- What is WinRemoteEnum?
- Module users
- Modules sessions and logged_on
- Module shares
- Module host_info
- Learn More
Enumeration is a key phase of penetration testing. When done in-depth, it can swiftly shift the dreadful “I cannot find anything” to the desirable “I can pivot everywhere”.
In the Windows world, this activity has countless layers due to the complex nature of Active Directory, and the myriad of protocols willing to answer specific questions requested by any domain user.
Typically, when one seeks to get a good context of a domain privileges-wise, they instantly think of BloodHound and I absolutely agree, but is there an alternative?
Often, I found myself in situations where I was given a scope of 10 to 20 Windows hosts. While BloodHound supports the
-ComputerFile argument to collect information from specific hosts, it feels like there is quite a bit of overhead to answer particular questions, such as “who are the local administrators?” and “what users are logged in?”. In that case, I had to rely on various enumeration tools here and there, without ever feeling like I could get it done efficiently, and more importantly, thoroughly.
This has lead to the development of WinRemoteEnum.
What is WinRemoteEnum?
WinRemoteEnum is a module-based collection of operations achievable by a low-privileged domain user, sharing the goal of remotely gathering information of Windows hosts, and their hardening status on commonly-leveraged techniques.
|users||Local users, groups and their members.|
|sessions||Net sessions established.|
|logged_on||Users logged on.|
|shares||Shares and their first-level content.|
|host_info||Various OS info and whether the executing user has administrative privileges.|
Since most is enumerated through exposed built-in MS-RPC methods, it is heavily based off impacket.
When executing the tool, domain credentials and targets will be required as minimal input. If a list of modules is not given, all will be executed. Once the enumeration has completed, the
results/ directory contains another directory matching the timestamp at which the execution has taken place, and stores easy-to-consume HTML and JSON enumeration result files.
python3 winremoteenum.py -u $USER -p $PASSWORD -d $DOMAIN $TARGET
As this is the bare minimum, ensure to read the
--help for possible parameters and options.
This module is without a doubt my favorite, and the main reason behind the development of the tool. Prior to this, I did not have an efficient and easy-to-parse way to enumerate local users, groups, and their members from hosts. Thanks to MS-SAMR, this is indeed possible from a low-privileged domain user on hosts, as long as access to the SAM Remote has not been hardened.
Use Case: Basic Reconnaissance
Before digging into the host, I like to get a general idea of its context by browsing the
users.html file. Quickly, you should be able to tell if it is properly maintained or has gone through years of misuse, simply by looking at the local users and groups, and then answering some questions as such:
- How many local users does it have?
- Is the entire cosmos a local administrator?
- Are SIDs getting resolved by the DC, or the users and groups most-likely no longer exist?
Use Case: Analysis of Remote Access Groups
I use the term “Remote Access Group” to refer to any group allowing a user to compromise a host remotely, whether the end result is a privileged access or not.
The newly released version 1.1 of WinRemoteEnum contains an analysis script that can be ran manually by a user, resulting in a list of members of the groups in question. This yields a map of which users must be compromised in order to gain access to the host, or if you are able to leverage previously-compromised users.
python3 analysis/users/analyze.py results/$RESULTS_DIR/json/users.json
Visit the wiki for usage information about the script. Do note that some techniques are using services bound on different ports, meaning that proper firewalling may block you from accessing the host.
In the next section, each remote access group will be explained.
BUILTIN\Remote Management Users
This group provides access to Windows Remote Management (WinRM).
On Windows, PowerShell Remoting allows to leverage this easily by using
On Linux, CrackMapExec includes a nice implementation, which can be used like so:
./cme winrm $HOST -u $USER -p $PASSWORD -d $DOMAIN -x $COMMAND
BUILTIN\Remote Desktop Users
Remote Desktop Services are started on the host, simply fire up your favorite Remote Desktop client, and authenticate on the host to gain access.
BUILTIN\Distributed COM Users and BUILTIN\Performance Log Users
When running the analysis script, these groups are listed as “potential” since they do not grant access to the host out-of-the-box, as opposed to the other groups.
If you wish to learn about these groups and the additional privileges required, you can read about it in my previous post Non-administrative DCOM Execution: Exploring BloodHound’s ExecuteDCOM, or note that you will need
Remote Launch and
Remote Activation over the DCOM object that you want to instantiate.
impacket’s dcomexec.py can be used to perform the object instantiation:
python3 dcomexec.py -object MMC20 -silentcommand $DOMAIN/$USER:$PASSWORD\$@$HOST $COMMAND
This is evidently the Holy Grail of groups, allowing to gain privileged access to the host using the aforementioned techniques, or a multitude of different ones. For instance, impacket additionally offers atexec.py, psexec.py, smbexec.py, and wmiexec.py.
If you require to execute commands as the user instead of
NT AUTHORITY\SYSTEM, use
dcomexec.py (ensure to supply the
-object MMC20 parameter), or
Modules sessions and logged_on
These two have been grouped due to usually sharing the same goal: hunting users to dump their NT hash.
sessions enumerates net sessions established on a target. A net session is created when a client accesses a target’s resource remotely, such as a network share.
On the other hand,
logged_on returns users logged onto a target by enumerating registry keys through the Remote Registry service.
Use Case: Basic Reconnaissance
As goes for most modules, I begin with browsing the
logged_on.html to get a general idea of what is happening on the host.
Many sessions might very well indicate a file server that has significant traffic. Combined with a writable network share, one may be able to leverage NTLM relay.
Additionally, logged on users can help understanding the purpose of the host, and how it is used.
Use Case: Hunting Users
In the results of
source field indicates where the user has initiated the connection from, meaning that in the case where this user has authenticated on this source using a protocol that caches NT hashes in the LSASS process, a privileged user may leverage credential dumping.
logged_on, similarly to
sessions, the users may have authenticated on the target using a protocol that caches their NT hash.
When looking for the location of a specific user, I suggest simply using the
grep command on
logged_on.json, and see if you get any results back.
shares module offers precisely what it states: a view of the network shares available on a host through SMB, and if the executing user can read them. It also lists the name of the first-level files and directories. In the case where the count of items exceeds __MAX_SHARE_LIST_ITEMS (currently 30), a total of files and directories will be reported instead.
The tool currently does not report whether the user has write access due to the possibility of polluting the share. You can read about it in the wiki.
Use Case: Basic Reconnaissance
shares.html file quickly shows the state of the host shares-wise, and how many of these can be read.
Use Case: Finding Sensitive Information
Network shares are often a successful vector to get initial access on a host, either by getting your hands on some credentials, or through NTLM relay when they are writable.
Since the first-level content of shares are listed, this is a convenient way to identify at a first glance which ones might be worth digging into.
This module is dedicated to reporting information about the host, such as its OS version, role, domain, SMB hardening, and if the executing user is a local administrator.
Use Case: Basic Reconnaissance
Similarly to other modules,
host_info.html helps to understand further the context of the host, by revealing information regarding the OS, and more.
Use Case: Local Administrator Privileges
By attempting to open the Service Control Manager (SCM) database with all privileges, one can conclude remotely if they have administrative privileges on the host.
This can be seen in the
Use Case: Finding NTLM Relay Targets
To successfully relay a NTLM authentication on a target, it must have SMB signing disabled, which otherwise validates that the message has not been tampered with.
smb_signing_required field denotes this.
WinRemoteEnum offers an auditing feature, accessible simply by providing the
-a parameter. This will report if the enumeration vectors have been hardened against low-privileged users, since most of them are indeed hardenable.
Head over to the audit section of the wiki for a description of what is audited for each module.