Exploit Notes
Exploit Notes

Exploits related to Windows

Active Directory

AD CS (Active Directory Certificate Services) Pentesting
AS-REP Roasting
Active Directory Pentesting
BloodHound SharpHound for Active Directory
Kerberos Pentesting
LAPS (Local Administrator Password Solution) Pentesting
LDAP (Lightweight Directory Access Protocol) Pentesting
NTLM (New Technology LAN Manager) Pentesting
Netlogon Elavasion of Privilege
SMB (Server Message Block) Pentesting

Protocol

MSRPC (Microsoft Remote Procedure Call) Pentesting
RDP (Remote Desktop Protocol) Pentesting
WinRM (Windows Remote Management) Pentesting

Privilege Escalation

Iperius Backup Service Privilege Escalation
Mimikatz
UAC Windows Privilege Escalation
Windows PrivEsc with Registry Keys
Windows PrivEsc with SeBackupPrivilege
Windows PrivEsc with Unquoted Service Path
Windows Privilege Escalation

Post Exploitation

Windows Pivoting

PowerShell

PowerShell
PowerView

Others

Dumping Windows Password Hashes
LocalPotato
Microsoft Outlook Message (.msg)
Microsoft Word Pentesting
Windows API
Windows Basic Features
Windows Disk Management
Windows Forensics
Windows Pivoting
Windows Print Spooler Service
Windows Remote Code Execution from Linux
Windows XML EventLog (EVTX)

MSRPC (Microsoft Remote Procedure Call) Pentesting

Last modified: 2023-02-08

Windows

It is also known as a function call or a subroutine call. Default ports are 135, 593.

Enumeration

nmap --script msrpc-enum -p 135 <target-ip>

# rpcdump
impacket-rpcdump -port 135 <target-ip>
# Find the Print System Remote Prototol or the Print System Asynchronous Remote Protocol
impacket-rpcdump -port 135 <target-ip> | grep -E 'MS-RPRN|MS-PAR'
# If we found them, we may can exploit with PrintNightmare.

# Metasploit
msfconsole
msf> use auxiliary/scanner/dcerpc/endpoint_mapper
msf> use auxiliary/scanner/dcerpc/hidden
msf> use auxiliary/scanner/dcerpc/management
msf> use auxiliary/scanner/dcerpc/tcp_dcerpc_auditor

Investigation

rpcinfo reports RPC information. If you don’t have it, install ‘rpcbind’ first to use the rpcinfo.

sudo apt install rpcbind

Run the following command.

rpcinfo -p <target-ip>

# NFS only
rpcinfo -p <target-ip> | grep nfs

Connect

# Anonymous logon
rpcclient -N -U "" <target-ip>
rpcclient -N -U "" -p 593 <target-ip>
rpcclient -N -U "" dc.example.local

# Specify username
# -W: Workgroup
# -N: No password
rpcclient -U username <target-ip>
rpcclient -W WORKGROUP -U username <target-ip>
rpcclient -U username -N <target-ip>

# -k: Kerberos
rpcclient -k <target-ip>

Commands

# Server info
rpcclient $> srvinfo

# Enumerate domains
rpcclient $> enumdomains
# Enumerate domain users
rpcclient $> enumdomusers
# Enumerate domain groups
rpcclient $> enumdomgroups

# Domain info
rpcclient $> querydominfo

# Current username
rpcclient $> getusername
Twitter GitHub

Tools by HDKS

Fuzzagotchi

Automatic web fuzzer.

aut0rec0n

Auto reconnaissance CLI.

Hash Cracker

Hash identifier.