收集更多受害者資料

1. • 系統資訊 (版本、作業系統、可執行的檔案、內往鄰近電腦)
2. 利用可執行檔案的漏洞進行提權

目標:

1. 提權
2. 擴張
3. 佔領

Linux

System 資訊

1
2
3
4
5
6
7
8
9
10
11
12
13

env
cat /proc/version
cat /etc/issue
cat /etc/passwd
hostname
ifconfig
uname
uname -a
netstat -tulpn
cat /etc/fstab

# find service's config for sensitive user/password
cat wp-config.php

偷資訊腳本

1. [LinEnum](https://github.com/rebootuser/LinEnum/blob/master/LinEnum.sh)

Windows

• 取得電腦資訊

  1

  wmic os

• 取得作業系統版本、位元

  1	wmic os get osarchitecture

• 共用檔案:

1

/usr/share/windows-resources/binaries/

• List all the running services : Windows + R enter - service, tasklist, or wmic

  1 2 3

  wmic service get name,displayname,pathname,startmode wmic service get name,displayname,pathname,startmode | findstr /i "auto" wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows"

  • /i : Make the search case insensitive
  • /v : Ignore anything that contains the string.

• schtasks

• Mails

  1	C:\Users\alex\AppData\Roaming\Thunderbird\Profiles\jbv4ndsh.default- release\Mail\mail.sandbox.local\Inbox

• Host discovery

• netdiscover

1

sudo netdiscover -i tun0 -r 10.11.1.0/24