Category archive: Windows

Windows

How to change Registry Permissions with RegIni.exe (VBScript)

Today I’ll show how we can set the following permissions on a registry key with RegIni.exe and a VBScript:

– Creator Owner Full Control
– Users Full Control
– Power Users Full Control
– Administrators Full Control
– System Full Control

I will set the permissions here for testing purposes:

– HKEY_CLASSES_ROOT\AlejaCMaTypelib
– HKEY_LOCAL_MACHINE\Software\AlejaCMaCo\AlejaCMaApp

And for that I will need to create a special regini.exe script which will have the following contents:

HKEY_LOCAL_MACHINE\Software\Classes\AlejaCMaTypelib [1 5 7 11 17]
HKEY_LOCAL_MACHINE\Software\AlejaCMaCo\AlejaCMaApp [1 5 7 11 17]

Notes:
– With regini.exe I won't be able to set Users Full Control, only Everyone Full Control.
– HKEY_CLASSES_ROOT = HKEY_LOCAL_MACHINE\Software\Classes
Continue reading
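As an added example that is not part of the post, the PowerShell below writes the regini script shown above for the two keys, runs regini.exe, and then reads back through Get-Acl which identities actually received Full Control. The output file location is an assumption. The read-back matters because access number 7 is World, i.e. Everyone: after the script is applied any local account can rewrite these machine-wide keys, so it is worth confirming that this was granted on purpose.

```powershell
# Added example (not from the original post): generate the regini script for the
# keys above, apply it, and audit who ended up with Full Control.
# Access numbers as documented for regini.exe: 1 Administrators Full,
# 5 Creator Owner Full, 7 World (Everyone) Full, 11 Power Users Full, 17 System Full.
$keys = @(
    'HKEY_LOCAL_MACHINE\Software\Classes\AlejaCMaTypelib',
    'HKEY_LOCAL_MACHINE\Software\AlejaCMaCo\AlejaCMaApp'
)
$access  = '[1 5 7 11 17]'
$iniPath = Join-Path $env:TEMP 'AlejaCMa-perms.ini'   # assumed output location

# regini syntax: one key per line followed by the bracketed access list.
$keys | ForEach-Object { "$_ $access" } | Set-Content -Path $iniPath -Encoding Ascii

# Apply the script (needs an elevated prompt, regini writes to HKLM).
& regini.exe $iniPath
if ($LASTEXITCODE -ne 0) { throw "regini.exe failed with exit code $LASTEXITCODE" }

function Get-FullControlGrants {
    param([string]$RegIniKey)
    # Get-Acl works on provider paths, so translate the regini form to HKLM:\...
    $psPath = $RegIniKey -replace '^HKEY_LOCAL_MACHINE\\', 'HKLM:\'
    if (-not (Test-Path -Path $psPath)) { return @() }
    (Get-Acl -Path $psPath).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and $_.RegistryRights -eq 'FullControl' } |
        ForEach-Object { $_.IdentityReference.Value }
}

foreach ($key in $keys) {
    $grants = Get-FullControlGrants -RegIniKey $key
    "$key"
    $grants | ForEach-Object { "    Full Control: $_" }
    # regini's 7 is World, which shows up as Everyone: every local user can now rewrite this key.
    if ($grants -contains 'Everyone') { "    note: Everyone has Full Control on this machine-wide key" }
}
```

Get-Acl reports the identities in their resolved form (BUILTIN\Administrators, CREATOR OWNER, Everyone, BUILTIN\Power Users, NT AUTHORITY\SYSTEM), which is the quickest way to see that "Users" was not among them, as the note above says.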

Removing the "undead zombie" webshell: fixing "Error deleting file or folder: cannot delete, the specified file could not be found"


Today a customer's website was infected. I downloaded the so-called trojan file from FTP and ran it locally; it generated a file named com7.h.asp that could not be deleted from the graphical interface no matter what. The prompt read "Error deleting file or folder: cannot delete com7.h: The specified file could not be found." This is in fact a webshell made undeletable by using a reserved system file name.


On Windows, a file or folder cannot normally be given any of the following names:
aux|prn|con|nul|com1|com2|com3|com4|com5|com6|com7|com8|com9|lpt1|lpt2|lpt3|lpt4|lpt5|lpt6|lpt7|lpt8|lpt9
It can, however, be done with cmd's copy command:

D:\>copy piaoyi.asp \\.\D:\lpt6.piaoyi.asp
(the \\.\ prefix in front of the path is required)

Such files cannot be deleted from the graphical interface, only from the command line:

D:\>del "\\.\D:\lpt6.piaoyi.asp"
D:\>del "\\.\D:\lpt3.1.asp;.jpg"

If a file-not-found error is reported, first clear the read-only, hidden and system (RHSA) attributes:

D:\>attrib -s -h -r "\\.\D:\lpt3.1.asp;.jpg"
D:\>del "\\.\D:\lpt3.1.asp;.jpg"

Note: because the path contains a semicolon, it must be enclosed in double quotes; otherwise the path will not be found.
Yet IIS still parses such a file without trouble; that is the whole trick behind the webshell "undead zombie". Files of this kind can be removed with the method below.
The simplest and most convenient way is to delete them by command:

del /f /a /q \\?\%1
rd /s /q \\?\%1

Save the commands above as a file with a .bat extension, then drag the file or folder that cannot be deleted onto the bat file.
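As an added example, not part of the original post, here is a PowerShell script that does the clean-up side of the above in bulk: it walks a web root, flags every file whose leading name component is one of the reserved device names listed in the post, keeps a copy for analysis, and removes it through cmd.exe with the \\?\ prefix exactly as the post's .bat does. The web root and quarantine folder are assumed locations; the listing goes through cmd's dir because .NET file APIs can refuse such paths.

```powershell
# Added example, not from the original post. Find files under a web root whose
# leading name component is a reserved device name and delete them via cmd.exe
# with the \\?\ prefix, as the post's .bat does.
$webRoot    = 'D:\wwwroot'       # assumed web root
$quarantine = 'C:\quarantine'    # assumed folder for copies kept for analysis
$reserved   = '^(aux|prn|con|nul|com[1-9]|lpt[1-9])(\.|$)'

function Find-ReservedNameFiles {
    param([string]$Root)
    # cmd's dir lists these entries; /a-d restricts the listing to files.
    & cmd.exe /c "dir /s /b /a-d `"$Root`"" 2>$null |
        Where-Object { ($_ -replace '^.*\\', '') -match $reserved }
}

function Remove-ReservedNameFile {
    param([string]$Path)
    $name   = $Path -replace '^.*\\', ''
    $parent = $Path -replace '\\[^\\]+$', ''
    if (-not (Test-Path -LiteralPath $quarantine)) {
        New-Item -ItemType Directory -Path $quarantine | Out-Null
    }
    # Keep a copy under a non-reserved name; \\.\ makes cmd treat the source as a plain file.
    & cmd.exe /c "copy /y `"\\.\$Path`" `"$quarantine\quarantined_$name.txt`"" | Out-Null
    # Clear the attributes that make del report "file not found", then delete with \\?\
    & cmd.exe /c "attrib -s -h -r `"\\?\$Path`""
    & cmd.exe /c "del /f /a /q `"\\?\$Path`""
    # del does not signal failure reliably, so confirm by re-listing the parent folder.
    $remaining = & cmd.exe /c "dir /b /a `"$parent`"" 2>$null | Where-Object { $_ -ieq $name }
    return (-not $remaining)
}

foreach ($file in Find-ReservedNameFiles -Root $webRoot) {
    if (Remove-ReservedNameFile -Path $file) { "removed: $file" } else { "FAILED:  $file" }
}
```

Run it from an elevated prompt. The Find-ReservedNameFiles function on its own is also a cheap recurring check for a web root: a file such as com7.h.asp should never appear there legitimately.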

Remove Unwanted HTTP Response Headers

From:https://blogs.msdn.microsoft.com/varunm/2013/04/23/remove-unwanted-http-response-headers/

The purpose of this blog post is to discuss how to remove unwanted HTTP response headers from the response. Typically there are three response headers that many people want to remove for security reasons.

  • Server – Specifies web server version.
  • X-Powered-By – Indicates that the website is “powered by ASP.NET.”
  • X-AspNet-Version – Specifies the version of ASP.NET used.

Before you go any further, you should evaluate whether or not you need to remove these headers. If you have decided to remove these headers because of a security scan on your site, you may want to read the following blog post by David Wang.
Continue reading

How to remove all information about IIS Server from Response Header?

It is amazing how scarce information on removing any details about the IIS server from the response header is online, so I decided to blog this.

The reason you would want this is that you would not want to readily disclose what server, or which version of it, you are running. For example, see below the response header I gathered from one of the sites running IIS:

Notice that you have information about Server, X-AspNet-Version and X-Powered-By. There is enough information to know it is running on IIS. Why hide this info? Because a particular version of IIS might have a security hole that an attacker can exploit. Sometimes, in an enterprise environment, external third-party security firms such as WhiteHat will flag such findings, so you have to fix them.
Continue reading
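The two posts above both turn on the same three headers. As an added example (not from either post), the PowerShell below checks a response for them, first against a constructed header set resembling the one described, then against a live URL you supply; the URL and the sample values are assumptions.

```powershell
# Added example, not from the original posts. Report the version-disclosing
# headers discussed above, from a header table or from a live response.
$disclosingHeaders = 'Server', 'X-Powered-By', 'X-AspNet-Version'

function Get-DisclosingHeaders {
    param([hashtable]$Headers)
    # Header names are case-insensitive; PowerShell hashtable keys and -contains are too.
    $found = @{}
    foreach ($name in $Headers.Keys) {
        if ($disclosingHeaders -contains $name) { $found[$name] = $Headers[$name] }
    }
    return $found
}

function Test-SiteHeaders {
    param([string]$Uri)
    # -UseBasicParsing avoids the Internet Explorer dependency on older Windows PowerShell.
    $resp = Invoke-WebRequest -Uri $Uri -UseBasicParsing -Method Get
    $h = @{}
    foreach ($k in $resp.Headers.Keys) { $h[$k] = $resp.Headers[$k] }
    Get-DisclosingHeaders -Headers $h
}

# Constructed sample resembling the kind of response the post shows (values are made up).
$sample = @{
    'Content-Type'     = 'text/html'
    'Server'           = 'Microsoft-IIS/7.5'
    'X-Powered-By'     = 'ASP.NET'
    'X-AspNet-Version' = '4.0.30319'
}
$leaks = Get-DisclosingHeaders -Headers $sample
if ($leaks.Count -gt 0) {
    $leaks.GetEnumerator() | ForEach-Object { 'disclosing header {0}: {1}' -f $_.Key, $_.Value }
} else {
    'no disclosing headers'
}

# Live check against an assumed URL:
# Test-SiteHeaders -Uri 'https://www.example.com/'
```

On the fixing side: X-Powered-By is removed in web.config under system.webServer/httpProtocol/customHeaders with a remove element, X-AspNet-Version by setting enableVersionHeader="false" on httpRuntime under system.web, while the Server header is added by IIS itself and needs URL Rewrite (or the removeServerHeader requestFiltering attribute on IIS 10) to suppress. Rerunning Test-SiteHeaders after the change confirms the result rather than assuming it.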

VeraCrypt

VeraCrypt is software for establishing and maintaining an on-the-fly-encrypted volume (data storage device). On-the-fly encryption means that data is automatically encrypted right before it is saved and decrypted right after it is loaded, without any user intervention. No data stored on an encrypted volume can be read (decrypted) without using the correct password/keyfile(s) or the correct encryption keys. The entire file system is encrypted (file names, folder names, the contents of every file, free space, metadata, etc.).

Files can be copied to and from a mounted VeraCrypt volume just as they are copied to/from any normal disk (for example, by simple drag-and-drop operations). Files are automatically decrypted on the fly (in memory/RAM) while they are being read or copied from an encrypted VeraCrypt volume. Similarly, files that are being written or copied to the VeraCrypt volume are automatically encrypted on the fly (right before they are written to the disk) in RAM. Note that this does not mean that the whole file to be encrypted/decrypted must be stored in RAM before it can be encrypted/decrypted. There are no extra memory (RAM) requirements for VeraCrypt. For an illustration of how this is accomplished, see the following paragraph.

Let’s suppose that there is an .avi video file stored on a VeraCrypt volume (therefore, the video file is entirely encrypted). The user provides the correct password (and/or keyfile) and mounts (opens) the VeraCrypt volume. When the user double clicks the icon of the video file, the operating system launches the application associated with the file type – typically a media player. The media player then begins loading a small initial portion of the video file from the VeraCrypt-encrypted volume to RAM (memory) in order to play it. While the portion is being loaded, VeraCrypt is automatically decrypting it (in RAM). The decrypted portion of the video (stored in RAM) is then played by the media player. While this portion is being played, the media player begins loading another small portion of the video file from the VeraCrypt-encrypted volume to RAM (memory) and the process repeats. This process is called on-the-fly encryption/decryption and it works for all file types (not only for video files).

Continue reading

Block IP Addresses With Windows Firewall 2008, 2012

If you ever feel that someone may be trying to break into your FTP or IIS server, or know an IP address that you want to block from accessing your server, there is a built-in firewall on all of our 2008-2012 Windows servers. You can use this firewall to block either a range of IP addresses or a single address.

Turning Windows Firewall On

A firewall profile is a way of grouping settings, such as firewall rules and connection security rules, which are applied to the computer depending on where the computer is connected. On computers running this version of Windows, there are three profiles for Windows Firewall with Advanced Security:

  • Domain Profile – Applied to a network adapter when it is connected to a network on which it can detect a domain controller of the domain to which the computer is joined.
  • Private Profile – Applied to a network adapter when it is connected to a network that is identified by the user or administrator as a private network. A private network is one that is not connected directly to the Internet, but is behind some kind of security device, such as a network address translation (NAT) router or hardware firewall. For example, this could be a home network, or a business network that does not include a domain controller. The Private profile settings should be more restrictive than the Domain profile settings.
  • Public Profile – Applied to a network adapter when it is connected to a public network such as those available in airports and coffee shops. When the profile is not set to Domain or Private, the default profile is Public. The Public profile settings should be the most restrictive because the computer is connected to a public network where the security cannot be controlled. For example, a program that accepts inbound connections from the Internet (like a file sharing program) may not work in the Public profile because the Windows Firewall default setting will block all inbound connections to programs that are not on the list of allowed programs.

Continue reading
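As an added example that is not part of the original article, the PowerShell below creates the inbound block rule the article is about for a single address or a range, across all three profiles described above. It uses the NetSecurity cmdlets on Server 2012 and falls back to netsh advfirewall, which is what Server 2008 offers. The addresses are documentation (TEST-NET) placeholders.

```powershell
# Added example, not from the original article. Block inbound traffic from an
# address, CIDR block or "first-last" range on every firewall profile, then show
# what the rule matches. 198.51.100.7 and 203.0.113.0/24 are placeholder addresses.
function Block-InboundAddress {
    param(
        [Parameter(Mandatory)][string]$RemoteAddress,   # e.g. 198.51.100.7, 203.0.113.0/24, 203.0.113.1-203.0.113.50
        [string]$Name = "Block inbound from $RemoteAddress"
    )
    if (Get-Command New-NetFirewallRule -ErrorAction SilentlyContinue) {
        # Server 2012 / Windows 8 and later: NetSecurity module.
        # -Profile Any applies the rule to Domain, Private and Public alike.
        New-NetFirewallRule -DisplayName $Name -Direction Inbound -Action Block `
            -RemoteAddress $RemoteAddress -Profile Any -Enabled True | Out-Null
    } else {
        # Server 2008 / 2008 R2: no NetSecurity cmdlets, so use netsh advfirewall.
        & netsh advfirewall firewall add rule name="$Name" dir=in action=block remoteip=$RemoteAddress profile=any | Out-Null
    }
}

Block-InboundAddress -RemoteAddress '198.51.100.7'
Block-InboundAddress -RemoteAddress '203.0.113.0/24'

# Read the rules back: the address filter is where a typo in a range would show up.
if (Get-Command Get-NetFirewallRule -ErrorAction SilentlyContinue) {
    Get-NetFirewallRule -DisplayName 'Block inbound from*' |
        Get-NetFirewallAddressFilter |
        Select-Object RemoteAddress
} else {
    & netsh advfirewall firewall show rule name=all dir=in | Select-String -Pattern 'Rule Name|RemoteIP'
}
```

Windows Firewall with Advanced Security evaluates explicit block rules ahead of allow rules, so a block rule like this takes precedence over the existing FTP or IIS allow rules without editing them.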

File System Redirector

The %windir%\System32 directory is reserved for 64-bit applications. Most DLL file names were not changed when 64-bit versions of the DLLs were created, so 32-bit versions of the DLLs are stored in a different directory. WOW64 hides this difference by using a file system redirector.

In most cases, whenever a 32-bit application attempts to access %windir%\System32, the access is redirected to %windir%\SysWOW64. Access to %windir%\lastgood\system32 is redirected to %windir%\lastgood\SysWOW64. Access to %windir%\regedit.exe is redirected to %windir%\SysWOW64\regedit.exe.

If the access causes the system to display the UAC prompt, redirection does not occur. Instead, the 64-bit version of the requested file is launched. To prevent this problem, either specify the SysWOW64 directory to avoid redirection and ensure access to the 32-bit version of the file, or run the 32-bit application with administrator privileges so the UAC prompt is not displayed.
Continue reading
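As an added example, not from the original article, the PowerShell below shows the redirection from the script's point of view: a 32-bit PowerShell process on 64-bit Windows is silently sent to SysWOW64 when it asks for System32, so a script that needs the native 64-bit binaries has to ask for them explicitly. It uses the Sysnative alias that WOW64 exposes to 32-bit processes for exactly this purpose; that alias is not mentioned in the excerpt above and is this example's own assumption.

```powershell
# Added example, not from the original article. Pick the right System32 path
# depending on whether this PowerShell is a WOW64 (32-bit) or native process.
function Get-NativeSystem32 {
    if ([Environment]::Is64BitOperatingSystem -and -not [Environment]::Is64BitProcess) {
        # 32-bit process on 64-bit Windows: %windir%\System32 would be redirected to SysWOW64,
        # so use the Sysnative alias that WOW64 provides to reach the real System32.
        return Join-Path $env:windir 'Sysnative'
    }
    return Join-Path $env:windir 'System32'
}

function Get-Wow64System32 {
    # Where the 32-bit copies of the DLLs live on 64-bit Windows, as the article describes.
    if ([Environment]::Is64BitOperatingSystem) { return Join-Path $env:windir 'SysWOW64' }
    return Join-Path $env:windir 'System32'
}

# PROCESSOR_ARCHITEW6432 is only set inside a WOW64 process, which is a second way to tell.
"64-bit process: $([Environment]::Is64BitProcess); PROCESSOR_ARCHITEW6432 = '$env:PROCESSOR_ARCHITEW6432'"

$native = Get-NativeSystem32
$wow64  = Get-Wow64System32
"native System32 path for this process: $native (exists: $(Test-Path -LiteralPath $native))"
"32-bit DLL directory: $wow64 (exists: $(Test-Path -LiteralPath $wow64))"

# The same regedit.exe request resolves to different binaries in the two process flavours.
$regedit = Join-Path $native 'regedit.exe'
if (Test-Path -LiteralPath $regedit) { (Get-Item -LiteralPath $regedit).FullName }
```

Run the block once from 64-bit PowerShell and once from %windir%\SysWOW64\WindowsPowerShell\v1.0\powershell.exe to see the two paths differ; this is the same effect that makes a 32-bit scanner or agent miss files and registry keys that only the native view contains.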

Windows Events Command Line Utility (wevtutil)

Windows Events Command Line Utility.

Enables you to retrieve information about event logs and publishers,
install and uninstall event manifests, run queries, and export, archive and clear logs.

Usage:

You can use either short (such as ep /uni) or long (such as
enum-publishers /unicode) versions of command and option names.
Commands, options and option values are not case-sensitive.

Variables are noted in all upper-case.

wevtutil COMMAND [ARGUMENT [ARGUMENT] …] [/OPTION:VALUE [/OPTION:VALUE] …]

Continue reading
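As an added example that is not part of the help text above, the commands below exercise the syntax it describes, using both the short and long forms of command and option names: they list the most recent failed logons from the Security log, export them to an .evtx archive, and then read the archive's metadata back. The output path is an assumption.

```powershell
# Added example, not from the wevtutil help text. Query, export and inspect
# Security event 4625 (failed logon) with wevtutil. The output path is assumed.
$out   = 'C:\Temp\Security-4625.evtx'
$query = '*[System[(EventID=4625)]]'   # XPath filter over the event's System block

# qe = query-events. /rd:true = newest first, /c = count, /f:text = readable output.
wevtutil qe Security /q:"$query" /rd:true /c:5 /f:text

# epl = export-log with the same filter; /ow:true overwrites an existing file.
wevtutil epl Security $out /q:"$query" /ow:true

# Long-form names are equivalent: get-log-info with /logfile:true reads a file, not a live log.
wevtutil get-log-info $out /logfile:true
```

The Security log is readable only from an elevated prompt. Exporting with a filter, rather than clearing (cl) the live log, keeps the original events intact, which is what you want when the failed logons are the evidence.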

Modify an SMTP Service Property

ADSI:
strComputer = "LocalHost"

Set objIIS = GetObject("IIS://" & strComputer & "/SMTPSVC/1")
objIIS.FullyQualifiedDomainName = "smtp.517sou.net"
objIIS.SetInfo

'Wscript.Echo "OK!"

The same change with adsutil.vbs from the command line:

cscript.exe c:\inetpub\AdminScripts\adsutil.vbs set /Smtpsvc/1/FullyQualifiedDomainName "smtp.517sou.net"

PowerShell & WMI

Set-ExecutionPolicy RemoteSigned
function Configure-SMTPService ([string]$incomingEMailDomainName, [int]$incomingEMailMaxMessageSize)
{
    Write-Host -ForegroundColor White " -> Changing the start-up type of SMTP service to 'Automatic'..."
    Set-Service "SMTPSVC" -StartupType Automatic -ErrorAction SilentlyContinue
    if ($?)
    {
        Write-Host -ForegroundColor Green " [OK] Successfully changed startup type."
    }
    else
    {
        Write-Host -ForegroundColor Red " [Error] Unable to change startup type."
        Exit
    }

    Write-Host -ForegroundColor White " -> Starting SMTP service..."
    Start-Service "SMTPSVC" -ErrorAction SilentlyContinue

    if ($?)
    {
        Write-Host -ForegroundColor Green " [OK] Service successfully started."
    }
    else
    {
        Write-Host -ForegroundColor Red " [Error] Unable to start service."
        Exit
    }

    # Scriptomatic is a great tool for exploring the WMI namespace:
    # http://www.microsoft.com/en-us/download/details.aspx?id=12028
    Write-Host -ForegroundColor White " -> Creating incoming SMTP domain..."

    # First create a new SMTP domain. The path 'SmtpSvc/1' is the first virtual SMTP server.
    # If you need to modify another virtual SMTP server, change the path accordingly.
    try
    {
        $smtpDomains = [wmiclass]'root\MicrosoftIISv2:IIsSmtpDomain'
        $newSMTPDomain = $smtpDomains.CreateInstance()
        $newSMTPDomain.Name = "SmtpSvc/1/Domain/$incomingEMailDomainName"
        $newSMTPDomain.Put() | Out-Null
        Write-Host -ForegroundColor Green " [OK] Successfully created incoming email domain."
    }
    catch
    {
        Write-Host -ForegroundColor Red " [Error] Unable to create incoming email domain."
        Exit
    }

    Write-Host -ForegroundColor White " -> Configuring incoming SMTP domain..."

    try
    {
        # Configure the new SMTP domain as an alias domain
        $smtpDomainSettings = [wmiclass]'root\MicrosoftIISv2:IIsSmtpDomainSetting'
        $newSMTPDomainSetting = $smtpDomainSettings.CreateInstance()

        # Set the type of the domain to "Alias"
        $newSMTPDomainSetting.RouteAction = 16

        # Map the settings to the domain we created in the first step
        $newSMTPDomainSetting.Name = "SmtpSvc/1/Domain/$incomingEMailDomainName"
        $newSMTPDomainSetting.Put() | Out-Null
        Write-Host -ForegroundColor Green " [OK] Successfully configured incoming email domain."
    }
    catch
    {
        Write-Host -ForegroundColor Red " [Error] Unable to configure incoming e-mail domain."
        Exit
    }

    Write-Host -ForegroundColor White " -> Configuring virtual SMTP server..."

    try
    {
        $virtualSMTPServer = Get-WmiObject IISSmtpServerSetting -Namespace "ROOT\MicrosoftIISv2" | Where-Object { $_.Name -like "SmtpSVC/1" }

        # Set maximum message size in bytes (the parameter is given in KB)
        $virtualSMTPServer.MaxMessageSize = ($incomingEMailMaxMessageSize * 1024)

        # Disable session size limit
        $virtualSMTPServer.MaxSessionSize = 0

        # Set maximum number of recipients (0 = unlimited)
        $virtualSMTPServer.MaxRecipients = 0

        # Set maximum messages per connection (0 = unlimited)
        $virtualSMTPServer.MaxBatchedMessages = 0
        $virtualSMTPServer.Put() | Out-Null
        Write-Host -ForegroundColor Green " [OK] Successfully configured virtual SMTP server."
    }
    catch
    {
        Write-Host -ForegroundColor Red " [Error] Unable to configure virtual SMTP server."
        Exit
    }
}
Configure-SMTPService "sp.mydomain.local" 10240

Puppet deployment:

configWinSMTPSVC.vbs:

strComputer = "LocalHost"
 
Set objIIS = GetObject("IIS://" & strComputer & "/SMTPSVC/1")
Wscript.Echo "FullyQualifiedDomainName(Before): " & objIIS.FullyQualifiedDomainName
strFQDN = Trim(objIIS.FullyQualifiedDomainName)
If Instr(strFQDN,"517sou.net") = 0 Then
	objIIS.FullyQualifiedDomainName = "smtp.517sou.net"
	objIIS.SetInfo
End If
Wscript.Echo "FullyQualifiedDomainName(After): " & objIIS.FullyQualifiedDomainName

Puppet manifest:

class configWinSMTPSVC {
  file { 'C:/Windows/Temp/configWinSMTPSVC.vbs':
    ensure             => 'file',
    alias              => "configWinSMTPSVCvbs",
    source_permissions => ignore,
    group              => 'Administrators',
    source             => "puppet://puppet.zzy.com/files/windows/smtpsvc/configWinSMTPSVC.vbs",
  }
  exec { 'exec-configWinSMTPSVC':
    path    => $::path,
    command => 'cmd.exe /c cscript.exe //Nologo C:/Windows/Temp/configWinSMTPSVC.vbs',
    require => File['configWinSMTPSVCvbs'],
  }
}

Getting the Windows administrator user name and its SID

GetAdminName.vbs:

'''''Code Start '''''
Wscript.Echo GetAdminName

Function GetAdminName 
	Set objNetwork = CreateObject("Wscript.Network") 	'get the current computer name
	objComputerName = objNetwork.ComputerName

	Set objwmi = GetObject("winmgmts:{impersonationLevel=impersonate}!//" & objComputerName)
	qry = "SELECT * FROM Win32_Account where Domain = '" & cstr(objComputerName) & "'" 'set query, making sure to only look at local computer

	For Each Admin in objwmi.ExecQuery(qry)
		if (left(admin.sid, 6) = "S-1-5-" and right(admin.sid,4) = "-500") then 	'look for admin sid
			GetAdminName = admin.name
		end if
	next
End Function

'''''Code End'''''

Getting the .vbs return value from a .bat
GetAdminName.bat:

@echo off
REM Capture the single line the VBScript echoes into an environment variable
for /f "delims=" %%x in ('cscript //nologo GetAdminName.vbs') do (
    set sFileName=%%x
)
echo %sFileName%
REM pause

Querying a user's SID from the command line

C:\Users\Administrator>wmic useraccount where "SID like 'S-1-5-%-500'" get sid
SID
S-1-5-21-2837057897-1460117072-2570820871-500

E:\temp>wmic useraccount where "SID like 'S-1-5-%-%'" get caption,sid
Caption SID
SHANE-WORKPLACE\Administrator S-1-5-21-4246277841-3966888941-2683127511-500
SHANE-WORKPLACE\DefaultAccount S-1-5-21-4246277841-3966888941-2683127511-503
SHANE-WORKPLACE\Guest S-1-5-21-4246277841-3966888941-2683127511-501
SHANE-WORKPLACE\Shane.Wan S-1-5-21-4246277841-3966888941-2683127511-1001
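As an added example that is not part of the original post, the PowerShell below does the same lookup as the VBScript and the wmic commands above with the CIM cmdlets that replace wmic (which is deprecated). It maps each local account to its RID, so a renamed built-in Administrator is still found through RID 500, the same check the VBScript does with left() and right() on the SID. The well-known RIDs labelled are the ones visible in the wmic output above.

```powershell
# Added example, not from the original post. List local accounts with their RIDs
# and locate the built-in Administrator by RID 500 regardless of its name.
$wellKnownRids = @{ '500' = 'Administrator'; '501' = 'Guest'; '503' = 'DefaultAccount' }

function Get-LocalAccountRids {
    # LocalAccount = TRUE keeps the query off the domain; on a joined machine an
    # unfiltered Win32_UserAccount query enumerates every domain user and is slow.
    Get-CimInstance -ClassName Win32_UserAccount -Filter "LocalAccount = TRUE" |
        ForEach-Object {
            $rid = $_.SID -replace '^.*-', ''
            [pscustomobject]@{
                Name      = $_.Name
                SID       = $_.SID
                RID       = $rid
                WellKnown = $wellKnownRids[$rid]   # $null for ordinary users such as RID 1001
                Disabled  = $_.Disabled
            }
        }
}

function Get-BuiltinAdministrator {
    # RID 500 identifies the built-in Administrator even after it has been renamed.
    Get-LocalAccountRids | Where-Object { $_.RID -eq '500' }
}

Get-LocalAccountRids | Format-Table Name, RID, WellKnown, Disabled -AutoSize

$admin = Get-BuiltinAdministrator
$state = if ($admin.Disabled) { 'disabled' } else { 'enabled' }
"Built-in Administrator is named '$($admin.Name)' ($($admin.SID)) and is $state"
```

The WQL filter from the wmic example, SID LIKE 'S-1-5-%-500', works unchanged as the -Filter argument of Get-CimInstance if you only want the one row; the Disabled column is the detail worth keeping an eye on, since a renamed but enabled RID 500 account is easy to overlook.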