weyne/pwnwiki.github.io
1
0
Fork 0
mirror of https://github.com/oXis/pwnwiki.github.io.git synced 2025-10-29 16:56:59 +00:00
Code Issues Packages Projects Releases Wiki Activity

first whack at nav reorg

Browse Source
This commit is contained in:
Rob Fuller
2013-12-26 13:08:13 -05:00
parent 68644fefb7
commit be072ead31
45 changed files with 110 additions and 148 deletions
Download Patch File Download Diff File Expand all files Collapse all files

29
presence/linux/blind.md Normal file
View File

@@ -0,0 +1,29 @@
# Linux Blind Files
In some cases during exploitation you as an attacker gain the ability to read arbitrary files. As an attacker you need go-to files that cover as many different OS versions as possible in order to either confirm exploitation or gather intelligence on the exploited system. For this we use a "blind file".
The files below are things to pull when all you can do is to blindly read. Examples of vulnerabilities or situations where this would be helpful might be: local file includes (LFI), directory traversals or remote file share instances like SMB, FTP, NFS or otherwise.
| File | Description / Importance |
| -------- | ------------------------ |
| `/etc/issue` | A message or system identification to be printed before the login prompt. |
| `/etc/motd` | Message of the day banner content. Can contain information about the system owners or use of the system. |
| `/etc/passwd` | List of account names, groups, home directory, and shell (should be globally readable). May also contain password hashes. |
| `/etc/group` | User groups. |
| `/etc/resolv.conf` | Contains the current name servers (DNS) for the system. This is a globally readable file that is less likely to trigger IDS alerts than `/etc/passwd`. |
| `/etc/shadow` | List of all shadowed user's password hashes (usually requires root privileges). |
| `/home/[USERNAME]/.bash_history`<br>`~/.bash_history`<br>`$USER/.bash_history`<br>`/root/.bash_history` | Shell (bash) history for [USERNAME], the current user or root respectively. This file can contain passwords and other sensitive commands and content. It's worth trying .profile instead of .bash_history in case the user doesn't use bash |
# Information discovery through blind files
When using blind files, it is often possible to mine known files for other paths or configuration. This can disclose what services are running, how they are configured and more. The following is some files that are worth looking at.
| File | Description / Importance |
| -------- | ------------------------ |
| `/etc/mtab` | Reveals mount points. |
| `/etc/inetd.conf` | Configuration file for inetd based services, mostly deprecated these days. |
| ... | ... |
# More files
It is worth automating the extraction of files, either using a dictionary attack or even bruteforce to discover unknown files.
A list of file paths to try can be found [here](pillage.lst).

116
presence/linux/find_files.md Normal file
View File

@@ -0,0 +1,116 @@
<!-- Code for collapse and expand -->
<script type="text/javascript">
$(document).ready(function() {
$('div.view').hide();
$('div.slide').click(function() {
$(this).next('div.view').slideToggle('fast');
return false;
});
});
</script>
# Linux finding files commands
Commands that finds files on the file system are usually executed from within a shell (sh/bash) or through a forking function such as system() or exec().
## ls
### Attributes showing
* **Command with arguments**: `ls -l [directory or filename]`
* **Description**: Displays attributes of files and directories in the specified location
* **Output**:
* <div class="slide" style="cursor: pointer;"> **Ubuntu:** Show/Hide</div><div class="view"><code>root@localhost:~/ ls -l /
total 429820
drwxr-xr-x 2 root root 4096 2013-08-23 02:49 bin
drwxr-xr-x 3 root root 4096 2013-08-23 03:18 boot
drwxr-xr-x 2 root root 4096 2011-03-05 11:41 cdrom
drwxr-xr-x 15 root root 4600 2013-11-25 15:43 dev
drwxr-xr-x 158 root root 12288 2013-12-04 15:54 etc
drwxr-xr-x 4 root root 4096 2013-05-02 07:19 home
lrwxrwxrwx 1 root root 21 2012-03-01 08:11 initrd.img -> boot/initrd.img-3.2.6
drwxr-xr-x 25 root root 16384 2013-08-23 02:50 lib
drwx------ 2 root root 16384 2011-03-05 11:40 lost+found
drwxr-xr-x 4 root root 4096 2013-08-04 22:31 media
drwxr-xr-x 3 root root 4096 2012-03-04 19:14 mnt
-rw-r--r-- 1 root root 1045 2012-08-13 23:52 nis
drwxr-xr-x 12 root root 4096 2013-08-23 03:02 opt
drwxr-xr-x 25 root root 4096 2013-08-23 02:54 pentest
dr-xr-xr-x 148 root root 0 2013-11-25 15:36 proc
drwx------ 77 root root 4096 2013-12-04 15:58 root
-rw-r--r-- 1 root root 440006761 2012-10-01 00:09 root.tgz
drwxr-xr-x 2 root root 12288 2013-08-23 02:51 sbin
drwxr-xr-x 2 root root 4096 2009-12-05 16:55 selinux
drwxr-xr-x 4 root root 4096 2011-05-10 03:42 share
drwxr-xr-x 4 root root 4096 2013-04-17 21:25 srv
drwxr-xr-x 12 root root 0 2013-11-25 15:36 sys
drwxrwxrwt 12 root root 4096 2013-12-04 01:00 tmp
drwxr-xr-x 13 root root 4096 2013-08-23 02:52 usr
drwxr-xr-x 16 root root 4096 2011-06-08 09:16 var
lrwxrwxrwx 1 root root 18 2012-03-01 08:11 vmlinuz -> boot/vmlinuz-3.2.6
</code></div>
----
## find
### Search by name
* **Command with arguments**: `find /etc -name "issue*"`
* **Description**: Locates files matching the name (wildcards supported)
* **Output**:
* <div class="slide" style="cursor: pointer;"> **Ubuntu:** Show/Hide</div><div class="view"><code>root@localhost:~/ find /etc -name "issue*"
/etc/issue.net
/etc/issue
/etc/issue.dpkg-dist
</code></div>
### Search by permissions
* **Command with arguments**: `find / -perm 777`
* **Description**: Locates files matching the permissions
* **Output**:
* <div class="slide" style="cursor: pointer;"> **Ubuntu:** Show/Hide</div><div class="view"><code>root@localhost:~/ find / -perm 777
/initrd.img
/pentest/exploits/isr-evilgrade/include/sunjava/JavaPayload/FunnyClass2.jar
/pentest/exploits/isr-evilgrade/agent/java/javaws.exe
/pentest/exploits/isr-evilgrade/trash
/pentest/passwords/hashcat-gui/hashcat
/pentest/passwords/hashcat-gui/oclHashcat-plus
/pentest/passwords/hashcat-gui/oclHashcat-lite
/pentest/passwords/john/undrop
--snip--
</code></div>
### Search by username
* **Command with arguments**: `find / -user root`
* **Description**: Locates files owned by the user "root"
* **Output**:
* <div class="slide" style="cursor: pointer;"> **Ubuntu:** Show/Hide</div><div class="view"><code>root@localhost:~/ find / -user root
/
/initrd.img
/pentest
/pentest/sniffers
/pentest/sniffers/dnschef
/pentest/sniffers/dnschef/dnschef.exe
/pentest/sniffers/dnschef/dnschef.ini
/pentest/sniffers/dnschef/dnslib
/pentest/sniffers/dnschef/dnslib/dns.py
/pentest/sniffers/dnschef/dnslib/__init__.py
--snip--
</code></div>
----
## locate
* **Command with arguments**: `locate ifconfig`
* **Description**: Look files up in the location database
* **Output**:
* <div class="slide" style="cursor: pointer;"> **Ubuntu:** Show/Hide</div><div class="view"><code>root@localhost:~/ locate ifconfig
/pentest/forensics/volatility/volatility/plugins/linux/ifconfig.py
/pentest/forensics/volatility/volatility/plugins/linux/ifconfig.pyc
/sbin/ifconfig
/usr/share/man/de/man8/ifconfig.8.gz
/usr/share/man/fr/man8/ifconfig.8.gz
/usr/share/man/man8/ifconfig.8.gz
/usr/share/man/pt_BR/man8/ifconfig.8.gz
</code></div>

0
presence/linux/index.md Normal file
View File

191
presence/linux/pillage.lst Normal file
View File

@@ -0,0 +1,191 @@
/apache/logs/access.log
/apache/logs/error.log
/bin/php.ini
/etc/alias
/etc/apache2/apache.conf
/etc/apache2/conf/httpd.conf
/etc/apache2/httpd.conf
/etc/apache/conf/httpd.conf
/etc/bash.bashrc
/etc/chttp.conf
/etc/crontab
/etc/crypttab
/etc/debian_version
/etc/exports
/etc/fedora-release
/etc/fstab
/etc/ftphosts
/etc/ftpusers
/etc/group
/etc/group-
/etc/hosts
/etc/http/conf/httpd.conf
/etc/httpd.conf
/etc/httpd/conf/httpd.conf
/etc/httpd/httpd.conf
/etc/httpd/logs/acces_log
/etc/httpd/logs/acces.log
/etc/httpd/logs/access_log
/etc/httpd/logs/access.log
/etc/httpd/logs/error_log
/etc/httpd/logs/error.log
/etc/httpd/php.ini
/etc/http/httpd.conf
/etc/inetd.conf
/etc/inittab
/etc/issue
/etc/issue.net
/etc/lighttpd.conf
/etc/login.defs
/etc/mandrake-release
/etc/motd
/etc/mtab
/etc/my.cnf
/etc/mysql/my.cnf
/etc/openldap/ldap.conf
/etc/os-release
/etc/pam.conf
/etc/passwd
/etc/passwd-
/etc/password.master
/etc/php4.4/fcgi/php.ini
/etc/php4/apache2/php.ini
/etc/php4/apache/php.ini
/etc/php4/cgi/php.ini
/etc/php5/apache2/php.ini
/etc/php5/apache/php.ini
/etc/php5/cgi/php.ini
/etc/php/apache2/php.ini
/etc/php/apache/php.ini
/etc/php/cgi/php.ini
/etc/php.ini
/etc/php/php4/php.ini
/etc/php/php.ini
/etc/profile
/etc/proftp.conf
/etc/proftpd/modules.conf
/etc/protpd/proftpd.conf
/etc/pure-ftpd.conf
/etc/pureftpd.passwd
/etc/pureftpd.pdb
/etc/pure-ftpd/pure-ftpd.conf
/etc/pure-ftpd/pure-ftpd.pdb
/etc/pure-ftpd/pureftpd.pdb
/etc/redhat-release
/etc/resolv.conf
/etc/samba/smb.conf
/etc/security/environ
/etc/security/group
/etc/security/limits
/etc/security/passwd
/etc/security/user
/etc/shadow
/etc/shadow-
/etc/slackware-release
/etc/sudoers
/etc/SUSE-release
/etc/sysctl.conf
/etc/vhcs2/proftpd/proftpd.conf
/etc/vsftpd.conf
/etc/vsftpd/vsftpd.conf
/etc/wu-ftpd/ftpaccess
/etc/wu-ftpd/ftphosts
/etc/wu-ftpd/ftpusers
/logs/access.log
/logs/error.log
/opt/apache2/conf/httpd.conf
/opt/apache/conf/httpd.conf
/opt/xampp/etc/php.ini
/php4\php.ini
/php5\php.ini
/php\php.ini
/PHP\php.ini
/private/etc/httpd/httpd.conf
/private/etc/httpd/httpd.conf.default
/root/.bash_history
/root/.ssh/id_rsa
/root/.ssh/id_rsa.pub
/root/.ssh/known_hosts
/tmp/access.log
/usr/apache2/conf/httpd.conf
/usr/apache/conf/httpd.conf
/usr/etc/pure-ftpd.conf
/usr/lib/php.ini
/usr/lib/php/php.ini
/usr/lib/security/mkuser.default
/usr/local/apache2/conf/httpd.conf
/usr/local/apache2/httpd.conf
/usr/local/apache2/logs/access_log
/usr/local/apache2/logs/access.log
/usr/local/apache2/logs/error_log
/usr/local/apache2/logs/error.log
/usr/local/apache/conf/httpd.conf
/usr/local/apache/conf/php.ini
/usr/local/apache/httpd.conf
/usr/local/apache/logs/access_log
/usr/local/apache/logs/access.log
/usr/local/apache/logs/error_log
/usr/local/apache/logs/error.log
/usr/local/apache/logs/error. og
/usr/local/apps/apache2/conf/httpd.conf
/usr/local/apps/apache/conf/httpd.conf
/usr/local/etc/apache2/conf/httpd.conf
/usr/local/etc/apache/conf/httpd.conf
/usr/local/etc/apache/vhosts.conf
/usr/local/etc/httpd/conf/httpd.conf
/usr/local/etc/php.ini
/usr/local/etc/pure-ftpd.conf
/usr/local/etc/pureftpd.pdb
/usr/local/httpd/conf/httpd.conf
/usr/local/lib/php.ini
/usr/local/php4/httpd.conf
/usr/local/php4/httpd.conf.php
/usr/local/php4/lib/php.ini
/usr/local/php5/httpd.conf
/usr/local/php5/httpd.conf.php
/usr/local/php5/lib/php.ini
/usr/local/php/httpd.conf
/usr/local/php/httpd.conf.php
/usr/local/php/lib/php.ini
/usr/local/pureftpd/etc/pure-ftpd.conf
/usr/local/pureftpd/etc/pureftpd.pdb
/usr/local/pureftpd/sbin/pure-config.pl
/usr/local/Zend/etc/php.ini
/usr/pkgsrc/net/pureftpd/
/usr/ports/contrib/pure-ftpd/
/usr/ports/ftp/pure-ftpd/
/usr/ports/net/pure-ftpd/
/usr/sbin/pure-config.pl
/var/cpanel/cpanel.config
/var/lib/mysql/my.cnf
/var/local/www/conf/php.ini
/var/log/access_log
/var/log/access.log
/var/log/apache2/access_log
/var/log/apache2/access.log
/var/log/apache2/error_log
/var/log/apache2/error.log
/var/log/apache/access_log
/var/log/apache/access.log
/var/log/apache/error_log
/var/log/apache/error.log
/var/log/error_log
/var/log/error.log
/var/log/httpd/access_log
/var/log/httpd/access.log
/var/log/httpd/error_log
/var/log/httpd/error.log
/var/log/messages
/var/log/messages.1
/var/log/user.log
/var/log/user.log.1
/var/www/conf/httpd.conf
/var/www/html/index.html
/var/www/logs/access_log
/var/www/logs/access.log
/var/www/logs/error_log
/var/www/logs/error.log
/Volumes/webBackup/opt/apache2/conf/httpd.conf
/Volumes/webBackup/private/etc/httpd/httpd.conf
/Volumes/webBackup/private/etc/httpd/httpd.conf.default
/web/conf/php.ini

17
presence/osx/blind.md Normal file
View File

@@ -0,0 +1,17 @@
# OS X Blind Files
In some cases during exploitation you as an attacker gain the ability to read arbitrary files. As an attacker you need go-to files that cover as many different OS versions as possible in order to either confirm exploitation or gather intelligence on the exploited system. For this we use a "blind file".
The files below are things to pull when all you can do is to blindly read. Examples of vulnerabilities or situations where this would be helpful might be: local file includes (LFI), directory traversals or remote file share instances like SMB, FTP, NFS or otherwise. Files that will have the same name across networks, Windows domains, and systems are noted below.
| File | Description / Importance |
| -------- | ------------------------ |
| /etc/fstab | Displays the file systems and mounted permissions of file systems attached to the host. |
| /etc/group | User group assignments. Displays user and group names and which user is a member of which group. |
| /etc/hosts | Manually-entered IP to hostname translation. |
| /etc/master.passwd | **Must be root to read.** Contains users, their UID, primary group, and default shell. |
| /etc/passwd | Contains users, their UID, primary group, and default shell. |
| /etc/resolv.conf | Configuration file for DNS server entries. |
| /etc/sudoers | Configuration file for the `sudo` command. May tell you if some users can elevate privileges with or without a password using the `sudo` command. |
| /etc/sysctl.conf | Contains a list of sysctl variable assignments that is read at system startup by rc early on in the boot sequence. [^1](http://www.openbsd.org/cgi-bin/man.cgi?query=sysctl.conf&sektion=5) |

15
presence/osx/find_files.md Normal file
View File

@@ -0,0 +1,15 @@
# OS X Finding File Commands
Commands that find files on the filesystem and are usually executed from the context of the shell (`/bin/bash` or `/bin/sh`) prompt.
| Command | Description / Importance |
| -------- | ------------------------ |
| `find /sbin /usr/sbin /opt /lib` &#96;`echo $PATH` &#124;`'sed s/:/ /g'`&#96;` -perm -4000` | Find SUID files. |
| `for user in $(cut -f1 -d: /etc/passwd); do echo $user; crontab -u $user -l; done` | Lists all the user crontab or scheduled tasks files. |
| `find /var/log -type f -exec ls -la {} \;` | Find all the log files in `/var/log/` |
| `ls -alhtr /Volumes` | Display the volumes mounted at `/Volumes` |
| `ls /Users/*/.ssh/*` | Discover SSH files (keys and such) located in each user's home drive. May require root permissions to view these files in other user's directories. |
| `locate tar` &#124; `grep [.]tar$` | Finds all files that have a `.tar` extension. Substitute other archive extensions (e.g., `.zip`, `.7z`, `.rar`) or other extensions such as `.sql` or `.conf`. |
| `locate settings` $#124; `grep [.]php$` | Find all files with the word settings in it and with a `.php` extension. |
| `locate .properties` $#124; `grep [.]properties` | Finds Java configuration files. |

14
presence/windows/blind.md Normal file
View File

@@ -0,0 +1,14 @@
# Windows Blind Files
In some cases during exploitation you as an attacker gain the ability to read arbitrary files. As an attacker you need go-to files that cover as many different OS versions as possible in order to either confirm exploitation or gather intelligence on the exploited system. For this we use a "blind file".
The files below are things to pull when all you can do is to blindly read. Examples of vulnerabilities or situations where this would be helpful might be: local file includes (LFI), directory traversals or remote file share instances like SMB, FTP, NFS or otherwise. Files that will have the same name across networks, Windows domains, and systems are noted below.
| File | Description / Importance |
| -------- | ------------------------ |
| `%SYSTEMDRIVE%\boot.ini` | A file that can be counted on to be on virtually every windows host. Helps with confirmation that a read is happening. **WARNING - in more recent versions of Windows this file in no longer there.** |
| `%WINDIR%\win.ini` | This is another file that can be counted on to be readable by all users of a system. |
| `%SYSTEMROOT%\repair\SAM`<br>`%SYSTEMROOT%\System32\config\RegBack\SAM` | Stores user passwords in either an [LM hash](https://en.wikipedia.org/wiki/LM_hash) and/or an [NTLM hash](https://en.wikipedia.org/wiki/NTLM) format. The SAM file in \repair is locked, but can be retrieved using forensic or [Volume Shadow copy methods](http://www.room362.com/blog/2013/6/10/volume-shadow-copy-ntdsdit-domain-hashes-remotely-part1.html). |
| `%SYSTEMROOT%\repair\system`<br>`%SYSTEMROOT%\System32\config\RegBack\system` | This is the SYSTEM registry hive. This file is needed to extract the user account password hashes from a Windows system. The SYSTEM file in \repair is locked, but can be retrieved using forensic or [Volume Shadow copy methods](http://www.room362.com/blog/2013/6/10/volume-shadow-copy-ntdsdit-domain-hashes-remotely-part1.html). |
| `%SYSTEMDRIVE%\autoexec.bat` | autoexec.bat is a startup script that executes at startup. As [Webopedia states](http://www.webopedia.com/TERM/A/autoexec_bat.html), “Stands for automatically executed batch file, the file that DOS automatically executes when a computer boots up. This is a convenient place to put commands you always want to execute at the beginning of a computing session. For example, you can set system parameters such as the date and time, and install memory-resident programs.” |

21
presence/windows/files.md Normal file
View File

@@ -0,0 +1,21 @@
# Windows Important Files
Files that can yield passwords or other intel about the system, network or users.
| File | Description / Importance |
| -------- | ------------------------ |
| `%SYSTEMDRIVE%\pagefile.sys` | This file is used by the operating system when there is not enough RAM (memory) in the system. It is a large file, but contains spill over from RAM, usually lots of good information can be pulled, but should be a last resort due to size. |
| `%SYSTEMROOT%\repair\SAM` <br> `%SYSTEMROOT%\System32\config\RegBack\SAM` | These files store the LM and NTLM hashes for local users. Using [Volume Shadow Copy](http://www.room362.com/blog/2013/6/10/volume-shadow-copy-ntdsdit-domain-hashes-remotely-part1.html) or [Ninja Copy](http://clymb3r.wordpress.com/2013/06/13/using-powershell-to-copy-ntds-dit-registry-hives-bypass-sacls-dacls-file-locks/) you can retrieve these files. |
| `%SystemDrive%\inetpub\logs\LogFiles` | IIS 7.x web server log file location. |
| `%USERPROFILE%\LocalS~1\Tempor~1\Content.IE5\index.dat` | Internet Explorer web browser history file (http://support.microsoft.com/kb/322916) |
| `%USERPROFILE%\ntuser.dat` | User-level Windows registry settings (http://technet.microsoft.com/en-us/library/cc758618(v=WS.10).aspx) |
| `%WINDIR%\System32\drivers\etc\hosts` | System hosts file for local translation of host names to IP addresses. |
| `%WINDIR%\debug\NetSetup.log` | Shows issues when computers are joined to a domain. http://technet.microsoft.com/en-us/library/cc961817.aspx |
| `%WINDIR%\iis[version].log` where [version] = 6, 7, or 8 | Internet Information Service (IIS web server) log files. |
| `%WINDIR%\repair\sam`<br>`%WINDIR%\repair\system`<br>`%WINDIR%\repair\software`<br>`%WINDIR%\repair\security` | System registry hives. https://en.wikipedia.org/wiki/Windows_Registry |
| `%WINDIR%\system32\CCM\logs\*.log` | Windows SCCM (System Center Configuration Manager) log files (http://technet.microsoft.com/en-us/library/bb892800.aspx) |
| `%WINDIR%\system32\config\AppEvent.Evt`<br>`%WINDIR%\system32\config\SecEvent.Evt` | Windows Event Logs. |
| `%WINDIR%\system32\config\default.sav`<br>`%WINDIR%\system32\config\security.sav`<br>`%WINDIR%\system32\config\software.sav`<br>`%WINDIR%\system32\config\system.sav` | Backup Windows registry files (http://forensics.wikia.com/wiki/Windows_registry_entries) |
| `%WINDIR%\system32\logfiles\httperr\httperr1.log` | IIS 6.x web server error logs. |
| `%WINDIR%\system32\logfiles\w3svc1\exYYMMDD.log` where YYMMDD = year month day | Web server log files. |
| `unattend.txt, unattend.xml, sysprep.inf` | Used in the automated deployment of Windows images and can contain user accounts. |

42
presence/windows/find_files.md Normal file
View File

@@ -0,0 +1,42 @@
<!-- Code for collapse and expand -->
<script type="text/javascript">
$(document).ready(function() {
$('div.view').hide();
$('div.slide').click(function() {
$(this).next('div.view').slideToggle('fast');
return false;
});
});
</script>
# Windows Finding File Commands
Commands that find files on the filesystem and are usually executed from the context of the `cmd.exe` or `command.exe` prompt.
## dir
### Attributes Showing
* **Command with arguments**: `dir /a`
* **Description**: Displays files with specified attributes. Examples: D=Directories, R=Read-only files, H=Hidden files, A=Files ready for archiving, S=System files
* **Output**:
* <div class="slide" style="cursor: pointer;"> **Windows 2008:** Show/Hide</div><div class="view"><code>C:\Users\johndoe>dir /a c:\<br> Volume in drive C has no label. Volume Serial Number is 1A09-5F16<br><br> Directory of c:\<br><br>01/19/2008 03:45 AM <DIR> $Recycle.Bin<br>09/18/2006 04:43 PM 24 autoexec.bat<br>10/08/2013 10:27 PM <DIR> Boot<br>04/11/2009 08:00 AM 333,257 bootmgr<br>10/08/2013 10:27 PM 8,192 BOOTSECT.BAK<br>09/18/2006 04:43 PM 10 config.sys<br>01/19/2008 06:47 AM <JUNCTION> Documents and Settings [C:\Users]<br>10/23/2013 07:39 PM 2,460,454,912 pagefile.sys<br>01/19/2008 04:40 AM <DIR> PerfLogs<br>10/08/2013 06:36 PM <DIR> Program Files<br>10/08/2013 06:36 PM <DIR> <br>10/10/2013 07:59 PM <DIR> Users<br>10/23/2013 07:38 PM <DIR> Windows<br> 5 File(s) 2,460,796,395 bytes<br> 10 Dir(s) 33,311,416,320 bytes free</code></div>
### Recursive
* **Command with arguments**: `dir /b /s [directory or filename]`
* **Description**: Displays files recursively (all subdirectories). Good for post processing with find (example: `find /I “searchstring”`) or sending to another tool.
* **Output**:
* <div class="slide" style="cursor: pointer;"> **Windows 2008:** Show/Hide</div><div class="view"><code>C:\Users\johndoe>dir /b /s c:\temp<br>c:\Users\Default\AppData\Local\Temp<br>c:\Users\johndoe\AppData\Local\Temp<br>c:\Windows\Temp<br>c:\Windows\assembly\temp<br>c:\Windows\assembly\NativeImages_v2.0.50727_32\Temp<br>c:\Windows\System32\DriverStore\Temp<br>c:\Windows\winsxs\Temp</code></div>
----
## find
* **Command with arguments**: `[somecommand] \| find /c /v ”[searchstring]”`
* **Description**: Counts the number of times the [searchstring] is found in the output of [somecommand].
* **Output**:
* <div class="slide" style="cursor: pointer;"> **Windows 2008:** Show/Hide</div><div class="view"><code>C:\Users\johndoe>dir /a /s c:\ |find /c /v "svchost"
99184</code></div>
----
## tree
* **Command with arguments**: `tree C:\ /f /a > C:\output_of_tree.txt`
* **Description**: Prints a directory listing in tree format. The `/a` makes the tree printed with ASCII characters instead of special ones and the `/f` displays file names as well as folders.
* **Output**:
* <div class="slide" style="cursor: pointer;"> **Windows 2008:** Show/Hide</div><div class="view"><code>C:\Users\johndoe>tree C:\ /f /a<br>Folder PATH listing<br>Volume serial number is 1A09-5F16<br>C:\<br>| autoexec.bat<br>| config.sys<br>|<br>+---PerfLogs<br>+---Program Files<br>| +---Common Files<br>| | +---microsoft shared<br>| | | +---DAO<br>| | | | dao360.dll<br>| | | |<br>| | | +---ink<br>| | | | | penchs.dll<br>| | | | | pencht.dll<br>| | | | | penjpn.dll<br>| | | | | penkor.dll<br>| | | | | penusa.dll<br>| | | | | pipanel.dll<br>| | | | | pipanel.exe<br>| | | | | pipres.dll<br>| | | | | skchobj.dll<br>| | | | | skchui.dll<br>| | | | |<br>| | | | +---ar-SA<br>| | | | | tipresx.dll.mui<br>| | | | |<br>[...SNIP...]</code></div>

8
presence/windows/index.md Normal file
View File

@@ -0,0 +1,8 @@
# Windows CMD Commands
Command that can be executed from the context of the CMD.exe prompt.
* [Config Commands](windows_cmd_config.md) - Commands that display information about the configuration of the victim.
* [Network Commands](windows_cmd_network.md) - Commands used for gathering information about the network settings and connections of a system.
* [Remote Acccess Commands](windows_cmd_remote.md) - Commands to remotely administer systems.

261
presence/windows/windows_cmd_config.md Normal file
View File

@@ -0,0 +1,261 @@
<!-- Code for collapse and expand -->
<script type="text/javascript">
$(document).ready(function() {
$('div.view').hide();
$('div.slide').click(function() {
$(this).next('div.view').slideToggle('fast');
return false;
});
});
</script>
# Windows CMD Config Commands
Commands that display information about the configuration of the victim and are usually executed from the context of the `cmd.exe` or `command.exe` prompt.
## Misc
### c:\windows\system32\gathernetworkinfo.vbs
* **Command**: `c:\windows\system32\gathernetworkinfo.vbs`
* **Command with arguments**: NA
* **Description**: **Windows 7 Only** Script included gathers data about the system and stores output in files in the `c:\windows\system32\config` directory. External link [here.](http://www.verboon.info/index.php/2011/06/the-gathernetworkinfo-vbs-script/)
* **Output**:
* NA
### echo
* **Command**: `echo`
* **Command with arguments**: `echo %COMSPEC%%`
* **Description**: Determine the location of the command line interpreter such as cmd.exe.
* **Output**:
* <div class="slide" style="cursor: pointer;"> **Windows 2008:** Show/Hide</div><div class="view"><code>C:\Users\johndoe>echo %COMSPEC%<br>C:\Windows\system32\cmd.exe</code></div>
### fsutil
* **Command**: `set`
* **Command with arguments**: `fsutil fsinfo drives`
* **Description**: **Must be ADMIN to run this.** Lists the current drives on the system.
* **Output**:
* <div class="slide" style="cursor: pointer;"> **Windows 2008:** Show/Hide</div><div class="view"><code>C:\Windows\system32>fsutil fsinfo drives<br><br>Drives: A:\ C:\ D:\</code></div>
### gpresult
* **Command**: `gpresult`
* **Command with arguments**: `gpresult /z`
* **Description**: Extremely verbose output of GPO (Group policy) settings as applied to the current system and user.
* **Output**:
* <div class="slide" style="cursor: pointer;"> **Windows 2008:** Show/Hide</div><div class="view"><code>C:\Users\johndoe>gpresult /z<br><br>Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0<br>Copyright (C) Microsoft Corp. 1981-2001<br><br>Created On 10/15/2013 at 7:02:05 PM<br><br><br>RSOP data for LAB\johndoe on WIN-0P19ULL2NB6 : Logging Mode<br>------------------------------------------------------------<br><br>OS Configuration: Primary Domain Controller<br>OS Version: 6.0.6002<br>Site Name: N/A<br>Roaming Profile: N/A<br>Local Profile: C:\Users\johndoe<br>Connected over a slow link?: No<br><br><br>USER SETTINGS<br>--------------<br> CN=johndoe,CN=Users,DC=lab,DC=sky,DC=net<br> Last time Group Policy was applied: 10/12/2013 at 6:20:23 PM<br> Group Policy was applied from: WIN-0P19ULL2NB6.lab.sky.net<br> Group Policy slow link threshold: 500 kbps<br> Domain Name: LAB<br> Domain Type: Windows 2000<br><br> Applied Group Policy Objects<br> -----------------------------<br> N/A<br><br> The following GPOs were not applied because they were filtered out<br> -------------------------------------------------------------------<br> Local Group Policy<br> Filtering: Not Applied (Empty)<br><br> Default Domain Policy<br> Filtering: Not Applied (Empty)<br><br> The user is a part of the following security groups<br> ---------------------------------------------------<br> Domain Users<br> Everyone<br> BUILTIN\Users<br> BUILTIN\Administrators<br> BUILTIN\Pre-Windows 2000 Compatible Access<br> NT AUTHORITY\INTERACTIVE<br> NT AUTHORITY\Authenticated Users<br> This Organization<br> LOCAL<br> High Mandatory Level<br><br> The user has the following security privileges<br> ----------------------------------------------<br><br><br> Resultant Set Of Policies for User<br> -----------------------------------</code></div>
### set
* **Command**: `set`
* **Command with arguments**: NA
* **Description**: Shows all current environmental variables. Specific ones to look for are USERDOMAIN, USERNAME, USERPROFILE, HOMEPATH, LOGONSERVER, COMPUTERNAME, APPDATA, and ALLUSERPROFILE.
* **Output**:
* <div class="slide" style="cursor: pointer;"> **Windows 2008:** Show/Hide</div><div class="view"><code>C:\Users\johndoe>set<br>ALLUSERSPROFILE=C:\ProgramData<br>APPDATA=C:\Users\johndoe\AppData\Roaming<br>CommonProgramFiles=C:\Program Files\Common Files<br>COMPUTERNAME=WIN-0P19ULL2NB6<br>ComSpec=C:\Windows\system32\cmd.exe<br>DFSTRACINGON=FALSE<br>FP_NO_HOST_CHECK=NO<br>HOMEDRIVE=C:<br>HOMEPATH=\Users\johndoe<br>LOCALAPPDATA=C:\Users\johndoe\AppData\Local<br>LOGONSERVER=\\WIN-0P19ULL2NB6<br>OS=Windows_NT<br>Path=C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem<br>PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC<br>PROCESSOR_ARCHITECTURE=x86<br>PROCESSOR_IDENTIFIER=x86 Family 6 Model 42 Stepping 7, GenuineIntel<br>PROCESSOR_LEVEL=6<br>PROCESSOR_REVISION=2a07<br>ProgramData=C:\ProgramData<br>ProgramFiles=C:\Program Files<br>PROMPT=$P$G<br>PUBLIC=C:\Users\Public<br>SESSIONNAME=Console<br>SystemDrive=C:<br>SystemRoot=C:\Windows<br>TEMP=C:\Users\johndoe\AppData\Local\Temp\1<br>TMP=C:\Users\johndoe\AppData\Local\Temp\1<br>TRACE_FORMAT_SEARCH_PATH=\\winseqfe\release\Windows6.0\lh_sp2rtm\6002.18005.090410-1830\x86fre\symbols.pri\TraceFormat<br>USERDNSDOMAIN=LAB.SKY.NET<br>USERDOMAIN=LAB<br>USERNAME=johndoe<br>USERPROFILE=C:\Users\johndoe<br>windir=C:\Windows</code></div>
### whoami
* **Command**: `whoami`
* **Command with arguments**: `whoami /all`
* **Description**: Lists information about the user you are currently logged in as. Helpful for showing what groups, sid and privileges of this user. Not available in all versions of Windows but is in Windows Vista and more recent. According to [Wikipedia](http://en.wikipedia.org/wiki/Whoami), this command can be added to Windows 2000 using the resource kit and is installed in Windows XP SP2 Support Tools.
* **Output**:
* <div class="slide" style="cursor: pointer;"> **Windows 2008:** Show/Hide</div><div class="view"><code>C:\Users\johndoe>whoami<br>lab\johndoe<br><br>C:\Users\johndoe>whoami/all<br><br>USER INFORMATION<br>----------------<br><br>User Name SID<br>=========== ===========================================<br>lab\johndoe S-1-5-21-60789211-843652525-1994898995-1001<br><br><br>GROUP INFORMATION<br>-----------------<br><br>Group Name Type SID Attributes<br>========================================== ================ ============ ==================================================<br>Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group<br>BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group<br>BUILTIN\Administrators Alias S-1-5-32-544 Group used for deny only<br>BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Group used for deny only<br>NT AUTHORITY\INTERACTIVE Well-known group S-1-5-4 Mandatory group, Enabled by default, Enabled group<br>NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group<br>NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group<br>LOCAL Well-known group S-1-2-0 Mandatory group, Enabled by default, Enabled group<br>Mandatory Label\Medium Mandatory Level Unknown SID type S-1-16-8192 Mandatory group, Enabled by default, Enabled group<br><br><br>PRIVILEGES INFORMATION<br>----------------------<br><br>Privilege Name Description State<br>============================= ==================================== ========<br>SeShutdownPrivilege Shut down the system Disabled<br>SeChangeNotifyPrivilege Bypass traverse checking Enabled<br>SeUndockPrivilege Remove computer from docking station Disabled<br>SeIncreaseWorkingSetPrivilege Increase a process working set Disabled<br>SeTimeZonePrivilege Change the time zone Disabled</code></div>
### systeminfo
* **Command**: `systeminfo`
* **Command with arguments**: NA
* **Description**:In computing, systeminfo.exe, a command-line utility shipped with Microsoft Windows versions from Windows XP onwards, produces summary output of Windows hardware/software operating-environment parameters.
* **Output**:
*<div class="slide" style="cursor: pointer;"> **Windows 2008:** Show/Hide</div><div class="view"><code>C:\Windows\system32>systeminfo<br><br>Host Name: ADMIN-PC<br>OS Name: Microsoft Windows 2008<br>OS Version: 6.1.7601 Service Pack 1 Build 7601<br>OS Manufacturer: Microsoft Corporation<br>OS Configuration: Standalone Workstation<br>OS Build Type: Multiprocessor Free<br>Registered Owner: johndoe<br>Registered Organization: <br>Product ID: 00426-OEM-8992662-00400<br>System Type: x64-based PC<br>Processor(s): 1 Processor(s) Installed.<br>...</code></div>
### type
* **Command**: `type`
* **Command with arguments**: `type %WINDIR%\System32\drivers\etc\hosts`
* **Description**: Show the contents of a file. In this case, you can get the system's host file which does the local translation of IP address to hostname. This file may contain important servers.
* **Output**:
* <div class="slide" style="cursor: pointer;"> **Windows 2008:** Show/Hide</div><div class="view"><code>C:\Users\johndoe>type %WINDIR%\System32\drivers\etc\hosts<br># Copyright (c) 1993-2006 Microsoft Corp.<br>#<br># This is a sample HOSTS file used by Microsoft TCP/IP for Windows.<br>#<br># This file contains the mappings of IP addresses to host names. Each<br># entry should be kept on an individual line. The IP address should<br># be placed in the first column followed by the corresponding host name.<br># The IP address and the host name should be separated by at least one<br># space.<br>#<br># Additionally, comments (such as these) may be inserted on individual<br># lines or following the machine name denoted by a '#' symbol.<br>#<br># For example:<br>#<br># 102.54.94.97 rhino.acme.com # source server<br># 38.25.63.10 x.acme.com # x client host<br><br>127.0.0.1 localhost<br>::1 localhost</code></div>
----
## Registry (reg)
For more information: http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/reg.mspx?mfr=true or http://www.petri.co.il/reg_command_in_windows_xp.htm
### Add
* **Command with arguments**: `reg add [\\TargetIPaddr\] [RegDomain\Key]`
* **Description**: Adds a key to target machine's registry. Replace [\\TargetIPaddr] with your target system, [RegDomain\Key] with the registry domain and key you'd like to insert.
* **Output**:
* NA
### Export
* **Command with arguments**: `reg export [RegDomain\Key] [OUTFILE]`
* **Description**: Exports a key to a file. Replace [RegDomain\Key] with the registry domain and key you'd like to insert and [OUTFILE] with the name of the file you would like to save the registry key in.
* **Output**:
* NA
### Import
* **Command with arguments**: `reg import [INFILE]`
* **Description**: Imports content to target machine's registry. Replace [INFILE] with the file that has the content you wish to insert.
* **Output**:
* NA
### Query (Local)
* **Command with arguments**: `reg query HKLM /s /d /f "C:\* *.exe" | find /I "C:\" | find /V """"`
* **Description**: Securely registered executables within the system registry.
* **Output**:
* <div class="slide" style="cursor: pointer;"> **Windows 2008:** Show/Hide</div><div class="view"><code>C:\Users\johndoe>reg query HKLM /s /d /f "C:\* *.exe" &#124; find /I "C:\" &#124; find /V """"<br> (Default) REG_SZ C:\Program Files\VMware\VMware Tools\TPVCGateway.exe<br> (Default) REG_SZ C:\Program Files\VMware\VMware Tools\VMwareCplLauncher.exe<br> (Default) REG_SZ C:\Program Files\Internet Explorer\iexplore.exe<br> LocalizedString REG_SZ @C:\Program Files\VMware\VMware Tools\VMwareHostOpen.exe,-1008<br> (Default) REG_SZ C:\Program Files\VMware\VMware Tools\VMwareHostOpen.exe,-101<br> (Default) REG_SZ C:\Program Files\Internet Explorer\IEXPLORE.EXE<br> (Default) REG_SZ C:\Program Files\VMware\VMware Tools\VMwareTray.exe<br> 627BF46A150AF194A92056AAE2EFA363 REG_SZ C:\Program Files\VMware\VMware Tools\rpctool.exe<br> 627BF46A150AF194A92056AAE2EFA363 REG_SZ C:\Program Files\VMware\VMware Tools\VMwareCplLauncher.exe<br> 627BF46A150AF194A92056AAE2EFA363 REG_SZ C:\Program Files\VMware\VMware Tools\VMwareToolboxCmd.exe<br> 627BF46A150AF194A92056AAE2EFA363 REG_SZ C:\Program Files\VMware\VMware Tools\unzip.exe<br> 627BF46A150AF194A92056AAE2EFA363 REG_SZ C:\Program Files\VMware\VMware Tools\vmtoolsd.exe<br> 627BF46A150AF194A92056AAE2EFA363 REG_SZ C:\Program Files\Common Files\VMware\Drivers\vss\comreg.exe</code></div>
### Query (Remote)
* **Command with arguments**: `reg query [\\TargetIPaddr\] [RegDomain\Key] /v [ValueName]`
* **Description**: Retrieves a key and value from target machine's registry. Replace [\\TargetIPaddr] with your target system, [RegDomain\Key] with the registry domain and key you'd like to query.
* **Output**:
* NA
### Save
* **Command with arguments**: `reg save [HIVE] [OUTFILE]`
* **Description**: **Must be run as an administrator.** Saves part of the registry to a file. Replace [HIVE] with HKLM\Security, HKLM\System, or HKLM\SAM and [OUTFILE] with the name of the file you would like to save the registry in.
* **Output**:
* <div class="slide" style="cursor: pointer;"> **Windows 2008:** Show/Hide</div><div class="view"><code>c:\temp>reg save HKLM\Security security.hive && dir<br>The operation completed successfully.<br> Volume in drive C has no label.<br> Volume Serial Number is 1A09-5F16<br> Directory of c:\temp<br>10/26/2013 11:17 PM <DIR> .<br>10/26/2013 11:17 PM <DIR> ..<br>10/26/2013 11:17 PM 32,768 security.hive<br> 1 File(s) 32,768 bytes<br> 2 Dir(s) 33,312,219,136 bytes free</code></div>
----
## sc
sc.exe retrieves and sets control information about services. You can use sc.exe for testing and debugging service programs. For more information: http://technet.microsoft.com/en-us/library/bb490995.aspx.
<div class="slide" style="cursor: pointer;">Help details can be found if you expand this section here: Show/Hide</div><div class="view"><code>C:\Users\tester>sc
DESCRIPTION:
SC is a command line program used for communicating with the
Service Control Manager and services.
USAGE:
sc <server> [command] [service name] <option1> <option2>...
The option <server> has the form "\\ServerName"
Further help on commands can be obtained by typing: "sc [command]"
Commands:
query-----------Queries the status for a service, or
enumerates the status for types of services.
queryex---------Queries the extended status for a service, or
enumerates the status for types of services.
start-----------Starts a service.
pause-----------Sends a PAUSE control request to a service.
interrogate-----Sends an INTERROGATE control request to a service.
continue--------Sends a CONTINUE control request to a service.
stop------------Sends a STOP request to a service.
config----------Changes the configuration of a service (persistent).
description-----Changes the description of a service.
failure---------Changes the actions taken by a service upon failure.
failureflag-----Changes the failure actions flag of a service.
sidtype---------Changes the service SID type of a service.
privs-----------Changes the required privileges of a service.
qc--------------Queries the configuration information for a service.
qdescription----Queries the description for a service.
qfailure--------Queries the actions taken by a service upon failure.
qfailureflag----Queries the failure actions flag of a service.
qsidtype--------Queries the service SID type of a service.
qprivs----------Queries the required privileges of a service.
qtriggerinfo----Queries the trigger parameters of a service.
qpreferrednode--Queries the preferred NUMA node of a service.
delete----------Deletes a service (from the registry).
create----------Creates a service. (adds it to the registry).
control---------Sends a control to a service.
sdshow----------Displays a service's security descriptor.
sdset-----------Sets a service's security descriptor.
showsid---------Displays the service SID string corresponding to an arbitrary name.
triggerinfo-----Configures the trigger parameters of a service.
preferrednode---Sets the preferred NUMA node of a service.
GetDisplayName--Gets the DisplayName for a service.
GetKeyName------Gets the ServiceKeyName for a service.
EnumDepend------Enumerates Service Dependencies.
The following commands don't require a service name:
sc <server> <command> <option>
boot------------(ok | bad) Indicates whether the last boot should
be saved as the last-known-good boot configuration
Lock------------Locks the Service Database
QueryLock-------Queries the LockStatus for the SCManager Database
EXAMPLE:
sc start MyService</code></div>
### Query Configuration
* **Command with arguments**: `sc qc [servicename]`
* **Description**: Queries the configuration information for a service. Things to look at here are the path to the executable, the start type (does it start at boot or on demand?), and service names.
* **Output**:
* <div class="slide" style="cursor: pointer;"> **Windows 2008:** Show/Hide</div><div class="view"><code> c:\Users\johndoe>sc qc browser
[SC] QueryServiceConfig SUCCESS<br>SERVICE_NAME: browser<br> TYPE : 20 WIN32_SHARE_PROCESS<br> START_TYPE : 4 DISABLED<br> ERROR_CONTROL : 1 NORMAL<br> BINARY_PATH_NAME : C:\Windows\System32\svchost.exe -k netsvcs<br> LOAD_ORDER_GROUP : NetworkProvider<br> TAG : 0<br> DISPLAY_NAME : Computer Browser<br> DEPENDENCIES : LanmanWorkstation<br> : LanmanServer<br>
SERVICE_START_NAME : LocalSystem</code></div>
### Query Status
* **Command with arguments**: `sc query [servicename]`
* **Description**: Queries the status for a service, or enumerates the status for types of services.
* **Output**:
* <div class="slide" style="cursor: pointer;"> **Windows 2008:** Show/Hide</div><div class="view"><code>C:\Users\johndoe>sc query browser<br><br>SERVICE_NAME: browser<br> TYPE : 20 WIN32_SHARE_PROCESS<br> STATE : 1 STOPPED<br> WIN32_EXIT_CODE : 1077 (0x435)<br> SERVICE_EXIT_CODE : 0 (0x0)<br> CHECKPOINT : 0x0<br> WAIT_HINT : 0x0</code></div>
### Query Status Extended
* **Command with arguments**: `sc queryex [servicename]`
* **Description**: Queries the status for a service, or enumerates the status for types of services.
* **Output**:
* <div class="slide" style="cursor: pointer;"> **Windows 2008:** Show/Hide</div><div class="view"><code>C:\Users\johndoe>sc queryex browser<br>
SERVICE_NAME: browser<br> TYPE : 20 WIN32_SHARE_PROCESS<br> STATE : 1 STOPPED<br> WIN32_EXIT_CODE : 1077 (0x435)<br> SERVICE_EXIT_CODE : 0 (0x0)<br> CHECKPOINT : 0x0<br> WAIT_HINT : 0x0<br> PID : 0<br> FLAGS :</code></div>
----
## wmi
According to Microsoft (http://msdn.microsoft.com/en-us/library/aa394531(v=vs.85).aspx), "the WMI command-line (WMIC) utility provides a command-line interface for WMI. WMIC is compatible with existing shells and utility commands." Additional information can also be found here https://isc.sans.edu/diary/Windows+Command-Line+Kung+Fu+with+WMIC/1229.
For some of these `wmic` commands that pull information (versus perform an action) you can add `list full` to the end and retrieve the data in a non-table format. Sometimes this view is easier to read. Using `list brief` shows less data. The examples below show several output formats.
### BIOS Information
* **Command with arguments**: `wmic bios [list full]`
* **Description**: Retrieves BIOS information including system serial number.
* **Output**:
* <div class="slide" style="cursor: pointer;"> **Windows 2008:** Show/Hide</div><div class="view"><code>C:\Users\johndoe>wmic bios list full<br><br><br>BiosCharacteristics={4,7,8,9,10,11,12,14,15,16,19,26,27,28,29,30,32,39,40,41,42,50,57,58}<br>BuildNumber=<br>CodeSet=<br>CurrentLanguage=<br>Description=PhoenixBIOS 4.0 Release 6.0<br>IdentificationCode=<br>InstallableLanguages=<br>InstallDate=<br>LanguageEdition=<br>ListOfLanguages=<br>Manufacturer=Phoenix Technologies LTD<br>Name=PhoenixBIOS 4.0 Release 6.0<br>OtherTargetOS=<br>PrimaryBIOS=TRUE<br>ReleaseDate=20120920000000.000000+000<br>SerialNumber=VMware-56 4d 8b 9d 3b a9 3a b4-a7 09 2d ff 09 9a e2 26<br>SMBIOSBIOSVersion=6.00<br>SMBIOSMajorVersion=2<br>SMBIOSMinorVersion=4<br>SMBIOSPresent=TRUE<br>SoftwareElementID=PhoenixBIOS 4.0 Release 6.0<br>SoftwareElementState=3<br>Status=OK<br>TargetOperatingSystem=0<br>Version=INTEL - 6040000</code></div>
### Disk Information
* **Command with arguments**: `wmic logicaldisk where drivetype=3 get name, freespace, systemname, filesystem, size, volumeserialnumber`
* **Description**: Retrieve information about the harddrive.
* **Output**:
* <div class="slide" style="cursor: pointer;"> **Windows 2008:** Show/Hide</div><div class="view"><code>C:\Users\johndoe>wmic logicaldisk where drivetype=3 get name, freespace, systemname, filesystem, size, volumeserialnumber<br>FileSystem FreeSpace Name Size SystemName VolumeSerialNumber<br>NTFS 33311481856 C: 42947571712 WIN-0P19ULL2NB6 1A095F16</code></div>
### Patch IDs
* **Command with arguments**: `wmic qfe get hotfixid`
* **Description**: Retrieves BIOS information including system serial number.
* **Output**:
* <div class="slide" style="cursor: pointer;"> **Windows 2008:** Show/Hide</div><div class="view"><code>C:\Users\johndoe>wmic qfe get hotfixid<br>HotFixID<br>KB955430</code></div>
### Process Create
* **Command with arguments**: `wmic process call create [EXECUTABLE]`
* **Description**: Launches an executable. Replace [EXECUTABLE] with the name of the executable you'd like to launch (for example: calc.exe). Do not include quotes around the value (for example: *DO* use calc.exe; do *NOT* use "calc.exe").
* **Output**:
* <div class="slide" style="cursor: pointer;"> **Windows 2008:** Show/Hide</div><div class="view"><code>C:\Users\johndoe>wmic process call create calc.exe<br>Executing (Win32_Process)->Create()<br>Method execution successful.<br>Out Parameters:<br>instance of __PARAMETERS<br>{<br> ProcessId = 1936;<br> ReturnValue = 0;<br>};</code></div>
### Process Information
* **Command with arguments**: `wmic process get caption,executablepath,commandline`
* **Description**: Retrieves process names, captions, executable paths and command line flags.
* **Output**:
* <div class="slide" style="cursor: pointer;"> **Windows 2008:** Show/Hide</div><div class="view"><code>C:\Users\johndoe>wmic process get caption,executablepath,commandline<br>Caption CommandLine ExecutablePath<br>System Idle Process<br>System<br>smss.exe<br>csrss.exe<br>[...SNIP...]<br>dllhost.exe<br>dwm.exe "C:\Windows\system32\Dwm.exe" C:\Windows\system32\Dwm.exe<br>taskeng.exe taskeng.exe {72464C44-C181-4387-A20A-569E0267D2AF} C:\Windows\system32\taskeng.exe<br>TPAutoConnect.exe TPAutoConnect.exe -q -i vmware -a COM1 -F 30 C:\Program Files\VMware\VMware Tools\TPAutoConnect.exe<br>explorer.exe C:\Windows\Explorer.EXE C:\Windows\Explorer.EXE<br>VMwareTray.exe "C:\Program Files\VMware\VMware Tools\VMwareTray.exe" C:\Program Files\VMware\VMware Tools\VMwareTray.exe<br>vmtoolsd.exe "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" -n vmusr C:\Program Files\VMware\VMware Tools\vmtoolsd.exe<br>cmd.exe "C:\Windows\System32\cmd.exe" C:\Windows\System32\cmd.exe<br>cmd.exe<br>TrustedInstaller.exe<br>WMIC.exe wmic process get caption,executablepath,commandline C:\Windows\System32\Wbem\WMIC.exe<br>WmiPrvSE.exe</code></div>
### Process Terminate
* **Command with arguments**: `wmic process where name="[PROCESS]" call terminate`
* **Description**: Terminates a process. Replace [PROCESS] with the name of the process you'd like to terminate and you *DO* need the quotes around it (for example: calc.exe).
* **Output**:
* <div class="slide" style="cursor: pointer;"> **Windows 2008:** Show/Hide</div><div class="view"><code>C:\Users\johndoe>wmic process where name="calc.exe" call terminate<br>Executing (\\WIN-0P19ULL2NB6\ROOT\CIMV2:Win32_Process.Handle="1936")->terminate()<br>Method execution successful.<br>Out Parameters:<br>instance of __PARAMETERS<br>{<br> ReturnValue = 0;<br>};</code></div>
### Service Information
* **Command with arguments**: `wmic service [list full]`
* **Description**: Retrieves ton of information about all the services installed on the system.
* **Output**:
* <div class="slide" style="cursor: pointer;"> **Windows 2008:** Show/Hide</div><div class="view"><code>C:\Users\johndoe>wmic service list full<br><br><br>AcceptPause=FALSE<br>AcceptStop=TRUE<br>Caption=Application Experience<br>CheckPoint=0<br>CreationClassName=Win32_Service<br>Description=Processes application compatibility cache requests for applications as they are launched<br>DesktopInteract=FALSE<br>DisplayName=Application Experience<br>ErrorControl=Normal<br>ExitCode=0<br>InstallDate=<br>Name=AeLookupSvc<br>PathName=C:\Windows\system32\svchost.exe -k netsvcs<br>ProcessId=1056<br>ServiceSpecificExitCode=0<br>ServiceType=Share Process<br>Started=TRUE<br>StartMode=Auto<br>StartName=localSystem<br>State=Running<br>Status=OK<br>SystemCreationClassName=Win32_ComputerSystem<br>SystemName=WIN-0P19ULL2NB6<br>TagId=0<br>WaitHint=0<br><br><br>AcceptPause=FALSE<br>AcceptStop=FALSE<br>Caption=Application Layer Gateway Service<br>CheckPoint=0<br>CreationClassName=Win32_Service<br>Description=Provides support for 3rd party protocol plug-ins for Internet Connection Sharing<br>DesktopInteract=FALSE<br>DisplayName=Application Layer Gateway Service<br>ErrorControl=Normal<br>ExitCode=1077<br>InstallDate=<br>Name=ALG<br>PathName=C:\Windows\System32\alg.exe<br>ProcessId=0<br>ServiceSpecificExitCode=0<br>ServiceType=Own Process<br>Started=FALSE<br>StartMode=Manual<br>StartName=NT AUTHORITY\LocalService<br>State=Stopped<br>Status=OK<br>SystemCreationClassName=Win32_ComputerSystem<br>SystemName=WIN-0P19ULL2NB6<br>TagId=0<br>WaitHint=0<br>[...Truncated for brevity...]</code></div>
### Share Information
* **Command with arguments**: `wmic share [list brief]`
* **Description**: Retrieve information about local shares.
* **Output**:
* <div class="slide" style="cursor: pointer;"> **Windows 2008:** Show/Hide</div><div class="view"><code>C:\Users\johndoe>wmic share list brief
Description Name Path
Remote Admin ADMIN$ C:\Windows
Default share C$ C:\
Remote IPC IPC$
Logon server share NETLOGON C:\Windows\SYSVOL\sysvol\lab.sky.net\SCRIPTS
Logon server share SYSVOL C:\Windows\SYSVOL\sysvol</code></div>
### Startup Items
* **Command with arguments**: `wmic startup [list brief]`
* **Description**: Shows startup items, which user runs them and full paths to the executables.
* **Output**:
* <div class="slide" style="cursor: pointer;"> **Windows 2008:** Show/Hide</div><div class="view"><code>C:\Users\johndoe>wmic startup list brief<br>Caption Command User<br>VMware Tools "C:\Program Files\VMware\VMware Tools\VMwareTray.exe" Public<br>VMware User Process "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" -n vmusr Public</code></div>
### User Information
* **Command with arguments**: `wmic useraccount [list full]`
* **Description**: Retrieve information about the user accounts on the system.
* **Output**:
* <div class="slide" style="cursor: pointer;"> **Windows 2008:** Show/Hide</div><div class="view"><code>C:\Users\johndoe>wmic useraccount list full<br><br><br>AccountType=512<br>Description=Built-in account for administering the computer/domain<br>Disabled=FALSE<br>Domain=LAB<br>FullName=<br>InstallDate=<br>LocalAccount=FALSE<br>Lockout=FALSE<br>Name=Administrator<br>PasswordChangeable=TRUE<br>PasswordExpires=TRUE<br>PasswordRequired=TRUE<br>SID=S-1-5-21-60789211-843652525-1994898995-500<br>SIDType=1<br>Status=OK<br><br><br>AccountType=512<br>Description=Key Distribution Center Service Account<br>Disabled=TRUE<br>Domain=LAB<br>FullName=<br>InstallDate=<br>LocalAccount=FALSE<br>Lockout=FALSE<br>Name=krbtgt<br>PasswordChangeable=TRUE<br>PasswordExpires=TRUE<br>PasswordRequired=TRUE<br>SID=S-1-5-21-60789211-843652525-1994898995-502<br>SIDType=1<br>Status=Degraded<br><br><br>AccountType=512<br>Description=<br>Disabled=FALSE<br>Domain=LAB<br>FullName=John Doe<br>InstallDate=<br>LocalAccount=FALSE<br>Lockout=FALSE<br>Name=johndoe<br>PasswordChangeable=TRUE<br>PasswordExpires=TRUE<br>PasswordRequired=TRUE<br>SID=S-1-5-21-60789211-843652525-1994898995-1001<br>SIDType=1<br>Status=OK<br></code></div>