System Information

When we land on a victim machine, it is important that we take the time to enumerate its system. We need this information to help us with other post-exploitation activities such as privilege escalation. We will want to know the following:

This information helps us look for known vulnerabilities and exploits which can be used against the target system. The architecture matters if we are developing (and compiling) a priv esc exploit or crafting a meterpreter session. The installed security updates tell us whether an exploit is worth our while - there is no use if the vulnerability has already been patched!

If we have a meterpreter session on the victim machine, we can use getuid and sysinfo to find all of the above information except the installed updates and hotfixes.

We can gain the same information without meterpreter by using Windows commands.

We can use hostname to find the hostname.

A great command is systeminfo as it gives us all the necessary information, including the installed hotfixes and more. We can copy the hotfix IDs and look them up to find out what each hotfix was patching.

We can find out more about the hotfixes, and save ourselves from having to look up every hotfix ID, by using:

wmic qfe get Caption,Description,HotFixID,InstalledOn

We can then look for the Security Updates as these are the ones we are interested in. The output also includes links to further information about each update, so we will not have to use a search engine.

On some versions of Windows there is a file at C:\Windows\System32\eula.txt which gives information about the OS version, service pack and build, but it might not exist.

Users and Groups

We need to find out which user we have gained access as on the target machine, along with the privileges associated with that user. We will also need to enumerate the other users on the machine and the groups they belong to. This is important for priv esc purposes: we will want to know which users belong to groups with elevated privileges, such as the local administrators group.

We will want to find out the following:

Once we know which users belong to interesting groups we can target them for priv esc purposes.

From a meterpreter session, we can use getuid and getprivs, or run post/windows/gather/win_privs, to find out more about the current user and their privileges. We can also background the session and use the post/windows/gather/enum_logged_on_users module to find out which other users are logged on to the target machine.

We can use Windows commands to enumerate users and groups. The command whoami tells us the username, as does echo %USERNAME%. We can use whoami /priv to find out more about the privileges of the current user.

To find out more about other users on the compromised machine, we can use query user and net users, and to find out more about a specific user we can use net user messi (where messi is the username). The query user command shows us which users are logged on - this is important because we might need to be more careful with what we do if an admin user is logged on, as they might notice unusual activity more easily.

To find out which local groups exist on the victim machine, we can use net localgroup. We can look for interesting groups, as group membership can give users elevated privileges. We can list the members of an interesting group with net localgroup administrators, and then potentially target those members for priv esc purposes.

Network Information

It is important to enumerate network information when we compromise a machine, as this helps us potentially pivot to other hosts and networks. We are mostly interested in finding out about internal networks the machine might be connected to, along with firewalls, as these determine what we can do when it comes to ports. We therefore need to find out about:

We can use ipconfig and ipconfig /all to find out more about the network adapters the machine is using, along with their network information such as IPv4 addresses and subnet masks. It also shows us the IP address of the default gateway, which is responsible for routing traffic off the local subnet.

We can use route print to look at the routing table to see if there are any extra or interesting routes.

We can use arp -a to look at the ARP table, which shows other devices the compromised machine has recently communicated with.

We can use netstat -ano to look at TCP and UDP connections and listening ports, along with their states and the owning process IDs.

To see the state of the firewall we can use netsh advfirewall show allprofiles. We can also look at more specific rules - the built-in help shows what is available: netsh advfirewall firewall help

Processes and Services

It is important to find out more about the processes (an instance of a running executable), services (a process which runs in the background and does not interact with the desktop, like a daemon) and scheduled tasks. We want to know more about these because they can potentially help us elevate our privileges and allow us to migrate to a more stable or less suspicious process ID.

We can use ps inside a meterpreter session to list the running processes. We can filter by architecture using ps -A x64, and we can filter for processes running as NT AUTHORITY\SYSTEM using ps -s. We will only see these processes if we are operating in the security context of a privileged user. We can look up the PID of a known process using pgrep explorer.exe

The process id is important, along with the name of the process, its architecture and the security privileges it is running under.

We can migrate our meterpreter session to a different process using migrate 832 (where 832 is the target PID). explorer.exe is stable and a good choice to migrate to. If we migrate into a 64-bit process, our meterpreter session will operate as a 64-bit session.

From a Windows cmd shell we can use net start to see the running services. We can get more information about them using wmic service list brief

We can list running processes along with the services hosted in each of them using tasklist /SVC. This is an important command.

We can use schtasks /query /fo LIST /v to look at scheduled tasks. A lot of information is returned, so it makes sense to copy and paste it into a .txt file.
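From the defender's side, the native commands in the System Information, Users and Groups, Network Information and Processes and Services sections above leave a recognisable trail in process-creation logs. The following Python is an added example, not part of the original notes: it classifies command-line records into those four categories and flags a host/user pair that runs several categories within a few minutes. The record layout and the sample events are constructed for illustration and do not mirror a real Windows log format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Native discovery commands from the sections above, grouped by what they enumerate.
DISCOVERY = {
    "system": re.compile(r"\b(systeminfo|hostname|wmic\s+qfe)\b", re.I),
    "users": re.compile(r"\b(whoami|query\s+user|net\s+users?|net\s+localgroup)\b", re.I),
    "network": re.compile(r"\b(ipconfig|route\s+print|arp\s+-a|netstat|netsh\s+advfirewall)\b", re.I),
    "processes": re.compile(r"\b(tasklist|net\s+start|wmic\s+service|schtasks)\b", re.I),
}
WINDOW = timedelta(minutes=5)   # commands must fall within this span to count as one burst
MIN_CATEGORIES = 3              # distinct categories in one window before we alert

def classify(cmd):
    # Return the discovery category a command line falls into, or None if it is not one
    for name, pattern in DISCOVERY.items():
        if pattern.search(cmd):
            return name
    return None

def detect_discovery_bursts(lines):
    # Return (host, user, first_ts, categories) for each host/user pair that runs
    # commands from MIN_CATEGORIES or more categories within WINDOW of each other
    by_actor = defaultdict(list)
    for line in lines:
        # Constructed record format: ISO timestamp|host|user|command line
        ts, host, user, cmd = line.split("|", 3)
        category = classify(cmd)
        if category:
            by_actor[(host, user)].append((datetime.fromisoformat(ts), category))
    alerts = []
    for (host, user), events in by_actor.items():
        events.sort()                      # oldest first, so each event opens a window
        for i, (start, _) in enumerate(events):
            seen = {c for t, c in events[i:] if t - start <= WINDOW}
            if len(seen) >= MIN_CATEGORIES:
                alerts.append((host, user, start, sorted(seen)))
                break                      # one alert per actor is enough for triage
    return alerts

# Constructed sample: a discovery burst from one user on WS01, one routine check on WS02.
SAMPLE_EVENTS = [
    "2024-03-01T10:00:05|WS01|CORP\\jdoe|cmd.exe /c systeminfo",
    "2024-03-01T10:00:40|WS01|CORP\\jdoe|whoami /priv",
    "2024-03-01T10:01:10|WS01|CORP\\jdoe|net localgroup administrators",
    "2024-03-01T10:02:30|WS01|CORP\\jdoe|netsh advfirewall show allprofiles",
    "2024-03-01T10:03:00|WS01|CORP\\jdoe|tasklist /SVC",
    "2024-03-01T10:00:15|WS02|CORP\\helpdesk|ipconfig /all",
]
```

Calling detect_discovery_bursts(SAMPLE_EVENTS) returns a single alert for WS01 spanning all four categories; the lone ipconfig on WS02 stays below the threshold, which is the point of counting categories rather than individual commands.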

Automating Windows Local Enumeration

It is useful to automate local enumeration as it saves time and makes sure the basic checks are performed. Automated enumeration scripts also look for common priv esc opportunities. Time is limited on every penetration test, so it is best to speed up local enumeration of compromised machines using msf modules and/or scripts.

Meterpreter Modules

To find out more about our current user and their associated privileges, we can use: run post/windows/gather/win_privs

We can enumerate logged on and recently logged on users using: run post/windows/gather/enum_logged_on_users

We can check if the compromised system is running as a virtual machine by using: run post/windows/gather/checkvm

We can enumerate the installed applications which might be useful when we are looking for apps to target for priv esc opportunities using: run post/windows/gather/enum_applications

We can enumerate the other computers in the same domain as the compromised machine using run post/windows/gather/enum_computers, which could be useful when we are looking for machines to pivot to.

If we want to enumerate installed patches and hotfixes, we can use: run post/windows/gather/enum_patches

We can enumerate network shares which are available using: run post/windows/gather/enum_shares

We can arp scan a specified subnet using: run post/windows/gather/arp_scanner RHOSTS=172.16.16.0/24

We can list the active routing table using run autoroute -p, and we can add a route to a different subnet (for example an internal one we have found the compromised machine is connected to) using run autoroute -s 172.16.6.0/24. The active routing table should then show the new route. We will then be able to use the compromised machine as a pivot into the newly discovered network.

J.A.W.S.

A good PowerShell script to use is Just Another Windows Enumeration Script (JAWS). Since it is written in PowerShell, we do not have to worry about an .exe file failing to run.

First of all, we need to transfer the jaws.ps1 script onto the compromised machine. It makes sense to transfer it to C:\Temp

We can then execute the jaws.ps1 script using:

powershell.exe -ExecutionPolicy Bypass -File .\jaws.ps1 -OutputFilename jaws.txt

This saves the results into a .txt file called jaws.txt

If the above command does not work, we can try:

powershell.exe -ExecutionPolicy Bypass .\jaws.ps1 -OutputFilename jaws.txt

PrivescCheck

Another PowerShell script we can use is PrivescCheck.ps1. Once we have transferred it to the victim machine, we can run it using:

powershell.exe -ep bypass -c ". .\PrivescCheck.ps1; Invoke-PrivescCheck -Report pec1"

This runs the checks and saves the results into a file - in this case the output file is called pec1

We can get more information using the -Extended flag with the above command.