Initial Enumeration

1. Initial Enumeration

RDP to Lab Target

Command:

xfreerdp /v:<target ip> /u:htb-student

Description: RDP into the lab target.

Get Network Configuration

Command:

ipconfig /all

Description: Get interface, IP address, and DNS information.

Review ARP Table

Command:

arp -a

Description: Display ARP table to identify other connected devices.

Review Routing Table

Command:

route print

Description: Display system routing table.

2. Security & Defender Checks

Check Windows Defender Status

Command:

Get-MpComputerStatus

Description: Check the status of Windows Defender.

List AppLocker Rules

Command:

Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections

Description: Display AppLocker rules.

Test AppLocker Policy

Command:

Get-AppLockerPolicy -Local | Test-AppLockerPolicy -path C:\Windows\System32\cmd.exe -User Everyone

Description: Test AppLocker policy on cmd.exe for all users.

3. System Information

Display Environment Variables

Command:

set

Description: Display all environment variables.

View System Configuration

Command:

systeminfo

Description: View detailed system configuration information.

Get Installed Patches

Command:

wmic qfe

Description: List installed patches and updates.

Get Installed Programs

Command:

wmic product get name

Description: List installed programs.

4. Process and User Information

Display Running Processes

Command:

tasklist /svc

Description: Display running processes and associated services.

Get Logged-In Users

Command:

query user

Description: List users currently logged into the system.

Get Current Username

Command:

echo %USERNAME%

Description: Print the current username.

View Current User Privileges

Command:

whoami /priv

Description: Display privileges assigned to the current user.

View User Group Information

Command:

whoami /groups

Description: List groups the current user belongs to.

5. User & Group Enumeration

Get All System Users

Command:

net user

Description: Display all local user accounts.

Get All System Groups

Command:

net localgroup

Description: Display all local groups.

View Group Details

Command:

net localgroup administrators

Description: Display members of the Administrators group.

Get Password Policy

Command:

net accounts

Description: Display system password policy.

6. Network Enumeration

Display Active Network Connections

Command:

netstat -ano

Description: List active network connections with associated process IDs.

7. Named Pipe Enumeration

List Named Pipes (Sysinternals Tool)

Command:

pipelist.exe /accepteula

Description: List named pipes using Sysinternals pipelist.

List Named Pipes (PowerShell)

Command:

gci \\.\pipe\

Description: List named pipes using PowerShell.

Check Pipe Permissions

Command:

accesschk.exe /accepteula \\.\Pipe\lsass -v

Description: Review permissions on a named pipe (lsass).