Table of Contents
I. The target environment
1.1 Intranet network topology diagram and platform introduction
1.2 Purpose of the penetration test
1.3 Content and scope of the penetration target
1.4 Risk avoidance
II. The intranet penetration process
2.1 Intranet breakthrough (socket port forwarding and terminal-services connection)
2.2 System password acquisition, hash cracking, and management-software password cracking
2.3 Social engineering and composite dictionary scans based on password habits, to collect administrator information
2.4 Common intranet IPC$ share intrusion
2.5 ARP sniffing and ARP Trojans to break into employee PCs
2.6 Use of the Internet Explorer Aurora exploit (2010-01-17)
2.7 Using the data-synchronization software for penetration
2.8 Breaking through the IIS write-permission vulnerability and the IIS 6.0 file-suffix parsing vulnerability
2.9 Using Windows XP/2000 remote and local exploits (overflows) for privilege acquisition and escalation
3.0 Combining the above methods with remote-control Trojans
3.0.1 Domain hash injection attack (not successful)
III. Summary of the security reinforcement solution for the target system
3.1 Access control
3.2 Telecommunications and network security
3.3 Security management and practices
3.4 Application and system development security
1.1 Intranet network topology diagram and platform introduction
The target network is a Layer-3 switched environment.
IP address allocation and service classification:
192.168.100.X - 192.168.103.X: internal staff office network
176.12.1.X - 176.12.15.X: web and database back-end network
192.168.11.X - 192.168.11.255: idle network segment
A total of 467 computers, divided into three domains: shjt, cyts, ccit.
The information above was gathered during the penetration. To save effort I wrote a batch script that enumerates every visible domain, lists its hosts, and resolves each host to an IP address. The script is:
====================================== Domain.bat ====================================
@echo off
setlocal ENABLEDELAYEDEXPANSION
rem Enumerate every domain/workgroup visible from this host, then every host in it,
rem and resolve each host name to an IP address with a single quick ping.
rem The header, separator and "command completed successfully" lines (English and
rem Chinese Windows) are filtered out; FOR /F skips blank lines by itself.
for /f "usebackq delims=," %%j in (`net view /domain ^| findstr /v /i /c:"completed successfully" /c:"命令成功完成" /c:"---" /c:"Domain"`) do (
    echo ==== Domain: %%j ====
    rem Host lines look like "\\HOSTNAME   optional comment"; token 1 is the host name.
    for /f "usebackq tokens=1 delims=\ " %%a in (`net view /domain:%%j ^| find "\\"`) do (
        rem "Pinging HOST [1.2.3.4] with 32 bytes of data:" -> %%l = HOST, %%m = [1.2.3.4]
        for /f "usebackq tokens=1,2,3 delims=: " %%k in (`ping -a -n 1 -w 100 %%a ^| findstr "Pinging"`) do (
            echo \\%%l %%m
        )
    )
)
endlocal
================================== End ==================================
System types, installed software versions and categories:
Windows XP, Windows 2000 and Linux.
MSSQL 2000 and 2005, Sybase, IIS 5.0 and 6.0. All intranet systems run McAfee Enterprise, and the servers have data-synchronization software installed.
1.2 Purpose of the penetration test
On the one hand, a penetration test checks from the attacker's perspective whether the security measures protecting the business system are effective and whether the various security policies are actually enforced; on the other hand, it exposes potential security risks in the form of real incidents, which helps raise the security awareness of the people involved. Once the test is complete, the security problems it found should be fixed immediately, so that real security incidents are effectively prevented.
1.3 Content and scope of the penetration target
This penetration covers the target database servers and the employees' office PCs.
1.4 Risk avoidance
This penetration test was carried out without affecting the target's business. Some of the techniques were first set up and tested locally and only then applied to the target, to make sure the target's business kept running normally (for example, the ARP sniffing, the ERP office-system Trojan and the IE 0day were all verified locally beforehand so that the target employees' PCs would not crash or behave abnormally).
II. The intranet penetration process
2.1 Intranet breakthrough (socket port forwarding and terminal-services connection)
Using the webshell on the external web server 222.11.22.11 (intranet address 192.168.22.34; both addresses are placeholders), connect to the MSSQL 2005 server at the intranet address 192.168.22.35. The account, read from the web application's configuration, is sa, the default highest-privilege account in MSSQL. Because the MSSQL service runs as SYSTEM, any of the stored procedures that can run commands gives SYSTEM privileges once it works: xp_cmdshell first, and if xp_cmdshell cannot be executed, sp_oacreate, sp_add_job, sp_addtask, xp_regread, xp_regwrite, xp_readwebtask or xp_makewebtask. I therefore expected this to be a very good opportunity. The SQL Server sits behind a hardware firewall, which as usual blocks connections from the outside into the intranet but puts no restriction on connections initiated from the inside. Socket port forwarding gets around this: the pivot host connects outbound to a listener on my local machine and relays the intranet terminal-services port (3389) through that connection.
Then open the forwarded port with mstsc.exe, using the host address 127.0.0.1:88.
2.2 System password acquisition, hash cracking, and management-software password cracking
On this host sethc.exe had already been replaced with cmd.exe, i.e., a sticky-keys (magnifier-style) backdoor, which gives a CMD shell to work from (all target files were restored after the penetration). From that shell, connect to my local FTP server and download GetHash.exe (a tool that dumps the system password hashes) and the GUI version of the VNC4 password tool onto the current host. The VNC4 password is stored in the registry at HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4\Password; grab it and send it back to the local machine with ftp put. If the dumped hash shows a password of no more than 14 characters, its LM hash can be looked up directly on an online LM cracking site, for example:
Two commonly used online hash-cracking websites:
http://cracker.offensive-security.com/index.php
http://www.objectif-securite.ch/en/products.php
The system administrator password is ccit2006; the VNC4 password is shown in the figure.