# CMD

In Linux shells `;` is a command separator, not a pipe: it runs the second command whether or not the first one succeeded, as in:

```
echo "command 1" ; echo "command 2"
```

The cmd equivalent is `&`, as in:

```
dir & whoami
```

`&&` runs the second command only if the first succeeded (exit code 0) and `||` only if it failed; the actual pipe is `|` in both shells.
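An added example (not code from the original page) that exercises the three cmd separators and the real pipe `|`. The path `C:\Temp\loot.txt` is an assumption and does not need to exist:

```batch
@echo off
:: Added example, not code from the original page.
:: "&"  runs both commands regardless of the first one's exit code (like ";" on Linux)
:: "&&" runs the second only if the first succeeded (exit code 0)
:: "||" runs the second only if the first failed
:: "|"  is the real pipe, the same as on Linux
:: C:\Temp\loot.txt is an assumed path; it does not need to exist.

:: Both commands run, even if whoami were to fail.
whoami & hostname

:: Only one of the two echo commands fires, depending on whether the file exists.
type C:\Temp\loot.txt >nul 2>&1 && echo [+] loot.txt found || echo [-] loot.txt missing

:: The exit code of the last command is what && and || test.
dir C:\definitely_not_here >nul 2>&1
echo exit code of dir: %errorlevel%

:: Pipe one command into another: only processes whose name contains "explorer".
tasklist | findstr /i explorer
```

Note the usual trap with `a && b || c`: if `a` succeeds but `b` itself fails, `c` runs as well, so do not rely on that shape for anything more than a one-line check.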

### Dealing with files and other stuff

`del file.txt` → Delete a file

`md foldername` → Create a folder/directory (`mkdir` also works)

`dir /A` → Show all files, including hidden and system ones (`dir /A:H` shows only hidden files)

`type file.txt` → Print the file content (like `cat` in Linux)

`findstr string file.txt` → grep for a string in a file (`findstr /si password *.txt` searches recursively and case-insensitively)
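An added example (not from the original page) of using `findstr` the way `grep` is used on Linux: hunting for credentials in text and config files. The search root `C:\Users` is an assumption; adjust it to the target:

```batch
@echo off
:: Added example, not code from the original page. C:\Users is an assumed search root.

:: /s = recurse into subdirectories, /i = case-insensitive, /m = print only the
:: names of matching files. Space-separated words in the pattern are OR'ed.
findstr /s /i /m "password passwd pwd" C:\Users\*.txt C:\Users\*.ini C:\Users\*.config C:\Users\*.xml

:: Second pass on one file type: show the matching lines with line numbers (/n).
findstr /s /i /n "password" C:\Users\*.txt

:: /r = regular expression; /c: would make the pattern one literal phrase instead.
:: Here: lines starting with "user" followed at some point by "=".
findstr /s /i /r "^user.*=" C:\Users\*.ini

:: findstr on the output of another command, the cmd equivalent of "| grep".
netstat -ano | findstr /i "LISTENING"
```

Run the `/m` pass first on a large tree; it is much quieter than printing every matching line and tells you which files deserve a closer look.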

### Network

`netstat -an` → Show listening ports and active connections (`netstat -ano` adds the owning PID)

`ipconfig` → Show network adapter information (`ipconfig /all` includes MAC addresses, DHCP and DNS servers)

`ping ip` → Ping another machine

`tracert` → Traceroute

### Processes

`tasklist` → List processes

`taskkill /PID 1532 /F` → Kill a process

### Users

`net user hacker my_password /add` → Add a local user

`net localgroup Administrators hacker /add` → Add the user to the local Administrators group (the group is `Administrators`, plural)

`net localgroup /domain` → List the domain's groups; fails if the machine is not domain-joined

`net user /domain` → List all users in the domain

### Other

`shutdown /s /t 0` → Shut down now

`shutdown /r /t 0` → Restart now

`cipher /w:C:\` → Overwrite the free (unallocated) space on drive C so deleted files cannot be recovered; it does not touch existing files

`set` → Show environment variables

`help dir` → Show the options for a command (similar to `man` in Linux)

### Mounting - Mapping

In Windows, mounting a share or volume to a drive letter is called mapping.

To see which drives are mapped/mounted into your file system you can use any of these commands:

```
:: The most thorough listing (wmic is deprecated on current Windows and may be missing)
wmic logicaldisk get deviceid, volumename, description

:: Shorter listings
wmic logicaldisk get name
wmic logicaldisk get caption

:: Can be slow, so do not kill your shell while it runs
fsutil fsinfo drives

:: With PowerShell
get-psdrive -psprovider filesystem

:: Also works, but diskpart is interactive and can hang a non-interactive reverse shell
diskpart
list volume

:: Lists only the mapped network drives
net use
```

The command for mapping network shares is `net use`.

* With `net use` we can connect to shared folders on other systems
* Many Windows machines have a default share called `IPC$` (Interprocess Communication share)
* It does not contain any files, but on older or misconfigured hosts we can connect to it without credentials
* This is called a `null session`; modern Windows restricts anonymous access by default, so expect it to be refused and check the exit code
* Although the share contains no files, a null session gives access to a lot of data that is useful for enumeration (users, groups, shares)
* The Linux equivalent of `net use` is usually `smbclient`

```
net use \\<IP address>\IPC$ "" /u:""
net use \\192.168.1.101\IPC$ "" /u:""
```

If you want to map a share from another host into your file system you can do that like this:

```
:: Maps the share to drive Z:
net use z: \\192.168.1.101\SYSVOL

:: Maps the share to the first available drive letter
net use * \\192.168.1.101\SYSVOL
```

Here the share is mapped to the letter `Z:`. If the command succeeds you can access the files by switching to the `Z:` drive:

```
C:\>z:
Z:\>

:: Now we switch back to C:
Z:\>c:
C:\>
```

#### Remove a network drive - unmount it

```
:: Leave the mapped drive first, otherwise the delete is refused
c:
net use z: /delete
```
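The whole map / use / unmap procedure of this section as one script with error checking, added here as an example and not taken from the original page. The host `192.168.1.101` and the share `SYSVOL` are assumptions; change them to the target:

```batch
@echo off
setlocal
:: Added example, not code from the original page.
:: TARGET and SHARE are assumptions; replace them with the real host and share.
set "TARGET=192.168.1.101"
set "SHARE=SYSVOL"

:: 1. Try a null session against IPC$. Modern Windows usually refuses this
::    (RestrictAnonymous), so test the exit code instead of assuming it worked.
net use \\%TARGET%\IPC$ "" /user:"" >nul 2>&1
if errorlevel 1 (
    echo [-] null session to \\%TARGET%\IPC$ refused
) else (
    echo [+] null session to \\%TARGET%\IPC$ established
    net view \\%TARGET%
    net use \\%TARGET%\IPC$ /delete >nul 2>&1
)

:: 2. Map the share to the first free drive letter. /persistent:no keeps the
::    mapping out of the user's profile, so it is gone at the next logon.
net use * \\%TARGET%\%SHARE% /persistent:no >nul
if errorlevel 1 (
    echo [-] could not map \\%TARGET%\%SHARE%
    exit /b 1
)

:: 3. Find out which letter was assigned by reading it back from the "net use"
::    listing. /l /c: makes findstr match the UNC path literally, so the
::    backslashes are not treated as regex escapes. Token 2 is the "Z:" column.
set "DRIVE="
for /f "tokens=2" %%D in ('net use ^| findstr /i /l /c:"\\%TARGET%\%SHARE%"') do set "DRIVE=%%D"
if not defined DRIVE (
    echo [-] mapped, but could not read the drive letter back from "net use"
    exit /b 1
)
echo [+] \\%TARGET%\%SHARE% is mapped to %DRIVE%
dir %DRIVE%\

:: 4. Unmap. Step out of the drive first or the delete is refused; /y answers
::    the "open files, continue?" prompt so the script never blocks on it.
cd /d C:\
net use %DRIVE% /delete /y
endlocal
```

Every `net` call is followed by an exit-code check because, unlike at an interactive prompt, a reverse shell will not show you the error text reliably, and a script that silently continues after a failed mapping will spray the rest of its commands at a drive letter that does not exist.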
