Difference between revisions of "Windows Commands"
Line 49: | Line 49: | ||
===Service interaction=== | ===Service interaction=== | ||
sc query & | List running services | ||
<pre>sc query</pre> | |||
List all services | |||
<pre>sc query state= all</pre> | |||
List all service names | |||
<pre>sc query state= all | find "SERVICE_NAME"</pre> | |||
Query service information | |||
<pre>sc query <servicename> | |||
sc qc <servicename></pre> | |||
Start a service | |||
<pre>sc config <servicename> start= auto | |||
sc start <servicename> | |||
Starting telnet | Starting telnet |
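Review bot: the `<pre>` opened on the added line `<pre>sc config <servicename> start= auto` is never closed in the new text; the previous added blocks each end with `</pre>`, but this one stops at `sc start <servicename>`, so the unchanged `Starting telnet` line and everything after it renders inside the preformatted block (the revision body below shows exactly that run-together text). Suggest adding `</pre>` after `sc start <servicename>`.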
Revision as of 20:52, 17 July 2008
Recon
nslookup
- Types of record: NS, A, HINFO, MX, TXT, CNAME, SOA, RP, PTR, SRV
nslookup <site>
- Interactive mode (one command per prompt):
nslookup
> [name or ip]
> server [server ip]
> set type=any
> ls -d [target_domain] [> filename]
> view [filename]
- Disable recursion, and re-enable it:
> set norecurse
> set recurse
Scanning
tracert
Parameters
- -d -- don't resolve names
- -h <N> -- max number of hops (default 30)
- -j <hostlist> -- use loose source routing
- -w <N> -- wait N ms for each reply before timing out (default 4000)
Null session
- Establishing a null session
net use \\<target> "" /u:""
- Pulling credentials
enum -U <target>
enum -G <target>
- user2sid
- Outputs in the form S-X-Y-target_sid-RID
user2sid \\<target> <machine_name>
- sid2user
- Requires spaces instead of dashes
sid2user \\<target> 5 <target_sid> <N>
for /L %i in (1000, 1, 1050) do @sid2user \\<target> 5 <target_sid> %i
Exploitation
Finding client-side programs
dir /s "c:\Program Files"
dir /s /b "c:\Program Files\*.exe"
Service interaction
List running services
sc query
List all services
sc query state= all
List all service names
sc query state= all | find "SERVICE_NAME"
Query service information
sc query <servicename>
sc qc <servicename>
Start a service
sc config <servicename> start= auto
sc start <servicename>
Starting telnet
sc query tlntsvr
sc config tlntsvr start= auto
sc start tlntsvr
Starting terminal services
sc query termservice
sc config termservice start= auto
sc start termservice
Users and groups
Listing users
net user
Creating a user
net user <username> <password> /add
Listing groups
net localgroup
Creating a group
net localgroup <groupname> /add
Adding a user to a group
net localgroup <groupname> <username> /add
Adding a user to the telnet users group
net user <username> <password> /add
net localgroup TelnetClients /add
net localgroup TelnetClients <username> /add
Adding a user to the terminal services group
net localgroup "Remote Desktop Users" <username> /add
Firewall interaction
Opening the firewall for telnet
netsh firewall add portopening protocol = TCP port = 23 name = telnet mode = enable scope = custom addresses = <address>
Opening the firewall for terminal services
netsh firewall set service type = remotedesktop mode = enable scope = custom addresses = <address>
Opening the firewall for SSH
netsh firewall add portopening protocol = TCP port = 22 name = sshd mode = enable scope = custom addresses = <address>
Registry interaction
Enabling terminal services
reg add "hklm\system\currentcontrolset\control\terminal server" /v fdenytsconnections /t reg_dword /d 0
netstat
Finding a port
netstat -an | find "<port>"