• windows 命令巧用(持续更新)


    BDCMS :: 9bce763974bf7a4c9ed20335568af4c1    NWWxfW       PASS:弱口令

    ::信息收集 

    WMIC命令

    # 查看系统版本

    wmic OS get Caption,CSDVersion,OSArchitecture,Version

    # 查看杀毒软件

    wmic /node:localhost /Namespace:\rootSecurityCenter2 Path AntiVirusProduct Get displayName /Format:List

    # 查看当前安装测软件

    wmic product get name,version

    nbtscan命令

    下载地址

    nbtscan -n -m x.x.x.x/xx

    -n        No looking up inverse names of IP addresses responding

    -m        include MAC address in response (implied by '-f')

    netstat 命令

    netstat -ano

    netstat -anvb

    netstat -s -p [tcp|udp|ip|icmp]

    CMDKEY 命令 远程桌面连接历史记录 

    cmdkey /l

    # 关闭/打开防火墙

    netsh firewall set opmode disable

    netsh firewall set opmode enable

    # 当前运行中的进程

    tasklist /m    /svc

    # 查看所有服务状态及指定服务

    sc query [ServiceName]

    # 查看本机所有驱动

    driverquery

    # AccessChk V.6.12 工具下载地址

    https://docs.microsoft.com/zh-cn/sysinternals/downloads/accesschk

    用法:

    accesschk64  "administrator" e:1   #  查找e:1目录下所有 存在administrator权限的文件

    # findstr 命令高级用法

    systeminfo | findstr /b /c:"OS Name" /c:"OS Version"  

    /c: # 需要匹配和回显的内容

      

    Using AccessChk

    Usage: accesschk [-s][-e][-u][-r][-w][-n][-v]-[f <account>,...][[-a]|[-k]|[-p [-f] [-t]]|[-h][-o [-t <object type>]][-c]|[-d]] [[-l [-i]]|[username]] <file, directory, registry key, process, service, object>

    ParameterDescription
    -a Name is a Windows account right. Specify "*" as the name to show all rights assigned to a user. Note that when you specify a specific right, only groups and accounts directly assigned to the right are displayed.
    -c Name is a Windows Service, e.g. ssdpsrv. Specify "*" as the name to show all services and "scmanager" to check the security of the Service Control Manager.
    -d Only process directories or top-level keys
    -e Only show explicitly set-Integrity Levels (Windows Vista Vista and higher only)
    -f If following -p, shows full process token information including groups and privileges. Otherwise is a list of comma-separated accounts to filter from the output.
    -h Name is a file or printer share. Specify '*' as the name to show all shares.
    -i Ignore objects with only inherited ACEs when dumping full access control lists.
    -k Name is a Registry key, e.g. hklmsoftware
    -l Show full security descriptor. Add -i to ignore inherited ACEs.
    -n Show only objects that have no access
    -o Name is an object in the Object Manager namespace (default is root). To view the contents of a directory, specify the name with a trailing backslash or add -s. Add -t and an object type (e.g. section) to see only objects of a specific type.
    -p Name is a process name or PID, e.g. cmd.exe (specify "*" as the name to show all processes). Add -f to show full process token information, including groups and privileges. Add -t to show threads.
    -q Omit Banner
    -r Show only objects that have read access
    -s Recurse
    -t Object type filter, e.g. "section"
    -u Suppress errors
    -v Verbose (includes Windows Vista Integrity Level)
    -w Show only objects that have write access

    If you specify a user or group name and path, AccessChk will report the effective permissions for that account; otherwise it will show the effective access for accounts referenced in the security descriptor.

    By default, the path name is interpreted as a file system path (use the "pipe" prefix to specify a named pipe path). For each object, AccessChk prints R if the account has read access, W for write access, and nothing if it has neither. The -v switch has AccessChk dump the specific accesses granted to an account.

    Examples

    The following command reports the accesses that the Power Users account has to files and directories in WindowsSystem32:

    accesschk "power users" c:windowssystem32

    This command shows which Windows services members of the Users group have write access to:

    accesschk users -cw *

    To see what Registry keys under HKLMCurrentUser a specific account has no access to:

    accesschk -kns austinmruss hklmsoftware

    To see the security on the HKLMSoftware key:

    accesschk -k hklmsoftware

    To see all files under UsersMark on Vista that have an explicit integrity level:

    accesschk -e -s c:usersmark

    To see all global objects that Everyone can modify:

    accesschk -wuo everyone asednamedobjects

    # 要查看与当前帐户使用关联的权限

    whoami /priv

    # 一个好玩的“隐写术”

    ^"%LOCALAPPDATA:~-3%^%SYSTEMROOT:~0,1%^"    # calc

    ^%LOCALAPPDATA:~0,1%^%Programdata:~9,1%^%SYSTEMROOT:~-4,1%^   # cmd

    rundll32.exe user32.dll LockWorkStation  # 锁屏功能

    %APPDATA:~-7,1%^%APPDATA:~3,1%^%comspec:~5,1%^%OS:~3,1%^%TEMP:~-6,1%^%TEMP:~-6,1%^32^%comspec:~-4%^ %temp:~3,4%^32^.d^%TEMP:~-6,1%^%TEMP:~-6,1%^ LockWorkStation

    # 创建一个空白.txt文件

    fsutil file createnew X:demo.txt 0

      

    # 关机脚本研究
    # win2008
    schtasks /create /tn gj /sc once /st 21:00 /tr c:gj.bat
    # win2003
    schtasks /create /tn gj /sc once /st 21:00 /tr c:gj.bat /ru <指定用户,不指定为默认当前用户> /rp <用户密码>
    # 计划任务快捷方式
    taskschd.msc

    # Chrome 相关

    #  版本 76.0.3809.100(正式版本) (64 位)  FLASH被屏蔽 问题

    chrome://settings/content/flash    # 设置为先询问

    参考:

    http://memorycorruption.org/windows/2018/07/29/Notes-On-Windows-Privilege-Escalation.html

    https://docs.microsoft.com/zh-cn/sysinternals/downloads/accesschk

    http://blog.51cto.com/rangercyh/497497

    https://xz.aliyun.com/t/2519

  • 相关阅读:
    webrtc连接方法——TURN服务器和STUN服务器作用简介
    IM音视频即时通讯系统EasyRTC如何利用webrtc技术进行优化和发展?
    TSINGSEE青犀视频平台可以实现音视频混流吗?
    深入浅出Java 重定向和请求转发的区别
    特征工程-特征提取
    cart剪枝
    决策树算法简介
    逻辑回归介绍
    sklearn模型的保存和加载
    celery 定时任务时间篇
  • 原文地址:https://www.cnblogs.com/Cong0ks/p/9443210.html
Copyright © 2020-2023  润新知