Enumeration
Enumerating System Information
This information is very useful as it gives us an idea of what we can do and what type of exploits we can run.
We have to identify:
- Hostname
- OS Name
- OS Build and Service Pack
- OS Architecture
- Installed updates/Hotfixes
Commands to perform local enumeration
# Hostname
hostname
# Display all the operating system information
systeminfo
# Get additional information regarding the updates
wmic qfe get Caption,Description,HotFixID
Get the content of C:\Windows\System32\eula.txt if it exists. It contains information regarding the operating system.
Enumerating Users and Groups
It is important to learn more about the system, such as:
- What privileges we have.
- Which user account we have access to, and the other user accounts on the system.
# Enumerate current user
whoami
# Display privileges
whoami /priv
# Enumerate logged on users
query user
# Display all accounts on the system
net users
# Get details of a specific user, example for administrator user
net user administrator
# Enumerate local groups on the system
net localgroup
# Get members of the group Administrators
net localgroup Administrators
Enumerating Network Information
What are we looking for?
- Identify the current IP address.
- Learn more about the current network.
- Identify any internal network.
- Identify TCP/UDP services.
- Identify other hosts.
- Get the routing table.
- The current state of the Windows Firewall.
# Enumerate adapters and their details
ipconfig
# Get additional information
ipconfig /all
# Get routing table
route print
# List hosts in the ARP cache (other devices seen on the local network segment)
arp -a
# Display active connections and listening ports, with the owning PID of each
netstat -ano
# Windows firewall state
netsh firewall show state
netsh advfirewall show allprofiles
Enumerating Processes and Services
It is important to learn which processes, services and scheduled tasks are currently running on the system.
Running processes and services give us candidates for migrating to a more stable process.
Scheduled tasks can be leveraged to elevate our privileges.
A process is an instance of a running executable or program while a service is a process which runs in the background and does not interact with the desktop.
Meterpreter commands
# List running processes
ps
# Search for a specific process, for instance explorer.exe
pgrep explorer.exe
# Migrate to a particular PID
migrate PID
Shell commands
# Enumerate a list of running services
net start
# We can learn more about the running services by running the following command
wmic service list brief
# List of running tasks and the corresponding services for each task
tasklist /SVC
# List of scheduled tasks
schtasks /query /fo LIST /v
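The `netstat -ano` and `tasklist /SVC` outputs listed above can be joined to attribute each listening port to the process and service behind it, which is how a reviewer checks what a host actually exposes. The following is an added example, not part of the original notes: a Python parser for both output layouts, run over constructed sample rows in the format those commands print (the PIDs, ports and image names in the samples are made up).

```python
import re
# Constructed sample in the layout of `netstat -ano` output (not a real capture).
NETSTAT_SAMPLE = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.10:49678     192.168.1.20:443       ESTABLISHED     2312
  UDP    0.0.0.0:123            *:*                                    1056
"""
# Constructed sample in the layout of `tasklist /SVC` output (not a real capture).
TASKLIST_SAMPLE = """
Image Name                     PID Services
========================= ======== ============================================
System                           4 N/A
svchost.exe                    884 RpcEptMapper,RpcSs
svchost.exe                   1056 W32Time
chrome.exe                    2312 N/A
"""
def parse_netstat(text):
    """Return (proto, local, state, pid) tuples; UDP rows have no State column."""
    sockets = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        state = parts[3] if parts[0] == "TCP" else ""   # PID is always the last field
        sockets.append((parts[0], parts[1], state, int(parts[-1])))
    return sockets

def parse_tasklist_svc(text):
    """Map PID -> (image name, list of hosted services) from `tasklist /SVC`."""
    procs = {}
    for line in text.splitlines():
        m = re.match(r"^(\S+)\s+(\d+)\s+(\S.*?)\s*$", line)
        if m:  # the header and ===== rows have no numeric PID and are skipped
            svcs = [] if m.group(3) == "N/A" else m.group(3).split(",")
            procs[int(m.group(2))] = (m.group(1), svcs)
    return procs

def exposed_services(netstat_text, tasklist_text):
    """Attribute each listening TCP / bound UDP socket to its process and services."""
    procs = parse_tasklist_svc(tasklist_text)
    rows = []
    for proto, local, state, pid in parse_netstat(netstat_text):
        if proto == "TCP" and state != "LISTENING":
            continue
        image, svcs = procs.get(pid, ("<unknown>", []))
        rows.append((proto, local, pid, image, svcs))
    return rows
```

On a real host, feed the saved output of both commands to `exposed_services` and review any port whose owning image or service is not expected for that system's role.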
Meterpreter commands
# Get user information
getuid
# Check current privileges
getprivs
# Get system information
sysinfo
# Attempt to elevate privileges
getsystem
# Start keylogger
keyscan_start
# Dump hashes
hashdump
# Display mounts/drives
show_mount
# Take screenshot
screenshot
# List processes
ps
# Migrate to a different process
migrate PID
# From a shell, enumerate users
net users
# From a shell, enumerate members of the administrators group
net localgroup administrators