Everything - Post Exploitation
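Everything is a file search tool for Windows. It is powerful, fast and highly portable, which makes it well suited to locating and downloading files from a target host during post-exploitation. The portable version can be downloaded from its official website.
svc: service management
Command to install the service: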
PS C:\> Everything.exe -install-client-service -config .\Everything.ini -nodb -nocase -enable-run-as-admin
Command to uninstall the service:
PS C:\> Everything.exe -uninstall-client-service
ini: configuration file
HTTP server configuration:
; Please make sure Everything is not running before modifying this file.
[Everything]
http_server_enabled=1
http_server_bindings=0.0.0.0
http_title_format=
http_server_port=8888
http_server_username=admin
http_server_password=123456
http_server_home=
http_server_default_page=
http_server_log_file_name=
http_server_logging_enabled=0
http_server_log_max_size=4194304
http_server_log_delta_size=524288
http_server_allow_file_download=1
ETP/FTP server configuration:
etp_server_enabled=1
etp_server_bindings=0.0.0.0
etp_server_port=2121
etp_server_username=admin
etp_server_password=123456
etp_server_welcome_message=
etp_server_log_file_name=
etp_server_logging_enabled=0
etp_server_log_max_size=4194304
etp_server_log_delta_size=524288
etp_server_allow_file_download=1
ftp_allow_port=1
ftp_check_data_connection_ip=1
Adding removable drives to Everything:
Note: Everything supports files on NTFS-formatted disks by default. To support removable drives that are not NTFS-formatted, they must be specified as folders.
folders="A:\\","B:\\","C:\\","D:\\","G:\\","H:\\","I:\\","J:\\","K:\\","L:\\","M:\\","N:\\","O:\\","P:\\","Q:\\","R:\\","S:\\","T:\\","U:\\","V:\\","W:\\","X:\\","Y:\\","Z:\\"
folder_monitor_changes=1,1
folder_buffer_size_list=65536,65536
folder_rescan_if_full_list=0,0
folder_update_types=0,2
folder_update_days=0,0
folder_update_ats=3,3
folder_update_intervals=30,6
folder_update_interval_types=0,1
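As an added example (not part of the original post and not voidtools code), this Python script audits an Everything.ini recovered from a host for the file-serving settings shown above, which is the check a defender would run when an unexpected Everything client service turns up. The function names, the weak-password list and the sample input are assumptions constructed for illustration; the configuration keys are the ones on this page.

```python
import configparser

# Constructed sample that reuses the settings shown on this page.
SAMPLE_INI = """\
; Please make sure Everything is not running before modifying this file.
[Everything]
http_server_enabled=1
http_server_bindings=0.0.0.0
http_server_port=8888
http_server_password=123456
http_server_logging_enabled=0
http_server_allow_file_download=1
etp_server_enabled=0
etp_server_password=123456
"""
SERVERS = {"http": "HTTP server", "etp": "ETP/FTP server"}
WEAK_PASSWORDS = {"", "123456", "admin", "password"}  # assumption: illustrative list
LOOPBACK = {"127.0.0.1", "localhost", "::1"}

def parse_ini(text):
    """Parse Everything.ini text; tolerate fragments that lack the section header."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        cp.read_string(text)
    except configparser.MissingSectionHeaderError:
        cp.read_string("[Everything]\n" + text)
    return cp["Everything"] if cp.has_section("Everything") else {}

def audit_everything_ini(text):
    """Return (key, finding) pairs for every enabled file-serving feature."""
    cfg, findings = parse_ini(text), []
    for prefix, label in SERVERS.items():
        def val(name, default=""):
            return cfg.get(f"{prefix}_server_{name}", default).strip()
        if val("enabled") != "1":
            continue  # a disabled server exposes nothing
        checks = [
            ("enabled", True, f"enabled on port {val('port', '?')}"),
            ("bindings", val("bindings") not in LOOPBACK, "not restricted to loopback"),
            ("password", val("password") in WEAK_PASSWORDS, "empty or guessable password"),
            ("logging_enabled", val("logging_enabled") == "0", "request logging is off"),
            ("allow_file_download", val("allow_file_download") == "1", "file download allowed"),
        ]
        findings += [(f"{prefix}_server_{n}", f"{label}: {msg}") for n, hit, msg in checks if hit]
    return findings

if __name__ == "__main__":
    for key, finding in audit_everything_ini(SAMPLE_INI):
        print(f"{key:34} {finding}")
```

Only explicit values are flagged; keys missing from the file are not interpreted, because the product's defaults are not stated on this page.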
run: what it looks like when running
help: full parameter list
Everything.exe [filename] [-options]
filename Open the specified file list.
Options:
-? Show this help.
-admin Run "Everything" as Administrator.
-admin-server-share-links Use \\Server\C$ links for ETP connections.
-app-data Store data in application data.
-bookmark <name> Open a bookmark.
-case Enable case matching.
-choose-language Show the language selection page.
-choose-volumes Do not automatically index volumes.
-close Close the current search window.
-config <filename> The filename of the ini file.
-connect <user:pass@host:port> Connect to an ETP server.
-console Show the debugging console.
-copyto <filename1> <...> Show the multi-file renamer with the specified filenames.
-create-file-list <filename> <path> Create a file list of a path.
-create-file-list-exclude-files <list>
Exclude the semicolon delimited wildcard filter for files.
-create-file-list-exclude-folders <list>
Exclude the semicolon delimited wildcard filter for folders.
-create-file-list-include-only-files <list>
Include only the semicolon delimited wildcard filter for files.
-create-usn-journal <volume> <max-size-bytes> <allocation-delta-bytes>
Create a USN Journal with the specified parameters.
-db <filename> The filename of the database.
-debug Show the debugging console.
-debug-log Log debugging information to disk.
-delete-usn-journal <volume> Delete a USN Journal.
-details Show results in detail view.
-diacritics Enable diacritics matching.
-disable-run-as-admin Disable run as administrator.
-disable-update-notification Disable update notification on startup.
-drive-links Use C: links for ETP connections.
-edit <filename> Open a file list with the file list editor.
-enable-run-as-admin Enable run as administrator.
-enable-update-notification Enable update notification on startup.
-exit Exit "Everything".
-first-instance Only run if this is the first instance of "Everything".
-filelist <filename> Open a file list.
-filename <filename> Search for a file or folder by filename.
-filter <name> Select a search filter.
-focus-bottom-result Focus the bottom result.
-focus-last-run-result Focus the last run result.
-focus-most-run-result Focus the most run result.
-focus-results Focus the result list.
-focus-top-result Focus the top result.
-ftp-links Use ftp://host/C: links for ETP connections.
-fullscreen Show the search window fullscreen.
-h Show this help.
-help Show this help.
-home Open the home search.
-install <location> Install "Everything" to a new location.
-install-client-service Install the "Everything" client as a service.
-install-config <filename> Install the specified ini file.
-install-desktop-shortcut Install desktop shortcut.
-install-efu-association Install EFU file association.
-install-folder-context-menu Install folder context menus.
-install-quick-launch-shortcut Install Quick Launch shortcut.
-install-run-on-system-startup Install "Everything" from the system startup.
-install-service Install and start the "Everything" service.
-install-service-pipe-name <name> Use the specified name for the "Everything" service pipe name.
-install-service-security-descriptor
Specify the pipe security descriptor.
-install-start-menu-shortcuts Install "Everything" shortcuts from the Start menu.
-install-url-protocol Install URL Protocol.
-instance <name> The name of the "Everything" instance.
-l Load the local database.
-language <langID> Set the language to the specified language ID.
-load-delay <milliseconds> The delay in milliseconds before loading the database.
-local Load the local database.
-matchpath Enable full path matching.
-maximized Maximize the search window.
-minimized Minimize the search window.
-moveto <filename1> <...> Show the multi-file renamer with the specified filenames.
-name-part <filename> Search for the name part of a filename.
-newwindow Create a new search window.
-noapp-data Store data in executable location.
-nocase Disable case matching.
-nodb Do not save to or load from the "Everything" database file.
-nodiacritics Disable diacritics matching.
-nofullscreen Show the search window in a window.
-nomatchpath Disable full path matching.
-nomaximized Unmaximize the search window.
-nominimized Unminimize the search window.
-nonewwindow Show an existing search window.
-noontop Disable always on top.
-noregex Disable Regex.
-noverbose Display only basic debug messages.
-nowholeword Disable match whole word.
-noww Disable match whole word.
-ontop Enable always on top.
-p <path> Search for a path.
-parent <path> Search for files and folders in the specified folder.
-parentpath <path> Search for the parent of a path.
-path <path> Search for a path.
-quit Exit "Everything".
-read-only Loads the database in read-only mode.
-regex Enable Regex.
-reindex Force database rebuild.
-rename <filename1> <...> Show the multi-file renamer with the specified filenames.
-rescan-all Rescan all folder indexes.
-s <text> Set the search.
-search <text> Set the search.
-search-file-list <filename> Search the specified text file for a list of file names.
-select <filename> Focus and select the specified result.
-server-share-links Use \\Server\C: links for ETP connections.
-service-pipe-name <name> Connect to the service pipe with the specified name.
-sort <name> Set the sort to the specified name.
-sort-ascending Sort ascending.
-sort-descending Sort descending.
-start-client-service Start the "Everything" client service.
-start-service Start the "Everything" service.
-startup Run "Everything" in the background.
-stop-client-service Stop the "Everything" client service.
-stop-service Stop the "Everything" service.
-svc Run "Everything" as a service.
-svc-pipe-name <name> Host the pipe server with the specified name.
-svc-security-descriptor <sd> Host the pipe server with the security descriptor.
-thumbnail-size <size> Specify the size of thumbnails in pixels.
-thumbnails Show results in thumbnail view.
-toggle-window Hides the current foreground search window or shows the search window.
-uninstall [path] Uninstall "Everything" from the specified path.
-uninstall-client-service Uninstall the "Everything" client service.
-uninstall-desktop-shortcut Uninstall desktop shortcut.
-uninstall-efu-association Uninstall EFU file association.
-uninstall-folder-context-menu Uninstall folder context menus.
-uninstall-quick-launch-shortcut Uninstall Quick Launch shortcut.
-uninstall-run-on-system-startup Remove "Everything" from the system startup.
-uninstall-service Uninstall the "Everything" service.
-uninstall-start-menu-shortcuts Uninstall "Everything" shortcuts from the Start menu.
-uninstall-url-protocol Uninstall URL Protocol.
-uninstall-user Uninstall user files.
-update Save the database to disk.
-url <[es:]search> Set the search from an ES: URL.
-verbose Display all debug messages.
-wholeword Enable match whole word.
-ww Enable match whole word.
This post is licensed by the author under CC BY 4.0.