Security Memo

Search (Ctrl+K)

SearchSearch

Recent Notes

See 1423 more sorted by tag →

manual host enumeration

created Jan 08, 2024updated Aug 24, 20242 min read

Mixed Windows and Linux commands

It should be pretty easier to distinguish between them though (e.g. you know it’s Windows when it uses net or .exe). Maybe I’ll clean this list up in the future.

  • User enumeration:
    • whoami /all (windows), whoami (any)
    • net user, net accounts (windows, list of users and account policy)
    • id
    • hostname (any)
    • cat /etc/passwd /etc/shadow /etc/group
    • query user
  • OS info
    • systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type"
    • cat /etc/issue /etc/*-release
    • uname -a
  • Processes, Services, and Scheduled Tasks
    • tasklist /SVC
    • schtasks /query /fo LIST /v
    • Query installed services: sc query, Get-Service | fl, or services.msc (GUI)
    • ps aux
    • pspy (need to upload)
    • ls /etc/cron.* /var/spool/cron/crontabs/*
    • cat /etc/*crontab
    • systemctl list-unit-files --state=enabled
    • services
  • Network Information
    • ipconfig /all
    • route print (windows)
    • ip a[ddr]
    • netstat -ano (windows)
    • /sbin/route or /sbin/routel
    • netstat -anp or ss -anp (linux)
    • netsh advfirewall show currentprofile to check firewall state
    • netsh advfirewall firewall show rule name=all to show firewall rules
    • ls /etc/iptables/
    • Look for iptables-save and iptables-restore in processes
  • Installed Applications & Updates
    • wmic product get name, version, vendor (applies only to programs installed through Windows installers)
    • wmic qfe get Caption, Description, HotFixID, InstalledOn (Windows update KBs)
    • dpkg -l
  • Drivers, Kernel Modules
    • driverquery.exe /v /fo csv | ConvertFrom-CSV | Select-Object 'Display Name', 'Start Mode', Path
    • Get-WmiObject Win32_PnPSignedDriver | Select-Object DeviceName, DriverVersion, Manufacturer | Where-Object {$_.DeviceName -like "*VMware*"}
    • lsmod, /sbin/modinfo <libname>
    • reg query HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer (if AlwaysInstallElevated, craft MSI installer with payload)
    • find / -perm -u=s -type f 2>/dev/null (SUID binaries)
  • Filesystem Enumeration, e.g. Weak permissions (R/W)
    • accesschk.exe -uws "Everyone" "C:\Program Files" (download from SysInternals)
    • Get-ChildItem "C:\Program Files" -Recurse | Get-ACL | ?{$_.AccessToString -match "Everyone\sAllow\s\sModify"}
    • find / -writable -type d 2>/dev/null
    • mountvol (windows)
    • cat /etc/fstab, mount, lsblk, lsusb (last two requires root)

Graph View

Backlinks