Enumerate Windows Environments
- author:: Nathan Acks
- date:: 2022-08-17
Important Commands
- `cmdkey /list` - show saved credentials
- `driverquery` - list installed drivers
- `hostname` - return system hostname
- `net group "Domain Admins" /domain` - list domain admins
- `net localgroup` - list all (local) groups
- `net localgroup $GROUP` - list users in group `$GROUP`
- `net user` - list all (local) users
- `net user $USERNAME` - get details for user `$USERNAME`
- `netstat` - query open/listening ports
- `query session` - list other users who are currently logged in
- `reg` - query (and manipulate) registry entries
- `sc` - query (and manipulate) services (conflicts with a PowerShell built-in!)
- `schtasks` - list scheduled tasks
- `systeminfo` - return system info
- `whoami /priv` - current user + privileges
net
Windows' `net` command can also be used to manipulate user and group information (if you already have admin/SYSTEM permissions)! For example:

```batch
REM Change a user's password
net user $USERNAME $PASSWORD

REM Add a user to a domain
net user $USERNAME /add /domain

REM Make a user a domain admin
net group "Domain Admins" $USERNAME /add /domain
```
netstat
The `netstat` command on Windows works almost exactly like its Linux equivalent. The difference is that `-o` displays the PID of the process using the connection on Windows (which, IMHO, is more useful than `-o` on Linux).
systeminfo
Use `findstr` to filter the output of `systeminfo`:

```batch
systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type"
```
wmic
The `wmic` command is extremely useful, but is also deprecated (because of its usefulness to attackers!). It can be used on Windows 10 21H1 and earlier. For later systems, PowerShell cmdlets will need to be used instead (which increases the risk that activity will be logged).

- `wmic product` - list all installed software (but misses 32-bit applications installed on a 64-bit OS)
- `wmic service get name,displayname,pathname,startmode` - list all services
- `wmic qfe get Caption,Description,HotFixID,InstalledOn` - list installed updates
- `wmic service list brief` - another way of listing services
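An added example (not from the original notes) of the PowerShell equivalents to use where `wmic` is gone, written as an administrator's software inventory: it reads the registry Uninstall keys for both 64-bit and 32-bit (`WOW6432Node`) entries, so it covers the 32-bit applications that `wmic product` misses, and ends with the CIM equivalents of the service and hotfix one-liners above. The registry paths and CIM classes are standard Windows ones; the output columns are my own choice.

```powershell
# Added example: software inventory via registry Uninstall keys.
# Reading HKLM here needs only a standard user; HKCU covers per-user installs.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$software = foreach ($key in $uninstallKeys) {
    # SilentlyContinue: WOW6432Node does not exist on 32-bit Windows
    Get-ItemProperty -Path $key -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        ForEach-Object {
            [pscustomobject]@{
                DisplayName     = $_.DisplayName
                DisplayVersion  = $_.DisplayVersion
                Publisher       = $_.Publisher
                InstallDate     = $_.InstallDate
                # The key path tells us whether this is a 32-bit entry on 64-bit Windows
                Architecture    = if ($_.PSPath -match 'WOW6432Node') { 'x86' } else { 'native' }
                UninstallString = $_.UninstallString
            }
        }
}

$software |
    Sort-Object DisplayName -Unique |
    Format-Table DisplayName, DisplayVersion, Architecture, Publisher -AutoSize

# CIM equivalents of the wmic one-liners (these run through PowerShell and
# are logged like any other cmdlet invocation if script block logging is on):
Get-CimInstance Win32_Service |
    Select-Object Name, DisplayName, PathName, StartMode
Get-CimInstance Win32_QuickFixEngineering |
    Select-Object HotFixID, Description, InstalledOn
```

Comparing the `Architecture` column against `wmic product` output on the same host shows exactly which 32-bit packages the deprecated command silently drops.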
Useful Scripts
Notes:

- WinPEAS is detected and quarantined by Microsoft Defender (service `windefend`) by default.
- PowerUp may require an unrestricted PowerShell session (`powershell -nop -exec bypass`), which can raise alerts.
- Windows Exploit Suggester analyzes the output of `systeminfo`, and can be run on the attacker's machine.
- The `multi/recon/local_exploit_suggester` module works through Meterpreter to analyze a Windows system for potential vulnerabilities.