# Windows Exploits

## Windows Exploit Suggester

<https://github.com/bitsadmin/wesng>

```shell
./wes.py --update
```

```cmd
systeminfo > systeminfo.txt
```

```shell
./wes.py systeminfo.txt
```

```powershell
Get-HotFix | Sort-Object InstalledOn -Descending
```
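As an added example (not part of this page or of wesng), the following Python script performs the first step wesng does on a saved `systeminfo.txt`: it parses the OS name, build number and the installed hotfix list, then compares the KBs against a patch baseline to report what is missing. The sample `systeminfo` output and the KB numbers are constructed placeholders, not real advisories.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed sample of `systeminfo > systeminfo.txt` output, trimmed to the
# fields this check needs (host/NIC lines are kept to show they are skipped).
SAMPLE_SYSTEMINFO = """\
Host Name:                 WIN10-LAB
OS Name:                   Microsoft Windows 10 Pro
OS Version:                10.0.19044 N/A Build 19044
System Type:               x64-based PC
Hotfix(s):                 3 Hotfix(s) Installed.
                           [01]: KB5000001
                           [02]: KB5000002
                           [03]: KB5000003
Network Card(s):           1 NIC(s) Installed.
                           [01]: Example Ethernet Adapter
"""

# Constructed patch baseline (placeholder KB numbers, not real advisories):
# KB -> one-line reason the patch is expected on this build.
REQUIRED_KBS: Dict[str, str] = {
    "KB5000002": "example: cumulative update",
    "KB5000004": "example: out-of-band fix",
}

KB_RE = re.compile(r"\[\d+\]:\s*(KB\d+)", re.IGNORECASE)
BUILD_RE = re.compile(r"Build\s+(\d+)", re.IGNORECASE)


@dataclass
class SystemInfo:
    os_name: str = ""
    os_version: str = ""
    hotfixes: Set[str] = field(default_factory=set)

    @property
    def build(self) -> Optional[int]:
        """Numeric build number parsed from the 'OS Version' line, if present."""
        m = BUILD_RE.search(self.os_version)
        return int(m.group(1)) if m else None


def parse_systeminfo(text: str) -> SystemInfo:
    """Parse systeminfo output: 'Key:  value' lines, continuation lines indented."""
    info = SystemInfo()
    in_hotfix_block = False
    for line in text.splitlines():
        if line and not line[0].isspace():
            # A new field starts at column 0; remember whether it is the hotfix list.
            key, _, value = line.partition(":")
            key, value = key.strip().lower(), value.strip()
            in_hotfix_block = key.startswith("hotfix")
            if key == "os name":
                info.os_name = value
            elif key == "os version":
                info.os_version = value
        elif in_hotfix_block:
            # Indented continuation lines under Hotfix(s): look like "[01]: KB5000001".
            m = KB_RE.search(line)
            if m:
                info.hotfixes.add(m.group(1).upper())
    return info


def missing_updates(info: SystemInfo, required: Dict[str, str]) -> List[str]:
    """Return required KBs (sorted) that are absent from the parsed hotfix list."""
    return sorted(kb.upper() for kb in required if kb.upper() not in info.hotfixes)


if __name__ == "__main__":
    parsed = parse_systeminfo(SAMPLE_SYSTEMINFO)
    print(f"{parsed.os_name} build {parsed.build}: {len(parsed.hotfixes)} hotfixes installed")
    for kb in missing_updates(parsed, REQUIRED_KBS):
        print(f"MISSING {kb}: {REQUIRED_KBS[kb]}")
```

To run it against a real host, replace `SAMPLE_SYSTEMINFO` with the contents of the `systeminfo.txt` captured above and fill `REQUIRED_KBS` from your own patch baseline; the parser only relies on the column-0 `Key:` layout and the indented `[nn]: KB...` continuation lines, so localized field names other than `OS Name`, `OS Version` and `Hotfix(s)` do not matter.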

## PowerShell Windows Exploit Tools

Recursively search a directory tree for files whose contents contain STRING

```powershell
ls -r c:\PATH\TO\DIRECTORY -File | % { Select-String -Path $_.FullName -Pattern STRING }
```

## CMD.exe Windows Exploit Tools

Configure a Windows machine as a WPA2-PSK Access Point

```cmd
netsh wlan set hostednetwork mode=allow ssid=<MYSSID> key=<MYPASSWORD> && netsh wlan start hostednetwork
```

Configure a TCP port forwarding relay from IPv4 to IPv6

```cmd
netsh interface portproxy add v4tov6 listenport=<LPORT> listenaddress=0.0.0.0 connectport=<RPORT> connectaddress=<RHOST>
```

Map a remote administrative share (C$) to drive X:

```cmd
net use X: \\IP_Address\c$
```

Add New User to Current Host

```cmd
net user <UserName> <Password> /add
```

Add User to Local Admin Group

```cmd
net localgroup Administrators <UserName> /add
```

Recursively find files and directories under C: whose ACLs reference the given user's SID (continue on errors, log long names)

```cmd
icacls c:\* /findsid <UserName> /t /c /l
```
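Port proxy rules added with `netsh interface portproxy` persist across reboots and are easy to overlook, so a defender should inventory them. As an added example (not part of this page), the Python script below parses the text that `netsh interface portproxy show all` prints and flags rules that listen on every interface or forward to a host outside an allowlist. The sample output is constructed to match the two-table layout netsh uses; the allowlist is a placeholder.

```python
import re
from typing import Iterable, List, NamedTuple, Tuple

# Constructed sample of `netsh interface portproxy show all` output: one table per
# listen/connect address-family pair, with a header row and a dashed ruler row.
SAMPLE_PORTPROXY = """\

Listen on ipv4:             Connect to ipv4:

Address         Port        Address         Port
--------------- ----------  --------------- ----------
127.0.0.1       8080        10.0.0.5        80

Listen on ipv4:             Connect to ipv6:

Address         Port        Address         Port
--------------- ----------  --------------- ----------
0.0.0.0         4444        fd00::5         443
"""


class PortProxyRule(NamedTuple):
    listen_family: str
    listen_addr: str
    listen_port: int
    connect_family: str
    connect_addr: str
    connect_port: int


SECTION_RE = re.compile(r"Listen on (ipv[46]):\s+Connect to (ipv[46]):", re.IGNORECASE)


def parse_portproxy(text: str) -> List[PortProxyRule]:
    """Turn `netsh interface portproxy show all` output into a list of rules."""
    rules: List[PortProxyRule] = []
    listen_fam = connect_fam = ""
    for line in text.splitlines():
        m = SECTION_RE.search(line)
        if m:
            # Section header tells us which address families the following rows use.
            listen_fam, connect_fam = m.group(1).lower(), m.group(2).lower()
            continue
        parts = line.split()
        # Data rows are exactly four columns with numeric ports; the "Address Port"
        # header and the dashed ruler also have four columns but fail the digit test.
        if listen_fam and len(parts) == 4 and parts[1].isdigit() and parts[3].isdigit():
            rules.append(PortProxyRule(listen_fam, parts[0], int(parts[1]),
                                       connect_fam, parts[2], int(parts[3])))
    return rules


def suspicious_rules(rules: Iterable[PortProxyRule],
                     allowed_connect_addrs: Iterable[str]) -> List[Tuple[PortProxyRule, str]]:
    """Flag rules bound to all interfaces or forwarding to a host not on the allowlist."""
    allowed = {a.lower() for a in allowed_connect_addrs}
    flagged: List[Tuple[PortProxyRule, str]] = []
    for r in rules:
        reasons = []
        if r.listen_addr in ("0.0.0.0", "::"):
            reasons.append("listens on all interfaces")
        if r.connect_addr.lower() not in allowed:
            reasons.append(f"forwards to unexpected host {r.connect_addr}")
        if reasons:
            flagged.append((r, "; ".join(reasons)))
    return flagged


if __name__ == "__main__":
    # Placeholder allowlist of forwarding targets an administrator has approved.
    for rule, why in suspicious_rules(parse_portproxy(SAMPLE_PORTPROXY), ["10.0.0.5"]):
        print(f"{rule.listen_addr}:{rule.listen_port} -> "
              f"{rule.connect_addr}:{rule.connect_port} ({why})")
```

On a live host, feed it the output of `netsh interface portproxy show all` (for example via `subprocess.run([...], capture_output=True, text=True).stdout`) and keep the allowlist in configuration; an empty rule list is the expected result on most workstations.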
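The two `net user /add` and `net localgroup Administrators /add` commands above are exactly the changes a defender wants to catch. As an added example (not part of this page), the Python script below parses the text that `net localgroup Administrators` prints and reports members that are not in a known-good baseline. The sample output and the baseline are constructed.

```python
from typing import Iterable, List, Set

# Constructed sample of `net localgroup Administrators` output. Members are listed
# between the dashed ruler line and the "The command completed successfully." line.
SAMPLE_NET_LOCALGROUP = """\
Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
LAB\\helpdesk
svc_backup
The command completed successfully.

"""


def parse_net_localgroup(text: str) -> Set[str]:
    """Return the member names from `net localgroup <group>` output, lower-cased."""
    members: Set[str] = set()
    in_members = False
    for line in text.splitlines():
        s = line.strip()
        if not in_members:
            # Everything before the dashed ruler is group metadata, not membership.
            in_members = s.startswith("----")
            continue
        if not s or s.lower().startswith("the command completed"):
            break
        members.add(s.lower())
    return members


def unexpected_admins(members: Iterable[str], baseline: Iterable[str]) -> List[str]:
    """Members present on the host but missing from the approved baseline."""
    return sorted(set(m.lower() for m in members) - {b.lower() for b in baseline})


if __name__ == "__main__":
    # Constructed baseline of accounts that are allowed to be local administrators.
    baseline = ["Administrator", "LAB\\helpdesk"]
    current = parse_net_localgroup(SAMPLE_NET_LOCALGROUP)
    for name in unexpected_admins(current, baseline):
        print(f"UNEXPECTED local administrator: {name}")
```

Comparison is case-insensitive because Windows account names are; domain-qualified names keep their `DOMAIN\name` form so a local account and a domain account with the same short name are not confused.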

## Python

Python Web Client: download file/webpage to file

```python
import urllib.request; urllib.request.urlretrieve("http://google.com", "/google.html")
```

Python Web Server: serve up current directory on port 8000

```shell
python -m http.server 8000
```

## Privilege Escalation

* [PowerUP](https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerUp)
* [bypassuac](https://github.com/EmpireProject/Empire/blob/master/data/module_source/privesc/Invoke-BypassUAC.ps1)

## Password Tools

* pwdump
* cachedump
* lsadump
* metasploit's psexec\_psh
* load kiwi
* <https://github.com/gentilkiwi/mimikatz>
* [Creds\_wdigest](https://www.trustedsec.com/blog/dumping-wdigest-creds-with-meterpreter-mimikatzkiwi-in-windows-8-1/)
