Manual Enumeration Techniques
Systematic reconnaissance to find privilege escalation vectors
What You'll Discover
🎯 Why This Matters
Automated tools are powerful, but they miss context. Manual enumeration reveals attack paths that scripts overlook and helps you understand why an exploit will work. During real penetration tests, network restrictions often prevent downloading tools - you need to know how to enumerate with built-in commands.
🔍 What You'll Learn
- Complete manual enumeration checklist for Windows systems
- Commands to identify installed software, patches, and configurations
- Techniques to find weak service permissions and scheduled tasks
- Methods to discover stored credentials and sensitive files
🚀 Your First Win
In the next 10 minutes, you'll build a mental checklist of enumeration commands you can use on any Windows system without uploading any tools.
🔧 Try This Right Now
Run a quick system enumeration to identify potential attack vectors:
systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type"
whoami /priv
net user %username%
wmic qfe list brief
You'll see: OS version (for kernel exploit matching), your privileges, group memberships, and installed patches (for missing patch identification).
Skills You'll Master
✅ Core Understanding
- System and OS version enumeration
- User and group discovery
- Network configuration analysis
- Running process investigation
🔍 Expert Skills
- Service permission analysis
- Scheduled task enumeration
- Credential hunting techniques
- Registry key inspection
Understanding Manual Enumeration
Manual enumeration is a systematic process of gathering information about a Windows system to identify privilege escalation paths. You're looking for misconfigurations, missing patches, weak permissions, and stored credentials. Every command tells you something about the attack surface.
Enumeration Goal: Find the gap between current privileges and SYSTEM
System Information
Start with understanding what you're working with:
# Full system information
systeminfo
# OS and architecture
systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type"
# Hostname and domain
hostname
echo %USERDOMAIN%
# Installed patches (for kernel exploit matching). wmic is deprecated and absent on recent Windows 11 builds; Get-HotFix in PowerShell returns the same data
wmic qfe list brief
wmic qfe get Caption,Description,HotFixID,InstalledOn
# Environment variables (may reveal installed software paths)
set
User and Group Enumeration
Understanding user context and available accounts:
# Current user context
whoami
whoami /priv
whoami /groups
whoami /all
# Local users
net user
net user administrator
# Local groups
net localgroup
net localgroup administrators
net localgroup "Remote Desktop Users"
# Currently logged on users
query user
qwinsta
Network Information
Network configuration reveals pivot opportunities and listening services:
# IP configuration
ipconfig /all
# Routing table
route print
# ARP cache (other hosts on network)
arp -a
# Listening ports and connections
netstat -ano
netstat -ano | findstr LISTEN
# Firewall rules
netsh advfirewall show currentprofile
netsh advfirewall firewall show rule name=all
Running Processes and Services
Processes reveal installed software and potential targets:
# Running processes
tasklist
tasklist /v
tasklist /svc
# Services
sc query
sc query state= all
wmic service get name,displayname,pathname,startmode
# Find unquoted service paths
wmic service get name,pathname,startmode | findstr /i /v "C:\Windows\\" | findstr /i /v """
# Service permissions (requires accesschk from Sysinternals; without it, sc sdshow <servicename> prints the same DACL as SDDL, see the FAQ)
# accesschk.exe -uwcqv "Authenticated Users" * /accepteula
Scheduled Tasks
Scheduled tasks may run as SYSTEM and execute writable scripts:
# List scheduled tasks
schtasks /query /fo LIST /v
schtasks /query /fo TABLE
# Check for tasks running as SYSTEM: print the name, the command and the account together instead of grepping for "SYSTEM" alone
schtasks /query /fo LIST /v | findstr /i /C:"TaskName" /C:"Task To Run" /C:"Run As User"
# PowerShell alternative (UserId is "SYSTEM" or "S-1-5-18" depending on how the task was registered)
Get-ScheduledTask | Where-Object { $_.Principal.UserId -in "SYSTEM","S-1-5-18" } | Select-Object TaskPath,TaskName,State,@{n="Execute";e={$_.Actions.Execute}}
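The listing above tells you which tasks run as SYSTEM; the next question is whether you can tamper with what they execute. The following is an added example, not code from the original page: it resolves each SYSTEM task's action to a real path and probes whether the current user can write to the executable or its directory. It assumes the ScheduledTasks module (Windows 8 / Server 2012 or later) and treats a successful open-for-write as proof of write access.

```powershell
# Added example, not from the original page: list tasks that run as SYSTEM and test
# whether the current user can write to each action's executable or its directory.
# Assumes the ScheduledTasks module (Windows 8 / Server 2012 and later).
function Test-UserWritable {
    param([string]$Path)
    if (-not $Path) { return $false }
    try {
        if (Test-Path -LiteralPath $Path -PathType Container) {
            # Directory: create and delete a uniquely named probe file.
            $probe = Join-Path $Path ('.' + [guid]::NewGuid().ToString('N'))
            [IO.File]::OpenWrite($probe).Close()
            Remove-Item -LiteralPath $probe -Force
        } else {
            # File: open for write without truncating it (FileMode.Open, FileAccess.Write).
            [IO.File]::Open($Path, 'Open', 'Write').Close()
        }
        return $true
    } catch {
        return $false   # access denied, missing path or sharing violation all count as "no"
    }
}

function Get-SystemTaskWeakness {
    # UserId is "SYSTEM" or "S-1-5-18" depending on how the task was registered.
    $systemIds = @('SYSTEM', 'S-1-5-18', 'NT AUTHORITY\SYSTEM', 'LocalSystem')
    Get-ScheduledTask | Where-Object { $systemIds -contains $_.Principal.UserId } | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }   # COM-handler actions have no Execute
            # Strip quotes and expand %SystemRoot%-style variables before resolving.
            $exe = [Environment]::ExpandEnvironmentVariables($action.Execute.Trim('"'))
            if ($exe -notmatch '^[A-Za-z]:\\') {
                # Bare name: resolve through PATH, as the scheduler would at run time.
                $resolved = Get-Command $exe -ErrorAction SilentlyContinue | Select-Object -First 1
                if ($resolved) { $exe = $resolved.Source }
            }
            $dir = if ($exe -match '\\') { Split-Path $exe -Parent } else { '' }
            [pscustomobject]@{
                Task        = $task.TaskPath + $task.TaskName
                State       = $task.State
                Execute     = $exe
                Arguments   = $action.Arguments
                ExeWritable = Test-UserWritable $exe
                DirWritable = Test-UserWritable $dir
            }
        }
    } | Where-Object { $_.ExeWritable -or $_.DirWritable }
}

Get-SystemTaskWeakness | Format-Table -AutoSize
```

A writable executable is a direct win; a writable directory matters when the action runs a script or a bare name that the scheduler resolves through PATH. Tasks you cannot read are skipped silently, so an empty result from a low-privileged shell does not prove the box is clean.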
Installed Software
Installed applications may have known vulnerabilities:
# Installed software. Avoid "wmic product" on a live engagement: it makes Windows Installer re-validate every MSI package (slow, and it writes MsiInstaller 1035 events to the Application log); the registry queries below give the same list quietly
wmic product get name,version
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s
# 32-bit apps on 64-bit
reg query "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall" /s
# Program Files directories
dir /b "C:\Program Files"
dir /b "C:\Program Files (x86)"
Tools and Techniques
Credential Hunting
Search for stored credentials and sensitive files:
# Saved credentials
cmdkey /list
# Search for password in files
findstr /si "password" *.txt *.xml *.ini *.config
findstr /spin "password" *.*
# Common credential locations
type C:\Windows\Panther\Unattend.xml
type C:\Windows\Panther\Unattended.xml
type C:\Unattend.xml
# Backup registry hives (binary, so "type" shows garbage: check that they exist, copy them off and parse offline). %WINDIR%\repair is rare on modern builds; %WINDIR%\System32\config\RegBack is the newer location and has usually been empty since Windows 10 1803
dir %WINDIR%\repair\SAM %WINDIR%\repair\system
# IIS configuration
type C:\inetpub\wwwroot\web.config
type C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config
# Registry stored passwords: Winlogon autologon keeps DefaultUserName/DefaultPassword in cleartext; PuTTY sessions keep ProxyUsername/ProxyPassword in cleartext and PublicKeyFile points at the private key
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" 2>nul
reg query "HKCU\Software\SimonTatham\PuTTY\Sessions" /s 2>nul
Registry Enumeration
Registry keys that enable privilege escalation:
# AlwaysInstallElevated (any .msi installs as SYSTEM, but only when BOTH values below are 1)
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
# AutoRuns (persistence locations)
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
# Service registry keys (ImagePath per service; drop /v ImagePath for the full dump, which is very large)
reg query "HKLM\SYSTEM\CurrentControlSet\Services" /s /v ImagePath
# UAC settings
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
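Raw reg query output is easy to misread: AlwaysInstallElevated set in one hive only is not exploitable, and a present-but-zero UAC value means something different from an absent one. The block below is an added example, not code from the original page; it reads the keys from this section plus the Winlogon key from Credential Hunting and prints an interpretation. Key and value names are the real ones used by Windows; the wording of the findings is mine.

```powershell
# Added example, not from the original page: read the AlwaysInstallElevated, UAC
# and Winlogon autologon values queried in this section and in Credential Hunting,
# and interpret them instead of eyeballing raw "reg query" output.
function Get-RegValue([string]$Key, [string]$Name) {
    try { (Get-ItemProperty -Path $Key -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Get-RegistryEscalationIndicators {
    # AlwaysInstallElevated is only exploitable when BOTH the HKLM and HKCU values are 1.
    $aieHklm = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer' 'AlwaysInstallElevated'
    $aieHkcu = Get-RegValue 'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer' 'AlwaysInstallElevated'
    if ($aieHklm -eq 1 -and $aieHkcu -eq 1) { $aieNote = 'VULNERABLE: any .msi installs as SYSTEM' }
    elseif ($aieHklm -eq 1 -or $aieHkcu -eq 1) { $aieNote = 'only one hive set, not exploitable' }
    else { $aieNote = 'not set' }
    [pscustomobject]@{ Check = 'AlwaysInstallElevated'; Value = "HKLM=$aieHklm HKCU=$aieHkcu"; Finding = $aieNote }

    # Autologon: DefaultPassword, when present, is the account's cleartext password.
    $wl = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $autoAdmin = Get-RegValue $wl 'AutoAdminLogon'
    $defUser   = Get-RegValue $wl 'DefaultUserName'
    $defPass   = Get-RegValue $wl 'DefaultPassword'
    $wlNote = if ($defPass) { "cleartext password for '$defUser' in registry" } else { 'no stored password' }
    [pscustomobject]@{ Check = 'Winlogon autologon'; Value = "AutoAdminLogon=$autoAdmin DefaultUserName=$defUser"; Finding = $wlNote }

    # UAC: EnableLUA=0 disables UAC; ConsentPromptBehaviorAdmin=0 elevates admins silently;
    # LocalAccountTokenFilterPolicy=1 hands remote local-admin logons an unfiltered token.
    $sys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $enableLua = Get-RegValue $sys 'EnableLUA'
    $consent   = Get-RegValue $sys 'ConsentPromptBehaviorAdmin'
    $latfp     = Get-RegValue $sys 'LocalAccountTokenFilterPolicy'
    $uacNotes = @()
    if ($enableLua -eq 0) { $uacNotes += 'UAC disabled' }
    if ($consent -eq 0)   { $uacNotes += 'admins elevate without prompting' }
    if ($latfp -eq 1)     { $uacNotes += 'remote local-admin tokens not filtered' }
    $uacNote = if ($uacNotes) { $uacNotes -join '; ' } else { 'defaults in place' }
    [pscustomobject]@{ Check = 'UAC policy'; Value = "EnableLUA=$enableLua ConsentPromptBehaviorAdmin=$consent LocalAccountTokenFilterPolicy=$latfp"; Finding = $uacNote }
}

Get-RegistryEscalationIndicators | Format-Table -AutoSize -Wrap
```

Values that do not exist come back as $null and are printed blank, which is how you tell "never configured" from "explicitly set to 0".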
PowerShell Enumeration
PowerShell provides additional enumeration capabilities:
# PowerShell version and execution policy
$PSVersionTable
Get-ExecutionPolicy
# List drives
Get-PSDrive
# Find writable directories in PATH (skips empty or missing entries; a writable PATH directory lets you plant a DLL or EXE that a higher-privileged process resolves by name)
$env:PATH -split ';' | Where-Object { $_ -and (Test-Path -LiteralPath $_) } | ForEach-Object { $probe = Join-Path $_ ("w_" + [guid]::NewGuid().ToString("N")); try { [IO.File]::OpenWrite($probe).Close(); Remove-Item -LiteralPath $probe -Force; Write-Host "Writable: $_" } catch {} }
# Search for interesting files
Get-ChildItem -Path C:\ -Include *.txt,*.xml,*.config,*.ini -File -Recurse -ErrorAction SilentlyContinue | Select-String -Pattern "password"
# List services with unquoted paths (Get-CimInstance works in both Windows PowerShell and PowerShell 7; '* *' also matches spaces in arguments, so confirm the space sits inside the executable path)
Get-CimInstance Win32_Service | Select-Object Name,StartMode,PathName | Where-Object { $_.PathName -notlike '"*' -and $_.PathName -like '* *' }
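Both the wmic one-liner in Running Processes and Services and the PowerShell query above only list unquoted paths; what makes one exploitable is a writable directory at one of the spots Windows checks before reaching the real binary. The following is an added example, not code from the original page: for each unquoted path with spaces it generates those candidate paths and probes the parent directory for write access. It assumes the service binary ends in .exe and uses only CIM and .NET, so it runs in Windows PowerShell 5.1 and PowerShell 7.

```powershell
# Added example, not from the original page: find services whose ImagePath is
# unquoted and contains spaces, list every path the service controller would try
# before the real binary, and flag those whose directory the current user can
# write to.
function Test-DirWritable([string]$Dir) {
    if (-not $Dir -or -not (Test-Path -LiteralPath $Dir -PathType Container)) { return $false }
    try {
        $probe = Join-Path $Dir ([guid]::NewGuid().ToString('N'))
        [IO.File]::OpenWrite($probe).Close()
        Remove-Item -LiteralPath $probe -Force
        $true
    } catch { $false }
}

function Get-UnquotedServicePath {
    Get-CimInstance Win32_Service |
      Where-Object { $_.PathName -and $_.PathName -notmatch '^"' -and $_.PathName -match '^[A-Za-z]:\\' } |
      ForEach-Object {
        $svc = $_
        # Executable part = everything up to the first ".exe" that is followed by
        # whitespace or end of string (assumption: the service binary ends in .exe).
        if ($svc.PathName -match '^(?<exe>.+?\.exe)(\s|$)') { $exe = $Matches.exe } else { return }
        if ($exe -notmatch ' ') { return }        # no space in the path, nothing to hijack
        # For "C:\Program Files\Vendor Tool\svc.exe" Windows tries
        # C:\Program.exe, then "C:\Program Files\Vendor.exe", then the real binary.
        $parts = $exe -split ' '
        for ($i = 1; $i -lt $parts.Count; $i++) {
            $candidate = ($parts[0..($i - 1)] -join ' ') + '.exe'
            $dir = Split-Path $candidate -Parent
            [pscustomobject]@{
                Service     = $svc.Name
                StartMode   = $svc.StartMode
                RunsAs      = $svc.StartName
                ImagePath   = $svc.PathName
                Candidate   = $candidate
                DirWritable = Test-DirWritable $dir
            }
        }
      }
}

# Unquoted paths with a writable hijack directory are the ones worth pursuing;
# drop the Where-Object to see every unquoted path.
Get-UnquotedServicePath | Where-Object DirWritable | Format-Table -AutoSize
```

StartMode and RunsAs are included because a writable candidate only pays off if the service runs as SYSTEM (or another privileged account) and you can get it restarted: Auto start plus a reboot you can trigger, or SERVICE_START/SERVICE_STOP rights on the service itself.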
Real-World Attack Scenarios
🔴 Scenario: Unattend.xml Password Discovery
During Windows deployment, administrators use unattend.xml answer files to automate installation. These often carry the local administrator password, either in cleartext (PlainText true) or base64-encoded (PlainText false); the encoded form is just the UTF-16LE password with "Password" or "AdministratorPassword" appended, not encryption. The file persists in common locations after installation, and many administrators forget to remove it.
Attack path: Enumerate file system → Find Unattend.xml → Decode base64 password → Authenticate as Administrator
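The attack path above is mechanical enough to script. The following is an added example, not code from the original page: it checks the usual unattend/sysprep locations, pulls every password element out of the XML, and reverses the encoding Windows System Image Manager applies (base64 of the UTF-16LE password with "AdministratorPassword" appended for the built-in account, or "Password" for LocalAccount and AutoLogon entries). The file list is an assumption covering the common locations, including those on this page; extend it for your environment.

```powershell
# Added example, not from the original page: scan the usual unattend/sysprep
# locations, pull every password element and decode it. With PlainText=false,
# Windows stores base64(UTF-16LE(password + suffix)); the suffix is
# "AdministratorPassword" for the built-in Administrator and "Password" for
# LocalAccount and AutoLogon entries, so it is stripped before printing.
function ConvertFrom-UnattendPassword {
    param([string]$Value, [bool]$PlainText)
    if ($PlainText) { return $Value }
    $decoded = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Value))
    foreach ($suffix in 'AdministratorPassword', 'Password') {
        if ($decoded.EndsWith($suffix)) {
            return $decoded.Substring(0, $decoded.Length - $suffix.Length)
        }
    }
    return $decoded   # unknown layout: return the raw decoded string
}

function Find-UnattendCredentials {
    # Assumed location list: the paths from this page plus the sysprep folder.
    param([string[]]$Paths = @(
        "$env:SystemRoot\Panther\Unattend.xml",
        "$env:SystemRoot\Panther\Unattended.xml",
        "$env:SystemRoot\Panther\Unattend\Unattend.xml",
        "$env:SystemRoot\System32\Sysprep\Unattend.xml",
        "$env:SystemRoot\System32\Sysprep\sysprep.xml",
        "$env:SystemDrive\Unattend.xml"
    ))
    foreach ($p in $Paths) {
        if (-not (Test-Path -LiteralPath $p)) { continue }
        try { [xml]$doc = Get-Content -LiteralPath $p -Raw -ErrorAction Stop } catch { continue }
        # local-name() ignores the unattend namespace, so this works whatever prefixes are used.
        $nodes = $doc.SelectNodes("//*[local-name()='Password' or local-name()='AdministratorPassword']")
        foreach ($pw in $nodes) {
            $value = $pw.SelectSingleNode("*[local-name()='Value']")
            if (-not $value) { continue }
            $plain   = $pw.SelectSingleNode("*[local-name()='PlainText']")
            $isPlain = [bool]$plain -and $plain.InnerText.Trim() -ieq 'true'
            # AutoLogon carries a sibling <Username>; LocalAccount carries <Name>;
            # AdministratorPassword has neither (it is always the built-in Administrator).
            $userNode = $pw.ParentNode.SelectSingleNode("*[local-name()='Username' or local-name()='Name']")
            $user = if ($userNode) { $userNode.InnerText } elseif ($pw.LocalName -eq 'AdministratorPassword') { 'Administrator' } else { '?' }
            [pscustomobject]@{
                File     = $p
                Context  = "$($pw.ParentNode.LocalName)/$($pw.LocalName)"
                User     = $user
                Password = ConvertFrom-UnattendPassword $value.InnerText $isPlain
            }
        }
    }
}

Find-UnattendCredentials | Format-Table -AutoSize

# Constructed sample value (not from a real system) for checking the decoder offline:
ConvertFrom-UnattendPassword 'cABhAHMAcwB3AG8AcgBkAFAAYQBzAHMAdwBvAHIAZAA=' $false
```

The constructed sample value at the end is the UTF-16LE encoding of the string "passwordPassword", so the decoder strips the "Password" suffix and returns "password". If a file decodes to something ending in neither suffix, it was probably generated by a different tool and the raw decoded string is shown as-is.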
🟠 Scenario: PuTTY Saved Sessions
System administrators often save SSH session configurations in PuTTY. Each session is a registry key holding the host, the user name, any proxy credentials (ProxyUsername and ProxyPassword, stored in cleartext) and PublicKeyFile, the path to the private key the session authenticates with. Discovering SSH credentials to Linux servers during a Windows engagement provides lateral movement opportunities.
Attack path: Query PuTTY registry → Extract saved credentials or the key path → SSH to additional systems
💡 Expert Insight
Manual enumeration is not about memorizing every command - it's about developing a systematic approach. Start broad (system info, user context), then go deep (services, scheduled tasks, credentials). Document everything; you never know what will become relevant later.
Defensive Countermeasures
Credential Hygiene
- Remove deployment files (Unattend.xml) after installation
- Never store credentials in scripts, config files, or registry
- Use Windows Credential Manager with proper encryption
- Implement LAPS for local administrator password management
Service Hardening
- Use quoted paths for all service executables
- Set restrictive permissions on service binary directories
- Run services with minimum required privileges
- Use Managed Service Accounts (MSAs) instead of user accounts
Detection Capabilities
- Monitor for bursts of enumeration commands (systeminfo, net user, whoami /priv, wmic qfe) from one user in a short window; any single one is normal admin noise
- Alert on registry queries to credential storage locations (Winlogon, PuTTY sessions, AlwaysInstallElevated)
- Log process command lines: enable "Include command line in process creation events" so Security event 4688 carries the arguments, or deploy Sysmon (event 1)
- Use honeypot credentials to detect credential harvesting
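The first bullet is the one that needs logic rather than a single rule, because each command on this page is something an administrator types every day. The following is an added example, not code from the original page: a burst detector that matches process command lines against the enumeration commands used above and alerts when one user runs several distinct ones inside a short window. The sample records are constructed for the demo and only mimic the field names of Security event 4688; the patterns and thresholds are my choices, not an official rule set.

```powershell
# Added example, not from the original page: burst detector for the enumeration
# commands used on this page, run over constructed sample records shaped like
# Security event 4688 (Process Creation) with command-line auditing enabled.
$EnumPatterns = @(
    '^systeminfo(\.exe)?\b',
    '^whoami(\.exe)?\s+/(priv|groups|all)',
    '^net(1)?(\.exe)?\s+(user|localgroup)\b',          # "net user" is executed via net1.exe
    '^wmic(\.exe)?\s+(qfe|service|product)\b',
    '^schtasks(\.exe)?\s+/query',
    '^cmdkey(\.exe)?\s+/list',
    '^reg(\.exe)?\s+query\s+.*(AlwaysInstallElevated|Winlogon|PuTTY)',
    '^findstr(\.exe)?\s+/s.*password'
)

function Find-EnumerationBurst {
    param(
        [Parameter(Mandatory)][object[]]$Events,   # objects with TimeCreated, SubjectUserName, CommandLine
        [int]$Threshold = 4,                        # distinct enumeration techniques needed to alert
        [int]$WindowMinutes = 10
    )
    $hits = foreach ($e in $Events) {
        # Drop quotes and the directory of the first token so "C:\Windows\system32\net1.exe user"
        # becomes "net1.exe user"; arguments containing backslashes are left alone.
        $cmd = ($e.CommandLine -replace '"', '') -replace '^\S*\\', ''
        for ($i = 0; $i -lt $EnumPatterns.Count; $i++) {
            if ($cmd -match $EnumPatterns[$i]) {
                [pscustomobject]@{ User = $e.SubjectUserName; Time = [datetime]$e.TimeCreated; Pattern = $i; Cmd = $cmd }
                break
            }
        }
    }
    foreach ($group in ($hits | Group-Object User)) {
        $list = @($group.Group | Sort-Object Time)
        for ($s = 0; $s -lt $list.Count; $s++) {
            # Sliding window anchored at each hit; count distinct techniques inside it.
            $end = $list[$s].Time.AddMinutes($WindowMinutes)
            $win = @($list[$s..($list.Count - 1)] | Where-Object { $_.Time -le $end })
            $distinct = @($win.Pattern | Select-Object -Unique).Count
            if ($distinct -ge $Threshold) {
                [pscustomobject]@{
                    User = $group.Name; Start = $list[$s].Time; End = $win[-1].Time
                    DistinctTechniques = $distinct; Commands = ($win.Cmd -join ' | ')
                }
                break   # one alert per user per burst is enough for the demo
            }
        }
    }
}

# Constructed sample: one noisy session and one admin running a single command.
$Sample = @(
    @{ TimeCreated = '2024-05-01T09:00:05'; SubjectUserName = 'jdoe';  CommandLine = 'systeminfo' }
    @{ TimeCreated = '2024-05-01T09:00:20'; SubjectUserName = 'jdoe';  CommandLine = 'whoami  /priv' }
    @{ TimeCreated = '2024-05-01T09:01:02'; SubjectUserName = 'jdoe';  CommandLine = '"C:\Windows\system32\net1.exe" user jdoe' }
    @{ TimeCreated = '2024-05-01T09:03:40'; SubjectUserName = 'jdoe';  CommandLine = 'wmic  qfe list brief' }
    @{ TimeCreated = '2024-05-01T09:04:10'; SubjectUserName = 'jdoe';  CommandLine = 'reg  query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated' }
    @{ TimeCreated = '2024-05-01T09:30:00'; SubjectUserName = 'admin'; CommandLine = 'whoami /all' }
) | ForEach-Object { [pscustomobject]$_ }

Find-EnumerationBurst -Events $Sample | Format-List
```

On the sample, jdoe trips the rule (five distinct techniques in about four minutes) and admin does not. To run it against real data, pull Security 4688 events with Get-WinEvent and project them into the same three fields; on current Windows builds the command line is the ninth property of the event (index 8 in the Properties array, an assumption to confirm against the event XML in your environment) and it is empty unless command-line auditing is enabled.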
Frequently Asked Questions
Should I always run automated tools or start with manual enumeration?
Start manual, then validate with automated tools. Manual enumeration helps you understand the environment and often finds issues that automated tools miss due to their generic scanning patterns. Automated tools are great for coverage, but manual enumeration develops expertise.
What if I can't run cmd.exe or PowerShell?
Application whitelisting may block the interpreters but rarely every signed Microsoft binary. Try wmic.exe (often overlooked), mshta.exe, or look for a writable directory under an allowed path where you can place executables. These are living-off-the-land techniques built on signed Microsoft binaries (LOLBins).
How do I check service permissions without Sysinternals?
Use sc sdshow <servicename> to print the service's security descriptor in SDDL. Each ACE looks like (A;;CCLCSWLOCRRC;;;IU): A is an allow ACE, the letter pairs are rights, and the trailing field is the principal (AU = Authenticated Users, BU = Users, WD = Everyone, IU = Interactive users). The rights that matter for escalation are DC (SERVICE_CHANGE_CONFIG, repoint the binary path), WD (WRITE_DAC) and WO (WRITE_OWNER); RP and WP are only start and stop. Any of those three granted to a low-privileged principal is worth pursuing, and online SDDL parsers can help decode the rest.
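Reading SDDL by eye gets old after the third service. The following is an added example, not code from the original page: it runs sc sdshow for each service, parses the descriptor with the .NET RawSecurityDescriptor class, maps each ACE's access mask onto the service-specific rights, and flags allow ACEs that hand a low-privileged principal SERVICE_CHANGE_CONFIG, WRITE_DAC, WRITE_OWNER or a generic right that implies them. The set of "low-privileged" SIDs is an assumption (Everyone, Authenticated Users, Users, INTERACTIVE); add your own group SIDs from whoami /groups.

```powershell
# Added example, not from the original page: parse the SDDL that "sc sdshow"
# prints and flag access-allowed ACEs that give low-privileged principals rights
# that let them reconfigure the service or rewrite its ACL. Assumes sc.exe is on PATH.
$ServiceRights = @{
    0x00001 = 'QUERY_CONFIG';    0x00002 = 'CHANGE_CONFIG';  0x00004 = 'QUERY_STATUS'
    0x00008 = 'ENUM_DEPENDENTS'; 0x00010 = 'START';          0x00020 = 'STOP'
    0x00040 = 'PAUSE_CONTINUE';  0x00080 = 'INTERROGATE';    0x00100 = 'USER_DEFINED_CONTROL'
    0x10000 = 'DELETE';          0x20000 = 'READ_CONTROL';   0x40000 = 'WRITE_DAC'
    0x80000 = 'WRITE_OWNER';     0x10000000 = 'GENERIC_ALL'; 0x40000000 = 'GENERIC_WRITE'
}
# CHANGE_CONFIG lets a caller repoint the binary path; WRITE_DAC/WRITE_OWNER let them
# grant themselves anything; the generic bits map onto those.
$DangerousMask = 0x00002 -bor 0x40000 -bor 0x80000 -bor 0x10000000 -bor 0x40000000
# Assumed "any user" SIDs: Everyone, Authenticated Users, Users, INTERACTIVE.
$LowPrivSids = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545', 'S-1-5-4'

function Get-ServiceDaclAudit {
    param([Parameter(Mandatory)][string]$Name)
    # sc sdshow prints a blank line and then the SDDL; keep only the SDDL line.
    $sddl = (& sc.exe sdshow $Name 2>&1 | Where-Object { "$_" -match '^[DOGS]:' }) -join ''
    if (-not $sddl) { Write-Warning "no SDDL for $Name (missing service or access denied)"; return }
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace.AceType -ne [System.Security.AccessControl.AceType]::AccessAllowed) { continue }
        $sid = $ace.SecurityIdentifier
        try { $who = $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $who = $sid.Value }
        $rights = foreach ($bit in ($ServiceRights.Keys | Sort-Object)) {
            if ($ace.AccessMask -band $bit) { $ServiceRights[$bit] }
        }
        [pscustomobject]@{
            Service   = $Name
            Principal = $who
            Sid       = $sid.Value
            Rights    = $rights -join ','
            Dangerous = (($ace.AccessMask -band $DangerousMask) -ne 0) -and ($LowPrivSids -contains $sid.Value)
        }
    }
}

# Audit every service the current user can open and keep only the worrying ACEs.
Get-Service | ForEach-Object { Get-ServiceDaclAudit $_.Name } | Where-Object Dangerous | Format-Table -AutoSize
```

Pipe a single name into Get-ServiceDaclAudit without the Where-Object to see the full DACL of one service, dangerous or not. The rights table is deliberately a plain hashtable rather than [ordered]: an OrderedDictionary indexed with an integer returns the entry at that position, not the entry with that key, which would silently mislabel every right.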
🎯 Manual Enumeration - Locked In!
You now have a systematic approach to enumerating Windows systems using only built-in commands. Nothing to upload and nothing for AV to flag as a known tool; keep in mind, though, that command-line logging and EDR still record every one of these commands (see Detection Capabilities), so built-in does not mean invisible.
Ready to automate with WinPEAS and PowerUp →