Information gathering

Automated Enumeration Tools


  • accesschk.exe
  • winPEASany.exe
  • Seatbelt.exe
  • PowerUp.ps1
  • SharpUp.exe
  • Autoruns64.exe
  • windows-privesc-check2.exe: https://github.com/pentestmonkey/windows-privesc-check

PowerView.ps1


File https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1

find / -name PowerView.ps1 2>/dev/null
/usr/share/windows-resources/powersploit/Recon/PowerView.ps1
Import Module
Import-Module .\PowerView.ps1
User
get-netuser
get-netuser | select name,description
(get-netuser).name
Groups
get-netgroup
(get-netgroup).name
Group Member
Get-NetGroupMember "Domain Admins" | select GroupName,MemberName
Shares
Find-DomainShare
Find-DomainShare -CheckShareAccess
Domain
Get-NetDomainController

Host


hostname

System Information


systeminfo
systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type"

User


user information

whoami
net user <user-name>
get-localuser
get-localuser -name <user-name> | select *
user permission
whoami /priv

Users

list all user accounts on the system

net user

Groups

show current user groups

whoami /groups
show all users in a group
net localgroup Administrators

Cron


scheduled tasks

schtasks /query /fo LIST /v

Permissions


check the service directory permissions (-u suppress errors, -w write access only, -d directories only, -q omit banner); no trailing backslash before the closing quote, or cmd.exe passes the quote as part of the path
.\accesschk.exe -uwdq "C:\Program Files\Unquoted Path Service"

Process


list processes and the Windows service each one is mapped to

tasklist /SVC
Get-Process

Service


Get-WmiObject win32_service | ?{$_.State -like 'Running'} | select Name, DisplayName, PathName
Get-WmiObject win32_service | select Name, DisplayName, PathName

Directory permission


get-acl -path "C:\Program Files\Unquoted Path Service\" | Format-Table -wrap
get-acl -path "C:\Program Files\Unquoted Path Service\" | Format-List
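Added example (not part of the original notes) that combines the Service and Directory permission checks above: it lists services whose binary path is unquoted and contains spaces, then reports whether the current user can write to each directory Windows would search before the real binary. Assumes Windows PowerShell 5.1 (for Get-WmiObject); the function names and the temporary-file write probe are my own.

```powershell
# Added example: audit unquoted service paths and report which directory along
# each path the current user could write to. Function names are hypothetical.
function Test-WritableDirectory {
    param([string]$Path)
    # Probe write access by creating and immediately deleting a temporary file.
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) { return $false }
    $probe = Join-Path $Path ([System.IO.Path]::GetRandomFileName())
    try {
        [System.IO.File]::WriteAllText($probe, '')
        Remove-Item -LiteralPath $probe -Force
        return $true
    } catch {
        return $false
    }
}

function Get-UnquotedServicePath {
    Get-WmiObject -Class Win32_Service | ForEach-Object {
        $svc  = $_
        $path = $svc.PathName
        if (-not $path -or $path.StartsWith('"')) { return }   # quoted or empty: fine
        # Keep only the executable, dropping any service arguments after .exe
        $exe = if ($path -match '(?i)^(.*?\.exe)') { $Matches[1] } else { $path }
        # Spaces in the binary path (not in its arguments) are what matters;
        # built-in services under %SystemRoot% are skipped as noise.
        if ($exe -notmatch ' ' -or $exe -like "$env:SystemRoot*") { return }
        # At every space Windows first tries a shorter path (C:\Program.exe, ...),
        # so the parent directory of each truncation point must not be writable.
        $seen  = @{}
        $parts = $exe -split ' '
        for ($i = 1; $i -lt $parts.Count; $i++) {
            $dir = Split-Path -Path ($parts[0..($i - 1)] -join ' ') -Parent
            if (-not $dir -or $seen.ContainsKey($dir)) { continue }
            $seen[$dir] = $true
            [pscustomobject]@{
                Service   = $svc.Name
                StartMode = $svc.StartMode
                RunAs     = $svc.StartName
                PathName  = $path
                Directory = $dir
                Writable  = Test-WritableDirectory -Path $dir
            }
        }
    }
}

# Rows with Writable = True are the ones to fix: quote the service ImagePath.
Get-UnquotedServicePath | Format-Table -AutoSize
```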

Network


TCP/IP configuration

ipconfig /all
routing tables
route print
active network connections
netstat -ano
firewall
netsh advfirewall show currentprofile
netsh advfirewall firewall show rule name=all

Installed Applications

application

wmic product get name, version, vendor

updates

wmic qfe get Caption, Description, HotFixID, InstalledOn

Readable/Writable Files and Directories

accesschk.exe -uws "Everyone" "C:\Program Files"
  • -u to suppress errors
  • -w to search for write access permissions
  • -s to perform a recursive search
Get-ChildItem "C:\Program Files" -Recurse | Get-ACL | ?{$_.AccessToString -match "Everyone\sAllow\s\sModify"}

Disks

mountvol

Device Drivers and Kernel Modules

enumerate drivers

driverquery.exe /v /fo csv | ConvertFrom-CSV | Select-Object 'Display Name', 'Start Mode', Path
get details
Get-WmiObject Win32_PnPSignedDriver | Select-Object DeviceName, DriverVersion, Manufacturer | Where-Object {$_.DeviceName -like "*VMware*"}

Binaries That AutoElevate

If this policy key is enabled under HKEY_CURRENT_USER or HKEY_LOCAL_MACHINE, any user can run Windows Installer packages with elevated privileges.

reg query HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer
reg query HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer