System (Windows)
Post

System (Windows)

System information

1
2
systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type" 
systeminfo | findstr /C:"sistema" #Español

Installed updates

1
wmic qfe get Caption, Description

Installed Services

1
net start

Installed Apps

1
wmic product get name,version,vendor

Installed Executables

1
dir /s /b *.exe | findstr /v .exe.

Useful paths:

1
2
3
c:\windows\system32\drivers\etc\hosts
C:\Windows\win.ini
C:\xampp\php\php.ini

Enumerating Readable/Writable Files and Directories

Accesschk (Windows Internals) You need to first move Accesschk to the victim machine. If this file were to be executed by a privileged user or a service account, we could attempt to overwrite it with a malicious file of our choice, such as a reverse shell, in order to elevate our privileges.

1
accesschk.exe /accepteula -uws "Everyone" "C:\Program Files"

Powershell We can also accomplish the same goal using PowerShell. This is useful in situations where we may not be able to transfer and execute arbitrary binary files on our target system.

1
Get-ChildItem "C:\Program Files" -Recurse | Get-ACL | ?{$_.AccessToString -match "Everyone\sAllow\s\sModify"}

Enumerating Unmounted Disks

1
mountvol

Enumerating Device Drivers and Kernel Modules

On Windows, we can begin our search with the driverquery command. We’ll supply the /v argument for verbose output as well as /fo csv to request the output in CSV format.

1
2
3
c:\Users\student>powershell

PS C:\Users\student> driverquery.exe /v /fo csv | ConvertFrom-CSV | Select-Object Display Name, Start Mode, Path

While this produced a list of loaded drivers, we must take another step to request the version number of each loaded driver.

1
PS C:\Users\student> Get-WmiObject Win32_PnPSignedDriver | Select-Object DeviceName, DriverVersion, Manufacturer | Where-Object {$_.DeviceName -like "*VMware*"}

Now that we have a list of all the loaded device drivers along with the respective version numbers, we could search for exploits for these specific drivers.