Windows Things I Forget Cheat Sheet by fred via cheatography.com/22666/cs/9094/

By fred (cheatography.com/fred/). Published 13th September, 2016. Last updated 13th September, 2016.

Networking Processes
fport (to list pids, ports, protocols, exe)
prcview.exe
tcpview.exe (ports, exe, etc...)

ICMP Tunneling
icmpsrv & icmpsend
icmpsrv --install (on Victim)
netstat -a (icmpsrv should not show)
icmpsend 192.168.1.8 (on Attacker, to connect to Victim)
Capture with Wireshark for more info

Psexec - Execute commands remotely
psexec \\x.x.x.x -u DOMAIN\user -i 0 cmd.exe /c "dir c:\ > c:\temp\temp.txt"
psexec \\x.x.x.x -u DOMAIN\user -i 0 cmd.exe /c "start"

Giving Local Admin Via a Domain Admin account
Right click on 'My Computer' -> Manage
Right click on "Computer Management (Local)" -> "Connect to another computer"
Type in Computer Name -> Press OK
System Tools -> Local Users and Groups -> Groups
Double click on "Administrators" -> Add
Click on Locations and then select their computer name
DOMAIN\username -> Press Ok

Hotkeys
WINKEY+R (Run)
ALT+F4 OR CTRL+SPACE C (Quit)
ALT+Y (Hit Yes)

Files & Directories
tree c:\ (view in tree format)

CMD Tricks
WINKEY+R, cmd /K dir (run dir in cmd)
WINKEY+R, cmd /C tree C:\ (run tree in cmd then close)
WINKEY+R, cmd /C "start /MIN explorer \\x.x.x.x"
WINKEY+R, powershell Start-Process cmd -Verb runAs (open cmd prompt as admin. hit ALT+Y to approve)
start . (open windows explorer in current dir)
start /MIN . (open explorer minimised)

Extract Wifi Keys
https://www.purehacking.com/blog/vitaly-nikolenko/extracting-wireless-wep/wpa/wpa2-preshared-keys/passwords-from-windows-7

Hosts File
https://www.petri.com/easily-edit-hosts-file-windows-10
Copy from C:\Windows\System32\Drivers\etc to desktop then edit and copy back

Open URL from CMD without the Browser
http://stackoverflow.com/questions/20782734/open-a-url-without-using-a-browser-from-a-batch-file

WMIC GPUPDATE
Runas /user:DOMAIN\domainadminuser "explorer /separate"
Wmic product list status
gpupdate /force
net user userid /domain

Recover hard deleted items in Outlook
User has hard deleted an item (SHIFT+DEL) and cannot recover it using 'Recover deleted items'.
Full description = Microsoft KB246153.
Steps
1. Close Outlook
2. Start Registry Editor (Regedt32.exe).
3. Locate and click the following key in the registry:
   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Exchange\Client\Options
4. On the Edit menu, click Add Value, and then add the following registry value:
   Value name: DumpsterAlwaysOn
   Data type: DWORD
   Value data: 1
5. Quit Registry Editor.
Start Outlook, click on folder (in folder view) which item was hard deleted from, select Recover Deleted Items from Tools menu and you should be able to recover items.

Find Outlook PST Files
If a user has removed their pst files from outlook and has forgotten where they are located you can find them by editing the xml file below in notepad:
C:\Documents and Settings\userid\Application Data\Microsoft\outlook\userid.xml
Then look for instances of something like:
<eidstore>00000000...6F74646E6800</eidstore>
Copy and paste the HEX part (0000000038A1BB1005E...E74732F636E3D6F74646E6800) into a HEX to ASCII converter and it will show you the pst file location in plain-text.
Note: Sometimes the first 2 instances just show the exchange data. If that's the case just move onto the next HEX instance.
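The "Find Outlook PST Files" lookup can be done offline instead of pasting profile data into a web converter. This is an added example, not part of the original cheat sheet: it decodes every <eidstore> value and keeps the strings that name a .pst file, going beyond the page's ASCII step by also reading UTF-16LE text (an assumption). The function names, the <profile> wrapper and the sample values are constructed for illustration.

```python
import re

EIDSTORE_RE = re.compile(r"<eidstore>\s*([0-9A-Fa-f]+)\s*</eidstore>")
ASCII_RUN = re.compile(rb"[\x20-\x7e]{4,}")            # plain ASCII text
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")    # assumption: UTF-16LE text

def printable_runs(blob):
    """Return the readable strings inside decoded bytes, in order found."""
    runs = [m.group().decode("ascii") for m in ASCII_RUN.finditer(blob)]
    runs += [m.group().decode("utf-16-le") for m in UTF16_RUN.finditer(blob)]
    return runs

def decode_eidstores(xml_text):
    """Decode each <eidstore> hex value to (instance number, strings)."""
    out = []
    for n, m in enumerate(EIDSTORE_RE.finditer(xml_text), start=1):
        hexstr = m.group(1)
        if len(hexstr) % 2:      # odd length = truncated value, cannot decode
            continue
        out.append((n, printable_runs(bytes.fromhex(hexstr))))
    return out

def pst_paths(xml_text):
    """Skip the Exchange-only instances and keep strings naming a .pst file."""
    return [s for _, runs in decode_eidstores(xml_text)
            for s in runs if ".pst" in s.lower()]

# Constructed sample (not a real profile): one Exchange entry, two PST
# entries (ASCII and UTF-16LE), and one truncated value.
def _tag(raw):
    return "<eidstore>" + raw.hex().upper() + "</eidstore>"

SAMPLE_XML = "<profile>" + "".join([
    _tag(b"\x00\x00\x00\x00/o=Example/ou=Site/cn=otdnh\x00"),
    _tag(b"\x00\x00\x00\x00\x38\xa1\xbb\x10C:\\Mail\\archive.pst\x00"),
    _tag(b"\x00\x00\x00\x00" + "D:\\Old\\2015.pst".encode("utf-16-le")),
    "<eidstore>ABC</eidstore>",
]) + "</profile>"

if __name__ == "__main__":
    for n, runs in decode_eidstores(SAMPLE_XML):
        print(n, runs)
    print(pst_paths(SAMPLE_XML))
```

The hex tail visible on the page, 2F636E3D6F74646E6800, decodes to "/cn=otdnh" plus a NUL byte, which is the kind of Exchange-only instance the note says to skip.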
