WinRemoteEnum

WinRemoteEnum is a module-based collection of operations achievable by a low-privileged domain user, sharing the goal of remotely gathering information of Windows hosts, and their hardening status on commonly-leveraged techniques.

Since most is enumerated through exposed built-in MS-RPC methods, it is heavily based off impacket.

What Purpose Does WinRemoteEnum Serve?

While it is possible to obtain similar results using well-known tools, WinRemoteEnum simplifies the process by offering modules operating with minimal input, and generating easy-to-consume reports (HTML and JSON). Therefore, it is a great starting point to enumerate a given scope during an engagement, or to answer specific questions as described in the Example of Operations section.

Furthermore, WinRemoteEnum follows a read-only mindset, meaning that all requests aim to read information and never to write. Though, ensure to take notice of the Warning: Understanding the Impact section.

Lastly, the development of the tool was foremost a learning experience regarding concretely interacting with various MS-RPC interfaces, and the endless possibilities of domain hardening.

Auditing

When possible, modules implement an auditing feature allowing to easily report if a target has been hardened against the technique. Visit Example of Auditing for examples, and the wiki to learn about exactly what is audited.

Supported Windows Versions

WinRemoteEnum was tested successfully on Windows 7 SP1 and newer, both on workstations and servers.

While unsupported, most modules should work on Windows XP SP3 except users, which runs into a disagreement with MS-LSAD's LsarQueryInformationPolicy, and most-likely more methods.

In case of an unexpected behavior, please only open an issue for supported versions.

Warning: Understanding the Impact

The operator must take into account the following before executing WinRemoteEnum on a scope:

1. Multiprocessing is used to enumerate a large amount of targets simultaneously. To be precise, two extra processes are spawned per module to perform the task; however only one module runs at a time.

2. WinRemoteEnum will authenticate using the provided credentials a considerable amount of times, which depends entirely on the selected modules. In the context of a domain, this implies the usual impact of sending authentication requests to the domain controller, incrementing the badPwdCount attribute on failed login attempts, generating Windows Event logs and so on.

3. Under the wiki page of each module is documented the RPC methods that will be called upon execution. Understand that depending on the monitoring strategy of the environment, these may very well trigger monitoring use cases. Therefore, ensure to inform the surveillance team of your operations.

Installation

git clone https://github.com/simondotsh/WinRemoteEnum
cd WinRemoteEnum/
python3 -m venv venv
source venv/bin/activate
pip3 install -r requirements.txt

Usage

usage: winremoteenum.py [-h] [-v] -u USERNAME -d DOMAIN [-p PASSWORD | -nt NT_HASH] [-m MODULES] [-a] [-nv] [-t TIMEOUT] targets

positional arguments:
  targets               Targets to enumerate. Must be a single IP (e.g. 10.0.0.1), a range (e.g. 10.0.0.0/24), or a file containing the
                        aforementioned formats separated by a new line.

optional arguments:
  -h, --help            show this help message and exit

  -v, --version         show program's version number and exit

  -u USERNAME, --username USERNAME
                        Username used to authenticate on targets.

  -d DOMAIN, --domain DOMAIN
                        Domain to authenticate to.

  -p PASSWORD, --password PASSWORD
                        Username's password. If a password or a hash is not provided, a prompt will request the password on execution.

  -nt NT_HASH, --nt-hash NT_HASH
                        Username's NT hash.

  -m MODULES, --modules MODULES
                        Modules to execute on targets, separated by a comma (,). List of modules: sessions,users,host_info,shares,logged_on
                        (default: runs all).

  -a, --audit           Audit mode. This will validate a subset of operations against targets for the selected modules, without reporting the
                        entire results. See the audit section in the wiki for each operation performed.

  -nv, --no-validation  Credentials and connectivity to targets will not be validated.

  -t TIMEOUT, --timeout TIMEOUT
                        Drops connection after x seconds when waiting to receive packets from the target (default: 2).

Modules

The wiki documents modules with their goals, MS-RPC methods used and design decisions.

Results

Results are located in the results/ directory. Visit the Reporting wiki for more information.

Examples of Operations

Run all modules on a target

python3 winremoteenum.py -u $USER -p $PASSWORD -d $DOMAIN $TARGET

Who are the members of BUILTIN\Administrators and BUILTIN\Remote Desktop Users on this target?

python3 winremoteenum.py -u $USER -p $PASSWORD -d $DOMAIN -m users $TARGET

Is my user a Local Administrator on this target?

python3 winremoteenum.py -u $USER -p $PASSWORD -d $DOMAIN -m host_info $TARGET

I'm hunting for a specific user's NT hash in LSASS' memory. Where is this user authenticated?

python3 winremoteenum.py -u $USER -p $PASSWORD -d $DOMAIN -m sessions,logged_on $RANGE

Which network shares can I read on this range?

python3 winremoteenum.py -u $USER -p $PASSWORD -d $DOMAIN -m shares $RANGE

Examples of Auditing

Has access to the SAM Remote Protocol been hardened on this range?

python3 winremoteenum.py -u $USER -p $PASSWORD -d $DOMAIN -m users -a $RANGE

Have session collection vectors been hardened on this range?

python3 winremoteenum.py -u $USER -p $PASSWORD -d $DOMAIN -m sessions,logged_on -a $RANGE

Acknowledgements

Thank you to the following for their direct or indirect involvement with the project:

• @marcan2020 for code review sessions, along with answering the unfortunate interrogations of "Design-wise, what would be the best way to ...".
• The impacket project for providing easy-to-use interactions with MS-RPC interfaces.

License

See the LICENSE file for legal wording. Essentially it is MIT, meaning that I cannot be held responsible for whatever results from using this code, and do not offer any warranty. By agreeing to this, you are free to use and do anything you like with the code.