Survey
Windows
ipconfig /all
date /t
time /t
tasklist /V
auditpol /get /category:*
-needs an elevated prompt
netstat /anob
netsh advfirewall show allprofiles
net share
reg query hklm\software\microsoft\windows\currentversion\run
reg query hklm\software\microsoft\windows\currentversion\runonce
reg query hklm\software
at
-only present on Windows 7 / Server 2008 R2 and older; on newer builds it errors out, so rely on schtasks below
schtasks /query /v
-Run schtasks without the /v for cleaner output. For parent/child process relationships (which tasklist does not show) run wmic:
wmic process get name,processid,parentprocessid,executablepath,sessionid
dir /o:d /t:w c:\
dir /o:d /t:w c:\windows\temp
dir /o:d /t:w c:\windows\
dir /o:d /t:w c:\windows\system32
dir /o:d /t:w c:\windows\system32\winevt\logs
wevtutil qe security /c:25 /rd:true /f:text
query user
*NIX
ifconfig
ip addr (if ifconfig doesn't exist on the distro)
date; date -u
uname -a
ls -latr /
ls -latr /tmp
ls -latr .
ls -latr ..
sudo ls -latr /root
ps -elf
netstat -auntp (or ss -auntp if netstat is not installed)
w
last
ls -latr /var/spool/cron
tail -n 1000 /var/spool/cron/<file> (one per file listed above, or use the loop below to dump every account's crontab)
ls -la /etc/cron.*
cat /etc/crontab
for user in $(cut -f1 -d: /etc/passwd); do echo "###### $user crontab is:"; cat /var/spool/cron/{crontabs/$user,$user} 2>/dev/null; done
-the brace expansion covers both spool layouts: /var/spool/cron/crontabs/<user> (Debian/Ubuntu) and /var/spool/cron/<user> (Red Hat family)
df -h
lsblk
ls -latr /var/*acc*
ls -latr /var/log/
ls -latr /var/logs/ (if it exists)
ls -la /etc/*syslog*
-Read all of the config files
-If Ubuntu run: cat /etc/rsyslog.d/*.conf
find / \( -path /proc -prune -o -path /sys -prune \) -o -mmin -6 -type f -print | xargs ls -latr
-mmin is in minutes; change the 6 to how many minutes you have been on the box. Anything you touched since landing will show up here too, so note what is yours
sestatus || getenforce
If enabled, sestatus already prints the loaded policy name and policy version; for the policy store configuration also: cat /etc/selinux/semanage.conf
sudo cat /root/.bash_history
cat ~/.bash_history
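As an added example (not part of this cheat sheet), a small Python harness that runs the Windows or *NIX survey list above in order, stamps and hashes each result so the survey output can be compared later, and fills in the two parts of the *NIX list that need computing: the -mmin window for the find command and the per-user crontab loop. The file name survey.jsonl, the two-minute margin on the window and the 120-second per-command timeout are assumptions; the sudo commands, at and the broad reg query dumps are left to the operator.

```python
"""Survey harness: run the commands from this page, record each result with a
UTC timestamp and a SHA-256 of its output, and write a JSON-lines evidence file.
Added example, not part of the original cheat sheet; survey.jsonl, the margin
and the timeout are assumptions."""
import hashlib
import json
import math
import platform
import subprocess
import time

# Command lists from the page (sudo / at / broad reg dumps left to the operator).
WINDOWS_SURVEY = [
    "ipconfig /all", "date /t", "time /t", "tasklist /V",
    "auditpol /get /category:*", "netstat -anob",
    "netsh advfirewall show allprofiles", "net share",
    r"reg query hklm\software\microsoft\windows\currentversion\run",
    r"reg query hklm\software\microsoft\windows\currentversion\runonce",
    "schtasks /query",
    "wmic process get name,processid,parentprocessid,executablepath,sessionid",
    r"dir /o:d /t:w c:\windows\temp", r"dir /o:d /t:w c:\windows\system32",
    "wevtutil qe security /c:25 /rd:true /f:text", "query user",
]
NIX_SURVEY = [
    "ip addr || ifconfig", "date; date -u", "uname -a", "ls -latr /",
    "ls -latr /tmp", "ps -elf", "netstat -auntp || ss -auntp", "w", "last",
    "ls -la /etc/cron.*", "cat /etc/crontab", "df -h", "lsblk",
    "ls -latr /var/log/", "sestatus || getenforce",
]

def minutes_on_box(landed_at, now, margin=2):
    """Value for find -mmin: minutes since landing (epoch seconds in, rounded
    up) plus a margin so the first files you touched stay inside the window."""
    elapsed_min = (now - landed_at) / 60
    return int(math.ceil(elapsed_min)) + margin

def recent_files_command(minutes):
    """The page's find command with /proc and /sys pruned and the window filled in."""
    return (r"find / \( -path /proc -prune -o -path /sys -prune \) -o "
            f"-mmin -{minutes} -type f -print | xargs ls -latr")

def crontab_commands(passwd_text):
    """One cat per local account, reading both the Debian (crontabs/<user>) and
    Red Hat (<user>) spool layouts; the same thing as the for-loop on the page."""
    users = [line.split(":")[0] for line in passwd_text.splitlines()
             if line and not line.startswith("#")]
    return [f"cat /var/spool/cron/crontabs/{u} /var/spool/cron/{u} 2>/dev/null"
            for u in users]

def shell_runner(cmd):
    """Default runner: go through the OS shell (cmd.exe or sh), bounded by a timeout."""
    p = subprocess.run(cmd, shell=True, capture_output=True, text=True, timeout=120)
    return p.returncode, p.stdout + p.stderr

def run_survey(commands, runner=shell_runner, now=None):
    """Run each command and return evidence records (timestamp, command, return
    code, output, hash of output) instead of printing, so results can be stored."""
    records = []
    for cmd in commands:
        t = time.time() if now is None else now
        stamp = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(t))
        try:
            rc, out = runner(cmd)
        except subprocess.TimeoutExpired:
            rc, out = None, "<timeout>"
        records.append({"ts": stamp, "cmd": cmd, "rc": rc,
                        "sha256": hashlib.sha256(out.encode()).hexdigest(),
                        "output": out})
    return records

def write_evidence(records, path):
    """Append-free write of one JSON object per line; returns the record count."""
    with open(path, "w") as fh:
        for r in records:
            fh.write(json.dumps(r) + "\n")
    return len(records)

if __name__ == "__main__":
    landed = time.time()  # record this the moment you land, before anything else
    on_windows = platform.system() == "Windows"
    recs = run_survey(WINDOWS_SURVEY if on_windows else NIX_SURVEY)
    if not on_windows:
        with open("/etc/passwd") as fh:
            recs += run_survey(crontab_commands(fh.read()))
        window = minutes_on_box(landed, time.time())
        recs += run_survey([recent_files_command(window)])
    print("records written:", write_evidence(recs, "survey.jsonl"))
```

Run it as soon as you land so the recorded landing time is honest; the hashes let you prove later that the output in the file is what the box returned, and rerunning the same list on a known-good host gives you a baseline to diff against.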
Unexpected OS
Research the equivalents of the commands above for that OS and confirm each one before executing it on the target
Research how to identify IP address
Research how to identify Operating System
Research how to identify routes
Research how to identify network connections
Research how to identify updated logs
Research how to identify uptime
Research how to identify running processes
Research how to identify common storage locations and what they contain