Enumeration

Users

Basic info

whoami /all
whoami /priv
whoami /groups

Execute command as other user (I)

$p = ConvertTo-SecureString 'password' -AsPlainText -Force
$c = New-Object System.Management.Automation.PSCredential ('user',$p)
Start-Process -Credential $c -NoNewWindow -ArgumentList "-Command & { whoami }" -FilePath "powershell"

Execute command as other user (II)

En caso de tener credenciales, podemos ejecutar comandos sin necesitar una shell:

Función de bash tomada de un directo en twitch de s4vitar

PSCredential () {
    echo -e "\n\t[+] \$user = 'user'"
    echo -e "\t[+] \$pw = 'password'"
    echo -e "\t[+] \$secpw = ConvertTo-SecureString \$pw -AsPlainText -Force"
    echo -e "\t[+] \$cred = New-Object System.Management.Automation.PSCredential \$user, \$secpw"
    echo -e "\t[+] Invoke-Command -ComputerName localhost -Credential \$cred -ScriptBlock { whoami }"
}

Files

Search content inside

type <file> | findstr "text_to_search"

Permissions

icacls

Find files

Get-ChildItem -Path C:\ -Filter f.txt -Recurse -ErrorAction SilentlyContinue -Force

Registers

List installed programs

cmd /c REG QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

Ports & Hosts

Discover internal hosts (I)

Para descubrir dispositivos que esten en la misma interfaz nuestra, podemos usar PowerShell, creamos un archivo .ps1 con el siguiente contenido y ejecutamos:

$ips = 1..254 | ForEach-Object { "192.168.40.$_" }  # Generamos IPS

foreach ($ip in $ips) {
  $job = Start-Job -ScriptBlock { param($ip) ping -n 1 $ip | Out-Null } -ArgumentList $ip

  Start-Sleep -Seconds 1

  if ($job.State -eq "Running") {
    Stop-Job -Job $job
  } else {
    Write-Output "IP Activa: $ip"
  }

  Remove-Job -Job $job
}

Discover internal hosts (II)

arp -d
for /L %a in (1,1,254) do @start /b ping 192.168.20.%a -w 100 -n 2 >nul
arp -a

Computers

System info

systeminfo
netstat -a # See active connections (ports)
wmic qfe # Show us a list of installed and updated software

Remote Desktop

xfreerdp /v:IP /u:USER /p:PASSWORD

On hand commands

Get-WmiObject -Class win32_OperatingSystem 	Get information about the operating system
icacls <directory> 	View the permissions set on a directory
icacls c:\users /grant joe:f 	Grant a user full permissions to a directory
icacls c:\users /remove joe 	Remove a users' permissions on a directory
New-Alias -Name "Show-Files" Get-ChildItem 	Create a new PowerShell alias
Get-ExecutionPolicy -List 	View the PowerShell execution policy
Set-ExecutionPolicy Bypass -Scope Process 	Set the PowerShell execution policy to bypass for the current session
wmic os list brief 	Get information about the operating system with wmic
Get-MpComputerStatus 	Check which Defender protection settings are enabled
wmic useraccount get name,sid     Show Name and SID from system users with wmic

Sysinternals tools

The SysInternals Tools suite is a set of portable Windows applications that can be used to administer Windows systems (for the most part without requiring installation). The tools can be either downloaded from the Microsoft website or by loading them directly from an internet-accessible file share by typing \\live.sysinternals.com\tools into a Windows Explorer window.

\\live.sysinternals.com\tools\procdump.exe -accepteula
PreviousWritable $PATHNextUseful Commands

Last updated