Windows batch (.bat) version:

```bat
@echo off
echo #########system info collection
systeminfo
ver
hostname
net user
net localgroup
net localgroup administrators
net user guest
net user administrator
echo #######at - the Windows counterpart of atq#####
at
schtasks /query
echo.
echo ####task-list#############
tasklist /svc
echo.
echo ####network information
ipconfig /all
route print
arp -a
netstat -an
ipconfig /displaydns
echo.
echo #######service############
sc query type= service state= all
echo #######file-##############
cd \
tree /F
```

Linux shell version:

```bash
#!/bin/bash
echo "#######getting sysinfo####"
echo "######usage: ./getinfo.sh >/tmp/sysinfo.txt"
echo "#######basic information##"
cat /proc/meminfo
echo
cat /proc/cpuinfo
echo
rpm -qa 2>/dev/null
######stole the mail......######
cp -a /var/mail /tmp/getmail 2>/dev/null
echo "ur id is $(id)"
echo "###atq&crontab#####"
atq
crontab -l
echo "#####about var#####"
set
echo "#####about network###"
####this is the point in pentest, but i am a new bird, so u need to add some in it
cat /etc/hosts
hostname
ifconfig -a
arp -v
echo "####user####"
cat /etc/passwd | grep -i sh
echo "####service####"
chkconfig --list
for i in {oracle,mysql,tomcat,samba,apache,ftp}; do
    cat /etc/passwd | grep -i "$i"
done
locate passwd >/tmp/password 2>/dev/null
sleep 5
locate password >>/tmp/password 2>/dev/null
sleep 5
locate conf >/tmp/sysconfig 2>/dev/null
sleep 5
locate config >>/tmp/sysconfig 2>/dev/null
sleep 5
###maybe can use "tree /"###
echo "##packing up#########"
tar cvf getsysinfo.tar /tmp/getmail /tmp/password /tmp/sysconfig
rm -rf /tmp/getmail /tmp/password /tmp/sysconfig
```
Collected from around the web~

Plus a VBS version:
```vbscript
' VBS script that retrieves hardware information
' WMI namespace path: the backslashes were lost when the script was pasted
REM 'Get IP address'
REM 'Check whether DNS is empty, and whether the IP address starts with 10 or 192'
strComputer = "."
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\CIMV2")
Set colItems = objWMIService.ExecQuery("SELECT * FROM Win32_NetworkAdapterConfiguration WHERE IPEnabled=TRUE",,48)
For Each objItem in colItems
    If Not IsNull(objItem.DNSServerSearchOrder) Then
        IPX = objItem.IPAddress(0)
        LefIP = Split(IPX, ".")(0)
        If LefIP = "10" OR LefIP = "192" Then
            IP = IPX
            Wscript.Echo "ip:" & IP
        End If
    End If
Next

REM 'Get serial number (SN)'
Set colItems = objWMIService.ExecQuery("SELECT * FROM Win32_BIOS",,48)
For Each objItem in colItems
    SN = objItem.SerialNumber
    Wscript.Echo "Sn: " & SN
Next

REM 'Get CPU information'
Set colItems = objWMIService.ExecQuery("SELECT * FROM Win32_Processor",,48)
For Each objItem in colItems
    Processor = objItem.Name
    Wscript.Echo "Processors: " & Processor
Next

REM 'Get memory information'
Set colItems = objWMIService.ExecQuery("SELECT * FROM Win32_ComputerSystem",,48)
For Each objItem in colItems
    Memory = Round(objItem.TotalPhysicalMemory / 1024^3) & "GB"
    Wscript.Echo "Memory: " & Memory
Next

REM 'Get disk information'
Set colItems = objWMIService.ExecQuery("SELECT * FROM Win32_DiskDrive",,48)
For Each objItem in colItems
    Disk = objItem.Model
    Wscript.Echo "Disk: " & Disk
Next

REM 'Get computer brand'
Set colItems = objWMIService.ExecQuery("SELECT * FROM Win32_BaseBoard",,48)
For Each objItem in colItems
    Pinpai = objItem.Manufacturer
Next

REM 'Get summary information'
Set colItems = objWMIService.ExecQuery("SELECT * FROM Win32_BaseBoard",,48)
For Each objItem in colItems
    Product = objItem.Product
    Summary = Pinpai & " " & Product & "," & Processor & "," & Memory
    Wscript.Echo "Summary: " & Summary
Next

REM 'Get chipset information'
Set colItems = objWMIService.ExecQuery("SELECT * FROM Win32_Processor",,48)
For Each objItem in colItems
    Chipset = objItem.Caption
    Wscript.Echo "Chipset: " & Chipset
Next

REM 'Get operating system type'
Set colItems = objWMIService.ExecQuery("SELECT * FROM Win32_OperatingSystem",,48)
For Each objItem in colItems
    OS = objItem.Caption
    Wscript.Echo "OS: " & OS
Next

REM 'Get BIOS information'
Set colItems = objWMIService.ExecQuery("SELECT * FROM Win32_BIOS",,48)
For Each objItem in colItems
    If IsNull(objItem.BIOSVersion) Then
        Wscript.Echo "BIOS: "
    Else
        BIOS = Join(objItem.BIOSVersion, ",")
        Wscript.Echo "BIOS: " & BIOS
    End If
Next

REM 'Get computer name'
Set colItems = objWMIService.ExecQuery("SELECT * FROM Win32_ComputerSystem",,48)
For Each objItem in colItems
    Hostname = objItem.DNSHostName
    Wscript.Echo "Hostname:" & Hostname
Next

REM 'Get MAC address'
Set colItems = objWMIService.ExecQuery("SELECT * FROM Win32_NetworkAdapterConfiguration WHERE IPEnabled = True",,48)
For Each objItem in colItems
    Macaddress = objItem.MACAddress
    Wscript.Echo "MACAddress: " & Macaddress
Next

REM 'Get network information (uses the Macaddress left by the previous loop)'
Set colItems = objWMIService.ExecQuery("SELECT * FROM Win32_NetworkAdapterConfiguration WHERE IPEnabled = True",,48)
For Each objItem in colItems
    Network = Mid(objItem.Caption, InStr(objItem.Caption, "]") + 1) & " " & Macaddress
    Wscript.Echo "Network: " & Network
Next

Dim Info
Info = "Summary: " & Summary & Chr(13) & "Processors: " & Processor & Chr(13) & _
       "Memory: " & Memory & Chr(13) & "Disk: " & Disk & Chr(13) & _
       "Chipset: " & Chipset & Chr(13) & "Network: " & Network & Chr(13) & "BIOS: " & BIOS
MsgBox(Info)
```
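The Linux shell script above dumps everything into one stream and aborts silently when a tool is missing. The following is an added example, not part of the original post: a triage collector in the same spirit, written for incident-response use, where each command's output lands in its own file, missing tools and non-zero exits are logged instead of stopping the run, and a SHA-256 manifest is written last so the bundle can be verified after it is copied off the host. The function names `run_cmd` and `collect_sysinfo` and the command list are my own choices.

```shell
#!/bin/sh
# Added example: IR-oriented Linux triage collector (not the post's script).
# Each command writes to its own file under OUTDIR; missing tools and
# non-zero exits are logged to ERRORS.txt instead of aborting the run.
# A SHA-256 manifest is written last so the bundle can be verified later.

# run_cmd LABEL OUTDIR CMD [ARGS...]: capture CMD's output as OUTDIR/LABEL.txt
run_cmd() {
    rc_label=$1; rc_out=$2; shift 2
    if command -v "$1" >/dev/null 2>&1; then
        "$@" >"$rc_out/$rc_label.txt" 2>&1 || echo "exit=$? ($*)" >>"$rc_out/ERRORS.txt"
    else
        echo "missing: $1" >>"$rc_out/ERRORS.txt"
    fi
}

# collect_sysinfo OUTDIR: gather baseline host facts, then hash everything
collect_sysinfo() {
    outdir=$1
    mkdir -p "$outdir" || return 1
    date -u +%Y-%m-%dT%H:%M:%SZ >"$outdir/collected_at.txt"
    run_cmd id        "$outdir" id
    run_cmd hostname  "$outdir" hostname
    run_cmd uname     "$outdir" uname -a
    run_cmd ip_addr   "$outdir" ip addr
    run_cmd ip_route  "$outdir" ip route
    run_cmd sockets   "$outdir" ss -tulpn
    run_cmd processes "$outdir" ps -eo pid,ppid,user,lstart,cmd
    run_cmd crontab   "$outdir" crontab -l
    run_cmd services  "$outdir" systemctl list-unit-files --type=service
    # Read-only copies of the files the original script cats
    for f in /proc/meminfo /proc/cpuinfo /etc/hosts /etc/passwd; do
        [ -r "$f" ] && cp "$f" "$outdir/$(echo "$f" | tr / _).txt"
    done
    # Accounts with a login shell (the original's "grep -i sh", made precise)
    if [ -r /etc/passwd ]; then
        awk -F: '$7 !~ /(nologin|false)$/ {print $1 ":" $7}' /etc/passwd >"$outdir/shell_users.txt"
    fi
    # Integrity manifest; verify later with: sha256sum -c MANIFEST.sha256
    (cd "$outdir" && find . -type f ! -name MANIFEST.sha256 | sort | xargs sha256sum >MANIFEST.sha256)
}

if [ "$#" -gt 0 ]; then
    collect_sysinfo "$1"
fi
```

Run it as `sh collect.sh /tmp/triage-$(hostname)` and archive the directory; `sha256sum -c MANIFEST.sha256` inside it proves nothing changed in transit.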
=EOF=
16 comments on "Scripts for collecting system information"

Find all .sh .pl .py .conf .cnf .ini .*history .*pass* files (except those under /usr/share) and zip them in the current directory. Quite often the permissions on configuration files are not set strictly; collecting them thoroughly helps a lot with the next step.

```bash
# Find all .sh .pl .py .conf .cnf .ini .*history .*pass* (except in /usr/share), then zip them in the current directory
# -regextype posix-extended makes the "|" alternation work; the dots before the extensions are escaped
find / ! -path "/usr/share/*" -regextype posix-extended \
  -iregex '.*\.(sh|pl|py|conf|cnf|ini)$|.*/\..*history$|.*/\..*pass.*' -print | zip pack.zip -@
```

# http://insight-labs.org/?p=883
How to get the most out of Microsoft's own Sysmon tool for security defense (Sources, configuration and how to detect evil things utilizing Microsoft Sysmon.)
https://github.com/MHaggis/sysmon-dfir
Detecting lateral movement in the network environment with Sysmon and Splunk
http://www.freebuf.com/sectool/125846.html
Windows host information collection tool (server information, system logs, middleware logs, etc.)
https://github.com/tengzhangchao/InForMation
linux-explorer – Linux live forensics toolbox
https://github.com/intezer/linux-explorer
Windows batch script and Unix Bash script for comprehensive collection of host forensic data during incident response
https://github.com/diogo-fernan/ir-rescue
Kaspersky shared a script for collecting logs from every employee computer inside an enterprise
https://securelist.com/happy-ir-in-the-new-year/83557/
https://cdn.securelist.com/files/2017/12/HappyNewYear.zip
ReconPi – a lightweight reconnaissance tool for the Raspberry Pi
https://github.com/x1mdev/ReconPi
cred_scanner – a tool for finding AWS credentials in files
https://github.com/disruptops/cred_scanner
An introduction to using the Seatbelt system information collection tool
https://digitalforensicstips.com/2018/09/a-quick-look-at-seatbelt-for-system-enumeration/
https://github.com/GhostPack/Seatbelt
Common Windows Misconfigurations: Scheduled Tasks
https://amonsec.net/windows-security/2018/common-windows-misconfigurations-scheduled-tasks
10 Tools To Check Every Hardware Detail Of Your Computer In Windows
https://www.itechtics.com/check-hardware-details-windows/
The built-in msinfo32 command is usually enough for the vast majority of needs; the tools listed are:

- CPU-Z
- Speccy
- HWiNFO (32/64)
- PC Wizard
- SiSoftware Sandra Lite
- WinAudit
- BlackBox
- Flitskikker Info Tool
- Smart System Informer
- RWEverything
How to Get Detailed Information About Your PC
https://www.howtogeek.com/80108/how-to-get-detailed-information-about-your-pc-2/
```
Win+R => msinfo32
Command => systeminfo
```
Using sys-toolkit to collect diagnostic information from Linux systems
https://blog.arstercz.com/use_sys-toolkit-collect-linux-diagnostic-message/
Common utilities for sysadmin/dba
https://github.com/arstercz/sys-toolkit
AutoMacTC: an automated forensic triage collector for macOS environments
https://www.freebuf.com/sectool/218812.html
https://github.com/CrowdStrike/automactc
AutoMacTC is a modular, automated forensic triage collection framework for macOS environments. It is designed to give analysts easy access to the various forensic artifacts and data files in a macOS environment, and it can also parse those artifacts and present them in a visual form for analysis. Its output can also provide valuable guidance for incident response in macOS environments. Notably, AutoMacTC can be run directly on a live system or on a mounted disk image (a mounted volume).
How do I find the location of an executable in Windows?
https://superuser.com/questions/49104/how-do-i-find-the-location-of-an-executable-in-windows
# Windows 7 and later ship the where.exe command, similar to whereis on Linux systems
where.exe does this on Windows 7 and Windows Server 2003 and later:

Example:

```bat
C:\> where ping
```

Output:

```
C:\Windows\System32\PING.EXE
```

In PowerShell use where.exe, Get-Command (or its abbreviation gcm), as where is the default alias for Where-Object.
Windows: Command line to read version info of an executable file?
https://stackoverflow.com/questions/25648155/windows-command-line-to-read-version-info-of-an-executable-file
How do you read the version info of an executable file from the command line on Windows?

```bat
wmic datafile where name="C:\\Windows\\System32\\msiexec.exe" get Version /value
```

```powershell
# powershell
(Get-Item -Path 'C:\Program Files\Java\jdk1.8.0_144\bin\java.exe').VersionInfo | Format-List -Force
```
Silent installation of a MSI package
https://stackoverflow.com/questions/8560166/silent-installation-of-a-msi-package
You should be able to use the /quiet or /qn options with msiexec to perform a silent install.

- /i = run install sequence
- /quiet, /q, /qn = run completely silently
- /norestart = do not restart the system after the installation
- /L*V "C:\Temp\msilog.log" = verbose logging