Windows Commands
Revision as of 14:45, 18 July 2008
Recon
nslookup
- Types of record: NS, A, HINFO, MX, TXT, CNAME, SOA, RP, PTR, SRV
nslookup <site>
- Interactive mode (ls -d asks the server for a zone transfer, which only works if the server permits AXFR from your address):
nslookup
> [name or ip]
> server [server ip]
> set type=any
> ls -d [target_domain] [> filename]
> view [filename]
- Disable / re-enable recursion (only ask the current server, don't let it query others):
> set norecurse
> set recurse
Scanning
tracert
Parameters
- -d -- don't resolve names
- -h <N> -- max number of hops (default 30)
- -j <hostlist> -- use loose source routing
- -w <N> -- wait N ms for each reply before timing out (default 4000)
SMB session
Establishing a null session
net use \\<target> "" /u:""
Establishing an authenticated session
net use \\<target> <password> /u:<username>
Mount a share
- * assigns the next free drive letter; give a letter (e.g. z:) instead to pick one
net use * \\<target>\<share> <password> /u:<username>
net use * \\<target>\<share> <password> /u:<machinename>\<username>
net use * \\<target>\c$ <password> /u:<username>
Dropping SMB sessions
net use \\<target> /del
Dropping all SMB sessions (bad idea)
net use * /del
Pulling credentials (w/ SMB session)
Pulling credentials
enum -U <target>
enum -G <target>
user2sid
- Outputs in the form S-X-Y-target_sid-RID
user2sid \\<target> <machine_name>
sid2user
- Requires spaces instead of dashes
sid2user \\<target> 5 <target_sid> <N>
for /L %i in (1000, 1, 1050) do @sid2user \\<target> 5 <target_sid> %i
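The user2sid / sid2user steps above as one batch script (an added example, not from the original page): it resolves the target's SID from a known name, converts it to the spaced form sid2user expects, and walks a RID range printing every account it finds. Assumed: user2sid.exe and sid2user.exe are in %PATH%, a null or authenticated SMB session to the target is already open, and the SID has the usual S-1-5-21-A-B-C(-RID) shape; the script name ridenum.cmd and its arguments are this example's own. Inside a batch file loop variables are written %%r rather than %r as on the command line.

```batch
@echo off
REM ridenum.cmd - walk a RID range on a target with sid2user (added example, not from the page).
REM Assumes: user2sid.exe and sid2user.exe are in PATH, and a null or authenticated SMB
REM session to the target already exists (net use \\<target> "" /u:"").
REM Usage: ridenum.cmd <target> <machine_or_account_name> [first_rid] [last_rid]
setlocal
set target=%1
set known=%2
set first=%3
set last=%4
if "%target%"=="" goto usage
if "%known%"=="" goto usage
if "%first%"=="" set first=500
if "%last%"=="" set last=1100

REM user2sid prints the SID on its own line, e.g. S-1-5-21-1111111111-2222222222-3333333333-500
REM (for the machine name it is the domain SID without a trailing RID). Keep that line only.
set sid=
for /F "tokens=1" %%s in ('user2sid \\%target% %known% 2^>nul ^| find "S-1-5-"') do set sid=%%s
if "%sid%"=="" (
    echo Could not resolve a SID for %known% on %target%
    exit /b 1
)

REM sid2user wants the sub-authorities as space-separated numbers after the authority (5):
REM strip the S-1-5- prefix, then keep the four sub-authorities that identify the machine/domain.
REM A trailing RID (token 5) is dropped, which is why an account name works as input too.
set rest=%sid:S-1-5-=%
for /F "tokens=1-4 delims=-" %%a in ("%rest%") do set domsid=%%a %%b %%c %%d
echo Domain SID: S-1-5-%domsid: =-%
echo RID   Account

REM sid2user prints "Name is <account>" for every RID that exists; unused RIDs produce an
REM error that find filters out. tokens=3* keeps the account name plus any remainder.
for /L %%r in (%first%,1,%last%) do (
    for /F "tokens=3*" %%n in ('sid2user \\%target% 5 %domsid% %%r 2^>nul ^| find "Name is"') do echo %%r   %%n %%o
)
exit /b 0

:usage
echo Usage: %~nx0 ^<target^> ^<machine_or_account_name^> [first_rid] [last_rid]
exit /b 1
```

Run it as `ridenum.cmd <target> <machinename>` after establishing the null session; RID 500 is always the built-in Administrator (even when renamed) and 501 the Guest account, so the default range starts there and then covers the first locally created accounts (1000 upwards).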
Exploitation
Finding client-side programs
dir /s "c:\Program Files"
dir /s /b "c:\Program Files\*.exe"
Service interaction
List running services
sc query
List all services
sc query state= all
List all service names
sc query state= all | find "SERVICE_NAME"
Query service information
sc query <servicename>
sc qc <servicename>
Start a service
sc config <servicename> start= demand
sc start <servicename>
- The space after "start=" is required
Starting telnet
sc query tlntsvr
sc config tlntsvr start= demand
sc start tlntsvr
Starting terminal services
sc query termservice
sc config termservice start= demand
sc start termservice
Variables
Finding environmental variables
set
Finding a specific variable
set <variable>
echo %<variable>%
set username
set path
set systemroot
echo %systemroot%
cd %systemroot%
etc.
Users and groups
Listing users
net user
Creating a user
net user <username> <password> /add
Listing groups
net localgroup
Creating a group
net localgroup <groupname> /add
Adding a user to a group
net localgroup <groupname> <username> /add
Adding a user to the telnet users group
net user <username> <password> /add
net localgroup TelnetClients /add
net localgroup TelnetClients <username> /add
Adding a user to the terminal services group
net localgroup "Remote Desktop Users" <username> /add
List administrators
net localgroup administrators
Add an administrator
net user <username> <password> /add
net localgroup administrators <username> /add
Remove a user from a group
net localgroup <group> <username> /del
Delete a user
net user <username> /del
Firewall interaction
Help
netsh /?
Show config
netsh firewall show config
Open a specific port
netsh firewall add portopening protocol = <TCP|UDP> port = <port> name = <comment> scope = custom addresses = <address/CIDR>
Remove the port opening
netsh firewall del portopening protocol = <TCP|UDP> port = <port>
Disable the firewall completely (bad idea)
netsh firewall set opmode disable
Opening the firewall for telnet
netsh firewall add portopening protocol = TCP port = 23 name = telnet mode = enable scope = custom addresses = <address>
Opening the firewall for terminal services
netsh firewall set service type = remotedesktop mode = enable scope = custom addresses = <address>
Opening the firewall for SSH
netsh firewall add portopening protocol = TCP port = 22 name = sshd mode = enable scope = custom addresses = <address>
Registry interaction
Query a key
reg query <keyname>
Adding a key
reg add <keyname> /v <valuename> /t <type> /d <data>
Export data
reg export <keyname> <filename.reg>
Import data
reg import <filename.reg>
Enabling terminal services
reg add "hklm\system\currentcontrolset\control\terminal server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
- The value already exists, so /f is needed to overwrite it without the "Value exists, overwrite?" prompt
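The page's terminal services steps (registry value, service start type, a dedicated account in Remote Desktop Users, firewall exception limited to one address range) gathered into one script, as an added example that is not part of the original page. It assumes an administrative command prompt on a host that still has the legacy "netsh firewall" context used throughout this page; the script name enable_rdp.cmd and its three arguments are this example's own.

```batch
@echo off
REM enable_rdp.cmd - enable Remote Desktop for one account from one address range
REM (added example, not from the original page). Assumes an administrative prompt and
REM the legacy "netsh firewall" context.
REM Usage: enable_rdp.cmd <username> <password> <address/CIDR allowed to connect>
setlocal
set user=%1
set pass=%2
set allowed=%3
if "%allowed%"=="" (
    echo Usage: %~nx0 ^<username^> ^<password^> ^<address/CIDR^>
    exit /b 1
)

REM 1. Registry: clear fDenyTSConnections so the service accepts connections. /f overwrites
REM    the existing value without the "Value exists, overwrite?" prompt.
reg add "hklm\system\currentcontrolset\control\terminal server" /v fDenyTSConnections /t REG_DWORD /d 0 /f || exit /b 1

REM 2. Service: make TermService start on demand and start it now. sc start fails harmlessly
REM    if it is already running, so check the state with sc query instead of the exit code.
sc config termservice start= demand >nul || exit /b 1
sc start termservice >nul 2>&1
sc query termservice | find "RUNNING" >nul || (echo TermService is not running & exit /b 1)

REM 3. Account: create the user and put it in Remote Desktop Users, not Administrators.
net user %user% %pass% /add >nul || exit /b 1
net localgroup "Remote Desktop Users" %user% /add >nul || exit /b 1

REM 4. Firewall: enable the built-in Remote Desktop exception for the given scope only,
REM    instead of opening 3389 to everyone or disabling the firewall.
netsh firewall set service type = remotedesktop mode = enable scope = custom addresses = %allowed% || exit /b 1

echo Remote Desktop enabled for %user% from %allowed%
REM Show the resulting service exceptions so the custom scope can be checked.
netsh firewall show service
exit /b 0
```

Each step exits on failure so a half-configured host (service running but no firewall scope, or the reverse) is noticed immediately; the order matters too, since the firewall exception is only opened once the account and service are in place.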
netstat
Finding a port
netstat -an | find ":<port>"
- The leading colon avoids matching the number inside an address or another port
ipconfig
Dump the DNS cache
ipconfig /displaydns
arp
Dump the ARP cache
arp -a
Looping
/L loop
for /L %i in (<start>,<step>,<stop>) do <command>
Counting
for /L %i in (1,1,255) do @echo %i
Ping scanning
for /L %i in (1,1,255) do @echo 10.10.10.%i & @ping -n 5 10.10.10.%i | find "Reply"
Reverse DNS sweep (PTR lookup of every address, printing the ones that resolve)
for /L %i in (1,1,255) do @nslookup 10.10.10.%i 2>nul | find "Name" && echo 10.10.10.%i
/F loop
for /F ["<options>"] %i in (<stuff>) do <command>
Looping through passwords
for /F %i in (password.lst) do @echo %i & @net use \\<target> %i /u:<username> 2>nul && pause
Portscanning from a file
for /F %i in (ports.txt) do @nc -n -vv -w3 -z 10.10.10.50 %i
- -z only tests whether the port accepts a connection; without it nc would stop and wait for input on the first open port
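The /F loop's options ("tokens", "delims" and the variable substitution syntax) are what turn command output into something the next loop can use. As an added example, not from the original page, the following script parses netstat -an for listening TCP ports and writes them one per line, which is exactly the ports.txt format the nc loop above reads. It needs nothing beyond netstat.exe, find.exe and findstr.exe; the script name listening.cmd is this example's own.

```batch
@echo off
REM listening.cmd - list local listening TCP ports with for /F tokens and delims
REM (added example, not from the original page). Writes one port per line to the file
REM named on the command line, default ports.txt, for use with:
REM   for /F %%i in (ports.txt) do @nc -n -vv -w3 -z <target> %%i
setlocal enabledelayedexpansion
set outfile=%1
if "%outfile%"=="" set outfile=ports.txt
if exist "%outfile%" del "%outfile%"

REM netstat -an lines look like this, columns separated by whitespace:
REM   TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
REM   TCP    [::]:445               [::]:0                 LISTENING
REM tokens=2 picks the local address column; the default delims, space and tab, split columns.
for /F "tokens=2" %%a in ('netstat -an ^| find "LISTENING"') do (
    set addr=%%a
    set port=%%a
    REM The port follows the last colon; :lastfield strips up to the first colon until none
    REM is left, which also handles IPv6 local addresses such as the second sample line.
    call :lastfield
    echo !addr! listens on !port!
    REM Append the port only if not already written, since one port may be bound on several addresses.
    findstr /x "!port!" "%outfile%" >nul 2>&1 || >>"%outfile%" echo !port!
)
echo Ports written to %outfile%:
type "%outfile%"
exit /b 0

:lastfield
REM Compare the string with itself minus all colons; when equal, no colon remains.
if "!port!"=="!port::=!" goto :eof
REM The asterisk form of substitution removes everything up to and including the first colon.
set port=!port:*:=!
goto lastfield
```

The same tokens/delims mechanics apply to any column-oriented output (sc query, net user, the ping loop's "Reply from" lines); "skip=N" drops header lines and "usebackq" lets the file name in parentheses contain spaces when it is quoted.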