Windows Enumeration

Enumeration

System Information

  1. Basic System Info

    • hostname (Displays the hostname of the current machine)

    • qwinsta (Lists users connected to the machine along with session details; similar to Linux's w or who)

    • query user (Shows details about active sessions)

  2. Detailed System Information

    • systeminfo Retrieves comprehensive system details.

      Filter specific details:

      systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type"
    • Using PowerShell:

      [System.Environment]::OSVersion.Version
  3. Patch and Update Information

    • CMD:

      • wmic qfe get Caption, Description, HotFixID, InstalledOn (List installed patches)

      • wmic qfe list brief (Quick overview of updates)

      • wmic product get name (List installed programs)

    • PowerShell:

      • Get-HotFix | ft -AutoSize (List installed patches)

      • Get-WmiObject -Class Win32_Product | select Name, Version (Installed programs; note that querying Win32_Product makes Windows Installer run a consistency check of every MSI package, which is slow and writes to the Application event log)

  4. Running Processes

    • CMD:

      tasklist /svc

      Lists all running processes and associated services.


Domain Status

  • PowerShell:

    (Get-WmiObject -Class Win32_ComputerSystem).PartOfDomain

    Returns True if the machine is part of a domain.
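The commands in the System Information and Domain Status sections above each answer one question at a time. The script below is an added example (not part of the original cheat sheet) that collects the same data in one pass and writes it to JSON so a host can be compared against an earlier baseline. It assumes PowerShell 5.1 or later on Windows; the default output path is an assumed value, and installed programs are read from the Uninstall registry keys instead of Win32_Product to avoid the MSI consistency-check side effect.

```powershell
# Added example: one-pass host baseline (not from the original cheat sheet).
# Assumes PowerShell 5.1+ on Windows. $OutFile default is an assumed path.
param(
    [string]$OutFile = "$env:TEMP\host-baseline.json"
)

$os = Get-CimInstance -ClassName Win32_OperatingSystem
$cs = Get-CimInstance -ClassName Win32_ComputerSystem   # PartOfDomain / Domain live here

# Installed programs from the Uninstall registry keys. This is read-only,
# unlike Win32_Product, which triggers an MSI consistency check on every query.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$programs = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |
    Select-Object DisplayName, DisplayVersion, Publisher, InstallDate |
    Sort-Object DisplayName

# tasklist /svc equivalent: each process with the services it hosts.
$servicesByPid = Get-CimInstance -ClassName Win32_Service |
    Group-Object -Property ProcessId -AsHashTable -AsString
$processes = Get-Process | ForEach-Object {
    $key = "$($_.Id)"
    [pscustomobject]@{
        Name     = $_.ProcessName
        Id       = $_.Id
        Path     = $_.Path      # null for protected/system processes
        Services = if ($servicesByPid -and $servicesByPid.ContainsKey($key)) {
                       ($servicesByPid[$key].Name -join ',')
                   } else { $null }
    }
}

# query user / quser output is kept as raw text; quser is absent on some SKUs.
$sessions = if (Get-Command quser -ErrorAction SilentlyContinue) { quser 2>$null } else { $null }

$baseline = [ordered]@{
    CollectedAt  = (Get-Date).ToString('o')
    Hostname     = $env:COMPUTERNAME
    OSName       = $os.Caption
    OSVersion    = $os.Version
    SystemType   = $os.OSArchitecture
    LastBoot     = $os.LastBootUpTime.ToString('o')
    PartOfDomain = $cs.PartOfDomain
    Domain       = $cs.Domain
    HotFixes     = Get-HotFix | Select-Object HotFixID, Description, InstalledOn
    Programs     = $programs
    Processes    = $processes
    Sessions     = $sessions
}

$baseline | ConvertTo-Json -Depth 4 | Set-Content -Path $OutFile -Encoding UTF8
Write-Host "Baseline written to $OutFile ($(@($baseline.HotFixes).Count) hotfixes, $(@($programs).Count) programs)"
```

Run it once after a build is approved and again later; a diff of the two JSON files shows new programs, missing hotfixes, changed domain membership, and processes that were not there before.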


PowerShell and AppLocker Policies

  1. PowerShell Execution Policy

    Get-ExecutionPolicy -List
  2. AppLocker Policy Rules

    Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections
  3. Testing AppLocker Policies

    Get-AppLockerPolicy -Local | Test-AppLockerPolicy -path C:\Windows\System32\cmd.exe -User Everyone
  4. PowerShell History

    Retrieve the PowerShell command history for a specific user:

    Get-Content C:\Users\<USERNAME>\AppData\Roaming\Microsoft\Windows\Powershell\PSReadline\ConsoleHost_history.txt
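The three AppLocker and execution-policy commands above print raw objects. As an added example (not from the original cheat sheet), the script below turns them into a short check of whether application control is actually enforced: execution policy per scope, the enforcement mode of each AppLocker rule collection (AuditOnly collections only log), and the policy decision for a few standard Windows binaries as the Everyone group. It assumes the AppLocker module is available (Windows Enterprise or Server); the list of test paths is an assumed sample.

```powershell
# Added example: execution-policy and AppLocker enforcement check
# (not from the original cheat sheet). Assumes the AppLocker module exists.

Write-Host "== Execution policy by scope =="
Get-ExecutionPolicy -List | Format-Table Scope, ExecutionPolicy -AutoSize

Write-Host "== AppLocker rule collections =="
$policy = Get-AppLockerPolicy -Effective -ErrorAction SilentlyContinue
if (-not $policy -or -not $policy.RuleCollections) {
    Write-Host "No effective AppLocker policy: application control is not in place on this host."
    return
}
$policy.RuleCollections |
    Select-Object RuleCollectionType, EnforcementMode, @{n = 'Rules'; e = { $_.Count }} |
    Format-Table -AutoSize

# AuditOnly collections generate 8003 events but never block; call them out.
foreach ($rc in ($policy.RuleCollections | Where-Object { $_.EnforcementMode -eq 'AuditOnly' })) {
    Write-Host "Collection '$($rc.RuleCollectionType)' is AuditOnly: rules are logged, not enforced."
}

# Ask the effective policy how it decides for existing system binaries as Everyone.
# Assumed sample list; Test-AppLockerPolicy needs the files to exist on disk.
Write-Host "== Policy decisions (as Everyone) =="
$testPaths = @(
    "$env:SystemRoot\System32\cmd.exe",
    "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe",
    "$env:SystemRoot\System32\wscript.exe"
) | Where-Object { Test-Path $_ }

$policy | Test-AppLockerPolicy -Path $testPaths -User Everyone |
    Select-Object FilePath, PolicyDecision, MatchingRule |
    Format-Table -AutoSize
```

The MatchingRule column tells you which rule produced each decision; a decision that comes from one of the default "Allow everything under %WINDIR%" rules is a sign the policy has not been tailored beyond the defaults.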

Environment Variables

  1. CMD:

    set
  2. PowerShell:

    Get-ChildItem Env: | ft Key,Value

Windows Defender

  1. Firewall and Antivirus Status (CMD):

    • View firewall profiles:

      netsh advfirewall show allprofiles
    • Check Windows Defender status:

      sc query windefend
  2. Windows Defender Status (PowerShell):

    Get-MpComputerStatus
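Get-MpComputerStatus returns dozens of properties, and netsh prints text. The following script is an added example (not from the original cheat sheet) that reduces both to pass/fail findings: Defender service, antivirus and real-time protection state, tamper protection, signature freshness, the WinDefend service itself, and each firewall profile's enabled state and default inbound action. It assumes the Defender and NetSecurity PowerShell modules are present; the three-day maximum signature age is an assumed threshold.

```powershell
# Added example: Defender and firewall health check (not from the original cheat sheet).
# Assumes Get-MpComputerStatus and Get-NetFirewallProfile are available.
$MaxSignatureAgeDays = 3   # assumed threshold
$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Check, [bool]$Ok, [string]$Detail) {
    $findings.Add([pscustomobject]@{
        Check  = $Check
        Status = $(if ($Ok) { 'OK' } else { 'FAIL' })
        Detail = $Detail
    })
}

$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
if (-not $mp) {
    Add-Finding 'Defender status' $false 'Get-MpComputerStatus unavailable: Defender absent or a third-party AV is registered'
} else {
    Add-Finding 'AM service enabled'   $mp.AMServiceEnabled          "AMServiceEnabled=$($mp.AMServiceEnabled)"
    Add-Finding 'Antivirus enabled'    $mp.AntivirusEnabled          "AntivirusEnabled=$($mp.AntivirusEnabled)"
    Add-Finding 'Real-time protection' $mp.RealTimeProtectionEnabled "RealTimeProtectionEnabled=$($mp.RealTimeProtectionEnabled)"
    Add-Finding 'Tamper protection'    $mp.IsTamperProtected         "IsTamperProtected=$($mp.IsTamperProtected)"
    Add-Finding 'Signatures current'   ($mp.AntivirusSignatureAge -le $MaxSignatureAgeDays) `
        "AntivirusSignatureAge=$($mp.AntivirusSignatureAge) days, last updated $($mp.AntivirusSignatureLastUpdated)"
}

# Same check as `sc query windefend`, as a service object instead of text.
$svc = Get-Service -Name WinDefend -ErrorAction SilentlyContinue
Add-Finding 'WinDefend service running' ($svc -and $svc.Status -eq 'Running') `
    "Status=$(if ($svc) { $svc.Status } else { 'not installed' })"

# Same data as `netsh advfirewall show allprofiles`, as objects. Every profile
# should be enabled and must not allow inbound traffic by default.
foreach ($p in Get-NetFirewallProfile -ErrorAction SilentlyContinue) {
    Add-Finding "Firewall profile $($p.Name) enabled" ("$($p.Enabled)" -eq 'True') "Enabled=$($p.Enabled)"
    Add-Finding "Firewall profile $($p.Name) inbound default" ($p.DefaultInboundAction -ne 'Allow') `
        "DefaultInboundAction=$($p.DefaultInboundAction)"
}

$findings | Format-Table -AutoSize
if ($findings.Status -contains 'FAIL') { exit 1 } else { exit 0 }
```

The non-zero exit code makes the script usable from a scheduled task or a configuration-management health check, not only interactively.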

Users

  1. Current User Details:

    • whoami /all

    • whoami /priv

    • whoami /groups

  2. Local Users (CMD):

    • List all users: net users

    • Get user details: net user <USER>

    • Current user's details: net user %username%

    • Password policy:

      net accounts
      net accounts /domain
  3. Create a New User:

    net user /add <USERNAME> <PASSWORD>
  4. User Domain and SID Information:

    • Show domain:

      echo %USERDOMAIN%
    • Check login server:

      echo %logonserver%
    • Display domain, name, and SID:

      wmic USERACCOUNT Get Domain,Name,Sid

Groups

  1. Local Groups:

    • List all groups: net localgroup

    • Group details: net localgroup Administrators

    • Add a user to administrators:

      net localgroup administrators <USERNAME> /add
  2. Domain Groups:

    • Info about domain groups: net group /domain

    • List users in a group: net group /domain <DOMAIN_GROUP_NAME>

    • List connected computers:

      net group "Domain Computers" /domain
    • Domain controllers:

      net group "Domain Controllers" /domain
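The net user and net localgroup commands above produce text that is awkward to filter. As an added example (not from the original cheat sheet), the script below performs a local account and Administrators-group audit with the Microsoft.PowerShell.LocalAccounts cmdlets, which return objects: it flags enabled accounts without a required password, stale passwords, enabled built-in accounts, and lists every member of the local Administrators group with its source (local or Active Directory). It assumes PowerShell 5.1 or later; the 90-day stale-password threshold is an assumed value.

```powershell
# Added example: local account and Administrators audit (not from the original cheat sheet).
# Assumes PowerShell 5.1+ (Get-LocalUser / Get-LocalGroupMember). $StaleDays is an assumed value.
$StaleDays = 90
$now = Get-Date

Write-Host "== Local accounts =="
Get-LocalUser |
    Select-Object Name, Enabled, LastLogon, PasswordLastSet, PasswordRequired,
        @{n = 'Flag'; e = {
            if (-not $_.PasswordRequired) {
                'password not required'
            } elseif ($_.Enabled -and $_.PasswordLastSet -and ($now - $_.PasswordLastSet).Days -gt $StaleDays) {
                "password older than $StaleDays days"
            } elseif ($_.Enabled -and $_.Name -in @('Administrator', 'Guest')) {
                'built-in account enabled'
            } else { '' }
        }} |
    Format-Table -AutoSize

Write-Host "== Local Administrators =="
# PrincipalSource is Local for local accounts and ActiveDirectory for domain
# users or groups nested here; the latter are the ones to reconcile against
# the approved-administrators list.
$admins = Get-LocalGroupMember -Group 'Administrators'
$admins | Select-Object Name, ObjectClass, PrincipalSource, SID | Format-Table -AutoSize

$domainMembers = @($admins | Where-Object { $_.PrincipalSource -eq 'ActiveDirectory' })
Write-Host "$(@($admins).Count) member(s) in Administrators, $($domainMembers.Count) from Active Directory"

Write-Host "== Current token (whoami /priv as objects) =="
whoami /priv /fo csv | ConvertFrom-Csv | Format-Table -AutoSize
```

Domain groups nested in the local Administrators group appear as a single line here; expanding them requires the ActiveDirectory module (Get-ADGroupMember) and is where most unexpected administrators turn up.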

Network Enumeration

  1. Basic Networking Information:

    • ipconfig (ifconfig is the Linux equivalent and does not exist on Windows)

    • ipconfig /all

  2. Routing and Firewall Status:

    • Routing table: route print

    • ARP table: arp -a

    • Open ports and connections: netstat -ano

    • Firewall state:

      netsh advfirewall show state
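netstat -ano gives a PID per socket but not the program behind it. The script below is an added example (not from the original cheat sheet) that produces the same listening-port, established-connection and UDP-endpoint view with the owning process resolved to a name and path, plus an exposure column that separates loopback-only listeners from those bound on all interfaces. It assumes the NetTCPIP module (Get-NetTCPConnection, Get-NetUDPEndpoint) is available.

```powershell
# Added example: netstat -ano with owning processes resolved (not from the original cheat sheet).
# Assumes Get-NetTCPConnection / Get-NetUDPEndpoint are available.
$procs = @{}
Get-Process | ForEach-Object { $procs[$_.Id] = $_ }

function Resolve-Owner([int]$ProcessId) {
    $p = $procs[$ProcessId]
    if ($p) { "$($p.ProcessName) ($($p.Path))" } else { "pid $ProcessId (exited or access denied)" }
}

function Get-Exposure([string]$LocalAddress) {
    # Loopback listeners are unreachable from the network; 0.0.0.0 / :: bind everywhere.
    if ($LocalAddress -in @('127.0.0.1', '::1')) { 'loopback only' }
    elseif ($LocalAddress -in @('0.0.0.0', '::')) { 'all interfaces' }
    else { 'specific address' }
}

Write-Host "== Listening TCP ports =="
Get-NetTCPConnection -State Listen |
    Sort-Object LocalPort, LocalAddress |
    Select-Object LocalAddress, LocalPort, OwningProcess,
        @{n = 'Owner';    e = { Resolve-Owner $_.OwningProcess }},
        @{n = 'Exposure'; e = { Get-Exposure $_.LocalAddress }} |
    Format-Table -AutoSize

Write-Host "== Established TCP connections =="
Get-NetTCPConnection -State Established |
    Sort-Object RemoteAddress |
    Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, OwningProcess,
        @{n = 'Owner'; e = { Resolve-Owner $_.OwningProcess }} |
    Format-Table -AutoSize

Write-Host "== UDP endpoints =="
Get-NetUDPEndpoint |
    Sort-Object LocalPort |
    Select-Object LocalAddress, LocalPort, OwningProcess,
        @{n = 'Owner';    e = { Resolve-Owner $_.OwningProcess }},
        @{n = 'Exposure'; e = { Get-Exposure $_.LocalAddress }} |
    Format-Table -AutoSize
```

A listener on all interfaces owned by a process with no Path (the process could not be opened) is worth running again from an elevated prompt, since Path is null for protected and other-user processes when run unprivileged.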

Shared Resources

  1. Common Shares:

    • C$: Administrative share for C:\.

    • ADMIN$: Assigned to C:\Windows.

    • IPC$: Used for interprocess communication (RPC).

    • SYSVOL: Only on Domain Controllers (DCs).

    • NETLOGON: Available on DCs for logon scripts and policies.

  2. Commands:

    • List SMB shares:

      Get-SMBShare
      net share
    • Mount a share:

      net use z: \\172.16.0.1\C$ /user:elliot "P@ssword123!"
    • Unmount a share:

      net use z: /delete
    • View shared resources on a host:

      net view \\172.16.0.1 /all
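Get-SmbShare and net share list what a host exposes but not who may use it. As an added example (not from the original cheat sheet), the script below pairs each non-administrative share with its share-level ACL via Get-SmbShareAccess and flags entries that grant Everyone, Authenticated Users, or BUILTIN\Users read or write access. It assumes the SmbShare module is present and that the script runs from an elevated prompt, which Get-SmbShareAccess requires; the set of "broad" principals is an assumed list.

```powershell
# Added example: share permission audit (not from the original cheat sheet).
# Assumes the SmbShare module and an elevated session. $broadPrincipals is an assumed list.
$broadPrincipals = @('Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users')

$report = foreach ($share in Get-SmbShare) {
    # C$, ADMIN$, IPC$ are marked Special; their access is tied to the
    # Administrators group rather than a share ACL, so skip them here.
    if ($share.Special) { continue }

    $aces = Get-SmbShareAccess -Name $share.Name -ErrorAction SilentlyContinue
    foreach ($ace in $aces) {
        $isBroad = $broadPrincipals -contains $ace.AccountName
        $isWrite = $ace.AccessRight -in @('Change', 'Full')
        $isAllow = $ace.AccessControlType -eq 'Allow'
        [pscustomobject]@{
            Share   = $share.Name
            Path    = $share.Path
            Account = $ace.AccountName
            Type    = $ace.AccessControlType
            Right   = $ace.AccessRight
            Finding = if ($isAllow -and $isBroad -and $isWrite) { 'broad write access' }
                      elseif ($isAllow -and $isBroad) { 'broad read access' }
                      else { '' }
        }
    }
}

$report | Sort-Object Share, Account | Format-Table -AutoSize

$flagged = @($report | Where-Object { $_.Finding })
$shareCount = @($report | Select-Object -ExpandProperty Share -Unique).Count
Write-Host "$($flagged.Count) ACE(s) flagged across $shareCount non-administrative share(s)"
```

Effective access is the intersection of the share ACL shown here and the NTFS ACL on the folder, so a "broad write access" finding on the share is only confirmed once Get-Acl on the path shows the same principal with write rights.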
