Table of contents

  • Generate Active Directory user list on Windows Server
  • Windows Information Gathering: network interfaces, routing table, arp cache table
  • Searching for passwords on windows filesystem and register
  • Windows Information Gathering: OS, hostname, user list, current user info
  • Resources
    • UAC ByPass
    • Privilege Escalation
    • Active Directory Attacks

Generate Active Directory user list on Windows Server

dsquery (part of the AD DS command-line tools, present on domain controllers and on hosts with RSAT installed) can be run from cmd or PowerShell to write the list of enabled AD user accounts to a text file. The userAccountControl clause uses the LDAP bitwise-AND matching rule (OID 1.2.840.113556.1.4.803) to drop accounts that have the ACCOUNTDISABLE bit (0x2) set; remove that clause to include disabled accounts as well:

dsquery * -filter "(&(objectCategory=person)(objectClass=user)(!userAccountControl:1.2.840.113556.1.4.803:=2))" -attr sAMAccountName name title department mail -limit 0 > users.txt

users.txt is written to the current directory; -limit 0 lifts dsquery's default cap of 100 results.
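The same query from PowerShell, as an added example that is not part of the original page: it uses the .NET DirectorySearcher (via the [adsisearcher] accelerator) with the identical LDAP filter, so it works without the RSAT ActiveDirectory module. It assumes the host is domain-joined and the current account can read the directory; the output file name users.csv is an arbitrary choice.

```powershell
# Added example: enumerate enabled AD user accounts with the same LDAP filter as the
# dsquery command above, without needing the ActiveDirectory module.
# Assumes: domain-joined host, current user can read the default naming context.
$filter = '(&(objectCategory=person)(objectClass=user)(!userAccountControl:1.2.840.113556.1.4.803:=2))'
$attrs  = 'samaccountname', 'name', 'title', 'department', 'mail'

$searcher = [adsisearcher]$filter          # DirectorySearcher bound to the current domain
$searcher.PageSize = 1000                  # paged results, otherwise the server stops at 1000 objects
$searcher.PropertiesToLoad.AddRange([string[]]$attrs)

$results = $searcher.FindAll()
$users = foreach ($r in $results) {
    $p = $r.Properties                     # property names come back lower-case
    [pscustomobject]@{
        sAMAccountName = [string]($p['samaccountname'] | Select-Object -First 1)
        Name           = [string]($p['name']           | Select-Object -First 1)
        Title          = [string]($p['title']          | Select-Object -First 1)
        Department     = [string]($p['department']     | Select-Object -First 1)
        Mail           = [string]($p['mail']           | Select-Object -First 1)   # empty if the attribute is unset
    }
}
$results.Dispose()

$users | Sort-Object sAMAccountName | Export-Csv -Path .\users.csv -NoTypeInformation
"{0} enabled user accounts written to users.csv" -f @($users).Count
```

Where the ActiveDirectory module is available, `Get-ADUser -LDAPFilter $filter -Properties title,department,mail` returns the same set; the searcher version above is the one to reach for on a host where installing RSAT is not an option.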

Windows Information Gathering: network interfaces, routing table, arp cache table

Available network interfaces:

C:\Users\admin>ipconfig /all

Windows IP Configuration

Host Name . . . . . . . . . . . . : enculet
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : some.lan

Ethernet adapter Bluetooth Network Connection:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Bluetooth Device (Personal Area Network)
Physical Address. . . . . . . . . : 5C-F3-70-74-B9-26
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes

Ethernet adapter Ethernet0:

Connection-specific DNS Suffix . : some.lan
Description . . . . . . . . . . . : Intel(R) 82574L Gigabit Network Connection
Physical Address. . . . . . . . . : 00-0C-29-78-72-9E
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::78a9:478d:f75b:9355%3(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.0.178(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : 26 May 2017 11:09:26
Lease Expires . . . . . . . . . . : 29 May 2017 14:57:50
Default Gateway . . . . . . . . . : 192.168.0.1
DHCP Server . . . . . . . . . . . : 192.168.0.52
DHCPv6 IAID . . . . . . . . . . . : 50334761
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-20-B5-A7-DF-00-0C-29-78-72-9E
DNS Servers . . . . . . . . . . . : 192.168.0.52
NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.some.lan:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . : some.lan
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Routing table

C:\Windows\system32> route print

===========================================================================
Interface List
18...0c 84 dc 62 60 29 ......Bluetooth Device (Personal Area Network)
13...00 ff 0c 0d 4f ed ......TAP-Windows Adapter V9
11...00 0c 29 56 79 35 ......Intel(R) PRO/1000 MT Network Connection
1...........................Software Loopback Interface 1
16...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
15...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
19...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
14...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.0.1 192.168.0.104 10
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
192.168.0.0 255.255.255.0 On-link 192.168.0.104 266
192.168.0.104 255.255.255.255 On-link 192.168.0.104 266
192.168.0.255 255.255.255.255 On-link 192.168.0.104 266
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 192.168.0.104 266
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 192.168.0.104 266
===========================================================================
Persistent Routes:
None

IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
14 58 ::/0 On-link
1 306 ::1/128 On-link
14 58 2001::/32 On-link
14 306 2001:0:5ef5:79fb:8d2:b4e:3f57:ff97/128 On-link
11 266 fe80::/64 On-link
14 306 fe80::/64 On-link
14 306 fe80::8d2:b4e:3f57:ff97/128 On-link
11 266 fe80::5cd4:9caf:61c0:ba6e/128 On-link
1 306 ff00::/8 On-link
14 306 ff00::/8 On-link
11 266 ff00::/8 On-link
===========================================================================
Persistent Routes:
None

ARP table:

# arp -a (also accepted as -A, as below) displays the ARP (Address Resolution Protocol) cache table for all available interfaces; the dynamic entries are hosts this machine has exchanged traffic with recently, which makes them the first candidates for lateral movement.

C:\Windows\system32> arp -A

Interface: 192.168.0.104 --- 0xb
Internet Address Physical Address Type
192.168.0.1 90-94-e4-c5-b0-46 dynamic
192.168.0.101 ac-22-0b-af-bb-43 dynamic
192.168.0.255 ff-ff-ff-ff-ff-ff static
224.0.0.22 01-00-5e-00-00-16 static
224.0.0.251 01-00-5e-00-00-fb static
224.0.0.252 01-00-5e-00-00-fc static
239.255.255.250 01-00-5e-7f-ff-fa static
255.255.255.255 ff-ff-ff-ff-ff-ff static

From: http://www.fuzzysecurity.com/tutorials/16.html
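The same interface, route and ARP data gathered in one pass with PowerShell, as an added example that is not part of the original page. It relies on the NetTCPIP cmdlets (Windows 8 / Server 2012 and later; on the Windows 7 host shown above you stay with ipconfig, route and arp), and returns objects rather than text so the results can be filtered, here to pick out reachable neighbours that are not the gateway and routes that point at a next hop (a VPN or secondary subnet).

```powershell
# Added example: interfaces, default gateway, DNS, non on-link routes and the
# neighbour (ARP) cache via the NetTCPIP module. Assumes Windows 8 / Server 2012
# or later; nothing here needs administrative rights.
$ifaces = Get-NetIPConfiguration | Where-Object { $_.NetAdapter.Status -eq 'Up' }

$summary = foreach ($i in $ifaces) {
    [pscustomobject]@{
        Alias   = $i.InterfaceAlias
        Index   = $i.InterfaceIndex
        MAC     = $i.NetAdapter.MacAddress
        IPv4    = ($i.IPv4Address.IPAddress -join ',')
        Gateway = ($i.IPv4DefaultGateway.NextHop -join ',')
        DNS     = ($i.DNSServer.ServerAddresses -join ',')
        Profile = $i.NetProfile.Name
    }
}
Write-Host '== Interfaces that are up =='
$summary | Format-Table -AutoSize | Out-Host

# Routes with a real next hop (not On-link) reveal networks reachable beyond the local
# subnet, e.g. through a TAP/VPN adapter like the one in the route print above.
Write-Host '== Routes via a gateway =='
Get-NetRoute -AddressFamily IPv4 | Where-Object { $_.NextHop -ne '0.0.0.0' } |
    Select-Object ifIndex, DestinationPrefix, NextHop, RouteMetric |
    Format-Table -AutoSize | Out-Host

# Neighbour cache: keep only live, learned entries for real hosts. Drops multicast /
# broadcast addresses, permanent entries and the default gateway itself.
$gateways = @($ifaces.IPv4DefaultGateway.NextHop)
Write-Host '== Recently seen neighbours (excluding gateway) =='
Get-NetNeighbor -AddressFamily IPv4 -State Reachable, Stale, Delay, Probe |
    Where-Object { $_.IPAddress -notmatch '^(224\.|239\.|255\.)' -and $_.IPAddress -notin $gateways } |
    Select-Object ifIndex, IPAddress, LinkLayerAddress, State |
    Format-Table -AutoSize | Out-Host
```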

Searching for passwords on windows filesystem and register

# The command below searches for file names containing certain keywords. It descends from the current directory, so run it from the drive root (C:\) to cover the whole drive rather than from C:\Windows\system32. You can specify as many keywords as you wish.

C:\Windows\system32> dir /s *pass* == *cred* == *vnc* == *.config*

# Search certain file types for a keyword (/s recurses from the current directory, /i ignores case); this can generate a lot of output.

C:\Windows\system32> findstr /si password *.xml *.ini *.txt

# Similarly, the two commands below grep the registry for keywords, in this case "password" (/s recurses, /f is the search string, /t REG_SZ restricts matches to string values, so credentials stored as REG_BINARY are not reported).

C:\Windows\system32> reg query HKLM /f password /t REG_SZ /s
C:\Windows\system32> reg query HKCU /f password /t REG_SZ /s

From: http://www.fuzzysecurity.com/tutorials/16.html
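A PowerShell version of the three searches above, added here as an example and not taken from the original page. It runs from the drive root rather than from C:\Windows\system32 (the cmd versions only descend from the directory they are started in), checks the well-known cleartext-credential locations first, skips large files that would swamp the output, and searches both value names and data in the registry. The keyword list, extension list and 5 MB size cap are arbitrary choices; PowerShell 3 or later is assumed.

```powershell
# Added example: file-name, file-content and registry search for credential material.
# Assumes PowerShell 3+. Keywords, extensions and the size cap are assumptions.
$root     = 'C:\'
$keywords = 'password', 'passwd', 'pwd=', 'credential', 'secret', 'apikey', 'connectionstring'
$pattern  = ($keywords | ForEach-Object { [regex]::Escape($_) }) -join '|'
$textExts = '.xml', '.ini', '.txt', '.config', '.conf', '.ps1', '.bat', '.cmd', '.vbs', '.reg', '.json', '.yml', '.yaml'
$maxBytes = 5MB

# 1. Well-known locations that routinely hold cleartext credentials.
$knownFiles = 'C:\Unattend.xml', 'C:\Windows\Panther\Unattend.xml', 'C:\Windows\Panther\Unattend\Unattend.xml',
              'C:\Windows\System32\sysprep\sysprep.xml', 'C:\Windows\System32\sysprep\sysprep.inf',
              'C:\inetpub\wwwroot\web.config'
$knownKeys  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',          # DefaultUserName / DefaultPassword
              'HKLM:\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\ValidCommunities',
              'HKCU:\Software\SimonTatham\PuTTY\Sessions',
              'HKCU:\Software\ORL\WinVNC3', 'HKLM:\SOFTWARE\RealVNC\WinVNC4'
$knownHits = @($knownFiles + $knownKeys | Where-Object { Test-Path -LiteralPath $_ })

# 2. File names hinting at stored credentials (dir /s *pass* == *cred* == *vnc* == *.config*).
#    One directory walk is reused for the content search below.
$allFiles = Get-ChildItem -Path $root -Recurse -Force -File -ErrorAction SilentlyContinue
$nameHits = $allFiles |
    Where-Object { $_.Name -match 'pass|cred|vnc|\.config$|unattend|sysprep' } |
    Select-Object FullName, Length, LastWriteTime

# 3. File contents (findstr /si password *.xml *.ini *.txt), limited to small text-like files.
$contentHits = $allFiles |
    Where-Object { $_.Extension -in $textExts -and $_.Length -le $maxBytes } |
    Select-String -Pattern $pattern -ErrorAction SilentlyContinue |
    Select-Object Path, LineNumber, @{ n = 'Line'; e = { $_.Line.Trim() } }

# 4. Registry value names or data containing a keyword (reg query HKLM /f password /s),
#    not limited to REG_SZ. Walking both hives takes minutes; access-denied keys are skipped.
$regHits = foreach ($hive in 'HKLM:\', 'HKCU:\') {
    Get-ChildItem -Path $hive -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $key = $_
        foreach ($name in $key.GetValueNames()) {
            $data = [string]$key.GetValue($name)
            if ($name -match $pattern -or $data -match $pattern) {
                [pscustomobject]@{ Key = $key.Name; ValueName = $name; Data = $data }
            }
        }
    }
}

Write-Host '== Well-known credential locations present ==';  $knownHits | Out-Host
Write-Host '== File names ==';      $nameHits    | Format-Table -AutoSize       | Out-Host
Write-Host '== File contents ==';   $contentHits | Format-Table -AutoSize -Wrap | Out-Host
Write-Host '== Registry ==';        $regHits     | Format-Table -AutoSize -Wrap | Out-Host
```

The known-location pass runs in seconds and is worth doing on its own before committing to the full sweep; the content and registry passes are noisy on a real host, so pipe the results to Export-Csv and triage offline rather than reading them in the shell.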

Windows Information Gathering: OS, hostname, user list, current user info

Get the OS name and version of the host:

C:\Windows\system32> systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
OS Name: Microsoft Windows 7 Professional
OS Version: 6.1.7601 Service Pack 1 Build 7601

Get Hostname

C:\Windows\system32> hostname
hostname_xyz

Get current username

C:\Windows\system32> echo %username%
username_xyz

Get system users list

C:\Windows\System32>net users

User accounts for \\FSOCIETY

---------------------------------------------------------
Administrator elliot Guest
The command completed successfully.

Get details of a user (here one who is not a member of the local Administrators group):

C:\Windows\system32> net user elliot

User name elliot
Full Name
Comment
User's comment
Country code 000 (System Default)
Account active Yes
Account expires Never

Password last set 1/10/2017 7:47:14 PM
Password expires Never
Password changeable 1/10/2017 7:47:14 PM
Password required Yes
User may change password Yes

Workstations allowed All
Logon script
User profile
Home directory
Last logon 1/11/2014 8:05:09 PM

Logon hours allowed All

Local Group Memberships *Users
Global Group memberships *None
The command completed successfully.
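The OS, hostname, current-user and local-account checks above collected in one pass, as an added example that is not from the original page. It uses CIM for the OS data and the WinNT ADSI provider for local accounts, so it also runs on the Windows 7 / Server 2008 R2 host shown above (Get-LocalUser only exists from Windows 10 / Server 2016). PowerShell 3 or later is assumed; on PowerShell 2 replace Get-CimInstance with Get-WmiObject. Flag names and the column layout are my own.

```powershell
# Added example: host summary plus local accounts with their flags and group membership.
# Assumes PowerShell 3+; needs no module and no elevation.
$os        = Get-CimInstance -ClassName Win32_OperatingSystem
$me        = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal $me

$sysinfo = [pscustomobject]@{
    Hostname     = $env:COMPUTERNAME
    Domain       = $env:USERDOMAIN
    OSName       = $os.Caption
    OSVersion    = $os.Version            # 6.1.7601 = Windows 7 SP1, as in the systeminfo output above
    Architecture = $os.OSArchitecture
    LastBoot     = $os.LastBootUpTime
    CurrentUser  = $me.Name
    # True only when the current token already holds Administrators, i.e. an elevated
    # (post-UAC) shell. An admin in a medium-integrity shell gets False here.
    IsElevated   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}
Write-Host '== Host =='
$sysinfo | Format-List | Out-Host

# Local accounts via the WinNT provider: the same data as "net user <name>" for every account.
$computer = [ADSI]"WinNT://$env:COMPUTERNAME"
$accounts = foreach ($u in $computer.Children | Where-Object { $_.SchemaClassName -eq 'user' }) {
    $flags  = [int]$u.UserFlags.Value
    $groups = @($u.Groups() | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    })
    [pscustomobject]@{
        Name         = $u.Name.Value
        Disabled     = [bool]($flags -band 0x2)       # ADS_UF_ACCOUNTDISABLE     ("Account active: No")
        PwdNotReqd   = [bool]($flags -band 0x20)      # ADS_UF_PASSWD_NOTREQD     ("Password required: No")
        PwdNeverExp  = [bool]($flags -band 0x10000)   # ADS_UF_DONT_EXPIRE_PASSWD ("Password expires: Never")
        LastLogin    = $(try { $u.LastLogin.Value } catch { $null })   # throws when the account never logged on
        IsLocalAdmin = ($groups -contains 'Administrators')
        Groups       = ($groups -join ',')
    }
}
Write-Host '== Local accounts =='
$accounts | Sort-Object IsLocalAdmin -Descending | Format-Table -AutoSize | Out-Host
```

The two things worth reading first in the output are IsElevated (whether a UAC bypass is still needed before anything privileged) and the IsLocalAdmin / PwdNotReqd columns, which point at the accounts worth targeting next.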

Resources

UAC ByPass

Privilege Escalation

Active Directory Attacks