Windows Reconnaissance with CMD and PowerShell

This guide covers the fundamentals of windows enumeration, system footprinting and other types of reconnaissance, as well as some useful cmd/powershell cmdlets I’ve picked up while competing in CCDC. For both blue team and red team, it’s critical to know the ins and outs of your systems to ensure optimal security of your network.

The more information you can collect about a system, the greater the chance of it becoming compromised. This guide will be useful for both the initial recon of a Windows system, as well as for post exploitation (especially if you only have access to a cli). I’ll be adding more to this guide as I learn more about Windows Server/workstations. In future blogs, I’ll be showcasing how you can use this gathered information to escalate privileges in the Domain.

Starting off


Systeminfo 

Displays detailed information and configurations of the computer and operating system.

Wmic

The wmic command provides a command line interface for Windows Instrumentation. Wmic will also not be logged by default audit policies and event logs. There’s a lot of info you can extract with this command, and some cool things you can do with it as well. Here are a few examples:

wmic /output:c:os.html os get /format:hform

Generates an OS/system report in HTML

wmic logicaldisk where drivetype=3 get name, freespace, systemname, filesystem, size, volumeserialnumber

Displays Hardrive info

wmic STARTUP GET Caption, Command, User

Finds programs/scripts that start on boot

wmic [useraccount/group/services] list

 Gets info about users/groups/services

Wmic qfe

Gets a list of updates on the windows machine

Net

The net command manages many aspects of the network settings on a windows machine. Some uses:

Net [user/group]

Lists all local and domain users/groups.

Net file

Shows a list of open files on a server.

Net share

Lists/manages shared resources on the machine

Net start

Displays running services.

qwinsta

Displays any users currently logged on. The “query session” command performs the same task.

Cmdkey /list

Displays a list of all user names and credentials that are stored in credential manager.

Icacls [path]

Gets permissions of the specified directory/file. Permissions are represented as uppercase letters in the output. Here is a quick overview of some of the permissions you will see:

Simple rights:

  • F (full access)
  • M (modify access)
  • RX (read and execute access)
  • R (read-only access)
  • W (write-only access)

Inherited Rights (apply only to directories):

  • (OI): object inherit
  • (CI): container inherit
  • (IO): inherit only
  • (NP): do not propagate inherit
  • (I): permission inherited from parent container

There are a list of other specific rights you can view on the microsoft docs. https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc753525(v=ws.10)?redirectedfrom=MSDN

The output can be verbose, so you can pipe the command into filters. Example:

icacls "C:\Users\*" | findstr "(F)" | findstr "Everyone"

This narrows down your search by piping the command into “findstr”, which filters the output to “Full” Permissions and the “Everyone” Group.

schtasks /query

Looks for any scheduled tasks running on the machine.

netsh

Network shell (netsh) is a command-line utility that allows you to configure and display the status of various network communications. I’ll only be going over a few examples of what you can do with this tool.

netsh interface ip show config

Displays configurations for your network interfaces.

netsh advfirewall firewall export [path]

Grabs firewall settings on the machine and exports to a file.

reg query [key]

the reg command is used to display values of a registry key. Examples:

reg query HKEY_LOCAL_MACHINE\SOFTWARE

Returns installed software.

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"

You can sometimes find default credentials in User Autologon

Nbtstat -a [IP]

Finds the NetBIOS name of an endpoint with the specified ip address.

netstat -anob

Netstat displays connections for the current machine. You want to look for any listening connections that can be connected to remotely. Some of the ports may not be accessible externally, but portforwarding them can make them accessible.

Domain Recon with PowerShell


There is a lot of useful domain information you can collect with powershell cmdlets.

Get-ADDomain [Server]

Gets info about the domain.

Get-ADGroup [Group]

Gets info about the domain groups or specified group.

Get-ADGroupMember [Group]

Gets info about the members of a Domain Group. Example:

Get-ADGroupMember "Domain Admins"

Get list of members in Domain Admins group.

Get-ADComputer [Computer]

Get info about domain computers or a specified computer. Example:

 Get-ADComputer -Filter {ServicePrincipalName -like “*TERMSRV*”}

Find all computers running RDP service

Get-ADUser

Get info about domain users or a specified Domain user. Example:

Get-ADUser -Filter {ServicePrincipalName -like “*”} 

Find Service Accounts by filtering by SPN.

Get-GPO

Gets info about Group Policy Objects on the domain

To take this a step further, you can use a PowerShell platform called powersploit, which is used for privilege escalation and reconnaissance of a Domain Controller. Here are some powersploit cmdlets you can use for recon.

Get-DomainDNSZone

Enumerates the Active Directory DNS zones for a given domain

Get-NetGPOGroup

Finds a list of accounts with elevated privileges by scanning GPOs on the Domain. 

Invoke-UserHunter

Finds machines on the local domain where specified users are logged into, and can check if the current user has local admin access to the machines.

Invoke-FileFinder

Finds sensitive files on hosts by searching shared folders.

Find-InterestingFile

Searches a local or remote path for files with specific terms in the name.

Invoke-UserEventHunter

 Hunts for user logon events in domain controller event logs.

For more details on powersploit: https://powersploit.readthedocs.io/en/stable/Recon/README/

Leave a Reply

Your email address will not be published. Required fields are marked *