Sunday, October 4, 2009

Enumerating Windows Information

After you have gained access to a box, the first thing you want to do as a pen tester is obtain as much information about the machine/network as possible. Here is a list of commands that enumerate host/network information from a Windows machine. They are typed at a cmd.exe prompt and apply to Windows XP/Vista/7 unless stated otherwise.

Operating System Details

> ver

> systeminfo

Who are you logged in as

> set username

Which domain the logged-in user belongs to (for a local account this is just the machine name; the machine's own domain or workgroup membership is on the "Domain:" line of systeminfo)

> set userdomain

What is the machine called

> set computername

Vista/7 only (whoami is built in from Vista onwards; on XP it is only present if the Support Tools are installed). Running it with /all also lists the account's SID, group memberships and privileges

> whoami

List user groups on the system

> net localgroup

List users on the machine

> net user

List users in administrative group

> net localgroup administrators

View all logical drives on the system (the providername column shows the UNC path behind each mapped network drive)

> wmic logicaldisk get caption,description,providername

List listening ports and active connections, with the PID of the owning process (feed the PID to tasklist below to identify it)

> netstat -nao

See which other machines on the local subnet the system has recently communicated with (the ARP cache)

> arp -a

View what directories are currently being shared

> net share

View firewall configuration (the legacy netsh firewall context, available from XP SP2; deprecated in Windows 7 in favour of advfirewall)

> netsh firewall show config

Vista/7 only (the advfirewall context; pipe through more, since the full rule list is long)

> netsh advfirewall firewall show rule name=all | more

Restrict the listing to inbound or outbound rules with dir=in or dir=out

> netsh advfirewall firewall show rule name=all dir=in

NOTE: For more information on this command please see:

View all currently running processes

> tasklist

Find a specific task through Process ID (PID), where x is an arbitrary PID

> tasklist /fi "pid eq x"

Or filter the plain listing with find (quote the pattern; find is case-sensitive unless given /i)

> tasklist | find "x"

Find tasks running under a specific user, where x is an arbitrary username

> tasklist /fi "username eq x"
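Looking up the owner of each port from netstat -nao with one tasklist /fi "pid eq x" per PID gets tedious on a real box, so in practice you save both listings to text files and join them offline. The script below is an added example, not code from the original post: it parses saved netstat -nao output and tasklist output saved with the standard /v /fo csv switches, joins them on PID, and reports every listener and established connection with the image name and user behind it (plus the same username filter tasklist /fi applies). Both samples are constructed to match the real column layout and are not captured from a host; the PID with no tasklist row is there on purpose, since a process can exit between the two commands.

```python
"""Offline triage of saved `netstat -nao` and `tasklist /v /fo csv` output.
Added example, not code from the original post: joins the two listings on
PID so each listening port / live connection carries the owning image and
user, instead of running `tasklist /fi "pid eq x"` by hand for every PID."""
import csv
import io
from collections import namedtuple

# Constructed sample in the column layout `netstat -nao` prints.
# PID 9999 deliberately has no tasklist row (process exited between the two
# commands); the join must tolerate that instead of crashing.
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1204
  TCP    0.0.0.0:5357           0.0.0.0:0              LISTENING       9999
  TCP    192.168.1.10:49158     192.168.1.50:445       ESTABLISHED     4
  TCP    192.168.1.10:49170     203.0.113.7:443        ESTABLISHED     2960
  TCP    [::]:135               [::]:0                 LISTENING       880
  UDP    0.0.0.0:123            *:*                                    1108
  UDP    127.0.0.1:1900         *:*                                    1332
"""

# Constructed sample in the layout `tasklist /v /fo csv` prints. Raw string
# because the user names contain backslashes.
TASKLIST_SAMPLE = r"""
"Image Name","PID","Session Name","Session#","Mem Usage","Status","User Name","CPU Time","Window Title"
"System","4","Services","0","1,234 K","Unknown","NT AUTHORITY\SYSTEM","0:00:10","N/A"
"svchost.exe","880","Services","0","7,890 K","Unknown","NT AUTHORITY\SYSTEM","0:00:01","N/A"
"svchost.exe","1108","Services","0","3,456 K","Unknown","NT AUTHORITY\LOCAL SERVICE","0:00:00","N/A"
"svchost.exe","1204","Services","0","5,678 K","Unknown","NT AUTHORITY\NETWORK SERVICE","0:00:00","N/A"
"svchost.exe","1332","Services","0","2,345 K","Unknown","NT AUTHORITY\LOCAL SERVICE","0:00:00","N/A"
"explorer.exe","2200","Console","1","25,000 K","Running","CORP\jdoe","0:00:05","N/A"
"firefox.exe","2960","Console","1","90,000 K","Running","CORP\jdoe","0:01:02","Mozilla Firefox"
"""

# state is "" for UDP rows, which have no State column in netstat output
Conn = namedtuple("Conn", "proto local_host local_port remote state pid")
Task = namedtuple("Task", "pid image user")


def split_endpoint(endpoint):
    """'192.168.1.10:49158' -> ('192.168.1.10', 49158); rsplit keeps '[::]:135' intact."""
    host, port = endpoint.rsplit(":", 1)
    return host, int(port)


def parse_netstat(text):
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue  # banner, blank and column-header lines
        if parts[0] == "TCP":
            state, pid = parts[3], parts[4]
        else:
            state, pid = "", parts[3]
        host, port = split_endpoint(parts[1])
        conns.append(Conn(parts[0], host, port, parts[2], state, int(pid)))
    return conns


def parse_tasklist_csv(text):
    rows = csv.DictReader(io.StringIO(text.strip()))
    return {int(r["PID"]): Task(int(r["PID"]), r["Image Name"], r["User Name"]) for r in rows}


def owner(tasks, pid):
    t = tasks.get(pid)
    return (t.image, t.user) if t else ("<no tasklist row>", "<unknown>")


def listeners(conns, tasks):
    """TCP sockets in LISTENING state plus every bound UDP socket, with owner."""
    out = []
    for c in conns:
        if c.proto == "TCP" and c.state != "LISTENING":
            continue
        image, user = owner(tasks, c.pid)
        out.append({"proto": c.proto, "host": c.local_host, "port": c.local_port,
                    "pid": c.pid, "image": image, "user": user})
    return sorted(out, key=lambda r: (r["proto"], r["port"], r["host"]))


def established_peers(conns, tasks):
    """Remote hosts with a live TCP session, and the local process holding it."""
    peers = {(split_endpoint(c.remote)[0], owner(tasks, c.pid)[0], c.pid)
             for c in conns if c.proto == "TCP" and c.state == "ESTABLISHED"}
    return sorted(peers)


def tasks_for_user(tasks, user):
    """Image names running as `user`; the same filter as tasklist /fi "username eq x"."""
    return sorted(t.image for t in tasks.values() if t.user.lower() == user.lower())


if __name__ == "__main__":
    conns, tasks = parse_netstat(NETSTAT_SAMPLE), parse_tasklist_csv(TASKLIST_SAMPLE)
    for r in listeners(conns, tasks):
        print(f"{r['proto']:3} {r['host']}:{r['port']:<5} pid={r['pid']:<5} {r['image']:<18} {r['user']}")
    for host, image, pid in established_peers(conns, tasks):
        print(f"peer {host} via {image} (pid {pid})")
```

Both parsers key on the real column layout (TCP rows carry a State column, UDP rows do not, and IPv6 locals such as [::]:135 are split from the right), so the same functions work on files redirected from the live commands with > on the target.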

For more information on information gathering/windows forensics, check out: