Host Recon
For automated enumeration of potential privilege escalation (PE) vectors see here.
Get Help

CMD:
# List available commands
help
# Help for a specified command
help <command>
<command> /?

PowerShell:
# List available commands
Get-Command
# Help for a specified command
Get-Help <command>
<command> -?

Networking
All the below commands work with both CMD and PowerShell.

General networking information, such as interfaces, IP addresses, and DNS:
ipconfig /all

Check recent communications via the ARP table:
arp -a

List active TCP and UDP connections:
netstat -ano

List recent and persistent routes:
route print

Test whether a TCP port on a remote host is reachable (PowerShell):
Test-NetConnection -ComputerName 192.168.210.12 -Port 5985

Ping a host once and return only True/False (PowerShell):
Test-Connection -Count 1 -ComputerName 10.10.10.10 -Quiet

System
# General system information
systeminfo
# Name of the host
hostname
# Operating system version
[environment]::OSVersion.Version
ver
echo %OS%
# Environment variables
dir env:
set
# Display the value of a specific variable (set without '=' lists variables whose name starts with the given prefix)
set PATH
echo %PATH%
# Named pipes
gci \\.\pipe\
# Clipboard
Get-Clipboard

# Installed applications (Win32_Product is slow and triggers a consistency check of every MSI package)
Get-WmiObject -Class Win32_Product | select Name, Version
wmic product get name
# Installed applications (registry key queries)
# 32-bit apps
Get-ItemProperty "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname
GCI 'c:\program files (x86)'
# 64-bit apps
Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname
GCI 'c:\program files'

# List running processes
tasklist
Get-Process
# Information about a specific process
Get-Process -Id <PID>
tasklist /FI "PID eq <PID>"
Get-Process -Name <process-name> | Format-List *

# Running services
Get-CimInstance -ClassName win32_service | Select Name, State, PathName | Where-Object { $_.State -eq "Running" }
tasklist /svc
net start
wmic service list brief # deprecated
# Auto-run services
wmic service get name,displayname,pathname,startmode |findstr /i "auto"
# Manage a service
net <start | stop | pause | continue> <service>
# Query running services
sc query type= service
# Check which account each process runs as (CIM instances have no GetOwner() method, so it is called through Invoke-CimMethod)
Get-CimInstance Win32_Process | Select-Object ProcessId, Name, @{Name="User";Expression={(Invoke-CimMethod -InputObject $_ -MethodName GetOwner).User}}
# Query a service's configuration, including the account it runs as (SERVICE_START_NAME)
sc qc <service>
# Create a new service
sc create MyTestService binPath= "C:\Path\To\yourbinary.exe"
# Start / stop a service
sc <start | stop> <service>
# Modify the start type (while disabled, the service won't start with 'sc start <service>')
sc config <service> start= disabled
# Revert the change
sc config <service> start= auto

# Logon server (domain controller) that authenticated the current user; on a standalone host this is the machine's own hostname
echo %LOGONSERVER%
# The location of the current user's home directory
echo %USERPROFILE%

Users & Groups
# Domain/username (domain-joined) or NetBIOS/username (non domain-joined)
whoami # can be used to infer the purpose and type of the machine
# List current user's privileges
whoami /priv
# List current user's information
whoami /all
# List domain users (net.exe only lists user objects, not group objects, so it can miss nested group memberships)
net user /domain
# List local users
Get-LocalUser
# Query about the specified user
net user robert /domain
# List active (logged-on) users (works only on Windows Servers)
query user

# List current user's groups
whoami /groups
# List local groups
net localgroup
# List domain groups (works only on a DC)
net group /domain
Get-LocalGroup
# Query about the specified group
net group 'Domain Admins' /domain
# List group members
net localgroup <group>
Get-LocalGroupMember <group>

Shared Resources
All the below commands work with both CMD and Powershell.
# List resources
net share

Protections
Check Windows Defender's (WD) status with PS:
Get-MpComputerStatus

Check WD's status with CMD:
sc query windefend

Check AppLocker's rules and policies with PS:
# AppLocker rules
Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections
# AppLocker policy: test whether the local policy allows a given binary for a given user
Get-AppLockerPolicy -Local | Test-AppLockerPolicy -Path C:\Windows\System32\cmd.exe -User Everyone

List hotfixes with both CMD and PS:
wmic qfe

Files
PowerShell (PS) uses different host types depending on how it's being accessed, so the (Get-PSReadlineOption).HistorySavePath command will point to different files:
If the PS process is spawned locally (e.g. via SSH or RDP) → ConsoleHost_history.txt
If the PS process is spawned remotely (e.g. via WinRM) → ServerRemoteHost_history.txt
PowerShell:
# List all files, including hidden ones
Get-ChildItem -Force
# All dirs and files
GCI C:\Users\User -Force
# Only hidden files
GCI C:\Users\User\ -Hidden
# Search for a specific file
Get-ChildItem -Path C:\ -Filter local.txt -Recurse -ErrorAction SilentlyContinue -Force
# Config files, temp saves
GCI C:\Users\User\AppData
# Check PS's host type
$Host.Name
# PS history of the current user
(Get-PSReadlineOption).HistorySavePath
# PS history file of another user
Get-Content C:\Users\<user>\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
# History files of all host's users (assuming default path)
foreach($user in ((ls C:\users).fullname)){cat "$user\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt" -ErrorAction SilentlyContinue}
# Documents in the user's home directory
Get-ChildItem -Path C:\Users\dave\ -Include *.txt,*.pdf,*.xls,*.xlsx,*.doc,*.docx -File -Recurse -ErrorAction SilentlyContinue

CMD:
# List all files, including hidden ones
dir /a
# Search for a specific file
dir C:\local.txt /s /a
dir C:\ /s /a /b | findstr /i "local.txt"

# Search file contents for a specific string (/S searches subdirectories, /I is case-insensitive, /M prints only the names of matching files; /C:"..." specifies the literal search string and has nothing to do with where the search starts, which is always the beginning of each file named in the command)
findstr /SIM /C:"pass" *.txt *.ini *.cfg *.config *.xml
# KeePass database files
Get-ChildItem -Path C:\ -Include *.kdbx -File -Recurse -ErrorAction SilentlyContinue
# XAMPP configuration files
Get-ChildItem -Path C:\xampp -Include *.txt,*.ini -File -Recurse -ErrorAction SilentlyContinue
# Chrome dictionary files
gc 'C:\Users\bob\AppData\Local\Google\Chrome\User Data\Default\Custom Dictionary.txt' | Select-String password

# Check permissions
icacls c:\windows\myfolder
# Grant full permissions
icacls c:\windows\myfolder /grant <USER>:f
# Remove permissions
icacls c:\users /remove <USER>

PowerShell provides a convenient mechanism for storing encrypted credentials, commonly used in scripting and automation. These credentials are protected using the Data Protection API (DPAPI), which enforces that decryption is only possible by the same user account on the same system where the credentials were originally created.
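As an added Python example (not part of the original page), the inspector below parses the CLIXML that Export-Clixml writes for a PSCredential and reports whether the password is a DPAPI blob, recognised by the DPAPI provider GUID header, or was exported in cleartext; the sample XML is constructed and its blob is not real ciphertext.

```python
import re
import xml.etree.ElementTree as ET

# Namespace Export-Clixml uses for serialized objects.
PS_NS = {"ps": "http://schemas.microsoft.com/powershell/2004/04"}
# DPAPI blobs start with version 1 and the DPAPI provider GUID
# df9d8cd0-1501-11d1-8c7a-00c04fc297eb (fields in little-endian order).
DPAPI_HEADER = bytes.fromhex("01000000d08c9ddf0115d1118c7a00c04fc297eb")

# Constructed sample in the shape Export-Clixml writes for a PSCredential;
# the <SS> hex is a made-up, truncated DPAPI blob, not real ciphertext.
SAMPLE_CLIXML = """<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
 <Obj RefId="0">
  <TN RefId="0"><T>System.Management.Automation.PSCredential</T><T>System.Object</T></TN>
  <ToString>System.Management.Automation.PSCredential</ToString>
  <Props>
   <S N="UserName">x7331</S>
   <SS N="Password">01000000d08c9ddf0115d1118c7a00c04fc297eb00000000aabbccdd</SS>
  </Props>
 </Obj>
</Objs>"""


def inspect_clixml_credential(xml_text: str) -> dict:
    """Report whose credential is stored and whether the secret is
    DPAPI-wrapped (bound to the exporting user) or sitting in cleartext."""
    obj = ET.fromstring(xml_text).find("ps:Obj", PS_NS)
    if obj is None:
        raise ValueError("no serialized object in file")
    types = [t.text for t in obj.findall("ps:TN/ps:T", PS_NS)]
    if "System.Management.Automation.PSCredential" not in types:
        raise ValueError("not a PSCredential export")
    user = obj.findtext("ps:Props/ps:S[@N='UserName']", namespaces=PS_NS)
    # <SS> is a SecureString (DPAPI hex); <S N="Password"> would be cleartext.
    secure = obj.findtext("ps:Props/ps:SS[@N='Password']", namespaces=PS_NS)
    plain = obj.findtext("ps:Props/ps:S[@N='Password']", namespaces=PS_NS)
    if secure is None:
        return {"user": user, "dpapi_protected": False,
                "cleartext": plain is not None, "blob_bytes": 0}
    if not re.fullmatch(r"(?:[0-9a-fA-F]{2})+", secure):
        raise ValueError("SecureString payload is not hex")
    blob = bytes.fromhex(secure)
    return {"user": user,
            "dpapi_protected": blob.startswith(DPAPI_HEADER),
            "cleartext": False, "blob_bytes": len(blob)}
```

A file that reports cleartext=True, or a blob without the DPAPI header, is one an audit should flag, since nothing ties it to the owning account.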
Consider a scenario where a script, such as Connect-VC.ps1, has been configured to connect to a vCenter server:
# Create the credential file (Get-Credential opens a prompt)
Get-Credential | Export-Clixml -Path 'C:\scripts\pass.xml'

# Connect-VC.ps1: load the stored credential and use it
$encryptedPassword = Import-Clixml -Path 'C:\scripts\pass.xml'
$decryptedPassword = $encryptedPassword.GetNetworkCredential().Password
Connect-VIServer -Server 'VC-01' -User 'x7331_adm' -Password $decryptedPassword

While secure in normal operation, this protection is only as strong as the isolation of the user context. If command execution is obtained under the same user, or if DPAPI protections can be bypassed, the cleartext password can be retrieved directly from the stored credential file:
> $credential = Import-Clixml -Path 'C:\scripts\pass.xml'
> $credential.GetNetworkCredential().username
x7331
> $credential.GetNetworkCredential().password
Passw0rd123!

Writable Directories
C:\Windows\System32\spool\drivers\color
C:\Windows\Tasks
C:\Users\Public # similar to \Temp but more stealthy
C:\Windows\Temp # all users have rwx
C:\Users\<user>\AppData\Local\Temp # similar to above, but user-only
C:\windows\tracing
C:\Windows\Registration\CRMLog
C:\Windows\System32\FxsTmp
C:\Windows\System32\com\dmp
C:\Windows\System32\Microsoft\Crypto\RSA\MachineKeys
C:\Windows\System32\spool\PRINTERS
C:\Windows\System32\spool\SERVERS
C:\Windows\System32\Tasks\Microsoft\Windows\SyncCenter
C:\Windows\System32\Tasks_Migrated
C:\Windows\SysWOW64\FxsTmp
C:\Windows\SysWOW64\com\dmp
C:\Windows\SysWOW64\Tasks\Microsoft\Windows\SyncCenter
C:\Windows\SysWOW64\Tasks\Microsoft\Windows\PLA\System

Test access:
# Move into the target directory
cd C:\Windows\Temp
# Create a file
echo "test" > test
# List the file's contents
type test

Use another user's credentials
# Create a PSCredential object
$pass = ConvertTo-SecureString '<password>' -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential('<domain>\<user>', $pass)
# Add the target user to the group with PowerView
Add-DomainGroupMember -Identity '<group>' -Members '<user>' -Credential $creds
# Confirm
Get-DomainUser <user> -Credential $creds
# Execute remote commands on another host
Invoke-Command -ComputerName DC -Credential $creds -ScriptBlock { whoami; hostname }

Binaries
We can transfer the binary to a Unix-based attacking host and run strings on it:
# strings with 16-bit little-endian encoding (-e l), which is how Windows binaries store their UTF-16 text
strings -el <FILE> | grep pass
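What `strings -el | grep` actually matches, as an added Python example (not from the original page) that can be run on an analysis box without binutils: it reports runs of printable UTF-16LE characters and filters them by keyword; the sample bytes are constructed.

```python
import re
from typing import List

# strings -el reports runs of printable 16-bit little-endian characters,
# which is how Windows PE files store most of their text (UTF-16LE).
MIN_LEN = 4

# Constructed sample mimicking a PE fragment: an 8-bit string, two UTF-16LE
# strings, and junk bytes between them.
SAMPLE_BINARY = (
    b"MZ\x90\x00\x03\x00"                      # PE-like header bytes
    + b"ascii-only-text\x00\x00"               # 8-bit string, not reported by -el
    + "Server=db01;Password=Passw0rd123!".encode("utf-16-le") + b"\x00\x00"
    + b"\xff\xfe\x01\x02"                      # junk between strings
    + "SOFTWARE\\Vendor\\App".encode("utf-16-le") + b"\x00\x00"
    + b"A\x00"                                 # single wide char, below MIN_LEN
)


def wide_strings(data: bytes, min_len: int = MIN_LEN) -> List[str]:
    """Return every run of at least min_len printable UTF-16LE characters."""
    # Printable ASCII encoded as <byte, 0x00> pairs, matched at any byte offset.
    pattern = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    return [m.group().decode("utf-16-le") for m in pattern.finditer(data)]


def find_secrets(data: bytes, keyword: str = "pass") -> List[str]:
    """Wide strings containing the keyword, case-insensitive (strings -el | grep -i)."""
    return [s for s in wide_strings(data) if keyword.lower() in s.lower()]
```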