Enumeration

• User Enum

  whoami

  netuser

  net user <user>

  whoami /priv

  whoami /group

• Hostname

  hostname

• OS & Architecture

  systeminfo

  systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type”

• Processes & services

  tasklist /SVC

• Firewall

  netsh advfirewall show currentprofile

  netsh advfirewall firewall show rule name=all

• History

  • Get-History

  • (Get-PSReadlineOption).HistorySavePath give location oh history file
    • type <file-path>

• Network Enum

  ipconfig

  ipconfig /all

  arp -a

  route print

  netstat -ano

• Scheduled tasks

  • schtasks /query /fo LIST /v

  • Get-CimInstance -ClassName win32_service | Select Name,State,PathName | Where-Object {$_.State -like 'Running'}

• Finding any specific file in whole system

  • Get-ChildItem -Path C:\ -Include <file> -File -Recurse -ErrorAction SilentlyContinue

  • Get-ChildItem -Path C:\ -Include *.kdbx -File -Recurse -ErrorAction SilentlyContinue

  • Get-ChildItem -Path C:\ -Include id_, authorized_keys, *.kdbx, known_hosts, *.txt, *.git, *.key, *.keyx -Recurse -Force -ErrorAction silentlycontinue

  • Get-ChildItem -Path C:\users\* -Recurse -ErrorAction silentlycontinue

• Installed packages & patch level

  wmic product get name, version, vendor

  wmic qfe to check update packages details

  wmic logicaldisk to check all disks

• Readable/Writable files & dir

  • Using tool accesschk.exe
    
    accesschk.exe -uws "Everyone" "C:\Program Files" u to suppress error, w for write permission , s for search recursively

  • Using Get-ACL in powershell
    
    Get-ChildItem "C:\Program Files" -Recurse | Get-ACL | ?{$_.AccessToString -match "Everyone\sAllow\s\sModify"}

• Unmounted disk

  mountvol

• Device Drivers and Kernel Modules

  In powershell,

  driverquery.exe /v /fo csv | ConvertFrom-CSV | Select-Object ‘Display Name’, ‘Start Mode’, Path
  
  
  For specific driver details,

  Get-WmiObject Win32_PnPSignedDriver | Select-Object DeviceName, DriverVersion, Manufacturer | Where-Object {$_.DeviceName -like "VMware"}

• Binaries That AutoElevate

  • Meaning

    Later in this module, we will explore various methods of privilege escalation. However, there are a few specific enumerations we should cover in this section that could reveal interesting OSspecific “shortcuts” to privilege escalation.
    First, on Windows systems, we should check the status of the AlwaysInstallElevated488 registry setting. If this key is enabled (set to 1) in either HKEY_CURRENT_USER or
    HKEY_LOCAL_MACHINE, any user can run Windows Installer packages with elevated privileges.
    

  reg query HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer

  reg query HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer

• Putty cred if putty is running

  • reg query "HKCU\Software\SimonTatham\PuTTY\Sessions" /s

  • reg query HKCU\Software\SimonTatham\PuTTY\SshHostKeys\

• Password Enum

  findstr /si password *.txt *.ini *.config to check phrase “passsword” in current dir and its sub dir

• AV Enum

  sc queryex type= service tell all runninng services state

  netsh advfirewall firewall dump OR
  
  netsh firewall show state firewall state

  Netsh firewall show config firewall configuration

• Automation Tool

  In powershell, windows-privesc-check2.exe --dump -G or -h for help

  https://github.com/pentestmonkey/windows-privesc-check

For more commands check Important links