Windows Enumeration

Command Line

System

# Get Systeminfo
systeminfo
systeminfo | findstr /B /C:"Os Version"
systeminfo | findtr Domain

# Get hotfix
wmic qfe # quick fix engineering

# Get list of drives and filter
wmic logicaldisk get caption,discription,pridername

User Enumeration

# print current user
whoami

#list privilege of current user
whoami /priv

# List user of the current group
whoami /groups

# print users on the computer and get details
net user
net user <username>

# list local groups
net localgroup
net localgroup administrator

Network Enumeration

# List ip addresses, interface etc
ipconfig 
ipconfig /all # verbose

# get ARP table
arp -a

# socket enumration
netstat -abno

Password Hunting

# search for "password" in *.txt files
findstr /si Password *.txt

AV Enumeration

# Check if windows defender is running
sc query windefend

#list services
sc queryex service

# Firewall Enumeration
netsh advfirewall firewall dump
netsh firewall show state

WMI

Antivirus Details

# Installed Antivirus solutions
Get-WmiObject -Namespace root\securitycenter2 -Class AntiVirusProduct

# Defender status
Get-MpComputerStatus

Services

Get-WmiObject -Namespace root\cimv2 -Class Win32_service

Processor Architecture

Get-WmiObject -Namespace root\cimv2 -Class win32_processor

Logged On User

Get-WmiObject -Class win32_ComputerSystem | Select-Object -Property Username

Installed HotFix

Get-WmiObject -Class Win32_quickfixengineering

Get log files locations

Get-WmiObject -Class win32_NTeventlogfile

Get Command Line to start process

Get-WmiObject -Class win32_process | Select-Object -Property ProcessName,CommandLine

Get BinPath for running services

Get-WmiObject -Class win32_service | select DisplayName,Pathname

Routing table

Get-WmiObject -Class Win32_IP4RouteTable

User Accounts

Get-WmiObject -Class Win32_UserAccount

Groups

Get-WmiObject -Class Win32_Group

Shadow Copy Information

Get-WmiObject -Class Win32_ShadowCopy
# Shadown copy class can be used to call the Create method to create shadow copy
# Create a shadow copy and creating a link to that shadow copy.
(Get-WmiObject -Class Win32_ShadowCopy -List).Create("C:\", "ClientAccessible")
$link = (Get-WmiObject -Class Win32_ShadowCopy).DeviceObject + "\"
cmd /c mklink /d C:\shadowcopy "$link"

Automated Tools

Executables

winPEAS.exe
Sealbelt.exe
Watson.exe
SharpUp.exe

Powershell

Sharlock.ps1
PowerUp.ps1
jaws-enum.ps1

Other

Windows-exploit-suggester (local)
Exploit Suggester (metasploit)

Last updated 1 year ago

hashtagCommand Line

hashtagWMI

hashtagAutomated Tools

hashtagExecutables

hashtagPowershell

hashtagOther

Command Line

WMI

Automated Tools

Executables

Powershell

Other