Penetration Testing Series - Local 1 - Internal Network Test - Step 2: Internal Scanning and Host Discovery + Domain Controller Host Penetration

There is not much new material in this phase.

I plan to practise on two local and two real-world targets, four penetration exercises in total, and to work through the techniques and the detail-level problems I have run into before and now, one by one.

Local 1: web test + internal network test
Local 2: web test, classic PoCs for a dozen or so web vulnerabilities
Real 1: web test (low to medium)
Real 2: web + internal network test (lower)

The article was too monotonous on its own, so I added a module on penetrating a specific host.

Local 1: web test host Win7 -> Win12 domain controller -> CentOS 7 server

This article is step 2 of the Local 1 internal network test: the Win7 host obtained in the Local 1 web test is used as a proxy to scan the internal network, and the Win12 domain controller is then penetrated.

I. MSF scanning
II. Scanning through a proxy
III. Obtaining target credentials or privileges through the phase-one web host

I. MSF scanning

1. Adding routes

run get_local_subnets
run autoroute -s 192.168.118.0/24
run autoroute -s 192.168.118.0 -n 255.255.255.0
run autoroute -p    show the routing table
run autoroute -d -s    delete a route
run post/multi/manage/autoroute    add routes automatically, one for each subnet the connected host is on

2. Host discovery

Scan directly using ARP information gathering:

meterpreter > run post/windows/gather/arp_scanner RHOSTS=192.168.118.0/24

[*] Running module against ROOT-PC
[*] ARP Scanning 192.168.118.0/24
[+] IP: 192.168.118.1 MAC 00:50:56:c0:00:08 (VMware, Inc.)
[+] IP: 192.168.118.2 MAC 00:50:56:fc:26:f0 (VMware, Inc.)
[+] IP: 192.168.118.128 MAC 00:0c:29:b0:d8:e8 (VMware, Inc.)
[+] IP: 192.168.118.131 MAC 00:0c:29:57:1e:38 (VMware, Inc.)
[+] IP: 192.168.118.130 MAC 00:0c:29:83:d0:d5 (VMware, Inc.)
[+] IP: 192.168.118.255 MAC 00:0c:29:57:1e:38 (VMware, Inc.)
[+] IP: 192.168.118.254 MAC 00:50:56:f7:93:94 (VMware, Inc.)

3. Port scanning

This identified 192.168.118.130 as the host of interest.

Using the SYN scanner is very slow.

msf5 auxiliary(scanner/portscan/syn) > run

[+] TCP OPEN 192.168.118.130:53
[+] TCP OPEN 192.168.118.130:80
[+] TCP OPEN 192.168.118.130:88
[+] TCP OPEN 192.168.118.130:135
[+] TCP OPEN 192.168.118.130:139
[+] TCP OPEN 192.168.118.130:389
[+] TCP OPEN 192.168.118.130:445
[+] TCP OPEN 192.168.118.130:464
[+] TCP OPEN 192.168.118.130:593
[+] TCP OPEN 192.168.118.130:636
[+] TCP OPEN 192.168.118.130:3306
[+] TCP OPEN 192.168.118.130:3389

1) The 2012 domain controller here runs a service stack set up with phpStudy: 80 and 3306.

2) Sharing of the C: drive was turned on earlier and never turned off.

3) 3389 was also opened earlier.
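The host-discovery and port-scan output above can be turned into a small exposure check. The following Python script is an added example, not part of the original post and not Metasploit code: it parses arp_scanner and scanner/portscan/syn output of the form shown on this page, drops the broadcast entry (on this page 192.168.118.255 answers with the MAC of .131, which is how the /24 broadcast address shows up in an ARP sweep), and flags the host whose open ports form the full domain-controller service set, together with the services (80, 3306, 3389) that a DC should not be exposing to the client segment. The port sets DC_PORTS and UNEXPECTED_ON_DC are my assumptions, not anything the post defines, and both sample inputs are constructed from the output quoted above.

```python
import ipaddress
import re

# Constructed sample input: the arp_scanner output shown in this post.
ARP_SCAN_OUTPUT = """\
[*] ARP Scanning 192.168.118.0/24
[+] IP: 192.168.118.1 MAC 00:50:56:c0:00:08 (VMware, Inc.)
[+] IP: 192.168.118.2 MAC 00:50:56:fc:26:f0 (VMware, Inc.)
[+] IP: 192.168.118.128 MAC 00:0c:29:b0:d8:e8 (VMware, Inc.)
[+] IP: 192.168.118.131 MAC 00:0c:29:57:1e:38 (VMware, Inc.)
[+] IP: 192.168.118.130 MAC 00:0c:29:83:d0:d5 (VMware, Inc.)
[+] IP: 192.168.118.255 MAC 00:0c:29:57:1e:38 (VMware, Inc.)
[+] IP: 192.168.118.254 MAC 00:50:56:f7:93:94 (VMware, Inc.)
"""

# Constructed sample input: the scanner/portscan/syn output shown in this post.
SYN_SCAN_OUTPUT = """\
[+] TCP OPEN 192.168.118.130:53
[+] TCP OPEN 192.168.118.130:80
[+] TCP OPEN 192.168.118.130:88
[+] TCP OPEN 192.168.118.130:135
[+] TCP OPEN 192.168.118.130:139
[+] TCP OPEN 192.168.118.130:389
[+] TCP OPEN 192.168.118.130:445
[+] TCP OPEN 192.168.118.130:464
[+] TCP OPEN 192.168.118.130:593
[+] TCP OPEN 192.168.118.130:636
[+] TCP OPEN 192.168.118.130:3306
[+] TCP OPEN 192.168.118.130:3389
"""

ARP_NET_LINE = re.compile(r"^\[\*\] ARP Scanning (\S+)$")
ARP_HOST_LINE = re.compile(r"^\[\+\] IP: (\S+) MAC (\S+) \((.*)\)$")
OPEN_PORT_LINE = re.compile(r"^\[\+\] TCP OPEN (\S+):(\d+)$")

# Assumed AD domain-controller service set: DNS, Kerberos, RPC mapper, LDAP, SMB, kpasswd, RPC/HTTP, LDAPS.
DC_PORTS = {53, 88, 135, 389, 445, 464, 593, 636}
# Assumed list of services a DC should not expose to a client segment.
UNEXPECTED_ON_DC = {80: "http", 3306: "mysql", 3389: "rdp"}

def parse_arp_scan(text):
    """Return (scanned network, {ip: {"mac", "vendor"}}) from arp_scanner output."""
    network, hosts = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        m = ARP_NET_LINE.match(line)
        if m:
            network = ipaddress.ip_network(m.group(1), strict=False)
            continue
        m = ARP_HOST_LINE.match(line)
        if m:
            ip, mac, vendor = m.groups()
            hosts[ip] = {"mac": mac.lower(), "vendor": vendor}
    return network, hosts

def arp_anomalies(network, hosts):
    """Non-host entries (network/broadcast address) and MACs shared by two unicast IPs.

    Here .255 answers with the MAC of .131: that is the broadcast address, not a host."""
    findings, by_mac = [], {}
    for ip, info in hosts.items():
        addr = ipaddress.ip_address(ip)
        if network is not None and addr in (network.network_address, network.broadcast_address):
            findings.append((ip, "network/broadcast address, not a host"))
            continue
        by_mac.setdefault(info["mac"], []).append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:   # multi-homed VM, or something answering for addresses it does not own
            findings.append((mac, "MAC shared by " + ", ".join(sorted(ips))))
    return findings

def parse_open_ports(text):
    """Return {ip: set of open TCP ports} from scanner/portscan/syn output."""
    open_ports = {}
    for raw in text.splitlines():
        m = OPEN_PORT_LINE.match(raw.strip())
        if m:
            open_ports.setdefault(m.group(1), set()).add(int(m.group(2)))
    return open_ports

def classify(ports):
    """(is a DC, services a DC should not expose) for one host's open ports."""
    dc = DC_PORTS <= set(ports)
    return dc, (sorted(p for p in ports if p in UNEXPECTED_ON_DC) if dc else [])

def inventory(arp_text, syn_text):
    """Per-host summary: MAC, open ports, DC verdict and unexpected exposure."""
    network, hosts = parse_arp_scan(arp_text)
    not_hosts = {key for key, _ in arp_anomalies(network, hosts) if key in hosts}
    open_ports = parse_open_ports(syn_text)
    report = {}
    for ip in sorted(hosts, key=ipaddress.ip_address):
        if ip in not_hosts:
            continue
        ports = open_ports.get(ip, set())
        dc, exposed = classify(ports)
        report[ip] = {"mac": hosts[ip]["mac"], "open": sorted(ports),
                      "domain_controller": dc, "unexpected": exposed}
    return report

if __name__ == "__main__":
    print(inventory(ARP_SCAN_OUTPUT, SYN_SCAN_OUTPUT))
```

On this page's data the report lists six hosts, marks 192.168.118.130 as the domain controller, and reports 80, 3306 and 3389 as services that should not be reachable on it; the same three are exactly the items the post explains as leftovers (phpStudy, an old share, RDP left open), which is what an asset-inventory review on the defending side would catch.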

4. Scanning services based on the open ports

Both the share and 3389 require an account and password, and the server enforces a password-strength policy, so these are worth a try but not something to count on. Ready-made exploits from MSF can of course be used as well, depending on how old the machine is; only the scanning part is listed here.

smb:

msf5 auxiliary(scanner/smb/smb_enumshares) > use auxiliary/scanner/sm
use auxiliary/scanner/smb/impacket/dcomexec
use auxiliary/scanner/smb/impacket/secretsdump
use auxiliary/scanner/smb/impacket/wmiexec
use auxiliary/scanner/smb/pipe_auditor
use auxiliary/scanner/smb/pipe_dcerpc_auditor
use auxiliary/scanner/smb/psexec_loggedin_users
use auxiliary/scanner/smb/smb1
use auxiliary/scanner/smb/smb2
use auxiliary/scanner/smb/smb_enum_gpp
use auxiliary/scanner/smb/smb_enumshares
use auxiliary/scanner/smb/smb_enumusers
use auxiliary/scanner/smb/smb_enumusers_domain
use auxiliary/scanner/smb/smb_login
use auxiliary/scanner/smb/smb_lookupsid
use auxiliary/scanner/smb/smb_ms17_010
use auxiliary/scanner/smb/smb_uninit_cred
use auxiliary/scanner/smb/smb_version

rdp:

msf5 auxiliary(scanner/smb/smb_enumshares) > use auxiliary/scanner/rdp/
use auxiliary/scanner/rdp/cve_2019_0708_bluekeep
use auxiliary/scanner/rdp/ms12_020_check
use auxiliary/scanner/rdp/rdp_scanner

http: not covered here; the process is similar to web penetration.

3306: MySQL only accepts local connections by default, which is why this is nothing to worry about for local development, unless a dumbed-down (allow-anything) configuration was applied.

root@kali:~# mysql -h 192.168.118.130 -u root -p -P 3306
Enter password:
ERROR 1130 (HY000): Host '192.168.118.128' is not allowed to connect to this MySQL server

msf5 exploit(multi/handler) > use auxiliary/scanner/mysql/mysql_login
msf5 auxiliary(scanner/mysql/mysql_login) > set rhosts 192.168.118.130
rhosts => 192.168.118.130
msf5 auxiliary(scanner/mysql/mysql_login) > set username root
username => root
msf5 auxiliary(scanner/mysql/mysql_login) > set pass_file /root/password.txt
pass_file => /root/password.txt
msf5 auxiliary(scanner/mysql/mysql_login) > run

[-] 192.168.118.130:3306 - 192.168.118.130:3306 - Unsupported target version of MySQL detected. Skipping.
[*] 192.168.118.130:3306 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

II. Scanning through a proxy

There are many ways to do this; I have personally used ew, reg, ssh and msf, and there are of course other good options.

Here I try msf + proxychains (extremely unstable).

1. MSF SOCKS

use auxiliary/server/socks4a
msf5 auxiliary(server/socks4a) > set srvhost 192.168.118.131
srvhost => 192.168.118.130
msf5 auxiliary(server/socks4a) > run
[*] Auxiliary module running as background job 1.

[*] Starting the socks4a proxy server

2. Edit the proxychains configuration

root@kali:~# vim /etc/proxychains.conf

socks4 192.168.118.131 3000

proxychains does not support the UDP and ICMP protocols (a problem I ran into when using it before; this is part of the explanation I found by searching).

3. nmap through the proxy

root@kali:~# proxychains nmap -sT -sV -Pn -n -p22,80,135,139,445 192.168.118.130
ProxyChains-3.1 (http://proxychains.sf.net)

Starting Nmap 7.60 ( https://nmap.org ) at 2019-09-21 09:50 CST
|S-chain|-<>-192.168.118.130:1080-<--timeout
|S-chain|-<>-192.168.118.130:1080-<--timeout
|S-chain|-<>-192.168.118.130:1080-<--timeout
|S-chain|-<>-192.168.118.130:1080-<--timeout
|S-chain|-<>-192.168.118.130:1080-<--timeout
Nmap scan report for 192.168.118.130
Host is up (0.0063s latency).

PORT STATE SERVICE VERSION
22/tcp closed ssh
80/tcp closed http
135/tcp closed msrpc
139/tcp closed netbios-ssn
445/tcp closed microsoft-ds
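The all-closed result above is a failure mode of proxied scanning rather than a finding: every |S-chain| line ends in timeout, meaning no connect() ever reached 192.168.118.130 through the SOCKS server, and nmap reports a port it could not connect to as closed. The script below is an added example, not the post's own tooling and not part of proxychains or nmap: it parses the chain lines and the port table from output of the shape shown above, reads the [ProxyList] section of a proxychains.conf excerpt, and downgrades every closed verdict to inconclusive when no hop succeeded. It also reports when the proxy that proxychains actually used is not the one in the config (on this page the config line says 192.168.118.131 3000 while the chain lines show 192.168.118.130:1080). The config excerpt is constructed, with only the socks4 line taken from the post.

```python
import re

# Constructed sample: the proxychains + nmap output from this post, chain lines one per line.
PROXIED_SCAN_OUTPUT = """\
ProxyChains-3.1 (http://proxychains.sf.net)
Starting Nmap 7.60 ( https://nmap.org ) at 2019-09-21 09:50 CST
|S-chain|-<>-192.168.118.130:1080-<--timeout
|S-chain|-<>-192.168.118.130:1080-<--timeout
|S-chain|-<>-192.168.118.130:1080-<--timeout
|S-chain|-<>-192.168.118.130:1080-<--timeout
|S-chain|-<>-192.168.118.130:1080-<--timeout
Nmap scan report for 192.168.118.130
Host is up (0.0063s latency).

PORT STATE SERVICE VERSION
22/tcp closed ssh
80/tcp closed http
135/tcp closed msrpc
139/tcp closed netbios-ssn
445/tcp closed microsoft-ds
"""

# Constructed proxychains.conf excerpt; only the socks4 line comes from the post.
PROXYCHAINS_CONF = """\
strict_chain
proxy_dns
tcp_read_time_out 15000
tcp_connect_time_out 8000
[ProxyList]
socks4 192.168.118.131 3000
"""

CHAIN_LINE = re.compile(r"^\|S-chain\|-<>-([^:\s]+):(\d+)-(.*)$")
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")
PROXY_ENTRY = re.compile(r"^(socks4|socks5|http)\s+(\S+)\s+(\d+)")

def parse_proxychains_conf(text):
    """Return the host:port proxies listed under [ProxyList]."""
    proxies, in_list = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[ProxyList]"):
            in_list = True
            continue
        m = PROXY_ENTRY.match(line) if in_list else None
        if m:
            proxies.append(f"{m.group(2)}:{m.group(3)}")
    return proxies

def parse_chain_lines(text):
    """One record per |S-chain| line: which proxy was used and whether the hop worked."""
    hops = []
    for raw in text.splitlines():
        m = CHAIN_LINE.match(raw.strip())
        if not m:
            continue
        host, port, tail = m.groups()
        if tail.endswith("OK"):          # ...-<><>-target:port-<><>-OK
            status = "ok"
        elif "timeout" in tail:          # ...-<--timeout
            status = "timeout"
        else:                            # e.g. ...-<--denied
            status = "failed"
        hops.append({"proxy": f"{host}:{port}", "status": status})
    return hops

def parse_nmap_ports(text):
    """Port table rows from nmap's normal output."""
    rows = []
    for raw in text.splitlines():
        m = PORT_LINE.match(raw.strip())
        if m:
            rows.append({"port": int(m.group(1)), "state": m.group(3), "service": m.group(4)})
    return rows

def assess_proxied_scan(output, configured_proxies=()):
    """Decide which nmap verdicts can be trusted given what the proxy chain actually did."""
    hops = parse_chain_lines(output)
    ok_hops = sum(1 for h in hops if h["status"] == "ok")
    problems = []
    if hops and ok_hops == 0:
        problems.append("no connection ever got through the proxy; every 'closed' is inconclusive")
    used = {h["proxy"] for h in hops}
    if configured_proxies and used and not used & set(configured_proxies):
        problems.append(f"chain used {sorted(used)} but the config lists {list(configured_proxies)}")
    verdicts = {}
    for row in parse_nmap_ports(output):
        # A closed verdict only means something if at least one connect() reached the target.
        verdicts[row["port"]] = "inconclusive" if row["state"] == "closed" and ok_hops == 0 else row["state"]
    return {"hops": len(hops), "ok_hops": ok_hops, "problems": problems, "ports": verdicts}

if __name__ == "__main__":
    result = assess_proxied_scan(PROXIED_SCAN_OUTPUT, parse_proxychains_conf(PROXYCHAINS_CONF))
    for problem in result["problems"]:
        print("problem:", problem)
    for port, verdict in sorted(result["ports"].items()):
        print(f"{port}/tcp {verdict}")
```

The scan flags used on the page follow from the UDP/ICMP limitation noted above: proxychains can only relay TCP connect() calls, so -sT (connect scan) is required, -Pn skips the ICMP host discovery that would otherwise report the host as down, and -n avoids DNS lookups that the proxy cannot carry. The "Host is up" line is therefore not evidence of anything when -Pn is set; only a chain line ending in OK is.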

4. Firefox through the proxy

proxychains firefox

It crashed, and the shell died outright.

III. Obtaining target credentials or privileges through the phase-one web host

Golden ticket

Saved account credentials that may exist locally

exp

2019.9.21
