{"id":58678,"date":"2022-09-20T16:52:03","date_gmt":"2022-09-20T08:52:03","guid":{"rendered":"https:\/\/version-2.com\/?p=58678"},"modified":"2022-11-11T15:23:03","modified_gmt":"2022-11-11T07:23:03","slug":"windows-enumeration","status":"publish","type":"post","link":"https:\/\/version-2.com\/zh\/2022\/09\/windows-enumeration\/","title":{"rendered":"Windows Enumeration"},"content":{"rendered":"\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

<\/p>

You have gotten a shell but you are not yet a privileged user, and now you want to enumerate the system to try and find a way to escalate those privileges so that you can become a system level user.<\/p>

System Enumeration<\/h4>

With a quick findstring \u2013 findstr<\/em>, and a couple of other commands we can issue a command like this:<\/p>

<\/p>

You can easily see what system and version you run, architecture, etc. Remember! You want to find adequate exploits for the system in question, you might run into an x86 architecture, or a Windows Enterprise system, so you don\u2019t want to bombard it with random exploits. That\u2019s why enumeration is key \u2013 so you can extract information that you can use. As we all know there are five stages to the process \u2013 but enumeration is usually the vital part! Enumerate, enumerate, enumerate!!<\/p>

To check for patches and other stuff that\u2019s installed on the target Windows computer, you might use a command like this:<\/p>

wmic qfe<\/strong><\/p>

Wmic is the Windows Management Instrumentation (WMI \u2013 sysadmins\/engineers and our support guys knows what this is about) and the WMIC is a command-line interface for the WMI.<\/p>

QFE in the command above will look for recently installed patches. Very useful when trying to discover what type of exploit the computer will be vulnerable to. QFE stands for Quick Fix Engineering. After running the command on my system, you can observe the following:<\/p>

<\/p>

As you can notice, you will see the related KB \u2013 knowledge base, type of update (security, etc.), who installed it, the HotFix ID, as well as the date it was installed on. Further, if you only want specific stuff, like the Caption, HotFixD and Installed on, you can run something like this:<\/p>

wmic qfe get Caption,HotFixID,InstalledOn<\/strong><\/p>

<\/p>

To enumerate drives, you can issue a command like this:<\/p>

wmic logicaldisk<\/strong><\/p>

This will give a messy output, though, so you can use the same methodology as the above and for example say get Caption:<\/p>

wmic logicaldisk get Caption<\/strong><\/p>

<\/p>

And quickly check if there are any drives other than the C: drive on the computer. (In my case there\u2019s not, but if there are, this command will find them, and you might want to look around those drives in search for something interesting\u2026)<\/p>

Of course, you can also use the good ol\u2019 hostname <\/em><\/strong>and whoami <\/em><\/strong>to check the name of the computer you\u2019re currently within, and to check the domain\/username of that same computer, respectively.<\/p>

Network Enumeration<\/h4>

I will just do a few of the commands here, just so you can get a basic idea of what you might end up doing upon entering the system. You would probably start with the basic ipconfig <\/em><\/strong>command or the ipconfig \/all<\/em><\/strong> command to see the information about stuff like the default gateway, DNS server, etc. If you\u2019re on a domain, you might see a DC as a DNS server.<\/p>

Another one is arp -a<\/em><\/strong> which can tell you about the stuff that\u2019s communicating with your box. A quick look at the route tables, with a route print<\/em><\/strong> you can also see where your machine is communicating too. This is cool as it will show you the NICs on the machine, telling you if you need to elevate or if you can just pivot of that other NIC.<\/p>

A very important command here to do is netstat<\/em><\/strong>! You want to do the netstat -ano<\/em><\/strong> and check what services are listening and where. You can gather a lot of information here, and in conjunction with the commands above with all this stuff you might also glean a bit on the architecture of the said network\/systems. Of course, the mileage may vary. If you\u2019re a seasoned pro, even though you might be using the same commands, you would immediately understand what\u2019s happening, but regardless, it is a place to start no matter the experience.<\/p>

User Enumeration<\/h4>

Here you can do something like:<\/p>

whoami \/priv<\/strong><\/p>

To check for the privileges you have.<\/p>

whoami \/groups<\/strong><\/p>

To see which groups you belong to.<\/p>

Further, you would want to do a net user<\/em><\/strong> command to see what user you are\u2026 remember, if you just gained a foothold on a box, you might not necessarily be a user, you could also land on a service. In that case, you will probably want to find more users so you can escalate to them, or just immediately escalate to an administrator user.<\/p>

You can also do net user <username><\/em><\/strong> or net user administrator<\/em><\/strong> \u2013 to see what groups they belong to. To see the administrator group members you would do net localgroup administrators<\/em><\/strong>.<\/p>

These are some basic quick and dirty commands to check stuff about your users, groups, and their privileges.<\/p>

\u00a0<\/h4>

Remarks<\/h4>

All of the above can be done, and probably will if you\u2019re doing this professionally, with tools that can automate the process. But, in order to better understand those tools and what they\u2019re doing in the background, I created this short intro, cause ultimately it will be some variation or a more complex version of the stuff above with some more stuff tacked onto it.<\/p>

Lastly, those tools just might not work, or something else along those lines. Be aware of those caveats, as for example, WinPEAS is a very, very, good tool but it requires a version of .NET that’s greater than 4 which will obviously be useless if your Windows box that you got a hold of doesn\u2019t have and you are a user that can’t install it, or you don’t want to set off the alarms.<\/p>

The main idea here is to understand the context, which is also why all the pentesting tutorials and other resources almost exclusively emphasize the importance of having rock solid understanding of the basics.<\/p>

Tooling<\/h4>

Some of the tools you might end up using:<\/p>