Mixed Windows and Linux commands
It should be pretty easier to distinguish between them though (e.g. you know it’s Windows when it uses
netor.exe).
- User enumeration:
whoami /all(windows),whoami(any)net user,net accounts(windows, list of users and account policy)idhostname(any)cat /etc/passwd /etc/shadow /etc/groupquery user
- OS info
systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type"cat /etc/issue /etc/*-releaseuname -a
- Processes, Services, and Scheduled Tasks
tasklist /SVCschtasks /query /fo LIST /v- Query installed services:
sc query,Get-Service | fl, orservices.msc(GUI) ps auxpspy(need to upload)ls /etc/cron.* /var/spool/cron/crontabs/*cat /etc/*crontabsystemctl list-unit-files --state=enabledservices
- Network Information
ipconfig /allroute print(windows)ip a[ddr]netstat -ano(windows)/sbin/routeor/sbin/routelnetstat -anporss -anp(linux)netsh advfirewall show currentprofileto check firewall statenetsh advfirewall firewall show rule name=allto show firewall rulesls /etc/iptables/- Look for
iptables-saveandiptables-restorein processes
- Installed Applications & Updates
wmic product get name, version, vendor(applies only to Windows installers)wmic qfe get Caption, Description, HotFixID, InstalledOndpkg -l
- Drivers, Kernel Modules
driverquery.exe /v /fo csv | ConvertFrom-CSV | Select-Object 'Display Name', 'Start Mode', PathGet-WmiObject Win32_PnPSignedDriver | Select-Object DeviceName, DriverVersion, Manufacturer | Where-Object {$_.DeviceName -like "*VMware*"}lsmod,/sbin/modinfo <libname>reg query HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer(ifAlwaysInstallElevated, craft MSI installer with payload)find / -perm -u=s -type f 2>/dev/null(SUID binaries)
- Filesystem Enumeration, e.g. Weak permissions (R/W)
accesschk.exe -uws "Everyone" "C:\Program Files"(download from SysInternals)Get-ChildItem "C:\Program Files" -Recurse | Get-ACL | ?{$_.AccessToString -match "Everyone\sAllow\s\sModify"}find / -writable -type d 2>/dev/nullmountvol(windows)cat /etc/fstab,mount,lsblk