Looking for breakthroughs in penetration

Looking for breakthroughs in penetration
0x00 target search

In daily detection and observation of others, it is found that information collection in the early stage plays a critical role. In many cases, you do not need to study a vulnerability, if you collect enough targets in the early stage, you only need to detect some common high-risk vulnerabilities.

Common ideas

1. network segment information

1) subdomain name

If the domain transfer vulnerability exists, it is the best. Otherwise, the subdomain name will be cracked.

My commonly used software is dnsmap, basic usage

./Dnsmap target-domain.com-w your domain name dictionary-r the absolute path to save the result File

For a domain name with extensive resolution, you can use-I to ignore ip addresses to avoid false positives. If no domain name is resolved to 1.1.1.1 during the domain name xxx.com brute-force cracking process, run the following command:

./dnsmap xxx.com -w domain.txt -i 1.1.1.1 -r /tmp/result.txt 

 

The result is in the following format:

The default dnsmap compilation has a problem. For the solution and other usage methods, see

Http://pan.baidu.com/s/1nt5HMw5

You can add some such names as oa, zabbix, nagios, cacti, erp, sap, and crm Based on the default dictionary. Many enterprises use this naming method.

Penetration will usually look for targets from important business network segments such as oa and mail. If some domain names in the management background are

Xx.admin.xxx.com can be expanded to search for third-level domain names under admin.xxx.com.

I did not intend to find a ntp.nb.xxx.com domain name when I checked a website, and then broke the domain name nb.xxx.com. The result is as follows:

Zabbix.nb.xxx.com is exposed to the Internet and has a low version. You can use the zabbix injection vulnerability to obtain permissions.

At the same time, sub-domain names can also be collected through the search engine syntax site: xxx.com (increasing conditions to get more, such as inurl and intitle)

2) AS number

Jwhois usage

yum install -y jwhois

Run

whois -h asn.shadowserver.org origin 1.1.1.1

Obtain the AS number of the enterprise where the ip is located

Continue execution

Whois-h asn.shadowserver.org prefix as No.

You can obtain the corresponding network segment of the as number.

Note: Generally, only large enterprises have an as number, and an enterprise may have multiple as numbers.

3) DNS

4) spf records

How to determine cdn?

If you mistakenly Add the cdn ip address to the target, some manual time will be affected. How can you determine cdn? The simplest method is to use the ping function in multiple locations.

Http://ping.chinaz.com/

2. Use whatweb to find web portals

Usage

./Whatweb 1.1.1.1/24 -- log-brief = output_file (For details, refer to the usage instructions)

By default, only port 80 is identified. If you want to identify port 8080, add -- url-suffix = ": 8080 ".

You can search for the target based on the title, cms, and other information. Generally, you can search for websites with Parsing Vulnerabilities in earlier nginx versions, the affected versions are 0.5 full versions, 0.6 full versions, 0.7 <= 0.7.65, 0.8 <= 0.8.37

Attached to an instance:

When detecting an enterprise, whatweb batch identification fingerprint finds a website with a low nginx version and a resolution vulnerability. The homepage is a blank page, and the directory structure is cracked. bash_history File

A package file is found in the operation history and stored in the web directory.

Download the package file. The content is as follows:

A log file is found, and the log file records the user-agent information.

Use firefox plug-in User Agent Switcher To Change user-agent Information

 

Attackers can exploit the parsing vulnerability to directly obtain webshells after writing a single-statement code to a log file.

3. Use nmap to find available services

For detailed usage instructions, refer to the user manual. The commonly used commands are as follows (-P0 parameter is added as needed. If ping is not disabled, it can be skipped to increase the speed)

./nmap -sT -sV 1.1.1.1/24 -P0 -oN /tmp/port_result.txt --open 

When there are few Ip addresses, you can scan the entire port and some basic information.

./nmap -sT -sV -p 1-65535 1.1.1.1 -P0 -A

Using nmap, we can find some web ports on common ports such as 80/443/8080 and some ports that are prone to problems, such

873 (rsync not verified)/21 (ftp Anonymous Account)/11211 (memcache not verified)/27017 (mongodb not verified) and so on. Don't give up when you encounter unfamiliar services, go to exploit-db and other sites to search for known vulnerabilities. Maybe you cannot find an RCE directly. (in many cases, I will also search for it in wooyun, which is an actual example, more straightforward)

4. Search Engines for background or important systems

Common search Syntax: site: xxx.com inurl: login

The value of Inurl can be freely changed. Commonly Used keywords include admin, manage, or intitle: Search for keywords such as management and logon. Most of the results of some sites may be false positives under the same site, for example, for a blog or question type, you can use-to reduce false positives. For example, you can search for site: baidu.com inurl: login-zhidao in google to remove zhidao-related results from the results, input from Baidu

site:baidu.com inurl:login -site:zhidao.baidu.com

Example reference: WooYun: a complete web detection process for Suning Tesco (multiple images)

5. Create a simplified path dictionary

We can make common paths that are prone to problems and are highly risky into a simple small dictionary and traverse the previously collected domain names, such as/invoker/jmxinvokerservlet1_wwwroot.zip, if you find it, you are likely to get the permission.

0x01 Exploitation

Several common system exploitation methods are listed here.

1. Background

When the background or important system is found in the current process, the following checks are generally performed:

1) awvs comprehensive scan (frequent unexpected discoveries) 2) directory structure brute-force attack 3) password brute-force attack (when admin fails, the password may not be incorrect. In many cases, the user name is incorrect, all methods that you can think of to get the user name, such as turning over js, css files, html source code comments, or. svn directory information leakage, etc. The password can be modified to the system name, domain name, and other information to be added to the dictionary.) 4) html source code, js, and other files to obtain information (some developers will put some management addresses in html source code as annotations, and the management interface addresses will be written in js. If you are lucky, you can directly access them without authorization) 5) The parameter value is cracked (some background login pages written by the framework may be in this format xx.com /? C = login. You can collect common parameter values, such as index, main, upload, edit, and adduser. If you are lucky, you can directly perform unauthorized operations)

2. axis2

File Inclusion:

Www.xxx.com/axis2/services/listServices view all services

Www.xxx.com/axis2/services/xxxxx? Xsd = ../conf/axis2.xml xxxxx can replace any service, read the axis2 configuration file to get the background account

Www.xxx.com/axis2/axis2-admin/ log on to the Management Background

Code execution of the background deployment file:

Use metasploit

Resin

File Reading:

Http://www.xxx.com/resin-doc/resource/tutorial/jndi-appconfig/test? InputFile =/etc/passwd

You can also use

Http://www.xxx.com/resin-doc/resource/tutorial/jndi-appconfig/test? InputFile = http: // 1.1.1.1

SSRF implementation

Solr Sensitive Information Leakage

Http://xxx.org: 8080/solr/admin/file /? File = solrconfig. xml

Search for xml files and find the data-import.xml

Access http://xxx.org: 8080/solr/admin/file /? File = data-import.xml get Database Password

Hudson (similar to jenkins)

Refer to an application of Sohu for remote Groovy code execution! Http://www.bkjia.com/Article/201303/197476.html
 

Zenoss

Google Keyword: intitle: "Zenoss Login"

Default password admin/zenoss

Usage reference

From a default password to youku and tudou Intranet (hazards please fix as soon as possible) http://www.bkjia.com/Article/201304/206243.html

Zabbix

Background: http://www.xxx.com/zabbix

Default password: admin/zabbix

Google: inurl: zabbix/dashboard. php

For usage methods, see WooYun: the improper operation and maintenance of application zabbix leads to arbitrary command execution.

In addition, this zabbix injection also has many http://drops.wooyun.org/papers/680

Cacti

Default logon path: www.xxx.com/cacti/index.php

Default password admin/admin

For details about the exploitation method, refer to the WooYun: cacti background logon command execution vulnerability.

Splunk

Default background address:

Http://xxx.com: 8000/zh-CN/account/login? Return_to = % 2Fzh-CN % 2F

Default Account admin/changeme default port 8000

Manager-Application-obtain the shell from the File Installation Application

Msf exploitation Module

Exploit/multi/http/splunk_upload_app_exec

0x02 ends

Two comprehensive introduction articles about wooyun are recommended.

1. View O & M security from wooyun

Http://drops.wooyun.org/papers/410

2. Attack Java Web applications 7-Server 1

Http://drops.wooyun.org/tips/604