{"id":2185,"date":"2021-01-09T16:59:00","date_gmt":"2021-01-09T15:59:00","guid":{"rendered":"https:\/\/andreas-klingler.de\/infosec\/?p=2185"},"modified":"2024-10-29T22:12:22","modified_gmt":"2024-10-29T21:12:22","slug":"basic-windows-system-enumeration","status":"publish","type":"post","link":"https:\/\/infosec.andreas-klingler.de\/?p=2185","title":{"rendered":"Basic Windows system enumeration"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\">General system enumeration<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Get gen\u00ader\u00adal infor\u00adma\u00adtion about the&nbsp;<span class=\"caps\">OS<\/span>:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">systeminfo<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Get the envi\u00adron\u00adment variabes:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">set<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Enu\u00admer\u00adate cached credentials:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">cmdkey \/list<\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>If there is an appli\u00adca\u00adtion list\u00aded, try to use <code>runas<\/code> to run a com\u00admand with the stored cre\u00adden\u00adtials.<br><code>runas \/savecred \/user:WORKGROUP\\Administrator \"\\10.10.10.10\\share\"<\/code><\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">If the cur\u00adrent sys\u00adtem is not known yet, try to deter\u00admine the ver\u00adsion via one of the fol\u00adlow\u00ading&nbsp;files:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>C:\\windows\\system32\\eula.txt (<span class=\"caps\">XP<\/span>)<\/li>\n\n\n\n<li>C:\\boot.ini<\/li>\n\n\n\n<li>C:\\Windows\\System32\\License.rtf<\/li>\n\n\n\n<li>C:\\ProgramData\\Microsoft\\Diagnosis\\osver.txt (Win10)<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Processes enumeration<\/h2>\n\n\n\n<pre class=\"wp-block-preformatted\">tasklist \/V<br>tasklist \/V | find \"cmd.exe\" \/\/ Search for a command<br>tasklist \/V \/fi \"USERNAME eq NT AUTHORITY\\SYSTEM\" \/fi \"STATUS eq running\" \/\/ List all SYSTEM processes<br><br>taskkill \/PID $pid \/\/ Kill a process<br><br>PS&gt; Get-Process<br><br>PS&gt; Get-CimInstance Win32_Process | Select-Object ProcessId, Name, CommandLine \/\/ Returns also the path of the processes!<br>PS&gt; Get-CimInstance Win32_Process | Where-Object { $_.CommandLine -match \"VeryInterestingProcess\" } | Select-Object ProcessId, Name, CommandLine \/\/ Search for a specific name<br><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Deter\u00admine the par\u00adent process in two&nbsp;steps:<\/p>\n\n\n\n<pre id=\"block-1620b9bb-edd7-4f1c-988d-d6a1883f6047\" class=\"wp-block-preformatted\">wmic process where (ProcessId=7668) get parentprocessid \/\/ Get the parent process id<br>wmic process where (ProcessId=7148) get executablepath \/\/ Get the executable name from the parent process<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Alter\u00adna\u00adtive with SysinternalTools:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">pslist \/accepteula -t<\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">User and group enumeration<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Check the users cur\u00adrent priv\u00adi\u00adleges and groups:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">whoami \/all<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Enu\u00admer\u00adate all&nbsp;users<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">net users<br>net user $username \/\/ get details for each user<br>PS&gt; Get-LocalUser<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Enu\u00admer\u00adate all groups<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">net localgroup<br>PS&gt; Get-LocalGroup<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Get all mem\u00adbers of a&nbsp;group<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">net localgroup $group<br>PS&gt; Get-LocalGroupMember $group<\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">File system enumeration<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Deter\u00admine all drives:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">fsutil fsinfo drives<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Deter\u00admine the type of a&nbsp;drive:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">fsutil fsinfo drivetype Z:<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Get gen\u00ader\u00adal infor\u00adma\u00adtion about a&nbsp;drive:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">fsutil fsinfo volumeinfo C:<\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">Scheduled tasks enumeration<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Show all sched\u00aduled tasks. <strong><span class=\"caps\">NOTE<\/span><\/strong>: You need to add the Fold\u00ader to sub\u00adse\u00adquent com\u00admands here, if the task is not in the root folder!<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">schtasks \/Query<br>schtasks \/query \/fo LIST \/v<br>schtasks \/query \/fo CSV \/v | findstr \/I \"admin\" \/\/ Use this to filter the output for an interesting user, path, etc.<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">If there is a task you can exe\u00adcute and change the bina\u00adry (check with ica\u00adcls), then <a href=\"https:\/\/andreas-klingler.de\/infosec\/?p=4119\" data-type=\"post\" data-id=\"4119\">bina\u00adry hijack\u00ading could be pos\u00adsi\u00adble here<\/a>.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Cre\u00adate a new task named <em>back\u00addoor<\/em>, which exe\u00adcut\u00aded at a fixed&nbsp;time:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">schtasks \/create \/sc weekly \/d mon \/tn backdoor \/tr C:\\s32.exe \/st 23:00<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Cre\u00adate a new task named back\u00addoor, which exe\u00adcut\u00aded when a user logs&nbsp;in:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">schtasks \/Create \/TR s32.exe \/RU $username \/TN backdoor \/SC ONLOGON \/IT<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Con\u00adfirm that the task was cre\u00adat\u00aded correctly:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">schtasks \/query \/TN backdoor \/fo LIST \/V<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Delete the task <em>back\u00addoor<\/em>:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">schtasks \/delete \/tn backdoor<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Exe\u00adcute the task back\u00addoor&nbsp;now:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">schtasks \/Run \/TN backdoor<\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">Registry enumeration<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Get some installed software:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">reg query \"HKLM\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\"<br>reg query \"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\"<br><br>PS&gt; Get-ItemProperty \"HKLM:\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall*\" | select displayname<br>PS&gt; Get-ItemProperty \"HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall*\" | select displayname<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/andreas-klingler.de\/infosec\/?p=838\" data-type=\"post\" data-id=\"838\">See the Reg\u00adistry post for&nbsp;more.<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Search for passwords:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">reg query HKLM \/f password \/t REG_SZ \/s\nreg query HKCU \/f password \/t REG_SZ \/s<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Search for user\u00adnames! For exam\u00adple, check if there is some\u00adthing about an inter\u00adest\u00ading user in the registry.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Network enumeration<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">IPs<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">ipconfig<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">List all net\u00adwork shares<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">net share<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">List the rout\u00ading&nbsp;table<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">route print<br>netstat -ano<\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">Extended enumeration<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Check Pow\u00ader\u00adShell his\u00adto\u00adry file: <code>ConsoleHost_history.txt<\/code> (in <code>AppData\/Roaming\/Microsoft\/Windows\/PowerShell\/PSReadLine<\/code>)<\/li>\n\n\n\n<li>Upload <a href=\"https:\/\/docs.microsoft.com\/en-us\/sysinternals\/downloads\/sysinternals-suite\">Sys\u00adin\u00adter\u00adnal\u00adSuite<\/a>. Then:\n<ul class=\"wp-block-list\">\n<li>Enu\u00admer\u00adate installed soft\u00adware:<br><code>PsInfo64.exe \/accepteula -s<\/code><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\"><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Gen\u00ader\u00adal sys\u00adtem enu\u00admer\u00ada\u00adtion Get gen\u00ader\u00adal infor\u00adma\u00adtion about the&nbsp;<span class=\"caps\">OS<\/span>: sys\u00adtem\u00adin\u00adfo Get the envi\u00adron\u00adment vari\u00adabes: set Enu\u00admer\u00adate cached cre\u00adden\u00adtials: cmd\u00adkey \/list If the cur\u00adrent sys\u00adtem is not known yet, try to deter\u00admine the ver\u00adsion via one of the fol\u00adlow\u00ading&nbsp;files: Process\u00ades enu\u00admer\u00ada\u00adtion tasklist \/Vtasklist \/V | find \u201ccmd.exe\u201d \/\/ Search for a com\u00admand\u00adtasklist \/V \/fi \u201c<span class=\"caps\">USERNAME<\/span> eq&nbsp;<span class=\"caps\">NT<\/span>&nbsp;[\u2026]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"wp_typography_post_enhancements_disabled":false,"footnotes":""},"categories":[483],"tags":[50,24],"class_list":["post-2185","post","type-post","status-publish","format-standard","hentry","category-howtos","tag-enumeration","tag-windows"],"_links":{"self":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/2185","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2185"}],"version-history":[{"count":45,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/2185\/revisions"}],"predecessor-version":[{"id":4481,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/2185\/revisions\/4481"}],"wp:attachment":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2185"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2185"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2185"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}