Network configuration
ipconfig /all
Operating system and software information
systeminfo
Installed software, versions and install paths
Collected with wmic
wmic product get name,version
Collected with PowerShell
powershell "Get-WmiObject -class Win32_Product | Select-Object -Property name,version"
Local service information
wmic service list brief
Process list
tasklist
Process details
wmic process list brief
Scheduled tasks
schtasks /query /fo LIST /v
User list
net user
Members of the local Administrators group (usually includes domain users)
net localgroup administrators
Currently logged-on users
query user || qwinsta
Open ports and services; infer which services the host exposes from the well-known port numbers
netstat -ano
Installed patches
systeminfo
Copy the patch list into https://www.shentoushi.top/av/kb.php to look up which privilege-escalation vulnerabilities remain unpatched
wmic qfe get Caption,Description,HotFixID,InstalledOn
Local share list
net share
Share list with wmic
wmic share get name,path,status
Routing table and the ARP cache of all available interfaces
route print
arp -a
Firewall configuration
Disable the firewall
-> up to Server 2003: netsh firewall set opmode disable
-> after Server 2003: netsh advfirewall set allprofiles state off
Show the firewall configuration
-> netsh firewall show config
Modify the firewall configuration
-> up to Server 2003: netsh firewall add allowedprogram c:\nc.exe "allow nc" enable
-> after Server 2003: netsh advfirewall firewall add rule name="pass nc" dir=in action=allow program="c:\nc.exe"
Allow a specified program outbound
netsh advfirewall firewall add rule name="Allow nc" dir=out action=allow program="c:\nc.exe"
Allow inbound traffic on port 3389
netsh advfirewall firewall add rule name="rdp" protocol=TCP dir=in localport=3389 action=allow
Custom firewall log location
netsh advfirewall set currentprofile logging filename "c:\1.log"
Proxy configuration
reg query "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
Query and enable the Remote Desktop (RDP) service
Show the RDP listening port
REG QUERY "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-TCP" /V PortNumber
Enable RDP on port 3389
Server 2003
-> wmic path win32_terminalservicesetting where (__CLASS !="") call setallowtsconnections 1
Server 2008/2012
-> wmic /namespace:\\root\cimv2\terminalservices path win32_terminalservicesetting where (__CLASS !="") call setallowtsconnections 1
-> wmic /namespace:\\root\cimv2\terminalservices path win32_tsgeneralsetting where (TerminalName='RDP-Tcp') call setuserauthenticationrequired 1
-> reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fSingleSessionPerUser /t REG_DWORD /d 0 /f
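Every command on this sheet leaves a process-creation record, which is what a defender should be matching on. The following Python script is an added example and not part of the original sheet: it classifies command lines (as they would appear in Windows Security event 4688 or Sysmon EventID 1 after parsing) against the discovery families from the first half of the page and the firewall/RDP changes from the second half. Each configuration change raises a high-severity alert on its own; discovery commands only alert when one host/user pair runs several distinct families within a short window, so a single ipconfig or tasklist by an administrator stays quiet. The sample events, the 10-minute window and the threshold of four families are constructed assumptions to be tuned per environment.

```python
# Added detection example: classify process-creation command lines (Windows Security
# 4688 / Sysmon EventID 1) against the command families in the cheat sheet above.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: (timestamp, host, user, parent image, command line).
SAMPLE_EVENTS = [
    ("2024-05-01T10:00:01", "WS01", "CORP\\alice", "cmd.exe", "ipconfig /all"),
    ("2024-05-01T10:00:03", "WS01", "CORP\\alice", "cmd.exe", "systeminfo"),
    ("2024-05-01T10:00:05", "WS01", "CORP\\alice", "cmd.exe", "wmic qfe get Caption,Description,HotFixID,InstalledOn"),
    ("2024-05-01T10:00:07", "WS01", "CORP\\alice", "cmd.exe", "net localgroup administrators"),
    ("2024-05-01T10:00:09", "WS01", "CORP\\alice", "cmd.exe", "netstat -ano"),
    ("2024-05-01T10:00:12", "WS01", "CORP\\alice", "cmd.exe", "query user"),
    ("2024-05-01T10:01:30", "WS01", "CORP\\alice", "cmd.exe", "netsh advfirewall set allprofiles state off"),
    ("2024-05-01T10:01:35", "WS01", "CORP\\alice", "cmd.exe",
     'reg add "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server" /v fSingleSessionPerUser /t REG_DWORD /d 0 /f'),
    # Two isolated lookups 15 minutes apart: routine admin behaviour, must not alert.
    ("2024-05-01T11:30:00", "WS02", "CORP\\bob", "explorer.exe", "ipconfig /all"),
    ("2024-05-01T11:45:00", "WS02", "CORP\\bob", "explorer.exe", "tasklist"),
]

# One pattern per discovery family on the sheet. A single hit is normal admin
# activity; many distinct families from one actor in a short window is not.
DISCOVERY = {
    "network_config":  re.compile(r"^ipconfig\b.*/all", re.I),
    "system_info":     re.compile(r"^systeminfo\b", re.I),
    "software_list":   re.compile(r"^(wmic\b.*\bproduct\b|powershell\b.*Win32_Product)", re.I),
    "services":        re.compile(r"^wmic\b.*\bservice\b", re.I),
    "processes":       re.compile(r"^(tasklist\b|wmic\b.*\bprocess\b)", re.I),
    "scheduled_tasks": re.compile(r"^schtasks\b.*/query", re.I),
    "users_groups":    re.compile(r"^net1?\s+(user|localgroup)\b", re.I),
    "sessions":        re.compile(r"^(query\s+user|qwinsta)\b", re.I),
    "net_connections": re.compile(r"^netstat\b", re.I),
    "patch_level":     re.compile(r"^wmic\b.*\bqfe\b", re.I),
    "shares":          re.compile(r"^(net1?\s+share\b|wmic\b.*\bshare\b)", re.I),
    "routing_arp":     re.compile(r"^(route\s+print|arp\s+-a)\b", re.I),
    "proxy_settings":  re.compile(r"^reg\s+query\b.*Internet Settings", re.I),
    "rdp_port":        re.compile(r"^reg\s+query\b.*RDP-TCP", re.I),
    "firewall_config": re.compile(r"^netsh\b.*firewall\s+show\b", re.I),
}

# Configuration changes from the second half of the sheet; each alerts on its own.
TAMPERING = {
    "firewall_disabled":   re.compile(r"^netsh\b.*(firewall\s+set\s+opmode\s+disable|advfirewall\s+set\s+\w+\s+state\s+off)", re.I),
    "firewall_rule_added": re.compile(r"^netsh\b.*(firewall\s+add\s+allowedprogram|advfirewall\s+firewall\s+add\s+rule)", re.I),
    "firewall_log_moved":  re.compile(r"^netsh\s+advfirewall\s+set\s+\w+\s+logging\s+filename", re.I),
    "rdp_enabled":         re.compile(r"setallowtsconnections\s+1\b", re.I),
    "rdp_nla_changed":     re.compile(r"setuserauthenticationrequired\s+[01]\b", re.I),
    "rdp_multi_session":   re.compile(r"fSingleSessionPerUser\b.*/d\s+0\b", re.I),
}


def classify(cmdline):
    """Return ("tampering" | "discovery", rule_name) for a command line, or None."""
    cmd = cmdline.strip()
    for name, pat in TAMPERING.items():  # checked first: a change outranks a lookup
        if pat.search(cmd):
            return ("tampering", name)
    for name, pat in DISCOVERY.items():
        if pat.search(cmd):
            return ("discovery", name)
    return None


def analyze(events, window_minutes=10, min_families=4):
    """One 'high' alert per tampering command; one 'medium' alert per (host, user)
    that runs >= min_families distinct discovery families within window_minutes."""
    alerts = []
    discovery_hits = defaultdict(list)  # (host, user) -> [(time, family)]
    for ts, host, user, parent, cmdline in events:
        hit = classify(cmdline)
        if hit is None:
            continue
        category, rule = hit
        when = datetime.fromisoformat(ts)
        if category == "tampering":
            alerts.append({"severity": "high", "host": host, "user": user, "rule": rule,
                           "parent": parent, "command": cmdline, "time": ts})
        else:
            discovery_hits[(host, user)].append((when, rule))
    window = timedelta(minutes=window_minutes)
    for (host, user), hits in discovery_hits.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            # Distinct families seen from this hit until the window closes.
            families = {fam for when, fam in hits[i:] if when - start <= window}
            if len(families) >= min_families:
                alerts.append({"severity": "medium", "host": host, "user": user,
                               "rule": "discovery_cluster", "families": sorted(families),
                               "time": start.isoformat()})
                break  # one cluster alert per actor is enough
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_EVENTS):
        print(a["severity"], a["host"], a["user"], a["rule"], a.get("command", a.get("families")))
```

Run as a script it prints two high alerts for WS01 (the firewall being switched off and the Terminal Server registry change) followed by one discovery-cluster alert for the same host and user; the two spaced-out lookups on WS02 produce nothing. Tampering is checked before discovery so that a `reg add` or `netsh ... add rule` is never downgraded to a lookup, and the cluster rule keys on distinct families rather than raw command count so that an administrator repeating `netstat -ano` does not trip it.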