# Usage # run script directly from powershell for quick standard checks # # For quick standard checks directly from CMD: # powershell -nologo -executionpolicy bypass -file WindowsEnum.ps1 # # To run extensive file searches use extended parameter (it can take a long time, be patient!): # PS C:\> .\WindowsEnum.ps1 extended # From CMD: # powershell -nologo -executionpolicy bypass -file WindowsEnum.ps1 extended param($extended) $lines="------------------------------------------" function whost($a) { Write-Host Write-Host -ForegroundColor Green $lines Write-Host -ForegroundColor Green " "$a Write-Host -ForegroundColor Green $lines } whost "Windows Enumeration Script v 0.1 by absolomb www.sploitspren.com" $standard_commands = [ordered]@{ 'Basic System Information' = 'Start-Process "systeminfo" -NoNewWindow -Wait'; 'Environment Variables' = 'Get-ChildItem Env: | ft Key,Value'; 'Network Information' = 'Get-NetIPConfiguration | ft InterfaceAlias,InterfaceDescription,IPv4Address'; 'DNS Servers' = 'Get-DnsClientServerAddress -AddressFamily IPv4 | ft'; 'ARP cache' = 'Get-NetNeighbor -AddressFamily IPv4 | ft ifIndex,IPAddress,LinkLayerAddress,State'; 'Routing Table' = 'Get-NetRoute -AddressFamily IPv4 | ft DestinationPrefix,NextHop,RouteMetric,ifIndex'; 'Network Connections' = 'Start-Process "netstat" -ArgumentList "-ano" -NoNewWindow -Wait | ft'; 'Connected Drives' = 'Get-PSDrive | where {$_.Provider -like "Microsoft.PowerShell.Core\FileSystem"}| ft'; 'Firewall Config' = 'Start-Process "netsh" -ArgumentList "firewall show config" -NoNewWindow -Wait | ft'; 'Current User' = 'Write-Host $env:UserDomain\$env:UserName'; 'User Privileges' = 'start-process "whoami" -ArgumentList "/priv" -NoNewWindow -Wait | ft'; 'Local Users' = 'Get-LocalUser | ft Name,Enabled,LastLogon'; 'Logged in Users' = 'Start-Process "qwinsta" -NoNewWindow -Wait | ft'; 'Credential Manager' = 'start-process "cmdkey" -ArgumentList "/list" -NoNewWindow -Wait | ft' 'User Autologon Registry Items' = 'Get-ItemProperty -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon" | select "Default*" | ft'; 'Local Groups' = 'Get-LocalGroup | ft Name'; 'Local Administrators' = 'Get-LocalGroupMember Administrators | ft Name, PrincipalSource'; 'User Directories' = 'Get-ChildItem C:\Users | ft Name'; 'Searching for SAM backup files' = 'Test-Path %SYSTEMROOT%\repair\SAM ; Test-Path %SYSTEMROOT%\system32\config\regback\SAM'; 'Running Processes' = 'gwmi -Query "Select * from Win32_Process" | where {$_.Name -notlike "svchost*"} | Select Name, Handle, @{Label="Owner";Expression={$_.GetOwner().User}} | ft -AutoSize'; 'Installed Software Directories' = 'Get-ChildItem "C:\Program Files", "C:\Program Files (x86)" | ft Parent,Name,LastWriteTime'; 'Software in Registry' = 'Get-ChildItem -path Registry::HKEY_LOCAL_MACHINE\SOFTWARE | ft Name'; 'Folders with Everyone Permissions' = 'Get-ChildItem "C:\Program Files\*", "C:\Program Files (x86)\*" | % { try { Get-Acl $_ -EA SilentlyContinue | Where {($_.Access|select -ExpandProperty IdentityReference) -match "Everyone"} } catch {}} | ft'; 'Folders with BUILTIN\User Permissions' = 'Get-ChildItem "C:\Program Files\*", "C:\Program Files (x86)\*" | % { try { Get-Acl $_ -EA SilentlyContinue | Where {($_.Access|select -ExpandProperty IdentityReference) -match "BUILTIN\Users"} } catch {}} | ft'; 'Checking registry for AlwaysInstallElevated' = 'Test-Path -Path "Registry::HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Installer" | ft'; 'Unquoted Service Paths' = 'gwmi -class Win32_Service -Property Name, DisplayName, PathName, StartMode | Where {$_.StartMode -eq "Auto" -and $_.PathName -notlike "C:\Windows*" -and $_.PathName -notlike ''"*''} | select PathName, DisplayName, Name | ft'; 'Scheduled Tasks' = 'Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*"} | ft TaskName,TaskPath,State'; 'Tasks Folder' = 'Get-ChildItem C:\Windows\Tasks | ft'; 'Startup Commands' = 'Get-CimInstance Win32_StartupCommand | select Name, command, Location, User | fl'; } $extended_commands = [ordered]@{ 'Searching for Unattend and Sysprep files' = 'Get-Childitem –Path C:\ -Include *unattend*,*sysprep* -File -Recurse -ErrorAction SilentlyContinue | where {($_.Name -like "*.xml" -or $_.Name -like "*.txt" -or $_.Name -like "*.ini")} | Out-File C:\temp\unattendfiles.txt'; 'Searching for web.config files' = 'Get-Childitem –Path C:\ -Include web.config -File -Recurse -ErrorAction SilentlyContinue | Out-File C:\temp\webconfigfiles.txt'; 'Searching for other interesting files' = 'Get-Childitem –Path C:\ -Include *password*,*cred*,*vnc* -File -Recurse -ErrorAction SilentlyContinue | Out-File C:\temp\otherfiles.txt'; 'Searching for various config files' = 'Get-Childitem –Path C:\ -Include php.ini,httpd.conf,httpd-xampp.conf,my.ini,my.cnf -File -Recurse -ErrorAction SilentlyContinue | Out-File C:\temp\configfiles.txt' 'Searching HKLM for passwords' = 'reg query HKLM /f password /t REG_SZ /s | Out-File C:\temp\hklmpasswords.txt'; 'Searching HKCU for passwords' = 'reg query HKCU /f password /t REG_SZ /s | Out-File C:\temp\hkcupasswords.txt'; 'Searching for files with passwords' = 'Get-ChildItem c:\* -include *.xml,*.ini,*.txt,*.config -Recurse -ErrorAction SilentlyContinue | Where-Object {$_.PSPath -notlike "*C:\temp*" -and $_.PSParentPath -notlike "*Reference Assemblies*" -and $_.PSParentPath -notlike "*Windows Kits*"}| Select-String -Pattern "password" | Out-File C:\temp\password.txt'; } function RunCommands($commands) { ForEach ($command in $commands.GetEnumerator()) { whost $command.Name Invoke-Expression $command.Value } } RunCommands($standard_commands) if ($extended) { if ($extended.ToLower() -eq 'extended') { $result = Test-Path C:\temp if ($result -eq $False) { New-Item C:\temp -type directory } whost "Results writing to C:\temp\ This may take a while..." RunCommands($extended_commands) whost "Script Finished! Check your files in C:\temp\" } } else { whost "Script finished!" }