🌬️Windows Local Enumeration

Enumerating System Information

After gaining initial access to a target system, it is always important to learn more about the system like, what OS is running as well as the OS version. This information is very useful as it gives us an idea of what we can do and what type of exploits we can run.
What are we looking for?
- Hostname
- OS Name (Windows 7, 8 etc)
- OS Build & Service Pack (Windows 7 SP1 7600)
- OS Architecture (x64/x86)
- Installed updates/Hotfixes

getuid – Retrieve the user ID and privilege level of the current session.
sysinfo – Display information about the target system, such as operating system details and hardware configuration.

hostname – Display the name of the host (computer) on which the command is executed.
systeminfo – Provide detailed information about the operating system and system hardware.
wmic qfe get Caption, Description, HotFixID, InstalledOn – List installed Windows updates along with their details.
type eula.txt – Display the content of the "eula.txt" file.

After gaining initial access to a target system, it is always important to learn more about the system like, what user account you have access to and other user accounts on the system.
What are we looking for?
- Current user & privileges
- Additional user information
- Other users on the system
- Groups
- Members of the built-in administrator group

getuid – Display the current user's ID and privilege level.
getprivs – Show the privileges held by the current session.
post/windows/gather/enum_logged_on_users – Use Metasploit's post-exploitation module to enumerate users logged on to the target system.

whoami – Display the name of the currently logged-in user.
whoami /priv – List privileges held by the current user.
query user – Show information about currently logged-in users.
net users – List all user accounts on the system.
net user <user_name> – Display information about a specific user account.
net localgroup – List local user groups on the system.
net localgroup <group_name> – Display information about a specific local user group.

What are we looking for?

ipconfig – Display IP configuration information for all active network interfaces.
ipconfig /all – Show detailed IP configuration information for all active network interfaces.
route print – Display the routing table, showing network routes and gateway addresses.
atp -a – List scheduled tasks on the system.
netstat -ano – Show active network connections along with associated processes and port numbers.
netsh firewall show state – Display the state of the Windows Firewall.
netsh advfirewall firewall dump – Dump the configuration of the Advanced Firewall settings.

After gaining initial access to a target system, it is always important to learn more about the system like, what processes, services and scheduled tasks are currently running.
What are we looking for?
- Running processes & services
- Scheduled tasks
A process is an instance of a running executable (.exe) or program.
A service is a process which runs in the background and does not interact with the desktop.

net start – Display a list of started services.
wmic service list brief – List installed services with brief details using Windows Management Instrumentation (WMI).
tasklist /SVC – List running processes and associated services.
schtasks /query /fo LIST /V – Query scheduled tasks and provide detailed information.

In addition to performing local enumeration manually, we can also automate the process with the help of a few scripts and MSF modules.
While local enumeration techniques/commands are important to know, as a penetration tester, you will need to be time efficient. As a result, you will need to learn how to utilize various automated enumeration scripts.
In addition to automating the process of enumerating information like system information, users & groups etc, these automated enumeration scripts will also provide you with additional information regarding the target system like; privilege escalation vulnerabilities, locally stored passwords etc.

JAWS - Just Another Windows (Enum) Script - JAWS is PowerShell script designed to help penetration testers (and CTFers) quickly identify potential privilege escalation vectors on Windows systems. It is written using PowerShell 2.0 so 'should' run on every Windows version since Windows 7.

post/windows/gather/win_privs – Gather information about privileges on a Windows system.
post/windows/gather/enum_logged_on_users – Enumerate users currently logged on to a Windows system.
post/windows/gather/checkvm – Check if the target is a virtual machine.
post/windows/gather/enum_applications – Enumerate installed applications on the target Windows system.
post/windows/gather/enum_computers – Enumerate domain computers using Windows Management Instrumentation (WMI).
post/windows/gather/enum_patches – Enumerate installed patches on the target system.
post/windows/gather/enum_shares – Enumerate shared folders on the target Windows system.

Visit the GitHub repository of Jaws-Enum and copy the script from the RAW tab.
Paste the copied script on the attacking machine.
Use a Meterpreter shell to upload the script to the victim's temporary folder using the "upload <file_path>" command.
On the victim's machine, run Jaws-Enum using the following command: powershell.exe -ExecutionPolicy Bypass -File .\\jaws-enum.ps1 -OutputFilename JAWS-Enum.txt

Hacker's Mantra:Hackers see the invisible and do the impossible.

Last updated 1 year ago

Was this helpful?