Enumerating Attack Vectors

Helpful Tools

Miscellaneous:

Exploit Suggesters:

winPEAS: Windows local Privilege Escalation Awesome Script.
Seatbelt: C# local privilege escalation checks.
PowerUp: PowerShell script for finding common Windows privilege escalation vectors that rely on misconfigurations.
SharpUp: C# version of PowerUp .
JAWS: PowerShell script for enumerating privilege escalation vectors written in PowerShell 2.0 .
Watson: .NET tool to enumerate missing KBs and suggest exploits.
Windows Exploit Suggester Next Generation
Metasploit Local Exploit Suggester: use post/multi/recon/local_exploit_suggester on a backgrounded meterpreter sessions .

Credentials:

LaZagne: Retrieve passwords stored on a local machine from Windows password storage mechanisms and many different sources.
MimiKatz: Extract credentials, perform PtH, PtT, craft golden tickets and more.
SessionGopher: PowerShell tool to find and decrypt saved session information for remote access tools.

Enumerating Windows Protection

Check Windows Defender status: Get-MpComputerStatus
List AppLocker rules: Get-AppLockerPolicy -Effective \| select -ExpandProperty RuleCollections
Test AppLocker policy: Get-AppLockerPolicy -Local \| Test-AppLockerPolicy -path C:\Windows\System32\cmd.exe -User Everyone

Processes, Jobs, Scheduled Tasks

Dislpay all running processes (PowerShell): Get-Process
List named pipes: pipelist.exe /accepteula
List named pipes with PowerShell: gci \\.\pipe\
Review permissions on a named pipe: accesschk.exe /accepteula \\.\Pipe\lsass -v
Display running processes: tasklist /svc
Enumerate scheduled tasks: schtasks /query /fo LIST /v
Get ACLs for a specific scheduled task: icacls C:\Users\dude\Desktop\example.exe
Enumerate scheduled tasks with PowerShell: Get-ScheduledTask \| select TaskName,State
Enumerate all Unquoted Service Paths: wmic service get name,displayname,pathname,startmode \| findstr /i "auto" \| findstr /i /v "c:\windows\\" \| findstr /i /v """

Kernel and OS

Display all environment variables: set
View detailed system configuration information: systeminfo
Get patches and updates: wmic qfe
Get installed programs: wmic product get name
Get Installed programs in PowerShell: Get-WmiObject -Class Win32_Product \| select Name, Version
Enumerate computer description field: Get-WmiObject -Class Win32_OperatingSystem \| select Description

Registries

Query for always install elevated registry key (1): reg query HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer
Query for always install elevated registry key (2): reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer
Find PuTTY clear-text credentials: reg query HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Session\

Users and Groups

Get logged-in users: query user
Get current user: echo %USERNAME%
View current user privileges: whoami /priv
View current user group information: whoami /groups
Get all system user: net user
Get all system groups: net localgroup
View details about a group: net localgroup administrators
Get password policy: net accounts
Check permissions on a directory: .\accesschk64.exe /accepteula -s -d C:\Scripts\
Check local user description field: Get-LocalUser
Run commands as another user (requires their password): runas /user:backupadmin cmd

Display active network connections: netstat -ano
Get interface, IP address and DNS information: ipconfig /all
Review ARP table: arp -a
Review routing table: route print

Installed Applications

check installed applications: Get-ItemProperty "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname

check installed applications (alternative): Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname

Credential Hunting

Search common configuration files containing the word "password": findstr /SIM /C:"password" *.txt *.ini *.cfg *.config *.xml
Searching file contents for a string: findstr /spin "password" *.*
Search file contents with PowerShell: select-string -Path C:\Users\htb-student\Documents\*.txt -Pattern password
Search for file extensions: dir /S /B *pass*.txt == *pass*.xml == *pass*.ini == *cred* == *vnc* == *.config*
Search for file extensions (alternative): Get-ChildItem -Path C:\ -Include *.txt,*.ini -File -Recurse -ErrorAction SilentlyContinue
Search for file extensions using PowerShell: Get-ChildItem C:\ -Recurse -Include *.rdp, *.config, *.vnc, *.cred -ErrorAction Ignore
List cmdkey saved credentials (in memory): cmdkey /list
Run SessionGopher to extract credentials: Import-Module .\SessionGopher.ps1 → Invoke-SessionGopher -Target WINLPE-SRV01
Retrieve saved Chrome credentials: .\SharpChrome.exe logins /unprotect
Search Chrome Dictionary Files containing passwords: gc 'C:\Users\username\AppData\Local\Google\Chrome\User Data\Default\Custom Dictionary.txt' \| Select-String password
Read the PowerShell History File: gc (Get-PSReadLineOption).HistorySavePath
Retrieve saved wireless passwords: netsh wlan show profile WIFINAME key=clear
Enumerate unattended installation files (files named unattend.xml) which may contain passwords, which are stored in plaintext or base64
Enumerate .kdbx KeePass files and extract credentials using python2.7 keepass2john.py file.kdbx, followed by hashcat -m 13400
Extract clipboard (copy-paste) data: git clone https://github.com/inguardians/Invoke-Clipboard/blob/master/Invoke-Clipboard.ps1
Search current user's history file content (PowerShell): Get-History
Find all accessible PowerShell history files: foreach($user in ((ls C:\users).fullname)){cat "$user\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt" -ErrorAction SilentlyContinue}
Display a user's specific history file's content: type C:\Users\{USERNAME}\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
Retrieve password from Windows Sticky Notes: C:\Users\<user>\AppData\Local\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState\plum.sqlite

PreviousPriveEsc checklist NextExcessive User Rights Abuse

Last updated 6 months ago