mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-26 22:52:06 +00:00
Translated ['windows-hardening/checklist-windows-privilege-escalation.md
This commit is contained in:
parent
9ce925dedc
commit
a332e35a8c
1 changed files with 51 additions and 50 deletions
|
@ -2,14 +2,14 @@
|
||||||
|
|
||||||
<details>
|
<details>
|
||||||
|
|
||||||
<summary><strong>从零开始学习AWS黑客技术,成为专家</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE(HackTricks AWS红队专家)</strong></a><strong>!</strong></summary>
|
<summary><strong>从零开始学习AWS黑客技术,成为专家</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE(HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||||||
|
|
||||||
支持HackTricks的其他方式:
|
支持HackTricks的其他方式:
|
||||||
|
|
||||||
* 如果您想看到您的**公司在HackTricks中做广告**或**下载PDF格式的HackTricks**,请查看[**订阅计划**](https://github.com/sponsors/carlospolop)!
|
* 如果您想看到您的**公司在HackTricks中做广告**或**下载PDF格式的HackTricks**,请查看[**订阅计划**](https://github.com/sponsors/carlospolop)!
|
||||||
* 获取[**官方PEASS和HackTricks周边产品**](https://peass.creator-spring.com)
|
* 获取[**官方PEASS & HackTricks周边产品**](https://peass.creator-spring.com)
|
||||||
* 探索[**PEASS家族**](https://opensea.io/collection/the-peass-family),我们的独家[NFT](https://opensea.io/collection/the-peass-family)收藏品
|
* 探索[**PEASS家族**](https://opensea.io/collection/the-peass-family),我们的独家[NFTs](https://opensea.io/collection/the-peass-family)收藏品
|
||||||
* **加入** 💬 [**Discord群**](https://discord.gg/hRep4RUj7f) 或 [**电报群**](https://t.me/peass) 或在**Twitter**上关注我们 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**。**
|
* **加入** 💬 [**Discord群**](https://discord.gg/hRep4RUj7f) 或 [**电报群**](https://t.me/peass) 或 **关注**我们的**Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**。**
|
||||||
* 通过向[**HackTricks**](https://github.com/carlospolop/hacktricks)和[**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github仓库提交PR来分享您的黑客技巧。
|
* 通过向[**HackTricks**](https://github.com/carlospolop/hacktricks)和[**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github仓库提交PR来分享您的黑客技巧。
|
||||||
|
|
||||||
</details>
|
</details>
|
||||||
|
@ -22,9 +22,9 @@
|
||||||
* [ ] 使用脚本搜索**内核**[**漏洞**](windows-local-privilege-escalation/#version-exploits)
|
* [ ] 使用脚本搜索**内核**[**漏洞**](windows-local-privilege-escalation/#version-exploits)
|
||||||
* [ ] 使用**Google搜索**内核**漏洞**
|
* [ ] 使用**Google搜索**内核**漏洞**
|
||||||
* [ ] 使用**searchsploit搜索**内核**漏洞**
|
* [ ] 使用**searchsploit搜索**内核**漏洞**
|
||||||
* [ ] [**环境变量**](windows-local-privilege-escalation/#environment)中有有趣的信息吗?
|
* [ ] [**环境变量**](windows-local-privilege-escalation/#environment)中有趣的信息?
|
||||||
* [ ] [**PowerShell历史记录**](windows-local-privilege-escalation/#powershell-history)中有密码吗?
|
* [ ] [**PowerShell历史记录**](windows-local-privilege-escalation/#powershell-history)中的密码?
|
||||||
* [ ] [**Internet设置**](windows-local-privilege-escalation/#internet-settings)中有有趣的信息吗?
|
* [ ] [**Internet设置**](windows-local-privilege-escalation/#internet-settings)中有趣的信息?
|
||||||
* [ ] [**驱动器**](windows-local-privilege-escalation/#drives)?
|
* [ ] [**驱动器**](windows-local-privilege-escalation/#drives)?
|
||||||
* [ ] [**WSUS漏洞**](windows-local-privilege-escalation/#wsus)?
|
* [ ] [**WSUS漏洞**](windows-local-privilege-escalation/#wsus)?
|
||||||
* [**AlwaysInstallElevated**](windows-local-privilege-escalation/#alwaysinstallelevated)?
|
* [**AlwaysInstallElevated**](windows-local-privilege-escalation/#alwaysinstallelevated)?
|
||||||
|
@ -33,19 +33,19 @@
|
||||||
|
|
||||||
* [ ] 检查[**审计**](windows-local-privilege-escalation/#audit-settings)和[**WEF**](windows-local-privilege-escalation/#wef)设置
|
* [ ] 检查[**审计**](windows-local-privilege-escalation/#audit-settings)和[**WEF**](windows-local-privilege-escalation/#wef)设置
|
||||||
* [ ] 检查[**LAPS**](windows-local-privilege-escalation/#laps)
|
* [ ] 检查[**LAPS**](windows-local-privilege-escalation/#laps)
|
||||||
* [ ] 检查[**WDigest**](windows-local-privilege-escalation/#wdigest)是否激活
|
* 检查[**WDigest**](windows-local-privilege-escalation/#wdigest)是否激活
|
||||||
* [ ] [**LSA保护**](windows-local-privilege-escalation/#lsa-protection)?
|
* [**LSA保护**](windows-local-privilege-escalation/#lsa-protection)?
|
||||||
* [ ] [**凭据保护**](windows-local-privilege-escalation/#credentials-guard)[?](windows-local-privilege-escalation/#cached-credentials)
|
* [**凭据保护**](windows-local-privilege-escalation/#credentials-guard)[?](windows-local-privilege-escalation/#cached-credentials)
|
||||||
* [ ] [**缓存凭据**](windows-local-privilege-escalation/#cached-credentials)?
|
* [**缓存凭据**](windows-local-privilege-escalation/#cached-credentials)?
|
||||||
* [ ] 检查是否有任何[**AV**](windows-av-bypass)
|
* 检查是否有任何[**AV**](windows-av-bypass)
|
||||||
* [ ] [**AppLocker策略**](authentication-credentials-uac-and-efs#applocker-policy)?
|
* [**AppLocker策略**](authentication-credentials-uac-and-efs#applocker-policy)?
|
||||||
* [**UAC**](authentication-credentials-uac-and-efs/uac-user-account-control)?
|
* [**UAC**](authentication-credentials-uac-and-efs/uac-user-account-control)?
|
||||||
* [**用户权限**](windows-local-privilege-escalation/#users-and-groups)?
|
* [**用户权限**](windows-local-privilege-escalation/#users-and-groups)?
|
||||||
* 检查[**当前**用户**权限**](windows-local-privilege-escalation/#users-and-groups)
|
* 检查[**当前用户的**权限](windows-local-privilege-escalation/#users-and-groups)?
|
||||||
* 您是[**任何特权组的成员**](windows-local-privilege-escalation/#privileged-groups)吗?
|
* 您是否是[**任何特权组的成员**](windows-local-privilege-escalation/#privileged-groups)?
|
||||||
* 检查是否启用了以下任何一个令牌:**SeImpersonatePrivilege, SeAssignPrimaryPrivilege, SeTcbPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeCreateTokenPrivilege, SeLoadDriverPrivilege, SeTakeOwnershipPrivilege, SeDebugPrivilege**?
|
* 检查是否启用了以下任何令牌](windows-local-privilege-escalation/#token-manipulation): **SeImpersonatePrivilege, SeAssignPrimaryPrivilege, SeTcbPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeCreateTokenPrivilege, SeLoadDriverPrivilege, SeTakeOwnershipPrivilege, SeDebugPrivilege** ?
|
||||||
* [**用户会话**](windows-local-privilege-escalation/#logged-users-sessions)?
|
* [**用户会话**](windows-local-privilege-escalation/#logged-users-sessions)?
|
||||||
* 检查[**用户主目录**](windows-local-privilege-escalation/#home-folders)(访问权限)?
|
* 检查[**用户主目录**](windows-local-privilege-escalation/#home-folders)(访问?)
|
||||||
* 检查[**密码策略**](windows-local-privilege-escalation/#password-policy)?
|
* 检查[**密码策略**](windows-local-privilege-escalation/#password-policy)?
|
||||||
* [**剪贴板**](windows-local-privilege-escalation/#get-the-content-of-the-clipboard)中有什么?
|
* [**剪贴板**](windows-local-privilege-escalation/#get-the-content-of-the-clipboard)中有什么?
|
||||||
|
|
||||||
|
@ -56,20 +56,21 @@
|
||||||
|
|
||||||
### [运行进程](windows-local-privilege-escalation/#running-processes)
|
### [运行进程](windows-local-privilege-escalation/#running-processes)
|
||||||
|
|
||||||
* 进程二进制文件和文件夹权限[**文件和文件夹权限**](windows-local-privilege-escalation/#file-and-folder-permissions)
|
* 进程二进制文件和文件夹权限](windows-local-privilege-escalation/#file-and-folder-permissions)
|
||||||
* [**内存密码挖掘**](windows-local-privilege-escalation/#memory-password-mining)
|
* [**内存密码挖掘**](windows-local-privilege-escalation/#memory-password-mining)
|
||||||
* [**不安全的GUI应用程序**](windows-local-privilege-escalation/#insecure-gui-apps)
|
* [**不安全的GUI应用程序**](windows-local-privilege-escalation/#insecure-gui-apps)
|
||||||
|
* 通过`ProcDump.exe`窃取**有趣进程**的凭据?(firefox,chrome等...)
|
||||||
|
|
||||||
### [服务](windows-local-privilege-escalation/#services)
|
### [服务](windows-local-privilege-escalation/#services)
|
||||||
|
|
||||||
* [您能否**修改任何服务**?](windows-local-privilege-escalation#permissions)
|
* [您能否**修改任何服务**?](windows-local-privilege-escalation#permissions)
|
||||||
* [您能否**修改**任何**服务**执行的**二进制文件**?](windows-local-privilege-escalation/#modify-service-binary-path)
|
* [您能否**修改**任何**服务**执行的**二进制文件**?](windows-local-privilege-escalation/#modify-service-binary-path)
|
||||||
* [您能否**修改**任何**服务**的**注册表**?](windows-local-privilege-escalation/#services-registry-modify-permissions)
|
* [您能否**修改**任何**服务**的**注册表**?](windows-local-privilege-escalation/#services-registry-modify-permissions)
|
||||||
* 您能否利用任何**未加引号的服务**二进制**路径**?](windows-local-privilege-escalation/#unquoted-service-paths)
|
* [您能否利用任何**未加引号的服务**二进制**路径**?](windows-local-privilege-escalation/#unquoted-service-paths)
|
||||||
|
|
||||||
### [**应用程序**](windows-local-privilege-escalation/#applications)
|
### [**应用程序**](windows-local-privilege-escalation/#applications)
|
||||||
|
|
||||||
* 安装应用程序的[**写入权限**](windows-local-privilege-escalation/#write-permissions)
|
* **写入**[**已安装应用程序的权限**](windows-local-privilege-escalation/#write-permissions)
|
||||||
* [**启动应用程序**](windows-local-privilege-escalation/#run-at-startup)
|
* [**启动应用程序**](windows-local-privilege-escalation/#run-at-startup)
|
||||||
* **易受攻击的**[**驱动程序**](windows-local-privilege-escalation/#drivers)
|
* **易受攻击的**[**驱动程序**](windows-local-privilege-escalation/#drivers)
|
||||||
|
|
||||||
|
@ -78,45 +79,45 @@
|
||||||
* 您能否**写入PATH中的任何文件夹**?
|
* 您能否**写入PATH中的任何文件夹**?
|
||||||
* 是否有任何已知的服务二进制文件**尝试加载任何不存在的DLL**?
|
* 是否有任何已知的服务二进制文件**尝试加载任何不存在的DLL**?
|
||||||
* 您能否在任何**二进制文件夹**中**写入**?
|
* 您能否在任何**二进制文件夹**中**写入**?
|
||||||
|
|
||||||
### [网络](windows-local-privilege-escalation/#network)
|
### [网络](windows-local-privilege-escalation/#network)
|
||||||
|
|
||||||
* 枚举网络(共享、接口、路由、邻居,...)
|
* [ ] 枚举网络(共享、接口、路由、邻居,...)
|
||||||
* 特别关注监听在本地主机(127.0.0.1)上的网络服务
|
* [ ] 特别关注监听在本地主机(127.0.0.1)上的网络服务
|
||||||
|
|
||||||
### [Windows凭据](windows-local-privilege-escalation/#windows-credentials)
|
### [Windows凭证](windows-local-privilege-escalation/#windows-credentials)
|
||||||
|
|
||||||
* [**Winlogon**](windows-local-privilege-escalation/#winlogon-credentials)凭据
|
* [ ] [**Winlogon** ](windows-local-privilege-escalation/#winlogon-credentials)凭证
|
||||||
* [**Windows Vault**](windows-local-privilege-escalation/#credentials-manager-windows-vault)中您可以使用的凭据?
|
* [ ] [**Windows Vault**](windows-local-privilege-escalation/#credentials-manager-windows-vault) 可以使用的凭证?
|
||||||
* 有趣的[**DPAPI凭据**](windows-local-privilege-escalation/#dpapi)?
|
* [ ] 有趣的[**DPAPI凭证**](windows-local-privilege-escalation/#dpapi)?
|
||||||
* 已保存的[**Wifi网络**](windows-local-privilege-escalation/#wifi)密码?
|
* [ ] 已保存的[**Wifi网络**](windows-local-privilege-escalation/#wifi)密码?
|
||||||
* 已保存的[**RDP连接**](windows-local-privilege-escalation/#saved-rdp-connections)中有有趣的信息吗?
|
* [ ] 已保存的RDP连接中的有趣信息[**saved RDP Connections**](windows-local-privilege-escalation/#saved-rdp-connections)?
|
||||||
* 最近运行命令中的密码[**密码**](windows-local-privilege-escalation/#recently-run-commands)?
|
* [ ] 最近运行命令中的密码[**recently run commands**](windows-local-privilege-escalation/#recently-run-commands)?
|
||||||
* [**远程桌面凭据管理器**](windows-local-privilege-escalation/#remote-desktop-credential-manager)密码?
|
* [ ] [**远程桌面凭据管理器**](windows-local-privilege-escalation/#remote-desktop-credential-manager)密码?
|
||||||
* [**AppCmd.exe**存在](windows-local-privilege-escalation/#appcmd-exe)?凭据?
|
* [ ] [**AppCmd.exe** 是否存在](windows-local-privilege-escalation/#appcmd-exe)?凭证?
|
||||||
* [**SCClient.exe**](windows-local-privilege-escalation/#scclient-sccm)?DLL侧加载?
|
* [ ] [**SCClient.exe**](windows-local-privilege-escalation/#scclient-sccm)?DLL侧加载?
|
||||||
|
|
||||||
### [文件和注册表(凭据)](windows-local-privilege-escalation/#files-and-registry-credentials)
|
### [文件和注册表(凭证)](windows-local-privilege-escalation/#files-and-registry-credentials)
|
||||||
|
|
||||||
* **Putty:**[**凭据**](windows-local-privilege-escalation/#putty-creds)**和**[**SSH主机密钥**](windows-local-privilege-escalation/#putty-ssh-host-keys)
|
* [ ] **Putty:** [**凭证**](windows-local-privilege-escalation/#putty-creds) **和** [**SSH主机密钥**](windows-local-privilege-escalation/#putty-ssh-host-keys)
|
||||||
* 注册表中的[**SSH密钥**](windows-local-privilege-escalation/#ssh-keys-in-registry)?
|
* [ ] 注册表中的[**SSH密钥**](windows-local-privilege-escalation/#ssh-keys-in-registry)?
|
||||||
* 未经人工干预的文件中的密码[**密码**](windows-local-privilege-escalation/#unattended-files)?
|
* [ ] 无人值守文件中的密码[**unattended files**](windows-local-privilege-escalation/#unattended-files)?
|
||||||
* 任何[**SAM和SYSTEM**](windows-local-privilege-escalation/#sam-and-system-backups)备份?
|
* [ ] 任何[**SAM & SYSTEM**](windows-local-privilege-escalation/#sam-and-system-backups)备份?
|
||||||
* [**云凭据**](windows-local-privilege-escalation/#cloud-credentials)?
|
* [ ] [**云凭证**](windows-local-privilege-escalation/#cloud-credentials)?
|
||||||
* [**McAfee SiteList.xml**](windows-local-privilege-escalation/#mcafee-sitelist.xml)文件?
|
* [ ] [**McAfee SiteList.xml**](windows-local-privilege-escalation/#mcafee-sitelist.xml) 文件?
|
||||||
* [**缓存的GPP密码**](windows-local-privilege-escalation/#cached-gpp-pasword)?
|
* [ ] [**缓存的GPP密码**](windows-local-privilege-escalation/#cached-gpp-pasword)?
|
||||||
* [**IIS Web配置文件**](windows-local-privilege-escalation/#iis-web-config)中的密码?
|
* [ ] [**IIS Web配置文件**](windows-local-privilege-escalation/#iis-web-config)中的密码?
|
||||||
* [**Web日志**](windows-local-privilege-escalation/#logs)中有有趣的信息吗?
|
* [ ] 日志中的有趣信息[**web** **logs**](windows-local-privilege-escalation/#logs)?
|
||||||
* 您想向用户[**请求凭据**](windows-local-privilege-escalation/#ask-for-credentials)吗?
|
* [ ] 想要向用户[**请求凭证**](windows-local-privilege-escalation/#ask-for-credentials)吗?
|
||||||
* 回收站中的有趣[**文件**](windows-local-privilege-escalation/#credentials-in-the-recyclebin)?
|
* [ ] 回收站中的有趣[**文件**](windows-local-privilege-escalation/#credentials-in-the-recyclebin)?
|
||||||
* 其他包含凭据的[**注册表**](windows-local-privilege-escalation/#inside-the-registry)?
|
* [ ] 其他包含凭证的[**注册表**](windows-local-privilege-escalation/#inside-the-registry)?
|
||||||
* 浏览器数据中的[**通用密码搜索**](windows-local-privilege-escalation/#browsers-history)(数据库、历史记录、书签,...)?
|
* [ ] 浏览器数据中的[**内容**](windows-local-privilege-escalation/#browsers-history)(数据库、历史记录、书签,...)?
|
||||||
* 在文件和注册表中进行[**通用密码搜索**](windows-local-privilege-escalation/#generic-password-search-in-files-and-registry)的[**工具**](windows-local-privilege-escalation/#tools-that-search-for-passwords)?
|
* [**在文件和注册表中进行通用密码搜索**](windows-local-privilege-escalation/#generic-password-search-in-files-and-registry)?
|
||||||
|
* [**工具**](windows-local-privilege-escalation/#tools-that-search-for-passwords)自动搜索密码
|
||||||
|
|
||||||
### [泄漏的处理程序](windows-local-privilege-escalation/#leaked-handlers)
|
### [泄漏的处理程序](windows-local-privilege-escalation/#leaked-handlers)
|
||||||
|
|
||||||
* 您是否可以访问由管理员运行的进程的任何处理程序?
|
* [ ] 是否可以访问由管理员运行的进程的任何处理程序?
|
||||||
|
|
||||||
### [管道客户端冒充](windows-local-privilege-escalation/#named-pipe-client-impersonation)
|
### [管道客户端冒充](windows-local-privilege-escalation/#named-pipe-client-impersonation)
|
||||||
|
|
||||||
* 检查是否可以滥用它
|
* [ ] 检查是否可以滥用它
|
||||||
|
|
Loading…
Reference in a new issue