~/Enumeration/Windows#

Callable methods.

wmic [alias] call /?

Process

wmic process list full

Launching WMIC

wmic startupwmic service

Domain information

wmic ntdomain list

List all patches

wmic qfe

Logical partitions

wmic logicaldisk get descriptionname

Query processor data length (32 bit 64 bit)

wmic cpu get DataWidth /format:list

DNS Host

C:\Windows\System32\drivers\etc\hosts

Network Settings

C:\Windows\System32\drivers\etc\networks

Password Hashes of Local Users

C:\Windows\System32\config\SAM

Application Logs

C:\Windows\system32\config\AppEvent.Evt

Security Logs

C:\Windows\System32\config\SecEvent.Evt

Location of Automatic Applications

%ALLUSERSPROFILE%\Start Menu\Programs\Startup\

Operating system version

ver

Services

sc query state=all

Running Process & Services

tasklist /svc

All Process and DLLs

tasklist /m

Remote Process List

tasklist /S ip /v

Forcing the process to close

taskkill /PID pid /F

Remote system information

systeminfo /S ip /U domain\user /P Pwd

Remote registry query

reg query\\ ip \ RegDomain \ Key /v

Searching for passwords in the registry

reg query HKLM /f password /t REG SZ /s

List drivers

fsutil fsinfo drives -

Search All Excel Files

dir /a /s /b c:\'.xls'

Search all patches

dir /a /b c:\windows\kb'

Searching for passwords in files

findstr /si password' .txt I '.xmll '.xls

C: directory listing for directory

tree /F /A c:\ tree.txt

Export the SECURITY hive to a file

reg save HKLl~\Security security.hive

Current user account

echo %USERNAME%

IP information

ipconfig / all

Local DNS cache

ipconfig /displaydns

Open connections

netstat -ana

Netstat loop

netstat -anop tcp 1

Listening ports

netstat -ani findstr LISTENING

Routing table 

route print

ARP table 

arp -a

DNS Zone

nslookup set type=any ls -d domain

Domain SRV lookup 

nslookup -type=SRV _www._tcp.url.com tftp -I ip GET remotefile

Saving the wireless profile

netsh wlan show profiles

Firewall disable 

netsh firewall set opmode disable

Extract wifi passwords in clear text

netsh wlan export profile folder=. key=clear

List Interfaces 

netsh interface ip show interfaces

Change IP

netsh interface ip set address local static ip nmask gw ID

Change DNS server

netsh interface ip set dns local static ip

Changing the interface with DHCP

netsh interface ip set address local dhcp

Workstation Lockdown

rundll32.dll user32.dll LockWorkstation

Firewall disable

netsh advfirewall set currentprofile state off

Port Forwarding

netsh interface portproxy add v4tov4 listenport=3000 listenaddress=l.l.l.l connectport=4000 connectaddress=2.2.2.2

CMD activation

reg add HKCU\Software\Policies\t1icrosoft\Windows\System /v DisableCMD /t REG DWORD /d 0 /f

List features

wmic [alias] get /?

Callable methods

wmic [alias] call /?

Processes

wmic process list full

Launching WMIC

wmic startupwmic service

Domain information

wmic ntdomain list

Network Settings

C:\Windows\System32\drivers\networks

Password Hashes of Local Users

C:\Windows\System32\config\SAM

Application Logs

C:\Windows\system32\config\AppEvent.Evt

Security Logs

C:\Windows\system32\config\SecEvent.Evt

Logical partitions

wmic logicaldisk get descriptionname

DNS Host

C:\Windows\System32\drivers\etc\hosts

Forward port 80 to local port 4444

fpipe.exe -l 4444 -r 80 x.x.x.x

Listening to port 80 with socat local port 4444

socat TCP4:LISTEN:4444 TCP4:x.x.x.x:80