General info

HostEnum.ps1

-All performs -Local, -Domain and -Privesc

. .\HostEnum.ps1
Invoke-HostEnum -Local -HTMLReport

One-liner

whoami & hostname & ipconfig /all & net user /domain 2>&1 & net group /domain 2>&1 & net group "domain admins" /domain 2>&1 & net group "Exchange Trusted Subsystem" /domain 2>&1 & net accounts /domain 2>&1 & net user 2>&1 & net localgroup administrators 2>&1 & netstat -an 2>&1 & tasklist 2>&1 & sc query 2>&1 & systeminfo 2>&1 & reg query "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" 2>&1 & net view & net view /domain & net user %USERNAME% /domain & nltest /dclist & gpresult /z

OS

ver
wmic os get bootdevice, buildnumber, caption, freespaceinpagingfiles, installdate, name, systemdrive, windowsdirectory
systeminfo
net config workstation

Drivers

DRIVERQUERY

List disks / shares

wmic logicaldisk get name, deviceid, volumename, description
get-psdrive -psprovider filesystem
fsutil fsinfo drives
wmic share list

Environment

wmic environment list
set
echo %PATH%
[environment]::Is64BitOperatingSystem
[environment]::Is64BitProcess

Network

arp -a
ipconfig /all
route print
netstat -ano
netsh interface ip show addresses
netsh interface ip show route
netsh interface ip show neighbors

Firewall status (netsh firewall requires Windows XP SP2 or later and is deprecated; netsh advfirewall is the current interface)

netsh firewall show state
netsh firewall show config
netsh advfirewall firewall show rule all

Users / Groups / Password policy / RDP Sessions

qwinsta [/server:<host>]
query user
wmic useraccount list brief
net users
nltest /user:"<username>"
net accounts (/domain)
net localgroup (/domain)
wmic group list brief
wmic sysaccount list
whoami /priv

Am I an administrator?

net localgroup administrators
whoami /groups
wmic useraccount where "LocalAccount = true"
PowerView: Get-NetLocalGroupMember
PowerUp: Get-CurrentUserTokenGroupSid
Seatbelt: seatbelt.exe LocalGroupMembers
SharpUp: SharpUp.exe
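The commands above answer two different questions that are easy to confuse: is the account a member of the local Administrators group, and does the current process actually hold an elevated token? Under UAC an administrator's normal shell runs with a filtered token in which the Administrators SID is present but marked "used for deny only", so group membership alone says nothing about what the process can do. The following function is an added example (not from the original page) that parses the `whoami /groups /fo csv` output the page already relies on and cross-checks it against `WindowsPrincipal.IsInRole()`; the output property names are my own.

```powershell
# Added example: separate "member of Administrators" from "token is elevated".
# Uses the well-known SID S-1-5-32-544 (BUILTIN\Administrators) so it works
# regardless of the display language of the group name.
function Test-LocalAdminState {
    [CmdletBinding()]
    param()

    # whoami /groups /fo csv emits columns: "Group Name","Type","SID","Attributes"
    $groups   = whoami /groups /fo csv | ConvertFrom-Csv
    $adminRow = $groups | Where-Object { $_.SID -eq 'S-1-5-32-544' }

    # A filtered (UAC-restricted) token still lists the group, but with the
    # attribute "Group used for deny only" instead of "Enabled group".
    $isMember   = $null -ne $adminRow
    $denyOnly   = $isMember -and ($adminRow.Attributes -like '*deny only*')
    $enabled    = $isMember -and ($adminRow.Attributes -like '*Enabled group*')

    # Independent check: IsInRole() returns $true only for an enabled group,
    # i.e. only when the process really is elevated.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]::new($identity)
    $adminSid  = [Security.Principal.SecurityIdentifier]::new(
        [Security.Principal.WellKnownSidType]::BuiltinAdministratorsSid, $null)
    $isInRole  = $principal.IsInRole($adminSid)

    [pscustomobject]@{
        User              = $identity.Name
        MemberOfAdmins    = $isMember
        TokenFilteredUAC  = $denyOnly            # admin account, but medium-integrity shell
        TokenElevated     = $enabled -and $isInRole
        Consistent        = ($enabled -eq $isInRole)   # both methods should agree
    }
}

Test-LocalAdminState | Format-List
```

When `MemberOfAdmins` is true but `TokenElevated` is false, the account is an administrator whose current process is not elevated; that is the state in which `net localgroup administrators` alone would give a misleading answer.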

List all usernames

([adsisearcher]"(&(objectClass=User)(samaccountname=*))").FindAll().Properties.samaccountname

Meterpreter, with the extapi extension loaded:

load extapi
adsi_user_enum <domain_name>

List administrators

([adsisearcher]"(&(objectClass=User)(admincount=1))").FindAll().Properties.samaccountname

List all information about a specific user

For the current user use: $env:USERNAME

([adsisearcher]"(&(objectClass=User)(samaccountname=<username>))").FindAll().Properties

List users (First name, Last name, Mobile phone)

All available attribute names are shown by the command above

([adsisearcher]"(&(objectClass=User)(samaccountname=*))").FindAll().Properties | ForEach-Object { if ($_.mobile -ne $null) { Write-Host $_.cn $_.mobile } }

List all groups with description

([adsisearcher]"(&(objectClass=group)(samaccountname=*))").FindAll().Properties | % { Write-Host "$($_.samaccountname): $($_.description)" }
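The `[adsisearcher]` one-liners above all follow the same pattern: build a `DirectorySearcher` from an LDAP filter, call `FindAll()`, and dig values out of each result's `Properties` collection, where every attribute comes back as a value collection rather than a scalar. The function below is an added example (not from the original page) that wraps that pattern once, so the user, admincount and group queries on this page become one-line calls that return normal objects; the function name and its parameter names are my own. It also sets `PageSize`, without which a default-configured domain controller returns at most 1000 objects.

```powershell
# Added example: generic wrapper around [adsisearcher] that returns clean objects.
function Search-AdObject {
    param(
        # LDAP filter, e.g. '(&(objectClass=user)(admincount=1))'
        [Parameter(Mandatory)][string]$Filter,
        # Attributes to fetch; asking only for what you need keeps the query small
        [string[]]$Properties = @('samaccountname', 'cn', 'description'),
        # A PageSize > 0 turns on paged results so more than 1000 objects come back
        [int]$PageSize = 1000
    )

    $searcher = [adsisearcher]$Filter
    $searcher.PageSize = $PageSize
    $searcher.PropertiesToLoad.Clear()
    [void]$searcher.PropertiesToLoad.AddRange($Properties)

    foreach ($result in $searcher.FindAll()) {
        $obj = [ordered]@{}
        foreach ($p in $Properties) {
            # Each attribute is a ResultPropertyValueCollection: unwrap single values,
            # keep multi-valued attributes (e.g. memberof) as arrays, $null when absent.
            $values = @($result.Properties[$p])
            $obj[$p] = switch ($values.Count) {
                0       { $null }
                1       { $values[0] }
                default { $values }
            }
        }
        [pscustomobject]$obj
    }
}

# The page's "admincount=1" query, with the attributes it prints
Search-AdObject -Filter '(&(objectClass=user)(admincount=1))' |
    Format-Table samaccountname, cn, description -AutoSize

# Users with a mobile number set: the filter does the null check the ForEach loop above did client-side
Search-AdObject -Filter '(&(objectClass=user)(mobile=*))' -Properties samaccountname, cn, mobile

# Groups with their description, as in the last one-liner above
Search-AdObject -Filter '(objectClass=group)' -Properties samaccountname, description
```

Moving conditions such as `mobile=*` into the LDAP filter instead of filtering client-side means the domain controller returns only matching objects, which is noticeably faster in large domains and generates far less LDAP traffic.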

Kerberos user enumeration

nmap <ip> -p 88 --script krb5-enum-users --script-args krb5-enum-users.realm='<realm>'

List logged-on users

wmic /node:<ip|@list_ip.txt> path win32_loggedonuser get antecedent

RDP sessions

quser /server:<servername>

Find files

This searches everything below the specified path; the file name accepts wildcards

dir /b /s C:\<file>
ls -r C:\ <file> 2>$null | % { echo $_.fullname }

Hidden files and directories

dir /ah

Print content file

ls -r C:\ <file> 2>$null | % { gc $_.fullname }

Find keyword

findstr /N /S /I "<keyword>" C:\<base_dir>\[*.ext]
ls -r C:\<base_dir> | % { Select-String -Path $_ -Pattern <keyword> } 2>$null

Processes

Execute

wmic process call create <command>

List

wmic process list brief

Kill

wmic process where processid="<pid>" delete
wmic process where name="<process_name>" delete

Executables

PowerShell code to determine whether a file is a .NET assembly (throws BadImageFormatException if it is not)

[Reflection.AssemblyName]::GetAssemblyName("<C:\Path\To\File.exe>")
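Because `GetAssemblyName()` signals "not a .NET assembly" by throwing rather than returning a value, it is awkward to use over a set of files. The function below is an added example (not from the original page) that turns the call into a pipeline-friendly check by catching `BadImageFormatException` (the exception raised for native PE images and non-PE files) and reporting the result per file; the function and property names are my own.

```powershell
# Added example: pipeline-friendly wrapper around [Reflection.AssemblyName]::GetAssemblyName().
function Test-ManagedAssembly {
    param(
        # Accepts plain paths or Get-ChildItem output (binds to FullName)
        [Parameter(Mandatory, ValueFromPipeline, ValueFromPipelineByPropertyName)]
        [Alias('FullName')]
        [string]$Path
    )
    process {
        $full = (Resolve-Path -LiteralPath $Path).Path
        try {
            # Only reads the assembly manifest; the file is not loaded or executed
            $asmName = [Reflection.AssemblyName]::GetAssemblyName($full)
            [pscustomobject]@{
                Path         = $full
                IsDotNet     = $true
                AssemblyName = $asmName.FullName
                Version      = $asmName.Version
            }
        }
        catch [BadImageFormatException] {
            # Native (non-CLR) executable or DLL, or not a PE file at all
            [pscustomobject]@{
                Path         = $full
                IsDotNet     = $false
                AssemblyName = $null
                Version      = $null
            }
        }
    }
}

# Usage: classify every executable in a directory (path is an example)
Get-ChildItem 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\*.exe' |
    Test-ManagedAssembly |
    Format-Table IsDotNet, Version, Path -AutoSize
```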

Scheduled jobs

schtasks /query /fo LIST /v

Services

sc can be run against a remote host over an administrative SMB session by prepending \\[targetIP] to the command.
Example: sc \\[targetIP] query

List all running services

sc query
sc query | find /i "<service_name>"
wmic service where started=true get name, startname
net start

Link processes to services

tasklist /SVC

List all services

sc query state= all
sc query state= all | find /i "<service_name>"

Show service detail

sc qc <service_name>

Start and stop a service

sc start <service_name>
sc stop <service_name>

If the service's START_TYPE is DISABLED, change it to DEMAND_START (manual) first

sc config <service_name> start= demand

WMIC info

https://gist.github.com/xorrior/67ee741af08cb1fc86511047550cdaf4

Save the following as a .bat file and run it from an elevated shell (the for loop locates the htable.xsl stylesheet that wmic uses for HTML output)

for /f "delims=" %%A in ('dir /s /b %WINDIR%\system32\*htable.xsl') do set "var=%%A"

wmic process get CSName,Description,ExecutablePath,ProcessId /format:"%var%" >> out.html
wmic service get Caption,Name,PathName,ServiceType,Started,StartMode,StartName /format:"%var%" >> out.html
wmic USERACCOUNT list full /format:"%var%" >> out.html
wmic group list full /format:"%var%" >> out.html
wmic nicconfig where IPEnabled='true' get Caption,DefaultIPGateway,Description,DHCPEnabled,DHCPServer,IPAddress,IPSubnet,MACAddress /format:"%var%" >> out.html
wmic volume get Label,DeviceID,DriveLetter,FileSystem,Capacity,FreeSpace /format:"%var%" >> out.html
wmic netuse list full /format:"%var%" >> out.html
wmic qfe get Caption,Description,HotFixID,InstalledOn /format:"%var%" >> out.html
wmic startup get Caption,Command,Location,User /format:"%var%" >> out.html
wmic PRODUCT get Description,InstallDate,InstallLocation,PackageCache,Vendor,Version /format:"%var%" >> out.html
wmic os get name,version,InstallDate,LastBootUpTime,LocalDateTime,Manufacturer,RegisteredUser,ServicePackMajorVersion,SystemDirectory /format:"%var%" >> out.html
wmic Timezone get DaylightName,Description,StandardName /format:"%var%" >> out.html
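Microsoft has deprecated WMIC, and it is no longer installed by default on current Windows 11 builds, so the batch file above will not run everywhere. The script below is an added example (not from the original page or the linked gist) that builds the same HTML inventory from the same WMI classes with `Get-CimInstance` and `ConvertTo-Html`; the section names and the output file name are my own. One deliberate difference: it does not query `Win32_Product`, because enumerating that class makes Windows Installer run a consistency check and repair of every installed MSI package, which is slow and leaves event log entries; it reads the Uninstall registry keys instead.

```powershell
# Added example: host inventory as HTML via CIM instead of the deprecated wmic.
# Each section is a script block so the report order is explicit and easy to extend.
$sections = [ordered]@{
    'Processes' = { Get-CimInstance Win32_Process |
                    Select-Object CSName, Description, ExecutablePath, ProcessId }
    'Services'  = { Get-CimInstance Win32_Service |
                    Select-Object Caption, Name, PathName, ServiceType, Started, StartMode, StartName }
    'Users'     = { Get-CimInstance Win32_UserAccount -Filter 'LocalAccount = TRUE' |
                    Select-Object Name, FullName, Disabled, Lockout, PasswordRequired, SID }
    'Groups'    = { Get-CimInstance Win32_Group -Filter 'LocalAccount = TRUE' |
                    Select-Object Name, Description, SID }
    'NICs'      = { Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
                    Select-Object Caption, Description, DHCPEnabled, DHCPServer, MACAddress,
                        # Array-valued properties must be flattened or ConvertTo-Html prints System.String[]
                        @{ n = 'IPAddress';        e = { $_.IPAddress        -join ', ' } },
                        @{ n = 'IPSubnet';         e = { $_.IPSubnet         -join ', ' } },
                        @{ n = 'DefaultIPGateway'; e = { $_.DefaultIPGateway -join ', ' } } }
    'Volumes'   = { Get-CimInstance Win32_Volume |
                    Select-Object Label, DeviceID, DriveLetter, FileSystem, Capacity, FreeSpace }
    'NetUse'    = { Get-CimInstance Win32_NetworkConnection |
                    Select-Object LocalName, RemoteName, UserName, Status }
    'Hotfixes'  = { Get-CimInstance Win32_QuickFixEngineering |
                    Select-Object Caption, Description, HotFixID, InstalledOn }
    'Startup'   = { Get-CimInstance Win32_StartupCommand |
                    Select-Object Caption, Command, Location, User }
    'Software'  = { # Registry instead of Win32_Product (see lead-in); both 64- and 32-bit hives
                    Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                                     'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*' -ErrorAction SilentlyContinue |
                    Where-Object DisplayName |
                    Select-Object DisplayName, DisplayVersion, Publisher, InstallDate }
    'OS'        = { Get-CimInstance Win32_OperatingSystem |
                    Select-Object Caption, Version, InstallDate, LastBootUpTime, LocalDateTime,
                                  Manufacturer, RegisteredUser, ServicePackMajorVersion, SystemDirectory }
    'Timezone'  = { Get-CimInstance Win32_TimeZone |
                    Select-Object DaylightName, Description, StandardName }
}

# Render every section as its own table under a heading
$body = foreach ($name in $sections.Keys) {
    "<h2>$name</h2>"
    & $sections[$name] | ConvertTo-Html -Fragment
}

$outFile = "$env:COMPUTERNAME-inventory.html"   # assumed output name
ConvertTo-Html -Title "Host inventory: $env:COMPUTERNAME" -Body ($body -join "`n") |
    Out-File -Encoding utf8 $outFile
Write-Host "Report written to $outFile"
```

Run it from an elevated shell for the same reason as the batch file: several of these classes (services' logon accounts, other users' processes, startup entries) return complete data only to an administrator.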