OSCP Notes
Manual enumeration

Operating System

What is the OS and architecture? Is it missing any patches? (!)
systeminfo
wmic qfe

systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

Compare the OS build from systeminfo against the installed hotfix list (wmic qfe, or Get-HotFix in PowerShell) when you go looking for a kernel exploit, and note the "System Type" line (x86 or x64): the exploit binary has to match it.
Is there anything interesting in environment variables? A domain controller in LOGONSERVER?
set

Get-ChildItem Env: | ft Key,Value
Are there any other connected drives?
net use
wmic logicaldisk get caption,description,providername

Get-PSDrive | where {$_.Provider -like "Microsoft.PowerShell.Core\FileSystem"} | ft Name,Root

Users

Who are you? (!)
whoami
hostname
echo %USERNAME%

$env:UserName

Any interesting user privileges?
whoami /priv

The ones worth stopping for are SeImpersonatePrivilege and SeAssignPrimaryTokenPrivilege (token impersonation from a service account), SeBackupPrivilege and SeRestorePrivilege (read or overwrite files regardless of their ACLs), SeDebugPrivilege, SeTakeOwnershipPrivilege and SeLoadDriverPrivilege. A privilege shown as Disabled is still held by the token; it only has to be enabled before use.
What users are on the system? Any old user profiles that weren't cleaned up? List the other user accounts on the box and look at our own account in more detail (group memberships, last logon, password policy).
net user
net user %USERNAME%
dir /b /ad "C:\Users\"
dir /b /ad "C:\Documents and Settings\"
(the Documents and Settings path applies to Windows XP and below)

Get-LocalUser | ft Name,Enabled,LastLogon
Get-ChildItem C:\Users -Force | select Name

Get-LocalUser and the other *-Local* cmdlets need PowerShell 5.1 (Windows 10 / Server 2016 and later); on older hosts fall back to net user and net localgroup.
Is anyone else logged in?
qwinsta

What groups are on the system?
net localgroup
Get-LocalGroup | ft Name

Are any of the users in the Administrators group?
net localgroup Administrators
Get-LocalGroupMember Administrators | ft Name, PrincipalSource
Anything in the Registry for User Autologon?
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" 2>nul | findstr "DefaultUserName DefaultDomainName DefaultPassword"

Get-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' | select DefaultUserName,DefaultDomainName,DefaultPassword,AutoAdminLogon

DefaultPassword sits in clear text here when autologon was configured by hand. When it was set up with the Sysinternals Autologon tool the password is stored as the LSA secret DefaultPassword instead, which needs administrative rights to read.
Anything interesting in Credential Manager?
cmdkey /list
dir /a C:\Users\username\AppData\Local\Microsoft\Credentials\
dir /a C:\Users\username\AppData\Roaming\Microsoft\Credentials\

Get-ChildItem -Hidden C:\Users\username\AppData\Local\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\username\AppData\Roaming\Microsoft\Credentials\

Replace username with the profile you are looking at. The credential files are hidden, so dir needs /a to show them. They are DPAPI blobs: cmdkey /list tells you which targets have saved credentials, and a saved credential for a privileged account can be used as-is with runas /savecred, but decrypting the blobs themselves needs that user's DPAPI master key.
Can we access SAM and SYSTEM files?
%SYSTEMROOT%\repair\SAM
%SYSTEMROOT%\System32\config\RegBack\SAM
%SYSTEMROOT%\System32\config\SAM
%SYSTEMROOT%\repair\system
%SYSTEMROOT%\System32\config\SYSTEM
%SYSTEMROOT%\System32\config\RegBack\system

The live hives under System32\config are locked and ACL'd to SYSTEM and Administrators, so what usually pays off is a readable copy: the repair directory (XP era), RegBack (automatic backups, empty by default since Windows 10 1803), or a backup archive someone left on the disk. You need both files: the boot key from SYSTEM is what decrypts the hashes in SAM.

Programs, Processes, and Services

What software is installed?
dir /a "C:\Program Files"
dir /a "C:\Program Files (x86)"
reg query HKEY_LOCAL_MACHINE\SOFTWARE

Get-ChildItem 'C:\Program Files', 'C:\Program Files (x86)' | ft Parent,Name,LastWriteTime
Get-ChildItem -path Registry::HKEY_LOCAL_MACHINE\SOFTWARE | ft Name
Are there any weak folder or file permissions? Full Permissions for Everyone or Users on Program Folders?
icacls "C:\Program Files\*" 2>nul | findstr "(F)" | findstr "Everyone"
icacls "C:\Program Files (x86)\*" 2>nul | findstr "(F)" | findstr "Everyone"

icacls "C:\Program Files\*" 2>nul | findstr "(F)" | findstr "BUILTIN\Users"
icacls "C:\Program Files (x86)\*" 2>nul | findstr "(F)" | findstr "BUILTIN\Users"

Modify Permissions for Everyone or Users on Program Folders?
icacls "C:\Program Files\*" 2>nul | findstr "(M)" | findstr "Everyone"
icacls "C:\Program Files (x86)\*" 2>nul | findstr "(M)" | findstr "Everyone"

icacls "C:\Program Files\*" 2>nul | findstr "(M)" | findstr "BUILTIN\Users"
icacls "C:\Program Files (x86)\*" 2>nul | findstr "(M)" | findstr "BUILTIN\Users"

icacls abbreviations: F full control, M modify, W write, WD write data / create files, AD append data / create subdirectories. Anything with F, M, W or WD for a group you belong to (compare with whoami /groups; "Authenticated Users" is as interesting as "Everyone") is somewhere you can plant a binary or DLL. These checks only look at the top level of each Program Files directory; loose ACLs more often sit on a vendor's subfolder, so recurse into anything third-party.

Get-ChildItem 'C:\Program Files\*','C:\Program Files (x86)\*' | % { try { Get-Acl $_.FullName -EA SilentlyContinue | Where {($_.Access|select -ExpandProperty IdentityReference) -match 'Everyone'} } catch {}}

Get-ChildItem 'C:\Program Files\*','C:\Program Files (x86)\*' | % { try { Get-Acl $_.FullName -EA SilentlyContinue | Where {($_.Access|select -ExpandProperty IdentityReference) -match 'BUILTIN\\Users'} } catch {}}

-match takes a .NET regular expression, so the backslash in BUILTIN\Users has to be doubled: with a single backslash the pattern is an invalid escape sequence, the exception is swallowed by the catch block and the command silently reports nothing. These one-liners also return every ACE for the group, read-only ones included, so look at the FileSystemRights column of what comes back.
You can also upload accesschk from Sysinternals to check for writeable folders and files. Run it from the directory you want to search (e.g. cd C:\) or give it a path instead of *, and pass /accepteula so the EULA dialog does not hang a non-interactive shell.
accesschk.exe /accepteula -qwsu "Everyone" *
accesschk.exe /accepteula -qwsu "Authenticated Users" *
accesschk.exe /accepteula -qwsu "Users" *
What are the running processes/services on the system? Is there an inside service not exposed? If so, can we open it? See Port Forwarding in Appendix.
tasklist /svc
tasklist /v
net start
sc query

Get-Process has a -IncludeUserName option to see the process owner, however you have to have administrative rights to use it.
Get-Process | where {$_.ProcessName -notlike "svchost*"} | ft ProcessName, Id
Get-Service

This one-liner returns the process owner without admin rights; if something is blank under Owner it's probably running as SYSTEM, NETWORK SERVICE, or LOCAL SERVICE.
Get-WmiObject -Query "Select * from Win32_Process" | where {$_.Name -notlike "svchost*"} | Select Name, Handle, @{Label="Owner";Expression={$_.GetOwner().User}} | ft -AutoSize
Any weak service permissions? Can we reconfigure anything? Again, upload accesschk.
accesschk.exe /accepteula -uwcqv "Everyone" *
accesschk.exe /accepteula -uwcqv "Authenticated Users" *
accesschk.exe /accepteula -uwcqv "Users" *

Look for SERVICE_CHANGE_CONFIG or SERVICE_ALL_ACCESS on a service that runs as LocalSystem: that lets you repoint its binary with sc config <service> binpath= "..." and then restart it (you need SERVICE_START and SERVICE_STOP as well, or a reboot if the service is Auto start and you lack them). sc qc <service> shows the current binary path and the account it runs as.
Are there any unquoted service paths?
wmic service get name,displayname,pathname,startmode 2>nul |findstr /i "Auto" 2>nul |findstr /i /v "C:\Windows\\" 2>nul |findstr /i /v """

gwmi -class Win32_Service -Property Name, DisplayName, PathName, StartMode | Where {$_.StartMode -eq "Auto" -and $_.PathName -notlike "C:\Windows*" -and $_.PathName -notlike '"*' -and $_.PathName -match ' '} | select PathName,DisplayName,Name

An unquoted path is only exploitable when it contains a space (hence the -match ' ' filter) and you can create a file in one of the directories the service control manager tries before it reaches the real binary: for "C:\Program Files\Vendor App\svc.exe" those are C:\Program.exe and C:\Program Files\Vendor.exe, so C:\ and C:\Program Files\ are the directories to test. C:\ is normally not file-writable for standard users. You also need to be able to restart the service, or to wait for a reboot.
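The icacls and accesschk checks on Program Files, the service permission checks and the unquoted-path listing above all reduce to one question: which of these directories and files can my token actually write to? The script below is an added example written for these notes; it is not code from the original page or from any of the tools it mentions. It assumes Windows PowerShell 3.0 or later and uses only built-in .NET classes, so it works where accesschk cannot be uploaded. The function and variable names (Test-WritableByMe, Find-WritableProgramDirs, Find-UnquotedServiceHijacks, Find-WritableServiceBinaries, $MySids, $WriteMask) are my own.

```powershell
# Added example, not part of the original notes. Assumes Windows PowerShell 3.0 or later.
# Write access is judged by comparing each ACE against the SIDs in the current token, so
# nothing is written to disk. A Deny ACE for any of our SIDs is treated as overriding every
# Allow, which is stricter than the real Windows ordering (explicit before inherited), so the
# result errs towards false negatives. Deny-only groups (the filtered Administrators SID under
# UAC) are not in .Groups, so a Deny aimed at them is not seen; confirm hits with a real probe.

$currentIdentity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$MySids = @($currentIdentity.User.Value) + @($currentIdentity.Groups | ForEach-Object { $_.Value })

# Rights that let us plant or replace a file: CreateFiles/WriteData (2), ChangePermissions
# (0x40000), TakeOwnership (0x80000) and the generic bits some ACEs carry (GENERIC_WRITE
# 0x40000000, GENERIC_ALL 0x10000000). Modify and FullControl include bit 2, so they count too.
# CreateDirectories (4) is deliberately left out: C:\ grants it to every authenticated user.
$WriteMask = 2 -bor 0x40000 -bor 0x80000 -bor 0x40000000 -bor 0x10000000

function Test-WritableByMe {
    param([string]$Path)
    if ([string]::IsNullOrEmpty($Path) -or -not (Test-Path -LiteralPath $Path)) { return $false }
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return $false }
    $allowed = $false
    foreach ($ace in $acl.Access) {
        # inherit-only entries (e.g. "(IO)(CI)(M)" on C:\) apply to children, not to this object
        if ($ace.PropagationFlags -band [System.Security.AccessControl.PropagationFlags]::InheritOnly) { continue }
        try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { continue }                                  # orphaned / unresolvable SID
        if ($MySids -notcontains $sid) { continue }         # ACE is not about us
        if (([int]$ace.FileSystemRights -band $WriteMask) -eq 0) { continue }
        if ($ace.AccessControlType -eq 'Deny') { return $false }
        $allowed = $true
    }
    return $allowed
}

# Writable directories under Program Files: the icacls checks, but keyed on the actual token
# instead of grepping for "Everyone" or "BUILTIN\Users", and one level deeper.
function Find-WritableProgramDirs {
    'C:\Program Files', 'C:\Program Files (x86)' |
      Where-Object { Test-Path -LiteralPath $_ } |
      ForEach-Object {
        Get-ChildItem -LiteralPath $_ -Directory -ErrorAction SilentlyContinue | ForEach-Object {
            $_
            Get-ChildItem -LiteralPath $_.FullName -Directory -ErrorAction SilentlyContinue
        }
      } |
      Where-Object { Test-WritableByMe $_.FullName } |
      Select-Object -ExpandProperty FullName
}

# Unquoted service paths. For "C:\Program Files\My App\bin\svc.exe" the service control manager
# tries C:\Program.exe, then "C:\Program Files\My.exe", and so on; every candidate whose parent
# directory we can write to is a hijack point.
function Find-UnquotedServiceHijacks {
    Get-CimInstance -ClassName Win32_Service -ErrorAction SilentlyContinue |
      Where-Object { $_.PathName -and $_.PathName -notmatch '^\s*"' -and $_.PathName -notlike 'C:\Windows\*' } |
      ForEach-Object {
        $svc = $_
        # keep only the executable part: arguments after .exe are irrelevant
        $exe = if ($svc.PathName -match '^(.*?\.exe)') { $Matches[1] } else { $svc.PathName }
        if ($exe -notmatch ' ') { return }                  # no space, nothing to hijack
        $parts = $exe -split ' '
        for ($i = 0; $i -lt $parts.Count - 1; $i++) {
            $candidate = ($parts[0..$i] -join ' ') + '.exe'
            if (Test-WritableByMe (Split-Path -Path $candidate -Parent)) {
                [pscustomobject]@{
                    Service = $svc.Name; StartMode = $svc.StartMode; RunsAs = $svc.StartName
                    PathName = $svc.PathName; Hijack = $candidate
                }
            }
        }
      }
}

# Service binaries we can overwrite, or whose directory we can write to (binary or DLL planting).
function Find-WritableServiceBinaries {
    Get-CimInstance -ClassName Win32_Service -ErrorAction SilentlyContinue | ForEach-Object {
        if ($_.PathName -notmatch '^\s*"?([^"]*?\.exe)') { return }
        $exe = $Matches[1]
        if ((Test-WritableByMe $exe) -or (Test-WritableByMe (Split-Path -Path $exe -Parent))) {
            [pscustomobject]@{ Service = $_.Name; RunsAs = $_.StartName; Binary = $exe }
        }
    }
}

Find-WritableProgramDirs
Find-UnquotedServiceHijacks | Format-Table -AutoSize
Find-WritableServiceBinaries | Format-Table -AutoSize
```

Evaluating ACLs rather than dropping probe files keeps the enumeration quiet and leaves no timestamps behind, at the cost of the approximations noted in the comments; before building an exploit on a hit, confirm it with a single echo test > path probe and delete it. A hijack or writable binary is only useful together with a way to restart the service (sc stop/start rights, or a reboot for an Auto-start service), so read the RunsAs and StartMode columns alongside the path.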
What scheduled tasks are there? Anything custom implemented?
schtasks /query /fo LIST 2>nul | findstr TaskName
dir C:\windows\tasks

Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*"} | ft TaskName,TaskPath,State

schtasks /query /fo LIST /v

In the verbose output the fields that matter are "Run As User" and "Task To Run": a task that runs as SYSTEM or an administrator from a script, binary or directory that you can write to is as good as a writable service. Get-ScheduledTask needs Windows 8 / Server 2012 or later; on older hosts use schtasks.
What is run at startup?
wmic startup get caption,command
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
dir "%ProgramData%\Microsoft\Windows\Start Menu\Programs\Startup"
dir "%AppData%\Microsoft\Windows\Start Menu\Programs\Startup"
dir "C:\Documents and Settings\All Users\Start Menu\Programs\Startup"
dir "C:\Documents and Settings\%username%\Start Menu\Programs\Startup"
(the Documents and Settings paths are the Windows XP locations; Vista and later use the ProgramData and AppData paths)

Get-CimInstance Win32_StartupCommand | select Name, command, Location, User | fl
Get-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run'
Get-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce'
Get-ItemProperty -Path 'Registry::HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run'
Get-ItemProperty -Path 'Registry::HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce'
Get-ChildItem "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
Get-ChildItem "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"

The all-users Startup folder is the interesting one: if it is writable, anything dropped there runs in the context of the next user to log in, administrators included. Also check whether the binaries named in the Run keys live in a directory you can write to.

Is AlwaysInstallElevated enabled? I have not run across this but it doesn't hurt to check.
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

Both values have to be 1: Windows Installer only runs a package as SYSTEM when the policy is set in HKLM and in HKCU. If they are, any .msi you install with msiexec /quiet /qn /i payload.msi runs as SYSTEM.

Networking

What NICs are connected? Are there multiple networks? A second interface on another subnet is a pivot point.
ipconfig /all

Get-NetIPConfiguration | ft InterfaceAlias,InterfaceDescription,IPv4Address
Get-DnsClientServerAddress -AddressFamily IPv4 | ft

What routes do we have?
route print

Get-NetRoute -AddressFamily IPv4 | ft DestinationPrefix,NextHop,RouteMetric,ifIndex

Anything in the ARP cache?
arp -a

Get-NetNeighbor -AddressFamily IPv4 | ft ifIndex,IPAddress,LinkLayerAddress,State

The Get-Net* cmdlets exist on Windows 8 / Server 2012 and later; the cmd equivalents work everywhere.

Are there connections to other hosts?
netstat -ano

LISTENING entries bound to 127.0.0.1 are the "inside services" from the process section (databases, admin consoles) that only become reachable after port forwarding; the last column is the PID, which maps back to tasklist /svc.
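The function below is an added example, not part of the original notes: it parses netstat -ano, tags each listener by the scope of its bind address (loopback-only, all interfaces, or one specific interface) and maps the PID to a process name with Get-Process, which needs no admin rights. It assumes Windows PowerShell 3.0 or later; the function name and the sample lines at the bottom are my own, and the sample is constructed in netstat format for the demonstration, not captured from a real host.

```powershell
# Added example, not part of the original notes. Parses the text output of netstat -ano so it
# works wherever cmd.exe does; Get-NetTCPConnection is simpler but needs Windows 8 / Server 2012
# or later. Scope 'loopback' marks services reachable only from this host: candidates for port
# forwarding (see the appendix) rather than for a scan from the attacking machine.
function Get-ListeningPorts {
    param([string[]]$NetstatLines = (netstat -ano 2>$null))
    # PID -> process name; Get-Process shows names for all processes without admin rights
    $names = @{}
    Get-Process -ErrorAction SilentlyContinue | ForEach-Object { $names[$_.Id] = $_.ProcessName }
    foreach ($line in $NetstatLines) {
        # Matches "  TCP  127.0.0.1:3306  0.0.0.0:0  LISTENING  1234" and UDP rows, which have no
        # state column. ESTABLISHED / TIME_WAIT rows fail the match (the state is not a PID) and
        # are skipped, as are the header lines.
        if ($line -notmatch '^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+\s+(?:LISTENING\s+)?(\d+)\s*$') { continue }
        $proto  = $Matches[1]
        $addr   = $Matches[2]
        $port   = [int]$Matches[3]
        $procId = [int]$Matches[4]
        $scope = switch -Regex ($addr) {
            '^(127\.|\[::1\]$)'     { 'loopback'; break }   # this host only
            '^(0\.0\.0\.0|\[::\])$' { 'any'; break }        # every interface
            default                 { 'interface' }         # one specific address
        }
        $procName = if ($names.ContainsKey($procId)) { $names[$procId] } else { '?' }
        [pscustomobject]@{
            Proto = $proto; Address = $addr; Port = $port; Scope = $scope
            PID = $procId; Process = $procName
        }
    }
}

# Constructed sample in netstat -ano layout (not real output) so the parser can be exercised
# without touching the host; drop -NetstatLines to parse the live machine.
$sample = @(
    '  Proto  Local Address          Foreign Address        State           PID',
    '  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4',
    '  TCP    127.0.0.1:3306         0.0.0.0:0              LISTENING       1212',
    '  TCP    10.11.1.5:49160        10.11.1.1:445          ESTABLISHED     4',
    '  TCP    [::1]:8080             [::]:0                 LISTENING       2424',
    '  UDP    0.0.0.0:161            *:*                                    3636'
)
Get-ListeningPorts -NetstatLines $sample | Format-Table -AutoSize
Get-ListeningPorts -NetstatLines $sample | Where-Object { $_.Scope -eq 'loopback' } | Format-Table -AutoSize
```

On the sample the second command returns the MySQL-style listener on 127.0.0.1:3306 and the IPv6 loopback listener on 8080; the SMB and SNMP listeners are bound to every interface and the ESTABLISHED row is ignored. On a live host the process names come from the current process table, so run it on the target, not on a copied netstat dump.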
Anything in the hosts file?
C:\WINDOWS\System32\drivers\etc\hosts

Is the firewall turned on? If so what's configured?
netsh firewall show state
netsh firewall show config
netsh advfirewall show allprofiles
netsh advfirewall firewall show rule name=all
netsh advfirewall export "firewall.wfw"

netsh firewall is the deprecated pre-Vista syntax and may be missing on current builds; netsh advfirewall show allprofiles gives the per-profile state. Note that export writes a binary policy file (the .wfw you would import into another firewall console), not text you can grep; the show rule output is the readable form.

Any other interesting interface configurations?
netsh dump

Are there any SNMP configurations?
reg query HKLM\SYSTEM\CurrentControlSet\Services\SNMP /s

Get-ChildItem -path HKLM:\SYSTEM\CurrentControlSet\Services\SNMP -Recurse

Interesting Files and Sensitive Information

Any passwords in the registry?
reg query HKCU /f password /t REG_SZ /s
reg query HKLM /f password /t REG_SZ /s

Are there sysprep or unattend files available that weren't cleaned up?
dir /s *sysprep.inf *sysprep.xml *unattended.xml *unattend.xml *unattend.txt 2>nul

Get-Childitem -Path C:\ -Include *unattend*,*sysprep* -File -Recurse -ErrorAction SilentlyContinue | where {($_.Name -like "*.xml" -or $_.Name -like "*.txt" -or $_.Name -like "*.ini")}

The usual locations are C:\Windows\Panther, C:\Windows\Panther\Unattend, C:\Windows\System32\sysprep and C:\unattend.xml. A password in unattend.xml is either plain text or, when PlainText is false, the password with the word "Password" appended, encoded as UTF-16LE and then base64.

If the server is an IIS webserver, what's in inetpub? Any hidden directories? web.config files?
dir /a C:\inetpub\
dir /s web.config
C:\Windows\System32\inetsrv\config\applicationHost.config

Get-Childitem -Path C:\inetpub\ -Include web.config -File -Recurse -ErrorAction SilentlyContinue

dir /s searches from the current directory, so cd C:\ (or C:\inetpub) first. web.config is where connection strings live; applicationHost.config can hold virtual directory and application pool credentials, and if those are stored encrypted, appcmd list apppool /text:* and appcmd list vdir /text:* (in C:\Windows\System32\inetsrv) print them in clear, provided you have the rights to run appcmd.

What's in the IIS Logs?
C:\inetpub\logs\LogFiles\W3SVC1\u_ex[YYMMDD].log
C:\inetpub\logs\LogFiles\W3SVC2\u_ex[YYMMDD].log
C:\inetpub\logs\LogFiles\FTPSVC1\u_ex[YYMMDD].log
C:\inetpub\logs\LogFiles\FTPSVC2\u_ex[YYMMDD].log

Is XAMPP, Apache, or PHP installed? Are there any XAMPP, Apache, or PHP configuration files?
dir /s php.ini httpd.conf httpd-xampp.conf my.ini my.cnf

Get-Childitem -Path C:\ -Include php.ini,httpd.conf,httpd-xampp.conf,my.ini,my.cnf -File -Recurse -ErrorAction SilentlyContinue

Any Apache web logs?
dir /s access.log error.log

Get-Childitem -Path C:\ -Include access.log,error.log -File -Recurse -ErrorAction SilentlyContinue

Any interesting files to look at? Possibly inside User directories (Desktop, Documents, etc)?
dir /s *pass* == *cred* == *vnc* == *.config* 2>nul

Get-Childitem -Path C:\Users\ -Include *password*,*cred*,*vnc*,*.config -File -Recurse -ErrorAction SilentlyContinue

(The == between the patterns is a cmd idiom: = is treated as an argument separator, so it does the same job as a space.)

Files containing password inside them?
findstr /si password *.xml *.ini *.txt *.config 2>nul

Get-ChildItem C:\* -include *.xml,*.ini,*.txt,*.config -Recurse -ErrorAction SilentlyContinue | Select-String -Pattern password

findstr /si searches recursively from the current directory (so start in C:\Users, C:\inetpub or wherever the application lives) and prints every line containing the word, which on a whole drive is mostly help text and templates; narrow the starting directory first, or search for password= and password: rather than the bare word.
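The one-liners above search for the bare word "password" and drown the real hits in help files and templates. The function below is an added example written for these notes, not code from the original page; it walks the directories where credentials usually end up on this kind of host, limits itself to text-like extensions and small files, matches credential shapes (assignments, unattend tags, connection strings, private key headers) and drops obvious placeholders. It assumes Windows PowerShell 3.0 or later; the function name, the root list and the pattern list are my own choices and should be tuned per target.

```powershell
# Added example, not part of the original notes. Assumes Windows PowerShell 3.0 or later.
function Find-CredentialStrings {
    param(
        [string[]]$Roots = @('C:\Users', 'C:\inetpub', 'C:\xampp', 'C:\ProgramData', 'C:\Windows\Panther'),
        [string[]]$Include = @('*.xml','*.ini','*.txt','*.config','*.conf','*.cnf','*.ps1','*.bat','*.cmd','*.vbs','*.json','*.yml','*.yaml'),
        [int]$MaxSizeKB = 1024          # skip big logs and dumps; secrets live in small config files
    )
    # Each alternative is one credential shape. Extend the list per target rather than widening
    # it to the bare word, which is what makes findstr /si password unreadable.
    $pattern = @(
        'pass(word|wd|phrase)?\s*[:=]\s*\S',           # password=..., pwd: ..., passphrase = ...
        'connectionString\s*=',                         # web.config / app.config
        '<(Password|AdministratorPassword)>',           # unattend.xml / sysprep.xml
        'DefaultPassword',                              # exported Winlogon autologon settings
        'BEGIN (RSA |DSA |EC |OPENSSH )?PRIVATE KEY',   # key material left in a user profile
        '(api|secret|access)[_-]?key\s*[:=]'            # application and cloud tokens
    ) -join '|'

    Get-ChildItem -Path $Roots -Include $Include -File -Recurse -Force -ErrorAction SilentlyContinue |
      Where-Object { $_.Length -gt 0 -and $_.Length -le ($MaxSizeKB * 1KB) } |
      Select-String -Pattern $pattern -ErrorAction SilentlyContinue |
      Where-Object { $_.Line -notmatch 'pass\w*\s*[:=]\s*(""|\*+|\{\{|<[^>]*>|null|none)\s*$' } |
      Select-Object Path, LineNumber, @{ n = 'Match'; e = { $_.Line.Trim() -replace '^(.{160}).+$', '$1...' } }
}

# Default roots; pass -Roots 'C:\' for a (slow) full-disk sweep once the quick pass is done.
Find-CredentialStrings | Format-Table -AutoSize -Wrap
```

The placeholder filter removes lines such as password="" or password=<your password here> that every shipped template contains; if a target's application uses an unusual notation, loosen it rather than the match pattern. Hits in unattend.xml with PlainText set to false are base64 of the UTF-16LE password with "Password" appended, as noted above, so decode before trying them.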