Basic checks / powershell

Default powershell path

Powershell default path IMPORTANT: Using SysNative will get us to use the correct Powershell (32bit or 64bit) version, if we do not use absolute path the 32bit powershell will be used instead - this would be cause problems if you are trying to run privesc exploits in powershell later on a 64bit machine.

C:\Windows\SysNative\WindowsPowershell\v1.0\powershell.exe

Basic

Syntax

Description

systeminfo

System info, os, achitecture

hostname

echo %username%

Hostname/compute rname

net user <username>

Whoami /priv

user privileges

net localgroups

Groups

net localgroup administrators

Admin group users

set

Get-ChildItem Env: | ft Key,Value

Env variables

Get-Process <process name> -FileVersionInfo

Process

Get-ChildItem -Path "C:\Users\Folder" -Recurse -File | Select-String "Password"

Recursive search string

powershell.exe -exec bypass -Command “& command1; command2"}

Powershell execute from cmd

cmd /c "ftp -v -n -s:ftp.txt"

FTP

Network

Syntax

Description

ipconfig /all

Ip address

route print

Route

arp -A

Arp (other machines that ping it)

netstat -ano

Open ports

netsh firewall show state

netsh firewall show config

Check Firewall

Juicy Info

Reg query passwords in registry

# Passwords in registry
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"
reg query "HKLM\SYSTEM\Current\ControlSet\Services\SNMP"
reg query "HKCU\Software\SimonTatham\PuTTY\Sessions"
reg query HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4 /v password

Dir search password files

# Find writeable files
dir /a-r-d /s /b

# Password files
dir /b /s unattend.xml
dir /b /s web.config
dir /b /s sysprep.inf
dir /b /s sysprep.xml
dir /b /s *pass*
dir /b /s vnc.ini
dir /s *pass* == *cred* == *vnc* == *.config*

Using 'findstr' to find files

# findstr syntax
findstr /si password *.xml *.ini *.txt

Juicy files to look

Plaintext or base64 encoded passwords / config files

C:\sysprep.inf
C:\sysprep\sysprep.xml
%WINDIR%\Panther\Unattend\Unattended.xml
%WINDIR%\Panther\Unattended.xml 
%SYSTEMROOT%repairsystem
%SYSTEMROOT%repairSAM
%SYSTEMROOT%repairSAM
%WINDIR%win.ini
%SYSTEMDRIVE%boot.ini
%WINDIR%Panthersysprep.inf
%WINDIR%system32configAppEvent.Evt

Encrypted password in plaintext. Can use PowerSploit's Get-GPPPassword module

Groups.xml

Syntax

Description

PreviousSUID NextPrivesc Openings

Last updated 5 years ago

hashtagDefault powershell path

hashtagBasic

hashtagNetwork

hashtagJuicy Info

hashtagReg query passwords in registry

hashtagDir search password files

hashtagUsing 'findstr' to find files

hashtagJuicy files to look

hashtagPlaintext or base64 encoded passwords / config files

hashtagEncrypted password in plaintext. Can use PowerSploit's Get-GPPPassword module

Default powershell path

Basic

Network

Juicy Info

Reg query passwords in registry

Dir search password files

Using 'findstr' to find files

Juicy files to look

Plaintext or base64 encoded passwords / config files

Encrypted password in plaintext. Can use PowerSploit's Get-GPPPassword module