# Windows Enumeration

## **Enumeration**

## **System Information**

1. **Basic System Info**
   * `hostname`\
     Displays the hostname of the current machine.
   * `qwinsta`\
     Lists users connected to the machine along with session details. Similar to Linux's `w` or `who`.
   * `query user`\
     Shows details about active sessions.
2. **Detailed System Information**
   * `systeminfo`\
     Retrieves comprehensive system details.

     **Filter specific details:**

     ```cmd
     systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type"
     ```
   * Using PowerShell:

     ```powershell
     [System.Environment]::OSVersion.Version
     ```
3. **Patch and Update Information**
   * **CMD:**
     * `wmic qfe get Caption, Description, HotFixID, InstalledOn` (List installed patches)
     * `wmic qfe list brief` (Quick overview of updates)
     * `wmic product get name` (List installed programs)
   * **PowerShell:**
     * `Get-HotFix | ft -AutoSize` (List installed patches)
     * `Get-WmiObject -Class Win32_Product | select Name, Version` (Installed programs; note that querying `Win32_Product` makes Windows Installer run a consistency check, and possibly a repair, of every MSI-installed package, so it is slow and generates event-log noise)
4. **Running Processes**
   * **CMD:**

     ```cmd
     tasklist /svc
     ```

     Lists all running processes and associated services.

***

## **Domain Status**

* **PowerShell:**

  ```powershell
  (Get-WmiObject -Class Win32_ComputerSystem).PartOfDomain
  ```

  Returns `True` if the machine is part of a domain.
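The following added example (not from the original page) combines the system, patch, installed-program and domain checks above into one inventory function. It uses CIM instead of the deprecated `Get-WmiObject`, and reads installed programs from the Uninstall registry keys rather than `Win32_Product`, which would trigger MSI consistency checks.

```powershell
# Added example: one-shot host inventory covering the facts enumerated above.
function Get-HostInventory {
    [CmdletBinding()]
    param()

    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem

    # Uninstall keys for 64-bit, 32-bit (WOW6432Node) and per-user installs.
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $programs = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        Select-Object DisplayName, DisplayVersion, Publisher, InstallDate |
        Sort-Object DisplayName -Unique

    # Newest patch first; the date of the most recent one is a quick patch-level indicator.
    $hotfixes = Get-HotFix | Sort-Object InstalledOn -Descending |
        Select-Object HotFixID, Description, InstalledOn

    [PSCustomObject]@{
        Hostname     = $env:COMPUTERNAME
        OSName       = $os.Caption
        OSVersion    = $os.Version
        Architecture = $os.OSArchitecture
        LastBoot     = $os.LastBootUpTime
        PartOfDomain = $cs.PartOfDomain
        Domain       = $cs.Domain
        LastHotFix   = ($hotfixes | Select-Object -First 1).InstalledOn
        HotFixCount  = @($hotfixes).Count
        HotFixes     = $hotfixes
        Programs     = $programs
    }
}

# Usage: print the summary, then the detailed lists.
$inv = Get-HostInventory
$inv | Select-Object Hostname, OSName, OSVersion, Architecture, PartOfDomain, Domain, LastBoot, LastHotFix, HotFixCount | Format-List
$inv.HotFixes | Format-Table -AutoSize
$inv.Programs | Format-Table -AutoSize
```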

***

## **PowerShell and AppLocker Policies**

1. **PowerShell Execution Policy**

   ```powershell
   Get-ExecutionPolicy -List
   ```
2. **AppLocker Policy Rules**

   ```powershell
   Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections
   ```
3. **Testing AppLocker Policies**

   ```powershell
   Get-AppLockerPolicy -Local | Test-AppLockerPolicy -path C:\Windows\System32\cmd.exe -User Everyone
   ```
4. **PowerShell History**\
   Retrieve the PowerShell command history for a specific user:

   ```powershell
   Get-Content C:\Users\<USERNAME>\AppData\Roaming\Microsoft\Windows\Powershell\PSReadline\ConsoleHost_history.txt
   ```
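As an added example (not from the original page), the function below evaluates the effective AppLocker policy against a list of executables for a given user and reports each rule collection's enforcement mode, so an `AuditOnly` collection is not mistaken for a blocking one. The default path list and the `Everyone` user are assumptions; `Get-AppLockerPolicy` and `Test-AppLockerPolicy` require the AppLocker module.

```powershell
# Added example: check what the effective AppLocker policy decides for a set of files.
function Test-AppLockerCoverage {
    param(
        [string[]]$Path = @(
            "$env:SystemRoot\System32\cmd.exe",
            "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe",
            "$env:SystemRoot\System32\cscript.exe",
            "$env:SystemRoot\System32\mshta.exe"
        ),
        [string]$User = 'Everyone'
    )

    $policy = Get-AppLockerPolicy -Effective

    # Enforcement mode per collection (Exe, Script, Msi, Dll, Appx):
    # 'Enabled' blocks, 'AuditOnly' only logs, 'NotConfigured' does nothing.
    $modes = $policy.RuleCollections |
        Select-Object RuleCollectionType, EnforcementMode, @{ n = 'Rules'; e = { @($_).Count } }
    if (-not $modes) {
        Write-Warning 'No effective AppLocker rule collections: nothing is being enforced.'
    }

    # Only test files that exist on this host.
    $existing = $Path | Where-Object { Test-Path -Path $_ }
    $decisions = $policy | Test-AppLockerPolicy -Path $existing -User $User |
        Select-Object FilePath, PolicyDecision, MatchingRule

    [PSCustomObject]@{
        EnforcementModes = $modes
        Decisions        = $decisions
    }
}

# Usage: show enforcement modes, then the per-file decisions grouped by outcome.
$result = Test-AppLockerCoverage
$result.EnforcementModes | Format-Table -AutoSize
$result.Decisions | Format-Table -AutoSize
$result.Decisions | Group-Object PolicyDecision | Select-Object Name, Count
```

`PolicyDecision` distinguishes `Allowed`/`Denied` (matched by an explicit rule) from `AllowedByDefault`/`DeniedByDefault` (no matching rule), which is the difference between a policy that was written for that file and one that is silent about it.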

***

## **Environment Variables**

1. **CMD:**

   ```cmd
   set
   ```
2. **PowerShell:**

   ```powershell
   Get-ChildItem Env: | ft Key,Value
   ```

***

## **Windows Defender**

1. **Firewall and Antivirus Status (CMD):**
   * View firewall profiles:

     ```cmd
     netsh advfirewall show allprofiles
     ```
   * Check Windows Defender status:

     ```cmd
     sc query windefend
     ```
2. **Windows Defender Status (PowerShell):**

   ```powershell
   Get-MpComputerStatus
   ```

***

## **Users**

1. **Current User Details:**
   * `whoami /all`
   * `whoami /priv`
   * `whoami /groups`
2. **Local Users (CMD):**
   * List all users: `net users`
   * Get user details: `net user <USER>`
   * Current user's details: `net user %username%`
   * Password policy:

     ```cmd
     net accounts
     net accounts /domain
     ```
3. **Create a New User:**

   ```cmd
   net user /add <USERNAME> <PASSWORD>
   ```
4. **User Domain and SID Information:**
   * Show domain:

     ```cmd
     echo "%USERDOMAIN%"
     ```
   * Check login server:

     ```cmd
     echo %logonserver%
     ```
   * Display domain, name, and SID:

     ```cmd
     wmic USERACCOUNT Get Domain,Name,Sid
     ```

***

## **Groups**

1. **Local Groups:**
   * List all groups: `net localgroup`
   * Group details: `net localgroup Administrators`
   * Add a user to administrators:

     ```cmd
     net localgroup administrators <USERNAME> /add
     ```
2. **Domain Groups:**
   * Info about domain groups: `net group /domain`
   * List users in a group: `net group /domain <DOMAIN_GROUP_NAME>`
   * List connected computers:

     ```cmd
     net group "Domain Computers" /domain
     ```
   * Domain controllers:

     ```cmd
     net group "Domain Controllers" /domain
     ```

***

## **Network Enumeration**

1. **Basic Networking Information:**
   * `ipconfig` (`ifconfig` is a Linux command and does not exist on Windows)
   * `ipconfig /all`
2. **Routing and Firewall Status:**
   * Routing table: `route print`
   * ARP table: `arp -a`
   * Open ports and connections: `netstat -ano`
   * Firewall state:

     ```cmd
     netsh advfirewall show state
     ```

***

## **Shared Resources**

1. **Common Shares:**
   * `C$`: Administrative share for `C:\`.
   * `ADMIN$`: Assigned to `C:\Windows`.
   * `IPC$`: Used for interprocess communication (RPC).
   * `SYSVOL`: Only on Domain Controllers (DCs).
   * `NETLOGON`: Available on DCs for logon scripts and policies.
2. **Commands:**
   * List SMB shares:

     ```powershell
     Get-SMBShare
     net share
     ```
   * Mount a share:

     ```cmd
     net use z: \\172.16.0.1\C$ /user:elliot "P@ssword123!"
     ```
   * Unmount a share:

     ```cmd
     net use /delete z:
     ```
   * View shared resources on a host:

     ```cmd
     net view \\172.16.0.1 /all
     ```
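As an added example (not from the original page), the function below lists every SMB share on the local host together with its share-level ACL and flags entries that grant broad principals more than read access. It assumes the `SmbShare` module (Windows 8 / Server 2012 and later) and an elevated session, since `Get-SmbShareAccess` needs administrative rights; the list of "broad" principals is an assumption you can extend.

```powershell
# Added example: audit share permissions instead of only listing share names.
function Get-ShareAudit {
    param(
        # Principals that effectively mean "anyone who can reach the host".
        [string[]]$BroadPrincipals = @(
            'Everyone',
            'BUILTIN\Users',
            'NT AUTHORITY\Authenticated Users',
            'NT AUTHORITY\ANONYMOUS LOGON'
        )
    )

    foreach ($share in Get-SmbShare) {
        # Share-level ACL only; NTFS permissions on $share.Path still apply on top of it.
        foreach ($ace in Get-SmbShareAccess -Name $share.Name) {
            $broad = $BroadPrincipals -contains $ace.AccountName
            [PSCustomObject]@{
                Share        = $share.Name
                Path         = $share.Path
                IsAdminShare = $share.Special        # C$, ADMIN$, IPC$ and friends
                Account      = $ace.AccountName
                Type         = $ace.AccessControlType # Allow or Deny
                AccessRight  = $ace.AccessRight       # Full, Change or Read
                Flag         = ($broad -and
                                $ace.AccessControlType -eq 'Allow' -and
                                $ace.AccessRight -ne 'Read')
            }
        }
    }
}

# Usage: full listing, then only the entries worth a second look.
$audit = Get-ShareAudit
$audit | Format-Table -AutoSize
$audit | Where-Object Flag | Select-Object Share, Path, Account, AccessRight
```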

***
