WinRemoteEnum is a module-based collection of operations achievable by a low-privileged domain user.

Overview

WinRemoteEnum

WinRemoteEnum is a module-based collection of operations achievable by a low-privileged domain user, sharing the goal of remotely gathering information of Windows hosts, and their hardening status on commonly-leveraged techniques.

Since most is enumerated through exposed built-in MS-RPC methods, it is heavily based off impacket.

What Purpose Does WinRemoteEnum Serve?

While it is possible to obtain similar results using well-known tools, WinRemoteEnum simplifies the process by offering modules operating with minimal input, and generating easy-to-consume reports (HTML and JSON). Therefore, it is a great starting point to enumerate a given scope during an engagement, or to answer specific questions as described in the Example of Operations section.

Furthermore, WinRemoteEnum follows a read-only mindset, meaning that all requests aim to read information and never to write. Though, ensure to take notice of the Warning: Understanding the Impact section.

Lastly, the development of the tool was foremost a learning experience regarding concretely interacting with various MS-RPC interfaces, and the endless possibilities of domain hardening.

Auditing

When possible, modules implement an auditing feature allowing to easily report if a target has been hardened against the technique. Visit Example of Auditing for examples, and the wiki to learn about exactly what is audited.

Supported Windows Versions

WinRemoteEnum was tested successfully on Windows 7 SP1 and newer, both on workstations and servers.

While unsupported, most modules should work on Windows XP SP3 except users, which runs into a disagreement with MS-LSAD's LsarQueryInformationPolicy, and most-likely more methods.

In case of an unexpected behavior, please only open an issue for supported versions.

Warning: Understanding the Impact

The operator must take into account the following before executing WinRemoteEnum on a scope:

  1. Multiprocessing is used to enumerate a large amount of targets simultaneously. To be precise, two extra processes are spawned per module to perform the task; however only one module runs at a time.

  2. WinRemoteEnum will authenticate using the provided credentials a considerable amount of times, which depends entirely on the selected modules. In the context of a domain, this implies the usual impact of sending authentication requests to the domain controller, incrementing the badPwdCount attribute on failed login attempts, generating Windows Event logs and so on.

  3. Under the wiki page of each module is documented the RPC methods that will be called upon execution. Understand that depending on the monitoring strategy of the environment, these may very well trigger monitoring use cases. Therefore, ensure to inform the surveillance team of your operations.

Installation

git clone https://github.com/simondotsh/WinRemoteEnum
cd WinRemoteEnum/
python3 -m venv venv
source venv/bin/activate
pip3 install -r requirements.txt

Usage

usage: winremoteenum.py [-h] [-v] -u USERNAME -d DOMAIN [-p PASSWORD | -nt NT_HASH] [-m MODULES] [-a] [-nv] [-t TIMEOUT] targets

positional arguments:
  targets               Targets to enumerate. Must be a single IP (e.g. 10.0.0.1), a range (e.g. 10.0.0.0/24), or a file containing the
                        aforementioned formats separated by a new line.

optional arguments:
  -h, --help            show this help message and exit

  -v, --version         show program's version number and exit

  -u USERNAME, --username USERNAME
                        Username used to authenticate on targets.

  -d DOMAIN, --domain DOMAIN
                        Domain to authenticate to.

  -p PASSWORD, --password PASSWORD
                        Username's password. If a password or a hash is not provided, a prompt will request the password on execution.

  -nt NT_HASH, --nt-hash NT_HASH
                        Username's NT hash.

  -m MODULES, --modules MODULES
                        Modules to execute on targets, separated by a comma (,). List of modules: sessions,users,host_info,shares,logged_on
                        (default: runs all).

  -a, --audit           Audit mode. This will validate a subset of operations against targets for the selected modules, without reporting the
                        entire results. See the audit section in the wiki for each operation performed.

  -nv, --no-validation  Credentials and connectivity to targets will not be validated.

  -t TIMEOUT, --timeout TIMEOUT
                        Drops connection after x seconds when waiting to receive packets from the target (default: 2).

Modules

The wiki documents modules with their goals, MS-RPC methods used and design decisions.

Results

Results are located in the results/ directory. Visit the Reporting wiki for more information.

Examples of Operations

Run all modules on a target

python3 winremoteenum.py -u $USER -p $PASSWORD -d $DOMAIN $TARGET

Who are the members of BUILTIN\Administrators and BUILTIN\Remote Desktop Users on this target?

python3 winremoteenum.py -u $USER -p $PASSWORD -d $DOMAIN -m users $TARGET

Is my user a Local Administrator on this target?

python3 winremoteenum.py -u $USER -p $PASSWORD -d $DOMAIN -m host_info $TARGET

I'm hunting for a specific user's NT hash in LSASS' memory. Where is this user authenticated?

python3 winremoteenum.py -u $USER -p $PASSWORD -d $DOMAIN -m sessions,logged_on $RANGE

Which network shares can I read on this range?

python3 winremoteenum.py -u $USER -p $PASSWORD -d $DOMAIN -m shares $RANGE

Examples of Auditing

Has access to the SAM Remote Protocol been hardened on this range?

python3 winremoteenum.py -u $USER -p $PASSWORD -d $DOMAIN -m users -a $RANGE

Have session collection vectors been hardened on this range?

python3 winremoteenum.py -u $USER -p $PASSWORD -d $DOMAIN -m sessions,logged_on -a $RANGE

Acknowledgements

Thank you to the following for their direct or indirect involvement with the project:

  • @marcan2020 for code review sessions, along with answering the unfortunate interrogations of "Design-wise, what would be the best way to ...".
  • The impacket project for providing easy-to-use interactions with MS-RPC interfaces.

License

See the LICENSE file for legal wording. Essentially it is MIT, meaning that I cannot be held responsible for whatever results from using this code, and do not offer any warranty. By agreeing to this, you are free to use and do anything you like with the code.

You might also like...
SpiderFoot automates OSINT collection so that you can focus on analysis.
SpiderFoot automates OSINT collection so that you can focus on analysis.

SpiderFoot is an open source intelligence (OSINT) automation tool. It integrates with just about every data source available and utilises a range of m

A forensic collection tool written in Python.
A forensic collection tool written in Python.

CHIRP A forensic collection tool written in Python. Watch the video overview 📝 Table of Contents 📝 Table of Contents 🧐 About 🏁 Getting Started Pre

A collection of write-ups and solutions for Cyber FastTrack Spring 2021.
A collection of write-ups and solutions for Cyber FastTrack Spring 2021.

IMPORTANT: Please contact us before you use any styling or content shown here! Cyber FastTrack Spring 2021 / National Cyber Scholarship Competition -

Kunyu, more efficient corporate asset collection
Kunyu, more efficient corporate asset collection

Kunyu(坤舆) - More efficient corporate asset collection English | 中文文档 0x00 Introduce Tool introduction Kunyu (kunyu), whose name is taken from , is act

Convert a collection of features to a fixed-dimensional matrix using the hashing trick.

FeatureHasher Convert a collection of features to a fixed-dimensional matrix using the hashing trick. Note, this requires Jina=2.2.4. Example Here I

 Collection Of Discord Hacking Tools / Fun Stuff / Exploits That Is Completely Made Using Python.
Collection Of Discord Hacking Tools / Fun Stuff / Exploits That Is Completely Made Using Python.

Venom Collection Of Discord Hacking Tools / Fun Stuff / Exploits That Is Completely Made Using Python. Report Bug · Request Feature Contributing Well,

Vulnerability Exploitation Code Collection Repository

Introduction expbox is an exploit code collection repository List CVE-2021-41349 Exchange XSS PoC = Exchange 2013 update 23 = Exchange 2016 update 2

This collection of tools that makes it easy to secure and/or obfuscate messages, files, and data.
This collection of tools that makes it easy to secure and/or obfuscate messages, files, and data.

Scrambler App This collection of tools that makes it easy to secure and/or obfuscate messages, files, and data. It leverages encryption tools such as

A collection of intelligence about Log4Shell and its exploitation activity

Log4Shell-IOCs Members of the Curated Intelligence Trust Group have compiled a list of IOC feeds and threat reports focused on the recent Log4Shell ex

Releases(v1.1)
  • v1.1(Jan 12, 2022)

    Introducing the analysis feature. While it currently only supports the module users, this feature aims to provide scripts executable by the user after collecting results, in order to answer specific questions.

    The analysis script of users outputs the list of group members that are capable of accessing hosts remotely, and offers to filter on specific principals if desired.

    Usage and further information can be found in its dedicated wiki page: Analysis users.

    Source code(tar.gz)
    Source code(zip)
  • v1.0(Oct 27, 2021)

Owner
Simon
Simon
The Multi-Tool Web Vulnerability Scanner.

🟥 RapidScan v1.2 - The Multi-Tool Web Vulnerability Scanner RapidScan has been ported to Python3 i.e. v1.2. The Python2.7 codebase is available on v1

skavngr 1.3k Dec 31, 2022
Files related to PoC||GTFO 21:21 - NSA’s Backdoor of the PX1000-Cr

Files related to PoC||GTFO 21:21 - NSA’s Backdoor of the PX1000-Cr 64bit2key.py

Stefan Marsiske 15 Nov 26, 2022
Mr.Holmes is a information gathering tool (OSINT)

🔍 Mr.Holmes Mr.Holmes is a information gathering tool (OSINT). Is main purpose is to gain information about domains,username and phone numbers with t

534 Jan 08, 2023
PyExtractor is a decompiler that can fully decompile exe's compiled with pyinstaller or py2exe

PyExtractor is a decompiler that can fully decompile exe's compiled with pyinstaller or py2exe with additional features such as malware checker/detector! Also checks file(s) for suspicious words, dis

Rdimo 56 Jul 31, 2022
Driver Buddy Reloaded is an IDA Pro Python plugin that helps automate some tedious Windows Kernel Drivers reverse engineering tasks.

Driver Buddy Reloaded Quickstart Table of Contents Installation Usage About Driver Buddy Reloaded Finding DispatchDeviceControl Labelling WDM & WDF St

Paolo 'VoidSec' Stagno 199 Jan 04, 2023
An intranet tool for easily intranet pentesting

IntarKnife v1.0 a tool can be used in intarnet for easily pentesting moudle hash spray U can use this tool to spray hash on a webshell IntraKnife.exe

4 Nov 24, 2021
Log4j vuln fuzz/scan with python

Log4jFuzz log4j vuln fuzz/scan USE // it's use localhost udp server to check target vuln. python3 log4jFuzz.py [option] optional arguments: -u URL,

VVzv 3 Dec 22, 2021
Add a Web Server based on Rogue Mysql Server to allow remote user get

介绍 对于需要使用 Rogue Mysql Server 的漏洞来说,若想批量检测这种漏洞的话需要自备一个服务器。并且我常用的Rogue Mysql Server 脚本 不支持动态更改读取文件名、不支持远程用户访问读取结果、不支持批量化检测网站。于是乎萌生了这个小脚本的想法 Rogue-MySql-

6 May 17, 2022
Password List Creator Simple !

Password List Creator Simple !

MR.D3F417 4 Jan 27, 2022
PKUAutoElective for 2021 spring semester

PKUAutoElective 2021 Spring Version Update at Mar 7 15:28 (UTC+8): 修改了 get_supplement 的 API 参数,已经可以实现课程列表页面的正常跳转,请更新至最新 commit 版本 本项目基于 PKUAutoElectiv

Zihan Mao 84 Sep 09, 2022
Official repository for Pyew.

pyew Pyew is a (command line) python tool to analyse malware. It does have support for hexadecimal viewing, disassembly (Intel 16, 32 and 64 bits), PE

Joxean 362 Nov 28, 2022
Update of uncaptcha2 from 2019

YouTube Video Proof of Concept I created a new YouTube Video with technical Explanation for breaking Google's Audio reCAPTCHAs: Click on the image bel

Nikolai Tschacher 153 Dec 20, 2022
A python based tool that executes various CVEs to gain root privileges as root on various MAC OS platforms.

MacPer A python based tool that executes various CVEs to gain root privileges as root on various MAC OS platforms. Not all of the exploits directly sp

20 Nov 30, 2022
Pre-Auth Blind NoSQL Injection leading to Remote Code Execution in Rocket Chat 3.12.1

CVE-2021-22911 Pre-Auth Blind NoSQL Injection leading to Remote Code Execution in Rocket Chat 3.12.1 The getPasswordPolicy method is vulnerable to NoS

Enox 47 Nov 09, 2022
Proof-of-concept obfuscation toolkit for C# post-exploitation tools

InvisibilityCloak Proof-of-concept obfuscation toolkit for C# post-exploitation tools. This will perform the below actions for a C# visual studio proj

259 Dec 19, 2022
Webpack自动化信息收集

Webpack-信息收集工具 郑重声明:文中所涉及的技术、思路和工具仅供以安全为目的的学习交流使用,任何人不得将其用于非法用途以及盈利等目的,否则后果自行承担。 0x01 介绍 作者:小洲 团队:横戈安全团队,未来一段时间将陆续开源工具,欢迎关注微信公众号: 定位:协助红队人员快速的信息收集,测绘目

小洲 214 Dec 19, 2022
A token logger for discord + steals Brave/Chrome passwords and usernames

Backdoor Machine - ❗ For educational purposes only ❗ A program made in python for stealing passwords and usernames from Google Chrome/Brave and tokenl

36 Jul 18, 2021
GitHub Advance Security Compliance Action

advanced-security-compliance This Action was designed to allow users to configure their Risk threshold for security issues reported by GitHub Code Sca

Mathew Payne 121 Dec 14, 2022
ORector - A Fast Python tool designed to detect open redirects vulnerabilities on websites

ORector is a Fast Python tool designed to detect open redirects vulnerabilities

11 Apr 02, 2022
A simple python-function, to gain all wlan passwords from stored wlan-profiles on a computer.

Wlan Fetcher Windows10 Description A simple python-function, to gain all wlan passwords from stored wlan-profiles on a computer. Usage This Script onl

2 Nov 20, 2021