Windows Commands
Recon
nslookup
- Types of record: NS, A, HINFO, MX, TXT, CNAME, SOA, RP, PTR, SRV
nslookup <site>
- Interactive mode:
nslookup
> [name or ip]
> server [server ip]
> set type=any
> ls -d [target_domain] [> filename]
> view [filename]
- No recurse:
> set norecurse
> set recurse
Scanning
tracert
Parameters
- -d -- don't resolve names
- -h <N> -- max number of hops (default 30)
- -j <hostlist> -- use loose source routing
- -w <N> -- wait <N> ms for each reply before timing out (default 4000)
Null session
- Establishing a null session
net use \\<target> "" /u:""
- Pulling credentials
enum -U <target>
enum -G <target>
- user2sid
- Outputs in the form S-X-Y-target_sid-RID
user2sid \\<target> <machine_name>
- sid2user
- Requires spaces instead of dashes
sid2user \\<target> 5 <target_sid> <N>
for /L %i in (1000, 1, 1050) do @sid2user \\<target> 5 <target_sid> %i
Exploitation
Finding client-side programs
dir /s "c:\Program Files"
dir /s /b "c:\Program Files\*.exe"
Service interaction
sc query
Starting telnet
sc query tlntsvr
sc config tlntsvr start= auto
sc start tlntsvr
Starting terminal services
sc query termservice
sc config termservice start= auto
sc start termservice
Users and groups
Listing users
net user
Creating a user
net user <username> <password> /add
Listing groups
net localgroup
Creating a group
net localgroup <groupname> /add
Adding a user to a group
net localgroup <groupname> <username> /add
Adding a user to the telnet users group
net user <username> <password> /add
net localgroup TelnetClients /add
net localgroup TelnetClients <username> /add
Adding a user to the terminal services group
net localgroup "Remote Desktop Users" <username> /add
Firewall interaction
Opening the firewall for telnet
netsh firewall add portopening protocol = TCP port = 23 name = telnet mode = enable scope = custom addresses = <address>
Opening the firewall for terminal services
netsh firewall set service type = remotedesktop mode = enable scope = custom addresses = <address>
Opening the firewall for SSH
netsh firewall add portopening protocol = TCP port = 22 name = sshd mode = enable scope = custom addresses = <address>
Registry interaction
Enabling terminal services
reg add "hklm\system\currentcontrolset\control\terminal server" /v fdenytsconnections /t reg_dword /d 0
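Auditing for these changes (added example, not part of the original page): the PowerShell script below checks a host for exactly the footprint the Users and groups, Firewall interaction and Registry interaction sections leave behind: tlntsvr/termservice set to auto-start, unexpected members in TelnetClients or "Remote Desktop Users", inbound allow rules for TCP 22/23, and fDenyTSConnections cleared. The $expected allow-list is an assumption to fill in for your own environment; the cmdlets used are the standard Get-Service, Get-LocalGroupMember, Get-NetFirewallRule/Get-NetFirewallPortFilter and Get-ItemProperty.

```powershell
# Added defensive audit (not from the original page). Run in an elevated
# PowerShell 5.1+ session; each finding maps to one change described above.
$findings = @()

# 1. Services the cheat sheet enables: Telnet (tlntsvr) and Terminal Services (termservice)
foreach ($svc in 'tlntsvr', 'termservice') {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    if ($s -and $s.StartType -eq 'Automatic') {
        $findings += "Service $svc is set to auto-start (status: $($s.Status))"
    }
}

# 2. Group membership of TelnetClients and "Remote Desktop Users".
#    $expected is an assumption: list the accounts you actually approve (e.g. 'HOST\alice').
$expected = @{ 'TelnetClients' = @(); 'Remote Desktop Users' = @() }
foreach ($grp in $expected.Keys) {
    $members = Get-LocalGroupMember -Group $grp -ErrorAction SilentlyContinue
    foreach ($m in $members) {
        if ($expected[$grp] -notcontains $m.Name) {
            $findings += "Unexpected member '$($m.Name)' in group '$grp'"
        }
    }
}

# 3. Enabled inbound allow rules for the ports the page opens (23 = telnet, 22 = sshd);
#    rules added with the legacy "netsh firewall" command show up here as well.
$rules = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True -ErrorAction SilentlyContinue
foreach ($r in $rules) {
    $pf = $r | Get-NetFirewallPortFilter
    if ($pf.Protocol -eq 'TCP' -and ($pf.LocalPort -contains '22' -or $pf.LocalPort -contains '23')) {
        $findings += "Inbound allow rule '$($r.DisplayName)' opens TCP $($pf.LocalPort -join ',')"
    }
}

# 4. The registry value the page sets to 0 to enable Terminal Services
$ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -ErrorAction SilentlyContinue
if ($ts -and $ts.fDenyTSConnections -eq 0) {
    $findings += 'fDenyTSConnections is 0: Remote Desktop connections are allowed'
}

if ($findings) { $findings | ForEach-Object { Write-Output "[!] $_" } }
else { Write-Output 'No findings.' }
```

A finding is not proof of compromise; compare it against your change records, since an administrator may have enabled RDP or opened port 22 deliberately.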
netstat
Finding a port
netstat -an | find "<port>"