Windows Privilege Escalation: A Guide to Initial Enumeration
How to Perform Initial Enumeration for Windows Privilege Escalation
This article provides a comprehensive guide on network enumeration and system information retrieval using various command-line tools in Windows.
It covers retrieving network interfaces, ARP entries, and routing tables.
It also includes checking Windows Defender status, listing and testing AppLocker policies, and gathering detailed system information such as running tasks, environment variables, patches, updates, installed software, and active network connections.
Additionally, it details methods to obtain user and group information, including current logged-in users, user privileges, and password policies.
Network Enumeration
Interfaces
C:\htb> ipconfig /all
ARP Entries
C:\htb> arp -a
Routes
C:\htb> route print
Enumerating Protections
Check Windows Defender Status
PS C:\htb> Get-MpComputerStatus
List AppLocker Rules
PS C:\htb> Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections
Test AppLocker Policy
PS C:\htb> Get-AppLockerPolicy -Local | Test-AppLockerPolicy -path C:\Windows\System32\cmd.exe -User Everyone
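The three checks above can be combined into a single PowerShell function that reports the Defender settings that decide whether activity on the host is observed or blocked, lists each AppLocker rule collection with its enforcement mode (AuditOnly logs but does not block), and tests several binaries against the effective policy. This is an added example, not code from the original article; it assumes the Defender and AppLocker modules are available (Windows 10 / Server 2016 and later), and the list of paths to test is a constructed sample.

```powershell
# Added example: summarise Defender and AppLocker posture in one call.
# Assumes the Defender and AppLocker PowerShell modules are available.
function Get-ProtectionSummary {
    [CmdletBinding()]
    param(
        # Binaries to evaluate against the effective AppLocker policy (constructed sample)
        [string[]]$TestPath = @(
            "$env:SystemRoot\System32\cmd.exe",
            "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe",
            "$env:TEMP\example.exe"     # placeholder for a file outside the trusted paths
        ),
        [string]$User = 'Everyone'
    )

    $result = [ordered]@{}

    # Windows Defender: the properties that decide whether activity is observed or blocked
    try {
        $mp = Get-MpComputerStatus -ErrorAction Stop
        $result.Defender = [pscustomobject]@{
            AntivirusEnabled   = $mp.AntivirusEnabled
            RealTimeProtection = $mp.RealTimeProtectionEnabled
            BehaviorMonitoring = $mp.BehaviorMonitorEnabled
            SignatureAgeDays   = $mp.AntivirusSignatureAge
            TamperProtection   = $mp.IsTamperProtected
        }
    } catch {
        $result.Defender = "Get-MpComputerStatus failed: $($_.Exception.Message)"
    }

    # AppLocker: no rule collections in the effective policy means nothing is enforced
    $policy = Get-AppLockerPolicy -Effective -ErrorAction SilentlyContinue
    if ($null -eq $policy -or -not $policy.RuleCollections) {
        $result.AppLocker = 'No effective AppLocker policy'
        return [pscustomobject]$result
    }

    # One row per collection (Exe, Script, Msi, Dll, Appx) with enforcement mode and rule count.
    $result.AppLockerCollections = $policy.RuleCollections | ForEach-Object {
        [pscustomobject]@{
            Type  = $_.RuleCollectionType
            Mode  = $_.EnforcementMode          # Enabled, AuditOnly or NotConfigured
            Rules = ($_ | Measure-Object).Count
        }
    }

    # Test-AppLockerPolicy needs real files (it computes hash and publisher data), so skip missing ones
    $existing = @($TestPath | Where-Object { Test-Path -LiteralPath $_ -PathType Leaf })
    if ($existing.Count -gt 0) {
        $result.AppLockerTests = $policy |
            Test-AppLockerPolicy -Path $existing -User $User |
            Select-Object FilePath, PolicyDecision, MatchingRule
    }
    [pscustomobject]$result
}

Get-ProtectionSummary | Format-List
```

PolicyDecision is Allowed, Denied or DeniedByDefault per file; DeniedByDefault with an Enabled Exe collection means the path is blocked only because no rule matched, which is the state a hardening review wants to see for user-writable locations.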
System Information
Tasklist
C:\htb> tasklist /svc
Display All Environment Variables
C:\htb> set
System Information Summary
C:\htb> systeminfo
Patches and Updates
C:\htb> wmic qfe
PS C:\htb> Get-HotFix | ft -AutoSize
Installed Programs
C:\htb> wmic product get name
Name
Microsoft Visual C++ 2019 X64 Additional Runtime - 14.24.28127
Java 8 Update 231 (64-bit)
Microsoft Visual C++ 2019 X86 Additional Runtime - 14.24.28127
VMware Tools
Microsoft Visual C++ 2019 X64 Minimum Runtime - 14.24.28127
Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.24.28127
Java Auto Updater
<SNIP>
PS C:\htb> Get-WmiObject -Class Win32_Product | select Name, Version
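Both wmic product and the Win32_Product class go through the Windows Installer, which validates every MSI package as it enumerates: the query is slow, can trigger repair actions, and writes an Application-log event per package, which is a noisy footprint on a monitored host. The following added example (not from the original article) builds the same inventory from the registry Uninstall keys instead, alongside a patch-age summary based on Get-HotFix; it uses only built-in cmdlets and registry keys the current user can already read.

```powershell
# Added example: installed software from the registry plus a patch-age summary.
# Reads only registry keys the current user can already open; no Windows Installer calls.
function Get-InstalledSoftware {
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',  # 32-bit apps on 64-bit Windows
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'               # per-user installs
    )
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -and -not $_.SystemComponent } |
        Select-Object @{ n = 'Name';            e = { $_.DisplayName } },
                      @{ n = 'Version';         e = { $_.DisplayVersion } },
                      @{ n = 'Publisher';       e = { $_.Publisher } },
                      @{ n = 'InstallLocation'; e = { $_.InstallLocation } } |
        Sort-Object Name, Version -Unique
}

function Get-PatchSummary {
    # Get-HotFix wraps Win32_QuickFixEngineering (the same source as wmic qfe).
    # InstalledOn is empty for some entries, so those are excluded from the age calculation.
    $fixes  = @(Get-HotFix | Where-Object { $_.InstalledOn } | Sort-Object InstalledOn -Descending)
    $newest = $fixes | Select-Object -First 1
    [pscustomobject]@{
        HotfixCount    = $fixes.Count
        NewestHotfix   = if ($newest) { $newest.HotFixID } else { $null }
        NewestDate     = if ($newest) { $newest.InstalledOn } else { $null }
        # Days since the last patch: the first number to look at when judging patch currency
        DaysSincePatch = if ($newest) { [int]((Get-Date) - $newest.InstalledOn).TotalDays } else { $null }
    }
}

Get-PatchSummary
Get-InstalledSoftware | Format-Table -AutoSize
```

Get-HotFix only lists updates that register as hotfixes; cumulative updates delivered through Windows Update still appear, but feature updates do not, so the OS build from systeminfo should be read alongside this output.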
User & Group Information
Logged-In Users
C:\htb> query user
 USERNAME              SESSIONNAME        ID  STATE   IDLE TIME  LOGON TIME
>administrator         rdp-tcp#2           1  Active          .  3/25/2021 9:27 AM
Current User
C:\htb> echo %USERNAME%
Current User Privileges
C:\htb> whoami /priv
Current User Group Information
C:\htb> whoami /groups
Get All Users
C:\htb> net user
Get All Groups
C:\htb> net localgroup
Details About a Group
C:\htb> net localgroup administrators
Get Password Policy & Other Account Information
C:\htb> net accounts
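The whoami and net commands above print tables meant for a human; whoami also accepts /fo csv, which turns the same data into objects that can be filtered. The added example below (not from the original article) builds a structured summary of the current token and of the local accounts from those sources. It assumes the Microsoft.PowerShell.LocalAccounts cmdlets (Get-LocalUser, Get-LocalGroupMember), which ship with Windows 10 / Server 2016 and later; the list of privileges it highlights is a constructed list of the ones security baselines treat as sensitive, not an exhaustive one.

```powershell
# Added example: structured view of the current token and the local accounts.
# whoami /fo csv is easier to parse than its default table output.
function Get-TokenSummary {
    # Privileges that security baselines treat as sensitive because they bypass
    # normal access checks (constructed list, not exhaustive)
    $sensitive = @(
        'SeDebugPrivilege', 'SeImpersonatePrivilege', 'SeAssignPrimaryTokenPrivilege',
        'SeBackupPrivilege', 'SeRestorePrivilege', 'SeTakeOwnershipPrivilege',
        'SeLoadDriverPrivilege', 'SeTcbPrivilege'
    )

    # CSV headers are "Privilege Name","Description","State" and "Group Name","Type","SID","Attributes"
    $privs  = whoami /priv /fo csv   | ConvertFrom-Csv
    $groups = whoami /groups /fo csv | ConvertFrom-Csv

    [pscustomobject]@{
        User           = "$env:USERDOMAIN\$env:USERNAME"
        # A privilege is in the token whether Enabled or Disabled; a disabled one can be enabled by its holder
        Privileges     = $privs | Select-Object @{ n = 'Name'; e = { $_.'Privilege Name' } }, State
        SensitivePrivs = @($privs | Where-Object { $sensitive -contains $_.'Privilege Name' }).'Privilege Name'
        # BUILTIN\Administrators is S-1-5-32-544; under UAC a non-elevated token shows it with "Group used for deny only"
        IsLocalAdmin   = [bool]($groups | Where-Object { $_.SID -eq 'S-1-5-32-544' -and $_.Attributes -notlike '*deny only*' })
        IntegrityLevel = ($groups | Where-Object { $_.SID -like 'S-1-16-*' }).'Group Name'
    }
}

function Get-LocalAccountSummary {
    # Members of the local Administrators group, looked up by SID so the name does not depend on locale
    $admins = @(Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction SilentlyContinue)
    Get-LocalUser | Select-Object Name, Enabled, LastLogon, PasswordLastSet, PasswordExpires,
        @{ n = 'IsAdmin'; e = { $name = $_.Name; [bool]($admins | Where-Object { $_.Name -like "*\$name" }) } }
}

Get-TokenSummary | Format-List
Get-LocalAccountSummary | Format-Table -AutoSize
```

Enabled accounts with an old PasswordLastSet, or a PasswordExpires of nothing, are the rows to compare against the policy that net accounts reports.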
Display Active Network Connections
C:\htb> netstat -ano
We can use the tool PipeList from the Sysinternals Suite to enumerate instances of named pipes.
Listing Named Pipes with Pipelist
C:\htb> pipelist.exe /accepteula
PipeList v1.02 - Lists open named pipes
Copyright (C) 2005-2016 Mark Russinovich
Sysinternals - www.sysinternals.com

Pipe Name                                    Instances       Max Instances
---------                                    ---------       -------------
InitShutdown                                      3               -1
lsass                                             4               -1
ntsvcs                                            3               -1
scerpc                                            3               -1
Winsock2\CatalogChangeListener-340-0              1                1
Winsock2\CatalogChangeListener-414-0              1                1
epmapper                                          3               -1
Winsock2\CatalogChangeListener-3ec-0              1                1
Winsock2\CatalogChangeListener-44c-0              1                1
LSM_API_service                                   3               -1
atsvc                                             3               -1
Winsock2\CatalogChangeListener-5e0-0              1                1
eventlog                                          3               -1
Winsock2\CatalogChangeListener-6a8-0              1                1
spoolss                                           3               -1
Winsock2\CatalogChangeListener-ec0-0              1                1
wkssvc                                            4               -1
trkwks                                            3               -1
vmware-usbarbpipe                                 5               -1
srvsvc                                            4               -1
ROUTER                                            3               -1
vmware-authdpipe                                  1                1
<SNIP>
Listing Named Pipes with PowerShell
PS C:\htb> gci \\.\pipe\
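The PipeList and gci output above mixes pipes that Windows itself creates with pipes belonging to third-party services, and only the latter normally deserve a permissions review. The following added example (not from the original article, and not part of Sysinternals) lists the pipes, separates them using a baseline constructed from the PipeList output above, and, when accesschk.exe is on the path, runs it with -w against the non-baseline pipes to report which accounts can write to them. The baseline list is an assumption built from this page's sample output and is not exhaustive.

```powershell
# Added example: list named pipes, separate the ones core Windows services create
# from the rest, and optionally run accesschk on the rest to see who can write to them.
function Get-NamedPipeTriage {
    param(
        # Sysinternals accesschk; when it is not on the path only the listing is returned
        [string]$AccessChk = 'accesschk.exe'
    )
    # Pipes created by core Windows services (constructed baseline from the sample output; not exhaustive)
    $baseline = @('InitShutdown', 'lsass', 'ntsvcs', 'scerpc', 'epmapper', 'LSM_API_service',
                  'atsvc', 'eventlog', 'spoolss', 'wkssvc', 'trkwks', 'srvsvc', 'ROUTER')
    $haveAccessChk = [bool](Get-Command $AccessChk -ErrorAction SilentlyContinue)

    # Full paths look like \\.\pipe\Winsock2\CatalogChangeListener-340-0; keep everything after the prefix
    $prefix = '\\.\pipe\'
    $pipes = [System.IO.Directory]::GetFiles($prefix) | ForEach-Object { $_.Substring($prefix.Length) }

    foreach ($pipe in $pipes) {
        $isBaseline = ($baseline -contains $pipe) -or ($pipe -like 'Winsock2\CatalogChangeListener-*')
        $writers = $null
        if (-not $isBaseline -and $haveAccessChk) {
            # -w: report only principals with write access; -q: suppress the banner
            $writers = (& $AccessChk -accepteula -q -w "\pipe\$pipe" 2>$null) -join '; '
        }
        [pscustomobject]@{ Pipe = $pipe; Baseline = $isBaseline; WriteAccess = $writers }
    }
}

Get-NamedPipeTriage | Where-Object { -not $_.Baseline } | Format-Table -AutoSize
```

A non-baseline pipe whose WriteAccess column names Everyone, Authenticated Users or BUILTIN\Users is the case to take to the accesschk -v review shown below, since the service on the other end of that pipe is accepting input from any local user.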
Reviewing LSASS Named Pipe Permissions
C:\htb> accesschk.exe /accepteula \\.\Pipe\lsass -v
Named Pipes Attack Example
The -w switch restricts accesschk output to the accounts that have write access to the object, so a third-party service pipe that low-privileged users can write to is the condition this check is looking for.
C:\htb> accesschk.exe -accepteula -w \pipe\WindscribeService -v