[翻译]渗透测试备忘单-外文翻译-看雪-安全社区|安全招聘|kanxue.com

[翻译]渗透测试备忘单

发表于: 2022-10-17 17:31 17101

[翻译]渗透测试备忘单

阳春

2022-10-17 17:31

17101

原文链接
作者：H21LAB
译者：阳春
翻译时间：2022/10/17
译者注：转载清注明作者、译者和出处

日常渗透测试可以显著改善公司的安全状况。在进行任何安全审计之前，审计员应该从目标网络或者目标系统所有者那里获得必要的权限和允许。

剑其铸时必盼其有所用，作者不承担其被错用的责任。本文成文时亦盼其有所用，但是对此不作任何保证。

``bash
uptime```

traceroute 8.8.8.8

traceroute -I 8.8.8.8

nmap -sS -sV -sC -v -p- -oA all-tcp-127.0.0.1 127.0.0.1

nmap -sS -sV -A -v -p- -oA all-tcp-127.0.0.1 127.0.0.1

nmap -Pn -sn -R -oA dns-10.1.0.0_16 10.1.0.0/16

nmap --script-updatedb

ls -la /usr/share/nmap/scripts/

nmap -vvv --script http-brute --script-args userdb-users.txt,passdb-pass.txt -p <port> <host>

nmap --script vmauthd-brute -p <port> <host>

nmap --script ftp-brute -p <port> <host>

nmap --script-help-ssl-heartbleed

nmap -sV –script=ssl-heartbleed.nse -p <port> <host>

nmap -sV --script=smb* -p <port> <host>

mkdir /usr/share/nmap/scripts/vulscan

cd /usr/share/nmap/scripts/vulscan

git clone https://github.com/scipag/vulscan.git

nmap -sV --script=vulscan/vulscan.nse 127.0.0.1

mkdir /usr/share/nmap/scripts/vulscan

cd /usr/share/nmap/scripts/vulscan

git clone https://github.com/scipag/vulscan.git

nmap -sV --script=vulscan/vulscan.nse 127.0.0.1

ncrack -vv --user root <host>:<port>

ncrack -vv -U username.txt -P password.txt <host>:3389

ncrack -vv --user root <host>:22

fcrackzip -b -l 1-4 -u ./archive.zip

hydra -L <user-list.txt> -P <password-list.txt> ssh://<host>

hydra -V -l admin -P passwords.txt -t 36 -f -s 80 192.168.1.1 http-get /

hydra -V -l admin -P passwords.txt -t 36 -f -s 80 http-get://192.168.1.1:8080

hydra -V -l admin -P passwords.txt -e ns -f -s 21 192.168.1.1 ftp

hydra -t 1 -V -f -l username -P password.lst rdp://192.168.1.1

skipfish -o out_dir https://www.host.com

skipfish -o out_dir -I urls_to_scan -X urls_not_to_scan -C cookie1=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX -C cookie2=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX https://www.host.com

wfuzz -c -z file,Directories_Common.wordlist --hc 404 http://<host>/FUZZ.php

wfuzz -c -z file,users.txt -z file,pass.txt --hc 404 http://<host>/index.php?user=FUZZ&pass=FUZ2Z

sqlmap -u "http://host.com/vulnerable.php?param=12345"

sqlmap -u "http://host.com/vulnerable.php?param=12345" --dbms "Microsoft SQL Server" --sql-query="select name,master.sys.fn_sqlvarbasetostr(password_hash) from master.sys.sql_logins

sqlmap -u "http://host.com/vulnerable.php?param=12345" --dbms "Microsoft SQL Server" --dbs

sqlmap -u "http://host.com/vulnerable.php?param=12345" --dbms "Microsoft SQL Server" --dump -D database -T table

sqlmap -u "http://host.com/vulnerable.php?param=12345" --cookie "cookie1=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"

sqlmap -r POST.txt -p field

sqlmap -u "http://host.com/vulnerable.php?param=12345"

sqlmap -u "http://host.com/vulnerable.php?param=12345" --dbms "Microsoft SQL Server" --sql-query="select name,master.sys.fn_sqlvarbasetostr(password_hash) from master.sys.sql_logins

sqlmap -u "http://host.com/vulnerable.php?param=12345" --dbms "Microsoft SQL Server" --dbs

sqlmap -u "http://host.com/vulnerable.php?param=12345" --dbms "Microsoft SQL Server" --dump -D database -T table

sqlmap -u "http://host.com/vulnerable.php?param=12345" --cookie "cookie1=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"

sqlmap -r POST.txt -p field

mysql -u <username> -p --port <port> -h <host>

mysqldump -h <host> -u <username> -p -f --port <port> --events --routines --triggers --all-databases > MySQLData.sql

mysql -u <username> -p --port <port> -h <host>

mysqldump -h <host> -u <username> -p -f --port <port> --events --routines --triggers --all-databases > MySQLData.sql

sqlplus

"username/password@(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=hostname)(PORT=port))(CONNECT_DATA=(SERVER=dedicated)(SERVICE_NAME=servicename)))"

sqlplus

"username/password@(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=hostname)(PORT=port))(CONNECT_DATA=(SERVER=dedicated)(SERVICE_NAME=servicename)))"

# 改善sqlplus命令行输出

SET PAGESIZE 50000;
 
# 列举表空间
SELECT TABLESPACE_NAME FROM USER_TABLESPACES;
 
# 列举所有表
SELECT owner, table_name FROM dba_tables;
 
# 查找具有给定列名的表

SELECT owner, table_name, column_name FROM all_tab_columns WHERE UPPER(column_name) = UPPER('PASSWORD');

SELECT owner, table_name, column_name FROM all_tab_columns WHERE UPPER(column_name) LIKE '%PASS%';
 
# 给定列名查找表并计算行数

SET SERVEROUTPUT ON
DECLARE
val NUMBER;
BEGIN

FOR I IN (SELECT DISTINCT owner, table_name FROM all_tab_columns WHERE UPPER(column_name) LIKE '%PASS%') LOOP

EXECUTE IMMEDIATE 'SELECT count(*) FROM ' || i.owner || '.' || i.table_name INTO val;

DBMS_OUTPUT.PUT_LINE(i.owner || '.' || i.table_name || ' ==> ' || val );
END LOOP;
END;
/
 
# 查找数据库中所有NVARCHAR2类型的列

SET SERVEROUTPUT ON SIZE 100000
 
DECLARE
match_count INTEGER;
BEGIN
FOR t IN (SELECT owner, table_name, column_name

          FROM all_tab_columns

          WHERE owner <> 'SYS' and data_type LIKE 'NVARCHAR2') LOOP
 
EXECUTE IMMEDIATE

  'SELECT COUNT(*) FROM ' || t.owner || '.' || t.table_name ||

  ' WHERE '||t.column_name||' = :1'

  INTO match_count

  USING 'SEARCH_TEXT';
 

IF match_count > 0 THEN

  dbms_output.put_line( t.table_name ||' '||t.column_name||' '||match_count );
END IF;
 
END LOOP;
 
END;
/

# 改善sqlplus命令行输出

SET PAGESIZE 50000;

# 列举表空间

SELECT TABLESPACE_NAME FROM USER_TABLESPACES;

# 列举所有表

SELECT owner, table_name FROM dba_tables;

# 查找具有给定列名的表

SELECT owner, table_name, column_name FROM all_tab_columns WHERE UPPER(column_name) = UPPER('PASSWORD');

SELECT owner, table_name, column_name FROM all_tab_columns WHERE UPPER(column_name) LIKE '%PASS%';

# 给定列名查找表并计算行数

SET SERVEROUTPUT ON

DECLARE

val NUMBER;

BEGIN

FOR I IN (SELECT DISTINCT owner, table_name FROM all_tab_columns WHERE UPPER(column_name) LIKE '%PASS%') LOOP

EXECUTE IMMEDIATE 'SELECT count(*) FROM ' || i.owner || '.' || i.table_name INTO val;

DBMS_OUTPUT.PUT_LINE(i.owner || '.' || i.table_name || ' ==> ' || val );

END LOOP;

END;

/

# 查找数据库中所有NVARCHAR2类型的列

SET SERVEROUTPUT ON SIZE 100000

DECLARE

match_count INTEGER;

BEGIN

FOR t IN (SELECT owner, table_name, column_name

FROM all_tab_columns

WHERE owner <> 'SYS' and data_type LIKE 'NVARCHAR2') LOOP

EXECUTE IMMEDIATE

'SELECT COUNT(*) FROM ' || t.owner || '.' || t.table_name ||

' WHERE '||t.column_name||' = :1'

INTO match_count

USING 'SEARCH_TEXT';

IF match_count > 0 THEN

dbms_output.put_line( t.table_name ||' '||t.column_name||' '||match_count );

END IF;

END LOOP;

END;

/

psql -h 127.0.0.1 db_name username

snmpwalk -mALL -v1 -cpublic <host>

snmpwalk -mALL -v1 -cprivate <host>

snmpget -mALL -v1 -cpublic <host> sysName.0

snmpwalk -mALL -v1 -cpublic <host>

snmpwalk -mALL -v1 -cprivate <host>

snmpget -mALL -v1 -cpublic <host> sysName.0

snmpwalk -v2c -cprivate <host>:<port>

snmpget -v2c -cprivate -mALL <host> sysName.0 sysObjectID.0 ilomCtrlDateAndTime.0

snmpset -mALL -v2c -cprivate <host> ilomCtrlHttpEnabled.0 i 1

SUN-ILOM-CONTROL-MIB::ilomCtrlHttpEnabled.0 = INTEGER: true(1)

snmpwalk -v2c -cprivate <host>:<port>

snmpget -v2c -cprivate -mALL <host> sysName.0 sysObjectID.0 ilomCtrlDateAndTime.0

snmpset -mALL -v2c -cprivate <host> ilomCtrlHttpEnabled.0 i 1

SUN-ILOM-CONTROL-MIB::ilomCtrlHttpEnabled.0 = INTEGER: true(1)

snmpwalk -v3 -l authPriv -u snmpadmin -a MD5 -A PaSSword -x DES -X PRIvPassWord <host>:<port> system

ldapsearch -x -b "dc=company,dc=com" -s base -h <host>

LDAPTLS_REQCERT=never ldapsearch -x -D "uid=Name.Surname,OU=People,DC=Company,DC=com" -W -H ldaps://<host> -b "uid=Name.Surname,OU=People,DC=Company,DC=com" -s sub

ldapsearch -x -p 389 -h "127.0.0.1" -b "ou=people,dc=company,dc=com" -s sub "objectClass=*"

ldapsearch -x -p 1389 -h "127.0.0.1" -b "dc=company,dc=com" -s one "objectClass=*"
 
ldapmodify -a -h "127.0.0.1" -p 389 -D "cn=Directory Manager" -w 'password' -f modify.ldif

dn: ou=people,dc=company,dc=com
objectClass: top
objectClass: organizationalunit
ou: people
...
 
ldap delete -x -D "cn=Directory Manager" -w 'password' -p 1389 -h "127.0.0.1" "uid=identifier,ou=people,dc=company,dc=com"

ldapsearch -x -b "dc=company,dc=com" -s base -h <host>

LDAPTLS_REQCERT=never ldapsearch -x -D "uid=Name.Surname,OU=People,DC=Company,DC=com" -W -H ldaps://<host> -b "uid=Name.Surname,OU=People,DC=Company,DC=com" -s sub

ldapsearch -x -p 389 -h "127.0.0.1" -b "ou=people,dc=company,dc=com" -s sub "objectClass=*"

ldapsearch -x -p 1389 -h "127.0.0.1" -b "dc=company,dc=com" -s one "objectClass=*"

ldapmodify -a -h "127.0.0.1" -p 389 -D "cn=Directory Manager" -w 'password' -f modify.ldif

dn: ou=people,dc=company,dc=com

objectClass: top

objectClass: organizationalunit

ou: people

...

ldap delete -x -D "cn=Directory Manager" -w 'password' -p 1389 -h "127.0.0.1" "uid=identifier,ou=people,dc=company,dc=com"

redis-cli dbsize

redis-cli -n 0 keys "*"

showmount -e 127.0.0.1

mount -o ro 127.0.0.1:/ /mnt/nfs

showmount -e 127.0.0.1

mount -o ro 127.0.0.1:/ /mnt/nfs

svmap -p5060,5061,5080-5090 10.0.0.1

svcrack -u100 -d dictionary.txt 10.0.0.1

smbclient -L <host> -N

smbclient //<host>/<dir> -N

smbclient -L <host> -N

smbclient //<host>/<dir> -N

sshfs user@<host>:/remote/path /mnt/tmp -C -p 22

fusermount -u /mnt/tmp

redir --laddr=<listen_address> --lport=<listen_port> --caddr=<connect_address> --cport=<connect_port>

curl --data "param1=value1&param2=value2" https://host.com/index.php

#!/bin/sh
 
HOST=host.com

PORT=8888
 
nc $HOST $PORT << __EOF__

POST /services/ HTTP/1.1

Host: host.com:8888

Content-Type: text/xml;charset=UTF-8
SOAPAction: ""
 
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:web="http://host.com/">

   <soapenv:Header/>

   <soapenv:Body>

      <web:soapRequest>

      </web:soapRequest>

   </soapenv:Body>

</soapenv:Envelope>
__EOF__

#!/bin/sh

HOST=host.com

PORT=8888

nc $HOST $PORT << __EOF__

POST /services/ HTTP/1.1

Host: host.com:8888

Content-Type: text/xml;charset=UTF-8

SOAPAction: ""

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:web="http://host.com/">

<soapenv:Header/>

<soapenv:Body>

<web:soapRequest>

</web:soapRequest>

</soapenv:Body>

</soapenv:Envelope>

__EOF__

$ proxychains curl --header "Content-Type: text/xml;charset=UTF-8" --header "SOAPAction:" --data @data.xml http://127.0.0.1:8888/
 
$ cat data.xml 

<?xml version="1.0" encoding="UTF-8"?>

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:web="http://host.com/">

   <soapenv:Header/>

   <soapenv:Body>

      <web:soapRequest>

      </web:soapRequest>

   </soapenv:Body>

</soapenv:Envelope>

$ proxychains curl --header "Content-Type: text/xml;charset=UTF-8" --header "SOAPAction:" --data @data.xml http://127.0.0.1:8888/

$ cat data.xml

<?xml version="1.0" encoding="UTF-8"?>

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:web="http://host.com/">

<soapenv:Header/>

<soapenv:Body>

<web:soapRequest>

</web:soapRequest>

</soapenv:Body>

</soapenv:Envelope>

sudo nping -c 1 --data hexstring --udp -p dest_port -S source_ip -g source_port dest_ip

cat test.txt | sort | uniq -c | sort -n

ssh root@192.168.1.1 "sudo tcpdump -U -s0 -i lo -w - 'not port 22'" | wireshark -k -i -

wireshark -k -i <(ssh root@192.168.1.1 tcpdump -U -s0 -i any -w - not port 22)

ssh root@192.168.1.1 "sudo tcpdump -U -s0 -i lo -w - 'not port 22'" | wireshark -k -i -

wireshark -k -i <(ssh root@192.168.1.1 tcpdump -U -s0 -i any -w - not port 22)

xxd -r -p test.hex | od -Ax -tx1 | text2pcap - test.pcap

grep -Po '"field" : .*?[^\\]",' test.json

tshark -r input.pcap -Y "ip.src == 10.1.1.1" -w output.pcap -F pcap

john --session=session_name --format=opencl ~/hash.txt

john --list=formats --format=opencl

john --restore=session_name

john ~/hash.txt --show

john --fork=16 --session=session_dynamic --format=dynamic_xxxx hash.txt

script <filename>

ssh username@hostname

echo $0

whoami

uname -a

export

ps -ef
ps auxf
ps auxfww

ps -ef

ps auxf

ps auxfww

find . -name "*.java" -type f -exec fgrep -iHn "textToFind" {} \;

find . -regex ".*\.\(c\|java\)" -type f -exec fgrep -iHn "textToFind" {} \;

find / -maxdepth 4 -name *.conf -type f -exec grep -Hn "textToFind" {} \; 2>/dev/null

find . -name "*.java" -type f -exec fgrep -iHn "textToFind" {} \;

find . -regex ".*\.$c\|java$" -type f -exec fgrep -iHn "textToFind" {} \;

find / -maxdepth 4 -name *.conf -type f -exec grep -Hn "textToFind" {} \; 2>/dev/null

find / -uid 0 -perm -4000 -type f 2>/dev/null

find / -uid 0 -perm -u=s,o=r -type f -exec ls -la {} \; 2> /dev/null

find / -perm -4000 -type f 2>/dev/null

find / -perm -2 -type d 2>/dev/null

find . ! -path "*/proc/*" -type f -name "*" -exec fgrep -iHn password {} \;

find . -type f $ -iname \*.conf -o -iname \*.cfg -o -iname \*.xml -o -iname \*.ini -o -iname \*.json -o -iname \*.sh -o -iname \*.pl -o -iname \*.py $ -exec fgrep -iHn password {} \; 2> /dev/null

find . ! -path "*/proc/*" -type f -name "*" -exec fgrep -iHn password {} \;

find . -type f -exec grep -iHFf patterns.txt {} \;

find . -type f -size -512k -exec fgrep -iHn password {} \;

find . -name "*.jar" -type f -exec ~/jd-cli/jd-cli -oc -l -n -st {} \; | egrep -i -e "Location:" -e "password" | uniq

netstat -anp

cat /etc/hosts

ifconfig -a

route -v

登录后可查看完整内容

[培训]内核驱动高级班，冲击BAT一流互联网大厂工作，每周日13:00-18:00直播授课

最后于 2022-10-17 17:32 被阳春编辑，原因： typo

收藏・6

免费・2

支持

最新回复 (1)
无相孤君雪币： 303 能力值： ( LV1，RANK：0 ) 在线值：发帖 0 回帖 30 粉丝 1 关注私信	无相孤君 2 楼学习了 2022-11-30 16:31 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

阳春

发帖

回帖

125

RANK

关注

私信

他的文章

[翻译]渗透测试备忘单 17102
[翻译]为编程和逆向搭建RISC-V开发环境 13811
[翻译]状态机的状态 10988
[原创]看雪CTF.TSRC 2018 团队赛第一题初世纪 writeup 2904
[原创]京东AI CTF大挑战Writeup 7124

关于我们

联系我们

企业服务

看雪公众号

最新回复 (1)
无相孤君雪币： 303 能力值： ( LV1，RANK：0 ) 在线值：发帖 0 回帖 30 粉丝 1 关注私信	无相孤君 2 楼学习了 2022-11-30 16:31 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复