# Windows Post Exploitation Discovery

## Description

Techniques and tools for post-exploitation discovery using native Windows tools

* [Background](#background)
* [Techniques](#techniques)
* Tools
  * [System Info with CMD](#system-info-with-cmd)
  * [Network/Domain Info with CMD](#networkdomain-info-with-cmd)
  * [Local User Info with CMD](#local-user-info-with-cmd)
  * [Domain User Info with CMD](#domain-user-info-with-cmd)
  * [Enumerating with PowerShell](#enumerating-with-powershell)
* [Resources](#resources)

## Background

Windows post-exploitation techniques during a red-team engagement often involve discovering and leveraging weaknesses in the target environment, such as misconfigurations, unpatched vulnerabilities, or insecure permissions, to further exploit and compromise the system. These discoveries can include locating stored credentials, identifying vulnerable services or applications, enumerating network resources, or discovering ways to move laterally within the network. By leveraging these post-exploitation findings, attackers can extend their control over the compromised system and potentially expand their reach to other interconnected systems within the target environment.

## Techniques

* Identify the current user ID and privileges
* Identify network connections (candidates for lateral movement)
* Identify running processes
* Identify cron jobs/scheduled tasks
* Determine whether the host is joined to an Active Directory environment (cloud or on-prem); if so, enumerate users, groups and computers
* If not AD-joined, find installed applications, firewalls and AV
* Common Windows commands to run on the system:
  * `whoami`
  * `tasklist`
  * `systeminfo`
  * `systeminfo && whoami /all`
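The checklist above is also what a defender looks for in process-creation telemetry: a run of several distinct native discovery binaries from one parent within a few minutes is a strong post-exploitation signal. The following PowerShell is an added example, not code from the original page or its linked scripts. It runs over a constructed set of records shaped like the fields a Security 4688 or Sysmon Event ID 1 entry provides (host, time, parent, command line); the window and threshold values are assumptions to tune per environment.

```powershell
# Added example: flag a burst of native discovery commands on one host.
# The record set below is constructed, not real telemetry; on a live host
# you would build the same objects from Get-WinEvent output.

$DiscoveryCommands = @('whoami','systeminfo','tasklist','schtasks','net','net1',
                       'ipconfig','netstat','arp','route','nltest','dsquery',
                       'qwinsta','wmic','set','hostname')

# Constructed sample records: WS01 shows a discovery burst, WS02 does not.
$Events = @(
    [pscustomobject]@{ Host='WS01'; Time=[datetime]'2024-05-01T10:00:01'; Parent='cmd.exe';      CommandLine='whoami /all' }
    [pscustomobject]@{ Host='WS01'; Time=[datetime]'2024-05-01T10:00:04'; Parent='cmd.exe';      CommandLine='systeminfo' }
    [pscustomobject]@{ Host='WS01'; Time=[datetime]'2024-05-01T10:00:09'; Parent='cmd.exe';      CommandLine='"C:\Windows\system32\net1" user' }
    [pscustomobject]@{ Host='WS01'; Time=[datetime]'2024-05-01T10:00:15'; Parent='cmd.exe';      CommandLine='nltest /trusted_domains' }
    [pscustomobject]@{ Host='WS01'; Time=[datetime]'2024-05-01T10:00:20'; Parent='cmd.exe';      CommandLine='tasklist /svc' }
    [pscustomobject]@{ Host='WS02'; Time=[datetime]'2024-05-01T09:12:00'; Parent='explorer.exe'; CommandLine='ipconfig /all' }
    [pscustomobject]@{ Host='WS02'; Time=[datetime]'2024-05-01T13:40:00'; Parent='explorer.exe'; CommandLine='whoami' }
)

function Find-DiscoveryBurst {
    param(
        [Parameter(Mandatory)] [object[]] $Records,
        [int] $WindowMinutes = 5,   # assumed threshold: sliding window length
        [int] $MinDistinct   = 4    # assumed threshold: distinct discovery binaries
    )
    $Hits = @()
    foreach ($Group in ($Records | Group-Object Host)) {
        $Sorted = $Group.Group | Sort-Object Time
        foreach ($Start in $Sorted) {
            $End      = $Start.Time.AddMinutes($WindowMinutes)
            $InWindow = $Sorted | Where-Object { $_.Time -ge $Start.Time -and $_.Time -le $End }

            # Normalise the image: first token, quotes and path stripped, no extension.
            $Names = $InWindow | ForEach-Object {
                $Image = (($_.CommandLine -split '\s+')[0]).Trim('"')
                [IO.Path]::GetFileNameWithoutExtension($Image).ToLower()
            } | Where-Object { $DiscoveryCommands -contains $_ } | Sort-Object -Unique

            if (@($Names).Count -ge $MinDistinct) {
                $Hits += [pscustomobject]@{
                    Host     = $Group.Name
                    Start    = $Start.Time
                    Parents  = ($InWindow.Parent | Sort-Object -Unique) -join ','
                    Commands = $Names -join ','
                }
                break   # one alert per host is enough for triage
            }
        }
    }
    return $Hits
}

Find-DiscoveryBurst -Records $Events | Format-Table -AutoSize
```

With the constructed data, only WS01 is reported: five distinct discovery binaries run under `cmd.exe` within twenty seconds, while WS02's two commands hours apart stay under the threshold. To feed real data, build the same objects from `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688}` (command-line auditing must be enabled for the `Process Command Line` field to be populated) or from the Sysmon operational log.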

## System Info with CMD

| Description                          | Command             | Example                                                                                                    |
| ------------------------------------ | ------------------- | ---------------------------------------------------------------------------------------------------------- |
| System info                          | `systeminfo`        | `systeminfo`                                                                                               |
| OS Name/Version                      | `systeminfo`        | `systeminfo \| findstr /B /C:"OS Name" /C:"OS Version"`                                                    |
| System drives                        | `wmic logicaldisk`  | `wmic logicaldisk where drivetype=3 get name, freespace, systemname, filesystem, size, volumeserialnumber` |
| Connected Devices                    | `wmic logicaldisk`  | `wmic logicaldisk get caption,description,providername`                                                    |
| System Environment Table             | `set`               | `set`                                                                                                      |
| Running System Processes             | `tasklist`          | `tasklist /v`                                                                                              |
| Services Running Inside Each Process | `tasklist`          | `tasklist /svc`                                                                                            |
| Attributes of All Running Processes  | `wmic process list` | `wmic process list full`                                                                                   |
| Started Windows Services             | `net start`         | `net start`                                                                                                |
| Scheduled Jobs                       | `schtasks`          | `schtasks /query /fo LIST /v`                                                                              |
| Windows Patches                      | `wmic qfe`          | `wmic qfe get Caption,Description,HotFixID,InstalledOn`                                                    |
| Installed Application Names          | `wmic product`      | `wmic product get name`                                                                                    |

## Network/Domain Info with CMD

| Description                         | Command    | Example                                                                                      |
| ----------------------------------- | ---------- | -------------------------------------------------------------------------------------------- |
| IP and Interfaces                   | `ipconfig` | `ipconfig /all`                                                                              |
| Copy IP info to clipboard           | `ipconfig` | `ipconfig \| clip`                                                                           |
| Routing Table                       | `route`    | `route print`                                                                                |
| ARP Table                           | `arp`      | `arp -a`                                                                                     |
| Active TCP Connections              | `netstat`  | `netstat -an`                                                                                |
| TCP and UDP activity every 1 second | `netstat`  | `netstat -naob 1 \| find "<IPADDR or PORT>"`                                                 |
| Get domain                          | `echo`     | `echo %USERDOMAIN%`                                                                          |
| Domain Logon Server                 | `echo`     | `echo %LOGONSERVER%`                                                                         |
| Domain Password Policy              | `net`      | `net accounts /domain`                                                                       |
| Local Password Policy               | `net`      | `net accounts`                                                                               |
| DC Address, Domain Name, Roles      | `wmic`     | `wmic ntdomain`                                                                              |
| Trusted Domain                      | `dsquery`  | `dsquery * -filter "(objectclass=TrustedDomain)" -attr trustpartner,flatname,trustdirection` |
| Network Shares                      | `net`      | `net share`                                                                                  |
| View All Hosts in Domain/Workgroup  | `net`      | `net view`                                                                                   |
| Domain Trust Info                   | `nltest`   | `nltest /trusted_domains`                                                                    |

## Local User Info with CMD

| Description                  | Command                       | Example                         |
| ---------------------------- | ----------------------------- | ------------------------------- |
| Username of Current User     | `whoami` or `echo %USERNAME%` | `whoami`                        |
| All whoami Access Token Info | `whoami`                      | `whoami /all`                   |
| Local Users                  | `net`                         | `net users`                     |
| Detailed User Info           | `net`                         | `net user %USERNAME%`           |
| Logged-on Sessions (console/RDP) | `qwinsta`                 | `qwinsta`                       |
| Local Groups                 | `net`                         | `net localgroup`                |
| Local Administrators         | `net`                         | `net localgroup administrators` |
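The three CMD tables above (system, network/domain, local user) map onto PowerShell cmdlets, which matters because WMIC is deprecated and missing from recent Windows builds, so the `wmic` rows will fail there. The script below is an added example, not code from the original page or the linked `WinSysEnum.bat`/`WinUserEnum.bat`: it gathers the same data with `Get-CimInstance` and the `Net*`, `Local*` and `SmbShare` cmdlets and writes each result to a timestamped folder, the form a responder wants so two snapshots of a host can be diffed. The output folder layout is this example's own choice; process command lines, `netstat -b` equivalents and scheduled-task details need an elevated session, and the `Get-Net*` cmdlets need Windows 8/Server 2012 or later.

```powershell
# Added example: host discovery snapshot with PowerShell/CIM instead of CMD/WMIC.
$Stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$OutDir = Join-Path $env:TEMP "host-snapshot-$env:COMPUTERNAME-$Stamp"   # assumed location
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

function Save-Snapshot {
    # Run a query and write its text to <name>.txt; record failures instead of aborting.
    param([string] $Name, [scriptblock] $Query)
    $File = Join-Path $OutDir "$Name.txt"
    try   { & $Query | Out-File -FilePath $File -Width 4096 }
    catch { "ERROR: $($_.Exception.Message)" | Out-File -FilePath $File }
}

# --- System info (the wmic rows expressed as CIM queries) ---
Save-Snapshot 'os'        { Get-CimInstance Win32_OperatingSystem | Select-Object Caption, Version, BuildNumber, LastBootUpTime | Format-List }
Save-Snapshot 'drives'    { Get-CimInstance Win32_LogicalDisk -Filter 'DriveType=3' | Select-Object DeviceID, FileSystem, Size, FreeSpace, VolumeSerialNumber | Format-Table -AutoSize }
Save-Snapshot 'mapped'    { Get-CimInstance Win32_LogicalDisk -Filter 'DriveType=4' | Select-Object DeviceID, ProviderName | Format-Table -AutoSize }
Save-Snapshot 'processes' { Get-CimInstance Win32_Process | Select-Object ProcessId, ParentProcessId, Name, CommandLine | Format-Table -AutoSize }
Save-Snapshot 'services'  { Get-Service | Where-Object Status -eq 'Running' | Select-Object Name, DisplayName | Format-Table -AutoSize }
Save-Snapshot 'tasks'     { Get-ScheduledTask | Where-Object State -ne 'Disabled' | Select-Object TaskPath, TaskName, State | Format-Table -AutoSize }
Save-Snapshot 'patches'   { Get-CimInstance Win32_QuickFixEngineering | Select-Object HotFixID, Description, InstalledOn | Format-Table -AutoSize }
# Querying Win32_Product (what `wmic product` does) makes Windows Installer re-validate
# every MSI package on the host; the Uninstall registry keys give the same list safely.
Save-Snapshot 'software'  {
    Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                     'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*' -ErrorAction SilentlyContinue |
        Where-Object DisplayName | Select-Object DisplayName, DisplayVersion, Publisher | Sort-Object DisplayName | Format-Table -AutoSize }

# --- Network / domain info ---
Save-Snapshot 'ipconfig'  { Get-NetIPConfiguration -Detailed }
Save-Snapshot 'routes'    { Get-NetRoute | Format-Table -AutoSize }
Save-Snapshot 'arp'       { Get-NetNeighbor | Format-Table -AutoSize }
Save-Snapshot 'tcp'       {
    # netstat -anob equivalent: each connection joined to its owning process name
    Get-NetTCPConnection | ForEach-Object {
        $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{ Local=$_.LocalAddress; LPort=$_.LocalPort; Remote=$_.RemoteAddress
                           RPort=$_.RemotePort; State=$_.State; Pid=$_.OwningProcess; Process=$p.ProcessName }
    } | Format-Table -AutoSize }
Save-Snapshot 'domain'    {
    Get-CimInstance Win32_ComputerSystem | Select-Object Name, Domain, PartOfDomain, DomainRole | Format-List
    Get-CimInstance Win32_NTDomain | Select-Object DomainName, DnsForestName, DomainControllerName | Format-List }
Save-Snapshot 'shares'    { Get-SmbShare | Format-Table -AutoSize }

# --- Local user info ---
Save-Snapshot 'whoami'    { whoami /all }
Save-Snapshot 'users'     { Get-LocalUser | Select-Object Name, Enabled, LastLogon, PasswordLastSet | Format-Table -AutoSize }
Save-Snapshot 'admins'    { Get-LocalGroupMember -Group 'Administrators' | Select-Object Name, PrincipalSource, ObjectClass | Format-Table -AutoSize }
Save-Snapshot 'sessions'  { qwinsta }

Write-Host "Snapshot written to $OutDir"
```

Each query is isolated in `Save-Snapshot` so one failing cmdlet (for example `Get-SmbShare` on a host without the SMB module, or a domain query on a workgroup machine) leaves an `ERROR:` file rather than stopping the collection; `PrincipalSource` in the `admins` output distinguishes local accounts from domain principals, which is the first thing to check when reviewing who holds local administrator rights.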

## Resources

* Awesome Windows Post Exploitation: <https://github.com/emilyanncr/Windows-Post-Exploitation>
* SANS PowerShell Port Scanner: <https://www.sans.org/blog/pen-test-poster-white-board-powershell-built-in-port-scanner/>
* A simple batch script with these commands: [\tools\WinSysEnum.bat](https://github.com/EvolvingSysadmin/Penetration-Testing/blob/master/tools/WinSysEnum.bat)
* A simple CMD script that outputs these commands to txt is here: [\tools\WinUserEnum.bat](https://github.com/EvolvingSysadmin/Penetration-Testing/blob/master/tools/WinUserEnum.bat)
