Original article:
http://www.fuzzysecurity.com/tutorials/16.html
1. Information gathering
Quote:
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
hostname
echo %username%
net users
net user username
ipconfig /all
route print
arp -A
netstat -ano
netsh firewall show state
netsh firewall show config
# This will display verbose output for all scheduled tasks, below you can see sample output for a single task.
schtasks /query /fo LIST /v
# The following command links running processes to started services.
C:\Windows\system32> tasklist /SVC
net start
# This can be useful sometimes as some 3rd party drivers, even by reputable companies, contain more holes than Swiss cheese. This is only possible because ring0 exploitation lies outside most people's expertise.
C:\Windows\system32> DRIVERQUERY
2. WMIC
Quote:
The first and most obvious thing we need to look at is the patch level. There is no need to worry ourselves further if we see that the host is badly patched. My WMIC script will already list all the installed patches, but you can see the sample command line output below.
C:\Windows\system32> wmic qfe get Caption,Description,HotFixID,InstalledOn
C:\Windows\system32> wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB.." /C:"KB.."
3. configuration file
Quote:
c:\sysprep.inf
c:\sysprep\sysprep.xml
%WINDIR%\Panther\Unattend\Unattended.xml
%WINDIR%\Panther\Unattended.xml
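The files listed above are deployment leftovers that can still hold a local administrator password. As an added audit example (not part of the original tutorial), the following PowerShell checks each location on the host it runs on and flags files that still contain a password element; the file paths are the ones from the list, the regex is an assumption about the usual sysprep.inf (INI) and Unattend.xml (XML) layouts.

```powershell
# Added example, not from the original tutorial: audit the sysprep/unattend
# locations above and report any that still carry credential material.
# Assumes read access to the paths; run it as part of post-deployment cleanup.
$candidates = @(
    'C:\sysprep.inf',
    'C:\sysprep\sysprep.xml',
    "$env:WINDIR\Panther\Unattend\Unattended.xml",
    "$env:WINDIR\Panther\Unattended.xml"
)

# sysprep.inf is INI-style ([GuiUnattended] AdminPassword=...); the XML files
# use <Password>/<AdministratorPassword> blocks whose <Value> is often only
# base64-encoded, not encrypted. Pattern is an assumption covering both forms.
$credPattern = '(?i)<(Administrator)?Password>|^\s*AdminPassword\s*='

foreach ($path in $candidates) {
    if (-not (Test-Path -LiteralPath $path)) { continue }

    $item = Get-Item -LiteralPath $path
    $text = Get-Content -LiteralPath $path -Raw -ErrorAction SilentlyContinue
    $hasCred = [bool]($text -and ($text -match $credPattern))

    [pscustomobject]@{
        Path          = $path
        SizeBytes     = $item.Length
        LastWrite     = $item.LastWriteTime
        CredentialHit = $hasCred
    }

    if ($hasCred) {
        # Remediation: delete the leftover file once deployment is finished,
        # or at minimum strip the password elements and rotate that account.
        Write-Warning "Deployment leftover with credential material: $path"
    }
}
```

Any file the script reports should be removed from the image and the affected local account's password rotated, since the value is recoverable by any user who can read the file.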
4. GPP
https://www.rapid7.com/db/modules/post/windows/gather/credentials/gpp
https://github.com/mattifestation/PowerSploit
5. strange registry setting
The next thing we will look for is a strange registry setting, "AlwaysInstallElevated". If this setting is enabled, it allows users of any privilege level to install *.msi files as NT AUTHORITY\SYSTEM. It seems like a strange idea to me that you would create low privilege users (to restrict their use of the OS) but give them the ability to install programs as SYSTEM. For more background reading on this issue you can have a look at an article by Parvez from GreyHatHacker, who originally reported this as a security concern.
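The policy lives under the same key in both HKLM and HKCU, and Windows Installer only honours it when both values are 1. As an added example (not from the original tutorial), this PowerShell reads both hives, treats a missing key as "not configured", and reports whether the policy is actually in effect together with the remediation path; the key path and Group Policy location are the standard ones.

```powershell
# Added example, not from the original tutorial: audit AlwaysInstallElevated.
# The policy is only effective when the value is 1 under BOTH hives; a 1 in a
# single hive is inert but still worth removing.
$keyPath = 'SOFTWARE\Policies\Microsoft\Windows\Installer'
$hives = [ordered]@{
    HKLM = "HKLM:\$keyPath"
    HKCU = "HKCU:\$keyPath"
}

$state = @{}
foreach ($hive in $hives.Keys) {
    $prop = Get-ItemProperty -Path $hives[$hive] -Name AlwaysInstallElevated `
                             -ErrorAction SilentlyContinue
    # Missing key or value means "not configured", which behaves like 0.
    $state[$hive] = if ($null -ne $prop) { [int]$prop.AlwaysInstallElevated } else { 0 }
}

$effective = ($state.HKLM -eq 1) -and ($state.HKCU -eq 1)

[pscustomobject]@{
    HKLM      = $state.HKLM
    HKCU      = $state.HKCU
    Effective = $effective
}

if ($effective) {
    Write-Warning 'AlwaysInstallElevated is active: any user can install MSI packages as SYSTEM.'
    # Remediation: set the value to 0 (or delete it) in both hives from an
    # elevated prompt, and enforce it centrally via Group Policy under
    # Computer Configuration and User Configuration >
    # Administrative Templates > Windows Components > Windows Installer >
    # "Always install with elevated privileges" = Disabled.
}
elseif ($state.HKLM -eq 1 -or $state.HKCU -eq 1) {
    Write-Warning 'AlwaysInstallElevated is set in one hive only; not effective, but clean it up.'
}
```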
6. Services and accesschk.exe
7. File/folder permissions