Windows Local Enumeration

Enumerating System Information

After gaining initial access to a target system, it is always important to learn more about the system like, what OS is running as well as the OS version. This information is very useful as it gives us an idea of what we can do and what type of exploits we can run.
What are we looking for?
- Hostname
- OS Name (Windows 7, 8 etc)
- OS Build & Service Pack (Windows 7 SP1 7600)
- OS Architecture (x64/x86)
- Installed updates/Hotfixes

Meterpreter Commands for System Information:

getuid – Retrieve the user ID and privilege level of the current session.
sysinfo – Display information about the target system, such as operating system details and hardware configuration.

Windows Command Line Commands for System Information:

hostname – Display the name of the host (computer) on which the command is executed.
systeminfo – Provide detailed information about the operating system and system hardware.
wmic qfe get Caption, Description, HotFixID, InstalledOn – List installed Windows updates along with their details.
type eula.txt – Display the content of the "eula.txt" file.

Enumerating Users & Groups

After gaining initial access to a target system, it is always important to learn more about the system like, what user account you have access to and other user accounts on the system.
What are we looking for?
- Current user & privileges
- Additional user information
- Other users on the system
- Groups
- Members of the built-in administrator group

Meterpreter Commands for Users & Groups:

getuid – Display the current user's ID and privilege level.
getprivs – Show the privileges held by the current session.
post/windows/gather/enum_logged_on_users – Use Metasploit's post-exploitation module to enumerate users logged on to the target system.

Windows Command Line Commands for Users & Groups:

whoami – Display the name of the currently logged-in user.
whoami /priv – List privileges held by the current user.
query user – Show information about currently logged-in users.
net users – List all user accounts on the system.
net user <user_name> – Display information about a specific user account.
net localgroup – List local user groups on the system.
net localgroup <group_name> – Display information about a specific local user group.

Enumerating Network Information

What are we looking for?

Current IP address & network adapter
Internal networks
TCP/UDP services running and their respective ports
Other hosts on the network
Routing table
Windows Firewall state

Windows Command Line Commands for Network Information:

ipconfig – Display IP configuration information for all active network interfaces.
ipconfig /all – Show detailed IP configuration information for all active network interfaces.
route print – Display the routing table, showing network routes and gateway addresses.
atp -a – List scheduled tasks on the system.
netstat -ano – Show active network connections along with associated processes and port numbers.
netsh firewall show state – Display the state of the Windows Firewall.
netsh advfirewall firewall dump – Dump the configuration of the Advanced Firewall settings.

Enumerating Processes & Services

After gaining initial access to a target system, it is always important to learn more about the system like, what processes, services and scheduled tasks are currently running.
What are we looking for?
- Running processes & services
- Scheduled tasks
A process is an instance of a running executable (.exe) or program.
A service is a process which runs in the background and does not interact with the desktop.

Meterpreter Commands for Processes & Services:

ps – List running processes on the target system.
pgrep explorer.exe – Find the Process ID (PID) of the explorer.exe process.
migrate <proc_id> – Migrate the Meterpreter session to the specified process.

Windows Command Line Commands for Processes & Services:

net start – Display a list of started services.
wmic service list brief – List installed services with brief details using Windows Management Instrumentation (WMI).
tasklist /SVC – List running processes and associated services.
schtasks /query /fo LIST /V – Query scheduled tasks and provide detailed information.

Automating Windows Local Enumeration

In addition to performing local enumeration manually, we can also automate the process with the help of a few scripts and MSF modules.
While local enumeration techniques/commands are important to know, as a penetration tester, you will need to be time efficient. As a result, you will need to learn how to utilize various automated enumeration scripts.
In addition to automating the process of enumerating information like system information, users & groups etc, these automated enumeration scripts will also provide you with additional information regarding the target system like; privilege escalation vulnerabilities, locally stored passwords etc.

Windows Local Enum Scripts

MSFconsole Post-exploitation Modules for Windows:

post/windows/gather/win_privs – Gather information about privileges on a Windows system.
post/windows/gather/enum_logged_on_users – Enumerate users currently logged on to a Windows system.
post/windows/gather/checkvm – Check if the target is a virtual machine.
post/windows/gather/enum_applications – Enumerate installed applications on the target Windows system.
post/windows/gather/enum_computers – Enumerate domain computers using Windows Management Instrumentation (WMI).
post/windows/gather/enum_patches – Enumerate installed patches on the target system.
post/windows/gather/enum_shares – Enumerate shared folders on the target Windows system.

Meterpreter Command:

show_mount – Display the mounted drives on the target system.

Getting Jaws-Enum Script on Target System:

Visit the GitHub repository of Jaws-Enum and copy the script from the RAW tab.
Paste the copied script on the attacking machine.
Use a Meterpreter shell to upload the script to the victim's temporary folder using the "upload <file_path>" command.
On the victim's machine, run Jaws-Enum using the following command: powershell.exe -ExecutionPolicy Bypass -File .\\jaws-enum.ps1 -OutputFilename JAWS-Enum.txt

Hacker's Mantra:Hackers see the invisible and do the impossible.

PreviousPost-Exploitation NextLinux Local Enumeration

Last updated 10 months ago

Was this helpful?

Windows Local Enumeration

Enumerating System Information

After gaining initial access to a target system, it is always important to learn more about the system like, what OS is running as well as the OS version. This information is very useful as it gives us an idea of what we can do and what type of exploits we can run.
What are we looking for?
- Hostname
- OS Name (Windows 7, 8 etc)
- OS Build & Service Pack (Windows 7 SP1 7600)
- OS Architecture (x64/x86)
- Installed updates/Hotfixes

Meterpreter Commands for System Information:

getuid – Retrieve the user ID and privilege level of the current session.
sysinfo – Display information about the target system, such as operating system details and hardware configuration.

Windows Command Line Commands for System Information:

hostname – Display the name of the host (computer) on which the command is executed.
systeminfo – Provide detailed information about the operating system and system hardware.
wmic qfe get Caption, Description, HotFixID, InstalledOn – List installed Windows updates along with their details.
type eula.txt – Display the content of the "eula.txt" file.

Enumerating Users & Groups

After gaining initial access to a target system, it is always important to learn more about the system like, what user account you have access to and other user accounts on the system.
What are we looking for?
- Current user & privileges
- Additional user information
- Other users on the system
- Groups
- Members of the built-in administrator group

Meterpreter Commands for Users & Groups:

getuid – Display the current user's ID and privilege level.
getprivs – Show the privileges held by the current session.
post/windows/gather/enum_logged_on_users – Use Metasploit's post-exploitation module to enumerate users logged on to the target system.

Windows Command Line Commands for Users & Groups:

whoami – Display the name of the currently logged-in user.
whoami /priv – List privileges held by the current user.
query user – Show information about currently logged-in users.
net users – List all user accounts on the system.
net user <user_name> – Display information about a specific user account.
net localgroup – List local user groups on the system.
net localgroup <group_name> – Display information about a specific local user group.

Enumerating Network Information

What are we looking for?

Current IP address & network adapter
Internal networks
TCP/UDP services running and their respective ports
Other hosts on the network
Routing table
Windows Firewall state

Windows Command Line Commands for Network Information:

ipconfig – Display IP configuration information for all active network interfaces.
ipconfig /all – Show detailed IP configuration information for all active network interfaces.
route print – Display the routing table, showing network routes and gateway addresses.
atp -a – List scheduled tasks on the system.
netstat -ano – Show active network connections along with associated processes and port numbers.
netsh firewall show state – Display the state of the Windows Firewall.
netsh advfirewall firewall dump – Dump the configuration of the Advanced Firewall settings.

Enumerating Processes & Services

After gaining initial access to a target system, it is always important to learn more about the system like, what processes, services and scheduled tasks are currently running.
What are we looking for?
- Running processes & services
- Scheduled tasks
A process is an instance of a running executable (.exe) or program.
A service is a process which runs in the background and does not interact with the desktop.

Meterpreter Commands for Processes & Services:

ps – List running processes on the target system.
pgrep explorer.exe – Find the Process ID (PID) of the explorer.exe process.
migrate <proc_id> – Migrate the Meterpreter session to the specified process.

Windows Command Line Commands for Processes & Services:

net start – Display a list of started services.
wmic service list brief – List installed services with brief details using Windows Management Instrumentation (WMI).
tasklist /SVC – List running processes and associated services.
schtasks /query /fo LIST /V – Query scheduled tasks and provide detailed information.

Automating Windows Local Enumeration

In addition to performing local enumeration manually, we can also automate the process with the help of a few scripts and MSF modules.
While local enumeration techniques/commands are important to know, as a penetration tester, you will need to be time efficient. As a result, you will need to learn how to utilize various automated enumeration scripts.
In addition to automating the process of enumerating information like system information, users & groups etc, these automated enumeration scripts will also provide you with additional information regarding the target system like; privilege escalation vulnerabilities, locally stored passwords etc.

Windows Local Enum Scripts

- Just Another Windows (Enum) Script - JAWS is PowerShell script designed to help penetration testers (and CTFers) quickly identify potential privilege escalation vectors on Windows systems. It is written using PowerShell 2.0 so 'should' run on every Windows version since Windows 7.

MSFconsole Post-exploitation Modules for Windows:

post/windows/gather/win_privs – Gather information about privileges on a Windows system.
post/windows/gather/enum_logged_on_users – Enumerate users currently logged on to a Windows system.
post/windows/gather/checkvm – Check if the target is a virtual machine.
post/windows/gather/enum_applications – Enumerate installed applications on the target Windows system.
post/windows/gather/enum_computers – Enumerate domain computers using Windows Management Instrumentation (WMI).
post/windows/gather/enum_patches – Enumerate installed patches on the target system.
post/windows/gather/enum_shares – Enumerate shared folders on the target Windows system.

Meterpreter Command:

show_mount – Display the mounted drives on the target system.

Getting Jaws-Enum Script on Target System:

Visit the GitHub repository of Jaws-Enum and copy the script from the RAW tab.
Paste the copied script on the attacking machine.
Use a Meterpreter shell to upload the script to the victim's temporary folder using the "upload <file_path>" command.
On the victim's machine, run Jaws-Enum using the following command: powershell.exe -ExecutionPolicy Bypass -File .\\jaws-enum.ps1 -OutputFilename JAWS-Enum.txt

Hacker's Mantra:Hackers see the invisible and do the impossible.

PreviousPost-Exploitation NextLinux Local Enumeration

Last updated 10 months ago

Was this helpful?