- System Enumeration
- User Enumeration
- Network Enumeration
- Password Hunting
- AV Enumeration
- Automated Enumeration Tools
- This is the stage where we have a reverse shell, and we need to enumerate the complete system for clues.
#from Meterpreter shell to Windows cmd
shell
systeminfo
#extract particular info
systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type"
hostname
wmic qfe
#list installed patches (hotfixes)
wmic qfe get Caption,Description,HotFixID,InstalledOn
#same list, restricted to the named columns
wmic logicaldisk get caption,description,providername
#list drives
#in windows cmd
whoami
whoami /priv
#list the current user's privileges
#certain privileges can be enabled and misused
whoami /groups
#check for administrative groups
net user
#users on machine
net user babis
#get info about a specific user (babis here)
net localgroup
net localgroup administrators
ipconfig
ipconfig /all
arp -a
#check arp tables
route print
#check routing tables
netstat -ano
#listening ports and connections, with the owning process ID
findstr /si password *.txt *.config *.ini
#search .txt, .config and .ini files under the current directory (recursive /s, case-insensitive /i) for the word 'password'
#PayloadAllTheThings also lists password-hunting commands and locations
sc query windefend
#service control
#check windows defender
sc queryex type= service
#list all services
#check the service names for AV products
netsh advfirewall firewall dump
#firewall enum
netsh firewall show state
netsh firewall show config
- Executables:
  - winPEAS.exe
  - Seatbelt.exe (compile)
  - Watson.exe (compile)
  - SharpUp.exe (compile)
- PowerShell
- Others:
  - windows-exploit-suggester.py (run locally)
  - Exploit Suggester (Metasploit)
#options when we cannot upload executables or files to the target
#in Meterpreter shell
#exploit suggester
run post/multi/recon/local_exploit_suggester
#shell
shell
systeminfo
#copy the systeminfo output into a text file on the attacker machine (samplesysinfo.txt below)
#in attacker machine
#update windows-exploit-suggester's database
python2 windows-exploit-suggester.py --update
#this downloads the Microsoft security bulletin database as an .xls file; xlrd 1.x is needed to read .xls
pip2 install --user xlrd==1.1.0
python2 windows-exploit-suggester.py --database 2022-10-27-mssb.xls --systeminfo samplesysinfo.txt
#this compares the installed patches against the database and lists the missing patches and the vulnerabilities tied to them
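As an added example (not part of these notes or of windows-exploit-suggester), a small Python parser for the systeminfo text that the suggester consumes: it extracts the OS fields and the multi-line Hotfix(s) list, and a defender-side check reports which required KBs are absent from a host. The sample output, hostname and KB numbers are constructed.

```python
import re

# Constructed sample of `systeminfo` output (trimmed; hostname and KB numbers are made up)
SAMPLE_SYSTEMINFO = """\
Host Name:                 WORKSTATION01
OS Name:                   Microsoft Windows 10 Pro
OS Version:                10.0.19044 N/A Build 19044
System Type:               x64-based PC
Hotfix(s):                 3 Hotfix(s) Installed.
                           [01]: KB5011487
                           [02]: KB5012117
                           [03]: KB5013942
Network Card(s):           1 NIC(s) Installed.
                           [01]: Intel(R) Ethernet Connection
                                 Connection Name: Ethernet
"""

# Top-level "Key: value" line (no leading whitespace) and indented "[NN]: value" item line
KEY_RE = re.compile(r"^(?P<key>\S[^:]*):\s*(?P<val>.*)$")
ITEM_RE = re.compile(r"^\s+\[\d+\]:\s*(?P<val>.+)$")

def parse_systeminfo(text):
    """Parse systeminfo output into a dict.
    Top-level "Key: value" lines become entries; indented "[NN]: value" lines
    are collected under "<Key> list" (the multi-line Hotfix(s) layout that
    windows-exploit-suggester reads). Deeper nested lines are ignored.
    """
    info, current = {}, None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            current = m.group("key").strip()
            info[current] = m.group("val").strip()
            continue
        m = ITEM_RE.match(line)
        if m and current:
            info.setdefault(current + " list", []).append(m.group("val").strip())
    return info

def installed_hotfixes(info):
    """Return the KB identifiers listed under Hotfix(s)."""
    return [h for h in info.get("Hotfix(s) list", []) if h.upper().startswith("KB")]

def missing_hotfixes(info, required):
    """Defender-side check: which required KBs are not installed on this host."""
    present = {h.upper() for h in installed_hotfixes(info)}
    return sorted(kb for kb in required if kb.upper() not in present)
```

Feeding it a real systeminfo dump lets a patch-baseline check run offline, the same input the suggester uses.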