Penetration testing and hacking to gain website access DDOS
Check the network address of the web server
Check the current user
Check the firewall configuration
netsh firewall show config
(netsh firewall is the legacy XP/2003 syntax; it is deprecated from Windows Vista onward, where netsh advfirewall reports the current profiles and rules.)
Check the installed antivirus software
No antivirus software was found installed.
So add your own IP address to ACL rule set 2001. Once the ACL rule is in place, the connection succeeds.
Tried to use plink for SSH port forwarding into the intranet, but the security device is not a Linux host and cannot be used as a forwarding proxy.
Previously, internal network discovery was always done with timeoutsocket, but this time it found no assets at all, not even targets already known to be up. Many live hosts were later found with F-NAScan.
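The discovery step above is the kind of sweep where a tool that hangs on silently dropped probes finds nothing. The following is an added example in Python (not code from the post, from timeoutsocket or from F-NAScan): a concurrent TCP-connect sweep with an explicit per-socket timeout, so a host that drops the probe costs one timeout rather than stalling the scan. The port list and the CIDR block are assumptions; the demo at the bottom probes a throwaway listener on 127.0.0.1 so it runs offline.

```python
#!/usr/bin/env python3
"""Concurrent TCP-connect host discovery with explicit per-socket timeouts.

Added example, not code from the original post or from any named scanner.
Sweeps a CIDR block for a handful of ports commonly exposed on servers and
network devices and reports which hosts answered.
"""
import ipaddress
import socket
from concurrent.futures import ThreadPoolExecutor

# Assumed default ports: web consoles, SSH/Telnet on devices, SMB/RDP on Windows.
DEFAULT_PORTS = (22, 23, 80, 135, 139, 443, 445, 3389, 8080)


def tcp_open(host: str, port: int, timeout: float = 0.5) -> bool:
    """True if a TCP handshake to host:port completes within `timeout` seconds.

    Refused, unreachable and timed-out connections all count as closed:
    socket.create_connection raises OSError (socket.timeout is a subclass)
    in every one of those cases.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def expand_targets(network: str) -> list:
    """Expand 'a.b.c.d' or 'a.b.c.0/24' into the host addresses to probe.

    For /31 and /32 every address is a host; for larger blocks the network
    and broadcast addresses are skipped.
    """
    net = ipaddress.ip_network(network, strict=False)
    addrs = net.hosts() if net.num_addresses > 2 else net
    return [str(a) for a in addrs]


def discover(network: str, ports=DEFAULT_PORTS, timeout: float = 0.5,
             workers: int = 64) -> dict:
    """Return {host: [open ports]} for every host in `network` that answered."""
    probes = [(h, p) for h in expand_targets(network) for p in ports]
    found = {}
    with ThreadPoolExecutor(max_workers=workers) as pool:
        # pool.map preserves input order, so results line up with probes.
        results = pool.map(lambda hp: tcp_open(hp[0], hp[1], timeout), probes)
        for (host, port), is_open in zip(probes, results):
            if is_open:
                found.setdefault(host, []).append(port)
    return found


def open_local_listener(port: int = 0):
    """Bind a throwaway listener on 127.0.0.1 so the demo can run offline.

    This is a constructed target for demonstration, not a real asset.
    Returns (server_socket, bound_port).
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", port))
    srv.listen(8)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    # Offline demo: one open port (the listener) and one port that is closed.
    listener, open_port = open_local_listener()
    spare, closed_port = open_local_listener()
    spare.close()  # released again, so this port is now closed
    try:
        print(discover("127.0.0.1/32", ports=(open_port, closed_port)))
    finally:
        listener.close()
```

Keep the timeout short but not zero: on a LAN 0.3 to 0.5 s is plenty for a handshake, and the worker count, not the timeout, is what bounds total runtime for a /24.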
The hosts run few application types; most of the assets are network devices, many with weak passwords, which are not covered here. The focus is on finding centralized management devices.
Two centralized devices were found on the internal network. The first is a terminal detection system from one vendor, shown below:
Common passwords were tried but did not get in.
The second is a terminal detection system from another vendor; its backend was accessed through a weak password.
Credential material is held in memory by the lsass.exe process, so procdump.exe is used to dump that process. The resulting lsass.dmp is copied to the attacking machine and loaded into a local copy of mimikatz (sekurlsa::minidump lsass.dmp, then sekurlsa::logonpasswords) to recover hashes and, where WDigest caching is still enabled, plaintext passwords. Running mimikatz offline this way keeps it off the target host.
procdump -accepteula -ma lsass.exe lsass.dmp
Put cer.cet into the HTTP server directory and start a listener in msf.
The target machine then executes the following command to obtain a reverse shell session:
On the attacking machine, OpenSSL is used to generate a self-signed certificate whose subject imitates Google's (the fields can be changed as needed). The output is a PEM-encoded file named www.google.com.pem containing both the private key and the certificate; the key is not encrypted, so cat www.google.com.pem shows both in full.
With the certificate created, MSF can build an HTTP or HTTPS payload and be given the PEM file so that the stager verifies it is connecting to the real handler, which can be combined with evasion and other bypass techniques. The result is a malicious file named update.exe.
The client opens the named pipe with CreateFile; if every instance is busy (CreateFile fails with ERROR_PIPE_BUSY), it calls WaitNamedPipe to wait for an instance to become available and then retries CreateFile.
Once connected, the client also enters an interaction loop: each command read from the terminal is written into the pipe, the client waits for the server to finish executing it, and then reads the execution result back from the pipe.
CIFS (Common Internet File System) is the file-sharing protocol on Windows. Its features include:
Accessing files on the server and reading them
Sharing portions of files with other users
Automatically re-establishing the network connection after a disconnect
Unicode file names
BOOL CopyFile(
[in] LPCTSTR lpExistingFileName,
[in] LPCTSTR lpNewFileName,
[in] BOOL bFailIfExists
);
Therefore, a local file can be copied to a remote host through an existing SMB share simply by passing a UNC path (\\host\share\path) as lpNewFileName; no separate file-transfer channel is needed.