User Management

  • Get a list of local users:
net users
  • Add a user:
net user hacker my_password /add
  • Add a user to the local Administrators group (the group is called "Administrators", plural):
net localgroup Administrators hacker /add
  • Check if you are part of a domain (net localgroup /domain queries the domain controller and fails with a system error on a non-domain machine; systeminfo shows the domain name, or WORKGROUP if the machine is not joined):
net localgroup /domain
systeminfo | findstr /B /C:"Domain"
  • List all users in a domain:
net users /domain

General Operations

  • Run two or more commands sequentially (& runs both regardless of the result; && runs the second only if the first succeeded):
ver & whoami
  • Show network information:
netstat -an
  • Show network adapter info:
ipconfig /all
  • Ping another machine:
ping xxx.xxx.xxx.xxx
  • Trace packets (aka traceroute):
tracert 8.8.8.8
  • List processes:
tasklist
  • Kill a process:
taskkill /PID 1532 /F
  • Shutdown (/t is the delay in seconds; 0 means now):
shutdown /s /t 0
  • Restart:
shutdown /r /t 0
  • Show environmental variables:
set
  • Show help for a command (the Windows equivalent of man pages; "dir /?" does the same):
help dir
  • Overwrite the free space on a volume so already-deleted files cannot be recovered (it does not touch existing files, so delete them first):
cipher /w:C:\

File & Text Operations

  • Delete a file:
del xxx.txt
  • Create a folder/directory:
md folderName
  • Show all files, including hidden and system files (/A:H lists only hidden ones):
dir /A
  • Print out file content, like cat:
type xxx.txt
  • grep files on Windows systems (very useful; add /I to ignore case):
type test.txt | findstr password

Mounting & Mapping

  • To see which drives are mapped/mounted to your file system you can use any of these commands:
wmic logicaldisk get deviceid, volumename, description
wmic logicaldisk get name
wmic logicaldisk get caption
fsutil fsinfo drives
  • The same, but in PowerShell:
get-psdrive -psprovider filesystem
  • The same, but interactive:
diskpart
list volume
  • Show only network drives:
net use
  • Using net use we can connect to shared folders on other systems. Every Windows machine that runs the Server service has a default share called IPC$ (Interprocess Communication share). It does not contain any files, but it exposes the named pipes (SAMR, LSARPC, srvsvc) through which users, groups, shares and policies can be enumerated. Older systems allow a null session (empty username and password); modern Windows versions restrict anonymous access by default, so the connection may succeed while the enumeration is denied, or be refused outright.
  • The Linux equivalent of net use is usually smbclient.


  • Connect via null session:
net use \\xxx.xxx.xxx.xxx\IPC$ "" /u:""
  • Map/mount a remote share to local drive Z:
net use z: \\xxx.xxx.xxx.xxx\SYSVOL
  • The same, but map to the first available drive letter:
net use * \\xxx.xxx.xxx.xxx\SYSVOL
  • To dismount the drive:
net use z: /del

Windows Networks

  • There are mainly two ways to structure a Windows network: a server-client model called a Domain, and a peer-to-peer model called a Workgroup.

Windows Domain:

  • On a Windows domain, all users are connected to a domain controller. When you log in to your machine it authenticates against the domain controller. This way, it is ultimately the domain controller that decides the security policy: password length, how often it must be changed, which accounts are disabled. If a user quits their job you simply disable their account. Whoever controls the domain controller controls the network.

  • As a pentester, you are most likely very interested in gaining access to the domain controller with Administrator privileges. That means you control the network.

  • Since you authenticate against a domain controller, you can log in to your account from any of the machines in the network. Think of systems you have had in schools and universities, where you can just sit down by any computer and log in to your account. This is usually a domain type network.

  • In order to set up a Domain network, you need at least one Windows Server installation promoted to domain controller.

  • If you have hacked a machine and you want to know if it is part of a Workgroup or a domain, go to Control Panel/System (or run systeminfo and read the Domain field). If it says Workgroup: something, the machine is connected to a workgroup, not a domain.

Active Directory:

  • Since Windows 2000, Active Directory has been the service used to maintain the central database of users, computers, groups and configuration for a domain.

Domain Controller:

  • Only Windows Server editions can be promoted to domain controllers (by installing the Active Directory Domain Services role). The domain controller manages all the security aspects of the interaction between user and domain. There are usually at least two domain controllers, so that one can fail without taking the domain down. If you have compromised a domain-joined machine, check whether it has local users: a DC has no local account database, so "net users" on a DC lists domain accounts instead.

SMB (445/tcp):

  • One of the main ports required for communication on a Windows network (file and printer sharing, named pipes, remote administration). Linux machines speak SMB through Samba, which is also how a Linux host can be joined to a Windows domain.

Kerberos:

  • Kerberos is a network authentication protocol. It was not created by Microsoft: it originated at MIT in the 1980s and is used by many Unix systems. Windows implements Kerberos version 5 with its own extensions (notably the PAC, which carries the user's group memberships inside the ticket). It is the protocol Windows domains use to authenticate users.

  • If a Windows host has TCP port 88 (kerberos) open, it is very likely a domain controller, since the Key Distribution Center runs on DCs.

  • When a user logs in to the domain, Active Directory authenticates them with Kerberos. The password itself is never sent over the network. The client derives a key from it (for RC4 this is the NT hash, for AES a PBKDF2-derived key) and uses that key to encrypt the current timestamp as pre-authentication data in an AS-REQ to the Key Distribution Center (KDC) on the domain controller. The KDC holds the same derived key in its database, decrypts the timestamp and checks that it is within the allowed clock skew (5 minutes by default). If that succeeds, it answers with an AS-REP containing a Ticket Granting Ticket (TGT) encrypted with the krbtgt account's key, plus a session key encrypted with the user's key. The TGT is later presented back to the KDC (TGS-REQ/TGS-REP) to obtain service tickets for individual servers.
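The AS exchange described above, modelled as an added example in Python (this is not code from the original page, and not real Kerberos cryptography). The realm CORP.LOCAL, the user alice, her password and the krbtgt secret are constructed values; the seal/unseal pair is a toy stream cipher with an HMAC tag standing in for Kerberos EncryptedData, and the key derivation is a simplified PBKDF2. What the model does show is the part that matters: the password never leaves the client, the KDC only holds derived keys, a wrong password fails pre-authentication, a stale timestamp is rejected for clock skew, and the TGT is readable only with the krbtgt key.

```python
"""Toy model of the Kerberos AS exchange: pre-authentication with a
password-derived key, then a TGT in the AS-REP. Constructed example, not
real Kerberos crypto (sealing below is a toy stream cipher + HMAC)."""
import hashlib
import hmac
import json
import os
import time

REALM = "CORP.LOCAL"   # assumed realm name
MAX_SKEW = 300         # Kerberos' default clock-skew tolerance, in seconds
# Long-term key of the krbtgt account; only the KDC holds it (constructed value).
KRBTGT_KEY = hashlib.sha256(b"constructed-krbtgt-secret").digest()


def derive_key(password, username):
    """One-way key derivation; real AES etypes use PBKDF2 with REALM+user as salt."""
    salt = (REALM + username).encode()
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 4096)


def _keystream_xor(key, nonce, data):
    """Toy stream cipher: XOR data with sha256(key||nonce||counter) blocks."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def seal(key, obj):
    """Encrypt-then-MAC a JSON object (stands in for a Kerberos EncryptedData)."""
    nonce = os.urandom(12)
    ct = _keystream_xor(key, nonce, json.dumps(obj).encode())
    tag = hmac.new(key, nonce + ct, "sha256").hexdigest()
    return {"nonce": nonce.hex(), "ct": ct.hex(), "tag": tag}


def unseal(key, blob):
    """Verify the MAC and decrypt; a wrong key fails the integrity check."""
    nonce, ct = bytes.fromhex(blob["nonce"]), bytes.fromhex(blob["ct"])
    expected = hmac.new(key, nonce + ct, "sha256").hexdigest()
    if not hmac.compare_digest(expected, blob["tag"]):
        raise ValueError("integrity check failed")
    return json.loads(_keystream_xor(key, nonce, ct))


def client_as_req(username, password, now=None):
    """AS-REQ: the password never leaves the client; it only encrypts a timestamp."""
    key = derive_key(password, username)
    ts = int(time.time() if now is None else now)
    return {"cname": username, "realm": REALM, "padata": seal(key, {"timestamp": ts})}


def kdc_as_rep(db, req, now=None):
    """KDC side: check pre-auth with the stored key, then issue TGT + session key."""
    now = int(time.time() if now is None else now)
    key = db.get(req["cname"])
    if key is None:
        return {"error": "KDC_ERR_C_PRINCIPAL_UNKNOWN"}
    try:
        ts = unseal(key, req["padata"])["timestamp"]
    except ValueError:
        return {"error": "KDC_ERR_PREAUTH_FAILED"}   # wrong password -> wrong key
    if abs(now - ts) > MAX_SKEW:
        return {"error": "KRB_AP_ERR_SKEW"}          # stale or replayed timestamp
    session_key = os.urandom(32).hex()
    endtime = now + 10 * 3600                        # default TGT lifetime is 10 h
    tgt = seal(KRBTGT_KEY, {"cname": req["cname"], "session_key": session_key,
                            "endtime": endtime})     # readable only by the KDC
    enc_part = seal(key, {"session_key": session_key, "endtime": endtime})
    return {"ticket": tgt, "enc_part": enc_part}


def client_login(db, username, password, client_now=None, kdc_now=None):
    """Full AS exchange from the client's point of view."""
    rep = kdc_as_rep(db, client_as_req(username, password, client_now), kdc_now)
    if "error" in rep:
        return rep
    enc = unseal(derive_key(password, username), rep["enc_part"])
    return {"session_key": enc["session_key"], "tgt": rep["ticket"]}


# The KDC database stores derived keys, never passwords (constructed account).
KDC_DB = {"alice": derive_key("Winter2024!", "alice")}

if __name__ == "__main__":
    ok = client_login(KDC_DB, "alice", "Winter2024!")
    print("TGT issued; KDC can read it:",
          unseal(KRBTGT_KEY, ok["tgt"])["session_key"] == ok["session_key"])
    print(client_login(KDC_DB, "alice", "wrong-password"))
    print(client_login(KDC_DB, "alice", "Winter2024!",
                       client_now=1000, kdc_now=1000 + MAX_SKEW + 1))
```

The clock-skew check is why Kerberos logons start failing when a host's clock drifts more than five minutes from the DC, and the separate enc_part is why the client learns the session key only if it really holds the password-derived key.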

Workgroup:

  • A workgroup architecture stands in contrast to the domain system. A workgroup is based on the idea of peer-to-peer, not server-client as a domain is. In a domain network you have a server (the domain controller) and clients (the user machines).

  • It is usually used for smaller networks.
  • If a computer is part of a workgroup, it cannot be part of a domain.
  • In a workgroup architecture, each computer is in charge of its own security settings so there is no single computer in charge of all the security settings for the workgroup. This is good because you don't have one single point of failure, but is also bad because you have to trust the users to configure their machines securely.

  • In a network, you can have several workgroups. But that is usually not the case.

  • In a workgroup, users can see each other and share files.

Windows OS Versions

A concise list of Windows OS version numbers:


Operating System     		Version Number

Windows 1.0                    	1.04
Windows 2.0                    	2.11
Windows 3.0                    	3
Windows NT 3.1                 	3.10.528
Windows for Workgroups 3.11    	3.11
Windows NT Workstation 3.5     	3.5.807
Windows NT Workstation 3.51    	3.51.1057
Windows 95                     	4.0.950
Windows NT Workstation 4.0     	4.0.1381
Windows 98                     	4.1.1998
Windows 98 Second Edition      	4.1.2222
Windows Me                     	4.90.3000
Windows 2000 Professional      	5.0.2195
Windows XP                     	5.1.2600
Windows Vista                  	6.0.6000
Windows 7                      	6.1.7600
Windows 8                      	6.2.9200
Windows 8.1                    	6.3.9600
Windows 10                     	10.0.10240

Windows Server                 	NT version
Windows NT 3.51                 NT 3.51
Windows NT 3.5                  NT 3.50
Windows NT 3.1                  NT 3.10
Windows 2000                    NT 5.0     

    Windows 2000 Server
    Windows 2000 Advanced Server
    Windows 2000 Datacenter Server

Windows NT 4.0                  NT 4.0     

    Windows NT 4.0 Server
    Windows NT 4.0 Server Enterprise
    Windows NT 4.0 Terminal Server Edition

Windows Server 2003             NT 5.2     

    Windows Small Business Server 2003
    Windows Server 2003 Web Edition
    Windows Server 2003 Standard Edition
    Windows Server 2003 Enterprise Edition
    Windows Server 2003 Datacenter Edition
    Windows Storage Server

Windows Server 2003 R2          NT 5.2     

    Windows Small Business Server 2003 R2
    Windows Server 2003 R2 Web Edition
    Windows Server 2003 R2 Standard Edition
    Windows Server 2003 R2 Enterprise Edition
    Windows Server 2003 R2 Datacenter Edition
    Windows Compute Cluster Server 2003 (CCS)
    Windows Storage Server
    Windows Home Server

Windows Server 2008              NT 6.0     

    Windows Server 2008 Standard
    Windows Server 2008 Enterprise
    Windows Server 2008 Datacenter
    Windows Server 2008 for Itanium-based Systems
    Windows Server Foundation 2008
    Windows Essential Business Server 2008
    Windows HPC Server 2008
    Windows Small Business Server 2008
    Windows Storage Server 2008
    Windows Web Server 2008

Windows Server 2008 R2           NT 6.1     

    Windows Server 2008 R2 Foundation
    Windows Server 2008 R2 Standard
    Windows Server 2008 R2 Enterprise
    Windows Server 2008 R2 Datacenter
    Windows Server 2008 R2 for Itanium-based Systems
    Windows Web Server 2008 R2
    Windows Storage Server 2008 R2
    Windows HPC Server 2008 R2
    Windows Small Business Server 2011
    Windows MultiPoint Server 2011
    Windows Home Server 2011
    Windows MultiPoint Server 2010

Windows Server 2012              NT 6.2     

    Windows Server 2012 Foundation
    Windows Server 2012 Essentials
    Windows Server 2012 Standard
    Windows Server 2012 Datacenter
    Windows MultiPoint Server 2012

Windows Server 2012 R2           NT 6.3     

    Windows Server 2012 R2 Foundation
    Windows Server 2012 R2 Essentials
    Windows Server 2012 R2 Standard
    Windows Server 2012 R2 Datacenter

Windows Server 2016             NT 10.0