Windows Hackers Command Reference

Windows Command Reference for Pen-testers

This part of the blog is dedicated to Windows commands that can be used by Penetration Testers (yeah, who is your tester?) and Information Security Administrators. On this page I will periodically post tiny, simple Windows scripts and commands that a Penetration Tester or a Security Administrator can use to:

1. Perform security administration tasks (e.g. patch enforcement, silently uninstalling software, etc.).
2. Run vulnerability scans (e.g. identify null sessions, test for LANMAN services, etc.).
3. Pivot (e.g. after compromising a machine, use the built-in Windows tools to escalate, etc.).

Test for installed patches 

In order to run WMIC you just open up a command prompt and type wmic, and you immediately get an interactive command shell with root-level access.

Identifying the Windows security patches using WMIC
  1. wmic qfe get description,installedOn
Note: This produces a long list of Windows patches with the date each one was installed and writes the results to stdout. That way you know exactly how to attack the workstation or what remediation it needs.
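Turning that patch list into a compliance check, as an added example that is not part of the original post: PowerShell parses the CSV form of the same wmic query and reports missing KBs and patch age. The hostname, KB numbers and dates are constructed placeholders, and the date column is assumed to be in M/d/yyyy form, as wmic prints it on an English locale.

```powershell
# Added example, not from the original post. Parses the CSV form of
# "wmic qfe get HotFixID,InstalledOn /format:csv" (header row Node,HotFixID,
# InstalledOn) and checks it against a required-KB list. Sample data and KB
# numbers are constructed placeholders.
$sample = @'

Node,HotFixID,InstalledOn
WS01,KB5000001,1/14/2020
WS01,KB5000002,3/10/2021
'@

$requiredKBs = @('KB5000001', 'KB5000002', 'KB5000003')

function ConvertFrom-WmicQfe {
    param([string[]]$Lines)
    # wmic prints a blank line before the header; drop blank lines so
    # ConvertFrom-Csv sees the header row first
    $Lines | Where-Object { $_.Trim() } | ConvertFrom-Csv
}

function Test-PatchCompliance {
    param([object[]]$Hotfixes, [string[]]$Required, [int]$MaxAgeDays = 60)
    $installed = @($Hotfixes.HotFixID)
    $missing   = @($Required | Where-Object { $installed -notcontains $_ })
    # the [datetime] cast uses the invariant culture (M/d/yyyy); some entries
    # have an empty InstalledOn, so skip those before casting
    $newest = $Hotfixes.InstalledOn | Where-Object { $_ } |
              ForEach-Object { [datetime]$_ } | Sort-Object -Descending |
              Select-Object -First 1
    $age = [int]((Get-Date) - $newest).TotalDays
    [pscustomobject]@{
        Node        = $Hotfixes[0].Node
        Missing     = $missing
        NewestPatch = $newest
        DaysSince   = $age
        Compliant   = ($missing.Count -eq 0) -and ($age -le $MaxAgeDays)
    }
}

$hotfixes = ConvertFrom-WmicQfe -Lines ($sample -split "`r?`n")
Test-PatchCompliance -Hotfixes $hotfixes -Required $requiredKBs
```

On a live host feed it the real command instead of the sample: ConvertFrom-WmicQfe -Lines (wmic qfe get HotFixID,InstalledOn /format:csv).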

Identifying windows services
  1. sc query type= service (running services)
  2. sc query type= service state= inactive (exist but don't run)
  3. sc query type= service state= all (running and not running)
Identifying windows startup programs 

These commands report the startup programs:
  1. wmic startup
  2. wmic startup list full
  3. wmic startup list brief
  4. wmic startup list system
Note: These commands produce a list of all startup programs along with their registry keys, a program description and the program name; the options shown above vary the amount of output. Very useful when doing malware behavioural analysis.
  1. wmic /node:machinename startup list full
  2. wmic STARTUP GET Caption, Command, User
Note: Remotely list startup apps (the /node: switch runs the query against the named machine).

Identifying windows network cards 

WMIC can also give you lots of information about the network cards and drivers:
  1. wmic nicconfig list
Note: Lists all network adapters (drivers) and their configuration.
  1. wmic nicconfig where IPEnabled='true'
Note: Lists only the adapters that have IP enabled, i.e. the IP interfaces.
  1. wmic nicconfig where index=9 call enablestatic(""), ("")
Note: Sets a static IP address on the adapter with index 9 (the first quoted value is the address, the second the subnet mask).
  1. wmic nicconfig where index=9 call setgateways("", ""),(1,2)
Note: Changes the default gateways of the adapter with index 9 (the first list holds the gateway addresses, the second their cost metrics).
  1. wmic nicconfig where index=9 call enabledhcp
Note: Enables DHCP on that adapter.
  1. wmic service where caption="DHCP Client" call changestartmode "Disabled"
  2. wmic service where caption="DHCP Client" call changestartmode "Automatic"
  3. wmic service where caption="DHCP Client" call changestartmode "Manual"
Note: These set the start mode of the DHCP Client service to Disabled, Automatic or Manual.
  1. wmic /node:machinename nicconfig where Index=1 call EnableDHCP
Note: Remotely change an interface to use DHCP.
  1. wmic /node:machinename nicconfig where Index=1 call EnableStatic (""), ("")
Note: Remotely change the interface to a static IP (Index is the interface number).

Handle Windows Process life-cycle 

The following sets of commands let you handle every kind of process manipulation:
  1. wmic process
  2. wmic process list brief
  3. wmic process list full
  4. wmic process list system
Note: The above commands list the processes on a Windows machine.
  1.     wmic /record:processes.xml process list brief
  2.     wmic /record:processes.xml process list full
  3.     wmic /record:processes.xml process list system
Note: After the command runs, your results are stored in XML format. That's the only format /record: supports, but it gives you a handy record of what you typed, when you typed it, and the results you got.
  1.     wmic process where name='process_name.exe'
  2.     wmic process where name='process_name.exe'  list brief
  3.     wmic process where name='process_name.exe'  list full
  4.     wmic process where name='process_name.exe'  list system
  5.     wmic process where name='process_name.exe' delete
Note: The above commands let you search for, kill and create processes based on their name.
  1. wmic process | more
Note: Displays the process list one screen page at a time.
  1. wmic process | findstr "process name"
Note: Filters the process list for lines containing the given name. Be aware that findstr treats space-separated words as alternative search terms, so use findstr /C:"process name" to match the literal phrase.
  1. wmic /output:wmic.html process list full /format:hform
Note: List running processes and write them to an HTML form (hform is one of the built-in XSL formats).
  1. wmic /node:machinename process list brief /every:1
Note: Remotely list running processes every second.
  1. wmic process where name="cmd.exe" call getowner
  2. wmic process where name="cmd.exe" call getownersid
Note: Get the process owner or owner SID. You can use that to pick a useful process to migrate into with Metasploit.

ICMP and DNS network sweeping 

After taking over a Windows box you can use it as a pivot, but what happens if it is a restricted box and you cannot download or upload any tools? Well, the following commands will do the job:
  1. for /L %I in (1,1,254) DO @ping -n 1 192.168.1.%I | findstr "TTL=128" >> pinglog.txt
Note: This command sequence pings each address once and records the hosts that replied. The filter "TTL=128" only keeps replies with the default Windows TTL; use findstr "TTL=" to keep every reply regardless of TTL. The output of the loop is stored in a file named pinglog.txt (inside a batch file write %%I instead of %I).
  1. for /L %I in (1,1,254) DO @nslookup 192.168.1.%I | find "Name:" >> dnslog.txt
Note: This command sequence performs a reverse DNS lookup for each address using the local DNS server (an external DNS server can be used as well). The output is stored in a log file called dnslog.txt.
  1. pathping targethost (for a single host only)
  2. for /L %I in (1,1,254) DO @pathping -n 192.168.1.%I >> traceping.txt
Note: This command combines the functions of ping and tracert. Pathping first lists the hops required to reach the address you are testing and then sends multiple pings to each router between you and the destination. After that it computes statistics from the packets returned by each router. Because pathping displays the degree of packet loss at any given router or link, you can determine which routers or subnets might be having network problems. Note that the whole process may take 5-10 minutes because many pings are sent; the switches that modify this can be seen by entering "pathping /?" at the command prompt. The command sequence above maps the whole network along with the route to each host (this is going to be verbose).

  1. for /L %I in (1,1,254) DO @echo -Route: %I- >> trace.txt & @pathping -n 192.168.1.%I >> trace.txt
Note: This does a simple trace route of the whole local network, writing a "-Route: N-" header line before each host's output.

Windows network connection monitoring
  1. netstat -nab 3 >> netstat.txt
Note: This repeats every 3 seconds (until you press Ctrl+C) and records all connections and listening ports together with the executable behind each one. More specifically:

Option: -n

Displays addresses and port numbers in numerical form

Option: -a

Displays all connections and listening ports

Option: -b

Displays the executable involved in creating each connection or listening port. In some cases well-known executables host multiple independent components, and in these cases the sequence of components involved in creating the connection or listening port is displayed. In this case the executable name is in [] at the bottom, on top is the component it called, and so forth until TCP/IP was reached. Note that this option can be time-consuming and will fail unless you have sufficient permissions.

Important Note: This tool is very good for identifying the behaviour of malware that does not alter system functions; if you are trying to disinfect a rootkit it will not be much help :).
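A way to turn that netstat.txt into something you can triage, as an added example that is not part of the original post: a PowerShell parser for the -b layout described above (component chain first, executable in [] last) plus an allow-list check for unexpected listeners. The sample output, the executable names and the allow-list are constructed.

```powershell
# Added example, not from the original post. Parses "netstat -nab" output
# (connection line followed by its component chain, executable in [] last)
# and flags LISTENING sockets whose executable is not on an allow-list.
$sample = @'
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  RpcSs
 [svchost.exe]
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING
 [unknown_tool.exe]
  TCP    192.168.1.10:49700     13.107.4.52:443        ESTABLISHED
 [chrome.exe]
  UDP    0.0.0.0:5353           *:*
 [chrome.exe]
'@

function ConvertFrom-NetstatB {
    param([string[]]$Lines)
    $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s*(\S*)\s*$') {
            if ($current) { $current }          # emit the previous socket
            $current = [pscustomobject]@{
                Proto = $Matches[1]; Local = $Matches[2]; Remote = $Matches[3]
                State = $Matches[4]; Components = @(); Executable = $null
            }
        }
        elseif ($current -and $line -match '^\s*\[(.+)\]\s*$') {
            $current.Executable = $Matches[1]   # bracketed line is the image name
        }
        elseif ($current -and $line.Trim()) {
            $current.Components += $line.Trim() # service/DLL component above the exe
        }
    }
    if ($current) { $current }
}

function Find-UnexpectedListener {
    param([object[]]$Sockets, [string[]]$Allowed)
    $Sockets | Where-Object {
        $_.State -eq 'LISTENING' -and ($Allowed -notcontains $_.Executable)
    }
}

$allowed = @('svchost.exe', 'System', 'lsass.exe')   # constructed baseline
$sockets = ConvertFrom-NetstatB -Lines ($sample -split "`r?`n")
Find-UnexpectedListener -Sockets $sockets -Allowed $allowed |
    Format-Table Proto, Local, Executable, Components -AutoSize
```

Against a live host run it from an elevated prompt as ConvertFrom-NetstatB -Lines (netstat -nab), since -b fails without sufficient permissions; listeners whose owner could not be determined have no Executable and are flagged too.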

Handling Windows Users

The following examples display a list of all user accounts on the local computer (some of them also show other useful information):
  1. net user
  2. wmic useraccount
  3. wmic useraccount list brief
The following example displays information about the user account someuser:
  1. net user someuser
The following example adds a user account for a user whose full name is Jay Jamison and whose user account name is jayj, with logon rights from 8 A.M. to 5 P.M., Monday through Friday (no spaces in time designations), a mandatory password (Cyk4^g3B), and the user's full name:
  1. net user jayj Cyk4^g3B /add /passwordreq:yes /times:monday-friday,8am-5pm /fullname:"Jay Jamison"
Note: ^ is the cmd.exe escape character, so when typed at the prompt the password must be quoted ("Cyk4^g3B") or the caret doubled (Cyk4^^g3B); otherwise the account ends up with the password Cyk4g3B.

Simple add user: net user someuser /add
  1. net user miked /time:M-F,08:00-17:00
Note: Sets the logon time (8 A.M. to 5 P.M.) for miked using 24-hour notation.
  1. net user miked /time:M-F,8AM-5PM
Note: Sets the logon time (8 A.M. to 5 P.M.) for miked using 12-hour notation.
  1. net user anibals /time:M,4AM-5PM;T,1PM-3PM;W-F,8:00-17:00
Note: Specifies logon hours of 4 A.M. until 5 P.M. on Monday, 1 P.M. until 3 P.M. on Tuesday, and 8 A.M. until 5 P.M. Wednesday through Friday for anibals.
  1. wmic /node:remotecomputer computersystem get username
Note: Determine which user is currently logged in on a remote computer.

List Event Logs
  1. wmic ntevent list brief --- Brief takes a while, full takes even longer
  2. wmic nteventlog where (description like "%secevent%") call clearevent
List Services
  1. wmic service list brief
Delete ARPCache

  1. netsh int ip delete arpcache
Auditing the security policies

Applies to: Windows 7, Windows Server 2008, Windows Server 2008 R2, Windows Vista. Auditpol displays information about, and manipulates, audit policies. For examples of how this command can be used, see the Examples section of each auditpol topic in the Microsoft documentation.
  1. Auditpol /get /user:{S-1-5-21-1443922412-3030960370-963420232-51} /category:"System","Detailed Tracking","Object Access"
Note: Shows the per-user audit policy for the account with the given SID in the System, Detailed Tracking and Object Access categories.
Reboot or Shutdown a box

  1. wmic os where buildnumber="2600" call reboot -- Get build# from OS Info (see below)
  2. shutdown -r -f -t 2
  3. shutdown -s -f -t 4