WinRemoteEnum is a module-based collection of operations achievable by a low-privileged domain user.

Overview

WinRemoteEnum

WinRemoteEnum is a module-based collection of operations achievable by a low-privileged domain user, sharing the goal of remotely gathering information of Windows hosts, and their hardening status on commonly-leveraged techniques.

Since most is enumerated through exposed built-in MS-RPC methods, it is heavily based off impacket.

What Purpose Does WinRemoteEnum Serve?

While it is possible to obtain similar results using well-known tools, WinRemoteEnum simplifies the process by offering modules operating with minimal input, and generating easy-to-consume reports (HTML and JSON). Therefore, it is a great starting point to enumerate a given scope during an engagement, or to answer specific questions as described in the Example of Operations section.

Furthermore, WinRemoteEnum follows a read-only mindset, meaning that all requests aim to read information and never to write. Though, ensure to take notice of the Warning: Understanding the Impact section.

Lastly, the development of the tool was foremost a learning experience regarding concretely interacting with various MS-RPC interfaces, and the endless possibilities of domain hardening.

Auditing

When possible, modules implement an auditing feature allowing to easily report if a target has been hardened against the technique. Visit Example of Auditing for examples, and the wiki to learn about exactly what is audited.

Supported Windows Versions

WinRemoteEnum was tested successfully on Windows 7 SP1 and newer, both on workstations and servers.

While unsupported, most modules should work on Windows XP SP3 except users, which runs into a disagreement with MS-LSAD's LsarQueryInformationPolicy, and most-likely more methods.

In case of an unexpected behavior, please only open an issue for supported versions.

Warning: Understanding the Impact

The operator must take into account the following before executing WinRemoteEnum on a scope:

  1. Multiprocessing is used to enumerate a large amount of targets simultaneously. To be precise, two extra processes are spawned per module to perform the task; however only one module runs at a time.

  2. WinRemoteEnum will authenticate using the provided credentials a considerable amount of times, which depends entirely on the selected modules. In the context of a domain, this implies the usual impact of sending authentication requests to the domain controller, incrementing the badPwdCount attribute on failed login attempts, generating Windows Event logs and so on.

  3. Under the wiki page of each module is documented the RPC methods that will be called upon execution. Understand that depending on the monitoring strategy of the environment, these may very well trigger monitoring use cases. Therefore, ensure to inform the surveillance team of your operations.

Installation

git clone https://github.com/simondotsh/WinRemoteEnum
cd WinRemoteEnum/
python3 -m venv venv
source venv/bin/activate
pip3 install -r requirements.txt

Usage

usage: winremoteenum.py [-h] [-v] -u USERNAME -d DOMAIN [-p PASSWORD | -nt NT_HASH] [-m MODULES] [-a] [-nv] [-t TIMEOUT] targets

positional arguments:
  targets               Targets to enumerate. Must be a single IP (e.g. 10.0.0.1), a range (e.g. 10.0.0.0/24), or a file containing the
                        aforementioned formats separated by a new line.

optional arguments:
  -h, --help            show this help message and exit

  -v, --version         show program's version number and exit

  -u USERNAME, --username USERNAME
                        Username used to authenticate on targets.

  -d DOMAIN, --domain DOMAIN
                        Domain to authenticate to.

  -p PASSWORD, --password PASSWORD
                        Username's password. If a password or a hash is not provided, a prompt will request the password on execution.

  -nt NT_HASH, --nt-hash NT_HASH
                        Username's NT hash.

  -m MODULES, --modules MODULES
                        Modules to execute on targets, separated by a comma (,). List of modules: sessions,users,host_info,shares,logged_on
                        (default: runs all).

  -a, --audit           Audit mode. This will validate a subset of operations against targets for the selected modules, without reporting the
                        entire results. See the audit section in the wiki for each operation performed.

  -nv, --no-validation  Credentials and connectivity to targets will not be validated.

  -t TIMEOUT, --timeout TIMEOUT
                        Drops connection after x seconds when waiting to receive packets from the target (default: 2).

Modules

The wiki documents modules with their goals, MS-RPC methods used and design decisions.

Results

Results are located in the results/ directory. Visit the Reporting wiki for more information.

Examples of Operations

Run all modules on a target

python3 winremoteenum.py -u $USER -p $PASSWORD -d $DOMAIN $TARGET

Who are the members of BUILTIN\Administrators and BUILTIN\Remote Desktop Users on this target?

python3 winremoteenum.py -u $USER -p $PASSWORD -d $DOMAIN -m users $TARGET

Is my user a Local Administrator on this target?

python3 winremoteenum.py -u $USER -p $PASSWORD -d $DOMAIN -m host_info $TARGET

I'm hunting for a specific user's NT hash in LSASS' memory. Where is this user authenticated?

python3 winremoteenum.py -u $USER -p $PASSWORD -d $DOMAIN -m sessions,logged_on $RANGE

Which network shares can I read on this range?

python3 winremoteenum.py -u $USER -p $PASSWORD -d $DOMAIN -m shares $RANGE

Examples of Auditing

Has access to the SAM Remote Protocol been hardened on this range?

python3 winremoteenum.py -u $USER -p $PASSWORD -d $DOMAIN -m users -a $RANGE

Have session collection vectors been hardened on this range?

python3 winremoteenum.py -u $USER -p $PASSWORD -d $DOMAIN -m sessions,logged_on -a $RANGE

Acknowledgements

Thank you to the following for their direct or indirect involvement with the project:

  • @marcan2020 for code review sessions, along with answering the unfortunate interrogations of "Design-wise, what would be the best way to ...".
  • The impacket project for providing easy-to-use interactions with MS-RPC interfaces.

License

See the LICENSE file for legal wording. Essentially it is MIT, meaning that I cannot be held responsible for whatever results from using this code, and do not offer any warranty. By agreeing to this, you are free to use and do anything you like with the code.

You might also like...
SpiderFoot automates OSINT collection so that you can focus on analysis.
SpiderFoot automates OSINT collection so that you can focus on analysis.

SpiderFoot is an open source intelligence (OSINT) automation tool. It integrates with just about every data source available and utilises a range of m

A forensic collection tool written in Python.
A forensic collection tool written in Python.

CHIRP A forensic collection tool written in Python. Watch the video overview 📝 Table of Contents 📝 Table of Contents 🧐 About 🏁 Getting Started Pre

A collection of write-ups and solutions for Cyber FastTrack Spring 2021.
A collection of write-ups and solutions for Cyber FastTrack Spring 2021.

IMPORTANT: Please contact us before you use any styling or content shown here! Cyber FastTrack Spring 2021 / National Cyber Scholarship Competition -

Kunyu, more efficient corporate asset collection
Kunyu, more efficient corporate asset collection

Kunyu(坤舆) - More efficient corporate asset collection English | 中文文档 0x00 Introduce Tool introduction Kunyu (kunyu), whose name is taken from , is act

Convert a collection of features to a fixed-dimensional matrix using the hashing trick.

FeatureHasher Convert a collection of features to a fixed-dimensional matrix using the hashing trick. Note, this requires Jina=2.2.4. Example Here I

 Collection Of Discord Hacking Tools / Fun Stuff / Exploits That Is Completely Made Using Python.
Collection Of Discord Hacking Tools / Fun Stuff / Exploits That Is Completely Made Using Python.

Venom Collection Of Discord Hacking Tools / Fun Stuff / Exploits That Is Completely Made Using Python. Report Bug · Request Feature Contributing Well,

Vulnerability Exploitation Code Collection Repository

Introduction expbox is an exploit code collection repository List CVE-2021-41349 Exchange XSS PoC = Exchange 2013 update 23 = Exchange 2016 update 2

This collection of tools that makes it easy to secure and/or obfuscate messages, files, and data.
This collection of tools that makes it easy to secure and/or obfuscate messages, files, and data.

Scrambler App This collection of tools that makes it easy to secure and/or obfuscate messages, files, and data. It leverages encryption tools such as

A collection of intelligence about Log4Shell and its exploitation activity

Log4Shell-IOCs Members of the Curated Intelligence Trust Group have compiled a list of IOC feeds and threat reports focused on the recent Log4Shell ex

Releases(v1.1)
  • v1.1(Jan 12, 2022)

    Introducing the analysis feature. While it currently only supports the module users, this feature aims to provide scripts executable by the user after collecting results, in order to answer specific questions.

    The analysis script of users outputs the list of group members that are capable of accessing hosts remotely, and offers to filter on specific principals if desired.

    Usage and further information can be found in its dedicated wiki page: Analysis users.

    Source code(tar.gz)
    Source code(zip)
  • v1.0(Oct 27, 2021)

Owner
Simon
Simon
A collection of over 5.1 million sub-domains and assets belonging to public bug bounty programs, compiled into a repo, for performing bulk operations.

?? Public Bug Bounty Targets Data By BugBountyResources A collection of over 5.1M sub-domains and assets belonging to bug bounty targets, all put in a

Bug Bounty Resources 87 Dec 13, 2022
Exploiting CVE-2021-42278 and CVE-2021-42287 to impersonate DA from standard domain user

Exploiting CVE-2021-42278 and CVE-2021-42287 to impersonate DA from standard domain user Known issues it will not work outside kali , i will update it

Hossam 867 Dec 22, 2022
Exploiting CVE-2021-42278 and CVE-2021-42287 to impersonate DA from standard domain user

About Exploiting CVE-2021-42278 and CVE-2021-42287 to impersonate DA from standard domain user Changed from sam-the-admin. Usage SAM THE ADMIN CVE-202

Evi1cg 500 Jan 6, 2023
Python low-interaction honeyclient

Thug The number of client-side attacks has grown significantly in the past few years shifting focus on poorly protected vulnerable clients. Just as th

Angelo Dell'Aera 896 Dec 19, 2022
Separation of Mainlobes and Sidelobes in the Ultrasound Image Based on the Spatial Covariance (MIST) and Aperture-Domain Spectrum of Received Signals

Separation of Mainlobes and Sidelobes in the Ultrasound Image Based on the Spatial Covariance (MIST) and Aperture-Domain Spectrum of Received Signals

Rehman Ali 3 Jan 3, 2023
Add a Web Server based on Rogue Mysql Server to allow remote user get

介绍 对于需要使用 Rogue Mysql Server 的漏洞来说,若想批量检测这种漏洞的话需要自备一个服务器。并且我常用的Rogue Mysql Server 脚本 不支持动态更改读取文件名、不支持远程用户访问读取结果、不支持批量化检测网站。于是乎萌生了这个小脚本的想法 Rogue-MySql-

null 6 May 17, 2022
FBGen is simple facebook user based wordlist generator using Username/ID and cookie.

FBGen is simple facebook user based wordlist generator using Username/ID and cookie.

null 2 Jul 20, 2022
A DOM-based G-Suite password sprayer and user enumerator

A DOM-based G-Suite password sprayer and user enumerator

Mayk 1 Apr 7, 2022
A Radare2 based Python module for Binary Analysis and Reverse Engineering.

Zepu1chr3 A Radare2 based Python module for Binary Analysis and Reverse Engineering. Installation You can simply run this command. pip3 install zepu1c

Mehmet Ali KERİMOĞLU 5 Aug 25, 2022