Generic info


Invoke-HostEnum (HostEnum.ps1): the -All switch performs -Local, -Domain and -Privesc

. .\HostEnum.ps1
Invoke-HostEnum -Local -HTMLReport

Graphical session

compmgmt.msc /computer=<computername|fqdn>


whoami & hostname & ipconfig /all & net user /domain 2>&1 & net group /domain 2>&1 & net group "domain admins" /domain 2>&1 & net group "Exchange Trusted Subsystem" /domain 2>&1 & net accounts /domain 2>&1 & net user 2>&1 & net localgroup administrators 2>&1 & netstat -an 2>&1 & tasklist 2>&1 & sc query 2>&1 & systeminfo 2>&1 & reg query "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" 2>&1 & net view & net view /domain & net user %USERNAME% /domain & nltest /dclist & gpresult /z


wmic os get bootdevice, buildnumber, caption, freespaceinpagingfiles, installdate, name, systemdrive, windowsdirectory
net config workstation



List disks / shares

wmic logicaldisk get name, deviceid, volumename, description
get-psdrive -psprovider filesystem
fsutil fsinfo drives
wmic share list

Remote share listing

net view \\<hostname|ip> /all


wmic environment list
echo %PATH%


arp -a
ipconfig /all
route print
netstat -ano
netsh interface ip show addresses
netsh interface ip show route
netsh interface ip show neighbors

Firewall status (netsh firewall is the legacy context, XP SP2 up to Windows 7, and is deprecated; on Vista and later use the netsh advfirewall context)

netsh firewall show state
netsh firewall show config
netsh advfirewall firewall show rule all

Users / Groups / Password policy / RDP Sessions

qwinsta [/server:<host>]
query user
wmic useraccount list brief
net users
nltest /user:"<username>"
net accounts (/domain)
net localgroup (/domain)
wmic group list brief
wmic sysaccount list
whoami /priv

Am I administrator?

net localgroup administrators
whoami /groups
wmic useraccount where "LocalAccount = true"

In whoami /groups look for BUILTIN\Administrators (S-1-5-32-544); under UAC a non-elevated admin token shows it with "Group used for deny only", and the Mandatory Label line (High vs Medium) tells whether the current process is elevated. The wmic line lists local accounts only; cross it with net localgroup administrators to see which of them are admins.
PowerView: Get-NetLocalGroupMember
PowerUp: Get-CurrentUserTokenGroupSid
Seatbelt: seatbelt.exe LocalGroupMembers
SharpUp: SharpUp.exe

List all usernames (Meterpreter, extapi extension)


load extapi
adsi_user_enum <domain_name>

List administrators


List all information about a specific user

For the current user use: $env:USERNAME


List users (First name, Last name, Mobile phone)

Attribute names are the AD LDAP attribute names (givenname, sn, mobile, ...); the filter below only prints users that have a mobile number set

([adsisearcher]"(&(objectClass=User)(samaccountname=*))").FindAll().Properties | ForEach-Object{ if ($_.mobile -ne $null){ Write-Host $_.givenname $_.sn $_.mobile }}

List all groups with description

([adsisearcher]"(&(objectClass=group)(samaccountname=*))").FindAll().Properties | % { Write-Host $_.samaccountname : $_.description }
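The three [adsisearcher] queries above (all attributes of one user, name/surname/mobile of every user, groups with description) differ only in filter and attribute list. The following is an added example, not code from the original page: one wrapper that takes an LDAP filter, escapes user-supplied values, pages the search so more than 1000 objects come back, and returns objects instead of Write-Host text. It assumes a domain-joined host whose current user can bind to the default naming context; the function names are mine.

```powershell
# Added example (not from the original page): [adsisearcher] wrapper for the
# user/group queries above. Assumes a domain-joined host; no explicit DC or creds.
function Search-Adsi {
    param(
        [Parameter(Mandatory)][string]$LdapFilter,
        [string[]]$Properties = @(),   # empty = every attribute the DC returns
        [int]$PageSize = 1000          # paged search, otherwise results stop at 1000
    )
    $searcher = [adsisearcher]$LdapFilter
    $searcher.PageSize = $PageSize
    foreach ($p in $Properties) { [void]$searcher.PropertiesToLoad.Add($p) }

    foreach ($result in $searcher.FindAll()) {
        $obj = [ordered]@{}
        foreach ($name in $result.Properties.PropertyNames) {
            $values = @($result.Properties[$name])
            # single-valued attributes become scalars, multi-valued (memberof...) stay arrays
            $obj[$name] = if ($values.Count -eq 1) { $values[0] } else { $values }
        }
        [pscustomobject]$obj
    }
}

# RFC 4515 escaping so a username containing ( ) * \ cannot alter the filter
function ConvertTo-LdapEscaped([string]$Value) {
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
}

# All attributes of one user (the current user by default)
$sam = ConvertTo-LdapEscaped $env:USERNAME
Search-Adsi "(&(objectClass=user)(samaccountname=$sam))" | Format-List *

# First name, last name, mobile for every user that has a mobile number
Search-Adsi "(&(objectClass=user)(mobile=*))" -Properties givenname, sn, mobile |
    Select-Object givenname, sn, mobile

# Groups with their description
Search-Adsi "(&(objectClass=group)(samaccountname=*))" -Properties samaccountname, description |
    Select-Object samaccountname, description
```

Because the results are objects, they pipe into Where-Object, Export-Csv or ConvertTo-Json directly; memberof, for example, comes back as a string array rather than a flattened line.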

Kerberos user enumeration

nmap <ip> -p 88 --script krb5-enum-users --script-args krb5-enum-users.realm='<realm>'

List logged-on users

wmic /node:<ip|@list_ip.txt> path win32_loggedonuser get antecedent

RDP sessions

quser /server:<servername>

Find files

Each command searches recursively below the given path; the file name accepts wildcards (e.g. *.config)

dir /b /s C:\<file>
ls -r C:\ <file> 2>$null | % { echo $_.fullname }
where /R c:\ <file>

Hidden files and directories

dir /ah

Print content file

ls -r C:\ <file> 2>$null | % { gc $_.fullname }

Find keyword

findstr /N /S /I "<keyword>" C:\<base_dir>\[*.ext]
ls -r C:\<base_dir> | % { Select-String -Path $_ -Pattern <keyword> } 2>$null
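The "Find files" and "Find keyword" one-liners above are what you type interactively; on a large drive they are noisy (access-denied errors) and slow on big binaries. The block below is an added example, not code from the original page: it combines both searches into one function that skips unreadable paths and oversized files, includes hidden files, and returns path/line/text objects. The default patterns, keywords and root path are illustrative assumptions.

```powershell
# Added example (not from the original page): name + keyword search in one pass.
# Default patterns/keywords/root are assumptions, adjust per engagement.
function Find-InterestingFiles {
    param(
        [string]$Root = 'C:\',
        [string[]]$NamePatterns = @('*.config', '*.ini', '*.xml', '*.txt', '*.ps1', '*.bat', '*unattend*', '*.rdp'),
        [string[]]$Keywords = @('password', 'passwd', 'pwd=', 'connectionstring', 'secret', 'apikey'),
        [int]$MaxSizeMB = 5
    )
    # One alternation regex, escaped so "pwd=" and friends match literally
    $regex = ($Keywords | ForEach-Object { [regex]::Escape($_) }) -join '|'

    # -Force includes hidden files (the dir /ah case above); errors from unreadable
    # directories are dropped instead of flooding the console
    Get-ChildItem -Path $Root -Recurse -File -Include $NamePatterns -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Length -le $MaxSizeMB * 1MB } |      # skip huge logs / binaries
        ForEach-Object {
            $file = $_
            # Select-String is case-insensitive by default and yields one object per matching line
            Select-String -LiteralPath $file.FullName -Pattern $regex -ErrorAction SilentlyContinue |
                ForEach-Object {
                    [pscustomobject]@{
                        Path = $file.FullName
                        Line = $_.LineNumber
                        Text = $_.Line.Trim()
                    }
                }
        }
}

# Usage: keyword hits under the user profiles, saved for offline review
Find-InterestingFiles -Root 'C:\Users' | Export-Csv -NoTypeInformation .\hits.csv
```

Restrict -Root to C:\Users, C:\inetpub or %ProgramData% first; a full C:\ walk on a busy file server can take a long time and leaves a very visible read pattern in any file-access auditing.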


List processes

wmic process list brief

With commandline

wmic path win32_process get Caption,Processid,Commandline


Start a process

wmic process call create <command>


Kill a process

wmic process where processid="<pid>" delete
wmic process where name="<process_name>" delete


PowerShell code to determine if file is .NET (throws an exception if not)

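The snippet this heading refers to is not on the page. As an added example (not the original author's code), the check below uses [System.Reflection.AssemblyName]::GetAssemblyName, which only reads the PE metadata and throws BadImageFormatException for a native binary, so catching that exception is the test. The C:\Tools path in the usage line is an assumption.

```powershell
# Added example (not from the original page): is this PE a managed (.NET) assembly?
function Test-DotNetAssembly {
    param([Parameter(Mandatory)][string]$Path)
    $full = (Resolve-Path -LiteralPath $Path).ProviderPath   # throws if the file is missing
    try {
        # Reads the CLR metadata header without loading or executing the file
        $name = [System.Reflection.AssemblyName]::GetAssemblyName($full)
        [pscustomobject]@{ Path = $full; IsDotNet = $true;  Assembly = $name.FullName }
    } catch [System.BadImageFormatException] {
        # Native PE (or not a PE at all)
        [pscustomobject]@{ Path = $full; IsDotNet = $false; Assembly = $null }
    }
}

# Usage: which executables under an (assumed) tools directory are managed code
Get-ChildItem -Path 'C:\Tools' -Filter *.exe -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object { Test-DotNetAssembly $_.FullName }
```

The Assembly column carries name, version, culture and public key token, which is enough to spot a known tool that has merely been renamed.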

Scheduled jobs

schtasks /query /fo LIST /v


Services

sc can be run against a remote host over an administrative SMB/RPC session (local admin on the target is required) by prepending \\<targetIP>
Example: sc \\<targetIP> query

List all running services

sc query
sc query | find /i "<service_name>"
wmic service where started=true get name, startname
net start

Link processes to services

tasklist /SVC

List all services

sc query state= all
sc query state= all | find /i "<service_name>"

Show service detail

sc qc <service_name>

Start and stop a service

sc start <service_name>
sc stop <service_name>

If the service's start type is disabled, change it to demand (manual) before starting it

sc config <service_name> start= demand
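The sc/wmic lines above answer one question each. The block below is an added example, not code from the original page: it lists services as objects (name, state, start mode, account, binary path) via Win32_Service and flags two things worth a second look during enumeration, services running under a named account rather than a built-in one, and binary paths that are unquoted and contain a space. The function name and the heuristic for locating the executable inside PathName are mine.

```powershell
# Added example (not from the original page): service overview with two flags.
function Get-ServiceOverview {
    param([string]$ComputerName = $env:COMPUTERNAME)   # remote hosts need admin + WinRM/DCOM

    $builtin = 'LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService'

    Get-CimInstance -ClassName Win32_Service -ComputerName $ComputerName | ForEach-Object {
        $path = [string]$_.PathName
        # Executable part of PathName: everything up to the first ".exe" (assumption: no
        # argument contains ".exe"); arguments after it do not affect path parsing
        $exe = if ($path -match '^(.*?\.exe)') { $Matches[1] } else { $path }
        # Unquoted path with a space: the SCM tries C:\Program.exe, C:\Program Files\Some.exe, ...
        $unquoted = ($path -notmatch '^"') -and ($exe -match '\s')
        $account = [string]$_.StartName
        $custom = $account -and ($builtin -notcontains $account) -and ($account -notlike 'NT SERVICE\*')

        [pscustomobject]@{
            Name          = $_.Name
            State         = $_.State
            StartMode     = $_.StartMode
            StartName     = $account
            PathName      = $path
            CustomAccount = $custom
            UnquotedPath  = $unquoted
        }
    }
}

# Usage: running services (sc query equivalent), then the flagged ones
Get-ServiceOverview | Where-Object State -eq 'Running' | Format-Table Name, StartName -AutoSize
Get-ServiceOverview | Where-Object { $_.UnquotedPath -or $_.CustomAccount } |
    Format-Table Name, State, StartMode, StartName, PathName -AutoSize
```

A flagged unquoted path is only interesting if one of the intermediate directories is writable by the current user, so follow it with an icacls check on each prefix; a named service account is interesting because its credential is stored as an LSA secret on the host.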

Event logs
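No commands follow this heading on the page. As an added example (not the original author's), the function below pulls logon successes (4624) and failures (4625) from the Security log and tallies them by account, logon type and result. Reading the Security log needs administrator rights or membership in Event Log Readers. Field names are taken from each event's XML rather than from Properties[] positions, so the code does not break if Microsoft reorders fields; the function name and default window are mine.

```powershell
# Added example (not from the original page): logon summary from the Security log.
function Get-LogonSummary {
    param([int]$Days = 7, [int]$MaxEvents = 5000)

    $filter = @{ LogName = 'Security'; Id = 4624, 4625; StartTime = (Get-Date).AddDays(-$Days) }

    # -ErrorAction SilentlyContinue suppresses the "No events were found" error
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # EventData/Data elements are keyed by Name in the XML view of the event
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                Time      = $_.TimeCreated
                Id        = $_.Id                           # 4624 success, 4625 failure
                User      = "$($data.TargetDomainName)\$($data.TargetUserName)"
                LogonType = $data.LogonType                 # 2 interactive, 3 network, 10 RDP, ...
                Source    = $data.IpAddress
            }
        } |
        Group-Object Id, User, LogonType |
        Sort-Object Count -Descending |
        Select-Object Count, Name
}

# Usage: last 24 hours, most frequent first
Get-LogonSummary -Days 1
```

For the raw rows (with source IP) drop the Group-Object stage; a burst of 4625 for many different users from one Source is a password spray, many 4624 type-3 events from one account across hosts usually marks a service account or an ongoing lateral movement.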

WMIC infos

Save the following as a .bat file and run it from an elevated shell; the for loop locates htable.xsl (shipped under %WINDIR%\system32\wbem) so each query is appended to out.html as an HTML table. Note that wmic is deprecated and not installed by default on recent Windows 11 builds; Get-CimInstance covers the same classes.

for /f "delims=" %%A in ('dir /s /b %WINDIR%\system32\*htable.xsl') do set "var=%%A"

wmic process get CSName,Description,ExecutablePath,ProcessId /format:"%var%" >> out.html
wmic service get Caption,Name,PathName,ServiceType,Started,StartMode,StartName /format:"%var%" >> out.html
wmic USERACCOUNT list full /format:"%var%" >> out.html
wmic group list full /format:"%var%" >> out.html
wmic nicconfig where IPEnabled='true' get Caption,DefaultIPGateway,Description,DHCPEnabled,DHCPServer,IPAddress,IPSubnet,MACAddress /format:"%var%" >> out.html
wmic volume get Label,DeviceID,DriveLetter,FileSystem,Capacity,FreeSpace /format:"%var%" >> out.html
wmic netuse list full /format:"%var%" >> out.html
wmic qfe get Caption,Description,HotFixID,InstalledOn /format:"%var%" >> out.html
wmic startup get Caption,Command,Location,User /format:"%var%" >> out.html
wmic PRODUCT get Description,InstallDate,InstallLocation,PackageCache,Vendor,Version /format:"%var%" >> out.html
wmic os get name,version,InstallDate,LastBootUpTime,LocalDateTime,Manufacturer,RegisteredUser,ServicePackMajorVersion,SystemDirectory /format:"%var%" >> out.html
wmic Timezone get DaylightName,Description,StandardName /format:"%var%" >> out.html