Basic checks / powershell

Default powershell path

IMPORTANT: launch PowerShell through the absolute SysNative path so that the version matching the OS bitness (64-bit on a 64-bit machine) is used. On 64-bit Windows, a 32-bit process that runs `powershell.exe` without an absolute path (or via `C:\Windows\System32`, which WOW64 silently redirects to `SysWOW64`) gets the 32-bit PowerShell instead; this causes problems when running privesc exploits in PowerShell later on a 64-bit machine. Note that `SysNative` is a virtual alias that only exists for 32-bit processes; from a process that is already 64-bit, `C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe` is the native binary.

C:\Windows\SysNative\WindowsPowershell\v1.0\powershell.exe
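The bitness check described above, as an added example that is not part of the original page: it detects whether the current process is a 32-bit process on a 64-bit OS (the WOW64 case in which `System32` is redirected) and picks the matching `powershell.exe`, then re-runs a one-liner inside it to confirm. The function name `Get-NativePowerShellPath` is this example's own; it assumes PowerShell 3 or later for `[Environment]::Is64BitOperatingSystem`.

```powershell
# Added example (not from the original page): choose the powershell.exe whose
# bitness matches the OS, working around WOW64 file-system redirection.
function Get-NativePowerShellPath {
    $is64Os   = [Environment]::Is64BitOperatingSystem
    $is64Proc = [Environment]::Is64BitProcess

    if ($is64Os -and -not $is64Proc) {
        # 32-bit process on 64-bit Windows: System32 is silently redirected to
        # SysWOW64, so reach the real 64-bit binaries through the SysNative alias.
        return Join-Path $env:windir 'SysNative\WindowsPowerShell\v1.0\powershell.exe'
    }

    # Already native (64-bit process on 64-bit OS, or a 32-bit OS): System32 is
    # the real directory. SysNative does not exist here, so it must not be used.
    return Join-Path $env:windir 'System32\WindowsPowerShell\v1.0\powershell.exe'
}

$exe = Get-NativePowerShellPath
"Current process 64-bit: {0}; OS 64-bit: {1}" -f [Environment]::Is64BitProcess, [Environment]::Is64BitOperatingSystem
"SysNative alias visible from this process: $(Test-Path (Join-Path $env:windir 'SysNative'))"
"Using: $exe"

# Confirm by asking the selected binary about its own bitness; on a 64-bit OS
# this should print True regardless of the bitness of the calling process.
& $exe -NoProfile -Command '[Environment]::Is64BitProcess'
```

Run it from both a 32-bit and a 64-bit shell on a 64-bit machine: the `SysNative alias visible` line flips between True and False, while the final check prints True in both cases, which is the property the absolute path is meant to guarantee.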

Basic

| Syntax | Description |
| --- | --- |
| `systeminfo` | System info: OS version, architecture, patches |
| `hostname`<br>`echo %username%` | Hostname / computer name; current username |
| `net user <username>`<br>`whoami /priv` | User account details and privileges |
| `net localgroup` | Local groups |
| `net localgroup administrators` | Members of the local Administrators group |
| `set`<br>`Get-ChildItem Env: \| ft Key,Value` | Environment variables |
| `Get-Process <process name> -FileVersionInfo` | Process details, including file version info of its binary |
| `Get-ChildItem -Path "C:\Users\Folder" -Recurse -File \| Select-String "Password"` | Recursive search for a string in file contents |
| `powershell.exe -exec bypass -Command "& command1; command2"` | Execute PowerShell commands from cmd |
| `cmd /c "ftp -v -n -s:ftp.txt"` | FTP, scripted non-interactively from the commands in `ftp.txt` |

Network

| Syntax | Description |
| --- | --- |
| `ipconfig /all` | IP address and full interface configuration (DNS, gateway, DHCP) |
| `route print` | Routing table |
| `arp -a` | ARP cache: other hosts this machine has recently communicated with |
| `netstat -ano` | Open ports and connections, with the owning process ID |
| `netsh firewall show state`<br>`netsh firewall show config` | Check firewall state and configuration (legacy `netsh firewall` context, deprecated on newer Windows versions) |

Juicy Info

- Query the registry for stored passwords (`reg query`)
- Search the file system for password files (`dir`)
- Use `findstr` to search file contents for passwords
- Juicy files to look at
- Plaintext or base64-encoded passwords in config files
- Group Policy Preferences passwords: encrypted, but with a publicly known key, so effectively plaintext. Can use PowerSploit's Get-GPPPassword module to decrypt them.
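The file and registry checks in the list above, as an added example written from the audit side (not code from the original page or from PowerSploit): it walks a directory tree for key/value style credential assignments in text-like files and reports where they are with the value redacted, so they can be removed or rotated, and checks the Winlogon autologon key, which stores `DefaultPassword` in clear text when autologon is configured. The root path, size limit, extension list and regex are assumptions chosen for the example.

```powershell
# Added example (not from the original page): audit a directory tree and the
# Winlogon autologon key for credentials left in plaintext. Root path, size
# limit, extension list and pattern are this example's own assumptions.
param(
    [string]$Root = "C:\Users",
    [int]$MaxFileKB = 512
)

# Extensions that commonly hold configuration or notes in plain text;
# skipping binaries avoids noisy false matches.
$textExt = @('.txt', '.ini', '.cfg', '.conf', '.config', '.xml', '.json',
             '.ps1', '.bat', '.cmd', '.log', '.yml', '.yaml', '.properties')

# key=value or "key": "value" assignments, e.g. password=Secret1 or pwd: x
$credPattern = '(?i)\b(password|passwd|pwd|secret|apikey|api_key|token)\b\s*[:=]\s*["'']?(\S+)'

function Find-PlaintextCredentials {
    param([string]$Path, [int]$MaxKB)

    Get-ChildItem -Path $Path -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $textExt -contains $_.Extension.ToLower() -and $_.Length -le ($MaxKB * 1KB) } |
        ForEach-Object {
            $file = $_
            Select-String -Path $file.FullName -Pattern $credPattern -AllMatches -ErrorAction SilentlyContinue |
                ForEach-Object {
                    foreach ($m in $_.Matches) {
                        # Report the location and the key name, but never the value itself.
                        [pscustomobject]@{
                            File  = $file.FullName
                            Line  = $_.LineNumber
                            Key   = $m.Groups[1].Value
                            Value = ('*' * [Math]::Min($m.Groups[2].Value.Length, 8))
                        }
                    }
                }
        }
}

function Test-AutoLogonPassword {
    # Winlogon autologon keeps DefaultPassword in clear text in this key.
    $key   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    [pscustomobject]@{
        AutoAdminLogon     = $props.AutoAdminLogon
        DefaultUserName    = $props.DefaultUserName
        HasDefaultPassword = -not [string]::IsNullOrEmpty($props.DefaultPassword)
    }
}

Find-PlaintextCredentials -Path $Root -MaxKB $MaxFileKB | Format-Table -AutoSize
Test-AutoLogonPassword | Format-List
```

Findings are reported with the secret masked on purpose: the audit output itself tends to end up in tickets and logs, and a location plus key name is enough to drive the clean-up.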
