# Enumeration

## Users

### Basic info

```powershell
whoami /all
whoami /priv
whoami /groups
```

### Execute command as other user (I)

```powershell
$p = ConvertTo-SecureString 'password' -AsPlainText -Force
$c = New-Object System.Management.Automation.PSCredential ('user',$p)
Start-Process -Credential $c -NoNewWindow -ArgumentList "-Command & { whoami }" -FilePath "powershell"
```

### Execute command as other user (II)

If we have credentials, we can run commands as that user without needing a shell:

> **bash** helper function taken from a [s4vitar](https://www.twitch.tv/s4vitaar) Twitch stream

```bash
PSCredential () {
    echo -e "\n\t[+] \$user = 'user'"
    echo -e "\t[+] \$pw = 'password'"
    echo -e "\t[+] \$secpw = ConvertTo-SecureString \$pw -AsPlainText -Force"
    echo -e "\t[+] \$cred = New-Object System.Management.Automation.PSCredential \$user, \$secpw"
    echo -e "\t[+] Invoke-Command -ComputerName localhost -Credential \$cred -ScriptBlock { whoami }"
}
```

## Files

### Search content inside

```powershell
type <file> | findstr "text_to_search"
```

### Permissions

```powershell
icacls <file_or_directory>
```

### Find files

```powershell
Get-ChildItem -Path C:\ -Filter f.txt -Recurse -ErrorAction SilentlyContinue -Force
```

## Registry

### List installed programs

```powershell
cmd /c REG QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
```
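A PowerShell version of the same inventory, added here as an example (it is not part of the original cheat sheet), that also reads the 32-bit (`WOW6432Node`) and per-user (`HKCU`) Uninstall keys the single `REG QUERY` above does not cover. The key paths are the standard Windows locations; the function name `Get-InstalledProgram` is an assumption of this example:

```powershell
# Added example: enumerate installed programs from all three Uninstall keys.
# Key paths are the standard Windows locations; the function name is our own.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'              # native (64-bit) machine-wide installs
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'  # 32-bit installs on 64-bit Windows
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'              # per-user installs of the current user
)

function Get-InstalledProgram {
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |          # hidden components carry no DisplayName
        Select-Object DisplayName, DisplayVersion, Publisher, InstallDate,
            @{ Name = 'Scope'; Expression = { if ($_.PSPath -like '*HKEY_CURRENT_USER*') { 'User' } else { 'Machine' } } } |
        Sort-Object DisplayName
}

# Print the inventory; pipe to Export-Csv instead to keep a baseline for a later comparison.
Get-InstalledProgram | Format-Table -AutoSize
```

The `Scope` column is derived from the provider path of each key, so per-user entries (only those of the current user are visible) are separated from machine-wide ones; saving the output as CSV gives a baseline that can be diffed against a later run to spot software that appeared in the meantime.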

## Ports & Hosts

### Discover internal hosts (I)

To discover devices on the same interface as ours, we can use **PowerShell**: create a `.ps1` file with the following content and run it:

```powershell
$ips = 1..254 | ForEach-Object { "192.168.40.$_" }  # Generate the candidate IPs

foreach ($ip in $ips) {
  # Ping once in a background job so a silent host cannot block the loop
  $job = Start-Job -ScriptBlock { param($ip) ping -n 1 $ip | Out-Null } -ArgumentList $ip

  Start-Sleep -Seconds 1

  # Still running after a second: ping is waiting on its timeout, so treat the host as down
  if ($job.State -eq "Running") {
    Stop-Job -Job $job
  } else {
    Write-Output "Active IP: $ip"
  }

  Remove-Job -Job $job
}
```
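An added example (not part of the original script) that addresses two weaknesses of the loop above: it decides liveness by how long `ping` takes to return, so a quick "Destination host unreachable" from the local gateway is reported as an active host, and it spends a full second per address. The variant below starts all probes as jobs at once and keeps only the addresses for which `Test-Connection -Quiet` saw an actual echo reply; the `192.168.40` prefix and the 30-second budget are assumptions:

```powershell
# Added example: parallel ping sweep that keeps only hosts that returned an ICMP
# echo reply. The subnet prefix and the time budget are assumptions.
$prefix = "192.168.40"   # assumed subnet; use the one of the interface being swept
$budget = 30             # seconds to wait for all probes before giving up on stragglers

# One background job per address; each returns an object with the probe result.
$jobs = foreach ($i in 1..254) {
    Start-Job -ArgumentList "$prefix.$i" -ScriptBlock {
        param($target)
        # -Quiet yields $true only for a real echo reply, so a quick
        # "Destination host unreachable" from the gateway counts as down.
        [pscustomobject]@{
            IP    = $target
            Alive = [bool](Test-Connection -ComputerName $target -Count 1 -Quiet -ErrorAction SilentlyContinue)
        }
    }
}

# Collect whatever finished inside the budget, then clean up every job.
$null    = Wait-Job -Job $jobs -Timeout $budget
$results = Receive-Job -Job $jobs -ErrorAction SilentlyContinue
$jobs | Stop-Job
$jobs | Remove-Job -Force

# Report live hosts in address order.
$results |
    Where-Object { $_.Alive } |
    Sort-Object { [version]$_.IP } |
    ForEach-Object { Write-Output "Active IP: $($_.IP)" }
```

Run it the same way as the script above. Each job is a separate PowerShell process, so on a low-memory host reduce the range or sweep it in chunks; the whole sweep still finishes in a few seconds rather than the four minutes the sequential loop needs.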

### Discover internal hosts (II)

```cmd
rem cmd.exe batch syntax, typed at a cmd prompt (use %%a inside a .bat file)
rem Clear the ARP cache (needs elevation), ping every host in the background, then read the cache back
arp -d
for /L %a in (1,1,254) do @start /b ping 192.168.20.%a -w 100 -n 2 >nul
arp -a
```

## Computers

### System info

```powershell
systeminfo
netstat -a # See active connections and listening ports
wmic qfe   # List installed hotfixes (Windows updates, Quick Fix Engineering)
```

### Remote Desktop

```bash
xfreerdp /v:IP /u:USER /p:PASSWORD
```

## On hand commands

| Command | Description |
|---|---|
| `Get-WmiObject -Class win32_OperatingSystem` | Get information about the operating system |
| `icacls <directory>` | View the permissions set on a directory |
| `icacls c:\users /grant joe:f` | Grant a user full permissions to a directory |
| `icacls c:\users /remove joe` | Remove a user's permissions on a directory |
| `New-Alias -Name "Show-Files" Get-ChildItem` | Create a new PowerShell alias |
| `Get-ExecutionPolicy -List` | View the PowerShell execution policy |
| `Set-ExecutionPolicy Bypass -Scope Process` | Set the PowerShell execution policy to bypass for the current session |
| `wmic os list brief` | Get information about the operating system with wmic |
| `Get-MpComputerStatus` | Check which Defender protection settings are enabled |
| `wmic useraccount get name,sid` | Show name and SID of the system's user accounts with wmic |

## Sysinternals tools

> The [SysInternals Tools suite](https://docs.microsoft.com/en-us/sysinternals) is a set of portable Windows applications that can be used to administer Windows systems (for the most part without requiring installation). The tools can be either downloaded from the Microsoft website or by loading them directly from an internet-accessible file share by typing `\\live.sysinternals.com\tools` into a Windows Explorer window.

```powershell
\\live.sysinternals.com\tools\procdump.exe -accepteula
```
