Enumeration

After we have a shell, we need to enumerate the system

Check Recycle Bin

Finding Executables

Finding bash.exe

Bash.exe may be present on Windows systems through WSL (Windows Subsystem for Linux), Git Bash, MSYS2, or Cygwin installations.

Using `where` command (fastest):

where /R C:\ bash.exe

Using PowerShell:

Get-ChildItem -Path C:\ -Filter bash.exe -Recurse -ErrorAction SilentlyContinue

Using `dir` for recursive search:

dir /s /b C:\bash.exe

Common bash.exe locations:

C:\Windows\System32\bash.exe (WSL)
C:\Program Files\Git\bin\bash.exe (Git Bash)
C:\Program Files\Git\usr\bin\bash.exe (Git Bash)
C:\msys64\usr\bin\bash.exe (MSYS2)
C:\cygwin\bin\bash.exe (Cygwin)

Quick WSL check:

wsl --list
wsl --status

Finding any executable

where /R C:\ [filename.exe]

Get-ChildItem -Path C:\ -Filter [filename.exe] -Recurse -ErrorAction SilentlyContinue

DACLS

Check access for directories

icacls.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"

System Information

Basic System Info

systeminfo

OS Information

ver
wmic os get Caption,Version,BuildNumber,OSArchitecture

Installed Software

Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate

wmic product get name,version

User Enumeration

Current User

whoami
whoami /priv
whoami /groups

List all users

net user
net localgroup administrators

User details

net user [username]

Network Information

Network configuration

ipconfig /all

Routing table

route print

ARP cache

arp -a

Active connections

netstat -ano

Firewall status

netsh advfirewall show allprofiles
netsh firewall show state
netsh firewall show config

Process and Service Enumeration

Running processes

tasklist /v

Get-Process

Services

sc query
net start

Get-Service

Scheduled tasks

schtasks /query /fo LIST /v

File and Directory Enumeration

Search for files

dir /s /b C:\[filename]

Get-ChildItem -Path C:\ -Include [pattern] -Recurse -ErrorAction SilentlyContinue

Find files containing specific text

findstr /si [text] C:\*.txt

Recently modified files

Get-ChildItem -Path C:\ -Recurse -ErrorAction SilentlyContinue | Where-Object {$_.LastWriteTime -gt (Get-Date).AddDays(-7)}

World-writable folders

Get-ChildItem 'C:\Program Files' -Recurse | Get-ACL | Where-Object {$_.AccessToString -match "Everyone\sAllow\s\sModify"}

Registry Enumeration

AlwaysInstallElevated

reg query HKCU\Software\Policies\Microsoft\Windows\Installer

Search registry

reg query HKLM /f [keyword] /t REG_SZ /s
reg query HKCU /f [keyword] /t REG_SZ /s

AutoRun programs

reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Credentials and Sensitive Data

Check for saved credentials

cmdkey /list

Search for passwords in files

findstr /si password C:\*.txt
findstr /si password C:\*.xml
findstr /si password C:\*.ini
findstr /si password C:\*.config

Get-ChildItem -Path C:\ -Include *.txt,*.xml,*.config,*.ini -Recurse -ErrorAction SilentlyContinue | Select-String -Pattern "password"

Unattended install files

dir /s *sysprep.inf *sysprep.xml *unattended.xml *unattend.xml

Installed Programs and Paths

PATH environment variable

echo %PATH%

Program Files directories

dir "C:\Program Files"
dir "C:\Program Files (x86)"

Check for development tools

where python
where python3
where perl
where ruby
where gcc
where git

Locksmith

GitHub - jakehildreth/Locksmith: A small tool built to find and fix common misconfigurations in Active Directory Certificate Services.GitHub

PreviousWindows NextNetwork Enumeration

Last updated 1 month ago

hashtagCheck Recycle Bin

hashtagFinding Executables

hashtagFinding bash.exe

hashtagUsing where command (fastest):

hashtagUsing PowerShell:

hashtagUsing dir for recursive search:

hashtagCommon bash.exe locations:

hashtagQuick WSL check:

hashtagFinding any executable

hashtagDACLS

hashtagSystem Information

hashtagBasic System Info

hashtagOS Information

hashtagInstalled Software

hashtagUser Enumeration

hashtagCurrent User

hashtagList all users

hashtagUser details

hashtagNetwork Information

hashtagNetwork configuration

hashtagRouting table

hashtagARP cache

hashtagActive connections

hashtagFirewall status

hashtagProcess and Service Enumeration

hashtagRunning processes

hashtagServices

hashtagScheduled tasks

hashtagFile and Directory Enumeration

hashtagSearch for files

hashtagFind files containing specific text

hashtagRecently modified files

hashtagWorld-writable folders

hashtagRegistry Enumeration

hashtagAlwaysInstallElevated

hashtagSearch registry

hashtagAutoRun programs

hashtagCredentials and Sensitive Data

hashtagCheck for saved credentials

hashtagSearch for passwords in files

hashtagUnattended install files

hashtagInstalled Programs and Paths

hashtagPATH environment variable

hashtagProgram Files directories

hashtagCheck for development tools

hashtagLocksmith