Commit dde321f1 authored by bobloblaw

Update privilege_escalation_windows.md

parent 96bc4982
+65 −102
# Internal Enumeration - Windows

Many priv-esc techniques on windows comes from third-party programs and not necessarily windows in itself. Therefore it is important to really learn to enumerate the system and find those vulnerable programs.


http://netsec.ws/?cat=64

http://netsec.ws/?p=314

## Info about the system


schtasks /query /fo LIST /v
schtasks /query /fo LIST /v
net start
accesschk.exe -uwcqv "Authenticated Users" *
dir network-secret.txt /s
windump -i 2 -w capture -n -U -s 0 src not 10.11.0.X and dst not 10.11.0.X



```
systeminfo
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
hostname

#Who am I?
whoami
echo %username%

#What users are on the machine?
net users

#More info about a specific user
net user user1
```

## Firewall

```
netsh firewall show state
netsh firewall show config
```

## Network

```
ipconfig /all

route print

#Display all available interfaces
arp -A
```

### Active connections

```
netstat -ano

#Firewall rules
netsh firewall show state
netsh firewall show config
```
So how should we interpret the netstat output? Here is an example, now what does this mena?

```
Proto  Local address      Remote address     State        User  Inode  PID/Program name
    -----  -------------      --------------     -----        ----  -----  ----------------
    tcp    0.0.0.0:21         0.0.0.0:*          LISTEN       0     0      -
    tcp    0.0.0.0:5900       0.0.0.0:*          LISTEN       0     0      -
    tcp    0.0.0.0:6532       0.0.0.0:*          LISTEN       0     0      -
    tcp    192.168.1.9:139    0.0.0.0:*          LISTEN       0     0      -
    tcp    192.168.1.9:139    192.168.1.9:32874  TIME_WAIT    0     0      -
    tcp    192.168.1.9:445    192.168.1.9:40648  ESTABLISHED  0     0      -
    tcp    192.168.1.9:1166   192.168.1.9:139    TIME_WAIT    0     0      -
    tcp    192.168.1.9:27900  0.0.0.0:*          LISTEN       0     0      -
    tcp    127.0.0.1:445      127.0.0.1:1159     ESTABLISHED  0     0      -
    tcp    127.0.0.1:27900    0.0.0.0:*          LISTEN       0     0      -
    udp    0.0.0.0:135        0.0.0.0:*                       0     0      -
    udp    192.168.1.9:500    0.0.0.0:*                       0     0      -
```

**Important to understand**
Local address 0.0.0.0 means that the service is listening on all interfaces. This means that it can recieve a connection from the network card, from the loopbak interface or any other interface. 

Local address 127.0.0.1 means that the service is only listening for connection from the your PC. Not from the internet or anywhere else.

Local address 192.168.1.9 means that the service is only listening for connections from the local network. So someone in the local network can connect to it, but not someone from the internet. 

## Processes running

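Review bot: The six commands between the "## Info about the system" heading and the first code fence (`schtasks /query /fo LIST /v` twice, `net start`, `accesschk.exe -uwcqv "Authenticated Users" *`, the `dir network-secret.txt /s` line and the `windump` line) sit outside any fenced block, and the schtasks line is duplicated; move them into the ``` block that follows and drop the duplicate. The `windump` line also carries a lab-specific `10.11.0.X` address, which should be marked as a placeholder or removed. Under "### Active connections" the two `netsh firewall show ...` commands repeat what the "## Firewall" section above already lists. The sample under "So how should we interpret the netstat output?" is not what `netstat -ano` prints on Windows: it has an Inode column, lowercase `tcp` and state `LISTEN`, whereas Windows shows `TCP`, `LISTENING` and a PID column, so the sample should be replaced with real `netstat -ano` output. Wording: "comes from" should be "come from", "mena" should be "mean", "recieve" and "loopbak" are misspelled, and "from the your PC" should be "from your PC".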
@@ -133,13 +44,6 @@ http://www.fuzzysecurity.com/tutorials/16.html

# Privilege escalation windows


https://www.reddit.com/r/AskNetsec/comments/3ujqu3/best_windows_privilege_escalation_resources/
"Enumeration.
You don't always need to run some exploit to get higher privileges, just convince some service that is running as admin or SYSTEM to open nc.exe for you. Web services are often misconfigured and running as admin or system.
Also look at modifying a startup service to run nc.exe or your malicious binary. replace UPnP with your backdoor.
Source: OSCP and OSCE; Never used exploits to get privilege escalation on the windows machines in the lab or exam"

Look for vulnerable services that may be running as system

There are usually three types of users on a windows machine:
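Review bot: "# Privilege escalation windows" is a second top-level heading in the same file as "# Internal Enumeration - Windows" in the first hunk; if both survive this commit, demote one to `##` or split the enumeration part into its own file so the document has a single H1. The Reddit quotation should be set off as a block quote (`>`) rather than loose quotation marks, and "windows" in "a windows machine" should be capitalised.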
@@ -186,19 +90,48 @@ run post/windows/gather/checkvm
```


## Manually

### Basic Enumeration of the System

Before we start looking for privilege escalation opportunities we need to understand a bit about the machine.

## Manually


```
systeminfo
hostname

#Who am I?
whoami
echo %username%

# What users are on the machine?
net users

# More info about a specific user
net user user1

# Firewall
netsh firewall show state
netsh firewall show config

# Network
ipconfig /all
route print
arp -A
```

Even the manual way can be speeded up. Using this awesome script (wmic_info.bat). Found here: http://www.fuzzysecurity.com/tutorials/16.html 

### Cleartext passwords

Can be find like this:

```
findstr /si password *.txt | *.xml | *.ini
findstr /si pass *.txt | *.xml | *.ini
findstr /si password *.txt
findstr /si password *.xml
findstr /si password *.ini

#Find all those strings in config files.
dir /s *pass* == *cred* == *vnc* == *.config*
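Review bot: `findstr /si password *.txt | *.xml | *.ini` does not search three file types: `|` pipes findstr's output into `*.xml`, which cmd then tries to execute as a command. findstr accepts several file masks separated by spaces, so the first two lines should read `findstr /si password *.txt *.xml *.ini` and `findstr /si pass *.txt *.xml *.ini`, at which point the three single-mask lines beneath them are redundant. The "## Manually" heading appears twice in this hunk (once before "### Basic Enumeration of the System" and again directly after it); the second looks like a leftover from the rewrite. The enumeration block beneath it (systeminfo, whoami, net users, firewall, network) duplicates the blocks in the first hunk, so one of the two copies should go. Wording: "speeded up" should be "sped up", "Can be find like this" should be "Can be found like this", and "Using this awesome script (wmic_info.bat). Found here:" reads better as one sentence.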
@@ -257,7 +190,7 @@ DataSources\DataSources.xml: Element-Specific Attributes

### Internal services

Sometimes there are services that are only accessible from inside the network. For example a MySQL server might not be accessible from the outside, for security reasons. These services might be more vulnarble since they are not meant to be seen from the outside.
Sometimes there are services that are only accessible from inside the network. For example a MySQL server might not be accessible from the outside, for security reasons. It is also common to have different administration applications that is only accessible for the target. Like a printer interface, or something like that. These services might be more vulnerable since they are not meant to be seen from the outside.

So basically run 

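Review bot: The two "Sometimes there are services that are only accessible from inside the network" paragraphs are the old and new versions of the same text; in the version that stays, "different administration applications that is only accessible for the target. Like a printer interface, or something like that." should be one grammatical sentence, e.g. "administration applications that are only reachable from the host itself, such as a printer's web interface." The old copy also spells "vulnarble" incorrectly, so make sure the corrected line is the one kept. "So basically run" ends with a trailing space and is a fragment leading into the code block.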
@@ -265,16 +198,46 @@ So basically run
netstat -ano
```

And look for LISTENING.
Then you compare that to the scan you did from the outside.
And look for LISTENING. Then you compare that to the scan you did from the outside.
Does it contain any ports that are not accessible from the outside?

If that is the case, maybe you can make a remote forward to access it.

```
# Port forward using plink
plink.exe -l root -pw mysecretpassword 192.168.0.101 -R 8080:127.0.0.1:8080

# Port forward using meterpreter

```

So how should we interpret the netstat output? Here is an example, now what does this mena?

```
Proto  Local address      Remote address     State        User  Inode  PID/Program name
    -----  -------------      --------------     -----        ----  -----  ----------------
    tcp    0.0.0.0:21         0.0.0.0:*          LISTEN       0     0      -
    tcp    0.0.0.0:5900       0.0.0.0:*          LISTEN       0     0      -
    tcp    0.0.0.0:6532       0.0.0.0:*          LISTEN       0     0      -
    tcp    192.168.1.9:139    0.0.0.0:*          LISTEN       0     0      -
    tcp    192.168.1.9:139    192.168.1.9:32874  TIME_WAIT    0     0      -
    tcp    192.168.1.9:445    192.168.1.9:40648  ESTABLISHED  0     0      -
    tcp    192.168.1.9:1166   192.168.1.9:139    TIME_WAIT    0     0      -
    tcp    192.168.1.9:27900  0.0.0.0:*          LISTEN       0     0      -
    tcp    127.0.0.1:445      127.0.0.1:1159     ESTABLISHED  0     0      -
    tcp    127.0.0.1:27900    0.0.0.0:*          LISTEN       0     0      -
    udp    0.0.0.0:135        0.0.0.0:*                       0     0      -
    udp    192.168.1.9:500    0.0.0.0:*                       0     0      -
```

**Important to understand**
Local address 0.0.0.0 means that the service is listening on all interfaces. This means that it can recieve a connection from the network card, from the loopbak interface or any other interface. 

Local address 127.0.0.1 means that the service is only listening for connection from the your PC. Not from the internet or anywhere else.

Local address 192.168.1.9 means that the service is only listening for connections from the local network. So someone in the local network can connect to it, but not someone from the internet. 


### Kernel exploits

Just as in windows kernel exploits should be our last resource, since it might but the machine in an unstable state or create some other problem with the machine.
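Review bot: "And look for LISTENING" will not match the sample output shown further down, which uses `LISTEN` because it is Linux-style netstat output (Inode column, lowercase `tcp`) rather than Windows `netstat -ano` output; either the sample or the instruction needs to change so they agree. That whole walkthrough, from "So how should we interpret the netstat output?" through the three "Local address ..." paragraphs, is identical to the copy in the first hunk; if this commit moves it, fine, otherwise keep only one copy. In the "Important to understand" text, the claim that a service bound to 192.168.1.9 cannot be reached "from the internet" is not what the bind address guarantees: binding to the NIC's address only means connections are accepted on that interface, and whether outside hosts can reach it depends on routing, NAT and firewall rules, so reword it to say the service is reachable via that interface rather than "not from the internet". The "# Port forward using meterpreter" comment has no command under it; add the meterpreter `portfwd` invocation or remove the empty placeholder. The two "And look for LISTENING" lines above are the old and new versions of the same sentence, so only the joined one should remain. In the last paragraph, "Just as in windows" in a Windows document should presumably read "Just as on Linux", "last resource" should be "last resort", and "might but the machine" should be "might put the machine".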