There are many handy tools for internal network penetration, and wmic definitely ranks among them; recording this here as a reference.
★★Connect to a remote computer, though it seems the RPC service must be enabled on the target
wmic /node:"192.168.203.131" /password:"password" /user:"administrator"
★★View BIOS manufacturer and model
wmic bios get Manufacturer,Name
★★View workgroup/domain
wmic computersystem get domain
★★Rename computer abc to 123
wmic computersystem where "name='abc'" call rename 123
★★View CPU model
wmic cpu get name
DATAFILE - DataFile management
★★Find the file cc.cmd in the test directory on drive e: (subdirectories excluded)
wmic datafile where "drive='e:' and path='\\test\\' and FileName='cc' and Extension='cmd'" list
★★Find cc.cmd files in all directories and subdirectories on drive e: whose size is larger than 1K
wmic datafile where "drive='e:' and FileName='cc' and Extension='cmd' and FileSize>'1000'" list
★★Delete .cmd files larger than 10M on drive e:
wmic datafile where "drive='e:' and Extension='cmd' and FileSize>'10000000'" call delete
★★Delete non-.cmd files in the test directory on drive e: (subdirectories excluded)
wmic datafile where "drive='e:' and Extension<>'cmd' and path='\\test\\'" call delete
★★Copy cc.cmd from the test directory on drive e: (subdirectories excluded) to e:\ and rename it aa.bat
wmic datafile where "drive='e:' and path='\\test\\' and FileName='cc' and Extension='cmd'" call copy "e:\aa.bat"
★★Rename c:\hello.txt to c:\test.txt
wmic datafile "c:\\hello.txt" call rename c:\test.txt
★★Find files on drive h: whose directory contains test, whose file name contains perl, and whose extension is txt
wmic datafile where "drive='h:' and extension='txt' and path like '%\\test\\%' and filename like '%perl%'" get name
★★Get the temp environment variable
wmic ENVIRONMENT where "name='temp'" get UserName,VariableValue
★★Change the value of the path environment variable, appending e:\tools
wmic ENVIRONMENT where "name='path' and username='<system>'" set VariableValue="%path%;e:\tools"
★★Add a system environment variable home with the value %HOMEDRIVE%%HOMEPATH%
wmic ENVIRONMENT create name="home",username="<system>",VariableValue="%HOMEDRIVE%%HOMEPATH%"
★★Delete the home environment variable
wmic ENVIRONMENT where "name='home'" delete
FSDIR - file system directory management
★★Find a directory named test on drive e:
wmic FSDIR where "drive='e:' and filename='test'" list
★★Delete all directories under e:\test except the directory abc
wmic FSDIR where "drive='e:' and path='\\test\\' and filename<>'abc'" call delete
★★Delete the c:\good folder
wmic fsdir "c:\\good" call delete
★★Rename the c:\good folder to abb
wmic fsdir "c:\\good" call rename "c:\abb"
LOGICALDISK - local storage device management
★★Get the file system, total size, free space, etc. of each disk
wmic LOGICALDISK get name,Description,filesystem,size,freespace
PROCESS - process management
★★List the core information of each process, similar to Task Manager
wmic process list brief
(aside: wmic startup list brief)
★★Terminate svchost.exe processes whose path is not C:\WINDOWS\system32\svchost.exe
wmic process where "name='svchost.exe' and ExecutablePath<>'C:\\WINDOWS\\system32\\svchost.exe'" call Terminate
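As an added example (not from the original post), the same svchost.exe path check done from PowerShell with Get-CimInstance, reporting rather than terminating, so it can be run as a hunting query on the local or a remote host. The function name, its parameters and the expected-path default are assumptions, not anything the post defines.

```powershell
# Added example: CIM-based equivalent of the wmic svchost.exe path check above.
# Assumptions: the expected binary is %SystemRoot%\System32\svchost.exe and the
# account running this can read Win32_Process on the target host.
function Find-MasqueradingProcess {
    param(
        [string]$Name = 'svchost.exe',
        [string]$ExpectedPath = (Join-Path $env:SystemRoot 'System32\svchost.exe'),
        [string]$ComputerName       # optional remote host, like wmic /node:
    )

    # Filter on the name in WQL, like the wmic "where" clause; the path is
    # compared in PowerShell, so its backslashes need no WQL escaping.
    $query = "SELECT ProcessId, ParentProcessId, Name, ExecutablePath, CommandLine " +
             "FROM Win32_Process WHERE Name = '$Name'"
    $cimArgs = @{ Query = $query }
    if ($ComputerName) { $cimArgs['ComputerName'] = $ComputerName }

    foreach ($p in Get-CimInstance @cimArgs) {
        if (-not $p.ExecutablePath) {
            # ExecutablePath is null when the caller cannot open the process
            # (protected or other-session processes from a non-elevated shell).
            # Report it as unknown rather than silently skipping it.
            $verdict = 'unknown: path not readable'
        } elseif ($p.ExecutablePath -ine $ExpectedPath) {
            # Case-insensitive comparison, because NTFS paths are.
            $verdict = 'unexpected path'
        } else {
            continue   # genuine System32 svchost.exe, nothing to report
        }
        [pscustomobject]@{
            ProcessId       = $p.ProcessId
            ParentProcessId = $p.ParentProcessId
            ExecutablePath  = $p.ExecutablePath
            CommandLine     = $p.CommandLine
            Verdict         = $verdict
        }
    }
}

# Local host; add -ComputerName <host> to query a remote machine over WMI.
Find-MasqueradingProcess | Format-Table -AutoSize
```

On 64-bit Windows a legitimate 32-bit copy also lives under SysWOW64, so treat hits as leads to review rather than as something to terminate automatically.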
★★Create a new notepad process
wmic process call create notepad
★★wmic: get process names and executable paths:
wmic process get name,executablepath
★★wmic: delete a specified process (by process name):
wmic process where name="qq.exe" call terminate, or alternatively: wmic process where name="qq.exe" delete
★★wmic: delete a specified process (by process PID):
wmic process where processid="123" delete
SERVICE - service management
★★View the service list
wmic service list brief
★★Start the spooler service
wmic SERVICE where name="Spooler" call startservice
★★Stop the spooler service
wmic SERVICE where name="Spooler" call stopservice
★★Pause the spooler service
wmic SERVICE where name="Spooler" call PauseService
★★Change the spooler service start type [auto|Disabled|Manual], i.e. [automatic|disabled|manual]
wmic SERVICE where name="Spooler" set StartMode="auto"
★★Delete a service
wmic SERVICE where name="test123" call delete
SHARE - shared resource management
★★Delete a share
wmic SHARE where name="e$" call delete
★★Add a share
WMIC SHARE CALL Create "","test","3","TestShareName","","c:\test",0
STARTUP - management of commands that run automatically when a user logs on to the system
★★View the startup items shown in msconfig
wmic STARTUP list
SYSDRIVER - management of the system drivers for base services
wmic SYSDRIVER list
★★Shut down the local computer
wmic process call create shutdown.exe
★★Restart a remote computer
wmic /node:192.168.1.10 /user:administrator /password:123456 process call create "shutdown.exe -r -f -m"
★★View the event logs enabled on the system
wmic nteventlog get path,filename,writeable
★★Clear the related logs (here: clear all of them)
wevtutil cl "windows powershell"
wevtutil cl "security"
wevtutil cl "system"
★★View the software installed on the system and its versions
wmic product get name,version
wmic product list brief
★★View detailed information about a specific process
wmic process where name="chrome.exe" list full
★★Get all registry values stored under HKCU that contain a password:
REG query HKCU /v "pwd" /s   (pwd can be replaced with password; HKCU can be replaced with HKCR)
★★Show the passwords of wireless networks the system has connected to before
netsh wlan show profiles
netsh wlan show profiles name="<profile name>" key=clear
★★Check whether the current system is running on VMware
wmic bios list full | find /i "vmware"
Reference: http://www.jb51.net/article/49987.htm