6.1.1. Information collection
6.1.1.1. Basic command
- Hostname
  hostname
- Query all computer names
  dsquery computer
- View configuration and patch information
  systeminfo
  wmic qfe get description,installedOn /format:csv
- View version
  ver
- Process information
  tasklist /svc
  wmic process get caption,executablepath,commandline /format:csv
  get-process
- View all environment variables
  set
- View scheduled tasks
  schtasks /QUERY /fo LIST /v
- View installed drivers
  DRIVERQUERY
- View operating system information
  - Architecture
    wmic os get osarchitecture
  - System name
    wmic os get caption
- View logical disks
  wmic logicaldisk get caption
- View installed software information
  wmic product get name,version
- View service information
  wmic service list brief
  sc query
  Get-WmiObject win32_service | select PathName
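The wmic commands above (and the "Check patch installation" entry under Others) use /format:csv, whose output has quirks that trip up naive parsing: a leading empty line, a prepended Node column, stray carriage returns, and UTF-16 with a BOM when redirected to a file. The following is an added example, not code from the original notes; it parses a constructed sample of `wmic qfe get description,installedOn /format:csv` output, handles those quirks, and summarises patch age so a defender can spot hosts that have not been updated. Function names, the sample data and the m/d/yyyy date format are assumptions of this example.

```python
import codecs
import csv
import io
from datetime import date, datetime
from typing import Dict, List, Optional

# Constructed sample of `wmic qfe get description,installedOn /format:csv`
# output (not captured from a real host). wmic's CSV format begins with an
# empty line and prepends a "Node" column holding the computer name.
SAMPLE_QFE = (
    "\r\n"
    "Node,Description,InstalledOn\r\n"
    "WORKSTATION01,Security Update,3/14/2023\r\n"
    "WORKSTATION01,Update,4/11/2023\r\n"
    "WORKSTATION01,Security Update,5/9/2023\r\n"
)


def decode_wmic_output(raw: bytes) -> str:
    """Decode bytes captured from wmic.

    When its output is redirected to a file, wmic writes UTF-16 with a BOM;
    without a BOM this assumes UTF-8 (adjust to the console code page if the
    capture came from a non-English console).
    """
    if raw[:2] in (codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE):
        return raw.decode("utf-16")  # the codec consumes the BOM
    return raw.decode("utf-8", errors="replace")


def parse_wmic_csv(text: str) -> List[Dict[str, str]]:
    """Turn wmic /format:csv text into a list of row dicts keyed by header.

    Drops the leading empty line and the stray carriage returns wmic emits
    ("\\r\\r\\n" line endings), which would otherwise confuse the csv module.
    """
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    reader = csv.DictReader(io.StringIO("\n".join(lines)))
    return [dict(row) for row in reader]


def parse_wmic_date(value: str) -> Optional[date]:
    """Parse an InstalledOn value. Assumes the m/d/yyyy form shown in the
    sample (the real format follows the host's locale); None if unparsable."""
    try:
        return datetime.strptime(value.strip(), "%m/%d/%Y").date()
    except ValueError:
        return None


def patch_summary(rows: List[Dict[str, str]]) -> Dict[str, object]:
    """Summarise the hotfix list: count, security updates and newest install date."""
    dates = [d for d in (parse_wmic_date(r.get("InstalledOn", "")) for r in rows) if d]
    return {
        "total": len(rows),
        "security_updates": sum(1 for r in rows if r.get("Description") == "Security Update"),
        "latest": max(dates) if dates else None,
    }


def days_since_last_patch(rows: List[Dict[str, str]], today_iso: str) -> Optional[int]:
    """Days between the newest hotfix and today_iso (YYYY-MM-DD); None if no dates."""
    latest = patch_summary(rows)["latest"]
    if latest is None:
        return None
    return (date.fromisoformat(today_iso) - latest).days


if __name__ == "__main__":
    rows = parse_wmic_csv(SAMPLE_QFE)
    for row in rows:
        print(f'{row["Node"]}: {row["Description"]} ({row["InstalledOn"]})')
    print(patch_summary(rows))
    print("days since last patch:", days_since_last_patch(rows, "2023-06-08"))
```

The same parse_wmic_csv function works for any of the /format:csv commands listed in this section (process, useraccount), since only the header row differs; feed it decode_wmic_output(open(path, "rb").read()) when the output was redirected to a file.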
6.1.1.2. Domain Information
- Get the computer names of the current group
  net view
- Network discovery
  net view /all
- View all domains
  net view /domain
- Domain forest and domain tree information
- Domain trust information
  nltest /domain_trusts
- Locate the domain controller
  net time /domain
- View usernames in the domain
  dsquery user
- Query domain group names
  net group /domain
- Query domain administrators
  net group "Domain Admins" /domain
- Domain controller information
  nltest /dclist:xx
  Get-NetDomain
  Get-NetDomainController
  net group "Domain controllers"
- Group Policy
6.1.1.3. User Information
- View users
  net user
  whoami
  whoami /priv
  whoami /all
  wmic useraccount get /ALL /format:csv
- User privilege information
  whoami /priv
- View current permissions (members of the local administrators group)
  net localgroup administrators
- View online users
  quser
  qwinsta
  query user
- View current computer name, full name, user name, system version, workstation domain and logon domain
  net config Workstation
- ACL information
  get-acl
6.1.1.4. Network Information
- Intranet segment information
- Network card information
  ipconfig
- External network egress
- ARP table
  arp -a
- Route table
  route print
- Listening ports
  netstat -ano
- Connected ports
- Port information
  Get-NetTCPConnection
- hosts file
- Primary and standby DNS
- DNS cache
  ipconfig /displaydns
  Get-CimInstance -Namespace root/StandardCimv2 -ClassName MSFT_DNSClientCache
- Detect the network situation (which outbound TCP ports are reachable)
  powershell -c "1..65535 | % {echo ((new-object Net.Sockets.TcpClient).Connect('allports.exposed',$_)) $_ } 2>$null"
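netstat -ano only shows a PID next to each socket, and tasklist /svc (from the process information list above) only maps PIDs to images and hosted services; a practitioner usually wants the two joined. This is an added example, not code from the original notes: it parses constructed samples of both outputs and reports, for every listening socket, the owning image, the services hosted in that process, and whether the socket is bound to something other than loopback (and so reachable from the network). The sample lines, function names and the "<unknown>" marker for PIDs missing from the task list are assumptions of this example.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of `netstat -ano` output (not captured from a real host).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:8080         0.0.0.0:0              LISTENING       5520
  TCP    192.168.1.20:49812     203.0.113.7:443        ESTABLISHED     4120
  TCP    [::]:3389              [::]:0                 LISTENING       1304
  UDP    0.0.0.0:5353           *:*                                    2208
"""

# Constructed sample of `tasklist /svc` output; PID 5520 is deliberately absent
# to show how an unmatched socket is reported.
SAMPLE_TASKLIST = """
Image Name                     PID Services
========================= ======== ============================================
System                           4 N/A
svchost.exe                    912 RpcEptMapper, RpcSs
svchost.exe                   1304 TermService
chrome.exe                    4120 N/A
svchost.exe                   2208 Dnscache
"""

LOOPBACK = ("127.0.0.1", "[::1]")
# image name, whitespace, PID, whitespace, service list (may be "N/A")
_TASKLIST_ROW = re.compile(r"^(?P<image>\S.*?)\s+(?P<pid>\d+)\s+(?P<services>.*)$")


def parse_netstat(text: str) -> List[Dict[str, object]]:
    """Parse `netstat -ano` rows. TCP rows have a State column, UDP rows do not."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue  # banner, blank and header lines
        if parts[0] == "TCP" and len(parts) == 5:
            proto, local, foreign, state, pid = parts
        elif parts[0] == "UDP" and len(parts) == 4:
            proto, local, foreign, pid = parts
            state = ""
        else:
            continue  # malformed line
        addr, port = local.rsplit(":", 1)  # rsplit keeps IPv6 "[::]" intact
        rows.append({"proto": proto, "local_addr": addr, "local_port": int(port),
                     "foreign": foreign, "state": state, "pid": int(pid)})
    return rows


def parse_tasklist_svc(text: str) -> Dict[int, Tuple[str, str]]:
    """Map PID -> (image name, services) from `tasklist /svc` output."""
    procs: Dict[int, Tuple[str, str]] = {}
    last_pid = None
    for line in text.splitlines():
        if not line.strip() or line.startswith("=") or line.startswith("Image Name"):
            continue
        m = _TASKLIST_ROW.match(line)
        if m:
            last_pid = int(m.group("pid"))
            procs[last_pid] = (m.group("image"), m.group("services").strip())
        elif last_pid is not None and line.startswith(" "):
            # long service lists wrap onto indented continuation lines
            image, services = procs[last_pid]
            procs[last_pid] = (image, services + " " + line.strip())
    return procs


def listening_report(netstat_text: str, tasklist_text: str) -> List[Dict[str, object]]:
    """Join listening sockets with their owning process, sorted by port."""
    procs = parse_tasklist_svc(tasklist_text)
    report = []
    for row in parse_netstat(netstat_text):
        if row["proto"] == "TCP" and row["state"] != "LISTENING":
            continue  # only sockets that accept inbound traffic
        image, services = procs.get(row["pid"], ("<unknown>", ""))
        report.append({"proto": row["proto"], "port": row["local_port"], "pid": row["pid"],
                       "image": image, "services": services,
                       "exposed": row["local_addr"] not in LOOPBACK})
    return sorted(report, key=lambda r: (r["port"], r["proto"]))


if __name__ == "__main__":
    for entry in listening_report(SAMPLE_NETSTAT, SAMPLE_TASKLIST):
        flag = "EXPOSED" if entry["exposed"] else "local"
        print(f'{entry["proto"]}/{entry["port"]:<5} pid={entry["pid"]:<5} '
              f'{entry["image"]:<12} {entry["services"]:<22} {flag}')
```

A PID that appears in netstat but not in tasklist (here 5520) is worth a second look on a live host: it usually means the process exited between the two snapshots, but it is also what a process hidden from tasklist would look like, so re-run both commands before drawing conclusions.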
6.1.1.5. Firewall
- View firewall status
  netsh advfirewall show allprofiles
- Firewall log directory
  netsh firewall show logging
- Firewall rules
  netsh advfirewall firewall show rule name=all
  netsh firewall show config
  netsh firewall show state
6.1.1.6. Password Information
- Windows RDP connection logging
- Account passwords saved in the browser
- Various passwords in the system password manager
- Password information in unattended installation files
  C:\sysprep.inf
  C:\sysprep\sysprep.xml
  C:\Windows\Panther\Unattend\Unattended.xml
  C:\Windows\Panther\Unattended.xml
6.1.1.7. Ticket Information
- Stored credentials and Kerberos tickets
  cmdkey /l
  klist
- msf meterpreter
6.1.1.8. Special files
- Documents
  xlsx / xls
  docx / doc
  pptx / ppt
  vsdx / vsd
  md / txt
- Compressed files
  zip / rar / 7z
- VPN configuration
  ovpn
- Code
  py / php / jsp / aspx / asp / sql
- Configuration files
  conf / ini / xml
- Specific keywords
  account / login / user
  password / pass
  code / documentation / handover / backup / git / svn
  mailbox / address book / cluster / office
  proxy / intranet / VPN
  equipment / asset
  system / operation / topology / network / IT
  backend / admin / database
  monitoring / isolation / firewall / gatekeeper / inspection
6.1.1.9. Live hosts on the LAN
- NetBIOS scan
- OXID scan
6.1.1.10. Others
- Enabled shared folders
- Recycle bin
- Recently run commands
- File access history
- Check patch installation
  wmic qfe get Caption,Description,HotFixID,InstalledOn
- Log and event information
  wevtutil
  eventvwr
- Registry information
  reg
- Installed agent and monitoring software
- Installed antivirus software
- View/set file extension associations
  assoc
  assoc .ext=example
- PowerShell version
- .NET version
- Wi-Fi passwords