Host enumeration

Client-Checker

Client-Checker is a PowerShell script that automates client checks on a Windows system. Run it as administrator, since some settings can only be queried with elevated rights.

It checks a client for common misconfigurations. The list of checks currently includes:

  • Default Domain Password Policy
  • LSA Protection Settings
  • WDAC Usage
  • AppLocker Usage
  • Credential Guard Settings
  • Co-installer Settings
  • DMA Protection Settings
  • BitLocker Settings
  • Secure Boot Settings
  • System PATH ACL checks
  • Unquoted Service Path checks
  • Always Install Elevated checks
  • UAC checks
  • Guest Account checks
  • System Tool access as low priv user checks
  • WSUS Settings
  • PowerShell Settings
  • IPv6 Settings
  • NetBIOS / LLMNR Settings / mDNS
  • SMB Server Settings
  • Firewall Settings
  • AV Settings
  • Proxy Settings
  • Windows Updates
  • 3rd Party Installations
  • RDP Settings
  • WinRM Settings
  • PrintNightmare checks
  • Recall checks
  • Autologon checks
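To show how a handful of the checks above work, here is an added example written for this note, not Client-Checker's own code. It reads the documented registry locations and CIM classes for LSA Protection, AlwaysInstallElevated, UAC, LLMNR, the Guest account and unquoted service paths, and returns one result object per check so the output can be piped or exported. It assumes PowerShell 5.1 or later (for Get-LocalUser and Get-CimInstance) and an elevated session for complete results.

```powershell
# Added example, not Client-Checker's code: a small audit implementing a few of the
# listed checks. Registry paths and CIM classes are the documented Windows locations.
# Run from an elevated PowerShell; some values are unreadable from a low-privilege shell.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Return $null when the key or value does not exist instead of throwing
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Test-LsaProtection {
    # RunAsPPL = 1 (or 2 on newer builds) means LSASS runs as a protected process
    $v = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' 'RunAsPPL'
    [pscustomobject]@{ Check = 'LSA Protection (RunAsPPL)'; Value = $v; Pass = ($v -in 1, 2) }
}

function Test-AlwaysInstallElevated {
    # Only a problem when BOTH the machine and the user policy value are 1
    $k = 'SOFTWARE\Policies\Microsoft\Windows\Installer'
    $m = Get-RegValue "HKLM:\$k" 'AlwaysInstallElevated'
    $u = Get-RegValue "HKCU:\$k" 'AlwaysInstallElevated'
    [pscustomobject]@{ Check = 'AlwaysInstallElevated'; Value = "HKLM=$m HKCU=$u"; Pass = -not ($m -eq 1 -and $u -eq 1) }
}

function Test-Uac {
    $p   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $lua = Get-RegValue $p 'EnableLUA'
    $cpb = Get-RegValue $p 'ConsentPromptBehaviorAdmin'
    # UAC must be on (EnableLUA=1) and admins must be prompted; 0 means "elevate without prompting"
    [pscustomobject]@{ Check = 'UAC'; Value = "EnableLUA=$lua ConsentPromptBehaviorAdmin=$cpb"; Pass = ($lua -eq 1 -and $cpb -ne 0) }
}

function Test-Llmnr {
    # EnableMulticast = 0 disables LLMNR; a missing value means the default (enabled)
    $v = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' 'EnableMulticast'
    [pscustomobject]@{ Check = 'LLMNR disabled'; Value = $v; Pass = ($v -eq 0) }
}

function Test-GuestAccount {
    # Match on the well-known RID 501 so a renamed Guest account is still found
    $g = Get-LocalUser | Where-Object { $_.SID -like 'S-1-5-21-*-501' }
    [pscustomobject]@{ Check = 'Guest account disabled'; Value = $g.Enabled; Pass = (-not $g.Enabled) }
}

function Get-UnquotedServicePath {
    # A service binary path containing a space but no surrounding quotes is resolved
    # ambiguously by the service control manager; services under \Windows\ are skipped.
    Get-CimInstance -ClassName Win32_Service |
        Where-Object {
            $_.PathName -and
            $_.PathName -notmatch '^"' -and
            $_.PathName -notmatch '^[A-Za-z]:\\Windows\\' -and
            ($_.PathName -split '\.exe')[0] -match ' '
        } |
        Select-Object Name, StartName, PathName
}

$results = @(Test-LsaProtection; Test-AlwaysInstallElevated; Test-Uac; Test-Llmnr; Test-GuestAccount)
$results | Format-Table -AutoSize
Get-UnquotedServicePath | Format-Table -AutoSize
```

Each Test-* function returns a Pass boolean next to the raw value it read, so a failing check shows what was actually configured rather than just a verdict; `$results | Where-Object { -not $_.Pass }` lists only the findings.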

WinPEAS

WinPEAS is the Windows member of PEAS, a suite of tools designed to identify local privilege escalation pathways on Windows, Linux, Unix-like, and macOS systems. These tools are provided in multiple formats, including batch scripts (.bat), PowerShell scripts (.ps1), and executables (.exe).

Seatbelt

Seatbelt.exe is part of the GhostPack suite of tools that performs many security checks on a Windows host and collects system data that can be useful for privilege escalation or persistence.

Example (run all checks; produces a lot of output):

```powershell
Seatbelt.exe -group=all -full
```

BloodyAD

Perform manual LDAP queries to a domain controller using bloodyAD. This tool is especially useful for running LDAP queries on a non-Windows system.

bloodyAD supports authentication using cleartext passwords, pass-the-hash, pass-the-ticket, or certificates and binds to LDAP services of a domain controller to perform AD privilege escalation.

```bash
# Usage example (pass-the-hash: the NT hash follows the colon)
bloodyAD --host 172.16.1.15 -d bloody.local -u jane.doe -p :70016778cb0524c799ac25b439bd6a31 set password john.doe 'Password123!'
```

SharpSCCM

SharpSCCM can be used for local enumeration on a Windows host to retrieve Microsoft Endpoint Configuration Manager (formerly SCCM) configuration details via WMI (for example the management point endpoint and site code). The enumeration part is done via WMI, so we can use either SharpSCCM or the WMI interface.

```powershell
# SharpSCCM
SharpSCCM.exe local site-info --no-banner

# WMI
Get-WmiObject -Class SMS_Authority -Namespace root\CCM | select Name, CurrentManagementPoint | fl
```

We can also check which principals have GenericAll permissions on the CN=System Management container. These are likely the systems used to set up or configure SCCM in the first place, since those rights are required to set up SCCM:

```powershell
SharpSCCM.exe get site-info -d mydomain --no-banner
```

If we want to list containers which are readable by a specific user, we need to run the query as that user, due to SCCM’s RBAC model.
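The same two lookups can be done without SharpSCCM. The following is an added example, not SharpSCCM's or Microsoft's code: it reads SMS_Authority through CIM and then lists every principal whose ACE on the CN=System Management container grants the full GenericAll mask, which is the audit described above. It assumes the RSAT ActiveDirectory module is installed (it provides the AD: drive that Get-Acl uses) and that the caller is allowed to read the container's security descriptor; the -DomainDn parameter is a name chosen here, not a SharpSCCM option.

```powershell
# Added example, not SharpSCCM's own code. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Get-LocalSccmSiteInfo {
    # Same data as the Get-WmiObject line above, via the CIM cmdlets
    Get-CimInstance -Namespace root\CCM -ClassName SMS_Authority -ErrorAction SilentlyContinue |
        Select-Object Name, CurrentManagementPoint
}

function Get-SystemManagementFullControl {
    param(
        # Distinguished name of the domain; defaults to the current user's domain
        [string]$DomainDn = (Get-ADDomain).DistinguishedName
    )
    $containerDn = "CN=System Management,CN=System,$DomainDn"
    $full = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

    # The AD: PSDrive comes from the ActiveDirectory module, so Get-Acl accepts the DN
    $acl = Get-Acl -Path "AD:\$containerDn"

    # Keep only Allow ACEs whose rights include the whole GenericAll mask;
    # a plain -band test would also match partial rights such as ReadProperty
    $acl.Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            (($_.ActiveDirectoryRights -band $full) -eq $full)
        } |
        Select-Object IdentityReference, ActiveDirectoryRights, IsInherited |
        Sort-Object IdentityReference
}

Get-LocalSccmSiteInfo
Get-SystemManagementFullControl | Format-Table -AutoSize
```

Expect the site server computer accounts (and the usual administrative groups) in the result; any other principal with full control over the container is worth explaining, because that right is what allows site information to be published to AD.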