When enumerating Windows hosts, there are a number of tools you can use. Some of the more popular ones include:
- Built-in commands and utilities
You can use these tools to enumerate OS version, users, groups, shares, files, services, hardware, Registry keys, configurations, privileges, policies, and more. If you are already logged in to the target, you can run local commands to query the operating system directly. If not, some tools allow you to make a remote connection. In some cases, you do not need to use a privileged account to obtain good information. Prior to Windows Server 2003, you could even make a connection without a user name and password.
The following tables list some common commands for enumeration. Most of the built-in command-line commands are actually executables in themselves, but are designed to be used in a command prompt. Some of these commands have options for manipulating the data as well.
Note: To learn more about PowerShell, visit https://mva.microsoft.com/learning-path/powershell-beginner-12.
Common ways to use Nmap for host enumeration are to fingerprint the operating system and interrogate its services. You can also use NSE scripts for enumeration. Here are some examples:
nmap -O 192.168.1.50
nmap -sV 192.168.1.20
nmap --script=smb-os-discovery <target>
Rpcclient has over 200 commands for enumeration and configuration. It runs on Linux and works against both Windows and Linux Samba computers. If you are not already logged onto the target, you must first make a connection, providing a password when prompted. Administrative or SYSTEM level privileges (from a compromised host) will give you the best results.
Here is an example of using rpcclient to enumerate server information and user accounts on the target. Enter these commands separately:
rpcclient <target IP> -U <username>
?
srvinfo
lookupnames administrator
Now use the lookupsids command to discover additional users by Security ID (SID). Copy the administrator's SID and change the last set of numbers (the relative identifier, or RID) to 1000, then increment from there.
Note: The administrator SID always ends in 500. Even if you rename the administrator account, this number will never change.
Metasploit also has several enumeration modules. Just like the rpcclient lookupsids command, the smb_lookupsid Metasploit module enumerates users by brute forcing possible SIDs. In the following example, the credentials of a standard (non-privileged) user named moo are used against a particular host. Since the RIDs of user-created accounts start at 1000, the example sets a range of 1000 to 1100, searching for the first 100 user accounts that were created.
use auxiliary/scanner/smb/smb_lookupsid
set SMBUser moo
set SMBPass Pa22w0rd
set MinRID 1000
set MaxRID 1100
set RHOSTS 192.168.74.50
run
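As an added illustration of the SID and RID points above (example code written for this page, not part of the original material or of any of the tools it names), the following Python helper parses SIDs, identifies the built-in Administrator by its RID 500 regardless of its display name, and lists the created-account RIDs that a MinRID/MaxRID sweep would cover. The RID table and the sample account list are constructed for the example.

```python
import re
from typing import Optional

# Constructed for this example: RIDs Windows reserves for built-in accounts.
# 500 = Administrator, 501 = Guest; they never change even if the account is renamed.
BUILTIN_RIDS = {500: "Administrator", 501: "Guest"}
FIRST_CREATED_RID = 1000  # accounts created after install get RIDs from here upward
SID_PATTERN = re.compile(r"^S-1-\d+(?:-\d+)+$")


def parse_sid(sid: str) -> tuple[str, int]:
    """Split 'S-1-5-21-x-y-z-RID' into its domain/machine prefix and numeric RID."""
    if not SID_PATTERN.match(sid):
        raise ValueError(f"malformed SID: {sid!r}")
    prefix, rid = sid.rsplit("-", 1)
    return prefix, int(rid)


def classify_rid(rid: int) -> str:
    """Label a RID the way an analyst reading lookupsids output would."""
    if rid in BUILTIN_RIDS:
        return f"built-in {BUILTIN_RIDS[rid]}"
    if rid >= FIRST_CREATED_RID:
        return "created account"
    return "other reserved RID"


def find_renamed_admin(accounts: dict[str, str]) -> Optional[str]:
    """Return the name carrying RID 500 if it is no longer 'Administrator'.
    Renaming hides nothing from anyone who can resolve SIDs: the RID stays 500."""
    for name, sid in accounts.items():
        if parse_sid(sid)[1] == 500 and name.lower() != "administrator":
            return name
    return None


def created_account_rids(accounts: dict[str, str]) -> list[int]:
    """Sorted RIDs >= 1000: the range a MinRID/MaxRID sweep would walk."""
    rids = (parse_sid(sid)[1] for sid in accounts.values())
    return sorted(r for r in rids if r >= FIRST_CREATED_RID)


# Constructed sample resembling lookupsids output on a host whose admin was renamed.
SAMPLE_ACCOUNTS = {
    "svc_backup": "S-1-5-21-1111-2222-3333-500",  # the real Administrator
    "Guest": "S-1-5-21-1111-2222-3333-501",
    "moo": "S-1-5-21-1111-2222-3333-1001",
    "alice": "S-1-5-21-1111-2222-3333-1000",
}
```

Running find_renamed_admin(SAMPLE_ACCOUNTS) returns "svc_backup", which is the practical reason renaming the administrator account is not a substitute for restricting SID lookups and anonymous SMB access.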