
Windows Commands Commonly Used in Offense/Defense Engagements (Penetration Testing and Incident Response)

I. Penetration Testing



1. Information gathering


# View system information
>systeminfo

# View user information
>net user
>net user xxx

# View network information
>ipconfig /all
>route print
>netstat -abon
>netstat -s
>nbtstat -c
>nbtstat -n
>arp -a




# Query domain information
>net time /domain
>net view /domain
>net user /domain
>net group "domain admins" /domain
>dsquery computer
>dsquery server
>dsquery group
>dsquery user
>dsget group "CN=Administrators,CN=Builtin,DC=foo,DC=com" -members



# Capture credential information
>.\getpassword

2. Operations


# Add, delete and assign users to permission groups (appending $ to the account name hides it), switch user
>net user pentest 123456 /add
>net localgroup administrators pentest /add
>net user pentest /del
>runas /noprofile /user:administrator [command]

# Network operations
>netsh interface ip set address name="本地連線" source=static addr=192.168.0.106 mask=255.255.255.0
>netsh interface ip set address name="本地連線" gateway=192.168.0.1 gwmetric=0
>netsh interface ip set dns name="本地連線" source=static addr=114.114.114.114 register=PRIMARY
>netsh interface portproxy add v4tov4 listenport=3340 listenaddress=a.b.c.d connectport=3389 connectaddress=w.x.y.z  # port forwarding
>netsh advfirewall firewall add rule name="forwarded_RDPport_3340" protocol=TCP dir=in localip=w.x.y.z localport=3340 action=allow  # modify the firewall
>arp -d  # clear the ARP cache

# IPC operations
>net use \\ip\ipc$ [password] /user:[username]  # with both username and password empty this establishes a null session
>net use h: \\ip\c$
>net view \\ip
>net share  # view local shares
>net share ipc$ [/del]  # enable / disable the ipc$ share
>net share c$ [/del]  # enable / disable the c$ share

II. Incident Response (where several tools overlap, wmic is the one covered)



1. System information

>systeminfo
>wmic os
>wmic cpu
>wmic nteventlog  # system event logs
>wmic computersystem

2. Processes and services

>tasklist  # list processes
>tasklist | findstr "evil.exe"
>taskkill /f /t /im evil.exe
>wmic process list full
>wmic process get xxx,xxx,xxx
>wmic process where processid="2345" delete  # terminate a process
>wmic process call create "C:\Program Files\Tencent\QQ\QQ.exe"  # create a process
>wmic process where name="jqs.exe" get executablepath  # show the executable path of a process
>wmic service [list full] [get xxxx,xxxx]
>wmic service where name="xxx" call [startservice | stopservice | pauseservice | delete ]

3. Accounts, domains and workgroups

>wmic useraccount
>wmic sysaccount
>wmic computersystem get domain  # view the domain / workgroup
>wmic group
>wmic netlogin  # network login information
>wmic logon  # logon log

4. Shares, remote access and startup items

>wmic /node:"a.b.c.d" /password:"xxxxxx" /user:"administrator"  # connect to a remote host
>wmic share
>wmic share where name='x$' call delete
>wmic share call create "","xxx","3","TestShareName","","c:\xxx\xxx",0  # create a share
>wmic startup list  # check startup items

5. Helper script

A very simple batch script for quick information collection during incident response; I have tested it and it works.

@echo off
REM Save as a .bat file and run from an elevated prompt.
REM whoami prints host\user; take the user part (the original stripped a fixed 6 characters,
REM which only works when the host name is exactly 5 characters long).
for /F "tokens=2 delims=\" %%i in ('whoami') do set username=%%i
set reportdir=C:\Users\%username%\Desktop\report\
if not exist "%reportdir%" mkdir "%reportdir%"
cd /d "%reportdir%"

REM System information
systeminfo >> info.txt

REM Five back-to-back snapshots of connections with owning process, as in the original
for /L %%n in (1,1,5) do netstat -abo >> netflow.txt

REM WMI inventories exported as HTML tables
wmic process list full /format:hform >> process.html
wmic service list full /format:hform >> services.html
wmic useraccount list full /format:hform >> user.html
wmic sysaccount list full /format:hform >> sysaccount.html
wmic group list full /format:hform >> group.html
wmic logon list full /format:hform >> logonlog.html
wmic netlogin list full /format:hform >> netloginlog.html
wmic job list full /format:hform >> job.html
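Because WMIC is deprecated in current Windows releases, the following is an added PowerShell/CIM version of the same triage collection (the process, connection, service and startup checks from sections 2 and 4 and the batch script above). It is example code, not from the original post; the report folder path and the list of "trusted" executable roots used for the Suspicious flag are assumptions, and the flag is only a heuristic to prioritise review.

```powershell
# Added example: CIM-based equivalents of the wmic/netstat triage commands above.
# Assumptions: elevated PowerShell 5.1+ on Windows; $ReportDir is a constructed path.
$ReportDir = Join-Path $env:USERPROFILE 'Desktop\report'
New-Item -ItemType Directory -Path $ReportDir -Force | Out-Null

# Executable locations treated as normal; processes running from elsewhere get flagged.
$TrustedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }

$procs = Get-CimInstance Win32_Process
$byPid = @{}
foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }

# Process inventory with parent, path, command line and a location-based flag
$procReport = foreach ($p in $procs) {
    $parent = $byPid[[int]$p.ParentProcessId]
    $inTrusted = $false
    foreach ($root in $TrustedRoots) {
        if ($p.ExecutablePath -and $p.ExecutablePath.StartsWith($root, 'OrdinalIgnoreCase')) { $inTrusted = $true }
    }
    [pscustomobject]@{
        PID        = $p.ProcessId
        Name       = $p.Name
        Parent     = if ($parent) { $parent.Name } else { '<none>' }
        Path       = $p.ExecutablePath
        Suspicious = ($null -ne $p.ExecutablePath) -and (-not $inTrusted)
        Started    = $p.CreationDate
        CmdLine    = $p.CommandLine
    }
}
$procReport | Export-Csv (Join-Path $ReportDir 'process.csv') -NoTypeInformation
$procReport | Where-Object Suspicious | Format-Table PID, Name, Parent, Path -AutoSize

# Established TCP connections mapped to the owning process (netstat -abo equivalent)
$netReport = Get-NetTCPConnection -State Established | ForEach-Object {
    $owner = $byPid[[int]$_.OwningProcess]
    [pscustomobject]@{
        Local   = "$($_.LocalAddress):$($_.LocalPort)"
        Remote  = "$($_.RemoteAddress):$($_.RemotePort)"
        PID     = $_.OwningProcess
        Process = if ($owner) { $owner.Name } else { '<unknown>' }
        Path    = if ($owner) { $owner.ExecutablePath } else { '' }
    }
}
$netReport | Export-Csv (Join-Path $ReportDir 'netflow.csv') -NoTypeInformation

# Startup entries and auto-start services (wmic startup / wmic service equivalents)
Get-CimInstance Win32_StartupCommand | Select-Object Name, Command, Location, User |
    Export-Csv (Join-Path $ReportDir 'startup.csv') -NoTypeInformation
Get-CimInstance Win32_Service | Where-Object { $_.StartMode -eq 'Auto' } |
    Select-Object Name, State, PathName | Export-Csv (Join-Path $ReportDir 'services.csv') -NoTypeInformation
```

The CSV output can be diffed against a known-good baseline from the same build, which is usually faster than reading the HTML tables produced by wmic by eye.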