Windows Enumeration Fundamentals

Beginner · 30 min · Writeup

Essential commands and techniques for Windows enumeration

Learning Objectives

  • Enumerate system information
  • Find installed software
  • Identify running services
  • Check patch levels

Before exploiting a Windows system, you need to understand what you're working with. Enumeration is the process of gathering information about the system, users, permissions, and potential vulnerabilities. The better your enumeration, the more likely you'll find an escalation path.

Order Matters

Start with low-noise, built-in commands (whoami, systeminfo) before running automated tools like WinPEAS. The built-ins are always present and quiet; WinPEAS touches a large part of the file system and registry and is routinely flagged by AV/EDR. Get the basics first, then go deep.

System Information

batch
REM Basic system information
systeminfo
REM Shows: OS name and version, build, architecture, installed hotfixes, domain membership, boot time

REM Specific checks
systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type"

REM Hostname and domain
hostname
echo %USERDOMAIN%
REM USERDOMAIN is the computer name for a local account and the NetBIOS domain name for a domain account

REM Architecture (32-bit vs 64-bit)
echo %PROCESSOR_ARCHITECTURE%
REM AMD64 = 64-bit, x86 = 32-bit
REM A 32-bit shell on 64-bit Windows also reports x86; in that case %PROCESSOR_ARCHITEW6432% is set to AMD64

REM Installed patches (note the newest InstalledOn date: a long gap since the last patch makes kernel exploits worth checking)
wmic qfe list
wmic qfe get Caption,Description,HotFixID,InstalledOn
REM wmic is deprecated and missing on recent Windows 11 builds; PowerShell's Get-HotFix returns the same data there

Check .NET Versions

Many exploitation tools (PowerShell-based tooling and C# implants in particular) require a specific .NET Framework version. List the installed runtimes with dir C:\Windows\Microsoft.NET\Framework64 (or ...\Framework for the 32-bit runtimes): each vX.Y.Z subdirectory is an installed runtime, e.g. v2.0.50727 for 2.0/3.5 and v4.0.30319 for 4.x.

User Information

batch
REM Current user
whoami
whoami /all
REM Shows: username and SID, group memberships, privileges (VERY IMPORTANT)

REM Current user's privileges
whoami /priv
REM Look for: SeImpersonatePrivilege, SeBackupPrivilege, etc. (see the list below)

REM All local users
net user

REM Specific user info (group memberships, last logon, password settings, whether the account is active)
net user Administrator

REM Who is logged in? (console and RDP sessions)
query user
qwinsta

REM Local groups
net localgroup

REM Members of specific groups
net localgroup Administrators
net localgroup "Remote Desktop Users"
REM On a domain member, add /domain to net user and net group to query the DC instead of the local SAM

Understanding Privileges

Dangerous privileges (from whoami /priv):

  • SeImpersonatePrivilege - impersonate tokens handed to your process (Potato-family attacks); held by default by service accounts such as IIS application pools and MSSQL
  • SeAssignPrimaryTokenPrivilege - assign a primary token to a new process; same attack family
  • SeBackupPrivilege - read any file regardless of its ACL (copy the SAM and SYSTEM hives, then crack or pass the hashes)
  • SeRestorePrivilege - write any file regardless of its ACL (overwrite a service binary or DLL)
  • SeTakeOwnershipPrivilege - take ownership of any securable object, then grant yourself the permissions you need
  • SeDebugPrivilege - open any process (dump LSASS memory)
  • SeLoadDriverPrivilege - load a kernel driver (bring a vulnerable signed driver)

If you hold any of these, escalation is likely. A privilege listed as Disabled is still in the token; your own process can enable it, so treat Disabled the same as Enabled.
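The triage in the list above, as an added PowerShell example (not code from the original page): it parses `whoami /priv` as CSV and reports only the privileges that are escalation primitives. The lookup table and the "Why" text are this example's own; extend them as you learn new techniques.

```powershell
# Added example, not from the original page. Flags escalation-relevant
# privileges in the current token. The $dangerous table is an assumption
# of this example, seeded from the list in the text.
function Get-DangerousPrivilege {
    $dangerous = @{
        'SeImpersonatePrivilege'        = 'Impersonate tokens (Potato family)'
        'SeAssignPrimaryTokenPrivilege' = 'Assign a primary token to a new process'
        'SeBackupPrivilege'             = 'Read any file regardless of ACL (SAM/SYSTEM hives)'
        'SeRestorePrivilege'            = 'Write any file regardless of ACL (swap a service binary)'
        'SeTakeOwnershipPrivilege'      = 'Take ownership of any securable object'
        'SeDebugPrivilege'              = 'Open any process (dump LSASS)'
        'SeLoadDriverPrivilege'         = 'Load a kernel driver'
    }

    # whoami can emit CSV, which parses more reliably than its table output.
    # Columns: "Privilege Name","Description","State"
    $privs = whoami /priv /fo csv | ConvertFrom-Csv

    foreach ($p in $privs) {
        $name = $p.'Privilege Name'
        if ($dangerous.ContainsKey($name)) {
            [pscustomobject]@{
                Privilege = $name
                # "Disabled" only means not currently enabled in the token; the
                # process can enable it itself, so it still counts.
                State     = $p.State
                Why       = $dangerous[$name]
            }
        }
    }
}

Get-DangerousPrivilege | Format-Table -AutoSize
```

Run it first thing after landing a shell; an empty result means token-based escalation is off the table and the service, software and credential checks below are where the time should go.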

Network Information

batch
REM Network configuration (extra interfaces or DNS suffixes mean another network to pivot into)
ipconfig /all

REM Routing table
route print

REM ARP cache (hosts this machine has recently talked to)
arp -a

REM Open ports and connections (-a all sockets, -n numeric, -o owning PID)
netstat -ano
netstat -ano | findstr LISTENING
netstat -ano | findstr ESTABLISHED
REM Services bound to 127.0.0.1 are invisible from the network but reachable from this shell

REM Find process for a port
netstat -ano | findstr :8080
tasklist /FI "PID eq 1234"

REM Shares
net share

REM Remote shares mounted
net use

REM Firewall status (use allprofiles to see every profile at once)
netsh advfirewall show currentprofile
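The netstat-then-tasklist lookup above, done in one pass as an added PowerShell example (not code from the original page): every listening TCP socket is joined to its owning process, and listeners bound only to loopback are flagged, since those are the services you can only reach from this shell (or through a port forward). It assumes the NetTCPIP module is present, which it is on Windows 8 / Server 2012 and later.

```powershell
# Added example, not from the original page. Joins listening sockets to
# their owning process and marks loopback-only listeners.
function Get-ListeningService {
    Get-NetTCPConnection -State Listen | ForEach-Object {
        # Get-Process may fail for protected processes; keep the row anyway.
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            LocalAddress = $_.LocalAddress
            Port         = $_.LocalPort
            PID          = $_.OwningProcess
            Process      = $proc.ProcessName
            # Path is empty unless you can open the process (your own, or elevated).
            Path         = $proc.Path
            # 0.0.0.0 / :: listen on every interface; these two are local-only.
            LoopbackOnly = $_.LocalAddress -in @('127.0.0.1', '::1')
        }
    } | Sort-Object Port
}

Get-ListeningService | Format-Table -AutoSize
```

Loopback-only rows are the interesting ones: a database, management console or debug port that the firewall never had to consider because it was "not exposed".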

Services and Processes

batch
REM Running processes
tasklist
tasklist /V
REM /V adds the user each process runs as: processes owned by other users mean tokens to steal or apps to abuse
tasklist /SVC
REM /SVC maps each svchost.exe instance to the services it hosts

REM Services
sc query
net start

REM All services (including stopped)
sc query state= all
REM The space after "state=" is required by sc's argument parser
wmic service get name,displayname,pathname,startmode
REM pathname is where unquoted paths and writable binary locations show up

REM Scheduled tasks (look for tasks running as SYSTEM whose script or binary you can write to)
schtasks /query /fo LIST /v

Unquoted Paths

Look for service binaries whose path contains spaces but isn't wrapped in quotes, for example C:\Program Files\My App\service.exe; the pathname column of the wmic service query above shows it. When the service starts, Windows resolves the unquoted path by trying C:\Program.exe, then C:\Program Files\My.exe, and only then the real binary. If you can write to one of those directories and the service runs as LocalSystem, a binary dropped under that name runs as SYSTEM the next time the service starts. You still need a way to restart it: start rights on the service, or an auto-start service plus a reboot.
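The check described above, as an added PowerShell example (not code from the original page): it pulls every service's binary path, skips quoted and system-directory paths, derives the shorter executables Windows would try first, and probes whether the current user can write into each of those directories. Service names and paths come from the live system; the write probe is this example's own approach.

```powershell
# Added example, not from the original page. Finds unquoted service paths
# with spaces and tells you which hijack directories you can write to.

function Test-DirectoryWritable {
    param([string]$Dir)
    if (-not (Test-Path -LiteralPath $Dir -PathType Container)) { return $false }
    # A real write probe is more reliable than reasoning about ACL inheritance,
    # but it creates and deletes a file, which file auditing or EDR will see.
    $probe = Join-Path -Path $Dir -ChildPath ([IO.Path]::GetRandomFileName())
    try {
        [IO.File]::WriteAllBytes($probe, [byte[]]@())
        Remove-Item -LiteralPath $probe -Force
        return $true
    } catch {
        return $false
    }
}

function Get-UnquotedServicePath {
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        $path = $svc.PathName
        if (-not $path -or $path.StartsWith('"')) { continue }   # empty or quoted: not affected
        # Everything up to the first ".exe" is the binary; the rest are arguments.
        if ($path -notmatch '^(?<exe>.*?\.exe)') { continue }
        $exe = $Matches['exe']
        if ($exe -notmatch ' ') { continue }                      # no spaces: nothing to hijack
        if ($exe -like "$env:SystemRoot\*") { continue }          # system dirs: not writable, just noise

        # CreateProcess splits at each space, so for
        #   C:\Program Files\My App\svc.exe
        # it tries C:\Program.exe, then C:\Program Files\My.exe, then the real binary.
        $parts = $exe -split ' '
        for ($i = 1; $i -lt $parts.Count; $i++) {
            $candidate = $parts[0..($i - 1)] -join ' '
            # Windows appends .exe only when the candidate has no extension.
            if (-not [IO.Path]::GetExtension($candidate)) { $candidate += '.exe' }
            [pscustomobject]@{
                Service   = $svc.Name
                StartMode = $svc.StartMode    # Auto: runs at boot; Manual: you need start rights
                RunsAs    = $svc.StartName    # LocalSystem is the prize
                Candidate = $candidate
                Writable  = Test-DirectoryWritable -Dir (Split-Path -Path $candidate -Parent)
            }
        }
    }
}

Get-UnquotedServicePath | Where-Object Writable | Format-Table -AutoSize
```

A writable candidate directory is only half the finding: confirm the service runs as LocalSystem (RunsAs) and that you can restart it, or that it is Auto-start and a reboot is acceptable, before spending time on a payload.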

Installed Software

batch
REM Native (64-bit) installed programs; on 32-bit Windows this key holds everything
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

REM 32-bit programs on 64-bit Windows (the WOW6432Node key)
reg query HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall

REM Quick list with WMIC
wmic product get name,version
REM Slow, lists only MSI-installed products, and triggers a consistency check (sometimes a repair) of each one: noisy in the event log

REM Program Files directories
dir "C:\Program Files"
dir "C:\Program Files (x86)"
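The two Uninstall keys above merged into one listing, as an added PowerShell example (not code from the original page): it also reads the per-user Uninstall key under HKCU, tags each entry with the hive it came from so the 32-bit/64-bit split is explicit, and avoids the MSI consistency checks that wmic product triggers. The Arch label assumes 64-bit Windows.

```powershell
# Added example, not from the original page. Lists installed software from
# all three Uninstall keys without going through Win32_Product.
function Get-InstalledSoftware {
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'              # 64-bit apps (all apps on 32-bit Windows)
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'  # 32-bit apps on 64-bit Windows
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'              # per-user installs, no admin needed
    )
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        ForEach-Object {
            # PSPath carries the full registry path, so the hive tells us scope and bitness.
            $scope = if ($_.PSPath -match 'HKEY_CURRENT_USER') { 'User' } else { 'Machine' }
            $arch  = if ($_.PSPath -match 'WOW6432Node') { 'x86' } else { 'x64' }
            [pscustomobject]@{
                Name      = $_.DisplayName
                Version   = $_.DisplayVersion
                Publisher = $_.Publisher
                Installed = $_.InstallDate        # yyyyMMdd; often empty for non-MSI installers
                Scope     = $scope
                Arch      = $arch
                Location  = $_.InstallLocation    # worth a write check later (DLL hijack)
            }
        } | Sort-Object Name
}

Get-InstalledSoftware | Format-Table -AutoSize
```

Entries with Scope = User were installed without admin rights into the user's profile; their install directories are writable by that user by design, which matters if a scheduled task or service later runs something from there.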

Credentials in Files

batch
REM Password files (findstr searches from the current directory down: run it from C:\ or from a user's profile)
findstr /si password *.xml *.ini *.txt *.config

REM Unattend files (often contain credentials; the password is usually base64-encoded, not encrypted)
dir /s C:\*unattend.xml
dir /s C:\*sysprep.xml

REM Common credential locations:
type C:\Windows\Panther\Unattend.xml
type C:\Windows\System32\Sysprep\Unattend.xml

REM Group Policy Preference files (cpassword values are AES-encrypted with a key Microsoft published; also check SYSVOL on the DC)
dir /s C:\*Groups.xml
dir /s C:\*Services.xml

Registry Credentials

batch
REM AutoLogon credentials (look for AutoAdminLogon, DefaultUserName, DefaultDomainName, DefaultPassword)
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

REM VNC passwords (Password is a value under the WinVNC3 key, not a subkey; the data is obfuscated with a fixed DES key)
reg query "HKCU\Software\ORL\WinVNC3" /v Password

REM PuTTY saved sessions (hostnames, usernames, proxy passwords)
reg query "HKCU\Software\SimonTatham\PuTTY\Sessions"

REM Search registry for passwords (slow and full of false positives; repeat with HKCU)
reg query HKLM /f password /t REG_SZ /s
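The registry checks above collected into one function, as an added PowerShell example (not code from the original page): it reads the Winlogon autologon values, walks every saved PuTTY session, and finishes with the generic "pass" sweep over HKLM\SOFTWARE and HKCU\Software. The value names it reads are the documented ones for Winlogon and PuTTY; the sweep pattern is this example's own choice.

```powershell
# Added example, not from the original page. Pulls credentials from the
# well-known registry locations, then does a slow generic sweep.
function Find-RegistryCredential {
    # 1. AutoLogon. DefaultPassword is cleartext only when it was written straight
    #    into the registry; Sysinternals Autologon stores it as an LSA secret
    #    instead, which needs SYSTEM to read.
    $wl = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' -ErrorAction SilentlyContinue
    if ($wl -and ($wl.AutoAdminLogon -eq '1' -or $wl.DefaultPassword)) {
        [pscustomobject]@{
            Source = 'Winlogon'
            Name   = "$($wl.DefaultDomainName)\$($wl.DefaultUserName)"
            Secret = $wl.DefaultPassword
        }
    }

    # 2. PuTTY sessions: host, user and (cleartext) proxy password. Session key
    #    names are URL-encoded, e.g. "prod%20db".
    Get-ChildItem -Path 'HKCU:\Software\SimonTatham\PuTTY\Sessions' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $s = Get-ItemProperty -Path $_.PSPath
            [pscustomobject]@{
                Source = 'PuTTY:' + [uri]::UnescapeDataString($_.PSChildName)
                Name   = "$($s.UserName)@$($s.HostName)"
                Secret = $s.ProxyPassword
            }
        }

    # 3. Generic sweep: any REG_SZ whose name or data mentions "pass". Slow on a
    #    full HKLM\SOFTWARE and noisy, so read the output rather than trusting it.
    foreach ($hive in 'HKLM:\SOFTWARE', 'HKCU:\Software') {
        Get-ChildItem -Path $hive -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $key = $_
            foreach ($name in $key.GetValueNames()) {
                if ($key.GetValueKind($name) -ne [Microsoft.Win32.RegistryValueKind]::String) { continue }
                $data = [string]$key.GetValue($name)
                if ($name -match 'pass' -or $data -match 'pass') {
                    [pscustomobject]@{ Source = $key.Name; Name = $name; Secret = $data }
                }
            }
        }
    }
}

Find-RegistryCredential | Format-Table -AutoSize -Wrap
```

Run the first two sections on their own when time is short; the sweep in section 3 is the part that takes minutes and generates the reads an EDR is most likely to notice.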

Enumeration Methodology

Windows Enumeration Flow

1. Who Am I? - whoami /all - get user, groups, privileges
2. System Info - systeminfo - OS version, patches, domain
3. Users/Groups - net user, net localgroup - enumerate accounts
4. Network - ipconfig, netstat - network config and connections
5. Services - sc query, wmic - find potential service exploits
6. Software - installed programs - outdated vulnerable apps
7. Credentials - search files and registry for passwords
8. Automated - run WinPEAS for comprehensive checks

Knowledge Check


What command shows your current privileges that could be exploited?

Key Takeaways

  • whoami /all shows your privileges - check for SeImpersonate
  • systeminfo reveals patch level and potential kernel exploits
  • Services with unquoted paths or weak permissions are escalation vectors
  • Always search registry and files for stored credentials
  • net localgroup Administrators shows who has admin access