Enumeration

  • User Enum

    whoami

    net user

    net user <user>

    whoami /priv

    whoami /groups

  • Hostname

    hostname

  • OS & Architecture

    systeminfo

    systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type"

  • Processes & services

    tasklist /SVC

  • Firewall

    netsh advfirewall show currentprofile

    netsh advfirewall firewall show rule name=all

  • History

    • Get-History

    • (Get-PSReadlineOption).HistorySavePath gives the location of the PowerShell history file

      • type <file-path>

  • Network Enum

    ipconfig

    ipconfig /all

    arp -a

    route print

    netstat -ano

  • Scheduled tasks

    • schtasks /query /fo LIST /v

    • Get-CimInstance -ClassName win32_service | Select Name,State,PathName | Where-Object {$_.State -like 'Running'} (lists running services rather than scheduled tasks)

  • Finding any specific file in whole system

    • Get-ChildItem -Path C:\ -Include <file> -File -Recurse -ErrorAction SilentlyContinue

    • Get-ChildItem -Path C:\ -Include *.kdbx -File -Recurse -ErrorAction SilentlyContinue

    • Get-ChildItem -Path C:\ -Include id_*, authorized_keys, *.kdbx, known_hosts, *.txt, **.git, **.key, **.keyx -Recurse -Force -ErrorAction silentlycontinue

    • Get-ChildItem -Path C:\users\* -Recurse -ErrorAction silentlycontinue

  • Installed packages & patch level

    wmic product get name, version, vendor

    wmic qfe (lists installed updates/hotfixes)

    wmic logicaldisk (lists all logical disks)

  • Readable/Writable files & dir

    • Using accesschk.exe: accesschk.exe -uws "Everyone" "C:\Program Files" (-u suppresses errors, -w shows write permissions, -s searches recursively)

    • Using Get-ACL in PowerShell: Get-ChildItem "C:\Program Files" -Recurse | Get-ACL | ?{$_.AccessToString -match "Everyone\sAllow\s\sModify"}

  • Unmounted disk

    mountvol

  • Device Drivers and Kernel Modules

    In powershell,

    driverquery.exe /v /fo csv | ConvertFrom-CSV | Select-Object 'Display Name', 'Start Mode', Path

    For specific driver details,

    Get-WmiObject Win32_PnPSignedDriver | Select-Object DeviceName, DriverVersion, Manufacturer | Where-Object {$_.DeviceName -like "VMware*"}  (-like needs the wildcard; without it only an exact "VMware" name would match)

  • Binaries That AutoElevate

    • Meaning

      Later in this module, we will explore various methods of privilege escalation. However, there are a few specific enumerations we should cover in this section that could reveal interesting OS-specific "shortcuts" to privilege escalation. First, on Windows systems, we should check the status of the AlwaysInstallElevated registry setting. If this key is enabled (set to 1) in either HKEY_CURRENT_USER or HKEY_LOCAL_MACHINE, any user can run Windows Installer packages with elevated privileges.

    reg query HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer

    reg query HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer
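
    As an added defensive check, not part of the original notes: a PowerShell audit that reads the two AlwaysInstallElevated locations queried above and reports the finding with its remediation. The function name is mine, and it is read-only.

```powershell
# Added audit example, not from the original notes: reports whether the
# AlwaysInstallElevated policy (see the two reg query commands above) is set.
# Read-only: it only reads the registry and never changes it.

function Get-AlwaysInstallElevatedState {
    # The two policy locations queried above, as PowerShell drive paths
    $paths = [ordered]@{
        HKLM = 'HKLM:\Software\Policies\Microsoft\Windows\Installer'
        HKCU = 'HKCU:\Software\Policies\Microsoft\Windows\Installer'
    }

    $hives = foreach ($hive in $paths.Keys) {
        $value = $null
        if (Test-Path $paths[$hive]) {
            # The key can exist without the value; SilentlyContinue keeps $value null then
            $value = (Get-ItemProperty -Path $paths[$hive] -Name AlwaysInstallElevated `
                      -ErrorAction SilentlyContinue).AlwaysInstallElevated
        }
        [pscustomobject]@{ Hive = $hive; Value = $value; Enabled = ($value -eq 1) }
    }

    # Microsoft documents that the policy only takes effect when BOTH hives are 1;
    # a single hive set to 1 is still a misconfiguration worth cleaning up.
    $enabledCount = @($hives | Where-Object Enabled).Count
    $finding = switch ($enabledCount) {
        2       { 'HIGH: AlwaysInstallElevated fully enabled (any user can install MSIs with SYSTEM privileges)' }
        1       { 'MEDIUM: AlwaysInstallElevated set in one hive only; remove it before the other gets set' }
        default { 'OK: AlwaysInstallElevated not enabled' }
    }

    [pscustomobject]@{
        Hives       = $hives
        Finding     = $finding
        # Remediation for reference; applying it is an admin decision, not done here
        Remediation = 'Set AlwaysInstallElevated to 0 (or delete it) in both hives, or via GPO: ' +
                      'Computer/User Configuration > Administrative Templates > ' +
                      'Windows Components > Windows Installer > Always install with elevated privileges = Disabled'
    }
}

$report = Get-AlwaysInstallElevatedState
$report.Hives | Format-Table -AutoSize
$report.Finding
$report.Remediation
```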

  • PuTTY saved session data (if PuTTY is installed)

    • reg query "HKCU\Software\SimonTatham\PuTTY\Sessions" /s

    • reg query HKCU\Software\SimonTatham\PuTTY\SshHostKeys\

  • Password Enum

    findstr /si password *.txt *.ini *.config (searches for the string "password", case-insensitive, in the current dir and its subdirectories)

  • AV Enum

    sc queryex type= service (lists all running services and their state)

    netsh advfirewall firewall dump or netsh firewall show state (firewall state; the netsh firewall context is deprecated on current Windows versions, prefer netsh advfirewall)

    netsh firewall show config (firewall configuration)

  • Automation Tool

    From PowerShell: windows-privesc-check2.exe --dump -G (use -h for help)

    https://github.com/pentestmonkey/windows-privesc-check

For more commands, check the Important links page.