Generic Infos
All-in-one tool
"-All" performs "-Local", "-Domain" and "-Privesc"
. .\HostEnum.ps1
Invoke-HostEnum -Local -HTMLReport
Graphical session
compmgmt.msc /computer=<computername|fqdn>
One-liner
whoami & hostname & ipconfig /all & net user /domain 2>&1 & net group /domain 2>&1 & net group "domain admins" /domain 2>&1 & net group "Exchange Trusted Subsystem" /domain 2>&1 & net accounts /domain 2>&1 & net user 2>&1 & net localgroup administrators 2>&1 & netstat -an 2>&1 & tasklist 2>&1 & sc query 2>&1 & systeminfo 2>&1 & reg query "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" 2>&1 & net view & net view /domain & net user %USERNAME% /domain & nltest /dclist & gpresult /z
OS
ver
wmic os get bootdevice, buildnumber, caption, freespaceinpagingfiles, installdate, name, systemdrive, windowsdirectory
systeminfo
net config workstation
Drivers
DRIVERQUERY
List disks / shares
wmic logicaldisk get name, deviceid, volumename, description
get-psdrive -psprovider filesystem
fsutil fsinfo drives
wmic share list
Remote share listing
net view \\<hostname|ip> /all
Environment
wmic environment list
set
echo %PATH%
[environment]::Is64BitOperatingSystem
[environment]::Is64BitProcess
Network
arp -a
ipconfig /all
route print
netstat -ano
netsh interface ip show addresses
netsh interface ip show route
netsh interface ip show neighbors
Firewall status. The netsh firewall context exists from Windows XP SP2 on but is deprecated since Windows 7 (it still answers, with a warning); on Windows 7 and later prefer the netsh advfirewall context used by the third command.
netsh firewall show state
netsh firewall show config
netsh advfirewall firewall show rule all
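The netstat -ano / tasklist correlation and the firewall rule dump above, done as one PowerShell pass. This is an added example, not code from the original page: it maps every listening TCP socket and bound UDP endpoint to the owning process image, then lists the enabled inbound Allow rules with the port and program they open. It assumes the NetTCPIP and NetSecurity modules (Windows 8 / Server 2012 and later) and needs no elevation for the listening view.

```powershell
# Added example (not from the original page). Correlate listeners with processes and
# summarise the inbound firewall rules that actually let traffic reach them.

function Get-ListeningPorts {
    # Index processes by PID once. Win32_Process returns the image path without the
    # access-denied noise Get-Process produces for protected processes.
    $procs = @{}
    Get-CimInstance -ClassName Win32_Process | ForEach-Object { $procs[[int]$_.ProcessId] = $_ }

    $tcp = @(Get-NetTCPConnection -State Listen | ForEach-Object {
        $p = $procs[[int]$_.OwningProcess]          # cast: hashtable keys must match type
        [pscustomobject]@{
            Proto = 'TCP'; Address = $_.LocalAddress; Port = $_.LocalPort
            PID = $_.OwningProcess; Process = $p.Name; Path = $p.ExecutablePath
        }
    })
    $udp = @(Get-NetUDPEndpoint | ForEach-Object {
        $p = $procs[[int]$_.OwningProcess]
        [pscustomobject]@{
            Proto = 'UDP'; Address = $_.LocalAddress; Port = $_.LocalPort
            PID = $_.OwningProcess; Process = $p.Name; Path = $p.ExecutablePath
        }
    })
    ($tcp + $udp) | Sort-Object Proto, Port, Address
}

function Get-InboundAllowRules {
    # Enabled inbound Allow rules joined to their port and program filters. A Profile
    # of 'Any' applies on every network type, which is what exposed listeners usually have.
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True | ForEach-Object {
        $port = $_ | Get-NetFirewallPortFilter
        $app  = $_ | Get-NetFirewallApplicationFilter
        [pscustomobject]@{
            Rule      = $_.DisplayName
            Profile   = $_.Profile
            Protocol  = $port.Protocol
            LocalPort = (@($port.LocalPort) -join ',')   # 'Any', a number, or a range
            Program   = $app.Program                     # 'Any' when the rule is not per-program
        }
    }
}

Get-ListeningPorts    | Format-Table -AutoSize
Get-InboundAllowRules | Sort-Object Protocol, LocalPort | Format-Table -AutoSize
```

Compare the two outputs: a listener whose port has no matching Allow rule is reachable only locally, while a rule for a program that no longer exists is a stale hole worth noting.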
Users / Groups / Password policy / RDP Sessions
qwinsta [/server:<host>]
query user
wmic useraccount list brief
net users
nltest /user:"<username>"
net accounts (/domain)
net localgroup (/domain)
wmic group list brief
wmic sysaccount list
whoami /priv
Am I an administrator?
net localgroup administrators
whoami /groups
wmic useraccount where "LocalAccount = true"
PowerView: Get-NetLocalGroupMember
PowerUp: Get-CurrentUserTokenGroupSid
Seatbelt: seatbelt.exe LocalGroupMembers
SharpUp: SharpUp.exe
List all usernames
([adsisearcher]"(&(objectClass=User)(samaccountname=*))").FindAll().Properties.samaccountname
From Meterpreter, using the extapi extension:
load extapi
adsi_user_enum <domain_name>
List protected (administrative) accounts. AdminSDHolder sets admincount=1 on members of protected groups and never clears it, so this also returns accounts that were once privileged but have since been removed.
([adsisearcher]"(&(objectClass=User)(admincount=1))").FindAll().Properties.samaccountname
List all the attributes of one user (for the current user, pass $env:USERNAME as the name)
([adsisearcher]"(&(objectClass=User)(samaccountname=<username>))").FindAll().Properties
Print one attribute for every user that has it set, here the mobile number; the attribute names are the ones displayed by the command above
([adsisearcher]"(&(objectClass=User)(samaccountname=*))").FindAll().Properties | ForEach-Object{ if ($_.mobile -ne $null){ Write-Host $_.cn $_.mobile}}
List all groups with description
([adsisearcher]"(&(objectClass=group)(samaccountname=*))").FindAll().Properties | % { Write-Host $_.samaccountname : $_.description }
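The [adsisearcher] one-liners above work, but they return every attribute and silently stop at the DC's default 1000-entry page limit. The following is an added example, not code from the original page: a small wrapper that loads only the attributes asked for, pages through large result sets, and turns each SearchResult into a normal object, then reuses it for the admincount=1 and group-description queries. The LDAP search base shown in the parameter comment is an assumed placeholder; ConvertFrom-AdFileTime is a helper defined here, not an AD cmdlet.

```powershell
# Added example (not from the original page): reusable DirectorySearcher wrapper.
function Invoke-AdsiSearch {
    param(
        [Parameter(Mandatory)] [string]   $Filter,                      # LDAP filter
        [string[]] $Properties = @('samaccountname'),                   # attributes to return
        [string]   $SearchBase                                          # optional, e.g. 'LDAP://OU=Admins,DC=corp,DC=local' (assumed)
    )
    $searcher = [adsisearcher]$Filter                                   # default search root: current domain
    if ($SearchBase) { $searcher.SearchRoot = [adsi]$SearchBase }
    $searcher.PageSize = 1000                                           # enable paging; unpaged searches are capped at 1000 entries
    $searcher.PropertiesToLoad.AddRange([string[]]$Properties)          # only pull what we need
    foreach ($r in $searcher.FindAll()) {
        $o = [ordered]@{}
        foreach ($p in $Properties) {
            $v = $r.Properties[$p]                                      # empty collection when the attribute is not set
            $o[$p] = if ($v.Count -eq 0) { $null } elseif ($v.Count -eq 1) { $v[0] } else { @($v) }
        }
        [pscustomobject]$o
    }
}

# AD stores pwdLastSet / lastLogonTimestamp as 100ns ticks since 1601 (Int64 via ADSI).
function ConvertFrom-AdFileTime([Int64]$Ticks) {
    if ($Ticks -le 0) { return $null }                                  # 0 = never / must change at next logon
    [DateTime]::FromFileTimeUtc($Ticks)
}

# Protected accounts: admincount=1 is never cleared, so cross-check the current groups.
Invoke-AdsiSearch -Filter '(&(objectCategory=person)(objectClass=user)(admincount=1))' `
                  -Properties samaccountname, memberof, pwdlastset, lastlogontimestamp |
    Select-Object samaccountname,
        @{ n = 'groups';     e = { ($_.memberof | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join '; ' } },
        @{ n = 'pwdLastSet'; e = { ConvertFrom-AdFileTime $_.pwdlastset } },
        @{ n = 'lastLogon';  e = { ConvertFrom-AdFileTime $_.lastlogontimestamp } } |
    Format-Table -AutoSize

# Groups that carry a description (the ones admins bothered to annotate).
Invoke-AdsiSearch -Filter '(objectClass=group)' -Properties samaccountname, description |
    Where-Object description | Format-Table -AutoSize
```

lastLogonTimestamp is only replicated every 9 to 14 days, so treat it as "logged on at least once around then", not as an exact last-logon time.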
Kerberos user enumeration
nmap <ip> -p 88 --script krb5-enum-users --script-args krb5-enum-users.realm='<realm>'
List logged-on users
wmic /node:<ip|@list_ip.txt> path win32_loggedonuser get antecedent
RDP sessions
quser /server:<servername>
Find files
These search everything below the given path; the file name may contain wildcards.
dir /b /s C:\<file>
ls -r C:\ <file> 2>$null | % { echo $_.fullname }
where /R c:\ <file>
Hidden files and directories
dir /ah
Print content file
ls -r C:\ <file> 2>$null | % { gc $_.fullname }
Find keyword
findstr /N /S /I "<keyword>" C:\<base_dir>\[*.ext]
ls -r C:\<base_dir> | % { Select-String -Path $_ -Pattern <keyword> } 2>$null
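The file and keyword searches in the two sections above, as one PowerShell helper. This is an added example, not code from the original page: it restricts the keyword hunt to text-like files, skips oversized ones, includes hidden files, survives access-denied directories without aborting, and reports file, line number and matched pattern as objects. The file types and keyword list are this example's assumptions; adjust them per engagement.

```powershell
# Added example (not from the original page): file and keyword hunting with Get-ChildItem.

function Find-File {
    # Equivalent of "dir /b /s" / "where /R" with hidden files included (-Force).
    param([string]$Path = 'C:\', [Parameter(Mandatory)][string[]]$Name)   # wildcards allowed
    Get-ChildItem -Path $Path -Recurse -Force -Include $Name -ErrorAction SilentlyContinue |
        Select-Object FullName, Length, LastWriteTime
}

function Find-Keyword {
    # Equivalent of "findstr /N /S /I", limited to files that are worth reading.
    param(
        [string]   $Path      = 'C:\',
        [string[]] $Pattern   = @('password', 'passwd', 'pwd=', 'connectionstring', 'secret', 'apikey'),
        [string[]] $Include   = @('*.txt', '*.ini', '*.xml', '*.config', '*.conf', '*.cfg', '*.json',
                                  '*.yml', '*.yaml', '*.ps1', '*.bat', '*.cmd', '*.vbs', '*.rdp'),
        [int]      $MaxSizeKB = 2048                                    # skip logs and minified blobs
    )
    Get-ChildItem -Path $Path -Recurse -File -Force -Include $Include -ErrorAction SilentlyContinue |
        Where-Object { $_.Length -le ($MaxSizeKB * 1KB) } |
        Select-String -Pattern $Pattern -SimpleMatch -ErrorAction SilentlyContinue |   # literal, case-insensitive
        ForEach-Object {
            $text = $_.Line.Trim()
            if ($text.Length -gt 160) { $text = $text.Substring(0, 160) + '...' }   # keep the table readable
            [pscustomobject]@{ File = $_.Path; Line = $_.LineNumber; Match = $_.Pattern; Text = $text }
        }
}

# Usage
Find-File -Name 'unattend.xml', 'web.config', '*.kdbx' | Format-Table -AutoSize
Find-Keyword -Path 'C:\inetpub', 'C:\Users' | Format-Table -AutoSize
```

Select-String with -SimpleMatch treats the keywords literally, so "pwd=" is not a regex; drop the switch and pass proper regexes when you need patterns such as connection strings with embedded credentials.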
Processes
List processes
wmic process list brief
With commandline
wmic path win32_process get Caption,Processid,Commandline
Execute (quote the command line if it contains spaces)
wmic process call create "<command>"
Kill
wmic process where processid="<pid>" delete
wmic process where name="<process_name>" delete
Executables
PowerShell check for whether an executable is a .NET assembly (it throws a BadImageFormatException for a native, unmanaged PE).
[Reflection.AssemblyName]::GetAssemblyName("<C:\Path\To\File.exe>")
Scheduled jobs
schtasks /query /fo LIST /v
Services
To target a remote host, prefix the command with the UNC-style host name: sc \\<targetIP> query (the page source shows the backslashes doubled because of markdown escaping; the actual command uses a single pair).
List all running services
sc query
sc query | find /i "<service_name>"
wmic service where started=true get name, startname
net start
Link processes to services
tasklist /SVC
List all services
sc query state= all
sc query state= all | find /i "<service_name>"
Show service detail
sc qc <service_name>
Start and stop a service
sc start <service_name>
sc stop <service_name>
If the service's start type is disabled, change it to demand (manual) before starting it; the space after start= is required
sc config <service_name> start= demand
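The sc query / sc qc output above, collected as objects with the binary resolved and the unquoted-path weakness flagged. This is an added example, not code from the original page: an unquoted binary path containing spaces makes the service control manager try C:\Program.exe, C:\Program Files\Vendor.exe and so on before the real binary, so anyone who can write to one of those locations runs code as the service account. Writability of the binary or its folder is a separate check (icacls) and is deliberately not attempted here.

```powershell
# Added example (not from the original page): service inventory with unquoted-path flag.
function Get-ServiceInventory {
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $path = $_.PathName
        $exe = $null; $unquoted = $false
        if ($path -match '^"([^"]+)"') {
            $exe = $Matches[1]                       # quoted: the binary is whatever sits inside the quotes
        } elseif ($path -match '^(.*?\.exe)') {
            $exe = $Matches[1]                       # unquoted: the binary runs up to the first ".exe"
            $unquoted = $exe -match '\s'             # a space in an unquoted binary path is the weakness
        } elseif ($path) {
            $exe = ($path -split '\s+')[0]           # odd entries: first token
        }
        [pscustomobject]@{
            Name         = $_.Name
            State        = $_.State
            StartMode    = $_.StartMode
            RunAs        = $_.StartName              # LocalSystem, NT AUTHORITY\..., or a named account
            ProcessId    = $_.ProcessId
            Binary       = $exe
            Exists       = if ($exe) { Test-Path -LiteralPath $exe } else { $false }
            UnquotedPath = $unquoted
            ThirdParty   = [bool]($exe -and $exe -notlike "$env:SystemRoot\*")
        }
    }
}

# Everything not shipped under %SystemRoot%, with unquoted-path hits on top
Get-ServiceInventory | Where-Object { $_.ThirdParty -or $_.UnquotedPath } |
    Sort-Object UnquotedPath -Descending |
    Format-Table Name, State, StartMode, RunAs, Binary, Exists, UnquotedPath -AutoSize
```

An Exists value of False on a service that is still set to Auto start is also interesting: the path is free for whoever can create it.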
Event logs
WMIC infos
Save the following as a .bat file and run it from an elevated shell: it locates htable.xsl and renders each WMIC query as an HTML table appended to out.html. The %%A form is batch-file syntax; use %A when typing the for loop interactively. wmic is deprecated on current Windows 10/11 builds and may be absent.
for /f "delims=" %%A in ('dir /s /b %WINDIR%\system32\*htable.xsl') do set "var=%%A"
wmic process get CSName,Description,ExecutablePath,ProcessId /format:"%var%" >> out.html
wmic service get Caption,Name,PathName,ServiceType,Started,StartMode,StartName /format:"%var%" >> out.html
wmic USERACCOUNT list full /format:"%var%" >> out.html
wmic group list full /format:"%var%" >> out.html
wmic nicconfig where IPEnabled='true' get Caption,DefaultIPGateway,Description,DHCPEnabled,DHCPServer,IPAddress,IPSubnet,MACAddress /format:"%var%" >> out.html
wmic volume get Label,DeviceID,DriveLetter,FileSystem,Capacity,FreeSpace /format:"%var%" >> out.html
wmic netuse list full /format:"%var%" >> out.html
wmic qfe get Caption,Description,HotFixID,InstalledOn /format:"%var%" >> out.html
wmic startup get Caption,Command,Location,User /format:"%var%" >> out.html
wmic PRODUCT get Description,InstallDate,InstallLocation,PackageCache,Vendor,Version /format:"%var%" >> out.html
wmic os get name,version,InstallDate,LastBootUpTime,LocalDateTime,Manufacturer,RegisteredUser,ServicePackMajorVersion,SystemDirectory /format:"%var%" >> out.html
wmic Timezone get DaylightName,Description,StandardName /format:"%var%" >> out.html