diff --git a/pivoting/windows/windows_cmd_network.md b/pivoting/windows/windows_cmd_network.md index 18f9f1d..fa3e6db 100644 --- a/pivoting/windows/windows_cmd_network.md +++ b/pivoting/windows/windows_cmd_network.md @@ -11,252 +11,11 @@ return false; # Windows CMD Network Commands -The Windows commands below will help you gather information about the victim system's network connections, devices and capabilities and are usually executed from the context of the `cmd.exe` or `command.exe` prompt. - -## ipconfig -### Retrieve Local DNS Cache Info - * **Command with arguments**: `ipconfig /displaydns` - * **Description**: Displays the system's local DNS cache. - * **Output**: - *
C:\Users\johndoe>ipconfig /displaydns
Windows IP Configuration
- 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa
- ----------------------------------------
Record Name . . . . . : 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa.
- Record Type . . . . . : 12
- Time To Live . . . . : 86400
- Data Length . . . . . : 4
- Section . . . . . . . : Answer
- PTR Record . . . . . : localhost
- 1.0.0.127.in-addr.arpa
- ----------------------------------------
Record Name . . . . . : 1.0.0.127.in-addr.arpa.
- Record Type . . . . . : 12
- Time To Live . . . . : 86400
- Data Length . . . . . : 4
- Section . . . . . . . : Answer
- PTR Record . . . . . : localhost
- _ldap._tcp.default-first-site-name._sites.win-0p19ull2nb6.lab.sky.net
- ----------------------------------------
Name does not exist.
- _ldap._tcp.win-0p19ull2nb6.lab.sky.net
- ----------------------------------------
Name does not exist.
- localhost
- ----------------------------------------
Record Name . . . . . : localhost
- Record Type . . . . . : 1
- Time To Live . . . . : 86400
- Data Length . . . . . : 4
- Section . . . . . . . : Answer
- A (Host) Record . . . : 127.0.0.1
- localhost
- ----------------------------------------
Record Name . . . . . : localhost
- Record Type . . . . . : 28
- Time To Live . . . . : 86400
- Data Length . . . . . : 16
- Section . . . . . . . : Answer
- AAAA Record . . . . . : ::1
-C:\Users\jondoe>ipconfig /all
-Windows IP Configuration
- Host Name . . . . . . . . . . . . : WIN-0P19ULL2NB6
- Primary Dns Suffix . . . . . . . : lab.sky.net
- Node Type . . . . . . . . . . . . : Hybrid
- IP Routing Enabled. . . . . . . . : No
- WINS Proxy Enabled. . . . . . . . : No
- DNS Suffix Search List. . . . . . : lab.sky.net
- sky.net
-Ethernet adapter Local Area Connection:
- Connection-specific DNS Suffix . :
- Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
- Physical Address. . . . . . . . . : 00-0C-29-9A-E2-26
- DHCP Enabled. . . . . . . . . . . : No
- Autoconfiguration Enabled . . . . : Yes
- Link-local IPv6 Address . . . . . : fe80::11bc:e019:25e5:916d%10(Preferred)
- IPv4 Address. . . . . . . . . . . : 192.168.10.34(Preferred)
- Subnet Mask . . . . . . . . . . . : 255.255.255.0
- Default Gateway . . . . . . . . . : 192.168.10.1
- DHCPv6 IAID . . . . . . . . . . . : 234884137
- DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-19-E6-78-04-00-0C-29-9A-E2-26
- DNS Servers . . . . . . . . . . . : ::1
- 127.0.0.1
- NetBIOS over Tcpip. . . . . . . . : Enabled
-Tunnel adapter Local Area Connection* 8:
- Media State . . . . . . . . . . . : Media disconnected
- Connection-specific DNS Suffix . :
- Description . . . . . . . . . . . : isatap.{DDE3DF3D-3417-4EBF-BF66-73BD3A64FF26}
- Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
- DHCP Enabled. . . . . . . . . . . : No
- Autoconfiguration Enabled . . . . : YesC:\Users\johndoe>arp -a
-Interface: 192.168.10.34 --- 0xa
- Internet Address Physical Address Type
- 192.168.10.255 ff-ff-ff-ff-ff-ff static
- 224.0.0.22 01-00-5e-00-00-16 static
- 224.0.0.252 01-00-5e-00-00-fc staticC:\Users\johndoe>wmic ntdomain list
-DomainGuid
-{CD5C2FE3-5AFE-459D-804E-A81B49066CAD}C:\Users\johndoe>net accounts
-Force user logoff how long after time expires?: Never
-Minimum password age (days): 1
-Maximum password age (days): 42
-Minimum password length: 7
-Length of password history maintained: 24
-Lockout threshold: Never
-Lockout duration (minutes): 30
-Lockout observation window (minutes): 30
-Computer role: PRIMARY
-The command completed successfully.C:\Users\johndoe>net group "domain admins"
-Group name Domain Admins
-Comment Designated administrators of the domain
-Members
--------------------------------------------------------------------------------
-Administrator
-The command completed successfully.C:\Users\johndoe>net localgroup administrators
-Alias name administrators
-Comment Administrators have complete and unrestricted access to the computer/domain
-Members
--------------------------------------------------------------------------------
-Administrator
-Domain Admins
-Enterprise Admins
-johndoe
-The command completed successfully.C:\Users\johndoe>net share
-Share name Resource Remark
--------------------------------------------------------------------------------
C$ C:\ Default share
-IPC$ Remote IPC
-ADMIN$ C:\Windows Remote Admin
-NETLOGON C:\Windows\SYSVOL\sysvol\lab.sky.net\SCRIPTS Logon server share
-SYSVOL C:\Windows\SYSVOL\sysvol Logon server share
-The command completed successfully.C:\Users\johndoe>net user
-User accounts for \\WIN-0P19ULL2NB6
--------------------------------------------------------------------------------
Administrator Guest johndoe
krbtgt
The command completed successfully. C:\Users\johndoe>net user johndoe
-User name johndoe
-Full Name John Doe
-Comment
-User's comment
-Country code 000 (System Default)
-Account active Yes
-Account expires Never
-Password last set 10/10/2013 8:57:02 PM
-Password expires 11/21/2013 8:57:02 PM
-Password changeable 10/11/2013 8:57:02 PM
-Password required Yes
-User may change password Yes
-Workstations allowed All
-Logon script
-User profile
-Home directory
-Last logon 10/15/2013 6:53:42 PM
-Logon hours allowed All
-Local Group Memberships \*Administrators \*Users
-Global Group memberships \*Domain Users
-The command completed successfully.C:\Users\johndoe>netsh diag show all
-Default Outlook Express Mail (Not Configured)
-Default Outlook Express News (Not Configured)
-Internet Explorer Web Proxy (Not Configured)
-Loopback (127.0.0.1)
-Computer System (OJ-75E3B8CC9475)
-Operating System (Microsoft Windows XP Professional)
-Version (5.1.2600)
-Modems
-Network Adapters
- 1. [00000001] VMware Accelerated AMD PCNet Adapter
- 2. [00000010] VMware Accelerated AMD PCNet Adapter
-Network Clients
- 1. VMware Shared Folders
- 2. Microsoft Terminal Services
- 3. Microsoft Windows Network
- 4. Web Client Network
-C:\Windows\system32>netstat -nabo |findstr /I 445
- TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
- TCP [::]:445 [::]:0 LISTENING 4
- UDP 0.0.0.0:62445 *:* 1756
- UDP 0.0.0.0:63445 *:* 1756
- UDP [::]:49445 *:* 1756
- UDP [::]:64445 *:* 1756
- UDP [::]:64450 *:* 1756
- UDP [::]:64451 *:* 1756C:\Users\johndoe>netstat -na | findstr :445
- TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
- TCP [::]:445 [::]:0 LISTENINGC:\Users\johndoe>netstat -nao | findstr /I listening
- TCP 0.0.0.0:88 0.0.0.0:0 LISTENING 592
- TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 908
- TCP 0.0.0.0:389 0.0.0.0:0 LISTENING 592
- TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
- TCP 0.0.0.0:464 0.0.0.0:0 LISTENING 592
- TCP 0.0.0.0:593 0.0.0.0:0 LISTENING 908
- TCP 0.0.0.0:636 0.0.0.0:0 LISTENING 592
- TCP 0.0.0.0:3268 0.0.0.0:0 LISTENING 592
- TCP 0.0.0.0:3269 0.0.0.0:0 LISTENING 592
- TCP 0.0.0.0:3389 0.0.0.0:0 LISTENING 1208
- TCP 0.0.0.0:49152 0.0.0.0:0 LISTENING 500
- TCP 0.0.0.0:49153 0.0.0.0:0 LISTENING 984
- TCP 0.0.0.0:49154 0.0.0.0:0 LISTENING 1056
- TCP 0.0.0.0:49156 0.0.0.0:0 LISTENING 592
- TCP 0.0.0.0:49157 0.0.0.0:0 LISTENING 592
- TCP 0.0.0.0:49158 0.0.0.0:0 LISTENING 592
- TCP 0.0.0.0:49161 0.0.0.0:0 LISTENING 1804
- TCP 0.0.0.0:49169 0.0.0.0:0 LISTENING 1756
- TCP 0.0.0.0:49170 0.0.0.0:0 LISTENING 580
- TCP 127.0.0.1:53 0.0.0.0:0 LISTENING 1756
- TCP 192.168.10.34:53 0.0.0.0:0 LISTENING 1756
- TCP 192.168.10.34:139 0.0.0.0:0 LISTENING 4
- TCP [::]:88 [::]:0 LISTENING 592
- TCP [::]:135 [::]:0 LISTENING 908
- TCP [::]:389 [::]:0 LISTENING 592
- TCP [::]:445 [::]:0 LISTENING 4
- TCP [::]:464 [::]:0 LISTENING 592
- TCP [::]:593 [::]:0 LISTENING 908
- TCP [::]:636 [::]:0 LISTENING 592C:\Windows\system32>netstat -nabo
-Active Connections
- Proto Local Address Foreign Address State PID
- TCP 0.0.0.0:88 0.0.0.0:0 LISTENING 592
- [lsass.exe]
- TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 908
- RpcSs
- [svchost.exe]
- TCP 0.0.0.0:389 0.0.0.0:0 LISTENING 592
- [lsass.exe]
- TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
- Can not obtain ownership information
-x: Windows Sockets initialization failed: 5
- TCP 0.0.0.0:464 0.0.0.0:0 LISTENING 592
- [lsass.exe]
- TCP 0.0.0.0:593 0.0.0.0:0 LISTENING 908
- RpcSs
- [svchost.exe]
- TCP 0.0.0.0:636 0.0.0.0:0 LISTENING 592
- [lsass.exe]
- TCP 0.0.0.0:3268 0.0.0.0:0 LISTENING 592
- [lsass.exe]
- TCP 0.0.0.0:3269 0.0.0.0:0 LISTENING 592
- [lsass.exe]
- TCP 0.0.0.0:3389 0.0.0.0:0 LISTENING 1208
- DnscacheC:\Users\johndoe>netstat -r
===========================================================================
Interface List
10 ...00 0c 29 9a e2 26 ...... Intel(R) PRO/1000 MT Network Connection
1 ........................... Software Loopback Interface 1
12 ...00 00 00 00 00 00 00 e0 isatap.{DDE3DF3D-3417-4EBF-BF66-73BD3A64FF26}
11 ...02 00 54 55 4e 01 ...... Teredo Tunneling Pseudo-Interface
===========================================================================
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.10.1 192.168.10.34 266
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
192.168.10.0 255.255.255.0 On-link 192.168.10.34 266
192.168.10.34 255.255.255.255 On-link 192.168.10.34 266
192.168.10.255 255.255.255.255 On-link 192.168.10.34 266
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 192.168.10.34 266
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 192.168.10.34 266
===========================================================================
Persistent Routes:
Network Address Netmask Gateway Address Metric
0.0.0.0 0.0.0.0 192.168.10.1 Default
===========================================================================
IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
1 306 ::1/128 On-link
10 266 fe80::/64 On-link
10 266 fe80::11bc:e019:25e5:916d/128
On-link
1 306 ff00::/8 On-link
10 266 ff00::/8 On-link
===========================================================================
Persistent Routes:
NoneC:\Users\johndoe>ipconfig /displaydns
Windows IP Configuration
+ 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa
+ ----------------------------------------
Record Name . . . . . : 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa.
+ Record Type . . . . . : 12
+ Time To Live . . . . : 86400
+ Data Length . . . . . : 4
+ Section . . . . . . . : Answer
+ PTR Record . . . . . : localhost
+ 1.0.0.127.in-addr.arpa
+ ----------------------------------------
Record Name . . . . . : 1.0.0.127.in-addr.arpa.
+ Record Type . . . . . : 12
+ Time To Live . . . . : 86400
+ Data Length . . . . . : 4
+ Section . . . . . . . : Answer
+ PTR Record . . . . . : localhost
+ _ldap._tcp.default-first-site-name._sites.win-0p19ull2nb6.lab.sky.net
+ ----------------------------------------
Name does not exist.
+ _ldap._tcp.win-0p19ull2nb6.lab.sky.net
+ ----------------------------------------
Name does not exist.
+ localhost
+ ----------------------------------------
Record Name . . . . . : localhost
+ Record Type . . . . . : 1
+ Time To Live . . . . : 86400
+ Data Length . . . . . : 4
+ Section . . . . . . . : Answer
+ A (Host) Record . . . : 127.0.0.1
+ localhost
+ ----------------------------------------
Record Name . . . . . : localhost
+ Record Type . . . . . : 28
+ Time To Live . . . . : 86400
+ Data Length . . . . . : 16
+ Section . . . . . . . : Answer
+ AAAA Record . . . . . : ::1
+C:\Users\jondoe>ipconfig /all
+Windows IP Configuration
+ Host Name . . . . . . . . . . . . : WIN-0P19ULL2NB6
+ Primary Dns Suffix . . . . . . . : lab.sky.net
+ Node Type . . . . . . . . . . . . : Hybrid
+ IP Routing Enabled. . . . . . . . : No
+ WINS Proxy Enabled. . . . . . . . : No
+ DNS Suffix Search List. . . . . . : lab.sky.net
+ sky.net
+Ethernet adapter Local Area Connection:
+ Connection-specific DNS Suffix . :
+ Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
+ Physical Address. . . . . . . . . : 00-0C-29-9A-E2-26
+ DHCP Enabled. . . . . . . . . . . : No
+ Autoconfiguration Enabled . . . . : Yes
+ Link-local IPv6 Address . . . . . : fe80::11bc:e019:25e5:916d%10(Preferred)
+ IPv4 Address. . . . . . . . . . . : 192.168.10.34(Preferred)
+ Subnet Mask . . . . . . . . . . . : 255.255.255.0
+ Default Gateway . . . . . . . . . : 192.168.10.1
+ DHCPv6 IAID . . . . . . . . . . . : 234884137
+ DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-19-E6-78-04-00-0C-29-9A-E2-26
+ DNS Servers . . . . . . . . . . . : ::1
+ 127.0.0.1
+ NetBIOS over Tcpip. . . . . . . . : Enabled
+Tunnel adapter Local Area Connection* 8:
+ Media State . . . . . . . . . . . : Media disconnected
+ Connection-specific DNS Suffix . :
+ Description . . . . . . . . . . . : isatap.{DDE3DF3D-3417-4EBF-BF66-73BD3A64FF26}
+ Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
+ DHCP Enabled. . . . . . . . . . . : No
+ Autoconfiguration Enabled . . . . : YesC:\Users\johndoe>arp -a
+Interface: 192.168.10.34 --- 0xa
+ Internet Address Physical Address Type
+ 192.168.10.255 ff-ff-ff-ff-ff-ff static
+ 224.0.0.22 01-00-5e-00-00-16 static
+ 224.0.0.252 01-00-5e-00-00-fc staticC:\Users\johndoe>wmic ntdomain list
+DomainGuid
+{CD5C2FE3-5AFE-459D-804E-A81B49066CAD}C:\Users\johndoe>net accounts
+Force user logoff how long after time expires?: Never
+Minimum password age (days): 1
+Maximum password age (days): 42
+Minimum password length: 7
+Length of password history maintained: 24
+Lockout threshold: Never
+Lockout duration (minutes): 30
+Lockout observation window (minutes): 30
+Computer role: PRIMARY
+The command completed successfully.C:\Users\johndoe>net group "domain admins"
+Group name Domain Admins
+Comment Designated administrators of the domain
+Members
+-------------------------------------------------------------------------------
+Administrator
+The command completed successfully.C:\Users\johndoe>net localgroup administrators
+Alias name administrators
+Comment Administrators have complete and unrestricted access to the computer/domain
+Members
+-------------------------------------------------------------------------------
+Administrator
+Domain Admins
+Enterprise Admins
+johndoe
+The command completed successfully.C:\Users\johndoe>net share
+Share name Resource Remark
+-------------------------------------------------------------------------------
C$ C:\ Default share
+IPC$ Remote IPC
+ADMIN$ C:\Windows Remote Admin
+NETLOGON C:\Windows\SYSVOL\sysvol\lab.sky.net\SCRIPTS Logon server share
+SYSVOL C:\Windows\SYSVOL\sysvol Logon server share
+The command completed successfully.C:\Users\johndoe>net user
+User accounts for \\WIN-0P19ULL2NB6
+-------------------------------------------------------------------------------
Administrator Guest johndoe
krbtgt
The command completed successfully. C:\Users\johndoe>net user johndoe
+User name johndoe
+Full Name John Doe
+Comment
+User's comment
+Country code 000 (System Default)
+Account active Yes
+Account expires Never
+Password last set 10/10/2013 8:57:02 PM
+Password expires 11/21/2013 8:57:02 PM
+Password changeable 10/11/2013 8:57:02 PM
+Password required Yes
+User may change password Yes
+Workstations allowed All
+Logon script
+User profile
+Home directory
+Last logon 10/15/2013 6:53:42 PM
+Logon hours allowed All
+Local Group Memberships \*Administrators \*Users
+Global Group memberships \*Domain Users
+The command completed successfully.C:\Users\johndoe>netsh diag show all
+Default Outlook Express Mail (Not Configured)
+Default Outlook Express News (Not Configured)
+Internet Explorer Web Proxy (Not Configured)
+Loopback (127.0.0.1)
+Computer System (OJ-75E3B8CC9475)
+Operating System (Microsoft Windows XP Professional)
+Version (5.1.2600)
+Modems
+Network Adapters
+ 1. [00000001] VMware Accelerated AMD PCNet Adapter
+ 2. [00000010] VMware Accelerated AMD PCNet Adapter
+Network Clients
+ 1. VMware Shared Folders
+ 2. Microsoft Terminal Services
+ 3. Microsoft Windows Network
+ 4. Web Client Network
+C:\Windows\system32>netstat -nabo |findstr /I 445
+ TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
+ TCP [::]:445 [::]:0 LISTENING 4
+ UDP 0.0.0.0:62445 *:* 1756
+ UDP 0.0.0.0:63445 *:* 1756
+ UDP [::]:49445 *:* 1756
+ UDP [::]:64445 *:* 1756
+ UDP [::]:64450 *:* 1756
+ UDP [::]:64451 *:* 1756C:\Users\johndoe>netstat -na | findstr :445
+ TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
+ TCP [::]:445 [::]:0 LISTENINGC:\Users\johndoe>netstat -nao | findstr /I listening
+ TCP 0.0.0.0:88 0.0.0.0:0 LISTENING 592
+ TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 908
+ TCP 0.0.0.0:389 0.0.0.0:0 LISTENING 592
+ TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
+ TCP 0.0.0.0:464 0.0.0.0:0 LISTENING 592
+ TCP 0.0.0.0:593 0.0.0.0:0 LISTENING 908
+ TCP 0.0.0.0:636 0.0.0.0:0 LISTENING 592
+ TCP 0.0.0.0:3268 0.0.0.0:0 LISTENING 592
+ TCP 0.0.0.0:3269 0.0.0.0:0 LISTENING 592
+ TCP 0.0.0.0:3389 0.0.0.0:0 LISTENING 1208
+ TCP 0.0.0.0:49152 0.0.0.0:0 LISTENING 500
+ TCP 0.0.0.0:49153 0.0.0.0:0 LISTENING 984
+ TCP 0.0.0.0:49154 0.0.0.0:0 LISTENING 1056
+ TCP 0.0.0.0:49156 0.0.0.0:0 LISTENING 592
+ TCP 0.0.0.0:49157 0.0.0.0:0 LISTENING 592
+ TCP 0.0.0.0:49158 0.0.0.0:0 LISTENING 592
+ TCP 0.0.0.0:49161 0.0.0.0:0 LISTENING 1804
+ TCP 0.0.0.0:49169 0.0.0.0:0 LISTENING 1756
+ TCP 0.0.0.0:49170 0.0.0.0:0 LISTENING 580
+ TCP 127.0.0.1:53 0.0.0.0:0 LISTENING 1756
+ TCP 192.168.10.34:53 0.0.0.0:0 LISTENING 1756
+ TCP 192.168.10.34:139 0.0.0.0:0 LISTENING 4
+ TCP [::]:88 [::]:0 LISTENING 592
+ TCP [::]:135 [::]:0 LISTENING 908
+ TCP [::]:389 [::]:0 LISTENING 592
+ TCP [::]:445 [::]:0 LISTENING 4
+ TCP [::]:464 [::]:0 LISTENING 592
+ TCP [::]:593 [::]:0 LISTENING 908
+ TCP [::]:636 [::]:0 LISTENING 592C:\Windows\system32>netstat -nabo
+Active Connections
+ Proto Local Address Foreign Address State PID
+ TCP 0.0.0.0:88 0.0.0.0:0 LISTENING 592
+ [lsass.exe]
+ TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 908
+ RpcSs
+ [svchost.exe]
+ TCP 0.0.0.0:389 0.0.0.0:0 LISTENING 592
+ [lsass.exe]
+ TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
+ Can not obtain ownership information
+x: Windows Sockets initialization failed: 5
+ TCP 0.0.0.0:464 0.0.0.0:0 LISTENING 592
+ [lsass.exe]
+ TCP 0.0.0.0:593 0.0.0.0:0 LISTENING 908
+ RpcSs
+ [svchost.exe]
+ TCP 0.0.0.0:636 0.0.0.0:0 LISTENING 592
+ [lsass.exe]
+ TCP 0.0.0.0:3268 0.0.0.0:0 LISTENING 592
+ [lsass.exe]
+ TCP 0.0.0.0:3269 0.0.0.0:0 LISTENING 592
+ [lsass.exe]
+ TCP 0.0.0.0:3389 0.0.0.0:0 LISTENING 1208
+ DnscacheC:\Users\johndoe>netstat -r
===========================================================================
Interface List
10 ...00 0c 29 9a e2 26 ...... Intel(R) PRO/1000 MT Network Connection
1 ........................... Software Loopback Interface 1
12 ...00 00 00 00 00 00 00 e0 isatap.{DDE3DF3D-3417-4EBF-BF66-73BD3A64FF26}
11 ...02 00 54 55 4e 01 ...... Teredo Tunneling Pseudo-Interface
===========================================================================
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.10.1 192.168.10.34 266
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
192.168.10.0 255.255.255.0 On-link 192.168.10.34 266
192.168.10.34 255.255.255.255 On-link 192.168.10.34 266
192.168.10.255 255.255.255.255 On-link 192.168.10.34 266
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 192.168.10.34 266
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 192.168.10.34 266
===========================================================================
Persistent Routes:
Network Address Netmask Gateway Address Metric
0.0.0.0 0.0.0.0 192.168.10.1 Default
===========================================================================
IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
1 306 ::1/128 On-link
10 266 fe80::/64 On-link
10 266 fe80::11bc:e019:25e5:916d/128
On-link
1 306 ff00::/8 On-link
10 266 ff00::/8 On-link
===========================================================================
Persistent Routes:
None
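Review bot: The added `netsh diag show all` sample reports `Computer System (OJ-75E3B8CC9475)` running `Microsoft Windows XP Professional`, while every other sample in this hunk comes from `WIN-0P19ULL2NB6` in `lab.sky.net`, so the page reads as one host but mixes two. Label that block as captured on a different machine, or recapture it on the lab host. Two smaller carry-overs from the removed side are worth fixing in the same pass. The `ipconfig /all` prompt is spelled `C:\Users\jondoe>` where the rest use `C:\Users\johndoe>`. The `netstat -nabo` sample keeps a stray `x: Windows Sockets initialization failed: 5` line and stops at `Dnscache` under the 3389 listener with no process name, so trim or recapture it. The removed side also drops the intro sentence and the `Command with arguments` / `Description` bullets for `ipconfig /displaydns`, and the visible added lines carry only raw output, so confirm the per-command descriptions still reach the reader.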