
aliide.sys (aliide.sys missing)

Extended reading:

aliide.sys

It is a driver. Exactly which driver is unclear.


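We usually assume that a properly configured Windows is secure, but is that really the case? Today, let's follow the author of this article into the dark corners of the Windows operating system and see whether we can obtain SYSTEM privileges.

The author uses different versions of Windows to highlight any command-line differences that may exist. Keep in mind that differences between operating systems and versions show up on the command line; the author has tried to structure this tutorial so that it applies to Windows privilege escalation in the most general way.

Note: this article is fairly long; reading it takes about 10 minutes.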

Encyclopaedia Of Windows Privilege Escalation (Brett Moore)

Windows Attacks: AT is the new black (Chris Gates & Rob Fuller)

Elevating privileges by exploiting weak folder permissions (Parvez Anwar)

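Translator's note: the original author mentions meterpreter. We can compare meterpreter to sqlmap for SQL injection exploitation: once you have a meterpreter shell, you can enter the command getsystem to complete the privilege escalation automatically.

Stages t0-t3: initial information gathering

The starting point is a low-privilege shell, which may have been obtained through remote code execution, phishing, or a reverse connection.

At the very beginning, we want to quickly gather some basic information to assess our environment.

The first step is to identify the operating system we are connected to.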

C:\Windows\system32> systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
OS Name: Microsoft Windows 7 Professional
OS Version: 6.1.7601 Service Pack 1 Build 7601

Next, we look at the hostname and the user we are connected as.

C:\Windows\system32> hostname
b33f
C:\Windows\system32> echo %username%
user1

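Now that we have some basic information, we next list the other user accounts and view our own user's information in more detail.

Here we can see that user1 is not a member of the local Administrators group.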

C:\Windows\system32> net users
User accounts for \\B33F
-------------------------------------------------------------------------------
Administrator b33f Guest
user1
The command completed successfully.
C:\Windows\system32> net user user1
User name user1
Full Name
Comment
User's comment
Country code 000 (System Default)
Account active Yes
Account expires Never
Password last set 1/11/2014 7:47:14 PM
Password expires Never
Password changeable 1/11/2014 7:47:14 PM
Password required Yes
User may change password Yes
Workstations allowed All
Logon script
User profile
Home directory
Last logon 1/11/2014 8:05:09 PM
Logon hours allowed All
Local Group Memberships *Users
Global Group memberships *None
The command completed successfully.

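That is all we need to know about users and permissions for the moment. Next we turn to networking: what the machine is connected to and what rules apply to those connections.

First, let's look at the available network interfaces and the routing table.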

C:\Windows\system32> ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : b33f
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
Ethernet adapter Bluetooth Network Connection:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Bluetooth Device (Personal Area Network)
Physical Address. . . . . . . . . : 0C-84-DC-62-60-29
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
Physical Address. . . . . . . . . : 00-0C-29-56-79-35
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::5cd4:9caf:61c0:ba6e%11(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.0.104(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Saturday, January 11, 2014 3:53:55 PM
Lease Expires . . . . . . . . . . : Sunday, January 12, 2014 3:53:55 PM
Default Gateway . . . . . . . . . : 192.168.0.1
DHCP Server . . . . . . . . . . . : 192.168.0.1
DHCPv6 IAID . . . . . . . . . . . : 234884137
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-18-14-24-1D-00-0C-29-56-79-35
DNS Servers . . . . . . . . . . . : 192.168.0.1
NetBIOS over Tcpip. . . . . . . . : Enabled
C:\Windows\system32> route print
===========================================================================
Interface List
18...0c 84 dc 62 60 29 ......Bluetooth Device (Personal Area Network)
13...00 ff 0c 0d 4f ed ......TAP-Windows Adapter V9
11...00 0c 29 56 79 35 ......Intel(R) PRO/1000 MT Network Connection
1........................Software Loopback Interface 1
16…00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
15…00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
19…00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
14…00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
===========================================================================
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.0.1 192.168.0.104 10
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
192.168.0.0 255.255.255.0 On-link 192.168.0.104 266
192.168.0.104 255.255.255.255 On-link 192.168.0.104 266
192.168.0.255 255.255.255.255 On-link 192.168.0.104 266
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 192.168.0.104 266
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 192.168.0.104 266
===========================================================================
Persistent Routes:
None
IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
14 58 ::/0 On-link
1 306 ::1/128 On-link
14 58 2001::/32 On-link
14 306 2001:0:5ef5:79fb:8d2:b4e:3f57:ff97/128
On-link
11 266 fe80::/64 On-link
14 306 fe80::/64 On-link
14 306 fe80::8d2:b4e:3f57:ff97/128
On-link
11 266 fe80::5cd4:9caf:61c0:ba6e/128
On-link
1 306 ff00::/8 On-link
14 306 ff00::/8 On-link
11 266 ff00::/8 On-link
===========================================================================
Persistent Routes:
None

arp -A displays the ARP (Address Resolution Protocol) cache table for all available interfaces.

C:\Windows\system32> arp -A
Interface: 192.168.0.104 --- 0xb
Internet Address Physical Address Type
192.168.0.1 90-94-e4-c5-b0-46 dynamic
192.168.0.101 ac-22-0b-af-bb-43 dynamic
192.168.0.255 ff-ff-ff-ff-ff-ff static
224.0.0.22 01-00-5e-00-00-16 static
224.0.0.251 01-00-5e-00-00-fb static
224.0.0.252 01-00-5e-00-00-fc static
239.255.255.250 01-00-5e-7f-ff-fa static
255.255.255.255 ff-ff-ff-ff-ff-ff static

That brings us to the active network connections and the firewall rules.

C:\Windows\system32> netstat -ano
Active Connections
Proto Local Address Foreign Address State PID
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 684
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:5357 0.0.0.0:0 LISTENING 4
TCP 127.0.0.1:5354 0.0.0.0:0 LISTENING 1400
TCP 192.168.0.104:139 0.0.0.0:0 LISTENING 4
TCP [::]:135 [::]:0 LISTENING 684
TCP [::]:445 [::]:0 LISTENING 4
TCP [::]:5357 [::]:0 LISTENING 4
UDP 0.0.0.0:5355 *:* 1100
UDP 0.0.0.0:52282 *:* 976
UDP 0.0.0.0:55202 *:* 2956
UDP 0.0.0.0:59797 *:* 1400
UDP 127.0.0.1:1900 *:* 2956
UDP 127.0.0.1:65435 *:* 2956
UDP 192.168.0.104:137 *:* 4
UDP 192.168.0.104:138 *:* 4
UDP 192.168.0.104:1900 *:* 2956
UDP 192.168.0.104:5353 *:* 1400
UDP 192.168.0.104:65434 *:* 2956
UDP [::]:5355 *:* 1100
UDP [::]:52281 *:* 976
UDP [::]:52283 *:* 976
UDP [::]:55203 *:* 2956
UDP [::]:59798 *:* 1400
UDP [::1]:1900 *:* 2956
UDP [::1]:5353 *:* 1400
UDP [::1]:65433 *:* 2956
UDP [fe80::5cd4:9caf:61c0:ba6e%11]:1900 *:* 2956
UDP [fe80::5cd4:9caf:61c0:ba6e%11]:65432 *:* 2956

The following two netsh commands are examples of commands that differ between operating systems.

The netsh firewall commands are only available from XP SP2 onward.

C:\Windows\system32> netsh firewall show state
Firewall status:
-------------------------------------------------------------------
Profile = Standard
Operational mode = Enable
Exception mode = Enable
Multicast/broadcast response mode = Enable
Notification mode = Enable
Group policy version = Windows Firewall
Remote admin mode = Disable
Ports currently open on all network interfaces:
Port Protocol Version Program
-------------------------------------------------------------------
No ports are currently open on all network interfaces.
C:\Windows\system32> netsh firewall show config
Domain profile configuration:
-------------------------------------------------------------------
Operational mode = Enable
Exception mode = Enable
Multicast/broadcast response mode = Enable
Notification mode = Enable
Allowed programs configuration for Domain profile:
Mode Traffic direction Name / Program
-------------------------------------------------------------------
Port configuration for Domain profile:
Port Protocol Mode Traffic direction Name
-------------------------------------------------------------------
ICMP configuration for Domain profile:
Mode Type Description
-------------------------------------------------------------------
Enable 2 Allow outbound packet too big
Standard profile configuration (current):
-------------------------------------------------------------------
Operational mode = Enable
Exception mode = Enable
Multicast/broadcast response mode = Enable
Notification mode = Enable
Service configuration for Standard profile:
Mode Customized Name
-------------------------------------------------------------------
Enable No Network Discovery
Allowed programs configuration for Standard profile:
Mode Traffic direction Name / Program
-------------------------------------------------------------------
Enable Inbound COMRaider / E:\comraider\comraider.exe
Enable Inbound nc.exe / C:\users\b33f\desktop\nc.exe
Port configuration for Standard profile:
Port Protocol Mode Traffic direction Name
-------------------------------------------------------------------
ICMP configuration for Standard profile:
Mode Type Description
-------------------------------------------------------------------
Enable 2 Allow outbound packet too big
Log configuration:
-------------------------------------------------------------------
File location = C:\Windows\system32\LogFiles\Firewall\pfirewall.log
Max file size = 4096 KB
Dropped packets = Disable
Connections = Disable
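
The firewall output above lists per-profile program exceptions, including two for binaries outside the system directories. The following added example (not from the original article) parses that output during a host audit and reports enabled inbound exceptions whose program path is outside an assumed set of administrator-controlled directories; `TRUSTED_ROOTS`, the function names and the spoolsv.exe sample line are assumptions of this example.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: a shortened copy of the `netsh firewall show config`
# output shown above (separator lines omitted). The spoolsv.exe rule is not
# on the page; it is added here as a contrasting, expected-location entry.
SAMPLE = r"""
Domain profile configuration:
Operational mode = Enable
Allowed programs configuration for Domain profile:
Mode Traffic direction Name / Program
Port configuration for Domain profile:
Standard profile configuration (current):
Operational mode = Enable
Allowed programs configuration for Standard profile:
Mode Traffic direction Name / Program
Enable Inbound COMRaider / E:\comraider\comraider.exe
Enable Inbound nc.exe / C:\users\b33f\desktop\nc.exe
Enable Inbound Print Spooler / C:\Windows\system32\spoolsv.exe
Port configuration for Standard profile:
"""

# Assumption: only these directories are treated as administrator-controlled.
# This is a path check only; it does not inspect the ACLs on the files.
TRUSTED_ROOTS = (r"C:\Windows", r"C:\Program Files", r"C:\Program Files (x86)")

SECTION = re.compile(r"^Allowed programs configuration for (\w+) profile:$")
RULE = re.compile(r"^(Enable|Disable)\s+(Inbound|Outbound)\s+(.+?)\s+/\s+([A-Za-z]:\\.+)$")

def parse_allowed_programs(text):
    """Return one dict per allowed-program rule, tagged with its profile."""
    rules, profile = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION.match(line)
        if m:
            profile = m.group(1)
            continue
        if line.endswith(":"):      # any other section header ends the rule list
            profile = None
            continue
        m = RULE.match(line) if profile else None
        if m:
            mode, direction, name, path = m.groups()
            rules.append({"profile": profile, "enabled": mode == "Enable",
                          "direction": direction, "name": name, "path": path})
    return rules

def is_trusted(path):
    """Case-insensitive, component-wise prefix match against TRUSTED_ROOTS."""
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    for root in TRUSTED_ROOTS:
        root_parts = [p.lower() for p in PureWindowsPath(root).parts]
        if parts[:len(root_parts)] == root_parts:
            return True
    return False

def risky_exceptions(text):
    """Enabled inbound exceptions for programs outside the trusted roots."""
    return [r for r in parse_allowed_programs(text)
            if r["enabled"] and r["direction"] == "Inbound"
            and not is_trusted(r["path"])]

if __name__ == "__main__":
    for r in risky_exceptions(SAMPLE):
        print(f'{r["profile"]}: {r["name"]} -> {r["path"]}')
```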

Finally, we take a brief look at what is running on this machine: scheduled tasks, running processes, started services and installed drivers.

This displays verbose output for all scheduled tasks; below you can see sample output for a single task.

C:\Windows\system32> schtasks /query /fo LIST /v
Folder: \Microsoft\Windows Defender
HostName: B33F
TaskName: \Microsoft\Windows Defender\MP Scheduled Scan
Next Run Time: 1/22/2014 5:11:13 AM
Status: Ready
Logon Mode: Interactive/Background
Last Run Time: N/A
Last Result: 1
Author: N/A
Task To Run: c:\program files\windows defender\MpCmdRun.exe Scan -ScheduleJob
-WinTask -RestrictPrivilegesScan
Start In: N/A
Comment: Scheduled Scan
Scheduled Task State: Enabled
Idle Time: Only Start If Idle for 1 minutes, If Not Idle Retry For 240 minutes
Power Management: No Start On Batteries
Run As User: SYSTEM
Delete Task If Not Rescheduled: Enabled
Stop Task If Runs X Hours and X Mins: 72:00:00
Schedule: Scheduling data is not available in this format.
Schedule Type: Daily
Start Time: 5:11:13 AM
Start Date: 1/1/2000
End Date: 1/1/2100
Days: Every 1 day(s)
Months: N/A
Repeat: Every: Disabled
Repeat: Until: Time: Disabled
Repeat: Until: Duration: Disabled
Repeat: Stop If Still Running: Disabled
[..Snip..]
# The tasklist command displays the running processes and the started services.
C:\Windows\system32> tasklist /SVC
Image Name PID Services
========================= ======== ============================================
System Idle Process 0 N/A
System 4 N/A
smss.exe 244 N/A
csrss.exe 332 N/A
csrss.exe 372 N/A
wininit.exe 380 N/A
winlogon.exe 428 N/A
services.exe 476 N/A
lsass.exe 484 SamSs
lsm.exe 496 N/A
svchost.exe 588 DcomLaunch, PlugPlay, Power
svchost.exe 668 RpcEptMapper, RpcSs
svchost.exe 760 Audiosrv, Dhcp, eventlog,
HomeGroupProvider, lmhosts, wscsvc
svchost.exe 800 AudioEndpointBuilder, CscService, Netman,
SysMain, TrkWks, UxSms, WdiSystemHost,
wudfsvc
svchost.exe 836 AeLookupSvc, BITS, gpsvc, iphlpsvc,
LanmanServer, MMCSS, ProfSvc, Schedule,
seclogon, SENS, ShellHWDetection, Themes,
Winmgmt, wuauserv
audiodg.exe 916 N/A
svchost.exe 992 EventSystem, fdPHost, netprofm, nsi,
WdiServiceHost, WinHttpAutoProxySvc
svchost.exe 1104 CryptSvc, Dnscache, LanmanWorkstation,
NlaSvc
spoolsv.exe 1244 Spooler
svchost.exe 1272 BFE, DPS, MpsSvc
mDNSResponder.exe 1400 Bonjour Service
taskhost.exe 1504 N/A
taskeng.exe 1556 N/A
vmtoolsd.exe 1580 VMTools
dwm.exe 1660 N/A
explorer.exe 1668 N/A
vmware-usbarbitrator.exe 1768 VMUSBArbService
TPAutoConnSvc.exe 1712 TPAutoConnSvc
[..Snip..]
C:\Windows\system32> net start
These Windows services are started:
Application Experience
Application Information
Background Intelligent Transfer Service
Base Filtering Engine
Bluetooth Support Service
Bonjour Service
COM+ Event System
COM+ System Application
Cryptographic Services
DCOM Server Process Launcher
Desktop Window Manager Session Manager
DHCP Client
Diagnostic Policy Service
Diagnostic Service Host
Diagnostic System Host
Distributed Link Tracking Client
Distributed Transaction Coordinator
DNS Client
Function Discovery Provider Host
Function Discovery Resource Publication
Group Policy Client
[..Snip..]
# DRIVERQUERY is sometimes useful, because some third-party drivers, even from reputable companies, have more holes than Swiss cheese. This is possible because ring0 exploitation lies outside most people's expertise.
C:\Windows\system32> DRIVERQUERY
Module Name Display Name Driver Type Link Date
============ ====================== ============= ======================
1394ohci 1394 OHCI Compliant Ho Kernel 11/20/2010 6:01:11 PM
ACPI Microsoft ACPI Driver Kernel 11/20/2010 4:37:52 PM
AcpiPmi ACPI Power Meter Drive Kernel 11/20/2010 4:47:55 PM
adp94xx adp94xx Kernel 12/6/2008 7:59:55 AM
adpahci adpahci Kernel 5/2/2007 1:29:26 AM
adpu320 adpu320 Kernel 2/28/2007 8:03:08 AM
AFD Ancillary Function Dri Kernel 11/20/2010 4:40:00 PM
agp440 Intel AGP Bus Filter Kernel 7/14/2009 7:25:36 AM
aic78xx aic78xx Kernel 4/12/2006 8:20:11 AM
aliide aliide Kernel 7/14/2009 7:11:17 AM
amdagp AMD AGP Bus Filter Dri Kernel 7/14/2009 7:25:36 AM
amdide amdide Kernel 7/14/2009 7:11:19 AM
AmdK8 AMD K8 Processor Drive Kernel 7/14/2009 7:11:03 AM
AmdPPM AMD Processor Driver Kernel 7/14/2009 7:11:03 AM
amdsata amdsata Kernel 3/19/2010 9:08:27 AM
amdsbs amdsbs Kernel 3/21/2009 2:35:26 AM
amdxata amdxata Kernel 3/20/2010 12:19:01 AM
AppID AppID Driver Kernel 11/20/2010 5:29:48 PM
arc arc Kernel 5/25/2007 5:31:06 AM
[..Snip..]
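
The `netstat -ano` output shown earlier gives only PIDs, while `tasklist /SVC` above maps PIDs to images and services. The following added example (not from the original article) joins the two to build a listener inventory for a host review; the function names are assumptions of this example, and a PID missing from the process snapshot is reported as `<unknown>`.

```python
import re

# Constructed samples: a few lines copied from the `netstat -ano` and
# `tasklist /SVC` output above, including one wrapped service list (PID 760).
NETSTAT = """\
Proto Local Address Foreign Address State PID
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 684
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
TCP 127.0.0.1:5354 0.0.0.0:0 LISTENING 1400
TCP [::]:445 [::]:0 LISTENING 4
UDP 192.168.0.104:5353 *:* 1400
UDP [::1]:5353 *:* 1400
"""
TASKLIST = """\
Image Name PID Services
========================= ======== ============================================
System 4 N/A
svchost.exe 760 Audiosrv, Dhcp, eventlog,
HomeGroupProvider, lmhosts, wscsvc
mDNSResponder.exe 1400 Bonjour Service
"""

PROC = re.compile(r"^(?P<image>.+?)\s+(?P<pid>\d+)\s+(?P<svcs>\S.*)$")

def parse_tasklist(text):
    """Map PID -> (image name, [services]); wrapped service lines are merged."""
    procs, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("="):
            continue
        m = PROC.match(line)
        if m:
            current = int(m.group("pid"))
            procs[current] = (m.group("image"), [])
            line = m.group("svcs")
        elif current is None:
            continue                  # header line before the first process
        procs[current][1].extend(
            s.strip() for s in line.split(",") if s.strip() not in ("", "N/A"))
    return procs

def parse_netstat(text):
    """Return listening TCP and bound UDP sockets from `netstat -ano` output."""
    socks = []
    for raw in text.splitlines():
        f = raw.split()
        if len(f) < 4 or f[0] not in ("TCP", "UDP"):
            continue
        if f[0] == "TCP" and f[3] != "LISTENING":
            continue
        addr, port = f[1].rsplit(":", 1)   # also splits bracketed IPv6 correctly
        socks.append({"proto": f[0], "addr": addr, "port": int(port), "pid": int(f[-1]),
                      "loopback": addr.startswith("127.") or addr == "[::1]"})
    return socks

def listener_inventory(netstat_text, tasklist_text):
    """Attach image name and services to each socket; unseen PIDs stay '<unknown>'."""
    procs = parse_tasklist(tasklist_text)
    rows = []
    for s in parse_netstat(netstat_text):
        image, services = procs.get(s["pid"], ("<unknown>", []))
        rows.append({**s, "image": image, "services": services})
    return rows

def exposed(rows):
    """Distinct (proto, port, image) for sockets not bound to loopback only."""
    return sorted({(r["proto"], r["port"], r["image"]) for r in rows if not r["loopback"]})
```

An `<unknown>` owner means the two snapshots were taken at different times or the process list was truncated, so both commands should be captured together.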

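Stage t4: the arcane art of WMIC

WMIC (Windows Management Instrumentation Command-Line) is one of the most useful Windows command-line tools.

WMIC is very practical for information gathering and penetration testing, and its output has a lot to offer. Fully explaining the use of WMIC would require a tutorial of its own, and because of formatting issues some WMIC output is hard to display.

Two articles on WMIC that are well worth reading are listed below:

Command-Line Ninjitsu (SynJunkie)
Windows WMIC Command Line (ComputerHope)

Some default configurations of Windows do not allow access to WMIC unless the user is in the Administrators group. From testing in virtual machines, low-privilege users on any version of Windows XP cannot access WMIC. In contrast, default installations of Windows 7 Professional and Windows 8 Enterprise allow low-privilege users to access WMIC and query the operating system version.

This is exactly what we need, since we are using WMIC to gather information about the target machine. The available WMIC command-line options are listed below: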

C:\Windows\system32> wmic /?
[global switches]
The following global switches are available:
/NAMESPACE Path for the namespace the alias operate against.
/ROLE Path for the role containing the alias definitions.
/NODE Servers the alias will operate against.
/IMPLEVEL Client impersonation level.
/AUTHLEVEL Client authentication level.
/LOCALE Language id the client should use.
/PRIVILEGES Enable or disable all privileges.
/TRACE Outputs debugging information to stderr.
/RECORD Logs all input commands and output.
/INTERACTIVE Sets or resets the interactive mode.
/FAILFAST Sets or resets the FailFast mode.
/USER User to be used during the session.
/PASSWORD Password to be used for session login.
/OUTPUT Specifies the mode for output redirection.
/APPEND Specifies the mode for output redirection.
/AGGREGATE Sets or resets aggregate mode.
/AUTHORITY Specifies the for the connection.
/?[:<BRIEF|FULL>] Usage information.
For more information on a specific global switch, type: switch-name /?
The following alias/es are available in the current role:
ALIAS – Access to the aliases available on the local system
BASEBOARD – Base board (also known as a motherboard or system board) management.
BIOS – Basic input/output services (BIOS) management.
BOOTCONFIG – Boot configuration management.
CDROM – CD-ROM management.
COMPUTERSYSTEM – Computer system management.
CPU – CPU management.
CSPRODUCT – Computer system product information from SMBIOS.
DATAFILE – DataFile Management.
DCOMAPP – DCOM Application management.
DESKTOP – User’s Desktop management.
DESKTOPMONITOR – Desktop Monitor management.
DEVICEMEMORYADDRESS – Device memory addresses management.
DISKDRIVE – Physical disk drive management.
DISKQUOTA – Disk space usage for NTFS volumes.
DMACHANNEL – Direct memory access (DMA) channel management.
ENVIRONMENT – System environment settings management.
FSDIR – Filesystem directory entry management.
GROUP – Group account management.
IDECONTROLLER – IDE Controller management.
IRQ – Interrupt request line (IRQ) management.
JOB – Provides access to the jobs scheduled using the schedule service.
LOADORDER – Management of system services that define execution dependencies.
LOGICALDISK – Local storage device management.
LOGON – LOGON Sessions.
MEMCACHE – Cache memory management.
MEMORYCHIP – Memory chip information.
MEMPHYSICAL – Computer system’s physical memory management.
NETCLIENT – Network Client management.
NETLOGIN – Network login information (of a particular user) management.
NETPROTOCOL – Protocols (and their network characteristics) management.
NETUSE – Active network connection management.
NIC – Network Interface Controller (NIC) management.
NICCONFIG – Network adapter management.
NTDOMAIN – NT Domain management.
NTEVENT – Entries in the NT Event Log.
NTEVENTLOG – NT eventlog file management.
ONBOARDDEVICE – Management of common adapter devices built into the motherboard (system board).
OS – Installed Operating System/s management.
PAGEFILE – Virtual memory file swapping management.
PAGEFILESET – Page file settings management.
PARTITION – Management of partitioned areas of a physical disk.
PORT – I/O port management.
PORTCONNECTOR – Physical connection ports management.
PRINTER – Printer device management.
PRINTERCONFIG – Printer device configuration management.
PRINTJOB – Print job management.
PROCESS – Process management.
PRODUCT – Installation package task management.
QFE – Quick Fix Engineering.
QUOTASETTING – Setting information for disk quotas on a volume.
RDACCOUNT – Remote Desktop connection permission management.
RDNIC – Remote Desktop connection management on a specific network adapter.
RDPERMISSIONS – Permissions to a specific Remote Desktop connection.
RDTOGGLE – Turning Remote Desktop listener on or off remotely.
RECOVEROS – Information that will be gathered from memory when the operating system fails.
REGISTRY – Computer system registry management.
SCSICONTROLLER – SCSI Controller management.
SERVER – Server information management.
SERVICE – Service application management.
SHADOWCOPY – Shadow copy management.
SHADOWSTORAGE – Shadow copy storage area management.
SHARE – Shared resource management.
SOFTWAREELEMENT – Management of the elements of a software product installed on a system.
SOFTWAREFEATURE – Management of software product subsets of SoftwareElement.
SOUNDDEV – Sound Device management.
STARTUP – Management of commands that run automatically when users log onto the computer
system.
SYSACCOUNT – System account management.
SYSDRIVER – Management of the system driver for a base service.
SYSTEMENCLOSURE – Physical system enclosure management.
SYSTEMSLOT – Management of physical connection points including ports, slots and
peripherals, and proprietary connections points.
TAPEDRIVE – Tape drive management.
TEMPERATURE – Data management of a temperature sensor (electronic thermometer).
TIMEZONE – Time zone data management.
UPS – Uninterruptible power supply (UPS) management.
USERACCOUNT – User account management.
VOLTAGE – Voltage sensor (electronic voltmeter) data management.
VOLUME – Local storage volume management.
VOLUMEQUOTASETTING – Associates the disk quota setting with a specific disk volume.
VOLUMEUSERQUOTA – Per user storage volume quota management.
WMISET – WMI service operational parameters management.
For more information on a specific alias, type: alias /?
CLASS – Escapes to full WMI schema.
PATH – Escapes to full WMI object paths.
CONTEXT – Displays the state of all the global switches.
QUIT/EXIT – Exits the program.
For more information on CLASS/PATH/CONTEXT, type: (CLASS | PATH | CONTEXT) /?

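To simplify things, I have created a script that can be run on the target machine and uses WMIC to extract the following information: processes, services, user accounts, user groups, network interfaces, hard drive information, network share information, installed Windows patches, programs that run at startup, the list of installed software, operating system and timezone information.

Valuable information is extracted through the various flags and parameters; if anyone wants something added to the list, please leave a comment below. Using the built-in output features, the script writes all results to a human-readable HTML file.

Script: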

http://www.fuzzysecurity.com/tutorials/files/wmic_info.rar

Output page:

http://www.fuzzysecurity.com/tutorials/files/Win7.html

That is all for today. Did everyone follow? In the next installment we will continue with more on the fundamentals of Windows privilege escalation, so stay tuned.

Related knowledge:

aliide.sys

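Download 360 Safeguard, run a checkup and a repair, and it will be fine. My computer could never shut down; after downloading it, although startup became a bit slower, everything else went back to normal.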

aliide.sys

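When this appears, it means a system file has been corrupted.
Solution:
1. Try copying the aliide.sys file from another Win7 computer and fix the problem by replacing the file.
2. If replacing the file still does not fix it, the only option is to reinstall the system.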

aliide.sys

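Hello!
On a Windows 7 system you can repeatedly press F8 to get in; after the repair there is an option that lets you browse to folders. Insert a USB drive and copy the file over from someone else's computer.
This is only my personal opinion; please don't flame me if you disagree. Thanks.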

Original article. Author: 九賢生活小編. If reposting, please credit the source: http://cxzzxj.cn/17494.html
