2024-04-06 18:35:30 +00:00
# Checklist - Local Windows Privilege Escalation
2022-04-28 16:01:33 +00:00
2024-07-19 16:12:26 +00:00
{% hint style="success" %}
Impara e pratica Hacking AWS:< img src = "/.gitbook/assets/arte.png" alt = "" data-size = "line" > [**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)< img src = "/.gitbook/assets/arte.png" alt = "" data-size = "line" > \
Impara e pratica Hacking GCP: < img src = "/.gitbook/assets/grte.png" alt = "" data-size = "line" > [**HackTricks Training GCP Red Team Expert (GRTE)**< img src = "/.gitbook/assets/grte.png" alt = "" data-size = "line" > ](https://training.hacktricks.xyz/courses/grte)
2022-04-28 16:01:33 +00:00
2024-07-19 16:12:26 +00:00
< details >
2022-04-28 16:01:33 +00:00
2024-07-19 16:12:26 +00:00
< summary > Supporta HackTricks< / summary >
2022-04-28 16:01:33 +00:00
2024-07-19 16:12:26 +00:00
* Controlla i [**piani di abbonamento** ](https://github.com/sponsors/carlospolop )!
* **Unisciti al** 💬 [**gruppo Discord** ](https://discord.gg/hRep4RUj7f ) o al [**gruppo telegram** ](https://t.me/peass ) o **seguici** su **Twitter** 🐦 [**@hacktricks\_live** ](https://twitter.com/hacktricks\_live )**.**
* **Condividi trucchi di hacking inviando PR ai** [**HackTricks** ](https://github.com/carlospolop/hacktricks ) e [**HackTricks Cloud** ](https://github.com/carlospolop/hacktricks-cloud ) repos di github.
2022-04-28 16:01:33 +00:00
< / details >
2024-07-19 16:12:26 +00:00
{% endhint %}
2022-04-28 16:01:33 +00:00
2024-03-14 23:33:40 +00:00
**Try Hard Security Group**
2024-04-06 18:35:30 +00:00
< figure > < img src = "../.gitbook/assets/telegram-cloud-document-1-5159108904864449420.jpg" alt = "" > < figcaption > < / figcaption > < / figure >
2024-03-14 23:33:40 +00:00
{% embed url="https://discord.gg/tryhardsecurity" %}
***
2024-02-15 12:03:49 +00:00
### **Miglior strumento per cercare vettori di escalation dei privilegi locali di Windows:** [**WinPEAS**](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS)
2022-04-28 16:01:33 +00:00
2024-02-10 13:03:23 +00:00
### [Informazioni di sistema](windows-local-privilege-escalation/#system-info)
2020-07-15 15:43:14 +00:00
2024-07-19 16:12:26 +00:00
* [ ] Ottieni [**informazioni di sistema** ](windows-local-privilege-escalation/#system-info )
* [ ] Cerca **exploit del kernel** [**utilizzando script** ](windows-local-privilege-escalation/#version-exploits )
* [ ] Usa **Google per cercare** exploit del kernel
* [ ] Usa **searchsploit per cercare** exploit del kernel
* [ ] Informazioni interessanti in [**variabili d'ambiente** ](windows-local-privilege-escalation/#environment )?
* [ ] Password nella [**cronologia di PowerShell** ](windows-local-privilege-escalation/#powershell-history )?
* [ ] Informazioni interessanti nelle [**impostazioni di Internet** ](windows-local-privilege-escalation/#internet-settings )?
2024-02-10 13:03:23 +00:00
* [ ] [**Unità** ](windows-local-privilege-escalation/#drives )?
* [ ] [**Exploit WSUS** ](windows-local-privilege-escalation/#wsus )?
2024-04-06 18:35:30 +00:00
* [ ] [**AlwaysInstallElevated** ](windows-local-privilege-escalation/#alwaysinstallelevated )?
2020-07-15 15:43:14 +00:00
2024-07-19 16:12:26 +00:00
### [Enumerazione di Logging/AV](windows-local-privilege-escalation/#enumeration)
2020-07-15 15:43:14 +00:00
2024-07-19 16:12:26 +00:00
* [ ] Controlla le impostazioni di [**Audit** ](windows-local-privilege-escalation/#audit-settings ) e [**WEF** ](windows-local-privilege-escalation/#wef )
* [ ] Controlla [**LAPS** ](windows-local-privilege-escalation/#laps )
* [ ] Controlla se [**WDigest** ](windows-local-privilege-escalation/#wdigest ) è attivo
2024-02-10 13:03:23 +00:00
* [ ] [**Protezione LSA** ](windows-local-privilege-escalation/#lsa-protection )?
2024-07-19 16:12:26 +00:00
* [ ] [**Credentials Guard** ](windows-local-privilege-escalation/#credentials-guard )[? ](windows-local-privilege-escalation/#cached-credentials )
2024-02-15 12:03:49 +00:00
* [ ] [**Credenziali memorizzate** ](windows-local-privilege-escalation/#cached-credentials )?
2024-07-19 16:12:26 +00:00
* [ ] Controlla se ci sono [**AV** ](https://github.com/carlospolop/hacktricks/blob/master/windows-hardening/windows-av-bypass/README.md )
* [ ] [**Politica AppLocker** ](https://github.com/carlospolop/hacktricks/blob/master/windows-hardening/authentication-credentials-uac-and-efs/README.md#applocker-policy )?
* [ ] [**UAC** ](https://github.com/carlospolop/hacktricks/blob/master/windows-hardening/authentication-credentials-uac-and-efs/uac-user-account-control/README.md )
* [ ] [**Privilegi utente** ](windows-local-privilege-escalation/#users-and-groups )
* [ ] Controlla i [**privilegi**] dell'utente [**corrente** ](windows-local-privilege-escalation/#users-and-groups )
2024-04-06 18:35:30 +00:00
* [ ] Sei [**membro di qualche gruppo privilegiato** ](windows-local-privilege-escalation/#privileged-groups )?
2024-07-19 16:12:26 +00:00
* [ ] Controlla se hai [alcuni di questi token abilitati ](windows-local-privilege-escalation/#token-manipulation ): **SeImpersonatePrivilege, SeAssignPrimaryPrivilege, SeTcbPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeCreateTokenPrivilege, SeLoadDriverPrivilege, SeTakeOwnershipPrivilege, SeDebugPrivilege** ?
2024-04-06 18:35:30 +00:00
* [ ] [**Sessioni utenti** ](windows-local-privilege-escalation/#logged-users-sessions )?
2024-07-19 16:12:26 +00:00
* [ ] Controlla [**le home degli utenti** ](windows-local-privilege-escalation/#home-folders ) (accesso?)
* [ ] Controlla la [**Politica delle password** ](windows-local-privilege-escalation/#password-policy )
* [ ] Cosa c'è [**dentro il Clipboard** ](windows-local-privilege-escalation/#get-the-content-of-the-clipboard )?
2024-02-15 12:03:49 +00:00
2024-03-14 23:33:40 +00:00
### [Rete](windows-local-privilege-escalation/#network)
2024-02-15 12:03:49 +00:00
2024-07-19 16:12:26 +00:00
* [ ] Controlla le [**informazioni di rete** ](windows-local-privilege-escalation/#network ) **correnti**
* [ ] Controlla i **servizi locali nascosti** riservati all'esterno
2024-02-15 12:03:49 +00:00
2024-03-14 23:33:40 +00:00
### [Processi in esecuzione](windows-local-privilege-escalation/#running-processes)
2024-02-15 12:03:49 +00:00
2024-07-19 16:12:26 +00:00
* [ ] Permessi sui [**file e cartelle dei processi** ](windows-local-privilege-escalation/#file-and-folder-permissions )
* [ ] [**Estrazione password dalla memoria** ](windows-local-privilege-escalation/#memory-password-mining )
* [ ] [**App GUI insicure** ](windows-local-privilege-escalation/#insecure-gui-apps )
* [ ] Ruba credenziali con **processi interessanti** tramite `ProcDump.exe` ? (firefox, chrome, ecc ...)
2024-02-15 12:03:49 +00:00
2024-03-14 23:33:40 +00:00
### [Servizi](windows-local-privilege-escalation/#services)
2024-02-15 12:03:49 +00:00
2024-07-19 16:12:26 +00:00
* [ ] [Puoi **modificare qualche servizio**? ](windows-local-privilege-escalation/#permissions )
* [ ] [Puoi **modificare** il **binario** che viene **eseguito** da qualche **servizio**? ](windows-local-privilege-escalation/#modify-service-binary-path )
* [ ] [Puoi **modificare** il **registro** di qualche **servizio**? ](windows-local-privilege-escalation/#services-registry-modify-permissions )
* [ ] [Puoi approfittare di qualche **percorso di binario di servizio non quotato**? ](windows-local-privilege-escalation/#unquoted-service-paths )
2020-07-15 15:43:14 +00:00
2024-02-10 13:03:23 +00:00
### [**Applicazioni**](windows-local-privilege-escalation/#applications)
2020-08-18 15:38:51 +00:00
2024-07-19 16:12:26 +00:00
* [ ] **Scrivi** [**permessi sulle applicazioni installate** ](windows-local-privilege-escalation/#write-permissions )
* [ ] [**Applicazioni di avvio** ](windows-local-privilege-escalation/#run-at-startup )
* [ ] **Driver vulnerabili** [**Drivers** ](windows-local-privilege-escalation/#drivers )
2024-04-06 18:35:30 +00:00
2024-03-14 23:33:40 +00:00
### [DLL Hijacking](windows-local-privilege-escalation/#path-dll-hijacking)
2020-08-18 15:38:51 +00:00
2024-07-19 16:12:26 +00:00
* [ ] Puoi **scrivere in qualche cartella dentro PATH** ?
* [ ] C'è qualche binario di servizio noto che **cerca di caricare qualche DLL non esistente** ?
* [ ] Puoi **scrivere** in qualche **cartella di binari** ?
2020-07-15 15:43:14 +00:00
2024-02-15 12:03:49 +00:00
### [Rete](windows-local-privilege-escalation/#network)
2020-07-15 15:43:14 +00:00
2024-07-19 16:12:26 +00:00
* [ ] Enumera la rete (condivisioni, interfacce, rotte, vicini, ...)
* [ ] Fai particolare attenzione ai servizi di rete in ascolto su localhost (127.0.0.1)
2020-08-19 09:14:23 +00:00
2024-07-19 16:12:26 +00:00
### [Credenziali di Windows](windows-local-privilege-escalation/#windows-credentials)
2020-08-19 09:14:23 +00:00
2024-03-14 23:33:40 +00:00
* [ ] Credenziali di [**Winlogon** ](windows-local-privilege-escalation/#winlogon-credentials )
2024-07-19 16:12:26 +00:00
* [ ] Credenziali di [**Windows Vault** ](windows-local-privilege-escalation/#credentials-manager-windows-vault ) che potresti usare?
* [ ] Credenziali [**DPAPI** ](windows-local-privilege-escalation/#dpapi ) interessanti?
2024-03-14 23:33:40 +00:00
* [ ] Password delle [**reti Wifi salvate** ](windows-local-privilege-escalation/#wifi )?
* [ ] Informazioni interessanti nelle [**connessioni RDP salvate** ](windows-local-privilege-escalation/#saved-rdp-connections )?
2024-07-19 16:12:26 +00:00
* [ ] Password nei [**comandi eseguiti di recente** ](windows-local-privilege-escalation/#recently-run-commands )?
* [ ] Password nel [**Remote Desktop Credentials Manager** ](windows-local-privilege-escalation/#remote-desktop-credential-manager )?
* [ ] Esiste [**AppCmd.exe** ](windows-local-privilege-escalation/#appcmd-exe )? Credenziali?
* [ ] [**SCClient.exe** ](windows-local-privilege-escalation/#scclient-sccm )? DLL Side Loading?
2020-07-15 15:43:14 +00:00
2024-02-10 13:03:23 +00:00
### [File e Registro (Credenziali)](windows-local-privilege-escalation/#files-and-registry-credentials)
2020-07-15 15:43:14 +00:00
2024-07-19 16:12:26 +00:00
* [ ] **Putty:** [**Credenziali** ](windows-local-privilege-escalation/#putty-creds ) **e** [**chiavi host SSH** ](windows-local-privilege-escalation/#putty-ssh-host-keys )
2024-03-14 23:33:40 +00:00
* [ ] [**Chiavi SSH nel registro** ](windows-local-privilege-escalation/#ssh-keys-in-registry )?
2024-07-19 16:12:26 +00:00
* [ ] Password in [**file non presidiati** ](windows-local-privilege-escalation/#unattended-files )?
* [ ] Qualche backup di [**SAM & SYSTEM** ](windows-local-privilege-escalation/#sam-and-system-backups )?
2024-03-14 23:33:40 +00:00
* [ ] [**Credenziali cloud** ](windows-local-privilege-escalation/#cloud-credentials )?
* [ ] File [**McAfee SiteList.xml** ](windows-local-privilege-escalation/#mcafee-sitelist.xml )?
2024-07-19 16:12:26 +00:00
* [ ] [**Password GPP memorizzate** ](windows-local-privilege-escalation/#cached-gpp-pasword )?
* [ ] Password nel [**file di configurazione IIS Web** ](windows-local-privilege-escalation/#iis-web-config )?
2024-03-24 12:26:19 +00:00
* [ ] Informazioni interessanti nei [**log web** ](windows-local-privilege-escalation/#logs )?
2024-07-19 16:12:26 +00:00
* [ ] Vuoi [**chiedere credenziali** ](windows-local-privilege-escalation/#ask-for-credentials ) all'utente?
* [ ] File [**interessanti dentro il Cestino** ](windows-local-privilege-escalation/#credentials-in-the-recyclebin )?
2024-03-24 12:26:19 +00:00
* [ ] Altro [**registro contenente credenziali** ](windows-local-privilege-escalation/#inside-the-registry )?
2024-07-19 16:12:26 +00:00
* [ ] Dentro i [**dati del browser** ](windows-local-privilege-escalation/#browsers-history ) (db, cronologia, segnalibri, ...)?
* [ ] [**Ricerca generica di password** ](windows-local-privilege-escalation/#generic-password-search-in-files-and-registry ) in file e registro
* [ ] [**Strumenti** ](windows-local-privilege-escalation/#tools-that-search-for-passwords ) per cercare automaticamente password
2020-07-15 15:43:14 +00:00
2024-07-19 16:12:26 +00:00
### [Leaked Handlers](windows-local-privilege-escalation/#leaked-handlers)
2020-07-15 15:43:14 +00:00
2024-07-19 16:12:26 +00:00
* [ ] Hai accesso a qualche gestore di un processo eseguito da amministratore?
2020-07-15 15:43:14 +00:00
2024-07-19 16:12:26 +00:00
### [Pipe Client Impersonation](windows-local-privilege-escalation/#named-pipe-client-impersonation)
2020-07-15 15:43:14 +00:00
2024-07-19 16:12:26 +00:00
* [ ] Controlla se puoi abusarne
2022-04-28 16:01:33 +00:00
2024-03-14 23:33:40 +00:00
**Try Hard Security Group**
2024-04-06 18:35:30 +00:00
< figure > < img src = "../.gitbook/assets/telegram-cloud-document-1-5159108904864449420.jpg" alt = "" > < figcaption > < / figcaption > < / figure >
2024-03-14 23:33:40 +00:00
{% embed url="https://discord.gg/tryhardsecurity" %}
2024-07-19 16:12:26 +00:00
{% hint style="success" %}
Impara e pratica Hacking AWS:< img src = "/.gitbook/assets/arte.png" alt = "" data-size = "line" > [**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)< img src = "/.gitbook/assets/arte.png" alt = "" data-size = "line" > \
Impara e pratica Hacking GCP: < img src = "/.gitbook/assets/grte.png" alt = "" data-size = "line" > [**HackTricks Training GCP Red Team Expert (GRTE)**< img src = "/.gitbook/assets/grte.png" alt = "" data-size = "line" > ](https://training.hacktricks.xyz/courses/grte)
2022-04-28 16:01:33 +00:00
2024-07-19 16:12:26 +00:00
< details >
2022-04-28 16:01:33 +00:00
2024-07-19 16:12:26 +00:00
< summary > Supporta HackTricks< / summary >
2022-04-28 16:01:33 +00:00
2024-07-19 16:12:26 +00:00
* Controlla i [**piani di abbonamento** ](https://github.com/sponsors/carlospolop )!
* **Unisciti al** 💬 [**gruppo Discord** ](https://discord.gg/hRep4RUj7f ) o al [**gruppo telegram** ](https://t.me/peass ) o **seguici** su **Twitter** 🐦 [**@hacktricks\_live** ](https://twitter.com/hacktricks\_live )**.**
* **Condividi trucchi di hacking inviando PR ai** [**HackTricks** ](https://github.com/carlospolop/hacktricks ) e [**HackTricks Cloud** ](https://github.com/carlospolop/hacktricks-cloud ) repos di github.
2022-04-28 16:01:33 +00:00
< / details >
2024-07-19 16:12:26 +00:00
{% endhint %}