
Information gathering (windows)

Automated Enumeration Tools


  • accesschk.exe
  • winPEASany.exe
  • Seatbelt.exe
  • PowerUp.ps1
  • SharpUp.exe
  • Autoruns64.exe
  • windows-privesc-check2.exe: https://github.com/pentestmonkey/windows-privesc-check
  • windows-exploit-suggester

windows-exploit-suggester

/opt/windows/windows-exploit-suggester systeminfo.out -i "Elevation of Privilege" -e > exploits.txt

Host


hostname

List files

dir
ls
ls -force
Get-ChildItem
gci

System Information


systeminfo
systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type"

User


user information

whoami
net user <user-name>
get-localuser
get-localuser -name <user-name> | select *
user privileges
whoami /priv

Users

users on the system

net user

Groups

available domain groups (run on a Windows Domain Controller)

net group
available local groups
net localgroup
show the current user's groups
whoami /groups
show all users in a group
net localgroup Administrators

Cron


scheduled tasks

schtasks /query /fo LIST /v
schtasks /query /fo LIST /v | findstr /v "\Microsoft"

Permissions


.\accesschk.exe -uwdq "C:\Program Files\Unquoted Path Service\"

Process


list processes that are mapped to a specific Windows service

tasklist /SVC
Get-Process

Service


show services with the account they run as

wmic service get name,startname
Get-WmiObject win32_service | ?{$_.State -like 'Running'} | select Name, DisplayName, PathName
Get-WmiObject win32_service | select Name, DisplayName, PathName

Directory permission


get-acl -path "C:\Program Files\Unquoted Path Service\" | Format-Table -wrap
get-acl -path "C:\Program Files\Unquoted Path Service\" | Format-List

Network


TCP/IP configuration

ipconfig /all
routing tables
route print
active network connections
netstat -n
netstat -na
discover other systems on the same LAN
arp -a
firewall
netsh advfirewall show currentprofile
netsh advfirewall firewall show rule name=all
test connection
Test-NetConnection -ComputerName 127.0.0.1 -Port 80

Installed Applications

installed applications

wmic product get name, version, vendor
installed updates (hotfixes)
wmic qfe get Caption, Description, HotFixID, InstalledOn
Windows antivirus
Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntivirusProduct
Windows Defender
Get-Service WinDefend
Get-MpThreat
Get-MpComputerStatus | select RealTimeProtectionEnabled
firewall
Get-NetFirewallProfile | Format-Table Name, Enabled
Get-NetFirewallRule | select DisplayName, Enabled, Description
Get-NetFirewallRule -DisplayName THM-Connection | select *

Events

get-eventlog -list

Readable/Writable Files and Directories

accesschk.exe -uws "Everyone" "C:\Program Files"
  • -u to suppress errors
  • -w to search for write access permissions
  • -s to perform a recursive search
Get-ChildItem "C:\Program Files" -Recurse | Get-ACL | ?{$_.AccessToString -match "Everyone\sAllow\s\sModify"}
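The Cron, Service, Directory permission and Readable/Writable sections above each answer one part of the same question by hand: can a low-privileged principal change what a service or scheduled task will execute? The script below is an added audit example, not code from the original page. It assumes Windows PowerShell 5.1 or later with the ScheduledTasks module (Windows 8 / Server 2012 and newer); the list of principals treated as "low privilege" is a constructed choice and should be extended to match the environment.

```powershell
# Added audit example (not from the original page). Assumes Windows PowerShell 5.1+
# and the ScheduledTasks module; $LowPrivPrincipals is a constructed list.
$LowPrivPrincipals = @('Everyone', 'BUILTIN\Users',
                       'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
# Rights that let someone plant or replace a file at a location.
$WriteMask = [System.Security.AccessControl.FileSystemRights]'CreateFiles, Delete, Write, Modify, FullControl'

function Test-LowPrivWritable {
    # Returns the Allow ACEs granting a $WriteMask right to a low-privileged principal
    # (empty when there are none), so callers can report who holds the right.
    param([Parameter(Mandatory)][string]$Path)
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return @() }
    $acl.Access | Where-Object {
        ($_.AccessControlType -eq 'Allow') -and
        ($LowPrivPrincipals -contains $_.IdentityReference.Value) -and
        (($_.FileSystemRights -band $WriteMask) -ne 0)
    }
}

function Get-ServicePathExposure {
    # Services whose binary, its directory, or (for unquoted paths with spaces) any
    # location the loader probes first is writable by a low-privileged principal.
    foreach ($svc in Get-CimInstance Win32_Service) {
        $raw = $svc.PathName
        if (-not $raw) { continue }
        $quoted = $raw.StartsWith('"')
        if ($quoted) { $exe = $raw.Split('"')[1] }
        elseif ($raw -match '^(.*?\.exe)') { $exe = $Matches[1] }
        else { continue }
        $unquotedWithSpaces = (-not $quoted) -and ($exe -match ' ')
        $locations = @($exe, (Split-Path -Parent $exe))
        if ($unquotedWithSpaces) {
            # CreateProcess tries C:\Program.exe, C:\Program Files\Unquoted.exe, ... before
            # the real binary, so the parent directory of every space-split prefix counts.
            $parts = $exe -split ' '
            for ($i = 1; $i -lt $parts.Count; $i++) {
                $locations += Split-Path -Parent ($parts[0..($i - 1)] -join ' ')
            }
        }
        foreach ($loc in ($locations | Where-Object { $_ } | Select-Object -Unique)) {
            $hits = @(Test-LowPrivWritable -Path $loc)
            if ($hits.Count -eq 0) { continue }
            [pscustomobject]@{
                Service   = $svc.Name
                RunsAs    = $svc.StartName
                Unquoted  = $unquotedWithSpaces
                Location  = $loc
                Principal = ($hits.IdentityReference.Value -join ', ')
            }
        }
    }
}

function Get-TaskActionExposure {
    # Non-Microsoft scheduled tasks whose action binary or its directory is writable
    # by a low-privileged principal; RunsAs shows whose context would be affected.
    $tasks = Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' }
    foreach ($task in $tasks) {
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }   # COM-handler actions have no Execute
            $exe = [Environment]::ExpandEnvironmentVariables($action.Execute.Trim('"'))
            $locations = @($exe, (Split-Path -Parent $exe)) | Where-Object { $_ } | Select-Object -Unique
            foreach ($loc in $locations) {
                $hits = @(Test-LowPrivWritable -Path $loc)
                if ($hits.Count -eq 0) { continue }
                [pscustomobject]@{
                    Task      = ($task.TaskPath + $task.TaskName)
                    RunsAs    = $task.Principal.UserId
                    RunLevel  = $task.Principal.RunLevel
                    Location  = $loc
                    Principal = ($hits.IdentityReference.Value -join ', ')
                }
            }
        }
    }
}

function Find-LowPrivWritable {
    # Directory walk behind the AccessToString regex above, decoding the rights
    # flags and identity instead of matching the rendered string.
    param([string]$Root = 'C:\Program Files')
    Get-ChildItem -LiteralPath $Root -Recurse -Directory -ErrorAction SilentlyContinue |
        ForEach-Object {
            $hits = @(Test-LowPrivWritable -Path $_.FullName)
            if ($hits.Count -gt 0) {
                [pscustomobject]@{
                    Path      = $_.FullName
                    Principal = ($hits.IdentityReference.Value -join ', ')
                }
            }
        }
}

Get-ServicePathExposure | Format-Table -AutoSize
Get-TaskActionExposure  | Format-Table -AutoSize
Find-LowPrivWritable    | Format-Table -AutoSize
```

Run it from an elevated prompt so every service path and task is readable. ACEs expressed with generic rights bits (shown by Get-Acl as large raw numbers rather than names) are not decoded by the mask test, so an empty result means no decoded hits, not a clean bill of health; each reported location is a candidate for tightening the ACL or quoting the service path.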

Disks

enumerate all disks

mountvol

Device Drivers and Kernel Modules

enumerate drivers

driverquery.exe /v /fo csv | ConvertFrom-CSV | Select-Object 'Display Name', 'Start Mode', Path
get details
Get-WmiObject Win32_PnPSignedDriver | Select-Object DeviceName, DriverVersion, Manufacturer | Where-Object {$_.DeviceName -like "*VMware*"}

Binaries That AutoElevate

If this policy is enabled under HKEY_CURRENT_USER or HKEY_LOCAL_MACHINE, any user can run Windows Installer with elevated privileges.

reg query HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer
reg query HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer
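A check that reads both keys queried above and reports the combined state, added here as an example rather than code from the original page. It assumes the policy value is named AlwaysInstallElevated (which is its documented name) and, per Microsoft's documentation for the policy, that Windows Installer only honours it when the value is 1 under both HKLM and HKCU; a value present in one hive alone is still worth cleaning up.

```powershell
# Added example (not from the original page). Reports the AlwaysInstallElevated
# policy state under the two keys the page queries; assumes the value name
# AlwaysInstallElevated and that both hives must be 1 for the policy to apply.
function Get-AlwaysInstallElevatedState {
    $keys = @{
        Machine = 'HKLM:\Software\Policies\Microsoft\Windows\Installer'
        User    = 'HKCU:\Software\Policies\Microsoft\Windows\Installer'
    }
    $state = @{}
    foreach ($scope in @('Machine', 'User')) {
        # A missing key or value means "not configured", which is treated as 0.
        $item = Get-ItemProperty -Path $keys[$scope] -Name AlwaysInstallElevated -ErrorAction SilentlyContinue
        $state[$scope] = [int](($item.AlwaysInstallElevated -as [int]) -eq 1)
    }
    $remediation = if ($state.Machine -eq 1 -or $state.User -eq 1) {
        'Set "Always install with elevated privileges" to Disabled under both Computer and User ' +
        'Configuration > Administrative Templates > Windows Components > Windows Installer'
    } else { 'None' }
    [pscustomobject]@{
        MachineValue = $state.Machine
        UserValue    = $state.User
        Effective    = ($state.Machine -eq 1 -and $state.User -eq 1)
        Remediation  = $remediation
    }
}

Get-AlwaysInstallElevatedState
```

Effective is only true when both values are 1; MachineValue and UserValue are reported separately so a half-configured policy (one hive set, the other not) is still visible to whoever maintains the baseline.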

Shares

net share

PowerView.ps1


File: https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1

find / -name PowerView.ps1 2>/dev/null
/usr/share/windows-resources/powersploit/Recon/PowerView.ps1
Import the module
Import-Module .\PowerView.ps1
User
get-netuser
get-netuser | select name,description
(get-netuser).name
Groups
get-netgroup
(get-netgroup).name
Group Member
Get-NetGroupMember "Domain Admins" | select GroupName,MemberName
Shares
Find-DomainShare
Find-DomainShare -CheckShareAccess
Domain
Get-NetDomainController