# Network Info - Determine whether our foothold is dual-homed using `ipconfig /all` - This command will also show DNS info - For host discovery, check routing tables with `route print` also check arp table with `arp -a` ```cmd ipconfig /all route print arp -a ``` # Enumerating Protections - Most modern systems/environments have AV or EDR services to monitor, alert, and block threats - Many orgs utilize solutions like  [AppLocker](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview) to perform app whitelisting, for example, on a user or role basis - To this end, non-admin user may be blocked from using `cmd.exe` or `powershell.exe` - Some EDR tools detect on or even block usage of common binaries such as `net.exe`, `tasklist`, etc. ## Check Defender Status ```powershell Get-MpComputerStatus ``` ## List AppLocker Rules ```powershell Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections ``` ## Test AppLocker Policy ```powershell Get-AppLockerPolicy -Local | Test-AppLockerPolicy -path C:\Windows\System32\cmd.exe -User Everyone ``` --- # Exercise - `ping` test ![[images/Pasted image 20260216195310.png]] - `nmap` scan ![[images/Pasted image 20260216195458.png]] - `rdp` into target with given creds ```bash xfreerdp3 /v:10.129.9.234 /u:htb-student /p:"HTB_@cademy_stdnt!" /dynamic-resolution ``` ![[images/Pasted image 20260216195442.png]] - light internal enum ![[images/Pasted image 20260216195637.png]] - applocker enum ![[images/Pasted image 20260216195959.png]] ![[images/Pasted image 20260216200011.png]]