Windows Commands

LOL Bins

Basic enum commands

Enumeration

Command

Result

hostname

Prints the PC's Name

[System.Environment]::OSVersion.Version

Prints out the OS version and revision level

wmic qfe get Caption,Description,HotFixID,InstalledOn

Prints the patches and hotfixes applied to the host

ipconfig /all

Prints out network adapter state and configurations

set

Displays a list of environment variables for the current session (ran from CMD-prompt)

echo %USERDOMAIN%

Displays the domain name to which the host belongs (ran from CMD-prompt)

echo %logonserver%

Prints out the name of the Domain controller the host checks in with (ran from CMD-prompt)

List Local Admins

PS C:\Windows\system32> Get-LocalGroupMember -Group "Administrators"

Privileges

  1. net localgroup

Once connected, we can check to see what privileges bwilliamson has. We can start with looking at the local group membership using the command:

*Evil-WinRM* PS C:\> net localgroup

Aliases for \\DC01

-------------------------------------------------------------------------------
*Access Control Assistance Operators
*Account Operators
*Administrators
*Allowed RODC Password Replication Group
*Backup Operators
*Cert Publishers
*Certificate Service DCOM Access
*Cryptographic Operators
*Denied RODC Password Replication Group
*Distributed COM Users
*DnsAdmins
*Event Log Readers
*Guests
*Hyper-V Administrators
*IIS_IUSRS
*Incoming Forest Trust Builders
*Network Configuration Operators
*Performance Log Users
*Performance Monitor Users
*Pre-Windows 2000 Compatible Access
*Print Operators
*RAS and IAS Servers
*RDS Endpoint Servers
*RDS Management Servers
*RDS Remote Access Servers
*Remote Desktop Users
*Remote Management Users
*Replicator
*Server Operators
*Storage Replica Administrators
*Terminal Server License Servers
*Users
*Windows Authorization Access Group
The command completed successfully.

  1. net user username - Checking User Account Privileges including Domain

*Evil-WinRM* PS C:\> net user bwilliamson

User name                    bwilliamson
Full Name                    Ben Williamson
Comment
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            1/13/2022 12:48:58 PM
Password expires             Never
Password changeable          1/14/2022 12:48:58 PM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   1/14/2022 2:07:49 PM

Logon hours allowed          All

Local Group Memberships
Global Group memberships     *Domain Users         *Domain Admins
The command completed successfully.

  1. whoami /priv

Windows

Add user to admin local group

net user mark Password123 /add && net localgroup administrators mark /add

Mount SMB share

SMB (445, 139)
PreviousWindows ExploitNextEnumeration

Last updated