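Windows command: netsh
Penetration Testing Basics: Port Forwarding and Proxies - 嘶吼 RoarTalk, 4hou.com
Bind multiple IP addresses to a single network adapter on Windows:
netsh interface ip add address name="WLAN" 15.14.12.152 255.255.255.0
Sometimes the system's Winsock and TCP/IP protocol stack become corrupted for unknown reasons. Run the following commands in CMD with administrator privileges, then reboot: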
netsh interface ipv4 reset
netsh interface ipv6 reset
netsh winsock reset
Cleaning up EternalBlue
1.1 Run the following script to block port 445 and several related ports and prevent reinfection
netsh ipsec static delete policy name = SECCPP
netsh ipsec static add policy name = SECCPP description=安全策略201705
netsh ipsec static add filteraction name = Block action = block
netsh ipsec static add filterlist name = SECCPF
netsh ipsec static add filter filterlist = SECCPF srcaddr=Any dstaddr = Me dstport = 135 protocol = TCP
netsh ipsec static add filter filterlist = SECCPF srcaddr=Any dstaddr = Me dstport = 137 protocol = TCP
netsh ipsec static add filter filterlist = SECCPF srcaddr=Any dstaddr = Me dstport = 138 protocol = TCP
netsh ipsec static add filter filterlist = SECCPF srcaddr=Any dstaddr = Me dstport = 139 protocol = TCP
netsh ipsec static add filter filterlist = SECCPF srcaddr=Any dstaddr = Me dstport = 445 protocol = TCP
netsh ipsec static add filter filterlist = SECCPF srcaddr=Any dstaddr = Me dstport = 137 protocol = UDP
netsh ipsec static add filter filterlist = SECCPF srcaddr=Any dstaddr = Me dstport = 138 protocol = UDP
netsh ipsec static add rule name=SECCPR policy=SECCPP filterlist=SECCPF filteraction=Block
netsh ipsec static set policy name = SECCPP assign = y
pause
exit
Removing the processes and files of the EternalBlue WannaCry ransomware worm
Run the following script to remove them:
@echo off
>nul 2>&1 "%SYSTEMROOT%\system32\cacls.exe" "%SYSTEMROOT%\system32\config\system"
if '%errorlevel%' NEQ '0' (
goto UACPrompt
) else ( goto gotAdmin )
:UACPrompt
echo Set UAC = CreateObject^("Shell.Application"^) > "%temp%\getadmin.vbs"
echo UAC.ShellExecute "%~s0", "", "", "runas", 1 >> "%temp%\getadmin.vbs"
"%temp%\getadmin.vbs"
exit /B
:gotAdmin
if exist "%temp%\getadmin.vbs" ( del "%temp%\getadmin.vbs" )
cd /d "C:/Windows/"
taskkill /im mssecsvc.exe /f
taskkill /im tasksche.exe /f
del mssecsvc.exe /q
del qeriuwjhrf /q
del tasksche.exe /q
taskkill /im mssecsvc.exe /f
taskkill /im tasksche.exe /f
del mssecsvc.exe /q
del qeriuwjhrf /q
del tasksche.exe /q
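Enabling port forwarding
Client --> :33 Transit --> :22 Server
1. Port forwarding with netsh (requires administrator privileges; run on the relay server, Transit)
(1) Add the forwarding rule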
netsh interface portproxy add v4tov4 listenaddress=192.168.111.102 listenport=33 connectaddress=192.168.111.103 connectport=22
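(2) Add an inbound firewall rule
netsh advfirewall firewall add rule name="transit test" protocol=TCP dir=in localport=33 action=allow
Note: the default configuration allows outbound traffic and blocks inbound traffic, so only an inbound rule is needed here.
2. Port forwarding with iptables (run on the relay server, Transit)
(1) Enable forwarding
echo 1 >/proc/sys/net/ipv4/ip_forward
Note: this command takes effect immediately and is lost on reboot.
(2) Add the forwarding rules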
iptables -t nat -A PREROUTING -p tcp -d 192.168.111.102 --dport 33 -j DNAT --to-destination 192.168.111.103:22
iptables -t nat -A POSTROUTING -p tcp -d 192.168.111.103 --dport 22 -j SNAT --to-source 192.168.111.102
(3) View the forwarding rules
iptables -L -t nat --line-number
##
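1. Add a forward
netsh interface portproxy add v4tov4 <forward port> <target IP> <target port>
By default this listens on all local IP addresses (0.0.0.0).
Or:
netsh interface portproxy add v4tov4 listenaddress=<local IP> listenport=<forward port> connectaddress=<target IP> connectport=<target port>
2. View forwards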
netsh interface portproxy show all
3. Delete a forward
netsh interface portproxy delete v4tov4 listenport=<forward port>
Or:
netsh interface portproxy delete v4tov4 listenport=<forward port> listenaddress=<local IP>
Port forwarding (port mapping) with netsh from the Windows command line
1. First install IPv6 (on XP and 2003, IPv6 must be installed or port forwarding will not work!): netsh interface ipv6 install
2. View the forwarding configuration: netsh interface portproxy show all
3. Forward local port 22 to port 22 on 111.111.111.11: netsh interface portproxy add v4tov4 listenaddress=0.0.0.0 listenport=22 connectaddress=111.111.111.11 connectport=22
Delete the configuration: netsh interface portproxy delete v4tov4 listenaddress=0.0.0.0 listenport=22
Add a firewall rule allowing connections to port 22: netsh firewall set portopening protocol=tcp port=22 name=Forward mode=enable scope=all profile=all
The listenaddress parameter (for example listenaddress=192.168.193.1) can be omitted; if it is omitted, all local IP addresses are listened on.
Add: netsh interface portproxy add v4tov4 listenport=88 connectaddress=127.0.0.1 connectport=80
Delete: netsh interface portproxy delete v4tov4 listenport=88
Bulk add: for /l %i in (100,1,200) do @netsh interface portproxy add v4tov4 listenport=%i connectaddress=www.baidu.com connectport=80
Delete all: for /f "skip=5 tokens=2 " %i in ('netsh interface portproxy show all') do @netsh interface portproxy delete v4tov4 listenport=%i
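Added example (not part of the original notes): portproxy rules persist across reboots, so this Python snippet parses saved `netsh interface portproxy show all` output and lists the forwards a defender should review. The sample output is constructed, the English-locale layout is assumed, and `ADMIN_PORTS` is an illustrative choice.

```python
import ipaddress
import re

# Constructed sample of `netsh interface portproxy show all` output (English
# locale assumed); the three rules mirror forwards configured on this page.
SAMPLE = """
Listen on ipv4:             Connect to ipv4:

Address         Port        Address         Port
--------------- ----------  --------------- ----------
192.168.111.102 33          192.168.111.103 22
0.0.0.0         22          111.111.111.11  22
*               88          127.0.0.1       80
"""

ROW = re.compile(r"^(\S+)\s+(\d+)\s+(\S+)\s+(\d+)$")
ADMIN_PORTS = {22, 3389}  # assumption: the remote-access ports this page forwards

def parse_portproxy(text):
    """Return (listen_addr, listen_port, connect_addr, connect_port) tuples."""
    rows = (ROW.match(line.strip()) for line in text.splitlines())
    return [(m[1], int(m[2]), m[3], int(m[4])) for m in rows if m]

def reasons(rule):
    """Return why a defender would want to review this forwarding rule."""
    laddr, _lport, caddr, cport = rule
    out = []
    if laddr in ("*", "0.0.0.0"):  # "*" is shown when listenaddress was omitted
        out.append("listens on all interfaces")
    try:
        target = ipaddress.ip_address(caddr)
        if target.is_loopback:
            out.append("relays to a loopback service")
        elif not target.is_private:
            out.append("relays to a public address")
    except ValueError:
        out.append("relays to a hostname")  # e.g. connectaddress=www.baidu.com
    if cport in ADMIN_PORTS:
        out.append(f"targets remote-access port {cport}")
    return out

def review(text):
    """Map each rule that has at least one finding to its list of reasons."""
    return {r: reasons(r) for r in parse_portproxy(text) if reasons(r)}
```
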
Advanced Windows Firewall operations with netsh
// Add a firewall rule allowing TCP port 3389 through
netsh advfirewall firewall add rule name="Windows Security Port" dir=in action=allow protocol=TCP localport=3389
// Delete all inbound firewall rules for TCP port 8080
netsh advfirewall firewall delete rule name=all dir=in protocol=TCP localport=8080
// Reset the firewall policy to its default state
netsh advfirewall reset
// Turn the firewall off for all profiles
netsh advfirewall set allprofiles state off
// Set the default policy to block inbound and allow outbound
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound
// Forward data from local port 3389 to port 8080 on <public IP>
netsh interface portproxy add v4tov4 listenport=3389 connectaddress=<public IP> connectport=8080
// Change the forward on local port 3389 to port 9080 on <public IP>
netsh interface portproxy set v4tov4 listenport=3389 connectaddress=<public IP> connectport=9080
// Show all IPv4 port proxy parameters
netsh interface portproxy show v4tov4
// Delete the port forwarding configuration for local port 3389
netsh interface portproxy delete v4tov4 listenport=3389
Block a specific IP:
netsh advfirewall firewall add rule name="BLOCKDWS" dir=in interface=any action=block remoteip=111.221.29.177
netsh advfirewall firewall add rule name="BLOCKDWS" dir=out interface=any action=block remoteip=111.221.29.177
netsh advfirewall firewall add rule name="Remote Desktop Services" protocol=TCP dir=in localport=%port% action=allow
netsh advfirewall firewall add rule name="CMS RTSP" protocol=TCP dir=in localport=554 action=allow
netsh advfirewall firewall add rule name="EasyDarwin RTSP" protocol=TCP dir=in localport=8554 action=allow
Enabling the RDP service
reg add "hklm\system\currentcontrolset\control\terminal server" /f /v fDenyTSConnections /t REG_DWORD /d 0
netsh firewall set service remoteadmin enable
netsh firewall set service remotedesktop enable
Disabling Windows Firewall
netsh firewall set opmode disable
(1) Enable the desktop firewall
netsh advfirewall set allprofiles state on
(2) Set the default inbound and outbound policy
netsh advfirewall set allprofiles firewallpolicy allowinbound,allowoutbound
The command above sets both to allow; to deny instead, use blockinbound,blockoutbound.
(3) Block TCP port 139
netsh advfirewall firewall add rule name="deny tcp 139" dir=in protocol=tcp localport=139 action=block
(4) Block UDP port 139
netsh advfirewall firewall add rule name="deny udp 139" dir=in protocol=udp localport=139 action=block
(5) Block TCP port 445
netsh advfirewall firewall add rule name="deny tcp 445" dir=in protocol=tcp localport=445 action=block
(6) Block UDP port 445
netsh advfirewall firewall add rule name="deny udp 445" dir=in protocol=udp localport=445 action=block
(7) In the same way, block TCP ports 21, 22, 23, 137, 138, 3389, 5800 and 5900 in turn.
netsh advfirewall firewall add rule name="deny tcp 21" dir=in protocol=tcp localport=21 action=block
netsh advfirewall firewall add rule name="deny tcp 22" dir=in protocol=tcp localport=22 action=block
netsh advfirewall firewall add rule name="deny tcp 23" dir=in protocol=tcp localport=23 action=block
netsh advfirewall firewall add rule name="deny tcp 3389" dir=in protocol=tcp localport=3389 action=block
netsh advfirewall firewall add rule name="deny tcp 5800" dir=in protocol=tcp localport=5800 action=block
netsh advfirewall firewall add rule name="deny tcp 5900" dir=in protocol=tcp localport=5900 action=block
netsh advfirewall firewall add rule name="deny tcp 137" dir=in protocol=tcp localport=137 action=block
netsh advfirewall firewall add rule name="deny tcp 138" dir=in protocol=tcp localport=138 action=block
(8) Pause when the script has finished
pause
echo 按任意键退出
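Added example (not part of the original notes): a Python check, run over a saved `netsh advfirewall firewall show rule name=all` listing, that reports which inbound blocks from steps (3) to (7) are absent and which ports carry both an allow and a block rule (in Windows Firewall the block takes precedence). The sample listing is constructed and abbreviated, and the English-locale field names are an assumption.

```python
# Inbound blocks created by steps (3) to (7), as (protocol, port).
REQUIRED = {("TCP", p) for p in (21, 22, 23, 137, 138, 139, 445, 3389, 5800, 5900)}
REQUIRED |= {("UDP", 139), ("UDP", 445)}

# Constructed, abbreviated `netsh advfirewall firewall show rule name=all`
# listing (English locale assumed; real output has more fields per rule).
SAMPLE = """\
Rule Name:                            Windows Security Port
Enabled:                              Yes
Direction:                            In
Protocol:                             TCP
LocalPort:                            3389
Action:                               Allow

Rule Name:                            deny tcp 3389
Enabled:                              Yes
Direction:                            In
Protocol:                             TCP
LocalPort:                            3389
Action:                               Block
"""

def parse_rules(text):
    """Return one {field: value} dict per rule in the listing."""
    rules = []
    for line in text.splitlines():
        key, sep, value = (s.strip() for s in line.partition(":"))
        if sep and key == "Rule Name":
            rules.append({})
        if sep and rules:
            rules[-1][key] = value
    return rules

def inbound_ports(rules, action):
    """Return {(protocol, port)} covered by enabled inbound rules with this action."""
    found = set()
    for r in rules:
        if (r.get("Enabled"), r.get("Direction"), r.get("Action")) != ("Yes", "In", action):
            continue
        for part in r.get("LocalPort", "").split(","):
            lo, _, hi = part.strip().partition("-")  # "445" or a range like "5800-5900"
            if lo.isdigit():
                last = int(hi) if hi.isdigit() else int(lo)
                found |= {(r.get("Protocol"), p) for p in range(int(lo), last + 1)}
    return found

def audit(text, required=REQUIRED):
    """Report required blocks that are absent and allow rules that a block overrides."""
    blocked, allowed = (inbound_ports(parse_rules(text), a) for a in ("Block", "Allow"))
    return {"missing": sorted(required - blocked), "overridden_allow": sorted(allowed & blocked)}
```
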
2. Restoring the initial configuration
(1) Restore the initial firewall settings
netsh advfirewall reset
(2) Turn off the firewall
netsh advfirewall set allprofiles state off