A man's martial arts: the idea of Intranet penetration testing (2)
Web penetration (previous article)Http://www.bkjia.com/Article/201412/357403.htmlDifferent, Intranet penetration requires more randomness and breakthrough, and the situation is more complicated. When encountering obstacles, sometimes you can use different ideas to break through. In many cases, you can only stop here. Here are some of my summary of Intranet penetration experience. Mainly in windows.
0 × 01 dipper
(When obtaining webshell, find a way to obtain system information and obtain system permissions)
1. webshell has been obtained through conventional web penetration. Next, we will test the system information and raise the right. For windows, we will try to enable the Remote Desktop Connection, and for linux, we will try to use the reverse shell to connect to the local device.
① Webshell should be able to call the system cmd to execute some simple commands. Then, whoami (view current permissions), netuser (view users/groups), and systeminfo (view system patch fixes) and other common commands should be first executed
Probe.
I: Do not have system permissions:
① Serv-U Elevation of Privilege. Many webshells now integrate the Serv-U one-click Elevation of Privilege function. You only need to click it to have the system permission, which is simple and fast.
② SQL Server uses the webshell directory flip function to retrieve database configuration files under the root directory of the website. For example, php is config. php; generally, the user name/password of the database login information will be found when you view the file content (password md5 or other encryption methods can be decrypted ), if webshell or database port is enabled, use tools such as Database Connection Tool Navicat to connect to the database.
Connect to the database and check whether xp_mongoshell exists,Extended Stored ProcedureWhether to enable or not, use xp_cmdshell to execute system commands, add users, and enable remote desktop.
Common commands:
Select count (*) from master. dbo. sysobjectswhere xtype = 'X' and name = 'xp _ cmdshell' the returned value is 1, that is, there is xp_cmdshell Stored Procedure exec master. dbo. sp_addextendedproc 'xp _ external shell', 'xp log70. dll 'add external shell (Sqlserver 2000) exec sp_configure 'show advanced options', 1; when the advanced options parameter is set to 1, the system can modify advanced options; reconfigure; exec sp_configure 'xp _ external shell', 1; enable the extended stored procedure; reconfigure; (Sqlserver 2005) execute the command through xp_external shell: exec master. dbo. xp_cmdshell 'COMMAND'
③ MYSQL Elevation of Privilege. Like SQL Server, first find the database connection file to find the database login information, log on to the MYSQL database, and use MYSQL's Create Function to add custom functions, add command execution functions to mysql to execute system commands. The file to be used is udf. dll.
There are also some automated tools to complete the above operations.
II: system permissions:
Use wehshell to execute related commands and add users.
② Possible obstacles:
1. Unable to execute the cmd command:
It is possible that the command to be executed does not have the execution permission or the system32/cmd file itself is denied to be called. Generally, you can upload the cmd command program by yourself to grant the current user the permission.
2. Add User commands
Net user/add cannot be executed:
Generally, the net.exe file does not contain the "deny" feature, which can be solved by uploading the "net.exe" file. When commands such as tasklist cannot be executed, you can upload the corresponding executable file.
3. the SQL Server extended stored procedure cannot be enabled:
When the Administrator reinforces the database, the xplog70.dll file is deleted by the Administrator, so that the extended database storage process cannot be started successfully. The solution is to upload the xplog70.dll file.
4. the file cannot be uploaded under the directory, or the execution permission of the uploaded file is insufficient:
Based on the execution permission of the file directory, first find the readable and writable directory. If it is not easy to find, it is generally recommended to upload the file to the recycler folder of the corresponding drive letter, this folder exists under each disk by default and has the read, write, and execution permissions.
5. The new user is successfully created, but the Administrator group cannot be determined:
If the administrator group is not clearly identified, the system administrator has renamed the administrator group when the new user is added to the administrator group. In this case, the administrator group name needs to be queried and then added to the corresponding group.
6. Although port 3389 is enabled, Remote Desktop cannot be connected:
Generally, this is caused by port restrictions imposed by the windows Firewall or security devices at the network exit of the remote server, such as the firewall's external port restrictions, at this time, we will sacrifice the LCX port forwarding tool of the predecessor, forward the corresponding port to the commonly used port, and then the forwarded port from the external connection.
2. The webshell is not obtained through conventional penetration. However, due to incorrect middleware configuration, you can upload the shell.
Middleware such as Apache and Tomcat run with the system permission. There is a manager in the Management Console. You can use the console to upload webshells in jsp and war formats to try weak passwords or brute-force password cracking, to further execute system commands.
3. SQL Injection exists on the Web. The database is SQLServer. With the feature of SQL Server, you can enable the Extended Stored Procedure xp_mongoshell to add administrator users/groups and enable remote desktop.Or, if MYSQL is injected in web SQL, you do not use webshell to read the file to obtain the database connection password and directly use the database connection tool from outside to escalate the permission.
4. Elevation of Privilege by exploiting known System Vulnerabilities,Execute systeminfo in wehsf-to determine system patching conditions, so that metasploit can be used to escalate permissions and payloads can be used to enable remote desktop.In windows more famous vulnerabilities such as MS-08067, MS11-080, MS11-046 and so on.
V. For Linux systems:
① When obtaining the webshell, the general process is to use the corresponding exp or execute the uploaded script, rebound the shell to connect locally, and run the Elevation of Privilege program to obtain the root permission.
Like in windows, in Linux, the following figure shows how to use webshell to execute whoami to determine the current user, run uname-r to determine the Linux kernel version, and find the corresponding exp according to the version; of course, for many versions of Linux kernel, there is no exp to execute. In many cases, you can only stop or find another way. Common tool nc.
② Possible obstacles:
1. The local connection fails during shell rebound:
Generally, this is because the Linux iptables firewall imposes port restrictions or there are security devices at the network exit of the remote server, such as the firewall's external port restrictions, at this time, we will sacrifice the LCX port forwarding tool of our predecessors to forward the corresponding ports to the commonly used ports.
2. The Elevation of Privilege exp or the script compiled remotely cannot be executed:
Check whether the current file has the read, write, and execute permissions. Try to modify the Directory and file permissions and use chmod u + x, if the permission cannot be modified, find a directory with the permission to re-upload and execute.
6. One-sentence Trojan Horse:
The advantage of using webshell is its powerful functions, but the disadvantages of webshell are as follows:
1. It is easy to be cleared by administrators. 2. Complex redundancy functions may not be available according to different situations. 3. It is difficult to upload webshells in web applications.
For a single-sentence Trojan, you can directly Insert the trojan in a web application based on the actual situation. The chopper can easily connect to a single-sentence directory and perform database management and custom cmd path execution. The main advantage is that it is not easy to be scanned and killed, and it is not easy to be discovered by administrators. After a webshell is uploaded, creating a trojan connection file in a readable and writable directory is also a way to save the backdoor. At the same time, remember to hide and rename the file name of a Trojan to config. php, run. php, and other system file names.
0 × 02 play ox in the mountains
(When you get a server, you can get more servers and more useful information from the Intranet)
1. Information Acquisition
Information retrieval is always the first step. You can find more information by using the Administrator's negligence or weak passwords on the Intranet.
① You can use the tool pwdump to capture the Administrator's hash. In combination with the rainbow table or online hash cracking, you can obtain the Administrator's plaintext password, which can be used as your own password table, try to log on to other machines on the Intranet.
② View the connection information of the Remote Desktop. Generally, machines frequently connected through the Remote Desktop are saved in the drop-down menu when the program is opened. If the administrator chooses to remember the password, you can easily jump to other machines.
③ If there are database management tools and ftp management tools, such as Navicat, SecureCRT, and flashfxp, check whether the password is saved and try to log in.
④ Each browser saves the login password as its own password table and tries to log on to other machines on the Intranet.
⑤ There is no VPN connection information.
2. Intranet Detection
① Run the command arp-a in cmd to view the IP address of the adjacent host.
② By uploading some tools, such as Cain, you can detect the passwords cached by the local program and sniff the username and password of adjacent machines.
③ Some tools, such as HScan, can be uploaded to detect the IP addresses, ports, enabled services, and other information of active machines in the same segment, including weak passwords of active machines.
④ Jump to the corresponding server through the local Remote Desktop.
⑤ Like web penetration, during port/service detection, you can use matesploit for overflow attacks based on the detected service version information and known vulnerabilities to obtain the corresponding server permissions.
3. Find the vswitch/vro
Find a device similar to vswitch/F5 through Intranet port/IP scan. If the network device does not have special security reinforcement, it generally does not set the permission password or use the default password/weak password, which is a good breakthrough. You can also download the configuration file of the vro/vswitch to read the login password. After obtaining the network device, you can be aware of the topological structure of the network segment.
In terms of Intranet penetration, it is more in-depth by taking advantage of omissions of administrators or user groups, which is highly random. In many cases, it is also endless and helpless. However, the ideas and methods are changing. The so-called firewall is not bypassed, and eventually there will be better ways to solve more problems.
The Internet-Intranet penetration Ideas series do not advocate effective intrusion solutions, but help our administrators better resist external threats through summary of various ideas, at the same time, we advocate everyone to be white hats with a sense of social mission. Make common technological advances and learn more in-depth technical details, such as vulnerability mining and analysis, make unremitting efforts to improve our technical level.