Enumeration

ABOUT

In any situation, whether daily life or a network penetration test, understanding our surroundings is crucial. This awareness allows us to make informed, proactive decisions. We may discover accessible hosts, protections to bypass, or tools incompatible with the target system.

Data Sources

  • Installed applications

  • Installed services

    • Websites

    • File Shares

    • Databases

    • Directory Services (such as Active Directory, Azure AD, etc.)

    • Name Servers

    • Deployment Services

    • Certificate Authority

    • Source Code Management Server

    • Virtualization

    • Messaging

    • Monitoring and Logging Systems

    • Backups

  • Sensitive Data

    • Keylogging

    • Screen Capture

    • Network Traffic Capture

    • Previous Audit reports

  • User Information

    • History files, interesting documents (.doc/x, .xls/x, password./pass., etc.)

    • Roles and Privileges

    • Web Browsers

    • IM Clients

NETWORK

Display network connections:

C:\> netstat -ano
# or filter to a specific port (1337 here)
C:\> netstat -ano | findstr 1337
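The join between netstat -ano and tasklist /FI "PID eq ..." is usually done by hand, one port at a time. As an added example (not part of the original cheatsheet), the PowerShell function below does it for every listening TCP port at once and marks the ones bound to all interfaces, which are the ones reachable from the network. It assumes Get-NetTCPConnection is available (Windows 8 / Server 2012 and later); the function name Get-ListeningPortOwner is this example's own.

```powershell
# Added example, not from the original cheatsheet: map every listening TCP port to
# its owning process (the netstat -ano + tasklist /FI "PID eq <pid>" join).
# Requires the NetTCPIP module (Windows 8 / Server 2012 or later).
function Get-ListeningPortOwner {
    [CmdletBinding()]
    param(
        # Optional: restrict the output to one port, e.g. -Port 1337
        [int]$Port
    )

    $conns = Get-NetTCPConnection -State Listen -ErrorAction Stop
    if ($PSBoundParameters.ContainsKey('Port')) {
        $conns = $conns | Where-Object { $_.LocalPort -eq $Port }
    }

    foreach ($c in $conns) {
        # Get-Process fails for protected processes when not elevated; keep the row anyway
        $proc = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            LocalAddress = $c.LocalAddress
            LocalPort    = $c.LocalPort
            PID          = $c.OwningProcess
            Process      = if ($proc) { $proc.ProcessName } else { '<access denied or exited>' }
            Path         = if ($proc) { $proc.Path } else { $null }
            # 0.0.0.0 / :: means the listener is reachable from the network, not only localhost
            Exposed      = $c.LocalAddress -in @('0.0.0.0', '::')
        }
    }
}

# Usage: full inventory sorted by port, or a single port as with findstr above
Get-ListeningPortOwner | Sort-Object LocalPort | Format-Table -AutoSize
# Get-ListeningPortOwner -Port 1337
```

Run it elevated to get the Path column for services running as SYSTEM; without elevation those rows still show the PID, which you can then look up with the tasklist /svc command in the PROCESSES / SERVICES section.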

Network Configs

C:\> ipconfig /all

ARP Table

C:\> arp -a

Routing Table

C:\> route print

USERS / GROUPS

Check logged-in users:

C:\> query user

C:\> whoami /user

View current user context:

C:\> echo %USERNAME%

View current user privileges:

C:\> whoami /priv

View current user group memberships:

C:\> whoami /groups

List all users on the system:

C:\> net user

List all groups on the system:

C:\> net localgroup

Get details of a specific group:

C:\> net localgroup {GROUPNAME}
# e.g. net localgroup administrators

View password policy and account settings:

C:\> net accounts

Check Local User Description Field

PS C:\> Get-LocalUser

PROCESSES / SERVICES

View running processes and services:

C:\> tasklist /svc

View process by PID

C:\> tasklist /FI "PID eq 1337"
PS C:\> Get-WmiObject Win32_Process -Filter "ProcessId = 1337" | Select-Object Name, ProcessId, CommandLine
PS C:\> get-process -Id 1337

Get service by name

PS C:\> get-service | ? {$_.DisplayName -like 'AMOGUS*'}

SYSTEM

Display environment variables:

C:\> set

Gather system info

C:\> systeminfo

Checking Build Info

PS C:\> [environment]::OSVersion.Version

Checking UAC

# Whether UAC is enabled (EnableLUA: 1 = on, 0 = off)
C:\> REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v EnableLUA
# Prompt level for administrators (ConsentPromptBehaviorAdmin)
C:\> REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v ConsentPromptBehaviorAdmin
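The two REG QUERY calls above return raw numbers. As an added example (not part of the original cheatsheet), the function below reads the same registry values plus PromptOnSecureDesktop and translates them into a readable posture summary using the Microsoft-documented meanings of ConsentPromptBehaviorAdmin. The function name Get-UacPosture and the "Weak" flag are this example's own choices.

```powershell
# Added example, not from the original cheatsheet: read the UAC values queried above
# and translate them into a readable summary.
function Get-UacPosture {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p = Get-ItemProperty -Path $key -ErrorAction Stop

    # Microsoft-documented meanings of ConsentPromptBehaviorAdmin
    $adminPrompt = @{
        0 = 'Elevate without prompting (UAC offers no protection for admins)'
        1 = 'Prompt for credentials on the secure desktop'
        2 = 'Prompt for consent on the secure desktop'
        3 = 'Prompt for credentials'
        4 = 'Prompt for consent'
        5 = 'Prompt for consent for non-Windows binaries (default)'
    }

    # A missing value means the OS default applies: UAC on, level 5, secure desktop on
    $enableLua  = if ($null -eq $p.EnableLUA) { 1 } else { [int]$p.EnableLUA }
    $adminLevel = if ($null -eq $p.ConsentPromptBehaviorAdmin) { 5 } else { [int]$p.ConsentPromptBehaviorAdmin }
    $secureDesk = if ($null -eq $p.PromptOnSecureDesktop) { 1 } else { [int]$p.PromptOnSecureDesktop }

    [pscustomobject]@{
        EnableLUA                  = [bool]$enableLua
        ConsentPromptBehaviorAdmin = $adminLevel
        AdminPromptMeaning         = $adminPrompt[$adminLevel]
        PromptOnSecureDesktop      = [bool]$secureDesk
        # Settings a hardening review would call out: UAC off, auto-elevation, or no secure desktop
        Weak = ($enableLua -eq 0) -or ($adminLevel -eq 0) -or ($secureDesk -eq 0)
    }
}

Get-UacPosture | Format-List
```

Note that EnableLUA = 0 only takes effect after a reboot, so a host can report UAC disabled in the registry while still prompting until it restarts.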

Check Computer Description Field

PS C:\> Get-WmiObject -Class Win32_OperatingSystem | select Description

PERMISSIONS

Check privileges

C:\> whoami /priv

Check Group Policies

C:\> gpresult /r

PROGRAMS

List installed programs:

# Note: wmic product / Win32_Product makes Windows Installer run a consistency check (repair) of every MSI package; it is slow and writes MsiInstaller events to the Application log. The registry query below is quieter and also lists non-MSI installs.
C:\> wmic product get name
PS C:\> Get-WmiObject -Class Win32_Product | Select-Object Name, Version
PS C:\> $INSTALLED = Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* |  Select-Object DisplayName, DisplayVersion, InstallLocation
PS C:\> $INSTALLED += Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, InstallLocation
PS C:\> $INSTALLED | ?{ $_.DisplayName -ne $null } | sort-object -Property DisplayName -Unique | Format-Table -AutoSize

View patches and updates:

C:\> wmic qfe
PS C:\> Get-HotFix | ft -AutoSize

PROTECTIONS

Defender Status

PS C:\> Get-MpComputerStatus

List AppLocker Rules

PS C:\> Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections

Test AppLocker Policy

PS C:\> Get-AppLockerPolicy -Local | Test-AppLockerPolicy -path C:\Windows\System32\cmd.exe -User Everyone

NAMED PIPES

Listing Named Pipes (pipelist.exe and accesschk.exe are Sysinternals tools)

C:\> pipelist.exe /accepteula
PS C:\> gci \\.\pipe\

Reviewing LSASS Named Pipe Permissions

C:\> accesschk.exe /accepteula \\.\Pipe\lsass -v

SCHEDULED TASKS

C:\> schtasks /query /fo LIST /v
PS C:\> Get-ScheduledTask | select TaskName,State
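TaskName and State say nothing about what a task runs or as whom. As an added example (not part of the original cheatsheet), the function below emits one row per task action with the principal, run level, executable, arguments and last/next run times, and the usage line at the end filters to tasks that run with SYSTEM or highest privileges from outside the Windows directory, the set worth reviewing first. It requires the ScheduledTasks module (Windows 8 / Server 2012 and later); the function name Get-ScheduledTaskSummary is this example's own.

```powershell
# Added example, not from the original cheatsheet: for every enabled task show who it
# runs as, at what run level, and what it actually executes.
function Get-ScheduledTaskSummary {
    Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' } | ForEach-Object {
        $task = $_
        $info = Get-ScheduledTaskInfo -InputObject $task
        # A task can have several actions; emit one row per action
        foreach ($action in $task.Actions) {
            [pscustomobject]@{
                Task       = $task.TaskPath + $task.TaskName
                RunAs      = $task.Principal.UserId
                RunLevel   = $task.Principal.RunLevel   # Limited or Highest
                Execute    = $action.Execute            # $null for COM-handler actions
                Arguments  = $action.Arguments
                LastRun    = $info.LastRunTime
                LastResult = $info.LastTaskResult
                NextRun    = $info.NextRunTime
            }
        }
    }
}

# Usage: privileged tasks whose executable lives outside the Windows directory
Get-ScheduledTaskSummary |
    Where-Object {
        $_.Execute -and
        $_.Execute -notmatch '^(%SystemRoot%|%windir%|C:\\Windows)' -and
        ($_.RunAs -eq 'SYSTEM' -or $_.RunLevel -eq 'Highest')
    } |
    Format-Table -AutoSize
```

For each row the filter returns, the follow-up check is the ACL of the executable and of its directory (the Get-ChildItem owner query in the FILES section is a start): a privileged task whose binary a standard user can replace is a finding regardless of what the task currently does.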

FILES

Get more info about a file

PS C:\> Get-ChildItem -Path 'C:\Share\file.txt' | Select Fullname,LastWriteTime,Attributes,@{Name="Owner";Expression={ (Get-Acl $_.FullName).Owner }}

Files of Interest

File                                             Explanation
C:\Windows\System32\config\SAM                   Stores user account information.
C:\Windows\System32\config\system                Contains system startup settings and driver configurations.
C:\Windows\System32\config\software              Contains software installation and configuration data.
C:\Windows\System32\config\security              Stores security settings and permissions.
C:\Windows\System32\config\default               Contains default user profile settings.
C:\Windows\System32\config\RegBack               Backup registry files for system recovery.
%WINDIR%\win.ini                                 Contains system settings for Windows.
%WINDIR%\system32\config\txr\{guid}\*.log        Logs of file system changes.
C:\Windows\System32\winevt\Logs\Security.evtx    Security event log with information about logins and security events.
%APPDATA%\Microsoft\Windows\Recent               Contains shortcuts to recently opened files.
%SYSTEMDRIVE%\$Recycle.Bin                       Stores deleted files that can be recovered.
C:\Users\<username>\AppData\Local\Temp           Temporary files that may contain sensitive data or tools.
C:\Windows\System32\drivers\etc\hosts            Maps IP addresses to hostnames, useful for detecting malicious redirections.
%WINDIR%\System32\drivers\etc\networks           Contains system network interface configurations.
C:\Windows\System32\config\hivelist              Backup of the registry hives, useful for recovery or data extraction.
C:\Windows\System32\config\software.log          Tracks changes to software configurations.
C:\inetpub\wwwroot\web.config                    Configures IIS web apps, may contain sensitive data like connection strings or settings.
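Most of the files in the table should be readable only by SYSTEM and Administrators (web.config by the IIS worker identity), so the useful check on a host is whether they exist and whether a standard user could read them. As an added example (not part of the original cheatsheet), the function below walks the non-wildcard entries from the table, expands the environment variables, and reports owner and whether an explicit allow ACE grants ReadData to Users, Everyone, Authenticated Users or INTERACTIVE. The list variable $FilesOfInterest, the function name Test-FileOfInterest and the choice of "broad" identities are this example's own.

```powershell
# Added example, not from the original cheatsheet: existence and ACL check for the
# files of interest listed above. Wildcard entries from the table are left out.
$FilesOfInterest = @(
    'C:\Windows\System32\config\SAM'
    'C:\Windows\System32\config\system'
    'C:\Windows\System32\config\software'
    'C:\Windows\System32\config\security'
    'C:\Windows\System32\config\default'
    'C:\Windows\System32\config\RegBack'
    '%WINDIR%\win.ini'
    'C:\Windows\System32\winevt\Logs\Security.evtx'
    '%APPDATA%\Microsoft\Windows\Recent'
    '%SYSTEMDRIVE%\$Recycle.Bin'
    'C:\Windows\System32\drivers\etc\hosts'
    '%WINDIR%\System32\drivers\etc\networks'
    'C:\inetpub\wwwroot\web.config'
)

function Test-FileOfInterest {
    param([string[]]$Paths = $FilesOfInterest)

    # Identities that stand for "any standard user" (this example's choice)
    $broad = '^(BUILTIN\\Users|Everyone|NT AUTHORITY\\Authenticated Users|NT AUTHORITY\\INTERACTIVE)$'
    $readData = [int][System.Security.AccessControl.FileSystemRights]::ReadData  # same bit as ListDirectory

    foreach ($raw in $Paths) {
        $path = [Environment]::ExpandEnvironmentVariables($raw)
        $exists = Test-Path -LiteralPath $path
        $owner = $null; $aclReadable = $false; $broadRead = $false

        if ($exists) {
            try {
                $acl = Get-Acl -LiteralPath $path -ErrorAction Stop
                $aclReadable = $true
                $owner = $acl.Owner
                # Explicit ReadData allow ACEs for broad groups. Generic-right ACEs are not
                # decoded here, so $false means "not proven readable", not "safe".
                $broadRead = [bool]($acl.Access | Where-Object {
                    $_.AccessControlType -eq 'Allow' -and
                    $_.IdentityReference.Value -match $broad -and
                    (([int]$_.FileSystemRights) -band $readData)
                })
            } catch {
                # Access denied on the ACL itself: the file is locked down, or we are not elevated
            }
        }

        [pscustomobject]@{
            Path            = $path
            Exists          = $exists
            AclReadable     = $aclReadable
            Owner           = $owner
            ReadableByUsers = $broadRead
        }
    }
}

Test-FileOfInterest | Format-Table -AutoSize
```

Run it once as a standard user and once elevated: from a standard user the SAM, system and security hives should show AclReadable = False, and any row with ReadableByUsers = True on a hive, the Security event log or web.config is a misconfiguration to fix (and, for the hives, a credential-exposure incident to scope).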
