Offensive Windows ~ Manual Enumeration


It's no secret that Windows isn't my strong suit. I'm more of a Linux guy. So, here's my shot at getting better at offensive Windows techniques! I'll be writing about a couple of topics which will also double up as my notes! Here we gouu!
Enumeration
One of the most important things to do after getting a foothold on a machine is to find out what we're up against, i.e. perform enumeration. There are five main domains in this category.
- System
- User(s)
- Network
- Password
- Firewall, AV & Services
Once we've gathered information on all five domains, we'll have a much better understanding of the machine in question.
System Enumeration
This section will contain techniques that can be used to gather more information regarding the base system.
systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type"
Returns the system's type, OS name and OS version.

systeminfo
Returns the complete system information summary the machine exposes.

hostname
Returns the system's hostname.

wmic qfe
Returns information about the patches (hotfixes) installed on the system. QFE = Quick Fix Engineering.

wmic qfe get Caption,Description,HotFixID,InstalledOn
Returns only the most useful fields for each installed patch: its name, description, hotfix ID and install date.

wmic logicaldisk
Returns all disks on the machine. Extremely messy output.

wmic logicaldisk get caption,description,providername
Returns all disks on the machine with refined output (drive letter, type and network path, if any).

User(s) Enumeration
This section will contain techniques that can be used to gather more information regarding the users and their settings on the machine.
whoami
Returns the user that is currently logged in.

whoami /priv
Returns the privileges of the user that is currently logged in.

whoami /groups
Returns the groups that the currently logged in user belongs to.

net user
Returns all users on the machine.

net user <username>
Returns the settings of the queried user.

net localgroup
Returns all existing groups on the machine.

net localgroup <groupname>
Returns more information about the queried group, including its members.

Network Enumeration
This section will contain techniques that can be used to gather more information regarding the network settings of the machine.
ipconfig /all
Returns the full configuration of every network interface on the machine.

arp -a
Returns the ARP table of the machine. Useful for identifying other hosts this machine has recently communicated with.

route print
Returns the routing table of the machine.

netstat -ano
Returns the live network connections and listening ports of the machine, along with the owning process ID.

Password Enumeration
This section will contain techniques that can be used to gather any sort of plaintext credentials that may be lying around the machine.
findstr /si password *.txt
Returns every line containing the word password (case-insensitive) in all .txt files under the current directory, searched recursively.

findstr /si password *.txt *.xml *.ini *.conf *.config
Returns every line containing the word password (case-insensitive) in all .txt, .xml, .ini, .conf and .config files under the current directory, searched recursively.

Other Methods
These are other methods which stood out to me during my research on this topic. Shoutout PATT.
Files
findstr /si password *.txt
findstr /si password *.xml
findstr /si password *.ini

# Find all those strings in config files.
dir /s *pass* == *cred* == *vnc* == *.config*

# Find all passwords in all files.
findstr /spin "password" *.*
findstr /spin "password" *.
Registry
VNC
reg query "HKCU\Software\ORL\WinVNC3\Password"
Windows autologin
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
SNMP Parameters
reg query "HKLM\SYSTEM\CurrentControlSet\Services\SNMP"
Putty
reg query "HKCU\Software\SimonTatham\PuTTY\Sessions"
Search for password in the registry
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s
Firewall, AV & Service Enumeration
This section will contain techniques that can be used to gather more information regarding the firewall, the AV and, most importantly, all services running on the machine.
SC = Service Control
sc query windefend
Returns the status of the Windows Defender service on the machine.

sc queryex type= service
Returns information regarding all the services on the machine.

netsh advfirewall firewall dump
Returns basic firewall options. Faulty on some machines, as you can see.

netsh firewall show state
Returns basic firewall options.

netsh firewall show config
Returns the firewall config of the machine.

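The five domains above are also a handy detection model from the defender's side: a single whoami or ipconfig is ordinary admin noise, but a burst of commands spanning several domains from one user on one host is exactly the post-foothold pattern this post walks through. The following Python script is an added example, not code from the original post: given constructed process-creation log lines (the command-line field that Security event 4688 or Sysmon Event ID 1 would supply), it flags a host/user pair that touches three or more domains within five minutes. The pipe-delimited log format, the sample events, the thresholds and the regexes are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One regex per enumeration domain, matched against a process-creation command line.
DOMAIN_PATTERNS = {
    "system":   re.compile(r"\b(systeminfo|hostname|wmic\s+(qfe|logicaldisk))\b", re.I),
    "user":     re.compile(r"\b(whoami|net\s+(user|localgroup))\b", re.I),
    "network":  re.compile(r"\b(ipconfig\s+/all|arp\s+-a|route\s+print|netstat\s+-ano)\b", re.I),
    "password": re.compile(r"\b(findstr\s+/s\S*\s+\S*password|reg\s+query\s+\S+\s+/f\s+password)", re.I),
    "firewall": re.compile(r"\b(sc\s+query(ex)?\s|netsh\s+(adv)?firewall)", re.I),
}

# Constructed sample events, one "timestamp|host|user|command line" per line.
SAMPLE_EVENTS = """\
2024-05-01T10:00:01|WS01|corp\\jdoe|C:\\Windows\\system32\\cmd.exe /c whoami /priv
2024-05-01T10:00:05|WS01|corp\\jdoe|systeminfo
2024-05-01T10:00:09|WS01|corp\\jdoe|net user
2024-05-01T10:00:14|WS01|corp\\jdoe|reg query HKLM /f password /t REG_SZ /s
2024-05-01T10:00:20|WS01|corp\\jdoe|netsh advfirewall firewall dump
2024-05-01T11:30:00|WS02|corp\\admin|ipconfig /all
"""

def parse_events(text):
    """Turn the pipe-delimited sample format into (time, host, user, cmd) tuples."""
    rows = (line.split("|", 3) for line in text.strip().splitlines())
    return [(datetime.fromisoformat(ts), host, user, cmd) for ts, host, user, cmd in rows]

def classify(cmd):
    """Return the enumeration domain a command line falls into, or None."""
    return next((d for d, p in DOMAIN_PATTERNS.items() if p.search(cmd)), None)

def detect_enumeration(events, window=timedelta(minutes=5), min_domains=3):
    """Alert once per host/user that touches >= min_domains distinct domains inside
    a sliding time window; isolated single commands never reach the threshold."""
    hits = defaultdict(list)
    for ts, host, user, cmd in sorted(events):
        domain = classify(cmd)
        if domain:
            hits[(host, user)].append((ts, domain, cmd))
    alerts = []
    for (host, user), seq in hits.items():
        for i, (start, _, _) in enumerate(seq):
            in_window = [h for h in seq[i:] if h[0] - start <= window]
            domains = {d for _, d, _ in in_window}
            if len(domains) >= min_domains:
                alerts.append({"host": host, "user": user, "start": start.isoformat(),
                               "domains": sorted(domains), "commands": [c for _, _, c in in_window]})
                break  # one alert per actor keeps triage manageable
    return alerts
```

Feeding it `parse_events(SAMPLE_EVENTS)` yields one alert for WS01/corp\jdoe covering the firewall, password, system and user domains, while the lone ipconfig on WS02 stays silent.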
That's it for manual enumeration! Do feel free to let me know if you feel that I missed any other important domains in Windows manual enumeration.
~Nee.