首页
社区
课程
招聘
[翻译]渗透测试备忘单
发表于: 2022-10-17 17:31 17993

[翻译]渗透测试备忘单

2022-10-17 17:31
17993

原文链接
作者:H21LAB
译者:阳春
翻译时间:2022/10/17
译者注:转载清注明作者、译者和出处

日常渗透测试可以显著改善公司的安全状况。在进行任何安全审计之前,审计员应该从目标网络或者目标系统所有者那里获得必要的权限和允许。

剑其铸时必盼其有所用,作者不承担其被错用的责任。本文成文时亦盼其有所用,但是对此不作任何保证。

``bash
uptime```

 
traceroute 8.8.8.8
traceroute 8.8.8.8
traceroute -I 8.8.8.8
traceroute -I 8.8.8.8
nmap -sS -sV -sC -v -p- -oA all-tcp-127.0.0.1 127.0.0.1
nmap -sS -sV -sC -v -p- -oA all-tcp-127.0.0.1 127.0.0.1
nmap -sS -sV -A -v -p- -oA all-tcp-127.0.0.1 127.0.0.1
nmap -sS -sV -A -v -p- -oA all-tcp-127.0.0.1 127.0.0.1
nmap -Pn -sn -R -oA dns-10.1.0.0_16 10.1.0.0/16
nmap -Pn -sn -R -oA dns-10.1.0.0_16 10.1.0.0/16
nmap --script-updatedb
nmap --script-updatedb
ls -la /usr/share/nmap/scripts/
ls -la /usr/share/nmap/scripts/
nmap -vvv --script http-brute --script-args userdb-users.txt,passdb-pass.txt -p <port> <host>
nmap -vvv --script http-brute --script-args userdb-users.txt,passdb-pass.txt -p <port> <host>
nmap --script vmauthd-brute -p <port> <host>
nmap --script vmauthd-brute -p <port> <host>
nmap --script ftp-brute -p <port> <host>
nmap --script ftp-brute -p <port> <host>
nmap --script-help-ssl-heartbleed
nmap --script-help-ssl-heartbleed
nmap -sV –script=ssl-heartbleed.nse -p <port> <host>
nmap -sV –script=ssl-heartbleed.nse -p <port> <host>
nmap -sV --script=smb* -p <port> <host>
nmap -sV --script=smb* -p <port> <host>
mkdir /usr/share/nmap/scripts/vulscan
cd /usr/share/nmap/scripts/vulscan
git clone https://github.com/scipag/vulscan.git
nmap -sV --script=vulscan/vulscan.nse 127.0.0.1
mkdir /usr/share/nmap/scripts/vulscan
cd /usr/share/nmap/scripts/vulscan
git clone https://github.com/scipag/vulscan.git
nmap -sV --script=vulscan/vulscan.nse 127.0.0.1
ncrack -vv --user root <host>:<port>
ncrack -vv --user root <host>:<port>
ncrack -vv -U username.txt -P password.txt <host>:3389
ncrack -vv -U username.txt -P password.txt <host>:3389
ncrack -vv --user root <host>:22
ncrack -vv --user root <host>:22
fcrackzip -b -l 1-4 -u  ./archive.zip
fcrackzip -b -l 1-4 -u  ./archive.zip
hydra -L <user-list.txt> -P <password-list.txt> ssh://<host>
hydra -L <user-list.txt> -P <password-list.txt> ssh://<host>
hydra -V -l admin -P passwords.txt -t 36 -f -s 80 192.168.1.1 http-get /
hydra -V -l admin -P passwords.txt -t 36 -f -s 80 192.168.1.1 http-get /
hydra -V -l admin -P passwords.txt -t 36 -f -s 80 http-get://192.168.1.1:8080
hydra -V -l admin -P passwords.txt -t 36 -f -s 80 http-get://192.168.1.1:8080
hydra -V -l admin -P passwords.txt -e ns -f -s 21 192.168.1.1 ftp
hydra -V -l admin -P passwords.txt -e ns -f -s 21 192.168.1.1 ftp
hydra -t 1 -V -f -l username -P password.lst rdp://192.168.1.1
hydra -t 1 -V -f -l username -P password.lst rdp://192.168.1.1
skipfish -o out_dir https://www.host.com
skipfish -o out_dir https://www.host.com
skipfish -o out_dir -I urls_to_scan -X urls_not_to_scan -C cookie1=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX -C cookie2=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX  https://www.host.com
skipfish -o out_dir -I urls_to_scan -X urls_not_to_scan -C cookie1=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX -C cookie2=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX  https://www.host.com
wfuzz -c -z file,Directories_Common.wordlist --hc 404 http://<host>/FUZZ.php
wfuzz -c -z file,Directories_Common.wordlist --hc 404 http://<host>/FUZZ.php
wfuzz -c -z file,users.txt -z file,pass.txt --hc 404 http://<host>/index.php?user=FUZZ&pass=FUZ2Z
wfuzz -c -z file,users.txt -z file,pass.txt --hc 404 http://<host>/index.php?user=FUZZ&pass=FUZ2Z
sqlmap -u "http://host.com/vulnerable.php?param=12345"
sqlmap -u "http://host.com/vulnerable.php?param=12345" --dbms "Microsoft SQL Server" --sql-query="select name,master.sys.fn_sqlvarbasetostr(password_hash) from master.sys.sql_logins
sqlmap -u "http://host.com/vulnerable.php?param=12345" --dbms "Microsoft SQL Server" --dbs
sqlmap -u "http://host.com/vulnerable.php?param=12345" --dbms "Microsoft SQL Server" --dump -D database -T table
sqlmap -u "http://host.com/vulnerable.php?param=12345" --cookie "cookie1=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
sqlmap -r POST.txt -p field
sqlmap -u "http://host.com/vulnerable.php?param=12345"
sqlmap -u "http://host.com/vulnerable.php?param=12345" --dbms "Microsoft SQL Server" --sql-query="select name,master.sys.fn_sqlvarbasetostr(password_hash) from master.sys.sql_logins
sqlmap -u "http://host.com/vulnerable.php?param=12345" --dbms "Microsoft SQL Server" --dbs
sqlmap -u "http://host.com/vulnerable.php?param=12345" --dbms "Microsoft SQL Server" --dump -D database -T table
sqlmap -u "http://host.com/vulnerable.php?param=12345" --cookie "cookie1=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
sqlmap -r POST.txt -p field
mysql -u <username> -p --port <port> -h <host>
mysqldump -h <host> -u <username> -p -f --port <port> --events --routines --triggers --all-databases > MySQLData.sql
mysql -u <username> -p --port <port> -h <host>
mysqldump -h <host> -u <username> -p -f --port <port> --events --routines --triggers --all-databases > MySQLData.sql
sqlplus "username/password@(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=hostname)(PORT=port))(CONNECT_DATA=(SERVER=dedicated)(SERVICE_NAME=servicename)))"
sqlplus "username/password@(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=hostname)(PORT=port))(CONNECT_DATA=(SERVER=dedicated)(SERVICE_NAME=servicename)))"
# 改善sqlplus命令行输出
SET PAGESIZE 50000;
 
# 列举表空间
SELECT TABLESPACE_NAME FROM USER_TABLESPACES;
 
# 列举所有表
SELECT owner, table_name FROM dba_tables;
 
# 查找具有给定列名的表
SELECT owner, table_name, column_name FROM all_tab_columns WHERE UPPER(column_name) = UPPER('PASSWORD');
SELECT owner, table_name, column_name FROM all_tab_columns WHERE UPPER(column_name) LIKE '%PASS%';
 
# 给定列名查找表并计算行数
SET SERVEROUTPUT ON
DECLARE
val NUMBER;
BEGIN
FOR I IN (SELECT DISTINCT owner, table_name FROM all_tab_columns WHERE UPPER(column_name) LIKE '%PASS%') LOOP
EXECUTE IMMEDIATE 'SELECT count(*) FROM ' || i.owner || '.' || i.table_name INTO val;
DBMS_OUTPUT.PUT_LINE(i.owner || '.' || i.table_name || ' ==> ' || val );
END LOOP;
END;
/
 
# 查找数据库中所有NVARCHAR2类型的列
SET SERVEROUTPUT ON SIZE 100000
 
DECLARE
match_count INTEGER;
BEGIN
FOR t IN (SELECT owner, table_name, column_name
          FROM all_tab_columns
          WHERE owner <> 'SYS' and data_type LIKE 'NVARCHAR2') LOOP
 
EXECUTE IMMEDIATE
  'SELECT COUNT(*) FROM ' || t.owner || '.' || t.table_name ||
  ' WHERE '||t.column_name||' = :1'
  INTO match_count
  USING 'SEARCH_TEXT';
 
IF match_count > 0 THEN
  dbms_output.put_line( t.table_name ||' '||t.column_name||' '||match_count );
END IF;
 
END LOOP;
 
END;
/
# 改善sqlplus命令行输出
SET PAGESIZE 50000;
 
# 列举表空间
SELECT TABLESPACE_NAME FROM USER_TABLESPACES;
 
# 列举所有表
SELECT owner, table_name FROM dba_tables;
 
# 查找具有给定列名的表
SELECT owner, table_name, column_name FROM all_tab_columns WHERE UPPER(column_name) = UPPER('PASSWORD');
SELECT owner, table_name, column_name FROM all_tab_columns WHERE UPPER(column_name) LIKE '%PASS%';
 
# 给定列名查找表并计算行数
SET SERVEROUTPUT ON
DECLARE
val NUMBER;
BEGIN
FOR I IN (SELECT DISTINCT owner, table_name FROM all_tab_columns WHERE UPPER(column_name) LIKE '%PASS%') LOOP
EXECUTE IMMEDIATE 'SELECT count(*) FROM ' || i.owner || '.' || i.table_name INTO val;
DBMS_OUTPUT.PUT_LINE(i.owner || '.' || i.table_name || ' ==> ' || val );
END LOOP;
END;
/
 
# 查找数据库中所有NVARCHAR2类型的列
SET SERVEROUTPUT ON SIZE 100000
 
DECLARE
match_count INTEGER;
BEGIN
FOR t IN (SELECT owner, table_name, column_name
          FROM all_tab_columns
          WHERE owner <> 'SYS' and data_type LIKE 'NVARCHAR2') LOOP
 
EXECUTE IMMEDIATE
  'SELECT COUNT(*) FROM ' || t.owner || '.' || t.table_name ||
  ' WHERE '||t.column_name||' = :1'
  INTO match_count
  USING 'SEARCH_TEXT';
 
IF match_count > 0 THEN
  dbms_output.put_line( t.table_name ||' '||t.column_name||' '||match_count );
END IF;
 
END LOOP;
 
END;
/
psql -h 127.0.0.1 db_name username
psql -h 127.0.0.1 db_name username
snmpwalk -mALL -v1 -cpublic <host>
snmpwalk -mALL -v1 -cprivate <host>
snmpget -mALL -v1 -cpublic <host> sysName.0
snmpwalk -mALL -v1 -cpublic <host>
snmpwalk -mALL -v1 -cprivate <host>
snmpget -mALL -v1 -cpublic <host> sysName.0
snmpwalk -v2c -cprivate <host>:<port>
snmpget -v2c -cprivate -mALL <host> sysName.0 sysObjectID.0 ilomCtrlDateAndTime.0
snmpset -mALL -v2c -cprivate <host> ilomCtrlHttpEnabled.0 i 1
SUN-ILOM-CONTROL-MIB::ilomCtrlHttpEnabled.0 = INTEGER: true(1)
snmpwalk -v2c -cprivate <host>:<port>
snmpget -v2c -cprivate -mALL <host> sysName.0 sysObjectID.0 ilomCtrlDateAndTime.0
snmpset -mALL -v2c -cprivate <host> ilomCtrlHttpEnabled.0 i 1
SUN-ILOM-CONTROL-MIB::ilomCtrlHttpEnabled.0 = INTEGER: true(1)
snmpwalk -v3  -l authPriv -u snmpadmin -a MD5 -A PaSSword  -x DES -X PRIvPassWord <host>:<port> system
snmpwalk -v3  -l authPriv -u snmpadmin -a MD5 -A PaSSword  -x DES -X PRIvPassWord <host>:<port> system
ldapsearch -x -b "dc=company,dc=com" -s base -h <host>
LDAPTLS_REQCERT=never ldapsearch -x -D "uid=Name.Surname,OU=People,DC=Company,DC=com" -W -H ldaps://<host> -b "uid=Name.Surname,OU=People,DC=Company,DC=com" -s sub
ldapsearch -x -p 389 -h "127.0.0.1" -b "ou=people,dc=company,dc=com" -s sub "objectClass=*"
ldapsearch -x -p 1389 -h "127.0.0.1" -b "dc=company,dc=com" -s one "objectClass=*"
 
ldapmodify -a -h "127.0.0.1" -p 389 -D "cn=Directory Manager" -w 'password' -f modify.ldif
dn: ou=people,dc=company,dc=com
objectClass: top
objectClass: organizationalunit
ou: people
...
 
ldap delete -x -D "cn=Directory Manager" -w 'password' -p 1389 -h "127.0.0.1" "uid=identifier,ou=people,dc=company,dc=com"
ldapsearch -x -b "dc=company,dc=com" -s base -h <host>
LDAPTLS_REQCERT=never ldapsearch -x -D "uid=Name.Surname,OU=People,DC=Company,DC=com" -W -H ldaps://<host> -b "uid=Name.Surname,OU=People,DC=Company,DC=com" -s sub
ldapsearch -x -p 389 -h "127.0.0.1" -b "ou=people,dc=company,dc=com" -s sub "objectClass=*"
ldapsearch -x -p 1389 -h "127.0.0.1" -b "dc=company,dc=com" -s one "objectClass=*"
 
ldapmodify -a -h "127.0.0.1" -p 389 -D "cn=Directory Manager" -w 'password' -f modify.ldif
dn: ou=people,dc=company,dc=com
objectClass: top
objectClass: organizationalunit
ou: people
...
 
ldap delete -x -D "cn=Directory Manager" -w 'password' -p 1389 -h "127.0.0.1" "uid=identifier,ou=people,dc=company,dc=com"
redis-cli dbsize
redis-cli dbsize
redis-cli -n 0 keys "*"
redis-cli -n 0 keys "*"
showmount -e 127.0.0.1
mount -o ro 127.0.0.1:/ /mnt/nfs
showmount -e 127.0.0.1
mount -o ro 127.0.0.1:/ /mnt/nfs
svmap -p5060,5061,5080-5090 10.0.0.1
svmap -p5060,5061,5080-5090 10.0.0.1
svcrack -u100 -d dictionary.txt 10.0.0.1
svcrack -u100 -d dictionary.txt 10.0.0.1
smbclient -L <host> -N
smbclient //<host>/<dir> -N
smbclient -L <host> -N
smbclient //<host>/<dir> -N
sshfs user@<host>:/remote/path /mnt/tmp -C -p 22
sshfs user@<host>:/remote/path /mnt/tmp -C -p 22
fusermount -u /mnt/tmp
fusermount -u /mnt/tmp
redir --laddr=<listen_address> --lport=<listen_port> --caddr=<connect_address> --cport=<connect_port>
redir --laddr=<listen_address> --lport=<listen_port> --caddr=<connect_address> --cport=<connect_port>
curl --data "param1=value1&param2=value2" https://host.com/index.php
curl --data "param1=value1&param2=value2" https://host.com/index.php
#!/bin/sh
 
HOST=host.com
PORT=8888
 
nc $HOST $PORT << __EOF__
POST /services/ HTTP/1.1
Host: host.com:8888
Content-Type: text/xml;charset=UTF-8
SOAPAction: ""
 
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:web="http://host.com/">
   <soapenv:Header/>
   <soapenv:Body>
      <web:soapRequest>
      </web:soapRequest>
   </soapenv:Body>
</soapenv:Envelope>
__EOF__
#!/bin/sh
 
HOST=host.com
PORT=8888
 
nc $HOST $PORT << __EOF__
POST /services/ HTTP/1.1
Host: host.com:8888
Content-Type: text/xml;charset=UTF-8
SOAPAction: ""
 
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:web="http://host.com/">
   <soapenv:Header/>
   <soapenv:Body>
      <web:soapRequest>
      </web:soapRequest>
   </soapenv:Body>
</soapenv:Envelope>
__EOF__
$ proxychains curl --header "Content-Type: text/xml;charset=UTF-8" --header "SOAPAction:" --data @data.xml http://127.0.0.1:8888/
 
$ cat data.xml
<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:web="http://host.com/">
   <soapenv:Header/>
   <soapenv:Body>
      <web:soapRequest>
      </web:soapRequest>
   </soapenv:Body>
</soapenv:Envelope>
$ proxychains curl --header "Content-Type: text/xml;charset=UTF-8" --header "SOAPAction:" --data @data.xml http://127.0.0.1:8888/
 
$ cat data.xml
<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:web="http://host.com/">
   <soapenv:Header/>
   <soapenv:Body>
      <web:soapRequest>
      </web:soapRequest>
   </soapenv:Body>
</soapenv:Envelope>
sudo nping -c 1 --data hexstring --udp -p dest_port -S source_ip -g source_port dest_ip
sudo nping -c 1 --data hexstring --udp -p dest_port -S source_ip -g source_port dest_ip
cat test.txt | sort | uniq -c | sort -n
cat test.txt | sort | uniq -c | sort -n
ssh root@192.168.1.1 "sudo tcpdump -U -s0 -i lo -w - 'not port 22'" | wireshark -k -i -
wireshark -k -i <(ssh root@192.168.1.1 tcpdump -U -s0 -i any -w - not port 22)
ssh root@192.168.1.1 "sudo tcpdump -U -s0 -i lo -w - 'not port 22'" | wireshark -k -i -
wireshark -k -i <(ssh root@192.168.1.1 tcpdump -U -s0 -i any -w - not port 22)
xxd -r -p test.hex | od -Ax -tx1 | text2pcap - test.pcap
xxd -r -p test.hex | od -Ax -tx1 | text2pcap - test.pcap
grep -Po '"field" : .*?[^\\]",' test.json
grep -Po '"field" : .*?[^\\]",' test.json
tshark -r input.pcap -Y "ip.src == 10.1.1.1" -w output.pcap -F pcap
tshark -r input.pcap -Y "ip.src == 10.1.1.1" -w output.pcap -F pcap
john --session=session_name --format=opencl ~/hash.txt
john --session=session_name --format=opencl ~/hash.txt
john --list=formats --format=opencl
john --list=formats --format=opencl
john --restore=session_name
john --restore=session_name
john ~/hash.txt --show
john ~/hash.txt --show
john --fork=16 --session=session_dynamic --format=dynamic_xxxx hash.txt
john --fork=16 --session=session_dynamic --format=dynamic_xxxx hash.txt
script <filename>
script <filename>
ssh username@hostname
ssh username@hostname
echo $0
echo $0
whoami
whoami
uname -a
uname -a
export
export
ps -ef
ps auxf
ps auxfww
ps -ef
ps auxf
ps auxfww
find . -name "*.java" -type f -exec fgrep -iHn "textToFind" {} \;
find . -regex ".*\.\(c\|java\)" -type f -exec fgrep -iHn "textToFind" {} \;
find / -maxdepth 4 -name *.conf -type f -exec grep -Hn "textToFind" {} \; 2>/dev/null
find . -name "*.java" -type f -exec fgrep -iHn "textToFind" {} \;
find . -regex ".*\.\(c\|java\)" -type f -exec fgrep -iHn "textToFind" {} \;
find / -maxdepth 4 -name *.conf -type f -exec grep -Hn "textToFind" {} \; 2>/dev/null
find / -uid 0 -perm -4000 -type f 2>/dev/null
find / -uid 0 -perm -4000 -type f 2>/dev/null
find / -uid 0 -perm -u=s,o=r -type f -exec ls -la {} \; 2> /dev/null
find / -uid 0 -perm -u=s,o=r -type f -exec ls -la {} \; 2> /dev/null
find / -perm -4000 -type f 2>/dev/null
find / -perm -4000 -type f 2>/dev/null
find / -perm -2 -type d 2>/dev/null
find / -perm -2 -type d 2>/dev/null
find . ! -path "*/proc/*" -type f -name "*" -exec fgrep -iHn password {} \;
find . -type f \( -iname \*.conf -o -iname \*.cfg -o -iname \*.xml -o -iname \*.ini -o -iname \*.json -o -iname \*.sh -o -iname \*.pl -o -iname \*.py \) -exec fgrep -iHn password {} \; 2> /dev/null
find . ! -path "*/proc/*" -type f -name "*" -exec fgrep -iHn password {} \;
find . -type f \( -iname \*.conf -o -iname \*.cfg -o -iname \*.xml -o -iname \*.ini -o -iname \*.json -o -iname \*.sh -o -iname \*.pl -o -iname \*.py \) -exec fgrep -iHn password {} \; 2> /dev/null
find . -type f -exec grep -iHFf patterns.txt {} \;
find . -type f -exec grep -iHFf patterns.txt {} \;
find . -type f -size -512k -exec fgrep -iHn password {} \;
find . -type f -size -512k -exec fgrep -iHn password {} \;
find . -name "*.jar" -type f -exec ~/jd-cli/jd-cli -oc -l -n -st {} \; | egrep -i -e "Location:" -e "password" | uniq
find . -name "*.jar" -type f -exec ~/jd-cli/jd-cli -oc -l -n -st {} \; | egrep -i -e "Location:" -e "password" | uniq
netstat -anp
netstat -anp
cat /etc/hosts
cat /etc/hosts
ifconfig -a
ifconfig -a
route -v
route -v

[注意]APP应用上架合规检测服务,协助应用顺利上架!

最后于 2022-10-17 17:32 被阳春编辑 ,原因: typo
收藏
免费 2
支持
分享
最新回复 (1)
雪    币: 303
能力值: ( LV1,RANK:0 )
在线值:
发帖
回帖
粉丝
2
学习了
2022-11-30 16:31
0
游客
登录 | 注册 方可回帖
返回
//