Mixed Windows and Linux commands
It should be pretty easy to distinguish between them though (e.g. you know it's Windows when it uses `net` or `.exe`). Maybe I'll clean this list up in the future.
- User enumeration:
  - `whoami /all` (Windows), `whoami` (any)
  - `net user`, `net accounts` (Windows, list of users and account policy)
  - `id`
  - `hostname` (any)
  - `cat /etc/passwd /etc/shadow /etc/group`
  - `query user`
- OS info
  - `systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type"`
  - `cat /etc/issue /etc/*-release`
  - `uname -a`
- Processes, Services, and Scheduled Tasks
  - `tasklist /SVC`
  - `schtasks /query /fo LIST /v`
  - Query installed services: `sc query`, `Get-Service | fl`, or `services.msc` (GUI)
  - `ps aux`
  - `pspy` (need to upload)
  - `ls /etc/cron.* /var/spool/cron/crontabs/*`
  - `cat /etc/*crontab`
  - `systemctl list-unit-files --state=enabled`
  - `services`
- Network Information
  - `ipconfig /all`, `route print` (Windows)
  - `ip a[ddr]`
  - `netstat -ano` (Windows)
  - `/sbin/route` or `/sbin/routel`
  - `netstat -anp` or `ss -anp` (Linux)
  - `netsh advfirewall show currentprofile` to check firewall state
  - `netsh advfirewall firewall show rule name=all` to show firewall rules
  - `ls /etc/iptables/`
  - Look for `iptables-save` and `iptables-restore` in processes
- Installed Applications & Updates
  - `wmic product get name, version, vendor` (applies only to programs installed through Windows installers)
  - `wmic qfe get Caption, Description, HotFixID, InstalledOn` (Windows update KBs)
  - `dpkg -l`
- Drivers, Kernel Modules
  - `driverquery.exe /v /fo csv | ConvertFrom-CSV | Select-Object 'Display Name', 'Start Mode', Path`
  - `Get-WmiObject Win32_PnPSignedDriver | Select-Object DeviceName, DriverVersion, Manufacturer | Where-Object {$_.DeviceName -like "*VMware*"}`
  - `lsmod`, `/sbin/modinfo <libname>`
  - `reg query HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer` (if AlwaysInstallElevated, craft MSI installer with payload)
  - `find / -perm -u=s -type f 2>/dev/null` (SUID binaries)
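A small audit helper for the AlwaysInstallElevated check above (added here as an example, not part of the original notes). It assumes PowerShell 5.1 or later and reports the policy as a weakness only when both the machine-wide (HKLM) and the per-user (HKCU) value are set to 1, since the single `reg query` above covers only the HKLM half.

```powershell
# Added audit helper (not from the original notes).
# AlwaysInstallElevated only takes effect when BOTH of these values are 1:
#   HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated
#   HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated
function Get-AlwaysInstallElevatedStatus {
    [CmdletBinding()]
    param()

    $paths = [ordered]@{
        Machine = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer'
        User    = 'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'
    }

    $values = [ordered]@{}
    foreach ($scope in $paths.Keys) {
        # A missing key or value means the policy is not configured (treated as 0).
        $value = 0
        $item = Get-ItemProperty -Path $paths[$scope] -Name AlwaysInstallElevated -ErrorAction SilentlyContinue
        if ($null -ne $item) { $value = [int]$item.AlwaysInstallElevated }
        $values[$scope] = $value
    }

    $vulnerable = ($values.Machine -eq 1 -and $values.User -eq 1)
    $remediation = 'Not configured; no action needed'
    if ($values.Machine -eq 1 -or $values.User -eq 1) {
        # The GPO setting lives under both Computer and User Configuration:
        # Administrative Templates > Windows Components > Windows Installer >
        # "Always install with elevated privileges" -> Disabled
        $remediation = 'Set both values to 0 (or remove them) via the Windows Installer GPO'
    }

    [pscustomobject]@{
        MachineValue = $values.Machine
        UserValue    = $values.User
        Vulnerable   = $vulnerable
        Remediation  = $remediation
    }
}

Get-AlwaysInstallElevatedStatus | Format-List
```

Run it as the user being assessed, since the HKCU half is per-profile and differs between accounts.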
- Filesystem Enumeration, e.g. weak permissions (R/W)
  - `accesschk.exe -uws "Everyone" "C:\Program Files"` (download from SysInternals)
  - `Get-ChildItem "C:\Program Files" -Recurse | Get-ACL | ?{$_.AccessToString -match "Everyone\sAllow\s\sModify"}`
  - `find / -writable -type d 2>/dev/null`
  - `mountvol` (Windows)
  - `cat /etc/fstab`, `mount`, `lsblk`, `lsusb` (last two require root)