Difference between revisions of "Windows Commands"

From SkullSecurity
Jump to navigation Jump to search
Line 153: Line 153:


Remove the port opening
Remove the port opening
<pre>netsh firewall del portopening protocol = &lt;TCP|UDP&gt; port = &lt;port&gt;
<pre>netsh firewall del portopening protocol = &lt;TCP|UDP&gt; port = &lt;port&gt;</pre>


Disable the firewall completely (bad idea)
Disable the firewall completely (bad idea)

Revision as of 14:45, 18 July 2008

Recon

nslookup

  • Types of record: NS, A, HINFO, MX, TXT, CNAME, SOA, RP, PTR, SRV
nslookup <site>
  • Interactive mode:
nslookup
> [name or ip]
> server [server ip]
> set type=any
> ls -d [target_domain] [> filename]
> view [filename]
  • No recurse:
> set norecurse
> set recurse

Scanning

tracert

Parameters

  • -d -- don't resolve names
  • -h <N> -- max number of hops (default 30)
  • -j <hostlist> -- use loose source routing
  • -w <N> -- wait for Nms before timing out (default 4000)

SMB session

Establishing a null session

net use \\<target> "" /u:""

Establishing an authenticated session

net use \\<target> <password> /u:<username>

Mount a share
<pre>net use * \\<target>\<share> <password> /u:<username>
net use * \\<target>\<share> <password> /u:<machinename>\<username>
net use * \\<target>\c$ <password> /u:<username>

Dropping SMB sessions

net use \\<target> /del

Dropping all SMB sessions (bad idea)

net use * /del

Pulling credentials (w/ SMB session)

Pulling credentials

enum -U <target>
enum -G <target>

user2sid

  • Outputs in the form S-X-Y-target_sid-RID
user2sid \\<target> <machine_name>

sid2user

  • Requires spaces instead of dashes
sid2user \\<target> 5 <target_sid> <N>
for /L %i in (1000, 1, 1050) do @sid2user \\<target> 5 <target_sid> %i

Exploitation

Finding client-side programs

dir /s "c:\Program Files"
dir /s /b "c:\Program Files\*.exe"

Service interaction

List running services

sc query

List all services

sc query state= all

List all service names

sc query state= all | find "SERVICE_NAME"

Query service information

sc query <servicename>
sc qc <servicename>

Start a service

sc config <servicename> start= demand
sc start <servicename>

Starting telnet
<pre>sc query tlntsvr
sc config tlntsvr start= demand
sc start tlntsvr

Starting terminal services

sc query termservice
sc config termservice start= demand
sc start termservice

Variables

Finding environmental variables

set

Finding a specific variable

set <variable>
echo %<variable>%
set username
set path
set systemroot
echo %systemroot%
cd %systemroot%
etc.

Users and groups

Listing users

net user

Creating a user

net user <username> <password> /add

Listing groups

net localgroup

Creating a group

net localgroup <groupname> /add

Adding a user to a group

net localgroup <groupname> <username> /add

Adding a user to the telnet users group

net user <username> <password> /add
net localgroup TelnetClients /add
net localgroup TelnetClients <username> /add

Adding a user to the terminal services group
<pre>net localgroup "Remote Desktop Users" <username> /add

List administrators
<pre>net localgroup administrators

Add an administrator

net user <username> %lt;password> /add
net localgroup administrators <username> /add

Remove a user from a group

net localgroup <group> <username> /del

Delete a user

net user <username> /del

Firewall interaction

Help

netsh /?

Show config

netsh firewall show config

Open a specific port

netsh firewall add portopening protocol = <TCP|UDP> port = <port> name = <comment> scope = custom addresses = <address/CIDR>

Remove the port opening

netsh firewall del portopening protocol = <TCP|UDP> port = <port>

Disable the firewall completely (bad idea)

netsh firewall set opmode disable

Opening the firewall for telnet

netsh firewall add portopening protocol = TCP port = 23 name = telnet mode = enable scope = custom addresses = <address>

Opening the firewall for terminal services

netsh firewall set service type = remotedesktop mode = enable scope = custom addresses = <address>

Opening the firewall for SSH

netsh firewall add portopening protocol = TCP port = 22 name = sshd mode = enable scope = custom addresses = <address>

Firewall interaction

Opening the firewall for telnet

netsh firewall add portopening protocol = TCP port = 23 name = telnet mode = enable scope = custom addresses = <address>

Opening the firewall for terminal services

netsh firewall set service type = remotedesktop mode = enable scope = custom addresses = <address>

Opening the firewall for SSH

netsh firewall add portopening protocol = TCP port = 22 name = sshd mode = enable scope = custom addresses = <address>

Registry interaction

Query a key

reg query <keyname>

Adding a key

reg add <keyname> /v <valuename> /t <type> /d <data>

Export data

reg export <keyname> <filename.reg>

Import data

reg import <filename.reg>

Enabling terminal services

reg add "hklm\system\currentcontrolset\control\terminal server" /v fdenytsconnections /t reg_dword /d 0

netstat

Finding a port

netstat -an | find "<port>"

ipconfig

Dump the DNS cache

ipconfig /displaydns

arp

Dump the ARP cache

arp -a

Looping

/L loop

for /L %i in (<start>,<step>,<stop>) do <command>

Counting

for /L %i in (1,1,255) do @echo %i

Ping scanning

for /L %i in (1,1,255) do @echo 10.10.10.%i & @ping -n 5 10.10.10.%i | find "Reply"

DNS bruteforce

for /L %i in (1,1,255) do @nslookup 10.10.10.%i 2>nul | find "Name" && echo 10.10.10.%i

/F loop

for /F ["<options>"] %i in (<stuff>) do <command>

Looping through passwords

for /F %i in (password.lst) do @echo %i & @net use \\<target> %i /u:<username> 2>nul && pause

Portscanning from a file

for /F %i in (ports.txt) do @nc -n -vv -w3 10.10.10.50 %i