
Enumeration

Finding the goods

Check for unpatched software

wmic product get name,version,vendor

Saved Windows Credentials

Windows allows a user to run programs with another user's credentials (the runas feature), and that feature can also save those credentials on the system. The command below lists the saved credentials:

cmdkey /list

While you can't see the actual passwords, if you notice any saved credentials worth trying, you can use them with the runas command and its /savecred option, as shown below.

runas /savecred /user:admin cmd.exe

IIS configuration

Internet Information Services (IIS) is the default web server on Windows installations. The configuration of websites on IIS is stored in a file called web.config, which may contain passwords for databases or for configured authentication mechanisms.

Depending on the installed version of IIS, we can find web.config in one of the following locations:

  • C:\inetpub\wwwroot\web.config
  • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config

Here is a quick way to find database connection strings in the file:

type C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config | findstr connectionString

PuTTY

While PuTTY won't allow users to store their SSH password, it will store proxy configurations that include cleartext authentication credentials.

To retrieve the stored proxy credentials, search the following registry key for ProxyPassword values with the following command:

reg query HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions\ /f "Proxy" /s
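The reg query output above is verbose when a user has many saved sessions. The following script is an added example (not from the original notes) that parses that output and lists only the sessions that still have a non-empty ProxyPassword, reporting the proxy host and username but never echoing the password itself, which is the list an administrator needs in order to clear those stored secrets. The sample output embedded below is constructed, and the exact column layout of reg query is an assumption made for the parser.

```python
"""List PuTTY sessions whose saved proxy configuration includes a password (added example)."""
from __future__ import annotations

import re
from urllib.parse import unquote

# Output of:  reg query HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions\ /f "Proxy" /s
# is assumed to print each matching key path on its own line, followed by indented
# "<Name>    <REG_TYPE>    <Data>" lines (Data may be empty).
SESSIONS_KEY = r"HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions"
_KEY_LINE = re.compile(re.escape(SESSIONS_KEY) + r"\\+(.+)$", re.IGNORECASE)
_VALUE_LINE = re.compile(r"^\s+(\S+)\s+(REG_[A-Z_]+)\s*(.*)$")


def parse_reg_query(text: str) -> dict[str, dict[str, str]]:
    """Map each session name to its {value name: data} pairs."""
    sessions: dict[str, dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        key = _KEY_LINE.match(line.strip())
        if key:
            # PuTTY escapes the session name in the registry (a space is stored as %20).
            current = unquote(key.group(1).strip())
            sessions[current] = {}
        elif current is not None:
            value = _VALUE_LINE.match(line)
            if value:
                sessions[current][value.group(1)] = value.group(3).strip()
    return sessions


def sessions_with_stored_proxy_password(text: str) -> list[dict]:
    """Return one record per session that has a non-empty ProxyPassword, without the password."""
    findings = []
    for name, values in parse_reg_query(text).items():
        if values.get("ProxyPassword"):
            findings.append({"session": name,
                             "proxy_host": values.get("ProxyHost", ""),
                             "proxy_user": values.get("ProxyUsername", ""),
                             "password_length": len(values["ProxyPassword"])})
    return findings


# Constructed sample of reg query output: one session with no proxy credentials, one with them.
SAMPLE_REG_OUTPUT = r"""
HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions\Default%20Settings
    ProxyMethod    REG_DWORD    0x0
    ProxyHost    REG_SZ    proxy
    ProxyPort    REG_DWORD    0x50
    ProxyUsername    REG_SZ
    ProxyPassword    REG_SZ

HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions\jump%20host
    ProxyMethod    REG_DWORD    0x3
    ProxyHost    REG_SZ    proxy.corp.local
    ProxyPort    REG_DWORD    0x438
    ProxyUsername    REG_SZ    svc_putty
    ProxyPassword    REG_SZ    Pr0xyPass!

End of search: 10 match(es) found.
"""

if __name__ == "__main__":
    for finding in sessions_with_stored_proxy_password(SAMPLE_REG_OUTPUT):
        print(finding)
```

On a real host, pipe the command's output into the script (for example reg query ... | python putty_proxy_audit.py with sys.stdin.read() in place of the sample) and hand the resulting session list to the user so the proxy password can be removed from those sessions.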

SeBackup / SeRestore

If you have the SeBackup / SeRestore privileges, which you can check with

whoami /priv

you can back up the SAM and SYSTEM registry hives (the SAM hive holds the local account password hashes) using the following commands:

C:\> reg save hklm\system C:\Users\THMBackup\system.hive
C:\> reg save hklm\sam C:\Users\THMBackup\sam.hive

We can now copy these files to our attacker machine using SMB or any other available method.

Unattended Windows Installations

When installing Windows on a large number of hosts, administrators may use Windows Deployment Services to deploy a single OS image to several hosts. These installations require an administrator account to perform the initial setup, and its credentials might end up stored on the machine in one of the following locations:

  • C:\Unattend.xml
  • C:\Windows\Panther\Unattend.xml
  • C:\Windows\Panther\Unattend\Unattend.xml
  • C:\Windows\system32\sysprep.inf
  • C:\Windows\system32\sysprep\sysprep.xml

Inside these files you might find credentials left over from setup:

<Credentials>
    <Username>Administrator</Username>
    <Domain>domain.local</Domain>
    <Password>MyPassword123</Password>
</Credentials>
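Both the web.config section and the unattended-installation section above come down to the same check: an XML configuration file left on the host that still carries a password. The script below is an added example, not code from the original notes, that performs that check read-only for both file types. It scans the paths the notes list (whichever of them exist), reports each <Password>-style element in an answer file that is not empty and not the *SENSITIVE*DATA*DELETED* marker sysprep writes when it scrubs a password, and reports each web.config connectionString that embeds a Password= or Pwd= value; it records where a secret sits without returning the secret. The two sample documents are constructed, and the treatment of PlainText=false values as findings (they are only base64-wrapped, not protected) is a design choice of this example.

```python
"""Audit Windows answer files and IIS web.config for leftover credentials (added example)."""
from __future__ import annotations

import xml.etree.ElementTree as ET
from pathlib import Path

# Locations from the notes; scan_files() checks whichever of them exist on the host.
UNATTEND_PATHS = [r"C:\Unattend.xml", r"C:\Windows\Panther\Unattend.xml",
                  r"C:\Windows\Panther\Unattend\Unattend.xml",
                  r"C:\Windows\system32\sysprep\sysprep.xml"]
WEBCONFIG_PATHS = [r"C:\inetpub\wwwroot\web.config",
                   r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config"]
# Marker sysprep writes in place of a password it has scrubbed; not a finding.
SCRUBBED = "*SENSITIVE*DATA*DELETED*"


def _local(tag: str) -> str:
    """Tag name without namespace: '{urn:schemas-microsoft-com:unattend}Password' -> 'password'."""
    return tag.rsplit("}", 1)[-1].lower()


def audit_unattend(xml_text: str, source: str = "<string>") -> list[dict]:
    """Report every *Password element that still carries a value.

    Answer files use either <Password>secret</Password> or
    <Password><Value>secret</Value><PlainText>true</PlainText></Password>;
    PlainText=false only means the value is base64-wrapped, so it is reported too.
    The secret itself is never returned, only where it was found.
    """
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        if not _local(elem.tag).endswith("password"):
            continue
        children = {_local(c.tag): (c.text or "").strip() for c in elem}
        value = children.get("value", (elem.text or "").strip())
        if value and value != SCRUBBED:
            findings.append({"file": source, "kind": "unattend", "element": _local(elem.tag),
                             "plaintext": children.get("plaintext", "true").lower() != "false"})
    return findings


def audit_webconfig(xml_text: str, source: str = "<string>") -> list[dict]:
    """Report connectionString attributes that embed a Password= or Pwd= value.

    Entries using Integrated Security carry no secret and are not reported.
    """
    findings = []
    for add in ET.fromstring(xml_text).iter("add"):
        conn = add.get("connectionString")
        if conn is None:
            continue
        pairs = {}
        for part in conn.split(";"):
            key, sep, val = part.partition("=")
            if sep:
                pairs[key.strip().lower()] = val.strip()
        if pairs.get("password") or pairs.get("pwd"):
            findings.append({"file": source, "kind": "web.config", "element": add.get("name", "?"),
                             "user": pairs.get("user id") or pairs.get("uid") or "",
                             "plaintext": True})
    return findings


def scan_files(paths, auditor) -> list[dict]:
    """Run an auditor over every listed path that exists; missing files are skipped."""
    findings = []
    for p in paths:
        path = Path(p)
        if path.is_file():
            findings.extend(auditor(path.read_text(encoding="utf-8-sig"), str(path)))
    return findings


# Constructed samples standing in for files found on a host.
SAMPLE_UNATTEND = """<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="specialize"><component name="Microsoft-Windows-UnattendedJoin"><Identification>
    <Credentials><Domain>domain.local</Domain><Password>MyPassword123</Password>
      <Username>Administrator</Username></Credentials>
  </Identification></component></settings>
  <settings pass="oobeSystem"><component name="Microsoft-Windows-Shell-Setup"><UserAccounts>
    <AdministratorPassword><Value>*SENSITIVE*DATA*DELETED*</Value><PlainText>true</PlainText>
    </AdministratorPassword>
  </UserAccounts></component></settings>
</unattend>"""
SAMPLE_WEBCONFIG = """<configuration><connectionStrings>
  <add name="MainDB" providerName="System.Data.SqlClient"
       connectionString="Server=db01;Database=app;User Id=appsvc;Password=Summer2024!" />
  <add name="ReportsDB" connectionString="Server=db02;Database=reports;Integrated Security=SSPI;" />
</connectionStrings></configuration>"""

if __name__ == "__main__":
    # Live scan of the listed locations, then the constructed samples so the demo prints something anywhere.
    for f in (scan_files(UNATTEND_PATHS, audit_unattend) + scan_files(WEBCONFIG_PATHS, audit_webconfig)
              + audit_unattend(SAMPLE_UNATTEND, "sample") + audit_webconfig(SAMPLE_WEBCONFIG, "sample")):
        print(f)
```

Running the scan regularly after image deployment catches answer files that sysprep did not clean up; the fix is to delete the leftover file or scrub the password, and for web.config to move the connection string to Integrated Security or an encrypted configuration section rather than a cleartext Password= value.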
