Windows Enumeration

Command Line

  1. System

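# Get system information: OS name/version/build, install date, hotfixes,
# domain or workgroup membership, NICs
systeminfo
# findstr /C: is case-sensitive and systeminfo labels the field "OS Version",
# so the filter must use that casing (or add /I) to match anything
systeminfo | findstr /B /C:"OS Version"
systeminfo | findstr Domain

# Get installed hotfixes (qfe = quick fix engineering)
# wmic is deprecated on current Windows builds and may be absent; the PowerShell
# equivalent is Get-WmiObject -Class Win32_QuickFixEngineering
wmic qfe

# Get list of drives with selected columns (property names fixed:
# "description" and "providername" are the real WMI property names, the
# misspelled ones return "Invalid query")
wmic logicaldisk get caption,description,providername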
  1. User Enumeration

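# print current user as DOMAIN\user
whoami

# list privileges assigned to the current token and whether each is enabled
whoami /priv

# list the groups the current user is a member of (with SIDs)
whoami /groups

# print users on the computer and get the details of one of them
net user
net user <username>

# list local groups, then the members of the built-in administrators group
# (the group is named "Administrators"; "administrator" is the built-in user,
# so "net localgroup administrator" fails with "group name could not be found")
net localgroup
net localgroup administrators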
  1. Network Enumeration

# Interfaces and their IP configuration
ipconfig
ipconfig /all # verbose: MAC addresses, DHCP and DNS servers

# ARP cache: hosts on the local segment this machine has resolved recently
arp -a

# Socket enumeration: -a all sockets, -b owning executable (needs an elevated
# prompt, otherwise netstat errors out), -n numeric addresses, -o owning PID
netstat -a -b -n -o
  1. Password Hunting

# Recursive (/s), case-insensitive (/i) search for "password" in every .txt
# file below the current directory
findstr /s /i Password *.txt
  1. AV Enumeration

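# Check if the Windows Defender service is running
sc query windefend

# list services: "sc queryex" expects a service name or a "type=" filter,
# so "sc queryex service" only looks up a service literally named "service".
# Note the mandatory space after each "="
sc queryex type= service state= all

# Firewall enumeration
netsh advfirewall show allprofiles   # state and logging settings per profile
netsh advfirewall firewall dump
# "netsh firewall" is the legacy context and is removed on newer Windows;
# keep it only as a fallback for old hosts
netsh firewall show state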

WMI

  1. Antivirus Details

# Antivirus products registered with Security Center. The root\SecurityCenter2
# namespace only exists on client editions of Windows, so this returns nothing
# on Windows Server. Get-WmiObject is absent in PowerShell 7 (Core); use
# Get-CimInstance there.
Get-WmiObject -Class AntiVirusProduct -Namespace root\SecurityCenter2

# Defender status: real-time protection on/off, signature age, last scan times.
# Needs the Defender PowerShell module, so it fails where Defender is not installed.
Get-MpComputerStatus
  1. Services

# All registered services (Name, State, StartMode, PathName, ...). root\cimv2 is
# the namespace that holds the Win32_* classes and is also the default.
# Get-WmiObject is absent in PowerShell 7 (Core); Get-CimInstance is the replacement.
Get-WmiObject -Class Win32_Service -Namespace root\cimv2
  1. Processor Architecture

# Processor details: AddressWidth (32/64-bit), Architecture, model, core count
Get-WmiObject -Class Win32_Processor -Namespace root\cimv2
  1. Logged On User

# Interactively logged-on user (DOMAIN\user); empty when nobody is logged on at
# the console
Get-WmiObject -Class Win32_ComputerSystem | Select-Object UserName
  1. Installed HotFix

# Installed hotfixes / updates (HotFixID, InstalledOn); PowerShell side of "wmic qfe"
Get-WmiObject Win32_QuickFixEngineering
  1. Get log files locations

# Event log files known to the system with their on-disk locations (Name) and sizes
Get-WmiObject Win32_NTEventlogFile
  1. Get Command Line to start process

# Running processes with the full command line each was started with
Get-WmiObject Win32_Process | Select-Object ProcessName, CommandLine
  1. Get BinPath for running services

# Binary path of every registered service (running or not); "select" alias spelled out
Get-WmiObject Win32_Service | Select-Object -Property DisplayName, PathName
  1. Routing table

# IPv4 routing table (Destination, Mask, NextHop, InterfaceIndex, Metric1)
Get-WmiObject Win32_IP4RouteTable
  1. User Accounts

# Local user accounts; on a domain-joined host this also enumerates domain
# accounts and can be slow
Get-WmiObject Win32_UserAccount
  1. Groups

# Local (and domain) groups; membership is in the Win32_GroupUser association class
Get-WmiObject Win32_Group
  1. Shadow Copy Information

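# List existing shadow copies (ID, InstallDate, DeviceObject path)
Get-WmiObject -Class Win32_ShadowCopy
# The Win32_ShadowCopy class also exposes a Create method that takes a new
# shadow copy of a volume. Create and the mklink below both need an elevated
# prompt. Create returns ReturnValue (0 = success) and the ShadowID of the new copy.
$result = (Get-WmiObject -Class Win32_ShadowCopy -List).Create("C:\", "ClientAccessible")
# Look up the copy by the returned ID. Reading .DeviceObject off the bare class
# query breaks as soon as more than one shadow copy exists: it returns an
# array, + "\" appends an element instead of a suffix, and mklink then receives
# a space-joined list of device paths.
$shadow = Get-WmiObject -Class Win32_ShadowCopy | Where-Object { $_.ID -eq $result.ShadowID }
# The trailing backslash on the device path is required for the directory link to resolve
$link = $shadow.DeviceObject + "\"
cmd /c mklink /d C:\shadowcopy "$link"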

Automated Tools

Executables

  • winPEAS.exe

  • Seatbelt.exe

  • Watson.exe

  • SharpUp.exe

Powershell

  • Sherlock.ps1

  • PowerUp.ps1

  • jaws-enum.ps1

Other

  • Windows-exploit-suggester (local)

  • Exploit Suggester (metasploit)
