Windows
Last updated
Last updated
This script aims to enumerate common Windows configuration issues that can be leveraged for local privilege escalation. It also gathers various information that might be useful for exploitation and/or post-exploitation.
Enum4linux is a tool for enumerating information from Windows and Samba systems.
Port: 445
SMB/Samba is a popular freeware program that allows users to access and use files, printers, and other commonly shared resources.
Port: 135
Port: 5985 / 5986
Windows Remote Management (WinRM) is a feature that allows administrators to remotely run management scripts, execute command, monitor and manage windows system remote computers and servers.
Port: 88
Kerberos is an authentication protocol that is used to verify the identity of a user or host.
Checking if Kerberos pre-authentication has been disabled for accounts
With msfconsole we have able to list users form wordlists of users.
Port: 389, 636
Lightweight directory access protocol (LDAP) is a protocol that makes it possible for applications to query user information rapidly.
Server (attacker) :
Client (victim):
Analyse suspicious files, domains, IPs and URLs to detect malware and other breaches, automatically share them with the security community.
VirusTotal aggregates many antivirus products and online scan engines called Contributors
Server :
Client with internet access:
without create shell.ps1, paste the Invoke-ConPtyShell.ps1, add Invoke-ConPtyShell ip port
on a new line
"MSRPC is a protocol that uses the client-server model in order to allow one program to request service from a program on another computer without having to understand the details of that computer's network." ·
is used for remote enumeration of network interfaces
is a tool for gathering information of ldap. (you need to have creds of an user to use it)
read the gMSA (group managed service accounts) password of the account.
find Service Principal Names that are associated with normal user account, and exfiltrate the kerberos.
Responder is a LLMNR, NBT-NS and MDNS poisoner, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication. Basicaly a rogue everything use for exemple to steal NLTLM Hash, usernames...
will attempt to list and get TGTs for those users that have the property ‘Do not require Kerberos preauthentication’ set.
dumping Active Directory Password Hashes.
ConPtyShell is a Fully Interactive Reverse Shell for Windows systems.
Interactive Windows cheatsheet :