Friday, December 1, 2023

Native MS Windows commands

The following section lists commands that are useful during a penetration testing or red teaming exercise, whether you have physical access to the system or a remote shell on the target. The list is not exhaustive:


Command Samples and Descriptions

nslookup
  Samples (the last three lines are typed at the interactive nslookup prompt):
    nslookup
    server nameserver.google.com
    set type=any
    ls -d anydomain.com
  Description: nslookup is used to query the DNS. The sample performs a DNS zone transfer (ls -d) with nslookup.

net view
  Sample:
    net view
  Description: Displays a list of computers/domains and other shared resources.

net share
  Sample:
    net share list="c:"
  Description: Manages the shared resources and displays all information about the shared resources on the local system.

net use
  Samples:
    net use \\[targetIP] [password] /u:[user]
    net use \\[targetIP]\[sharename] [password] /u:[user]
  Description: Connects to any system on the same network; it can also be used to retrieve a list of network connections.

net user
  Samples:
    net user [UserName [Password | *] [options]] [/domain]
    net user [UserName {Password | *} /add [options] [/domain]]
    net user [UserName [/delete] [/domain]]
  Description: Displays information about users and performs activities related to user accounts.

arp
  Samples:
    arp /a
    arp /a /n 10.0.0.99
    arp /s 10.0.0.80 00-AA-00-4F-2A-9C
  Description: Displays and modifies entries in the ARP cache.

route
  Samples:
    route print
    route print 10.*
    route add 0.0.0.0 mask 0.0.0.0 192.168.12.1
    route delete 10.*
  Description: Similar to arp, route can be used to understand the local IP routing table and to modify it.

netstat
  Sample:
    netstat -n -o
  Description: Displays all active TCP connections and ports on the local system, including information on Ethernet and IP routing tables (IPv4 and IPv6) and statistics.

nbtstat
  Samples:
    nbtstat /R
    nbtstat /S 5
    nbtstat /A [targetIP]
  Description: Displays NetBIOS information, typically used to identify the MAC address of an IP, which can be used in MAC spoofing attacks.

wmic / netsh
  Samples:
    wmic process get caption,executablepath,commandline
    netsh wlan show profile name="profilename" key=clear
  Description: wmic is used for the typical diagnostics an attacker can perform (here, listing processes with their paths and command lines). The second sample is a netsh command, not wmic; it extracts a stored Wi-Fi password in a single command.

reg
  Samples:
    reg save HKLM\Security sec.hive
    reg save HKLM\System sys.hive
    reg save HKLM\SAM sam.hive
    reg add [\\TargetIPaddr\][RegDomain][\Key]
  Description: The reg command is used by attackers to save registry hives for offline password attacks.

for
  Samples:
    for /L %i in (1,1,10) do echo %i && ping -n 5 [targetIP]
    for /F %i in (password.lst) do @echo %i& @net use \\[targetIP] %i /u:[Username] 2>nul&& pause && echo [Username] :%i>>done.txt
  Description: The for loop can be used in Windows to build a port scanner or to enumerate accounts.
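The defender's view of the same list, as an added example that is not part of the original post: a small Python detector that runs over constructed process-creation records in the shape of Windows Security event 4688 command lines, flags the commands above with signature rules, normalizes full paths such as "C:\Windows\system32\net.exe" to the bare command, and then correlates two patterns that a single event cannot show: a reg save of both SAM and SYSTEM on one host, and a burst of net use attempts from one host (what the for /F loop above produces). The event records, host and user names, rule names, severities and the burst threshold are all constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample records in the shape of Windows Security event 4688
# (process creation) after host, user and command line have been extracted.
# These are made-up events, not real logs.
SAMPLE_EVENTS = [
    {"host": "WS01", "user": "jdoe", "cmdline": "net view"},
    {"host": "WS01", "user": "jdoe", "cmdline": r'"C:\Windows\system32\net.exe" share'},
    {"host": "WS01", "user": "jdoe", "cmdline": "nslookup"},
    {"host": "WS02", "user": "svc_backup", "cmdline": r"reg save HKLM\SAM sam.hive"},
    {"host": "WS02", "user": "svc_backup", "cmdline": r"reg save HKLM\System sys.hive"},
    {"host": "WS03", "user": "mlee", "cmdline": 'netsh wlan show profile name="CorpWifi" key=clear'},
    {"host": "WS03", "user": "mlee", "cmdline": "ping -n 5 10.0.0.5"},
    {"host": "WS04", "user": "helpdesk", "cmdline": "netstat -n -o"},
    {"host": "WS04", "user": "helpdesk", "cmdline": r"net use \\10.0.0.7 Winter2023 /u:admin"},
    {"host": "WS04", "user": "helpdesk", "cmdline": r"net use \\10.0.0.7 Spring2023 /u:admin"},
    {"host": "WS04", "user": "helpdesk", "cmdline": r"net use \\10.0.0.7 Summer2023 /u:admin"},
]

# Signature rules, most specific first; each is (rule name, severity, regex on the
# normalized command line). Rule names and severities are this example's choice.
RULES = [
    ("reg_hive_save", "high", r"^reg\s+save\s+hklm\\(sam|security|system)\b"),
    ("wlan_key_clear", "high", r"^netsh\s+wlan\s+show\s+profiles?\b.*\bkey=clear\b"),
    ("net_user_modify", "high", r"^net\s+user\s+\S+.*\s/(add|delete)\b"),
    ("net_use_remote", "medium", r"^net\s+use\s+\\\\"),
    ("net_share_enum", "low", r"^net\s+(view|share)\b"),
    ("wmic_process_enum", "low", r"^wmic\s+process\s+get\b"),
    # Only the launch is visible: "ls -d" is typed at the interactive prompt and never
    # reaches the process command line, so zone transfers need DNS-server-side logging.
    ("nslookup_launch", "low", r"^nslookup\b"),
    ("net_recon", "low", r"^(arp|route|netstat|nbtstat)\b"),
]
NET_USE_BURST = 3  # net use attempts from one host treated as a spray (example threshold)
SEVERITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Collapse '"C:\Windows\system32\net.exe" share' and 'net share' to 'net share'.
_EXE = re.compile(r'^\s*"?(?:[A-Za-z]:[\\/])?(?:[^"\s\\/]+[\\/])*([^"\s\\/]+?)(?:\.exe)?"?(?:\s+(.*))?$', re.I)

def normalize(cmdline):
    m = _EXE.match(cmdline)
    if not m:
        return cmdline.strip().lower()
    return (m.group(1).lower() + " " + (m.group(2) or "").strip()).strip()

def correlate(findings):
    """Second pass: SAM+SYSTEM saved on one host, or a burst of net use attempts."""
    hives, attempts, first_user = defaultdict(set), defaultdict(int), {}
    for f in findings:
        first_user.setdefault(f["host"], f["user"])
        if f["rule"] == "reg_hive_save":
            hives[f["host"]].add(re.search(r"hklm\\(\w+)", f["cmdline"], re.I).group(1).upper())
        elif f["rule"] == "net_use_remote":
            attempts[f["host"]] += 1
    extra = []
    for host, saved in hives.items():
        if {"SAM", "SYSTEM"} <= saved:  # both hives are needed for an offline password attack
            extra.append({"host": host, "user": first_user[host], "rule": "sam_system_pair",
                          "severity": "critical", "cmdline": "reg save of HKLM\\SAM and HKLM\\SYSTEM"})
    for host, n in attempts.items():
        if n >= NET_USE_BURST:
            extra.append({"host": host, "user": first_user[host], "rule": "net_use_burst",
                          "severity": "high", "cmdline": f"{n} net use attempts"})
    return extra

def scan(events):
    """Return per-event signature findings followed by the correlated findings."""
    findings = []
    for ev in events:
        norm = normalize(ev["cmdline"])
        for rule, severity, pattern in RULES:
            if re.search(pattern, norm, re.I):
                findings.append({"host": ev["host"], "user": ev["user"], "rule": rule,
                                 "severity": severity, "cmdline": ev["cmdline"]})
                break  # first matching rule wins
    return findings + correlate(findings)

def worst_per_host(findings):
    """Highest severity seen per host, for triage ordering."""
    worst = {}
    for f in findings:
        if SEVERITY[f["severity"]] > SEVERITY.get(worst.get(f["host"]), 0):
            worst[f["host"]] = f["severity"]
    return worst

if __name__ == "__main__":
    results = scan(SAMPLE_EVENTS)
    for f in results:
        print(f"{f['severity']:8} {f['host']} {f['user']:11} {f['rule']:18} {f['cmdline']}")
    print(worst_per_host(results))
```

Two points from the rules are worth keeping in mind when tuning this against real 4688 or Sysmon event 1 data: the low-severity recon rules (net view, netstat, arp, route) fire constantly for administrators, so they are only useful in aggregate or as context for the high-severity ones, and the nslookup zone transfer cannot be seen from the client at all, because "ls -d" lives inside the interactive session; it has to be caught on the DNS server, or prevented there by restricting zone transfers.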

© 2023 Domebytes. All rights reserved.
