Pentesting Windows

This page is a playbook for pentesting Windows boxes; refer to Pentesting for the generic approach.

Enumeration

  • nmap
  • SMB
  • LDAP dump
  • AD with BloodHound; analyze its output in the BloodHound UI to find the shortest path to valuable assets
  • MS-SQL xp_dirtree

Getting foothold

  • Brute force users via SMB with crackmapexec
  • Password spray the users with crackmapexec
  • Connect with evil-winrm (the WinRM equivalent of SSH)
  • Shadow credential: when a user has write access to another user's KeyCredentialLink attribute, the user can write their own public key material to it, forcing AD to send the NTLM token to the attacker. Use certipy-ad shadow auto to perform this kind of attack.
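The defender-side counterpart of the shadow-credential technique above is watching for writes to the KeyCredentialLink attribute. The Python below is an added example, not part of this playbook: it filters Windows Security event 5136 ("A directory service object was modified") records for "Value Added" operations on msDS-KeyCredentialLink and separates cross-principal writes (one account writing another's attribute) from self-writes, which a computer account legitimately performs during device registration. The event records are constructed sample data in a simplified dict form, the self-write heuristic is an assumption for illustration, and 5136 only appears when "Audit Directory Service Changes" and an object SACL are configured.

```python
import re
from dataclasses import dataclass

# msDS-KeyCredentialLink is the attribute a shadow-credential attack writes to.
KEYCRED_ATTR = "msds-keycredentiallink"
# OperationType code for "Value Added" in event 5136.
VALUE_ADDED = "%%14674"


@dataclass
class Finding:
    subject: str          # SubjectUserName: who performed the write
    target_dn: str        # ObjectDN: whose attribute was written
    cross_principal: bool  # True when the writer is not the object itself


def _cn_of(dn: str) -> str:
    """Return the leading CN of a distinguished name, lower-cased."""
    m = re.match(r"CN=([^,]+)", dn, re.IGNORECASE)
    return m.group(1).lower() if m else ""


def is_self_write(subject: str, target_dn: str) -> bool:
    """Heuristic (assumption): a computer account writing its own
    KeyCredentialLink appears as subject 'NAME$' on an object with CN=NAME."""
    return subject.rstrip("$").lower() == _cn_of(target_dn)


def find_keycredential_writes(events):
    """Return a Finding for every 5136 record that adds a value to
    msDS-KeyCredentialLink; cross-principal writes are the ones to triage."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 5136:
            continue
        if ev.get("AttributeLDAPDisplayName", "").lower() != KEYCRED_ATTR:
            continue
        if ev.get("OperationType") != VALUE_ADDED:
            continue
        subject = ev.get("SubjectUserName", "")
        target = ev.get("ObjectDN", "")
        findings.append(Finding(subject, target, not is_self_write(subject, target)))
    return findings


# Constructed sample events (simplified; real 5136 records carry more fields).
SAMPLE_EVENTS = [
    {"EventID": 5136, "SubjectUserName": "jdoe",
     "ObjectDN": "CN=svc_backup,OU=Users,DC=corp,DC=example",
     "AttributeLDAPDisplayName": "msDS-KeyCredentialLink", "OperationType": VALUE_ADDED},
    {"EventID": 5136, "SubjectUserName": "admin01",
     "ObjectDN": "CN=jdoe,OU=Users,DC=corp,DC=example",
     "AttributeLDAPDisplayName": "description", "OperationType": VALUE_ADDED},
    {"EventID": 4624, "SubjectUserName": "jdoe"},
    {"EventID": 5136, "SubjectUserName": "WS01$",
     "ObjectDN": "CN=WS01,OU=Computers,DC=corp,DC=example",
     "AttributeLDAPDisplayName": "msDS-KeyCredentialLink", "OperationType": VALUE_ADDED},
]


if __name__ == "__main__":
    for f in find_keycredential_writes(SAMPLE_EVENTS):
        tag = "CROSS-PRINCIPAL" if f.cross_principal else "self-write"
        print(f"{tag}: {f.subject} -> {f.target_dn}")
```

Only the cross-principal write (jdoe writing svc_backup's attribute) is worth an alert; the computer account writing its own entry is the expected pattern and is kept in the output so the analyst can still see it.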

Privilege escalation

  • certipy: check whether the user you have at this point has Manage Certificates or Manage CA. If they have it, you can use certify to issue an Administrator certificate, which can then be used to leak the NTLM hash.
  • PEAS-ng: https://github.com/carlospolop/PEASS-ng
  • icacls: check file permissions