This guide covers the fundamentals of Windows enumeration, system footprinting and other types of reconnaissance, as well as some useful cmd/PowerShell commands and cmdlets I’ve picked up while competing in CCDC. For both blue team and red team, it’s critical to know the ins and outs of your systems to ensure the security of your network.
The more information that can be collected about a system, the greater the chance of it becoming compromised. This guide will be useful both for the initial recon of a Windows system and for post-exploitation (especially if you only have access to a CLI). I’ll be adding more to this guide as I learn more about Windows Server and workstations. In future blogs, I’ll show how this gathered information can be used to escalate privileges in the domain.
Starting off
systeminfo
Displays detailed information and configurations of the computer and operating system.
wmic
The wmic command provides a command-line interface for Windows Management Instrumentation (WMI). Wmic activity is also not logged by the default audit policies and event logs. There’s a lot of info you can extract with this command, and some useful things you can do with it as well. Here are a few examples:
wmic /output:c:\os.html os get /format:hform
Generates an OS/system report in HTML
wmic logicaldisk where drivetype=3 get name, freespace, systemname, filesystem, size, volumeserialnumber
Displays hard drive info
wmic STARTUP GET Caption, Command, User
Finds programs/scripts that start on boot
wmic [useraccount/group/service] list
Gets info about users/groups/services
wmic qfe
Lists the updates (hotfixes) installed on the Windows machine
net
The net command manages many aspects of the network settings on a Windows machine. Some uses:
net [user/group]
Lists all local and domain users/groups.
net file
Shows a list of open files on a server.
net share
Lists/manages shared resources on the machine
net start
Displays running services.
qwinsta
Displays any users currently logged on. The “query session” command performs the same task.
cmdkey /list
Displays a list of all user names and credentials that are stored in credential manager.
icacls [path]
Gets permissions of the specified directory/file. Permissions are represented as uppercase letters in the output. Here is a quick overview of some of the permissions you will see:
Simple rights:
- F (full access)
- M (modify access)
- RX (read and execute access)
- R (read-only access)
- W (write-only access)
Inheritance rights (apply only to directories):
- (OI): object inherit
- (CI): container inherit
- (IO): inherit only
- (NP): do not propagate inherit
- (I): permission inherited from parent container
There is a list of other specific rights you can view in the Microsoft docs: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc753525(v=ws.10)?redirectedfrom=MSDN
The output can be verbose, so you can pipe it into filters. Example:
icacls "C:\Users\*" | findstr "(F)" | findstr "Everyone"
This narrows down your search by piping the output into “findstr”, which filters it to entries granting Full (F) permissions to the “Everyone” group.
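The findstr filter above only catches one group and one right. As an added example (not part of the original post), here is a small Python parser for icacls output that applies the rights and inheritance flags listed above to every entry and flags write-capable grants to broad groups; it assumes the icacls layout where the path is printed once and the remaining ACE lines are padded with len(path)+1 spaces, and the sample output is constructed, not taken from a real host.

```python
import re
from collections import namedtuple

# Constructed sample in the layout icacls uses: the path is printed once, and each
# further ACE for that path is padded with len(path)+1 spaces (not real host output).
SAMPLE = r"""
C:\Users\Public BUILTIN\Administrators:(F)
                NT AUTHORITY\SYSTEM:(F)
                Everyone:(OI)(CI)(M)
                NT AUTHORITY\INTERACTIVE:(OI)(CI)(RX)
C:\Users\Shared Tools CORP\it-admin:(I)(F)
                      NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(IO)(W)
                      CORP\svc_backup:(I)(OI)(CI)(F)
Successfully processed 2 files; Failed processing 0 files
"""

Ace = namedtuple("Ace", "path principal flags")
ACE_RE = re.compile(r"^(?P<principal>.+?):(?P<flags>(?:\([A-Za-z,]+\))+)$")
# Principals that mean "any user on the box"; a write-capable grant to them deserves a look.
BROAD = {"everyone", "builtin\\users", "nt authority\\authenticated users",
         "nt authority\\interactive"}
WRITABLE = {"F", "M", "W"}  # simple rights from the list above that allow changes

def parse_icacls(text):
    """Turn icacls output into Ace tuples; flags are the tokens inside parentheses."""
    lines = [l for l in text.splitlines() if l.strip() and not l.startswith("Successfully")]
    aces, path = [], None
    for i, line in enumerate(lines):
        if line[0] == " ":                   # indented: another ACE for the current path
            ace_text = line.strip()
        else:                                # new path; the next line's padding shows where it ends
            nxt = lines[i + 1] if i + 1 < len(lines) else ""
            if nxt.startswith(" "):
                cut = len(nxt) - len(nxt.lstrip(" ")) - 1
            else:                            # single ACE: first space (ambiguous for spaced paths)
                cut = line.find(" ")
            path, ace_text = line[:cut], line[cut + 1:]
        m = ACE_RE.match(ace_text)
        if m:
            flags = re.findall(r"\(([A-Za-z,]+)\)", m["flags"])
            aces.append(Ace(path, m["principal"], flags))
    return aces

def weak_aces(text):
    """ACEs that let a broad group change the object (a DENY entry is not a grant)."""
    return [a for a in parse_icacls(text)
            if a.principal.lower() in BROAD and WRITABLE & set(a.flags) and "DENY" not in a.flags]
```

Run it over output saved with icacls "C:\Users\*" > acl.txt to get the Everyone:(M) and Authenticated Users:(W) entries that the findstr filter above would miss.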
schtasks /query
Looks for any scheduled tasks running on the machine.
netsh
Network shell (netsh) is a command-line utility that allows you to configure and display the status of various network communications. I’ll only be going over a few examples of what you can do with this tool.
netsh interface ip show config
Displays configurations for your network interfaces.
netsh advfirewall firewall export [path]
Grabs firewall settings on the machine and exports to a file.
reg query [key]
The reg command is used to display the values of a registry key. Examples:
reg query HKEY_LOCAL_MACHINE\SOFTWARE
Returns installed software.
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
You can sometimes find default credentials stored for user autologon here.
nbtstat -A [IP]
Finds the NetBIOS name table of the endpoint with the specified IP address.
netstat -anob
Netstat displays the current machine’s connections and listening ports. Look for any listening services that could be connected to remotely. Some of the ports may not be accessible externally, but port forwarding can make them reachable.
Domain Recon with PowerShell
There is a lot of useful domain information you can collect with PowerShell cmdlets.
Get-ADDomain [Server]
Gets info about the domain.
Get-ADGroup [Group]
Gets info about the domain groups or specified group.
Get-ADGroupMember [Group]
Gets info about the members of a Domain Group. Example:
Get-ADGroupMember "Domain Admins"
Get list of members in Domain Admins group.
Get-ADComputer [Computer]
Get info about domain computers or a specified computer. Example:
Get-ADComputer -Filter {ServicePrincipalName -like "*TERMSRV*"}
Find all computers running RDP service
Get-ADUser
Get info about domain users or a specified Domain user. Example:
Get-ADUser -Filter {ServicePrincipalName -like "*"}
Find Service Accounts by filtering by SPN.
Get-GPO
Gets info about Group Policy Objects on the domain
To take this a step further, you can use a PowerShell framework called PowerSploit, which is used for privilege escalation and reconnaissance against a domain controller. Here are some PowerSploit cmdlets you can use for recon.
Get-DomainDNSZone
Enumerates the Active Directory DNS zones for a given domain
Get-NetGPOGroup
Finds a list of accounts with elevated privileges by scanning GPOs on the Domain.
Invoke-UserHunter
Finds machines on the local domain where specified users are logged into, and can check if the current user has local admin access to the machines.
Invoke-FileFinder
Finds sensitive files on hosts by searching shared folders.
Find-InterestingFile
Searches a local or remote path for files with specific terms in the name.
Invoke-UserEventHunter
Hunts for user logon events in domain controller event logs.
For more details on PowerSploit: https://powersploit.readthedocs.io/en/stable/Recon/README/