Overview
Current users privs
whoami /priv
Current user details (all)
whoami /all
List users
net user
User details
net user <username>
List other logged in users
qwinsta
query session
List user groups
net localgroup
Group details
net localgroup <groupname>
Add user (interactive, requires user interaction)
net user <username> <password> /add
Add user (non-interactive)
net user <username> /add
net user <username> <password>
Add user to group (e.g. administrators)
net localgroup administrators <username> /add
Change password
net user <username> <password>
System info
systeminfo
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
hostname
Patch level
wmic qfe get Caption,Description,HotFixID,InstalledOn
Network connections
netstat -ano
Scheduled tasks
schtasks
schtasks /query /fo LIST /v
Driver
driverquery
Installed software (slow)
wmic product get name,version,vendor
Alternative
wmic service list brief
Services
sc query
sc start <service>
sc stop <service>
sc config <service> <options>
Antivirus
sc query windefend
sc queryex type= service
Searching files
findstr /si <term> <ext>
findstr /si password *.txt
Find a program with a missing DLL, or abuse the DLL search-path order, to get your own DLL loaded.
Finding unquoted service paths
wmic service get name,displayname,pathname,startmode
sc qc <service>
Check if we have write permission in a suitable path.
.\accesschk64.exe /accepteula -uwdq <path>
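As an added example (not part of the original cheat sheet), the logic behind the two commands above in Python: it parses constructed `sc qc` output for a hypothetical service, works out which executables Windows would probe before the real binary when the path is unquoted and contains spaces, and lists the directories whose ACLs should be checked with accesschk or icacls. The service name, path and output text are all made up.

```python
import ntpath
import re

# Constructed `sc qc <service>` output for an imaginary service (not from any real host).
SAMPLE_SC_QC = r"""
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: ExBackup
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : C:\Program Files\Example Corp\Backup Agent\agent.exe
        DISPLAY_NAME       : Example Backup Agent
        SERVICE_START_NAME : LocalSystem
"""

def unquoted_path_candidates(pathname):
    """Executables Windows would look for *before* the intended binary when a
    service path is unquoted and contains spaces. A quoted path, or one whose
    binary part has no spaces, is unambiguous and yields []."""
    p = pathname.strip()
    if not p or p.startswith('"'):
        return []
    # The binary is everything up to the first token ending in .exe; the rest is arguments.
    m = re.match(r'(.*?\.exe)(?:\s|$)', p, re.IGNORECASE)
    if not m or ' ' not in m.group(1):
        return []
    # Every space is a possible split point; .exe is appended when no extension is given.
    return [m.group(1)[:i] + '.exe' for i, ch in enumerate(m.group(1)) if ch == ' ']

def binary_path_from_sc_qc(sc_qc_output):
    """Pull BINARY_PATH_NAME out of `sc qc` output. Splitting on the first
    colon only keeps the drive letter's colon intact."""
    for line in sc_qc_output.splitlines():
        key, sep, value = line.partition(':')
        if sep and key.strip() == 'BINARY_PATH_NAME':
            return value.strip()
    return None

def audit_service(sc_qc_output):
    """Flag an unquoted path and list the directories whose ACLs to check with
    accesschk/icacls; if a low-privileged user can write to any of them, the
    fix is to quote the path (sc config <service> binPath= "...")."""
    path = binary_path_from_sc_qc(sc_qc_output) or ''
    candidates = unquoted_path_candidates(path)
    dirs = list(dict.fromkeys(ntpath.dirname(c) for c in candidates))  # dedupe, keep order
    return {'binary_path': path, 'unquoted_with_spaces': bool(candidates),
            'probed_before_real_binary': candidates, 'dirs_to_check': dirs}
```

Feed it the real `sc qc` output of each service listed by the wmic query above; only services whose `dirs_to_check` include a directory writable by non-administrators need fixing.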
Mount smb share
New-PSDrive -Name "<share-name>" -PSProvider "FileSystem" -Root "\\<ip>\<smb-share>"
Access with
cd <share-name>:
This tool compares a target's patch level against the Microsoft vulnerability database to detect potentially missing patches on the target. It also notifies the user if public exploits and Metasploit modules are available for the missing bulletins. GitHub - AonCyberLabs/Windows-Exploit-Suggester; Windows Exploit Suggester - Next Generation (WES-NG)
windows-exploit-suggester.py --update
windows-exploit-suggester.py --database 2021-09-21-mssb.xls --systeminfo sysinfo_output.txt
winpeas.exe > <output-file>
Enumerates missing KBs and suggests exploits for useful privilege escalation vulnerabilities. GitHub - rasta-mouse/Watson
Watson.exe
Seatbelt is a C# project that performs a number of security-oriented host-survey "safety checks" relevant from both offensive and defensive security perspectives. GitHub - GhostPack/Seatbelt
Seatbelt.exe -group=all -outputfile=<path>
PowerShell script to quickly find missing software patches for local privilege escalation vulnerabilities. GitHub - rasta-mouse/Sherlock
Sherlock.ps1
FindAllVulns
dir /r
powershell (Get-Content hm.txt -Stream root.txt)
runas /netonly /user:<user> cmd
Replace files/programs running with SYSTEM permissions with exploited ones
-> Check permissions
icacls <file>