Windows

Windows is an operating system developed by Microsoft, primarily for desktop PCs, notebooks and laptops.

Create a local account

WMI

See WMI, WMIC, CIM

MSI packages

# Packages installed via MSI. Caution: enumerating Win32_Product makes the Windows Installer run a consistency check on every registered package (and repair it if it thinks something is missing); it is slow and writes MsiInstaller event 1035 for each product. For a plain inventory prefer the registry uninstall keys below.
Get-WMIObject -Class Win32_Product
PSComputerName    : VIE-NB-GBI016
Name              : Python 3.12.9 Executables (64-bit)
Version           : 3.12.9150.0
InstallState      : 5
__GENUS           : 2
__CLASS           : Win32_Product
__SUPERCLASS      : CIM_Product
__DYNASTY         : CIM_Product
__RELPATH         : Win32_Product.IdentifyingNumber="{8F708501-AF68-42E7-8A6E-D239CA6DA1A8}",Name="Python 3.12.9 Executables (64-bit)",Version="3.12.9150.0"
__PROPERTY_COUNT  : 27
__DERIVATION      : {CIM_Product}
__SERVER          : VIE-NB-GBI016
__NAMESPACE       : root\cimv2
__PATH            : \\VIE-NB-GBI016\root\cimv2:Win32_Product.IdentifyingNumber="{8F708501-AF68-42E7-8A6E-D239CA6DA1A8}",Name="Python 3.12.9 Executables (64-bit)",Version="3.12.9150.0"
AssignmentType    : 0
Caption           : Python 3.12.9 Executables (64-bit)
Description       : Python 3.12.9 Executables (64-bit)
HelpLink          :
HelpTelephone     :
IdentifyingNumber : {8F708501-AF68-42E7-8A6E-D239CA6DA1A8}
InstallDate       : 20250309
InstallDate2      :
InstallLocation   :
InstallSource     : C:\Users\admin\AppData\Local\Package Cache\{8F708501-AF68-42E7-8A6E-D239CA6DA1A8}v3.12.9150.0\
Language          : 1033
LocalPackage      : C:\WINDOWS\Installer\30dc9ec0.msi
PackageCache      : C:\WINDOWS\Installer\30dc9ec0.msi
PackageCode       : {682163C2-28D3-44AB-89CD-BD21EA3B274A}
PackageName       : exe.msi
ProductID         :
RegCompany        :
RegOwner          :
SKUNumber         :
Transforms        :
URLInfoAbout      :
URLUpdateInfo     :
Vendor            : Python Software Foundation
WordCount         : 0
Scope             : System.Management.ManagementScope
Path              : \\VIE-NB-GBI016\root\cimv2:Win32_Product.IdentifyingNumber="{8F708501-AF68-42E7-8A6E-D239CA6DA1A8}",Name="Python 3.12.9 Executables (64-bit)",Version="3.12.9150.0"
Options           : System.Management.ObjectGetOptions
ClassPath         : \\VIE-NB-GBI016\root\cimv2:Win32_Product
Properties        : {AssignmentType, Caption, Description, HelpLink...}
SystemProperties  : {__GENUS, __CLASS, __SUPERCLASS, __DYNASTY...}
Qualifiers        : {dynamic, Locale, provider, UUID}
Site              :
Container         :

Winget

# Packages known to winget. Get-WingetPackage comes from the Microsoft.WinGet.Client module; it also lists software that was not installed through winget, as long as winget can match the entry to a package.
Get-WingetPackage
InstalledVersion  : 10.0.60828
Name              : Microsoft Visual Studio 2010 Tools for Office Runtime
Id                : Microsoft.VSTOR
IsUpdateAvailable : True
Source            : winget
AvailableVersions : {10.0.60917, 10.0.60912, 10.0.60828}

64-bit programs

# Uninstall entries of native (64-bit) installs. Per-user installs are not here but under HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\* | select DisplayName,UninstallString
DisplayName          : LM Studio 0.3.9
UninstallString      : "C:\Program Files\LM Studio\Uninstall LM Studio.exe" /allusers
QuietUninstallString : "C:\Program Files\LM Studio\Uninstall LM Studio.exe" /allusers /S
DisplayVersion       : 0.3.9
DisplayIcon          : C:\Program Files\LM Studio\LM Studio.exe,0
Publisher            : LM Studio
NoModify             : 1
NoRepair             : 1
EstimatedSize        : 1374783
PSPath               : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\c6dbe996-22a9-5998-b542-7abe33da3b83
PSParentPath         : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
PSChildName          : c6dbe996-22a9-5998-b542-7abe33da3b83
PSDrive              : HKLM
PSProvider           : Microsoft.PowerShell.Core\Registry

32-bit programs

# Uninstall entries of 32-bit installs on 64-bit Windows (the WOW6432Node view of the registry)
Get-ItemProperty HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* | select DisplayName,UninstallString
DisplayName     : Visual Studio Community 2022
InstallDate     : 20240525
InstallLocation : C:\Program Files\Microsoft Visual Studio\2022\Community
DisplayVersion  : 17.13.1
Publisher       : Microsoft Corporation
DisplayIcon     : C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe
UninstallString : "C:\Program Files (x86)\Microsoft Visual Studio\Installer\setup.exe" uninstall --installPath "C:\Program Files\Microsoft Visual
                  Studio\2022\Community"
ModifyPath      : "C:\Program Files (x86)\Microsoft Visual Studio\Installer\setup.exe" modify --installPath "C:\Program Files\Microsoft Visual
                  Studio\2022\Community"
RepairPath      : "C:\Program Files (x86)\Microsoft Visual Studio\Installer\setup.exe" repair --installPath "C:\Program Files\Microsoft Visual
                  Studio\2022\Community"
PSPath          : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\374cbfa0
PSParentPath    : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall
PSChildName     : 374cbfa0
PSDrive         : HKLM
PSProvider      : Microsoft.PowerShell.Core\Registry
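The three inventory sources above (MSI via Win32_Product, winget, and the 64-bit/32-bit uninstall keys) each show a different slice. The following is an added example, not code from the original page: it builds one inventory from the registry uninstall keys (64-bit, WOW6432Node and the per-user hive), which is what the 64-bit and 32-bit listings above read, without the side effects of Win32_Product, and then applies the checks a reviewer runs over such a list: missing publisher, unquoted uninstall paths containing spaces, and software living under a user profile or temp directory. The heuristics and field names beyond those shown above are the example's own assumptions.

```powershell
# Added example (not from the original page): one software inventory from the
# registry uninstall keys, then a few review heuristics over it.
# Run elevated to see every HKLM entry; HKCU is readable as a normal user.

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',             # native (64-bit) installs
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*', # 32-bit installs
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'              # per-user installs
)

function Get-InstalledSoftware {
    foreach ($key in $uninstallKeys) {
        Get-ItemProperty -Path $key -ErrorAction SilentlyContinue |
            Where-Object { $_.DisplayName } |        # skip patch/component entries without a name
            ForEach-Object {
                [pscustomobject]@{
                    Name            = $_.DisplayName
                    Version         = $_.DisplayVersion
                    Publisher       = $_.Publisher
                    InstallDate     = $_.InstallDate
                    InstallLocation = $_.InstallLocation
                    UninstallString = $_.UninstallString
                    Hive            = if ($key -like 'HKCU*') { 'HKCU' }
                                      elseif ($key -like '*WOW6432Node*') { 'HKLM (32-bit)' }
                                      else { 'HKLM' }
                    RegistryKey     = $_.PSChildName
                }
            }
    }
}

# Heuristics (assumptions of this example, not rules from the page):
#  - no publisher recorded
#  - uninstaller path with spaces that is not quoted (hijackable by C:\Program.exe etc.)
#  - software that runs from a user-writable location (profile or temp directory)
function Test-SuspiciousEntry {
    param([Parameter(ValueFromPipeline)] $Entry)
    process {
        $reasons = @()
        if (-not $Entry.Publisher) { $reasons += 'no publisher' }
        if ($Entry.UninstallString -and
            $Entry.UninstallString -notmatch '^"' -and
            $Entry.UninstallString -match '^[A-Za-z]:\\[^"]*\s[^"]*\.exe') {
            $reasons += 'unquoted uninstall path containing spaces'
        }
        if (($Entry.InstallLocation -match '\\Users\\') -or
            ($Entry.UninstallString -match '\\Users\\') -or
            ($Entry.InstallLocation -match '\\Temp\\')) {
            $reasons += 'runs from a user-writable location'
        }
        if ($reasons) {
            $Entry | Add-Member -NotePropertyName Reason -NotePropertyValue ($reasons -join '; ') -PassThru
        }
    }
}

$inventory = Get-InstalledSoftware | Sort-Object Name
$inventory | Format-Table Name, Version, Publisher, Hive -AutoSize

"`n--- entries worth a second look ---"
$inventory | Test-SuspiciousEntry | Format-Table Name, Reason, UninstallString -Wrap
```

The inventory deliberately skips Win32_Product so it can be run on production hosts at any time; entries without a DisplayName (MSI components, patches) are dropped, so compare with the winget list if you need those as well.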

Network Adapter

# Get-WmiObject only exists in Windows PowerShell 5.1; in PowerShell 7 use Get-CimInstance -ClassName Win32_NetworkAdapter
Get-WMIObject -Class Win32_NetworkAdapter
PSComputerName              : VIE-NB-GBI016
Availability                : 3
Name                        : Microsoft Kernel Debug Network Adapter
Status                      :
StatusInfo                  :
DeviceID                    : 0
__GENUS                     : 2
__CLASS                     : Win32_NetworkAdapter
__SUPERCLASS                : CIM_NetworkAdapter
__DYNASTY                   : CIM_ManagedSystemElement
__RELPATH                   : Win32_NetworkAdapter.DeviceID="0"
__PROPERTY_COUNT            : 40
__DERIVATION                : {CIM_NetworkAdapter, CIM_LogicalDevice, CIM_LogicalElement, CIM_ManagedSystemElement}
__SERVER                    : VIE-NB-GBI016
__NAMESPACE                 : root\cimv2
__PATH                      : \\VIE-NB-GBI016\root\cimv2:Win32_NetworkAdapter.DeviceID="0"
AdapterType                 :
AdapterTypeId               :
AutoSense                   :
Caption                     : [00000000] Microsoft Kernel Debug Network Adapter
ConfigManagerErrorCode      : 0
ConfigManagerUserConfig     : False
CreationClassName           : Win32_NetworkAdapter
Description                 : Microsoft Kernel Debug Network Adapter
ErrorCleared                :
ErrorDescription            :
GUID                        :
Index                       : 0
InstallDate                 :
Installed                   : True
InterfaceIndex              : 17
LastErrorCode               :
MACAddress                  :
Manufacturer                : Microsoft
MaxNumberControlled         : 0
MaxSpeed                    :
NetConnectionID             :
NetConnectionStatus         :
NetEnabled                  :
NetworkAddresses            :
PermanentAddress            :
PhysicalAdapter             : False
PNPDeviceID                 : ROOT\KDNIC\0000
PowerManagementCapabilities :
PowerManagementSupported    : False
ProductName                 : Microsoft Kernel Debug Network Adapter
ServiceName                 : kdnic
Speed                       :
SystemCreationClassName     : Win32_ComputerSystem
SystemName                  : VIE-NB-GBI016
TimeOfLastReset             : 20250314082916.500000+060
Scope                       : System.Management.ManagementScope
Path                        : \\VIE-NB-GBI016\root\cimv2:Win32_NetworkAdapter.DeviceID="0"
Options                     : System.Management.ObjectGetOptions
ClassPath                   : \\VIE-NB-GBI016\root\cimv2:Win32_NetworkAdapter
Properties                  : {AdapterType, AdapterTypeId, AutoSense, Availability...}
SystemProperties            : {__GENUS, __CLASS, __SUPERCLASS, __DYNASTY...}
Qualifiers                  : {dynamic, Locale, provider, UUID}
Site                        :
Container                   :

Network Adapter Configuration

# IP settings per adapter. The instance shown below is the kernel debug pseudo-adapter (IPEnabled False); add -Filter "IPEnabled = TRUE" to see only adapters that carry IP.
Get-WMIObject -Class Win32_NetworkAdapterConfiguration

PSComputerName               : VIE-NB-GBI016
DHCPLeaseExpires             :
Index                        : 0
Description                  : Microsoft Kernel Debug Network Adapter
DHCPEnabled                  : True
DHCPLeaseObtained            :
DHCPServer                   :
DNSDomain                    :
DNSDomainSuffixSearchOrder   :
DNSEnabledForWINSResolution  :
DNSHostName                  :
DNSServerSearchOrder         :
DomainDNSRegistrationEnabled :
FullDNSRegistrationEnabled   :
IPAddress                    :
IPConnectionMetric           :
IPEnabled                    : False
IPFilterSecurityEnabled      :
WINSEnableLMHostsLookup      :
WINSHostLookupFile           :
WINSPrimaryServer            :
WINSScopeID                  :
WINSSecondaryServer          :
__GENUS                      : 2
__CLASS                      : Win32_NetworkAdapterConfiguration
__SUPERCLASS                 : CIM_Setting
__DYNASTY                    : CIM_Setting
__RELPATH                    : Win32_NetworkAdapterConfiguration.Index=0
__PROPERTY_COUNT             : 61
__DERIVATION                 : {CIM_Setting}
__SERVER                     : VIE-NB-GBI016
__NAMESPACE                  : root\cimv2
__PATH                       : \\VIE-NB-GBI016\root\cimv2:Win32_NetworkAdapterConfiguration.Index=0
ArpAlwaysSourceRoute         :
ArpUseEtherSNAP              :
Caption                      : [00000000] Microsoft Kernel Debug Network Adapter
DatabasePath                 :
DeadGWDetectEnabled          :
DefaultIPGateway             :
DefaultTOS                   :
DefaultTTL                   :
ForwardBufferMemory          :
GatewayCostMetric            :
IGMPLevel                    :
InterfaceIndex               : 17
IPPortSecurityEnabled        :
IPSecPermitIPProtocols       :
IPSecPermitTCPPorts          :
IPSecPermitUDPPorts          :
IPSubnet                     :
IPUseZeroBroadcast           :
IPXAddress                   :
IPXEnabled                   :
IPXFrameType                 :
IPXMediaType                 :
IPXNetworkNumber             :
IPXVirtualNetNumber          :
KeepAliveInterval            :
KeepAliveTime                :
MACAddress                   :
MTU                          :
NumForwardPackets            :
PMTUBHDetectEnabled          :
PMTUDiscoveryEnabled         :
ServiceName                  : kdnic
SettingID                    : {71E995E6-3E53-4F28-A5FD-44BEF6478D8B}
TcpipNetbiosOptions          :
TcpMaxConnectRetransmissions :
TcpMaxDataRetransmissions    :
TcpNumConnections            :
TcpUseRFC1122UrgentPointer   :
TcpWindowSize                :
Scope                        : System.Management.ManagementScope
Path                         : \\VIE-NB-GBI016\root\cimv2:Win32_NetworkAdapterConfiguration.Index=0
Options                      : System.Management.ObjectGetOptions
ClassPath                    : \\VIE-NB-GBI016\root\cimv2:Win32_NetworkAdapterConfiguration
Properties                   : {ArpAlwaysSourceRoute, ArpUseEtherSNAP, Caption, DatabasePath...}
SystemProperties             : {__GENUS, __CLASS, __SUPERCLASS, __DYNASTY...}
Qualifiers                   : {dynamic, Locale, provider, UUID}
Site                         :
Container                    :
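Both WMI dumps above come from the kernel debug pseudo-adapter, which carries no IP at all. As an added example (not code from the original page), the following joins Win32_NetworkAdapter and Win32_NetworkAdapterConfiguration on InterfaceIndex, keeps only IP-enabled adapters, and flags DNS servers outside an expected list, a cheap check for DNS hijacking on a reviewed host. It uses Get-CimInstance so it also runs under PowerShell 7; $ExpectedDns is a placeholder of this example.

```powershell
# Added example (not from the original page): IP-enabled adapters with their
# addressing, joined to the adapter object, plus a DNS sanity check.

$ExpectedDns = @('10.0.0.10', '10.0.0.11')   # placeholder: your resolvers

# Win32_NetworkAdapterConfiguration holds IP settings, Win32_NetworkAdapter the
# device facts (friendly name, physical or not). InterfaceIndex links the two.
$configs  = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
$adapters = Get-CimInstance -ClassName Win32_NetworkAdapter |
            Group-Object InterfaceIndex -AsHashTable -AsString

function Get-IpAdapterSummary {
    foreach ($cfg in $configs) {
        $nic = $adapters["$($cfg.InterfaceIndex)"] | Select-Object -First 1
        [pscustomobject]@{
            Name          = $nic.NetConnectionID
            Description   = $cfg.Description
            Physical      = $nic.PhysicalAdapter
            MAC           = $cfg.MACAddress
            IPv4          = ($cfg.IPAddress | Where-Object { $_ -match '^\d+\.\d+\.\d+\.\d+$' }) -join ', '
            Gateway       = ($cfg.DefaultIPGateway -join ', ')
            DHCP          = $cfg.DHCPEnabled
            DhcpServer    = $cfg.DHCPServer
            DNS           = ($cfg.DNSServerSearchOrder -join ', ')
            # resolvers not in the expected set; empty means all DNS servers are known
            UnexpectedDns = ($cfg.DNSServerSearchOrder | Where-Object { $_ -notin $ExpectedDns }) -join ', '
        }
    }
}

Get-IpAdapterSummary | Format-Table -AutoSize -Wrap
```

Anything with a non-empty UnexpectedDns column, or a DhcpServer you do not recognise, deserves a look at the DHCP/DNS side before trusting the host's name resolution.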
// reboot into the firmware (UEFI) setup (needs an elevated prompt)
shutdown /r /fw /t 1

winget   // package manager, see Commands below
net group   // list domain groups (on a DC)
net localgroup   // list local groups
net localgroup <group>   // list group members
net user <user>   // show user details
whoami
whoami /groups
whoami /priv   // privileges; SeImpersonate, SeBackup and SeDebug are the ones worth noticing
net user <username> <password>   // set a new password (the password lands in the command history)
net user <username> *   // set the password interactively

dsquery user -limit 1000
dsquery user -upn max.mustermann@domain.local
dsget user "CN=Max Mustermann,DC=domain,DC=local"
dsquery user -upn max.mustermann@domain.local | dsget user -memberof

// list sessions
query session [/SERVER:<host>]
qwinsta [/SERVER:<host>]
// end a session (the user is logged off without warning)
reset session <session-id> [/SERVER:<host>]
rwinsta <session-id> [/SERVER:<host>]


shutdown -s -t 3600   // shut down in one hour
shutdown -a   // cancel the pending shutdown
dir /s /b c:\* | findstr /i "test"   // find files and folders whose path contains "test"
ps> iwr -Uri http://google.com -UseBasicParsing   // quick connectivity/proxy check

// installed patches (wmic is deprecated and missing on recent Windows 11 builds; the PowerShell equivalent is Get-HotFix)
wmic qfe get Caption,Description,HotFixID,InstalledOn

// running services
cmd> net start
ps> Get-CimInstance -ClassName Win32_Service | Select-Object Name,State,PathName,StartName,StartMode | Where-Object { $_.State -eq 'Running' }
ps> Get-CimInstance -ClassName Win32_Service -Filter "Name='mysql'" | Select-Object StartMode
ps> Restart-Computer -WhatIf   // dry run
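The Win32_Service fields selected above (PathName, StartName, StartMode) are exactly what a service audit needs. As an added example that is not part of the original page, the following goes through every service and flags the classic findings: an unquoted image path containing spaces (a user who can write C:\Program.exe or C:\Program Files\Some.exe gets code execution as the service account), a LocalSystem service started from outside %SystemRoot% or Program Files, and an image path the current user can write to. The ACL check is a heuristic of this example (it ignores Deny ACEs and generic rights, so it may over-report), not something the page describes.

```powershell
# Added example (not from the original page): service configuration audit over
# Win32_Service. Run as the low-privilege user whose write access you want to test.

function Get-ServiceImagePath {
    param([string]$PathName)
    if (-not $PathName) { return $null }
    if ($PathName -match '^"([^"]+)"') { return $Matches[1] }   # quoted: take the quoted part
    if ($PathName -match '^(.+?\.exe)') { return $Matches[1] }  # unquoted: up to the first .exe
    return ($PathName -split ' ')[0]
}

# Heuristic: does any Allow ACE for one of the caller's SIDs grant a Write right on
# the file (or its directory if the file does not exist)? Deny ACEs are ignored.
function Test-PathWritable {
    param([string]$Path)
    $target = if (Test-Path -LiteralPath $Path) { $Path } else { Split-Path -Path $Path -Parent }
    if (-not $target -or -not (Test-Path -LiteralPath $target)) { return $false }
    $me    = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $sids  = @($me.User) + @($me.Groups | ForEach-Object { $_ })
    $write = [System.Security.AccessControl.FileSystemRights]::Write
    foreach ($ace in (Get-Acl -LiteralPath $target).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) }
        catch { continue }
        if (($sids -contains $sid) -and (($ace.FileSystemRights -band $write) -ne 0)) { return $true }
    }
    return $false
}

$systemRoot   = $env:SystemRoot
$programFiles = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }

$findings = Get-CimInstance -ClassName Win32_Service | ForEach-Object {
    $svc    = $_
    $image  = Get-ServiceImagePath $svc.PathName
    $issues = @()

    if ($svc.PathName -and $svc.PathName -notmatch '^"' -and $image -match '\s') {
        $issues += 'unquoted image path with spaces'
    }
    $trusted = ($image -like "$systemRoot\*") -or
               [bool]($programFiles | Where-Object { $image -like "$_\*" })
    if ($image -and $svc.StartName -eq 'LocalSystem' -and -not $trusted) {
        $issues += 'LocalSystem service outside SystemRoot/Program Files'
    }
    if ($image -and (Test-PathWritable $image)) {
        $issues += 'image path writable by current user'
    }

    if ($issues) {
        [pscustomobject]@{
            Name      = $svc.Name
            State     = $svc.State
            StartMode = $svc.StartMode
            RunsAs    = $svc.StartName
            Image     = $image
            Issues    = $issues -join '; '
        }
    }
}

$findings | Format-Table -AutoSize -Wrap
```

A finding is only exploitable if the service can be (re)started by the attacker or the machine reboots, so pair the list with StartMode and with whether the user holds SeShutdownPrivilege (whoami /priv above).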

Event Log

Important IDs - Microsoft Docs, Important IDs to monitor - Graylog

# NTLM credential validation: 4774 account mapped for logon, 4775 account could not be mapped, 4776 credential validation attempt (Status 0x0 = success), 4777 the DC failed to validate the credentials.
# -FilterHashtable filters inside the event log service; piping the whole Security log through Where-Object is far slower.
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4774,4775,4776,4777}
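Listing the events is the first step; what an analyst wants is the failed 4776 validations grouped by account and source workstation, because password spraying shows up as many accounts from one workstation and brute force as one account many times. The following is an added example, not code from the original page: it fetches the four event IDs for the last 24 hours (the window is an assumption), parses the EventData XML, and aggregates. The NTSTATUS values in the comment are standard Windows codes; reading the Security log requires admin or Event Log Readers membership.

```powershell
# Added example (not from the original page): NTLM validation events -> per
# account/workstation failure counts.

$since  = (Get-Date).AddHours(-24)      # assumption: last 24 hours
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4774, 4775, 4776, 4777
    StartTime = $since
} -ErrorAction SilentlyContinue

# Flatten the <EventData><Data Name="..."> elements into properties.
function ConvertFrom-SecurityEvent {
    param([Parameter(ValueFromPipeline)] [System.Diagnostics.Eventing.Reader.EventRecord] $Event)
    process {
        $xml  = [xml]$Event.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time        = $Event.TimeCreated
            Id          = $Event.Id
            Account     = $data['TargetUserName']
            Workstation = $data['Workstation']
            Package     = $data['PackageName']
            # 4776 Status: 0x0 success, 0xc000006a wrong password, 0xc0000064 unknown user,
            # 0xc0000234 account locked out
            Status      = $data['Status']
        }
    }
}

$parsed = $events | ConvertFrom-SecurityEvent

function Get-FailedNtlmValidations {
    $parsed |
        Where-Object { $_.Id -eq 4776 -and $_.Status -ne '0x0' } |
        Group-Object Account, Workstation |
        Sort-Object Count -Descending |
        Select-Object Count, Name
}

Get-FailedNtlmValidations | Format-Table -AutoSize
```

On a domain-joined client most 4776 events are logged on the domain controller, not the client; run this on the DC (or against forwarded logs) to see the real picture.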

Keyboard shortcuts

  • Win+E open Explorer
  • Ctrl+Win+1 open the program pinned at position 1 in the taskbar (number = position)
  • Ctrl+Win+D new virtual desktop
  • Win+Arrow key snap the window to one side of the screen
  • Ctrl+Win+Arrow key switch between virtual desktops
  • Win+M minimize all windows
  • Win+Shift+S screenshot of a region
  • Win+G Game Bar (screen recording)
  • Win+. emojis, GIFs etc.

Clipboard

Whatever you copy with Ctrl+C can be pasted with Ctrl+V. Win+V shows the clipboard history (off by default; once enabled it keeps copied passwords and tokens until it is cleared).

Power management

powercfg

Invoker

When an installer insists on admin rights. __COMPAT_LAYER=RunAsInvoker makes the shim engine ignore the requireAdministrator flag in the program's manifest, so it starts with the current, unelevated token and no UAC prompt. It only helps if the installer does not actually need those rights; it is not a privilege escalation.

set __COMPAT_LAYER=RunAsInvoker
start steamsetup.exe

ContextMenu

Add a context menu entry that opens the current folder in cmd (right-click on the folder background):

regedit
HKEY_CLASSES_ROOT\Directory\Background\shell
add key <menutitle>
add key <menutitle>\command
set the (Default) value of <menutitle>\command to: cmd.exe /k cd /d "%V"

%V is replaced with the path of the folder that was right-clicked.

Add a context menu entry that opens files with a specific program (all file types):

regedit
HKEY_CLASSES_ROOT\*\shell
add key <menutitle>
add key <menutitle>\command
set the (Default) value of <menutitle>\command to: "C:\path\to\program.exe" "%1"

%1 is the clicked file. Quote both the program path and %1: an unquoted program path with spaces can be hijacked, and an unquoted %1 breaks on file names with spaces.
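The same two entries can be created from PowerShell instead of clicking through regedit. This is an added example, not code from the original page. Writes to HKEY_CLASSES_ROOT land in HKLM\SOFTWARE\Classes and need an elevated shell; the -CurrentUser switch writes to HKCU:\Software\Classes instead, which works without admin rights. Key names (OpenCmdHere, OpenWithEditor) and the program path C:\Tools\editor.exe are placeholders of this example.

```powershell
# Added example (not from the original page): create/remove Explorer context-menu
# entries. Command lines are quoted on purpose (see the note above).

function New-ContextMenuEntry {
    param(
        [Parameter(Mandatory)] [string] $ShellKey,   # e.g. 'Directory\Background\shell' or '*\shell'
        [Parameter(Mandatory)] [string] $Name,       # registry key name (internal)
        [Parameter(Mandatory)] [string] $Title,      # text shown in the menu
        [Parameter(Mandatory)] [string] $Command,    # full command line, quoted
        [switch] $CurrentUser                        # write to HKCU\Software\Classes (no admin needed)
    )
    $root = if ($CurrentUser) { 'HKCU:\Software\Classes' } else { 'Registry::HKEY_CLASSES_ROOT' }
    $key  = "$root\$ShellKey\$Name"
    $cmd  = "$key\command"
    # New-Item -Force creates <Name> and <Name>\command in one go.
    # -LiteralPath is used afterwards because '*' in '*\shell' would otherwise be a wildcard.
    New-Item -Path $cmd -Force | Out-Null
    Set-ItemProperty -LiteralPath $key -Name '(default)' -Value $Title
    Set-ItemProperty -LiteralPath $cmd -Name '(default)' -Value $Command
    Get-ItemProperty -LiteralPath $cmd | Select-Object -ExpandProperty '(default)'
}

function Remove-ContextMenuEntry {
    param([Parameter(Mandatory)] [string] $ShellKey,
          [Parameter(Mandatory)] [string] $Name,
          [switch] $CurrentUser)
    $root = if ($CurrentUser) { 'HKCU:\Software\Classes' } else { 'Registry::HKEY_CLASSES_ROOT' }
    Remove-Item -LiteralPath "$root\$ShellKey\$Name" -Recurse -ErrorAction SilentlyContinue
}

# 1) "Open cmd here" on the empty background of a folder (%V = the folder path)
New-ContextMenuEntry -ShellKey 'Directory\Background\shell' -Name 'OpenCmdHere' `
    -Title 'Open cmd here' -Command 'cmd.exe /k cd /d "%V"'

# 2) "Open with editor" for every file type (%1 = the clicked file); placeholder program path
New-ContextMenuEntry -ShellKey '*\shell' -Name 'OpenWithEditor' `
    -Title 'Open with editor' -Command '"C:\Tools\editor.exe" "%1"'

# Undo:
# Remove-ContextMenuEntry -ShellKey 'Directory\Background\shell' -Name 'OpenCmdHere'
# Remove-ContextMenuEntry -ShellKey '*\shell' -Name 'OpenWithEditor'
```

Entries under HKCU take precedence over HKLM for the same key name, which is also why per-user shell\command keys are a favourite persistence spot; reviewing both hives is part of any context-menu audit.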

Commands

winget [install|uninstall] --id <package-id>
set [var=value]   // without arguments: list environment variables
findstr [/s] [/r] "Manuel" *.txt   // /s recurse into subdirectories, /r treat the pattern as a regex
findstr /irc:"Hello" /irc:"World" *.txt   // lines containing EITHER literal (/c: strings are ORed); for AND pipe into a second findstr
more
attrib
cacls <path\to\file> /e /p <user>:<[R]ead|[W]rite|[F]ull>   // deprecated -> use icacls
subst <drive>: <directory>   // map a directory to a drive letter
subst <drive>: /d   // remove the mapping
fc <file1> <file2>   // file compare
tasklist
taskkill [/IM <name>|/PID <pid>] [/f]
query [process|user|session]   // (server only)
logoff <session>
net user
net share [<sharename>=<path>] [/delete]
net use x: \\<server>\<share>
wmic netuse   // info about mapped shares
net localgroup <group> <user> /add|/delete
openfiles [/local on]
robocopy c:\documents d:\backup\documents /copyall /e /r:0 /dcopy:t /mir   // mirror dirs; /mir also DELETES files in the destination that no longer exist in the source
dir file.xxx > output.msg [2>output.err|2>&1]
mode con:cols=140 lines=70
nslookup -type=mx zarat.ml
certutil -hashfile file.txt <SHA256|SHA1|MD5>
where <command>   // like which
(Get-Command <command>).Path   // like which, in PowerShell
doskey ls=dir   // alias (current cmd session only)
wmic qfe [get|list]   // show updates and patches
wusa /uninstall /kb:<kbID>   // uninstall an update
wmic product get name   // list MSI-installed programs (triggers the Win32_Product consistency check, see MSI packages above)
wmic product where name="<ProgramName>" call uninstall   // uninstall a program

See also: netsh, Linux

for /f "tokens=1-2 delims= " %a in (test.txt) DO @echo %a %b   // like cut (use %%a %%b inside a batch file)
ps> cat "file.txt" | %{$_ -replace "original", "replacement"} > newfile.txt   // like sed
// cmd redirection
dir 2> err.txt
dir > out.txt 2> err.txt
dir 1> out.txt 2>&1   // stderr follows stdout, both end up in out.txt

Links: Windows Context Menu Explorer https://stackoverflow.com/questions/20449316/how-add-context-menu-item-to-windows-explorer-for-folders, CMD A-Z

Piping

Std handles

  • STDIN = 0 keyboard input
  • STDOUT = 1 text output
  • STDERR = 2 error text output

command 2> filename        redirect error messages into a file
command 2>> filename       append error messages to a file
(command) 2> filename      redirect errors raised by CMD.exe itself (e.g. "not recognized as a command") into a file
command > file 2>&1        redirect output and errors into one file
command > fileA 2> fileB   redirect output and errors to separate files

command 2>&1 > filename    does NOT capture the errors: redirections apply left to right, so 2>&1 duplicates stderr onto the console before stdout is pointed at the file

Firewall

See netsh.

Password reset with an installer disk

Boot the machine from installation media (USB stick, ISO, ...). Once setup starts, press Shift+F10 to open a command prompt. In that WinPE shell the Windows volume may not be C: (check with dir). This only works when the system volume is not encrypted: with BitLocker or any other full-disk encryption the offline shell cannot modify System32, which is exactly what the encryption is there for.

move c:\windows\system32\utilman.exe c:\windows\system32\utilman.exe.bak
copy c:\windows\system32\cmd.exe c:\windows\system32\utilman.exe

Reboot. At the logon screen click the Ease of Access (Utility Manager) icon, which now spawns a shell running as SYSTEM. Create a new user and add it to the local Administrators group:

net user <username> /add
net localgroup administrators <username> /add

After a reboot you can log in as the new user. Restore the original binary afterwards (move the .bak file back), otherwise the logon screen keeps offering a SYSTEM shell to anyone in front of the machine.
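The defender's side of this trick is a check on a running system. As an added example that is not part of the original page, the following inspects utilman.exe and its siblings (sethc.exe, osk.exe, narrator.exe, magnify.exe, displayswitch.exe, atbroker.exe, all launchable from the logon screen) and flags three things: the file hashes the same as cmd.exe (a swap like the one above), it is unsigned or not signed by Microsoft, or an Image File Execution Options "Debugger" value redirects it to another program (the registry variant of the same attack, a generalisation beyond the page's file-swap). Note that a copied cmd.exe still passes the Authenticode check, because Windows system binaries are catalog-signed by hash regardless of file name; the hash comparison is the decisive test. The leftover .bak check assumes the naming used above.

```powershell
# Added example (not from the original page): integrity check of the accessibility
# binaries reachable from the logon screen. Run elevated.

$system32 = Join-Path $env:SystemRoot 'System32'
$accessibilityBinaries = 'utilman.exe', 'sethc.exe', 'osk.exe', 'narrator.exe',
                         'magnify.exe', 'displayswitch.exe', 'atbroker.exe'
$cmdHash = (Get-FileHash -Path (Join-Path $system32 'cmd.exe') -Algorithm SHA256).Hash
$ifeoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

function Test-AccessibilityBinary {
    param([Parameter(Mandatory)] [string] $Name)
    $path = Join-Path $system32 $Name
    if (-not (Test-Path -LiteralPath $path)) { return }

    $hash = (Get-FileHash -Path $path -Algorithm SHA256).Hash
    $sig  = Get-AuthenticodeSignature -FilePath $path
    $ifeo = Get-ItemProperty -LiteralPath "$ifeoRoot\$Name" -ErrorAction SilentlyContinue

    $issues = @()
    if ($hash -eq $cmdHash) { $issues += 'file is a copy of cmd.exe' }
    if ($sig.Status -ne 'Valid') { $issues += "signature $($sig.Status)" }
    elseif ($sig.SignerCertificate.Subject -notlike '*Microsoft*') { $issues += 'not signed by Microsoft' }
    if ($ifeo.Debugger) { $issues += "IFEO Debugger = $($ifeo.Debugger)" }
    if (Test-Path -LiteralPath "$path.bak") { $issues += 'leftover .bak copy next to the binary' }

    [pscustomobject]@{
        Binary = $Name
        Signer = $sig.SignerCertificate.Subject
        SHA256 = $hash.Substring(0, 16) + '...'
        Issues = if ($issues) { $issues -join '; ' } else { 'ok' }
    }
}

$accessibilityBinaries | ForEach-Object { Test-AccessibilityBinary $_ } | Format-Table -AutoSize -Wrap
```

A clean result here does not prove the disk was never touched offline; that is what BitLocker with TPM-bound keys and measured boot are for. The check is still worth scheduling, because the swap is trivial to do and trivial to spot.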

Domain join

In the adapter options of the interface, point the DNS server at the IP of the Active Directory domain controller (the client locates the DC through DNS SRV records).

System information → Change settings → Join a domain

Driver

Downloads

NTFS

SAM Database

The SAM database is located at

C:\Windows\System32\config\SAM

The file is held open by the running system, so export the hives from the registry instead (elevated prompt). SYSTEM is needed because it holds the boot key that decrypts the hashes; SECURITY holds LSA secrets and cached domain credentials.

reg save hklm\sam C:\tmp\sam.save
reg save hklm\security C:\tmp\security.save
reg save hklm\system C:\tmp\system.save

samdump2 extracts the NT hashes (the SYSTEM hive comes first, it provides the boot key):

samdump2 system.save sam.save

Or with creddump7:

cd /usr/share/creddump7
python pwdump.py system.save sam.save

See also Mimikatz

Certificate for RDP

# Pick the certificate by subject; -First 1 avoids handing an array of thumbprints to the registry if several match
$thumbprint = (Get-ChildItem Cert:\LocalMachine\My | Where-Object {$_.Subject -like "*server1.dom.local*"} | Select-Object -First 1).Thumbprint
if (-not $thumbprint) { throw "no certificate for server1.dom.local in LocalMachine\My" }

# Set the string value
Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" -Name "SSLCertSHA1Hash" -Value $thumbprint

# On older Windows versions and on client systems the binary value has to be created as well
# Set the binary value
$binThumbprint = ($thumbprint -replace ' ', '') -split '(..)' | Where-Object { $_ } | ForEach-Object { [Convert]::ToByte($_, 16) }
Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" -Name "SSLCertificateSHA1Hash" -Value ([byte[]]$binThumbprint)

# Restarting TermService disconnects all active RDP sessions. The certificate's private key must be readable by NETWORK SERVICE, otherwise the listener cannot use it.
Restart-Service TermService -Force
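Besides the registry values above, the listener certificate can be set through the Win32_TSGeneralSetting WMI class, which is the interface Microsoft documents for it. The following is an added example, not code from the original page: it selects the certificate by thumbprint rather than by subject (a thumbprint copied from the MMC often carries an invisible leading character, hence the cleanup), refuses certificates without a private key, expired ones, or ones lacking the Server Authentication EKU, warns if chain validation fails, then binds and verifies. The thumbprint argument is a placeholder; the check list is this example's own.

```powershell
# Added example (not from the original page): bind the RDP-Tcp listener to a
# certificate via Win32_TSGeneralSetting after sanity-checking it. Run elevated.

function Set-RdpCertificate {
    param([Parameter(Mandatory)] [string] $Thumbprint)

    # keep hex digits only: strips spaces and the invisible U+200E that MMC copies along
    $thumb = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
    $cert  = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $thumb }
    if (-not $cert) { throw "no certificate with thumbprint $thumb in LocalMachine\My" }
    if (-not $cert.HasPrivateKey) { throw 'certificate has no private key; RDP cannot use it' }
    if ($cert.NotAfter -lt (Get-Date)) { throw "certificate expired on $($cert.NotAfter)" }

    # 1.3.6.1.5.5.7.3.1 = Server Authentication; a certificate with no EKU at all is allowed for any purpose
    $serverAuth = $cert.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq '1.3.6.1.5.5.7.3.1' }
    if ($cert.EnhancedKeyUsageList.Count -gt 0 -and -not $serverAuth) {
        throw 'certificate lacks the Server Authentication EKU'
    }
    if (-not (Test-Certificate -Cert $cert -Policy SSL -ErrorAction SilentlyContinue)) {
        Write-Warning 'chain validation failed on this host; clients will still see a certificate warning'
    }

    $ns       = 'root/cimv2/TerminalServices'
    $listener = Get-CimInstance -Namespace $ns -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
    $listener | Set-CimInstance -Property @{ SSLCertificateSHA1Hash = $thumb }

    # the listener picks the certificate up on restart; this drops every active RDP session
    Restart-Service TermService -Force

    # verify: the listener must now report the thumbprint we set
    $bound = (Get-CimInstance -Namespace $ns -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'").SSLCertificateSHA1Hash
    if ($bound -ne $thumb) { throw "listener reports $bound, expected $thumb" }
    "RDP-Tcp now uses $($cert.Subject) ($thumb), valid until $($cert.NotAfter)"
}

Set-RdpCertificate -Thumbprint '<thumbprint of the server certificate>'   # placeholder
```

If the bind succeeds but clients still get the self-signed certificate, the usual cause is the private key ACL: grant NETWORK SERVICE read access to the key (certlm.msc → Manage Private Keys) and restart TermService again.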
windows.1759228131.txt.gz · Last modified: 2025/09/30 12:28 by jango