Installed Applications
We can enumerate the system for installed applications by checking each application's name and version. We may find vulnerable software installed that can be exploited to escalate our privileges. We may also find information left on the system, such as plain-text credentials, that belongs to other systems or services.
:: List Installed Applications and their Version
:: Note: wmic product is slow and makes Windows Installer run a consistency check on every MSI package it enumerates
wmic product get name,version
Another interesting thing is to look for particular text strings, hidden directories, backup files, etc.
:: Search for Files with Common Backup Extensions
dir C:\ /s /b | findstr /i "\.bak$ \.bkp$ \.old$ \.tmp$ \.~$"
:: Search for Files with Specific file Extensions
dir C:\ /s /b | findstr /i "\.zip$ \.rar$ \.7z$"
:: Search for Files Containing [backup] in their Names
dir C:\ /s /b | findstr /i "backup"
:: Search for Hidden Directories (PowerShell; -Directory and -Recurse restrict the result to directories in the whole tree)
Get-ChildItem -Hidden -Directory -Recurse -Path C:\Path\
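As an added example (not part of the original notes), the following PowerShell script performs the same inventory from a defender's side: it reads installed applications from the Uninstall registry keys, which is much faster than wmic product and does not trigger Windows Installer consistency checks, and then lists backup-style files and hidden directories under a chosen root so they can be reviewed for leftover credentials and cleaned up. $SearchRoot is an assumed parameter; set it to the drive or share being audited.

```powershell
# Added example, not from the original cheat sheet. Reads the installed-application
# inventory from the registry and searches one tree for backup files and hidden folders.
param(
    [string]$SearchRoot = 'C:\'   # assumption: root of the tree to audit
)

function Get-InstalledApplication {
    # The three Uninstall hives cover 64-bit, 32-bit (WOW6432Node) and per-user installs.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        Select-Object DisplayName, DisplayVersion, Publisher, InstallDate |
        Sort-Object DisplayName -Unique
}

function Find-BackupFile {
    param([string]$Root)
    # Same extensions and name fragment the findstr one-liners above look for.
    $patterns = '*.bak', '*.bkp', '*.old', '*.tmp', '*.zip', '*.rar', '*.7z', '*backup*'
    # -Force includes hidden and system files, which dir /b alone would skip.
    Get-ChildItem -Path $Root -Recurse -Force -File -Include $patterns -ErrorAction SilentlyContinue |
        Select-Object FullName, Length, LastWriteTime
}

function Find-HiddenDirectory {
    param([string]$Root)
    Get-ChildItem -Path $Root -Recurse -Directory -Hidden -ErrorAction SilentlyContinue |
        Select-Object FullName, LastWriteTime
}

"== Installed applications =="
Get-InstalledApplication | Format-Table -AutoSize

"== Backup-style files under $SearchRoot =="
Find-BackupFile -Root $SearchRoot | Sort-Object LastWriteTime -Descending | Format-Table -AutoSize

"== Hidden directories under $SearchRoot =="
Find-HiddenDirectory -Root $SearchRoot | Format-Table -AutoSize
```

Run it with a narrower root first (for example a user profile or a web root); a full-drive recursion over C:\ takes minutes and the -ErrorAction setting is what keeps access-denied folders from aborting the run.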
Internal Services
Internal network services are another source of information that expands our knowledge of other systems and the entire environment. The following are some commonly used internal services that are worth monitoring.
- DNS Services
- Email Services
- Network File Share
- Web Application
- Database Service
:: Display the Status of Running Services
net start
:: Get Exact Service Information (the % wildcards make the like clause match a partial name; ProcessId is the PID the service runs under)
wmic service where "name like '%Service Name%'" get Name,PathName,ProcessId
:: Find more Details about the Process
:: Note: Use the executable name from the [PathName] in the Previous Command (without .exe); the service name is often not the process name
Get-Process -Name "Name"
:: Check if the Current Service is Using a Port on the Network
:: Note: Use the process [Id] (PID) shown by the Previous Command
netstat -noa | findstr "LISTENING" | findstr "PID"
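The four commands above form one chain: service, then the process hosting it, then the port that process listens on. As an added example (not from the original notes), this PowerShell script runs the whole chain in one pass for every running service using Get-CimInstance, Get-Process and Get-NetTCPConnection, and exports the result so that a new listening port or a service running from an unexpected path stands out when a later run is compared with the baseline. It assumes Windows 8 / Server 2012 or later (for Get-NetTCPConnection) and write access to $env:TEMP.

```powershell
# Added example, not from the original cheat sheet. Maps each running service to its
# process and the TCP ports that process listens on, in a single pass.

function Get-ServiceListenerMap {
    # Listening TCP sockets grouped by owning PID; keys are strings for easy lookup.
    $listeners = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Group-Object -Property OwningProcess -AsHashTable -AsString
    if (-not $listeners) { $listeners = @{} }

    # Win32_Service carries the PID and start account, which the net start output lacks.
    $services = Get-CimInstance -ClassName Win32_Service -Filter "State='Running'"

    foreach ($svc in $services) {
        $key  = [string]$svc.ProcessId
        $proc = Get-Process -Id $svc.ProcessId -ErrorAction SilentlyContinue
        $procName = if ($proc) { $proc.ProcessName } else { '' }

        $ports = @()
        if ($listeners.ContainsKey($key)) {
            $ports = @($listeners[$key]) |
                ForEach-Object { '{0}:{1}' -f $_.LocalAddress, $_.LocalPort } |
                Sort-Object -Unique
        }

        [pscustomobject]@{
            Service     = $svc.Name
            DisplayName = $svc.DisplayName
            PID         = $svc.ProcessId
            Process     = $procName
            RunsAs      = $svc.StartName    # account the service runs under
            PathName    = $svc.PathName
            Listening   = ($ports -join ', ')
        }
    }
}

$map = Get-ServiceListenerMap

# Services that expose a network listener are the ones worth monitoring most closely.
$map | Where-Object { $_.Listening } | Sort-Object Service | Format-Table -AutoSize

# Keep the full map as a baseline; diff it against a later run with Compare-Object.
$baseline = Join-Path $env:TEMP 'service-baseline.csv'   # assumption: baseline location
$map | Export-Csv -Path $baseline -NoTypeInformation
```

Services hosted in a shared svchost.exe show the ports of that whole process, not just of the one service, so a port on such a line should be attributed by checking the other services with the same PID before acting on it.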