Windows Post Enumeration

Introduction

In this blog post, we will look at manual post-exploitation enumeration techniques for gathering information about a compromised target in order to escalate privileges, exfiltrate data and maintain persistent access.

After compromising a device and gaining system-level access, the next step is to gather more information about the target system to understand the wider environment and escalate our privileges.

The very first command to execute

To get system information

systeminfo

To get system information remotely

systeminfo /S <targetIp> /U <domain>\<user> /P <Password>

To list the current user, their SID, the groups the user is a member of (with their SIDs) and the current privilege level.

whoami /all

To get OS Version

ver

To check file/folder permissions (cacls is deprecated; icacls is the current tool)

cacls
icacls

To show processes and the services hosted in each of them.

tasklist /svc

To show all processes and the DLLs they have loaded

tasklist /m

To list processes on a remote host

tasklist /S <targetIp> /v

To show all environment variables.

set

To look at specific variables such as USERDOMAIN, USERNAME, USERPROFILE, HOMEPATH, LOGONSERVER, COMPUTERNAME, APPDATA and ALLUSERSPROFILE, pass the variable name to set.

set USERPROFILE

To show the services on the system (note the space after "state=", which sc requires)

sc query state= all
net start

To search the registry for passwords (or any other string)

reg query HKLM /f password /t REG_SZ /s

To list all currently scheduled tasks that your current user is allowed to see.

schtasks

To get more information about a service (getkeyname takes the service's display name and returns its key name, which queryex then expects)

sc getkeyname "<display name>"
sc queryex <keyname>

To get all information about the workstation

net config workstation

To display hosts in the current domain

net view /domain

To list all users in the current domain

net user /domain

To add a user

net user username password /add

To add a user in Administrators

Add user to Administrators

To check network configurations of the system

ipconfig /all

To display local DNS Cache

ipconfig /displaydns

To list the listening ports of the system

netstat -an | findstr LISTENING

To list all open connections (with the owning process ID)

netstat -ano

To print the password policy for the domain

net accounts /domain

To print the members of Administrators local group

net localgroup administrators

To find active SMB sessions

net session | find /i "\\"

To search files for the string "password"

findstr /si password *.txt *.xml *.xls

To display Domain and DC info

wmic ntdomain list

To search for auto-start services whose path to the binary is unquoted (lines under C:\Windows and lines already containing quotes are filtered out)

wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "C:\windows\\" | findstr /i /v """
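As an added defender-side example (not code from the original post), the script below applies the same unquoted-service-path audit to saved `wmic service get name,pathname,startmode` output, but tests the actual condition, an unquoted image path that contains a space, rather than just the absence of quotes, so it does not flag unquoted paths without spaces or spaces that only occur in the arguments. The wmic rows are constructed sample data.

```python
import re

def _row(name, path, mode):
    # wmic prints fixed-width columns; pad the constructed rows the same way.
    return f"{name:<14}{path:<56}{mode}"

# Constructed sample of `wmic service get name,pathname,startmode` output.
SAMPLE_WMIC = "\n".join([
    _row("Name", "PathName", "StartMode"),
    _row("Spooler", r"C:\Windows\System32\spoolsv.exe", "Auto"),
    _row("AcmeBackup", r"C:\Program Files\Acme Backup\agent.exe -svc", "Auto"),
    _row("GoodVendor", r'"C:\Program Files\Good Vendor\good.exe" -svc', "Auto"),
    _row("PlainSvc", r"C:\svc\agent.exe -config C:\svc\my config.ini", "Auto"),
    _row("OldTool", r"C:\Program Files\Old Tool\tool.exe", "Manual"),
    "",
])

# Everything up to the first ".exe" is taken as the image path; the rest are arguments.
EXE_RE = re.compile(r"^(.*?\.exe)", re.IGNORECASE)

def parse_wmic(text):
    """Split fixed-width wmic output into (name, pathname, startmode) tuples."""
    lines = [l for l in text.splitlines() if l.strip()]
    header = lines[0]
    path_col = header.index("PathName")
    mode_col = header.index("StartMode")
    return [(l[:path_col].strip(), l[path_col:mode_col].strip(), l[mode_col:].strip())
            for l in lines[1:]]

def is_unquoted_with_space(pathname):
    """True when the image path is not quoted and contains a space (the risky case)."""
    p = pathname.strip()
    if p.startswith('"'):
        return False  # quoted: the service control manager knows where the image path ends
    m = EXE_RE.match(p)
    image = m.group(1) if m else p.split(" ")[0]
    return " " in image

def find_unquoted_service_paths(text, skip_system_root=True):
    """Return (name, pathname) for auto-start services with an unquoted, space-containing path."""
    hits = []
    for name, path, mode in parse_wmic(text):
        if mode.lower() != "auto":
            continue
        if skip_system_root and path.lower().startswith("c:\\windows\\"):
            continue
        if is_unquoted_with_space(path):
            hits.append((name, path))
    return hits

if __name__ == "__main__":
    for name, path in find_unquoted_service_paths(SAMPLE_WMIC):
        print(f"{name}: {path}")
```

On a real host, save the wmic output to a file and pass its contents to find_unquoted_service_paths; the findstr chain above and this check should agree on the true positives, while this one drops the false positives.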

To find other networks and static routes that have been configured

route print

To find files whose names match a search string

dir \ /s /b | find /I "searchstring"

Uninstalling software, e.g. "AntiVirus" (non-interactive)

wmic product get name /value (this lists installed software names)
wmic product where name="XXX" call uninstall /Interactive:Off (this uninstalls the software)

To disable Network Level Authentication for RDP and add a firewall exception for Remote Desktop

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d "0" /f
netsh firewall set service type=remotedesktop mode=enable

WMI commands

  • wmic bios
  • wmic qfe
  • wmic qfe get hotfixid (this lists installed patch IDs)
  • wmic startup
  • wmic service
  • wmic os
  • wmic process get caption,executablepath,commandline
  • wmic process call create "process_name" (executes a program)
  • wmic process where name="process_name" call terminate (terminates a program)
  • wmic logicaldisk where drivetype=3 get name,freespace,systemname,filesystem,size,volumeserialnumber (hard drive information)
  • wmic useraccount (usernames, SIDs and various other security-related details)
  • wmic useraccount get /ALL
  • wmic share get /ALL (you can use ? to get help)
  • wmic startup list full (this can be a huge list!)
  • wmic /node:"hostname" bios get serialnumber (useful for finding warranty information about the target)

Reg Command

  • reg save HKLM\Security security.hive (save the Security hive to a file)
  • reg save HKLM\System system.hive (save the System hive to a file)
  • reg save HKLM\SAM sam.hive (save the SAM hive to a file)
  • reg add [\\TargetIPaddr\][RegDomain]\[Key]
  • reg export [RegDomain]\[Key] [FileName]
  • reg import [FileName]
  • reg query [\\TargetIPaddr\][RegDomain]\[Key] /v [ValueName] (add /s to recurse through all values)

Conclusion

We have discussed a number of commands for gathering information about a compromised target and the techniques used in post-exploitation enumeration.