An intranet penetration at "the Home"

Source: Internet
Author: User

First:

I didn't want to do anything to this website. I've learned some programming, but people keep coming to me for help... After this job I want to concentrate on programming. As the saying goes, a hacker who can't program isn't very cool... so you know.

On to the subject

  1. Main site exploration
  2. Side-site exploration (other sites on the same server)
  3. Discoveries on the server
  4.  

Joking aside..

Shu had a go at the main site's server, but I didn't; I was too lazy to follow Shu's footsteps to the db-privileged injection point. I hadn't done any injection for a long time and had no love left for it. Then one day Shu excitedly told me he had got a shell on the server and asked me to have a try. I thought: this is an enterprise site, its registered capital is said to be 8100 million yuan, so it must be rich and the servers must be plentiful. If it sits on an intranet I can penetrate the intranet too, so let's go.

By the way, the shell was obtained through injection plus a back-end file upload, so don't bother trying that again.

Looking around from the shell I had quite a lot of privileges and browsed almost everything. The server supported asp, aspx and php. Poking around I saw XAMPP. The administrator was really lazy: mysql was probably running with SYSTEM privileges, and I guessed the root password was still the default blank. Sure enough, when I checked the database connection file the administrator did not disappoint me.

So mysql got a UDF exported straight away, a user with system privileges was added, and I used rootki.asp (a convenient way to log on with the SYSTEM account).
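The chain just described (web shell, XAMPP, mysql running as SYSTEM, blank root password, UDF export) is the classic route from a database password to OS command execution, and a defender can audit most of it statically. The following Python check is an added example, not part of the original write-up: it parses the [mysqld] section of a my.ini/my.cnf and reports the settings that leave the UDF route open. Both configs inside it are constructed, and the XAMPP paths are assumed.

```python
"""Static check of a MySQL/MariaDB server config (my.ini / my.cnf text) for
the settings that let anyone holding the DB password turn FILE privilege
into a UDF library and OS command execution.  Added example, not from the
original write-up; the two configs below are constructed."""

import re


def parse_mysqld(text):
    """Return {option: value} for the [mysqld] section.  MySQL treats '-'
    and '_' in option names as equivalent, so names are normalised to '_';
    bare boolean options such as 'skip-networking' get the value ''."""
    opts, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if section != "mysqld":
            continue
        key, _, val = line.partition("=")
        opts[key.strip().lower().replace("-", "_")] = val.strip().strip('"')
    return opts


LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def assess(text):
    """List the weaknesses relevant to the UDF attack path (empty = fine)."""
    o = parse_mysqld(text)
    findings = []

    # secure_file_priv: unset or '' means SELECT ... INTO DUMPFILE may write
    # anywhere the server process can, including plugin_dir.  NULL disables
    # file import/export entirely; a directory restricts it to that path.
    if o.get("secure_file_priv", "") == "":
        findings.append("secure_file_priv unset or empty: INTO DUMPFILE can "
                        "drop a UDF library into plugin_dir %s"
                        % o.get("plugin_dir", "(default)"))

    # Reachable from other hosts unless networking is off or bound to loopback.
    if "skip_networking" not in o and o.get("bind_address", "0.0.0.0") not in LOOPBACK:
        findings.append("listens on all interfaces: no skip-networking and "
                        "bind-address is not loopback")

    # LOAD DATA LOCAL INFILE is a standard hardening item; the server-side
    # switch defaulted to ON before MySQL 8.0.
    if o.get("local_infile", "1").lower() not in ("0", "off", "false"):
        findings.append("local-infile enabled")

    return findings


# Constructed: roughly what a default XAMPP my.ini on Windows provides.
WEAK_MY_INI = """
[mysqld]
port=3306
basedir="C:/xampp/mysql"
datadir="C:/xampp/mysql/data"
plugin_dir="C:/xampp/mysql/lib/plugin"
"""

# Constructed: the same server with the UDF path closed off.  Running the
# service as a low-privilege account instead of SYSTEM is set on the Windows
# service, not in this file.
HARDENED_MY_INI = """
[mysqld]
port=3306
basedir="C:/xampp/mysql"
datadir="C:/xampp/mysql/data"
plugin_dir="C:/xampp/mysql/lib/plugin"
bind-address=127.0.0.1      # web app and DB live on the same box
secure-file-priv=NULL       # no file import/export at all
local-infile=0
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_MY_INI), ("hardened", HARDENED_MY_INI)):
        print(name, assess(cfg) or ["ok"])
```

The remaining pieces sit outside the config file: on Windows check which account the MySQL service runs as (services.msc or `sc qc <service>`), and inside the server look in mysql.user for accounts with an empty password/authentication_string and for root entries allowed from any host.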

I checked the Remote Desktop port: it hadn't been changed. ipconfig showed a dual-NIC machine, but both addresses were on the intranet. Kingsoft antivirus and Kingsoft management software (I don't remember whether that was the name) were installed.

I tried taskkill and ntsd against the antivirus so I could upload lcx and forward the port, but the key antivirus process could not be killed. I asked Xiao Chen to make the tool undetectable, and he was online.. (I had bought a 90-dollar tplink router for 150 yuan and found I could neither put myself in the DMZ nor map a port. With a proper Internet connection I could do much more: bounce a shell back to me and use metasploit for the intranet... hey hey, I'm drooling.) So I went onto the server and worked from it directly. Painfully slow, I wanted to die... but at least there was a desktop environment, so I didn't always have to live on the command line.

Since this is an intranet, naturally the intranet is the thing to work on. But before moving inward I noticed winwebmail installed on the server; I had first found it while checking the other sites on the same server. Login seems to be restricted by IP, but since I control the server an IP restriction doesn't worry me. It can serve as a source of information later, so I set it aside for now.

I ran various commands in cmd to get a basic picture of the intranet environment.

C:\Documents and Settings\fucker>net view /domain        (list the domains / workgroups)
Domain
-------------------------------------------------------------------------------
MYGROUP
WORKGROUP
The command completed successfully.

C:\Documents and Settings\fucker\Desktop\Pwdump7>net view        (list the visible machines)
Server Name            Remark
-------------------------------------------------------------------------------
\\EFGP
\\IBM
\\IIBM
\\JR141                 jr141
\\JR142
\\JURANZHIJIALEWU
\\JURZJCTI-9897F9
\\LEWU
\\OASERVER
\\POS27                 pos27
\\POS28
\\POS29                 pos29
\\POS30                 pos30
\\USER-87C8B53A9C
The command completed successfully.

C:\Documents and Settings\fucker>net view /domain:workgroup        (machines in the WORKGROUP group)
Server Name            Remark
-------------------------------------------------------------------------------
\\EFGP
\\IBM
\\JR141                 jr141
\\JR142
\\JURANZHIJIALEWU
\\JURZJCTI-9897F9
\\LEWU
\\OASERVER
\\POS27                 pos27
\\POS28
\\POS29                 pos29
\\POS30                 pos30
The command completed successfully.

C:\Documents and Settings\fucker>net view /domain:mygroup        (machines in the MYGROUP group)
Server Name            Remark
-------------------------------------------------------------------------------
\\AP-3850-3             Samba Server Version 3.0.33-0.17.el4
\\GP53                  Samba Server Version 3.0.33-3.28.el5
The command completed successfully.

Honestly, I didn't really know what to do with all this; I went by reading other people's intranet penetration notes....

I used wce and pwdump to export the local machine's hashes (wce can read plaintext passwords from memory, but it didn't work here, I don't know why, so pwdump was used to export the hashes). I built a dictionary file from them and loaded it into hscan for a rough scan of the intranet machines. Weak passwords are common on an intranet, and the ports you scan there are more reliable than from the Internet.

After scanning for a while, the gains were considerable.

This is only part of it; some results are not shown.

The mssql sa password on three servers was 123; taken immediately.

I found feiqiu, an intranet messaging tool, installed, and from it saw that the intranet was very large (it really was; this was later confirmed by sniffing). It could serve as a bridge for social engineering later: impersonate someone and get more information.

Grabbed the hashes and cracked them, and found the pattern..

The administrator password on machine 28 is 1.2.

The administrator password on machine 29 is 1.3.

The administrator password on machine 30 is 1.3.

So I tried Remote Desktop on the machines just before and after 28, and got into machine 27 with the password 1.1, but the other machines didn't work.

All of these machines got a winlogon trojan to record the administrator's logon password. It would be nice if it recorded a domain admin password...

The machine from step 3 also had the weak sa password 123. I grabbed its hash and cracked it to 0o9i8u7y (it looks complicated, but look at your keyboard: it's just a walk across the keys) and planted the winlogon trojan.

Carrying on through the hscan report:

I guessed the administrator password on 192.168.0.21 was easyhome.

(This is how seriously something this sensitive gets protected)

I could see that the scan reports for several machines were almost identical; I wonder whether one machine has several IP addresses assigned.

The admin account presumably has high privileges. sybase was the highest-privileged account on the oracle box, unfortunately also a weak password. Oracle is said to be able to execute commands, but I haven't tried; it seems very troublesome. At that turtle speed a right-click took two seconds. I logged on to the account via telnet but could not execute commands, which puzzled me. I figured it out later while sniffing: these machines seem to process orders. After logging on you are given a menu to choose from, but after choosing a number and pressing Enter it says the connection was lost. Later I hit the same problem logging on with sniffed accounts. I don't know the cause for the moment.

Without command execution there's no privilege escalation. hscan showed port 80 open, and it served the default apache page (does redhat install it by default?). My idea was to upload a php trojan through ftp and bounce back a shell to run commands.

After connecting through ftp I located the web directory but had no upload permission there; I did have it in a subdirectory. I uploaded the php webshell, but it came back blank, I don't know why, so that idea was dead.

I looked online for remote overflow vulnerabilities in the ssh versions in use; nothing came up, so I gave that up for now.

I sorted the information collected so far (administrator account passwords, sensitive bits found in various files) into a new dictionary and ran hscan again.

Some gains: the ftp account of 192.168.0.7 was administrator with password 0o9i8u7y. I connected straight away over Remote Desktop; it turned out to be Windows 2000, which is uncommon.
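The password patterns that keep surfacing above (a keyboard walk that "looks complicated", host-numbered passwords like 1.1/1.2/1.3, the company's own name as a password, and the same password turning up on several hosts) are exactly what a defender should hunt for in an internal password audit. As an added example, not from the original write-up, here is a small Python auditor over (host, account, password) records. The sample records are constructed from the passwords the text reports: the 192.168.0.x prefix for hosts .27-.30 is assumed from the other addresses on the page, the mssql-host-N labels are placeholders, and the organisation word list is an assumption.

```python
"""Weak-password audit for credentials recovered during an internal
assessment: keyboard walks, trivial digit/punctuation strings, the
organisation's own name, and the same password reused across hosts.
Added example, not from the original write-up; SAMPLE is constructed from
the passwords the text reports and ORG_WORDS is an assumption."""

from collections import defaultdict

# QWERTY rows, top to bottom.  Row r sits above row r+1 with a half-key
# offset, so key i on row r is treated as adjacent to keys i-1, i, i+1 on
# the rows directly above and below it, plus its left/right neighbours.
_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]


def _build_adjacency():
    adj = defaultdict(set)
    for r, row in enumerate(_ROWS):
        for i, ch in enumerate(row):
            for j in (i - 1, i + 1):                      # same row
                if 0 <= j < len(row):
                    adj[ch].add(row[j])
            for rr in (r - 1, r + 1):                     # row above / below
                if 0 <= rr < len(_ROWS):
                    for j in (i - 1, i, i + 1):
                        if 0 <= j < len(_ROWS[rr]):
                            adj[ch].add(_ROWS[rr][j])
    return adj


ADJACENT = _build_adjacency()
ORG_WORDS = ("easyhome", "juran")   # assumption: the target's brand names


def is_keyboard_walk(password, min_len=4):
    """True when every consecutive pair of characters is the same key or two
    physically adjacent keys: '0o9i8u7y', 'qwerty', '123456', 'zaq12wsx'."""
    p = password.lower()
    if len(p) < min_len:
        return False
    return all(b == a or b in ADJACENT.get(a, ()) for a, b in zip(p, p[1:]))


def is_trivial(password, max_len=4):
    """Very short and made only of digits/punctuation: '123', '1.2'."""
    return len(password) <= max_len and not any(c.isalpha() for c in password)


def contains_org_word(password, org_words):
    p = password.lower()
    return any(w in p for w in org_words)


def audit(records, org_words=ORG_WORDS):
    """records: iterable of (host, account, password).
    Returns {(host, account, password): [reasons]} for every weak entry."""
    records = list(records)
    hosts_by_password = defaultdict(set)
    for host, _account, password in records:
        hosts_by_password[password].add(host)

    findings = {}
    for host, account, password in records:
        reasons = []
        if is_trivial(password):
            reasons.append("trivial")
        if is_keyboard_walk(password):
            reasons.append("keyboard walk")
        if contains_org_word(password, org_words):
            reasons.append("organisation word")
        if len(hosts_by_password[password]) > 1:
            reasons.append("reused on %d hosts" % len(hosts_by_password[password]))
        if reasons:
            findings[(host, account, password)] = reasons
    return findings


# Constructed sample built from the passwords the write-up reports.  The
# 192.168.0.x prefix for hosts .27-.30 is assumed; mssql-host-N are
# placeholder labels for the three mssql servers with sa = 123.
SAMPLE = [
    ("192.168.0.27", "administrator", "1.1"),
    ("192.168.0.28", "administrator", "1.2"),
    ("192.168.0.29", "administrator", "1.3"),
    ("192.168.0.30", "administrator", "1.3"),
    ("192.168.0.21", "administrator", "easyhome"),
    ("192.168.0.7", "administrator", "0o9i8u7y"),
    ("mssql-host-3", "administrator", "0o9i8u7y"),
    ("mssql-host-1", "sa", "123"),
    ("mssql-host-2", "sa", "123"),
    ("mssql-host-3", "sa", "123"),
]

if __name__ == "__main__":
    for (host, account, password), reasons in sorted(audit(SAMPLE).items()):
        print("%-14s %-14s %-10s %s" % (host, account, password, ", ".join(reasons)))
```

The adjacency rule is deliberately loose (diagonals count), which is what catches zig-zag walks such as 0o9i8u7y that a plain "qwerty substring" check misses; the reuse check is the one that matters most operationally, because a single cracked hash then opens every host that shares it.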

Stuck here, I once again daydreamed about having a public IP and metasploit overflows. While chatting I ran systeminfo on the various servers and found the MS08-067 patch was missing, so I tried to use 08-067 remotely. But every 08-067 "chicken-catching" tool I found online needs a trojan configured for it to download and run. Port 80 was open on the local machine, but downloads from the other intranet machines required http authentication. Why couldn't I find one...
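Finding a missing MS08-067 patch by eyeballing systeminfo on each server is exactly what a patch audit should automate. The following is an added example, not from the original write-up: it parses systeminfo output, checks for the MS08-067 hotfix KB958644 and reports it only on the OS versions the bulletin covered. The three outputs are constructed and use the English field labels; systeminfo localises its labels, so the regex needs adjusting on a Chinese-language Windows.

```python
"""Check `systeminfo` output for the MS08-067 hotfix (KB958644, the Server
service fix) on the OS versions the bulletin covered.  Added example, not
from the original write-up; the three outputs below are constructed and
use English labels (systeminfo localises them)."""

import re

# Bulletin -> hotfix KB as it appears in the Hotfix(s) list.
REQUIRED = {"MS08-067": "KB958644"}

FIELD = re.compile(r"^(Host Name|OS Name|OS Version):\s*(.+?)\s*$")
KB = re.compile(r"\bKB\d{6,7}\b")


def parse_systeminfo(text):
    """Pull host name, OS name/version and the set of installed KBs."""
    info = {"hotfixes": set()}
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            info[m.group(1)] = m.group(2)
        info["hotfixes"].update(KB.findall(line))
    return info


def os_version(info):
    """(major, minor) from e.g. 'OS Version: 5.2.3790 Service Pack 2 Build 3790'."""
    m = re.search(r"(\d+)\.(\d+)\.\d+", info.get("OS Version", ""))
    return (int(m.group(1)), int(m.group(2))) if m else None


def missing_patches(text):
    """Return (host, [bulletins that apply to this OS and whose KB is absent])."""
    info = parse_systeminfo(text)
    ver = os_version(info)
    missing = []
    # MS08-067 covered Windows 2000/XP/2003 (5.x) and Vista/2008 (6.0);
    # the released Windows 7 / 2008 R2 (6.1) were not affected.
    if ver is not None and ver < (6, 1) and REQUIRED["MS08-067"] not in info["hotfixes"]:
        missing.append("MS08-067")
    return info.get("Host Name", "?"), missing


# Constructed systeminfo excerpts (only the fields the parser looks at).
PATCHED = """
Host Name:                 HOST-A
OS Name:                   Microsoft(R) Windows(R) Server 2003, Standard Edition
OS Version:                5.2.3790 Service Pack 2 Build 3790
Hotfix(s):                 3 Hotfix(s) Installed.
                           [01]: KB936357
                           [02]: KB958644
                           [03]: KB967723
"""

UNPATCHED = """
Host Name:                 HOST-B
OS Name:                   Microsoft Windows 2000 Server
OS Version:                5.0.2195 Service Pack 4 Build 2195
Hotfix(s):                 2 Hotfix(s) Installed.
                           [01]: KB936357
                           [02]: KB967723
"""

WIN7 = """
Host Name:                 HOST-C
OS Name:                   Microsoft Windows 7 Professional
OS Version:                6.1.7601 Service Pack 1 Build 7601
Hotfix(s):                 1 Hotfix(s) Installed.
                           [01]: KB976932
"""

if __name__ == "__main__":
    for out in (PATCHED, UNPATCHED, WIN7):
        host, missing = missing_patches(out)
        print(host, "missing:", missing or "none")
```

Absence from the Hotfix(s) list is a prompt to verify rather than proof: confirm with the file version of netapi32.dll or a credentialed vulnerability scan before treating a host as exploitable, and treat a 5.x host that really lacks KB958644 as an emergency, since the flaw is wormable over SMB without credentials.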

I tried the weak passwords hscan had found one by one and discovered there were AIX servers. I had no experience with AIX, but still got some results. I found two more redhat servers; after logging in I could execute commands, so that was easy. The udev exploit failed to escalate, but then a one-liner privilege escalation for kernel 2.6.18-194 worked; I planted a rootkit and left. (I wanted to plant a keylogger too, but forget it: I'd have to download it from the Internet, push it to the linux box over ftp and then install it, and the dns configuration on both linux systems was broken; ping www.91ri.org failed, no external access, so wget was useless. That was the only way, and all the while enduring the 1-2 second mouse lag; I wanted to ride the wind and hit the wall~) There was one more with a variety of exps, and in the end the exp found at http://keio2.cccpan.com/exp succeeded, with the same rootkit.

(This is the one-liner privilege escalation)

I didn't download the rootkit myself; I typed the commands. Rootkit:

http://forum.eviloctal.com/attachment.php?aid=13419#tc_qz_original=47347

Upload it to the tmp directory,

extract it with tar zxvf mafix.tar.gz, enter the directory and give the root file execute permission.

Install the rootkit: ./root <connection password> <port> and press Enter.

On success the echo looks like this:

Next time, connect with putty to that port and enter the password: root privileges.

After a successful installation the directory is deleted automatically, and history -c clears the command history.

Two more servers owned. Naturally I did the honours and downloaded /etc/shadow to crack locally.

Throughout this period I kept finding sensitive data on the hard disks of each server.

There are three Cisco routers.

Logging in with weak passwords failed, and brute-force attempts failed too. Telnetting in echoed:

Lishijie welcomes you! Are you allowed by the administrator? If not, you are not allowed to enter! (something like that)

So I learned the administrator is called lishijie. Searching Baidu for "lishijie" found nothing. The social-engineering database site wouldn't open, so I looked up lishijie in the downloaded csdn database and found several accounts (why csdn, you know)... I didn't want to try them one by one. I checked the files in the lishijie folder in winwebmail and found some relevant information.

I found it in csdn, finally found it.

Login failed. Tired, no love left.

I didn't want to go down the social-engineering route either, to save bothering other people.

Straight to ARP sniffing.

Scanning the machines under the same gateway turned up a printer.

Remote overflows in Microsoft's printing service could be considered, and HP printers may have remote overflows too, but unfortunately I didn't find any.

Two days of sniffing produced nothing. There were lots of telnet records, but all for the menu-style logins I'd had to pick from, which can't execute commands. Unfortunately no root password.

Again I'd guess it's something like an order management server; most of the data exchange was between 10.XX.XX.XX and 192.168.0.XX. Thinking back to feiqiu, I guess the 10.XX.XX.XX addresses are employees' personal PCs.

I didn't want to go on. I felt tired and would never love again.

Simply deface the home page of the main site, then. My first thought was netfuke hijacking, but I didn't know the intranet IP of the main site's server. Earlier I had sniffed the 192.168.0.XX segment, so this time I sniffed 192.168.1.XX for a while. I then found traffic between the machine 192.168.1.5 and the gateway 192.168.1.1 whose host header showed www.juran.com.cn; without doubt this was the main site of "the Home".

You can probably guess the rest. Download netfuke, configure it, click Start, and the home page is replaced.
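Two days of ARP sniffing and a netfuke hijack of the main site's traffic are only possible because nothing on that segment noticed the gateway's MAC address changing. As an added example, not from the original write-up, here is a small detector in Python that parses `arp -a` output and flags the two signs of poisoning: the gateway's entry no longer matches a recorded baseline MAC, and some other IP on the segment claims the same MAC as the gateway. The two ARP caches are constructed (192.168.1.1 and 192.168.1.5 come from the text; the neighbour at .200 and all MAC addresses are made up).

```python
"""Spot ARP-cache poisoning of the kind a LAN sniffer/hijacker relies on by
parsing `arp -a` output: the gateway's IP maps to a MAC that another host
also claims, or to a MAC different from a recorded baseline.  Added
example, not from the original write-up; the two caches below are
constructed (Windows layout; Linux colon-separated MACs parse as well)."""

import re
from collections import defaultdict

ENTRY = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9A-Fa-f]{2}(?:[-:][0-9A-Fa-f]{2}){5})\b")


def parse_arp(text):
    """{ip: mac} for unicast entries.  Broadcast/multicast MACs (group bit
    set in the first octet, e.g. ff-ff-... and 01-00-5e-...) are skipped."""
    table = {}
    for line in text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue
        mac = m.group(2).lower().replace(":", "-")
        if int(mac[:2], 16) & 1:
            continue
        table[m.group(1)] = mac
    return table


def detect_spoof(table, gateway_ip, known_gateway_mac=None):
    """Return a list of alert strings (empty when nothing looks wrong)."""
    alerts = []
    gw_mac = table.get(gateway_ip)
    if gw_mac is None:
        return ["gateway %s not in ARP cache" % gateway_ip]

    if known_gateway_mac:
        baseline = known_gateway_mac.lower().replace(":", "-")
        if gw_mac != baseline:
            alerts.append("gateway MAC changed: expected %s, cache has %s"
                          % (baseline, gw_mac))

    by_mac = defaultdict(set)
    for ip, mac in table.items():
        by_mac[mac].add(ip)
    impostors = by_mac[gw_mac] - {gateway_ip}
    if impostors:
        alerts.append("gateway MAC %s also answers for %s"
                      % (gw_mac, ", ".join(sorted(impostors))))

    # Other IPs sharing one MAC: poisoning of host-to-host traffic, or a
    # legitimately multi-homed box; worth a look either way.
    for mac, ips in by_mac.items():
        if mac != gw_mac and len(ips) > 1:
            alerts.append("MAC %s shared by %s" % (mac, ", ".join(sorted(ips))))
    return alerts


# Constructed `arp -a` output from a host before anything happens...
CLEAN = """
Interface: 192.168.1.5 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-55     dynamic
  192.168.1.20          00-50-56-aa-bb-cc     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

# ...and after a neighbour at .200 has started answering ARP for the gateway.
POISONED = """
Interface: 192.168.1.5 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-1a-2b-3c-4d-5e     dynamic
  192.168.1.20          00-50-56-aa-bb-cc     dynamic
  192.168.1.200         00-1a-2b-3c-4d-5e     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

GATEWAY, GATEWAY_MAC = "192.168.1.1", "00:11:22:33:44:55"   # recorded baseline

if __name__ == "__main__":
    for name, cache in (("clean", CLEAN), ("poisoned", POISONED)):
        print(name, detect_spoof(parse_arp(cache), GATEWAY, GATEWAY_MAC) or ["ok"])
```

Note the caveat the write-up itself raises a few paragraphs earlier: a host legitimately holding several IP addresses also shows one MAC on multiple entries, so the "shared MAC" alert needs a baseline of known multi-homed boxes. The durable fixes are a static ARP entry for the gateway on critical hosts and Dynamic ARP Inspection on the switches.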

To sum up: luck, patience, and a bit of technique. I still complain about my own network situation... metasploit could only be tested locally, which hurts. I recommend putting your machine in the router's DMZ~~

By the way, I want to program properly by the end of the year, so don't come to me for help. Thank you for choosing
