转载于雷石安全实验室
蓝队反制后的自动化信息收集
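@ECHO OFF
REM windows-info v0.1 -- read-only triage snapshot of a Windows host, printed section by section.
REM The two wevtutil steps (Security log export / query) need an elevated shell; without it they fail
REM and the rest of the script still runs.
TITLE windows-info v0.1
echo -------------------------机器名-------------------------
hostname
echo -------------------------用户信息-------------------------
REM net user does not list accounts whose name ends in "$" (classic hidden-account trick);
REM the SAM registry hint in the last section is how the author covers that case.
net user
echo -------------------------在线用户-------------------------
query user
echo -------------------------正在连接的IP-------------------------
REM Established TCP sessions with owning PID; loopback traffic is dropped as noise.
netstat -ano | findstr ESTABLISHED | findstr /v 127.0.0.1
echo -------------------------正在监听的端口-------------------------
netstat -ano | findstr LISTENING | findstr /v 127.0.0.1
echo -------------------------尝试备份安全日志到当前目录-------------------------
REM The banner promises the current directory, but the original exported to the user's desktop;
REM export to the current directory (CD) so the output matches the message. /ow:true lets a
REM re-run overwrite a stale copy -- wevtutil epl otherwise aborts when the target exists.
wevtutil epl Security "%CD%\Sec.evtx" /ow:true
echo -------------------------尝试获取远程登录日志-------------------------
REM Newest 10 events with EventID 4648 ("logon attempted using explicit credentials"), as text.
REM Ordinary successful logons (interactive, network, RDP) are EventID 4624 and are not covered
REM by this query; extend the XPath filter if those are needed.
wevtutil qe Security "/q:*[System [(EventID=4648)]]" /f:text /rd:true /c:10
echo -------------------------其他·提示-------------------------
echo 查询隐藏用户:HKEY_LOCAL_MACHINE --SAM–SAM(需要右击权限修改管理员权限)-Domains-Account-users
echo 查询密码信息:mimikatz privilege::debug sekurlsa::logonpasswords
echo 查询web浏览记录、浏览器密码
PAUSE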
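#! /bin/bash
# linux-info v0.1 -- read-only triage snapshot of a Linux host, printed section by section.
# Several sections need root (auth logs, find over /); they print nothing or errors otherwise.
# In the original the first banner was fused onto this comment line and never printed.
echo "-------------------------机器名-------------------------"
hostname
echo "-------------------------查看用户信息-------------------------"
# Accounts whose shell is neither nologin nor /bin/false, i.e. ones that can actually log in.
grep -v -e nologin -e /bin/false /etc/passwd
echo "-------------------------查看登录信息-------------------------"
w
echo "-------------------------查看正在连接的IP-------------------------"
netstat -antlp | grep ESTABLISHED
echo "-------------------------查看对外监听的端口-------------------------"
netstat -antlp | grep LISTEN | grep -v 127.0.0.1
echo "-------------------------查看历史登录信息-------------------------"
last -F -n 10
echo "-------------------------查看安全日志中登录成功信息-------------------------"
# sshd "Accepted" lines: date/time, user ($9) and source address ($11) in the classic syslog
# layout -- confirm the field positions if the log uses ISO timestamps. RHEL-family writes
# /var/log/secure, Debian-family /var/log/auth.log; whichever is readable is used.
for auth_log in /var/log/secure /var/log/auth.log; do
    [ -r "$auth_log" ] && grep "Accepted " "$auth_log" | awk '{print $1,$2,$3,$9,$11}'
done
echo "-------------------------查看历史命令,查找外联-------------------------"
# The original ran 'history', which is empty inside a non-interactive script (no history list is
# loaded), so read the current user's saved history file directly. IPv4-looking tokens hint at
# outbound connections worth a look.
grep -E "([0-9]{1,3}[\.]){3}[0-9]{1,3}" "${HISTFILE:-$HOME/.bash_history}" 2>/dev/null
echo "-------------------------查看计划任务-------------------------"
# Current user's crontab plus the system-wide crontab and drop-in directory.
crontab -l
cat /etc/crontab 2>/dev/null
ls -la /etc/cron.d 2>/dev/null
echo "-------------------------查找隐藏文件-------------------------"
# Dot-files outside the noisy system trees; permission-denied errors are suppressed.
find / ! -path "/proc/*" ! -path "/usr/*" ! -path "/var/*" ! -path "/sys/*" -name ".*" -print 2>/dev/null
echo "-------------------------其他·提示-------------------------"
echo "查看用户进程:lsof -u hack"
echo "查看端口占用:lsof -i:8888"
echo "查看公钥信息:~/.ssh/id_dsa.pub"
echo "查看进程:ps -aux"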
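# Web-access-log one-liners; 'log_file' is a placeholder for the log being analysed.
# Field positions assume the common/combined access-log layout ($1 = client IP, $7 = request
# path, $12 = start of the quoted User-Agent) -- confirm against the real format before trusting counts.

# Top 20 most frequent first "-"-delimited tokens (normally the client IP). uniq -c only merges
# adjacent duplicates, so the stream must be sorted first; the original skipped that sort.
cut -d- -f 1 log_file | sort | uniq -c | sort -rn | head -20
# Number of distinct client IPs.
awk '{print $1}' log_file | sort -u | wc -l
# Number of lines mentioning /index.php.
grep "/index.php" log_file | wc -l
# Requests per client IP (unordered).
awk '{++S[$1]} END {for (a in S) print a,S[a]}' log_file
# Requests per client IP, smallest count first.
awk '{++S[$1]} END {for (a in S) print S[a],a}' log_file | sort -n
# Request paths fetched by one client; 111.111.111.111 is a sample address to replace.
# Dots are escaped so the pattern no longer matches unrelated lines such as 111x111x111x111.
grep "^111\.111\.111\.111" log_file | awk '{print $1,$7}'
# Distinct client IPs whose User-Agent field starts with "Mozilla".
awk '{print $12,$1}' log_file | grep ^\"Mozilla | awk '{print $2}' | sort -u | wc -l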
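-- MySQL sys-schema views for a quick look at who is connected and what is busy.
-- Keyword case was mixed across the three statements; unified to uppercase.

-- Active sessions: connected user, current schema, and the statement running now / run last.
SELECT
    user,
    db,
    command,
    current_statement,
    last_statement,
    time
FROM sys.session;

-- Tables ranked by I/O activity (read + write requests), busiest first.
SELECT
    table_schema,
    table_name,
    SUM(io_read_requests + io_write_requests) AS io
FROM sys.schema_table_statistics
GROUP BY table_schema, table_name
ORDER BY io DESC;

-- Connection count per client host; an unexpected host or an outsized count is worth a look.
SELECT
    host,
    total_connections
FROM sys.host_summary;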