"Living off the land" (LoL) 一种攻击技术 利用系统内置功能,隐藏攻击者并躲避检测
作者:Sec-Labs | 发布时间:
项目地址
https://github.com/myexploit/living_off_the_land
活用基础设施技术
我经常在自己的活动目录实验室中进行实验。我喜欢能够执行某些操作并立即查看结果,这种方法使我能够发现许多技术。
我想分享一些这些结果,因此将记录其中的一些发现。
这些应该被视为实验性的,并且结果很可能因测试环境的不同而有所不同。
所有这些共享的样本都是由我创建的,使用内置于Windows操作系统中的工具,它们也是在属于域用户组(标准用户)的帐户的上下文中执行的。
建立自己的AD实验室
我强烈建议所有基础设施测试人员,包括红/紫/蓝队成员,应该建立自己的活动目录实验室,其中至少包括一台Windows服务器和两个Windows 10/11主机。
有关如何构建我的实验室的更多信息,请参见https://github.com/myexploit/LAB/blob/master/Hack_Lab_Domain,其中记录了我使用的测试域的设置。
免费试用
- 服务器 2022 - https://info.microsoft.com/ww-landing-windows-server-2022.html
- Windows 11 - https://www.microsoft.com/software-download/windows11
- 预构建的 Windows 11 虚拟机(但我认为这些现在是一种混乱的解决方案)- https://developer.microsoft.com/en-us/windows/downloads/virtual-machines/
活用基础设施技术笔记
以下是关于不同PowerShell实现和快速获胜的一些笔记。
About WMI
Windows Management Instrumentation (WMI) is a technology developed by Microsoft that provides a standardized way to manage and monitor the various system resources on Windows computers. WMI is an integral part of the Windows operating system; it lets system administrators gather information about hardware, software and network configuration, and control system functions remotely.
WMI uses a model-driven architecture to represent system resources, which are exposed as managed objects that can be accessed and manipulated with WMI-based tools, scripting languages or programming languages. WMI provides a unified interface for accessing system resources across different versions of Windows, so administrators can manage and monitor multiple systems with a common set of tools and techniques.
WMI offers a wide range of functionality, including retrieving system information, configuring system settings, monitoring system events, and executing commands and scripts on remote computers. WMI can be accessed from several programming and scripting languages, such as PowerShell, VBScript and C#.
Overall, WMI is a powerful technology that lets system administrators manage and monitor Windows-based systems in a standardized and efficient way.
Using PowerShell with WMI
PowerShell is a powerful command-line shell and scripting language that can be used to interact with WMI on Windows-based computers. PowerShell provides several cmdlets and modules that let administrators query WMI, retrieve information and perform various management tasks.
Here are some examples of using PowerShell with WMI:
Retrieve system information from the local host:
Syntax:
Get-WmiObject -Class Win32_OperatingSystem
Result:
PS C:\Users\yepyepyep> Get-WmiObject -Class Win32_OperatingSystem
SystemDirectory : C:\WINDOWS\system32
Organization :
BuildNumber : 22621
RegisteredUser : yepyepyep@myexploitland.com
SerialNumber : 00220-007-Redacted-1234M
Version : 10.0.22621
Query specific information on the local host:
Syntax:
Get-WmiObject -Class Win32_Processor | Select-Object Name, Manufacturer, MaxClockSpeed
Result:
PS C:\Users\yepyepyep> Get-WmiObject -Class Win32_Processor | Select-Object Name, Manufacturer, MaxClockSpeed
Name Manufacturer MaxClockSpeed
---- ------------ -------------
Intel(R) Core(TM) i5-10300H CPU @ 2.50GHz GenuineIntel 2496
Enumerate_domain_groups_win32_groupindomain
Full syntax:
Get-CimInstance -ClassName Win32_GroupInDomain | Format-Table -AutoSize
Result:
PS C:\Users\User1> Get-CimInstance -ClassName Win32_GroupInDomain | Format-Table -AutoSize
GroupComponent PartComponent PSComputerName
-------------- ------------- --------------
Win32_NTDomain (Name = "Domain: HACKLAB") Win32_Group (Name = "Cert Publishers", Domain = "HACKLAB")
Win32_NTDomain (Name = "Domain: HACKLAB") Win32_Group (Name = "RAS and IAS Servers", Domain = "HACKLAB")
Win32_NTDomain (Name = "Domain: HACKLAB") Win32_Group (Name = "Allowed RODC Password Replication Group..., Domain = "HACKLAB")
Win32_NTDomain (Name = "Domain: HACKLAB") Win32_Group (Name = "Denied RODC Password Replication Group", Domain = "HACKLAB")
Win32_NTDomain (Name = "Domain: HACKLAB") Win32_Group (Name = "DnsAdmins", Domain = "HACKLAB")
Win32_NTDomain (Name = "Domain: HACKLAB") Win32_Group (Name = "accounts", Domain = "HACKLAB")
Win32_NTDomain (Name = "Domain: HACKLAB") Win32_Group (Name = "administration", Domain = "HACKLAB")
Win32_NTDomain (Name = "Domain: HACKLAB") Win32_Group (Name = "Cloneable Domain Controllers", Domain = "HACKLAB")
Win32_NTDomain (Name = "Domain: HACKLAB") Win32_Group (Name = "DnsUpdateProxy", Domain = "HACKLAB")
Win32_NTDomain (Name = "Domain: HACKLAB") Win32_Group (Name = "Domain Admins", Domain = "HACKLAB")
Win32_NTDomain (Name = "Domain: HACKLAB") Win32_Group (Name = "Domain Computers", Domain = "HACKLAB")
Win32_NTDomain (Name = "Domain: HACKLAB") Win32_Group (Name = "Domain Controllers", Domain = "HACKLAB")
Win32_NTDomain (Name = "Domain: HACKLAB") Win32_Group (Name = "Domain Guests", Domain = "HACKLAB")
Win32_NTDomain (Name = "Domain: HACKLAB") Win32_Group (Name = "Domain Users", Domain = "HACKLAB")
Win32_NTDomain (Name = "Domain: HACKLAB") Win32_Group (Name = "Enterprise Admins", Domain = "HACKLAB")
Win32_NTDomain (Name = "Domain: HACKLAB") Win32_Group (Name = "Enterprise Key Admins", Domain = "HACKLAB")
Win32_NTDomain (Name = "Domain: HACKLAB") Win32_Group (Name = "Enterprise Read-only Domain Controllers..., Domain = "HACKLAB")
Win32_NTDomain (Name = "Domain: HACKLAB") Win32_Group (Name = "Group Policy Creator Owners", Domain = "HACKLAB")
Win32_NTDomain (Name = "Domain: HACKLAB") Win32_Group (Name = "help_desk", Domain = "HACKLAB")
Win32_NTDomain (Name = "Domain: HACKLAB") Win32_Group (Name = "Key Admins", Domain = "HACKLAB")
Win32_NTDomain (Name = "Domain: HACKLAB") Win32_Group (Name = "Protected Users", Domain = "HACKLAB")
Win32_NTDomain (Name = "Domain: HACKLAB") Win32_Group (Name = "RDP", Domain = "HACKLAB")
Win32_NTDomain (Name = "Domain: HACKLAB") Win32_Group (Name = "Read-only Domain Controllers", Domain = "HACKLAB")
Win32_NTDomain (Name = "Domain: HACKLAB") Win32_Group (Name = "sales", Domain = "HACKLAB")
Win32_NTDomain (Name = "Domain: HACKLAB") Win32_Group (Name = "Schema Admins", Domain = "HACKLAB")
Win32_NTDomain (Name = "Domain: HACKLAB") Win32_Group (Name = "support", Domain = "HACKLAB")
Enumerate_domain_users_win32_userdesktop
Full syntax:
Get-CimInstance -ClassName Win32_UserDesktop | Format-Table -AutoSize > Win32_UserDesktop.txt
Result:
PS C:\Users\User1> Get-CimInstance -ClassName Win32_UserDesktop
Element Setting PSComputerName
------- ------- --------------
Win32_UserAccount (Name = "Administrator", Domain = "LAB-WIN11-2") Win32_Desktop (Name = ".DEFAULT")
Win32_UserAccount (Name = "DefaultAccount", Domain = "LAB-WIN11-2") Win32_Desktop (Name = ".DEFAULT")
Win32_UserAccount (Name = "Guest", Domain = "LAB-WIN11-2") Win32_Desktop (Name = ".DEFAULT")
Win32_UserAccount (Name = "ieuser", Domain = "LAB-WIN11-2") Win32_Desktop (Name = ".DEFAULT")
Win32_UserAccount (Name = "WDAGUtilityAccount", Domain = "LAB-WIN11-2") Win32_Desktop (Name = ".DEFAULT")
Win32_UserAccount (Name = "Administrator", Domain = "HACKLAB") Win32_Desktop (Name = ".DEFAULT")
Win32_UserAccount (Name = "Guest", Domain = "HACKLAB") Win32_Desktop (Name = ".DEFAULT")
Win32_UserAccount (Name = "krbtgt", Domain = "HACKLAB") Win32_Desktop (Name = ".DEFAULT")
Win32_UserAccount (Name = "n.collins", Domain = "HACKLAB") Win32_Desktop (Name = ".DEFAULT")
Win32_UserAccount (Name = "o.davidson", Domain = "HACKLAB") Win32_Desktop (Name = ".DEFAULT")
Win32_UserAccount (Name = "p.davies", Domain = "HACKLAB") Win32_Desktop (Name = ".DEFAULT")
Win32_UserAccount (Name = "q.dawson", Domain = "HACKLAB") Win32_Desktop (Name = ".DEFAULT")
Win32_UserAccount (Name = "u.dixon", Domain = "HACKLAB") Win32_Desktop (Name = ".DEFAULT")
Win32_UserAccount (Name = "r.edwards", Domain = "HACKLAB") Win32_Desktop (Name = ".DEFAULT")
Win32_UserAccount (Name = "s.elliot", Domain = "HACKLAB") Win32_Desktop (Name = ".DEFAULT")
Win32_UserAccount (Name = "t.evans", Domain = "HACKLAB") Win32_Desktop (Name = ".DEFAULT")
Win32_UserAccount (Name = "u.fisher", Domain = "HACKLAB") Win32_Desktop (Name = ".DEFAULT")
Win32_UserAccount (Name = "v.fletcher", Domain = "HACKLAB") Win32_Desktop (Name = ".DEFAULT")
Win32_UserAccount (Name = "w.ford", Domain = "HACKLAB") Win32_Desktop (Name = ".DEFAULT")
Win32_UserAccount (Name = "x.foster", Domain = "HACKLAB") Win32_Desktop (Name = ".DEFAULT")
Win32_UserAccount (Name = "y.fox", Domain = "HACKLAB") Win32_Desktop (Name = ".DEFAULT")
Win32_UserAccount (Name = "z.gibson", Domain = "HACKLAB") Win32_Desktop (Name = ".DEFAULT")
Win32_UserAccount (Name = "a.graham", Domain = "HACKLAB") Win32_Desktop (Name = ".DEFAULT")
Win32_UserAccount (Name = "b.grant", Domain = "HACKLAB") Win32_Desktop (Name = ".DEFAULT")
Win32_UserAccount (Name = "c.gray", Domain = "HACKLAB") Win32_Desktop (Name = ".DEFAULT")
Win32_UserAccount (Name = "d.green", Domain = "HACKLAB") Win32_Desktop (Name = ".DEFAULT")
Win32_UserAccount (Name = "m.jenkins", Domain = "HACKLAB") Win32_Desktop (Name = ".DEFAULT")
Win32_UserAccount (Name = "n.johnson", Domain = "HACKLAB") Win32_Desktop (Name = ".DEFAULT")
Win32_UserAccount (Name = "o.jones", Domain = "HACKLAB") Win32_Desktop (Name = ".DEFAULT")
Win32_UserAccount (Name = "g.white", Domain = "HACKLAB") Win32_Desktop (Name = ".DEFAULT")
Win32_UserAccount (Name = "h.yalden", Domain = "HACKLAB") Win32_Desktop (Name = ".DEFAULT")
Win32_UserAccount (Name = "i.yarbury", Domain = "HACKLAB") Win32_Desktop (Name = ".DEFAULT")
Win32_UserAccount (Name = "j.yardley", Domain = "HACKLAB") Win32_Desktop (Name = ".DEFAULT")
Win32_UserAccount (Name = "z.mcdonald", Domain = "HACKLAB") Win32_Desktop (Name = ".DEFAULT")
Win32_UserAccount (Name = "a.murphy", Domain = "HACKLAB") Win32_Desktop (Name = ".DEFAULT")
Win32_UserAccount (Name = "b.natt", Domain = "HACKLAB") Win32_Desktop (Name = ".DEFAULT")
Win32_UserAccount (Name = "c.nelson", Domain = "HACKLAB") Win32_Desktop (Name = ".DEFAULT")
Win32_UserAccount (Name = "d.nightingale", Domain = "HACKLAB") Win32_Desktop (Name = ".DEFAULT")
Win32_UserAccount (Name = "e.nixon", Domain = "HACKLAB") Win32_Desktop (Name = ".DEFAULT")
Win32_UserAccount (Name = "f.nutter", Domain = "HACKLAB") Win32_Desktop (Name = ".DEFAULT")
Win32_UserAccount (Name = "p.kelly", Domain = "HACKLAB") Win32_Desktop (Name = ".DEFAULT")
Win32_UserAccount (Name = "q.kennedy", Domain = "HACKLAB") Win32_Desktop (Name = ".DEFAULT")
Win32_UserAccount (Name = "u.king", Domain = "HACKLAB") Win32_Desktop (Name = ".DEFAULT")
Win32_UserAccount (Name = "r.knight", Domain = "HACKLAB") Win32_Desktop (Name = ".DEFAULT")
Win32_UserAccount (Name = "s.lawrence", Domain = "HACKLAB") Win32_Desktop (Name = ".DEFAULT")
Win32_UserAccount (Name = "t.lee", Domain = "HACKLAB") Win32_Desktop (Name = ".DEFAULT")
Win32_UserAccount (Name = "u.lewis", Domain = "HACKLAB") Win32_Desktop (Name = ".DEFAULT")
Win32_UserAccount (Name = "v.lloyd", Domain = "HACKLAB") Win32_Desktop (Name = ".DEFAULT")
Win32_UserAccount (Name = "w.marshall", Domain = "HACKLAB") Win32_Desktop (Name = ".DEFAULT")
Win32_UserAccount (Name = "x.martin", Domain = "HACKLAB") Win32_Desktop (Name = ".DEFAULT")
Win32_UserAccount (Name = "y.mason", Domain = "HACKLAB") Win32_Desktop (Name = ".DEFAULT")
Win32_UserAccount (Name = "g.dell", Domain = "HACKLAB") Win32_Desktop (Name = ".DEFAULT")
Win32_UserAccount (Name = "h.osborne", Domain = "HACKLAB") Win32_Desktop (Name = ".DEFAULT")
Win32_UserAccount (Name = "i.owen", Domain = "HACKLAB") Win32_Desktop (Name = ".DEFAULT")
Win32_UserAccount (Name = "j.oxley", Domain = "HACKLAB") Win32_Desktop (Name = ".DEFAULT")
Win32_UserAccount (Name = "k.page", Domain = "HACKLAB") Win32_Desktop (Name = ".DEFAULT")
Win32_UserAccount (Name = "l.painter", Domain = "HACKLAB") Win32_Desktop (Name = ".DEFAULT")
Win32_UserAccount (Name = "m.palmer", Domain = "HACKLAB") Win32_Desktop (Name = ".DEFAULT")
Win32_UserAccount (Name = "n.pastor", Domain = "HACKLAB") Win32_Desktop (Name = ".DEFAULT")
Win32_UserAccount (Name = "o.peterson", Domain = "HACKLAB") Win32_Desktop (Name = ".DEFAULT")
Win32_UserAccount (Name = "p.quill", Domain = "HACKLAB") Win32_Desktop (Name = ".DEFAULT")
Win32_UserAccount (Name = "q.quimby", Domain = "HACKLAB") Win32_Desktop (Name = ".DEFAULT")
Win32_UserAccount (Name = "u.quintrell", Domain = "HACKLAB") Win32_Desktop (Name = ".DEFAULT")
Win32_UserAccount (Name = "r.ramsey", Domain = "HACKLAB") Win32_Desktop (Name = ".DEFAULT")
Win32_UserAccount (Name = "s.ratliff", Domain = "HACKLAB") Win32_Desktop (Name = ".DEFAULT")
Win32_UserAccount (Name = "t.richards", Domain = "HACKLAB") Win32_Desktop (Name = ".DEFAULT")
Win32_UserAccount (Name = "u.roberts", Domain = "HACKLAB") Win32_Desktop (Name = ".DEFAULT")
Win32_UserAccount (Name = "v.robinson", Domain = "HACKLAB") Win32_Desktop (Name = ".DEFAULT")
Win32_UserAccount (Name = "w.scott", Domain = "HACKLAB") Win32_Desktop (Name = ".DEFAULT")
Win32_UserAccount (Name = "x.simpson", Domain = "HACKLAB") Win32_Desktop (Name = ".DEFAULT")
Win32_UserAccount (Name = "y.smith", Domain = "HACKLAB") Win32_Desktop (Name = ".DEFAULT")
Win32_UserAccount (Name = "z.stewart", Domain = "HACKLAB") Win32_Desktop (Name = ".DEFAULT")
Win32_UserAccount (Name = "a.taylor", Domain = "HACKLAB") Win32_Desktop (Name = ".DEFAULT")
Win32_UserAccount (Name = "b.turner", Domain = "HACKLAB") Win32_Desktop (Name = ".DEFAULT")
Win32_UserAccount (Name = "c.walsh", Domain = "HACKLAB") Win32_Desktop (Name = ".DEFAULT")
Win32_UserAccount (Name = "d.ward", Domain = "HACKLAB") Win32_Desktop (Name = ".DEFAULT")
Win32_UserAccount (Name = "e.webb", Domain = "HACKLAB") Win32_Desktop (Name = ".DEFAULT")
Win32_UserAccount (Name = "f.west", Domain = "HACKLAB") Win32_Desktop (Name = ".DEFAULT")
Win32_UserAccount (Name = "d.atkinson", Domain = "HACKLAB") Win32_Desktop (Name = ".DEFAULT")
Win32_UserAccount (Name = "e.bailey", Domain = "HACKLAB") Win32_Desktop (Name = ".DEFAULT")
Win32_UserAccount (Name = "f.baker", Domain = "HACKLAB") Win32_Desktop (Name = ".DEFAULT")
Win32_UserAccount (Name = "g.ball", Domain = "HACKLAB") Win32_Desktop (Name = ".DEFAULT")
Win32_UserAccount (Name = "h.bell", Domain = "HACKLAB") Win32_Desktop (Name = ".DEFAULT")
Win32_UserAccount (Name = "i.brown", Domain = "HACKLAB") Win32_Desktop (Name = ".DEFAULT")
Win32_UserAccount (Name = "j.burton", Domain = "HACKLAB") Win32_Desktop (Name = ".DEFAULT")
Win32_UserAccount (Name = "k.carter", Domain = "HACKLAB") Win32_Desktop (Name = ".DEFAULT")
Win32_UserAccount (Name = "l.clarke", Domain = "HACKLAB") Win32_Desktop (Name = ".DEFAULT")
Win32_UserAccount (Name = "m.cole", Domain = "HACKLAB") Win32_Desktop (Name = ".DEFAULT")
Win32_UserAccount (Name = "e.griffiths", Domain = "HACKLAB") Win32_Desktop (Name = ".DEFAULT")
Win32_UserAccount (Name = "f.hall", Domain = "HACKLAB") Win32_Desktop (Name = ".DEFAULT")
Win32_UserAccount (Name = "g.hamilton", Domain = "HACKLAB") Win32_Desktop (Name = ".DEFAULT")
Win32_UserAccount (Name = "h.harris", Domain = "HACKLAB") Win32_Desktop (Name = ".DEFAULT")
Win32_UserAccount (Name = "i.harvey", Domain = "HACKLAB") Win32_Desktop (Name = ".DEFAULT")
Win32_UserAccount (Name = "j.hill", Domain = "HACKLAB") Win32_Desktop (Name = ".DEFAULT")
Win32_UserAccount (Name = "k.jackson", Domain = "HACKLAB") Win32_Desktop (Name = ".DEFAULT")
Win32_UserAccount (Name = "l.james", Domain = "HACKLAB") Win32_Desktop (Name = ".DEFAULT")
Win32_UserAccount (Name = "k.yarrow", Domain = "HACKLAB") Win32_Desktop (Name = ".DEFAULT")
Win32_UserAccount (Name = "l.yates", Domain = "HACKLAB") Win32_Desktop (Name = ".DEFAULT")
Win32_UserAccount (Name = "m.young", Domain = "HACKLAB") Win32_Desktop (Name = ".DEFAULT")
Win32_UserAccount (Name = "n.zachary", Domain = "HACKLAB") Win32_Desktop (Name = ".DEFAULT")
Win32_UserAccount (Name = "o.zelly", Domain = "HACKLAB") Win32_Desktop (Name = ".DEFAULT")
Win32_UserAccount (Name = "p.zinc", Domain = "HACKLAB") Win32_Desktop (Name = ".DEFAULT")
Win32_UserAccount (Name = "q.zouch", Domain = "HACKLAB") Win32_Desktop (Name = ".DEFAULT")
Win32_UserAccount (Name = "a.adams", Domain = "HACKLAB") Win32_Desktop (Name = ".DEFAULT")
Win32_UserAccount (Name = "b.allen", Domain = "HACKLAB") Win32_Desktop (Name = ".DEFAULT")
Win32_UserAccount (Name = "c.armstrong", Domain = "HACKLAB") Win32_Desktop (Name = ".DEFAULT")
Win32_UserAccount (Name = "adm.adams", Domain = "HACKLAB") Win32_Desktop (Name = ".DEFAULT")
Win32_UserAccount (Name = "adm.smith", Domain = "HACKLAB") Win32_Desktop (Name = ".DEFAULT")
Win32_UserAccount (Name = "adm.stewart", Domain = "HACKLAB") Win32_Desktop (Name = ".DEFAULT")
Win32_UserAccount (Name = "adm.natt", Domain = "HACKLAB") Win32_Desktop (Name = ".DEFAULT")
Win32_UserAccount (Name = "adm.nelson", Domain = "HACKLAB") Win32_Desktop (Name = ".DEFAULT")
Win32_UserAccount (Name = "svc_afds", Domain = "HACKLAB") Win32_Desktop (Name = ".DEFAULT")
Win32_UserAccount (Name = "svc_test", Domain = "HACKLAB") Win32_Desktop (Name = ".DEFAULT")
Win32_UserAccount (Name = "svc_mssql1", Domain = "HACKLAB") Win32_Desktop (Name = ".DEFAULT")
Win32_UserAccount (Name = "svc_mssql2", Domain = "HACKLAB") Win32_Desktop (Name = ".DEFAULT")
Win32_UserAccount (Name = "svc_lab", Domain = "HACKLAB") Win32_Desktop (Name = ".DEFAULT")
Win32_UserAccount (Name = "svc_admin", Domain = "HACKLAB") Win32_Desktop (Name = ".DEFAULT")
Win32_UserAccount (Name = "DA1", Domain = "HACKLAB") Win32_Desktop (Name = ".DEFAULT")
Win32_UserAccount (Name = "user1", Domain = "HACKLAB") Win32_Desktop (Name = "HACKLAB\user1")
Win32_UserAccount (Name = "user2", Domain = "HACKLAB") Win32_Desktop (Name = ".DEFAULT")
Win32_UserAccount (Name = "user3", Domain = "HACKLAB") Win32_Desktop (Name = ".DEFAULT")
Win32_UserAccount (Name = "test2", Domain = "HACKLAB") Win32_Desktop (Name = ".DEFAULT")
Win32_UserAccount (Name = "user4", Domain = "HACKLAB") Win32_Desktop (Name = ".DEFAULT")
Enumerate_domain_users_win32_userindomain
Full syntax:
Get-CimInstance -ClassName Win32_UserInDomain | Format-Table -AutoSize
Result:
PS C:\Users\User1> Get-CimInstance -ClassName Win32_UserInDomain | Format-Table -AutoSize
GroupComponent PartComponent PSComputerName
-------------- ------------- --------------
Win32_NTDomain (Name = "Domain: HACKLAB") Win32_UserAccount (Name = "Administrator", Domain = "HACKLAB")
Win32_NTDomain (Name = "Domain: HACKLAB") Win32_UserAccount (Name = "Guest", Domain = "HACKLAB")
Win32_NTDomain (Name = "Domain: HACKLAB") Win32_UserAccount (Name = "krbtgt", Domain = "HACKLAB")
Win32_NTDomain (Name = "Domain: HACKLAB") Win32_UserAccount (Name = "n.collins", Domain = "HACKLAB")
Win32_NTDomain (Name = "Domain: HACKLAB") Win32_UserAccount (Name = "o.davidson", Domain = "HACKLAB")
Win32_NTDomain (Name = "Domain: HACKLAB") Win32_UserAccount (Name = "p.davies", Domain = "HACKLAB")
Win32_NTDomain (Name = "Domain: HACKLAB") Win32_UserAccount (Name = "q.dawson", Domain = "HACKLAB")
Win32_NTDomain (Name = "Domain: HACKLAB") Win32_UserAccount (Name = "u.dixon", Domain = "HACKLAB")
Win32_NTDomain (Name = "Domain: HACKLAB") Win32_UserAccount (Name = "r.edwards", Domain = "HACKLAB")
Win32_NTDomain (Name = "Domain: HACKLAB") Win32_UserAccount (Name = "s.elliot", Domain = "HACKLAB")
Win32_NTDomain (Name = "Domain: HACKLAB") Win32_UserAccount (Name = "t.evans", Domain = "HACKLAB")
Win32_NTDomain (Name = "Domain: HACKLAB") Win32_UserAccount (Name = "u.fisher", Domain = "HACKLAB")
Win32_NTDomain (Name = "Domain: HACKLAB") Win32_UserAccount (Name = "v.fletcher", Domain = "HACKLAB")
Win32_NTDomain (Name = "Domain: HACKLAB") Win32_UserAccount (Name = "w.ford", Domain = "HACKLAB")
Win32_NTDomain (Name = "Domain: HACKLAB") Win32_UserAccount (Name = "x.foster", Domain = "HACKLAB")
Win32_NTDomain (Name = "Domain: HACKLAB") Win32_UserAccount (Name = "y.fox", Domain = "HACKLAB")
Win32_NTDomain (Name = "Domain: HACKLAB") Win32_UserAccount (Name = "z.gibson", Domain = "HACKLAB")
Win32_NTDomain (Name = "Domain: HACKLAB") Win32_UserAccount (Name = "a.graham", Domain = "HACKLAB")
Win32_NTDomain (Name = "Domain: HACKLAB") Win32_UserAccount (Name = "b.grant", Domain = "HACKLAB")
Win32_NTDomain (Name = "Domain: HACKLAB") Win32_UserAccount (Name = "c.gray", Domain = "HACKLAB")
Win32_NTDomain (Name = "Domain: HACKLAB") Win32_UserAccount (Name = "d.green", Domain = "HACKLAB")
Win32_NTDomain (Name = "Domain: HACKLAB") Win32_UserAccount (Name = "m.jenkins", Domain = "HACKLAB")
Win32_NTDomain (Name = "Domain: HACKLAB") Win32_UserAccount (Name = "n.johnson", Domain = "HACKLAB")
Win32_NTDomain (Name = "Domain: HACKLAB") Win32_UserAccount (Name = "o.jones", Domain = "HACKLAB")
Win32_NTDomain (Name = "Domain: HACKLAB") Win32_UserAccount (Name = "g.white", Domain = "HACKLAB")
Win32_NTDomain (Name = "Domain: HACKLAB") Win32_UserAccount (Name = "h.yalden", Domain = "HACKLAB")
Win32_NTDomain (Name = "Domain: HACKLAB") Win32_UserAccount (Name = "i.yarbury", Domain = "HACKLAB")
Win32_NTDomain (Name = "Domain: HACKLAB") Win32_UserAccount (Name = "j.yardley", Domain = "HACKLAB")
Win32_NTDomain (Name = "Domain: HACKLAB") Win32_UserAccount (Name = "z.mcdonald", Domain = "HACKLAB")
Win32_NTDomain (Name = "Domain: HACKLAB") Win32_UserAccount (Name = "a.murphy", Domain = "HACKLAB")
Win32_NTDomain (Name = "Domain: HACKLAB") Win32_UserAccount (Name = "b.natt", Domain = "HACKLAB")
Win32_NTDomain (Name = "Domain: HACKLAB") Win32_UserAccount (Name = "c.nelson", Domain = "HACKLAB")
Win32_NTDomain (Name = "Domain: HACKLAB") Win32_UserAccount (Name = "d.nightingale", Domain = "HACKLAB")
Win32_NTDomain (Name = "Domain: HACKLAB") Win32_UserAccount (Name = "e.nixon", Domain = "HACKLAB")
Win32_NTDomain (Name = "Domain: HACKLAB") Win32_UserAccount (Name = "f.nutter", Domain = "HACKLAB")
Win32_NTDomain (Name = "Domain: HACKLAB") Win32_UserAccount (Name = "p.kelly", Domain = "HACKLAB")
Win32_NTDomain (Name = "Domain: HACKLAB") Win32_UserAccount (Name = "q.kennedy", Domain = "HACKLAB")
Win32_NTDomain (Name = "Domain: HACKLAB") Win32_UserAccount (Name = "u.king", Domain = "HACKLAB")
Win32_NTDomain (Name = "Domain: HACKLAB") Win32_UserAccount (Name = "r.knight", Domain = "HACKLAB")
Win32_NTDomain (Name = "Domain: HACKLAB") Win32_UserAccount (Name = "s.lawrence", Domain = "HACKLAB")
Win32_NTDomain (Name = "Domain: HACKLAB") Win32_UserAccount (Name = "t.lee", Domain = "HACKLAB")
Win32_NTDomain (Name = "Domain: HACKLAB") Win32_UserAccount (Name = "u.lewis", Domain = "HACKLAB")
Win32_NTDomain (Name = "Domain: HACKLAB") Win32_UserAccount (Name = "v.lloyd", Domain = "HACKLAB")
Win32_NTDomain (Name = "Domain: HACKLAB") Win32_UserAccount (Name = "w.marshall", Domain = "HACKLAB")
Win32_NTDomain (Name = "Domain: HACKLAB") Win32_UserAccount (Name = "x.martin", Domain = "HACKLAB")
Win32_NTDomain (Name = "Domain: HACKLAB") Win32_UserAccount (Name = "y.mason", Domain = "HACKLAB")
Win32_NTDomain (Name = "Domain: HACKLAB") Win32_UserAccount (Name = "g.dell", Domain = "HACKLAB")
Win32_NTDomain (Name = "Domain: HACKLAB") Win32_UserAccount (Name = "h.osborne", Domain = "HACKLAB")
Win32_NTDomain (Name = "Domain: HACKLAB") Win32_UserAccount (Name = "i.owen", Domain = "HACKLAB")
Win32_NTDomain (Name = "Domain: HACKLAB") Win32_UserAccount (Name = "j.oxley", Domain = "HACKLAB")
Win32_NTDomain (Name = "Domain: HACKLAB") Win32_UserAccount (Name = "k.page", Domain = "HACKLAB")
Win32_NTDomain (Name = "Domain: HACKLAB") Win32_UserAccount (Name = "l.painter", Domain = "HACKLAB")
Win32_NTDomain (Name = "Domain: HACKLAB") Win32_UserAccount (Name = "m.palmer", Domain = "HACKLAB")
Win32_NTDomain (Name = "Domain: HACKLAB") Win32_UserAccount (Name = "n.pastor", Domain = "HACKLAB")
Win32_NTDomain (Name = "Domain: HACKLAB") Win32_UserAccount (Name = "o.peterson", Domain = "HACKLAB")
Win32_NTDomain (Name = "Domain: HACKLAB") Win32_UserAccount (Name = "p.quill", Domain = "HACKLAB")
Win32_NTDomain (Name = "Domain: HACKLAB") Win32_UserAccount (Name = "q.quimby", Domain = "HACKLAB")
Win32_NTDomain (Name = "Domain: HACKLAB") Win32_UserAccount (Name = "u.quintrell", Domain = "HACKLAB")
Win32_NTDomain (Name = "Domain: HACKLAB") Win32_UserAccount (Name = "r.ramsey", Domain = "HACKLAB")
Win32_NTDomain (Name = "Domain: HACKLAB") Win32_UserAccount (Name = "s.ratliff", Domain = "HACKLAB")
Win32_NTDomain (Name = "Domain: HACKLAB") Win32_UserAccount (Name = "t.richards", Domain = "HACKLAB")
Win32_NTDomain (Name = "Domain: HACKLAB") Win32_UserAccount (Name = "u.roberts", Domain = "HACKLAB")
Win32_NTDomain (Name = "Domain: HACKLAB") Win32_UserAccount (Name = "v.robinson", Domain = "HACKLAB")
Win32_NTDomain (Name = "Domain: HACKLAB") Win32_UserAccount (Name = "w.scott", Domain = "HACKLAB")
Win32_NTDomain (Name = "Domain: HACKLAB") Win32_UserAccount (Name = "x.simpson", Domain = "HACKLAB")
Win32_NTDomain (Name = "Domain: HACKLAB") Win32_UserAccount (Name = "y.smith", Domain = "HACKLAB")
Win32_NTDomain (Name = "Domain: HACKLAB") Win32_UserAccount (Name = "z.stewart", Domain = "HACKLAB")
Win32_NTDomain (Name = "Domain: HACKLAB") Win32_UserAccount (Name = "a.taylor", Domain = "HACKLAB")
Win32_NTDomain (Name = "Domain: HACKLAB") Win32_UserAccount (Name = "b.turner", Domain = "HACKLAB")
Win32_NTDomain (Name = "Domain: HACKLAB") Win32_UserAccount (Name = "c.walsh", Domain = "HACKLAB")
Win32_NTDomain (Name = "Domain: HACKLAB") Win32_UserAccount (Name = "d.ward", Domain = "HACKLAB")
Win32_NTDomain (Name = "Domain: HACKLAB") Win32_UserAccount (Name = "e.webb", Domain = "HACKLAB")
Win32_NTDomain (Name = "Domain: HACKLAB") Win32_UserAccount (Name = "f.west", Domain = "HACKLAB")
Win32_NTDomain (Name = "Domain: HACKLAB") Win32_UserAccount (Name = "d.atkinson", Domain = "HACKLAB")
Win32_NTDomain (Name = "Domain: HACKLAB") Win32_UserAccount (Name = "e.bailey", Domain = "HACKLAB")
Win32_NTDomain (Name = "Domain: HACKLAB") Win32_UserAccount (Name = "f.baker", Domain = "HACKLAB")
Win32_NTDomain (Name = "Domain: HACKLAB") Win32_UserAccount (Name = "g.ball", Domain = "HACKLAB")
Win32_NTDomain (Name = "Domain: HACKLAB") Win32_UserAccount (Name = "h.bell", Domain = "HACKLAB")
Win32_NTDomain (Name = "Domain: HACKLAB") Win32_UserAccount (Name = "i.brown", Domain = "HACKLAB")
Win32_NTDomain (Name = "Domain: HACKLAB") Win32_UserAccount (Name = "j.burton", Domain = "HACKLAB")
Win32_NTDomain (Name = "Domain: HACKLAB") Win32_UserAccount (Name = "k.carter", Domain = "HACKLAB")
Win32_NTDomain (Name = "Domain: HACKLAB") Win32_UserAccount (Name = "l.clarke", Domain = "HACKLAB")
Win32_NTDomain (Name = "Domain: HACKLAB") Win32_UserAccount (Name = "m.cole", Domain = "HACKLAB")
Win32_NTDomain (Name = "Domain: HACKLAB") Win32_UserAccount (Name = "e.griffiths", Domain = "HACKLAB")
Win32_NTDomain (Name = "Domain: HACKLAB") Win32_UserAccount (Name = "f.hall", Domain = "HACKLAB")
Win32_NTDomain (Name = "Domain: HACKLAB") Win32_UserAccount (Name = "g.hamilton", Domain = "HACKLAB")
Win32_NTDomain (Name = "Domain: HACKLAB") Win32_UserAccount (Name = "h.harris", Domain = "HACKLAB")
Win32_NTDomain (Name = "Domain: HACKLAB") Win32_UserAccount (Name = "i.harvey", Domain = "HACKLAB")
Win32_NTDomain (Name = "Domain: HACKLAB") Win32_UserAccount (Name = "j.hill", Domain = "HACKLAB")
Win32_NTDomain (Name = "Domain: HACKLAB") Win32_UserAccount (Name = "k.jackson", Domain = "HACKLAB")
Win32_NTDomain (Name = "Domain: HACKLAB") Win32_UserAccount (Name = "l.james", Domain = "HACKLAB")
Win32_NTDomain (Name = "Domain: HACKLAB") Win32_UserAccount (Name = "k.yarrow", Domain = "HACKLAB")
Win32_NTDomain (Name = "Domain: HACKLAB") Win32_UserAccount (Name = "l.yates", Domain = "HACKLAB")
Win32_NTDomain (Name = "Domain: HACKLAB") Win32_UserAccount (Name = "m.young", Domain = "HACKLAB")
Win32_NTDomain (Name = "Domain: HACKLAB") Win32_UserAccount (Name = "n.zachary", Domain = "HACKLAB")
Win32_NTDomain (Name = "Domain: HACKLAB") Win32_UserAccount (Name = "o.zelly", Domain = "HACKLAB")
Win32_NTDomain (Name = "Domain: HACKLAB") Win32_UserAccount (Name = "p.zinc", Domain = "HACKLAB")
Win32_NTDomain (Name = "Domain: HACKLAB") Win32_UserAccount (Name = "q.zouch", Domain = "HACKLAB")
Win32_NTDomain (Name = "Domain: HACKLAB") Win32_UserAccount (Name = "a.adams", Domain = "HACKLAB")
Win32_NTDomain (Name = "Domain: HACKLAB") Win32_UserAccount (Name = "b.allen", Domain = "HACKLAB")
Win32_NTDomain (Name = "Domain: HACKLAB") Win32_UserAccount (Name = "c.armstrong", Domain = "HACKLAB")
Win32_NTDomain (Name = "Domain: HACKLAB") Win32_UserAccount (Name = "adm.adams", Domain = "HACKLAB")
Win32_NTDomain (Name = "Domain: HACKLAB") Win32_UserAccount (Name = "adm.smith", Domain = "HACKLAB")
Win32_NTDomain (Name = "Domain: HACKLAB") Win32_UserAccount (Name = "adm.stewart", Domain = "HACKLAB")
Win32_NTDomain (Name = "Domain: HACKLAB") Win32_UserAccount (Name = "adm.natt", Domain = "HACKLAB")
Win32_NTDomain (Name = "Domain: HACKLAB") Win32_UserAccount (Name = "adm.nelson", Domain = "HACKLAB")
Win32_NTDomain (Name = "Domain: HACKLAB") Win32_UserAccount (Name = "svc_afds", Domain = "HACKLAB")
Win32_NTDomain (Name = "Domain: HACKLAB") Win32_UserAccount (Name = "svc_test", Domain = "HACKLAB")
Win32_NTDomain (Name = "Domain: HACKLAB") Win32_UserAccount (Name = "svc_mssql1", Domain = "HACKLAB")
Win32_NTDomain (Name = "Domain: HACKLAB") Win32_UserAccount (Name = "svc_mssql2", Domain = "HACKLAB")
Win32_NTDomain (Name = "Domain: HACKLAB") Win32_UserAccount (Name = "svc_lab", Domain = "HACKLAB")
Win32_NTDomain (Name = "Domain: HACKLAB") Win32_UserAccount (Name = "svc_admin", Domain = "HACKLAB")
Win32_NTDomain (Name = "Domain: HACKLAB") Win32_UserAccount (Name = "DA1", Domain = "HACKLAB")
Win32_NTDomain (Name = "Domain: HACKLAB") Win32_UserAccount (Name = "user1", Domain = "HACKLAB")
Win32_NTDomain (Name = "Domain: HACKLAB") Win32_UserAccount (Name = "user2", Domain = "HACKLAB")
Win32_NTDomain (Name = "Domain: HACKLAB") Win32_UserAccount (Name = "user3", Domain = "HACKLAB")
Win32_NTDomain (Name = "Domain: HACKLAB") Win32_UserAccount (Name = "test2", Domain = "HACKLAB")
Win32_NTDomain (Name = "Domain: HACKLAB") Win32_UserAccount (Name = "user4", Domain = "HACKLAB")
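The three enumeration queries above (Win32_GroupInDomain, Win32_UserDesktop and Win32_UserInDomain) all ran as a standard domain user, so from the blue-team side the question is how to see them happening. The function below is an added example, not code from the living_off_the_land repository: it hunts PowerShell Script Block Logging events (ID 4104 in Microsoft-Windows-PowerShell/Operational) for Get-CimInstance/Get-WmiObject calls against those classes. It assumes Script Block Logging is enabled by policy; the class list and the look-back window are assumptions chosen for this example.

```powershell
# Added example (not from the living_off_the_land repo): find the CIM/WMI domain
# enumeration queries shown above in PowerShell Script Block Logging (event 4104).
# Assumes Script Block Logging is enabled; class list and window are assumptions.

function Find-CimEnumerationScriptBlocks {
    [CmdletBinding()]
    param(
        # CIM/WMI classes whose use by a standard user is worth reviewing
        [string[]]$Classes = @('Win32_GroupInDomain', 'Win32_UserInDomain',
                               'Win32_UserDesktop', 'Win32_Share', 'CIM_LogicalElement'),
        [int]$LookBackHours = 24
    )

    $filter = @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = (Get-Date).AddHours(-$LookBackHours)
    }

    # One regex matching any of the enumeration cmdlets/aliases followed by a listed class
    $classPattern = ($Classes | ForEach-Object { [regex]::Escape($_) }) -join '|'
    $pattern = "(?i)(Get-CimInstance|Get-WmiObject|gwmi|gcim)[^\r\n]*($classPattern)"

    try {
        $events = Get-WinEvent -FilterHashtable $filter -ErrorAction Stop
    } catch {
        # Get-WinEvent throws when nothing matches; report that as an empty result
        Write-Verbose "No 4104 events in the window: $($_.Exception.Message)"
        return @()
    }

    foreach ($event in $events) {
        # 4104 property order: MessageNumber, MessageTotal, ScriptBlockText, ScriptBlockId, Path
        $scriptText = $event.Properties[2].Value
        if ($scriptText -match $pattern) {
            [pscustomobject]@{
                TimeCreated   = $event.TimeCreated
                UserId        = $event.UserId      # SID of the account that ran the block
                ProcessId     = $event.ProcessId
                Cmdlet        = $Matches[1]
                Class         = $Matches[2]
                ScriptBlockId = $event.Properties[3].Value
                Path          = $event.Properties[4].Value
            }
        }
    }
}

# Usage: enumeration activity in the last day, newest first
Find-CimEnumerationScriptBlocks -LookBackHours 24 |
    Sort-Object TimeCreated -Descending |
    Format-Table -AutoSize
```

The UserId column is what turns a hit into a finding: a Domain Users account querying Win32_UserInDomain or Win32_GroupInDomain from an interactive PowerShell session is worth a look, whereas the same query from a known inventory script is expected.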
Check whether WinRM is enabled on a remote host
Test-NetConnection -ComputerName LAB_WIN11_1 -Port 5985
PS C:\Users\User1> Test-NetConnection -ComputerName LAB_WIN11_1 -Port 5985
WARNING: TCP connect to (192.168.68.114 : 5985) failed
ComputerName : LAB_WIN11_1
RemoteAddress : 192.168.68.114
RemotePort : 5985
InterfaceAlias : Ethernet0
SourceAddress : 192.168.68.113
PingSucceeded : True
PingReplyDetails (RTT) : 3 ms
TcpTestSucceeded : False
Attempt to enable WinRM as a domain user.
PS C:\Users\User1> winrm quickconfig
WinRM is not set up to receive requests on this machine.
The following changes must be made:
Start the WinRM service.
Set the WinRM service type to delayed auto start.
Make these changes [y/n]? y
Error: One or more update steps could not be completed.
Could not change the WinRM service type: Access is denied.
Could not start the WinRM service: Access is denied.
WSManFault
Message = The client cannot connect to the destination specified in the request. Verify that the service on the destination is running and is accepting requests. Consult the logs and documentation for the WS-Management service running on the destination, most commonly IIS or WinRM. If the destination is the WinRM service, run the following command on the destination to analyze and configure the WinRM service: "winrm quickconfig".
Error number: -2144108526 0x80338012
The client cannot connect to the destination specified in the request. Verify that the service on the destination is running and is accepting requests. Consult the logs and documentation for the WS-Management service running on the destination, most commonly IIS or WinRM. If the destination is the WinRM service, run the following command on the destination to analyze and configure the WinRM service: "winrm quickconfig".
Attempt to enable WinRM as a member of the Domain Admins group:
PS C:\Windows\system32> winrm quickconfig
WinRM is not set up to receive requests on this machine.
The following changes must be made:
Start the WinRM service.
Set the WinRM service type to delayed auto start.
Make these changes [y/n]? y
WinRM has been updated to receive requests.
WinRM service type changed successfully.
WinRM service started.
WinRM is not set up to allow remote access to this machine for management.
The following changes must be made:
Enable the WinRM firewall exception.
Make these changes [y/n]? y
WinRM has been updated for remote management.
WinRM firewall exception enabled.
PS C:\Windows\system32>
Test whether WinRM is enabled on the remote host.
PS C:\Users\User1> Test-NetConnection -ComputerName LAB_WIN11_1 -Port 5985
ComputerName : LAB_WIN11_1
RemoteAddress : 192.168.68.114
RemotePort : 5985
InterfaceAlias : Ethernet0
SourceAddress : 192.168.68.113
TcpTestSucceeded : True
After enabling WinRM on the remote host, run a remote WinRM request as a domain user to list all of its local shares:
PS C:\Users\User1> Get-CimInstance -ClassName Win32_Share -ComputerName LAB_WIN11_1
Get-CimInstance : Access is denied.
At line:1 char:1
+ Get-CimInstance -ClassName Win32_Share -ComputerName LAB_WIN11_1
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : PermissionDenied: (root\cimv2:Win32_Share:String) [Get-CimInstance], CimException
+ FullyQualifiedErrorId : HRESULT 0x80070005,Microsoft.Management.Infrastructure.CimCmdlets.GetCimInstanceCommand
+ PSComputerName : LAB_WIN11_1
The same operation, but performed with an account belonging to the Domain Admins group.
PS C:\Windows\system32> Get-CimInstance -ClassName Win32_Share -ComputerName LAB_WIN11_1
Name Path Description PSComputerName
---- ---- ----------- --------------
ADMIN$ C:\Windows Remote Admin LAB_WIN11_1
C$ C:\ Default share LAB_WIN11_1
IPC$ Remote IPC LAB_WIN11_1
Test C:\Users\User1\Desktop\Test LAB_WIN11_1
Users C:\Users LAB_WIN11_1
Work C:\Shares\Work LAB_WIN11_1
Work2 C:\Shares\Work LAB_WIN11_1
File enumeration: CIM_LogicalElement
Records every file on the local host and inspects every aspect of the machine (drivers, IP addresses and so on), producing a large output file!
Full syntax:
Get-CimInstance -ClassName CIM_LogicalElement | Format-Table -AutoSize
Local shares: Win32_Share
You can use the Get-CimInstance command with the Win32_Share class to retrieve information about the shared resources on a computer. Below is an example command that lists all shares on the local computer:
PS C:\Users\User1> Get-CimInstance -ClassName Win32_Share
Name Path Description
---- ---- -----------
ADMIN$ C:\Windows Remote Admin
C$ C:\ Default share
IPC$ Remote IPC
Test C:\Users\User1\Desktop\Test
Users C:\Users
Work C:\Shares\Work
Work2 C:\Shares\Work
The command retrieves information about all shared resources on the local computer, including the share name, the path of the shared folder, the share description and the share type (disk, printer, IPC, etc.).
You can also use the -Filter parameter to filter the results so that only shares matching particular criteria are shown. For example, to show only the shares currently in use, use the following command:
PS C:\Users\User1> Get-CimInstance -ClassName Win32_Share -Filter "Type='0'"
Name Path Description
---- ---- -----------
Test C:\Users\User1\Desktop\Test
Users C:\Users
Work C:\Shares\Work
Work2 C:\Shares\Work
The command retrieves information about all disk shares currently in use on the local computer. The Type property of the Win32_Share class indicates the share type; 0 means a disk share.
You can also use the Select-Object command to display specific properties of the shared resources. For example, to show only the name and path of the shared folders, use the following command:
PS C:\Users\User1> Get-CimInstance -ClassName Win32_Share | Select-Object Name, Path
Name Path
---- ----
ADMIN$ C:\Windows
C$ C:\
IPC$
Test C:\Users\User1\Desktop\Test
Users C:\Users
Work C:\Shares\Work
Work2 C:\Shares\Work
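As an added example (not from the original notes), the share listings above can be post-processed in PowerShell: the Type value that the -Filter keys on is a bit field, so this function decodes it to separate the built-in administrative shares from user-created disk shares that warrant an ACL review. The function name and the constructed sample objects are assumptions; against a live host, pipe Get-CimInstance -ClassName Win32_Share into it.

```powershell
# Added example, not code from the original notes. Decodes Win32_Share.Type:
# the low bits give the kind of share, bit 31 marks an administrative share.
# Objects come from the pipeline so the function can be exercised offline with
# constructed input; in production feed it Get-CimInstance Win32_Share output.
function Get-ShareReview {
    [CmdletBinding()]
    param(
        [Parameter(ValueFromPipeline)] [object]$Share
    )
    begin {
        $kinds    = @{ 0 = 'Disk'; 1 = 'PrintQueue'; 2 = 'Device'; 3 = 'IPC' }
        $adminBit = [uint32]2147483648   # 0x80000000
    }
    process {
        $type  = [uint32]$Share.Type
        $kind  = [int]($type -band 3)
        $admin = ($type -band $adminBit) -ne 0
        [pscustomobject]@{
            Name   = $Share.Name
            Path   = $Share.Path
            Kind   = $kinds[$kind]
            Admin  = $admin
            # Non-administrative disk shares are the ones somebody created by
            # hand; these are the entries whose permissions should be reviewed.
            Review = (-not $admin) -and ($kind -eq 0)
        }
    }
}

# Constructed sample mirroring the listing above (not live data).
$sample = @(
    [pscustomobject]@{ Name = 'ADMIN$'; Path = 'C:\Windows';     Type = 2147483648 }
    [pscustomobject]@{ Name = 'IPC$';   Path = '';               Type = 2147483651 }
    [pscustomobject]@{ Name = 'Work';   Path = 'C:\Shares\Work'; Type = 0 }
)
$sample | Get-ShareReview | Format-Table -AutoSize

# Live audit of the local host, keeping only the shares that need a look:
# Get-CimInstance -ClassName Win32_Share | Get-ShareReview | Where-Object Review
```

Shares flagged with Review = True can then be checked with Get-SmbShareAccess to confirm who can reach them.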
Time zone and hostname: Win32_SystemTimeZone
Full syntax:
Get-CimInstance -ClassName Win32_SystemTimeZone | Format-Table -AutoSize
Result:
PS C:\Users\User1> Get-CimInstance -ClassName Win32_SystemTimeZone | Format-Table -AutoSize
Element Setting PSComputerName
------- ------- --------------
Win32_ComputerSystem (Name = "LAB-WIN11-2") Win32_TimeZone (StandardName = "GMT Standard Time")
The command retrieves the time zone and hostname information of the local computer. The Win32_SystemTimeZone class provides information about the time zone the computer is in.
MS_JScript_Enumerate all domain hosts
This code uses the WScript.Network object to retrieve the domain name of the currently logged-on user. The domain name is then used to build the LDAP path for the adsisearcher query.
The ADODB.Connection object is created without specifying a username or password, which lets it run in the context of the currently logged-on user. The rest of the code is similar to the previous example: it uses an ADODB.Command object to execute the adsisearcher query and retrieve the results.
Full syntax:
// Logon domain of the current user, used as the LDAP search base.
var objNetwork = new ActiveXObject("WScript.Network");
var strDomain = objNetwork.UserDomain;
// ADO connection through the ADSI OLE DB provider; no credentials are passed,
// so the query runs as the logged-on user.
var objConnection = new ActiveXObject("ADODB.Connection");
objConnection.Open("Provider=ADsDSOObject");
var objCommand = new ActiveXObject("ADODB.Command");
objCommand.ActiveConnection = objConnection;
// ADSI LDAP dialect: <base>;(filter);attributes;scope
objCommand.CommandText = "<LDAP://" + strDomain + ">;(objectClass=computer);name;subtree";
var objRecordSet = objCommand.Execute();
// Walk the recordset and print each computer's name.
while (!objRecordSet.EOF)
{
    WScript.Echo(objRecordSet.Fields("name").Value);
    objRecordSet.MoveNext();
}
Result:
The code enumerates the names of all computers in the domain and displays them in the command window.
var network = new ActiveXObject('WScript.Network');
var domainName = network.UserDomain;
// Same ADSI provider, but set up property by property before Open().
var searcher = new ActiveXObject('ADODB.Connection');
searcher.Provider = 'ADsDSOObject';
searcher.Properties('Encrypt Password') = true;
searcher.Open('ADs Provider');
var command = new ActiveXObject('ADODB.Command');
command.ActiveConnection = searcher;
// objectCategory=computer with three attributes returned; scope defaults to subtree.
command.CommandText = '<LDAP://' + domainName + '>;(&(objectCategory=computer));adspath,name,distinguishedname;';
var results = command.Execute();
while (!results.EOF) {
    var computer = results.Fields('name').Value;
    WScript.Echo(computer);
    results.MoveNext();
}
// Release the connection once the recordset has been consumed.
searcher.Close();
Result:
PS C:\Users\User1\Documents> cscript.exe //nologo .\Test3.js
WIN-CH4HJ7UU7Q5
LAB_WIN11_1
LAB-WIN11-2
You can redirect the results to a text file.
PS C:\Users\User1\Documents> cscript.exe //nologo .\Test3.js > output1.txt
MS_JScript_IPCONFIG
This code creates an instance of the WScript.Shell object, which provides access to the Windows command shell. The Exec method of the WScript.Shell object is used to run the ipconfig command.
The StdOut and StdErr properties of the returned WshScriptExec object are used to capture the command's output and error streams. The output is stored in the stdout variable and any error messages are stored in the stderr variable.
Full syntax:
// Launch ipconfig through the Windows Script Host shell object.
var objShell = new ActiveXObject("WScript.Shell");
var objExec = objShell.Exec("ipconfig");
var stdout = "";
var stderr = "";
// Drain the child's standard output line by line until it closes.
while (!objExec.StdOut.AtEndOfStream)
{
    stdout += objExec.StdOut.ReadLine() + "\n";
}
// Then drain standard error the same way.
while (!objExec.StdErr.AtEndOfStream)
{
    stderr += objExec.StdErr.ReadLine() + "\n";
}
WScript.Echo(stdout);
WScript.Echo(stderr);
Result:
PS C:\Users\User1\Documents> cscript.exe .\Test1.js
Microsoft (R) Windows Script Host Version 5.812
Copyright (C) Microsoft Corporation. All rights reserved.
Windows IP Configuration
Ethernet adapter Ethernet0:
Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::eda2:cd55:404e:75cd%5
IPv4 Address. . . . . . . . . . . : 192.168.68.116
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : fe80::e6c3:2aff:fe0e:97d0%5
192.168.68.1
This command uses WMI to enumerate all domain accounts whose description references "pass". The -Filter parameter restricts the results to non-local accounts whose description contains "pass".
Full syntax:
Get-WmiObject -Class win32_useraccount -Filter "LocalAccount=False AND Description LIKE '%pass%'" | Select-Object Name, AccountType, Disabled, Description
Result:
The command displays the name, account type, disabled status and description of every domain user account whose description contains "pass". In this example only one account, "d.atkinson", is shown; it is not disabled and its description contains "Summer123".
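As an added example (not from the original notes), the same Win32_UserAccount data can be turned into a defender's audit: this function generalises the '%pass%' filter above to several password-like keywords and reports the matching accounts without echoing the description itself, so the report can be shared with account owners for clean-up. The function name, the keyword list and the constructed sample accounts are assumptions; for a live run, pipe Get-CimInstance -ClassName Win32_UserAccount -Filter "LocalAccount=False" into it.

```powershell
# Added example, not code from the original notes. Flags accounts whose
# Description looks like it carries a credential. Input comes from the
# pipeline so it can be tested with constructed objects; in production feed it
# Win32_UserAccount instances from Get-CimInstance or Get-WmiObject.
function Find-DescriptionSecret {
    [CmdletBinding()]
    param(
        [Parameter(ValueFromPipeline)] [object]$Account,
        # Keyword list is an assumption; extend it to match local naming habits.
        [string[]]$Keyword = @('pass', 'pwd', 'password', 'login', 'cred')
    )
    begin {
        # Build one case-insensitive alternation from the escaped keywords.
        $pattern = ($Keyword | ForEach-Object { [regex]::Escape($_) }) -join '|'
    }
    process {
        $desc = [string]$Account.Description
        if ($desc -and $desc -match $pattern) {
            [pscustomobject]@{
                Name         = $Account.Name
                Domain       = $Account.Domain
                LocalAccount = $Account.LocalAccount
                Disabled     = $Account.Disabled
                Matched      = $Matches[0]
                # Only the length is reported, so the suspected secret does
                # not end up in the audit output or in log files.
                DescLength   = $desc.Length
            }
        }
    }
}

# Constructed sample accounts (not live data) exercising a hit and a miss.
$sample = @(
    [pscustomobject]@{ Name = 'd.atkinson'; Domain = 'LAB'; LocalAccount = $false
                       Disabled = $false; Description = 'Temp password Summer123' }
    [pscustomobject]@{ Name = 'svc_backup'; Domain = 'LAB'; LocalAccount = $false
                       Disabled = $false; Description = 'Backup service' }
)
$sample | Find-DescriptionSecret | Format-Table -AutoSize

# Live audit of domain accounts:
# Get-CimInstance -ClassName Win32_UserAccount -Filter "LocalAccount=False" |
#     Find-DescriptionSecret
```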