
Windows Enumeration

Enumeration

System Information

  1. Basic System Info

    • hostname: Displays the hostname of the current machine.

    • qwinsta: Lists users connected to the machine along with session details (similar to Linux's w or who).

    • query user: Shows details about active sessions.

  2. Detailed System Information

    • systeminfo: Retrieves comprehensive system details.

      Filter specific details:

      systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type"
    • Using PowerShell:

      [System.Environment]::OSVersion.Version
  3. Patch and Update Information

    • CMD:

      • wmic qfe get Caption, Description, HotFixID, InstalledOn (List installed patches)

      • wmic qfe list brief (Quick overview of updates)

      • wmic product get name (List installed programs)

    • PowerShell:

      • Get-HotFix | ft -AutoSize (List installed patches)

      • Get-WmiObject -Class Win32_Product | select Name, Version (Installed programs; note that querying Win32_Product makes Windows Installer run a consistency check on every MSI package, which is slow and leaves MsiInstaller entries in the Application event log)

  4. Running Processes

    • CMD:

      tasklist /svc

      Lists all running processes and associated services.


Domain Status

  • PowerShell:

    (Get-WmiObject -Class Win32_ComputerSystem).PartOfDomain

    Returns True if the machine is part of a domain.


PowerShell and AppLocker Policies

  1. PowerShell Execution Policy

    Get-ExecutionPolicy -List
  2. AppLocker Policy Rules

    Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections
  3. Testing AppLocker Policies

    Get-AppLockerPolicy -Local | Test-AppLockerPolicy -path C:\Windows\System32\cmd.exe -User Everyone
  4. PowerShell History: Retrieve the PowerShell command history for a specific user:

    Get-Content C:\Users\<USERNAME>\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt

Environment Variables

  1. CMD:

    set
  2. PowerShell:

    Get-ChildItem Env: | ft Key,Value

Windows Defender

  1. Firewall and Antivirus Status (CMD):

    • View firewall profiles:

      netsh advfirewall show allprofiles
    • Check Windows Defender status:

      sc query windefend
  2. Windows Defender Status (PowerShell):

    Get-MpComputerStatus

Users

  1. Current User Details:

    • whoami /all

    • whoami /priv

    • whoami /groups

  2. Local Users (CMD):

    • List all users: net users

    • Get user details: net user <USER>

    • Current user's details: net user %username%

    • Password policy:

      net accounts
      net accounts /domain
  3. Create a New User:

    net user <USERNAME> <PASSWORD> /add
  4. User Domain and SID Information:

    • Show domain:

      echo %USERDOMAIN%
    • Check login server:

      echo %logonserver%
    • Display domain, name, and SID:

      wmic USERACCOUNT Get Domain,Name,Sid

Groups

  1. Local Groups:

    • List all groups: net localgroup

    • Group details: net localgroup Administrators

    • Add a user to administrators:

      net localgroup administrators <USERNAME> /add
  2. Domain Groups:

    • Info about domain groups: net group /domain

    • List users in a group: net group /domain <DOMAIN_GROUP_NAME>

    • List connected computers:

      net group "Domain Computers" /domain
    • Domain controllers:

      net group "Domain Controllers" /domain

Network Enumeration

  1. Basic Networking Information:

    • ipconfig (the Windows equivalent of Linux's ifconfig)

    • ipconfig /all

  2. Routing and Firewall Status:

    • Routing table: route print

    • ARP table: arp -a

    • Open ports and connections: netstat -ano

    • Firewall state:

      netsh advfirewall show state

Shared Resources

  1. Common Shares:

    • C$: Administrative share for the C:\ drive.

    • ADMIN$: Maps to C:\Windows.

    • IPC$: Used for interprocess communication (RPC).

    • SYSVOL: Only on Domain Controllers (DCs).

    • NETLOGON: Available on DCs for logon scripts and policies.

  2. Commands:

    • List SMB shares:

      Get-SmbShare
      net share
    • Mount a share:

      net use z: \\172.16.0.1\C$ /user:elliot "P@ssword123!"
    • Unmount a share:

      net use z: /delete
    • View shared resources on a host:

      net view \\172.16.0.1 /all
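As an added example (not part of the original page), the checks from the sections above combined into one PowerShell audit function that returns a single object and lists hardening findings; the function name, the 90-day patch threshold and the list of expected default shares are my own assumptions.

```powershell
# Added example, not from the original page: wraps the checks above into one
# audit function and flags weak settings. Run in an elevated PowerShell 5.1+
# on the host under review (needs the Defender, NetSecurity and SmbShare modules).
function Get-HostAuditSnapshot {
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $findings = [System.Collections.Generic.List[string]]::new()

    # Patch level: date of the newest hotfix is a quick staleness signal (90 days is an assumed threshold)
    $lastPatch = (Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 1).InstalledOn
    if ($lastPatch -and $lastPatch -lt (Get-Date).AddDays(-90)) {
        $findings.Add("No hotfix installed in the last 90 days (last: $lastPatch)")
    }
    # Execution policy at machine scope: Unrestricted/Bypass removes script signing checks
    $policy = Get-ExecutionPolicy -Scope LocalMachine
    if ($policy -in 'Unrestricted', 'Bypass') { $findings.Add("LocalMachine execution policy is $policy") }

    # Defender real-time protection should be on
    $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
    if ($mp -and -not $mp.RealTimeProtectionEnabled) { $findings.Add('Defender real-time protection is disabled') }

    # Every firewall profile (Domain/Private/Public) should be enabled
    foreach ($p in Get-NetFirewallProfile | Where-Object { $_.Enabled -eq 'False' }) {
        $findings.Add("Firewall profile '$($p.Name)' is disabled")
    }
    # Shares beyond the default administrative ones deserve a second look
    $defaultShares = 'C$', 'ADMIN$', 'IPC$', 'SYSVOL', 'NETLOGON'
    foreach ($s in Get-SmbShare | Where-Object { $_.Name -notin $defaultShares }) {
        $findings.Add("Non-default share '$($s.Name)' -> $($s.Path)")
    }
    # Who holds local admin rights on this host
    $admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty Name

    [pscustomobject]@{
        Host         = $cs.Name
        OSVersion    = $os.Version
        PartOfDomain = $cs.PartOfDomain
        Domain       = $cs.Domain
        LastHotFix   = $lastPatch
        LocalAdmins  = $admins
        Findings     = $findings
    }
}

Get-HostAuditSnapshot | Format-List
```

Pipe the result to Export-Clixml or ConvertTo-Json to keep a baseline per host and diff later snapshots against it.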

References


  • PayloadsAllTheThings: Windows Privilege Escalation

  • Basic Win CMD for Pentesters