Powershell : Windows Enumeration

by Vince

The other day, someone asked me why I run my Nmap scans with the flags that I typically use. I think maybe they were asking why I use -sT instead of -sS. I don't think -sS is any faster, and if I choose to use Nmap, I don't care about the noise. When I DO care, I'm not using Nmap.

If you drop onto a Windows machine, right off the bat, what do I want to know? The OS version, the Fully Qualified Domain Name, and the IP subnet (/24, /23, /##?). From there, where is DNS being served? That's likely to be an important server -- possibly a Domain Controller. I'd also want to know the location of the mail and web servers. And finally, I'd want to know the names of all of the devices on the network, because the names are sometimes telling.

As administrators, we have a bad habit of identifying the purpose of a device by its name.  Take the following as examples:

DC.DOMAIN.COM
DNS.DOMAIN.COM
NS.DOMAIN.COM
MX.DOMAIN.COM
MAIL.DOMAIN.COM
HDD.DOMAIN.COM
NAS.DOMAIN.COM
FS.DOMAIN.COM
VPN.DOMAIN.COM
JSMITH-PC.DOMAIN.COM

We have some repetition in this list, but you get the point. And it's not like we're the only people doing it. If you look up the nameservers for Google, you'll find:

ns1.google.com
ns2.google.com
ns3.google.com
ns4.google.com

I only need to see the name, and that alone gives me a hint as to what ports are open before I do anything. So maybe, before the very noisy Nmap scan of every port on every IP, I query DNS for hostnames. It's still noisy, but a single host scanning every port on every other host is not necessarily the same as a single host making DNS queries to the DNS server.
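To show what "ask DNS first" looks like in practice, here is an added example (my code, not part of Vince's post or his script) that pulls the domain's infrastructure servers straight out of the records an Active Directory domain publishes anyway: NS and MX at the zone apex, the _ldap and _kerberos SRV records that point at the Domain Controllers, and the conventional www name. It assumes a domain-joined host with the DnsClient module (Resolve-DnsName, Windows 8 / Server 2012 and later); the `Get-DomainServiceHosts` function name and the `Role` labels are mine.

```powershell
# Added example, not part of Vince's script: find the domain's infrastructure servers
# from DNS records instead of a port sweep. Assumes a domain-joined Windows host with
# the DnsClient module (Resolve-DnsName, Windows 8 / Server 2012 and later).
function Get-DomainServiceHosts {
    param(
        # Defaults to the AD domain this machine belongs to (WORKGROUP on a stand-alone box,
        # in which case the SRV lookups simply return nothing).
        [string]$Domain = (Get-CimInstance Win32_ComputerSystem).Domain
    )
    # Well-known record names: NS/MX from the zone apex, the DC and Kerberos SRV records
    # every AD domain registers, and the conventional www name.
    $queries = @(
        @{ Role = 'NameServer';       Type = 'NS';  Name = $Domain }
        @{ Role = 'MailExchanger';    Type = 'MX';  Name = $Domain }
        @{ Role = 'DomainController'; Type = 'SRV'; Name = "_ldap._tcp.dc._msdcs.$Domain" }
        @{ Role = 'Kerberos';         Type = 'SRV'; Name = "_kerberos._tcp.$Domain" }
        @{ Role = 'Web';              Type = 'A';   Name = "www.$Domain" }
    )
    foreach ($q in $queries) {
        # Resolve-DnsName also returns glue and CNAME records; keep only the type we asked for.
        $records = Resolve-DnsName -Name $q.Name -Type $q.Type -ErrorAction SilentlyContinue |
            Where-Object { $_.Type -eq $q.Type }
        foreach ($r in $records) {
            # Each record type stores its target under a different property name.
            $target = switch ($q.Type) {
                'NS'  { $r.NameHost }
                'MX'  { $r.NameExchange }
                'SRV' { $r.NameTarget }
                'A'   { $r.IPAddress }
            }
            # Only SRV records carry a port; the others are left blank.
            $port = $null
            if ($q.Type -eq 'SRV') { $port = $r.Port }
            [pscustomobject]@{
                Role   = $q.Role
                Record = $q.Name
                Target = $target
                Port   = $port
            }
        }
    }
}

# Usage: one row per discovered server, grouped by role.
Get-DomainServiceHosts | Sort-Object Role, Target | Format-Table -AutoSize
```

The SRV lookups are the interesting part for the "where is the Domain Controller" question: a domain-joined client resolves them every time it logs on, so from the DNS server's point of view these queries are indistinguishable from normal client traffic, which is exactly the contrast with a full port sweep that the paragraph above draws.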

This is a collection of some of the commands I might want to use, built into a little enumeration script (because we need another of those!! :\ )

Clear-Host
function Show-Menu
{
    param (
        [string]$Title = 'PowEnum Menu'
    )
    Clear-Host
    Write-Host "================ $Title ================"
    Write-Host " "
    Write-Host "1: Press '1' to get OS Version"
    Write-Host "2: Press '2' to get FQDN"
    Write-Host "3: Press '3' to get domain"
    Write-Host "4: Press '4' to get DNS type All"
    Write-Host "5: Press '5' to get MX record"
    Write-Host "6: Press '6' to get WWW record"
    Write-Host "7: Press '7' to get hosts on subnet"
    Write-Host "Q: Press 'Q' to quit."
}

do
{
    Show-Menu -Title 'PowEnum Menu'
    Write-Host " "
    # $input is a PowerShell automatic variable (pipeline input), so use our own name.
    $choice = Read-Host "what do you want to do?"
    switch ($choice)
    {
        '1' {
                systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
            }
        '2' {
                # GetHostEntry replaces the obsolete GetHostByName; .HostName is the FQDN.
                ([System.Net.Dns]::GetHostEntry($env:COMPUTERNAME)).HostName
            }
        '3' {
                (Get-WmiObject Win32_ComputerSystem).Domain
            }
        '4' {
                $Domain = (Get-WmiObject Win32_ComputerSystem).Domain
                Resolve-DnsName -Type All -Name $Domain
            }
        '5' {
                $Domain = (Get-WmiObject Win32_ComputerSystem).Domain
                Resolve-DnsName -Type MX -Name $Domain
            }
        '6' {
                $Domain = (Get-WmiObject Win32_ComputerSystem).Domain
                Write-Host "www.${Domain}"
                Resolve-DnsName -Type CNAME -Name "www.${Domain}"
            }
        '7' {
                Write-Host "Be patient, this could take some time..."
                # Lowest-metric default route; its next hop is the gateway on the local subnet.
                $gateway = Get-WmiObject -Class Win32_IP4RouteTable |
                    Where-Object { $_.Destination -eq '0.0.0.0' -and $_.Mask -eq '0.0.0.0' } |
                    Sort-Object Metric1 | Select-Object -First 1 -ExpandProperty NextHop
                # Assumes a /24: keep the first three octets of the gateway address.
                $ipoct = $gateway.Split('.')
                $sn_value = "$($ipoct[0]).$($ipoct[1]).$($ipoct[2])"
                # Resolve-DnsName does a reverse (PTR) lookup when given an IP address;
                # unresolvable addresses are skipped silently.
                ForEach ($i in 1..254) {
                    Resolve-DnsName "$sn_value.$i" -ErrorAction SilentlyContinue
                }
            }
        'q' {
                return
            }
    }
    Write-Host " "
    pause
}
until ($choice -eq 'q')
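Option 7 above assumes the subnet is a /24, which is the "/24, /23, /##?" question from the start of the post. The added example below (mine, not part of Vince's script) reads the real prefix length from the interface that carries the default route, computes the network and usable host span with plain integer arithmetic, and only then does the same PTR sweep, with a cap so that a /16 does not quietly turn into 65,000 queries. It assumes the NetTCPIP cmdlets (Get-NetRoute and Get-NetIPAddress, Windows 8 / Server 2012 and later); the function names and the sample 10.1.4.20/23 address are mine.

```powershell
# Added example, not part of Vince's script: derive the real local subnet from the
# interface's prefix length instead of assuming a /24, then run the PTR sweep over it.
# Assumes the NetTCPIP cmdlets (Get-NetRoute / Get-NetIPAddress, Windows 8 / Server 2012+).

function ConvertTo-IPv4Int ([string]$Dotted) {
    # Dotted quad -> 32-bit value held in a [long] so the bit operations never go negative.
    $b = [System.Net.IPAddress]::Parse($Dotted).GetAddressBytes()
    ([long]$b[0] -shl 24) -bor ([long]$b[1] -shl 16) -bor ([long]$b[2] -shl 8) -bor [long]$b[3]
}

function ConvertFrom-IPv4Int ([long]$Value) {
    '{0}.{1}.{2}.{3}' -f (($Value -shr 24) -band 255), (($Value -shr 16) -band 255),
                         (($Value -shr 8) -band 255), ($Value -band 255)
}

function Get-IPv4Range {
    # Network, broadcast and usable host span for an address/prefix pair, e.g. 10.1.4.20/23.
    param([Parameter(Mandatory)][string]$IPAddress, [Parameter(Mandatory)][int]$PrefixLength)
    if ($PrefixLength -lt 0 -or $PrefixLength -gt 32) { throw "Invalid prefix length $PrefixLength" }
    $full  = 4294967295L                      # 0xFFFFFFFF as a long (a 32-bit hex literal would be -1)
    $ip    = ConvertTo-IPv4Int $IPAddress
    $mask  = ($full -shl (32 - $PrefixLength)) -band $full
    $net   = $ip -band $mask
    $bcast = $net -bor ((-bnot $mask) -band $full)
    # /31 and /32 have no separate network/broadcast addresses: every address is a host.
    if ($PrefixLength -ge 31) { $first = $net; $last = $bcast } else { $first = $net + 1; $last = $bcast - 1 }
    [pscustomobject]@{
        Network   = ConvertFrom-IPv4Int $net
        Prefix    = $PrefixLength
        FirstHost = ConvertFrom-IPv4Int $first
        LastHost  = ConvertFrom-IPv4Int $last
        HostCount = $last - $first + 1
    }
}

function Get-LocalIPv4Range {
    # Interface carrying the lowest-metric default route (same idea as the
    # Win32_IP4RouteTable query in the menu script), with its real prefix length.
    $route = Get-NetRoute -AddressFamily IPv4 -DestinationPrefix '0.0.0.0/0' |
        Sort-Object RouteMetric, InterfaceMetric | Select-Object -First 1
    $addr = Get-NetIPAddress -AddressFamily IPv4 -InterfaceIndex $route.InterfaceIndex |
        Select-Object -First 1
    Get-IPv4Range -IPAddress $addr.IPAddress -PrefixLength $addr.PrefixLength
}

function Get-SubnetHostNames {
    # Reverse-resolve every host in the range; the cap stops a /16 becoming 65k queries.
    param([Parameter(Mandatory)]$Range, [int]$MaxHosts = 1024)
    if ($Range.HostCount -gt $MaxHosts) {
        throw "Range $($Range.Network)/$($Range.Prefix) has $($Range.HostCount) hosts, above the cap of $MaxHosts"
    }
    $first = ConvertTo-IPv4Int $Range.FirstHost
    $last  = ConvertTo-IPv4Int $Range.LastHost
    for ($i = $first; $i -le $last; $i++) {
        $addr = ConvertFrom-IPv4Int $i
        $ptr  = Resolve-DnsName -Name $addr -Type PTR -ErrorAction SilentlyContinue
        if ($ptr) { [pscustomobject]@{ IPAddress = $addr; HostName = $ptr.NameHost } }
    }
}

# Usage (sample address is constructed): Get-IPv4Range 10.1.4.20 23 reports network 10.1.4.0,
# hosts 10.1.4.1 through 10.1.5.254, HostCount 510. On a live machine:
#   Get-SubnetHostNames (Get-LocalIPv4Range) | Format-Table -AutoSize
```

Getting the prefix from the interface rather than from the gateway's first three octets is the difference between sweeping the network you are actually on and sweeping a random 254-address slice of it: on a /23 the original approach misses half the hosts, and on a /25 it spends half its queries on addresses that belong to a neighbouring subnet.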