When enumerating Windows hosts, there are a number of tools you can use. Some of the more popular ones include:

  • Built-in commands and utilities
  • Nmap
  • rpcclient
  • Metasploit

You can use these tools to enumerate OS version, users, groups, shares, files, services, hardware, Registry keys, configurations, privileges, policies, and more. If you are already logged in to the target, you can run local commands to query the operating system directly. If not, some tools allow you to make a remote connection. In some cases, you do not need to use a privileged account to obtain good information. Prior to Windows Server 2003, you could even make a connection without a user name and password.

The following tables list some common commands for enumeration. Most of the built-in command-line commands are actually executables in themselves, but are designed to be used in a command prompt. Some of these commands have options for manipulating the data as well.

| Built-in Command-Line Command | Description |
| --- | --- |
| `dir /?` | Get help with the dir command. |
| `dir *.xlsx /s` | Search the current directory and all subdirectories for Excel spreadsheets. |
| `ipconfig /all` | Show all IP information for all interfaces. |
| `ipconfig /displaydns` | Display resolved DNS names. |
| `arp -a` | Display the ARP cache. |
| `route print` | Display the route table. |
| `net user` | List all users on this machine. |
| `net localgroup administrators` | List all members of the local administrators group. |
| `net share` | List all shares on this machine. |

| PowerShell Cmdlet | Description |
| --- | --- |
|  | List all installed PowerShell cmdlets. |
| `Get-Command Get-*` | List all cmdlets that start with "Get". |
|  | List all local users on the machine. |
|  | List all local groups on the machine. |
| `Get-LocalGroupMember <group name>` | List all members of the given group. |
|  | List websites on the machine. |
|  | List items and child items in a folder or Registry key. |

Get-ChildItem -Path C:\ -Include *.docx,*.xlsx,*.txt -File -Recurse -ErrorAction SilentlyContinue | Select-String password

Starting from C:\ recursively search every Word, Excel, and text file for the word "password", and display the path, file name, line number, and text on that line.

Note: To learn more about PowerShell, visit https://mva.microsoft.com/learning-path/powershell-beginner-12.


Common ways to use Nmap for host enumeration are to fingerprint the operating system and interrogate its services. You can also use NSE scripts for enumeration. Here are some examples:

nmap -O <target>
nmap -sV <target>
nmap --script=smb-os-discovery <target>

Rpcclient has over 200 commands for enumeration and configuration. It runs on Linux and works against both Windows and Linux Samba computers. If you are not already logged onto the target, you must first make a connection, providing a password when prompted. Administrative or SYSTEM level privileges (from a compromised host) will give you the best results.

Here is an example of using rpcclient to enumerate server information and user accounts on the target. Enter these commands separately:

rpcclient <target IP> -U <username>
lookupnames administrator

Now use the lookupsids command to discover new users by Security ID (SID). Copy the administrator's SID and change the last set of numbers to 1000. Increment from there.

Note: The administrator SID always ends in 500. Even if you rename the administrator account, this number will never change.
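
Seen from the defender's side, the SID lookups described above show up as one source resolving many distinct RIDs under the same domain SID in a short time. The following is an added example, not part of the original text or of any tool named here. The record format ("epoch source SID"), the addresses, the domain SID, and the thresholds are constructed assumptions.

```python
from collections import defaultdict

def split_sid(sid):
    """Split 'S-1-5-21-<a>-<b>-<c>-<rid>' into (domain prefix, RID)."""
    prefix, _, rid = sid.rpartition("-")
    if not prefix.startswith("S-1-") or not rid.isdigit():
        raise ValueError(f"not a SID: {sid!r}")
    return prefix, int(rid)

def find_rid_cycling(lines, window=60, min_rids=20):
    """Return (source, domain prefix, lowest RID, highest RID) for each source
    that looked up at least min_rids distinct RIDs under one domain prefix
    within any span of `window` seconds."""
    seen = defaultdict(list)            # (source, prefix) -> [(timestamp, rid)]
    for line in lines:
        ts, src, sid = line.split()
        prefix, rid = split_sid(sid)
        seen[(src, prefix)].append((int(ts), rid))
    alerts = []
    for (src, prefix), events in seen.items():
        events.sort()
        start = 0
        for end, (ts, _) in enumerate(events):
            while ts - events[start][0] > window:   # slide the window forward
                start += 1
            rids = {rid for _, rid in events[start:end + 1]}
            if len(rids) >= min_rids:
                alerts.append((src, prefix, min(rids), max(rids)))
                break                                # one alert per source/domain
    return alerts

# Constructed sample input (hypothetical record format "epoch source sid").
DOMAIN = "S-1-5-21-1111-2222-3333"
SAMPLE = [
    f"100 10.0.0.7 {DOMAIN}-500",       # isolated lookups from a workstation
    f"5000 10.0.0.7 {DOMAIN}-1001",
    f"9000 10.0.0.7 {DOMAIN}-1001",
] + [f"{100 + i} 10.0.0.50 {DOMAIN}-{1000 + i}" for i in range(40)]  # sequential sweep

if __name__ == "__main__":
    for src, prefix, low, high in find_rid_cycling(SAMPLE):
        print(f"possible RID cycling from {src}: {prefix}-{low}..{high}")
```
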


Metasploit also has several enumeration modules. Just like the rpcclient lookupsids command, the smb_lookupsid Metasploit module enumerates users by brute forcing possible SIDs. In the following example, the credentials of a standard (non-privileged) user named moo are used against a particular host. Since user relative IDs (RIDs) start at 1000, the example sets a range of 1000 to 1100, searching for the first 100 user accounts that were created.

use /auxiliary/scanner/smb/smb_lookupsid
set SMBUser moo
set SMBPass Pa22w0rd
set MinRID 1000
set MaxRID 1100