Record a complete process of office network penetration into idc

Today, I will share with you my company's office network and the company's external idc server cluster network. What everyone knows when they first enter the company is induction training. During the training, a leader told us that our company is doing very well in security, such as writing hard defense policies to death and writing switch ACLs to death, lvmeng xxx hole vulnerability scanner regularly scans, and each employee machine in Kabbah of the Enterprise Edition is required. The wsus System Patches the Intranet servers from time to time, and each department uses vlan isolation, xxx security company is required to perform penetration tests on a regular basis. log on to the server using vnp (hardware vpn, you must have a certificate to log on). The idc server uses the Intranet ip address for uniform ing, strong security defense.

Then I told the manager whether or not I would infiltrate the system. He said yes (authorization, not dead ). The environment at that time: 2008AD, Vlan division of departments, I have employees in the same domain, idc servers have to vpn and certificate Login

Then I will first work in the Internet cafe, and my machine will become a server of another company. First, I will look at the hosts and shared items under my same vlan, it collects information.

There are few shared items because I have retired from the domain and there will be many items without quitting the domain. Of course, you can also use cain to test the number of servers in the current vlan. cain is more accurate, however, the environment used seems to be only available on the win platform. for linux, find another one.

Tip 1:When I used cain to scan the number of machines, I was found to have not engaged in arp spoofing. Then another department boss said whose ip address is xxx. xxx, I got caught. the reason is that their ips idc has reported an alarm. I did not find using the LAN Viewer (it seems that the LAN viewer uses ports 139 and 445. In the domain environment, all departments need to share a lot of things, so the alarms on these ports are released, this may also be used for database sharing in the idc environment, because the database is too large to be imported and exported.) You can use this to find machines in the same segment in the future. if you want to share it better.

To be honest in the next few days, you have to think of a way to scan and not be found. the most annoying thing is the location where ips or ids are deployed (I hope you can share with me how to detect ids devices), and then use the s scanner to scan (FAST) 21 22 80443 1512 3306 3389 389 these ports, in the same segment of the office network, there are many PCs used as servers, which is why I want to scan these ports. another day later, he was arrested again, and the xx manager said you were scanning again. the hacker had to say that he was conducting a security test. then, without scanning the nmap speed, we got the Ip address that opened these ports. We thought that hydra, medusa, patator, or another password cracking tool should trigger an alarm for ids, so we had to manually guess several passwords. there is no password cracking tool like nmap that does not trigger alarms. bytes

Tip 2:Nmap scanning can escape ids. I use nmap to scan juniper firewall, Fengyun personal firewall, and so on. They do not trigger an alarm. Of course, no information can be scanned, we try to use nmap after getting a machine. nmap also exists on the win platform.

After being engaged in the sharing viewer for two times, we can see what ip segments are available in the shared viewer and find that xx segments can be used (xx segments are our R & D and DBA test servers, in order to facilitate their remote technical operation servers, they can directly remotely, and they should also think that I belong to this big technology department. haha !), Then we want to use nmap to scan 21 22 80 443 1512 3306 3389 389 these ports. the ip address list is also obtained, but the password cannot be cracked. There is no password cracking tool like nmap that does not trigger alarms. bytes

Then it took about a month to passively collect information, and the network architecture was probably clear. then one day, I suddenly thought that 139 and 445 are not white lists (files must be shared in the domain environment )! NTscan, and then various passwords will come out. of course, threads are less open. I only ran 50 and scanned for one night. of course, no xx manager came to me the next day, and then net maps to get the xx employee's file and password table (for many enterprises, I am no longer able to speak out, I have a copy of all the aunts who sweep the floor ). then xx employees need to manage the servers and collect them slowly. to sum up, there are only dozens of servers and more than 10 PCs. you have to find another port. there is no way to crack 22 and 3389. At that time, I really didn't know what to do. I just wanted to get the password before the xx manager asked me. haha! Here comes the character. I think ids may be performed by an employee in the PC segment. The server segment is not deployed because they didn't come to me. Haha

After that, the number of servers will increase. However, there will be only a large number of internal network servers (dba and R & D), but not many it servers, everyone needs to know that the core of the office network is it. (generally, when an enterprise grows, only the it department. Even if there is security department, they won't give you the core stuff easily ), for example, if AD mail is used, you must find a way to obtain the server permissions. It is much easier to collect information and perform data center operations, then I thought about building Office software such as rtx oa Kingdee e-hr lync internal Community. Haha, there are many office software vulnerabilities and they are not patched.

First, google baidu should look at the vulnerabilities that can be directly exploited by these software. Then, let's look at the web management pages provided by these software and take a look at the awvswebinpect scan that everyone prefers. then everyone understands that xx manager is again scanning the web. invalid.

Tip 3:Is there anything for web scanning to bypass? These good web scanners will send a lot of fuzz to detect web page vulnerabilities. I did not find the very hidden web scanner. generally, a large number of logs are generated, but I used a minimal LOG method, that is, crawler experience.

First, we can see that this is an aggressive iis log of awvs (tested by the Environment on your own)

Awvs only crawlers use the iis log graph:

You can see the difference. when many people are also requesting this site, it is possible that your crawler request logs are separated, and it is possible to escape 1 second access xx times alarm. of course, there will be no attack alerts, but this is not the final solution, because no matter how you play, manual or automatic, as long as you test SQL, xss, including attack parameters, it will trigger other powerful log analysis tools, but it is not easy for general enterprises to make web analysis very powerful.

Then, let's look at the structure. If it's a whole site program, is there a vulnerability that can be exploited directly? (when you play more, you will know where to find the hole ), if it is developed by your own company, you can see the source code analysis programmer's programming habits, he guessed how he would write in his way of thinking (when programmers learn programming, they always imitate others to write code before they develop their own habits, so you should check how the code is written, and then guess which code will be written in the test, so you have to understand the code and have some ideas to explore ).

Have you learned the log! (If you do not understand this sentence, you can ask me)

So I crawled the web Management page of Kingdee with crawlers, tested various weak passwords, and then ......

Kingdee's password saving method should be considered a vulnerability. The configuration is saved in plain text, and the sa password is the biggest breakthrough. it server 80% uses this password, this is also used by the it administrator PC. then map the PC to get the password table, and the AD password is also on it. after obtaining the permissions of AD, all the friends can understand it. As long as 80% of the machines in the domain can get the information, why. because some XP systems do not work by default when I do it. You have to issue a group policy to enable a service called "What service". If the service name is forgotten, the personal firewall will not care about it, as long as he wants to share something in the domain, he must allow it.

The last step is the idc. Once the server password is ready, you don't have to start the idc server. it's time to go over thousands of servers, but I also mentioned that I had to add a certificate to my vpn account! (The vpn also has a dynamic password later. token ). finally, there was a problem with the R & D server. because they want to obtain database data from the idc, and the data is large and large, vpn back-and-forth guide is not suitable, so a test line is directly opened to all IDCs, then the R & D server directly becomes a stepping stone. then play on various servers.

The report is written later.

In conclusion, I was warned three times. If I was outside the company, I would be caught three times. In fact, after the first time, there may be no more content. You know the reason. therefore, scanning tools must have escape characteristics. if you don't have the magic tool, you can play it manually. when I log on to the server, I have read details on the Intranet server and have not logged on to the Monitoring Service. Be careful when you log on to a server on the server, otherwise, the system logs will be sent to the xx log server, and an alarm will be triggered. Then they will find you and there will be no more. in addition to logon logs, you must be careful with behavior monitoring. For example, if the iptable is on, you cannot log on. When you stop. an alarm may be triggered when iptables is stopped. then there will be no more.

In addition, when collecting information, you must analyze and analyze the network architecture. Each company has the network architecture of each company. The architecture determines which direction you are most likely to penetrate, otherwise, you can only catch a mouse in it.

Finally, I would like to remind you not to think that all day scanning with a scanner has not been captured. It is not time for others to know or report an alarm. Haha!