Common enumeration

Resources

  1. PowerShell history

  2. Windows registry

PowerShell history

We can view the PowerShell command history through the PSReadLine module, which persists it to a file on disk.

PSReadLine provides an improved command-line editing experience in the PowerShell console.

The file can be found at:

C:\Users\<USER>\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt

For more information on the PSReadLine options (including the configured history file path), we can run the Get-PSReadLineOption command.
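The following script is an added example, not part of the original notes: it reads the history path that Get-PSReadLineOption reports for the current user, then walks every profile under C:\Users for the same relative file and flags history lines that look like they embed credentials, so they can be reviewed and purged. It assumes it is run from an elevated PowerShell session (other users' profiles are otherwise unreadable); the keyword list is a constructed starting point, not an exhaustive one.

```powershell
# Added example (not from the original notes): audit PSReadLine history files on this
# host for commands that may have embedded credentials.
# Assumptions: run elevated; $keywords is a constructed, non-exhaustive list.

$keywords = @('password', 'pass=', 'pwd', 'secret', 'token', 'apikey',
              'ConvertTo-SecureString', 'net user', 'Credential')

# Path PSReadLine reports for the current user; the same relative path applies
# to every other profile on the machine.
$currentPath = (Get-PSReadLineOption).HistorySavePath
Write-Host "Current user's PSReadLine history file: $currentPath"

$relative = 'AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt'
$profiles = Get-ChildItem -Path 'C:\Users' -Directory -ErrorAction SilentlyContinue

$report = foreach ($p in $profiles) {
    $hist = Join-Path $p.FullName $relative
    if (-not (Test-Path -Path $hist)) { continue }

    $lines = Get-Content -Path $hist -ErrorAction SilentlyContinue
    # -SimpleMatch: treat each keyword literally rather than as a regex.
    $hits  = $lines | Select-String -Pattern $keywords -SimpleMatch

    [pscustomobject]@{
        User      = $p.Name
        Path      = $hist
        Lines     = ($lines | Measure-Object).Count
        LastWrite = (Get-Item -Path $hist).LastWriteTime
        Suspect   = ($hits | Measure-Object).Count
        # Line numbers of the suspect entries, for manual review before removal.
        Where     = ($hits | ForEach-Object { $_.LineNumber }) -join ','
    }
}

$report | Format-Table -AutoSize
```

A practical caveat: PSReadLine 2.x already refuses to save commands whose text contains "password", "asplaintext", "token", "apikey" or "secret", so a clean result from this check does not prove that no secrets were typed, only that none were written to the file. On hosts where history retention is not wanted at all, Set-PSReadLineOption -HistorySaveStyle SaveNothing turns the file off for that user.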

Registry

We can utilize the Windows registry to harvest information. The following command examples can be used to query the registry for the password keyword:

reg query HKLM /f password /t REG_SZ /s
reg query HKU /f password /t REG_SZ /s

a. HKLM, HKU: These values are the key name argument, which must be specified (the root key under which the search runs)

  • HKLM: HKEY_LOCAL_MACHINE key which contains configuration information particular to the computer (for any user)

  • HKU: HKEY_USERS key which contains all the actively loaded user profiles on the computer

Since we did not specify a remote machine (\\<computername>\), the operation defaults to the local computer.

b. /f : Specifies the data or pattern to search for

  • In our case, the pattern we are searching for is password

c. /t : Specifies registry types to search. Valid types are: REG_SZ, REG_MULTI_SZ, etc.

  • In our case, we specify it as REG_SZ, which is simply a fixed-length text string

d. /s : Specifies to query all subkeys and value names recursively
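As an added example (not from the original notes), the same search expressed in PowerShell, written as a hygiene audit that reports where a keyword appears in REG_SZ value names or data under HKLM and HKU, so the offending entries can be located and removed. It assumes an elevated session; $Keyword and $Hives are script parameters with the values from the notes as defaults. Unlike reg query /f, which also matches key names unless told otherwise, this version looks only at value names and data (the equivalent of combining /v and /d).

```powershell
# Added example (not from the original notes): PowerShell equivalent of
#   reg query HKLM /f password /t REG_SZ /s
#   reg query HKU  /f password /t REG_SZ /s
# restricted to value names and data, for locating cleartext credentials.
# Assumptions: run elevated; defaults below mirror the commands in the notes.
param(
    [string]$Keyword = 'password',
    [string[]]$Hives = @('HKLM', 'HKU')
)

# HKU: is not a built-in PowerShell drive; map it so Get-ChildItem can walk HKEY_USERS.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

$findings = foreach ($hive in $Hives) {
    # -Recurse is the /s switch; keys we cannot open are skipped silently.
    $keys = Get-ChildItem -Path "${hive}:\" -Recurse -ErrorAction SilentlyContinue
    foreach ($key in $keys) {
        foreach ($name in $key.GetValueNames()) {
            # Only REG_SZ values, matching /t REG_SZ. REG_EXPAND_SZ and
            # REG_MULTI_SZ are deliberately excluded here, as in the notes.
            if ($key.GetValueKind($name) -ne 'String') { continue }
            $data = $key.GetValue($name)
            if ($name -like "*$Keyword*" -or "$data" -like "*$Keyword*") {
                [pscustomobject]@{
                    Key   = $key.Name
                    Value = if ($name) { $name } else { '(Default)' }
                    Data  = $data
                }
            }
        }
    }
}

$findings | Format-Table -AutoSize
```

Because the walk is recursive and error-suppressed, the script is slow on large hives but never aborts on a key the session cannot read; rerun it with -Keyword 'pwd' or similar to widen the audit, and widen the type filter if REG_MULTI_SZ values also need checking.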
