windows 命令巧用(持续更新)
BDCMS :: 9bce763974bf7a4c9ed20335568af4c1 NWWxfW PASS:弱口令
::信息收集
WMIC命令
# 查看系统版本
wmic OS get Caption,CSDVersion,OSArchitecture,Version
# 查看杀毒软件
wmic /node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
# 查看当前安装测软件
wmic product get name,version
nbtscan命令
nbtscan -n -m x.x.x.x/xx
-n No looking up inverse names of IP addresses responding
-m include MAC address in response (implied by '-f')
netstat 命令
netstat -ano
netstat -anvb
netstat -s -p [tcp|udp|ip|icmp]
建立的连接(ESTABLISHED)
监听连接请求(LISTENING)
CMDKEY 命令 远程桌面连接历史记录
cmdkey /l
# 关闭/打开防火墙
netsh firewall set opmode disable
netsh firewall set opmode enable
# 网卡禁用和启用
netsh interface set interface "本地连接" disabled
netsh interface set interface "本地连接" enabled
# 当前运行中的进程
tasklist /m /svc
# 查看所有服务状态及指定服务
sc query [ServiceName]
# 查看本机所有驱动
driverquery
# AccessChk V.6.12 工具下载地址
https://docs.microsoft.com/zh-cn/sysinternals/downloads/accesschk
用法:
accesschk64 "administrator" e:\1 # 查找e:\1目录下所有 存在administrator权限的文件
# findstr 命令高级用法
systeminfo | findstr /b /c:"OS Name" /c:"OS Version"
/c: # 需要匹配和回显的内容
Using AccessChk
Usage: accesschk [-s][-e][-u][-r][-w][-n][-v]-[f <account>,...][[-a]|[-k]|[-p [-f] [-t]]|[-h][-o [-t <object type>]][-c]|[-d]] [[-l [-i]]|[username]] <file, directory, registry key, process, service, object>
Parameter | Description |
---|---|
-a | Name is a Windows account right. Specify "*" as the name to show all rights assigned to a user. Note that when you specify a specific right, only groups and accounts directly assigned to the right are displayed. |
-c | Name is a Windows Service, e.g. ssdpsrv. Specify "*" as the name to show all services and "scmanager" to check the security of the Service Control Manager. |
-d | Only process directories or top-level keys |
-e | Only show explicitly set-Integrity Levels (Windows Vista Vista and higher only) |
-f | If following -p, shows full process token information including groups and privileges. Otherwise is a list of comma-separated accounts to filter from the output. |
-h | Name is a file or printer share. Specify '*' as the name to show all shares. |
-i | Ignore objects with only inherited ACEs when dumping full access control lists. |
-k | Name is a Registry key, e.g. hklm\software |
-l | Show full security descriptor. Add -i to ignore inherited ACEs. |
-n | Show only objects that have no access |
-o | Name is an object in the Object Manager namespace (default is root). To view the contents of a directory, specify the name with a trailing backslash or add -s. Add -t and an object type (e.g. section) to see only objects of a specific type. |
-p | Name is a process name or PID, e.g. cmd.exe (specify "*" as the name to show all processes). Add -f to show full process token information, including groups and privileges. Add -t to show threads. |
-q | Omit Banner |
-r | Show only objects that have read access |
-s | Recurse |
-t | Object type filter, e.g. "section" |
-u | Suppress errors |
-v | Verbose (includes Windows Vista Integrity Level) |
-w | Show only objects that have write access |
If you specify a user or group name and path, AccessChk will report the effective permissions for that account; otherwise it will show the effective access for accounts referenced in the security descriptor.
By default, the path name is interpreted as a file system path (use the "\pipe\" prefix to specify a named pipe path). For each object, AccessChk prints R if the account has read access, W for write access, and nothing if it has neither. The -v switch has AccessChk dump the specific accesses granted to an account.
Examples
The following command reports the accesses that the Power Users account has to files and directories in \Windows\System32:
accesschk "power users" c:\windows\system32
This command shows which Windows services members of the Users group have write access to:
accesschk users -cw \*
To see what Registry keys under HKLM\CurrentUser a specific account has no access to:
accesschk -kns austin\mruss hklm\software
To see the security on the HKLM\Software key:
accesschk -k hklm\software
To see all files under \Users\Mark on Vista that have an explicit integrity level:
accesschk -e -s c:\users\mark
To see all global objects that Everyone can modify:
accesschk -wuo everyone \basednamedobjects
# 要查看与当前帐户使用关联的权限
whoami /priv
。
# 一个好玩的“隐写术”
^"%LOCALAPPDATA:~-3%^%SYSTEMROOT:~0,1%^" # calc
^%LOCALAPPDATA:~0,1%^%Programdata:~9,1%^%SYSTEMROOT:~-4,1%^ # cmd
rundll32.exe user32.dll LockWorkStation # 锁屏功能
%APPDATA:~-7,1%^%APPDATA:~3,1%^%comspec:~5,1%^%OS:~3,1%^%TEMP:~-6,1%^%TEMP:~-6,1%^32^%comspec:~-4%^ %temp:~3,4%^32^.d^%TEMP:~-6,1%^%TEMP:~-6,1%^ LockWorkStation
# 创建一个空白.txt文件
fsutil file createnew X:\demo.txt 0
# 关机脚本研究
# win2008
schtasks /create /tn gj /sc once /st 21:00 /tr c:\gj.bat
# win2003
schtasks /create /tn gj /sc once /st 21:00 /tr c:\gj.bat /ru <指定用户,不指定为默认当前用户> /rp <用户密码>
# 计划任务快捷方式
taskschd.msc
# Chrome 相关
# 版本 76.0.3809.100(正式版本) (64 位) FLASH被屏蔽 问题
chrome://settings/content/flash # 设置为先询问
参考:
http://memorycorruption.org/windows/2018/07/29/Notes-On-Windows-Privilege-Escalation.html
https://docs.microsoft.com/zh-cn/sysinternals/downloads/accesschk
http://blog.51cto.com/rangercyh/497497
https://xz.aliyun.com/t/2519