Enumeration

1. Enumerating System Information

Gather basic system information:

systeminfo
sysinfo
wmic qfe get Caption,Description,HotFixID,InstalledOn

• systeminfo: Displays OS version, architecture, and patches.

• sysinfo: Similar, used within Meterpreter.

• wmic qfe get ...: Lists installed Windows updates.

---

2. Enumerating Users & Groups

Meterpreter Commands:

getuid          # Get current user
getprivs        # Get available privileges
background      # Background current session
use post/windows/gather/enum_logged_on_users
set SESSION 1
run
sessions 1
shell

Windows Commands:

whoami
whoami /priv        # Check user privileges
net users           # List all users
net user administrator  # Check admin user details
net localgroup
net localgroup administrators

• whoami /priv: Identifies privilege escalation vectors.

• net users: Lists local user accounts.

• net localgroup administrators: Checks administrator group members.

---

3. Enumerating Network Information

ipconfig             # Show basic network details
ipconfig /all        # Show detailed network config (DNS, DHCP, MAC)
route print          # Display routing table
arp -a              # Show ARP cache (connected hosts)
netstat -ano        # Show active network connections and listening ports

• ipconfig /all: Useful for finding internal IPs, gateways, and DNS servers.

• netstat -ano: Identifies open ports and associated processes.

---

4. Enumerating Processes & Services

pgrep explorer.exe    # Find Explorer.exe process ID (on Linux-like shells)
migrate 2252          # Migrate to another process (in Meterpreter)
net start             # List running services
wmic service list brief  # Summarize running services
tasklist /SVC         # List processes and services
schtasks /query /fo LIST  # List scheduled tasks

• migrate 2252: Used to migrate Meterpreter session to a stable process.

• schtasks /query /fo LIST: Identifies scheduled tasks (potential persistence methods).

---

5. Automating Windows Local Enumeration

1. Enumerate Privileges

Checks the privileges of the current session to identify potential privilege escalation opportunities.

use post/windows/gather/win_privs
set SESSION 1
run

• Identifies high-privilege rights (e.g., SeDebugPrivilege, SeImpersonatePrivilege).

• Helps determine if the session can escalate privileges.

---

2. Enumerate Logged-On Users

Lists all users currently logged into the system.

use post/windows/gather/enum_logged_on_users
set SESSION 1
run

• Useful for identifying target accounts for credential theft.

• Helps in planning privilege escalation or lateral movement.

---

3. Check if the System is a Virtual Machine (VM)

Determines whether the compromised system is running inside a virtual environment.

use post/windows/gather/checkvm
set SESSION 1
run

• Helps attackers evade sandbox environments and avoid detection.

• Identifies Hyper-V, VMware, VirtualBox, or cloud-based VMs.

---

4. Enumerate Installed Applications

Lists all installed applications on the system.

use post/windows/gather/enum_applications
set SESSION 1
run

• Helps identify security software, vulnerable applications, or useful tools.

• May reveal password managers, remote access tools, or exploits.

---

5. Enumerate Computers in the Network

Gathers information about other computers in the same Windows domain or workgroup.

use post/windows/gather/enum_computers
set SESSION 1
run

• Useful for network reconnaissance and lateral movement.

• Identifies potential targets for further exploitation.

---

6. Enumerate Network Shares

Lists all network shares accessible from the compromised system.

use post/windows/gather/enum_shares
set SESSION 1
run

• Identifies shared files and folders that may contain sensitive data.

• Helps in data exfiltration or privilege escalation.