Windows Commands

Mastering Windows Enumeration for Pentesters

While many new penetration testers begin their journey using Linux, it’s critical not to overlook the Windows operating system. Enterprise environments frequently run Windows-based infrastructure, and understanding how to enumerate, navigate, and interact with Windows systems is essential. This guide breaks down fundamental Windows concepts and commands that every pentester should know.


1. Windows File System Structure

Understanding the Windows directory structure helps locate sensitive files, user data, and services that may be misconfigured.

  • Drives: Windows uses lettered drives like C:, D:, etc. The C: drive is typically the main system partition.

  • C:\Program Files and C:\Program Files (x86): These directories store installed applications.

    • Program Files is for 64-bit applications.

    • Program Files (x86) is for 32-bit and legacy programs.

  • C:\Users: Contains individual user profiles. Each user folder holds data like:

    • Desktop

    • Documents

    • Downloads

    • AppData (which stores user-specific settings)

  • C:\Windows: Core system files, binaries, and libraries.

    • System and System32 contain critical .exe and .dll files.

  • C:\inetpub\wwwroot: Default directory for hosting websites in Internet Information Services (IIS).


2. Windows Command Line Basics

The Windows command line (cmd.exe) is case-insensitive and supports several built-in utilities.

  • Use /? to get help with any command. Example: net user /?

  • Use quotes for paths with spaces. Example: "C:\Program Files\Microsoft Office"

  • Use the up arrow key to view and reuse previous commands.


3. Common Enumeration Commands

These commands are critical during the post-exploitation or initial enumeration phase in Windows environments.

Identity and Privileges

whoami

Displays the user account the current shell is running as (in domain\user form).

echo %username%

Prints the username using environment variables.

whoami /all

Shows detailed information, including group memberships and privileges.

net user

Lists all local user accounts.

net user administrator

Provides details about the administrator account, including password settings and last login.


System Information

systeminfo

Displays OS version, architecture, hotfixes, domain info, and more. Useful for identifying potential vulnerabilities.
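As an added example that is not part of the original guide, the following Python script parses saved systeminfo output (for instance from systeminfo > sysinfo.txt) into a dictionary, extracts the build number and the installed KB hotfixes, and reports which entries of an expected patch list are absent. The sample output and the KB numbers embedded in it are constructed for illustration, not captured from a real host.

```python
import re
from typing import Any, Dict, List, Optional

# Constructed sample of `systeminfo` output (not captured from a real host). Real output has
# many more fields; the parser only relies on "Field:   value" lines and indented "[nn]: item" lists.
SAMPLE_SYSTEMINFO = """\
Host Name:                 WS-EXAMPLE01
OS Name:                   Microsoft Windows 10 Pro
OS Version:                10.0.19045 N/A Build 19045
System Type:               x64-based PC
Domain:                    corp.example.local
Hotfix(s):                 3 Hotfix(s) Installed.
                           [01]: KB5000001
                           [02]: KB5000002
                           [03]: KB5000003
Network Card(s):           1 NIC(s) Installed.
                           [01]: Example Virtual Ethernet Adapter
                                 Connection Name: Ethernet
"""

FIELD_RE = re.compile(r"^([A-Za-z0-9 ()/]+?):\s+(.*)$")  # "Field:   value"
ITEM_RE = re.compile(r"^\s+\[\d+\]:\s+(.*)$")             # "   [01]: item"

def parse_systeminfo(text: str) -> Dict[str, Any]:
    """Map each systeminfo field to its value; fields followed by "[nn]:" items
    (Hotfix(s), Network Card(s)) become lists of those items."""
    info: Dict[str, Any] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        field = FIELD_RE.match(line)
        if field and not line.startswith(" "):   # indented sub-lines are not new fields
            current = field.group(1).strip()
            info[current] = field.group(2).strip()
            continue
        item = ITEM_RE.match(line)
        if item and current is not None:
            value = info[current]
            if not isinstance(value, list):      # replace the "3 Hotfix(s) Installed." header
                info[current] = value = []
            value.append(item.group(1).strip())
    return info

def os_build(info: Dict[str, Any]) -> Optional[int]:
    """Numeric build from "OS Version: 10.0.19045 N/A Build 19045"."""
    m = re.search(r"Build (\d+)", str(info.get("OS Version", "")))
    return int(m.group(1)) if m else None

def installed_hotfixes(info: Dict[str, Any]) -> List[str]:
    """KB identifiers from the Hotfix(s) list (empty if none were reported)."""
    hotfixes = info.get("Hotfix(s)")
    return [h for h in hotfixes if h.startswith("KB")] if isinstance(hotfixes, list) else []

def missing_hotfixes(info: Dict[str, Any], expected: List[str]) -> List[str]:
    """Expected KBs that are not installed, for a quick patch-level check."""
    present = set(installed_hotfixes(info))
    return [kb for kb in expected if kb not in present]
```

Feed it a real capture with parse_systeminfo(open("sysinfo.txt", encoding="utf-8", errors="replace").read()) and compare the result against the KB list your patch baseline expects.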


File and Directory Listing

dir /a

Lists all files, including hidden and system files.

dir /s

Recursively lists all files in the current directory and subdirectories.

type filename.txt

Displays the contents of a file (similar to cat in Linux).

echo Some text > example.txt

Creates (or overwrites) a text file named example.txt containing the given text.

findstr "keyword" filename.txt

Searches for a string inside a text file (similar to grep in Linux).


Process Enumeration

tasklist

Displays all currently running processes. Helpful for spotting suspicious activity or checking if antivirus is running.


4. File Operations (Linux Equivalents)

These are basic file manipulation commands in Windows that resemble Linux tools.

  • Copying Files

copy file.txt D:\Backup\

  • Moving Files

move file.txt D:\Archive\

  • Deleting Files

del file.txt

  • Command History

doskey /history

Displays previously executed commands in the current session.


5. Practical Enumeration Script (Batch File)

Below is a sample batch script to automate some basic enumeration tasks.

@echo off
echo [+] Current User:
whoami

echo [+] Detailed User Info:
whoami /all

echo [+] Listing Local Users:
net user

echo [+] Administrator Account Info:
net user administrator

echo [+] System Details:
systeminfo

echo [+] File Listing (Hidden Included):
dir /a

echo [+] Recursive File Listing:
dir /s

echo [+] Running Processes:
tasklist

echo [+] Command History:
doskey /history

Save the above as enum.bat and execute it on the target system (with proper authorization) to gather useful information quickly.


Final Thoughts

Having a solid grasp of Windows commands is essential for any pentester. While automated tools exist, a manual understanding of the Windows environment strengthens your ability to identify misconfigurations and exploit opportunities. Always complement your Linux skills with Windows knowledge to be a well-rounded security professional.
