Hack Like a Pro: Windows CMD Remote Commands for the Aspiring Hacker, Part 1

Windows CMD Remote Commands for the Aspiring Hacker, Part 1

Hack Like a Pro: Windows CMD Remote Commands for the Aspiring Hacker, Part 1

Welcome back, my greenhorn hackers!

Many new hackers come from a Windows background, but seldom, if ever, use its built-in command-line tools. As a hacker, you will often be forced to control the target system using just Windows commands and no GUI.

Although we would love to get Metasploit's Meterpreter on the target and use all its capabilities on the owned system, that is not always possible. Some exploits will only allow us to get a CMD shell on the target Windows system.

In these cases, you will need to understand how to control the system strictly through the command prompt, without ever having the convenience and familiarity of the Windows GUI.

What I want to do in this tutorial is demonstrate some Windows commands on a Windows 7 system (Windows 7 is still over 50% of the installed base of Windows systems), but these commands change very little from Windows version to Windows version. I will be running the Windows commands from a remote Kali system on the target.

Step 1: Connect to a Remote Windows System from Kali

Windows makes a distinction between commands that can be run while physically on the system and those that can be run remotely. We can't assume that a command we can run while on the system will run remotely.

Here, we are only interested in those that can be run remotely. In my case, I will be connecting to the target system with a Netcat connection, but a Metasploit-spawned command shell or other will work just as well.

Step 2: Basic Commands

In many ways, Windows CMD commands are similar to Linux/Unix commands (Unix preceded these commands by over a decade, and Microsoft borrowed heavily from it). At its most basic, we need to change directories within the file system. Like Linux, Windows uses the cd (change directory) command. To travel to the root of the directory system, we can just type:

cd \

In addition, we can move up one level in the directory structure by typing:

cd ..

If we want to see the contents of a directory, we type dir as seen above. Some other key and basic commands include:

del <filename>

This will delete the file, similar to the Linux rm.

type <filename>

This will display the contents of the file, similar to the Linux cat.

As you can see below, I used type to display the contents of the confidentialfile.txt. I then del (delete) the confidentialfile.txt, and when I return to display the contents of it again, I get the message that "The system cannot find the specified file."

To create a new directory, we use the md (make directory) command (in Linux, it's mkdir). To create a directory named "newdirectory," we type:

md newdirectory

After making newdirectory, we can now run dir and see the new directory that we created.

Step 3: Network Commands

When we are on the remote system, we may need networking information. To do so, we have two basic commands, ipconfig and netstat. Ipconfig is very similar to the Linux ifconfig, as seen below.

To view the network connections of the system, we can type netstat, just like in Linux.

netstat

Step 4: View Processes

Often, when we are on a remote system, we will need to see a listing of the running processes. From the GUI, of course, we can use the Task Manager (Ctrl + Alt + Del), but from the command prompt, we use tasklist.

tasklist

If we want to find a single process, we could use the filter findstr (find string). This works similarly to grep in Linux. So, to find the process named "explorer," we could type:

tasklist | findstr explorer

Note, that we used the pipe (|), just like in Linux, to send the results from the tasklist command to the filtering command, findstr.

If I want to kill a process, I can use the taskkill command. It requires the PID of the process we want to kill. In this case, the explorer process has a PID of 1532, so to kill it, I can type:

taskkill /PID 1532 /F

Where the /F means to force the kill.

Step 5: Find the User Accounts

If we want to see the users on the target system, we can type:

net users

As you can see, this system has three users: guest, administrator, and the aptly named victim.

Step 6: Run a Browser on the Target

While operating the system from the command prompt, we can execute some applications, such as the web browser. Internet Explorer is named iexplore on the command prompt, and we can find it either in the "Program Files" with the 64-bit version or "Program Files (x86)" with the 32-bit version. So, if I want to open Internet Explorer on the remote system from the command prompt and have it open wonderhowto.com, I would type:

iexplore www.wonderhowto.com

When we do, this opens Internet Explorer on the target system and goes to wonderhowto.com, as you can see below.

This might be really useful if you had a malicious XSS link set up and needed the target to go to a web server. Furthermore, we might just want the target system to go to our web server on Kali. We could start the Apache web server and then direct the target system to our web server where we may have some malicious software.

We can type:

iexplore <IP address>

As you can see below, we have directed the target system to our web server on Kali.

Keep coming back, my greenhorn hackers, as we develop the most valuable skill set in the 21st century—hacking!

Cover image via Shutterstock

14 Comments

Great idea for a series. I myself am not familiar with the Windows command line, so this series will be useful for me. Thanks.

-Phoenix750

Same. I need to know this stuff better also.

This is awesome! Can't wait to see more

to remove a directory, we can use rmdir. and with powershell,we can use tab just like in our familiar bash as. if some program not in the path env, we can't use it . so , you use iexplore in it's install path.

more tipz: if you just type from any location

explorer http://www.google.it

it will open the browser anyway. Just don't forget the http:// or it won't work.

Another interesting command is attrib

attrib +S +H <filename>

will add the System & Hidden flag to the file, making it harder to a shallow eye to detect.

explorer is the window gui shell, or file manager tool not ie, use http:// looks unhandy .

true, explorer is the windows shell, but it will work to open browser to a given url, try it (tested on xp and 7, dunno about 8 and 10)

we can also switch to Power Shell to get extra functions by typing powershell

Great article OTW :)

Cheers,
Washu

Yes great article and I enjoyed the learning session as I am a beginner to coding but eager to learn. I mostly use my rooted android smartphone for everything but I believe I have been hacked and really looking for answers to retaliate or something. Any advice would be greatly appreciated and if you care to get more details then I'd be happy to share. Thanks and I enjoy this website as its my favorite knowledge base site, also my first time posting so looking forward to some positive feedback.

with "net user user newpass" you can change the pass account, example with the pic, "net user Victim 1234" changes the password of Victim to 1234 ;D

Thanks for brushing on on some cmd commands. Damn GUI has been holding my hand for too long. Look forward to anymore info to do with connecting to Windows targets and navigating/modifying/etc.

Sir OTW
Great article as always
One question:
In the following command we should use the internal IP address or the public one ?
iexplore <IP ADDRESS>

Share Your Thoughts

  • Hot
  • Latest