Powershell
xbz0n@sh:~# Living Off the Land: Windows Post-Exploitation Without Tools
枚举进程和服务
# Enumerate running processes with their image path, ordered by name.
# Path may come back empty for processes the current account has no right to
# open (NOTE: behaviour of Get-Process, not shown here — confirm on the host);
# an empty Path is therefore not by itself a finding.
Get-Process |
    Sort-Object -Property ProcessName |
    Select-Object -Property ProcessName, Id, Path
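# Services whose logon account is LocalSystem, with binary path, state and
# start mode. Get-CimInstance is used instead of Get-WmiObject: the latter is
# absent from PowerShell 6+, which the ping sweep further down this page
# already requires (-TimeoutSeconds), so the two snippets would not run on the
# same interpreter. Win32_Service exposes the same properties either way.
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.StartName -eq "LocalSystem" } |
    Select-Object -Property Name, PathName, State, StartMode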
本地网络连接
# Per-interface IP configuration of the local host (addresses, gateway, DNS
# servers) as reported by the NetTCPIP module. Purely a local read; it sends
# no packets.
Get-NetIPConfiguration
# Established TCP sessions: local and remote endpoint plus the PID owning the
# socket, ordered by peer address. OwningProcess can be joined against
# Get-Process output to attribute a connection to a binary.
$established = Get-NetTCPConnection |
    Where-Object -Property State -EQ -Value "Established"

$established |
    Select-Object -Property LocalAddress, LocalPort, RemoteAddress, RemotePort, OwningProcess |
    Sort-Object -Property RemoteAddress
# Neighbor (ARP/NDP) cache entries that resolved at least once; entries in the
# "Unreachable" and "Incomplete" states are dropped. This reads the local
# cache only and generates no network traffic, unlike the ping sweep below.
$skippedStates = "Unreachable", "Incomplete"

Get-NetNeighbor |
    Where-Object { $_.State -notin $skippedStates } |
    Select-Object -Property IPAddress, LinkLayerAddress, State
# ICMP sweep of 192.168.1.1-254: one echo request per host with a 1 s timeout.
# Be careful - this is noisy: 254 sequential probes are trivially visible to
# network monitoring. -TimeoutSeconds exists only in PowerShell 6+; Windows
# PowerShell 5.1 rejects the parameter.
foreach ($lastOctet in 1..254) {
    $ip = "192.168.1.$lastOctet"
    if (Test-Connection -ComputerName $ip -Count 1 -Quiet -TimeoutSeconds 1) {
        Write-Output "$ip is alive"
    }
}
已经安装的软件
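# Installed software from the Uninstall registry keys. Both the native view and
# the Wow6432Node view (32-bit software on a 64-bit system) are read; entries
# without a DisplayName (update/orphan keys) are dropped.
# The two original pipelines differed only in the key path, so the path is the
# loop variable. $null is placed on the LEFT of the comparison on purpose: if
# the right-hand operand were a collection, `$x -ne $null` would filter it and
# return an array instead of a boolean, which is the classic PowerShell null
# comparison pitfall (PSScriptAnalyzer PSPossibleIncorrectComparisonWithNull).
$uninstallKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*'
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

foreach ($key in $uninstallKeys) {
    Get-ItemProperty -Path $key |
        Select-Object -Property DisplayName, DisplayVersion, Publisher, InstallDate |
        Where-Object { $null -ne $_.DisplayName }
}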
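# Antivirus products registered with Windows Security Center.
# Get-CimInstance replaces Get-WmiObject for the same reason as the service
# query above: Get-WmiObject does not exist in PowerShell 6+, which this page's
# ping sweep (-TimeoutSeconds) already assumes.
# Caveats for interpreting the result: the root\SecurityCenter2 namespace is
# generally absent on Windows Server SKUs, so an error or empty output there
# does not mean no security product is present; and productState is a packed
# numeric status field, not a human-readable string - treat it as opaque
# unless it is decoded.
Get-CimInstance -Namespace root\SecurityCenter2 -ClassName AntiVirusProduct |
    Select-Object -Property displayName, pathToSignedProductExe, productState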