
Footprinting Windows

System Information

systeminfo

If systeminfo doesn't display hotfixes, they may be queryable through WMI using the WMIC (WMI command-line) binary with the QFE (Quick Fix Engineering) class, which lists installed patches.

# In cmd
wmic qfe

# With PowerShell
Get-HotFix | ft -AutoSize

Tasklist: Using the tasklist command to look at running processes will give us a better idea of what applications are currently running on the system.

tasklist /svc

It is essential to become familiar with standard Windows processes such as the Session Manager Subsystem (smss.exe), Client Server Runtime Subsystem (csrss.exe), WinLogon (winlogon.exe), Local Security Authority Subsystem Service (lsass.exe), and Service Host (svchost.exe), among others.

Environment variables:

# In cmd
set

In addition to the PATH, set can also give up other helpful information such as the HOMEDRIVE. In enterprises, this will often be a file share; navigating to the file share itself may reveal other directories that can be accessed.

# Print path
PATH

Installed programs:

# With cmd
wmic product get name

# With PowerShell
Get-WmiObject -Class Win32_Product | select Name, Version

Both commands query the Win32_Product class, which makes Windows Installer run a consistency check on every MSI-installed package; the query is slow and writes MsiInstaller events (for example Event ID 1035) to the Application event log.

Interface(s), IP Address(es), DNS Information

ipconfig /all

# ARP Table
arp -a

# Routing Table
route print

Users and groups

# Logged-In Users
query user

# Current User with cmd
echo %USERNAME%

# Current User with cmd and powershell
whoami

# Current User Privileges with cmd and powershell
whoami /priv

# Current User Group Information in cmd and powershell
whoami /groups

# Get All Users
net user

# Get All Groups
net localgroup

# Details About a Group
net localgroup administrators

# Get Password Policy & Other Account Information
net accounts

Enumerating Protections

Many organizations utilize some sort of application whitelisting solution to control what types of applications and files certain users can run. This may be used to attempt to block non-admin users from running cmd.exe or powershell.exe or other binaries and file types not needed for their day-to-day work. A popular solution offered by Microsoft is AppLocker. We can use the Get-AppLockerPolicy cmdlet to enumerate the local, effective (enforced), and domain AppLocker policies.

Some EDR tools detect on or even block usage of common binaries such as net.exe, tasklist, etc.

Check Windows Defender Status

Get-MpComputerStatus

List AppLocker Rules

Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections

Test AppLocker Policy

Get-AppLockerPolicy -Local | Test-AppLockerPolicy -path C:\Windows\System32\cmd.exe -User Everyone

Processes

Display Active Network Connections with Owning Process IDs:

# With Netstat
netstat -ano

The main thing to look for with Active Network Connections are entries listening only on loopback addresses (127.0.0.1 and ::1) rather than on the host's IP address (10.129.43.8) or on all interfaces (0.0.0.0, ::/0); such services are reachable from local processes but never show up in a network scan.
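As an added example (not part of the original notes), this PowerShell script applies the loopback-versus-all-interfaces check from the paragraph above using Get-NetTCPConnection instead of parsing netstat text, and resolves each listener to its owning process name; it assumes Windows 8 / Server 2012 or later, where the NetTCPIP module is available.

```powershell
# Added example, not from the original notes. Requires the NetTCPIP module
# (Windows 8 / Server 2012 and later) for Get-NetTCPConnection.

# Classify a listening socket by the address it is bound to.
function Get-ListenerScope {
    param([Parameter(Mandatory)][string]$Address)
    switch -Regex ($Address) {
        '^(127\.0\.0\.1|::1)$' { 'Loopback only'; break }
        '^(0\.0\.0\.0|::)$'    { 'All interfaces'; break }
        default                { 'Specific interface' }
    }
}

# List every listening TCP socket with its scope and owning process.
function Get-ListeningPorts {
    # Build a PID -> process name map once instead of calling Get-Process per socket.
    $procs = @{}
    Get-Process | ForEach-Object { $procs[$_.Id] = $_.ProcessName }

    Get-NetTCPConnection -State Listen | ForEach-Object {
        $pid_ = [int]$_.OwningProcess
        [pscustomobject]@{
            LocalAddress = $_.LocalAddress
            LocalPort    = $_.LocalPort
            Scope        = Get-ListenerScope -Address $_.LocalAddress
            PID          = $pid_
            Process      = if ($procs.ContainsKey($pid_)) { $procs[$pid_] } else { '<unknown>' }
        }
    } | Sort-Object Scope, LocalPort -Unique
}

# Loopback-only listeners are printed first: they are invisible to a network
# scan but reachable from any local process, so they are the ones to review.
Get-ListeningPorts | Format-Table -AutoSize
```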

Nmap and TTL

Nmap script

# To determine the OS
sudo nmap -v -O $ip

# To see banners of existing open ports
sudo nmap -v $ip --script banner.nse

TTL technique: read the Time To Live (TTL) value in the ICMP echo reply when pinging a host, both to determine whether the host is up and to infer its operating system.

ping $ip

A typical response from a Windows host will either be 32 or 128. We can utilize this value since most hosts will never be more than 20 hops away from your point of origin, so there is little chance of the TTL counter dropping into the acceptable values of another OS type. More at https://subinsb.com/default-device-ttl-values/.

Last update: 2025-02-23
Created: October 20, 2024 18:03:15