Windows
NOTE: Items to enumerate on a Windows host:
Username and hostname
Group memberships of the current user
Existing users and groups
Operating system, version and architecture
Network information
Installed applications
Running processes
Interesting Directories
C:\
# Custom folders
C:\Scripts\
C:\Tools\
C:\Backups\
# To look for the SAM and SYSTEM files
C:\Windows\System32\config\
# To look for scheduled tasks
C:\Windows\System32\Tasks\
# To look for programs that run on start up
C:\Windows\System32\GroupPolicy\Machine\Scripts\Startup\
# Web Servers folders
C:\xampp\
C:\inetpub\wwwroot\
Interesting Files
Command Prompt
where /r C:\Users *.txt *.pdf *.xls *.xlsx *.doc *.docx *.ini *.log *.ps1 *.kdbx
where /r C:\ *.uac *.dll
where /r C:\ SAM SYSTEM
where /r C:\ local.txt proof.txt
# Display ALL files
dir /a /s
Powershell
Get-ChildItem -Path C:\Users -Include *.txt,*.pdf,*.xls,*.xlsx,*.doc,*.docx,*.ini,*.log,*.ps1,*.kdbx -File -Recurse -ErrorAction SilentlyContinue
Get-ChildItem -Path C:\ -Include *.uac,*.dll -File -Recurse -ErrorAction SilentlyContinue
Get-ChildItem -Path C:\ -Include SAM,SYSTEM -File -Recurse -ErrorAction SilentlyContinue
Get-ChildItem -Path C:\ -Include local.txt,proof.txt -File -Recurse -ErrorAction SilentlyContinue
# Display ALL files
ls -Force
User Permissions
User Information
whoami /all
NOTE: The above command combines the output of the following three commands
whoami /user
whoami /priv
whoami /groups
Page links to different permission attacks (?)
User Enumeration
Get all users on the current machine
net user [/domain]
Get-LocalUser
Get information on a particular user
net user <Username> [/domain]
Get groups on domain
net group [/domain]
Get-LocalGroup
Get users in a particular group
Get-LocalGroupMember "<Group Name>"
Get information on a particular group in the domain
net group <Group Name> /domain
Get local administrators
net localgroup administrators
Get SMB shares
net share
Get password requirements
net accounts
System Enumeration
Get important information
systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type" /C:"Domain" /C:"Network Card"
Get port information
netstat -ano
Get network information
ipconfig /all
Get current console
(dir 2>&1 *`|echo CMD);&<# rem #>echo PowerShell
Installed programs
Get-ItemProperty "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname
Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname
Web Root Directory
dir C:\inetpub\wwwroot
dir C:\xampp\htdocs
dir C:\<Directory Name>\xampp\htdocs
NOTE: Directory names that indicate a web root:
.htaccess
public_html
www
htdocs
httpdocs
Get History
Get-History
(Get-PSReadlineOption).HistorySavePath
PowerView
NOTE: Remember to run the following
powershell -ep bypass
Import-Module .\PowerView.ps1
Enumerate Users in the Domain
Get-NetUser
To get filtered result
Get-NetUser | select <Field Name> ...
EXAMPLE:
Get-NetUser | select samaccountname, cn, pwdlastset, lastlogon
To get specific information of a particular user
Get-NetUser <Username>
Enumerate Groups in the Domain
Get-NetGroup
To get filtered result
Get-NetGroup | select <Field name> ...
EXAMPLE:
Get-NetGroup | select cn
To get specific information of a particular group
Get-NetGroup <Group Name>
Enumerate Computers in the Domain
Get-NetComputer
To get filtered result
Get-NetComputer | select <Field name> ...
EXAMPLE:
Get-NetComputer | select operatingsystem, dnshostname
To get specific information of a particular computer
Get-NetComputer <DNS Host Name>
To look for computers on which the current user has local administrative rights
Find-LocalAdminAccess
To look for logged-on users on a target machine
Get-NetSession -ComputerName <Computer Name> -Verbose
NOTE: If the query fails or returns nothing, check the permissions first.
Permissions for NetSessionEnum are defined by the SrvsvcSessionInfo value under the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\DefaultSecurity
Alternatives
C:\Tools\PSTools\PsLoggedon.exe \\<Host Name>
NOTE: The remote machine must have the Remote Registry service enabled
To check for permissions
Get-Acl -Path <Registry Hive>:<Registry Path> | fl
EXAMPLE:
Get-Acl -Path HKLM:SYSTEM\CurrentControlSet\Services\LanmanServer\DefaultSecurity\ | fl
Get-ObjectAcl -SamAccountName <Username> -ResolveGUIDs | fl
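Get-Acl on the DefaultSecurity key only shows the ACL of the key itself; the permission that governs NetSessionEnum is the binary security descriptor stored in the SrvsvcSessionInfo value. The following script is an added example (not from the original page) that decodes that value so an administrator can audit which principals are allowed to enumerate sessions on the host; it assumes it runs locally with read access to HKLM.

```powershell
# Added example: decode the SrvsvcSessionInfo security descriptor and list its ACEs.
# Run on the host being audited; requires read access to the LanmanServer key.
$keyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\DefaultSecurity'
$bytes   = (Get-ItemProperty -Path $keyPath -Name SrvsvcSessionInfo).SrvsvcSessionInfo

# The REG_BINARY value is a self-relative security descriptor; parse it from offset 0.
$sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($bytes, 0)

foreach ($ace in $sd.DiscretionaryAcl) {
    $sid = $ace.SecurityIdentifier
    try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $name = $sid.Value }   # unresolvable SID: print it raw instead of failing

    [PSCustomObject]@{
        Principal  = $name
        AceType    = $ace.AceType                      # AccessAllowed / AccessDenied
        AccessMask = ('0x{0:X8}' -f $ace.AccessMask)   # raw rights bits granted by this ACE
    }
}
```

An Authenticated Users entry in this list means any domain account can query sessions on the host; hosts hardened with the NetCease change no longer carry that ACE.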
To enumerate Service Principal Name
Get-NetUser -SPN | select samaccountname, serviceprincipalname
To enumerate ACEs
Get-ObjectAcl -Identity "<Username | Group Name>"
NOTE: Look out for ActiveDirectoryRights and SecurityIdentifier
To enumerate interesting ACL
Find-InterestingDomainAcl | select identityreferencename,activedirectoryrights,acetype,objectdn | ?{$_.IdentityReferenceName -notmatch "DnsAdmins"} | ft
To enumerate all principals that have ActiveDirectoryRights = GenericAll over a group
Get-ObjectAcl -Identity "<Group Name>" | ? {$_.ActiveDirectoryRights -eq "GenericAll"} | select SecurityIdentifier, ActiveDirectoryRights
To enumerate all principals that have ActiveDirectoryRights = GenericWrite over a group
Get-ObjectAcl -Identity "<Group Name>" | ?{$_.ActiveDirectoryRights -eq "GenericWrite"} | select SecurityIdentifier, ActiveDirectoryRights
To convert SIDs to names in bulk
"<SID>", "<SID>", "<SID>", "<SID>", "<SID>" | Convert-SidToName
To convert a single SID to a name
Convert-SidToName "<SID>"
Add a user to a domain group
net group "<Group Name>" <Username> /add /domain
To enumerate all shares in the domain
Find-DomainShare
To enumerate shares accessible to the current user
Find-DomainShare -CheckShareAccess
To enumerate Group Policy
Get-GPO -Name "<Group Policy Name>"
EXAMPLE:
Get-GPO -Name "Default Domain Policy"
To enumerate a user's permissions on a group policy object
Get-GPPermission -Guid <Group Unique ID> -TargetType User -TargetName <Username>
NOTE: Only relevant if the returned permission contains "ModifySecurity" or "FullControl"
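Checking one user against one GPO at a time does not scale for an audit. The following script is an added example (not from the original page) that walks every GPO in the domain and reports each trustee holding the edit or security-modification rights the note above refers to; it assumes the GroupPolicy RSAT module is installed and runs from a domain-joined host with read access to Group Policy.

```powershell
# Added example: report GPO delegations that grant edit or security-modification rights.
# Assumes the GroupPolicy module (RSAT) is available on a domain-joined host.
Import-Module GroupPolicy

# Permission levels that allow changing the GPO or its security (the "ModifySecurity"/
# "FullControl" class of rights); GpoRead and GpoApply are deliberately excluded.
$interesting = @('GpoEdit', 'GpoEditDeleteModifySecurity')

Get-GPO -All | ForEach-Object {
    $gpo = $_
    # -All returns one entry per trustee on this GPO's ACL
    Get-GPPermission -Guid $gpo.Id -All |
        Where-Object { $interesting -contains $_.Permission.ToString() } |
        ForEach-Object {
            [PSCustomObject]@{
                GPO        = $gpo.DisplayName
                Guid       = $gpo.Id
                Trustee    = $_.Trustee.Name
                Permission = $_.Permission
                Inherited  = $_.Inherited
            }
        }
} | Sort-Object GPO, Trustee | Format-Table -AutoSize
```

Expect Domain Admins, Enterprise Admins and SYSTEM on every GPO; any other trustee in the output is a delegation worth reviewing.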
BloodHound
To import BloodHound
Import-Module C:\Tools\Bloodhound.ps1
To begin enumeration with BloodHound
Invoke-BloodHound -CollectionMethod All -OutputDirectory <Path> -OutputPrefix "corp audit"
On kali:
sudo neo4j start
NOTE: Head over to http://localhost:7474
Username: neo4j
Password: arctic-iris-zipper-prism-courage-7161