Course reference URL: https://github.com/Micropoor/Micro8
1. What is penetration testing for? Who can do penetration testing?
Party B (vendor-side) security testing, Party A (client-side) security self-checks, network security enthusiasts, etc.; the goal is enterprise security protection and improvement. Security practitioners can start from penetration testing: whether the work is testing or attack-and-defense, an understanding of penetration testing is required.
2. Privilege escalation with Windows exploits
To check which Windows patches are missing (and therefore which known exploits may still apply), the following cmd one-liner can be used:
systeminfo > micropoor.txt & (for %i in (KB977165 KB2160329 KB2503665 KB2592799 KB2707511 KB2829361 KB2850851 KB3000061 KB3045171 KB3077657 KB3079904 KB3134228 KB3143141 KB3141780) do @type micropoor.txt|@find /i "%i"||@echo %i you can fuck) & del /f /q /a micropoor.txt
The output looks like this (every KB listed here was reported as not installed):
KB977165 you can fuck
KB2160329 you can fuck
KB2503665 you can fuck
KB2592799 you can fuck
KB2707511 you can fuck
KB2829361 you can fuck
KB2850851 you can fuck
KB3000061 you can fuck
KB3045171 you can fuck
KB3077657 you can fuck
KB3079904 you can fuck
KB3134228 you can fuck
KB3143141 you can fuck
KB3141780 you can fuck
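The same check can be run offline against a saved systeminfo dump, which is how a defender would audit patch compliance across many hosts instead of typing the loop on each box. The following Python script is an added example written for these notes, not code from the Micro8 course or the K8 project; the KB list is the one from the one-liner above, and the systeminfo text is a constructed sample (its hotfix layout follows the real "Hotfix(s):" section, but the host is fictional).

```python
"""Patch-compliance check over a saved `systeminfo` dump.

Added example, not part of the course notes. It does what the cmd one-liner
above does (report every required KB that does not appear in the dump), but
with a whole-token match instead of `find`'s substring match.
"""
from __future__ import annotations

import re

# KB list taken from the one-liner in the notes: patches whose absence it reports.
REQUIRED_KBS = [
    "KB977165", "KB2160329", "KB2503665", "KB2592799", "KB2707511",
    "KB2829361", "KB2850851", "KB3000061", "KB3045171", "KB3077657",
    "KB3079904", "KB3134228", "KB3143141", "KB3141780",
]

# Constructed sample of `systeminfo` output (assumption: only the Hotfix(s)
# section matters here; the rest of a real dump is omitted).
SAMPLE_SYSTEMINFO = """\
Host Name:                 WS-EXAMPLE
OS Name:                   Microsoft Windows 7 Professional
Hotfix(s):                 3 Hotfix(s) Installed.
                           [01]: KB2592799
                           [02]: KB3000061
                           [03]: KB4012212
Network Card(s):           1 NIC(s) Installed.
"""

# Whole-token KB ids only: `find /i "KB977165"` would also accept "KB9771650".
KB_RE = re.compile(r"\bKB\d+\b", re.IGNORECASE)


def installed_hotfixes(systeminfo_text: str) -> set[str]:
    """Every KB id mentioned in the dump, upper-cased for comparison."""
    return {m.group(0).upper() for m in KB_RE.finditer(systeminfo_text)}


def missing_hotfixes(systeminfo_text: str, required=REQUIRED_KBS) -> list[str]:
    """Required KBs absent from the dump, in the original list order.

    This mirrors the cmd loop: when `find` fails for a KB, the KB is echoed.
    """
    present = installed_hotfixes(systeminfo_text)
    return [kb for kb in required if kb.upper() not in present]


def report(systeminfo_text: str) -> str:
    """Human-readable summary, one line per missing hotfix."""
    missing = missing_hotfixes(systeminfo_text)
    if not missing:
        return "all listed hotfixes present"
    return "\n".join(f"{kb} missing" for kb in missing)


if __name__ == "__main__":
    # Save real output with `systeminfo > host.txt` and feed the file contents
    # to report(); the constructed sample is used here so the script runs offline.
    print(report(SAMPLE_SYSTEMINFO))
```

The one difference from the cmd version is deliberate: `find /i "KB977165"` is a substring match, so a longer id that merely starts with the same digits would make the patch look installed; the regex anchors on word boundaries so only an exact KB id counts. Either way, a missing KB only means the patch is absent, not that the host is exploitable; the build number and any superseding cumulative update still have to be checked.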
In the Windows cmd you can also run whoami, and then net user xxx to view the details of that user account.
Once an unpatched vulnerability has been found, the K8 tools can be used for privilege escalation; reference links:
Tool usage guide: https://www.cnblogs.com/k8gege/p/10474326.html
Tool download: https://github.com/k8gege/K8tools
K8Cscan 3.8 host-scanning usage:
With live-host detection (usable on both the target's internal and external networks):
cscan (run directly)
cscan 192.168.1.108 (single IP)
cscan 192.168.1.108/24 (class C range)
cscan 192.168.1.108/16 (class B range)
cscan 192.168.1.108/8 (class A range)
cscan 192.168.1.0 192.168.5.0 (range of class C networks)
Without live-host detection (use when going through a proxy or when ICMP is blocked):
cscan nocheck (run directly)
cscan nocheck 192.168.1.108 (single IP)
cscan nocheck 192.168.1.108/24 (class C range)
cscan nocheck 192.168.1.108/16 (class B range)
cscan nocheck 192.168.1.108/8 (class A range)
cscan nocheck 192.168.1.0 192.168.5.0 (range of class C networks)
Port scan:
43 ports by default
python K8PortScan.py -ip 192.11.22.29
3. Linux privilege-escalation exploits
https://github.com/SecWiki/linux-kernel-exploits