General information

OS

ver
wmic os get bootdevice, buildnumber, caption, freespaceinpagingfiles, installdate, name, systemdrive, windowsdirectory
systeminfo
net config workstation

Drivers

DRIVERQUERY

List disks / shares

wmic logicaldisk get name, deviceid, volumename, description
get-psdrive -psprovider filesystem
fsutil fsinfo drives
wmic share list

Environment

wmic environment list
set
echo %PATH%
[environment]::Is64BitOperatingSystem
[environment]::Is64BitProcess

Network

arp -a
ipconfig /all
route print
netstat -ano

Firewall status (netsh firewall is the legacy XP SP2 context and is deprecated; on Vista and later use netsh advfirewall, which also reports per-profile state)

netsh firewall show state
netsh firewall show config
netsh advfirewall firewall show rule all
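As an added example (not part of the original cheat sheet), the netstat -ano and netsh lines above combined into objects: listening sockets resolved to their owning process, firewall state per profile, and the enabled inbound allow rules with their ports. It assumes Windows 8 / Server 2012 or later (NetTCPIP and NetSecurity modules); the function names are mine.

```powershell
# Added example, not from the original page. Function names are mine.

function Get-ListeningSockets {
    # netstat -ano + tasklist in one object: every listening TCP / bound UDP socket with the
    # owning process. Path is $null for processes we cannot open (other users', SYSTEM)
    # while running non-elevated.
    $procs = @{}
    Get-Process | ForEach-Object { $procs[$_.Id] = $_ }

    $tcp = Get-NetTCPConnection -State Listen | ForEach-Object {
        $p = $procs[[int]$_.OwningProcess]
        $path = try { $p.Path } catch { $null }
        [pscustomobject]@{ Proto = 'TCP'; LocalAddress = $_.LocalAddress; LocalPort = $_.LocalPort
                           PID = $_.OwningProcess; Process = $p.ProcessName; Path = $path }
    }
    $udp = Get-NetUDPEndpoint | ForEach-Object {
        $p = $procs[[int]$_.OwningProcess]
        $path = try { $p.Path } catch { $null }
        [pscustomobject]@{ Proto = 'UDP'; LocalAddress = $_.LocalAddress; LocalPort = $_.LocalPort
                           PID = $_.OwningProcess; Process = $p.ProcessName; Path = $path }
    }
    @($tcp) + @($udp) | Sort-Object Proto, LocalPort
}

function Get-FirewallState {
    # A profile with Enabled=False or DefaultInboundAction=Allow makes the rule set irrelevant.
    Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction
}

function Get-InboundAllowRules {
    # Only enabled inbound allow rules affect reachability; resolve their port and program filters.
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True | ForEach-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        $af = $_ | Get-NetFirewallApplicationFilter
        [pscustomobject]@{
            Rule      = $_.DisplayName
            Profile   = $_.Profile
            Protocol  = $pf.Protocol
            LocalPort = ($pf.LocalPort -join ',')
            Program   = $af.Program
        }
    }
}

Get-FirewallState      | Format-Table -AutoSize
Get-ListeningSockets   | Format-Table -AutoSize
Get-InboundAllowRules  | Sort-Object Protocol, LocalPort | Format-Table -AutoSize
```

Cross-check the two tables: a listening port with no matching enabled allow rule (and DefaultInboundAction=Block) is reachable only from the host itself, which matters when deciding whether a local service is worth attacking remotely.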

Users / Groups / Password policy

qwinsta [/server:<host>]
query user
wmic useraccount list brief
net users
nltest /user:"<username>"
net accounts (/domain)
net localgroup (/domain)
wmic group list brief
wmic sysaccount list
whoami /priv

Am I administrator?

net localgroup administrators
whoami /groups
wmic useraccount where "LocalAccount = true" get name,sid,disabled
PowerView: Get-NetLocalGroupMember
PowerUp: Get-CurrentUserTokenGroupSid
Seatbelt: seatbelt.exe LocalGroupMembers
SharpUp: SharpUp.exe

whoami /groups also prints the integrity level (Mandatory Label). Membership in Administrators together with a Medium integrity label means the token is UAC-filtered: the account is an admin but the current shell is not elevated.
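As an added example (not from the cheat sheet or any of the tools listed), one function that answers the two questions the commands above blur together: is the account a member of Administrators, and is this process actually elevated. Under UAC an admin's normal shell holds a filtered token in which the Administrators SID is present but deny-only, so the role check fails until the process is elevated. The function name and the list of "notable" privileges are mine.

```powershell
# Added example, not from the original page. Function name and privilege list are mine.

function Get-AdminContext {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$identity

    # Token group list: includes nested membership, and the SID is listed even when the token
    # is filtered (deny-only), so this answers "am I a member of BUILTIN\Administrators?".
    # S-1-5-32-544 is the well-known SID of the local Administrators group.
    $isMember = [bool]($identity.Groups | Where-Object { $_.Value -eq 'S-1-5-32-544' })

    # IsInRole only honours enabled groups, so this answers "is this process elevated?".
    $isElevated = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    # Integrity level as whoami /groups reports it (a "Mandatory Label" pseudo-group).
    $groups    = whoami /groups /fo csv | ConvertFrom-Csv
    $integrity = ($groups | Where-Object { $_.'Group Name' -like 'Mandatory Label\*' }).'Group Name'

    # Privileges that privesc tooling keys on; same data as whoami /priv. A filtered token
    # shows far fewer of these than the elevated token of the same user.
    $notable = 'SeImpersonatePrivilege', 'SeAssignPrimaryTokenPrivilege', 'SeBackupPrivilege',
               'SeRestorePrivilege', 'SeDebugPrivilege', 'SeTakeOwnershipPrivilege',
               'SeLoadDriverPrivilege', 'SeTcbPrivilege', 'SeManageVolumePrivilege'
    $privs = whoami /priv /fo csv | ConvertFrom-Csv |
             Where-Object { $notable -contains $_.'Privilege Name' } |
             ForEach-Object { "$($_.'Privilege Name') ($($_.State))" }

    [pscustomobject]@{
        User                 = $identity.Name
        AdministratorsMember = $isMember
        Elevated             = $isElevated
        IntegrityLevel       = $integrity
        NotablePrivileges    = ($privs -join '; ')
    }
}

Get-AdminContext | Format-List
```

AdministratorsMember = True with Elevated = False is the UAC bypass scenario; AdministratorsMember = False with an impersonation privilege in NotablePrivileges is the service-account-to-SYSTEM scenario. Run the function again after elevating to see the privilege list change.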

List all usernames

([adsisearcher]"(&(objectClass=User)(samaccountname=*))").FindAll().Properties.samaccountname

Note: (objectClass=user) also matches computer objects; add (objectCategory=person) to the filter to restrict the search to user accounts.

From a Meterpreter session (extapi extension):

load extapi
adsi_user_enum <domain_name>

List administrators

([adsisearcher]"(&(objectClass=User)(admincount=1))").FindAll().Properties.samaccountname

adminCount=1 is set by SDProp on members of protected groups (Administrators, Domain Admins, Enterprise Admins, ...) and is not cleared when the account leaves the group, so this also lists former admins. Treat it as a lead and confirm with the actual group membership.

List all information about a specific user

For the current user, substitute $env:USERNAME for <username>:

([adsisearcher]"(&(objectClass=User)(samaccountname=<username>))").FindAll().Properties

List users (First name, Last name, Mobile phone)

The previous command shows the full set of properties available per object; the filter below keeps only users whose mobile attribute is set.

([adsisearcher]"(&(objectClass=User)(samaccountname=*))").FindAll().Properties | ForEach-Object{ if ($_.mobile -ne $null){ Write-Host $_.cn $_.mobile}}

List all groups with description

([adsisearcher]"(&(objectClass=group)(samaccountname=*))").FindAll().Properties | % { Write-Host $_.samaccountname : $_.description }
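As an added example (not from the original page), one paged [adsisearcher] helper that serves the user, administrator and group queries above, plus the decoding the raw property dumps leave to the reader (disabled flag, password age, description leaks). It assumes a domain-joined host whose current user can read the directory, which any authenticated domain user can by default; the function name and the sample filters are mine.

```powershell
# Added example, not from the original page. Function name is mine.

function Search-Ad {
    param(
        [Parameter(Mandatory)][string]$Filter,
        [string[]]$Properties = @('samaccountname'),
        [string]$SearchBase                 # e.g. 'LDAP://OU=Staff,DC=corp,DC=local'; default: domain root
    )
    $searcher = [adsisearcher]$Filter
    if ($SearchBase) { $searcher.SearchRoot = [adsi]$SearchBase }
    $searcher.PageSize = 1000               # without paging the DC silently stops at MaxPageSize (1000)
    $searcher.PropertiesToLoad.AddRange([string[]]$Properties)
    foreach ($result in $searcher.FindAll()) {
        $row = [ordered]@{}
        foreach ($name in $Properties) {
            # Each property is a ResultPropertyValueCollection ($null when the attribute is unset).
            $values = $result.Properties[$name]
            $row[$name] = switch ($values.Count) { 0 { $null } 1 { $values[0] } default { @($values) } }
        }
        [pscustomobject]$row
    }
}

# (objectClass=user) alone also matches computer accounts; objectCategory=person excludes them.
$user = '(&(objectCategory=person)(objectClass=user))'

# All users with the useraccountcontrol disabled bit (0x2) and pwdLastSet (FILETIME) decoded.
Search-Ad -Filter $user -Properties samaccountname, description, useraccountcontrol, pwdlastset |
    Select-Object samaccountname, description,
        @{ n = 'Disabled';   e = { [bool]($_.useraccountcontrol -band 2) } },
        @{ n = 'PwdLastSet'; e = { if ($_.pwdlastset) { [datetime]::FromFileTime($_.pwdlastset) } } }

# adminCount=1 is sticky (set by SDProp, never cleared), so this includes former admins;
# memberof shows whether the account is still in a privileged group.
Search-Ad -Filter "(&$user(admincount=1))" -Properties samaccountname, memberof

# Description fields that mention a password: a classic finding.
Search-Ad -Filter "(&$user(description=*pass*))" -Properties samaccountname, description

# Groups with description and member count (member is range-limited to 1500 entries per read).
Search-Ad -Filter '(objectClass=group)' -Properties samaccountname, description, member |
    Select-Object samaccountname, description, @{ n = 'Members'; e = { @($_.member).Count } }
```

Pass -SearchBase to scope a query to one OU when the domain is large; all queries go over LDAP to the DC the host is already talking to, so they blend into normal directory traffic.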

Kerberos user enumeration

nmap <ip> -p 88 --script krb5-enum-users --script-args krb5-enum-users.realm='<realm>'

List logged-on users

wmic /node:<ip|@list_ip.txt> path win32_loggedonuser get antecedent

Find files

Searches everything below the given path; the file name accepts wildcards (e.g. *.config). In the PowerShell form, 2>$null discards access-denied errors so the listing is not interrupted.

dir /b /s C:\<file>
ls -r C:\ <file> 2>$null | % { echo $_.fullname }

Hidden files and directories

dir /ah

Print content file

ls -r C:\ <file> 2>$null | % { gc $_.fullname }

Find keyword

findstr /N /S /I "<keyword>" C:\<base_dir>\[*.ext]
ls -r C:\<base_dir> | % { Select-String -Path $_ -Pattern <keyword> } 2>$null
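As an added example (not from the page), the file and keyword searches above combined into one pass with the guards the one-liners lack: hidden files are included, access-denied folders are skipped, binary formats are reported by name instead of being grepped, and a size cap keeps Select-String off large logs. The function name, the start directories, the name patterns and the keyword list are my starting set.

```powershell
# Added example, not from the original page. Function names, patterns and keywords are mine.

function Test-Glob([string]$Name, [string[]]$Globs) {
    foreach ($g in $Globs) { if ($Name -like $g) { return $true } }
    $false
}

function Find-InterestingFiles {
    param(
        [string[]]$Root      = @('C:\Users', 'C:\inetpub', 'C:\ProgramData', 'C:\Windows\Panther'),
        [string[]]$ByName    = @('*.kdbx', '*.rdp', '*.ppk', 'id_rsa', '*.pfx', '*.p12',
                                 'unattend*.xml', 'sysprep*.xml', 'web.config'),
        [string[]]$TextTypes = @('*.txt', '*.ini', '*.config', '*.xml', '*.json', '*.ps1',
                                 '*.bat', '*.cmd', '*.vbs', '*.log', '*.yml', '*.yaml'),
        [string[]]$Keywords  = @('password', 'passwd', 'pwd=', 'connectionstring', 'secret', 'apikey'),
        [int]$MaxSizeKB      = 4096
    )
    # One case-insensitive alternation; keywords are escaped so '.' or '=' are literal.
    $pattern = ($Keywords | ForEach-Object { [regex]::Escape($_) }) -join '|'

    foreach ($dir in $Root) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        # -Force also returns hidden/system entries (dir /ah); errors from ACL-denied
        # folders and junction loops are dropped instead of aborting the walk.
        $files = Get-ChildItem -LiteralPath $dir -Recurse -Force -File -ErrorAction SilentlyContinue

        foreach ($f in $files) {
            # 1) Interesting by name alone (key stores, RDP/SSH material, answer files).
            if (Test-Glob $f.Name $ByName) {
                [pscustomobject]@{ Kind = 'Name'; Path = $f.FullName; Line = $null; Text = $f.Name }
                continue
            }
            # 2) Keyword hits inside small text files only.
            if ($f.Length -gt $MaxSizeKB * 1KB) { continue }
            if (-not (Test-Glob $f.Name $TextTypes)) { continue }
            Select-String -LiteralPath $f.FullName -Pattern $pattern -ErrorAction SilentlyContinue |
                ForEach-Object {
                    [pscustomobject]@{ Kind = 'Content'; Path = $_.Path; Line = $_.LineNumber
                                       Text = $_.Line.Trim() }
                }
        }
    }
}

Find-InterestingFiles | Format-Table -AutoSize
# or keep the evidence: Find-InterestingFiles | Export-Csv .\hits.csv -NoTypeInformation
```

Widen -Root to C:\ only when you have time: a full-disk walk with -Force is slow and noisy in file-access auditing, while the default directories hold most credentials in practice.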

Processes

Execute

wmic process call create "<command>"

List

wmic process list brief

Kill

wmic process where processid="<pid>" delete
wmic process where name="<process_name>" delete

Executables

PowerShell code to determine if a file is a .NET assembly (throws BadImageFormatException if it is not managed code)

[Reflection.AssemblyName]::GetAssemblyName("<C:\Path\To\File.exe>")

Scheduled jobs

schtasks /query /fo LIST /v

Services

Use sc against a remote host through an administrative SMB session by prepending \\[targetIP]
Example: sc \\[targetIP] query
In PowerShell, sc is an alias for Set-Content; call sc.exe explicitly there.

List all running services

sc query
sc query | find /i "<service_name>"
wmic service where started=true get name, startname
net start

Link processes to services

tasklist /SVC

List all services

sc query state= all
sc query state= all | find /i "<service_name>"

Show service detail

sc qc <service_name>

Start and stop a service

sc start <service_name>
sc stop <service_name>

If the service's START_TYPE is DISABLED, set it to DEMAND_START (manual) before starting it. The space after start= is required by sc's parser.

sc config <service_name> start= demand
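As an added example (not from the page), the Services section as one object per service: Win32_Service joined to Win32_Process (the tasklist /SVC view), the sc qc details, and, going a step beyond plain listing, two flags a practitioner checks next: an unquoted image path containing spaces, and an image that lives outside %SystemRoot%. The function name is mine; the parsing of PathName is my own heuristic.

```powershell
# Added example, not from the original page. Function name is mine.

function Get-ServiceInventory {
    $proc = @{}
    Get-CimInstance Win32_Process | ForEach-Object { $proc[[int]$_.ProcessId] = $_.Name }

    Get-CimInstance Win32_Service | ForEach-Object {
        $cmd = [string]$_.PathName
        # Isolate the image from its arguments: a quoted path ends at the closing quote; an
        # unquoted one is whatever precedes the first .exe/.sys (service images are PE files).
        $image = if ($cmd -match '^"([^"]*)"') { $Matches[1] }
                 elseif ($cmd -match '^(.+?\.(?:exe|sys))') { $Matches[1] }
                 else { $cmd }
        # Unquoted + spaces: CreateProcess tries C:\Program.exe, then "C:\Program Files\Foo.exe", ...
        # before the intended binary, so a writable parent directory lets a user plant one.
        $unquoted  = ($cmd -notmatch '^"') -and ($image -match '\s')
        $nonSystem = [bool]$image -and -not $image.StartsWith($env:SystemRoot, [StringComparison]::OrdinalIgnoreCase)
        $pname     = if ($_.ProcessId) { $proc[[int]$_.ProcessId] } else { $null }

        [pscustomobject]@{
            Name         = $_.Name
            State        = $_.State
            StartMode    = $_.StartMode
            RunsAs       = $_.StartName
            PID          = $_.ProcessId
            Process      = $pname
            Image        = $image
            UnquotedPath = $unquoted
            NonSystem    = $nonSystem
        }
    }
}

$inv = Get-ServiceInventory
# sc query + tasklist /SVC
$inv | Where-Object State -eq 'Running' | Format-Table Name, PID, Process, RunsAs, Image -AutoSize
# candidates for a closer look (then check the ACLs on the image and its parent directories)
$inv | Where-Object { $_.UnquotedPath -or $_.NonSystem } |
    Format-Table Name, StartMode, RunsAs, Image, UnquotedPath -AutoSize
```

A flagged service is only interesting if it runs as LocalSystem or another privileged account (RunsAs) and can be started by the current user or restarts on boot (StartMode), which is why those columns sit next to the flags.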

WMIC inventory (HTML report)

https://gist.github.com/xorrior/67ee741af08cb1fc86511047550cdaf4

Run the following as a .bat file from an elevated shell (the %%A form is batch syntax; at an interactive prompt use %A instead). The loop locates htable.xsl, the stylesheet wmic uses to render HTML tables, and stores its path in %var%. Note that wmic is deprecated and may be absent on the newest Windows 11 releases, where it is an optional feature.

for /f "delims=" %%A in ('dir /s /b %WINDIR%\system32\*htable.xsl') do set "var=%%A"

wmic process get CSName,Description,ExecutablePath,ProcessId /format:"%var%" >> out.html
wmic service get Caption,Name,PathName,ServiceType,Started,StartMode,StartName /format:"%var%" >> out.html
wmic USERACCOUNT list full /format:"%var%" >> out.html
wmic group list full /format:"%var%" >> out.html
wmic nicconfig where IPEnabled='true' get Caption,DefaultIPGateway,Description,DHCPEnabled,DHCPServer,IPAddress,IPSubnet,MACAddress /format:"%var%" >> out.html
wmic volume get Label,DeviceID,DriveLetter,FileSystem,Capacity,FreeSpace /format:"%var%" >> out.html
wmic netuse list full /format:"%var%" >> out.html
wmic qfe get Caption,Description,HotFixID,InstalledOn /format:"%var%" >> out.html
wmic startup get Caption,Command,Location,User /format:"%var%" >> out.html
wmic PRODUCT get Description,InstallDate,InstallLocation,PackageCache,Vendor,Version /format:"%var%" >> out.html
wmic os get name,version,InstallDate,LastBootUpTime,LocalDateTime,Manufacturer,RegisteredUser,ServicePackMajorVersion,SystemDirectory /format:"%var%" >> out.html
wmic Timezone get DaylightName,Description,StandardName /format:"%var%" >> out.html