Changing Windows file permissions:

In CMD you can check file and folder permissions like this:

icacls <File_Name>

Example output showing that NT AUTHORITY\SYSTEM has an explicit DENY of (RX) Read and Execute. The flags mean: (OI) object inherit, (CI) container inherit, (I) inherited from the parent, (F) full control, (RX) read and execute. Explicit ACEs are evaluated before inherited ones and deny before allow, so the explicit deny wins over the inherited (I)(F) full control and SYSTEM cannot read the file:

C:\Users\Administrator>icacls flag
icacls flag
flag NT AUTHORITY\SYSTEM:(OI)(CI)(DENY)(RX)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
BUILTIN\Administrators:(I)(OI)(CI)(F)
WIN-GQ7PTVEC6HL\Administrator:(I)(OI)(CI)(F)

This is how to remove all explicit ACEs (deny and allow) for NT AUTHORITY\SYSTEM from this file. /remove only touches explicit entries; inherited ones stay. Use /remove:d instead to strip just the deny entries and keep any explicit allows:

icacls flag /remove "NT AUTHORITY\SYSTEM"
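Worked example (added here, not part of the original notes) of inspecting and removing an explicit Deny ACE from PowerShell: Get-Acl lists the explicit entries, icacls /deny reproduces the state shown above on a scratch file under $env:TEMP (the file name is assumed), and icacls /remove:d removes only the deny entries so any explicit allows survive. The function names Get-ExplicitAce and Remove-DenyAce are mine.

```powershell
# Added example (not from the original notes): inspect and fix an explicit
# Deny ACE with Get-Acl and icacls. Runs against a scratch file under $env:TEMP.

# Return the explicit (non-inherited) ACEs on a path, optionally only Deny ones.
function Get-ExplicitAce {
    param(
        [Parameter(Mandatory)] [string]$Path,
        [switch]$DenyOnly
    )
    $acl = Get-Acl -Path $Path
    $acl.Access |
        Where-Object { -not $_.IsInherited } |
        Where-Object { -not $DenyOnly -or $_.AccessControlType -eq 'Deny' } |
        Select-Object IdentityReference, AccessControlType, FileSystemRights, InheritanceFlags
}

# Remove only the Deny entries for one principal (icacls /remove:d). Plain
# /remove would also strip any explicit Allow entries for that principal.
function Remove-DenyAce {
    param(
        [Parameter(Mandatory)] [string]$Path,
        [Parameter(Mandatory)] [string]$Principal
    )
    icacls $Path /remove:d "$Principal" | Out-Null
}

# --- demo on a scratch file (assumed name, created and deleted here) ---
$flag = Join-Path $env:TEMP 'flag_demo.txt'
Set-Content -Path $flag -Value 'demo'

# Reproduce the state from the notes: explicit Deny of Read/Execute for SYSTEM.
icacls $flag /deny "NT AUTHORITY\SYSTEM:(RX)" | Out-Null

"Before:"
icacls $flag
Get-ExplicitAce -Path $flag -DenyOnly | Format-Table -AutoSize

Remove-DenyAce -Path $flag -Principal 'NT AUTHORITY\SYSTEM'

"After:"
icacls $flag
# No explicit Deny remains; SYSTEM is back to its inherited (I) entry only.
Get-ExplicitAce -Path $flag -DenyOnly | Format-Table -AutoSize

Remove-Item $flag
```

The "After" listing should show SYSTEM only with the (I) inherited entry; if a Deny still appears it was inherited from the parent directory, and /remove cannot touch it until inheritance is broken with icacls /inheritance:d.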

Automated enumeration: use [[JAWS]]

After gaining initial access:

If we have a normal Windows shell:

Use the systeminfo command to show useful information about the system (OS name and version, build, architecture, domain, and the IDs of installed hotfixes).

To get more information about the installed hotfixes/updates than the bare IDs that systeminfo prints (wmic is deprecated on recent Windows builds; the PowerShell cmdlet Get-HotFix returns the same data):

wmic qfe get Caption,Description,HotFixID,InstalledOn

This file (the Windows EULA text) contains some additional information about the installed system; cat is the meterpreter command, in CMD use type instead:

cat /windows/system32/eula.txt

This meterpreter command shows all mounted drives on the system, including external USB disks:

show_mount

Enumerating Users & Groups:

  • Show which user the session is running as:

getuid ==> meterpreter session, whoami ==> normal shell.

  • Show the current user's privileges:

getprivs ==> meterpreter session, whoami /priv ==> normal shell.

  • List current logged on Users:

query user ==> Normal Shell

  • List all local users on the system (add /domain to query domain accounts instead):

net user ==> normal shell

  • Show info about a user:

net user administrator ==> normal shell

  • List local groups:

net localgroup

  • Show the members of a specific group:

net localgroup administrators


MSF Modules:

  • Enumerate current and recently logged-on Windows users: post/windows/gather/enum_logged_on_users


Enumerating Network Information:

  • Show connected adapters and their info: ipconfig or ipconfig /all for more info ==> Windows shell.

  • Show routing table info: route print ==> Windows shell.

  • List all devices in the network: arp -a ==> Windows shell.

  • Show listening ports and active connections with the owning PID: netstat -ano

  • Show firewall state: netsh firewall show state (legacy context, deprecated) or netsh advfirewall show allprofiles on newer systems; netsh advfirewall firewall show rule name=all lists the configured rules.

The help output of netsh advfirewall lists its sub-contexts:

The following commands are available:

Commands in this context:
?              - Displays a list of commands.
consec         - Changes to the `netsh advfirewall consec' context.
dump           - Displays a configuration script.
export         - Exports the current policy to a file.
firewall       - Changes to the `netsh advfirewall firewall' context.
help           - Displays a list of commands.
import         - Imports a policy file into the current policy store.
mainmode       - Changes to the `netsh advfirewall mainmode' context.
monitor        - Changes to the `netsh advfirewall monitor' context.
reset          - Resets the policy to the default out-of-box policy.
set            - Sets the per-profile or global settings.
show           - Displays profile or global properties.

Enumerating Processes & Services:

Meterpreter commands:

  • list processes in meterpreter: ps

  • search for a process ID by its name: pgrep explorer.exe

  • migrate to a higher-privileged or more stable process: migrate <PID>

CMD Commands:

  • Show currently started services: net start

  • Show current services ✅ wmic service list brief

  • List processes together with the services hosted inside each process: tasklist /SVC ✅✅

  • List scheduled tasks: schtasks /query /fo LIST, or schtasks /query /fo LIST /v for additional details (run-as user, command to run, triggers). Save this output to a txt file; it is handy for privilege escalation.
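One script (added here, not from the original notes) that collects the enumeration from the users & groups, network, processes & services and scheduled-task sections above into a single text file, as the last step suggests. It uses standard Windows PowerShell 5.1 cmdlets (Get-HotFix in place of the deprecated wmic qfe, Get-LocalUser, Get-NetTCPConnection, Get-NetFirewallProfile, Get-ScheduledTask) and falls back to recording the error when a cmdlet is missing on an older host. The output path under $env:TEMP and the helper names Write-Section, Get-UnquotedServicePath and Get-SystemScheduledTask are my assumptions; the last two go beyond the notes by flagging two common privilege-escalation candidates (unquoted service binary paths and enabled tasks running as SYSTEM).

```powershell
# Added example (not from the original notes): collect the post-exploitation
# enumeration into one text file. Cmdlets are standard Windows PowerShell 5.1;
# if one is missing on an older host the section records the error and the run
# continues instead of aborting.

$OutFile = Join-Path $env:TEMP "enum_$($env:COMPUTERNAME).txt"   # assumed location

# Run a scriptblock, append its output under a header, never abort on error.
function Write-Section {
    param([string]$Title, [scriptblock]$Body)
    Add-Content -Path $OutFile -Value "`r`n===== $Title ====="
    try {
        & $Body 2>&1 | Out-String -Width 200 | Add-Content -Path $OutFile
    } catch {
        Add-Content -Path $OutFile -Value "ERROR: $($_.Exception.Message)"
    }
}

# Services whose binary path contains a space before the .exe and is not
# quoted: a privilege-escalation candidate if an intermediate directory is writable.
function Get-UnquotedServicePath {
    Get-CimInstance Win32_Service |
        Where-Object {
            $_.PathName -and
            $_.PathName -notmatch '^"' -and
            $_.PathName -notmatch '^[A-Za-z]:\\Windows\\' -and
            ($_.PathName -split '\.exe')[0] -match ' '
        } |
        Select-Object Name, StartName, State, PathName
}

# Scheduled tasks that run as SYSTEM and are not disabled, with their actions.
function Get-SystemScheduledTask {
    Get-ScheduledTask |
        Where-Object { $_.Principal.UserId -match 'SYSTEM' -and $_.State -ne 'Disabled' } |
        Select-Object TaskName, TaskPath, State,
            @{ n = 'Action'; e = { ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; ' } }
}

Set-Content -Path $OutFile -Value "Enumeration of $env:COMPUTERNAME at $(Get-Date -Format s)"

Write-Section 'System / hotfixes'       { Get-HotFix | Sort-Object InstalledOn | Format-Table -AutoSize }  # replaces wmic qfe
Write-Section 'Current identity'        { whoami /all }
Write-Section 'Logged-on users'         { query user }
Write-Section 'Local users'             { Get-LocalUser | Select-Object Name, Enabled, LastLogon, PasswordLastSet }
Write-Section 'Local Administrators'    { Get-LocalGroupMember -Group 'Administrators' }
Write-Section 'Network interfaces'      { ipconfig /all }
Write-Section 'Routes'                  { route print }
Write-Section 'ARP cache'               { arp -a }
Write-Section 'Listening / connections' { Get-NetTCPConnection | Sort-Object State, LocalPort | Format-Table -AutoSize }
Write-Section 'Firewall profiles'       { Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction }
Write-Section 'Processes with services' { tasklist /SVC }
Write-Section 'Unquoted service paths'  { Get-UnquotedServicePath | Format-List }
Write-Section 'SYSTEM scheduled tasks'  { Get-SystemScheduledTask | Format-Table -AutoSize -Wrap }

"Written to $OutFile"
```

Run it from the shell you landed in and pull the resulting file back over the session; the two custom sections at the end are the ones worth reading first, and the raw ipconfig/route/arp output keeps the same format as the CMD commands above so it can be compared directly.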