# Enumerating Windows

## System
One command that gives detailed information about the system, such as its build number and installed patches, is systeminfo. In the example below, we can see how many hotfixes have been installed (the list itself has been snipped).
```powershell
PS C:\Users\user>systeminfo
Host Name:                 RED-WIN-ENUM
OS Name:                   Microsoft Windows Server 2019 Datacenter
OS Version:                10.0.17763 N/A Build 17763
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Server
OS Build Type:             Multiprocessor Free
Registered Owner:          EC2
Registered Organization:   Amazon.com
Product ID:                00430-00000-00000-AA155
Original Install Date:     3/17/2021, 2:59:06 PM
System Boot Time:          7/5/2024, 12:02:27
Processor(s):              1 Processor(s) Installed.
                           [01]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2200 Mhz
BIOS Version:              Amazon EC2 1.0, 10/16/2017
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             en-us;English (United States)
Time Zone:                 (UTC) Coordinated Universal Time
Total Physical Memory:     2,016 MB
Hotfix(s):                 30 Hotfix(s) Installed.
...
Network Card(s):           1 NIC(s) Installed.
                           [01]: Amazon Elastic Network Adapter
                                 [01]: 10.10.255.122
                                 [02]: fe80::a482:a65b:bf37:44c9
```
You can check the installed and started Windows services using net start. Expect to get a long list; the output below has been snipped.
```powershell
PS C:\Users\user>net start
These Windows services are started:
...
   Update Orchestrator Service
   User Access Logging Service
   User Manager
   User Profile Service
   Windows Connection Manager
   Windows Defender Antivirus Service
   Windows Defender Firewall
   Windows Event Log
   Windows Font Cache Service
   Windows Management Instrumentation
   Windows Process Activation Service
   Windows Push Notifications System Service
   Windows Remote Management (WS-Management)
   Windows Time
   Windows Update
   WinHTTP Web Proxy Auto-Discovery Service
   Workstation
   World Wide Web Publishing Service
...
```
If you are only interested in installed applications, you can issue wmic product get name,version,vendor. If you run this command on the attached virtual machine, you will get something similar to the following output.
```powershell
C:\>wmic product get name,version,vendor
Name                                                               Vendor                 Version
Microsoft Visual C++ 2019 X64 Minimum Runtime - 14.28.29910        Microsoft Corporation  14.28.29910
[...]
Microsoft Visual C++ 2019 X64 Additional Runtime - 14.28.29910     Microsoft Corporation  14.28.29910
```
## Users
To know who you are, you can run whoami; moreover, to know what you are capable of, i.e., your privileges, you can use whoami /priv. An example is shown in the terminal output below.
```powershell
C:\>whoami
win-server-cli\strategos

C:\>whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                            Description                                                        State
========================================= ================================================================== =======
SeIncreaseQuotaPrivilege                  Adjust memory quotas for a process                                 Enabled
SeSecurityPrivilege                       Manage auditing and security log                                   Enabled
SeTakeOwnershipPrivilege                  Take ownership of files or other objects                           Enabled
[...]
```
Moreover, you can use whoami /groups to find out which groups you belong to. The terminal output below shows that this user belongs to the group NT AUTHORITY\Local account and member of Administrators group, among other groups.
```powershell
C:\>whoami /groups

GROUP INFORMATION
-----------------

Group Name                                                    Type             SID          Attributes
============================================================= ================ ============ ===============================================================
Everyone                                                      Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account and member of Administrators group Well-known group S-1-5-114    Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators                                        Alias            S-1-5-32-544 Mandatory group, Enabled by default, Enabled group, Group owner
[...]
```
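When reviewing many hosts, it helps to turn the two whoami listings above into structured data rather than eyeballing them. The following Python helper is an added example, not part of this page or of whoami itself. It parses the fixed-width tables that whoami /priv and whoami /groups print by taking the column offsets from the `=` ruler line under the headers, so cells that contain spaces (descriptions, group names, attribute lists) survive intact. The sample texts are constructed, trimmed copies of the outputs shown above; one extra Disabled privilege row (SeShutdownPrivilege) was added to exercise the State filter.

```python
"""Parse the fixed-width tables printed by `whoami /priv` and `whoami /groups`.

Added example, not part of the original page. whoami prints a ruler of '='
runs under the column headers; the start of each run is the start of a
column, so slicing rows at those offsets keeps cells that contain spaces
intact.
"""
import re

# Constructed sample: trimmed copy of the `whoami /priv` output on the page,
# plus one Disabled row added to exercise the State filter.
WHOAMI_PRIV = """PRIVILEGES INFORMATION
----------------------

Privilege Name              Description                                State
========================= ========================================== ========
SeIncreaseQuotaPrivilege    Adjust memory quotas for a process         Enabled
SeSecurityPrivilege         Manage auditing and security log           Enabled
SeTakeOwnershipPrivilege    Take ownership of files or other objects   Enabled
SeShutdownPrivilege         Shut down the system                       Disabled
"""

# Constructed sample: two rows of the `whoami /groups` output on the page
# (raw string, because the group name contains a backslash).
WHOAMI_GROUPS = r"""GROUP INFORMATION
-----------------

Group Name                Type               SID             Attributes
======================== ================== ============== ==========
Everyone                  Well-known group   S-1-1-0         Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators    Alias              S-1-5-32-544    Mandatory group, Enabled by default, Enabled group, Group owner
"""


def _is_ruler(line: str) -> bool:
    """True for the '===== ===== ...' line whoami prints under the header."""
    stripped = line.strip()
    return bool(stripped) and "=" in stripped and set(stripped) <= {"=", " "}


def parse_whoami_table(text: str) -> list[dict]:
    """Return one dict per row, keyed by the column headers."""
    lines = text.splitlines()
    ruler_idx = next(i for i, line in enumerate(lines) if _is_ruler(line))
    # Start offset of every '=' run; the last column runs to end of line.
    starts = [m.start() for m in re.finditer(r"=+", lines[ruler_idx])]
    spans = list(zip(starts, starts[1:] + [None]))
    headers = [lines[ruler_idx - 1][s:e].strip() for s, e in spans]
    rows = []
    for line in lines[ruler_idx + 1:]:
        if not line.strip():
            break  # table ends at the first blank line
        rows.append(dict(zip(headers, (line[s:e].strip() for s, e in spans))))
    return rows


def enabled_privileges(rows: list[dict]) -> list[str]:
    """Names of privileges whose State column reads Enabled, in output order."""
    return [r["Privilege Name"] for r in rows if r["State"] == "Enabled"]


def group_sids(rows: list[dict]) -> set[str]:
    """SIDs of all groups in a `whoami /groups` table (for membership checks)."""
    return {r["SID"] for r in rows}


if __name__ == "__main__":
    for name in enabled_privileges(parse_whoami_table(WHOAMI_PRIV)):
        print("enabled:", name)
    print("group SIDs:", sorted(group_sids(parse_whoami_table(WHOAMI_GROUPS))))
```

Because the offsets come from the ruler rather than from hard-coded widths, the same function works for both commands and for the wider columns a real `whoami /groups` run produces.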
You can view users by running net user.
```powershell
C:\>net user

User accounts for \\WIN-SERVER-CLI

-------------------------------------------------------------------------------
Administrator            DefaultAccount           Guest
michael                  peter                    strategos
WDAGUtilityAccount
The command completed successfully.
```
You can discover the available groups using net group if the system is a Windows Domain Controller or net localgroup otherwise, as shown in the terminal below.
```powershell
C:\>net localgroup

Aliases for \\WIN-SERVER-CLI

-------------------------------------------------------------------------------
*Access Control Assistance Operators
*Administrators
*Backup Operators
*Certificate Service DCOM Access
*Cryptographic Operators
*Device Owners
[...]

C:\>net localgroup administrators
Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
michael
peter
strategos
The command completed successfully.
```
Use net accounts to see the local account policy settings of a machine; use net accounts /domain instead if the machine belongs to a domain. This command shows the password policy, such as minimum password length, maximum password age, and lockout duration.
## Networking
You can use the ipconfig command to learn about your system's network configuration; ipconfig /all prints all network-related settings. The terminal output below shows plain ipconfig. For instance, we would have used ipconfig /all if we wanted to learn the DNS servers.
```powershell
C:\>ipconfig

Windows IP Configuration

Ethernet adapter Ethernet0:

   Connection-specific DNS Suffix  . : localdomain
   Link-local IPv6 Address . . . . . : fe80::3dc5:78ef:1274:a740%5
   IPv4 Address. . . . . . . . . . . : 10.20.30.130
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.20.30.2
```
In the partial output shown below, we can see that netstat -abno shows the server listening on TCP ports 22, 135, 445 and 3389. The processes sshd.exe, RpcSs, and TermService are on ports 22, 135, and 3389, respectively; for port 445 (PID 4), netstat could not obtain ownership information. Moreover, we can see two established connections to the SSH server, as indicated by the state ESTABLISHED.
```powershell
C:\>netstat -abno

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:22             0.0.0.0:0              LISTENING       2016
 [sshd.exe]
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       924
  RpcSs
 [svchost.exe]
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
 Can not obtain ownership information
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       416
  TermService
 [svchost.exe]
[...]
  TCP    10.20.30.130:22        10.20.30.1:39956       ESTABLISHED     2016
 [sshd.exe]
  TCP    10.20.30.130:22        10.20.30.1:39964       ESTABLISHED     2016
 [sshd.exe]
[...]
```
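The netstat -abno format is awkward to grep because the owning process is printed on the lines after each socket line: a bare service name for svchost-hosted services (RpcSs, TermService), the executable in square brackets, or "Can not obtain ownership information" when the caller cannot query that process. The Python parser below is an added example, not part of this page or of netstat; it keeps each socket together with its owner and then lists the listening ports and established connections. The sample text is a constructed copy of the output above, with one UDP line (W32Time on port 123) added to exercise the case where there is no State column.

```python
"""Parse `netstat -abno` output into per-socket records with owning process.

Added example, not part of the original page. The `-b` switch prints the
owner on the line(s) following each socket line: a service name, the
executable in brackets, or a notice that ownership could not be obtained.
"""

OWNER_UNAVAILABLE = "Can not obtain ownership information"

# Constructed sample: the page's output plus one UDP line, which netstat prints
# without a State column (so the PID is always the last token on the line).
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:22             0.0.0.0:0              LISTENING       2016
 [sshd.exe]
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       924
  RpcSs
 [svchost.exe]
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
 Can not obtain ownership information
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       416
  TermService
 [svchost.exe]
  TCP    10.20.30.130:22        10.20.30.1:39956       ESTABLISHED     2016
 [sshd.exe]
  TCP    10.20.30.130:22        10.20.30.1:39964       ESTABLISHED     2016
 [sshd.exe]
  UDP    0.0.0.0:123            *:*                                    1140
  W32Time
 [svchost.exe]
"""


def parse_netstat(text: str) -> list[dict]:
    """Return one dict per socket line, with owner details attached."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        tokens = line.split()
        if tokens[0] in ("TCP", "UDP"):
            has_state = tokens[0] == "TCP" and len(tokens) == 5
            records.append({
                "proto": tokens[0],
                "local": tokens[1],
                "foreign": tokens[2],
                "state": tokens[3] if has_state else "",
                "pid": int(tokens[-1]),
                "service": None,
                "exe": None,
                "owner_unavailable": False,
            })
        elif records:
            # Continuation line: belongs to the most recent socket record.
            rec = records[-1]
            if line == OWNER_UNAVAILABLE:
                rec["owner_unavailable"] = True
            elif line.startswith("[") and line.endswith("]"):
                rec["exe"] = line[1:-1]
            else:
                rec["service"] = line
    return records


def owner_label(rec: dict):
    """'exe (service)' when both are known, 'exe' alone, or None if unknown."""
    if rec["exe"] is None:
        return None
    return f'{rec["exe"]} ({rec["service"]})' if rec["service"] else rec["exe"]


def port_of(addr: str) -> int:
    """Port from 'ip:port' (works for bracketed IPv6 too, e.g. '[::]:135')."""
    return int(addr.rsplit(":", 1)[1])


def listening_ports(records: list[dict]) -> list[tuple]:
    """(port, proto, pid, owner) for every TCP socket in LISTENING state."""
    rows = [(port_of(r["local"]), r["proto"], r["pid"], owner_label(r))
            for r in records if r["state"] == "LISTENING"]
    return sorted(rows, key=lambda row: row[0])


def established(records: list[dict]) -> list[tuple]:
    """(local, foreign, pid) for every ESTABLISHED TCP connection."""
    return [(r["local"], r["foreign"], r["pid"])
            for r in records if r["state"] == "ESTABLISHED"]


if __name__ == "__main__":
    recs = parse_netstat(NETSTAT_SAMPLE)
    for port, proto, pid, owner in listening_ports(recs):
        print(f"{proto} {port:>5}  pid={pid:<5} owner={owner or '(unavailable)'}")
    for local, foreign, pid in established(recs):
        print(f"established {local} <- {foreign} (pid {pid})")
```

On a real host, feed it the captured text (for example `subprocess.run(["netstat", "-abno"], capture_output=True, text=True).stdout`); remember that -b needs an elevated prompt to resolve most owners, which is exactly why the PID 4 entry above comes back without one.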
Finally, it is worth mentioning that arp -a helps you discover other systems on the same LAN that recently communicated with your system. ARP stands for Address Resolution Protocol; arp -a shows the current ARP entries, i.e., the physical (MAC) addresses of the systems on the same LAN that communicated with your system. An example output is shown below. It indicates that these IP addresses have communicated somehow with our system; the communication can be an attempt to connect or even a simple ping. Note that 10.10.255.255 does not represent a system, as it is the subnet broadcast address.
```powershell
C:\>arp -a

Interface: 10.10.204.175 --- 0x4
  Internet Address      Physical Address      Type
  10.10.0.1             02-c8-85-b5-5a-aa     dynamic
  10.10.16.117          02-f2-42-76-fc-ef     dynamic
  10.10.122.196         02-48-58-7b-92-e5     dynamic
  10.10.146.13          02-36-c1-4d-05-f9     dynamic
  10.10.161.4           02-a8-58-98-1a-d3     dynamic
  10.10.217.222         02-68-10-dd-be-8d     dynamic
  10.10.255.255         ff-ff-ff-ff-ff-ff     static
```