Once you’ve exploited a machine and have a foothold, it’s time to enumerate from the inside to understand how you might escalate privileges or move laterally.

Our upcoming WinDeBeest script will handle a lot of this enumeration for you and direct you to the appropriate places on the website.

Even if an approach looks likely to work, it’s not guaranteed; that’s the nature of penetration testing. Often it’s a case of working through many different possibilities and sets of information, hunting for files and planning lateral movements to eventually reach SYSTEM. It all starts with your initial approach to Windows enumeration, and it should be repeated for each system you access and for each user you gain access as.

Current Local User

First, you need to know who you are on the system you’re accessing: group memberships, privileges, integrity level and more.

whoami
# prints the current account as COMPUTERNAME\username for a local account, or DOMAIN\username for a domain account

hostname
# prints the hostname. Names like 'Web02' or 'DB1' often hint at what the machine does

whoami /groups
# lists the groups in the current token with their SID, type and attributes. 'Alias' in the Type column marks a local group; the Attributes column tells you whether that membership is enabled. Good ones to look for include BUILTIN\Administrators, BUILTIN\Remote Desktop Users and BUILTIN\Backup Operators. The 'Mandatory Label' row shows the integrity level: a Medium level for an admin account means you're on a UAC-filtered token and still need to elevate.

whoami /priv
# lists the privileges assigned to the current token. Everything listed is assigned to your user; 'Disabled' only means the privilege isn't currently switched on in the token, and a process can enable it, so don't discount disabled entries. Privileges such as SeImpersonatePrivilege, SeBackupPrivilege, SeRestorePrivilege and SeDebugPrivilege deserve a closer look.

Local Users

These are the other users on the system. Taking a good look at each one individually could help you understand your next move.


Get-LocalUser
# lists local accounts and whether they're enabled. Note non-default accounts and their descriptions; admin status comes from group membership, checked below

Get-LocalGroup
# shows groups. Look for admin groups and interesting descriptions

Get-LocalGroupMember groupname
# shows members of the local group groupname

Get-LocalGroupMember Administrators
# lists the members of the local group 'Administrators', including any domain users or groups nested into it

net user <username>
# shows details of a specific account: whether it's active, last logon, when the password was last set and its group memberships. 'net user' on its own lists all local accounts.

runas /user:<username> cmd
# opens a cmd as that user if you know their password. It prompts for the password interactively (it can't be piped in) and spawns a new window, so it only works from an interactive session such as a console or RDP, not from a reverse shell.
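When you hold another account's password but your shell cannot answer runas's prompt, the following added example (not code from the original page) first validates the password against the local SAM without spawning anything, then runs a command as that user with Start-Process and a PSCredential, capturing the output to a file because the new logon session's console is not yours. The account name svc_backup and the password are placeholders.

```powershell
# Added example, not from the original page. 'svc_backup' / 'Passw0rd!' are placeholders.
$account = 'svc_backup'
$plain   = 'Passw0rd!'

# 1) Check the password without creating a process. ContextType 'Machine' validates
#    against the local SAM. A wrong guess counts towards the account's lockout
#    threshold, so this is a check, not a spraying tool.
Add-Type -AssemblyName System.DirectoryServices.AccountManagement
$ctx = New-Object System.DirectoryServices.AccountManagement.PrincipalContext('Machine')
if (-not $ctx.ValidateCredentials($account, $plain)) {
    throw "Password for $account is wrong, or the account is disabled or locked out"
}

# 2) Run a command as that user. Start-Process makes a new logon session whose
#    output does not return to this shell, so redirect it to a file we can read.
$cred = New-Object System.Management.Automation.PSCredential(
    "$env:COMPUTERNAME\$account", (ConvertTo-SecureString $plain -AsPlainText -Force))
$out = Join-Path $env:TEMP 'runas_out.txt'
Start-Process -FilePath 'powershell.exe' -Credential $cred -Wait `
    -ArgumentList '-NoProfile', '-Command', 'whoami /all' `
    -RedirectStandardOutput $out
Get-Content $out

# 3) If Start-Process fails with "Access is denied" or "The handle is invalid", the
#    session you're in has no desktop the new process can attach to. Where WinRM is
#    enabled, running through it avoids the desktop entirely:
# Invoke-Command -ComputerName localhost -Credential $cred -ScriptBlock { whoami /all }
```

Step 1 is worth keeping separate: it tells you whether the credential is good before you commit to a method of using it, and it distinguishes a bad password from a disabled or locked account.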

System enumeration

In this stage, you’re looking for installed software, processes, network connections and similar, to understand everything that’s going on with the box you’re accessing.


systeminfo
# reveals OS name and version, build number, installed hotfixes, system manufacturer and model, system type (x86/x64), domain and boot time. The version and hotfix list are what you compare against patch advisories

ipconfig /all
# shows the IP configuration: interfaces, DNS servers, DHCP and the DNS suffix. Extra interfaces or subnets are leads for moving to other systems

route print
# prints the routing table, which shows what other networks this host can reach

netstat -ano
# shows listening ports and established connections together with the owning PID (-o); map a PID to its process with tasklist /fi "PID eq <pid>". Ports bound only to 127.0.0.1 weren't visible from your external scan and are candidates for port forwarding.
# Established connections can mean other users or hosts are interacting with the box; their credentials may be in memory, which is a good thing for mimikatz and the like.

Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*", "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*" -ErrorAction SilentlyContinue | Where-Object DisplayName | Select-Object DisplayName, DisplayVersion
# lists installed applications with their versions. The Wow6432Node key only holds 32-bit software on a 64-bit host, so query both keys. Look for programs that aren't default, check their versions against known issues, and think about what the software does and who runs it.

Get-Process
# lists running processes. Look for non-Microsoft processes and anything running as SYSTEM or another user. Get-Process -IncludeUserName shows the owner but needs administrator rights; as a low-privileged user, 'tasklist /v' shows the owner of the processes you're allowed to query.
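The netstat and process checks above can be joined, so that every socket carries its process name and the two interesting classes fall out directly: listeners bound only to loopback (missed by your external scan, reachable after port forwarding) and established connections from other hosts. The following is an added example, not code from the original page; it parses the output of netstat -ano, whose state strings are localised on non-English Windows.

```powershell
# Added example, not from the original page: join netstat -ano to process names.
function Get-NetstatTriage {
    $names = @{}
    Get-Process | ForEach-Object { $names[$_.Id] = $_.ProcessName }

    netstat -ano | Where-Object { $_ -match '^\s*(TCP|UDP)\s' } | ForEach-Object {
        $f     = $_.Trim() -split '\s+'
        $proto = $f[0]
        $state = if ($proto -eq 'TCP') { $f[3] } else { 'STATELESS' }   # UDP rows have no State column
        $owner = [int]$f[-1]
        # Local address is "addr:port"; IPv6 looks like "[::]:135", so split on the last colon.
        $cut   = $f[1].LastIndexOf(':')
        $addr  = $f[1].Substring(0, $cut)
        [pscustomobject]@{
            Proto        = $proto
            LocalAddress = $addr
            Port         = [int]$f[1].Substring($cut + 1)
            Remote       = $f[2]
            State        = $state
            PID          = $owner
            Process      = if ($names.ContainsKey($owner)) { $names[$owner] } else { '?' }
            LoopbackOnly = ($addr -in @('127.0.0.1', '[::1]'))
        }
    }
}

$conns = Get-NetstatTriage

"== Listening on loopback only (port-forward candidates) =="
$conns | Where-Object { $_.State -eq 'LISTENING' -and $_.LoopbackOnly } |
    Sort-Object Port -Unique | Format-Table Proto, Port, PID, Process -AutoSize

"== Established connections (who else is on this box?) =="
$conns | Where-Object { $_.State -eq 'ESTABLISHED' } |
    Format-Table LocalAddress, Port, Remote, Process -AutoSize
```

A loopback-only listener owned by a service running as SYSTEM is exactly the kind of thing worth forwarding out and scanning as if it were a fresh target.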

Scheduled Tasks

Scheduled tasks are worth noting: a task that runs as SYSTEM or another user and executes something you can modify is a privilege escalation opportunity, so enumerate who each task runs as and what it runs.


Get-ScheduledTask
# PowerShell list of tasks. Pipe to Format-List to see each task's Principal (who it runs as) and Actions (what it executes), or to Get-ScheduledTaskInfo for last and next run times

schtasks /query /fo LIST /v
# lists all scheduled tasks verbosely, including "Run As User" and "Task To Run". As a low-privileged user you only see the tasks you're allowed to read, so a short list isn't conclusive
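The triage the section describes, as an added example that is not code from the original page: list the non-Microsoft tasks with who they run as and what they execute, then test whether the current user can write to the executable or to its directory (a missing executable in a writable directory is caught too). Test-Writable is intrusive in a small way: it opens files for write and briefly creates a file in a directory, so it is a real test rather than an ACL guess. Get-ScheduledTask only returns tasks your account may read.

```powershell
# Added example, not from the original page.
function Test-Writable {
    param([string]$Path)
    if (-not $Path) { return $false }
    try {
        if (Test-Path -LiteralPath $Path -PathType Container) {
            # Create and delete a random file: the only reliable answer to "can I write here?"
            $probe = Join-Path $Path ([IO.Path]::GetRandomFileName())
            [IO.File]::Create($probe).Dispose()
            Remove-Item -LiteralPath $probe -Force
            return $true
        }
        if (Test-Path -LiteralPath $Path -PathType Leaf) {
            # Open for write without modifying the file
            [IO.File]::Open($Path, 'Open', 'Write', 'ReadWrite').Dispose()
            return $true
        }
        # Path doesn't exist: if its parent is writable we could supply the file ourselves
        return (Test-Writable (Split-Path $Path -Parent))
    } catch { return $false }
}

function Get-TaskTriage {
    Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' } | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }   # COM-handler actions have no executable
            # Expand %SystemRoot%-style variables and strip quotes so the path can be tested.
            # Bare names such as "cmd.exe" resolve via PATH and are reported as not writable.
            $exe   = [Environment]::ExpandEnvironmentVariables($action.Execute.Trim('"'))
            $runAs = if ($task.Principal.UserId) { $task.Principal.UserId } else { $task.Principal.GroupId }
            [pscustomobject]@{
                Task        = $task.TaskPath + $task.TaskName
                RunAs       = $runAs
                RunLevel    = $task.Principal.RunLevel
                State       = $task.State
                Execute     = $exe
                Arguments   = $action.Arguments
                CanWriteExe = Test-Writable $exe
                CanWriteDir = Test-Writable (Split-Path $exe -Parent)
            }
        }
    }
}

# Everything, then only the tasks where we can influence what runs
Get-TaskTriage | Format-Table Task, RunAs, RunLevel, Execute -AutoSize
Get-TaskTriage | Where-Object { $_.CanWriteExe -or $_.CanWriteDir } | Format-List
```

Pair a hit with Get-ScheduledTaskInfo to learn when the task last ran and will next run; a writable target that never runs is not much of a finding.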
  

Discovering Sensitive Information

We often assume that hacking is about technical prowess, and to some degree it is, but moving deeper into a system can be as simple as locating a password file or a password-manager database and cracking it.


Get-ChildItem -Path C:\ -Include *.kdbx -File -Recurse -ErrorAction SilentlyContinue
# searches the whole C: drive for files with the .kdbx extension (KeePass databases), suppressing access-denied errors. If you've identified KeePass on this system, hunt for its database: it's protected by a master password, which can be cracked offline

The same command works for any extension or folder, but be conscious of the type of file you’re searching for. Any system could have hundreds of thousands of .txt files, so narrow the path or the name pattern to avoid masses of useless output.

History Files

On Windows systems, we don’t always have access to a command history like we often do in Linux, but where PSReadLine is in use PowerShell keeps one on disk.

Get-History
# shows the history of the current PowerShell session only, if there is one

(Get-PSReadLineOption).HistorySavePath
# prints the path of the PSReadLine history file, which persists across sessions. By default it is %APPDATA%\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt

type (Get-PSReadLineOption).HistorySavePath
# shows the saved PowerShell history. We're looking for credentials, files accessed, and commands or environment variables the user set that could further our access. Other users' history files sit at C:\Users\<user>\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt and are worth trying if their profiles are readable.
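An added example serving both the file hunt and the history search above (not code from the original page): a targeted search for files that commonly hold credentials, a content grep for "password=" style strings in small text and config files, and a sweep of every readable user's PSReadLine history. The root directories, name patterns and keyword regexes are this example's assumptions; trim them to the box you are on.

```powershell
# Added example, not from the original page. Patterns and roots are assumptions.
function Find-SensitiveFiles {
    param(
        [string[]]$Roots = @("$env:SystemDrive\Users", "$env:SystemDrive\inetpub", "$env:SystemDrive\ProgramData"),
        [string[]]$Names = @('*.kdbx', '*.rdp', '*.ppk', 'id_rsa', '*.pem', '*.pfx', '*.ovpn',
                             'unattend.xml', 'sysprep.inf', 'web.config', '*.config', '*.ini')
    )
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -Path $root -Include $Names -File -Recurse -Force -ErrorAction SilentlyContinue |
            Select-Object FullName, Length, LastWriteTime
    }
}

function Find-CredentialStrings {
    param(
        [string[]]$Roots   = @("$env:SystemDrive\Users"),
        [string]$Pattern   = '(passw(or)?d|pwd|secret|connectionstring)\s*[=:]',
        [int]$MaxKB        = 512    # skip big files: logs and dumps drown the real hits
    )
    Get-ChildItem -Path $Roots -Include '*.txt', '*.ini', '*.config', '*.xml', '*.json', '*.ps1', '*.bat', '*.cmd' `
                  -File -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Length -le ($MaxKB * 1KB) } |
        Select-String -Pattern $Pattern -ErrorAction SilentlyContinue |
        Select-Object Path, LineNumber, Line
}

function Get-AllUsersPSHistory {
    # Default PSReadLine location; your own exact path is (Get-PSReadLineOption).HistorySavePath
    $rel      = 'AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt'
    $keywords = 'passw|pwd|cred|secret|token|ConvertTo-SecureString|net use|runas|-p '
    foreach ($dir in Get-ChildItem "$env:SystemDrive\Users" -Directory -ErrorAction SilentlyContinue) {
        $hist = Join-Path $dir.FullName $rel
        if (-not (Test-Path -LiteralPath $hist)) { continue }   # also false when access is denied
        Select-String -LiteralPath $hist -Pattern $keywords -ErrorAction SilentlyContinue |
            ForEach-Object { [pscustomobject]@{ User = $dir.Name; Line = $_.LineNumber; Command = $_.Line } }
    }
}

Find-SensitiveFiles    | Format-Table -AutoSize
Find-CredentialStrings | Format-Table -AutoSize
Get-AllUsersPSHistory  | Format-Table -AutoSize
```

The size cap and the restricted roots are what keep this usable on a real box; widening them to C:\ and *.txt brings back exactly the flood of useless output warned about above.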