Intranet intrusion caused by a Cacti monitoring injection vulnerability
Preface:
Security is a whole: any weak link can lead to a security incident. From the border network to the IDC O&M network to the office network, no segment can be ignored.
Multi-layer protection does not mean an IDS, a WAF and anti-virus software, as if those alone could solve the problem. Why is the intranet so vulnerable? Can these protection policies actually detect an attack when one happens?
Case: from injection, to shell, to the internal domain controller
The entire incident was caused by a Cacti injection vulnerability. Cacti in Centreon Enterprise Server versions 2.2 to 3.0 has both a remote SQL injection and a remote command injection vulnerability.
After getting a shell (GETSHELL), the interesting discovery was that the host sits on an intranet: a typical internal service exposed to the Internet through port mapping on the router. At first glance the security level looks very high.
Network Topology:
From the network architecture we can work out the target's intranet environment. The host runs CentOS 6.5 with a fairly new kernel, so kernel privilege escalation was given up; without ROOT, the work had to be done with low-privilege tools, and the intranet had to be forwarded out to an Internet proxy.
At this point the packets of this intranet machine are being forwarded to the Internet, and the proxy tool comes into play. Although this is an intranet environment, the traffic actually goes out to the Internet and comes back into the intranet, so scan concurrency cannot be too high or firewall rules are easily triggered. The number of concurrent processes was set to the minimum, and packets were slowly routed through the firewall.
A series of service scans yielded N weak WEB service passwords in the C segment. One of them was an ECS instance, whose management interface was exposed.
Further analysis of the cloud system showed that an email script on a monitoring server contained a password; that password was used to build a dictionary, and the various scans continued against the other intranet segments.
Checking the server administrator's access records showed SSH logins from 192.168.XX, an office-network address.
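The post notes that scanning from the pivot host was throttled to the minimum concurrency so that firewall rules would not fire. The following Ruby script is an added example (not code from the post) of the corresponding detection logic on the defender's side: it reads firewall log lines and, for each source address, counts the distinct destination/port targets reached within a sliding time window. The log format, the addresses and the two hosts in the sample are constructed for the example; the point it demonstrates is that the same low-and-slow probing which is invisible to a per-minute threshold stands out clearly once the window is widened to an hour.

```ruby
require 'time'

LogEvent = Struct.new(:time, :src, :dst, :dport)

# Constructed log format (hypothetical, not a real firewall's):
# "<ISO-8601 time> src=<ip> dst=<ip> dport=<port> action=<allow|deny>"
LINE_RE = /\A(?<ts>\S+) src=(?<src>\S+) dst=(?<dst>\S+) dport=(?<dport>\d+)/

def parse_line(line)
  m = LINE_RE.match(line)
  return nil unless m
  LogEvent.new(Time.iso8601(m[:ts]), m[:src], m[:dst], m[:dport].to_i)
end

# For every source, the largest number of distinct (dst, dport) targets it
# reached inside any sliding window of window_s seconds.
def max_distinct_targets(events, window_s)
  result = Hash.new(0)
  events.group_by(&:src).each do |src, evs|
    evs = evs.sort_by(&:time)
    counts = Hash.new(0) # target => number of hits inside the current window
    left = 0
    evs.each_with_index do |ev, right|
      counts[[ev.dst, ev.dport]] += 1
      # advance the left edge until the window spans at most window_s seconds
      while evs[right].time - evs[left].time > window_s
        old = [evs[left].dst, evs[left].dport]
        counts[old] -= 1
        counts.delete(old) if counts[old].zero?
        left += 1
      end
      result[src] = counts.size if counts.size > result[src]
    end
  end
  result
end

# Sources that touched at least `threshold` distinct targets within one window.
def scanners(lines, window_s:, threshold:)
  events = lines.map { |l| parse_line(l) }.compact
  max_distinct_targets(events, window_s).select { |_, n| n >= threshold }.keys.sort
end

# Constructed sample traffic for one hour: a normal host polling two services,
# and a low-and-slow scanner sending one probe every 45 seconds.
def constructed_log
  base = Time.utc(2014, 6, 1, 9, 0, 0)
  lines = []
  120.times do |i|
    t = (base + 30 * i).iso8601
    lines << "#{t} src=10.0.5.20 dst=10.0.6.10 dport=443 action=allow"
    lines << "#{t} src=10.0.5.20 dst=10.0.6.11 dport=3306 action=allow"
  end
  ports = [22, 80, 443, 3306, 8080, 8443, 9200, 27017, 5432, 6379]
  80.times do |i|
    t = (base + 45 * i).iso8601
    lines << "#{t} src=10.0.5.7 dst=10.0.6.#{10 + i % 8} dport=#{ports[i % 10]} action=deny"
  end
  lines.shuffle(random: Random.new(1)) # logs rarely arrive perfectly ordered
end

if __FILE__ == $PROGRAM_NAME
  log = constructed_log
  puts "60 s window, >=20 targets:   #{scanners(log, window_s: 60, threshold: 20).inspect}"
  puts "3600 s window, >=20 targets: #{scanners(log, window_s: 3600, threshold: 20).inspect}"
end
```

With the sample data the one-minute window reports nothing, because the scanner never reaches more than two targets in any sixty seconds, while the one-hour window flags 10.0.5.7 with forty distinct targets. A rule that only looks at per-minute rates is exactly what the attacker in the post was tuning the concurrency to stay under; keeping a long-window distinct-target count per internal source, and alerting on denied probes from hosts that have no business reaching other segments, closes that gap.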
An office-network domain server was obtained, and a Windows Group Policy configuration defect was used to get SYSTEM and escalate to domain administrator: a Ruby script decrypts the AD domain controller management password stored in the Groups.xml file (the editor can only say that luck was good and the password was still valid, damn!)
C:\Users\All Users\Microsoft\Group Policy\History{A1C0C41B-D2F8-401B-A5D1-437DA197A809}\Machine\Preferences\Groups\Groups.xml
The Ruby GPP decryption script gpp.rb is attached:
require 'rubygems'
require 'openssl'
require 'base64'

# cpassword value copied from Groups.xml; pass it as the first argument instead
encrypted_data = ARGV[0] || "The Password here(SecPulse.com)"

def decrypt(encrypted_data)
  # the cpassword attribute is stored without Base64 padding; restore it
  padding = "=" * (4 - (encrypted_data.length % 4))
  epassword = "#{encrypted_data}#{padding}"
  decoded = Base64.decode64(epassword)
  # static AES-256 key that Microsoft published for Group Policy Preferences
  key = "\x4e\x99\x06\xe8\xfc\xb6\x6c\xc9\xfa\xf4\x93\x10\x62\x0f\xfe\xe8\xf4\x96\xe8\x06\xcc\x05\x79\x90\x20\x9b\x09\xa4\x33\xb6\x6c\x1b"
  aes = OpenSSL::Cipher.new("AES-256-CBC")
  aes.decrypt
  aes.key = key
  # the IV is left at the OpenSSL default of all zeros
  plaintext = aes.update(decoded)
  plaintext << aes.final
  # the password is UTF-16LE; keep the low byte of each code unit
  pass = plaintext.unpack('v*').pack('C*')
  return pass
end

puts decrypt(encrypted_data)
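The configuration defect behind this step is that Group Policy Preferences stored account passwords in XML files under SYSVOL and in the local Group Policy History folder quoted above, encrypted with a key that Microsoft had published. The defender's counterpart to the decryption script is an audit that finds every such password so it can be removed (Microsoft stopped the feature in MS14-025, but files written before the patch stay in place). The Ruby script below is an added example, not code from the post: it walks a directory tree, opens the GPP files that can carry a cpassword attribute, and reports the file, the element, the account it belongs to and whether the stored value is empty. The Groups.xml sample is constructed for the example and its cpassword value is a placeholder, not a real encrypted password.

```ruby
require 'rexml/document'

# GPP preference files that can carry a cpassword attribute
GPP_FILES = %w[Groups.xml Services.xml ScheduledTasks.xml
               DataSources.xml Drives.xml Printers.xml].freeze

# Attributes that name the account a cpassword belongs to, by file type
ACCOUNT_ATTRS = %w[userName accountName runAs username].freeze

# Constructed Groups.xml (placeholder uid and cpassword, not real values)
SAMPLE_GROUPS_XML = <<~XML
  <?xml version="1.0" encoding="utf-8"?>
  <Groups>
    <User name="Administrator (built-in)" image="2" changed="2014-05-12 08:31:07" uid="{PLACEHOLDER-GUID}">
      <Properties action="U" cpassword="PLACEHOLDER-CPASSWORD-VALUE" noChange="1" neverExpires="1"
                  subAuthority="RID_ADMIN" userName="Administrator (built-in)"/>
    </User>
    <User name="svc-backup" image="2" changed="2014-05-20 10:02:41" uid="{PLACEHOLDER-GUID-2}">
      <Properties action="C" cpassword="" userName="svc-backup"/>
    </User>
  </Groups>
XML

# One entry per element that carries a cpassword attribute.
def find_cpassword_entries(xml, path = "<string>")
  doc = REXML::Document.new(xml)
  entries = []
  REXML::XPath.each(doc, "//*[@cpassword]") do |el|
    parent = el.parent
    account = ACCOUNT_ATTRS.map { |a| el.attributes[a] }.compact.first
    entries << {
      file: path,
      element: parent.respond_to?(:name) ? parent.name : el.name,
      account: account || parent.attributes["name"],
      changed: parent.attributes["changed"],
      empty: el.attributes["cpassword"].to_s.empty?
    }
  end
  entries
end

# Walk a SYSVOL share or a local Group Policy History folder.
def audit_gpp_tree(root)
  Dir.glob(File.join(root, "**", "*.xml")).flat_map do |f|
    next [] unless GPP_FILES.include?(File.basename(f))
    find_cpassword_entries(File.read(f), f)
  end
end

def report(entries)
  entries.map do |e|
    state = e[:empty] ? "empty cpassword" : "STORED PASSWORD, remove it"
    "#{e[:file]}: #{e[:element]} '#{e[:account]}' changed #{e[:changed]}: #{state}"
  end
end

if __FILE__ == $PROGRAM_NAME
  entries = ARGV[0] ? audit_gpp_tree(ARGV[0]) : find_cpassword_entries(SAMPLE_GROUPS_XML, "Groups.xml")
  puts report(entries)
end
```

Run it against a copy of SYSVOL\<domain>\Policies or the local History folder quoted above; every entry reported with a stored password is a credential that anyone with read access to the share can recover, so the fix is to delete the preference item and rotate the account, not merely to install the patch. An empty cpassword is still worth reporting because it shows which preference items once carried a password and may have been applied before the value was cleared.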
Log on to the domain controller, dump the domain administrator account and password from memory with mimikatz, and use vssown.vbs + libesedb + NtdsXtract to obtain the domain database ntds.dit and the SYSTEM hive.
At this point the intranet AD domain controller is taken, and with it the Exchange MAIL server.
Security thinking: most enterprises only provide single-dimension security protection. Attackers get into the enterprise's internal network through 0-day attacks or through attacks enabled by insufficient security awareness, yet to this day many detection systems still rely on signatures for discovery. Unknown attack methods therefore have to be judged by behaviour, defence has to be carried out in more layers, and policies have to be developed and established for each vulnerability and each hacker attack method.
"However high the Way, the Devil is higher": network attack and defence is a long-term game between the two sides on a "battlefield". Today's security development, beyond passive protection, also needs the idea of "active defence".