Difference between revisions of "Windows Commands"
Revision as of 16:53, 15 July 2008
Recon
nslookup
- Types of record: NS, A, HINFO, MX, TXT, CNAME, SOA, RP, PTR, SRV
nslookup <site>
- Interactive mode (each line is typed at the nslookup ">" prompt):
nslookup
> [name or ip]
> server [server ip]
> set type=any
> ls -d [target_domain] [> filename]
> view [filename]
- ls -d asks the server for a full zone transfer (AXFR); properly configured name servers refuse it from arbitrary hosts, so a refusal means the zone is protected, not that it is empty
- No recurse (the server answers only from its own zones and cache instead of querying upstream on your behalf; set recurse turns recursion back on):
> set norecurse
> set recurse
Scanning
tracert
Parameters
- -d -- don't resolve names
- -h <N> -- max number of hops (default 30)
- -j <hostlist> -- use loose source routing
- -w <N> -- wait N ms for each reply before timing out (default 4000)
Null session
- Establishing a null session (an anonymous connection to the IPC$ share; anonymous enumeration is blocked by default from Windows XP / Server 2003 onward via RestrictAnonymous, so expect this to work only against older or misconfigured hosts)
net use \\<target>\IPC$ "" /u:""
- Enumerating users and groups over the null session (enum.exe: -U lists user accounts, -G lists groups and their members; this yields names, not credentials)
enum -U <target>
enum -G <target>
- user2sid
- Resolves a name to its SID. For an account the output has the form S-1-5-21-<target_sid>-<RID>, where the last component is the RID; for the machine or domain name itself the output is the bare machine/domain SID without a trailing RID
user2sid \\<target> <machine_name>
- sid2user
- Takes the SID as space-separated components with the leading "S-1-" dropped: 5 is the identifier authority, then the sub-authorities, then the RID to resolve
sid2user \\<target> 5 <target_sid> <N>
- Sweeping RIDs enumerates accounts even when the user list is hidden: 500 is the built-in Administrator (the RID stays 500 even if the account is renamed), 501 is Guest, and ordinary accounts start at 1000. Inside a .bat file write %%i instead of %i
for /L %i in (1000, 1, 1050) do @sid2user \\<target> 5 <target_sid> %i
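The SID bookkeeping in the user2sid / sid2user steps (turning the dashed SID into the space-separated form, stripping the RID, building the sweep) is easy to get wrong by hand. The Python below is an added example written for this page; it is not code from the wiki and not the code of the user2sid or sid2user tools. The SID value and the target name TARGET are constructed placeholders. It also goes slightly beyond the page: it converts between the text SID and the binary layout Windows stores (the objectSid attribute in Active Directory, security descriptors), which is the same structure the tools print.

```python
"""SID helpers for the null-session / RID-cycling procedure.

Added example for this page; not the wiki's own code and not the code of
user2sid/sid2user. The SID and the target name are constructed placeholders.
"""
import struct

# RIDs worth resolving before the 1000+ sweep (constructed, not exhaustive).
WELL_KNOWN_RIDS = {
    500: "Administrator (RID is fixed even if the account is renamed)",
    501: "Guest",
    502: "krbtgt (domain controllers only)",
    512: "Domain Admins",
    513: "Domain Users",
}


def parse_sid(sid):
    """Split 'S-1-5-21-a-b-c-500' into (revision, authority, [sub-authorities])."""
    parts = sid.upper().split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID: %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    # Revision is always 1; authority is a 48-bit value; at most 15 sub-authorities.
    if revision != 1 or not 0 <= authority < 2 ** 48 or len(subs) > 15:
        raise ValueError("malformed SID: %r" % sid)
    return revision, authority, subs


def sid2user_args(sid):
    """sid2user wants the components space-separated without the 'S-1-' prefix:
    S-1-5-21-a-b-c-500 -> '5 21 a b c 500'."""
    _, authority, subs = parse_sid(sid)
    return " ".join(str(x) for x in [authority] + subs)


def machine_sid(account_sid):
    """Drop the trailing RID; what remains identifies the machine or domain."""
    rev, auth, subs = parse_sid(account_sid)
    return "S-%d-%d" % (rev, auth) + "".join("-%d" % s for s in subs[:-1])


def rid_cycle_commands(target, domain_sid, start=1000, stop=1050, extra=(500, 501)):
    """One sid2user invocation per RID, equivalent to the for /L loop above,
    with the well-known RIDs in `extra` tried first."""
    base = sid2user_args(domain_sid)
    rids = list(extra) + list(range(start, stop + 1))
    return ["sid2user \\\\%s %s %d" % (target, base, rid) for rid in rids]


def sid_to_bytes(sid):
    """Binary SID layout: revision (1 byte), sub-authority count (1 byte),
    identifier authority (48-bit big-endian), then each sub-authority as a
    32-bit little-endian integer. This is the form stored in objectSid."""
    rev, auth, subs = parse_sid(sid)
    return (bytes([rev, len(subs)]) + auth.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def bytes_to_sid(data):
    """Inverse of sid_to_bytes, with a length check so a truncated blob
    raises instead of silently producing a shorter SID."""
    rev, count = data[0], data[1]
    if len(data) != 8 + 4 * count:
        raise ValueError("truncated or oversized SID blob")
    auth = int.from_bytes(data[2:8], "big")
    subs = struct.unpack("<%dI" % count, data[8:])
    return "S-%d-%d" % (rev, auth) + "".join("-%d" % s for s in subs)


if __name__ == "__main__":
    # Constructed example: the SID user2sid might print for the target's Guest account.
    guest = "S-1-5-21-1085031214-1563985344-725345543-501"
    base = machine_sid(guest)
    print("machine SID:", base)
    for cmd in rid_cycle_commands("TARGET", base, 1000, 1005):
        print(cmd)
    print(sid_to_bytes("S-1-5-32-544").hex())
```

Paste the printed sid2user lines into a cmd prompt against the target, or hand the machine SID to the for /L loop above; the binary conversion is what you need when the SID comes from an LDAP dump or a security descriptor rather than from user2sid.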