Post Exploit Enumeration
# Basics
systeminfo
hostname
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
# Who am I?
whoami
echo %username%
# What users/localgroups are on the machine?
net users
net localgroup
net localgroup administrators
# More info about a specific user. Check if user has privileges.
net user user1
# View Domain Groups
net group /domain
# View Members of Domain Group
net group /domain <Group Name>
# Firewall
netsh firewall show state
netsh firewall show config
# Network
ipconfig /all
route print
arp -A
# How well patched is the system?
wmic qfe get Caption,Description,HotFixID,InstalledOn
# Meterpreter
getprivs
getuid
Search for passwords
findstr /si password *.txt
findstr /si password *.xml
findstr /si password *.ini
# Find all of these strings in config files.
dir /s *pass* == *cred* == *vnc* == *.config*
# Find all passwords in all files.
findstr /spin "password" *.*
Search for Files
c:\sysprep.inf
c:\sysprep\sysprep.xml
c:\unattend.xml
%WINDIR%\Panther\Unattend\Unattended.xml
%WINDIR%\Panther\Unattended.xml
dir c:\*vnc.ini /s /b
dir c:\*ultravnc.ini /s /b
dir c:\ /s /b | findstr /si *vnc.ini
Search In Registry
# VNC
reg query "HKCU\Software\ORL\WinVNC3\Password"
# Windows autologin
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"
# SNMP Parameters
reg query "HKLM\SYSTEM\CurrentControlSet\Services\SNMP"
# Putty
reg query "HKCU\Software\SimonTatham\PuTTY\Sessions"
# Search for password in registry
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s
Active Listening (internal) Ports
# Active listening ports
netstat -ano
# Routing table info
netstat -r
# Programs listening on TCP ports
netstat -antp
Enumerating Processes & Services
# Meterpreter
ps
pgrep explorer.exe
migrate <pid>
# Running services
wmic service list brief
# List of running tasks and corresponding services
tasklist /SVC
# Scheduled Tasks
schtasks /query /fo LIST
# (after saving the schtasks output above to schtask.txt)
grep "SYSTEM\|Task To Run" schtask.txt | grep -B 1 SYSTEM
Enumeration using Metasploit
# MSFCONSOLE
use post/windows/gather/enum_logged_on_users
use post/windows/gather/win_privs
use post/windows/gather/checkvm
use post/windows/gather/enum_applications
use post/windows/gather/enum_computers
use post/windows/gather/enum_patches
Automating local enumeration with JAWS
# Just Another Windows (enum) Script (JAWS)
https://github.com/411Hall/JAWS
powershell.exe -ExecutionPolicy Bypass -File .\jaws-enum.ps1 -OutputFilename JAWS-Enum.txt