# Windows CMD Network Commands

The Windows commands below help you gather information about the target system's network connections, devices and capabilities. They are usually run from a `cmd.exe` prompt. Most of them work from a standard user session; `netstat -b` and the `netsh firewall` / `netsh advfirewall` state changes need an elevated (Administrator) prompt. Most of the captures below were taken on a domain controller (`WIN-0P19ULL2NB6`, domain `lab.sky.net`), which is why domain-only commands such as `net group` succeed without `/domain`.

## ipconfig

### Retrieve Local DNS Cache Info

* **Command with arguments**: `ipconfig /displaydns`
* **Description**: Displays the system's local DNS resolver cache. Each entry shows the queried name, the numeric record type (1 = A, 28 = AAAA, 12 = PTR, 5 = CNAME, 33 = SRV), the remaining TTL in seconds and the record data. Entries that read `Name does not exist.` are negatively cached lookups; they still reveal which names the host tried to resolve (here SRV lookups for the `_ldap._tcp` service, the records a Windows host queries to locate a domain controller). The cache is cleared by `ipconfig /flushdns`, so dump it before doing anything that flushes it.
* **Output**:

```
C:\Users\johndoe>ipconfig /displaydns

Windows IP Configuration

    1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa
    ----------------------------------------
    Record Name . . . . . : 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa.
    Record Type . . . . . : 12
    Time To Live  . . . . : 86400
    Data Length . . . . . : 4
    Section . . . . . . . : Answer
    PTR Record  . . . . . : localhost

    1.0.0.127.in-addr.arpa
    ----------------------------------------
    Record Name . . . . . : 1.0.0.127.in-addr.arpa.
    Record Type . . . . . : 12
    Time To Live  . . . . : 86400
    Data Length . . . . . : 4
    Section . . . . . . . : Answer
    PTR Record  . . . . . : localhost

    _ldap._tcp.default-first-site-name._sites.win-0p19ull2nb6.lab.sky.net
    ----------------------------------------
    Name does not exist.

    _ldap._tcp.win-0p19ull2nb6.lab.sky.net
    ----------------------------------------
    Name does not exist.

    localhost
    ----------------------------------------
    Record Name . . . . . : localhost
    Record Type . . . . . : 1
    Time To Live  . . . . : 86400
    Data Length . . . . . : 4
    Section . . . . . . . : Answer
    A (Host) Record . . . : 127.0.0.1

    localhost
    ----------------------------------------
    Record Name . . . . . : localhost
    Record Type . . . . . : 28
    Time To Live  . . . . : 86400
    Data Length . . . . . : 16
    Section . . . . . . . : Answer
    AAAA Record . . . . . : ::1
```
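The dump above is more useful as data than as text. The Python below is an added example (not part of the original cheat sheet) that parses saved `ipconfig /displaydns` output into records, maps the numeric types, keeps the negative entries, and lists the names the host really looked up. The embedded `SAMPLE` is a constructed, abridged copy of the dump above; on a real host run `ipconfig /displaydns > dns.txt` and pass the file's contents to `parse_displaydns()`.

```python
"""Parse `ipconfig /displaydns` output into structured cache entries.

Added example for this page (not part of the original cheat sheet). SAMPLE is a
constructed, abridged copy of the dump shown above.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

RECORD_TYPES = {1: "A", 2: "NS", 5: "CNAME", 12: "PTR", 28: "AAAA", 33: "SRV"}  # DNS RR type numbers
SEPARATOR = re.compile(r"^-{10,}$")
# "Record Type . . . . . : 12"  ->  key "Record Type", value "12"
FIELD = re.compile(r"^([A-Za-z][A-Za-z0-9 ()]*?)\s*(?:\.\s*)+:\s*(.*)$")
LOCAL_SUFFIXES = ("localhost", ".in-addr.arpa", ".ip6.arpa")  # loopback / reverse-lookup noise


@dataclass
class CacheEntry:
    name: str                 # the cached query name
    rtype: Optional[str]      # "A", "AAAA", "PTR", ...; None for a negative entry
    ttl: Optional[int]        # seconds left before the entry expires
    data: Optional[str]       # address or target name; None for a negative entry
    negative: bool            # True for "Name does not exist." (negatively cached lookup)


def _entry(name: str, fields: Dict[str, str], negative: bool) -> CacheEntry:
    rtype = ttl = data = None
    if "Record Type" in fields:
        n = int(fields["Record Type"])
        rtype = RECORD_TYPES.get(n, f"TYPE{n}")
    if "Time To Live" in fields:
        ttl = int(fields["Time To Live"])
    for key, value in fields.items():
        if key.endswith("Record"):   # the data line is named after the type: "PTR Record", "AAAA Record"
            data = value
    return CacheEntry(name, rtype, ttl, data, negative)


def parse_displaydns(text: str) -> List[CacheEntry]:
    lines = [line.strip() for line in text.splitlines()]
    entries: List[CacheEntry] = []
    i = 0
    while i < len(lines):
        # Every entry starts with the query name on its own line, followed by a dashed rule.
        if lines[i] and i + 1 < len(lines) and SEPARATOR.match(lines[i + 1]):
            name = lines[i]
            i += 2
            fields: Dict[str, str] = {}
            negative = False
            while i < len(lines):
                if lines[i] == "Name does not exist.":
                    negative = True
                else:
                    m = FIELD.match(lines[i])
                    if not m:          # blank line or the next entry's name: entry is complete
                        break
                    fields[m.group(1).strip()] = m.group(2).strip()
                i += 1
            entries.append(_entry(name, fields, negative))
        else:
            i += 1
    return entries


def external_names(entries: List[CacheEntry]) -> List[str]:
    """Names the host actually looked up (positive or negative), minus loopback/reverse noise."""
    return sorted({e.name for e in entries if not e.name.endswith(LOCAL_SUFFIXES)})


# Constructed sample: an abridged copy of the `ipconfig /displaydns` capture on this page.
SAMPLE = r"""
C:\Users\johndoe>ipconfig /displaydns

Windows IP Configuration

    1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa
    ----------------------------------------
    Record Name . . . . . : 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa.
    Record Type . . . . . : 12
    Time To Live  . . . . : 86400
    PTR Record  . . . . . : localhost

    _ldap._tcp.default-first-site-name._sites.win-0p19ull2nb6.lab.sky.net
    ----------------------------------------
    Name does not exist.

    _ldap._tcp.win-0p19ull2nb6.lab.sky.net
    ----------------------------------------
    Name does not exist.

    localhost
    ----------------------------------------
    Record Name . . . . . : localhost
    Record Type . . . . . : 1
    Time To Live  . . . . : 86400
    A (Host) Record . . . : 127.0.0.1

    localhost
    ----------------------------------------
    Record Name . . . . . : localhost
    Record Type . . . . . : 28
    Time To Live  . . . . : 86400
    AAAA Record . . . . . : ::1
"""

if __name__ == "__main__":
    parsed = parse_displaydns(SAMPLE)
    for entry in parsed:
        print(entry)
    print("looked up:", external_names(parsed))
```

The parser keys off the layout alone (a name line, a dashed rule, then dotted `key : value` lines), so it copes with SRV entries and any extra fields without changes; `external_names()` is the list worth reading first, since it shows which internal hosts and services the machine has been talking to.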
### Display Full Configuration for All Adapters

* **Command with arguments**: `ipconfig /all`
* **Description**: Shows the host name, primary DNS suffix, node type and DNS suffix search list, then every adapter with its driver description, MAC address, DHCP state, IPv4/IPv6 addresses, subnet mask, default gateway, DNS servers and whether NetBIOS over TCP/IP is enabled. Read it for the domain the machine belongs to (`lab.sky.net`), the subnet to scan (192.168.10.0/24 through 192.168.10.1) and whether the host is virtual (the `00-0C-29` MAC prefix is a VMware OUI). DNS servers of `::1` / `127.0.0.1` mean the host runs its own DNS server, as domain controllers usually do. `NetBIOS over Tcpip: Enabled` means the host answers NetBIOS name queries on UDP 137, which matters for name-resolution poisoning.
* **Output**:

```
C:\Users\johndoe>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : WIN-0P19ULL2NB6
   Primary Dns Suffix  . . . . . . . : lab.sky.net
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : lab.sky.net
                                       sky.net

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
   Physical Address. . . . . . . . . : 00-0C-29-9A-E2-26
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::11bc:e019:25e5:916d%10(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.10.34(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.10.1
   DHCPv6 IAID . . . . . . . . . . . : 234884137
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-19-E6-78-04-00-0C-29-9A-E2-26
   DNS Servers . . . . . . . . . . . : ::1
                                       127.0.0.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter Local Area Connection* 8:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : isatap.{DDE3DF3D-3417-4EBF-BF66-73BD3A64FF26}
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
```
## arp

### Display the ARP Cache

* **Command with arguments**: `arp -a`
* **Description**: Lists the IPv4-to-MAC mappings the host has learned, per interface. Dynamic entries name machines this host has recently exchanged packets with on its own segment, so the cache is a quiet way to find live neighbours without sending a scan. Here only the static broadcast and multicast entries are present: the host has not talked to any other machine on 192.168.10.0/24 recently enough for a dynamic entry to survive. No elevation is needed.
* **Output**:

```
C:\Users\johndoe>arp -a

Interface: 192.168.10.34 --- 0xa
  Internet Address      Physical Address      Type
  192.168.10.255        ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
  224.0.0.252           01-00-5e-00-00-fc     static
```
## wmic

### List Domain Information

* **Command with arguments**: `wmic ntdomain list`
* **Description**: Queries the `Win32_NTDomain` WMI class, which describes the domain(s) the machine knows about: domain and forest DNS names, the domain controller's name and address, client site and the domain GUID. The capture below shows only the `DomainGuid` column; a narrower query such as `wmic ntdomain get DomainName,DnsForestName,DomainControllerName,DomainControllerAddress` prints the fields that matter for locating the DC. WMIC is deprecated in current Windows releases and may be absent; `Get-CimInstance Win32_NTDomain` in PowerShell returns the same class.
* **Output**:

```
C:\Users\johndoe>wmic ntdomain list
DomainGuid
{CD5C2FE3-5AFE-459D-804E-A81B49066CAD}
```
## net

### Show Password and Lockout Policy

* **Command with arguments**: `net accounts` (add `/domain` on a domain member to read the domain policy from the DC)
* **Description**: Shows the password policy (minimum and maximum age, minimum length, history depth) and the account lockout policy (threshold, lockout duration, observation window), plus the computer role. Read it before any password guessing: `Lockout threshold: Never` means failed logons never lock an account, so a password spray carries no lockout risk (it is still logged). A threshold of N means at most N-1 failures per account inside one observation window. `Computer role: PRIMARY` is what a domain controller reports; a non-DC shows WORKSTATION or SERVER.
* **Output**:

```
C:\Users\johndoe>net accounts
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          1
Maximum password age (days):                          42
Minimum password length:                              7
Length of password history maintained:                24
Lockout threshold:                                    Never
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
Computer role:                                        PRIMARY
The command completed successfully.
```
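The lockout fields above decide how aggressive a password spray can be. The Python below is an added example (not from the original page) that parses `net accounts` output and works out how many guesses per account fit inside one observation window without reaching the threshold, and how many rounds a password list needs. Both samples are constructed: `SAMPLE_DC` copies the output above (no lockout at all), `SAMPLE_HARDENED` is a hypothetical policy with a threshold of 5, included to show the arithmetic.

```python
"""Turn `net accounts` output into a password-spray budget.

Added example for this page, not part of the original cheat sheet. SAMPLE_DC is a
constructed copy of the capture above; SAMPLE_HARDENED is a hypothetical policy.
"""
import math
import re
from dataclasses import dataclass
from typing import Dict, Optional

PROMPT = re.compile(r"^[A-Za-z]:\\")     # the echoed "C:\Users\...>net accounts" line


@dataclass
class LockoutPolicy:
    threshold: Optional[int]      # failed logons before lockout; None when "Never"
    duration_min: Optional[int]   # minutes an account stays locked; None when "Never" (manual unlock)
    window_min: int               # minutes after which the failure counter resets
    min_length: int
    max_age_days: Optional[int]   # None when "Unlimited"


def parse_net_accounts(text: str) -> Dict[str, str]:
    """Split the 'Key: value' lines; the prompt and the status line are skipped."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or PROMPT.match(line) or ":" not in line:
            continue
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return fields


def _num(value: str) -> Optional[int]:
    return None if value.lower() in ("never", "unlimited", "none") else int(value)


def lockout_policy(fields: Dict[str, str]) -> LockoutPolicy:
    return LockoutPolicy(
        threshold=_num(fields["Lockout threshold"]),
        duration_min=_num(fields["Lockout duration (minutes)"]),
        window_min=int(fields["Lockout observation window (minutes)"]),
        min_length=int(fields["Minimum password length"]),
        max_age_days=_num(fields["Maximum password age (days)"]),
    )


def guesses_per_window(policy: LockoutPolicy, margin: int = 1) -> Optional[int]:
    """Attempts per account inside one observation window that stay under the
    threshold. None means no lockout is configured: the only limit is log noise."""
    if policy.threshold is None:
        return None
    return max(policy.threshold - margin, 0)


def spray_plan(policy: LockoutPolicy, n_passwords: int, margin: int = 1) -> Dict[str, Optional[int]]:
    """Rounds needed to try n_passwords against every account, and the total minutes
    of waiting between rounds. The wait assumes each round finishes quickly, because
    the counter resets window_min minutes after the *last* failed attempt."""
    per_round = guesses_per_window(policy, margin)
    if per_round is None:
        return {"per_round": None, "rounds": 1, "wait_minutes": 0}
    if per_round == 0:
        raise ValueError("lockout threshold too low for the chosen safety margin")
    rounds = math.ceil(n_passwords / per_round)
    return {"per_round": per_round, "rounds": rounds,
            "wait_minutes": (rounds - 1) * policy.window_min}


# Constructed sample: copy of the `net accounts` capture on this page (no lockout).
SAMPLE_DC = r"""
C:\Users\johndoe>net accounts
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          1
Maximum password age (days):                          42
Minimum password length:                              7
Length of password history maintained:                24
Lockout threshold:                                    Never
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
Computer role:                                        PRIMARY
The command completed successfully.
"""
# Constructed, hypothetical hardened policy, to show the lockout arithmetic.
SAMPLE_HARDENED = r"""
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          1
Maximum password age (days):                          Unlimited
Minimum password length:                              14
Length of password history maintained:                24
Lockout threshold:                                    5
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
Computer role:                                        WORKSTATION
The command completed successfully.
"""

if __name__ == "__main__":
    for label, sample in (("DC", SAMPLE_DC), ("hardened", SAMPLE_HARDENED)):
        pol = lockout_policy(parse_net_accounts(sample))
        print(label, pol, spray_plan(pol, n_passwords=10))
```

With the page's policy `spray_plan()` reports a single round and no waiting; with the hardened one, ten passwords need three rounds of four guesses with 30-minute pauses in between. A margin of 2 is common in practice because users' own mistyped logons count towards the same threshold.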
### List Members of a Domain Group

* **Command with arguments**: `net group "domain admins"` (`net group "domain admins" /domain` from a domain member)
* **Description**: Lists the members of a global (domain) group. Without `/domain` the command only works on a domain controller, which is the case here; on a workstation it fails with an error saying it can be used only on a domain controller. Running it without a group name lists every global group. Only the built-in `Administrator` account is a Domain Admin in this domain.
* **Output**:

```
C:\Users\johndoe>net group "domain admins"
Group name     Domain Admins
Comment        Designated administrators of the domain

Members

-------------------------------------------------------------------------------
Administrator
The command completed successfully.
```
### List Members of a Local Group

* **Command with arguments**: `net localgroup administrators`
* **Description**: Lists the members of a local group, here the built-in Administrators group; domain groups nested inside it appear by name. Because this host is a domain controller, its Administrators group is the domain's built-in Administrators group, so `johndoe` (the current user) being listed next to `Domain Admins` and `Enterprise Admins` means the session already has administrative rights over the DC. Running it without a group name lists all local groups.
* **Output**:

```
C:\Users\johndoe>net localgroup administrators
Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
Domain Admins
Enterprise Admins
johndoe
The command completed successfully.
```
### List Shared Resources

* **Command with arguments**: `net share`
* **Description**: Lists the shares this host exposes over SMB with the local path behind each one. `C$`, `ADMIN$` and `IPC$` are the hidden administrative shares present on every Windows host. `NETLOGON` and `SYSVOL` exist only on domain controllers: they hold logon scripts and Group Policy and are readable by every domain user, so their contents are worth reviewing for hard-coded credentials and configuration. `net view \\host` is the matching command for listing another host's shares.
* **Output**:

```
C:\Users\johndoe>net share

Share name   Resource                                        Remark

-------------------------------------------------------------------------------
C$           C:\                                             Default share
IPC$                                                         Remote IPC
ADMIN$       C:\Windows                                      Remote Admin
NETLOGON     C:\Windows\SYSVOL\sysvol\lab.sky.net\SCRIPTS    Logon server share
SYSVOL       C:\Windows\SYSVOL\sysvol                        Logon server share
The command completed successfully.
```
### List User Accounts

* **Command with arguments**: `net user` (`net user /domain` on a domain member)
* **Description**: Lists the accounts in the local SAM or, on a domain controller, the domain's user accounts. The `krbtgt` account (the Kerberos ticket-granting service account) only exists in a domain, so its presence confirms this is the domain user list.
* **Output**:

```
C:\Users\johndoe>net user

User accounts for \\WIN-0P19ULL2NB6

-------------------------------------------------------------------------------
Administrator            Guest                    johndoe
krbtgt
The command completed successfully.
```
### Show Details of a User Account

* **Command with arguments**: `net user johndoe` (`net user johndoe /domain` on a domain member)
* **Description**: Shows one account's status, password timestamps (last set, expiry, earliest change), whether a password is required, logon restrictions (workstations, hours, expiry), logon script and home directory, last logon time, and its local and global group memberships. The password dates tell you how old the credential is and when the 42-day maximum age from `net accounts` will force a change; the group lines (`*Administrators`, `*Domain Users`) are the quickest check of what a compromised account can do.
* **Output**:

```
C:\Users\johndoe>net user johndoe
User name                    johndoe
Full Name                    John Doe
Comment
User's comment
Country code                 000 (System Default)
Account active               Yes
Account expires              Never

Password last set            10/10/2013 8:57:02 PM
Password expires             11/21/2013 8:57:02 PM
Password changeable          10/11/2013 8:57:02 PM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   10/15/2013 6:53:42 PM

Logon hours allowed          All

Local Group Memberships      *Administrators       *Users
Global Group memberships     *Domain Users
The command completed successfully.
```
## netsh

### Show Network Diagnostics Summary

* **Command with arguments**: `netsh diag show all`
* **Description**: Dumps the network diagnostics view: configured mail, news and proxy clients, the loopback address, computer name, operating system and version, modems, network adapters and installed network clients. The `diag` context exists only on Windows XP and Server 2003 and was removed in Windows Vista, so this capture (Windows XP Professional 5.1.2600, host `OJ-75E3B8CC9475`) comes from a different machine than the rest of this page. The VMware adapters and the "VMware Shared Folders" client show that host is a virtual machine.
* **Output**:

```
C:\Users\johndoe>netsh diag show all

    Default Outlook Express Mail (Not Configured)
    Default Outlook Express News (Not Configured)
    Internet Explorer Web Proxy (Not Configured)
    Loopback (127.0.0.1)
    Computer System (OJ-75E3B8CC9475)
    Operating System (Microsoft Windows XP Professional)
    Version (5.1.2600)
    Modems
    Network Adapters
        1. [00000001] VMware Accelerated AMD PCNet Adapter
        2. [00000010] VMware Accelerated AMD PCNet Adapter
    Network Clients
        1. VMware Shared Folders
        2. Microsoft Terminal Services
        3. Microsoft Windows Network
        4. Web Client Network
```
### Enable or Disable the Windows Firewall

* **Command with arguments**: `netsh firewall set opmode enable` / `netsh firewall set opmode disable`
* **Description**: Turns the built-in firewall on or off for the current profile; both need an elevated prompt. The `firewall` context is the Windows XP / Server 2003 interface. On Windows Vista and later it is kept only for compatibility and the supported equivalent is `netsh advfirewall set allprofiles state on|off` (check the current state first with `netsh advfirewall show allprofiles`). Disabling the firewall is a visible, logged configuration change; when you only need one port reachable, add a specific rule with `netsh advfirewall firewall add rule` instead. On XP / 2003 the commands simply report `Ok.`:
* **Output**:

```
C:\Users\johndoe>netsh firewall set opmode enable
Ok.

C:\Users\johndoe>netsh firewall set opmode disable
Ok.
```
On Windows Vista and later the same commands still succeed but warn that the context is deprecated:

```
C:\Users\johndoe>netsh firewall set opmode enable

IMPORTANT: Command executed successfully.
However, "netsh firewall" is deprecated;
use "netsh advfirewall firewall" instead.
For more information on using "netsh advfirewall firewall" commands
instead of "netsh firewall", see KB article 947709
at http://go.microsoft.com/fwlink/?linkid=121488 .

Ok.

C:\Users\johndoe>netsh firewall set opmode disable

IMPORTANT: Command executed successfully.
However, "netsh firewall" is deprecated;
use "netsh advfirewall firewall" instead.
For more information on using "netsh advfirewall firewall" commands
instead of "netsh firewall", see KB article 947709
at http://go.microsoft.com/fwlink/?linkid=121488 .

Ok.
```
## netstat

### Find Sockets Involving Port 445 with Owning PID

* **Command with arguments**: `netstat -nabo | findstr /I 445`
* **Description**: `-n` keeps addresses and ports numeric, `-a` includes listening sockets, `-b` adds the owning executable (this switch needs an elevated prompt, hence the `C:\Windows\system32` prompt in the capture) and `-o` adds the PID. The pipe into `findstr /I 445` keeps every line that contains the digits `445` anywhere, which is why the UDP sockets on ephemeral ports 62445, 63445, 49445, 64445, 64450 and 64451 (all owned by PID 1756, the process that also owns port 53 below) show up next to the real SMB listener on TCP 445 (PID 4, the System process), and why the `-b` executable lines are dropped. To match the port exactly, search for the colon and a trailing space: `findstr /C:":445 "`.
* **Output**:

```
C:\Windows\system32>netstat -nabo | findstr /I 445
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    [::]:445               [::]:0                 LISTENING       4
  UDP    0.0.0.0:62445          *:*                                    1756
  UDP    0.0.0.0:63445          *:*                                    1756
  UDP    [::]:49445             *:*                                    1756
  UDP    [::]:64445             *:*                                    1756
  UDP    [::]:64450             *:*                                    1756
  UDP    [::]:64451             *:*                                    1756
```
### Check Whether SMB (445) Is Listening

* **Command with arguments**: `netstat -na | findstr :445`
* **Description**: The same check without `-b` and `-o`, so it runs without elevation but shows no PID. Including the colon avoids matching ephemeral ports that merely contain `445`, although `:445` still matches ports 4450-4459; `findstr /C:":445 "` is exact. Two listeners (the IPv4 and IPv6 wildcard addresses) mean SMB is reachable on every address of the host.
* **Output**:

```
C:\Users\johndoe>netstat -na | findstr :445
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    [::]:445               [::]:0                 LISTENING
```
### List All Listening TCP Ports with Owning PID

* **Command with arguments**: `netstat -nao | findstr /I listening`
* **Description**: Lists every TCP socket in the LISTENING state with its PID (UDP sockets have no state, so the filter removes them). Resolve a PID with `tasklist /svc /FI "PID eq 592"`. The port set is a fingerprint of the host's role: Kerberos (88), LDAP (389), kpasswd (464), LDAPS (636) and Global Catalog (3268/3269) all on PID 592 (`lsass.exe`) identify a domain controller; TCP 53 on PID 1756 is the DNS server; 3389 is RDP; 135 and 593 are the RPC endpoint mapper and RPC over HTTP; 139 and 445 are NetBIOS session and SMB; 49152 and above are dynamic RPC ports. The capture is cut off after `[::]:636`.
* **Output**:

```
C:\Users\johndoe>netstat -nao | findstr /I listening
  TCP    0.0.0.0:88             0.0.0.0:0              LISTENING       592
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       908
  TCP    0.0.0.0:389            0.0.0.0:0              LISTENING       592
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:464            0.0.0.0:0              LISTENING       592
  TCP    0.0.0.0:593            0.0.0.0:0              LISTENING       908
  TCP    0.0.0.0:636            0.0.0.0:0              LISTENING       592
  TCP    0.0.0.0:3268           0.0.0.0:0              LISTENING       592
  TCP    0.0.0.0:3269           0.0.0.0:0              LISTENING       592
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1208
  TCP    0.0.0.0:49152          0.0.0.0:0              LISTENING       500
  TCP    0.0.0.0:49153          0.0.0.0:0              LISTENING       984
  TCP    0.0.0.0:49154          0.0.0.0:0              LISTENING       1056
  TCP    0.0.0.0:49156          0.0.0.0:0              LISTENING       592
  TCP    0.0.0.0:49157          0.0.0.0:0              LISTENING       592
  TCP    0.0.0.0:49158          0.0.0.0:0              LISTENING       592
  TCP    0.0.0.0:49161          0.0.0.0:0              LISTENING       1804
  TCP    0.0.0.0:49169          0.0.0.0:0              LISTENING       1756
  TCP    0.0.0.0:49170          0.0.0.0:0              LISTENING       580
  TCP    127.0.0.1:53           0.0.0.0:0              LISTENING       1756
  TCP    192.168.10.34:53       0.0.0.0:0              LISTENING       1756
  TCP    192.168.10.34:139      0.0.0.0:0              LISTENING       4
  TCP    [::]:88                [::]:0                 LISTENING       592
  TCP    [::]:135               [::]:0                 LISTENING       908
  TCP    [::]:389               [::]:0                 LISTENING       592
  TCP    [::]:445               [::]:0                 LISTENING       4
  TCP    [::]:464               [::]:0                 LISTENING       592
  TCP    [::]:593               [::]:0                 LISTENING       908
  TCP    [::]:636               [::]:0                 LISTENING       592
```
### List Listening Sockets with Owning Executable

* **Command with arguments**: `netstat -nabo`
* **Description**: The same listing with `-b`, which prints the owning executable in brackets after each socket and, for sockets owned by a `svchost.exe` instance, the hosted service name on the line before it (`RpcSs` for the RPC endpoint mapper on 135 and 593). `-b` requires an elevated prompt. PID 4 is the System process (the kernel-mode SMB server owns 445), for which netstat cannot resolve an image, hence `Can not obtain ownership information`. The capture is truncated after the 3389 entry.
* **Output**:

```
C:\Windows\system32>netstat -nabo

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:88             0.0.0.0:0              LISTENING       592
 [lsass.exe]
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       908
  RpcSs
 [svchost.exe]
  TCP    0.0.0.0:389            0.0.0.0:0              LISTENING       592
 [lsass.exe]
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
 Can not obtain ownership information
 x: Windows Sockets initialization failed: 5
  TCP    0.0.0.0:464            0.0.0.0:0              LISTENING       592
 [lsass.exe]
  TCP    0.0.0.0:593            0.0.0.0:0              LISTENING       908
  RpcSs
 [svchost.exe]
  TCP    0.0.0.0:636            0.0.0.0:0              LISTENING       592
 [lsass.exe]
  TCP    0.0.0.0:3268           0.0.0.0:0              LISTENING       592
 [lsass.exe]
  TCP    0.0.0.0:3269           0.0.0.0:0              LISTENING       592
 [lsass.exe]
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1208
  Dnscache
```
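The `netstat` listings above (`-nao`, `-nabo` and the `findstr` filters) are more useful as a per-process map than as raw text. The Python below is an added example (not part of the original cheat sheet) that parses either form, attaches the `-b` executable and service lines to the socket they follow, groups listening TCP ports by PID, annotates well-known ports and tags the role the port set implies. `SAMPLE` is a constructed listing: the `netstat -nabo` lines above minus two entries, the two UDP lines from the port 445 filter, and an assumed `TermService` / `svchost.exe` owner for 3389 in place of the truncated capture.

```python
"""Parse `netstat -nao` / `netstat -nabo` output into sockets grouped by owning PID.

Added example for this page, not part of the original cheat sheet. SAMPLE is a
constructed listing based on the captures above; the 3389 owner is assumed.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Well-known Windows server ports, for annotating the listing.
KNOWN_PORTS = {
    53: "DNS", 88: "Kerberos", 135: "RPC endpoint mapper", 139: "NetBIOS session",
    389: "LDAP", 445: "SMB", 464: "Kerberos kpasswd", 593: "RPC over HTTP",
    636: "LDAPS", 3268: "Global Catalog", 3269: "Global Catalog (SSL)",
    3389: "RDP", 5985: "WinRM",
}
#   TCP    0.0.0.0:88    0.0.0.0:0    LISTENING    592     (state and PID are optional)
SOCKET_LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+([A-Z_]+))?(?:\s+(\d+))?\s*$")
EXE_LINE = re.compile(r"^\s*\[(.+?)\]\s*$")            # " [lsass.exe]"  (-b output)
SERVICE_LINE = re.compile(r"^\s*([A-Za-z0-9_]+)\s*$")  # " RpcSs": a service hosted in svchost


@dataclass
class Socket:
    proto: str
    local_addr: str
    port: int
    foreign: str
    state: Optional[str]                                # None for UDP
    pid: Optional[int]                                  # None when -o was not given
    exe: Optional[str] = None                           # owning executable (-b)
    services: List[str] = field(default_factory=list)  # svchost-hosted service names (-b)
    notes: List[str] = field(default_factory=list)     # e.g. "Can not obtain ownership information"


def parse_netstat(text: str) -> List[Socket]:
    sockets: List[Socket] = []
    for raw in text.splitlines():
        m = SOCKET_LINE.match(raw)
        if m:
            proto, local, port, foreign, state, pid = m.groups()
            sockets.append(Socket(proto, local, int(port), foreign, state, int(pid) if pid else None))
            continue
        if not sockets or not raw.strip():
            continue                     # column headers before the first socket, blank lines
        cur = sockets[-1]                # with -b, the lines after a socket describe its owner
        em, sm = EXE_LINE.match(raw), SERVICE_LINE.match(raw)
        if em:
            cur.exe = em.group(1)
        elif sm:
            cur.services.append(sm.group(1))
        else:
            cur.notes.append(raw.strip())
    return sockets


def listening_tcp_by_pid(sockets: List[Socket]) -> Dict[Optional[int], List[Socket]]:
    by_pid: Dict[Optional[int], List[Socket]] = defaultdict(list)
    for s in sockets:
        if s.proto == "TCP" and s.state == "LISTENING":
            by_pid[s.pid].append(s)
    return dict(by_pid)


def role_tags(sockets: List[Socket]) -> Set[str]:
    """What the set of listening TCP ports says about the host."""
    ports = {s.port for s in sockets if s.proto == "TCP" and s.state == "LISTENING"}
    tags = {name for port, name in ((445, "smb"), (3389, "rdp"), (53, "dns-server"), (5985, "winrm"))
            if port in ports}
    if {88, 389, 445} <= ports:          # Kerberos + LDAP + SMB together: a domain controller
        tags.add("domain-controller")
    return tags


def describe(s: Socket) -> str:
    owner = s.exe or "?"
    if s.services:
        owner += " (" + ", ".join(s.services) + ")"
    return f"{s.proto} {s.local_addr}:{s.port} {KNOWN_PORTS.get(s.port, '-')} pid={s.pid} owner={owner}"


# Constructed sample based on the `netstat -nabo` capture above (3389 owner assumed).
SAMPLE = r"""
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:88             0.0.0.0:0              LISTENING       592
 [lsass.exe]
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       908
  RpcSs
 [svchost.exe]
  TCP    0.0.0.0:389            0.0.0.0:0              LISTENING       592
 [lsass.exe]
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
 Can not obtain ownership information
  TCP    0.0.0.0:464            0.0.0.0:0              LISTENING       592
 [lsass.exe]
  TCP    0.0.0.0:636            0.0.0.0:0              LISTENING       592
 [lsass.exe]
  TCP    0.0.0.0:3268           0.0.0.0:0              LISTENING       592
 [lsass.exe]
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1208
  TermService
 [svchost.exe]
  UDP    0.0.0.0:62445          *:*                                    1756
  UDP    [::]:49445             *:*                                    1756
"""

if __name__ == "__main__":
    socks = parse_netstat(SAMPLE)
    for pid, lst in sorted(listening_tcp_by_pid(socks).items(), key=lambda kv: kv[0] or 0):
        print(pid, [describe(s) for s in lst])
    print("tags:", role_tags(socks))
```

Feed it `netstat -nabo > ports.txt` taken from an elevated prompt and the per-PID view replaces the `tasklist` lookups; the same parser accepts `netstat -nao` output, in which case `exe` and `services` stay empty.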
### Display the Routing Table

* **Command with arguments**: `netstat -r` (same output as `route print`)
* **Description**: Prints the interface list (index, MAC address, adapter name), the active and persistent IPv4 routes, and the IPv6 routes. Look for networks beyond the local subnet and the default route: a route to another subnet through a specific gateway, or a VPN or second NIC in the interface list, points at networks this host can reach that a scan from outside cannot. Here there is only the local /24 and a persistent default route through 192.168.10.1 (persistent routes survive reboots and are added with `route -p add`). The ISATAP and Teredo entries are IPv6 transition pseudo-interfaces with nothing routed through them.
* **Output**:

```
C:\Users\johndoe>netstat -r
===========================================================================
Interface List
 10 ...00 0c 29 9a e2 26 ...... Intel(R) PRO/1000 MT Network Connection
  1 ........................... Software Loopback Interface 1
 12 ...00 00 00 00 00 00 00 e0  isatap.{DDE3DF3D-3417-4EBF-BF66-73BD3A64FF26}
 11 ...02 00 54 55 4e 01 ...... Teredo Tunneling Pseudo-Interface
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     192.168.10.1    192.168.10.34    266
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
     192.168.10.0    255.255.255.0         On-link     192.168.10.34    266
    192.168.10.34  255.255.255.255         On-link     192.168.10.34    266
   192.168.10.255  255.255.255.255         On-link     192.168.10.34    266
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link     192.168.10.34    266
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link     192.168.10.34    266
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
          0.0.0.0          0.0.0.0     192.168.10.1  Default
===========================================================================

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
  1    306 ::1/128                  On-link
 10    266 fe80::/64                On-link
 10    266 fe80::11bc:e019:25e5:916d/128
                                    On-link
  1    306 ff00::/8                 On-link
 10    266 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None
```