# Windows Post-exploitation Enumeration

We assume you have access to cmd on a Microsoft Windows host. You might have gained this access by exploiting a vulnerability and getting a shell or a reverse shell. You may also have installed a backdoor or set up an SSH server on a system you exploited. In all cases, the commands below require cmd to run.

## System

One of the commands that can give us detailed info about the system, such as its build number and installed patches, is **systeminfo**.

```
C:\>systeminfo
Host Name:                 WIN-SERVER-CLI
OS Name:                   Microsoft Windows Server 2022 Standard
OS Version:                10.0.20348 N/A Build 20348
OS Manufacturer:           Microsoft Corporation
[...]
Hotfix(s):                 3 Hotfix(s) Installed.
                           [01]: KB5013630
                           [02]: KB5013944
                           [03]: KB5012673
Network Card(s):           1 NIC(s) Installed.
                           [01]: Intel(R) 82574L Gigabit Network Connection
[...]
```

You can check the installed updates using **wmic qfe get Caption, Description**.

```
C:\>wmic qfe get Caption, Description
Caption                                     Description
http://support.microsoft.com/?kbid=5013630  Update
https://support.microsoft.com/help/5013944  Security Update
                                            Update
```

You can check the installed and started Windows services using **net start**. Expect to get a long list; the output below has been snipped.

```
C:\>net start
These Windows services are started:

   Base Filtering Engine
   Certificate Propagation
   Client License Service (ClipSVC)
   COM+ Event System
   Connected User Experiences and Telemetry
   CoreMessaging
   Cryptographic Services
   DCOM Server Process Launcher
   DHCP Client
   DNS Client
[...]
   Windows Time
   Windows Update
   WinHTTP Web Proxy Auto-Discovery Service
   Workstation

The command completed successfully.
```

If you are only interested in installed apps, you can issue **wmic product get name,version,vendor**. If you run this command on the attached virtual machine, you will get something similar to the following output.
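The parts of the `systeminfo` and `wmic qfe` output that a patch review actually uses are the hotfix list and the KB numbers buried in the caption URLs. The following Python script is an added example, not code from the original page: it parses the two samples shown above (embedded here as constructed strings) into KB identifiers and compares them with a baseline. `REQUIRED_BASELINE` and the entry `KB0000000` in it are placeholders for a patch-compliance list, not real update numbers.

```python
import re

# Constructed samples: the systeminfo and "wmic qfe" output shown above, trimmed
# to the lines the parsers below need.
SYSTEMINFO_SAMPLE = """\
Host Name:                 WIN-SERVER-CLI
OS Name:                   Microsoft Windows Server 2022 Standard
OS Version:                10.0.20348 N/A Build 20348
OS Manufacturer:           Microsoft Corporation
Hotfix(s):                 3 Hotfix(s) Installed.
                           [01]: KB5013630
                           [02]: KB5013944
                           [03]: KB5012673
Network Card(s):           1 NIC(s) Installed.
                           [01]: Intel(R) 82574L Gigabit Network Connection
"""

WMIC_QFE_SAMPLE = """\
Caption                                     Description
http://support.microsoft.com/?kbid=5013630  Update
https://support.microsoft.com/help/5013944  Security Update
                                            Update
"""

# Placeholder baseline (not a real patch list): the KBs a compliance check
# expects on this host. KB0000000 stands in for an update that should be
# present but is not.
REQUIRED_BASELINE = ["KB5013630", "KB5013944", "KB5012673", "KB0000000"]

KB_RE = re.compile(r"\bKB\d+\b")


def parse_systeminfo(text):
    """Split systeminfo output into top-level fields and a hotfix list.

    Top-level fields start at column 0 ("Key: value"); continuation lines are
    indented, and only those under "Hotfix(s)" carry KB numbers.
    """
    fields, hotfixes = {}, []
    in_hotfix = False
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
            in_hotfix = key.strip().startswith("Hotfix")
        elif in_hotfix:
            m = KB_RE.search(line)
            if m:
                hotfixes.append(m.group(0))
    return fields, hotfixes


def parse_wmic_qfe(text):
    """Recover KB identifiers from the Caption URLs of "wmic qfe" output.

    Rows whose Caption is blank (the third row in the sample) carry no KB
    and are skipped.
    """
    kbs = []
    for line in text.splitlines()[1:]:          # skip the header row
        m = re.search(r"(?:kbid=|/help/)(\d+)", line)
        if m:
            kbs.append("KB" + m.group(1))
    return kbs


def patch_gaps(installed, required):
    """KBs from the baseline that the host does not report as installed."""
    return sorted(set(required) - set(installed))


if __name__ == "__main__":
    fields, hotfixes = parse_systeminfo(SYSTEMINFO_SAMPLE)
    print(f"{fields['Host Name']} runs {fields['OS Name']} ({fields['OS Version']})")
    print("hotfixes from systeminfo:", hotfixes)
    print("hotfixes from wmic qfe:  ", parse_wmic_qfe(WMIC_QFE_SAMPLE))
    print("missing from baseline:   ", patch_gaps(hotfixes, REQUIRED_BASELINE))
```

Note that the two sources do not necessarily agree: `wmic qfe` only yields a KB number when the caption contains one, so the `systeminfo` hotfix list is the more complete of the two here and the script compares the baseline against it.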
## Users

To know who you are, you can run **whoami**; moreover, to know what privileges you hold, you can use **whoami /priv**.

You can view users by running **net user**.

```
C:\>net user

User accounts for \\WIN-SERVER-CLI

-------------------------------------------------------------------------------
Administrator            DefaultAccount           Guest
michael                  peter                    strategos
WDAGUtilityAccount
The command completed successfully.
```

You can list the users that belong to the local administrators group using the command **net localgroup administrators**.

Use **net accounts** to see the local account settings on a machine; moreover, you can use **net accounts /domain** if the machine belongs to a domain. This command helps you learn about the password policy, such as minimum password length, maximum password age, and lockout duration.

## Networking

You can use the **ipconfig** command to learn about your system's network configuration.

On MS Windows, we can use **netstat** to get various information, such as which ports the system is listening on, which connections are active, and who is using them.

You might think that you can get an identical result by port scanning the target system; however, this is inaccurate for two reasons. First, a firewall might be blocking the scanning host from reaching specific network ports. Second, port scanning a system generates a considerable amount of traffic, unlike netstat, which generates no network traffic at all.

Finally, it is worth mentioning that using **arp -a** helps you discover other systems on the same LAN that recently communicated with your system. ARP stands for Address Resolution Protocol; **arp -a** shows the current ARP entries, i.e., the physical addresses of the systems on the same LAN that communicated with your system. An example output is shown below. This indicates that these IP addresses have communicated somehow with our system; the communication can be an attempt to connect or even a simple ping. Note that 10.10.255.255 does not represent a system, as it is the subnet broadcast address.
```
C:\>arp -a

Interface: 10.10.204.175 --- 0x4
  Internet Address      Physical Address      Type
  10.10.0.1             02-c8-85-b5-5a-aa     dynamic
  10.10.16.117          02-f2-42-76-fc-ef     dynamic
  10.10.122.196         02-48-58-7b-92-e5     dynamic
  10.10.146.13          02-36-c1-4d-05-f9     dynamic
  10.10.161.4           02-a8-58-98-1a-d3     dynamic
  10.10.217.222         02-68-10-dd-be-8d     dynamic
  10.10.255.255         ff-ff-ff-ff-ff-ff     static
```
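Both the `net user` listing in the Users section and the `arp -a` table above mix rows that matter with rows that do not: default accounts sit next to ones added after installation, and the broadcast entry sits next to hosts that really answered. The Python script below is an added example, not code from the original page; it parses both listings (embedded as constructed strings; the multicast row `224.0.0.22` in the ARP sample is added here, the rest is the page's output) and separates the two. It goes slightly beyond the text: instead of special-casing 10.10.255.255, it drops every row whose MAC has the group bit set, which removes multicast entries as well as the subnet broadcast.

```python
import re

# Default local accounts on a Windows Server install; anything else in the
# listing was created after setup and is the part worth reviewing.
BUILTIN_LOCAL_ACCOUNTS = {"Administrator", "DefaultAccount", "Guest", "WDAGUtilityAccount"}

# Constructed sample: the "net user" listing shown in the Users section.
NET_USER_SAMPLE = r"""
User accounts for \\WIN-SERVER-CLI

-------------------------------------------------------------------------------
Administrator            DefaultAccount           Guest
michael                  peter                    strategos
WDAGUtilityAccount
The command completed successfully.
"""

# Constructed sample: the "arp -a" table shown above, plus one multicast row
# (224.0.0.22 / 01-00-5e-...) of the kind Windows also lists as static.
ARP_SAMPLE = """\
Interface: 10.10.204.175 --- 0x4
  Internet Address      Physical Address      Type
  10.10.0.1             02-c8-85-b5-5a-aa     dynamic
  10.10.16.117          02-f2-42-76-fc-ef     dynamic
  10.10.122.196         02-48-58-7b-92-e5     dynamic
  10.10.146.13          02-36-c1-4d-05-f9     dynamic
  10.10.161.4           02-a8-58-98-1a-d3     dynamic
  10.10.217.222         02-68-10-dd-be-8d     dynamic
  10.10.255.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

IPV4 = r"\d+\.\d+\.\d+\.\d+"
IFACE_RE = re.compile(rf"^Interface:\s+({IPV4})")
ENTRY_RE = re.compile(
    rf"^\s*({IPV4})\s+([0-9a-f]{{2}}(?:-[0-9a-f]{{2}}){{5}})\s+(\w+)\s*$", re.I
)


def parse_net_user(text):
    """Account names sit in up to three columns between the dashed rule and the trailer."""
    names, in_table = [], False
    for line in text.splitlines():
        if line.startswith("----"):
            in_table = True
        elif line.startswith("The command completed"):
            break
        elif in_table:
            names.extend(line.split())
    return names


def added_accounts(names):
    """Accounts that are not part of the default set."""
    return [n for n in names if n not in BUILTIN_LOCAL_ACCOUNTS]


def parse_arp(text):
    """Map each interface address to its (ip, mac, type) rows."""
    tables, current = {}, None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            tables[current] = []
            continue
        m = ENTRY_RE.match(line)
        if m and current is not None:
            tables[current].append((m.group(1), m.group(2).lower(), m.group(3).lower()))
    return tables


def live_neighbours(rows):
    """Dynamic rows with a unicast MAC, i.e. hosts that actually answered ARP.

    Broadcast (ff-ff-ff-ff-ff-ff) and multicast (01-00-5e-...) MACs have the
    group bit, the lowest bit of the first octet, set; those rows are dropped
    regardless of their IP, so the check is not tied to one subnet.
    """
    return [ip for ip, mac, typ in rows
            if typ == "dynamic" and not int(mac.split("-")[0], 16) & 1]


if __name__ == "__main__":
    print("accounts added after install:", added_accounts(parse_net_user(NET_USER_SAMPLE)))
    for iface, rows in parse_arp(ARP_SAMPLE).items():
        print(f"{iface}: {len(rows)} ARP entries, hosts seen: {live_neighbours(rows)}")
```

The `type` column is checked as well as the group bit: a static entry with a unicast MAC is a manually configured mapping, not evidence that the host recently talked to you, so it is not reported as a neighbour.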