# Information Gathering

### 1. Network & System Information <a href="#id-1.-network-and-system-information" id="id-1.-network-and-system-information"></a>

* **Network Configuration:**
  * `ipconfig /all` → View detailed network interface configurations (IP, DNS, etc.).
  * `arp -a` → Display ARP cache (shows local network devices).
  * `route print` → View the system's routing table.
* **Service Information:**
  * `tasklist /svc` → List all running processes along with their services.
  * `netstat -ano` → Display active TCP/UDP connections and listening ports with process IDs.
* **System Info:**
  * `systeminfo` → Get a comprehensive overview of the system (OS version, architecture, hotfixes, etc.).
  * `systeminfo | findstr /B /C:"Domain"` → Show the domain the host is joined to (starting point for locating Domain Controllers).
  * `wmic product get name,version,vendor` → List installed software via the command line.
    * `Get-WmiObject -Class Win32_Product | select Name, Version` → List installed software via PowerShell.
  * `tree /f /a` → List files and directories recursively as a tree.
  * `dir /s /b *.log` → List full paths of files matching a pattern (here `*.log`).
  * `dir /s /b C:\*.kdbx` → List paths of KeePass database (`.kdbx`) files.

### **2. User & Privilege Enumeration** <a href="#id-2.-user-and-privilege-enumeration" id="id-2.-user-and-privilege-enumeration"></a>

* **Current User & Privileges:**
  * `whoami /priv` → List current user privileges.
  * `whoami /groups` → List group memberships for the current user.
  * `net user` → Get a list of all user accounts.
  * `net user /domain` → Get a list of all user accounts in the domain.
  * `net user <user>` → Get info about a specific user.
  * `net user <user> /domain` → Get info about a specific user in the domain.
  * `query user` → Display logged-in users on the system.
* **Groups & Password Policies:**
  * `net localgroup` → List all local groups.
  * `net localgroup "Backup Operators"` → List users in the Backup Operators group.
  * `net group /domain` → List groups in the domain.
  * `net group "<group>" /domain` → Show info about a domain group (members, comment).
  * `net accounts` → View password policies and other account-related configurations.

### **3. Security Tools & Configuration** <a href="#id-3.-security-tools-and-configuration" id="id-3.-security-tools-and-configuration"></a>

* **Windows Defender:**
  * `Get-MpComputerStatus` → Check the status of Windows Defender (active, signatures, etc.).
* **Allow RDP (Needs Admin):**
  * `reg add "HKLM\System\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0 /f` → Enable Remote Desktop connections by clearing `fDenyTSConnections`.
* **Disable Firewall (Needs Admin):**
  * `netsh advfirewall set allprofiles state off` → Turn off Windows Firewall for all profiles (domain, private, public).

### **4. World Writable Folders** <a href="#id-4.-world-writable-folders" id="id-4.-world-writable-folders"></a>

```
C:\Windows\System32\Microsoft\Crypto\RSA\MachineKeys
C:\Windows\System32\spool\drivers\color
C:\Windows\System32\spool\printers
C:\Windows\System32\spool\servers
C:\Windows\tracing
C:\Windows\Temp
C:\Users\Public
C:\Windows\Tasks
C:\Windows\System32\tasks
C:\Windows\SysWOW64\tasks
C:\Windows\System32\tasks_migrated\microsoft\windows\pls\system
C:\Windows\SysWOW64\tasks\microsoft\windows\pls\system
C:\Windows\debug\wia
C:\Windows\registration\crmlog
C:\Windows\System32\com\dmp
C:\Windows\SysWOW64\com\dmp
C:\Windows\System32\fxstmp
C:\Windows\SysWOW64\fxstmp
```
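
Added here as a check that is not part of the original checklist: a PowerShell audit over the folders listed above that reports every folder whose DACL grants create/write rights to a principal in the current user's token (user plus group SIDs). Assumption: Deny ACEs are not subtracted, so confirm any hit with `icacls <path>`.

```powershell
# Added example (not from the original checklist): audit the listed folders
# for write access granted to the current token. Deny ACEs are ignored
# (assumption); verify hits with icacls.
$Paths = @(
    'C:\Windows\System32\Microsoft\Crypto\RSA\MachineKeys',
    'C:\Windows\System32\spool\drivers\color',
    'C:\Windows\System32\spool\printers',
    'C:\Windows\System32\spool\servers',
    'C:\Windows\tracing',
    'C:\Windows\Temp',
    'C:\Users\Public',
    'C:\Windows\Tasks',
    'C:\Windows\System32\tasks',
    'C:\Windows\SysWOW64\tasks',
    'C:\Windows\debug\wia',
    'C:\Windows\registration\crmlog',
    'C:\Windows\System32\com\dmp',
    'C:\Windows\SysWOW64\com\dmp',
    'C:\Windows\System32\fxstmp',
    'C:\Windows\SysWOW64\fxstmp'
)

# All principals the current token carries: user name plus every group SID
# translated to an account name (SIDs that cannot be translated are skipped).
$Id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$MyPrincipals = @($Id.Name) + @($Id.Groups | ForEach-Object {
    try { $_.Translate([System.Security.Principal.NTAccount]).Value } catch { $null }
} | Where-Object { $_ })

# FileSystemRights.Write = CreateFiles|CreateDirectories|WriteAttributes|
# WriteExtendedAttributes; Modify and FullControl are supersets, so they match too.
$WriteMask   = [int][System.Security.AccessControl.FileSystemRights]::Write
$InheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly

foreach ($p in $Paths) {
    if (-not (Test-Path -LiteralPath $p)) { continue }
    try { $acl = Get-Acl -LiteralPath $p } catch { Write-Warning "Cannot read ACL: $p"; continue }
    foreach ($ace in $acl.Access) {
        # Only Allow ACEs that apply to the folder itself, not inherit-only ones
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (([int]$ace.PropagationFlags -band $InheritOnly) -ne 0) { continue }
        if (([int]$ace.FileSystemRights -band $WriteMask) -eq 0) { continue }
        if ($MyPrincipals -contains $ace.IdentityReference.Value) {
            [PSCustomObject]@{ Path = $p; Principal = $ace.IdentityReference.Value; Rights = $ace.FileSystemRights }
        }
    }
}
```

Each output row is a folder the current user can write into through the named principal; an empty result means none of the listed paths is writable for this token.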
