SYSTEM INFORMATION
System info
OS version, patches, architecture — Check for missing patches
systeminfo
hostname
whoami /all
Example Output
systeminfo
OS Name: Microsoft Windows Server 2019
OS Version: 10.0.17763 N/A Build 17763
System Type: x64-based PC
Hotfix(s): 3 Hotfix(s) Installed
KB4534273, KB4516115, KB4523204
Current user privileges
Token privileges — SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege (normal for service accounts such as IIS or MSSQL) = potato-family / PrintSpoofer token impersonation; SeBackupPrivilege = read any file (SAM/SYSTEM hives); SeRestorePrivilege = write any file; SeDebugPrivilege = open any process. A privilege listed as Disabled is still held by the token, only its current state is off, so a process can enable it and use it.
whoami /priv
Example Output
whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name                 State
SeImpersonatePrivilege         Enabled <- POTATO ATTACK!
SeAssignPrimaryTokenPrivilege  Enabled <- also potato
SeBackupPrivilege              Enabled <- READ ANY FILE (dump SAM/SYSTEM hives)!
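Checking the whole privilege list by eye is error-prone, and a Disabled privilege is easy to dismiss. The script below is an added example (not part of the original cheat sheet): it parses whoami /priv output copied off the target and reports every held privilege with a known escalation path, Disabled ones included. The sample output is constructed, and the privilege-to-technique table is my own summary of public techniques, not data read from any host.

```python
"""Triage of captured `whoami /priv` output (added example)."""
import re

# Privileges with a standalone escalation path. Assumed mapping, compiled
# from well-known public techniques.
DANGEROUS = {
    "SeImpersonatePrivilege": "potato-family / PrintSpoofer token impersonation",
    "SeAssignPrimaryTokenPrivilege": "potato-family token impersonation",
    "SeBackupPrivilege": "read any file, e.g. dump the SAM and SYSTEM hives",
    "SeRestorePrivilege": "write any file, e.g. replace a service binary",
    "SeDebugPrivilege": "open any process, e.g. dump LSASS or inject into SYSTEM",
    "SeTakeOwnershipPrivilege": "take ownership of any securable object",
    "SeLoadDriverPrivilege": "load a kernel driver",
}

# Constructed sample in the real `whoami /priv` layout.
SAMPLE = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeBackupPrivilege             Back up files and directories             Disabled
"""

# Privilege name, free-text description, state at end of line.
PRIV_RE = re.compile(r"^(Se\w+Privilege)\s+.+?\s+(Enabled|Disabled)$")


def parse_privileges(text):
    """Return {privilege: state} for every privilege line in the output."""
    privs = {}
    for raw in text.splitlines():
        m = PRIV_RE.match(raw.strip())
        if m:
            privs[m.group(1)] = m.group(2)
    return privs


def triage(text):
    """Return [(privilege, state, why)] for every dangerous privilege held.

    Disabled is reported too: the privilege is in the token and the process
    only has to enable it (AdjustTokenPrivileges) before using it.
    """
    return [
        (name, state, DANGEROUS[name])
        for name, state in parse_privileges(text).items()
        if name in DANGEROUS
    ]


if __name__ == "__main__":
    for name, state, why in triage(SAMPLE):
        print(f"{name:<30} {state:<9} {why}")
```

Paste the real output into SAMPLE (or read it from a file) and run it on the attacker machine; nothing here needs to execute on the target.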
Users and groups
Local accounts — Who is admin?
net user
net localgroup
net localgroup administrators
Example Output
net user
Administrator Guest john svc_backup
net localgroup administrators
Administrator
john
(john is local admin!)
Network info
Interfaces, routes, connections — Internal networks, pivot targets
ipconfig /all
route print
arp -a
netstat -ano
Example Output
ipconfig /all
Ethernet0: 10.10.10.5/24 Gateway: 10.10.10.1
Ethernet1: 172.16.1.5/24 <- DUAL HOMED!
netstat -ano | findstr LISTEN
TCP 0.0.0.0:80 LISTENING 1234
TCP 127.0.0.1:8080 LISTENING 5678 <- loopback only, not reachable from the network: port-forward it!
TCP 0.0.0.0:3389 LISTENING 904
(Map each PID to its process with tasklist /svc; ESTABLISHED entries show which hosts this box already talks to)
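The two things to pull out of this output are the loopback-only listeners (services you can only reach after a port forward) and the second network. The script below is an added example, not from the original cheat sheet: it buckets every netstat -ano listener by bind address, lists the remote hosts with established connections as pivot candidates, and decides from ipconfig /all whether the host is dual-homed by comparing the subnets of its adapters. Both sample outputs are constructed.

```python
"""Triage of captured `netstat -ano` and `ipconfig /all` output (added example)."""
import ipaddress
import re

NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1234
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       904
  TCP    127.0.0.1:8080         0.0.0.0:0              LISTENING       5678
  TCP    10.10.10.5:49712       10.10.10.20:445        ESTABLISHED     4
  TCP    172.16.1.5:49800       172.16.1.50:1433       ESTABLISHED     1235
  TCP    [::]:135               [::]:0                 LISTENING       880
  UDP    0.0.0.0:123            *:*                                    1080
"""

IPCONFIG = """\
Ethernet adapter Ethernet0:
   IPv4 Address. . . . . . . . . . . : 10.10.10.5(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.10.10.1
Ethernet adapter Ethernet1:
   IPv4 Address. . . . . . . . . . . : 172.16.1.5(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :
"""

LOOPBACK = {"127.0.0.1", "[::1]"}
WILDCARD = {"0.0.0.0", "[::]"}


def parse_netstat(text):
    """One dict per socket line; UDP lines carry no State column."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        if parts[0] == "TCP":
            proto, local, foreign, state, pid = parts
        else:
            proto, local, foreign, pid = parts
            state = ""
        host, port = local.rsplit(":", 1)  # handles [::]:135 as well
        rows.append({"proto": proto, "host": host, "port": int(port),
                     "foreign": foreign, "state": state, "pid": int(pid)})
    return rows


def classify_listeners(text):
    """{'loopback'|'all'|'specific': [(proto, port, pid)]} for TCP listeners
    and every UDP socket."""
    out = {"loopback": [], "all": [], "specific": []}
    for r in parse_netstat(text):
        if r["proto"] == "TCP" and r["state"] != "LISTENING":
            continue
        if r["host"] in LOOPBACK:
            bucket = "loopback"
        elif r["host"] in WILDCARD:
            bucket = "all"
        else:
            bucket = "specific"
        out[bucket].append((r["proto"], r["port"], r["pid"]))
    return out


def established_peers(text):
    """Remote hosts this box already talks to: pivot candidates."""
    return sorted({r["foreign"].rsplit(":", 1)[0]
                   for r in parse_netstat(text) if r["state"] == "ESTABLISHED"})


ADAPTER_RE = re.compile(r"^\S.* adapter (.+):$")
FIELD_RE = re.compile(r"^\s+(IPv4 Address|Subnet Mask)[ .]*: ([\d.]+)")


def parse_adapters(text):
    """{adapter name: IPv4Interface} for every adapter with an IPv4 address."""
    adapters, current, fields = {}, None, {}
    for line in text.splitlines():
        m = ADAPTER_RE.match(line)
        if m:
            current, fields = m.group(1), {}
            continue
        m = FIELD_RE.match(line)
        if m and current:
            fields[m.group(1)] = m.group(2)
            if "IPv4 Address" in fields and "Subnet Mask" in fields:
                adapters[current] = ipaddress.ip_interface(
                    f"{fields['IPv4 Address']}/{fields['Subnet Mask']}")
    return adapters


def is_dual_homed(text):
    """True when the adapters sit on more than one distinct IPv4 network."""
    return len({i.network for i in parse_adapters(text).values()}) > 1
```

The "specific" bucket (a listener bound to one interface address only) matters on a dual-homed host: a service bound only to the internal adapter is invisible from the side you came in on.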
Running processes
Services and processes — Find interesting services
tasklist /svc
Get-Process
Example Output
tasklist /svc
Image Name PID Services
httpd.exe 1234 Apache2.4
mysqld.exe 1235 MySQL
FileZilla Serv 1236 FileZilla <- check version!
custom_svc.exe 1237 CustomSvc <- non-default!
wmic process get name,executablepath
(Find custom/vulnerable services: a binary outside C:\Windows and C:\Program Files is non-default, so check its version and who can write to its folder. wmic is deprecated on current Windows builds; the Win32_Process CIM class via Get-CimInstance returns the same fields.)
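Sorting a long process list into "stock Windows" and "worth a look" is quicker with a filter. This is an added example, not from the original cheat sheet: it parses the wmic process output above and flags every binary that lives outside the default install roots, separating those in locations a standard user can normally write to (check the ACL with icacls before getting excited). The sample output is constructed, and the directory lists assume stock ACLs that nobody has tightened or loosened.

```python
"""Flag non-default binaries in captured `wmic process get name,executablepath`
output (added example)."""
import re

# Constructed sample; wmic separates the columns with runs of spaces.
SAMPLE = """\
Name                 ExecutablePath
svchost.exe          C:\\Windows\\System32\\svchost.exe
httpd.exe            C:\\Program Files\\Apache24\\bin\\httpd.exe
mysqld.exe           C:\\Program Files\\MySQL\\MySQL Server 5.7\\bin\\mysqld.exe
custom_svc.exe       C:\\CustomSvc\\custom_svc.exe
updater.exe          C:\\Users\\john\\AppData\\Local\\Temp\\updater.exe
System Idle Process
"""

# Roots a standard user cannot write to with stock ACLs (assumption).
DEFAULT_ROOTS = ("c:\\windows\\", "c:\\program files\\",
                 "c:\\program files (x86)\\")
# Roots a standard user can normally drop files into (assumption).
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\temp\\")

# Name column, two or more spaces, then the path (which may contain spaces).
ROW_RE = re.compile(r"^(\S.*?)\s{2,}(\S.*)$")


def parse_processes(text):
    """Return [(name, path or None)]; rows with no path are kernel/idle
    processes or ones the caller could not query."""
    rows = []
    for line in text.splitlines()[1:]:  # skip the header row
        line = line.rstrip()
        if not line:
            continue
        m = ROW_RE.match(line)
        rows.append((m.group(1), m.group(2)) if m else (line.strip(), None))
    return rows


def classify(path):
    """'default', 'user-writable' or 'non-default' by install location."""
    p = path.lower()
    if p.startswith(DEFAULT_ROOTS):
        return "default"
    if p.startswith(USER_WRITABLE):
        return "user-writable"
    return "non-default"


def suspicious(text):
    """Every process whose binary is not under a default install root."""
    return [(name, path, classify(path))
            for name, path in parse_processes(text)
            if path and classify(path) != "default"]


if __name__ == "__main__":
    for name, path, why in suspicious(SAMPLE):
        print(f"{why:<14} {name:<20} {path}")
```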
Installed software
Installed applications — Outdated software with CVEs
wmic product get name,version
Get-ItemProperty 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*' | Select DisplayName,DisplayVersion
(wmic product reads Win32_Product, which makes Windows Installer re-validate every MSI package: it is slow, only lists MSI-installed software, and leaves MsiInstaller events in the Application log. Prefer the registry query; on 64-bit hosts also read the Wow6432Node Uninstall key for 32-bit applications.)
Example Output
wmic product get name,version
Apache HTTP Server 2.4.29
MySQL Server 5.7.29
FileZilla Server 0.9.41 <- OLD VERSION!
(Search each for known CVEs)
Check architecture
32-bit or 64-bit — Match exploits to arch
wmic os get osarchitecture
Example Output
wmic os get osarchitecture
64-bit
(Use x64 exploits and payloads; also confirm the bitness of the shell you are in: a 32-bit process on a 64-bit host runs under WOW64 with System32 and registry paths redirected, and can only load 32-bit payloads)
Hotfixes installed
Installed patches — Missing KB = potential exploit (compare the build and hotfix list against known local privilege escalation CVEs; Windows Exploit Suggester / wesng automate this from systeminfo output)
wmic qfe list
Get-HotFix
Example Output
wmic qfe list
HotFixID InstalledOn
KB4534273 1/15/2020
KB4516115 9/10/2019
(Last patch 2020 = many missing updates. The QFE list can be incomplete, so also compare the OS build from systeminfo with the latest cumulative update for that release)
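Reading patch age and release off raw systeminfo and wmic qfe output is the same two-line lookup every time, so here it is as a script. This is an added example, not from the original cheat sheet and not a substitute for a CVE-aware tool: it extracts the build number from systeminfo, names the release from a small table I have assumed here, finds the newest InstalledOn date and says how long the host has gone without a patch relative to a date you pass in. The sample outputs are constructed; wmic prints InstalledOn in the host's locale, and the parser assumes the US month/day/year order shown in the cheat sheet. The 90-day threshold is an assumption too.

```python
"""Patch-level triage from captured `systeminfo` and
`wmic qfe get hotfixid,installedon` (or Get-HotFix) output (added example)."""
import re
from datetime import date

SYSTEMINFO = """\
Host Name:                 WEB01
OS Name:                   Microsoft Windows Server 2019 Standard
OS Version:                10.0.17763 N/A Build 17763
System Type:               x64-based PC
"""

HOTFIXES = """\
HotFixID   InstalledOn
KB4534273  1/15/2020
KB4516115  9/10/2019
KB4523204  11/12/2019
"""

# Build number -> release. Assumed, deliberately small table.
BUILDS = {
    14393: "Windows 10 1607 / Server 2016",
    17763: "Windows 10 1809 / Server 2019",
    19041: "Windows 10 2004",
    20348: "Windows Server 2022",
    22000: "Windows 11 21H2",
    22621: "Windows 11 22H2",
}

STALE_AFTER_DAYS = 90  # assumption: more than a quarter without patches


def os_build(text):
    """Build number from the 'OS Version: 10.0.17763 ...' line, or None."""
    m = re.search(r"^OS Version:\s+(\d+)\.(\d+)\.(\d+)", text, re.M)
    return int(m.group(3)) if m else None


def release_name(build):
    return BUILDS.get(build, f"unknown build {build}")


# KB id followed by M/D/YYYY; the time Get-HotFix appends is ignored.
DATE_RE = re.compile(r"(KB\d+)\s+(\d{1,2})/(\d{1,2})/(\d{4})")


def parse_hotfixes(text):
    """{KB: 'YYYY-MM-DD'} assuming US month/day/year order (assumption)."""
    fixes = {}
    for m in DATE_RE.finditer(text):
        kb, month, day, year = m.group(1), int(m.group(2)), int(m.group(3)), int(m.group(4))
        fixes[kb] = date(year, month, day).isoformat()
    return fixes


def patch_age(text, today_iso):
    """(newest_kb, 'YYYY-MM-DD', days since) relative to today_iso, or None."""
    fixes = parse_hotfixes(text)
    if not fixes:
        return None
    kb, newest = max(fixes.items(), key=lambda kv: kv[1])  # ISO sorts by date
    days = (date.fromisoformat(today_iso) - date.fromisoformat(newest)).days
    return kb, newest, days


def is_stale(text, today_iso):
    """True when no hotfix is newer than STALE_AFTER_DAYS, or none is listed."""
    age = patch_age(text, today_iso)
    return age is None or age[2] > STALE_AFTER_DAYS


if __name__ == "__main__":
    build = os_build(SYSTEMINFO)
    print(f"build {build}: {release_name(build)}")
    print("newest patch:", patch_age(HOTFIXES, date.today().isoformat()))
```

An empty or missing hotfix list is treated as stale on purpose: a host that reports no QFE entries is more likely misreported than fully patched, and the build comparison is the fallback.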