Cheat Sheet Hacking

WINDOWS THINGS

Enumeration


Last updated 5 months ago

Users

Basic info

whoami /all
whoami /priv
whoami /groups

Execute command as other user (I)

$p = ConvertTo-SecureString 'password' -AsPlainText -Force                 # plaintext -> SecureString
$c = New-Object System.Management.Automation.PSCredential ('user',$p)      # use 'DOMAIN\user' or 'HOST\user' if needed
# -WorkingDirectory is set because the other user usually cannot read our profile dir,
# and Start-Process -Credential then fails with "The directory name is invalid".
# Needs the Secondary Logon (seclogon) service, like runas.
Start-Process -Credential $c -NoNewWindow -WorkingDirectory C:\ -ArgumentList "-Command & { whoami }" -FilePath "powershell"

Execute command as other user (II)

If you have credentials, you can run commands without needing a shell:

Bash function taken from a Twitch live stream by s4vitar; it only prints the PowerShell lines to paste into the target session:

# Prints a PowerShell snippet that runs a command as another user through WinRM.
# Invoke-Command -ComputerName localhost needs WinRM enabled on the box (Enable-PSRemoting)
# and the target user allowed to connect (Administrators or Remote Management Users);
# if it is not, fall back to Start-Process -Credential from the previous section.
PSCredential () {
    echo -e "\n\t[+] \$user = 'user'"
    echo -e "\t[+] \$pw = 'password'"
    echo -e "\t[+] \$secpw = ConvertTo-SecureString \$pw -AsPlainText -Force"
    echo -e "\t[+] \$cred = New-Object System.Management.Automation.PSCredential \$user, \$secpw"
    echo -e "\t[+] Invoke-Command -ComputerName localhost -Credential \$cred -ScriptBlock { whoami }"
}
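The two snippets above (Start-Process -Credential in section I, Invoke-Command -Credential in section II) are what you paste by hand. The following is an added example, not code from the page or from the stream it credits, that wraps the same idea in one function: it validates the credentials first through System.DirectoryServices.AccountManagement (so a bad password is reported as such instead of a vague Start-Process error), then runs the command under the other account with Start-Process and brings the output back through a redirected file, so it works without WinRM. Like runas it needs the Secondary Logon (seclogon) service running. The function name Invoke-AsUser, its parameters and the temp-file location are assumptions of this example.

```powershell
# Added example (not from the original page): run a command as another user
# from an existing session and return its output, no WinRM required.
# Function name, parameters and temp-file location are illustrative.
Add-Type -AssemblyName System.DirectoryServices.AccountManagement

function Invoke-AsUser {
    param(
        [Parameter(Mandatory)] [string] $User,
        [Parameter(Mandatory)] [string] $Password,
        [Parameter(Mandatory)] [string] $Command,
        [string] $Domain = $env:COMPUTERNAME      # local account by default; pass the domain for AD users
    )

    # 1. Check the credentials first (LogonUser under the hood for the Machine context).
    $ctxType = if ($Domain -eq $env:COMPUTERNAME) { 'Machine' } else { 'Domain' }
    $ctx = New-Object System.DirectoryServices.AccountManagement.PrincipalContext($ctxType, $Domain)
    if (-not $ctx.ValidateCredentials($User, $Password)) {
        throw "Invalid credentials for $Domain\$User"
    }

    # 2. Build the PSCredential and run PowerShell in that user's context.
    $secpw = ConvertTo-SecureString $Password -AsPlainText -Force
    $cred  = New-Object System.Management.Automation.PSCredential("$Domain\$User", $secpw)

    # The output file is opened by *our* process and the handle is inherited by the child,
    # so the other user needs no write access to our %TEMP%.
    $out = Join-Path $env:TEMP ("asuser-{0}.txt" -f [guid]::NewGuid())
    # -EncodedCommand avoids quoting problems for arbitrary commands.
    $encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($Command))

    Start-Process -FilePath powershell.exe `
        -ArgumentList "-NoProfile -NonInteractive -EncodedCommand $encoded" `
        -Credential $cred `
        -WorkingDirectory 'C:\Windows\System32' `   # a directory the other user can read
        -RedirectStandardOutput $out -NoNewWindow -Wait

    $result = Get-Content -Path $out -Raw
    Remove-Item -Path $out -Force
    return $result
}

# Usage:
# Invoke-AsUser -User 'user' -Password 'password' -Command 'whoami; whoami /priv'
# Invoke-AsUser -User 'svc_backup' -Password '...' -Domain 'corp.local' -Command 'hostname'
```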

Files

Search content inside

type <file> | findstr "text_to_search"

Permissions

icacls <file_or_directory>

Find files

Get-ChildItem -Path C:\ -Filter f.txt -Recurse -ErrorAction SilentlyContinue -Force
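The two file tricks above (findstr on a known file, Get-ChildItem for a known name) combine into a credential hunt. The block below is an added example, not part of the page: it walks the usual locations, skips files over a size limit, greps text files for password-like assignments and flags KeePass databases by name. The roots, extensions and regex are starting points chosen for this example, not anything the page lists, and the function name Find-CredentialStrings is an assumption.

```powershell
# Added example (not from the original page): hunt for credentials in files.
# Roots, extensions and the regex are starting points, not an exhaustive list.
function Find-CredentialStrings {
    param(
        [string[]] $Roots   = @('C:\Users', 'C:\inetpub', 'C:\ProgramData', 'C:\xampp'),
        [string[]] $Include = @('*.txt','*.ini','*.config','*.xml','*.ps1','*.bat','*.cmd',
                                '*.json','*.yml','*.yaml','*.env','*.php','*.kdbx'),
        [int]      $MaxSizeKB = 1024          # skip big files (logs, dumps): slow and rarely useful
    )
    # key = value / key: value, case-insensitive, for the usual secret names
    $pattern = '(?i)(password|passwd|pwd|secret|apikey|api_key|token|connectionstring)\s*[=:]\s*\S+'

    Get-ChildItem -Path $Roots -Include $Include -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Length -lt ($MaxSizeKB * 1KB) } |
        ForEach-Object {
            if ($_.Extension -eq '.kdbx') {
                # KeePass database: not greppable text, report the file itself
                [pscustomobject]@{ Path = $_.FullName; Line = 0; Match = '<KeePass database>' }
                return
            }
            Select-String -Path $_.FullName -Pattern $pattern -ErrorAction SilentlyContinue |
                ForEach-Object {
                    [pscustomobject]@{ Path = $_.Path; Line = $_.LineNumber; Match = $_.Line.Trim() }
                }
        }
}

# Usage:
# Find-CredentialStrings | Format-Table -AutoSize -Wrap
# Find-CredentialStrings -Roots 'C:\Users\bob' -Include '*.ps1','*.xml'
```

Expect false positives (documentation, sample configs); the point is to get a short list to read by hand rather than opening every file.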

Registry

List installed programs

cmd /c REG QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
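The REG QUERY above reads only the 64-bit Uninstall key; on 64-bit Windows, 32-bit programs register under HKLM\SOFTWARE\WOW6432Node\... and per-user installs under HKCU. The following added example (not from the page) reads all three hives with PowerShell and, as a follow-up check, lists install directories the current user can write to, since a writable directory of a program that runs as SYSTEM or another user is a privilege-escalation candidate. The writability test creates and deletes a probe file, so it touches disk. Both function names are assumptions of this example.

```powershell
# Added example (not from the original page): installed programs from all three
# Uninstall hives, plus the ones whose install directory we can write to.
function Get-InstalledPrograms {
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',               # 64-bit
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',   # 32-bit on 64-bit Windows
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'                # per-user installs
    )
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |                    # skip patches/entries without a name
        Select-Object DisplayName, DisplayVersion, Publisher, InstallLocation,
            @{ Name = 'Hive'; Expression = {
                if     ($_.PSPath -match 'WOW6432Node')       { 'x86' }
                elseif ($_.PSPath -match 'HKEY_CURRENT_USER') { 'user' }
                else                                          { 'x64' } } } |
        Sort-Object DisplayName
}

# Programs whose install directory is writable by us: DLL hijacking / binary
# replacement candidates. Verify with icacls <dir> afterwards.
function Get-WritableInstallDirs {
    Get-InstalledPrograms |
        Where-Object { $_.InstallLocation -and (Test-Path -Path $_.InstallLocation) } |
        ForEach-Object {
            # Creating and deleting a file is more reliable than parsing ACLs
            # (inherited entries, group membership, deny ACEs).
            $probe = Join-Path $_.InstallLocation ('.' + [guid]::NewGuid().ToString('N'))
            try {
                [IO.File]::WriteAllText($probe, '')
                Remove-Item -Path $probe -Force
                $_
            } catch { }
        }
}

# Usage:
# Get-InstalledPrograms | Format-Table -AutoSize
# Get-WritableInstallDirs | Select-Object DisplayName, InstallLocation
```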

Ports & Hosts

Discover internal hosts (I)

To discover hosts on the same interface as ours we can use PowerShell: create a .ps1 file with the following content and run it:

$ips = 1..254 | ForEach-Object { "192.168.40.$_" }  # Generate the IPs to probe (adjust the /24)

foreach ($ip in $ips) {
  # -w bounds the wait per host (ms), so no background job is needed.
  # Only a real echo reply contains "TTL=": for a dead host on the local subnet
  # Windows prints "Reply from <our IP>: Destination host unreachable" and exits 0,
  # so neither the exit code nor "did ping finish quickly" is a reliable signal.
  if (ping -n 1 -w 300 $ip | Select-String -Quiet 'TTL=') {
    Write-Output "Active IP: $ip"
  }
}

Discover internal hosts (II)

REM flush the ARP cache first (needs an elevated prompt; harmless if it fails)
arp -d
REM fire the pings in the background; every host that answers ends up in the ARP cache
for /L %a in (1,1,254) do @start /b ping 192.168.20.%a -w 100 -n 2 >nul
REM give the pings a few seconds, then read the cache
arp -a
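Both sweeps above rely on ICMP echo (directly, or through the ARP entries it leaves behind); a host whose firewall drops ping is invisible to them. The following added example (not from the page) sweeps the same /24 with TCP connects instead, starting all connections at once and waiting once for them: a completed connect means the port is open, a refused one (RST) still proves the host is alive, and only a timeout tells you nothing. The prefix, port list and timeout are placeholders and the function name Test-TcpSweep is an assumption.

```powershell
# Added example (not from the original page): TCP connect sweep of a /24 for
# hosts that drop ICMP. Function name, prefix, ports and timeout are placeholders.
function Test-TcpSweep {
    param(
        [string] $Prefix    = '192.168.40',
        [int[]]  $Ports     = @(445, 3389, 80, 22, 5985),
        [int]    $TimeoutMs = 2000
    )

    # Start every connect at once (254 hosts x ports sockets) and wait once for all of them
    $probes = foreach ($n in 1..254) {
        $ip = "$Prefix.$n"
        foreach ($port in $Ports) {
            $client = New-Object System.Net.Sockets.TcpClient
            [pscustomobject]@{ IP = $ip; Port = $port; Client = $client; Task = $client.ConnectAsync($ip, $port) }
        }
    }
    try {
        [void][System.Threading.Tasks.Task]::WaitAll([System.Threading.Tasks.Task[]]$probes.Task, $TimeoutMs)
    } catch {
        # WaitAll throws if any connect faulted (refused / unreachable); each task is inspected below
    }

    $alive = @{}   # IP -> open ports (empty list = host answered, nothing open among $Ports)
    foreach ($p in $probes) {
        $task = $p.Task
        if ($task.IsFaulted) {
            # ConnectionRefused = an RST came back, so the host is up.
            # HostUnreachable / TimedOut prove nothing.
            $err = $task.Exception.InnerException.SocketErrorCode
            if ($err -eq 'ConnectionRefused' -and -not $alive.ContainsKey($p.IP)) { $alive[$p.IP] = @() }
        } elseif ($task.IsCompleted -and $p.Client.Connected) {
            if (-not $alive.ContainsKey($p.IP)) { $alive[$p.IP] = @() }
            $alive[$p.IP] += $p.Port
        }
        # anything else was still pending when the timeout hit: filtered, or no host
        $p.Client.Dispose()
    }

    foreach ($ip in ($alive.Keys | Sort-Object { [version]$_ })) {
        [pscustomobject]@{ IP = $ip; OpenPorts = ($alive[$ip] -join ',') }
    }
}

# Usage:
# Test-TcpSweep -Prefix '192.168.40' | Format-Table -AutoSize
```

A host that is up but filters all of the chosen ports still shows as absent, so pick ports the environment actually uses (445 and 3389 on Windows networks, 22 on Linux, 5985 where WinRM is enabled).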

Computers

System info

systeminfo
netstat -ano # Active connections and listening ports, with the owning PID (-o) so they can be mapped to a process
wmic qfe     # Installed hotfixes/updates (Quick Fix Engineering), not installed software; useful to spot missing patches

Remote Desktop

xfreerdp /v:IP /u:USER /p:PASSWORD

On hand commands

Get-WmiObject -Class win32_OperatingSystem    Get information about the operating system
icacls <directory>                            View the permissions set on a directory
icacls c:\users /grant joe:f                  Grant a user full permissions to a directory
icacls c:\users /remove joe                   Remove a user's permissions on a directory
New-Alias -Name "Show-Files" Get-ChildItem    Create a new PowerShell alias
Get-ExecutionPolicy -List                     View the PowerShell execution policy for every scope
Set-ExecutionPolicy Bypass -Scope Process     Set the execution policy to Bypass for the current process only (no admin needed)
wmic os list brief                            Get information about the operating system with wmic
Get-MpComputerStatus                          Check which Defender protection settings are enabled
wmic useraccount get name,sid                 Show the name and SID of the local user accounts with wmic

Sysinternals tools

\\live.sysinternals.com\tools\procdump.exe -accepteula

The SysInternals Tools suite is a set of portable Windows applications that can be used to administer Windows systems (for the most part without requiring installation). The tools can be either downloaded from the Microsoft website or loaded directly from an internet-accessible file share, as in the example above, by typing \\live.sysinternals.com\tools into a Windows Explorer window. The share is served over WebDAV, so this needs the WebClient service running on the box and outbound HTTP allowed.