Windows Enumeration

Users

Information about the current user:

C:\Users\student> whoami
client251\student
C:\Users\student> net user student

Discover other user accounts on the system:

C:\Users\student>net user
User accounts for \\CLIENT251
-------------------------------------------------------------------------------
admin                    Administrator            DefaultAccount
Guest                    student                  WDAGUtilityAccount
The command completed successfully.

Hostname

Discover the hostname:

C:\Users\student>hostname
client251

Operating System Version and Architecture

Extract the name of the operating system (OS Name), its version and build (OS Version) and its architecture (System Type):

C:\> systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type"
OS Name:                   Microsoft Windows 10 Pro
OS Version:                10.0.16299 N/A Build 16299
System Type:               X86-based PC

The labels that findstr matches are localized, so the filter has to follow the UI language of the target. On an Italian installation, for example, the same three fields are named differently:
C:\> systeminfo | findstr /B /C:"Nome SO" /C:"Versione SO" /C:"Tipo sistema"

Running Processes and Services

List the running processes together with the services hosted in each process:

C:\> tasklist /SVC

Networking Information

Display the full TCP/IP configuration of all adapters:

C:\> ipconfig /all

Display the networking routing tables:

C:\> route print

Display active network connections:

C:\> netstat -ano

Firewall Status and Rules

Inspect the current firewall profile:

C:\> netsh advfirewall show currentprofile

List firewall rules:

C:\> netsh advfirewall firewall show rule name=all

Scheduled Tasks

Display scheduled tasks:

C:\> schtasks /query /fo LIST /v

Installed Applications and Patch Levels

List installed applications and their versions as recorded by the Windows Installer (applications that were not installed through the Windows Installer are not listed, and the query is slow because Win32_Product validates every package it enumerates):

C:\> wmic product get name, version, vendor
Name                                       Vendor                      Version
Microsoft OneNote MUI (English) 2016       Microsoft Corporation       16.0.4266.1001
Microsoft Office OSM MUI (English) 2016    Microsoft Corporation       16.0.4266.1001
...

Wmic can also be used to list system-wide updates by querying the Win32_QuickFixEngineering (qfe) WMI class:

C:\> wmic qfe get Caption, Description, HotFixID, InstalledOn
Caption                                     Description      HotFixID   InstalledOn
                                            Update           KB2693643  4/7/2018
http://support.microsoft.com/?kbid=4088785  Security Update  KB4088785  3/31/2018
...
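The findstr filters above depend on the UI language of the target, and wmic product misses anything not installed through the Windows Installer. The following PowerShell function is an added example (not part of the original notes) that covers both gaps: it reads the OS name, version and architecture from WMI, where the property names never change with locale, collects installed applications from the Uninstall registry keys (64-bit, 32-bit and per-user views), and lists installed updates through Get-HotFix, which queries the same Win32_QuickFixEngineering class as wmic qfe. Property and key names are standard Windows ones; the function name is my own.

```powershell
# Added example: locale-independent OS fingerprint plus software and patch inventory.
# Not part of the original notes. Requires Windows PowerShell 5.1 or later.
function Get-HostSoftwareInventory {
    # Win32_OperatingSystem property names are fixed, unlike the localized systeminfo labels.
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $osInfo = [pscustomobject]@{
        Caption      = $os.Caption          # e.g. "Microsoft Windows 10 Pro"
        Version      = $os.Version          # e.g. "10.0.16299"
        Architecture = $os.OSArchitecture   # "32-bit" or "64-bit"
        LastBoot     = $os.LastBootUpTime
    }

    # Uninstall keys list everything with an Add/Remove Programs entry, MSI or not.
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $apps = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        Select-Object DisplayName, DisplayVersion, Publisher, InstallDate, InstallLocation |
        Sort-Object DisplayName -Unique

    # Get-HotFix wraps Win32_QuickFixEngineering, the class behind "wmic qfe".
    $hotfixes = Get-HotFix |
        Sort-Object InstalledOn -Descending |
        Select-Object HotFixID, Description, InstalledOn

    [pscustomobject]@{
        OS           = $osInfo
        Applications = $apps
        HotFixes     = $hotfixes
        # The newest install date tells you roughly how far behind on patches the host is.
        NewestPatch  = ($hotfixes | Select-Object -First 1).InstalledOn
    }
}

$inv = Get-HostSoftwareInventory
$inv.OS
$inv.Applications | Format-Table -AutoSize
$inv.HotFixes | Format-Table -AutoSize
"Most recent update installed: $($inv.NewestPatch)"
```

The Uninstall keys still omit software that registers no uninstall entry (portable tools, some drivers), so this complements rather than replaces a look at Program Files and the services list.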

Readable / Writable Files and Directories

Find files with insecure permissions in the Program Files directory. accesschk.exe is a Sysinternals tool and is not present on a default installation, so it has to be brought to the target; -u suppresses errors, -w reports only objects the principal can write to, and -s recurses:

C:\> accesschk.exe -uws "Everyone" "C:\Program Files"

Accesschk v6.12 - Reports effective permissions for securable objects
Copyright (C) 2006-2017 Mark Russinovich
Sysinternals - www.sysinternals.com

RW C:\Program Files\TestApplication\testapp.exe

Search for any object that members of the Everyone group can modify (Modify right), using only built-in PowerShell:

PS C:\> Get-ChildItem "C:\Program Files" -Recurse -ErrorAction SilentlyContinue | Get-ACL | ?{$_.AccessToString -match "Everyone\sAllow\s\sModify"}

    Directory: C:\Program Files\TestApplication

Path        Owner                  Access
----        -----                  ------
test.exe BUILTIN\Administrators Everyone Allow  Modify, Synchronize...
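The regex on AccessToString above only catches the literal word Modify granted to Everyone; an ACE granting Write, FullControl or the right to change permissions to BUILTIN\Users or to the current user is just as exploitable. The function below is an added example (not part of the original notes) that evaluates the FileSystemRights flags of each Allow ACE against a set of write-class rights and a list of broad principals, which is how accesschk -w reasons about write access. The function name and the default principal list are my own choices; the rights and principal names are standard Windows values.

```powershell
# Added example: find files and directories whose DACL grants write-class rights
# to broad or low-privileged principals. Not part of the original notes.
function Find-WeakAcl {
    param(
        [string]$Path = $env:ProgramFiles,
        # Principals a low-privileged user is likely to be a member of, plus the current user.
        [string[]]$Principals = @(
            'Everyone',
            'BUILTIN\Users',
            'NT AUTHORITY\Authenticated Users',
            "$env:USERDOMAIN\$env:USERNAME"
        )
    )

    # Any one of these rights lets the holder alter or replace the object,
    # or rewrite its permissions to grant itself more.
    $writeMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
                 [System.Security.AccessControl.FileSystemRights]::Modify -bor
                 [System.Security.AccessControl.FileSystemRights]::FullControl -bor
                 [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
                 [System.Security.AccessControl.FileSystemRights]::TakeOwnership

    Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $item = $_
            # Directories we cannot read the ACL of are skipped rather than aborting the walk.
            $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction SilentlyContinue
            if (-not $acl) { return }

            foreach ($ace in $acl.Access) {
                if ($ace.AccessControlType -ne 'Allow') { continue }
                if ($Principals -notcontains $ace.IdentityReference.Value) { continue }
                # Generic rights (GENERIC_WRITE etc.) appear as large negative values and
                # are not decoded here; they are rare on file system objects.
                if (([int]$ace.FileSystemRights -band [int]$writeMask) -eq 0) { continue }

                [pscustomobject]@{
                    Path      = $item.FullName
                    Type      = if ($item.PSIsContainer) { 'Dir' } else { 'File' }
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
}

Find-WeakAcl | Format-Table -AutoSize
```

Group membership matters here: if net user shows the current account in a custom group, add that group to $Principals, since rights granted to it will not appear under the four default names.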

Unmounted Disks

List all drives that are currently mounted or physically connected but unmounted:

C:\> mountvol
Creates, deletes, or lists a volume mount point.
...
Possible values for VolumeName along with current mount points are:

    \\?\Volume{25721a7f-0000-0000-0000-100000000000}\
        *** NO MOUNT POINTS ***
    \\?\Volume{25721a7f-0000-0000-0000-602200000000}\
        C:\
    \\?\Volume{78fa00a6-3519-11e8-a4dc-806e6f6e6963}\
        D:\

Device Drivers and Kernel Modules

Because this technique relies on matching known driver vulnerabilities with corresponding exploits, we need to compile a list of the drivers and kernel modules loaded on the target.

We first produce a list of loaded drivers:

C:\> powershell.exe
PS C:\> driverquery.exe /v /fo csv | ConvertFrom-CSV | Select-Object 'Display Name', 'Start Mode', Path

Request the version number of each loaded driver:

PS C:\Users\student> Get-WmiObject Win32_PnPSignedDriver | Select-Object DeviceName, DriverVersion, Manufacturer | Where-Object {$_.DeviceName -like "*VMware*"}

DeviceName               DriverVersion Manufacturer
----------               ------------- ------------
VMware VMCI Host Device  9.8.6.0       VMware, Inc.
VMware PVSCSI Controller 1.3.10.0      VMware, Inc.
...
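driverquery gives the load path and Win32_PnPSignedDriver gives a version, but only for Plug and Play devices, and neither filters out the Microsoft drivers that make up most of the list. The function below is an added example (not part of the original notes) that takes every running driver from Win32_SystemDriver, normalizes the path forms the service database stores (\SystemRoot\..., \??\C:\..., or a path relative to the Windows directory), and reads the file version and company name from the binary itself, so third-party drivers can be pulled out and checked against vulnerability databases. The function name is my own; the class and property names are standard WMI.

```powershell
# Added example: inventory of running kernel drivers with on-disk path, file version
# and vendor, filtered to non-Microsoft drivers by default. Not part of the original notes.
function Get-RunningDriverInventory {
    param([switch]$IncludeMicrosoft)

    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            # PathName arrives in several forms:
            #   \SystemRoot\System32\drivers\x.sys
            #   \??\C:\Program Files\Vendor\x.sys
            #   system32\drivers\x.sys          (relative to the Windows directory)
            #   C:\Windows\System32\drivers\x.sys
            $p = $_.PathName -replace '^\\\?\?\\', ''
            $p = $p -replace '^\\SystemRoot', $env:SystemRoot
            if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }

            # VersionInfo is read from the PE resource; $null if the file is unreadable.
            $vi = (Get-Item -LiteralPath $p -ErrorAction SilentlyContinue).VersionInfo

            [pscustomobject]@{
                Name        = $_.Name
                DisplayName = $_.DisplayName
                StartMode   = $_.StartMode
                Path        = $p
                FileVersion = $vi.FileVersion
                Company     = $vi.CompanyName
            }
        } |
        # Drivers with no version resource have an empty Company and are kept on purpose:
        # an unbranded third-party driver is exactly what this search is for.
        Where-Object { $IncludeMicrosoft -or $_.Company -notlike 'Microsoft*' }
}

Get-RunningDriverInventory | Sort-Object Company, Name | Format-Table -AutoSize
```

Cross-check the Company column against the vendor names from Win32_PnPSignedDriver; the same vendor can appear under both, and the FileVersion from the binary is the value to search for when looking up advisories.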

Binaries That AutoElevate

Check the status of the AlwaysInstallElevated registry setting. The policy is only in force when the value is 1 under both HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER; if it is, any MSI package we install runs with elevated privileges, so we could craft an MSI file and run it to elevate our privileges:

C:\> reg query HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer
    AlwaysInstallElevated    REG_DWORD    0x1

C:\> reg query HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer
    AlwaysInstallElevated    REG_DWORD    0x1
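reg query fails with an error when the Installer policy key does not exist at all, which is the common case and is easy to misread. The function below is an added example (not part of the original notes) that reads both hives, treats a missing key or value as 0, and reports whether the policy is effectively enabled, i.e. set to 1 in both HKLM and HKCU. The function name is my own; the key path and value name are the standard policy locations shown above.

```powershell
# Added example: report whether AlwaysInstallElevated is effectively enabled.
# The policy only takes effect when BOTH hives hold a value of 1. Not part of the original notes.
function Test-AlwaysInstallElevated {
    $subKey = 'Software\Policies\Microsoft\Windows\Installer'
    $result = [ordered]@{}

    foreach ($hive in 'HKLM', 'HKCU') {
        $path = "${hive}:\$subKey"
        # Get-ItemProperty errors if the key or value is absent; SilentlyContinue turns
        # that into $null, which we record as 0 (policy not set in this hive).
        $value = (Get-ItemProperty -Path $path -Name AlwaysInstallElevated `
                    -ErrorAction SilentlyContinue).AlwaysInstallElevated
        $result[$hive] = if ($null -eq $value) { 0 } else { [int]$value }
    }

    # A value of 1 in only one hive is not exploitable; msiexec honours the policy
    # only when the machine and user settings agree.
    $result['Enabled'] = ($result['HKLM'] -eq 1 -and $result['HKCU'] -eq 1)
    [pscustomobject]$result
}

Test-AlwaysInstallElevated
```

On a default installation the output is HKLM 0, HKCU 0, Enabled False; the Enabled column is the only one that matters for the MSI technique described above.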
