## windows specific commands

- `smbclient -L //target_ip -U domain/user_name` - list shares available to user on hostname
- `smbclient` - login to the smb service
  - **revisit once you get new creds**
- `copy origin_file_loc dest_file_loc` - analogous to `cp` in linux
- `sc qc service_name` - queries config info for a service
- `findstr /i string_name` - works like grep
- `net user` - show user accounts for `\\`
- `net user /domain` - show user accounts for `\\hostname.domain.xxx`
- `net user username /domain` - show specified user's info and group memberships
- `certutil.exe` - download files from an active http server
- `type` - `cat` equivalent for windows
- `dir` - show files in current directory
  - `dir /s/b *.txt` to search for .txt files in current directory (and subdirectories)
  - `dir /s/b *.log` to search for .log files in current directory (and subdirectories)
- `tree /f /a` - show tree of files in current directory
  - useful to quickly show contents of a directory structure
- `ipconfig` - `ifconfig` equivalent for windows
- end proof screenshot
  - `type proof/user.txt` to show hash
  - `whoami`
  - `ipconfig`
  - `hostname`

## kali tools

- `hashcat`
- `john`
  - `zip2john`
- simple python http server for moving scripts to victim machine
  - `python -m http.server 80`
- `winpeas.exe`
- `mimikatz`
- `evil-winrm`
- `crackmapexec` - useful for password spraying based on service
  - `crackmapexec service_name -u users.txt -p passwords.txt target_ip`
  - `netexec` is the newest flavor
- `impacket-psexec`
- `impacket-GetNPUsers` - as-rep roasting
  - `impacket-GetNPUsers -request -dc-ip target_ip domain.xxx/user`
- `impacket-GetUserSPNs` - kerberoasting
  - `impacket-GetUserSPNs -request -dc-ip target_ip domain.xxx/user`
- `impacket-secretsdump`
  - LSA
  - LSASS
  - SAM
- `ligolo-ng` - download the proxy and agent for pivoting between subnets on a dual-homed host
  - set up the proxy on the kali machine and the agent on the pivot point
  - see Derron C on YouTube for examples