[collect] Some Windows commands [bak]


Internal network (domain) penetration - 1. Basic commands

====================================================

ipconfig /all                                   # query this host's IP range, the domain it belongs to, etc.
net user                                        # local user list
net localgroup administrators                   # local administrators [usually contains domain users]
net user /domain                                # query domain users
net group /domain                               # query the groups in the domain
net group "domain admins" /domain               # query the domain admins group
net localgroup administrators /domain           # domain administrators who log on to this machine
net localgroup administrators workgroup\user001 /add   # add a domain user to the local administrators group
net group "domain controllers" /domain          # view the domain controllers (if there are several)
net time /domain                                # identify the primary domain; primary domain servers all act as time servers
net config workstation                          # current logon domain
net session                                     # view current sessions
net use \\ip\ipc$ password /user:username       # establish an IPC session [null session - ***]
net share                                       # view the paths SMB shares point to [i.e. the shares]
net view                                        # list the machines in the same domain
net view \\ip                                   # query the shares of a given IP
net view /domain                                # query the domain list
net view /domain:domainname                     # list the computers in the given workgroup/domain
net start                                       # view the currently running services
net accounts                                    # view the local password policy
net accounts /domain                            # view the domain password policy
nbtstat -A ip                                   # NetBIOS query
netstat -an / -ano / -anb                       # network connection query
route print                                     # routing table

====================================================

dsquery computer    # finds computers in the directory.
dsquery contact     # finds contacts in the directory.
dsquery subnet      # finds subnets in the directory.
dsquery group       # finds groups in the directory.
dsquery ou          # finds organizational units in the directory.
dsquery site        # finds sites in the directory.
dsquery server      # finds domain controllers in the directory.
dsquery user        # finds users in the directory.
dsquery quota       # finds quota specifications in the directory.
dsquery partition   # finds partitions in the directory.
dsquery *           # finds any object in the directory by using a generic LDAP query.
dsquery server -domain Yahoo.com | dsget server -dnsname -site   # DNS host names and site names of the domain controllers in the domain
dsquery computer domainroot -name *-xp -limit 10                 # find 10 machines in the domain whose names end in -xp
dsquery user domainroot -name admin* -limit 10                   # find 10 users in the domain whose names start with admin
……
……
[Note: dsquery comes from the Windows Server 2003 Administration Tools Pack]

====================================================

tasklist /V                                 # view processes [shows the owning user]
tasklist /S ip /U domain\username /P /V     # view the process list of a remote computer
qprocess *                                  # similar to tasklist
qprocess /SERVER:IP                         # view the process list of a remote computer
nslookup -qt=MX Yahoo.com                   # look up the mail servers
whoami /all                                 # query the current user's privileges, etc.
set                                         # view system environment variables
systeminfo                                  # view system information
qwinsta                                     # view logon sessions
qwinsta /SERVER:IP                          # view logon sessions on a remote computer
fsutil fsinfo drives                        # list all drive letters
gpupdate /force                             # refresh domain policy

===================================================

wmic bios                   # view BIOS information
wmic qfe                    # view installed hotfixes
wmic qfe get hotfixid       # view hotfix (patch) IDs
wmic startup                # view startup items
wmic service                # view services
wmic os                     # view OS information
wmic process get caption,executablepath,commandline
wmic process call create "process_name"   (executes a program)
wmic process where name="process_name" call terminate   (terminates a program)
wmic logicaldisk where drivetype=3 get name, freespace, systemname, filesystem, size, volumeserialnumber   (hard drive information)
wmic useraccount   (usernames, SIDs, and various security-related goodies)
wmic useraccount get /ALL
wmic share get /ALL   (you can use ? to get help!)
wmic startup list full   (this can be a huge list!!!)
wmic /node:"hostname" bios get serialnumber   (this can be great for finding warranty info about the target)

====================================================

Password hash dump tools    -- list of hash-dumping tools [big collection]


23 comments on "[collect] Some Windows commands [bak]"

  1. A roundup of tools and platforms for internal network penetration
    https://www.secpulse.com/archives/54670.html
    `
    Frameworks/platforms: Metasploit, Cobaltstrike, Empire, Empyre
    Proxies/port forwarding: sockscap, proxifier, Redsocks, Proxychains, SSH local/remote port forwarding, netcat/socat/hping, Metasploit
    Port scanning: nmap, fscan, Metasploit, Portscan.ps1
    PowerShell scripts: nishang, powersploit, PowerTools, PowerShell-AD-Recon
    `

  2. `
    •2: Interactive logon — This is used for a logon at the console of a computer. A type 2 logon is logged when you attempt to log on at a Windows computer’s local keyboard and screen.

    •3: Network logon — This logon occurs when you access remote file shares or printers. Also, most logons to Internet Information Services (IIS) are classified as network logons, other than IIS logons that use the basic authentication protocol (those are logged as logon type 8).

    •4: Batch logon — This is used for scheduled tasks. When the Windows Scheduler service starts a scheduled task, it first creates a new logon session for the task, so that it can run in the security context of the account that was specified when the task was created.

    •5: Service logon — This is used for services and service accounts that log on to start a service. When a service starts, Windows first creates a logon session for the user account that is specified in the service configuration.

    •7: Unlock—This is used whenever you unlock your Windows machine.

    •8: Network clear text logon—This is used when you log on over a network and the password is sent in clear text. This happens, for example, when you use basic authentication to authenticate to an IIS server.

    •9: New credentials-based logon—This is used when you run an application using the RunAs command and specify the /netonly switch. When you start a program with RunAs using /netonly, the program starts in a new logon session that has the same local identity (this is the identity of the user you are currently logged on with), but uses different credentials (the ones specified in the runas command) for other network connections. Without /netonly, Windows runs the program on the local computer and on the network as the user specified in the runas command, and logs the logon event with type 2.

    •10: Remote Interactive logon—This is used for RDP-based applications like Terminal Services, Remote Desktop or Remote Assistance.

    •11: Cached Interactive logon—This is logged when users log on using cached credentials, which basically means that in the absence of a domain controller, you can still log on to your local machine using your domain credentials. Windows supports logon using cached credentials to ease the life of mobile users and users who are often disconnected.
    `
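The logon-type table in the comment above corresponds to the LogonType field of Security event 4624. The Python below is an added example (not part of the original post or of this comment): it classifies constructed sample 4624/4625 records by that table and flags the types a defender usually reviews first (8, 9 and 10); the flattened key=value record format and the sample lines are assumptions.

```python
import re
from collections import Counter

# Logon type -> short description, as listed in the comment above.
LOGON_TYPES = {
    2: "Interactive (console)",
    3: "Network (file shares, IIS)",
    4: "Batch (scheduled task)",
    5: "Service",
    7: "Unlock",
    8: "NetworkCleartext (password sent in clear)",
    9: "NewCredentials (runas /netonly)",
    10: "RemoteInteractive (RDP/Terminal Services)",
    11: "CachedInteractive (no DC reachable)",
}
# Types worth a second look: cleartext passwords on the wire, RDP
# sessions, and explicit alternate credentials.
REVIEW_TYPES = {8, 9, 10}

# Constructed sample records in a flattened key=value form, roughly what
# an Event ID 4624 export looks like; these are not real log lines.
SAMPLE_EVENTS = [
    "EventID=4624 TargetUserName=alice LogonType=2 IpAddress=-",
    "EventID=4624 TargetUserName=svc_backup LogonType=5 IpAddress=-",
    "EventID=4624 TargetUserName=bob LogonType=8 IpAddress=10.0.0.5",
    "EventID=4624 TargetUserName=admin01 LogonType=10 IpAddress=10.0.0.9",
    "EventID=4625 TargetUserName=bob LogonType=3 IpAddress=10.0.0.5",
    "EventID=4624 TargetUserName=carol LogonType=11 IpAddress=-",
]

def parse_event(line):
    """Return the record as a dict; LogonType becomes an int or None."""
    rec = dict(re.findall(r"(\w+)=(\S+)", line))
    lt = rec.get("LogonType", "")
    rec["LogonType"] = int(lt) if lt.isdigit() else None
    return rec

def describe(logon_type):
    return LOGON_TYPES.get(logon_type, "Unknown logon type")

def summarize(lines):
    """Count successful (4624) logons per type and collect records to review."""
    counts, review = Counter(), []
    for rec in map(parse_event, lines):
        if rec.get("EventID") != "4624" or rec["LogonType"] is None:
            continue  # failed logons (4625) and malformed lines are skipped
        counts[rec["LogonType"]] += 1
        if rec["LogonType"] in REVIEW_TYPES:
            review.append((rec["TargetUserName"], rec["LogonType"], rec["IpAddress"]))
    return counts, review
```

On a real host the same logic applies to a CSV or JSON export of the Security log; type 8 is the one to chase down first, since the password crossed the network in clear.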

  3. check_hashes.py: a script that checks for domain users sharing the same password hash
    `
    #Purpose: To check for and reveal AD user accounts that share passwords using a hashdump from a Domain Controller
    #Script requires a command line argument of a file containing usernames/hashes in the format of user:sid:LMHASH:NTLMHASH:::
    # ./check_hashes.py
    `
    https://gist.github.com/bandrel/3dd47c93cd430606865ec84d281913dc
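As an added example (not the check_hashes.py script linked above), the Python below performs the same kind of audit: it parses the user:sid:LMHASH:NTLMHASH::: format named in the comment, groups accounts by NT hash to reveal shared passwords, and also reports accounts with an empty password or with an LM hash still stored. The sample dump is constructed and its non-empty hash values are made-up hex.

```python
from collections import defaultdict

# Well-known hash values for an empty password (real constants).
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Constructed sample dump in the user:sid:LMHASH:NTHASH::: format; the
# non-empty hash values are made-up hex, not hashes of any real password.
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
alice:1105:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
bob:1106:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
svc_old:1107:0123456789abcdef0123456789abcdef:fedcba9876543210fedcba9876543210:::
guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
# comment lines and malformed lines are skipped
not a valid record
"""

def parse_dump(text):
    """Yield (user, rid, lm, nt) for each well-formed line of a dump."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 4 or len(parts[2]) != 32 or len(parts[3]) != 32:
            continue
        yield parts[0], parts[1], parts[2].lower(), parts[3].lower()

def audit(text):
    """Return (shared, empty_pw, lm_stored):
    shared    - NT hash -> list of users that share it (password reuse)
    empty_pw  - users whose NT hash is the empty-password hash
    lm_stored - users that still have an LM hash on record
    """
    by_nt = defaultdict(list)
    empty_pw, lm_stored = [], []
    for user, _rid, lm, nt in parse_dump(text):
        by_nt[nt].append(user)
        if nt == EMPTY_NT:
            empty_pw.append(user)
        if lm != EMPTY_LM:
            lm_stored.append(user)
    shared = {nt: users for nt, users in by_nt.items() if len(users) > 1}
    return shared, empty_pw, lm_stored
```

Comparing hashes needs no cracking: two accounts with the same NT hash have the same password, which is the condition a domain password-hygiene review wants to surface.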
