This note will expand our knowledge needed to learn more about the system. We discussed account discovery and security products within the system in previous tasks. We will continue learning more about the system, including:
- Installed applications
- Services and processes
- Sharing files and printers
- Internal services: DNS and local web applications
It is necessary to understand what the system provides in order to get the benefit of the information.
Installed Applications
First, we start enumerating the system for installed applications by checking the applicationโs name and version. As a red teamer, this information will benefit us. We may find vulnerable software installed to exploit and escalate our system privileges. Also, we may find some information, such as plain-text credentials, is left on the system that belongs to other systems or services.
ย We will be using theย wmicย Windows command to list all installed applications and their version.
# It is slow as fvck
PS C:\Users\thm> wmic product get name,version
Name Version
Microsoft Visual C++ 2019 X64 Minimum Runtime - 14.28.29910 14.28.29910
AWS Tools for Windows 3.15.1248
Amazon SSM Agent 3.0.529.0
aws-cfn-bootstrap 2.0.5
AWS PV Drivers 8.3.4
Microsoft Visual C++ 2019 X64 Additional Runtime - 14.28.29910 14.28.29910Another interesting thing is to look for particular text strings, hidden directories, backup files. Then we can use the PowerShell cmdlets,ย Get-ChildItem, as follow:
PS C:\Users\thm> Get-ChildItem -Hidden -Path C:\Users\kkidd\Desktop\Services and Process
Windows services enable the system administrator to create long-running executable applications in our own Windows sessions. Sometimes Windows services have misconfiguration permissions, which escalates the current user access level of permissions. Therefore, we must look at running services and perform services and processes reconnaissance.ย For more details, you can read about process discovery on Attack MITRE.
Process discovery is an enumeration step to understand what the system provides. The red team should get information and details about running services and processes on a system. We need to understand as much as possible about our targets. This information could help us understand common software running on other systems in the network.ย For example, the compromised system may have a custom client application used for internal purposes.ย Custom internally developed software is the most common root cause of escalation vectors.ย Thus, it is worth digging more to get details about the current process.ย ย
For more details about core Windows processes from the blue team perspective, check out the TryHackMe room: Core Windows Process.
Sharing files and Printers
Sharing files and network resources is commonly used in personal and enterprise environments. System administrators misconfigure access permissions, and they may have useful information about other accounts and systems. For more information on printer hacking, we suggest trying out the following TryHackMe room: Printer Hacking 101.
Internal services: DNS, local web applications, etc
Internal network services are another source of information to expand our knowledge about other systems and the entire environment. To get more details about network services that are used for external and internal network services, we suggest trying out the following rooms: Network Service, Network Service2.
The following are some of the internal services that are commonly used that we are interested in:
- DNS Services
- Email Services
- Network File Share
- Web application
- Database service
Letโs try listing the running services using the Windows command promptย net startย to check if there are any interesting running services.
PS C:\Users\thm> net start
These Windows services are started:
Active Directory Web Services
Amazon SSM Agent
Application Host Helper Service
Cryptographic Services
DCOM Server Process Launcher
DFS Namespace
DFS Replication
DHCP Client
Diagnostic Policy Service
THM Demo
DNS ClientWe can see a service with the nameย THM Demoย which we want to know more about.
Now letโs look for the exact service name, which we need to find more information.
PS C:\Users\thm> wmic service where "name like 'THM Demo'" get Name,PathName
Name PathName
THM Service c:\Windows\thm-demo.exeWe find the file name and its path; now letโs find more details using theย Get-Processย cmdlet.
PS C:\Users\thm> Get-Process -Name thm-demo
Handles NPM(K) PM(K) WS(K) CPU(s) Id SI ProcessName
------- ------ ----- ----- ------ -- -- -----------
82 9 13128 6200 3212 0 thm-serviceOnce we find its process ID, letโs check if providing a network service by listing the listening ports within the system.
PS C:\Users\thm> netstat -noa |findstr "LISTENING" |findstr "3212"
TCP 0.0.0.0:8080 0.0.0.0:0 LISTENING 3212
TCP [::]:8080 [::]:0 LISTENING 3212We mentioned that DNS service is a commonly used protocol in any active directory environment and network. The attached machine provides DNS services for AD. Letโs enumerate the DNS by performing a zone transfer DNS and see if we can list all records.
We will perform DNS zone transfer using the Microsoft tool isย nslookup.exe.
PS C:\Users\thm> nslookup.exe
Default Server: UnKnown
Address: ::1Once we execute it, we provide the DNS server that we need to ask, which in this case is the target machine
> server 10.10.29.163
Default Server: [MACHINE_IP]
Address: MACHINE_IPNow letโs try the DNS zone transfer on the domain we find in the AD environment.
> ls -d thmredteam.com
[[10.10.29.163]]
thmredteam.com. SOA ad.thmredteam.com hostmaster.thmredteam.com. (732 900 600 86400 3600)
thmredteam.com. A MACHINE_IP
thmredteam.com. NS ad.thmredteam.com
***
ad A MACHINE_IPThe previous output is an example of successfully performing the DNS zone transfer.