admin/Penetration_Testing_POC
1
0
Fork 0
mirror of https://github.com/Mr-xn/Penetration_Testing_POC.git synced 2025-06-20 09:50:19 +00:00
Code Issues Packages Projects Releases Wiki Activity

add 利用图片隐写术来远程动态加载shellcode&[后渗透]Mimikatz使用大全&Linux下一键巡检工具

Browse Source
This commit is contained in:
Mrxn 2020-08-18 18:30:55 +08:00
parent 5c8015eedc
commit 7b4ebc499b
7 changed files with 366 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
README.md
View File

@ -453,7 +453,7 @@
- [FavFreak执行基于favicon.ico的侦察](https://github.com/devanshbatham/FavFreak)
- [gorailgun_v1.0.7-集漏洞端口扫描利用于一体的工具](./tools/gorailgun_v1.0.7.zip)
- [【shell管理工具】Godzilla-哥斯拉](https://github.com/BeichenDream/Godzilla)|[-AntSword蚁剑](https://github.com/AntSwordProject)|[Behinder-冰蝎](https://github.com/rebeyond/Behinder)
- [C++免杀项目推荐](./books/C++免杀项目推荐.pdf)-[附件下载](./tools/RefacterC.zip)
- [由python编写打包的Linux下自动巡检工具](./tools/linux_auto_xunjian)|[源处](https://github.com/heikanet/linux_auto_xunjian)
## <span id="head8"> 文章/书籍/教程相关</span>
@ -573,9 +573,19 @@
- [bolt_cms_V3.7.0_xss和远程代码执行漏洞](./books/bolt_cms_V3.7.0_xss和远程代码执行漏洞.pdf)
- [关于Cobalt_Strike检测方法与去特征的思考](./books/关于Cobalt_Strike检测方法与去特征的思考.pdf)
- [代码审计_PHPCMS_V9前台RCE挖掘分析](./books/代码审计_PHPCMS_V9前台RCE挖掘分析.pdf)
- [【免杀】C++免杀项目推荐](./books/C++免杀项目推荐.pdf)-[附件下载](./tools/RefacterC.zip)|[原文地址](https://mp.weixin.qq.com/s/0OB0yQAiOfsU4JqkCDUi7w)
- [利用图片隐写术来远程动态加载shellcode](./books/利用图片隐写术来远程动态加载shellcode.pdf)|[原文地址](https://mp.weixin.qq.com/s/QZ5YlRZN47zne7vCzvUpJw)
- [[后渗透]Mimikatz使用大全](./books/[后渗透]Mimikatz使用大全.pdf)|[原文地址](https://www.cnblogs.com/-mo-/p/11890232.html)
## <span id="head9"> 说明</span>
> 此项目所有文章、代码部分来源于互联网,版权归原作者所有,此项目仅供学习参考使用,严禁用于任何非法行为!使用即代表你同意自负责任!
### 免责声明
> 1.此项目所有文章、代码部分来源于互联网,版权归原作者所有,转载留存的都会写上原著出处,如有遗漏,还请说明,谢谢!
> 2.此项目仅供学习参考使用,严禁用于任何非法行为!使用即代表你同意自负责任!
> 3.如果项目中涉及到你的隐私或者需要删除的请issue留言指名具体文件内容附上你的证明或者邮箱联系我核实后即刻删除。
### 喜讯
`2020-08-16`登上`GitHub``Trending`日榜谢谢大家支持谢谢那些在freebuf和公众号推荐的师傅我会继续努力期待有靠谱的师傅一起来维护优化感兴趣的邮箱联系我吧
![](./img/trending.png)
### 最后,选一个屁股吧!
![](https://ooo.0o0.ooo/2017/06/13/593fb9335fe9c.jpg)

BIN
books/[后渗透]Mimikatz使用大全.pdf Normal file
View File

Binary file not shown.

BIN
books/利用图片隐写术来远程动态加载shellcode.pdf Normal file
View File

Binary file not shown.

BIN
img/trending.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 53 KiB

2
tools/linux_auto_xunjian/README.md Normal file
View File

@ -0,0 +1,2 @@
# linux_auto_xunjian
linux自动化巡检工具

BIN
tools/linux_auto_xunjian/yiansec Normal file
View File

Binary file not shown.

351
tools/linux_auto_xunjian/yiansec.py Normal file
View File

@ -0,0 +1,351 @@
# -*- coding:utf-8 -*- -
import os
import re
import psutil
import yara
import sys
HOST_IP = input('\033[1;34m请输入本机IP\033[0m')
####################先来一个帅气的banner#############################
banner = """\033[1;34m
____ ____ __ ___ .__ __. _______. _______ ______
\ \ / / | | / \ | \ | | / || ____| / |
\ \/ / | | / ^ \ | \| | | (----`| |__ | ,----'
\_ _/ | | / /_\ \ | . ` | \ \ | __| | |
| | | | / _____ \ | |\ | .----) | | |____ | `----.
|__| |__| /__/ \__\ |__| \__| |_______/ |_______| \______|
linux自动化巡检工具 Version1.0
Company:宁波壹安信息科技有限公司 Author说书人\033[0m
"""
print(banner)
####################开局先检查权限和判断系统#############################
print('\033[1;36m本机IP:{0}开始巡检\033[0m'.format(HOST_IP))
# 检查是否root运行
def checkroot():
if os.popen("whoami").read() != 'root\n':
print('当前为非root权限部分功能可能受限')
c = input('是否继续y/N:')
if c == 'y':
pass
else:
exit()
def ostype(): # 判断系统类型和版本
try:
print('不要在意下面那行出现的command not found')
a = os.popen("lsb_release -a").read()
b = os.popen("cat /etc/redhat-release").read()
os_info = a + b
sysnum = int(re.findall(r' (\d+?)\.', os_info, re.S)[0]) # 取出版本号
system = ''
try:
system = re.search('CentOS', os_info).group()
except:
pass
try:
system = re.search('Ubuntu', os_info).group()
except:
pass
try:
system = re.search('openSUSE', os_info).group()
except:
pass
try:
system = re.search('Red Hat', os_info).group()
except:
pass
try:
system = re.search('Debian', os_info).group()
except:
pass
except:
print('\033[1;33m提示系统类型获取失败请手动输入系统类型和版本号\033[0m')
print("\033[1;33m系统类型只能'CentOS''Ubuntu''openSUSE''Red Hat''Debian' 其中一个,注意空格和大小写,输入其他无效\033[0m")
print("\033[1;33m版本号请输入整数6\033[0m")
system = input('系统类型:')
sysnum = input('版本号:')
return system, sysnum
####################系统基本信息#############################
def cpu(): # cpu使用率
cpu = 'CPU使用率{}{}\n'.format(str(psutil.cpu_percent(1)), '%')
return cpu
def mem(): # 内存使用率
mem = '内存使用率:{}{}\n'.format(str(psutil.virtual_memory()[2]), '%')
return mem
def disk(): # 磁盘使用率
disk = '磁盘使用率:{}{}'.format(psutil.disk_usage('/')[3], '%')
return disk
def network(): # 获取对外网络连接情况
addr_list = str(psutil.net_connections()).split('sconn')
banner = '{0} {1:^35} {2}'.format('远程IP', '远程端口', '进程PID')
net = ''
for addr in addr_list:
try:
if re.findall(r'raddr', addr) != []: # 如果存在远程地址,就取出来
remote = addr.split('raddr')[-1]
ip = re.findall(r'ip=\'(.+?)\'', remote)[0]
port = re.findall(r'port=(.+?)\)', remote)[0]
pid = re.findall(r'pid=(.+?)\)', remote)[0]
remote_info = '{0:^15} {1:^17} {2:^30}'.format(ip, port, pid)
net = net + remote_info + '\n'
except:
pass
network = '{0}\n{1}'.format(banner, net)
return network
###################################################################
def account_check(): # 检查账户情况
account_list = []
cmd = os.popen("cat /etc/shadow").read()
user_list = re.split(r'\n', cmd)
for i in user_list:
try:
c = re.search(r'\*|!', i).group()
except:
try:
ok_user = re.findall(r'(.+?):', i)[0]
account_list.append(ok_user)
except:
pass
anonymous_account = os.popen("awk -F: 'length($2)==0 {print $1}' /etc/shadow").read()
account = '存在的账户:\n{0}\n空口令用户:\n{1}\n'.format(account_list, anonymous_account)
return account
def process(): # 列出在当前环境中运行的进程
process = os.popen("ps -ef").read()
return process
def service(system, sysnum): # 列出开启的服务
service = ''
if system == 'Ubuntu' or system == 'Debian':
service = os.popen("service --status-all | grep +").read()
elif system == 'openSUSE':
service = os.popen("service --status-all | grep running").read()
elif system == 'CentOS' or system == 'Red Hat':
if sysnum < 7:
service1 = os.popen("chkconfig --list |grep 2:启用").read()
service2 = os.popen("chkconfig --list |grep 2:on").read()
service = service1 + '\n' + service2
else:
service = os.popen("systemctl list-units --type=service --all |grep running").read()
return service
def startup(system, sysnum): # 列出启动项
startup = ''
if system == 'CentOS' or system == 'Red Hat':
if sysnum < 7:
startup = os.popen("cat /etc/rc.d/rc.local").read()
else:
startup = os.popen("systemctl list-unit-files | grep enabled").read()
elif system == 'Ubuntu' or system == 'Debian':
if sysnum < 14:
startup1 = os.popen("chkconfig |grep on").read()
startup2 = os.popen("chkconfig |grep 启用").read()
startup = startup1 + startup2
else:
startup = os.popen("systemctl list-unit-files | grep enabled").read()
elif system == 'openSUSE':
startup1 = os.popen("chkconfig |grep on").read()
startup2 = os.popen("chkconfig |grep 启用").read()
startup = startup1 + startup2
return startup
def timingtask(): # 列出定时任务
timingtask = []
cmd = os.popen("cat /etc/shadow").read()
user_list = re.split(r'\n', cmd)
for i in user_list:
try:
c = re.search(r'\*|!', i).group()
except:
try:
ok_user = re.findall(r'(.+?):', i)[0]
task = os.popen("crontab -l -u " + ok_user).read()
timingtask.append(task)
except:
pass
return timingtask
def seclog_time(): # 登录日志存留时间
cmd = os.popen("cat /etc/logrotate.conf").read()
try:
seclog = ''
cycle = re.findall(r'# rotate log files weekly\n(.+?)\n', cmd, re.S)[0] # 周期
num = re.findall(r'\d+', str(re.findall(r'# keep 4 weeks worth of backlogs\n(.+?)\n', cmd, re.S)))[0] # 次数
if cycle == 'weekly':
if int(num) < 26:
seclog = '\033[1;31m日志存留不足180天\033[0m'
else:
seclog = '\033[1;32m日志存留时间符合要求\033[0m'
elif cycle == 'monthly':
if int(num) < 6:
seclog = '\033[1;31m日志存留不足180天\033[0m'
else:
seclog = '\033[1;32m日志存留时间符合要求\033[0m'
elif cycle == 'quarterly':
if int(num) < 2:
seclog = '\033[1;31m日志存留不足180天\033[0m'
else:
seclog = '\033[1;32m日志存留时间符合要求\033[0m'
return seclog
except:
seclog = '\033[1;31m日志轮转配置读取出错\033[0m'
return seclog
def seclog_login(system): # 登录ip记录
succeed = failed = ''
if system == 'CentOS' or system == 'Red Hat':
succeed = '\n成功登录:\n' + os.popen(
"cat /var/log/secure*|awk '/Accepted/{print $(NF-3)}'|sort|uniq -c|awk '{print $2\"|次数=\"$1;}'").read()
failed = '\n失败登录:\n' + os.popen(
"cat /var/log/secure*|awk '/Failed/{print $(NF-3)}'|sort|uniq -c|awk '{print $2\"|次数=\"$1;}'").read()
elif system == 'Ubuntu' or system == 'Debian':
succeed = os.popen(
"cat /var/log/auth.log|awk '/Accepted/{print $(NF-3)}'|sort|uniq -c|awk '{print $2\"|次数=\"$1;}'").read()
failed = os.popen(
"cat /var/log/auth.log|awk '/authentication failure/{print $(NF-1)}'|sort|uniq -c|awk '{print $2\"|次数=\"$1;}'").read()
succeed = '\n成功登录:\n' + re.sub("rhost=\|次数=\d|ruser=\|次数=\d|rhost=", "", succeed)
failed = '\n失败登录:\n' + re.sub("rhost=\|次数=\d|ruser=\|次数=\d|rhost=", "", failed)
elif system == 'openSUSE':
succeed = '\n成功登录:\n' + os.popen(
"cat /var/log/messages|awk '/Accepted/{print $(NF-3)}'|sort|uniq -c|awk '{print $2\"|次数=\"$1;}'").read()
failed = '\n失败登录:\n' + os.popen(
"cat /var/log/messages|awk '/failure/{print $(NF)}'|sort|uniq -c|awk '{print $2\"|次数=\"$1;}'").read()
seclog_login = succeed + '\n' + failed
return seclog_login
def seclog_user(system): # 用户(组)增删改日志审计
whichlog = ''
if system == 'CentOS' or system == 'Red Hat':
whichlog = 'secure*'
elif system == 'Ubuntu' or system == 'Debian':
whichlog = 'auth.log'
elif system == 'openSUSE':
whichlog = 'messages'
group_add = os.popen("cat /var/log/{0}|grep \"new group\"".format(whichlog)).read()
group_change = os.popen("cat /var/log/{0}|grep -E \"to group|to shadow\"".format(whichlog)).read()
group_del = os.popen("cat /var/log/{0}|grep group|grep removed".format(whichlog)).read()
user_add = os.popen("cat /var/log/{0}|grep \"new user\"".format(whichlog)).read()
user_del = os.popen("cat /var/log/{0}|grep \"delete user\"".format(whichlog)).read()
seclog_user = '增加用户:\n{0}\n删除用户:\n{1}\n增加组:\n{2}\n删除组:\n{3}\n变更组:\n{4}\n'.format(user_add, user_del, group_add,
group_del, group_change)
return seclog_user
def firewall(system, sysnum): # 查看防火墙状态
firewall = ''
if system == 'CentOS' or system == 'Red Hat':
if sysnum < 7:
firewall = os.popen("service iptables status").read()
else:
firewall = os.popen("systemctl status firewalld").read()
elif system == 'Ubuntu' or system == 'Debian':
firewall = os.popen("ufw status").read()
elif system == 'openSUSE':
firewall = os.popen("service SuSEfirewall2_setup status").read()
if re.findall(r'not running|inactive|dead|unused', firewall, re.S) != []:
firewall_status = '\033[1;31m防火墙未开启\033[0m'
else:
firewall_status = '\033[1;32m防火墙已开启\033[0m'
return firewall_status
def file_scan(): # 文件静态检测扫描模块
print('\033[1;36m【11】文件扫描\033[0m')
rule = yara.compile(filepath=r'rules/index.yar')
print('\033[1;34m-----【11.1】读取待检测文件中...\033[0m')
all = os.popen(
"find /usr /home /root /tmp \( -path /usr/share/doc -o -path /root/.bash_history \) -prune -o -print").read().split(
'\n')
file_list = [] # 过滤后的文件列表
warning_all = '' # 全部告警信息
print('\033[1;32m-----【11.2】读取完毕,开始过滤...\033[0m')
for file in all: # 过滤掉部分文件
filter = re.findall(
r'\.zip|\.rar|\.7z|\.tar|\.gz|\.xz|\.bz2|\.ttf|\.bmp|\.jpg|\.jpeg|\.png|\.svg|\.icon|\.gif|\.txt|\.yar|\.yara', file)
if filter == []:
file_list.append(file)
print('\033[1;32m-----【11.3】过滤完毕,开始扫描...\033[0m')
for i in range(len(file_list)):
sys.stdout.write('\033[K' + '\r')
print('\r', '[{0}/{1}]检测中:{2}'.format(str(i), str(len(file_list)), file_list[i]), end=' ', flush=True)
try:
with open(file_list[i], 'rb') as f:
matches = rule.match(data=f.read())
except:
pass
try:
if matches != []:
warning = ('\033[1;31m\n告警:检测到标签{0},文件位置{1}\033[0m'.format(matches, file_list[i]))
warning_all = warning_all + '\n' + warning
print(warning)
except:
pass
print('\033[1;32m\n-----【11.4】扫描完成\033[0m')
return warning_all
############################以上为函数部分#############################
sys_tup=ostype()
system = sys_tup[0]
sysnum = sys_tup[1]
ssr_cpu = cpu() # cpu
ssr_mem = mem() # 内存
ssr_disk = disk() # 磁盘
ssr_network = network() # 对外连接
print('\033[1;36m【1】系统状态获取完毕\033[0m\n{0} {1} {2}\n{3}'.format(ssr_cpu, ssr_mem, ssr_disk, ssr_network))
ssr_account = account_check() # 账户情况
print('\n\033[1;36m【2】账户情况获取完毕\033[0m\n{0}'.format(ssr_account))
ssr_process = process() # 获取所有进程详细
print('\033[1;36m【3】进程信息获取完毕(报告中显示)\033[0m')
ssr_service = service(system, sysnum) # 获取开启的服务
print('\033[1;36m【4】开启的服务获取完毕(报告中显示)\033[0m')
ssr_startup = startup(system, sysnum) # 获取启动项
print('\033[1;36m【5】启动项获取完毕(报告中显示)\033[0m')
ssr_timingtask = '' # 定时任务
print('\033[1;36m【6】定时任务获取完毕\033[0m')
for timingtask in timingtask():
print(timingtask)
ssr_timingtask = ssr_timingtask + '\n' + timingtask
ssr_seclog_time = seclog_time() # 日志存留合规检查
print('\033[1;36m【7】日志存留合规检查完毕\033[0m\n{0}'.format(ssr_seclog_time))
ssr_seclog_login = seclog_login(system) # 登录日志审计
print('\033[1;36m【8】登录日志审计完毕(报告中显示)\033[0m')
ssr_seclog_user = seclog_user(system) # 账户操作日志审计
print('\033[1;36m【9】账户操作日志审计完毕(报告中显示)\033[0m')
ssr_firewall = firewall(system, sysnum) # 防火墙状态
print('\033[1;36m【10】防火墙状态获取完毕\033[0m\n{0}'.format(ssr_firewall))
ssr_file_scan = file_scan() # 文件静态检测扫描
############################导出txt报告#############################
with open("{0}巡检报告.txt".format(HOST_IP), "a") as f:
f.write(
"【系统状态】:\n{0}\n{1}\n{2}\n{3}\n【账户情况】:\n{4}\n【进程信息】:\n{5}\n【开启的服务】:\n{6}\n【启动项】:\n{7}\n【定时任务】:\n{8}\n【日志存留合规检查】:\n{9}\n【登录日志审计】:\n{10}\n【账户操作日志审计】:\n{11}\n【防火墙状态】:\n{12}\n【文件扫描告警结果】:\n{13}".format(ssr_cpu,ssr_mem,ssr_disk,ssr_network,ssr_account,ssr_process,ssr_service,ssr_startup,ssr_timingtask,ssr_seclog_time,ssr_seclog_login,ssr_seclog_user,ssr_firewall,ssr_file_scan))
print('\033[1;36m【12】{0}巡检报告导出完毕,位于程序所在目录!\033[0m'.format(HOST_IP))