# Windows Enumeration

## <mark style="color:red;">**Users**</mark>

Information about the current user:

```powershell
C:\Users\student> whoami
client251\student
C:\Users\student> net user student
```

Discover other user accounts on the system:

```powershell
C:\Users\student>net user
User accounts for \\CLIENT251
-------------------------------------------------------------------------------
admin                    Administrator            DefaultAccount
Guest                    student                  WDAGUtilityAccount
The command completed successfully.
```

## <mark style="color:red;">**Hostname**</mark>

Discover the hostname:

```powershell
C:\Users\student>hostname
client251
```

## <mark style="color:red;">**Operating System Version and Architecture**</mark>

Extract the name of the operating system (OS Name), its version (OS Version) and its architecture (System Type):

```powershell
C:\> systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type"
OS Name:                   Microsoft Windows 10 Pro
OS Version:                10.0.16299 N/A Build 16299
System Type:               X86-based PC

# On an Italian-language Windows the labels change
C:\> systeminfo | findstr /B /C:"Nome SO" /C:"Versione SO" /C:"Tipo sistema"
```

## <mark style="color:red;">**Running Processes and Services**</mark>

List the running processes:

```bash
C:\> tasklist /SVC
```

## <mark style="color:red;">**Networking Information**</mark>

Display the full TCP/IP configuration of all adapters:

```bash
C:\> ipconfig /all
```

Display the networking routing tables:

```bash
C:\> route print
```

Display active network connections:

```bash
C:\> netstat -ano
```

## <mark style="color:red;">**Firewall Status and Rules**</mark>

Inspect the current firewall profile:

```bash
C:\> netsh advfirewall show currentprofile
```

List firewall rules:

```bash
C:\> netsh advfirewall firewall show rule name=all
```

## <mark style="color:red;">**Scheduled Tasks**</mark>

Display scheduled tasks:

```bash
C:\> schtasks /query /fo LIST /v
```

## <mark style="color:red;">**Installed Applications and Patch Levels**</mark>

List installed applications and their versions as registered by the *Windows Installer* (applications that were not installed through the Windows Installer will not appear):

```bash
C:\> wmic product get name, version, vendor
Name                                       Vendor                      Version
Microsoft OneNote MUI (English) 2016       Microsoft Corporation       16.0.4266.1001
Microsoft Office OSM MUI (English) 2016    Microsoft Corporation       16.0.4266.1001
...
```

Wmic can also be used to list system-wide updates by querying the *Win32\_QuickFixEngineering (qfe)* WMI class:

```bash
C:\> wmic qfe get Caption, Description, HotFixID, InstalledOn
Caption                                     Description      HotFixID   InstalledOn
                                            Update           KB2693643  4/7/2018
http://support.microsoft.com/?kbid=4088785  Security Update  KB4088785  3/31/2018
...
```

## <mark style="color:red;">**Readable / Writable Files and Directories**</mark>

Find a file with insecure file permissions in the Program Files directory:

```powershell
C:\> accesschk.exe -uws "Everyone" "C:\Program Files"

Accesschk v6.12 - Reports effective permissions for securable objects
Copyright (C) 2006-2017 Mark Russinovich
Sysinternals - www.sysinternals.com

RW C:\Program Files\TestApplication\testapp.exe
```

Search for any object that members of the Everyone group are allowed to modify (Modify right):

```powershell
PS C:\> Get-ChildItem "C:\Program Files" -Recurse | Get-ACL | ?{$_.AccessToString -match "Everyone\sAllow\s\sModify"}

    Directory: C:\Program Files\TestApplication

Path        Owner                  Access
----        -----                  ------
test.exe BUILTIN\Administrators Everyone Allow  Modify, Synchronize...
```
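The `AccessToString` regex above only catches the literal "Everyone Allow Modify" text. As an added example (not from the original notes), the function below inspects each ACE's `FileSystemRights` flags instead, so it also reports FullControl and Write grants and other low-privileged principals, and notes whether the right was inherited; the root path and principal list are assumptions you should adjust for the host being audited.

```powershell
# Added example: report files and directories under a root where low-privileged
# principals hold write-capable rights. Checks ACE flags rather than a text match.
function Find-WeakFilePermission {
    param(
        [string]$Root = 'C:\Program Files',
        # Principals whose write access counts as a finding (assumed list, extend as needed).
        [string[]]$Principals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')
    )
    # Any one of these rights lets the principal replace or alter the object.
    $writeRights = [System.Security.AccessControl.FileSystemRights]'Modify, FullControl, Write, WriteData, AppendData, TakeOwnership, ChangePermissions'

    Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue | ForEach-Object {
        $item = $_
        # Unreadable ACLs (access denied) are skipped rather than aborting the scan.
        try { $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop } catch { return }
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($Principals -notcontains $ace.IdentityReference.Value) { continue }
            # Bitwise test: does this ACE grant at least one write-capable right?
            if (($ace.FileSystemRights -band $writeRights) -eq 0) { continue }
            [pscustomobject]@{
                Path      = $item.FullName
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
                Owner     = $acl.Owner
            }
        }
    }
}

# Usage: narrow the output to executable content, which is what matters for an audit.
Find-WeakFilePermission | Where-Object { $_.Path -match '\.(exe|dll|msi|ps1|bat|cmd)$' } | Format-Table -AutoSize
```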

## <mark style="color:red;">**Unmounted Disks**</mark>

List all drives that are currently mounted or physically connected but unmounted:

```powershell
C:\> mountvol
Creates, deletes, or lists a volume mount point.
...
Possible values for VolumeName along with current mount points are:

    \\?\Volume{25721a7f-0000-0000-0000-100000000000}\
        *** NO MOUNT POINTS ***
    \\?\Volume{25721a7f-0000-0000-0000-602200000000}\
        C:\
    \\?\Volume{78fa00a6-3519-11e8-a4dc-806e6f6e6963}\
        D:\
```

## <mark style="color:red;">**Device Drivers and Kernel Modules**</mark>

This technique relies on matching known vulnerabilities in drivers with corresponding exploits, so we first need to compile a list of the drivers and kernel modules loaded on the target.

We first produce a list of loaded drivers:

```powershell
C:\> powershell.exe
PS C:\> driverquery.exe /v /fo csv | ConvertFrom-CSV | Select-Object 'Display Name', 'Start Mode', Path
```

Request the version number of each loaded driver:

```powershell
PS C:\Users\student> Get-WmiObject Win32_PnPSignedDriver | Select-Object DeviceName, DriverVersion, Manufacturer | Where-Object {$_.DeviceName -like "*VMware*"}

DeviceName               DriverVersion Manufacturer
----------               ------------- ------------
VMware VMCI Host Device  9.8.6.0       VMware, Inc.
VMware PVSCSI Controller 1.3.10.0      VMware, Inc.
...
```

## <mark style="color:red;">**Binaries That AutoElevate**</mark>

Check the status of the *AlwaysInstallElevated* registry setting. The policy only takes effect when the value is set to 1 under both *HKEY_CURRENT_USER* and *HKEY_LOCAL_MACHINE*; if it is enabled, we could craft an *MSI* file and run it to elevate our privileges:

```powershell
C:\> reg query HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer
    AlwaysInstallElevated    REG_DWORD    0x1

C:\> reg query HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer
    AlwaysInstallElevated    REG_DWORD    0x1
```
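Reading the two `reg query` dumps by eye is error-prone, so here is an added helper (not from the original notes) that checks both hives and reports whether the policy is actually effective; a missing key or value is treated as not configured.

```powershell
# Added example: AlwaysInstallElevated is only effective when the DWORD is 1 under
# BOTH HKLM and HKCU. Returns one object so a script can act on the result.
function Test-AlwaysInstallElevated {
    $subKey = 'Software\Policies\Microsoft\Windows\Installer'
    $hives  = @{ HKLM = "HKLM:\$subKey"; HKCU = "HKCU:\$subKey" }
    $state  = @{}
    foreach ($hive in $hives.Keys) {
        # A missing key or value means the policy is not configured, i.e. disabled.
        $value = Get-ItemProperty -Path $hives[$hive] -Name AlwaysInstallElevated -ErrorAction SilentlyContinue
        $state[$hive] = if ($null -ne $value) { [int]$value.AlwaysInstallElevated } else { 0 }
    }
    [pscustomobject]@{
        HKLM      = $state.HKLM
        HKCU      = $state.HKCU
        # Only a 1 in both hives makes the Windows Installer honour the policy.
        Effective = ($state.HKLM -eq 1 -and $state.HKCU -eq 1)
    }
}

Test-AlwaysInstallElevated
```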
