Powershell : Windows Enumeration

    The other day, someone asked me why I run my Nmap scans with the flags that I typically use. I think maybe they were asking why I use sT instead of sS.  I don't think sS is any faster and if I choose to use Nmap, I don't care about the noise.  When I DO care, I'm not using Nmap. 

    If you drop onto a Windows machine, right off the bat, what do I want to know?  The OS version, the Fully Qualified Domain Name, and the IP Subnet (/24, /23, /##?).  From there, where is DNS being served.  That's likely to be an important server -- possibly a Domain Controller.  I'd also want to know the location of the mail and web server.  And finally, I'd want to know the names of all of the devices on the network because the names are sometimes telling.

    As administrators, we have a bad habit of identifying the purpose of a device by its name.  Take the following as examples:


    We have some repetition in this list but you get the point.  But it's not like we're the only people doing it.  If you look up the nameservers for Google, you'll find:


    I only need to see the name and that alone gives me a hint as to what ports are open before I do anything.  So maybe before the very noisy Nmap scan of every port - on every IP, I query DNS for hostnames.  It's noisy but a single host scanning every port on every other host is not necessarily the same as a single host making DNS queries to the DNS server. 

    This is a collection of some commands that I might want to use built into a little enumeration script (because we need another of those!! :\ )

    function Show-Menu
        param (
            [string]$Title = 'PowEnum Menu'
        Write-Host "================ $Title ================"
        Write-Host " "
        Write-Host "1: Press '1' to get OS Version"
        Write-Host "2: Press '2' to get FQDN"
        Write-Host "3: Press '3' to get domain"
        Write-Host "4: Press '4' to get DNS type All"
        Write-Host "5: Press '5' to get MX record"
        Write-Host "6: Press '6' to get WWW record"
        Write-Host "7: Press '7' to get hosts on subnet"
        Write-Host "Q: Press 'Q' to quit."
        Show-Menu –Title 'PowEnum Menu'
        Write-Host " "
        $input = Read-Host "what do you want to do?"
        switch ($input)
            '1' {               
                    systeminfo | findstr /B /C:"OS Name" /C:"OS Version"  
            '2' {               
            '3' {
                    (Get-WmiObject Win32_ComputerSystem).Domain
            '4' {
                    $Domain=(Get-WmiObject Win32_ComputerSystem).Domain
                    Resolve-DNSName -type All -name $Domain
            '5' {
                    $Domain=(Get-WmiObject Win32_ComputerSystem).Domain
                    Resolve-DNSName -type MX -name $Domain
            '6' {
                    $Domain=(Get-WmiObject Win32_ComputerSystem).Domain
                    Write-Host "www.${Domain}"
                    Resolve-DNSName -type cname -name "www.${Domain}"
            '7' {
                    Write-Host "Be patient, this could take some time..."
                    $snet = Get-WmiObject -Class Win32_IP4RouteTable |
                        where { $_.destination -eq '' -and $_.mask -eq ''} |
                        Sort-Object metric1 | select nexthop, metric1, interfaceindex
                    $line = $snet -split "nexthop="
                    $ip = $line -split ";"
                    $netw = $ip[1]
                    $ipoct = $netw.split(".")
                    $sn_value = ($ipoct[0]+"."+$ipoct[1]+"."+$ipoct[2])
                    ForEach ($ip in 1..254) {Resolve-DNSName "$sn_value.$ip" -ErrorAction SilentlyContinue }
            'q' {
        Write-Host " "
    until ($input -eq 'q')

    © 2020 sevenlayers.com