• Nessus
  • Snaffler
  • WinPEAS

Windows (Server) Build Review Logfile


Test Details & Scope


  • Project Number:
  • Date of Test:
  • Target List:

Test Accounts


user1:password1
admin1:password1


Legend


    • confirmed vulnerability
    • no issue or false positive
    • ! - warnings about issues or possible vulnerabilities
    • ? - still needs checking

Scanning


Nmap

nmap -Pn -p- -sSVC $target
nmap -sU --top-ports 200 $target
  • Manually investigate discovered services:

Nessus

Discovery > Port Scanning  > Port Scan Range = 1-65535

Assessment > Override normal accuracy (show false alarms) + perform thorough tests.

Report > Override normal verbosity + Report as much as possible + untick "Show missing superseded patches"

Credentials > Windows > Add in User/Password/Domain details, select Start Remote Registry + Enable admin shares. 

Compliance > CIS Microsoft Windows Server (Version) Member Server L1  

Save & Launch, review the output and eliminate false positives or screenshot relevant issues on the target. 
  • Issues and/or exploitable PoCs:

Local Enumeration & Configuration Checks


PowerSploit/PowerUp https://github.com/PowerShellMafia/PowerSploit/tree/master

powershell -ep bypass
. .\PowerUp.ps1
Invoke-PrivescAudit -HTMLReport

SharpUp https://github.com/GhostPack/SharpUp

SharpUp.exe audit

WinPEAS https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS/winPEASexe

# PS 
winPEASx64_ofs.exe | Out-File -Encoding utf8 winpeas_output.txt

# CMD
winPEASx64_ofs.exe > winpeas_output.txt

# Execute in memory, console output 
$wp = [System.Reflection.Assembly]::Load([byte[]]([IO.File]::ReadAllBytes("C:\Users\victim\winPEASx64_ofs.exe"))); $output = [winPEAS.Program]::Main("notcolor,log"); $output


# Execute in memory, write file to disk
$sw=New-Object IO.StringWriter; [Console]::SetOut($sw); [System.Reflection.Assembly]::Load([IO.File]::ReadAllBytes("C:/pentest/winPEASx64_ofs.exe")) | Out-Null; [winPEAS.Program]::Main("notcolor,log") | Out-Null; $sw.ToString() | Out-File -Encoding utf8 winpeas_output.txt

- To Do: Remote Run? WebDAV or something? IWR?

  • Check for sensitive information (logfiles, config files, scripts, certificates, keys): Manual enum:

  • What disk drives are present?

wmic logicaldisk get name,description,filesystem,volumename
  • Check PowerShell history for sensitive info:
ls C:\Users
type C:\Users\[username]\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
  • Interesting environment variables?
dir env:
  • Interesting env PATHs? Anything preceding ‘system32’ can be risky, especially if writable:
$env:PATH
  • Plaintext passwords? snaffler
# Local
snaffler.exe -i C:\ -o c_drive_output.log

# Remote
snaffler.exe -n [target] -o snaffler-[target].log

Software & Services


  • Check software versions:
wmic datafile where name="C:\\Path\\To\\software.exe" get Version /value

(Get-Item C:\Software\Path\software.dll).VersionInfo | Format-Table -AutoSize
(Get-Item C:\Software\Path\software.dll).VersionInfo.FileVersionRaw | Format-Table -AutoSize
  • Check service configuration:
services.msc

# cmd  
sc query

# PS 
Get-Service | fl
  • Unquoted service paths (cmd):
wmic service get name,pathname
  • Weak service, binary or directory permissions, e.g. Users or Authenticated Users with Modify. Also consider Startup Type, Log On As and Service Status when rating severity:
Get-Acl -Path "C:\Program Files\[Vulnerable Service Folder]" | fl
  • Localhost-only (web) services? If they need scanning, consider tunnelling:
netstat -ano
ssh -L localport:remoteaddress:remoteport username@server.com
curl http://localhost:localport
  • DLL preloading? Check whether CWDIllegalInDllSearch exists and, if so, that it is not set to 0:
Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager"

- If needed, a PoC is easy: a local exe calling a remote (share) DLL.
- In a PowerShell window, cd to the network path containing the DLL, making it the current working directory.
- Execute the test exe using its absolute path.
- If you see a load of numbers being generated, the system is vulnerable, as the exe has used the DLL from the current directory on the network share. If there is no output, the system is probably not vulnerable to this particular issue.
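Added example, not from the original checklist: one PowerShell pass over the service configuration and permission checks above, combining the unquoted-path and weak-ACL checks into a single report that also carries Startup Type, Log On As and State for rating severity. The principal and right patterns are this example's own choices, not anything the checklist specifies.

```powershell
# Added example, not part of the original checklist: audit every service for an
# unquoted binary path and for weak ACLs on the binary or its folder, carrying the
# start mode, logon account and state so the finding can be rated as the checklist
# suggests. The principal and right patterns below are choices made for this example.
$weakRights = 'FullControl|Modify|\bWrite\b|WriteData|AppendData|ChangePermissions|TakeOwnership'
$lowPrivPrincipals = 'Everyone|Authenticated Users|BUILTIN\\Users|INTERACTIVE'

function Get-ServiceBinaryPath {
    param([string]$PathName)
    # A quoted path ends at the closing quote; otherwise take everything up to the
    # first ".exe" so arguments such as "-k netsvcs" are dropped.
    if ($PathName -match '^"([^"]+)"') { return $Matches[1] }
    if ($PathName -match '^(.+?\.exe)') { return $Matches[1] }
    return $PathName.Trim()
}

function Test-ServiceHardening {
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $svc = $_
        if (-not $svc.PathName) { return }          # no image path recorded, nothing to check
        $exe = Get-ServiceBinaryPath $svc.PathName
        $findings = @()

        # Unquoted path containing a space: each prefix before a space is tried as a program
        if ($svc.PathName -notmatch '^"' -and $exe -match ' ') {
            $findings += 'UnquotedPath'
        }

        # Weak ACLs on the binary itself and on the directory it lives in
        foreach ($target in @($exe, (Split-Path -Path $exe -Parent))) {
            if (-not $target -or -not (Test-Path -LiteralPath $target)) { continue }
            $acl = Get-Acl -LiteralPath $target -ErrorAction SilentlyContinue
            if (-not $acl) { continue }
            foreach ($ace in $acl.Access) {
                if ($ace.AccessControlType -eq 'Allow' -and
                    "$($ace.IdentityReference)" -match $lowPrivPrincipals -and
                    "$($ace.FileSystemRights)" -match $weakRights) {
                    $findings += "WeakAcl $target [$($ace.IdentityReference): $($ace.FileSystemRights)]"
                }
            }
        }

        if ($findings.Count -gt 0) {
            [pscustomobject]@{
                Name      = $svc.Name
                StartMode = $svc.StartMode     # auto-start services matter most
                LogOnAs   = $svc.StartName     # LocalSystem plus a weak ACL is the worst case
                State     = $svc.State
                Path      = $svc.PathName
                Findings  = ($findings -join '; ')
            }
        }
    }
}

Test-ServiceHardening | Format-List
```

Run it from the build-review account on the target; services whose binary or folder cannot be read are skipped silently, so an empty result from a low-privilege shell is not proof of a clean configuration.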


Secure Networking Checks


Many of these checks are looking for deprecated protocols/mechanisms that are disabled by default on newer (Win 2008+) servers. MS documentation can help you identify what a ‘missing’ key/attribute means.

  • TestSSL on external services:
testssl.sh IP:Port | tee output.txt
  • Is NTLM being used? Event ID 4624
# PowerShell
$eventLog = Get-EventLog -LogName Security | Where-Object {$_.EventID -eq 4624}
$ntlmEvents = $eventLog | Where-Object {$_.Message -match "NTLM"} | Select-Object -Property MachineName, TimeGenerated, Message

if ($ntlmEvents) {
    Write-Output "NTLM authentication events found:"
    $ntlmEvents
} else {
    Write-Output "No NTLM authentication events found."
}

# cmd
wevtutil qe Security /q:"*[System/EventID=4624]" /rd:true /f:text | findstr /i "IP Hostname"
  • LLMNR enabled? EnableMulticast 1 = Enabled, 0 = Disabled (a missing value means the default, enabled, applies)
# PowerShell
Get-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient" -Name EnableMulticast -ErrorAction SilentlyContinue

reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient" /v EnableMulticast

get-itemproperty -path "HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters"
  • NBT-NS enabled? TcpipNetbiosOptions 0 = Default (Enabled), 1 = Enabled, 2 = Disabled
# wmic
wmic nicconfig get caption,index,TcpipNetbiosOptions

# regedit
Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\

# PowerShell
Get-ChildItem "HKLM:SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces"
  • Check WPAD settings: Only an issue if open-ended auto-detect
Internet Explorer > Internet Options > Connections Tab > LAN Settings > Auto Detect > Enabled
  • Check WDigest Authentication: 0 = Disabled, 1= Enabled
reg query HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential

# regedit
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential

# PowerShell (UseLogonCredential is a value, not a key, so read it with Get-ItemProperty)
Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest" -Name UseLogonCredential -ErrorAction SilentlyContinue

Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest"
  • Check SMB versions:
Get-SmbServerConfiguration

Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
  • Check SMB signing: Enabled, not Required is still a risk.
# Client
Get-ItemProperty "HKLM:System\CurrentControlSet\Services\LanManWorkstation\Parameters"

# Server
Get-ItemProperty "HKLM:SYSTEM\CurrentControlSet\Services\LanManServer\Parameters"
Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa"
1. LmCompatibilityLevel = 3-5 (default) # Report if lower than 3
2. DisableRestrictedAdmin: disabled (default) # Double negative is stupid
3. RunAsPPL: 1 (not default) # Report if missing or 0
  • Check NLA:
(Get-WmiObject -Class "Win32_TSGeneralSetting" -Namespace root\cimv2\terminalservices).UserAuthenticationRequired
  • Protected Users Group?
TODO - Possibly only DCs?
  • Permissive ‘Trusted Sites’?
# regedit (Older Windows)
HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey
HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey
HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains

# Modern Windows
Settings > Privacy & Security > Windows > App & browser control > Reputation-based protection settings > 
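Added example, not from the original checklist: a single table-driven PowerShell pass over the registry values behind the LLMNR, WDigest, SMB signing, SMB1 and LSA checks in this section, plus the per-interface NBT-NS setting. The expected values follow the notes above; a value that is absent is reported as missing so the OS default is looked up rather than assumed. The labels and verdict wording are this example's own.

```powershell
# Added example, not part of the original checklist: read the registry values the
# "Secure Networking Checks" refer to and turn each into a verdict. Expected values
# follow the checklist notes; a missing value is shown as <missing> so the OS default
# is confirmed against Microsoft documentation rather than guessed.
function Get-RegValue {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

# Each entry: a label, the key and value to read, and a script block mapping the value to a verdict
$checks = @(
    @{ Check = 'LLMNR (EnableMulticast)'
       Path  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'; Name = 'EnableMulticast'
       Rate  = { param($v); if ($v -eq 0) { 'OK: disabled' } elseif ($null -eq $v) { 'WARN: not set, default (enabled) applies' } else { 'FAIL: enabled' } } },
    @{ Check = 'WDigest (UseLogonCredential)'
       Path  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'; Name = 'UseLogonCredential'
       Rate  = { param($v); if ($v -eq 1) { 'FAIL: enabled, cleartext credentials kept in LSASS' } elseif ($v -eq 0) { 'OK: disabled' } else { 'INFO: not set, check the OS default' } } },
    @{ Check = 'SMB client signing (RequireSecuritySignature)'
       Path  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'; Name = 'RequireSecuritySignature'
       Rate  = { param($v); if ($v -eq 1) { 'OK: required' } else { 'WARN: not required (enabled-only or unset is still a risk)' } } },
    @{ Check = 'SMB server signing (RequireSecuritySignature)'
       Path  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'; Name = 'RequireSecuritySignature'
       Rate  = { param($v); if ($v -eq 1) { 'OK: required' } else { 'WARN: not required (enabled-only or unset is still a risk)' } } },
    @{ Check = 'SMB1 server (SMB1)'
       Path  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'; Name = 'SMB1'
       Rate  = { param($v); if ($v -eq 0) { 'OK: SMB1 disabled' } else { 'INFO: not explicitly disabled, confirm with Get-SmbServerConfiguration' } } },
    @{ Check = 'LmCompatibilityLevel'
       Path  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Name = 'LmCompatibilityLevel'
       Rate  = { param($v); if ($null -eq $v) { 'INFO: not set, OS default applies' } elseif ($v -ge 3) { 'OK' } else { 'FAIL: below 3, LM/NTLMv1 responses allowed' } } },
    @{ Check = 'DisableRestrictedAdmin'
       Path  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Name = 'DisableRestrictedAdmin'
       Rate  = { param($v); if ($v -eq 0) { 'WARN: Restricted Admin mode enabled' } else { 'OK: Restricted Admin disabled (default when missing)' } } },
    @{ Check = 'RunAsPPL (LSA protection)'
       Path  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Name = 'RunAsPPL'
       Rate  = { param($v); if ($null -eq $v -or $v -eq 0) { 'FAIL: LSASS not running as a protected process' } else { 'OK' } } }
)

function Test-SecureNetworkingSettings {
    foreach ($c in $checks) {
        $value   = Get-RegValue -Path $c.Path -Name $c.Name
        $verdict = & $c.Rate $value
        $shown   = if ($null -eq $value) { '<missing>' } else { $value }
        [pscustomobject]@{ Check = $c.Check; Value = $shown; Verdict = $verdict }
    }
    # NBT-NS is set per interface: NetbiosOptions 0 = default (enabled), 1 = enabled, 2 = disabled
    $ifRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'
    foreach ($iface in Get-ChildItem -Path $ifRoot) {
        $opt     = (Get-ItemProperty -Path $iface.PSPath).NetbiosOptions
        $verdict = if ($opt -eq 2) { 'OK: disabled' } else { 'WARN: NetBIOS over TCP/IP not disabled' }
        [pscustomobject]@{ Check = "NBT-NS $($iface.PSChildName)"; Value = $opt; Verdict = $verdict }
    }
}

Test-SecureNetworkingSettings | Format-Table -AutoSize -Wrap
```

Keeping the checks as data makes it easy to extend the table with the other values in this section (for example CWDIllegalInDllSearch from the DLL preloading check) without touching the reporting code.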


User Accounts & Credentials


  • Default administrator disabled? RID 500
net user Administrator
  • Excessive (local) administrators?
# PowerShell
Get-LocalGroup | where Name -like "*admin*"
Get-LocalGroupMember [Group]

# PowerShell Script
Get-LocalGroup | Where-Object { $_.Name -like "*admin*" } | ForEach-Object { Write-Host "$($_.Name):"; Get-LocalGroupMember -Group $_.Name | ForEach-Object { Write-Host "  $($_.Name)" }; Write-Host }
  • Interesting service accounts?

  • Dump credentials in memory: Cleartext? Old/insecure authentication schemes?

secretsdump.py 'DOMAIN/USER:PASSWORD@TARGET'
  • LAPS in use?
TODO
  • Credential Guard & SeDebugPrivilege: SeDebugPrivilege Enabled makes things worse.
msinfo32.exe > System Summary > Virtualization-based Security Services Running: Credential Guard

# PowerShell for CredGuard (0/False = Not Enabled)
[bool](Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard).SecurityServicesRunning.Contains(2)

Get-CimInstance -ClassName Win32_DeviceGuard | Select-Object -ExpandProperty SecurityServicesRunning

(Get-WmiObject -Namespace "root\Microsoft\Windows\DeviceGuard" -Class "Win32_DeviceGuard").SecurityServicesRunning

# SeDebugPrivs remote check - needs accesschk + psexec (sysinternals) to work 
runas.exe /netonly /user:DOMAIN\User powershell

C:\Tools\PsExec.exe \\TargetServer -h -nobanner -accepteula -c C:\Tools\accesschk.exe /accepteula -q -a "*"


  • CredSSP?
TODO
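Added example, not from the original checklist: the "Is NTLM being used?" check (Event ID 4624) in the networking section and the "old/insecure authentication schemes" question above rest on the same evidence. This PowerShell block reads the 4624 fields from the event XML instead of regex-matching the message text, so NTLM V1 can be told apart from NTLM V2. It needs a session that can read the Security log; the sample size is this example's choice.

```powershell
# Added example, not part of the original checklist: summarise Security 4624 logons
# by authentication package, reading the fields from the event XML rather than the
# message text, so NTLM V1 and NTLM V2 can be distinguished and evidenced.
function Get-NtlmLogonSummary {
    param([int]$MaxEvents = 5000)   # sample size chosen for this example; raise it for long retention
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents $MaxEvents |
        ForEach-Object {
            $xml = [xml]$_.ToXml()
            $d = @{}
            foreach ($node in $xml.Event.EventData.Data) { $d[$node.Name] = $node.'#text' }
            [pscustomobject]@{
                Time        = $_.TimeCreated
                User        = "$($d.TargetDomainName)\$($d.TargetUserName)"
                LogonType   = $d.LogonType
                AuthPackage = $d.AuthenticationPackageName   # Kerberos, NTLM or Negotiate
                LmPackage   = $d.LmPackageName               # NTLM V1, NTLM V2, LM, or '-' when not NTLM
                SourceIp    = $d.IpAddress
                Workstation = $d.WorkstationName
            }
        } |
        Where-Object { $_.AuthPackage -eq 'NTLM' }
}

$ntlm = @(Get-NtlmLogonSummary)
if ($ntlm.Count -eq 0) {
    'No NTLM logon events in the sampled window.'
} else {
    # Which NTLM versions are in use, and by whom, so the finding can be evidenced
    $ntlm | Group-Object LmPackage | Select-Object Name, Count | Format-Table -AutoSize
    $ntlm | Sort-Object Time -Descending | Select-Object -First 20 | Format-Table -AutoSize
    $v1 = @($ntlm | Where-Object { $_.LmPackage -eq 'NTLM V1' })
    if ($v1.Count -gt 0) { "FAIL: $($v1.Count) NTLMv1 logon(s) seen; rate alongside LmCompatibilityLevel" }
}
```

Group the output by SourceIp or Workstation as well when the report needs to name the clients that still fall back to NTLM.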

Misc Checks


  • Browse to http://sophostest.com (test site for Sophos web security and control products).