

How to carry out circuitous infiltration in APT

2025-01-22 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)05/31 Report--

This article explains how to carry out circuitous penetration in APT. The content is fairly detailed; interested readers can use it as a reference, and I hope it helps.

Introduction

With the development of the information security industry, enterprises, governments and Internet companies pay more and more attention to network security. Xi pointed out that there is no national security without network security, and no modernization without informatization. It is well known that today's security products and equipment, together with the general emphasis on network security, have greatly reduced the success rate of penetration testing against a target by conventional means. Of course, for teams or individuals who hold 0-days, the success rate is still very high. "Circuitous" literally means winding and indirect, full of twists and turns; "penetration" literally means a liquid seeping through a porous body, and by analogy something or some influence gradually entering other areas. Put together, the term means avoiding the front of the security products and equipment and entering from the "side". This write-up describes one such approach, shared here so we can discuss it together.

Information collection

The target is a special organization: its external network is simple in structure and tightly protected. It was discovered that the websites of several of its subsidiaries had been built by one website construction company. Mine subdomain names to determine the target's IP distribution and main egress IP. The main site of a large website usually carries the most traffic and is often behind a CDN, but the sub-sites are not necessarily, so it is worth checking sub-site IPs, which may share the same IP or even the same server as the main site. Useful sources: shodan.io, fofa.so, MX records and mail hosts (an MX record lookup will usually reveal a C segment). Some sites offer registration that validates e-mail addresses. There are also RSS feeds, forgotten-password flows, cross-domain settings in crossdomain.xml, domain (zone) transfer vulnerabilities, and so on. SSL certificates can also be used for domain detection, and censys.io helps determine whether an IP belongs to a hosting data center or to the company's own organization.

Find the IP ranges actually owned by the company itself. Determine from the public network whether the target has an intranet. Personally, I think this is the more important part:

Vulnerability exploitation

It is not convenient to include screenshots, so today I will only share the penetration idea. The company compromised here is a supplier; what we actually want is one of the supplier's customers.

Do fuzzy detection of subdomain names; a light scan can be done with common scanners. Determine the server type, the scripting language and, commonly, the CMS in use. A file inclusion was found; phpinfo revealed the website's directory and IP, and further testing showed an arbitrary file read vulnerability. This was used to read the common Linux configuration files and the web database configuration. From the passwords in these configuration files a dictionary was generated and used to brute-force the main site's admin login, SSH, FTP and the various other login ports found; a PHP script was then uploaded to the target via FTP to get a shell.

Lateral penetration

First determine whether the network location of the obtained server includes an intranet. Read the administrator account password, other configuration files and backup files from the data area; it was found that a certain IP (xxip) logged in frequently. (The first thing to do after getting a shell is information gathering.) That IP is in another network segment of the subdomain. Log in to the xxip machine using the main site as a proxy. That host has an intranet IP and sits on the boundary of the intranet.

Proxying: to bypass the firewall, packet filtering and protocol filtering, there are several ways to proxy and forward ports. Built into the system: ssh, iptables, netsh. Third party: lcx, ht, socks, phpsocks, metasploit, reg, ew. When looking for the intranet entrance, pay attention to several points:

1 Do not go deep at first.

2 Consolidate access first.

3 Obtain and analyze the data on this machine and its role in the network.

4 Analyze the administrator's login habits so as to avoid operating at the same time as the administrator.

5 Set the next work goal.

6 Start building proxy channels for lateral expansion (if you don't have to proxy, don't).

Through the proxy, open the mail server management login locally, manage all correspondence, back up the mail server data, and restore and analyze the communication between the company and its customers locally.
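The defender-side counterpart to the points above, as an added example that is not part of the original post: the intruder relies on an account that "frequently logs in" from one address and on working outside the administrator's hours, so a per-account baseline of usual source IPs and login hours built from sshd "Accepted" lines catches a new source, an off-hours login, and the same account active from two addresses at once. The log lines are constructed; the year and the 30-minute concurrency window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd log lines (not from the original post); the year is assumed.
LOG_LINES = """\
Mar 10 09:12:01 web01 sshd[2101]: Accepted password for admin from 10.1.1.20 port 50110 ssh2
Mar 11 10:05:44 web01 sshd[3011]: Accepted password for admin from 10.1.1.20 port 50301 ssh2
Mar 12 02:31:09 web01 sshd[4102]: Accepted password for admin from 10.9.9.9 port 41022 ssh2
Mar 12 10:06:40 web01 sshd[4200]: Accepted password for admin from 10.1.1.20 port 50400 ssh2
Mar 12 10:07:10 web01 sshd[4201]: Accepted password for admin from 10.9.9.9 port 41100 ssh2
"""
LINE_RE = re.compile(r"^(\w{3}) +(\d+) ([\d:]{8}) \S+ sshd\[\d+\]: Accepted \w+ for (\S+) from (\S+) port")

def parse(text, year=2024):
    """Return (timestamp, user, source_ip) for each successful login line."""
    events = []
    for line in text.splitlines():
        if m := LINE_RE.match(line):
            mon, day, clock, user, ip = m.groups()
            ts = datetime.strptime(f"{year} {mon} {day} {clock}", "%Y %b %d %H:%M:%S")
            events.append((ts, user, ip))
    return events

def build_baseline(events):
    """Per-account sets of known source IPs and login hours from an assumed-clean history."""
    ips, hours = defaultdict(set), defaultdict(set)
    for ts, user, ip in events:
        ips[user].add(ip)
        hours[user].add(ts.hour)
    return ips, hours

def find_anomalies(events, known_ips, known_hours, window_s=1800):
    """Flag new source IPs, off-hours logins, and one account live from two IPs at once."""
    alerts, seen = [], defaultdict(list)
    for ts, user, ip in events:
        if ip not in known_ips[user]:
            alerts.append((ts, user, ip, "new source IP"))
        if ts.hour not in known_hours[user]:
            alerts.append((ts, user, ip, "outside usual hours"))
        for prev_ts, prev_ip in seen[user]:
            if prev_ip != ip and (ts - prev_ts).total_seconds() <= window_s:
                alerts.append((ts, user, ip, f"concurrent with session from {prev_ip}"))
                break
        seen[user].append((ts, ip))
    return alerts

def demo():
    # Baseline on the first two (known-good) logins, then check the whole log.
    events = parse(LOG_LINES)
    known_ips, known_hours = build_baseline(events[:2])
    return find_anomalies(events, known_ips, known_hours)
```

In practice the baseline would come from weeks of history rather than two lines, and the same three rules apply unchanged to RDP or VPN logon records once parsed into the same tuples.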

Intranet penetration

Search the intranet machine for information in order to move laterally, and combine dictionaries to brute-force other intranet machines. Read the relevant files on the intranet machine and the configuration passwords that may be stored in the database (don't forget the recycle bin), as well as all host ports in the server's current network segment, the server's ARP cache, the services on the server, and other HTTP services in the intranet.

Download the mstsc files and view the login history. View locally saved login credentials with cmdkey /list.

Intranet penetration:

1 Target information you want: mail server, file server, people data.

2 Key user credentials: domain administrator, IT administrator, default management account.

3 Critical computers: machines that connect the various segments.

4 Intranet machine backdoor: machines that the domain administrator, IT administrator and other management accounts often log in to.

Domain Penetration:

1 Get domain information (domain administrator, mail server, file server).

2 Try to grab the domain administrator's account password.

3 Use a normal domain user to escalate privileges to domain administrator.

4 Use MS17-010 (EternalBlue) to get the password for the user account.

5 Export the domain hashes in preparation for re-entry later.

6 Try to find the password and login port of the organization's VPN account.

Workgroup penetration:

1 Get the default admin password for the machine as much as possible.

2 Use MS17-010 (EternalBlue) to get the password for the user account.

3 Try to find the password and login port of the organization's VPN account.

Additional:

Prepare the intranet for re-entry: remote control, find the VPN, keep an exit webshell.

Control the company through intranet penetration and take over its communication channels (e-mail, etc.) with the company's target customers.

Authority Maintenance:

1. Establish a hidden webshell through the data flow, set permissions to prevent modification and deletion, and use port multiplexing to establish a universal backdoor (IIS, Apache, Tomcat).

2. DNS/ICMP/HTTP remote control; maintain Windows/Linux access; a Windows trojan with no process and no port.

3. Mine source code vulnerabilities, modify source code and backup files, add known backdoors or create vulnerable files, and create undeletable files.

4. Domain penetration: a golden ticket (golden key) to control domain machines.

5. The msf persistence/metsvc modules.

6. PowerShell scripts.
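Most of the persistence items above show up as files appearing in, or changing under, the web root (hidden webshells, edited source and backup files, planted "vulnerable" files). An added example that is not from the original post: a deploy-time SHA-256 manifest of the web root, a later comparison that reports added, modified and removed files, and a rule that flags executable scripts appearing in directories the application itself writes to. The web root, file names and the uploads/cache/tmp directory names are constructed assumptions.

```python
import hashlib
import os
import tempfile

EXEC_EXT = (".php", ".phtml", ".jsp", ".jspx", ".aspx", ".ashx")  # server would execute these
WRITABLE_DIRS = ("uploads", "cache", "tmp")  # assumed: directories the web app writes to

def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def build_manifest(root):
    """Relative path -> SHA-256 for every file under root, recorded at deploy time."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root).replace(os.sep, "/")] = sha256_file(full)
    return manifest

def compare(root, manifest):
    """Return sorted (added, modified, removed) file lists relative to the manifest."""
    current = build_manifest(root)
    added = sorted(p for p in current if p not in manifest)
    modified = sorted(p for p in current if p in manifest and current[p] != manifest[p])
    removed = sorted(p for p in manifest if p not in current)
    return added, modified, removed

def exec_in_writable_dir(paths):
    """Executable scripts sitting under a directory the application writes to."""
    return [p for p in paths if p.lower().endswith(EXEC_EXT) and p.split("/")[0] in WRITABLE_DIRS]

def demo():
    """Constructed web root: deploy, record the manifest, then simulate drift."""
    with tempfile.TemporaryDirectory() as root:
        def put(rel, text):
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w") as f:
                f.write(text)
        put("config.php", "<?php $db = 'prod'; ?>\n")
        put("uploads/logo.png", "PNG placeholder\n")
        manifest = build_manifest(root)
        # Drift: a script appears in uploads/, config.php is edited, a file disappears.
        # File contents are placeholders, not real backdoors.
        put("uploads/.cache.php", "<?php /* constructed placeholder */ ?>\n")
        put("config.php", "<?php $db = 'prod'; /* edited */ ?>\n")
        os.remove(os.path.join(root, "uploads", "logo.png"))
        added, modified, removed = compare(root, manifest)
        return added, modified, removed, exec_in_writable_dir(added + modified)
```

The manifest has to be stored off the web server (the same "set permissions to prevent modification" trick works against the defender if the intruder can edit the baseline), and the comparison is only as good as the deploy-time snapshot being clean.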

Ways to reach target customers:

1 Push trojans through the system update channel.

2. Targeted trojan planting on the web service page used for customer login (filtering by source IP).

3 Plant trojans through the management page: use disposable "cannon fodder" trojans for wide-net planting, and a hidden trojan for long-term control.

4 Remote maintenance: many enterprises have to give customers intranet access for system maintenance.

5 Code audit to find a generic vulnerability in the system.

Since our objective this time is circuitous penetration, we are not interested in this company's own information. If a large number of files (more than 5 GB) is needed, the files have to be transferred back (e.g. the R&D file server of a tech company).

Document processing:

1 File screening: bring back the file directory tree and analyze which directories are needed.

2 File transfer back: encrypt and split-compress the files by volume, transfer them through multiple intranet machines in layers over IPC, assemble the pieces locally, transfer a fixed amount per IP, verify hashes, delete as you go, then decompress and reconstruct locally.

Log cleanup:

Out of habit, I do my own cleanup; most of it is files, the cleaning is simple and the footprint is small. Probably because I am confident I can get in a second time.

Precautions for intranet penetration:

scanning

remote login

blasting

overflow privilege escalation

Work manually rather than with tools wherever possible; avoid interactive mode wherever possible; avoid uploading files wherever possible; if the job can be done from the Chopper (kitchen knife) command line, don't use anything else.

That is all on how to carry out circuitous penetration in APT. I hope the above content is of some help; if you think the article is good, share it so that more people can see it.
