Windows Things I Forget Cheat Sheet by fred via cheatography.com/22666/cs/9094/
Networking Processes Find Outlook PST Files (cont) Hotkeys
Extract Wifi Keys fport (to list pids, ports, Copy and paste the HEX part WINKEY+R (Run) https:/ /ww w.pu re hac kin g.co m/ bl‐ protocols, exe) (00000 000 38A 1BB 10‐ ALT+F4 OR CTRL+SPACE C og/v ita ly- nik ole nko /ex tra cti ng- wi‐ prcvie w.exe 05E...E7 47 32F 636 E3D 6F‐ (Quit) rele ss- wep /wp a/w pa2 -pr esh ar‐ tcpvie w.exe (ports, exe, 7464 6E6 800) into a HEX to ALT+Y (Hit Yes) ed-k eys /pa ssw ord s-f rom -wi nd‐ etc...) ASCII converter and it will show ows-7 you the pst file location in plain-‐ Files & Directo ries ICMP Tunneli ng CMD Tricks text. tree c:\ (view in tree format) icmpsrv & icmpsend Note: Sometimes the first 2 WINKEY+R, cmd /K dir (run icmpsrv --install (on instances just show the dir in cmd) Recover hard deleted items in Victim) exchange data. If that’s the case WINKEY+R, cmd /C tree Outlook netstat -a (icmpsrv should just move onto the next HEX C:\ (run tree in cmd then User has hard deleted an item not show) instance. close) (SHIFT+ DEL) and cannot icmpsend 192.168 .1.8 (on WINKEY+R, cmd /C "s tart recover it using 'Recover deleted Attacker, to connect to Victim) Psexec - Execute commands /MIN explorer items'. Capture with Wireshark for more remotely \\x.x.x.x" Full descrip tion = Microsoft info psexec \\x.x.x.x -u WINKEY+R, powers hell KB246153. Hosts File DOMAIN\user -i 0 cmd.exe Steps https:/ /ww w.pe tr i.co m/ eas ily -e‐ Start-Process cmd -Verb /c "dir c:\ > c:\temp \t‐ 1. Close Outlook dit- hos ts- fil e-w ind ows-10 runAs (open cmd prompt as emp.txt " 2. Start Registry Editor (Reged‐ Copy from C:\Win dow s\ Sys‐ admin. hit ALT+Y to approve) psexec \\x.x.x.x -u t32.exe). tem3 2\ Driv ers \etc to start . (open windows DOMAIN\ user -i 0 cmd.exe 3. Locate and click the following desktop then edit and copy back explorer in current dir) /c "s tar t" key in the registry: Open URL from CMD without start /MIN . (open explorer HKEY_LO CAL _MA CHI NE\ SO‐ the Browser minimised) Giving Local Admin FTWA RE\ Mic ros oft \Ex cha ng‐ http:// sta cko ver flo w.co m/ que st‐ e\Cl ien t\ Options ions /20 782 734 /op en- a-u rl- wit ho‐ Find Outlook PST Files Via a Domain Admin account 4. On the Edit menu, click Add ut-u sin g-a -br ows er- fro m-a -ba tc‐ Right click on 'My Computer' -> If a user has removed their pst Value, and then add the h-file Manage files from outlook and has following registry value: Right click on "C omp uter forgotten where they are located Value name: Dumpste rA‐ WMIC GPUPDATE Management (Local) " -> "‐ you can find them by editing the lwaysOn Connect to another compute r" Runas /user:D OMA IN\ do‐ xml file below in notepad: Data type: DWORD Type in Computer Name -> main adm inuser "e xpl orer C:\Documents and Settin‐ Value data: 1 Press OK /separa te" gs\ user id\ App lic ation 5. Quit Registry Editor. System Tools -> Local Users Wmic product list status Data\Mi cro sof t\ outl oo‐ Start Outlook, click on folder (in and Groups -> Groups gpupdate /force k\us eri d.xml folder view) which item was hard Double click on "A dmi nis tra tor s" net user userid /domain Then look for instances of deleted from, select Recover -> Add something like: Deleted Items from Tools menu Click on Locations and then
By fred Published 13th September, 2016. Sponsored by Readable.com cheatography.com/fred/ Last updated 13th September, 2016. Measure your website readability! Page 1 of 1. https://readable.com