Windows Exploits

Windows Exploit Suggester

https://github.com/bitsadmin/wesng

wes.py --update
systeminfo > systeminfo.txt
wes.py systeminfo.txt

List installed hotfixes (PowerShell), newest first

Get-HotFix | Sort-Object InstalledOn -Descending

PowerShell Windows Exploit Tools

Search DIRECTORY for files that contain STRING

Get-ChildItem -Path c:\PATH\TO\DIRECTORY -Recurse -File | Select-String -Pattern STRING

CMD.exe Windows Exploit Tools

Configure a Windows machine as a WPA2-PSK Access Point

netsh wlan set hostednetwork mode=allow ssid=<MYSSID> key=<MYPASSWORD> && netsh wlan start hostednetwork

Configure a TCP port-forwarding relay from an IPv4 listener to an IPv6 host (<RHOST> is an IPv6 address)

netsh interface portproxy add v4tov6 listenport=<LPORT> listenaddress=0.0.0.0 connectport=<RPORT> connectaddress=<RHOST>

Map a remote administrative share (c$) to drive X:

net use X: \\IP_Address\c$

Add New User to Current Host

net user <UserName> <Password> /add

Add User to Local Admin Group

net localgroup Administrators <UserName> /add

Find files under c:\ whose ACLs grant access to a given user (matched by SID)

icacls c:\*. /findsid <UserName> /t /c /l

Python

Python Web Client: download file/webpage to file

import urllib.request; urllib.request.urlretrieve("http://google.com","/google.html")

Python Web Server: serve up current directory on port 8000

python -m http.server 8000
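The two Python one-liners above (download a URL to a file, serve the current directory) combined into one self-contained script, added here as an example and not part of the original page: it serves a constructed temporary directory on a loopback port, fetches one file from it with urllib.request.urlretrieve, and returns the bytes that landed on disk. It assumes only the standard library; the served content and file names are constructed for the example.

```python
import functools
import http.server
import os
import socketserver
import tempfile
import threading
import urllib.request


def serve_and_fetch(content: bytes = b"constructed sample page\n") -> bytes:
    """Serve a temporary directory over HTTP on the loopback interface,
    download one file from it with urlretrieve, and return what was saved."""
    with tempfile.TemporaryDirectory() as served_dir, \
            tempfile.TemporaryDirectory() as download_dir:
        # Constructed sample file inside the directory that will be served.
        with open(os.path.join(served_dir, "index.html"), "wb") as f:
            f.write(content)

        # Same handler as `python -m http.server`, but bound to 127.0.0.1 on an
        # ephemeral port (0) so the directory is never exposed beyond this host
        # and the example never collides with an existing listener.
        handler = functools.partial(
            http.server.SimpleHTTPRequestHandler, directory=served_dir)
        with socketserver.TCPServer(("127.0.0.1", 0), handler) as httpd:
            port = httpd.server_address[1]
            server_thread = threading.Thread(
                target=httpd.serve_forever, daemon=True)
            server_thread.start()
            try:
                url = f"http://127.0.0.1:{port}/index.html"
                target = os.path.join(download_dir, "index.html")
                # Same call as the page's one-liner: fetch the URL into a file.
                urllib.request.urlretrieve(url, target)
                with open(target, "rb") as f:
                    return f.read()
            finally:
                # shutdown() must be called from a thread other than the one
                # running serve_forever(); then wait for the server to exit.
                httpd.shutdown()
                server_thread.join()


if __name__ == "__main__":
    print(serve_and_fetch())
```

Binding to 127.0.0.1 with port 0 is the difference from the bare `python -m http.server 8000`, which listens on all interfaces and so publishes the working directory to anyone who can reach the host.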

Privilege Escalation

Password Tools

  • pwdump
  • cachedump
  • lsadump
  • Metasploit's psexec_psh
  • load kiwi
  • https://github.com/gentilkiwi/mimikatz
