Mixed Windows and Linux commands

It should be pretty easy to distinguish between them though (e.g. you know it's Windows when it uses net or .exe). Maybe I'll clean this list up in the future.

  • User enumeration:
    • whoami /all (Windows: current user, group memberships and held privileges), whoami (any)
    • net user, net accounts (Windows: local users, and the password/lockout policy)
    • id (Linux: uid, gid and group memberships)
    • hostname (any)
    • cat /etc/passwd /etc/group (Linux); /etc/shadow is root-only, so if you can read it that is a finding in itself
    • query user (Windows: who is logged on, and on which session)
  • OS info
    • systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type" (Windows; drop the findstr for the full output incl. hotfixes)
    • cat /etc/issue /etc/*-release (Linux distro and version)
    • uname -a (Linux kernel version and architecture)
  • Processes, Services, and Scheduled Tasks
    • tasklist /SVC (Windows: processes with the services they host)
    • schtasks /query /fo LIST /v (Windows scheduled tasks, verbose; check "Run As User" and the task's binary path)
    • Query installed services: sc query (running services only; sc query state= all for everything), Get-Service | fl, or services.msc (GUI)
    • ps aux (Linux)
    • pspy (needs to be uploaded; watches process starts and cron runs without root)
    • ls -la /etc/cron.* /var/spool/cron/crontabs/* (the per-user crontabs under /var/spool are root-only)
    • cat /etc/crontab /etc/cron.d/* (system crontabs carry a user field; a job running as root from a script you can write to is the thing to look for)
    • systemctl list-unit-files --state=enabled
    • service --status-all (SysV-style service listing)
  • Network Information
    • ipconfig /all (Windows)
    • route print (Windows)
    • ip a[ddr] (Linux)
    • netstat -ano (Windows: listening ports and connections with the owning PID)
    • /sbin/route, /sbin/routel or ip route (Linux routing table)
    • netstat -anp or ss -anp (Linux; the PID column only fills in for your own processes unless you are root)
    • netsh advfirewall show currentprofile to check firewall state
    • netsh advfirewall firewall show rule name=all to show firewall rules
    • ls /etc/iptables/ (rules saved by iptables-persistent / netfilter-persistent)
    • iptables -L itself needs root, so look for iptables-save / iptables-restore in the process list, cron jobs and shell history: the file they read or write is where the rules live, and reading it shows filtering you cannot otherwise see
  • Installed Applications & Updates
    • wmic product get name, version, vendor (only programs installed through Windows Installer; also triggers a consistency check of every MSI package and can kick off repairs, so it is slow and noisy, and wmic is deprecated on current Windows; reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall /s is the quiet alternative)
    • wmic qfe get Caption, Description, HotFixID, InstalledOn (Windows update KBs; compare against the OS build to spot missing patches)
    • dpkg -l (Debian-based), rpm -qa (RPM-based)
  • Drivers, Kernel Modules
    • driverquery.exe /v /fo csv | ConvertFrom-CSV | Select-Object 'Display Name', 'Start Mode', Path (PowerShell)
    • Get-WmiObject Win32_PnPSignedDriver | Select-Object DeviceName, DriverVersion, Manufacturer | Where-Object {$_.DeviceName -like "*VMware*"} (PowerShell; Get-CimInstance is the non-deprecated equivalent)
    • lsmod, /sbin/modinfo <module> (Linux: loaded modules, and version/path of a given module)
  • Quick privesc checks
    • reg query HKLM\Software\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated, and the same key under HKCU; both values must be 1 for the trick to work, then craft an MSI with a payload and run it with msiexec
    • find / -perm -u=s -type f 2>/dev/null (Linux SUID binaries; anything non-standard deserves a look)
  • Filesystem Enumeration, e.g. Weak permissions (R/W)
    • accesschk.exe -accepteula -uws "Everyone" "C:\Program Files" (download from SysInternals; -u suppresses errors, -w shows only write access, -s recurses; repeat for "Users", "Authenticated Users" and your own account)
    • Get-ChildItem "C:\Program Files" -Recurse | Get-ACL | ?{$_.AccessToString -match "Everyone\sAllow\s\sModify"} (PowerShell; swap Everyone for Users etc.)
    • find / -writable -type d -not -path "/proc/*" 2>/dev/null (Linux: directories writable by the current user)
    • mountvol (Windows: volumes and mount points)
    • cat /etc/fstab, mount, lsblk, lsusb (all usable unprivileged; lsusb -v wants root for full descriptors)
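
The Linux side of the checks above (login-capable accounts, extra UID 0 accounts, cron jobs whose command we can overwrite, SUID binaries, writable directories) as one POSIX sh script. This is an added example and not part of the original notes; the function names are mine, and every function takes its input path as an argument so the same code runs against the live host (`sh enum.sh /`) or against files copied off a target. The Windows checks stay as the one-liners in the list.

```shell
#!/bin/sh
# Added example, not from the original notes: the Linux enumeration one-liners
# above wrapped as functions. Each takes its input path as $1 so the same code
# runs against the live host or against files pulled off a target.
# Function names are my own.

# Accounts that can actually log in (shell is not nologin/false/sync/...).
login_users() {                     # $1 = file in /etc/passwd format
    awk -F: '$7 !~ /(nologin|false|sync|halt|shutdown)$/ { print $1 }' "$1"
}

# Any UID 0 account other than root is a classic backdoor; list them.
extra_uid0() {                      # $1 = file in /etc/passwd format
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Commands in a system crontab (/etc/crontab or /etc/cron.d/*, which carry a
# user field) whose executable we can write to: edit it and the job runs our
# code as that user. Per-user crontabs have no user field, so $7 would be off
# by one there; skip comment, blank and VAR=value lines.
writable_cron_targets() {           # $1 = crontab file
    awk '!/^[[:space:]]*#/ && !/^[[:space:]]*$/ && !/^[A-Za-z_]+=/ { print $7 }' "$1" |
    while read -r cmd; do
        if [ -n "$cmd" ] && [ -w "$cmd" ]; then echo "$cmd"; fi
    done
}

# SUID binaries under a tree (the find from the list, with a chosen root).
suid_bins() {                       # $1 = directory to search
    find "$1" -perm -u=s -type f 2>/dev/null
}

# Directories the current user can write to, minus /proc noise.
writable_dirs() {                   # $1 = directory to search
    find "$1" -writable -type d ! -path '/proc/*' 2>/dev/null
}

# Sweep the live host: sh enum.sh /   (no argument only defines the functions,
# handy when sourcing the file with ". ./enum.sh").
enum_all() {
    echo "== accounts with a login shell";    login_users /etc/passwd
    echo "== UID 0 accounts other than root"; extra_uid0 /etc/passwd
    echo "== cron jobs whose command we can overwrite"
    for f in /etc/crontab /etc/cron.d/*; do
        if [ -r "$f" ]; then writable_cron_targets "$f"; fi
    done
    echo "== SUID binaries under $1";         suid_bins "$1"
    echo "== directories writable by $(id -un) under $1"; writable_dirs "$1"
}
if [ "$#" -gt 0 ]; then enum_all "$1"; fi
```

The crontab parser deliberately only looks at the first word of the command: a job like `cd / && run-parts /etc/cron.hourly` shows up as `cd`, so the cron.d and cron.* directories still need the manual `ls -la` from the list to catch writable script directories rather than writable scripts.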