Windows Penetration Testing: The Basic Privilege Escalation Routine (Part 1)

Published: 2016-11-07 20:07  Source: Internet  Author: Anonymous

From t0 to t3 - Information Gathering

At the start, the account we hold is an ordinary, unprivileged one. Assume we have already exploited something, remotely or locally, and obtained a reverse shell. Fundamentally, at time t0 we do not know what the compromised machine does, what it talks to, what privileges we have, or even which operating system it runs.

So the first thing to do is quickly collect a few essential facts, so that we understand the environment we have landed in.

First, let's see what kind of operating system we are connected to.

C:\Windows\system32> systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

OS Name: Microsoft Windows 7 Professional

OS Version: 6.1.7601 Service Pack 1 Build 7601

Note: on a Chinese-language system the labels are "OS 名称" and "OS 版本" instead of "OS Name" and "OS Version", so the findstr filter above matches nothing unless it is adjusted for the display language.
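Because the label text changes with the display language, a filter that only knows "OS Name" fails silently on localized builds. The following parser is an added example, not code from the original article: it works on captured `systeminfo` output, knows the English and Chinese labels from the note above, and falls back to recognising the version string itself for any other locale. The three sample outputs are constructed (the English one mirrors the article's run; the last one uses made-up labels to stand in for an unknown locale).

```python
import re

# Added example, not from the article: parse captured `systeminfo` output without
# relying on the display language. English and Chinese labels come from the
# article's note; any other locale is handled by the version-string fallback.
LABELS = {
    "os_name": ("OS Name", "OS 名称"),
    "os_version": ("OS Version", "OS 版本"),
}

# "6.1.7601 Service Pack 1 Build 7601" -> major, minor, build, optional service pack.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\s+Service Pack\s+(\d+))?")

# Constructed sample: the article's English run plus a few more systeminfo lines.
SAMPLE_EN = """\
Host Name:                 B33F
OS Name:                   Microsoft Windows 7 Professional
OS Version:                6.1.7601 Service Pack 1 Build 7601
OS Manufacturer:           Microsoft Corporation
System Type:               x64-based PC
Hotfix(s):                 2 Hotfix(s) Installed.
                           [01]: KB2534111
                           [02]: KB2999226
"""

# Constructed sample: the same host with a Chinese display language.
SAMPLE_ZH = """\
主机名:           B33F
OS 名称:          Microsoft Windows 7 Professional
OS 版本:          6.1.7601 Service Pack 1 Build 7601
系统类型:         x64-based PC
"""

# Constructed sample with hypothetical labels, standing in for a locale LABELS does not know.
SAMPLE_UNKNOWN = """\
OSLABEL1:         Microsoft Windows 7 Professional
OSLABEL2:         6.1.7601 Service Pack 1 Build 7601
"""


def parse_fields(text):
    """Top-level 'label: value' lines of systeminfo. Indented continuation lines
    (hotfix and NIC lists) carry no label and are skipped on purpose."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^([^\s:：][^:：]*?)[:：]\s*(.*)$", line)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields


def parse_systeminfo(text):
    """Return OS name, raw version string, a (major, minor, build) tuple and the
    service pack number; None for anything that cannot be found."""
    fields = parse_fields(text)
    info = {key: next((fields[v] for v in variants if v in fields), None)
            for key, variants in LABELS.items()}
    if info["os_version"] is None:
        # Locale-independent fallback: whichever value looks like a version string.
        info["os_version"] = next((v for v in fields.values() if VERSION_RE.match(v)), None)
    m = VERSION_RE.match(info["os_version"] or "")
    info["version"] = tuple(int(x) for x in m.group(1, 2, 3)) if m else None
    info["service_pack"] = int(m.group(4)) if m and m.group(4) else 0
    return info


if __name__ == "__main__":
    for sample in (SAMPLE_EN, SAMPLE_ZH, SAMPLE_UNKNOWN):
        print(parse_systeminfo(sample))
```

Redirect `systeminfo > sysinfo.txt` on the target and parse the file offline; the (major, minor, build) tuple is what you compare against when deciding which kernel or service-pack level you are dealing with. Where you have WMI, `wmic os get Caption,Version` avoids the localisation problem entirely, because WMI property names are not translated.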

Next, the computer name and the user we are running as.

C:\Windows\system32> hostname

b33f

C:\Windows\system32> echo %username%

user1

With the basics established, we can list the other accounts on the machine and look at our own account in detail. The output below shows that user1 is not a member of the local Administrators group (the only local group membership is Users).

C:\Windows\system32> net users

User accounts for \\B33F

-------------------------------------------------------------------------------

Administrator b33f Guest

user1

The command completed successfully.

C:\Windows\system32> net user user1

User name user1

Full Name

Comment

User's comment

Country code 000 (System Default)

Account active Yes

Account expires Never

Password last set 1/11/2014 7:47:14 PM

Password expires Never

Password changeable 1/11/2014 7:47:14 PM

Password required Yes

User may change password Yes

Workstations allowed All

Logon script

User profile

Home directory

Last logon 1/11/2014 8:05:09 PM

Logon hours allowed All

Local Group Memberships *Users

Global Group memberships *None

The command completed successfully.
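The two outputs above are laid out in columns, and `net user` wraps long group lists onto indented continuation lines, which is easy to misread by eye. The following is an added example, not code from the original article: it parses `net users` into a list of accounts and `net user <name>` into a dictionary, then answers the question the article is asking, whether the account sits in Administrators. The samples are constructed from the article's run; the second account, svc_backup, is hypothetical and exists only to show the wrapped membership lines. Labels are the English ones; on a localized build they change just as the systeminfo labels do.

```python
import re

# Added example, not from the article: parse `net users` / `net user <name>`
# (English labels) to list accounts and check local Administrators membership.

# Constructed from the article's `net users` output.
NET_USERS_SAMPLE = """\
User accounts for \\\\B33F

-------------------------------------------------------------------------------
Administrator            b33f                     Guest
user1
The command completed successfully.
"""

# Constructed from the article's `net user user1` output (only the lines that matter).
NET_USER_USER1 = """\
User name                    user1
Full Name
Comment
User's comment
Country code                 000 (System Default)
Account active               Yes
Account expires              Never

Password last set            1/11/2014 7:47:14 PM
Password expires             Never
Password required            Yes

Last logon                   1/11/2014 8:05:09 PM

Local Group Memberships      *Users
Global Group memberships     *None
The command completed successfully.
"""

# Constructed, hypothetical account in several groups: shows how `net user`
# wraps a long membership list onto indented continuation lines.
NET_USER_SVC = """\
User name                    svc_backup
Account active               Yes
Password expires             Never

Local Group Memberships      *Users                *Remote Desktop Users
                             *Backup Operators     *Administrators
Global Group memberships     *None
The command completed successfully.
"""


def parse_net_users(text):
    """Account names from `net users`. The column layout cannot distinguish a
    name containing spaces from two names; `wmic useraccount get name` can."""
    names, in_table = [], False
    for line in text.splitlines():
        if line.startswith("-----"):
            in_table = True
        elif line.startswith("The command"):
            break
        elif in_table:
            names.extend(line.split())
    return names


def parse_net_user(text):
    """`net user <name>` as {label (lower-case): value}. Indented continuation
    lines are folded into the preceding label's value."""
    info, last = {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("The command"):
            continue
        if line[0].isspace() and last is not None:
            info[last] += " " + line.strip()
            continue
        parts = re.split(r"\s{2,}", line, maxsplit=1)
        last = parts[0].lower()
        info[last] = parts[1] if len(parts) > 1 else ""
    return info


def _groups(info, label):
    # Group names are '*'-prefixed and may contain spaces, so split on '*', not whitespace.
    value = info.get(label, "")
    return [g.strip() for g in value.split("*") if g.strip() and g.strip() != "None"]


def local_groups(info):
    return _groups(info, "local group memberships")


def global_groups(info):
    return _groups(info, "global group memberships")


def is_local_admin(info):
    """Direct membership in the local Administrators group (English group name)."""
    return "Administrators" in local_groups(info)


if __name__ == "__main__":
    print(parse_net_users(NET_USERS_SAMPLE))
    for sample in (NET_USER_USER1, NET_USER_SVC):
        acct = parse_net_user(sample)
        print(acct["user name"], local_groups(acct), is_local_admin(acct))
```

Membership is not the same as privilege: under UAC an Administrators member logged on interactively still runs with a filtered, medium-integrity token until elevated, and only `whoami /groups` shows that state; `net user` does not. Also note that `net user` only shows direct membership, so a group nested inside Administrators will not appear here.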

That is all we need to know about the user for now. Next we gather information from the network side.

First, the network configuration and the routing table.

C:\Windows\system32> ipconfig /all

Windows IP Configuration

Host Name . . . . . . . . . . . . : b33f

Primary Dns Suffix . . . . . . . :

Node Type . . . . . . . . . . . . : Hybrid

IP Routing Enabled. . . . . . . . : No

WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Bluetooth Network Connection:

Media State . . . . . . . . . . . : Media disconnected

Connection-specific DNS Suffix . :

Description . . . . . . . . . . . : Bluetooth Device (Personal Area Network)

Physical Address. . . . . . . . . : 0C-84-DC-62-60-29

DHCP Enabled. . . . . . . . . . . : Yes

Autoconfiguration Enabled . . . . : Yes

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :

Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection

Physical Address. . . . . . . . . : 00-0C-29-56-79-35

DHCP Enabled. . . . . . . . . . . : Yes

Autoconfiguration Enabled . . . . : Yes

Link-local IPv6 Address . . . . . : fe80::5cd4:9caf:61c0:ba6e%11(Preferred)

IPv4 Address. . . . . . . . . . . : 192.168.0.104(Preferred)

Subnet Mask . . . . . . . . . . . : 255.255.255.0

Lease Obtained. . . . . . . . . . : Saturday, January 11, 2014 3:53:55 PM

Lease Expires . . . . . . . . . . : Sunday, January 12, 2014 3:53:55 PM

Default Gateway . . . . . . . . . : 192.168.0.1

DHCP Server . . . . . . . . . . . : 192.168.0.1

DHCPv6 IAID . . . . . . . . . . . : 234884137

DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-18-14-24-1D-00-0C-29-56-79-35

DNS Servers . . . . . . . . . . . : 192.168.0.1

NetBIOS over Tcpip. . . . . . . . : Enabled

C:\Windows\system32> route print

===========================================================================

Interface List

18...0c 84 dc 62 60 29 ......Bluetooth Device (Personal Area Network)

13...00 ff 0c 0d 4f ed ......TAP-Windows Adapter V9

11...00 0c 29 56 79 35 ......Intel(R) PRO/1000 MT Network Connection

1...........................Software Loopback Interface 1

16...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter

15...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2

19...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3

14...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface

===========================================================================

IPv4 Route Table

===========================================================================

Active Routes:

Network Destination Netmask Gateway Interface Metric

0.0.0.0 0.0.0.0 192.168.0.1 192.168.0.104 10

127.0.0.0 255.0.0.0 On-link 127.0.0.1 306

127.0.0.1 255.255.255.255 On-link 127.0.0.1 306

127.255.255.255 255.255.255.255 On-link 127.0.0.1 306

192.168.0.0 255.255.255.0 On-link 192.168.0.104 266

192.168.0.104 255.255.255.255 On-link 192.168.0.104 266

192.168.0.255 255.255.255.255 On-link 192.168.0.104 266

224.0.0.0 240.0.0.0 On-link 127.0.0.1 306

224.0.0.0 240.0.0.0 On-link 192.168.0.104 266

255.255.255.255 255.255.255.255 On-link 127.0.0.1 306

255.255.255.255 255.255.255.255 On-link 192.168.0.104 266

===========================================================================

Persistent Routes:

None

IPv6 Route Table

===========================================================================

Active Routes:

If Metric Network Destination Gateway

14 58 ::/0 On-link

1 306 ::1/128 On-link

14 58 2001::/32 On-link

14 306 2001:0:5ef5:79fb:8d2:b4e:3f57:ff97/128

On-link

11 266 fe80::/64 On-link

14 306 fe80::/64 On-link

14 306 fe80::8d2:b4e:3f57:ff97/128

On-link

11 266 fe80::5cd4:9caf:61c0:ba6e/128

On-link

1 306 ff00::/8 On-link

14 306 ff00::/8 On-link

11 266 ff00::/8 On-link

===========================================================================

Persistent Routes:

None

arp -A displays the ARP cache, that is, which hosts on the local segment this machine has recently exchanged traffic with.

C:\Windows\system32> arp -A

Interface: 192.168.0.104 --- 0xb

Internet Address Physical Address Type

192.168.0.1 90-94-e4-c5-b0-46 dynamic

192.168.0.101 ac-22-0b-af-bb-43 dynamic

192.168.0.255 ff-ff-ff-ff-ff-ff static

224.0.0.22 01-00-5e-00-00-16 static

224.0.0.251 01-00-5e-00-00-fb static

224.0.0.252 01-00-5e-00-00-fc static

239.255.255.250 01-00-5e-7f-ff-fa static

255.255.255.255 ff-ff-ff-ff-ff-ff static

Next we look at the active network connections and the firewall rules. In the netstat output, the PID column is what ties each listening socket to the process that owns it.

C:\Windows\system32> netstat -ano

Active Connections

Proto Local Address Foreign Address State PID

TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 684

TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4

TCP 0.0.0.0:5357 0.0.0.0:0 LISTENING 4

TCP 127.0.0.1:5354 0.0.0.0:0 LISTENING 1400

TCP 192.168.0.104:139 0.0.0.0:0 LISTENING 4

TCP [::]:135 [::]:0 LISTENING 684

TCP [::]:445 [::]:0 LISTENING 4

TCP [::]:5357 [::]:0 LISTENING 4

UDP 0.0.0.0:5355 *:* 1100

UDP 0.0.0.0:52282 *:* 976

UDP 0.0.0.0:55202 *:* 2956

UDP 0.0.0.0:59797 *:* 1400

UDP 127.0.0.1:1900 *:* 2956

UDP 127.0.0.1:65435 *:* 2956

UDP 192.168.0.104:137 *:* 4

UDP 192.168.0.104:138 *:* 4

UDP 192.168.0.104:1900 *:* 2956

UDP 192.168.0.104:5353 *:* 1400

UDP 192.168.0.104:65434 *:* 2956

UDP [::]:5355 *:* 1100

UDP [::]:52281 *:* 976

UDP [::]:52283 *:* 976

UDP [::]:55203 *:* 2956

UDP [::]:59798 *:* 1400

UDP [::1]:1900 *:* 2956

UDP [::1]:5353 *:* 1400

UDP [::1]:65433 *:* 2956

UDP [fe80::5cd4:9caf:61c0:ba6e%11]:1900 *:* 2956

UDP [fe80::5cd4:9caf:61c0:ba6e%11]:65432 *:* 2956
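The ARP cache and the netstat listing above are the two outputs that decide where to go next: which services on this box are reachable from the network (and by which PID), and which neighbours are actually alive. The following is an added example, not code from the original article, serving both passages: it parses `netstat -ano` into sockets grouped by PID with an exposure class (loopback, link-local, one interface, all interfaces), lists the network-reachable services with a name where the port is a well-known Windows service, and filters `arp -a` down to dynamic entries, since the static broadcast and multicast rows are not machines. Both samples are constructed from the article's own listings (trimmed); the WELL_KNOWN port table is my own and reports "?" for anything it does not recognise.

```python
import re
from collections import defaultdict

# Added example, not from the article: reduce `netstat -ano` and `arp -a` output
# to reachable listeners per PID and live neighbours. Samples constructed from
# the article's listings (trimmed).
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       684
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:5357           0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:5354         0.0.0.0:0              LISTENING       1400
  TCP    192.168.0.104:139      0.0.0.0:0              LISTENING       4
  TCP    [::]:445               [::]:0                 LISTENING       4
  UDP    0.0.0.0:5355           *:*                                    1100
  UDP    127.0.0.1:1900         *:*                                    2956
  UDP    192.168.0.104:137      *:*                                    4
  UDP    192.168.0.104:5353     *:*                                    1400
  UDP    [::1]:5353             *:*                                    1400
  UDP    [fe80::5cd4:9caf:61c0:ba6e%11]:1900  *:*                      2956
"""

ARP_SAMPLE = """\
Interface: 192.168.0.104 --- 0xb
  Internet Address      Physical Address      Type
  192.168.0.1           90-94-e4-c5-b0-46     dynamic
  192.168.0.101         ac-22-0b-af-bb-43     dynamic
  192.168.0.255         ff-ff-ff-ff-ff-ff     static
  239.255.255.250       01-00-5e-7f-ff-fa     static
  255.255.255.255       ff-ff-ff-ff-ff-ff     static
"""

# Common Windows listeners (my own table); anything else is reported as "?".
WELL_KNOWN = {135: "MSRPC", 137: "NetBIOS-NS", 139: "NetBIOS-SSN", 445: "SMB",
              1900: "SSDP", 5353: "mDNS", 5355: "LLMNR", 5357: "WSDAPI"}


def split_addr(addr):
    """'0.0.0.0:135' -> ('0.0.0.0', 135); '[fe80::1%11]:1900' -> ('fe80::1%11', 1900)."""
    host, _, port = addr.rpartition(":")
    return host.strip("[]"), int(port)


def exposure(host):
    """Who can reach a socket bound to this address."""
    if host in ("0.0.0.0", "::"):
        return "all-interfaces"
    if host in ("127.0.0.1", "::1"):
        return "loopback"
    if host.lower().startswith("fe80:"):
        return "link-local"
    return "interface"


def parse_netstat(text):
    """Rows of `netstat -ano` as dicts; TCP rows carry a state, UDP rows do not."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        host, port = split_addr(parts[1])
        state, pid = (parts[3], int(parts[4])) if parts[0] == "TCP" else (None, int(parts[3]))
        rows.append({"proto": parts[0], "host": host, "port": port, "state": state, "pid": pid})
    return rows


def _is_listener(row):
    return row["proto"] == "UDP" or row["state"] == "LISTENING"


def listeners_by_pid(rows):
    """PID -> sorted (proto, port, exposure); join this against `tasklist /svc`."""
    out = defaultdict(set)
    for r in rows:
        if _is_listener(r):
            out[r["pid"]].add((r["proto"], r["port"], exposure(r["host"])))
    return {pid: sorted(v) for pid, v in out.items()}


def exposed_services(rows):
    """(proto, port) -> (pid, service) for sockets reachable beyond loopback."""
    seen = {}
    for r in rows:
        if _is_listener(r) and exposure(r["host"]) != "loopback":
            seen.setdefault((r["proto"], r["port"]), (r["pid"], WELL_KNOWN.get(r["port"], "?")))
    return seen


def arp_neighbors(text):
    """Hosts seen on the segment: dynamic entries only."""
    pat = re.compile(r"\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(dynamic|static)", re.I)
    return [(m.group(1), m.group(2)) for m in map(pat.match, text.splitlines())
            if m and m.group(3).lower() == "dynamic"]


if __name__ == "__main__":
    rows = parse_netstat(NETSTAT_SAMPLE)
    for pid, socks in sorted(listeners_by_pid(rows).items()):
        print(pid, socks)
    print(exposed_services(rows))
    print(arp_neighbors(ARP_SAMPLE))
```

Run it over `netstat -ano > ns.txt` and `arp -a > arp.txt` captured from the target. A service bound only to 127.0.0.1 (here 5354/tcp for PID 1400) is invisible from the network but fully reachable from the shell you already have, which is exactly the kind of thing the next steps of a local escalation look for; the all-interfaces listeners (135, 445, 5357) are what the rest of the segment sees.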
        
Compiled by IT学习网. Original link: http://www.ourlove520.com/Article/netsafe/xitong/543773.html
