Windows Enumeration Cheatsheet - Post Exploitation


Enumeration is one of the most important phases in the Penetration Testing Process, this phase is present at the beginning and at the end.  
In this post, I share a shortlist of commands I use to get additional information after getting access to a Windows machine. This info can help to escalate privileges.

1.- System Enumeration

Get system information

systeminfo
systeminfo | findstr /b /C:"OS Name" /C"OS Version"

Checking installed updates

wmic qfe get Caption, Description

Check how many drivers are in the machine

wmic logicaldisk get Caption

2.- User enumeration

Check current user

whoami

Check current user privileges

whoami /priv

Groups were current user is involved

whoami /groups

View all users

net users

View user information

net users <username>
#Example
net users daronwolff

List the user groups

net localgroup

View members of a group

net localgroup Administrators

3.- Network Enumeration

Ip address configuration (default gateway, subnet, dns, domain controller)

ipconfig /all

ARP table

arp -a 

Routing table

route print

Network status

net stat

4.- Password Enumeration

Search the word "password" in text files

findstr /si password *.txt *.ini *.config

Searching passwords in the registry

REG QUERY HKLM /F "password" /t REG_SZ /S /K 
REG QUERY HKCU /F "password" /t REG_SZ /S /K

Passwords in unattend files

C:\unattend.xml 
C:\Windows\Panther\Unattend.xml 
C:\Windows\Panther\Unattend\Unattend.xml 
C:\Windows\system32\sysprep.inf 
C:\Windows\system32\sysprep\sysprep.xml

5.- Firewall and AV Enumeration

Check Windows defender

sc query windefend

View all services running on the machine

sc queryex type= service

sc = service control

Firewall settings

netsh advfirewall firewall dump
netsh firewall show state

Show firewall config

netsh firewall show config

View more  commands to enumerate info:

swisskyrepo/PayloadsAllTheThings
A list of useful payloads and bypass for Web Application Security and Pentest/CTF - swisskyrepo/PayloadsAllTheThings