Windows command tricks (continuously updated)

    BDCMS :: 9bce763974bf7a4c9ed20335568af4c1    NWWxfW       PASS: weak password

    :: Information gathering

    WMIC commands (WMIC itself is deprecated in current Windows releases; the same WMI classes are reachable from PowerShell with Get-CimInstance)

    # Show OS version

    wmic OS get Caption,CSDVersion,OSArchitecture,Version

    # List registered antivirus products (the SecurityCenter2 namespace exists on client SKUs only; Server editions have no Security Center)

    wmic /node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List

    # List installed software. Caveat: "wmic product" queries Win32_Product, which makes Windows Installer run a consistency check on every MSI package, so it is slow and writes a burst of MsiInstaller events to the Application log.

    wmic product get name,version

    nbtscan command

    Download link

    nbtscan -n -m x.x.x.x/xx

    -n        No looking up inverse names of IP addresses responding

    -m        include MAC address in response (implied by '-f')

    netstat command

    netstat -ano                        # all sockets, numeric addresses, owning PID

    netstat -anvb                       # -b adds the executable that created each socket (needs an elevated prompt); -v lists the components involved

    netstat -s -p [tcp|udp|ip|icmp]     # per-protocol statistics

    cmdkey: stored credentials (saved Remote Desktop logons show up as TERMSRV/<host> entries)

    cmdkey /l

    # Disable / enable the firewall. "netsh firewall" is the legacy, deprecated context; on Vista and later use "netsh advfirewall set allprofiles state off|on".

    netsh firewall set opmode disable

    netsh firewall set opmode enable

    # Running processes

    tasklist /svc     # services hosted by each process
    tasklist /m       # DLLs loaded by each process

    # Show the state of all services, or of one named service ("sc query" alone lists only running services; add "state= all" to include stopped ones)

    sc query [ServiceName]

    # List all installed drivers

    driverquery
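The point of running netstat -ano next to tasklist /svc is to attribute every socket to an image and, for svchost.exe, to the service it hosts. The following script is an added example (not from the original post) that parses the two outputs and joins them on PID; the sample outputs embedded in it are constructed to look like a Windows 10 host and are not captured from a real machine.

```python
"""Join `netstat -ano` with `tasklist /svc` output to attribute sockets to processes."""
import re

# Constructed sample of `netstat -ano` output (IPv4 and IPv6, one UDP socket).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1120
  TCP    192.168.1.10:49731     203.0.113.7:443        ESTABLISHED     4412
  TCP    [::]:445               [::]:0                 LISTENING       4
  UDP    0.0.0.0:5355           *:*                                    1304
"""

# Constructed sample of `tasklist /svc` output for the same PIDs.
SAMPLE_TASKLIST = """
Image Name                     PID Services
========================= ======== ============================================
System                           4 N/A
svchost.exe                    880 RpcEptMapper, RpcSs
svchost.exe                   1120 TermService
updater.exe                   4412 N/A
svchost.exe                   1304 Dnscache
"""

# proto, local, foreign, optional state (UDP rows have none), PID
_NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")
_TASKLIST_RE = re.compile(r"^(\S+)\s+(\d+)\s+(.*?)\s*$")


def split_endpoint(ep):
    """'0.0.0.0:135' -> ('0.0.0.0', 135); '[::]:445' -> ('::', 445); '*:*' -> ('*', None)."""
    host, _, port = ep.rpartition(":")
    return host.strip("[]"), (int(port) if port.isdigit() else None)


def parse_netstat(text):
    rows = []
    for line in text.splitlines():
        m = _NETSTAT_RE.match(line)
        if not m:
            continue  # title, header and blank lines
        proto, local, foreign, state, pid = m.groups()
        lhost, lport = split_endpoint(local)
        fhost, fport = split_endpoint(foreign)
        rows.append({"proto": proto, "local_host": lhost, "local_port": lport,
                     "foreign_host": fhost, "foreign_port": fport,
                     "state": state or "", "pid": int(pid)})
    return rows


def parse_tasklist_svc(text):
    """Map PID -> (image name, [hosted services]); 'N/A' means no service."""
    procs = {}
    for line in text.splitlines():
        m = _TASKLIST_RE.match(line)
        if not m:
            continue  # header and separator lines have no numeric PID column
        image, pid, services = m.groups()
        procs[int(pid)] = (image, [] if services == "N/A"
                           else [s.strip() for s in services.split(",")])
    return procs


def attribute_sockets(netstat_text, tasklist_text):
    """Attach image name and hosted services to every socket row."""
    procs = parse_tasklist_svc(tasklist_text)
    out = []
    for row in parse_netstat(netstat_text):
        image, services = procs.get(row["pid"], ("<unknown>", []))
        out.append({**row, "image": image, "services": services})
    return out


def listening_ports(rows):
    """(proto, port) -> (image, services) for TCP listeners and every bound UDP socket."""
    return {(r["proto"], r["local_port"]): (r["image"], r["services"])
            for r in rows if r["proto"] == "UDP" or r["state"] == "LISTENING"}


def outbound_connections(rows):
    """Established TCP sessions to non-loopback peers: what to triage first."""
    return [r for r in rows
            if r["state"] == "ESTABLISHED" and not r["foreign_host"].startswith("127.")]


if __name__ == "__main__":
    rows = attribute_sockets(SAMPLE_NETSTAT, SAMPLE_TASKLIST)
    for (proto, port), (image, svcs) in sorted(listening_ports(rows).items()):
        print(f"{proto:<4} {port:<6} {image:<14} {', '.join(svcs)}")
    for r in outbound_connections(rows):
        print(f"{r['image']} (PID {r['pid']}) -> {r['foreign_host']}:{r['foreign_port']}")
```

On a real host, feed the script the saved outputs of the two commands instead of the constructed samples; the join on PID is what turns "svchost.exe listens on 3389" into "TermService listens on 3389".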

    # AccessChk v6.12 download

    https://docs.microsoft.com/zh-cn/sysinternals/downloads/accesschk

    Usage:

    accesschk64 "administrator" e:\1   # list the files under e:\1 that the administrator account can read (R) or write (W)

    # findstr advanced usage

    systeminfo | findstr /b /c:"OS Name" /c:"OS Version"

    /b    match only at the beginning of the line
    /c:   literal search string (repeat it to match several); matching lines are echoed. The systeminfo labels are localized, so "OS Name" only matches on an English-language system.


    Using AccessChk

    Usage: accesschk [-s][-e][-u][-r][-w][-n][-v]-[f <account>,...][[-a]|[-k]|[-p [-f] [-t]]|[-h][-o [-t <object type>]][-c]|[-d]] [[-l [-i]]|[username]] <file, directory, registry key, process, service, object>

    Parameter  Description
    -a   Name is a Windows account right. Specify "*" as the name to show all rights assigned to a user. Note that when you specify a specific right, only groups and accounts directly assigned to the right are displayed.
    -c   Name is a Windows Service, e.g. ssdpsrv. Specify "*" as the name to show all services and "scmanager" to check the security of the Service Control Manager.
    -d   Only process directories or top-level keys.
    -e   Only show explicitly set Integrity Levels (Windows Vista and higher only).
    -f   If following -p, shows full process token information including groups and privileges. Otherwise it is a list of comma-separated accounts to filter from the output.
    -h   Name is a file or printer share. Specify "*" as the name to show all shares.
    -i   Ignore objects with only inherited ACEs when dumping full access control lists.
    -k   Name is a Registry key, e.g. hklm\software.
    -l   Show full security descriptor. Add -i to ignore inherited ACEs.
    -n   Show only objects that have no access.
    -o   Name is an object in the Object Manager namespace (default is root). To view the contents of a directory, specify the name with a trailing backslash or add -s. Add -t and an object type (e.g. section) to see only objects of a specific type.
    -p   Name is a process name or PID, e.g. cmd.exe (specify "*" as the name to show all processes). Add -f to show full process token information, including groups and privileges. Add -t to show threads.
    -q   Omit banner.
    -r   Show only objects that have read access.
    -s   Recurse.
    -t   Object type filter, e.g. "section".
    -u   Suppress errors.
    -v   Verbose (includes Windows Vista Integrity Level).
    -w   Show only objects that have write access.

    If you specify a user or group name and path, AccessChk will report the effective permissions for that account; otherwise it will show the effective access for accounts referenced in the security descriptor.

    By default, the path name is interpreted as a file system path (use the "\pipe\" prefix to specify a named pipe path). For each object, AccessChk prints R if the account has read access, W for write access, and nothing if it has neither. The -v switch has AccessChk dump the specific accesses granted to an account.

    Examples

    The following command reports the accesses that the Power Users account has to files and directories in Windows\System32:

    accesschk "power users" c:\windows\system32

    This command shows which Windows services members of the Users group have write access to:

    accesschk users -cw *

    To see what Registry keys under HKLM\CurrentUser a specific account has no access to:

    accesschk -kns austin\mruss hklm\software

    To see the security on the HKLM\Software key:

    accesschk -k hklm\software

    To see all files under Users\Mark on Vista that have an explicit integrity level:

    accesschk -e -s c:\users\mark

    To see all global objects that Everyone can modify:

    accesschk -wuo everyone \BaseNamedObjects

    # Show the privileges assigned to the current account's token. Privileges listed as Disabled are still held and can be enabled by the process; SeImpersonatePrivilege, SeAssignPrimaryTokenPrivilege, SeDebugPrivilege and SeBackupPrivilege are the ones to look for when escalating.

    whoami /priv

    # A fun bit of "steganography": commands spelled out from slices of environment variables

    # cmd expands %VAR:~start,len% to a substring of VAR (a negative start counts from the end, and len may be omitted to take the rest), and ^ escapes the character after it. Every slice below is anchored to the fixed prefix C:\Users\ or to the fixed end of a path, so the lines resolve to the same command on any account name, while the command name never appears in the line:

    ^"%LOCALAPPDATA:~-3%^%SYSTEMROOT:~0,1%^"    # calc

    ^%LOCALAPPDATA:~0,1%^%Programdata:~9,1%^%SYSTEMROOT:~-4,1%^   # cmd

    rundll32.exe user32.dll LockWorkStation  # lock the screen

    %APPDATA:~-7,1%^%APPDATA:~3,1%^%comspec:~5,1%^%OS:~3,1%^%TEMP:~-6,1%^%TEMP:~-6,1%^32^%comspec:~-4%^ %temp:~3,4%^32^.d^%TEMP:~-6,1%^%TEMP:~-6,1%^ LockWorkStation   # the same lock-screen command, obfuscated
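To check what such a line resolves to without running it, or to build one, it helps to model the two cmd.exe rules involved. The script below is an added example (not from the original post): it reimplements %VAR:~start,len% slicing and caret escaping in Python, decodes the three lines above, and generates new ones. The environment values are constructed (default paths for a user named alice); the page's own samples decode identically on any user name because their offsets avoid the user-name part of the path, while the generator's find() does not make that guarantee.

```python
"""Model of cmd.exe %VAR:~start,len% expansion and ^ escaping."""
import re

# Constructed environment: default Windows paths for a user named alice (assumption).
SAMPLE_ENV = {
    "LOCALAPPDATA": r"C:\Users\alice\AppData\Local",
    "APPDATA": r"C:\Users\alice\AppData\Roaming",
    "TEMP": r"C:\Users\alice\AppData\Local\Temp",
    "SYSTEMROOT": r"C:\Windows",
    "PROGRAMDATA": r"C:\ProgramData",
    "COMSPEC": r"C:\Windows\system32\cmd.exe",
    "OS": "Windows_NT",
}

# The three obfuscated lines from the page.
PAGE_SAMPLES = [
    '^"%LOCALAPPDATA:~-3%^%SYSTEMROOT:~0,1%^"',
    '^%LOCALAPPDATA:~0,1%^%Programdata:~9,1%^%SYSTEMROOT:~-4,1%^',
    '%APPDATA:~-7,1%^%APPDATA:~3,1%^%comspec:~5,1%^%OS:~3,1%^%TEMP:~-6,1%^%TEMP:~-6,1%'
    '^32^%comspec:~-4%^ %temp:~3,4%^32^.d^%TEMP:~-6,1%^%TEMP:~-6,1%^ LockWorkStation',
]

# %NAME%, %NAME:~start% or %NAME:~start,len%; names are case-insensitive in cmd.
_VAR_RE = re.compile(r"%([A-Za-z_][A-Za-z0-9_()]*)(?::~(-?\d+)(?:,(-?\d+))?)?%")


def cmd_substring(value, start, length=None):
    """cmd's substring rules: negative start counts from the end, negative len
    stops that many characters before the end, no len means 'to the end'."""
    n = len(value)
    if start < 0:
        start = max(n + start, 0)
    if start > n:
        return ""
    if length is None:
        return value[start:]
    if length < 0:
        end = n + length
        return value[start:end] if end > start else ""
    return value[start:start + length]


def expand(line, env=SAMPLE_ENV):
    """Phase 1: expand %VAR...% references. Phase 2: '^x' becomes 'x' and a
    trailing '^' is dropped, the order cmd itself uses, so ^%VAR% -> ^value -> value."""
    upper_env = {k.upper(): v for k, v in env.items()}

    def repl(m):
        name, start, length = m.group(1).upper(), m.group(2), m.group(3)
        if name not in upper_env:
            return m.group(0)  # interactive cmd leaves undefined %VAR% untouched
        if start is None:
            return upper_env[name]
        return cmd_substring(upper_env[name], int(start),
                             None if length is None else int(length))

    expanded = _VAR_RE.sub(repl, line)
    return re.sub(r"\^(.?)", r"\1", expanded)


def obfuscate(target, env=SAMPLE_ENV, case_sensitive=False):
    """Rebuild `target` from one-character %VAR:~i,1% slices. Case-insensitive
    matching is fine for file names (Windows resolves calC to calc.exe) but not
    for a rundll32 entry point such as LockWorkStation, whose name is
    case-sensitive; the page leaves that token in clear text for that reason.
    Raises ValueError when no environment value contains a needed character."""
    pieces = []
    for ch in target:
        for name, value in env.items():
            hay, needle = (value, ch) if case_sensitive else (value.lower(), ch.lower())
            i = hay.find(needle)
            if i != -1:
                pieces.append(f"%{name}:~{i},1%")
                break
        else:
            raise ValueError(f"no environment value contains {ch!r}")
    return "".join(pieces)


if __name__ == "__main__":
    for sample in PAGE_SAMPLES:
        print(f"{sample}\n    -> {expand(sample)}")
    print(obfuscate("calc"), "->", expand(obfuscate("calc")))
```

Run it to see the three page samples print as "calC", "Cmd" and "RUndll32.exe User32.dll LockWorkStation"; the mixed case is harmless because Windows resolves file names case-insensitively. The same expander is a quick way to de-obfuscate a line found in a scheduled task or a run key without executing it.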

    # Create an empty .txt file

    fsutil file createnew X:\demo.txt 0


    # Shutdown script notes
    # win2008
    schtasks /create /tn gj /sc once /st 21:00 /tr c:\gj.bat
    # win2003
    schtasks /create /tn gj /sc once /st 21:00 /tr c:\gj.bat /ru <user; defaults to the current user if omitted> /rp <that user's password>
    # Task Scheduler shortcut
    taskschd.msc

    # Chrome

    # Version 76.0.3809.100 (Official Build) (64-bit): Flash is blocked

    chrome://settings/content/flash    # set it to "Ask first"

    References:

    http://memorycorruption.org/windows/2018/07/29/Notes-On-Windows-Privilege-Escalation.html

    https://docs.microsoft.com/zh-cn/sysinternals/downloads/accesschk

    http://blog.51cto.com/rangercyh/497497

    https://xz.aliyun.com/t/2519

  • Original URL: https://www.cnblogs.com/Cong0ks/p/9443210.html