That doesn’t mean that you can replace the file it targets though. You need admin access if you want to modify them. Let’s not forget %appdata% and %local appdata% Put the two together and you can filter on file formats such as exes, ps1, txt, bat etc… When using dir, you can add /s to list subfolders. Check the Exploit DB for any applications found: Finding applications that have vulnerabilities might allow you to further exploit the machine and escalate those privileges (Meterpreter). Run the following to find out networking information. Now let’s get focus on the device we have a shell on. It canĪlso be very useful when mapping out the domain.īelow are a few default AD groups to query: Have a least read access to active directory.Ĭan help you identify further domain administrators and more targets. The DC depending on the restrictions in place. If the device itself is on the domain, you can also query Below shows ‘never’ so can be easily brute forced. Use net accounts to check the local policies for things like account lockout threshold. If I wanted to check the local administrators, we can run: net localgroup administrators The accounts listed above might not be the only ones provisioned on the device. Simply add the username at the end:Īs you can see, Jerry is an admin on this device whilst Tom is just a user. Once you have your users, you can get a bit more information on them. There may be more users provisioned on the system. Or if you want the lot, simply go with the whoami /all You want to know what you’re working with. To show the account privilege, use the /priv.
#Reverse shell netcat windows windows
If the account is local, it will display local Windows groups only. If the account is domain joined, whoami will show the domain instead of the device (local).Īdding /groups will query the domain controller and display all groups the account is assigned to. You might want to first check if you have the correct machine or who the shell is running under. I’m doing it on the system itself, simply because it’s easier to read. It could also be the stepping stones for privilege escalation.
Because of this, they can be used against us. When you work day to day, how often are you being prompted for Admin credentials?Ĭertainly not for general use or things like mapping drives, copying files, downloading files and running basic diagnostics. Let say you got a shell on a Windows machine, what can you The benefit being that Windows Defender still doesn’t see Netcat as a threat. Depending on the intent, Netcat might be all you need. Sometimes you don’t always need a Meterpreter shell.