Enumerating on a Windows System

The first access and foothold phase is an important aspect of a red teaming effort since it allows us to get access to the target. Target assaults such as social engineering schemas, phishing and spear-phishing, and exploitation are used to get the first footing. The purpose of this article is to showcase some of the most commonly used tools by security experts in this area.

Initial Access refers to strategies that employ different entrance vectors to acquire their first footing in a network. Targeted spear phishing and exploiting vulnerabilities on public-facing web servers are two techniques used to get a foothold. Footholds obtained through first access may allow for continuing access, such as legitimate accounts and usage of external remote services, or they may be limited use owing to password changes.

And Here is the Checklist which I personally follow when I get Initial Access to a Windows machine. And I recommend everyone should follow this checklist as it is inspired by OSCP Guide Book.

Enumerating Users

1. whoami

2. Net user

Enumerating the host name

1. hostname

Enumerating System Version and Architecture

1. systeminfo command with findstr

Where,

/B - If it is at the beginning of a line, it matches the text pattern.

/C - The given text is used as a literal search string.

Enumerating Running processes and Services

1. Tasklist

Where,

/svc - Returns processes that are associated with a specified Windows service.

Enumerating Networking Information

1. ipconfig /all

2. Route print

3. Netstat -ano

Where,

a - will list all currently active TCP connections

n - will enable us to show the address and port number numerically

o - will show the PID of the connection's owner

Enumerating Firewall Status & Rules

1. netsh advfirewall show currentprofile

2. Netsh advfirewall firewall show rule name=all

Enumerating Scheduled Tasks

1 .schtasks /query /fo LIST /v

Where,

/query - Argument shows tasks

/Fo LIST - The output format is changed to a plain list.

/v - Requesting verbose output

Enumerating Installed Applications and Patch Levels

1. wmic product get name, version, vendor

Where,

wmic - Windows Management Instrumentation

Product - WMI Class argument

Get - Is used to look for specific property values.

** We may select the attributes we want, such as name, version, and vendor.

2. Wmic qfe get Caption, Description, HotFixID, InstallatedOn

A combination of the HotFixID and the InstalledOn information can offer us with an accurate picture of the target Windows Operating System's security posture.

Enumerating Readable/Writable Files and Directories

1. accesschk.exe

Insufficient access controls in files can lead to a vulnerability that grants an attacker higher privileges. This occurs most frequently when an attacker has access to scripts or binary files that are run under the context of a privileged account.

On a Windows platform, there are a variety of programmes and tools that can automate this job for us. AccessChk from sysinternals is the most well-known and widely used utility for this purpose.

Enumerating Unmounted Disks

1. mountvol

Most systems mount discs automatically when they boot. As a result, it's easy to overlook unmounted discs that may hold crucial information. Always look for unmounted discs and, if found, check the mount permissions.

Enumerating Device Drivers and Kernel Modules

1. Powershell with driverquery

driverquery.exe /v /fo csv | ConvertFrom-csv | Select-Object ‘Display Name’,’Start Mode’, Path

Exploiting device drivers and kernel modules is another prevalent method of privilege escalation. Because this approach relies on matching vulnerabilities with related exploits, we'll need to generate a list of the target's drivers and kernel modules.

Here,

/v - Verbose output

/fo csv - To obtain the result in CSV format,

The result will be piped to the ConvertFrom-Csv cmdlet and Choose-Object, which will allow us to select single object properties or collections of objects such as Display Name, Start Mode, and Path.

2. Get-WmiObject Win32_PnPSignedDriver | Select-Object DeviceName, DriverVersion, Manufacturer | Where-Object {$_.DeviceName -like “*VMware*”}

While this returned a list of loaded drivers, we still needed to take another step to obtain the version number of each loaded driver. We'll use the Acquire-WmiObject cmdlet to get the Win32 PnPSignedDriver WMI Instance, which contains driver digital signature information. We may enumerate certain attributes, such as the driver version, bypassing the result to Select-Object. By passing the output to Where-Object, we can selectively target drivers based on their names.

Enumerating Binaries that Auto Elevate

1. reg query

We should verify the AlwaysInstallElevated registry setting's state. Any user can launch Windows Installer packages with elevated privileges if this key is enabled (set to 1) in either HKEY CURRENT USER or HKEY LOCAL MACHINE.

If this option is enabled, we may create an MSI file and launch it to increase our rights.

Conclusion

In this blog, we learned how we can perform a series of checklists once we are into the windows machine, and following the checklist. you'll definitely get some vulnerabilities that you can exploit to move to privilege escalation. And it will only happen if the victim is not upgraded his system. And you learned how much enumeration is required once we are in.

If you want to master cybersecurity and establish a vibrant career in cybersecurity, choose our Cybersecurity Certification Training Programs, which include instructor-led live training and real-world project experience. This training program helps you gain a thorough understanding of cybersecurity and mastery of the subject.

Author

Ayush Pritam Bagde
Cybersecurity Researcher Intern