Enumerating Windows Hosts
After completing a ping sweep to identify interesting hosts in a Windows environment, the next logical step is to enumerate hosts on the network.
Built-in Tools for Enumeration
When enumerating Windows hosts, several tools built into the operating system can be used from the command-line interface (CLI). The following commands are commonly used:
| Command | Purpose |
|---|---|
| net view | View shared resources from other hosts on the network |
| arp -a | View the Address Resolution Protocol (ARP) cache |
| net user | List all users on the machine |
| ipconfig /displaydns | Display resolved DNS names |
External Tools for Enumeration
In addition to built-in commands, several popular tools can enhance Windows host enumeration:
PowerShell
PowerShell (PS) uses cmdlets, which are verb-noun pairings that perform specific tasks (e.g., Get-Help). PowerShell can enumerate information such as:
- OS version
- Shares
- Files
- Services
- Registry keys
- Policies
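As an added example (not code from the original page), the script below collects one item from each of the categories listed above using built-in PowerShell cmdlets and writes the result to JSON, so an administrator can baseline a host and compare later runs against it. The registry key path is an assumption; swap in the keys you care about.

```powershell
# Added example: local host inventory built from built-in PowerShell cmdlets.
# Runs as a normal user; items that need elevation are skipped rather than failing.
function Get-HostInventory {
    [CmdletBinding()]
    param(
        # Assumed sample key; replace with the keys you baseline in your environment
        [string]$RegistryKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    )

    $os = Get-CimInstance -ClassName Win32_OperatingSystem

    [PSCustomObject]@{
        Host      = $env:COMPUTERNAME
        Collected = (Get-Date).ToString('o')
        # OS version: product name, version string, build and last boot time
        OSVersion = $os | Select-Object Caption, Version, BuildNumber, LastBootUpTime
        # Shares: name and backing path of every SMB share this host exposes
        Shares    = Get-SmbShare -ErrorAction SilentlyContinue |
                    Select-Object Name, Path, Description
        # Files: top-level folders under Program Files as a quick installed-software view
        Files     = Get-ChildItem -Path $env:ProgramFiles -Directory -ErrorAction SilentlyContinue |
                    Select-Object -ExpandProperty Name
        # Services: running services with their account and binary path, so unusual paths stand out
        Services  = Get-CimInstance -ClassName Win32_Service -Filter "State='Running'" |
                    Select-Object Name, StartName, PathName
        # Registry keys: selected values from the chosen key
        Registry  = Get-ItemProperty -Path $RegistryKey -ErrorAction SilentlyContinue |
                    Select-Object ProductName, ReleaseId, CurrentBuild, InstallationType
        # Policies: machine policy keys written by Group Policy, if any are present
        Policies  = Get-ChildItem -Path 'HKLM:\SOFTWARE\Policies' -Recurse -ErrorAction SilentlyContinue |
                    Select-Object -ExpandProperty Name
    }
}

# Persist the inventory as JSON so a later run can be diffed against this baseline.
$inventory = Get-HostInventory
$inventory | ConvertTo-Json -Depth 4 |
    Set-Content -Path "$env:TEMP\$($inventory.Host)-inventory.json"
$inventory | Format-List Host, Collected
```

Comparing two saved inventories (for example with Compare-Object on the Services or Shares arrays) shows new shares, services or policy keys that appeared between runs.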
Nmap
Nmap provides a wide range of commands and NSE scripts for host enumeration, allowing for:
- OS fingerprinting
- Service interrogation
Metasploit
Metasploit includes modules for host enumeration. For example, the enum_applications module can determine what applications are installed on the target host.
Searching Active Directory
Active Directory (AD) is the directory service for Microsoft environments. It stores, organizes, and enables access to objects within a network, and provides essential services such as DNS and Kerberos-based authentication.
Active Directory Structure
At the top of the AD structure is the Forest. The hierarchy includes:
- Tree: A collection of domains and sub-domains.
- Domain: The core unit of a Windows network. The first domain is the root, with child domains beneath it having unique names.
- Organizational Units (OU): Groups similar objects like users, groups, computers, and other OUs to minimize the number of domains.
- Users: Represent individuals or processes needing resource access, each with attributes like name, password, and email.
- Groups: Collections of users or computer accounts. Unlike containers, they list members without storing them, simplifying rights and permissions management.
Enumerating Active Directory with PowerShell
Non-privileged users can sometimes query AD for information. Using the Active Directory PowerShell module, the following cmdlets assist in AD enumeration:
| Cmdlet | Purpose |
|---|---|
| Get-NetDomain | Retrieve the current user’s domain |
| Get-NetLoggedon | Get users logged on to a specific computer |
| Get-NetGroupMember | List domain members belonging to a specific group |