Windows Kernel Exploits

The document discusses methods for discovering missing patches on Windows systems that could enable privilege escalation attacks. It describes using the wmic command to enumerate installed patches, and tools like Metasploit, Nessus scans, and the Windows Exploit Suggester to check for missing patches related to privilege escalation vulnerabilities.

Penetration Testing Lab

Articles from the Pentesting Field
Windows Kernel Exploits

April 24, 2017 | netbiosX | Privilege Escalation | Kernel, Local Exploits, Patches, Vulnerabilities, Windows | 5 Comments

Windows systems are by default affected by several vulnerabilities that could allow an attacker to execute malicious code in order to abuse a system. On the other side, patching systems sufficiently is one of the main problems in security. Even if an organization has a patching policy in place, if important patches are not implemented immediately this can still give an attacker a short window to exploit a vulnerability and escalate his privileges inside a system, and therefore inside the network.

This article will discuss how to identify missing patches related to privilege escalation and the necessary code to exploit the issue.

Discovery of Missing Patches

The discovery of missing patches can be done easily either through manual or automatic methods. Manually, this can be done by executing the following command, which will enumerate all the installed patches:

wmic qfe get Caption,Description,HotFixID,InstalledOn

The output will be similar to this:

Enumeration of Installed Patches

The HotFixID can be used in correlation with the table below in order to discover any missing patches related to privilege escalation. As the focus is on privilege escalation, the command can be modified slightly to discover patches based on the KB number:

wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr

Alternatively this can be done automatically via Metasploit, a credentialed Nessus scan, or via a custom script that will look for missing patches related to privilege escalation.

Metasploit

There is a Metasploit module which can quickly identify any missing patches based on the Knowledge Base number, and specifically patches for which there is a Metasploit module:

post/windows/gather/enum_patches
Metasploit – Patches Enumeration
Windows Exploit Suggester

Gotham Digital Security released a tool with the name Windows Exploit Suggester which compares the patch level of a system against the Microsoft vulnerability database and can be used to identify those exploits that could lead to privilege escalation. The only requirement is the system information from the target.

Windows Exploit Suggester

PowerShell

There is also a PowerShell script which aims to identify patches that can lead to privilege escalation. This script is called Sherlock and it will check a system for the following:

MS10-015 : User Mode to Ring (KiTrap0D)
MS10-092 : Task Scheduler
MS13-053 : NTUserMessageCall Win32k Kernel Pool Overflow
MS13-081 : TrackPopupMenuEx Win32k NULL Page
MS14-058 : TrackPopupMenu Win32k Null Pointer Dereference
MS15-051 : ClientCopyImage Win32k
MS15-078 : Font Driver Buffer Overflow
MS16-016 : ‘mrxdav.sys’ WebDAV
MS16-032 : Secondary Logon Handle
CVE-2017-7199 : Nessus Agent 6.6.2 – 6.10.3 Priv Esc

The output of this tool can be seen below:
Sherlock – Missing Patches
Sherlock – Identification of Privilege Escalation Patches


Privilege Escalation Table

The following table has been compiled to assist in the process of privilege escalation due to lack of sufficient patching.

| Operating System | Description | Security Bulletin | KB | Exploit |
|---|---|---|---|---|
| Windows Server 2016 | Windows Kernel Mode Drivers | MS16-135 | 3199135 | Exploit, GitHub |
| Windows Server 2008, 7, 8, 10, Windows Server 2012 | Secondary Logon Handle | MS16-032 | 3143141 | GitHub, ExploitDB, Metasploit |
| Windows Server 2008, Vista, 7 | WebDAV | MS16-016 | 3136041 | GitHub |
| Windows Server 2003, Windows Server 2008, Windows 7, Windows 8, Windows 2012 | Windows Kernel Mode Drivers | MS15-051 | 3057191 | GitHub, ExploitDB, Metasploit |
| Windows Server 2003, Windows Server 2008, Windows Server 2012, 7, 8 | Win32k.sys | MS14-058 | 3000061 | GitHub, ExploitDB, Metasploit |
| Windows Server 2003, Windows Server 2008, 7, 8, Windows Server 2012 | AFD Driver | MS14-040 | 2975684 | Python, EXE, ExploitDB, GitHub |
| Windows XP, Windows Server 2003 | Windows Kernel | MS14-002 | 2914368 | Metasploit |
| Windows Server 2003, Windows Server 2008, 7, 8, Windows Server 2012 | Kernel Mode Driver | MS13-005 | 2778930 | Metasploit, ExploitDB, GitHub |
| Windows Server 2008, 7 | Task Scheduler | MS10-092 | 2305420 | Metasploit, ExploitDB |
| Windows Server 2003, Windows Server 2008, 7, XP | KiTrap0D | MS10-015 | 977165 | Exploit, ExploitDB, GitHub, Metasploit |
| Windows Server 2003, XP | NDProxy | MS14-002 | 2914368 | Exploit, ExploitDB, ExploitDB, GitHub |
| Windows Server 2003, Windows Server 2008, 7, 8, Windows Server 2012 | Kernel Driver | MS15-061 | 3057839 | GitHub |
| Windows Server 2003, XP | AFD.sys | MS11-080 | 2592799 | EXE, Metasploit, ExploitDB |
| Windows Server 2003, XP | NDISTAPI | MS11-062 | 2566454 | ExploitDB |
| Windows Server 2003, Windows Server 2008, 7, 8, Windows Server 2012 | RPC | MS15-076 | 3067505 | GitHub |
| Windows Server 2003, Windows Server 2008, 7, 8, Windows Server 2012 | Hot Potato | MS16-075 | 3164038 | GitHub, PowerShell, HotPotato |
| Windows Server 2003, Windows Server 2008, 7, XP | Kernel Driver | MS15-010 | 3036220 | GitHub, ExploitDB |
| Windows Server 2003, Windows Server 2008, 7, XP | AFD.sys | MS11-046 | 2503665 | EXE, ExploitDB |

5 Comments

net
Apr 25, 2017 @ 11:38:11

This is so helpful, I wish you could add Linux exploits too.

netbiosX
Apr 25, 2017 @ 11:41:40

Thank you! I am planning to do the same at some point for Unix systems as well.

Summary of Windows Privilege Escalation Approaches – MoKirinSec
Apr 27, 2017 @ 08:37:21

Half-Month Security Watch 2017 Issue 6 – 安全0day
Apr 28, 2017 @ 10:38:12

Windows privilege escalation – /dayvan-blog
May 24, 2017 @ 21:32:53

Blog at WordPress.com.