-
Notifications
You must be signed in to change notification settings - Fork 663
/
Cheatsheet_BuildReviews.txt
140 lines (116 loc) · 3.2 KB
/
Cheatsheet_BuildReviews.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
Build Review Cheatsheet
-----------------------
[+] Main tasks:
Any third party installed software and all associated versions.
Password policy applied locally via net accounts commands.
Domain policy applied, including domain password policy.
Logging settings.
Running services and unquoted service paths.
Permissions set on services.
List of patches and hotfixes installed.
Efficacy of AV solutions. May require import of a benign Eicar test file.
USB policy and removable media access (including firewire, CD etc).
Disk encryption (if relevant)
BIOS passwords set.
Proxy settings (if relevant).
Nessus Scan (With Credentials).
[+] Windows Hosts:
[+] Server Roles
[+] Server Manager
[+] System Properties
[+] Default Domain Policy
[+] Global Domain Policy
[+] Net accounts/Users/groups/Administrators
[+] IPConfig/Routing
[+] Installed Programs
[+] Installed System Updates
[+] AV Version/Definition Dates
[+] Check Computer folders
[+] Firewall Configuration
[+] Audit Policy
[+] Password/Lockout Policy
[+] Security Policy
[+] User Rights Policy
[+] Lanman Parameters (HKLM - System - Current Control - Services - LanmanServer - Parameters)
[+] LSA (HKLM - System - Current Control - Control - LSA)
[+] MSV (HKLM - System - Current Control - Control - LSA - MSV1_0)
systeminfo command
BIOS password
boot to usb
file system
- encrypted?
- grab /Windows/System32/config/SAM SECURITY SYSTEM
- put C:\Program.exe (eg calc)
Control Panel
- Windows Firewall
- enabled
- editable
- logs
- System Info
- Windows Update
Anti-Virus
- config
- logs
- version
- dates
- EICAR
cmd.exe
script.cmd
- ipconfig /all
- netstat
- net accounts
- net accounts /domain (review password policy)
- net user hacker Password@1 /add
- regedit
- ping
- sched
- tracert
- net use \\IP address_or_host name\ipc$ "" /user:"" # null session
- net use
- net view
- net start
- tasklist
mount usb
usb autostart
copy over files
- nc
- enum
- nmap
- DIRE
- EICAR
# SAM files in backtrack
/Windows/System32/config/SAM SECURITY SYSTEM
# mounting on desktop review
# mount <target> <mydir>
# sda1 = client hdd, sdb2 = my usb part 2
# mkdir /mnt/client-hdd
# mount /dev/sda1 /mnt/client-hdd
# mkdir /mnt/win-usb
# mount /dev/sdb2 /mnt/win-usb
hosts file C:\Windows\System32\drivers\etc\hosts.txt
SYSVOL GPO preference item, check for obscured passwords in xml
http://blogs.technet.com/b/grouppolicy/archive/2008/08/04/passwords-in-group-policy-preferences.aspx
The history file is readable by any authenticated user, as shown below:
C:\Users\All Users\Microsoft\Group Policy\History\{A1C0C41B-D2F8-401B-A5D1-437DA197A809}\Machine\Preferences\Groups\Groups.xml
The same Group Policy Preference XML configuration file is also accessible via the following UNC path on the Domain Controller, again by any authenticated user:
\\Domain_Controller\sysvol\Domain_Name\Policies\{A1C0C41B-D2F8-401B-A5D1-437DA197A809}\Machine\Preferences\Groups\Groups.xml
[+] Unix Based Hosts:
hostname
whoami
uname -a
cat /etc/lsb-release
dmesg | grep Linux
cat /etc/passwd
cat /etc/sudoers
netstat -antup
ps -aux
ps aux | grep root
crontab -l
/sbin/ifconfig -a
iptables -L
arp -e
cat ~/.bash_history
cat ~/.ssh/authorized_keys
mount
- Check installed applications
- Check installed compilers/interpreters