Windows Recon (Cheat Sheet)

Windows OS Enumeration

net config Workstation
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
hostname
net users
ipconfig /all
route print
arp -A
netstat -ano
netsh firewall show state
netsh firewall show config
schtasks /query /fo LIST /v
tasklist /SVC
net start
DRIVERQUERY
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated
dir /s pass == cred == vnc == .config
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s

Find Goodies

Service Account Credentials within SYSVOL Group Policy Preferences (GPP)

findstr /S /I cpassword \\domain.com\sysvol\domain.com\policies\*.xml

Find in files and registry

findstr /snip password *.xml *.ini *.txt (quicker than below)
findstr /snip password *
dir /s *password* == *cred* == *vnc* == *.config*dir c:\*vnc.ini /s /bc:\sysprep.inf
c:\sysprep\sysprep.xml
c:\unattend.xml
%WINDIR%\Panther\Unattend\Unattended.xml
%WINDIR%\Panther\Unattended.xml
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"

GPO settings

gpresult /z
gpresult /H (for Pretty HTML output)

Users, Groups and Privileges

net localgroup administrators /domain
net group “Domain Controllers” /domain
net group “Domain Admins” /domain
net group “Enterprise Admins” /domain
net user /domain <UserName>
Get-ADDomainController -filter * | select hostname, operatingsystemGet-ADFineGrainedPasswordPolicy -filter *Get-ADDefaultDomainPasswordPolicyGet-ADUser <UserName>-Properties *Get-ADUser -filter * -properties Name, PasswordNeverExpires | where {$_.passwordNeverExpires -eq "true" } | Select-Object DistinguishedName,Name,EnabledGet-ADGroupMember -identity <GroupName>Get-ADComputer -filter * | select nameGet-GPO -all | select DisplayName, gpostatus

SMB File Shares

Find Hosts with SMB Open (Nmap)

nmap -vv -Pn -n -p 445 10.10.10.0/24 -oA smb_hostFormat:
grep open smb_host.gnmap | awk {'print $2'} > smb_up.txt && cat smb_up.txt

Find Open Shares (PowerView)

Invoke-ShareFinder -HostList hosts_with_smb.txt -NoPing -CheckShareAccess | Out-File -Encoding ascii found_shares.txtIf you want to remove the extra formatting of output in found_shares.txt, you can run:
grep -oP "(\s).?\-.*" found_shares.txt > found_shares.txt

Permissions (PowerView)

Invoke-FileFinder -ShareList .\found_shares.txt | ForEach-Object {Get-Acl $_.FullName} | Select-Object -Property Path,Owner,Group,AccessToString | Export-Csv Permissions.csv

Find Interesting file names from Share list (PowerView)

Invoke-FileFinder -ShareList found_shares.txt -Terms confidential, password -Verbose | ForEach-Object {Get-Acl $_.FullName} | Format-List

Batch Script to search for in-file passwords in open shares found from steps above.

@echo off
for /F "tokens=*" %%a in (found_shares.txt) do (
C:
NET USE Z: /delete /y
net use z: “%%a”
Z:
echo %%a
echo %%a >> "C:\Temp\output_file.txt"
if exist z:\ ( findstr /snip password * >> "C:\Temp\output_file.txt" )
)

Use password or hash for authentication (using CrackMapExec)

cme smb 192.168.1.0/24 -u UserName -H 'LM:NT'
cme smb 192.168.1.0/24 -u UserName -p 'PASSWORDHERE'

Lists

https://github.com/danielmiessler/SecLists

--

--

--

Love podcasts or audiobooks? Learn on the go with our new app.

Smarting up google docs and sheets

All You Need To Know About Java Synchronization With Examples

How to use the mobile phone to run the command of RHEL.

Building Spring Boot Microservices , Monitoring with prometheus and grafana and log aggregation…

Control the Tello drone! Node.js | TypeScript | JavaScript

A big brain FPL play

My eXPerience, 2 Years Pair Programming

Photo by Amir-abbas Abdolali on Unsplash

Lesser-Known Arithmetic Operators in Python

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
svch0st

svch0st

More from Medium

Pentesting : The Poor Man Guide.

Deploying Ransomware with a Weaponized USB Device

How to not be a script kiddie in 2022

OWASP Zed Attack Proxy Primer