Difference between revisions of "Windows Commands"

From SkullSecurity
Revision as of 16:53, 15 July 2008

Recon

nslookup

  • Types of record: NS, A, HINFO, MX, TXT, CNAME, SOA, RP, PTR, SRV
nslookup <site>
  • Interactive mode:
nslookup
> [name or ip]
> server [server ip]
> set type=any
> ls -d [target_domain] [> filename]
> view [filename]
  • No recurse:
> set norecurse
> set recurse
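The defender-side counterpart to the interactive session above, as an added example that is not part of the original page: "ls -d <zone>" is a zone transfer (AXFR) request, and whether it succeeds from an arbitrary client is decided by the zone's transfer setting on the server. This script lists that setting for every primary zone on a Windows DNS server. It assumes the DnsServer PowerShell module (RSAT or the DNS Server role) is installed and that the session may query the server given in $ComputerName; the function name is this example's own.

```powershell
# Added example (not from the SkullSecurity page). Lists which primary zones on a
# Windows DNS server would answer a zone listing ("ls -d <zone>" in nslookup,
# i.e. an AXFR) from any client. Requires the DnsServer module.
function Get-ZoneTransferExposure {
    param([string]$ComputerName = 'localhost')   # assumption: local server by default

    Get-DnsServerZone -ComputerName $ComputerName |
        Where-Object { -not $_.IsAutoCreated -and $_.ZoneType -eq 'Primary' } |
        ForEach-Object {
            # SecureSecondaries is one of: NoTransfer, TransferAnyServer,
            # TransferToZoneNameServer, TransferToSecureServers. Only the
            # second one lets an arbitrary host pull the whole zone.
            [pscustomobject]@{
                Zone              = $_.ZoneName
                SecureSecondaries = $_.SecureSecondaries
                SecondaryServers  = ($_.SecondaryServers -join ', ')
                Exposed           = ($_.SecureSecondaries -eq 'TransferAnyServer')
            }
        }
}

# Usage: show every primary zone and flag the ones open to any requester.
Get-ZoneTransferExposure | Sort-Object Exposed -Descending | Format-Table -AutoSize
```

A zone whose Exposed column is True is the one for which the "ls -d" listing in the section above returns the full record set; the other three values restrict transfers to named or secure secondaries, or refuse them outright.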

Scanning

tracert

Parameters

  • -d -- don't resolve names
  • -h <N> -- max number of hops (default 30)
  • -j <hostlist> -- use loose source routing
  • -w <N> -- wait N ms for each reply before timing out (default 4000)

Null session

  • Establishing a null session
net use \\<target> "" /u:""
  • Pulling credentials
enum -U <target>
enum -G <target>
  • user2sid
    • Outputs in the form S-X-Y-target_sid-RID
user2sid \\<target> <machine_name>
  • sid2user
    • Requires spaces instead of dashes
sid2user \\<target> 5 <target_sid> <N>
for /L %i in (1000, 1, 1050) do @sid2user \\<target> 5 <target_sid> %i
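As an added example that is not part of the original page or of the enum/user2sid/sid2user tools, this is what a defender checks against the null-session and SID-lookup commands above: which anonymous-access controls the host enforces, what a null session looks like in the Security log, and how to read the S-X-Y-target_sid-RID form that user2sid returns (which also explains why sid2user wants the same value with spaces instead of dashes). The registry values, event ID and event fields are the standard Windows ones; the function names and the sample SID are this example's own.

```powershell
# Added example (not from the SkullSecurity page). Run in an elevated PowerShell
# session on the host being audited.

# 1. Anonymous-enumeration controls on this host.
#    RestrictAnonymous / RestrictAnonymousSAM / EveryoneIncludesAnonymous live under
#    HKLM\SYSTEM\CurrentControlSet\Control\Lsa; the pipe and share allow-lists for
#    null sessions live under the LanmanServer parameters key.
function Get-NullSessionPosture {
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $srv = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    [pscustomobject]@{
        RestrictAnonymous         = $lsa.RestrictAnonymous           # 1 blocks anonymous enumeration of accounts and shares
        RestrictAnonymousSAM      = $lsa.RestrictAnonymousSAM        # 1 blocks anonymous SAM account lookups
        EveryoneIncludesAnonymous = $lsa.EveryoneIncludesAnonymous   # 0 keeps Anonymous out of the Everyone group
        NullSessionPipes          = ($srv.NullSessionPipes -join ', ')   # pipes reachable over a null session
        NullSessionShares         = ($srv.NullSessionShares -join ', ') # shares reachable over a null session
    }
}

# 2. Log evidence of null sessions: event 4624 with logon type 3 (network) and
#    the account ANONYMOUS LOGON. Results are grouped by source address; baseline
#    first, since some legacy services also produce these events.
function Get-AnonymousNetworkLogons {
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data['LogonType'] -eq '3' -and $data['TargetUserName'] -eq 'ANONYMOUS LOGON') {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Source      = $data['IpAddress']
                Workstation = $data['WorkstationName']
            }
        }
    } | Group-Object Source | Sort-Object Count -Descending |
        Select-Object @{ n = 'Source'; e = { $_.Name } }, Count,
                      @{ n = 'FirstSeen'; e = { ($_.Group | Measure-Object Time -Minimum).Minimum } }
}

# 3. Reading a SID. "S-1-5-21-A-B-C-RID" is revision 1, identifier authority 5,
#    sub-authorities 21 A B C, and a relative identifier (RID). sid2user takes the
#    authority and sub-authorities as separate arguments, hence "5 21 A B C <N>".
function ConvertFrom-Sid {
    param([Parameter(Mandatory)][string]$Sid)
    if ($Sid -notmatch '^S-\d+-\d+(-\d+){2,}$') { throw "Expected a SID with a RID, got: $Sid" }
    $p   = $Sid.Split('-')          # S, revision, authority, sub-authorities..., RID
    $rid = [int]$p[-1]
    $label = switch ($rid) {
        500     { 'built-in Administrator' }
        501     { 'built-in Guest' }
        502     { 'krbtgt' }
        512     { 'Domain Admins' }
        513     { 'Domain Users' }
        519     { 'Enterprise Admins' }
        default { if ($rid -ge 1000) { 'user-created account or group' } else { 'other well-known RID' } }
    }
    [pscustomobject]@{
        Revision       = [int]$p[1]
        Authority      = [int]$p[2]
        SubAuthorities = @($p[3..($p.Count - 2)] | ForEach-Object { [int]$_ })
        Rid            = $rid
        RidMeaning     = $label
        Sid2UserForm   = ($p[2..($p.Count - 1)] -join ' ')   # the spaces-instead-of-dashes form
    }
}

# Usage
Get-NullSessionPosture
Get-AnonymousNetworkLogons -Hours 24 | Format-Table -AutoSize
ConvertFrom-Sid 'S-1-5-21-111-222-333-500'   # constructed sample SID; RidMeaning is "built-in Administrator"
```

The RID labels are the fixed well-known values (500 Administrator, 501 Guest, 512 Domain Admins and so on); RIDs from 1000 upward are assigned to accounts and groups created after installation, which is why the for /L loop above starts at 1000.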