{"id":150,"date":"2021-11-12T16:44:50","date_gmt":"2021-11-12T16:44:50","guid":{"rendered":"https:\/\/www.davincivirus.com\/?p=150"},"modified":"2021-11-12T17:38:53","modified_gmt":"2021-11-12T17:38:53","slug":"recon","status":"publish","type":"post","link":"https:\/\/www.davincivirus.com\/?p=150","title":{"rendered":"Recon"},"content":{"rendered":"\n

Net.exe User\/Group Enumeration<\/strong><\/p>\n\n\n\n

net group \"<GROUPNAME>\" \/domain         **Lists all members of a group on the domain\nnet localgroup administrators           **List admins on the local machine\nnet localgroup administrators \/domain   **List administrators in the domain\nnet user <username> \/domain             **List details about a domain user\nnet view \\\\COMPUTERNAME \/all            **List all shares provided by a remote computer<\/code><\/pre>\n\n\n\n
DSQuery<\/strong><\/p>\n\n\n\n
dsquery * -filter \"(objectclass=trusteddomain)\" -attr * -limit 2\ndsquery * -filter \"(&(objectclass=user)(samaccountname=*da*))\" -attr samaccountname -d <DOMAINAME>\n        Object Classes\n            -computer (Attrs: description, samaccountname, name, operatingsystem, dnshostname)\n            -user (Attrs: description, samaccountname, name)\n            -trusteddomain (Attrs: flatname, trustdirection)\n            -group (Attrs: description, samaccountname, name, member)<\/em><\/code><\/pre>\n\n\n\n
WEVTUTIL<\/strong><\/p>\n\n\n\n
wevtutil qe security \/rd:true \/f:text \/q:\"*[System\/EventID=4624] and [EventData\/Data[@Name='TargetUserName']='QUERIED_USER_NAME']\" \/c:20     (TO QUERY EVENT LOGS)<\/code><\/pre>\n\n\n\n
Windows SA<\/strong><\/p>\n\n\n\n
ipconfig \/all\ntasklist \/v\n -tasklist \/v \/s \\\\<REMOTEIP> (Remote usage)<\/em>\nnet user USERNAME \/domain\nnetstat -anop tcp\nwdigest (if system)\nlogonpasswords (if system)\nscreenshot (cs plugin)\nkeylogger (cs plugin)\narchitecture (dir c:\/)\ntree.com \/F \/A <C:\\FILEPATH>\nnet use ((as user) mapped shares)\nnet session (active sessions::best for file\/exchange server)\nPowershell.exe get-hotfix (get patches)<\/code><\/pre>\n\n\n\n
Linux SA<\/strong><\/p>\n\n\n\n
ip addr\nps -ef\nnetstat -pantu\nuname -a (linux version)\nw (who is logged in)\nlast (recently logged in users)\ncat \/etc\/fstab (mounted shares \/ creds)\ncat \/etc\/hosts (DNS entries)\nhistory (or cat histfile)<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"
Net.exe User\/Group Enumeration DSQuery WEVTUTIL Windows SA Linux SA<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[6],"tags":[],"_links":{"self":[{"href":"https:\/\/www.davincivirus.com\/index.php?rest_route=\/wp\/v2\/posts\/150"}],"collection":[{"href":"https:\/\/www.davincivirus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.davincivirus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.davincivirus.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.davincivirus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=150"}],"version-history":[{"count":7,"href":"https:\/\/www.davincivirus.com\/index.php?rest_route=\/wp\/v2\/posts\/150\/revisions"}],"predecessor-version":[{"id":171,"href":"https:\/\/www.davincivirus.com\/index.php?rest_route=\/wp\/v2\/posts\/150\/revisions\/171"}],"wp:attachment":[{"href":"https:\/\/www.davincivirus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=150"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.davincivirus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=150"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.davincivirus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=150"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}