Basic steps for Windows privilege escalation

Original article:
[url]http://www.fuzzysecurity.com/tutorials/16.html[/url]
1. Information gathering
[quote]
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
hostname
echo %username%
net users
net user username
ipconfig /all
route print
arp -A
netstat -ano
netsh firewall show state
netsh firewall show config
[color=red]# This will display verbose output for all scheduled tasks, below you can see sample output for a single task.[/color]
schtasks /query /fo LIST /v
[color=red]# The following command links running processes to started services.[/color]
C:\Windows\system32> tasklist /SVC
net start
[color=red]# This can be useful sometimes as some 3rd party drivers, even by reputable companies, contain more holes than Swiss cheese. This is only possible because ring0 exploitation lies outside most people's expertise.[/color]
C:\Windows\system32> DRIVERQUERY
[/quote]

2. WMIC
[quote][color=red]The first and most obvious thing we need to look at is the patch level. There is no need to worry ourselves further if we see that the host is badly patched. My WMIC script will already list all the installed patches, but you can see the sample command line output below.[/color]
C:\Windows\system32> wmic qfe get Caption,Description,HotFixID,InstalledOn
C:\Windows\system32> wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB.." /C:"KB.."
[/quote]
3. Configuration files (leftover provisioning answer files)
[quote]c:\sysprep.inf
c:\sysprep\sysprep.xml
%WINDIR%\Panther\Unattend\Unattended.xml
%WINDIR%\Panther\Unattended.xml[/quote]
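Added example, not part of the original post or the FuzzySecurity tutorial: a PowerShell audit that walks the answer-file paths listed above and reports whether any leftover copy still carries credential fields, so the file can be removed once provisioning is finished. The list of field names is an assumption based on the sysprep.inf and unattend.xml formats; the function name Find-LeftoverAnswerFiles is chosen here.

```powershell
# Added example (not from the original post or fuzzysecurity.com): locate leftover
# provisioning answer files and report whether they still contain credential fields.
# The audit never prints the credential values themselves, only which fields are present.

# Paths are the ones listed in the post above.
$answerFiles = @(
    'C:\sysprep.inf',
    'C:\sysprep\sysprep.xml',
    (Join-Path $env:WINDIR 'Panther\Unattend\Unattended.xml'),
    (Join-Path $env:WINDIR 'Panther\Unattended.xml')
)

# Assumed field names that carry credentials in sysprep.inf / unattend.xml.
$credentialPatterns = @('AdminPassword', '<Password>', '<AdministratorPassword>', '<AutoLogon>')

function Find-LeftoverAnswerFiles {
    $findings = @()
    foreach ($f in $answerFiles) {
        if (-not (Test-Path -LiteralPath $f)) { continue }
        $content = Get-Content -LiteralPath $f -Raw -ErrorAction SilentlyContinue
        $hits = @()
        foreach ($pat in $credentialPatterns) {
            # Case-insensitive substring match; answer files are not consistently cased.
            if ($content -and $content.IndexOf($pat, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
                $hits += $pat
            }
        }
        $findings += [pscustomobject]@{
            Path             = $f
            CredentialFields = ($hits -join ',')
            SizeBytes        = (Get-Item -LiteralPath $f).Length
        }
    }
    return $findings
}

# Wrap in @() so an empty result still has a Count of 0.
$results = @(Find-LeftoverAnswerFiles)
if ($results.Count -eq 0) {
    Write-Output 'No leftover answer files found.'
} else {
    $results | Format-Table -AutoSize
    Write-Warning 'Remove these files once provisioning is complete; they must not stay readable to standard users.'
}
```

Run it from an elevated prompt on freshly imaged machines as part of post-deployment checks; a non-empty table is a finding regardless of whether CredentialFields is populated, because the files serve no purpose after setup.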
4. Group Policy Preferences (GPP)
[url]https://www.rapid7.com/db/modules/post/windows/gather/credentials/gpp[/url]
[url]https://github.com/mattifestation/PowerSploit[/url]
5. Strange registry setting (AlwaysInstallElevated)
The next thing we will look for is a strange registry setting, "AlwaysInstallElevated". If this setting is enabled, it allows users of any privilege level to install *.msi files as NT AUTHORITY\SYSTEM. It seems like a strange idea to me that you would create low-privilege users (to restrict their use of the OS) but give them the ability to install programs as SYSTEM. For more background reading on this issue you can have a look at the article by Parvez from GreyHatHacker, who originally reported this as a security concern.
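Added example, not from the original post or the FuzzySecurity tutorial: a PowerShell check for the AlwaysInstallElevated policy. Windows Installer only honours the policy when the value is 1 in both the HKLM and HKCU policy keys, so the audit reads both and reports the effective state. Repair-AlwaysInstallElevated (a name chosen here) sets the values back to 0, which matches the policy's "Disabled" state; writing the HKLM key needs an elevated prompt.

```powershell
# Added example (not from the original post or fuzzysecurity.com): audit and remediate
# the AlwaysInstallElevated Windows Installer policy on the local host.

# Standard policy locations for the Windows Installer setting.
$installerPolicyPaths = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer',
    'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'
)

function Get-AlwaysInstallElevatedState {
    # Returns a hashtable of path -> value; $null means the policy is not configured,
    # which is the safe default.
    $state = @{}
    foreach ($p in $installerPolicyPaths) {
        $value = $null
        if (Test-Path $p) {
            $item = Get-ItemProperty -Path $p -Name 'AlwaysInstallElevated' -ErrorAction SilentlyContinue
            if ($null -ne $item) { $value = [int]$item.AlwaysInstallElevated }
        }
        $state[$p] = $value
    }
    return $state
}

function Test-AlwaysInstallElevated {
    # The policy is only effective when BOTH hive values are 1.
    $state = Get-AlwaysInstallElevatedState
    $enabled = @($state.Values | Where-Object { $_ -eq 1 })
    return ($enabled.Count -eq 2)
}

function Repair-AlwaysInstallElevated {
    # Set the value to 0 in every key where it exists (requires elevation for HKLM).
    foreach ($p in $installerPolicyPaths) {
        if (Test-Path $p) {
            Set-ItemProperty -Path $p -Name 'AlwaysInstallElevated' -Value 0 -Type DWord
        }
    }
}

# Report the current state.
$state = Get-AlwaysInstallElevatedState
foreach ($kv in $state.GetEnumerator()) {
    $shown = if ($null -eq $kv.Value) { 'not configured' } else { $kv.Value }
    Write-Output ("{0} -> {1}" -f $kv.Key, $shown)
}
if (Test-AlwaysInstallElevated) {
    Write-Warning 'AlwaysInstallElevated is enabled in both hives: any user can install MSI packages as SYSTEM. Run Repair-AlwaysInstallElevated from an elevated prompt.'
} else {
    Write-Output 'AlwaysInstallElevated is not effective on this host.'
}
```

In a domain, the remediation belongs in the GPO that set the value rather than on individual hosts, otherwise the next policy refresh reapplies it; the audit is still useful for confirming that the GPO change has actually landed.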
6. Services and accesschk.exe
7. File and folder permissions