windows 命令巧用(持续更新)
netstat -ano
netstat -anvb
netstat -s -p [tcp|udp|ip|icmp]
# 关闭/打开防火墙
netsh firewall set opmode disable
netsh firewall set opmode enable
# 当前运行中的进程
tasklist /m /svc
# 查看所有服务状态及指定服务
sc query [ServiceName]
# 查看本机所有驱动
driverquery
# AccessChk V.6.12 工具下载地址
https://docs.microsoft.com/zh-cn/sysinternals/downloads/accesschk
用法:
accesschk64 "administrator" e:\1 # 查找e:\1目录下所有 存在administrator权限的文件
Using AccessChk
Usage: accesschk [-s][-e][-u][-r][-w][-n][-v]-[f <account>,...][[-a]|[-k]|[-p [-f] [-t]]|[-h][-o [-t <object type>]][-c]|[-d]] [[-l [-i]]|[username]] <file, directory, registry key, process, service, object>
Parameter | Description |
---|---|
-a | Name is a Windows account right. Specify "*" as the name to show all rights assigned to a user. Note that when you specify a specific right, only groups and accounts directly assigned to the right are displayed. |
-c | Name is a Windows Service, e.g. ssdpsrv. Specify "*" as the name to show all services and "scmanager" to check the security of the Service Control Manager. |
-d | Only process directories or top-level keys |
-e | Only show explicitly set-Integrity Levels (Windows Vista Vista and higher only) |
-f | If following -p, shows full process token information including groups and privileges. Otherwise is a list of comma-separated accounts to filter from the output. |
-h | Name is a file or printer share. Specify '*' as the name to show all shares. |
-i | Ignore objects with only inherited ACEs when dumping full access control lists. |
-k | Name is a Registry key, e.g. hklm\software |
-l | Show full security descriptor. Add -i to ignore inherited ACEs. |
-n | Show only objects that have no access |
-o | Name is an object in the Object Manager namespace (default is root). To view the contents of a directory, specify the name with a trailing backslash or add -s. Add -t and an object type (e.g. section) to see only objects of a specific type. |
-p | Name is a process name or PID, e.g. cmd.exe (specify "*" as the name to show all processes). Add -f to show full process token information, including groups and privileges. Add -t to show threads. |
-q | Omit Banner |
-r | Show only objects that have read access |
-s | Recurse |
-t | Object type filter, e.g. "section" |
-u | Suppress errors |
-v | Verbose (includes Windows Vista Integrity Level) |
-w | Show only objects that have write access |
If you specify a user or group name and path, AccessChk will report the effective permissions for that account; otherwise it will show the effective access for accounts referenced in the security descriptor.
By default, the path name is interpreted as a file system path (use the "\pipe\" prefix to specify a named pipe path). For each object, AccessChk prints R if the account has read access, W for write access, and nothing if it has neither. The -v switch has AccessChk dump the specific accesses granted to an account.
Examples
The following command reports the accesses that the Power Users account has to files and directories in \Windows\System32:
accesschk "power users" c:\windows\system32
This command shows which Windows services members of the Users group have write access to:
accesschk users -cw \*
To see what Registry keys under HKLM\CurrentUser a specific account has no access to:
accesschk -kns austin\mruss hklm\software
To see the security on the HKLM\Software key:
accesschk -k hklm\software
To see all files under \Users\Mark on Vista that have an explicit integrity level:
accesschk -e -s c:\users\mark
To see all global objects that Everyone can modify:
accesschk -wuo everyone \basednamedobjects
# 要查看与当前帐户使用关联的权限
whoami /priv
。
# 一个好玩的“隐写术”
^"%LOCALAPPDATA:~-3%^%SYSTEMROOT:~0,1%^" # calc
^%LOCALAPPDATA:~0,1%^%Programdata:~9,1%^%SYSTEMROOT:~-4,1%^ # cmd
rundll32.exe user32.dll LockWorkStation # 锁屏功能
%APPDATA:~-7,1%^%APPDATA:~3,1%^%comspec:~5,1%^%OS:~3,1%^%TEMP:~-6,1%^%TEMP:~-6,1%^32^%comspec:~-4%^ %temp:~3,4%^32^.d^%TEMP:~-6,1%^%TEMP:~-6,1%^ LockWorkStation
参考:
http://memorycorruption.org/windows/2018/07/29/Notes-On-Windows-Privilege-Escalation.html
https://docs.microsoft.com/zh-cn/sysinternals/downloads/accesschk
http://blog.51cto.com/rangercyh/497497
https://xz.aliyun.com/t/2519
windows 命令巧用(持续更新)的更多相关文章
- [转帖]各种命令,以及FAQ..持续更新.....
各种命令,以及FAQ..持续更新..... https://www.cnblogs.com/jicki/p/5548668.html Linux 篇: CentOs 7 修改主机名 hostnamec ...
- Python常用组件、命令大总结(持续更新)
Python开发常用组件.命令(干货) 持续更新中-关注公众号"轻松学编程"了解更多. 1.生成6位数字随机验证码 import random import string def ...
- Ubuntu命令集(持续更新)
Ubuntu命令集,生活工作汇总,没有顺序.(持续更新...) 1 pwd:没有参数,在终端现实我们当前所处的文件夹位置:ctrl+l:清除当前终端屏: 2 --------------------- ...
- windows常用运行命令收集(持续更新)
快捷键打开运行窗口:Windows + R > calc(计算器) > gpedit.msc(本地组策略编辑器) > regedit(注册表) > mstsc(远程桌面) &g ...
- SVN经常使用命令总结(持续更新)
如今流行的协同管理工具预计就属SVN和Git了.这两者都使用过,只是如今正在使用的是SVN.故将常常使用的命令总结下来. 无论是Windows端的svnclient还是eclipse的subversi ...
- 各种命令,以及FAQ..持续更新.....
Linux 篇: CentOs 7 修改主机名 hostnamectl --static set-hostname <host-name> 统计最多的10条记录 awk '{print $ ...
- tar 命令详解(持续更新)
可以用man tar查看tar命令使用的权威解释 Main operation mode: -c: 建立压缩档案 -r:向压缩归档文件末尾追加文件 -t:查看内容 -u:更新原压缩包中的文件 -x:解 ...
- Linux必知必会的命令全集(持续更新)
Linux有超过五百多种命令,每个命令还有十几二十种选项,令人抓狂,本文旨在整理本人工作常用的Linux命令,希望对大家有所帮助! 1.cd 跳转文件夹 最常用的命令,没有之一. cd # 进入 ...
- Linux 常用命令笔记 (持续更新)
声明:本文是转载前辈的,地址:http://www.cnblogs.com/tovep/articles/2473147.html 在tomcat的bin目录下执行 ./shutdown.sh 为了查 ...
随机推荐
- uva 13598
/* 题目的大意是 给你 N 学生 然后 给前 K个学生编号了 给定的 号码 , 然后你按照 使得接下来学生 学号尽量小的 方法 从第 K+1个学生开始编号 每个号码 自然只能用一次, 解答 : 先将 ...
- 20155308 2016-2017-2 《Java程序设计》第9周学习总结
20155308 2016-2017-2 <Java程序设计>第9周学习总结 教材学习内容总结 第十六章 整合数据库 16.1 JDBC入门 驱动的四种类型 JDBC-ODBC Bridg ...
- Python: 字符串搜索和匹配,re.compile() 编译正则表达式字符串,然后使用match() , findall() 或者finditer() 等方法
1. 使用find()方法 >>> text = 'yeah, but no, but yeah, but no, but yeah' >>> text.find( ...
- python 采坑总结 调用键盘事件后导致键盘失灵的可能原因
在练习python封装键盘事件的时候,实现一个keyDown和keyUp的功能: @staticmethod def keyDown(keyName): #按下按键 ...
- SVN版本服务器搭建
windows: https://blog.csdn.net/lu1024188315/article/details/74082227 SVN 的下载地址如下 http://torto ...
- CSS3实现8种Loading效果【二】
CSS3实现8种Loading效果[二] 今晚吃完饭回宿舍又捣鼓了另外几种Loading效果,老规矩,直接“上菜“…… 注:gif图片动画有些卡顿,非实际效果! 第一种效果: 代码如下: < ...
- jQuery API的特点
jQuery API 的特点 版权声明:未经博主授权,严禁转载分享 jQuery API 的三大特点 1. jQuery 对象是一个类数组对象,API自带遍历效果 - 对 jQuery 对象调用一次A ...
- centos+Jenkins+maven搭建持续集成
Jenkins是一个开源软件项目,旨在提供一个开放易用的软件平台,使软件的持续集成变成可能 什么是持续集成 随着软件开发复杂度的不断提高,团队开发成员间如何更好地协同工作以确保软件开发的质量已经慢慢成 ...
- 20145304 网络对抗技术 逆向与Bof基础
20145304 网络对抗技术 逆向与Bof基础 实践目标 学习以下两种方法,运行正常情况下不会被运行的代码: 手工修改可执行文件,改变程序执行流程,直接跳转到getShell函数. 利用foo函数的 ...
- TableView,自定义TableViewCell
自定义Table 原理: http://blog.jobbole.com/67272/ http://www.cnblogs.com/wangxiaofeinin/p/3532831.html 补充: ...