Saturday, 9 November 2019

Sysinternals Suite - quick review for Windows 10

Sometimes during a project at the Client's office you can see that the environment there is mostly well hardened (so, for example, we cannot install new software, we cannot open new ports or add users, and we cannot connect our laptop to the network, etc.). In that scenario I decided to check some tools from the Sysinternals Suite. Below you'll find a few notes. Here we go...
This time we will start here:

As you can see, there are a lot of different tools to check. If you have never tried it, I recommend you check it out (here you can find the list of tools as well).

I decided to start with the tool called pslist: with this tool you can list the processes (tasks) already running in the OS:



The next one, accesschk.exe, can be used to gather more information about the files on a remote host, for example for future attacks related to privilege escalation (a similar case is described here):


Another example:


The next tool I tried was AccessEnum - one of my favourites ;) We can quickly find out if there is an opportunity to escalate our privs again:


For example (the vulnerable System Scheduler from the last part with responder.py ;)):


The next one I tried: ADExplorer - if you have AD credentials it should be easy to perform enumeration attacks:

More examples:

Another tool you can use during pentests (or while you're waiting for access to the app ;)) is procexp, called Process Explorer:


Next tool: Process Monitor (you can use the Filter to identify, for example, possible DLL injection bugs. Unfortunately, AFAIK we need 'more privs' to run it):


See?
A quick example of a possible scenario:


Next - psexec. We can use it to execute an (admin's) command on a remote host. In this case we can always try to use Responder (as described before) and crack the admin's password to use it later to go deeper. Like here:


Now it should be easy:


Cool, calc.exe with NT\SYSTEM... but I always like to see when meterpreter is coming home ;)
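The psexec step above also leaves a trace on the target that a defender can look for: PsExec installs a service (PSEXESVC by default, copied through ADMIN$ into the Windows directory), which the Service Control Manager logs as System event ID 7045. As an added example (not code from the post), the Python below flags such records; the key=value record format and the sample log lines are constructed for this example.

```python
"""Spot PsExec-style remote execution in Windows System log records.

Added example, not from the original post. The simplified key=value
record format and the sample events below are constructed assumptions.
"""
import re

# Constructed sample records: the 3rd is default PsExec, the 4th a renamed one.
SAMPLE_EVENTS = [
    'EventID=7045 Host=WS01 ServiceName="Windows Update Medic Service" '
    'ImagePath="C:\\Windows\\system32\\svchost.exe -k wusvcs" Account="LocalSystem"',
    'EventID=4624 Host=WS01 LogonType=3 Account="CORP\\j.doe"',
    'EventID=7045 Host=WS01 ServiceName="PSEXESVC" '
    'ImagePath="%SystemRoot%\\PSEXESVC.exe" Account="LocalSystem"',
    'EventID=7045 Host=WS02 ServiceName="updater" '
    'ImagePath="C:\\Windows\\updater.exe" Account="LocalSystem"',
]

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_event(line):
    """Turn one key=value record into a dict; quoted values may contain spaces."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD_RE.finditer(line)}

def psexec_indicators(event):
    """Return the reasons a 7045 record looks like PsExec (empty list if none)."""
    if event.get("EventID") != "7045":
        return []
    name = event.get("ServiceName", "").upper()
    image = event.get("ImagePath", "")
    if name == "PSEXESVC" or "PSEXESVC" in image.upper():
        return ["default PsExec service name or binary"]
    # Heuristic: PsExec -r renames service and binary, but the executable still
    # lands directly in the Windows directory and is started with no arguments.
    if re.fullmatch(r'(?:%SystemRoot%|C:\\Windows)\\[^\\ ]+\.exe', image, re.I):
        return ["new service binary directly in the Windows directory (review)"]
    return []

def find_suspicious(lines):
    """Return (host, service name, reason) for every record that raises a flag."""
    hits = []
    for event in map(parse_event, lines):
        for reason in psexec_indicators(event):
            hits.append((event.get("Host"), event.get("ServiceName"), reason))
    return hits
```

The second heuristic is noisy by design (legitimate installers also drop services), so treat it as a review queue rather than an alert.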


I really recommend you download and check out the Sysinternals Suite. Even with a non-admin user account we can still get some information about the target we are trying to pwntest. ;)

See you next time!

Cheers

P.S. Thanks for all the donations! ;)
