BSidesLV 2016 & DEFCON 24


The annual hacker summer camp is approaching and just in time too, as it should be a balmy 105F+ in Nevada, though I would argue that I prefer that type of heat compared to the high heat + humidity here in Georgia. Anywho, I thought I would make a post to highlight some of the talks that I have found interesting.

BSidesLV 2016:

Managing Security with the OWASP Assimilation Project
Alan Robertson

Automation of Penetration Testing and the Future
Haydn Johnson & Kevin Riggins

Hunting High-Value Targets in Corporate Networks
Patrick Fussell & Josh Stone

Crafting Tailored Wordlists with Wordsmith
Sanjiv Kawa & Tom Porter


Realtime Bluetooth Device Detection with Blue Hydra
Zero_Chaos & Granolocks

MouseJack: Injecting Keystrokes into Wireless Mice
Marc Newlin

Phishing without Failure and Frustration
Jay Beale & Larry Pesce

Abusing Bleeding Edge Web Standards for AppSec Glory
Bryant Zadegan & Ryan Lester

Hiding Wookiees in HTTP

So You Think You Want To Be a Penetration Tester


So I took my previous post on Windows enumeration and made a very basic script replicating some of the commands. I didn't include any WMIC commands, as you can't always execute them, but the rest should be good. Hopefully I will get some feedback/commits to resolve any issues.

Windows Enumeration and Privilege Escalation Script


WMIC OS GET provides a wealth of information about the installed Windows operating system. As I listed several of these in my previous post on Windows privilege escalation, I thought that I would expand on it and provide a list of all the properties I find to be relevant. Information taken from the MSDN.

Format is: WMIC OS GET property, where property is one of the names listed below.

BootDevice = Name of the disk drive from which the Windows operating system starts.

BuildNumber = Build number of an operating system. It can be used for more precise version information than product release version numbers.

BuildType = Type of build used for an operating system.

Caption = Short description of the object—a one-line string. The string includes the operating system version. For example, "Microsoft Windows 7 Enterprise". This property can be localized.

CountryCode = Code for the country/region that an operating system uses. Values are based on international phone dialing prefixes—also referred to as IBM country/region codes. This property can use a maximum of six characters to define the country/region code value.

CSDVersion = NULL-terminated string that indicates the latest service pack installed on a computer. If no service pack is installed, the string is NULL.

CSName = Name of the scoping computer system.

CurrentTimeZone = Number, in minutes, an operating system is offset from Greenwich mean time (GMT). The number is positive, negative, or zero.

DataExecutionPrevention_32BitApplications = When the data execution prevention hardware feature is available, this property indicates that the feature is set to work for 32-bit applications if True. On 64-bit computers, the data execution prevention feature is configured in the Boot Configuration Data (BCD) store and the properties in Win32_OperatingSystem are set accordingly.

DataExecutionPrevention_Available = Data execution prevention is a hardware feature to prevent buffer overrun attacks by stopping the execution of code on data-type memory pages. If True, then this feature is available. On 64-bit computers, the data execution prevention feature is configured in the BCD store and the properties in Win32_OperatingSystem are set accordingly.

DataExecutionPrevention_Drivers = When the data execution prevention hardware feature is available, this property indicates that the feature is set to work for drivers if True. On 64-bit computers, the data execution prevention feature is configured in the BCD store and the properties in Win32_OperatingSystem are set accordingly.

DataExecutionPrevention_SupportPolicy = Indicates which Data Execution Prevention (DEP) setting is applied. The DEP setting specifies the extent to which DEP applies to 32-bit applications on the system. DEP is always applied to the Windows kernel.

Always Off: DEP is turned off for all 32-bit applications on the computer with no exceptions. This setting is not available from the user interface.

Always On: DEP is enabled for all 32-bit applications on the computer. This setting is not available from the user interface.

Opt In: DEP is enabled for a limited number of binaries, the kernel, and all Windows-based services. However, it is off by default for all 32-bit applications. A user or administrator must explicitly choose either the AlwaysOn or the OptOut setting before DEP can be applied to 32-bit applications.

Opt Out: DEP is enabled by default for all 32-bit applications. A user or administrator can explicitly remove support for a 32-bit application by adding the application to an exceptions list.

Debug = Operating system is a checked (debug) build. If True, the debugging version is installed. Checked builds provide error checking, argument verification, and system debugging code. Additional code in a checked binary generates a kernel debugger error message and breaks into the debugger. This helps immediately determine the cause and location of the error. Performance may be affected in a checked build due to the additional code that is executed.

Description = Description of the Windows operating system. Some user interfaces, for example those that allow editing of this description, limit its length to 48 characters.

Distributed = If True, the operating system is distributed across several computer system nodes. If so, these nodes should be grouped as a cluster.

EncryptionLevel = Encryption level for secure transactions: 40-bit, 128-bit, or n-bit.

40-bit (0)
128-bit (1)
n-bit (2)

FreePhysicalMemory = Number, in kilobytes, of physical memory currently unused and available.

FreeSpaceInPagingFiles = Number, in kilobytes, that can be mapped into the operating system paging files without causing any other pages to be swapped out.

FreeVirtualMemory = Number, in kilobytes, of virtual memory currently unused and available.

InstallDate = Date object was installed. This property does not require a value to indicate that the object is installed.

LastBootUpTime = Date and time the operating system was last restarted.

LocalDateTime = Operating system version of the local date and time-of-day.

Locale = Language identifier used by the operating system. A language identifier is a standard international numeric abbreviation for a country/region. Each language has a unique language identifier (LANGID), a 16-bit value that consists of a primary language identifier and a secondary language identifier.

Manufacturer = Name of the operating system manufacturer. For Windows-based systems, this value is "Microsoft Corporation".

MUILanguages = Multilingual User Interface Pack (MUI Pack) languages installed on the computer. For example, "en-us". MUI Pack languages are resource files that can be installed on the English version of the operating system. When an MUI Pack is installed, you can change the user interface language to one of 33 supported languages.

Name = Operating system instance within a computer system.

NumberOfLicensedUsers = Number of user licenses for the operating system. If unlimited, enter 0 (zero). If unknown, enter -1.

NumberOfProcesses = Number of process contexts currently loaded or running on the operating system.

NumberOfUsers = Number of user sessions for which the operating system is storing state information currently.

OperatingSystemSKU = Stock Keeping Unit (SKU) number for the operating system. These values are the same as the PRODUCT_* constants defined in WinNT.h that are used with the GetProductInfo function.

Organization = Company name for the registered user of the operating system.

OSArchitecture = Architecture of the operating system, as opposed to the processor. This property can be localized.

OSProductSuite = Installed and licensed system product additions to the operating system. For example, the value of 146 (0x92) for OSProductSuite indicates Enterprise, Terminal Services, and Data Center (bits one, four, and seven set). The following table lists possible values.

1 (0x1): Microsoft Small Business Server was once installed, but may have been upgraded to another version of Windows.

2 (0x2): Windows Server 2008 Enterprise is installed.

4 (0x4): Windows BackOffice components are installed.

8 (0x8): Communication Server is installed.

16 (0x10): Terminal Services is installed.

32 (0x20): Microsoft Small Business Server is installed with the restrictive client license.

64 (0x40): Windows Embedded is installed.

128 (0x80): A Datacenter edition is installed.

256 (0x100): Terminal Services is installed, but only one interactive session is supported.

512 (0x200): Windows Home Edition is installed.

1024 (0x400): Web Server Edition is installed.

8192 (0x2000): Storage Server Edition is installed.

16384 (0x4000): Compute Cluster Edition is installed.
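As an added example (not from the post or from MSDN), here is a small Python decoder for two of the properties above: it parses the Name=Value lines that wmic os get ... /format:list prints, expands OSProductSuite into suite names (the 146 example decodes to Enterprise, Terminal Services and Datacenter), and maps DataExecutionPrevention_SupportPolicy, which MSDN encodes as 0 to 3 in the order Always Off, Always On, Opt In, Opt Out, to its setting and to whether DEP covers 32-bit applications by default. The sample WMIC output is constructed.

```python
# Constructed sample of `wmic os get ... /format:list` output (WMIC pads it with blank lines).
SAMPLE_WMIC_OUTPUT = "\n\nDataExecutionPrevention_SupportPolicy=2\nOSProductSuite=146\n\n"

# Bit flags from the OSProductSuite table (MSDN values).
OS_PRODUCT_SUITE = {
    0x1: "Small Business Server (possibly upgraded)",
    0x2: "Enterprise",
    0x4: "BackOffice",
    0x8: "Communication Server",
    0x10: "Terminal Services",
    0x20: "Small Business Server (restrictive client license)",
    0x40: "Windows Embedded",
    0x80: "Datacenter",
    0x100: "Terminal Services (single interactive session)",
    0x200: "Home Edition",
    0x400: "Web Server Edition",
    0x2000: "Storage Server Edition",
    0x4000: "Compute Cluster Edition",
}

# DataExecutionPrevention_SupportPolicy encodes the four DEP settings as 0..3 (MSDN).
DEP_POLICY = {0: "Always Off", 1: "Always On", 2: "Opt In", 3: "Opt Out"}


def parse_wmic_list(text):
    """Turn the 'Name=Value' lines of /format:list output into a dict, skipping blanks."""
    pairs = (line.strip().partition("=") for line in text.splitlines())
    return {name.strip(): value.strip() for name, sep, value in pairs if sep}


def decode_product_suite(value):
    """Suite names whose bits are set, lowest bit first; bits not in the table are flagged."""
    names = [name for bit, name in sorted(OS_PRODUCT_SUITE.items()) if value & bit]
    unknown = value & ~sum(OS_PRODUCT_SUITE)
    return names + (["unknown bits 0x%x" % unknown] if unknown else [])


def dep_is_hardened(policy):
    """Only Always On (1) and Opt Out (3) apply DEP to 32-bit applications by default."""
    return policy in (1, 3)


def summarize(text):
    """Decode both fields; a DEP value of -1 means the property was missing."""
    props = parse_wmic_list(text)
    dep = int(props.get("DataExecutionPrevention_SupportPolicy", -1))
    return {"suites": decode_product_suite(int(props.get("OSProductSuite", 0))),
            "dep_policy": DEP_POLICY.get(dep, "unknown (%d)" % dep),
            "dep_hardened": dep_is_hardened(dep)}
```

On a real host, pipe the output of wmic os get OSProductSuite,DataExecutionPrevention_SupportPolicy /format:list into summarize(); an Opt In result means 32-bit applications run without DEP unless individually opted in.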

PortableOperatingSystem = Specifies whether the operating system booted from an external USB device. If true, the operating system has detected it is booting on a supported locally connected storage device.

Windows Server 2008 R2, Windows 7, Windows Server 2008, and Windows Vista: This property is not supported before Windows 8 and Windows Server 2012.

Primary = Specifies whether this is the primary operating system.

ProductType = Additional system information.

RegisteredUser = Name of the registered user of the operating system.

SerialNumber = Operating system product serial identification number.

ServicePackMajorVersion = Major version number of the service pack installed on the computer system. If no service pack has been installed, the value is 0 (zero).

ServicePackMinorVersion = Minor version number of the service pack installed on the computer system. If no service pack has been installed, the value is 0 (zero).

Status = Current status of the object. Various operational and nonoperational statuses can be defined. Operational statuses include: "OK", "Degraded", and "Pred Fail" (an element, such as a SMART-enabled hard disk drive may function properly, but predicts a failure in the near future). Nonoperational statuses include: "Error", "Starting", "Stopping", and "Service". The Service status applies to administrative work, such as mirror-resilvering of a disk, reload of a user permissions list, or other administrative work. Not all such work is online, but the managed element is neither "OK" nor in one of the other states.

"OK" "Error" "Degraded" "Unknown" "Pred Fail" "Starting" "Stopping" "Service"

SystemDevice = Physical disk partition on which the operating system is installed.

SystemDirectory = System directory of the operating system.

Version = Version number of the operating system.

Basic Windows Privilege Escalation

As I have been working through my OSCP course I have had to reference several cheat sheets and blog posts for Windows enumeration, and while it's not a major inconvenience, I figured I would put what I already knew and what I have found in one location for everyone's benefit. This list is by no means complete and I will update it as I come across more information and from what is contributed in the comments. Note: this is heavily influenced by g0tmi1k's Linux Privilege Escalation post, so the overall layout credit goes to him.

Operating System

What version of Windows is running? Is it 32 or 64-bit?

more c:\boot.ini  
wmic os get osarchitecture  
set computername  

What drives are there? Are any being shared?

wmic logicaldisk get caption,description,providername  
net share  
wmic share  
net use

What can the OS variables tell you?

more C:\WINDOWS\System32\drivers\etc\hosts  
more C:\WINDOWS\System32\drivers\etc\networks  
dir C:\Users\username\AppData\Local\Temp  
echo %path%  
tree (massive output)  
wmic context  
wmic bootconfig  
wmic environment  
wmic loadorder  
wmic startup

What patches are installed?

wmic qfe  

What services are installed/running?

wmic service  
net start  
sc query


What is the current network config? What is this machine talking to?

ipconfig /allcompartments /all  
wmic nicconfig get description,IPAddress,MACaddress  
route PRINT  
netstat -ano  
arp -a  
wmic nicconfig get macaddress,caption

What is the firewall configuration?

netsh dump  
netsh firewall show state  
netsh firewall show config  
netsh advfirewall firewall show rule name=all  
netsh advfirewall export "firewallinfo.txt"

Is the machine on a domain?

set userdomain  
net view /domain

Installed Software

What software is currently running? What is installed?

tasklist /svc  
tasklist /fi "pid eq PID"  
tasklist /fi "username eq USERNAME"  
driverquery /v  
wmic sysdriver  
wmic product

User Info

Who is logged in? Who is an administrator? Who belongs to what group/domain?

set username  
echo %username%  
net users  
wmic group  
net localgroup  
net localgroup administrators  
wmic useraccount


What is in the registry?

reg query  
reg query "HKLM\Software\Microsoft\Windows NT\Currentversion\Winlogon" /v LastUsedUsername

Hardware Information

What is installed in this PC?

wmic bios  
wmic baseboard get manufacturer  
wmic cdrom  
wmic cpu list full  
wmic csproduct  

Let's Encrypt!

Since my readership is practically zero, I doubt anyone has noticed, but this site now runs with a brand spanking new cert from Let's Encrypt! If you're running Apache, the process to get this set up is automated and just takes a few commands.

However, if you're running NGINX like myself, then you're going to have to work a little.

Installing Let's Encrypt does not differ from its documentation, though when you go to obtain a cert you will need to use the ./letsencrypt-auto certonly --standalone command in order to configure and download the cert files. Do not forget to list your non-www domain and www domain, as in and

After you have the files, make note of the directory they are placed in (/etc/letsencrypt/live/ Now you need to edit the NGINX configuration file under /etc/nginx/sites-available/. If you have more than one configuration, you can tell which is active by looking in /etc/nginx/sites-enabled/; the symlink there points to the active config.

Open that file and comment out the below:

listen 80 default_server;
listen [::]:80 default_server ipv6only=on;

and add this:

listen 443 ssl;
ssl_certificate /etc/letsencrypt/live/;
ssl_certificate_key /etc/letsencrypt/live/;

In the same file, outside of the original server block, add the below to redirect port 80 traffic to your new HTTPS-enabled site:

server {
listen 80;
return 301 https://$host$request_uri;
}

Once that is finished, simply run service nginx restart and you should see an awesome https:// in front of your domain. Keep in mind you will need to renew your Let's Encrypt cert every 90 days. You can easily create a cron job to take care of this though.
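Pulled together as an added example (not the post's own config), here are the two server blocks the steps above describe. example.com is a placeholder domain, and the certificate paths assume the layout Let's Encrypt creates under /etc/letsencrypt/live/<domain>/ (fullchain.pem and privkey.pem).

```nginx
# HTTPS site: this replaces the original `listen 80` lines inside the existing server block.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name example.com www.example.com;   # placeholder domains

    # Files written by letsencrypt-auto certonly; fullchain.pem includes the intermediate.
    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # Tells browsers to stay on HTTPS; one of the headers the security-headers check
    # mentioned below looks for. Only enable once everything you serve works over HTTPS.
    add_header Strict-Transport-Security "max-age=31536000" always;

    root  /var/www/html;
    index index.html;
}

# Separate server block, outside the one above: send every plain-HTTP request to HTTPS.
server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;
    return 301 https://$host$request_uri;
}
```

Run nginx -t before service nginx restart so a typo in the paths shows up as a config error instead of a failed restart.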

Thanks to DigitalOcean for the tips on how to get this setup :)

Also check out Scott Helme's site. This will check your site's headers for certain security flags and let you know which ones you need to add. I have an A according to his site, but I need to properly configure my Content-Security-Policy ;)