
dll, for more information see: Didier’s Blog

RunDll32.exe user32.dll,LockWorkStation – Lock Screen

Didier Stevens has produced a nice write-up on taking a third party command interpreter and converting it from.

Rundll32.exe powrprof.dll,SetSuspendState – Hibernate
Rundll32.exe dsquery,OpenQueryWindow – Find Users (New targets to brute force?)
Rundll32.exe oobefldr.dll,ShowWelcomeCenter – Start Welcome Centre
Rundll32.exe shwebsvc.dll,AddNetPlaceRunDll – Add network location (wizard)
Rundll32.exe van.dll,RunVAN – Network Popup (Subsequently access networking?)

Rundll32 Shell32.dll,OpenAs_RunDLL file.abc – Change file associations (e.g.
Rundll32.exe keymgr.dll, KRShowKeyMgr – Stored Usernames/Passwords (see below)
Rundll32.exe shell32.dll,Options_RunDLL 7 – View File and Folder Options (see below)
Rundll32.exe shell32.dll,Options_RunDLL 6 – Taskbar Toolbar Display Options
Rundll32.exe shell32.dll,Options_RunDLL 5 – Taskbar Notifications on/off

Rundll32.exe shell32.dll,Options_RunDLL 4 – Turn System icons on/off
Rundll32.exe shell32.dll,Options_RunDLL 3 – Start Menu Options
Rundll32.exe shell32.dll,Options_RunDLL 2 – Search Options
Rundll32.exe shell32.dll,Options_RunDLL 1 – Taskbar Options
Rundll32.exe devmgr.dll DeviceManager_Execute – Device Manager (view only)
Rundll32.exe shell32.dll,Control_RunDLL – Control Panel

Rundll32 Shell32.dll,SHHelpShortcuts_RunDLL Connect – Map Network Drives

Note: The usage screenshots have been run from the command line for the sake of clarity; in reality you’re unlikely to have cmd.exe (or PowerShell) access and the rundll32 commands (and arguments) will need to be called via Windows shortcuts (as described towards the end of this post). I’ve also refrained from referencing any Control Panel (.cpl) related commands, as these can all be trivially called from C:\Windows\System32 (and most weren’t executable during my engagement).

I couldn’t really find a good pentest-related resource for leveraging rundll32 so thought I’d put something together to highlight what I’d found to be useful.

All of the following commands have been tested on Windows 7 Ultimate, but it’s worth bearing in mind that even if the command runs successfully you’ll still be restricted to the security context of the current user (but at least you’ll have a way of initiating the command / function that you may not have had before).

However, I found that I was able to utilise rundll32.exe to attempt to enumerate/manipulate the environment.

I was recently on a Windows 7 workstation lock-down test which had been implemented pretty effectively, with the vast majority of file and folder, service and AppLocker applied rules and permissions preventing the majority of malicious actions.
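On a locked-down workstation, the rundll32 invocations listed in this post are worth flagging in process-creation logs by DLL and export name. The following is an added example, not code from the original post: the function names, the watchlist structure and the sample command lines are constructed for illustration, and it handles the comma, comma-plus-space and space-separated forms the post uses.

```python
import re

# DLL/export pairs taken from the rundll32 commands listed in this post.
WATCHLIST = {
    ("user32", "lockworkstation"), ("powrprof", "setsuspendstate"),
    ("dsquery", "openquerywindow"), ("oobefldr", "showwelcomecenter"),
    ("shwebsvc", "addnetplacerundll"), ("van", "runvan"),
    ("shell32", "openas_rundll"), ("keymgr", "krshowkeymgr"),
    ("shell32", "options_rundll"), ("devmgr", "devicemanager_execute"),
    ("shell32", "control_rundll"), ("shell32", "shhelpshortcuts_rundll"),
}

# Image, DLL (optionally quoted), then export after a comma and/or spaces.
_CMD = re.compile(
    r'^\s*"?(?:[^"]*[\\/])?rundll32(?:\.exe)?"?\s+'
    r'(?:"(?P<qdll>[^"]+)"|(?P<dll>[^",\s]+))\s*[,\s]\s*'
    r'(?P<export>[^\s,]+)\s*(?P<args>.*)$',
    re.IGNORECASE)

def parse_rundll32(cmdline):
    """Return (dll, export, args), normalised to lower case, or None."""
    m = _CMD.match(cmdline)
    if not m:
        return None
    # Keep only the DLL base name so full paths and bare names compare equal.
    dll = re.split(r"[\\/]", m.group("qdll") or m.group("dll"))[-1].lower()
    if dll.endswith(".dll"):
        dll = dll[:-4]
    return dll, m.group("export").lower(), m.group("args").strip()

def triage(cmdlines):
    """Return (dll, export, args, listed) for every rundll32 command line."""
    findings = []
    for line in cmdlines:
        parsed = parse_rundll32(line)
        if parsed is not None:  # skip processes that are not rundll32
            findings.append(parsed + (parsed[:2] in WATCHLIST,))
    return findings

# Constructed sample process-creation command lines (not real log data).
SAMPLE = [
    'RunDll32.exe user32.dll,LockWorkStation',
    'Rundll32.exe keymgr.dll, KRShowKeyMgr',
    'rundll32.exe devmgr.dll DeviceManager_Execute',
    '"C:\\Windows\\System32\\rundll32.exe" shell32.dll,Options_RunDLL 7',
    'Rundll32.exe dsquery,OpenQueryWindow',
    'rundll32.exe "C:\\Temp\\my lib.dll",Entry',
    'notepad.exe C:\\Users\\test\\notes.txt',
]
```

Entries with `listed` set to False are rundll32 calls outside the post's list and still merit review, since the watchlist only covers the exports named here.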
