Windows权限提升指南<\/h1>

介绍<\/h2>
特权提升的核心在于正确的系统枚举。本指南提供了Windows系统权限提升的全面枚举方法，涵盖CMD和PowerShell两种方式。通过系统化的检查点，帮助渗透测试人员快速识别潜在的提权路径。<\/p>

操作系统信息枚举<\/h2>

系统基本信息<\/h3>
systeminfo
<\/span><\/span>wmic qfe
<\/span><\/span><\/code><\/pre>Get-ComputerInfo | select Windows*
<\/span><\/span>Get-HotFix | sort InstalledOn -Descending | ft HotFixID,InstalledOn,InstalledBy
<\/span><\/span><\/code><\/pre>环境变量<\/h3>
set<\/span>
<\/span><\/span><\/code><\/pre>Get-ChildItem Env:<\/span> | ft Key,Value
<\/span><\/span><\/code><\/pre>网络驱动器<\/h3>
net use
<\/span><\/span>wmic logicaldisk get caption,description,providername
<\/span><\/span><\/code><\/pre>Get-PSDrive | where {$_.Provider -like<\/span> "Microsoft.PowerShell.Core\FileSystem"<\/span>}| ft Name,Root
<\/span><\/span><\/code><\/pre>用户和权限枚举<\/h2>
当前用户<\/h3>
whoami
<\/span><\/span>echo<\/span> %USERNAME%
<\/span><\/span><\/code><\/pre>$env:UserName
<\/span><\/span><\/code><\/pre>用户权限<\/h3>
whoami \/priv
<\/span><\/span><\/code><\/pre>系统用户<\/h3>
net users
<\/span><\/span>dir<\/span> \/b \/ad "C:\Users\"<\/span>
<\/span><\/span>dir<\/span> \/b \/ad "C:\Documents and Settings\"<\/span>  # XP及以下
<\/span><\/span><\/code><\/pre>Get-LocalUser | ft Name,Enabled,LastLogon
<\/span><\/span>Get-ChildItem C:\Users -Force | select Name
<\/span><\/span><\/code><\/pre>登录会话<\/h3>
qwinsta
<\/span><\/span><\/code><\/pre>用户组<\/h3>
net localgroup
<\/span><\/span><\/code><\/pre>Get-LocalGroup | ft Name
<\/span><\/span><\/code><\/pre>管理员组成员<\/h3>
net localgroup Administrators
<\/span><\/span><\/code><\/pre>Get-LocalGroupMember Administrators | ft Name, PrincipalSource
<\/span><\/span><\/code><\/pre>自动登录凭证<\/h3>
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"<\/span> 2<\/span>>nul | findstr "DefaultUserName DefaultDomainName DefaultPassword"<\/span>
<\/span><\/span><\/code><\/pre>Get-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon'<\/span> | select "Default*"<\/span>
<\/span><\/span><\/code><\/pre>存储的凭证<\/h3>
cmdkey \/list
<\/span><\/span><\/code><\/pre>SAM和SYSTEM文件位置<\/h3>
%SYSTEMROOT%\repair\SAM
%SYSTEMROOT%\System32\config\RegBack\SAM
%SYSTEMROOT%\System32\config\RegBack\SAM
%SYSTEMROOT%\repair\system
%SYSTEMROOT%\System32\config\SYSTEM
%SYSTEMROOT%\System32\config\SYSTEM
<\/code><\/pre>
程序、进程和服务枚举<\/h2>
已安装软件<\/h3>
dir<\/span> \/a "C:\Program Files"<\/span>
<\/span><\/span>dir<\/span> \/a "C:\Program Files (x86)"<\/span>
<\/span><\/span>reg query HKEY_LOCAL_MACHINE\SOFTWARE
<\/span><\/span><\/code><\/pre>Get-ChildItem 'C:\Program Files'<\/span>, 'C:\Program Files (x86)'<\/span> | ft Parent,Name,LastWriteTime
<\/span><\/span>Get-ChildItem -path Registry::HKEY_LOCAL_MACHINE\SOFTWARE | ft Name
<\/span><\/span><\/code><\/pre>程序文件夹权限检查<\/h3>
icacls "C:\Program Files\*"<\/span> 2<\/span>>nul | findstr "(F)"<\/span> | findstr "Everyone"<\/span>
<\/span><\/span>icacls "C:\Program Files (x86)\*"<\/span> 2<\/span>>nul | findstr "(F)"<\/span> | findstr "Everyone"<\/span>
<\/span><\/span>icacls "C:\Program Files\*"<\/span> 2<\/span>>nul | findstr "(F)"<\/span> | findstr "BUILTIN\Users"<\/span>
<\/span><\/span>icacls "C:\Program Files (x86)\*"<\/span> 2<\/span>>nul | findstr "(F)"<\/span> | findstr "BUILTIN\Users"<\/span>
<\/span><\/span><\/code><\/pre>Get-ChildItem 'C:\Program Files\*'<\/span>,'C:\Program Files (x86)\*'<\/span> | % { try<\/span> { Get-Acl $_ -EA SilentlyContinue | Where {($_.Access|select -ExpandProperty IdentityReference) -match<\/span> 'Everyone'<\/span>} } catch<\/span> {}}
<\/span><\/span>Get-ChildItem 'C:\Program Files\*'<\/span>,'C:\Program Files (x86)\*'<\/span> | % { try<\/span> { Get-Acl $_ -EA SilentlyContinue | Where {($_.Access|select -ExpandProperty IdentityReference) -match<\/span> 'BUILTIN\Users'<\/span>} } catch<\/span> {}}
<\/span><\/span><\/code><\/pre>可写文件夹检查<\/h3>
accesschk.exe -qwsu "Everyone"<\/span> *
<\/span><\/span>accesschk.exe -qwsu "Authenticated Users"<\/span> *
<\/span><\/span>accesschk.exe -qwsu "Users"<\/span> *
<\/span><\/span><\/code><\/pre>进程和服务<\/h3>
tasklist \/svc
<\/span><\/span>tasklist \/v
<\/span><\/span>net start
<\/span><\/span>sc query
<\/span><\/span><\/code><\/pre>Get-WmiObject -Query "Select * from Win32_Process"<\/span> | where {$_.Name -notlike<\/span> "svchost*"<\/span>} | Select Name, Handle, @{Label="Owner"<\/span>;Expression={$_.GetOwner().User}} | ft -AutoSize
<\/span><\/span><\/code><\/pre>服务权限检查<\/h3>
accesschk.exe -uwcqv "Everyone"<\/span> *
<\/span><\/span>accesschk.exe -uwcqv "Authenticated Users"<\/span> *
<\/span><\/span>accesschk.exe -uwcqv "Users"<\/span> *
<\/span><\/span><\/code><\/pre>服务路径检查<\/h3>
wmic service get name,displayname,pathname,startmode 2<\/span>>nul |findstr \/i "Auto"<\/span> 2<\/span>>nul |findstr \/i \/v "C:\Windows\\"<\/span> 2<\/span>>nul |findstr \/i \/v """<\/span>
<\/span><\/span><\/code><\/pre>gwmi -class Win32_Service -Property Name, DisplayName, PathName, StartMode | Where {$_.StartMode -eq<\/span> "Auto"<\/span> -and<\/span> $_.PathName -notlike<\/span> "C:\Windows*"<\/span> -and<\/span> $_.PathName -notlike<\/span> '"*'<\/span>} | select PathName,DisplayName,Name
<\/span><\/span><\/code><\/pre>计划任务<\/h3>
schtasks \/query \/fo LIST 2<\/span>>nul | findstr TaskName
<\/span><\/span>dir<\/span> C:\windows\tasks
<\/span><\/span><\/code><\/pre>Get-ScheduledTask | where {$_.TaskPath -notlike<\/span> "\Microsoft*"<\/span>} | ft TaskName,TaskPath,State
<\/span><\/span><\/code><\/pre>启动项<\/h3>
wmic startup get caption,command
<\/span><\/span>reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
<\/span><\/span>reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
<\/span><\/span>reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run
<\/span><\/span>reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
<\/span><\/span>dir<\/span> "C:\Documents and Settings\All Users\Start Menu\Programs\Startup"<\/span>
<\/span><\/span>dir<\/span> "C:\Documents and Settings\<\/span>%username%\Start Menu\Programs\Startup"<\/span>
<\/span><\/span><\/code><\/pre>Get-CimInstance Win32_StartupCommand | select Name, command, Location, User | fl
<\/span><\/span>Get-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run'<\/span>
<\/span><\/span>Get-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce'<\/span>
<\/span><\/span>Get-ItemProperty -Path 'Registry::HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run'<\/span>
<\/span><\/span>Get-ItemProperty -Path 'Registry::HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce'<\/span>
<\/span><\/span>Get-ChildItem "C:\Users\All Users\Start Menu\Programs\Startup"<\/span>
<\/span><\/span>Get-ChildItem "C:\Users\$env:USERNAME\Start Menu\Programs\Startup"<\/span>
<\/span><\/span><\/code><\/pre>AlwaysInstallElevated检查<\/h3>
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer \/v AlwaysInstallElevated
<\/span><\/span>reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer \/v AlwaysInstallElevated
<\/span><\/span><\/code><\/pre>网络配置枚举<\/h2>
网络信息<\/h3>
ipconfig \/all
<\/span><\/span>route print
<\/span><\/span>arp -a
<\/span><\/span>netstat -ano
<\/span><\/span><\/code><\/pre>Get-NetIPConfiguration | ft InterfaceAlias,InterfaceDescription,IPv4Address
<\/span><\/span>Get-DnsClientServerAddress -AddressFamily IPv4 | ft
<\/span><\/span>Get-NetRoute -AddressFamily IPv4 | ft DestinationPrefix,NextHop,RouteMetric,ifIndex
<\/span><\/span>Get-NetNeighbor -AddressFamily IPv4 | ft ifIndex,IPAddress,LinkLayerAddress,State
<\/span><\/span><\/code><\/pre>Hosts文件<\/h3>
C:\WINDOWS\System32\drivers\etc\hosts
<\/code><\/pre>
防火墙配置<\/h3>
netsh firewall show state
<\/span><\/span>netsh firewall show config
<\/span><\/span>netsh advfirewall firewall show rule name=all
<\/span><\/span>netsh advfirewall export "firewall.txt"<\/span>
<\/span><\/span><\/code><\/pre>SNMP配置<\/h3>
reg query HKLM\SYSTEM\CurrentControlSet\Services\SNMP \/s
<\/span><\/span><\/code><\/pre>Get-ChildItem -path HKLM:<\/span>\SYSTEM\CurrentControlSet\Services\SNMP -Recurse
<\/span><\/span><\/code><\/pre>敏感信息搜索<\/h2>
注册表中的密码<\/h3>
reg query HKCU \/f password \/t REG_SZ \/s
<\/span><\/span>reg query HKLM \/f password \/t REG_SZ \/s
<\/span><\/span><\/code><\/pre>IIS配置<\/h3>
dir<\/span> \/a C:\inetpub\
<\/span><\/span>dir<\/span> \/s web.config
<\/span><\/span>C:\Windows\System32\inetsrv\config\applicationHost.config
<\/span><\/span><\/code><\/pre>Get-Childitem -Path C:\inetpub\ -Include web.config -File<\/span> -Recurse -ErrorAction SilentlyContinue
<\/span><\/span><\/code><\/pre>IIS日志<\/h3>
C:\inetpub\logs\LogFiles\W3SVC1\u_ex[YYMMDD].log
C:\inetpub\logs\LogFiles\W3SVC2\u_ex[YYMMDD].log
C:\inetpub\logs\LogFiles\FTPSVC1\u_ex[YYMMDD].log
C:\inetpub\logs\LogFiles\FTPSVC2\u_ex[YYMMDD].log
<\/code><\/pre>
Web服务器配置<\/h3>
dir<\/span> \/s php.ini httpd.conf httpd-xampp.conf my.ini my.cnf
<\/span><\/span><\/code><\/pre>Get-Childitem -Path C:\ -Include php.ini,httpd.conf,httpd-xampp.conf,my.ini,my.cnf -File<\/span> -Recurse -ErrorAction SilentlyContinue
<\/span><\/span><\/code><\/pre>日志文件<\/h3>
dir<\/span> \/s access.log error.log
<\/span><\/span><\/code><\/pre>Get-Childitem -Path C:\ -Include access.log,error.log -File<\/span> -Recurse -ErrorAction SilentlyContinue
<\/span><\/span><\/code><\/pre>敏感文件搜索<\/h3>
dir<\/span> \/s *pass* == *vnc* == *.config* 2<\/span>>nul
<\/span><\/span>findstr \/si password *.xml *.ini *.txt *.config 2<\/span>>nul
<\/span><\/span><\/code><\/pre>Get-Childitem -Path C:\Users\ -Include *password*,*vnc*,*.config -File<\/span> -Recurse -ErrorAction SilentlyContinue
<\/span><\/span>Get-ChildItem C:\* -include *.xml,*.ini,*.txt,*.config -Recurse -ErrorAction SilentlyContinue | Select-String -Pattern "password"<\/span>
<\/span><\/span><\/code><\/pre>总结<\/h2>
本指南提供了Windows系统权限提升的全面枚举方法，通过系统化的检查点，渗透测试人员可以快速识别潜在的提权路径。关键点包括：<\/p>

系统信息和补丁状态检查<\/li>
用户和权限枚举<\/li>
程序和服务配置检查<\/li>
网络配置分析<\/li>
敏感信息搜索<\/li>
<\/ol>
通过全面执行这些检查，可以大大提高发现权限提升漏洞的机会。<\/p>
Windows权限提升指南<\/h1>

介绍<\/h2> 特权提升的核心在于正确的系统枚举。本指南提供了Windows系统权限提升的全面枚举方法，涵盖CMD和PowerShell两种方式。通过系统化的检查点，帮助渗透测试人员快速识别潜在的提权路径。<\/p>

操作系统信息枚举<\/h2>

用户和权限枚举<\/h2>

程序、进程和服务枚举<\/h2>

网络配置枚举<\/h2>

敏感信息搜索<\/h2>

介绍<\/h2>
特权提升的核心在于正确的系统枚举。本指南提供了Windows系统权限提升的全面枚举方法，涵盖CMD和PowerShell两种方式。通过系统化的检查点，帮助渗透测试人员快速识别潜在的提权路径。<\/p>
