Windows Notes
How to use DIR command
The command is used to list all files and subdirectories contained in a given directory.
C:\Users\IEUser\Desktop>dir
Volume in drive C is Windows 10
Volume Serial Number is B009-E7A9
Directory of C:\Users\IEUser\Desktop
10/30/2019 11:50 AM <DIR> .
10/30/2019 11:50 AM <DIR> ..
03/19/2019 06:00 AM 896 eula.lnk
10/30/2019 11:50 AM 3,277,256 HxDSetup.exe
Listing all dir command attributes and their uses.
C:\Users\SYSADMIN>dir /?
Most commonly used:
C:\Users\SYSADMIN>dir /a
/A Displays files with specified attributes.
attributes D Directories R Read-only files
H Hidden files A Files ready for archiving
S System files I Not content indexed files
L Reparse Points - Prefix meaning not
C:\Users\SYSADMIN>dir /b
/B Uses bare format (no heading information or summary).
-------------------------------------------------------------------------
/S Displays files in specified directory and all subdirectories.
Listing files in order:
/O List by files in sorted order.
sortorder N By name (alphabetic) S By size (smallest first)
E By extension (alphabetic) D By date/time (oldest first)
G Group directories first - Prefix to reverse order
I like using attributes /s (recursively), /b (stripping excess information) and the findstr command to search for files or flags in a windows system.
C:\Users\Bob>dir /ah /s /b | findstr /i "GcOMD84N"
C:\Users\Bob\AppData\Local\Microsoft\Feeds Cache\GCOMD84N
C:\Users\Bob\AppData\Local\Microsoft\Feeds Cache\GCOMD84N\desktop.ini
/i --> Specifies that the search is not to be case-sensitive.
Dynamic Link Library (dll)
These are files in every application folder, which are used to store common pieces of application logic that can be accessed from multiple applications.
Since there’s no way to directly launch a DLL file, the rundll32.exe application is simply used to launch functionality stored in shared .dll files.
Note: the valid process is normally located at \Windows\System32\rundll32.exe, but sometimes spyware uses the same filename and runs from a different directory in order to disguise itself.
Windows LFI
Windows Local Files Inclusion: is the process of including files, that are already locally present on the server, through the exploiting of vulnerable inclusion procedures implemented in an application.
This is mostly done through the utilisation of directory traversal (“../”) to move up from the WebRoot directory to access local files. In many different examples throughout the web you will see articles discussing LFI in regards to accessing files within Linux, such as accessing “/etc/passwd” or log files within “/var/log” or a user’s Bash history “/home/[USERNAME]/.bash_history”.
On Windows a very common file that a penetration tester might attempt to access to verify LFI is the hosts file, WINDOWS\System32\drivers\etc\hosts. This will generally be the first file someone tries to access to initially ensure they have read access to the filesystem. From this initial read access there are a number of places that someone might go within the filesystem to retrieve files
A great way to enumerate users with LFI is to look for the desktop.ini file. With LFI, when discovering the desktop.ini file for a user’s account, which will be located at (in newer versions of Windows) C:\Users[USERNAME]\Desktop\desktop.ini, you can begin attempting to discover potential files that could be contained within their Desktop or Documents folder as users often store sensitive information within these folders.
C:\windows is also denoted as %windir%
Path Traversal Cheat:
C:/apache/logs/access.log
C:/boot.ini
C:/WINDOWS/Repair/SAM
C:/Windows/repair/system
C:/Windows/repair/software
C:/Windows/repair/security
C:/WINNT/win.ini
List of Juicy Files:
- Windowsupdate.log
* C:\Windows\Logs\WindowsUpdate
- C:\Windows\System32\license.rtf
- host file -- > windows\system32\Drivers\etc\hosts
- WindowsDistribution
Leave a comment