CMD Cheat Sheet
All by King Cobra, Appreciate the work by commenting on contacting.
SPECIAL CHARACTERS & SYMBOLS
> Redirect output to file (overwrite): echo test > file.txt
>> Append output to file: echo another >> file.txt
< Input from file: sort < list.txt
| Pipe output: dir | findstr "log"
& Run multiple commands: echo hi & dir
&& Run next only if previous succeeds: mkdir test && cd test
|| Run next only if previous fails: dir nofolder || echo failed
^ Escape special characters: echo ^& prints &
* Wildcard (many): del *.txt
? Wildcard (one): file?.txt matches file1.txt
" Use for paths with spaces: "C:\My Folder\file.txt"
\ Directory separator
FILE & DIRECTORY MANIPULATION
dir List files and folders
dir /s /b Full path of all files recursively
cd .. Go one level up
cd \ Go to root
mkdir test Creates "test" directory
del /f /s /q *.log Force delete .log files silently
copy file1.txt D:\ Copy to D:\
xcopy /e /h /k /y s\ d\ Copy all (hidden too)
robocopy src dest /mir Mirror folders
move file.txt D:\arc\ Move or rename
attrib +h +s file.txt Hide file
ren old.txt new.txt Rename file
tree /f Show folder structure with files
type file.txt Print contents
TASK CONTROL & OBSERVATION
tasklist List running tasks
taskkill /pid [pid] Kill a task [/f for forcefully]
sc query List all services
sc query windefend Get info for windefend
sc query | findstr "" Find serviice names by str
SYSTEM & VERSION INFO
ver Windows version
winver GUI version window
vol C: Show volume label
whoami Username and hostname
slmgr.vbs -dli License info
slmgr.vbs -xpr License expiry
slmgr.vbs -ato Activate Windows
hostname Show machine name
echo %username% Logged in user
ASSOC & FTYPE for FILE ASSOCIATIONS
ASSOC
Use the assoc command to list of ftype associations
assoc .xmlfile=XmlFileLegacy.8
Set the ftype and also use it to view individual ftypes but only writing the extension without "=" Remove the associations by a blank =
assoc .txt=
FTYPE
Its literally assoc but ftype is used for
File-to-Program associations, it means that
.txt=textfilelgacy & textfilelegacy="C:/Programs/text.exe"
So, ftype sets the program for the ftype whereas
assoc sets extension for ftype
NETWORKING ESSENTIALS
ipconfig /all Full adapter info
ipconfig /release Drop IP lease
ping google.com Check host reachability
tracert google.com Trace route
netstat -b Display the services and apps responsible for processes
netstat -o Display their respective PID
netstat -an | findstr ":80"
netstat -anob # Best to use command #
netstat -r Display the Routing Table
arp -a IP ↔ MAC mappings
arp -s/-d Add/ Delete MAC from arp cache
route print Routing table
nslookup google.com DNS lookup
getmac Show MAC addresses
DOSKEY
NMAP TOOL TUTORIAL
NETSH – NETWORK SHELL
Syntax Helpers
- add: Add config
- delete: Remove config
- set: Change config
- show: View config
- dump: Save to file
Wi-Fi
netsh wlan show profiles
netsh wlan show profile name="SSID" key=clear
netsh wlan delete profile name="SSID"
netsh wlan export profile name="SSID" folder=C:\ key=clear
IP
netsh interface ip show config
netsh interface ip set address "Ethernet" static 192.168.1.10 255.255.255.0 192.168.1.1
netsh interface ip set dns "Ethernet" static 8.8.8.8
netsh interface ip set address name="Ethernet" source=dhcp
Firewall
netsh advfirewall set allprofiles state off
netsh advfirewall firewall add rule name="Allow8080" dir=in action=allow protocol=TCP localport=8080
netsh advfirewall firewall delete rule name="Allow8080"
Portproxy
netsh interface portproxy add v4tov4 listenport=8080 connectaddress=192.168.1.5 connectport=80
NAT
netsh routing ip nat install
netsh routing ip nat add interface "Ethernet" full
Export/Import
netsh dump > config.txt
netsh exec config.txt
NET COMMAND – USERS, SERVICES, SHARING
1. net view — Discover Computers on the Network
net viewLists all computers in your workgroup or domain that are accessible. Use this to scan what devices are connected.
net view \\TargetComputerShows shared folders on a specific device. Good for initial visibility of shares.
2. net user — User Account Management
net userShows all local accounts. Useful for auditing users on a system.
net user AdministratorShows detailed info about the Administrator account.
net user testuser Pass123! /addCreates a new user account with the specified password.
net user testuser /deleteDeletes the specified user.
net user testuser /active:yes /expires:never /passwordchg:noActivates the account, makes it non-expiring, and prevents password change.
3. net localgroup — Group Privileges
net localgroupLists all local security groups.
net localgroup Administrators testuser /add
Adds testuser to the Administrators group.
Gives high-level access.
net localgroup Administrators testuser /deleteRemoves the user from the Admin group. Use this to lock down privileges.
4. net session — View Active Network Sessions
net sessionLists all open sessions with the local machine. Helpful for auditing who is connected remotely.
net session \\TargetMachine /deleteForcefully ends a session.
5. net use — Map or Disconnect Network Drives
net useShows all currently mapped drives.
net use Z: \\PC1\ShareMaps a shared folder to a drive letter.
net use Z: /deleteDisconnects the mapped drive.
net use \\PC1\Share /user:Username PasswordMaps a share with a specific user credential. Useful when accessing admin shares.
6. net statistics — View System Uptime and Activity
net statistics workstationShows when the system was last started and tracks stats like bytes sent/received.
net statistics serverSame as above, but for server role.
7. net config — System Role Information
net config workstationShows config like workgroup, computer name, and active user.
net config serverUseful in server environments to view shared services.
8. net time — Sync or View Time from Network
net timeDisplays the time from a domain controller.
net time /domain /set /yesAutomatically syncs the system clock with the domain.
9. net start and net stop — Control Windows
Services
net startLists all currently running services.
net start "Windows Time"Starts the specified service.
net stop "Spooler"Stops the print spooler service. Useful in labs to test persistence or service manipulation.
10. net accounts — Password & Login Policy Control
net accountsShows current password and logon rules.
net accounts /minpwlen:10 /maxpwage:30 /minpwage:1Sets the minimum password length, maximum and minimum password age.
11. net file — Remote File Handling
net fileShows files that are opened remotely.
net file [ID] /closeForcefully closes a remote file. Use this to stop sessions if needed.
12. net share — Manage Shared Folders
net shareLists all currently shared folders.
net share MyShare=C:\\Folder /grant:everyone,full
Shares C:\\Folder as MyShare with full
access to everyone. Use only in test environments.
net share MyShare /deleteRemoves the share.
13. Deprecated or Skippable Commands
| Command | Why You Can Skip It |
|---|---|
net send |
Deprecated after XP |
net group |
Only for domain controllers |
net print |
Obsolete printer management |
net computer |
Deprecated, no help available |
SHUTDOWN – POWER CONTROL
Shutdown the local machine
Shuts down the current computer.shutdown /sRestart the local machine
Restarts the current computer after shutdown.shutdown /rLog off the current user
Logs out the current user session.shutdown /lForce close running apps
Forces running applications to close without warning.shutdown /fAbort a shutdown (if already initiated)
Cancels a pending shutdown or restart.shutdown /aShutdown a remote computer
Performs a shutdown on a remote machine.shutdown /m \\PC-NAME /s /fRestart a remote machine
Forces restart on a remote PC.shutdown /m \\PC-NAME /r /fSet a shutdown timer
Schedules shutdown after specific seconds (e.g. 60s).shutdown /s /t 60Show a shutdown message
Displays a custom message on shutdown prompt (max 512 chars).shutdown /s /t 30 /c "System maintenance in progress."Full forced reboot with warning and delay
Reboots after 2 minutes, kills all apps, and shows a message.shutdown /r /f /t 120 /c "System rebooting for updates."Help menu
Displays full list of shutdown options.shutdown /?WMIC – SYSTEM INVENTORY
1. 📦 SYSTEM INFORMATION Get OS version, build, and name
wmic os get Caption, Version, BuildNumberwmic computersystem get Manufacturer, Modelwmic bios get SerialNumberwmic cpu get Name, NumberOfCores, MaxClockSpeedwmic memorychip get Capacity, Speed2. 👤 USER ACCOUNT ENUMERATION List all local users with SID and status
wmic useraccount get Name, SID, Disabled, Lockoutwmic useraccount where "Name='Administrator'" get Lockout3. 🧨 PROCESS CONTROL List running processes (cleaner than tasklist)
wmic process list briefwmic process where "Name='notepad.exe'" call terminatewmic process where "Name='chrome.exe'" get ProcessId, ExecutablePath4. 🛠️ INSTALLED SOFTWARE List installed programs with version
wmic product get Name, Versionwmic product where "Name like '%Visual Studio%'" get Name, Version5. 🌐 NETWORK INFO Get IP address and MAC of all adapters
wmic nicconfig get Description, MACAddress, IPAddresswmic nic where "NetEnabled='true'" get Name, MACAddress6. 🚀 STARTUP PROGRAMS List programs that run at startup
wmic startup get Caption, Command7. ⚙️ WINDOWS SERVICES Show all services
wmic service list briefwmic service where "Name='Spooler'" call startservicewmic service where "Name='Spooler'" call stopservice8. 🕒 SYSTEM BOOT TIME View last boot time
wmic os get LastBootUpTimewmic process list full /format:htable > processes.htmlwmic useraccount get Name, SID > users.txt10. 🎯 REMOTE SYSTEM ENUM (Admin Access Needed) Run command on remote machine
wmic /node:"192.168.1.10" /user:"admin" /password:"pass123" process list briefDIRECTORY PERMISSION EXPLOITATION
icacls
Note:
Sids may be in either numerical or friendly name form. If a numerical
form is given, affix a * to the start of the SID.
/T indicates that this operation is performed on all matching
files/directories below the directories specified in the name.
/C indicates that this operation will continue on all file errors.
Error messages will still be displayed.
/L indicates that this operation is performed on a symbolic link
itself versus its target.
/Q indicates that icacls should suppress success messages.
N - no access
F - full access
M - modify access
RX - read and execute access
R - read-only access
W - write-only access
D - delete access
icacls Folder and file Permission tool
icacls [path] Check Permissions of a folder/file
icacls [path] /[SID] User /t /c
All files target user [you] has access to
icacls [path] /grant Host\User:[Rights]
Add Rights, use /grant:r to replace existing ones and :g for granted ones
icacls [path] /setowner User
Make yourself supreme owner of target destination
--- If u r blocked by the firewall use this command to grant access:
takeown /f [path] Instantly take ownership and access
icacls [path] /deny Everyone:F
Deny Full Access [F] to all
icacls [path] /remove User
Use /remove:g to remove granted perms and
normal /remove to wipe all access for the user.
--- To Hide your changes so you don't get tracked, do this before:
icacls [path] /save perms.txt /t
--- To restore the saved permissions:
icacls [path] /restore perms.txt /t
--- Factory reset permissions:
icacls [path] /reset /t
--- For Attacks mainly look for:
INPUT:
icacls C:\ /t /c | findstr /i "Everyone BUILTIN\Users"
OUTPUT:
Everyone: (F)
BUILTIN\Users:(M)
--- It means non-admin users can escalate permissions and do any stuff
whoami
whoami
Get [Host\User]
whoami /user
Get User_Name and SID : Is same as wmic useraccount get name,SID
whoami /priv
Get to know priveleges for current user
whoami /logonid
Get the logon SID for the session
Reading a SID
User Name SID
===================== ==============================================
honor-magicbook\archa S-1-5-21-1459315111-1280694585-1677732344-1001
S
--- SID Identifier
1
--- Revision Number
5
--- Authority Issuing SID
21
--- Indicates SID is for a domain
1459315111-1280694585-1677732344
--- Domain Identifiers
1001
--- RID for a user or group