iteye_16188的博客

原文地址：[url]http://www.fuzzysecurity.com/tutorials/16.html[/url]1. 信息收集[quote]systeminfo | findstr /B /C:"OS Name" /C:"OS Version"hostnameecho %username%net usersnet user usernameipcon...

参考：[url]https://community.rapid7.com/servlet/JiveServlet/downloadBody/2881-102-2-6389/Mitigating%20Service%20Account%20Credential%20Theft%20on%20Windows.pdf[/url][b]Kerberos[/b]KerbCrack([url]ht...

参考：1. [url]http://securityweekly.com/2014/09/26/derbycon-attacking-kerberos-talk-ill-be-checking-out-and-you-should-too/[/url]2. [url]https://files.sans.org/summit/hackfest2014/PDFs/Kicking%20the%...

[code="java"]rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";alert(‘foo’);[/code][img]http://dl2.iteye.com/upload/attachment/0104/3726/1b28aaec-ff50-3084-a61b-1b20ef72328e.png[/img]...

原文地址：http://adsecurity.org/?p=676Kerberos漏洞允许攻击者提权域用户成为管理员账户。攻击者可以使用这些权限来访问域中任何机器，包含DC。攻击者必须有一个域口令来进行这种攻击本文使用MS14-068成功攻击Server 2012 和 2012/R2但是未能成功攻击2008 R2 DC[color=blue][b]开始攻击[/b][/col...

参考：[url]https://github.com/secretsquirrel/the-backdoor-factory[/url]貌似很有趣，值得深入了解了解 :wink: [b]安装过程[/b][code="java"]1. easy_installwget "https://pypi.python.org/packages/source/e/ez_setup/ez_set...

项目地址：[url]https://github.com/lgandx/PCredz[/url]用来从pcap文件或者现在在线的接口中获得信用卡号,NTLM(DE-RPC, HTTP, SQL, LDAP等)，Kerberos(AS-REQ Pre-Auth etype 23),HTTP Basic，SNMP，FTP，IMAP等。[b]特点：[/b]1. 可以从pcap文件或在线接...

项目地址：[url]https://github.com/nidem/kerberoast[/url]kerberoast是用来攻击微软Kerberos的实现。[code="java"]PS C:> setspn -T medin -Q /[/code]使用window自带攻击提取SPN user[code="java"]PS C:> Add-Type -AssemblyNam...

原文地址：[url]http://blog.cobaltstrike.com/2014/03/20/user-account-control-what-penetration-testers-should-know/[/url]UAC是User Account Control缩写。通过UAC，可以用来提权(包含vista)。本文聚焦Windows完整性级别和UAC提权。[b]进...

原文地址：[url]https://cyberarms.wordpress.com/2011/11/04/memory-forensics-how-to-pull-passwords-from-a-memory-dump/[/url][b]1. 从memory dump 获得一些信息[/b][code="java"]volatility imageinfo -f memorydumpf...

原文地址：[url]https://code.google.com/p/google-security-research/issues/detail?id=118[/url]平台:Windows 8.1 Update 32/64 bit（其他版本未测试）Windows8更新的系统函数NtApphelpCacheControl(位于ahcache.sys)当新进程创建时允许缓存程序通用数...

[b]原文地址：[url]http://jumpespjump.blogspot.com/2015/03/thousand-ways-to-backdoor-windows.html[/url][/b]When the Kerberos elevation of privilege (CVE-2014-6324 / MS14-068) vulnerability has been made...

原文地址：[url]https://blog.netspi.com/decrypting-mssql-database-link-server-passwords/[/url][url]https://blog.netspi.com/decrypting-mssql-credential-passwords/[/url](一)Linked ServersMSSQL在数据库中hash...

原文地址：[url]http://blog.gdssecurity.com/labs/2015/1/26/badsamba-exploiting-windows-startup-scripts-using-a-maliciou.html[/url]本文中心思想是：前提条件：1. window启动时以Local System account权限运行启动脚本[quote]“St...

参考地址：[url]http://way2h.blogspot.com/2015/01/increase-speed-of-HDD.html[/url]找到system.ini文件打开该文件[img]http://dl2.iteye.com/upload/attachment/0105/8539/82fd2688-2353-3c1a-bf75-6208d504d180.png[/img...

原文地址：[url]http://adsecurity.org/?p=1255[/url][url]http://adsecurity.org/?p=1275[/url]Skeleton Key Malware安装在一个/多个64位DC上。该软件“patch”系统来启动一个主密码来接受任何域user，包括admins。这样就允许attacker使用他们想用的任何username和恶...

[url]https://blog.netspi.com/15-ways-to-bypass-the-powershell-execution-policy/[/url]

原文地址：[url]http://blog.didierstevens.com/2014/12/23/oledump-extracting-embedded-exe-from-doc/[/url]RECHNUNG_vom_18122014.doc[url]https://www.virustotal.com/en/file/d3672a6b3bc839d76b1d4c2e98ab8c3ef84...

下载地址：[url]https://github.com/volatilityfoundation/volatility[/url]wiki：[url]https://github.com/volatilityfoundation/volatility/wiki[/url]usage：[url]https://github.com/volatilityfoundation/volatili...

原文地址：[url]http://pen-testing.sans.org/blog/pen-testing/2013/08/08/psexec-uac-bypass[/url][color=red][b]注意：本例可以通过metasploit中exploit/windows/local/current_user_psexec模块解决。[/b][/color][b]场景：[/b]...

工具地址：[url]https://github.com/anexia-it/winshock-test[/url]下载方法：[code="java"]git clone https://github.com/anexia-it/winshock-test.git[/code]扫描原理：根据扫描支持的4中密码来判断是否有漏洞。漏洞原理：[url]http://www.freebuf.c...

原文地址：http://contextis.co.uk/resources/blog/rdp-replay/发现可以数据包：[img]http://dl2.iteye.com/upload/attachment/0102/6554/dd373427-fb9a-3f7c-8a80-d35b5cbef19d.png[/img]keyboard layout是2052-天朝[b]1. 密...

原文：https://www.pentestgeek.com/2013/09/18/invoke-shellcode/渗透测试人员有很多方法可以获得GUI访问目标机器，例如猜测RDP, ESX 或vnc口令。然而绕开AV获得Meterpreter的最简单方法是使用PowerSploit([url]https://github.com/mattifestation/PowerSploit[/ur...

原文地址：https://www.securusglobal.com/community/2013/12/20/dumping-windows-credentials/参考资料：http://bernardodamele.blogspot.com.au/[b]一）从Windows主机上获取口令：[/b][color=blue][b]1）注册表[/b][/color]获得一份SYST...

网上下载的图片，忘了来源[img]http://dl2.iteye.com/upload/attachment/0111/0598/9612850c-f278-37e0-8bcf-0580eb1f3436.jpg[/img]

[url]https://blog.netspi.com/5-ways-to-find-systems-running-domain-admin-processes/[/url][url]http://www.solutionary.com/resource-center/blog/2014/06/internal-network-enumeration-and-privilege-escal...

原文地址：[url]http://www.gosecure.it/blog/art/500/sec/sethc-access-to-every-pc-and-become-local-admin/[/url]This article talk about to connetting to a pc when you don’t have password and:– you have ...

原文地址：[url]https://www.trustwave.com/Resources/SpiderLabs-Blog/Top-Five-Ways-SpiderLabs-Got-Domain-Admin-on-Your-Internal-Network/[/url][b]1. Netbios and LLMNR Name Poisoning[/b]One of the firs...

[quote]A tutorial on how to get into an admin account on ANY computer.[/quote][url]http://imgur.com/gallery/H8obU[/url]

由于Windows的SAM密码保护机制，SAM文件在Windows启动后就被保护，所以不能开机后破解。[quote]1. 使用usb启动kali[/quote][quote]2. fdisk -l[/quote] 查看磁盘分区。在我电脑测试时为一个/dev/sda5，文件格式为HPFS/NTFS/exFAT[quote]3. mount -t ntfs /dev/sda5 /m...

netbios enum1. net view /domain2. net view /domain:coreoneDumping the netbios name1. nbtstat -A 192.168.1.1Scan netbios name tables1. nbtscan 192.168.1.1/24Enum Windows Dom...

[img]http://dl2.iteye.com/upload/attachment/0103/5028/d55fc491-86dc-3590-974a-1d255f333092.png[/img]

参考：[url]http://blog.cyberis.co.uk/2012/06/password-audit-of-domain-controller.html[/url]1. 创建Shadow Copy[quote]cscript vssown.vbs /start cscript vssown.vbs /create c cscript vssown.vbs /list...

原文地址：http://www.kioptrix.com/blog/recovering-hashes-from-domain-controller-2/本方法属于后渗透测试，需要管理员/system权限。首先我们需要一些准备。VSSOwn是一个很好的脚本，它本质上帮我们创建一个Windows域控制器盘符的volume shadow copy，从而我们可以提取NTDS和SYSTEM文件...

原文地址：http://pen-testing.sans.org/blog/pen-testing/2013/04/12/using-volume-shadow-copies-from-pythonVolume Shadow copies 提供管理员工具来访问Windows，包含最新删除的的文件，带锁的文件等。他们就像通道一样直达Windows文件系统，用来挖掘各种有价值的信息。Vol...

原文地址：http://pen-testing.sans.org/blog/pen-testing/2013/07/24/plundering-windows-account-info-via-authenticated-smb-sessions通过SMB，可以远程获得共享文件，注册表，服务，域认证以及更多信息。Linux下进行Windows SBM访问的工具之一是rpcclient。...

原文地址：[url]http://pen-testing.sans.org/blog/2013/03/27/psexec-python-rocks[/url]psexec.py脚本是IMPACKET([url]http://corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=tool&name=Impacket[...

在早期的psexec版本中，如果使用-u username -p password选项，username和密码会明文传输。为了避免这种情况可以使用下面的办法。[code="java"]1. C:\>net use \\192.168.1.101\IPC$ /u:testxp\admin *2. 弹出对话框要求输入密码，输入密码3.C:\>psexec.exe \\192.168.1...

原文地址：http://pen-testing.sans.org/blog/pen-testing/2013/03/18/a-penetration-testers-pledgepsexec(包含Metasploit中的psexec， nmap中的smb-psexec脚本，以及Microsoft Sysinternals)这些工具在后渗透中及其有用。psexec可以在全补丁的系统上运行，一...

原文地址：[url]http://jumpespjump.blogspot.com/2015/05/many-ways-of-malware-persistence-that.html[/url][color=blue][b][b]1. Autoruns[/b][/b][/color]My favorite choice when it comes to malware persist...