Command One-Liners

One Liners

You know you like them, always handy, these blokes pack a punch. I am compiling some of them here.


Network Commands

Get information on ethernet adapters

get eth0 address
ip addr show | grep eth0 | grep inet | sed -e 's/ *inet *//g' -e 's/\/.*//g'

# Create bridge X and attach eth0 and eth1 to it
ip link add name X type bridge
ip link set X up
ip link set eth0 master X
ip link set eth1 master X

Port Redirect

# Note: you can find TCP sockets in /proc/net/tcp !
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp -m multiport ! --dports 22,53,80,443 -j REDIRECT --to-port 80


Download the latest release from a Github repo

curl -s \
| grep "browser_download_url.*deb" \
| cut -d '"' -f 4 \
| wget -qi -



rundll32 | Run an arbitrary program with Mimikatz dll

rundll32 c:\path\mimilib.dll,start d:\some_path\stuff.exe

rundll32 | Show saved credentials by the Windows credentials manager

rundll32 keymgr.dll,KRShowKeyMgr

Enumerate Ways a Website can leak HTTP Info

Generic Spells

Some weird Windows native “popup” :D

wlrmdr.exe -s 60000 -f 1 -t "text" -m "more text" -a o

Open Device Manager

mmc devmgmt.msc

Get List of Local Users or Members of the Local Admin Group

# Powershell v2+
$ComputerName = "."
$Computer = [ADSI]("WinNT://" + $ComputerName + ",computer")
$LocalAdminGroup = $Computer.psbase.children.find("Administrators")
$LocalAdminGroupMembers = $LocalAdminGroup.psbase.invoke("Members") | %{ $_.GetType().InvokeMember("Name", 'GetProperty', $null, $_, $null) }
$LocalAdminGroupMembers

# Using Powershell v5+
Get-LocalGroupMember "Administrators"

# Using WMI
Get-WmiObject win32_groupuser -Computer localhost
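The three variants above each break on some hosts: Get-LocalGroupMember only exists from PowerShell 5.1 and throws on groups that still hold orphaned SIDs from deleted domain accounts, while the ADSI path works everywhere but gives no SID or source. The function below is an added example, not code from the original page; it tries the cmdlet first and falls back to ADSI, normalises both outputs to the same shape, and compares the result against an expected baseline. The baseline list, the group name and the three-segment ADsPath heuristic for "local vs. domain" are assumptions you should adjust for your environment.

```powershell
# Added example (not part of the original page): list the members of the
# local Administrators group, preferring Get-LocalGroupMember (PowerShell
# 5.1+) and falling back to the ADSI WinNT provider on older hosts or when
# the cmdlet throws (it does so on groups holding orphaned SIDs).
# Run elevated on the host being audited.
function Get-LocalAdminMember {
    param([string]$GroupName = 'Administrators')

    if (Get-Command Get-LocalGroupMember -ErrorAction SilentlyContinue) {
        try {
            return Get-LocalGroupMember -Group $GroupName -ErrorAction Stop |
                Select-Object Name, ObjectClass, PrincipalSource, SID
        } catch {
            Write-Warning "Get-LocalGroupMember failed ($($_.Exception.Message)); using ADSI"
        }
    }

    # ADSI fallback: the WinNT provider works back to PowerShell v2
    $group = [ADSI]"WinNT://./$GroupName,group"
    $group.psbase.Invoke('Members') | ForEach-Object {
        $member = $_
        $get = { param($prop) $member.GetType().InvokeMember($prop, 'GetProperty', $null, $member, $null) }
        # ADsPath looks like WinNT://CORP/Domain Admins or WinNT://CORP/HOST/Administrator
        $path  = & $get 'ADsPath'
        $parts = ($path -replace '^WinNT://', '') -split '/'
        $sid = $null
        try {
            $raw = & $get 'objectSid'
            $sid = (New-Object System.Security.Principal.SecurityIdentifier($raw, 0)).Value
        } catch { }   # orphaned SIDs and some well-known principals expose no objectSid here
        [pscustomobject]@{
            Name            = $parts[-1]
            ObjectClass     = & $get 'Class'
            # heuristic (assumption): DOMAIN/HOST/account has three segments, i.e. a local principal
            PrincipalSource = if ($parts.Count -ge 3) { 'Local' } else { 'ActiveDirectory' }
            SID             = $sid
        }
    }
}

# Anything not on the expected list is worth a ticket. Names are compared
# without the DOMAIN\ prefix so both code paths produce the same result.
function Test-LocalAdminBaseline {
    param([string[]]$Expected = @('Administrator', 'Domain Admins'))   # assumed baseline
    Get-LocalAdminMember | Where-Object { $Expected -notcontains ($_.Name -split '\\')[-1] }
}

Get-LocalAdminMember | Format-Table -AutoSize
Test-LocalAdminBaseline | Format-Table -AutoSize
```

Run it as part of a host baseline check; an unexpected member that also has an empty SID is the classic sign of an account that was deleted in AD but never removed from the local group.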

Network Spells

A series of useful commands to gather network intelligence.

Show clear text password locally for Wireless Lan Connection

netsh wlan dump
netsh wlan show profiles key=clear name="BotConf2016"
netsh wlan show profiles name="BotConf2016" key=clear

PortProxy - Port Redirection

:: Redirect traffic from port 9000 to port 80 on a different IP
netsh interface portproxy add v4tov4 listenaddress= listenport=9000 connectaddress= connectport=80
:: Delete portproxy entry
netsh interface portproxy delete v4tov4 listenaddress= listenport=9000

DNS Tricks | PowerShell

# Resolve Hostnames and FQDN

Get Network Adapter info | PowerShell


List Proxy info | PowerShell

Get-ItemProperty "HKCU:\software\Microsoft\Windows\CurrentVersion\Internet Settings\"
Get-ItemProperty "HKCU:\software\Microsoft\Windows\CurrentVersion\Internet Settings\" "AutoConfigURL"
Get-ItemProperty "HKCU:\software\Microsoft\Windows\CurrentVersion\Internet Settings\" "ProxyServer"
Get-ChildItem -recurse 'HKCU:\software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\' | % { $_.GetValue("WpadDetectedURL") }  | sort -Unique

List LAN info | PowerShell

wmic nicconfig where ipenabled=true call /?
wmic nicconfig where ipenabled=true call RenewDHCPLease
wmic nicconfig where ipenabled=true call ReleaseDHCPLease
wmic nicconfig where ipenabled=true list brief
wmic nicconfig where ipenabled=true get ipaddress,macaddress,dnsserversearchorder,dnshostname,defaultipgateway,dhcpserver,description /format:list
wmic nicconfig where ipenabled=true list full

Ping a Subnet | PowerShell

$ping = New-Object System.Net.Networkinformation.Ping
1..254 | % { $ping.send("192.168.100.$_") | select address, status }
for ( $i = 1; $i -le 254 ; $i++ ) { ping 192.168.0.$i }

Active Directory

Get a user’s AD Group Membership

# This will only return the group names instead of the full distinguishedName
(Get-ADUser SomeUserYeah -Properties MemberOf).MemberOf | % { ($_ -split ',')[0] -replace '^CN=' }
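Splitting a distinguishedName on the first comma is good enough for most groups, but a group whose name contains a comma is stored with the comma escaped (`CN=Sales\, EMEA,OU=...`) and the simple split returns the wrong name. The function below is an added example, not code from the original page: it takes the first RDN with a regular expression that respects backslash escapes and unescapes it. The sample DNs are constructed; the commented call at the end shows how it plugs into the one-liner above.

```powershell
# Added example (not part of the original page): pull the group name out of
# a distinguishedName, handling names that contain an escaped comma.
function Get-CnFromDn {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$DistinguishedName)
    process {
        # first RDN: everything up to the first comma that is not preceded by a backslash
        if ($DistinguishedName -match '^CN=((?:\\.|[^,\\])*)') {
            return ($matches[1] -replace '\\(.)', '$1')   # unescape \, \\ and friends
        }
        throw "Not a CN-rooted DN: $DistinguishedName"
    }
}

# Constructed sample DNs standing in for (Get-ADUser x -Properties MemberOf).MemberOf
$sample = @(
    'CN=Domain Admins,CN=Users,DC=corp,DC=example',
    'CN=Sales\, EMEA,OU=Groups,DC=corp,DC=example',
    'CN=Backup Operators,CN=Builtin,DC=corp,DC=example'
)
$sample | Get-CnFromDn

# Against a live domain (needs the ActiveDirectory module):
# (Get-ADUser SomeUserYeah -Properties MemberOf).MemberOf | Get-CnFromDn
```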

Get AD ms-DS-MachineAccountQuota

Useful to understand whether you can leverage this primitive for further mischief

Get-ADDomain | Get-ADObject -Properties 'ms-DS-MachineAccountQuota'
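The quota value on its own says little; what a defender wants next is who has already used it. Whenever a non-privileged user joins a computer under the quota, AD stamps the computer object's ms-DS-CreatorSID attribute with the creator's SID, so those objects can be listed and attributed. The following is an added example, not code from the original page; it assumes the ActiveDirectory RSAT module and read access to the domain, and its remediation function uses the documented Set-ADDomain -Replace route to set the quota to 0 (gated behind a switch so the script is safe to dot-source).

```powershell
# Added example (not part of the original page; needs the ActiveDirectory
# module): report ms-DS-MachineAccountQuota together with every computer
# object whose ms-DS-CreatorSID shows it was created under the quota.
function Get-MachineAccountQuotaReport {
    $domain = Get-ADDomain
    $quota  = (Get-ADObject -Identity $domain.DistinguishedName -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'

    # ms-DS-CreatorSID is only set when the creator relied on the quota rather
    # than on delegated Create-Child rights; it is stored as raw SID bytes.
    $created = Get-ADComputer -LDAPFilter '(ms-DS-CreatorSID=*)' -Properties 'ms-DS-CreatorSID', whenCreated |
        ForEach-Object {
            $sid = New-Object System.Security.Principal.SecurityIdentifier($_.'ms-DS-CreatorSID', 0)
            $creator = try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $sid.Value }
            [pscustomobject]@{ Computer = $_.Name; Creator = $creator; WhenCreated = $_.whenCreated }
        }

    [pscustomobject]@{
        Domain              = $domain.DNSRoot
        MachineAccountQuota = $quota
        QuotaCreated        = @($created)
    }
}

# Remediation: set the quota to 0 and delegate computer creation explicitly instead
function Set-MachineAccountQuotaZero {
    param([switch]$Force)   # explicit opt-in so dot-sourcing this file changes nothing
    if (-not $Force) { Write-Warning 'Re-run with -Force to change the quota'; return }
    $domain = Get-ADDomain
    Set-ADDomain -Identity $domain.DistinguishedName -Replace @{ 'ms-DS-MachineAccountQuota' = '0' }
}

$report = Get-MachineAccountQuotaReport
$report | Format-List Domain, MachineAccountQuota
$report.QuotaCreated | Sort-Object WhenCreated -Descending | Format-Table -AutoSize
```

Computers in the QuotaCreated list whose creator is a regular user account, or whose creator SID no longer resolves, are the ones to review; the quota change alone does not remove them.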

Enumerate Forest and Domain Trusts

NOTE: Good read about this –>
# With RSAT Module
Get-ADTrust -Filter *

# Without RSAT Module
## First Enumerate Domain Trusts
## Then Enumerate Forest Trusts

# List all Domain Controllers in the Forest
[System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().Sites | % { $_.Servers } | select Domain,Name,SiteName

Get AD Account Details for account in a trusted Domain

Get-ADUser -Server '' -Filter { SamAccountName -eq 'some_user' } -Properties *

Enumerate all Domain Controllers
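For hosts without RSAT, the System.DirectoryServices.ActiveDirectory classes that ship with .NET cover both the trust and the domain-controller inventory the headings above call for. The block below is an added example, not code from the original page; it assumes a domain-joined host and a caller who can read the directory. Unlike Get-ADTrust it cannot report whether SID filtering is enabled on a trust, so treat it as the inventory step and check that setting separately.

```powershell
# Added example (not part of the original page): enumerate domain and forest
# trusts plus every domain controller in the forest using the .NET
# System.DirectoryServices.ActiveDirectory classes (no RSAT required).
function Get-TrustInventory {
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()

    foreach ($t in $domain.GetAllTrustRelationships()) {
        [pscustomobject]@{ Scope = 'Domain'; Source = $t.SourceName; Target = $t.TargetName
                           Direction = $t.TrustDirection; Type = $t.TrustType }
    }
    foreach ($t in $forest.GetAllTrustRelationships()) {
        [pscustomobject]@{ Scope = 'Forest'; Source = $t.SourceName; Target = $t.TargetName
                           Direction = $t.TrustDirection; Type = $t.TrustType }
    }
}

function Get-DomainControllerInventory {
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    foreach ($d in $forest.Domains) {
        foreach ($dc in $d.DomainControllers) {
            [pscustomobject]@{
                Domain = $d.Name
                Name   = $dc.Name
                Site   = $dc.SiteName
                IP     = $dc.IPAddress
                OS     = $dc.OSVersion
                Roles  = ($dc.Roles -join ',')      # FSMO roles held by this DC
            }
        }
    }
}

Get-TrustInventory | Format-Table -AutoSize
Get-DomainControllerInventory | Sort-Object Domain, Name | Format-Table -AutoSize
```

Inbound and bidirectional trusts are the ones that extend who can authenticate into your domain, so those rows are the first to reconcile against what the trust was originally set up for.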


Cryptographic & Encoding Functions

Some General Encoding and Hash Functions | PowerShell

# Convert from Base64


# Convert to Base64

# Convert HEX to DEC

# Encode in HEX
[System.BitConverter]::ToString($(Get-Content .\data.bin -encoding Byte))

# Encode Hash in HEX
[System.Bitconverter]::ToString(([System.Security.Cryptography.SHA1]::Create()).ComputeHash([System.Text.Encoding]::UTF8.GetBytes("<[email protected]#$%^>")))

# Compute MD5 Hash

Compute Hash with .NET Class

([System.Security.Cryptography.SHA1]::Create()).ComputeHash([System.Text.Encoding]::UTF8.GetBytes("<[email protected]#$%^>"))
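Several headings in this section have no command under them. The block below is an added example, not code from the original page, that supplies the Base64, hex and hash helpers those headings name and adds the piece practitioners actually need them for: verifying a downloaded file against a published digest with a comparison that does not leak the position of the first mismatching byte through timing. The known-answer checks at the end use constructed inputs.

```powershell
# Added example (not part of the original page): encoding and hashing helpers
# plus a constant-time digest comparison for release verification.
function ConvertTo-Base64   { param([Parameter(Mandatory)][string]$Text) [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($Text)) }
function ConvertFrom-Base64 { param([Parameter(Mandatory)][string]$B64)  [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($B64)) }
function ConvertFrom-HexToDec { param([Parameter(Mandatory)][string]$Hex) [Convert]::ToInt64(($Hex -replace '^0x', ''), 16) }
function ConvertTo-HexString { param([Parameter(Mandatory)][byte[]]$Bytes) ([BitConverter]::ToString($Bytes)) -replace '-', '' }

function Get-StringHash {
    param([Parameter(Mandatory)][string]$Text,
          [ValidateSet('MD5','SHA1','SHA256','SHA512')][string]$Algorithm = 'SHA256')
    $h = switch ($Algorithm) {
        'MD5'    { [Security.Cryptography.MD5]::Create() }
        'SHA1'   { [Security.Cryptography.SHA1]::Create() }
        'SHA256' { [Security.Cryptography.SHA256]::Create() }
        'SHA512' { [Security.Cryptography.SHA512]::Create() }
    }
    try { ConvertTo-HexString $h.ComputeHash([Text.Encoding]::UTF8.GetBytes($Text)) } finally { $h.Dispose() }
}

# Compare two hex digests without short-circuiting on the first differing byte
function Test-DigestMatch {
    param([Parameter(Mandatory)][string]$Actual, [Parameter(Mandatory)][string]$Expected)
    $a = [Text.Encoding]::ASCII.GetBytes($Actual.ToLowerInvariant())
    $b = [Text.Encoding]::ASCII.GetBytes($Expected.ToLowerInvariant())
    if ($a.Length -ne $b.Length) { return $false }
    $diff = 0
    for ($i = 0; $i -lt $a.Length; $i++) { $diff = $diff -bor ($a[$i] -bxor $b[$i]) }
    return ($diff -eq 0)
}

# Verify a downloaded file against the digest printed on its release page
function Test-FileDigest {
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][string]$Expected,
          [ValidateSet('MD5','SHA1','SHA256','SHA512')][string]$Algorithm = 'SHA256')
    $actual = (Get-FileHash -Path $Path -Algorithm $Algorithm).Hash
    Test-DigestMatch -Actual $actual -Expected $Expected
}

# Known-answer checks on constructed inputs; each throws if a helper is broken
if ((ConvertFrom-Base64 (ConvertTo-Base64 'hello')) -ne 'hello') { throw 'Base64 round trip failed' }
if ((ConvertFrom-HexToDec '0xff') -ne 255) { throw 'hex to dec failed' }
if ((Get-StringHash 'abc' -Algorithm SHA1) -ne 'A9993E364706816ABA3E25717850C26C9CD0D89D') { throw 'SHA1 known answer failed' }
if (-not (Test-DigestMatch 'ABCD' 'abcd')) { throw 'digest compare should ignore case' }
if (Test-DigestMatch 'abcd' 'abce') { throw 'digest compare accepted a mismatch' }
'all helper checks passed'
```

MD5 and SHA1 are kept only because release pages still publish them; when both are offered, verify the SHA256 value.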

Generic One-Liners

Extract an archive without “Expand-Archive” | PowerShell

# $src = path to the .zip, $dst = target directory (placeholders)
Add-Type -A System.IO.Compression.FileSystem; [IO.Compression.ZipFile]::ExtractToDirectory($src, $dst)
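ZipFile.ExtractToDirectory refuses entries whose names climb out of the destination, but the moment you switch to per-entry extraction (to filter by extension, cap sizes, or log what was written) you are using ZipFileExtensions.ExtractToFile, which performs no such check, and a crafted entry name like `../../evil.txt` lands wherever the archive author chose. The block below is an added example, not code from the original page: it validates every entry path before writing anything, then extracts. The two archives it unpacks are constructed inline, one clean and one carrying a traversal entry, so the rejection can be seen.

```powershell
# Added example (not part of the original page): extract a zip entry by entry,
# refusing any entry whose resolved path falls outside the destination
# directory (the "zip slip" case). Nothing is written until every entry passes.
Add-Type -AssemblyName System.IO.Compression, System.IO.Compression.FileSystem

function Expand-ZipSafely {
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][string]$Destination)
    $sep  = [IO.Path]::DirectorySeparatorChar
    $dest = [IO.Path]::GetFullPath($Destination).TrimEnd($sep) + $sep
    $zip  = [IO.Compression.ZipFile]::OpenRead($Path)
    try {
        # Plan first: resolve every target and reject anything outside $dest
        $plan = foreach ($entry in $zip.Entries) {
            $target = [IO.Path]::GetFullPath([IO.Path]::Combine($dest, $entry.FullName))
            if (-not $target.StartsWith($dest, [StringComparison]::OrdinalIgnoreCase)) {
                throw "Refusing to extract '$($entry.FullName)': resolves to $target, outside $dest"
            }
            [pscustomobject]@{ Entry = $entry; Target = $target }
        }
        [IO.Directory]::CreateDirectory($dest) | Out-Null
        foreach ($item in $plan) {
            if ($item.Entry.Name -eq '') {                     # directory entry
                [IO.Directory]::CreateDirectory($item.Target) | Out-Null
                continue
            }
            [IO.Directory]::CreateDirectory([IO.Path]::GetDirectoryName($item.Target)) | Out-Null
            [IO.Compression.ZipFileExtensions]::ExtractToFile($item.Entry, $item.Target, $true)
        }
        return @($plan).Count
    } finally { $zip.Dispose() }
}

# Constructed test archives: entry names are taken verbatim, traversal included
function New-TestZip {
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][string[]]$EntryNames)
    $fs  = [IO.File]::Create($Path)
    $zip = New-Object IO.Compression.ZipArchive($fs, [IO.Compression.ZipArchiveMode]::Create)
    foreach ($name in $EntryNames) {
        $w = New-Object IO.StreamWriter($zip.CreateEntry($name).Open())
        $w.Write("content of $name")
        $w.Dispose()
    }
    $zip.Dispose(); $fs.Dispose()
}

$work = Join-Path ([IO.Path]::GetTempPath()) ('zipdemo_' + [guid]::NewGuid())
New-Item -ItemType Directory -Path $work | Out-Null

$good = Join-Path $work 'good.zip'
New-TestZip -Path $good -EntryNames 'readme.txt', 'docs/notes.txt'
"good.zip: $(Expand-ZipSafely -Path $good -Destination (Join-Path $work 'out')) entries extracted"

$bad = Join-Path $work 'bad.zip'
New-TestZip -Path $bad -EntryNames 'readme.txt', '../../evil.txt'
try   { Expand-ZipSafely -Path $bad -Destination (Join-Path $work 'out') }
catch { Write-Warning $_.Exception.Message }   # bad.zip is refused before any file is written
```

The validate-then-write split matters: checking each entry as you go still leaves the earlier, benign entries on disk when a later one is rejected, which makes cleanup after a bad archive a guess.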