add 利用图片隐写术来远程动态加载shellcode&[后渗透]Mimikatz使用大全&Linux下一键巡检工具

2025-06-20 18:00:35 +00:00 · 2020-08-18 18:30:55 +08:00 · 2020-08-18 18:30:55 +08:00 · 7b4ebc499b
commit 7b4ebc499b
parent 5c8015eedc
7 changed files with 366 additions and 3 deletions
--- a/README.md
+++ b/README.md
@ -453,7 +453,7 @@
 - [FavFreak：执行基于favicon.ico的侦察](https://github.com/devanshbatham/FavFreak)
 - [gorailgun_v1.0.7-集漏洞端口扫描利用于一体的工具](./tools/gorailgun_v1.0.7.zip)
 - [【shell管理工具】Godzilla-哥斯拉](https://github.com/BeichenDream/Godzilla)|[-AntSword蚁剑](https://github.com/AntSwordProject)|[Behinder-冰蝎](https://github.com/rebeyond/Behinder)
- [C++免杀项目推荐](./books/C++免杀项目推荐.pdf)-[附件下载](./tools/RefacterC.zip)
+- [由python编写打包的Linux下自动巡检工具](./tools/linux_auto_xunjian)|[源处](https://github.com/heikanet/linux_auto_xunjian)
 ## <span id="head8"> 文章/书籍/教程相关</span>
@ -573,9 +573,19 @@
 - [bolt_cms_V3.7.0_xss和远程代码执行漏洞](./books/bolt_cms_V3.7.0_xss和远程代码执行漏洞.pdf)
 - [关于Cobalt_Strike检测方法与去特征的思考](./books/关于Cobalt_Strike检测方法与去特征的思考.pdf)
 - [代码审计_PHPCMS_V9前台RCE挖掘分析](./books/代码审计_PHPCMS_V9前台RCE挖掘分析.pdf)
 - [【免杀】C++免杀项目推荐](./books/C++免杀项目推荐.pdf)-[附件下载](./tools/RefacterC.zip)|[原文地址](https://mp.weixin.qq.com/s/0OB0yQAiOfsU4JqkCDUi7w)
 - [利用图片隐写术来远程动态加载shellcode](./books/利用图片隐写术来远程动态加载shellcode.pdf)|[原文地址](https://mp.weixin.qq.com/s/QZ5YlRZN47zne7vCzvUpJw)
 - [[后渗透]Mimikatz使用大全](./books/[后渗透]Mimikatz使用大全.pdf)|[原文地址](https://www.cnblogs.com/-mo-/p/11890232.html)
 ## <span id="head9"> 说明</span>
-> 此项目所有文章、代码部分来源于互联网，版权归原作者所有，此项目仅供学习参考使用，严禁用于任何非法行为！使用即代表你同意自负责任！
+### 免责声明
-
+> 1.此项目所有文章、代码部分来源于互联网，版权归原作者所有，转载留存的都会写上原著出处，如有遗漏，还请说明，谢谢！  
 > 2.此项目仅供学习参考使用，严禁用于任何非法行为！使用即代表你同意自负责任！  
 > 3.如果项目中涉及到你的隐私或者需要删除的，请issue留言指名具体文件内容，附上你的证明，或者邮箱联系我，核实后即刻删除。  
 ### 喜讯
 在`2020-08-16`登上`GitHub`的`Trending`日榜，谢谢大家支持，谢谢那些在freebuf和公众号推荐的师傅，我会继续努力，期待有靠谱的师傅一起来维护优化，感兴趣的邮箱联系我吧！
 ![](./img/trending.png)  
 ### 最后，选一个屁股吧！
 ![](https://ooo.0o0.ooo/2017/06/13/593fb9335fe9c.jpg)
--- a/books/[后渗透]Mimikatz使用大全.pdf
+++ b/books/[后渗透]Mimikatz使用大全.pdf
--- a/books/利用图片隐写术来远程动态加载shellcode.pdf
+++ b/books/利用图片隐写术来远程动态加载shellcode.pdf
--- a/img/trending.png
+++ b/img/trending.png
--- a/tools/linux_auto_xunjian/README.md
+++ b/tools/linux_auto_xunjian/README.md
@ -0,0 +1,2 @@
 # linux_auto_xunjian
 linux自动化巡检工具
--- a/tools/linux_auto_xunjian/yiansec
+++ b/tools/linux_auto_xunjian/yiansec
--- a/tools/linux_auto_xunjian/yiansec.py
+++ b/tools/linux_auto_xunjian/yiansec.py
@ -0,0 +1,351 @@
 # -*- coding:utf-8 -*- -
 import os
 import re
 import psutil
 import yara
 import sys
 HOST_IP = input('\033[1;34m请输入本机IP：\033[0m')
 ####################先来一个帅气的banner#############################
 banner = """\033[1;34m
   ____    ____  __       ___      .__   __.      _______. _______   ______ 
   \   \  /   / |  |     /   \     |  \ |  |     /       ||   ____| /      |
    \   \/   /  |  |    /  ^  \    |   \|  |    |   (----`|  |__   |  ,----'
     \_    _/   |  |   /  /_\  \   |  . `  |     \   \    |   __|  |  |     
       |  |     |  |  /  _____  \  |  |\   | .----)   |   |  |____ |  `----.
       |__|     |__| /__/     \__\ |__| \__| |_______/    |_______| \______|
          linux自动化巡检工具                             Version：1.0
          Company:宁波壹安信息科技有限公司                Author：说书人\033[0m
 """
 print(banner)
 ####################开局先检查权限和判断系统#############################
 print('\033[1;36m本机IP:{0}开始巡检\033[0m'.format(HOST_IP))
 # 检查是否root运行
 def checkroot():
    if os.popen("whoami").read() != 'root\n':
        print('当前为非root权限，部分功能可能受限')
        c = input('是否继续？（y/N）:')
        if c == 'y':
            pass
        else:
            exit()
 def ostype():  # 判断系统类型和版本
    try:
        print('不要在意下面那行出现的command not found')
        a = os.popen("lsb_release -a").read()
        b = os.popen("cat /etc/redhat-release").read()
        os_info = a + b
        sysnum = int(re.findall(r' (\d+?)\.', os_info, re.S)[0])  # 取出版本号
        system = ''
        try:
            system = re.search('CentOS', os_info).group()
        except:
            pass
        try:
            system = re.search('Ubuntu', os_info).group()
        except:
            pass
        try:
            system = re.search('openSUSE', os_info).group()
        except:
            pass
        try:
            system = re.search('Red Hat', os_info).group()
        except:
            pass
        try:
            system = re.search('Debian', os_info).group()
        except:
            pass
    except:
        print('\033[1;33m提示：系统类型获取失败，请手动输入系统类型和版本号\033[0m')
        print("\033[1;33m系统类型只能'CentOS'，'Ubuntu'，'openSUSE'，'Red Hat'，'Debian' 其中一个，注意空格和大小写，输入其他无效\033[0m")
        print("\033[1;33m版本号请输入整数，如：6\033[0m")
        system = input('系统类型：')
        sysnum = input('版本号：')
    return system, sysnum
 ####################系统基本信息#############################
 def cpu():  # cpu使用率
    cpu = 'CPU使用率：{}{}\n'.format(str(psutil.cpu_percent(1)), '%')
    return cpu
 def mem():  # 内存使用率
    mem = '内存使用率：{}{}\n'.format(str(psutil.virtual_memory()[2]), '%')
    return mem
 def disk():  # 磁盘使用率
    disk = '磁盘使用率：{}{}'.format(psutil.disk_usage('/')[3], '%')
    return disk
 def network():  # 获取对外网络连接情况
    addr_list = str(psutil.net_connections()).split('sconn')
    banner = '{0}  {1:^35}  {2}'.format('远程IP', '远程端口', '进程PID')
    net = ''
    for addr in addr_list:
        try:
            if re.findall(r'raddr', addr) != []:  # 如果存在远程地址，就取出来
                remote = addr.split('raddr')[-1]
                ip = re.findall(r'ip=\'(.+?)\'', remote)[0]
                port = re.findall(r'port=(.+?)\)', remote)[0]
                pid = re.findall(r'pid=(.+?)\)', remote)[0]
                remote_info = '{0:^15}  {1:^17}  {2:^30}'.format(ip, port, pid)
                net = net + remote_info + '\n'
        except:
            pass
    network = '{0}\n{1}'.format(banner, net)
    return network
 ###################################################################
 def account_check():  # 检查账户情况
    account_list = []
    cmd = os.popen("cat /etc/shadow").read()
    user_list = re.split(r'\n', cmd)
    for i in user_list:
        try:
            c = re.search(r'\*|!', i).group()
        except:
            try:
                ok_user = re.findall(r'(.+?):', i)[0]
                account_list.append(ok_user)
            except:
                pass
    anonymous_account = os.popen("awk -F: 'length($2)==0 {print $1}' /etc/shadow").read()
    account = '存在的账户：\n{0}\n空口令用户：\n{1}\n'.format(account_list, anonymous_account)
    return account
 def process():  # 列出在当前环境中运行的进程
    process = os.popen("ps -ef").read()
    return process
 def service(system, sysnum):  # 列出开启的服务
    service = ''
    if system == 'Ubuntu' or system == 'Debian':
        service = os.popen("service --status-all | grep +").read()
    elif system == 'openSUSE':
        service = os.popen("service --status-all | grep running").read()
    elif system == 'CentOS' or system == 'Red Hat':
        if sysnum < 7:
            service1 = os.popen("chkconfig --list |grep 2:启用").read()
            service2 = os.popen("chkconfig --list |grep 2:on").read()
            service = service1 + '\n' + service2
        else:
            service = os.popen("systemctl list-units --type=service --all |grep running").read()
    return service
 def startup(system, sysnum):  # 列出启动项
    startup = ''
    if system == 'CentOS' or system == 'Red Hat':
        if sysnum < 7:
            startup = os.popen("cat /etc/rc.d/rc.local").read()
        else:
            startup = os.popen("systemctl list-unit-files | grep enabled").read()
    elif system == 'Ubuntu' or system == 'Debian':
        if sysnum < 14:
            startup1 = os.popen("chkconfig |grep on").read()
            startup2 = os.popen("chkconfig |grep 启用").read()
            startup = startup1 + startup2
        else:
            startup = os.popen("systemctl list-unit-files | grep enabled").read()
    elif system == 'openSUSE':
        startup1 = os.popen("chkconfig |grep on").read()
        startup2 = os.popen("chkconfig |grep 启用").read()
        startup = startup1 + startup2
    return startup
 def timingtask():  # 列出定时任务
    timingtask = []
    cmd = os.popen("cat /etc/shadow").read()
    user_list = re.split(r'\n', cmd)
    for i in user_list:
        try:
            c = re.search(r'\*|!', i).group()
        except:
            try:
                ok_user = re.findall(r'(.+?):', i)[0]
                task = os.popen("crontab -l -u " + ok_user).read()
                timingtask.append(task)
            except:
                pass
    return timingtask
 def seclog_time():  # 登录日志存留时间
    cmd = os.popen("cat /etc/logrotate.conf").read()
    try:
        seclog = ''
        cycle = re.findall(r'# rotate log files weekly\n(.+?)\n', cmd, re.S)[0]  # 周期
        num = re.findall(r'\d+', str(re.findall(r'# keep 4 weeks worth of backlogs\n(.+?)\n', cmd, re.S)))[0]  # 次数
        if cycle == 'weekly':
            if int(num) < 26:
                seclog = '\033[1;31m日志存留不足180天\033[0m'
            else:
                seclog = '\033[1;32m日志存留时间符合要求\033[0m'
        elif cycle == 'monthly':
            if int(num) < 6:
                seclog = '\033[1;31m日志存留不足180天\033[0m'
            else:
                seclog = '\033[1;32m日志存留时间符合要求\033[0m'
        elif cycle == 'quarterly':
            if int(num) < 2:
                seclog = '\033[1;31m日志存留不足180天\033[0m'
            else:
                seclog = '\033[1;32m日志存留时间符合要求\033[0m'
        return seclog
    except:
        seclog = '\033[1;31m日志轮转配置读取出错\033[0m'
        return seclog
 def seclog_login(system):  # 登录ip记录
    succeed = failed = ''
    if system == 'CentOS' or system == 'Red Hat':
        succeed = '\n成功登录：\n' + os.popen(
            "cat /var/log/secure*|awk '/Accepted/{print $(NF-3)}'|sort|uniq -c|awk '{print $2\"|次数=\"$1;}'").read()
        failed = '\n失败登录：\n' + os.popen(
            "cat /var/log/secure*|awk '/Failed/{print $(NF-3)}'|sort|uniq -c|awk '{print $2\"|次数=\"$1;}'").read()
    elif system == 'Ubuntu' or system == 'Debian':
        succeed = os.popen(
            "cat /var/log/auth.log|awk '/Accepted/{print $(NF-3)}'|sort|uniq -c|awk '{print $2\"|次数=\"$1;}'").read()
        failed = os.popen(
            "cat /var/log/auth.log|awk '/authentication failure/{print $(NF-1)}'|sort|uniq -c|awk '{print $2\"|次数=\"$1;}'").read()
        succeed = '\n成功登录：\n' + re.sub("rhost=\|次数=\d|ruser=\|次数=\d|rhost=", "", succeed)
        failed = '\n失败登录：\n' + re.sub("rhost=\|次数=\d|ruser=\|次数=\d|rhost=", "", failed)
    elif system == 'openSUSE':
        succeed = '\n成功登录：\n' + os.popen(
            "cat /var/log/messages|awk '/Accepted/{print $(NF-3)}'|sort|uniq -c|awk '{print $2\"|次数=\"$1;}'").read()
        failed = '\n失败登录：\n' + os.popen(
            "cat /var/log/messages|awk '/failure/{print $(NF)}'|sort|uniq -c|awk '{print $2\"|次数=\"$1;}'").read()
    seclog_login = succeed + '\n' + failed
    return seclog_login
 def seclog_user(system):  # 用户（组）增删改日志审计
    whichlog = ''
    if system == 'CentOS' or system == 'Red Hat':
        whichlog = 'secure*'
    elif system == 'Ubuntu' or system == 'Debian':
        whichlog = 'auth.log'
    elif system == 'openSUSE':
        whichlog = 'messages'
    group_add = os.popen("cat /var/log/{0}|grep \"new group\"".format(whichlog)).read()
    group_change = os.popen("cat /var/log/{0}|grep -E \"to group|to shadow\"".format(whichlog)).read()
    group_del = os.popen("cat /var/log/{0}|grep group|grep removed".format(whichlog)).read()
    user_add = os.popen("cat /var/log/{0}|grep \"new user\"".format(whichlog)).read()
    user_del = os.popen("cat /var/log/{0}|grep \"delete user\"".format(whichlog)).read()
    seclog_user = '增加用户：\n{0}\n删除用户：\n{1}\n增加组：\n{2}\n删除组：\n{3}\n变更组：\n{4}\n'.format(user_add, user_del, group_add,
                                                                                     group_del, group_change)
    return seclog_user
 def firewall(system, sysnum):  # 查看防火墙状态
    firewall = ''
    if system == 'CentOS' or system == 'Red Hat':
        if sysnum < 7:
            firewall = os.popen("service iptables status").read()
        else:
            firewall = os.popen("systemctl status firewalld").read()
    elif system == 'Ubuntu' or system == 'Debian':
        firewall = os.popen("ufw status").read()
    elif system == 'openSUSE':
        firewall = os.popen("service SuSEfirewall2_setup status").read()
    if re.findall(r'not running|inactive|dead|unused', firewall, re.S) != []:
        firewall_status = '\033[1;31m防火墙未开启\033[0m'
    else:
        firewall_status = '\033[1;32m防火墙已开启\033[0m'
    return firewall_status
 def file_scan():  # 文件静态检测扫描模块
    print('\033[1;36m【11】文件扫描\033[0m')
    rule = yara.compile(filepath=r'rules/index.yar')
    print('\033[1;34m-----【11.1】读取待检测文件中...\033[0m')
    all = os.popen(
        "find /usr /home /root /tmp \( -path /usr/share/doc -o -path /root/.bash_history \) -prune -o -print").read().split(
        '\n')
    file_list = []  # 过滤后的文件列表
    warning_all = ''  # 全部告警信息
    print('\033[1;32m-----【11.2】读取完毕，开始过滤...\033[0m')
    for file in all:  # 过滤掉部分文件
        filter = re.findall(
            r'\.zip|\.rar|\.7z|\.tar|\.gz|\.xz|\.bz2|\.ttf|\.bmp|\.jpg|\.jpeg|\.png|\.svg|\.icon|\.gif|\.txt|\.yar|\.yara', file)
        if filter == []:
            file_list.append(file)
    print('\033[1;32m-----【11.3】过滤完毕，开始扫描...\033[0m')
    for i in range(len(file_list)):
        sys.stdout.write('\033[K' + '\r')
        print('\r', '[{0}/{1}]检测中：{2}'.format(str(i), str(len(file_list)), file_list[i]), end=' ', flush=True)
        try:
            with open(file_list[i], 'rb') as f:
                matches = rule.match(data=f.read())
        except:
            pass
        try:
            if matches != []:
                warning = ('\033[1;31m\n告警：检测到标签{0}，文件位置{1}\033[0m'.format(matches, file_list[i]))
                warning_all = warning_all + '\n' + warning
                print(warning)
        except:
            pass
    print('\033[1;32m\n-----【11.4】扫描完成\033[0m')
    return warning_all
 ############################以上为函数部分#############################
 sys_tup=ostype()
 system = sys_tup[0]
 sysnum = sys_tup[1]
 ssr_cpu = cpu()  # cpu
 ssr_mem = mem()  # 内存
 ssr_disk = disk()  # 磁盘
 ssr_network = network()  # 对外连接
 print('\033[1;36m【1】系统状态获取完毕\033[0m\n{0}   {1}   {2}\n{3}'.format(ssr_cpu, ssr_mem, ssr_disk, ssr_network))
 ssr_account = account_check()  # 账户情况
 print('\n\033[1;36m【2】账户情况获取完毕\033[0m\n{0}'.format(ssr_account))
 ssr_process = process()  # 获取所有进程详细
 print('\033[1;36m【3】进程信息获取完毕(报告中显示)\033[0m')
 ssr_service = service(system, sysnum)  # 获取开启的服务
 print('\033[1;36m【4】开启的服务获取完毕(报告中显示)\033[0m')
 ssr_startup = startup(system, sysnum)  # 获取启动项
 print('\033[1;36m【5】启动项获取完毕(报告中显示)\033[0m')
 ssr_timingtask = ''  # 定时任务
 print('\033[1;36m【6】定时任务获取完毕\033[0m')
 for timingtask in timingtask():
    print(timingtask)
    ssr_timingtask = ssr_timingtask + '\n' + timingtask
 ssr_seclog_time = seclog_time()  # 日志存留合规检查
 print('\033[1;36m【7】日志存留合规检查完毕\033[0m\n{0}'.format(ssr_seclog_time))
 ssr_seclog_login = seclog_login(system)  # 登录日志审计
 print('\033[1;36m【8】登录日志审计完毕(报告中显示)\033[0m')
 ssr_seclog_user = seclog_user(system)  # 账户操作日志审计
 print('\033[1;36m【9】账户操作日志审计完毕(报告中显示)\033[0m')
 ssr_firewall = firewall(system, sysnum)  # 防火墙状态
 print('\033[1;36m【10】防火墙状态获取完毕：\033[0m\n{0}'.format(ssr_firewall))
 ssr_file_scan = file_scan()  # 文件静态检测扫描
 ############################导出txt报告#############################
 with open("{0}巡检报告.txt".format(HOST_IP), "a") as f:
    f.write(
        "【系统状态】:\n{0}\n{1}\n{2}\n{3}\n【账户情况】:\n{4}\n【进程信息】:\n{5}\n【开启的服务】:\n{6}\n【启动项】:\n{7}\n【定时任务】:\n{8}\n【日志存留合规检查】:\n{9}\n【登录日志审计】:\n{10}\n【账户操作日志审计】:\n{11}\n【防火墙状态】:\n{12}\n【文件扫描告警结果】:\n{13}".format(ssr_cpu,ssr_mem,ssr_disk,ssr_network,ssr_account,ssr_process,ssr_service,ssr_startup,ssr_timingtask,ssr_seclog_time,ssr_seclog_login,ssr_seclog_user,ssr_firewall,ssr_file_scan))
 print('\033[1;36m【12】{0}巡检报告导出完毕，位于程序所在目录！\033[0m'.format(HOST_IP))
		`@ -0,0 +1,2 @@`
							`# linux_auto_xunjian`
							`linux自动化巡检工具`