编写通过 webshell 提权的 Suricata 规则——测试（9001070-9001081）
1. 主机 A：监听服务（仅回复固定的 200 OK，作为测试流量的接收端）
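import socket
import threading

HOST = "10.66.66.1"
PORTS = [80, 5985]

# Fixed reply for every request. The stub never parses or acts on the request
# bytes; it only exists so the IDS observes a complete HTTP transaction.
RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\nConnection: close\r\n\r\nOK"


def serve(port, host=HOST):
    """Accept connections on (host, port) forever, answering each with RESPONSE.

    Args:
        port: TCP port to listen on.
        host: Address to bind; defaults to the module-level HOST so existing
            callers (``serve(port)``) behave as before.

    Raises:
        OSError: if the socket cannot be bound (port in use, or a privileged
            port without sufficient rights). A failed bind should be loud,
            not silently leave one of the test ports unserved.
    """
    with socket.socket() as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((host, port))
        srv.listen(50)
        print(f"listening on {host}:{port}", flush=True)
        while True:
            conn, _addr = srv.accept()
            # `with conn` guarantees the client socket is closed on every path.
            with conn:
                try:
                    conn.settimeout(2)
                    # One read is enough: the request is a sink, not parsed.
                    conn.recv(65535)
                    conn.sendall(RESPONSE)
                except OSError:
                    # Best effort: a slow, reset or half-open client must not
                    # take the listener down mid-test-run.
                    pass


def main():
    """Start one daemon listener thread per port and block until interrupted."""
    for port in PORTS:
        threading.Thread(target=serve, args=(port,), daemon=True).start()
    threading.Event().wait()


# Guarded so importing this module (e.g. from a test) does not bind sockets
# or block forever; running it as a script behaves exactly as before.
if __name__ == "__main__":
    main()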
2. 主机 B：发送测试请求（每个 SID 对应一条请求）
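#!/usr/bin/env bash
# Replay harness for Suricata test rules 9001070-9001081.
# Each request carries one keyword string that the matching rule is expected to
# hit in the HTTP request body. The peer (host A) only answers "200 OK" and
# never interprets the body; nothing here is executed on either side.
set -u

HOST=10.66.66.1

# send_req SID PORT REQUEST
#   Sends one raw HTTP request to ${HOST}:PORT and waits briefly for the reply.
#   The Content-Length header inside REQUEST is rewritten to the real body
#   length before sending: the hard-coded values in the request literals do not
#   match their bodies (e.g. 52 for a 55-byte body), and an inconsistent
#   Content-Length can make the IDS HTTP parser treat the request as incomplete
#   or malformed, so a missed alert would reflect the harness, not the rule.
send_req() {
  local sid="$1"
  local port="$2"
  local req="$3"
  echo "[*] send SID ${sid} -> ${HOST}:${port}"
  python3 - "$HOST" "$port" "$req" <<'PY'
import re
import socket
import sys

host, port, req = sys.argv[1], int(sys.argv[2]), sys.argv[3]

# Make the request self-consistent: Content-Length must equal the body length.
head, sep, body = req.partition("\r\n\r\n")
if sep:
    head = re.sub(r"(?i)Content-Length:\s*\d+",
                  f"Content-Length: {len(body.encode())}", head)
    req = head + sep + body

with socket.socket() as s:
    s.settimeout(3)
    s.connect((host, port))
    s.sendall(req.encode())
    try:
        s.recv(1024)
    except OSError:
        # Reply is irrelevant to the test; a timeout or reset is not an error.
        pass
PY
  # Pace the requests so each one is an easily separated flow in the IDS log.
  sleep 1
}

# 9001070 sekurlsa::logonpasswords
send_req 9001070 80 $'POST /submit HTTP/1.1\r\nHost: 10.66.66.1\r\nContent-Length: 52\r\nConnection: close\r\n\r\ncmd=powershell invoke-mimikatz sekurlsa::logonpasswords'

# 9001071 lsadump::sam
send_req 9001071 80 $'POST /submit HTTP/1.1\r\nHost: 10.66.66.1\r\nContent-Length: 40\r\nConnection: close\r\n\r\ncommand=mimikatz lsadump::sam'

# 9001072 lsadump::dcsync
send_req 9001072 80 $'POST /submit HTTP/1.1\r\nHost: 10.66.66.1\r\nContent-Length: 43\r\nConnection: close\r\n\r\nexec=mimikatz lsadump::dcsync'

# 9001073 privilege::debug
send_req 9001073 80 $'POST /submit HTTP/1.1\r\nHost: 10.66.66.1\r\nContent-Length: 44\r\nConnection: close\r\n\r\ncmd=invoke-mimikatz privilege::debug'

# 9001074 kerberos::golden
send_req 9001074 80 $'POST /submit HTTP/1.1\r\nHost: 10.66.66.1\r\nContent-Length: 44\r\nConnection: close\r\n\r\ncmd=invoke-mimikatz kerberos::golden'

# 9001075 SharpHound + CollectionMethod
send_req 9001075 80 $'POST /collect HTTP/1.1\r\nHost: 10.66.66.1\r\nContent-Length: 47\r\nConnection: close\r\n\r\nSharpHound CollectionMethod All ZipFileName x'

# 9001076 BloodHound + neo4j
send_req 9001076 80 $'POST /collect HTTP/1.1\r\nHost: 10.66.66.1\r\nContent-Length: 30\r\nConnection: close\r\n\r\nBloodHound neo4j bolt://db01'

# 9001077 ntdsutil + IFM/NTDS context
send_req 9001077 80 $'POST /export HTTP/1.1\r\nHost: 10.66.66.1\r\nContent-Length: 52\r\nConnection: close\r\n\r\nntdsutil activate instance ntds ifm create full'

# 9001078 reg save SAM + SYSTEM over /wsman
send_req 9001078 5985 $'POST /wsman HTTP/1.1\r\nHost: 10.66.66.1\r\nContent-Length: 62\r\nConnection: close\r\n\r\nCommandLine reg save HKLM\\SAM x reg save HKLM\\SYSTEM y'

# 9001079 comsvcs.dll MiniDump lsass over /wsman
send_req 9001079 5985 $'POST /wsman HTTP/1.1\r\nHost: 10.66.66.1\r\nContent-Length: 49\r\nConnection: close\r\n\r\nCommandLine rundll32 comsvcs.dll MiniDump lsass'

# 9001080 vssadmin create shadow c: over /wsman
send_req 9001080 5985 $'POST /wsman HTTP/1.1\r\nHost: 10.66.66.1\r\nContent-Length: 38\r\nConnection: close\r\n\r\nCommandLine vssadmin create shadow c:'

# 9001081 setspn /Q */ over /wsman
send_req 9001081 5985 $'POST /wsman HTTP/1.1\r\nHost: 10.66.66.1\r\nContent-Length: 25\r\nConnection: close\r\n\r\nCommandLine setspn /Q */'

echo "[*] done"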
