Windows Enumeration

Command Line

1. System

# Get Systeminfo
systeminfo
systeminfo | findstr /B /C:"Os Version"
systeminfo | findtr Domain

# Get hotfix
wmic qfe # quick fix engineering

# Get list of drives and filter
wmic logicaldisk get caption,discription,pridername

1. User Enumeration

# print current user
whoami

#list privilege of current user
whoami /priv

# List user of the current group
whoami /groups

# print users on the computer and get details
net user
net user <username>

# list local groups
net localgroup
net localgroup administrator

1. Network Enumeration

# List ip addresses, interface etc
ipconfig 
ipconfig /all # verbose

# get ARP table
arp -a

# socket enumration
netstat -abno

1. Password Hunting

# search for "password" in *.txt files
findstr /si Password *.txt

1. AV Enumeration

# Check if windows defender is running
sc query windefend

#list services
sc queryex service

# Firewall Enumeration
netsh advfirewall firewall dump
netsh firewall show state

WMI

1. Antivirus Details

# Installed Antivirus solutions
Get-WmiObject -Namespace root\securitycenter2 -Class AntiVirusProduct

# Defender status
Get-MpComputerStatus

1. Services

Get-WmiObject -Namespace root\cimv2 -Class Win32_service

1. Processor Architecture

Get-WmiObject -Namespace root\cimv2 -Class win32_processor

1. Logged On User

Get-WmiObject -Class win32_ComputerSystem | Select-Object -Property Username

1. Installed HotFix

Get-WmiObject -Class Win32_quickfixengineering

1. Get log files locations

Get-WmiObject -Class win32_NTeventlogfile

1. Get Command Line to start process

Get-WmiObject -Class win32_process | Select-Object -Property ProcessName,CommandLine

1. Get BinPath for running services

Get-WmiObject -Class win32_service | select DisplayName,Pathname

1. Routing table

Get-WmiObject -Class Win32_IP4RouteTable

1. User Accounts

Get-WmiObject -Class Win32_UserAccount

1. Groups

Get-WmiObject -Class Win32_Group

1. Shadow Copy Information

Get-WmiObject -Class Win32_ShadowCopy
# Shadown copy class can be used to call the Create method to create shadow copy
# Create a shadow copy and creating a link to that shadow copy.
(Get-WmiObject -Class Win32_ShadowCopy -List).Create("C:\", "ClientAccessible")
$link = (Get-WmiObject -Class Win32_ShadowCopy).DeviceObject + "\"
cmd /c mklink /d C:\shadowcopy "$link"

Automated Tools

Executables

• winPEAS.exe

• Sealbelt.exe

• Watson.exe

• SharpUp.exe

Powershell

• Sharlock.ps1

• PowerUp.ps1

• jaws-enum.ps1

Other

• Windows-exploit-suggester (local)

• Exploit Suggester (metasploit)