Domain Penetration 01-Basic Information Collection

Table of contents

Introduction
Domain basics
    What is a domain
    What are DC and AD
    Hash password management
    Kerberos protocol
    IPC communication
Intra-domain information collection
    Common commands
Domain information collection (practical)
    Determine the domain controller information
    Collect domain information
    Summary
BloodHound usage


Introduction:

        Domain penetration is hard to learn, mainly because there is rarely a good lab environment and the online tutorials are fragmented, so readers struggle to follow them. Here I plan to write a series of tutorials that walk through the whole domain penetration process. My ability is limited after all; if there are mistakes in the article, I hope you will point them out.

        Generally, my process for domain penetration is as follows:

  1. After obtaining a host, first determine whether it is in a domain environment.
  2. If there is a domain, collect basic information such as domain users, domain host names and domain controllers.
  3. Determine which domain groups you belong to, what your current privileges are, and where you sit in the intranet.
  4. Check the privileges you hold on the current host; if they are low, try to escalate to the highest privilege on that host, then use a tool to dump the local credentials.
  5. Reuse the collected hashes against other intranet hosts to see how many you can reach; try your luck.
  6. At the same time, test the domain controller for publicly known vulnerabilities. If one applies, congratulations, you are almost halfway there.
  7. If there is no such vulnerability, it gets tedious: you can only work towards the domain administrator's hash step by step, which involves many techniques such as golden tickets, silver tickets and other attacks. In one sentence, the goal is to obtain control of the domain.

        That is roughly the whole process. If the domain controller has a vulnerability it can be done quickly, but if the defenses are good the cycle is much longer and involves antivirus evasion, proxying, traffic encryption, hiding implants and so on. In short, intranet penetration is much harder than web penetration, but it is also more interesting. I will introduce each part in turn below.

Domain basics:

        First of all, we need to be familiar with some basic concepts: what a domain is, how passwords are stored and hashed in a domain, and which authentication protocol is used.

What is a domain:

        First, let's talk about what a workgroup is. A workgroup is simply a grouping of computers on the LAN. Right-click "My Computer" and open Properties and you can see directly which workgroup you are in. Workgroup credentials are stored locally, each host can only be logged into with its own local accounts, and a workgroup is meant for about 20 computers at most.

        A domain is a collection of computers with a security boundary; it is a logical model designed for large-scale network management. The computers in a domain share user accounts, computer accounts and security policies. In a domain environment, if permissions allow, we can access any host; authentication is performed on the domain controller using the Kerberos protocol, whereas logging in to the local computer is NTLM authentication against the local SAM. Domains are organised into domains, domain trees, forests and organizational units.

What are DC and AD:

        A domain controller (DC) is a server (there can be more than one) that manages the domain. The domain controller holds a database of the accounts, passwords and computers belonging to the domain. When a computer connects to the network, the domain controller first checks whether the computer belongs to the domain, whether the account the user logs in with exists, and whether the password is correct. If any of these checks fails, the domain controller refuses the login from that computer.

        Active Directory (AD) is built on DNS and stores the network objects of a domain in a tree structure; it contains the password hashes of all domain users and computer accounts. It provides basic network services (DNS/DHCP, etc.), computer management, user services, resource management, desktop configuration, application support and similar functions.

        A domain can be understood as a set of hosts joined to a domain controller (DC); the computer that holds the directory is the domain controller. There can be multiple DCs in one domain, and in a typical company environment there is usually a primary DC and a secondary DC.

Hash password management:

        Hashing is widely used in information security. Obtaining the plaintext password or hash of the target system is often an important part of a penetration test. On Windows, the password hashes of local users are stored in the local SAM file, and the password hashes of domain users are stored in the NTDS.DIT file on the domain controller.

        SAM:%SystemRoot%\System32\config\SAM

        ntds.dit:c:\windows\system32\ntds\ntds.dit

        Windows operating systems use two methods to hash user passwords, LAN Manager (LM) hashing and NT LAN Manager (NTLM) hashing. NTLM hashes are more secure than LM hashes. Since Windows Vista and Windows Server 2008, Windows no longer stores LM hashes by default. On Windows 10 and Windows Server 2012 R2 or later, caching plaintext passwords in memory is disabled by default.

Hash password format:
username:RID:LM-HASH:NT-HASH
For example:
Administrator:500:42a1942e00104580284d9e72274ea28a:05e120f8683aed55b5fade25aa9af6cb:::

User name: Administrator
RID: 500
LM-HASH: 42a1942e00104580284d9e72274ea28a
NT-HASH: 05e120f8683aed55b5fade25aa9af6cb
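
The hash-line format above is easy to parse, and a parser is useful on the defensive side too: an administrator reviewing a credential dump wants to know which accounts still have a legacy LM hash stored (LM storage should be off) and which have an empty password. The following is an added example written for this article, not code from the original post. It parses the `user:RID:LM:NT:::` format and audits each entry; the sample input combines the page's Administrator line with constructed lines, and the two placeholder values are the well-known hashes Windows stores for a disabled LM hash and for an empty NT password.

```python
import re
from dataclasses import dataclass

# Well-known placeholder values: the LM field holds EMPTY_LM when LM hashes are
# not stored (the default since Vista / Server 2008); the NT field holds EMPTY_NT
# when the account's password is empty.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

HEX32 = re.compile(r"^[0-9a-fA-F]{32}$")


@dataclass
class HashEntry:
    user: str
    rid: int
    lm_hash: str
    nt_hash: str

    @property
    def lm_stored(self) -> bool:
        """True when a real LM hash is present, i.e. legacy LM storage is still enabled."""
        return self.lm_hash != EMPTY_LM

    @property
    def empty_password(self) -> bool:
        return self.nt_hash == EMPTY_NT


def parse_hash_line(line: str) -> HashEntry:
    """Parse one 'user:RID:LM:NT:::' line; raise ValueError on malformed input."""
    parts = line.strip().split(":")
    if len(parts) < 4:
        raise ValueError(f"expected user:RID:LM:NT:::, got {line!r}")
    user, rid, lm, nt = parts[0], parts[1], parts[2], parts[3]
    if not rid.isdigit():
        raise ValueError(f"RID must be numeric: {rid!r}")
    for name, value in (("LM", lm), ("NT", nt)):
        if not HEX32.match(value):
            raise ValueError(f"{name} hash must be 32 hex characters: {value!r}")
    return HashEntry(user, int(rid), lm.lower(), nt.lower())


def audit(lines) -> list:
    """Return (user, finding) pairs for the conditions an administrator wants flagged."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        entry = parse_hash_line(line)
        if entry.lm_stored:
            findings.append((entry.user, "LM hash still stored"))
        if entry.empty_password:
            findings.append((entry.user, "empty password"))
    return findings


# Sample input: the page's Administrator line plus two constructed lines
# (Guest with an empty password, alice with a made-up NT hash and no LM hash).
SAMPLE = """\
Administrator:500:42a1942e00104580284d9e72274ea28a:05e120f8683aed55b5fade25aa9af6cb:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
alice:1001:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
"""

if __name__ == "__main__":
    for user, finding in audit(SAMPLE.splitlines()):
        print(f"{user}: {finding}")
```

Run it on a dump file with `audit(open(path).readlines())`; the Administrator line from the article is flagged because its LM field holds a real hash rather than the disabled-LM placeholder.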

Kerberos protocol:

        Kerberos is a network authentication protocol; its purpose is to prove who I am. First, we need to understand that an authentication involves three parties:

  • Client: the party that sends the request
  • Server: the party that receives the request
  • Key Distribution Center (KDC), which is generally divided into two parts:
    • AS (Authentication Server): authenticates the identity of the client and issues the TGT (Ticket Granting Ticket) that the client uses to access the TGS
    • TGS (Ticket Granting Server): issues the service ticket (ST) that the client needs in order to access the server

    Authentication Service (AS): verifies the identity of the Client. After verification passes, the AS gives the Client a TGT (Ticket Granting Ticket).
    Ticket-granting ticket (TGT): the ID of the TGT object is the value of the TGC. On the server side, the TGT is looked up through the TGC.
    Ticket-granting cookie (TGC): a cookie that stores the user's authentication credential. It is used in communication between the browser and the CAS Server, and is the credential the CAS Server uses to establish the user's identity. The TGT encapsulates the TGC value and the user information corresponding to that cookie value.
    Ticket Granting Service (TGS): exchanges the TGT sent by the AS to the Client for an ST (Server Ticket) that the Client uses to access the Server.
    Server Ticket (ST): the service ticket, issued by the TGS.

The Kerberos authentication process is briefly described as follows (the diagram is borrowed from the Internet and is easy to understand):

(1) The Client requests a TGT from the KDC's AS authentication service => AS_REQ
(2) After the Client passes authentication, the KDC issues a TGT => AS_REP
(3) The Client presents the TGT and requests an ST (service ticket) from the TGS => TGS_REQ
(4) After the Client passes the TGS check, the TGS issues the ST => TGS_REP
(5) The Client uses the ST to request the service from the Server => AP_REQ
(6) The Server obtains the PAC and asks the KDC whether the Client has permission
(7) The KDC returns the Client's permission information to the Server
(8) The Server compares the permission information returned by the KDC, decides whether the Client may access the service, and returns the result to the Client => AP_REP
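
To make steps (1) to (8) concrete, here is an added simulation of the exchange, written for this article and not part of the original post or of any Kerberos implementation. Both sides are modelled: a KDC object plays the AS and TGS, a Service object plays the Server, and `client_login` drives the flow. Assumptions: the "encryption" is a toy keystream-XOR with an HMAC tag (real Kerberos uses RC4-HMAC or AES), the client key is a SHA-256 of the password rather than a real string-to-key, the principal names and passwords are constructed, and the PAC validation of steps (6) and (7) is omitted. What it shows is the part that matters for understanding: the TGT is sealed with the krbtgt key so the client cannot read or alter it, each request carries an authenticator sealed with the session key, and a wrong password fails already at the AS because pre-authentication cannot be unsealed.

```python
import hashlib
import hmac
import json
import os
import time

LIFETIME = 600  # ticket lifetime in seconds (constructed value)


def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Toy keystream: SHA-256 in counter mode. Illustrative only, not a real cipher."""
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


def seal(key: bytes, obj: dict) -> dict:
    """Encrypt-then-MAC a small dict under key (stands in for Kerberos encryption)."""
    data = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _stream(key, nonce, len(data))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).hexdigest()
    return {"nonce": nonce.hex(), "ct": ct.hex(), "tag": tag}


def unseal(key: bytes, blob: dict) -> dict:
    """Verify the tag first; a wrong key or a tampered blob raises before decryption."""
    nonce, ct = bytes.fromhex(blob["nonce"]), bytes.fromhex(blob["ct"])
    expect = hmac.new(key, nonce + ct, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expect, blob["tag"]):
        raise PermissionError("integrity check failed (wrong key or tampered data)")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))


def user_key(password: str) -> bytes:
    # Assumption: simplified string-to-key. Real Kerberos derives the NT hash or an AES key.
    return hashlib.sha256(password.encode()).digest()


class KDC:
    """Plays both the AS and the TGS; knows every principal's long-term key."""

    def __init__(self, principals: dict):
        self.keys = dict(principals)
        self.keys["krbtgt"] = os.urandom(32)  # the key that seals every TGT

    def as_exchange(self, as_req: dict) -> dict:  # steps (1)/(2): AS_REQ -> AS_REP
        k_c = self.keys[as_req["cname"]]
        pre = unseal(k_c, as_req["padata"])  # pre-auth: only the real password opens this
        if abs(time.time() - pre["timestamp"]) > 300:
            raise PermissionError("clock skew too great")
        sk = os.urandom(32)  # TGT session key
        tgt = seal(self.keys["krbtgt"], {"cname": as_req["cname"], "session_key": sk.hex(),
                                          "expires": time.time() + LIFETIME})
        return {"tgt": tgt, "enc_part": seal(k_c, {"session_key": sk.hex(), "nonce": as_req["nonce"]})}

    def tgs_exchange(self, tgs_req: dict) -> dict:  # steps (3)/(4): TGS_REQ -> TGS_REP
        tgt = unseal(self.keys["krbtgt"], tgs_req["tgt"])
        if time.time() > tgt["expires"]:
            raise PermissionError("TGT expired")
        sk = bytes.fromhex(tgt["session_key"])
        auth = unseal(sk, tgs_req["authenticator"])  # proves the sender holds the session key
        if auth["cname"] != tgt["cname"]:
            raise PermissionError("authenticator does not match TGT")
        ssk = os.urandom(32)  # service session key
        st = seal(self.keys[tgs_req["sname"]], {"cname": tgt["cname"], "session_key": ssk.hex(),
                                                "expires": time.time() + LIFETIME})
        return {"ticket": st, "enc_part": seal(sk, {"session_key": ssk.hex(), "sname": tgs_req["sname"]})}


class Service:
    def __init__(self, name: str, key: bytes):
        self.name, self.key = name, key

    def ap_exchange(self, ap_req: dict) -> dict:  # steps (5)/(8): AP_REQ -> AP_REP (PAC check omitted)
        st = unseal(self.key, ap_req["ticket"])
        ssk = bytes.fromhex(st["session_key"])
        auth = unseal(ssk, ap_req["authenticator"])
        if auth["cname"] != st["cname"] or time.time() > st["expires"]:
            raise PermissionError("bad authenticator or expired ticket")
        # cname is returned in the clear only so the demo can report who was accepted
        return {"cname": st["cname"], "enc_part": seal(ssk, {"timestamp": auth["timestamp"]})}


def client_login(kdc: KDC, service: Service, cname: str, password: str) -> str:
    """Drive the full flow from the client side; return the name the service accepted."""
    k_c = user_key(password)
    as_rep = kdc.as_exchange({"cname": cname, "nonce": os.urandom(8).hex(),
                              "padata": seal(k_c, {"timestamp": time.time()})})
    sk = bytes.fromhex(unseal(k_c, as_rep["enc_part"])["session_key"])
    tgs_rep = kdc.tgs_exchange({"tgt": as_rep["tgt"], "sname": service.name,
                                "authenticator": seal(sk, {"cname": cname, "timestamp": time.time()})})
    ssk = bytes.fromhex(unseal(sk, tgs_rep["enc_part"])["session_key"])
    ts = time.time()
    ap_rep = service.ap_exchange({"ticket": tgs_rep["ticket"],
                                  "authenticator": seal(ssk, {"cname": cname, "timestamp": ts})})
    if unseal(ssk, ap_rep["enc_part"])["timestamp"] != ts:  # mutual authentication
        raise PermissionError("service could not prove it holds the ticket key")
    return ap_rep["cname"]


def demo() -> dict:
    """Constructed principals: one user and one file service; a good and a bad login."""
    svc_key = os.urandom(32)
    kdc = KDC({"alice": user_key("correct horse"), "cifs/fileserver": svc_key})
    svc = Service("cifs/fileserver", svc_key)
    good = client_login(kdc, svc, "alice", "correct horse")
    try:
        client_login(kdc, svc, "alice", "wrong password")
        bad = "accepted"
    except PermissionError:
        bad = "rejected"
    return {"good": good, "bad": bad}
```

Calling `demo()` returns `{"good": "alice", "bad": "rejected"}`. Note where each secret lives: the krbtgt key never leaves the KDC, the service key is shared only between the KDC and the service, and the client learns only session keys, which is why possession of the krbtgt or service key is what the later ticket attacks on this page are about.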

IPC communication:

        IPC communication is used constantly in domain penetration. IPC$ is a named pipe opened for inter-process communication: after verifying an account and password, the two sides establish a secure channel and exchange encrypted data over it. An IPC$ connection allows remote login and access to the default shares; an open port 139 indicates that the NetBIOS protocol is in use, and shared files and printers are reached through ports 139 and 445.

        In Windows, the whole communication process of `net use ... ipc$` tries the ports in the order 445 -> 137 -> 139. If you enable the firewall and block 445, you will find that the system's built-in commands can no longer connect to IPC$, because they never get the chance to fall back to 139. So if you use the built-in commands to connect to ipc$, these ports need to be open at the same time.

Common commands:
    Establish a normal connection
    net use \\192.168.1.1\ipc$ "123456" /user:"administrator"
    View this machine's connections to shares
    net use
    Map the remote C drive to the local Z drive
    net use z: \\192.168.1.1\c$ "123456" /user:"administrator"
    View the shared resources of a target host you already have a connection to
    net view \\192.168.1.1
    View the target host's time
    net time \\192.168.1.1
    Delete the connection between this machine and the specified IP
    net use \\192.168.1.1\ipc$ /del /y
    Delete all connections established by this machine
    net use * /del /y

         In addition, you can use PsExec or Impacket to execute commands over the same channel.
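
From the defender's side, IPC$ connections of the kind just described show up on the target as Windows Security event 5140 ("A network share object was accessed") with share name `\\*\IPC$`. One account or source address opening IPC$ on many hosts in a short window is the footprint of step 5 of the process at the top of this article. The following is an added example written for this article, not code from the original post: it runs that fan-out check over constructed event records (the field names and sample values are assumptions shaped like an exported 5140 event, not real logs from the page's lab).

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: each dict is one event 5140 reduced to the fields we need.
# 192.168.1.6 opens IPC$ on four different hosts within a few minutes;
# 192.168.1.9 only talks to one host and one ordinary file share.
EVENTS = [
    {"time": "2023-04-18T10:00:01", "computer": "WIN10-PC", "account": "GALAXY\\svc_backup", "src": "192.168.1.6", "share": "\\\\*\\IPC$"},
    {"time": "2023-04-18T10:00:40", "computer": "FIN-PC",   "account": "GALAXY\\svc_backup", "src": "192.168.1.6", "share": "\\\\*\\IPC$"},
    {"time": "2023-04-18T10:01:15", "computer": "SALES-PC", "account": "GALAXY\\svc_backup", "src": "192.168.1.6", "share": "\\\\*\\IPC$"},
    {"time": "2023-04-18T10:02:03", "computer": "PROD-PC",  "account": "GALAXY\\svc_backup", "src": "192.168.1.6", "share": "\\\\*\\IPC$"},
    {"time": "2023-04-18T10:05:00", "computer": "WIN10-PC", "account": "GALAXY\\alice",      "src": "192.168.1.9", "share": "\\\\*\\IPC$"},
    {"time": "2023-04-18T10:06:00", "computer": "WIN10-PC", "account": "GALAXY\\alice",      "src": "192.168.1.9", "share": "\\\\*\\IPC$"},
    {"time": "2023-04-18T10:07:00", "computer": "FIN-PC",   "account": "GALAXY\\bob",        "src": "192.168.1.9", "share": "\\\\*\\Finance"},
]


def is_ipc_share(share: str) -> bool:
    """True for the administrative IPC$ share, however the host prefix is written."""
    return share.upper().endswith("\\IPC$")


def ipc_fanout(events, threshold: int = 3, window_minutes: int = 10) -> dict:
    """Return {source_ip: sorted list of target hosts} for every source that opened
    IPC$ on at least `threshold` distinct hosts inside any `window_minutes` window."""
    per_src = defaultdict(list)
    for e in events:
        if is_ipc_share(e["share"]):
            per_src[e["src"]].append((datetime.fromisoformat(e["time"]), e["computer"]))

    alerts = {}
    window = timedelta(minutes=window_minutes)
    for src, hits in per_src.items():
        hits.sort()  # sliding window over the time-ordered hits
        for i, (t0, _) in enumerate(hits):
            hosts = {host for t, host in hits[i:] if t - t0 <= window}
            if len(hosts) >= threshold:
                alerts[src] = sorted(hosts)
                break
    return alerts


if __name__ == "__main__":
    for src, hosts in ipc_fanout(EVENTS).items():
        print(f"{src} opened IPC$ on {len(hosts)} hosts: {', '.join(hosts)}")
```

The threshold and window are tuning knobs: backup and monitoring accounts legitimately touch many hosts, so in practice you would allow-list those accounts or raise the threshold for them rather than alert on every fan-out.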

Intra-domain information collection:

Common commands:

Domain commands:
Check whether a domain exists              net config workstation
Determine the primary domain               net time /domain
Check for multiple domain controllers      net group "domain controllers" /domain
Query domain groups                        net group /domain
Query the domain administrators list       net group "domain admins" /domain
View domain trusts                         nltest /domain_trusts
View domain users                          net user /domain
View domain hosts                          net group "domain computers" /domain

Windows commands:
View open ports                            netstat -ano
View SMB shares                            net share
Routing table                              route print
Trace route                                tracert IP
Local ARP table                            arp -a
View processes (with user)                 tasklist /V
View processes (with services)             tasklist /svc
Kill a process                             taskkill /T /F /PID 13140
View all drive letters                     fsutil fsinfo drives
View startup items                         wmic startup
Find xml/ini/txt files containing "password"   findstr /si password *.xml *.ini *.txt
View passwords saved in the registry       REG query HKCU /v "pwd" /s

Get saved wifi passwords
for /f "skip=9 tokens=1,2 delims=:" %i in ('netsh wlan show profiles') do @echo %j | findstr -i -v echo | netsh wlan show profiles %j key=clear
Check whether PowerShell is available
if defined PSModulePath (echo support powershell) else (echo not support powershell)

Domain information collection (practical):

        To make this more realistic, I use Cobalt Strike plus Kali for the test. The test environment is as follows:

Domain controller (Windows Server 2012): 192.168.1.3
Domain host (Windows 10):               192.168.1.6
Kali:                                   192.168.1.5

Determine the domain controller information:

net config workstation

You can see that the domain galaxy.org exists

Determine the primary domain:

net time /domain (this returns the primary domain; in a large domain environment there will be several domain controllers)

Determine the domain controller IP:

ping -4 -n 1 WIN-Q7LOKMBEHNU.galaxy.org (note that ping sometimes returns the IPv6 address directly; use -4 to get the IPv4 address)

Here we know that there is a domain, and the domain controller information is as follows:

WIN-Q7LOKMBEHNU.galaxy.org     192.168.1.3

Determine if there are multiple domain controllers:

net group "domain controllers" /domain

Determine if a domain forest exists:

nltest /domain_trusts

         From this domain controller reconnaissance we know that this is a small intranet. There is only one domain controller, named WIN-Q7LOKMBEHNU.galaxy.org with the IP 192.168.1.3, and it is a single simple domain with no forest.

Collect domain information:

        Next we collect information about the domain environment, including domain hosts and domain users, and then analyze it.

First collect the domain workgroup:

net group /domain

You can see the three groups I created earlier:

Finance Deparment, Sales Deparment, Product Deparment

View domain administrators:

net group "domain admins" /domain

From this we know that the domain administrator is Administrator

Get domain users:

net user /domain

 Here it is best to build a user list to make later operations such as cracking easier. Save the output of net user /domain to user.txt (trim the header and footer lines first; the commands below only split the columns):

awk '{print $1,$2,$3}' user.txt | tr " " "\n" | awk '{if(length !=0) print $0}' >> user_ok.txt

sed "s/$/@galaxy.org/g" user_ok.txt >> user_galaxy.txt

 Also collect the list of domain hosts:

My environment here is simple, there is only one domain member host, but it is small and complete, so I still walk through the steps. Save the output of net group "domain computers" /domain to computer.txt; computer account names end in $, which the sed below replaces with the DNS suffix:

awk '{print $1,$2,$3}' computer.txt | tr ' ' '\n' | awk '{if(length !=0) print $0}' >> computer_ok.txt

sed "s/\\$/.galaxy.org/g" computer_ok.txt >> computer_galaxy.txt
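
The awk/sed pipelines above split every line of the saved output into columns, including the header and "The command completed successfully." footer, so the resulting lists need manual trimming. Here is an added example, written for this article rather than taken from the original post, that does the same user-list and computer-list transformation but locates the dashed rule that `net` prints before the member columns, so the header and footer are skipped automatically. The two sample outputs are constructed in the shape of `net user /domain` and `net group "domain computers" /domain` output for the page's galaxy.org domain; the account and host names in them are made up.

```python
import re

# `net user` and `net group` print a dashed rule before the name columns and a
# "The command completed ..." footer after them; everything in between is names.
RULE = re.compile(r"^-{10,}\s*$")
FOOTER = "The command completed"


def names_from_net_output(text: str) -> list:
    """Collect the whitespace-separated names between the dashed rule and the footer."""
    names, in_body = [], False
    for line in text.splitlines():
        if RULE.match(line):
            in_body = True
            continue
        if line.startswith(FOOTER):
            break
        if in_body:
            names.extend(line.split())
    return names


def user_book(text: str, domain: str) -> list:
    """user -> user@domain, the same result as the sed "s/$/@domain/" step."""
    return [f"{name}@{domain}" for name in names_from_net_output(text)]


def computer_book(text: str, domain: str) -> list:
    """HOST$ -> HOST.domain, the same result as the sed "s/\\$/.domain/" step."""
    return [f"{name.rstrip('$')}.{domain}" for name in names_from_net_output(text)]


# Constructed sample output (not captured from the page's lab).
NET_USER_SAMPLE = """\
The request will be processed at a domain controller for domain galaxy.org.

User accounts for \\\\WIN-Q7LOKMBEHNU.galaxy.org

-------------------------------------------------------------------------------
Administrator            Guest                    krbtgt
alice                    bob
The command completed successfully.
"""

NET_COMPUTERS_SAMPLE = """\
Group name     Domain Computers
Comment        All workstations and servers joined to the domain

Members

-------------------------------------------------------------------------------
WIN10-PC$                SALES-PC$
The command completed successfully.
"""

if __name__ == "__main__":
    print("\n".join(user_book(NET_USER_SAMPLE, "galaxy.org")))
    print("\n".join(computer_book(NET_COMPUTERS_SAMPLE, "galaxy.org")))
```

To use it on real captures, read user.txt and computer.txt into the two functions and write the returned lists out one name per line; krbtgt and Guest will be in the user list and can be dropped before any cracking attempt since they are not interactive accounts.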

Summary:

         With a handful of commands we have learned the following:

  1. Whether a domain exists, and the domain controller's host name, its IP address and the domain administrator accounts;
  2. A domain user list and a domain host list, which can be used later for cracking and sniffing;
  3. A rough estimate of the size of the domain and of our own position in it, from which we can proceed to the second step.

BloodHound usage:

        When the domain is large, we can use BloodHound to collect information about the whole domain. It is simple to use. First download the BloodHound program from:

https://github.com/BloodHoundAD/BloodHound/releases/download/2.0.4/BloodHound-win32-x64.zip

         There are many usage guides on Baidu, so search, install and run it. In short: start the neo4j database first, then connect BloodHound to the database and log in with the account and password on the web page; run a collector on a domain host to gather the domain information, which is packaged into a zip file; import that zip and you can view the analysis results. The specific usage will be explained later.


Origin: blog.csdn.net/GalaxySpaceX/article/details/130236803