Windows
NOTE:
Username and hostname
Group memberships of the current user
Existing users and groups
Operating system, version and architecture
Network information
Installed applications
Running processes
Interesting Directory
C:\
# Custom folders
C:\Scripts\
C:\Tools\
C:\Backups\
# To look for SAM, SYSTEM file
C:\Windows\System32\config\
# To look for scheduled tasks
C:\Windows\System32\Tasks\
# To look for program that run on start up
C:\Windows\System32\GroupPolicy\Machine\Scripts\Startup\
# Web Servers folders
C:\xampp\
C:\inetpub\wwwroot\Interesting Files
Command Prompt
where /r C:\Users *.txt *.pdf *.xls *.xlsx *.doc *.docx *.ini *.log *.ps1 *.kdbx
where /r C:\ *.uac *.dll
where /r C:\ SAM SYSTEM
where /r C:\ local.txt proof.txt
# Display ALL files
dir /a /sPowershell
Get-ChildItem -Path C:\Users -Include *.txt,*.pdf,*.xls,*.xlsx,*.doc,*.docx,*ini,*.log,*.ps1,*.kdbx -File -Recurse -ErrorAction SilentlyContinue
Get-ChildItem -Path C:\ -Include *.uac,*.dll -File -Recurse -ErrorAction SilentlyContinue
Get-ChildItem -Path C:\ -Include SAM,SYSTEM -File -Recurse -ErrorAction SilentlyContinue
Get-ChildItem -Path C:\ -Include local.txt,proof.txt -File -Recurse -ErrorAction SilentlyContinue
# Display ALL files
ls -ForceUser Permissions
User Information
whoami /allNOTE: The above command consists of the following
whoami /userwhoami /privwhoami /groups
Page links to different permission attacks (?)
User Enumeration
Get all user in the current machine
net user [/domain]Get-LocalUserGet information on a particular user
net user <Username> [/domain]Get groups on domain
net group [/domain]Get-LocalGroupGet users in a particular group
Get-LocalGroupMember "<Group Name>"Get information on a particular group in the domain
net group <Group Name> /domainGet local administrators
net localgroup administratorsGet SMB shares
net shareGet password requirements
net accountsSystem Enumeration
Get important information
systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type" /C:"Domain" /C:"Network Card"Get port information
netstat -anoGet network information
ipconfig /allGet current console
(dir 2>&1 *`|echo CMD);&<# rem #>echo PowerShellInstalled programs
Get-ItemProperty "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displaynameGet-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displaynameWeb Root Directory
dir C:\inetpub\wwwroot
dir C:\xampp\htdocs
dir C:\<Directory Name>\xampp\htdocsNOTE: Indication of Web Director:
.htaccess
public.html
www
htdocs
httpdcos
Get History
Get-History(Get-PSReadlineOption).HistorySavePathPowerView
NOTE: Remember to run the following
powershell -ep bypassImport-Module .\PowerView.ps1
Enumerate Users in the Domain
Get-NetUserTo get filtered result
Get-NetUser | select <Field Name> ...EXAMPLE:
Get-NetUser | select samaccountname, cn, pwdlastset, lastlogon
To get specific information of a particular user
Get-NetUser <Username>Enumerate Groups in the Domain
Get-NetGroupTo get filtered result
Get-NetGroup | select <Field name> ...EXAMPLE:
Get-NetGroup | select cn
To get specific information of a particular group
Get-NetGroup <Group Name>Enumerate Computers in the Domain
Get-NetComputerTo get filtered result
Get-NetComputer | select <Field name> ...EXAMPLE:
Get-NetComputer | select operatingsystem, dnshostname
To get specific information of a particular computer
Get-NetComputer <DNS Host Name>To look for administrative rights on other computer for the current user
Find-LocalAdminAccessTo look for logged on users on target machine
Get-NetSession -ComputerName <Computer Name> -VerboseNOTE: If something is not right check for permission.
Permissions for NetSessionEnum are defined in SrvsvcSessionInfo registry key (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\DefaultSecurity)
Alternatives
C:\Tools\PSTools\PsLoggedon.exe \\<Host Name>NOTE: Remote machine must have Remote Registry service enabled
To check for permission
Get-Acl -Path <Registery Hive>:<Registry Path> | flEXAMPLE:
Get-Acl -Path HKLM:SYSTEM\CurrentControlSet\Services\LanmanServer\DefaultSecurity\ | fl
Get-ObjectAcl -SamAccountName <Username> -ResolveGUIDs | flTo enumerate Service Principal Name
Get-NetUser -SPN | select samaccountname, serviceprincipalnameTo enumerate ACEs
Get-ObjectAcl -Identity "<Username | Group Name>"NOTE: Look out for ActiveDirectoryRights and SecurityIdentifier
To enumerate interesting ACL
Find-InterestingDomainAcl | select identityreferencename,activedirectoryrights,acetype,objectdn | ?{$_.IdentityReferenceName -NotContains "DnsAdmins"} | ftTo enumerate all user that has ActiveDirectoryRights = GenericAll under a group
Get-ObjectAcl -Identity "<Group Name>" | ? {$_.ActiveDirectoryRights -eq "GenericAll"} | select SecurityIdentifier, ActiveDirectoryRightsTo enumerate all ActiveDirectoryRights = GenericWrite under a group
Get-ObjectAcl -Identity "<Group Name>" | ?{$_.ActiveDirectoryRights -eq "GenericWrite"} | select SecurityIdentifier, ActiveDirectoryRightsTo convert SID to Name in bulk
"<SID>", "<SID>", "<SID>", "<SID>", "<SID>" | Convert-SidToNameTo convert SID to Name individually
Convert-SidToName "<SID>"Add user into group in domain
net group "<Group Name>" <Username> /add /domainTo enumerate all shares on Domain
Find-DomainShareTo enumerate shares available to current user
Find-DomainShare -CheckShareAccessTo enumerate Group Policy
Get-GPO -Name "<Group Policy Name>"EXAMPLE:
Get-GPO -Name "Default Domain Policy"
To enumerate permission on the group policy
Get-GPPermission -Guid <Group Unique ID> -TargetType User -TargetName <Username>NOTE: Only if the permission either contains "ModifySecurity" or "FullControl"
BloodHound
To import BloodHound
Import-Module C:\Tools\Bloodhound.ps1To begin enumerationg on BloodHound
Invoke-BloodHound -CollectionMethod All -OutputDirectory <Path> -OutputPrefix "corp audit"On kali:
sudo neo4j startNOTE: Head over to http://localhost:7474
Username: neo4j
Password: arctic-iris-zipper-prism-courage-7161
Last updated