Intranet Security: Lateral Delivery Attacks ( RDP || Cobalt Strike )


Lateral movement means compromising one of the target's hosts, using that captured host as a springboard, and then going after the other hosts on the intranet, using whatever has already been obtained to collect more credentials and higher privileges. Hosts are taken over one by one until the whole intranet is controlled, the highest privileges are held, and an advanced persistent threat (APT) style campaign can be run. (Lateral delivery attacks are mainly based on obtaining plaintext passwords and password hashes.)


Table of contents:

Intranet Security: Lateral Delivery Attacks ( RDP || SPN || Cobalt Strike )

RDP pass:

Cobalt Strike delivers:

Add a listener:

To escalate rights:

Collect intranet information. (collect the network architecture of the intranet)

Using information to attack:


RDP pass:

Connecting over RDP: first determine whether the target's Remote Desktop service is enabled (default port: 3389/tcp).
Scan the target host to see whether port 3389 is open:

nmap -sS -p 3389 192.168.0.105      // SYN scan of the RDP port only

If it is open, connect with mstsc (mstsc /v:192.168.0.105) using credentials captured earlier.
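An open port only says that something is listening. Before spending captured credentials on mstsc, a practitioner wants to know what the server will accept: Standard RDP Security, TLS, or CredSSP/NLA (where valid credentials must be presented before any session exists). The following Python script is an added example, not code from the original post or from any tool it mentions; it sends the X.224 Connection Request with an RDP_NEG_REQ (MS-RDPBCGR 2.2.1.1) and decodes the Connection Confirm. The target address and port are parameters; the three sample responses embedded at the bottom are constructed so the parser can be exercised offline.

```python
import socket
import struct

# requestedProtocols flags (MS-RDPBCGR 2.2.1.1.1)
PROTOCOL_RDP = 0x00000000       # legacy "Standard RDP Security"
PROTOCOL_SSL = 0x00000001       # TLS
PROTOCOL_HYBRID = 0x00000002    # CredSSP, i.e. Network Level Authentication (NLA)
PROTOCOL_HYBRID_EX = 0x00000008

# failureCode values of RDP_NEG_FAILURE (MS-RDPBCGR 2.2.1.2.2)
FAILURE_CODES = {
    1: "SSL_REQUIRED_BY_SERVER",
    2: "SSL_NOT_ALLOWED_BY_SERVER",
    3: "SSL_CERT_NOT_ON_SERVER",
    4: "INCONSISTENT_FLAGS",
    5: "HYBRID_REQUIRED_BY_SERVER",
    6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
}


def build_connection_request(requested_protocols):
    """TPKT header + X.224 Connection Request TPDU carrying an RDP_NEG_REQ."""
    # RDP_NEG_REQ: type 0x01, flags, length (always 8), requestedProtocols (little-endian)
    neg_req = struct.pack("<BBHI", 0x01, 0x00, 8, requested_protocols)
    # X.224 CR: LI (bytes that follow LI), 0xE0 = CR code, DST-REF, SRC-REF, class option
    x224 = struct.pack(">BBHHB", 6 + len(neg_req), 0xE0, 0, 0, 0) + neg_req
    # TPKT: version 3, reserved, total length (big-endian)
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224


def parse_connection_confirm(data):
    """Decode the X.224 Connection Confirm; returns the selected protocol or the failure."""
    if len(data) < 11 or data[0] != 3:
        raise ValueError("not a TPKT-framed X.224 response")
    li, code = data[4], data[5]
    if code & 0xF0 != 0xD0:
        raise ValueError("not an X.224 Connection Confirm (code 0x%02x)" % code)
    user_data = data[11:5 + li]  # 6 header bytes follow LI, the rest is RDP_NEG_*
    if len(user_data) < 8:
        # Servers that predate protocol negotiation send no user data: legacy security only.
        return {"negotiation": False, "selected": PROTOCOL_RDP}
    neg_type, _flags, _length, value = struct.unpack("<BBHI", user_data[:8])
    if neg_type == 0x02:  # RDP_NEG_RSP
        return {"negotiation": True, "selected": value}
    if neg_type == 0x03:  # RDP_NEG_FAILURE
        return {"negotiation": True, "failure": FAILURE_CODES.get(value, "UNKNOWN_%d" % value)}
    raise ValueError("unexpected negotiation structure type 0x%02x" % neg_type)


def classify(result):
    """The verdict that matters before trying mstsc: can we reach a logon screen at all?"""
    if "failure" in result:
        if result["failure"] == "HYBRID_REQUIRED_BY_SERVER":
            return "NLA required: valid credentials must be presented before any session is created"
        return "negotiation refused: " + result["failure"]
    selected = result["selected"]
    if selected & (PROTOCOL_HYBRID | PROTOCOL_HYBRID_EX):
        return "NLA (CredSSP) selected"
    if selected & PROTOCOL_SSL:
        return "TLS without NLA: the Windows logon screen is reachable before authentication"
    return "Standard RDP Security accepted: no NLA, legacy RC4-based encryption"


def probe(host, port=3389, requested_protocols=PROTOCOL_RDP, timeout=3.0):
    """Ask for the weakest protocol first; a failure code then reveals what the server insists on."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_connection_request(requested_protocols))
        return parse_connection_confirm(sock.recv(1024))


# Constructed responses for offline use (not captured from a real host):
# a server enforcing NLA answers RDP_NEG_FAILURE / failureCode 5,
# a server accepting legacy security answers RDP_NEG_RSP / selectedProtocol 0,
# a pre-negotiation server answers a bare Connection Confirm.
SAMPLE_NLA_REQUIRED = bytes.fromhex("030000130ed00000123400" "0300080005000000")
SAMPLE_LEGACY_OK = bytes.fromhex("030000130ed00000123400" "0200080000000000")
SAMPLE_NO_NEGOTIATION = bytes.fromhex("0300000b06d00000123400")

if __name__ == "__main__":
    for name, sample in (("nla", SAMPLE_NLA_REQUIRED), ("legacy", SAMPLE_LEGACY_OK),
                         ("old", SAMPLE_NO_NEGOTIATION)):
        print(name, "->", classify(parse_connection_confirm(sample)))
    # Against the lab host from the article (assumed reachable from the attacker box):
    # print(classify(probe("192.168.0.105")))
```

Requesting only PROTOCOL_RDP on purpose is what makes the probe informative: a server that tolerates Standard RDP Security answers with selectedProtocol 0, while a hardened one refuses with HYBRID_REQUIRED_BY_SERVER (NLA) or SSL_REQUIRED_BY_SERVER, so one packet tells you whether stolen plaintext credentials are mandatory before mstsc will even show a desktop.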


Cobalt Strike delivers:

Cobalt Strike needs a Java runtime installed on the machine that runs it.
Server side:

(1) cd cs4.7                             // change into the cs directory

(2) chmod a+x ./TeamServerImage          // make the team server binary executable

(3) ./teamserver 192.168.0.106 888888    // the IP is the team server's own address; the second argument is the password clients use to log in

The team server listens on 50050/tcp by default. That port and this password are all that protect the operator console, so 888888 is acceptable only in a lab: use a long random password and firewall 50050 to operator hosts.

Client side:

(1) cd cs4.7                    // change into the cs directory

(2) chmod a+x ./start.sh        // make the launcher executable

(3) ./start.sh                  // start the client, then connect to 192.168.0.106:50050 with the password set above


Add a listener:

Create a listener first (Cobalt Strike > Listeners > Add; an HTTP/HTTPS Beacon for hosts that can reach the team server directly), then generate a payload (the "trojan") bound to that listener.

Upload the generated program to the target host and execute it; the Beacon that checks in is the springboard for all of the following steps.


To escalate rights:

Load the plugins needed for privilege escalation. They are Aggressor scripts (.cna) loaded through Cobalt Strike > Script Manager, after which their commands (e.g. elevate for ElevateKit) become available in the Beacon console:

https://gitee.com/mirrors_rsmudge/ElevateKit/repository/archive/master.zip

https://github.com/pandasec888/taowu-cobalt-strike


Collect intranet information. (collect the network architecture of the intranet)

net view            // enumerate the hosts visible on the intranet (network layout)

net computers       // enumerate the computers of the workgroup || domain

net dclist          // find the domain controllers' IPs and names

net user            // list the user accounts on the host (getuid shows which user the Beacon itself runs as)

shell net user /domain        // run net.exe to list all user accounts in the domain

The commands without the shell prefix are Beacon built-ins that run inside the Beacon process; shell spawns cmd.exe on the target, which is noisier and leaves a process-creation trail for defenders.
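The enumeration output above is free text in the Beacon console, and turning it into target lists by hand is where mistakes happen. The following Python parser is an added example, not code from the original post or from Cobalt Strike; it converts the output of net view and net user /domain into host and account lists and flags the service and admin accounts that are usually tried first. The two sample outputs are constructed to match net.exe's layout (a \\HOST Remark table; three 25-character columns for net user) and do not come from a real network; the INTERESTING pattern is an assumption about naming conventions, not something the page prescribes.

```python
import re

# Constructed sample output of `net view` (not from a real network): the table lists
# \\HOST followed by an optional remark.
SAMPLE_NET_VIEW = r"""Server Name            Remark

-------------------------------------------------------------------------------
\\DC01                 Domain controller
\\FILE01               File server
\\WS-ALICE
The command completed successfully.
"""

# Constructed sample output of `net user /domain` (not from a real domain): net.exe
# prints three 25-character columns; sAMAccountNames of users are at most 20 characters,
# so at least two spaces always separate cells.
SAMPLE_NET_USER = r"""The request will be processed at a domain controller for domain corp.local.

User accounts for \\DC01.corp.local

-------------------------------------------------------------------------------
Administrator            Guest                    krbtgt
alice                    bob                      svc_sql
svc_backup               DefaultAccount
The command completed successfully.
"""


def parse_net_view(text):
    """Return [(host, remark), ...] from `net view` output."""
    hosts = []
    for line in text.splitlines():
        if line.startswith("\\\\"):
            name, _, remark = line[2:].partition(" ")
            hosts.append((name, remark.strip()))
    return hosts


def parse_net_user(text):
    """Return {'domain', 'dc', 'users'} from `net user /domain` output."""
    info = {"domain": None, "dc": None, "users": []}
    m = re.search(r"for domain (\S+)\.\s*$", text, re.M)
    if m:
        info["domain"] = m.group(1)
    m = re.search(r"^User accounts for \\\\(\S+)", text, re.M)
    if m:
        info["dc"] = m.group(1)
    in_table = False
    for line in text.splitlines():
        if line.startswith("-----"):
            in_table = True
            continue
        if line.startswith("The command completed"):
            break
        if in_table and line.strip():
            # Cells are separated by at least two spaces (see column note above).
            info["users"].extend(re.split(r"\s{2,}", line.strip()))
    return info


# Assumed naming convention: service and admin accounts are the usual first targets.
INTERESTING = re.compile(r"admin|svc|sql|backup", re.I)


def interesting_accounts(users):
    """Filter the account list down to names that suggest privilege or a service."""
    return [u for u in users if INTERESTING.search(u)]


if __name__ == "__main__":
    hosts = parse_net_view(SAMPLE_NET_VIEW)
    info = parse_net_user(SAMPLE_NET_USER)
    print("hosts:", [h for h, _ in hosts])
    print("domain:", info["domain"], "dc:", info["dc"])
    print("users:", len(info["users"]), "interesting:", interesting_accounts(info["users"]))
```

Paste the console output of the real commands into the two variables (or read it from a file) and the same functions produce the host list to scan for 3389 and the account list to try captured credentials against.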


Using information to attack:

Obtain accounts and passwords (plaintext credentials or password hashes, as noted at the top) from the compromised host.

Use the account and password to authenticate to other hosts and connect to them (over RDP as above, or by running the payload there to get a new Beacon).

Then use the file browser / upload / download on the new host to manage its files.


Learning link: Day 69: Intranet Security - Domain Lateral Movement CobaltStrike&SPN&RDP (bilibili)


Origin blog.csdn.net/weixin_54977781/article/details/131144766