Basic checks / powershell
Default powershell path
Powershell default path. IMPORTANT: use the SysNative path so that the correct PowerShell (32-bit or 64-bit) is launched. Without the absolute path, a 32-bit process gets the 32-bit PowerShell instead, which causes problems if you later try to run privesc exploits from PowerShell on a 64-bit machine.
C:\Windows\SysNative\WindowsPowershell\v1.0\powershell.exe
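The following is an added example, not code from the original page: it shows why the SysNative path matters and picks the right binary automatically. Inside a 32-bit (WOW64) process on 64-bit Windows, `System32` is silently redirected to `SysWOW64`, so an unqualified `powershell.exe` starts the 32-bit host; the `SysNative` alias escapes that redirection. The function and property names are this example's own.

```powershell
# Added example (not from the original page): select the PowerShell binary that
# matches the OS bitness, and report the bitness of the current process so a
# mismatch is visible before anything that depends on the 64-bit host is run.
function Get-NativePowerShellPath {
    $relative = 'WindowsPowerShell\v1.0\powershell.exe'
    if ([Environment]::Is64BitOperatingSystem -and -not [Environment]::Is64BitProcess) {
        # WOW64 process: "System32" is redirected to SysWOW64 here, so only the
        # SysNative alias reaches the real 64-bit System32 directory.
        return Join-Path $env:WINDIR "SysNative\$relative"
    }
    # Native process (64-bit on 64-bit Windows, or any 32-bit Windows):
    # System32 is the real directory and SysNative does not exist.
    return Join-Path $env:WINDIR "System32\$relative"
}

function Test-PowerShellBitness {
    [pscustomobject]@{
        Is64BitOS      = [Environment]::Is64BitOperatingSystem
        Is64BitProcess = [Environment]::Is64BitProcess
        PointerSize    = [IntPtr]::Size      # 4 in a 32-bit host, 8 in a 64-bit host
        NativePath     = Get-NativePowerShellPath
    }
}

Test-PowerShellBitness
```

If `Is64BitOS` is true and `Is64BitProcess` is false, you are in a WOW64 host and the returned `NativePath` points at the 64-bit PowerShell via `SysNative`; launching that path (instead of a bare `powershell.exe`) is the check the note above asks for.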
Basic
| Syntax | Description |
| --- | --- |
| `systeminfo` | System info, OS, architecture |
| `hostname` / `echo %username%` | Hostname/computer name, current username |
| `net user <username>` / `whoami /priv` | User account details, user privileges |
| `net localgroup` | Groups |
| `net localgroup administrators` | Admin group users |
| `set` / `Get-ChildItem Env: \| ft Key,Value` | Env variables |
| `Get-Process <process name> -FileVersionInfo` | Process (file version info) |
| `Get-ChildItem -Path "C:\Users\Folder" -Recurse -File \| Select-String "Password"` | Recursive search for a string |
| `powershell.exe -exec bypass -Command "& command1; command2"` | Run PowerShell commands from cmd |
| `cmd /c "ftp -v -n -s:ftp.txt"` | FTP (scripted from ftp.txt) |
Network
| Syntax | Description |
| --- | --- |
| `ipconfig /all` | IP address |
| `route print` | Routing table |
| `arp -a` | ARP cache (other hosts this machine has recently talked to) |
| `netstat -ano` | Open ports and connections, with owning PID |
| `netsh firewall show state` / `netsh firewall show config` | Check firewall |
Juicy Info
Reg query passwords in registry
```cmd
:: Passwords in registry
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
reg query "HKLM\SYSTEM\CurrentControlSet\Services\SNMP"
reg query "HKCU\Software\SimonTatham\PuTTY\Sessions"
reg query HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4 /v password
```
Dir search password files
```cmd
:: Find writeable files (not read-only, not directories)
dir /a-r-d /s /b

:: Password files
dir /b /s unattend.xml
dir /b /s web.config
dir /b /s sysprep.inf
dir /b /s sysprep.xml
dir /b /s *pass*
dir /b /s vnc.ini

:: "=" is an argument separator in cmd, so "==" simply separates the patterns
dir /s *pass* == *cred* == *vnc* == *.config*
```
Using 'findstr' to find files
```cmd
:: findstr syntax (/s recurse subdirectories, /i case-insensitive)
findstr /si password *.xml *.ini *.txt
```
Juicy files to look for
Plaintext or base64 encoded passwords / config files:

```
C:\sysprep.inf
C:\sysprep\sysprep.xml
%WINDIR%\Panther\Unattend\Unattended.xml
%WINDIR%\Panther\Unattended.xml
%SYSTEMROOT%\repair\system
%SYSTEMROOT%\repair\SAM
%WINDIR%\win.ini
%SYSTEMDRIVE%\boot.ini
%WINDIR%\Panther\sysprep.inf
%WINDIR%\system32\config\AppEvent.Evt
```

| File | Description |
| --- | --- |
| `Groups.xml` | Encrypted password stored in plaintext form. Can use PowerSploit's Get-GPPPassword module |
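The following is an added example and not code from the original page: an administrator-side audit that walks the same credential-bearing files and registry locations listed in the sections above and reports which ones exist or contain password-like strings, so they can be cleaned up. The file paths and registry keys are the page's; the function names, the `-Root` parameter, the extra content pattern (`cpassword`, the attribute Group Policy Preferences uses inside Groups.xml) and the output object shape are this example's own assumptions.

```powershell
# Added example (not from the original page): find leftover credential files and
# registry values from the cheat sheet's lists so they can be removed or secured.
function Find-LeftoverCredentialFiles {
    [CmdletBinding()]
    param(
        # Directory trees to scan for web.config / unattend.xml / *pass* files (assumed defaults)
        [string[]]$Root = @("$env:SystemDrive\inetpub", "$env:SystemDrive\Users")
    )

    # Well-known locations from the cheat sheet (environment variables expanded at run time)
    $knownFiles = @(
        "$env:SystemDrive\sysprep.inf",
        "$env:SystemDrive\sysprep\sysprep.xml",
        "$env:WINDIR\Panther\Unattend\Unattended.xml",
        "$env:WINDIR\Panther\Unattended.xml",
        "$env:WINDIR\Panther\sysprep.inf",
        "$env:SystemRoot\repair\system",
        "$env:SystemRoot\repair\SAM",
        "$env:WINDIR\win.ini",
        "$env:SystemDrive\boot.ini"
    )

    # Content patterns that indicate a stored credential (assumption: cpassword is
    # the Group Policy Preferences attribute found in Groups.xml)
    $pattern = 'password|cpassword|passwd|pwd='

    $results = @(foreach ($file in $knownFiles) {
        if (Test-Path -LiteralPath $file -PathType Leaf) {
            [pscustomobject]@{ Path = $file; Finding = 'well-known credential file present' }
        }
    })

    # Same names as the "dir /b /s" list, plus Groups.xml
    $names = 'unattend.xml', 'web.config', 'sysprep.inf', 'sysprep.xml', 'vnc.ini', 'Groups.xml', '*pass*'
    $candidates = Get-ChildItem -Path $Root -Include $names -Recurse -File -ErrorAction SilentlyContinue

    $results += @(foreach ($candidate in $candidates) {
        # -List stops at the first match so large files are not read to the end
        $hit = Select-String -LiteralPath $candidate.FullName -Pattern $pattern -List -ErrorAction SilentlyContinue
        if ($hit) {
            [pscustomobject]@{
                Path    = $candidate.FullName
                Finding = "line $($hit.LineNumber) matches '$($hit.Pattern)'"
            }
        }
    })
    $results
}

function Find-PasswordRegistryValues {
    # Same locations as the "reg query" list, walked through the registry provider.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
        'HKLM:\SYSTEM\CurrentControlSet\Services\SNMP',
        'HKCU:\Software\SimonTatham\PuTTY\Sessions',
        'HKLM:\SOFTWARE\RealVNC\WinVNC4'
    )
    foreach ($key in $keys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        # Include subkeys: PuTTY keeps one subkey per saved session
        $subkeys = @(Get-Item -LiteralPath $key) +
                   @(Get-ChildItem -LiteralPath $key -Recurse -ErrorAction SilentlyContinue)
        foreach ($k in $subkeys) {
            foreach ($name in $k.GetValueNames()) {
                if ($name -match 'password') {
                    # Only the key and value name are reported; the data itself is not printed
                    [pscustomobject]@{ Key = $k.Name; ValueName = $name }
                }
            }
        }
    }
}

Find-LeftoverCredentialFiles | Format-Table -AutoSize
Find-PasswordRegistryValues  | Format-Table -AutoSize
```

Run it from an elevated prompt so `%SYSTEMROOT%\repair` and the HKLM keys are readable; each reported path or value name is a candidate for deletion or for moving the secret into a proper store, and the report itself contains no secret data.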