Enumeration


ABOUT

In any situation, whether daily life or a network penetration test, understanding our surroundings is crucial. That awareness lets us make informed, proactive decisions: we may discover reachable hosts, protections that have to be bypassed, or tools that will not run on the target system.

This is the enumeration section, and most of it covers Living Off The Land (LOL) enumeration: using tools that are already built into Windows, which is stealthier than dropping third-party binaries on the target. Where a command needs a tool that is not built in, that is called out next to the command. If you are inside a domain environment, also look at the LOL subsections of the Active Directory enumeration pages.

Data Sources

  • Installed applications
  • Installed services
    • Websites
    • File Shares
    • Databases
    • Directory Services (such as Active Directory, Azure AD, etc.)
    • Name Servers
    • Deployment Services
    • Certificate Authority
    • Source Code Management Server
    • Virtualization
    • Messaging
    • Monitoring and Logging Systems
    • Backups
  • Sensitive Data
    • Keylogging
    • Screen Capture
    • Network Traffic Capture
    • Previous Audit reports
  • User Information
    • History files and interesting documents (.doc/.docx, .xls/.xlsx, files with "password" or "pass" in the name, etc.)
    • Roles and Privileges
    • Web Browsers
    • IM Clients
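The checklist above can be worked through without dropping anything on the host. The script below is an added example, not code from the original page: it sweeps the most common entries (installed applications, non-Windows services, shares, domain membership, DNS servers, shell history, interesting documents, browser and IM client footprints) using only built-in PowerShell cmdlets and the registry. The document name patterns and the client profile paths are assumptions chosen for illustration; tune them for the engagement.

```powershell
# Added example: living-off-the-land sweep of the "Data Sources" checklist.
# Uses only built-in PowerShell, CIM and the registry; nothing is written to disk.

# 1. Installed applications. The three Uninstall keys cover 64-bit, 32-bit
#    (WOW6432Node) and per-user installs respectively.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$apps = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |
    Select-Object DisplayName, DisplayVersion, InstallLocation -Unique
$apps | Sort-Object DisplayName | Format-Table -AutoSize

# 2. Installed services whose binary lives outside C:\Windows. Backup agents,
#    monitoring, databases and web servers tend to show up here, along with
#    the account each one runs as.
$services = Get-CimInstance Win32_Service |
    Where-Object { $_.PathName -and $_.PathName -notmatch '^"?C:\\Windows\\' } |
    Select-Object Name, State, StartName, PathName
$services | Format-Table -AutoSize

# 3. File shares exposed by this host
Get-SmbShare | Select-Object Name, Path, Description | Format-Table -AutoSize

# 4. Directory services: is this box domain-joined, and which DC did we log on to?
$cs = Get-CimInstance Win32_ComputerSystem
"Domain-joined: $($cs.PartOfDomain)  Domain: $($cs.Domain)"
if ($cs.PartOfDomain) { "Logon server: $env:LOGONSERVER" }

# 5. Name servers configured on each interface (internal DNS is usually the DC)
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    Select-Object InterfaceAlias, ServerAddresses | Format-Table -AutoSize

# 6. User information: PSReadLine history, interesting documents, browser and
#    IM client profiles. PSReadLine writes every interactive command here.
$history = Join-Path $env:APPDATA 'Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt'
if (Test-Path $history) {
    "PSReadLine history: $history ($((Get-Content $history).Count) lines)"
}

# Name patterns are an assumption for illustration; extend them per engagement.
$docPatterns = @('*pass*', '*cred*', '*.kdbx', '*.config', '*.docx', '*.xlsx', '*.pdf', '*.txt')
$docRoots    = @("$env:USERPROFILE\Desktop", "$env:USERPROFILE\Documents", "$env:USERPROFILE\Downloads")
Get-ChildItem -Path $docRoots -Recurse -Include $docPatterns -ErrorAction SilentlyContinue |
    Select-Object FullName, Length, LastWriteTime | Format-Table -AutoSize

# Presence of a profile directory is enough to know which clients are worth
# looting later; the paths are the vendors' defaults (assumed, verify on target).
$clientPaths = @{
    'Chrome profile'  = "$env:LOCALAPPDATA\Google\Chrome\User Data"
    'Edge profile'    = "$env:LOCALAPPDATA\Microsoft\Edge\User Data"
    'Firefox profile' = "$env:APPDATA\Mozilla\Firefox\Profiles"
    'Teams cache'     = "$env:APPDATA\Microsoft\Teams"
    'Slack cache'     = "$env:APPDATA\Slack"
}
foreach ($entry in $clientPaths.GetEnumerator()) {
    if (Test-Path $entry.Value) { "Found {0,-16} {1}" -f $entry.Key, $entry.Value }
}
```

Run it from an unprivileged shell first; every step here works without admin rights, so it is safe to use as a first pass right after landing on a host. `Get-SmbShare` and `Get-DnsClientServerAddress` need Windows 8 / Server 2012 or later; on older targets fall back to `net share` and `ipconfig /all`.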

NAMED PIPES

pipelist.exe and accesschk.exe are Sysinternals tools, so they have to be brought to the target; the PowerShell one-liner lists pipes using only built-ins.

Listing Named Pipes

C:\> pipelist.exe /accepteula
PS C:\> gci \\.\pipe\

Reviewing LSASS Named Pipe Permissions

C:\> accesschk.exe /accepteula \\.\Pipe\lsass -v

SCHEDULED TASKS

C:\> schtasks /query /fo LIST /v
PS C:\> Get-ScheduledTask | select TaskName,State
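Listing task names and states is rarely enough: for privilege escalation you want to know who each task runs as and what it executes, and whether you can tamper with that. The script below is an added example, not code from the original page. It enumerates enabled tasks with their principal, actions and run times, then flags tasks that run as a privileged account from a binary or folder the current user can write to. The writability test is deliberately simple (explicit Allow ACEs for the current user, Users, Authenticated Users and Everyone) and is an assumption for illustration, not an exhaustive ACL evaluation.

```powershell
# Added example: scheduled task review for privilege escalation.
# Built-in cmdlets only (ScheduledTasks module, Get-Acl).

$me = [System.Security.Principal.WindowsIdentity]::GetCurrent()
# Identities whose Allow ACEs we treat as "ours". Nested group membership is
# ignored on purpose to keep the check readable (see note below the block).
$myPrincipals = @($me.Name, 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone')
$writeBits = [System.Security.AccessControl.FileSystemRights]::Write

function Test-WritableByMe {
    param([string]$Path)
    try { $acl = Get-Acl -Path $Path -ErrorAction Stop } catch { return $false }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($myPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        # Any overlap with the Write bits (WriteData, AppendData, WriteAttributes,
        # WriteExtendedAttributes) is enough to plant or replace a file.
        if (($ace.FileSystemRights -band $writeBits) -ne 0) { return $true }
    }
    return $false
}

# Pull the executable out of an Exec action: strip quotes and expand
# environment variables such as %SystemRoot%. COM-handler actions have no
# Execute field and are skipped.
function Get-ActionBinary {
    param($Action)
    if (-not $Action.Execute) { return $null }
    return [Environment]::ExpandEnvironmentVariables($Action.Execute.Trim('"'))
}

$report = foreach ($task in Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' }) {
    $info = $task | Get-ScheduledTaskInfo
    foreach ($action in $task.Actions) {
        $exe = Get-ActionBinary $action
        if (-not $exe) { continue }
        $binWritable = Test-WritableByMe $exe
        # A bare "foo.exe" is resolved through PATH at run time; only check the
        # parent folder when the action actually names one.
        $dirWritable = if ($exe -match '\\') { Test-WritableByMe (Split-Path $exe -Parent) } else { $false }
        [pscustomobject]@{
            TaskPath    = $task.TaskPath
            TaskName    = $task.TaskName
            RunAs       = $task.Principal.UserId
            RunLevel    = $task.Principal.RunLevel
            Execute     = $exe
            Arguments   = $action.Arguments
            LastRun     = $info.LastRunTime
            NextRun     = $info.NextRunTime
            BinWritable = $binWritable
            DirWritable = $dirWritable
        }
    }
}

# Full inventory, grouped by the account the task runs as
$report | Sort-Object RunAs, TaskName |
    Format-Table TaskName, RunAs, RunLevel, Execute, NextRun -AutoSize

# The interesting subset: privileged principal plus a binary or folder we can modify
$report | Where-Object {
    ($_.RunAs -match 'SYSTEM|S-1-5-18|Administrator' -or $_.RunLevel -eq 'Highest') -and
    ($_.BinWritable -or $_.DirWritable)
} | Format-List TaskPath, TaskName, RunAs, RunLevel, Execute, Arguments, BinWritable, DirWritable
```

Two caveats when reading the output. First, a non-admin user does not see every task: tasks whose folder DACL excludes Users are simply missing, so compare against `schtasks /query /fo LIST /v` from an elevated shell if you get one. Second, the writability check only looks at explicit ACEs for four identities; a folder granted to a custom group you belong to will be reported as not writable. For a thorough check, build the identity list from `$me.Groups` translated to NTAccount names, or fall back to `accesschk.exe -wus <path>` (Sysinternals, not built in).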