# Windows

{% embed url="https://wadcoms.github.io/" %}

> **NOTE: Information worth collecting first:**
>
> * Username and hostname
> * Group memberships of the current user
> * Existing users and groups
> * Operating system, version and architecture
> * Network information
> * Installed applications
> * Running processes

## Interesting Directory

```
C:\

# Custom folders
C:\Scripts\
C:\Tools\
C:\Backups\

# To look for SAM, SYSTEM file
C:\Windows\System32\config\

# To look for scheduled tasks
C:\Windows\System32\Tasks\

# To look for programs that run at startup
C:\Windows\System32\GroupPolicy\Machine\Scripts\Startup\

# Web Servers folders
C:\xampp\
C:\inetpub\wwwroot\
```

## Interesting Files

Command Prompt

{% code overflow="wrap" %}

```
where /r C:\Users *.txt *.pdf *.xls *.xlsx *.doc *.docx *.ini *.log *.ps1 *.kdbx

where /r C:\ *.uac *.dll

where /r C:\ SAM SYSTEM

where /r C:\ local.txt proof.txt

# Display ALL files
dir /a /s
```

{% endcode %}

Powershell

{% code overflow="wrap" %}

```
Get-ChildItem -Path C:\Users -Include *.txt,*.pdf,*.xls,*.xlsx,*.doc,*.docx,*.ini,*.log,*.ps1,*.kdbx -File -Recurse -ErrorAction SilentlyContinue

Get-ChildItem -Path C:\ -Include *.uac,*.dll -File -Recurse -ErrorAction SilentlyContinue

Get-ChildItem -Path C:\ -Include SAM,SYSTEM -File -Recurse -ErrorAction SilentlyContinue

Get-ChildItem -Path C:\ -Include local.txt,proof.txt -File -Recurse -ErrorAction SilentlyContinue

# Display ALL files
ls -Force
```

{% endcode %}

## User Permissions

User Information

```shell
whoami /all
```

> **NOTE: The above command combines the output of the following**
>
> ```shell
> whoami /user
> ```
>
> ```shell
> whoami /priv
> ```
>
> ```shell
> whoami /groups
> ```

Page links to different permission attacks (?)

## User Enumeration

Get all users on the current machine

```shell
net user [/domain]
```

```powershell
Get-LocalUser
```

Get information on a particular user

```shell
net user <Username> [/domain]
```

Get groups on the domain (`net group`) or local groups (`Get-LocalGroup`)

```shell
net group [/domain]
```

```powershell
Get-LocalGroup
```

Get users in a particular group

```powershell
Get-LocalGroupMember "<Group Name>"
```

Get information on a particular group in the domain

```shell
net group <Group Name> /domain
```

Get local administrators

```shell
net localgroup administrators
```

Get SMB shares

```shell
net share
```

Get password requirements

```shell
net accounts
```

## System Enumeration

Get important information

{% code overflow="wrap" %}

```shell
systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type" /C:"Domain" /C:"Network Card"
```

{% endcode %}

Get port information

```shell
netstat -ano
```

Get network information

```shell
ipconfig /all
```

Detect whether the current console is cmd.exe or PowerShell (prints `CMD` or `PowerShell`)

```shell
(dir 2>&1 *`|echo CMD);&<# rem #>echo PowerShell
```

## Installed programs

{% code overflow="wrap" %}

```powershell
Get-ItemProperty "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname
```

{% endcode %}

{% code overflow="wrap" %}

```powershell
Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname
```

{% endcode %}
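The two registry queries above each cover one hive path (64-bit and 32-bit applications) and print blank rows for keys without a `DisplayName`. The helper below is an added example, not code from the original cheatsheet: it queries both paths plus the per-user `HKCU` key, drops nameless entries, and exposes version and publisher so the inventory can be compared against patch baselines. The `-NameFilter` parameter and the sample patterns are assumptions for illustration.

```powershell
# Added inventory helper (not from the original cheatsheet). Queries the same
# Uninstall keys as the two commands above, plus the per-user HKCU key, and drops
# entries without a DisplayName, which is why the bare commands print blank rows.
function Get-InstalledSoftware {
    param(
        # Optional regex applied to DisplayName, e.g. 'Java|Adobe' (constructed example)
        [string]$NameFilter = '.*'
    )

    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',              # 64-bit applications
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',  # 32-bit apps on 64-bit Windows
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'               # per-user installs
    )

    # -ErrorAction SilentlyContinue tolerates a missing Wow6432Node on 32-bit systems
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -and $_.DisplayName -match $NameFilter } |
        Select-Object @{ n = 'Name';        e = { $_.DisplayName } },
                      @{ n = 'Version';     e = { $_.DisplayVersion } },
                      @{ n = 'Publisher';   e = { $_.Publisher } },
                      @{ n = 'InstallDate'; e = { $_.InstallDate } },
                      # PSPath looks like "...Registry::HKEY_LOCAL_MACHINE\SOFTWARE\..."; keep only the hive
                      @{ n = 'Hive';        e = { ($_.PSPath -split '::')[-1] -replace '\\SOFTWARE.*$' } } |
        Sort-Object Name
}

# Usage: full inventory, then only entries whose name matches a pattern
Get-InstalledSoftware | Format-Table -AutoSize
Get-InstalledSoftware -NameFilter 'Java|Adobe' | Format-Table -AutoSize
```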

## Web Root Directory

```
dir C:\inetpub\wwwroot
dir C:\xampp\htdocs
dir C:\<Directory Name>\xampp\htdocs
```

> **NOTE: Indications of a web directory:**
>
> * .htaccess
> * public_html
> * www
> * htdocs
> * httpdocs

## Get History

```powershell
Get-History
```

```powershell
(Get-PSReadlineOption).HistorySavePath
```

## PowerView

> **NOTE: Remember to run the following**
>
> * ```
>   powershell -ep bypass
>   ```
>
> * ```powershell
>   Import-Module .\PowerView.ps1
>   ```

Enumerate Users in the Domain

```powershell
Get-NetUser
```

To get filtered result

```powershell
Get-NetUser | select <Field Name> ...
```

> **EXAMPLE:**
>
> Get-NetUser | select samaccountname, cn, pwdlastset, lastlogon

To get specific information of a particular user

```powershell
Get-NetUser <Username>
```

Enumerate Groups in the Domain

```powershell
Get-NetGroup
```

To get filtered result

```powershell
Get-NetGroup | select <Field name> ...
```

> **EXAMPLE:**
>
> Get-NetGroup | select cn

To get specific information of a particular group

```powershell
Get-NetGroup <Group Name>
```

Enumerate Computers in the Domain

```powershell
Get-NetComputer
```

To get filtered result

```powershell
Get-NetComputer | select <Field name> ...
```

> **EXAMPLE:**
>
> Get-NetComputer | select operatingsystem, dnshostname

To get specific information of a particular computer

```powershell
Get-NetComputer <DNS Host Name>
```

To look for administrative rights on other computer for the current user

```powershell
Find-LocalAdminAccess
```

To look for logged on users on target machine

```powershell
Get-NetSession -ComputerName <Computer Name> -Verbose
```

> **NOTE: If something is not right, check the permissions.**
>
> Permissions for NetSessionEnum are defined in the `SrvsvcSessionInfo` value under the registry key `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\DefaultSecurity`

Alternatives

```powershell
C:\Tools\PSTools\PsLoggedon.exe \\<Host Name>
```

> **NOTE: Remote machine must have Remote Registry service enabled**

To check for permission

{% code overflow="wrap" %}

```powershell
Get-Acl -Path <Registry Hive>:<Registry Path> | fl
```

{% endcode %}

> **EXAMPLE:**
>
> Get-Acl -Path HKLM:SYSTEM\CurrentControlSet\Services\LanmanServer\DefaultSecurity\ | fl

{% code overflow="wrap" %}

```powershell
Get-ObjectAcl -SamAccountName <Username> -ResolveGUIDs | fl
```

{% endcode %}

To enumerate Service Principal Name

```powershell
Get-NetUser -SPN | select samaccountname, serviceprincipalname
```

To enumerate ACEs

```powershell
Get-ObjectAcl -Identity "<Username | Group Name>"
```

> **NOTE: Look out for ActiveDirectoryRights and SecurityIdentifier**

To enumerate interesting ACL

{% code overflow="wrap" %}

```powershell
Find-InterestingDomainAcl | select identityreferencename,activedirectoryrights,acetype,objectdn | ?{$_.IdentityReferenceName -NotContains "DnsAdmins"} | ft
```

{% endcode %}

To enumerate all principals that have ActiveDirectoryRights = GenericAll on a group

{% code overflow="wrap" %}

```powershell
Get-ObjectAcl -Identity "<Group Name>" | ? {$_.ActiveDirectoryRights -eq "GenericAll"} | select SecurityIdentifier, ActiveDirectoryRights
```

{% endcode %}

To enumerate all principals that have ActiveDirectoryRights = GenericWrite on a group

{% code overflow="wrap" %}

```powershell
Get-ObjectAcl -Identity "<Group Name>" | ?{$_.ActiveDirectoryRights -eq "GenericWrite"} | select SecurityIdentifier, ActiveDirectoryRights
```

{% endcode %}

To convert SID to Name in bulk

{% code overflow="wrap" %}

```powershell
"<SID>", "<SID>", "<SID>", "<SID>", "<SID>" | Convert-SidToName
```

{% endcode %}

To convert SID to Name individually

```powershell
Convert-SidToName "<SID>"
```
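The GenericAll and GenericWrite queries above, the SID conversion and the note to watch `ActiveDirectoryRights` and `SecurityIdentifier` are combined here into one audit function. It is an added example, not code from the cheatsheet or from PowerView itself; it assumes `PowerView.ps1` has already been imported so that `Get-ObjectAcl` and `Convert-SidToName` exist. The set of rights treated as dangerous, the `Get-DangerousGroupAces` name and the group names in the usage line are assumptions chosen for the example.

```powershell
# Added audit helper (not part of the original cheatsheet or of PowerView).
# Assumes PowerView.ps1 is imported so Get-ObjectAcl and Convert-SidToName exist.
# For each group, lists every Allow ACE that grants a right from an assumed
# "dangerous" set and resolves the trustee SID, so it is clear at a glance who
# can alter the membership or security of privileged groups.
function Get-DangerousGroupAces {
    param(
        [Parameter(Mandatory)]
        [string[]]$GroupName,

        # Rights reported as dangerous; this list is an assumption, not PowerView's
        [string[]]$DangerousRights = @('GenericAll', 'GenericWrite', 'WriteDacl', 'WriteOwner', 'WriteProperty')
    )

    foreach ($group in $GroupName) {
        # One object per ACE on the group's security descriptor; -ResolveGUIDs turns
        # property/extended-right GUIDs into names (e.g. the "Member" attribute)
        $aces = Get-ObjectAcl -Identity $group -ResolveGUIDs

        foreach ($ace in $aces) {
            # Only Allow entries grant capability; AceType is AccessAllowed or AccessAllowedObject
            if ([string]$ace.AceType -notmatch '^AccessAllowed') { continue }

            # ActiveDirectoryRights is a flags value rendered as "ReadProperty, WriteProperty"
            $rights = [string]$ace.ActiveDirectoryRights -split ',\s*'
            $hits   = @($rights | Where-Object { $DangerousRights -contains $_ })
            if ($hits.Count -eq 0) { continue }

            $sid  = [string]$ace.SecurityIdentifier
            # Convert-SidToName returns the SID unchanged when it cannot be resolved
            $name = $(try { Convert-SidToName $sid } catch { $sid })

            [pscustomobject]@{
                Group         = $group
                Trustee       = $name
                SID           = $sid
                Rights        = ($hits -join ', ')
                ObjectAceType = $ace.ObjectAceType   # e.g. "Member" for a WriteProperty ACE
                Inherited     = $ace.IsInherited
                ObjectDN      = $ace.ObjectDN
            }
        }
    }
}

# Usage: audit the built-in privileged groups and show the result as a table
Get-DangerousGroupAces -GroupName 'Domain Admins', 'Enterprise Admins', 'Administrators' |
    Format-Table -AutoSize
```

Inherited ACEs are included on purpose: a right granted high in the OU tree still applies to the group, and the `Inherited` column shows whether to look for the grant on the group object itself or on a parent container.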

Add user into group in domain

```powershell
net group "<Group Name>" <Username> /add /domain
```

To enumerate all shares on Domain

```powershell
Find-DomainShare
```

To enumerate shares available to current user

```powershell
Find-DomainShare -CheckShareAccess
```

To enumerate Group Policy

```powershell
Get-GPO -Name "<Group Policy Name>"
```

> **EXAMPLE:**
>
> Get-GPO -Name "Default Domain Policy"

To enumerate permission on the group policy

{% code overflow="wrap" %}

```powershell
Get-GPPermission -Guid <Group Unique ID> -TargetType User -TargetName <Username>
```

{% endcode %}

> **NOTE: Only relevant if the returned permission contains "ModifySecurity" or "FullControl"**
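Checking one GPO for one user, as above, does not scale to a whole domain. The function below is an added example, not code from the cheatsheet or from the GroupPolicy module: it walks every GPO with `Get-GPO -All`, lists all permissions with `Get-GPPermission -All`, and reports trustees that can edit the policy. The high-risk set uses the module's own permission values (`GpoEdit` and `GpoEditDeleteModifySecurity`, the latter being the value the note's "ModifySecurity" wording refers to); that set, the excluded baseline trustees and the function name are assumptions for the example.

```powershell
# Added GPO permission audit (not part of the original cheatsheet or the GroupPolicy module).
# Requires the RSAT GroupPolicy module, which provides Get-GPO and Get-GPPermission.
function Get-GpoEditors {
    param(
        # Permission levels treated as high risk (assumption; values are the module's own)
        [string[]]$HighRisk = @('GpoEdit', 'GpoEditDeleteModifySecurity'),

        # Trustees expected to hold edit rights and therefore not reported (assumed baseline)
        [string[]]$Exclude = @('Domain Admins', 'Enterprise Admins', 'SYSTEM', 'ENTERPRISE DOMAIN CONTROLLERS')
    )

    Import-Module GroupPolicy -ErrorAction Stop

    foreach ($gpo in Get-GPO -All) {
        # -All returns one entry per trustee on the GPO's ACL
        foreach ($perm in Get-GPPermission -Guid $gpo.Id -All) {
            if ($perm.Denied) { continue }                                  # deny entries grant nothing
            if ($HighRisk -notcontains [string]$perm.Permission) { continue }

            # Trustee.Name is normally the bare account name; strip a DOMAIN\ prefix if present
            $trustee = [string]$perm.Trustee.Name -replace '^.*\\'
            if ($Exclude -contains $trustee) { continue }

            [pscustomobject]@{
                GpoName     = $gpo.DisplayName
                GpoId       = $gpo.Id
                Trustee     = $trustee
                TrusteeType = $perm.TrusteeType
                Permission  = $perm.Permission
                Inherited   = $perm.Inherited
            }
        }
    }
}

# Usage: list every non-baseline principal that can edit a GPO in the domain
Get-GpoEditors | Sort-Object GpoName, Trustee | Format-Table -AutoSize
```

A non-empty result means a principal outside the expected administrators can change settings applied to every computer or user the GPO is linked to; the `Inherited` column tells whether the grant was set on the GPO directly or flows from the Policies container.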

## BloodHound

### To import BloodHound

```powershell
Import-Module C:\Tools\Bloodhound.ps1
```

### To begin enumeration with BloodHound

{% code overflow="wrap" %}

```powershell
Invoke-BloodHound -CollectionMethod All -OutputDirectory <Path> -OutputPrefix "corp audit"
```

{% endcode %}

### On kali:

```bash
sudo neo4j start
```

> **NOTE: Head over to <http://localhost:7474>**
>
> **Username: neo4j**
>
> **Password: arctic-iris-zipper-prism-courage-7161**
