Offensive Windows ~ Manual Enumeration

Offensive Windows [Part 1]

It's no secret that Windows isn't my strong suit. I'm more of a Linux guy. So, here's my shot at getting better at offensive Windows techniques! I'll be writing about a couple of topics, which will also double up as my notes! Here we gouu!


Enumeration

One of the most important things to do after getting a foothold on a machine is to find out what we're up against, i.e. to perform enumeration. There are five main domains in this category.

  • System
  • User(s)
  • Network
  • Password
  • Firewall, AV & Services

Once we have gathered information in all five domains, we will have a much better understanding of the machine in question.


System Enumeration

This section will contain techniques that can be used to gather more information regarding the base system.

systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type"

Returns only the system type, OS name and OS version, by filtering the full systeminfo output for lines that begin (/B) with those exact strings (/C:).

systeminfo

Returns everything systeminfo knows about the machine: OS details, boot time, installed hotfixes, network adapters, domain membership and more.

hostname

Returns system's hostname.

wmic qfe

Returns the hotfixes (patches) installed on the system, with every property of each entry.
QFE = Quick Fix Engineering

wmic qfe get Caption,Description,HotFixID,InstalledOn

Returns only the most useful columns for each installed patch: the KB article link, the update type, the hotfix ID and the install date.

wmic logicaldisk

Returns all logical disks on the machine with every property. The output is extremely messy.

wmic logicaldisk get caption, description, providername

Returns all logical disks on the machine with only the drive letter, the disk type and (for mapped network drives) the UNC path. Much more readable output.
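wmic prints fixed-width text rather than structured data, so turning it into something a script can reason about is the first step before comparing hosts. The Python below is an added example and not code from the original post: it parses a constructed sample of the `wmic qfe get Caption,Description,HotFixID,InstalledOn` output, using the position of each header name as the column boundary (which is what keeps an empty InstalledOn cell from shifting the row), then reports the newest installed patch and whether the host looks unpatched relative to a cut-off. The sample rows, the 90-day threshold and the US m/d/yyyy date format are assumptions.

```python
import re
from datetime import date, datetime

# Constructed sample of `wmic qfe get Caption,Description,HotFixID,InstalledOn`
# output (not captured from a real host). wmic left-justifies every column to
# the width of its widest value and separates columns with two spaces; the
# last row has an empty InstalledOn cell, which wmic prints when the install
# date is unknown.
SAMPLE_QFE = """\
Caption                                     Description      HotFixID   InstalledOn
http://support.microsoft.com/?kbid=4601554  Update           KB4601554  2/10/2021
http://support.microsoft.com/?kbid=5000802  Security Update  KB5000802  3/10/2021
http://support.microsoft.com/?kbid=4577586  Update           KB4577586
"""


def parse_wmic_table(text):
    """Split wmic's fixed-width table into dicts keyed by the header names.

    Column boundaries are where each header name starts, so empty cells
    (like a missing InstalledOn) stay in the right column. Header names are
    assumed to contain no spaces, which holds for the columns used here.
    """
    lines = [line.rstrip() for line in text.splitlines() if line.strip()]
    if not lines:
        return []
    header, body = lines[0], lines[1:]
    starts = [m.start() for m in re.finditer(r"\S+", header)]
    bounds = list(zip(starts, starts[1:] + [None]))
    names = [header[s:e].strip() for s, e in bounds]
    return [{n: row[s:e].strip() for n, (s, e) in zip(names, bounds)} for row in body]


def parse_installed_on(value):
    """InstalledOn uses the host's short date format; this assumes the US
    m/d/yyyy form and returns None for blank or unparseable cells."""
    try:
        return datetime.strptime(value, "%m/%d/%Y").date()
    except ValueError:
        return None


def patch_summary(text, today, max_age_days=90):
    """Summarise the hotfix list and flag a host whose newest dated patch is
    older than max_age_days as of `today` (a date or 'YYYY-MM-DD' string)."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    rows = parse_wmic_table(text)
    hotfixes = [row["HotFixID"] for row in rows]
    dates = [d for d in (parse_installed_on(row["InstalledOn"]) for row in rows) if d]
    latest = max(dates) if dates else None
    stale = latest is None or (today - latest).days > max_age_days
    return {"hotfixes": hotfixes,
            "latest": latest.isoformat() if latest else None,
            "stale": stale}


if __name__ == "__main__":
    print(patch_summary(SAMPLE_QFE, date.today()))
```

On a real host, pipe the command's output into a file and pass its contents to patch_summary; the stale flag is the quick signal that the patch level deserves a closer look before anything else.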


User(s) Enumeration

This section will contain techniques that can be used to gather more information regarding the users and their settings on the machine.

whoami

Returns the user that is currently logged in.

whoami /priv

Returns the privileges of the user that is currently logged in.

whoami /groups

Returns the groups that the currently logged in user belongs to.

net user

Returns all users on the machine.

net user <user>

Returns the settings of the queried user: account status, password and logon details, and local and global group memberships.

net localgroup

Returns all existing groups on the machine.

net localgroup <group>

Returns the comment and the member list of the queried group.
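The output of whoami /priv is what you compare against what the account is supposed to hold, and that comparison is easier once it is parsed. The Python below is an added example, not code from the original post: it parses a constructed sample of `whoami /priv` output using the row of '=' underlines to locate the columns, lists the privileges that are currently enabled, and reports any privilege the account holds beyond an assumed standard-user baseline. The sample, the baseline set and the extra privilege in it are all assumptions made for the example.

```python
import re

# Constructed sample of `whoami /priv` output (not captured from a real host).
# whoami sizes each column to its widest value and prints a row of '=' runs
# whose boundaries mark the columns.
SAMPLE_PRIV = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                          State
============================= ==================================== ========
SeShutdownPrivilege           Shut down the system                 Disabled
SeChangeNotifyPrivilege       Bypass traverse checking             Enabled
SeUndockPrivilege             Remove computer from docking station Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set       Disabled
SeTimeZonePrivilege           Change the time zone                 Disabled
SeSystemtimePrivilege         Change the system time               Disabled
"""

# Assumed baseline (hypothetical): what a plain interactive user is expected
# to hold on this build. Anything beyond it is reported as drift for review.
STANDARD_USER_BASELINE = frozenset({
    "SeShutdownPrivilege", "SeChangeNotifyPrivilege", "SeUndockPrivilege",
    "SeIncreaseWorkingSetPrivilege", "SeTimeZonePrivilege",
})


def parse_whoami_priv(text):
    """Return {privilege: {"description": ..., "state": ...}}.

    The '=' underline gives the column spans. Privilege names and states are
    single tokens, so they are taken from the row ends; the description is
    the slice between the two (it can contain spaces).
    """
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if line.startswith("="):
            spans = [(m.start(), m.end()) for m in re.finditer(r"=+", line)]
            rows = lines[i + 1:]
            break
    else:
        raise ValueError("no '=' underline: not whoami /priv output?")
    if len(spans) != 3:
        raise ValueError("expected three columns: Privilege Name, Description, State")
    name_end, state_start = spans[0][1], spans[2][0]
    result = {}
    for row in rows:
        parts = row.split()
        if len(parts) < 3:
            continue
        result[parts[0]] = {
            "description": row[name_end:state_start].strip(),
            "state": parts[-1],
        }
    return result


def enabled_privileges(text):
    """Names of privileges currently enabled in the token."""
    return sorted(n for n, v in parse_whoami_priv(text).items() if v["state"] == "Enabled")


def privilege_drift(text, baseline=STANDARD_USER_BASELINE):
    """Privileges present (enabled or disabled) that the baseline does not expect."""
    return sorted(set(parse_whoami_priv(text)) - set(baseline))


if __name__ == "__main__":
    print("enabled:", enabled_privileges(SAMPLE_PRIV))
    print("drift:", privilege_drift(SAMPLE_PRIV))
```

A "Disabled" state only means the privilege is not currently enabled in the token; it is still held by the account, which is why drift is computed over every privilege listed rather than only the enabled ones.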


Network Enumeration

This section will contain techniques that can be used to gather more information regarding the network settings of the machine.

ipconfig /all

Returns the full configuration of every network interface on the machine: IP addresses, default gateway, DNS servers, DHCP state and MAC address.

arp -a

Returns the ARP table of the machine. Useful for identifying other hosts on the local network that this machine has recently communicated with.

route print

Returns the routing table of the machine.

netstat -ano

Returns all TCP connections and listening TCP/UDP ports (-a) in numeric form (-n), each with the ID of the owning process (-o).
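The netstat -ano output is only useful once each socket is tied to its PID, and the raw table has two traps: UDP rows have no State column, and IPv6 addresses are wrapped in brackets. The Python below is an added example and not code from the original post: it parses a constructed sample of `netstat -ano` output into records, handles both traps, and summarises the listening ports and the established remote peers per PID, which is the view you then match against tasklist /svc to name the process. The sample rows and addresses (documentation and private ranges) are constructed.

```python
# Constructed sample of `netstat -ano` output (not captured from a real host).
# UDP rows have no State column, and IPv6 addresses are wrapped in brackets.
SAMPLE_NETSTAT = """\

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    10.0.0.5:49702         203.0.113.7:443        ESTABLISHED     3120
  TCP    [::]:135               [::]:0                 LISTENING       912
  TCP    [fe80::1%4]:49152      [fe80::2%4]:445        ESTABLISHED     4
  UDP    0.0.0.0:5353           *:*                                    1788
"""


def split_endpoint(endpoint):
    """Split 'host:port' into (host, port), handling '[v6]:port' and '*:*'.

    The split is on the last colon so IPv6 literals keep their own colons;
    a non-numeric port (the '*' of an unconnected UDP socket) becomes None.
    """
    host, _, port = endpoint.rpartition(":")
    host = host.strip("[]")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Turn netstat -ano rows into dicts; the banner and header are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, foreign = parts[0], parts[1], parts[2]
        # TCP rows carry a State column; UDP rows go straight to the PID.
        state = parts[3] if proto == "TCP" else ""
        pid = int(parts[-1])
        lhost, lport = split_endpoint(local)
        fhost, fport = split_endpoint(foreign)
        records.append({"proto": proto, "local_host": lhost, "local_port": lport,
                        "remote_host": fhost, "remote_port": fport,
                        "state": state, "pid": pid})
    return records


def listening_ports(records):
    """Sorted, de-duplicated (port, pid) pairs for TCP listeners and bound
    UDP sockets; the same service bound on IPv4 and IPv6 appears once."""
    found = {(r["local_port"], r["pid"]) for r in records
             if r["proto"] == "UDP" or r["state"] == "LISTENING"}
    return sorted(found)


def established_peers(records):
    """Sorted (remote_host, remote_port, pid) triples for live TCP sessions."""
    return sorted((r["remote_host"], r["remote_port"], r["pid"])
                  for r in records if r["state"] == "ESTABLISHED")


if __name__ == "__main__":
    recs = parse_netstat(SAMPLE_NETSTAT)
    print("listening:", listening_ports(recs))
    print("established:", established_peers(recs))
```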


Password Enumeration

This section will contain techniques that can be used to gather any sort of plaintext credentials that may be lying around the machine.

findstr /si password *.txt

Returns every line containing the word password (case-insensitive, /i) from the .txt files in the current directory and all of its subdirectories (/s).

findstr /si password *.txt *.xml *.ini *.conf *.config

Returns every line containing the word password (case-insensitive, /i) from the .txt, .xml, .ini, .conf and .config files in the current directory and all of its subdirectories (/s).

Other Methods

These are other methods which stood out to me during my research on this topic. Shoutout PATT.

Files

findstr /si password *.txt
findstr /si password *.xml
findstr /si password *.ini

# Find all those strings in config files.
dir /s *pass* == *cred* == *vnc* == *.config*

# Find all passwords in all files.
findstr /spin "password" *.*
findstr /spin "password" *.

Registry

# VNC
reg query "HKCU\Software\ORL\WinVNC3\Password"

# Windows autologin
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"

# SNMP Parameters
reg query "HKLM\SYSTEM\CurrentControlSet\Services\SNMP"

# Putty
reg query "HKCU\Software\SimonTatham\PuTTY\Sessions"

# Search for password in registry
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s
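The recursive registry search produces a list of hits that needs to be read, counted and, if it is going into a report, redacted. The Python below is an added example and not code from the original post: it parses a constructed sample of `reg query HKLM /f password /t REG_SZ /s` output into (key, value name, type, data) tuples by tracking the unindented HKEY_ line above each group of values, checks the parsed total against the count reg query prints at the end, and produces a report that keeps only the length of each data field. The key paths, value names and data in the sample are made up for the example.

```python
import re

# Constructed sample of `reg query HKLM /f password /t REG_SZ /s` output
# (not captured from a real host; keys, value names and data are made up).
# reg query prints each key on its own unindented line, its matching values
# indented by four spaces with four-space separators, and a trailing count.
SAMPLE_REG = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\ExampleApp\Settings
    DbPassword    REG_SZ    hunter2

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    DefaultPassword    REG_SZ    Example pass phrase
    PasswordExpiryWarning    REG_SZ    5

End of search: 3 match(es) found.
"""

# A value line: four-space indent, name, four spaces, REG_* type, optional
# four spaces and data. The lazy name match plus the required REG_ type keeps
# a value name that itself contains runs of spaces from being split early.
VALUE_LINE = re.compile(r"^ {4}(?P<name>.+?) {4}(?P<type>REG_[A-Z_]+)(?: {4}(?P<data>.*))?$")
END_LINE = re.compile(r"^End of search: (\d+) match\(es\) found\.$")


def parse_reg_query(text):
    """Return (key, value_name, type, data) tuples, tracking the key path from
    the preceding unindented HKEY_ line."""
    findings, current_key = [], None
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("HKEY_"):
            current_key = line
            continue
        m = VALUE_LINE.match(line)
        if m and current_key:
            findings.append((current_key, m["name"], m["type"], m["data"] or ""))
    return findings


def expected_match_count(text):
    """The count reg query prints at the end, or None if it is absent."""
    for line in text.splitlines():
        m = END_LINE.match(line.strip())
        if m:
            return int(m.group(1))
    return None


def count_consistent(text):
    """True when the parsed value count equals reg query's own count. /f also
    matches key *names*, which print with no value lines, so a mismatch means
    some hits need a manual look rather than that the parser is wrong."""
    expected = expected_match_count(text)
    return expected is not None and expected == len(parse_reg_query(text))


def redacted_report(text):
    """Findings with the data replaced by its length, so the inventory can be
    shared without copying the secret itself. A hit only means the word
    'password' appears somewhere in the key, name or data; PasswordExpiryWarning
    above is such a name-only match and is not a credential."""
    return [{"key": key, "value": name, "type": vtype, "data_len": len(data)}
            for key, name, vtype, data in parse_reg_query(text)]


if __name__ == "__main__":
    for entry in redacted_report(SAMPLE_REG):
        print(entry)
    print("count matches reg query:", count_consistent(SAMPLE_REG))
```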

Firewall, AV & Service Enumeration

This section will contain techniques that can be used to gather more information regarding the firewall, AV and most importantly all services running on the machine.

SC = Service Control

sc query windefend

Returns the status of the Windows Defender service (service name WinDefend) on the machine.

sc queryex type= service

Returns extended information, including the PID, for every service on the machine.

netsh advfirewall firewall dump

Returns basic firewall options. Faulty on some machines, as you can see.

netsh firewall show state

Returns the firewall's operational state: whether it is enabled, whether exceptions are allowed, and the currently open ports.

netsh firewall show config

Returns the full firewall configuration of the machine (profile settings, allowed programs and ports). The netsh firewall context is deprecated on newer Windows versions in favour of netsh advfirewall, so expect it to work only on older builds.
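Each service in the sc queryex output is a multi-line block, so answering even simple questions ("is Defender running, and under which PID?") means parsing it first. The Python below is an added example and not code from the original post: it parses a constructed sample of `sc queryex type= service` output into one record per service, then checks that an assumed list of protective services (the Defender service from the sc query windefend command above and the firewall service mpssvc) is present and RUNNING, and lists services that are stopped with a non-zero Win32 exit code. The three services in the sample, their PIDs and the required-service list are assumptions.

```python
import re

# Constructed sample of `sc queryex type= service` output (not captured from
# a real host). Each service is a block starting with SERVICE_NAME; the STATE
# line carries a numeric code followed by its name, optionally followed by a
# parenthesised continuation line.
SAMPLE_SC = """\

SERVICE_NAME: WinDefend
DISPLAY_NAME: Windows Defender Antivirus Service
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
        PID                : 3124
        FLAGS              :

SERVICE_NAME: mpssvc
DISPLAY_NAME: Windows Defender Firewall
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
        PID                : 1440
        FLAGS              :

SERVICE_NAME: ExampleAgent
DISPLAY_NAME: Example Monitoring Agent
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 1  STOPPED
        WIN32_EXIT_CODE    : 1077  (0x435)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
        PID                : 0
        FLAGS              :
"""

# "FIELD_NAME : value" with any indentation; the value may be empty (FLAGS).
FIELD = re.compile(r"^\s*([A-Z0-9_]+)\s*:\s*(.*)$")

# Assumed list of protective services whose absence or stopped state should
# be surfaced; adjust it to the host's build.
REQUIRED_RUNNING = ("WinDefend", "mpssvc")


def parse_sc_queryex(text):
    """Return {service_name: {"display", "state", "state_code", "pid", "exit_code"}}."""
    services, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("("):
            continue  # blank separators and the "(STOPPABLE, ...)" continuation
        m = FIELD.match(line)
        if not m:
            continue
        field, value = m.group(1), m.group(2).strip()
        if field == "SERVICE_NAME":
            current = {"name": value}
            services[value] = current
        elif current is None:
            continue
        elif field == "DISPLAY_NAME":
            current["display"] = value
        elif field == "STATE":
            code, name = value.split(None, 1)  # e.g. "4  RUNNING"
            current["state_code"], current["state"] = int(code), name.strip()
        elif field == "PID":
            current["pid"] = int(value)
        elif field == "WIN32_EXIT_CODE":
            current["exit_code"] = int(value.split()[0])  # "1077  (0x435)" -> 1077
    return services


def running_pids(services):
    """PID of every RUNNING service, keyed by service name."""
    return {n: s["pid"] for n, s in services.items() if s.get("state") == "RUNNING"}


def protection_gaps(services, required=REQUIRED_RUNNING):
    """Required services that are missing from the host or not RUNNING."""
    return [n for n in required
            if n not in services or services[n].get("state") != "RUNNING"]


def stopped_with_errors(services):
    """STOPPED services with a non-zero Win32 exit code; worth a closer look."""
    return sorted(n for n, s in services.items()
                  if s.get("state") == "STOPPED" and s.get("exit_code", 0) != 0)


if __name__ == "__main__":
    svcs = parse_sc_queryex(SAMPLE_SC)
    print("gaps:", protection_gaps(svcs))
    print("stopped with errors:", stopped_with_errors(svcs))
```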


That's it for manual enumeration! Do feel free to let me know if you feel that I missed any other important domains in Windows manual enumeration.

~Nee.